Jonah.
"Downloaded Program Files" are invisible
#1
Posted 22 December 2004 - 03:03 PM
Jonah.
#2
Guest_thatman_*
Posted 27 December 2004 - 12:35 AM
You have a ATPartners.dll, Win32/TrojanDownloader.Rameh.C trojan
Please run a free online virus scan here (tick the "Auto Clean" checkbox):
http://housecall.antivirus.com/
And a free trojan scan here:
http://www.moosoft.com/
Reboot your PC.
If you would please, rescan with HijackThis and post a fresh log in this same topic, and we'll remove what's left.
kc
#3
Posted 30 December 2004 - 10:24 AM
Logfile of HijackThis v1.98.2
Scan saved at 5:06:35 PM, on 12/30/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
D:\PROGRAM FILES\NORTON INTERNET SECURITY\NISSERV.EXE
C:\WINDOWS\EXPLORER.EXE
D:\PROGRAM FILES\NORTON INTERNET SECURITY\NISUM.EXE
D:\PROGRAM FILES\NORTON INTERNET SECURITY\SYMPROXYSVC.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
D:\PROGRAM FILES\LOGITECH\MOUSEWARE\SYSTEM\EM_EXEC.EXE
D:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
D:\PROGRAM FILES\NORTON INTERNET SECURITY\IAMAPP.EXE
D:\PROGRAM FILES\BILLP STUDIOS\WINPATROL\WINPATROL.EXE
D:\THE CLEANER\TCA.EXE
D:\THE CLEANER\TCM.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
D:\DOCUMENTS\DAD\HIJACKTHIS.EXE
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.../7_2/home.html"); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\0rnmrwr9.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://D%3A%5CPROGRAM%20FILES%5CNETSCAPE%5CNETSCAPE%5Csearchplugins%5CSBWeb_01.src"); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\0rnmrwr9.slt\prefs.js)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - D:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [EM_EXEC] D:\PROGRA~1\LOGITECH\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [NAV Agent] D:\PROGRA~1\NORTON~1\NAVAPW32.EXE
O4 - HKLM\..\Run: [iamapp] D:\Program Files\Norton Internet Security\IAMAPP.EXE
O4 - HKLM\..\Run: [WinPatrol] D:\PROGRAM FILES\BILLP STUDIOS\WINPATROL\winpatrol.exe
O4 - HKLM\..\Run: [tcactive] D:\THE CLEANER\tca.exe
O4 - HKLM\..\Run: [tcmonitor] D:\THE CLEANER\tcm.exe
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [nisserv] D:\Program Files\Norton Internet Security\NISSERV.EXE
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.static.topconverting.com
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab28578.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zon...er.cab28578.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zon...wn.cab28578.cab
O16 - DPF: {91F52A42-C10D-49A7-B941-882C657C604F} (Installation Helper Object) - http://kitcentral.wa...ct/instwact.dll
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zon...kr.cab30149.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/z...s/heartbeat.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://netscape.musi...ad/mnviewer.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} (Zylom Games Player) - http://game17.zylom....gamesplayer.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
Cheers,
Jonah.
#4
Posted 30 December 2004 - 01:06 PM
To use: right-click and select: Install (no need to restart)
Note: This will remove all entries in the "Trusted Zone" and "Ranges" also.
Then get the latest version of HijackThis (1.99) and post a new log made with that.
Regards,
Pieter
#5
Posted 30 December 2004 - 06:09 PM
Logfile of HijackThis v1.99.0
Scan saved at 12:57:03 AM, on 12/31/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
D:\PROGRAM FILES\NORTON INTERNET SECURITY\NISSERV.EXE
C:\WINDOWS\EXPLORER.EXE
D:\PROGRAM FILES\NORTON INTERNET SECURITY\NISUM.EXE
D:\PROGRAM FILES\NORTON INTERNET SECURITY\SYMPROXYSVC.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
D:\PROGRAM FILES\LOGITECH\MOUSEWARE\SYSTEM\EM_EXEC.EXE
D:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
D:\PROGRAM FILES\NORTON INTERNET SECURITY\IAMAPP.EXE
D:\PROGRAM FILES\BILLP STUDIOS\WINPATROL\WINPATROL.EXE
D:\THE CLEANER\TCA.EXE
D:\THE CLEANER\TCM.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
D:\DOCUMENTS\DAD\HIJACKTHIS.EXE
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.../7_2/home.html"); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\0rnmrwr9.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://D%3A%5CPROGRAM%20FILES%5CNETSCAPE%5CNETSCAPE%5Csearchplugins%5CSBWeb_01.src"); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\0rnmrwr9.slt\prefs.js)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - D:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [EM_EXEC] D:\PROGRA~1\LOGITECH\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [NAV Agent] D:\PROGRA~1\NORTON~1\NAVAPW32.EXE
O4 - HKLM\..\Run: [iamapp] D:\Program Files\Norton Internet Security\IAMAPP.EXE
O4 - HKLM\..\Run: [WinPatrol] D:\PROGRAM FILES\BILLP STUDIOS\WINPATROL\winpatrol.exe
O4 - HKLM\..\Run: [tcactive] D:\THE CLEANER\tca.exe
O4 - HKLM\..\Run: [tcmonitor] D:\THE CLEANER\tcm.exe
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [nisserv] D:\Program Files\Norton Internet Security\NISSERV.EXE
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab28578.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zon...er.cab28578.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zon...wn.cab28578.cab
O16 - DPF: {91F52A42-C10D-49A7-B941-882C657C604F} (Installation Helper Object) - http://kitcentral.wa...ct/instwact.dll
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zon...kr.cab30149.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/z...s/heartbeat.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://netscape.musi...ad/mnviewer.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} (Zylom Games Player) - http://game17.zylom....gamesplayer.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
Cheers,
Jonah.
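The two logs above are the before/after pair a helper actually compares by eye: the O15 Trusted Zone entries for crazywinnings.com and topconverting.com are gone after Pieter's fix, and the O16 DPF lines (the ActiveX controls living in the Downloaded Program Files folder the thread is about) are unchanged. The script below is an added example, not something posted in the thread or shipped with HijackThis: it parses a HijackThis log into sections, diffs two logs, and flags O15 entries (any site in the Trusted Zone is suspect unless you put it there) and O16 controls from hosts you have not allowlisted. The embedded logs are constructed excerpts modelled on the thread's logs, with the O16 download URLs replaced by placeholder hosts because the originals are truncated on the page.

```python
import re
from collections import defaultdict

# Constructed excerpts modelled on the thread's two logs. GUIDs are the ones
# shown in the thread; the O16 URLs are placeholders, not the real download sites.
LOG_BEFORE = r"""Logfile of HijackThis v1.98.2
Platform: Windows 98 SE (Win9x 4.10.2222A)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\EXPLORER.EXE
D:\DOCUMENTS\DAD\HIJACKTHIS.EXE
O4 - HKLM\..\Run: [WinPatrol] D:\PROGRAM FILES\BILLP STUDIOS\WINPATROL\winpatrol.exe
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.static.topconverting.com
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://example-scanner.test/xscan53.cab
"""

LOG_AFTER = r"""Logfile of HijackThis v1.99.0
Platform: Windows 98 SE (Win9x 4.10.2222A)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
D:\DOCUMENTS\DAD\HIJACKTHIS.EXE
O4 - HKLM\..\Run: [WinPatrol] D:\PROGRAM FILES\BILLP STUDIOS\WINPATROL\winpatrol.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://example-scanner.test/xscan53.cab
"""

ENTRY_RE = re.compile(r"^([NORF]\d+) - ")      # O4, O15, O16, N3, R0 ... section tags
URL_HOST_RE = re.compile(r"https?://([^/\s]+)", re.I)


def parse_hjt(text):
    """Split a HijackThis log into {'processes': [...], 'O4': [...], 'O15': [...], ...}."""
    sections = defaultdict(list)
    in_procs = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.lower().startswith("running processes:"):
            in_procs = True
            continue
        m = ENTRY_RE.match(line)
        if m:
            in_procs = False            # first Oxx/Nx entry ends the process list
            sections[m.group(1)].append(line)
        elif in_procs:
            sections["processes"].append(line)
    return dict(sections)


def diff_logs(before, after):
    """Entries that appeared in or vanished from each section between two parsed logs."""
    added, removed = {}, {}
    for key in set(before) | set(after):
        b, a = set(before.get(key, [])), set(after.get(key, []))
        if a - b:
            added[key] = sorted(a - b)
        if b - a:
            removed[key] = sorted(b - a)
    return {"added": added, "removed": removed}


def flag_entries(parsed, trusted_ok=frozenset(), dpf_hosts_ok=frozenset()):
    """Triage O15 and O16 lines against allowlists the analyst supplies."""
    flags = []
    for line in parsed.get("O15", []):
        zone = line.split(":", 1)[1].strip()          # text after 'Trusted Zone:'
        if zone not in trusted_ok:
            flags.append(("HIGH", line))              # a site granted Trusted Zone rights
    for line in parsed.get("O16", []):
        m = URL_HOST_RE.search(line)
        host = m.group(1).lower() if m else "(no url)"
        if host not in dpf_hosts_ok:
            flags.append(("REVIEW", line))            # ActiveX control from an unvetted host
    return flags


if __name__ == "__main__":
    before, after = parse_hjt(LOG_BEFORE), parse_hjt(LOG_AFTER)
    for sev, line in flag_entries(before, dpf_hosts_ok={"example-scanner.test"}):
        print(f"[{sev}] {line}")
    delta = diff_logs(before, after)
    for key, lines in delta["removed"].items():
        print(f"removed from {key}: {lines}")
    for key, lines in delta["added"].items():
        print(f"added to {key}: {lines}")
```

Anything the diff reports as removed should match what the fix was meant to remove; anything it reports as added (here a new process, DDHELP.EXE, which is DirectX's helper and appears whenever something has used DirectDraw) needs its own explanation before the log is called clean.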
#6
Posted 30 December 2004 - 07:41 PM
How do you prevent spyware from being installed again? We strongly recommend installing SpywareBlaster (it's free for personal use) Click Here.
Download, run, check for updates, download updates, select all, protect against checked. All done. Check for updates every couple of weeks. If you have any errors running the program like a missing file see the link at the bottom of the javacool page.
Prevent the installation of ActiveX-based spyware, adware, browser hijackers, dialers, and other potentially unwanted pests.
Block spyware/tracking cookies in Internet Explorer and Mozilla/Firefox.
Restrict the actions of potentially dangerous sites in Internet Explorer.
Consumes no system resources.
It's also very important to keep your system up to date to avoid unnecessary security risks. Click Here to make sure that you have the latest patches for Windows.
These next two steps are optional, but will provide the greatest protection.
1. Use any browser besides Internet Explorer; almost every exploit is crafted to take advantage of an IE weakness. We usually recommend Firefox.
2. Install Sun's Java. It's much more secure than Microsoft's Java Virtual Machine.
It's okay to delete the Hijack This folder if everything is working okay.
After doing all these, your system will be thoroughly protected from future threats.
#7
Posted 30 December 2004 - 08:26 PM
Jonah.
#8
Posted 30 December 2004 - 10:19 PM
Is that something you created? Are you missing any programs?
Are you making sure that all files are showing? Even those that Microsoft recommends not be available for viewing?
#9
Posted 01 January 2005 - 11:57 PM
Type: ActiveX Cache Folder
Location: C:\Windows
Size: 11.3MB
Contains: 31 Files, 0 Folders
Attributes: "Read Only" is checked. "Hidden" and "Archive" are unchecked. "System" is ghosted.
I've heard of "superhidden" files, but I can't remember where. Could this be something to do with it? At the moment it doesn't seem to be causing a problem, but when I had to delete C:\windows\Downloaded Programs File\ATPartners.inf it disturbed me to find it was invisible. Fortunately when I performed "Find" it listed it and I was able to delete it using the results of "Find".
A new problem I have now is with Firefox which I would love to use. Unfortunately a couple of sites which are visited regularly from this computer need a Java plugin, and invite me nicely to click here and download the plugin. However I have already downloaded it. I'm new to Firefox and don't really know anything about Java anyway. Is there some setting I need to change somewhere? An example of the type of thing that won't load is on the games page of my Internet Provider:
http://web.wanadoo.n...hp-20549-1.html
When I click on any of the games, I sit through half a minute of advertising (this is normal) then instead of the game starting I get this friendly advice to download Java. Any ideas?
Many thanks,
Jonah.
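The property sheet Jonah describes (type "ActiveX Cache Folder", System attribute greyed out) is the visible side of two separate mechanisms, and it helps to check both directly rather than through Explorer. First, the folder carries a desktop.ini whose [.ShellClassInfo] section hands it to a shell extension by CLSID, so Explorer shows that extension's view of installed controls instead of the files on disk, which is why ATPartners.inf did not appear there but Find (a raw directory walk) listed it. Second, individual files can carry the hidden and system attributes together, which Folder Options treats as "protected operating system files" and keeps hidden even after "Show hidden files" is on. The following is an added example, not code from the thread: it reads the CLSID out of a desktop.ini, decodes attribute bits, and walks a folder the way Find does. Python will not run on a Windows 98 machine, so read it as a demonstration of the check; on a current Windows it runs as written, and the attribute bits simply read as zero elsewhere. The sample desktop.ini and its CLSID are constructed placeholders, not the real ActiveX cache extension's GUID.

```python
import configparser
import os
import stat
import tempfile

# Win32 attribute bits; the stat module defines them on every platform.
HIDDEN = stat.FILE_ATTRIBUTE_HIDDEN
SYSTEM = stat.FILE_ATTRIBUTE_SYSTEM
READONLY = stat.FILE_ATTRIBUTE_READONLY


def describe_attributes(attrs):
    """Name the attribute bits Explorer consults when deciding what to display."""
    names = []
    if attrs & READONLY:
        names.append("readonly")
    if attrs & HIDDEN:
        names.append("hidden")
    if attrs & SYSTEM:
        names.append("system")
    # hidden + system is what Folder Options calls a protected operating system
    # file; "Show hidden files" alone does not reveal it.
    if attrs & HIDDEN and attrs & SYSTEM:
        names.append("super-hidden")
    return names


def shell_namespace_clsid(desktop_ini_text):
    """Return the CLSID a desktop.ini delegates the folder view to, or None.

    CLSID, CLSID2 or UICLSID under [.ShellClassInfo] makes Explorer render the
    folder through that shell extension rather than listing the files on disk.
    """
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(desktop_ini_text)
    for section in cp.sections():
        if section.lower() == ".shellclassinfo":
            for key in ("clsid", "clsid2", "uiclsid"):   # keys are lower-cased by configparser
                if cp.has_option(section, key):
                    return cp.get(section, key).strip()
    return None


def audit_folder(folder):
    """Raw directory walk (what Find/dir see) plus any namespace CLSID in desktop.ini."""
    report = {"clsid": None, "entries": []}
    ini = os.path.join(folder, "desktop.ini")
    if os.path.isfile(ini):
        with open(ini, "rb") as fh:
            raw = fh.read()
        # desktop.ini is commonly ANSI or UTF-16 LE with a BOM; handle both.
        text = raw.decode("utf-16") if raw[:2] == b"\xff\xfe" else raw.decode("latin-1")
        report["clsid"] = shell_namespace_clsid(text)
    for entry in sorted(os.scandir(folder), key=lambda e: e.name.lower()):
        st = entry.stat(follow_symlinks=False)
        attrs = getattr(st, "st_file_attributes", 0)    # present on Windows only
        report["entries"].append((entry.name, describe_attributes(attrs)))
    return report


# Constructed stand-in for a Downloaded Program Files folder; placeholder CLSID.
SAMPLE_DESKTOP_INI = "[.ShellClassInfo]\nCLSID={00000000-0000-0000-0000-000000000000}\n"


def demo_in_tempdir():
    """Build a throwaway folder with a desktop.ini and a stray .inf, then audit it."""
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "desktop.ini"), "w") as fh:
            fh.write(SAMPLE_DESKTOP_INI)
        open(os.path.join(d, "ATPartners.inf"), "w").close()
        return audit_folder(d)


if __name__ == "__main__":
    rep = demo_in_tempdir()
    print("namespace CLSID:", rep["clsid"])
    for name, flags in rep["entries"]:
        print(f"  {name:20s} {','.join(flags) or '-'}")
```

Pointing audit_folder at the real Downloaded Program Files directory on a modern Windows box lists every file the shell view hides, with the attribute flags that explain why; compare that list against what Explorer shows before deciding a folder is clean.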
#10
Posted 02 January 2005 - 02:33 AM
#11
Posted 07 January 2005 - 01:47 PM
Probably in this excellent article:
http://sillydog.org/mshidden.html
TerraFaxx