• Announcements

    • Budfred

      IE 11 copy/paste problem

      It has come to our attention that people using Internet Explorer 11 (IE 11) are having trouble with copy/paste to the forum. If you encounter this problem, using a different browser like Firefox or Chrome seems to get around the problem. We do not know what the problem is, but it seems to be specific to IE 11 and we are hopeful that Microsoft will eventually fix it.
Sign in to follow this  
Followers 0
redundantlyredundant

Help! Scan found 19 Trojans/Malware

5 posts in this topic

I stupidly forgot to download Zone Alarm on my new laptop AND enable Nortan before I surfed. I now have as many as 22 trojans/viruses/malwares. Among them are Kontiki in my registry, DownloaderEX, Adclicker-AF.dll, BLNet, QuestionMarket, and WinActive (according to SpyHunter.) At one point it would hijack my home page with each reboot and urge me to download "spyware protection." Nice.

 

Now ZoneAlarm is reporting a ping about three times a minute, all from the untraceable IP 172.16.0.1.

 

I'm broke at the moment or I would buy some software to clean it up. Plus I'd kinda like to learn how to do it myself from the experts here. The Panda ActiveScan zapped two of my parasites, and Norton found two others and got rid of them. However, I still show 14 infected files, 3 bad cookies and 1 registry parasite.

 

 

Help!

 

 

Here is my Hijack This log:

 

Logfile of HijackThis v1.97.7

Scan saved at 7:24:21 PM, on 7/26/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\Program Files\Yahoo!\browser\ybrwicon.exe

C:\Program Files\2Wire\2PortalMon.exe

C:\Program Files\Real\RealPlayer\RealPlay.exe

C:\PROGRA~1\Yahoo!\browser\ycommon.exe

C:\Program Files\QuickTime\qttask.exe

C:\WINDOWS\System32\Ati2evxx.exe

C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe

C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

C:\PROGRA~1\Agnitum\TAUSCA~1.7\taumon.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\Program Files\Norton AntiVirus\navapsvc.exe

C:\WINDOWS\System32\ctfmon.exe

C:\WINDOWS\Plaxo\1.5.2.32\InstallStub.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

C:\WINDOWS\system32\ZoneLabs\vsmon.exe

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\WINDOWS\System32\wuauclt.exe

C:\Documents and Settings\Owner\Local Settings\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

 

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com

O2 - BHO: (no name) - {A9A674BF-771F-42E5-A440-D20DDA85A862} - C:\WINDOWS\System32\d869g7iktkff.dll (file missing)

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_3_12_0.dll

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O4 - HKLM\..\Run: [YBrowser] C:\Program Files\Yahoo!\browser\ybrwicon.exe

O4 - HKLM\..\Run: [iPInSightMonitor 01] "C:\Program Files\SBC Yahoo!\Connection Manager\IP InSight\IPMon32.exe"

O4 - HKLM\..\Run: [2wSysTray] C:\Program Files\2Wire\2PortalMon.exe

O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [jopa] C:\WINDOWS\System32\sysstartup.exe

O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"

O4 - HKLM\..\Run: [spyHunter] C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter.exe

O4 - HKLM\..\Run: [Tau Monitor] C:\PROGRA~1\Agnitum\TAUSCA~1.7\taumon.exe

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe

O4 - HKCU\..\Run: [PlaxoUpdate] C:\WINDOWS\Plaxo\1.5.2.32\InstallStub.exe -a

O4 - HKCU\..\Run: [jopa] C:\WINDOWS\System32\sysstartup.exe

O4 - HKCU\..\Run: [uninstal] regsvr32 /u /s image.dll

O4 - HKCU\..\Run: [spyware Doctor] "C:\Program Files\Spyware Doctor\spydoctor.exe" /Q

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O4 - Global Startup: winlogin.exe

O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000

O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm

O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm

O9 - Extra button: Yahoo! Login (HKLM)

O9 - Extra 'Tools' menuitem: Yahoo! Login (HKLM)

O9 - Extra button: Messenger (HKLM)

O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)

O9 - Extra button: Real.com (HKLM)

O9 - Extra button: MoneySide (HKLM)

O12 - Plugin for .avi: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll

O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab

O16 - DPF: Yahoo! Word Racer - http://download.games.yahoo.com/games/clients/y/wt0_x.cab

O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...ector/swdir.cab

O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab

O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0401.cab

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab

O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...8192.7919444444

O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://download.yahoo.com/dl/installs/ymail/ymmapi.dll

O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/...utocomplete.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...380/mcfscan.cab

 

 

 

Thanks for your help!

 

~RR

Share this post


Link to post
Share on other sites

Hi redundantlyredundant,

 

Since you have a few trojans here, run a free online virus scan here:

http://housecall.trendmicro.com/housecall/start_corp.asp

 

Next, go to Add/Remove Programs and uninstall SpyHunter. This program does not do an effective job at removing spyware.

 

Now, move hijackthis into it's own permanent folder on your hard drive (Ex: C:\HJT). Run it from that location and place check marks in the following entries. Tell HijackThis to 'Fix checked' (make sure all windows except HijackThis are closed).

 

O2 - BHO: (no name) - {A9A674BF-771F-42E5-A440-D20DDA85A862} - C:\WINDOWS\System32\d869g7iktkff.dll (file missing)

O4 - HKLM\..\Run: [jopa] C:\WINDOWS\System32\sysstartup.exe

O4 - HKLM\..\Run: [spyHunter] C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter.exe

O4 - HKCU\..\Run: [PlaxoUpdate] C:\WINDOWS\Plaxo\1.5.2.32\InstallStub.exe -a

O4 - HKCU\..\Run: [jopa] C:\WINDOWS\System32\sysstartup.exe

O4 - HKCU\..\Run: [uninstal] regsvr32 /u /s image.dll

O4 - Global Startup: winlogin.exe

 

Configure your computer to show hidden files.

 

Then reboot your computer in safe mode and delete the following file:

C:\WINDOWS\System32\sysstartup.exe

 

And delete the following folder:

C:\WINDOWS\Plaxo

 

Also click on Start > All Programs > Startup. If winlogin is listed there, right click it and choose delete.

 

Reboot your computer, run hijackthis again, save a fresh log and post it back into this thread.

Share this post


Link to post
Share on other sites
Sign in to follow this  
Followers 0