popups continue though seemingly clean HJT logs...



#1 regergely (New Member, 1 posts)
Hi All,

(I'm asking for help for my friend, 'cause she does not have much knowledge about malware, so my replies can take quite long due to consulting her... I don't say I would be an expert, but at least I do understand what is said in the topics...)

So, the problem is that after she had tons of malware on her Win98 machine, we could remove most of it using Ad-Aware, HijackThis and all the instructions taken from various forums, but something has been left over.

Though the HJT log seemed pretty clean, and Ad-Aware didn't see anything bad either, popups from the following sites didn't stop:
http://www.9ringtone.com/be/index.php
http://www.loadingwe...rmal/yyy34.html
http://www9.paypopup...belnk/belnk.htm
http://isg05.casalem...V2/40509/42412/

After a day of seemingly clean scans, a new line appeared in the HJT logs, which is now undeletable (it appears on every new run of HJT, although "removed"); this is "Trusted IP range: 67.19.185.246".

After one more day BullEyes, CashBack and NaviSearch had reinstalled, which we have once more managed to completely (?) remove; they don't reinstall on reboot now. But the popups still don't want to stop.

I saw some posts about this type of problem, where it is said it can be a new type of VX2, which is quite hard to remove. Though the VX2 remover plugin for Ad-Aware doesn't even recognize that there is a VX2 infection. I hope it doesn't require too many complicated actions to clean away this [bleep]...

So finally, here is the HJT log. Am I right that only the "Trusted IP range: 67.19.185.246" is bad here, and all the others are normal? If the answer is "yes", then what the [bleep] starts the unwanted popups? IE is not used any more on that machine; my friend uses Netscape instead.

(Note: hodito.hu and V-Net are known here in Hungary and these are definitely not malware related.)

Logfile of HijackThis v1.99.1
Scan saved at 13:25:48, on 04/18/2005
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\PROGRAM FILES\MESSENGERPLUS! 3\MSGPLUS.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\INTERNAT.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\OSA.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\PROGRAM FILES\NETSCAPE\NETSCP.EXE
C:\PROGRAM FILES\WINCMD\WINCMD32.EXE
C:\DOKUMENTUMOK\HIJACKTHIS2.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hodito.hu/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer - terjesztő: V-net
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://www.hodito.hu/"); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\dem8wy7j.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CPROGRAM%20FILES%5CNETSCAPE%5CNETSCAPE%206%5Csearchplugins%5CSBWeb_01.src"); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\dem8wy7j.slt\prefs.js)
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [internat.exe] internat.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\RunServices: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe"
O4 - Startup: Office Indítópult.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O15 - Trusted IP range: 67.19.185.246
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab

Thanks,

Gregory
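As an added example for this thread (not code from the original post, from HijackThis, or from any tool named above), here is a small Python parser for HijackThis 1.99-style logs that pulls out the entries an analyst reads first: O15 Trusted Zone additions, which put a host or IP range into IE's Trusted sites zone (kept under HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap, so an O15 line that comes back after HJT "removes" it points at something still running that re-creates it), O16 ActiveX downloads from hosts outside an allow-list, and N3 search-engine overrides. The sample log mixes lines copied from the post with constructed ones: the O15 "Trusted Zone" domain and both O16 lines (GUIDs, control names, URLs) are made up, and the allow-list of expected ActiveX download hosts is an assumption to adjust per machine.

```python
"""Parse a HijackThis 1.99-style log and flag the entries worth a closer look.

Added example for this thread; not code from HijackThis or the original poster.
"""
import re

# Constructed sample log. The header, process, O4, N3 and "Trusted IP range"
# lines are copied from the post; the "Trusted Zone" line and both O16 lines
# (GUIDs, control names, URLs) are made up for the example.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Scan saved at 13:25:48, on 04/18/2005
Platform: Windows 98 SE (Win9x 4.10.2222A)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\PROGRAM FILES\NETSCAPE\NETSCP.EXE

O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CPROGRAM%20FILES%5CNETSCAPE%5CNETSCAPE%206%5Csearchplugins%5CSBWeb_01.src"); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\dem8wy7j.slt\prefs.js)
O15 - Trusted IP range: 67.19.185.246
O15 - Trusted Zone: *.example-ads.test
O16 - DPF: {00000000-0000-0000-0000-000000000001} (Constructed Control A) - http://download.example.test/ctl.cab
O16 - DPF: {00000000-0000-0000-0000-000000000002} (Constructed Control B) - http://activex.msn.com/ctl.cab
"""

ENTRY_RE = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")   # e.g. "O15 - Trusted IP range: ..."
HOST_RE = re.compile(r"https?://([^/\s]+)")
IPV4_RE = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")

# Where IE stores per-host zone assignments: Domains for host names, Ranges for
# IP ranges; a DWORD value of 2 under the entry means the Trusted sites zone.
ZONEMAP = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap"


def parse_hjt(text):
    """Split a log into (header lines, running processes, [(code, detail), ...])."""
    header, processes, entries = [], [], []
    section = "header"
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "Running processes:":
            section = "processes"
            continue
        m = ENTRY_RE.match(line)
        if m:
            section = "entries"
            entries.append((m.group(1), m.group(2)))
        elif section == "processes":
            processes.append(line)
        elif section == "header":
            header.append(line)
    return header, processes, entries


def assess(entries, trusted_hosts=("microsoft.com", "msn.com", "windowsupdate.com")):
    """Return (severity, code, detail, reason) for entries that deserve attention.

    trusted_hosts is an assumed allow-list of domains from which an O16 ActiveX
    download is considered expected; adjust it to the machine being examined.
    """
    suffixes = tuple("." + h for h in trusted_hosts)
    findings = []
    for code, detail in entries:
        if code == "O15":
            target = detail.split(":", 1)[1].strip()
            bucket = "Ranges" if IPV4_RE.match(target.split("-")[0]) else "Domains"
            findings.append(("high", code, detail,
                "puts %s in IE's Trusted sites zone (relaxed security); stored "
                "under %s\\%s. An entry that returns after removal means "
                "something still running re-creates it." % (target, ZONEMAP, bucket)))
        elif code == "O16":
            m = HOST_RE.search(detail)
            host = m.group(1).lower() if m else ""
            if host in trusted_hosts or host.endswith(suffixes):
                findings.append(("info", code, detail,
                                 "ActiveX control from allow-listed host " + host))
            else:
                findings.append(("medium", code, detail,
                                 "ActiveX control downloaded from " + (host or "unknown host")))
        elif code == "N3" and "browser.search.defaultengine" in detail:
            findings.append(("info", code, detail,
                             "Netscape default search engine points at a plugin file; verify that .src file"))
    return findings


if __name__ == "__main__":
    _, processes, entries = parse_hjt(SAMPLE_LOG)
    print("%d processes, %d entries" % (len(processes), len(entries)))
    for severity, code, detail, reason in assess(entries):
        print("[%s] %s - %s\n        %s" % (severity.upper(), code, detail, reason))
```

Run it as-is to see the sample output; for a real log, read the file and pass its text to parse_hjt. The O15 rule is deliberately blunt: a Trusted sites entry the user did not add is always worth removing, and the ZoneMap path in the finding is where to watch for whatever keeps writing it back.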
