Solved: trojans, unsure which programmes best, hosts is empty and can't delete it, etc etc

Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

dandelion

Thread Starter
Joined
Jan 12, 2006
Messages
24
Hi :)

Hope I'm okay to just jump in, as am going slowly crazy! Formatted computer as sick of it seizing up/errors with Spyware Doctor. Tried latter again, but it wouldn't even run this time. Removed it and tried lots of new programmes, as unsure what to replace Spyware Doctor with. Already running ZoneAlarm, Avast, Lavasoft AdAware, Spybot, SpywareGuard. Tried NoAdaware, Free Spy Watcher, WinPatrol, and Arovax Shield, and briefly got half way through a Silencer installation [couldn't see where to stop the permissions 3 other programmes bringing up for every single file/line]. Spy Watcher brought up that have ...

File Path: c:\WINDOWS\hosts
INFECTED WITH ......... W32/Dloadr
and
File Path: c:\WINDOWS\WEB\RELATED.HTM
INFECTED WITH ......... Alexa

Deleted both; came back. Saw got two Hosts files, one of them empty. Deleted the sample one, and can't edit/save or delete the remaining hosts file (am thinking my half-way Silencer installation must have messed it up?) Really puzzled, and don't know which programme is reliable and sorts Hosts file out in order to protect computer. I don't know how to save the Hosts file opened in Notepad as a non-txt-extension file!

Anyway, already errors were happening every couple of minutes, about changing home page from microsoft.com to msn.com [homepage was and is google], and every time this came up, all the other programmes were set off with error messages, but, despite not allowing the changes, spybot brought up that registry changed.

System's WinME. Got XoftSpy trial on now, which hasn't detected anything. TrojanHunter trial found a totally different trojan, which is gone now. (Can't remember it's name ... K...Loader something?.) Have removed WinPatrol, NoAdware, and Free Spywatcher, as they were the one's kicking up all these errors and driving me insane! So I don't know if the errors that were coming up were false positives. Is computer constantly being hijacked when these errors about home page are coming up, and so it must still be happening, even though nothing is giving me the error messages now? And don't know how to sort out the Hosts file.

Would really value advice. Thanks, Cat
 

liquid_flame

Banned
Joined
Jan 8, 2006
Messages
69
also, you said you got the XoftSpy trial, when you run the scan and go to click remove it will ask you to register, which takes time and possibly money.
 

dandelion

Thread Starter
Joined
Jan 12, 2006
Messages
24
Here it is:

Logfile of HijackThis v1.99.1
Scan saved at 12:52:53, on 12/01/2006
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v5.50 (5.50.4134.0100)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHSERV.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PQSC\PROGRAM\SCTRAY.EXE
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHWEBSV.EXE
C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHMAISV.EXE
C:\PROGRAM FILES\AROVAX SHIELD\AROVAXSHIELD.EXE
C:\PROGRAM FILES\TROJANHUNTER 4.2\THGUARD.EXE
C:\PROGRAM FILES\SPYBOT - SEARCH & DESTROY\TEATIMER.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\WUAUCLT.EXE
C:\PROGRAM FILES\MOZILLA FIREFOX\FIREFOX.EXE
C:\PROGRAM FILES\HIJACKTHIS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = wmplayer.exe //ICWLaunch
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O3 - Toolbar: @msdxmLC.dll,[email protected],&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [SecondChance] C:\PQSC\PROGRAM\SCTRAY.EXE
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [avast! Web Scanner] C:\PROGRA~1\ALWILS~1\AVAST4\ASHWEBSV.EXE
O4 - HKLM\..\Run: [ashMaiSv] C:\PROGRA~1\ALWILS~1\AVAST4\ashmaisv.exe
O4 - HKLM\..\Run: [Arovax Shield] C:\PROGRAM FILES\AROVAX SHIELD\AROVAXSHIELD.EXE /h
O4 - HKLM\..\Run: [EPSON Stylus CX3200] C:\WINDOWS\SYSTEM\E_S10IC2.EXE /P19 "EPSON Stylus CX3200" /O7 "EPUSB1:" /M "Stylus CX3200"
O4 - HKLM\..\Run: [XoftSpy] C:\PROGRAM FILES\XOFTSPY\XoftSpy.exe -s
O4 - HKLM\..\Run: [THGuard] "C:\PROGRAM FILES\TROJANHUNTER 4.2\THGUARD.EXE"
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
O4 - HKLM\..\RunServices: [avast!] C:\Program Files\Alwil Software\Avast4\ashServ.exe
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O9 - Extra button: Mentor - {3892CA40-9B9A-11d4-8D73-00105A296A2A} - "C:\Program Files\tMentor\Mentor for IE5\IE5Help.chm" (file missing)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
 

dandelion

Thread Starter
Joined
Jan 12, 2006
Messages
24
liquid_flame said:
also, you said you got the XoftSpy trial, when you run the scan and go to click remove it will ask you to register, which takes time and possibly money.
Thanks. (Was relieved TrojanHunter found the trojan that XoftSpy didn't find!)
 

liquid_flame

Banned
Joined
Jan 8, 2006
Messages
69
Put a check next to the following objects:

C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\TASKMON.EXE
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe

then click fixed checked

Install CleanUp!

Download and install Ewido Security Suite
During the installation, uncheck the following under Additional Options:

Install background guard
Install scan via context menu
Run Ewido and click OK when prompted to update the program
On the left side of the screen, click update>>Start
When the update is finished, exit Ewido

Start your computer in Safe Mode

Run CleanUp! and go to Options>>Custom CleanUp!
Put a checkmark next to each of the following items:

Empty Recycle Bins
Delete Cookies
Delete Prefetch files
Scan local drives for temporary files
Cleanup! All Users
Click OK>>CleanUp!
Exit CleanUp!

Run Ewido Security Suite
Click scanner>>Complete System Scan
Click OK when prompted to clean the problems found
Exit Ewido

then post another HiJackThis logfile here, and tell me how the system is running
 

liquid_flame

Banned
Joined
Jan 8, 2006
Messages
69
paste the above instructions into notepad, and save a copy to your documents, as you will need to study them in safe mode.
 

dandelion

Thread Starter
Joined
Jan 12, 2006
Messages
24
Hi, can't find mprexe now, but have been getting rid of leftover links in regedit from programs deleted earlier. Taskmon not there either. Tried Ewido a while back, and it clashes with WinME. Done Cleanup in safe mode on those settings.

Logfile of HijackThis v1.99.1
Scan saved at 13:55:12, on 12/01/2006
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v5.50 (5.50.4134.0100)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHSERV.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PQSC\PROGRAM\SCTRAY.EXE
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHWEBSV.EXE
C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHMAISV.EXE
C:\PROGRAM FILES\AROVAX SHIELD\AROVAXSHIELD.EXE
C:\WINDOWS\SYSTEM\E_S10IC2.EXE
C:\PROGRAM FILES\TROJANHUNTER 4.2\THGUARD.EXE
C:\PROGRAM FILES\SPYBOT - SEARCH & DESTROY\TEATIMER.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\NOTEPAD.EXE
C:\PROGRAM FILES\HIJACKTHIS\HIJACKTHIS.EXE
C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\SETUP\AVAST.SETUP

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = wmplayer.exe //ICWLaunch
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O3 - Toolbar: @msdxmLC.dll,[email protected],&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [SecondChance] C:\PQSC\PROGRAM\SCTRAY.EXE
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [avast! Web Scanner] C:\PROGRA~1\ALWILS~1\AVAST4\ASHWEBSV.EXE
O4 - HKLM\..\Run: [ashMaiSv] C:\PROGRA~1\ALWILS~1\AVAST4\ashmaisv.exe
O4 - HKLM\..\Run: [Arovax Shield] C:\PROGRAM FILES\AROVAX SHIELD\AROVAXSHIELD.EXE /h
O4 - HKLM\..\Run: [EPSON Stylus CX3200] C:\WINDOWS\SYSTEM\E_S10IC2.EXE /P19 "EPSON Stylus CX3200" /O7 "EPUSB1:" /M "Stylus CX3200"
O4 - HKLM\..\Run: [THGuard] "C:\PROGRAM FILES\TROJANHUNTER 4.2\THGUARD.EXE"
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
O4 - HKLM\..\RunServices: [avast!] C:\Program Files\Alwil Software\Avast4\ashServ.exe
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O9 - Extra button: Mentor - {3892CA40-9B9A-11d4-8D73-00105A296A2A} - "C:\Program Files\tMentor\Mentor for IE5\IE5Help.chm" (file missing)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
 

dandelion

Thread Starter
Joined
Jan 12, 2006
Messages
24
(Forgot to say have gone over to Mozilla Firefox and Thunderbird, incase makes a difference.)
 
Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

Users Who Are Viewing This Thread (Users: 0, Guests: 1)

As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 807,865 other people just like you!

Latest posts

Staff online

Top