I've been hijacked, knowledgable persons please assist [Archive] - PCMech Forums

jnc007
01-23-2003, 11:56 PM
Alright people, you've rocked my world in the past with your awesome help, so I'm coming back to you again. I've contracted and fought a virus. I'm trying to clear myself of any back door attacks. I know my IE is being hijacked; could someone review these and let me know if anything odd is going on?

Thanks


start up log

StartupList report, 1/24/03, 12:08:19 AM
StartupList version: 1.51
Started from : C:\WINDOWS\DESKTOP\MY BRIEFCASE\HIJACK\HIJACKTHIS.EXE
Detected: Windows 98 Gold (Win9x 4.10.1998)
Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
* Using default options
==================================================

Running processes:

C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\PROGRAM FILES\TREND PC-CILLIN 2000\PCCIOMON.EXE
C:\WINDOWS\SYSTEM\GRXP4EXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\TREND PC-CILLIN 2000\POP3TRAP.EXE
C:\PROGRAM FILES\TREND PC-CILLIN 2000\WEBTRAP.EXE
C:\PROGRAM FILES\LOGITECH\MOUSEWARE\SYSTEM\EM_EXEC.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\AIM95\AIM.EXE
C:\WINDOWS\DESKTOP\MY BRIEFCASE\HIJACK\HIJACKTHIS.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE

--------------------------------------------------

Listing of startup folders:

Shell folders Startup:
[C:\WINDOWS\Start Menu\Programs\StartUp]
Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
PowerReg Scheduler.exe

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

SystemTray = SysTray.Exe
LoadPowerProfile = Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
AELaunch = AELaunch.exe
Tweak UI = RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
PCCIOMON.EXE = "C:\Program Files\Trend PC-cillin 2000\PCCIOMON.EXE"
pop3trap.exe = "C:\Program Files\Trend PC-cillin 2000\pop3trap.exe"
WebTrap.exe = "C:\Program Files\Trend PC-cillin 2000\WebTrap.exe"
autoupd = C:\WINDOWS\AUTOUPD\autoupd.exe
EM_EXEC = C:\PROGRA~1\LOGITECH\MOUSEW~1\SYSTEM\EM_EXEC.EXE
NvCplDaemon = RUNDLL32.EXE C:\WINDOWS\SYSTEM\NvCpl.dll,NvStartup
nwiz = nwiz.exe /install
LoadQM = loadqm.exe
IFSplash = ImmSplsh.exe
zSPGuard = c:\program files\pjw\spguard\spguard.exe /s

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

LoadPowerProfile = Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
PCCIOMON.EXE = "C:\Program Files\Trend PC-cillin 2000\PCCIOMON.EXE"

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

AIM = C:\PROGRAM FILES\AIM95\aim.exe -cnetwait.odl
msnmsgr = "C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE" /background

--------------------------------------------------

C:\WINDOWS\WININIT.BAK listing:
(Created 23/1/2003, 0:22:32)

[rename]
nul=C:\WINDOWS\TEMP\~e5d141.tmp
nul=C:\WINDOWS\TEMP\~ef6591
nul=C:\WINDOWS\TEMP\~ef6591\clcd16.dll
nul=C:\WINDOWS\TEMP\~ef6591\~efe2.tmp
nul=C:\WINDOWS\TEMP\~e5d141.tmp
nul=C:\WINDOWS\TEMP\~e5d141.tmp
nul=C:\WINDOWS\TEMP\~e5d141.tmp
nul=C:\WINDOWS\TEMP\~e5d141.tmp
nul=C:\WINDOWS\TEMP\~e5d141.tmp
nul=C:\WINDOWS\TEMP\~e5d141.tmp

--------------------------------------------------

C:\WINDOWS\WINSTART.BAT listing:

C:\WINDOWS\tmpcpyis.bat

--------------------------------------------------


Enumerating Browser Helper Objects:

(no name) - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}

--------------------------------------------------

Enumerating Task Scheduler jobs:

Tune-up Application Start.job
Maintenance-Defragment programs.job
Maintenance-ScanDisk.job
Maintenance-Disk cleanup.job

--------------------------------------------------

Enumerating Download Program Files:

[CV3 Class]
InProcServer32 = C:\WINDOWS\SYSTEM\WUV3IS.DLL
CODEBASE = http://windowsupdate.microsoft.com/R1024/V31Controls/x86/w98/en/actsetup.cab

[sys Class]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\PCPITSTOP.DLL
CODEBASE = http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB

[{41F17733-B041-4099-A042-B518BB6A408C}]
CODEBASE = http://a224.g.akamai.net/7/224/52/20011004/qtinstall.info.apple.com/qt503/us/win/QuickTimeInstaller.exe

[HouseCall Control]
InProcServer32 = C:\WINDOWS\DOWNLO~1\CONFLICT.1\XSCAN53.OCX
CODEBASE = http://a840.g.akamai.net/7/840/537/20011223/housecall.antivirus.com/housecall/xscan53.cab

[OPUCatalog Class]
InProcServer32 = C:\WINDOWS\SYSTEM\OPUC.DLL
CODEBASE = http://office.microsoft.com/ProductUpdates/content/opuc.cab

[RdxIE Class]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\RDXIE.DLL
CODEBASE = http://207.188.7.150/094a888d9cb1ea1d0321/netzip/RdxIE.cab

[GSDACtl Class]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\GSDA.DLL
CODEBASE = http://launch.gamespyarcade.com/software/launch/alaunch.cab

[Measurement Service Client]
InProcServer32 = C:\WINDOWS\DOWNLO~1\MSC.OCX
CODEBASE = http://ccon.madonion.com/global/msc.cab

[Shockwave ActiveX Control]
InProcServer32 = C:\WINDOWS\SYSTEM\MACROMED\DIRECTOR\SWDIR.DLL
CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\SYSTEM\MACROMED\FLASH\FLASH.OCX
CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

[QuickTime Object]
InProcServer32 = C:\WINDOWS\SYSTEM\QTPLUGIN.OCX
CODEBASE = http://www.apple.com/qtactivex/qtplugin.cab

[Update Class]
InProcServer32 = C:\WINDOWS\SYSTEM\IUCTL.DLL
CODEBASE = http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?1038700330030

--------------------------------------------------
End of report, 6,224 bytes
Report generated in 0.082 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only

and config

Logfile of HijackThis v1.91.2
Scan saved at 12:10:51 AM, on 1/24/03
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page=http://yahoo.com/
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [AELaunch] AELaunch.exe
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [PCCIOMON.EXE] "C:\Program Files\Trend PC-cillin 2000\PCCIOMON.EXE"
O4 - HKLM\..\Run: [pop3trap.exe] "C:\Program Files\Trend PC-cillin 2000\pop3trap.exe"
O4 - HKLM\..\Run: [WebTrap.exe] "C:\Program Files\Trend PC-cillin 2000\WebTrap.exe"
O4 - HKLM\..\Run: [autoupd] C:\WINDOWS\AUTOUPD\autoupd.exe
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\LOGITECH\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\SYSTEM\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [IFSplash] ImmSplsh.exe
O4 - HKLM\..\Run: [zSPGuard] c:\program files\pjw\spguard\spguard.exe /s
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [PCCIOMON.EXE] "C:\Program Files\Trend PC-cillin 2000\PCCIOMON.EXE"
O4 - HKCU\..\Run: [AIM] C:\PROGRAM FILES\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [msnmsgr] "C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE" /background
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: PowerReg Scheduler.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: AIM (HKLM)
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (sys Class) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a224.g.akamai.net/7/224/52/20011004/qtinstall.info.apple.com/qt503/us/win/QuickTimeInstaller.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/20011223/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://office.microsoft.com/ProductUpdates/content/opuc.cab
O16 - DPF: {34805D32-AD89-469E-8503-A5666AEE4333} (RdxIE Class) - http://207.188.7.150/094a888d9cb1ea1d0321/netzip/RdxIE.cab
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamespyarcade.com/software/launch/alaunch.cab
O16 - DPF: {FEC3E5A3-50F7-4B0C-97D8-01CF69DFBFC7} (Measurement Service Client) - http://ccon.madonion.com/global/msc.cab
O16 - DPF: JT's Blocks (Measurement Service Client) - http://download.games.yahoo.com/games/clients/y/blt1_x.cab
O16 - DPF: Yahoo! Klondike Solitaire (Measurement Service Client) - http://yog2.games.snv.yahoo.com/yog/y/ks11_x.cab
O16 - DPF: Yahoo! Word Racer (Measurement Service Client) - http://download.yahoo.com/games/clients/y/ws1_x.cab
O16 - DPF: Yahoo! Spelldown (Measurement Service Client) - http://download.yahoo.com/games/clients/y/sds0_x.cab
O16 - DPF: Tornado 21 (Measurement Service Client) - http://download.games.yahoo.com/games/clients/y/t21t0_x.cab
O16 - DPF: Yahoo! Chess (Measurement Service Client) - http://download.yahoo.com/games/clients/y/cs0_x.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: Yahoo! Dominoes (QuickTime Object) - http://download.games.yahoo.com/games/clients/y/dot2_x.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?1038700330030
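A small log-triage script, added here as an example and not part of the thread or of HijackThis itself: it parses lines in the HijackThis v1.9x format used in the post above and lists entries worth a closer look. The sample lines are a constructed subset of the posted log, and the two review heuristics (an ActiveX CODEBASE served from a bare IP address, and an autorun given without a full path) are my assumptions; a flagged entry is a prompt for review, not a verdict.

```python
import re
from ipaddress import ip_address
from urllib.parse import urlparse

# Constructed sample in the HijackThis v1.9x line format shown in the post
# (a subset of the posted lines, not the full log).
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page=http://yahoo.com/
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [zSPGuard] c:\program files\pjw\spguard\spguard.exe /s
O4 - HKCU\..\Run: [AIM] C:\PROGRAM FILES\AIM95\aim.exe -cnetwait.odl
O16 - DPF: {34805D32-AD89-469E-8503-A5666AEE4333} (RdxIE Class) - http://207.188.7.150/094a888d9cb1ea1d0321/netzip/RdxIE.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: JT's Blocks (Measurement Service Client) - http://download.games.yahoo.com/games/clients/y/blt1_x.cab
"""

LINE_RE = re.compile(r"^(?P<code>[A-Z]\d+) - (?P<body>.*)$")
O4_RE = re.compile(r"^(?P<hive>\S+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O16_RE = re.compile(r"^DPF: (?P<id>.+?)(?: \((?P<class>[^)]*)\))? - (?P<url>\S+)$")


def parse_log(text):
    """Split a HijackThis log into (section code, body) pairs, skipping blank lines."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append((m.group("code"), m.group("body")))
    return entries


def review(text):
    """Return review notes (assumed heuristics): O16 ActiveX downloads whose
    CODEBASE host is a bare IP address (no DNS name to vet), and O4 autoruns
    given without a full path (the file is found by PATH search, so the log
    alone does not say where it lives)."""
    notes = []
    for code, body in parse_log(text):
        if code == "O16":
            m = O16_RE.match(body)
            host = urlparse(m.group("url")).hostname if m else None
            try:
                ip_address(host)  # raises ValueError for None or a DNS name
                notes.append(("O16", m.group("id"), "CODEBASE on bare IP host " + host))
            except ValueError:
                pass
        elif code == "O4":
            m = O4_RE.match(body)
            if m and not re.match(r"^\"?[A-Za-z]:\\", m.group("cmd")):
                notes.append(("O4", m.group("name"), "no full path: " + m.group("cmd")))
    return notes
```

Running `review(SAMPLE_LOG)` on the constructed sample flags the RdxIE CODEBASE and the pathless SystemTray autorun, and nothing else.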

ryanatalie
01-24-2003, 12:22 AM
If this were my computer I would back up all important data and reformat. This may not be an option for you, so I would start by stopping all unwanted processes, scanning for viruses (scanner of choice: I prefer Trend), scanning for Trojans (The Cleaner), scanning with Ad-aware, and using a firewall (ZoneAlarm) to stop all unwanted traffic.

morriswindgate
01-24-2003, 01:30 AM
From Spywareinfo website

Hijack This | Written by a member of our support forums and based on our Hijacked! article, this program scans the locations in your computer system that may be modified by browser hijackers and fixes any problems found.

Go to www.lurkhere.com and in the downloads section get Spybot Search and Destroy, install it, and then run it, getting the updates first. It will get rid of anything that might be there.

mairving
01-24-2003, 08:36 AM
No need to reformat. As Morriswindgate says, just run Spybot on it and it will remove the garbage. I have had to deal with this more than once at work, usually after Bonzi Buddy or something similar is installed.

jnc007
01-24-2003, 01:18 PM
I've run Spybot a couple of times, and it cleared out a ton of garbage. However, my IE is still getting hijacked. I know this because I have the Gate Keeper program that announces when it happens and then puts me back where I want to be. I don't so much care that I get hijacked, because I can counter that; what I want to make sure is that there's no back door set up in my system leaving me free to get screwed. I've run Spybot a couple of times and a few other virus / trojan checkers (I can't say which, because I'm at my work PC) and things come up clean. Should I just go on like normal, or is there reason for concern?

morriswindgate
01-24-2003, 02:02 PM
Go into the Internet Explorer Properties and then the Programs tab. Click on the Reset Web Settings button. Then go and enter your preferred start page again.

jnc007
01-25-2003, 09:49 AM
I'm familiar with those settings; however, what I've learned so far is that when you've been hijacked, there's something in your registry or hidden elsewhere so that no matter how many times you reset your IE settings, they get reconfigured upon reboot.

oryx
01-25-2003, 11:02 AM
Maybe everyone is overlooking the obvious, but have you looked in add/remove programs to see if HijackThis can be uninstalled?

glc
01-25-2003, 11:16 AM
HijackThis is a tool to scan and clean systems, not a hijacker.

oryx
01-26-2003, 03:42 PM
I was suggesting that HijackThis was being mistaken for a hijacker. It doesn't seem to be detecting anything tangible and could be generating a false report.

jnc007
01-26-2003, 04:45 PM
I'm not sure if we're getting off topic here, but HijackThis is a reputable program suggested by a variety of other virus / trojan web sites. Its goal is not to locate anything specific; its purpose is to tell you what boots up upon startup and what programs are running in the background that Ctrl+Alt+Del isn't showing. What I need is someone more familiar with the inner workings of Windows to look over these logs and tell me if anything looks "off," weird, strange, rotten in Denmark. I need someone with experience with trojans and back doors.