[Referred]Ad-aware log. [RESOLVED]


  • This topic is locked

#31
Avohir

    Visiting Staff

  • Visiting Consultant
  • 1,002 posts
Okay, let's hit this with something a little stronger.

I'd like you to use the Kaspersky online scan found here: http://www.kaspersky...oduct=161744315

It has a VERY long scan time; however, it is one of the most thorough anti-virus engines available. Please report back with the state of your problems after you've finished with that.
  • 0



#32
Paul_ltt

    Member

  • Topic Starter
  • 22 posts
Thanks for this. I let it run overnight; it found 7 items (below) and I have deleted them. I will post again soon once I have had time to assess if the problems have ceased.

Regards
Paul

File Name | Virus Name
c:\WINDOWS\SYSTEM\ActiveScan\imscan.dll | Virus.D...ronia.2538
c:\WINDOWS\Application Data\Sun\J...v1.0\jar\f.jar-2415a895-72bbcb39.zip | Trojan....ssLoader.o
c:\WINDOWS\Application Data\Sun\J...0\jar\arr3.jar-2e1a2a0e-6c1a1f99.zip | Trojan....ssLoader.k
c:\WINDOWS\Application Data\Sun\J...0\jar\arr3.jar-461d19eb-607c7118.zip | Trojan....ssLoader.k
c:\WINDOWS\Application Data\Sun\J...\Dummy.class-32efa63f-2d6a5545.class | Trojan.Java.Nocheat
c:\WINDOWS\Application Data\Sun\J...\Dummy.class-774d507d-6b3d4385.class | Trojan.Java.Nocheat
c:\best.exe | Trojan-...32.Donn.aa
c:\hol903387.exe | Trojan-....Dyfuca.av
  • 0

#33
Paul_ltt

    Member

  • Topic Starter
  • 22 posts
Just been back on line after a few days away. Sadly problems still abate. Browser keeps redirecting to h**p://66.230.167.104/sout.php?fc=64 and I've had Startpage.19.AN viruses, plus a "java byte verify" virus with Sun Java as before.

Thanks for all your help, but have you any more ideas?

Regards
Paul
  • 0

#34
Avohir

    Visiting Staff

  • Visiting Consultant
  • 1,002 posts
Well, this is perplexing. Allow me to consult with some experts, and get back to you.
  • 0

#35
Avohir

    Visiting Staff

  • Visiting Consultant
  • 1,002 posts
I'm very sorry for the long delay; this log slipped through the cracks somehow.

If you're still there, could you post a fresh HijackThis log?
  • 0

#36
Paul_ltt

    Member

  • Topic Starter
  • 22 posts
Hello Avohir,
I have still been having problems but living with them. However, yesterday I searched this forum and found this message.

http://www.geekstogo...19j-t30600.html

It suggested http://www.derbilk.de/SpSeHjfix112.zip which I used. The log is below. Touch wood this seems to have helped. Last night I had no rogue redirections to dodgy websites nor did AVG pop up with a C:\windows\system\?.dll file. I have had it reappear after a day or so before but my fingers are crossed now!

Regards
Paul

SpseHjfix log

(6/19/05 12:51:31) SPSeHjFix started v1.1.2
(6/19/05 12:51:31) OS: Win98SE A (4.10.2222)
(6/19/05 12:51:31) Language: english
(6/19/05 12:51:31) Win-Path: C:\WINDOWS
(6/19/05 12:51:31) System-Path: C:\WINDOWS\SYSTEM
(6/19/05 12:51:31) Temp-Path: C:\WINDOWS\TEMP\
(6/19/05 12:51:40) Disinfection started
(6/19/05 12:51:40) Bad-Dll(IEP): (not found)
(6/19/05 12:51:40) Bad-Dll(IEP) in BHO: (not found)
(6/19/05 12:51:40) UBF: 4 - UBB: 1 - UBR: 24
(6/19/05 12:51:40) UBF: 4 - UBB: 1 - UBR: 24
(6/19/05 12:51:40) Bad IE-pages:
deleted: HKCU\Software\Microsoft\Internet Explorer\Main, Default_Search_URL:

(6/19/05 12:51:40) Stealth-String found: C:\WINDOWS\SCHEDLIG.TXT
(6/19/05 12:51:40) File added to delete: c:\windows\schedlig.txt
(6/19/05 12:51:40) Reboot
(6/19/05 12:53:27) SPSeHjFix 2nd Step
(6/19/05 12:53:27) Stealth-String not present. Disinfection succesfully
(6/19/05 12:53:30) Cleaned

My current HJT Log is:


Logfile of HijackThis v1.99.1
Scan saved at 22:29:59, on 06/20/2005
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\E_S10IC2.EXE
C:\PROGRAM FILES\AHEAD\INCD\INCD.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\PESTPATROL\PPCONTROL.EXE
C:\PROGRAM FILES\PESTPATROL\PPMEMCHECK.EXE
C:\PROGRAM FILES\PESTPATROL\COOKIEPATROL.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\PROGRAM FILES\SPAMIHILATOR\SPAMIHILATOR.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\OSA.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\FINDFAST.EXE
C:\COREL\GRAPHICS8\PROGRAMS\MFINDEXER.EXE
C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\OUTLOOK EXPRESS\MSIMN.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\PROGRAM FILES\ACCESSORIES\WORDPAD.EXE
C:\PROGRAM FILES\SPYWARECONTROL\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer,Search = www.google.com
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = www.google.com
R1 - HKLM\Software\Microsoft\Internet Explorer,Search = www.google.co.uk
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.ltt.org.uk
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.ltt.org.uk
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.ozcomputers.net/home
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.co.uk
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = www.google.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = www.google.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by OZ Computers
O2 - BHO: CCHelper Class - {0CF0B8EE-6596-11D5-A98E-0003470BB48E} - C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER\CCHELPER.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\SpywareControl\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: Pa&nicware Pop-Up Stopper - {7E82235C-F31E-46CB-AF9F-1ADD94C585FF} - C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER\PSTOPPER.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Atikey] Atitask.exe
O4 - HKLM\..\Run: [AtiCwd32] Aticwd32.exe
O4 - HKLM\..\Run: [Matrox Control Center] C:\Program Files\Matrox MGA PowerDesk\mgactrl.exe
O4 - HKLM\..\Run: [Matrox Color Control] C:\Program Files\Matrox MGA PowerDesk\Color\hgcctl95.exe
O4 - HKLM\..\Run: [Matrox Diagnostic] C:\Program Files\Matrox MGA PowerDesk\diag\mgadiag.exe -s
O4 - HKLM\..\Run: [EPSON Stylus C42 Series] C:\WINDOWS\SYSTEM\E_S10IC2.EXE /P23 "EPSON Stylus C42 Series" /O5 "LPT1:" /M "Stylus C42"
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [PestPatrol Control Center] C:\Program Files\PestPatrol\PPControl.exe
O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
O4 - HKCU\..\Run: [Matrox QuickDesk] C:\Program Files\Matrox MGA PowerDesk\QDesk\mgaqdesk.exe
O4 - HKCU\..\Run: [Spamihilator] "C:\Program Files\Spamihilator\spamihilator.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRAM FILES\YAHOO!\MESSENGER\ypager.exe -quiet
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Startup: Corel MEDIA FOLDERS INDEXER 8.LNK = C:\Corel\Graphics8\Programs\MFIndexer.exe
O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O14 - IERESET.INF: START_PAGE_URL=http://www.ozcomputers.net/home
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.../kavwebscan.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (ASquaredScanForm Element) - http://www.windowsec...scan/axscan.cab
  • 0

#37
Avohir

    Visiting Staff

  • Visiting Consultant
  • 1,002 posts
I apologize for the delay; real-world obligations kept me busy for a little while unexpectedly. If you still need help, could you please post a fresh HijackThis log?
  • 0

#38
Paul_ltt

    Member

  • Topic Starter
  • 22 posts
Everything seems back to normal now, with several days safe running.

Thanks very much for your assistance.

Regards
Paul
  • 0

#39
Avohir

    Visiting Staff

  • Visiting Consultant
  • 1,002 posts
Here are some tips to reduce the potential for spyware infection in the future. I strongly recommend installing the following applications:

Detect and Remove Programs:
  • How to use Ad-Aware to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Ad-Aware.
  • How to use Spybot to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Spybot. Similar to Ad-Aware, I strongly recommend both to catch most spyware.
Prevention Programs:
  • Spywareblaster <= SpywareBlaster will prevent spyware from being installed.
  • Spywareguard <= SpywareGuard offers realtime protection from spyware installation attempts.
  • IE/Spyad <= IE/Spyad places over 4000 websites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.
  • MVPS Hosts file <= The MVPS Hosts file replaces your current HOSTS file with one containing well-known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer.
  • Google Toolbar <= Get the free google toolbar to help stop pop up windows.
Other necessary Programs:
  • AntiVirus Program <= An AntiVirus program is a must! Whether it is a free version like AVG or Anti-Vir, or a shareware version like Norton or Kaspersky, this is a must have.
  • Firewall <= A firewall is definitely a must have. Two good free versions are Sygate and ZoneLabs.
  • More Secure Browser<= Internet Explorer is not the most secure and best browser. There are safer and better alternatives available. I recommend Firefox, however Opera and SlimBrowsers are good as well.
And also see TonyKlein's good advice, "So how did I get infected in the first place?", and AntiSpyware Net's spyware article: "Spyware, Adware, Malware: What it is, how it got on my computer, how to get rid of it, and how to prevent it."
  • 0

#40
Avohir

    Visiting Staff

  • Visiting Consultant
  • 1,002 posts
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :tazz:

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
  • 0
