Jump to content


Photo

keylogger.briss.g


  • Please log in to reply
12 replies to this topic

#1 jtkpenguin

jtkpenguin

    Member

  • Full Member
  • Pip
  • 27 posts

Posted 09 June 2004 - 03:17 PM

Have contracted this beastly infection on my daughter's pc runing Windows ME & now it's not booting up properly.... can get to the desktop but then it hangs completely & have to power off, restart starts to do scandisk but never finishes...

Have booted to safe mode, disabled sys restore, run Stinger which was clear, have AVG but haven't been able to update it since april....

Not sure what to do now...

here's the HJ log

Logfile of HijackThis v1.97.7
Scan saved at 12:09:17, on 09/06/2004
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\NEW FOLDER\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp...rch/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapp...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ie/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapp...://my.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapp...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://red.clientapp...://my.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapp...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_3_12_0.DLL
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WINDOWS\TWAINTEC.DLL
O2 - BHO: (no name) - {9C691A33-7DDA-4C2F-BE4C-C176083F35CF} - C:\WINDOWS\DOWNLOADED PROGRAM FILES\BRIDGE.DLL (file missing)
O2 - BHO: Clear Search - {00000000-0000-0000-0000-000000000240} - C:\PROGRAM FILES\CLEARSEARCH\IE_CLRSCH.DLL
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\PROGRAM FILES\CANON\EASY-WEBPRINT\TOOLBAND.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_3_12_0.DLL
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\GRISOFT\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [internat.exe] internat.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [ClrSchLoader] \Program Files\ClearSearch\Loader.exe
O4 - HKLM\..\Run: [systray] C:\WINDOWS\SYSTEM\A.EXE
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [ATIPOLAB] ati2evxx.exe
O4 - HKLM\..\RunServices: [Avgserv9.exe] C:\PROGRA~1\GRISOFT\AVG6\Avgserv9.exe
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [MyEMessenger Quick Access] C:\WINDOWS\SYSTEM\myemaccess.exe C:\Program Files\MyEMessenger\MyEMessenger.exe
O4 - HKCU\..\Run: [MyEMessenger] C:\Program Files\MyEMessenger\MyEMessenger.exe /autorun
O4 - Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: NkvMon.exe.lnk = C:\Program Files\Nikon\NkView6\NkvMon.exe
O4 - Startup: Photo Loader supervisory.lnk = C:\Program Files\CASIO\Photo Loader\Plauto.exe
O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O12 - Plugin for .mpg: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin3.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...ector/swdir.cab
O16 - DPF: {08BEF711-06DA-48B2-9534-802ECAA2E4F9} (PlxInstall Class) - http://www.plaxo.com...laxoInstall.cab
O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://content.konti...current/kdx.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yaho...s/yinst0401.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.c.../ymmapi_416.dll
O16 - DPF: {9C691A33-7DDA-4C2F-BE4C-C176083F35CF} (brdg Class) - http://www2.flingsto...inue/bridge.cab
O16 - DPF: {91BE8DAC-957E-416C-B735-E2B63CDB915B} (MyEMessengerSetup Control) - http://www.myemessen...etupProject.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.c...utocomplete.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcaf...364/mcfscan.cab

Tia for any help of any kind

JTK

#2 NonSuch

NonSuch

    Spyware Eradicator!

  • Trusted Advisor
  • PipPipPipPipPip
  • 1,369 posts

Posted 09 June 2004 - 08:10 PM

Hello,

I suggest you first try uninstalling MyEMessenger from Add/Remove Programs if it's available there to do so. Then remove the remaining 04 and 016 items by fixing with HijackThis.

Please print a copy of the following instructions because you will be working with all windows closed except HijackThis.

Please run HijackThis and place a check mark next to the following items then, WITH ALL OTHER WINDOWS CLOSED, select “fix checked.”

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp...rch/search.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapp...//www.yahoo.com

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapp...://my.yahoo.com

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp...rch/search.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapp...//www.yahoo.com

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://red.clientapp...://my.yahoo.com

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapp...//www.yahoo.com

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com

O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WINDOWS\TWAINTEC.DLL

O2 - BHO: (no name) - {9C691A33-7DDA-4C2F-BE4C-C176083F35CF} - C:\WINDOWS\DOWNLOADED PROGRAM FILES\BRIDGE.DLL (file missing)

O2 - BHO: Clear Search - {00000000-0000-0000-0000-000000000240} - C:\PROGRAM FILES\CLEARSEARCH\IE_CLRSCH.DLL

O4 - HKLM\..\Run: [ClrSchLoader] \Program Files\ClearSearch\Loader.exe

O4 - HKLM\..\Run: [systray] C:\WINDOWS\SYSTEM\A.EXE

O4 - HKCU\..\Run: [MyEMessenger Quick Access] C:\WINDOWS\SYSTEM\myemaccess.exe C:\Program Files\MyEMessenger\MyEMessenger.exe

O4 - HKCU\..\Run: [MyEMessenger] C:\Program Files\MyEMessenger\MyEMessenger.exe /autorun

O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://content.konti...current/kdx.cab

O16 - DPF: {9C691A33-7DDA-4C2F-BE4C-C176083F35CF} (brdg Class) - http://www2.flingsto...inue/bridge.cab

O16 - DPF: {91BE8DAC-957E-416C-B735-E2B63CDB915B} (MyEMessengerSetup Control) - http://www.myemessen...etupProject.cab


Enable the ”Show Hidden Files and Folders” option:
Click Start.
Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.
Click OK.

Now, boot into safe mode and search for, and delete if found, (some files may not be present after previous steps) the following:

C:\WINDOWS\TWAINTEC.DLL < file

C:\Program Files\ClearSearch\ < folder

C:\WINDOWS\SYSTEM\A.EXE < file

C:\WINDOWS\SYSTEM\myemaccess.exe < file

C:\Program Files\MyEMessenger\ < folder

Reboot.

Please delete your temporary files by deleting all files and folders that are in those folders (do not delete the temp folder itself) like for example:

C:\WINDOWS\Temp\

C:\Temp\

Also delete your Temporary Internet Files, be sure to also select "delete all offline content."

If you cannot update your AVG antivirus, then download avast! free antivirus from the link in my signature below. After you download it, and before you install it, uninstall AVG.

Next, please click here to download Spybot Search & Destroy - Install, update, scan and fix all RED items it finds. Reboot when done.

Click here to download Ad-Aware and install. Before scanning click on "check for updates now" to make sure you have the latest reference file. Then click the gear wheel at the top and check these options:

General> activate these: "Automatically save log-file" and "Automatically quarantine objects prior to removal"

Scanning > activate these: "Scan within archives", "Scan active processes", "Scan registry", "Deep scan registry," "Scan my IE Favorites for banned sites," and "Scan my Hosts file"

Tweaks > Scanning Engine> activate this: "Unload recognized processes during scanning."

Tweaks > Cleaning Engine: activate these: "Automatically try to unregister objects prior to deletion" and "Let Windows remove files in use after reboot."

Click "Proceed" to save your settings, then click "Start." Make sure "Activate in-depth scan" is ticked green, then scan your system. When the scan is finished, the screen will tell you if anything has been found, click "Next." The bad files will be listed. Right click the pane and click "Select all objects" - This will put a check mark in the box at the side, click "Next" again and click "OK" at the prompt "# objects will be removed. Continue?"

Next, perform an online virus scan at Trend Micro and an online Trojan scan at Sygate. (See links in my signature below). Allow each program to remove whatever it may find. Reboot after each scan.

Now, use the link below to proceed to the Windows Update site. Scan your system for needed updates, then download and install them. This may take some time and you may have to reboot in between some installations, and then return to the site for more updates. It's important that you do this.

Scan with HJT and post a new log into this same thread, and we will see what remains to be done.

#3 jtkpenguin

jtkpenguin

    Member

  • Full Member
  • Pip
  • 27 posts

Posted 10 June 2004 - 10:09 AM

Hello, Nonsuch

Your help is very much appreciated... I've followed your instructions with the following results:

MyEMessenger - couldn't remove via Add/Remove Progs - error said the program had already been deleted.

Spybot 1.3 & Adaware - as I can't get the pc online I've just downloaded both from internet onto cd & installed from there, both found items which I've deleted.

Have not been able to run online virus scans or updates as you suggested.

Rebooted in between installing & runing both Adaware & spybot but now I'm back to the same problem pc is hanging within 3/4 mins of booting up into normal windows !!

Just about to boot into safe mode again, un-install AVG & install Avast to see if that'll make any difference.....

Looking forward to your reply, pls, tia

JTK

#4 jtkpenguin

jtkpenguin

    Member

  • Full Member
  • Pip
  • 27 posts

Posted 10 June 2004 - 10:46 AM

further update,

I've un-installed AVG, rebooted into normal windows ok, installed & run Avast
......it's found the W32.Revop (Trj) file in C:\windows\system\bH.dll\(UPX)

Options:
Move or Rename - ticked 'Force moving locked or used file on system startup' - access denied msg
Delete - delete permenantly - gave access denied msg
Repair - gives an access denied msg
Move to Chest - same access denied msg

Help it seems what ever option I choose it doesn't get rid of the virus !! don't know what to do now.....

Tia

JTK

#5 jtkpenguin

jtkpenguin

    Member

  • Full Member
  • Pip
  • 27 posts

Posted 10 June 2004 - 12:49 PM

another update....

at the results page I was able to delete this file C:\windows\system\bH.dll\(UPX)

Then rebooted into normal windows, now able to conn to Internet & currently running online virus scan at trend micro... will then head over to Sygate as per your instructions - will post further update with HJT log after that....

Thanks again for all assistance & apologies for the many follow-up posts.

Tia

JTK

#6 NonSuch

NonSuch

    Spyware Eradicator!

  • Trusted Advisor
  • PipPipPipPipPip
  • 1,369 posts

Posted 10 June 2004 - 01:34 PM

jtkpenguin,

Don't worry about the number of posts, you're giving updates and that's important. It sounds like you're making real progress! Posted Image

I personally like avast! because it will automatically check for and install updates when you connect to the internet. Also, it updates frequently.

Post a fresh log when you've finished with everything, and we'll have a look.

#7 jtkpenguin

jtkpenguin

    Member

  • Full Member
  • Pip
  • 27 posts

Posted 10 June 2004 - 02:29 PM

Many thanks again for your help, NonSuch,

online scan at Trend Micro found 1 file C:\Windows\Downloaded Programs\jao.dll infected with Troj.Briss.A
Sygate found nothing & ZA detected an attack so it must be doing its job!

Currently running through the Windows updates - jeez there's a heap of them....

Will then post fresh HJT log

JTK

#8 jtkpenguin

jtkpenguin

    Member

  • Full Member
  • Pip
  • 27 posts

Posted 11 June 2004 - 07:21 AM

Have now finished Win updates...
Updated Ad-aware, run it & found 4 items - deleted
Updated Spybot, run it found 1 item - deleted
Ran Cwshredder - system clean

2 probs still seem to remain & I don't know if they're related to the infestations I've had on the pc, both happen on booting into Windows:

1) ZAlarm says I have no AV software installed opt is to turn on ZA's own & despite doing this the same msg still reappears on rebooting system
2) Yahoo Messenger login scr (with username I don't recognise) comes up & attempts to dial internet - establishes a con even though I cancel it & then says another prog is trying to establish a conn.

here's my HJT log

Logfile of HijackThis v1.97.7
Scan saved at 13:07:38, on 11/06/2004
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHSERV.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\LOADQM.EXE
C:\WINDOWS\SYSTEM\INTERNAT.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\AHEAD\INCD\INCD.EXE
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHMAISV.EXE
C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\WORKS SHARED\WKCALREM.EXE
C:\PROGRAM FILES\NIKON\NKVIEW6\NKVMON.EXE
C:\PROGRAM FILES\CASIO\PHOTO LOADER\PLAUTO.EXE
C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\NEW FOLDER\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ie/
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_3_12_0.DLL
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\PROGRAM FILES\CANON\EASY-WEBPRINT\TOOLBAND.DLL
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_3_12_0.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [internat.exe] internat.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [ashMaiSv] C:\PROGRA~1\ALWILS~1\AVAST4\ashmaisv.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [ATIPOLAB] ati2evxx.exe
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - HKLM\..\RunServices: [avast!] C:\Program Files\Alwil Software\Avast4\ashServ.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: NkvMon.exe.lnk = C:\Program Files\Nikon\NkView6\NkvMon.exe
O4 - Startup: Photo Loader supervisory.lnk = C:\Program Files\CASIO\Photo Loader\Plauto.exe
O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O12 - Plugin for .mpg: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin3.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...ector/swdir.cab
O16 - DPF: {08BEF711-06DA-48B2-9534-802ECAA2E4F9} (PlxInstall Class) - http://www.plaxo.com...laxoInstall.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yaho...s/yinst0401.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.c.../ymmapi_416.dll
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.c...utocomplete.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcaf...364/mcfscan.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...8148.4708564815

Pls could you tell me what's left to do...

Thanks in advance

Jtk

#9 jtkpenguin

jtkpenguin

    Member

  • Full Member
  • Pip
  • 27 posts

Posted 11 June 2004 - 11:19 AM

update...

Have now re-installed ZA & it's seems to have sorted out that problem but still left with the Yahoo messenger, tried uninstalling through Add/remove but it's just hanging... every time I reboot Yahoo dials the internet, so I'd really like to get it off the system.

Have run another AVast scan which was clean, also put it in as second drive to my system & run McAfee scan - also clean...

Tia

Jtk

#10 NonSuch

NonSuch

    Spyware Eradicator!

  • Trusted Advisor
  • PipPipPipPipPip
  • 1,369 posts

Posted 11 June 2004 - 03:04 PM

jtkpenguin,

First, remove everything from Add/Remove Programs that references Yahoo. If this does not work in normal mode, boot into safe mode. (You can always do a fresh reinstall later if you choose).

NOTE: Please print a copy of these instructions because you will be working with all windows closed except HijackThis.

Please run HijackThis and place a check mark next to the following items then, WITH ALL OTHER WINDOWS CLOSED, select “fix checked.”

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ie/

O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_3_12_0.DLL

O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_3_12_0.DLL

O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet

O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm

O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm

O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm

O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)


Fix all of the following. They will be reinstalled if/when the web sites requiring them are revisited:

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab

O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...ector/swdir.cab

O16 - DPF: {08BEF711-06DA-48B2-9534-802ECAA2E4F9} (PlxInstall Class) - http://www.plaxo.com...laxoInstall.cab

O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yaho...s/yinst0401.cab

O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.c.../ymmapi_416.dll

O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.c...utocomplete.cab



Enable the ”Show Hidden Files and Folders” option:
Click Start.
Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.
Click OK.

Now, boot into safe mode search for, and delete the following folder:

C:\Program Files\Yahoo!\

Reboot and empty out all your temp folders again, then empty the Recycle Bin.

I suggest you download IE-SPYAD from here: http://www.staff.uiu...rce.htm#IESPYAD

It will place over 5000 sites in your restricted zone so that you don't accidentally visit innocent appearing sites that aren't really innocent. (This may keep the same problem from arising again!)

There's also a small program, called RegistryProt that will warn you when a program attempts to make changes to your registry and will ask you if you want to allow the change. You'll find it here, under "freeware": http://www.diamondcs...p?page=products

Reboot, and see if the problems are resolved.

#11 jtkpenguin

jtkpenguin

    Member

  • Full Member
  • Pip
  • 27 posts

Posted 11 June 2004 - 03:41 PM

Thanks again, NonSuch, for your ongoing excellent advice,

Just before I saw your post I had tried un-installing Yahoo messenger through add/remove progs, choosing custom option & it managed to remove most of the prog, will now boot into safe mode & do as you suggest.

Update to follow.

Your ongoing support is very much appreciated - hats off to you!!

Jtk

#12 jtkpenguin

jtkpenguin

    Member

  • Full Member
  • Pip
  • 27 posts

Posted 12 June 2004 - 09:57 AM

And finally...

After completing your instructions & rebooting the beastly infections & Yahoo messenger are at last gone, the pc is back to it's old self again & I have regained a mediocum of sanity.

Thanks for all the patient & kind assistance given in such a friendly manner.

JTK

#13 NonSuch

NonSuch

    Spyware Eradicator!

  • Trusted Advisor
  • PipPipPipPipPip
  • 1,369 posts

Posted 12 June 2004 - 11:43 AM

JTK,

You're very welcome. I'm so glad we could help! Posted Image

I know you've had to work very hard to get this system cleaned up. To help keep it that way, please take a few minutes to read the short article, "How did I get infected in the first place?" (See link below). It has excellent information on keeping your computer secure in the future as well as links to good, free anti-spyware tools. (It's a good article for your daughter to read too! :p )

:wave:




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

Member of ASAP and UNITE
Support SpywareInfo Forum - click the button