Hijack/ Virus help needed- HijackThis log [RESOLVED]



#1 tlcfromtn (Member, 69 posts)
I have got viruses I can't get rid of and Internet Explorer has been hijacked. When I open IE it goes to balabolka.biz for the homepage instead of Yahoo. When I do the control-alt-delete thing it has popcorn72, Q92194 and MSXMIDI running. I have Windows ME, IE 6 and Netscape 6.2. I tried to follow your steps but some things didn't work. In Ad-Aware, under Cleaning Engine, I couldn't check "During removal, unload Explorer and IE if necessary". CWShredder just kept showing "file appears to be corrupt. Reinstall the file and try again". Spybot S&D would freeze up when I checked for updates. Here is my HijackThis log after doing all that.

Logfile of HijackThis v1.99.1
Scan saved at 8:03:14 AM, on 10/9/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMKEYBD.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\LEXBCES.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\KEYBDMGR.EXE
C:\PROGRAM FILES\NETROPA\ONSCREEN DISPLAY\OSD.EXE
C:\WINDOWS\SYSTEM\LEXPPS.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMUSBKB2.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\HPSYSDRV.EXE
C:\WINDOWS\SYSTEM\POPCORN72.EXE
C:\WINDOWS\WT\WCMDMGR.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\RunDLL.exe
C:\WINDOWS\MSXMIDI.EXE
C:\PROGRAM FILES\WEBROOT\SPY SWEEPER\SPYSWEEPER.EXE
C:\Q92194.EXE
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZONEALARM.EXE
C:\PROGRAM FILES\NAVISCOPE\NAVISCOPE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\NETSCAPE\NETSCAPE 6\NETSCP6.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\HJT.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://balabolka.biz/start.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://balabolka.biz/start.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://balabolka.biz/start.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://balabolka.biz/start.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://balabolka.biz/start.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://balabolka.biz/start.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://balabolka.biz/start.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://balabolka.biz/start.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://balabolka.biz/start.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:81
N1 - Netscape 4: user_pref("browser.startup.homepage", "http://www.peoplestel.net"); (C:\PROGRAM FILES\NETSCAPE\Users\Default\prefs.js)
N2 - Netscape 6: user_pref("browser.startup.homepage", "http://mail.yahoo.com/"); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\9nxn93v1.slt\prefs.js)
N2 - Netscape 6: user_pref("browser.search.defaultengine", "engine://C%3A%5CPROGRAM%20FILES%5CNETSCAPE%5CNETSCAPE%206%5Csearchplugins%5CSBWeb_02.src"); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\9nxn93v1.slt\prefs.js)
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_5_7_0.DLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_5_7_0.DLL
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [RegSvr32] C:\WINDOWS\SYSTEM\msmsgs.exe
O4 - HKLM\..\Run: [wcmdmgr] C:\WINDOWS\wt\wcmdmgrl.exe -launch
O4 - HKLM\..\Run: [ControlPanel] C:\WINDOWS\SYSTEM\popcorn72.exe rundll.dll,LoadMouseProfile
O4 - HKLM\..\Run: [SearchAssistant] c:\Q92194.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [Keyboard Manager] c:\Program Files\Netropa\One-touch Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [mgavrtclexe] C:\WINDOWS\MCBin\AV\Rt\mgavrte.exe
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - HKCU\..\Run: [Mozilla Quick Launch] C:\PROGRAM FILES\NETSCAPE\NETSCAPE 6\NETSCP6.EXE -turbo
O4 - HKCU\..\Run: [Autoupdate Service] C:\WINDOWS\msxmidi.exe
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SPYSWEEPER.EXE" /0
O4 - HKCU\..\RunServices: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - HKCU\..\RunServices: [Mozilla Quick Launch] C:\PROGRAM FILES\NETSCAPE\NETSCAPE 6\NETSCP6.EXE -turbo
O4 - HKCU\..\RunServices: [Autoupdate Service] C:\WINDOWS\msxmidi.exe
O4 - HKCU\..\RunServices: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SPYSWEEPER.EXE" /0
O4 - Startup: naviscope.lnk = C:\Program Files\Naviscope\naviscope.exe
O4 - Global Startup: ZoneAlarm.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\COMPANION\MODULES\MESSMOD2\V4\YHEXBMES.DLL
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\COMPANION\MODULES\MESSMOD2\V4\YHEXBMES.DLL
O14 - IERESET.INF: START_PAGE_URL=http://hp.my.yahoo.com
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.c...nst_current.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {A7EA8AD2-287F-11D3-B120-006008C39542} (CBSTIEPrint Class) - http://offers.e-cent...bin/actxcab.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcaf...592/mcfscan.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 85.255.113.140,85.255.112.26


#2 greyknight17 (Malware Expert, Visiting Consultant, 16,560 posts)
Welcome to GTG.

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order in which they are listed below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should 'not' have any open browsers when you are following the procedures below.

Go to My Computer->Tools (or View)->Folder Options->View tab:
* Under the Hidden files and folders heading, select Show hidden files and folders (it's Show all files for Windows 98).
* Uncheck the Hide protected operating system files (recommended) option.
* Click Yes to confirm and then click OK.

For the options that you checked/enabled earlier, you may uncheck them after your log is clean. If we ask you to fix a program that you use or want to keep, please post back saying that (we don't know every program that exists, so we may tell you to delete a program that we think is bad but that you want to keep).

Restart your computer and boot into Safe Mode by hitting the F8 key repeatedly until a menu shows up (and choose Safe Mode from the list). In some systems, this may be the F5 key, so try that if F8 doesn't work. Make sure to close any open browsers. Uninstall the following via the Add/Remove Panel (Start->(Settings)->Control Panel->Add/Remove Programs) if they exist:

WildTangent - This is an online gaming package that is installed by a number of third-party applications and even OEMs, ISPs and AIM. The games aspect of this is really rather cool. Being installed without your asking for it isn't cool at all. They collect information about you and your usage. We recommend uninstalling it.

Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any):

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://balabolka.biz/start.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://balabolka.biz/start.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://balabolka.biz/start.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://balabolka.biz/start.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://balabolka.biz/start.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://balabolka.biz/start.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://balabolka.biz/start.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://balabolka.biz/start.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://balabolka.biz/start.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com
N2 - Netscape 6: user_pref("browser.search.defaultengine", "engine://C%3A%5CPROGRAM%20FILES%5CNETSCAPE%5CNETSCAPE%206%5Csearchplugins%5CSBWeb_02.src"); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\9nxn93v1.slt\prefs.js)
O4 - HKLM\..\Run: [RegSvr32] C:\WINDOWS\SYSTEM\msmsgs.exe
O4 - HKLM\..\Run: [wcmdmgr] C:\WINDOWS\wt\wcmdmgrl.exe -launch
O4 - HKLM\..\Run: [ControlPanel] C:\WINDOWS\SYSTEM\popcorn72.exe rundll.dll,LoadMouseProfile
O4 - HKLM\..\Run: [SearchAssistant] c:\Q92194.exe
O4 - HKCU\..\Run: [Autoupdate Service] C:\WINDOWS\msxmidi.exe
O4 - HKCU\..\RunServices: [Autoupdate Service] C:\WINDOWS\msxmidi.exe
O16 - DPF: {A7EA8AD2-287F-11D3-B120-006008C39542} (CBSTIEPrint Class) - http://offers.e-cent...bin/actxcab.cab

Do you recognize the IP addresses below? If not, fix this line in HijackThis also:

O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 85.255.113.140,85.255.112.26


Delete the following files/folders (delete the whole folder if no filename is specified) from the directories shown (if no directory is shown, just do a search for them), if they exist:

C:\WINDOWS\SYSTEM\msmsgs.exe
C:\WINDOWS\wt\
C:\WINDOWS\SYSTEM\popcorn72.exe
c:\Q92194.exe
C:\WINDOWS\msxmidi.exe


Restart and run BOTH these scans:

Run an online virus scan at TrendMicro http://uk.trendmicro...call_launch.php. Just follow the instructions on the site to run the free online scan. If any viruses/trojans are detected, try to delete or clean them in that site. If any are not cleanable, copy and paste the infected files here. You may also use Panda ActiveScan at http://www.pandasoft...ucts/activescan. Post the log from the Panda scan here.

Restart and run a new HijackThis scan. Save the log file and post it here along with the Panda log.
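What the volunteer does by eye in the reply above, written out as a script. This is an added example for this page, not HijackThis code and not anything posted in the thread. It reads the R0/R1, N1/N2, O4 and O17 lines of a HijackThis 1.99.1 log and sorts them into fix / review / ok with the same tests greyknight17 applies: a start or search page off the owner's own sites, an autostart launched from the drive root, a Windows binary name (msmsgs.exe) living outside its real directory, rundll-style "x.dll,Entry" arguments handed to something that is not rundll32, and O17 resolvers that are not the ISP's. EXPECTED_DOMAINS, ISP_NAMESERVERS (RFC 5737 placeholder addresses), KNOWN_GOOD and IMPERSONATED are assumptions standing in for what the owner or a reviewer already knows; the sample lines are copied from the first log in the thread.

```python
"""Triage of a HijackThis 1.99.1 log the way the volunteer above does it by eye.
Added example for this page: not HijackThis code and nothing posted in the thread.
SAMPLE_LOG is copied from the first log above; EXPECTED_DOMAINS, ISP_NAMESERVERS,
KNOWN_GOOD and IMPERSONATED are assumptions standing in for what the owner knows."""
import re
from urllib.parse import urlparse

EXPECTED_DOMAINS = {"yahoo.com", "peoplestel.net"}  # owner's intended home/search sites
ISP_NAMESERVERS = {"192.0.2.1", "192.0.2.2"}        # RFC 5737 placeholders for the ISP's
KNOWN_GOOD = {  # autostart binaries a reviewer has already vetted on this machine
    "scanregw.exe", "systray.exe", "rundll32.exe", "rundll.exe", "hpsysdrv.exe", "wkfud.exe",
    "statemgr.exe", "mmkeybd.exe", "vsmon.exe", "mstask.exe", "ssdpsrv.exe", "mgavrte.exe",
    "stimon.exe", "netscp6.exe", "spysweeper.exe", "naviscope.exe", "zonealarm.exe",
}
IMPERSONATED = {"msmsgs.exe": r"c:\program files\messenger"}  # where the real one lives

ENTRY = re.compile(r"^(?P<kind>[A-Z]\d+) - (?P<body>.*)$")
O4_REG = re.compile(r"^.*?: \[[^\]]*\] (?P<cmd>.*)$")            # HKLM\..\Run: [name] cmd
O4_LNK = re.compile(r"^(?:Global )?Startup: \S+ = (?P<cmd>.*)$")   # Startup: x.lnk = cmd
CMD = re.compile(r'^(?P<exe>"[^"]+"|.*?\.exe|\S+)(?P<args>.*)$', re.I)
PREF = re.compile(r'user_pref\("[^"]+", "(?P<value>[^"]*)"\)')
DLL_ARG = re.compile(r"\b\w+\.dll,\w+", re.I)                     # "x.dll,Entry" argument


def registered_domain(url):
    labels = [l for l in (urlparse(url).hostname or "").lower().split(".") if l]
    return ".".join(labels[-2:])


def check_url(value):
    """Start/search pages and Netscape prefs: anything off the owner's sites is a hijack."""
    if value.lower().startswith("http"):
        dom = registered_domain(value)
        return ("ok", "expected site") if dom in EXPECTED_DOMAINS else ("fix", "points at " + dom)
    return "review", "non-http value " + value


def check_autostart(cmd):
    """O4 entries: allowlist first, then the three indicators present in this log."""
    m = CMD.match(cmd.strip())
    if not m:
        return "review", "empty command"
    exe, args = m.group("exe").strip('"').lower(), m.group("args")
    parent, _, base = exe.rpartition("\\")
    if "." not in base:
        base += ".exe"                                   # bare "RunDLL" -> rundll.exe
    if base in KNOWN_GOOD:
        return "ok", "vetted binary"
    if re.fullmatch(r"[a-z]:", parent):
        return "fix", "autostart from drive root"        # c:\Q92194.exe
    if base in IMPERSONATED and parent != IMPERSONATED[base]:
        return "fix", base + " outside " + IMPERSONATED[base]   # SYSTEM\msmsgs.exe
    if DLL_ARG.search(args) and base not in ("rundll32.exe", "rundll.exe"):
        return "fix", "rundll-style args passed to " + base     # popcorn72.exe rundll.dll,...
    return "review", "unvetted autostart " + base


def triage(log_text):
    """Return (verdict, reason, line) for every R, N, O4 and O17 entry in the log."""
    out = []
    for line in log_text.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue
        kind, body = m.group("kind"), m.group("body")
        if kind in ("R0", "R1"):
            key, _, value = body.partition(" = ")
            v = ("review", "proxy " + value) if key.endswith("ProxyServer") else check_url(value)
        elif kind in ("N1", "N2"):
            p = PREF.search(body)
            v = check_url(p.group("value")) if p else ("review", "unparsed pref")
        elif kind == "O4":
            r = O4_REG.match(body) or O4_LNK.match(body)
            v = check_autostart(r.group("cmd")) if r else ("review", "unparsed O4")
        elif kind == "O17":   # resolvers that are not the ISP's redirect every lookup
            rogue = [s for s in body.partition(" = ")[2].split(",") if s.strip() not in ISP_NAMESERVERS]
            v = ("fix", "resolvers replaced: " + ",".join(rogue)) if rogue else ("ok", "ISP resolvers")
        else:
            continue
        out.append((v[0], v[1], line.strip()))
    return out


def lines_to_fix(log_text):
    """The lines to tick in HijackThis before pressing 'Fix checked'."""
    return [line for verdict, _, line in triage(log_text) if verdict == "fix"]


SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://balabolka.biz/start.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:81
N2 - Netscape 6: user_pref("browser.search.defaultengine", "engine://C%3A%5CPROGRAM%20FILES%5CNETSCAPE%5CNETSCAPE%206%5Csearchplugins%5CSBWeb_02.src"); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\9nxn93v1.slt\prefs.js)
O4 - HKLM\..\Run: [RegSvr32] C:\WINDOWS\SYSTEM\msmsgs.exe
O4 - HKLM\..\Run: [wcmdmgr] C:\WINDOWS\wt\wcmdmgrl.exe -launch
O4 - HKLM\..\Run: [ControlPanel] C:\WINDOWS\SYSTEM\popcorn72.exe rundll.dll,LoadMouseProfile
O4 - HKLM\..\Run: [SearchAssistant] c:\Q92194.exe
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SPYSWEEPER.EXE" /0
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 85.255.113.140,85.255.112.26
"""

if __name__ == "__main__":
    for verdict, reason, line in triage(SAMPLE_LOG):
        print("%-6s %-40s %s" % (verdict, reason, line))
```

The O17 line is the one entry here that matters beyond the browser: a changed NameServer sends every lookup the machine makes through someone else's resolvers, so it deserves a check whatever the IE settings look like, and 85.255.112.0/20 is among the ranges the DNSChanger Working Group later published as rogue resolvers. The loopback proxy on port 81 is consistent with Naviscope, which is running in the same log, which is why the script only flags it for review, as the volunteer left it alone. Entries such as msxmidi.exe, the WildTangent launcher and the Netscape engine:// search plugin land in review rather than fix: without a strong indicator the script has nothing better than the allowlist, which is exactly why the thread works from a vetted list rather than from rules.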

#3 tlcfromtn (Topic Starter, Member, 69 posts)
Trendmicro log-

Detected File Associated Virus Name Action Taken
C:\_RESTORE\TEMP\A0822277.CPY TROJ_FLUX.E Undeletable
C:\_RESTORE\TEMP\A0822280.CPY TROJ_STARTPAG.MY Undeletable
C:\_RESTORE\TEMP\A0843967.CPY TROJ_FLUX.E Undeletable
C:\_RESTORE\TEMP\A0859129.CPY TROJ_FLUX.E Undeletable
C:\_RESTORE\TEMP\A0885131.CPY TROJ_FLUX.E Undeletable
C:\_RESTORE\TEMP\A0885133.CPY TROJ_STARTPAG.MY Undeletable
C:\_RESTORE\TEMP\A0903128.CPY TROJ_FLUX.E Undeletable
C:\_RESTORE\TEMP\A0936996.CPY TROJ_FLUX.E Undeletable
C:\_RESTORE\TEMP\A0953993.CPY TROJ_FLUX.E Undeletable
C:\_RESTORE\TEMP\A0953996.CPY TROJ_STARTPAG.MY Undeletable
C:\_RESTORE\TEMP\A0986992.CPY TROJ_FLUX.E Undeletable
C:\_RESTORE\TEMP\A1013994.CPY TROJ_FLUX.E Undeletable
C:\_RESTORE\TEMP\A1014993.CPY TROJ_FLUX.E Undeletable
C:\_RESTORE\TEMP\A1014996.CPY TROJ_STARTPAG.MY Undeletable
C:\_RESTORE\TEMP\A1043449.CPY WORM_BUCHON.GEN Undeletable
C:\_RESTORE\TEMP\A1043451.CPY TROJ_STARTPAG.MY Undeletable
C:\_RESTORE\TEMP\A1043455.CPY TROJ_FLUX.E Undeletable
C:\_RESTORE\TEMP\A0697534.CPY TROJ_FLUX.E Undeletable
C:\_RESTORE\TEMP\A1045455.CPY TROJ_FLUX.E Undeletable
C:\_RESTORE\ARCHIVE\FS5902.CAB
- A0430201.CPY TROJ_FLUX.E Undeletable
- A0430200.CPY TROJ_STARTPAG.MY Undeletable
C:\_RESTORE\ARCHIVE\FS5900.CAB
- A0426110.CPY TROJ_FLUX.E Undeletable
C:\_RESTORE\ARCHIVE\FS5901.CAB
- A0426199.CPY TROJ_FLUX.E Undeletable
C:\_RESTORE\ARCHIVE\FS5912.CAB
- A0571311.CPY TROJ_FLUX.E Undeletable
C:\_RESTORE\ARCHIVE\FS5904.CAB
- A0466204.CPY TROJ_FLUX.E Undeletable
C:\_RESTORE\ARCHIVE\FS5899.CAB
- A0422612.CPY TROJ_SMALL.ASX Undeletable
- A0422619.CPY TROJ_FLUX.E Undeletable
C:\_RESTORE\ARCHIVE\FS5905.CAB
- A0473200.CPY TROJ_FLUX.E Undeletable
C:\_RESTORE\ARCHIVE\FS5906.CAB
- A0474689.CPY TROJ_FLUX.E Undeletable
- A0474695.CPY TROJ_STARTPAG.MY Undeletable
C:\_RESTORE\ARCHIVE\FS5907.CAB
- A0506689.CPY TROJ_FLUX.E Undeletable
C:\_RESTORE\ARCHIVE\FS5908.CAB
- A0529529.CPY TROJ_FLUX.E Undeletable
C:\_RESTORE\ARCHIVE\FS5909.CAB
- A0559969.CPY TROJ_FLUX.E Undeletable
- A0559971.CPY TROJ_STARTPAG.MY Undeletable
C:\_RESTORE\ARCHIVE\FS5913.CAB
- A0573312.CPY TROJ_FLUX.E Undeletable
C:\_RESTORE\ARCHIVE\FS5917.CAB
- A0576312.CPY TROJ_FLUX.E Undeletable
- A0576314.CPY TROJ_STARTPAG.MY Undeletable
C:\_RESTORE\ARCHIVE\FS5918.CAB
- A0609981.CPY TROJ_FLUX.E Undeletable
C:\_RESTORE\ARCHIVE\FS5919.CAB
- A0644979.CPY TROJ_FLUX.E Undeletable
C:\_RESTORE\ARCHIVE\FS5920.CAB
- A0664980.CPY TROJ_FLUX.E Undeletable
- A0664982.CPY TROJ_STARTPAG.MY Undeletable
C:\_RESTORE\ARCHIVE\FS5922.CAB
- A0732535.CPY TROJ_FLUX.E Undeletable
C:\_RESTORE\ARCHIVE\FS5923.CAB
- A0747078.CPY TROJ_FLUX.E Undeletable
- A0747080.CPY TROJ_STARTPAG.MY Undeletable
C:\_RESTORE\ARCHIVE\FS5924.CAB
- A0782848.CPY TROJ_FLUX.E Undeletable
C:\_RESTORE\ARCHIVE\FS5925.CAB
- A0790277.CPY TROJ_FLUX.E Undeletable

Edited by tlcfromtn, 09 October 2005 - 07:32 PM.


#4 tlcfromtn (Topic Starter, Member, 69 posts)
Panda Activescan log-

Incident Status Location

Adware:adware/wildtangent No disinfected C:\WINDOWS\wt
Adware:adware/startpage.go No disinfected Windows Registry
Adware:Adware/Comet No disinfected C:\WINDOWS\TEMP\unpack\inst43.exe
Possible Virus. No disinfected C:\WINDOWS\Downloaded Program Files\gdnUS1392.exe
Possible Virus. No disinfected C:\WINDOWS\SYSTEM\dgprpsetup.exe
Dialer:Dialer.BEW No disinfected C:\WINDOWS\Temporary Internet Files\Content.IE5\IGDUVXE6\connect[1].htm
Possible Virus. No disinfected C:\WINDOWS\Temporary Internet Files\Content.IE5\85INGPQR\gdnUS1392[1].exe
Dialer:Dialer.BEW No disinfected C:\WINDOWS\Temporary Internet Files\Content.IE5\I9UPGH61\m7[1].htm
Hacktool:HackTool/ProcLog.A No disinfected C:\HP\bin\ProcessLogger.exe
Dialer:Dialer.Gen No disinfected C:\_RESTORE\TEMP\A0083868.CPY
Dialer:Dialer.Gen No disinfected C:\_RESTORE\TEMP\A0083871.CPY
Possible Virus. No disinfected C:\_RESTORE\TEMP\A0822278.CPY
Adware:Adware/MegaSearchEngine No disinfected C:\_RESTORE\TEMP\A0822280.CPY
Possible Virus. No disinfected C:\_RESTORE\TEMP\A0843966.CPY
Possible Virus. No disinfected C:\_RESTORE\TEMP\A0859128.CPY
Possible Virus. No disinfected C:\_RESTORE\TEMP\A0885127.CPY
Adware:Adware/MegaSearchEngine No disinfected C:\_RESTORE\TEMP\A0885133.CPY
Possible Virus. No disinfected C:\_RESTORE\TEMP\A0903129.CPY
Possible Virus. No disinfected C:\_RESTORE\TEMP\A0936994.CPY
Adware:Adware/MegaSearchEngine No disinfected C:\_RESTORE\TEMP\A0953996.CPY
Possible Virus. No disinfected C:\_RESTORE\TEMP\A0953997.CPY
Possible Virus. No disinfected C:\_RESTORE\TEMP\A0986994.CPY
Possible Virus. No disinfected C:\_RESTORE\TEMP\A1013995.CPY
Possible Virus. No disinfected C:\_RESTORE\TEMP\A1014994.CPY
Adware:Adware/MegaSearchEngine No disinfected C:\_RESTORE\TEMP\A1014996.CPY
Adware:Adware/SBSoft No disinfected C:\_RESTORE\TEMP\A1019698.CPY
Adware:Adware/MegaSearchEngine No disinfected C:\_RESTORE\TEMP\A1043449.CPY
Possible Virus. No disinfected C:\_RESTORE\TEMP\A1043450.CPY
Adware:Adware/MegaSearchEngine No disinfected C:\_RESTORE\TEMP\A1043451.CPY
Possible Virus. No disinfected C:\_RESTORE\TEMP\A1043456.CPY
Possible Virus. No disinfected C:\_RESTORE\TEMP\A0697541.CPY
Possible Virus. No disinfected C:\_RESTORE\TEMP\A1045454.CPY
Possible Virus. No disinfected C:\_RESTORE\ARCHIVE\FS5902.CAB[A0430198.CPY]
Adware:Adware/MegaSearchEngine No disinfected C:\_RESTORE\ARCHIVE\FS5902.CAB[A0430200.CPY]
Possible Virus. No disinfected C:\_RESTORE\ARCHIVE\FS5900.CAB[A0426108.CPY]
Possible Virus. No disinfected C:\_RESTORE\ARCHIVE\FS5901.CAB[A0426200.CPY]
Possible Virus. No disinfected C:\_RESTORE\ARCHIVE\FS5912.CAB[A0571313.CPY]
Possible Virus. No disinfected C:\_RESTORE\ARCHIVE\FS5904.CAB[A0466201.CPY]
Possible Virus. No disinfected C:\_RESTORE\ARCHIVE\FS5899.CAB[A0422612.CPY]
Possible Virus. No disinfected C:\_RESTORE\ARCHIVE\FS5899.CAB[A0422616.CPY]
Possible Virus. No disinfected C:\_RESTORE\ARCHIVE\FS5905.CAB[A0473201.CPY]
Possible Virus. No disinfected C:\_RESTORE\ARCHIVE\FS5906.CAB[A0474693.CPY]
Adware:Adware/MegaSearchEngine No disinfected C:\_RESTORE\ARCHIVE\FS5906.CAB[A0474695.CPY]
Possible Virus. No disinfected C:\_RESTORE\ARCHIVE\FS5907.CAB[A0506688.CPY]
Possible Virus. No disinfected C:\_RESTORE\ARCHIVE\FS5908.CAB[A0529530.CPY]
Possible Virus. No disinfected C:\_RESTORE\ARCHIVE\FS5909.CAB[A0559968.CPY]
Adware:Adware/MegaSearchEngine No disinfected C:\_RESTORE\ARCHIVE\FS5909.CAB[A0559971.CPY]
Possible Virus. No disinfected C:\_RESTORE\ARCHIVE\FS5913.CAB[A0573314.CPY]
Possible Virus. No disinfected C:\_RESTORE\ARCHIVE\FS5917.CAB[A0576311.CPY]
Adware:Adware/MegaSearchEngine No disinfected C:\_RESTORE\ARCHIVE\FS5917.CAB[A0576314.CPY]
Possible Virus. No disinfected C:\_RESTORE\ARCHIVE\FS5918.CAB[A0609983.CPY]
Possible Virus. No disinfected C:\_RESTORE\ARCHIVE\FS5919.CAB[A0644981.CPY]
Possible Virus. No disinfected C:\_RESTORE\ARCHIVE\FS5920.CAB[A0664979.CPY]
Adware:Adware/MegaSearchEngine No disinfected C:\_RESTORE\ARCHIVE\FS5920.CAB[A0664982.CPY]
Possible Virus. No disinfected C:\_RESTORE\ARCHIVE\FS5922.CAB[A0732534.CPY]
Adware:Adware/MegaSearchEngine No disinfected C:\_RESTORE\ARCHIVE\FS5923.CAB[A0747080.CPY]
Possible Virus. No disinfected C:\_RESTORE\ARCHIVE\FS5923.CAB[A0747084.CPY]
Possible Virus. No disinfected C:\_RESTORE\ARCHIVE\FS5924.CAB[A0782845.CPY]
Possible Virus. No disinfected C:\_RESTORE\ARCHIVE\FS5925.CAB[A0790280.CPY]

#5 tlcfromtn (Topic Starter, Member, 69 posts)
Logfile of HijackThis v1.99.1
Scan saved at 8:21:33 PM, on 10/9/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMKEYBD.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\KEYBDMGR.EXE
C:\PROGRAM FILES\NETROPA\ONSCREEN DISPLAY\OSD.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMUSBKB2.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\HPSYSDRV.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\RunDLL.exe
C:\PROGRAM FILES\NETSCAPE\NETSCAPE 6\NETSCP6.EXE
C:\PROGRAM FILES\WEBROOT\SPY SWEEPER\SPYSWEEPER.EXE
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZONEALARM.EXE
C:\PROGRAM FILES\NAVISCOPE\NAVISCOPE.EXE
C:\MY DOCUMENTS\HJT.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:81
N1 - Netscape 4: user_pref("browser.startup.homepage", "http://www.peoplestel.net"); (C:\PROGRAM FILES\NETSCAPE\Users\Default\prefs.js)
N2 - Netscape 6: user_pref("browser.startup.homepage", "http://mail.yahoo.com/"); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\9nxn93v1.slt\prefs.js)
N2 - Netscape 6: user_pref("browser.search.defaultengine", "http://www.google.com/"); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\9nxn93v1.slt\prefs.js)
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_5_7_0.DLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_5_7_0.DLL
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [ControlPanel] C:\WINDOWS\SYSTEM\popcorn72.exe rundll.dll,LoadMouseProfile
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [Keyboard Manager] c:\Program Files\Netropa\One-touch Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [mgavrtclexe] C:\WINDOWS\MCBin\AV\Rt\mgavrte.exe
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - HKCU\..\Run: [Mozilla Quick Launch] C:\PROGRAM FILES\NETSCAPE\NETSCAPE 6\NETSCP6.EXE -turbo
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SPYSWEEPER.EXE" /0
O4 - HKCU\..\RunServices: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - HKCU\..\RunServices: [Mozilla Quick Launch] C:\PROGRAM FILES\NETSCAPE\NETSCAPE 6\NETSCP6.EXE -turbo
O4 - HKCU\..\RunServices: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SPYSWEEPER.EXE" /0
O4 - Startup: naviscope.lnk = C:\Program Files\Naviscope\naviscope.exe
O4 - Global Startup: ZoneAlarm.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\COMPANION\MODULES\MESSMOD2\V4\YHEXBMES.DLL
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\COMPANION\MODULES\MESSMOD2\V4\YHEXBMES.DLL
O14 - IERESET.INF: START_PAGE_URL=http://hp.my.yahoo.com
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.c...nst_current.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcaf...592/mcfscan.cab


I didn't delete WildTangent just yet. My grandson likes to play Pinball so I will have to think about it. I didn't know if you wanted all the logs in one post or separate. Sorry if I did it wrong. Thanks for your help!

#6 greyknight17 (Malware Expert, Visiting Consultant, 16,560 posts)
No problem if you want to keep WildTangent.

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order in which they are listed below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should 'not' have any open browsers when you are following the procedures below.

Go to Start->Settings->Control Panel and double click on the System icon. On the Performance tab click File System. Click the Troubleshooting tab, and then check 'Disable System Restore'. Click OK. Click Yes when you are prompted to restart Windows. Go back and enable System Restore now.

Check and fix this in HijackThis:

O4 - HKLM\..\Run: [ControlPanel] C:\WINDOWS\SYSTEM\popcorn72.exe rundll.dll,LoadMouseProfile

Download CleanUp! http://cleanup.stevengould.org/ (Alternate link if the main link doesn't work - http://www.greyknigh...spy/CleanUp.exe ) and install it. CleanUp! deletes EVERYTHING out of your temp/temporary folders, it does not make backups. If you have any documents or programs that are saved in any Temporary Folders, please make a backup of these before running CleanUp!. Run CleanUp! and click on the Options button. Uncheck 'Scan local drives for temporary files'. Also uncheck those two Newsgroup entries if you don't want to delete them. Click OK and then click on the CleanUp! button. Let it run. After it's done, choose Yes to log off.

Download KillBox http://www.greyknigh...spy/KillBox.exe. Run KillBox and check the box that says 'End Explorer Shell While Killing File'. Next click on 'Delete on Reboot'. Copy the below files and go back to KillBox. Go to File->Paste from Clipboard and then hit the button with a red circle and white X. Confirm to delete and when asked if you want to reboot, say Yes:

C:\WINDOWS\SYSTEM\popcorn72.exe
C:\WINDOWS\wt
C:\WINDOWS\TEMP\unpack\inst43.exe
C:\WINDOWS\Downloaded Program Files\gdnUS1392.exe
C:\WINDOWS\SYSTEM\dgprpsetup.exe
C:\WINDOWS\Temporary Internet Files\Content.IE5\IGDUVXE6\connect[1].htm
C:\WINDOWS\Temporary Internet Files\Content.IE5\85INGPQR\gdnUS1392[1].exe
C:\WINDOWS\Temporary Internet Files\Content.IE5\I9UPGH61\m7[1].htm


If you get a PendingOperations message, just close it and restart your computer manually.

Restart and run another Panda scan. Post that log here along with a new HijackThis log.
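The sorting behind the reply above, where the volunteer turns the Panda report into a KillBox list and sends everything under C:\_RESTORE to the System Restore off/on toggle instead. This is an added example for this page, not Panda's or the forum's code. On Windows ME a scanner cannot delete inside the restore store, which is why every C:\_RESTORE hit in both reports comes back "Undeletable" or "No disinfected"; purging the restore points is the only way to clear them. The script also copes with the glued "MegaSearchEngineNo disinfected" rows the pasted report contains. SAMPLE_REPORT is copied from post #4; OEM_TOOLS (the HP ProcessLogger that the scanner calls a hacktool and that the volunteer left alone) is an assumption.

```python
"""Sort a Panda ActiveScan report the way the reply above does: hits inside the
System Restore store (the _RESTORE folder), which no scanner can delete and which
the System Restore off/on toggle purges; the registry hit; OEM tools the scanner
flags heuristically; and live files for the KillBox list. Added example for this
page, not Panda's or the forum's code. SAMPLE_REPORT is copied from post #4;
OEM_TOOLS is an assumption."""
import re

# In the pasted report the status is sometimes glued to the incident name
# ("...MegaSearchEngineNo disinfected"), so no whitespace is required before it.
ROW = re.compile(r"^(?P<incident>.+?)\s*(?P<status>No disinfected|Disinfected)\s+(?P<location>.+)$")
RESTORE_STORE = re.compile(r"^[a-z]:\\_restore\\", re.I)      # C:\_RESTORE\TEMP, \ARCHIVE\*.CAB[...]
OEM_TOOLS = {r"c:\hp\bin\processlogger.exe"}                 # assumption: shipped by HP, keep


def classify(report):
    """Map every parsed row to one of restore_point / registry / review / delete."""
    buckets = {"restore_point": [], "registry": [], "review": [], "delete": []}
    for line in report.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue                                  # header, blank or unparsable line
        incident, location = m.group("incident").strip(), m.group("location").strip()
        if location.lower() == "windows registry":
            key = "registry"                          # fixed through HijackThis, not a file
        elif RESTORE_STORE.match(location):
            key = "restore_point"                     # purged by toggling System Restore
        elif location.lower() in OEM_TOOLS or incident.lower().startswith("hacktool"):
            key = "review"                            # heuristic hit on a legitimate tool
        else:
            key = "delete"
        buckets[key].append((incident, location))
    return buckets


def killbox_list(report):
    """Paths to paste into KillBox: the delete bucket, deduplicated, in report order."""
    seen, paths = set(), []
    for _, location in classify(report)["delete"]:
        if location.lower() not in seen:
            seen.add(location.lower())
            paths.append(location)
    return paths


def restore_point_incidents(report):
    """Distinct detections trapped in restore points; they go away with the toggle."""
    return sorted({incident for incident, _ in classify(report)["restore_point"]})


SAMPLE_REPORT = r"""Incident Status Location

Adware:adware/wildtangent No disinfected C:\WINDOWS\wt
Adware:adware/startpage.go No disinfected Windows Registry
Adware:Adware/Comet No disinfected C:\WINDOWS\TEMP\unpack\inst43.exe
Possible Virus. No disinfected C:\WINDOWS\Downloaded Program Files\gdnUS1392.exe
Dialer:Dialer.BEW No disinfected C:\WINDOWS\Temporary Internet Files\Content.IE5\IGDUVXE6\connect[1].htm
Hacktool:HackTool/ProcLog.A No disinfected C:\HP\bin\ProcessLogger.exe
Dialer:Dialer.Gen No disinfected C:\_RESTORE\TEMP\A0083868.CPY
Adware:Adware/MegaSearchEngineNo disinfected C:\_RESTORE\TEMP\A0822280.CPY
Possible Virus. No disinfected C:\_RESTORE\ARCHIVE\FS5902.CAB[A0430198.CPY]
Adware:Adware/MegaSearchEngineNo disinfected C:\_RESTORE\ARCHIVE\FS5902.CAB[A0430200.CPY]
"""

if __name__ == "__main__":
    b = classify(SAMPLE_REPORT)
    print("KillBox:", *killbox_list(SAMPLE_REPORT), sep="\n  ")
    print("in restore points:", len(b["restore_point"]), restore_point_incidents(SAMPLE_REPORT))
    print("review:", b["review"])
```

Run against the full post #4 report, the delete bucket comes out as the seven Panda paths in the KillBox list in the reply (popcorn72.exe on that list comes from the HijackThis log, not from Panda), with C:\HP\bin\ProcessLogger.exe and the registry hit set aside. Note that the C:\WINDOWS\wt folder lands in delete because the scanner reported it, even though the poster had decided to keep WildTangent; the bucket is a starting list for a human, not an instruction to a tool.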

#7 tlcfromtn (Topic Starter, Member, 69 posts)
Incident Status Location

Adware:adware/securityerror No disinfected C:\WINDOWS\SYSTEM\mscornet.exe
Adware:adware/dloader No disinfected C:\WINDOWS\SYSTEM\msblank.html
Adware:adware/sbsoft No disinfected C:\WINDOWS\rdt.ini
Adware:adware/windowenhancer No disinfected C:\WINDOWS\SYSTEM\SBUtils
Adware:Adware/WindowEnhancer No disinfected C:\WINDOWS\SYSTEM\SBUtils\SBWebCtl.dll
Adware:Adware/SecurityError No disinfected C:\WINDOWS\SYSTEM\mscornet.exe
Hacktool:HackTool/ProcLog.A No disinfected C:\HP\bin\ProcessLogger.exe
Dialer:Dialer.NO No disinfected C:\_RESTORE\TEMP\GDNUS1~1.0

#8 tlcfromtn (Topic Starter, Member, 69 posts)
duplicate...edited out...

#13 tlcfromtn (Topic Starter, Member, 69 posts)
Logfile of HijackThis v1.99.1
Scan saved at 1:44:37 PM, on 10/13/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMKEYBD.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\KEYBDMGR.EXE
C:\PROGRAM FILES\NETROPA\ONSCREEN DISPLAY\OSD.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMUSBKB2.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\HPSYSDRV.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\RunDLL.exe
C:\PROGRAM FILES\NETSCAPE\NETSCAPE 6\NETSCP6.EXE
C:\PROGRAM FILES\WEBROOT\SPY SWEEPER\SPYSWEEPER.EXE
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZONEALARM.EXE
C:\PROGRAM FILES\NAVISCOPE\NAVISCOPE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\MY DOCUMENTS\HJT.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:81
N1 - Netscape 4: user_pref("browser.startup.homepage", "http://www.peoplestel.net"); (C:\PROGRAM FILES\NETSCAPE\Users\Default\prefs.js)
N2 - Netscape 6: user_pref("browser.startup.homepage", "http://mail.yahoo.com/"); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\9nxn93v1.slt\prefs.js)
N2 - Netscape 6: user_pref("browser.search.defaultengine", "http://www.google.com/"); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\9nxn93v1.slt\prefs.js)
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_5_7_0.DLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_5_7_0.DLL
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [Keyboard Manager] c:\Program Files\Netropa\One-touch Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [mgavrtclexe] C:\WINDOWS\MCBin\AV\Rt\mgavrte.exe
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - HKCU\..\Run: [Mozilla Quick Launch] C:\PROGRAM FILES\NETSCAPE\NETSCAPE 6\NETSCP6.EXE -turbo
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SPYSWEEPER.EXE" /0
O4 - HKCU\..\RunServices: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - HKCU\..\RunServices: [Mozilla Quick Launch] C:\PROGRAM FILES\NETSCAPE\NETSCAPE 6\NETSCP6.EXE -turbo
O4 - HKCU\..\RunServices: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SPYSWEEPER.EXE" /0
O4 - Startup: naviscope.lnk = C:\Program Files\Naviscope\naviscope.exe
O4 - Global Startup: ZoneAlarm.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\COMPANION\MODULES\MESSMOD2\V4\YHEXBMES.DLL
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\COMPANION\MODULES\MESSMOD2\V4\YHEXBMES.DLL
O14 - IERESET.INF: START_PAGE_URL=http://hp.my.yahoo.com
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.c...nst_current.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcaf...592/mcfscan.cab
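An added example, not code from this thread, from HijackThis or from Geeks to Go: a small Python script that parses the section-prefixed lines of a log like the one above (R0, R1, O2, O4, O16 and so on) and flags the entries a helper looks at first: a proxy pointing at the local machine, a start page that is not the one the owner chose, BHOs/toolbars with no name, autorun entries that name a bare file without a path, the same entry duplicated under Run and RunServices, and ActiveX controls downloaded from the web. The rule names, messages, the expected-homepage list and the `first_token`/`triage` helpers are this example's own; the sample lines are copied from the posted log, with the URLs as the forum truncated them.

```python
"""Mechanical first pass over a HijackThis v1.99 log.

Added example, not code from this thread, from HijackThis or from Geeks to Go.
It pulls out the section-prefixed entries (R0, R1, O2, O4, O16 ...) and runs a
few checks a helper makes before reading the log by hand. The rule names and
messages are this example's own; the sample lines are copied from the log
posted above (URLs appear as the forum truncated them).
"""
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

ENTRY_RE = re.compile(r"^([RNFO]\d{1,2}) - (.*)$")                        # "O4 - <body>"
O4_RE = re.compile(r"^(HK[A-Z]+)\\\.\.\\(Run\w*): \[([^\]]*)\] (.*)$")    # hive, key, value name, command
PROXY_RE = re.compile(r"ProxyServer = (\S+)")
STARTPAGE_RE = re.compile(r"(?:Start|Search) Page = (\S+)")


@dataclass
class Entry:
    code: str   # section code, e.g. "O4"
    body: str   # text after "O4 - "


def parse_hjt(text):
    """Keep only the section-prefixed lines; the header and the process list are skipped."""
    out = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            out.append(Entry(m.group(1), m.group(2)))
    return out


def first_token(cmd):
    """Executable part of an autorun command: a quoted path, or the first whitespace-delimited word."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0] if cmd else ""


def triage(entries, expected_home_hosts=frozenset({"www.yahoo.com"})):
    """Return (rule, detail) pairs. Every hit needs a human decision; nothing here is a verdict."""
    findings = []
    seen = {}   # (hive, value name, command) -> first registry key it appeared under
    for e in entries:
        if e.code in ("R0", "R1"):
            m = PROXY_RE.search(e.body)
            if m and re.search(r"127\.0\.0\.1|localhost", m.group(1)):
                findings.append(("local-proxy", f"IE proxies through {m.group(1)}; identify the program listening on that port"))
            m = STARTPAGE_RE.search(e.body)
            if m and urlsplit(m.group(1)).hostname not in expected_home_hosts:
                findings.append(("unexpected-homepage", m.group(1)))
        elif e.code in ("O2", "O3", "O9") and "(no name)" in e.body:
            findings.append(("unnamed-clsid", e.body))
        elif e.code == "O4":
            m = O4_RE.match(e.body)
            if not m:       # Startup-folder entries (".lnk = path") use a different shape; not handled here
                continue
            hive, key, name, cmd = m.groups()
            exe = first_token(cmd)
            if "\\" not in exe:
                # A bare file name is resolved through the search path, so the copy
                # that actually runs is not necessarily the one in C:\WINDOWS\SYSTEM.
                findings.append(("search-path", f"{hive}\\{key} [{name}] runs {exe!r} without a path"))
            ident = (hive, name.lower(), cmd)
            if ident in seen and seen[ident] != key:
                findings.append(("duplicate-autorun", f"[{name}] is in both {seen[ident]} and {key}"))
            seen.setdefault(ident, key)
        elif e.code == "O16":
            findings.append(("activex-download", e.body))
    return findings


# Sample input: lines copied from the log posted above (a subset, not a constructed log).
SAMPLE = r"""
Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\EXPLORER.EXE
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:81
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SPYSWEEPER.EXE" /0
O4 - HKCU\..\RunServices: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SPYSWEEPER.EXE" /0
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
"""

if __name__ == "__main__":
    for rule, detail in triage(parse_hjt(SAMPLE)):
        print(f"{rule:20} {detail}")
```

Run on the sample it reports the 127.0.0.1:81 proxy, the unnamed BHO (whose path points into the Spybot folder, so it still has to be recognised by eye), SysTray.Exe and mstask.exe as bare names, the SpySweeper entry duplicated under Run and RunServices, and the HouseCall control. None of that is a verdict; the script only narrows what a human reads closely, and the proxy hit in particular means checking which program on the machine owns that port.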

#14 tlcfromtn (Member, Topic Starter, 69 posts)
Sorry for the duplicate posts! IE was running really slow when I submitted them and I don't know how to delete them.

#15 greyknight17 (Malware Expert, Visiting Consultant, 16,560 posts)
Go to Start->Settings->Control Panel and double click on the System icon. On the Performance tab, click File System. Click the Troubleshooting tab, then check 'Disable System Restore'. Click OK. Click Yes when you are prompted to restart Windows. Go back and uncheck that same box to re-enable System Restore.

Delete these:

C:\WINDOWS\SYSTEM\mscornet.exe
C:\WINDOWS\SYSTEM\msblank.html
C:\WINDOWS\rdt.ini
C:\WINDOWS\SYSTEM\SBUtils


Restart and run a new Panda scan. Anything else found (besides HackTool - leave this one alone)? If nothing else, then:

Your log is clean.

To help prevent future spyware installations/infections, please read the Anti-Spyware Tutorial and use the tools provided.

Are there any problems now? If not, you should be set to go.