|
#1
February 24th, 2004, 02:05 PM
|
|||
|
|||
|
Downloader.Turown.A
I'm a new subscriber to this forum but you guy's seem to know how to get rid of this Downloader.Turown.A trojan so I'd appreciate any help offered. Here's my hijackthis log, i think the problem is in the 010 sectionof it if thats any help!
Logfile of HijackThis v1.97.7 Scan saved at 13:01:58, on 24/02/04 Platform: Windows 98 SE (Win9x 4.10.2222A) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Running processes: C:\WINDOWS\SYSTEM\KERNEL32.DLL C:\WINDOWS\SYSTEM\MSGSRV32.EXE C:\WINDOWS\SYSTEM\MPREXE.EXE C:\WINDOWS\SYSTEM\mmtask.tsk C:\WINDOWS\SYSTEM\MSTASK.EXE C:\WINDOWS\EXPLORER.EXE C:\WINDOWS\TASKMON.EXE C:\WINDOWS\SYSTEM\SYSTRAY.EXE C:\PROGRAM FILES\MICROSOFT HARDWARE\POINT32.EXE C:\WINDOWS\SYSTEM\ATIPTAAA.EXE C:\WINDOWS\SYSTEM\STIMON.EXE C:\WINDOWS\STARTER.EXE C:\WINDOWS\SYSTEM\MSWHEEL.EXE C:\WINDOWS\SYSTEM\DDHELP.EXE C:\WINDOWS\LOADQM.EXE C:\WINDOWS\WT\UPDATER\WCMDMGR.EXE C:\WINDOWS\RUNDLL32.EXE C:\WINDOWS\MWSVM.EXE C:\WINDOWS\SYSTEM\USBMONIT.EXE C:\PROGRAM FILES\COMMON FILES\CMEII\CMESYS.EXE C:\WINDOWS\SYSTEM\IEDRIVER\IEDRIVER.EXE C:\PROGRAM FILES\NCASE\MSBB.EXE C:\PROGRAM FILES\VSN\VSN.EXE C:\WINDOWS\SYSTEM\WMIEXE.EXE C:\WINDOWS\SYSTEM\RNAAPP.EXE C:\WINDOWS\SYSTEM\TAPISRV.EXE C:\WINDOWS\SYSTEM\PSTORES.EXE C:\PROGRAM FILES\GRISOFT\AVG6\AVGCC32.EXE C:\MY DOCUMENTS\STEFF'S STUFF\HIJACKTHIS.EXE R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://searchbar.findthewebsiteyouneed.com/ R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\SYSTEM\sb.htm R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com/ R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/ R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://home.iol.ie R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchbar.findthewebsiteyouneed.com/ R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.allcybersearch.com/ie/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.ezcybersearch.com R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.seekseek.com/quicksearch....&version_id=18 R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.ezcybersearch.com/search R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://searchbar.findthewebsiteyouneed.com/ O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX O2 - BHO: Hotbar - {B195B3B3-8A05-11D3-97A4-0004ACA6948E} - (no file) O2 - BHO: (no name) - {c900b400-cdfe-11d3-976a-00e02913a9e0} - (no file) O2 - BHO: myBar BHO - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - (no file) O2 - BHO: DefaultSearch.SeekSeek - {5074851C-F67A-488E-A9C9-C244573F4068} - C:\WINDOWS\IEASST.DLL O2 - BHO: (no name) - {00000762-3965-4A1A-98CE-3D4BF457D4C8} - (no file) O2 - BHO: (no name) - {67530D60-1241-11D8-A092-444553540000} - (no file) O2 - BHO: (no name) - {2CF0B992-5EEB-4143-99C0-5297EF71F443} - (no file) O2 - BHO: Clear Search - {947E6D5A-4B9F-4CF4-91B3-562CA8D03313} - C:\PROGRAM FILES\CLEARSEARCH\IE_CLRSCH.DLL (file missing) O2 - BHO: (no name) - {0DDBB570-0396-44C9-986A-8F6F61A51C2F} - C:\WINDOWS\SYSTEM\MSIEFR40.DLL O3 - Toolbar: &Hotbar - {B195B3B3-8A05-11D3-97A4-0004ACA6948E} - (no file) O3 - Toolbar: &SearchBar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\PROGRAM FILES\MYWAY\MYBAR\1.BIN\MYBAR.DLL (file missing) O3 - Toolbar: Search - {2CF0B992-5EEB-4143-99C0-5297EF71F444} - C:\WINDOWS\SYSTEM\STLBDIST.DLL O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe O4 - HKLM\..\Run: [SystemTray] SysTray.Exe O4 - HKLM\..\Run: [AtiCwd32] Aticwd32.exe O4 - HKLM\..\Run: [AtiKey] Atitask.exe O4 - HKLM\..\Run: [POINTER] C:\PROGRA~1\MICROS~1\point32.exe O4 - HKLM\..\Run: [ATIGART] c:\ati\gart\atigart.exe O4 - HKLM\..\Run: [AtiPTA] Atiptaaa.exe O4 - HKLM\..\Run: [AtiQiPcl] AtiQiPcl.exe O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE O4 - HKLM\..\Run: [Scan Detector] C:\PROGRA~1\PRIMAX\POWERT~1\Pmxdetect.exe O4 - HKLM\..\Run: [PrimaLauncher] C:\WINDOWS\SYSTEM\Launcher.exe O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme O4 - HKLM\..\Run: [3dfx Tools] rundll32.exe 3dfxCmn.dll,UpdateRegSettings O4 - HKLM\..\Run: [PMXInit] C:\WINDOWS\SYSTEM\pmxinit.exe O4 - HKLM\..\Run: [wcmdmgr] C:\WINDOWS\wt\updater\wcmdmgrl.exe -launch O4 - HKLM\..\Run: [LoadQM] loadqm.exe O4 - HKLM\..\Run: [LWBMOUSE] C:\Program Files\Typhoon Multimedia for living\8D Scroll Ball Mouse\1.1\LWBWHEEL.exe O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime O4 - HKLM\..\Run: [AME_CSA] rundll32 AmeCSA.cpl,RUN_DLL O4 - HKLM\..\Run: [Mwsvm] C:\WINDOWS\mwsvm.exe O4 - HKLM\..\Run: [4ZMQNHQ3P2QW4L] C:\WINDOWS\SYSTEM\Lxiv1Ua.exe O4 - HKLM\..\Run: [Gene USB Monitor] c:\windows\SYSTEM\USBMonit.exe O4 - HKLM\..\Run: [CMESys] "C:\PROGRAM FILES\COMMON FILES\CMEII\CMESYS.EXE" O4 - HKLM\..\Run: [IEDriver] C:\WINDOWS\SYSTEM\IEDriver\IEDriver.exe O4 - HKLM\..\Run: [UpdateStats] C:\Program Files\Media\Media\UpdateStats.exe O4 - HKLM\..\Run: [{2CF0B992-5EEB-4143-99C0-5297EF71F444}] rundll32.exe C:\WINDOWS\SYSTEM\STLBDIST.DLL,DllRunMain O4 - HKLM\..\Run: [Rundll32_7] rundll32.exe C:\WINDOWS\SYSTEM\MSIEFR40.DLL,DllRunServer O4 - HKLM\..\Run: [msbb] C:\PROGRAM FILES\NCASE\MSBB.EXE O4 - HKLM\..\Run: [VSN] C:\PROGRAM FILES\VSN\VSN.EXE O4 - HKLM\..\Run: [AVG_CC] C:\PROGRAM FILES\GRISOFT\AVG6\avgcc32.exe /startup O4 - HKLM\..\Run: [CMVJZQGX] C:\WINDOWS\CMVJZQGX.exe O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe O4 - HKLM\..\RunServices: [Avgserv9.exe] C:\PROGRA~1\GRISOFT\AVG6\Avgserv9.exe O4 - HKCU\..\Run: [AIM] C:\PROGRAM FILES\AIM95\aim.exe -cnetwait.odl O4 - HKCU\..\Run: [NSCheck] C:\WINDOWS\SYSTEM\NSCHECK.EXE /check O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background O4 - HKCU\..\Run: [HXIUL.EXE] C:\Program Files\Alset\HelpExpress\.\HXIUL.EXE O4 - HKCU\..\Run: [HXDL.EXE] C:\Program Files\Alset\HelpExpress\.\HXDL.EXE -from="TCONTENT.CAB" -to="TCONTENT.CAB" O4 - HKCU\..\Run: [Cydoor] CD_Load.exe O4 - HKCU\..\Run: [ClockSync] C:\Program Files\ClockSync\Sync.exe /q O4 - HKCU\..\Run: [DownloadLegalMusic] rundll32.exe C:\WINDOWS\SYSTEM\MSA64CHK.DLL,DllMostrar Matrix_HTML  ownloadLegalMusic:tO4 - HKCU\..\RunServices: [AIM] C:\PROGRAM FILES\AIM95\aim.exe -cnetwait.odl O4 - HKCU\..\RunServices: [NSCheck] C:\WINDOWS\SYSTEM\NSCHECK.EXE /check O4 - HKCU\..\RunServices: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background O4 - HKCU\..\RunServices: [HXIUL.EXE] C:\Program Files\Alset\HelpExpress\.\HXIUL.EXE O4 - HKCU\..\RunServices: [HXDL.EXE] C:\Program Files\Alset\HelpExpress\.\HXDL.EXE -from="TCONTENT.CAB" -to="TCONTENT.CAB" O4 - HKCU\..\RunServices: [Cydoor] CD_Load.exe O4 - HKCU\..\RunServices: [ClockSync] C:\Program Files\ClockSync\Sync.exe /q O4 - HKCU\..\RunServices: [DownloadLegalMusic] rundll32.exe C:\WINDOWS\SYSTEM\MSA64CHK.DLL,DllMostrar Matrix_HTML ownloadLegalMusic:tO4 - Startup: EPSON Background Monitor.lnk = C:\ESM2\Stms.exe O4 - Startup: Microsoft Office Fast Start.lnk = C:\MSOffice\Office\FASTBOOT.EXE O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE O4 - Startup: CAMEDIA Master.lnk = C:\Program Files\OLYMPUS\CAMEDIA Master 4.1\CM_camera.exe O9 - Extra button: Related (HKLM) O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM) O9 - Extra button: Messenger (HKLM) O9 - Extra 'Tools' menuitem: Messenger (HKLM) O9 - Extra button: Sidesearch (HKLM) O9 - Extra button: DownloadLegalMusic (HKLM) O9 - Extra button: Mail (HKCU) O10 - Hijacked Internet access by WebHancer O10 - Hijacked Internet access by WebHancer O10 - Hijacked Internet access by WebHancer O10 - Hijacked Internet access by WebHancer O10 - Hijacked Internet access by WebHancer O10 - Hijacked Internet access by WebHancer O10 - Hijacked Internet access by WebHancer O10 - Hijacked Internet access by WebHancer O10 - Hijacked Internet access by WebHancer O10 - Hijacked Internet access by WebHancer O10 - Broken Internet access because of LSP provider 'csloa.dll' missing O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/s...sh/swflash.cab O16 - DPF: {89122070-4199-11D4-8BAF-0050045B552C} - http://download.rocketpipe.com/bundles/77.cab O16 - DPF: {FA13A9FA-CA9B-11D2-9780-00104B242EA3} (WildTangent Control) - http://www.wildtangent.com/install/w...oft/wtinst.cab O16 - DPF: {A1DC3241-B122-195F-B21A-000000000000} - http://www.xxx-porns.com/download/xxxporn.cab O16 - DPF: {03C543A1-C090-418F-A1D0-FB96380D601D} (preload control) - http://www.thepaymentcentre.com/build/preload.cab O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.co...862.3058333333 O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/251eacc5577473a...p/RdxIE601.cab O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real.com/gameconsole...rcadeRdxIE.cab O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://imgfarm.com/images/nocache/fu...tup1.0.0.6.cab O16 - DPF: {6EB5B540-1E74-4D91-A7F0-5B758D333702} (nCaseInstaller Class) - http://bis.180solutions.com/activexi...eInstaller.cab O16 - DPF: {CA034DCC-A580-4333-B52F-15F98C42E04C} (Downloader Class) - https://www.stopzilla.com/_download/...ler/dwnldr.cab O16 - DPF: {00000EF1-0786-4633-87C6-1AA7A44296DA} - http://www.netpaloffers.net/NetpalOf...O1/wr3ck1t.cab O16 - DPF: {8BC4B4C3-2CA2-44B0-9A36-495EF3946E22} (Flo2_L1 Control) - http://www.nokiagame.com/games/1fpO9...fl/flo2_l1.cab O16 - DPF: {83B67220-025C-416C-8049-398E12764B36} (Flo2_L2 Control) - http://www.nokiagame.com/games/2K1E4...as/flo2_l2.cab O16 - DPF: {B47CD421-1AA8-4FE6-A25A-5824BDADC307} (Flo2_L3 Control) - http://www.nokiagame.com/games/3Uyti...HI/flo2_l3.cab O16 - DPF: {970D1F38-542B-471C-9574-72E1AE852EA1} (Flo2_L4 Control) - http://www.nokiagame.com/games/4eQo0...h3/flo2_l4.cab O16 - DPF: {DA9A0B1E-9B7B-11D3-B8A4-00C04F79641C} (NSUpdateLiteCtrl Class) - http://204.177.92.201/quickdl/proclaim/NSupd9x.cab O16 - DPF: {E2F2B9D0-96B9-4B25-B90C-636ECB207D18} - http://www.whenusearch.com/WUInstSECS.cab O16 - DPF: {88C51E90-8E9C-4C96-8A45-574D88B63FAF} (Matrix Class) - http://acceso.masminutos.com/laaplicacion.cab 
|
|
#2
February 24th, 2004, 03:53 PM
|
||||
|
||||
|
Hi buddy welcome to CTH....It's a wonder you can get online at all by the look of that lot!! :no:
First download and run THIS Then download and run cwshredder from www.zerosrealm.com/downloads/CWShredder.zip After that download and run spybot from here http://spybot.eon.net.au/index.php?l...&page=download Check for updates before first run and have it fix all RED entries. click on the Immunize button to protect your PC from known pests and exit. Sometimes Spybot will not remove all on a first run, If it asks you to reboot click yes. It will launch again at startup and finish the job. Post back a new Hijack log when spybot has done it's thing. There will be other stuff to clean up. Where did AVG report the virus is lurking?
|
|
#3
February 24th, 2004, 09:18 PM
|
||||
|
||||
|
Hi steffkelly - before you use any utilities to remove spyware, download LSPFix.exe from here
If you have any problems connecting to the Internet after removing Spyware, unzip it and run it so it reads the list of LSP modules from the Windows registry and verifies that each module is present. Then hit "Finish" and let it automatically correct the misnumbered or missing entries. Reboot afterwards.
|
|
#4
February 25th, 2004, 12:54 AM
|
|||
|
|||
|
spybot seems to be stopping at a file called c2.lop. i have used the Lspfix software and it cleaned up a bit but when i start it up again it shows a file called webhdll.dll, could this be off webhancer and should i remove it? Thanks for the earlier info, here's my hijack this log as of now
Logfile of HijackThis v1.97.7 Scan saved at 23:41:49, on 24/02/04 Platform: Windows 98 SE (Win9x 4.10.2222A) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Running processes: C:\WINDOWS\SYSTEM\KERNEL32.DLL C:\WINDOWS\SYSTEM\MSGSRV32.EXE C:\WINDOWS\SYSTEM\MPREXE.EXE C:\WINDOWS\SYSTEM\mmtask.tsk C:\PROGRAM FILES\GRISOFT\AVG6\AVGSERV9.EXE C:\WINDOWS\EXPLORER.EXE C:\WINDOWS\TASKMON.EXE C:\PROGRAM FILES\MICROSOFT HARDWARE\POINT32.EXE C:\WINDOWS\SYSTEM\ATIPTAAA.EXE C:\WINDOWS\SYSTEM\STIMON.EXE C:\WINDOWS\SYSTEM\MSWHEEL.EXE C:\WINDOWS\LOADQM.EXE C:\WINDOWS\SYSTEM\DDHELP.EXE C:\WINDOWS\WT\UPDATER\WCMDMGR.EXE C:\PROGRAM FILES\TYPHOON MULTIMEDIA FOR LIVING\8D SCROLL BALL MOUSE\1.1\LWBWHEEL.EXE C:\WINDOWS\RUNDLL32.EXE C:\WINDOWS\SYSTEM\USBMONIT.EXE C:\PROGRAM FILES\VSN\VSN.EXE C:\PROGRAM FILES\GRISOFT\AVG6\AVGCC32.EXE C:\WINDOWS\STARTER.EXE C:\WINDOWS\SYSTEM\IFUV.EXE C:\WINDOWS\SYSTEM\DSY3FZN2.EXE C:\WINDOWS\SYSTEM\RNAAPP.EXE C:\WINDOWS\SYSTEM\TAPISRV.EXE C:\WINDOWS\SYSTEM\PSTORES.EXE C:\MY DOCUMENTS\STEFF'S STUFF\HIJACKTHIS.EXE R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/ R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://home.iol.ie R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX O2 - BHO: DefaultSearch.SeekSeek - {5074851C-F67A-488E-A9C9-C244573F4068} - C:\WINDOWS\IEASST.DLL O2 - BHO: (no name) - {0DDBB570-0396-44C9-986A-8F6F61A51C2F} - C:\WINDOWS\SYSTEM\MSIEFR40.DLL O3 - Toolbar: (no name) - {B195B3B3-8A05-11D3-97A4-0004ACA6948E} - (no file) O3 - Toolbar: &SearchBar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\PROGRAM FILES\MYWAY\MYBAR\1.BIN\MYBAR.DLL (file missing) O3 - Toolbar: Search - {2CF0B992-5EEB-4143-99C0-5297EF71F444} - C:\WINDOWS\SYSTEM\STLBDIST.DLL O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe O4 - HKLM\..\Run: [AtiCwd32] Aticwd32.exe O4 - HKLM\..\Run: [AtiKey] Atitask.exe O4 - HKLM\..\Run: [POINTER] C:\PROGRA~1\MICROS~1\point32.exe O4 - HKLM\..\Run: [ATIGART] c:\ati\gart\atigart.exe O4 - HKLM\..\Run: [AtiPTA] Atiptaaa.exe O4 - HKLM\..\Run: [AtiQiPcl] AtiQiPcl.exe O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE O4 - HKLM\..\Run: [3dfx Tools] rundll32.exe 3dfxCmn.dll,UpdateRegSettings O4 - HKLM\..\Run: [PMXInit] C:\WINDOWS\SYSTEM\pmxinit.exe O4 - HKLM\..\Run: [wcmdmgr] C:\WINDOWS\wt\updater\wcmdmgrl.exe -launch O4 - HKLM\..\Run: [LoadQM] loadqm.exe O4 - HKLM\..\Run: [LWBMOUSE] C:\Program Files\Typhoon Multimedia for living\8D Scroll Ball Mouse\1.1\LWBWHEEL.exe O4 - HKLM\..\Run: [AME_CSA] rundll32 AmeCSA.cpl,RUN_DLL O4 - HKLM\..\Run: [4ZMQNHQ3P2QW4L] C:\WINDOWS\SYSTEM\Atv0h.exe O4 - HKLM\..\Run: [Gene USB Monitor] c:\windows\SYSTEM\USBMonit.exe O4 - HKLM\..\Run: [VSN] C:\PROGRAM FILES\VSN\VSN.EXE O4 - HKLM\..\Run: [AVG_CC] C:\PROGRAM FILES\GRISOFT\AVG6\avgcc32.exe /startup O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe O4 - HKLM\..\RunServices: [Avgserv9.exe] C:\PROGRA~1\GRISOFT\AVG6\Avgserv9.exe O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background O4 - HKCU\..\Run: [HXIUL.EXE] C:\Program Files\Alset\HelpExpress\.\HXIUL.EXE O4 - HKCU\..\Run: [HXDL.EXE] C:\Program Files\Alset\HelpExpress\.\HXDL.EXE -from="TCONTENT.CAB" -to="TCONTENT.CAB" O4 - HKCU\..\Run: [Cydoor] CD_Load.exe O4 - Startup: EPSON Background Monitor.lnk = C:\ESM2\Stms.exe O4 - Startup: Microsoft Office.lnk.disabled O4 - Startup: Microsoft Office Fast Start.lnk.disabled O4 - Startup: CAMEDIA Master.lnk.disabled O9 - Extra button: Related (HKLM) O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM) O9 - Extra button: Messenger (HKLM) O9 - Extra 'Tools' menuitem: Messenger (HKLM) O9 - Extra button: Sidesearch (HKLM) O9 - Extra button: DownloadLegalMusic (HKLM) O9 - Extra button: Mail (HKCU) O10 - Hijacked Internet access by WebHancer O10 - Hijacked Internet access by WebHancer O10 - Hijacked Internet access by WebHancer O10 - Hijacked Internet access by WebHancer O10 - Hijacked Internet access by WebHancer O10 - Hijacked Internet access by WebHancer O10 - Hijacked Internet access by WebHancer O10 - Hijacked Internet access by WebHancer O10 - Hijacked Internet access by WebHancer O10 - Hijacked Internet access by WebHancer O10 - Hijacked Internet access by WebHancer O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/s...sh/swflash.cab O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.co...862.3058333333 O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/251eacc5577473a...p/RdxIE601.cab O16 - DPF: {6EB5B540-1E74-4D91-A7F0-5B758D333702} (nCaseInstaller Class) - http://bis.180solutions.com/activexi...eInstaller.cab O16 - DPF: {E2F2B9D0-96B9-4B25-B90C-636ECB207D18} - http://www.whenusearch.com/WUInstSECS.cab O16 - DPF: {88C51E90-8E9C-4C96-8A45-574D88B63FAF} (Matrix Class) - http://acceso.masminutos.com/laaplicacion.cab
|
|
#5
February 25th, 2004, 02:37 AM
|
||||
|
||||
|
Hi steffkelly - firstly, lets get rid of Trojan.Peper. Run this uninstaller: http://www.memorywatcher.com/uninst.exe and reboot afterwards.
Webhancer can cause problems if it is not removed correctly. Have a look in Add/Remove Programs in Control Panel and if there is an entry there for Webhancer, Web 3000, Webhancer Agent or WHAgent, uninstall this program and reboot. If there is no entry in Add/Remove programs, looking at your latest log, it seems obvious that Spybot is not going to do the job, download the latest version of Ad-Aware from here (if you already have Ad-Aware installed, make sure that it is the latest version and always go online and update it before you run it). After installing AAW, and before running the program, you must FIRST update the reference file following these instructions. (and you must always do this before you run the program at any later date). Now do the following: Under Ad-aware 6 > Settings (Gear at the top) > Tweaks > Scanning Engine: check: "Unload recognized processes during scanning." Under Ad-aware 6 > Settings (Gear at the top) > Tweaks > Cleaning Engine: Check: "Let Windows remove files in use after reboot." Press "Scan Now" - Check option "Use Custom scanning options" - Check option "Activate In-Depth Scan" - Press "Select drives\folders to scan" - Select the active partition which is usually C: Now press "Next" to let Ad-aware scan your drives. It will find a number of spyware files and registry keys. Right-click in that pane and choose "select all" Now press "Next" again. It will ask you whether you'd like to remove all checked items. Click OK. Finally, close Ad-Aware, and reboot. Run Hijack This again and post back a new log.
|
|
#6
February 25th, 2004, 02:04 PM
|
|||
|
|||
|
Thanks very much AnnMarie, that seems to have helped my connection big time. I reckon it's ok now but here's my latest hijack this log, just in case, once again, much appreciated
Logfile of HijackThis v1.97.7 Scan saved at 13:01:24, on 25/02/04 Platform: Windows 98 SE (Win9x 4.10.2222A) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Running processes: C:\WINDOWS\SYSTEM\KERNEL32.DLL C:\WINDOWS\SYSTEM\MSGSRV32.EXE C:\WINDOWS\SYSTEM\MPREXE.EXE C:\WINDOWS\SYSTEM\mmtask.tsk C:\PROGRAM FILES\GRISOFT\AVG6\AVGSERV9.EXE C:\WINDOWS\EXPLORER.EXE C:\WINDOWS\TASKMON.EXE C:\PROGRAM FILES\MICROSOFT HARDWARE\POINT32.EXE C:\WINDOWS\SYSTEM\ATIPTAAA.EXE C:\WINDOWS\SYSTEM\STIMON.EXE C:\WINDOWS\SYSTEM\MSWHEEL.EXE C:\WINDOWS\LOADQM.EXE C:\PROGRAM FILES\TYPHOON MULTIMEDIA FOR LIVING\8D SCROLL BALL MOUSE\1.1\LWBWHEEL.EXE C:\WINDOWS\WT\UPDATER\WCMDMGR.EXE C:\WINDOWS\SYSTEM\DDHELP.EXE C:\WINDOWS\RUNDLL32.EXE C:\WINDOWS\SYSTEM\USBMONIT.EXE C:\PROGRAM FILES\VSN\VSN.EXE C:\PROGRAM FILES\GRISOFT\AVG6\AVGCC32.EXE C:\WINDOWS\STARTER.EXE C:\WINDOWS\SYSTEM\RNAAPP.EXE C:\WINDOWS\SYSTEM\TAPISRV.EXE C:\WINDOWS\SYSTEM\SPOOL32.EXE C:\MY DOCUMENTS\STEFF'S STUFF\HIJACKTHIS.EXE R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/ R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://home.iol.ie R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank R3 - Default URLSearchHook is missing O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX O3 - Toolbar: &SearchBar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\PROGRAM FILES\MYWAY\MYBAR\1.BIN\MYBAR.DLL (file missing) O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe O4 - HKLM\..\Run: [AtiCwd32] Aticwd32.exe O4 - HKLM\..\Run: [AtiKey] Atitask.exe O4 - HKLM\..\Run: [POINTER] C:\PROGRA~1\MICROS~1\point32.exe O4 - HKLM\..\Run: [ATIGART] c:\ati\gart\atigart.exe O4 - HKLM\..\Run: [AtiPTA] Atiptaaa.exe O4 - HKLM\..\Run: [AtiQiPcl] AtiQiPcl.exe O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE O4 - HKLM\..\Run: [3dfx Tools] rundll32.exe 3dfxCmn.dll,UpdateRegSettings O4 - HKLM\..\Run: [PMXInit] C:\WINDOWS\SYSTEM\pmxinit.exe O4 - HKLM\..\Run: [wcmdmgr] C:\WINDOWS\wt\updater\wcmdmgrl.exe -launch O4 - HKLM\..\Run: [LoadQM] loadqm.exe O4 - HKLM\..\Run: [LWBMOUSE] C:\Program Files\Typhoon Multimedia for living\8D Scroll Ball Mouse\1.1\LWBWHEEL.exe O4 - HKLM\..\Run: [AME_CSA] rundll32 AmeCSA.cpl,RUN_DLL O4 - HKLM\..\Run: [Gene USB Monitor] c:\windows\SYSTEM\USBMonit.exe O4 - HKLM\..\Run: [VSN] C:\PROGRAM FILES\VSN\VSN.EXE O4 - HKLM\..\Run: [AVG_CC] C:\PROGRAM FILES\GRISOFT\AVG6\avgcc32.exe /startup O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe O4 - HKLM\..\RunServices: [Avgserv9.exe] C:\PROGRA~1\GRISOFT\AVG6\Avgserv9.exe O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background O4 - HKCU\..\Run: [HXIUL.EXE] C:\Program Files\Alset\HelpExpress\.\HXIUL.EXE O4 - HKCU\..\Run: [Cydoor] CD_Load.exe O4 - Startup: EPSON Background Monitor.lnk = C:\ESM2\Stms.exe O4 - Startup: Microsoft Office.lnk.disabled O4 - Startup: Microsoft Office Fast Start.lnk.disabled O4 - Startup: CAMEDIA Master.lnk.disabled O9 - Extra button: Messenger (HKLM) O9 - Extra 'Tools' menuitem: Messenger (HKLM) O9 - Extra button: DownloadLegalMusic (HKLM) O9 - Extra button: Mail (HKCU) O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/s...sh/swflash.cab O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.co...862.3058333333 O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/251eacc5577473a...p/RdxIE601.cab O16 - DPF: {88C51E90-8E9C-4C96-8A45-574D88B63FAF} (Matrix Class) - http://acceso.masminutos.com/laaplicacion.cab
|
|
#7
February 26th, 2004, 12:39 AM
|
||||
|
||||
|
Yep, that got rid of Webhancer.
 Just a few entries to fix and you should be fine. Have a look in Add/Remove Programs in Control Panel for Alset or Help Express. If the program is there, uninstall it and reboot.Close IE and all open windows and run Hijack This again. Check the below entries and click on Fix Checked. R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about_:blank R3 - Default URLSearchHook is missing O3 - Toolbar: &SearchBar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\PROGRAM FILES\MYWAY\MYBAR\1.BIN\MYBAR.DLL (file missing) O4 - HKCU\..\Run: [HXIUL.EXE] C:\Program Files\Alset\HelpExpress\.\HXIUL.EXE O4 - HKCU\..\Run: [Cydoor] CD_Load.exe O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/251eacc5577473...ip/RdxIE601.cab O16 - DPF: {88C51E90-8E9C-4C96-8A45-574D88B63FAF} (Matrix Class) - http://acceso.masminutos.com/laaplicacion.cab Reboot, make sure that you can view hidden files and folders, run a search for the below files/folders in bold and delete them. C:\Program Files\Alset CD_Load.exe Post back a new log. What can you tell me about the below application steffkelly? O4 - HKLM\..\Run: [VSN] C:\PROGRAM FILES\VSN\VSN.EXE Also, is your AV still reporting Turown? If so, please post the name of the infected file and the file path.
|
|
#8
February 26th, 2004, 02:27 PM
|
|||
|
|||
|
Hello AnnMarie, i checked out that vsn file, it's actually for sharing photo's across the web, i think my parents use it so i cant get rid of it. AVG isn't reporting the Turown trojan so that must be gone, but my spybot is still getting stuck at that C2.lop file despite running the file at http://www.memorywatcher.com/uninst.exe as you suggested earlier. Any thoughts on that? Anyway here's my latest hijack this log
Logfile of HijackThis v1.97.7 Scan saved at 13:27:51, on 26/02/04 Platform: Windows 98 SE (Win9x 4.10.2222A) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Running processes: C:\WINDOWS\SYSTEM\KERNEL32.DLL C:\WINDOWS\SYSTEM\MSGSRV32.EXE C:\WINDOWS\SYSTEM\MPREXE.EXE C:\WINDOWS\SYSTEM\mmtask.tsk C:\PROGRAM FILES\GRISOFT\AVG6\AVGSERV9.EXE C:\WINDOWS\EXPLORER.EXE C:\WINDOWS\TASKMON.EXE C:\PROGRAM FILES\MICROSOFT HARDWARE\POINT32.EXE C:\WINDOWS\SYSTEM\ATIPTAAA.EXE C:\WINDOWS\SYSTEM\STIMON.EXE C:\WINDOWS\SYSTEM\DDHELP.EXE C:\WINDOWS\LOADQM.EXE C:\WINDOWS\WT\UPDATER\WCMDMGR.EXE C:\WINDOWS\SYSTEM\MSWHEEL.EXE C:\PROGRAM FILES\TYPHOON MULTIMEDIA FOR LIVING\8D SCROLL BALL MOUSE\1.1\LWBWHEEL.EXE C:\WINDOWS\RUNDLL32.EXE C:\WINDOWS\SYSTEM\USBMONIT.EXE C:\PROGRAM FILES\VSN\VSN.EXE C:\PROGRAM FILES\GRISOFT\AVG6\AVGCC32.EXE C:\WINDOWS\STARTER.EXE C:\WINDOWS\SYSTEM\RNAAPP.EXE C:\WINDOWS\SYSTEM\TAPISRV.EXE C:\PROGRAM FILES\VSN\VSN.EXE C:\PROGRAM FILES\VSN\VSN.EXE C:\WINDOWS\SYSTEM\PSTORES.EXE C:\MY DOCUMENTS\STEFF'S STUFF\HIJACKTHIS.EXE R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/ R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://home.iol.ie O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe O4 - HKLM\..\Run: [AtiCwd32] Aticwd32.exe O4 - HKLM\..\Run: [AtiKey] Atitask.exe O4 - HKLM\..\Run: [POINTER] C:\PROGRA~1\MICROS~1\point32.exe O4 - HKLM\..\Run: [ATIGART] c:\ati\gart\atigart.exe O4 - HKLM\..\Run: [AtiPTA] Atiptaaa.exe O4 - HKLM\..\Run: [AtiQiPcl] AtiQiPcl.exe O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE O4 - HKLM\..\Run: [3dfx Tools] rundll32.exe 3dfxCmn.dll,UpdateRegSettings O4 - HKLM\..\Run: [PMXInit] C:\WINDOWS\SYSTEM\pmxinit.exe O4 - HKLM\..\Run: [wcmdmgr] C:\WINDOWS\wt\updater\wcmdmgrl.exe -launch O4 - HKLM\..\Run: [LoadQM] loadqm.exe O4 - HKLM\..\Run: [LWBMOUSE] C:\Program Files\Typhoon Multimedia for living\8D Scroll Ball Mouse\1.1\LWBWHEEL.exe O4 - HKLM\..\Run: [AME_CSA] rundll32 AmeCSA.cpl,RUN_DLL O4 - HKLM\..\Run: [Gene USB Monitor] c:\windows\SYSTEM\USBMonit.exe O4 - HKLM\..\Run: [VSN] C:\PROGRAM FILES\VSN\VSN.EXE O4 - HKLM\..\Run: [AVG_CC] C:\PROGRAM FILES\GRISOFT\AVG6\avgcc32.exe /startup O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe O4 - HKLM\..\RunServices: [Avgserv9.exe] C:\PROGRA~1\GRISOFT\AVG6\Avgserv9.exe O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background O4 - Startup: EPSON Background Monitor.lnk = C:\ESM2\Stms.exe O4 - Startup: Microsoft Office.lnk.disabled O4 - Startup: Microsoft Office Fast Start.lnk.disabled O4 - Startup: CAMEDIA Master.lnk.disabled O9 - Extra button: Messenger (HKLM) O9 - Extra 'Tools' menuitem: Messenger (HKLM) O9 - Extra button: DownloadLegalMusic (HKLM) O9 - Extra button: Mail (HKCU) O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/s...sh/swflash.cab O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.co...862.3058333333
|
|
#9
February 26th, 2004, 10:02 PM
|
||||
|
||||
|
Hi steffkelly - thanks for that information re VSN. I hadnt seen the startup before and just wanted to check it out. Re Spybot, thats a bug in the program that was supposed to be fixed a long time ago. If you wish to continue using Spybot, you will have to set it to ignore those entries.
Your log is fine now so you are good to go.
|
|
#10
February 27th, 2004, 12:22 PM
|
|||
|
|||
|
Thanks for all the help AnnMarie
|
 |
| Bookmarks |
«
Previous Topic
|
Next Topic
»
| Topic Tools | |
|
|
All times are GMT +1. The time now is 08:55 AM.
