Jump to content


Photo

CWS


  • This topic is locked This topic is locked
14 replies to this topic

#1 Challenge

Challenge

    Member

  • Full Member
  • Pip
  • 8 posts

Posted 31 May 2004 - 01:42 PM

My homepage is highjacked by CWS url is ip addy. The worst thing is that my "My Comp" button and other windows functions don't respond.

I would really appreciate help with this. I have read the guides and followed instructions. I have tried following instructions from other threads ie. bjp3's that had similar sounding probs but nothing has worked.

I have tried ad-ware, spybot and cwshredder. I have gone into safe mode and deleted the dialler that came from the page re-direction and run the above again but to no avail.
Any help with this log or ideas would be appreciated.


Logfile of HijackThis v1.97.3
Scan saved at 20:21:38, on 31.05.04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAMME\HEWLETT-PACKARD\HP SHARE-TO-WEB\HPGS2WND.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM32\WINTIME.EXE
C:\WINDOWS\SYSTEM\EXPLORER.EXE
C:\PROGRAMME\HEWLETT-PACKARD\HP SHARE-TO-WEB\HPGS2WNF.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\UNZIPPED\PROGRAMS\HIJACKTHIS\HIJACKTHIS.EXE

O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [ELSAChipGuard] C:\WINDOWS\ELSAUTIL\elsavect.exe
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [ESSOLO] ESSOLO.EXE
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Programme\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [MSZTCE] C:\WINDOWS\SYSTEM\MSZTCE.EXE
O4 - HKLM\..\Run: [ETDIN] C:\WINDOWS\SYSTEM\ETDIN.exe
O4 - HKLM\..\Run: [WinTime] C:\WINDOWS\system32\wintime.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakLogon
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKCU\..\Run: [System Update] C:\WINDOWS\System\explorer.exe
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Popup Eliminator (HKLM)
O9 - Extra 'Tools' menuitem: Popup Eliminator (HKLM)
O12 - Plugin for .mpeg: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin3.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...38137.672025463

#2 GHOST 1337

GHOST 1337

    Member

  • Full Member
  • Pip
  • 21 posts

Posted 31 May 2004 - 01:55 PM

alright, i did a search and ive come to the conclusion that line



O4 - HKLM\..\Run: [MSZTCE] C:\WINDOWS\SYSTEM\MSZTCE.EXE

is your problem

#3 Challenge

Challenge

    Member

  • Full Member
  • Pip
  • 8 posts

Posted 31 May 2004 - 02:43 PM

Many thanks for your help Ghost but I am afraid the problem remains. I have done a new log but I think I'll smash the thing anyway!! :techsupport: or is there a chance?!

Logfile of HijackThis v1.97.3
Scan saved at 21:42:07, on 31.05.04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\EXPLORER.EXE
C:\UNZIPPED\PROGRAMS\HIJACKTHIS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://213.159.117.132/redir.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.132/redir.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://213.159.117.132/redir.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.132/redir.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.132/redir.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.132/redir.php
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [ELSAChipGuard] C:\WINDOWS\ELSAUTIL\elsavect.exe
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [ESSOLO] ESSOLO.EXE
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Programme\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [ETDIN] C:\WINDOWS\SYSTEM\ETDIN.exe
O4 - HKLM\..\Run: [WinTime] C:\WINDOWS\system32\wintime.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakLogon
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKCU\..\Run: [System Update] C:\WINDOWS\System\explorer.exe
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Popup Eliminator (HKLM)
O9 - Extra 'Tools' menuitem: Popup Eliminator (HKLM)
O12 - Plugin for .mpeg: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin3.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...38137.672025463
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall-Kontrolle) - http://a840.g.akamai...all/xscan53.cab

#4 Budfred

Budfred

    Malware Hound

  • Administrators
  • PipPipPipPipPip
  • 21,252 posts

Posted 31 May 2004 - 04:19 PM

This is a fix that was worked out by some of our experts and we can see if it will work here. Post back with an update and fresh HJT log after you run it. If it works, we still have some more cleanup to do:

Please copy the contents of the quote box to notepad:


REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"System"=-
[-HKEY_CLASSES_ROOT\CLSID\{061646A1-DC57-487D-B023-A938198C174E}]
[-HKEY_CLASSES_ROOT\CLSID\{4E8A9E72-8942-40EF-88DF-A559152F6B41}]
[-HKEY_CLASSES_ROOT\CLSID\{6E94CEC3-0C84-4310-AE20-CD4090178388}]

Hit save as and give it the name clear.reg under the filename set file types to all files. Save it to the desktop. After you have completed that, double click the clear.reg file and when asked to merge say "Yes" and reboot.

Find this file system32.dll which is probably in either:
  • c:\windows\system32\system32.dll
  • c:\windows\system\system32.dll
... and delete it.

Then fix these with hijackthis:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://213.159.117.132/redir.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.132/redir.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://213.159.117.132/redir.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.132/redir.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.132/redir.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.132/redir.php


Budfred

Helpful link: SpywareBlaster...

MS MVP 2006 and ASAP Member since 2004

Please read the Instructions for posting requested logs and the article "So how did I get infected in the first place?"

#5 Challenge

Challenge

    Member

  • Full Member
  • Pip
  • 8 posts

Posted 31 May 2004 - 05:01 PM

Budfred, you and your experts are stars. It seems to have worked. I can access folders etc in normal mode and I am not being redirected anymore. Thank you ;D

Here is the new log. Cleaning up would also be appreciated as I am :wtf:

Logfile of HijackThis v1.97.3
Scan saved at 00:02:07, on 01.06.04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAMME\GRISOFT\AVG6\AVGSERV9.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAMME\HEWLETT-PACKARD\HP SHARE-TO-WEB\HPGS2WND.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM32\WINTIME.EXE
C:\PROGRAMME\GRISOFT\AVG6\AVGCC32.EXE
C:\PROGRAMME\HEWLETT-PACKARD\HP SHARE-TO-WEB\HPGS2WNF.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\UNZIPPED\PROGRAMS\HIJACKTHIS\HIJACKTHIS.EXE

O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [ELSAChipGuard] C:\WINDOWS\ELSAUTIL\elsavect.exe
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [ESSOLO] ESSOLO.EXE
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Programme\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [ETDIN] C:\WINDOWS\SYSTEM\ETDIN.exe
O4 - HKLM\..\Run: [WinTime] C:\WINDOWS\system32\wintime.exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\GRISOFT\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakLogon
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [Avgserv9.exe] C:\PROGRA~1\GRISOFT\AVG6\Avgserv9.exe
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Popup Eliminator (HKLM)
O9 - Extra 'Tools' menuitem: Popup Eliminator (HKLM)
O12 - Plugin for .mpeg: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin3.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...38137.672025463
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall-Kontrolle) - http://a840.g.akamai...all/xscan53.cab

#6 Budfred

Budfred

    Malware Hound

  • Administrators
  • PipPipPipPipPip
  • 21,252 posts

Posted 31 May 2004 - 05:45 PM

That is great to hear...

For cleanup, most of it is gone... This is probably bad and should be fixed by HJT unless you recognize it. If you are not sure, you can find it and check Properties with a Right click on the mouse, then see if it is from a legit company:

O4 - HKLM\..\Run: [ETDIN] C:\WINDOWS\SYSTEM\ETDIN.exe

This one appears to be legit, but just want to be sure... are you familiar with it??

O4 - HKLM\..\Run: [WinTime] C:\WINDOWS\system32\wintime.exe

If it is bad, you will also have to remove it with Add/Remove Programs or delete it here:

C:\WINDOWS\SYSTEM32\WINTIME.EXE

Also, find and delete this if it doesn't seem legit. You may need to have Windows show all hidden files to find it:

C:\WINDOWS\SYSTEM\ETDIN.exe

That seems to be it, but post back another HJT log after a reboot to be sure... Also, here is my prevention speech so you can protect yourself from future infection:

This is a good time to set up protection against further attacks. Read the article linked below about "How did I get infected". You need an antivirus that is updated, a good firewall (a router firewall is not enough) and a spyware blocker like SpywareBlaster and also IE-Spyads. All of these have good free versions available... be very cautious about any security software that advertises in popups or other intrusive ways, they are not only usually useless, but also often have malware in them....
Budfred

Helpful link: SpywareBlaster...

MS MVP 2006 and ASAP Member since 2004

Please read the Instructions for posting requested logs and the article "So how did I get infected in the first place?"

#7 Challenge

Challenge

    Member

  • Full Member
  • Pip
  • 8 posts

Posted 01 June 2004 - 01:31 PM

Thanks again Butfred.

The wintime.exe gives me no info and when I try to delete it it says it comes from windows.
The ETDIN.exe can't be found which I know is wierd but I have hidden files on and a search doesn't even find it.

Bad or not if I delete both these files with Highjackthis will/could it harm my comp? I don't car if some Mickey Mouse program I have forgotten about won't work but will it affect windows?

Lastly, You are absoloutly right about prevention and I am changing to Opera!

Cheers again,

Iain

#8 Budfred

Budfred

    Malware Hound

  • Administrators
  • PipPipPipPipPip
  • 21,252 posts

Posted 01 June 2004 - 08:34 PM

Here is a description of WinTime I found on Google:

WinTime

This utility, which runs from your system tray, can keep track of how much time has elapsed since you last booted up, active your screen saver, selectively close Explorer windows, quickly launch programs you use most often, create hot keys, and customize tray icons.

It is clearly not from Microsoft, but if you have a program that meets that description, it is probably okay...

If you couldn't find this program, it is probably a morpher:

O4 - HKLM\..\Run: [ETDIN] C:\WINDOWS\SYSTEM\ETDIN.exe

That means it takes a new name each time you reboot the system... To find it, you will either have to post a fresh log and I will tell you which one it is, then you would fix it and delete it without rebooting.... OR.... you can find the file that wasn't in the last HJT log and that is in the same folder and fix it with HJT and then delete it... You may have to tracking it down in Running Processes in Task Manager and stop it before you can delete it. You could also try booting to Safe Mode and use HJT to find it, since it is more likely it wouldn't load at boot in Safe Mode.... Nasty little bug these morphers....

Whatever way you decide to go, post a fresh HJT log after a reboot so we can make sure we got it all....
Budfred

Helpful link: SpywareBlaster...

MS MVP 2006 and ASAP Member since 2004

Please read the Instructions for posting requested logs and the article "So how did I get infected in the first place?"

#9 Challenge

Challenge

    Member

  • Full Member
  • Pip
  • 8 posts

Posted 03 June 2004 - 01:38 PM

Thanks again for the help Budfred.

I decided to delete both the possibly dodgy files and below is the new log without a reboot.
The ETDIN.exe file was still in the HJS scan even though I was unable to find the file either with a search or manually. It is now gone. I know my hard drive could do with being re formatted but I am still gtrateful for any input on dodgy files.


Logfile of HijackThis v1.97.3
Scan saved at 20:40:04, on 03.06.04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAMME\GRISOFT\AVG6\AVGSERV9.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAMME\HEWLETT-PACKARD\HP SHARE-TO-WEB\HPGS2WND.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM32\WINTIME.EXE
C:\PROGRAMME\GRISOFT\AVG6\AVGCC32.EXE
C:\PROGRAMME\HEWLETT-PACKARD\HP SHARE-TO-WEB\HPGS2WNF.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\UNZIPPED\PROGRAMS\HIJACKTHIS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.portal.telegraph.co.uk/
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [ELSAChipGuard] C:\WINDOWS\ELSAUTIL\elsavect.exe
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [ESSOLO] ESSOLO.EXE
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Programme\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\GRISOFT\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakLogon
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [Avgserv9.exe] C:\PROGRA~1\GRISOFT\AVG6\Avgserv9.exe
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Popup Eliminator (HKLM)
O9 - Extra 'Tools' menuitem: Popup Eliminator (HKLM)
O12 - Plugin for .mpeg: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin3.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...38137.672025463
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall-Kontrolle) - http://a840.g.akamai...all/xscan53.cab

#10 Budfred

Budfred

    Malware Hound

  • Administrators
  • PipPipPipPipPip
  • 21,252 posts

Posted 03 June 2004 - 08:27 PM

You don't need to reformat because of this garbage, we may have succeeded in cleaing it up!! However, we need a log AFTER a reboot to make sure the morpher is really gone. It is possible to fix it in HJT, but then have it reappear in the next reboot... So post that and we can check it out....
Budfred

Helpful link: SpywareBlaster...

MS MVP 2006 and ASAP Member since 2004

Please read the Instructions for posting requested logs and the article "So how did I get infected in the first place?"

#11 Challenge

Challenge

    Member

  • Full Member
  • Pip
  • 8 posts

Posted 04 June 2004 - 04:08 PM

Ok, here's the log after a reboot.

Logfile of HijackThis v1.97.3
Scan saved at 23:13:59, on 04.06.04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAMME\GRISOFT\AVG6\AVGSERV9.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAMME\HEWLETT-PACKARD\HP SHARE-TO-WEB\HPGS2WND.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAMME\GRISOFT\AVG6\AVGCC32.EXE
C:\PROGRAMME\HEWLETT-PACKARD\HP SHARE-TO-WEB\HPGS2WNF.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\UNZIPPED\PROGRAMS\HIJACKTHIS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.portal.telegraph.co.uk/
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [ELSAChipGuard] C:\WINDOWS\ELSAUTIL\elsavect.exe
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [ESSOLO] ESSOLO.EXE
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Programme\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\GRISOFT\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakLogon
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [Avgserv9.exe] C:\PROGRA~1\GRISOFT\AVG6\Avgserv9.exe
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Popup Eliminator (HKLM)
O9 - Extra 'Tools' menuitem: Popup Eliminator (HKLM)
O12 - Plugin for .mpeg: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin3.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...38137.672025463
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall-Kontrolle) - http://a840.g.akamai...all/xscan53.cab


Any ideas? :-)

#12 Budfred

Budfred

    Malware Hound

  • Administrators
  • PipPipPipPipPip
  • 21,252 posts

Posted 04 June 2004 - 09:39 PM

Are you still having a problem??

Your log appears to be clean, so if you aren't having a problem, it is time to tighten up security to keep it clean and then celebrate... Here is my speech for prevention:

This is a good time to set up protection against further attacks. Read the article linked below about "How did I get infected". You need an antivirus that is updated, a good firewall (a router firewall is not enough) and a spyware blocker like SpywareBlaster and also IE-Spyads. All of these have good free versions available... be very cautious about any security software that advertises in popups or other intrusive ways, they are not only usually useless, but also often have malware in them....

If you are having trouble, post back and we will look at other tools to solve it... post as much detail as possible so I can get an idea of what the problem might be...
Budfred

Helpful link: SpywareBlaster...

MS MVP 2006 and ASAP Member since 2004

Please read the Instructions for posting requested logs and the article "So how did I get infected in the first place?"

#13 Challenge

Challenge

    Member

  • Full Member
  • Pip
  • 8 posts

Posted 05 June 2004 - 09:10 AM

Comp seems to have returned to normal. Your advice has been taken and various security measures undertaken. Many thanks once again and kep up the work for all an amazing site!! :love:

#14 Budfred

Budfred

    Malware Hound

  • Administrators
  • PipPipPipPipPip
  • 21,252 posts

Posted 05 June 2004 - 12:59 PM

Great!! :thumbsup: :thumbsup:

Thanks for reporting back.... :D :D
Budfred

Helpful link: SpywareBlaster...

MS MVP 2006 and ASAP Member since 2004

Please read the Instructions for posting requested logs and the article "So how did I get infected in the first place?"

#15 cnm

cnm

    Mother Lion of SWI

  • Administrators
  • PipPipPipPipPip
  • 25,317 posts

Posted 05 June 2004 - 01:07 PM

Glad we could help. :)

If you need this topic reopened, please request this by sending the moderating team an email with the address of the thread. This applies only to the original topic starter. Everyone else please begin a New Topic.

Microsoft MVP Windows Security 2005-2006
How camest thou in this pickle? -- William Shakespeare:(1564-1616)
The various helper groups here
UNITE





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

Member of ASAP and UNITE
Support SpywareInfo Forum - click the button