|
|||||||||
|
|||||||||
| |||||||||
|
|||||||||
|
|||||||||
| |||||||||
|
|
|
| |||||||||
 |
|
|
«
Previous Thread
|
Next Thread
»
|
Thread Tools | Search this Thread | Rate Thread | Display Modes |
Dev Shed Forums Sponsor:
|
|
Stop making mediocre tutorials.The best tutorials are video! Camtasia Studio makes it easy to create engaging, buzz-building screen videos at any size, in any popular format. Download the free trial!
|
|
#1
May 31st, 2004, 06:05 AM
|
|||
|
|||
|
Internet explorer hi-jack.
As of a month or so ago, my father got his computer hi-jacked with "http://search-world.net" that _seems_ to go together with a trojan dialer.
I have a hijack log of it, if you could please help me get this resolved I would be very glad. (I run spy bot, adaware, and avg. Avg deletes the virus/trojan only to have it return, and adaware+spybot do not find the hijack.) Logfile of HijackThis v1.97.7 Scan saved at 3:56:47 AM, on 5/31/04 Platform: Windows 98 Gold (Win9x 4.10.1998) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Running processes: C:\WINDOWS\SYSTEM\KERNEL32.DLL C:\WINDOWS\SYSTEM\MSGSRV32.EXE C:\WINDOWS\SYSTEM\SPOOL32.EXE C:\WINDOWS\SYSTEM\MPREXE.EXE C:\PROGRAM FILES\GRISOFT\AVG6\AVGSERV9.EXE C:\PROGRAM FILES\MESSENGER PLUS! 3\MSGPLUS.EXE C:\WINDOWS\SYSTEM\mmtask.tsk C:\WINDOWS\EXPLORER.EXE C:\WINDOWS\TASKMON.EXE C:\WINDOWS\SYSTEM\SYSTRAY.EXE C:\WINDOWS\SYSTEM\ATIPTAAA.EXE C:\PROGRAM FILES\SONY\1394\SCMON.EXE C:\WINDOWS\SYSTEM\STIMON.EXE C:\PROGRAM FILES\HP\HPCORETECH\HPCMPMGR.EXE C:\PROGRAM FILES\HEWLETT-PACKARD\HP SOFTWARE UPDATE\HPWUSCHD2.EXE C:\WINDOWS\SYSTEM\HPZTSB09.EXE C:\WINDOWS\LOADQM.EXE C:\PROGRAM FILES\GRISOFT\AVG6\AVGCC32.EXE C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE C:\WINDOWS\SYSTEM\ECHOCON.EXE C:\WINDOWS\WINADM.EXE C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\OSA.EXE C:\RAIN\RAIN.EXE C:\MOUSE\MOUSEWARE\SYSTEM\EM_EXEC.EXE C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE C:\WINDOWS\SYSTEM\RNAAPP.EXE C:\WINDOWS\SYSTEM\TAPISRV.EXE C:\PROGRAM FILES\MOZILLA FIREFOX\FIREFOX.EXE C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE C:\HIJACKTHIS\HIJACKTHIS.EXE R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = URL R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = URL R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = URL R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\SYSTEM\MMLGMDA.DLL/sp.html (obfuscated) R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = URL R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = URL R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = URL R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = URL R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = URL R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = URL R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = URL O2 - BHO: (no name) - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - C:\PROGRA~1\COMMON~1\REAL\TOOLBAR\REALBAR.DLL O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll O3 - Toolbar: REALBAR - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - C:\PROGRA~1\COMMON~1\REAL\TOOLBAR\REALBAR.DLL O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe O4 - HKLM\..\Run: [SystemTray] SysTray.Exe O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme O4 - HKLM\..\Run: [ATIGART] c:\ati\gart\atigart.exe O4 - HKLM\..\Run: [AtiPTA] Atiptaaa.exe O4 - HKLM\..\Run: [AtiCwd32] Aticwd32.exe O4 - HKLM\..\Run: [AtiQiPcl] AtiQiPcl.exe O4 - HKLM\..\Run: [VortexTray] C:\WINDOWS\au30setp.exe 3 O4 - HKLM\..\Run: [Smart Connect Monitor] C:\Program Files\Sony\1394\SCMon.exe O4 - HKLM\..\Run: [Smart Connect Setup] C:\Program Files\Sony\1394\SCSetup.exe -c O4 - HKLM\..\Run: [VsEcomrEXE] C:\Program Files\Network Associates\McAfee VirusScan\vsecomr.exe O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE O4 - HKLM\..\Run: [Echo Jump Start] EchoStrt.Exe O4 - HKLM\..\Run: [HP Component Manager] "C:\PROGRAM FILES\HP\HPCORETECH\HPCMPMGR.EXE" O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\SYSTEM\hpztsb09.exe O4 - HKLM\..\Run: [LoadQM] loadqm.exe O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\GRISOFT\AVG6\avgcc32.exe /STARTUP O4 - HKLM\..\Run: [Logitech Utility] LOGI_MWX.EXE O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme O4 - HKLM\..\RunServices: [Avgserv9.exe] C:\PROGRA~1\GRISOFT\AVG6\Avgserv9.exe O4 - HKLM\..\RunServices: [OrigRage128Tweaker] "C:\PROGRAM FILES\RAGE 128 TWEAKER\RAGE128TWEAK.EXE" /detectorig O4 - HKLM\..\RunServices: [Rage128Tweaker] "C:\PROGRAM FILES\RAGE 128 TWEAKER\RAGE128TWEAK.EXE" /setclock O4 - HKLM\..\RunServices: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe" O4 - HKCU\..\Run: [winadm] C:\WINDOWS\winadm.exe O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE O4 - Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe O4 - Startup: Rain.lnk = C:\Rain\Rain.exe O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsearch.html O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmcache.html O8 - Extra context menu item: Si&milar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsimilar.html O8 - Extra context menu item: Backward &Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmbacklinks.html O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmtrans.html O9 - Extra button: AIM (HKLM) O9 - Extra button: Yahoo! Messenger (HKLM) O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM) O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - URL O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - URL O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - URL O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - URL O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - URL O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - URL O16 - DPF: Yahoo! Pool 2 - URL O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - URL O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - URL O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - URL O16 - DPF: {10000000-1000-0000-1000-000000000000} - mhtml:file://C:\ARCHIVE.MHT!URL
|
|
#2
June 4th, 2004, 02:44 PM
|
|||
|
|||
|
The only thing i can suggest is update your virus definitions, ad-aware definitions and update windows via windows update.
Hopefully this will fix your problem.
|
|
#3
June 4th, 2004, 07:30 PM
|
|||
|
|||
|
Hi [Red],
O4 - Startup: Rain.lnk = C:\Rain\Rain.exe might be associated with a virus unless you know what it is. I'd like you to first perform an online scan at Trend Micro Housecall (link below). Reboot if anything is removed. Run HijackThis, place a checkmark next to the following items. Close ALL other windows and browsers except HijackThis. Click "fix checked". R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search-world.net R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search-world.net R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://search-world.net R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\SYSTEM\MMLGMDA.DLL/sp.html (obfuscated) R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://search-world.net R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search-world.net R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://search-world.net R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://search-world.net R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://search-world.net R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search-world.net R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://search-world.net/ O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE O16 - DPF: {10000000-1000-0000-1000-000000000000} - mhtml:file://C:\ARCHIVE.MHT!http://www.search-world.net/msits.exe Show hidden files: How to Show hidden files and folders. http://www.xtra.co.nz/help/0,,4155-1916458,00.html Boot into Safe Mode. Here's instructions: http://service1.symantec.com/SUPPOR...01052409420406/ Delete the following items if found: C:\ARCHIVE.MHT! Reboot normally and post a new log. Is this program familiar to you? O4 - HKLM\..\Run: [Echo Jump Start] EchoStrt.Exe It appears you have two antivirus programs running. It's considered best to just have one running and uninstall the last one you installed to avoid conflicts. Consider installing Spywareblaster and Spywareguard (links below). Tom
__________________
HijackThis Ad-aware Spybot Search & Destroy SpywareBlaster SpywareGuard Housecall Online A/V Scan Please read the stickys at the top of the forum before posting!
|
|
#4
June 6th, 2004, 02:24 PM
|
|||
|
|||
|
I have already done most of this, thanks to the guys at SWI forums. But it continues to fight back.
Also: Rain is to cool pII prossesors, EchoStrt is part of Echocon, which is the software for The Layla sound system for recording that is on this computer. Update, after restart: Well, the hijack seems to always load at startup. I dont know how its hooking but it sure is. I update my antivirus, spybot, and adaware every day so I am surprised this hasnt been caught yet. Also, trend's housecall doesnt like the idea of installing on a mozilla browser, considering the IE is so hijacked I dare not try to really do much in it. The only installer that I can get that is close to mozilla is netscape, considering netscape is based on the mozilla framework. New log: Logfile of HijackThis v1.97.7 Scan saved at 12:36:17 PM, on 6/6/04 Platform: Windows 98 Gold (Win9x 4.10.1998) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Running processes: C:\WINDOWS\SYSTEM\KERNEL32.DLL C:\WINDOWS\SYSTEM\MSGSRV32.EXE C:\WINDOWS\SYSTEM\SPOOL32.EXE C:\WINDOWS\SYSTEM\MPREXE.EXE C:\PROGRAM FILES\GRISOFT\AVG6\AVGSERV9.EXE C:\PROGRAM FILES\MESSENGER PLUS! 3\MSGPLUS.EXE C:\WINDOWS\SYSTEM\mmtask.tsk C:\WINDOWS\EXPLORER.EXE C:\WINDOWS\TASKMON.EXE C:\WINDOWS\SYSTEM\SYSTRAY.EXE C:\WINDOWS\SYSTEM\ATIPTAAA.EXE C:\PROGRAM FILES\SONY\1394\SCMON.EXE C:\WINDOWS\SYSTEM\STIMON.EXE C:\PROGRAM FILES\HP\HPCORETECH\HPCMPMGR.EXE C:\PROGRAM FILES\HEWLETT-PACKARD\HP SOFTWARE UPDATE\HPWUSCHD2.EXE C:\WINDOWS\SYSTEM\HPZTSB09.EXE C:\WINDOWS\LOADQM.EXE C:\PROGRAM FILES\GRISOFT\AVG6\AVGCC32.EXE C:\WINDOWS\SYSTEM\ECHOCON.EXE C:\PROGRAM FILES\CASINOONLINE\CSREMND.EXE C:\WINDOWS\WINADM.EXE C:\RAIN\RAIN.EXE C:\MOUSE\MOUSEWARE\SYSTEM\EM_EXEC.EXE C:\WINDOWS\RUNDLL32.EXE C:\WINDOWS\SYSTEM\RNAAPP.EXE C:\WINDOWS\SYSTEM\TAPISRV.EXE C:\HIJACKTHIS\HIJACKTHIS.EXE R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = URL R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = URL R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = URL R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = URL R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = URL R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = URL R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = URL R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = URL R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = URL O2 - BHO: (no name) - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - C:\PROGRA~1\COMMON~1\REAL\TOOLBAR\REALBAR.DLL O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll O3 - Toolbar: REALBAR - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - C:\PROGRA~1\COMMON~1\REAL\TOOLBAR\REALBAR.DLL O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe O4 - HKLM\..\Run: [SystemTray] SysTray.Exe O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme O4 - HKLM\..\Run: [ATIGART] c:\ati\gart\atigart.exe O4 - HKLM\..\Run: [AtiPTA] Atiptaaa.exe O4 - HKLM\..\Run: [AtiCwd32] Aticwd32.exe O4 - HKLM\..\Run: [AtiQiPcl] AtiQiPcl.exe O4 - HKLM\..\Run: [VortexTray] C:\WINDOWS\au30setp.exe 3 O4 - HKLM\..\Run: [Smart Connect Monitor] C:\Program Files\Sony\1394\SCMon.exe O4 - HKLM\..\Run: [Smart Connect Setup] C:\Program Files\Sony\1394\SCSetup.exe -c O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE O4 - HKLM\..\Run: [Echo Jump Start] EchoStrt.Exe O4 - HKLM\..\Run: [HP Component Manager] "C:\PROGRAM FILES\HP\HPCORETECH\HPCMPMGR.EXE" O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\SYSTEM\hpztsb09.exe O4 - HKLM\..\Run: [LoadQM] loadqm.exe O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\GRISOFT\AVG6\avgcc32.exe /STARTUP O4 - HKLM\..\Run: [Logitech Utility] LOGI_MWX.EXE O4 - HKLM\..\Run: [Remndr] "C:\PROGRAM FILES\CASINOONLINE\CSREMND.EXE" O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme O4 - HKLM\..\RunServices: [Avgserv9.exe] C:\PROGRA~1\GRISOFT\AVG6\Avgserv9.exe O4 - HKLM\..\RunServices: [OrigRage128Tweaker] "C:\PROGRAM FILES\RAGE 128 TWEAKER\RAGE128TWEAK.EXE" /detectorig O4 - HKLM\..\RunServices: [Rage128Tweaker] "C:\PROGRAM FILES\RAGE 128 TWEAKER\RAGE128TWEAK.EXE" /setclock O4 - HKLM\..\RunServices: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe" O4 - HKCU\..\Run: [winadm] C:\WINDOWS\winadm.exe O4 - Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe O4 - Startup: Rain.lnk = C:\Rain\Rain.exe O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsearch.html O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmcache.html O8 - Extra context menu item: Si&milar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsimilar.html O8 - Extra context menu item: Backward &Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmbacklinks.html O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmtrans.html O9 - Extra button: AIM (HKLM) O9 - Extra button: Yahoo! Messenger (HKLM) O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM) O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - URL O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - URL O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - URL O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - URL O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - URL O16 - DPF: Yahoo! Pool 2 - URL O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - URL O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - URL O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - URL
|
|
#6
June 10th, 2004, 08:55 PM
|
|||
|
|||
|
This one really stumps me, it seems no matter what I do it returns. It doesnt have any clear existance. I have figured out where the "dialer.8.u" trojan comes from. *.2awm.com. Well, I would be glad of any suggestions.
I use
Logfile of HijackThis v1.97.7 Scan saved at 6:57:19 PM, on 6/10/04 Platform: Windows 98 Gold (Win9x 4.10.1998) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Running processes: C:\WINDOWS\SYSTEM\KERNEL32.DLL C:\WINDOWS\SYSTEM\MSGSRV32.EXE C:\WINDOWS\SYSTEM\MPREXE.EXE C:\WINDOWS\SYSTEM\SPOOL32.EXE C:\WINDOWS\SYSTEM\mmtask.tsk C:\PROGRAM FILES\GRISOFT\AVG6\AVGSERV9.EXE C:\PROGRAM FILES\MESSENGER PLUS! 3\MSGPLUS.EXE C:\WINDOWS\EXPLORER.EXE C:\WINDOWS\TASKMON.EXE C:\WINDOWS\SYSTEM\SYSTRAY.EXE C:\WINDOWS\SYSTEM\ATIPTAAA.EXE C:\PROGRAM FILES\SONY\1394\SCMON.EXE C:\WINDOWS\SYSTEM\STIMON.EXE C:\PROGRAM FILES\HP\HPCORETECH\HPCMPMGR.EXE C:\PROGRAM FILES\HEWLETT-PACKARD\HP SOFTWARE UPDATE\HPWUSCHD2.EXE C:\WINDOWS\SYSTEM\HPZTSB09.EXE C:\WINDOWS\LOADQM.EXE C:\PROGRAM FILES\GRISOFT\AVG6\AVGCC32.EXE C:\WINDOWS\SYSTEM\ECHOCON.EXE C:\WINDOWS\WINADM.EXE C:\RAIN\RAIN.EXE C:\MOUSE\MOUSEWARE\SYSTEM\EM_EXEC.EXE C:\WINDOWS\SYSTEM\RNAAPP.EXE C:\WINDOWS\SYSTEM\TAPISRV.EXE C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE C:\PROGRAM FILES\YAHOO!\MESSENGER\YPAGER.EXE C:\PROGRAM FILES\MOZILLA FIREFOX\FIREFOX.EXE C:\HIJACKTHIS\HIJACKTHIS.EXE R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = URL R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = URL R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = URL R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = URL R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = URL R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = URL R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = URL R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = URL R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = URL O2 - BHO: (no name) - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - C:\PROGRA~1\COMMON~1\REAL\TOOLBAR\REALBAR.DLL O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll O3 - Toolbar: REALBAR - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - C:\PROGRA~1\COMMON~1\REAL\TOOLBAR\REALBAR.DLL O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe O4 - HKLM\..\Run: [SystemTray] SysTray.Exe O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme O4 - HKLM\..\Run: [ATIGART] c:\ati\gart\atigart.exe O4 - HKLM\..\Run: [AtiPTA] Atiptaaa.exe O4 - HKLM\..\Run: [AtiCwd32] Aticwd32.exe O4 - HKLM\..\Run: [AtiQiPcl] AtiQiPcl.exe O4 - HKLM\..\Run: [VortexTray] C:\WINDOWS\au30setp.exe 3 O4 - HKLM\..\Run: [Smart Connect Monitor] C:\Program Files\Sony\1394\SCMon.exe O4 - HKLM\..\Run: [Smart Connect Setup] C:\Program Files\Sony\1394\SCSetup.exe -c O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE O4 - HKLM\..\Run: [Echo Jump Start] EchoStrt.Exe O4 - HKLM\..\Run: [HP Component Manager] "C:\PROGRAM FILES\HP\HPCORETECH\HPCMPMGR.EXE" O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\SYSTEM\hpztsb09.exe O4 - HKLM\..\Run: [LoadQM] loadqm.exe O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\GRISOFT\AVG6\avgcc32.exe /STARTUP O4 - HKLM\..\Run: [Logitech Utility] LOGI_MWX.EXE O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme O4 - HKLM\..\RunServices: [Avgserv9.exe] C:\PROGRA~1\GRISOFT\AVG6\Avgserv9.exe O4 - HKLM\..\RunServices: [OrigRage128Tweaker] "C:\PROGRAM FILES\RAGE 128 TWEAKER\RAGE128TWEAK.EXE" /detectorig O4 - HKLM\..\RunServices: [Rage128Tweaker] "C:\PROGRAM FILES\RAGE 128 TWEAKER\RAGE128TWEAK.EXE" /setclock O4 - HKLM\..\RunServices: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe" O4 - HKCU\..\Run: [winadm] C:\WINDOWS\winadm.exe O4 - Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe O4 - Startup: Rain.lnk = C:\Rain\Rain.exe O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsearch.html O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmcache.html O8 - Extra context menu item: Si&milar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsimilar.html O8 - Extra context menu item: Backward &Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmbacklinks.html O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmtrans.html O9 - Extra button: AIM (HKLM) O9 - Extra button: Yahoo! Messenger (HKLM) O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM) O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - URL O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - URL O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - URL O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - URL O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - URL O16 - DPF: Yahoo! Pool 2 - URL O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - URL O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - URL O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - URL Thanks for any new information, [Red] - URL
|
|
#7
June 11th, 2004, 01:14 PM
|
|||
|
|||
|
I would like you to run the trial version of Trojan Hunter:
http://www.misec.net/trojanhunter/ If it does not find the infection, I'd like you to perform an online virus scan at Trend Micro's Housecall. The link is in my signature. Let us know how it goes. Tom
|
|
#9
June 13th, 2004, 01:53 PM
|
|||
|
|||
|
Here's some more to try:
Trojan Remover http://www.simplysup.com/tremover/download.html DiamondCS TDS-3 http://tds.diamondcs.com.au/ GFI online Scan http://www.trojanscan.com/ Sygate Trojan Scan http://scan.sygatetech.com/pretrojanscan.html Also, make sure you are using the latest Spybot Saarch and Destroy (Version 1.3). Tom
|
|
| Viewing: Dev Shed Forums > System Administration > Antivirus Protection > Internet explorer hi-jack. |
| Thread Tools | Search this Thread |
| Display Modes | Rate This Thread |
|
|
 |
|
|
Del.icio.us
Digg
Google
Spurl
Blink
Furl
Simpy
Y! MyWeb![[Red] is offline](http://images.devshed.com/fds/statusicon/user_offline.gif){kind=small}
![[Red] User rank is Just a Lowly Private (1 - 20 Reputation Level)](http://images.devshed.com/fds/reputation/reputation_green.gif){kind=small}
![Send a message via MSN to [Red]](http://images.devshed.com/fds/misc/im_msn.gif){kind=small}
Linear Mode
