1. Computer problem? Tech Support Guy is completely free -- paid for by advertisers and donations. Click here to join today! If you're new to Tech Support Guy, we highly recommend that you visit our Guide for New Members.

Infected with JS.Downloader.Trojan and MHTML.Redir.Exploit

Discussion in 'Virus & Other Malware Removal' started by GMM, Sep 11, 2004.

Thread Status:
Not open for further replies.
Advertisement
  1. GMM

    GMM Thread Starter

    Joined:
    Jun 30, 2004
    Messages:
    14
    Hello,
    According to Norton Antivirus 2003 I have the JS.Downloader.Trojan and MHTML.Redir.Exploits Viruses on my computer. It is unable to delete the viruses, it just keeps quarantining them so everytime a scan is run there becomes double the amount of files infected (now up to 1001). I'm not able to delete the contents of the quarantine folder because a message appears saying access is denied. I would appreciate any help you can give me about permanently deleting these viruses.
    Thanks
     
    GMM, Sep 11, 2004
    #1
  2. jwbirdsong

    jwbirdsong

    Joined:
    Nov 6, 2002
    Messages:
    710
    Let's take a closer look at what going on then shall we??

    Go to Go to http://www.downloads.subratam.org/hijackthis.zip , and download 'Hijack This!'.
    Unzip to a permanent folder like c:HJT\HijackThis.exe, doubleclick HijackThis.exe, and hit "Scan".

    When the scan is finished, the "Scan" button will change into a "Save Log" button.
    Press that, save the log somewhere, and please post the contents back here.

    Most of what it lists will be harmless or even required, so do NOT fix anything yet.
    I (or someone here) will be happy to help you analyze the results.
     
    jwbirdsong, Sep 11, 2004
    #2
  3. GMM

    GMM Thread Starter

    Joined:
    Jun 30, 2004
    Messages:
    14
    Logfile of HijackThis v1.98.0
    Scan saved at 6:43:42 PM, on 9/11/2004
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\system32\stisvc.exe
    C:\WINNT\wanmpsvc.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\system32\MsPMSPSv.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\Explorer.EXE
    C:\Program Files\Winamp3\winampa.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
    C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
    C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe
    C:\Program Files\CasinoOnline\CsRemnd.exe
    C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
    C:\WINNT\system32\ctfmon.exe
    C:\Program Files\AOL Companion\companion.exe
    C:\Program Files\Aluria Software\DrSpeed Suite\drspeed.exe
    C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
    C:\Program Files\Linksys\WPC11 Config Utility\WPC11Cfg.exe
    C:\Program Files\Aluria Software\ASE\ASE Scheduler.exe
    C:\PROGRA~1\NORTON~1\navw32.exe
    C:\Program Files\AIM\aim.exe
    C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://law.quinnipiac.edu/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\System32\blank.htm
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\System32\blank.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by America Online
    R3 - Default URLSearchHook is missing
    O1 - Hosts: 64.158.223.128 adfarm.mediaplex.com
    O1 - Hosts: 38.119.65.141 ads.morpheus.com
    O1 - Hosts: 64.12.180.86 aimtoday.aol.com
    O1 - Hosts: 66.218.71.188 baseball.fantasysports.yahoo.com
    O1 - Hosts: 69.44.114.16 c1.zedo.com
    O1 - Hosts: 69.50.191.148 c1dcon.d8t.biz
    O1 - Hosts: 195.225.177.22 c1dcon.ewizard.cc
    O1 - Hosts: 66.135.204.10 cgi.ebay.com
    O1 - Hosts: 64.236.22.12 cl.cnn.com
    O1 - Hosts: 66.228.192.50 clicks.traffictrader.net
    O1 - Hosts: 205.188.243.184 client.mapquest.com
    O1 - Hosts: 24.30.203.17 content.rr.com
    O1 - Hosts: 207.25.71.24 dynamic.si.cnn.com
    O1 - Hosts: 216.109.127.6 edit.yahoo.com
    O1 - Hosts: 199.181.132.140 espn.go.com
    O1 - Hosts: 205.188.135.213 esupport.aol.com
    O1 - Hosts: 24.137.12.200 forums.techguy.org
    O1 - Hosts: 64.12.144.53 free.aol.com
    O1 - Hosts: 192.152.243.90 law.quinnipiac.edu
    O1 - Hosts: 216.136.229.11 linksys.custhelp.com
    O1 - Hosts: 216.109.127.60 login.yahoo.com
    O1 - Hosts: 216.10.124.76 mktg.roadrunner.com
    O1 - Hosts: 205.188.187.89 my.screenname.aol.com
    O1 - Hosts: 216.109.126.22 my.yahoo.com
    O1 - Hosts: 63.236.66.7 mysearch.myway.com
    O1 - Hosts: 209.87.178.244 nct.symantecstore.com
    O1 - Hosts: 69.44.114.23 newyork.yankees.mlb.com
    O1 - Hosts: 64.124.56.49 nike.ask.com
    O1 - Hosts: 69.44.114.33 niketown.nike.com
    O1 - Hosts: 198.87.0.105 people-data.com
    O1 - Hosts: 207.25.71.173 polls.cnnsi.com
    O1 - Hosts: 207.250.236.120 pops.freeze.com
    O1 - Hosts: 12.129.205.120 popups.ad-logics.com
    O1 - Hosts: 64.5.217.241 prizeamerica.aavalue.com
    O1 - Hosts: 199.181.132.87 proxy.espn.go.com
    O1 - Hosts: 209.67.153.20 quinnipiacbobcats.collegesports.com
    O1 - Hosts: 207.250.236.107 register.freeze.com
    O1 - Hosts: 198.6.49.101 renewalcenter.symantec.com
    O1 - Hosts: 205.188.180.120 search.aol.com
    O1 - Hosts: 66.135.210.135 search.ebay.com
    O1 - Hosts: 206.204.52.17 search.symantec.com
    O1 - Hosts: 66.218.71.233 search.yahoo.com
    O1 - Hosts: 66.135.194.135 search-lvm.ebay.com
    O1 - Hosts: 206.65.174.7 seattlepi.nwsource.com
    O1 - Hosts: 217.75.98.7 securityresponse.symantec.com
    O1 - Hosts: 198.6.49.121 service1.symantec.com
    O1 - Hosts: 199.181.132.245 sports.espn.go.com
    O1 - Hosts: 216.109.126.241 sports.yahoo.com
    O1 - Hosts: 207.25.71.142 sportsillustrated.cnn.com
    O1 - Hosts: 38.119.65.139 start.morpheus.com
    O1 - Hosts: 205.188.238.103 subs.timeinc.net
    O1 - Hosts: 64.40.109.82 thegolfcourses.net
    O1 - Hosts: 207.46.156.121 v4.windowsupdate.microsoft.com
    O1 - Hosts: 66.55.136.94 vn.msie.tv
    O1 - Hosts: 205.188.139.184 webmail.aol.com
    O1 - Hosts: 66.35.229.145 webpdp.gator.com
    O1 - Hosts: 66.230.167.226 www.008k.com
    O1 - Hosts: 205.188.135.105 www.aim.com
    O1 - Hosts: 64.94.239.33 www.aluriasoftware.com
    O1 - Hosts: 207.171.170.19 www.amazon.co.uk
    O1 - Hosts: 69.42.75.142 www.amazon-x.com
    O1 - Hosts: 66.115.188.11 www.ampland.com
    O1 - Hosts: 204.127.166.136 www.anywho.com
    O1 - Hosts: 205.188.145.214 www.aol.com
    O1 - Hosts: 216.71.203.71 www.basketballteamuniforms.com
    O1 - Hosts: 209.128.108.221 www.bellaonline.com
    O1 - Hosts: 216.92.177.122 www.bestscreensavers.com
    O1 - Hosts: 68.72.72.11 www.bigeast.org
    O1 - Hosts: 209.11.49.183 www.billboard.com
    O1 - Hosts: 69.9.172.47 www.bluepistons.com
    O1 - Hosts: 209.119.77.1 www.bowlinggreengolf.com
    O1 - Hosts: 209.148.221.20 www.canadastarboxing.com
    O1 - Hosts: 204.71.20.123 www.cityofnewhaven.com
    O1 - Hosts: 216.121.96.225 www.clubct.com
    O1 - Hosts: 67.100.215.226 www.college-football-jerseys.info
    O1 - Hosts: 216.193.211.145 www.collegehoopsnet.com
    O1 - Hosts: 164.109.28.3 www.comcast.com
    O1 - Hosts: 63.240.76.72 www.comcast.net
    O1 - Hosts: 69.0.228.223 www.comcast-ne.com
    O1 - Hosts: 208.42.89.60 www.costcutters.com
    O1 - Hosts: 12.130.91.12 www.ctnow.com
    O1 - Hosts: 216.37.47.224 www.culinarymenus.com
    O1 - Hosts: 66.135.192.87 www.ebay.com
    O1 - Hosts: 64.156.187.113 www.expage.com
    O1 - Hosts: 66.35.204.10 www.findlaw.com
    O1 - Hosts: 164.62.7.30 www.ftc.gov
    O1 - Hosts: 66.28.176.251 www.fvotd.com
    O1 - Hosts: 81.211.105.20 www.ga31.com
    O1 - Hosts: 66.163.161.45 www.gametimeusa.com
    O1 - Hosts: 66.218.77.68 www.geocities.com
    O1 - Hosts: 216.239.41.99 www.google.com
    O1 - Hosts: 69.0.68.75 www.hamden.com
    O1 - Hosts: 24.30.204.14 www.help.rr.com
    O1 - Hosts: 66.162.58.150 www.hot97.com
    O1 - Hosts: 69.93.53.43 www.hqmovs.com
    O1 - Hosts: 69.44.114.25 www.ikea.com
    O1 - Hosts: 192.71.68.42 www.ikea-usa.com
    O1 - Hosts: 66.221.197.177 www.infonewhaven.com
    O1 - Hosts: 165.193.123.186 www.infoplease.com
    O1 - Hosts: 205.134.174.212 www.interracialunited.com
    O1 - Hosts: 63.217.29.242 www.intimatediary.com
    O2 - BHO: MyWay Search Assistant BHO - {04079851-5845-4dea-848C-3ECD647AA554} - C:\Program Files\MyWay\SrchAstt\1.bin\MYSRCHAS.DLL (file missing)
    O2 - BHO: myBar BHO - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL (file missing)
    O3 - Toolbar: @msdxmLC.dll,[email protected],&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: QuickSearch Search Bar - {82315A18-6CFB-44a7-BDFD-90E36537C252} - C:\Program Files\QuickSearch\QuickSearchBar1_27.dll
    O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
    O3 - Toolbar: (no name) - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - (no file)
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp3\\winampa.exe"
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot
    O4 - HKLM\..\Run: [updater] C:\Program Files\Common files\updater\wupdater.exe
    O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
    O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
    O4 - HKLM\..\Run: [Remndr] "C:\Program Files\CasinoOnline\CsRemnd.exe"
    O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
    O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
    O4 - HKCU\..\Run: [msmc] C:\WINNT\system32\msmc.exe
    O4 - Startup: ASE Scheduler.lnk = C:\Program Files\Aluria Software\ASE\ASE Scheduler.exe
    O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0a\aoltray.exe
    O4 - Global Startup: AOL Companion.lnk = C:\Program Files\AOL Companion\companion.exe
    O4 - Global Startup: Dr.Speed NetRx.lnk = C:\Program Files\Aluria Software\DrSpeed Suite\drspeed.exe
    O4 - Global Startup: Instant Wireless Configuration Utility.lnk = C:\Program Files\Linksys\WPC11 Config Utility\WPC11Cfg.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
    O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\system32\Shdocvw.dll
    O10 - Broken Internet access because of LSP provider 'connwsp.dll' missing
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.aol.com
    O14 - IERESET.INF: MS_START_PAGE_URL=http://www.aol.com
    O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
    O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/activedata/SymAData.cab
    O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
    O16 - DPF: {EFAEF0E4-F044-4D57-9900-1C3FF18524C9} (AV Class) - http://www.pcpitstop.com/antivirus/PitPav.cab
     
    GMM, Sep 11, 2004
    #3
  4. jwbirdsong

    jwbirdsong

    Joined:
    Nov 6, 2002
    Messages:
    710
    Sorry for the delay...I didn't get an email of your response..


    Print these instructions as you need to have IE closed from all of the fixes listed below.

    Please check your settings so that you are able to Show Hidden Files and Folders

    With ONLY HijackThis running
    Place a check next to these entries:
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\System32\blank.htm
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\System32\blank.htm
    R3 - Default URLSearchHook is missing
    O1 - Hosts: 64.158.223.128 adfarm.mediaplex.com
    O1 - Hosts: 38.119.65.141 ads.morpheus.com
    O1 - Hosts: 64.12.180.86 aimtoday.aol.com
    O1 - Hosts: 66.218.71.188 baseball.fantasysports.yahoo.com
    O1 - Hosts: 69.44.114.16 c1.zedo.com
    O1 - Hosts: 69.50.191.148 c1dcon.d8t.biz
    O1 - Hosts: 195.225.177.22 c1dcon.ewizard.cc
    O1 - Hosts: 66.135.204.10 cgi.ebay.com
    O1 - Hosts: 64.236.22.12 cl.cnn.com
    O1 - Hosts: 66.228.192.50 clicks.traffictrader.net
    O1 - Hosts: 205.188.243.184 client.mapquest.com
    O1 - Hosts: 24.30.203.17 content.rr.com
    O1 - Hosts: 207.25.71.24 dynamic.si.cnn.com
    O1 - Hosts: 216.109.127.6 edit.yahoo.com
    O1 - Hosts: 199.181.132.140 espn.go.com
    O1 - Hosts: 205.188.135.213 esupport.aol.com
    O1 - Hosts: 24.137.12.200 forums.techguy.org
    O1 - Hosts: 64.12.144.53 free.aol.com
    O1 - Hosts: 192.152.243.90 law.quinnipiac.edu
    O1 - Hosts: 216.136.229.11 linksys.custhelp.com
    O1 - Hosts: 216.109.127.60 login.yahoo.com
    O1 - Hosts: 216.10.124.76 mktg.roadrunner.com
    O1 - Hosts: 205.188.187.89 my.screenname.aol.com
    O1 - Hosts: 216.109.126.22 my.yahoo.com
    O1 - Hosts: 63.236.66.7 mysearch.myway.com
    O1 - Hosts: 209.87.178.244 nct.symantecstore.com
    O1 - Hosts: 69.44.114.23 newyork.yankees.mlb.com
    O1 - Hosts: 64.124.56.49 nike.ask.com
    O1 - Hosts: 69.44.114.33 niketown.nike.com
    O1 - Hosts: 198.87.0.105 people-data.com
    O1 - Hosts: 207.25.71.173 polls.cnnsi.com
    O1 - Hosts: 207.250.236.120 pops.freeze.com
    O1 - Hosts: 12.129.205.120 popups.ad-logics.com
    O1 - Hosts: 64.5.217.241 prizeamerica.aavalue.com
    O1 - Hosts: 199.181.132.87 proxy.espn.go.com
    O1 - Hosts: 209.67.153.20 quinnipiacbobcats.collegesports.com
    O1 - Hosts: 207.250.236.107 register.freeze.com
    O1 - Hosts: 198.6.49.101 renewalcenter.symantec.com
    O1 - Hosts: 205.188.180.120 search.aol.com
    O1 - Hosts: 66.135.210.135 search.ebay.com
    O1 - Hosts: 206.204.52.17 search.symantec.com
    O1 - Hosts: 66.218.71.233 search.yahoo.com
    O1 - Hosts: 66.135.194.135 search-lvm.ebay.com
    O1 - Hosts: 206.65.174.7 seattlepi.nwsource.com
    O1 - Hosts: 217.75.98.7 securityresponse.symantec.com
    O1 - Hosts: 198.6.49.121 service1.symantec.com
    O1 - Hosts: 199.181.132.245 sports.espn.go.com
    O1 - Hosts: 216.109.126.241 sports.yahoo.com
    O1 - Hosts: 207.25.71.142 sportsillustrated.cnn.com
    O1 - Hosts: 38.119.65.139 start.morpheus.com
    O1 - Hosts: 205.188.238.103 subs.timeinc.net
    O1 - Hosts: 64.40.109.82 thegolfcourses.net
    O1 - Hosts: 207.46.156.121 v4.windowsupdate.microsoft.com
    O1 - Hosts: 66.55.136.94 vn.msie.tv
    O1 - Hosts: 205.188.139.184 webmail.aol.com
    O1 - Hosts: 66.35.229.145 webpdp.gator.com
    O1 - Hosts: 66.230.167.226 www.008k.com
    O1 - Hosts: 205.188.135.105 www.aim.com
    O1 - Hosts: 64.94.239.33 www.aluriasoftware.com
    O1 - Hosts: 207.171.170.19 www.amazon.co.uk
    O1 - Hosts: 69.42.75.142 www.amazon-x.com
    O1 - Hosts: 66.115.188.11 www.ampland.com
    O1 - Hosts: 204.127.166.136 www.anywho.com
    O1 - Hosts: 205.188.145.214 www.aol.com
    O1 - Hosts: 216.71.203.71 www.basketballteamuniforms.com
    O1 - Hosts: 209.128.108.221 www.bellaonline.com
    O1 - Hosts: 216.92.177.122 www.bestscreensavers.com
    O1 - Hosts: 68.72.72.11 www.bigeast.org
    O1 - Hosts: 209.11.49.183 www.billboard.com
    O1 - Hosts: 69.9.172.47 www.bluepistons.com
    O1 - Hosts: 209.119.77.1 www.bowlinggreengolf.com
    O1 - Hosts: 209.148.221.20 www.canadastarboxing.com
    O1 - Hosts: 204.71.20.123 www.cityofnewhaven.com
    O1 - Hosts: 216.121.96.225 www.clubct.com
    O1 - Hosts: 67.100.215.226 www.college-football-jerseys.info
    O1 - Hosts: 216.193.211.145 www.collegehoopsnet.com
    O1 - Hosts: 164.109.28.3 www.comcast.com
    O1 - Hosts: 63.240.76.72 www.comcast.net
    O1 - Hosts: 69.0.228.223 www.comcast-ne.com
    O1 - Hosts: 208.42.89.60 www.costcutters.com
    O1 - Hosts: 12.130.91.12 www.ctnow.com
    O1 - Hosts: 216.37.47.224 www.culinarymenus.com
    O1 - Hosts: 66.135.192.87 www.ebay.com
    O1 - Hosts: 64.156.187.113 www.expage.com
    O1 - Hosts: 66.35.204.10 www.findlaw.com
    O1 - Hosts: 164.62.7.30 www.ftc.gov
    O1 - Hosts: 66.28.176.251 www.fvotd.com
    O1 - Hosts: 81.211.105.20 www.ga31.com
    O1 - Hosts: 66.163.161.45 www.gametimeusa.com
    O1 - Hosts: 66.218.77.68 www.geocities.com
    O1 - Hosts: 216.239.41.99 www.google.com
    O1 - Hosts: 69.0.68.75 www.hamden.com
    O1 - Hosts: 24.30.204.14 www.help.rr.com
    O1 - Hosts: 66.162.58.150 www.hot97.com
    O1 - Hosts: 69.93.53.43 www.hqmovs.com
    O1 - Hosts: 69.44.114.25 www.ikea.com
    O1 - Hosts: 192.71.68.42 www.ikea-usa.com
    O1 - Hosts: 66.221.197.177 www.infonewhaven.com
    O1 - Hosts: 165.193.123.186 www.infoplease.com
    O1 - Hosts: 205.134.174.212 www.interracialunited.com
    O1 - Hosts: 63.217.29.242 www.intimatediary.com
    O2 - BHO: MyWay Search Assistant BHO - {04079851-5845-4dea-848C-3ECD647AA554} - C:\Program Files\MyWay\SrchAstt\1.bin\MYSRCHAS.DLL (file missing)
    O2 - BHO: myBar BHO - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL (file missing)
    O3 - Toolbar: QuickSearch Search Bar - {82315A18-6CFB-44a7-BDFD-90E36537C252} - C:\Program Files\QuickSearch\QuickSearchBar1_27.dll
    O3 - Toolbar: (no name) - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - (no file)
    O4 - HKLM\..\Run: [updater] C:\Program Files\Common files\updater\wupdater.exe
    O4 - HKLM\..\Run: [Remndr] "C:\Program Files\CasinoOnline\CsRemnd.exe"
    O4 - HKCU\..\Run: [msmc] C:\WINNT\system32\msmc.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE <---Optional but Highly recommended to remove, not needed at start and huge resource hog


    THEN WITH ALL OTHER WINDOWS CLOSED ,press "Fix".

    Reboot to safe mode (instructions)

    Find and delete the following files/folders:-
    C:\WINNT\system32\msmc.exe
    C:\Program Files\QuickSearch\ <----ENTIRE FOLDER!!
    C:\Program Files\CasinoOnline\ <----ENTIRE FOLDER!!
    C:\Program Files\Common files\updater <----ENTIRE FOLDER!!

    Delete files/folder from the following directories (But not the directory itself, for example delete all files/folder IN temp; but not temp itself!)

    [*]C:\Windows\Temp\

    [*]C:\Documents and Settings\<Your Profile>\Local Settings\Temp\

    [*]C:\Documents and Settings\<All other users Profile>\Local Settings\Temp\

    [*]C:\Documents and Settings\<Your Profile>\Local Settings\Temporary Internet Files\ <---This will delete your internet cache--including cookies. This is recommended and strongly suggested.

    [*]C:\Documents and Settings\<All other users Profile>\Local Settings\Temporary Internet Files\

    [*]Empty your "Recycle Bin"
    Check for the new version (1.98.2)of HijkackThis by using Config>Misc Tools>"check for online update" button. If the server is busy or just down you can download it from zerosrealm.

    Reboot

    Download the Hoster from here. Press "Restore Original Hosts" and press "OK". Exit Program. This will restore the original deleted Hosts file.
    The above(Hoster) is optional but reccomended.

    You'll need to turn off the System Restore. It may have a copy of the virus/trojan/baddie. This can be done by following the instructions of your OS here.
    Run an online virus scan at BitDefender and/or Panda Online. Please note any virus found and report back with new log.
    Now you can turn System Resore back on
    Then Reboot and post a fresh log back to this thread.
     
    jwbirdsong, Sep 12, 2004
    #4
  5. GMM

    GMM Thread Starter

    Joined:
    Jun 30, 2004
    Messages:
    14
    I could NOT find and delete the following files, all the others were deleted:

    c:\winnt\system32\msmc.exe
    c:\program files\common files\updater

    c:\windows\temp
    c:\documents and settings\<all other users profile>\local settings\temp
    " " " " \temporary internet files

    BitDefender found the following 12 viruses:
    VBS.Trojan.Psyme.C in c:\documents and settings\setup\local settings\temp\temporary internet files\content.IE5\k91G15HN\secure(1).php
    Trojan.Dialer.CF in c:\winnt\system32\d2kndr.exe
    Trojan.Downloader.Gen in c:\winnt\system32\msnk.dll
    Trojan.Downloader.Agent.Av in c:\winnt\system32\rnr.dll
    " " " in c:\winnt\system32\run.dos.dll
    " " " in c:\winnt\system32\telnetxp.exe

    Here is the latest Hijack This Log from version v.1.98.2, Thank you.

    Logfile of HijackThis v1.98.2
    Scan saved at 10:41:36 AM, on 9/13/2004
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\system32\stisvc.exe
    C:\WINNT\wanmpsvc.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\system32\MsPMSPSv.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\Explorer.EXE
    C:\Program Files\Winamp3\winampa.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
    C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
    C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
    C:\WINNT\system32\ctfmon.exe
    C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
    C:\Program Files\Linksys\WPC11 Config Utility\WPC11Cfg.exe
    C:\Program Files\AOL Companion\companion.exe
    C:\PROGRA~1\WINZIP\winzip32.exe
    C:\Documents and Settings\setup\Local Settings\Temp\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://law.quinnipiac.edu/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by America Online
    O1 - Hosts: 208.48.4.184 adv.alsscan.com
    O1 - Hosts: 64.12.188.24 aolcc.aol.com
    O1 - Hosts: 24.137.12.200 forums.techguy.org
    O1 - Hosts: 192.152.243.90 law.quinnipiac.edu
    O1 - Hosts: 68.22.73.154 search.msn.com
    O1 - Hosts: 198.6.49.121 service1.symantec.com
    O1 - Hosts: 80.86.106.20 www.bitdefender.com
    O1 - Hosts: 67.43.1.57 www.zerosrealm.com
    O3 - Toolbar: @msdxmLC.dll,[email protected],&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp3\\winampa.exe"
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot
    O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
    O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
    O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
    O4 - HKLM\..\Run: [Remndr] "C:\Program Files\CasinoOnline\CsRemnd.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
    O4 - Startup: ASE Scheduler.lnk = C:\Program Files\Aluria Software\ASE\ASE Scheduler.exe
    O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0a\aoltray.exe
    O4 - Global Startup: AOL Companion.lnk = C:\Program Files\AOL Companion\companion.exe
    O4 - Global Startup: Dr.Speed NetRx.lnk = C:\Program Files\Aluria Software\DrSpeed Suite\drspeed.exe
    O4 - Global Startup: Instant Wireless Configuration Utility.lnk = C:\Program Files\Linksys\WPC11 Config Utility\WPC11Cfg.exe
    O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
    O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\system32\Shdocvw.dll
    O10 - Broken Internet access because of LSP provider 'connwsp.dll' missing
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.aol.com
    O14 - IERESET.INF: MS_START_PAGE_URL=http://www.aol.com
    O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
    O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
    O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/activedata/SymAData.cab
    O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
    O16 - DPF: {EFAEF0E4-F044-4D57-9900-1C3FF18524C9} (AV Class) - http://www.pcpitstop.com/antivirus/PitPav.cab
     
    GMM, Sep 13, 2004
    #5

  6. Sponsor

As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 733,556 other people just like you!

Loading...
Similar Threads - Infected Downloader Trojan
  1. BenMiller123

    Solved Infected by ransomware

    BenMiller123, Dec 22, 2019, in forum: Virus & Other Malware Removal
    Replies:
    4
    Views:
    464
    Curie
    Dec 29, 2019
  2. Ibrooz

    In Progress Geacata Virus - Eliminate without deleting infected files

    Ibrooz, Oct 30, 2019, in forum: Virus & Other Malware Removal
    Replies:
    1
    Views:
    450
    iMacg3
    Oct 30, 2019
  3. whitehound

    Solved May or may not be infected with nusojog and r.sastts

    whitehound, Mar 26, 2019, in forum: Virus & Other Malware Removal
    Replies:
    22
    Views:
    3,898
    iMacg3
    Apr 3, 2019
  4. aconfusedperson

    In Progress random game macro infected my PC

    aconfusedperson, Mar 11, 2019, in forum: Virus & Other Malware Removal
    Replies:
    14
    Views:
    650
    iMacg3
    Mar 11, 2019
Thread Status:
Not open for further replies.

Short URL to this thread: https://techguy.org/272857

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Accept Learn More...
    Dismiss Notice