Shows Domain name and IP address

Discussion in 'Virus & Other Malware Removal' started by ashleytripp, Feb 16, 2005.

Thread Status:
Not open for further replies.
  1. ashleytripp

    ashleytripp Thread Starter

    Joined:
    Feb 16, 2005
    Messages:
    7
    I downloaded Hijack This because I've been having some "weird" computer problems and wanted to get help with that but the log file shows my domain name and IP address. Haven't noticed anyone else's showing that and wondered if that was normal.
     
  2. Byteman

    Byteman Gone but Never Forgotten

    Joined:
    Jan 24, 2002
    Messages:
    17,742
    Hi, Yes it is normal...lots of logs show either the ISP, such as Earthlink, and the IP they assign, which for dialup usually changes (dynamic) but, if you have your own domain, you of course will show that. I don't think any harm will come of posting a log, at least it is never mentioned...we would know better than to have you post a log. As well, your full name could show too>
     
  3. ashleytripp

    ashleytripp Thread Starter

    Joined:
    Feb 16, 2005
    Messages:
    7
    Thanks... wasn't sure. This is my log file. Hoping someone can tell me whether it's ok or not.

    Logfile of HijackThis v1.99.1
    Scan saved at 1:56:30 PM, on 16/02/05
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
    C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE
    C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
    C:\WINDOWS\SYSTEM\QTTASK.EXE
    C:\PROGRAM FILES\EXIF LAUNCHER\QUICKDCF.EXE
    C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\1033\MSOFFICE.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\PROGRAM FILES\INCREDIMAIL\BIN\IMAPP.EXE
    C:\UNZIPPED\HIJACKTHIS\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
    O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
    O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
    O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
    O4 - Startup: Exif Launcher.lnk = C:\Program Files\Exif Launcher\QuickDCF.exe
    O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
    O16 - DPF: ppctlcab - http://ppupdates.ca.com/downloads/scanner/ppctlcab.cab
    O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://ppupdates.ca.com/downloads/scanner/axscanner.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
     
  4. Byteman

    Byteman Gone but Never Forgotten

    Joined:
    Jan 24, 2002
    Messages:
    17,742
    Hi, I don't see anything close to malware running in the log, what exactly are the problems that you have been noticing?
     
  5. ashleytripp

    ashleytripp Thread Starter

    Joined:
    Feb 16, 2005
    Messages:
    7
    Yes, I had to completely reinstall everything including Windows and my internet. Now there are things like I check the box that says "do not remember my user name" on msn groups and mail yet I open my browser and I'm still signed in. I've signed myself out manually of msn hotmail and then open my browser and I'm still signed in to groups. I've checked my settings and they're normal. My homepage changed twice as well and my Office 2000 went missing so I had to reinstall that again.
     
  6. Byteman

    Byteman Gone but Never Forgotten

    Joined:
    Jan 24, 2002
    Messages:
    17,742
    Hi,
    Well- I will give you these steps in case you don't have these two programs installed yet, they are the newest versions and what you should have.

    You should consider getting some preventive programs, too> one I use is SpywareBlaster:

    http://www.javacoolsoftware.com/

    You may need some updated Runtime files since you have just reinstalled fresh:

    http://www.javacoolsoftware.com/downloadfaq.html

    Those will allow you to install these programs.

    An online scan may show something that is hiding, Hijack in no way shows us everything:


    To get started> scan online at both of these places:

    http://www.pandasoftware.com/activescan/com/activescan_principal.htm

    http://housecall.antivirus.com/housecall/start_corp.asp

    If you have never used them, both of those scans will take a while to get the Active X controls loaded and then scan all files....I would estimate a good 2 hours and have seen it take quite a lot longer. Not much you can do...

    Set the settings to scan all files, Scan the whole computer, all hard drives...whatever each has. AUTOCLEAN should be checked, too. You don't get to scan unless you let the ActiveX control load, that is what gets tiring, but it should finish> it does seem to stop but you should wait and scan!
    Panda will let you save a Report as Activescan.txt when it finishes, which you should post here in your next reply. Housecall only shows you what it found, cleaned, could not fix, or deleted....so, do Panda first and Housecall next to keep the manual filename recording to a minimum, but we should have you post the filenames it found infected, the locations of files, and what the exact trojan name is for each.
    ___________________________
    You will need both of these programs, and these versions...though you might have both, one or the other may be older than what I am posting and will not be as effective as they can be! You need to check the Build of AdAware you have, it's right on the main window, we are using AdAware SE personal edition (the free one) v. 1.05 now, and even though you are just installing it, it will have some detection updates just after you install it, unless you get very lucky!

    SpyBot Search and Destroy v. 1.3> is the latest. The older versions are abandoned and will not give you any more updates!

    Both of those programs are available here:

    http://www.majorgeeks.com/downloads31.html

    Here are the directions for installing, updating, and using them:
    AdAware:

    Install the program and launch it.

    First in the main window look in the bottom right corner and click on Check for updates now then click Connect and download the latest reference files.

    From main window :Click Start then under Select a scan Mode tick Perform full system scan.

    Next deselect Search for negligible risk entries.

    Now to scan just click the Next button.

    When the scan is finished mark everything for removal and get rid of it.(Right-click the window and choose select all from the drop down menu and click Next)

    Restart your computer.

    SpyBot 1.3:

    Install the program and launch it.

    Before scanning press Online and Search for Updates .

    Put a check mark at and install all updates.

    Click Check for Problems and when the scan is finished let Spybot fix/remove all it finds marked in RED.

    Restart your computer.

    If anything is detected by an antivirus scanner, post what if any it found.

    Do Windows Updates> Office may need some updating as you probably know> you need the Office CD to put in, or your Restore type CD with Office on it...when you try for the MSOffice online updates.
     
  7. ashleytripp

    ashleytripp Thread Starter

    Joined:
    Feb 16, 2005
    Messages:
    7
    Wow... that took awhile. Here is the log from Panda which I can't understand because I removed all the Gator from the computer a while back and it was supposedly all gone. I ran Panda again after following all of the rest of your instructions and that log is below this one. Thank you again for your help... is there anything I should do about these ones that are still showing up?

    Incident Status Location

    Spyware:Spyware/Cydoor No disinfected C:\WINDOWS\cdmxtras\uninst.exe
    Adware:Adware/SaveNow No disinfected Windows Registry
    Spyware:Spyware/BargainBuddy No disinfected C:\WINDOWS\SYSTEM\bbchk.exe
    Adware:Adware/Gator No disinfected Windows Registry
    Spyware:Spyware/Dyfuca No disinfected C:\Program Files\Internet Optimizer
    Adware:Adware/KeenValue No disinfected C:\Program Files\Common Files\UpdMgr
    Adware:Adware/FunWeb No disinfected C:\Program Files\FunWebProducts
    Adware:Adware/WinTools No disinfected Windows Registry
    Adware:Adware/Comet No disinfected C:\WINDOWS\inf\cc_??.pnf
    Spyware:Spyware/LocalNRD No disinfected C:\WINDOWS\inf\localNRD.inf
    Adware:Adware/Twain-Tech No disinfected C:\WINDOWS\smdat32a.sys
    Adware:Adware/WUpd No disinfected C:\WINDOWS\SYSTEM\ide21201.vxd
    Spyware:Spyware/Altnet No disinfected C:\WINDOWS\Downloaded Program Files\adm4.inf
    Adware:Adware/MyWebSearch No disinfected Windows Registry
    Adware:Adware/FunWeb No disinfected C:\WINDOWS\SYSTEM\Popular Screensavers.scr
    Adware:Adware/ExactSearch No disinfected C:\WINDOWS\SYSTEM\exdl.exe
    Adware:Adware/ExactSearch No disinfected C:\WINDOWS\SYSTEM\exul.exe
    Adware:Adware/ExactSearch No disinfected C:\WINDOWS\SYSTEM\MQEXDLM.SRG
    Adware:Adware/ExactSearch No disinfected C:\WINDOWS\SYSTEM\JAVEXULM.VXD
    Adware:Adware/ExactSearch No disinfected C:\WINDOWS\SYSTEM\exdl1.exe
    Adware:Adware/ExactSearch No disinfected C:\WINDOWS\SYSTEM\exdl0.exe
    Adware:Adware/ExactSearch No disinfected C:\WINDOWS\SYSTEM\exul1.exe
    Adware:Adware/ExactSearch No disinfected C:\WINDOWS\SYSTEM\trkgif.exe
    Spyware:Spyware/BargainBuddy No disinfected C:\WINDOWS\SYSTEM\msbe.dll
    Spyware:Spyware/LocalNRD No disinfected C:\WINDOWS\INF\LOCALNRD.INF
    Spyware:Spyware/Altnet No disinfected C:\WINDOWS\TEMP\__unin__.exe
    Adware:Adware/Gator No disinfected C:\WINDOWS\Downloaded Program Files\CONFLICT.1\HDPlugin1019.dll
    Spyware:Spyware/Bridge No disinfected C:\WINDOWS\Downloaded Program Files\jao.dll
    Adware:Adware/Gator No disinfected C:\WINDOWS\Downloaded Program Files\HDPlugin1019.dll
    Adware:Adware/Gator No disinfected C:\WINDOWS\Downloaded Program Files\CONFLICT.2\HDPlugin1019.dll
    Adware:Adware/Gator No disinfected C:\WINDOWS\Downloaded Program Files\CONFLICT.2\HDPlugin1019.inf
    Spyware:Spyware/Altnet No disinfected C:\WINDOWS\Downloaded Program Files\adm4.inf
    Adware:Adware/Gator No disinfected C:\WINDOWS\Downloaded Program Files\CONFLICT.3\HDPlugin1019.dll
    Adware:Adware/Gator No disinfected C:\WINDOWS\Downloaded Program Files\CONFLICT.3\HDPlugin1019.inf
    Adware:Adware/Gator No disinfected C:\WINDOWS\Downloaded Program Files\CONFLICT.4\HDPlugin1019.dll
    Spyware:Spyware/LocalNRD No disinfected C:\WINDOWS\LOCALNRD.DLL
    Spyware:Spyware/BargainBuddy No disinfected C:\WINDOWS\msbe.dll
    Adware:Adware/ExactSearch No disinfected C:\WINDOWS\trkgif.exe
    Virus:Trj/Multidropper.NB Disinfected C:\WINDOWS\ahadp.exe
    Virus:Trj/WmvDownloader.A Disinfected C:\My Documents\My Music\Protected_Aug_10_2004_12_16_26_PM.asf
    Adware:Adware/BrilliantDigitalNo disinfected C:\Program Files\Common Files\Wise Installation Wizard\WIS4574B9B383144C0F88634796CC739CEF_2_0_2_1.MSI[unk_0021][bdcore.dll]
    Adware:Adware/WUpd No disinfected C:\Program Files\Windows AdStatus\WinStatComm.dll
    Adware:Adware/WUpd No disinfected C:\Program Files\Windows AdStatus\WinStat.exe

    Incident Status Location

    Spyware:Spyware/Cydoor No disinfected C:\WINDOWS\cdmxtras\uninst.exe
    Adware:Adware/SaveNow No disinfected Windows Registry
    Spyware:Spyware/BargainBuddy No disinfected C:\WINDOWS\SYSTEM\exclean.exe
    Adware:Adware/Gator No disinfected C:\WINDOWS\TEMP\bundle.inf
    Spyware:Spyware/Dyfuca No disinfected Windows Registry
    Adware:Adware/Twain-Tech No disinfected C:\WINDOWS\smdat32a.sys
    Adware:Adware/WUpd No disinfected C:\WINDOWS\SYSTEM\ide21201.vxd
    Spyware:Spyware/Altnet No disinfected C:\WINDOWS\Downloaded Program Files\adm4.inf
    Adware:Adware/MyWebSearch No disinfected Windows Registry
    Adware:Adware/FunWeb No disinfected C:\WINDOWS\SYSTEM\Popular Screensavers.scr
    Adware:Adware/ExactSearch No disinfected C:\WINDOWS\SYSTEM\MQEXDLM.SRG
    Spyware:Spyware/Altnet No disinfected C:\WINDOWS\TEMP\__unin__.exe
    Adware:Adware/Gator No disinfected C:\WINDOWS\Downloaded Program Files\CONFLICT.1\HDPlugin1019.dll
    Spyware:Spyware/Bridge No disinfected C:\WINDOWS\Downloaded Program Files\jao.dll
    Adware:Adware/Gator No disinfected C:\WINDOWS\Downloaded Program Files\CONFLICT.2\HDPlugin1019.dll
    Adware:Adware/Gator No disinfected C:\WINDOWS\Downloaded Program Files\CONFLICT.2\HDPlugin1019.inf
    Spyware:Spyware/Altnet No disinfected C:\WINDOWS\Downloaded Program Files\adm4.inf
    Adware:Adware/Gator No disinfected C:\WINDOWS\Downloaded Program Files\CONFLICT.3\HDPlugin1019.dll
    Adware:Adware/Gator No disinfected C:\WINDOWS\Downloaded Program Files\CONFLICT.3\HDPlugin1019.inf
    Adware:Adware/Gator No disinfected C:\WINDOWS\Downloaded Program Files\CONFLICT.4\HDPlugin1019.dll
    Adware:Adware/BrilliantDigitalNo disinfected C:\Program Files\Common Files\Wise Installation Wizard\WIS4574B9B383144C0F88634796CC739CEF_2_0_2_1.MSI[unk_0021][bdcore.dll]
    Adware:Adware/WUpd No disinfected C:\Program Files\Windows AdStatus\WinStatComm.dll
    Adware:Adware/WUpd No disinfected C:\Program Files\Windows AdStatus\WinStat.exe
     
  8. Byteman

    Byteman Gone but Never Forgotten

    Joined:
    Jan 24, 2002
    Messages:
    17,742
    Hi,
    I cannot believe this..well actually I can...

    Take the list of items found, and go into Add/Remove Programs, look for those names like Gator, etc and uninstall what you find referred to in the found list...

    Things like Twaintech, Bargain Buddy, usually will have an uninstaller that does help with removal.

    New.Net or NewDotNet is one that should be removed...
    Comet Cursor, ExactSearch, MyWebSearch...all those names may be there. You may find NONE there, in that case they are just Registry entries for the most part or some Norton items in CONTROL1 etc......I have had those found, too, I am sure they are not active...what I did was set those to IGNORE or EXCLUDE in Norton AV settings, and they were not detected anymore...they may be SpyBot backups or another antivirus program's detections, sort of like a false positive...
    For me, those files could NOT be found anywhere, setting them to Exclude fixed Norton finding them, no problem.


    That's the difference between older and newer versions of the programs (AdAware and SpyBot) and the updates that are added to it all the time...every once in awhile, they pick up something else leftover from a ways back! These things create so many Registry keys, obscure files all over the hard drive!! Takes hours sometimes to clean up even after all the removals> while the removal programs do kill the malware, often bits are left though they are inactive...and cannot do any harm. Folders for instance, are usually left alone...for manual cleanup, and lots of files have to be manually deleted first.

    Let's see what was found and if we can get you cleaned up.

    Just guessing, but do you have anything turned off from startup by using msconfig??? That would keep items from showing in the HJT logs....!!!!! Put checks back into all things in msconfig> Startups please if you had any turned off.


    A Registry cleaner tool would be the easiest for you> I usually run Easy Cleaner 2.0 after a malware procedure...it's good and free and also very effective.

    http://www.majorgeeks.com/download414.html

    Download and install it. Launch it from the Programs menu entry for Easy Cleaner...read help if you like.

    You see the Registry button, hit that and it will start scanning, usually have to pull the Window up a bit to see the blue progress bar down at bottom...when it finishes, the various buttons will be activated, use the "Delete All" one to get rid of all the invalid Registry keys. I have never had it create any problems for machines of all makes used on....BUT>>>>> do NOT repeat NOT use the features called Duplicate files, OR the Unnecessary ones, as I HAVE had those remove some things they should not have.

    I also use the Delete Files (that's the same as Temp and Temporary Internet Files) and Cookies, and I use the others...but you do not need to, such as Shortcuts, Add/Remove programs...they usually do not find anything anyway.

    After you use Easy Cleaner, hopefully a lot less will have to be manually hunted for and removed.

    Restart the computer afterward and post a new Hijackthis log...in Normal mode.

    The items found may be more only the leftover folders , some Registry entries, and a few files...so don't fret, the HJT log would surely have shown us those!!!!

    Where Gator/Claria and buddies can come from:

    Games the kids have installed from CDs they borrow, or downloaded ones. Often they contain minor adware-based things like Brilliant Digital, Gator, and so on.

    The Internet> unaware users perhaps clicking on ads, or the Security warning boxes....popups... and drive-by installs, where you can close the popup but still get infected or even without your knowledge at all.

    Adult Sites> No, not for the things you had/have...usually a lot worse comes in from those, but you cannot rule it out.

    Downloaded music> you bet!
     
  9. ashleytripp

    ashleytripp Thread Starter

    Joined:
    Feb 16, 2005
    Messages:
    7
    I downloaded and ran the registry cleaner and I have gone to msconfig and turned everything on but there are things in there that aren't even on my computer which is why some were turned off. When Windows starts it says "missing Shortcuts - OSA.EXE" and same for matcli.exe and again for MWSOEMON.EXE and then Error opening IPDIAG32.DLL file cannot start.

    So here is the hijack this file after the restart.... but I took out my domain name and IP address...

    Logfile of HijackThis v1.99.1
    Scan saved at 7:30:12 PM, on 16/02/05
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\SYSTEM\CMMPU.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
    C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE
    C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
    C:\WINDOWS\SYSTEM\QTTASK.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\PROGRAM FILES\EXIF LAUNCHER\QUICKDCF.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\1033\MSOFFICE.EXE
    C:\PROGRAM FILES\INCREDIMAIL\BIN\IMAPP.EXE
    C:\MY DOCUMENTS\HIJACKTHIS\HIJACKTHIS.EXE

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
    F1 - win.ini: run=C:\WINDOWS\SYSTEM\cmmpu.exe
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
    O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
    O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
    O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [RecoverFromReboot] C:\WINDOWS\TEMP\RECOVE~1.EXE
    O4 - HKLM\..\Run: [IPInSightLAN 01] "C:\PROGRAM FILES\VISUAL NETWORKS\VISUAL IP INSIGHT\SYMPATICO CONSUMER\IPClient.exe" -l
    O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\PROGRAM FILES\VISUAL NETWORKS\VISUAL IP INSIGHT\SYMPATICO CONSUMER\IPMon32.exe"
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKCU\..\Run: [IncrediMail] C:\PROGRA~1\INCRED~1\bin\IncMail.exe /c
    O4 - HKCU\..\Run: [SpyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup
    O4 - HKCU\..\Run: [BestPopUpKiller] C:\Program Files\BestPopUpKiller\BestPopupKiller.exe /startup
    O4 - HKCU\..\Run: [Spyware Begone] C:\FREESCAN\FREESCAN.EXE -FastScan
    O4 - Startup: Exif Launcher.lnk = C:\Program Files\Exif Launcher\QuickDCF.exe
    O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
    O4 - Startup: NetAssistant.lnk = C:\Program Files\NetAssistant\bin\matcli.exe
    O4 - Startup: MyWebSearch Email Plugin.lnk = C:\Program Files\MyWebSearch\bar\2.bin\MWSOEMON.EXE
    O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
    O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
    O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://ppupdates.ca.com/downloads/scanner/axscanner.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
     
  10. Byteman

    Byteman Gone but Never Forgotten

    Joined:
    Jan 24, 2002
    Messages:
    17,742
    Hi, We'll fix all that...

    In msconfig, re-uncheck Office Fast Find, however you had them...

    and Office startup, no real need for it/them.

    IPDIAG belongs to the ISP software, uncheck that also if you put one in just before....

    Not the MyWebSearch one tho....

    See if any of these are in Add/Remove Programs:

    SpyKiller

    SpywareBegone

    Bestpopupkiller (It isn't)

    Run Hijackthis in Normal mode> ( later we boot to Safe Mode)

    Scan, put checks next to all these in my list and then click "Fix checked":

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =


    O4 - HKLM\..\Run: [RecoverFromReboot] C:\WINDOWS\TEMP\RECOVE~1.EXE

    O4 - HKCU\..\Run: [SpyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup

    O4 - HKCU\..\Run: [BestPopUpKiller] C:\Program Files\BestPopUpKiller\BestPopupKiller.exe /startup

    O4 - HKCU\..\Run: [Spyware Begone] C:\FREESCAN\FREESCAN.EXE -FastScan

    O4 - Startup: MyWebSearch Email Plugin.lnk = C:\Program Files\MyWebSearch\bar\2.bin\MWSOEMON.EXE

    Now, do this, so you can see hidden files:

    Open Windows Explorer and at the top, select View>Folder Options>View again...then put a check into "Show all files" and take the checkmark out of "Hide extensions for known file types" and OK.

    In Windows Explorer, navigate to the folders shown that hold files and delete the file:


    C:\WINDOWS\TEMP\RecoverFromReboot.exe

    C:\Program Files\SpyKiller\spykiller.exe /startup
    C:\Program Files\BestPopUpKiller\BestPopupKiller.exe /startup
    C:\FREESCAN\FREESCAN.EXE -FastScan
    C:\Program Files\MyWebSearch\bar\2.bin\MWSOEMON.EXE


    And, now delete the folders>

    C:\Program Files\MyWebSearch\bar\2.bin
    C:\Program Files\MyWebSearch\bar
    C:\Program Files\MyWebSearch
    C:\Program Files\SpyKiller
    C:\Program Files\BestPopUpKiller
    C:\FREESCAN

    Start>Programs>Accessories>System Tools>Disk Cleanup

    There, delete temp, Temp Internet Files etc.

    Empty the Recycle Bin.


    Restart the computer.

    Control Panel>Internet Options>Delete Files, put a check in "Delete all offline content"...


    Run scans with what you have> checking for detection updates to them first of course...

    Restart between programs/scans.

    Post a new and hopefully the last, HJT log
     
  11. ashleytripp

    ashleytripp Thread Starter

    Joined:
    Feb 16, 2005
    Messages:
    7
    I followed all of the instructions but none of the spyware or bestpopupkiller, etc... were there... I even checked through the find feature which came up with no files. Here is the last Hijack This Log File.... crossing my fingers now.... but I'll still say thank you again first. I've added the Panda Log at bottom only because it still does show Altnet, Gator, etc but they don't exist.

    Logfile of HijackThis v1.99.1
    Scan saved at 10:37:39 PM, on 16/02/05
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\SYSTEM\CMMPU.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
    C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE
    C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
    C:\WINDOWS\SYSTEM\QTTASK.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\PROGRAM FILES\EXIF LAUNCHER\QUICKDCF.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\PROGRAM FILES\INCREDIMAIL\BIN\IMAPP.EXE
    C:\MY DOCUMENTS\HIJACKTHIS\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
    F1 - win.ini: run=C:\WINDOWS\SYSTEM\cmmpu.exe
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
    O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
    O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
    O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKCU\..\Run: [IncrediMail] C:\Program Files\IncrediMail\bin\IncMail.exe /c
    O4 - Startup: Exif Launcher.lnk = C:\Program Files\Exif Launcher\QuickDCF.exe
    O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
    O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
    O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://ppupdates.ca.com/downloads/scanner/axscanner.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab

    Incident Status Location

    Spyware:Spyware/Cydoor No disinfected C:\WINDOWS\cdmxtras\uninst.exe
    Adware:Adware/SaveNow No disinfected Windows Registry
    Spyware:Spyware/BargainBuddy No disinfected C:\WINDOWS\SYSTEM\exclean.exe
    Adware:Adware/Gator No disinfected C:\WINDOWS\TEMP\bundle.inf
    Spyware:Spyware/Dyfuca No disinfected Windows Registry
    Adware:Adware/Twain-Tech No disinfected C:\WINDOWS\smdat32a.sys
    Adware:Adware/WUpd No disinfected C:\WINDOWS\SYSTEM\ide21201.vxd
    Spyware:Spyware/Altnet No disinfected C:\WINDOWS\Downloaded Program Files\adm4.inf
    Adware:Adware/MyWebSearch No disinfected Windows Registry
    Adware:Adware/FunWeb No disinfected C:\WINDOWS\SYSTEM\Popular Screensavers.scr
    Adware:Adware/ExactSearch No disinfected C:\WINDOWS\SYSTEM\MQEXDLM.SRG
    Spyware:Spyware/Altnet No disinfected C:\WINDOWS\TEMP\__unin__.exe
    Adware:Adware/Gator No disinfected C:\WINDOWS\Downloaded Program Files\CONFLICT.1\HDPlugin1019.dll
    Spyware:Spyware/Bridge No disinfected C:\WINDOWS\Downloaded Program Files\jao.dll
    Adware:Adware/Gator No disinfected C:\WINDOWS\Downloaded Program Files\CONFLICT.2\HDPlugin1019.dll
    Adware:Adware/Gator No disinfected C:\WINDOWS\Downloaded Program Files\CONFLICT.2\HDPlugin1019.inf
    Spyware:Spyware/Altnet No disinfected C:\WINDOWS\Downloaded Program Files\adm4.inf
    Adware:Adware/Gator No disinfected C:\WINDOWS\Downloaded Program Files\CONFLICT.3\HDPlugin1019.dll
    Adware:Adware/Gator No disinfected C:\WINDOWS\Downloaded Program Files\CONFLICT.3\HDPlugin1019.inf
    Adware:Adware/Gator No disinfected C:\WINDOWS\Downloaded Program Files\CONFLICT.4\HDPlugin1019.dll
    Adware:Adware/BrilliantDigitalNo disinfected C:\Program Files\Common Files\Wise Installation Wizard\WIS4574B9B383144C0F88634796CC739CEF_2_0_2_1.MSI[unk_0021][bdcore.dll]
    Adware:Adware/WUpd No disinfected C:\Program Files\Windows AdStatus\WinStatComm.dll
    Adware:Adware/WUpd No disinfected C:\Program Files\Windows AdStatus\WinStat.exe
     
  12. Byteman

    Byteman Gone but Never Forgotten

    Joined:
    Jan 24, 2002
    Messages:
    17,742
    Hi, The Hijack log is clean now- that is strange about the Panda scanner finding all those items though.

    If you cannot find anything of those files in the locations shown, I would say they are gone.

    The Panda online scan is what found those? The online scanner here:

    http://www.pandasoftware.com/activescan/com/activescan_principal.htm

    will let you save a Report when it is done, it is called Activescan.txt----is that what you have posted, or is that an old Log from an installed antivirus program???
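
Comparing two HijackThis scans entry by entry, as was done by eye across the logs in this thread, sketched as an added example (not code from the thread or from HijackThis). The sample lines are excerpts of the 7:30 PM and 10:37 PM logs posted above; the function names are hypothetical, and treating an autostart that launches from a TEMP folder as worth a second look is an assumption of this example.

```python
import re

# Excerpts of the two logs posted in the thread (7:30 PM and 10:37 PM scans).
LOG_BEFORE = r"""
Logfile of HijackThis v1.99.1
Scan saved at 7:30:12 PM, on 16/02/05
Running processes:
C:\WINDOWS\EXPLORER.EXE
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
F1 - win.ini: run=C:\WINDOWS\SYSTEM\cmmpu.exe
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [RecoverFromReboot] C:\WINDOWS\TEMP\RECOVE~1.EXE
O4 - HKCU\..\Run: [IncrediMail] C:\PROGRA~1\INCRED~1\bin\IncMail.exe /c
O4 - HKCU\..\Run: [SpyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup
O4 - Startup: Exif Launcher.lnk = C:\Program Files\Exif Launcher\QuickDCF.exe
O4 - Startup: MyWebSearch Email Plugin.lnk = C:\Program Files\MyWebSearch\bar\2.bin\MWSOEMON.EXE
"""

LOG_AFTER = r"""
Logfile of HijackThis v1.99.1
Scan saved at 10:37:39 PM, on 16/02/05
Running processes:
C:\WINDOWS\EXPLORER.EXE
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
F1 - win.ini: run=C:\WINDOWS\SYSTEM\cmmpu.exe
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKCU\..\Run: [IncrediMail] C:\Program Files\IncrediMail\bin\IncMail.exe /c
O4 - Startup: Exif Launcher.lnk = C:\Program Files\Exif Launcher\QuickDCF.exe
"""

# An entry line is "<section code> - <detail>", e.g. "O4 - HKLM\..\Run: [Name] cmd".
ENTRY_RE = re.compile(r"^\s*([RFNO]\d{1,2})\s+-\s+(.*\S)\s*$")
# O4 registry autostart: "<hive>\..\<key>: [value name] command line"
O4_REG_RE = re.compile(r"^(\S+): \[(.+?)\]\s*(.*)$")
# O4 Startup-folder shortcut: "Startup: <name>.lnk = target"
O4_LNK_RE = re.compile(r"^((?:Global )?Startup): (.+?) = (.*)$")


def parse_entries(log_text):
    """Map each entry to its value, keyed case-insensitively.

    O4 entries are keyed by (code, location, name) so that a command rewritten
    from 8.3 short paths to long paths shows up as a change, not as one entry
    removed and another added. Other sections are keyed by their full text.
    """
    entries = {}
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line)
        if not m:
            continue  # header, blank line or a "Running processes" path
        code, detail = m.groups()
        key, value = (code, detail.lower()), detail
        if code == "O4":
            sub = O4_REG_RE.match(detail) or O4_LNK_RE.match(detail)
            if sub:
                where, name, command = sub.groups()
                key, value = (code, where.lower(), name.lower()), command
        entries[key] = value
    return entries


def diff_logs(before_text, after_text):
    """Return the entry keys removed, added and changed between two scans."""
    before, after = parse_entries(before_text), parse_entries(after_text)
    return {
        "removed": sorted(k for k in before if k not in after),
        "added": sorted(k for k in after if k not in before),
        "changed": sorted(k for k in before
                          if k in after and before[k].lower() != after[k].lower()),
    }


def autostarts_from_temp(log_text):
    """Lower-cased names of O4/F-section autostarts that run from a TEMP/TMP folder."""
    hits = []
    for key, command in parse_entries(log_text).items():
        if key[0] in ("O4", "F0", "F1", "F2", "F3") and re.search(r"\\te?mp\\", command, re.I):
            hits.append(key[-1])
    return sorted(hits)


if __name__ == "__main__":
    for kind, keys in diff_logs(LOG_BEFORE, LOG_AFTER).items():
        for key in keys:
            print(kind, key)
    print("from TEMP:", autostarts_from_temp(LOG_BEFORE))
```

Entries disabled in msconfig do not appear in either scan, so a diff like this only reflects what was enabled when each log was taken.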
     
  13. ashleytripp

    ashleytripp Thread Starter

    Joined:
    Feb 16, 2005
    Messages:
    7
    Yes, all of the bottom log file was from the on-line scanner (Panda) that you posted. I ran everything exactly as you told me and the last scan still picked out those. I know they aren't on my computer though but they were at one time.
    Thank you so much for all of your help and patience... I couldn't have figured this stuff out on my own... this site is great. I'm not sure if it's against the rules but I have a family forum and was wondering if I could post a link to this thread so that all my relatives can check this site out.
     
  14. Byteman

    Byteman Gone but Never Forgotten

    Joined:
    Jan 24, 2002
    Messages:
    17,742
    Hi, Certainly, guests are allowed to read till they drop! Just send them the URL to the main page so they can read about the site and gain some knowledge of what we do.
    You just can't post a question or reply until you register with a username and so on...and, you must be 13 I believe is the minimum age..to own a username.

    I still cannot see why you cannot see the files detected by the online scan> if you have hidden files showing, and so on they should be findable...if they exist...one thing could be that they are in some kind of log from an older antivirus program, but that usually would show> where they are etc...so I am at a loss, but can tell you that this is not the first time I've run into this in the same week...There are such things as superhidden malwares, but how to get at them can be a little risky and technical, involving editing the Registry for one thing.

    The items may be in a SpyBot log or similar, but again, the path to them should point to SpyBot log file...

    When you use WINDOWS Explorer to go to the folders, like in this example, you do not see either the folder or any file there?

    C:\Program Files\Windows AdStatus\WinStat.exe ???

    You have to expand Program Files main folder, hit the + sign, and look down the list, alphabetically, under W.... still don't see anything?
     
Short URL to this thread: https://techguy.org/331351
