HIJackThis won't run
ugaunc24
2006-09-11, 02:54
Hello,
I know that I am infected. I have gone through all the steps in the instructions, but whenever I run HijackThis the program freezes when it gets to O15 secure zone. I'm not sure what to do. S&D comes up clear. However, sexlist keeps popping up. I ran avast!; it found some trojan horses and stuff. But since I cannot run HijackThis, I don't have a log to post.
Please help. Thanks,
pskelley
2006-09-12, 14:09
Welcome to the forum. I need that HJT log. Sometimes it will appear to be freezing, so allow more time to make sure it really is not going to finish. If it does not, then run ewido according to the instructions I am about to post. Delete anything ewido locates unless you know it is not bad. Once ewido cleans out some of the junk, then try HJT again.
ewido scan:
First download ewido anti-spyware from HERE (http://www.ewido.net/en/download/) and save that file to your desktop.
This is a 30 day trial of the program
Once you have downloaded ewido anti-spyware, locate the icon on the desktop and double-click it to launch the setup program.
Once the setup is complete you will need to run ewido and update the definition files.
On the main screen select the icon "Update" then select the "Update now" link.
Next select the "Start Update" button, the update will start and a progress bar will show the updates being installed.
Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
Once in the Settings screen click on "Recommended actions" and then select "Quarantine".
Under "Reports"
Select "Automatically generate report after every scan"
Un-Select "Only if threats were found"
Close ewido anti-spyware, Do Not run a scan just yet, we will shortly.
Reboot your computer into Safe Mode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight Safe Mode, then hit Enter.
IMPORTANT: Do not open any other windows or programs while ewido is scanning; it may interfere with the scanning process.
Launch ewido anti-spyware by double-clicking the icon on your desktop.
Select the "Scanner" icon at the top and then the "Scan" tab then click on "Complete System Scan".
ewido will now begin the scanning process, be patient this may take a little time.
Once the scan is complete do the following:
If you have any infections you will be prompted; then select "Apply all actions".
Next select the "Reports" icon at the top.
Select the "Save report as" button in the lower left hand of the screen and save it to a text file on your system (make sure to remember where you saved that file, this is important).
Close ewido and reboot your system back into Normal Mode and post the results of the ewido report scan.
Post the ewido scan results and the HJT log. Let me know what symptoms are still showing at this point, including error messages "word for word".
Thanks
ugaunc24
2006-09-16, 01:48
I use Windows 98. It says I need 2000 to download the program. Is there another program that I can use? Also, my avast shows that I have this thing called Ecru that is trying to install a BHO and a trojan horse called
c:\windows\wtet\wuauclt.exe\[UPX]
Win32:Purityscan-Q [Trj]
0637-2, 09/15/2006
I have made several attempts to run HijackThis; however, it still crashes at Zone 15 trusted content. I think that is what it is called.
Please help :(
pskelley
2006-09-16, 02:14
I apologize, I had no way of knowing what the operating system was. I need to see a HJT log, I will post a few online scans that may run with your Operating System. Most of the new tools will not run on it. Since you mention Purity Scan, you can try this:
Start > Control Panel > Add Remove programs. Uninstall anything that looks like this: PuritySCAN By OIN, OIN or OuterInfo. If you see nothing there, then download and run this uninstaller: http://www.outerinfo.com/howto.html
If you see any other programs you know do not belong, uninstall them also. If you are unsure, let me know and I will look.
That may get rid of PurityScan adware, but I have never known it to block HJT. I am going to suggest you delete all of HJT you have onboard and download it again. Open your C:\ and make a folder called HJT. Download from here: http://www.merijn.org/files/HijackThis.exe, choose to "SAVE" the file, then direct it to that folder you created. Then give it another try.
Here are a few scanners that may or may not run on Windows 98
http://housecall.trendmicro.com/
http://www.kaspersky.com/scanforvirus.html
http://www.windowsecurity.com/trojanscan/
Thanks
ugaunc24
2006-09-16, 04:23
I am working on using Kaspersky. HJT still is not working. Neither does Trend Micro. I'm not sure if this list will work. I got it off of Panda scan and Ad-Aware.
Incident Status Location
Spyware:Cookie/Zedo Not disinfected C:\WINDOWS\Cookies\valued sony customer@c5.zedo[1].txt
Spyware:Cookie/BurstBeacon Not disinfected C:\WINDOWS\Cookies\valued sony customer@www.burstbeacon[1].txt
Spyware:Cookie/Apmebf Not disinfected C:\WINDOWS\Cookies\valued sony customer@apmebf[2].txt
Spyware:Cookie/PointRoll Not disinfected C:\WINDOWS\Cookies\valued sony customer@ads.pointroll[2].txt
Adware:Adware/PurityScan Not disinfected C:\WINDOWS\wtet\wuauclt.exe
Ad-Aware Log
Ad-Aware SE Build 1.06r1
Logfile Created on:Sunday, September 10, 2006 8:59:49 PM
Created with Ad-Aware SE Personal, free for private use.
Using definitions file:SE1R121 28.08.2006
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
References detected during the scan:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
MRU List(TAC index:0):27 total references
Possible Browser Hijack attempt(TAC index:3):3 total references
Tracking Cookie(TAC index:3):10 total references
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Ad-Aware SE Settings
===========================
Set : Search for negligible risk entries
Set : Safe mode (always request confirmation)
Set : Scan active processes
Set : Scan registry
Set : Deep-scan registry
Set : Scan my IE Favorites for banned URLs
Set : Scan my Hosts file
Extended Ad-Aware SE Settings
===========================
Set : Unload recognized processes & modules during scan
Set : Scan registry for all users instead of current user only
Set : Always try to unload modules before deletion
Set : Let Windows remove files in use at next reboot
Set : Delete quarantined objects after restoring
Set : Include basic Ad-Aware settings in log file
Set : Include additional Ad-Aware settings in log file
Set : Include reference summary in log file
Set : Include alternate data stream details in log file
Set : Play sound at scan completion if scan locates critical objects
9-10-06 8:59:49 PM - Scan started. (Full System Scan)
MRU List Object Recognized!
Location: : C:\WINDOWS\Application Data\microsoft\office\recent
Description : list of recently opened documents using microsoft office
MRU List Object Recognized!
Location: : .DEFAULT\software\adobe\acrobat reader\6.0\avgeneral\crecentfiles
Description : list of recently used files in adobe reader
MRU List Object Recognized!
Location: : software\microsoft\direct3d\mostrecentapplication
Description : most recent application to use microsoft direct3d
MRU List Object Recognized!
Location: : software\microsoft\direct3d\mostrecentapplication
Description : most recent application to use microsoft direct X
MRU List Object Recognized!
Location: : software\microsoft\directdraw\mostrecentapplication
Description : most recent application to use microsoft directdraw
MRU List Object Recognized!
Location: : .DEFAULT\software\microsoft\internet explorer
Description : last download directory used in microsoft internet explorer
MRU List Object Recognized!
Location: : .DEFAULT\software\microsoft\internet explorer\main
Description : last save directory used in microsoft internet explorer
MRU List Object Recognized!
Location: : .DEFAULT\software\microsoft\internet explorer\typedurls
Description : list of recently entered addresses in microsoft internet explorer
MRU List Object Recognized!
Location: : .DEFAULT\software\microsoft\mediaplayer\player\recentfilelist
Description : list of recently used files in microsoft windows media player
MRU List Object Recognized!
Location: : .DEFAULT\software\microsoft\mediaplayer\player\recenturllist
Description : list of recently used web addresses in microsoft windows media player
MRU List Object Recognized!
Location: : .DEFAULT\software\microsoft\mediaplayer\player\settings
Description : last open directory used in jasc paint shop pro
MRU List Object Recognized!
Location: : .DEFAULT\software\microsoft\mediaplayer\preferences
Description : last cd record path used in microsoft windows media player
MRU List Object Recognized!
Location: : .DEFAULT\software\microsoft\mediaplayer\preferences
Description : last playlist index loaded in microsoft windows media player
MRU List Object Recognized!
Location: : .DEFAULT\software\microsoft\mediaplayer\preferences
Description : last playlist loaded in microsoft windows media player
MRU List Object Recognized!
Location: : .DEFAULT\software\microsoft\office\10.0\common\open find\microsoft powerpoint\settings\save as\file name mru
Description : list of recent documents saved by microsoft powerpoint
MRU List Object Recognized!
Location: : .DEFAULT\software\microsoft\office\10.0\common\open find\microsoft word\settings\open\file name mru
Description : list of recent documents opened by microsoft word
MRU List Object Recognized!
Location: : .DEFAULT\software\microsoft\office\10.0\common\open find\microsoft word\settings\save as\file name mru
Description : list of recent documents saved by microsoft word
MRU List Object Recognized!
Location: : .DEFAULT\software\microsoft\office\10.0\excel\recent files
Description : list of recent files used by microsoft excel
MRU List Object Recognized!
Location: : .DEFAULT\software\microsoft\office\10.0\powerpoint\recent file list
Description : list of recent files used by microsoft powerpoint
MRU List Object Recognized!
Location: : .DEFAULT\software\microsoft\office\10.0\word\recent templates
Description : list of recent templates used by microsoft word
MRU List Object Recognized!
Location: : .DEFAULT\software\microsoft\windows\currentversion\explorer\doc find spec mru
Description : list of recently used search terms for locating files using the microsoft windows operating system
MRU List Object Recognized!
Location: : .DEFAULT\software\nico mak computing\winzip\filemenu
Description : winzip recently used archives
MRU List Object Recognized!
Location: : .DEFAULT\software\realnetworks\realplayer\6.0\preferences
Description : list of recent skins in realplayer
MRU List Object Recognized!
Location: : .DEFAULT\software\realnetworks\realplayer\6.0\preferences
Description : list of recent clips in realplayer
MRU List Object Recognized!
Location: : .DEFAULT\software\realnetworks\realplayer\6.0\preferences
Description : list of recent open locations in realplayer
MRU List Object Recognized!
Location: : .DEFAULT\software\realnetworks\realplayer\6.0\preferences
Description : last login time in realplayer
MRU List Object Recognized!
Location: : .DEFAULT\software\microsoft\windows media\wmsdk\general
Description : windows media sdk
Listing running processes
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
#:1 [KERNEL32.DLL]
FilePath : C:\WINDOWS\SYSTEM\
ProcessID : 4279188633
Threads : 4
Priority : High
FileVersion : 4.10.2222
ProductVersion : 4.10.2222
ProductName : Microsoft(R) Windows(R) Operating System
CompanyName : Microsoft Corporation
FileDescription : Win32 Kernel core component
InternalName : KERNEL32
LegalCopyright : Copyright (C) Microsoft Corp. 1991-1999
OriginalFilename : KERNEL32.DLL
#:2 [MPREXE.EXE]
FilePath : C:\WINDOWS\SYSTEM\
ProcessID : 4294933581
Threads : 1
Priority : Normal
FileVersion : 4.10.1998
ProductVersion : 4.10.1998
ProductName : Microsoft(R) Windows(R) Operating System
CompanyName : Microsoft Corporation
FileDescription : WIN32 Network Interface Service Process
InternalName : MPREXE
LegalCopyright : Copyright (C) Microsoft Corp. 1993-1998
OriginalFilename : MPREXE.EXE
#:3 [mmtask.tsk]
FilePath : C:\WINDOWS\SYSTEM\
ProcessID : 4294873753
Threads : 1
Priority : Normal
FileVersion : 4.03.1998
ProductVersion : 4.03.1998
ProductName : Microsoft Windows
CompanyName : Microsoft Corporation
FileDescription : Multimedia background task support module
InternalName : mmtask.tsk
LegalCopyright : Copyright © Microsoft Corp. 1991-1998
OriginalFilename : mmtask.tsk
#:4 [MSTASK.EXE]
FilePath : C:\WINDOWS\SYSTEM\
ProcessID : 4294897161
Threads : 2
Priority : Normal
FileVersion : 4.71.1972.1
ProductVersion : 4.71.1972.1
ProductName : Microsoft® Windows® Task Scheduler
CompanyName : Microsoft Corporation
FileDescription : Task Scheduler Engine
InternalName : TaskScheduler
LegalCopyright : Copyright (C) Microsoft Corp. 2000
OriginalFilename : mstask.exe
#:5 [BAYSWAP.EXE]
FilePath : C:\PROGRAM FILES\POWERPANEL\BAYSWAP\
ProcessID : 4294924789
Threads : 2
Priority : Normal
FileVersion : 1.1.2
ProductVersion : 1.1.2
ProductName : Phoenix BaySwap
CompanyName : Phoenix Technologies, Ltd.
FileDescription : BaySwap Application Program
InternalName : BaySwap.EXE
LegalCopyright : (C) 1998-1999 Phoenix Technologies Ltd.
OriginalFilename : BaySwap.EXE
#:6 [BWSVC.EXE]
FilePath : C:\PROGRAM FILES\BUFFALO\CLIENT MANAGER 2\
ProcessID : 4294894317
Threads : 10
Priority : Normal
FileVersion : 1, 0, 2, 2
ProductVersion : 1, 0, 2, 2
ProductName : BUFFALO Wireless Service
CompanyName : BUFFALO INC.
FileDescription : BUFFALO Wireless Service
InternalName : BWSVC
LegalCopyright : Copyright (C) 2004
OriginalFilename : BWSVC.EXE
#:7 [ASHSERV.EXE]
FilePath : C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\
ProcessID : 4294849349
Threads : 20
Priority : Normal
FileVersion : 4, 7, 844, 0
ProductVersion : 4, 7, 0, 0
ProductName : avast! Antivirus
FileDescription : avast! antivirus service
InternalName : aswServ
LegalCopyright : Copyright (c) 2006 ALWIL Software
OriginalFilename : aswServ.exe
#:8 [EXPLORER.EXE]
FilePath : C:\WINDOWS\
ProcessID : 4294784273
Threads : 15
Priority : Normal
FileVersion : 4.72.3110.1
ProductVersion : 4.72.3110.1
ProductName : Microsoft(R) Windows NT(R) Operating System
CompanyName : Microsoft Corporation
FileDescription : Windows Explorer
InternalName : explorer
LegalCopyright : Copyright (C) Microsoft Corp. 1981-1997
OriginalFilename : EXPLORER.EXE
#:9 [RPCSS.EXE]
FilePath : C:\WINDOWS\SYSTEM\
ProcessID : 4294707169
Threads : 5
Priority : Normal
FileVersion : 4.71.2900
ProductVersion : 4.71.2900
ProductName : Microsoft(R) Windows NT(TM) Operating System
CompanyName : Microsoft Corporation
FileDescription : Distributed COM Services
InternalName : rpcss.exe
LegalCopyright : Copyright (C) Microsoft Corp. 1981-1998
OriginalFilename : rpcss.exe
#:10 [TASKMON.EXE]
FilePath : C:\WINDOWS\
ProcessID : 4294733933
Threads : 1
Priority : Normal
FileVersion : 4.10.1998
ProductVersion : 4.10.1998
ProductName : Microsoft(R) Windows(R) Operating System
CompanyName : Microsoft Corporation
FileDescription : Task Monitor
InternalName : TaskMon
LegalCopyright : Copyright (C) Microsoft Corp. 1998
OriginalFilename : TASKMON.EXE
#:11 [SYSTRAY.EXE]
FilePath : C:\WINDOWS\SYSTEM\
ProcessID : 4294723129
Threads : 2
Priority : Normal
FileVersion : 4.10.2222
ProductVersion : 4.10.2222
ProductName : Microsoft(R) Windows(R) Operating System
CompanyName : Microsoft Corporation
FileDescription : System Tray Applet
InternalName : SYSTRAY
LegalCopyright : Copyright (C) Microsoft Corp. 1993-1998
OriginalFilename : SYSTRAY.EXE
#:12 [DSLAUNCH.EXE]
FilePath : C:\WINDOWS\
ProcessID : 4294703993
Threads : 1
Priority : Normal
FileVersion : 4.00.2006
ProductVersion : 4.00.2006
ProductName : YAMAHA DS-XG Application
CompanyName : YAMAHA Corporation
FileDescription : YAMAHA DS-XG Launcher
InternalName : YAMAHA DS-XG Launcher
LegalCopyright : Copyright (c) YAMAHA Corp. 1999
OriginalFilename : dslaunch.exe
Comments : YAMAHA DS-XG Launcher
#:13 [HKSERV.EXE]
FilePath : C:\PROGRAM FILES\SONY\HOTKEY UTILITY\
ProcessID : 4294693129
Threads : 2
Priority : Normal
FileVersion : Version 1.18_su.3030
ProductVersion : Version 1.18_su.3030
ProductName : Hot Key Server executable file
CompanyName : Sony Corporation
FileDescription : Hot Key Server EXE
InternalName : HotKeyServ
LegalCopyright : Copyright 1998 - 2000 Sony Corporation
OriginalFilename : HotKeyServ.EXE
#:14 [QTTASK.EXE]
FilePath : C:\WINDOWS\SYSTEM\
ProcessID : 4294625193
Threads : 2
Priority : Normal
FileVersion : 6.5.1
ProductVersion : QuickTime 6.5.1
ProductName : QuickTime
CompanyName : Apple Computer, Inc.
InternalName : QuickTime Task
LegalCopyright : © Apple Computer, Inc. 2001-2004
OriginalFilename : QTTask.exe
#:15 [TEATIMER.EXE]
FilePath : C:\PROGRAM FILES\SPYBOT - SEARCH & DESTROY\
ProcessID : 4294928113
Threads : 3
Priority : Idle
FileVersion : 1, 4, 0, 2
ProductVersion : 1, 4, 0, 3
ProductName : Spybot - Search & Destroy
CompanyName : Safer Networking Limited
FileDescription : System settings protector
InternalName : TeaTimer
LegalCopyright : © 2000-2005 Patrick M. Kolla / Safer Networking Limited. Alle Rechte vorbehalten.
LegalTrademarks : "Spybot" und "Spybot - Search & Destroy" sind registrierte Warenzeichen.
OriginalFilename : TeaTimer.exe
Comments : Schützt Systemeinstellungen vor ungewollten Änderungen.
#:16 [WMIEXE.EXE]
FilePath : C:\WINDOWS\SYSTEM\
ProcessID : 4294770405
Threads : 3
Priority : Normal
FileVersion : 5.00.1755.1
ProductVersion : 5.00.1755.1
ProductName : Microsoft(R) Windows NT(R) Operating System
CompanyName : Microsoft Corporation
FileDescription : WMI service exe housing
InternalName : wmiexe
LegalCopyright : Copyright (C) Microsoft Corp. 1981-1998
OriginalFilename : wmiexe.exe
#:17 [NOTEPAD.EXE]
FilePath : C:\WINDOWS\
ProcessID : 4294671849
Threads : 1
Priority : Normal
FileVersion : 4.10.1998
ProductVersion : 4.10.1998
ProductName : Microsoft(R) Windows(R) Operating System
CompanyName : Microsoft Corporation
FileDescription : Windows Notepad application file
InternalName : Notepad
LegalCopyright : Copyright (C) Microsoft Corp. 1991-1998
OriginalFilename : NOTEPAD.EXE
#:18 [DDHELP.EXE]
FilePath : C:\WINDOWS\SYSTEM\
ProcessID : 4294400581
Threads : 2
Priority : Realtime
FileVersion : 4.07.00.0700
ProductVersion : 4.07.00.0700
ProductName : Microsoft® DirectX for Windows® 95 and 98
CompanyName : Microsoft Corporation
FileDescription : Microsoft DirectX Helper
InternalName : DDHelp.exe
LegalCopyright : Copyright © Microsoft Corp. 1994-1999
OriginalFilename : DDHelp.exe
#:19 [AD-AWARE.EXE]
FilePath : C:\PROGRAM FILES\LAVASOFT\AD-AWARE SE PERSONAL\
ProcessID : 4294680793
Threads : 3
Priority : Normal
FileVersion : 6.2.0.236
ProductVersion : SE 106
ProductName : Lavasoft Ad-Aware SE
CompanyName : Lavasoft Sweden
FileDescription : Ad-Aware SE Core application
InternalName : Ad-Aware.exe
LegalCopyright : Copyright © Lavasoft AB Sweden
OriginalFilename : Ad-Aware.exe
Comments : All Rights Reserved
Memory scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 27
Started registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Registry Scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 27
Started deep registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Possible Browser Hijack attempt : .DEFAULT\Software\Microsoft\Internet Explorer\Main Search Bar aolsearch.aol.com
Deep registry scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 27
Started Tracking Cookie scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Tracking Cookie Object Recognized!
Type : IECache Entry
Data : valued sony customer@real[1].txt
TAC Rating : 3
Category : Data Miner
Comment :
Value : C:\WINDOWS\Cookies\valued sony customer@real[1].txt
Tracking Cookie Object Recognized!
Type : IECache Entry
Data : valued sony customer@c5.zedo[1].txt
TAC Rating : 3
Category : Data Miner
Comment :
Value : C:\WINDOWS\Cookies\valued sony customer@c5.zedo[1].txt
Tracking Cookie Object Recognized!
Type : IECache Entry
Data : valued sony customer@apmebf[2].txt
TAC Rating : 3
Category : Data Miner
Comment :
Value : C:\WINDOWS\Cookies\valued sony customer@apmebf[2].txt
Tracking Cookie Object Recognized!
Type : IECache Entry
Data : valued sony customer@ads.pointroll[2].txt
TAC Rating : 3
Category : Data Miner
Comment :
Value : C:\WINDOWS\Cookies\valued sony customer@ads.pointroll[2].txt
Tracking Cookie Object Recognized!
Type : IECache Entry
Data : valued sony customer@~~local~~[1].txt
TAC Rating : 3
Category : Data Miner
Comment :
Value : C:\WINDOWS\Cookies\valued sony customer@~~local~~[1].txt
Tracking cookie scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 5
Objects found so far: 32
Deep scanning and examining files (c:)
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Tracking Cookie Object Recognized!
Type : IECache Entry
Data : valued sony customer@real[1].txt
TAC Rating : 3
Category : Data Miner
Comment :
Value : c:\WINDOWS\Cookies\valued sony customer@real[1].txt
Tracking Cookie Object Recognized!
Type : IECache Entry
Data : valued sony customer@c5.zedo[1].txt
TAC Rating : 3
Category : Data Miner
Comment :
Value : c:\WINDOWS\Cookies\valued sony customer@c5.zedo[1].txt
Tracking Cookie Object Recognized!
Type : IECache Entry
Data : valued sony customer@apmebf[2].txt
TAC Rating : 3
Category : Data Miner
Comment :
Value : c:\WINDOWS\Cookies\valued sony customer@apmebf[2].txt
Tracking Cookie Object Recognized!
Type : IECache Entry
Data : valued sony customer@ads.pointroll[2].txt
TAC Rating : 3
Category : Data Miner
Comment :
Value : c:\WINDOWS\Cookies\valued sony customer@ads.pointroll[2].txt
Tracking Cookie Object Recognized!
Type : IECache Entry
Data : valued sony customer@~~local~~[1].txt
TAC Rating : 3
Category : Data Miner
Comment :
Value : c:\WINDOWS\Cookies\valued sony customer@~~local~~[1].txt
Disk Scan Result for c:\
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 37
Possible Browser Hijack attempt Object Recognized!
Type : File
Data : Free AOL and Unlimited Internet.url
TAC Rating : 3
Category : Misc
Comment : Problematic URL discovered: http://free.aol.com/tryaolfree/index.adp?167070
Object : C:\WINDOWS\Favorites\
Possible Browser Hijack attempt Object Recognized!
Type : File
Data : Go Faster.url
TAC Rating : 3
Category : Misc
Comment : Problematic URL discovered: http://free.aol.com/aolbb/bb/index.adp?promo=375692
Object : C:\WINDOWS\Favorites\
Possible Browser Hijack attempt Object Recognized!
Type : File
Data : AOL Search.url
TAC Rating : 3
Category : Misc
Comment : Problematic URL discovered: http://aolsearch.aol.com/
Object : C:\WINDOWS\Favorites\Search\
Performing conditional scans...
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Conditional scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 40
9:20:01 PM Scan Complete
Summary Of This Scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Total scanning time:00:20:11.220
Objects scanned:196488
Objects identified:13
Objects ignored:0
New critical objects:13
pskelley
2006-09-16, 12:51
Definitions of MRU on the Web:
Most Recently Used (MRU) is a term used in computing to refer to the list of programs or documents which were last accessed.
These are benign, you can delete them or not, your call.
I see nothing of malware in the information you provided and still need to see a HJT log.
Try removing HJT from the computer, make sure you have a folder set up for it in the C:\HJT\ <<< like that, then download it again from here:
http://www.merijn.org/files/HijackThis.exe
Save the file into that folder you created and try again.
Once you get that new HijackThis.exe, then open it and choose "Open the misc tools section" > Open the uninstall manager > Save list to the Desktop > Copy/paste the information in that notepad into this same topic.
Then try again with the new HJT to see if you can generate a logfile. Make sure you are using "Do a system scan and save a logfile". Be patient; with Windows 98, if you have no O16 Downloaded Program Files (ActiveX) entries, the O15 items would be the end of the logfile. Wait until a notepad opens and copy/paste that information to this topic.
Thanks
ugaunc24
2006-09-17, 02:22
HJT keeps freezing. I will try it from safe mode.
Adaptec UDF Reader
Ad-Aware SE Personal
Adobe Acrobat - Reader 6.0.2 Update
Adobe Acrobat and Reader 6.0.3 Update
Adobe Download Manager 1.2 (Remove Only)
Adobe Reader 6.0.1
Advanced MP3/WMA Recorder
avast! Antivirus
BatteryScope
BUFFALO Client Manager2
Client Manager
DVDExpress
DVgate
DVgate Plug-in for Adobe(R) Premiere(R)
EconoNet International's Simply Talker 2000
HijackThis 1.99.1
HotKey Utility
Intel SpeedStep technology Applet
J2SE Runtime Environment 5.0 Update 6
Jog Dial Utility
Kaspersky Online Scanner
LiveUpdate
Lyra System File Update Utility
Macromedia Flash Player 8
Media Bar 3.1.03
Microsoft Internet Explorer 6 SP1 and Internet Tools
Microsoft Office XP Media Content
Microsoft Office XP Professional
Microsoft Outlook Express 6
Microsoft Text-to-Speech Engine 4.0 (English)
Motion JPEG Software Decoder
Mozilla Firefox (1.5.0.7)
Panda ActiveScan
PhotoPrinter 2000 Pro
PowerPanel
QuickTime
RealPlayer
RealProducer ActiveX Control
RealProducer G2
Rockwell HCF 56K Modem
Smart Connect 3.0
Smart Connect Monitor
Smart Shared Library
SmartCDRipper
SnagIt 7
Sony DV Shared Library
Sony Notebook Setup
SONY USB Mouse
Sony Utilites DLL
Spybot - Search & Destroy 1.4
SpywareBlaster v3.5.1
SpywareGuard v2.2
System Files Update
TextSound
VAIO Wallpaper
VB Runtime
Viewpoint Media Player
VisualFlow 1.0
Windows Media Player system update (9 Series)
WinZip
YAMAHA DS-XG Driver
pskelley
2006-09-17, 02:38
I see a program or two that are wasting valuable resources, like Viewpoint, but nothing that should be stopping HJT from running.
When was the last time you reinstalled Windows 98? I suggest you run System File Checker in the event a file is missing or corrupt.
http://support.microsoft.com/kb/185836/
Make sure you have your Windows 98 CD handy.
________________________________________________
Let's see if Spybot will help us a little. Open the program and click on MODE at the top. Check Advanced Mode. At the bottom left, choose Tools and then Process List.
Choose Export and save it to your Desktop. Copy/Paste the information in that notepad to this same topic.
Thanks
ugaunc24
2006-09-17, 03:54
How do I save the log?
pskelley
2006-09-17, 03:56
Choose Export and save it to your Desktop. Copy/Paste the information in that notepad to this same topic.
ugaunc24
2006-09-17, 04:21
Logfile of HijackThis v1.99.1
Scan saved at 7:45:46 PM, on 9/16/06
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\POWERPANEL\BAYSWAP\BAYSWAP.EXE
C:\PROGRAM FILES\BUFFALO\CLIENT MANAGER 2\BWSVC.EXE
C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHSERV.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\APOINT\APOINT.EXE
C:\WINDOWS\SYSTEM\IRMON.EXE
C:\WINDOWS\DSLAUNCH.EXE
C:\PROGRAM FILES\SONY\HOTKEY UTILITY\HKSERV.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\SONY\JOG DIAL UTILITY\JOGSERV2.EXE
C:\WINDOWS\SYSTEM\PRPCUI.EXE
C:\PROGRAM FILES\APOINT\APWHEEL.EXE
C:\WINDOWS\SYSTEM\PELMICED.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHWEBSV.EXE
C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHMAISV.EXE
C:\PROGRAM FILES\SPYBOT - SEARCH & DESTROY\TEATIMER.EXE
C:\PROGRAM FILES\BATTERYSCOPE\BATMGR.EXE
C:\PROGRAM FILES\POWERPANEL\PROGRAM\PCFMGR.EXE
C:\PROGRAM FILES\BUFFALO\CLIENT MANAGER\CLIENTMG\ESSIDSET.EXE
C:\PROGRAM FILES\BUFFALO\CLIENT MANAGER 2\CLIENTMGR2.EXE
C:\PROGRAM FILES\SPYWAREGUARD\SGMAIN.EXE
C:\PROGRAM FILES\SPYWAREGUARD\SGBHP.EXE
C:\WINDOWS\DESKTOP\SPYBOT\HJT\HIJACKTHIS.EXE
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://aolsearch.aol.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://mycampus.phoenix.edu/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by America Online
R3 - Default URLSearchHook is missing
O2 - BHO: HelperObject Class - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\PROGRAM FILES\TECHSMITH\SNAGIT 7\SNAGITBHO.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\PROGRAM FILES\TECHSMITH\SNAGIT 7\SNAGITIEADDIN.DLL
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [AlpsPoint] C:\Progra~1\Apoint\Apoint.exe
O4 - HKLM\..\Run: [IrMon] IrMon.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [YAMAHA DS-XG Launcher] c:\windows\dslaunch.exe
O4 - HKLM\..\Run: [HKSERV.EXE] C:\Program Files\Sony\HotKey Utility\HKserv.exe
O4 - HKLM\..\Run: [JOGSERV2.EXE] C:\Program Files\Sony\Jog Dial Utility\JogServ2.exe
O4 - HKLM\..\Run: [PRPCMonitor] PRPCUI.exe
O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] PELMICED.EXE
O4 - HKLM\..\Run: [SBWatchDog.EXE] C:\WINDOWS\SYSTEM\SBUtils\SBWatchDog.EXE /l
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [avast! Web Scanner] C:\PROGRA~1\ALWILS~1\AVAST4\ASHWEBSV.EXE
O4 - HKLM\..\Run: [ashMaiSv] C:\PROGRA~1\ALWILS~1\AVAST4\ashmaisv.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [BaySwap] C:\Program Files\PowerPanel\BaySwap\BaySwap.exe
O4 - HKLM\..\RunServices: [BWSVC] C:\PROGRAM FILES\BUFFALO\CLIENT MANAGER 2\BWSVC.EXE
O4 - HKLM\..\RunServices: [avast!] C:\Program Files\Alwil Software\Avast4\ashServ.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Ecru] "C:\WINDOWS\wtet\wuauclt.exe" -vt yazr
O4 - Startup: BatteryScope.lnk = C:\Program Files\BatteryScope\Batmgr.exe
O4 - Startup: PowerPanel.lnk = C:\Program Files\PowerPanel\Program\PcfMgr.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Startup: Client Manager.lnk = C:\Program Files\BUFFALO\Client Manager\CLIENTMG\ESSIDSET.exe
O4 - Startup: ClientManager2.lnk = C:\Program Files\BUFFALO\Client Manager 2\ClientMgr2.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://c:\PROGRA~1\MICROS~1\OFFICE10\EXCEL.EXE/3000
O8 - Extra context menu item: &AOL Toolbar search - res://C:\PROGRAM FILES\AOL TOOLBAR\TOOLBAR.DLL/SEARCH.HTML
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRAM FILES\JAVA\JRE1.5.0_06\BIN\SSV.DLL
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRAM FILES\JAVA\JRE1.5.0_06\BIN\SSV.DLL
O14 - IERESET.INF: START_PAGE_URL=http://www.aol.com
O16 - DPF: {A82C3A33-5C0E-466C-B020-71585433A7E4} (PhxStudent.OeSetup15) - https://mycampus.phoenix.edu/secure/PhxStudent15.CAB
O16 - DPF: {A0EAC162-A012-4AD8-B2E1-D5A0BBBCDA51} (PopupSh Control) - http://209.190.5.106/display/PopupSh.ocx
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (a-squared Scanner) - http://ax.emsisoft.com/asquared.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_ansi.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = aoldsl.net
pskelley
2006-09-17, 13:25
Thanks for the HJT log. I was hoping the problem would pop right out, but such is not the case. We may have some hidden malware, but I will first address what I see. I need you to give me more information about what you are seeing: describe it in more detail, does it vary, do you receive other popups, and do they occur when you are offline? Is this sexlist the only one? Can you tell me where it is directing you? Copy and paste the URL for me if there is one.
Here is what I see in the HJT log:
O4 - HKLM\..\Run: [SBWatchDog.EXE] C:\WINDOWS\SYSTEM\SBUtils\SBWatchDog.EXE /l
http://www.bleepingcomputer.com/startups/SBWatchdog.exe-4734.html
O4 - HKCU\..\Run: [Ecru] "C:\WINDOWS\wtet\wuauclt.exe" -vt yazr <<< while that exe could be a legit item (Windows Updates), it can also be a trojan. I don't think you would have Windows Updates running all of the time, especially since there are no more updates from Microsoft for your system.
http://www.google.com/search?sourceid=navclient&ie=UTF-8&rls=GGLG,GGLG:2006-16,GGLG:en&q=wuauclt%2Eexe
You can scan this item with one or more of these online scanners so we can be sure:
http://virusscan.jotti.org/
http://www.kaspersky.com/scanforvirus
http://www.virustotal.com/flash/index_en.html
O16 - DPF: {A0EAC162-A012-4AD8-B2E1-D5A0BBBCDA51} (PopupSh Control) - http://209.190.5.106/display/PopupSh.ocx
I do not like the looks of this one; do you know it? I will remove it. If it is valid, it will be put back the next time you visit the website.
Turn off TeaTimer until you are done, it will block the changes we want to make:
http://russelltexas.com/malware/teatimer.htm
Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:
R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [SBWatchDog.EXE] C:\WINDOWS\SYSTEM\SBUtils\SBWatchDog.EXE /l
O4 - HKCU\..\Run: [Ecru] "C:\WINDOWS\wtet\wuauclt.exe" -vt yazr
O16 - DPF: {A0EAC162-A012-4AD8-B2E1-D5A0BBBCDA51} (PopupSh Control) - http://209.190.5.106/display/PopupSh.ocx
Close all programs but HJT and all browser windows, then click on "Fix Checked"
RIGHT Click on Start then click on Explore. Locate and delete these items:
(may be gone, just don't miss them)
C:\WINDOWS\SYSTEM\SBUtils\ <<< delete that folder
C:\WINDOWS\wtet\ <<< delete that folder
Clean out all temp, tif and cookies.
1) Click Start, Programs (or All Programs), Accessories, System Tools, Disk Cleanup
2) Choose the correct drive usually C:\
3) Check the boxes in the list and delete the files
Restart the computer and post a new HJT log, let me know how you are running and post any information I requested above.
Thanks
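Two of the checks pskelley applies by eye above (a Windows-looking executable such as wuauclt.exe running from a directory where the real one would not live, and an O16 ActiveX object downloaded from a bare IP address) can be scripted over a HijackThis log. This is an added example, not part of the thread or of HijackThis itself; the sample lines are constructed from the log above, and the "legitimate" system directories for a Windows 98 box are an assumption.

```python
import re
from urllib.parse import urlparse

# Constructed sample lines modelled on the HijackThis log posted in this thread.
SAMPLE_LOG = """\
O4 - HKLM\\..\\Run: [QuickTime Task] "C:\\WINDOWS\\SYSTEM\\QTTASK.EXE" -atboottime
O4 - HKCU\\..\\Run: [Ecru] "C:\\WINDOWS\\wtet\\wuauclt.exe" -vt yazr
O16 - DPF: {A0EAC162-A012-4AD8-B2E1-D5A0BBBCDA51} (PopupSh Control) - http://209.190.5.106/display/PopupSh.ocx
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (a-squared Scanner) - http://ax.emsisoft.com/asquared.cab
"""

# Names malware likes to borrow; assumed legitimate homes on a Windows 98 install.
SYSTEM_NAMES = {"wuauclt.exe", "svchost.exe", "rundll32.exe", "explorer.exe"}
SYSTEM_DIRS = ("c:\\windows\\", "c:\\windows\\system\\")

O4_RE = re.compile(r'^O4 - (?P<key>[^:]+): \[(?P<name>[^\]]*)\] "?(?P<path>[A-Za-z]:\\[^"]+?\.exe)"?', re.I)
O16_RE = re.compile(r'^O16 - DPF: \{(?P<clsid>[0-9A-F-]+)\} \((?P<desc>[^)]*)\) - (?P<url>\S+)', re.I)

def check_o4(path):
    """Reason string if a system-named binary runs from an unexpected directory, else None."""
    base = path.rsplit("\\", 1)[-1].lower()
    parent = path[: len(path) - len(base)].lower()
    if base in SYSTEM_NAMES and parent not in SYSTEM_DIRS:
        return f"{base} launched from non-system directory {parent}"
    return None

def check_o16(url):
    """Reason string if an ActiveX download comes from a bare IP host, else None."""
    host = urlparse(url).hostname or ""
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
        return f"ActiveX object downloaded from raw IP host {host}"
    return None

def triage(log_text):
    """Return (line, reason) pairs for O4/O16 entries that deserve a closer look."""
    findings = []
    for line in log_text.splitlines():
        m = O4_RE.match(line)
        if m:
            reason = check_o4(m.group("path"))
        else:
            m = O16_RE.match(line)
            reason = check_o16(m.group("url")) if m else None
        if reason:
            findings.append((line, reason))
    return findings

if __name__ == "__main__":
    for line, reason in triage(SAMPLE_LOG):
        print(reason, "<-", line)
```

A hit only means "look closer", exactly as in the post: confirm the file with the online scanners listed before fixing the entry.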
ugaunc24
2006-09-17, 16:57
Here is my log. I see this thing called Irmon on it. Do you know what that is? My computer is running better and can shut down on its own now. Should I turn teatimer back on? Thanks!:)
Logfile of HijackThis v1.99.1
Scan saved at 9:56:16 AM, on 9/17/06
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\POWERPANEL\BAYSWAP\BAYSWAP.EXE
C:\PROGRAM FILES\BUFFALO\CLIENT MANAGER 2\BWSVC.EXE
C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHSERV.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\APOINT\APOINT.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\SYSTEM\IRMON.EXE
C:\WINDOWS\DSLAUNCH.EXE
C:\PROGRAM FILES\SONY\HOTKEY UTILITY\HKSERV.EXE
C:\PROGRAM FILES\SONY\JOG DIAL UTILITY\JOGSERV2.EXE
C:\WINDOWS\SYSTEM\PRPCUI.EXE
C:\WINDOWS\SYSTEM\PELMICED.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHWEBSV.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHMAISV.EXE
C:\PROGRAM FILES\BATTERYSCOPE\BATMGR.EXE
C:\PROGRAM FILES\POWERPANEL\PROGRAM\PCFMGR.EXE
C:\PROGRAM FILES\APOINT\APWHEEL.EXE
C:\PROGRAM FILES\BUFFALO\CLIENT MANAGER\CLIENTMG\ESSIDSET.EXE
C:\PROGRAM FILES\BUFFALO\CLIENT MANAGER 2\CLIENTMGR2.EXE
C:\PROGRAM FILES\SPYWAREGUARD\SGMAIN.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\SPYWAREGUARD\SGBHP.EXE
C:\WINDOWS\DESKTOP\SPYBOT\HJT\HIJACKTHIS.EXE
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://aolsearch.aol.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://mycampus.phoenix.edu/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by America Online
O2 - BHO: HelperObject Class - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\PROGRAM FILES\TECHSMITH\SNAGIT 7\SNAGITBHO.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\PROGRAM FILES\TECHSMITH\SNAGIT 7\SNAGITIEADDIN.DLL
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [AlpsPoint] C:\Progra~1\Apoint\Apoint.exe
O4 - HKLM\..\Run: [IrMon] IrMon.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [YAMAHA DS-XG Launcher] c:\windows\dslaunch.exe
O4 - HKLM\..\Run: [HKSERV.EXE] C:\Program Files\Sony\HotKey Utility\HKserv.exe
O4 - HKLM\..\Run: [JOGSERV2.EXE] C:\Program Files\Sony\Jog Dial Utility\JogServ2.exe
O4 - HKLM\..\Run: [PRPCMonitor] PRPCUI.exe
O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] PELMICED.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [avast! Web Scanner] C:\PROGRA~1\ALWILS~1\AVAST4\ASHWEBSV.EXE
O4 - HKLM\..\Run: [ashMaiSv] C:\PROGRA~1\ALWILS~1\AVAST4\ashmaisv.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [BaySwap] C:\Program Files\PowerPanel\BaySwap\BaySwap.exe
O4 - HKLM\..\RunServices: [BWSVC] C:\PROGRAM FILES\BUFFALO\CLIENT MANAGER 2\BWSVC.EXE
O4 - HKLM\..\RunServices: [avast!] C:\Program Files\Alwil Software\Avast4\ashServ.exe
O4 - Startup: BatteryScope.lnk = C:\Program Files\BatteryScope\Batmgr.exe
O4 - Startup: PowerPanel.lnk = C:\Program Files\PowerPanel\Program\PcfMgr.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Startup: Client Manager.lnk = C:\Program Files\BUFFALO\Client Manager\CLIENTMG\ESSIDSET.exe
O4 - Startup: ClientManager2.lnk = C:\Program Files\BUFFALO\Client Manager 2\ClientMgr2.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://c:\PROGRA~1\MICROS~1\OFFICE10\EXCEL.EXE/3000
O8 - Extra context menu item: &AOL Toolbar search - res://C:\PROGRAM FILES\AOL TOOLBAR\TOOLBAR.DLL/SEARCH.HTML
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRAM FILES\JAVA\JRE1.5.0_06\BIN\SSV.DLL
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRAM FILES\JAVA\JRE1.5.0_06\BIN\SSV.DLL
O14 - IERESET.INF: START_PAGE_URL=http://www.aol.com
O16 - DPF: {A82C3A33-5C0E-466C-B020-71585433A7E4} (PhxStudent.OeSetup15) - https://mycampus.phoenix.edu/secure/PhxStudent15.CAB
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (a-squared Scanner) - http://ax.emsisoft.com/asquared.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_ansi.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = aoldsl.net
pskelley
2006-09-17, 17:15
Yes, turn TeaTimer back on. C:\WINDOWS\SYSTEM\IRMON.EXE <<< when you have a question like that, use your Google:
http://www.google.com/ Search for the executable IRMON.EXE and you will get results like this:
http://www.google.com/search?sourceid=navclient&ie=UTF-8&rls=GGLG,GGLG:2006-16,GGLG:en&q=IRMON%2EEXE
Description: irmon.exe is a process which is installed alongside the default Windows drivers for an Infrared port. Usually installed on laptops, this process monitors for infrared devices such as mobile phones, and initiates the file transfer wizard. This program is important for the stable and secure running of your computer and should not be terminated.
Now this info is available at CastleCops: http://www.castlecops.com/startuplist-1703.html so if you do not use the device, use MSConfig: http://netsquirrel.com/msconfig/ and uncheck it and any other program (except security and those needed to run the system) that you do not need to start every time. I know how important resources are to Windows 98. I have an old Compaq with Win98SE on it that I only drive on an occasional Sunday when the weather is nice...lol.
Your HJT log looks fine :bigthumb: All of this information may not apply to your Operating System.
Here is some great information from Tony Klein, Texruss, ChrisRLG and Grinler to help you stay clean and safe online:
http://forums.spybot.info/showthread.php?t=279
http://russelltexas.com/malware/allclear.htm
http://forum.malwareremoval.com/viewtopic.php?t=14
http://www.bleepingcomputer.com/forums/topict2520.html
http://cybercoyote.org/security/not-admin.shtml
Safe surfing...tashi:) will close your topic in a few days.
Thanks...pskelley
Safer Networking Forums
http://www.spybot.info/en/donate/index.html
If you are reading this information...thank a teacher,
If you are reading it in English...thank a soldier.
ugaunc24
2006-09-18, 01:19
And spybot said that it has detected an important registry change
C:\WINDOWS\wtet\wuauclt.exe
should I allow this change?
pskelley
2006-09-18, 01:24
You just deleted that folder and you scanned it to make sure it was bad first. Just exactly what is Spybot asking you?
ugaunc24
2006-09-18, 01:30
It is an S&D registry change permission thing.
Actually it is going through a bunch more. AlpsPoint is the next one. I am not allowing the changes. Is that okay?
Value Deleted
Entry: SBWatchDog.EXE
pskelley
2006-09-18, 01:34
Sounds good to me, might have to do with the TeaTimer memory. If you deleted the files/folder, there is nothing TT can do to reinstall them. I do not use TT, preferring SpywareGuard instead. You will find information about that in the links I provided. I use Spybot with TT turned off. Your topic will be open for a few days, if anything comes up, post it.
Thanks
ugaunc24
2006-09-18, 01:40
I did the msconfig thing and when I rebooted all of the programs were still there. They opened anyways.
Is that bad?
pskelley
2006-09-18, 01:53
http://www.google.com/search?sourceid=navclient&ie=UTF-8&rls=GGLG,GGLG:2006-16,GGLG:en&q=how+to+use+msconfig
That link provides lots of information about the Microsoft Configuration Utility. The link I gave you is one of the easiest to understand. Be sure you are looking at information for your Operating System.
When you uncheck items that do not need to boot every time and can be started via Start > Programs when you need them, you must then click on APPLY and OK. The next time you reboot, Windows will pop up the Utility asking if you want to make the change; tell it yes, and check the box to not remind you anymore.
Thanks
ugaunc24
2006-09-18, 01:57
:bigthumb:
Cheers. :)
As the problem appears to be resolved this topic has been archived.
If you need it re-opened please send me or your helper a private message (pm) and provide a link to the thread; this applies only to the original topic starter.
Glad we could help.