Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

HJT Log - Please Help!


  • Please log in to reply
7 replies to this topic

#1 fernandopujols

fernandopujols

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:02:43 AM

Posted 29 March 2005 - 11:56 PM

This is my first post. I will do my best to describe the problem before posting the log. Neither AdAware nor SpyBot-S&D have fixed the problem.

I have been getting an About:Blank homepage, but it has also been randomly switching to it while I'm surfing. About once every 30 minutes (even when I'm not running IE) I'll get a pop-up for some spyware "warning" or remover.

I have Windows 98 and a cable connection. PLEASE HELP!!!

Logfile of HijackThis v1.99.0
Scan saved at 11:58:03 PM, on 3/29/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\NVSVC.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\3CMLNKW.EXE
C:\PROGRAM FILES\AHEAD\INCD\INCD.EXE
C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\WORKS SHARED\WKUFIND.EXE
C:\PROGRAM FILES\REAL\REALPLAYER\REALPLAY.EXE
C:\PROGRAM FILES\BROWSER MOUSE\MOUSE32A.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\MUSICMATCH\MUSICMATCH JUKEBOX\MM_TRAY.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER FREE EDITION\PSFREE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\PROGRAM FILES\ZERO KNOWLEDGE\FREEDOM\FREEDOM.EXE
C:\PROGRAM FILES\COMMON FILES\COMMAND SOFTWARE\DVPAPI9X.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\DESKTOP\NEW FOLDER\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/spage.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.google.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.google.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/spage.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.google.com/keyword/%s
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R3 - Default URLSearchHook is missing
F1 - win.ini: run=hpfsched
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.com/bookmark/7_2/home.html"); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\yy1kbnb9.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CPROGRAM%20FILES%5CNETSCAPE%5CNETSCAPE%5Csearchplugins%5CSBWeb_01.src"); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\yy1kbnb9.slt\prefs.js)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: (no name) - {663FAE81-A069-11D9-A5CB-0011E774A595} - C:\WINDOWS\SYSTEM\CGAE.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\SYSTEM\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\SYSTEM\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [OWCCardbusTray] ocbtray.exe
O4 - HKLM\..\Run: [3Cmlink] C:\WINDOWS\SYSTEM\3cmlnkW.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe C:\PROGRA~1\WILDTA~1\APPS\CDA\CDAENG~1.DLL,cdaEngineMain
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [FLMOFFICE4DMOUSE] C:\Program Files\Browser MOUSE\mouse32a.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [sp] rundll32 C:\WINDOWS\TEMP\SE.DLL,DllInstall
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [NVSvc] C:\WINDOWS\SYSTEM\nvsvc.exe -runservice
O4 - HKLM\..\RunServices: [NETOE32.EXE] C:\WINDOWS\NETOE32.EXE
O4 - HKLM\..\RunServices: [NTKV32.EXE] C:\WINDOWS\NTKV32.EXE
O4 - HKLM\..\RunOnce: [IndexCleaner] "C:\PROGRAM FILES\ZERO KNOWLEDGE\FREEDOM\IndexCleanerR.exe"
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER FREE EDITION\PSFREE.EXE"
O4 - HKCU\..\RunOnce: [IndexCleaner] "C:\PROGRAM FILES\ZERO KNOWLEDGE\FREEDOM\IndexCleanerR.exe"
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsearch.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsimilar.html
O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmtrans.html
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM\AIM.EXE
O9 - Extra button: Microsoft AntiSpyware helper - {67324BE0-A069-11D9-A5CB-00112F7E0DD3} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {67324BE0-A069-11D9-A5CB-00112F7E0DD3} - (no file) (HKCU)
O16 - DPF: {6D3CED33-9C0A-44BA-AAB9-252EE67A436C} (IEObj Class) - http://fs.adelphia.freedom.net/software/dmx.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/d.../ITDetector.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/cha...v45/yacscom.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A} - http://install.wildtangent.com/bgn/partner...lim/install.cab
O18 - Filter: text/html - {10CB9185-A073-11D9-A5CB-00111D4B545A} - C:\WINDOWS\SYSTEM\CGAE.DLL
O18 - Filter: text/plain - {10CB9185-A073-11D9-A5CB-00111D4B545A} - C:\WINDOWS\SYSTEM\CGAE.DLL

BC AdBot (Login to Remove)

 


m

#2 Joe - London

Joe - London

  • Security Colleague
  • 327 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:UK
  • Local time:08:43 AM

Posted 30 March 2005 - 08:24 AM

Hi Fernandopujols,

I notice you have WildTangent installed, This programme is optional but I recommend removing it if its not something you need, See below: WildTangent is Foistware. (see here: for more information) However some people prefer to keep it for their gaming. Please go to the Add/Remove program in the Control Panel and Uninstall/remove Wildtangent.

Please download the latest version of Adaware S E here:
Adaware S E

Install it, but don't run it yet. Click on the globe in the upper right hand corner to get the latest updates.

Please download the:
CWShredder (Standalone version).

Download and install APM from here:
http://www.diamondcs.com.au/index.php?page=apm
(don't run it yet we will get to that in a minute)

Open Hijackthis, take another scan and tick the check-boxes beside to all these entries.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/spage.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/spage.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {663FAE81-A069-11D9-A5CB-0011E774A595} - C:\WINDOWS\SYSTEM\CGAE.DLL
O4 - HKLM\..\Run: [sp] rundll32 C:\WINDOWS\TEMP\SE.DLL,DllInstall
O4 - HKLM\..\RunServices: [NETOE32.EXE] C:\WINDOWS\NETOE32.EXE
O16 - DPF: {AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A} - http://install.wildtangent.com/bgn/partner...lim/install.cab
O18 - Filter: text/html - {10CB9185-A073-11D9-A5CB-00111D4B545A} - C:\WINDOWS\SYSTEM\CGAE.DLL
O18 - Filter: text/plain - {10CB9185-A073-11D9-A5CB-00111D4B545A} - C:\WINDOWS\SYSTEM\CGAE.DLL

Close all open Windows except Hijackthis and click on "fix Checked".

(Notice the randomly named BHO. That one is important.)

**********

Now, start APM.
In the upper window select explorer.exe
In the lower window find and rightclick the O2 - BHO: entry from your HijackThis log.

In the current log it is this file but it may have changed names.

O2 - BHO: (no name) - {663FAE81-A069-11D9-A5CB-0011E774A595} - C:\WINDOWS\SYSTEM\CGAE.DLL

It is the 02 BHO entry with no description, in case it has changed names. It is not tied to any program you recognize.
Select Unload DLL, and click OK on the prompts that follow.

**********

From the Windows Start menu, go to Shut Down and click Restart.

As the computer restarts, press and hold the CTRL key.
Note: On some keyboards you can press and hold the flying Window key. On some computers, the F8 key can be used instead of the CTRL key.

From the Windows Start-up menu, type the number for the Safe Mode option or press F5.

Wait for your desktop to appear. Your computer will run slower, and your icons may appear larger with fewer colors.

The words Safe Mode appear in all corners of your screen.

* Open Windows Explorer, navigate to and delete the following Files/Folders if present:

C:\WINDOWS\TEMP\SE.DLL,DllInstall >>> file
C:\WINDOWS\NETOE32.EXE >>> file

If you decided to take my advice and remove Wild Tangent delete this folder as well:
C:\PROGRA~1\WILDTAngent\ >>>folder

I cannot find anything definitive on this entry, do you know what it relates to. If not please open Windows Explorer, navigate to C:\WINDOWS\ then right click NTKV32.EXE then click properties. Include any information you find with your next post.[Do not delete[/b]
O4 - HKLM\..\RunServices: [NTKV32.EXE] C:\WINDOWS\NTKV32.EXE

Run the CW Shredder. Let it fix everything it finds.

Scan with Ad-Aware SE to automatically remove the txt and html protocol associations and to clean up the remnants of the hijack.

Reboot the Computer in normal mode, then click the "AddReply" button and post a new log in this thread for further review and evaluation.

Joe.
If I have helped you in any way, please consider a donation:
Posted Image
Member of UNITE and ASAP.

#3 fernandopujols

fernandopujols
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:02:43 AM

Posted 30 March 2005 - 10:50 AM

Thanks for your help, Joe. I was unable to run APM because I have Windows 98SE and it was designed for NT4,2K & XP. However, I went ahead and removed the items you suggested on the HJT log, switched into safe mode and followed the instructions. Apparently something worked. My homepage is back to normal, I haven't had any pop-ups and everything's movng a lot faster.

I do have a couple things to follow-up. First, a post-fix HJT log is posted below. I would appreciate knowing if you see any other problems. Second, I searched for the NTKV32.EXE and found only ntkv32.dll, which is an application extension created on March 12, 2005. I don't know what this is, but since it appears to be running fine, I'm not worried about it at the moment. Finally, is there anything I can do to better prevent this from happening again? It's happened several times now, but this was by far the toughest to remove. Since I have a constant cable connection, would a router prevent some of this activity? If so, can you give me some info on using one? I also have Limewire installed, which has seemed to cause some problems for me in the past.

Thanks again for your help. Here's my new log:

Logfile of HijackThis v1.99.0
Scan saved at 10:45:13 AM, on 3/30/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\NVSVC.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\3CMLNKW.EXE
C:\PROGRAM FILES\AHEAD\INCD\INCD.EXE
C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\WORKS SHARED\WKUFIND.EXE
C:\PROGRAM FILES\REAL\REALPLAYER\REALPLAY.EXE
C:\PROGRAM FILES\BROWSER MOUSE\MOUSE32A.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\MUSICMATCH\MUSICMATCH JUKEBOX\MM_TRAY.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER FREE EDITION\PSFREE.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\DESKTOP\NEW FOLDER\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.google.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.google.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.google.com/keyword/%s
F1 - win.ini: run=hpfsched
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.com/bookmark/7_2/home.html"); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\yy1kbnb9.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CPROGRAM%20FILES%5CNETSCAPE%5CNETSCAPE%5Csearchplugins%5CSBWeb_01.src"); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\yy1kbnb9.slt\prefs.js)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\SYSTEM\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\SYSTEM\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [OWCCardbusTray] ocbtray.exe
O4 - HKLM\..\Run: [3Cmlink] C:\WINDOWS\SYSTEM\3cmlnkW.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe C:\PROGRA~1\WILDTA~1\APPS\CDA\CDAENG~1.DLL,cdaEngineMain
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [FLMOFFICE4DMOUSE] C:\Program Files\Browser MOUSE\mouse32a.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [NVSvc] C:\WINDOWS\SYSTEM\nvsvc.exe -runservice
O4 - HKLM\..\RunServices: [NTKV32.EXE] C:\WINDOWS\NTKV32.EXE
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER FREE EDITION\PSFREE.EXE"
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsearch.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsimilar.html
O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmtrans.html
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM\AIM.EXE
O9 - Extra button: Microsoft AntiSpyware helper - {67324BE0-A069-11D9-A5CB-00112F7E0DD3} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {67324BE0-A069-11D9-A5CB-00112F7E0DD3} - (no file) (HKCU)
O16 - DPF: {6D3CED33-9C0A-44BA-AAB9-252EE67A436C} (IEObj Class) - http://fs.adelphia.freedom.net/software/dmx.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/d.../ITDetector.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/cha...v45/yacscom.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab

#4 Joe - London

Joe - London

  • Security Colleague
  • 327 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:UK
  • Local time:08:43 AM

Posted 30 March 2005 - 12:38 PM

Hello again fernandopujols,

I was unable to run APM


My mistake, sorry about that, the infection appears to have disappeared without it in any event.

I would appreciate knowing if you see any other problems.

Just a few minor issues to clear up.
Have you decided to keep Wildtangent? Your choice.

I also have Limewire installed, which has seemed to cause some problems for me in the past.



This is optional, I recommend removing it. See below:
LimeWire - Peer to Peer (P2P) file-sharing client. x.x represents the version number.
Note - as with all P2P sharing programs they are susceptible to various forms of malware

I can't see anything about it in the log.

Finally, is there anything I can do to better prevent this from happening again?/would a router prevent some of this activity?


I will give you some prevention advice when we get the Computer clean.

I searched for the NTKV32.EXE and found only ntkv32.dll,


This entry is still there and appears to be connected to the infection:
O4 - HKLM\..\RunServices: [NTKV32.EXE] C:\WINDOWS\NTKV32.EXE

Open Hijackthis again, take another scan and tick the check-boxes beside this entry.

O4 - HKLM\..\RunServices: [NTKV32.EXE] C:\WINDOWS\NTKV32.EXE

Close all open Windows except Hijackthis and click on "fix Checked".

Enable the viewing of Hidden files follow these steps:

Close all programs so that you are at your desktop.
Double-click on the My Computer icon.
Select the View menu and then click Folder Options.
After the new window appears select the View tab.
Scroll down until you see the Show all files radio button and select it.
Press the Apply button and then the OK button and close the My Computer window.
Now your computer is configured to show all hidden files.

* Open Windows Explorer, navigate to and delete the following File:

C:\WINDOWS\NTKV32.EXE >>>File
If its not in that folder take a look in C:\Windows\System and if you still have no luck run a search for it and delete it if you find it.

Also find and delete ntkv32.dllto the recycle bin only for now.

Reboot the Computer in normal mode, then click the "AddReply" button and post a new log in this thread for further review and evaluation.

Joe.
If I have helped you in any way, please consider a donation:
Posted Image
Member of UNITE and ASAP.

#5 fernandopujols

fernandopujols
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:02:43 AM

Posted 31 March 2005 - 09:08 AM

Thanks again, Joe.

To start with, I did uninstall WildTangent, but there are remnants of it still on my machine that I can't find. For one thing, I get the following message every time I start my computer:

Error loading C:PROGRA~1\WILDTA~1\APPS\CDA\CDAENG~1.DLL

Any idea how to make that go away?

After enabling hidden files, I looked and then searched and could only find ntkv32.dll, still no .exe file. I sent the .dll to the recycle bin. Here's my latest log:

Logfile of HijackThis v1.99.0
Scan saved at 9:13:44 AM, on 3/31/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\NVSVC.EXE
C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\3CMLNKW.EXE
C:\PROGRAM FILES\AHEAD\INCD\INCD.EXE
C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\WORKS SHARED\WKUFIND.EXE
C:\PROGRAM FILES\REAL\REALPLAYER\REALPLAY.EXE
C:\PROGRAM FILES\BROWSER MOUSE\MOUSE32A.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\MUSICMATCH\MUSICMATCH JUKEBOX\MM_TRAY.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER FREE EDITION\PSFREE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\DESKTOP\NEW FOLDER\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.google.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.google.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.google.com/keyword/%s
F1 - win.ini: run=hpfsched
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.com/bookmark/7_2/home.html"); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\yy1kbnb9.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CPROGRAM%20FILES%5CNETSCAPE%5CNETSCAPE%5Csearchplugins%5CSBWeb_01.src"); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\yy1kbnb9.slt\prefs.js)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\SYSTEM\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\SYSTEM\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [OWCCardbusTray] ocbtray.exe
O4 - HKLM\..\Run: [3Cmlink] C:\WINDOWS\SYSTEM\3cmlnkW.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe C:\PROGRA~1\WILDTA~1\APPS\CDA\CDAENG~1.DLL,cdaEngineMain
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [FLMOFFICE4DMOUSE] C:\Program Files\Browser MOUSE\mouse32a.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [NVSvc] C:\WINDOWS\SYSTEM\nvsvc.exe -runservice
O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER FREE EDITION\PSFREE.EXE"
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsearch.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsimilar.html
O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmtrans.html
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM\AIM.EXE
O9 - Extra button: Microsoft AntiSpyware helper - {67324BE0-A069-11D9-A5CB-00112F7E0DD3} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {67324BE0-A069-11D9-A5CB-00112F7E0DD3} - (no file) (HKCU)
O16 - DPF: {6D3CED33-9C0A-44BA-AAB9-252EE67A436C} (IEObj Class) - http://fs.adelphia.freedom.net/software/dmx.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/d.../ITDetector.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/cha...v45/yacscom.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab

#6 Joe - London

Joe - London

  • Security Colleague
  • 327 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:UK
  • Local time:08:43 AM

Posted 31 March 2005 - 09:51 AM

The log looks better now, just WildTangent to clean up. There is a removal tool for it but I think fixing it with HJT will be enough.

Open Hijackthis again, take another scan and tick the check-boxes beside this entry.

O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe C:\PROGRA~1\WILDTA~1\APPS\CDA\CDAENG~1.DLL,cdaEngineMain

Close all open Windows except Hijackthis and click on "fix Checked".

* Open Windows Explorer, navigate to and delete the following Folder:

C:\PROGRAM Files\WILDTAngent <<< folder

Reboot the Computer in normal mode, then click the "AddReply" button and post a new log in this thread for further review and evaluation.

Joe.

Edited by Joe - London, 31 March 2005 - 09:54 AM.

If I have helped you in any way, please consider a donation:
Posted Image
Member of UNITE and ASAP.

#7 fernandopujols

fernandopujols
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:02:43 AM

Posted 31 March 2005 - 11:36 PM

Here's my latest log:

Logfile of HijackThis v1.99.0
Scan saved at 11:46:06 PM, on 3/31/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\NVSVC.EXE
C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\3CMLNKW.EXE
C:\PROGRAM FILES\AHEAD\INCD\INCD.EXE
C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\WORKS SHARED\WKUFIND.EXE
C:\PROGRAM FILES\REAL\REALPLAYER\REALPLAY.EXE
C:\PROGRAM FILES\BROWSER MOUSE\MOUSE32A.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\MUSICMATCH\MUSICMATCH JUKEBOX\MM_TRAY.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER FREE EDITION\PSFREE.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\DESKTOP\NEW FOLDER\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.google.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.google.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.google.com/keyword/%s
F1 - win.ini: run=hpfsched
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.com/bookmark/7_2/home.html"); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\yy1kbnb9.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CPROGRAM%20FILES%5CNETSCAPE%5CNETSCAPE%5Csearchplugins%5CSBWeb_01.src"); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\yy1kbnb9.slt\prefs.js)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\SYSTEM\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\SYSTEM\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [OWCCardbusTray] ocbtray.exe
O4 - HKLM\..\Run: [3Cmlink] C:\WINDOWS\SYSTEM\3cmlnkW.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [FLMOFFICE4DMOUSE] C:\Program Files\Browser MOUSE\mouse32a.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [NVSvc] C:\WINDOWS\SYSTEM\nvsvc.exe -runservice
O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER FREE EDITION\PSFREE.EXE"
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsearch.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsimilar.html
O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmtrans.html
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM\AIM.EXE
O9 - Extra button: Microsoft AntiSpyware helper - {67324BE0-A069-11D9-A5CB-00112F7E0DD3} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {67324BE0-A069-11D9-A5CB-00112F7E0DD3} - (no file) (HKCU)
O16 - DPF: {6D3CED33-9C0A-44BA-AAB9-252EE67A436C} (IEObj Class) - http://fs.adelphia.freedom.net/software/dmx.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/d.../ITDetector.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/cha...v45/yacscom.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab

Thanks again!

#8 Joe - London

Joe - London

  • Security Colleague
  • 327 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:UK
  • Local time:08:43 AM

Posted 01 April 2005 - 02:23 AM

Hi fernandopujols,

The log is now clean. I assume the Wildtangent alert has also gone.

I recommend these simple steps you can take to reduce the chance of infection in the future.

1. Visit Windows Update: <-- YOU NEED TO DO THIS!!

Make sure that you have all the Critical Updates recommended for your Operating System and Internet Explorer. The first defence against infection is a properly patched OS.

Windows Update: http://v4.windowsupdate.microsoft.com/en/default.asp
Or, with Internet Explorer open, click Tools>Windows Update.

2. Adjust your security settings for ActiveX:
Go to Internet Options>Security tab.
Now press "Custom Level."
In the ActiveX section, set the first option, 'Download signed ActiveX controls', to 'Prompt;
Set the second option, 'Download unsigned ActiveX controls', to 'Disable';
Finally, set 'Initialise and Script ActiveX controls not marked as safe' to 'Disable'.

These recommendations are based on veteran spyware fighter Tony Klein's now classic article, So how did I get infected in the first place? Check it out for even more information.

I also recommend the information in Bleepingcomputer's Simple steps to keep your computer secure!

Thank you for your cooperation during this fix.

Joe.
If I have helped you in any way, please consider a donation:
Posted Image
Member of UNITE and ASAP.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users