Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

HELP! Startpage.19.J Trojan Horse

Started by _TerNaTiVa_ , Jun 09 2005 07:36 PM

  • This topic is locked This topic is locked

#1
_TerNaTiVa_
Posted 09 June 2005 - 07:36 PM

_TerNaTiVa_

    New Member

  • Member
  • Pip
  • 6 posts
Ok. I had the Smitfraud Trojan Horse and I was able to remove it, but not succesfully enough since I still have the starpage problem and the pop-ups are driving me nuts.
Here I paste the HijackThis Log tto make things faster because I use this PC to work and this Trojan is delaying me a lot.
I must tell you, since I am Argentinian that "Archivos de Programa" is the equivalent to "Program Files". Thanks!

Logfile of HijackThis v1.99.1
Scan saved at 10:18:41 p.m., on 09/06/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\INET20057\WINLOGON.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\ARCHIVOS DE PROGRAMA\ANALOG DEVICES\SOUNDMAX\SMTRAY.EXE
C:\WINDOWS\SYSTEM\VTTIMER.EXE
C:\ARCHIVOS DE PROGRAMA\GRISOFT\AVG FREE\AVGCC.EXE
C:\ARCHIVOS DE PROGRAMA\GRISOFT\AVG FREE\AVGEMC.EXE
C:\ARCHIVOS DE PROGRAMA\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\WINDOWS\SYSTEM\HPZTSB07.EXE
C:\WINDOWS\SYSTEM\POPCORN64.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\ARCHIVOS DE PROGRAMA\INTERNET EXPLORER\IEXPLORE.EXE
C:\ARCHIVOS DE PROGRAMA\GRISOFT\AVG FREE\AVGWB.DAT
C:\ARCHIVOS DE PROGRAMA\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/spage.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = C:\WINDOWS\SYSTEM\msblank.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/spage.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
F1 - win.ini: run=C:\WINDOWS\INET20057\WINLOGON.EXE
O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - D:\ARCHIVOS DE PROGRAMA\FLASHGET\JCCATCH.DLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\ARCHIVOS DE PROGRAMA\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {551D1321-D8FB-11D9-B0B7-00002AE7E6C7} - C:\WINDOWS\SYSTEM\EFOJ.DLL
O2 - BHO: HBO Class - {5321E378-FFAD-4999-8C62-03CA8155F0B3} - C:\WINDOWS\inet20057\3.00.05.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - D:\ARCHIVOS DE PROGRAMA\FLASHGET\FGIEBAR.DLL
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [smapp] C:\Archivos de programa\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\ARCHIV~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\ARCHIV~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\ARCHIV~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\SYSTEM\hpztsb07.exe
O4 - HKLM\..\Run: [xp_system] C:\WINDOWS\INET20057\WINLOGON.EXE
O4 - HKLM\..\Run: [ControlPanel] C:\WINDOWS\SYSTEM\popcorn64.exe rundll.dll,LoadMouseProfile
O4 - HKLM\..\Run: [sp] rundll32 C:\WINDOWS\TEMP\SE.DLL,DllInstall
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
O4 - HKCU\..\Run: [xp_system] C:\WINDOWS\INET20057\WINLOGON.EXE
O8 - Extra context menu item: Descargar usando FlashGet - D:\ARCHIVOS DE PROGRAMA\FLASHGET\jc_link.htm
O8 - Extra context menu item: Descargar TODO con FlashGet - D:\ARCHIVOS DE PROGRAMA\FLASHGET\jc_all.htm
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - D:\ARCHIVOS DE PROGRAMA\FLASHGET\FLASHGET.EXE
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - D:\ARCHIVOS DE PROGRAMA\FLASHGET\FLASHGET.EXE
O12 - Plugin for .spop: C:\ARCHIV~1\INTERN~1\Plugins\NPDocBox.dll
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = web
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 192.168.100.1,200.51.254.251,200.51.254.254
O18 - Filter: text/html - {551D1320-D8FB-11D9-B0B7-000045AB435C} - C:\WINDOWS\SYSTEM\EFOJ.DLL
O18 - Filter: text/plain - {551D1320-D8FB-11D9-B0B7-000045AB435C} - C:\WINDOWS\SYSTEM\EFOJ.DLL
  • 0

Advertisements

#2
insipid
Posted 16 June 2005 - 05:54 PM

insipid

    Visiting Staff

  • Member
  • PipPipPip
  • 313 posts
I apologize for the delay getting to your log, the helpers here are very busy. If you are still having malware troubles, I will be glad to help. Due to the length of time passed, I need to see a new HijackThis Log.

Please post a new HJT log in this thread.
  • 0

#3
_TerNaTiVa_
Posted 16 June 2005 - 10:15 PM

_TerNaTiVa_

    New Member

  • Topic Starter
  • Member
  • Pip
  • 6 posts
Ok, thanks for your reply. I've been dealing with this problem for some days now. I don't have the Startpage.19.J Trojan anymore.
However everytime Internet Explorer runs it starts with "C:/WINDOWS/SYSTEM/msblank.html" page, I have not idea of what this is and I don't seem to be able to change it.
Also at start it asks for my authorization to install something from "DialerPlatform Limited", which I don't give. After that a window which says "For Your Instant Access Please Click Yes" appears, I don't have the "no" option for this one so I just press Alt+F4 to close it without agreeing.
I know I have a problem with some M3U , CoolWWWSearch and CoolWebSearch entries because Ad-Aware and Spybot Search & Destroy keeps finding them and "solving" them. CWShredder shouls do something about it but it doesn't.

(Remember "Archivos de Programa" is the spanish for "Program Files")
Ok, here the hijack this log:



Logfile of HijackThis v1.99.1
Scan saved at 01:04:14 a.m., on 17/06/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\INET20057\WINLOGON.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\ARCHIVOS DE PROGRAMA\ANALOG DEVICES\SOUNDMAX\SMTRAY.EXE
C:\WINDOWS\SYSTEM\VTTIMER.EXE
C:\ARCHIVOS DE PROGRAMA\GRISOFT\AVG FREE\AVGCC.EXE
C:\ARCHIVOS DE PROGRAMA\GRISOFT\AVG FREE\AVGEMC.EXE
C:\ARCHIVOS DE PROGRAMA\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\WINDOWS\SYSTEM\HPZTSB07.EXE
C:\WINDOWS\SYSTEM\POPCORN64.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\ARCHIVOS DE PROGRAMA\MICROSOFT OFFICE\OFFICE\WINWORD.EXE
C:\ARCHIVOS DE PROGRAMA\INTERNET EXPLORER\IEXPLORE.EXE
C:\ARCHIVOS DE PROGRAMA\MOZILLA FIREFOX\FIREFOX.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\ARCHIVOS DE PROGRAMA\INTERNET EXPLORER\IEXPLORE.EXE
C:\HIJACKTHIS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = C:\WINDOWS\SYSTEM\msblank.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
F1 - win.ini: run=C:\WINDOWS\INET20057\WINLOGON.EXE
O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - D:\ARCHIVOS DE PROGRAMA\FLASHGET\JCCATCH.DLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\ARCHIVOS DE PROGRAMA\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Archivos de programa\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {5321E378-FFAD-4999-8C62-03CA8155F0B3} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - D:\ARCHIVOS DE PROGRAMA\FLASHGET\FGIEBAR.DLL
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [smapp] C:\Archivos de programa\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\ARCHIV~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\ARCHIV~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\ARCHIV~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\SYSTEM\hpztsb07.exe
O4 - HKLM\..\Run: [xp_system] C:\WINDOWS\INET20057\WINLOGON.EXE
O4 - HKLM\..\Run: [ControlPanel] C:\WINDOWS\SYSTEM\popcorn64.exe rundll.dll,LoadMouseProfile
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
O4 - HKCU\..\Run: [xp_system] C:\WINDOWS\INET20057\WINLOGON.EXE
O8 - Extra context menu item: Descargar usando FlashGet - D:\ARCHIVOS DE PROGRAMA\FLASHGET\jc_link.htm
O8 - Extra context menu item: Descargar TODO con FlashGet - D:\ARCHIVOS DE PROGRAMA\FLASHGET\jc_all.htm
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - D:\ARCHIVOS DE PROGRAMA\FLASHGET\FLASHGET.EXE
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - D:\ARCHIVOS DE PROGRAMA\FLASHGET\FLASHGET.EXE
O12 - Plugin for .spop: C:\ARCHIV~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = web
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 192.168.100.1,200.51.254.251,200.51.254.254



THANKS SO MUCH!!!
  • 0

#4
insipid
Posted 17 June 2005 - 11:21 AM

insipid

    Visiting Staff

  • Member
  • PipPipPip
  • 313 posts
_TerNaTiVa_, not to worry about the Spanish in the log, I've seen it many times :tazz:. I know you already have CWShredder, but please download it anyway to make sure you have the latest version.

Please read this post completely, it may make it easier for you if you copy and paste this post to a new text document or print it for reference later.

This will likely be a few step process in removing the malware that has infected your system. I encourage you to stick with it and follow my directions as closely as possible so as to avoid complicating the problem further.

You have a nasty CoolWebSearch infection. First we will need to download a few tools that will help us in the removal of your problem.

Download about:buster by RubbeRDuckY Here.
Download CWShredder Here.
Download SpSeHjfix Here.
Download and install CleanUp! Here

Save all of these files somewhere you will remember like to the Desktop.

Unzip SpSeHjfix to its own folder (ie c:\SpSeHjfix)

Run the CleanUp! installer. You dont need to do anything with it right now.

Update About:Buster
  • Unzip the contents of AboutBuster.zip and an AboutBuster directory will be created.
  • Navigate to the AboutBuster directory and double-click on AboutBuster.exe.
  • Click "OK" at the prompt with instructions.
  • Click "Update" and then "Check For Update" to begin the update process.
  • If any updates exist please download them by clicking "Download Update" then click the X to close that window.
  • Now close About:Buster
Update CWShredder
  • Open CWShredder and click I AGREE
  • Click Check For Update
  • Close CWShredder
Boot into Safe Mode:
Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

Please run about:buster by RubbeRDuckY:
  • Click Start and then OK to allow AboutBuster to scan for Alternate Data Streams.
  • Click Yes to allow it to shutdown explorer.exe.
  • It will begin to check your computer for malicious files. If it asks if you would like to do a second pass, allow it to do so.
  • When it has finished, click Save Log. Make sure you save it as I may need a copy of it later.
  • Reboot your computer into safe mode again
Run about:buster again following the same instructions as above, this time without the restart at the end

Now run CWShredder. Click I Agree, then Fix and then Next, let it fix everything it asks about.

Now run SpSeHjfix. A log will be saved in the same folder that you put the exe into. Please post the results of that log in your next reply.

Now run CleanUp!. Click CleanUp and allow it to delete all the temporary files.Reboot your computer into normal windows.

Please run an on-line virus scan at Kaspersky OnLine Scan or if that doesnt work, you can use TrendMicro or BitDefender. (Please post the results of the scan(s) in your next reply)

After all that, please post back with how things went as well as the logs requested and a new HiJackThis log.
  • 0

#5
_TerNaTiVa_
Posted 18 June 2005 - 09:37 PM

_TerNaTiVa_

    New Member

  • Topic Starter
  • Member
  • Pip
  • 6 posts
I've done everything exactly as you've told me.
Must tell you that the "C:\WINDOWS\SYSTEM\msblank.html" as my startpage is still there as well as the requestion to install DialerPlatform Limited's software and the "For Your Instant Access Please Click Yes" window. I keep doing what I told I did about them.

*Here I post the AboutBuster logs (I know you said you may need it later but just in case):
AboutBuster 5.0 reference file 30
Scan started on [18/06/05] at [11:13:06 p.m.]
------------------------------------------------
Streams(ADS) not scanned: System not NTFS
------------------------------------------------
No Files Found!
------------------------------------------------
Scan was COMPLETED SUCCESSFULLY at 11:13:07 p.m.


AboutBuster 5.0 reference file 30
Scan started on [18/06/05] at [11:15:52 p.m.]
------------------------------------------------
Streams(ADS) not scanned: System not NTFS
------------------------------------------------
No Files Found!
------------------------------------------------
Scan was COMPLETED SUCCESSFULLY at 11:15:53 p.m.

*Here I post the SpSeHjfix log:
(6/18/05 11:18:43 p.m.) SPSeHjFix started v1.09
(6/18/05 11:18:43 p.m.) OS: Win98SE A (4.10.67766446)
(6/18/05 11:18:43 p.m.) Language: español
(6/18/05 11:18:44 p.m.) Disinfect started
(6/18/05 11:18:44 p.m.) Bad-Dll(IEP): (not found)
(6/18/05 11:18:44 p.m.) Bad-Dll(IEP) in BHO: (not found)
(6/18/05 11:18:44 p.m.) UBF: 4
(6/18/05 11:18:44 p.m.) UBB: 2
(6/18/05 11:18:44 p.m.) UBR: 15
(6/18/05 11:18:44 p.m.) Bad IE-pages:
(6/18/05 11:18:44 p.m.) Stealth-String not found:
(6/18/05 11:18:44 p.m.) Not infected->END

*Here I post the Kaspersky OnLine Scan results (Amazing program by the way, it found trojans that none of the other online scanners nor AVG had):
-------------------------------------------------------------------------------
KASPERSKY ANTI-VIRUS WEB SCANNER REPORT
Sunday, June 19, 2005 00:09:32
Operating System: Microsoft Windows 98 SE
Kaspersky Anti-Virus Web Scanner version: 5.0.67.0
Kaspersky Anti-Virus database last update: 19/06/2005
Kaspersky Anti-Virus database records: 126839
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
a:\
c:\
d:\
e:\

Scan Statistics:
Total number of scanned objects: 9968
Number of viruses found: 7
Number of infected objects: 10
Number of suspicious objects: 0
Duration of the scan process: 932 sec

Infected Object Name - Virus Name
c:\WINDOWS\SYSTEM\maxd.exe Infected: Trojan.Win32.Dialer.ay
c:\WINDOWS\Downloaded Program Files\CONFLICT.1\gdnAR1956.exe Infected: Trojan-Downloader.Win32.Small.ayl
c:\WINDOWS\Downloaded Program Files\gdnAR1956.exe Infected: Trojan-Downloader.Win32.Small.ayl
c:\WINDOWS\ef.exe Infected: Trojan.Win32.Delf.gq
c:\WINDOWS\winsocks5.exe Infected: Trojan-Proxy.Win32.Small.bt
c:\WINDOWS\uninstIU.exe Infected: Trojan.Win32.Agent.eo
c:\WINDOWS\inet20057\winlogon.exe Infected: Trojan-Downloader.Win32.CWS.gen
d:\descargas\kyodaimahjonggv18.75loaderrp.zip/rp_kyodai_loa.rar/LOADER.EXE Infected: HackTool.Win32.Fumn
d:\descargas\kyodaimahjonggv18.75loaderrp.zip/rp_kyodai_loa.rar Infected: HackTool.Win32.Fumn
d:\descargas\kyodaimahjonggv18.75loaderrp.zip Infected: HackTool.Win32.Fumn

Scan process completed.

OK. I HAVEN'T DONE ANYTHING ABOUT THESE TROJANS JUST BECAUSE I DON'T WANT TO MAKE IT WORSE. I'LL WAIT FOR YOUR REPLY AND THEN DO WHATEVER YOU TELL ME TO.


*Finally, the Hijack This log:
Logfile of HijackThis v1.99.1
Scan saved at 12:25:53 a.m., on 19/06/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\INET20057\WINLOGON.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\ARCHIVOS DE PROGRAMA\ANALOG DEVICES\SOUNDMAX\SMTRAY.EXE
C:\WINDOWS\SYSTEM\VTTIMER.EXE
C:\ARCHIVOS DE PROGRAMA\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\WINDOWS\SYSTEM\HPZTSB07.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\ARCHIVOS DE PROGRAMA\MOZILLA FIREFOX\FIREFOX.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\HIJACKTHIS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = C:\WINDOWS\SYSTEM\msblank.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
F1 - win.ini: run=C:\WINDOWS\INET20057\WINLOGON.EXE
O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - D:\ARCHIVOS DE PROGRAMA\FLASHGET\JCCATCH.DLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\ARCHIVOS DE PROGRAMA\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Archivos de programa\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {5321E378-FFAD-4999-8C62-03CA8155F0B3} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - D:\ARCHIVOS DE PROGRAMA\FLASHGET\FGIEBAR.DLL
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [smapp] C:\Archivos de programa\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\ARCHIV~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\ARCHIV~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\ARCHIV~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\SYSTEM\hpztsb07.exe
O4 - HKLM\..\Run: [xp_system] C:\WINDOWS\INET20057\WINLOGON.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
O4 - HKCU\..\Run: [xp_system] C:\WINDOWS\INET20057\WINLOGON.EXE
O8 - Extra context menu item: Descargar usando FlashGet - D:\ARCHIVOS DE PROGRAMA\FLASHGET\jc_link.htm
O8 - Extra context menu item: Descargar TODO con FlashGet - D:\ARCHIVOS DE PROGRAMA\FLASHGET\jc_all.htm
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - D:\ARCHIVOS DE PROGRAMA\FLASHGET\FLASHGET.EXE
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - D:\ARCHIVOS DE PROGRAMA\FLASHGET\FLASHGET.EXE
O12 - Plugin for .spop: C:\ARCHIV~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...ebscan_ansi.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = web
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 192.168.100.1,200.51.254.251,200.51.254.254



THANKS AGAIN FOR HELPING ME!!!
  • 0

#6
insipid
Posted 18 June 2005 - 10:51 PM

insipid

    Visiting Staff

  • Member
  • PipPipPip
  • 313 posts
Rescan with HijackThis and place a checkmark next to the following entries:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = C:\WINDOWS\SYSTEM\msblank.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
F1 - win.ini: run=C:\WINDOWS\INET20057\WINLOGON.EXE
O2 - BHO: (no name) - {5321E378-FFAD-4999-8C62-03CA8155F0B3} - (no file)
O4 - HKLM\..\Run: [xp_system] C:\WINDOWS\INET20057\WINLOGON.EXE
O4 - HKCU\..\Run: [xp_system] C:\WINDOWS\INET20057\WINLOGON.EXE


Now, close all windows including your browser and then click "Fix Checked" in Hijackthis.


Boot into Safe Mode:
Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.


Please delete these files using Windows Explorer(if present):

C:\WINDOWS\INET20057\WINLOGON.EXE
c:\WINDOWS\SYSTEM\maxd.exe
c:\WINDOWS\Downloaded Program Files\CONFLICT.1\gdnAR1956.exe
c:\WINDOWS\ef.exe
c:\WINDOWS\winsocks5.exe
c:\WINDOWS\uninstIU.exe
d:\descargas\kyodaimahjonggv18.75loaderrp.zip <<This entire zip file.

Next, clean out all the temporary files and cookies on your system. Go to Start > Run and enter: cleanmgr. Let it scan your system for files to remove. Check these three boxes and then press ok to remove: Temporary Files, Temporary Internet Files, Recycle Bin.

Reboot normally and post a fresh HJT log for review.
  • 0

#7
_TerNaTiVa_
Posted 19 June 2005 - 08:25 AM

_TerNaTiVa_

    New Member

  • Topic Starter
  • Member
  • Pip
  • 6 posts
Ok. Did everything. All files deleted except for "C:\WINDOWS\Downloaded Program Files\CONFLICT.1\gdnAR1956.exe.
Now when I rebooted Windows normally, it said that it couldn't run WINLOGON.EXE, I guess that's good, and that I should delete all the information referring to it in WIN.INI.
I'll wait for your reply before doing anything. THANKS AGAIN!

Logfile of HijackThis v1.99.1
Scan saved at 11:14:27 a.m., on 19/06/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\ARCHIVOS DE PROGRAMA\ANALOG DEVICES\SOUNDMAX\SMTRAY.EXE
C:\WINDOWS\SYSTEM\VTTIMER.EXE
C:\ARCHIVOS DE PROGRAMA\GRISOFT\AVG FREE\AVGCC.EXE
C:\ARCHIVOS DE PROGRAMA\GRISOFT\AVG FREE\AVGEMC.EXE
C:\ARCHIVOS DE PROGRAMA\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\WINDOWS\SYSTEM\HPZTSB07.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\HIJACKTHIS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
F1 - win.ini: run=C:\WINDOWS\INET20057\WINLOGON.EXE
O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - D:\ARCHIVOS DE PROGRAMA\FLASHGET\JCCATCH.DLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\ARCHIVOS DE PROGRAMA\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Archivos de programa\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - D:\ARCHIVOS DE PROGRAMA\FLASHGET\FGIEBAR.DLL
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [smapp] C:\Archivos de programa\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\ARCHIV~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\ARCHIV~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\ARCHIV~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\SYSTEM\hpztsb07.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
O8 - Extra context menu item: Descargar usando FlashGet - D:\ARCHIVOS DE PROGRAMA\FLASHGET\jc_link.htm
O8 - Extra context menu item: Descargar TODO con FlashGet - D:\ARCHIVOS DE PROGRAMA\FLASHGET\jc_all.htm
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - D:\ARCHIVOS DE PROGRAMA\FLASHGET\FLASHGET.EXE
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - D:\ARCHIVOS DE PROGRAMA\FLASHGET\FLASHGET.EXE
O12 - Plugin for .spop: C:\ARCHIV~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...ebscan_ansi.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = web
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 192.168.100.1,200.51.254.251,200.51.254.254
  • 0

#8
insipid
Posted 19 June 2005 - 09:14 PM

insipid

    Visiting Staff

  • Member
  • PipPipPip
  • 313 posts
Ok, just the winlogon.exe entry left to fix.

b]Boot into Safe Mode:[/b]
Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

Fix this item with HJT:

F1 - win.ini: run=C:\WINDOWS\INET20057\WINLOGON.EXE

Don't forget to close all windows before clicking 'Fix Checked'.

Delete this folder:

C:\WINDOWS\INET20057\

Next, click Start >> Run and type 'Sysedit' (without the quotes) in the box that appears. Copy and paste the contents of win.ini in a reply to this thread. Win.ini will be long, if you need to, cut it in half and make two posts. Just make sure you don't leave anything out :tazz:.
  • 0

#9
_TerNaTiVa_
Posted 23 June 2005 - 03:05 PM

_TerNaTiVa_

    New Member

  • Topic Starter
  • Member
  • Pip
  • 6 posts
Done. I'm not getting any message anymore, and I'm starting to think everything is ok! :tazz:
As you asked, this are the contents of win.ini. THANKS!

[windows]
load=
run=
NullPort=None
device=hp deskjet 3320 series,hpz9xd07,USB001

[Desktop]
Wallpaper=C:\WINDOWS\SYSTEM\WP.BMP
TileWallpaper=0
WallpaperStyle=0

[intl]
iCountry=52
ICurrDigits=2
iCurrency=0
iDate=1
iDigits=2
iLZero=1
iMeasure=0
iNegCurr=1
iTime=0
iTLZero=1
s1159=a.m.
s2359=p.m.
sCountry=Mexico
sCurrency=$
sDate=/
sDecimal=.
sLanguage=esm
sList=,
sLongDate=dddd, dd' de 'MMMM' de 'yyyy
sShortDate=dd/MM/yy
sThousand=,
sTime=:

[Fonts]

[Compatibility]
_3DPC=0x00400000
_BNOTES=0x224000
_LNOTES=0x00100000
ACAD=0x8000
ACT!=0x400004
ACROBAT=0x04000000
AD=0x10000000
ADW30=0x10000000
ALARMMGR=0x0040000
ALDSETUP=0x00400000
AMIPRINT=0x04000000
AMIPRO=0x04000010
APORIA=0x0100
APPROACH=0x0004
BALER=0x08000000
BMAPP=0x0004
CASMONEY=0x00200000
CAVOIDE=0x00200000
CCMAIL=0x00200000
CCMCWFY=0x80
CHARISMA=0x2000
CONFIG=0x00400000
CORELDRW=0x48000
CORELPNT=0x08000000
COSTAR=0x0004
CP=0x0040
CROSSTIE=0x00000400
DARCH=0x80
DESIGNER=0x00002000
DIRECTOR=0x00800000
DPLANNER=0x00200000
DRAW=0x2000
DS40=0x8000
DTWIN20=0x00000400
EAP=0x0004
ED=0x00010000
EXCEL=0x1000
EXPASTRO=0x04000000
EXTYPWND=0x00200000
FAXVIEW=0x04000000
FAXWORKS=0x00000400
FH4=0x00E08000
FLW2=0x8000
FMPRO=0x00200000
FREEHAND=0x8000
FULLTEXT=0x20000000
GIFTMAKE=0x20000000
GUIDE=0x1000
HDW=0x04800000
HGW=0x8000
HGW2EXE=0x8000
HGW3EXE=0x8000
HJDRAW=0x00400000
IDAPICFG=0x00400000
IDRAW=0x04008000
ILLUSTRATOR=0x8000
IMPROV2=0x00000000
INFOCENT=0x04000000
INSIGHT=0x00000400
INSTAL1=0x00400000
INSTALL=0x00400000
INTERMIS=0x10000000
IS20INST=0x00000000
IVIHEALT=0x00400000
JEOPARDY=0x00200000
JW=0x00000000
KALOAD2=0x00400000
KEYCAD=0x8000
LE_ADMIN=0x00400000
LUI=0x20000000
MAILSPL=0x10000000
MAKER=0x00200000
MAPS1=0x04008022
MATH=0x00000001
MAVIS=0x00200000
MCOURIER=0x0800
MFWIN20=0x02000000
MILESV3=0x1000
MILESV40=0x4
MOZART=0x40000000
MSARTIST=0x00100000
MSBHUMAN=0x4
MSREMIND=0x10000000
MVIEWER2=0x40200000
MYINV=0x00200000
MYST=0x08000000
NAFTA1=0x4008022
NBAMW4V4=0x04000000
NETSET2=0x0100
NOTES=0x200000
NOTSHELL=0x0001
OPERATOR=0x02000000
OUTPOST=0x00000000
OWLAPP=0x00400000
PACKRAT=0x0800
PAINTER=0x00000000
PAWC8DC3=0x00400000
PAWIN=0x4
PEACHW=0x04800004
PIXIE=0x0040
PLANIT=0x0004
PLANNER=0x2000
PLUS=0x1000
PM4=0xA000
PM5APP=0x8000
PP4=0x00000000
PR2=0x2000
PRINTHLP=0x0004
QAPLUSW=0x0004
QLIIFAX=0x00400000
QUAKE=0x80
QW=0x08000000
RELAY=0x20000000
REM=0x8022
RR2CD=0x00200000
RX=0x00000400
RXL=0x00000400
SETUP=0x00000000
SIDEKICK=0x0004
SLEEPER=0x10000000
SOL=0x00400000
SPCB=0x04008000
SPORTJEP=0x00200000
SPWIN20=0x00400000
ST2=0x4008022
STRAUSS=0x40000000
STRAV=0x40000000
SCHUBERT=0x40000000
SSBWIN=0x00200000
SWCWIN=0x00800004
TCVWIN=0x00200000
TCW=0x00400000
TCWIN=0x0004
TERRAIN=0x00400000
TISETUP=0x00200000
TL6=0x08000000
TME=0x0100
TMSWIN=0x20000000
TMTWIN=0x00200000
TMTWINCD=0x00200000
TOUCHUP=0x00400000
TURBOTAX=0x00080000
VB=0x0200
VEWINFIL=0x00400000
VISIO=0x00000004
VISIOHM=0x00000004
VISION=0x0040
W4GL=0x4000
W4GLR=0x4000
WGW=0x00440000
WIN2WRS=0x1210
WINCIM=0x4
WINLINK=0x20000000
WINPHONE=0x0004
WINSIM=0x2000
WINTACH=0x00200000
WORDSCAN=0x02200000
WPWINFIL=0x00000006
WPWIN60=0x00000400
WPWIN61=0x02000400
WSETUP=0x00200000
XPRESS=0x00000008
ZETA01=0x00400000
ZIFFBOOK=0x00200000
NOTIFIER=0x400000

[Compatibility32]
CLWORKS=0x00A00000
MCAD=0x00600000
PHOTOSHP=0x00208000
PODW=0x00200000
SPSSWIN=0x00200000
TYPSTRY2=0x00200000
V32VM20=0x02000000
VISIO=0x00000000
VISIOHM=0x00000000
WINPHONE=0x00000004
WRDART32=0x00400000
SHELL=0x80000000
USTATION=0x80000000

[Compatibility95]
CHAOS OV=0x80000000
CONF=0x00000002
MSDEV=0x00000002
IMAGE32=0x80000000
INST32=0x80000000

[ModuleCompatibility]
ACEROOBE=0x0004
AIRNFM=0x0002
ALDNCD=0x0002
AMRES=0x0002
ATM=0x0002
ARCHANGEL=0x0002
CSNOV=0x0002
DEFDEMO=0x0002
DIBWND=0x0002
DIB=0x0002
DS=0x0001
EMLIB=0x0002
EMSAVE=0x0002
FH4=0x0002
GEDIT=0x0002
GEORGE=0x0002
GVBSETUP=0x0002
HRWCD=0x0002
ISLFAXPR=0x0002
KIDDESK=0x0002
KIDSTYPE=0x0000
KNPS=0x0002
LIONKING=0x0002
MAUI_DRV=0x0002
MGXWMF=0x0002
MEMMAP=0x0002
MSARTIST=0x0002
MSCRWRTR=0x0002
MSCUISTF=0x0001
MVIEWER2=0x0002
MWAVSCAN=0x0002
MYINV=0x0002
OLESVR=0x0002
PDOXWIN=0x0002
PLANIT=0x0002
PP3=0x0002
PP4=0x0002
PPPP=0x0002
PXDSRV2=0x0002
REVIEWRT=0x0002
ROULETTE=0x0002
RRIRJ=0x0002
RR1=0x0002
RR2CD=0x0002
STL_DLG=0x0002
TECO=0x0001
TER=0x0002
TLW0LOC=0x0002
TMSWIN=0x0002
USA=0x0002
VOICE=0x0002
WFXVIEW=0x0004
WINFORM=0x0002
WPWIN61=0x0002

[TrueType]
FontSmoothing=0

[mci extensions]
mid=Sequencer
rmi=Sequencer
wav=waveaudio
avi=AVIVideo
cda=CDAudio
aif=MPEGVideo
aifc=MPEGVideo
aiff=MPEGVideo
au=MPEGVideo
m1v=MPEGVideo
m3u=MPEGVideo
midi=Sequencer
mov=MPEGVideo
mp2=MPEGVideo
mp3=MPEGVideo
mpa=MPEGVideo
mpe=MPEGVideo
mpeg=MPEGVideo
mpg=MPEGVideo
mpv2=MPEGVideo
qt=MPEGVideo
snd=MPEGVideo
asf=MPEGVideo2
asx=MPEGVideo2
ivf=MPEGVideo2
lsf=MPEGVideo2
lsx=MPEGVideo2
mp2v=MPEGVideo
wax=MPEGVideo2
wvx=MPEGVideo2
wm=MPEGVideo2
wma=MPEGVideo2
wmv=MPEGVideo2

[MCICompatibility]
QTWVideo=0x0001
MCIXSND=0x0001
GDAnim=0x0001

[mciavi]

[Desktop_Shell]
Current=Win

[Pscript.Drv]
ATMWorkaround=1

[Ports]
LPT1:=
LPT2:=
LPT3:=
COM1:=9600,n,8,1,x
COM2:=9600,n,8,1,x
COM3:=9600,n,8,1,x
COM4:=9600,n,8,1,x
FILE:=

[embedding]
Package=Paquete,Paquete,packager.exe,picture
midfile=Secuencia MIDI,Secuencia MIDI,C:\WINDOWS\mplayer.exe /mid,picture
SoundRec=Archivo de sonido,Archivo de sonido,C:\WINDOWS\sndrec32.exe,picture
mplayer=Clip multimedia,Clip multimedia,C:\WINDOWS\mplayer.exe,picture
PBrush=Imagen de Paintbrush,Imagen de Paintbrush,C:\Archiv~1\Acceso~1\MSPAINT.EXE,picture
Paint.Picture=Imagen de mapa de bits,Imagen de mapa de bits,C:\Archiv~1\Acceso~1\MSPAINT.EXE,picture
Wordpad.Document.1=Documento de WordPad,Documento de WordPad,C:\Archiv~1\Acceso~1\WORDPAD.EXE,picture
Imaging.Document=Documento de imagen,Documento de imagen,C:\WINDOWS\KodakImg.Exe,picture
WangImage.Document=Documento de imagen,Documento de imagen,C:\WINDOWS\KodakImg.Exe,picture
avifile=Clip de vídeo,Clip de vídeo,C:\WINDOWS\mplayer.exe /avi,picture

[Extensions]

[Devices]
hp deskjet 3320 series=hpz9xd07,USB001

[PrinterPorts]
hp deskjet 3320 series=hpz9xd07,USB001,15,45

[Sounds]
SystemDefault=,

[MCI Extensions.BAK]
aif=MPEGVideo
aifc=MPEGVideo
aiff=MPEGVideo
au=MPEGVideo
m1v=MPEGVideo
m3u=MPEGVideo
midi=MPEGVideo
mov=MPEGVideo
mp2=MPEGVideo
mp3=MPEGVideo
mpa=MPEGVideo
mpe=MPEGVideo
mpeg=MPEGVideo
mpg=MPEGVideo
mpv2=MPEGVideo
qt=MPEGVideo
snd=MPEGVideo
asf=MPEGVideo2
asx=MPEGVideo2
ivf=MPEGVideo2
lsf=MPEGVideo2
lsx=MPEGVideo2
mp2v=MPEGVideo
wax=MPEGVideo2
wvx=MPEGVideo2
wm=MPEGVideo2
wma=MPEGVideo2
wmv=MPEGVideo2



[Mail]
MAPI=1
MAPIX=1

[FontSubstitutes]
Helv=MS Sans Serif
Tms Rmn=MS Serif
Times=Times New Roman
Helvetica=Arial
MS Shell Dlg=MS Sans Serif
MS Shell Dlg 2=MS Sans Serif
Monotype.com=Andale Mono

[Correo]
CMC=1
CMCDLLNAME32=mapi32.dll
CMCDLLNAME=mapi.dll
MAPI=1
MAPIX=1
MAPIXVER=1.0.0.1
OLEMessaging=1
  • 0

#10
insipid
Posted 23 June 2005 - 09:09 PM

insipid

    Visiting Staff

  • Member
  • PipPipPip
  • 313 posts
Looks good :tazz: Please post a new HijackThis log to make sure.
  • 0

#11
_TerNaTiVa_
Posted 24 June 2005 - 03:56 PM

_TerNaTiVa_

    New Member

  • Topic Starter
  • Member
  • Pip
  • 6 posts
Now I really thikn we've made it! :tazz:
Here's the HijackThis log. THAAAAAANKS!!!

Logfile of HijackThis v1.99.1
Scan saved at 06:48:29 p.m., on 24/06/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\ARCHIVOS DE PROGRAMA\ANALOG DEVICES\SOUNDMAX\SMTRAY.EXE
C:\WINDOWS\SYSTEM\VTTIMER.EXE
C:\ARCHIVOS DE PROGRAMA\GRISOFT\AVG FREE\AVGCC.EXE
C:\ARCHIVOS DE PROGRAMA\GRISOFT\AVG FREE\AVGEMC.EXE
C:\ARCHIVOS DE PROGRAMA\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\WINDOWS\SYSTEM\HPZTSB07.EXE
D:\ARCHIVOS DE PROGRAMA\MICROSOFT OFFICE\OFFICE\OSA.EXE
D:\ARCHIVOS DE PROGRAMA\MICROSOFT OFFICE\OFFICE\FINDFAST.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\ARCHIVOS DE PROGRAMA\MOZILLA FIREFOX\FIREFOX.EXE
C:\HIJACKTHIS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - D:\ARCHIVOS DE PROGRAMA\FLASHGET\JCCATCH.DLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\ARCHIVOS DE PROGRAMA\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Archivos de programa\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - D:\ARCHIVOS DE PROGRAMA\FLASHGET\FGIEBAR.DLL
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [smapp] C:\Archivos de programa\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\ARCHIV~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\ARCHIV~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\ARCHIV~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\SYSTEM\hpztsb07.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
O4 - Startup: Inicio de Office.lnk = D:\Archivos de programa\Microsoft Office\Office\OSA.EXE
O4 - Startup: Búsqueda rápida de Microsoft.lnk = D:\Archivos de programa\Microsoft Office\Office\FINDFAST.EXE
O8 - Extra context menu item: Descargar usando FlashGet - D:\ARCHIVOS DE PROGRAMA\FLASHGET\jc_link.htm
O8 - Extra context menu item: Descargar TODO con FlashGet - D:\ARCHIVOS DE PROGRAMA\FLASHGET\jc_all.htm
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - D:\ARCHIVOS DE PROGRAMA\FLASHGET\FLASHGET.EXE
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - D:\ARCHIVOS DE PROGRAMA\FLASHGET\FLASHGET.EXE
O12 - Plugin for .spop: C:\ARCHIV~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...ebscan_ansi.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = web
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 192.168.100.1,200.51.254.251,200.51.254.254
  • 0

#12
insipid
Posted 25 June 2005 - 09:15 AM

insipid

    Visiting Staff

  • Member
  • PipPipPip
  • 313 posts
Have HijackThis fix this entry:

O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = web


and your log is clean :tazz:

To reduce re-infection potential for malware in the future:

Please read Tony Klein's article: So how did I get infected in the first place?.

It is extremely important to keep Windows and Internet Explorer up-to-date. Please go to http://v5.windowsupd...t.aspx?ln=en-us regularly and install ALL critical updates.

It would be a good idea to install a firewall if you don't have one . Here are a few free ones:
Kerio Personal Firewall
Zone Alarm
Sygate Personal Firewall

I strongly recommend installing three free programs: SpywareBlaster, SpywareGuard, and IE/Spyad.

Use AdAware SE and Spybot S&D regularly to scan your system. Links to excellent tutorials on these programs are in my signature below.

Finally, I suggest downloading and trying Mozilla Firefox browser. Firefox is a free fully functional browser. It's much safer than Internet Explorer.
  • 0

#13
insipid
Posted 02 July 2005 - 05:45 PM

insipid

    Visiting Staff

  • Member
  • PipPipPip
  • 313 posts
Glad we could help. :tazz:

As this issue appears resolved, this topic is closed. If you need it reopened, please contact a staff member.
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP