[fuzzyduck34]

What a nightmare, the bloody online scan crashed overnight, so I had to restart etc, been messing about all morning, i think things are almost there, but i think there is a dodgy 016 line in my hijack.

Logfile of HijackThis v1.99.1
Scan saved at 14:55:02, on 19/05/05
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\TEMP\ICSUPP95.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\ATICWD32.EXE
C:\WINDOWS\STARTER.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\SOPHOS SWEEP\ICMON.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\KERRIDGE\KCML\KCLIENT.EXE
C:\WINDOWS\EXPLORER.EXE
C:\Microcat\microcat.exe
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\UNZIPPED\HIJACKTHIS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bbc.co.uk/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by BT Internet
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://*.warley.fordstar.com:
https://*.warley.fordstar.com
;<local>
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\PROGRAM FILES\SPYWAREGUARD\DLPROTECT.DLL
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.ExE
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [AtiCwd32] Aticwd32.exe
O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [InterCheckMonitor] "C:\PROGRAM FILES\SOPHOS SWEEP\ICMON.EXE" -minimised
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\RunServices: [Sweep95] C:\Program Files\Sophos SWEEP\ICLOAD95.EXE
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Startup: EPSON Background Monitor.lnk = C:\ESM2\Stms.exe
O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone
O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone (HKLM)
O16 - DPF: {494b8c10-bdb5-11d1-8373-00a0c901b28c} (KClient.ActiveX.1) -
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.../kavwebscan.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = UUK00331
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer =


Rgds

Mark

[Advertisements]

The O16 is from the online scan, so it won't take so long to get started next time.

Apart from these two:
O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone
O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone (HKLM)

your log looks good now.

DellDomains.inf should take care of those.

Regards,

[Metallica]

The O16 is from the online scan, so it won't take so long to get started next time.

Apart from these two:
O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone
O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone (HKLM)

your log looks good now.

DellDomains.inf should take care of those.

Regards,

[fuzzyduck34]

Can't fault u, I will keep my fingers crossed.

Many thanks

Mark

[Metallica]

I'll keep this thread open for a while.
Let me know how the computer has been behaving tomorrow. OK?

Regards,

[fuzzyduck34]

Will do, thanks

[fuzzyduck34]

Hey there, Its been a wierd day ! Got back on to my pc this morning, low and behold the problems started up again, tursted sites, toolbar etc, I was slowly loosing patience and tempted to put my foot through the tower

Anyway I managed to get an online scan done, it detected quite a few viruses and infected files. I deleted what it found and re-started my computer, everything was great untill it went to run to my desktop and a warning popped up with the message "Explorer.exe" missing, re-install windows After a momentary panic I copied the file off a colleagues pc onto a floppy and used my floppy rescue disc to boot up into dos. From there I copied the file from floppy back to my c:\windows directory. Booted up the pc and magically it worked !!

Done my usual hijack log, which was clean and then my suspect AVG scan, which returned clean and no viruses were found

My suspicion is that the explorer.exe was infected and in turn it was running the trojan from every boot up and somehow the virus software etc couldnt delete it. I know im probably talking crap cos I don't know much about this, but hey it makes sense to me, sort of

Anyhow everything has been clean since then, so ive shut down for the weekend and im quite confident that it will b ok on monday ! Ive got an FA cup final to goto and a [bleep] virus wasn't gonna spoil my weekend !

Anyway, thanks for all the support and advice uve given me and fingers crosed now everything is sorted.

Thanks again.

Mark

[Metallica]

Well if explorer.exe was infected or replaced with a Trojan-downloader that would account for a lot of the problems you had.

Can you look back in the logs and see what exactly the online scan removed and how it was named?

Regards,

[fuzzyduck34]

No probs, I will get it sorted Monday.

rgds

[Metallica]

Thanks. Have a nice weekend.

[fuzzyduck34]

Hi there, hope u had a good weekend.

The logfile of my virus scan, I must of got rid of it accidently, I do apologise. As it is though my system seems to be running stable with no problems. I just hope it stays this way.

[Metallica]

Since this issue appears to be resolved ... this Topic has been closed. Glad we could help.

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.