Prelude2244

Help - Got Hijacked!!!

7 posts in this topic

AVG detected a trojan, please help me with my log. Thanks : )

Logfile of HijackThis v1.97.7
Scan saved at 9:05:08 PM, on 6/2/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
C:\Program Files\Grisoft\AVG6\avgcc32.exe
C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\NetZero\exec.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
C:\Program Files\NetZero\exec.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Francisco\Local Settings\Temp\Temporary Directory 1 for hijackthis1977.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://my.netzero.net/s/search?r=minisearch
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://my.netzero.net/s/search?r=minisearch
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://my.netzero.net/s/search?r=minisearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://my.netzero.net/s/search?r=minisearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://my.netzero.net/s/search?r=minisearch
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://my.netzero.net/s/search?r=minisearch
R3 - URLSearchHook: URLSearchHook Class - {37D2CDBF-2AF4-44AA-8113-BD0D2DA3C2B8} - C:\Program Files\NZSearch\SearchEnh1.dll
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: ZeroBar - {F5735C15-1FB2-41FE-BA12-242757E69DDE} - C:\Program Files\NetZero\Toolbar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
O4 - HKLM\..\Run: [AVG_CC] C:\Program Files\Grisoft\AVG6\avgcc32.exe /startup
O4 - HKLM\..\Run: [TE_RegProtect] C:\Program Files\Anti Trojan Elite\TERegPct.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [uoltray] C:\Program Files\NetZero\exec.exe regrun
O4 - HKCU\..\Run: [spc_w] "C:\Program Files\NZSearch\hcm.exe" -w
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: MoneySide (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{BA44B9CA-4A58-4503-85FD-A94D65C492AE}: NameServer = 64.136.20.121 64.136.20.133

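Logs like the one above are usually read by eye, and forum software wraps long entries across lines, which is why several paths in the post are split mid-way. The script below is an added example (not part of this thread and not HijackThis's own code) that re-joins wrapped entries, splits each one into section code, CLSID and target, and summarises the items a helper would look at first: BHO/toolbar registrations whose file is gone, autorun entries launched from a temporary directory, the configured DNS servers, and the hosts behind the search/start-page settings. The sample log, the paths, GUIDs and hostnames in it are constructed to mirror the format in the post and are not the poster's data.

```python
"""Parse a HijackThis 1.x log and apply a few defender-side triage checks.

Added example, not part of the thread and not HijackThis's own code. It
re-joins entries that forum software wrapped across lines, splits each entry
into its section code / CLSID / target, and summarises the items a helper
would review first."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlparse

ENTRY_START = re.compile(r"^(?:R\d|O\d+) -(?:\s|$)")           # "O4 - ...", "O17 -"
ENTRY_SPLIT = re.compile(r"^(R\d|O\d+) -\s*(.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
DRIVE_PATH = re.compile(r"^[A-Za-z]:\\")                        # start of a process path
TEMP_DIR = re.compile(r"\\(?:temp|tmp)\\", re.I)

# Constructed sample (not the poster's log); the line breaks inside entries
# imitate the wrapping seen when a log is pasted into a forum post.
SAMPLE_LOG = r"""Logfile of HijackThis v1.97.7
Scan saved at 9:05:08 PM, on 6/2/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\Documents and Settings\User\Local Settings\Temp\Temporary
Directory 1 for hijackthis1977.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar =
http://search.example.net/s/search?r=minisearch
R3 - URLSearchHook: URLSearchHook Class -
{11111111-2222-3333-4444-555555555555} - C:\Program
Files\ExampleSearch\SearchEnh1.dll
O2 - BHO: (no name) - {AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE} - (no file)
O4 - HKLM\..\Run: [ExampleTray] "C:\Program Files\Example\tray.exe" -osboot
O4 - HKCU\..\Run: [updater] C:\Documents and Settings\User\Local
Settings\Temp\updater.exe
O17 -
HKLM\System\CCS\Services\Tcpip\..\{12345678-ABCD-EF01-2345-6789ABCDEF01}:
NameServer = 192.0.2.10 192.0.2.11
"""


@dataclass
class Entry:
    kind: str              # section code such as "R1", "O2", "O4", "O17"
    body: str              # text after "Oxx - ", with wrapped lines re-joined
    clsid: Optional[str]   # first {GUID} in the entry, if any
    target: Optional[str]  # file, URL or value the entry points at


def normalize(text: str) -> Tuple[List[str], List[str], List[str]]:
    """Split the log into header lines, process paths and entry lines,
    re-joining anything that was wrapped onto a following line."""
    header, procs, entries = [], [], []
    mode = "header"
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if mode == "header":
            header.append(line)
            if line.lower().startswith("running processes"):
                mode = "procs"
        elif ENTRY_START.match(line):
            mode = "entries"
            entries.append(line)
        elif mode == "procs":
            # a new process path starts with a drive letter; anything else
            # is the tail of the previous path
            if DRIVE_PATH.match(line) or not procs:
                procs.append(line)
            else:
                procs[-1] += " " + line
        else:
            entries[-1] += " " + line      # continuation of a wrapped entry
    return header, procs, entries


def parse_entry(line: str) -> Entry:
    """Break one re-joined entry into kind / clsid / target."""
    m = ENTRY_SPLIT.match(line)
    kind, body = m.group(1), m.group(2)
    clsid_m = CLSID_RE.search(body)
    if kind == "O4" and "] " in body:          # [name] command line
        target = body.split("] ", 1)[1]
    elif " = " in body:                        # R0/R1/O17: key = value
        target = body.split(" = ", 1)[1]
    elif " - " in body:                        # O2/O3/O8/O16: ... - path
        target = body.rsplit(" - ", 1)[1]
    else:
        target = None
    return Entry(kind, body, clsid_m.group(0) if clsid_m else None,
                 target.strip() if target else None)


def triage(entries: List[Entry]) -> Dict[str, list]:
    """Defender-side summary of the entries worth a second look."""
    report: Dict[str, list] = {"orphaned": [], "temp_autorun": [],
                               "dns_servers": [], "search_hosts": []}
    hosts = set()
    for e in entries:
        if e.kind in ("O2", "O3") and e.target == "(no file)":
            report["orphaned"].append(e.clsid)          # registration without a file
        if e.kind == "O4" and e.target and TEMP_DIR.search(e.target):
            report["temp_autorun"].append(e.target)     # autorun from a temp folder
        if e.kind == "O17" and e.target:
            report["dns_servers"].extend(e.target.split())
        if e.kind in ("R0", "R1") and e.target and e.target.startswith("http"):
            hosts.add(urlparse(e.target).hostname)
    report["search_hosts"] = sorted(hosts)
    return report


def analyze(text: str):
    _, procs, lines = normalize(text)
    entries = [parse_entry(l) for l in lines]
    return procs, entries, triage(entries)


if __name__ == "__main__":
    procs, entries, report = analyze(SAMPLE_LOG)
    print(len(procs), "processes,", len(entries), "entries")
    for key, items in report.items():
        print(f"{key}: {items}")
```

The checks are deliberately modest: an orphaned "(no file)" entry, an autorun from a Temp folder, and an unfamiliar DNS server or search host are prompts for a human to verify against what the machine's owner expects, not verdicts.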

Hi,

AVG detected a trojan

Where? (folder location)

 

Otherwise your log is clean ...

 

Most likely it's (trojan file) in your System Restore ... (see "Flush System Restore" below)

Basically, turn off System Restore, reboot, run a full AVG scan, reboot, turn System Restore back on and create a new Restore Point.


It said it found a trojan called 'Startpage.4.AL' in Windows\System32\notepad.exe. I ran CW Shredder and my page is not being redirected anymore but AVG is still detecting the trojan.


Hi,

'Startpage.4.AL' in Windows\System32\notepad.exe

Ok, shut down AVG ... right-click the Taskbar icon

Delete "Windows\System32\notepad.exe"

Locate Windows\Notepad.exe, highlight, right-click and select: Copy

Highlight the System32 folder, click Edit (up top) select: Paste

Close Windows Explorer, empty the Recycle Bin ...

 

Then reboot (AVG should restart by itself) run another scan and see what AVG says.

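The replacement step above copies the clean Windows\Notepad.exe over the flagged System32 copy. A quick way to confirm that the copy actually took (and that the two files differed beforehand) is to hash both and compare. The script below is an added example, not something from this thread; the Windows-like folder tree it builds under a temp directory, and the file contents in it, are constructed so it runs on any system.

```python
r"""Verify that a replaced system file now matches its known-good copy.

Added example (not from the thread). In the scenario discussed, the clean copy
is C:\Windows\notepad.exe and the replaced file is C:\Windows\System32\notepad.exe;
the check hashes both and reports whether they are identical. demo() builds a
constructed stand-in tree in a temp folder instead of touching a real system."""
import hashlib
import os
import shutil
import tempfile


def sha256_file(path: str) -> str:
    """SHA-256 of a file, read in chunks so large binaries are handled."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def check_copies(reference: str, candidates) -> dict:
    """Return {path: True/False} for whether each candidate equals `reference`.
    A missing candidate is reported as False rather than raising."""
    ref_hash = sha256_file(reference)
    return {p: os.path.isfile(p) and sha256_file(p) == ref_hash for p in candidates}


def demo():
    """Constructed scenario: the System32 copy differs until it is replaced."""
    root = tempfile.mkdtemp()
    try:
        win = os.path.join(root, "Windows")
        sys32 = os.path.join(win, "System32")
        os.makedirs(sys32)
        clean = os.path.join(win, "notepad.exe")
        target = os.path.join(sys32, "notepad.exe")
        with open(clean, "wb") as fh:
            fh.write(b"CONSTRUCTED-CLEAN-COPY")        # stands in for the good file
        with open(target, "wb") as fh:
            fh.write(b"CONSTRUCTED-DIFFERENT-CONTENT")  # stands in for the flagged file
        before = check_copies(clean, [target])[target]
        shutil.copyfile(clean, target)                # the copy-and-paste step
        after = check_copies(clean, [target])[target]
        return before, after
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    print(demo())  # (False, True)
```

On a real machine you would call check_copies with the Windows and System32 paths directly; a True after the copy means the two files are byte-for-byte identical, so any further detection of the same file name is coming from somewhere else (as the next replies in this thread show, the System Restore store).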

Ok, I did all you said. I ran AVG and it detected the same trojan... but this time it's in 'Windows:\Volume Information\restore......'. AVG advised me to put it in the Virus Vault, which I did. Then I re-scanned and it came up clean. Is that it, no more virus? If it is... thanks for all your help.

 

This site rocks!!!


Hi,

but this time it's in 'Windows:\Volume Information\restore

Follow the same instructions as before to "Flush System Restore"

AVG advised me to put it in the Virus Vault, which I did

Nope, didn't happen ... see below = "Antivirus can not clean System Restore"

 

Otherwise, yes it's gone ... good job!
