1. Computer problem? Tech Support Guy is completely free -- paid for by advertisers and donations. Click here to join today! If you're new to Tech Support Guy, we highly recommend that you visit our Guide for New Members.

HIJACK Help

Discussion in 'Virus & Other Malware Removal' started by Cams, Oct 16, 2003.

Thread Status:
Not open for further replies.
Advertisement
  1. Cams

    Cams Thread Starter

    Joined:
    Mar 1, 2001
    Messages:
    45
    Hello,

    I've been trying to clean up a computer of a young collegiate who is obviously devoted to downloads. I have run msconfig and turned off almost everything and have run ad-aware and spybot many times and still can't seem to clear everything. Here is the Hijack log. Any help is most appreciated.

    Thanks,
    Cams

    Logfile of HijackThis v1.97.3
    Scan saved at 12:23:34 PM, on 10/16/03
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\UNZIPPED\HIJACKTHIS\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bates.edu/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:24491
    R3 - Default URLSearchHook is missing
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
    O2 - BHO: (no name) - {D2DF8D12-3328-4160-ABC7-875F28D376A0} - C:\WINDOWS\SYSTEM\OPENGLY32.DLL
    O2 - BHO: (no name) - {9553D860-DF77-41DD-A33B-C73D6AA139E2} - C:\WINDOWS\SYSTEM\WINTSRUST.DLL
    O2 - BHO: (no name) - {20c9ba1e-1b0a-4225-88b0-da00caed77b6} - C:\WINDOWS\APPLICATION DATA\BRDRIEFRTHCHS.DLL
    O2 - BHO: (no name) - {E8B4F3AA-9509-4081-9A85-914D5E9BEC81} - C:\WINDOWS\SYSTEM\BPV1D.DLL
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O3 - Toolbar: (no name) - {224530A0-C9CB-4AEE-9C0F-54AC1B533211} - (no file)
    O3 - Toolbar: (no name) - {FE175E66-B807-4D0B-9C44-4178FA3A305F} - (no file)
    O3 - Toolbar: PowerSearch - {4E7BD74F-2B8D-469E-D3FA-F27BA787AD2D} - C:\PROGRA~1\POWERS~1\TOOLBAR\PWRSWMDA.DLL (file missing)
    O3 - Toolbar: shxtrfraeae - {073ae0cb-5391-4036-8d09-f723eb270194} - C:\WINDOWS\APPLICATION DATA\BRDRIEFRTHCHS.DLL
    O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE10\EXCEL.EXE/3000
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: MSN Messenger Service (HKLM)
    O9 - Extra button: AIM (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Turbo Download (HKLM)
    O9 - Extra button: Dell Home (HKCU)
    O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://active.macromedia.com/director/cabs/sw.cab
    O16 - DPF: {34805D32-AD89-469E-8503-A5666AEE4333} (RdxIE Class) - http://207.188.7.103/012eac358500bc7d0105/netzip/RdxIE.cab
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...ple.com/drakken/us/win/QuickTimeInstaller.exe
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {F7DC2A2E-FC34-11D3-B1D9-00A0C99B41BB} (Zoom Class) - http://www.zoomify.com/download/zoomify305.cab
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37866.4125462963
    O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://216.220.226.126/activex/AxisCamControl.ocx
     
  2. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    56,163
    First Name:
    Derek
    first thing to do is re-enable everything in msconfig then
    download AdAware 6 181
    Before you scan with AdAware, check for updates of the reference file by using the "webupdate".

    Then ........

    Make sure the following settings are made and on -------"ON=GREEN"
    From main window :Click "Start" then " Activate in-depth scan"

    then......

    click "Use custom scanning options>Customize" and have these options on: "Scan within archives" ,"Scan active processes","Scan registry", "Deep scan registry" ,"Scan my IE Favorites for banned URL" and "Scan my host-files"

    then.........

    go to settings(the gear on top of AdAware)>Tweak>Scanning engine and tick "Unload recognized processes during scanning" ...........then........"Cleaning engine" and tick "Automaticly try to unregister objects prior to deletion" and "Let windows remove files in use at next reboot"

    then...... click "proceed" to save your settings.

    Now to scan it´s just to click the "Scan" button.

    When scan is finished, mark everything for removal and get rid of it.

    then
    Download Spybot - Search & Destroy from http://security.kolla.de


    After installing, first press Online, and search for, put a check mark at, and install all updates.
    Next, close all Internet Explorer and OE windows, hit 'Check for Problems', and have SpyBot remove all it finds that is marked in RED.

    then post a new hijackthis log to check what is left
     
  3. Cams

    Cams Thread Starter

    Joined:
    Mar 1, 2001
    Messages:
    45
    I have followed all your instructions. Here is the latest log.

    Thanks

    Logfile of HijackThis v1.97.3
    Scan saved at 3:11:22 PM, on 10/16/03
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\WINDOWS\SYSTEM\3COM_DMI\3CDMINIC.EXE
    C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\VS7DEBUG\MDM.EXE
    C:\PROGRAM FILES\DELL\OPENMANAGE\CLIENT\ACTIONAGENT.EXE
    C:\PROGRAM FILES\DELL\OPENMANAGE\CLIENT\EVENTAGT.EXE
    C:\PROGRAM FILES\DELL\OPENMANAGE\CLIENT\DLT.EXE
    C:\PROGRAM FILES\DELL\OPENMANAGE\CLIENT\IAP.EXE
    C:\DMI\WIN32\BIN\WIN32SL.EXE
    C:\DMI\WIN32\BIN\DELLDMI.EXE
    C:\WINDOWS\SYSTEM\RPCSS.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
    C:\WINDOWS\SYSTEM\QTTASK.EXE
    C:\MOUSE\SYSTEM\EM_EXEC.EXE
    C:\PROGRAM FILES\NETROPA\MULTIMEDIA KEYBOARD\MMKEYBD.EXE
    C:\PROGRAM FILES\DIGSTREAM\DIGSTREAM.EXE
    C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
    C:\PROGRAM FILES\NETROPA\MULTIMEDIA KEYBOARD\MMUSBKB2.EXE
    C:\WINDOWS\CHARITYBUY.EXE
    C:\WINDOWS\SYSTEM32\SERVICE.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\WINDOWS\SYSTEM\CTFMON.EXE
    C:\WINDOWS\RunDLL.exe
    C:\PROGRAM FILES\ALSET\HELPEXPRESS\DEFAULT\HXIUL.EXE
    C:\PROGRAM FILES\NETROPA\MULTIMEDIA KEYBOARD\TRAYMON.EXE
    C:\PROGRAM FILES\ALSET\HELPEXPRESS\DEFAULT\CLIENT\HELPEXP.EXE
    C:\PROGRAM FILES\NETROPA\ONSCREEN DISPLAY\OSD.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\PROGRAM FILES\ALSET\HELPEXPRESS\DEFAULT\CLIENT\PRINTMONITOR.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\WINDOWS\SYSTEM\DMK7U0TZ.EXE
    C:\WINDOWS\SYSTEM\DMK7U0TZ.EXE
    C:\WINDOWS\EMSW.EXE
    C:\UNZIPPED\HIJACKTHIS\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bates.edu/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:24491
    R3 - Default URLSearchHook is missing
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
    O2 - BHO: (no name) - {D2DF8D12-3328-4160-ABC7-875F28D376A0} - C:\WINDOWS\SYSTEM\OPENGLY32.DLL
    O2 - BHO: (no name) - {9553D860-DF77-41DD-A33B-C73D6AA139E2} - C:\WINDOWS\SYSTEM\WINTSRUST.DLL
    O2 - BHO: (no name) - {20c9ba1e-1b0a-4225-88b0-da00caed77b6} - C:\WINDOWS\APPLICATION DATA\BRDRIEFRTHCHS.DLL
    O2 - BHO: (no name) - {E8B4F3AA-9509-4081-9A85-914D5E9BEC81} - C:\WINDOWS\SYSTEM\BPV1D.DLL
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
    O2 - BHO: (no name) - {A85C4A1B-BD36-44E5-A70F-8EC347D9B24F} - C:\WINDOWS\BS3.DLL
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O3 - Toolbar: (no name) - {224530A0-C9CB-4AEE-9C0F-54AC1B533211} - (no file)
    O3 - Toolbar: (no name) - {FE175E66-B807-4D0B-9C44-4178FA3A305F} - (no file)
    O3 - Toolbar: PowerSearch - {4E7BD74F-2B8D-469E-D3FA-F27BA787AD2D} - C:\PROGRA~1\POWERS~1\TOOLBAR\PWRSWMDA.DLL (file missing)
    O3 - Toolbar: shxtrfraeae - {073ae0cb-5391-4036-8d09-f723eb270194} - C:\WINDOWS\APPLICATION DATA\BRDRIEFRTHCHS.DLL
    O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET
    O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp3\winampa.exe"
    O4 - HKLM\..\Run: [Buddyizer] C:\Program Files\Aimster\Buddyizer.exe
    O4 - HKLM\..\Run: [Eac_Download] C:\PROGRAM FILES\COMMON FILES\EACCELERATION\DOWNLOAD.EXE -k
    O4 - HKLM\..\Run: [Webcelerator] C:\Program Files\Acceleration Software\Webcelerator\webcel.exe runstart
    O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [EM_EXEC] c:\mouse\system\em_exec.exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [TCASUTIEXE] TCAUDIAG -off
    O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
    O4 - HKLM\..\Run: [ddeproc] C:\Program Files\Acceleration Software\Webcelerator\ddeproc.exe
    O4 - HKLM\..\Run: [WT GameChannel] C:\Program Files\WildTangent\Apps\GameChannel.exe
    O4 - HKLM\..\Run: [DIGStream] C:\Program Files\DIGStream\digstream.exe
    O4 - HKLM\..\Run: [KAZAA] C:\Program Files\Kazaa\kazaa.exe /SYSTRAY
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [BFILPSVYC] C:\WINDOWS\BFILPSVYC.exe
    O4 - HKLM\..\Run: [47MSJ2W3J7PQJE] C:\WINDOWS\SYSTEM\YFQAMDX.EXE
    O4 - HKLM\..\Run: [ADH] C:\WINDOWS\ADH.exe
    O4 - HKLM\..\Run: [CharityBuy IE Plugin] C:\WINDOWS\CHARITYBUY
    O4 - HKLM\..\Run: [Bsx3] RunDLL32.EXE C:\WINDOWS\BS3.DLL,DllRun
    O4 - HKLM\..\Run: [service.exe] C:\WINDOWS\system32\service.exe
    O4 - HKLM\..\Run: [emsw.exe] C:\WINDOWS\emsw.exe
    O4 - HKLM\..\Run: [PGStub.exe] C:\DP-B23011805.EXE
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
    O4 - HKLM\..\RunServices: [3Com DMI Agent] C:\WINDOWS\SYSTEM\3com_dmi\3CDMINIC.EXE
    O4 - HKLM\..\RunServices: [MOSearch] C:\PROGRA~1\COMMON~1\SYSTEM\MOSEARCH\BIN\MOSEARCH.EXE
    O4 - HKLM\..\RunServices: [MDM7] "C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\VS7DEBUG\MDM.EXE"
    O4 - HKLM\..\RunServices: [ActionAgent] C:\PROGRAM FILES\DELL\OPENMANAGE\CLIENT\ACTIONAGENT.EXE
    O4 - HKLM\..\RunServices: [DEventAgent] C:\PROGRAM FILES\DELL\OPENMANAGE\CLIENT\EVENTAGT.EXE
    O4 - HKLM\..\RunServices: [DLT] C:\PROGRAM FILES\DELL\OPENMANAGE\CLIENT\DLT.EXE
    O4 - HKLM\..\RunServices: [Iap] C:\PROGRAM FILES\DELL\OPENMANAGE\CLIENT\IAP.EXE
    O4 - HKLM\..\RunServices: [WIN32SL] c:\dmi\win32\bin\win32sl.exe -i -p -r
    O4 - HKLM\..\RunServices: [DellDmi] C:\DMI\WIN32\BIN\DELLDMI.EXE
    O4 - HKCU\..\Run: [Cydoor] CD_Load.exe
    O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
    O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
    O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
    O4 - HKCU\..\Run: [HXIUL.EXE] C:\Program Files\Alset\HelpExpress\Default\HXIUL.EXE
    O4 - HKCU\..\Run: [HELPEXP.EXE] C:\Program Files\Alset\HelpExpress\Default\Client\HelpExp.exe
    O4 - HKCU\..\Run: [emsw.exe] C:\WINDOWS\emsw.exe
    O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Startup: PowerReg Scheduler.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE10\EXCEL.EXE/3000
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: MSN Messenger Service (HKLM)
    O9 - Extra button: AIM (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Turbo Download (HKLM)
    O9 - Extra button: Dell Home (HKCU)
    O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://active.macromedia.com/director/cabs/sw.cab
    O16 - DPF: {34805D32-AD89-469E-8503-A5666AEE4333} (RdxIE Class) - http://207.188.7.103/012eac358500bc7d0105/netzip/RdxIE.cab
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...ple.com/drakken/us/win/QuickTimeInstaller.exe
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {F7DC2A2E-FC34-11D3-B1D9-00A0C99B41BB} (Zoom Class) - http://www.zoomify.com/download/zoomify305.cab
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37866.4125462963
    O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://216.220.226.126/activex/AxisCamControl.ocx
     
  4. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    56,163
    First Name:
    Derek
    Now you have re-enabled all the running programs we can see what we are dealing with

    There is a lot to work out here so give us a bit of time

    the first thing I've noticed is a nasty trojan (peper.a)that is very difficult to remove.

    The only way we have found is to Download TDS-3 from http://www.wilders.org/anti_trojans.htm
    and update it following the instructions here:
    http://tds.diamondcs.com.au/index.php?page=update
    Then run a full system scan.
    That will remove any other trojans found also & I suspect a few entries to be trojan.


    I will attempt to prepare a list of what needs to go , but please post another log after using the TDs-3 anti trojan
     
  5. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    56,163
    First Name:
    Derek
    run hijackthis, tick all below, doublecheck to make sure you haven't missed any, close all browser windows & press fix checked

    R3 - Default URLSearchHook is missing
    O2 - BHO: (no name) - {D2DF8D12-3328-4160-ABC7-875F28D376A0} - C:\WINDOWS\SYSTEM\OPENGLY32.DLL
    O2 - BHO: (no name) - {9553D860-DF77-41DD-A33B-C73D6AA139E2} - C:\WINDOWS\SYSTEM\WINTSRUST.DLL
    O2 - BHO: (no name) - {20c9ba1e-1b0a-4225-88b0-da00caed77b6} - C:\WINDOWS\APPLICATION DATA\BRDRIEFRTHCHS.DLL
    O2 - BHO: (no name) - {E8B4F3AA-9509-4081-9A85-914D5E9BEC81} - C:\WINDOWS\SYSTEM\BPV1D.DLL
    O2 - BHO: (no name) - {A85C4A1B-BD36-44E5-A70F-8EC347D9B24F} - C:\WINDOWS\BS3.DLL
    O3 - Toolbar: (no name) - {224530A0-C9CB-4AEE-9C0F-54AC1B533211} - (no file)
    O3 - Toolbar: (no name) - {FE175E66-B807-4D0B-9C44-4178FA3A305F} - (no file)
    O3 - Toolbar: PowerSearch - {4E7BD74F-2B8D-469E-D3FA-F27BA787AD2D} - C:\PROGRA~1\POWERS~1\TOOLBAR\PWRSWMDA.DLL (file missing)
    O3 - Toolbar: shxtrfraeae - {073ae0cb-5391-4036-8d09-f723eb270194} - C:\WINDOWS\APPLICATION DATA\BRDRIEFRTHCHS.DLL
    O4 - HKLM\..\Run: [Buddyizer] C:\Program Files\Aimster\Buddyizer.exe
    O4 - HKLM\..\Run: [Eac_Download] C:\PROGRAM FILES\COMMON FILES\EACCELERATION\DOWNLOAD.EXE -k
    O4 - HKLM\..\Run: [Webcelerator] C:\Program Files\Acceleration Software\Webcelerator\webcel.exe runstart
    O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [ddeproc] C:\Program Files\Acceleration Software\Webcelerator\ddeproc.exe
    O4 - HKLM\..\Run: [WT GameChannel] C:\Program Files\WildTangent\Apps\GameChannel.exe
    O4 - HKLM\..\Run: [DIGStream] C:\Program Files\DIGStream\digstream.exe
    O4 - HKLM\..\Run: [KAZAA] C:\Program Files\Kazaa\kazaa.exe /SYSTRAY
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [BFILPSVYC] C:\WINDOWS\BFILPSVYC.exe
    O4 - HKLM\..\Run: [47MSJ2W3J7PQJE] C:\WINDOWS\SYSTEM\YFQAMDX.EXE
    O4 - HKLM\..\Run: [CharityBuy IE Plugin] C:\WINDOWS\CHARITYBUY
    O4 - HKLM\..\Run: [Bsx3] RunDLL32.EXE C:\WINDOWS\BS3.DLL,DllRun
    O4 - HKLM\..\Run: [service.exe] C:\WINDOWS\system32\service.exe
    O4 - HKLM\..\Run: [emsw.exe] C:\WINDOWS\emsw.exe
    O4 - HKLM\..\Run: [PGStub.exe] C:\DP-B23011805.EXE
    O4 - HKLM\..\RunServices: [MOSearch] C:\PROGRA~1\COMMON~1\SYSTEM\MOSEARCH\BIN\MOSEARCH.EXE
    O4 - HKCU\..\Run: [Cydoor] CD_Load.exe
    O4 - HKCU\..\Run: [HXIUL.EXE] C:\Program Files\Alset\HelpExpress\Default\HXIUL.EXE
    O4 - HKCU\..\Run: [HELPEXP.EXE] C:\Program Files\Alset\HelpExpress\Default\Client\HelpExp.exe
    O4 - HKCU\..\Run: [emsw.exe] C:\WINDOWS\emsw.exe
    O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O9 - Extra 'Tools' menuitem: Turbo Download (HKLM)
    O16 - DPF: {34805D32-AD89-469E-8503-A5666AEE4333} (RdxIE Class) - http://207.188.7.103/012eac358500bc...etzip/RdxIE.cab

    then
    reboot & delete the folowing folders
    C:\PROGRAM FILES\ALSET\
    C:\Program Files\Acceleration Software
    C:\PROGRAM FILES\COMMON FILES\EACCELERATION
    C:\Program Files\Aimster

    & these files
    C:\WINDOWS\CHARITYBUY.EXE
    C:\WINDOWS\SYSTEM32\SERVICE.EXE
    C:\WINDOWS\EMSW.EXE
    C:\WINDOWS\BS3.DLL
    C:\WINDOWS\BFILPSVYC.exe
    C:\WINDOWS\SYSTEM\YFQAMDX.EXE
    C:\WINDOWS\APPLICATION DATA\BRDRIEFRTHCHS.DLL

    Then reboot
    Run an online antivirus check from at least one of the following sites
    http://security.symantec.com/default.asp?
    http://housecall.trendmicro.com/
    http://www.pandasoftware.com/activescan/

    and then post a new hijackthis logto see what we have missed
     
  6. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    56,163
    First Name:
    Derek
    before you fix these entries please upload the .dll files to http://www.lavahelp.com/submit/ so they can check them and include them in the next upodate if they are bad as I suspect they are
    O2 - BHO: (no name) - {D2DF8D12-3328-4160-ABC7-875F28D376A0} - C:\WINDOWS\SYSTEM\OPENGLY32.DLL
    O2 - BHO: (no name) - {9553D860-DF77-41DD-A33B-C73D6AA139E2} - C:\WINDOWS\SYSTEM\WINTSRUST.DLL
    O2 - BHO: (no name) - {E8B4F3AA-9509-4081-9A85-914D5E9BEC81} - C:\WINDOWS\SYSTEM\BPV1D.DLL
     
  7. Cams

    Cams Thread Starter

    Joined:
    Mar 1, 2001
    Messages:
    45
    Here is the log after running TDS-3. I should note that on reboots I kept running it and getting the two files below. The name of the executable always changed too. I will send the DLL's and run HIJACK with your removal suggestions and repost.

    Thanks for all your help.
    Cams




    Scan Control Dumped @ 17:01:24 16-10-03
    Positive identification: TrojanDownloader.Win32.VB.s
    File: c:\windows\system\kfmj8u3.exe

    Positive identification: TrojanDownloader.Win32.VB.s
    File: c:\windows\system\evwx3.exe


    Logfile of HijackThis v1.97.3
    Scan saved at 5:02:09 PM, on 10/16/03
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\WINDOWS\SYSTEM\3COM_DMI\3CDMINIC.EXE
    C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\VS7DEBUG\MDM.EXE
    C:\PROGRAM FILES\DELL\OPENMANAGE\CLIENT\ACTIONAGENT.EXE
    C:\PROGRAM FILES\DELL\OPENMANAGE\CLIENT\EVENTAGT.EXE
    C:\PROGRAM FILES\DELL\OPENMANAGE\CLIENT\DLT.EXE
    C:\PROGRAM FILES\DELL\OPENMANAGE\CLIENT\IAP.EXE
    C:\DMI\WIN32\BIN\WIN32SL.EXE
    C:\DMI\WIN32\BIN\DELLDMI.EXE
    C:\WINDOWS\SYSTEM\RPCSS.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
    C:\WINDOWS\SYSTEM\QTTASK.EXE
    C:\MOUSE\SYSTEM\EM_EXEC.EXE
    C:\PROGRAM FILES\NETROPA\MULTIMEDIA KEYBOARD\MMKEYBD.EXE
    C:\PROGRAM FILES\DIGSTREAM\DIGSTREAM.EXE
    C:\PROGRAM FILES\NETROPA\MULTIMEDIA KEYBOARD\MMUSBKB2.EXE
    C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
    C:\WINDOWS\SYSTEM32\SERVICE.EXE
    C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\RNATHCHK.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\PROGRAM FILES\NETROPA\MULTIMEDIA KEYBOARD\TRAYMON.EXE
    C:\WINDOWS\SYSTEM\CTFMON.EXE
    C:\WINDOWS\RunDLL.exe
    C:\PROGRAM FILES\NETROPA\ONSCREEN DISPLAY\OSD.EXE
    C:\PROGRAM FILES\ALSET\HELPEXPRESS\DEFAULT\HXIUL.EXE
    C:\PROGRAM FILES\ALSET\HELPEXPRESS\DEFAULT\CLIENT\HELPEXP.EXE
    C:\PROGRAM FILES\ALSET\HELPEXPRESS\DEFAULT\CLIENT\PRINTMONITOR.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\WINDOWS\EMSW.EXE
    C:\UNZIPPED\HIJACKTHIS\HIJACKTHIS.EXE
    C:\WINDOWS\SYSTEM\JMKZKUG.EXE
    C:\WINDOWS\SYSTEM\XDDOX0.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bates.edu/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:24491
    R3 - Default URLSearchHook is missing
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
    O2 - BHO: (no name) - {D2DF8D12-3328-4160-ABC7-875F28D376A0} - C:\WINDOWS\SYSTEM\OPENGLY32.DLL
    O2 - BHO: (no name) - {9553D860-DF77-41DD-A33B-C73D6AA139E2} - C:\WINDOWS\SYSTEM\WINTSRUST.DLL
    O2 - BHO: (no name) - {20c9ba1e-1b0a-4225-88b0-da00caed77b6} - C:\WINDOWS\APPLICATION DATA\BRDRIEFRTHCHS.DLL
    O2 - BHO: (no name) - {E8B4F3AA-9509-4081-9A85-914D5E9BEC81} - C:\WINDOWS\SYSTEM\BPV1D.DLL
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
    O2 - BHO: (no name) - {A85C4A1B-BD36-44E5-A70F-8EC347D9B24F} - C:\WINDOWS\BS3.DLL
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O3 - Toolbar: (no name) - {224530A0-C9CB-4AEE-9C0F-54AC1B533211} - (no file)
    O3 - Toolbar: (no name) - {FE175E66-B807-4D0B-9C44-4178FA3A305F} - (no file)
    O3 - Toolbar: PowerSearch - {4E7BD74F-2B8D-469E-D3FA-F27BA787AD2D} - C:\PROGRA~1\POWERS~1\TOOLBAR\PWRSWMDA.DLL (file missing)
    O3 - Toolbar: shxtrfraeae - {073ae0cb-5391-4036-8d09-f723eb270194} - C:\WINDOWS\APPLICATION DATA\BRDRIEFRTHCHS.DLL
    O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET
    O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp3\winampa.exe"
    O4 - HKLM\..\Run: [Buddyizer] C:\Program Files\Aimster\Buddyizer.exe
    O4 - HKLM\..\Run: [Eac_Download] C:\PROGRAM FILES\COMMON FILES\EACCELERATION\DOWNLOAD.EXE -k
    O4 - HKLM\..\Run: [Webcelerator] C:\Program Files\Acceleration Software\Webcelerator\webcel.exe runstart
    O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [EM_EXEC] c:\mouse\system\em_exec.exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [TCASUTIEXE] TCAUDIAG -off
    O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
    O4 - HKLM\..\Run: [ddeproc] C:\Program Files\Acceleration Software\Webcelerator\ddeproc.exe
    O4 - HKLM\..\Run: [WT GameChannel] C:\Program Files\WildTangent\Apps\GameChannel.exe
    O4 - HKLM\..\Run: [DIGStream] C:\Program Files\DIGStream\digstream.exe
    O4 - HKLM\..\Run: [KAZAA] C:\Program Files\Kazaa\kazaa.exe /SYSTRAY
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [BFILPSVYC] C:\WINDOWS\BFILPSVYC.exe
    O4 - HKLM\..\Run: [47MSJ2W3J7PQJE] C:\WINDOWS\SYSTEM\Biz1J.exe
    O4 - HKLM\..\Run: [ADH] C:\WINDOWS\ADH.exe
    O4 - HKLM\..\Run: [CharityBuy IE Plugin] C:\WINDOWS\CHARITYBUY
    O4 - HKLM\..\Run: [Bsx3] RunDLL32.EXE C:\WINDOWS\BS3.DLL,DllRun
    O4 - HKLM\..\Run: [service.exe] C:\WINDOWS\system32\service.exe
    O4 - HKLM\..\Run: [emsw.exe] C:\WINDOWS\emsw.exe
    O4 - HKLM\..\Run: [PGStub.exe] C:\DP-B23011805.EXE
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
    O4 - HKLM\..\RunServices: [3Com DMI Agent] C:\WINDOWS\SYSTEM\3com_dmi\3CDMINIC.EXE
    O4 - HKLM\..\RunServices: [MOSearch] C:\PROGRA~1\COMMON~1\SYSTEM\MOSEARCH\BIN\MOSEARCH.EXE
    O4 - HKLM\..\RunServices: [MDM7] "C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\VS7DEBUG\MDM.EXE"
    O4 - HKLM\..\RunServices: [ActionAgent] C:\PROGRAM FILES\DELL\OPENMANAGE\CLIENT\ACTIONAGENT.EXE
    O4 - HKLM\..\RunServices: [DEventAgent] C:\PROGRAM FILES\DELL\OPENMANAGE\CLIENT\EVENTAGT.EXE
    O4 - HKLM\..\RunServices: [DLT] C:\PROGRAM FILES\DELL\OPENMANAGE\CLIENT\DLT.EXE
    O4 - HKLM\..\RunServices: [Iap] C:\PROGRAM FILES\DELL\OPENMANAGE\CLIENT\IAP.EXE
    O4 - HKLM\..\RunServices: [WIN32SL] c:\dmi\win32\bin\win32sl.exe -i -p -r
    O4 - HKLM\..\RunServices: [DellDmi] C:\DMI\WIN32\BIN\DELLDMI.EXE
    O4 - HKCU\..\Run: [Cydoor] CD_Load.exe
    O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
    O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
    O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
    O4 - HKCU\..\Run: [HXIUL.EXE] C:\Program Files\Alset\HelpExpress\Default\HXIUL.EXE
    O4 - HKCU\..\Run: [HELPEXP.EXE] C:\Program Files\Alset\HelpExpress\Default\Client\HelpExp.exe
    O4 - HKCU\..\Run: [emsw.exe] C:\WINDOWS\emsw.exe
    O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Startup: PowerReg Scheduler.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE10\EXCEL.EXE/3000
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: MSN Messenger Service (HKLM)
    O9 - Extra button: AIM (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Turbo Download (HKLM)
    O9 - Extra button: Dell Home (HKCU)
    O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://active.macromedia.com/director/cabs/sw.cab
    O16 - DPF: {34805D32-AD89-469E-8503-A5666AEE4333} (RdxIE Class) - http://207.188.7.103/012eac358500bc7d0105/netzip/RdxIE.cab
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...ple.com/drakken/us/win/QuickTimeInstaller.exe
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {F7DC2A2E-FC34-11D3-B1D9-00A0C99B41BB} (Zoom Class) - http://www.zoomify.com/download/zoomify305.cab
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37866.4125462963
    O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://216.220.226.126/activex/AxisCamControl.ocx
     
  8. $teve

    $teve

    Joined:
    Oct 9, 2001
    Messages:
    9,396
    Derek.............i think we should see if we can get copies of those bho`s nothing comes up for about 3 of em
    I know the powersearch ones but the WINTSRUST.DLL....OPENGLY32.DLL[could be open gl but i have my doubts]...BRDRIEFRTHCHS.DLL
    and a lot more............aty least half the o4`s are not showing anything
    where is he?.which country?


    edit: i just noticed you asked for them a couple of posts back:rolleyes:
     
  9. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    56,163
    First Name:
    Derek
    Steve the BRDRIEFRTHCHS.DLL is 99% certain to be LOP

    check over the logs for me in case I've missed anything
     
  10. $teve

    $teve

    Joined:
    Oct 9, 2001
    Messages:
    9,396
    Cams...............I know this may sound like a broken record already............but this is a very difficult log to clean.

    uninstall tds.....

    http://www.nod32.com/home/home.htm
    go to the above and download the trial copy of NOD32
    and run a full system scan with that....then ,without re-booting check all the ones in Dereks list that are still around and have H/T fix them all.
    nuke the folders/files in the delte list and then re-boot and post another log.
     
  11. $teve

    $teve

    Joined:
    Oct 9, 2001
    Messages:
    9,396
    Derek........its possible that cams left IE windows open.........there are a lot of instructions here to take in.I think you got the lot but some bho`s are back as well as some of the o4`s.


    Need to go pick up son from school dance:rolleyes:
    ill be back shortly...GOOD LUCK!!
     
  12. Cams

    Cams Thread Starter

    Joined:
    Mar 1, 2001
    Messages:
    45
    OK. Uninstalled TDS-3 and installed/ran NOD32 and here was the first message:

    trojan Win32/Peper.C found in operating memory. NOD32 cannot clean this infiltration. No action can be applied to memory infiltration.

    It then propogated into multiple examples in windows/system and two examples could not be deleted until restart (and so it goes). I deleted the rest and ran hijackthis. Here is the latest although I'm guessing it is moot until the memory application can be eradicated:

    Logfile of HijackThis v1.97.3
    Scan saved at 6:17:23 PM, on 10/16/03
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\WINDOWS\SYSTEM\3COM_DMI\3CDMINIC.EXE
    C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\VS7DEBUG\MDM.EXE
    C:\PROGRAM FILES\DELL\OPENMANAGE\CLIENT\ACTIONAGENT.EXE
    C:\PROGRAM FILES\DELL\OPENMANAGE\CLIENT\EVENTAGT.EXE
    C:\PROGRAM FILES\DELL\OPENMANAGE\CLIENT\DLT.EXE
    C:\PROGRAM FILES\DELL\OPENMANAGE\CLIENT\IAP.EXE
    C:\DMI\WIN32\BIN\WIN32SL.EXE
    C:\DMI\WIN32\BIN\DELLDMI.EXE
    C:\PROGRAM FILES\ESET\NOD32KRN.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\SYSTEM\RPCSS.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
    C:\MOUSE\SYSTEM\EM_EXEC.EXE
    C:\PROGRAM FILES\NETROPA\MULTIMEDIA KEYBOARD\MMKEYBD.EXE
    C:\WINDOWS\WJVIEW.EXE
    C:\PROGRAM FILES\NETROPA\MULTIMEDIA KEYBOARD\MMUSBKB2.EXE
    C:\PROGRAM FILES\ESET\NOD32KUI.EXE
    C:\WINDOWS\SYSTEM\CTFMON.EXE
    C:\PROGRAM FILES\NETROPA\MULTIMEDIA KEYBOARD\TRAYMON.EXE
    C:\WINDOWS\RunDLL.exe
    C:\PROGRAM FILES\NETROPA\ONSCREEN DISPLAY\OSD.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\PROGRAM FILES\COUPONSANDOFFERS\COUPONSANDOFFERS.EXE
    C:\WINDOWS\NOTEPAD.EXE
    C:\WINDOWS\SYSTEM\NYE42N.EXE
    C:\WINDOWS\SYSTEM\ZVCYL.EXE
    C:\UNZIPPED\HIJACKTHIS\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bates.edu/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:24491
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET
    O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp3\winampa.exe"
    O4 - HKLM\..\Run: [EM_EXEC] c:\mouse\system\em_exec.exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [TCASUTIEXE] TCAUDIAG -off
    O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
    O4 - HKLM\..\Run: [couponsandoffers] wjview /cp:p "C:\Program Files\couponsandoffers\System\Code" Main lp: "C:\Program Files\couponsandoffers"
    O4 - HKLM\..\Run: [nod32kui] C:\Program Files\Eset\nod32kui.exe /WAITSERVICE
    O4 - HKLM\..\Run: [47MSJ2W3J7PQJE] C:\WINDOWS\SYSTEM\TbuD92dS.exe
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
    O4 - HKLM\..\RunServices: [3Com DMI Agent] C:\WINDOWS\SYSTEM\3com_dmi\3CDMINIC.EXE
    O4 - HKLM\..\RunServices: [MDM7] "C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\VS7DEBUG\MDM.EXE"
    O4 - HKLM\..\RunServices: [ActionAgent] C:\PROGRAM FILES\DELL\OPENMANAGE\CLIENT\ACTIONAGENT.EXE
    O4 - HKLM\..\RunServices: [DEventAgent] C:\PROGRAM FILES\DELL\OPENMANAGE\CLIENT\EVENTAGT.EXE
    O4 - HKLM\..\RunServices: [DLT] C:\PROGRAM FILES\DELL\OPENMANAGE\CLIENT\DLT.EXE
    O4 - HKLM\..\RunServices: [Iap] C:\PROGRAM FILES\DELL\OPENMANAGE\CLIENT\IAP.EXE
    O4 - HKLM\..\RunServices: [WIN32SL] c:\dmi\win32\bin\win32sl.exe -i -p -r
    O4 - HKLM\..\RunServices: [DellDmi] C:\DMI\WIN32\BIN\DELLDMI.EXE
    O4 - HKLM\..\RunServices: [NOD32kernel] C:\Program Files\Eset\nod32krn.exe
    O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
    O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
    O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
    O4 - HKCU\..\Run: [HXIUL.EXE] C:\Program Files\Alset\HelpExpress\Default\HXIUL.EXE
    O4 - HKCU\..\Run: [HELPEXP.EXE] C:\Program Files\Alset\HelpExpress\Default\Client\HelpExp.exe
    O4 - Startup: PowerReg Scheduler.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE10\EXCEL.EXE/3000
    O8 - Extra context menu item: Coupons - file://C:\Program Files\couponsandoffers\System\Temp\couponsandoffers_script0.htm
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: MSN Messenger Service (HKLM)
    O9 - Extra button: AIM (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
    O9 - Extra button: Dell Home (HKCU)
    O10 - Broken Internet access because of LSP provider 'imon.dll' missing
    O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://active.macromedia.com/director/cabs/sw.cab
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...ple.com/drakken/us/win/QuickTimeInstaller.exe
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {F7DC2A2E-FC34-11D3-B1D9-00A0C99B41BB} (Zoom Class) - http://www.zoomify.com/download/zoomify305.cab
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37866.4125462963
    O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://216.220.226.126/activex/AxisCamControl.ocx
     
  13. $teve

    $teve

    Joined:
    Oct 9, 2001
    Messages:
    9,396
    Ok......we are actually getting somewhere.....Re-booting shoul;d clear the memory.

    I think this could be new variant of the trojan NOD32 SHOULD remove it........Although im unsure whether you get to update the program in the trial version so that may be why its being seen but not dealt with.


    Re-boot into safe mode and do a full scan with NOD32....lets see if we get any luck from there.
     
  14. $teve

    $teve

    Joined:
    Oct 9, 2001
    Messages:
    9,396
    Ill hang around.
    ;)
     
  15. $teve

    $teve

    Joined:
    Oct 9, 2001
    Messages:
    9,396
    Ive looked around the forum and found a few ideas if the trojan is still around.
     
  16. Sponsor

As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 733,556 other people just like you!

Loading...
Thread Status:
Not open for further replies.

Short URL to this thread: https://techguy.org/172355

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice