Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

Here is my logfile - what do I do now?

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

Here is my logfile - what do I do now?

Unread postby hermes » September 5th, 2005, 1:43 pm

Logfile of HijackThis v1.99.1
Scan saved at 18:07:23, on 05/09/2005
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\PROGRAM FILES\NORTON UTILITIES\NPROTECT.EXE
C:\PROGRAM FILES\NORTON CLEANSWEEP\CSINJECT.EXE
C:\PROGRAM FILES\MESSENGER PLUS! 3\MSGPLUS.EXE
C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\D4\D4.EXE
C:\WINDOWS\LOADQM.EXE
C:\WINDOWS\SYSTEM\INTERNAT.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\PROGRAM FILES\ARES\ARES.EXE
C:\PROGRAM FILES\INTENSE LANGUAGE OFFICE\COMMON\OFFMAN.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\WINDOWS\EXPLORER.EXE
C:\UNZIPPED\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.yyep.com/search/search02.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.hjxobtldehfdjctn.info/y9krgS ... Gjpj/e.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: (no name) - {A9A780FF-5136-24E5-2167-5B86536C53EA} - C:\WINDOWS\APPLICATION DATA\GREY NAME MEET\HTM POP.EXE
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [mdac_runonce] C:\WINDOWS\SYSTEM\runonce.exe
O4 - HKLM\..\Run: [Dimension4] C:\PROGRAM FILES\D4\D4.EXE
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [NPROTECT] C:\Program Files\Norton Utilities\NPROTECT.EXE
O4 - HKLM\..\Run: [RegisterDropHandler] C:\PROGRAM FILES\TEXTBRIDGE PRO 9.0\Bin\RegisterDropHandler.exe
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [CriticalUpdate] C:\WINDOWS\SYSTEM\wucrtupd.exe -startup
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Intense Registry Service] IntEdReg.exe /CHECK
O4 - HKLM\..\Run: [OmgStartup] C:\Program Files\Common Files\Sony Shared\OpenMG\OmgStartup.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\Run: [ICSDCLT] C:\WINDOWS\rundll32.exe C:\WINDOWS\SYSTEM\icsdclt.dll,ICSClient
O4 - HKLM\..\Run: [DEFYWAVEVIEWANTI] C:\WINDOWS\Application Data\titletransdefywave\Extra Dog.exe
O4 - HKLM\..\RunServices: [NPROTECT] C:\Program Files\Norton Utilities\NPROTECT.EXE
O4 - HKLM\..\RunServices: [CSINJECT.EXE] C:\Program Files\Norton CleanSweep\CSINJECT.EXE
O4 - HKLM\..\RunServices: [RegisterDropHandler] C:\PROGRAM FILES\TEXTBRIDGE PRO 9.0\Bin\RegisterDropHandler.exe
O4 - HKLM\..\RunServices: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakLogon
O4 - HKLM\..\RunServices: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe"
O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKCU\..\Run: [ILO_Office_Manager] IntEdReg.exe /OFFMAN
O4 - HKCU\..\Run: [ares] "C:\PROGRAM FILES\ARES\ARES.EXE" -h
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [Bin New] C:\WINDOWS\APPLIC~1\GREATH~1\Sixth Bone Trust.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE" /background
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmwordtrans.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsimilar.html
O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate Page into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmtrans.html
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Copernic - {2A465936-E5F0-11D2-91B5-00104B9C4765} - C:\WINDOWS\SYSTEM\SHDOCVW.DLL
O9 - Extra button: (no name) - {2A465934-E5F0-11D2-91B5-00104B9C4765} - C:\WINDOWS\SYSTEM\SHDOCVW.DLL
O9 - Extra 'Tools' menuitem: Launch Copernic - {2A465934-E5F0-11D2-91B5-00104B9C4765} - C:\WINDOWS\SYSTEM\SHDOCVW.DLL
O9 - Extra button: Translate - {99EFB53C-C965-43CF-9F45-52242D134187} - file://C:\Program Files\Copernic 2000\Translate.htm (file missing)
O9 - Extra 'Tools' menuitem: &Translate Using Gist-In-Time - {99EFB53C-C965-43CF-9F45-52242D134187} - file://C:\Program Files\Copernic 2000\Translate.htm (file missing)
O16 - DPF: {DB1F089D-F410-11D3-A316-006008134E84} (CombinedTerm.desInput) - http://exweb.exchange.uk.com/clientbina ... urance.CAB
O16 - DPF: {A74D724A-AB17-11D2-A96A-006097E20477} (eXwebUtils.HTMLUtils) - http://exweb.exchange.uk.com/clientbina ... bUtils.CAB
O16 - DPF: {E7FF5332-854E-11D2-A952-006097E20477} (eXwebOccList.clsOccRes) - http://exweb.exchange.uk.com/clientbina ... webOcc.CAB
O16 - DPF: {91F82BFF-F70C-11D2-BB68-0008C7E9C2C6} (TEXNBSHELL.ProposalForm) - http://exweb.exchange.uk.com/texonline/ ... bshell.cab
O16 - DPF: {2F6A847E-2EC2-11D3-AE1B-00508B014C1D} (Parser Class) - http://exweb.exchange.uk.com/clientbina ... Parser.cab
O16 - DPF: {DB797690-40E0-11D2-9BD5-0060082AE372} (Xceed Zip Control v4.1) - http://exweb.exchange.uk.com/clientbina ... eedZip.cab
O16 - DPF: {8E95B0CA-EB6F-11D3-979B-00508B64538B} (VersionInfo.clsVersionInfo) - http://exweb.exchange.uk.com/clientBina ... onInfo.CAB
O16 - DPF: {E9C9692E-F93C-11D1-ABB0-0040054FC6FB} (ProtoView DataTable Control 7.0 (OLEDB)) - http://exweb.exchange.uk.com/clientBinaries/pvdt70.CAB
O16 - DPF: {446A5950-33BC-11D3-82BC-0008C78A797E} - http://exweb.exchange.uk.com/download/free/eXUtils.CAB
O16 - DPF: {5A1BE570-32EA-11D4-898A-0008C7BB7484} (CTP Quotes Update) - http://exweb.exchange.uk.com/download/update/quotes.cab
O16 - DPF: {F952EDBD-84EF-11D5-8F0C-0008C7E9C2C6} (exchange Scripting Update) - http://exweb.exchange.uk.com/download/u ... update.CAB
O16 - DPF: {786F41FA-AC32-11D5-9B73-00508B6BAAB3} (exWebStopper.texexweb) - http://exweb.exchange.uk.com/download/u ... topper.CAB
O16 - DPF: {0089F6EE-ED54-11D5-B0E7-00508B014C1D} (ExWebClientUtils Class) - http://exweb.exchange.uk.com/clientbinaries/texInfo.CAB
O16 - DPF: {A98277A1-A141-11D5-98B9-00508B64538B} (Complist2 Class) - http://exweb.exchange.uk.com/clientbina ... stCtl2.CAB
O16 - DPF: {ABF92614-EBA5-11D3-A315-006008134E84} (Annuities.dsrMain) - http://exweb.exchange.uk.com/clientbinaries/ann_GD.CAB
O16 - DPF: {9C134253-E8A3-4759-9F98-302B7981922E} (MaxViewer Class) - http://support.scansoft.com/pp/files/np_max.cab
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - http://exweb.exchange.uk.com/clientbinaries/msxml4.CAB
O16 - DPF: {DDECE2F5-AF1F-44E7-B37F-96B6630F5C60} (PrintComponent.clsVersionInfo) - http://exweb.exchange.uk.com/clientbina ... intdll.CAB
O16 - DPF: {08F04139-8DFC-11D2-80E9-006008B066EE} (ConfigChkr Class) - https://www.osis.uk.com/vscnfchk.cab
O16 - DPF: {0E59F1D5-1FBE-11D0-8FF2-00A0D10038BC} (ScriptControl Object) - http://exweb.exchange.uk.com/texonline/ ... SCRIPT.CAB
O16 - DPF: {E0DE65BF-4655-11D3-BBBB-0008C7E9C2C6} (TEXInstall.InstallForm) - http://exweb.exchange.uk.com/texonline/ ... nstall.CAB
O16 - DPF: {AB5ED422-DE26-11D3-AD7A-0050044495F0} (WholeLife.desWOLBlank) - http://exweb.exchange.uk.com/clientbina ... leLife.CAB
O16 - DPF: {7B5A1CB7-2E01-11D7-90C1-0008C7E9C2C6} (PHI.desInput) - http://exweb.exchange.uk.com/clientbinaries/PHI.CAB
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.real.com/099ceba7bc2 ... xIE601.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me ... Client.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/So ... owdown.cab
O16 - DPF: ChatSpace Full Java Client 3.1.0.235N - http://205.177.13.60/Java/cfsn31235.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/ms ... b27571.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004 ... scan53.cab
O16 - DPF: {30CE93AE-4987-483C-9ABE-F2BD5301AB70} - http://64.158.165.143/100039/uk/gegames/geaccess.exe
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZI ... b32846.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me ... b31267.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/Mi ... b31267.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 62.30.112.39,194.117.134.19,62.30.0.39
hermes
Active Member
 
Posts: 1
Joined: September 5th, 2005, 1:39 pm
Advertisement
Register to Remove

Unread postby Acynic » September 6th, 2005, 5:22 pm

Hello hermes and welcome to malware removal.

HijackThis logs take some time to research and I will post back as soon as I have done so.

Thanks,

Acynic
Acynic
Regular Member
 
Posts: 59
Joined: June 28th, 2005, 6:26 pm

Unread postby Acynic » September 8th, 2005, 4:21 pm

Hello hermes and welcome to MalWare Removal,

My name is Acynic, and I will be helping with your log. Before beginning work on your log, please keep a couple of ground rules in mind. If you are having difficulties, please stop and ask questions. Post any responses back in this thread; do not start a new topic.

Uninstall the following programs.

You have a problem caused by installing Messenger Plus3 and agreeing to the 'sponsor software'.
To fix this you must first go to add/remove programs and uninstall "Messenger Plus 3"
If you insist using "Messenger Plus 3" then you can reinstall it once your PC is clean, only without the "Sponsor Software"
Note: Sponsor Software = C2Media\LOP (parasite)
This is not a Microsoft or MSN product! Be aware that any update to "Messenger Plus" will cause the program to prompt you to install the "Sponsor Software".

Go to Start>Settings >Control Panel >Add/Remove Programs. Uninstall/Remove the following programs:


MESSENGER PLUS! 3



Start HijackThis, press scan and check the following lines if present: (previous steps may have removed some of them.)


R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.yyep.com/search/search02.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.hjxobtldehfdjctn.info/y9krgS ... Gjpj/e.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: (no name) - {A9A780FF-5136-24E5-2167-5B86536C53EA} - C:\WINDOWS\APPLICATION DATA\GREY NAME MEET\HTM POP.EXE
O4 - HKLM\..\Run: [DEFYWAVEVIEWANTI] C:\WINDOWS\Application Data\titletransdefywave\Extra Dog.exe
O4 - HKCU\..\Run: [Bin New] C:\WINDOWS\APPLIC~1\GREATH~1\Sixth Bone Trust.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.real.com/099ceba7bc2 ... xIE601.cab
O16 - DPF: {30CE93AE-4987-483C-9ABE-F2BD5301AB70} - http://64.158.165.143/100039/uk/gegames/geaccess.exe


Optional Fix-This can be checked to free up computer resources.

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

Application Scheduler is installed along with RealOne Player and is running in startup, and is not needed. Once installed, it runs independently of RealOne Player and consumes resources. You can fix this with HJT, but you will also need to set it not to load in RealPlayer itself to keep it from resetting itself:
  1. Start RealOne Player
  2. Click on "Tools"
  3. Click "Preferences"
  4. Select "Automatic services" in the "Categories" pane
  5. Uncheck all options and then OK.


Double check that only the above lines are selected, close all open windows except HijackThis and click Fix Checked.


Reconfigure Windows 98 to show hidden files:

Double-click the My Computer icon on the Windows desktop.
Click the View menu, and then click Folder Options. Select the View tab.

In the Hidden files section select Show all files.
Uncheck the box next to Hide file extensions for known file types.
Click Apply, and then click OK.


Restart your computer in Safe Mode.

1. Restart your computer. As your computer restarts, repeatedly press the F8 key on your keyboard until the Windows Advanced Options menu appears.
2. Use the arrow key to select Safe Mode, and then press ENTER.
3. Use an arrow key to select an operating system and press ENTER.
4. When prompted whether you want your Windows to run in safe mode, click Yes.

Using Explorer, navigate to and delete the following files and folders (if present):

If you have trouble deleting a folder, delete the files in it first. If you have trouble deleting a file, right click it, select properties, and uncheck the “read onlyâ€
Acynic
Regular Member
 
Posts: 59
Joined: June 28th, 2005, 6:26 pm

Unread postby Nick-YF19 » September 18th, 2005, 8:57 am

While we appreciate that you may be busy, it has been 10 days or more since we heard from you.

Infections can change and fresh instructions will now need to be given. This topic is now closed, if you still require assistance then please start a new topic in the Malware Removal Forum

If you wish this topic reopened, please send us an email to 'admin at malwareremoval.com' with a link to your thread.

You can help support this site from this link :
Donations For Malware Removal

Do not bother contacting us if you are not the topic starter. A valid,
working link to the closed topic is required along with the user name used.
If the user name does not match the one in the thread linked, the email will be deleted.
User avatar
Nick-YF19
Admin/Teacher Emeritus
 
Posts: 4036
Joined: May 17th, 2005, 12:42 am
Location: California

Unread postby ChrisRLG » September 18th, 2005, 5:03 pm

taken back to live topics on email request.
ChrisRLG
Administrator Emeritus
 
Posts: 17759
Joined: December 16th, 2004, 10:04 am
Location: Southend, Essex, UK

Unread postby Nick-YF19 » September 22nd, 2005, 7:45 am

Please post a fresh log if you still need help.
User avatar
Nick-YF19
Admin/Teacher Emeritus
 
Posts: 4036
Joined: May 17th, 2005, 12:42 am
Location: California

Unread postby NonSuch » October 5th, 2005, 4:01 am

This topic was reopened by request. There has been no communication since that request; therefore, this topic is now closed. If you wish it reopened, please send us an email to 'admin at malwareremoval.com' with a link to your thread.

You can help support this site from this link :
Donations For Malware Removal

Do not bother contacting us if you are not the topic starter. A valid, working link to the closed topic is required along with the user name used. If the user name does not match the one in the thread linked, the email will be deleted.
User avatar
NonSuch
Administrator
Administrator
 
Posts: 27211
Joined: February 23rd, 2005, 7:08 am
Location: California
Advertisement
Register to Remove


  • Similar Topics
    Replies
    Views
    Last post

Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: No registered users and 29 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware