It won't go away


This topic is locked

#1 tatu2000 (New Member, 7 posts)
First of all: I did read the FAQ and tried everything before posting here.
Antivir, F-Prot found nothing.
ADAware found nothing but a couple of cookies.
Spybot found something called DSO.
I ran regedit and located some unusual entries (E2G and the like).
There is an E2G folder that won't go away, even after being deleted.
When I reboot the computer, F-Prot tells me that some virus code was found inside the file iebhos.dll. This happens every time, even after removing the E2G folder.
My HijackThis log follows:
Logfile of HijackThis v1.98.2
Scan saved at 17:29:36, on 11/02/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MDM.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\KHOOKER.EXE
C:\WINDOWS\SYSTEM\SISAUDUT.EXE
C:\WINDOWS\ptsnoop.exe
C:\WINDOWS\LOADQM.EXE
C:\ARQUIVOS DE PROGRAMAS\AVPERSONAL\AVGCTRL.EXE
C:\ARQUIVOS DE PROGRAMAS\FSI\F-PROT\F-SCHED.EXE
C:\ARQUIVOS DE PROGRAMAS\FSI\F-PROT\F-STOPW.EXE
C:\ARQUIVOS DE PROGRAMAS\FSI\F-PROT\FPAVUPDM.EXE
C:\WINDOWS\SYSTEM\PRUTPCT.EXE
C:\WINDOWS\SYSTEM\PRUTPCT.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\ARQUIVOS DE PROGRAMAS\MOZILLA FIREFOX\FIREFOX.EXE
C:\ARQUIVOS DE PROGRAMAS\WINZIP\WINZIP32.EXE
C:\WINDOWS\TEMP\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com.br/0SEPTBR/SAOS01
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system\ognki.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system\ognki.dll/sp.html#37049
R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - (no file)
F1 - win.ini: run=hpfsched
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\ARQUIVOS DE PROGRAMAS\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {96F47AAF-D627-4543-7963-7E1F138D28BF} - (no file)
O2 - BHO: (no name) - {07B18EA1-A523-4961-B6BB-170DE4475CCA} - (no file)
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\PROGRAM FILES\MSN APPS\MSN TOOLBAR\01.02.3000.1001\PT-BR\MSNTB.DLL
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.02.3000.1001\en-xu\stmain.dll
O2 - BHO: CControl Object - {3643ABC2-21BF-46B9-B230-F247DB0C6FD6} - C:\Arquivos de programas\E2G\IeBHOs.dll (file missing)
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\ARQUIV~1\SPYWAR~1\TOOLS\IESDSG.DLL (file missing)
O3 - Toolbar: &Rádio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\PROGRAM FILES\MSN APPS\MSN TOOLBAR\01.02.3000.1001\PT-BR\MSNTB.DLL
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [SiS KHooker] C:\WINDOWS\SYSTEM\khooker.exe
O4 - HKLM\..\Run: [SiS7012Utility] C:\WINDOWS\SYSTEM\SiSAudUt.exe -wdm
O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
O4 - HKLM\..\Run: [PTSNOOP] ptsnoop.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [ashMaiSv] C:\ARQUIV~1\ALWILS~1\AVAST4\ashmaisv.exe
O4 - HKLM\..\Run: [AVGCtrl] C:\ARQUIVOS DE PROGRAMAS\AVPERSONAL\AVGCTRL.EXE /min
O4 - HKLM\..\Run: [FRISK FP-Scheduler] C:\Arquivos de programas\FSI\F-Prot\F-Sched.exe STARTUP
O4 - HKLM\..\Run: [F-STOPW.EXE] "C:\Arquivos de programas\FSI\F-Prot\F-STOPW.EXE"
O4 - HKLM\..\Run: [FRISK_MONITOR] "C:\Arquivos de programas\FSI\F-Prot\fpavupdm.exe" /RAP
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [Machine Debug Manager] C:\WINDOWS\SYSTEM\MDM.EXE
O4 - HKLM\..\RunServices: [ATLDR.EXE] C:\WINDOWS\ATLDR.EXE
O4 - HKCU\..\Run: [MsnMsgr] "C:\Arquivos de programas\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [PRUTPCT] C:\WINDOWS\SYSTEM\PRUTPCT.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\ARQUIVOS DE PROGRAMAS\SPYWARE DOCTOR\SWDOCTOR.EXE" /Q
O8 - Extra context menu item: Download with GetRight - C:\Arquivos de programas\GetRight\GRdownload.htm
O8 - Extra context menu item: Open with GetRight Browser - C:\Arquivos de programas\GetRight\GRbrowse.htm
O12 - Plugin for .spop: C:\ARQUIV~1\INTERN~1\Plugins\NPDocBox.dll
O12 - Plugin for .bcf: C:\ARQUIV~1\INTERN~1\Plugins\NPBelv32.dll
O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsof...ss/allinone.asp
O16 - DPF: {D9CE2963-8547-4C18-A4CE-DA27278310D8} (Instalador Remoto UOL) - http://download.uol....tiveInstall.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {DA4EB021-5F1C-11D4-B006-00104B98E2C7} (McAfee Clinic Installer Control) - http://download.mcaf...ed/MInstall.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg...v45/yacscom.cab
O16 - DPF: {E281E771-5E4C-11D5-B3E8-0040C7A63343} (StopX Control) - http://www.centralde...Web/StopWeb.cab
O16 - DPF: {D9EF8235-BC02-11D5-B44E-0040C7A63343} (ChessWebX Control) - http://www.centralde...eb/ChessWeb.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {FFFFFFFF-3C18-4A7E-A29D-E24F84B79BF1} - http://216.122.145.208/pi1_20.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by13fd.bay13....es/MsnPUpld.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop...p/PCPitStop.CAB
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = sul.com.br
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 200.219.150.4,200.219.150.5

#2 Guest_thatman_* (Guest)
Welcome to Geeks to Go, tatu2000

You have a nasty About:Blank infection. This fix requires several tools that need to be downloaded. Please download these now, we will run them later.

1) About:Buster - Download it and extract it to C:/aboutbuster.
2) CleanUp! - Download it and install it.
3) CWShredder 2.11 - Download it and save it to your desktop.
4) Ad-Aware - Download, install, and update.

Enable hidden files and folders: http://www.bleepingc...torial=62#winme

During the fix do NOT connect to the internet. Unless you can memorize these instructions, it would be a good idea to print them out.

Boot into safe mode:
Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

Run AboutBuster
-Click Start to begin the process
-Click OK on the Buster Report dialogue box to start the scan
AboutBuster scans the computer for malicious files and deletes them.
Save the report (copy and paste into Notepad and save as a .txt file) to post a copy for review.

Run CWShredder
-Next, click on the: ‘Fix’ button
-Follow the prompts, and press OK

Run CleanUp
-Make sure it is on Standard Mode
-Click the "CleanUp!" button

Run Ad-Aware
-Configure Ad-Aware for a full system scan
-Run it

Clean up the leftovers

Run HJT, close any open windows, and fix the following items (if they are still there):

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system\ognki.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system\ognki.dll/sp.html#37049
R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - (no file)
O2 - BHO: (no name) - {96F47AAF-D627-4543-7963-7E1F138D28BF} - (no file)
O2 - BHO: (no name) - {07B18EA1-A523-4961-B6BB-170DE4475CCA} - (no file)
O2 - BHO: CControl Object - {3643ABC2-21BF-46B9-B230-F247DB0C6FD6} - C:\Arquivos de programas\E2G\IeBHOs.dll (file missing)
O4 - HKLM\..\RunServices: [ATLDR.EXE] C:\WINDOWS\ATLDR.EXE
O4 - HKCU\..\Run: [MsnMsgr] "C:\Arquivos de programas\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [PRUTPCT] C:\WINDOWS\SYSTEM\PRUTPCT.exe
O16 - DPF: {FFFFFFFF-3C18-4A7E-A29D-E24F84B79BF1} - http://216.122.145.208/pi1_20.exe


Then delete the following files (if they exist):

C:\WINDOWS\SYSTEM\PRUTPCT.EXE
C:\WINDOWS\system\ognki.dll/sp.html#37049
C:\WINDOWS\ATLDR.EXE
C:\Arquivos de programas\MSN Messenger\MsnMsgr.Exe
=W32/NETSKY-AD trojan


Reboot into normal mode (simply restart your computer as you normally would), and run the following free, online virus scans:

http://housecall.tre.../start_corp.asp
http://www.pandasoft...n_principal.htm

Then restart your computer one more time and post a new HJT log as well as the About:Buster log I asked you to save earlier.

Kc :tazz:

#3 tatu2000 (Topic Starter, New Member, 7 posts)
Thatman: thanks for the welcome message and thanks for the reply. The infected computer belongs to my sister and she nagged me so much that I did some registry editing (scary stuff) and used CWShredder and Ad-Aware. I was able to delete the E2G folder. The only sign of infection after that was something that Spybot was finding (DSO Exploit), but not removing.

Tomorrow, after work, I'll go back to her place and try everything you said. There are only two things I'd like to ask before that:

1) What is an "about blank" infection?
2) (This one is really stupid, but plz forgive me) how do I disconnect her comp from the internet? She shares a high-speed connection w/ other ppl in the same building and the modem is NOT in her apartment. Should I disconnect her Ethernet cable?

If you don't have the time to answer, don't sweat. I'll go there tomorrow and post the HJT log here.

Thanks a lot.

#4 tatu2000 (Topic Starter, New Member, 7 posts)
By the way: she's using Firefox now.

#5 Guest_thatman_* (Guest)
Hi tatu2000

The about:blank infection is CoolWebSearch, i.e. CWS.

Just unplug the cable from the PC

Kc :tazz:

#6 tatu2000 (Topic Starter, New Member, 7 posts)
Hello thatman:

I've followed your directions and downloaded 1) About:Buster, 2) CleanUp!, 3) CWShredder and 4) Ad-Aware.

I've run AboutBuster w/ no meaningful results (at least for me). Log follows:

Scanned at: 15:52:48 on: 15/02/05


-- Scan 1 ---------------------------
About:Buster Version 4.0
Reference List : 16


ADS not scanned System(FAT)
Attempted Clean Of Temp folder.
Pages Reset... Done!

-- Scan 2 ---------------------------
About:Buster Version 4.0
Reference List : 16


ADS not scanned System(FAT)
Attempted Clean Of Temp folder.
Pages Reset... Done!
-Click Start to begin the process
-Click OK on the Buster Report dialogue box to start the scan
AboutBuster scans the computer for malicious files and deletes them.
Save the report (copy and paste into Notepad and save as a .txt file) to post a copy for review.

End of About:Buster log.

I've run CWShredder and CleanUp.

Then I ran Ad-Aware and it found e2give (RegKey DataMiner).

I haven't cleaned up the leftovers, because I was not quite sure how to do that (dumb me).

I ran HJT and found (AND ERASED) the following items:
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system\ognki.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system\ognki.dll/sp.html#37049
R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - (no file)
O4 - HKLM\..\RunServices: [ATLDR.EXE] C:\WINDOWS\ATLDR.EXE
O4 - HKCU\..\Run: [MsnMsgr] "C:\Arquivos de programas\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [PRUTPCT] C:\WINDOWS\SYSTEM\PRUTPCT.exe
O16 - DPF: {FFFFFFFF-3C18-4A7E-A29D-E24F84B79BF1} - http://216.122.145.208/pi1_20.exe

Then I deleted the following files:

C:\WINDOWS\SYSTEM\PRUTPCT.EXE
C:\WINDOWS\ATLDR.EXE

I couldn't find the items below. In fact, I didn't know that files with "\" or "=" could exist in Windows. Are these actually file names or am I missing something? (Call me dumb again.)
C:\Arquivos de programas\MSN Messenger\MsnMsgr.Exe =W32/NETSKY-AD trojan
C:\WINDOWS\system\ognki.dll/sp.html#37049

I rebooted into normal mode and ran the online virus scans:

http://housecall.tre.../start_corp.asp told me there was one infection (Troj Agent-CK) and I erased the file.

http://www.pandasoft...n_principal.htm told me there were 4 infections and only one could be cleaned.

I've restarted the computer and the new HJT log is:

Logfile of HijackThis v1.98.2
Scan saved at 17:14:26, on 15/02/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\MDM.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\ptsnoop.exe
C:\WINDOWS\LOADQM.EXE
C:\ARQUIVOS DE PROGRAMAS\FSI\F-PROT\F-SCHED.EXE
C:\ARQUIVOS DE PROGRAMAS\FSI\F-PROT\F-STOPW.EXE
C:\ARQUIVOS DE PROGRAMAS\FSI\F-PROT\FPAVUPDM.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\ARQUIVOS DE PROGRAMAS\HIJACKTHIS\HIJACKTHIS.EXE

F1 - win.ini: run=hpfsched
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\ARQUIVOS DE PROGRAMAS\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\PROGRAM FILES\MSN APPS\MSN TOOLBAR\01.02.3000.1001\PT-BR\MSNTB.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Arquivos de programas\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Rádio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\PROGRAM FILES\MSN APPS\MSN TOOLBAR\01.02.3000.1001\PT-BR\MSNTB.DLL
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
O4 - HKLM\..\Run: [PTSNOOP] ptsnoop.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [FRISK FP-Scheduler] C:\Arquivos de programas\FSI\F-Prot\F-Sched.exe STARTUP
O4 - HKLM\..\Run: [F-STOPW.EXE] "C:\Arquivos de programas\FSI\F-Prot\F-STOPW.EXE"
O4 - HKLM\..\Run: [FRISK_MONITOR] "C:\Arquivos de programas\FSI\F-Prot\fpavupdm.exe" /RAP
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [Machine Debug Manager] C:\WINDOWS\SYSTEM\MDM.EXE
O8 - Extra context menu item: Download with GetRight - C:\Arquivos de programas\GetRight\GRdownload.htm
O8 - Extra context menu item: Open with GetRight Browser - C:\Arquivos de programas\GetRight\GRbrowse.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.5.0_01\bin\npjpi150_01.dll
O12 - Plugin for .spop: C:\ARQUIV~1\INTERN~1\Plugins\NPDocBox.dll
O12 - Plugin for .bcf: C:\ARQUIV~1\INTERN~1\Plugins\NPBelv32.dll
O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsof...ss/allinone.asp
O16 - DPF: {DA4EB021-5F1C-11D4-B006-00104B98E2C7} (McAfee Clinic Installer Control) - http://download.mcaf...ed/MInstall.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg...v45/yacscom.cab
O16 - DPF: {E281E771-5E4C-11D5-B3E8-0040C7A63343} (StopX Control) - http://www.centralde...Web/StopWeb.cab
O16 - DPF: {D9EF8235-BC02-11D5-B44E-0040C7A63343} (ChessWebX Control) - http://www.centralde...eb/ChessWeb.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by13fd.bay13....es/MsnPUpld.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop...p/PCPitStop.CAB
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = sul.com.br
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 200.219.150.4,200.219.150.5



Though! It seems the comp is still very infected.


I hope you find the time to help me.

Thanks,

tatu

#7 Guest_thatman_* (Guest)
Hi tatu2000

C:\Arquivos de programas\MSN Messenger\MsnMsgr.Exe <-- this is the W32/NETSKY-AD trojan

O4 - HKLM\..\Run: [SystemTray] SysTray.Exe <-- this is suspect

The legal one is found in C:\Windows\System\SysTray.Exe
Do a search with Windows Explorer and let me know where you find SysTray.Exe

Run the about:blank fix a number of times

Post back a fresh HijackThis log and we'll take another look.

Kc :tazz:

#8 tatu2000 (Topic Starter, New Member, 7 posts)
Hey thatman:


Only today I had the opportunity to return to my sister's house. First thing I did was to search for systray.exe. Its location is correct (C:/Windows/System) and its size is 32 K.
I guess this is not the culprit.
I'll run the removal procedure a couple of times and post back the result.

tatu.

ps: thanks again.

#9 Guest_thatman_* (Guest)
Hi tatu2000

Please update HijackThis to v1.99.1

Please post a new HJT.Log

Thanks

Kc

#10 tatu2000 (Topic Starter, New Member, 7 posts)
Hey thatman:

I've dl'ed the latest version of HJT. Log follows. I'm beginning to consider reinstalling Windows :-(


Logfile of HijackThis v1.99.1
Scan saved at 15:40:57, on 18/02/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\MDM.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\ptsnoop.exe
C:\WINDOWS\LOADQM.EXE
C:\ARQUIVOS DE PROGRAMAS\FSI\F-PROT\F-SCHED.EXE
C:\ARQUIVOS DE PROGRAMAS\FSI\F-PROT\F-STOPW.EXE
C:\ARQUIVOS DE PROGRAMAS\FSI\F-PROT\FPAVUPDM.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\HPZSTATX.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\EXPLORER.EXE
C:\ARQUIVOS DE PROGRAMAS\MOZILLA FIREFOX\FIREFOX.EXE
C:\ARQUIVOS DE PROGRAMAS\HIJACKTHIS\HIJACKTHIS.EXE

F1 - win.ini: run=hpfsched
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\ARQUIVOS DE PROGRAMAS\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\PROGRAM FILES\MSN APPS\MSN TOOLBAR\01.02.3000.1001\PT-BR\MSNTB.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Arquivos de programas\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Rádio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\PROGRAM FILES\MSN APPS\MSN TOOLBAR\01.02.3000.1001\PT-BR\MSNTB.DLL
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
O4 - HKLM\..\Run: [PTSNOOP] ptsnoop.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [FRISK FP-Scheduler] C:\Arquivos de programas\FSI\F-Prot\F-Sched.exe STARTUP
O4 - HKLM\..\Run: [F-STOPW.EXE] "C:\Arquivos de programas\FSI\F-Prot\F-STOPW.EXE"
O4 - HKLM\..\Run: [FRISK_MONITOR] "C:\Arquivos de programas\FSI\F-Prot\fpavupdm.exe" /RAP
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [Machine Debug Manager] C:\WINDOWS\SYSTEM\MDM.EXE
O4 - HKCU\..\Run: [msnmsgr] "C:\ARQUIVOS DE PROGRAMAS\MSN MESSENGER\MSNMSGR.EXE" /background
O8 - Extra context menu item: Download with GetRight - C:\Arquivos de programas\GetRight\GRdownload.htm
O8 - Extra context menu item: Open with GetRight Browser - C:\Arquivos de programas\GetRight\GRbrowse.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.5.0_01\bin\npjpi150_01.dll
O12 - Plugin for .spop: C:\ARQUIV~1\INTERN~1\Plugins\NPDocBox.dll
O12 - Plugin for .bcf: C:\ARQUIV~1\INTERN~1\Plugins\NPBelv32.dll
O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsof...ss/allinone.asp
O15 - Trusted Zone: *.05p.com (HKLM)
O15 - Trusted Zone: *.searchmiracle.com (HKLM)
O15 - Trusted Zone: *.clickspring.net (HKLM)
O15 - Trusted Zone: *.mt-download.com (HKLM)
O15 - Trusted Zone: *.my-internet.info (HKLM)
O15 - Trusted Zone: *.scoobidoo.com (HKLM)
O15 - Trusted IP range: 206.161.125.149
O15 - Trusted IP range: 206.161.124.130 (HKLM)
O16 - DPF: {DA4EB021-5F1C-11D4-B006-00104B98E2C7} (McAfee Clinic Installer Control) - http://download.mcaf...ed/MInstall.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg...v45/yacscom.cab
O16 - DPF: {E281E771-5E4C-11D5-B3E8-0040C7A63343} (StopX Control) - http://www.centralde...Web/StopWeb.cab
O16 - DPF: {D9EF8235-BC02-11D5-B44E-0040C7A63343} (ChessWebX Control) - http://www.centralde...eb/ChessWeb.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by13fd.bay13....es/MsnPUpld.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop...p/PCPitStop.CAB
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = sul.com.br
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 200.219.150.4,200.219.150.5

thanks,

tatu
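The triage thatman walks through in #2 (search pages served from a res:// resource inside a DLL, hooks whose file is gone, the O16 download from a bare IP address), the SysTray.Exe location check in #7, and the O15 Trusted Zone entries in the v1.99.1 log above are all things a script can pick out of a HijackThis log before anyone clicks "Fix". The following is an added example, not code from the original posts or from the HijackThis project; the sample lines are copied from the logs in this thread, and the rules and the "remove"/"verify" severities are my own heuristics, not HijackThis's.

```python
"""Triage a HijackThis 1.9x log for the CoolWebSearch/about:blank indicators
discussed in this thread.  Added example: the rules and severities below are
my own heuristics (an assumption), not HijackThis's own logic."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample input: lines copied from the logs posted in this thread.
SAMPLE_LOG = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system\ognki.dll/sp.html#37049
R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\ARQUIVOS DE PROGRAMAS\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {96F47AAF-D627-4543-7963-7E1F138D28BF} - (no file)
O2 - BHO: CControl Object - {3643ABC2-21BF-46B9-B230-F247DB0C6FD6} - C:\Arquivos de programas\E2G\IeBHOs.dll (file missing)
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [AVGCtrl] C:\ARQUIVOS DE PROGRAMAS\AVPERSONAL\AVGCTRL.EXE /min
O4 - HKLM\..\RunServices: [ATLDR.EXE] C:\WINDOWS\ATLDR.EXE
O15 - Trusted Zone: *.searchmiracle.com (HKLM)
O15 - Trusted IP range: 206.161.125.149
O16 - DPF: {FFFFFFFF-3C18-4A7E-A29D-E24F84B79BF1} - http://216.122.145.208/pi1_20.exe
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
"""


@dataclass
class Finding:
    severity: str   # "remove" (clear indicator) or "verify" (needs a manual check)
    line: str
    reason: str


# R0/R1/R3 entries whose search or start page is an HTML page embedded in a local
# DLL; this is how the ognki.dll/sp.html entry in the thread works.
RES_HIJACK = re.compile(r"^R[013] - .*= res://.*\.dll/", re.I)
# Search hooks and BHOs that are still registered but whose file is gone.
ORPHAN = re.compile(r"^(R3|O2) - .*\((no file|file missing)\)$", re.I)
# Autostart entries: capture just the command so the path can be inspected.
O4 = re.compile(r"^O4 - HK(LM|CU)\\\.\.\\(Run|RunServices|RunOnce): \[[^\]]*\] (?P<cmd>.+)$")
# Hosts or IP ranges added to IE's Trusted sites zone.
O15 = re.compile(r"^O15 - Trusted (Zone|IP range): (?P<what>\S+)")
# ActiveX downloads: optional "(description)" followed by the source URL.
O16 = re.compile(r"^O16 - DPF: \{[^}]+\}(?P<desc> \([^)]*\))? - (?P<url>\S+)$")
IP_URL = re.compile(r"^https?://\d{1,3}(\.\d{1,3}){3}(/|$)", re.I)


def _bare_filename(cmd: str) -> bool:
    """True when the autostart command names the executable without any
    directory, so Windows resolves it by search order (e.g. 'SysTray.Exe')."""
    parts = cmd.strip().strip('"').split()
    if not parts:
        return False
    return "\\" not in parts[0] and ":" not in parts[0]


def triage(log_text: str) -> list[Finding]:
    """Return one Finding per log line that matches a rule; clean lines yield nothing."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if RES_HIJACK.search(line):
            findings.append(Finding("remove", line,
                "search/start page served from a res:// page inside a local DLL (CWS about:blank hijack)"))
        elif ORPHAN.search(line):
            findings.append(Finding("remove", line, "hook is registered but its file is gone"))
        elif (m := O4.match(line)):
            if _bare_filename(m.group("cmd")):
                findings.append(Finding("verify", line,
                    "executable named without a path; confirm where it actually loads from "
                    "(the 'Running processes' section of the log shows the full path)"))
        elif (m := O15.match(line)):
            findings.append(Finding("remove", line,
                f"{m.group('what')} was added to the IE Trusted sites zone; unrecognised entries weaken browser security"))
        elif (m := O16.match(line)):
            url = m.group("url")
            if not m.group("desc") or IP_URL.match(url) or url.lower().endswith(".exe"):
                findings.append(Finding("remove", line,
                    "unnamed ActiveX download, or one fetched from a bare IP address / as an .exe"))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per severity, e.g. {'remove': 7, 'verify': 1} for SAMPLE_LOG."""
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for f in results:
        print(f"[{f.severity:6}] {f.line}\n         {f.reason}")
    print(summarize(results))
```

Running it over a full log gives a short list to compare against a helper's "fix the following items" reply; the "verify" class exists precisely for cases like SysTray.Exe, where the entry is normal on Windows 98 and the only question is which file it resolves to.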

#11 tatu2000 (Topic Starter, New Member, 7 posts)
Pandasoftware found 10+ problems. Log follows:

Incident                        Status            Location
Adware:Adware/Gator             No disinfected    C:\WINDOWS\gator*.log
Adware:Adware/MyWay             No disinfected    Windows Registry
Adware:Adware/FunWeb            No disinfected    C:\WINDOWS\Downloaded Program Files\f3initialsetup*
Adware:Adware/Hotbar            No disinfected    Windows Registry
Spyware:Spyware/Bridge          No disinfected    C:\WINDOWS\Downloaded Program Files\bridge.???
Adware:Adware/VirtualBouncer    No disinfected    Windows Registry
Adware:Adware/IPInsight         No disinfected    C:\WINDOWS\alchem.???
Adware:Adware/E2Give            No disinfected    Windows Registry
Adware:Adware/IPInsight         No disinfected    C:\WINDOWS\INF\ALCHEM.INF
Adware:Adware/FunWeb            No disinfected    C:\WINDOWS\Downloaded Program Files\f3initialsetup1.0.0.8.inf
Adware:Adware/FunWeb            No disinfected    C:\Arquivos de programas\MSN Messenger\riched20.dll