#1
Registered User
Join Date: Sep 2004
Posts: 6
OS: win98
Hijack help please
Dear TSF

I live in the land of car hijacks (South Africa) but reckon the local guys have nothing on what is in my computer. Please could you have a look at my log and let me know what needs doing. Thanks for all your help. Much appreciated.

Mark

```text
Logfile of HijackThis v1.98.2
Scan saved at 06:37:25, on 2004/09/29
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\NOVELL\CLIENT32\NWRECMSG.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\NETWORK ASSOCIATES\COMMON FRAMEWORK\FRAMEWORKSERVICE.EXE
C:\PROGRAM FILES\NETWORK ASSOCIATES\VIRUSSCAN\AVSYNMGR.EXE
C:\PROGRAM FILES\NETWORK ASSOCIATES\COMMON FRAMEWORK\NAPRDMGR.EXE
C:\PROGRAM FILES\NETWORK ASSOCIATES\VIRUSSCAN\VSSTAT.EXE
C:\PROGRAM FILES\NETWORK ASSOCIATES\VIRUSSCAN\VSHWIN32.EXE
C:\PROGRAM FILES\NETWORK ASSOCIATES\VIRUSSCAN\AVCONSOL.EXE
C:\PROGRAM FILES\NETWORK ASSOCIATES\VIRUSSCAN\WEBSCANX.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
M:\win95\polrun\winc95r1.exe
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\EVNTSVC.EXE
C:\PROGRAM FILES\NETWORK ASSOCIATES\COMMON FRAMEWORK\UPDATERUI.EXE
C:\WINDOWS\SYSTEM\0D62J9LSPHYRHE.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\TEMP\FDNO.DAT
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\VIRUS STUFF\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.heretofind.com/show.php?id=18&q=%s
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = mk:@MSITStore:C:\spe\start.chm::/start.html#
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.heretofind.com/show.php?id=18&q=%s
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = mk:@MSITStore:C:\spe\start.chm::/start.html#
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.uct.ac.za/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://www.uct.ac.za/cache.pac
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINDOWS\SYSTEM\XXIK46~1.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\WINDOWS\DOWNLOADED PROGRAM FILES\YCOMP5_1_6_0.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [WinCerberus] m:\win95\polrun\winc95r1.exe
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [pnpsvc_lock] C:\WINDOWS\SYSTEM\533134.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [McAfee Framework Service] C:\PROGRAM FILES\NETWORK ASSOCIATES\COMMON FRAMEWORK\FRAMEWORKSERVICE.EXE /ServiceStart
O4 - HKLM\..\RunServices: [McAfeeVirusScanService] C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
O4 - HKCU\..\Run: [avinst] avinst
O4 - HKCU\..\Run: [Instant Access] rundll32.exe EGDHTML_1027.dll,InstantAccess
O4 - HKCU\..\Run: [Uninstal] regsvr32 /u /s image.dll
O4 - HKCU\..\Run: [romahere2] C:\WINDOWS\SYSTEM\0D62J9LSPHYRHE.EXE
O4 - Startup: AvSynMgr.lnk = C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsearch.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsimilar.html
O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmtrans.html
O9 - Extra button: Corel Network monitor worker - {0BAE2EEA-61B5-4C1D-B81B-FCFDB6DDD911} - (no file)
O9 - Extra 'Tools' menuitem: Corel Network monitor worker - {0BAE2EEA-61B5-4C1D-B81B-FCFDB6DDD911} - (no file)
O9 - Extra button: (no name) - {237AA178-C3BC-4f67-A8BB-D8BC14BA0B89} - (no file)
O9 - Extra button: Corel Network monitor worker - {0BAE2EEA-61B5-4C1D-B81B-FCFDB6DDD911} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Corel Network monitor worker - {0BAE2EEA-61B5-4C1D-B81B-FCFDB6DDD911} - (no file) (HKCU)
O9 - Extra button: (no name) - {237AA178-C3BC-4f67-A8BB-D8BC14BA0B89} - (no file) (HKCU)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O12 - Plugin for .2: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
O13 - DefaultPrefix: http://www.heretofind.com/show.php?id=18&q=
O13 - WWW Prefix: http://www.heretofind.com/show.php?id=18&q=
O13 - Home Prefix: http://www.heretofind.com/show.php?id=18&q=
O13 - Mosaic Prefix: http://www.heretofind.com/show.php?id=18&q=
O13 - Gopher Prefix: http://www.heretofind.com/show.php?id=18&q=
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (Yahoo! Companion) - http://us.dl1.yimg.com/download.comp...bio5_1_6_0.cab
O16 - DPF: {706F3805-27D7-478D-80E5-E25D2BB030B3} (VacPro.internazionale_ver3) - http://www.advnt01.com/dialer/internazionale_ver3.CAB
O16 - DPF: Yahoo! Chess - http://download.games.yahoo.com/game...ts/y/ct2_x.cab
O16 - DPF: Yahoo! Word Racer - http://download.games.yahoo.com/game...ts/y/wt1_x.cab
O16 - DPF: {042EEA26-2402-4E5A-B5BB-0FB445A5526E} (VacPro.win98_P) - http://www9.advnt01.com/dialer/win98_P.CAB
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
```
#2
General Manager (Administrator)
Hello and welcome to TSF
Well, well, how ironic that a “local guy” is going to help you sort out your system………………… LOL

Please print out or copy this page to Notepad in order to assist you when carrying out the following instructions.

Download StartChmFix and run it.

Your Temp folders should be cleaned out periodically as installation programs and hijack programs leave a lot of junk there. Download Index.dat Suite to clean out all the temp folders. Do not run it yet.

Go into Hijack This->Config->Misc. Tools->Open process manager. Select the following and click “Kill process” for each one (you must kill them one at a time).

```text
C:\WINDOWS\TEMP\FDNO.DAT
```

Open Hijack This and click on Scan. Check the following entries (make sure you do not miss any):

```text
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.heretofind.com/show.php?id=18&q=%s
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = mk:@MSITStore:C:\spe\start.chm::/start.html#
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.heretofind.com/show.php?id=18&q=%s
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = mk:@MSITStore:C:\spe\start.chm::/start.html#
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINDOWS\SYSTEM\XXIK46~1.DLL
O4 - HKCU\..\Run: [Instant Access] rundll32.exe EGDHTML_1027.dll,InstantAccess
O4 - HKCU\..\Run: [romahere2] C:\WINDOWS\SYSTEM\0D62J9LSPHYRHE.EXE
O9 - Extra button: Corel Network monitor worker - {0BAE2EEA-61B5-4C1D-B81B-FCFDB6DDD911} - (no file)
O9 - Extra 'Tools' menuitem: Corel Network monitor worker - {0BAE2EEA-61B5-4C1D-B81B-FCFDB6DDD911} - (no file)
O9 - Extra button: (no name) - {237AA178-C3BC-4f67-A8BB-D8BC14BA0B89} - (no file)
O9 - Extra button: Corel Network monitor worker - {0BAE2EEA-61B5-4C1D-B81B-FCFDB6DDD911} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Corel Network monitor worker - {0BAE2EEA-61B5-4C1D-B81B-FCFDB6DDD911} - (no file) (HKCU)
O9 - Extra button: (no name) - {237AA178-C3BC-4f67-A8BB-D8BC14BA0B89} - (no file) (HKCU)
O13 - DefaultPrefix: http://www.heretofind.com/show.php?id=18&q=
O13 - WWW Prefix: http://www.heretofind.com/show.php?id=18&q=
O13 - Home Prefix: http://www.heretofind.com/show.php?id=18&q=
O13 - Mosaic Prefix: http://www.heretofind.com/show.php?id=18&q=
O13 - Gopher Prefix: http://www.heretofind.com/show.php?id=18&q=
O16 - DPF: {706F3805-27D7-478D-80E5-E25D2BB030B3} (VacPro.internazionale_ver3) - http://www.advnt01.com/dialer/internazionale_ver3.CAB
```

Please remember to close any open windows and browsers before fixing any entries. In Hijack This, hit the Fix checked button.

Do you know what the following entries are?

```text
O4 - HKLM\..\Run: [WinCerberus] m:\win95\polrun\winc95r1.exe
O4 - HKLM\..\Run: [pnpsvc_lock] C:\WINDOWS\SYSTEM\533134.EXE
```

Reboot into Safe Mode (hit F8 key until menu shows).

Delete the following Files/Folders if they still exist.

```text
C:\WINDOWS\SYSTEM\0D62J9LSPHYRHE.EXE   <<< This File
```

Run Index.dat Suite now and go to Tools->Settings. Then make sure to check the following: Cookies, History, Recent Documents, Swap File (if you have Windows 95/98), Temporary Internet Files and Temp Files. Click Save at the bottom. Then click on the Find button. Let it search. Then click on the second button on the top. This will generate a batch file. Click Next->Next->Next and it will tell you that after the next reboot/restart the file should run by itself at startup and clean all those files.

Reboot into Normal Mode.

Run an online scan at Trend Micro or RAV Antivirus. Please select the “autoclean” option when using Trend Micro.

Please post a fresh Hijack This log so that we can check if your system is clean. I do not subscribe to threads so please PM me the link when you have posted your new log. Please do not post your log in the PM, only the link.
__________________
Please Read The 5 Step Process Before You post A Log Hijack This v2.02 :: Adaware SE :: Spybot Search & Destroy :: SpywareBlaster :: CWShredder To Donate :: Please Click Here :: PROUD MEMBER OF ASAP SINCE NOVEMBER 2004
#3
Registered User
Join Date: Sep 2004
Posts: 6
OS: win98
Hijack help
Thanks for the reply.
Have done what you suggested. A few issues:

1. Seem to have resistance in removing O2 - BHO: (no name) - {467FAEB..... and O4 - HKCU\..\Run: [romahere2] .....
2. Not sure what those entries are that you queried. Am on a university network (IT dept. not so helpful with registry stuff. Would rather nuke it) with Norton antivirus - relevance?
3. Don't seem to be having any joy with the online scans. Can't access ("network busy" etc.).

Hijack This log appended. Thanks a million,

Mark

```text
Logfile of HijackThis v1.98.2
Scan saved at 10:28:50, on 2004/09/30
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\NOVELL\CLIENT32\NWRECMSG.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\NETWORK ASSOCIATES\COMMON FRAMEWORK\FRAMEWORKSERVICE.EXE
C:\PROGRAM FILES\NETWORK ASSOCIATES\VIRUSSCAN\AVSYNMGR.EXE
C:\PROGRAM FILES\NETWORK ASSOCIATES\COMMON FRAMEWORK\NAPRDMGR.EXE
C:\PROGRAM FILES\NETWORK ASSOCIATES\VIRUSSCAN\VSSTAT.EXE
C:\PROGRAM FILES\NETWORK ASSOCIATES\VIRUSSCAN\VSHWIN32.EXE
C:\PROGRAM FILES\NETWORK ASSOCIATES\VIRUSSCAN\AVCONSOL.EXE
C:\PROGRAM FILES\NETWORK ASSOCIATES\VIRUSSCAN\WEBSCANX.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\EVNTSVC.EXE
C:\PROGRAM FILES\NETWORK ASSOCIATES\COMMON FRAMEWORK\UPDATERUI.EXE
C:\WINDOWS\SYSTEM\VJMIZ94YNL9ME.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\VIRUS STUFF\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.uct.ac.za/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://www.uct.ac.za/cache.pac
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINDOWS\SYSTEM\T4UKJO~1.DLL
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\WINDOWS\DOWNLOADED PROGRAM FILES\YCOMP5_1_6_0.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [WinCerberus] m:\win95\polrun\winc95r1.exe
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [pnpsvc_lock] C:\WINDOWS\SYSTEM\533134.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [McAfee Framework Service] C:\PROGRAM FILES\NETWORK ASSOCIATES\COMMON FRAMEWORK\FRAMEWORKSERVICE.EXE /ServiceStart
O4 - HKLM\..\RunServices: [McAfeeVirusScanService] C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
O4 - HKCU\..\Run: [avinst] avinst
O4 - HKCU\..\Run: [Uninstal] regsvr32 /u /s image.dll
O4 - HKCU\..\Run: [romahere2] C:\WINDOWS\SYSTEM\VJMIZ94YNL9ME.EXE
O4 - Startup: AvSynMgr.lnk = C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsearch.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsimilar.html
O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmtrans.html
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O12 - Plugin for .2: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (Yahoo! Companion) - http://us.dl1.yimg.com/download.comp...bio5_1_6_0.cab
O16 - DPF: Yahoo! Chess - http://download.games.yahoo.com/game...ts/y/ct2_x.cab
O16 - DPF: Yahoo! Word Racer - http://download.games.yahoo.com/game...ts/y/wt1_x.cab
```
#4
General Manager (Administrator)
Hi Markle
Your log looks clean apart from those non-deletions. I'm going to refer them to a Moderator and I'll get back to you. The strange thing is the CLSIDs are the same but the file names have changed. Let you know as soon as possible. How is your system running now though??
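As an added illustration, not code from this thread or from HijackThis, here is a small Python script that automates two checks the helpers did by hand above: it flags browser settings (R0/R1/O13) redirected to heretofind.com or to a local .chm start page, and it compares two scans to find entries whose CLSID or Run-key label is unchanged while the file name has changed, the pattern noted in post #4. The log excerpts are constructed from the logs posted in this thread; the function names and the identity scheme are my own.

```python
import re

# Constructed excerpts of the first two HijackThis logs posted in this thread
# (before and after the first cleanup round); only the entries needed here.
LOG_BEFORE = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.heretofind.com/show.php?id=18&q=%s
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = mk:@MSITStore:C:\spe\start.chm::/start.html#
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.uct.ac.za/
O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINDOWS\SYSTEM\XXIK46~1.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O4 - HKCU\..\Run: [romahere2] C:\WINDOWS\SYSTEM\0D62J9LSPHYRHE.EXE
O13 - DefaultPrefix: http://www.heretofind.com/show.php?id=18&q=
"""

LOG_AFTER = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.uct.ac.za/
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINDOWS\SYSTEM\T4UKJO~1.DLL
O4 - HKCU\..\Run: [romahere2] C:\WINDOWS\SYSTEM\VJMIZ94YNL9ME.EXE
"""

ENTRY_RE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.+)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
RUN_RE = re.compile(r"^(?P<key>.+?): \[(?P<label>[^\]]+)\] (?P<cmd>.+)$")


def parse_hjt(text):
    """Parse HijackThis entry lines into dicts with a stable identity and a target.
    Identity: the CLSID for COM items (O2/O3/O9/O16), hive + Run-key label for O4,
    the registry value or prefix name for R0/R1/O13. Header lines and the
    'Running processes' list carry no section tag and are skipped."""
    entries = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue
        sec, body = m.group("sec"), m.group("body")
        if sec in ("O2", "O3", "O9", "O16"):
            c = CLSID_RE.search(body)
            ident = c.group(0).upper() if c else body
            path = body.rsplit(" - ", 1)[-1]          # last field is the file/URL
        elif sec == "O4":
            r = RUN_RE.match(body)
            ident = f"{r.group('key')}:[{r.group('label')}]" if r else body
            path = r.group("cmd") if r else ""
        elif sec in ("R0", "R1", "O13"):
            sep = " = " if " = " in body else ": "     # R-lines use '=', O13 uses ':'
            ident, _, path = body.partition(sep)
        else:
            ident, path = body, ""
        entries.append({"sec": sec, "id": ident, "path": path.strip(), "line": raw.strip()})
    return entries


def renamed_persistence(before, after):
    """Entries whose identity survived a cleanup but now point at a different file.
    Returns (old_path, new_path, new_line): the 'same CLSID, new file name' case,
    meaning the component was re-dropped under a fresh random name, not removed."""
    prev = {(e["sec"], e["id"]): e for e in before}
    out = []
    for e in after:
        old = prev.get((e["sec"], e["id"]))
        if old is not None and old["path"] != e["path"]:
            out.append((old["path"], e["path"], e["line"]))
    return out


def hijack_indicators(entries, hosts=("heretofind.com",)):
    """R0/R1/O13 entries pointing at a known hijack host, or a start page served
    from a local .chm via mk:@MSITStore, which no normal install configures."""
    hits = []
    for e in entries:
        if e["sec"] not in ("R0", "R1", "O13"):
            continue
        target = e["path"].lower()
        if any(h in target for h in hosts) or target.startswith("mk:@msitstore"):
            hits.append(e["line"])
    return hits


if __name__ == "__main__":
    before, after = parse_hjt(LOG_BEFORE), parse_hjt(LOG_AFTER)
    for line in hijack_indicators(before):
        print("hijacked setting:", line)
    for old, new, _line in renamed_persistence(before, after):
        print(f"re-dropped under same identity: {old} -> {new}")
```

Running it on the two excerpts reports three hijacked browser settings in the first log and two re-dropped components (the unnamed BHO and the romahere2 Run entry) in the second.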
#5
General Manager (Administrator)
Hi Mark
Open Hijack This and check the following entries:-

```text
O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINDOWS\SYSTEM\T4UKJO~1.DLL
O4 - HKCU\..\Run: [romahere2] C:\WINDOWS\SYSTEM\VJMIZ94YNL9ME.EXE
```

Reboot in Safe Mode and delete the following file if it still exists:-

```text
C:\WINDOWS\SYSTEM\VJMIZ94YNL9ME.EXE
```

Go back and run an online scan at Trend Micro and then post a new Hijack This log.
#6
Registered User
Join Date: Sep 2004
Posts: 6
OS: win98
another go at the pie
Hello again
Thanks for your time. As requested I followed your instructions. Attached is my log.

Mark

```text
Logfile of HijackThis v1.98.2
Scan saved at 05:16:13, on 2004/09/30
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\NOVELL\CLIENT32\NWRECMSG.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\NETWORK ASSOCIATES\COMMON FRAMEWORK\FRAMEWORKSERVICE.EXE
C:\PROGRAM FILES\NETWORK ASSOCIATES\VIRUSSCAN\AVSYNMGR.EXE
C:\PROGRAM FILES\NETWORK ASSOCIATES\COMMON FRAMEWORK\NAPRDMGR.EXE
C:\PROGRAM FILES\NETWORK ASSOCIATES\VIRUSSCAN\VSSTAT.EXE
C:\PROGRAM FILES\NETWORK ASSOCIATES\VIRUSSCAN\VSHWIN32.EXE
C:\PROGRAM FILES\NETWORK ASSOCIATES\VIRUSSCAN\AVCONSOL.EXE
C:\PROGRAM FILES\NETWORK ASSOCIATES\VIRUSSCAN\WEBSCANX.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\EVNTSVC.EXE
C:\PROGRAM FILES\NETWORK ASSOCIATES\COMMON FRAMEWORK\UPDATERUI.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\VIRUS STUFF\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.uct.ac.za/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://www.uct.ac.za/cache.pac
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINDOWS\SYSTEM\KE9YGB~1.DLL
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\WINDOWS\DOWNLOADED PROGRAM FILES\YCOMP5_1_6_0.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [WinCerberus] m:\win95\polrun\winc95r1.exe
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [pnpsvc_lock] C:\WINDOWS\SYSTEM\533134.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [McAfee Framework Service] C:\PROGRAM FILES\NETWORK ASSOCIATES\COMMON FRAMEWORK\FRAMEWORKSERVICE.EXE /ServiceStart
O4 - HKLM\..\RunServices: [McAfeeVirusScanService] C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
O4 - HKCU\..\Run: [avinst] avinst
O4 - HKCU\..\Run: [Uninstal] regsvr32 /u /s image.dll
O4 - HKCU\..\Run: [romahere2] C:\WINDOWS\SYSTEM\VJMIZ94YNL9ME.EXE
O4 - Startup: AvSynMgr.lnk = C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsearch.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsimilar.html
O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmtrans.html
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O12 - Plugin for .2: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (Yahoo! Companion) - http://us.dl1.yimg.com/download.comp...bio5_1_6_0.cab
O16 - DPF: Yahoo! Chess - http://download.games.yahoo.com/game...ts/y/ct2_x.cab
O16 - DPF: Yahoo! Word Racer - http://download.games.yahoo.com/game...ts/y/wt1_x.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
```
#7
General Manager (Administrator)
Hi Mark
I see the files are back again. I'll have to get the heavy guns in to sort it out. Appreciate your patience.
#8
Old Timer
Join Date: Sep 2003
Location: Northern Arizona
Posts: 7,957
OS: Vista Home Premium, SP 27
Well ain't this a mug of doodoo.
This is a new baddie. I will have to beg your patience while we make the following repairs and see what happens. (No, I am not putting your system out of its misery...I fully expect it to survive).

Please print out or copy this page to Notepad. You should not have any open browsers when you are following the procedures below.

Go to My Computer->Tools->Folder Options->View tab and make sure that Show hidden files and folders is enabled. Also make sure that the System Files and Folders are showing/visible.

Reboot into Safe Mode (hit F8 key until menu shows up). Make sure to close any open browsers.

Go into HijackThis->Config->Misc. Tools->Open process manager. Select the following and click Kill process for each one if they are still listed:

```text
winc95r1.exe
533134.EXE
VJMIZ94YNL9ME.EXE
```

Check and fix the following in HijackThis if they still exist (make sure not to miss any):

```text
O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINDOWS\SYSTEM\KE9YGB~1.DLL
O4 - HKLM\..\Run: [WinCerberus] m:\win95\polrun\winc95r1.exe
O4 - HKLM\..\Run: [pnpsvc_lock] C:\WINDOWS\SYSTEM\533134.EXE
O4 - HKCU\..\Run: [Uninstal] regsvr32 /u /s image.dll
O4 - HKCU\..\Run: [romahere2] C:\WINDOWS\SYSTEM\VJMIZ94YNL9ME.EXE
```

Delete the following Files/Folders (delete folders if no filename is specified) according to their directory (if none, just do a search for them) and delete them if they exist:

```text
C:\WINDOWS\SYSTEM\KE9YGB~1.DLL
m:\win95\polrun\winc95r1.exe
C:\WINDOWS\SYSTEM\533134.EXE
C:\WINDOWS\SYSTEM\VJMIZ94YNL9ME.EXE
```

Run an online virus scan at TrendMicro or RAV Antivirus. Select the Autoclean option if you use TrendMicro.

Reboot into Normal Mode and post a new HijackThis log file so we can make sure it's clean.
#9
Registered User
Join Date: Sep 2004
Posts: 6
OS: win98
Woohoo!
Dear All
I seem to have my browser back in the land of the living. Hope my woohoo is not premature. Here's my log. Your help is much appreciated.

Regards, Mark

```text
Logfile of HijackThis v1.98.2
Scan saved at 01:12:25, on 2004/10/01
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\NOVELL\CLIENT32\NWRECMSG.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\NETWORK ASSOCIATES\COMMON FRAMEWORK\FRAMEWORKSERVICE.EXE
C:\PROGRAM FILES\NETWORK ASSOCIATES\VIRUSSCAN\AVSYNMGR.EXE
C:\PROGRAM FILES\NETWORK ASSOCIATES\COMMON FRAMEWORK\NAPRDMGR.EXE
C:\PROGRAM FILES\NETWORK ASSOCIATES\VIRUSSCAN\VSSTAT.EXE
C:\PROGRAM FILES\NETWORK ASSOCIATES\VIRUSSCAN\VSHWIN32.EXE
C:\PROGRAM FILES\NETWORK ASSOCIATES\VIRUSSCAN\AVCONSOL.EXE
C:\PROGRAM FILES\NETWORK ASSOCIATES\VIRUSSCAN\WEBSCANX.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\EVNTSVC.EXE
C:\PROGRAM FILES\NETWORK ASSOCIATES\COMMON FRAMEWORK\UPDATERUI.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\VIRUS STUFF\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.uct.ac.za/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://www.uct.ac.za/cache.pac
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\WINDOWS\DOWNLOADED PROGRAM FILES\YCOMP5_1_6_0.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [McAfee Framework Service] C:\PROGRAM FILES\NETWORK ASSOCIATES\COMMON FRAMEWORK\FRAMEWORKSERVICE.EXE /ServiceStart
O4 - HKLM\..\RunServices: [McAfeeVirusScanService] C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
O4 - HKCU\..\Run: [avinst] avinst
O4 - Startup: AvSynMgr.lnk = C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsearch.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsimilar.html
O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmtrans.html
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O12 - Plugin for .2: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (Yahoo! Companion) - http://us.dl1.yimg.com/download.comp...bio5_1_6_0.cab
O16 - DPF: Yahoo! Chess - http://download.games.yahoo.com/game...ts/y/ct2_x.cab
O16 - DPF: Yahoo! Word Racer - http://download.games.yahoo.com/game...ts/y/wt1_x.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
```
#11
General Manager (Administrator)
Hi Mark
Yep your log is clean. Good job!

I'm not sure how your network functions but the following programs pretty much protect against spyware intrusions. All are free and excellent programs. Of course they don't prevent everything but minimise the level considerably. Good luck.

You need a spyware blocker such as Spyware Blaster, and a real time spyware program such as Spyware Guard, to prevent spyware intrusions. IE-Spyad is another excellent program that places over 4000 websites and domains in the IE Restricted list, which will help prevent attempts to infect your system. However, be very wary with any security software that is advertised in popups or in other ways. They are not only usually of no use, but often have malware in them.

More information and downloads are available at the following links: Spyware Blaster, Spyware Guard, IE-Spyad.