Someone diagnose my HijackThis log?

Started by Darkman, Jul 28 2005 04:54 PM

Next

You cannot reply to this topic

46 replies to this topic

#1 OFFLINE Darkman

Advanced Member

Members
171 posts

Posted 28 July 2005 - 04:54 PM

Hi.. i am new here...

how is my hijackThis looks to you .. i had some viruses ..but i think got rid of them..

any suggestions on this:

Logfile of HijackThis v1.99.1
Scan saved at 11:11:00 AM, on 28/07/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\PROGRAM FILES\WINAMP\WINAMPA.EXE
C:\WINDOWS\PCTVOICE.EXE
C:\WINDOWS\LOADQM.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\PROGRAM FILES\AVPERSONAL\AVGCTRL.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
C:\PROGRAM FILES\PSYCH\RUNNER.EXE
C:\PROGRAM FILES\MTS\ENTERNET 300\APP\ENTERNET.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\NOTEPAD.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\HIJACKTHIS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.ru/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Program Files\Common Files\Microsoft Shared\Stationery\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Program Files\Common Files\Microsoft Shared\Stationery\blank.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Shaw Internet
R3 - URLSearchHook: MraSearch Class - {30DA811B-BCBF-4aa7-B5E3-CEE0E03EF2B2} - C:\WINDOWS\SYSTEM\MRASEARCH.DLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [CM-SmWizard] C:\WINDOWS\System\SmWizard.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [PCTVOICE] pctvoice.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [$EnterNet] C:\PROGRA~1\MTS\ENTERN~1\APP\ENTERNET.EXE -AutoStart
O4 - HKLM\..\Run: [Mra] C:\WINDOWS\SYSTEM\Mra.EXE
O4 - HKLM\..\Run: [AVGCtrl] C:\PROGRAM FILES\AVPERSONAL\AVGCTRL.EXE /min
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
O4 - HKCU\..\Run: [MAgent] C:\Program Files\Mail.Ru\Agent\MAgent.exe -CU
O4 - HKCU\..\Run: [Mra] C:\WINDOWS\Application Data\Mra\Mra.EXE
O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O4 - Startup: Runner.LNK = C:\Program Files\Psych\Runner.EXE
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O9 - Extra button: eBay - Homepage - {EF79EAC5-3452-4E02-B8BD-BA4C89F1AC7A} - C:\PROGRAM FILES\IRFANVIEW\Ebay\Ebay.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM\AIM.EXE
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMESCA.DLL
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMESCA.DLL
O9 - Extra button: Mail.Ru Agent - {7558B7E5-7B26-4201-BEDB-00D5FF534523} - C:\WINDOWS\SYSTEM\MRA.EXE
O12 - Plugin for .pdf: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
O16 - DPF: {05317530-B882-449D-9421-18D94FA3ED34} (OSInfo Control) - http://www.sis.com/ocis/OSInfo.cab
O16 - DPF: {BA549C46-AD38-11D7-A476-00D0590EC9DE} (SiS_OCX98 Control) - http://www.sis.com/o...utodetect98.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/...s/msnchat45.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abac...abasetup156.cab
O16 - DPF: {C5E28B9D-0A68-4B50-94E9-E8F6B4697514} (NsvPlayX Control) - http://www.11channel...ayx_vp3_mp3.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab

Back to top

#2 OFFLINE Tarun

Lunarian

Banned
3,071 posts

Posted 28 July 2005 - 05:18 PM

Log is clean, these are just maintenance and performance fixes.

Generated by Tarun's HijackThis Converter v0.36 Beta.

Changed registry value. Safe to remove:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.ru/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Program Files\Common Files\Microsoft Shared\Stationery\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Program Files\Common Files\Microsoft Shared\Stationery\blank.htm

Created registry value. Safe to remove:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Shaw Internet

Created extra registry value where only one should be. Safe to remove:
R3 - URLSearchHook: MraSearch Class - {30DA811B-BCBF-4aa7-B5E3-CEE0E03EF2B2} - C:\WINDOWS\SYSTEM\MRASEARCH.DLL

Enumeration of existing IE's toolbars. Safe to remove:
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX

Enumeration of suspicious auto-loading registry entries. Safe to remove:
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [PCTVOICE] pctvoice.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [Mra] C:\WINDOWS\SYSTEM\Mra.EXE
O4 - HKLM\..\Run: [AVGCtrl] C:\PROGRAM FILES\AVPERSONAL\AVGCTRL.EXE /min
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
O4 - HKCU\..\Run: [MAgent] C:\Program Files\Mail.Ru\Agent\MAgent.exe -CU
O4 - HKCU\..\Run: [Mra] C:\WINDOWS\Application Data\Mra\Mra.EXE
O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O4 - Startup: Runner.LNK = C:\Program Files\Psych\Runner.EXE

Extra IE context menu items. Safe to remove:
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm

Extra "Tools" menu items and buttons. Safe to remove:
O9 - Extra button: eBay - Homepage - {EF79EAC5-3452-4E02-B8BD-BA4C89F1AC7A} - C:\PROGRAM FILES\IRFANVIEW\Ebay\Ebay.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM\AIM.EXE
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMESCA.DLL
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMESCA.DLL
O9 - Extra button: Mail.Ru Agent - {7558B7E5-7B26-4201-BEDB-00D5FF534523} - C:\WINDOWS\SYSTEM\MRA.EXE

IE plugins for file extensions or MIME types. Safe to remove:
O12 - Plugin for .pdf: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll

Downloaded Program Files item. Safe to remove:
O16 - DPF: {05317530-B882-449D-9421-18D94FA3ED34} (OSInfo Control) - http://www.sis.com/ocis/OSInfo.cab
O16 - DPF: {BA549C46-AD38-11D7-A476-00D0590EC9DE} (SiS_OCX98 Control) - http://www.sis.com/o...utodetect98.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/...s/msnchat45.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abac...abasetup156.cab
O16 - DPF: {C5E28B9D-0A68-4B50-94E9-E8F6B4697514} (NsvPlayX Control) - http://www.11channel...ayx_vp3_mp3.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab

I see you're on ME as well and I've seen your other posts. Have you disabled System Restore?

Look for System Restore Remover Pro, let it remove System Restore, PCHealth, and the Windows File Protection (or whatever ME calls it). Your pc will run a lot better, surprisingly enough.

Back to top

#3 OFFLINE Darkman

Advanced Member

Members
171 posts

Posted 28 July 2005 - 05:45 PM

Ok.. thanks a lot..
gotto go to work soon.. so will later..

ya.. system restore i think disabled .. but i will doublecheck later..

and will check for System Restore Remover Pro later..

meanwhile .. - all those entries that your reported above.. - safe to remove, how do i remove / fix them? (if wanted)

With Fix button in a hijackThis? or any other way?

and what's this HijackThis Converter v0.36 Beta thingy you showing above?
Some program one can download - to produce these kind of outputs of what safe to remove?

hehe

Thanks again...

Back to top

#4 OFFLINE Darkman

Advanced Member

Members
171 posts

Posted 28 July 2005 - 06:11 PM

and sorry to bug you again..

But i just did newest Hijack log.. - as i installed / reinstalled few programs (that didn't have before.. or uninstall due to some virus i had)

Here:

Logfile of HijackThis v1.99.1
Scan saved at 1:09:52 PM, on 28/07/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\PROGRAM FILES\WINAMP\WINAMPA.EXE
C:\WINDOWS\PCTVOICE.EXE
C:\WINDOWS\LOADQM.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\PROGRAM FILES\MTS\ENTERNET 300\APP\ENTERNET.EXE
C:\PROGRAM FILES\AVPERSONAL\AVGCTRL.EXE
C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
C:\PROGRAM FILES\PSYCH\RUNNER.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\HIJACKTHIS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.ru/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Program Files\Common Files\Microsoft Shared\Stationery\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Program Files\Common Files\Microsoft Shared\Stationery\blank.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Shaw Internet
R3 - URLSearchHook: MraSearch Class - {30DA811B-BCBF-4aa7-B5E3-CEE0E03EF2B2} - C:\WINDOWS\SYSTEM\MRASEARCH.DLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [CM-SmWizard] C:\WINDOWS\System\SmWizard.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [PCTVOICE] pctvoice.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [$EnterNet] C:\PROGRA~1\MTS\ENTERN~1\APP\ENTERNET.EXE -AutoStart
O4 - HKLM\..\Run: [Mra] C:\WINDOWS\SYSTEM\Mra.EXE
O4 - HKLM\..\Run: [AVGCtrl] C:\PROGRAM FILES\AVPERSONAL\AVGCTRL.EXE /min
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
O4 - HKCU\..\Run: [MAgent] C:\Program Files\Mail.Ru\Agent\MAgent.exe -CU
O4 - HKCU\..\Run: [Mra] C:\WINDOWS\Application Data\Mra\Mra.EXE
O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O4 - Startup: Runner.LNK = C:\Program Files\Psych\Runner.EXE
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O9 - Extra button: eBay - Homepage - {EF79EAC5-3452-4E02-B8BD-BA4C89F1AC7A} - C:\PROGRAM FILES\IRFANVIEW\Ebay\Ebay.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM\AIM.EXE
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMESCA.DLL
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMESCA.DLL
O9 - Extra button: Mail.Ru Agent - {7558B7E5-7B26-4201-BEDB-00D5FF534523} - C:\WINDOWS\SYSTEM\MRA.EXE
O12 - Plugin for .pdf: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
O16 - DPF: {05317530-B882-449D-9421-18D94FA3ED34} (OSInfo Control) - http://www.sis.com/ocis/OSInfo.cab
O16 - DPF: {BA549C46-AD38-11D7-A476-00D0590EC9DE} (SiS_OCX98 Control) - http://www.sis.com/o...utodetect98.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/...s/msnchat45.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abac...abasetup156.cab
O16 - DPF: {C5E28B9D-0A68-4B50-94E9-E8F6B4697514} (NsvPlayX Control) - http://www.11channel.dp.ua/res/broadcast/n...ayx_vp3_mp3.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab

Back to top

#5 OFFLINE Tarun

Lunarian

Banned
3,071 posts

Posted 28 July 2005 - 07:15 PM

Darkman, on Jul 28 2005, 01:45 PM, said:

Ok.. thanks a lot..
gotto go to work soon.. so will later..

ya.. system restore i think disabled .. but i will doublecheck later..

and will check for System Restore Remover Pro later..

meanwhile .. - all those entries that your reported above.. - safe to remove, how do i remove / fix them? (if wanted)

With Fix button in a hijackThis? or any other way?

and what's this HijackThis Converter v0.36 Beta thingy you showing above?
Some program one can download - to produce these kind of outputs of what safe to remove?

hehe

Thanks again...

<{POST_SNAPBACK}>

Yes, use the fix button in HijackThis with the above entries selected. Simply check the entries mentions and click Fix.

HijackThis Converter is a program I made with DjLizard. Used to handle HijackThis logs, a beautifier as he puts it.

Darkman, on Jul 28 2005, 02:11 PM, said:

and sorry to bug you again..

But i just did newest Hijack log.. - as i installed / reinstalled few programs (that didn't have before.. or uninstall due to some virus i had)

<{POST_SNAPBACK}>

Since nothing has changed (that I can see) from the first log you posted, see my above post.

Back to top

#6 OFFLINE Darkman

Advanced Member

Members
171 posts

Posted 28 July 2005 - 07:29 PM

Ok.. COol

Thanks for that information.. Nice Bueatifier btw

Looks good..
So OK - that how i will fix.. - will select them .and then press Fix in HijackThis..
Thanks..
But before i do it..
One last time - can you please check my freshest log .. i ll do it now..
Cuz - for the first time ever i just used your CCleaner..and registry twicked with it too..
So in case something changed in hijacklog there.. - i don't want to make the boo-boo.. so here is my log again (last time)

If something changed since first one.. - make me that beutifier again

and if nothing changed - then please tell me - and i will follow the first log's instruction:

Logfile of HijackThis v1.99.1
Scan saved at 2:28:38 PM, on 28/07/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\PROGRAM FILES\WINAMP\WINAMPA.EXE
C:\WINDOWS\PCTVOICE.EXE
C:\WINDOWS\LOADQM.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\PROGRAM FILES\AVPERSONAL\AVGCTRL.EXE
C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
C:\PROGRAM FILES\PSYCH\RUNNER.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\MTS\ENTERNET 300\APP\ENTERNET.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\HIJACKTHIS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.ru/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Program Files\Common Files\Microsoft Shared\Stationery\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Program Files\Common Files\Microsoft Shared\Stationery\blank.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Shaw Internet
R3 - URLSearchHook: MraSearch Class - {30DA811B-BCBF-4aa7-B5E3-CEE0E03EF2B2} - C:\WINDOWS\SYSTEM\MRASEARCH.DLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [CM-SmWizard] C:\WINDOWS\System\SmWizard.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [PCTVOICE] pctvoice.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [$EnterNet] C:\PROGRA~1\MTS\ENTERN~1\APP\ENTERNET.EXE -AutoStart
O4 - HKLM\..\Run: [Mra] C:\WINDOWS\SYSTEM\Mra.EXE
O4 - HKLM\..\Run: [AVGCtrl] C:\PROGRAM FILES\AVPERSONAL\AVGCTRL.EXE /min
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
O4 - HKCU\..\Run: [MAgent] C:\Program Files\Mail.Ru\Agent\MAgent.exe -CU
O4 - HKCU\..\Run: [Mra] C:\WINDOWS\Application Data\Mra\Mra.EXE
O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O4 - Startup: Runner.LNK = C:\Program Files\Psych\Runner.EXE
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O9 - Extra button: eBay - Homepage - {EF79EAC5-3452-4E02-B8BD-BA4C89F1AC7A} - C:\PROGRAM FILES\IRFANVIEW\Ebay\Ebay.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM\AIM.EXE
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMESCA.DLL
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMESCA.DLL
O9 - Extra button: Mail.Ru Agent - {7558B7E5-7B26-4201-BEDB-00D5FF534523} - C:\WINDOWS\SYSTEM\MRA.EXE
O12 - Plugin for .pdf: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
O16 - DPF: {05317530-B882-449D-9421-18D94FA3ED34} (OSInfo Control) - http://www.sis.com/ocis/OSInfo.cab
O16 - DPF: {BA549C46-AD38-11D7-A476-00D0590EC9DE} (SiS_OCX98 Control) - http://www.sis.com/o...utodetect98.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/...s/msnchat45.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abac...abasetup156.cab
O16 - DPF: {C5E28B9D-0A68-4B50-94E9-E8F6B4697514} (NsvPlayX Control) - http://www.11channel.dp.ua/res/broadcast/n...ayx_vp3_mp3.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab

Back to top

#7 OFFLINE Tarun

Lunarian

Banned
3,071 posts

Posted 28 July 2005 - 08:10 PM

I don't see any changes, though a small tip. Before you post a new log, be sure to clean what was suggested. It helps.

Back to top

#8 OFFLINE Darkman

Advanced Member

Members
171 posts

Posted 28 July 2005 - 11:46 PM

Oh.. cool.. cool tip..
but before i wasn't sure exactly how to clean..

Now i know..
But have to go to work now..

So tomorrow sometimes.. will clean hijack (fix) ..according to original bueatifier instructions

and then see what's what

now gone to work

Back to top

#9 OFFLINE Darkman

Advanced Member

Members
171 posts

Posted 29 July 2005 - 03:11 PM

OK.. back from work

OK.. before i fix this hijackThis log - couple question (cuz i am newbie with this and somewhat a lamer)

- what does HijackThis program exactly mean (in simple words - my english is not the best)?

- this Hijackthis's log - what does it mean?

- fixing / cleaning or whatever... this hijackthis's log - what does it mean or do.. ( simple words

)

Ok.. few questions:

looking at what's recommended above by Beautifier's "Safe to clean":

i know i am using some of those programs - like for example - mra (maybe aka Magent - kinda Russian Chat thingy.. kinda like icq etc.. but specific to people with mail.ru , inbox.ru, etc mail accounts..)...

also screensaver thingy: Psych\Runner.EXE - i think i put it in tray on purpose... manager for this and that

also - pctvoice.exe .. not sure now what it is.. but maybe it's purposly.. or for sound card's sound..

also - i know i am using Winzip, and winamp, and Antivirus there.. - and i think when install those.. - they go in the tray...

also - i know - i am using Getright, icqlite, etc on occasion...

adn i know - i installed yahoo chat.. msn chat, etc - purposly also .. (even though .. almost never use them.. and when windows start.. those do not start, neither does Icqlite (from chats - only Russian one - mra or magent or whatever it called - loads to tray at windows start .. it maybe newer and older version.. and one was called mra.. and other one magent.exe maybe.. - and i think new one was giving me some conflicts.. so i went to the old one.. .. and it was somewhat tricky.. but i got it to work again - that is wher it stands with those mra/magent)

OK. - my question / concern is .. - If i "fix" (or whatever it called) all those suggested to "safe to remove" above - what Exactly will happen afterwards?

Like for example - will those programs etc (that i just mentioned above) - will they Still ..work? , lol

Thanks

Back to top

#10 OFFLINE Tarun

Lunarian

Banned
3,071 posts

Posted 29 July 2005 - 04:57 PM

Darkman, on Jul 29 2005, 11:11 AM, said:

OK.. back from work

OK.. before i fix this hijackThis log - couple question (cuz i am newbie with this and somewhat a lamer)

- what does HijackThis program exactly mean (in simple words - my english is not the best)?

- this Hijackthis's log - what does it mean?

- fixing / cleaning or whatever... this hijackthis's log - what does it mean or do.. ( simple words

)

Ok.. few questions:

looking at what's recommended above by Beautifier's "Safe to clean":

i know i am using some of those programs - like for example - mra (maybe aka Magent - kinda Russian Chat thingy.. kinda like icq etc.. but specific to people with mail.ru , inbox.ru, etc mail accounts..)...

also screensaver thingy: Psych\Runner.EXE - i think i put it in tray on purpose... manager for this and that

also - pctvoice.exe .. not sure now what it is.. but maybe it's purposly.. or for sound card's sound..

also - i know i am using Winzip, and winamp, and Antivirus there.. - and i think when install those.. - they go in the tray...

also - i know - i am using Getright, icqlite, etc on occasion...

adn i know - i installed yahoo chat.. msn chat, etc - purposly also .. (even though .. almost never use them.. and when windows start.. those do not start, neither does Icqlite (from chats - only Russian one - mra or magent or whatever it called - loads to tray at windows start .. it maybe newer and older version.. and one was called mra.. and other one magent.exe maybe.. - and i think new one was giving me some conflicts.. so i went to the old one.. .. and it was somewhat tricky.. but i got it to work again - that is wher it stands with those mra/magent)

OK. - my question / concern is .. - If i "fix" (or whatever it called) all those suggested to "safe to remove" above - what Exactly will happen afterwards?

Like for example - will those programs etc (that i just mentioned above) - will they Still ..work? , lol

Thanks

<{POST_SNAPBACK}>

A majority of it is to optimize your startup, cleaning it up etc. It won't break any program functionality. If you still want certain items to load at startup simply do no check the item before clicking fix. Fixing them removes them from the registry. That's about all really.

About HijackThis said:

HijackThis : A general homepage hijackers detector and remover. Initially based on the article Hijacked!, but expanded with almost a dozen other checks against hijacker tricks. It is continually updated to detect and remove new hijacks. It does not target specific programs/URLs, just the methods used by hijackers to force you onto their sites. As a result, false positives are imminent and unless you are sure what you're doing, you should always consult with knowledgable folks (e.g. the forums) before deleting anything.

Back to top

#11 OFFLINE Darkman

Advanced Member

Members
171 posts

Posted 29 July 2005 - 05:20 PM

"A majority of it is to optimize your startup, cleaning it up etc. It won't break any program functionality. If you still want certain items to load at startup simply do no check the item before clicking fix. Fixing them removes them from the registry. That's about all really"

------
Thanks.....

So what you are saying .. - to check them .. and press Fix after.. BUT - the ones that i still want to start up at startup .. just NOT to check them.. exclude them from checking (even though the beuatifier above suggested and said "safe", eh?

Exclude the wanted ones.. and then press Fix.. and fix the checked ones?

Back to top

#12 OFFLINE Tarun

Lunarian

Banned
3,071 posts

Posted 29 July 2005 - 06:07 PM

The HijackThis Converter says what is safe to remove. It won't hurt your system to remove things like AIM, Msn, etc from starting with your computer. They will still function just fine, you'd just have to run them after bootup is all.

The entire process is very easy really.

Back to top

#13 OFFLINE Darkman

Advanced Member

Members
171 posts

Posted 29 July 2005 - 06:10 PM

Ok.. i did some ..from "beauty list" - above - "safe to remove"

Not all.. - can do others later.. and see.. (noticed can always restore in hijack's backup - that's good)

When i removed.. something went fishy.. kernel or something.. computer halted.. but i booted it up..and -hehe - it''s still alive

)))

deleted that script finally - from 2nd try.. cuz 1st try (halted .. above mentioned) .. this one is gone now:

IE plugins for file extensions or MIME types. Safe to remove:
O12 - Plugin for .pdf: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll

Tell me something .. - i tried to removed this one several time - but it doesn't remove.. Not Fixing in hijack.. still there if scan again.. this one:

Extra "Tools" menu items and buttons. Safe to remove:
O9 - Extra button: eBay - Homepage - {EF79EAC5-3452-4E02-B8BD-BA4C89F1AC7A} - C:\PROGRAM FILES\IRFANVIEW\Ebay\Ebay.htm

ya.. that one above doesn't remove.. not sure why..
i remember something like .. when installed that viewer irfanview in past.. Ebay buton appeared or something.. .. and then i think i removed that button (i think at IE's top tool bar somewhere)
Anyhow - if you know - let me know..

Anyhow.. here is freshest hijack.. hehe - it's way shorter...
Would you please anylize it again with bueatifier (same as above).. or give me some other comments/suggestions..

Then later.. i will play with the rest ones.. the ones that didn't fix yet..
(can always restore them after)
But firstly i want to see what's some of them do.. (i can't remember even some of them.. or do not know what they are)..
and then maybe - i will fix them one by one.. to see what's missing from where (toolbars, etc).. to see what's what.. and how computer will react to each "fix"..
after each "fix" - i will be probably rebooting .. to see how is going

ANyhow .. here it is .. let me know analizer / bueatifier thingy again.. - it looks good and neat .. i like it

Here is freshest... will do it now! :

Logfile of HijackThis v1.99.1
Scan saved at 1:09:09 PM, on 29/07/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\PROGRAM FILES\WINAMP\WINAMPA.EXE
C:\WINDOWS\PCTVOICE.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\MTS\ENTERNET 300\APP\ENTERNET.EXE
C:\PROGRAM FILES\AVPERSONAL\AVGCTRL.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
C:\PROGRAM FILES\PSYCH\RUNNER.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\HIJACKTHIS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.ru/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [CM-SmWizard] C:\WINDOWS\System\SmWizard.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [PCTVOICE] pctvoice.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [$EnterNet] C:\PROGRA~1\MTS\ENTERN~1\APP\ENTERNET.EXE -AutoStart
O4 - HKLM\..\Run: [Mra] C:\WINDOWS\SYSTEM\Mra.EXE
O4 - HKLM\..\Run: [AVGCtrl] C:\PROGRAM FILES\AVPERSONAL\AVGCTRL.EXE /min
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKCU\..\Run: [MAgent] C:\Program Files\Mail.Ru\Agent\MAgent.exe -CU
O4 - HKCU\..\Run: [Mra] C:\WINDOWS\Application Data\Mra\Mra.EXE
O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O4 - Startup: Runner.LNK = C:\Program Files\Psych\Runner.EXE
O9 - Extra button: eBay - Homepage - {EF79EAC5-3452-4E02-B8BD-BA4C89F1AC7A} - C:\PROGRAM FILES\IRFANVIEW\Ebay\Ebay.htm
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: Mail.Ru Agent - {7558B7E5-7B26-4201-BEDB-00D5FF534523} - C:\WINDOWS\SYSTEM\MRA.EXE

Back to top

#14 OFFLINE Tarun

Lunarian

Banned
3,071 posts

Posted 29 July 2005 - 06:40 PM

These are not needed at all.

O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe

Back to top

#15 OFFLINE Darkman

Advanced Member

Members
171 posts

Posted 29 July 2005 - 06:42 PM

Tarun, on Jul 28 2005, 11:18 AM, said:

I see you're on ME as well and I've seen your other posts. Have you disabled System Restore?

Look for System Restore Remover Pro, let it remove System Restore, PCHealth, and the Windows File Protection (or whatever ME calls it). Your pc will run a lot better, surprisingly enough.

Ya.. just got the program - and removed those 3 (PCHealth was disabled on my PC anyhow - but i removed all 3 anyways)..

They are gone..

And i also got rid of Movie Maker - hehe - I ain't makin' no movies anyhow!

Thanks

So after i installed Sys Restore Remover Pro 1.5 i think (the newest and final)
And after i removed what i just mentioned above... - Here is my freshest hijack log.. If you analize me again.. might as well analize this one.. as it's most current..and includes any of the above mentioned changes.. (if they are effected in a hijack) ..
Here:

Logfile of HijackThis v1.99.1
Scan saved at 1:41:58 PM, on 29/07/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\WBEM\WINMGMT.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\PROGRAM FILES\WINAMP\WINAMPA.EXE
C:\WINDOWS\PCTVOICE.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\MTS\ENTERNET 300\APP\ENTERNET.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\AVPERSONAL\AVGCTRL.EXE
C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
C:\PROGRAM FILES\PSYCH\RUNNER.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\HIJACKTHIS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.ru/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [CM-SmWizard] C:\WINDOWS\System\SmWizard.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [PCTVOICE] pctvoice.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [$EnterNet] C:\PROGRA~1\MTS\ENTERN~1\APP\ENTERNET.EXE -AutoStart
O4 - HKLM\..\Run: [Mra] C:\WINDOWS\SYSTEM\Mra.EXE
O4 - HKLM\..\Run: [AVGCtrl] C:\PROGRAM FILES\AVPERSONAL\AVGCTRL.EXE /min
O4 - HKLM\..\Run: [SRP Startup] C:\WINDOWS\SYSTEM\SRP\SRRPRO.EXE /startup
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [WinMgmt] C:\WINDOWS\SYSTEM\WBEM\WinMgmt.exe
O4 - HKCU\..\Run: [MAgent] C:\Program Files\Mail.Ru\Agent\MAgent.exe -CU
O4 - HKCU\..\Run: [Mra] C:\WINDOWS\Application Data\Mra\Mra.EXE
O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O4 - Startup: Runner.LNK = C:\Program Files\Psych\Runner.EXE
O9 - Extra button: eBay - Homepage - {EF79EAC5-3452-4E02-B8BD-BA4C89F1AC7A} - C:\PROGRAM FILES\IRFANVIEW\Ebay\Ebay.htm
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: Mail.Ru Agent - {7558B7E5-7B26-4201-BEDB-00D5FF534523} - C:\WINDOWS\SYSTEM\MRA.EXE

Back to top

#16 OFFLINE Darkman

Advanced Member

Members
171 posts

Posted 29 July 2005 - 06:48 PM

Tarun, on Jul 29 2005, 12:40 PM, said:

These are not needed at all.

O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe

<{POST_SNAPBACK}>

Thanks..

What do those 3 do?
- Winamp i know.. so i will delete it.. - i guess it will still Run anyhow

But SysTray.exe and loadqm.exe - what do they do? (that is why i said in previous post that i was going to check each manually)

hehe - just found SysTray.exe with Search .. and clicked on it.. - lol - but it didn't do anything.. so i still do not know what it is .. Let me know!

same with Loadqm.exe - just found it.. clicked on it.. but it didn't do nothing....
Let me know what it do!

meanwhile i ll go remove them 3 anyhow.. (can always restore

)
and will reboot computer
Then will give you newest log

Back to top

#17 OFFLINE Darkman

Advanced Member

Members
171 posts

Posted 29 July 2005 - 06:59 PM

removed those 3 (above)

Winamp - still working

Computer - still alive

looks like less things in tray at the right - only 5 now - 3d thingy ( i think volume from sound card ), AntiVir (antivirus), Screensaver Utility thingy, Winzip ..and my internet connection from DSL

Here is latest hijack.. log.. will take it now:
If look at or analize anything again.. This one please:

Logfile of HijackThis v1.99.1
Scan saved at 1:56:15 PM, on 29/07/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\WBEM\WINMGMT.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\PCTVOICE.EXE
C:\PROGRAM FILES\AVPERSONAL\AVGCTRL.EXE
C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
C:\PROGRAM FILES\PSYCH\RUNNER.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\MTS\ENTERNET 300\APP\ENTERNET.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\HIJACKTHIS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.ru/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [CM-SmWizard] C:\WINDOWS\System\SmWizard.exe
O4 - HKLM\..\Run: [PCTVOICE] pctvoice.exe
O4 - HKLM\..\Run: [$EnterNet] C:\PROGRA~1\MTS\ENTERN~1\APP\ENTERNET.EXE -AutoStart
O4 - HKLM\..\Run: [Mra] C:\WINDOWS\SYSTEM\Mra.EXE
O4 - HKLM\..\Run: [AVGCtrl] C:\PROGRAM FILES\AVPERSONAL\AVGCTRL.EXE /min
O4 - HKLM\..\Run: [SRP Startup] C:\WINDOWS\SYSTEM\SRP\SRRPRO.EXE /startup
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [WinMgmt] C:\WINDOWS\SYSTEM\WBEM\WinMgmt.exe
O4 - HKCU\..\Run: [MAgent] C:\Program Files\Mail.Ru\Agent\MAgent.exe -CU
O4 - HKCU\..\Run: [Mra] C:\WINDOWS\Application Data\Mra\Mra.EXE
O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O4 - Startup: Runner.LNK = C:\Program Files\Psych\Runner.EXE
O9 - Extra button: eBay - Homepage - {EF79EAC5-3452-4E02-B8BD-BA4C89F1AC7A} - C:\PROGRAM FILES\IRFANVIEW\Ebay\Ebay.htm
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: Mail.Ru Agent - {7558B7E5-7B26-4201-BEDB-00D5FF534523} - C:\WINDOWS\SYSTEM\MRA.EXE

Back to top

#18 OFFLINE Tarun

Lunarian

Banned
3,071 posts

Posted 29 July 2005 - 07:17 PM

The fewer items in the tray near the clock (Systray) the better your comp will run. These can go too:

O4 - HKLM\..\RunServices: [WinMgmt] C:\WINDOWS\SYSTEM\WBEM\WinMgmt.exe
O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE

Back to top

#19 OFFLINE Darkman

Advanced Member

Members
171 posts

Posted 29 July 2005 - 07:24 PM

ya.. the less the better i know..

Thanks for System Restore Remover Pro by the way

OK - i will get rid of this:
O4 - HKLM\..\RunServices: [WinMgmt] C:\WINDOWS\SYSTEM\WBEM\WinMgmt.exe

But winzip quick pick .. or whatever it is.. maybe later...
when i do one by one some others...
for now it looks good there .. hehe - or if need winzip just click on it there (even though, truth - i clicked on winzip in tray there - hardly ever.. hehe - usually from windows explorer , etc..

Thanks again....

Gotto work tonight again too..and tomorrow etc.. until monday morning.. then day offs again

Back to top

#20 OFFLINE Darkman

Advanced Member

Members
171 posts

Posted 29 July 2005 - 07:32 PM

O4 - HKLM\..\RunServices: [WinMgmt] C:\WINDOWS\SYSTEM\WBEM\WinMgmt.exe --- Gone

btw - russian magent (mra) or whatever - in tray also at boot-up.. (but last time when i said was 5 in tray - i shut it off)
I want it to be in tray at boot-up (personal preference) .. but often shut it off manually afterwards

here is after boot-up the latest log:

Logfile of HijackThis v1.99.1
Scan saved at 2:29:32 PM, on 29/07/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\PCTVOICE.EXE
C:\PROGRAM FILES\AVPERSONAL\AVGCTRL.EXE
C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
C:\PROGRAM FILES\PSYCH\RUNNER.EXE
C:\PROGRAM FILES\MTS\ENTERNET 300\APP\ENTERNET.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\HIJACKTHIS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.ru/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [CM-SmWizard] C:\WINDOWS\System\SmWizard.exe
O4 - HKLM\..\Run: [PCTVOICE] pctvoice.exe
O4 - HKLM\..\Run: [$EnterNet] C:\PROGRA~1\MTS\ENTERN~1\APP\ENTERNET.EXE -AutoStart
O4 - HKLM\..\Run: [Mra] C:\WINDOWS\SYSTEM\Mra.EXE
O4 - HKLM\..\Run: [AVGCtrl] C:\PROGRAM FILES\AVPERSONAL\AVGCTRL.EXE /min
O4 - HKLM\..\Run: [SRP Startup] C:\WINDOWS\SYSTEM\SRP\SRRPRO.EXE /startup
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKCU\..\Run: [MAgent] C:\Program Files\Mail.Ru\Agent\MAgent.exe -CU
O4 - HKCU\..\Run: [Mra] C:\WINDOWS\Application Data\Mra\Mra.EXE
O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O4 - Startup: Runner.LNK = C:\Program Files\Psych\Runner.EXE
O9 - Extra button: eBay - Homepage - {EF79EAC5-3452-4E02-B8BD-BA4C89F1AC7A} - C:\PROGRAM FILES\IRFANVIEW\Ebay\Ebay.htm
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: Mail.Ru Agent - {7558B7E5-7B26-4201-BEDB-00D5FF534523} - C:\WINDOWS\SYSTEM\MRA.EXE

Back to top

Next

Back to Spyware Hell