P.S. I've downloaded and installed SpywareBlaster and Spybot-S&D since posting this.
-
IMPORTANT: Only authorized members may reply to threads in this forum due to the complexity of the malware removal process. Authorized members include Malware Specialists and Trainees, Administrators, Moderators, and Trusted Advisors. Regular members are not permitted to reply, and any such posts will be deleted without notice or further explanation. Notice
(Solved) My browser gets redirected to Russian porn site
I supposed that wouldn't be so bad if I spoke Russian, but then again, there's not much writing... ;-) One of the exchange students spoke Russian, so I suspect that's when the "lovely" hijacking occurred. I think it's the "sexyque.com" items below. I've also seen "pretty.ru" on the browser window when it's redirected.
I've updated my Symantec virus software an hour ago, re-ran a scan, and that's clean.
Below is my Hijack This log. Please take a look at it and let me know what to do. Thanks!
Lori
Logfile of HijackThis v1.97.2
Scan saved at 9:29:55 PM, on 9/12/03
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSGLOOP.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\SYMANTEC\SAV8\RTVSCN95.EXE
C:\PROGRAM FILES\SYMANTEC\SAV8\DEFWATCH.EXE
C:\WINDOWS\SYSTEM\MSG32.EXE
C:\WINDOWS\EXPLORER.EXE
C:\YDPDICT\WATCH.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\ATICWD32.EXE
C:\WINDOWS\SYSTEM\ATITASK.EXE
C:\WINDOWS\SYSTEM\3dmoused.exe
C:\WINDOWS\SYSTEM\HPSYSDRV.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMKEYBD.EXE
C:\PROGRAM FILES\DELFIN\PROMULGATE\PGMONITR.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\PROGRAM FILES\SYMANTEC\SAV8\VPTRAY.EXE
C:\WINDOWS\RunDLL.exe
C:\PROGRAM FILES\MICROSOFT MONEY\SYSTEM\REMINDER.EXE
C:\PROGRAM FILES\MSWORKS\CALENDAR\WKCALREM.EXE
C:\PROGRAM FILES\HP OFFICEJET SERIES 700\BIN\HPOSTR03.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\KEYBDMGR.EXE
C:\PROGRA~1\NETROPA\ONSCRE~1\OSD.EXE
C:\PROGRAM FILES\HP OFFICEJET SERIES 700\BIN\HPOVDX03.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\RNATHCHK.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\UNZIPPED\HIJACKTHIS\HIJACKTHIS.EXE
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.puh.ru/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.puh.ru/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.puh.ru/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://poczta.onet.pl/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.puh.ru/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.puh.ru/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://www.puh.ru/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://sexymafia.ru/page0.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.puh.ru/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.puh.ru/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://sexymafia.ru/page0.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.puh.ru/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://sexymafia.ru/page0.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.puh.ru/search.html
F1 - win.ini: load=C:\YDPDict\watch.exe
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [AtiCwd32] Aticwd32.exe
O4 - HKLM\..\Run: [AtiKey] Atitask.exe
O4 - HKLM\..\Run: [HPScanPatch] C:\WINDOWS\SYSTEM\HPScanFix.exe
O4 - HKLM\..\Run: [Primax 3-D Mouse] 3dmoused.exe
O4 - HKLM\..\Run: [EAPCISetup] c:\windows\SYSTEM\wizard.exe c:\windows\SYSTEM
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [Keyboard Manager] C:\Program Files\Netropa\One-touch Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp3\winampa.exe"
O4 - HKLM\..\Run: [PromulGate] "C:\Program Files\DelFin\PromulGate\PgMonitr.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANTEC\SAV8\vptray.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [TweakIco] c:\hp\support\tweakico.exe
O4 - HKLM\..\RunServices: [rtvscn95] C:\PROGRA~1\SYMANTEC\SAV8\rtvscn95.exe
O4 - HKLM\..\RunServices: [defwatch] C:\PROGRA~1\SYMANTEC\SAV8\defwatch.exe
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - HKCU\..\Run: [Reminder] C:\Program Files\Microsoft Money\System\reminder.exe
O4 - HKCU\..\Run: [Gadu-Gadu] C:\Program Files\Gadu-Gadu\powergg.exe /tray
O4 - Startup: Shortcut to Internet Explorer.lnk = ?
O4 - Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\MSWorks\Calendar\WKCALREM.EXE
O4 - Startup: HP OfficeJet Series 700 StartUp.lnk = C:\Program Files\HP OfficeJet Series 700\bin\HPOstr03.exe
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O12 - Plugin for .mov: C:\PROGRA~1\INTERN~1\PLUGINS\npqtw32.dll
O13 - DefaultPrefix: http://www.sexyque.com/cgi-bin/proliv/proliv.cgi?
O13 - WWW Prefix: http://www.sexyque.com/cgi-bin/proliv/proliv.cgi?
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37876.6961689815
I've updated my Symantec virus software an hour ago, re-ran a scan, and that's clean.
Below is my Hijack This log. Please take a look at it and let me know what to do. Thanks!
Lori
Logfile of HijackThis v1.97.2
Scan saved at 9:29:55 PM, on 9/12/03
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSGLOOP.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\SYMANTEC\SAV8\RTVSCN95.EXE
C:\PROGRAM FILES\SYMANTEC\SAV8\DEFWATCH.EXE
C:\WINDOWS\SYSTEM\MSG32.EXE
C:\WINDOWS\EXPLORER.EXE
C:\YDPDICT\WATCH.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\ATICWD32.EXE
C:\WINDOWS\SYSTEM\ATITASK.EXE
C:\WINDOWS\SYSTEM\3dmoused.exe
C:\WINDOWS\SYSTEM\HPSYSDRV.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMKEYBD.EXE
C:\PROGRAM FILES\DELFIN\PROMULGATE\PGMONITR.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\PROGRAM FILES\SYMANTEC\SAV8\VPTRAY.EXE
C:\WINDOWS\RunDLL.exe
C:\PROGRAM FILES\MICROSOFT MONEY\SYSTEM\REMINDER.EXE
C:\PROGRAM FILES\MSWORKS\CALENDAR\WKCALREM.EXE
C:\PROGRAM FILES\HP OFFICEJET SERIES 700\BIN\HPOSTR03.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\KEYBDMGR.EXE
C:\PROGRA~1\NETROPA\ONSCRE~1\OSD.EXE
C:\PROGRAM FILES\HP OFFICEJET SERIES 700\BIN\HPOVDX03.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\RNATHCHK.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\UNZIPPED\HIJACKTHIS\HIJACKTHIS.EXE
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.puh.ru/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.puh.ru/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.puh.ru/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://poczta.onet.pl/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.puh.ru/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.puh.ru/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://www.puh.ru/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://sexymafia.ru/page0.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.puh.ru/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.puh.ru/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://sexymafia.ru/page0.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.puh.ru/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://sexymafia.ru/page0.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.puh.ru/search.html
F1 - win.ini: load=C:\YDPDict\watch.exe
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [AtiCwd32] Aticwd32.exe
O4 - HKLM\..\Run: [AtiKey] Atitask.exe
O4 - HKLM\..\Run: [HPScanPatch] C:\WINDOWS\SYSTEM\HPScanFix.exe
O4 - HKLM\..\Run: [Primax 3-D Mouse] 3dmoused.exe
O4 - HKLM\..\Run: [EAPCISetup] c:\windows\SYSTEM\wizard.exe c:\windows\SYSTEM
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [Keyboard Manager] C:\Program Files\Netropa\One-touch Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp3\winampa.exe"
O4 - HKLM\..\Run: [PromulGate] "C:\Program Files\DelFin\PromulGate\PgMonitr.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANTEC\SAV8\vptray.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [TweakIco] c:\hp\support\tweakico.exe
O4 - HKLM\..\RunServices: [rtvscn95] C:\PROGRA~1\SYMANTEC\SAV8\rtvscn95.exe
O4 - HKLM\..\RunServices: [defwatch] C:\PROGRA~1\SYMANTEC\SAV8\defwatch.exe
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - HKCU\..\Run: [Reminder] C:\Program Files\Microsoft Money\System\reminder.exe
O4 - HKCU\..\Run: [Gadu-Gadu] C:\Program Files\Gadu-Gadu\powergg.exe /tray
O4 - Startup: Shortcut to Internet Explorer.lnk = ?
O4 - Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\MSWorks\Calendar\WKCALREM.EXE
O4 - Startup: HP OfficeJet Series 700 StartUp.lnk = C:\Program Files\HP OfficeJet Series 700\bin\HPOstr03.exe
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O12 - Plugin for .mov: C:\PROGRA~1\INTERN~1\PLUGINS\npqtw32.dll
O13 - DefaultPrefix: http://www.sexyque.com/cgi-bin/proliv/proliv.cgi?
O13 - WWW Prefix: http://www.sexyque.com/cgi-bin/proliv/proliv.cgi?
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37876.6961689815
- Status
- Not open for further replies.
1 - 9 of 9 Posts
Hmmm, is Russian porn better?? 
Just kidding you.
Give me some time to go over your log and make suggestions.
Just kidding you.Give me some time to go over your log and make suggestions.
on this entry
O4 - HKCU\..\Run: [Gadu-Gadu] C:\Program Files\Gadu-Gadu\powergg.exe /tray
the only things I can find on Google are non-english.
So unless you know what powergg.exe is, we will assume that it is part of your current problems.
O4 - HKCU\..\Run: [Gadu-Gadu] C:\Program Files\Gadu-Gadu\powergg.exe /tray
the only things I can find on Google are non-english.
So unless you know what powergg.exe is, we will assume that it is part of your current problems.
In Hijack This, check ALL of the following items. Double check so as to be sure not to miss a single one.
Next, close all browser Windows, and have HT fix all checked.
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.puh.ru/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.puh.ru/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.puh.ru/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://poczta.onet.pl/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.puh.ru/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.puh.ru/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://www.puh.ru/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://sexymafia.ru/page0.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.puh.ru/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.puh.ru/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://sexymafia.ru/page0.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.puh.ru/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://sexymafia.ru/page0.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.puh.ru/search.html
F1 - win.ini: load=C:\YDPDict\watch.exe
O4 - HKLM\..\Run: [PromulGate] "C:\Program Files\DelFin\PromulGate\PgMonitr.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - HKCU\..\Run: [Gadu-Gadu] C:\Program Files\Gadu-Gadu\powergg.exe /tray
O4 - Startup: Shortcut to Internet Explorer.lnk = ?
O13 - DefaultPrefix: http://www.sexyque.com/cgi-bin/proliv/proliv.cgi?
O13 - WWW Prefix: http://www.sexyque.com/cgi-bin/proliv/proliv.cgi?
IF you are running ME or XP Disable SYSTEM RESTORE : Here's How
Next reboot into Safe Mode and remove the following files and folders that are bolded
C:\Program Files\Gadu-Gadu\powergg.exe /tray
See here http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406 for how to start in safe mode if you don't know how.
While in Safe Mode, use Notepad to open win.ini and edit this line
Load=C:\YDPDict\watch.exe
So that it only reads
Load=
Reboot into normal mode
Now download Spybot - Search & Destroy (if you haven't got the program installed already)
After installing, first press Online, and search for, put a check mark at, and install all updates.
Next, close all Internet Explorer windows, hit 'Check for Problems', and have SpyBot remove/fix all it finds that are in RED
Reboot
Last, run HJT again and post your log again to see if anything was missed.
Thanks
Next, close all browser Windows, and have HT fix all checked.
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.puh.ru/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.puh.ru/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.puh.ru/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://poczta.onet.pl/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.puh.ru/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.puh.ru/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://www.puh.ru/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://sexymafia.ru/page0.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.puh.ru/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.puh.ru/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://sexymafia.ru/page0.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.puh.ru/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://sexymafia.ru/page0.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.puh.ru/search.html
F1 - win.ini: load=C:\YDPDict\watch.exe
O4 - HKLM\..\Run: [PromulGate] "C:\Program Files\DelFin\PromulGate\PgMonitr.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - HKCU\..\Run: [Gadu-Gadu] C:\Program Files\Gadu-Gadu\powergg.exe /tray
O4 - Startup: Shortcut to Internet Explorer.lnk = ?
O13 - DefaultPrefix: http://www.sexyque.com/cgi-bin/proliv/proliv.cgi?
O13 - WWW Prefix: http://www.sexyque.com/cgi-bin/proliv/proliv.cgi?
IF you are running ME or XP Disable SYSTEM RESTORE : Here's How
Next reboot into Safe Mode and remove the following files and folders that are bolded
C:\Program Files\Gadu-Gadu\powergg.exe /tray
See here http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406 for how to start in safe mode if you don't know how.
While in Safe Mode, use Notepad to open win.ini and edit this line
Load=C:\YDPDict\watch.exe
So that it only reads
Load=
Reboot into normal mode
Now download Spybot - Search & Destroy (if you haven't got the program installed already)
After installing, first press Online, and search for, put a check mark at, and install all updates.
Next, close all Internet Explorer windows, hit 'Check for Problems', and have SpyBot remove/fix all it finds that are in RED
Reboot
Last, run HJT again and post your log again to see if anything was missed.
Thanks
Here's another run:
Logfile of HijackThis v1.97.2
Scan saved at 1:11:55 AM, on 9/13/03
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSGLOOP.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\SYMANTEC\SAV8\RTVSCN95.EXE
C:\PROGRAM FILES\SYMANTEC\SAV8\DEFWATCH.EXE
C:\WINDOWS\SYSTEM\MSG32.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\ATICWD32.EXE
C:\WINDOWS\SYSTEM\ATITASK.EXE
C:\WINDOWS\SYSTEM\3dmoused.exe
C:\WINDOWS\SYSTEM\HPSYSDRV.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMKEYBD.EXE
C:\PROGRAM FILES\SYMANTEC\SAV8\VPTRAY.EXE
C:\PROGRAM FILES\MICROSOFT MONEY\SYSTEM\REMINDER.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\KEYBDMGR.EXE
C:\PROGRA~1\NETROPA\ONSCRE~1\OSD.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\UNZIPPED\HIJACKTHIS\HIJACKTHIS.EXE
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [AtiCwd32] Aticwd32.exe
O4 - HKLM\..\Run: [AtiKey] Atitask.exe
O4 - HKLM\..\Run: [HPScanPatch] C:\WINDOWS\SYSTEM\HPScanFix.exe
O4 - HKLM\..\Run: [Primax 3-D Mouse] 3dmoused.exe
O4 - HKLM\..\Run: [EAPCISetup] c:\windows\SYSTEM\wizard.exe c:\windows\SYSTEM
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [Keyboard Manager] C:\Program Files\Netropa\One-touch Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp3\winampa.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANTEC\SAV8\vptray.exe
O4 - HKLM\..\Run: [CriticalUpdate] c:\windows\SYSTEM\wucrtupd.exe -startup
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [TweakIco] c:\hp\support\tweakico.exe
O4 - HKLM\..\RunServices: [rtvscn95] C:\PROGRA~1\SYMANTEC\SAV8\rtvscn95.exe
O4 - HKLM\..\RunServices: [defwatch] C:\PROGRA~1\SYMANTEC\SAV8\defwatch.exe
O4 - HKCU\..\Run: [Reminder] C:\Program Files\Microsoft Money\System\reminder.exe
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O12 - Plugin for .mov: C:\PROGRA~1\INTERN~1\PLUGINS\npqtw32.dll
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37876.6961689815
Logfile of HijackThis v1.97.2
Scan saved at 1:11:55 AM, on 9/13/03
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSGLOOP.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\SYMANTEC\SAV8\RTVSCN95.EXE
C:\PROGRAM FILES\SYMANTEC\SAV8\DEFWATCH.EXE
C:\WINDOWS\SYSTEM\MSG32.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\ATICWD32.EXE
C:\WINDOWS\SYSTEM\ATITASK.EXE
C:\WINDOWS\SYSTEM\3dmoused.exe
C:\WINDOWS\SYSTEM\HPSYSDRV.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMKEYBD.EXE
C:\PROGRAM FILES\SYMANTEC\SAV8\VPTRAY.EXE
C:\PROGRAM FILES\MICROSOFT MONEY\SYSTEM\REMINDER.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\KEYBDMGR.EXE
C:\PROGRA~1\NETROPA\ONSCRE~1\OSD.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\UNZIPPED\HIJACKTHIS\HIJACKTHIS.EXE
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [AtiCwd32] Aticwd32.exe
O4 - HKLM\..\Run: [AtiKey] Atitask.exe
O4 - HKLM\..\Run: [HPScanPatch] C:\WINDOWS\SYSTEM\HPScanFix.exe
O4 - HKLM\..\Run: [Primax 3-D Mouse] 3dmoused.exe
O4 - HKLM\..\Run: [EAPCISetup] c:\windows\SYSTEM\wizard.exe c:\windows\SYSTEM
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [Keyboard Manager] C:\Program Files\Netropa\One-touch Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp3\winampa.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANTEC\SAV8\vptray.exe
O4 - HKLM\..\Run: [CriticalUpdate] c:\windows\SYSTEM\wucrtupd.exe -startup
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [TweakIco] c:\hp\support\tweakico.exe
O4 - HKLM\..\RunServices: [rtvscn95] C:\PROGRA~1\SYMANTEC\SAV8\rtvscn95.exe
O4 - HKLM\..\RunServices: [defwatch] C:\PROGRA~1\SYMANTEC\SAV8\defwatch.exe
O4 - HKCU\..\Run: [Reminder] C:\Program Files\Microsoft Money\System\reminder.exe
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O12 - Plugin for .mov: C:\PROGRA~1\INTERN~1\PLUGINS\npqtw32.dll
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37876.6961689815
Aaah, looks MUCH better!! :up:
Say hello to my friends down in DUNN a little south of you
Say hello to my friends down in DUNN a little south of you
Thanks for all your help!!!
1 - 9 of 9 Posts
- Status
- Not open for further replies.
Tech Support Guy
A forum community dedicated to tech experts and enthusiasts. Come join the discussion about articles, computer security, Mac, Microsoft, Linux, hardware, networking, gaming, reviews, accessories, and more!
Full Forum Listing
Explore Our Forums
