re: need lots of help, spyware, hijackthis log
Monday, April 3, 2006 at 3:26 pm Windows Me Annoyances Discussion Forum
Posted by Jay
(15 messages posted)
Hello again MrC, thanks for all the help. I could use more if you can. I didn't reply sooner because I lost my internet connection. My router said it blocked several "ping of death"; not sure if that caused it, but it works now.
A question about mad.exe and devldr16: do I need these to run at startup? Also, I noticed there are two devldr16 entries in the startup config.
Also, when I run Spybot this is what I get:
-CoolWWWSearch.BadZoneMap, when expanded, shows:
HKEY_USERS\.DEFAULT\Software\Microsoft\CurrentVersion\Internet Settings\ZoneMap\Domains\my-internet.info\*!=W=4
HKEY_USERS\.DEFAULT\Software\Microsoft\CurrentVersion\Internet Settings\ZoneMap\Domains\mt-download.com\*!=W=4
HKEY_USERS\.DEFAULT\Software\Microsoft\CurrentVersion\Internet Settings\ZoneMap\Domains\clickspring.net\*!=W=4
HKEY_USERS\.DEFAULT\Software\Microsoft\CurrentVersion\Internet Settings\ZoneMap\Domains\skoobidoo.com\*!=W=4
Also TNS-Search expanded is the same, except it starts with: HKEY_LOCAL_MACHINE\
These show up every time I run Spybot. I delete them but they come back; when I right-click them and jump to location, it brings me to the registry under remote access.
Here's another HJT log; those trusted IPs keep coming back too.
Logfile of HijackThis v1.99.1
Scan saved at 5:16:09 PM, on 03/04/2006
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\SYSTEM\DEVLDR16.EXE
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS\HIJACKTHIS\HIJACKTHIS.EXE
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://ebay.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy:8080
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.com/bookmark/7_0/home.html"); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\rd99rsfz.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CPROGRAM%20FILES%5CNETSCAPE%5CNETSCAPE%5Csearchplugins%5CSBWeb_01.src"); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\rd99rsfz.slt\prefs.js)
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN1\YT.DLL
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\PROGRAM FILES\MSN APPS\MSN TOOLBAR\01.02.3000.1001\EN-US\MSNTB.DLL (file missing)
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\PROGRAM FILES\MSN APPS\ST\01.03.0000.1005\EN-XU\STMAIN.DLL (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\PROGRAM FILES\MSN APPS\MSN TOOLBAR\01.02.3000.1001\EN-US\MSNTB.DLL (file missing)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN1\YT.DLL
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\Run: [MSConfigReminder] C:\WINDOWS\SYSTEM\msconfig.exe /reminder
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Microsoft IntelliType Pro] "C:\Program Files\Microsoft Hardware\Keyboard\speedkey.exe"
O4 - HKLM\..\Run: [AudioHQ] C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [devldr16.exe] C:\WINDOWS\SYSTEM\devldr16.exe
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
O4 - HKLM\..\RunServices: [DkService] C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O8 - Extra context menu item: &Define - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O8 - Extra context menu item: Look Up in &Encyclopedia - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra 'Tools' menuitem: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra 'Tools' menuitem: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRAM FILES\JAVA\JRE1.5.0_06\BIN\SSV.DLL (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRAM FILES\JAVA\JRE1.5.0_06\BIN\SSV.DLL (file missing)
O9 - Extra button: Dell Home - {EE117DAA-A30B-40FC-945C-38AE1B80C1FA} - http://www.dellnet.com (file missing) (HKCU)
O15 - Trusted IP range: 64.127.104.144
O15 - Trusted IP range: 64.127.104.144 (HKLM)
O16 - DPF: {D6016EE7-A8FF-11D1-B37E-A4759ECD7909} (AxPulse Class) - http://nbctv.nbci.com/tonightshow/virtualjay/NBC/install/english/AxPulse.cab
O16 - DPF: {33288993-5664-11D4-8B5B-00D0B73B3518} (ell Class) - http://aol.ea.com/downloads/games/common/ieell.cab
O16 - DPF: {17163BB4-107E-11D4-9B76-006097DF2317} (EABootStrap Class) - http://aol.ea.com/downloads/games/common/boot_strap/iegils.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yse/ymmapi_416.dll
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-32.cab
O16 - DPF: {01020304-0506-0708-090A-0B0C0D0E0F08} - http://messenger.yahoo.com/maintenance/patch.cab
O16 - DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} (ExentInf Class) - http://us.games2.yimg.com/download.games.yahoo.com/games/play/client/exentctl_0_0_0_1.ocx
O16 - DPF: {54B52E52-8000-4413-BD67-FC7FE24B59F2} (EARTPatchX Class) - http://files.ea.com/downloads/rtpatch/v2/EARTPX.cab
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EPUWALControl_v1-0-3-9.cab
Thanks, Jay
On Saturday, April 1, 2006 at 6:22 pm, MrCharlie wrote:
>
>These you have to leave:
>mad.exe is a process which deals with certain important Microsoft Exchange
>functions such as the loading of DLLs and message logging. This program is important
>for the stable and secure running of your computer and should not be terminated.
>
>devldr16.exe is installed alongside Creative Labs SoundBlaster 16 driver software.
>This application is crucial for the running of this piece of hardware and should
>not be removed.
>---------------
>
>You don't need these 2 "04" entries - they're from Creative Soundblaster - you can
>always restore them using HJT backups if needed.
>
>Close ALL programs down, leaving ONLY HijackThis running - Click Scan and.....
>Place a check against the following items:
>
>R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
>R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
>
>O4 - HKLM\..\Run: [AudioHQ] C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
>(For Creative Soundblaster Live! series soundcards. System tray application for SB
>Live! functions. Available via Start -> Programs)
>
>O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
>(Reminder to register Creative Labs SoundBlaster Live! cards)
>
>If you didn't put these in your Internet Explorer's Trusted Zone - have HJT fix them.
>They're from:
>OrgName: Global Netoptex, Inc San Jose StateProv: CA
>
>O15 - Trusted IP range: 64.127.104.144
>O15 - Trusted IP range: 64.127.104.144 (HKLM)
>
>Click on Fix Checked and exit HijackThis.
>
>Open up Internet Explorer, Tools, General Tab, reset your home page to what you
>want; now the Programs Tab, click Reset Web Settings.
>That will change everything back to the default settings.
>
>If you have any problems or questions - please post back, MrC
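As an added example (not code from the thread, and not part of HijackThis or Spybot), here is a small Python script that reads an HJT log in the format posted above and pulls out the items MrCharlie's reply concentrates on: the O15 Trusted IP ranges and which hive each sits in, entries HJT marks as "(file missing)", the IE proxy setting, and the hosts that O16 ActiveX controls were downloaded from. The log text embedded in the script is an abridged copy of Jay's log; the `expected_trusted` allowlist is an assumed parameter that the person reviewing the log fills in with ranges they know the user added on purpose.

```python
import re

# Abridged copy of the HijackThis log posted in the thread (constructed test input).
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Scan saved at 5:16:09 PM, on 03/04/2006
Platform: Windows ME (Win9x 4.90.3000)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy:8080
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\PROGRAM FILES\MSN APPS\MSN TOOLBAR\01.02.3000.1001\EN-US\MSNTB.DLL (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O4 - HKLM\..\Run: [devldr16.exe] C:\WINDOWS\SYSTEM\devldr16.exe
O4 - HKLM\..\RunServices: [DkService] C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O15 - Trusted IP range: 64.127.104.144
O15 - Trusted IP range: 64.127.104.144 (HKLM)
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-32.cab
"""

# Every HJT finding is "<section code> - <body>", e.g. "O15 - Trusted IP range: ...".
ENTRY_RE = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.*)$")


def parse_entries(text):
    """Return (code, body) for every HJT entry line; header lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("code"), m.group("body")))
    return entries


def trusted_ip_ranges(entries):
    """O15 entries: IP ranges placed in IE's Trusted sites zone, with the hive.
    A range the user never added is worth removing, since that zone relaxes
    the browser's security settings for whatever lives there."""
    prefix = "Trusted IP range:"
    found = []
    for code, body in entries:
        if code != "O15" or not body.startswith(prefix):
            continue
        rest = body[len(prefix):].strip()
        hive = "HKLM" if rest.endswith("(HKLM)") else "HKCU"
        found.append((rest.replace("(HKLM)", "").strip(), hive))
    return found


def orphaned_entries(entries):
    """Entries whose target file HJT could not find on disk ('(file missing)')."""
    return [(code, body) for code, body in entries if body.endswith("(file missing)")]


def proxy_server(entries):
    """Value of the IE ProxyServer setting from the R1 entry, or None if unset."""
    for code, body in entries:
        if code == "R1" and ",ProxyServer = " in body:
            return body.split(",ProxyServer = ", 1)[1].strip() or None
    return None


def dpf_hosts(entries):
    """Hosts that O16 Download Program Files (ActiveX) controls came from."""
    hosts = set()
    for code, body in entries:
        if code == "O16":
            m = re.search(r"https?://([^/\s]+)", body)
            if m:
                hosts.add(m.group(1).lower())
    return sorted(hosts)


def review(text, expected_trusted=()):
    """Summarise what a helper would look at first. `expected_trusted` (assumed
    parameter) lists Trusted-zone ranges the user is known to have added."""
    entries = parse_entries(text)
    ranges = trusted_ip_ranges(entries)
    return {
        "entries": len(entries),
        "unexpected_trusted": [r for r in ranges if r[0] not in expected_trusted],
        "orphaned": orphaned_entries(entries),
        "proxy": proxy_server(entries),
        "dpf_hosts": dpf_hosts(entries),
    }


if __name__ == "__main__":
    for key, value in review(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Run it on a saved log by swapping `SAMPLE_LOG` for the file's contents. Both O15 lines for 64.127.104.144 come out as unexpected unless that address is passed in `expected_trusted`, which mirrors MrCharlie's point: the HKCU and HKLM copies are separate registry values and both need to be fixed, which is also why a removal that only clears one of them appears to "keep coming back".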