loading the shotgun

  1. 31-12-2004  #1
    gasveins
    gasveins is offline Newbie

    Angry loading the shotgun

    I have been having problems with my computer. It is a 450mhz pentium 2 with windows me. I ran hijack this to remove some items, but it allways freezes up when i try to remove anything. Lately the computer restarts while im on the internet for no reason. I am about to load the shotgun......here is my hijack this scan......Please help before the system gets lead poisoning!




    Logfile of HijackThis v1.98.2
    Scan saved at 2:44:55 PM, on 12/31/2004
    Platform: Windows ME (Win9x 4.90.3000)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\WINDOWS\SYSTEM\SSDPSRV.EXE
    C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
    C:\PROGRAM FILES\CA\ETRUST EZ ARMOR\ETRUST EZ ANTIVIRUS\ISAFE.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\PROGRAM FILES\CA\ETRUST EZ ARMOR\ETRUST EZ FIREWALL\CA.EXE
    C:\PROGRAM FILES\CA\ETRUST EZ ARMOR\ETRUST EZ ANTIVIRUS\VETMSG.EXE
    C:\PROGRAM FILES\CA\ETRUST EZ ARMOR\ETRUST EZ ANTIVIRUS\VETTRAY.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\PROGRAM FILES\WINAMP\WINAMPA.EXE
    C:\PROGRAM FILES\CA\ETRUST EZ ARMOR\ETRUST EZ ANTI-SPAM\QSP-2.1.212.0\QOELOADER.EXE
    C:\PROGRAM FILES\ACESOFT\TRACKS ERASER PRO\TE.EXE
    C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\OSA.EXE
    C:\WINDOWS\SYSTEM\PSTORES.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
    C:\WINDOWS\SYSTEM\STIMON.EXE
    C:\TEMP\TD_0001.DIR\HIJACKTHIS.EXE

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O2 - BHO: (no name) - {ED103D9F-3070-4580-AB1E-E5C179C1AE41} - (no file)
    O2 - BHO: (no name) - {A491D208-B353-490F-B81A-A8A3DC97042D} - (no file)
    O2 - BHO: (no name) - {82315A18-6CFB-44a7-BDFD-90E36537C252} - (no file)
    O2 - BHO: (no name) - {9C691A33-7DDA-4C2F-BE4C-C176083F35CF} - (no file)
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\CA\ETRUST~1\ETRUST~2\ca.exe
    O4 - HKLM\..\Run: [Vet Alert] C:\PROGRA~1\CA\ETRUST~1\ETRUST~3\VETMSG.EXE
    O4 - HKLM\..\Run: [VetTray] C:\PROGRA~1\CA\ETRUST~1\ETRUST~3\VETTRAY.EXE
    O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\MCAFEE.COM\AGENT\MCUPDATE.EXE
    O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
    O4 - HKLM\..\Run: [QOELOADER] "C:\PROGRAM FILES\CA\ETRUST EZ ARMOR\ETRUST EZ ANTI-SPAM\QSP-2.1.212.0\QOELoader.exe"
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
    O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
    O4 - HKLM\..\RunServices: [CAISafe] C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\isafe.exe
    O4 - HKCU\..\Run: [Tracks Eraser Pro] C:\Program Files\Acesoft\Tracks Eraser Pro\te.exe min
    O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
    O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/download/ipixx.cab
    O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/downloa...abasetup155.cab
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by103fd.bay103.hotmail.msn.c...es/MsnPUpld.cab
    O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
    O16 - DPF: {9732FB42-C321-11D1-836F-00A0C993F125} (mhLabel Class) - http://www.pcpitstop.com/mhLbl.cab
    O16 - DPF: {DC187740-46A9-11D5-A815-00B0D0428C0C} - http://ds1.downloadtech.net/cn1060/pcpowerscan.cab
    O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
  2. 31-12-2004  #2
    owen
    owen is offline D-A-L Team Member (UK)
    First of all, update your version of Hijack This from http://hjt.isecureit.co.uk and then post a fresh log.
  3. 31-12-2004  #3
    gasveins
    gasveins is offline Newbie
    ok heres the updated logfile...thanks


    Logfile of HijackThis v1.99.0
    Scan saved at 3:08:39 PM, on 12/31/2004
    Platform: Windows ME (Win9x 4.90.3000)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\WINDOWS\SYSTEM\SSDPSRV.EXE
    C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
    C:\PROGRAM FILES\CA\ETRUST EZ ARMOR\ETRUST EZ ANTIVIRUS\ISAFE.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\PROGRAM FILES\CA\ETRUST EZ ARMOR\ETRUST EZ FIREWALL\CA.EXE
    C:\PROGRAM FILES\CA\ETRUST EZ ARMOR\ETRUST EZ ANTIVIRUS\VETMSG.EXE
    C:\PROGRAM FILES\CA\ETRUST EZ ARMOR\ETRUST EZ ANTIVIRUS\VETTRAY.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\PROGRAM FILES\WINAMP\WINAMPA.EXE
    C:\PROGRAM FILES\CA\ETRUST EZ ARMOR\ETRUST EZ ANTI-SPAM\QSP-2.1.212.0\QOELOADER.EXE
    C:\PROGRAM FILES\ACESOFT\TRACKS ERASER PRO\TE.EXE
    C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\OSA.EXE
    C:\WINDOWS\SYSTEM\PSTORES.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
    C:\WINDOWS\SYSTEM\STIMON.EXE
    C:\PROGRAM FILES\WINAMP\WINAMP.EXE
    C:\WINDOWS\SYSTEM\WBEM\WINMGMT.EXE
    C:\WINDOWS\TEMPORARY INTERNET FILES\CONTENT.IE5\X72ZAPMN\HIJACKTHIS[1].EXE

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O2 - BHO: (no name) - {ED103D9F-3070-4580-AB1E-E5C179C1AE41} - (no file)
    O2 - BHO: (no name) - {A491D208-B353-490F-B81A-A8A3DC97042D} - (no file)
    O2 - BHO: (no name) - {82315A18-6CFB-44a7-BDFD-90E36537C252} - (no file)
    O2 - BHO: (no name) - {9C691A33-7DDA-4C2F-BE4C-C176083F35CF} - (no file)
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\CA\ETRUST~1\ETRUST~2\ca.exe
    O4 - HKLM\..\Run: [Vet Alert] C:\PROGRA~1\CA\ETRUST~1\ETRUST~3\VETMSG.EXE
    O4 - HKLM\..\Run: [VetTray] C:\PROGRA~1\CA\ETRUST~1\ETRUST~3\VETTRAY.EXE
    O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\MCAFEE.COM\AGENT\MCUPDATE.EXE
    O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
    O4 - HKLM\..\Run: [QOELOADER] "C:\PROGRAM FILES\CA\ETRUST EZ ARMOR\ETRUST EZ ANTI-SPAM\QSP-2.1.212.0\QOELoader.exe"
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
    O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
    O4 - HKLM\..\RunServices: [CAISafe] C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\isafe.exe
    O4 - HKCU\..\Run: [Tracks Eraser Pro] C:\Program Files\Acesoft\Tracks Eraser Pro\te.exe min
    O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - c:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - c:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
    O15 - Trusted IP range: 213.159.118.226
    O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/download/ipixx.cab
    O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download...basetup155.cab
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by103fd.bay103.hotmail.msn.co...s/MsnPUpld.cab
    O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
    O16 - DPF: {9732FB42-C321-11D1-836F-00A0C993F125} (mhLabel Class) - http://www.pcpitstop.com/mhLbl.cab
    O16 - DPF: {DC187740-46A9-11D5-A815-00B0D0428C0C} - http://ds1.downloadtech.net/cn1060/pcpowerscan.cab
    O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
  4. 31-12-2004  #4
    owen
    owen is offline D-A-L Team Member (UK)
    Your log is basically clean, except for O2 and O15 entries listed below. What I'm going to offer are some optional fixes and a description of each one.

    Close all browser windows, restart Hijack This and put a checkmark next to the following entries:

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O2 - BHO: (no name) - {ED103D9F-3070-4580-AB1E-E5C179C1AE41} - (no file)
    O2 - BHO: (no name) - {A491D208-B353-490F-B81A-A8A3DC97042D} - (no file)
    O2 - BHO: (no name) - {82315A18-6CFB-44a7-BDFD-90E36537C252} - (no file)
    O2 - BHO: (no name) - {9C691A33-7DDA-4C2F-BE4C-C176083F35CF} - (no file)
    O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
    Loads the System Tray icon for the WinAmp media player. Can be used to mantain file associations so programs like QuickTime and RealPlayer don't take over as default player for various media types. Available via Start -> Programs

    O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
    Simple Service Discovery Protocol (SSDP) and General Event Notification Architecture (GENA) services for network plug and play functionality. Starts up a web server on port 5000. Used by Universal Plug and Play (for network device discovery). To remove this program, open Add/Remove Programs, select either Communications (Me) or Networking Services (XP), and remove the checkmark next to Universal Plug and Play

    O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
    Resource hog that launches common MS Office components to help speed up the launch of Office programs. Some users claim there's no difference with or without it but it isn't required anyway. Different filenames used for different variants

    O15 - Trusted IP range: 213.159.118.226

    Click Fix Checked

    Reboot and post a fresh log

    What I will also say is that running Etrust Firewall/Zone Alarm (Etrust Firewall is just a graphically modified version of Zone Alarm) on a low spec system is not the best of ideas. It is very resource heavy. I tried it on my old 500Mhz and I've never seen it run so slow.
  5. 31-12-2004  #5
    gasveins
    gasveins is offline Newbie
    i did what you said. here is the new log. fir some reason nothing was deleted.....


    Logfile of HijackThis v1.99.0
    Scan saved at 3:57:39 PM, on 12/31/2004
    Platform: Windows ME (Win9x 4.90.3000)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\WINDOWS\SYSTEM\SSDPSRV.EXE
    C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
    C:\PROGRAM FILES\CA\ETRUST EZ ARMOR\ETRUST EZ ANTIVIRUS\ISAFE.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\PROGRAM FILES\CA\ETRUST EZ ARMOR\ETRUST EZ FIREWALL\CA.EXE
    C:\PROGRAM FILES\CA\ETRUST EZ ARMOR\ETRUST EZ ANTIVIRUS\VETMSG.EXE
    C:\PROGRAM FILES\CA\ETRUST EZ ARMOR\ETRUST EZ ANTIVIRUS\VETTRAY.EXE
    C:\PROGRAM FILES\WINAMP\WINAMPA.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\PROGRAM FILES\CA\ETRUST EZ ARMOR\ETRUST EZ ANTI-SPAM\QSP-2.1.212.0\QOELOADER.EXE
    C:\PROGRAM FILES\ACESOFT\TRACKS ERASER PRO\TE.EXE
    C:\WINDOWS\SYSTEM\STIMON.EXE
    C:\DOWNLOADS\HIJACKTHIS.EXE

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O2 - BHO: (no name) - {ED103D9F-3070-4580-AB1E-E5C179C1AE41} - (no file)
    O2 - BHO: (no name) - {A491D208-B353-490F-B81A-A8A3DC97042D} - (no file)
    O2 - BHO: (no name) - {82315A18-6CFB-44a7-BDFD-90E36537C252} - (no file)
    O2 - BHO: (no name) - {9C691A33-7DDA-4C2F-BE4C-C176083F35CF} - (no file)
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\CA\ETRUST~1\ETRUST~2\ca.exe
    O4 - HKLM\..\Run: [Vet Alert] C:\PROGRA~1\CA\ETRUST~1\ETRUST~3\VETMSG.EXE
    O4 - HKLM\..\Run: [VetTray] C:\PROGRA~1\CA\ETRUST~1\ETRUST~3\VETTRAY.EXE
    O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\MCAFEE.COM\AGENT\MCUPDATE.EXE
    O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
    O4 - HKLM\..\Run: [QOELOADER] "C:\PROGRAM FILES\CA\ETRUST EZ ARMOR\ETRUST EZ ANTI-SPAM\QSP-2.1.212.0\QOELoader.exe"
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
    O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
    O4 - HKLM\..\RunServices: [CAISafe] C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\isafe.exe
    O4 - HKCU\..\Run: [Tracks Eraser Pro] C:\Program Files\Acesoft\Tracks Eraser Pro\te.exe min
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - c:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - c:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
    O15 - Trusted IP range: 213.159.118.226
    O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/download/ipixx.cab
    O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download...basetup155.cab
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by103fd.bay103.hotmail.msn.co...s/MsnPUpld.cab
    O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
    O16 - DPF: {9732FB42-C321-11D1-836F-00A0C993F125} (mhLabel Class) - http://www.pcpitstop.com/mhLbl.cab
    O16 - DPF: {DC187740-46A9-11D5-A815-00B0D0428C0C} - http://ds1.downloadtech.net/cn1060/pcpowerscan.cab
    O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
  6. 31-12-2004  #6
    owen
    owen is offline D-A-L Team Member (UK)
    Right, first of all, download the attached DelDomains.zip. Unzip it and right click the DelDomains file contained and select install. It will perform a silent process.

    WARNING: This will remove all sites from the Internet Explorer trusted and restricted zones. If you've made immunizations with programs like Spybot or SpywareBlaster, you will need to redo them after this process.

    Also download the attached fix.zip. Download and unzip it. Double click it and confirm the merge with the Registry. You will receive a successful message.

    Then reboot and post a fresh Hijack This log
    Attached Files
  7. 31-12-2004  #7
    gasveins
    gasveins is offline Newbie
    ok i downloaded deldomain and tried to install. i got an error and it said a device attached to the system is not functioning....i really appreciate your help on this one.....

    i tried to install fix reg and i got an error...the specified file is not a registry script.you can only import regisrtry files
    Last edited by gasveins; 31-12-2004 at 10:27 PM.
  8. 01-01-2005  #8
    owen
    owen is offline D-A-L Team Member (UK)
    Save 20% on AVG Internet Security 2012 Suite!
    Try running DelDomains in Safe Mode.
+ Reply to Thread
« Hijack This Log - Search Extender, Shopping Wizard, Home search assistant | hijackthis help please newbe »