Yes..another HJT log :)


gracious
12-28-2004, 09:04 PM
Ok, before running HJT, I ran Nod32 in safe mode, no virus; ran Spybot and Adaware and got rid of some junk. A couple of weeks ago I downloaded Outlook 2000 to use instead of Express, and it seems to me that my problems started shortly thereafter. Had kernel32.dll error messages with Outlook and IE. Nod had picked up on some trojans which I have deleted. My problems are IE crashing (getting the Microsoft message about sending a report)... Outlook 2000 crashing... I did the IE repair in Add/Remove Programs and that didn't help, so I am just checking to see if there is something running around that shouldn't be. Thank you for checking my log! :p Gracious (and I am!)

**********************************************************
Logfile of HijackThis v1.97.7
Scan saved at 6:56:08 PM, on 12/28/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MDM.EXE
C:\WINDOWS\BCMDMMSG.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\WINDOWS\SYSTEM\ZONELABS\MINILOG.EXE
C:\PROGRAM FILES\ESET\NOD32KRN.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\ESET\NOD32KUI.EXE
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZONEALARM.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\HIJACKTHIS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gulftel.net/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [Machine Debug Manager] C:\WINDOWS\SYSTEM\MDM.EXE
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - HKLM\..\RunServices: [MiniLog] C:\WINDOWS\SYSTEM\ZONELABS\MINILOG.EXE -service
O4 - HKLM\..\RunServices: [NOD32kernel] "C:\Program Files\Eset\nod32krn.exe"
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: ZoneAlarm.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsearch.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsimilar.html
O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmtrans.html
O9 - Extra button: PartyPoker.com (HKLM)
O9 - Extra 'Tools' menuitem: PartyPoker.com (HKLM)
O10 - Broken Internet access because of LSP provider 'imon.dll' missing
O12 - Plugin for .mid: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin2.dll
O16 - DPF: {09C6CAC0-936E-40A0-BC26-707480103DC3} (shizmoo Class) - http://www.uproar.com/applets/activex/shizmoo/flipside_web18.cab
O16 - DPF: {A031D222-B496-11D2-9CC8-00105A10AAF6} (WONWebLauncher Class) - http://hoylegames.sierra.com/cab/WONWebLauncherControl.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37934.2464930556
O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IMDownloader Class) - http://www2.incredimail.com/contents/setup/downloader/imloader.cab
O16 - DPF: {C1ECC9B2-75B2-4490-8040-B8A107F45DC2} (PtConnector422 Class) - http://aim.ati-title.com/ptermX.CAB
O16 - DPF: Yahoo! Pinochle - http://download.games.yahoo.com/games/clients/y/ut2_x.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/activedata/SymAData.cab
O16 - DPF: Yahoo! Euchre - http://download.games.yahoo.com/games/clients/y/et1_x.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {24D1BDCE-D835-11D6-BF84-0050047EA0E7} (BlueStream_Flash Class) - http://www.rovion.com/Controls/Rovion.cab?affiliate=MEDIAGEN
O16 - DPF: {9A57B18E-2F5D-11D5-8997-00104BD12D94} (compid Class) - http://support.gateway.com/support/serialharvest/gwCID.CAB
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://support.gateway.com/support/profiler/PCPitStop.CAB
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = gulftel.com
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 216.231.160.2,64.40.67.50

PrntRhd
12-28-2004, 09:23 PM
gracious,
While waiting for Budfred or others to comment: you are running an outdated version of HJT (current version 1.99). Get the new version and post the log again.
http://www.subratam.org/?page=removal

gracious
12-28-2004, 09:34 PM
Golly Gee Whitakers Batman! Thank you kind PrntRhd :)
Ok, here it is.....................

**********************************************************

Logfile of HijackThis v1.99.0
Scan saved at 7:35:09 PM, on 12/28/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MDM.EXE
C:\WINDOWS\BCMDMMSG.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\WINDOWS\SYSTEM\ZONELABS\MINILOG.EXE
C:\PROGRAM FILES\ESET\NOD32KRN.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\ESET\NOD32KUI.EXE
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZONEALARM.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\HIJACKTHIS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gulftel.net/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [Machine Debug Manager] C:\WINDOWS\SYSTEM\MDM.EXE
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - HKLM\..\RunServices: [MiniLog] C:\WINDOWS\SYSTEM\ZONELABS\MINILOG.EXE -service
O4 - HKLM\..\RunServices: [NOD32kernel] "C:\Program Files\Eset\nod32krn.exe"
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: ZoneAlarm.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsearch.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsimilar.html
O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmtrans.html
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\PROGRAM FILES\PARTYPOKER\IEEXTENSION.DLL
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\PROGRAM FILES\PARTYPOKER\IEEXTENSION.DLL
O12 - Plugin for .mid: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin2.dll
O16 - DPF: {09C6CAC0-936E-40A0-BC26-707480103DC3} (shizmoo Class) - http://www.uproar.com/applets/activex/shizmoo/flipside_web18.cab
O16 - DPF: {A031D222-B496-11D2-9CC8-00105A10AAF6} (WONWebLauncher Class) - http://hoylegames.sierra.com/cab/WONWebLauncherControl.cab
O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IMDownloader Class) - http://www2.incredimail.com/contents/setup/downloader/imloader.cab
O16 - DPF: {C1ECC9B2-75B2-4490-8040-B8A107F45DC2} (PtConnector422 Class) - http://aim.ati-title.com/ptermX.CAB
O16 - DPF: Yahoo! Pinochle - http://download.games.yahoo.com/games/clients/y/ut2_x.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/activedata/SymAData.cab
O16 - DPF: Yahoo! Euchre - http://download.games.yahoo.com/games/clients/y/et1_x.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {24D1BDCE-D835-11D6-BF84-0050047EA0E7} (BlueStream_Flash Class) - http://www.rovion.com/Controls/Rovion.cab?affiliate=MEDIAGEN
O16 - DPF: {9A57B18E-2F5D-11D5-8997-00104BD12D94} (compid Class) - http://support.gateway.com/support/serialharvest/gwCID.CAB
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://support.gateway.com/support/profiler/PCPitStop.CAB
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = gulftel.com
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 216.231.160.2,64.40.67.50

Budfred
12-29-2004, 01:42 AM
Your log looks pretty good to me... There are a few O16s that seem somewhat suspicious, and you can fix them without causing any problems since they get restored when you visit the site again... If you know them to be okay, just leave them:

O16 - DPF: {09C6CAC0-936E-40A0-BC26-707480103DC3} (shizmoo Class) - http://www.uproar.com/applets/activ...pside_web18.cab
O16 - DPF: {A031D222-B496-11D2-9CC8-00105A10AAF6} (WONWebLauncher Class) - http://hoylegames.sierra.com/cab/WO...cherControl.cab
O16 - DPF: {C1ECC9B2-75B2-4490-8040-B8A107F45DC2} (PtConnector422 Class) - http://aim.ati-title.com/ptermX.CAB
O16 - DPF: {24D1BDCE-D835-11D6-BF84-0050047EA0E7} (BlueStream_Flash Class) - http://www.rovion.com/Controls/Rovi...iliate=MEDIAGEN

Good luck... :)
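The O16 triage Budfred does by eye above can be scripted. The following is an added example, not code from this thread or from HijackThis: it parses O16 (Downloaded Program Files / ActiveX) lines in the log format shown here, strips the forum's BBCode `[url]` wrapping, and splits entries into hosts the reviewer already recognises and ones to ask the user about. The sample lines and the allowlist of known hosts are constructed for the example.

```python
import re
from urllib.parse import urlparse

# Constructed sample in HijackThis log format (shapes copied from the logs in
# this thread; the [url] tags are the forum's own BBCode wrapping).
SAMPLE_LOG = """\
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\\PROGRA~1\\SPYBOT~1\\SDHELPER.DLL
O16 - DPF: {09C6CAC0-936E-40A0-BC26-707480103DC3} (shizmoo Class) - [url]http://www.uproar.com/applets/activex/shizmoo/flipside_web18.cab[/url]
O16 - DPF: Yahoo! Pinochle - [url]http://download.games.yahoo.com/games/clients/y/ut2_x.cab[/url]
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
"""

# Constructed allowlist of download hosts the reviewer already recognises.
# Anything else means "ask the user whether they know it", not "malicious".
KNOWN_HOSTS = {"download.macromedia.com", "download.games.yahoo.com"}

# Two O16 shapes occur in the thread: "{CLSID} (Class name) - url" and
# a bare display name such as "Yahoo! Pinochle - url".
O16_RE = re.compile(
    r"^O16 - DPF: (?:\{(?P<clsid>[0-9A-Fa-f-]{36})\} \((?P<cls>[^)]*)\)|(?P<name>.+?)) - (?P<url>\S+)$"
)


def parse_o16(log_text):
    """Return one dict per O16 line: clsid (None if absent), name, url, host."""
    entries = []
    for line in log_text.splitlines():
        m = O16_RE.match(line.strip())
        if not m:
            continue
        url = m.group("url").replace("[url]", "").replace("[/url]", "")
        entries.append({
            "clsid": m.group("clsid"),
            "name": m.group("cls") or m.group("name"),
            "url": url,
            "host": urlparse(url).hostname or "",
        })
    return entries


def triage(entries, known_hosts=KNOWN_HOSTS):
    """Split entries into (recognised vendor, ask the user) lists by download host."""
    ok = [e for e in entries if e["host"] in known_hosts]
    ask = [e for e in entries if e["host"] not in known_hosts]
    return ok, ask


if __name__ == "__main__":
    for e in triage(parse_o16(SAMPLE_LOG))[1]:
        print(f"ask user about: {e['name']} <- {e['host']}")
```

Because O16 controls are re-downloaded when the site is visited again, the "ask" list is safe to fix in HJT if the user does not recognise the host.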

gracious
12-29-2004, 10:29 AM
Thank you Budfred! I moved all my mail and folders back to Outlook Express and stopped using Outlook 2000, and it seems to be better, but I really won't know until hubbie starts using it. Still am trying to decide whether or not to use Thunderbird; I am so used to using Outlook that so far Tbird is freaking me out! LOL

Anyway... I am glad that I have a clean log; at least that rules out a bunch of stuff not to worry about!

classicsoftware
12-29-2004, 12:23 PM
I use thunderbird and it is great. Worth it alone for the junk mail controls.

gracious
12-30-2004, 12:55 AM
Yes, Tbird does have some great tools for junk mail, plus the fact that it will not execute programs in an email, which I really like, but I can't figure out how to keep it from showing messages as read when I scroll down... and the mail sort keeps changing around, driving me crazy. Haven't given up on it yet.

classicsoftware
12-30-2004, 09:12 AM
What version are you running, as I do not have that problem?

It is easy to mark them as not read if that is your desire.

gracious
01-06-2005, 08:50 AM
Sorry it took me so long to respond, I dloaded vs 9.0