#1
Registered User
Join Date: May 2005
Posts: 6
OS: win98
popuper / intmonp - multiple instances
Hi, my first post here so apologies if I miss out anything. I seem to have been infected by this popuper / intmonp problem and am having a nightmare with it. If I'm not connected to the internet the PC runs fine; 30 seconds after connecting to the internet I am getting multiple instances of popuper.exe and intmonp.exe running, and these continue to increase into the 100s / 1000s before the PC locks up. I have run Ad Aware / Spybot with the latest updates and also my AV program, none of which have helped. I am posting two HJT files below, the first one is before connecting to the internet, the second one was taken after connecting to the net, just before the PC locked up:
Logfile of HijackThis v1.99.1
Scan saved at 12:22:25, on 29/05/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\ATI2EVXX.EXE
C:\WINDOWS\SYSTEM\PGPSDKSERV.EXE
C:\PROGRAM FILES\NETWORK ASSOCIATES\PGP FOR WINDOWS 98\PGPSERVICE.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\ATIPTAXX.EXE
C:\WINDOWS\SYSTEM\CMD32.EXE
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
C:\WINDOWS\SYSTEM\MSMSGS.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\OSA.EXE
C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
C:\PROGRAM FILES\NETWORK ASSOCIATES\PGP FOR WINDOWS 98\PGPTRAY.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\FINDFAST.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\ZONELABS\ISAFE.EXE
C:\HIJACKTHIS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
O4 - HKLM\..\Run: [ControlPanel] C:\WINDOWS\SYSTEM\cmd32.exe internat.dll,LoadKeyboardProfile
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [MSN Messenger] C:\WINDOWS\SYSTEM\msmsgs.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [ATIPOLL] ati2evxx.exe
O4 - HKLM\..\RunServices: [PGPSDKSVC] C:\WINDOWS\SYSTEM\PGPsdkServ.exe
O4 - HKLM\..\RunServices: [PGPSERVICE] C:\Program Files\Network Associates\PGP for Windows 98\PGPservice.exe
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O4 - Startup: PGPtray.lnk = C:\Program Files\Network Associates\PGP for Windows 98\PGPtray.exe
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsearch.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsimilar.html
O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmtrans.html
O16 - DPF: {10003000-1000-0000-1000-000000000000} - ms-its:mhtml:file://C:\foo.mht!http://dl.ad-ware.cc/D4VbraANxe5w-O6...::/on-line.exe
O16 - DPF: {D6FCA8ED-4715-43DE-9BD2-2789778A5B09} (NPKCX Control) - https://www.mir3europe.com/nProtect/...rypt/npkcx.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/acti..._v1-0-3-24.cab

After connecting to the internet:

Logfile of HijackThis v1.99.1
Scan saved at 12:24:05, on 29/05/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\ATI2EVXX.EXE
C:\WINDOWS\SYSTEM\PGPSDKSERV.EXE
C:\PROGRAM FILES\NETWORK ASSOCIATES\PGP FOR WINDOWS 98\PGPSERVICE.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\ATIPTAXX.EXE
C:\WINDOWS\SYSTEM\CMD32.EXE
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
C:\WINDOWS\SYSTEM\MSMSGS.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\OSA.EXE
C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
C:\PROGRAM FILES\NETWORK ASSOCIATES\PGP FOR WINDOWS 98\PGPTRAY.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\FINDFAST.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\ZONELABS\ISAFE.EXE
C:\HIJACKTHIS\HIJACKTHIS.EXE
C:\WINDOWS\SYSTEM\LOGFILES\P5281700.SO
C:\WINDOWS\POPUPER.EXE
C:\WINDOWS\SYSTEM\INTMONP.EXE
C:\WINDOWS\SYSTEM\INTMONP.EXE
C:\WINDOWS\SYSTEM\INTMONP.EXE
C:\WINDOWS\SYSTEM\INTMONP.EXE
C:\WINDOWS\POPUPER.EXE
C:\WINDOWS\POPUPER.EXE
C:\WINDOWS\POPUPER.EXE
C:\WINDOWS\SYSTEM\INTMONP.EXE
C:\WINDOWS\SYSTEM\WINOA386.MOD
C:\WINDOWS\SYSTEM\INTMONP.EXE
C:\WINDOWS\POPUPER.EXE
C:\WINDOWS\POPUPER.EXE
C:\WINDOWS\SYSTEM\INTMONP.EXE
C:\WINDOWS\POPUPER.EXE
C:\WINDOWS\POPUPER.EXE
C:\WINDOWS\SYSTEM\INTMONP.EXE
C:\WINDOWS\POPUPER.EXE
C:\WINDOWS\SYSTEM\INTMONP.EXE
C:\WINDOWS\SYSTEM\INTMONP.EXE
C:\WINDOWS\POPUPER.EXE
C:\WINDOWS\POPUPER.EXE
C:\WINDOWS\SYSTEM\INTMONP.EXE
C:\WINDOWS\SYSTEM\INTMONP.EXE
C:\WINDOWS\SYSTEM\INTMONP.EXE
C:\WINDOWS\POPUPER.EXE
C:\WINDOWS\POPUPER.EXE
C:\WINDOWS\POPUPER.EXE
C:\WINDOWS\POPUPER.EXE
C:\WINDOWS\POPUPER.EXE
C:\WINDOWS\POPUPER.EXE
C:\WINDOWS\SYSTEM\INTMONP.EXE
C:\WINDOWS\SYSTEM\INTMONP.EXE
C:\WINDOWS\SYSTEM\INTMONP.EXE
C:\WINDOWS\SYSTEM\INTMONP.EXE
C:\WINDOWS\POPUPER.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
O4 - HKLM\..\Run: [ControlPanel] C:\WINDOWS\SYSTEM\cmd32.exe internat.dll,LoadKeyboardProfile
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [MSN Messenger] C:\WINDOWS\SYSTEM\msmsgs.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [ATIPOLL] ati2evxx.exe
O4 - HKLM\..\RunServices: [PGPSDKSVC] C:\WINDOWS\SYSTEM\PGPsdkServ.exe
O4 - HKLM\..\RunServices: [PGPSERVICE] C:\Program Files\Network Associates\PGP for Windows 98\PGPservice.exe
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O4 - Startup: PGPtray.lnk = C:\Program Files\Network Associates\PGP for Windows 98\PGPtray.exe
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsearch.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsimilar.html
O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmtrans.html
O16 - DPF: {10003000-1000-0000-1000-000000000000} - ms-its:mhtml:file://C:\foo.mht!http://dl.ad-ware.cc/D4VbraANxe5w-O6...::/on-line.exe
O16 - DPF: {D6FCA8ED-4715-43DE-9BD2-2789778A5B09} (NPKCX Control) - https://www.mir3europe.com/nProtect/...rypt/npkcx.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/acti..._v1-0-3-24.cab

Any help would be greatly appreciated as my main PC is currently unusable. Thanks, Grant
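An added triage helper for the two logs above (my example, not code from the forum, the poster or HijackThis): it parses the process list and the lettered entries, counts which images multiplied between the before and after logs, and flags the O16 entry whose source is not a plain web URL (the ms-its:mhtml: one) plus the O4 autostarts launched from C:\WINDOWS\SYSTEM, where both files Kaspersky later flagged in this thread live. The embedded logs are constructed, abridged copies of the ones posted.

```python
import re
from collections import Counter

# Constructed, abridged 'before' log: a handful of entries from the thread above.
LOG_BEFORE = """Logfile of HijackThis v1.99.1
Running processes:
C:\\WINDOWS\\SYSTEM\\KERNEL32.DLL
C:\\WINDOWS\\EXPLORER.EXE
C:\\WINDOWS\\SYSTEM\\CMD32.EXE
C:\\WINDOWS\\SYSTEM\\MSMSGS.EXE
C:\\HIJACKTHIS\\HIJACKTHIS.EXE
O4 - HKLM\\..\\Run: [ControlPanel] C:\\WINDOWS\\SYSTEM\\cmd32.exe internat.dll,LoadKeyboardProfile
O4 - HKLM\\..\\Run: [MSN Messenger] C:\\WINDOWS\\SYSTEM\\msmsgs.exe
O4 - HKLM\\..\\Run: [Zone Labs Client] C:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe
O16 - DPF: {10003000-1000-0000-1000-000000000000} - ms-its:mhtml:file://C:\\foo.mht!http://dl.ad-ware.cc/D4VbraANxe5w-O6...::/on-line.exe
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/acti..._v1-0-3-24.cab
"""
# Constructed 'after' log: the same entries plus the process storm seen once online.
LOG_AFTER = LOG_BEFORE.replace(
    "C:\\HIJACKTHIS\\HIJACKTHIS.EXE\n",
    "C:\\HIJACKTHIS\\HIJACKTHIS.EXE\n"
    + "C:\\WINDOWS\\POPUPER.EXE\nC:\\WINDOWS\\SYSTEM\\INTMONP.EXE\n" * 6)

ENTRY_RE = re.compile(r"^([RFON]\d+) - (.*)$")          # e.g. "O4 - HKLM\..\Run: ..."
O4_SYSTEM_RE = re.compile(
    r"^HKLM\\\.\.\\Run(?:Services)?: \[([^\]]+)\] (C:\\WINDOWS\\SYSTEM\\\S+)", re.I)

def parse_hjt(text):
    """Split a HijackThis log into its process list and its lettered entries."""
    processes, entries, in_procs = [], [], False
    for line in text.splitlines():
        line = line.strip()
        if line == "Running processes:":
            in_procs = True
            continue
        m = ENTRY_RE.match(line)
        if m:                      # first lettered entry ends the process block
            in_procs = False
            entries.append((m.group(1), m.group(2)))
        elif in_procs and line:
            processes.append(line.upper())
    return {"processes": processes, "entries": entries}

def process_storm(before, after, min_new=3):
    """Images with at least min_new more instances in 'after' than in 'before'."""
    b, a = Counter(before["processes"]), Counter(after["processes"])
    return {img: a[img] - b[img] for img in a if a[img] - b[img] >= min_new}

def o16_non_web(log):
    """O16 DPF sources that are not plain http(s) URLs (e.g. ms-its:mhtml: handlers)."""
    sources = [rest.rsplit(" - ", 1)[-1].strip() for code, rest in log["entries"] if code == "O16"]
    return [s for s in sources if not re.match(r"https?://", s, re.I)]

def o4_from_system_dir(log):
    """(entry name, path) of O4 autostarts that run from the Windows SYSTEM folder, for review."""
    hits = [O4_SYSTEM_RE.match(rest) for code, rest in log["entries"] if code == "O4"]
    return [(m.group(1), m.group(2)) for m in hits if m]

def triage(before_text, after_text):
    """Run all three checks and return one dict of findings."""
    before, after = parse_hjt(before_text), parse_hjt(after_text)
    return {"storm": process_storm(before, after),
            "o16_non_web": o16_non_web(after),
            "o4_system_dir": o4_from_system_dir(after)}
```

Run `triage(LOG_BEFORE, LOG_AFTER)` to see the popuper/intmonp storm, the ms-its source and the two SYSTEM-folder autostarts reported together; a legitimate log with no changes between the two scans yields an empty storm.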
#3
Registered User
Join Date: May 2005
Posts: 6
OS: win98
Thanks for the quick response. I have temporarily stopped this from happening - I found a file msmsgs.exe that had been allowed access through my firewall, I disabled the access and the problem is now not occurring at the moment.
Thanks, Grant
#4
TSF Enthusiast
Hey grantw and thanks for your patience. This file really is part of a hijack in your computer; please wait until I give you a reply with instructions on how to act. I am sure we will solve your problem.
P.S. Your message was fine, no worries here :)
#5
TSF Enthusiast
Hello again.
Before we start fixing the problem, I will need you to check something: please go to the following dir: Quote:
Thanks.
#7
TSF Enthusiast
Hello again.
OK then, one last thing before starting the fix: I would like you to upload this file: C:\WINDOWS\SYSTEM\MSMSGS.EXE to the Kaspersky online file scanner; just copy the path into the box and click Submit. Then copy and paste the results here.
#8
Registered User
Join Date: May 2005
Posts: 6
OS: win98
Here we go:
Scanned file: MSMSGS.EXE
MSMSGS.EXE - infected by Trojan-Downloader.Win32.Zlob.l

Statistics:
Known viruses: 131210
Updated: 29-05-2005
File size (Kb): 6
Virus bodies: 1
Files: 1
Warnings: 0
Archives: 0
Suspicious: 0
#9
Manager Emeritus - Security Center, Expert Analyst, Moderator - Security Team; Rangemaster, TSF Academy & Supporter
Omerr:
I'm going to start this one...as it's a complicated hijacker. You may finish it though..if you like.

Hi and Welcome to TSF

Before attacking an adware/spyware problem with hijackthis make sure you have already run ad-aware SE with VX2 add-on cleaner, Spybot Search & Destroy (with updated database) and CWShredder as these programs will clean a lot of the crap out first. All links to programs are in my signature.

Ok..on to the log…..

If you have a highspeed connection please Run an online virus scan from TrendMicro. Please select the “autoclean” option when prompted to do so.

Go to My Computer->Tools->Folder Options->View tab and make sure that Show hidden files and folders is enabled. Also make sure that the System Files and Folders are showing/visible also.

Please make sure system restore is enabled by right clicking on My Computer and go to Properties->System Restore and check the box for Turn OFF System Restore and make sure it’s NOT checked. We want system restore ON and monitoring your current hard drive. Once you're clean we will turn this off and then create a new restore point.

Please read these instructions carefully and print them out! Be sure to follow ALL instructions!

Download this file: http://www.bleepingcomputer.com/files/reg/smitfraud.reg

Download and install CleanUp http://cleanup.stevengould.org/

Go to Start > Control Panel > Add or Remove Programs and remove the following programs, if found:
Security IGuard
Virtual Maid
Search Maid
Exit Add/Remove Programs.

*IMPORTANT* Be sure you know how to VIEW HIDDEN FILES

Press CTRL ALT DELETE to open Windows Task Manager. Click on the Processes tab and end the processes that were identified as related and any of the processes named in the list a bit further down.
C:\WINDOWS\System32\shnlog.exe
C:\WINDOWS\popuper.exe
C:\WINDOWS\System32\intmonp.exe
C:\WINDOWS\System32\intmon.exe
C:\WINDOWS\SYSTEM\CMD32.EXE

Doubleclick smitfraud.reg and confirm you want to merge it with the registry.

Download KillBox http://www.bleepingcomputer.com/file...re/KillBox.zip
Run Killbox...
*In the killbox program, select the Delete on Reboot option.
*Open the text file with these instructions in it, and copy the file names below to the clipboard by highlighting them and pressing Control-C:
C:\wp.exe
C:\wp.bmp
C:\bsw.exe
C:\Windows\sites.ini
C:\Windows\popuper.exe
C:\Windows\System32\helper.exe
C:\Windows\System32\intmonp.exe
C:\Windows\System32\msmsgs.exe
C:\Windows\System32\ole32vbs.exe
C:\Windows\system32\msole32.exe
C:\WINDOWS\System32\hp596C.tmp
C:\WINDOWS\System32\shnlog.exe
C:\WINDOWS\System32\intmon.exe
C:\WINDOWS\SYSTEM\msmsgs.exe
*Return to Killbox, go to the File menu, and choose "Paste from Clipboard".
*Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.

While your computer is restarting, tap the F8 key continually until a menu appears. Use your up arrow key to highlight Safe Mode, then hit enter.

Run HijackThis and put checkmarks in front of the following items. Close all windows except HijackThis and click Fix checked:
O4 - HKLM\..\Run: [MSN Messenger] C:\WINDOWS\SYSTEM\msmsgs.exe
O16 - DPF: {10003000-1000-0000-1000-000000000000} - ms-its:mhtml:file://C:\foo.mht!http://dl.ad-ware.cc/D4VbraANxe5w-O...m::/on-line.exe
O16 - DPF: {D6FCA8ED-4715-43DE-9BD2-2789778A5B09} (NPKCX Control) - https://www.mir3europe.com/nProtect...Crypt/npkcx.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/act...l_v1-0-3-24.cab

Delete the following folders IF you have them....
C:\Program Files\Search Maid
C:\Program Files\Virtual Maid
C:\Windows\System32\Log Files
C:\Program Files\Security IGuard

Reboot into normal mode.

Download Hoster http://www.greyknight17.com/spy/Hoster.exe
Run the program and select "Restore Hosts File"

Download DelDomains.inf
Right-click and select..... Save Target As
To use: Right-click and select....... Install (no need to restart)
**Note** This will remove all entries in the "Trusted Zone"

Now run the cleanup utility and reboot/logoff when prompted.

Once done reboot into Normal Mode and post a new HijackThis log file to confirm what was removed and if it's clean or not.

I also need you to scan this file as you did the other...C:\WINDOWS\SYSTEM\cmd32.exe
Report your findings.
__________________
We Are The BORG Spyware KILLER and Adware Destroyer!
Spyware/Adware Removal Tools: Hijackthis, Ad-aware SE, Spybot Search&Destroy, SpywareBlaster, CWShredder
#10
Registered User
Join Date: May 2005
Posts: 6
OS: win98
Thanks for the clear instructions. The only thing that happened that differed was that I didn't get the 'Click "No" at the Pending Operations prompt' from killbox.
Here is my new HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 11:02:24, on 30/05/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\ATI2EVXX.EXE
C:\WINDOWS\SYSTEM\PGPSDKSERV.EXE
C:\PROGRAM FILES\NETWORK ASSOCIATES\PGP FOR WINDOWS 98\PGPSERVICE.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\ATIPTAXX.EXE
C:\WINDOWS\SYSTEM\CMD32.EXE
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\OSA.EXE
C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
C:\PROGRAM FILES\NETWORK ASSOCIATES\PGP FOR WINDOWS 98\PGPTRAY.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\FINDFAST.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\ZONELABS\ISAFE.EXE
C:\HIJACKTHIS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
O4 - HKLM\..\Run: [ControlPanel] C:\WINDOWS\SYSTEM\cmd32.exe internat.dll,LoadKeyboardProfile
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [ATIPOLL] ati2evxx.exe
O4 - HKLM\..\RunServices: [PGPSDKSVC] C:\WINDOWS\SYSTEM\PGPsdkServ.exe
O4 - HKLM\..\RunServices: [PGPSERVICE] C:\Program Files\Network Associates\PGP for Windows 98\PGPservice.exe
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O4 - Startup: PGPtray.lnk = C:\Program Files\Network Associates\PGP for Windows 98\PGPtray.exe
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsearch.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsimilar.html
O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmtrans.html

Also scanned that other file as requested; if I remember correctly this file is picked up by my AV but it seems to come back after being 'treated':

Scanned file: cmd32.exe
cmd32.exe - infected by Trojan-Downloader.Win32.Delf.cb

Statistics:
Known viruses: 131283
Updated: 30-05-2005
File size (Kb): 8
Virus bodies: 1
Files: 1
Warnings: 0
Archives: 0
Suspicious: 0

Thanks for your help, Grant
#11
Manager Emeritus - Security Center, Expert Analyst, Moderator - Security Team; Rangemaster, TSF Academy & Supporter
Grant:
Yea..I thought it was bad...but wanted to confirm before removing it.

Reboot into Safe Mode (hit F8 key until menu shows up). Make sure to close any open browsers.

Go into HijackThis->Config->Misc. Tools->Open process manager. Select the following and click Kill process for each one if they are still listed (they shouldn't be but make sure)
C:\WINDOWS\SYSTEM\CMD32.EXE

Check and fix the following in HijackThis if they still exist (make sure you do not miss an entry)
O4 - HKLM\..\Run: [ControlPanel] C:\WINDOWS\SYSTEM\cmd32.exe internat.dll,LoadKeyboardProfile

Run KILL box. Paste the following locations into KILL BOX one at a time. Checkmark the box that says "Delete on Reboot" and checkmark the box "Unregister DLL" (If available). Click the RED X and it will ask you to confirm the file for deletion…say YES and when the next box opens prompting you to reboot now...click YES
C:\WINDOWS\SYSTEM\cmd32.exe

Once rebooted..post another hijackthis log.
#12
Registered User
Join Date: May 2005
Posts: 6
OS: win98
I did as suggested and then ran a new HijackThis log which looked like everything was OK. Before I got a chance to post the log I got called away on business and will not be back at the problem PC for some time.
Please assume this issue is fixed and many many thanks for all your help. cheers, grant
#13
Manager Emeritus - Security Center, Expert Analyst, Moderator - Security Team; Rangemaster, TSF Academy & Supporter
Ok Grant...Moving this to resolved...
Please read through the spyware prevention section on how to protect yourself from spyware/adware Here and use the recommended programs and methods to protect yourself!