
hijack this log please


7 replies to this topic

#1 Lyna

  • Members
  • 22 posts

Posted 16 May 2005 - 12:44 AM

Hi all, I have some problems. AVG picks up this trojan called "trojan collected.AE"; if I delete it or heal it, it will eventually return. One thing for sure is that it always comes back when I connect to the net, and this website also pops up; I forgot the address, www... something to do with acid server or something. I'm not sure if this is related to the trojan, but whenever I save a JPEG on my PC the name of the picture appears without the g, looking like this: "picture.jpe"; it should be "picture.jpeg"?? I have updated and used Spybot S&D and Ad-Aware, and I have taken the Panda Software ActiveScan online scan, and the trojan still pops up when I connect to the net. Please help me get rid of it. My computer seems to load much slower than usual when I start it up.

Here's the log file:

Logfile of HijackThis v1.99.1
Scan saved at 5:33:00 PM, on 5/16/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\SYGATE\SPF\SMC.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\WBEM\WINMGMT.EXE
C:\DS.EXE
C:\WINS.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\PROGRAM FILES\WINAMP\WINAMP.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\EVNTSVC.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\RNDAL.EXE
C:\PROGRAM FILES\HIJACKTHIS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.nz/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://xtramsn.co.nz/home
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by ZFREE
F1 - win.ini: run=hpfsched
O2 - BHO: bho2gr Class - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - C:\Program Files\GetRight\xx2gr.dll
O3 - Toolbar: @C:\PROGRAM FILES\FAILSAFE\GUARDIE\PNIE.DLL,-100 - {37C8204D-97C3-4127-BB28-1BFF3FA2F7DA} - C:\PROGRAM FILES\FAILSAFE\GUARDIE\PNIE.DLL
O3 - Toolbar: procforrect - {0FD67BCE-3D36-47DF-D9B2-AE92092E5496} - C:\PROGRAM FILES\GPL INFO LONG\PHONESAVE.DLL (file missing)
O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\PROGRAM FILES\MSN TOOLBAR\01.01.1601.0\EN-US\MSNTB.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~2\SYGATE\SPF\SMC.EXE -startgui
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKLM\..\Run: [Windows] SYSTEM.EXE
O4 - HKLM\..\Run: [REGRUN] C:\DS.EXE
O4 - HKLM\..\Run: [Anti-Virus Update Scheduler V1.39.12R] C:\WINS.EXE
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~2\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~2\GRISOFT\AVGFRE~1\AVGEMC.EXE
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~2\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SmcService] C:\PROGRAM FILES\SYGATE\SPF\SMC.EXE
O4 - HKLM\..\RunServices: [Windows] SYSTEM.EXE
O4 - HKCU\..\Run: [msnmsgr] "C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE" /background
O8 - Extra context menu item: Sothink SWF Decompiler - C:\Program Files\SourceTec\Sothink SWF Decompiler\InternetExplorer.htm
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YPAGER.EXE
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YPAGER.EXE
O9 - Extra button: (no name) - {BDD75188-2FC0-4099-909F-AA8D432BE037} - C:\PROGRAM FILES\FAILSAFE\GUARDIE\PNIE.DLL
O9 - Extra 'Tools' menuitem: @C:\PROGRAM FILES\FAILSAFE\GUARDIE\PNIE.DLL,-100 - {BDD75188-2FC0-4099-909F-AA8D432BE037} - C:\PROGRAM FILES\FAILSAFE\GUARDIE\PNIE.DLL
O9 - Extra button: SWFDecompiler - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\SourceTec\Sothink SWF Decompiler\InternetExplorer.htm (file missing)
O9 - Extra 'Tools' menuitem: Sothink SWF Decompiler - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\SourceTec\Sothink SWF Decompiler\InternetExplorer.htm (file missing)
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O16 - DPF: {81361155-FAF9-11D3-B0D3-00C04F612FF1} (MSN Chat Control 3.0) - http://fdl.msn.com/public/chat/msnchat3.cab
O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Control) - http://content.communities.msn.com/cs/MsnPUpld.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/cha...v43/yacscom.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {72770C4F-967D-4517-982B-92D6B9015649} (DigWebHelper Class) - http://photos.msn.com/resources/neutral/co...X.cab?9,0,712,0
O16 - DPF: {5D9E4B6D-CD17-4D85-99D4-6A52B394EC3B} (WSDownloader Control) - http://www.webshots.com/samplers/WSDownloader.ocx
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall-beta.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab

Edited by Lyna, 16 May 2005 - 12:47 AM.



#2 SifuMike

    malware expert

  • Staff Emeritus
  • 15,385 posts
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 16 May 2005 - 02:12 PM

Hello Lyna,

You have Backdoor.Heplane, which is a back door Trojan that allows a remote attacker to have unauthorized access to the compromised computer. It also acts as a proxy server. :thumbsup:

Run Symantec Online virus scanner
http://security.symantec.com/sscv6/default...id=ie&venid=sym

Let it delete whatever it finds.

***************************************************

Please download, update and run the free A2 (A squared) anti-trojan

Let it fix whatever it wants to.

***************************************************


You have several suspicious files we need to check.
Go to Jotti's malware scan, press the Browse button, and find C:\DS.EXE, then upload and scan it.

Then run it again and put in C:\WINS.EXE

Let me know the result of each scan.
Copy and paste the outputs to this thread.

The output should look something like this sample:

File: GoogleToolbarInstaller.exe
Status: MIGHT BE INFECTED/MALWARE (Sandbox emulation took a long time and/or runtime packers were found, this is suspicious. Normally programs aren't packed and don't force the sandbox into lengthy emulation. Do realize no scanner issued any warning, the file can very well be harmless. Caution is advised, however.)
Packers detected: CEXE

AntiVir No viruses found (0.15 seconds taken)
Avast No viruses found (1.51 seconds taken)
BitDefender No viruses found (0.97 seconds taken)
ClamAV No viruses found (0.39 seconds taken)
Dr.Web No viruses found (0.52 seconds taken)
F-Prot Antivirus No viruses found (0.06 seconds taken)
Kaspersky Anti-Virus No viruses found (0.74 seconds taken)
mks_vir No viruses found (0.21 seconds taken)
NOD32 No viruses found (0.42 seconds taken)
Norman Virus Control No viruses found (0.40 seconds taken


Then resubmit a fresh Hijackthis log along with the Jotti virus log Scans.

Edited by SifuMike, 16 May 2005 - 02:31 PM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!




Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 Lyna

  • Topic Starter
  • Members
  • 22 posts

Posted 17 May 2005 - 08:05 PM

Yay! It's SifuMike,

OK, I took the Symantec Online virus scanner; it found quite a bit of stuff, but it did not delete them. Here is the list of the things it found:

c:\ds.exe is infected with Adware.MediaTicket
c:\ezStub.exe is infected with Adware.Ezula
c:\Program Files\hijackthis\backups\backup-20050228-162032-135 is infected with MHTMLRedir.Exploit
c:\WINDOWS\NDNuninstall4_34.exe is infected with Adware.NDotNet
c:\WINDOWS\NDNuninstall4_50.exe is infected with Adware.NDotNet
c:\WINDOWS\NDNuninstall4_50-1.exe is infected with Adware.NDotNet
c:\WINDOWS\NDNuninstall4_80.exe is infected with Adware.NDotNet
c:\WINDOWS\NDNuninstall4_88.exe is infected with Adware.NDotNet
c:\WINDOWS\Temporary Internet Files\Content.IE5\CO2JZU4A\ds[1].exe is infected with Adware.MediaTicket
c:\WINDOWS\Temporary Internet Files\Content.IE5\OSZCY531\sponsors[1].html is infected with Adware.CDT
c:\WINDOWS\Downloaded Program Files\gsda.dll is infected with Adware.GameSpyArcade
c:\WINDOWS\Downloaded Program Files\nz.exe is infected with Dialer.GBDial
c:\WINDOWS\SYSTEM\STUB.EXE is infected with Adware.Ezula


I then ran A2; it found some stuff, and I got rid of them.
And here are the results from Jotti's malware scan:

[DS.exe]

File: ds.exe
Status: INFECTED/MALWARE
MD5 25cf1defd774be3fcdedf101c3917000
Packers detected: -
Scanner results
AntiVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found Trojan.Dropper.PurityScan.G
ClamAV Found Trojan.Dropper.Purityscan.F
Dr.Web Found Trojan.PurityAd
F-Prot Antivirus Found nothing
Fortinet Found W32/LowZone.A-tr
Kaspersky Anti-Virus Found Trojan-Dropper.Win32.PurityScan.g
mks_vir Found nothing
NOD32 Found Win32/TrojanDropper.PurityScan.G.gen
Norman Virus Control Found Sandbox: W32/Malware; [ General information ]

* File length: 241729 bytes.

[ Changes to filesystem ]
* Creates file C:\WINDOWS\TEMP\installer.exe.
* Deletes file C:\WINDOWS\TEMP\installer.exe.

[ Changes to registry ]
* Creates value "REGRUN"="c:\sample.exe" in key "HKLM\Software\Microsoft\Windows\CurrentVersion\Run".
* Modifies value "CurrentLevel"="" in key "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3".
* Sets value "Flags"="" in key "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3".
* Sets value "1001"="" in key "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3".
* Sets value "1004"="" in key "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3".
* Sets value "1200"="" in key "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3".
* Sets value "1201"="" in key "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3".
* Sets value "1206"="" in key "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3".
* Sets value "1400"="" in key "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3".
* Sets value "1402"="" in key "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3".
* Sets value "1405"="" in key "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3".
* Sets value "1406"="" in key "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3".
* Sets value "1407"="" in key "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3".
* Sets value "1601"="" in key "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3".
* Sets value "1604"="" in key "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3".
VBA32 Found Embedded.Installer.Adware.PurityScan (probable variant)


[WINS.EXE]

File: wins.exe
Status: INFECTED/MALWARE (Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database)
MD5 f94e144018127424a3214a9f53bd4b24
Packers detected: -
Scanner results
AntiVir Found TR/Proxy.Fireby.A
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found BehavesLike:Trojan.FirewallBypass (probable variant)
ClamAV Found nothing
Dr.Web Found Trojan.Proxy.326
F-Prot Antivirus Found nothing
Fortinet Found W32/Staprew.B-bdr
Kaspersky Anti-Virus Found Trojan-Proxy.Win32.Fireby.b
mks_vir Found Trojan.Proxy.Fireby.B
NOD32 Found probably unknown NewHeur_PE (probable variant)
Norman Virus Control Found Sandbox: W32/Malware; [ General information ]

* File length: 49152 bytes.

[ Changes to registry ]
* Creates value "Anti-Virus Update Scheduler V1.39.12R"="c:\sample.exe" in key "HKLM\Software\Microsoft\Windows\CurrentVersion\Run".
* Creates key "HKLM\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List".
* Sets value "c:\sample.exe"="c:\sample.exe:*:Enabled:Server" in key "HKLM\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List".
* Creates key "HKLM\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List".
* Sets value "c:\sample.exe"="c:\sample.exe:*:Enabled:Server" in key "HKLM\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List".

[ Security issues ]
* Possible backdoor functionality [UNKNOWN] port 752.

[ Process/window information ]
* Will automatically restart after boot (I'll be back...).
VBA32 Found Trojan-Proxy.Win32.Fireby.b

And lastly, the new HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 1:04:14 PM, on 5/18/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\SYGATE\SPF\SMC.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\WBEM\WINMGMT.EXE
C:\DS.EXE
C:\WINS.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\WINAMP\WINAMP.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\RNDAL.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\EVNTSVC.EXE
C:\PROGRAM FILES\HIJACKTHIS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.nz/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://xtramsn.co.nz/home
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by ZFREE
F1 - win.ini: run=hpfsched
O2 - BHO: bho2gr Class - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - C:\Program Files\GetRight\xx2gr.dll
O3 - Toolbar: @C:\PROGRAM FILES\FAILSAFE\GUARDIE\PNIE.DLL,-100 - {37C8204D-97C3-4127-BB28-1BFF3FA2F7DA} - C:\PROGRAM FILES\FAILSAFE\GUARDIE\PNIE.DLL
O3 - Toolbar: procforrect - {0FD67BCE-3D36-47DF-D9B2-AE92092E5496} - C:\PROGRAM FILES\GPL INFO LONG\PHONESAVE.DLL (file missing)
O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\PROGRAM FILES\MSN TOOLBAR\01.01.1601.0\EN-US\MSNTB.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~2\SYGATE\SPF\SMC.EXE -startgui
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKLM\..\Run: [Windows] SYSTEM.EXE
O4 - HKLM\..\Run: [REGRUN] C:\DS.EXE
O4 - HKLM\..\Run: [Anti-Virus Update Scheduler V1.39.12R] C:\WINS.EXE
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~2\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~2\GRISOFT\AVGFRE~1\AVGEMC.EXE
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~2\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SmcService] C:\PROGRAM FILES\SYGATE\SPF\SMC.EXE
O4 - HKLM\..\RunServices: [Windows] SYSTEM.EXE
O4 - HKCU\..\Run: [msnmsgr] "C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE" /background
O8 - Extra context menu item: Sothink SWF Decompiler - C:\Program Files\SourceTec\Sothink SWF Decompiler\InternetExplorer.htm
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YPAGER.EXE
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YPAGER.EXE
O9 - Extra button: (no name) - {BDD75188-2FC0-4099-909F-AA8D432BE037} - C:\PROGRAM FILES\FAILSAFE\GUARDIE\PNIE.DLL
O9 - Extra 'Tools' menuitem: @C:\PROGRAM FILES\FAILSAFE\GUARDIE\PNIE.DLL,-100 - {BDD75188-2FC0-4099-909F-AA8D432BE037} - C:\PROGRAM FILES\FAILSAFE\GUARDIE\PNIE.DLL
O9 - Extra button: SWFDecompiler - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\SourceTec\Sothink SWF Decompiler\InternetExplorer.htm (file missing)
O9 - Extra 'Tools' menuitem: Sothink SWF Decompiler - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\SourceTec\Sothink SWF Decompiler\InternetExplorer.htm (file missing)
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O16 - DPF: {81361155-FAF9-11D3-B0D3-00C04F612FF1} (MSN Chat Control 3.0) - http://fdl.msn.com/public/chat/msnchat3.cab
O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Control) - http://content.communities.msn.com/cs/MsnPUpld.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/cha...v43/yacscom.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {72770C4F-967D-4517-982B-92D6B9015649} (DigWebHelper Class) - http://photos.msn.com/resources/neutral/co...X.cab?9,0,712,0
O16 - DPF: {5D9E4B6D-CD17-4D85-99D4-6A52B394EC3B} (WSDownloader Control) - http://www.webshots.com/samplers/WSDownloader.ocx
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall-beta.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab

Edited by Lyna, 17 May 2005 - 08:08 PM.


#4 SifuMike

    malware expert

  • Staff Emeritus
  • 15,385 posts
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 17 May 2005 - 09:44 PM

Hello Lyna,

Your log looks better, but we still have to fix some items. :thumbsup:

*************************************************

How to Reboot into Safe Mode
Tap the F8 key during reboot until the boot menu appears, use the arrow keys to choose "Safe Mode" from the menu, then press the "Enter" key.


Please boot into Safe Mode, go to HijackThis->Config->Misc. Tools->Open process manager. Select the following and click “Kill process” for each.
C:\DS.EXE
C:\WINS.EXE


*************************************************

While in Safe Mode, select the following with HijackThis.
With all windows (including this one!) closed (close browser/explorer windows), please select "Fix".

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://xtramsn.co.nz/home

If you do not know the following application, fix it.
O3 - Toolbar: procforrect - {0FD67BCE-3D36-47DF-D9B2-AE92092E5496} - C:\PROGRAM FILES\GPL INFO LONG\PHONESAVE.DLL (file missing)

O4 - HKLM\..\Run: [Windows] SYSTEM.EXE
O4 - HKLM\..\Run: [REGRUN] C:\DS.EXE
O4 - HKLM\..\Run: [Anti-Virus Update Scheduler V1.39.12R] C:\WINS.EXE
O4 - HKLM\..\RunServices: [Windows] SYSTEM.EXE


*************************************************
Next, we're going on a file hunt.
Go to My Computer and double-click C.
Go to the Tools menu and select 'Folder Options'.
On the 'View' tab select 'show hidden files and folders' and deselect (uncheck) 'hide protected operating system files (recommended)'.

Find and delete each of the following. If you can't delete an item, right-click it and click properties. Make sure 'read-only' is unchecked.
If you still can't delete something, right-click it and rename it to a random word. Then drag the item to a different location. Try deleting it now. If you still can't, be sure to let me know.

Delete the following files/folders in bold (Do not be concerned if they do not exist)
C:\DS.EXE <==file
C:\WINS.EXE <==file
SYSTEM.EXE <==file You will have to search for this file. It may be in C:\WINDOWS\system32\ or C:\WINDOWS\


c:\ezStub.exe <==file
c:\WINDOWS\NDNuninstall4_34.exe <==file
c:\WINDOWS\NDNuninstall4_50.exe <==file
c:\WINDOWS\NDNuninstall4_50-1.exe <==file
c:\WINDOWS\NDNuninstall4_80.exe <==file
c:\WINDOWS\NDNuninstall4_88.exe <==file
c:\WINDOWS\Downloaded Program Files\gsda.dll <==file
c:\WINDOWS\Downloaded Program Files\nz.exe <==file
c:\WINDOWS\SYSTEM\STUB.EXE <==file



*************************************************
Let's empty the temp files:

Download CCleaner and install it. (default location is best).
Select the Windows tab and run CCleaner (click Run Cleaner, bottom right); then, when it finishes scanning, click Exit.
When you see "Complete" on the top line, it's done. It's very fast.

I recommend that you DO NOT run anything under the Issues tab and the Applications tab.
To prevent accidentally running the Issues tab and Applications tab, clear all check boxes under them.

*************************************************
Finally, reboot and post a new Hijackthis log, and tell me how your computer is running.

Edited by SifuMike, 17 May 2005 - 09:46 PM.

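The autorun entries SifuMike singles out in posts #2 and #4 share two traits: a bare filename with no directory (SYSTEM.EXE) or a loose executable in the root of C:\ (DS.EXE, WINS.EXE). The Python script below is an added illustration, not part of the thread or of HijackThis: it parses the O4 lines of a HijackThis log, flags entries with those traits, and diffs two logs to confirm the entries are gone after cleanup. The sample logs are abridged O4 sections taken from the logs in this thread; the SchedulingAgent/mstask.exe allowlist is an assumption about a stock Windows 98 install.

```python
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# One HijackThis O4 line, e.g.  O4 - HKLM\..\Run: [REGRUN] C:\DS.EXE
O4_RE = re.compile(
    r"^O4 - (?P<hive>HK[A-Z]{2})\\\.\.\\(?P<key>Run[A-Za-z]*): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$"
)

# Constructed sample input: abridged O4 sections of the first and the final log
# posted in this thread (AVG7_EMC / AVG7_AMSVR lines dropped for brevity).
BEFORE_LOG = r"""
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~2\SYGATE\SPF\SMC.EXE -startgui
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKLM\..\Run: [Windows] SYSTEM.EXE
O4 - HKLM\..\Run: [REGRUN] C:\DS.EXE
O4 - HKLM\..\Run: [Anti-Virus Update Scheduler V1.39.12R] C:\WINS.EXE
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~2\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SmcService] C:\PROGRAM FILES\SYGATE\SPF\SMC.EXE
O4 - HKLM\..\RunServices: [Windows] SYSTEM.EXE
O4 - HKCU\..\Run: [msnmsgr] "C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE" /background
"""

AFTER_LOG = r"""
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~2\SYGATE\SPF\SMC.EXE -startgui
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~2\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SmcService] C:\PROGRAM FILES\SYGATE\SPF\SMC.EXE
O4 - HKCU\..\Run: [msnmsgr] "C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE" /background
"""

# Assumption for this example: on a stock Windows 98 install the Task Scheduler
# service is registered exactly this way, so its bare name is expected.
KNOWN_GOOD = {("SchedulingAgent", "mstask.exe")}


@dataclass(frozen=True)
class AutorunEntry:
    hive: str      # HKLM or HKCU
    key: str       # Run, RunServices, RunOnce, ...
    name: str      # registry value name shown in [brackets]
    command: str   # command line stored in the value


def parse_o4(log: str) -> List[AutorunEntry]:
    """Extract every O4 autorun entry from a HijackThis log; other lines are ignored."""
    entries = []
    for line in log.splitlines():
        m = O4_RE.match(line.strip())
        if m:
            entries.append(AutorunEntry(m["hive"], m["key"], m["name"], m["cmd"]))
    return entries


def image_path(command: str) -> str:
    """Return the executable image from an O4 command, dropping quotes and arguments."""
    cmd = command.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    # Unquoted: take everything up to the first executable extension followed by
    # whitespace or end of line (8.3 names like PROGRA~2 keep the path space-free).
    m = re.match(r"(.*?\.(?:exe|com|scr|bat|pif))(?:\s|$)", cmd, re.IGNORECASE)
    return m.group(1) if m else cmd.split()[0]


def why_suspicious(entry: AutorunEntry) -> Optional[str]:
    """Heuristics mirroring what the thread's expert flagged; None means no finding."""
    image = image_path(entry.command)
    if (entry.name, image.lower()) in KNOWN_GOOD:
        return None
    if "\\" not in image:
        # No directory: the loader resolves it through the PATH search order,
        # and a name like SYSTEM.EXE is chosen to look like an OS component.
        return "bare filename, no directory"
    if re.fullmatch(r"[A-Za-z]:\\[^\\]+", image):
        # Legitimate software lives under Program Files or the Windows directory;
        # a loose executable in the drive root is a typical dropper location.
        return "runs from drive root"
    return None


def suspicious_entries(log: str) -> List[Tuple[AutorunEntry, str]]:
    return [(e, r) for e in parse_o4(log) for r in [why_suspicious(e)] if r]


def removed_entries(before_log: str, after_log: str) -> Set[AutorunEntry]:
    """Autoruns present in the earlier log but gone from the later one."""
    return set(parse_o4(before_log)) - set(parse_o4(after_log))


if __name__ == "__main__":
    for entry, reason in suspicious_entries(BEFORE_LOG):
        print(f"{entry.hive}\\..\\{entry.key} [{entry.name}] -> {entry.command}: {reason}")
    print("gone after cleanup:", sorted(e.name for e in removed_entries(BEFORE_LOG, AFTER_LOG)))
```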

#5 Lyna

  • Topic Starter
  • Members
  • 22 posts

Posted 17 May 2005 - 11:27 PM

It's gone! That trojan collected.AE and that website pop-up don't appear when I connect to the net anymore, but I still have that JPEG problem though.
Here's the HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 4:28:09 PM, on 5/18/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\PROGRAM FILES\SYGATE\SPF\SMC.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\WBEM\WINMGMT.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\EVNTSVC.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\RNDAL.EXE
C:\PROGRAM FILES\HIJACKTHIS\HIJACKTHIS.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.nz/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by ZFREE
F1 - win.ini: run=hpfsched
O2 - BHO: bho2gr Class - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - C:\Program Files\GetRight\xx2gr.dll
O3 - Toolbar: @C:\PROGRAM FILES\FAILSAFE\GUARDIE\PNIE.DLL,-100 - {37C8204D-97C3-4127-BB28-1BFF3FA2F7DA} - C:\PROGRAM FILES\FAILSAFE\GUARDIE\PNIE.DLL
O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\PROGRAM FILES\MSN TOOLBAR\01.01.1601.0\EN-US\MSNTB.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~2\SYGATE\SPF\SMC.EXE -startgui
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~2\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~2\GRISOFT\AVGFRE~1\AVGEMC.EXE
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~2\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SmcService] C:\PROGRAM FILES\SYGATE\SPF\SMC.EXE
O4 - HKCU\..\Run: [msnmsgr] "C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE" /background
O8 - Extra context menu item: Sothink SWF Decompiler - C:\Program Files\SourceTec\Sothink SWF Decompiler\InternetExplorer.htm
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YPAGER.EXE
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YPAGER.EXE
O9 - Extra button: (no name) - {BDD75188-2FC0-4099-909F-AA8D432BE037} - C:\PROGRAM FILES\FAILSAFE\GUARDIE\PNIE.DLL
O9 - Extra 'Tools' menuitem: @C:\PROGRAM FILES\FAILSAFE\GUARDIE\PNIE.DLL,-100 - {BDD75188-2FC0-4099-909F-AA8D432BE037} - C:\PROGRAM FILES\FAILSAFE\GUARDIE\PNIE.DLL
O9 - Extra button: SWFDecompiler - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\SourceTec\Sothink SWF Decompiler\InternetExplorer.htm (file missing)
O9 - Extra 'Tools' menuitem: Sothink SWF Decompiler - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\SourceTec\Sothink SWF Decompiler\InternetExplorer.htm (file missing)
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O16 - DPF: {81361155-FAF9-11D3-B0D3-00C04F612FF1} (MSN Chat Control 3.0) - http://fdl.msn.com/public/chat/msnchat3.cab
O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Control) - http://content.communities.msn.com/cs/MsnPUpld.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/cha...v43/yacscom.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {72770C4F-967D-4517-982B-92D6B9015649} (DigWebHelper Class) - http://photos.msn.com/resources/neutral/co...X.cab?9,0,712,0
O16 - DPF: {5D9E4B6D-CD17-4D85-99D4-6A52B394EC3B} (WSDownloader Control) - http://www.webshots.com/samplers/WSDownloader.ocx
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall-beta.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab

#6 SifuMike

    malware expert

  • Staff Emeritus
  • 15,385 posts
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 17 May 2005 - 11:50 PM

Hello Lyna,

The log looks clean, congratulations! :thumbsup: Good job on the cleanup!

Please read and follow
How did I get infected?, With steps so it does not happen again!


Now, your jpe problem. :flowers:

when ever i save a jpeg on my pc the name of the picture appears without the g, looking like this "picture.jpe", it should be "picture.jpeg" ??.


JPE file
An optional extension used for JPEG files. Some Sony cameras have an option for simultaneously recording a low-res file for e-mail attachments that is saved as a .JPE along with the high-res .JPG file. Some Minolta cameras use the .JPE extension for images that contain embedded color profiles, and .JPG for ones that do not. Most image editors treat .JPE files as ordinary JPEGs, while other applications do not recognize the file type at all.


If you really cannot stand having the file with a .jpe extension, try renaming a sample file to .jpeg.
For example, picture.jpe renamed to picture.jpeg.
A .JPE file is generally a .JPEG which has had its final G truncated to give a 3-letter suffix.

Edited by SifuMike, 17 May 2005 - 11:51 PM.


#7 Lyna

  • Topic Starter
  • Members
  • 22 posts

Posted 18 May 2005 - 05:08 AM

OK, thanks, but there's another thing I want to ask you. I've had this problem since the first time you helped me; I don't know if it's from a virus or if I accidentally deleted something I shouldn't have. It's my desktop; there are two problems. Firstly, if I move an icon, let's say the Recycle Bin, and position it in the far right-hand corner (all the other icons are on the left), the next time I start up the computer the icons all become arranged again; basically I can't move them. And the second problem is with my taskbar: it's always set to auto-hide, and if I uncheck it in the taskbar properties it goes back to normal, but when I shut down and start the PC up again it goes back to being on auto-hide. The taskbar is really strange; it has two Quick Launches and a blank toolbar. Again, it's like before: if I get rid of the blank toolbar and extra Quick Launch they reappear the next time I start the computer. If you're confused I can capture a screen image for you.
Can you help me fix this? Or do I have to post a new topic in the Windows area of the forums?

Edited by Lyna, 18 May 2005 - 05:13 AM.


#8 SifuMike

    malware expert

  • Staff Emeritus
  • 15,385 posts
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 19 May 2005 - 03:02 PM

Hello Lyna,

This article tells how to arrange the icons and what the options do.
http://www.spcug.org/reviews/vlba0301.htm

Right-click on the desktop, and you get a box with several choices.
The first item is "Arrange Icons By".

Mine is set like this: Align to Grid is checked and Show Desktop Icons is checked. All others are unchecked.

Of course, you do not have to set yours like this; you have many choices.

"second problem is with my task bar, its always set to auto hide, and if i uncheck it in the taskbar properties it goes back to normal but when i shut down and start the pc up again it goes back to being on auto hide"

You might try putting a check on "Keep the taskbar on top of other windows".


If this did not solve your problem, then I suggest you post your question at our Windows forum.



