Need help reviewing HijackThis log

By Laurno2
Feb 17, 2005
Topic Status:
Not open for further replies.
  1. I recently followed previous postings on how to remove Twink64.exe, CoolSearch, etc. as well as what to remove from other HijackThis logs, but the majority of items on my log were never mentioned. Could someone go over what I have and tell me what can/should be deleted? Also, does anyone know what Simple Toolbar and WexTech AnswerWorks are? I can't get Simple Toolbar to uninstall and I have no idea what the WexTech thing is.

    Thanks,
    Lauren

    Hijack log produced in safe mode:

    Logfile of HijackThis v1.99.0
    Scan saved at 10:36:30 PM, on 2/15/05
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\LAUREN\HIJACKTHIS\HIJACKTHIS.EXE

    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
    O2 - BHO: AuthBHO.cBHO - {A4D90779-6CB2-4752-83C2-A2AB4D9A672D} - C:\PROGRAM FILES\COX\APPLICATIONS\APP\AUTHBHO.DLL
    O2 - BHO: CeresObj Class - {00000049-8F91-4D9C-9573-F016E7626484} - C:\WINDOWS\CERES.DLL
    O2 - BHO: Cls - {CF021F40-3E14-23A5-CBA2-7173706D1316} - C:\WINDOWS\SYSTEM\SPM1316.DLL
    O2 - BHO: sr - {5742F79A-1D91-42c4-990C-B46CF55A6478} - C:\WINDOWS\NOTFI.DLL
    O2 - BHO: Name - {90615F85-1106-428B-928A-9E119500B8DF} - C:\WINDOWS\SYSTEM\MSGKT.DLL
    O3 - Toolbar: Cox Popup Blocker - {64634180-B0EA-48B6-82B7-9620D33362C1} - C:\PROGRAM FILES\COX\APPLICATIONS\APP\AUTHBHO.DLL
    O3 - Toolbar: FreshBar - {06ABAA2D-34AB-4902-A326-409BD9B9A7A5} - C:\WINDOWS\SYSTEM\IESP2.DLL
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [hppwrsav] C:\SCANJET\PrecisionScanLT\hppwrsav.exe
    O4 - HKLM\..\Run: [FinePrint Dispatcher v4] C:\WINDOWS\SYSTEM\fpdisp4a.exe
    O4 - HKLM\..\Run: [mdac_runonce] C:\WINDOWS\SYSTEM\runonce.exe
    O4 - HKLM\..\Run: [Atikey] Atitask.exe
    O4 - HKLM\..\Run: [AtiCwd32] Aticwd32.exe
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\SYSTEM\hpztsb01.exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [TempRemove] "C:\Program Files\Crystal Ball\CB Predictor\terminator.exe"
    O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMON.EXE
    O4 - HKLM\..\Run: [qjjmxztm] C:\WINDOWS\SYSTEM\wketxg.exe
    O4 - HKLM\..\Run: [FARMMEXT] C:\WINDOWS\FARMMEXT.exe
    O4 - HKLM\..\Run: [process.exe] C:\WINDOWS\process.exe
    O4 - HKLM\..\Run: [AuthConsoleStart] C:\Program Files\Cox\Applications\\app\AuthStart.exe
    O4 - HKLM\..\Run: [Brong32] forces_elite.exe
    O4 - HKLM\..\Run: [abrek] NopeZ.exe
    O4 - HKLM\..\RunServices: [BCDetect] bcdetect.exe defer
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] C:\WINDOWS\SYSTEM\mstask.exe
    O4 - HKLM\..\RunServices: [SndSrvc] C:\PROGRA~1\COMMON~1\SYMANT~1\SNDSRVC.EXE
    O4 - HKLM\..\RunServices: [CurtainsSysSvc] C:\Program Files\Cox\Applications\app\AuthSL.exe
    O4 - HKCU\..\Run: [WrCtrl] "C:\Program Files\WinRoute Pro\wrctrl.exe"
    O4 - HKCU\..\Run: [Autoupdate Service] C:\WINDOWS\msxmidi.exe
    O4 - HKCU\..\Run: [winxpdll32.exe] C:\WINDOWS\SYSTEM\winxpdll32.exe
    O4 - HKCU\..\Run: [cmsound] c:\windows\openstre.exe
    O4 - HKCU\..\Run: [jopplerg] 321102.exe
    O4 - HKCU\..\Run: [killall] TorontoMail.exe
    O4 - HKCU\..\Run: [hyandex] prcmon.exe
    O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Startup: ChxInit.lnk = C:\Program Files\ADS Technologies\Channel Surfer TV\ChxInit.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM95\AIM.EXE
    O15 - Trusted IP range: 67.19.185.246
    O15 - Trusted IP range: 67.19.185.246 (HKLM)
    O18 - Filter: tœ†5òÏTÆR - {819D6019-0F91-4F61-819C-52B927E9A705} - C:\WINDOWS\SYSTEM\QWSXP.DLL
    O21 - SSODL: OLE Automation Module - {3F143C3A-1457-6CCA-03A7-7AA23B61E40F} - (no file)
    O21 - SSODL: Sysctl Desktop Handler - {23456789-0000-0020-0900-00AAFF6D2EA4} - C:\WINDOWS\System32\NTOSV.DLL
    O21 - SSODL: eplrr9 - {695D689C-DBB6-4BF1-9E52-A1AEAC2A0F1C} - C:\WINDOWS\SYSTEM\mspdnx.dll
  2. RealBlackStuff

    RealBlackStuff Newcomer, in training Posts: 8,165

  3. Laurno2

    Laurno2 Newcomer, in training Topic Starter

    whole log file

    Sorry. Here it is.
  4. RealBlackStuff

    RealBlackStuff Newcomer, in training Posts: 8,165

    Where have you been surfing?

    Boot in Safe Mode.
    Uninstall anything to do with:

    C:\Program Files\Crystal Ball\CB Predictor\terminator.exe
    C:\Program Files\ADS Technologies\Channel Surfer TV\ChxInit.exe

    Press ctrl/alt/del and in Taskmanager try to STOP all the xxx.exe from the O4 - group below.

    Next, run HJT on its own and let it 'fix' (if there):
    O2 - BHO: CeresObj Class - {00000049-8F91-4D9C-9573-F016E7626484} - C:\WINDOWS\CERES.DLL
    O2 - BHO: Cls - {CF021F40-3E14-23A5-CBA2-7173706D1316} - C:\WINDOWS\SYSTEM\SPM1316.DLL
    O2 - BHO: sr - {5742F79A-1D91-42c4-990C-B46CF55A6478} - C:\WINDOWS\NOTFI.DLL
    O2 - BHO: Name - {90615F85-1106-428B-928A-9E119500B8DF} - C:\WINDOWS\SYSTEM\MSGKT.DLL
    O3 - Toolbar: FreshBar - {06ABAA2D-34AB-4902-A326-409BD9B9A7A5} - C:\WINDOWS\SYSTEM\IESP2.DLL
    O4 - HKLM\..\Run: [TempRemove] "C:\Program Files\Crystal Ball\CB Predictor\terminator.exe"
    O4 - HKLM\..\Run: [qjjmxztm] C:\WINDOWS\SYSTEM\wketxg.exe
    O4 - HKLM\..\Run: [FARMMEXT] C:\WINDOWS\FARMMEXT.exe
    O4 - HKLM\..\Run: [process.exe] C:\WINDOWS\process.exe
    O4 - HKLM\..\Run: [Brong32] forces_elite.exe
    O4 - HKLM\..\Run: [abrek] NopeZ.exe
    O4 - HKCU\..\Run: [Autoupdate Service] C:\WINDOWS\msxmidi.exe
    O4 - HKCU\..\Run: [winxpdll32.exe] C:\WINDOWS\SYSTEM\winxpdll32.exe
    O4 - HKCU\..\Run: [cmsound] c:\windows\openstre.exe
    O4 - HKCU\..\Run: [jopplerg] 321102.exe
    O4 - HKCU\..\Run: [killall] TorontoMail.exe
    O4 - HKCU\..\Run: [hyandex] prcmon.exe
    O4 - Startup: ChxInit.lnk = C:\Program Files\ADS Technologies\Channel Surfer TV\ChxInit.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O15 - Trusted IP range: 67.19.185.246
    O15 - Trusted IP range: 67.19.185.246 (HKLM)
    O18 - Filter: tœ†5òÏTÆR - {819D6019-0F91-4F61-819C-52B927E9A705} - C:\WINDOWS\SYSTEM\QWSXP.DLL
    O21 - SSODL: OLE Automation Module - {3F143C3A-1457-6CCA-03A7-7AA23B61E40F} - (no file)
    O21 - SSODL: Sysctl Desktop Handler - {23456789-0000-0020-0900-00AAFF6D2EA4} - C:\WINDOWS\System32\NTOSV.DLL
    O21 - SSODL: eplrr9 - {695D689C-DBB6-4BF1-9E52-A1AEAC2A0F1C} - C:\WINDOWS\SYSTEM\mspdnx.dll

    When done, delete the bold files. When a directory is also bold, delete everything in it, including that directory itself.

    Then start using Firefox (www.getfirefox.com) instead of IE.
    You could also uninstall this Comcast stuff (Cox popupstopper) because Firefox has one of the best popupstoppers built-in.
    Use IE only for Windows98-updates (if still available).
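An added example, not code from this thread or from HijackThis itself: a small Python triage pass over HJT 1.99 log lines that applies the same first cut the reviewer above does, flagging O4 autostarts with no path or with unfamiliar names directly in the Windows directory, and always surfacing O6/O15/O18/O21 entries for review. The KNOWN_OK allowlist is constructed for the example; the sample lines are copied from the first post's log.

```python
import re

# Line shape in HijackThis 1.99: "<section> - <rest>", e.g. "O4 - HKLM\..\Run: [name] cmd".
HJT_LINE = re.compile(r"^(O\d+) - (.*)$")
# O4 bodies: "HKLM\..\Run: [name] command" or "Startup: name.lnk = command".
O4_ENTRY = re.compile(r"^(?:HK\w+\\\.\.\\\w+: \[[^\]]*\]|Startup: .*? =) (.*)$")

# Constructed allowlist of Win9x autostart programs seen in the thread's log.
KNOWN_OK = {"scanregw.exe", "taskmon.exe", "systray.exe", "mstask.exe",
            "rundll32.exe", "hpztsb01.exe"}
# Sections a reviewer always reads: IE policy locks, trusted zones,
# protocol filters and shell service objects.
ALWAYS_REVIEW = {"O6", "O15", "O18", "O21"}

def program_path(command):
    """Return the program part of an O4 command (drop quotes and arguments)."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:command.index('"', 1)]
    return command.split(" ", 1)[0]

def triage(log_text):
    """Return (section, reason, line) tuples for entries worth a closer look."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = HJT_LINE.match(line)
        if not m:
            continue
        section, rest = m.groups()
        if section in ALWAYS_REVIEW:
            findings.append((section, "policy/zone/filter/SSODL entry: review", line))
            continue
        if section != "O4":
            continue
        e = O4_ENTRY.match(rest)
        if not e:
            continue
        folder, _, name = program_path(e.group(1)).lower().rpartition("\\")
        if name in KNOWN_OK:
            continue
        if not folder:
            findings.append((section, "bare executable name, no path", line))
        elif folder in {"c:\\windows", "c:\\windows\\system"}:
            findings.append((section, "unlisted program in Windows dir: look it up", line))
    return findings

SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [qjjmxztm] C:\WINDOWS\SYSTEM\wketxg.exe
O4 - HKLM\..\Run: [Brong32] forces_elite.exe
O4 - HKLM\..\Run: [TempRemove] "C:\Program Files\Crystal Ball\CB Predictor\terminator.exe"
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O15 - Trusted IP range: 67.19.185.246
O21 - SSODL: OLE Automation Module - {3F143C3A-1457-6CCA-03A7-7AA23B61E40F} - (no file)
"""

if __name__ == "__main__":
    for section, reason, line in triage(SAMPLE_LOG):
        print(f"{section:4} {reason:45} {line}")
```

The pass is a first cut only: an entry it does not flag (the Program Files item above, for instance) still needs the name looked up, exactly as the reviewer did here.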
  5. Laurno2

    Laurno2 Newcomer, in training Topic Starter

    thanks

    Thank you for your help. However, I did have one problem. When I went to delete NTOSV.DLL it said that the file could not be deleted - specified file is being used by windows. The only thing I had running in the task manager was Explorer. It would let me delete NTOSV.DLL.conf and NTOSV.DLL.LGC. Other than that everything else seems to be cleaned up or removed.

    I stopped using IE last month and had switched over to Firefox. I don't recall going to any random websites so I don't know how all of that crap got on my computer in the first place before the switch. Thanks again.
  6. RealBlackStuff

    RealBlackStuff Newcomer, in training Posts: 8,165

  7. Laurno2

    Laurno2 Newcomer, in training Topic Starter

    simple toolbar

    When I tried to use DrDelete it couldn't find NTOSV.DLL; I didn't see it in the windows/system directory either, so it must have gone away after I restarted. I got WexTech to go away but the Simple Toolbar is still in the install/remove software part of the control panel. I don't know what file it's linked to.

    Can I delete spool.exe, spoolsrv32.exe or scagent.exe? I'm pretty sure they are bad but just wanted to check first. Spool.exe is in my latest run of HijackThis, I saw spoolsrv32 next to spool in the windows/system directory and I saw Cox block scagent from accessing the internet.
  8. RealBlackStuff

    RealBlackStuff Newcomer, in training Posts: 8,165

    Can you post another HJT.txt as attachment please?
    Do NOT delete any of those programs yet.
    If they do not show up in the HJT-log, tell us where they are located on your PC.
  9. Laurno2

    Laurno2 Newcomer, in training Topic Starter

    updated hijackthis log

    So I thought I had my computer pretty much cleaned out and then my friend tried to download windows media player and opened the floodgates for a bunch of new monsters. One of them somewhat broke spybot.....I get the error "Error during check! Z-Demon (Ungultiger Datetyp fur ") and now also have a giant warning that I'm in Danger as my background....awesome.

    Here's the new log file you wanted. The spool.exe and spoolsrv32.exe are in the log. Scagent.exe isn't in there and I can't find it any where so Cox must have killed it. SimpleToolbar is still in the add/remove software part of the control panel and I have no idea where it's coming from.
  10. RealBlackStuff

    RealBlackStuff Newcomer, in training Posts: 8,165

    Hellooohhh?

    What log?
  11. Laurno2

    Laurno2 Newcomer, in training Topic Starter

    Lost Log

    It was attached, I swear.
     
  12. RealBlackStuff

    RealBlackStuff Newcomer, in training Posts: 8,165

    Boot in Safe Mode.
    Press Ctrl/Alt/Del simultaneously, select Taskmanager/Processes, select the process (if there), click "End Process" for:
    runonce.exe
    spools.exe

    Next, run HJT on its own and let it 'fix' if there:
    O4 - HKLM\..\Run: [mdac_runonce] C:\WINDOWS\SYSTEM\runonce.exe
    O4 - HKLM\..\Run: [Shellspl] spools.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O15 - Trusted IP range: 67.19.185.246
    O15 - Trusted IP range: 67.19.185.246 (HKLM)

    When done, delete the highlighted bold files.
    Boot normal.