
Registered · 9 Posts · Discussion Starter #1
I have dialup and keep getting disconnected. It seems like it happens mostly when I am playing chess using yahoo games but that may just be coincidental. I think I got a virus because somehow porn links got put on my desktop at about the same time the disconnects started happening. It also changed some of my old dialers to an overseas number but didn't have the correct username/password.

I searched the internet and I'm pretty sure it's Troj/Hogil-H ( http://www.sophos.com/virusinfo/analyses/trojhogilh.html ). So far I've run Adaware, Spybot, and Spysweeper and deleted various spyware entries. I also downloaded Avast A/V and scanned but that didn't help either.

Sorry about the long story but that's what I've done so far. Here is my log from Hijack This. It would be greatly appreciated if you could help me fix this. Thank you.




Logfile of HijackThis v1.99.1
Scan saved at 11:43:35 PM, on 9/23/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\LOADQM.EXE
C:\WINDOWS\RunDLL.exe
C:\WINDOWS\SYSTEM\LEXBCES.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\LEXPPS.EXE
C:\PROGRAM FILES\ISP.COM INTERNET SERVICES\DIALER.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\PROGRAM FILES\MICROSOFT MONEY\SYSTEM\URLMAP.EXE
C:\PROGRAM FILES\HIJACK THIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.isp.com/members/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.isp.com/members/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.isp.com/members/
N1 - Netscape 4: user_pref("browser.startup.homepage", "http://home.netscape.com/"); (C:\Program Files\Netscape\Users\default\prefs.js)
N2 - Netscape 6: user_pref("browser.startup.homepage", "http://home.netscape.com/"); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\82r56otd.slt\prefs.js)
N2 - Netscape 6: user_pref("browser.search.defaultengine", "http://www.google.com/"); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\82r56otd.slt\prefs.js)
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_3_12_0.DLL
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_3_12_0.DLL
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [LexStart] Lexstart.exe
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - Startup: winamp.lnk = C:\Program Files\Winamp\winamp.exe
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v43/yacscom.cab
O16 - DPF: Yahoo! Chess - http://download.games.yahoo.com/games/clients/y/ct2_x.cab
O16 - DPF: {4C226336-4032-489F-9674-67E74225979B} - http://otx.ifilm.com/OTXMedia/OTXMedia.dll
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst0401.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/download/ipixx.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
 

Bearded Tech Monkey · 1,058 Posts
Hi Sean34993.

If you still need help please post a fresh HijackThis log & someone will be by to help you.

Also please keep in mind, that if you do have a porn dialer, you may want to consider unplugging the modem cable when it's not in use. That way you won't accrue long distance charges if it tries to dial out.
 

Registered · 9 Posts · Discussion Starter #3
Renewed log

I apologize for the older log and thanks for the tip on unplugging the modem. Here is a log that I just ran a few minutes ago. Again thank you for your help.


Logfile of HijackThis v1.99.1
Scan saved at 11:26:27 PM, on 9/29/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\LOADQM.EXE
C:\WINDOWS\RunDLL.exe
C:\WINDOWS\SYSTEM\LEXBCES.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\LEXPPS.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\MICROSOFT MONEY\SYSTEM\URLMAP.EXE
C:\PROGRAM FILES\HIJACK THIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.isp.com/members/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.isp.com/members/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.isp.com/members/
N1 - Netscape 4: user_pref("browser.startup.homepage", "http://home.netscape.com/"); (C:\Program Files\Netscape\Users\default\prefs.js)
N2 - Netscape 6: user_pref("browser.startup.homepage", "http://home.netscape.com/"); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\82r56otd.slt\prefs.js)
N2 - Netscape 6: user_pref("browser.search.defaultengine", "http://www.google.com/"); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\82r56otd.slt\prefs.js)
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_3_12_0.DLL
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_3_12_0.DLL
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [LexStart] Lexstart.exe
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - Startup: winamp.lnk = C:\Program Files\Winamp\winamp.exe
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v43/yacscom.cab
O16 - DPF: Yahoo! Chess - http://download.games.yahoo.com/games/clients/y/ct2_x.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst0401.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/download/ipixx.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
 

Bearded Tech Monkey · 1,058 Posts
Hi Sean. Your HJT log is clean, but let's run a few scans to make sure you haven't picked up anything else. Please run the following:



Perform an online scan with Internet Explorer with Kaspersky WebScanner

Next Click on Launch Kaspersky Anti-Virus Web Scanner

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files, (This may take a while on dialup):
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    • Standard
    • Scan Options:
    • Scan Archives
    • Scan Mail Bases
  • Click OK
  • Now under select a target to scan:
    • Select My Computer
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
Take note the names and locations of any file it detects but fails to clean.

* Turn off the real time scanner of any existing antivirus program while performing the online scan


If Kaspersky doesn't find anything...
Please do an online scan at Panda ActiveScan
This is an 8MB download, which is why I'm having you run it only if Kaspersky comes up negative.
  1. Click on the Scan your PC button & a 'pop up' window shall appear. * ensure that your pop up blocker doesn't block it
  2. Click On 'Next'
  3. Enter your e-mail address & click 'Send'. This begins downloading Panda's ActiveX controls (8MB).
  4. In the next window, checkmark the following:
    • Disinfect automatically
    • Scan compressed files
    • Scan e-mail files
    • Detect unknown viruses (heuristic)
    • Detect spyware
  5. Begin the scan by selecting All My Computer
    * You needn't remain online while it's doing the scan but you have to re-connect after it has finished to see the report.
  6. If it finds any malware, it will offer you a report. Click on see report
  7. Then click Save report

Finally, please go to this site, and configure AdAware & Spybot according to the directions found there. Please perform a new scan with each & list any entries they weren't able to remove in your next reply.

In your next reply please post the contents of the Kaspersky Scan, and Panda (if Kaspersky was negative); as well as anything AdAware & Spybot may have caught, but couldn't clean.

Thanks,

RM
 

Registered · 9 Posts · Discussion Starter #5
I ran Kaspersky and also re-ran Ad-Aware and Spybot with the settings that were suggested. Neither Ad-Aware nor Spybot found anything that couldn't be fixed. Here are the results of the Kaspersky scan:



-------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Thursday, October 06, 2005 04:39:34
Operating System: Microsoft Windows Millennium Edition
Kaspersky On-line Scanner version: 5.0.67.0
Kaspersky Anti-Virus database last update: 6/10/2005
Kaspersky Anti-Virus database records: 143448
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
a:\
c:\
d:\

Scan Statistics:
Total number of scanned objects: 25125
Number of viruses found: 3
Number of infected objects: 6
Number of suspicious objects: 0
Duration of the scan process: 5180 sec

Infected Object Name - Virus Name
c:\_RESTORE\ARCHIVE\FS323.CAB/A0012635.CPY Infected: Trojan-Downloader.Win32.Mediket.bc
c:\_RESTORE\ARCHIVE\FS323.CAB Infected: Trojan-Downloader.Win32.Mediket.bc
c:\_RESTORE\ARCHIVE\FS350.CAB/A0015996.CPY Infected: Trojan.Win32.Dialer.eb
c:\_RESTORE\ARCHIVE\FS350.CAB/A0015997.CPY Infected: Trojan.Win32.Dialer.eb
c:\_RESTORE\ARCHIVE\FS350.CAB Infected: Trojan.Win32.Dialer.eb
c:\Program Files\Netscape\Users\default\Cache\MVAAP1PI.HTM Infected: Trojan.JS.NoClose.c

Scan process completed.
 

Bearded Tech Monkey · 1,058 Posts
Please download & install CleanUp!.

Run Cleanup! & configure the program as follows:
  1. Click Options...
  2. Move the arrow down to Custom CleanUp!
  3. Put a check next to the following:
    • Empty Recycle Bins
    • Delete Cookies
    • Delete Prefetch files
    • [X]Scan local drives for temporary files (Please uncheck this option)
    • Cleanup! All Users
  4. Click OK
  5. Press the CleanUp! button to start the program. Reboot/logoff when prompted.
* CleanUp! will delete all the files in your temp folders without making a backup!

===============================================================

We need to purge your infected restore points. To do that, complete the following:
  1. Go to Start->Settings->Control Panel and double-click on the System icon.
  2. On the Performance tab click File System.
  3. Click the Troubleshooting tab
  4. Check 'Disable System Restore'.
  5. Click OK.
  6. Click Yes when you are prompted to restart Windows.
    • You may re-enable System Restore again by following the same steps as above, except you should uncheck 'Disable System Restore'.
===============================================================

Please run another scan with Kaspersky & post the log here.
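The triage in this reply rests on where each detection sits: in the first report, every object except one lives in the Windows ME System Restore archive (c:\_RESTORE\...), which a scanner cannot clean in place, so the fix is to purge the restore points; the remaining object is a cached Netscape page, handled by clearing the cache. The Python below is an added example, not anything posted in this thread: it parses the detection lines from the two Kaspersky reports as posted, cross-checks the count against the report's own statistics, classifies each object by location, and shows which detection survives into the second report. The location classes and remediation strings are my own labels, not Kaspersky's.

```python
import re
# Sample input: statistics and detection lines copied from the two Kaspersky
# On-Line Scanner reports posted in this thread (6 and 7 October 2005).
REPORT_BEFORE = r"""
Number of infected objects: 6

Infected Object Name - Virus Name
c:\_RESTORE\ARCHIVE\FS323.CAB/A0012635.CPY Infected: Trojan-Downloader.Win32.Mediket.bc
c:\_RESTORE\ARCHIVE\FS323.CAB Infected: Trojan-Downloader.Win32.Mediket.bc
c:\_RESTORE\ARCHIVE\FS350.CAB/A0015996.CPY Infected: Trojan.Win32.Dialer.eb
c:\_RESTORE\ARCHIVE\FS350.CAB/A0015997.CPY Infected: Trojan.Win32.Dialer.eb
c:\_RESTORE\ARCHIVE\FS350.CAB Infected: Trojan.Win32.Dialer.eb
c:\Program Files\Netscape\Users\default\Cache\MVAAP1PI.HTM Infected: Trojan.JS.NoClose.c
"""
REPORT_AFTER = r"""
Number of infected objects: 1

Infected Object Name - Virus Name
c:\Program Files\Netscape\Users\default\Cache\MVAAP1PI.HTM Infected: Trojan.JS.NoClose.c
"""
DETECTION = re.compile(r"^(?P<obj>.+?) Infected: (?P<name>\S+)$")
DECLARED = re.compile(r"^Number of infected objects: (\d+)$", re.M)

def parse_report(text):
    """Return [(object_path, detection_name)] for every detection line."""
    hits = [(m.group("obj"), m.group("name"))
            for m in map(DETECTION.match, text.splitlines()) if m]
    declared = int(DECLARED.search(text).group(1))
    if len(hits) != declared:  # a truncated paste shows up here
        raise ValueError(f"report declares {declared} objects, parsed {len(hits)}")
    return hits

def classify(obj):
    """Map a detected object to where it lives and the matching remediation."""
    p = obj.lower()
    if p.startswith("c:\\_restore\\"):  # Win9x/ME System Restore archive
        return "restore_point", "disable System Restore to purge the restore points"
    if "\\cache\\" in p:                 # cached copy of a web page
        return "browser_cache", "clear the browser cache, then empty the Recycle Bin"
    return "live_file", "clean or delete with the antivirus product"

def remediation_plan(report_text):
    plan = {}  # location class -> set of detection names found there
    for obj, name in parse_report(report_text):
        plan.setdefault(classify(obj)[0], set()).add(name)
    return {loc: sorted(names) for loc, names in plan.items()}

def remaining(before_text, after_text):
    """Detections from the first report that are still present in the follow-up."""
    after = set(parse_report(after_text))
    return [hit for hit in parse_report(before_text) if hit in after]
```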
 

Registered · 9 Posts · Discussion Starter #7
Alright, I've run CleanUp, shut off System Restore and run the Kaspersky scan again, and here are the results:

-------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Friday, October 07, 2005 04:01:50
Operating System: Microsoft Windows Millennium Edition
Kaspersky On-line Scanner version: 5.0.67.0
Kaspersky Anti-Virus database last update: 7/10/2005
Kaspersky Anti-Virus database records: 143556
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
a:\
c:\
d:\

Scan Statistics:
Total number of scanned objects: 16171
Number of viruses found: 1
Number of infected objects: 1
Number of suspicious objects: 0
Duration of the scan process: 3737 sec

Infected Object Name - Virus Name
c:\Program Files\Netscape\Users\default\Cache\MVAAP1PI.HTM Infected: Trojan.JS.NoClose.c

Scan process completed.
 

Registered · 9 Posts · Discussion Starter #8
Another thing, after I used cleanup and turned off sys restore and everything I went online and still got disconnected after about 40 min.
 

Bearded Tech Monkey · 1,058 Posts
Sean,

In regards to the modem kicking you off: at this point it doesn't appear malware related. So let's get you a clean bill of health first, and then have the folks at either the modems (hardware) or networking forum take a look.

Next, it doesn't look like CleanUp! got your Netscape cache, so let's do it manually.
If you are using Netscape 8, please follow these directions. If you are using another version, let me know & I'll post those instructions.
  1. Open Netscape
  2. Click the "Tools" button
  3. Click "Privacy" under the Options tree on the left side of the screen.
  4. Click "Cache"
  5. Click "Clear Cache"
  6. Click "Clear"
  7. Click "OK"
Be sure to either empty the Recycle Bin, or run CleanUp! once more.

Please run another Kaspersky scan & post the log here to make sure we got the last entry.
 