# Please help with hijackthis log file



## tnpuddleduck (Oct 30, 2003)

Thanks in advance for the help, guys. Here is my log file. One question: my Explorer start page has this ehttp.cc\? before my home page. How do I fix it, and if there are any other problems you see, let me know. Thanks again.
Logfile of HijackThis v1.97.2
Scan saved at 8:00:06 AM, on 10/30/03
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\AVSYNMGR.EXE
C:\PROGRAM FILES\NORTON CLEANSWEEP\CSINJECT.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\VSSTAT.EXE
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\VSHWIN32.EXE
C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\AVCONSOL.EXE
C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\WEBSCANX.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\TASKMON.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\EVNTSVC.EXE
C:\PROGRAM FILES\NORTON CLEANSWEEP\CSINSM32.EXE
C:\Program Files\Norton CleanSweep\Monwow.exe
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\ANALOGX\POW\POW.EXE
C:\PROGRAM FILES\ZIPCENTRAL\ZCENTRAL.EXE
C:\WINDOWS\TEMP\_ZCTMP.DIR\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ehttp.cc/?www.netscape.com
N1 - Netscape 4: user_pref("browser.startup.homepage", "http://www.netscape.com/"); (c:\Program Files\Netscape\Users\bgallway\prefs.js)
O1 - Hosts: 66.118.163.109 auto.search.msn.com
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Mount Safe & Sound] C:\PROGRAM FILES\MCAFEE\MCAFEE SHARED COMPONENTS\SAFE & SOUND\FBMOUNT.EXE
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [AvconsoleEXE] C:\Program Files\Network Associates\McAfee VirusScan\avconsol.exe /minimize
O4 - HKLM\..\Run: [VsStatEXE] C:\Program Files\Network Associates\McAfee VirusScan\VSSTAT.EXE /SHOWWARNING
O4 - HKLM\..\Run: [VsEcomrEXE] C:\Program Files\Network Associates\McAfee VirusScan\vsecomr.exe
O4 - HKLM\..\Run: [McAfeeWebScanX] C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\WebScanX.Exe
O4 - HKLM\..\Run: [Vshwin32EXE] C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\VSHWIN32.EXE
O4 - HKLM\..\Run: [C:\WINDOWS\SYSTEM\gone.scr] C:\WINDOWS\SYSTEM\gone.scr
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKLM\..\RunServices: [McAfeeVirusScanService] c:\Program Files\McAfee\McAfee VirusScan\AVSYNMGR.EXE
O4 - HKLM\..\RunServices: [CSINJECT.EXE] C:\Program Files\Norton CleanSweep\CSINJECT.EXE
O4 - HKCU\..\Run: [AddClass] C:\WINDOWS\ADDCLASS.EXE
O4 - Startup: CleanSweep Smart Sweep-Internet Sweep.lnk = C:\Program Files\Norton CleanSweep\csinsm32.exe
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Dell Home (HKCU)
O13 - DefaultPrefix: http://ehttp.cc/?
O13 - WWW Prefix: http://ehttp.cc/?
O16 - DPF: ChatSpace JavaLight Client - http://64.85.20.108:8058/Java/cslt4.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://active.macromedia.com/director/cabs/sw.cab
O16 - DPF: {525A15D0-4938-11D4-94C7-0050DA20189B} (SnoopyCtrl Class) - http://netcenter.ea.com/downloads/games/common/snoopy/iesnoopy.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37868.2200462963
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {CD17FAAA-17B4-4736-AAEF-436EDC304C8C} (ContentAuditX Control) - http://a840.g.akamai.net/7/840/5805...ch.com/audit/includes/ContentAuditControl.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.4.0_01) - 
O16 - DPF: {CAFEEFAC-0014-0000-0001-ABCDEFFEDCBA} (Java Runtime Environment 1.4.0_01) -


----------



## e-liam (Jun 19, 2003)

Hi tnpuddleduck, and welcome to TSG.

Please run a new HJT! scan, and check to fix the following entries. Next, close *all* browser windows and click the *Fix checked* button.

O1 - Hosts: 66.118.163.109 auto.search.msn.com

O4 - HKLM\..\Run: [C:\WINDOWS\SYSTEM\gone.scr] C:\WINDOWS\SYSTEM\gone.scr

O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot

O13 - DefaultPrefix: http://ehttp.cc/?

O13 - WWW Prefix: http://ehttp.cc/?

O16 - DPF: {525A15D0-4938-11D4-94C7-0050DA20189B} (SnoopyCtrl Class) - http://netcenter.ea.com/downloads/g...py/iesnoopy.cab

O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab

O16 - DPF: {CD17FAAA-17B4-4736-AAEF-436EDC304C8C} (ContentAuditX Control) - http://a840.g.akamai.net/7/840/5805...uditControl.cab

Then please search for and delete the following *bolded* file:

C:\WINDOWS\SYSTEM\*gone.scr*

Then could you go here and run the online virus scan? Delete all it finds.

Then please reboot and download Spybot - Search & Destroy from here, if you haven't already got the program.

Now press Settings, and Settings again. Go to the Webupdate section, and check "Display also available beta versions".

Now press Online, and search for, put a check mark at, and install all updates.

Next, close all Internet Explorer windows, hit 'Check for Problems', and have SpyBot remove all it finds marked RED.

After that, please reboot and post a new log.

Cheers

Liam


----------



## tnpuddleduck (Oct 30, 2003)

Thanks for the help, Liam.
I tried to run the scan from the online source you gave; I downloaded it, but it would not scan. I cannot find how to select settings with Spybot. I have this program and keep it up to date; however, the "settings" tab does not seem to be available to me. Perhaps it needs to be loaded differently?
Here is my latest HijackThis log. Thanks again for your assistance.
Logfile of HijackThis v1.97.2
Scan saved at 11:24:15 AM, on 10/30/03
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\AVSYNMGR.EXE
C:\PROGRAM FILES\NORTON CLEANSWEEP\CSINJECT.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\VSSTAT.EXE
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\VSHWIN32.EXE
C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\AVCONSOL.EXE
C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\WEBSCANX.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\TASKMON.EXE
C:\PROGRAM FILES\NORTON CLEANSWEEP\CSINSM32.EXE
C:\Program Files\Norton CleanSweep\Monwow.exe
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\ANALOGX\POW\POW.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\ZIPCENTRAL\ZCENTRAL.EXE
C:\WINDOWS\TEMP\_ZCTMP.DIR\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.netscape.com/
N1 - Netscape 4: user_pref("browser.startup.homepage", "http://www.netscape.com/"); (c:\Program Files\Netscape\Users\bgallway\prefs.js)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Mount Safe & Sound] C:\PROGRAM FILES\MCAFEE\MCAFEE SHARED COMPONENTS\SAFE & SOUND\FBMOUNT.EXE
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [AvconsoleEXE] C:\Program Files\Network Associates\McAfee VirusScan\avconsol.exe /minimize
O4 - HKLM\..\Run: [VsStatEXE] C:\Program Files\Network Associates\McAfee VirusScan\VSSTAT.EXE /SHOWWARNING
O4 - HKLM\..\Run: [VsEcomrEXE] C:\Program Files\Network Associates\McAfee VirusScan\vsecomr.exe
O4 - HKLM\..\Run: [McAfeeWebScanX] C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\WebScanX.Exe
O4 - HKLM\..\Run: [Vshwin32EXE] C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\VSHWIN32.EXE
O4 - HKLM\..\RunServices: [McAfeeVirusScanService] c:\Program Files\McAfee\McAfee VirusScan\AVSYNMGR.EXE
O4 - HKLM\..\RunServices: [CSINJECT.EXE] C:\Program Files\Norton CleanSweep\CSINJECT.EXE
O4 - HKCU\..\Run: [AddClass] C:\WINDOWS\ADDCLASS.EXE
O4 - HKCU\..\RunServices: [AddClass] C:\WINDOWS\ADDCLASS.EXE
O4 - Startup: CleanSweep Smart Sweep-Internet Sweep.lnk = C:\Program Files\Norton CleanSweep\csinsm32.exe
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Dell Home (HKCU)
O16 - DPF: ChatSpace JavaLight Client - http://64.85.20.108:8058/Java/cslt4.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://active.macromedia.com/director/cabs/sw.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37868.2200462963
O16 - DPF: {CD17FAAA-17B4-4736-AAEF-436EDC304C8C} (ContentAuditX Control) - http://a840.g.akamai.net/7/840/5805...ch.com/audit/includes/ContentAuditControl.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.4.0_01) - 
O16 - DPF: {CAFEEFAC-0014-0000-0001-ABCDEFFEDCBA} (Java Runtime Environment 1.4.0_01) - 
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/d052c1d7d32ead/housecall.antivirus.com/housecall/xscan53.cab


----------



## $teve (Oct 9, 2001)

It's a clean log now :up:

In the main Spybot window the settings button is on the left.... hit that and you will see the 2nd settings button.


----------



## e-liam (Jun 19, 2003)

Hi, tnpuddleduck,

As far as Spybot is concerned, that explanation is for first-time users. If you already have it and keep it up to date, then you're fine just running it as stated. :up:

With the virus scan, it's actually done online, with you downloading the ActiveX control first. You've now got that, as can be seen in the last entry in your new log.

The reason for doing this scan is that the *gone.scr* entry is a virus. See here for info. Running a scan with Housecall will make sure that, although it doesn't show in the log now, *all* references to it are deleted.

Could you please go back to that page I gave the link to, select the country you're in, then press the *Go* button. Then on the next page shown, just click the *Scan Now* button (as shown in the attached image).

Apart from that you have a clean log... :up: 

Cheers

Liam


----------



## e-liam (Jun 19, 2003)

We'll have to stop meeting like this, Steve... people will talk..


----------



## TomCoyote (May 14, 2003)

Your post indicates another baddie was missed, and it is the culprit of the default prefixes:

O4 - HKCU\..\Run: [AddClass] C:\WINDOWS\ADDCLASS.EXE

However, your HJT needs to be updated to the current version:

http://TomCoyote.org/hjt/

Please do that first.


----------



## $teve (Oct 9, 2001)

Thanx Tom........ Stands out like a sore thumb, and I'm embarrassed to have missed that one.
I must get some glasses just like yours.

:up:


----------



## scarlettsilk (Nov 13, 2003)

Can I just delete the addclass.exe file? Neither my virus scanner, Housecall nor Spybot has removed it. Also, it is saying that the bkdr lixy virus in my ssocks32.dll and msm32.dll cannot be removed.... so how do I get the infected files out?


----------



## Metallica (Jan 28, 2003)

Hi scarlettsilk,

Please post your log in your own thread, and we will take it from there:
http://forums.techguy.org/t179256/s.html

Regards,

Pieter

PS Hi TomCoyote


----------



## fkrl (Jun 7, 2004)

The Default Prefix is located in the registry under 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\URL\DefaultPrefix'.

Reset the Default Prefix manually
To reset the Default Prefix settings, follow the instructions below, which include minor modifications to the registry.

1. Start the registry editor. This is done by clicking Start, then Run. (The Run dialog will appear.) Type regedit and click OK. (The registry editor will open.)
2. Browse to the key 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\URL\DefaultPrefix'.
3. In the right pane, right-click the '(Default)' value and modify its data to 'http://'.
4. Exit the registry editor.
5. Close all Internet Explorer browsers.

Your browser should now have the default WWW prefix, and you can verify this by entering 'kephyr.com' in the Internet Explorer address field. The domain name should be replaced with the http://kephyr.com/ URL.

posted on June 8, 2004, 12:22 AM


----------
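
An added detection example, not code from this thread or from HijackThis: it checks the three kinds of entries fixed earlier in the thread (the R0 start page, the O1 hosts line and the O13 prefixes) against the rule fkrl gives above, that a prefix should be nothing but a bare scheme such as 'http://'. The sample log lines are constructed from the entries quoted in this thread.

```python
import re
from urllib.parse import urlparse

# Constructed sample lines, modelled on the entries quoted earlier in this thread.
SAMPLE_LOG = """\
R0 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Start Page = http://ehttp.cc/?www.netscape.com
O1 - Hosts: 66.118.163.109 auto.search.msn.com
O4 - HKLM\\..\\Run: [ScanRegistry] c:\\windows\\scanregw.exe /autorun
O13 - DefaultPrefix: http://ehttp.cc/?
O13 - WWW Prefix: http://ehttp.cc/?
"""

# A URL prefix should be nothing more than a scheme, optionally followed by "www.".
# A prefix that carries a host, path or query sends every typed address to that
# host first, which is what the ehttp.cc entries in this thread do.
LEGIT_PREFIX = re.compile(r"^(?:https?|ftp)://(?:www\.)?$", re.IGNORECASE)
DOMAIN_TOKEN = re.compile(r"[A-Za-z0-9-]+\.[A-Za-z]{2,}")
LOCAL_IPS = {"127.0.0.1", "0.0.0.0", "::1"}


def is_legit_prefix(value: str) -> bool:
    """True for 'http://' or 'http://www.' style prefixes, False for redirectors."""
    return LEGIT_PREFIX.match(value) is not None


def scan(log_text: str) -> list:
    """Return (section, reason) pairs for R0/R1, O1 and O13 lines that look hijacked."""
    findings = []
    for line in log_text.splitlines():
        section = line.split(" - ", 1)[0]
        if section in ("R0", "R1") and " = " in line:
            url = line.rsplit(" = ", 1)[1]
            parsed = urlparse(url)
            # A real home page has no second domain hidden in its query string.
            if DOMAIN_TOKEN.search(parsed.query):
                findings.append((section, f"page {url} is routed through {parsed.hostname}"))
        elif section == "O1":
            ip, host = line.split("Hosts: ", 1)[1].split()[:2]
            # Mapping a search or update domain to a remote IP silently redirects it.
            if ip not in LOCAL_IPS:
                findings.append((section, f"hosts file maps {host} to {ip}"))
        elif section == "O13":
            name, value = line.split(" - ", 1)[1].split(": ", 1)
            if not is_legit_prefix(value):
                findings.append((section, f"{name} is {value!r}, expected a bare scheme"))
    return findings


if __name__ == "__main__":
    for section, reason in scan(SAMPLE_LOG):
        print(f"{section}: {reason}")
```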



## ~Candy~ (Jan 27, 2001)

This thread is 6 months old 

And what is so special about kephyr.com?


----------



## cybertech (Apr 16, 2002)

fkrl,
Welcome to TSG!! 

The thread you posted in here is pretty old. Are you asking for help or just making a comment?


----------



## cybertech (Apr 16, 2002)

Candy's got faster reaction time today


----------



## FinestRanger (Oct 13, 2003)

I'm going to request that your thread's separated from this one. Attaching a new thread to an old one's a REALLY REALLY bad idea...you'll often get overlooked. No big deal, it's for your benefit.


----------



## ~Candy~ (Jan 27, 2001)

http://forums.techguy.org/newthread.php?do=newthread&f=54


----------



## cybertech (Apr 16, 2002)

Candy, your link is not working.


----------



## ~Candy~ (Jan 27, 2001)

Hmmm...well, it works for me, must be a cookie issue


----------



## Flrman1 (Jul 26, 2002)

Works for me too


----------



## cybertech (Apr 16, 2002)

Oh, well I never liked cookies anyway 

I get "Post New Thread" window.


----------



## ~Candy~ (Jan 27, 2001)

That is what you are SUPPOSED to get girlie


----------



## cybertech (Apr 16, 2002)

That felt like a *smack*; it worked. I get it now.


----------

