HijackThis Log

  1. #1
    elcielo36

    HijackThis Log

    Hi. I've run Adaware, CWShredder, and Spybot, and nothing has worked to cure my browser hijack. Here is the HijackThis log:

    Logfile of HijackThis v1.99.0
    Scan saved at 2:05:10 PM, on 1/19/05
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\SSDPSRV.EXE
    C:\WINDOWS\SYSTEM\IPFA32.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\SYSTEM\CMMPU.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS\SYSTEM32\WUCLIENT.EXE
    C:\PROGRAM FILES\COMPAQ\COMPAQ 11 MBPS WIRELESS USB ADAPTER\CONFIGA.EXE
    C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\WINDOWS\SYSTEM\PSTORES.EXE
    C:\WINDOWS\SYSTEM\TUZ6.EXE
    C:\WINDOWS\SYSTEM\JEL277G.EXE
    C:\HIJACKTHIS\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\vvrao.dll/sp.html#12345
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\vvrao.dll/sp.html#12345
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\vvrao.dll/sp.html#12345
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\vvrao.dll/sp.html#12345
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\vvrao.dll/sp.html#12345
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\vvrao.dll/sp.html#12345
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\vvrao.dll/sp.html#12345
    R3 - Default URLSearchHook is missing
    F1 - win.ini: run=C:\WINDOWS\SYSTEM\cmmpu.exe
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O2 - BHO: Class - {EDB351A4-66C4-592C-4D6E-5DA4F46F6A5C} - C:\WINDOWS\ATLEJ.DLL
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
    O4 - HKLM\..\Run: [XPSP2 Firewall] C:\WINDOWS\system32\xpsp2fw.exe
    O4 - HKLM\..\Run: [51F2.TMP] C:\WINDOWS\TEMP\51F2.TMP.exe 0 10001
    O4 - HKLM\..\Run: [Uvoru6] C:\WINDOWS\TEMP\UVORU6.EXE
    O4 - HKLM\..\Run: [51F2.TMP.EXE] C:\WINDOWS\TEMP\51F2.TMP.EXE 0 10001
    O4 - HKLM\..\Run: [0fe83a8c711c] C:\WINDOWS\SYSTEM\RPCLTC55.exe
    O4 - HKLM\..\Run: [2WLSTK65YNANMZ] C:\WINDOWS\SYSTEM\Wdit.exe
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
    O4 - HKLM\..\RunServices: [IPFA32.EXE] C:\WINDOWS\SYSTEM\IPFA32.EXE
    O4 - HKCU\..\Run: [Windows Update Client ] C:\WINDOWS\system32\wuclient.exe
    O4 - HKCU\..\Run: [AIM] C:\PROGRAM FILES\AIM95\aim.exe -cnetwait.odl
    O4 - HKCU\..\Run: [Fjqkae] C:\WINDOWS\SYSTEM\gpbis.exe
    O4 - HKCU\..\Run: [Oasr] C:\WINDOWS\Profiles\Spenser\Application Data\uetc.exe
    O4 - Startup: Compaq Wireless Configuration.lnk = C:\Program Files\Compaq\Compaq 11 Mbps Wireless USB Adapter\configA.exe
    O4 - User Startup: Compaq Wireless Configuration.lnk = C:\Program Files\Compaq\Compaq 11 Mbps Wireless USB Adapter\configA.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: &AIM Search - res://C:\PROGRAM FILES\AIM TOOLBAR\AIMBAR.DLL/aimsearch.htm
    O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsearch.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmcache.html
    O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsimilar.html
    O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmbacklinks.html
    O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmtrans.html
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM95\AIM.EXE
    O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\SYSTEM\maxspeed.exe (file missing)
    O9 - Extra 'Tools' menuitem: MaxSpeed - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\SYSTEM\maxspeed.exe (file missing)
    O9 - Extra button: Microsoft® JavaScript® Console - {2DC2E7A0-A224-11D8-82D8-00055DD5B015} - (no file) (HKCU)
    O9 - Extra 'Tools' menuitem: JavaScript Console - {2DC2E7A0-A224-11D8-82D8-00055DD5B015} - (no file) (HKCU)
    O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
    O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
    O15 - Trusted Zone: *.awmdabest.com
    O15 - Trusted Zone: *.frame.crazywinnings.com
    O15 - Trusted Zone: *.awmdabest.com (HKLM)
    O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
    O15 - Trusted IP range: 206.161.125.149
    O15 - Trusted IP range: (HKLM)
    O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/is...63/mcfscan.cab
    O21 - SSODL: OLE Automation Module - {3F143C3A-1457-6CCA-03A7-7AA23B61E40F} - (no file)


    Thanks.


  2. #2
    RockHound
    Now being new to this forum and never having spoken a word here, mind you this is all a suggestion.

    I would download and run the Peper Trojan removal Tool from one of these links:
    http://www.zerosrealm.com/downloads/uninst.exe

    http://www.memorywatcher.com/uninst.exe

    Now mind you, the computer must be connected to the Internet when you run this tool.

    If it were me, I would start by unregistering a few DLLs:

    Click Start>>>Click Run>>>Type in regsvr32 /u vvrao.dll, then hit OK.
    If for some reason you should get an error message, try it like this:
    regsvr32 /u C:\WINDOWS\vvrao.dll

    I would do the same for this entry:
    regsvr32 /u ATLEJ.DLL
    (regsvr32 /u C:\WINDOWS\ATLEJ.DLL)

    After that, I would open up HijackThis and put a tick by these:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\vvrao.dll/sp.html#12345
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\vvrao.dll/sp.html#12345
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\vvrao.dll/sp.html#12345
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\vvrao.dll/sp.html#12345
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\vvrao.dll/sp.html#12345
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\vvrao.dll/sp.html#12345
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\vvrao.dll/sp.html#12345

    R3 - Default URLSearchHook is missing

    O2 - BHO: Class - {EDB351A4-66C4-592C-4D6E-5DA4F46F6A5C} - C:\WINDOWS\ATLEJ.DLL

    O4 - HKLM\..\Run: [XPSP2 Firewall] C:\WINDOWS\system32\xpsp2fw.exe
    O4 - HKLM\..\Run: [51F2.TMP] C:\WINDOWS\TEMP\51F2.TMP.exe 0 10001
    O4 - HKLM\..\Run: [Uvoru6] C:\WINDOWS\TEMP\UVORU6.EXE
    O4 - HKLM\..\Run: [51F2.TMP.EXE] C:\WINDOWS\TEMP\51F2.TMP.EXE 0 10001
    O4 - HKLM\..\Run: [0fe83a8c711c] C:\WINDOWS\SYSTEM\RPCLTC55.exe
    O4 - HKLM\..\RunServices: [IPFA32.EXE] C:\WINDOWS\SYSTEM\IPFA32.EXE
    O4 - HKCU\..\Run: [Windows Update Client ] C:\WINDOWS\system32\wuclient.exe
    O4 - HKCU\..\Run: [Fjqkae] C:\WINDOWS\SYSTEM\gpbis.exe
    O4 - HKCU\..\Run: [Oasr] C:\WINDOWS\Profiles\Spenser\Application Data\uetc.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

    O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\SYSTEM\maxspeed.exe (file missing)
    O9 - Extra 'Tools' menuitem: MaxSpeed - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\SYSTEM\maxspeed.exe (file missing)
    O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)

    O15 - Trusted Zone: *.awmdabest.com
    O15 - Trusted Zone: *.frame.crazywinnings.com
    O15 - Trusted Zone: *.awmdabest.com (HKLM)
    O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
    O15 - Trusted IP range: 206.161.125.149
    O15 - Trusted IP range: (HKLM)

    O21 - SSODL: OLE Automation Module - {3F143C3A-1457-6CCA-03A7-7AA23B61E40F} - (no file)

    Now before I went clicking the Fix checked button, I would definitely make sure that all other windows that were open are now closed before I hit that button.

    Now I definitely wouldn't just go deleting files while I was in normal mode; I would restart the computer in safe mode.

    This is done by tapping the F8 key while Windows is loading, then pick safe mode.

    While I was in safe mode, I would go find these and delete them:

    C:\WINDOWS\vvrao.dll
    C:\WINDOWS\ATLEJ.DLL
    C:\WINDOWS\system32\xpsp2fw.exe
    C:\WINDOWS\SYSTEM\RPCLTC55.exe
    C:\WINDOWS\SYSTEM\IPFA32.EXE
    C:\WINDOWS\SYSTEM\gpbis.exe
    C:\WINDOWS\system32\wuclient.exe
    C:\WINDOWS\Profiles\Spenser\Application Data\uetc.exe

    C:\WINDOWS\TEMP\51F2.TMP.exe
    C:\WINDOWS\TEMP\UVORU6.EXE
    Matter of fact, I would open the Temp folder, right click inside it, then choose Select All, and delete everything that was inside that folder. It is a Temp folder and should be treated as such.

    Now just after I restarted the computer, I would click on this link and follow these instructions to fix the O15s that were in my log:
    http://ralphcaddell.com/Uploads/

    Please download DelDomains.zip.
    Unzip it and right click the file DelDomains.inf and from the drop down menu, click Install.
    It will perform a silent process.

    Now I might run HijackThis again and post my new log to the forum.

    But again,

    That's just me.

    Hope that helps.
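
An added example, not part of either post: a small Python triage pass over HijackThis entry lines that flags the patterns visible among the entries ticked in the reply above (IE settings pointing at `res://` inside a DLL, autoruns from a TEMP folder, entries whose file is absent, Trusted Zone additions). The function names and heuristics are illustrative assumptions, not HijackThis's own logic, and a flag is a prompt for manual review rather than a verdict.

```python
import re

# Excerpt of entry lines taken from the log in post #1, embedded so this runs offline.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\vvrao.dll/sp.html#12345
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [51F2.TMP] C:\WINDOWS\TEMP\51F2.TMP.exe 0 10001
O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\SYSTEM\maxspeed.exe (file missing)
O15 - Trusted Zone: *.awmdabest.com (HKLM)
O21 - SSODL: OLE Automation Module - {3F143C3A-1457-6CCA-03A7-7AA23B61E40F} - (no file)
"""

# An entry line is "<section code> - <detail>", e.g. "O4 - HKLM\..\Run: [...] ...".
ENTRY = re.compile(r"^\s*([A-Z]\d{1,2})\s+-\s+(.+?)\s*$")

def parse(log_text):
    """Yield (section, detail) per entry line; header and process lines are skipped."""
    for line in log_text.splitlines():
        m = ENTRY.match(line)
        if m:
            yield m.group(1), m.group(2)

def review_reasons(section, detail):
    """Illustrative heuristics (assumptions for this example) for one entry."""
    low = detail.lower()
    reasons = []
    if section in ("R0", "R1") and "= res://" in low:
        reasons.append("IE page setting loads from a local DLL resource")
    if section == "O4" and "\\temp\\" in low:
        reasons.append("autorun starts a program from a TEMP folder")
    if "(file missing)" in low or "(no file)" in low:
        reasons.append("entry references a file that is not on disk")
    if section == "O15":
        reasons.append("addition to the IE Trusted Zone")
    return reasons

def triage(log_text):
    """Return [(section, detail, reasons)] for entries with at least one reason."""
    flagged = []
    for section, detail in parse(log_text):
        reasons = review_reasons(section, detail)
        if reasons:
            flagged.append((section, detail, reasons))
    return flagged

if __name__ == "__main__":
    for section, detail, reasons in triage(SAMPLE_LOG):
        print(f"{section}: {detail}\n    -> " + "; ".join(reasons))
```

Entries that match no heuristic (for example the `about:blank` default page or the randomly named autoruns in `C:\WINDOWS\SYSTEM`) still need a human to look them up; the pass only narrows where to start.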
