Hijack log...Thanks...

Fires_of_Sorrow · #1 (**permalink**) 16-11-2004, 12:10 AM

Logfile of HijackThis v1.98.2
Scan saved at 3:19:36 PM, on 11/15/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\ICQLITE\ICQLITE.EXE
C:\PROGRAM FILES\AVPERSONAL\AVGCTRL.EXE
C:\WINDOWS\REALTIME.EXE
C:\PROGRAM FILES\YAHOO!\MESSENGER\YPAGER.EXE
C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\WORKS SHARED\WKCALREM.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\NETSCAPE\NETSCAPE\NETSCP.EXE
C:\PROGRAM FILES\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://69.50.179.61/wow/se.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://69.50.179.61/wow/se.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://69.50.179.61/wow/se.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://69.50.179.61/wow/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = http://69.50.179.61/wow/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.comcast.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://69.50.179.61/wow/se.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://69.50.179.61/wow/se.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://69.50.179.61/wow/se.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://69.50.179.61/wow/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchURL = http://69.50.179.61/wow/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://69.50.179.61/wow/se.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://69.50.179.61/wow/se.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Int ernet Settings,ProxyServer = :0
R3 - URLSearchHook: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\PROGRAM FILES\ICQTOOLBAR\TOOLBAR.DLL
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.com/bookmark/7_2/home.html"); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\n0w9q4qx.slt\prefs.j s)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CPROGRAM%20FILES%5CNETSCAPE%5CNETSCAPE%5Csea rchplugins%5CSBWeb_01.src"); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\n0w9q4qx.slt\prefs.j s)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\PROGRAM FILES\ICQTOOLBAR\TOOLBAR.DLL
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [ICQ Lite] C:\Program Files\ICQLite\ICQLite.exe -minimize
O4 - HKLM\..\Run: [Windows OLE Automation Server] C:\WINDOWS\system32\ole32aut.vbe
O4 - HKLM\..\Run: [AVGCtrl] C:\PROGRAM FILES\AVPERSONAL\AVGCTRL.EXE /min
O4 - HKLM\..\Run: [PCDRealtime] C:\WINDOWS\realtime.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [Windows OLE Automation Server] C:\WINDOWS\system32\ole32aut.vbe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [Windows OLE Automation Server] C:\WINDOWS\system32\ole32aut.vbe
O4 - HKCU\..\RunServices: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\RunServices: [Windows OLE Automation Server] C:\WINDOWS\system32\ole32aut.vbe
O4 - HKCU\..\RunOnce: [ICQ Lite] C:\PROGRAM FILES\ICQLITE\ICQLITE.EXE -trayboot
O4 - Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
O8 - Extra context menu item: &ICQ Toolbar Search - res://C:\PROGRAM FILES\ICQTOOLBAR\TOOLBAR.DLL/SEARCH.HTML
O9 - Extra button: ICQ 4 - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES0521.DLL
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES0521.DLL
O9 - Extra button: ComcastHSI - {A5EA9F20-2C21-11D9-BBA6-0040053FFBF2} - http://www.comcast.net/ (file missing) (HKCU)
O9 - Extra button: Help - {A5EA9F21-2C21-11D9-BBA6-0040053FFBF2} - http://online.comcast.net/help/ (file missing) (HKCU)
O9 - Extra button: Support - {A5EA9F22-2C21-11D9-BBA6-0040053FFBF2} - http://www.comcastsupport.com/ (file missing) (HKCU)
O13 - WWW Prefix: http://69.50.191.50/?
O14 - IERESET.INF: START_PAGE_URL=http://www.comcast.net/

Fires_of_Sorrow · #2 (**permalink**) 16-11-2004, 12:11 AM

I just got this computer from a friend and i have no idea how to get it to work properly. Any help is greatly appreciated.

owen · #3 (**permalink**) 16-11-2004, 11:48 PM

Hiya

Close all browser windows, restart Hijack This and put a checkmark next to the following entries:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://69.50.179.61/wow/se.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://69.50.179.61/wow/se.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://69.50.179.61/wow/se.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://69.50.179.61/wow/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = http://69.50.179.61/wow/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://69.50.179.61/wow/se.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://69.50.179.61/wow/se.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://69.50.179.61/wow/se.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://69.50.179.61/wow/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchURL = http://69.50.179.61/wow/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://69.50.179.61/wow/se.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://69.50.179.61/wow/se.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
O4 - HKLM\..\Run: [Windows OLE Automation Server] C:\WINDOWS\system32\ole32aut.vbe
O4 - HKLM\..\RunServices: [Windows OLE Automation Server] C:\WINDOWS\system32\ole32aut.vbe
O4 - HKCU\..\Run: [Windows OLE Automation Server] C:\WINDOWS\system32\ole32aut.vbe
O4 - HKCU\..\RunServices: [Windows OLE Automation Server] C:\WINDOWS\system32\ole32aut.vbe
O13 - WWW Prefix: http://69.50.191.50/?

Click Fix Checked

Then boot into Safe Mode and ensure that you are showing Hidden Files and Folders.

Delete the following files and folders:
C:\WINDOWS\system32\ole32aut.vbe

Reboot and post a fresh log

Fires_of_Sorrow · #4 (**permalink**) 17-11-2004, 09:46 AM

new hijack log

Logfile of HijackThis v1.98.2
Scan saved at 12:55:19 AM, on 11/17/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\ICQLITE\ICQLITE.EXE
C:\PROGRAM FILES\AVPERSONAL\AVGCTRL.EXE
C:\WINDOWS\REALTIME.EXE
C:\PROGRAM FILES\YAHOO!\MESSENGER\YPAGER.EXE
C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\WORKS SHARED\WKCALREM.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\HIJACKTHIS.EXE

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.comcast.net/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Int ernet Settings,ProxyServer = :0
R3 - URLSearchHook: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\PROGRAM FILES\ICQTOOLBAR\TOOLBAR.DLL
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.com/bookmark/7_2/home.html"); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\n0w9q4qx.slt\prefs.j s)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CPROGRAM%20FILES%5CNETSCAPE%5CNETSCAPE%5Csea rchplugins%5CSBWeb_01.src"); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\n0w9q4qx.slt\prefs.j s)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\PROGRAM FILES\ICQTOOLBAR\TOOLBAR.DLL
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [ICQ Lite] C:\Program Files\ICQLite\ICQLite.exe -minimize
O4 - HKLM\..\Run: [AVGCtrl] C:\PROGRAM FILES\AVPERSONAL\AVGCTRL.EXE /min
O4 - HKLM\..\Run: [PCDRealtime] C:\WINDOWS\realtime.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\RunServices: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\RunOnce: [ICQ Lite] C:\PROGRAM FILES\ICQLITE\ICQLITE.EXE -trayboot
O4 - Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
O8 - Extra context menu item: &ICQ Toolbar Search - res://C:\PROGRAM FILES\ICQTOOLBAR\TOOLBAR.DLL/SEARCH.HTML
O9 - Extra button: ICQ 4 - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES0521.DLL
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES0521.DLL
O9 - Extra button: ComcastHSI - {A5EA9F20-2C21-11D9-BBA6-0040053FFBF2} - http://www.comcast.net/ (file missing) (HKCU)
O9 - Extra button: Help - {A5EA9F21-2C21-11D9-BBA6-0040053FFBF2} - http://online.comcast.net/help/ (file missing) (HKCU)
O9 - Extra button: Support - {A5EA9F22-2C21-11D9-BBA6-0040053FFBF2} - http://www.comcastsupport.com/ (file missing) (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://www.comcast.net/

Fires_of_Sorrow · #5 (**permalink**) 18-11-2004, 04:39 AM

Thank you for all your help. Between my original post that told me to post here and hijack this logs, my problem has been solved. Thanks again for your helpl J

owen · #6 (**permalink**) 21-11-2004, 12:00 AM

Preventing it returning

After your problem has been resolved on the forum, it is an absoulute MUST to do the following steps to prevent the problem returning. Click on the link to get access to the software or webpage that I'm referring to.

1. Visit Windows Update
Pay a visit to Windows Update and scan for and download ALL Critical Updates and Service Packs. New updates are usually released monthly so check back to Windows Update every month.

2. Download Antivirus Software-
If you haven't already got Antivirus software, you should download and install AVG Antivirus. It is freeware and is updated nearly every 2 days (sometimes more frequently if there are a lot of new viruses) and in my opinion, is better than some Antivirus software such as Norton. Antivirus software will prevent viruses infecting your system and it is important that you update it every two days or every week at the most.

3. Download a Firewall-
If you haven't already got a firewall, it is Very important that you download one. Firewalls will prevent unauthorised access to your computer and stop data leaking out of your computer. You may think that it won't happen to you, but Hackers don't care who you are, what you do, where you live or what you had for tea last Sunday on your holiday in the Lake District, they want your data. Firewalls will keep these sneaks out and one of the best is Sygate Personal Firewall, which happens to be freeware.

4. Spyware Scanners-
It is important that as well as having real time spyware protection, you have a spyware scanning application. If you have not already been told to download one earlier in this thread, it is a good idea to download Spybot Search And Destroy and Ad-aware. They are both spyware scanners and will search for a remove spyware. It is recommended that you have both, because one will pick up entries that the other misses. It is even a good idea to download these if you have other programs such as ASE, Spysweeper, Pest Patrol, etc, because one spyware scanner will not pick up everything. Please remember to update your spyware scanners weekly/fortnightly.

5. Prevent Spyware slipping through Internet Explorer-
Quite a lot of spyware slips through Internet Explorer if your settings are not tight enough. Spyware Blaster will help you prevent spyware slipping through and installing tracking cookies. Simply run it via Start> Programs> Spyware Blaster and click Enable All Protection and it will protect you. It doesn't even have to be open! Remember to update weekly/fortnightly.

6. Constant Spyware Protection-
It is important to have constant spyware protection. Spyware Guard works like an antivirus program but detects Spyware instead. It will constantly protect your system. Check for updates monthly.

All Of these steps are very important and it is HIGHLY recommended that you download all of the programs mentioned for your own safety. Remember to Update everything (including Windows using Windows Update)! It is also a good idea to perform weekly/fortnightly scans with Spybot S&D, Ad-aware and your antivirus software.

And last of all, please remember, that common sense is your greatest tool. Without it, spyware and other related Malware would rule!

Fires_of_Sorrow · #7 (**permalink**) 22-11-2004, 09:42 PM

i have anti-virus and spyware remover. And a firewall. That happened before I got them downloaded. Thanks again for the help. It is greatly appreciated. without it i wouldn't have a computer. Thanks again. Fires.

owen · #8 (**permalink**) 22-11-2004, 10:36 PM

Brilliant