At Wit's End - MERGED 2 threads



#1 marcmeier

marcmeier

    Fully Confused Member

  • Full Member
  • PipPipPip
  • 136 posts

Posted 22 May 2004 - 09:40 PM

My machine started the funnies, so I ran AVG, Spybot and Adaware and dealt to the problems. I then fixed the problems reported by Win '98's System File Checker.

I now have:

- IE5 defaulting to "http://greatsearch.biz/" (see log)
- IE5 freezing up
- Win Explorer freezing up
- My Docs freezing up
- Control Panel not running/freezing up.

Log file:

Logfile of HijackThis v1.97.7
Scan saved at 13:46, on 23/05/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v5.00 (5.00.2919.6304)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\PROGRAM FILES\GRISOFT\AVG6\AVGSERV9.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\GRISOFT\AVG6\AVGCC32.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\OSA.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\EXPLORER.EXE
C:\MY DOCUMENTS\TRASH\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://tropotun.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = C:\WINDOWS\system32\searchbar.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = C:\WINDOWS\system32\searchbar.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://greatsearch.biz/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://greatsearch.biz/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = C:\WINDOWS\system32\searchbar.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = C:\WINDOWS\system32\searchbar.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://greatsearch.biz/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = C:\WINDOWS\system32\searchbar.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://greatsearch.biz/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://greatsearch.biz/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://greatsearch.biz/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = C:\WINDOWS\system32\searchbar.html
F1 - win.ini: run=HPFsched
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [OEMCleanup] C:\WINDOWS\OPTIONS\OEMRESET.EXE
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\GRISOFT\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [LiveSexCam_nz] C:\Program Files\VCom\Dialers\LiveSexCam_nz\LiveSexCam_nz.exe /dontdial
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [Avgserv9.exe] C:\PROGRA~1\GRISOFT\AVG6\Avgserv9.exe
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Startup: Scanner Detector.lnk = C:\Program Files\ScanSuite\SDetect.exe
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O14 - IERESET.INF: START_PAGE_URL=http://aproxy1/
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...director/sw.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.micr...922/wmv9VCM.CAB
O16 - DPF: {74FFE28D-2378-11D5-990C-006094235084} (IBM Access Support) - http://www-307.ibm.c...rt/IbmEgath.cab

Help, help, help!

#2 marcmeier

Posted 25 May 2004 - 12:48 AM

**BUMP**

Sorry, people!

I've been trying to "bear with you", but the Trojan "Downloader.Small" is multiplying all the time and AVG is now telling me to use the PC "at my own risk".

Please, oh please?!

#3 marcmeier

Posted 26 May 2004 - 04:18 PM

bump again

I seem to have managed to get rid of "Downloader.Small", but the rest of the problems are still there...

Cheers

#4 marcmeier

Posted 26 May 2004 - 11:02 PM

I lied!

Downloader.Small is back.

#5 marcmeier

Posted 27 May 2004 - 02:39 PM

Bump.

Sorry to be so persistent...

#6 marcmeier

Posted 28 May 2004 - 04:50 PM

Bump again!

#7 marcmeier

Posted 29 May 2004 - 04:55 PM

Bumpity-bump

I'm managing to (just) keep my head above water, but I cannot permanently remove/fix the problems.

Cheers

#8 marcmeier

Posted 29 May 2004 - 07:14 PM

Other things:

- Whatever's on it doesn't want me to be able to see malware detect/remove software

- Trying to access the Recycle Bin freezes the machine

#9 marcmeier

Posted 30 May 2004 - 03:24 PM

Bump

#10 marcmeier

Posted 31 May 2004 - 04:19 PM

Bump, please

#11 marcmeier

Posted 01 June 2004 - 06:50 PM

Bump, again.

Day 10....

#12 marcmeier

Posted 02 June 2004 - 02:42 PM

Bump

#13 marcmeier

Posted 03 June 2004 - 05:27 PM

Bump

#14 newb who needs help

newb who needs help

    Member

  • Full Member
  • Pip
  • 32 posts

Posted 03 June 2004 - 05:52 PM

First off, I am really new at this stuff (as my name states), so if someone can guide me that would really be helpful.

#15 marcmeier

Posted 03 June 2004 - 06:52 PM

Hi

I can't help you very much, but I can get you started...

First off, read the FAQ on the welcome screen.
Go back to the Homepage.
Go to "More Links".
Select "View All Categories".
Select "Browser Hijacking".
Read "Hijack Removal".
Download "Spybot S&D" and "Ad-aware".
Run both and follow their instructions.

Good luck!

#16 cnm

cnm

    Mother Lion of SWI

  • Administrators
  • PipPipPipPipPip
  • 25,317 posts

Posted 03 June 2004 - 07:16 PM

newb who needs help, please start your own New Topic.

marcmeier, you've been waiting way too long. Our apologies. :(

For starters please do this (you have a CWS infection):
Download and run http://www.spywarein.../CWShredder.exe
from its own folder.
Click Fix and then Next, let it fix everything it asks about.

Then scan with HijackThis again.

Tick the boxes next to all these (some may have been removed by the shredder), then close all browser and explorer windows, and tell HijackThis to "Fix checked". Then Reboot.

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://tropotun.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = C:\WINDOWS\system32\searchbar.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = C:\WINDOWS\system32\searchbar.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://greatsearch.biz/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://greatsearch.biz/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = C:\WINDOWS\system32\searchbar.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = C:\WINDOWS\system32\searchbar.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://greatsearch.biz/

Don't fix this one if you are sure what it is and want to keep it.
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = C:\WINDOWS\system32\searchbar.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://greatsearch.biz/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://greatsearch.biz/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://greatsearch.biz/

Don't fix this one if you are sure what it is and want to keep it.
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = C:\WINDOWS\system32\searchbar.html

O4 - HKLM\..\Run: [LiveSexCam_nz] C:\Program Files\VCom\Dialers\LiveSexCam_nz\LiveSexCam_nz.exe /dontdial


After fix and reboot, delete this whole folder:
C:\Program Files\VCom\

Then please post a fresh log and let us know if the above has helped.

Microsoft MVP Windows Security 2005-2006
How camest thou in this pickle? -- William Shakespeare:(1564-1616)
The various helper groups here
UNITE
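A log-triage script, added here as an example and not part of this thread or of HijackThis itself: it parses R0/R1/O4 lines in the HijackThis log format quoted above and flags the same kinds of entries cnm lists for fixing (start and search pages pointing at the hijacker domains, search settings redirected to a local HTML file, and the dialer autostart), while leaving the AVG and Spybot entries alone. The indicator domains and the sample lines are taken from the logs posted in this thread; the heuristics and names are the example's own.

```python
import re
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import urlsplit

# Indicator values taken from the HijackThis logs quoted in this thread.
HIJACK_DOMAINS = {"greatsearch.biz", "tropotun.com"}

# IE settings that a CoolWebSearch-style hijack rewrites (R0/R1 lines).
IE_SETTINGS = ("Start Page", "Default_Page_URL", "Local Page", "Search Bar",
               "SearchURL", "SearchAssistant", "CustomizeSearch")

LINE_RE = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.+)$")
LOCAL_PATH_RE = re.compile(r"^[A-Za-z]:\\")   # e.g. C:\WINDOWS\...


@dataclass(frozen=True)
class Finding:
    code: str      # HijackThis section code, e.g. R0, O4
    reason: str    # why the entry was flagged
    line: str      # the original log line


def _host(url: str) -> str:
    """Hostname of a URL, or '' for local paths and malformed values."""
    return urlsplit(url).hostname or ""


def _triage_registry(body: str) -> Optional[str]:
    """R0/R1 bodies look like 'HKCU\\...\\Main,Start Page = <value>'."""
    if " = " not in body:
        return None
    key, value = body.split(" = ", 1)
    setting = key.rsplit(",", 1)[-1]
    if setting not in IE_SETTINGS:
        return None
    host = _host(value).lower()
    if host in HIJACK_DOMAINS:
        return f"{setting} points at hijacker domain {host}"
    if LOCAL_PATH_RE.match(value):
        # Legitimate defaults are URLs; a local file here is a redirect.
        return f"{setting} redirected to a local file instead of a URL"
    return None


def _triage_autostart(body: str) -> Optional[str]:
    """O4 bodies look like 'HKLM\\..\\Run: [Name] C:\\path\\prog.exe /args'."""
    if "\\dialers\\" in body.lower():
        return "autostart launches a dialer"
    return None


def triage_line(line: str) -> Optional[Finding]:
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    code, body = m.group("code"), m.group("body")
    if code in ("R0", "R1"):
        reason = _triage_registry(body)
    elif code == "O4":
        reason = _triage_autostart(body)
    else:
        reason = None
    return Finding(code, reason, line.strip()) if reason else None


def triage_log(text: str) -> List[Finding]:
    return [f for f in map(triage_line, text.splitlines()) if f]


# Constructed sample: a subset of the first log posted in this thread.
SAMPLE_LOG = """\
R1 - HKCU\\Software\\Microsoft\\Internet Explorer,SearchURL = http://tropotun.com/sp.htm
R1 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Search Bar = C:\\WINDOWS\\system32\\searchbar.html
R0 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Start Page = http://greatsearch.biz/
R0 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Start Page = http://www.google.co.nz/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\\PROGRA~1\\SPYBOT~1\\SDHELPER.DLL
O4 - HKLM\\..\\Run: [AVG_CC] C:\\PROGRA~1\\GRISOFT\\AVG6\\avgcc32.exe /STARTUP
O4 - HKLM\\..\\Run: [LiveSexCam_nz] C:\\Program Files\\VCom\\Dialers\\LiveSexCam_nz\\LiveSexCam_nz.exe /dontdial
"""

if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print(f"{f.code}: {f.reason}\n    {f.line}")
```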


#17 marcmeier

Posted 03 June 2004 - 09:38 PM

Firstly, thank you, thank you, thank you for the reply: I'd kiss you if I could :love: . However, this will have to do... XXX.

Secondly, newb did have a separate thread. I'd logged in to check my post for replies, backed out, saw newby's, opened it, posted a reply. Somehow I must have merged... perhaps a "how not to" is an idea. My apologies to both of you.

Thirdly, I've done all of the above, but still have problems. When I rebooted after the fix, I shut down '98 and then cold booted. I hope this was the method you wanted.

At present:

- I can't start the Control Panel (freezes)
- Windows Explorer now sees CWS and HJT, but freezes on trying to open temp IE files (I'd hoped to clear these so as to get rid of anything lingering there), or on some other copy operations (notably the HJT log)
- IE5 still has the Coolsearch.biz as a default, even if I change it
- HJT still shows all the Coolsearch.biz parasites
- I've had to use another machine to post this, as mine reports an internal error on IE when I try to add a post to you.

Latest log:

Logfile of HijackThis v1.97.7
Scan saved at 14:12, on 04/06/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v5.00 (5.00.2919.6304)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\PROGRAM FILES\GRISOFT\AVG6\AVGSERV9.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\GRISOFT\AVG6\AVGCC32.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\OSA.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\MY DOCUMENTS\TRASH\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://greatsearch.biz/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://greatsearch.biz/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://greatsearch.biz/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://greatsearch.biz/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://greatsearch.biz/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://greatsearch.biz/
F1 - win.ini: run=HPFsched
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [OEMCleanup] C:\WINDOWS\OPTIONS\OEMRESET.EXE
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\GRISOFT\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [Avgserv9.exe] C:\PROGRA~1\GRISOFT\AVG6\Avgserv9.exe
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Startup: Scanner Detector.lnk = C:\Program Files\ScanSuite\SDetect.exe
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O14 - IERESET.INF: START_PAGE_URL=http://aproxy1/
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...director/sw.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.micr...922/wmv9VCM.CAB
O16 - DPF: {74FFE28D-2378-11D5-990C-006094235084} (IBM Access Support) - http://www-307.ibm.c...rt/IbmEgath.cab
O16 - DPF: {0122955E-1FB0-11D2-A238-006097FAEE8B} (CscClnt Class) - http://205.159.125.1...everContent.cab

Anyhow, thanks again.

I'll be pleased to be sorted out!

Edited by marcmeier, 03 June 2004 - 10:25 PM.


#18 cnm

Posted 03 June 2004 - 11:13 PM

I think you need an Expert, I'll see if I can get one to stop by.

In the meantime, it would be a really good idea to update your IE to IE 6. IE 5 isn't supported and has many vulnerabilities.
http://www.microsoft.../ie/default.asp



#19 Subratam

Subratam

    Silent Assasinator

  • Retired Staff
  • PipPipPipPip
  • 284 posts

Posted 03 June 2004 - 11:25 PM

Hello,

Download Updated CWShredder from http://www.downloads.../CWShredder.exe.

Run CWShredder, and FIX. Let it fix what it finds.

Restart and post a fresh log

Regards

Edited by Subratam, 03 June 2004 - 11:40 PM.

http://blog.emsisoft.com
www.Emsisoft.com

#20 marcmeier

Posted 04 June 2004 - 12:42 AM

Thanks, CNM and Subratam

The updated CWS seems to have fixed the problem(s).

I still had to use another machine to post this, as IE5 reported the internal error again (and shut down) when I tried to add the post.

However, I'm in the process of upgrading to IE6.

Present log:

Logfile of HijackThis v1.97.7
Scan saved at 17:27, on 04/06/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v5.00 (5.00.2919.6304)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\PROGRAM FILES\GRISOFT\AVG6\AVGSERV9.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\GRISOFT\AVG6\AVGCC32.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\OSA.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\MY DOCUMENTS\TRASH\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.nz/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = APROXY1:80
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;<local>
F1 - win.ini: run=HPFsched
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [OEMCleanup] C:\WINDOWS\OPTIONS\OEMRESET.EXE
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\GRISOFT\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [Avgserv9.exe] C:\PROGRA~1\GRISOFT\AVG6\Avgserv9.exe
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Startup: Scanner Detector.lnk = C:\Program Files\ScanSuite\SDetect.exe
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O14 - IERESET.INF: START_PAGE_URL=http://aproxy1/
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...director/sw.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.micr...922/wmv9VCM.CAB
O16 - DPF: {74FFE28D-2378-11D5-990C-006094235084} (IBM Access Support) - http://www-307.ibm.c...rt/IbmEgath.cab
O16 - DPF: {0122955E-1FB0-11D2-A238-006097FAEE8B} (CscClnt Class) - http://205.159.125.1...everContent.cab

I'll try again once I have IE6 loaded.

Many, many thanks again.

#21 Subratam

Posted 04 June 2004 - 01:29 AM

Hello,

Please check the version of Spybot. It should be Spybot 1.3.

Also Fix this,
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE

Do you know about these

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = APROXY1:80
O14 - IERESET.INF: START_PAGE_URL=http://aproxy1/

Regards

#22 marcmeier

Posted 04 June 2004 - 02:34 AM

Hokey-dokey.

Have loaded Spybot 1.3.

Have loaded IE6.

Have removed findfast.

Aproxy1 was when this machine was connected to a server.

Latest log:

Logfile of HijackThis v1.97.7
Scan saved at 19:24, on 04/06/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\PROGRAM FILES\GRISOFT\AVG6\AVGSERV9.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\GRISOFT\AVG6\AVGCC32.EXE
C:\PROGRAM FILES\SPYBOT - SEARCH & DESTROY\TEATIMER.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\OSA.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\MY DOCUMENTS\TRASH\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft...=ie&ar=iesearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.nz/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft...=ie&ar=iesearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft...B_PVER}&ar=home
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft...=ie&ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft...er=6&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft...=ie&ar=iesearch
F1 - win.ini: run=HPFsched
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [OEMCleanup] C:\WINDOWS\OPTIONS\OEMRESET.EXE
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\GRISOFT\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [Avgserv9.exe] C:\PROGRA~1\GRISOFT\AVG6\Avgserv9.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Startup: Scanner Detector.lnk = C:\Program Files\ScanSuite\SDetect.exe
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...director/sw.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.micr...922/wmv9VCM.CAB
O16 - DPF: {74FFE28D-2378-11D5-990C-006094235084} (IBM Access Support) - http://www-307.ibm.c...rt/IbmEgath.cab
O16 - DPF: {0122955E-1FB0-11D2-A238-006097FAEE8B} (CscClnt Class) - http://205.159.125.1...everContent.cab

I'm still using the laptop due to IE reporting an error and shutting down whenever I try to add a post. :wtf:

Thanks again. ;D

#23 Subratam

Posted 04 June 2004 - 10:23 AM

What is the error it is showing? Any other problems? Any re-directions again?

Regards

#24 marcmeier

Posted 04 June 2004 - 05:46 PM

Subratam

I still have the problem with posting to the site. It seems to relate to interactivity between myself and the site(s). :scratchhead: For example, I tried to download Java 1.3.2 JRE from a secure site and it bombs too.

With IE5, it reported an internal error and said it will close down. With IE6, it says that "Microsoft Internet Explorer has encountered a problem and will have to close down....Send error report....". The technical side of the error report is meaningless to me: binary status codes for various modules.

Another thing: I've set Google as my homepage. When first starting IE6, it doesn't open Google and reports "cannot find server or DNS error". Refreshed, no problem.

I haven't had much of a chance to play (was night here), but so far no other problems.

Thanks

#25 marcmeier

Posted 12 June 2004 - 06:56 PM

Subratam

I haven't had to download anything via IE, except for the Ad-aware, AVG and Spybot updates, which downloaded fine. I can't tell you if I still have download problems with anything else.

I've just downloaded the latest updates for Ad-aware and AVG and have run them. Ad-aware found nothing, but AVG found the two trojans "Startpage.6.S" and "Downloader.Small.6.AZ", both of which I've moved to the virus vault.

I then ran '98's System File Checker, which reported that the following files have altered:

msstasks.exe
mssys.exe
mstasks1.exe
mmefxe.ocx
system.exe
xdldr24.exe
system32.dll
lsd_f3.dll

I haven't restored any of them:

should I?
from where?
can I re-install '98 without losing any other data?
what's the best approach?

I've also attached my latest HJT log. I'll remove the reference to aproxy 1, unless you state otherwise.

Logfile of HijackThis v1.97.7
Scan saved at 11:50, on 13/06/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\PROGRAM FILES\GRISOFT\AVG6\AVGSERV9.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\GRISOFT\AVG6\AVGCC32.EXE
C:\PROGRAM FILES\SPYBOT - SEARCH & DESTROY\TEATIMER.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\OSA.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\HIJACK THIS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.nz/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = APROXY1:80
F1 - win.ini: run=HPFsched
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [OEMCleanup] C:\WINDOWS\OPTIONS\OEMRESET.EXE
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\GRISOFT\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [Avgserv9.exe] C:\PROGRA~1\GRISOFT\AVG6\Avgserv9.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Startup: Scanner Detector.lnk = C:\Program Files\ScanSuite\SDetect.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...director/sw.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.micr...922/wmv9VCM.CAB
O16 - DPF: {74FFE28D-2378-11D5-990C-006094235084} (IBM Access Support) - http://www-307.ibm.c...rt/IbmEgath.cab
O16 - DPF: {0122955E-1FB0-11D2-A238-006097FAEE8B} (CscClnt Class) - http://205.159.125.1...everContent.cab

Thanks for all the help :thumbsup:

#26 marcmeier

Posted 14 June 2004 - 05:54 PM

Bump, please

#27 Subratam

Posted 14 June 2004 - 07:04 PM

Your log looks ok. You should be ok now.

Read How did I get Infected?

Regards

#28 marcmeier

Posted 14 June 2004 - 07:08 PM

Thanks very much. ;D

#29 cnm

Posted 14 June 2004 - 08:04 PM

Glad we could help. :)

If you need this topic reopened, please request this by sending the moderating team an email with the address of the thread. This applies only to the original topic starter. Everyone else please begin a New Topic.
