KeyBoard Logger +


20 replies to this topic

#1 colinwhi

    Member

  • Full Member
  • 10 posts

Posted 30 June 2004 - 03:21 PM

My problems started with a keyboard logger "Hook98.dll" detected by PestPatrol. I now have a situation where Restore Points do not work (XP Home), and on the occasions when I can get out on the internet, downloading through IE does not work. However, downloads of updates to antivirus software and Spybot do work. I have read the FAQ and tried most of the advice there. I am at a loss. Here are my logs:

Logfile of HijackThis v1.97.7
Scan saved at 20:45:44, on 30/06/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\crypserv.exe
C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
C:\Program Files\Panda Software\Panda Titanium Antivirus 2004\pavsrv51.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Panda Software\Panda Titanium Antivirus 2004\AVENGINE.EXE
C:\WINDOWS\Mixer.exe
C:\WINDOWS\System32\atiptaxx.exe
C:\WINDOWS\System32\desk98.exe
C:\PROGRA~1\PESTPA~1\PPControl.exe
C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe
C:\WINDOWS\SM1BG.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Panda Software\Panda Titanium Antivirus 2004\APVXDWIN.EXE
C:\Program Files\ATI Multimedia\main\launchpd.exe
C:\program files\ATI Multimedia\RemCtrl\ATIX10.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Spyware Doctor\spydoctor.exe
C:\program files\BigFix\BigFix.exe
C:\program files\Common Files\DataViz\DvzIncMsgr.exe
C:\WINDOWS\System32\rundll32.exe
C:\program files\Aluria Software\ASE\ASE Scheduler.exe
C:\program files\Palm\HOTSYNC.EXE
C:\program files\Microsoft Office\Office\FINDFAST.EXE
C:\program files\Microsoft Office\Office\OSA.EXE
C:\Program Files\Panda Software\Panda Titanium Antivirus 2004\WebProxy.exe
C:\My Downloads\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.evesham.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by evesham.com
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [HydraVisionDesktopManager] desk98.exe
O4 - HKLM\..\Run: [PestPatrol Control Center] c:\PROGRA~1\PESTPA~1\PPControl.exe
O4 - HKLM\..\Run: [CookiePatrol] c:\PROGRA~1\PESTPA~1\CookiePatrol.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe"
O4 - HKLM\..\Run: [SM1BG] C:\WINDOWS\SM1BG.EXE
O4 - HKLM\..\Run: [KeyPatrol] c:\PROGRA~1\PESTPA~1\KeyPatrol.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Software\Panda Titanium Antivirus 2004\APVXDWIN.EXE" /s
O4 - HKLM\..\Run: [PrivacyKeyboard] C:\Program Files\PrivacyKeyboard\PrivacyKeyboard.exe
O4 - HKCU\..\Run: [ATI Launchpad] "C:\Program Files\ATI Multimedia\main\launchpd.exe"
O4 - HKCU\..\Run: [ATI Remote Control] C:\program files\ATI Multimedia\RemCtrl\ATIX10.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\spydoctor.exe" /Q
O4 - Startup: ASE Scheduler.lnk = C:\program files\Aluria Software\ASE\ASE Scheduler.exe
O4 - Startup: HotSync Manager.lnk = C:\program files\Palm\HOTSYNC.EXE
O4 - Startup: Microsoft Find Fast.lnk = C:\program files\Microsoft Office\Office\FINDFAST.EXE
O4 - Startup: Office Startup.lnk = C:\program files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: BigFix.lnk = C:\program files\BigFix\BigFix.exe
O4 - Global Startup: Billminder.lnk = C:\program files\Quicken\billmind.exe
O4 - Global Startup: DataViz Inc Messenger.lnk = C:\program files\Common Files\DataViz\DvzIncMsgr.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\program files\Quicken\bagent.exe
O9 - Extra button: ATI TV (HKLM)
O10 - Unknown file in Winsock LSP: c:\program files\panda software\panda titanium antivirus 2004\pavlsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\panda software\panda titanium antivirus 2004\pavlsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\panda software\panda titanium antivirus 2004\pavlsp.dll
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {4E62C4DE-627D-4604-B157-4B7D6B09F02E} (AccountTracking Profile Manager Class) - http://moneymanager....unttracking.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.r...ip/RdxIE601.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...8121.9732060185
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab


StartupList report, 30/06/2004, 20:47:38
StartupList version: 1.52
Started from : C:\My Downloads\HijackThis.EXE
Detected: Windows XP SP1 (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
* Using default options
==================================================

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\crypserv.exe
C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
C:\Program Files\Panda Software\Panda Titanium Antivirus 2004\pavsrv51.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Panda Software\Panda Titanium Antivirus 2004\AVENGINE.EXE
C:\WINDOWS\Mixer.exe
C:\WINDOWS\System32\atiptaxx.exe
C:\WINDOWS\System32\desk98.exe
C:\PROGRA~1\PESTPA~1\PPControl.exe
C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe
C:\WINDOWS\SM1BG.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Panda Software\Panda Titanium Antivirus 2004\APVXDWIN.EXE
C:\Program Files\ATI Multimedia\main\launchpd.exe
C:\program files\ATI Multimedia\RemCtrl\ATIX10.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Spyware Doctor\spydoctor.exe
C:\program files\BigFix\BigFix.exe
C:\program files\Common Files\DataViz\DvzIncMsgr.exe
C:\WINDOWS\System32\rundll32.exe
C:\program files\Aluria Software\ASE\ASE Scheduler.exe
C:\program files\Palm\HOTSYNC.EXE
C:\program files\Microsoft Office\Office\FINDFAST.EXE
C:\program files\Microsoft Office\Office\OSA.EXE
C:\Program Files\Panda Software\Panda Titanium Antivirus 2004\WebProxy.exe
C:\My Downloads\HijackThis.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Startup:
[C:\Documents and Settings\Colin Whitmore\Start Menu\Programs\Startup]
ASE Scheduler.lnk = C:\program files\Aluria Software\ASE\ASE Scheduler.exe
HotSync Manager.lnk = C:\program files\Palm\HOTSYNC.EXE
Microsoft Find Fast.lnk = C:\program files\Microsoft Office\Office\FINDFAST.EXE
Office Startup.lnk = C:\program files\Microsoft Office\Office\OSA.EXE

Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
BigFix.lnk = C:\program files\BigFix\BigFix.exe
Billminder.lnk = C:\program files\Quicken\billmind.exe
DataViz Inc Messenger.lnk = C:\program files\Common Files\DataViz\DvzIncMsgr.exe
Quicken Scheduled Updates.lnk = C:\program files\Quicken\bagent.exe

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

C-Media Mixer = Mixer.exe /startup
AtiPTA = atiptaxx.exe
HydraVisionDesktopManager = desk98.exe
PestPatrol Control Center = c:\PROGRA~1\PESTPA~1\PPControl.exe
CookiePatrol = c:\PROGRA~1\PESTPA~1\CookiePatrol.exe
QuickTime Task = "C:\Program Files\QuickTime\qttask.exe" -atboottime
TkBellExe = "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
HydarVisionDesktopManager =
RoxioDragToDisc = "C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe"
SM1BG = C:\WINDOWS\SM1BG.EXE
KeyPatrol = c:\PROGRA~1\PESTPA~1\KeyPatrol.exe
Zone Labs Client = "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
APVXDWIN = "C:\Program Files\Panda Software\Panda Titanium Antivirus 2004\APVXDWIN.EXE" /s
PrivacyKeyboard = C:\Program Files\PrivacyKeyboard\PrivacyKeyboard.exe

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

ATI Launchpad = "C:\Program Files\ATI Multimedia\main\launchpd.exe"
ATI Remote Control = C:\program files\ATI Multimedia\RemCtrl\ATIX10.exe
MSMSGS = "C:\Program Files\Messenger\msmsgs.exe" /background
Spyware Doctor = "C:\Program Files\Spyware Doctor\spydoctor.exe" /Q

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=C:\WINDOWS\System32\ssflwbox.scr
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry key not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------


Enumerating Browser Helper Objects:

(no name) - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
(no name) - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll - {53707962-6F74-2D53-2644-206D7942484F}

--------------------------------------------------

Enumerating Download Program Files:

[{41F17733-B041-4099-A042-B518BB6A408C}]
CODEBASE = http://a1540.g.akama...meInstaller.exe

[AccountTracking Profile Manager Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\accounttracking.dll
CODEBASE = http://moneymanager....unttracking.cab

[RdxIE Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\RdxIE.dll
CODEBASE = http://software-dl.r...ip/RdxIE601.cab

[Update Class]
InProcServer32 = C:\WINDOWS\System32\iuctl.dll
CODEBASE = http://v4.windowsupd...8121.9732060185

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\System32\macromed\flash\Flash.ocx
CODEBASE = http://download.macr...ash/swflash.cab

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\System32\webcheck.dll
SysTray: C:\WINDOWS\System32\stobject.dll

--------------------------------------------------
End of report, 7,195 bytes
Report generated in 1.125 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only

#2 Swandog46

    Forum Deity

  • Emeritus
  • 10,190 posts

Posted 09 December 2004 - 04:36 PM

Hi Colinwhi :)

Welcome to SWI. Thank you for your patience. You are using an outdated version of HijackThis. Please download version 1.98.2 from here:
http://www.downloads.../hijackthis.zip
and make sure to unzip it to a permanent folder. Then please run HijackThis, click "Scan" and "Save log" and post the new log here. I would be happy to take a look at it :D

#3 dave38

    Devout Murphyite!

  • Emeritus
  • 8,508 posts

Posted 30 December 2004 - 06:24 PM

If you need this topic reopened, please request this by sending the moderating team an email with the address of the thread. This applies only to the original topic starter. Everyone else please begin a New Topic.

#4 LoPhatPhuud

    Master of Disaster Recovery

  • Emeritus
  • 432 posts

Posted 12 January 2005 - 04:47 PM

Re-opened at user's request: lpp

#5 colinwhi

    Member

  • Full Member
  • 10 posts

Posted 12 January 2005 - 06:12 PM

Sorry it has taken me so long to post. Here is an explanation and my log. My XP SP1 became infected and, try as I might, I could not get a working system. I removed the keyboard logger, and the system then complained on start-up with a pop-up box reporting an Appian Graphics Error, “Couldn’t load Hook98.dll”, which was the logger I removed. I tried to regedit the Appian stuff out, but it kept returning. I attempted an XP reload, but that failed. Eventually I loaded a new XP to a different folder on my disc so that I at least had something that worked. That version is now SP2.

I now have two OSs on my machine: the infected SP1 and, until now, a clean SP2. I have managed to complete the reload of SP1; some of my applications do not work, but that should be a solvable problem.

The Log is from the SP1 version. Any advice would be welcome.

Logfile of HijackThis v1.99.0
Scan saved at 17:54:06, on 12/01/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\crypserv.exe
C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
C:\Program Files\Panda Software\Panda Titanium Antivirus 2004\pavsrv51.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Panda Software\Panda Titanium Antivirus 2004\AVENGINE.EXE
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\Mixer.exe
C:\WINDOWS\System32\atiptaxx.exe
C:\WINDOWS\System32\desk98.exe
C:\PROGRA~1\PESTPA~1\PPControl.exe
C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe
C:\WINDOWS\SM1BG.EXE
C:\Program Files\Panda Software\Panda Titanium Antivirus 2004\apvxdwin.exe
C:\Program Files\ATI Multimedia\main\launchpd.exe
C:\program files\ATI Multimedia\RemCtrl\ATIX10.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Spyware Doctor\spydoctor.exe
C:\WINDOWS\System32\msiexec.exe
C:\program files\BigFix\BigFix.exe
C:\program files\Common Files\DataViz\DvzIncMsgr.exe
C:\WINDOWS\System32\rundll32.exe
C:\program files\Aluria Software\ASE\ASE Scheduler.exe
C:\Program Files\Panda Software\Panda Titanium Antivirus 2004\WebProxy.exe
C:\program files\Palm\HOTSYNC.EXE
C:\program files\Microsoft Office\Office\FINDFAST.EXE
C:\program files\Microsoft Office\Office\OSA.EXE
A:\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.evesham.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by evesham.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [HydraVisionDesktopManager] desk98.exe
O4 - HKLM\..\Run: [PestPatrol Control Center] C:\PROGRA~1\PESTPA~1\PPControl.exe
O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe"
O4 - HKLM\..\Run: [SM1BG] C:\WINDOWS\SM1BG.EXE
O4 - HKLM\..\Run: [KeyPatrol] C:\PROGRA~1\PESTPA~1\KeyPatrol.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Software\Panda Titanium Antivirus 2004\APVXDWIN.EXE" /s
O4 - HKLM\..\Run: [PrivacyKeyboard] C:\Program Files\PrivacyKeyboard\PrivacyKeyboard.exe
O4 - HKCU\..\Run: [ATI Launchpad] "C:\Program Files\ATI Multimedia\main\launchpd.exe"
O4 - HKCU\..\Run: [ATI Remote Control] C:\program files\ATI Multimedia\RemCtrl\ATIX10.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\spydoctor.exe" /Q
O4 - Startup: ASE Scheduler.lnk = C:\program files\Aluria Software\ASE\ASE Scheduler.exe
O4 - Startup: HotSync Manager.lnk = C:\program files\Palm\HOTSYNC.EXE
O4 - Startup: Microsoft Find Fast.lnk = C:\program files\Microsoft Office\Office\FINDFAST.EXE
O4 - Startup: Office Startup.lnk = C:\program files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: BigFix.lnk = C:\program files\BigFix\BigFix.exe
O4 - Global Startup: Billminder.lnk = C:\program files\Quicken\billmind.exe
O4 - Global Startup: DataViz Inc Messenger.lnk = C:\program files\Common Files\DataViz\DvzIncMsgr.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\program files\Quicken\bagent.exe
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\TV\EXPLBAR.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {4E62C4DE-627D-4604-B157-4B7D6B09F02E} (AccountTracking Profile Manager Class) - http://moneymanager....unttracking.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.r...ip/RdxIE601.cab
O23 - Service: Ati HotKey Poller - Unknown - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Crypkey License - Unknown - crypserv.exe (file missing)
O23 - Service: Panda Process Protection Service - Unknown - C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
O23 - Service: Panda anti-virus service - Panda Software - C:\Program Files\Panda Software\Panda Titanium Antivirus 2004\pavsrv51.exe
O23 - Service: PrivacyKeyboard Service - Raytown Corporation LLC - C:\WINDOWS\System32\pksrv.exe
O23 - Service: TrueVector Internet Monitor - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: X10 Device Network Service - Unknown - C:\PROGRA~1\ATIMUL~1\RemCtrl\x10nets.exe (file missing)

#6 Swandog46

    Forum Deity

  • Emeritus
  • 10,190 posts

Posted 16 January 2005 - 08:52 PM

Hi colinwhi :)

Welcome to SWI. I am sorry we have had trouble communicating for the past 6 months! I am glad to finally be able to address your problem. :D

Please run HijackThis and click Scan, then check:

O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.r...ip/RdxIE601.cab

Close all open windows except for HijackThis and click "Fix Checked".

That is the only malware entry I see in your log and it is minor. Let me get all the facts straight --- you had a keylogger, hook98.dll, which you removed, but is still causing error messages? I have a few questions:

1) How do you know hook98.dll was a keylogger? What program detected it? I found at least one reference to hook98.dll as a possible legitimate file.

2) Are you still seeing this error message regularly? What is the exact text of the error message and what Appian Graphics model do you use?

3) Why have you even bothered with all this if you have already installed a new copy of Windows into a new folder? Why don't you just copy your files over to the new version, and remove the old version?

Please describe your current problem in as much detail as possible, so I can help you diagnose the source. :)

#7 colinwhi

    Member

  • Full Member
  • 10 posts

Posted 25 January 2005 - 07:34 AM

#8 colinwhi

    Member

  • Full Member
  • 10 posts

Posted 25 January 2005 - 07:35 AM

Thanks for the reply; here are the answers to your questions:

1) The keylogger was detected by Pest Patrol.

2) I see the error message every time I reboot the machine. I do not believe I have Appian Graphics loaded at all. I do not have an Appian Graphics model. After I removed the keylogger with Pest Patrol, the message kept appearing. A small pop-up box appears with a heading that says "Appian Graphics Error"; inside the box the text message says "Couldn't Load Hook 98.dll", and underneath the box is a click-OK icon.

3) The new version of Windows does not have all my applications. I could not use the infected version of Windows, so I installed a "bare bones" version so that I could at least use the Internet.

In addition, as I said in my first post, I now have a situation where Restore Points do not work (XP Home) and on the occasions when I can get out on the Internet, download through IE does not work. However download of updates to antivirus software and Spybot do work.

Also I did have a laptop networked with this PC and whilst that did not have a keylogger it also had problems with Internet access and restore points. I am not worried about the laptop at the moment, but am paranoid enough to have the main PC in stand-alone mode only.

All these problems started after what I am sure was a Browser attack.

#9 Swandog46

Swandog46

    Forum Deity

  • Emeritus
  • PipPipPipPipPip
  • 10,190 posts

Posted 25 January 2005 - 05:43 PM

Hi colinwhi :)

Okay, let's deal with one problem at a time. First, about the keylogger "hook98.dll" and the error you are getting related to Appian Graphics --- Appian Graphics is a company that makes multi-monitor drivers and software for ATI graphics cards. You have an ATI graphics card --- are you using a multiple-monitor setup?

PestPatrol is famous for false positives --- I have a feeling this may have been a false positive. Or if it was not, then the hook98.dll file may have somehow infected your graphics drivers and files. In either case, the first thing to try would probably be to uninstall and reinstall your monitor drivers and software. You may have to reinstall your graphics card drivers as well. This HijackThis entry:

O4 - HKLM\..\Run: [HydraVisionDesktopManager] desk98.exe

is related to Appian Graphics multi-monitor software. This is the software that probably you will want to uninstall and reinstall. Go to Start -> Control Panel -> Add/Remove Programs and look for anything related to Appian Graphics or HydraVision. Reinstall this software and see if you still get the error messages. You may additionally have to reinstall the ATI graphics card software.

That would be the easiest (and obviously most optimal) solution, so let's try that first.

About your other problems, what exactly do you mean by restore points and IE downloads "do not work"? Is System Restore enabled? Right-click on My Computer, choose Properties -> System Restore, and make sure it is enabled. These two problems sound much more typical of browser/malware hijacks. Can you describe them in a little more detail? Also, are you using a firewall? If so, disable it, and see if the IE problem goes away --- often firewall configuration problems cause what users think are malware problems.

Hope this helps :)
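
The two HijackThis lines discussed in this thread (the O4 HydraVision autorun and the O16 RdxIE ActiveX control) are the kind of entries a helper triages by hand. The script below is an added example for this thread, not HijackThis code or anything from the products mentioned: it parses O4 and O16 lines, checks the executable or download host against a reviewer-kept allowlist, and notes two things a manual read easily misses, a bare file name in a Run value (which Windows resolves through the search path, so which desk98.exe actually runs depends on that path) and an unquoted path containing spaces. The allowlist, the trusted-host set and the sample log are constructed; the .cab URL is copied exactly as the forum shows it, truncated.

```python
"""Triage O4 (autorun) and O16 (downloaded ActiveX) entries from a HijackThis
log against a reviewer-kept allowlist.

Added example for this thread, not HijackThis code. The allowlist, the
trusted-host set and the sample log are constructed; the two entries in the
sample are the ones quoted in the thread (the .cab URL is copied as the forum
shows it, truncated).
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Set
from urllib.parse import urlsplit

# HijackThis line formats (as printed by v1.97):
#   O4 - HKLM\..\Run: [ValueName] command line
#   O16 - DPF: {CLSID} (Control name) - http://host/path/file.cab
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
O16_RE = re.compile(r"^O16 - DPF: \{(?P<clsid>[0-9A-Fa-f-]+)\} \((?P<name>[^)]*)\) - (?P<url>\S+)$")

EXE_EXTENSIONS = (".exe", ".com", ".bat", ".cmd", ".scr", ".pif")

# Constructed allowlists (a real one would be far longer). desk98.exe is the
# HydraVision entry the thread confirms as legitimate; zlclient.exe is ZoneAlarm.
KNOWN_AUTORUNS: Dict[str, str] = {
    "desk98.exe": "HydraVision desktop manager (ATI/Appian)",
    "zlclient.exe": "ZoneAlarm client",
}
TRUSTED_DPF_HOSTS: Set[str] = {"download.microsoft.com"}  # hypothetical trusted .cab source

SAMPLE_LOG = r"""Logfile of HijackThis v1.97.7
O4 - HKLM\..\Run: [HydraVisionDesktopManager] desk98.exe
O4 - HKLM\..\Run: [zlclient] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.r...ip/RdxIE601.cab
"""


@dataclass
class Finding:
    section: str   # "O4" or "O16"
    name: str      # registry value name (O4) or ActiveX control name (O16)
    target: str    # command line (O4) or .cab URL (O16)
    verdict: str   # "allowlisted" or "review"
    reason: str


def split_command(cmd: str):
    """Return (executable, arguments) the way Windows would resolve the Run value.
    A quoted path is unambiguous; for an unquoted path with spaces CreateProcess
    tries each space as a cut point, so take the first token ending in an
    executable extension."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        exe, _, args = cmd[1:].partition('"')
        return exe, args.strip()
    tokens = cmd.split(" ")
    for i, tok in enumerate(tokens):
        if tok.lower().endswith(EXE_EXTENSIONS):
            return " ".join(tokens[: i + 1]), " ".join(tokens[i + 1:]).strip()
    return tokens[0], " ".join(tokens[1:]).strip()


def basename(exe: str) -> str:
    return exe.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def triage(log_text: str,
           known_autoruns: Dict[str, str] = KNOWN_AUTORUNS,
           trusted_hosts: Set[str] = TRUSTED_DPF_HOSTS) -> List[Finding]:
    findings: List[Finding] = []
    for line in log_text.splitlines():
        m = O4_RE.match(line)
        if m:
            exe, _args = split_command(m["cmd"])
            base = basename(exe)
            if base not in known_autoruns:
                findings.append(Finding("O4", m["name"], m["cmd"], "review",
                                        f"{base} is not on the autorun allowlist"))
                continue
            notes = []
            if "\\" not in exe and "/" not in exe:
                notes.append("bare file name, resolved via the search path: confirm which copy runs")
            if " " in exe and not m["cmd"].startswith('"'):
                notes.append("unquoted path containing spaces")
            reason = known_autoruns[base] + ("; " + "; ".join(notes) if notes else "")
            findings.append(Finding("O4", m["name"], m["cmd"], "allowlisted", reason))
            continue
        m = O16_RE.match(line)
        if m:
            host = urlsplit(m["url"]).hostname or ""
            if host in trusted_hosts:
                findings.append(Finding("O16", m["name"], m["url"], "allowlisted",
                                        f"ActiveX control from trusted host {host}"))
            else:
                findings.append(Finding("O16", m["name"], m["url"], "review",
                                        f"ActiveX control downloaded from untrusted host {host!r}; CLSID {m['clsid']}"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:3} {f.verdict:11} [{f.name}] {f.target}\n    {f.reason}")
```

Run as-is, it reports both O4 entries as allowlisted (with the bare-name note on desk98.exe and the unquoted-path note on zlclient.exe) and the RdxIE control for review. Everything the verdict depends on is in the two constructed tables, so the script is only as good as the allowlist you keep; it is a way of making the reviewer's reasoning explicit, not a replacement for it.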

#10 colinwhi

colinwhi

    Member

  • Full Member
  • Pip
  • 10 posts

Posted 03 February 2005 - 07:38 AM

[Quoting Swandog46's post #9 above]

#11 colinwhi

colinwhi

    Member

  • Full Member
  • Pip
  • 10 posts

Posted 03 February 2005 - 07:40 AM

Thanks for the advice.

I went into Add/Remove Programs but did not find anything related to Appian Graphics. Found Hydravision and uninstalled it. System still complained about “Appian Graphics Error”. Uninstalled and reinstalled the ATI software using their installation disc. Problem no longer present.

Updated the system to SP2, updated my Zone Alarm firewall, put Antivirus Software on. Connected the modem and went out on the net OK. Updated windows and Antivirus files.

Things seem OK. I have done a number of restarts and some restores to see if I can provoke a failure; in the main it looks fine. However after a restore, during which I had left the ATI TV application running, the hook98 made an appearance. The system then seemed to be thrashing the disc. I re-booted the machine and it now seems fine.

When I had problems before hook98 did not appear on every restart so I need to use the machine for a while to see if it is really OK.

You said that this may have been a false positive detection by Pest Patrol, but if so why did it suddenly start appearing?

Edited by colinwhi, 03 February 2005 - 10:45 AM.


#12 Swandog46

Swandog46

    Forum Deity

  • Emeritus
  • PipPipPipPipPip
  • 10,190 posts

Posted 03 February 2005 - 02:30 PM

I don't know why it suddenly began appearing to be honest. Perhaps it was genuinely a keylogger. Did you update your PestPatrol detection rules recently? Perhaps the PestPatrol program added a detection rule for a real keylogger called hook98.dll, which then proceeded to confuse your legitimate version of the DLL for the bad version. There is no real way to know for sure. Run a full scan with PestPatrol and make sure it comes up clean. Then, for a second opinion, you can run the HouseCall online scan here:
http://housecall.tre.../start_corp.asp

Also, if you use System Restore to restore a previous state, make sure you uninstall and reinstall the ATI software again, to make sure you are using the intact copy rather than the damaged/infected copy.

Also, Windows Update and IE downloads now work again?

Let me know if it remains stable and working correctly. What other problems, if any, remain? :)

Edited by Swandog46, 03 February 2005 - 02:31 PM.


#13 colinwhi

colinwhi

    Member

  • Full Member
  • Pip
  • 10 posts

Posted 15 February 2005 - 04:56 PM

[Quoting Swandog46's post #12 above]

Hi,

Thanks for the help. I have played around for a bit to convince myself that hook98 is a genuine file. As you say it seems that it is part of the ATI suite. So it looks like I had a Browser Attack, and then at or around the same time I saw the Pest Patrol Alert for hook98. If I had examined this file I would have seen that it was from ATI. Panic and Paranoia did the rest.

As a result I ended up loading XP to WINDOWS2 on the same partition (C:) as my damaged (perhaps) WINDOWS. I am back to using XP on WINDOWS and it does appear to be stable. I occasionally get the Pest Patrol warning about hook98 but I have marked that as OK and now ignore it. I am as sure as I can be that the system is clean having run various scans including, as you suggested, "housecall". Interestingly that picked up a piece of Malware that my Kaspersky did not; unfortunately I was not awake enough to make a note of its identity and simply deleted it.

Windows update and IE downloads are working fine. System Restore works but the restore points only last for a couple of days or so. I thought this might be because of an interaction with WINDOWS2, so I booted into that OS and turned restore off. In WINDOWS restore is on and using 12% of the disc, there is plenty of spare space on the C partition (this is the only partition on the disc).

The only other problem I have encountered is with Messenger. In WINDOWS2 that is working, in WINDOWS the connection fails with the other end saying there is problem either with the Network or My PC.

I would like to correct these problems, and at some stage, either before or after correction, completely remove the other OS on WINDOWS2. I suspect this may cause some problems; certainly the registry will be a mess, so I would like to be able to clean that up.




#14 Swandog46

Swandog46

    Forum Deity

  • Emeritus
  • PipPipPipPipPip
  • 10,190 posts

Posted 15 February 2005 - 05:29 PM

Hi colinwhi :)

No, the reason you only have a few days' worth of restore points is that when you turn system restore off, as we did a little while earlier, it removes all previous restore points. So your current restore points only date after when you turned system restore back on. That is normal.

Using two copies of Windows on the same partition is a mess --- you definitely want to clean that up as soon as possible. I am not sure what goes wrong with Messenger --- can you please post the exact text of any error messages you get?

Also, let's be sure that you are clean --- I am a little surprised that you are still getting alerts from PestPatrol. Please run the Panda online antivirus scan here:
http://www.pandasoft...n_principal.htm
Delete any infected files found. Also restart, and run the online trojan scan here:
http://www.windowsec...com/trojanscan/
Delete any infected files found. Finally, please submit the hook98.dll file to Jotti's scanner here:
http://virusscan.jotti.org/
It checks single files with 9-10 antivirus scanners, so it will be a good test to see if that single file really is infected for real.

Then please post to tell me what happened, and post the exact text of the Messenger error message. :)
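
Two of Swandog46's suggestions in this thread come down to the same check: make sure the ATI files in use are the intact copies rather than the damaged/infected ones (post #12), and get a hash-based second opinion on the single file hook98.dll (post #14, Jotti's scanner). The script below is an added example for this thread, not code from any product mentioned in it: it hashes every file under an installed directory and under a clean reference copy (for example the vendor's install disc), reports files that are modified, missing or extra, and collects the SHA-256 of anything that differs so it can be looked up at a multi-engine scanner. The two directory trees, their file names and their contents are constructed placeholders (real DLLs would be PE files; the actual scanner submission is left to the user).

```python
"""Check an installed program tree against a clean reference copy (for
example the vendor's install disc) by SHA-256, so a damaged or replaced file
such as a suspect DLL stands out, and collect the hashes of anything that
differs for lookup at a multi-engine scanner.

Added example for this thread; it is not code from any product mentioned in
it. The two directory trees and their contents are constructed placeholders.
"""
import hashlib
import tempfile
from dataclasses import dataclass, field
from pathlib import Path
from typing import Dict, List, Tuple


def sha256_file(path: Path, chunk_size: int = 1 << 20) -> str:
    """Hash in chunks so large .cab/.dll files are never read into memory at once."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def hash_tree(root: Path) -> Dict[str, Tuple[Path, str]]:
    """Map relative path (lower-cased: NTFS compares names case-insensitively)
    to (actual path, SHA-256) for every file under root."""
    return {
        p.relative_to(root).as_posix().lower(): (p, sha256_file(p))
        for p in root.rglob("*") if p.is_file()
    }


@dataclass
class Report:
    modified: List[str] = field(default_factory=list)   # in both trees, different content
    missing: List[str] = field(default_factory=list)    # on the reference media only
    extra: List[str] = field(default_factory=list)      # installed only: who put it there?
    identical: List[str] = field(default_factory=list)
    suspect_hashes: Dict[str, str] = field(default_factory=dict)  # installed-side hash of modified/extra


def compare_trees(installed: Path, reference: Path) -> Report:
    inst, ref = hash_tree(installed), hash_tree(reference)
    shared = inst.keys() & ref.keys()
    report = Report(
        modified=sorted(k for k in shared if inst[k][1] != ref[k][1]),
        missing=sorted(ref.keys() - inst.keys()),
        extra=sorted(inst.keys() - ref.keys()),
        identical=sorted(k for k in shared if inst[k][1] == ref[k][1]),
    )
    for k in report.modified + report.extra:
        report.suspect_hashes[k] = inst[k][1]
    return report


def demo() -> Report:
    """Build two constructed trees in a temporary directory and compare them."""
    base = Path(tempfile.mkdtemp(prefix="integrity-demo-"))
    # File names follow the thread (hook98.dll, desk98.exe, winsrm32.dll); contents are placeholders.
    files = {
        "reference/hook98.dll": b"placeholder: clean hook98.dll from the install disc",
        "reference/desk98.exe": b"placeholder: clean desk98.exe from the install disc",
        "installed/Hook98.dll": b"placeholder: clean hook98.dll from the install disc",
        "installed/desk98.exe": b"placeholder: clean desk98.exe from the install disc" + b"\x90" * 16,
        "installed/winsrm32.dll": b"placeholder: file with no counterpart on the disc",
    }
    for rel, data in files.items():
        path = base / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(data)
    return compare_trees(base / "installed", base / "reference")


if __name__ == "__main__":
    r = demo()
    print("modified :", r.modified)
    print("missing  :", r.missing)
    print("extra    :", r.extra)
    print("identical:", r.identical)
    for name, digest in r.suspect_hashes.items():
        print(f"look up {name} by hash: {digest}")  # submit to a multi-engine scanner
```

In the constructed demo, Hook98.dll matches the reference byte-for-byte despite the different capitalisation, desk98.exe is reported as modified, and winsrm32.dll (the name Panda later flagged inside install.cab in this thread) shows up as extra. A clean hash match against install media is stronger evidence than a single scanner's verdict either way; a mismatch is not proof of infection, only a reason to reinstall from the disc as advised above.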

#15 colinwhi

colinwhi

    Member

  • Full Member
  • Pip
  • 10 posts

Posted 19 February 2005 - 02:29 AM

[Quoting Swandog46's post #14 above]

Hi,

The restore problem is not a result of turning off/on and effectively restarting its operation. I did that many days ago. If I set a restore point today it will disappear in about two days. For example the only restore points I have at the moment are for the 18th and 19th (today); all other points have gone. It is as if there is a space problem.

Ran the tools you suggested (thanks for that) here are the results:

Panda
Adware:Adware/ExactSearch No disinfected Windows Registry
Adware:Adware/SearchMall No disinfected C:\install.cab[winsrm32.dll]

I have removed the cab file but not touched the registry (I find registry changes scary).

Trojan scan found no infected files but four that it could not open

Unable to scan C:\c009f934467be7ab49\common - Access is denied.
Unable to scan C:\c009f934467be7ab49\sp1 - Access is denied.
Unable to scan C:\c009f934467be7ab49\sp2 - Access is denied.
Unable to scan C:\System Volume Information - Access is denied.

I guess that is OK they look like system files.

Submitted hook98.dll to the Jotti virus scan; it came up clean. As an aside, I recently loaded "Mavis Beacon Teaches Typing". Pest Patrol found KeyHook.dll within the application; submitted that to the virus scan, and that was clean too. Is PestPatrol a pest?

As to the Messenger problem, it is difficult for me to give the exact message since I do not see it at my end. My buddy and I go through the contact procedure, but when we try to initiate video comms my buddy gets an error message. Here is what he tells me:
"The exact message that I received was in French, but translates into 'unable to establish the link, possible source of problem comes from the network or your contact's PC'."
I suspect that some of the required ports are blocked or not open. I will have a play around to see if I can get more information.


Thanks for the Help.

#16 Swandog46

Swandog46

    Forum Deity

  • Emeritus
  • PipPipPipPipPip
  • 10,190 posts

Posted 19 February 2005 - 11:14 AM

Hi colinwhi :)

I am fairly confident you are clean. If you want more space for restore points, I would ask you to increase the amount of space devoted to them, but I think 12% is the maximum. How large is your hard drive? Do you have space problems? System Restore purges previous restore points if your drive has (I think) 50 MB of free space or less. How much space does 12% of your disk comprise? You might try using Event Viewer to see if restore points have been purposely deleted:
http://www.microsoft...t_overview.mspx
although I warn you; Event Viewer is a real mess to use. In the Description field, search for "system restore" and see what you get.

PestPatrol, as I said, is famous for false positives --- as you can see! I think you are clean; do not worry about these. You can either set them not to alert you anymore, or you might look for an alternative product to PestPatrol (it's not my personal favorite, for exactly these reasons --- but of course that's your decision).

The Messenger problem could either be with your friend's computer or connection, or perhaps with some outgoing control on your traffic, since you don't see an error on your end. If you are using a firewall or other port/traffic control programs, try disabling them. If your friend still has problems but you do not, the issue is probably not on your end.

I hope this helps :)

#17 colinwhi

colinwhi

    Member

  • Full Member
  • Pip
  • 10 posts

Posted 08 March 2005 - 05:29 PM

Hi Swandog,

Once again thanks for the help. It is so easy once you have been infected by a piece of Malware to ascribe every ill to some sort of infection. Your help in this has been very useful. My Messenger problems seem to be caused by my ZoneAlarm firewall, I now have that working.

The restore problem I have not had a chance to investigate yet. I have plenty of space: the drive is 80 GB with just over 52 GB spare, so space should not be a problem. I have thought that it may be an interaction with my other XP installation, which I should not have put on the same partition, but I was desperate and it became my lifeboat. My intention now is to back up the whole system to an external drive and cast the lifeboat adrift. I think I will have to edit "boot.ini" as part of the cast-off. Then I will have another look at the restore problem.

Any advice is welcome.

#18 Swandog46

Swandog46

    Forum Deity

  • Emeritus
  • PipPipPipPipPip
  • 10,190 posts

Posted 09 March 2005 - 02:22 PM

I'm glad you found the source of your other problem --- firewalls are often the culprit for those sorts of things.

I have thought that it may be an interaction with my other XP installation, which I should not have put on the same partition


This is very plausible. Why don't you remove the other XP installation and do whatever other partitioning/backing up that you want, and then let me know if you still have the problem. I will be watching this thread.
:)

#19 colinwhi

colinwhi

    Member

  • Full Member
  • Pip
  • 10 posts

Posted 04 May 2005 - 03:57 PM

[Quoting Swandog46's post #18 above]

Hi,

I think I have cleaned things up a bit and for a while I thought the restore was working OK. I was provoking it and setting restore points to see what would happen. I decided in the end to leave it alone. Just looked and I have only one restore point, all others have gone, there should be a shed load of system restore points at least. I have not ventured with "Event Viewer", your post suggested that was a can of worms, but it is my next port of call.

colinwhi

#20 Swandog46

Swandog46

    Forum Deity

  • Emeritus
  • PipPipPipPipPip
  • 10,190 posts

Posted 04 May 2005 - 04:16 PM

If you turn off System Restore, even temporarily, it clears all previous restore points...

#21 jw50

jw50

    Forum Deity

  • Emeritus
  • PipPipPipPipPip
  • 18,969 posts

Posted 03 July 2005 - 01:08 PM

Due to the lack of feedback this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team
an email with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.