Homepage hijacked plus IE problem


5 replies to this topic

#1 styler

    Member

  • New Member
  • 3 posts

Posted 27 June 2004 - 11:41 AM

(I have read the posting rules.) My homepage has been hijacked to the URL in the R0 and R1 lines of the HijackThis log below. A couple of weeks after this first happened I started having problems running certain apps due to "Not enough memory" messages (I've got 512 Mb RAM) and within a day or so nothing would run, not even IE. So I did a Start/Run/msconfig and checked my startup.ini and found a slew (100+) of items in there that didn't appear to belong (according to recommendations from another "pc help" site (www.sysinfo.org/startupinfo.php)), so I unchecked them and got my machine memory back. Also, I had run AdAware and Spybot and fixed/disabled/quarantined everything they had indicated as a potential problem, but when I got my pc running again I got an error message that said it couldn't find c://windows/system/wininet.dll, and so IE wouldn't run. I'm not sure if I messed up IE by unchecking too much in the startup.ini, or if I "fixed" too much of AdAware/Spybot's recommendations, or if the malware caused the problem. So I reloaded the wininet.dll from my original install cd and that got rid of the error message but IE still wouldn't run, so I decided to uninstall IE and reinstall it. When I started the uninstall, it gave me the option of returning to a previous version so I said yes and it took me back to IE v5.0 (I was previously running IE v6.0).

So now my questions are: 1) How do I get control of my homepage back? 2) Should I attempt to reinstall IE v6.0, or should I just apply the latest Microsoft patches for IE v5.0? 3) How can I make sure that I am rid of all malware?

Thank you for your help!

(PS: I forgot to mention that I removed both WildTangent and CoolWebSearch with the AdAware and Spybot scans.)

Logfile of HijackThis v1.97.7
Scan saved at 12:01:49 PM, on 6/27/2004
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v5.00 (5.00.2614.3500)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\CARPSERV.EXE
C:\WINDOWS\SYSTEM\EN60CTB.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
C:\PROGRAM FILES\2WIRE\GATEWAY\2PORTALMON.EXE
C:\WINDOWS\SYSTEM\PELMICED.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER FREE EDITION\PSFREE.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\OSA.EXE
C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
C:\PROGRAM FILES\CANON\MULTIPASS\MONITR32.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\DOWNLOADS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://mshp.dll/sp.html#37049
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://mshp.dll/index.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://mshp.dll/index.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://mshp.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://mshp.dll/index.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://mshp.dll/sp.html#37049
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: (no name) - InprocServer32 - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (file missing)
O2 - BHO: (no name) - {8E8798A7-3BAA-8BFD-3C68-1038F50DE431} - C:\WINDOWS\IETL32.DLL (file missing)
O2 - BHO: (no name) - {42A8F66B-95DF-11A4-B87A-4FA44D7AB52E} - C:\WINDOWS\SYSTEM\NTHV32.DLL (file missing)
O2 - BHO: (no name) - {C5150914-A240-E61A-1A39-B4EF54027B55} - C:\WINDOWS\SYSTEM\ADDNI32.DLL (file missing)
O2 - BHO: (no name) - {FCBFBA3A-4852-F3A0-84AA-F262300E7E43} - C:\WINDOWS\SYSTEM\SYSWW32.DLL
O2 - BHO: (no name) - {677F1711-9252-F24B-4D54-8BE119CD9837} - C:\WINDOWS\APIGH.DLL (file missing)
O2 - BHO: (no name) - {58A4AB14-594D-A19E-A17D-779FBA794B12} - C:\WINDOWS\SYSTEM\NETQW.DLL (file missing)
O2 - BHO: (no name) - {9E37589B-6037-730A-AAF5-DB565653BA71} - C:\WINDOWS\ADDDY.DLL (file missing)
O2 - BHO: (no name) - {4D483A30-EFF6-DCEA-0CF5-30EE07EAE66D} - C:\WINDOWS\SYSTEM\APIPD32.DLL (file missing)
O2 - BHO: (no name) - {E5CD8348-9D6A-B2CA-1A19-50BF5FC5E624} - C:\WINDOWS\SYSTEM\SYSFP32.DLL (file missing)
O2 - BHO: (no name) - {31395C3D-4FC8-A196-BB55-70DD816B5ADE} - C:\WINDOWS\SYSTEM\D3AV32.DLL (file missing)
O2 - BHO: (no name) - {6BE0AC45-3AB6-9AB8-D25B-C18F3E63EADD} - C:\WINDOWS\D3NG.DLL (file missing)
O2 - BHO: (no name) - {7D784662-D8EA-9B49-A147-28A44BEB5965} - C:\WINDOWS\SYSTEM\CRSH32.DLL (file missing)
O2 - BHO: (no name) - {6CC07C5F-6948-D55F-F8C4-5DC171542BAF} - C:\WINDOWS\SYSTEM\D3LU.DLL (file missing)
O2 - BHO: (no name) - {6D6EC17A-B05D-F77A-6172-F8FCE87738D1} - C:\WINDOWS\SYSTEM\NETTA32.DLL (file missing)
O2 - BHO: (no name) - {E2EE63AA-6042-4A78-50B3-4072F042785E} - C:\WINDOWS\MSNM32.DLL (file missing)
O2 - BHO: (no name) - {B86CB85B-1A6E-2E40-52CF-704D1A427D84} - C:\WINDOWS\IERH.DLL (file missing)
O2 - BHO: (no name) - {013F1D00-32FB-D06B-1419-6480DD6E1239} - C:\WINDOWS\WINSY.DLL (file missing)
O2 - BHO: (no name) - {8B9C0A99-375A-81A8-8BF9-BC1CC41DDF5D} - C:\WINDOWS\SYSTEM\SYSSC.DLL (file missing)
O2 - BHO: (no name) - {9AF830EE-B4FC-5AE7-09FD-EE99691152F9} - C:\WINDOWS\D3OJ32.DLL (file missing)
O2 - BHO: ShowSearch module - {E2DDF680-9905-4dee-8C64-0A5DE7FE133C} - C:\WINDOWS\APPLICATION DATA\IEAG\IPMO32.DLL (file missing)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [SoundMan] soundman.exe
O4 - HKLM\..\Run: [EN60C Taskbar] C:\WINDOWS\SYSTEM\\EN60CTB.EXE
O4 - HKLM\..\Run: [NAV Agent] c:\PROGRA~1\NORTON~1\NAVAPW32.EXE
O4 - HKLM\..\Run: [2wSysTray] C:\PROGRAM FILES\2WIRE\GATEWAY\2PORTALMON.EXE
O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] PELMICED.EXE
O4 - HKLM\..\Run: [mdac_runonce] C:\WINDOWS\SYSTEM\runonce.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMANTEC\LIVEUP~1\SNDMON.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Image] rundll32 C:\WINDOWS\SDKXV32.DLL,Install
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER FREE EDITION\PSFREE.EXE"
O4 - HKCU\..\RunServices: [Image] rundll32 C:\WINDOWS\SDKXV32.DLL,Install
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O4 - Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O4 - Startup: Canon MultiPASS Server.lnk = C:\Program Files\Canon\MultiPASS\monitr32.exe
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://download.yaho...mail/ymmapi.dll
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...7875.7750810185
O16 - DPF: ConferenceRoom Java Client - http://chat.strictly...080/java/cr.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yaho...s/yinst0401.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.micr...922/wmv9VCM.CAB
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.r...ip/RdxIE601.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab

Edited by styler, 27 June 2004 - 11:46 AM.


#2 Fireflyer

    Spyware Scorcher

  • Retired Staff
  • 571 posts

Posted 29 June 2004 - 03:47 PM

The first thing to do is to finish cleaning the hijackers out of your pc. The updated reflist definitions for Ad-aware are now targeting this res://mshp.dll/sp.html#37049 infection.

So, start Ad-aware, and follow these instructions for running a full scan:

First, in the main window, look in the bottom right corner and click on Check for updates now and download the latest reference files.

Next, we need to configure Ad-aware for a full scan.

Click on the Gear icon (second from the left) to access the preferences/settings window
  • In the General window make sure the following are selected:
    • Automatically save log-file
    • Automatically quarantine objects prior to removal
    • Safe Mode (always request confirmation)
  • Click on the Scanning button on the left and select:
    • Scan Within Archives
    • Scan Active Processes
    • Scan Registry
    • Deep Scan Registry
    • Scan my IE favorites for banned URL’s
    • Scan my Hosts file
    • Under Click here to select drives + folders, choose:
      • All of your hard drives
Click on the Advanced button on the left and select:
  • Include additional process information
  • Include additional file information
  • Include environment information
  • Include additional object details
Click the Tweak button and select:
  • Under the Scanning Engine:
    • Unload recognized processes during scanning
    • Include basic Ad-aware settings in logfile
    • Include additional Ad-aware settings in logfile
  • Under the Cleaning Engine:
    • Let Windows remove files in use at next reboot
Click on Proceed to save the settings.

Click Start and on the next screen choose Activate in-depth Scan at the bottom of the page, and then choose:
  • Use Custom Scanning Options
Click Next and Ad-aware will scan your hard drive(s) with the options you have selected.

Save the log file when it asks and then click Finish

When finished, mark everything for removal and get rid of it. (Right-click the window and choose Select All from the drop down menu and click Next).

Reboot your computer.


HijackThis has just been updated so you may want to download the new v.1.98.0 version.

Now, run another HijackThis scan, and mark all of the following that are still present for removal:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://mshp.dll/sp.html#37049

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://mshp.dll/index.html#37049

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://mshp.dll/index.html#37049

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://mshp.dll/sp.html#37049

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://mshp.dll/index.html#37049

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://mshp.dll/sp.html#37049

O2 - BHO: (no name) - InprocServer32 - (no file)
O2 - BHO: (no name) - {8E8798A7-3BAA-8BFD-3C68-1038F50DE431} - C:\WINDOWS\IETL32.DLL (file missing)
O2 - BHO: (no name) - {42A8F66B-95DF-11A4-B87A-4FA44D7AB52E} - C:\WINDOWS\SYSTEM\NTHV32.DLL (file missing)
O2 - BHO: (no name) - {C5150914-A240-E61A-1A39-B4EF54027B55} - C:\WINDOWS\SYSTEM\ADDNI32.DLL (file missing)
O2 - BHO: (no name) - {FCBFBA3A-4852-F3A0-84AA-F262300E7E43} - C:\WINDOWS\SYSTEM\SYSWW32.DLL
O2 - BHO: (no name) - {677F1711-9252-F24B-4D54-8BE119CD9837} - C:\WINDOWS\APIGH.DLL (file missing)
O2 - BHO: (no name) - {58A4AB14-594D-A19E-A17D-779FBA794B12} - C:\WINDOWS\SYSTEM\NETQW.DLL (file missing)
O2 - BHO: (no name) - {9E37589B-6037-730A-AAF5-DB565653BA71} - C:\WINDOWS\ADDDY.DLL (file missing)
O2 - BHO: (no name) - {4D483A30-EFF6-DCEA-0CF5-30EE07EAE66D} - C:\WINDOWS\SYSTEM\APIPD32.DLL (file missing)
O2 - BHO: (no name) - {E5CD8348-9D6A-B2CA-1A19-50BF5FC5E624} - C:\WINDOWS\SYSTEM\SYSFP32.DLL (file missing)
O2 - BHO: (no name) - {31395C3D-4FC8-A196-BB55-70DD816B5ADE} - C:\WINDOWS\SYSTEM\D3AV32.DLL (file missing)
O2 - BHO: (no name) - {6BE0AC45-3AB6-9AB8-D25B-C18F3E63EADD} - C:\WINDOWS\D3NG.DLL (file missing)
O2 - BHO: (no name) - {7D784662-D8EA-9B49-A147-28A44BEB5965} - C:\WINDOWS\SYSTEM\CRSH32.DLL (file missing)
O2 - BHO: (no name) - {6CC07C5F-6948-D55F-F8C4-5DC171542BAF} - C:\WINDOWS\SYSTEM\D3LU.DLL (file missing)
O2 - BHO: (no name) - {6D6EC17A-B05D-F77A-6172-F8FCE87738D1} - C:\WINDOWS\SYSTEM\NETTA32.DLL (file missing)
O2 - BHO: (no name) - {E2EE63AA-6042-4A78-50B3-4072F042785E} - C:\WINDOWS\MSNM32.DLL (file missing)
O2 - BHO: (no name) - {B86CB85B-1A6E-2E40-52CF-704D1A427D84} - C:\WINDOWS\IERH.DLL (file missing)
O2 - BHO: (no name) - {013F1D00-32FB-D06B-1419-6480DD6E1239} - C:\WINDOWS\WINSY.DLL (file missing)
O2 - BHO: (no name) - {8B9C0A99-375A-81A8-8BF9-BC1CC41DDF5D} - C:\WINDOWS\SYSTEM\SYSSC.DLL (file missing)
O2 - BHO: (no name) - {9AF830EE-B4FC-5AE7-09FD-EE99691152F9} - C:\WINDOWS\D3OJ32.DLL (file missing)
O2 - BHO: ShowSearch module - {E2DDF680-9905-4dee-8C64-0A5DE7FE133C} - C:\WINDOWS\APPLICATION DATA\IEAG\IPMO32.DLL (file missing)

O4 - HKLM\..\Run: [EN60C Taskbar] C:\WINDOWS\SYSTEM\\EN60CTB.EXE

O4 - HKLM\..\Run: [Image] rundll32 C:\WINDOWS\SDKXV32.DLL,Install

O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.r...ip/RdxIE601.cab


Make sure all browser and Windows Explorer windows are closed, and click on Fix Checked.


Reboot in SAFE MODE and Show Hidden Files/Folders and delete this file:

C:\WINDOWS\SYSTEM\EN60CTB.EXE

Reboot normally, run another HJT scan, and post it here for further review.
How did I get infected in the first place?
Online Virus and Trojan Scanners
Panda Software . . . Trend Micro . . . Bitdefender . . . Sygate Trojan Scan . . . Trojan Scan
Tools for Fighting Spyware
Spybot S & D . . . Ad-aware . . . CWShredder . . . HijackThis . . . PeperFix
Tools for Prevention
SpywareBlaster . . . SpywareGuard . . . IE-Spyad . . . avast! Free Anti-Virus . . . AVG Free Anti-Virus
Zone Alarm Free Firewall . . . Kerio Personal Firewall
Help support this site! Click here to learn how.
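As an added example (not code from this thread, from HijackThis or from Ad-aware), a small Python checker that parses lines in the HijackThis log format posted above and flags the three patterns Fireflyer singled out: R0/R1 pages pointing at a res:// DLL resource, O2 BHOs that are not on a known-good list (most of them with the DLL already missing), and O4 autoruns that either sit in RunServices without being recognised or use rundll32 to load a DLL straight out of the Windows directory. The known-good CLSIDs and RunServices names are taken only from this thread's logs and are an assumption, not a general allowlist; the sample input is constructed from entries in the first log.

```python
import ntpath
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample input: entries in HijackThis v1.97 log format, copied from the
# first log posted in this thread so that the hijacker entries are the real ones.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://mshp.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://mshp.dll/index.html#37049
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - InprocServer32 - (no file)
O2 - BHO: (no name) - {8E8798A7-3BAA-8BFD-3C68-1038F50DE431} - C:\WINDOWS\IETL32.DLL (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (file missing)
O2 - BHO: (no name) - {FCBFBA3A-4852-F3A0-84AA-F262300E7E43} - C:\WINDOWS\SYSTEM\SYSWW32.DLL
O4 - HKLM\..\Run: [NAV Agent] c:\PROGRA~1\NORTON~1\NAVAPW32.EXE
O4 - HKLM\..\Run: [Image] rundll32 C:\WINDOWS\SDKXV32.DLL,Install
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [ATLZM.EXE] C:\WINDOWS\ATLZM.EXE
"""

# One regex per HijackThis section type that this checker understands.
HJT_LINE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.*)$")
R_LINE = re.compile(r"^HK(?:CU|LM)\\[^=]+? = (?P<value>.*)$")
O2_LINE = re.compile(r"^BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}|InprocServer32) - (?P<path>.*)$")
O4_LINE = re.compile(r"^HK(?:CU|LM)\\\.\.\\(?P<key>Run(?:Services|Once)?): \[(?P<entry>[^\]]*)\] (?P<cmd>.*)$")
RUNDLL = re.compile(r"^rundll32(?:\.exe)?\s+(?P<dll>[^,]+),", re.IGNORECASE)

# Assumption: allowlists built only from what this thread treats as legitimate.
# BHO CLSIDs: Norton NavShExt, Acrobat Reader helper, Spybot SDHelper.
KNOWN_GOOD_BHO = {
    "{BDF3E430-B101-42AD-A544-FADC6B084872}",
    "{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}",
    "{53707962-6F74-2D53-2644-206D7942484F}",
}
# RunServices entry names on the poster's machine that were left in place.
KNOWN_GOOD_RUNSERVICES = {"LoadPowerProfile", "SchedulingAgent", "ScriptBlocking"}
WINDOWS_DIRS = {r"C:\WINDOWS", r"C:\WINDOWS\SYSTEM"}


@dataclass
class Finding:
    section: str   # HijackThis section code, e.g. "R0", "O2", "O4"
    reason: str    # why a human should review this line
    line: str      # the original log line


def check_line(line: str) -> Optional[Finding]:
    """Return a Finding for a suspicious HijackThis log line, else None."""
    m = HJT_LINE.match(line.strip())
    if not m:
        return None
    section, body = m.group("section"), m.group("body")
    if section in ("R0", "R1"):
        # A start or search page should be an http(s) URL; res:// means IE is being
        # pointed at an HTML page embedded in a local DLL (here mshp.dll).
        r = R_LINE.match(body)
        if r and r.group("value").lower().startswith("res://"):
            return Finding(section, "IE start/search page set to a local DLL resource (res://)", line)
    elif section == "O2":
        o = O2_LINE.match(body)
        if o and o.group("clsid") not in KNOWN_GOOD_BHO:
            path = o.group("path")
            if path == "(no file)" or path.endswith("(file missing)"):
                return Finding(section, "unrecognised BHO whose DLL no longer exists (orphaned registration)", line)
            return Finding(section, "BHO not on the known-good list", line)
    elif section == "O4":
        o = O4_LINE.match(body)
        if o and o.group("key") == "RunServices" and o.group("entry") not in KNOWN_GOOD_RUNSERVICES:
            return Finding(section, "RunServices autorun not on the known-good list", line)
        rd = RUNDLL.match(o.group("cmd")) if o else None
        if rd and ntpath.dirname(rd.group("dll")).upper() in WINDOWS_DIRS:
            return Finding(section, "rundll32 loading a DLL straight out of the Windows directory", line)
    return None


def scan(log_text: str) -> List[Finding]:
    """Run check_line over every line of a HijackThis log and collect the hits."""
    return [f for f in (check_line(ln) for ln in log_text.splitlines()) if f is not None]


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f.section}: {f.reason}\n    {f.line}")
```

Running it over the sample flags the two res:// pages, the three foreign BHOs and the two O4 autoruns Fireflyer listed, while the Norton, Spybot and SchedulingAgent entries pass.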

#3 styler

    Member

  • New Member
  • 3 posts

Posted 29 June 2004 - 10:01 PM

Thanks for your response, Fireflyer! I followed all instructions. Please let me know if I need to do anything else or if I'm free of this malware. BTW, when I downloaded a new HJT, it turned out to be the same version that I downloaded the other day (v.1.97.7), but anyway, here's the latest logfile:

Logfile of HijackThis v1.97.7
Scan saved at 10:55:05 PM, on 6/29/2004
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\CARPSERV.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
C:\PROGRAM FILES\2WIRE\GATEWAY\2PORTALMON.EXE
C:\WINDOWS\SYSTEM\PELMICED.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER FREE EDITION\PSFREE.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\OSA.EXE
C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
C:\PROGRAM FILES\CANON\MULTIPASS\MONITR32.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\WINZIP\WINZIP32.EXE
C:\WINDOWS\TEMP\HIJACKTHIS.EXE

O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (file missing)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [SoundMan] soundman.exe
O4 - HKLM\..\Run: [NAV Agent] c:\PROGRA~1\NORTON~1\NAVAPW32.EXE
O4 - HKLM\..\Run: [2wSysTray] C:\PROGRAM FILES\2WIRE\GATEWAY\2PORTALMON.EXE
O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] PELMICED.EXE
O4 - HKLM\..\Run: [mdac_runonce] C:\WINDOWS\SYSTEM\runonce.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMANTEC\LIVEUP~1\SNDMON.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [CriticalUpdate] c:\windows\SYSTEM\wucrtupd.exe -startup
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [ATLZM.EXE] C:\WINDOWS\ATLZM.EXE
O4 - HKLM\..\RunServices: [D3ZY32.EXE] C:\WINDOWS\SYSTEM\D3ZY32.EXE
O4 - HKLM\..\RunServices: [ATLSX32.EXE] C:\WINDOWS\SYSTEM\ATLSX32.EXE
O4 - HKLM\..\RunServices: [MFCQS32.EXE] C:\WINDOWS\SYSTEM\MFCQS32.EXE
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER FREE EDITION\PSFREE.EXE"
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O4 - Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O4 - Startup: Canon MultiPASS Server.lnk = C:\Program Files\Canon\MultiPASS\monitr32.exe
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://download.yaho...mail/ymmapi.dll
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...7875.7750810185
O16 - DPF: ConferenceRoom Java Client - http://chat.strictly...080/java/cr.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yaho...s/yinst0401.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.micr...922/wmv9VCM.CAB
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab

#4 Fireflyer

    Spyware Scorcher

  • Retired Staff
  • 571 posts

Posted 30 June 2004 - 08:19 AM

It's looking pretty good - still a few remnants to clean up. Run a new HJT scan and mark these for removal:

O4 - HKLM\..\Run: [mdac_runonce] C:\WINDOWS\SYSTEM\runonce.exe

O4 - HKLM\..\RunServices: [ATLZM.EXE] C:\WINDOWS\ATLZM.EXE

O4 - HKLM\..\RunServices: [D3ZY32.EXE] C:\WINDOWS\SYSTEM\D3ZY32.EXE

O4 - HKLM\..\RunServices: [ATLSX32.EXE] C:\WINDOWS\SYSTEM\ATLSX32.EXE

O4 - HKLM\..\RunServices: [MFCQS32.EXE] C:\WINDOWS\SYSTEM\MFCQS32.EXE


Make sure all browser and Windows Explorer windows are closed, and click on Fix Checked.

Reboot normally, run another HJT scan, and post it here for another look.

Sorry about the HJT download being the old one - I got the new version from http://www.downloads.../hijackthis.zip

EDIT: Don't worry about the new HJT right now - the v1.97.7 version is fine and the 1.98 version might have some bugs in it - if so a fixed version will be released shortly.

Edited by Fireflyer, 30 June 2004 - 03:51 PM.


#5 styler

    Member

  • New Member
  • 3 posts

Posted 11 July 2004 - 11:56 AM

Thanks again, Fireflyer! I used HJT to fix the 5 items you mentioned and have run another scan (see below). Anything left that I need to fix?

Logfile of HijackThis v1.97.7
Scan saved at 12:53:35 PM, on 7/11/2004
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\CARPSERV.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
C:\PROGRAM FILES\2WIRE\GATEWAY\2PORTALMON.EXE
C:\WINDOWS\SYSTEM\PELMICED.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER FREE EDITION\PSFREE.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\OSA.EXE
C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
C:\PROGRAM FILES\CANON\MULTIPASS\MONITR32.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\DOWNLOADS\HIJACKTHIS.EXE

O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (file missing)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [SoundMan] soundman.exe
O4 - HKLM\..\Run: [NAV Agent] c:\PROGRA~1\NORTON~1\NAVAPW32.EXE
O4 - HKLM\..\Run: [2wSysTray] C:\PROGRAM FILES\2WIRE\GATEWAY\2PORTALMON.EXE
O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] PELMICED.EXE
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMANTEC\LIVEUP~1\SNDMON.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [CriticalUpdate] c:\windows\SYSTEM\wucrtupd.exe -startup
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER FREE EDITION\PSFREE.EXE"
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O4 - Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O4 - Startup: Canon MultiPASS Server.lnk = C:\Program Files\Canon\MultiPASS\monitr32.exe
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://download.yaho...mail/ymmapi.dll
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...7875.7750810185
O16 - DPF: ConferenceRoom Java Client - http://chat.strictly...080/java/cr.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yaho...s/yinst0401.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.micr...922/wmv9VCM.CAB
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab

#6 Fireflyer

    Spyware Scorcher

  • Retired Staff
  • 571 posts

Posted 11 July 2004 - 03:58 PM

The log looks very good. All traces of malware are gone.

A line in the log indicates that Spybot's bad download blocker BHO file is missing, and I'm not entirely sure how to get it back. Give this a try.

Open Spybot. Go to: Advanced Mode -> Tools -> Resident

and under Resident protection status see if the box is checked in front of:

Resident "SD Helper" (Internet Explorer bad download blocker) active.

If it is then try unchecking it and then recheck it after your next reboot.

If that doesn't work then the only way to get the missing .dll back may be to reinstall Spybot.

There are a couple of optional items to consider:

You have RealPlayer running at Startup and this is not necessary. You can fix this with HJT, but you will also need to set it not to load in RealPlayer itself to keep it from resetting itself. This is the item to fix in HJT:

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

This is considered to be a resource hog that's not needed to run at startup and it may be worthwhile to fix it with HJT. You will still be able to start it manually when you need it.

O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE

You know how to use HJT to fix those if you choose to do so.

By the way, Merijn's updated HJT v1.98 is now available.

To reduce the potential for spyware infection in the future, I recommend installing SpywareBlaster, SpyWareGuard and IE/Spyad if you do not already have them installed.

SpywareBlaster and SpywareGuard are by JavaCool and both are free programs. SpywareBlaster will prevent spyware from being installed and consumes no system resources. SpywareGuard offers realtime protection from spyware installation attempts.

More info and download is available at:
SpywareBlaster: http://www.javacools...areblaster.html
SpywareGuard: http://www.wildersse...ywareguard.html

IE/Spyad places over 4000 websites and domains in the IE Restricted list which will severely impair attempts to infect your system. It is free.

More info and download is available at:
IE/Spyad:
https://netfiles.uiu...ww/resource.htm

You might also want to consider installing a firewall program - two very good free ones are available thru the links in my Signature. I use Kerio Personal Firewall myself.

Edited by Fireflyer, 11 July 2004 - 04:00 PM.

