Need some help with a Hijackthis log

Discussion in 'Malware and Virus Removal Archive' started by BillB, 2004/11/07.

  1. 2004/11/07
    BillB Lifetime Subscription

    BillB Well-Known Member Thread Starter

    Joined:
    2003/03/18
    Messages:
    750
    Likes Received:
    0
    I'm trying to help out a friend with their PC. They said it was locking up as soon as the desktop loaded, but they were able to get into safe mode just fine. I had them bring the PC to me to check out. I have not been able to get it to lock up (currently it has been running about 8 hours straight), but I did update AVG, Spybot, and Adaware and all 3 found some things to delete. AVG found 2 downloader type viruses which it removed (this may have been causing their lockup problem since they have cable internet). There was a pop-up that started about two minutes after boot which opened an IE window, but after all the scans that no longer happens. It seems to be ok now, but I wanted someone to look at the HJT log just to be sure it's clean. Any advice would be appreciated.

    Logfile of HijackThis v1.98.2
    Scan saved at 9:35:01 PM, on 11/7/04
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\DEVLDR16.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\PROGRAM FILES\GRISOFT\AVG6\AVGSERV9.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS\SYSTEM\STIMON.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\PROGRAM FILES\MICROSOFT HARDWARE\GAME CONTROLLERS\COMMON\SWTRAYV4.EXE
    C:\PROGRAM FILES\GRISOFT\AVG6\AVGCC32.EXE
    C:\WINDOWS\SYSTEM\QTTASK.EXE
    C:\PROGRAM FILES\REAL\REALPLAYER\REALPLAY.EXE
    C:\PROGRAM FILES\HP\HPCORETECH\HPCMPMGR.EXE
    C:\PROGRAM FILES\WINAMP\WINAMPA.EXE
    C:\PROGRAM FILES\AIM95\AIM.EXE
    C:\WINDOWS\SYSTEM\UJDH.EXE
    C:\WINDOWS\SVCHOST.EXE
    C:\PROGRAM FILES\HP\DIGITAL IMAGING\BIN\HPQTRA08.EXE
    C:\WINDOWS\SYSTEM\PSTORES.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\PROGRAM FILES\HP\HPCORETECH\COMP\HPTSKMGR.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\SPW\HIJACKTHIS\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus...aults/sb/*http://www.yahoo.com/search/ie.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ycomp_wave/defaults/sp/*http://www.yahoo.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ycomp_wave/defaults/su/*http://www.yahoo.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://msnmember.msn.com/
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = sas.ce1.attbb.net:8000
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.ce1.attbb.net;<local>
    R3 - Default URLSearchHook is missing
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [SideWinderTrayV4] C:\PROGRA~1\MICROS~2\GAMECO~1\COMMON\SWTRAYV4.EXE
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\SYSTEM\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [AVG_CC] C:\PROGRAM FILES\GRISOFT\AVG6\avgcc32.exe /startup
    O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [HP Component Manager] "C:\PROGRAM FILES\HP\HPCORETECH\HPCMPMGR.EXE "
    O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
    O4 - HKLM\..\Run: [loads.exe] C:\WINDOWS\medload.exe
    O4 - HKLM\..\RunServices: [Devldr16] C:\WINDOWS\SYSTEM\devldr16.exe
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [Avgserv9.exe] C:\PROGRA~1\GRISOFT\AVG6\Avgserv9.exe
    O4 - HKCU\..\Run: [AIM] C:\PROGRAM FILES\AIM95\aim.exe -cnetwait.odl
    O4 - HKCU\..\Run: [Lunmtky] C:\WINDOWS\SYSTEM\ujdh.exe
    O4 - HKCU\..\Run: [Clock] C:\WINDOWS\dpvsetup.exe
    O4 - HKCU\..\RunServices: [AIM] C:\PROGRAM FILES\AIM95\aim.exe -cnetwait.odl
    O4 - HKCU\..\RunServices: [Lunmtky] C:\WINDOWS\SYSTEM\ujdh.exe
    O4 - HKCU\..\RunServices: [Clock] C:\WINDOWS\dpvsetup.exe
    O4 - Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    O8 - Extra context menu item: &Define - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
    O8 - Extra context menu item: Look Up in &Encyclopedia - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM95\AIM.EXE
    O9 - Extra button: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
    O9 - Extra 'Tools' menuitem: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
    O9 - Extra button: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
    O9 - Extra 'Tools' menuitem: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
    O9 - Extra button: Researcher - {9455301C-CF6B-11D3-A266-00C04F689C50} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\EROProj.dll
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
    O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
    O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (WficaCtl Object) - http://www.webpcfos.com/webpcfos/Citrix/wfica.cab
    O16 - DPF: {0C568603-D79D-11D2-87A7-00C04FF158BB} (BrowseFolderPopup Class) -
    O16 - DPF: {4C226336-4032-489F-9674-67E74225979B} (OTXMovie Class) - http://otx.ifilm.com/OTXMedia/OTXMedia.dll
    O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - http://media.toontown.com/toontown/sv1.0.6.12/ttinst.cab
    O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) - http://sc.groups.msn.com/controls/PhotoUC/MsnPUpld.cab
    O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real.com/gameconsole/Bundler/CAB/RealArcadeRdxIE.cab
    O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/detection/ITDetector.cab
    O16 - DPF: {D7F0CC2E-FB09-4B38-B9A7-6807CBCD4859} (NMChatX Control) - http://download.netmarble.com/NMChatX/NMChatX.cab
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst0401.cab
    O16 - DPF: {413D6754-BFD4-47FE-9346-319559290BFA} (HTECtrl Class) - http://www.webpcfos.com/webpcfos/websabre/HTEweb.cab
    O16 - DPF: {8AB662FD-CFE0-4D68-96B8-128AFA3C68A6} (CPrtTmpControl Object) - http://eshare.hpphoto.com/download/setup.cab
    O18 - Protocol: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - C:\PROGRAM FILES\HP\HPCORETECH\COMP\HPUIPROT.DLL
     
  2. 2004/11/07
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Fix the following, delete the executables and clear all temps, C:\Windows\Applog, TIFs and run disk cleanup in safe mode. Should be good to go after that, but post a fresh log anyway.

    R3 - Default URLSearchHook is missing
    O4 - HKLM\..\Run: [loads.exe] C:\WINDOWS\medload.exe
    O4 - HKCU\..\Run: [Lunmtky] C:\WINDOWS\SYSTEM\ujdh.exe
    O16 - DPF: {0C568603-D79D-11D2-87A7-00C04FF158BB} (BrowseFolderPopup Class) -
    O16 - DPF: {4C226336-4032-489F-9674-67E74225979B} (OTXMovie Class) - http://otx.ifilm.com/OTXMedia/OTXMedia.dll


    Wouldn't hurt to run an online virus scan or two either.
     

  4. 2004/11/08
    BillB
    Hi Dave,

    I fixed the entries in HJT and deleted the executables last night. I didn't have time to do the cleanup stuff. I'll do that tonight and post back with a new HJT log.

    Thanks very much,

    Bill
     
  5. 2004/11/08
    BillB
    Hi Dave,

    I did the disk cleanup tonight and I've created another HJT log. Thanks again for the help.

    Logfile of HijackThis v1.98.2
    Scan saved at 7:35:20 PM, on 11/8/04
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\DEVLDR16.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\PROGRAM FILES\GRISOFT\AVG6\AVGSERV9.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS\SYSTEM\STIMON.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\PROGRAM FILES\MICROSOFT HARDWARE\GAME CONTROLLERS\COMMON\SWTRAYV4.EXE
    C:\PROGRAM FILES\GRISOFT\AVG6\AVGCC32.EXE
    C:\WINDOWS\SYSTEM\QTTASK.EXE
    C:\PROGRAM FILES\REAL\REALPLAYER\REALPLAY.EXE
    C:\PROGRAM FILES\HP\HPCORETECH\HPCMPMGR.EXE
    C:\PROGRAM FILES\WINAMP\WINAMPA.EXE
    C:\PROGRAM FILES\AIM95\AIM.EXE
    C:\WINDOWS\DPVSETUP.EXE
    C:\PROGRAM FILES\HP\DIGITAL IMAGING\BIN\HPQTRA08.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\PROGRAM FILES\HP\HPCORETECH\COMP\HPTSKMGR.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\SPW\HIJACKTHIS\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus...aults/sb/*http://www.yahoo.com/search/ie.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ycomp_wave/defaults/sp/*http://www.yahoo.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ycomp_wave/defaults/su/*http://www.yahoo.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://msnmember.msn.com/
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = sas.ce1.attbb.net:8000
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.ce1.attbb.net;<local>
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [SideWinderTrayV4] C:\PROGRA~1\MICROS~2\GAMECO~1\COMMON\SWTRAYV4.EXE
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\SYSTEM\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [AVG_CC] C:\PROGRAM FILES\GRISOFT\AVG6\avgcc32.exe /startup
    O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [HP Component Manager] "C:\PROGRAM FILES\HP\HPCORETECH\HPCMPMGR.EXE "
    O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
    O4 - HKLM\..\RunServices: [Devldr16] C:\WINDOWS\SYSTEM\devldr16.exe
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [Avgserv9.exe] C:\PROGRA~1\GRISOFT\AVG6\Avgserv9.exe
    O4 - HKCU\..\Run: [AIM] C:\PROGRAM FILES\AIM95\aim.exe -cnetwait.odl
    O4 - HKCU\..\Run: [Clock] C:\WINDOWS\mshta.exe
    O4 - HKCU\..\RunServices: [AIM] C:\PROGRAM FILES\AIM95\aim.exe -cnetwait.odl
    O4 - HKCU\..\RunServices: [Clock] C:\WINDOWS\mshta.exe
    O4 - Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    O8 - Extra context menu item: &Define - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
    O8 - Extra context menu item: Look Up in &Encyclopedia - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM95\AIM.EXE
    O9 - Extra button: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
    O9 - Extra 'Tools' menuitem: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
    O9 - Extra button: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
    O9 - Extra 'Tools' menuitem: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
    O9 - Extra button: Researcher - {9455301C-CF6B-11D3-A266-00C04F689C50} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\EROProj.dll
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
    O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
    O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (WficaCtl Object) - http://www.webpcfos.com/webpcfos/Citrix/wfica.cab
    O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - http://media.toontown.com/toontown/sv1.0.6.12/ttinst.cab
    O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) - http://sc.groups.msn.com/controls/PhotoUC/MsnPUpld.cab
    O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real.com/gameconsole/Bundler/CAB/RealArcadeRdxIE.cab
    O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/detection/ITDetector.cab
    O16 - DPF: {D7F0CC2E-FB09-4B38-B9A7-6807CBCD4859} (NMChatX Control) - http://download.netmarble.com/NMChatX/NMChatX.cab
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst0401.cab
    O16 - DPF: {413D6754-BFD4-47FE-9346-319559290BFA} (HTECtrl Class) - http://www.webpcfos.com/webpcfos/websabre/HTEweb.cab
    O16 - DPF: {8AB662FD-CFE0-4D68-96B8-128AFA3C68A6} (CPrtTmpControl Object) - http://eshare.hpphoto.com/download/setup.cab
    O18 - Protocol: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - C:\PROGRAM FILES\HP\HPCORETECH\COMP\HPUIPROT.DLL
     
  6. 2004/11/08
    noahdfear
    Looks clean, although I do still recommend an online virus scan to be sure. Good work Bill. :)

    Several unnecessary startup items (O4 entries) you could kill to free up some resources. You can check them out and decide which they do and don't need at the following locations. They can either be removed with HJT or unchecked in msconfig.

    Windows Startup Online Repository

    AnswersThatWork-Task List Programs
     
  7. 2004/11/08
    BillB
    Hi Dave,

    Thanks for all your help. I'll check out the startup items before I return it to try to get it running as smooth as possible. Again, thanks very much for the help.


    Bill
     
  8. 2004/11/08
    noahdfear
    Happy to help. :)
     
  9. 2004/11/09
    BillB
    Hi Dave,

    Wanted to see if you would take a look at the HJT log one more time. I hooked the PC up to my network to get online and do the virus scan at RAV and while online I checked for Spybot, Adaware, Spyware Blaster, and AVG updates. RAV found 3 infected files that I deleted. When I ran Adaware, it found 30 some things including files, registry keys, etc. that it took care of. I guess I'm just paranoid but I wanted to make sure this thing is clean before I return it.

    Thanks,

    Bill

    Logfile of HijackThis v1.98.2
    Scan saved at 6:40:03 PM, on 11/9/04
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\DEVLDR16.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\PROGRAM FILES\GRISOFT\AVG6\AVGSERV9.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS\SYSTEM\STIMON.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\PROGRAM FILES\MICROSOFT HARDWARE\GAME CONTROLLERS\COMMON\SWTRAYV4.EXE
    C:\PROGRAM FILES\GRISOFT\AVG6\AVGCC32.EXE
    C:\PROGRAM FILES\HP\HPCORETECH\HPCMPMGR.EXE
    C:\PROGRAM FILES\WINAMP\WINAMPA.EXE
    C:\PROGRAM FILES\AIM95\AIM.EXE
    C:\WINDOWS\AUTOLFN.EXE
    C:\PROGRAM FILES\HP\DIGITAL IMAGING\BIN\HPQTRA08.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\SPW\HIJACKTHIS\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ycomp_wave/defaults/sp/*http://www.yahoo.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.altavista.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ycomp_wave/defaults/su/*http://www.yahoo.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://msnmember.msn.com/
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = sas.ce1.attbb.net:8000
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.ce1.attbb.net;<local>
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [SideWinderTrayV4] C:\PROGRA~1\MICROS~2\GAMECO~1\COMMON\SWTRAYV4.EXE
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\SYSTEM\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [AVG_CC] C:\PROGRAM FILES\GRISOFT\AVG6\avgcc32.exe /startup
    O4 - HKLM\..\Run: [HP Component Manager] "C:\PROGRAM FILES\HP\HPCORETECH\HPCMPMGR.EXE "
    O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
    O4 - HKLM\..\RunServices: [Devldr16] C:\WINDOWS\SYSTEM\devldr16.exe
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [Avgserv9.exe] C:\PROGRA~1\GRISOFT\AVG6\Avgserv9.exe
    O4 - HKCU\..\Run: [AIM] C:\PROGRAM FILES\AIM95\aim.exe -cnetwait.odl
    O4 - HKCU\..\Run: [Clock] C:\WINDOWS\lasss.exe
    O4 - HKCU\..\RunServices: [AIM] C:\PROGRAM FILES\AIM95\aim.exe -cnetwait.odl
    O4 - HKCU\..\RunServices: [Clock] C:\WINDOWS\lasss.exe
    O4 - Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    O8 - Extra context menu item: &Define - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
    O8 - Extra context menu item: Look Up in &Encyclopedia - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM95\AIM.EXE
    O9 - Extra button: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
    O9 - Extra 'Tools' menuitem: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
    O9 - Extra button: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
    O9 - Extra 'Tools' menuitem: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
    O9 - Extra button: Researcher - {9455301C-CF6B-11D3-A266-00C04F689C50} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\EROProj.dll
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
    O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
    O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (WficaCtl Object) - http://www.webpcfos.com/webpcfos/Citrix/wfica.cab
    O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - http://media.toontown.com/toontown/sv1.0.6.12/ttinst.cab
    O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) - http://sc.groups.msn.com/controls/PhotoUC/MsnPUpld.cab
    O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real.com/gameconsole/Bundler/CAB/RealArcadeRdxIE.cab
    O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/detection/ITDetector.cab
    O16 - DPF: {D7F0CC2E-FB09-4B38-B9A7-6807CBCD4859} (NMChatX Control) - http://download.netmarble.com/NMChatX/NMChatX.cab
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst0401.cab
    O16 - DPF: {413D6754-BFD4-47FE-9346-319559290BFA} (HTECtrl Class) - http://www.webpcfos.com/webpcfos/websabre/HTEweb.cab
    O16 - DPF: {8AB662FD-CFE0-4D68-96B8-128AFA3C68A6} (CPrtTmpControl Object) - http://eshare.hpphoto.com/download/setup.cab
    O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
    O18 - Protocol: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - C:\PROGRAM FILES\HP\HPCORETECH\COMP\HPUIPROT.DLL
     
  10. 2004/11/09
    noahdfear
    Log looks clean, Bill. Glad to see you ran that RAV scan. :) Not at all surprised Ad-aware found what it did either. HJT is very limited in its reporting of keys and files, and this junk places itself all over the drive and registry. I would also recommend running a registry cleaner. I like RegSeeker.

    Additional recommendation (if you haven't already done so ;) )
    Open Spybot and click mode on the toolbar, then advanced mode. Click immunize in the left pane, then immunize again, this time from above with the green + beside it. Click IE tweaks and at least lock the HOSTS file.
    Then download and install IESpyad
     
  11. 2004/11/09
    BillB
    Hi Dave,

    Thanks for taking one last look for me. I just wanted another check before I said I was done with it.

    I had already done the immunize thing in Spybot, it's one of the first things I do after installing and any time there are updates. Locking the hosts file was greyed out in the IE Tweaks, though, so I couldn't do that.

    I'm going to apply IESpyads next and I'll run the reg cleaner also. This thing should be squeaky clean when it's returned. How long it stays that way I don't know. I just did this back in August and it was worse than this.

    Thanks again for all your help,

    Bill
     
  12. 2004/11/10
    Lonny Jones

    Lonny Jones Inactive Alumni

    Joined:
    2002/12/16
    Messages:
    2,252
    Likes Received:
    0
    Fix these also
    O4 - HKCU\..\Run: [Clock] = whatever exe it's using now
    O4 - HKCU\..\RunServices: [Clock] " "
    O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - http://media.toontown.com/toontown/...6.12/ttinst.cab


    Then go check these files at both of these online submittals
    and tell us what they say please.
    C:\WINDOWS\dpvsetup.exe
    C:\WINDOWS\mshta.exe
    C:\WINDOWS\lasss.exe
    C:\WINDOWS\AUTOLFN.EXE
    C:\WINDOWS\SVCHOST.EXE
    Submit a file--VirusTotal: http://www.virustotal.com/flash/index_en.html
    Online malware scan-Submit a file: http://virusscan.jotti.dhs.org/
     
  13. 2004/11/10
    noahdfear
    Good catch Lonny! I didn't even notice that the clock entry had changed its executable. :( When I checked out the mshta.exe it appeared to be legit, but I also see now that it is if running from the proper location, which it wasn't. Glad you're looking over my shoulder. ;)
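The two things Lonny and Dave caught by eye in the posts above, as an added example that is not from the thread or from HijackThis: parse two HJT logs, report O4 entries whose value name stays the same while the target executable changes (the [Clock] entry), and report well-known executable names started from a directory other than their expected home. The log excerpts are constructed from lines quoted in this thread, and the expected-location table is an assumption for this Windows 98 SE layout.

```python
"""Cross-check two HijackThis logs the way the thread did by eye: an O4 entry
whose value name stays put while its target changes, and a well-known
executable name started from somewhere other than its home directory."""
import re
from ntpath import basename, dirname  # Windows path handling on any host

# Constructed excerpts in HijackThis v1.98.2 format, assembled from lines
# quoted in this thread; they are not complete logs.
LOG_BEFORE = r"""Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SVCHOST.EXE
C:\WINDOWS\DPVSETUP.EXE

O4 - HKLM\..\Run: [AVG_CC] C:\PROGRAM FILES\GRISOFT\AVG6\avgcc32.exe /startup
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKCU\..\Run: [Clock] C:\WINDOWS\mshta.exe
O4 - HKCU\..\RunServices: [Clock] C:\WINDOWS\mshta.exe
"""

LOG_AFTER = r"""Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\AUTOLFN.EXE

O4 - HKLM\..\Run: [AVG_CC] C:\PROGRAM FILES\GRISOFT\AVG6\avgcc32.exe /startup
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKCU\..\Run: [Clock] C:\WINDOWS\lasss.exe
O4 - HKCU\..\RunServices: [Clock] C:\WINDOWS\lasss.exe
"""

# Assumed home directories for this Windows 98 SE layout (example data): mshta.exe
# belongs in WINDOWS\SYSTEM, as Dave notes above; svchost.exe and spoolsv.exe are
# NT-family names with no legitimate copy on Win98, so None = flag anywhere.
EXPECTED_HOME = {
    "mshta.exe": r"C:\WINDOWS\SYSTEM",
    "svchost.exe": None,
    "spoolsv.exe": None,
}

O4_RE = re.compile(r"^O4 - (.+?): \[(.+?)\] (.*)$")


def exe_path(command):
    """Executable part of an O4 command line, without its arguments."""
    cmd = command.strip()
    if cmd.startswith('"'):  # quoted path, e.g. the QuickTime entry
        return cmd[1:cmd.find('"', 1)].strip()
    m = re.match(r"(.+?\.exe)(?:\s|$)", cmd, re.IGNORECASE)
    return m.group(1) if m else cmd.split()[0]


def parse_log(text):
    """Collect 'Running processes' paths and O4 entries keyed by registry
    location plus value name, e.g. 'HKCU\\..\\Run [Clock]'."""
    procs, o4, in_procs = [], {}, False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Running processes:"):
            in_procs = True
        elif not line:
            in_procs = False  # blank line ends the process list
        elif in_procs:
            procs.append(line)
        else:
            m = O4_RE.match(line)
            if m:
                o4[f"{m.group(1)} [{m.group(2)}]"] = m.group(3).strip()
    return {"processes": procs, "o4": o4}


def changed_targets(before, after):
    """O4 entries present in both logs whose target executable differs."""
    hits = []
    for key in sorted(before["o4"].keys() & after["o4"].keys()):
        old, new = exe_path(before["o4"][key]), exe_path(after["o4"][key])
        if old.lower() != new.lower():
            hits.append((key, old, new))
    return hits


def misplaced_binaries(log):
    """Process or O4 target paths whose name is in EXPECTED_HOME but lives elsewhere."""
    hits, seen = [], set()
    for path in log["processes"] + [exe_path(c) for c in log["o4"].values()]:
        name = basename(path).lower()
        if name not in EXPECTED_HOME or path.lower() in seen:
            continue
        seen.add(path.lower())
        home = EXPECTED_HOME[name]
        if home is None or dirname(path).upper() != home.upper():
            hits.append(path)
    return hits


def review(before_text, after_text):
    """Run both checks over a pair of logs taken before and after a fix."""
    before, after = parse_log(before_text), parse_log(after_text)
    return {"changed": changed_targets(before, after),
            "misplaced_before": misplaced_binaries(before),
            "misplaced_after": misplaced_binaries(after)}
```

Note that the renamed lasss.exe in the second log is only caught by the changed-target rule, which is why the name-based check alone would have passed it.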
     
  14. 2004/11/10
    BillB
    Lonny and Dave,

    I fixed the entries you mentioned in HJT, the two clock entries had filenames of spoolsv.exe, they were previously mshta.exe. I could not find files called svchost.exe or autolfn.exe. The mshta.exe and dpvsetup.exe files were in the windows\system folder. The lasss.exe and the spoolsv.exe files have the same icon in explorer, a magnifying glass (strange). I didn't have time to hook the PC up to my network and post the files to the sites you mentioned during lunch, I'll do that tonight and post back when I get a response. I'll also post a new HJT log at that time as well.

    Thanks,

    Bill
     
  15. 2004/11/10
    BillB
    Lonny and Dave,

    Ok, here is a new HJT log followed by the scan results from the second site that was in Lonny's post. I could not copy the results from the first site but they were pretty much the same for all 4 files. I've deleted the lasss.exe and spoolsv.exe files but haven't emptied the recycle bin as yet.

    Logfile of HijackThis v1.98.2
    Scan saved at 5:33:50 PM, on 11/10/04
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\DEVLDR16.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\PROGRAM FILES\GRISOFT\AVG6\AVGSERV9.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS\SYSTEM\STIMON.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\PROGRAM FILES\MICROSOFT HARDWARE\GAME CONTROLLERS\COMMON\SWTRAYV4.EXE
    C:\PROGRAM FILES\GRISOFT\AVG6\AVGCC32.EXE
    C:\PROGRAM FILES\HP\HPCORETECH\HPCMPMGR.EXE
    C:\PROGRAM FILES\WINAMP\WINAMPA.EXE
    C:\PROGRAM FILES\AIM95\AIM.EXE
    C:\PROGRAM FILES\HP\DIGITAL IMAGING\BIN\HPQTRA08.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\SPW\HIJACKTHIS\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ycomp_wave/defaults/sp/*http://www.yahoo.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.altavista.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ycomp_wave/defaults/su/*http://www.yahoo.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://msnmember.msn.com/
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = sas.ce1.attbb.net:8000
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.ce1.attbb.net;<local>
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [SideWinderTrayV4] C:\PROGRA~1\MICROS~2\GAMECO~1\COMMON\SWTRAYV4.EXE
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\SYSTEM\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [AVG_CC] C:\PROGRAM FILES\GRISOFT\AVG6\avgcc32.exe /startup
    O4 - HKLM\..\Run: [HP Component Manager] "C:\PROGRAM FILES\HP\HPCORETECH\HPCMPMGR.EXE "
    O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
    O4 - HKLM\..\RunServices: [Devldr16] C:\WINDOWS\SYSTEM\devldr16.exe
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [Avgserv9.exe] C:\PROGRA~1\GRISOFT\AVG6\Avgserv9.exe
    O4 - HKCU\..\Run: [AIM] C:\PROGRAM FILES\AIM95\aim.exe -cnetwait.odl
    O4 - Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    O8 - Extra context menu item: &Define - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
    O8 - Extra context menu item: Look Up in &Encyclopedia - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM95\AIM.EXE
    O9 - Extra button: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
    O9 - Extra 'Tools' menuitem: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
    O9 - Extra button: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
    O9 - Extra 'Tools' menuitem: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
    O9 - Extra button: Researcher - {9455301C-CF6B-11D3-A266-00C04F689C50} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\EROProj.dll
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
    O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
    O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (WficaCtl Object) - http://www.webpcfos.com/webpcfos/Citrix/wfica.cab
    O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) - http://sc.groups.msn.com/controls/PhotoUC/MsnPUpld.cab
    O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real.com/gameconsole/Bundler/CAB/RealArcadeRdxIE.cab
    O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/detection/ITDetector.cab
    O16 - DPF: {D7F0CC2E-FB09-4B38-B9A7-6807CBCD4859} (NMChatX Control) - http://download.netmarble.com/NMChatX/NMChatX.cab
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst0401.cab
    O16 - DPF: {413D6754-BFD4-47FE-9346-319559290BFA} (HTECtrl Class) - http://www.webpcfos.com/webpcfos/websabre/HTEweb.cab
    O16 - DPF: {8AB662FD-CFE0-4D68-96B8-128AFA3C68A6} (CPrtTmpControl Object) - http://eshare.hpphoto.com/download/setup.cab
    O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
    O18 - Protocol: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - C:\PROGRAM FILES\HP\HPCORETECH\COMP\HPUIPROT.DLL

    File: spoolsv.exe
    Status: INFECTED/MALWARE (Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database)
    Packers detected: UPX

    AntiVir No viruses found (0.14 seconds taken)
    Avast No viruses found (1.51 seconds taken)
    BitDefender BehavesLike:Trojan.StartPage (probable variant) (0.58 seconds taken)
    ClamAV Trojan.Startpage-127 (0.41 seconds taken)
    Dr.Web No viruses found (0.57 seconds taken)
    F-Prot Antivirus W32/Startpage.EB (0.06 seconds taken)
    Kaspersky Anti-Virus Trojan.Win32.StartPage.nv (0.60 seconds taken)
    mks_vir No viruses found (0.34 seconds taken)
    NOD32 No viruses found (0.46 seconds taken)
    Norman Virus Control Sandbox: W32/Malware; [ General information ]

    * File length: 54272 bytes.

    [ Changes to filesystem ]
    * Deletes file bA.
    * Creates file C:\ups.exe.

    [ Changes to registry ]
    * Creates key "HKCU\Software\Microsoft\Clock".
    * Sets value "OF" = "c:\sample.exe" in key "HKCU\Software\Microsoft\Clock".
    * Sets value "SF" = "c:\ups.exe" in key "HKCU\Software\Microsoft\Clock".
    * Creates value "Clock" = "c:\ups.exe" in key "HKCU\Software\Microsoft\Windows\CurrentVersion\Run".
    * Sets value "prc_id" = "1050758453" in key "HKCU\Software\Microsoft\Clock".
    * Modifies value "Start Page" = "http://www.findwhatevernow.com" in key "HKCU\Software\Microsoft\Internet Explorer\Main".

    [ Process/window information ]
    * Creates a mutex mutexSSetter.
    * Will automatically restart after boot (I'll be back...). (0.92 seconds taken)

    File: Mshta.exe
    Status: OK
    Packers detected: None

    AntiVir No viruses found (0.14 seconds taken)
    Avast No viruses found (1.51 seconds taken)
    BitDefender No viruses found (0.34 seconds taken)
    ClamAV No viruses found (0.33 seconds taken)
    Dr.Web No viruses found (0.47 seconds taken)
    F-Prot Antivirus No viruses found (0.06 seconds taken)
    Kaspersky Anti-Virus No viruses found (0.57 seconds taken)
    mks_vir No viruses found (0.20 seconds taken)
    NOD32 No viruses found (0.35 seconds taken)
    Norman Virus Control No viruses found (0.41 seconds taken)

    File: lasss.exe
    Status: INFECTED/MALWARE
    Packers detected: UPX

    AntiVir No viruses found (0.14 seconds taken)
    Avast No viruses found (1.51 seconds taken)
    BitDefender BehavesLike:Trojan.StartPage (probable variant) (0.56 seconds taken)
    ClamAV Trojan.Startpage-127 (0.32 seconds taken)
    Dr.Web No viruses found (0.49 seconds taken)
    F-Prot Antivirus W32/Startpage.EB (0.06 seconds taken)
    Kaspersky Anti-Virus Trojan.Win32.StartPage.nv (0.59 seconds taken)
    mks_vir No viruses found (0.34 seconds taken)
    NOD32 No viruses found (0.46 seconds taken)
    Norman Virus Control Sandbox: W32/Malware; [ General information ]

    * File length: 54272 bytes.

    [ Changes to filesystem ]
    * Deletes file bA.
    * Creates file C:\ups.exe.

    [ Changes to registry ]
    * Creates key "HKCU\Software\Microsoft\Clock".
    * Sets value "OF" = "c:\sample.exe" in key "HKCU\Software\Microsoft\Clock".
    * Sets value "SF" = "c:\ups.exe" in key "HKCU\Software\Microsoft\Clock".
    * Creates value "Clock" = "c:\ups.exe" in key "HKCU\Software\Microsoft\Windows\CurrentVersion\Run".
    * Sets value "prc_id" = "1050758453" in key "HKCU\Software\Microsoft\Clock".
    * Modifies value "Start Page" = "http://www.findwhatevernow.com" in key "HKCU\Software\Microsoft\Internet Explorer\Main".

    [ Process/window information ]
    * Creates a mutex mutexSSetter.
    * Will automatically restart after boot (I'll be back...). (0.91 seconds taken)

    File: Dpvsetup.exe
    Status: OK
    Packers detected: None

    AntiVir No viruses found (0.14 seconds taken)
    Avast No viruses found (1.53 seconds taken)
    BitDefender No viruses found (0.36 seconds taken)
    ClamAV No viruses found (0.33 seconds taken)
    Dr.Web No viruses found (0.47 seconds taken)
    F-Prot Antivirus No viruses found (0.06 seconds taken)
    Kaspersky Anti-Virus No viruses found (0.57 seconds taken)
    mks_vir No viruses found (0.20 seconds taken)
    NOD32 No viruses found (0.36 seconds taken)
    Norman Virus Control No viruses found (0.46 seconds taken)
     
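    The Norman sandbox output above spells out how this Trojan.StartPage sample persists: a Run value named "Clock" that launches c:\ups.exe, a HKCU\Software\Microsoft\Clock key holding the original and copied file paths, and the IE Start Page switched to findwhatevernow.com (the file names themselves imitate Windows system binaries; lasss.exe is one letter off lsass.exe). Those changes are exactly what a HijackThis log would show as O4 and R0/R1 lines, so here is an added example, written for this page and not code from the thread or from HijackThis, of scanning a saved HJT log for them. The indicator values come from the sandbox report; the line parsing, the image_name helper and the sample log (five lines copied from the log in this thread plus two constructed lines showing what the reported changes would look like) are assumptions of the example. It also lists the O16 DPF lines, the ActiveX controls pulled from the web, since those deserve a manual look even when no indicator matches.

```python
"""Scan a HijackThis log for the persistence indicators reported by the
Norman sandbox for the Trojan.StartPage sample above.

Added example, not code from the thread or from HijackThis.  The indicator
values (Run value "Clock" -> c:\\ups.exe, Start Page findwhatevernow.com)
come from the sandbox report; the parsing and the sample log are
assumptions of the example.
"""
import re
from dataclasses import dataclass
from typing import List, Tuple

# Indicators taken from the sandbox report.  Assumption: the variant seen
# here uses exactly these names; a different variant may not.
BAD_RUN_NAMES = {"clock"}
BAD_RUN_IMAGES = {"ups.exe"}
HIJACK_HOSTS = {"findwhatevernow.com"}

# O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] ?(?P<cmd>.*)$")
# R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://...
R_RE = re.compile(r"^R[01] - (?P<key>[^,]+),(?P<value>[^=]+?) = (?P<data>.*)$")
# O16 - DPF: {CLSID} (Friendly name) - http://host/path.cab
O16_RE = re.compile(r"^O16 - DPF: \{(?P<clsid>[^}]+)\} \((?P<name>[^)]*)\) - (?P<url>\S+)$")


@dataclass
class Finding:
    line: str      # the HJT log line as written
    reason: str    # why it was flagged


def image_name(cmd: str) -> str:
    """Lower-cased file name of the executable in a Run value's command.

    Handles a quoted path with spaces ("C:\\Program Files\\x.exe" /flag) and
    the unquoted form HJT shows (C:\\PROGRAM FILES\\...\\avgcc32.exe /startup)
    by cutting at the first ".exe".
    """
    cmd = cmd.strip()
    if not cmd:
        return ""
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        path = cmd[1:end] if end > 0 else cmd[1:]
    else:
        i = cmd.lower().find(".exe")
        path = cmd[: i + 4] if i >= 0 else cmd.split()[0]
    return path.strip().rsplit("\\", 1)[-1].lower()


def scan_hjt(log_text: str) -> List[Finding]:
    """Return the O4 and R0/R1 lines that match the sandbox indicators."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = O4_RE.match(line)
        if m:
            if m.group("name").lower() in BAD_RUN_NAMES or image_name(m.group("cmd")) in BAD_RUN_IMAGES:
                findings.append(Finding(line, "autostart entry matches sandbox indicator"))
            continue
        m = R_RE.match(line)
        if m and any(h in m.group("data").lower() for h in HIJACK_HOSTS):
            findings.append(Finding(line, "IE start/search page points at hijack domain"))
    return findings


def activex_downloads(log_text: str) -> List[Tuple[str, str]]:
    """(name, url) for every O16 DPF line: ActiveX controls fetched from the
    web, worth reviewing by hand even when no indicator matches."""
    return [(m.group("name"), m.group("url"))
            for m in (O16_RE.match(ln.strip()) for ln in log_text.splitlines()) if m]


# Constructed sample: five lines copied from the log in this thread plus two
# lines showing what the sandbox-reported changes would look like in HJT.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRAM FILES\GRISOFT\AVG6\avgcc32.exe /startup
O4 - HKLM\..\Run: [HP Component Manager] "C:\PROGRAM FILES\HP\HPCORETECH\HPCMPMGR.EXE "
O4 - HKCU\..\Run: [AIM] C:\PROGRAM FILES\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Clock] c:\ups.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.findwhatevernow.com
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
"""

if __name__ == "__main__":
    for f in scan_hjt(SAMPLE_LOG):
        print(f"FLAG  {f.reason}: {f.line}")
    for name, url in activex_downloads(SAMPLE_LOG):
        print(f"O16   {name} <- {url}")
```

    Run against the constructed log it flags the [Clock] Run entry and the Start Page line and leaves the legitimate SysTray, AVG, HP and AIM entries alone; the check on the image name (not just the value name) is there because a variant could register the same c:\ups.exe under a different value name.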
  16. 2004/11/10
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Looks to me the only things left to do would be to delete the ups.exe file from C: if present, and in regedit navigate to HKCU\Software\Microsoft and delete the Clock key. Oh, and empty the recycle bin. Maybe Lonny will have something to add though.
     
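    To confirm the cleanup Dave describes before handing the PC back, an added example (written for this page, not code from the thread) that checks a REGEDIT4 export of the user hive for the leftovers named in the sandbox report. It assumes the hive was exported with regedit /e C:\hkcu.reg HKEY_CURRENT_USER\Software\Microsoft, which on Windows 9x writes the REGEDIT4 text format parsed here; the two export snippets, one before and one after cleanup, are constructed for the example, and the key and value names come from the sandbox output.

```python
"""Check a REGEDIT4 export of HKCU for the leftovers named in the sandbox
report (the Clock key, the Run value that launches c:\\ups.exe, and the
hijacked IE Start Page).

Added example, not code from the thread.  Assumption: the hive was exported
with  regedit /e C:\\hkcu.reg HKEY_CURRENT_USER\\Software\\Microsoft  which on
Windows 9x writes the REGEDIT4 text format parsed here.  The two exports
below are constructed for the example.
"""
from typing import Dict, List

RegDump = Dict[str, Dict[str, str]]   # key path (lower-cased) -> {value name -> data}

CLOCK_KEY = r"hkey_current_user\software\microsoft\clock"
RUN_KEY = r"hkey_current_user\software\microsoft\windows\currentversion\run"
IE_MAIN_KEY = r"hkey_current_user\software\microsoft\internet explorer\main"
HIJACK_HOST = "findwhatevernow.com"


def _unescape(s: str) -> str:
    """Undo the REGEDIT4 string escaping (\\\\ for a backslash, \\" for a quote)."""
    out, i = [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            out.append(s[i + 1])
            i += 2
        else:
            out.append(s[i])
            i += 1
    return "".join(out)


def parse_regedit4(text: str) -> RegDump:
    """Minimal REGEDIT4 reader: [key] headers, "name"="string" and @="string"
    lines.  Non-string data (dword:, hex:) is kept as raw text."""
    dump: RegDump = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "REGEDIT4":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            dump[current] = {}
            continue
        if current is None or "=" not in line:
            continue
        name, data = line.split("=", 1)
        name = "(default)" if name == "@" else name.strip('"').lower()
        if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
            data = _unescape(data[1:-1])
        dump[current][name] = data
    return dump


def leftovers(dump: RegDump) -> List[str]:
    """Artifacts from the sandbox report that are still in the export."""
    problems: List[str] = []
    if CLOCK_KEY in dump or any(k.startswith(CLOCK_KEY + "\\") for k in dump):
        problems.append("HKCU\\Software\\Microsoft\\Clock key still present")
    for name, data in dump.get(RUN_KEY, {}).items():
        if name == "clock" or data.lower().endswith("ups.exe"):
            problems.append(f"Run value {name!r} still launches {data}")
    start = dump.get(IE_MAIN_KEY, {}).get("start page", "")
    if HIJACK_HOST in start.lower():
        problems.append(f"Start Page still set to {start}")
    return problems


# Constructed export of a still-infected hive (values as the sandbox reported them).
INFECTED_EXPORT = r"""REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Clock]
"OF"="c:\\sample.exe"
"SF"="c:\\ups.exe"
"prc_id"="1050758453"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Clock"="c:\\ups.exe"
"AIM"="C:\\PROGRAM FILES\\AIM95\\aim.exe -cnetwait.odl"

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://www.findwhatevernow.com"
"""

# Constructed export after the cleanup steps: Clock key and Run value deleted,
# Start Page reset by hand.
CLEAN_EXPORT = r"""REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"AIM"="C:\\PROGRAM FILES\\AIM95\\aim.exe -cnetwait.odl"

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="about:blank"
"""

if __name__ == "__main__":
    for label, export in (("before", INFECTED_EXPORT), ("after", CLEAN_EXPORT)):
        print(label, leftovers(parse_regedit4(export)) or "clean")
```

    The point of checking an export rather than eyeballing regedit is that the Run value is matched on its target path as well as its name, so a value renamed by a variant still shows up, and the Start Page is re-checked because deleting the Clock key alone leaves it pointing at the hijack domain.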
  17. 2004/11/10
    BillB Lifetime Subscription

    BillB Well-Known Member Thread Starter

    Joined:
    2003/03/18
    Messages:
    750
    Likes Received:
    0
    Hi Dave,

    The registry keys are gone, the recycle bin has been emptied and the ups.exe file wasn't there. I'm glad I checked the board again this morning; I was going to return the PC tonight. I'm holding on to it to make sure everything is fixed.

    Thanks again for the help on this.

    Bill
     
  18. 2004/11/10
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    You bet, Bill. :) Wait to see if Lonny has anything to add.
     
  19. 2004/11/10
    Lonny Jones

    Lonny Jones Inactive Alumni

    Joined:
    2002/12/16
    Messages:
    2,252
    Likes Received:
    0
    Looks good to me; those red.clientapps entries should be fixed, but it's a minor thing:
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/cus...//www.yahoo.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/cus...//www.yahoo.com
    ===============

    If you still have the files, send them to me please. They will need to be put in a zip and, if possible, password-protected/encrypted: ups.exe too if it's there, the others, and especially dpvsetup.exe since nothing was found.
    >This address<

    Whoops, I guess not. Oh well, that's ok; we were all posting at the same time it seems :)

    You have SpyBot 1.3; have you run Ad-Aware SE too?
     
  20. 2004/11/10
    BillB Lifetime Subscription

    BillB Well-Known Member Thread Starter

    Joined:
    2003/03/18
    Messages:
    750
    Likes Received:
    0
    Hi Lonny,

    Sorry about that. I deleted the files that were shown to be infected; guess I was a little quick on the trigger. I can copy off dpvsetup.exe and send that to you; the ups.exe file wasn't there. I can zip up the file and password it, but what do you suggest to encrypt it?

    I have run SpyBot and Adaware both on this machine. Both are current and up to date also.

    I went ahead and deleted the entries you mentioned. I want to get it as clean as possible before returning it.

    Thanks again for the help. Let me know if you still want the dpvsetup file.


    Bill
     
  21. 2004/11/10
    Lonny Jones

    Lonny Jones Inactive Alumni

    Joined:
    2002/12/16
    Messages:
    2,252
    Likes Received:
    0
    Yes, do send the file please. Any password will do; we usually use "infected" :)
    Thanks
     