4 replies to this topic

[CDWangs]

Hello! My browser is continually popping up with 69.50.164.197 as the home page, and will not stay on the one I want it to be. I have enclosed the Hijack this log file here. Could someone please tell me what I should do to remove it? I've tried Spybot, AdAware, etc... nothing seems to remove it. Windows 98 machine.

Thank you!

-Mark Lyons

HJT log file follows:

Logfile of HijackThis v1.99.1
Scan saved at 2:20:23 PM, on 11/9/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\WBEM\WINMGMT.EXE
C:\WINDOWS\SYSTEM\MDM.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\COMMAND SOFTWARE\COMMAND ANTIVIRUS\AVINIT9X.EXE
C:\PROGRAM FILES\COMMAND SOFTWARE\COMMAND ANTIVIRUS\DVPRPT.EXE
C:\PROGRAM FILES\COMMAND SOFTWARE\COMMAND ANTIVIRUS\AVTRAY.EXE
C:\PROGRAM FILES\COMMAND SOFTWARE\COMMAND ANTIVIRUS\SCHSC9X.EXE
C:\WINDOWS\SYSTEM\SYSTEM32.EXE
C:\PROGRAM FILES\PRINTKEY20\PRINTKEY20.EXE
C:\PROGRAM FILES\WEBSHOTS\WEBSHOTS.SCR
C:\PROGRAM FILES\COMMON FILES\COMMAND SOFTWARE\DVPAPI9X.EXE
C:\PROGRAM FILES\RMCLIENT\PMCTRAY.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\HJT\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://69.50.164.197/ie.html?
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://69.50.164.197/?
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 10.211.30.13:80
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 10;<local>
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: IE Search Toolbar Helper - {2C5175A2-ADF3-4F57-AB70-BA90FD60A383} - C:\PROGRAM FILES\IESEARCHTOOLBAR\0.9\IESEARCHTOOLBAR.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: IE Search Toolbar - {EB381422-F797-4A98-A266-9DC490821907} - C:\PROGRAM FILES\IESEARCHTOOLBAR\0.9\IESEARCHTOOLBAR.DLL
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.ExE
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [avinit] C:\PROGRA~1\COMMAN~1\COMMAN~1\AVINIT9X.EXE
O4 - HKLM\..\Run: [cuagent] C:\PROGRA~1\COMMAN~1\COMMAN~1\CUAGENT.EXE
O4 - HKLM\..\Run: [dvprpt] C:\PROGRA~1\COMMAN~1\COMMAN~1\DVPRPT.EXE
O4 - HKLM\..\Run: [avtray] C:\PROGRA~1\COMMAN~1\COMMAN~1\AVTRAY.EXE
O4 - HKLM\..\Run: [CSAV_CheckViruses] C:\PROGRA~1\COMMAN~1\COMMAN~1\VCHK.EXE
O4 - HKLM\..\Run: [AVSchedScan] C:\PROGRA~1\COMMAN~1\COMMAN~1\SCHSC9X.EXE
O4 - HKLM\..\Run: [JobHisInit] C:\Program Files\RMClient\JobHisInit.exe
O4 - HKLM\..\Run: [MplSetUp] C:\Program Files\RMClient\MplSetUp.exe
O4 - HKLM\..\Run: [system32.exe] C:\WINDOWS\SYSTEM\system32.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [CSS_Central] C:\PROGRA~1\COMMAN~1\F-PROT95\CSS_1631.EXE
O4 - HKLM\..\RunServices: [dvpapi9x] C:\PROGRA~1\COMMAN~1\F-PROT95\DVPAPI9X.EXE
O4 - HKLM\..\RunServices: [WinMgmt] C:\WINDOWS\SYSTEM\wbem\winmgmt.exe
O4 - HKLM\..\RunServices: [MicrosoftWBEMCIMObjectManager] C:\WINDOWS\SYSTEM\WBEM\WINMGMT.EXE
O4 - HKLM\..\RunServices: [Machine Debug Manager] C:\WINDOWS\SYSTEM\MDM.EXE
O4 - Startup: Shortcut to PrintKey20.exe.lnk = C:\Program Files\printkey20\PrintKey20.exe
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O4 - Startup: SmartDeviceMonitor for Client.lnk = C:\Program Files\RMClient\PMClient.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {5D9E4B6D-CD17-4D85-99D4-6A52B394EC3B} (WSDownloader Control) - http://www.webshots....SDownloader.ocx
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204

[LDTate]

Hello CDWangs, welcome to the forum. Sorry about the delay in responding If you still need help, Scan again with HijackThis, and copy/paste" a new log file into this thread.

[CDWangs]

Thank you for getting back in touch with me. I also haven't heard about any available classes yet. I'd love to learn how to do this...

Here is the scan as of just a minute ago:

Logfile of HijackThis v1.99.1
Scan saved at 4:40:57 PM, on 11/16/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\WBEM\WINMGMT.EXE
C:\WINDOWS\SYSTEM\MDM.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\COMMAND SOFTWARE\COMMAND ANTIVIRUS\AVINIT9X.EXE
C:\PROGRAM FILES\COMMAND SOFTWARE\COMMAND ANTIVIRUS\DVPRPT.EXE
C:\PROGRAM FILES\COMMAND SOFTWARE\COMMAND ANTIVIRUS\AVTRAY.EXE
C:\PROGRAM FILES\COMMAND SOFTWARE\COMMAND ANTIVIRUS\SCHSC9X.EXE
C:\WINDOWS\SYSTEM\SYSTEM32.EXE
C:\PROGRAM FILES\PRINTKEY20\PRINTKEY20.EXE
C:\PROGRAM FILES\WEBSHOTS\WEBSHOTS.SCR
C:\PROGRAM FILES\COMMON FILES\COMMAND SOFTWARE\DVPAPI9X.EXE
C:\PROGRAM FILES\RMCLIENT\PMCTRAY.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
J:\AMWSQL.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\WINWORD.EXE
C:\WINDOWS\MSAGENT\AGENTSVR.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\HJT\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://69.50.164.197/ie.html?
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://69.50.164.197/?
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 10.211.30.13:80
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 10;<local>
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: IE Search Toolbar Helper - {2C5175A2-ADF3-4F57-AB70-BA90FD60A383} - C:\PROGRAM FILES\IESEARCHTOOLBAR\0.9\IESEARCHTOOLBAR.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: IE Search Toolbar - {EB381422-F797-4A98-A266-9DC490821907} - C:\PROGRAM FILES\IESEARCHTOOLBAR\0.9\IESEARCHTOOLBAR.DLL
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.ExE
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [avinit] C:\PROGRA~1\COMMAN~1\COMMAN~1\AVINIT9X.EXE
O4 - HKLM\..\Run: [cuagent] C:\PROGRA~1\COMMAN~1\COMMAN~1\CUAGENT.EXE
O4 - HKLM\..\Run: [dvprpt] C:\PROGRA~1\COMMAN~1\COMMAN~1\DVPRPT.EXE
O4 - HKLM\..\Run: [avtray] C:\PROGRA~1\COMMAN~1\COMMAN~1\AVTRAY.EXE
O4 - HKLM\..\Run: [CSAV_CheckViruses] C:\PROGRA~1\COMMAN~1\COMMAN~1\VCHK.EXE
O4 - HKLM\..\Run: [AVSchedScan] C:\PROGRA~1\COMMAN~1\COMMAN~1\SCHSC9X.EXE
O4 - HKLM\..\Run: [JobHisInit] C:\Program Files\RMClient\JobHisInit.exe
O4 - HKLM\..\Run: [MplSetUp] C:\Program Files\RMClient\MplSetUp.exe
O4 - HKLM\..\Run: [system32.exe] C:\WINDOWS\SYSTEM\system32.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [CSS_Central] C:\PROGRA~1\COMMAN~1\F-PROT95\CSS_1631.EXE
O4 - HKLM\..\RunServices: [dvpapi9x] C:\PROGRA~1\COMMAN~1\F-PROT95\DVPAPI9X.EXE
O4 - HKLM\..\RunServices: [WinMgmt] C:\WINDOWS\SYSTEM\wbem\winmgmt.exe
O4 - HKLM\..\RunServices: [MicrosoftWBEMCIMObjectManager] C:\WINDOWS\SYSTEM\WBEM\WINMGMT.EXE
O4 - HKLM\..\RunServices: [Machine Debug Manager] C:\WINDOWS\SYSTEM\MDM.EXE
O4 - Startup: Shortcut to PrintKey20.exe.lnk = C:\Program Files\printkey20\PrintKey20.exe
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O4 - Startup: SmartDeviceMonitor for Client.lnk = C:\Program Files\RMClient\PMClient.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {5D9E4B6D-CD17-4D85-99D4-6A52B394EC3B} (WSDownloader Control) - http://www.webshots....SDownloader.ocx
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204

[LDTate]

Here's the link to join the classroom.
http://forums.tomcoy...?showtopic=1421


This is what I suggest you do.


Please do not delete anything unless instructed to.



Download CWShredder from my signature below. Unzip it on the desktop.
Open CWShredder and with ALL other windows closed, click fix.


Go here and run at least one of the online scans, allow them to delete whatever they find:

TrendMicro HouseCall
eTrust AntiVirus Web Scanner
Panda ActiveScan
Note any thing that can't be fixed
Reboot when done.

Next:

Even if you've already run these, make SURE they're up-to-date and run per instructions.

Make sure you have the up-to-date versions of Spybot V 1.4 and Ad-aware SE Build 1.06 . All are free and available below.

Download Spybot, install and update. Then download Ad-aware, install, and update.

Spybot:

Install the program and launch it.

Go to Start > Programs >Spybot > Search & Destroy and choose Spybot S&D

Close ALL windows except Spybot S&D
Click the button to "Search for Updates" and download and install the Updates.
Next click the button "Check for Problems"
When Spybot is complete, it will be showing "RED" (RED) entries "BLACK" entries and "GREEN" (GREEN) entries in the window
Put a check mark beside the RED (RED) entries ONLY.
Choose "Fix Selected Problems" and allow Spybot to fix the RED (RED) entries.

Ad-Aware FULL SCAN:

Install the program and launch it.

1. Launch Ad-Aware SE and run the WebUpdate feature. (Click on the Globe icon > Click connect > Click OK > Click Finish.)
2. Set up the Configurations as follows:
-- Click the Gear wheel at the top of the Ad-Aware window
-- Click General > Safety & Settings: Check (Green) all three.
-- Click Tweak > Cleaning Engine > UNcheck "Always try to unload modules before deletion".
3. Click "Proceed"
4. Click "Scan Now"
5. Deselect "Search for negligible risk entries" as negligible risk entries (MRU's) are not considered to be a threat.
6. Select "Search for low-risk threats"
7. Run the scanner using the Full Scan (Perform full system scan) mode.
8. When the scan has completed, select Next.
9. In the Scanning Results window, select the "Scan Summary" tab.
10. Check the box next to each "target family" you wish to remove.
11. Click next > Click OK.



Empty Recycle Bin

Reboot and "copy/paste" a new log file into this thread.
Also please describe how your computer behaves at the moment.

[LDTate]

Due to inactivity this topic will be closed. If you need help please start a new thread and post a new HJT log