-
December 20th, 2004, 06:06 PM
#1
i need help
there is a virus or trojan or something in my computer, i thought i removed it but it still comes back, here is the hijack this log thanks:
Logfile of HijackThis v1.99.0
Scan saved at 5:01:01 PM, on 12/20/04
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\MOUSE\SYSTEM\EM_EXEC.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\PROGRAM FILES\WINDOWS SERVEAD\WINSERVAD.EXE
C:\WINDOWS\TEMP\11F2.TMP.EXE
C:\PROGRAM FILES\YAHOO!\MESSENGER\YPAGER.EXE
C:\PROGRAM FILES\WINDOWS SERVEAD\WINSERVSUIT.EXE
C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
C:\PROGRAM FILES\OUTLOOK EXPRESS\MSIMN.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\UNZIPPED\HIJACKTHIS[1]\HIJACKTHIS.EXE
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system\fxvza.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system\fxvza.dll/sp.html#28129
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system\fxvza.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system\fxvza.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system\fxvza.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system\fxvza.dll/sp.html#28129
R3 - Default URLSearchHook is missing
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [EM_EXEC] c:\mouse\system\em_exec.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Windows ServeAd] C:\PROGRAM FILES\WINDOWS SERVEAD\WINSERVAD.EXE
O4 - HKLM\..\Run: [11F2.TMP] C:\WINDOWS\TEMP\11F2.TMP.exe 0 28129
O4 - HKLM\..\Run: [11F2.TMP.EXE] C:\WINDOWS\TEMP\11F2.TMP.EXE 0 28129
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRAM FILES\YAHOO!\MESSENGER\ypager.exe -quiet
O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: AltaVista Home - http://jump.altavista.com/avie5/home
O8 - Extra context menu item: AV Search This Term - http://jump.altavista.com/avie5/search
O8 - Extra context menu item: AV Translate this Web Page - http://jump.altavista.com/avie5/babelfish
O8 - Extra context menu item: AV Translate Selection - http://jump.altavista.com/avie5/babelfish
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: (no name) - {06FE5D00-8F11-11d2-804F-00105A133818} - http://jump.altavista.com/avie5/home (file missing)
O9 - Extra 'Tools' menuitem: &AltaVista Home - {06FE5D00-8F11-11d2-804F-00105A133818} - http://jump.altavista.com/avie5/home (file missing)
O9 - Extra button: Translate - {06FE5D05-8F11-11d2-804F-00105A133818} - http://jump.altavista.com/avie5/babelfish (file missing)
O9 - Extra 'Tools' menuitem: AV &Translate - {06FE5D05-8F11-11d2-804F-00105A133818} - http://jump.altavista.com/avie5/babelfish (file missing)
O9 - Extra button: (no name) - {06FE5D02-8F11-11d2-804F-00105A133818} - http://jump.altavista.com/avie5/linksearch (file missing)
O9 - Extra 'Tools' menuitem: &Find Pages Linking to this URL - {06FE5D02-8F11-11d2-804F-00105A133818} - http://jump.altavista.com/avie5/linksearch (file missing)
O9 - Extra button: (no name) - {06FE5D03-8F11-11d2-804F-00105A133818} - http://jump.altavista.com/avie5/hostsearch (file missing)
O9 - Extra 'Tools' menuitem: Find Other Pages on this &Host - {06FE5D03-8F11-11d2-804F-00105A133818} - http://jump.altavista.com/avie5/hostsearch (file missing)
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm (file missing)
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm (file missing)
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O14 - IERESET.INF: START_PAGE_URL=http://www.cox.net
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.static.topconverting.com
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O15 - Trusted Zone: *.static.topconverting.com (HKLM)
O15 - Trusted IP range: 206.161.125.149 (HKLM)
O16 - DPF: {BB95299D-B65B-47E0-8DDB-697A66298C3A} (UniVoiceX Control) - http://webcamnow.com/fs5/voice/voice.cab
-
December 20th, 2004, 06:32 PM
#2
Registered User
you got too much junk to begin to list here.
first go here and run Adaware, Spybot S&D, and Spywareblaster.
After they've fixed all that stuff, rerun Hijack this and get a new logfile, and post it into this analyser.
"And just when I thought today couldn't get anymore poo-like." -Outcoded
-
December 21st, 2004, 01:12 AM
#3
still problems
i did all of that and still have this trusted zone and trusted ip **** that wont fix there is also a file winservad that wont delete, here is the current hijackthis log:
Logfile of HijackThis v1.99.0
Scan saved at 12:00:04 AM, on 12/21/04
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\MOUSE\SYSTEM\EM_EXEC.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\PROGRAM FILES\YAHOO!\MESSENGER\YPAGER.EXE
C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\UNZIPPED\HIJACKTHIS[1]\HIJACKTHIS.EXE
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Cox High Speed Internet
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [EM_EXEC] c:\mouse\system\em_exec.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Windows ServeAd] C:\PROGRAM FILES\WINDOWS SERVEAD\WINSERVAD.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRAM FILES\YAHOO!\MESSENGER\ypager.exe -quiet
O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.static.topconverting.com
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O15 - Trusted Zone: *.static.topconverting.com (HKLM)
O15 - Trusted IP range: 206.161.125.149
O15 - Trusted IP range: 206.161.124.130 (HKLM)
-
December 21st, 2004, 09:37 AM
#4
Registered User
Have you tried removing in safe mode? If that doesn't work, you could modify your hosts file to block access to those sites/ip's (associate the addresses w/ 127.0.0.1).
Probability factor of one to one...we have normality, I repeat we have normality. Anything you still can't cope with is therefore your own problem.
-
December 21st, 2004, 11:19 AM
#5
Originally Posted by hudsonsmith
Have you tried removing in safe mode? If that doesn't work, you could modify your hosts file to block access to those sites/ip's (associate the addresses w/ 127.0.0.1).
THE ADDRESSES IN THE HOSTS FILE ALL HAVE 127.0.0.1 MOST OF THEM ARE UNWANTED SITES. THE LIST HAS ABOUT 200 SITES ON IT, SHOULD I DELETE THEM OR CHANGE THEM OR WHAT?
-
December 21st, 2004, 11:57 AM
#6
Registered User
Originally Posted by slush2003
THE ADDRESSES IN THE HOSTS FILE ALL HAVE 127.0.0.1 MOST OF THEM ARE UNWANTED SITES. THE LIST HAS ABOUT 200 SITES ON IT, SHOULD I DELETE THEM OR CHANGE THEM OR WHAT?
All caps are not necessary. If it were me I would begin my lovely Windows experience all over again with a fresh format and a fresh reinstall of the OS.
That will undoubltly solve the problem.
-
December 21st, 2004, 03:24 PM
#7
Registered User
Originally Posted by slush2003
THE ADDRESSES IN THE HOSTS FILE ALL HAVE 127.0.0.1 MOST OF THEM ARE UNWANTED SITES. THE LIST HAS ABOUT 200 SITES ON IT, SHOULD I DELETE THEM OR CHANGE THEM OR WHAT?
Leave them alone - by setting addresses to 127.0.0.1, it blocks access to them. You want to add the problematic ip/web addresses to your hosts file with 127.0.0.1 assigned to them.
Probability factor of one to one...we have normality, I repeat we have normality. Anything you still can't cope with is therefore your own problem.
-
December 21st, 2004, 04:07 PM
#8
Originally Posted by xsrvx
All caps are not necessary. If it were me I would begin my lovely Windows experience all over again with a fresh format and a fresh reinstall of the OS.
That will undoubltly solve the problem.
is that your answer to every problem?
-
December 21st, 2004, 06:05 PM
#9
Registered User
If you have sites showing up as a Trusted Zone. You can go to Internet Explorer->Tools->Internet Options, then on the Security Tab, highlite the Trusted Sites Icon, then click the sites button below it.
From that box highlite any sites you want to remove outta the trusted zone and click the remove button. After that OK your way outta everything, and you shoooooould be OK.
Then run Hijack This again and they should be gone, if not, then either you did something wrong, or Spyware on your system put them back in there.
Then you should get rid of "HKLM\..\Run: [Windows ServeAd] C:\PROGRAM FILES\WINDOWS SERVEAD\WINSERVAD.EXE"
I would suggest using Startup Control Panel from here, and disable or delete the winserverad.exe entry from the HKLM/RUN tab.
Then run Hijack This again and that should be gone, if not, then either you did something wrong, or Spyware on your system put that registry entry back in there.
Then post back and let us know.
"And just when I thought today couldn't get anymore poo-like." -Outcoded
Posting Permissions
- You may not post new threads
- You may not post replies
- You may not post attachments
- You may not edit your posts
-
Forum Rules
|
|
Bookmarks