1. Computer problem? Tech Support Guy is completely free -- paid for by advertisers and donations. Click here to join today! If you're new to Tech Support Guy, we highly recommend that you visit our Guide for New Members.

Attacked by PORN

Discussion in 'Virus & Other Malware Removal' started by Mbourque, Feb 3, 2005.

Thread Status:
Not open for further replies.
Advertisement
  1. Mbourque

    Mbourque Thread Starter

    Joined:
    Jan 6, 2004
    Messages:
    172
    Help again please! This XXX site downloaded itself onto kid's computer and would immediately open upon start-up. The toolbar at the top of the page had an UNINSTALL icon so I clicked it. It came up with an error that says: "SAB072.TMP.EXE file linked to missing export WININET.dll:InternetGetConnectedState" but when I clicked OK, it went away and the XXX Icon on my desktop went away too. Ran HJT and OH MY GOD, its LOADED with junk/trash/etc.

    Can you check my HJT log and advise so that I can get the rest of this SCUM off my computer? THANKYOU!

    Logfile of HijackThis v1.99.0
    Scan saved at 1:38:57 PM, on 2/3/05
    Platform: Windows 98 Gold (Win9x 4.10.1998)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\WINDOWS\SYSTEM\WUVIEWER.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS\SYSTEM\QTTASK.EXE
    C:\WINDOWS\SYSTEM\SYSTIME.EXE
    C:\WINDOWS\SYSTEM\SERVICES\{D3656EC0-756F-11D9-A43C-0006251CD5CA}\SVCHOST.EXE
    C:\PROGRAM FILES\NETSCAPE\NETSCAPE\NETSCP.EXE
    C:\WINDOWS\SYSTEM\SYSTIME.EXE
    C:\PROGRAM FILES\LINKSYS\WMP11 CONFIG UTILITY\WMP11CFG.EXE
    C:\AMERICA ONLINE 6.0C\AOLTRAY.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\PROGRAM FILES\YAHOO!\MESSENGER\YMSGR_TRAY.EXE
    C:\MY DOCUMENTS\FIX FILES\HIJACKTHIS\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.134/index.php
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://213.159.117.134/index.php
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.134/index.php
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://213.159.117.134/index.php
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.134/index.php
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.134/index.php
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by America Online
    N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.com/bookmark/7_1/home.html"); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\g9heivk6.slt\prefs.js)
    N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CPROGRAM%20FILES%5CNETSCAPE%5CNETSCAPE%5Csearchplugins%5CSBWeb_01.src"); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\g9heivk6.slt\prefs.js)
    O1 - Hosts: 127.0.0.3 www.greg-tut.com
    O1 - Hosts: 127.0.0.3 nylonsexy.com
    O1 - Hosts: 127.0.0.3 www.nylonsexy.com
    O1 - Hosts: 127.0.0.3 vparivalka.com
    O1 - Hosts: 127.0.0.3 www.vparivalka.comtoescrowpay.com
    O1 - Hosts: 127.0.0.3 www.awmdabest.com
    O1 - Hosts: 127.0.0.3 www.sexfiles.nu
    O1 - Hosts: 127.0.0.3 awmdabest.com
    O1 - Hosts: 127.0.0.3 sexfiles.nu
    O1 - Hosts: 127.0.0.3 allforadult.com
    O1 - Hosts: 127.0.0.3 www.allforadult.com
    O1 - Hosts: 127.0.0.3 www.iframe.biz
    O1 - Hosts: 127.0.0.3 iframe.biz
    O1 - Hosts: 127.0.0.3 www.newiframe.biz
    O1 - Hosts: 127.0.0.3 newiframe.biz
    O1 - Hosts: 127.0.0.3 www.vesbiz.biz
    O1 - Hosts: 127.0.0.3 vesbiz.biz
    O1 - Hosts: 127.0.0.3 www.pizdato.biz
    O1 - Hosts: 127.0.0.3 pizdato.biz
    O1 - Hosts: 127.0.0.3 www.aaasexypics.com
    O1 - Hosts: 127.0.0.3 aaasexypics.com
    O1 - Hosts: 127.0.0.3 www.virgin-tgp.net
    O1 - Hosts: 127.0.0.3 virgin-tgp.net
    O1 - Hosts: 127.0.0.3 www.awmcash.biz
    O1 - Hosts: 127.0.0.3 awmcash.biz
    O1 - Hosts: 127.0.0.3 buldog-stats.com
    O1 - Hosts: 127.0.0.3 www.buldog-stats.com
    O1 - Hosts: 127.0.0.3 fregat.drocherway.com
    O1 - Hosts: 127.0.0.3 slutmania.biz
    O1 - Hosts: 127.0.0.3 www.slutmania.biz
    O1 - Hosts: 127.0.0.3 toolbarpartner.com
    O1 - Hosts: 127.0.0.3 www.toolbarpartner.com
    O1 - Hosts: 127.0.0.3 www.megapornix.com
    O1 - Hosts: 127.0.0.3 megapornix.com
    O1 - Hosts: 127.0.0.3 www.sp2****ed.biz
    O1 - Hosts: 127.0.0.3 sp2****ed.biz
    O1 - Hosts: 127.0.0.3 greg-tut.com
    O1 - Hosts: http://213.159.117.203/dkprogs/hosts.txt
    O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN2\YCOMP5_5_7_0.DLL
    O2 - BHO: (no name) - {B72F75B8-93F3-429D-B13E-660B206D897A} - C:\WINDOWS\SYSTEM\porynt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN2\YCOMP5_5_7_0.DLL
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [OEMCleanup] C:\WINDOWS\OPTIONS\OEMRESET.EXE
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
    O4 - HKLM\..\Run: [SysTime] C:\WINDOWS\SYSTEM\systime.exe
    O4 - HKLM\..\Run: [Spoolsv32] spools.exe
    O4 - HKLM\..\Run: [wuviewer] C:\WINDOWS\SYSTEM\wuviewer.exe
    O4 - HKLM\..\Run: [Service Host] C:\WINDOWS\SYSTEM\SERVICES\{D3656EC0-756F-11D9-A43C-0006251CD5CA}\SVCHOST.EXE
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] C:\WINDOWS\SYSTEM\mstask.exe
    O4 - HKLM\..\RunServices: [wuviewer] C:\WINDOWS\SYSTEM\wuviewer.exe
    O4 - HKCU\..\Run: [Mozilla Quick Launch] "C:\PROGRA~1\NETSCAPE\NETSCAPE\NETSCP.EXE" -turbo
    O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
    O4 - HKCU\..\Run: [SysTime] C:\WINDOWS\SYSTEM\systime.exe
    O4 - HKCU\..\Run: [wuviewer] C:\WINDOWS\SYSTEM\wuviewer.exe
    O4 - HKCU\..\RunServices: [Mozilla Quick Launch] "C:\PROGRA~1\NETSCAPE\NETSCAPE\NETSCP.EXE" -turbo
    O4 - HKCU\..\RunServices: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
    O4 - HKCU\..\RunServices: [SysTime] C:\WINDOWS\SYSTEM\systime.exe
    O4 - HKCU\..\RunServices: [wuviewer] C:\WINDOWS\SYSTEM\wuviewer.exe
    O4 - Startup: Wireless PCI Card Configuration Utility.lnk = C:\Program Files\Linksys\WMP11 Config Utility\WMP11Cfg.exe
    O4 - Startup: America Online 6.0 Tray Icon.lnk = C:\America Online 6.0c\aoltray.exe
    O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
    O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM95\AIM.EXE
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES0521.DLL
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES0521.DLL
    O12 - Plugin for .avi: C:\PROGRA~1\NETSCAPE\NAVIGA~1\PROGRAM\PLUGINS\NpAvi32.dll
    O15 - Trusted Zone: *.windupdates.com
    O15 - Trusted Zone: *.searchmiracle.com
    O15 - Trusted Zone: *.searchbarcash.com
    O15 - Trusted Zone: *.skoobidoo.com
    O15 - Trusted Zone: *.my-internet.info
    O15 - Trusted Zone: *.xxxtoolbar.com
    O15 - Trusted Zone: *.slotch.com
    O15 - Trusted Zone: *.flingstone.com
    O15 - Trusted Zone: *.mt-download.com
    O15 - Trusted Zone: *.blazefind.com
    O15 - Trusted Zone: *.clickspring.net
    O15 - Trusted Zone: *.ysbweb.com
    O15 - Trusted Zone: *.slotchbar.com
    O15 - Trusted Zone: *.iframedollars.biz
    O15 - Trusted Zone: *.windupdates.com (HKLM)
    O15 - Trusted Zone: *.searchbarcash.com (HKLM)
    O15 - Trusted Zone: *.searchmiracle.com (HKLM)
    O15 - Trusted Zone: *.skoobidoo.com (HKLM)
    O15 - Trusted Zone: *.my-internet.info (HKLM)
    O15 - Trusted Zone: *.xxxtoolbar.com (HKLM)
    O15 - Trusted Zone: *.slotch.com (HKLM)
    O15 - Trusted Zone: *.flingstone.com (HKLM)
    O15 - Trusted Zone: *.mt-download.com (HKLM)
    O15 - Trusted Zone: *.blazefind.com (HKLM)
    O15 - Trusted Zone: *.clickspring.net (HKLM)
    O15 - Trusted Zone: *.ysbweb.com (HKLM)
    O15 - Trusted Zone: *.slotchbar.com (HKLM)
    O15 - Trusted Zone: *.iframedollars.biz (HKLM)
    O15 - Trusted IP range: 213.159.117.202
    O15 - Trusted IP range: 213.159.117.202 (HKLM)
    O16 - DPF: {928626A3-6B98-11CF-90B4-00AA00A4011F} (SurroundVideoCtrl Object) - http://carpoint.msn.com/Components/SurVid/MSSurVid.cab
    O16 - DPF: {50F65670-1729-11D2-A51F-0020AFE5D502} (ForumChat) - http://objects.compuserve.com/chat/RTCChat.cab
    O16 - DPF: {02466323-75ED-11CF-A267-0020AF2546EA} (VivoActive Control) - http://player.vivo.com/ie/vvweb.cab
    O16 - DPF: {EE5CA45C-BFAC-48E6-BE6C-3C607620FF43} (IMViewerControl Class) - http://companion.logitech.com/companion/bin/imvid.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003120501/housecall.antivirus.com/housecall/xscan53.cab
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: Win32 Classes - file://C:\WINDOWS\Java\classes\win32ie4.cab
    O18 - Filter: text/html - {B72F75B8-93F3-429D-B13E-660B206D897A} - C:\WINDOWS\SYSTEM\porynt.dll
    O18 - Filter: text/plain - {B72F75B8-93F3-429D-B13E-660B206D897A} - C:\WINDOWS\SYSTEM\porynt.dll
     
  2. vwnmbus

    vwnmbus

    Joined:
    Jan 21, 2005
    Messages:
    51
    I'm no expert but i would say getting rid of these lines should help


    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.134/index.php
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://213.159.117.134/index.php
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.134/index.php
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://213.159.117.134/index.php
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.134/index.php
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.134/index.php

    O1 - Hosts: 127.0.0.3 www.greg-tut.com
    O1 - Hosts: 127.0.0.3 nylonsexy.com
    O1 - Hosts: 127.0.0.3 www.nylonsexy.com
    O1 - Hosts: 127.0.0.3 vparivalka.com
    O1 - Hosts: 127.0.0.3 www.vparivalka.comtoescrowpay.com
    O1 - Hosts: 127.0.0.3 www.awmdabest.com
    O1 - Hosts: 127.0.0.3 www.sexfiles.nu
    O1 - Hosts: 127.0.0.3 awmdabest.com
    O1 - Hosts: 127.0.0.3 sexfiles.nu
    O1 - Hosts: 127.0.0.3 allforadult.com
    O1 - Hosts: 127.0.0.3 www.allforadult.com
    O1 - Hosts: 127.0.0.3 www.iframe.biz
    O1 - Hosts: 127.0.0.3 iframe.biz
    O1 - Hosts: 127.0.0.3 www.newiframe.biz
    O1 - Hosts: 127.0.0.3 newiframe.biz
    O1 - Hosts: 127.0.0.3 www.vesbiz.biz
    O1 - Hosts: 127.0.0.3 vesbiz.biz
    O1 - Hosts: 127.0.0.3 www.pizdato.biz
    O1 - Hosts: 127.0.0.3 pizdato.biz
    O1 - Hosts: 127.0.0.3 www.aaasexypics.com
    O1 - Hosts: 127.0.0.3 aaasexypics.com
    O1 - Hosts: 127.0.0.3 www.virgin-tgp.net
    O1 - Hosts: 127.0.0.3 virgin-tgp.net
    O1 - Hosts: 127.0.0.3 www.awmcash.biz
    O1 - Hosts: 127.0.0.3 awmcash.biz
    O1 - Hosts: 127.0.0.3 buldog-stats.com
    O1 - Hosts: 127.0.0.3 www.buldog-stats.com
    O1 - Hosts: 127.0.0.3 fregat.drocherway.com
    O1 - Hosts: 127.0.0.3 slutmania.biz
    O1 - Hosts: 127.0.0.3 www.slutmania.biz
    O1 - Hosts: 127.0.0.3 toolbarpartner.com
    O1 - Hosts: 127.0.0.3 www.toolbarpartner.com
    O1 - Hosts: 127.0.0.3 www.megapornix.com
    O1 - Hosts: 127.0.0.3 megapornix.com
    O1 - Hosts: 127.0.0.3 www.sp2****ed.biz
    O1 - Hosts: 127.0.0.3 sp2****ed.biz
    O1 - Hosts: 127.0.0.3 greg-tut.com
    O1 - Hosts: http://213.159.117.203/dkprogs/hosts.txt

    O2 - BHO: (no name) - {B72F75B8-93F3-429D-B13E-660B206D897A} - C:\WINDOWS\SYSTEM\porynt.dll

    O15 - Trusted Zone: *.windupdates.com
    O15 - Trusted Zone: *.searchmiracle.com
    O15 - Trusted Zone: *.searchbarcash.com
    O15 - Trusted Zone: *.skoobidoo.com
    O15 - Trusted Zone: *.my-internet.info
    O15 - Trusted Zone: *.xxxtoolbar.com
    O15 - Trusted Zone: *.slotch.com
    O15 - Trusted Zone: *.flingstone.com
    O15 - Trusted Zone: *.mt-download.com
    O15 - Trusted Zone: *.blazefind.com
    O15 - Trusted Zone: *.clickspring.net
    O15 - Trusted Zone: *.ysbweb.com
    O15 - Trusted Zone: *.slotchbar.com
    O15 - Trusted Zone: *.iframedollars.biz
    O15 - Trusted Zone: *.windupdates.com (HKLM)
    O15 - Trusted Zone: *.searchbarcash.com (HKLM)
    O15 - Trusted Zone: *.searchmiracle.com (HKLM)
    O15 - Trusted Zone: *.skoobidoo.com (HKLM)
    O15 - Trusted Zone: *.my-internet.info (HKLM)
    O15 - Trusted Zone: *.xxxtoolbar.com (HKLM)
    O15 - Trusted Zone: *.slotch.com (HKLM)
    O15 - Trusted Zone: *.flingstone.com (HKLM)
    O15 - Trusted Zone: *.mt-download.com (HKLM)
    O15 - Trusted Zone: *.blazefind.com (HKLM)
    O15 - Trusted Zone: *.clickspring.net (HKLM)
    O15 - Trusted Zone: *.ysbweb.com (HKLM)
    O15 - Trusted Zone: *.slotchbar.com (HKLM)
    O15 - Trusted Zone: *.iframedollars.biz (HKLM)
    O15 - Trusted IP range: 213.159.117.202
    O15 - Trusted IP range: 213.159.117.202 (HKLM)

    There is most likely more, But, this looks like a good start.
     
  3. vwnmbus

    vwnmbus

    Joined:
    Jan 21, 2005
    Messages:
    51
  4. Mbourque

    Mbourque Thread Starter

    Joined:
    Jan 6, 2004
    Messages:
    172
    I had HJT fix the "Hosts" and the "trusted zones". Ran adaware and it deleted 69 items, one of which was CoolWebSearch so I then ran (or rather, TRIED to run) CWShredder. I have an older copy on this computer so i told it to search for updates and it froze (as in stopped responding) so when I went to close it, i got a message box that says "you have a variant of CWS called CWS.Smartsearch2 which attempted to close CWS. To counter this CWSS is starting with a random string of text in the title bar. CWS is not corrupted" I clicked okay then check for updates again and it again stopped responding and I got the same message. This time I hit FIX and it ran and said system is clean, but I don't believe it! I'm going to try and download a newer version and run it again.

    As I'm typing this, that smutty looking blonde icon for the porno site keeps trying to load.....

    Just for good measure, here's a new HJT since I deleted some items and ran adaware.

    Logfile of HijackThis v1.99.0
    Scan saved at 4:19:16 PM, on 2/3/05
    Platform: Windows 98 Gold (Win9x 4.10.1998)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\WINDOWS\SYSTEM\WUVIEWER.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS\SYSTEM\QTTASK.EXE
    C:\WINDOWS\SYSTEM\SYSTIME.EXE
    C:\WINDOWS\SYSTEM\SERVICES\{D3656EC0-756F-11D9-A43C-0006251CD5CA}\SVCHOST.EXE
    C:\PROGRAM FILES\NETSCAPE\NETSCAPE\NETSCP.EXE
    C:\WINDOWS\SYSTEM\SYSTIME.EXE
    C:\PROGRAM FILES\LINKSYS\WMP11 CONFIG UTILITY\WMP11CFG.EXE
    C:\AMERICA ONLINE 6.0C\AOLTRAY.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\PROGRAM FILES\YAHOO!\MESSENGER\YMSGR_TRAY.EXE
    C:\MY DOCUMENTS\FIX FILES\HIJACKTHIS\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.134/index.php
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://213.159.117.134/index.php
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.134/index.php
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://213.159.117.134/index.php
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.134/index.php
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.134/index.php
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by America Online
    N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.com/bookmark/7_1/home.html"); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\g9heivk6.slt\prefs.js)
    N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CPROGRAM%20FILES%5CNETSCAPE%5CNETSCAPE%5Csearchplugins%5CSBWeb_01.src"); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\g9heivk6.slt\prefs.js)
    O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN2\YCOMP5_5_7_0.DLL
    O2 - BHO: (no name) - {B72F75B8-93F3-429D-B13E-660B206D897A} - C:\WINDOWS\SYSTEM\porynt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN2\YCOMP5_5_7_0.DLL
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [OEMCleanup] C:\WINDOWS\OPTIONS\OEMRESET.EXE
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
    O4 - HKLM\..\Run: [SysTime] C:\WINDOWS\SYSTEM\systime.exe
    O4 - HKLM\..\Run: [Spoolsv32] spools.exe
    O4 - HKLM\..\Run: [wuviewer] C:\WINDOWS\SYSTEM\wuviewer.exe
    O4 - HKLM\..\Run: [Service Host] C:\WINDOWS\SYSTEM\SERVICES\{D3656EC0-756F-11D9-A43C-0006251CD5CA}\SVCHOST.EXE
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] C:\WINDOWS\SYSTEM\mstask.exe
    O4 - HKLM\..\RunServices: [wuviewer] C:\WINDOWS\SYSTEM\wuviewer.exe
    O4 - HKCU\..\Run: [Mozilla Quick Launch] "C:\PROGRA~1\NETSCAPE\NETSCAPE\NETSCP.EXE" -turbo
    O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
    O4 - HKCU\..\Run: [SysTime] C:\WINDOWS\SYSTEM\systime.exe
    O4 - HKCU\..\Run: [wuviewer] C:\WINDOWS\SYSTEM\wuviewer.exe
    O4 - HKCU\..\RunServices: [Mozilla Quick Launch] "C:\PROGRA~1\NETSCAPE\NETSCAPE\NETSCP.EXE" -turbo
    O4 - HKCU\..\RunServices: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
    O4 - HKCU\..\RunServices: [SysTime] C:\WINDOWS\SYSTEM\systime.exe
    O4 - HKCU\..\RunServices: [wuviewer] C:\WINDOWS\SYSTEM\wuviewer.exe
    O4 - Startup: Wireless PCI Card Configuration Utility.lnk = C:\Program Files\Linksys\WMP11 Config Utility\WMP11Cfg.exe
    O4 - Startup: America Online 6.0 Tray Icon.lnk = C:\America Online 6.0c\aoltray.exe
    O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
    O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM95\AIM.EXE
    O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES0521.DLL
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES0521.DLL
    O12 - Plugin for .avi: C:\PROGRA~1\NETSCAPE\NAVIGA~1\PROGRAM\PLUGINS\NpAvi32.dll
    O15 - Trusted IP range: 213.159.117.202
    O15 - Trusted IP range: 213.159.117.202 (HKLM)
    O16 - DPF: {928626A3-6B98-11CF-90B4-00AA00A4011F} (SurroundVideoCtrl Object) - http://carpoint.msn.com/Components/SurVid/MSSurVid.cab
    O16 - DPF: {50F65670-1729-11D2-A51F-0020AFE5D502} (ForumChat) - http://objects.compuserve.com/chat/RTCChat.cab
    O16 - DPF: {02466323-75ED-11CF-A267-0020AF2546EA} (VivoActive Control) - http://player.vivo.com/ie/vvweb.cab
    O16 - DPF: {EE5CA45C-BFAC-48E6-BE6C-3C607620FF43} (IMViewerControl Class) - http://companion.logitech.com/companion/bin/imvid.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003120501/housecall.antivirus.com/housecall/xscan53.cab
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab

    Will post back as soon as I can download and run CWShredder again.
     
  5. vwnmbus

    vwnmbus

    Joined:
    Jan 21, 2005
    Messages:
    51
    Stop this process

    C:\WINDOWS\SYSTEM\WUVIEWER.EXE

    Run HJT again and fix these entries

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.134/index.php
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://213.159.117.134/index.php
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.134/index.php
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://213.159.117.134/index.php
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.134/index.php
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.134/index.php

    O2 - BHO: (no name) - {B72F75B8-93F3-429D-B13E-660B206D897A} - C:\WINDOWS\SYSTEM\porynt.dll

    O4 - HKLM\..\Run: [wuviewer] C:\WINDOWS\SYSTEM\wuviewer.exe

    O4 - HKLM\..\RunServices: [wuviewer] C:\WINDOWS\SYSTEM\wuviewer.exe

    O15 - Trusted IP range: 213.159.117.202
    O15 - Trusted IP range: 213.159.117.202 (HKLM)

    Then restart the comp and repost a new log
     
  6. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    56,283
    First Name:
    Derek
    Read all these instructions carefully, Print them out and download all the things mentioned before starting

    First download CWshredder from http://www.intermute.com/spysubtract/cwshredder_download.html and install it and update it, DO not run it yet

    Download pocket killbox from Download pocket killbox from http://www.thespykiller.co.uk/files/killbox.exe & put it on the desktop where you can find it easily

    Sign off the internet and remain offline until this procedure is complete. Unplug your modem or disconnect the cable or phone line. Copy these instructions to notepad and save them on your desktop for easy access. You must follow these directions exactly and you cannot skip any part of it.

    Now boot into safe mode

    How to start your computer in safe mode

    Run hijackthis, tick these entries listed below and ONLY these entries, double check to make sure, then make sure all browser & email windows are closed and press fix checked


    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.134/index.php
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://213.159.117.134/index.php
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.134/index.php
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://213.159.117.134/index.php
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.134/index.php
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.134/index.php

    O2 - BHO: (no name) - {B72F75B8-93F3-429D-B13E-660B206D897A} - C:\WINDOWS\SYSTEM\porynt.dll

    O4 - HKLM\..\Run: [SysTime] C:\WINDOWS\SYSTEM\systime.exe
    O4 - HKLM\..\Run: [Spoolsv32] spools.exe
    O4 - HKLM\..\Run: [wuviewer] C:\WINDOWS\SYSTEM\wuviewer.exe
    O4 - HKLM\..\Run: [Service Host] C:\WINDOWS\SYSTEM\SERVICES\{D3656EC0-756F-11D9-A43C-0006251CD5CA}\SVCHOST.EXE

    O4 - HKLM\..\RunServices: [wuviewer] C:\WINDOWS\SYSTEM\wuviewer.exe

    O4 - HKCU\..\Run: [SysTime] C:\WINDOWS\SYSTEM\systime.exe
    O4 - HKCU\..\Run: [wuviewer] C:\WINDOWS\SYSTEM\wuviewer.exe

    O4 - HKCU\..\RunServices: [SysTime] C:\WINDOWS\SYSTEM\systime.exe
    O4 - HKCU\..\RunServices: [wuviewer] C:\WINDOWS\SYSTEM\wuviewer.exe


    O15 - Trusted IP range: 213.159.117.202
    O15 - Trusted IP range: 213.159.117.202 (HKLM)


    now run killbox and paste each of these lines into the box, select standard file delete then press the red X button,say yes to the prompt then continue to paste the lines in in turn and follow the above procedure every time,

    C:\WINDOWS\SYSTEM\systime.exe
    C:\WINDOWS\SYSTEM\wuviewer.exe
    C:\WINDOWS\SYSTEM\porynt.dll
    C:\WINDOWS\SYSTEM\SERVICES\{D3656EC0-756F-11D9-A43C-0006251CD5CA}\SVCHOST.EXE
    C:\WINDOWS\SYSTEM\spools.exe

    then Run Cwshredder
    Close all browser windows, click on the cwshredder.exe then click "FIX" (Not "Scan only") and let it do it's thing.


    then as some of the files or folders you need to delete may be hidden do this:
    Open Windows Explorer & Go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and untick "hide extensions for known file types" . Now click "Apply to all folders"
    Click "Apply" then "OK"

    then Go to Start > Run and type %temp% in the Run box, press OK . The Temp folder will open. Click Edit > Select All then Edit > Delete to delete the entire contents of that Temp folder.

    1) Open Control Panel
    2) Click on Internet Options
    3) On the General Tab, in the middle of the screen, click on Delete Files
    4) You may also want to check the box "Delete all offline content"
    5) Click on OK and wait for the hourglass icon to stop after it deletes the temporary internet files
    6) You can now click on Delete Cookies and click OK to delete cookies that websites have placed on your hard drive

    then
    Run adaware

    Download and unzip or install this program/application if you haven't already got it. If you have it, then make sure it is updated and configured as described

    AdAware SE from http://www.lavasoft.de/support/download
    and while you are at the adaware site download and install http://www.lavasoft.de/software/addons/vx2cleaner.shtml
    and run it before the main adaware scan and follow it's directions
    Run ADAWARE

    Before you scan with AdAware, check for updates of the reference file by using the "webupdate".
    the current ref file should read at least SE1R26 25.01.2005 or a higher number/later date

    Set up the Configurations as follows:

    General Button
    Safety:
    Check (Green) all three.

    Click on "Proceed"

    Please deselect "Search for negligible risk entries", as negligible risk entries (MRU's) are not considered to be a threat.

    Click on "Scan Now"

    Run the scanner using the Full Scan (Perform full system scan) mode.

    When scan is finished, mark everything for removal and get rid of it. (Right-click the window and choose"select all" from the drop down menu) then press next and then say yes to the prompt, do you want to remove all these entries.

    NOW REBOOT

    Run an online antivirus check from
    http://housecall.trendmicro.com/

    Make sure autoclean is ticked

    reboot again

    These hijackers are known to alter or delete certain files so check this out please:

    Download the Hoster from here . UnZip the file and run hoster then press "Restore Original Hosts" and press "OK". Exit Program.

    If you have Spybot S&D installed you will also need to replace one file.
    Go here and download SDHelper.dll. Copy the file to the folder containing you Spybot S&D program (normally C:\Program Files\Spybot - Search & Destroy)


    IMPORTANT!: Please check your ActiveX security settings. They may have been changed by this CWS variant to allow ALL ActiveX!! If they have been changed, reset your active x security settings in IE as recommended here.


    Then post a new hijackthis log to check please
     
  7. Mbourque

    Mbourque Thread Starter

    Joined:
    Jan 6, 2004
    Messages:
    172
    Making my way through your list of instructions but I've hit a snag.

    Just as a status report (in order of instructions and actions I took):
    Killbox: c/win.../spools.exe -- file does not exist
    CWShredder was CLEAN
    Delete temp files: ~dfb62c.tmp did not delete--access denied
    ~dfb631.tmp did not delete--access denied
    VX2 was CLEAN

    Ad-aware is where the snag is occurring: it keeps shutting down! The first time I tried to run it identified 54 objects of 80810 scanned and then shut down due to illegal operation in Kernel32.dll. I had to reboot to safe mode to clear off the error message. The second time I ran it, it identified 24 objects of 69754 scanned and had a GPF in Kernel386.exe and I again had to reboot to safe

    What should I do now?????

    ALSO, this computer hits the internet via a wireless PCI card that "talks" to the Router & cable modem that's on my other computer. When I did the above, I unplugged the cable modem like you said, but that through both computers out of commission. Would it be sufficient to disable the network adapter on the infected computer so that I can work on it, or is it NECESSARY that I unplug the cable modem??
     
  8. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    56,283
    First Name:
    Derek
    Don't worry about the missing file or the unable to delete temp files

    Yes just disable this computer's internet access ( we tend to assume that the computer is a direct connectioin rather than networked)

    Why adawre is doing that I don't know but I suspect some malware that is blocking adaware and probably other security software

    post a fresh HJT log so we can see what didn't delete or might have mutated
     
  9. Mbourque

    Mbourque Thread Starter

    Joined:
    Jan 6, 2004
    Messages:
    172
    Here's the latest HJT log:

    Logfile of HijackThis v1.99.0
    Scan saved at 8:12:08 AM, on 2/4/05
    Platform: Windows 98 Gold (Win9x 4.10.1998)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS\SYSTEM\QTTASK.EXE
    C:\PROGRAM FILES\NETSCAPE\NETSCAPE\NETSCP.EXE
    C:\PROGRAM FILES\LINKSYS\WMP11 CONFIG UTILITY\WMP11CFG.EXE
    C:\AMERICA ONLINE 6.0C\AOLTRAY.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\PROGRAM FILES\YAHOO!\MESSENGER\YMSGR_TRAY.EXE
    C:\MY DOCUMENTS\FIX FILES\HIJACKTHIS\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by America Online
    N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.com/bookmark/7_1/home.html"); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\g9heivk6.slt\prefs.js)
    N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CPROGRAM%20FILES%5CNETSCAPE%5CNETSCAPE%5Csearchplugins%5CSBWeb_01.src"); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\g9heivk6.slt\prefs.js)
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN2\YCOMP5_5_7_0.DLL (file missing)
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [OEMCleanup] C:\WINDOWS\OPTIONS\OEMRESET.EXE
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] C:\WINDOWS\SYSTEM\mstask.exe
    O4 - HKCU\..\Run: [Mozilla Quick Launch] "C:\PROGRA~1\NETSCAPE\NETSCAPE\NETSCP.EXE" -turbo
    O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
    O4 - Startup: Wireless PCI Card Configuration Utility.lnk = C:\Program Files\Linksys\WMP11 Config Utility\WMP11Cfg.exe
    O4 - Startup: America Online 6.0 Tray Icon.lnk = C:\America Online 6.0c\aoltray.exe
    O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
    O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM95\AIM.EXE
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES0521.DLL
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES0521.DLL
    O12 - Plugin for .avi: C:\PROGRA~1\NETSCAPE\NAVIGA~1\PROGRAM\PLUGINS\NpAvi32.dll
    O15 - Trusted IP range: 213.159.117.202
    O15 - Trusted IP range: 213.159.117.202 (HKLM)
    O16 - DPF: {928626A3-6B98-11CF-90B4-00AA00A4011F} (SurroundVideoCtrl Object) - http://carpoint.msn.com/Components/SurVid/MSSurVid.cab
    O16 - DPF: {50F65670-1729-11D2-A51F-0020AFE5D502} (ForumChat) - http://objects.compuserve.com/chat/RTCChat.cab
    O16 - DPF: {EE5CA45C-BFAC-48E6-BE6C-3C607620FF43} (IMViewerControl Class) - http://companion.logitech.com/companion/bin/imvid.cab
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
    O18 - Filter: text/plain - {B72F75B8-93F3-429D-B13E-660B206D897A} - (no file)
     
  10. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    56,283
    First Name:
    Derek
  11. Mbourque

    Mbourque Thread Starter

    Joined:
    Jan 6, 2004
    Messages:
    172
    I went to the site you recommend for the download, but I don't see an option to Download anything. ??

    Also, I did not run Hoster yet as that procedure was to come after running Adaware and I never got to do that. Should I run hoster now or just wait?
     
  12. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    56,283
    First Name:
    Derek
    it's supposed to autodownload when you click on the link

    right click the link and select save as

    and save the file to to desktop

    If you can't get adaware to run properly skip it for now and we'll try later after doing the others
     
  13. Mbourque

    Mbourque Thread Starter

    Joined:
    Jan 6, 2004
    Messages:
    172
    Okay, I got it work by using Internet Explorer as my browser (I normally use Netscape--just a preference thing....) Downloaded, installed and here's the newest HJT log. Next?????

    Logfile of HijackThis v1.99.0
    Scan saved at 6:11:22 PM, on 2/4/05
    Platform: Windows 98 Gold (Win9x 4.10.1998)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS\SYSTEM\QTTASK.EXE
    C:\PROGRAM FILES\LINKSYS\WMP11 CONFIG UTILITY\WMP11CFG.EXE
    C:\AMERICA ONLINE 6.0C\AOLTRAY.EXE
    C:\PROGRAM FILES\YAHOO!\MESSENGER\YMSGR_TRAY.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\PROGRAM FILES\NETSCAPE\NETSCAPE\NETSCP.EXE
    C:\MY DOCUMENTS\FIX FILES\HIJACKTHIS\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by America Online
    N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.com/bookmark/7_1/home.html"); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\g9heivk6.slt\prefs.js)
    N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CPROGRAM%20FILES%5CNETSCAPE%5CNETSCAPE%5Csearchplugins%5CSBWeb_01.src"); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\g9heivk6.slt\prefs.js)
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN2\YCOMP5_5_7_0.DLL (file missing)
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [OEMCleanup] C:\WINDOWS\OPTIONS\OEMRESET.EXE
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] C:\WINDOWS\SYSTEM\mstask.exe
    O4 - HKCU\..\Run: [Mozilla Quick Launch] "C:\PROGRA~1\NETSCAPE\NETSCAPE\NETSCP.EXE" -turbo
    O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
    O4 - Startup: Wireless PCI Card Configuration Utility.lnk = C:\Program Files\Linksys\WMP11 Config Utility\WMP11Cfg.exe
    O4 - Startup: America Online 6.0 Tray Icon.lnk = C:\America Online 6.0c\aoltray.exe
    O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
    O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM95\AIM.EXE
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES0521.DLL
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES0521.DLL
    O12 - Plugin for .avi: C:\PROGRA~1\NETSCAPE\NAVIGA~1\PROGRAM\PLUGINS\NpAvi32.dll
    O16 - DPF: {928626A3-6B98-11CF-90B4-00AA00A4011F} (SurroundVideoCtrl Object) - http://carpoint.msn.com/Components/SurVid/MSSurVid.cab
    O16 - DPF: {50F65670-1729-11D2-A51F-0020AFE5D502} (ForumChat) - http://objects.compuserve.com/chat/RTCChat.cab
    O16 - DPF: {EE5CA45C-BFAC-48E6-BE6C-3C607620FF43} (IMViewerControl Class) - http://companion.logitech.com/companion/bin/imvid.cab
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
    O18 - Filter: text/plain - {B72F75B8-93F3-429D-B13E-660B206D897A} - (no file)
     
  14. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    56,283
    First Name:
    Derek
    That looks clear now so the only problem left is getting adaware to run to clear up any other hidden problems

    please go to http://www.thespykiller.co.uk/forum/index.php and upload these files so I can examine them and distribute them to antivirus companies.
    Just press new topic, fill in the needed details and just give a link to your posts here & then press the browse button and then navigate to & select the files on your computer, If there is more than 1 file then press the more attachments button for each extra file and browse and select etc and then when all the files are listed in the windows press send to upload the files ( do not post HJT logs there as they will not get dealt with)

    Files to submit:

    Anything inside the C:\!submit folder which is where killbox should have made copies of all the files it deleted


    Once I've been able to examine the files it might show what other files were dropped by these pests that have prevented adaware running
     
  15. Mbourque

    Mbourque Thread Starter

    Joined:
    Jan 6, 2004
    Messages:
    172
    Done as requested, Sir! (It kind of hung on the Posting page and I had to STOP and resubmit, and now its posted twice--SORRY)
     
  16. Sponsor

As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 733,556 other people just like you!

Loading...
Thread Status:
Not open for further replies.

Short URL to this thread: https://techguy.org/326390

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice