
Malware VBS.Script.429 lose Internet Options


#1
Menteng

Dear Advisors,

Kindly please help me this time:

My Windows 98 SE has been attacked by a lot of Folder.htt/SCRIPT.0 -> VBS.Script.429.
It was detected by Dr.Web CureIt and Action: Moved

The PC status (what I realize) is:
- WINDOWS EXPLORER:
    No Tools/Folder Options
    No View/Folder Options
    No View/As web page

- INTERNET EXPLORER:
    Connecting to: 66.218.77.68 (Geocities Unavailable site)
    Display Address: about:error
    No: Tools / Internet Options
    Search.live.com

The HJT 99 log is like this now:

Logfile of HijackThis v1.99.1
Scan saved at 10:08:00 AM, on 30-10-2007
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v5.50 (5.50.4134.0600)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\PROGRAM FILES\NETWORK ASSOCIATES\VIRUSSCAN\AVSYNMGR.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\USBSTORAGE\USBDETECTOR.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\KINGSTON TECHNOLOGY CO INC\DATATRAVELER 2.0\SAFEEJECT.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\ADAWARE\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:error
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.cbn.net.id:8080
O4 - HKLM\..\Run: [USBDetector] C:\USBStorage\USBDetector.exe
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [UFDSE98] C:\Program files\KINGSTON TECHNOLOGY CO INC\DataTraveler 2.0\SafeEject.exe
O4 - HKLM\..\RunServices: [McAfeeVirusScanService] C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
O4 - Startup: route add.bat.pif = C:\ROUTEA~1.BAT
O12 - Plugin for .aaa: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin2.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 10.1.1.12

Scanning with AdAware in Normal Mode found nothing.

The Dr.Web report in CSV is:
Folder.htt\Script.0;c:\Folder.htt;VBS.Generic.429;;
Folder.htt;c:\;Archive contains infected objects;Moved.;
folder.htt\Script.0;c:\WINDOWS\folder.htt;VBS.Generic.429;;
folder.htt;c:\WINDOWS;Archive contains infected objects;Moved.;
Folder.htt\Script.0;c:\WINDOWS\SYSTEM\Folder.htt;VBS.Generic.429;;
Folder.htt;c:\WINDOWS\SYSTEM;Archive contains infected objects;Moved.;
Folder.htt\Script.0;c:\WINDOWS\Web\Folder.htt;VBS.Generic.429;;
Folder.htt;c:\WINDOWS\Web;Archive contains infected objects;Moved.;
Folder.htt\Script.0;c:\My Documents\Folder.htt;VBS.Generic.429;;
Folder.htt;c:\My Documents;Archive contains infected objects;Moved.;
DAPBHO.dll;c:\Program Files\DAP;Adware.IEBar;Incurable.Deleted.;
Process.exe;c:\Program Files\HaxFix;Tool.Prockill;Incurable.Deleted.;
CPQSM.EXE;c:\Compaq\SP21135;Probably BACKDOOR.Trojan;Incurable.Deleted.;
Folder.htt\Script.0;c:\Adaware\Folder.htt;VBS.Generic.429;;
Folder.htt;c:\Adaware;Archive contains infected objects;Moved.;
Folder.htt\Script.0;c:\Adaware\HjFix\Folder.htt;VBS.Generic.429;;
Folder.htt;c:\Adaware\HjFix;Archive contains infected objects;Moved.;
Folder.htt\Script.0;c:\Adaware\SpywareGuard\Folder.htt;VBS.Generic.429;;
Folder.htt;c:\Adaware\SpywareGuard;Archive contains infected objects;Moved.;
Folder.htt\Script.0;c:\Adaware\AVZ\avz4en\Folder.htt;VBS.Generic.429;;
Folder.htt;c:\Adaware\AVZ\avz4en;Archive contains infected objects;Moved.;
Comet_VIRUS.ddd;c:\Adaware\TampungVirus;Adware.Comet;Incurable.Deleted.;
webdlg32_dll.VIR;c:\Adaware\TampungVirus;Adware.Hotbar;Incurable.Deleted.;
070413_ONLINE_BITDEFENDER.htm\Script.0;c:\Download\070413_ONLINE_BITDEFENDER.htm;VBS.Generic.429;;
070413_ONLINE_BITDEFENDER.htm;c:\Download;Archive contains infected objects;Moved.;
Folder.htt\Script.0;c:\Download\Folder.htt;VBS.Generic.429;;
Folder.htt;c:\Download;Archive contains infected objects;Moved.;
mirc32.exe;c:\Download\mIRC;Program.mIRC.591;Incurable.Deleted.;
mirc.exe;c:\Download\mirc6;Program.mIRC.603;Incurable.Deleted.;
Silent Runners.vbs;c:\Download\OBAT;Probably BATCH.Virus;Incurable.Deleted.;

Kindly please help me. Your help is appreciated.

Thanks,

Lee