Hijack log

  1. #1
    Registered User
    Join Date
    Aug 2004
    Posts
    2

    spybot won't remove dso exploit

    Hey,
    Firstly I'd like to thank NooNoo for posting how to get rid of that pesky DSO Exploit, it got rid of it. I also used the same sort of method to delete another virus, Hellz little spy. Anyway, every time I try to get into my Yahoo account, it keeps redirecting me to a page like www.windowws.com or something. Then some pop-up says that my computer is infected and I can't get my Yahoo email. Anyway, here's my HijackThis log. Can somebody tell me which files I should delete please? Thanks in advance.

    Logfile of HijackThis v1.98.2
    Scan saved at 9:14:23 PM, on 8/11/04
    Platform: Windows 98 Gold (Win9x 4.10.1998)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\ATICWD32.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\PROGRAM FILES\ONLINE SERVICES\PRODIGY\BIN\PIDUNHK.EXE
    C:\CYBERTRIO\SHOWMODE.EXE
    C:\WARNER\WARNER.EXE
    C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
    C:\WINDOWS\RUNDLL32.EXE
    C:\WINDOWS\SYSTEM\TAPISRV.EXE
    C:\WINDOWS\SYSTEM\RNAAPP.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\PROGRAM FILES\JUNO\BIN\JUNO.EXE
    C:\MY DOCUMENTS\HIJACKTHIS\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://my.juno.com/s/search?r=minisearch
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://my.juno.com/s/search?r=minisearch
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.windowws.cc/hp.htm?id=632
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://my.juno.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://my.juno.com/s/search?r=minisearch
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://my.juno.com/s/search?r=minisearch
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://my.juno.com/s/search?r=minisearch
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://my.juno.com/s/search?r=minisearch
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Juno Online Services, Inc.
    F1 - win.ini: run=c:\windows\options\systools\cyxid98.exe
    O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINDOWS\SYSTEM\KVDYEEPF5CEN.DLL
    O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
    O4 - HKLM\..\Run: [AtiCwd32] Aticwd32.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [PiDunHk] "C:\PROGRAM FILES\ONLINE SERVICES\PRODIGY\BIN\PIDUNHK.EXE"
    O4 - HKLM\..\Run: [QuickenSEMessage] C:\QUICKENW\QSEMSG.EXE
    O4 - HKLM\..\Run: [BillMinder] C:\QUICKENW\BILLMIND.EXE
    O4 - HKLM\..\Run: [CyberTrioModeInfo] C:\CyberTrio\ShowMode.exe
    O4 - HKLM\..\Run: [Warner] C:\Warner\Warner.exe
    O4 - HKLM\..\Run: [FontFix] c:\windows\options\systools\fntfix.exe
    O4 - HKLM\..\Run: [SystemWizard Sniffer] C:\Program Files\Common Files\SystemSoft\sniffer.exe
    O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
    O4 - HKLM\..\Run: [MMHID] rundll32 mmhid.dll,StartMmHid
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [romahere] C:\WINDOWS\SYSTEM\MATRIXHERE.EXE
    O4 - HKLM\..\Run: [pnpsvc_lock] C:\WINDOWS\SYSTEM\3637127.EXE
    O4 - HKLM\..\Run: [STOPzilla] "c:\Program Files\STOPzilla!\Stopzilla.exe" /autorun
    O4 - HKCU\..\Run: [spc_w] "C:\Program Files\JUSearch\hcm.exe" -w
    O4 - HKCU\..\Run: [uninstal] regsvr32 /u /s image.dll
    O4 - HKCU\..\Run: [romahere] C:\WINDOWS\SYSTEM\MATRIXHERE.EXE
    O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://my.juno.com

  2. #2
    Driver Terrier NooNoo
    Join Date
    Dec 2000
    Location
    UK
    Posts
    31,824
    I have split off your post from the dso exploit thread as your hijack log has nothing to do with the dso problem.

    You are using Juno which, I understand, is adware and as such, if you remove the adware, you will remove your ability to connect to the internet with Juno.

    F1 - win.ini: run=c:\windows\options\systools\cyxid98.exe
    is one I cannot find any good info on...

    I suggest you get HijackThis to make a backup and then uncheck that one and see if things improve.

    sniffer exe is a pest

    matrixhere is a trojan

    O4 - HKLM\..\Run: [pnpsvc_lock] C:\WINDOWS\SYSTEM\3637127.EXE may be part of matrixhere...

    If you have another ISP then it would be easier to be able to kill all the Juno stuff as well.
    Never, ever approach a computer saying or even thinking "I will just do this quickly."

  3. #3
    Registered User InTheWayBoy
    Join Date
    Feb 2000
    Location
    Jacksonville, FL USA
    Posts
    435
    I would remove these and then download and update SpyBot 1.3 and run that

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.windowws.cc/hp.htm?id=632

    O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINDOWS\SYSTEM\KVDYEEPF5CEN.DLL

    O4 - HKLM\..\Run: [romahere] C:\WINDOWS\SYSTEM\MATRIXHERE.EXE

    O4 - HKCU\..\Run: [uninstal] regsvr32 /u /s image.dll
    O4 - HKCU\..\Run: [romahere] C:\WINDOWS\SYSTEM\MATRIXHERE.EXE



    These I would all remove for system speed/performance:

    O4 - HKLM\..\Run: [AtiCwd32] Aticwd32.exe
    O4 - HKLM\..\Run: [PiDunHk] "C:\PROGRAM FILES\ONLINE SERVICES\PRODIGY\BIN\PIDUNHK.EXE"
    O4 - HKLM\..\Run: [QuickenSEMessage] C:\QUICKENW\QSEMSG.EXE
    O4 - HKLM\..\Run: [BillMinder] C:\QUICKENW\BILLMIND.EXE
    O4 - HKLM\..\Run: [CyberTrioModeInfo] C:\CyberTrio\ShowMode.exe
    O4 - HKLM\..\Run: [Warner] C:\Warner\Warner.exe
    O4 - HKLM\..\Run: [SystemWizard Sniffer] C:\Program Files\Common Files\SystemSoft\sniffer.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [pnpsvc_lock] C:\WINDOWS\SYSTEM\3637127.EXE


    Sniffer.exe, at least the one you have, is an older system diagnostic utility...so it's not spyware, but I'm sure it's useless anyways. This is an older Packard Bell or NEC ain't it?
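
Added example, not part of any post in this thread: a small Python parser for the HijackThis line format shown above, with a few triage heuristics that surface candidates for manual review. The heuristics and the function names `parse` and `review_candidates` are assumptions made for illustration, not HijackThis's own logic; the sample lines are a subset copied from the log in post #1.

```python
import re
from collections import Counter
from urllib.parse import urlparse

# Lines copied from the log posted in this thread (a subset).
SAMPLE = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://my.juno.com/s/search?r=minisearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.windowws.cc/hp.htm?id=632
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://my.juno.com
O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINDOWS\SYSTEM\KVDYEEPF5CEN.DLL
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [romahere] C:\WINDOWS\SYSTEM\MATRIXHERE.EXE
O4 - HKLM\..\Run: [pnpsvc_lock] C:\WINDOWS\SYSTEM\3637127.EXE
O4 - HKCU\..\Run: [romahere] C:\WINDOWS\SYSTEM\MATRIXHERE.EXE
"""

ENTRY = re.compile(r"^([A-Z]\d+) - (.*)$")                  # "O4 - <body>"
RUN = re.compile(r"^(HK\w+)\\\.\.\\Run: \[([^\]]+)\] (.*)$")  # hive, value name, command

def parse(text):
    """Return (section, body) pairs for every HijackThis entry line."""
    return [m.groups() for m in map(ENTRY.match, map(str.strip, text.splitlines())) if m]

def review_candidates(text):
    """Return {entry body: reason} for entries worth a manual look (assumed heuristics)."""
    entries, found = parse(text), {}
    urls = [(b, urlparse(b.rsplit(" = ", 1)[1]).hostname)
            for s, b in entries if s in ("R0", "R1") and " = http" in b]
    common = Counter(h for _, h in urls).most_common(1)
    for body, host in urls:
        if common and host != common[0][0]:
            found[body] = "IE setting points at a host the other settings do not use"
    runs = [(b, RUN.match(b)) for s, b in entries if s == "O4"]
    names = Counter(m.group(2) for _, m in runs if m)
    for body, m in runs:
        if not m:
            continue
        stem = m.group(3).rsplit("\\", 1)[-1].split(".")[0]
        if names[m.group(2)] > 1:
            found[body] = "same Run value registered under both HKLM and HKCU"
        elif stem.isdigit():
            found[body] = "autorun executable with an all-digit file name"
    for s, b in entries:
        if s == "O2" and b.startswith("BHO: (no name)"):
            found[b] = "browser helper object with no registered name"
    return found
```

On the sample, `review_candidates(SAMPLE)` returns the Start Page entry, the unnamed BHO, both `romahere` entries and `pnpsvc_lock`, and leaves `TaskMonitor` alone.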

  4. #4
    Registered User
    Join Date
    Aug 2004
    Posts
    2

    Thank you everybody!!!!!!!!!!!!!!

    Thanks,
    I did exactly what you said, and I got rid of the trojan, and everything else to improve my speed on my computer!!!!!

    Yes, this is an older type computer. Packard Bell. I bought it in 98. Haha, an oldie, but a goodie. I also manually put some memory on the computer and now it works great. Thanks again for all the help, I appreciate it.

    No more annoying pop-ups on my Internet Explorer, so I can now check my Yahoo mail.

    Awesome.


    Can't thank you guys enough.
