HijackThis log

  1. 12-07-2004  #1
    Blondie_357
    Blondie_357 is offline Newbie

    HijackThis log

    I have a friend who was not running any antivirus software and of course has alot of spyware as well. His pc is a mess basically. He has installed an antivirus program now, as well as Ad-aware and Spybot. He has run all programs to do the cleaning and it has found and deleted many of them...some it will not let him get rid of. I know he has several trojans. He has even scanned in safe mode but is unable to rid himself of all problems. I figured one step in helping him out would be to have him run a hijackthis log and I'm hoping you can advise me on what to tell him to delete so we can go from there. Here is his log.

    Logfile of HijackThis v1.98.0
    Scan saved at 10:55:29 PM, on 7/11/2004
    Platform: Windows ME (Win9x 4.90.3000)
    MSIE: Internet Explorer v5.50 (5.50.4134.0600)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMKEYBD.EXE
    C:\PROGRAM FILES\GRISOFT\AVG6\AVGSERV9.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\KEYBDMGR.EXE
    C:\PROGRAM FILES\NETROPA\ONSCREEN DISPLAY\OSD.EXE
    C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMUSBKB2.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS\SYSTEM\HPSYSDRV.EXE
    C:\PROGRAM FILES\GRISOFT\AVG6\AVGCC32.EXE
    C:\PROGRAM FILES\LINKSYS\WMP11 CONFIG UTILITY\WMP11CFG.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\PROGRAM FILES\YAHOO!\MESSENGER\YPAGER.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\WINDOWS\SYSTEM\PSTORES.EXE
    C:\WINDOWS\SYSTEM\STIMON.EXE
    C:\WINDOWS\SYSTEM\MSCONFIG.EXE
    C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
    C:\WINDOWS\RUNDLL32.EXE
    C:\WINDOWS\TEMPORARY INTERNET FILES\CONTENT.IE5\85INGPQR\HIJACKTHIS[1]\HIJACKTHIS.EXE

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://hp.my.yahoo.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R3 - URLSearchHook: URLSearch Class - {965A592F-8EFA-4250-8630-7960230792F1} - C:\WINDOWS\SYSTEM\CDSM32.DLL
    O2 - BHO: (no name) - SOFTWARE - (no file)
    O2 - BHO: E.HH - {9E992732-295F-4987-8BE3-16FAC1639198} - C:\WINDOWS\ALL USERS\APPLICATION DATA\IESERVICE\IESERVICE.DLL
    O2 - BHO: VoiceIPObj Class - {00000250-0320-4DD4-BE4F-7566D2314352} - C:\WINDOWS\VOICEIP.DLL
    O2 - BHO: SDWin32 Class - {5FA6752A-C4A0-4222-88C2-928AE5AB4966} - C:\WINDOWS\SYSTEM\SWIN32.DLL
    O2 - BHO: CCHelper - {0CF0B8EE-6596-11D5-A98E-0003470BB48E} - C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER BASIC\CCHELPER.DLL
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
    O2 - BHO: (no name) - {27AC09EE-C20B-4BA4-8E27-F1C33D263875} - C:\WINDOWS\SYSTEM\002p03.dll
    O3 - Toolbar: Pa&nicware Pop-Up Stopper Basic - {B1E741E7-1E77-40D4-9FD8-51949B9CCBD0} - C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER BASIC\POPUPPRO.DLL
    O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
    O4 - HKLM\..\Run: [Adstartup] C:\WINDOWS\SYSTEM\automove.exe
    O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\GRISOFT\AVG6\avgcc32.exe /STARTUP
    O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
    O4 - HKLM\..\RunServices: [Keyboard Manager] c:\Program Files\Netropa\One-touch Multimedia Keyboard\MMKeybd.exe
    O4 - HKLM\..\RunServices: [Avgserv9.exe] C:\PROGRA~1\GRISOFT\AVG6\Avgserv9.exe
    O4 - HKLM\..\RunOnce: [MIRKA3B.EXE] C:\WINDOWS\SYSTEM\MIRKA3B.EXE
    O4 - HKCU\..\RunOnce: [MIRKA3B.EXE] C:\WINDOWS\SYSTEM\MIRKA3B.EXE
    O4 - Startup: Wireless-B PCI Adapter Utility.lnk = C:\Program Files\Linksys\WMP11 Config Utility\WMP11Cfg.exe
    O14 - IERESET.INF: START_PAGE_URL=http://hp.my.yahoo.com
    O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yaho...tocomplete.cab
    O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/game...s/y/potd_x.cab
    O16 - DPF: Yahoo! Euchre - http://download.games.yahoo.com/game...ts/y/et1_x.cab
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/S...in/AvSniff.cab
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
    O21 - SSODL: AUHook - {BCBCD383-3E06-11D3-91A9-00C04F68105C} - C:\WINDOWS\SYSTEM\AUHOOK.DLL


    Thank you.

  3. 13-07-2004  #2
    owen
    owen is offline D-A-L Team Member (UK)
    Save 20% on AVG Internet Security 2012 Suite!
    Restart Hijack This and put a checkmark next to the following entries:

    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R3 - URLSearchHook: URLSearch Class - {965A592F-8EFA-4250-8630-7960230792F1} - C:\WINDOWS\SYSTEM\CDSM32.DLL
    O2 - BHO: (no name) - SOFTWARE - (no file)
    O2 - BHO: E.HH - {9E992732-295F-4987-8BE3-16FAC1639198} - C:\WINDOWS\ALL USERS\APPLICATION DATA\IESERVICE\IESERVICE.DLL
    O2 - BHO: VoiceIPObj Class - {00000250-0320-4DD4-BE4F-7566D2314352} - C:\WINDOWS\VOICEIP.DLL
    O2 - BHO: SDWin32 Class - {5FA6752A-C4A0-4222-88C2-928AE5AB4966} - C:\WINDOWS\SYSTEM\SWIN32.DLL
    O2 - BHO: (no name) - {27AC09EE-C20B-4BA4-8E27-F1C33D263875} - C:\WINDOWS\SYSTEM\002p03.dll
    O4 - HKLM\..\Run: [Adstartup] C:\WINDOWS\SYSTEM\automove.exe
    O4 - HKLM\..\RunOnce: [MIRKA3B.EXE] C:\WINDOWS\SYSTEM\MIRKA3B.EXE
    O4 - HKCU\..\RunOnce: [MIRKA3B.EXE] C:\WINDOWS\SYSTEM\MIRKA3B.EXE

    Click Fix Checked

    Reboot

    Go to C:\Windows\System and delete the files:
    Mirka3B.exe
    automove.exe

    Post a fresh log. This log isn't too bad considering your friend had no protection.
+ Reply to Thread
« Has any one downloaded MKS_VIR ??????? | Hijack this log »