Infected at work, please help...[RESOLVED]

#31 fuzzyduck34 (Member, Topic Starter)

What a nightmare, the bloody online scan crashed overnight, so I had to restart etc. Been messing about all morning; I think things are almost there, but I think there is a dodgy O16 line in my HijackThis log.

Logfile of HijackThis v1.99.1
Scan saved at 14:55:02, on 19/05/05
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\TEMP\ICSUPP95.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\ATICWD32.EXE
C:\WINDOWS\STARTER.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\SOPHOS SWEEP\ICMON.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\KERRIDGE\KCML\KCLIENT.EXE
C:\WINDOWS\EXPLORER.EXE
C:\Microcat\microcat.exe
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\UNZIPPED\HIJACKTHIS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bbc.co.uk/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by BT Internet
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://*.warley.fordstar.com:
https://*.warley.fordstar.com
;<local>
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\PROGRAM FILES\SPYWAREGUARD\DLPROTECT.DLL
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.ExE
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [AtiCwd32] Aticwd32.exe
O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [InterCheckMonitor] "C:\PROGRAM FILES\SOPHOS SWEEP\ICMON.EXE" -minimised
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\RunServices: [Sweep95] C:\Program Files\Sophos SWEEP\ICLOAD95.EXE
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Startup: EPSON Background Monitor.lnk = C:\ESM2\Stms.exe
O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone
O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone (HKLM)
O16 - DPF: {494b8c10-bdb5-11d1-8373-00a0c901b28c} (KClient.ActiveX.1) -
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.../kavwebscan.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = UUK00331
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer =


Rgds

Mark

#32 Metallica (Spyware Veteran, GeekU Moderator)

The O16 is from the online scan, so it won't take so long to get started next time.

Apart from these two:
O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone
O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone (HKLM)

your log looks good now.

DellDomains.inf should take care of those.

Regards,

#33 fuzzyduck34 (Member, Topic Starter)

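As an added detection example, not code from the thread or from HijackThis: a small Python parser for HijackThis-format log lines that flags the O15 ProtocolDefaults zone mismatches Metallica points out. The sample lines are constructed from the log posted above; treating an O15 line without the "(HKLM)" tag as the per-user (HKCU) entry is my assumption.

```python
import re

# Constructed sample in the shape of the HijackThis log posted above.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone
O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone (HKLM)
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.../kavwebscan.cab
"""

# Every HijackThis finding line starts with a section code (R0, R1, O2, O4, O15, ...).
LINE_RE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.*)$")

# Shape of an O15 ProtocolDefaults finding: which protocol, which zone it is in,
# which zone HijackThis expects, and an optional (HKLM) tag for the machine-wide entry.
O15_RE = re.compile(
    r"ProtocolDefaults: '(?P<proto>\w+)' protocol is in (?P<actual>.+?) Zone, "
    r"should be (?P<expected>.+?) Zone(?: \((?P<hive>HKLM)\))?$"
)


def parse_entries(log_text):
    """Split a HijackThis log into (section, body) tuples, skipping header and process list."""
    entries = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append((m.group("sec"), m.group("body")))
    return entries


def find_zone_mismatches(log_text):
    """Return O15 ProtocolDefaults findings where a protocol sits in the wrong security zone.

    A protocol defaulting to the Trusted Zone means pages fetched over it get the
    relaxed Trusted-sites settings instead of the Internet Zone restrictions.
    """
    findings = []
    for sec, body in parse_entries(log_text):
        if sec != "O15":
            continue
        m = O15_RE.match(body)
        if not m or m.group("actual") == m.group("expected"):
            continue
        findings.append({
            "protocol": m.group("proto"),
            "actual_zone": m.group("actual"),
            "expected_zone": m.group("expected"),
            # Assumption: HijackThis tags only the machine-wide entry; the untagged one is per-user.
            "hive": m.group("hive") or "HKCU",
        })
    return findings
```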
Can't fault you, I will keep my fingers crossed.

Many thanks

Mark

#34 Metallica (Spyware Veteran, GeekU Moderator)

I'll keep this thread open for a while.
Let me know how the computer has been behaving tomorrow. OK?

Regards,

#35 fuzzyduck34 (Member, Topic Starter)

Will do, thanks :tazz:

#36 fuzzyduck34 (Member, Topic Starter)

Hey there, it's been a weird day! Got back onto my PC this morning, lo and behold the problems started up again, trusted sites, toolbar etc. I was slowly losing patience and tempted to put my foot through the tower ;)

Anyway I managed to get an online scan done, it detected quite a few viruses and infected files. I deleted what it found and restarted my computer, everything was great until it went to run to my desktop and a warning popped up with the message "Explorer.exe" missing, re-install Windows :) After a momentary panic I copied the file off a colleague's PC onto a floppy and used my floppy rescue disc to boot up into DOS. From there I copied the file from floppy back to my c:\windows directory. Booted up the PC and magically it worked !! :)

Did my usual HijackThis log, which was clean, and then my suspect AVG scan, which returned clean and no viruses were found :)

My suspicion is that the explorer.exe was infected and in turn it was running the trojan from every boot up and somehow the virus software etc couldn't delete it. I know I'm probably talking crap 'cos I don't know much about this, but hey it makes sense to me, sort of ;)

Anyhow everything has been clean since then, so I've shut down for the weekend and I'm quite confident that it will be OK on Monday! I've got an FA Cup final to go to and a [bleep] virus wasn't gonna spoil my weekend!

Anyway, thanks for all the support and advice you've given me and fingers crossed now everything is sorted.

Thanks again.

Mark :tazz:

#37 Metallica (Spyware Veteran, GeekU Moderator)

Well if explorer.exe was infected or replaced with a Trojan-downloader that would account for a lot of the problems you had.

Can you look back in the logs and see what exactly the online scan removed and how it was named?

Regards,

#38 fuzzyduck34 (Member, Topic Starter)

No probs, I will get it sorted Monday.

rgds

#39 Metallica (Spyware Veteran, GeekU Moderator)

Thanks. Have a nice weekend. :tazz:

#40 fuzzyduck34 (Member, Topic Starter)

Hi there, hope you had a good weekend.

The logfile of my virus scan, I must have got rid of it accidentally, I do apologise. As it is though my system seems to be running stable with no problems. I just hope it stays this way.

#41 Metallica (Spyware Veteran, GeekU Moderator)

Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :tazz:

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.