Jump to content


Photo

There is some worm in my IE!


  • Please log in to reply
16 replies to this topic

#1 Kinho36

Kinho36

    Member

  • Full Member
  • Pip
  • 11 posts

Posted 28 June 2004 - 08:07 AM

I got some spy in my pc, that every time I connect to internet (Speedy connection)
a message comes that "another software is making the IE connection". Some Explorer windows open - Lycos, "new offer for you", "Partner search", the hell.
Can someone please help me? here is my hjc file.
:weep:
Logfile of HijackThis v1.97.7
Scan saved at 09:58:30, on 28.06.2004
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v5.50 (5.50.4134.0600)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\WINDOWS\SYSTEM\MDM.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\SYSTEM\PROMON.EXE
C:\WINDOWS\DSLAUNCH.EXE
C:\PROGRAMME\MICROSOFT WORKS\WKSSB.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAMME\SPEEDY\WINPPPOVERETHERNET.EXE
C:\PROGRAMME\BROWSER MOUSE\BROWSER MOUSE\1.0\LWBWHEEL.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\PROGRAMME\GEMEINSAME DATEIEN\REAL\UPDATE_OB\REALSCHED.EXE
C:\WINDOWS\TEMP\6TFF.EXE
C:\WINDOWS\TEMP\6TFF.EXE
C:\WINDOWS\SYSTEM\WINDLL32.EXE
C:\PROGRAMME\GEMEINSAME DATEIEN\MICROSOFT SHARED\WORKS SHARED\WKCALREM.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\VVJB.EXE
C:\WINDOWS\SYSTEM\DZDY3FZ.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\SYSTEM\DLLFILTER.EXE
C:\WINDOWS\SYSTEM\DMLMO.EXE
C:\PROGRAMME\SYSAI\SYSAI.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\SYSTEM\WBEM\WINMGMT.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAMME\INTERNET EXPLORER\IEXPLORE.EXE
C:\TEMP\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.uol.com.br/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.uol.com.br/
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAMME\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: (no name) - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - C:\PROGRAMME\SEP\SEP.DLL
O2 - BHO: (no name) - {62160EEF-9D84-4C19-B7B8-6AC2526CD726} - C:\WINDOWS\SYSTEM\IVACASO.DLL
O3 - Toolbar: @msdxmLC.dll,-1@1031,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O3 - Toolbar: Band Class - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - C:\PROGRAMME\SEP\SEP.DLL
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [NVQuickTweak] RUNDLL32.EXE NVQTWK.DLL,NvTaskbarInit
O4 - HKLM\..\Run: [Promon.exe] Promon.exe
O4 - HKLM\..\Run: [YAMAHA DS-XG Launcher] C:\WINDOWS\dslaunch.exe
O4 - HKLM\..\Run: [WorksFUD] C:\Programme\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Programme\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [WheelMouse] C:\Programme\A4tech\Mouse\AWMMAIN.EXE
O4 - HKLM\..\Run: [a-winpoet-service] C:\Programme\Speedy\winpppoverethernet.exe
O4 - HKLM\..\Run: [LWBMOUSE] C:\Programme\Browser Mouse\Browser Mouse\1.0\lwbwheel.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [6TFF] C:\WINDOWS\TEMP\6TFF.EXE
O4 - HKLM\..\Run: [6TFF.EXE] C:\WINDOWS\TEMP\6TFF.EXE
O4 - HKLM\..\Run: [28G5DQA3DS9CNJ] C:\WINDOWS\SYSTEM\Cax65.exe
O4 - HKLM\..\Run: [Dsi] C:\WINDOWS\SYSTEM\DP-HIM.EXE
O4 - HKLM\..\Run: [AutoLoaderqDrp1ZOkIKcP] "C:\WINDOWS\SYSTEM\SERTIL.EXE" /PC="AM.WILD" /HideUninstall
O4 - HKLM\..\Run: [qq8V3tT] DLLFILTER.EXE
O4 - HKLM\..\Run: [AutoUpdater] "c:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [Machine Debug Manager] C:\WINDOWS\SYSTEM\MDM.EXE
O4 - HKCU\..\Run: [uu9gvl9j8b] C:\WINDOWS\67R4IMGIXG.EXE
O4 - HKCU\..\Run: [Osuw] C:\WINDOWS\Anwendungsdaten\rcns.exe
O4 - HKCU\..\Run: [windll32.exe] C:\WINDOWS\SYSTEM\windll32.exe
O4 - HKCU\..\Run: [ClockSync] C:\PROGRA~1\CLOCKS~1\Sync.exe /q
O4 - HKCU\..\Run: [b9r9RjfmT] DMLMO.EXE
O4 - Startup: Erinnerungen in Microsoft Works-Kalender.lnk = C:\Programme\Gemeinsame Dateien\Microsoft Shared\Works Shared\wkcalrem.exe
O4 - Startup: Microsoft Office.lnk = C:\Programme\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: Shorten URL - http://www.cjb.net/menuext.html
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: MSN Messenger Service (HKLM)
O9 - Extra button: Recherche-Assistent (HKLM)
O9 - Extra 'Tools' menuitem: MaxSpeed (HKLM)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {D9CE2963-8547-4C18-A4CE-DA27278310D8} (Instalador Remoto UOL) - http://download.uol....tiveInstall.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...7956.5773032407
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.micr...922/wmv9VCM.CAB
O16 - DPF: {1E2941E3-8E63-11D4-9D5A-00902742D6E0} (iNotes Class) - https://slnpl01.degu...m.br/iNotes.cab
O16 - DPF: {F57D17AE-CE37-4BC8-B232-EA57747BE5E7} - http://66.230.146.53/EPlugin.cab
O16 - DPF: {2F0D1DA3-F3E4-4C67-BB5C-5AFD70C1A4A5} (UDConnect Class) - http://19.sharedsour...onn_5.2.1.1.cab
O16 - DPF: {5C3A9EA6-4068-46B8-8B5A-692FB10607B1} (IntDialerData Class) - http://www.accesoonl.../DialerData.cab
O16 - DPF: {DF7A9F1F-E06B-4BE7-A27E-1BE7EA5AFC1C} (Infosistemas Class) - http://www.infodiale...istemas3000.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com...ex/qtplugin.cab
O16 - DPF: {5F426A93-0821-47D2-A126-5A48A874B289} (DialerWeb Class) - http://212.145.159.1...Recomendada.cab
O16 - DPF: {11111111-1111-1111-1111-111111111123} - file://c:\Recycled\1.exe
O16 - DPF: ppctlcab - http://www.pestscan....er/ppctlcab.cab
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan....r/axscanner.cab

#2 pfofit

pfofit

    It's raining spyware.

  • Trusted Advisor
  • PipPipPip
  • 171 posts

Posted 28 June 2004 - 05:17 PM

Hi there, you have several problems.
First. Hijack will creates the backups wherever it sits, in your case, in a TEMP folder. Temp folders get deleted over time and you will lose the backups created there as well as the hijack program.

Can you please create a folder such as C:\hijack\ and then move your 'hijack this.exe ' program and any backups from the old location into the new hijack folder.

Please run hijack and place a check in the following entries.
Ensure All IE. browsers and windows explorers are closed,
then have hijack fix them:
O16 - DPF: {F57D17AE-CE37-4BC8-B232-EA57747BE5E7} - http://66.230.146.53/EPlugin.cab
O16 - DPF: {2F0D1DA3-F3E4-4C67-BB5C-5AFD70C1A4A5} (UDConnect Class) - http://19.sharedsour...onn_5.2.1.1.cab
O16 - DPF: {5C3A9EA6-4068-46B8-8B5A-692FB10607B1} (IntDialerData Class) - http://www.accesoonl.../DialerData.cab
O16 - DPF: {DF7A9F1F-E06B-4BE7-A27E-1BE7EA5AFC1C} (Infosistemas Class) - http://www.infodiale...istemas3000.cab
O16 - DPF: {5F426A93-0821-47D2-A126-5A48A874B289} (DialerWeb Class) - http://212.145.159.1...Recomendada.cab
O16 - DPF: {11111111-1111-1111-1111-111111111123} - file://c:\Recycled\1.exe


Next
You have picked up the Peper trojan. To remove it, can you please download the PeperFix tool,
  • save it to your desktop,
  • close all browsers and doubleclick on it,
  • click 'Find and Fix' and reboot if prompted
Next.
Since there is no AV running, do a free online virus scan and delete anything it finds from 2 of :To continue your clean up, do a free online trojan scan as well and delete anything it finds from:Restart your system
You have some bits of spyware that is best removed by Ad-aware 6 Free.
Can you please download the Ad-aware 6 Free program from here Ad-aware 6 Free and install it.
Before scanning with Ad-aware 6 Free:
Run a FULL adaware scan using the following configuration below
  • Update
    • Select Check for updates.
    • Then Connect and download 01R324 22.06.2004 or latest.
    • When finished, shut down and restart Ad-Aware.
  • Select the gear wheel at the top and tick the following to get a green circle.
  • Select General
    • Automatically save log-file.
    • Automatically quarantine objects prior to removal.
    • Safe mode.
  • Select Scanning
    • In Drives & Folders,
      • Scan within Archives.
      • Select- Click here to select Drives + folders, select all hard drives.
    • In Memory & Registry, select all available options.
  • Select Tweaks > Scanning Engine
    • Unload recognized processes during scanning.
    • Include basic ad-aware settings.
    • Include additional ad-aware settings.
  • Select Tweaks > Cleaning Engine:
    • Select all available options.
  • Click Proceed, then Start and make sure Activate in-depth scan is green.
  • Select ‘Use custom scan’ and hit ‘Next’ to let Ad-Aware scan your drives.
It will list "bad" files and registry keys. Click ‘Next’.
Rightclick in the list and select all and click next.

It will ask for verification of checked items. Choose OK.

Close Ad-Aware, Shut down and reboot your unit .

To help keep from being reinfected, lets put up some barriers by insatlling SpywareBlaster, if you do not already have it. It's free and will help prevent the installation of ActiveX-based spyware, adware, browser hijackers, dialers, and other potentially unwanted pests. Just download, install and check for updates and enable all protection.

Reboot and show a fresh hijack log. We'll see what is left.
Thanks

Edited by pfofit, 28 June 2004 - 05:18 PM.


#3 Kinho36

Kinho36

    Member

  • Full Member
  • Pip
  • 11 posts

Posted 29 June 2004 - 06:33 AM

Dear Pfofit,

thank you very much. I did all the steps and, well, I still have the message
"another software is connecting" when I start the net connection.

:oops:

But the popus vanished. ;)



Thank you.


Kinho

The actual hjt log is:

Logfile of HijackThis v1.97.7
Scan saved at 08:21:35, on 29.06.2004
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v5.50 (5.50.4134.0600)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\WINDOWS\SYSTEM\MDM.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\SYSTEM\PROMON.EXE
C:\WINDOWS\DSLAUNCH.EXE
C:\PROGRAMME\MICROSOFT WORKS\WKSSB.EXE
C:\PROGRAMME\SPEEDY\WINPPPOVERETHERNET.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAMME\BROWSER MOUSE\BROWSER MOUSE\1.0\LWBWHEEL.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\PROGRAMME\GEMEINSAME DATEIEN\REAL\UPDATE_OB\REALSCHED.EXE
C:\WINDOWS\TEMP\6TFF.EXE
C:\WINDOWS\TEMP\6TFF.EXE
C:\PROGRAMME\GEMEINSAME DATEIEN\MICROSOFT SHARED\WORKS SHARED\WKCALREM.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\HJT\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.uol.com.br/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.uol.com.br/
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAMME\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: (no name) - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - C:\PROGRAMME\SEP\SEP.DLL
O2 - BHO: (no name) - {62160EEF-9D84-4C19-B7B8-6AC2526CD726} - C:\WINDOWS\SYSTEM\IVACASO.DLL
O3 - Toolbar: @msdxmLC.dll,-1@1031,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O3 - Toolbar: Band Class - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - C:\PROGRAMME\SEP\SEP.DLL
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [NVQuickTweak] RUNDLL32.EXE NVQTWK.DLL,NvTaskbarInit
O4 - HKLM\..\Run: [Promon.exe] Promon.exe
O4 - HKLM\..\Run: [YAMAHA DS-XG Launcher] C:\WINDOWS\dslaunch.exe
O4 - HKLM\..\Run: [WorksFUD] C:\Programme\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Programme\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [WheelMouse] C:\Programme\A4tech\Mouse\AWMMAIN.EXE
O4 - HKLM\..\Run: [a-winpoet-service] C:\Programme\Speedy\winpppoverethernet.exe
O4 - HKLM\..\Run: [LWBMOUSE] C:\Programme\Browser Mouse\Browser Mouse\1.0\lwbwheel.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [6TFF] C:\WINDOWS\TEMP\6TFF.EXE
O4 - HKLM\..\Run: [6TFF.EXE] C:\WINDOWS\TEMP\6TFF.EXE
O4 - HKLM\..\Run: [Dsi] C:\WINDOWS\SYSTEM\DP-HIM.EXE
O4 - HKLM\..\Run: [AutoLoaderqDrp1ZOkIKcP] "C:\WINDOWS\SYSTEM\SERTIL.EXE" /PC="AM.WILD" /HideUninstall
O4 - HKLM\..\Run: [qq8V3tT] SERTIL.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [Machine Debug Manager] C:\WINDOWS\SYSTEM\MDM.EXE
O4 - HKCU\..\Run: [uu9gvl9j8b] C:\WINDOWS\67R4IMGIXG.EXE
O4 - HKCU\..\Run: [Osuw] C:\WINDOWS\Anwendungsdaten\rcns.exe
O4 - HKCU\..\Run: [ClockSync] C:\PROGRA~1\CLOCKS~1\Sync.exe /q
O4 - HKCU\..\Run: [b9r9RjfmT] MDTPLWIZ.EXE
O4 - Startup: Erinnerungen in Microsoft Works-Kalender.lnk = C:\Programme\Gemeinsame Dateien\Microsoft Shared\Works Shared\wkcalrem.exe
O4 - Startup: Microsoft Office.lnk = C:\Programme\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: Shorten URL - http://www.cjb.net/menuext.html
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: MSN Messenger Service (HKLM)
O9 - Extra button: Recherche-Assistent (HKLM)
O9 - Extra 'Tools' menuitem: MaxSpeed (HKLM)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {D9CE2963-8547-4C18-A4CE-DA27278310D8} (Instalador Remoto UOL) - http://download.uol....tiveInstall.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...7956.5773032407
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.micr...922/wmv9VCM.CAB
O16 - DPF: {1E2941E3-8E63-11D4-9D5A-00902742D6E0} (iNotes Class) - https://slnpl01.degu...m.br/iNotes.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com...ex/qtplugin.cab
O16 - DPF: ppctlcab - http://www.pestscan....er/ppctlcab.cab
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan....r/axscanner.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall-Kontrolle) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab

#4 pfofit

pfofit

    It's raining spyware.

  • Trusted Advisor
  • PipPipPip
  • 171 posts

Posted 29 June 2004 - 08:52 AM

Hello again kinho. Well done.
Next steps,
Please run hijack and place a check in the following entries.
Ensure All IE. browsers and windows explorers are closed,
then have hijack fix them:
O2 - BHO: (no name) - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - C:\PROGRAMME\SEP\SEP.DLL
O2 - BHO: (no name) - {62160EEF-9D84-4C19-B7B8-6AC2526CD726} - C:\WINDOWS\SYSTEM\IVACASO.DLL

O3 - Toolbar: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O3 - Toolbar: Band Class - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - C:\PROGRAMME\SEP\SEP.DLL

O4 - HKLM\..\Run: [6TFF] C:\WINDOWS\TEMP\6TFF.EXE
O4 - HKLM\..\Run: [6TFF.EXE] C:\WINDOWS\TEMP\6TFF.EXE
O4 - HKLM\..\Run: [Dsi] C:\WINDOWS\SYSTEM\DP-HIM.EXE
O4 - HKLM\..\Run: [AutoLoaderqDrp1ZOkIKcP] "C:\WINDOWS\SYSTEM\SERTIL.EXE" /PC="AM.WILD" /HideUninstall
O4 - HKLM\..\Run: [qq8V3tT] SERTIL.EXE
O4 - HKCU\..\Run: [uu9gvl9j8b] C:\WINDOWS\67R4IMGIXG.EXE
O4 - HKCU\..\Run: [Osuw] C:\WINDOWS\Anwendungsdaten\rcns.exe
O4 - HKCU\..\Run: [ClockSync] C:\PROGRA~1\CLOCKS~1\Sync.exe /q
O4 - HKCU\..\Run: [b9r9RjfmT] MDTPLWIZ.EXE

O9 - Extra 'Tools' menuitem: MaxSpeed (HKLM)


These items in blue can be fixed if you choose, they are unnecessary programs running at start and/or that hog resources: Having hijack fix it does not remove the program, just their start up command.
O4 - Startup: Microsoft Office.lnk = C:\Programme\Microsoft Office\Office\OSA9.EXE
Launches common MS Office components to run and hog resources.

O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
It's the system tray icon for quick time player.

O4 - HKLM\..\Run: [WorksFUD] C:\Programme\Microsoft Works\wkfud.exe
Marketing program for MSworks that loads at startup.


To unhide hidden files,
  • On desktop doubleclick My Computer and select View>Folder Options
  • Under the View tab,
  • Tick show all files
  • Untick hide file extensions for all file types. Select Apply
Restart in Safe mode and open an IE and select Tools> Internet options and delete all temporary internet files and tick "delete offline content".
Then find and delete the following files
C:\ temp <--delete all possible files in this folder
C:\windows\ temp <--delete all possible files in this folder

While still in safe mode, find and delete the following files/folders if they still exist:
C:\WINDOWS\TEMP\ 6TFF.EXE <--delete only this file
C:\WINDOWS\SYSTEM\ DP-HIM.EXE <--delete only this file
C:\WINDOWS\SYSTEM\ SERTIL.EXE <--delete only this file
C:\WINDOWS\ 67R4IMGIXG.EXE <--delete only this file
C:\WINDOWS\Anwendungsdaten\ rcns.exe <--delete only this file

Run a search for and delete any instant of :
SERTIL.EXE <--delete only this file
MDTPLWIZ.EXE <--delete only this file

C:\PROGRA~1\ CLOCKS~1\ <--delete only this folder
C:\PROGRAMME\ SEP <--delete only this folder

Restart your system and repost here with a new log from hijack.

Edited by pfofit, 29 June 2004 - 08:56 AM.


#5 Kinho36

Kinho36

    Member

  • Full Member
  • Pip
  • 11 posts

Posted 29 June 2004 - 08:01 PM

Hi Pfofit

there should be not much trash in my system now. I followed the instructions
of your second answer - although I am not quite sure about all the things one
can delete from c:\windows\temp - and got the message "Another...." once again.

I run Ad-aware 6.0 and it found but 1 item this time (great! they were 81 yesterday!).
:lol:
Thanks a lot - let me know if you need some help with Portuguese or German - my languages.

Here the newest HJT log


Logfile of HijackThis v1.97.7
Scan saved at 23:48:24, on 29.06.2004
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v5.50 (5.50.4134.0600)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\WINDOWS\SYSTEM\MDM.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\SYSTEM\PROMON.EXE
C:\WINDOWS\DSLAUNCH.EXE
C:\PROGRAMME\MICROSOFT WORKS\WKSSB.EXE
C:\PROGRAMME\SPEEDY\WINPPPOVERETHERNET.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\PROGRAMME\BROWSER MOUSE\BROWSER MOUSE\1.0\LWBWHEEL.EXE
C:\PROGRAMME\GEMEINSAME DATEIEN\REAL\UPDATE_OB\REALSCHED.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAMME\GEMEINSAME DATEIEN\MICROSOFT SHARED\WORKS SHARED\WKCALREM.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\HJT\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.uol.com.br/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.uol.com.br/
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAMME\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O3 - Toolbar: @msdxmLC.dll,-1@1031,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [NVQuickTweak] RUNDLL32.EXE NVQTWK.DLL,NvTaskbarInit
O4 - HKLM\..\Run: [Promon.exe] Promon.exe
O4 - HKLM\..\Run: [YAMAHA DS-XG Launcher] C:\WINDOWS\dslaunch.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Programme\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [WheelMouse] C:\Programme\A4tech\Mouse\AWMMAIN.EXE
O4 - HKLM\..\Run: [a-winpoet-service] C:\Programme\Speedy\winpppoverethernet.exe
O4 - HKLM\..\Run: [LWBMOUSE] C:\Programme\Browser Mouse\Browser Mouse\1.0\lwbwheel.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [Machine Debug Manager] C:\WINDOWS\SYSTEM\MDM.EXE
O4 - Startup: Erinnerungen in Microsoft Works-Kalender.lnk = C:\Programme\Gemeinsame Dateien\Microsoft Shared\Works Shared\wkcalrem.exe
O8 - Extra context menu item: Shorten URL - http://www.cjb.net/menuext.html
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: MSN Messenger Service (HKLM)
O9 - Extra button: Recherche-Assistent (HKLM)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {D9CE2963-8547-4C18-A4CE-DA27278310D8} (Instalador Remoto UOL) - http://download.uol....tiveInstall.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...7956.5773032407
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.micr...922/wmv9VCM.CAB
O16 - DPF: {1E2941E3-8E63-11D4-9D5A-00902742D6E0} (iNotes Class) - https://slnpl01.degu...m.br/iNotes.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com...ex/qtplugin.cab
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan....r/axscanner.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall-Kontrolle) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab

Edited by Kinho36, 29 June 2004 - 10:02 PM.


#6 pfofit

pfofit

    It's raining spyware.

  • Trusted Advisor
  • PipPipPip
  • 171 posts

Posted 29 June 2004 - 10:10 PM

Hi Kinho.

Something is very strange. :scratchhead: :scratchhead: Your last log is the same as the previous except the date/time.
No changes at all. :scratchhead:

Edited to reflect edit by kinho of last post -pfofit



Ok kinko, i just saw your log swap of your last post. You really had me going there. :p

Let me have a look see at the new/last post and I'll get back to you. ;)

Edited by pfofit, 29 June 2004 - 10:31 PM.


#7 pfofit

pfofit

    It's raining spyware.

  • Trusted Advisor
  • PipPipPip
  • 171 posts

Posted 29 June 2004 - 10:55 PM

Hi kinho, logs looking better, but there is a couple more things to do.

You have no Antivirus running which is bad, as the mess we have cleaned will be back, without one. AVG antivirus from Grisoft is a very good FREE antivirus program. Please download and install it.

although I am not quite sure about all the things one
can delete from c:\windows\temp

What is there that your not sure about?

and got the message "Another...." once again.

Do you get anything else from the message that may indicate what program is generating this message? What is the exact wording of the message?

I run Ad-aware 6.0 and it found but 1 item this time (great! they were 81 yesterday!).

That's good news kinho, we're getting there. Do you remember what it was?

As well, run hijack, go to "Config" and select "ignorelist" at the top. If anything is listed in that window, select "delete all".

Then go to Start> Run and type msconfig and hit OK. Under the "General" tab, ensure that "Normal startup" is selected and reboot.

After that, repost a fresh log.
thanks

#8 Kinho36

Kinho36

    Member

  • Full Member
  • Pip
  • 11 posts

Posted 30 June 2004 - 07:00 AM

Hi Pfofit,

unfortunately I did not write the item found by Ad6 down.
I followed the steps below and now it finds nothing, neither does SpyW-S&D


AV - done

I am not sure about files like

Installter2.exe
r.exe
emule.css
appp7154.tmp
addclass.exe

When I start my IE Connection, Speedy, the login window should check the password, show "Connected", close and the initial browser, UOL, should be open.

But it is happening that the login window is not closing, at first nothing occurs. When I click on the Speedy icon on the menu bar the message
"Ein anderes Programm stellt gerade die gewählte Verbindung her" (Another program is establishing the chosen connection) - comes. After about 40s the
Speedy login goes on, the login window closes and I can open the initial browser.

I could not get any hint about which other program it may be. :huh:

Well, heres my new log. Thanks a lot.


Logfile of HijackThis v1.97.7
Scan saved at 08:27:25, on 30.06.2004
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v5.50 (5.50.4134.0600)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\WINDOWS\SYSTEM\MDM.EXE
C:\PROGRAMME\GRISOFT\AVG6\AVGSERV9.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\SYSTEM\PROMON.EXE
C:\WINDOWS\DSLAUNCH.EXE
C:\PROGRAMME\MICROSOFT WORKS\WKSSB.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\PROGRAMME\SPEEDY\WINPPPOVERETHERNET.EXE
C:\PROGRAMME\BROWSER MOUSE\BROWSER MOUSE\1.0\LWBWHEEL.EXE
C:\PROGRAMME\GEMEINSAME DATEIEN\REAL\UPDATE_OB\REALSCHED.EXE
C:\PROGRAMME\GRISOFT\AVG6\AVGCC32.EXE
C:\PROGRAMME\GEMEINSAME DATEIEN\MICROSOFT SHARED\WORKS SHARED\WKCALREM.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAMME\MICROSOFT PICTURE IT! PHOTOPUB\PIP.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAMME\MICROSOFT WORKS\MSWORKS.EXE
C:\HJT\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.uol.com.br/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.uol.com.br/
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAMME\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O3 - Toolbar: @msdxmLC.dll,-1@1031,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [NVQuickTweak] RUNDLL32.EXE NVQTWK.DLL,NvTaskbarInit
O4 - HKLM\..\Run: [Promon.exe] Promon.exe
O4 - HKLM\..\Run: [YAMAHA DS-XG Launcher] C:\WINDOWS\dslaunch.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Programme\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [WheelMouse] C:\Programme\A4tech\Mouse\AWMMAIN.EXE
O4 - HKLM\..\Run: [a-winpoet-service] C:\Programme\Speedy\winpppoverethernet.exe
O4 - HKLM\..\Run: [LWBMOUSE] C:\Programme\Browser Mouse\Browser Mouse\1.0\lwbwheel.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\GRISOFT\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [Machine Debug Manager] C:\WINDOWS\SYSTEM\MDM.EXE
O4 - HKLM\..\RunServices: [Avgserv9.exe] C:\PROGRA~1\GRISOFT\AVG6\Avgserv9.exe
O4 - Startup: Erinnerungen in Microsoft Works-Kalender.lnk = C:\Programme\Gemeinsame Dateien\Microsoft Shared\Works Shared\wkcalrem.exe
O8 - Extra context menu item: Shorten URL - http://www.cjb.net/menuext.html
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: MSN Messenger Service (HKLM)
O9 - Extra button: Recherche-Assistent (HKLM)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {D9CE2963-8547-4C18-A4CE-DA27278310D8} (Instalador Remoto UOL) - http://download.uol....tiveInstall.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...7956.5773032407
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.micr...922/wmv9VCM.CAB
O16 - DPF: {1E2941E3-8E63-11D4-9D5A-00902742D6E0} (iNotes Class) - https://slnpl01.degu...m.br/iNotes.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com...ex/qtplugin.cab
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan....r/axscanner.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall-Kontrolle) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab

Edited by Kinho36, 30 June 2004 - 07:01 AM.


#9 pfofit

pfofit

    It's raining spyware.

  • Trusted Advisor
  • PipPipPip
  • 171 posts

Posted 30 June 2004 - 12:31 PM

Hello kinho.
Generaly delete your temp folder files.
If you have doubts then select the file, right click and select properties and the version tab and see what product and company name is associated with the file and if you recognize it or the program. If you're sure it’s from a program you do not know and or trust, either delete it or rename it with old infront of the extension so that it will not run on reboot. Some links below for additional info.
http://www.desilva.b...sc/deltemp.html
http://windows.about...ps/bltip700.htm
http://inquirer.phil...fdb7df9-58.html

However, Addclass.exe is a remnant of CWS.
Can you please download the latest version 1.59.1 of the CWShredder.
Ensure all browsers and window explorers are closed and run the CWShredder. Select 'FIX' . When it has finished, please restart your unit, and repost a fresh log from hijack this.

Rerun the peperfix program.

Also you need to get updated from MS for the latest critical updates to patch security problems. Go there and install all critical updates. You may need a couple of trips. Go back again and again until there are no more critical updates. It's the way MS does the updates.
Repost a fresh log and report your status.

Edited by pfofit, 30 June 2004 - 12:33 PM.


#10 Kinho36

Kinho36

    Member

  • Full Member
  • Pip
  • 11 posts

Posted 30 June 2004 - 09:37 PM

Hi Pfofit,

I still get the message, but my PC runs really faster now. :cool:

Thank you very much.

Here the HJT log.

Logfile of HijackThis v1.97.7
Scan saved at 23:33:52, on 30.06.2004
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\WINDOWS\SYSTEM\MDM.EXE
C:\PROGRAMME\GRISOFT\AVG6\AVGSERV9.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\PROMON.EXE
C:\WINDOWS\DSLAUNCH.EXE
C:\PROGRAMME\MICROSOFT WORKS\WKSSB.EXE
C:\PROGRAMME\SPEEDY\WINPPPOVERETHERNET.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAMME\BROWSER MOUSE\BROWSER MOUSE\1.0\LWBWHEEL.EXE
C:\PROGRAMME\GRISOFT\AVG6\AVGCC32.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\HJT\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.uol.com.br/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.uol.com.br/
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAMME\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Promon.exe] Promon.exe
O4 - HKLM\..\Run: [YAMAHA DS-XG Launcher] C:\WINDOWS\dslaunch.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Programme\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [WheelMouse] C:\Programme\A4tech\Mouse\AWMMAIN.EXE
O4 - HKLM\..\Run: [a-winpoet-service] C:\Programme\Speedy\winpppoverethernet.exe
O4 - HKLM\..\Run: [LWBMOUSE] C:\Programme\Browser Mouse\Browser Mouse\1.0\lwbwheel.exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\GRISOFT\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [Machine Debug Manager] C:\WINDOWS\SYSTEM\MDM.EXE
O4 - HKLM\..\RunServices: [Avgserv9.exe] C:\PROGRA~1\GRISOFT\AVG6\Avgserv9.exe
O8 - Extra context menu item: Shorten URL - http://www.cjb.net/menuext.html
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: MSN Messenger Service (HKLM)
O9 - Extra button: Recherche-Assistent (HKLM)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {D9CE2963-8547-4C18-A4CE-DA27278310D8} (Instalador Remoto UOL) - http://download.uol....tiveInstall.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...7956.5773032407
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.micr...922/wmv9VCM.CAB
O16 - DPF: {1E2941E3-8E63-11D4-9D5A-00902742D6E0} (iNotes Class) - https://slnpl01.degu...m.br/iNotes.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com...ex/qtplugin.cab
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan....r/axscanner.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall-Kontrolle) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab

#11 pfofit

pfofit

    It's raining spyware.

  • Trusted Advisor
  • PipPipPip
  • 171 posts

Posted 30 June 2004 - 10:33 PM

kinho, Good work with the updates. What did you do with the temp folder? Not sure what is happening with that message.

Lets take a look at a startuplist log please.
Can you please generate a stratuplist. From hijackthis, Click Config> Misc tools> and tick the two boxes under the generate startup list log button and then choose generate startuplist log.
Then copy and past the result from notepad.

kinho, Select Start-> Settings-> Control panel-> add/remove and look to see if there is anything listed that you do not recognize and report back.

Have you updated and run a complete scan with AVG yet?
thanks

#12 Kinho36

Kinho36

    Member

  • Full Member
  • Pip
  • 11 posts

Posted 01 July 2004 - 05:33 AM

Hello Pfofit,

What did you do with the temp folder? Not sure what is happening with that message.


I deleted tmp files and put .old in the extensions of the files I can not identify. Well, it seems not to have disturbed anything.

Can you please generate a stratuplist.  From hijackthis...


I have got a "book" this time. Please see below.

kinho, Select Start-> Settings-> Control panel-> add/remove and look to see if there is anything listed that you do not recognize and report back.


I saw nothing suspect.

I did the scan with AVG. The complete test runs every 24h.

Best regards

StartupList report, 01.07.2004, 07:12:40
StartupList version: 1.52
Started from : C:\HJT\HIJACKTHIS.EXE
Detected: Windows ME (Win9x 4.90.3000)
Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
* Using default options
* Including empty and uninteresting sections
* Showing rarely important sections
==================================================

Running processes:

C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\WINDOWS\SYSTEM\MDM.EXE
C:\PROGRAMME\GRISOFT\AVG6\AVGSERV9.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\PROMON.EXE
C:\WINDOWS\DSLAUNCH.EXE
C:\PROGRAMME\MICROSOFT WORKS\WKSSB.EXE
C:\PROGRAMME\SPEEDY\WINPPPOVERETHERNET.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAMME\BROWSER MOUSE\BROWSER MOUSE\1.0\LWBWHEEL.EXE
C:\PROGRAMME\GRISOFT\AVG6\AVGCC32.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\WUAUCLT.EXE
C:\WINDOWS\SYSTEM\WBEM\WINMGMT.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAMME\GRISOFT\AVG6\AVGW.EXE
C:\HJT\HIJACKTHIS.EXE

--------------------------------------------------

Listing of startup folders:

Shell folders Startup:
[C:\WINDOWS\Startmenü\Programme\Autostart]
*No files*

Shell folders AltStartup:
*Folder not found*

User shell folders Startup:
*Folder not found*

User shell folders AltStartup:
*Folder not found*

Shell folders Common Startup:
[C:\WINDOWS\All Users\Startmenü\Programme\Autostart]
*No files*

Shell folders Common AltStartup:
*Folder not found*

User shell folders Common Startup:
*Folder not found*

User shell folders Alternate Common Startup:
*Folder not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

ScanRegistry = C:\WINDOWS\scanregw.exe /autorun
TaskMonitor = C:\WINDOWS\taskmon.exe
SystemTray = SysTray.Exe
LoadPowerProfile = Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
Promon.exe = Promon.exe
YAMAHA DS-XG Launcher = C:\WINDOWS\dslaunch.exe
Microsoft Works Portfolio = C:\Programme\Microsoft Works\WksSb.exe /AllUsers
WheelMouse = C:\Programme\A4tech\Mouse\AWMMAIN.EXE
a-winpoet-service = C:\Programme\Speedy\winpppoverethernet.exe
LWBMOUSE = C:\Programme\Browser Mouse\Browser Mouse\1.0\lwbwheel.exe
AVG_CC = C:\PROGRA~1\GRISOFT\AVG6\avgcc32.exe /STARTUP

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

LoadPowerProfile = Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
SchedulingAgent = mstask.exe
SSDPSRV = C:\WINDOWS\SYSTEM\ssdpsrv.exe
*StateMgr = C:\WINDOWS\System\Restore\StateMgr.exe
Machine Debug Manager = C:\WINDOWS\SYSTEM\MDM.EXE
Avgserv9.exe = C:\PROGRA~1\GRISOFT\AVG6\Avgserv9.exe

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

[OptionalComponents]
*No values found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*

--------------------------------------------------

File association entry for .EXE:
HKEY_CLASSES_ROOT\exefile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .COM:
HKEY_CLASSES_ROOT\comfile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .BAT:
HKEY_CLASSES_ROOT\batfile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .PIF:
HKEY_CLASSES_ROOT\piffile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .SCR:
HKEY_CLASSES_ROOT\scrfile\shell\open\command

(Default) = "%1" /S

--------------------------------------------------

File association entry for .HTA:
HKEY_CLASSES_ROOT\htafile\shell\open\command

(Default) = C:\WINDOWS\SYSTEM\MSHTA.EXE "%1" %*

--------------------------------------------------

Enumerating Active Setup stub paths:
HKLM\Software\Microsoft\Active Setup\Installed Components
(* = disabled by HKCU twin)

[SetupcPerUser] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection SetupcPerUser 64 C:\WINDOWS\INF\setupc.inf

[AppletsPerUser] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection AppletsPerUser 64 C:\WINDOWS\INF\applets.inf

[PerUser_CVT_Inis]
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_CVT_Inis 64 C:\WINDOWS\INF\applets1.inf

[FontsPerUser] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection FontsPerUser 64 C:\WINDOWS\INF\fonts.inf

[PerUser_HNW_Inis] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_HNW_Inis 64 C:\WINDOWS\INF\ICS.inf

[PerUser_ICW_Inis] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_ICW_Inis 0 C:\WINDOWS\INF\icw97.inf

[>{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS] *
StubPath = RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP

[{89820200-ECBD-11cf-8B85-00AA005B4395}] *
StubPath = regsvr32.exe /s /n /i:U shell32.dll

[PerUser_moviemaker] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_moviemaker 64 C:\WINDOWS\INF\moviemk.inf

[{CA0A4247-44BE-11d1-A005-00805F8ABE06}] *
StubPath = RunDLL setupx.dll,InstallHinfSection PowerCfg.user 0 powercfg.inf

[PerUser_Msinfo] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_Msinfo 64 C:\WINDOWS\INF\msinfo.inf

[PerUser_Msinfo2] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_Msinfo2 64 C:\WINDOWS\INF\msinfo.inf

[MotownMmsysPerUser] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection MotownMmsysPerUser 64 C:\WINDOWS\INF\motown.inf

[MotownAvivideoPerUser] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection MotownAvivideoPerUser 64 C:\WINDOWS\INF\motown.inf

[PerUser_Base] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_Base 64 C:\WINDOWS\INF\msmail.inf

[SamplerPerUser] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection SamplerPerUser 64 C:\WINDOWS\INF\sampler.inf

[ShellPerUser] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection ShellPerUser 64 C:\WINDOWS\INF\shell.inf

[Shell2PerUser] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection Shell2PerUser 64 C:\WINDOWS\INF\shell2.inf

[PerUser_winbase_Links] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_winbase_Links 64 C:\WINDOWS\INF\subase.inf

[PerUser_winapps_Links] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_winapps_Links 64 C:\WINDOWS\INF\subase.inf

[PerUser_LinkBar_URLs] *
StubPath = C:\WINDOWS\COMMAND\sulfnbk.exe /L

[TapiPerUser] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection TapiPerUser 64 C:\WINDOWS\INF\tapi.inf

[PerUser_MSWordPad_Inis] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_MSWordPad_Inis 64 C:\WINDOWS\INF\wordpad.inf

[PerUserOldLinks] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUserOldLinks 64 C:\WINDOWS\INF\appletpp.inf

[MmoptRegisterPerUser] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection MmoptRegisterPerUser 64 C:\WINDOWS\INF\mmopt.inf

[PerUser_CDPlayer_Inis] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_CDPlayer_Inis 64 C:\WINDOWS\INF\mmopt.inf

[OlsPerUser] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection OlsPerUser 64 C:\WINDOWS\INF\ols.inf

[PerUser_PCHealth] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_PCHealth 64 C:\WINDOWS\INF\pchealth.inf

[{6BF52A52-394A-11d3-B153-00C04F79FAA6}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\wmp.inf,PerUserStub

[PerUser_Paint_Inis] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_Paint_Inis 64 C:\WINDOWS\INF\applets.inf

[PerUser_Calc_Inis] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_Calc_Inis 64 C:\WINDOWS\INF\applets.inf

[PerUser_Enable_Inis] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_Enable_Inis 64 C:\WINDOWS\INF\enable.inf

[PerUser_Wingames_Inis] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_Wingames_Inis 64 C:\WINDOWS\INF\games.inf

[PerUser_ZoneGame_Inis] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_ZoneGame_Inis 64 C:\WINDOWS\INF\games.inf

[PerUser_PBGame_Inis] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_PBGame_Inis 64 C:\WINDOWS\INF\games.inf

[{5945c046-1e7d-11d1-bc44-00c04fd912be}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msmsgs.inf,BLC.Install.PerUser

[MotownRecPerUser] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection MotownRecPerUser 64 C:\WINDOWS\INF\motown.inf

[PerUser_Vol] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_Vol 64 C:\WINDOWS\INF\motown.inf

[MotownMPlayPerUser] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection MotownMPlayPerUser 64 C:\WINDOWS\INF\motown.inf

[PerUser_RNA_Inis] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_RNA_Inis 64 C:\WINDOWS\INF\rna.inf

[PerUser_Dialer_Inis] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_Dialer_Inis 64 C:\WINDOWS\INF\appletpp.inf

[{44BBA840-CC51-11CF-AAFA-00AA00B6015C}] *
StubPath = rundll32.exe advpack.dll,UserInstStubWrapper {44BBA840-CC51-11CF-AAFA-00AA00B6015C}

[{7790769C-0471-11d2-AF11-00C04FA35D02}] *
StubPath = rundll32.exe advpack.dll,UserInstStubWrapper {7790769C-0471-11d2-AF11-00C04FA35D02}

[OlsAolPerUser] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection OlsAolPerUser 64 C:\WINDOWS\INF\ols.inf

[Theme_MoreWindows_PerUser] *
StubPath = rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection Themes_MoreWindows_PerUser 0 C:\WINDOWS\INF\themes.inf

[{44BBA842-CC51-11CF-AAFA-00AA00B6015C}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.W95

[{44BBA851-CC51-11CF-AAFA-00AA00B6015C}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\wpie5x86.inf,PerUserStub

[{89820200-ECBD-11cf-8B85-00AA005B4383}] *
StubPath = C:\WINDOWS\SYSTEM\ie4uinit.exe

[{9EF0045A-CDD9-438e-95E6-02B9AFEC8E11}] *
StubPath = C:\WINDOWS\SYSTEM\updcrl.exe -e -u C:\WINDOWS\SYSTEM\verisignpub1.crl

[{89B4C1CD-B018-4511-B0A1-5476DBF70820}] *
StubPath = C:\WINDOWS\SYSTEM\Rundll32.exe C:\WINDOWS\SYSTEM\mscories.dll,Install

[>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}] *
StubPath = C:\WINDOWS\inf\unregmp2.exe /ShowWMP

--------------------------------------------------

Enumerating ICQ Agent Autostart apps:
HKCU\Software\Mirabilis\ICQ\Agent\Apps

*Registry key not found*

--------------------------------------------------

Load/Run keys from C:\WINDOWS\WIN.INI:

load=
run=

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=Explorer.exe
SCRNSAVE.EXE=
drivers=mmsystem.dll power.drv

--------------------------------------------------

Checking for EXPLORER.EXE instances:

C:\WINDOWS\Explorer.exe: PRESENT!

C:\Explorer.exe: not present
C:\WINDOWS\Explorer\Explorer.exe: not present
C:\WINDOWS\System\Explorer.exe: not present
C:\WINDOWS\System32\Explorer.exe: not present
C:\WINDOWS\Command\Explorer.exe: not present
C:\WINDOWS\Fonts\Explorer.exe: not present

--------------------------------------------------

C:\WINDOWS\WININIT.INI listing:

*File not found*

--------------------------------------------------

C:\WINDOWS\WININIT.BAK listing:
(Created 30/6/2004, 23:7:40)

[rename]
NUL=C:\WINDOWS\TEMP\GLB1A2B.EXE

--------------------------------------------------

C:\AUTOEXEC.BAT listing:

SET windir=C:\WINDOWS
SET winbootdir=C:\WINDOWS
SET COMSPEC=C:\WINDOWS\COMMAND.COM
SET PATH=C:\WINDOWS;C:\WINDOWS\COMMAND
SET PROMPT=$p$g
SET TEMP=C:\WINDOWS\TEMP
SET TMP=C:\WINDOWS\TEMP

--------------------------------------------------

C:\CONFIG.SYS listing:

*File is empty*

--------------------------------------------------

C:\WINDOWS\WINSTART.BAT listing:

C:\WINDOWS\tmpcpyis.bat

--------------------------------------------------

C:\WINDOWS\DOSSTART.BAT listing:

*File not found*

--------------------------------------------------

Checking for superhidden extensions:

.lnk: HIDDEN! (arrow overlay: yes)
.pif: HIDDEN! (arrow overlay: yes)
.exe: not hidden
.com: not hidden
.bat: not hidden
.hta: not hidden
.scr: not hidden
.shs: HIDDEN!
.shb: HIDDEN!
.vbs: not hidden
.vbe: not hidden
.wsh: not hidden
.scf: HIDDEN! (arrow overlay: NO!)
.url: HIDDEN! (arrow overlay: yes)
.js: not hidden
.jse: not hidden

--------------------------------------------------

Verifying REGEDIT.EXE integrity:

- Regedit.exe found in C:\WINDOWS
- .reg open command is normal (regedit.exe %1)
- Company name OK: 'Microsoft Corporation'
- Original filename OK: 'REGEDIT.EXE'
- File description: 'Registrierungs-Editor'

Registry check passed

--------------------------------------------------

Enumerating Browser Helper Objects:

(no name) - C:\PROGRAMME\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}

--------------------------------------------------

Enumerating Task Scheduler jobs:

Programmstart beschleunigen.job
PCHealth-Planer für die Zusammenstellung der Daten.job

--------------------------------------------------

Enumerating Download Program Files:

[Microsoft XML Parser for Java]
CODEBASE = file://C:\WINDOWS\Java\classes\xmldso.cab
OSD = C:\WINDOWS\Downloaded Program Files\Microsoft XML Parser for Java.osd

[DirectAnimation Java Classes]
CODEBASE = file://C:\WINDOWS\SYSTEM\dajava.cab
OSD = C:\WINDOWS\Downloaded Program Files\DirectAnimation Java Classes.osd

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\SYSTEM\MACROMED\FLASH\FLASH.OCX
CODEBASE = http://download.macr...ash/swflash.cab

[Instalador Remoto UOL]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\UOLACTIVEINSTALL.DLL
CODEBASE = http://download.uol....tiveInstall.cab

[{32564D57-9980-0010-8000-00AA00389B71}]
CODEBASE = http://codecs.micros...386/wmv8dmo.cab

[Update Class]
InProcServer32 = C:\WINDOWS\SYSTEM\IUCTL.DLL
CODEBASE = http://v4.windowsupd...7956.5773032407

[{33564D57-0000-0010-8000-00AA00389B71}]
CODEBASE = http://download.micr...922/wmv9VCM.CAB

[iNotes Class]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\INOTES.DLL
CODEBASE = https://slnpl01.degu...m.br/iNotes.cab

[{33564D57-9980-0010-8000-00AA00389B71}]
CODEBASE = http://codecs.micros...386/wmv9dmo.cab

[{32564D57-0000-0010-8000-00AA00389B71}]
CODEBASE = http://codecs.micros...i386/wmv8ax.cab

[QuickTime Object]
InProcServer32 = C:\WINDOWS\SYSTEM\QTPLUGIN.OCX
CODEBASE = http://www.apple.com...ex/qtplugin.cab

[PPSDKActiveXScanner.MainScreen]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\PPSDKACTIVEXSCANNER.OCX
CODEBASE = http://www.pestscan....r/axscanner.cab

[HouseCall-Kontrolle]
InProcServer32 = C:\WINDOWS\DOWNLO~1\XSCAN53.OCX
CODEBASE = http://a840.g.akamai...all/xscan53.cab

[ActiveScan Installer Class]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\ASINST.DLL
CODEBASE = http://www.pandasoft.../as5/asinst.cab

--------------------------------------------------

Enumerating Winsock LSP files:

NameSpace #1: C:\WINDOWS\SYSTEM\rnr20.dll
Protocol #1: C:\WINDOWS\SYSTEM\mswsosp.dll
Protocol #2: C:\WINDOWS\SYSTEM\msafd.dll
Protocol #3: C:\WINDOWS\SYSTEM\msafd.dll
Protocol #4: C:\WINDOWS\SYSTEM\msafd.dll
Protocol #5: C:\WINDOWS\SYSTEM\rsvpsp.dll
Protocol #6: C:\WINDOWS\SYSTEM\rsvpsp.dll

--------------------------------------------------

Enumerating Win9x VxD services:

VNETSUP: vnetsup.vxd
VPOWERD: *VPOWERD
NDIS: ndis.vxd
JAVASUP: JAVASUP.VXD
CONFIGMG: *CONFIGMG
NTKern: *NTKERN
VWIN32: *VWIN32
VFBACKUP: *VFBACKUP
VCOMM: *VCOMM
COMBUFF: *COMBUFF
IFSMGR: *IFSMGR
IOS: *IOS
MTRR: *MTRR
SPOOLER: *SPOOLER
UDF: *UDF
VFAT: *VFAT
VCACHE: *VCACHE
VCOND: *VCOND
VCDFSD: *VCDFSD
VXDLDR: *VXDLDR
VDEF: *VDEF
VPICD: *VPICD
VTD: *VTD
REBOOT: *REBOOT
VDMAD: *VDMAD
VSD: *VSD
V86MMGR: *V86MMGR
PAGESWAP: *PAGESWAP
DOSMGR: *DOSMGR
VMPOLL: *VMPOLL
SHELL: *SHELL
PARITY: *PARITY
BIOSXLAT: *BIOSXLAT
VMCPD: *VMCPD
VTDAPI: *VTDAPI
PERF: *PERF
VNETBIOS: vnetbios.vxd
VREDIR: vredir.vxd
DFS: dfs.vxd
NDISWAN: ndiswan.vxd
LWBMOUSE: chimouse.vxd
LWBHMVXD: lwbhmvxd.vxd

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

WebCheck: C:\WINDOWS\SYSTEM\WEBCHECK.DLL
UPnPMonitor: C:\WINDOWS\SYSTEM\UPNPUI.DLL
AUHook: C:\WINDOWS\SYSTEM\AUHOOK.DLL

--------------------------------------------------
End of report, 22.434 bytes
Report generated in 0,325 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only

#13 pfofit

pfofit

    It's raining spyware.

  • Trusted Advisor
  • PipPipPip
  • 171 posts

Posted 01 July 2004 - 10:26 AM

hi kinho, the "book" looks normal enough to me. :whistle:

Could you translate these scheduled tasks, my German is very bad. I think it's German. :p The small words i can suspect, but the big ones, totally lost!
Enumerating Task Scheduler jobs:

Programmstart beschleunigen.job
PCHealth-Planer für die Zusammenstellung der Daten.job

I'm not sure what is happening. Maybe your ISP connection configuration is messed up from the malware. Is there anything else weird that is going on, pop ups, unknown items, icons buttons, browser redirects, unexpected search results etc.?

I'm also unfamiliar with this "Speedy" that you have.
Is it a High speed connection or a beefed up dial up. Could you explain the setup and your internet hardware.

Kinho, There is a new update for hijackthis. Version 1.98. You can get it through hijack by: Config> misc tools and check for update.
Along with improvements, the new hijack comes a process manager.
Under Config> misc tools and select "open process manager".

With this, you can see what is running on your system. You can look at it before connecting and then after the connection attempt to maybe see the "other program". Use the refresh button to update the list.

Post a 1.98 log.

Please also open IE, paste the following bold text into the address line and hit enter:
java script:navigator.userAgent
You should get a one line result, copy and paste that result here.

If we can't get any where after this, I will ask our other helpers for input.

Edited by pfofit, 01 July 2004 - 10:33 AM.


#14 Kinho36

Kinho36

    Member

  • Full Member
  • Pip
  • 11 posts

Posted 01 July 2004 - 08:11 PM

Hi Pfofit!

the messages in my log are normal German, yes... ;D

Programmstart beschleunigen.job


"Programm start accelerate.job"

PCHealth-Planer für die Zusammenstellung der Daten.job

"PCHealth-Planer for the data assembly.job"

I'm not sure what is happening. Maybe your ISP connection configuration is messed up from the malware. Is there anything else weird that is going on, pop ups, unknown items, icons buttons, browser redirects, unexpected search results  etc.? 


No, there is nothing weird occuring anymore besides that. I am almost absolutely sure this is a consequence of the infection. I called the help desk of my provider (Telefonica, si) and they advised me to uninstall the Speedy software (Poet) and install it again - I will try it as soon as I find my installation CD. It is perhaps nonsense, but I have the impression it tries to get the normal, dialed connection while the broad band is not stablished yet. It lasts but up to 30s now and disappears.

I will get more tecnical information about speedy for you, but it is a broad band connection - enables using Internet and keeps telefon line free - something quite new in Brazil 3 years ago. There is an external "modem" (e.g. one SpeedTouch 510, from Thomson) to connect the pc to the net/telefon socket.

The message I got with the line you sent is:
Mozilla/4.0 (compatible; MSIE 6.0; Windows 98; Win 9x 4.90; .NET CLR 1.1.4322)

Kind regards

Kinho

And the new HJT log:

Logfile of HijackThis v1.98.0
Scan saved at 22:05:48, on 01.07.2004
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\WINDOWS\SYSTEM\MDM.EXE
C:\PROGRAMME\GRISOFT\AVG6\AVGSERV9.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\PROMON.EXE
C:\WINDOWS\DSLAUNCH.EXE
C:\PROGRAMME\MICROSOFT WORKS\WKSSB.EXE
C:\PROGRAMME\SPEEDY\WINPPPOVERETHERNET.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\PROGRAMME\BROWSER MOUSE\BROWSER MOUSE\1.0\LWBWHEEL.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAMME\GRISOFT\AVG6\AVGCC32.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAMME\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\WUAUCLT.EXE
C:\HJT\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.uol.com.br/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.uol.com.br/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAMME\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Promon.exe] Promon.exe
O4 - HKLM\..\Run: [YAMAHA DS-XG Launcher] C:\WINDOWS\dslaunch.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Programme\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [WheelMouse] C:\Programme\A4tech\Mouse\AWMMAIN.EXE
O4 - HKLM\..\Run: [a-winpoet-service] C:\Programme\Speedy\winpppoverethernet.exe
O4 - HKLM\..\Run: [LWBMOUSE] C:\Programme\Browser Mouse\Browser Mouse\1.0\lwbwheel.exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\GRISOFT\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [Machine Debug Manager] C:\WINDOWS\SYSTEM\MDM.EXE
O4 - HKLM\..\RunServices: [Avgserv9.exe] C:\PROGRA~1\GRISOFT\AVG6\Avgserv9.exe
O8 - Extra context menu item: Shorten URL - http://www.cjb.net/menuext.html
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra button: Recherche-Assistent - {9455301C-CF6B-11D3-A266-00C04F689C50} - C:\Programme\Gemeinsame Dateien\Microsoft Shared\Reference 2001\EROProj.dll
O16 - DPF: {D9CE2963-8547-4C18-A4CE-DA27278310D8} (Instalador Remoto UOL) - http://download.uol....tiveInstall.cab
O16 - DPF: {1E2941E3-8E63-11D4-9D5A-00902742D6E0} (iNotes Class) - https://slnpl01.degu...m.br/iNotes.cab
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan....r/axscanner.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall-Kontrolle) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O18 - Protocol: msero - {B0D92A71-886B-453B-A649-1B91F93801E7} - C:\Programme\Gemeinsame Dateien\Microsoft Shared\Reference 2001\msero.dll
O18 - Protocol: msencarta - {74D92DF3-6D9D-11D1-8B38-006097DBED7A} - C:\Programme\Gemeinsame Dateien\Microsoft Shared\Reference 2001\MSREF.DLL
O18 - Protocol: msref - {74D92DF3-6D9D-11D1-8B38-006097DBED7A} - C:\Programme\Gemeinsame Dateien\Microsoft Shared\Reference 2001\MSREF.DLL
O21 - SSODL: AUHook - {BCBCD383-3E06-11D3-91A9-00C04F68105C} - C:\WINDOWS\SYSTEM\AUHOOK.DLL

#15 pfofit

pfofit

    It's raining spyware.

  • Trusted Advisor
  • PipPipPip
  • 171 posts

Posted 01 July 2004 - 08:57 PM

Hi again kinho, great feedback. :thumbsup:

I called the help desk of my provider (Telefonica, si) and they advised me to uninstall the Speedy software (Poet) and install it again - I will try it as soon as I find my installation CD. It is perhaps nonsense, but I have the impression it tries to get the normal, dialed connection while the broad band is not stablished yet. It lasts but up to 30s now and disappears.

That sounds resonable. Configuration could have been compromised.

I will get more tecnical information about speedy for you, but it is a broad band connection - enables using Internet and keeps telefon line free - something quite new in Brazil 3 years ago. There is an external "modem" (e.g. one SpeedTouch 510, from Thomson) to connect the pc to the net/telefon socket.

Kinho, no need for more info, what you have said is sufficient. I understand now. High speed on the phone line. We have the same here in eastern Canada, called Vibe.

Keep me posted.

#16 Kinho36

Kinho36

    Member

  • Full Member
  • Pip
  • 11 posts

Posted 02 July 2004 - 08:35 PM

Thanks a lot, Pfofit,

I am moving to South France in four weeks (near Grasse, ever read "The Perfume", by Patrick Süsskind?).
Drop me an e-mail if you ever should be nearby


Kinho

Edited by Kinho36, 12 July 2004 - 11:05 PM.


#17 pfofit

pfofit

    It's raining spyware.

  • Trusted Advisor
  • PipPipPip
  • 171 posts

Posted 06 July 2004 - 10:03 AM

Hi kinho, I'm sorry, I seem to have missed seeing your last reply. :oops:

Your move sounds interesting. Have fun there.
Did you manage to find your disk and reinstall winpoet as per your ISP's suggestion, and did it resolve your connection problem?

Also, you should edit out your email from the last message because nasty people may try and harvest it.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

Member of ASAP and UNITE
Support SpywareInfo Forum - click the button