Hijackthis Log - Experts please interpret

  Diemmess 14:03 20 Nov 04

This is a sideshoot from a current thread
click here
I will post an update on that thread as soon as this one is running.

It was suggested I posted the log here and may have to do it in chunks because of its size.

Hoping someone will point out the rogue lines?

Logfile of HijackThis v1.98.2
Scan saved at 11:31:21 AM, on 11/20/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v5.00 (5.00.2614.3500)

Running processes:

C:\WINDOWS\SYSTEM\KERNEL32.DLL

C:\WINDOWS\SYSTEM\MSGSRV32.EXE

C:\WINDOWS\SYSTEM\MPREXE.EXE

C:\WINDOWS\SYSTEM\mmtask.tsk

D:\PROGRAM FILES\GRISOFT\AVG6\AVGSERV9.EXE

C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE

C:\PROGRAM FILES\MESSENGER PLUS! 3\MSGPLUS.EXE

C:\WINDOWS\EXPLORER.EXE

C:\WINDOWS\SYSTEM\SYSTRAY.EXE

D:\PROGRAM FILES\GRISOFT\AVG6\AVGCC32.EXE

C:\PROGRAM FILES\THOMSON\SPEEDTOUCH USB\DRAGDIAG.EXE

D:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE

C:\WINDOWS\LOADQM.EXE

C:\WINDOWS\SYSTEM\WMIEXE.EXE

C:\WINDOWS\SYSTEM\STIMON.EXE

C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE

C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE

C:\PROGRAM FILES\WINDOWS MEDIA COMPONENTS\ENCODER\WMENCAGT.EXE

C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE

F:\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = click here

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = click here

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = click here

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = click here

O2 - BHO: (no name) - {BB757E5E-DBBC-4BC9-63A2-779D26137407} - C:\WINDOWS\APPLICATION DATA\SETUPDASHVC\JOY TICK.EXE

O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - D:\PROGRAM FILES\SPYWAREGUARD\DLPROTECT.DLL

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX

O3 - Toolbar: Wanadoo - {8B68564D-53FD-4293-B80C-993A9F3988EE} - C:\PROGRA~1\WANADOO\WSBAR\WSBAR.DLL

O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun

O4 - HKLM\..\Run: [SystemTray] SysTray.Exe

O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme

O4 - HKLM\..\Run: [AVG_CC] D:\PROGRA~1\GRISOFT\AVG6\avgcc32.exe /STARTUP

O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon

O4 - HKLM\..\Run: [Zone Labs Client] D:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe

O4 - HKLM\..\Run: [LoadQM] loadqm.exe

O4 - HKLM\..\Run: [vcidletwomedia] C:\WINDOWS\Application Data\Rect Grey Vc Idle\play bat.exe

O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE

O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme

O4 - HKLM\..\RunServices: [Avgserv9.exe] D:\PROGRA~1\GRISOFT\AVG6\Avgserv9.exe

O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service

O4 - HKLM\..\RunServices: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe"

O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe" /WinStart

O4 - HKCU\..\Run: [DUPEREAL] C:\WINDOWS\APPLIC~1\ISOTYP~1\film seek.exe

O4 - HKCU\..\Run: [msnmsgr] "C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE" /background

O4 - Startup: Encoder Agent.lnk = C:\Program Files\Windows Media Components\Encoder\WMENCAGT.EXE

O8 - Extra context menu item: Search with Wanadoo - res://C:\PROGRA~1\WANADOO\WSBAR\WSBAR.DLL/VSearch.htm

O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

O14 - IERESET.INF: START_PAGE_URL=click here

O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - click here

  VoG II 14:12 20 Nov 04

I think that

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = click here

needs to be fixed but please wait for confirmation from Nellie2 or another expert.

  Nellie2 20:31 20 Nov 04

Hi Diemmess

I'm afraid you have been infected by something known as LOP. I see you have Messenger Plus installed, I'll bet that when you installed it you agreed to the sponsor software.

This is a lesson for anyone installing software, especially software that is provided for free, please take time to read the EULA so that you know what you are agreeing to.

To clean this properly you will need to uninstall "Messenger Plus 3" via Add/Remove programs.

If you insist on using "Messenger Plus 3", reinstall without the "Sponsor Software" once your system is clean.

Note: Sponsor Software = C2Media\LOP (parasite) click here for more information.

This is not a Microsoft or MSN product! Be aware that any update to "Messenger Plus" will cause the program to prompt you to install the "Sponsor Software".

Run hijackthis again after uninstalling Messenger Plus3, make sure all browsers and windows are closed, including this one, put a tick against the following and click 'fix checked'

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = hxxp://xxx.xtkqfoudwehxm.net/ 1cc4zwQQIIgrDUOGoUpXlnEIXsX5bpOq1U9MHQ8PdMT9R77ArZoBH3FKwkZRhQj7.html

O2 - BHO: (no name) - {BB757E5E-DBBC-4BC9-63A2-779D26137407} - C:\WINDOWS\APPLICATION DATA\SETUPDASHVC\JOY TICK.EXE

O4 - HKLM\..\Run: [vcidletwomedia] C:\WINDOWS\Application Data\Rect Grey Vc Idle\play bat.exe

O4 - HKCU\..\Run: [DUPEREAL] C:\WINDOWS\APPLIC~1\ISOTYP~1\film seek.exe

O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

Then delete the following folders

C:\WINDOWS\APPLICATION DATA\SETUPDASHVC
C:\WINDOWS\APPLICATION DATA\ISOTYP~1\ <-- I'm not sure of the full name of this folder, but the first six letters are ISOTYP and you will find 'film seek.exe' inside it.

C:\WINDOWS\Application Data\Rect Grey Vc Idle

Then clear your temp files and reboot and post a fresh log for a check over.
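
Added example (not part of Nellie2's post or of HijackThis itself): a small parser for the log format shown in this thread that flags O2/O4 autostart entries whose file sits under the Application Data folder, which is where the three LOP executables identified above were running from. The folder check is a triage heuristic assumed here, not a verdict, and it does not cover the R1 and O9 lines Nellie2 also listed; the sample lines are copied from the first log.

```python
import re
from typing import List, NamedTuple, Optional

# Constructed sample: lines copied from the first log posted in this thread.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\EXPLORER.EXE
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = click here
O2 - BHO: (no name) - {BB757E5E-DBBC-4BC9-63A2-779D26137407} - C:\WINDOWS\APPLICATION DATA\SETUPDASHVC\JOY TICK.EXE
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - D:\PROGRAM FILES\SPYWAREGUARD\DLPROTECT.DLL
O4 - HKLM\..\Run: [AVG_CC] D:\PROGRA~1\GRISOFT\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [vcidletwomedia] C:\WINDOWS\Application Data\Rect Grey Vc Idle\play bat.exe
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [DUPEREAL] C:\WINDOWS\APPLIC~1\ISOTYP~1\film seek.exe
O4 - Startup: Encoder Agent.lnk = C:\Program Files\Windows Media Components\Encoder\WMENCAGT.EXE
"""

ENTRY_RE = re.compile(r"^([RFNO]\d{1,2}) - (.+)$")      # section code, then detail
APPDATA_RE = re.compile(r"APPLICATION DATA|APPLIC~\d")  # long name or 8.3 short name

class Entry(NamedTuple):
    code: str
    detail: str
    target: Optional[str]   # file an O2/O4 entry loads, else None

def parse_log(text: str) -> List[Entry]:
    """Keep only 'CODE - detail' lines; header and process lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        code, detail = m.groups()
        target = None
        if code == "O2":                         # BHO: name - {CLSID} - file
            target = detail.rsplit(" - ", 1)[-1]
        elif code == "O4" and "] " in detail:    # registry Run key: [name] command
            target = detail.split("] ", 1)[1]
        elif code == "O4" and " = " in detail:   # Startup folder: link = file
            target = detail.split(" = ", 1)[1]
        entries.append(Entry(code, detail, target))
    return entries

def runs_from_app_data(target: str) -> bool:
    """True if any directory component is the Application Data folder."""
    parts = target.strip('"').upper().split("\\")
    return any(APPDATA_RE.fullmatch(p) for p in parts[:-1])

def flag_entries(text: str) -> List[Entry]:
    return [e for e in parse_log(text) if e.target and runs_from_app_data(e.target)]

if __name__ == "__main__":
    for e in flag_entries(SAMPLE_LOG):
        print(f"{e.code}: {e.target}")
```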

  Nellie2 20:36 20 Nov 04

ps... please update IE as soon as possible, v5 is full of holes :(

  VoG II 21:29 20 Nov 04

I said to wait for an expert and how right I was.

I really am hoping that Santa will give me a brain this year.

  stalion 22:25 20 Nov 04

best go to the doctors for a scan you will probably find you already have one ;o))

  ste_bla 22:27 20 Nov 04

ps there is a new version of avg out

  Diemmess 09:42 21 Nov 04

What a cheerful start to Sunday! Thank you both.

The step by step instructions have been printed off, so depending on what my son and his family will be doing today I am preparing to pay a "pastoral visit" armed with my memory pen and Nellie2's "war plan".

  Nellie2 11:04 21 Nov 04

Oooh err! Go get em! :-))

  Diemmess 14:40 21 Nov 04

Endless thanks, the cleaned system seems AOK.....
The new log file as requested.........Will flesh-out the details on next post.

Logfile of HijackThis v1.98.2
Scan saved at 12:54:04 PM, on 11/21/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL

C:\WINDOWS\SYSTEM\MSGSRV32.EXE

C:\WINDOWS\SYSTEM\MPREXE.EXE

C:\WINDOWS\SYSTEM\mmtask.tsk

D:\PROGRAM FILES\GRISOFT\AVG6\AVGSERV9.EXE

C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE

C:\WINDOWS\SYSTEM\MSTASK.EXE

C:\WINDOWS\EXPLORER.EXE

C:\WINDOWS\SYSTEM\SYSTRAY.EXE

D:\PROGRAM FILES\GRISOFT\AVG6\AVGCC32.EXE

C:\PROGRAM FILES\THOMSON\SPEEDTOUCH USB\DRAGDIAG.EXE

D:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE

C:\WINDOWS\LOADQM.EXE

C:\WINDOWS\SYSTEM\STIMON.EXE

C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE

C:\WINDOWS\SYSTEM\WMIEXE.EXE

C:\PROGRAM FILES\WINDOWS MEDIA COMPONENTS\ENCODER\WMENCAGT.EXE

C:\WINDOWS\SYSTEM\RNAAPP.EXE

C:\WINDOWS\SYSTEM\TAPISRV.EXE

D:\HIJACK TOOLS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = click here

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = click here

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Wanadoo

O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - D:\PROGRAM FILES\SPYWAREGUARD\DLPROTECT.DLL

O3 - Toolbar: Wanadoo - {8B68564D-53FD-4293-B80C-993A9F3988EE} - C:\PROGRA~1\WANADOO\WSBAR\WSBAR.DLL

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX

O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun

O4 - HKLM\..\Run: [SystemTray] SysTray.Exe

O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme

O4 - HKLM\..\Run: [AVG_CC] D:\PROGRA~1\GRISOFT\AVG6\avgcc32.exe /STARTUP

O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon

O4 - HKLM\..\Run: [Zone Labs Client] D:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe

O4 - HKLM\..\Run: [LoadQM] loadqm.exe

O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE

O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme

O4 - HKLM\..\RunServices: [Avgserv9.exe] D:\PROGRA~1\GRISOFT\AVG6\Avgserv9.exe

O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service

O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe

O4 - HKCU\..\Run: [msnmsgr] "C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE" /background

O4 - Startup: Encoder Agent.lnk = C:\Program Files\Windows Media Components\Encoder\WMENCAGT.EXE

O8 - Extra context menu item: Search with Wanadoo - res://C:\PROGRA~1\WANADOO\WSBAR\WSBAR.DLL/VSearch.htm

O14 - IERESET.INF: START_PAGE_URL=click here

O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - click here

  Diemmess 15:10 21 Nov 04

When I went to pay my visit this morning I found that my son had already upgraded to IE 6, so I started by running CClean and the latest SpyBot, then uninstalling Messenger Plus. It was very reluctant to let go but - it went.

Granddaughter and her friend had disappeared and my son returned to share the responsibility. Ticked most of the unwelcome lines (3 no longer there anyway) and deleted the dodgy folders where still present.

Rebooted and checked all was well, which it was except for the disappearance of the legitimate MSmessenger.

Found the download for MS messenger 6 and was about to do it when G-d returned.........Oh... Woe... "that's not what I want" "I want Messenger 3... it will take for ever to put all those addresses back"--- pause for stand-up shouting match between father and daughter... ultimatum offered -"This or I will pull the plug" ...mutter... mutter, (no girl likes to be put down in the presence of a classmate and lifelong buddy).

Exit of disgruntled G-d. MS messenger installed, or rather 'Repaired', as it turned out. Everything as it should be including those addresses.

New "HijackThis log" made, and a Ghost image in case of further trouble. I was able to gain Brownie points and leave G-d and her father to settle their differences. (Goodness knows it's not so many years since I had been there and done that)

Many more thanks both to Nellie2 and to VoG™ for pointing me in the correct direction. Also to everyone who offered their best advice from the beginning.

This thread is now locked and can not be replied to.
