• Announcements

    • Budfred

      IE 11 copy/paste problem

      It has come to our attention that people using Internet Explorer 11 (IE 11) are having trouble with copy/paste to the forum. If you encounter this problem, using a different browser like Firefox or Chrome seems to get around the problem. We do not know what the problem is, but it seems to be specific to IE 11 and we are hopeful that Microsoft will eventually fix it.
    • Budfred

      PLEASE READ - Reversing upgrade   02/23/2017

      We have found that this new upgrade is somewhat of a disaster.  We are finding lots of glitches in being able to post and administer the forum.  Additionally, there are new costs associated with the upgrade that we simply cannot afford.  As a result, we have decided to reverse course and go back to the previous version of our software.  Since this will involve restoring it from a backup, we will lose posts that have been added since January 30 or possibly even some before that.    If you started a topic during that time, we urge you to make backups of your posts and you will need to start the topics over again after the change.  You can simply paste the copies of your posts that you created at that point.    If you joined the forum this month, you will need to re-register since your membership will be lost along with the posts.  Since you have a concealed password, we cannot simply restore your membership for you.   We are going to backup as much as we can so that it will reduce inconvenience for our members.  Unfortunately we cannot back everything up since much will be incompatible with the old version of our software.  We apologize for the confusion and regret the need to do this even though it is not viable to continue with this version of the software.   We plan to begin the process tomorrow evening and, if it goes smoothly, we shouldn't be offline for very long.  However, since we have not done this before, we are not sure how smoothly it will go.  We ask your patience as we proceed.   EDIT: I have asked our hosting service to do the restore at 9 PM Central time and it looks like it will go forward at that time.  Please prepare whatever you need to prepare so that we can restore your topics when the forum is stable again.
Sign in to follow this  
Followers 0
smiddleton

Mirka4.exe malware removal

15 posts in this topic

When I start up my computer, which is Windows ME, I have to end the process mirka4.exe every time. I ran ad aware, cw shredder, and spybot. None of them took care of this problem. The file is located in C:\WINDOWS\SYSTEM. I've deleted the file, and it comes back everytime I reboot my system. I've renamed the file to mirka4.old and it changes back to mirk4.exe after a reboot. I renamed 2 references in the registry to mirk4.old as well...still no luck. How do I get this robot off of my computer? Any help is much appreciated.

 

Here is my hijack this log:

 

Logfile of HijackThis v1.97.7

Scan saved at 8:32:43 AM, on 6/23/2004

Platform: Windows ME (Win9x 4.90.3000)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\SYSTEM\KERNEL32.DLL

C:\WINDOWS\SYSTEM\MSGSRV32.EXE

C:\WINDOWS\SYSTEM\mmtask.tsk

C:\WINDOWS\SYSTEM\MPREXE.EXE

C:\WINDOWS\SYSTEM\MSTASK.EXE

C:\WINDOWS\SYSTEM\SSDPSRV.EXE

C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE

C:\WINDOWS\SYSTEM\ZONELABS\MINILOG.EXE

C:\WINDOWS\SYSTEM\STIMON.EXE

C:\PROGRAM FILES\GRISOFT\AVG6\AVGSERV9.EXE

C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE

C:\WINDOWS\EXPLORER.EXE

C:\WINDOWS\TASKMON.EXE

C:\WINDOWS\SYSTEM\SYSTRAY.EXE

C:\WINDOWS\SYSTEM\ATIPTAXX.EXE

C:\WINDOWS\SYSTEM\LVCOMS.EXE

C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE

C:\PROGRAM FILES\GRISOFT\AVG6\AVGCC32.EXE

C:\WINDOWS\SYSTEM\WMIEXE.EXE

C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZONEALARM.EXE

C:\WINDOWS\SYSTEM\DDHELP.EXE

C:\WINDOWS\SYSTEM\PSTORES.EXE

C:\WINDOWS\TEMP\TD_0001.DIR\HIJACKTHIS.EXE

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://abcnews.com/

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http://proxy:8080

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost

R3 - Default URLSearchHook is missing

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX

O2 - BHO: (no name) - {FA040B34-FBE9-4BEF-9D85-F90BECAACA99} - C:\WINDOWS\SYSTEM\4lqbupe.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX

O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe

O4 - HKLM\..\Run: [systemTray] SysTray.Exe

O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme

O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET

O4 - HKLM\..\Run: [Norton eMail Protect] C:\PROGRAM FILES\NORTON ANTIVIRUS\POProxy.exe

O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe

O4 - HKLM\..\Run: [LVComs] C:\WINDOWS\SYSTEM\LVComS.exe

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\GRISOFT\AVG6\avgcc32.exe /STARTUP

O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme

O4 - HKLM\..\RunServices: [schedulingAgent] mstask.exe

O4 - HKLM\..\RunServices: [sSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe

O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe

O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service

O4 - HKLM\..\RunServices: [MiniLog] C:\WINDOWS\SYSTEM\ZONELABS\MINILOG.EXE -service

O4 - HKLM\..\RunServices: [stillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE

O4 - HKLM\..\RunServices: [Avgserv9.exe] C:\PROGRA~1\GRISOFT\AVG6\Avgserv9.exe

O4 - HKLM\..\RunOnce: [MIRKA4.EXE] C:\WINDOWS\SYSTEM\MIRKA4.EXE

O4 - HKCU\..\RunOnce: [MIRKA4.EXE] C:\WINDOWS\SYSTEM\MIRKA4.EXE

O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O4 - Global Startup: ZoneAlarm.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE10\EXCEL.EXE/3000

O9 - Extra button: Messenger (HKLM)

O9 - Extra 'Tools' menuitem: MSN Messenger Service (HKLM)

O9 - Extra button: Real.com (HKLM)

O9 - Extra button: Yahoo! Messenger (HKLM)

O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)

O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa.../swdir8d205.cab

O16 - DPF: {01112B00-3E00-11D2-8470-0060089874ED} (Support.com RemoteControl Class) - http://help-data.excite.com/help/images/ra/tgrc.cab

O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab

O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab

O16 - DPF: {01111F00-3E00-11D2-8470-0060089874ED} (Support.com Installer) - http://v55.comcastsupport.com/sdccommon/do...ad/tgctlins.cab

O16 - DPF: {1C955F3B-5B32-4393-A05D-24B4970CD2A1} - http://spystream.babenet.com/cabs/videox.cab

O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200207...meInstaller.exe

O16 - DPF: {6F74F92E-8DD8-4DDE-8FB8-CBB882A68048} (Microsoft Office XP Professional Step by Step Interactive) - file://C:\Program Files\Microsoft Interactive Training\O10C\mitm0026.cab

O16 - DPF: {56C9629A-C33F-11D3-BBFB-00105A1FAD68} - http://www.eyetide.com/download//225/Eyetide%20Installer.cab

O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/....CAB?37875.5475

O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/common/groove/gx/GrooveAX.cab

O16 - DPF: {8D83D301-E841-11D1-B155-00600823BCF9} (WebLine Browser Integration Classes) - http://collsrv.thrifty.com/webline/applets/msie40x.cab

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab

Share this post


Link to post
Share on other sites

[Fooling the Program]

open the MIRKA4.EXE is in some editor, best is

from the command prompt

change to C:\WINDOWS\SYSTEM

 

C:\WINDOWS\SYSTEM> edit MIRKA4.EXE

 

Cut first 10 to 20 lines and paste them at the end and save the file.

 

By doing above you will corrupt the exe file, size will remain same,

only the modified date will change.

 

Most of the cases the above will fool the program, unless otherwise

it uses a CRC checking for the executable /modified date time stamp.

 

In regedit, under following keys just change the value:

O4 - HKLM\..\RunOnce: [MIRKA4.EXE] C:\WINDOWS\SYSTEM\MIRKA4.EXE

O4 - HKCU\..\RunOnce: [MIRKA4.EXE] C:\WINDOWS\SYSTEM\MIRKA4.EXE

 

to

 

C:\WINDOWS\SYSTEM\MIRKA4.EXE.

 

The above will prevent the program from running, but may be this value

will be overwritten if you reboot again with correct values

 

[Temporary Folder]

Clean your temporary folder

Start > Run > type Cleanmgr

select C: drive

 

 

[i Suspect the below]

 

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http://proxy:8080

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost

O2 - BHO: (no name) - {FA040B34-FBE9-4BEF-9D85-F90BECAACA99} - C:\WINDOWS\SYSTEM\4lqbupe.dll

Share this post


Link to post
Share on other sites

New HJT log:

 

Logfile of HijackThis v1.97.7

Scan saved at 10:06:25 AM, on 6/23/2004

Platform: Windows ME (Win9x 4.90.3000)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\SYSTEM\KERNEL32.DLL

C:\WINDOWS\SYSTEM\MSGSRV32.EXE

C:\WINDOWS\SYSTEM\mmtask.tsk

C:\WINDOWS\SYSTEM\MPREXE.EXE

C:\WINDOWS\SYSTEM\MSTASK.EXE

C:\WINDOWS\SYSTEM\SSDPSRV.EXE

C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE

C:\WINDOWS\SYSTEM\ZONELABS\MINILOG.EXE

C:\WINDOWS\SYSTEM\STIMON.EXE

C:\PROGRAM FILES\GRISOFT\AVG6\AVGSERV9.EXE

C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE

C:\WINDOWS\EXPLORER.EXE

C:\WINDOWS\TASKMON.EXE

C:\WINDOWS\SYSTEM\SYSTRAY.EXE

C:\WINDOWS\SYSTEM\ATIPTAXX.EXE

C:\WINDOWS\SYSTEM\LVCOMS.EXE

C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE

C:\PROGRAM FILES\GRISOFT\AVG6\AVGCC32.EXE

C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZONEALARM.EXE

C:\WINDOWS\SYSTEM\WMIEXE.EXE

C:\WINDOWS\SYSTEM\DDHELP.EXE

C:\WINDOWS\SYSTEM\PSTORES.EXE

C:\WINDOWS\SYSTEM\WBEM\WINMGMT.EXE

C:\WINDOWS\SYSTEM\SPOOL32.EXE

C:\WINDOWS\WUAUCLT.EXE

C:\PROGRAM FILES\WINZIP\WINZIP32.EXE

C:\WINDOWS\TEMP\HIJACKTHIS.EXE

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://abcnews.com/

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http://proxy:8080

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost

R3 - Default URLSearchHook is missing

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX

O2 - BHO: (no name) - {FA040B34-FBE9-4BEF-9D85-F90BECAACA99} - C:\WINDOWS\SYSTEM\057.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX

O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe

O4 - HKLM\..\Run: [systemTray] SysTray.Exe

O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme

O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET

O4 - HKLM\..\Run: [Norton eMail Protect] C:\PROGRAM FILES\NORTON ANTIVIRUS\POProxy.exe

O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe

O4 - HKLM\..\Run: [LVComs] C:\WINDOWS\SYSTEM\LVComS.exe

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\GRISOFT\AVG6\avgcc32.exe /STARTUP

O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme

O4 - HKLM\..\RunServices: [schedulingAgent] mstask.exe

O4 - HKLM\..\RunServices: [sSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe

O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe

O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service

O4 - HKLM\..\RunServices: [MiniLog] C:\WINDOWS\SYSTEM\ZONELABS\MINILOG.EXE -service

O4 - HKLM\..\RunServices: [stillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE

O4 - HKLM\..\RunServices: [Avgserv9.exe] C:\PROGRA~1\GRISOFT\AVG6\Avgserv9.exe

O4 - HKLM\..\RunOnce: [MIRKA4.EXE] C:\WINDOWS\SYSTEM\MIRKA4.EXE

O4 - HKCU\..\RunOnce: [MIRKA4.EXE] C:\WINDOWS\SYSTEM\MIRKA4.EXE

O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O4 - Global Startup: ZoneAlarm.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE10\EXCEL.EXE/3000

O9 - Extra button: Messenger (HKLM)

O9 - Extra 'Tools' menuitem: MSN Messenger Service (HKLM)

O9 - Extra button: Real.com (HKLM)

O9 - Extra button: Yahoo! Messenger (HKLM)

O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)

O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa.../swdir8d205.cab

O16 - DPF: {01112B00-3E00-11D2-8470-0060089874ED} (Support.com RemoteControl Class) - http://help-data.excite.com/help/images/ra/tgrc.cab

O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab

O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab

O16 - DPF: {01111F00-3E00-11D2-8470-0060089874ED} (Support.com Installer) - http://v55.comcastsupport.com/sdccommon/do...ad/tgctlins.cab

O16 - DPF: {1C955F3B-5B32-4393-A05D-24B4970CD2A1} - http://spystream.babenet.com/cabs/videox.cab

O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200207...meInstaller.exe

O16 - DPF: {6F74F92E-8DD8-4DDE-8FB8-CBB882A68048} (Microsoft Office XP Professional Step by Step Interactive) - file://C:\Program Files\Microsoft Interactive Training\O10C\mitm0026.cab

O16 - DPF: {56C9629A-C33F-11D3-BBFB-00105A1FAD68} - http://www.eyetide.com/download//225/Eyetide%20Installer.cab

O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/....CAB?37875.5475

O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/common/groove/gx/GrooveAX.cab

O16 - DPF: {8D83D301-E841-11D1-B155-00600823BCF9} (WebLine Browser Integration Classes) - http://collsrv.thrifty.com/webline/applets/msie40x.cab

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab

Share this post


Link to post
Share on other sites

Hi please run HijackThis again and place a check beside each of the following items. Once done close all other windows and click fix checked.

 

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http://proxy:8080

R3 - Default URLSearchHook is missing

 

O2 - BHO: (no name) - {FA040B34-FBE9-4BEF-9D85-F90BECAACA99} - C:\WINDOWS\SYSTEM\057.dll

 

O4 - HKLM\..\RunOnce: [MIRKA4.EXE] C:\WINDOWS\SYSTEM\MIRKA4.EXE

O4 - HKCU\..\RunOnce: [MIRKA4.EXE] C:\WINDOWS\SYSTEM\MIRKA4.EXE

O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

 

 

Now reboot and delete the following file

 

C:\WINDOWS\SYSTEM\MIRKA4.EXE

 

Then reboot once more and post a new HijackThis log.

Share this post


Link to post
Share on other sites

Logfile of HijackThis v1.97.7

Scan saved at 10:28:27 AM, on 6/23/2004

Platform: Windows ME (Win9x 4.90.3000)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\SYSTEM\KERNEL32.DLL

C:\WINDOWS\SYSTEM\MSGSRV32.EXE

C:\WINDOWS\SYSTEM\mmtask.tsk

C:\WINDOWS\SYSTEM\MPREXE.EXE

C:\WINDOWS\SYSTEM\MSTASK.EXE

C:\WINDOWS\SYSTEM\SSDPSRV.EXE

C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE

C:\WINDOWS\SYSTEM\ZONELABS\MINILOG.EXE

C:\WINDOWS\SYSTEM\STIMON.EXE

C:\PROGRAM FILES\GRISOFT\AVG6\AVGSERV9.EXE

C:\WINDOWS\EXPLORER.EXE

C:\WINDOWS\TASKMON.EXE

C:\WINDOWS\SYSTEM\SYSTRAY.EXE

C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE

C:\WINDOWS\SYSTEM\ATIPTAXX.EXE

C:\WINDOWS\SYSTEM\LVCOMS.EXE

C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE

C:\WINDOWS\SYSTEM\WMIEXE.EXE

C:\PROGRAM FILES\GRISOFT\AVG6\AVGCC32.EXE

C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZONEALARM.EXE

C:\PROGRAM FILES\WINZIP\WINZIP32.EXE

C:\WINDOWS\TEMP\HIJACKTHIS.EXE

C:\WINDOWS\WUAUCLT.EXE

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://abcnews.com/

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX

O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe

O4 - HKLM\..\Run: [systemTray] SysTray.Exe

O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme

O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET

O4 - HKLM\..\Run: [Norton eMail Protect] C:\PROGRAM FILES\NORTON ANTIVIRUS\POProxy.exe

O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe

O4 - HKLM\..\Run: [LVComs] C:\WINDOWS\SYSTEM\LVComS.exe

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\GRISOFT\AVG6\avgcc32.exe /STARTUP

O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme

O4 - HKLM\..\RunServices: [schedulingAgent] mstask.exe

O4 - HKLM\..\RunServices: [sSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe

O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe

O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service

O4 - HKLM\..\RunServices: [MiniLog] C:\WINDOWS\SYSTEM\ZONELABS\MINILOG.EXE -service

O4 - HKLM\..\RunServices: [stillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE

O4 - HKLM\..\RunServices: [Avgserv9.exe] C:\PROGRA~1\GRISOFT\AVG6\Avgserv9.exe

O4 - Global Startup: ZoneAlarm.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE10\EXCEL.EXE/3000

O9 - Extra button: Messenger (HKLM)

O9 - Extra 'Tools' menuitem: MSN Messenger Service (HKLM)

O9 - Extra button: Real.com (HKLM)

O9 - Extra button: Yahoo! Messenger (HKLM)

O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)

O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa.../swdir8d205.cab

O16 - DPF: {01112B00-3E00-11D2-8470-0060089874ED} (Support.com RemoteControl Class) - http://help-data.excite.com/help/images/ra/tgrc.cab

O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab

O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab

O16 - DPF: {01111F00-3E00-11D2-8470-0060089874ED} (Support.com Installer) - http://v55.comcastsupport.com/sdccommon/do...ad/tgctlins.cab

O16 - DPF: {1C955F3B-5B32-4393-A05D-24B4970CD2A1} - http://spystream.babenet.com/cabs/videox.cab

O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200207...meInstaller.exe

O16 - DPF: {6F74F92E-8DD8-4DDE-8FB8-CBB882A68048} (Microsoft Office XP Professional Step by Step Interactive) - file://C:\Program Files\Microsoft Interactive Training\O10C\mitm0026.cab

O16 - DPF: {56C9629A-C33F-11D3-BBFB-00105A1FAD68} - http://www.eyetide.com/download//225/Eyetide%20Installer.cab

O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/....CAB?37875.5475

O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/common/groove/gx/GrooveAX.cab

O16 - DPF: {8D83D301-E841-11D1-B155-00600823BCF9} (WebLine Browser Integration Classes) - http://collsrv.thrifty.com/webline/applets/msie40x.cab

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab

Share this post


Link to post
Share on other sites

Logfile of HijackThis v1.97.7

Scan saved at 11:29:01 AM, on 6/23/2004

Platform: Windows ME (Win9x 4.90.3000)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\SYSTEM\KERNEL32.DLL

C:\WINDOWS\SYSTEM\MSGSRV32.EXE

C:\WINDOWS\SYSTEM\mmtask.tsk

C:\WINDOWS\SYSTEM\MPREXE.EXE

C:\WINDOWS\SYSTEM\MSTASK.EXE

C:\WINDOWS\SYSTEM\SSDPSRV.EXE

C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE

C:\WINDOWS\SYSTEM\ZONELABS\MINILOG.EXE

C:\WINDOWS\SYSTEM\STIMON.EXE

C:\PROGRAM FILES\GRISOFT\AVG6\AVGSERV9.EXE

C:\WINDOWS\EXPLORER.EXE

C:\WINDOWS\TASKMON.EXE

C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE

C:\WINDOWS\SYSTEM\SYSTRAY.EXE

C:\WINDOWS\SYSTEM\ATIPTAXX.EXE

C:\WINDOWS\SYSTEM\LVCOMS.EXE

C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE

C:\PROGRAM FILES\GRISOFT\AVG6\AVGCC32.EXE

C:\WINDOWS\SYSTEM\WMIEXE.EXE

C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZONEALARM.EXE

C:\WINDOWS\SYSTEM\DDHELP.EXE

C:\WINDOWS\WUAUCLT.EXE

C:\WINDOWS\SYSTEM\PSTORES.EXE

C:\PROGRAM FILES\WINZIP\WINZIP32.EXE

C:\WINDOWS\TEMP\HIJACKTHIS.EXE

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://abcnews.com/

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX

O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe

O4 - HKLM\..\Run: [systemTray] SysTray.Exe

O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme

O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET

O4 - HKLM\..\Run: [Norton eMail Protect] C:\PROGRAM FILES\NORTON ANTIVIRUS\POProxy.exe

O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe

O4 - HKLM\..\Run: [LVComs] C:\WINDOWS\SYSTEM\LVComS.exe

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\GRISOFT\AVG6\avgcc32.exe /STARTUP

O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme

O4 - HKLM\..\RunServices: [schedulingAgent] mstask.exe

O4 - HKLM\..\RunServices: [sSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe

O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe

O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service

O4 - HKLM\..\RunServices: [MiniLog] C:\WINDOWS\SYSTEM\ZONELABS\MINILOG.EXE -service

O4 - HKLM\..\RunServices: [stillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE

O4 - HKLM\..\RunServices: [Avgserv9.exe] C:\PROGRA~1\GRISOFT\AVG6\Avgserv9.exe

O4 - Global Startup: ZoneAlarm.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE10\EXCEL.EXE/3000

O9 - Extra button: Messenger (HKLM)

O9 - Extra 'Tools' menuitem: MSN Messenger Service (HKLM)

O9 - Extra button: Real.com (HKLM)

O9 - Extra button: Yahoo! Messenger (HKLM)

O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)

O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa.../swdir8d205.cab

O16 - DPF: {01112B00-3E00-11D2-8470-0060089874ED} (Support.com RemoteControl Class) - http://help-data.excite.com/help/images/ra/tgrc.cab

O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab

O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab

O16 - DPF: {01111F00-3E00-11D2-8470-0060089874ED} (Support.com Installer) - http://v55.comcastsupport.com/sdccommon/do...ad/tgctlins.cab

O16 - DPF: {1C955F3B-5B32-4393-A05D-24B4970CD2A1} - http://spystream.babenet.com/cabs/videox.cab

O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200207...meInstaller.exe

O16 - DPF: {6F74F92E-8DD8-4DDE-8FB8-CBB882A68048} (Microsoft Office XP Professional Step by Step Interactive) - file://C:\Program Files\Microsoft Interactive Training\O10C\mitm0026.cab

O16 - DPF: {56C9629A-C33F-11D3-BBFB-00105A1FAD68} - http://www.eyetide.com/download//225/Eyetide%20Installer.cab

O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/....CAB?37875.5475

O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/common/groove/gx/GrooveAX.cab

O16 - DPF: {8D83D301-E841-11D1-B155-00600823BCF9} (WebLine Browser Integration Classes) - http://collsrv.thrifty.com/webline/applets/msie40x.cab

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab

Share this post


Link to post
Share on other sites

I just noticed one more thing. So hopefully you check back to this thread it looks like you have both AVG and norton installed. Thats a bad idea as they will conflict with each other so please uninstall one or the other. I strongly recommend getting rid of Norton.

Share this post


Link to post
Share on other sites

I deleted all the norton files, but it will not remove out of the add/remove programs option. Should I remove anything in the registry?

Share this post


Link to post
Share on other sites

Sarah only if you are comfortable in the registry. I'm not sure what all needs to be removed but i know Norton make a whole bunch of registry entries when installed.

Share this post


Link to post
Share on other sites

Yes Mr.me we figured that out and the problem is taken care of thanks for the info though.

 

Once more thing its also known as morze not just adtomi

Share this post


Link to post
Share on other sites

I was able to clear the mirka4e.exe stuff off only after reading and comparing the Hijack This! results to my own. I downloaded every Trojan cleaner on the web, but none of them worked. Mcafee ver 8.0 with the latest dat files found and deleted the trojan, but opening a new IE window would create another copy of the file. What a pain!

Share this post


Link to post
Share on other sites
Sign in to follow this  
Followers 0