Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

hjt log-daddan55


  • Please log in to reply
11 replies to this topic

#1 daddan55

daddan55

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:05:58 AM

Posted 11 February 2005 - 06:01 AM

heres my logLogfile of HijackThis v1.99.0
Scan saved at 5:46:39 AM, on 2/11/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMKEYBD.EXE
C:\WINDOWS\SYSTEM\HPSYSDRV.EXE
C:\PROGRAM FILES\MOTIVE\MOTMON.EXE
C:\WINDOWS\MCBIN\AV\RT\MGAVRTCL.EXE
C:\WINDOWS\OPTIONS\CABS\LOGITECH\HP_FINDER.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\LXSUPMON.EXE
C:\WINDOWS\SYSTEM\PRINTRAY.EXE
C:\WINDOWS\SYSTEM\LEXBCES.EXE
C:\WINDOWS\WT\WCMDMGR.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\RunDLL.exe
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\PROGRAM FILES\MTDS WEB ACCELERATOR\WEB_ACCEL.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\KEYBDMGR.EXE
C:\WINDOWS\MCBIN\AV\RT\MGAVRTE.EXE
C:\PROGRAM FILES\NETROPA\ONSCREEN DISPLAY\OSD.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMUSBKB2.EXE
C:\WINDOWS\WUAUCLT.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\SYSTEM\WINUPDT.EXE
C:\PROGRAM FILES\BACKWEB\BACKWEB\PROGRAM\BACKWEB.EXE
C:\WINDOWS\SYSTEM\MSASVR.EXE
C:\WINDOWS\SYSTEM\MSECIRT.EXE
C:\PROGRAM FILES\CXTPLS\CXTPLS.EXE
C:\PROGRAM FILES\AUTOUPDATE\AUTOUPDATE.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\RNATHCHK.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\HJT\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5403
O2 - BHO: BrowserHelper Class - {EBCDDA60-2A68-11D3-8A43-0060083CFB9C} - C:\WINDOWS\SYSTEM\NZDD.DLL
O2 - BHO: PBlockHelper Class - {4115122B-85FF-4DD3-9515-F075BEDE5EB5} - C:\PROGRAM FILES\MTDS WEB ACCELERATOR\PBHELPER.DLL
O2 - BHO: (no name) - {016235BE-59D4-4CEB-ADD5-E2378282A1D9} - C:\PROGRAM FILES\CXTPLS\CXTPLS.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Keyboard Manager] C:\Program Files\Netropa\One-touch Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [Delay] C:\WINDOWS\delayrun.exe
O4 - HKLM\..\Run: [MotiveMonitor] C:\Program Files\Motive\motmon.exe
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [mgavrtclexe] C:\WINDOWS\MCBin\AV\Rt\mgavrtcl.exe
O4 - HKLM\..\Run: [HPLogiFinder] \WINDOWS\OPTIONS\CABS\LOGITECH\HP_FINDER.EXE
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\SYSTEM\LXSUPMON.EXE RUN
O4 - HKLM\..\Run: [LexStart] Lexstart.exe
O4 - HKLM\..\Run: [LexmarkPrinTray] PrinTray.exe
O4 - HKLM\..\Run: [wcmdmgr] C:\WINDOWS\wt\wcmdmgrl.exe -launch
O4 - HKLM\..\Run: [stcloader] C:\WINDOWS\SYSTEM\stcloader.exe
O4 - HKLM\..\Run: [winupdtl] C:\WINDOWS\SYSTEM\winupdtl.exe
O4 - HKLM\..\Run: [AutoLoaderAproposClient] "C:\WINDOWS\SYSTEM\CACHE\CXTPLS_LOADER.EXE" /HideUninstall /HideDir /PC=CP.FHB /ShowLegalNote=nonbranded
O4 - HKLM\..\Run: [o97R37R] MSECIRT.EXE
O4 - HKLM\..\Run: [AutoUpdater] "c:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [mgavrtclexe] C:\WINDOWS\MCBin\AV\Rt\mgavrte.exe
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [Zyo5RXdnU] MSASVR.EXE
O4 - Startup: MTDS Web Accelerator.lnk = C:\Program Files\MTDS Web Accelerator\web_accel.exe
O8 - Extra context menu item: Show Original Image - res://C:\PROGRAM FILES\MTDS WEB ACCELERATOR\WEB_ACCEL.EXE/227
O8 - Extra context menu item: Show All Original Images - res://C:\PROGRAM FILES\MTDS WEB ACCELERATOR\WEB_ACCEL.EXE/250
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O9 - Extra button: AOL Instant Messenger (SM) - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM95\AIM.EXE
O14 - IERESET.INF: START_PAGE_URL=http://www.mtdata.net
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...322/mcfscan.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab

BC AdBot (Login to Remove)

 


m

#2 daveai

daveai

  • Members
  • 266 posts
  • OFFLINE
  •  
  • Local time:03:58 AM

Posted 11 February 2005 - 08:20 PM

Your logfile is being analyzed now, and a response will be posted shortly.

Thanks
daveai
"Applying computer technology is simply finding the right wrench to pound in the correct screw." Anonymous

#3 daveai

daveai

  • Members
  • 266 posts
  • OFFLINE
  •  
  • Local time:03:58 AM

Posted 11 February 2005 - 09:40 PM

Thanks for sending your HijackThis log.

I need for you to explain how you are using proxy server. This entry is new to me:

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5403

Do you know it to be good and legitimate?


Since you will not be able to access this page in safe mode during this fix, please print these instructions now, or save them to your desktop, to help keep track of the steps.


To start, follow this link for instructions to enable 'show all files' for your system.


1 -- After checking yourself against the following instructions, run AdAware and Spybot Search and Destroy:

Please see How to use Ad-Aware to remove Spyware for instructions on how to download, install and then use this software.

Please see How to use Spybot to remove Spyware for instructions on how to download, install and then use this software, which may catch things that Ad-Aware misses.

Please let me know if anything can not be cleaned by these utilities.


2 -- Next, use Control Panel > Add/Remove Programs to remove any of the following malware that you find:

CtxPls
POP!



3 -- Run HijackThis, and press Scan, and put a check against the following entries, if they still show up. Make sure all browsers and program windows are closed except for HijackThis.

O2 - BHO: (no name) - {016235BE-59D4-4CEB-ADD5-E2378282A1D9} - C:\PROGRAM FILES\CXTPLS\CXTPLS.DLL

O4 - HKLM\..\Run: [stcloader] C:\WINDOWS\SYSTEM\stcloader.exe

O4 - HKLM\..\Run: [winupdtl] C:\WINDOWS\SYSTEM\winupdtl.exe

O4 - HKLM\..\Run: [AutoLoaderAproposClient] "C:\WINDOWS\SYSTEM\CACHE\CXTPLS_LOADER.EXE"
/HideUninstall /HideDir /PC=CP.FHB /ShowLegalNote=nonbranded

O4 - HKLM\..\Run: [o97R37R] MSECIRT.EXE

O4 - HKLM\..\Run: [AutoUpdater] "c:\Program Files\AutoUpdate\AutoUpdate.exe"

O4 - HKCU\..\Run: [Zyo5RXdnU] MSASVR.EXE

And, this is an optional item you may choose to fix:

Application Scheduler is installed along with RealOne Player and is running in startup, and is not needed. Once installed, it runs independently of RealOne Player and consumes resources. You can fix this with HJT, but you will also need to set it not to load in RealPlayer itself to keep it from resetting itself: (1) Start RealOne Player (2) Tools -> Preferences (3) Automatic services in the Categories pane (4) Uncheck all options and then OK

It's also a good idea to rename realsched.exe itself to prevent this from re-installing.

This is the item to fix in HJT:
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot

Once you have selected all the items for HJT to fix, and remember to make sure all browsers and program windows are closed except for HijackThis, then click fix checked.


4 -- Reboot into Safe Mode (How do I boot into "Safe" mode?), then use Windows Explorer to delete the following lists of program files and folders, if they still exist.


C:\WINDOWS\SYSTEM\stcloader.exe <-- this file

C:\WINDOWS\SYSTEM\winupdtl.exe <-- this file

C:\WINDOWS\SYSTEM\MSECIRT.EXE <-- this file

C:\WINDOWS\SYSTEM\MSASVR.EXE <-- this file

C:\WINDOWS\SYSTEM\CACHE\CXTPLS_LOADER.EXE <-- this file


C:\PROGRAM FILES\CXTPLS\ <-- this folder

c:\Program Files\AutoUpdate\ <-- this folder

Please let me know about any problems with the file/folder deletes.


5 -- Next, clean out all the temporary files and cookies on your system. Go to Start > Run and enter: cleanmgr. Let it scan your system for files to remove. Check these three boxes and then press ok to remove: Temporary Files, Temporary Internet Files, Recycle Bin.

Also, go to Start > Find/search > Files or folders > in the named box, type: *.tmp and choose Edit > select all -> File > delete.

Please let me know about any problems with the temp file deletes.

Note: If you cannot delete them all at once because you have too many, then click and hold ctrl and highlight a batch of them at a time. Once highlighted, R-click over the highlight and select delete. Rinse, lather, repeat until folder is empty


6 -- Now, reboot normally and run at least two of these online virus scans (Or more if you wish.), reboot after each scan:

RAV<<<Add a check by 'Autoclean', leave everything else as is.

eTrust<<<'Cure' whatever is found, then delete if unsuccessful

Housecall<<<Put on 'Autoclean' and delete what it can't clean.

Panda ActiveScan<<<Accept default settings

If the above find things to clean, please re-run them to be sure the infections are cleared out. If not, please tell me what remains.


Now, reboot once again, and run HijackThis to create a new logfile. Repost it here, and if you had any problems with the steps outlined above, please let us know what they were. Your response and the new logfile will determine the next steps for this fix.

Thanks
daveai
"Applying computer technology is simply finding the right wrench to pound in the correct screw." Anonymous

#4 daveai

daveai

  • Members
  • 266 posts
  • OFFLINE
  •  
  • Local time:03:58 AM

Posted 12 February 2005 - 02:16 PM

It's me again.

Please be sure to use the Add Reply button when communicating with me.

Please do not use the New Topic button.

This will ensure we stay inthe same problem thread, and will reduce the burden on our forum staff.

I'll look forward to your next reply.

Thanks
daveai
"Applying computer technology is simply finding the right wrench to pound in the correct screw." Anonymous

#5 daddan55

daddan55
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:05:58 AM

Posted 12 February 2005 - 06:28 PM

Hi Dave,
once again, thanks for you're help. the 127.0.0.1 I believe is part of the web accelerator service that my isp is using. I BELIEVE it to be o.k., but hey.......... I'm here asking for help so..........(ha-ha)I ran ad-aware, panda, spybot, and cleaned everything to my best ability, (which ain't much), and heres my new log:Logfile of HijackThis v1.99.0
Scan saved at 6:14:31 PM, on 2/12/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMKEYBD.EXE
C:\WINDOWS\SYSTEM\HPSYSDRV.EXE
C:\PROGRAM FILES\MOTIVE\MOTMON.EXE
C:\WINDOWS\MCBIN\AV\RT\MGAVRTCL.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\WINDOWS\SYSTEM\LXSUPMON.EXE
C:\WINDOWS\SYSTEM\PRINTRAY.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\RNATHCHK.EXE
C:\WINDOWS\RunDLL.exe
C:\WINDOWS\WT\WCMDMGR.EXE
C:\PROGRAM FILES\MTDS WEB ACCELERATOR\WEB_ACCEL.EXE
C:\WINDOWS\SYSTEM\LEXBCES.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\KEYBDMGR.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\MCBIN\AV\RT\MGAVRTE.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\PROGRAM FILES\NETROPA\ONSCREEN DISPLAY\OSD.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMUSBKB2.EXE
C:\WINDOWS\WUAUCLT.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\PROGRAM FILES\BACKWEB\BACKWEB\PROGRAM\BACKWEB.EXE
C:\HJT\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5404
O2 - BHO: BrowserHelper Class - {EBCDDA60-2A68-11D3-8A43-0060083CFB9C} - C:\WINDOWS\SYSTEM\NZDD.DLL
O2 - BHO: PBlockHelper Class - {4115122B-85FF-4DD3-9515-F075BEDE5EB5} - C:\PROGRAM FILES\MTDS WEB ACCELERATOR\PBHELPER.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Keyboard Manager] C:\Program Files\Netropa\One-touch Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [Delay] C:\WINDOWS\delayrun.exe
O4 - HKLM\..\Run: [MotiveMonitor] C:\Program Files\Motive\motmon.exe
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [mgavrtclexe] C:\WINDOWS\MCBin\AV\Rt\mgavrtcl.exe
O4 - HKLM\..\Run: [HPLogiFinder] \WINDOWS\OPTIONS\CABS\LOGITECH\HP_FINDER.EXE
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\SYSTEM\LXSUPMON.EXE RUN
O4 - HKLM\..\Run: [LexStart] Lexstart.exe
O4 - HKLM\..\Run: [LexmarkPrinTray] PrinTray.exe
O4 - HKLM\..\Run: [wcmdmgr] C:\WINDOWS\wt\wcmdmgrl.exe -launch
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [mgavrtclexe] C:\WINDOWS\MCBin\AV\Rt\mgavrte.exe
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\RunServices: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - HKCU\..\RunServices: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\RunServices: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - Startup: MTDS Web Accelerator.lnk = C:\Program Files\MTDS Web Accelerator\web_accel.exe
O8 - Extra context menu item: Show Original Image - res://C:\PROGRAM FILES\MTDS WEB ACCELERATOR\WEB_ACCEL.EXE/227
O8 - Extra context menu item: Show All Original Images - res://C:\PROGRAM FILES\MTDS WEB ACCELERATOR\WEB_ACCEL.EXE/250
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O9 - Extra button: AOL Instant Messenger (SM) - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM95\AIM.EXE
O14 - IERESET.INF: START_PAGE_URL=http://www.mtdata.net
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...322/mcfscan.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab

#6 daveai

daveai

  • Members
  • 266 posts
  • OFFLINE
  •  
  • Local time:03:58 AM

Posted 12 February 2005 - 06:48 PM

Thanks.

I appreciate the update on the proxy service.


Okay...next up is to add some protections to your computer system. What you are currently running will not prevent re-infection...as you already know :thumbsup:

Once you complete the following steps, please send me a fresh HijackThis log for review.


These are general prevention steps to keep one's computer clean and secure.

These steps are not optional, unless you want a guaranteed re-infection, so be sure to take the actions listed.

1 -- Use a resident AntiVirus Software, and be sure you update your anti-virus software at least once a week. There are several very good free programs available. Grinler offers an outstanding overview at Virus, Spyware, and Malware Protection and Removal Resources

I notice you are currently using only an on-line AV from McAfee. You should implement a resident, real-time scanner. Both AVG and AVAST are free and well thought of in the anti-malware community

2 -- To reduce re-infection potential for malware in the future, I strongly recommend installing three free programs: SpywareBlaster, SpywareGuard, and IE/Spyad.

3 -- Use AdAware SE and Spybot S&D to regularly to scan your system.

4 -- Continue to make sure that both Internet Explorer and Windows are kept current with the latest critical security patches from Microsoft. To do this just start Internet Explorer and select Tools > Windows Update, and follow the online instructions from there.

5 -- I strongly recommend that you consider using a Firewall. Just by using a Firewall in its default configuration can lower your risk greatly. Check out what Lawrence Abrams has to say at Understanding and Using Firewalls

An excellent overview is: So how did I get infected in the first place?. Be sure to visit the browser test link at the end of the article to really see how secure your system is!!

Thanks
daveai
"Applying computer technology is simply finding the right wrench to pound in the correct screw." Anonymous

#7 daddan55

daddan55
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:05:58 AM

Posted 13 February 2005 - 10:35 AM

Hi, Me again.
Well....... I've downloaded all I was instructed, with the exception of a firewall, which i'm looking at now. Everything seems to be great. tried Jason's test, passed with flying colors. Pop-ups beware!. so anyway, heres my latest HJT log:Logfile of HijackThis v1.99.0
Scan saved at 10:36:43 AM, on 2/13/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMKEYBD.EXE
C:\WINDOWS\SYSTEM\HPSYSDRV.EXE
C:\PROGRAM FILES\MOTIVE\MOTMON.EXE
C:\WINDOWS\MCBIN\AV\RT\MGAVRTCL.EXE
C:\WINDOWS\OPTIONS\CABS\LOGITECH\HP_FINDER.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\WINDOWS\SYSTEM\LXSUPMON.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\PRINTRAY.EXE
C:\WINDOWS\SYSTEM\LEXBCES.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\WT\WCMDMGR.EXE
C:\WINDOWS\RunDLL.exe
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\RNATHCHK.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\PROGRAM FILES\MTDS WEB ACCELERATOR\WEB_ACCEL.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\KEYBDMGR.EXE
C:\PROGRAM FILES\NETROPA\ONSCREEN DISPLAY\OSD.EXE
C:\WINDOWS\MCBIN\AV\RT\MGAVRTE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMUSBKB2.EXE
C:\WINDOWS\WUAUCLT.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\BACKWEB\BACKWEB\PROGRAM\BACKWEB.EXE
C:\HJT\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5404
O2 - BHO: BrowserHelper Class - {EBCDDA60-2A68-11D3-8A43-0060083CFB9C} - C:\WINDOWS\SYSTEM\NZDD.DLL
O2 - BHO: PBlockHelper Class - {4115122B-85FF-4DD3-9515-F075BEDE5EB5} - C:\PROGRAM FILES\MTDS WEB ACCELERATOR\PBHELPER.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Keyboard Manager] C:\Program Files\Netropa\One-touch Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [Delay] C:\WINDOWS\delayrun.exe
O4 - HKLM\..\Run: [MotiveMonitor] C:\Program Files\Motive\motmon.exe
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [mgavrtclexe] C:\WINDOWS\MCBin\AV\Rt\mgavrtcl.exe
O4 - HKLM\..\Run: [HPLogiFinder] \WINDOWS\OPTIONS\CABS\LOGITECH\HP_FINDER.EXE
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\SYSTEM\LXSUPMON.EXE RUN
O4 - HKLM\..\Run: [LexStart] Lexstart.exe
O4 - HKLM\..\Run: [LexmarkPrinTray] PrinTray.exe
O4 - HKLM\..\Run: [wcmdmgr] C:\WINDOWS\wt\wcmdmgrl.exe -launch
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [mgavrtclexe] C:\WINDOWS\MCBin\AV\Rt\mgavrte.exe
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - Startup: MTDS Web Accelerator.lnk = C:\Program Files\MTDS Web Accelerator\web_accel.exe
O8 - Extra context menu item: Show Original Image - res://C:\PROGRAM FILES\MTDS WEB ACCELERATOR\WEB_ACCEL.EXE/227
O8 - Extra context menu item: Show All Original Images - res://C:\PROGRAM FILES\MTDS WEB ACCELERATOR\WEB_ACCEL.EXE/250
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O9 - Extra button: AOL Instant Messenger (SM) - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM95\AIM.EXE
O14 - IERESET.INF: START_PAGE_URL=http://www.mtdata.net
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...322/mcfscan.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab

#8 daveai

daveai

  • Members
  • 266 posts
  • OFFLINE
  •  
  • Local time:03:58 AM

Posted 13 February 2005 - 12:35 PM

Okay...thanks for the update.

I don't see SpywareGuard running, and strongly recommend that you have it run automatically at start up. It's function is to watch over your registry and block any attempts to change it until you explicity approve them. This is very important, since the bleep you have been picking up out on the internet almost always want to change the registry to install itself. If you would rather, Spybot's TeaTimer does the same thing as SpywareGuard.

Also, be sure to use the 'Immunize' function in Spybot, and the 'enable all protections' in SpyWare Blaster, since these will set your system up to not install many many known infections in the first place.

And IE-Spyad will add a great number of known bad sites to your IE restricted zones, and will effectively 'neuter' them should you get hijacked to one, or accidently surf to one.

All three of these options take up almost zero resources on your system.

Finally, I strongly recommend you consider a resident anti-virus. Periodic on-line scans are good diagnostic tools, but are not adequate real-time protection.

Enough sermonizing. :thumbsup: Although we hope to see you better protected, it is ultimately your choice. You've been infected twice now, so you know what's at stake here.

If you have any questions at all about taking the above steps, I'd be happy to answer them.

The HJT log is clean and free of malware. Nice work on the fix :flowers:

Thanks for visisting Bleeping Computer.
daveai
"Applying computer technology is simply finding the right wrench to pound in the correct screw." Anonymous

#9 daddan55

daddan55
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:05:58 AM

Posted 19 February 2005 - 03:44 PM

Hi again,
Thanks for reminding me to enable spywareguard. I overlooked that. I noticed the protection right away. They all caught a potential browser hi-jack, and TOLD me! I had never used these utilities before, and I'm impressed. Thanks again, and I'll make sure to send some kind of donation

#10 daveai

daveai

  • Members
  • 266 posts
  • OFFLINE
  •  
  • Local time:03:58 AM

Posted 19 February 2005 - 06:41 PM

You are very welcome. It's a pleasure to help.

Thanks for visiting BleepingComputer.
daveai
"Applying computer technology is simply finding the right wrench to pound in the correct screw." Anonymous

#11 daddan55

daddan55
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:05:58 AM

Posted 20 February 2005 - 09:16 PM

Hello'
Just when I thought I had everything protected, a dialer, I think, had downloaded, and changed the number to my dial-up connection. I think I removed it, used system restore back to the 19th. It now has the correct #, but I had dialed the connection without knowing, hence my problem. I think I'm going to get hit w/a phone bill for this. Please tell me what to do in this instance. Do I have to pay this bill if it comes, or is there a way out? heres my HJT logLogfile of HijackThis v1.99.0
Scan saved at 9:23:15 PM, on 2/20/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\SYSTEM\LEXBCES.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMKEYBD.EXE
C:\WINDOWS\SYSTEM\HPSYSDRV.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\MOTIVE\MOTMON.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\KEYBDMGR.EXE
C:\PROGRAM FILES\NETROPA\ONSCREEN DISPLAY\OSD.EXE
C:\WINDOWS\MCBIN\AV\RT\MGAVRTCL.EXE
C:\WINDOWS\OPTIONS\CABS\LOGITECH\HP_FINDER.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\WINDOWS\SYSTEM\LXSUPMON.EXE
C:\WINDOWS\SYSTEM\PRINTRAY.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMUSBKB2.EXE
C:\WINDOWS\WT\WCMDMGR.EXE
C:\WINDOWS\RunDLL.exe
C:\WINDOWS\MCBIN\AV\RT\MGAVRTE.EXE
C:\PROGRAM FILES\MTDS WEB ACCELERATOR\WEB_ACCEL.EXE
C:\PROGRAM FILES\SPYWAREGUARD\SGMAIN.EXE
C:\PROGRAM FILES\SPYWAREGUARD\SGBHP.EXE
C:\WINDOWS\WUAUCLT.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\RNATHCHK.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\BACKWEB\BACKWEB\PROGRAM\BACKWEB.EXE
C:\HJT\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5404
O2 - BHO: BrowserHelper Class - {EBCDDA60-2A68-11D3-8A43-0060083CFB9C} - C:\WINDOWS\SYSTEM\NZDD.DLL
O2 - BHO: PBlockHelper Class - {4115122B-85FF-4DD3-9515-F075BEDE5EB5} - C:\PROGRAM FILES\MTDS WEB ACCELERATOR\PBHELPER.DLL
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\PROGRAM FILES\SPYWAREGUARD\DLPROTECT.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Keyboard Manager] C:\Program Files\Netropa\One-touch Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [Delay] C:\WINDOWS\delayrun.exe
O4 - HKLM\..\Run: [MotiveMonitor] C:\Program Files\Motive\motmon.exe
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [mgavrtclexe] C:\WINDOWS\MCBin\AV\Rt\mgavrtcl.exe
O4 - HKLM\..\Run: [HPLogiFinder] \WINDOWS\OPTIONS\CABS\LOGITECH\HP_FINDER.EXE
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\SYSTEM\LXSUPMON.EXE RUN
O4 - HKLM\..\Run: [LexStart] Lexstart.exe
O4 - HKLM\..\Run: [LexmarkPrinTray] PrinTray.exe
O4 - HKLM\..\Run: [wcmdmgr] C:\WINDOWS\wt\wcmdmgrl.exe -launch
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [mgavrtclexe] C:\WINDOWS\MCBin\AV\Rt\mgavrte.exe
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - Startup: MTDS Web Accelerator.lnk = C:\Program Files\MTDS Web Accelerator\web_accel.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O8 - Extra context menu item: Show Original Image - res://C:\PROGRAM FILES\MTDS WEB ACCELERATOR\WEB_ACCEL.EXE/227
O8 - Extra context menu item: Show All Original Images - res://C:\PROGRAM FILES\MTDS WEB ACCELERATOR\WEB_ACCEL.EXE/250
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O9 - Extra button: AOL Instant Messenger (SM) - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM95\AIM.EXE
O14 - IERESET.INF: START_PAGE_URL=http://www.mtdata.net
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...322/mcfscan.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab

#12 daveai

daveai

  • Members
  • 266 posts
  • OFFLINE
  •  
  • Local time:03:58 AM

Posted 20 February 2005 - 11:05 PM

Thanks for the update.

You will need to talk to the phone company about the unauthorized call.

You need to make sure you have implemented the standard "layers of protection" I recommended in order to prevent future infections. No single program or tool is enough to protect your system.

The best way to guard against unwanted outbound traffic is to implement a software firewall that watches for that. I provided a link to information about firewalls in my protections suggestions. I strongly recommend you select one and implement it.

Also, many dialers come in via activex downloads to IE. Have you implemented IE-Spyad, or used the Spybot 'Immunize' function? Both of these help portect you from malicious activex downloads.

And, I will repeat my recommendation from a week ago about anti-virus:

Finally, I strongly recommend you consider a resident anti-virus. Periodic on-line scans are good diagnostic tools, but are not adequate real-time protection.


I also provided you with a link for this last week. Either AVG or AVAST are well thought of, and free.

Finally, in your case, I believe a security oriented HOSTS file may be helpful. Please refer to this link: http://www.mvps.org/winhelp2002/hosts.htm


The restore operation apparantly got rid of the new infection, since it is not showing up in your HijackThis log.

Thanks
daveai
"Applying computer technology is simply finding the right wrench to pound in the correct screw." Anonymous




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users