
Correct URL address but goes to same site.

Discussion in 'Malware and Virus Removal Archive' started by Sus, 2004/10/19.

Thread Status:
Not open for further replies.
  1. 2004/10/19
    Sus (Thread Starter)
    Dear Charles,
    As suggested I have started this new thread and e-mailed you the HijackThis log.
    Logfile of HijackThis v1.98.2
    Scan saved at 10:59:19, on 19/10/2004
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\hkcmd.exe
    C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
    C:\WINDOWS\System32\sgt634eo9eimi0.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe
    C:\WINDOWS\System32\rundll32.exe
    C:\Documents and Settings\MICHAEL CAREY\Application Data\My-disgo\MyKey disgo.exe
    C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\Documents and Settings\MICHAEL CAREY\Local Settings\Temp\Temporary Directory 1 for progamfiles.zip\HijackThis.exe
    C:\hijackthis.log.michael\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://super-spider.com/sp.htm?id=80
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.euro.dell.com/countries/uk/enu/gen/default.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://super-spider.com/sp.htm?id=80
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://super-spider.com/sp.htm?id=80
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://win-eto.com/hp.htm?id=80
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.freeserve.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.euro.dell.com/countries/uk/enu/gen/default.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://super-spider.com/sp.htm?id=80
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.freeserve.com/
    R3 - URLSearchHook: (no name) - - (no file)
    O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINDOWS\System32\zkrujfo5jgoh9.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\downloaded program files\GoogleToolbar_en_1.1.63-deleon.dll
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
    O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe "
    O4 - HKLM\..\Run: [ADUserMon] C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
    O4 - HKLM\..\Run: [Iomega Startup Options] C:\Program Files\Iomega\Common\ImgStart.exe
    O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
    O4 - HKLM\..\Run: [Deskup] C:\Program Files\Iomega\DriveIcons\deskup.exe
    O4 - HKLM\..\Run: [VVSN] C:\Program Files\VVSN\VVSN.exe
    O4 - HKLM\..\Run: [romahere] C:\WINDOWS\System32\matrixhere.exe
    O4 - HKLM\..\Run: [pnpsvc_lock] C:\WINDOWS\System32\38805.exe
    O4 - HKLM\..\Run: [Network Security Guard] C:\WINDOWS\System32\sgt634eo9eimi0.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [ashMaiSv] C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe
    O4 - HKLM\..\Run: [cleaner] C:\WINDOWS\System32\cl879e1eao.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [uninstal] regsvr32 /u /s image.dll
    O4 - HKCU\..\Run: [Instant Access] rundll32.exe EGCOMSERVICE_1046.dll,InstantAccess
    O4 - HKCU\..\Run: [romahere] C:\WINDOWS\System32\matrixhere.exe
    O4 - HKCU\..\Run: [My-disgo] C:\Documents and Settings\MICHAEL CAREY\Application Data\My-disgo\MyKey disgo.exe
    O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\E_SRCV02.EXE
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
    O4 - Global Startup: winlogin.exe
    O8 - Extra context menu item: &Google Search - res://c:\windows\downloaded program files\GoogleToolbar_en_1.1.63-deleon.dll/cmsearch.html
    O8 - Extra context menu item: Backward &Links - res://c:\windows\downloaded program files\GoogleToolbar_en_1.1.63-deleon.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\windows\downloaded program files\GoogleToolbar_en_1.1.63-deleon.dll/cmcache.html
    O8 - Extra context menu item: Si&milar Pages - res://c:\windows\downloaded program files\GoogleToolbar_en_1.1.63-deleon.dll/cmsimilar.html
    O8 - Extra context menu item: Translate Page - res://c:\windows\downloaded program files\GoogleToolbar_en_1.1.63-deleon.dll/cmtrans.html
    O9 - Extra button: Researcher - {9455301C-CF6B-11D3-A266-00C04F689C50} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\EROProj.dll
    O9 - Extra button: (no name) - {AFC3FA82-AD07-45cd-8B57-983435B9899E} - (no file)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.freeserve.com/
    O16 - DPF: {00000000-0000-0000-0000-000020030000} - http://www.7adpower.com/dialer/A091100.exe
    O16 - DPF: {11111111-1111-1111-1111-111111111111} - mhtml:file://C:NXSFT.MHT!http://69.93.232.139:80/iex/ofile.exe?url=http://69.93.232.139:80/dexIT871.exe
    O16 - DPF: {2AEEAC34-FD74-4142-B891-4B05C0C03C87} - http://akamai.downloadv3.com/binaries/DialHTML/EGCOMSERVICE_1044_pack_XP.cab
    O16 - DPF: {91433D86-9F27-402C-B5E3-DEBDD122C339} - http://www.netvenda.com/sites/games-it/it/games3.cab
    O16 - DPF: {CC110316-5BE7-4AAA-AEDD-1A5B147BE34C} (MyWebOperator Class) - http://198.143.27.18/porn4/Loader.cab
    O16 - DPF: {D7B59209-0ED9-4986-BD4A-527BE836C6B2} - http://akamai.downloadv3.com/binaries/DialHTML/EGCOMSERVICE_1046_XP.cab
    O16 - DPF: {F72BC3F0-6C20-4793-9DDA-258589D8A907} - http://akamai.downloadv3.com/binaries/IA/netslv32_EN_XP.cab
    O20 - AppInit_DLLs: clf3h4pjap.tlb 9ajhl6tf9pu.tlb m7e7y5r0geat8x.tlb rbiokg61xh.tlb

    Regards

    Sus
     
  2. 2004/10/19
    Newt
    Hi Sus. You have a real mess here but it can be cleaned. A prelim list of things you will need to do will probably take me over an hour to prepare but a couple of things right off.

    Delete
    C:\Documents and Settings\MICHAEL CAREY\Local Settings\Temp\Temporary Directory 1 for progamfiles.zip\HijackThis.exe
    just so we can be positive you will be working with the copy of HJT in
    C:\hijackthis.log.michael\HijackThis.exe
    when you do the cleanup.

    I notice you do not have any XP service packs loaded. You will really want to consider getting SP2 installed if possible. SP1 closed some security holes and is lots better than nothing but SP2 included lots more security fixes so you'll be quite a bit better off with it. It's big so best to get a copy on CD rather than trying to install it via download.

    More later - as soon as I get it ready.
     


  4. 2004/10/19
    Welshjim
    Newt--Perhaps also need to delete present System Restore points and shut down System Restore until after the problems are cleaned up.
    P.S. Who is Michael Carey? :)
     
  5. 2004/10/19
    Newt
    The below will get a good start on fixing your problems. Won't do it all this first time but will help. You will need to do exactly what is written and in the order listed so print a copy of this before you start.

    You have Avast antivirus but only the email protection piece seemed to be active and I'm not sure how effective it is right now. There are at least 6 virus/trojan infections here so after some cleaning you will need to do online virus scans and cleanings and then reinstall Avast if you have it or else get another AV program. AVG has a good, free version you can download and install but hold off for now.

    Download CWShredder but don't use it just yet.

    Download LSPFix since you will probably need it later and won't be able to get to the internet until it is run to repair a couple of things.

    Now to fix some stuff.

    Turn off system restore. Instructions Here.

    Press Ctrl-alt-del (all three at the same time) and in task manager, go to the processes tab and kill the control.exe process.

    Run Hijackthis, scan, and check the following to be fixed. Note that the items in green are not harmful but are also not needed at startup and will simply slow your system down so I suggest letting HJT stop them along with the bad items.

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://super-spider.com/sp.htm?id=80
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://super-spider.com/sp.htm?id=80
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://super-spider.com/sp.htm?id=80

    /not sure about this one but remove unless you know for sure it is something you need/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://win-eto.com/hp.htm?id=80

    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://super-spider.com/sp.htm?id=80
    R3 - URLSearchHook: (no name) - - (no file)
    O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINDOWS\System32\zkrujfo5jgoh9.dll
    O4 - HKLM\..\Run: [VVSN] C:\Program Files\VVSN\VVSN.exe
    O4 - HKLM\..\Run: [romahere] C:\WINDOWS\System32\matrixhere.exe
    O4 - HKLM\..\Run: [pnpsvc_lock] C:\WINDOWS\System32\38805.exe
    O4 - HKLM\..\Run: [Network Security Guard] C:\WINDOWS\System32\sgt634eo9eimi0.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [cleaner] C:\WINDOWS\System32\cl879e1eao.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [uninstal] regsvr32 /u /s image.dll
    O4 - HKCU\..\Run: [Instant Access] rundll32.exe EGCOMSERVICE_1046.dll,InstantAccess
    O4 - HKCU\..\Run: [romahere] C:\WINDOWS\System32\matrixhere.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: winlogin.exe
    O9 - Extra button: (no name) - {AFC3FA82-AD07-45cd-8B57-983435B9899E} - (no file)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE


    /several of these 016 items are probably safe but several absolutely are not. Since any legit ones will be reloaded when you next visit a site that needs them, remove them all/
    O16 - DPF: {00000000-0000-0000-0000-000020030000} - http://www.7adpower.com/dialer/A091100.exe
    O16 - DPF: {11111111-1111-1111-1111-111111111111} - mhtml:file://C:NXSFT.MHT!http://69.93.232.139:80/iex/ofile.e...80/dexIT871.exe
    O16 - DPF: {2AEEAC34-FD74-4142-B891-4B05C0C03C87} - http://akamai.downloadv3.com/binari...044_pack_XP.cab
    O16 - DPF: {91433D86-9F27-402C-B5E3-DEBDD122C339} - http://www.netvenda.com/sites/games-it/it/games3.cab
    O16 - DPF: {CC110316-5BE7-4AAA-AEDD-1A5B147BE34C} (MyWebOperator Class) - http://198.143.27.18/porn4/Loader.cab
    O16 - DPF: {D7B59209-0ED9-4986-BD4A-527BE836C6B2} - http://akamai.downloadv3.com/binari...ICE_1046_XP.cab
    O16 - DPF: {F72BC3F0-6C20-4793-9DDA-258589D8A907} - http://akamai.downloadv3.com/binari...slv32_EN_XP.cab

    O20 - AppInit_DLLs: clf3h4pjap.tlb 9ajhl6tf9pu.tlb m7e7y5r0geat8x.tlb rbiokg61xh.tlb

    Done with HJT for now.

    Open My Computer, right-click on your C: drive and left click on properties. Then click the button for a disk cleanup. When it finishes scanning, check to have all items removed except 'compress old files'.
    Close My Computer.

    Restart your computer in Safe Mode. If you aren't sure how, read the instructions Here.

    Open Windows Explorer. Under Tools => folder options => view, set your system to show hidden files and then locate and delete these. Be careful to only remove these exact file names. I've given the full location where I know it but some will require you to search for them.
    C:\WINDOWS\System32\38805.exe
    C:\WINDOWS\System32\cl879e1eao.exe
    C:\WINDOWS\System32\matrixhere.exe
    C:\WINDOWS\System32\sgt634eo9eimi0.exe
    C:\WINDOWS\System32\zkrujfo5jgoh9.dll
    control.exe
    control.exe-3b93e1ba.pf
    precontrol.exe-27c36166.pf
    winlogin.exe

    Close Windows Explorer.

    Run CWShredder and click the button to Fix rather than just to scan.

    Reboot to normal Windows.

    Open IE, and copy/paste the following into the window to open Housecall for a scan.
    http://housecall.antivirus.com/housecall/start_frame.asp
    Let it clean/fix what it finds. If the browser fails to find the site, run LSPFix and then try again.

    Do the same with
    http://www.pandasoftware.com/activescan/

    Get a copy of the free AVG antivirus program from
    http://www.sofotex.com/AVG-Anti-Virus-Free-Edition-download_L21.html
    and update it then start it so you will be protected from most virus infections.

    I don't remember from any earlier thread if you have any anti-spyware programs but if not, you need them.

    Download, immediately update, and run Spybot. Let it remove all items it pre-checks. In addition to a scan, also use the immunize feature to protect against future attacks by around 3000 items it blocks. Just click the Immunize icon and then the green Immunize symbol. The latest version is 1.3 and that is the one you will need.
    http://www.download.com/3000-2144-10122137.html?part=104443&subj=dlpage&tag=button

    Download, immediately update, and run Ad-aware SE. Do a Full Scan and let it remove all items it finds.
    http://www.download.com/3000-2144-10045910.html?part=69274&subj=dlpage&tag=button

    Turn System Restore back on.

    Run HJT to create a new log and post it here. There will be more things to clean up. I'm sure I missed at least a couple of things.
     
  6. 2004/10/19
    charlesvar (Alumni)
    Hi Sus,

    Got your e-mail and I see that you managed to post here as well. As Newt indicated this will take a few passes to clean up.

    If any questions about the instructions that Newt gave you, I'll be around tomorrow on and off in the AM US EST.

    Regards - Charles
     
  7. 2004/10/20
    Sus (Thread Starter)
    Hi Newt, Charles,

    Many thanks for the info - boy will this keep me busy. Will certainly get back to you Charles if I need to.
    Am just printing it all off so I can make sense of it all!!
    Talk later

    Kind regards Sus.

    PS. Hi Welshjim, Michael is the guy who we lent the computer to on virtual permanent loan!
     
    Last edited: 2004/10/20
  8. 2004/10/20
    Sus (Thread Starter)
    Dear Charles,

    I have got as far as checking the show hidden files on Windows explorer but cannot fathom how to locate and delete the files listed within explorer - or am I being dopey again.

    Regards Sus
     
  9. 2004/10/20
    charlesvar (Alumni)
    Hi Sus,

    To search for files:

    Start > click on search. When the dog shows up: click on "all files and folders" and type or paste in the files. If you don't find it under the exact match criteria, then use the "a word or phrase" option.

    Regards - Charles
     
  10. 2004/10/20
    Sus (Thread Starter)
    Dear Charles, I have tried to go into search - but the dog etc is not there!!
    Any ideas how to get it back?

    Regards Sus.

    PS Dear Charles and/or Newt,
    What about installing xp SP1 ?, as that is what I am using on this computer,
    would it help or make things worse?
     
    Last edited: 2004/10/20
  11. 2004/10/20
    charlesvar (Alumni)
    Hi Sus,

    > but the dog etc is not there!!

    Ok, try another search program - it's free and better than XP's anyway.

    http://www.mythicsoft.com/agentransack/pageloader.aspx?page=home

    > What about installing xp SP1 ?, as that is what I am using on this computer,
    > would it help or make things worse?


    I would wait on SP1 until this is cleaned up.

    Regards - Charles
     
  12. 2004/10/20
    Newt
    Sus - it is possible that some or all of the bad files are no longer on the PC. Earlier removal work may have gotten rid of them. If you can't find them with Agent Ransack, then don't worry about them as they will be gone.

    As to the service pack thing, I agree that you don't want to load any until you are cleaned up. After that, you should load one as soon as possible. SP2 is cumulative so if you load it you will not need SP1. SP2 did a huge amount of security fixing and is the version I'd recommend to you.

    At this point, how about running HJT again to generate a new log file and posting that.
     
  13. 2004/10/21
    Sus (Thread Starter)
    Hi Newt,

    Here is the new log file,

    Logfile of HijackThis v1.98.2
    Scan saved at 07:13:38, on 21/10/2004
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\hijackthis.log.michael\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.euro.dell.com/countries/uk/enu/gen/default.htm
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.freeserve.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.euro.dell.com/countries/uk/enu/gen/default.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.freeserve.com/
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\downloaded program files\GoogleToolbar_en_1.1.63-deleon.dll
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
    O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe "
    O4 - HKLM\..\Run: [ADUserMon] C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
    O4 - HKLM\..\Run: [Iomega Startup Options] C:\Program Files\Iomega\Common\ImgStart.exe
    O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
    O4 - HKLM\..\Run: [Deskup] C:\Program Files\Iomega\DriveIcons\deskup.exe
    O4 - HKLM\..\Run: [ashMaiSv] C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe
    O4 - HKLM\..\Run: [Network Security Guard] C:\WINDOWS\System32\sgt634eo9eimi0.exe
    O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
    O4 - HKCU\..\Run: [romahere] C:\WINDOWS\System32\matrixhere.exe
    O4 - HKCU\..\Run: [My-disgo] C:\Documents and Settings\MICHAEL CAREY\Application Data\My-disgo\MyKey disgo.exe
    O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\E_SRCV02.EXE
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
    O4 - Global Startup: winlogin.exe
    O8 - Extra context menu item: &Google Search - res://c:\windows\downloaded program files\GoogleToolbar_en_1.1.63-deleon.dll/cmsearch.html
    O8 - Extra context menu item: Backward &Links - res://c:\windows\downloaded program files\GoogleToolbar_en_1.1.63-deleon.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\windows\downloaded program files\GoogleToolbar_en_1.1.63-deleon.dll/cmcache.html
    O8 - Extra context menu item: Si&milar Pages - res://c:\windows\downloaded program files\GoogleToolbar_en_1.1.63-deleon.dll/cmsimilar.html
    O8 - Extra context menu item: Translate Page - res://c:\windows\downloaded program files\GoogleToolbar_en_1.1.63-deleon.dll/cmtrans.html
    O9 - Extra button: Researcher - {9455301C-CF6B-11D3-A266-00C04F689C50} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\EROProj.dll
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.freeserve.com/
    O16 - DPF: {91433D86-9F27-402C-B5E3-DEBDD122C339} - http://www.netvenda.com/sites/games-it/it/games3.cab

    It seems a lot better already eh?

    Sus
     
  14. 2004/10/21
    Newt
    Looks lots better and hopefully performing better as well.

    As expected, still a couple things that need fixing.

    First item - I really don't see a fully functional antivirus package running. Signs of Avast but only spotty protection. If you have the software, an uninstall, reinstall, and update is in order with all the features turned on. Otherwise, uninstall and try the free AVG program.

    O4 - HKLM\..\Run: [Network Security Guard] C:\WINDOWS\System32\sgt634eo9eimi0.exe
    I can't find much information about this item which is usually a bad sign. "Network Security Guard" is listed and is supposed to be able to scan Apple Talk networks (not what you have) for potential problems. However, since it has placed an unidentified .exe on your system, I'd get rid of it. Use HJT to delete this entry and then delete the sgt634eo9eimi0.exe file from \system32.


    O4 - HKCU\..\Run: [romahere] C:\WINDOWS\System32\matrixhere.exe
    This one was listed to be removed in the long list of stuff. Not sure if it just got lost in all the clutter or if you removed the entry and it came back. It's part of Troj/Small-JU (also known as TrojanDropper, Win32.Small.ju, TROJ_SMALL.AZ depending on which AV company you work with) and is responsible for doing the home page redirect to
    http: // super-spider. com (spaces included to keep this from being a live URL).
    Letting HJT remove the entry and then deleting matrixhere.exe from \system32 should take care of the problem.

    O4 - Global Startup: winlogin.exe
    Brought to you by the W32.Randex.E trojan (Symantec's name). Details Here but the online AV scans should have dealt with this one. If you haven't run them, you need to since there is this baddie for sure and very possibly other infections we aren't seeing from the HJT log.


    O16 - DPF: {91433D86-9F27-402C-B5E3-DEBDD122C339} - http://www.netvenda.com/sites/games-it/it/games3.cab
    I'd also get rid of this one. My warning applets and browser lit up like the 4th of July when I tried to reach this link. Not sure exactly what it is but nothing I'd want near my PC.
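
The per-entry reasoning in the post above, Newt's fix list in post 4 and the "a lot better already" comparison of the first and third logs in post 13 are all things that can be checked mechanically. The block below is added example code for this thread, not a tool any of the posters used: it parses HijackThis-style R/O entries, diffs two scans so the entries that disappeared stand out, and flags entries by heuristics a defender can apply from the line alone (machine-generated file names in autoruns, a name that nearly matches a core Windows binary, a bare executable in the Startup folder, ActiveX downloads from a raw IP or non-http scheme or pointing straight at an .exe, any AppInit_DLLs value, and search/start-page keys pointing at a host not on an allow-list). The allow-list, the similarity threshold and the sample log excerpts (copied from the logs posted in this thread) are assumptions constructed for the example; name-based identifications such as matrixhere.exe being part of Troj/Small-JU still need a vendor lookup that these heuristics do not do.

```python
"""HijackThis-style log triage: parse entries, diff two scans, flag suspect lines."""
import difflib
import re
from urllib.parse import urlparse

ENTRY_RE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.*)$")
FILE_RE = re.compile(r"[\w~-]+\.(?:exe|dll|tlb)", re.I)
IP_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
KNOWN_GOOD_HOSTS = {"www.euro.dell.com", "www.freeserve.com"}  # assumed for this machine
SEARCH_KEYS = ("SearchURL", "Search Bar", "Search Page", "Start Page", "SearchAssistant")
CORE_BINARIES = ("winlogon.exe", "lsass.exe", "svchost.exe", "services.exe",
                 "smss.exe", "csrss.exe", "explorer.exe")

def parse_log(text):
    """(kind, body) for every R*/O* entry; header and process-list lines are skipped."""
    found = (ENTRY_RE.match(line.strip()) for line in text.splitlines())
    return [(m.group("kind"), m.group("body")) for m in found if m]

def diff_logs(before, after):
    """(removed, added): entries only in the earlier log / only in the later one."""
    b, a = set(parse_log(before)), set(parse_log(after))
    return sorted(b - a), sorted(a - b)

def looks_random(filename):
    """Stem is all digits, or switches between letter and digit runs 3+ times."""
    stem = filename.rsplit(".", 1)[0]
    classes = ["D" if c.isdigit() else "L" for c in stem if c.isalnum()]
    if not classes:
        return False
    if all(c == "D" for c in classes):
        return True
    return sum(x != y for x, y in zip(classes, classes[1:])) >= 3

def lookalike(filename):
    """Core Windows binary this name nearly (but not exactly) matches, else None."""
    name = filename.lower()
    for core in CORE_BINARIES:
        if name != core and difflib.SequenceMatcher(None, name, core).ratio() >= 0.85:
            return core
    return None

def check_entry(kind, body):
    """Reasons this entry deserves a closer look (empty list when none)."""
    reasons = []
    if kind in ("O2", "O4"):
        for f in FILE_RE.findall(body):
            if looks_random(f):
                reasons.append(f"random-looking file name {f}")
            core = lookalike(f)
            if core:
                reasons.append(f"{f} resembles system binary {core}")
        if body.startswith("Global Startup:") and ".lnk" not in body:
            reasons.append("bare executable in Startup folder rather than a .lnk")
    elif kind == "O16":
        url = body.split(" - ", 1)[-1]
        u = urlparse(url)
        if u.scheme.lower() not in ("http", "https"):
            reasons.append(f"non-http scheme {u.scheme}")
        elif IP_RE.match(u.hostname or ""):
            reasons.append(f"download from raw IP {u.hostname}")
        if u.path.lower().endswith(".exe"):
            reasons.append("ActiveX entry points straight at an .exe")
    elif kind == "O20" and body.startswith("AppInit_DLLs:") and body.partition(":")[2].strip():
        reasons.append("AppInit_DLLs is set: loaded into every process that uses user32")
    elif kind in ("R0", "R1"):
        key, _, url = body.partition(" = ")
        host = urlparse(url).hostname
        if key.endswith(SEARCH_KEYS) and host and host not in KNOWN_GOOD_HOSTS:
            reasons.append(f"search/start page points at unknown host {host}")
    return reasons

def triage(text):
    """Flagged entries as (kind, body, reasons), in log order."""
    checked = ((k, b, check_entry(k, b)) for k, b in parse_log(text))
    return [item for item in checked if item[2]]

# Constructed samples: excerpts of the first and third logs posted in this thread.
FIRST_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://super-spider.com/sp.htm?id=80
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://win-eto.com/hp.htm?id=80
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.freeserve.com/
O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINDOWS\System32\zkrujfo5jgoh9.dll
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [pnpsvc_lock] C:\WINDOWS\System32\38805.exe
O4 - HKLM\..\Run: [Network Security Guard] C:\WINDOWS\System32\sgt634eo9eimi0.exe
O4 - HKCU\..\Run: [romahere] C:\WINDOWS\System32\matrixhere.exe
O4 - Global Startup: winlogin.exe
O16 - DPF: {00000000-0000-0000-0000-000020030000} - http://www.7adpower.com/dialer/A091100.exe
O16 - DPF: {CC110316-5BE7-4AAA-AEDD-1A5B147BE34C} (MyWebOperator Class) - http://198.143.27.18/porn4/Loader.cab
O20 - AppInit_DLLs: clf3h4pjap.tlb 9ajhl6tf9pu.tlb m7e7y5r0geat8x.tlb rbiokg61xh.tlb
"""
SECOND_LOG = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.freeserve.com/
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [Network Security Guard] C:\WINDOWS\System32\sgt634eo9eimi0.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [romahere] C:\WINDOWS\System32\matrixhere.exe
O4 - Global Startup: winlogin.exe
"""
```

`triage(FIRST_LOG)` flags nine of the twelve sample entries: the two hijacked search/start-page keys, the BHO with a random-looking DLL name, the two autoruns with machine-generated names, winlogin.exe (both as a near match of winlogon.exe and as a bare executable in the Startup folder), both O16 downloads and the AppInit_DLLs line; `diff_logs(FIRST_LOG, SECOND_LOG)` reports seven entries gone and one new (an MSConfig /auto autorun). The heuristics are deliberately loose, so a hit means "look this up", not "delete this".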
     
  15. 2004/10/21
    Lonny Jones (Alumni)
    Nice work Guys

    I suggest you run the brand new version of CWShredder to
    Download CWShredder 2.0: http://www.intermute.com/spysubtract/cwshredder_download.html
    that installs it to a folder in program files and places a shortcut on the desktop
    run the shortcut click fix not scan.
    restart the PC and post a hijackthis log, but not from safe mode please.
     
  16. 2004/10/21
    Sus (Thread Starter)
    Phew !!!!!!!!!!

    Hi Guys,
    I have not been able to download AVG or go to the pandasoftware site - I have done everything else though. I still seem to be blocked getting into some sites - ie windows bbs - I have to e-mail the log to my computer and then copy it to the post.
    I have reinstalled avast for the time being as I thought it was better than nothing. It seems to be working properly now.




    Logfile of HijackThis v1.98.2
    Scan saved at 16:57:13, on 21/10/2004
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\hkcmd.exe
    C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
    C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe
    C:\Documents and Settings\MICHAEL CAREY\Application Data\My-disgo\MyKey disgo.exe
    C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
    C:\WINDOWS\explorer.exe
    C:\hijackthis.log.michael\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.euro.dell.com/countries/uk/enu/gen/default.htm
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.tiscali.co.uk/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.freeserve.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.euro.dell.com/countries/uk/enu/gen/default.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.freeserve.com/
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\downloaded program files\GoogleToolbar_en_1.1.63-deleon.dll
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
    O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe "
    O4 - HKLM\..\Run: [ADUserMon] C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
    O4 - HKLM\..\Run: [Iomega Startup Options] C:\Program Files\Iomega\Common\ImgStart.exe
    O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
    O4 - HKLM\..\Run: [Deskup] C:\Program Files\Iomega\DriveIcons\deskup.exe
    O4 - HKLM\..\Run: [romahere] C:\WINDOWS\System32\matrixhere.exe
    O4 - HKLM\..\Run: [ashMaiSv] C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe
    O4 - HKCU\..\Run: [My-disgo] C:\Documents and Settings\MICHAEL CAREY\Application Data\My-disgo\MyKey disgo.exe
    O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\E_SRCV02.EXE
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
    O8 - Extra context menu item: &Google Search - res://c:\windows\downloaded program files\GoogleToolbar_en_1.1.63-deleon.dll/cmsearch.html
    O8 - Extra context menu item: Backward &Links - res://c:\windows\downloaded program files\GoogleToolbar_en_1.1.63-deleon.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\windows\downloaded program files\GoogleToolbar_en_1.1.63-deleon.dll/cmcache.html
    O8 - Extra context menu item: Si&milar Pages - res://c:\windows\downloaded program files\GoogleToolbar_en_1.1.63-deleon.dll/cmsimilar.html
    O8 - Extra context menu item: Translate Page - res://c:\windows\downloaded program files\GoogleToolbar_en_1.1.63-deleon.dll/cmtrans.html
    O9 - Extra button: Researcher - {9455301C-CF6B-11D3-A266-00C04F689C50} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\EROProj.dll
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.freeserve.com/
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
     
    Sus,
    #15
  17. 2004/10/21
    Sus

    Sus Inactive Thread Starter

    Joined:
    2004/03/12
    Messages:
    45
    Likes Received:
    0
    I have now managed to download AVG - so I uninstalled Avast - I have done a scan and found 5 more viruses!
    What do you suggest I do now - another HijackThis log?
     
    Sus,
    #16
  18. 2004/10/21
    charlesvar

    charlesvar Inactive Alumni

    Joined:
    2002/02/18
    Messages:
    7,024
    Likes Received:
    0
    Hi Sus,

    Was Avast able to clean them up? Yes, post another log.

    And remember to use Hostsfilereader, that might clear up the URL problem, even if it's only temporary.

    Regards - Charles
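    Added example, not from this thread and not the Hostsfilereader tool Charles mentions: a Python script that reads a Windows HOSTS file (on XP, %SystemRoot%\system32\drivers\etc\hosts) and flags the mappings that produce the "correct URL, wrong site" symptom and the blocked AV/forum sites described above. The watchlist of domains and the sample file contents are assumptions constructed for the example; `reset_hosts` does what the "restore default" option of hosts-file cleaners does, leaving only the localhost line.

```python
"""Flag hosts-file hijacks that sinkhole or redirect security-related sites.
Added example; not code from this thread or from any tool named in it."""
import ipaddress
from typing import List, NamedTuple, Tuple

# Sites the thread's user could not reach, plus a few AV vendor hosts.
# This watchlist is an assumption made for the example.
WATCHLIST = frozenset({
    "windowsbbs.com", "google.com", "pandasoftware.com", "grisoft.com",
    "avast.com", "trendmicro.com", "windowsupdate.microsoft.com",
})

# Constructed sample in HOSTS format; not the user's real file.
SAMPLE_HOSTS = """\
# HOSTS file (constructed sample)
127.0.0.1       localhost
127.0.0.1       www.windowsbbs.com
127.0.0.1       www.google.com        # name resolves, request goes nowhere
127.0.0.1       www.pandasoftware.com
198.51.100.7    www.grisoft.com       # sent to a host the attacker controls
10.0.0.5        intranet.example      # legitimate internal name, review by hand
"""


class HostsEntry(NamedTuple):
    lineno: int
    ip: str
    names: List[str]


def _as_ip(text: str):
    try:
        return ipaddress.ip_address(text)
    except ValueError:
        return None


def _is_sinkhole(ip) -> bool:
    """Loopback or 0.0.0.0: the name resolves, but nothing answers."""
    return ip.is_loopback or ip.is_unspecified


def _watched(name: str) -> bool:
    return any(name == d or name.endswith("." + d) for d in WATCHLIST)


def parse_hosts(text: str) -> List[HostsEntry]:
    """Parse '<ip> <name> [<name>...] [# comment]' lines; skip everything else."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2 or _as_ip(parts[0]) is None:
            continue
        names = [n.lower().rstrip(".") for n in parts[1:]]
        entries.append(HostsEntry(lineno, parts[0], names))
    return entries


def find_hijacks(entries: List[HostsEntry]) -> List[Tuple[int, str, str, str]]:
    """Return (lineno, ip, name, reason) for every watched name mapped anywhere
    and for any other name mapped to a routable address. 'localhost' on
    loopback is the one mapping a default XP file contains and is ignored."""
    hits = []
    for e in entries:
        ip = _as_ip(e.ip)
        for name in e.names:
            if name == "localhost" and _is_sinkhole(ip):
                continue
            if _watched(name):
                reason = "sinkholed" if _is_sinkhole(ip) else "redirected"
                hits.append((e.lineno, e.ip, name, reason))
            elif not _is_sinkhole(ip):
                hits.append((e.lineno, e.ip, name, "non-local mapping, review"))
    return hits


def reset_hosts(text: str) -> str:
    """Keep comment lines, drop every mapping, and put back the localhost line."""
    kept = [raw for raw in text.splitlines() if raw.strip().startswith("#")]
    kept.append("127.0.0.1\tlocalhost")
    return "\n".join(kept) + "\n"


if __name__ == "__main__":
    for lineno, ip, name, reason in find_hijacks(parse_hosts(SAMPLE_HOSTS)):
        print(f"line {lineno}: {ip:<15} {name:<24} {reason}")
    print(reset_hosts(SAMPLE_HOSTS))
```

    The "non-local mapping" hits are deliberately only flagged, not removed: a genuine intranet entry looks the same as a redirect in the file itself, so that class needs a human decision, whereas a security vendor's site pointing at loopback has no legitimate reason to be there on a home PC.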
     
  19. 2004/10/22
    Sus

    Sus Inactive Thread Starter

    Joined:
    2004/03/12
    Messages:
    45
    Likes Received:
    0
    Sorry Charles - please remind me what Hostsfilereader is and where I can download it - can't seem to find it on the comp.!!!!!

    OK, sorted Hostsfilereader - no luck. Just ran Spybot again and the same things keep coming up even though I am fixing them.
    The main ones are:

    Internet Explorer Data source object exploit (registry change)
    Others are Windows Explorer stream history and user assistant history (registry keys), also MS regedit recent open key (registry change), and log activity (backup file).

    Is this the problem, I wonder, as everything else seems to be a lot better.
    Still cannot get onto BBS, Google and several other sites.
     
    Last edited: 2004/10/22
    Sus,
    #18
  20. 2004/10/22
    Sus

    Sus Inactive Thread Starter

    Joined:
    2004/03/12
    Messages:
    45
    Likes Received:
    0
    New log file.
    I am wondering what I have done now, as I cannot send or receive e-mail!!!
    My head is reeling!!!!

    Logfile of HijackThis v1.98.2
    Scan saved at 10:40:12, on 22/10/2004
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\logonui.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
    C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\hkcmd.exe
    C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
    C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
    C:\Documents and Settings\MICHAEL CAREY\Application Data\My-disgo\MyKey disgo.exe
    C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
    C:\hijackthis.log.michael\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.euro.dell.com/countries/uk/enu/gen/default.htm
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.tiscali.co.uk/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.freeserve.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.euro.dell.com/countries/uk/enu/gen/default.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.freeserve.com/
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\downloaded program files\GoogleToolbar_en_1.1.63-deleon.dll
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
    O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe "
    O4 - HKLM\..\Run: [ADUserMon] C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
    O4 - HKLM\..\Run: [Iomega Startup Options] C:\Program Files\Iomega\Common\ImgStart.exe
    O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
    O4 - HKLM\..\Run: [Deskup] C:\Program Files\Iomega\DriveIcons\deskup.exe
    O4 - HKLM\..\Run: [romahere] C:\WINDOWS\System32\matrixhere.exe
    O4 - HKLM\..\Run: [ashMaiSv] C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe
    O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
    O4 - HKCU\..\Run: [My-disgo] C:\Documents and Settings\MICHAEL CAREY\Application Data\My-disgo\MyKey disgo.exe
    O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\E_SRCV02.EXE
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
    O8 - Extra context menu item: &Google Search - res://c:\windows\downloaded program files\GoogleToolbar_en_1.1.63-deleon.dll/cmsearch.html
    O8 - Extra context menu item: Backward &Links - res://c:\windows\downloaded program files\GoogleToolbar_en_1.1.63-deleon.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\windows\downloaded program files\GoogleToolbar_en_1.1.63-deleon.dll/cmcache.html
    O8 - Extra context menu item: Si&milar Pages - res://c:\windows\downloaded program files\GoogleToolbar_en_1.1.63-deleon.dll/cmsimilar.html
    O8 - Extra context menu item: Translate Page - res://c:\windows\downloaded program files\GoogleToolbar_en_1.1.63-deleon.dll/cmtrans.html
    O9 - Extra button: Researcher - {9455301C-CF6B-11D3-A266-00C04F689C50} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\EROProj.dll
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.freeserve.com/
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
     
    Sus,
    #19
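    Added example, not part of the thread: a Python parser for HijackThis 1.98 logs that checks whether the items flagged for removal earlier in the thread (matrixhere.exe, winlogin.exe and the netvenda CLSID) still appear in a later log, diffs two logs, and lists Run entries whose target is not in the running-process list. The embedded log text is excerpted from the two logs posted above (21/10 and 22/10); the regular expressions and function names are this example's own.

```python
"""Parse HijackThis v1.98 logs and check earlier findings against a later log.
Added example; not code from this thread."""
import re
from typing import Dict, List, Tuple

# Artefacts the thread told the user to remove (O4 romahere, O4 winlogin.exe,
# O16 netvenda control). Substrings are enough to match them in a log.
FLAGGED = ["matrixhere.exe", "winlogin.exe", "{91433D86-9F27-402C-B5E3-DEBDD122C339}"]

# Excerpts copied from the 21/10 and 22/10 logs posted in this thread.
LOG_21OCT = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe
C:\hijackthis.log.michael\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.tiscali.co.uk/
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe "
O4 - HKLM\..\Run: [romahere] C:\WINDOWS\System32\matrixhere.exe
O4 - HKLM\..\Run: [ashMaiSv] C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
"""

LOG_22OCT = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\hijackthis.log.michael\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.tiscali.co.uk/
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe "
O4 - HKLM\..\Run: [romahere] C:\WINDOWS\System32\matrixhere.exe
O4 - HKLM\..\Run: [ashMaiSv] C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
"""

ENTRY_RE = re.compile(r"^(?P<sec>[A-Z]\d+) - (?P<body>.*)$")
# Run entries: '[label] path.exe', path optionally quoted, optional switches after.
RUN_RE = re.compile(r'Run: \[(?P<label>[^\]]+)\]\s*"?(?P<path>.*?\.exe)', re.I)


def parse_hjt(text: str) -> Dict[str, list]:
    """Split a log into the running-process list and (section, body) entries."""
    procs, entries, in_procs = [], [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            in_procs = False
            continue
        if line.lower().startswith("running processes:"):
            in_procs = True
            continue
        m = ENTRY_RE.match(line)
        if m:
            in_procs = False
            entries.append((m.group("sec"), m.group("body")))
        elif in_procs:
            procs.append(line)
    return {"processes": procs, "entries": entries}


def still_present(log: Dict[str, list], flagged: List[str]) -> List[str]:
    """Flagged artefacts that still appear anywhere in the log."""
    hay = "\n".join(log["processes"] + [b for _, b in log["entries"]]).lower()
    return [f for f in flagged if f.lower() in hay]


def diff_entries(old: Dict[str, list], new: Dict[str, list]) -> Tuple[list, list]:
    """(added, removed) entries between two logs, ignoring the process list."""
    o, n = set(old["entries"]), set(new["entries"])
    return sorted(n - o), sorted(o - n)


def orphan_run_entries(log: Dict[str, list]) -> List[Tuple[str, str]]:
    """O4 Run entries whose target is not in the running-process list. Not proof
    of anything by itself, but a cheap pointer to stale or suspicious entries."""
    running = {p.lower() for p in log["processes"]}
    orphans = []
    for sec, body in log["entries"]:
        m = RUN_RE.search(body) if sec == "O4" else None
        if m and m.group("path").lower() not in running:
            orphans.append((m.group("label"), m.group("path")))
    return orphans


if __name__ == "__main__":
    old, new = parse_hjt(LOG_21OCT), parse_hjt(LOG_22OCT)
    print("still present:", still_present(new, FLAGGED))
    print("added/removed:", diff_entries(old, new))
    print("orphan Run entries:", orphan_run_entries(new))
```

    On these excerpts the diff between the two days shows only the AVG entry being added; matrixhere.exe is still in the HKLM Run key although the thread earlier said to let HJT remove it and delete the file, and the Avast ashMaiSv Run entry is left behind after the uninstall with no matching process. Both are worth raising before declaring the log clean.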
  21. 2004/10/22
    charlesvar

    charlesvar Inactive Alumni

    Joined:
    2002/02/18
    Messages:
    7,024
    Likes Received:
    0
    Hi Sus,

    Internet Explorer Data source object exploit (registry change)
    others are windows explorer stream history, and user assistant history,(registry keys) also MS regedit recent open key (registry change). Log activity (backup file).


    The DSO item is a Spybot glitch and the rest of them don't appear to be bad, just informational.

    I can't see anything that strikes me as malware in the HJT log. Wait until either Newt, Lonny or Dave get a look at it.

    Regards - Charles
     