http://solongas.com/hp.htm?id=9 - Hijack ?


14 replies to this topic

#1 Albascotia

    Member

  • Full Member
  • 13 posts

Posted 05 June 2004 - 04:48 PM

Having read the FAQ and carried out the following, I am still having problems:-

I'm using Win 98 with IE5.5, and recently my home page in IE (which is
normally blank) has started changing to:-

http://solongas.com/hp.htm?id=9

If I reselect blank through Tools>Internet Options>Use Blank, it is OK for
a short time, but every two or three times I open IE, it reverts back to the
URL above.

Also, sometimes it opens with the following page:-

C:\WINDOWS\SYSTEM\hp.uti


I have downloaded and installed (then updated) the following:-

CSW v1.58.0
Spybot S&D 1.3
AVG 6.0.699 (release date 2.9.03) Virus Database 456 (release date 4.6.04)
MiniRemoval
Hijack This v1.97.7


I ran CWS and it reported that it removed 4 infected IE registry values.

I ran Spybot 1.3 and it immunised the following (but it keeps returning):-
Hellz Little Spy (1 Entry – C:\windows\system\system.exe)

I ran AVG 6.0 and it found nothing (A previous scan yesterday found 39 viruses, with 37 being removed and 2 put into the virus vault).

I then ran MiniRemoval which reported “CoolWWWSearch smartkiller (v1/v2) was not found…”.

Then Hijack This produced the following log:-


Logfile of HijackThis v1.97.7
Scan saved at 10:32:39, on 05/06/04
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v5.50 (5.50.4134.0600)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\WINMODEM.101\wmexe.exe
C:\PROGRAM FILES\GRISOFT\AVG6\AVGSERV9.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER\DPPS2.EXE
C:\PROGRAM FILES\GRISOFT\AVG6\AVGCC32.EXE
C:\PROGRAM FILES\SPYBOT - SEARCH & DESTROY\TEATIMER.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\WINWORD.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\MY DOCUMENTS\DOWNLOADS\PROGRAMMES\SECURITY\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 140.122.64.20:80
F1 - win.ini: run=c:\Modem\Modem.exe
O2 - BHO: (no name) - {A9A674BF-771F-42E5-A440-D20DDA85A862} - C:\WINDOWS\SYSTEM\04C2VCYAAUY.DLL
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Pop-Up Stopper] "C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER\DPPS2.EXE"
O4 - HKLM\..\Run: [jopa] C:\WINDOWS\SYSTEM\SYSSTARTUP.EXE
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRAM FILES\GRISOFT\AVG6\avgcc32.exe /startup
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [winmodem] WINMODEM.101\wmexe.exe
O4 - HKLM\..\RunServices: [Avgserv9.exe] C:\PROGRA~1\GRISOFT\AVG6\Avgserv9.exe
O4 - HKCU\..\Run: [jopa] C:\WINDOWS\SYSTEM\SYSSTARTUP.EXE
O4 - HKCU\..\Run: [uninstal] regsvr32 /u /s image.dll
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\PROGRAM FILES\SPYBOT - SEARCH & DESTROY\TeaTimer.exe
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O15 - Trusted Zone: *.greg-search.com
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...oc...wflash.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.micr...d/...mv9VCM.CAB
After a re-boot, I re-ran Hijack This:-


Logfile of HijackThis v1.97.7
Scan saved at 10:37:59, on 05/06/04
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v5.50 (5.50.4134.0600)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\WINMODEM.101\wmexe.exe
C:\PROGRAM FILES\GRISOFT\AVG6\AVGSERV9.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER\DPPS2.EXE
C:\PROGRAM FILES\GRISOFT\AVG6\AVGCC32.EXE
C:\PROGRAM FILES\SPYBOT - SEARCH & DESTROY\TEATIMER.EXE
C:\MY DOCUMENTS\DOWNLOADS\PROGRAMMES\SECURITY\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://solongas.com/hp.htm?id=9
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 140.122.64.20:80
F1 - win.ini: run=c:\Modem\Modem.exe
O2 - BHO: (no name) - {A9A674BF-771F-42E5-A440-D20DDA85A862} - C:\WINDOWS\SYSTEM\04C2VCYAAUY.DLL
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Pop-Up Stopper] "C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER\DPPS2.EXE"
O4 - HKLM\..\Run: [jopa] C:\WINDOWS\SYSTEM\SYSSTARTUP.EXE
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRAM FILES\GRISOFT\AVG6\avgcc32.exe /startup
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [winmodem] WINMODEM.101\wmexe.exe
O4 - HKLM\..\RunServices: [Avgserv9.exe] C:\PROGRA~1\GRISOFT\AVG6\Avgserv9.exe
O4 - HKCU\..\Run: [jopa] C:\WINDOWS\SYSTEM\SYSSTARTUP.EXE
O4 - HKCU\..\Run: [uninstal] regsvr32 /u /s image.dll
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\PROGRAM FILES\SPYBOT - SEARCH & DESTROY\TeaTimer.exe
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O15 - Trusted Zone: *.greg-search.com
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...oc...wflash.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.micr...d/...mv9VCM.CAB

The various pieces of software report, and seemingly fix, a number of problems, but they keep returning, and I seem to be going round in circles!!! – Help!!!!


Coincidentally, or otherwise, my pop-up stopper (which I have been using successfully for a long time) has stopped working (Pop-up Stopper 2.4). I upgraded to the latest version, but it still doesn’t work. It happened this evening, and I’m not sure which, if any of the following has caused the problem:-

As shown in my original post, I have been doing a lot of scanning with all the software detailed, but I also followed the IE security settings advice by Mike Healan on the Spyware Forum site. I thought it may be because of this latter change, so I returned the security settings back to the way they were, but it still does not work.


Any ideas?

TIA.

Edited by Albascotia, 05 June 2004 - 04:55 PM.


#2 Daemon

    Security Expert

  • Emeritus
  • 3,350 posts

Posted 05 June 2004 - 04:58 PM

Update CWShredder to v1.59 (new today), click 'Fix', then rescan with HJT and post a new log so that any remnants can be removed.

#3 Albascotia

    Member

  • Full Member
  • 13 posts

Posted 05 June 2004 - 05:56 PM

@ Daemon

Thanks for the reply.

As requested, I updated CWShredder to v1.59, then ran HJT:-

Logfile of HijackThis v1.97.7
Scan saved at 23:53:40, on 05/06/04
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v5.50 (5.50.4134.0600)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\WINMODEM.101\wmexe.exe
C:\PROGRAM FILES\GRISOFT\AVG6\AVGSERV9.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\GRISOFT\AVG6\AVGCC32.EXE
C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER FREE EDITION\PSFREE.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\SPYBOT - SEARCH & DESTROY\TEATIMER.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\WINWORD.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\MY DOCUMENTS\DOWNLOADS\PROGRAMMES\SECURITY\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
F1 - win.ini: run=c:\Modem\Modem.exe
O2 - BHO: (no name) - {A9A674BF-771F-42E5-A440-D20DDA85A862} - C:\WINDOWS\SYSTEM\04C2VCYAAUY.DLL
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRAM FILES\GRISOFT\AVG6\avgcc32.exe /startup
O4 - HKLM\..\Run: [jopa] C:\WINDOWS\SYSTEM\SYSSTARTUP.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [winmodem] WINMODEM.101\wmexe.exe
O4 - HKLM\..\RunServices: [Avgserv9.exe] C:\PROGRA~1\GRISOFT\AVG6\Avgserv9.exe
O4 - HKCU\..\Run: [uninstal] regsvr32 /u /s image.dll
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\PROGRAM FILES\SPYBOT - SEARCH & DESTROY\TeaTimer.exe
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER FREE EDITION\PSFREE.EXE"
O4 - HKCU\..\Run: [jopa] C:\WINDOWS\SYSTEM\SYSSTARTUP.EXE
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O15 - Trusted Zone: *.greg-search.com
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.micr...922/wmv9VCM.CAB


TIA.

Edited by Albascotia, 05 June 2004 - 05:58 PM.


#4 Albascotia

    Member

  • Full Member
  • 13 posts

Posted 05 June 2004 - 06:32 PM

My apologies, I forgot to close all browser windows!

This is the result of re-running after closing all windows:-


Logfile of HijackThis v1.97.7
Scan saved at 00:19:59, on 06/06/04
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v5.50 (5.50.4134.0600)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\WINMODEM.101\wmexe.exe
C:\PROGRAM FILES\GRISOFT\AVG6\AVGSERV9.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\GRISOFT\AVG6\AVGCC32.EXE
C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER FREE EDITION\PSFREE.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\SPYBOT - SEARCH & DESTROY\TEATIMER.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\WINWORD.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\MY DOCUMENTS\DOWNLOADS\PROGRAMMES\SECURITY\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
F1 - win.ini: run=c:\Modem\Modem.exe
O2 - BHO: (no name) - {A9A674BF-771F-42E5-A440-D20DDA85A862} - C:\WINDOWS\SYSTEM\04C2VCYAAUY.DLL
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRAM FILES\GRISOFT\AVG6\avgcc32.exe /startup
O4 - HKLM\..\Run: [jopa] C:\WINDOWS\SYSTEM\SYSSTARTUP.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [winmodem] WINMODEM.101\wmexe.exe
O4 - HKLM\..\RunServices: [Avgserv9.exe] C:\PROGRA~1\GRISOFT\AVG6\Avgserv9.exe
O4 - HKCU\..\Run: [uninstal] regsvr32 /u /s image.dll
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\PROGRAM FILES\SPYBOT - SEARCH & DESTROY\TeaTimer.exe
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER FREE EDITION\PSFREE.EXE"
O4 - HKCU\..\Run: [jopa] C:\WINDOWS\SYSTEM\SYSSTARTUP.EXE
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O15 - Trusted Zone: *.greg-search.com
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.micr...922/wmv9VCM.CAB

TIA.

#5 Daemon

    Security Expert

  • Emeritus
  • 3,350 posts

Posted 06 June 2004 - 03:52 AM

Did CWShredder say that it had removed anything? There are still a few remnants left behind. Make sure that you have no browser windows open, as this could prevent the fix from working properly. Open HijackThis, scan and, when complete, remove the following entries by checking the box to the left and clicking 'fixed checked':

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
O2 - BHO: (no name) - {A9A674BF-771F-42E5-A440-D20DDA85A862} - C:\WINDOWS\SYSTEM\04C2VCYAAUY.DLL
O4 - HKLM\..\Run: [jopa] C:\WINDOWS\SYSTEM\SYSSTARTUP.EXE
O4 - HKCU\..\Run: [uninstal] regsvr32 /u /s image.dll
O4 - HKCU\..\Run: [jopa] C:\WINDOWS\SYSTEM\SYSSTARTUP.EXE
O15 - Trusted Zone: *.greg-search.com

Click here for instructions on how to enable hidden files and folders to be visible. After enabling, reboot into safe mode by tapping F8 after the BIOS has loaded, then find and delete the following:

C:\WINDOWS\SYSTEM\SYSSTARTUP.EXE
C:\WINDOWS\image.dll

Reboot when done. Click here to get the latest version of Internet Explorer. Click here to make sure that you have the latest Critical Update patches for Windows. It's very important to keep your system up to date to avoid unnecessary security risks. Rescan with HJT and post a new log here for a final check over.
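The checks Daemon's instructions above amount to (hijacked start page, a proxy set, an unnamed BHO, a Run entry that unregisters a DLL at every logon, a site added to the Trusted Zone) can be made mechanical, as can the "final check over" of a new log. The script below is an added example, not from this thread or from HijackThis itself: it parses HJT entry lines, applies those rules (my generalisation; it also flags the ProxyServer entry that had already vanished by the time Daemon listed the remnants), and diffs a before log against an after log. The two sample logs are constructed from a subset of the entries posted in this thread.

```python
import re

# Constructed sample: a subset of the HijackThis v1.97 entries from the two logs
# in this thread, before the fix (post #1, after reboot) and after 'Fix checked'
# plus reboot (post #6). Backslashes are literal, hence the raw strings.
BEFORE_LOG = r"""
Logfile of HijackThis v1.97.7
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://solongas.com/hp.htm?id=9
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 140.122.64.20:80
O2 - BHO: (no name) - {A9A674BF-771F-42E5-A440-D20DDA85A862} - C:\WINDOWS\SYSTEM\04C2VCYAAUY.DLL
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [jopa] C:\WINDOWS\SYSTEM\SYSSTARTUP.EXE
O4 - HKCU\..\Run: [uninstal] regsvr32 /u /s image.dll
O15 - Trusted Zone: *.greg-search.com
"""
AFTER_LOG = r"""
Logfile of HijackThis v1.97.7
O2 - BHO: (no name) - {A9A674BF-771F-42E5-A440-D20DDA85A862} - (no file)
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
"""

# An HJT entry line is "<section code> - <body>", e.g. "O4 - HKLM\..\Run: [...] ...".
ENTRY_RE = re.compile(r"^(?P<sec>[A-Z]\d+) - (?P<body>.+)$")
SAFE_START_PAGES = {"about:blank"}


def parse_log(text):
    """Return (section, body) pairs for entry lines; header and process lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("sec"), m.group("body")))
    return entries


def flag_entries(entries):
    """Apply the checks the helper's instructions in this thread amount to.

    Returns (section, body, reason) for each entry worth a second look. These
    rules are an assumption drawn from this thread, not HijackThis's own logic.
    """
    flags = []
    for sec, body in entries:
        key, _, value = body.partition(" = ")
        if sec in ("R0", "R1") and key.endswith(",ProxyServer"):
            flags.append((sec, body, "proxy set: all IE traffic is routed via that host"))
        elif sec in ("R0", "R1") and key.endswith(",Start Page") and value not in SAFE_START_PAGES:
            flags.append((sec, body, "start page hijacked"))
        elif sec == "O2" and body.startswith("BHO: (no name)"):
            reason = ("orphaned BHO, file gone" if body.endswith("(no file)")
                      else "unnamed BHO loads into every IE process")
            flags.append((sec, body, reason))
        elif sec == "O4" and re.search(r"\bregsvr32\b.*\s/u\b", body, re.IGNORECASE):
            flags.append((sec, body, "startup entry unregisters a DLL at every logon"))
        elif sec == "O15":
            flags.append((sec, body, "site added to the IE Trusted Zone"))
    return flags


def diff_logs(before, after):
    """Entries removed by the fix and entries that newly appeared (e.g. orphans)."""
    b, a = set(parse_log(before)), set(parse_log(after))
    return sorted(b - a), sorted(a - b)


if __name__ == "__main__":
    for sec, body, why in flag_entries(parse_log(BEFORE_LOG)):
        print(f"FLAG {sec}: {body}\n     {why}")
    removed, added = diff_logs(BEFORE_LOG, AFTER_LOG)
    print(f"\n{len(removed)} entries removed, {len(added)} new after the fix")
    for sec, body in added:
        print(f"NEW  {sec}: {body}")
```

Entries in the "new" list after a fix are exactly what to look at in the follow-up log; the orphaned BHO Daemon comments on below shows up there.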

#6 Albascotia

    Member

  • Full Member
  • 13 posts

Posted 06 June 2004 - 05:28 AM

I made sure that all IE windows were closed and re-ran CWShredder. All items were not present/not infected, with the following exceptions:-

CWS.hptui – Removed
Restoring Internet Explorer Pages – Restored 4 Items
Cleaning Up Orphaned Leftovers – Done!


I then ran HJT and ticked as per your suggestions above, then selected ‘Fix Checked’.

I then did File>Settings>Folder Options>View and selected show all files.

Rebooted into safe mode (at the second attempt!!), but I was unable to find:-

C:\WINDOWS\SYSTEM\SYSSTARTUP.EXE
C:\WINDOWS\image.dll

They were not there.

Rebooted as normal, then I re-ran HJT:-


Logfile of HijackThis v1.97.7
Scan saved at 11:12:08, on 06/06/04
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v5.50 (5.50.4134.0600)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\WINMODEM.101\wmexe.exe
C:\PROGRAM FILES\GRISOFT\AVG6\AVGSERV9.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\GRISOFT\AVG6\AVGCC32.EXE
C:\PROGRAM FILES\SPYBOT - SEARCH & DESTROY\TEATIMER.EXE
C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER FREE EDITION\PSFREE.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\WINWORD.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\MY DOCUMENTS\DOWNLOADS\PROGRAMMES\SECURITY\HIJACKTHIS.EXE

F1 - win.ini: run=c:\Modem\Modem.exe
O2 - BHO: (no name) - {A9A674BF-771F-42E5-A440-D20DDA85A862} - (no file)
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRAM FILES\GRISOFT\AVG6\avgcc32.exe /startup
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [winmodem] WINMODEM.101\wmexe.exe
O4 - HKLM\..\RunServices: [Avgserv9.exe] C:\PROGRA~1\GRISOFT\AVG6\Avgserv9.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\PROGRAM FILES\SPYBOT - SEARCH & DESTROY\TeaTimer.exe
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER FREE EDITION\PSFREE.EXE"
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.micr...922/wmv9VCM.CAB


I notice that O2 – BHO is still there.

Should I try fixing O2 – BHO again?

I also notice that I have 14 ‘backup-20040606-…’ files in the same folder as HJT – are these HJT backups of the fixed files?

My PC is 6 years old and substantially full, so I’m not sure if I will be able to upgrade to the latest IE. I realise that this means that I am unnecessarily insecure, but I am just about to start looking at the possibilities for a replacement PC.

Are there any other problems in this latest log?

As mentioned in my original post, I have also had some viruses that re-appear – should I post separately to deal with this problem?


Thanks for all your help.

#7 Daemon

    Security Expert

  • Emeritus
  • 3,350 posts

Posted 06 June 2004 - 06:04 AM

It's clean now. The O2 is an orphan entry as the file is gone - you could try removing it again but it can't harm you anyway.

We can carry on here with the virus problem for now - are any being revealed in your latest scans?

#8 Albascotia

    Member

  • Full Member
  • 13 posts

Posted 06 June 2004 - 07:40 AM

My latest scan using AVG 6.0.699 (virus database 456) found 1 virus:-

Trojan Horse Dialer.8.U in file C:\windows\on-line.exe

AVG moved it to the virus vault.

I have run a number of scans over the last few days, and although some come back clean, the virus above keeps re-appearing every few scans or so.

Similarly, although not present this time, Trojan Horse Krepper.I in various Windows Temp files re-appears even though AVG reports that they have all been healed.

Do I just delete on-line.exe?

TIA.

#9 Daemon

    Security Expert

  • Emeritus
  • 3,350 posts

Posted 06 June 2004 - 07:47 AM

If it's been moved to the vault then it can do you no harm.

Clear out the junk files with this. Click here to download System Security Suite. Extract it from the zip file into a folder and doubleclick on sss.exe. Check the boxes under the 'Items to Clear' tab and click 'Clear Selected Items'. You will be prompted to reboot, do so.

#10 Albascotia

    Member

  • Full Member
  • 13 posts

Posted 06 June 2004 - 05:02 PM

I followed your instructions re SSE, and, so far, the viruses seem to have gone for good. I’ll keep an eye on it over the next few days though, just in case.

I have one (hopefully!) final recurring problem reported in Spybot – should I start a new thread for this one?

TIA.

#11 Daemon

    Security Expert

  • Emeritus
  • 3,350 posts

Posted 06 June 2004 - 05:06 PM

No, just carry on here.

#12 Albascotia

    Member

  • Full Member
  • 13 posts

Posted 06 June 2004 - 05:36 PM

Do you ever sleep? :)

Spybot 1.3 keeps finding, then fixing:-

Hellz Little Spy in C:\WINDOWS\SYSTEM\system.exe

Can't seem to get rid of it for good though.

Any ideas?

#13 Daemon

    Security Expert

  • Emeritus
  • 3,350 posts

Posted 07 June 2004 - 02:10 AM

Looks dodgy. Could you find, zip and send it to this e-mail address, including a link to this thread in the body of the email? I'll check it for you.

#14 Albascotia

    Member

  • Full Member
  • 13 posts

Posted 08 June 2004 - 05:45 PM

I have done a couple of scans over the last two days, and Spybot reports no problems, so it seems as though HLS may finally have been eradicated. I will keep an eye on it, and if it returns, I will email you as per your instructions.

Thanks once again for all your help; I very much appreciate all the time and effort you have put into solving these problems. At the moment (touch wood!) my system now seems ‘clean’.

Thank you.

#15 Daemon

    Security Expert

  • Emeritus
  • 3,350 posts

Posted 09 June 2004 - 01:34 AM

You're welcome - glad to help :D

As this problem has been resolved the topic will be closed. If you need this topic reopened, please click here to email the moderating team - be sure to include the address of the thread and the name you posted under.