winsterHJK v.2011


#1
flyrod1000 (Member, 16 posts)
I'm new to GTG and am preparing to do battle with a winsterHJK v.2011 infection. I run a P3/333 on Win 98 and have read the "Read First Time" malware suggestions, and I have some questions as I proceed through the suggested steps. I have AVG and Ad-Aware free editions, both updated, run frequently and reporting no viruses or spyware. My questions are:
#1 Do you suggest I also download and run Spybot S&D?
#2 I intend to run Trend and/or Panda. Do you suggest both?
#3 You advise against more than one antivirus program but tout TDS3 for Trojans. Could I run this with no conflict from AVG?
#4 I keep my MSCONFIG startup lean and limited to recognized articles and disable anything new that shows up. When/if prompted to post my msconfig on HijackThis, it suggests re-enabling files. Would this include the strange files I have disabled? I've read another post on a similar topic by Tristan, where he was advised to locate and delete 3 DLLs from Windows System files. Should I do likewise?
  • 0

#2
flyrod1000 (Topic Starter, Member, 16 posts)
I have had no reply to my original post #127154 regarding infection of winsterHJK v.2011. I followed all (combined) steps for other similar posts and have, I believe, defeated the infection, but I would appreciate a tech review of my HJT log. I have run CWShredder, Killbox, TDS3, Cleanup 4.0, Spybot S&D, Ad-Aware Free, AVG Free, Trend Online and Panda Online. AVG shows nothing, Trend shows 2 entries and Panda shows 13 entries (10 tied to Adware install). I've had no recurring episodes, but I would like a HJT review to make sure there are no time-bombs lurking.
Thank you.
Flyrod

Logfile of HijackThis v1.99.1
Scan saved at 8:50:19 AM, on 5/19/05
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v5.00 (5.00.2314.1000)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\CITRIX\GOTOMYPC\G2SVC.EXE
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\CITRIX\GOTOMYPC\G2COMM.EXE
C:\PROGRAM FILES\CITRIX\GOTOMYPC\G2PRE.EXE
C:\PROGRAM FILES\CITRIX\GOTOMYPC\G2TRAY.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\ptsnoop.exe
C:\WINDOWS\SYSTEM\USBMONIT.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\PROGRAM FILES\TERMINATOR32\TERMIN~2.EXE
C:\PROGRAM FILES\AMERICA ONLINE 7.0\WAOL.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\PROGRAM FILES\NOTEPAD.EXE
C:\MY DOCUMENTS\SPYWARE\DOWNLOADED PROGRAMS\HIJACKTHIS.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\WINWORD.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/spage.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R3 - Default URLSearchHook is missing
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: Class - {FD25AD19-D6F8-C138-8DFA-A51830DD9D78} - C:\WINDOWS\CRDE32.DLL (file missing)
O2 - BHO: (no name) - {FFF5092F-7172-4018-827B-FA5868FB0478} - (no file)
O2 - BHO: (no name) - {0B362164-20AE-4C8E-803D-7B1BDB0275D3} - C:\WINDOWS\SYSTEM\OPKF.DLL
O2 - BHO: Loader Class - {2E246FAE-8420-11D9-870D-000C2917DE7F} - C:\WINDOWS\SYSTEM\Loader.dll
O2 - BHO: (no name) - {8717A955-2A89-002E-CCED-66EDFEA67AA1} - C:\WINDOWS\SYSTEM\CXNY.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\WINDOWS\Desktop\Cleanup War\Downloaded Programs\Spybot - Search & Destroy\SDHelper.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
O4 - HKLM\..\Run: [PTSNOOP] ptsnoop.exe
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [Gene USB Monitor] C:\WINDOWS\SYSTEM\USBMonit.exe
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\Run: [GoToMyPC] C:\PROGRAM FILES\CITRIX\GOTOMYPC\G2SVC.EXE -logon
O4 - HKLM\..\Run: [Startup] WinlogonStartup
O4 - HKLM\..\Run: [sre] rundll32.exe sre.dll,Register
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [GoToMyPC] C:\PROGRAM FILES\CITRIX\GOTOMYPC\G2SVC.EXE -service
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\WINDOWS\Desktop\Cleanup War\Downloaded Programs\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\RunServices: [wupd] C:\WINDOWS\SYSTEM\win32.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O12 - Plugin for .asp: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
O14 - IERESET.INF: SEARCH_PAGE_URL=http://home.microsoft.com/access/allinone.asp
O14 - IERESET.INF: START_PAGE_URL=http://www.aol.com
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.awmdabest.com (HKLM)
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O15 - Trusted Zone: *.windupdates.com (HKLM)
O15 - Trusted Zone: *.skoobidoo.com (HKLM)
O15 - Trusted Zone: *.crazywinnings.com (HKLM)
O15 - Trusted Zone: *.iframedollars.biz (HKLM)
O15 - Trusted Zone: *.slotchbar.com (HKLM)
O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone
O15 - ProtocolDefaults: 'https' protocol is in Trusted Zone, should be Internet Zone
O15 - ProtocolDefaults: 'https' protocol is in Trusted Zone, should be Internet Zone (HKLM)
O16 - DPF: {22D6F312-B0F6-11D0-94AB-0080C74C7E95} (Windows Media Player) - http://activex.micro...en/nsmp2inf.cab
O16 - DPF: {0C568603-D79D-11D2-87A7-00C04FF158BB} (BrowseFolderPopup Class) - http://download.mcaf...ed/MGBrwFld.cab
O16 - DPF: {D702FBF4-EE60-11D0-BD5B-00A0C91F4635} (CFForm Runtime) - https://www.tgfoitwo...sses/CFJava.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O21 - SSODL: eplrr - {AAA66FA9-117C-4B37-A2F1-DA5F30EBCFD9} - C:\WINDOWS\SYSTEM\eplrr0.dll (file missing)
  • 0

#3
Metallica (Spyware Veteran, GeekU Moderator, 31,674 posts)
There are a few very big timebombs lurking


Check the following items in HijackThis.
Close all windows except HijackThis and click Fix checked:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/spage.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R3 - Default URLSearchHook is missing

O2 - BHO: Class - {FD25AD19-D6F8-C138-8DFA-A51830DD9D78} - C:\WINDOWS\CRDE32.DLL (file missing)
O2 - BHO: (no name) - {FFF5092F-7172-4018-827B-FA5868FB0478} - (no file)
O2 - BHO: (no name) - {0B362164-20AE-4C8E-803D-7B1BDB0275D3} - C:\WINDOWS\SYSTEM\OPKF.DLL
O2 - BHO: Loader Class - {2E246FAE-8420-11D9-870D-000C2917DE7F} - C:\WINDOWS\SYSTEM\Loader.dll
O2 - BHO: (no name) - {8717A955-2A89-002E-CCED-66EDFEA67AA1} - C:\WINDOWS\SYSTEM\CXNY.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\WINDOWS\Desktop\Cleanup War\Downloaded Programs\Spybot - Search & Destroy\SDHelper.dll (file missing)

O4 - HKLM\..\Run: [sre] rundll32.exe sre.dll,Register

O4 - HKCU\..\RunServices: [wupd] C:\WINDOWS\SYSTEM\win32.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)

O21 - SSODL: eplrr - {AAA66FA9-117C-4B37-A2F1-DA5F30EBCFD9} - C:\WINDOWS\SYSTEM\eplrr0.dll (file missing)

Download SpSeHjfix Here.
Unzip SpSeHjfix to its own folder (ie c:\SpSeHjfix)

Reboot into safe mode and run SpSeHjfix. A log will be saved in the same folder that you put the exe into. Please post the results of that log in your next reply.

Regards,
  • 0

#4
flyrod1000 (Topic Starter, Member, 16 posts)
Pieter,
Thanks for reviewing my log. I suspected it wasn't totally cleaned.
Here's my SpSeHjFix log:
(5/21/05 6:50:36 AM) SPSeHjFix started v1.1.2
(5/21/05 6:50:36 AM) OS: Win98 (4.10.1998)
(5/21/05 6:50:36 AM) Language: english
(5/21/05 6:50:36 AM) Win-Path: C:\WINDOWS
(5/21/05 6:50:36 AM) System-Path: C:\WINDOWS\SYSTEM
(5/21/05 6:50:36 AM) Temp-Path: C:\WINDOWS\TEMP\
(5/21/05 6:50:37 AM) Disinfection started
(5/21/05 6:50:37 AM) Bad-Dll(IEP): (not found)
(5/21/05 6:50:37 AM) Bad-Dll(IEP) in BHO: (not found)
(5/21/05 6:50:37 AM) UBF: 4 - UBB: 0 - UBR: 15
(5/21/05 6:50:37 AM) UBF: 4 - UBB: 0 - UBR: 15
(5/21/05 6:50:37 AM) Bad IE-pages: (none)
(5/21/05 6:50:37 AM) Stealth-String found: C:\WINDOWS\TFC.PTN
(5/21/05 6:50:37 AM) File added to delete: c:\windows\tfc.ptn
(5/21/05 6:50:37 AM) Reboot
(5/21/05 6:52:38 AM) SPSeHjFix 2nd Step
(5/21/05 6:52:40 AM) Stealth-String not present. Disinfection succesfully
(5/21/05 6:52:47 AM) Cleaned

I also took out the Trusted Zone entries, as none of those addresses were anything I ever used. My first reboot gave me a window: Could not find tfc.ptn. Rebooted and do not get that window now. Do you need a new HJT log?
Thanks again
Flyrod
  • 0

#5
Metallica (Spyware Veteran, GeekU Moderator, 31,674 posts)
Yes. I think it would be a good idea to have another look at your HijackThis log.

Regards,
  • 0

#6
flyrod1000 (Topic Starter, Member, 16 posts)
I ran my full suite of devices this AM. Everything was clean except Spybot S & D picked up one item.

AVG Free Anti Virus
LavaSoft Ad-Aware Free Edition
CWShredder
SpSeHjFix
Spybot S&D
Cleanup 4.0
TDS-3 Anti Trojan
Hoster

All my logs for today are in the attached file except HJT which is in body of message.

I can't get rid of the 2 O15 trusted zones for crazywinnings, and I have never been there. They won't delete on HJT fix.

I don't recognize the O16 www.tgfoitwoods site. It's neither the Trend HouseCall nor the Panda virus scan.

Is the O1 Hosts entry dcsresearch a valid site? I use AOL.

??? O9 extra button ??

Logfile of HijackThis v1.99.1
Scan saved at 12:05:52 PM, on 5/22/05
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v5.00 (5.00.2314.1000)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\CITRIX\GOTOMYPC\G2SVC.EXE
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\CITRIX\GOTOMYPC\G2COMM.EXE
C:\PROGRAM FILES\CITRIX\GOTOMYPC\G2PRE.EXE
C:\PROGRAM FILES\CITRIX\GOTOMYPC\G2TRAY.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\ptsnoop.exe
C:\WINDOWS\SYSTEM\USBMONIT.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\WINDOWS\NOTEPAD.EXE
C:\WINDOWS\DESKTOP\SPYWARS\DOWNLOADED PROGRAMS\HIJACK THIS\HIJACKTHIS.EXE

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
O4 - HKLM\..\Run: [PTSNOOP] ptsnoop.exe
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [Gene USB Monitor] C:\WINDOWS\SYSTEM\USBMonit.exe
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\Run: [GoToMyPC] C:\PROGRAM FILES\CITRIX\GOTOMYPC\G2SVC.EXE -logon
O4 - HKLM\..\Run: [Startup] WinlogonStartup
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [GoToMyPC] C:\PROGRAM FILES\CITRIX\GOTOMYPC\G2SVC.EXE -service
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\WINDOWS\Desktop\Cleanup War\Downloaded Programs\Spybot - Search & Destroy\TeaTimer.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O12 - Plugin for .asp: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
O14 - IERESET.INF: SEARCH_PAGE_URL=http://home.microsoft.com/access/allinone.asp
O14 - IERESET.INF: START_PAGE_URL=http://www.aol.com
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone
O15 - ProtocolDefaults: 'https' protocol is in Trusted Zone, should be Internet Zone
O15 - ProtocolDefaults: 'https' protocol is in Trusted Zone, should be Internet Zone (HKLM)
O16 - DPF: {22D6F312-B0F6-11D0-94AB-0080C74C7E95} (Windows Media Player) - http://activex.micro...en/nsmp2inf.cab
O16 - DPF: {0C568603-D79D-11D2-87A7-00C04FF158BB} (BrowseFolderPopup Class) - http://download.mcaf...ed/MGBrwFld.cab
O16 - DPF: {D702FBF4-EE60-11D0-BD5B-00A0C91F4635} (CFForm Runtime) - https://www.tgfoitwo...sses/CFJava.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O21 - SSODL: eplrr - {AAA66FA9-117C-4B37-A2F1-DA5F30EBCFD9} - C:\WINDOWS\SYSTEM\eplrr0.dll (file missing)
  • 0

#7
Metallica (Spyware Veteran, GeekU Moderator, 31,674 posts)
Download: DelDomains.inf
Should the link above display the text instead of downloading the file, copy & paste the text into Notepad and save the file as DelDomains.inf.
To use: right-click and select Install (no need to restart).
Note: This will remove all entries in the "Trusted Zone" and "Ranges" also.

Check the following items in HijackThis.
Close all windows except HijackThis and click Fix checked:

O4 - HKLM\..\Run: [Startup] WinlogonStartup

Reboot and post a new HijackThis log.

The Java entries are harmless, and the O1 was put there by an install of a DiamondCS product, most likely TDS3.

Regards,
  • 0

#8
flyrod1000 (Topic Starter, Member, 16 posts)
This is the cleanest HJT log I've seen so far.

That dell info file was pretty slick, worked great.

Thanks a bunch

Jay

Logfile of HijackThis v1.99.1
Scan saved at 5:33:14 PM, on 5/22/05
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v5.00 (5.00.2314.1000)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\CITRIX\GOTOMYPC\G2SVC.EXE
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\CITRIX\GOTOMYPC\G2COMM.EXE
C:\PROGRAM FILES\CITRIX\GOTOMYPC\G2PRE.EXE
C:\PROGRAM FILES\CITRIX\GOTOMYPC\G2TRAY.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\ptsnoop.exe
C:\WINDOWS\SYSTEM\USBMONIT.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\HPZSTATX.EXE
C:\WINDOWS\DESKTOP\SPYWARS\DOWNLOADED PROGRAMS\HIJACK THIS\HIJACKTHIS.EXE

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
O4 - HKLM\..\Run: [PTSNOOP] ptsnoop.exe
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [Gene USB Monitor] C:\WINDOWS\SYSTEM\USBMonit.exe
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\Run: [GoToMyPC] C:\PROGRAM FILES\CITRIX\GOTOMYPC\G2SVC.EXE -logon
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [GoToMyPC] C:\PROGRAM FILES\CITRIX\GOTOMYPC\G2SVC.EXE -service
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\WINDOWS\Desktop\Cleanup War\Downloaded Programs\Spybot - Search & Destroy\TeaTimer.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O12 - Plugin for .asp: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
O14 - IERESET.INF: SEARCH_PAGE_URL=http://home.microsoft.com/access/allinone.asp
O14 - IERESET.INF: START_PAGE_URL=http://www.aol.com
O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone
O15 - ProtocolDefaults: 'https' protocol is in Trusted Zone, should be Internet Zone
O15 - ProtocolDefaults: 'https' protocol is in Trusted Zone, should be Internet Zone (HKLM)
O16 - DPF: {22D6F312-B0F6-11D0-94AB-0080C74C7E95} (Windows Media Player) - http://activex.micro...en/nsmp2inf.cab
O16 - DPF: {0C568603-D79D-11D2-87A7-00C04FF158BB} (BrowseFolderPopup Class) - http://download.mcaf...ed/MGBrwFld.cab
O16 - DPF: {D702FBF4-EE60-11D0-BD5B-00A0C91F4635} (CFForm Runtime) - https://www.tgfoitwo...sses/CFJava.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O21 - SSODL: eplrr - {AAA66FA9-117C-4B37-A2F1-DA5F30EBCFD9} - C:\WINDOWS\SYSTEM\eplrr0.dll (file missing)
  • 0

#9
Metallica (Spyware Veteran, GeekU Moderator, 31,674 posts)
Almost there :tazz:

Click Start > Run > type or copy&paste regedit /e c:\seczones.txt "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults" > OK

This will create the file c:\seczones.txt
Post the content of that file please.

Regards,
  • 0

#10
flyrod1000 (Topic Starter, Member, 16 posts)
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults]
@=""
"http"=dword:00000002
"https"=dword:00000002
"ftp"=dword:00000003
"file"=dword:00000003
"@ivt"=dword:00000001

When we get this cleaned up would be a good time to do a full backup and take a snapshot of the setup. I've never done a full system backup (just documents & projects). What would you recommend?

Thanks
Jay
  • 0

#11
Metallica (Spyware Veteran, GeekU Moderator, 31,674 posts)
Good. :tazz:

Save that file as a backup, just in case.
(If you should need it, rename it to seczones.reg. Use is the same as for the one below.)

Copy the part in bold below into notepad and save it as resetzone.reg

REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults]
"http"=dword:00000003
"https"=dword:00000003

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults]
"https"=dword:00000003


Doubleclick that file and confirm you want to merge it with the registry.

Run HijackThis again and post the new log.

Regards,
  • 0
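As an added example (not code from the thread, HijackThis or SpSeHjFix), here is the check behind those O15 ProtocolDefaults lines in Python: it parses a REGEDIT4 export like the seczones.txt posted above, flags any protocol sitting in a more permissive zone than its default, and writes a resetzone.reg in the same shape as Metallica's. The zone ids (1 = Local Intranet, 2 = Trusted, 3 = Internet) are the Internet Explorer URLZONE constants; the expected defaults table and the HKLM half of the sample export are assumptions constructed for the demo.

```python
"""Check an IE ZoneMap\\ProtocolDefaults export (REGEDIT4 format) for protocols
mapped to a more permissive zone than their default, and build the corrective
.reg file.  Added example for the thread above; not part of any original post."""
import re

# Internet Explorer URLZONE ids as stored under ZoneMap\ProtocolDefaults.
ZONE_NAMES = {0: "My Computer", 1: "Local Intranet", 2: "Trusted Sites",
              3: "Internet", 4: "Restricted Sites"}

# Assumed stock defaults: web, ftp and file protocols belong to the Internet
# zone (3); only the intranet marker @ivt belongs to Local Intranet (1).
EXPECTED = {"http": 3, "https": 3, "ftp": 3, "file": 3, "@ivt": 1}

_KEY_RE = re.compile(r"^\[(-?)(.+)\]$")
_DWORD_RE = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{8})$')


def parse_reg(text):
    """Return {key_path: {value_name: int}} for the dword values in an export.
    Non-dword values (such as the @="" default) are ignored."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = _KEY_RE.match(line)
        if m:
            current = m.group(2)          # group(1) is the '-' delete marker
            keys.setdefault(current, {})
            continue
        m = _DWORD_RE.match(line)
        if m and current is not None:
            keys[current][m.group(1)] = int(m.group(2), 16)
    return keys


def find_zone_anomalies(keys):
    """Return [(key, protocol, actual_zone, expected_zone)] for every protocol
    whose zone id is lower (more trusted) than its default."""
    findings = []
    for key, values in keys.items():
        if not key.lower().endswith(r"zonemap\protocoldefaults"):
            continue
        for proto, zone in values.items():
            expected = EXPECTED.get(proto)
            if expected is not None and zone < expected:
                findings.append((key, proto, zone, expected))
    return findings


def describe(finding):
    """Render one finding in the wording HijackThis uses for its O15 lines."""
    key, proto, zone, expected = finding
    hive = "HKLM" if key.upper().startswith("HKEY_LOCAL_MACHINE") else "HKCU"
    return "'%s' protocol is in %s Zone, should be %s Zone (%s)" % (
        proto, ZONE_NAMES[zone].replace(" Sites", ""), ZONE_NAMES[expected], hive)


def build_fix(findings):
    """Emit a REGEDIT4 file that resets each flagged protocol to its default
    zone, one block per registry key."""
    by_key = {}
    for key, proto, _zone, expected in findings:
        by_key.setdefault(key, []).append((proto, expected))
    out = ["REGEDIT4", ""]
    for key, items in by_key.items():
        out.append("[%s]" % key)
        for proto, expected in items:
            out.append('"%s"=dword:%08x' % (proto, expected))
        out.append("")
    return "\n".join(out)


# Constructed sample: the HKCU export posted in the thread, plus an assumed
# HKLM key with https in the Trusted zone as HijackThis reported.
SAMPLE_EXPORT = """REGEDIT4

[HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\ProtocolDefaults]
@=""
"http"=dword:00000002
"https"=dword:00000002
"ftp"=dword:00000003
"file"=dword:00000003
"@ivt"=dword:00000001

[HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\ProtocolDefaults]
"https"=dword:00000002
"http"=dword:00000003
"""

if __name__ == "__main__":
    found = find_zone_anomalies(parse_reg(SAMPLE_EXPORT))
    for f in found:
        print("O15 - ProtocolDefaults:", describe(f))
    print(build_fix(found))
```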

#12
flyrod1000 (Topic Starter, Member, 16 posts)
Is MSGSRV32.exe an instant messenger program? We don't use instant messenger or the AOL buddy list. It was put on by a houseguest. Should I uninstall it?

Also SPOOL32... Are all the 32-bit options for newer versions of Windows, and Win98 is 16 bit? I read where hackers write for 32-bit systems, making 32-bit stuff enablers?

Logfile of HijackThis v1.99.1
Scan saved at 10:00:24 AM, on 5/23/05
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v5.00 (5.00.2314.1000)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\CITRIX\GOTOMYPC\G2SVC.EXE
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\CITRIX\GOTOMYPC\G2COMM.EXE
C:\PROGRAM FILES\CITRIX\GOTOMYPC\G2PRE.EXE
C:\PROGRAM FILES\CITRIX\GOTOMYPC\G2TRAY.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\ptsnoop.exe
C:\WINDOWS\SYSTEM\USBMONIT.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\HPZSTATX.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\DESKTOP\SPYWARS\DOWNLOADED PROGRAMS\HIJACK THIS\HIJACKTHIS.EXE

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
O4 - HKLM\..\Run: [PTSNOOP] ptsnoop.exe
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [Gene USB Monitor] C:\WINDOWS\SYSTEM\USBMonit.exe
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\Run: [GoToMyPC] C:\PROGRAM FILES\CITRIX\GOTOMYPC\G2SVC.EXE -logon
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [GoToMyPC] C:\PROGRAM FILES\CITRIX\GOTOMYPC\G2SVC.EXE -service
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\WINDOWS\Desktop\Cleanup War\Downloaded Programs\Spybot - Search & Destroy\TeaTimer.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O12 - Plugin for .asp: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
O14 - IERESET.INF: SEARCH_PAGE_URL=http://home.microsoft.com/access/allinone.asp
O14 - IERESET.INF: START_PAGE_URL=http://www.aol.com
O15 - ProtocolDefaults: 'https' protocol is in Trusted Zone, should be Internet Zone (HKLM)
O16 - DPF: {22D6F312-B0F6-11D0-94AB-0080C74C7E95} (Windows Media Player) - http://activex.micro...en/nsmp2inf.cab
O16 - DPF: {0C568603-D79D-11D2-87A7-00C04FF158BB} (BrowseFolderPopup Class) - http://download.mcaf...ed/MGBrwFld.cab
O16 - DPF: {D702FBF4-EE60-11D0-BD5B-00A0C91F4635} (CFForm Runtime) - https://www.tgfoitwo...sses/CFJava.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O21 - SSODL: eplrr - {AAA66FA9-117C-4B37-A2F1-DA5F30EBCFD9} - C:\WINDOWS\SYSTEM\eplrr0.dll (file missing)
  • 0

#13
Metallica (Spyware Veteran, GeekU Moderator, 31,674 posts)
http://www.liutiliti...brary/msgsrv32/
msgsrv32.exe is a process which is initiated by Microsoft Windows 9x and ME only. It acts as a 32 bit message server and will never appear in the Windows task list unless there is a problem with it. At any other time it should be left enabled.

http://www.liutiliti...ibrary/spool32/
spool32.exe is a part of the Microsoft Windows Operating System which deals with the spooling of Microsoft Windows print jobs. This process is only executed when this method is selected in the printer's configuration properties. This program is important for the stable and secure running of your computer and should not be terminated.

Copy the part in bold below into notepad and save it as eplrr.reg

REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\eplrr]

[-HKEY_CLASSES_ROOT\CLSID\{AAA66FA9-117C-4B37-A2F1-DA5F30EBCFD9}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults]
"https"=dword:00000003


Doubleclick that file, confirm you want to merge it with the registry.
Reboot and post a new HijackThis log.

Regards,
  • 0

#14
flyrod1000 (Topic Starter, Member, 16 posts)
I understand, and I'll leave them alone. See, a little knowledge is dangerous.

When we're through, I want to do a backup. Regedit Help says to 'export a full registry copy to a text file', go to My Computer and click the registry key. In My Computer there is no key named registry on any toolbar, just the regular backup function under the File pull-down, which goes to the Microsoft Seagate backup utility. I intend to do a full backup there and burn a disc as soon as I move every file I have into My Docs. A couple of my programs (PrintMaster, etc.) have their own storage areas. Everything's going into My Docs eventually.

I've also started the habit of running Cleanup 4.0 after each online session and rebooting. Seems to be running better. I'm amazed at how many files clean out after just a short online session. And all this time I prided myself on trying to run a clean, lean machine. Choke............

Here's my latest log.

Logfile of HijackThis v1.99.1
Scan saved at 2:56:12 PM, on 5/23/05
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v5.00 (5.00.2314.1000)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\CITRIX\GOTOMYPC\G2SVC.EXE
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\CITRIX\GOTOMYPC\G2COMM.EXE
C:\PROGRAM FILES\CITRIX\GOTOMYPC\G2PRE.EXE
C:\PROGRAM FILES\CITRIX\GOTOMYPC\G2TRAY.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\ptsnoop.exe
C:\WINDOWS\SYSTEM\USBMONIT.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\DESKTOP\SPYWARS\DOWNLOADED PROGRAMS\HIJACK THIS\HIJACKTHIS.EXE

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
O4 - HKLM\..\Run: [PTSNOOP] ptsnoop.exe
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [Gene USB Monitor] C:\WINDOWS\SYSTEM\USBMonit.exe
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\Run: [GoToMyPC] C:\PROGRAM FILES\CITRIX\GOTOMYPC\G2SVC.EXE -logon
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [GoToMyPC] C:\PROGRAM FILES\CITRIX\GOTOMYPC\G2SVC.EXE -service
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\WINDOWS\Desktop\Cleanup War\Downloaded Programs\Spybot - Search & Destroy\TeaTimer.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O12 - Plugin for .asp: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
O14 - IERESET.INF: SEARCH_PAGE_URL=http://home.microsoft.com/access/allinone.asp
O14 - IERESET.INF: START_PAGE_URL=http://www.aol.com
O15 - ProtocolDefaults: 'https' protocol is in Trusted Zone, should be Internet Zone (HKLM)
O16 - DPF: {22D6F312-B0F6-11D0-94AB-0080C74C7E95} (Windows Media Player) - http://activex.micro...en/nsmp2inf.cab
O16 - DPF: {0C568603-D79D-11D2-87A7-00C04FF158BB} (BrowseFolderPopup Class) - http://download.mcaf...ed/MGBrwFld.cab
O16 - DPF: {D702FBF4-EE60-11D0-BD5B-00A0C91F4635} (CFForm Runtime) - https://www.tgfoitwo...sses/CFJava.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O21 - SSODL: eplrr - {AAA66FA9-117C-4B37-A2F1-DA5F30EBCFD9} - (no file)
  • 0

#15
Metallica (Spyware Veteran, GeekU Moderator, 31,674 posts)
Your log looks good except for that stubborn O15 :tazz:

About backing up your registry read:
http://support.micro...b;en-us;Q256419
  • Download the Registry Search Tool.
  • Unzip the contents of RegSrch.zip to a convenient location.
  • Double-click on RegSrch.vbs.
  • If you have an anti-virus installed it might prompt you about a running script. Please ignore this warning and allow the script to run.
  • In the "Enter search string (case insensitive) and click OK..." box paste this string:
    • ProtocolDefaults
  • Click "OK" to search the registry for that string.
  • Wait for a few minutes while it completes the search.
  • Click "OK" to open the results in WordPad.
  • Copy and paste the entire results into your next post.
Regards,
  • 0