
HiJackThis Log. Please analyse.



#1 Irene

Posted 14 May 2005 - 11:06 AM

I have already run both Spybot and AdAware several times:
Spyware gets removed but always returns.
Computer is extremely slow, and Internet Explorer opens unwanted extra screens.

Please help!
Thank you very much in advance!

Irene, the Netherlands.
-------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 17:52:01, on 14-5-2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\WANADOO\PC FIREWALL\PFWALL.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\LOADQM.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\WANADOO\ANTIVIRUS\AVREALTIME.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
C:\PROGRAM FILES\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/spage.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/spage.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {EC937BF7-8B4D-4550-9BF3-83E949D32BBD} - C:\WINDOWS\SYSTEM\DHPK.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [Taakcontrole] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Personal Firewall] C:\Program Files\Wanadoo\PC Firewall\PFWall.exe
O4 - HKLM\..\Run: [Preventon RealTime Antivirus] C:\Program Files\Wanadoo\Antivirus\AVRealTime.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [sp] rundll32 C:\WINDOWS\TEMP\SE.DLL,DllInstall
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmesse...pdownloader.cab
O18 - Filter: text/html - {A56F1DC4-A638-4D30-A47C-E4272397A378} - C:\WINDOWS\SYSTEM\DHPK.DLL
O18 - Filter: text/plain - {A56F1DC4-A638-4D30-A47C-E4272397A378} - C:\WINDOWS\SYSTEM\DHPK.DLL

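The log above can be triaged mechanically. The following Python script is an added example and is not part of this thread; its sample input is a handful of R/O lines copied from the log above, and the rules (a res:// search page pointing into %TEMP%, about:blank forced into the IE page values, an unnamed BHO living directly in C:\WINDOWS\SYSTEM, a rundll32 autostart loading from %TEMP% or from a .CAB, and any O18 MIME filter on text/html or text/plain) are the same heuristics a log reader applies by eye. Note that the BHO rule keys on the path, not the name: Spybot's own SDHelper.dll also shows up as "(no name)" in this log.

```python
"""Triage of HijackThis v1.99 log lines for the se.dll / about:blank hijack in this thread.

Added example, not part of the original thread. The sample lines are copied from the
first log posted above; the rules are the heuristics a log reader applies by hand.
"""
import re

# Sample input (constructed here): R/O lines taken from the first HijackThis log in the thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/spage.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {EC937BF7-8B4D-4550-9BF3-83E949D32BBD} - C:\WINDOWS\SYSTEM\DHPK.DLL
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [sp] rundll32 C:\WINDOWS\TEMP\SE.DLL,DllInstall
O18 - Filter: text/html - {A56F1DC4-A638-4D30-A47C-E4272397A378} - C:\WINDOWS\SYSTEM\DHPK.DLL
O18 - Filter: text/plain - {A56F1DC4-A638-4D30-A47C-E4272397A378} - C:\WINDOWS\SYSTEM\DHPK.DLL
"""

HJT_LINE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.*)$")
TEMP_DIR = re.compile(r"\\TEMP\\", re.IGNORECASE)
SYSTEM_DLL = re.compile(r"^C:\\WINDOWS\\SYSTEM\\[^\\]+\.DLL$", re.IGNORECASE)
RUNDLL = re.compile(r"rundll32(?:\.exe)?\s+(?P<target>[^,]+),", re.IGNORECASE)
BHO = re.compile(r"^BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*)$")
FILTER = re.compile(r"^Filter: (?P<mime>\S+) - \{[0-9A-Fa-f-]+\} - (?P<path>.*)$")
FILE_PATH = re.compile(r"[A-Z]:\\[^\s,]+\.(?:DLL|CAB)", re.IGNORECASE)
# IE values the about:blank variant overwrites (the 'Search Bar' value is caught by the res:// rule).
PAGE_VALUES = {"Search Page", "Start Page", "SearchAssistant", "HomeOldSP"}


def check_r(body):
    """R0/R1: IE start/search pages. Flags res:// pages served from %TEMP% and forced about:blank."""
    key, sep, value = body.partition(" = ")
    if not sep:
        return None
    value_name = key.rsplit(",", 1)[-1]
    if value.lower().startswith("res://") and TEMP_DIR.search(value):
        return "search page is a resource inside a DLL dropped in %TEMP%"
    if value == "about:blank" and value_name in PAGE_VALUES:
        return "IE page forced to about:blank"
    return None


def check_o2(body):
    """O2: Browser Helper Objects. '(no name)' alone proves nothing (SDHelper has none), so judge by path."""
    m = BHO.match(body)
    if m and "(no name)" in m.group("name") and SYSTEM_DLL.match(m.group("path").strip()):
        return "unnamed BHO loaded straight from C:\\WINDOWS\\SYSTEM"
    return None


def check_o4(body):
    """O4: autostart entries. rundll32 itself is legitimate; what it is told to load is the question."""
    m = RUNDLL.search(body)
    if not m:
        return None
    target = m.group("target").strip()
    if TEMP_DIR.search(target):
        return "autostart loads a DLL from %TEMP% via rundll32"
    if target.lower().endswith(".cab"):
        return "autostart loads a .CAB as a DLL via rundll32"
    return None


def check_o18(body):
    """O18: MIME filters. A filter on text/html or text/plain sees every page IE renders."""
    m = FILTER.match(body)
    if m and m.group("mime").lower() in ("text/html", "text/plain"):
        return f"MIME filter on {m.group('mime')} intercepts every page IE renders"
    return None


CHECKS = {"R0": check_r, "R1": check_r, "O2": check_o2, "O4": check_o4, "O18": check_o18}


def triage(log_text):
    """Return one finding per suspicious line: section, reason, and the raw line."""
    findings = []
    for line in log_text.splitlines():
        m = HJT_LINE.match(line.strip())
        if not m:
            continue
        check = CHECKS.get(m.group("sec"))
        reason = check(m.group("body")) if check else None
        if reason:
            findings.append({"section": m.group("sec"), "reason": reason, "line": line.strip()})
    return findings


def artifacts(findings):
    """Distinct DLL/CAB paths named in the findings, upper-cased: the files to remove in Safe Mode."""
    return sorted({m.group(0).upper() for f in findings for m in FILE_PATH.finditer(f["line"])})


if __name__ == "__main__":
    hits = triage(SAMPLE_LOG)
    for h in hits:
        print(f"{h['section']:>3}  {h['reason']}\n     {h['line']}")
    print("files:", artifacts(hits))
```

Run against the sample it reports seven lines and two files, C:\WINDOWS\SYSTEM\DHPK.DLL and C:\WINDOWS\TEMP\SE.DLL, which is exactly the set SpSeHjFix later schedules for deletion. The O18 rule is the one that matters most: a MIME filter on text/html is what lets the DLL rewrite every page, which is why the "extra screens" kept appearing even after Spybot removed the registry pages.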

#2 SifuMike

Posted 14 May 2005 - 12:16 PM

Hello Irene,

Download CW-Shredder at the link below: (don't run it yet)
http://cwshredder.net/bin/CWShredder.exe

Download 'SpSeHjfix'. >>> http://www.derbilk.de/SpSeHjfix109.zip (don't run it yet)

Clean out temporary and TIF files.
Go to Start > Run and type in the box: cleanmgr.
Let it scan your system for files to remove.
Make sure these 3 are checked and then press *ok* to remove:

Temporary Files
Temporary Internet Files
Recycle Bin



Make sure you know how to boot into Safe Mode.
To use the F8 method:

Restart the computer.
As the computer restarts, press and hold down the F8 key until the Windows ME startup menu appears.
Choose Safe Mode from the startup menu, and then press Enter. Windows starts in Safe Mode.

If you need more help doing that, here are more ways to start your computer in Safe Mode:
http://service1.symantec.com/SUPPORT/tsgen...src=sec_doc_nam


Reboot into safe mode.

Disconnect from the Internet and Close ALL OPEN PROGRAMS.
Run 'SpSeHjfix', and click on "Start Disinfection".
When it's finished it will reboot your machine to finish the cleaning process.
The tool creates a log of the fix which will appear in the folder.

Now run the Shredder - Hit The FIX button!

Reboot and repeat the process above.

Reboot and post a fresh HJT log and the log that was created by 'SpSeHjfix'

Edited by SifuMike, 14 May 2005 - 12:45 PM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!




Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 Irene


Posted 14 May 2005 - 01:13 PM

Thank you SifuMike!
I did exactly what you advised me to do.
Here are the two new logs you requested:
------------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 20:07:56, on 14-5-2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\WANADOO\PC FIREWALL\PFWALL.EXE
C:\PROGRAM FILES\WANADOO\ANTIVIRUS\AVREALTIME.EXE
C:\WINDOWS\LOADQM.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/spage.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/spage.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [Taakcontrole] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Personal Firewall] C:\Program Files\Wanadoo\PC Firewall\PFWall.exe
O4 - HKLM\..\Run: [Preventon RealTime Antivirus] C:\Program Files\Wanadoo\Antivirus\AVRealTime.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmesse...pdownloader.cab

---------------------------------

(5-14-05 19:58:19) SPSeHjFix started v1.09
(5-14-05 19:58:19) OS: WinME (4.90.73010104)
(5-14-05 19:58:19) Language: nederlands
(5-14-05 19:58:31) Disinfect started
(5-14-05 19:58:31) Bad-Dll(IEP): (not found)
(5-14-05 19:58:31) Bad-Dll(IEP) in BHO: (not found)
(5-14-05 19:58:31) Searchassistant Uninstaller found: regsvr32 /s /u C:\WINDOWS\SYSTEM\DHPK.DLL
(5-14-05 19:58:31) Searchassistant Uninstaller - Keys Deleted
(5-14-05 19:58:31) UBF: 6
(5-14-05 19:58:31) UBB: 2
(5-14-05 19:58:31) FilterKey: HKCR\text/html (deleted)
(5-14-05 19:58:31) FilterKey: HKLM\SOFTWARE\Classes\text/html (error while deleting)
(5-14-05 19:58:31) FilterKey: HKCR\CLSID\{A56F1DC4-A638-4D30-A47C-E4272397A378} (deleted)
(5-14-05 19:58:31) FilterKey: HKCR\text/plain (deleted)
(5-14-05 19:58:31) FilterKey: HKLM\SOFTWARE\Classes\text/plain (error while deleting)
(5-14-05 19:58:31) FilterKey: HKCR\CLSID\{A56F1DC4-A638-4D30-A47C-E4272397A378} (error while deleting)
(5-14-05 19:58:31) BHO-Key: HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{EC937BF7-8B4D-4550-9BF3-83E949D32BBD} (deleted)
(5-14-05 19:58:31) BHO-Key: HKCR\CLSID\{EC937BF7-8B4D-4550-9BF3-83E949D32BBD} (deleted)
(5-14-05 19:58:31) UBR: 11
(5-14-05 19:58:31) Run-Key: HKLM\Software\Microsoft\Windows\CurrentVersion\Run\sp=rundll32 C:\WINDOWS\TEMP\SE.DLL,DllInstall (deleted)
(5-14-05 19:58:31) Bad IE-pages:
deleted: HKCU\Software\Microsoft\Internet Explorer\Main, Search Page: about:blank
deleted: HKCU\Software\Microsoft\Internet Explorer\Main, Start Page: about:blank
deleted: HKCU\Software\Microsoft\Internet Explorer\Main, HomeOldSP: about:blank
deleted: HKCU\Software\Microsoft\Internet Explorer\Search, SearchAssistant: about:blank
deleted: HKLM\Software\Microsoft\Internet Explorer\Main, Search Page: about:blank
deleted: HKLM\Software\Microsoft\Internet Explorer\Main, Start Page: about:blank
deleted: HKLM\Software\Microsoft\Internet Explorer\Main, HomeOldSP: about:blank
deleted: HKLM\Software\Microsoft\Internet Explorer\Search, SearchAssistant: about:blank
(5-14-05 19:58:31) Stealth-String found: C:\WINDOWS\RUNHEHP.CAB
(5-14-05 19:58:31) File added to delete: c:\windows\system\dhpk.dll
(5-14-05 19:58:31) File added to delete: c:\windows\system\dhpk.dll
(5-14-05 19:58:31) File added to delete: c:\windows\temp\se.dll
(5-14-05 19:58:31) File added to delete: c:\windows\runhehp.cab
(5-14-05 19:58:31) Reboot
(5-14-05 20:04:09) SPSeHjFix 2nd Step
(5-14-05 20:04:09) RunServicesOnce-Key: (alex)
(5-14-05 20:04:17) Cleaned

---------------------------------------
Is there more action needed?
Thanks again for your help so far!!!

Regards,
Irene

#4 SifuMike

Posted 14 May 2005 - 03:12 PM

Hello Irene,

Your computer looks much better. We still have to "fix" some items. :thumbsup:


How to Reboot into Safe Mode
Tap the F8 key during reboot until the boot menu appears, use the arrow keys to choose "Safe Mode" from the menu, then press the "Enter" key.



Please boot into Safe Mode and select the following with HijackThis.
With all windows (including this one!) closed (close browser/explorer windows), please select "fix."

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/spage.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/spage.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =




Let's empty the temp files:

Download CCleaner and install it. (default location is best).
Select the Windows tab and run CCleaner (click Run Cleaner, bottom right; when it finishes scanning, click Exit).
When you see "Complete" on the top line, it's done. It's very fast.

I recommend that you DO NOT run anything under the Issues tab and the Applications tab. To prevent accidentally running the Issues and Applications tabs, clear all the check boxes under them.

Finally, reboot and post a new Hijackthis log, and tell me how your computer is running.

#5 Irene


Posted 14 May 2005 - 04:17 PM

Hello again, SifuMike :thumbsup:

Did once more what you advised.
Computer runs very smooth again! :flowers:

Here's my new log:
----------------------

Logfile of HijackThis v1.99.1
Scan saved at 23:10:50, on 14-5-2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\WANADOO\PC FIREWALL\PFWALL.EXE
C:\PROGRAM FILES\WANADOO\ANTIVIRUS\AVREALTIME.EXE
C:\WINDOWS\LOADQM.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\DOWNLOADS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [Taakcontrole] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Personal Firewall] C:\Program Files\Wanadoo\PC Firewall\PFWall.exe
O4 - HKLM\..\Run: [Preventon RealTime Antivirus] C:\Program Files\Wanadoo\Antivirus\AVRealTime.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmesse...pdownloader.cab

-------------------------------------------
Thank you VERY MUCH for your help!
The world is a better place with people like you on it :trumpet:

Irene, the Netherlands

#6 SifuMike

Posted 14 May 2005 - 04:27 PM

Hello Irene,

The log looks clean, congratulations! :thumbsup: Good job on the cleanup! :flowers:

Please read and follow How did I get infected?, With steps so it does not happen again!

Edited by SifuMike, 14 May 2005 - 04:29 PM.


#7 Irene


Posted 20 May 2005 - 04:06 AM

Help again needed :thumbsup:
The very same problem is back.
I don't understand why - my pc is protected to the max with a firewall, antivirus program, Spybot, Winpatrol, Adaware, ScanSpyware, CCleaner, Mozilla Firefox instead of Explorer...

Anyway, here's a new log. I already see what the problem is.
Shall I follow the exact same steps as SifuMike advised previously?
Thank you.
-----------------------------------------------------------------------------
Logfile of HijackThis v1.99.1
Scan saved at 11:02:58, on 20-5-2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\WANADOO\PC FIREWALL\PFWALL.EXE
C:\WINDOWS\TASKMON.EXE
C:\PROGRAM FILES\WANADOO\ANTIVIRUS\AVREALTIME.EXE
C:\WINDOWS\LOADQM.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\MOZILLA FIREFOX\FIREFOX.EXE
C:\DOWNLOADS\HIJACK THIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {061CCCDF-F94A-4CCF-A503-BD3229AE5608} - C:\WINDOWS\SYSTEM\ILME.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [Taakcontrole] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Personal Firewall] C:\Program Files\Wanadoo\PC Firewall\PFWall.exe
O4 - HKLM\..\Run: [Preventon RealTime Antivirus] C:\Program Files\Wanadoo\Antivirus\AVRealTime.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmesse...pdownloader.cab
O18 - Filter: text/html - {1182C657-D24C-4765-9BC2-0391A81D73EA} - C:\WINDOWS\SYSTEM\ILME.DLL
O18 - Filter: text/plain - {1182C657-D24C-4765-9BC2-0391A81D73EA} - C:\WINDOWS\SYSTEM\ILME.DLL

#8 SifuMike

Posted 20 May 2005 - 11:15 AM

Hello Irene,

I think you got reinfected, as I see some R0's, R1's, O2's, and O18's that were not there in your last log. :thumbsup:

*****************************************

Download StartDreck from http://www.niksoft.at/download/startdreck.htm
Once it is downloaded, extract the file into c:\startdreck.
(don't run it yet)

Download CWShredder at the link below: (don't run it yet)
http://cwshredder.net/bin/CWShredder.exe

Download 'SpSeHjfix'. >>> http://www.derbilk.de/SpSeHjfix109.zip (don't run it yet)

*****************************************

Clean out temporary and Temporary Internet Files.
Go to Start > Run and type in the box: cleanmgr.
Let it scan your system for files to remove.
Make sure these 3 are checked and then press *ok* to remove:

Temporary Files
Temporary Internet Files
Recycle Bin


*****************************************

Make sure you know how to boot into Safe Mode.

How to Reboot into Safe Mode
Tap the F8 key during reboot until the boot menu appears, use the arrow keys to choose "Safe Mode" from the menu, then press the "Enter" key.


Reboot into safe mode.

Disconnect from the net and Close ALL OPEN PROGRAMS.
Run 'SpSeHjfix' and click on "Start Disinfection".
When it's finished it will reboot your machine to finish the cleaning process.
The tool creates a log of the fix which will appear in the folder.
Save the log, as I need to see it.


Now run the CWShredder - Hit The FIX button!

Reboot and repeat the process above.

*****************************************

Navigate to c:\startdreck and double-click on Startdreck.exe
Press 'Config'
Press 'Unmark All'

Check the following boxes only:
Registry -> Run Keys
Files> Autostart Folders
System/drivers> Running processes
Press 'Ok'

Press 'Save' and select the location to save the log file
(default is the same folder as the application)
Exit StartDreck
And Post the log in this thread.

*****************************************
Reboot and post a fresh HJT log, the 'SpSeHjfix' log, and the StartDreck log.

Edited by SifuMike, 20 May 2005 - 04:52 PM.


#9 Irene


Posted 20 May 2005 - 05:47 PM

Hello Mike, thanks again for your help :thumbsup:

Here are the three logs you requested:

Logfile of HijackThis v1.99.1
Scan saved at 0:42:14, on 21-5-2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\WANADOO\PC FIREWALL\PFWALL.EXE
C:\PROGRAM FILES\WANADOO\ANTIVIRUS\AVREALTIME.EXE
C:\WINDOWS\LOADQM.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\MOZILLA FIREFOX\FIREFOX.EXE
C:\DOWNLOADS\HIJACK THIS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [Taakcontrole] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Personal Firewall] C:\Program Files\Wanadoo\PC Firewall\PFWall.exe
O4 - HKLM\..\Run: [Preventon RealTime Antivirus] C:\Program Files\Wanadoo\Antivirus\AVRealTime.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmesse...pdownloader.cab






(5-21-05 0:18:12) SPSeHjFix started v1.09
(5-21-05 0:18:12) OS: WinME (4.90.73010104)
(5-21-05 0:18:12) Language: nederlands
(5-21-05 0:18:20) Disinfect started
(5-21-05 0:18:21) Bad-Dll(IEP): se.dll
(5-21-05 0:18:21) Searchassistant Uninstaller found: regsvr32 /s /u C:\WINDOWS\SYSTEM\ILME.DLL
(5-21-05 0:18:21) Searchassistant Uninstaller - Keys Deleted
(5-21-05 0:18:21) UBF: 6
(5-21-05 0:18:21) UBB: 2
(5-21-05 0:18:21) FilterKey: HKCR\text/html (deleted)
(5-21-05 0:18:21) FilterKey: HKLM\SOFTWARE\Classes\text/html (error while deleting)
(5-21-05 0:18:21) FilterKey: HKCR\CLSID\{1182C657-D24C-4765-9BC2-0391A81D73EA} (deleted)
(5-21-05 0:18:21) FilterKey: HKCR\text/plain (deleted)
(5-21-05 0:18:21) FilterKey: HKLM\SOFTWARE\Classes\text/plain (error while deleting)
(5-21-05 0:18:21) FilterKey: HKCR\CLSID\{1182C657-D24C-4765-9BC2-0391A81D73EA} (error while deleting)
(5-21-05 0:18:21) BHO-Key: HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{061CCCDF-F94A-4CCF-A503-BD3229AE5608} (deleted)
(5-21-05 0:18:21) BHO-Key: HKCR\CLSID\{061CCCDF-F94A-4CCF-A503-BD3229AE5608} (deleted)
(5-21-05 0:18:21) UBR: 10
(5-21-05 0:18:21) Bad IE-pages:
deleted: HKCU\Software\Microsoft\Internet Explorer\Main, Search Bar: res://C:\WINDOWS\TEMP\se.dll/sp.html
deleted: HKCU\Software\Microsoft\Internet Explorer\Main, Search Page: about:blank
deleted: HKCU\Software\Microsoft\Internet Explorer\Main, Start Page: about:blank
deleted: HKCU\Software\Microsoft\Internet Explorer\Main, HomeOldSP: about:blank
deleted: HKCU\Software\Microsoft\Internet Explorer\Search, SearchAssistant: about:blank
deleted: HKLM\Software\Microsoft\Internet Explorer\Main, Search Bar: res://C:\WINDOWS\TEMP\se.dll/sp.html
deleted: HKLM\Software\Microsoft\Internet Explorer\Main, Search Page: about:blank
deleted: HKLM\Software\Microsoft\Internet Explorer\Main, Start Page: about:blank
deleted: HKLM\Software\Microsoft\Internet Explorer\Main, HomeOldSP: about:blank
deleted: HKLM\Software\Microsoft\Internet Explorer\Search, SearchAssistant: about:blank
(5-21-05 0:18:21) Stealth-String found: C:\WINDOWS\RUNHEHP.CAB
(5-21-05 0:18:21) File added to delete: c:\windows\system\ilme.dll
(5-21-05 0:18:21) File added to delete: c:\windows\system\ilme.dll
(5-21-05 0:18:21) File added to delete: c:\windows\runhehp.cab
(5-21-05 0:18:21) Reboot
(5-21-05 0:19:43) SPSeHjFix 2nd Step
(5-21-05 0:19:43) RunServicesOnce-Key: (alex)
(5-21-05 0:19:51) Cleaned


(5-21-05 0:23:16) SPSeHjFix started v1.09
(5-21-05 0:23:16) OS: WinME (4.90.73010104)
(5-21-05 0:23:16) Language: nederlands


(5-21-05 0:29:18) SPSeHjFix started v1.09
(5-21-05 0:29:18) OS: WinME (4.90.73010104)
(5-21-05 0:29:18) Language: nederlands
(5-21-05 0:29:20) Disinfect started
(5-21-05 0:29:20) Bad-Dll(IEP): (not found)
(5-21-05 0:29:20) Bad-Dll(IEP) in BHO: (not found)
(5-21-05 0:29:20) UBF: 4
(5-21-05 0:29:20) UBB: 1
(5-21-05 0:29:20) UBR: 10
(5-21-05 0:29:20) Bad IE-pages:
(5-21-05 0:29:21) Stealth-String found: C:\WINDOWS\RUNHEHP.CAB
(5-21-05 0:29:21) File added to delete: c:\windows\runhehp.cab
(5-21-05 0:29:21) Reboot





StartDreck (build 2.1.7 public stable) - 2005-05-21 @ 00:38:01 (GMT +02:00)
Platform: Windows ME (Win 4.90.3000 )
Internet Explorer: 6.0.2800.1106
Logged in as at IRENE

»Registry
»Run Keys
»Current User
»Run
»RunOnce
»Default User
»Run
»RunOnce
»Local Machine
»Run
*ScanRegistry=C:\WINDOWS\scanregw.exe /autorun
*Taakcontrole=C:\WINDOWS\taskmon.exe
*SystemTray=SysTray.Exe
*Personal Firewall=C:\Program Files\Wanadoo\PC Firewall\PFWall.exe
*Preventon RealTime Antivirus=C:\Program Files\Wanadoo\Antivirus\AVRealTime.exe
*LoadQM=loadqm.exe
*TaskMonitor=C:\WINDOWS\taskmon.exe
*PCHealth=C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
*LoadPowerProfile=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
+OptionalComponents
+MSFS
*Installed=1
+MAPI
*Installed=1
*NoChange=1
+MAPI
*Installed=1
*NoChange=1
»RunOnce
»RunServices
*LoadPowerProfile=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
»RunServicesOnce
**z=rundll32 C:\WINDOWS\RUNHEHP.CAB,DllGetClassObject
»RunOnceEx
»RunServicesOnceEx
»Files
»Autostart Folders
»Current User
*C:\WINDOWS\Start Menu\Programma's\Opstarten\Microsoft Office.lnk
»Default User
*C:\WINDOWS\Start Menu\Programma's\Opstarten\Microsoft Office.lnk
»Local Machine
»System/Drivers
»Running Processes
+FFEFA42F=C:\WINDOWS\SYSTEM\KERNEL32.DLL
+FFFFE287=C:\WINDOWS\SYSTEM\MSGSRV32.EXE
+FFFE0B63=C:\WINDOWS\SYSTEM\MPREXE.EXE
+FFFE78B3=C:\WINDOWS\EXPLORER.EXE
+FFFFFC87=C:\WINDOWS\RUNDLL32.EXE
+FFFDA7F7=C:\STARTDRECK\STARTDRECK.EXE
»Application specific



Hope this helps :flowers:

#10 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:03:14 AM

Posted 20 May 2005 - 08:32 PM

Hello Irene,

Startdreck is a big help. :thumbsup: It shows me the problem file for the temp se.dll issue is still there.

»RunServicesOnce
**z=rundll32 C:\WINDOWS\RUNHEHP.CAB,DllGetClassObject


Killbox tutorial:
http://forum.malwareremoval.com/viewtopic.php?t=320

Download KillBox to the desktop.

Run Killbox program, in the field labeled "Full Path of File to Delete" enter

C:\WINDOWS\RUNHEHP.CAB

Select the "Delete on Reboot" option and click on the Red X (delete file). When it asks if you would like to Reboot now, press the Yes button.

If you get a "PendingFileRenameOperations Registry Data has been Removed by External Process!" message then just restart manually.

*********************************************

IMPORTANT: Killbox must accept this file path for the se.dll to be removed.

If Killbox "cannot find file" C:\WINDOWS\RUNHEHP.CAB, then you will need to reboot to DOS mode and delete it from the DOS command line.

To delete in DOS mode, insert your Windows Me Boot Disk and restart the computer.
When it reboots to the DOS prompt, type in: C: and press the ENTER key.
Then type in: cd windows and press the ENTER key.
Then type in: del RUNHEHP.CAB and press the ENTER key, and confirm the file delete (Y for Yes).
Then type in EXIT, remove the boot disk and let the computer boot to normal Windows mode.

*********************************************
  • Download DLLCompare.
  • Double-click on DllCompare.exe to run the program.
  • Click "Run Locate.com" and it will scan your system for files.
  • Once the scan has finished click "Compare" to compare your files to valid Windows files.
  • Once it has finished comparing click "Make a Log of what was found".
  • Click "Yes" at the View Log file? prompt to view the log.
  • Copy and paste the entire log into this topic.
  • If you accidentally close out of the log it is also saved as log.txt to where you saved DllCompare.exe.
  • Click "Exit" to exit DLLCompare.

*********************************************

Please repost a new HijackThis log, a new Startdreck log and the DLLCompare log.

Edited by SifuMike, 20 May 2005 - 08:56 PM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!




Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.
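The two indicators Mike keys on in this post, a RunServicesOnce entry that has rundll32 load a .CAB instead of a .DLL, and an IE Search Bar pointing at a res:// page inside a DLL under TEMP, can be picked out of a HijackThis or StartDreck log mechanically. The script below is an added example for this thread, not code from HijackThis, StartDreck or any poster. Its sample log is constructed from entries shown in the thread plus benign LoadPowerProfile and firewall entries for contrast, and the section-aware handling of StartDreck's "»" headers is an assumption drawn from the log layout posted above.

```python
"""Triage autostart and IE-setting lines from HijackThis / StartDreck style logs.

Added example for this thread: not code from HijackThis, StartDreck or any
poster. Section-aware handling of StartDreck's "»" headers is an assumption
drawn from the log layout shown in the thread.
"""
import re

# Constructed sample: the RunServicesOnce entry and Search Bar hijack from the
# thread, plus benign LoadPowerProfile / firewall entries for contrast.
SAMPLE_LOG = r"""
»RunServices
*LoadPowerProfile=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
»RunServicesOnce
**z=rundll32 C:\WINDOWS\RUNHEHP.CAB,DllGetClassObject
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/spage.html
O4 - HKLM\..\Run: [Personal Firewall] C:\Program Files\Wanadoo\PC Firewall\PFWall.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
"""

# rundll32 [path\]module,ExportName  -- the module is a .dll on a healthy machine
RUNDLL_RE = re.compile(
    r'rundll32(?:\.exe)?\s+"?(?P<module>[^,"]+?)"?\s*,\s*(?P<export>\S+)', re.IGNORECASE)
# StartDreck entry:  *Name=command   (StartDreck marks the one Mike points at with **)
SD_ENTRY_RE = re.compile(r"^\*+(?P<name>[^=]+)=(?P<command>.*)$")
# HijackThis O4 autostart: O4 - HKLM\..\Run: [Name] command
HJT_O4_RE = re.compile(r"^O4 - (?P<key>.+?): \[(?P<name>[^\]]+)\] (?P<command>.*)$")
# HijackThis R0/R1 IE setting: R1 - key,Value = data
HJT_R_RE = re.compile(r"^R[01] - (?P<key>[^,]+),(?P<value>[^=]+?)\s*=\s*(?P<data>.*)$")

ONE_SHOT_KEYS = {"runonce", "runservicesonce", "runonceex", "runservicesonceex"}


def check_command(command):
    """Findings for one autostart command string; empty list if nothing stands out."""
    findings = []
    m = RUNDLL_RE.search(command)
    if m:
        module = m.group("module").strip()
        basename = module.rsplit("\\", 1)[-1]
        ext = basename.rsplit(".", 1)[-1].lower() if "." in basename else ""
        if ext != "dll":
            # rundll32 loads whatever PE it is handed regardless of extension;
            # the thread's RUNHEHP.CAB is exactly this trick.
            findings.append(f"rundll32 loads a non-DLL module ({ext or 'no'} extension): {module}")
    if "\\temp\\" in command.lower():
        findings.append("command references a file under a TEMP folder")
    return findings


def triage(log_text):
    """Return [(line, [findings...])] for every suspicious line in the log text."""
    results = []
    section = ""
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("»"):          # StartDreck section header
            section = line[1:].strip()
            continue
        findings = []
        key = command = None
        if (sd := SD_ENTRY_RE.match(line)):
            key, command = section, sd.group("command")
        elif (o4 := HJT_O4_RE.match(line)):
            key, command = o4.group("key"), o4.group("command")
        elif (r := HJT_R_RE.match(line)):
            data = r.group("data").strip()
            if data.lower().startswith("res://") and "\\temp\\" in data.lower():
                findings.append(
                    f"IE '{r.group('value').strip()}' served from a res:// page inside a DLL in TEMP: {data}")
        else:
            continue
        if command is not None:
            findings.extend(check_command(command))
            if findings and key.rsplit("\\", 1)[-1].lower() in ONE_SHOT_KEYS:
                findings.append(
                    f"sits in one-shot key '{key}': an entry that is back in every new log is being re-created at each boot")
        if findings:
            results.append((line, findings))
    return results


if __name__ == "__main__":
    for line, findings in triage(SAMPLE_LOG):
        print(line)
        for f in findings:
            print("   ->", f)
```

Run as-is it reports only the two hostile lines; the LoadPowerProfile entries, which also go through Rundll32, pass because powrprof.dll is a real DLL. The one-shot check is what explains the thread: RunServicesOnce is supposed to run an entry once and remove it, so the same command showing up under a fresh random name (z, cb) in every new StartDreck log means something else on disk is re-writing it at each boot.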

#11 Irene

Irene
  • Topic Starter

  • Members
  • 10 posts
  • Local time:05:14 AM

Posted 22 May 2005 - 03:33 AM

Alright, Mike, here we go again :thumbsup:
-----------------------------------------
Logfile of HijackThis v1.99.1
Scan saved at 10:22:08, on 22-5-2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\WANADOO\PC FIREWALL\PFWALL.EXE
C:\PROGRAM FILES\WANADOO\ANTIVIRUS\AVREALTIME.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\BILLP STUDIOS\WINPATROL\WINPATROL.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\DOWNLOADS\HIJACK THIS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [Taakcontrole] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Personal Firewall] C:\Program Files\Wanadoo\PC Firewall\PFWall.exe
O4 - HKLM\..\Run: [Preventon RealTime Antivirus] C:\Program Files\Wanadoo\Antivirus\AVRealTime.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [WinPatrol] C:\PROGRAM FILES\BILLP STUDIOS\WINPATROL\winpatrol.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmesse...pdownloader.cab

-----------------------------------------------------------------------------------------
StartDreck (build 2.1.7 public stable) - 2005-05-22 @ 10:24:47 (GMT +02:00)
Platform: Windows ME (Win 4.90.3000 )
Internet Explorer: 6.0.2800.1106
Logged in as Irene at IRENE

»Registry
»Run Keys
»Current User
»Run
»RunOnce
»Default User
»Run
»RunOnce
»Local Machine
»Run
*ScanRegistry=C:\WINDOWS\scanregw.exe /autorun
*Taakcontrole=C:\WINDOWS\taskmon.exe
*SystemTray=SysTray.Exe
*Personal Firewall=C:\Program Files\Wanadoo\PC Firewall\PFWall.exe
*Preventon RealTime Antivirus=C:\Program Files\Wanadoo\Antivirus\AVRealTime.exe
*LoadQM=loadqm.exe
*TaskMonitor=C:\WINDOWS\taskmon.exe
*PCHealth=C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
*LoadPowerProfile=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
*WinPatrol=C:\PROGRAM FILES\BILLP STUDIOS\WINPATROL\winpatrol.exe
+OptionalComponents
+MSFS
*Installed=1
+MAPI
*Installed=1
*NoChange=1
+MAPI
*Installed=1
*NoChange=1
»RunOnce
»RunServices
*LoadPowerProfile=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
»RunServicesOnce
**cb=rundll32 C:\WINDOWS\RUNHEHP.CAB,DllGetClassObject
»RunOnceEx
»RunServicesOnceEx
»Files
»Autostart Folders
»Current User
*C:\WINDOWS\Start Menu\Programma's\Opstarten\Microsoft Office.lnk
»Default User
*C:\WINDOWS\Start Menu\Programma's\Opstarten\Microsoft Office.lnk
»Local Machine
»System/Drivers
»Running Processes
+FFEF0C95=C:\WINDOWS\SYSTEM\KERNEL32.DLL
+FFFF4AF9=C:\WINDOWS\SYSTEM\MSGSRV32.EXE
+FFFFEAC5=C:\WINDOWS\SYSTEM\mmtask.tsk
+FFFFE009=C:\WINDOWS\SYSTEM\MPREXE.EXE
+FFFFD581=C:\WINDOWS\RUNDLL32.EXE
+FFFE25F1=C:\WINDOWS\EXPLORER.EXE
+FFFD3791=C:\WINDOWS\SYSTEM\SYSTRAY.EXE
+FFFD0C91=C:\PROGRAM FILES\WANADOO\PC FIREWALL\PFWALL.EXE
+FFFD4489=C:\PROGRAM FILES\WANADOO\ANTIVIRUS\AVREALTIME.EXE
+FFFD52F5=C:\WINDOWS\TASKMON.EXE
+FFFDAEF9=C:\WINDOWS\LOADQM.EXE
+FFFED009=C:\PROGRAM FILES\BILLP STUDIOS\WINPATROL\WINPATROL.EXE
+FFFE8971=C:\WINDOWS\SYSTEM\WMIEXE.EXE
+FFFE4281=C:\STARTDRECK\STARTDRECK.EXE
»Application specific

---------------------------------------------------------------
* DLLCompare Log version(1.0.0.127)
Files Found that Windows does not See or cannot Access
*Not everything listed here means you are infected!
________________________________________________

O^E says: "There were no files found :flowers:"
________________________________________________

726 items found: 726 files, 0 directories.
Total of file sizes: 136.627.248 bytes 130,30 M

--------------------End log---------------------


That's it Mike :trumpet:








Edit: I did an Ad-Aware scan and this is what it found:


Ad-Aware SE Build 1.05
Logfile Created on:zondag 22 mei 2005 11:13:45
Created with Ad-Aware SE Personal, free for private use.
Using definitions file:SE1R46 17.05.2005
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

References detected during the scan:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
MRU List(TAC index:0):7 total references
Windows(TAC index:3):5 total references
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Ad-Aware SE Settings
===========================
Set : Search for negligible risk entries
Set : Safe mode (always request confirmation)
Set : Scan active processes
Set : Scan registry
Set : Deep-scan registry
Set : Scan my IE Favorites for banned URLs
Set : Scan my Hosts file

Extended Ad-Aware SE Settings
===========================
Set : Unload recognized processes & modules during scan
Set : Scan registry for all users instead of current user only
Set : Always try to unload modules before deletion
Set : Let Windows remove files in use at next reboot
Set : Delete quarantined objects after restoring
Set : Include basic Ad-Aware settings in log file
Set : Include additional Ad-Aware settings in log file
Set : Include reference summary in log file
Set : Include alternate data stream details in log file
Set : Play sound at scan completion if scan locates critical objects


22-5-2005 11:13:45 - Scan started. (Smart mode)

Listing running processes
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

#:1 [KERNEL32.DLL]
FilePath : C:\WINDOWS\SYSTEM\
ProcessID : 4293856405
Threads : 5
Priority : High
FileVersion : 4.90.3000
ProductVersion : 4.90.3000
ProductName : Besturingssysteem Microsoft® Windows® Millennium
CompanyName : Microsoft Corporation
FileDescription : Win32 Kernel-kerncomponent
InternalName : KERNEL32
LegalCopyright : Copyright © Microsoft Corp. 1991-2000
OriginalFilename : KERNEL32.DLL

#:2 [MSGSRV32.EXE]
FilePath : C:\WINDOWS\SYSTEM\
ProcessID : 4294920953
Threads : 1
Priority : Normal
FileVersion : 4.90.3000
ProductVersion : 4.90.3000
ProductName : Besturingssysteem Microsoft® Windows® Millennium
CompanyName : Microsoft Corporation
FileDescription : Windows 32-bits VxD-berichtserver
InternalName : MSGSRV32
LegalCopyright : Copyright © Microsoft Corp. 1992-1998
OriginalFilename : MSGSRV32.EXE

#:3 [mmtask.tsk]
FilePath : C:\WINDOWS\SYSTEM\
ProcessID : 4294961861
Threads : 1
Priority : Normal
FileVersion : 4.90.3000
ProductVersion : 4.90.3000
ProductName : Microsoft Windows
CompanyName : Microsoft Corporation
FileDescription : Multimedia background task support module
InternalName : mmtask.tsk
LegalCopyright : Copyright © Microsoft Corp. 1991-2000
OriginalFilename : mmtask.tsk

#:4 [MPREXE.EXE]
FilePath : C:\WINDOWS\SYSTEM\
ProcessID : 4294959113
Threads : 3
Priority : Normal
FileVersion : 4.90.3000
ProductVersion : 4.90.3000
ProductName : Microsoft® Windows® Millennium Operating System
CompanyName : Microsoft Corporation
FileDescription : WIN32 Network Interface Service Process
InternalName : MPREXE
LegalCopyright : Copyright © Microsoft Corp. 1993-2000
OriginalFilename : MPREXE.EXE

#:5 [EXPLORER.EXE]
FilePath : C:\WINDOWS\
ProcessID : 4294845937
Threads : 14
Priority : Normal
FileVersion : 5.50.4134.100
ProductVersion : 5.50.4134.100
ProductName : Besturingssysteem Microsoft® Windows ® 2000
CompanyName : Microsoft Corporation
FileDescription : Windows Verkenner
InternalName : explorer
LegalCopyright : Copyright © Microsoft Corp. 1981-2000
OriginalFilename : EXPLORER.EXE

#:6 [SYSTRAY.EXE]
FilePath : C:\WINDOWS\SYSTEM\
ProcessID : 4294784913
Threads : 3
Priority : Normal
FileVersion : 4.90.3000
ProductVersion : 4.90.3000
ProductName : Besturingssysteem Microsoft® Windows® Millennium
CompanyName : Microsoft Corporation
FileDescription : Systeemwerkblad-applet
InternalName : SYSTRAY
LegalCopyright : Copyright © Microsoft Corp. 1993-2000
OriginalFilename : SYSTRAY.EXE

#:7 [PFWALL.EXE]
FilePath : C:\PROGRAM FILES\WANADOO\PC FIREWALL\
ProcessID : 4294773905
Threads : 5
Priority : Normal
FileVersion : 2.0.39.1028
ProductVersion : 2.0
ProductName : Wanadoo PC Firewall
CompanyName : Wanadoo
FileDescription : Wanadoo PC Firewall
LegalCopyright : Copyright © Wanadoo Nederland B.V. en/of licentiegever 2004

#:8 [AVREALTIME.EXE]
FilePath : C:\PROGRAM FILES\WANADOO\ANTIVIRUS\
ProcessID : 4294788233
Threads : 4
Priority : Normal
FileVersion : 2.0.20.510
ProductVersion : 2.0
ProductName : Wanadoo Anti Virus
CompanyName : Wanadoo
FileDescription : AV Realtime
LegalCopyright : Copyright © Wanadoo Nederland B.V. en/of licentiegever 2004

#:9 [TASKMON.EXE]
FilePath : C:\WINDOWS\
ProcessID : 4294791925
Threads : 2
Priority : Normal
FileVersion : 4.90.3000
ProductVersion : 4.90.3000
ProductName : Microsoft® Windows® Millennium Operating System
CompanyName : Microsoft Corporation
FileDescription : Task Monitor
InternalName : TaskMon
LegalCopyright : Copyright © Microsoft Corp. 1998
OriginalFilename : TASKMON.EXE

#:10 [LOADQM.EXE]
FilePath : C:\WINDOWS\
ProcessID : 4294815481
Threads : 4
Priority : Normal
FileVersion : 5.4.1103.3
ProductVersion : 5.4.1103.3
ProductName : QMgr Loader
CompanyName : Microsoft Corporation
FileDescription : Microsoft QMgr
InternalName : LOADQM.EXE
LegalCopyright : Copyright © Microsoft Corp. 1981-1999
OriginalFilename : LOADQM.EXE

#:11 [WINPATROL.EXE]
FilePath : C:\PROGRAM FILES\BILLP STUDIOS\WINPATROL\
ProcessID : 4294889481
Threads : 2
Priority : Normal
FileVersion : 9, 1, 0, 0
ProductVersion : 9.1.0.0
ProductName : WinPatrol Monitor
CompanyName : BillP Studios
FileDescription : WinPatrol System Monitor
InternalName : WinPatrol Monitor
LegalCopyright : Copyright © 1997- 2005 BillP Studios
OriginalFilename : Scotty
Comments : Let Scotty the Windows Watchdog patrol your system.

#:12 [WMIEXE.EXE]
FilePath : C:\WINDOWS\SYSTEM\
ProcessID : 4294871409
Threads : 4
Priority : Normal
FileVersion : 4.90.2452.1
ProductVersion : 4.90.2452.1
ProductName : Microsoft® Windows® Millennium Operating System
CompanyName : Microsoft Corporation
FileDescription : WMI service exe housing
InternalName : wmiexe
LegalCopyright : Copyright © Microsoft Corp. 1981-1999
OriginalFilename : wmiexe.exe

#:13 [AD-AWARE.EXE]
FilePath : C:\PROGRAM FILES\LAVASOFT\AD-AWARE SE PERSONAL\
ProcessID : 4294738445
Threads : 3
Priority : Normal
FileVersion : 6.2.0.206
ProductVersion : VI.Second Edition
ProductName : Lavasoft Ad-Aware SE
CompanyName : Lavasoft Sweden
FileDescription : Ad-Aware SE Core application
InternalName : Ad-Aware.exe
LegalCopyright : Copyright © Lavasoft Sweden
OriginalFilename : Ad-Aware.exe
Comments : All Rights Reserved

Memory scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 0


Started registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Windows Object Recognized!
Type : RegData
Data : "c:\program files\wanadoo\antivirus\avfilemon.exe" %1 %*
Category : Vulnerability
Comment : Possible virus infection, BAT file extension compromised
Rootkey : HKEY_CLASSES_ROOT
Object : batfile\shell\open\command
Value :
Data : "c:\program files\wanadoo\antivirus\avfilemon.exe" %1 %*

Windows Object Recognized!
Type : RegData
Data : "c:\program files\wanadoo\antivirus\avfilemon.exe" %1 %*
Category : Vulnerability
Comment : Possible virus infection, COM file extension compromised
Rootkey : HKEY_CLASSES_ROOT
Object : comfile\shell\open\command
Value :
Data : "c:\program files\wanadoo\antivirus\avfilemon.exe" %1 %*

Windows Object Recognized!
Type : RegData
Data : "c:\program files\wanadoo\antivirus\avfilemon.exe" %1 %*
Category : Vulnerability
Comment : Possible virus infection, executable file extension compromised
Rootkey : HKEY_CLASSES_ROOT
Object : exefile\shell\open\command
Value :
Data : "c:\program files\wanadoo\antivirus\avfilemon.exe" %1 %*

Windows Object Recognized!
Type : RegData
Data : "c:\program files\wanadoo\antivirus\avfilemon.exe" %1 %*
Category : Vulnerability
Comment : Possible virus infection, PIF file extension compromised
Rootkey : HKEY_CLASSES_ROOT
Object : piffile\shell\open\command
Value :
Data : "c:\program files\wanadoo\antivirus\avfilemon.exe" %1 %*

Windows Object Recognized!
Type : RegData
Data : "c:\program files\wanadoo\antivirus\avfilemon.exe" %1 %*
Category : Vulnerability
Comment : Possible virus infection, SCR file extension compromised
Rootkey : HKEY_CLASSES_ROOT
Object : scrfile\shell\open\command
Value :
Data : "c:\program files\wanadoo\antivirus\avfilemon.exe" %1 %*

Registry Scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 5
Objects found so far: 5


Started deep registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Deep registry scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 5


Started Tracking Cookie scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»


Tracking cookie scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 5



Deep scanning and examining files...
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Disk Scan Result for C:\WINDOWS
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 5

Disk Scan Result for C:\WINDOWS\SYSTEM
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 5

Disk Scan Result for C:\WINDOWS\TEMP\
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 5

MRU List Object Recognized!
Location: : C:\WINDOWS\Application Data\microsoft\office\recent
Description : list of recently opened documents using microsoft office


MRU List Object Recognized!
Location: : .DEFAULT\software\adobe\acrobat reader\6.0\avgeneral\crecentfiles
Description : list of recently used files in adobe reader


MRU List Object Recognized!
Location: : .DEFAULT\software\microsoft\mediaplayer\preferences
Description : last playlist index loaded in microsoft windows media player


MRU List Object Recognized!
Location: : .DEFAULT\software\microsoft\mediaplayer\preferences
Description : last playlist loaded in microsoft windows media player


MRU List Object Recognized!
Location: : .DEFAULT\software\microsoft\windows\currentversion\applets\wordpad\recent file list
Description : list of recent files opened using wordpad


MRU List Object Recognized!
Location: : .DEFAULT\software\nico mak computing\winzip\filemenu
Description : winzip recently used archives


MRU List Object Recognized!
Location: : .DEFAULT\software\microsoft\windows media\wmsdk\general
Description : windows media sdk



Performing conditional scans...
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Conditional scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 12

11:15:24 Scan Complete

Summary Of This Scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Total scanning time:00:01:38.590
Objects scanned:31988
Objects identified:5
Objects ignored:0
New critical objects:5

Edited by Irene, 22 May 2005 - 04:21 AM.
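The five Ad-Aware "Vulnerability" hits in the log above are one finding repeated: the `shell\open\command` handler for .bat, .com, .exe, .pif and .scr has been replaced by Wanadoo's avfilemon.exe, which wraps every launch so the on-access scanner sees it. Ad-Aware reports any deviation from the stock `"%1" %*`, so the triage question for a defender is who the wrapper is. The script below is an added example, not Ad-Aware's code or any poster's; it parses those records and cross-checks the wrapper's directory against the running-process list from the HijackThis log. The first sample record reproduces the avfilemon.exe hit from Irene's log; the second, a wrapper under TEMP, is a constructed placeholder for contrast and appears nowhere in the thread.

```python
r"""Review Ad-Aware "Windows Object Recognized!" records for shell\open\command handlers.

Added example for this thread: not Ad-Aware's code or any poster's. The
cross-check against the HijackThis running-process list is this example's
own heuristic.
"""
import re

DEFAULT_OPEN_COMMAND = '"%1" %*'   # stock handler for exefile, batfile, comfile, piffile, scrfile

# Constructed sample: the first record reproduces the avfilemon.exe hit from
# Irene's log; the second is a made-up wrapper under TEMP for contrast and
# does not appear anywhere in the thread.
SAMPLE_ADAWARE = r"""
Windows Object Recognized!
Type : RegData
Data : "c:\program files\wanadoo\antivirus\avfilemon.exe" %1 %*
Category : Vulnerability
Comment : Possible virus infection, executable file extension compromised
Rootkey : HKEY_CLASSES_ROOT
Object : exefile\shell\open\command
Value :
Data : "c:\program files\wanadoo\antivirus\avfilemon.exe" %1 %*

Windows Object Recognized!
Type : RegData
Data : "C:\WINDOWS\TEMP\sample_wrapper.exe" "%1" %*
Category : Vulnerability
Comment : constructed record, unknown wrapper under TEMP
Rootkey : HKEY_CLASSES_ROOT
Object : scrfile\shell\open\command
Value :
Data : "C:\WINDOWS\TEMP\sample_wrapper.exe" "%1" %*
"""

# Running processes as HijackThis listed them in this thread (subset).
RUNNING_PROCESSES = [
    r"C:\WINDOWS\SYSTEM\SYSTRAY.EXE",
    r"C:\PROGRAM FILES\WANADOO\PC FIREWALL\PFWALL.EXE",
    r"C:\PROGRAM FILES\WANADOO\ANTIVIRUS\AVREALTIME.EXE",
]

FIELD_RE = re.compile(r"^(\w+)\s*:\s*(.*)$")
# Leading executable of a handler command, quoted or not, followed by its arguments.
WRAPPER_RE = re.compile(r'^"?(?P<exe>[^"]+?\.exe)"?\s+(?P<args>.*)$', re.IGNORECASE)


def parse_records(text):
    """Split Ad-Aware output into one dict of field -> value per 'Windows Object Recognized!'."""
    records, current = [], None
    for line in text.splitlines():
        line = line.strip()
        if line == "Windows Object Recognized!":
            current = {}
            records.append(current)
            continue
        m = FIELD_RE.match(line)
        if m and current is not None:
            # Ad-Aware prints Data twice per record with the same value; the later one wins.
            current[m.group(1)] = m.group(2).strip()
    return records


def classify_handler(data, running_dirs=frozenset()):
    r"""Return (status, wrapper_exe) for one shell\open\command value."""
    data = data.strip()
    if data == DEFAULT_OPEN_COMMAND:
        return "default", None
    m = WRAPPER_RE.match(data)
    if not m:
        return "unparsed", None
    exe = m.group("exe")
    exe_dir = exe.rsplit("\\", 1)[0].lower()
    if exe_dir in running_dirs:
        # Same folder as a product that is visibly running (here the Wanadoo AV).
        return "wrapped-by-running-product", exe
    if "\\temp\\" in exe.lower():
        return "wrapped-from-temp", exe
    return "wrapped-unknown", exe


def review(adaware_text, running_processes):
    r"""[(object, status, wrapper_exe)] for every shell\open\command record in the log."""
    running_dirs = {p.rsplit("\\", 1)[0].lower() for p in running_processes}
    out = []
    for rec in parse_records(adaware_text):
        obj = rec.get("Object", "")
        if not obj.lower().endswith(r"\shell\open\command"):
            continue
        status, exe = classify_handler(rec.get("Data", ""), running_dirs)
        out.append((obj, status, exe))
    return out


if __name__ == "__main__":
    for obj, status, exe in review(SAMPLE_ADAWARE, RUNNING_PROCESSES):
        print(f"{obj:32} {status:28} {exe}")
```

On the sample the avfilemon.exe handler classifies as "wrapped-by-running-product" because it lives in the same folder as AVREALTIME.EXE from the process list, which is why Mike does not ask Irene to remove those five entries; the TEMP placeholder comes out as "wrapped-from-temp", the case that would deserve a closer look. The directory match is a heuristic, not proof of legitimacy: a wrapper dropped into a trusted product's folder would pass it, so the file itself should still be checked.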


#12 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:03:14 AM

Posted 22 May 2005 - 10:11 AM

Hello Irene,
Looks like the file C:\WINDOWS\RUNHEHP.CAB is still there. :thumbsup:

Did you do everything I said in my last post? Or did you skip some steps?
We have to remove C:\WINDOWS\RUNHEHP.CAB to get your system clean.


Reboot into Safe Mode - you can do this by restarting your computer and continually tapping F8 until a menu appears. Use your up arrow key to highlight Safe Mode, then hit Enter.

To delete in DOS mode, insert your Windows Me Boot Disk and restart the computer.
When it reboots to the DOS prompt, type in: C: and press the ENTER key.
Then type in: cd windows and press the ENTER key.
Then type in: del RUNHEHP.CAB and press the ENTER key, and confirm the file delete (Y for Yes).
Then type in EXIT, remove the boot disk and let the computer boot to normal Windows mode.

Tell me if you complete the above step or if you have a problem with this.

Reboot your system and ignore the errors you WILL get after reboot.

Now run Startdreck and we will see if the file is gone.
Navigate to c:\startdreck and double-click on Startdreck.exe
Press 'Config'
Press 'Unmark All'

Check the following boxes only:
Registry -> Run Keys
Files> Autostart Folders
System/drivers> Running processes
Press 'Ok'

Press 'Save' and select the location to save the log file
(default is the same folder as the application)
Exit StartDreck
And Post the log in this thread.

Post a new HiJackThis log and StartDreck log.




#13 Irene

Irene
  • Topic Starter

  • Members
  • 10 posts
  • Local time:05:14 AM

Posted 22 May 2005 - 11:00 AM

Deleted the file from DOS this time and got the error upon rebooting as you predicted. ;)

Here are the new logs:


StartDreck (build 2.1.7 public stable) - 2005-05-22 @ 17:57:10 (GMT +02:00)
Platform: Windows ME (Win 4.90.3000 )
Internet Explorer: 6.0.2800.1106
Logged in as Irene at IRENE

»Registry
»Run Keys
»Current User
»Run
»RunOnce
»Default User
»Run
»RunOnce
»Local Machine
»Run
*ScanRegistry=C:\WINDOWS\scanregw.exe /autorun
*Taakcontrole=C:\WINDOWS\taskmon.exe
*SystemTray=SysTray.Exe
*Personal Firewall=C:\Program Files\Wanadoo\PC Firewall\PFWall.exe
*Preventon RealTime Antivirus=C:\Program Files\Wanadoo\Antivirus\AVRealTime.exe
*LoadQM=loadqm.exe
*TaskMonitor=C:\WINDOWS\taskmon.exe
*PCHealth=C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
*LoadPowerProfile=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
*WinPatrol=C:\PROGRAM FILES\BILLP STUDIOS\WINPATROL\winpatrol.exe
+OptionalComponents
+MSFS
*Installed=1
+MAPI
*Installed=1
*NoChange=1
+MAPI
*Installed=1
*NoChange=1
»RunOnce
»RunServices
*LoadPowerProfile=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
»RunServicesOnce
»RunOnceEx
»RunServicesOnceEx
»Files
»Autostart Folders
»Current User
*C:\WINDOWS\Start Menu\Programma's\Opstarten\Microsoft Office.lnk
»Default User
*C:\WINDOWS\Start Menu\Programma's\Opstarten\Microsoft Office.lnk
»Local Machine
»System/Drivers
»Running Processes
+FFEF06F7=C:\WINDOWS\SYSTEM\KERNEL32.DLL
+FFFF409B=C:\WINDOWS\SYSTEM\MSGSRV32.EXE
+FFFFE0A7=C:\WINDOWS\SYSTEM\mmtask.tsk
+FFFFEA6B=C:\WINDOWS\SYSTEM\MPREXE.EXE
+FFFE6D4B=C:\WINDOWS\EXPLORER.EXE
+FFFEE39B=C:\WINDOWS\TASKMON.EXE
+FFFEEE9B=C:\WINDOWS\SYSTEM\SYSTRAY.EXE
+FFFD3FE3=C:\PROGRAM FILES\WANADOO\PC FIREWALL\PFWALL.EXE
+FFFD7577=C:\PROGRAM FILES\WANADOO\ANTIVIRUS\AVREALTIME.EXE
+FFFD1C37=C:\WINDOWS\LOADQM.EXE
+FFFD59B3=C:\PROGRAM FILES\BILLP STUDIOS\WINPATROL\WINPATROL.EXE
+FFFDBABB=C:\WINDOWS\SYSTEM\WMIEXE.EXE
+FFFC544F=C:\PROGRAM FILES\MOZILLA FIREFOX\FIREFOX.EXE
+FFFB9FEB=C:\STARTDRECK\STARTDRECK.EXE
»Application specific



Logfile of HijackThis v1.99.1
Scan saved at 17:57:56, on 22-5-2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\WANADOO\PC FIREWALL\PFWALL.EXE
C:\PROGRAM FILES\WANADOO\ANTIVIRUS\AVREALTIME.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\BILLP STUDIOS\WINPATROL\WINPATROL.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\MOZILLA FIREFOX\FIREFOX.EXE
C:\STARTDRECK\STARTDRECK.EXE
C:\WINDOWS\NOTEPAD.EXE
C:\DOWNLOADS\HIJACK THIS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [Taakcontrole] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Personal Firewall] C:\Program Files\Wanadoo\PC Firewall\PFWall.exe
O4 - HKLM\..\Run: [Preventon RealTime Antivirus] C:\Program Files\Wanadoo\Antivirus\AVRealTime.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [WinPatrol] C:\PROGRAM FILES\BILLP STUDIOS\WINPATROL\winpatrol.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmesse...pdownloader.cab

#14 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:03:14 AM

Posted 22 May 2005 - 12:23 PM

Hello Irene,

Hooray! :thumbsup: That bad file is not in the StartDreck log.

The log looks clean! :flowers: Good job on the cleanup!

How is your computer working?

Please read and follow
How did I get infected?, With steps so it does not happen again!




#15 Irene

Irene
  • Topic Starter

  • Members
  • 10 posts
  • Local time:05:14 AM

Posted 22 May 2005 - 01:46 PM

YES! :thumbsup:

Computer runs fine, but shouldn't I also delete some of those R0-things from the Hijack Log?

Thanks for all the help Mike. :flowers:

I hope this won't happen again, especially since I have taken all measures.



