Trojan-Spy.HTML.Smitfraud.c on Win98SE [CLOSED]

#16 Lady_Rocker (Topic Starter, Member)

HEY! I have the latest HijackThis. And, yea, I still had no options after clicking the "red circle with the white ex". I dunno, I even re-downloaded the program to make sure and still no option. Anyhoot, I followed the last procedure and here is the log:


Logfile of HijackThis v1.99.1
Scan saved at 9:43:53 PM, on 4/21/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
C:\WINDOWS\EXPLORER.EXE
C:\TNT2-64\VI_GRM.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\THE CLEANER\TCA.EXE
C:\THE CLEANER\TCM.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\HJT\HIJACKTHIS.EXE

F1 - win.ini: load=C:\TNT2-64\vi_grm.exe
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN2\YCOMP5_5_7_0.DLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN2\YCOMP5_5_7_0.DLL
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [CriticalUpdate] C:\WINDOWS\SYSTEM\wucrtupd.exe -startup
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\Run: [tcactive] C:\THE CLEANER\tca.exe
O4 - HKLM\..\Run: [tcmonitor] C:\THE CLEANER\tcm.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YPAGER.EXE
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YPAGER.EXE
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.c...nst_current.cab
O16 - DPF: {F5820AD3-9B20-423E-B2AA-7AF2B4055746} (CRegistryDownload Class) - http://download.palt....x/regdload.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab28177.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.game...aploader_v6.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab

#17 Michelle (Malware Removal Goddess, Retired Staff)

If you would like to free up some system resources, run HijackThis, put a check next to the following item and click "fix checked" (this is optional):

O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

This is an application which launches common MS Office components to help speed up the launch of Office programs. It's somewhat of a resource hog, and some users claim there's no difference with or without it but it usually isn't required. Note - if you make use of the Microsoft Office Shortcut Bar outside an office program this application will need to be enabled for it to show.

How is your system running?? :tazz:
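The HijackThis log above and Michelle's note on the O4 Startup entry both rely on the same fixed line format: a section tag, a location (registry key, Startup folder, CLSID), a name, and a command, path or URL. The following Python parser is an added example, not part of this thread and not code from HijackThis itself; it assumes the v1.99.1 layout shown in the log, handles the O2, O4 and O16 lines, and lists O4 entries whose command names a file without a directory, which is the first thing to confirm on disk when reviewing autoruns. The sample lines are copied from the log above.

```python
import re

# Patterns for the HijackThis line types used in the log above (O2, O4, O16).
O4_REG_RE = re.compile(
    r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
O4_STARTUP_RE = re.compile(r"^O4 - Startup: (?P<name>.+?) = (?P<cmd>.+)$")
O2_RE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.+)$")
O16_RE = re.compile(
    r"^O16 - DPF: (?P<clsid>\{[0-9A-Fa-f-]{36}\}) \((?P<name>[^)]*)\) - (?P<url>\S+)$")

def parse_hjt(text):
    """Return one dict per recognised O2/O4/O16 line; other lines are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if m := O4_REG_RE.match(line):        # registry Run / RunServices keys
            entries.append({"type": "O4", "where": f"{m['hive']}\\{m['key']}",
                            "name": m["name"], "cmd": m["cmd"]})
        elif m := O4_STARTUP_RE.match(line):  # Startup folder shortcuts
            entries.append({"type": "O4", "where": "Startup folder",
                            "name": m["name"], "cmd": m["cmd"]})
        elif m := O2_RE.match(line):          # browser helper objects
            entries.append({"type": "O2", "name": m["name"],
                            "clsid": m["clsid"].upper(), "path": m["path"]})
        elif m := O16_RE.match(line):         # downloaded ActiveX controls
            entries.append({"type": "O16", "name": m["name"],
                            "clsid": m["clsid"].upper(), "url": m["url"]})
    return entries

def autoruns_without_path(entries):
    """Names of O4 entries whose command is a bare file name: no directory is
    given, so check on disk which copy of that file the entry actually starts."""
    return [e["name"] for e in entries
            if e["type"] == "O4" and "\\" not in e["cmd"].split()[0]]

# Constructed sample: six lines copied from the log posted earlier in this thread.
SAMPLE = """\
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\\PROGRA~1\\SPYBOT~1\\SDHELPER.DLL
O4 - HKLM\\..\\Run: [SystemTray] SysTray.Exe
O4 - HKLM\\..\\Run: [AVG7_CC] C:\\PROGRA~1\\GRISOFT\\AVGFRE~1\\AVGCC.EXE /STARTUP
O4 - HKLM\\..\\RunServices: [SchedulingAgent] mstask.exe
O4 - Startup: Microsoft Office.lnk = C:\\Program Files\\Microsoft Office\\Office\\OSA9.EXE
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
"""

if __name__ == "__main__":
    print(parse_hjt(SAMPLE))
    print("autoruns without a path:", autoruns_without_path(parse_hjt(SAMPLE)))
```
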

#18 Lady_Rocker (Topic Starter, Member)

WOW! My computer "WAS" running smoother than before, however, I seem to keep getting some trojan in the Sun Java Program. When I tried to uninstall it, it refuses to be uninstalled! When I get home, I'll run the AVG, then the HijackThis for you to analyze. Other than that, everything is fine, it's just that every day in the Sun Java folder (under C:\Windows\Application Data\...) there are always at least 2-4 trojans detected in the zip files...

Any recommendations to:
1> how to remove this dang program
2> another Java program I can use
3> HALP! hee hee

#19 Michelle (Malware Removal Goddess, Retired Staff)

Follow the directions below to get rid of the trojans:

1. Click Start > Control Panel.

2. Double-click the Java icon (coffee cup) in the control panel.
NOTE: Let me know if it just says "Java Plug-in" instead of just "Java" because you won't see all of these options if it does.
The Java Control Panel will appear.

3. Click Settings under Temporary Internet Files.
The Temporary Files Settings dialog box will appear.

4. Click Delete Files.
The Delete Temporary Files dialog box will appear.

There are three options on this window to clear the cache - leave ALL 3 checked.
1. Delete Files
2. View Applications
3. View Applets


5. Click OK on Delete Temporary Files window.
Note: This deletes all the Downloaded Applications and Applets from the cache.

6. Click OK on Temporary Files Settings window.

7. Now, click on the "Update" tab and update your program.

Edited by bananafanafo, 25 April 2005 - 06:30 PM.


#20 Michelle (Malware Removal Goddess, Retired Staff)

Post a new HijackThis log. (This time would you mind coming back to let me know that it's working, thank you! :tazz: )

#21 Lady_Rocker (Topic Starter, Member)

> 2. Double-click the Java icon (coffee cup) in the control panel.
> NOTE: Let me know if it just says "Java Plug-in" instead of just "Java" because you won't see all of these options if it does.
> The Java Control Panel will appear.


Yep, it only says Java Plug-In, so I couldn't follow the rest of the directions because a whole different control panel popped up. :tazz:

Sorry for the delay in responding, am at the last 3 weeks of school so projects and studying galore ;)

But as for everything else (so far), the comp is doing great except for that annoying Java situation... ;)

#22 Michelle (Malware Removal Goddess, Retired Staff)

OK, double-click on the Java Plug-in icon to bring up the control panel. I can't remember exactly where, but there is an update button on it. It should be easy to find. Update it, reboot your computer, and follow my instructions in my previous post.

:tazz:

#23 Lady_Rocker (Topic Starter, Member)

Apparently this update is available:

Java 2 Runtime Environment, v1.5.0_02-b09
----------------------------------------
This is 1.5.0_02-b09

But, my computer keeps blocking the update process. Downloading is okay, but when the installation process starts, I get this message:

MSIEXEC caused an invalid page fault in
module KERNEL32.DLL at 0167:bff9db61.
Registers:
EAX=c00309c4 CS=0167 EIP=bff9db61 EFLGS=00010212
EBX=0056de48 SS=016f ESP=0052fe68 EBP=00530104
ECX=00000000 DS=016f ESI=00000000 FS=48a7
EDX=bff76855 ES=016f EDI=bff79198 GS=0000
Bytes at CS:EIP:
53 8b 15 e4 9c fc bf 56 89 4d e4 57 89 4d dc 89
Stack dump:


What to do? What to do? :tazz:

Edited by Lady_Rocker, 26 April 2005 - 03:48 PM.


#24 Michelle (Malware Removal Goddess, Retired Staff)

Please run BOTH of these online virus scans to get rid of the java viruses:
TrendMicro's HouseCall - check "Auto Clean"
ActiveScan

The kernel32.dll error, well, that's got something to do with the Windows Installer component and updating your Java - apparently they don't like each other very well. That's probably not something I'll be able to help you with, as it has to do with your operating system and not with malware. I suggest posting a topic in the Windows 98 forum - copy the error message from your last post and tell them you were trying to update your Sun Java. They should be able to help you fix it. After that, come back to this thread so we can make sure your system is still clean.

#25 Lady_Rocker (Topic Starter, Member)

Oki Doki, I'll do that (post in Win98 Section).. in the meantime, I'll keep running the Online Scanners... will post another HijackThis Log afterwards... But as long as that bug in the Java is not fixed, I know I'll keep getting that "trojan" in the Java folder...

BRB...

#26 Lady_Rocker (Topic Starter, Member)

Bad News. Apparently there was something wrong with the Trend Online Scanner engine and now my computer is a bit berzerko! I tried to follow Trend's recommendations, but to no success, I may need you to help me analyze THEIR error.

:tazz:

I will post a HijackThis Log when I get home (am at school)

#27 Michelle (Malware Removal Goddess, Retired Staff)

Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member with address of this thread. This applies only to the original topic starter. Everyone else please begin a New Topic.