Skip to main content
Start a Conversation

Unsolved

This post is more than 5 years old

alevasseur14

2 Intern

 • 

593 Posts

870

June 8th, 2005 16:00

Hijack This logfile

Hello everybody, I'm working on my housemate's Dell and I just can't seem to make the popups stop. I've run adaware and spybot but both of them are missing something. I ran HijackThis and here's the logfile. Thanks!

Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\RUNSERVICE.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCSETMGR.EXE
C:\PROGRAM FILES\SYMANTEC ANTIVIRUS\DEFWATCH.EXE
C:\PROGRAM FILES\SYMANTEC ANTIVIRUS\RTVSCN95.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\WBEM\WINMGMT.EXE
C:\OPLIMIT\OCRAWARE.EXE
C:\OPLIMIT\OCRAWR32.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\VIEWPOINT\VIEWPOINT MANAGER\VIEWMGR.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\PROGRAM FILES\0YFVMI39\0YFVMI39.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\ELITEWWH32.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
C:\PROGRAM FILES\SYMANTEC ANTIVIRUS\VPTRAY.EXE
C:\PROGRAM FILES\AWS\WEATHERBUG\WEATHER.EXE
C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\WORKS SHARED\WKCALREM.EXE
C:\VSTASCAN\VSACCESS.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\0YFVMI39\0YFVMI39.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = www.google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.onestop.umn.edu/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Nelson Telephone Cooperative
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F1 - win.ini: load=C:\OPLIMIT\ocraware.exe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O2 - BHO: (no name) - {9D01FDFC-E6B2-4F0F-8E98-65A4C006CB81} - C:\PROGRAM FILES\0YFVMI39\0YFVMI39.dll
O2 - BHO: CExtension Object - {0019C3E2-DD48-4A6D-ABCD-8D32436323D9} - C:\WINDOWS\CFGMGR51.DLL
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [PCHealth] c:\windows\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [winupdtl] C:\WINDOWS\SYSTEM\winupdt.exe
O4 - HKLM\..\Run: [AUNPS2] RUNDLL32 AUNPS2.DLL,_Run@16
O4 - HKLM\..\Run: [BMan] C:\WINDOWS\All Users\Application Data\msw\BMan1.exe
O4 - HKLM\..\Run: [cfgmgr51] RunDLL32.EXE C:\WINDOWS\CFGMGR51.DLL,DllRun
O4 - HKLM\..\Run: [0YFVMI39] C:\PROGRAM FILES\0YFVMI39\0YFVMI39.EXE
O4 - HKLM\..\Run: [checkrun] C:\WINDOWS\SYSTEM\ELITEWWH32.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTRAY.EXE
O4 - HKLM\..\RunServices: [LicCtrl] runservice.exe
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [ccEvtMgr] "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
O4 - HKLM\..\RunServices: [ccSetMgr] "C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe"
O4 - HKLM\..\RunServices: [defwatch] C:\PROGRA~1\SYMANT~1\DEFWATCH.EXE
O4 - HKLM\..\RunServices: [rtvscn95] C:\PROGRA~1\SYMANT~1\RTVSCN95.EXE
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [Weather] C:\PROGRAM FILES\AWS\WEATHERBUG\WEATHER.EXE 1
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
O4 - Startup: PowerReg Scheduler.exe
O4 - Startup: UMAX VistaAccess.lnk = C:\VSTASCAN\vsaccess.exe
O4 - Startup: Quicken Scheduled Updates.lnk = C:\QUICKENW\bagent.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM\AIM.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O9 - Extra button: Dell Home - {9F555BC0-6289-11D4-A86D-B03251C10000} - http://www.dellnet.com (file missing) (HKCU)
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (HKCU)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O12 - Plugin for .mp3: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin4.dll
O12 - Plugin for .MOV: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} - http://fdl.msn.com/zone/Z4/heartbeat.cab

willard_

8 Posts

June 8th, 2005 17:00

get into safe mode to do that, restart windows and press f8 constantly til youll see a menu, select "safe mode"

run hijackthis and click "do a system scan only"
check the folowing items and click "fix checked" and "yes"

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
O2 - BHO: (no name) - {9D01FDFC-E6B2-4F0F-8E98-65A4C006CB81} - C:\PROGRAM FILES\0YFVMI39\0YFVMI39.dll
O2 - BHO: CExtension Object - {0019C3E2-DD48-4A6D-ABCD-8D32436323D9} - C:\WINDOWS\CFGMGR51.DLL
O4 - HKLM\..\Run: [winupdtl] C:\WINDOWS\SYSTEM\winupdt.exe
O4 - HKLM\..\Run: [AUNPS2] RUNDLL32 AUNPS2.DLL,_Run@16
O4 - HKLM\..\Run: [BMan] C:\WINDOWS\All Users\Application Data\msw\BMan1.exe
O4 - HKLM\..\Run: [cfgmgr51] RunDLL32.EXE C:\WINDOWS\CFGMGR51.DLL,DllRun
O4 - HKLM\..\Run: [0YFVMI39] C:\PROGRAM FILES\0YFVMI39\0YFVMI39.EXE
O4 - HKLM\..\Run: [checkrun] C:\WINDOWS\SYSTEM\ELITEWWH32.EXE
O4 - HKLM\..\RunServices: [LicCtrl] runservice.exe
O9 - Extra button: Dell Home - {9F555BC0-6289-11D4-A86D-B03251C10000} - http://www.dellnet.com (file missing) (HKCU)

run a search on these files and delete em:
CFGMGR51.DLL,runservice.exe,ELITEWWH32.EXE,AUNPS2.DLL
(make sure to search for hidden files some of em might be hidden)

get into "c:\program files" and delete the folder "0YFVMI39" if you cant see that folder it means its hidden and by default windows does not show hidden files/folders
incase its hidden goto start>>run type "command" without quotes and hit enter
type these one after another and hit enter after each one (will make folder non-hidden):
cd\
cd progra~1
attrib 0YFVMI39 -h
exit

when all done restart and it should all be gone

heres a few good advices on how not to get infected by spyware/adware:

1.dont use internet explorer unless absoultly nesseasry (some sites dont work well with other browsers) it have too many vulnerabilities and many spyware/adware/malicious sites use em to install their nasty programs/adware/trojans without user ever noticing as theres no user-interaction needed,i recommend using mozilla firefox/opera much more secure

2.do not click "yes" when your surfin some site and a window pops up asking if you wanna install something it may be spyware/adware/trojan,click "yes" only if you trust the site for example lets say you decided you wanna do a online virus-scan you accessed the online-scan page and a window pops up asking you to install something in that case you know its ok but if a window pops up just like that while surfin its most likely not something good

3.some softwares might come with it so i recommend reading disclaimer/license on the software website before downloading as it most likely will say if it comes with spyware/adware or not also reading what ppl have to say about it at download.com is a good idea

one last thing not really relevant but ill write it anyway - norton is junk
first of its incredibly resource hog
second of from my expirence its not good at finding trojans and in not the only one claiming that just read about it at download.com
i recommend moving to kaspersky or nod32 both of are much much better,nod32 is lighter on resource usage

willard_

8 Posts

June 8th, 2005 17:00

oops i missed one

check these aswell on hijackthis,and delete the folder "aws" from c:\program files
O4 - HKCU\..\Run: [Weather] C:\PROGRAM FILES\AWS\WEATHERBUG\WEATHER.EXE 1
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (HKCU)

zbestwun2001

4 Apprentice

 • 

8.8K Posts

June 8th, 2005 18:00

deleted

Message Edited by zbestwun2001 on 06-08-2005 12:23 PM

zbestwun2001

4 Apprentice

 • 

8.8K Posts

June 8th, 2005 18:00

willard
I failed to see that you had reponded to this thread.
I appologize for that and am deleteling my entries.

Steve

willard_

8 Posts

June 8th, 2005 18:00

no need to apologize overall you tried your best to help another person :)

Message Edited by willard_ on 06-08-2005 02:29 PM

alevasseur14

2 Intern

 • 

593 Posts

June 9th, 2005 03:00

Thanks for the help guys. I'll get rid of those entries the next time I can get to the machine. I really appreciate it. This is the first time I've found a machine so bad I couldn't take care of it. I'll get the guy on firefox and try to educate him on some safer browsing habits.

Was this post helpful?

View All

No Events found!

Top