Trojan-Spy.HTML.Smitfraud.c on Win98SE[CLOSED]


#1 Lady_Rocker (Member, 168 posts)

Hello, I hope I am following the instructions correctly here. I have installed AVG, SpyBot, AdAware, CWShredder and Hijackthis. Soooo, now am going to post all the logs I have (including the system.ini, which is first).

I hope someone can help me, I seriously need to work on my homework for college! PLEEEEEEEEEAAASE!!


HijackThis Log:

Logfile of HijackThis v1.99.1
Scan saved at 9:24:21 AM, on 4/17/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\WINDOWS\SYSTEM\MSMSGS.EXE
C:\WP.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\NOTEPAD.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\CJSTCOM.EXE
C:\WINDOWS\SYSTEM\CJSTMON.EXE
C:\MY DOCUMENTS\MISC\DOWNLOADS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://google.icq.co...earch_frame.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://google.icq.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp...rch/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com
R3 - URLSearchHook: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\PROGRAM FILES\ICQTOOLBAR\TOOLBAR.DLL
F1 - win.ini: load=C:\TNT2-64\vi_grm.exe
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN2\YCOMP5_5_7_0.DLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: (no name) - {9ED0A39A-FAA2-52BA-76F2-B402CEF4CE8D} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN2\YCOMP5_5_7_0.DLL
O3 - Toolbar: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\PROGRAM FILES\ICQTOOLBAR\TOOLBAR.DLL
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [CriticalUpdate] C:\WINDOWS\SYSTEM\wucrtupd.exe -startup
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\Run: [MSN Messenger] C:\WINDOWS\SYSTEM\msmsgs.exe
O4 - HKLM\..\Run: [Security iGuard] C:\PROGRAM FILES\SECURITY IGUARD\SECURITY IGUARD.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
O4 - HKCU\..\Run: [WindowsFY] C:\WP.EXE
O4 - HKCU\..\RunServices: [WindowsFY] C:\WP.EXE
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &ICQ Toolbar Search - res://C:\PROGRAM FILES\ICQTOOLBAR\TOOLBAR.DLL/SEARCH.HTML
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YPAGER.EXE
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YPAGER.EXE
O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\SYSTEM\ms.exe (file missing)
O9 - Extra 'Tools' menuitem: MaxSpeed - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\SYSTEM\ms.exe (file missing)
O9 - Extra button: Microsoft AntiSpyware helper - {18B954C0-ADC2-11D9-8EDC-0000E2247E2B} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {18B954C0-ADC2-11D9-8EDC-0000E2247E2B} - (no file) (HKCU)
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.c...nst_current.cab
O16 - DPF: {F5820AD3-9B20-423E-B2AA-7AF2B4055746} (CRegistryDownload Class) - http://download.palt....x/regdload.cab
O16 - DPF: {CDCC6BE5-720B-488D-A953-047E0598D996} (UpMan Class) - https://www.plaxo.co...x/plx_upldr.cab
O16 - DPF: {08BEF711-06DA-48B2-9534-802ECAA2E4F9} (PlxInstall Class) - http://down.plaxo.co...laxoInstall.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab28177.cab
O16 - DPF: {07637823-C894-4A52-B3F9-5D777FD8E36A} - http://www.mydailyho...mdh/install.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.game...aploader_v6.cab
O16 - DPF: {084F552D-19EB-4668-9788-984CBC781A8F} (AsyncDownloader Class) - http://survey.otxres...m/Preloader.dll



===================================

SYSTEM.INI:
[boot]
shell=Explorer.exe
system.drv=system.drv
user.exe=user.exe
gdi.exe=gdi.exe
sound.drv=mmsound.drv
dibeng.drv=dibeng.dll
comm.drv=comm.drv
mouse.drv=mouse.drv
keyboard.drv=keyboard.drv
*DisplayFallback=0
drivers=mmsystem.dll power.drv
oemfonts.fon=vgaoem.fon
fonts.fon=vgasys.fon
fixedfon.fon=vgafix.fon
386Grabber=vgafull.3gr
display.drv=pnpdrvr.drv

[keyboard]
keyboard.dll=
oemansi.bin=
subtype=
type=4

[boot.description]
system.drv=Standard PC
mouse.drv=Standard mouse
keyboard.typ=Standard 101/102-Key or Microsoft Natural Keyboard
aspect=100,96,96
display.drv=NVIDIA RIVA TNT2 Model 64

[386Enh]
ebios=*ebios
woafont=dosapp.fon
mouse=*vmouse, msmouse.vxd
device=*dynapage
device=*vpd
device=*int13
keyboard=*vkd
display=*vdd,*vflatd
device=TURBOVCD.VXD
device=*COMBUFF
EMMExclude=C000-CFFF

[NonWindowsApp]
TTInitialSizes=4 5 6 7 8 9 10 11 12 13 14 15 16 18 20 22

[power.drv]

[drivers]
wavemapper=*.drv
MSACM.imaadpcm=*.acm
MSACM.msadpcm=*.acm
wave=mmsystem.dll
midi=mmsystem.dll

[iccvid.drv]

[mciseq.drv]

[mci]
cdaudio=mcicda.drv
sequencer=mciseq.drv
waveaudio=mciwave.drv
avivideo=mciavi.drv
videodisc=mcipionr.drv
vcr=mcivisca.drv
MPEGVideo=mciqtz.drv
MPEGVideo2=mciqtz.drv

[vcache]

[MSNP32]

[Password Lists]
ANITA=C:\WINDOWS\ANITA.PWL

[drivers32]
msacm.lhacm=lhacm.acm
VIDC.VDOM=vdowave.drv
VIDC.IV50=ir50_32.dll
msacm.iac2=C:\WINDOWS\SYSTEM\IAC25_32.AX
VIDC.YUY2=msyuv.dll
VIDC.UYVY=msyuv.dll
VIDC.YVYU=msyuv.dll
VIDC.WMV3=wmv9vcm.dll

[TTFontDimenCache]
0 4=2 4
0 5=3 5
0 6=4 6
0 7=4 7
0 8=5 8
0 9=5 9
0 10=6 10
0 11=7 11
0 12=7 12
0 13=8 13
0 14=8 14
0 15=9 15
0 16=10 16
0 18=11 18
0 20=12 20
0 22=13 22


===================================
CWShredder:

**** Run Keys ****

RUN: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
RUN: [TaskMonitor] C:\WINDOWS\taskmon.exe
RUN: [SystemTray] SysTray.Exe
RUN: [LoadQM] loadqm.exe
RUN: [CriticalUpdate] C:\WINDOWS\SYSTEM\wucrtupd.exe -startup
RUN: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
RUN: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
RUN: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
RUN: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
RUN: [MSN Messenger] C:\WINDOWS\SYSTEM\msmsgs.exe
RUN: [Security iGuard] C:\PROGRAM FILES\SECURITY IGUARD\SECURITY IGUARD.EXE
RUN: [WindowsFY] C:\WP.EXE


**** Browser Helper Objects ****

BHO: [Yahoo! Companion BHO] C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN2\YCOMP5_5_7_0.DLL
BHO: [AcroIEHlprObj Class] C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
BHO: [C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL] C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
BHO: [] C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL


**** IE Toolbars ****

TOOLBAR: [&Radio] C:\WINDOWS\SYSTEM\MSDXM.OCX
TOOLBAR: [Yahoo! Toolbar] C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN2\YCOMP5_5_7_0.DLL
TOOLBAR: [ICQ Toolbar] C:\PROGRAM FILES\ICQTOOLBAR\TOOLBAR.DLL


**** IE Extensions ****

IEExt: [Web Browser Applet Control] C:\WINDOWS\SYSTEM\MSJAVA.DLL
IEExt: [ICQ Lite] C:\Program Files\ICQLite\ICQLite.exe
IEExt: [Yahoo! Messenger] C:\PROGRAM FILES\YAHOO!\MESSENGER\YPAGER.EXE
IEExt: [C:\WINDOWS\SYSTEM\MSJAVA.DLL] C:\WINDOWS\SYSTEM\MSJAVA.DLL


**** Hosts File Entries ****



**** IE Settings ****

IEBypass: <local>
Default Page: http://www.microsoft...er=6&ar=msnhome
Default Search: http://www.microsoft...=ie&ar=iesearch
Local Page: C:\WINDOWS\SYSTEM\blank.htm
Search Bar: http://google.icq.co...earch_frame.php
Search Page: http://google.icq.com


**** IE Context Menu (Right click) ****

IEContext: [&ICQ Toolbar Search] res://C:\PROGRAM FILES\ICQTOOLBAR\TOOLBAR.DLL/SEARCH.HTML


**** Layered Service Providers ****

LSP: MS.w95.spi.tcp
LSP: MS.w95.spi.udp
LSP: MS.w95.spi.rsvptcp
LSP: MS.w95.spi.rsvpudp


**** Blocked Control Panel Items ****

BLOCKED: []


**** Downloaded Program Files ****

Microsoft XML Parser for Java [file://C:\WINDOWS\Java\classes\xmldso4.cab]
DirectAnimation Java Classes [file://C:\WINDOWS\SYSTEM\dajava.cab]
Internet Explorer Classes for Java [file://C:\WINDOWS\SYSTEM\iejava.cab]
Internet Explorer Classes for Java [file://C:\WINDOWS\SYSTEM\iejava.cab]
Internet Explorer Classes for Java [file://C:\WINDOWS\SYSTEM\iejava.cab]
Internet Explorer Classes for Java [file://C:\WINDOWS\SYSTEM\iejava.cab]
Internet Explorer Classes for Java [file://C:\WINDOWS\SYSTEM\iejava.cab]
Internet Explorer Classes for Java [file://C:\WINDOWS\SYSTEM\iejava.cab]
Internet Explorer Classes for Java [file://C:\WINDOWS\SYSTEM\iejava.cab]
Internet Explorer Classes for Java [file://C:\WINDOWS\SYSTEM\iejava.cab]
Internet Explorer Classes for Java [file://C:\WINDOWS\SYSTEM\iejava.cab]
Internet Explorer Classes for Java [file://C:\WINDOWS\SYSTEM\iejava.cab]
Internet Explorer Classes for Java [file://C:\WINDOWS\SYSTEM\iejava.cab]
Internet Explorer Classes for Java [file://C:\WINDOWS\SYSTEM\iejava.cab]
Internet Explorer Classes for Java [file://C:\WINDOWS\SYSTEM\iejava.cab]
Internet Explorer Classes for Java [file://C:\WINDOWS\SYSTEM\iejava.cab]
Internet Explorer Classes for Java [file://C:\WINDOWS\SYSTEM\iejava.cab]
Internet Explorer Classes for Java [file://C:\WINDOWS\SYSTEM\iejava.cab]
Internet Explorer Classes for Java [file://C:\WINDOWS\SYSTEM\iejava.cab]
Internet Explorer Classes for Java [file://C:\WINDOWS\SYSTEM\iejava.cab]
Internet Explorer Classes for Java [file://C:\WINDOWS\SYSTEM\iejava.cab]
Internet Explorer Classes for Java [file://C:\WINDOWS\SYSTEM\iejava.cab]
Internet Explorer Classes for Java [file://C:\WINDOWS\SYSTEM\iejava.cab]
Internet Explorer Classes for Java [file://C:\WINDOWS\SYSTEM\iejava.cab]
Internet Explorer Classes for Java [file://C:\WINDOWS\SYSTEM\iejava.cab]


**** Windows Services ****



**** Custom IE Search Items ****

SEARCH: [SearchAssistant] about:blank
SEARCH: [SearchAssistant] http://ie.search.msn...st/srchasst.htm
SEARCH: [CustomizeSearch] http://ie.search.msn...st/srchcust.htm
SEARCH: [CustomSearch] http://red.clientapp...rch/search.html


**** Complete IE Options ****

IEOPT: [Anchor Underline] yes
IEOPT: [Cache_Update_Frequency] Once_Per_Session
IEOPT: [Display Inline Images] yes
IEOPT: [Do404Search]
IEOPT: [Local Page] C:\WINDOWS\SYSTEM\blank.htm
IEOPT: [Save_Session_History_On_Exit] no
IEOPT: [Show_FullURL] no
IEOPT: [Show_StatusBar] yes
IEOPT: [Show_ToolBar] yes
IEOPT: [Show_URLinStatusBar] yes
IEOPT: [Show_URLToolBar] yes
IEOPT: [Start Page] http://www.yahoo.com
IEOPT: [Use_DlgBox_Colors] yes
IEOPT: [Search Page] http://google.icq.com
IEOPT: [Show_ChannelBand] no
IEOPT: [FullScreen] no
IEOPT: [LastCheckedHi]
IEOPT: [Window_Placement] ,
IEOPT: [Error Dlg Displayed On Every Error] no
IEOPT: [Error Dlg Details Pane Open] yes
IEOPT: [Expand Alt Text] no
IEOPT: [Move System Caret] no
IEOPT: [NoUpdateCheck]
IEOPT: [NscSingleExpand]
IEOPT: [Disable Script Debugger] yes
IEOPT: [NoJITSetup]
IEOPT: [Page_Transitions]
IEOPT: [NotifyDownloadComplete] yes
IEOPT: [Friendly http errors] yes
IEOPT: [ShowGoButton] yes
IEOPT: [SmoothScroll]
IEOPT: [Play_Animations] yes
IEOPT: [Play_Background_Sounds] yes
IEOPT: [Display Inline Videos] yes
IEOPT: [Show image placeholders]
IEOPT: [Print_Background] no
IEOPT: [AutoSearch]
IEOPT: [AddToFavoritesExpanded]
IEOPT: [FormSuggest PW Ask] no
IEOPT: [Use FormSuggest] no
IEOPT: [Save Directory] C:\My Documents\Misc\
IEOPT: [Use Custom Search URL]
IEOPT: [Search Bar] http://google.icq.co...earch_frame.php
IEOPT: [Check_Associations] yes
IEOPT: [NoWebJITSetup]
IEOPT: [Force Offscreen Composition]
IEOPT: [AllowWindowReuse]
IEOPT: [Enable AutoImageResize] yes
IEOPT: [Enable_MyPics_Hoverbar] yes
IEOPT: [Use Search Asst] no
IEOPT: [NoSaveAsPOSTWarning]
IEOPT: [Prev Use Search Asst] yes
IEOPT: [Prev Search Page] http://red.clientapp...//www.yahoo.com
IEOPT: [Prev Search Bar] http://red.clientapp.../search/ie.html
IEOPT: [Prev Use Custom Search URL]
IEOPT: [Default_Page_URL] http://www.microsoft...er=6&ar=msnhome
IEOPT: [Default_Search_URL] http://www.microsoft...=ie&ar=iesearch
IEOPT: [Search Page]
IEOPT: [Enable_Disk_Cache] yes
IEOPT: [Cache_Percent_of_Disk]
IEOPT: [Delete_Temp_Files_On_Exit] yes
IEOPT: [Local Page] C:\WINDOWS\SYSTEM\blank.htm
IEOPT: [Anchor_Visitation_Horizon]
IEOPT: [Use_Async_DNS] yes
IEOPT: [Placeholder_Width]
IEOPT: [Placeholder_Height]
IEOPT: [Start Page] http://www.yahoo.com
IEOPT: [Custom_Key] MICROSO
IEOPT: [CompanyName] Microsoft Corporation
IEOPT: [Wizard_Version] 6.00.2800.1106
IEOPT: [FullScreen] no
IEOPT: [Search Bar] http://red.clientapp...rch/search.html
IEOPT: [AutoSearch]
IEOPT: [Check_Associations] yes

Edited by Lady_Rocker, 16 April 2005 - 08:52 PM.


#2 Lady_Rocker (Topic Starter, Member, 168 posts)

Okay, I followed the user "fsmn" posts (since he has the same OS) (http://www.geekstogo...udc-t16563.html) and now I too have a BLACK DESKTOP with no access to the full Display Properties... I also used (AGAIN)

AVG
SpyBot
AdAware
CWShredder
AboutBuster
The Cleaner
AND HijackThis (which follows)

PLEASE SEND HELP!!

Logfile of HijackThis v1.99.1
Scan saved at 5:00:53 PM, on 4/17/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\WINDOWS\SYSTEM\MSMSGS.EXE
C:\THE CLEANER\TCA.EXE
C:\THE CLEANER\TCM.EXE
C:\WP.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\HJT\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://google.icq.co...earch_frame.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://google.icq.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp...rch/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com
R3 - URLSearchHook: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\PROGRAM FILES\ICQTOOLBAR\TOOLBAR.DLL
F1 - win.ini: load=C:\TNT2-64\vi_grm.exe
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN2\YCOMP5_5_7_0.DLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: (no name) - {9ED0A39A-FAA2-52BA-76F2-B402CEF4CE8D} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN2\YCOMP5_5_7_0.DLL
O3 - Toolbar: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\PROGRAM FILES\ICQTOOLBAR\TOOLBAR.DLL
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [CriticalUpdate] C:\WINDOWS\SYSTEM\wucrtupd.exe -startup
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\Run: [MSN Messenger] C:\WINDOWS\SYSTEM\msmsgs.exe
O4 - HKLM\..\Run: [Security iGuard] C:\PROGRAM FILES\SECURITY IGUARD\SECURITY IGUARD.EXE
O4 - HKLM\..\Run: [tcactive] C:\THE CLEANER\tca.exe
O4 - HKLM\..\Run: [tcmonitor] C:\THE CLEANER\tcm.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
O4 - HKCU\..\Run: [WindowsFY] C:\WP.EXE
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &ICQ Toolbar Search - res://C:\PROGRAM FILES\ICQTOOLBAR\TOOLBAR.DLL/SEARCH.HTML
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YPAGER.EXE
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YPAGER.EXE
O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\SYSTEM\ms.exe (file missing)
O9 - Extra 'Tools' menuitem: MaxSpeed - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\SYSTEM\ms.exe (file missing)
O9 - Extra button: Microsoft AntiSpyware helper - {18B954C0-ADC2-11D9-8EDC-0000E2247E2B} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {18B954C0-ADC2-11D9-8EDC-0000E2247E2B} - (no file) (HKCU)
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.c...nst_current.cab
O16 - DPF: {F5820AD3-9B20-423E-B2AA-7AF2B4055746} (CRegistryDownload Class) - http://download.palt....x/regdload.cab
O16 - DPF: {CDCC6BE5-720B-488D-A953-047E0598D996} (UpMan Class) - https://www.plaxo.co...x/plx_upldr.cab
O16 - DPF: {08BEF711-06DA-48B2-9534-802ECAA2E4F9} (PlxInstall Class) - http://down.plaxo.co...laxoInstall.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab28177.cab
O16 - DPF: {07637823-C894-4A52-B3F9-5D777FD8E36A} - http://www.mydailyho...mdh/install.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.game...aploader_v6.cab
O16 - DPF: {084F552D-19EB-4668-9788-984CBC781A8F} (AsyncDownloader Class) - http://survey.otxres...m/Preloader.dll
O21 - SSODL: SARU - {FF5D8CC8-DE01-4964-89F1-648E43271415} - C:\WINDOWS\SYSTEM\MSSARU.DLL

Edited by Lady_Rocker, 17 April 2005 - 01:08 AM.


#3 Lady_Rocker (Topic Starter, Member, 168 posts)

RE-DID the whole procedure... printed the topic "You Must Read This Before Posting A HijackThis Log"... found a WORM in C:\WINDOWS\SYSTEM\msmsgs.exe and removed it (lucky I don't use it anymore)... and ran another HijackThis scan with the following log:

Logfile of HijackThis v1.99.1
Scan saved at 8:52:31 PM, on 4/17/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\TNT2-64\VI_GRM.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\THE CLEANER\TCA.EXE
C:\THE CLEANER\TCM.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\HJT\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapp...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp...rch/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com
F1 - win.ini: load=C:\TNT2-64\vi_grm.exe
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN2\YCOMP5_5_7_0.DLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: (no name) - {9ED0A39A-FAA2-52BA-76F2-B402CEF4CE8D} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN2\YCOMP5_5_7_0.DLL
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [CriticalUpdate] C:\WINDOWS\SYSTEM\wucrtupd.exe -startup
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\Run: [MSN Messenger] C:\WINDOWS\SYSTEM\msmsgs.exe
O4 - HKLM\..\Run: [Security iGuard] C:\PROGRAM FILES\SECURITY IGUARD\SECURITY IGUARD.EXE
O4 - HKLM\..\Run: [tcactive] C:\THE CLEANER\tca.exe
O4 - HKLM\..\Run: [tcmonitor] C:\THE CLEANER\tcm.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
O4 - HKCU\..\Run: [WindowsFY] C:\WP.EXE
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YPAGER.EXE
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YPAGER.EXE
O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\SYSTEM\ms.exe (file missing)
O9 - Extra 'Tools' menuitem: MaxSpeed - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\SYSTEM\ms.exe (file missing)
O9 - Extra button: Microsoft AntiSpyware helper - {18B954C0-ADC2-11D9-8EDC-0000E2247E2B} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {18B954C0-ADC2-11D9-8EDC-0000E2247E2B} - (no file) (HKCU)
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.c...nst_current.cab
O16 - DPF: {F5820AD3-9B20-423E-B2AA-7AF2B4055746} (CRegistryDownload Class) - http://download.palt....x/regdload.cab
O16 - DPF: {CDCC6BE5-720B-488D-A953-047E0598D996} (UpMan Class) - https://www.plaxo.co...x/plx_upldr.cab
O16 - DPF: {08BEF711-06DA-48B2-9534-802ECAA2E4F9} (PlxInstall Class) - http://down.plaxo.co...laxoInstall.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab28177.cab
O16 - DPF: {07637823-C894-4A52-B3F9-5D777FD8E36A} - http://www.mydailyho...mdh/install.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.game...aploader_v6.cab
O16 - DPF: {084F552D-19EB-4668-9788-984CBC781A8F} (AsyncDownloader Class) - http://survey.otxres...m/Preloader.dll
O21 - SSODL: SARU - {FF5D8CC8-DE01-4964-89F1-648E43271415} - C:\WINDOWS\SYSTEM\MSSARU.DLL

#4 Michelle (Malware Removal Goddess, Retired Staff, 8,928 posts)

C:\WINDOWS\SYSTEM\msmsgs.exe and removed it (lucky I don't use it anymore)...

That malware file doesn't have anything to do with Messenger - it just happens to be named the same - just located in a different folder. ;)

Alright, let's get this party started! :tazz:

This is a new infection and I have only fixed it on XP so far...so if you have any problems at all following any of the directions let me know! Even if you have deleted some files, go ahead and follow all of the directions to be sure we get them all ;)

Please read these instructions carefully and print them out! Be sure to follow ALL instructions!

Go to Start > Control Panel > Add or Remove Programs and remove the following programs, if found:

Security IGuard
Virtual Maid
Search Maid


Exit Add/Remove Programs.

*IMPORTANT* Be sure to show hidden files:

*Open My Computer.
*Select the View menu and click Folder Options.
*Select the View Tab.
*In the Hidden files section select Show all files.
*Click OK.


Press CTRL ALT DELETE to open Windows Task Manager. Click on the Processes tab and end the following processes, if found:

WP.EXE

Exit Task Manager.

*Click Here to download Killbox by Option^Explicit.
*Extract the program to your desktop and double-click on its folder, then double-click on Killbox.exe to start the program.
*In the killbox program, select the Delete on Reboot option.
*In the field labeled Full Path of File to Delete enter the file paths listed below ONE AT A TIME (EXACTLY as it appears, please double check to make sure! I would just copy each file path and paste it in the field) MAKE SURE TO ENTER ALL FILE PATHS!:

C:\wp.exe
C:\wp.bmp
C:\WINDOWS\sites.ini
C:\WINDOWS\popuper.exe
C:\WINDOWS\System\helper.exe
C:\WINDOWS\System\intmonp.exe
C:\WINDOWS\System\msmsgs.exe
C:\WINDOWS\System\ole32vbs.exe
C:\WINDOWS\System\msole32.exe


Press the button that looks like a red circle with a white X in it after each one. When it asks if you would like to delete on reboot, press the YES button, when it asks if you want to reboot now, press the NO button. Do this after each one until you have entered the LAST file path I have listed above. After that LAST file path has been entered press the YES button at both prompts so that your computer restarts. If you receive an error message "PendingRenameOperation...." and your computer doesn't restart, please restart it manually.

While your computer is restarting, tap the F8 key continually until a menu appears. Use your up arrow key to highlight Safe Mode, then hit enter.

Make sure you can view hidden files.

Using Windows Explorer, delete the following (please do NOT try to find them by "search" because they will not show up that way)

FOLDERS to delete (in bold) if found:

C:\Program Files\Search Maid
C:\Program Files\Virtual Maid
C:\Windows\System\Log Files <-where the trojans were hidden!
C:\Program Files\Security IGuard

Reboot into normal mode.

*Download and install Registrar Lite version 2.00
*Double click the purple Registrar Lite icon on your desktop.
*Copy the line below and paste it into the "Address" field (located at the top) of the program:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies

*Click the "Go" button.
*It will take you into the "Policies" folder.
*Locate the "System" folder (in the right panel)
*If found, right-click on the System folder and go to Delete
*Be very careful that you only delete the System folder that is inside the Policies folder.

Reboot your computer again.

1.) Download the Hoster from HERE. Press "Restore Original Hosts" and press "OK". Exit Program.

2.) Download: http://www.mvps.org/.../DelDomains.inf
To use: right-click and select: Install (no need to restart)
Note: This will remove all entries in the "Trusted Zone" and "Ranges" also.

3.) Download, install, and run CleanUp!

4.) Run this online virus scan: ActiveScan - Save the results from the scan!

Post a new HiJackThis log and let me know if you can now change the properties of the desktop.

Edited by bananafanafo, 17 April 2005 - 10:29 PM.


#5
Lady_Rocker (Member, Topic Starter, 168 posts)
WOW! I finally got control of my Desktop, YIPPEEE ;)

BUT, there are *ahem* two slight problems:

1] While the ActiveScan was running (which was about 10PM last nite for me), I fell asleep and was unable to save any results. The last I saw, tho, was about 13 trojans were detected! OUCH!

2] I just ran the HijackThis (log below), and noticed that some of the items I was supposed to remove (like the Security iGuard and the WP.EXE) are still on the log. How could that be? I followed the directions to the TEE! hmmmmm ;)

Well, I'm now awaiting your EXPERT advice before I >> :tazz:


Logfile of HijackThis v1.99.1
Scan saved at 6:20:39 AM, on 4/20/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\TNT2-64\VI_GRM.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\THE CLEANER\TCA.EXE
C:\THE CLEANER\TCM.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\EXPLORER.EXE
C:\HJT\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapp...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp...rch/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com
F1 - win.ini: load=C:\TNT2-64\vi_grm.exe
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN2\YCOMP5_5_7_0.DLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: (no name) - {9ED0A39A-FAA2-52BA-76F2-B402CEF4CE8D} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN2\YCOMP5_5_7_0.DLL
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [CriticalUpdate] C:\WINDOWS\SYSTEM\wucrtupd.exe -startup
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\Run: [MSN Messenger] C:\WINDOWS\SYSTEM\msmsgs.exe
O4 - HKLM\..\Run: [Security iGuard] C:\PROGRAM FILES\SECURITY IGUARD\SECURITY IGUARD.EXE
O4 - HKLM\..\Run: [tcactive] C:\THE CLEANER\tca.exe
O4 - HKLM\..\Run: [tcmonitor] C:\THE CLEANER\tcm.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
O4 - HKCU\..\Run: [WindowsFY] C:\WP.EXE
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YPAGER.EXE
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YPAGER.EXE
O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\SYSTEM\ms.exe (file missing)
O9 - Extra 'Tools' menuitem: MaxSpeed - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\SYSTEM\ms.exe (file missing)
O9 - Extra button: Microsoft AntiSpyware helper - {18B954C0-ADC2-11D9-8EDC-0000E2247E2B} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {18B954C0-ADC2-11D9-8EDC-0000E2247E2B} - (no file) (HKCU)
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.c...nst_current.cab
O16 - DPF: {F5820AD3-9B20-423E-B2AA-7AF2B4055746} (CRegistryDownload Class) - http://download.palt....x/regdload.cab
O16 - DPF: {CDCC6BE5-720B-488D-A953-047E0598D996} (UpMan Class) - https://www.plaxo.co...x/plx_upldr.cab
O16 - DPF: {08BEF711-06DA-48B2-9534-802ECAA2E4F9} (PlxInstall Class) - http://down.plaxo.co...laxoInstall.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab28177.cab
O16 - DPF: {07637823-C894-4A52-B3F9-5D777FD8E36A} - http://www.mydailyho...mdh/install.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.game...aploader_v6.cab
O16 - DPF: {084F552D-19EB-4668-9788-984CBC781A8F} (AsyncDownloader Class) - http://survey.otxres...m/Preloader.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O21 - SSODL: SARU - {FF5D8CC8-DE01-4964-89F1-648E43271415} - C:\WINDOWS\SYSTEM\MSSARU.DLL

#6
Michelle (Malware Removal Goddess, Retired Staff, 8,928 posts)
Did you see if ActiveScan found a bunch of items that said "no disinfected" - most likely all of the Trojans were disinfected. I highly recommend running ActiveScan again and posting the log so we can kill what it didn't.

And as far as the items still in your log...no worries the files are gone, we just haven't "fixed" them with HiJackThis yet ;)

I will review your log while you're (hopefully) running ActiveScan again :tazz:

Edited by bananafanafo, 19 April 2005 - 03:01 PM.


#7
Michelle (Malware Removal Goddess, Retired Staff, 8,928 posts)
Make sure you are disconnected from the Internet and that all programs and windows are closed. Place a check next to the following items, if found, and click FIX CHECKED:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapp...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp...rch/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com

O2 - BHO: (no name) - {9ED0A39A-FAA2-52BA-76F2-B402CEF4CE8D} - (no file)

O4 - HKLM\..\Run: [MSN Messenger] C:\WINDOWS\SYSTEM\msmsgs.exe
O4 - HKCU\..\Run: [WindowsFY] C:\WP.EXE

O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\SYSTEM\ms.exe (file missing)
O9 - Extra 'Tools' menuitem: MaxSpeed - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\SYSTEM\ms.exe (file missing)
O9 - Extra button: Microsoft AntiSpyware helper - {18B954C0-ADC2-11D9-8EDC-0000E2247E2B} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {18B954C0-ADC2-11D9-8EDC-0000E2247E2B} - (no file) (HKCU)

O16 - DPF: {CDCC6BE5-720B-488D-A953-047E0598D996} (UpMan Class) - https://www.plaxo.co...x/plx_upldr.cab
O16 - DPF: {08BEF711-06DA-48B2-9534-802ECAA2E4F9} (PlxInstall Class) - http://down.plaxo.co...laxoInstall.cab
O16 - DPF: {07637823-C894-4A52-B3F9-5D777FD8E36A} - http://www.mydailyho...mdh/install.cab
O16 - DPF: {084F552D-19EB-4668-9788-984CBC781A8F} (AsyncDownloader Class) - http://survey.otxres...m/Preloader.dll

O21 - SSODL: SARU - {FF5D8CC8-DE01-4964-89F1-648E43271415} - C:\WINDOWS\SYSTEM\MSSARU.DLL


Reboot into Safe Mode and delete these files if found (in bold):

C:\WINDOWS\SYSTEM\MSSARU.DLL
C:\WINDOWS\SYSTEM\ms.exe

Reboot into normal mode.

Launch Notepad, and copy/paste the box below into a new notepad file. Change the "save as" type to "All Files". Save it as Unreg.bat on your Desktop.

regsvr32 /u C:\WINDOWS\SYSTEM\MSSARU.DLL

Locate Unreg.bat on your Desktop and double-click on it.

Post a new HiJackThis log.
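The "fix checked" list above is built by eye from the HijackThis log. As an added example (not from this thread or from HijackThis), the script below parses log lines in that R1/O2/O4/O9/O21 format and flags the ones the helper singled out, using the indicators from this thread plus two general heuristics (orphaned entries and autostarts from the drive root); the sample lines are copied from the log quoted earlier.

```python
import re
# Added example, not from this thread or from HijackThis: triage HijackThis log lines.
# Indicators are the ones the helper fixed above; the other rules are general heuristics.
HIJACK_HOSTS = ("red.clientapp",)          # host the R1 search settings were redirected to
KNOWN_BAD_FILES = {r"c:\wp.exe", r"c:\windows\system\mssaru.dll",        # files the helper had
                   r"c:\windows\system\ms.exe", r"c:\windows\system\msmsgs.exe"}  # Killbox remove
LINE_RE = re.compile(r"^([RFO]\d+) - (.*)$")
ROOT_EXE_RE = re.compile(r"^[a-z]:\\[^\\]+\.exe\b")   # c:\wp.exe yes, c:\windows\x.exe no

# Constructed sample: lines copied from the log quoted in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp.../search/ie.html
O2 - BHO: (no name) - {9ED0A39A-FAA2-52BA-76F2-B402CEF4CE8D} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKCU\..\Run: [WindowsFY] C:\WP.EXE
O9 - Extra 'Tools' menuitem: MaxSpeed - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\SYSTEM\ms.exe (file missing)
O21 - SSODL: SARU - {FF5D8CC8-DE01-4964-89F1-648E43271415} - C:\WINDOWS\SYSTEM\MSSARU.DLL
"""

def target_of(section, entry):
    """Best-effort extraction of the path or URL an entry points at."""
    if section.startswith("R"):                    # R1: key,value = URL
        return entry.split(" = ", 1)[-1]
    if section == "O4" and "] " in entry:          # O4: [Name] command line
        return entry.split("] ", 1)[1]
    return entry.rsplit(" - ", 1)[-1]              # O2/O9/O21: ... - {CLSID} - path

def reasons_for(section, entry):
    """Return the reasons one log entry deserves a second look (empty list = nothing tripped)."""
    reasons = []
    t = target_of(section, entry).lower()
    for suffix in (" (file missing)", " (hkcu)"):   # HijackThis annotations, not part of the path
        if t.endswith(suffix):
            t = t[: -len(suffix)]
    if "(no file)" in entry or "(file missing)" in entry:
        reasons.append("orphaned entry: registered object has no file on disk")
    if section.startswith("R") and any(h in t for h in HIJACK_HOSTS):
        reasons.append("search setting redirected to hijacker host")
    if section == "O4" and ROOT_EXE_RE.match(t):
        reasons.append("autostart runs an executable from the drive root")
    if any(t.startswith(bad) for bad in KNOWN_BAD_FILES):
        reasons.append("path matches a file removed in this thread")
    return reasons

def triage(log_text):
    """Parse a HijackThis log and return only the entries that trip a rule."""
    flagged = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        why = reasons_for(m.group(1), m.group(2)) if m else []
        if why:
            flagged.append({"section": m.group(1), "entry": m.group(2), "reasons": why})
    return flagged
```

Running `triage(SAMPLE_LOG)` flags five of the seven sample lines; the SDHELPER BHO and the TaskMonitor autostart pass, as they did in the helper's review.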

#8
Lady_Rocker (Member, Topic Starter, 168 posts)
WOW! Awesome! Right now I am at work. I have printed out the complete topic and as soon as I get home, I will rerun the ActiveScan, save the log, post to this topic, disconnect from the internet THEN run and follow your recommendations for the my HijackThis Log... :tazz:

Rest assured I most certainly will be sharing this experience with my Computer Science Professor ;)

#9
Michelle (Malware Removal Goddess, Retired Staff, 8,928 posts)
I'll keep an eye out for your post :tazz: (Computer Science Major here too ;) )

#10
Lady_Rocker (Member, Topic Starter, 168 posts)
Okay, here is the rescanned log from ActiveScan, looks to be a bit nerve-wracking... :tazz:



Incident Status Location

Adware:Adware/SaveNow No disinfected C:\WINDOWS\SYSTEM\MSSARU.DLL
Adware:Adware/eZula No disinfected C:\WINDOWS\SYSTEM\ezPopStub.exe
Spyware:Spyware/New.net No disinfected C:\Program Files\NewDotNet
Adware:Adware/SaveNow No disinfected C:\WINDOWS\SYSTEM\MSSARU.DLL
Spyware:Spyware/BetterInet No disinfected Windows Registry
Adware:Adware/QuickSearch No disinfected C:\Program Files\QuickSearch
Adware:Adware/MyDailyHoroscopeNo disinfected Windows Registry
Adware:Adware/WildTangent No disinfected C:\WINDOWS\wt
Adware:Adware/Zango No disinfected Windows Registry
Adware:Adware/WhenUSearch No disinfected C:\WINDOWS\SYSTEM\mssaru.dll
Adware:Adware/PowerSearch No disinfected C:\WINDOWS\SYSTEM\stlb2.xml
Adware:Adware/Otx No disinfected C:\WINDOWS\DOWNLOADED PROGRAM FILES\PRELOADER.DLL
Adware:Adware/IGuard No disinfected C:\WINDOWS\SYSTEM\wldr.dll
Adware:Adware/SaveNow No disinfected C:\WINDOWS\SYSTEM\mssaru.dll
Adware:Adware/IGuard No disinfected C:\WINDOWS\SYSTEM\wldr.dll
Adware:Adware Program No disinfected C:\WINDOWS\Downloaded Program Files\WildApp.inf
Spyware:Spyware/New.net No disinfected C:\WINDOWS\NDNuninstall6_38.exe
Adware:Adware/Trymedia No disinfected C:\My Documents\Misc\Downloads\GoldMinerSESetup-dm.exe
Adware:Adware/eZula No disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq70A5.TMP
Adware:Adware/eZula No disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq70B2.TMP
Adware:Adware/eZula No disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq70D1.TMP
Adware:Adware/QuickSearch No disinfected C:\Program Files\FileSubmit\Baseball\TBEZA127Q.exe
Spyware:Spyware/New.net No disinfected C:\Program Files\FileSubmit\Baseball\NNEZTA388.exe
Adware:Adware/SaveNow No disinfected C:\VVSN_STAT0641Inst.exe
==========
I'll be offline now to follow your "fixing" instructions for the HijackThis

#11
Michelle (Malware Removal Goddess, Retired Staff, 8,928 posts)
Please read these instructions carefully

*Click Here to download Killbox by Option^Explicit.
*Extract the program to your desktop and double-click on its folder, then double-click on Killbox.exe to start the program.
*In the killbox program, select the Delete on Reboot option.
*In the field labeled Full Path of File to Delete enter the file paths listed below ONE AT A TIME (EXACTLY as it appears, please double check to make sure! I would just copy each file path and paste it in the field - make sure to get ALL of them):

C:\WINDOWS\SYSTEM\ezPopStub.exe
C:\WINDOWS\SYSTEM\MSSARU.DLL
C:\WINDOWS\SYSTEM\stlb2.xml
C:\WINDOWS\DOWNLOADED PROGRAM FILES\PRELOADER.DLL
C:\WINDOWS\SYSTEM\wldr.dll
C:\WINDOWS\Downloaded Program Files\WildApp.inf
C:\WINDOWS\NDNuninstall6_38.exe
C:\My Documents\Misc\Downloads\GoldMinerSESetup-dm.exe
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq70A5.TMP
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq70B2.TMP
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq70D1.TMP
C:\Program Files\FileSubmit\Baseball\TBEZA127Q.exe
C:\Program Files\FileSubmit\Baseball\NNEZTA388.exe
C:\VVSN_STAT0641Inst.exe


Press the button that looks like a red circle with a white X in it after each one. When it asks if you would like to delete on reboot, press the YES button, when it asks if you want to reboot now, press the NO button. Do this after each one until you have entered the LAST file path I have listed above. After that LAST file path has been entered press the YES button at both prompts so that your computer restarts.

After your computer reboots, delete these folders:

C:\Program Files\QuickSearch
C:\Program Files\NewDotNet
C:\WINDOWS\wt

Post a new HiJackThis log.

Edited by bananafanafo, 20 April 2005 - 09:49 AM.


#12
Lady_Rocker (Member, Topic Starter, 168 posts)

Press the button that looks like a red circle with a white X in it after each one. When it asks if you would like to delete on reboot, press the YES button, when it asks if you want to reboot now, press the NO button. Do this after each one until you have entered the LAST file path I have listed above.  After that LAST file path has been entered press the YES button at both prompts so that your computer restarts.


I had a little problem with the Killbox. It did not ask me if I want to reboot after each entry; as a matter of fact, after the last entry, it NEVER asked me if I wanted to reboot (nor offered any options to), so I manually rebooted. Does this action affect the performance of the Killbox program? I hope not.

And OH! WOW! Does it pay off to be a Computer Science Major? Certain classes are required for my majors (Public Admin/Acctg/Human Resources) and because I love computers, I was thinking of adding in a FOURTH MAJOR! hee hee..

Edited by Lady_Rocker, 20 April 2005 - 03:24 PM.


#13
Michelle (Malware Removal Goddess, Retired Staff, 8,928 posts)
You have to have "Delete on Reboot" option clicked and it WILL prompt you twice. If it's on "standard file kill", then no it won't ask you if you want to reboot. :tazz:

You might actually want to try to run Killbox again (probably deleted some files) with DELETE ON REBOOT clicked ;)

Then, can I see a new HiJackThis log?

#14
solshne (New Member, Member, 6 posts)
Hi there - if it's any help, I have just removed the Trojan-Spy.HTML.Smitfraud.c from a friend's WIN 2000NT using the posted methods, so the fix works on that O/S as well as XP - thanks!!!

#15
Michelle (Malware Removal Goddess, Retired Staff, 8,928 posts)
Thank you :tazz: