[Referred] Ad-aware log. [RESOLVED]


#16 Paul_ltt (Topic Starter, Member, 22 posts)
Cheers for that. My logfile is below:

Regards
Paul

Logfile of HijackThis v1.99.1
Scan saved at 19:33:48, on 05/03/2005
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\E_S10IC2.EXE
C:\PROGRAM FILES\AHEAD\INCD\INCD.EXE
C:\PROGRAM FILES\PESTPATROL\PPCONTROL.EXE
C:\PROGRAM FILES\PESTPATROL\PPMEMCHECK.EXE
C:\PROGRAM FILES\PESTPATROL\COOKIEPATROL.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\PROGRAM FILES\SPAMIHILATOR\SPAMIHILATOR.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\OSA.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\FINDFAST.EXE
C:\COREL\GRAPHICS8\PROGRAMS\MFINDEXER.EXE
C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\OUTLOOK EXPRESS\MSIMN.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\PROGRAM FILES\SPYWARECONTROL\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer,Search = www.google.com
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = www.google.com
R1 - HKLM\Software\Microsoft\Internet Explorer,Search = www.google.co.uk
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.ltt.org.uk
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.ltt.org.uk
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.ozcomputers.net/home
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.co.uk
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = www.google.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = www.google.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by OZ Computers
O2 - BHO: CCHelper Class - {0CF0B8EE-6596-11D5-A98E-0003470BB48E} - C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER\CCHELPER.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\SpywareControl\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: Pa&nicware Pop-Up Stopper - {7E82235C-F31E-46CB-AF9F-1ADD94C585FF} - C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER\PSTOPPER.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Atikey] Atitask.exe
O4 - HKLM\..\Run: [AtiCwd32] Aticwd32.exe
O4 - HKLM\..\Run: [Matrox Control Center] C:\Program Files\Matrox MGA PowerDesk\mgactrl.exe
O4 - HKLM\..\Run: [Matrox Color Control] C:\Program Files\Matrox MGA PowerDesk\Color\hgcctl95.exe
O4 - HKLM\..\Run: [Matrox Diagnostic] C:\Program Files\Matrox MGA PowerDesk\diag\mgadiag.exe -s
O4 - HKLM\..\Run: [EPSON Stylus C42 Series] C:\WINDOWS\SYSTEM\E_S10IC2.EXE /P23 "EPSON Stylus C42 Series" /O5 "LPT1:" /M "Stylus C42"
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [PestPatrol Control Center] C:\Program Files\PestPatrol\PPControl.exe
O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\Run: [Security iGuard] C:\Program Files\Security iGuard\Security iGuard.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
O4 - HKCU\..\Run: [Matrox QuickDesk] C:\Program Files\Matrox MGA PowerDesk\QDesk\mgaqdesk.exe
O4 - HKCU\..\Run: [Spamihilator] "C:\Program Files\Spamihilator\spamihilator.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRAM FILES\YAHOO!\MESSENGER\ypager.exe -quiet
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Startup: Corel MEDIA FOLDERS INDEXER 8.LNK = C:\Corel\Graphics8\Programs\MFIndexer.exe
O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O9 - Extra button: Microsoft AntiSpyware helper - {2E675E20-A624-11D9-A5E9-00055DD18EF7} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {2E675E20-A624-11D9-A5E9-00055DD18EF7} - (no file) (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://www.ozcomputers.net/home
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab

#17 Avohir (Visiting Staff, Visiting Consultant, 1,002 posts)
Hi and welcome to GTG :tazz:

Sorry for the late reply. If you're still looking to resolve this issue, please run through the steps outlined in this topic and post back a fresh log when done, please.

If you have resolved this issue, please let us know.
Thanks, and again sorry for the late reply.

-Avohir

#18 Paul_ltt (Topic Starter, Member, 22 posts)
Thanks.
I am still having the same problems. I have done the majority of the measures listed in the topic, plus other spyware detectors, all to no effect.

My latest HijackThis log is below.
Any help with this would be most welcome.

Regards
Paul


Logfile of HijackThis v1.99.1
Scan saved at 22:48:42, on 05/08/2005
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\E_S10IC2.EXE
C:\PROGRAM FILES\AHEAD\INCD\INCD.EXE
C:\PROGRAM FILES\PESTPATROL\PPCONTROL.EXE
C:\PROGRAM FILES\PESTPATROL\PPMEMCHECK.EXE
C:\PROGRAM FILES\PESTPATROL\COOKIEPATROL.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\PROGRAM FILES\SPAMIHILATOR\SPAMIHILATOR.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\OSA.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\FINDFAST.EXE
C:\COREL\GRAPHICS8\PROGRAMS\MFINDEXER.EXE
C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\OUTLOOK EXPRESS\MSIMN.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\PROGRAM FILES\SPYWARECONTROL\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer,Search = www.google.com
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = www.google.com
R1 - HKLM\Software\Microsoft\Internet Explorer,Search = www.google.co.uk
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.ltt.org.uk
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.ltt.org.uk
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.ozcomputers.net/home
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.co.uk
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = www.google.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = www.google.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by OZ Computers
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O2 - BHO: CCHelper Class - {0CF0B8EE-6596-11D5-A98E-0003470BB48E} - C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER\CCHELPER.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\SpywareControl\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: Pa&nicware Pop-Up Stopper - {7E82235C-F31E-46CB-AF9F-1ADD94C585FF} - C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER\PSTOPPER.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Atikey] Atitask.exe
O4 - HKLM\..\Run: [AtiCwd32] Aticwd32.exe
O4 - HKLM\..\Run: [Matrox Control Center] C:\Program Files\Matrox MGA PowerDesk\mgactrl.exe
O4 - HKLM\..\Run: [Matrox Color Control] C:\Program Files\Matrox MGA PowerDesk\Color\hgcctl95.exe
O4 - HKLM\..\Run: [Matrox Diagnostic] C:\Program Files\Matrox MGA PowerDesk\diag\mgadiag.exe -s
O4 - HKLM\..\Run: [EPSON Stylus C42 Series] C:\WINDOWS\SYSTEM\E_S10IC2.EXE /P23 "EPSON Stylus C42 Series" /O5 "LPT1:" /M "Stylus C42"
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [PestPatrol Control Center] C:\Program Files\PestPatrol\PPControl.exe
O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\Run: [Security iGuard] C:\Program Files\Security iGuard\Security iGuard.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
O4 - HKCU\..\Run: [Matrox QuickDesk] C:\Program Files\Matrox MGA PowerDesk\QDesk\mgaqdesk.exe
O4 - HKCU\..\Run: [Spamihilator] "C:\Program Files\Spamihilator\spamihilator.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRAM FILES\YAHOO!\MESSENGER\ypager.exe -quiet
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Startup: Corel MEDIA FOLDERS INDEXER 8.LNK = C:\Corel\Graphics8\Programs\MFIndexer.exe
O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O9 - Extra button: Microsoft AntiSpyware helper - {2E675E20-A624-11D9-A5E9-00055DD18EF7} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {2E675E20-A624-11D9-A5E9-00055DD18EF7} - (no file) (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://www.ozcomputers.net/home
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab

#19 Avohir (Visiting Staff, Visiting Consultant, 1,002 posts)
Sorry for the delay... sometimes the real world butts in on my online time :tazz:

Your log looks clean. Can you detail for me again the problems you're having?

#20 Paul_ltt (Topic Starter, Member, 22 posts)
Thanks for the reply.

The problems are twofold.
More often than not, when I log on to Internet Explorer, AVG picks up a Startpage.19 virus.

Also I get occasional redirections. Sometimes it happens every 3 or 4 times I navigate a link; other times I get through the entire session without one.

The two main sites it goes for are

h**p://66.230.167.104/sout.php?fc=64
h**p://vv2.i1.topx.cc/index.php?aid=20038

The top one then opens up a [bleep] site, whereas the latter appears to be a search engine.

Regards
Paul

#21 Avohir (Visiting Staff, Visiting Consultant, 1,002 posts)
Please download SilentRunners from here:
http://www.silentrun...ent Runners.zip
Unzip it to the desktop and double-click on it. If you get any kind of warning message about scripts, please choose to allow the script to run. When the scan is finished, it will create a logfile on the desktop. Please post the entire contents of this logfile for me to see.

#22 Paul_ltt (Topic Starter, Member, 22 posts)
Thanks.

I've tried that; the results are below.

Regards
Paul

"Silent Runners.vbs", revision 36, http://www.silentrunners.org/
Operating System: Windows 98
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"Matrox QuickDesk" = "C:\Program Files\Matrox MGA PowerDesk\QDesk\mgaqdesk.exe" ["Matrox Graphics Inc."]
"Spamihilator" = ""C:\Program Files\Spamihilator\spamihilator.exe"" ["Michel Krämer"]
"Yahoo! Pager" = "C:\PROGRAM FILES\YAHOO!\MESSENGER\ypager.exe -quiet" ["Yahoo! Inc."]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"ScanRegistry" = "C:\WINDOWS\scanregw.exe /autorun" [MS]
"TaskMonitor" = "C:\WINDOWS\taskmon.exe" [MS]
"SystemTray" = "SysTray.Exe" [MS]
"LoadPowerProfile" = "Rundll32.exe powrprof.dll,LoadCurrentPwrScheme" [MS]
"Atikey" = "Atitask.exe" ["ATI Technologies, Inc."]
"AtiCwd32" = "Aticwd32.exe" ["ATI Technologies Inc."]
"Matrox Control Center" = "C:\Program Files\Matrox MGA PowerDesk\mgactrl.exe" ["Matrox Graphics Inc."]
"Matrox Color Control" = "C:\Program Files\Matrox MGA PowerDesk\Color\hgcctl95.exe" ["Sonnetech Ltd."]
"Matrox Diagnostic" = "C:\Program Files\Matrox MGA PowerDesk\diag\mgadiag.exe -s" ["Matrox Graphics Inc."]
"EPSON Stylus C42 Series" = "C:\WINDOWS\SYSTEM\E_S10IC2.EXE /P23 "EPSON Stylus C42 Series" /O5 "LPT1:" /M "Stylus C42"" ["SEIKO EPSON CORPORATION"]
"InCD" = "C:\Program Files\Ahead\InCD\InCD.exe" ["Copyright © ahead software gmbh and its licensors"]
"PestPatrol Control Center" = "C:\Program Files\PestPatrol\PPControl.exe" [null data]
"PPMemCheck" = "C:\PROGRA~1\PESTPA~1\PPMemCheck.exe" [null data]
"CookiePatrol" = "C:\PROGRA~1\PESTPA~1\CookiePatrol.exe" [null data]
"QuickTime Task" = ""C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime" ["Apple Computer, Inc."]
"StillImageMonitor" = "C:\WINDOWS\SYSTEM\STIMON.EXE" [MS]
"TkBellExe" = ""C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot" ["RealNetworks, Inc."]
"AVG7_CC" = "C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP" ["GRISOFT, s.r.o."]
"AVG7_EMC" = "C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE" ["GRISOFT, s.r.o."]
"AVG7_AMSVR" = "C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE" ["GRISOFT, s.r.o."]
"Security iGuard" = "C:\Program Files\Security iGuard\Security iGuard.exe" [file not found]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\ {++}
"LoadPowerProfile" = "Rundll32.exe powrprof.dll,LoadCurrentPwrScheme" [MS]
"KB891711" = "C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{0CF0B8EE-6596-11D5-A98E-0003470BB48E}\(Default) = "CCHelper Class" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER\CCHELPER.DLL" ["8"]
{53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\SpywareControl\Spybot - Search & Destroy\SDHelper.dll" ["Safer Networking Limited"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{992CFFA0-F557-101A-88EC-00DD010CCC48}" = "Dial-Up Networking"
-> {CLSID}\InProcServer32\(Default) = "rnaui.dll" [MS]
"{2E9D3540-211C-11d0-A5F2-00A0248C37BE}" = "Nero Shell Extension Property Sheet"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Ahead\Nero\neroshx.dll" ["ahead software gmbh im stoeckmaedle 6 76307 karlsbad, germany Fax: ++49-7248-911-888 e-mail: info@ahead.de"]
"{BB7DF450-F119-11CD-8465-00AA00425D90}" = "Microsoft Access Custom Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office\soa800.dll" [MS]
"{00020D75-0000-0000-C000-000000000046}" = "Microsoft Exchange"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Windows Messaging\mlshext.dll" [MS]
"{59850401-6664-101B-B21C-00AA004BA90B}" = "Microsoft Office Binder Explode"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\UNBIND.DLL" [MS]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Outlook Custom Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office\olkfstub.dll" [MS]
"{0A082D00-EC93-11D0-B1E6-80580BC10627}" = "Corel Media Folder Root Menu Handler"
-> {CLSID}\InProcServer32\(Default) = "C:\COREL\GRAPHICS8\PROGRAMS\CMFFLD80.DLL" ["$"]
"{0FBF99C1-4127-11D1-B1E6-C17E96D9180A}" = "Folder To Corel Media Folder Menu Handler"
-> {CLSID}\InProcServer32\(Default) = "C:\COREL\GRAPHICS8\PROGRAMS\CMFFLD80.DLL" ["$"]
"{854AF161-1AE1-11D1-AB9B-00C0F00683EB}" = "Corel Media Folder"
-> {CLSID}\InProcServer32\(Default) = "C:\COREL\GRAPHICS8\PROGRAMS\CMFFLD80.DLL" ["$"]
"{E856F161-1AE5-11d1-AB9B-00C0F00683EB}" = "Corel Media Folder"
-> {CLSID}\InProcServer32\(Default) = "C:\COREL\GRAPHICS8\PROGRAMS\CMFFLD80.DLL" ["$"]
"{CDB89701-262F-11D1-AB9C-00C0F00683EB}" = "Corel Media Find Folder"
-> {CLSID}\InProcServer32\(Default) = "C:\COREL\GRAPHICS8\PROGRAMS\CMFFLD80.DLL" ["$"]
"{F8152501-455F-11D1-B1E6-444553540000}" = "Corel Media Folder Copy Hook Handler"
-> {CLSID}\InProcServer32\(Default) = "C:\COREL\GRAPHICS8\PROGRAMS\CMFFLD80.DLL" ["$"]
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRAM FILES\REAL\REALONE PLAYER\RPSHELL.DLL" ["RealNetworks, Inc."]
"{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Shell Extension"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]
"{9F97547E-460A-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Find Extension"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]


Enabled Wallpaper and Active Desktop:
-------------------------------------

Active Desktop is disabled.

HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\WINDOWS\CPQ_1024.BMP"


Startup items in "Startup" & "All Users...Startup" folders:
-----------------------------------------------------------

C:\WINDOWS\Start Menu\Programs\StartUp
"Office Startup" -> shortcut to: "C:\Program Files\Microsoft Office\Office\OSA.EXE -b" [MS]
"Microsoft Find Fast" -> shortcut to: "C:\Program Files\Microsoft Office\Office\FINDFAST.EXE" [MS]
"Corel MEDIA FOLDERS INDEXER 8" -> shortcut to: "C:\Corel\Graphics8\Programs\MFIndexer.exe" ["Corel Corporation"]
"WinZip Quick Pick" -> shortcut to: "C:\Program Files\WinZip\WZQKPICK.EXE" ["WinZip Computing, Inc."]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "C:\WINDOWS\SYSTEM\rnr20.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
00000000000#\PackedCatalogItem (contains) DLL [Company Name], (at) # range:
C:\WINDOWS\SYSTEM\mswsosp.dll [MS], 1
C:\WINDOWS\SYSTEM\msafd.dll [MS], 2 - 4
C:\WINDOWS\SYSTEM\rsvpsp.dll [MS], 5 - 6


Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKLM\Software\Microsoft\Internet Explorer\Toolbar\
"{7E82235C-F31E-46CB-AF9F-1ADD94C585FF}"
-> {CLSID}\(Default) = "Pa&nicware Pop-Up Stopper"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER\PSTOPPER.DLL" ["Panicware, Inc."]

Extensions (Tools menu items, main toolbar menu buttons)

HKCU\Software\Microsoft\Internet Explorer\Extensions\
{2E675E20-A624-11D9-A5E9-00055DD18EF7}\
"ButtonText" = "Microsoft AntiSpyware helper"
"MenuText" = "Microsoft AntiSpyware helper"

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Sun Java Console"
"CLSIDExtension" = "{08B0E5C0-4FCB-11CF-AAA5-00401C608501}"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\SYSTEM\MSJAVA.DLL" [MS]


HOSTS file
----------

C:\WINDOWS\HOSTS

maps: 1 domain name to an IP address,
1 of the IP addresses is *not* localhost!


----------
This report excludes default entries except where indicated.
To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
----------

#23 Avohir (Visiting Staff, Visiting Consultant, 1,002 posts)
Run HijackThis and put check marks next to the following entries:

O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O4 - HKLM\..\Run: [Security iGuard] C:\Program Files\Security iGuard\Security iGuard.exe
O9 - Extra button: Microsoft AntiSpyware helper - {2E675E20-A624-11D9-A5E9-00055DD18EF7} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {2E675E20-A624-11D9-A5E9-00055DD18EF7} - (no file) (HKCU)

Then close all other open windows and click "Fix checked".

Next, open up My Computer and delete the C:\Program Files\Security iGuard folder, if present.

Finally, reboot and post a fresh HijackThis log.
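The three entries picked out above share a pattern a defender can check for mechanically: a HOSTS mapping to a non-loopback address, an IE extension whose target reads "(no file)", and a Run value whose executable Silent Runners reported as [file not found]. The script below is an added example (not part of this thread or of HijackThis/Silent Runners) that parses constructed samples in both tools' formats and cross-references them to produce the same short list; the regexes and function names are my own.

```python
import re

# Constructed sample in HijackThis v1.99.1 format, modelled on the logs in this
# thread. The O1, O4 and O9 entries mirror the ones the helper asked to fix.
HJT_SAMPLE = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.ltt.org.uk
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\SpywareControl\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [Security iGuard] C:\Program Files\Security iGuard\Security iGuard.exe
O9 - Extra button: Microsoft AntiSpyware helper - {2E675E20-A624-11D9-A5E9-00055DD18EF7} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
"""

# Constructed excerpt in the Silent Runners "Startup items" format: a Run value
# whose target is missing on disk is tagged [file not found].
SR_SAMPLE = r"""
"AVG7_CC" = "C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP" ["GRISOFT, s.r.o."]
"Security iGuard" = "C:\Program Files\Security iGuard\Security iGuard.exe" [file not found]
"""

HJT_LINE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.*)$")
SR_MISSING = re.compile(r'^"(?P<name>[^"]+)" = .*\[file not found\]\s*$')
HOSTS_ENTRY = re.compile(r"^Hosts:\s*(?P<ip>\S+)\s+(?P<host>\S+)")
RUN_NAME = re.compile(r"\[(?P<name>[^\]]+)\]")
LOCAL_PREFIXES = ("127.", "0.0.0.0", "::1")


def missing_targets(silent_runners_log):
    """Names of Run values that Silent Runners tagged as [file not found]."""
    names = set()
    for line in silent_runners_log.splitlines():
        m = SR_MISSING.match(line.strip())
        if m:
            names.add(m.group("name"))
    return names


def triage(hjt_log, silent_runners_log=""):
    """Return (section, reason, line) for each entry that deserves a second look.

    Three checks, one per kind of line the helper singled out: O1 hosts entries
    that point a hostname somewhere other than loopback, O2/O3/O9 extensions whose
    target is "(no file)", and O4 Run values whose executable Silent Runners could
    not find on disk (an orphaned autostart left behind by a partial cleanup).
    """
    missing = missing_targets(silent_runners_log)
    findings = []
    for raw in hjt_log.splitlines():
        line = raw.strip()
        m = HJT_LINE.match(line)
        if not m:
            continue
        sec, body = m.group("sec"), m.group("body")
        if sec == "O1":
            h = HOSTS_ENTRY.match(body)
            if h and not h.group("ip").startswith(LOCAL_PREFIXES):
                findings.append((sec, f"hosts file sends {h.group('host')} to {h.group('ip')}", line))
        elif sec in ("O2", "O3", "O9") and "(no file)" in body:
            findings.append((sec, "IE extension registered but its file is gone", line))
        elif sec == "O4":
            n = RUN_NAME.search(body)
            if n and n.group("name") in missing:
                findings.append((sec, "autostart value points at a file that no longer exists", line))
    return findings


if __name__ == "__main__":
    for sec, reason, line in triage(HJT_SAMPLE, SR_SAMPLE):
        print(f"{sec}: {reason}\n    {line}")
```

Without a Silent Runners log the O4 check is skipped, since a HijackThis O4 line alone does not say whether the target exists.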

#24 Paul_ltt (Topic Starter, Member, 22 posts)
Thanks Avohir

I deleted those four lines. The Security iGuard folder wasn't there.

My new log is below.

Regards
Paul

Logfile of HijackThis v1.99.1
Scan saved at 07:27:06, on 05/20/2005
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\E_S10IC2.EXE
C:\PROGRAM FILES\AHEAD\INCD\INCD.EXE
C:\PROGRAM FILES\PESTPATROL\PPCONTROL.EXE
C:\PROGRAM FILES\PESTPATROL\PPMEMCHECK.EXE
C:\PROGRAM FILES\PESTPATROL\COOKIEPATROL.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\SPAMIHILATOR\SPAMIHILATOR.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\OSA.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\FINDFAST.EXE
C:\COREL\GRAPHICS8\PROGRAMS\MFINDEXER.EXE
C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\SPYWARECONTROL\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer,Search = www.google.com
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = www.google.com
R1 - HKLM\Software\Microsoft\Internet Explorer,Search = www.google.co.uk
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.ltt.org.uk
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.ltt.org.uk
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.ozcomputers.net/home
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.co.uk
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = www.google.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = www.google.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by OZ Computers
O2 - BHO: CCHelper Class - {0CF0B8EE-6596-11D5-A98E-0003470BB48E} - C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER\CCHELPER.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\SpywareControl\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: Pa&nicware Pop-Up Stopper - {7E82235C-F31E-46CB-AF9F-1ADD94C585FF} - C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER\PSTOPPER.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Atikey] Atitask.exe
O4 - HKLM\..\Run: [AtiCwd32] Aticwd32.exe
O4 - HKLM\..\Run: [Matrox Control Center] C:\Program Files\Matrox MGA PowerDesk\mgactrl.exe
O4 - HKLM\..\Run: [Matrox Color Control] C:\Program Files\Matrox MGA PowerDesk\Color\hgcctl95.exe
O4 - HKLM\..\Run: [Matrox Diagnostic] C:\Program Files\Matrox MGA PowerDesk\diag\mgadiag.exe -s
O4 - HKLM\..\Run: [EPSON Stylus C42 Series] C:\WINDOWS\SYSTEM\E_S10IC2.EXE /P23 "EPSON Stylus C42 Series" /O5 "LPT1:" /M "Stylus C42"
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [PestPatrol Control Center] C:\Program Files\PestPatrol\PPControl.exe
O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
O4 - HKCU\..\Run: [Matrox QuickDesk] C:\Program Files\Matrox MGA PowerDesk\QDesk\mgaqdesk.exe
O4 - HKCU\..\Run: [Spamihilator] "C:\Program Files\Spamihilator\spamihilator.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRAM FILES\YAHOO!\MESSENGER\ypager.exe -quiet
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Startup: Corel MEDIA FOLDERS INDEXER 8.LNK = C:\Corel\Graphics8\Programs\MFIndexer.exe
O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O14 - IERESET.INF: START_PAGE_URL=http://www.ozcomputers.net/home
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab

#25 Avohir (Visiting Staff, Visiting Consultant, 1,002 posts)
As near as I can tell that's a clean log. Are you still having problems?

If so, please list them for me so we can dig deeper into the cause.

#26 Paul_ltt (Topic Starter, Member, 22 posts)
Thanks Avohir.
Problems don't seem to have completely cleared up.
Since my last post I have logged on three times.
1st time: nothing happened.
2nd time: AVG automatically updated and found a STARTPAGE.19.AN virus in a C:\WINDOWS\SYSTEM\????.DLL file (stupidly I deleted it rather than vaulted it, so I can't recall which file).
3rd time: no AVG update, no virus, but opening a link from my favourites came up with h**p://ww2.pissfountain.com/search.php?sid=AAAB2O2kNfs%2FBxWVtixRRhFVR9eSHEpdCk5cBaJjJzBDAxET2aLA&qq=spyware+removal, which gave me lists of spyware removers (ironic!).
Neither of my earlier two redirects has happened:
h**p://66.230.167.104/sout.php?fc=64
h**p://vv2.i1.topx.cc/index.php?aid=20038


Regards
Paul

#27 Avohir (Visiting Staff, Visiting Consultant, 1,002 posts)
Okay, from what I can tell you have a partially cleaned smitfraud infection that is being blocked from full reinfection by your antivirus. Did you previously have a desktop hijack? I'm going to run you through the fix for smitfraud, which will hopefully clean up the remnants of it.

Please read these instructions carefully and print them out! Be sure to follow ALL instructions!

Go to Start > Control Panel > Add or Remove Programs and remove the following programs, if found:

Security IGuard
Virtual Maid
Search Maid


Exit Add/Remove Programs.

*IMPORTANT* CLICK THIS LINK TO LEARN HOW TO VIEW HIDDEN FILES

Press CTRL ALT DELETE to open Windows Task Manager. Click on the Processes tab and end the following processes:

List any files going to be deleted that are running

Exit Task Manager.

I need you to copy all of the Killbox file paths below and paste them into Notepad.

* Please download the Killbox by Option^Explicit. *In the event you already have Killbox, this is a new version that I need you to download.
Unzip it to the desktop.

* Please run Killbox.

* Select "Delete on Reboot".

* Open the Notepad file where you saved the file paths earlier and copy the file paths below to the clipboard by highlighting them and pressing CTRL + C:

C:\wp.exe
C:\wp.bmp
C:\Windows\sites.ini
C:\Windows\popuper.exe
C:\WINDOWS\System32\wldr.dll
C:\Windows\System32\helper.exe
C:\Windows\System32\intmonp.exe
C:\Windows\System32\msmsgs.exe
C:\Windows\System32\ole32vbs.exe
C:\Windows\system32\msole32.exe


* Return to Killbox, go to the File menu, and choose "Paste from Clipboard".

* Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.

If your computer does not restart automatically, please restart it manually.

While your computer is restarting, tap the F8 key continually until a menu appears. Use your up arrow key to highlight Safe Mode, then hit enter.

Make sure you can view hidden files.

Using Windows Explorer, delete the following (please do NOT try to find them by "search" because they will not show up that way)

FOLDERS to delete (in bold) if found:

C:\Program Files\Search Maid
C:\Program Files\Virtual Maid
C:\Windows\System32\Log Files
C:\Program Files\Security IGuard

Reboot into normal mode.

Open Notepad. Copy EVERYTHING in the box below and paste it into a new notepad file. Change the 'Save As Type' to "All Files" and save it as fix.reg on your desktop. Make sure there is NO blank line above REGEDIT4:

REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"NoDispAppearancePage"=-
"Wallpaper"=-
"WallpaperStyle"=-
"NoDispBackgroundPage"=-

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoActiveDesktopChanges"=-

[HKEY_CURRENT_USER\Control Panel\Desktop]
"Wallpaper"=-
"WallpaperStyle"=-

[HKEY_CURRENT_USER\Control Panel\Colors]
"Background"="0 78 152"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
"notepad.exe"=-
"notepad2.exe"=-
"winlogon.exe"=-
"paint.exe"=-

[-HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFF}]

[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Currentversion\Explorer\Browser Helper Objects\{FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFF}]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search]
"SearchAssistant"="http://ie.search.msn...t/srchasst.htm"
"CustomizeSearch"="http://ie.search.msn...t/srchcust.htm"
"Default_Search_URL"="http://www.microsoft...ie&ar=iesearch"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main]
"Default_Search_URL"="http://www.microsoft...ie&ar=iesearch"
"Search Page"="http://www.microsoft...ie&ar=iesearch"

[HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main]
"Search Page"="http://www.microsoft...ie&ar=iesearch"
"Search Bar"="http://search.msn.co...n-au/prov2.htm"

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchUrl]
""="http://home.microsof...earch.asp?p=%s"

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\main]
"Search Page"="http://www.microsoft...ie&ar=iesearch"
"Search Bar"="http://search.msn.co...om/spbasic.htm"
"Use Custom Search URL"=dword:00000000

[-HKEY_CLASSES_ROOT\CLSID\{FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFF}]

[-HKEY_CLASSES_ROOT\CLSID\VMHomepage]

[-HKEY_CLASSES_ROOT\CLSID\VMHomepage.1]

[-HKEY_CLASSES_ROOT\Interface\{1E1B2878-88FF-11D2-8D96-D7ACAC95951F}]

[-HKEY_CLASSES_ROOT\TypeLib\{1E1B286C-88FF-11D2-8D96-D7ACAC95951F}]

[-HKEY_CLASSES_ROOT\VMHomepage]

[-HKEY_CLASSES_ROOT\VMHomepage.1]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objecta]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\HTTP\Parameters\S]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\HTTP\Parameters\S]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\SharedAccess\Parameters\r]


Locate fix.reg on your desktop and double-click on it. When asked if you want to merge with the registry click YES. After you receive the prompt "merged successfully", follow the rest of the instructions below.

1.) Download the Hoster from HERE. Press "Restore Original Hosts" and press "OK". Exit the program.

2.) Right Click HERE and go to Save As in order to download DelDomains.inf to your desktop.
To use: RIGHT-CLICK DelDomains.inf and select: Install (no need to restart)
Note: This will remove all entries in the "Trusted Zone" and "Ranges" also.

3.) Download, install, and run CleanUp!

Reboot your computer

4.) Run this online virus scan: ActiveScan - Save the results from the scan!

Post a new HiJackThis log along with the results from ActiveScan
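An added check for the fix.reg above (example code of mine, not Avohir's fix and not a tool from this thread): a small Python parser for the REGEDIT4 format that lists what merging the file would delete or set, and refuses malformed lines, so a fix can be read back before it touches the registry. It only reads text and never writes to the registry; the excerpt and the deliberately broken BAD_REG line are constructed for the example.

```python
"""Review a REGEDIT4 .reg fix before merging it (read-only)."""
import re

# Constructed excerpt of the fix.reg posted above; REGEDIT4 must be line 1.
SAMPLE_REG = r"""REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"NoDispAppearancePage"=-
"Wallpaper"=-

[HKEY_CURRENT_USER\Control Panel\Colors]
"Background"="0 78 152"

[-HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFF}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\main]
"Use Custom Search URL"=dword:00000000
"""

# Constructed: a value line with the name typed twice, the kind of slip that
# creeps into hand-edited fixes. The parser refuses it rather than guessing.
BAD_REG = ('REGEDIT4\n\n[HKEY_CURRENT_USER\\Example]\n'
           '"Search Bar"="Search Bar"="http://example.invalid/"\n')

KEY_RE = re.compile(r'^\[(-?)(.+)\]$')                    # [KEY] or [-KEY]
VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")\s*=\s*(.*)$')  # "name"=data
STRING_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"$')            # a complete "string"


def parse_reg(text):
    """Return a list of (op, key, name, data) describing the merge.

    op is 'delete_key', 'delete_value', 'set_string', 'set_dword' or
    'set_other' (hex: and other types are passed through as raw text).
    Raises ValueError for a missing REGEDIT4 first line, a value outside a
    key, or a line that does not parse.
    """
    lines = text.splitlines()
    if not lines or lines[0] != 'REGEDIT4':
        raise ValueError('first line must be exactly REGEDIT4')
    ops, key = [], None
    for lineno, raw in enumerate(lines[1:], start=2):
        line = raw.strip()
        if not line or line.startswith(';'):
            continue
        m = KEY_RE.match(line)
        if m:
            minus, key = m.groups()
            if minus:                      # [-KEY] deletes the whole subtree
                ops.append(('delete_key', key, None, None))
                key = None                 # values after a deleted key are an error here
            continue
        m = VALUE_RE.match(line)
        if m is None or key is None:
            raise ValueError('line %d: cannot parse %r' % (lineno, raw))
        name, data = m.groups()
        name = '(Default)' if name == '@' else name[1:-1]
        s = STRING_RE.match(data)
        if data == '-':
            ops.append(('delete_value', key, name, None))
        elif s:
            ops.append(('set_string', key, name, s.group(1)))
        elif data.startswith('"'):         # opened a string but did not close it cleanly
            raise ValueError('line %d: malformed string value %r' % (lineno, raw))
        elif data.lower().startswith('dword:'):
            ops.append(('set_dword', key, name, int(data[6:], 16)))
        else:
            ops.append(('set_other', key, name, data))
    return ops


def is_valid_reg(text):
    """True if parse_reg accepts the file."""
    try:
        parse_reg(text)
        return True
    except ValueError:
        return False


def summarize(ops):
    """Count operations by type, e.g. {'delete_value': 2, 'delete_key': 1}."""
    counts = {}
    for op, *_ in ops:
        counts[op] = counts.get(op, 0) + 1
    return counts


if __name__ == '__main__':
    for op, key, name, data in parse_reg(SAMPLE_REG):
        where = key + ('\\' + name if name else '')
        print('%-12s %s%s' % (op, where, ' = %r' % data if data is not None else ''))
    print(summarize(parse_reg(SAMPLE_REG)))
    print('BAD_REG accepted?', is_valid_reg(BAD_REG))
```

The parser is stricter than regedit on purpose: it wants REGEDIT4 on the very first line (which is what the post above insists on) and it stops on anything it cannot classify, because a reviewer wants to know about an odd line, not have it silently skipped.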

#28 Paul_ltt (Topic Starter; Member; 22 posts)
Thanks for this. I have followed the instructions. Security IGuard/Virtual Maid and Search Maid were not found, nor were the 4 files which needed deleting (even with hidden files visible). Hoster wouldn't run - came up with an error and crashed. Otherwise all completed.

Active Scan Results:

Incident Status Location

Adware:Adware/nCase No disinfected Windows Registry
Adware:Adware/Adsmart No disinfected C:\WINDOWS\sys???.exe
Adware:Adware/IGuard No disinfected Windows Registry
Adware:Adware/Adsmart No disinfected C:\WINDOWS\SYSMON.EXE
Virus:Exploit/ByteVerify Disinfected C:\WINDOWS\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\f.jar-2415a895-72bbcb39.zip[Dummy.class]
Virus:Exploit/ByteVerify Disinfected C:\WINDOWS\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\f.jar-2415a895-72bbcb39.zip[VerifierBug.class]
Virus:Exploit/ByteVerify Disinfected C:\WINDOWS\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\f.jar-2415a895-72bbcb39.zip[BeyondInterface.class]
Virus:Exploit/ByteVerify Disinfected C:\WINDOWS\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\counter.jpg-1603b9cc-3614c7b6.zip[Counter.class]
Virus:Exploit/ByteVerify Disinfected C:\WINDOWS\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\counter.jpg-1603b9cc-3614c7b6.zip[Gummy.class]
Virus:Exploit/ByteVerify Disinfected C:\WINDOWS\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\counter.jpg-1603b9cc-3614c7b6.zip[VerifierBug.class]
Virus:Exploit/ByteVerify Disinfected C:\WINDOWS\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\counter.jpg-1603b9cc-3614c7b6.zip[Worker.class]
Virus:Exploit/ByteVerify Disinfected C:\WINDOWS\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\counter.jpg-1603b9cc-3614c7b6.zip[Xeyond.class]
Virus:Trj/Downloader.CLW Disinfected C:\WINDOWS\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\counter.jpg-1603b9cc-3614c7b6.zip[web.exe]
Virus:Exploit/ByteVerify Disinfected C:\WINDOWS\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-7c332598-3add1d23.zip[GetAccess.class]
Virus:Exploit/ByteVerify Disinfected C:\WINDOWS\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-7c332598-3add1d23.zip[InsecureClassLoader.class]
Virus:Exploit/ByteVerify Disinfected C:\WINDOWS\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-7c332598-3add1d23.zip[Dummy.class]
Virus:Exploit/ByteVerify Disinfected C:\WINDOWS\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-7c332598-3add1d23.zip[Installer.class]
Virus:Exploit/ByteVerify Disinfected C:\WINDOWS\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-7212630b-6c78827d.zip[BlackBox.class]
Virus:Exploit/ByteVerify Disinfected C:\WINDOWS\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-7212630b-6c78827d.zip[VerifierBug.class]
Virus:Exploit/ByteVerify Disinfected C:\WINDOWS\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-7212630b-6c78827d.zip[Dummy.class]
Virus:Exploit/ByteVerify Disinfected C:\WINDOWS\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-7212630b-6c78827d.zip[Beyond.class]
Virus:Exploit/ByteVerify Disinfected C:\WINDOWS\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\counter.jpg-1603b9cc-74f03983.zip[Counter.class]
Virus:Exploit/ByteVerify Disinfected C:\WINDOWS\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\counter.jpg-1603b9cc-74f03983.zip[Gummy.class]
Virus:Exploit/ByteVerify Disinfected C:\WINDOWS\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\counter.jpg-1603b9cc-74f03983.zip[VerifierBug.class]
Virus:Exploit/ByteVerify Disinfected C:\WINDOWS\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\counter.jpg-1603b9cc-74f03983.zip[Worker.class]
Virus:Exploit/ByteVerify Disinfected C:\WINDOWS\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\counter.jpg-1603b9cc-74f03983.zip[Xeyond.class]
Virus:Trj/Downloader.CLW Disinfected C:\WINDOWS\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\counter.jpg-1603b9cc-74f03983.zip[web.exe]
Virus:Exploit/ByteVerify Disinfected C:\WINDOWS\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\arr3.jar-2e1a2a0e-6c1a1f99.zip[Gummy.class]
Virus:Exploit/ByteVerify Disinfected C:\WINDOWS\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\arr3.jar-2e1a2a0e-6c1a1f99.zip[Counter.class]
Virus:Exploit/ByteVerify Disinfected C:\WINDOWS\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\arr3.jar-2e1a2a0e-6c1a1f99.zip[VerifierBug.class]
Virus:Exploit/ByteVerify Disinfected C:\WINDOWS\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\counter.jpg-1603b9cc-6299a9bb.zip[Counter.class]
Virus:Exploit/ByteVerify Disinfected C:\WINDOWS\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\counter.jpg-1603b9cc-6299a9bb.zip[Gummy.class]
Virus:Exploit/ByteVerify Disinfected C:\WINDOWS\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\counter.jpg-1603b9cc-6299a9bb.zip[VerifierBug.class]
Virus:Exploit/ByteVerify Disinfected C:\WINDOWS\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\counter.jpg-1603b9cc-6299a9bb.zip[Worker.class]
Virus:Exploit/ByteVerify Disinfected C:\WINDOWS\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\counter.jpg-1603b9cc-6299a9bb.zip[Xeyond.class]
Virus:Trj/Downloader.CLW Disinfected C:\WINDOWS\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\counter.jpg-1603b9cc-6299a9bb.zip[web.exe]
Virus:Exploit/ByteVerify Disinfected C:\WINDOWS\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\counter.jpg-1603b9cc-3cdde16c.zip[Counter.class]
Virus:Exploit/ByteVerify Disinfected C:\WINDOWS\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\counter.jpg-1603b9cc-3cdde16c.zip[Gummy.class]
Virus:Exploit/ByteVerify Disinfected C:\WINDOWS\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\counter.jpg-1603b9cc-3cdde16c.zip[VerifierBug.class]
Virus:Exploit/ByteVerify Disinfected C:\WINDOWS\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\counter.jpg-1603b9cc-3cdde16c.zip[Worker.class]
Virus:Exploit/ByteVerify Disinfected C:\WINDOWS\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\counter.jpg-1603b9cc-3cdde16c.zip[Xeyond.class]
Virus:Trj/Downloader.CLW Disinfected C:\WINDOWS\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\counter.jpg-1603b9cc-3cdde16c.zip[web.exe]
Virus:Exploit/ByteVerify Disinfected C:\WINDOWS\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\arr3.jar-461d19eb-607c7118.zip[Gummy.class]
Virus:Exploit/ByteVerify Disinfected C:\WINDOWS\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\arr3.jar-461d19eb-607c7118.zip[Counter.class]
Virus:Exploit/ByteVerify Disinfected C:\WINDOWS\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\arr3.jar-461d19eb-607c7118.zip[VerifierBug.class]
Virus:Exploit/ByteVerify Disinfected C:\WINDOWS\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\Dummy.class-774d507d-6c47ac08.class
Virus:Trj/Small.P Disinfected C:\WINDOWS\hosts.sam
Virus:Eicar.Mod No disinfected C:\Program Files\PestPatrol\Help.chm[HowCanITestDetection.html]

HijackThis Results
Logfile of HijackThis v1.99.1
Scan saved at 23:07:05, on 05/21/2005
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\E_S10IC2.EXE
C:\PROGRAM FILES\AHEAD\INCD\INCD.EXE
C:\PROGRAM FILES\PESTPATROL\PPCONTROL.EXE
C:\PROGRAM FILES\PESTPATROL\PPMEMCHECK.EXE
C:\PROGRAM FILES\PESTPATROL\COOKIEPATROL.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\PROGRAM FILES\SPAMIHILATOR\SPAMIHILATOR.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\OSA.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\FINDFAST.EXE
C:\COREL\GRAPHICS8\PROGRAMS\MFINDEXER.EXE
C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\OUTLOOK EXPRESS\MSIMN.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\PROGRAM FILES\SPYWARECONTROL\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer,Search = www.google.com
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = www.google.com
R1 - HKLM\Software\Microsoft\Internet Explorer,Search = www.google.co.uk
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.ltt.org.uk
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.ltt.org.uk
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.ozcomputers.net/home
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.co.uk
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = www.google.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = www.google.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by OZ Computers
O2 - BHO: CCHelper Class - {0CF0B8EE-6596-11D5-A98E-0003470BB48E} - C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER\CCHELPER.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\SpywareControl\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: Pa&nicware Pop-Up Stopper - {7E82235C-F31E-46CB-AF9F-1ADD94C585FF} - C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER\PSTOPPER.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Atikey] Atitask.exe
O4 - HKLM\..\Run: [AtiCwd32] Aticwd32.exe
O4 - HKLM\..\Run: [Matrox Control Center] C:\Program Files\Matrox MGA PowerDesk\mgactrl.exe
O4 - HKLM\..\Run: [Matrox Color Control] C:\Program Files\Matrox MGA PowerDesk\Color\hgcctl95.exe
O4 - HKLM\..\Run: [Matrox Diagnostic] C:\Program Files\Matrox MGA PowerDesk\diag\mgadiag.exe -s
O4 - HKLM\..\Run: [EPSON Stylus C42 Series] C:\WINDOWS\SYSTEM\E_S10IC2.EXE /P23 "EPSON Stylus C42 Series" /O5 "LPT1:" /M "Stylus C42"
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [PestPatrol Control Center] C:\Program Files\PestPatrol\PPControl.exe
O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
O4 - HKCU\..\Run: [Matrox QuickDesk] C:\Program Files\Matrox MGA PowerDesk\QDesk\mgaqdesk.exe
O4 - HKCU\..\Run: [Spamihilator] "C:\Program Files\Spamihilator\spamihilator.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRAM FILES\YAHOO!\MESSENGER\ypager.exe -quiet
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Startup: Corel MEDIA FOLDERS INDEXER 8.LNK = C:\Corel\Graphics8\Programs\MFIndexer.exe
O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O14 - IERESET.INF: START_PAGE_URL=http://www.ozcomputers.net/home
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab

Regards
Paul
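To compare the log above with an earlier one the way the consultant does, here is an added Python example (mine, not a HijackThis feature and not from this thread): a parser for HijackThis log lines plus a diff of the entries between two logs. The two excerpts are built from lines in this thread; the ExampleAutorun entry is a constructed placeholder and was not in Paul's earlier log.

```python
"""Parse HijackThis logs and diff two of them.

HijackThis writes one entry per line with a section code (R0-R3 for IE
start/search pages, O2 for BHOs, O4 for autoruns, O6 for IE policy
restrictions, O16 for downloaded ActiveX, and so on).
"""
import re

HEADER_RE = re.compile(r'^Logfile of HijackThis v(\S+)$')
SCAN_RE = re.compile(r'^Scan saved at (.+), on (.+)$')
ENTRY_RE = re.compile(r'^([RFNO]\d{1,2}) - (.*)$')
CLSID_RE = re.compile(r'\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}')

# Constructed excerpt standing in for the earlier log; ExampleAutorun is a placeholder.
OLD_LOG = r"""Logfile of HijackThis v1.99.1
Scan saved at 19:33:48, on 05/03/2005
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\EXPLORER.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.ltt.org.uk
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\SpywareControl\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [ExampleAutorun] C:\WINDOWS\SYSTEM\EXAMPLE.EXE
"""

# Constructed excerpt of the log posted above.
NEW_LOG = r"""Logfile of HijackThis v1.99.1
Scan saved at 23:07:05, on 05/21/2005
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\SPYWARECONTROL\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.ltt.org.uk
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\SpywareControl\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
"""


def target(detail):
    """Best-effort: the file, URL or value an entry points at."""
    if '] ' in detail:                 # O4: HKLM\..\Run: [Name] C:\path\prog.exe args
        return detail.split('] ', 1)[1]
    if ' = ' in detail:                # R0/R1 and Startup .lnk entries: key = data
        return detail.split(' = ', 1)[1]
    if ' - ' in detail:                # O2/O3/O9/O16: desc - {CLSID} - path or URL
        return detail.split(' - ', 2)[-1]   # at most two splits: paths may contain " - "
    return detail                      # O6 and similar: the text is the finding


def parse_hjt(text):
    """Return {'version', 'scan_time', 'scan_date', 'processes', 'entries'}."""
    log = {'version': None, 'scan_time': None, 'scan_date': None,
           'processes': [], 'entries': []}
    in_processes = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            in_processes = False       # a blank line ends the process list
            continue
        m = HEADER_RE.match(line)
        if m:
            log['version'] = m.group(1)
            continue
        m = SCAN_RE.match(line)
        if m:
            log['scan_time'], log['scan_date'] = m.groups()
            continue
        if line == 'Running processes:':
            in_processes = True
            continue
        m = ENTRY_RE.match(line)
        if m:
            code, detail = m.groups()
            c = CLSID_RE.search(detail)
            log['entries'].append({'code': code, 'detail': detail,
                                   'clsid': c.group(0).upper() if c else None,
                                   'target': target(detail)})
        elif in_processes:
            log['processes'].append(line)
    return log


def by_code(log):
    """Group entries by section code, e.g. {'O4': [...], 'O6': [...]}."""
    groups = {}
    for e in log['entries']:
        groups.setdefault(e['code'], []).append(e)
    return groups


def diff_logs(old_text, new_text):
    """(entries only in the new log, entries only in the old log), as (code, detail)."""
    def keys(text):
        return {(e['code'], ' '.join(e['detail'].split()))
                for e in parse_hjt(text)['entries']}
    old, new = keys(old_text), keys(new_text)
    return sorted(new - old), sorted(old - new)


if __name__ == '__main__':
    added, removed = diff_logs(OLD_LOG, NEW_LOG)
    print('new since earlier log:')
    for code, detail in added:
        print('  +', code, detail)
    print('gone since earlier log:')
    for code, detail in removed:
        print('  -', code, detail)
```

Whitespace is collapsed before comparing so a re-pasted log with different spacing does not show up as a change, and the two O6 lines (IE restriction policies, the same area the fix.reg above touches) come out as "new" when run on these excerpts.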

#29 Avohir (Visiting Staff; Visiting Consultant; 1,002 posts)
Since your log continues to appear as clean, could you please tell me if you're having problems still?

#30 Paul_ltt (Topic Starter; Member; 22 posts)
Yes, unfortunately I am still having some problems.
Two out of three recent logins have found viruses in AVG.

1) Virus - "Java/Byte Verify"
Path: C:\WINDOWS\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\
File: IN_S.CLASS-678329EC-463887C4.CLASS

2) Trojan Horse Startpage.19.AN
Path C:\windows\system
File AGA.DLL

Regards
Paul