HJT Log - Trojan Horses


  • This topic is locked
1 reply to this topic

#1 merritt

merritt

  • Members
  • 42 posts
  • OFFLINE
  • Gender:Male
  • Local time:06:01 AM

Posted 24 October 2004 - 09:44 PM

Logfile of HijackThis v1.98.2
Scan saved at 9:54:36 PM, on 10/24/04
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\PROGRAM FILES\GRISOFT\AVG6\AVGSERV9.EXE
C:\WINDOWS\SYSTEM\MNMSRVC.EXE
C:\WINDOWS\SYSTEM\MSGLOOP.EXE
C:\WINDOWS\SYSTEM\MSG32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\ATICWD32.EXE
C:\WINDOWS\SYSTEM\ATITASK.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMKEYBD.EXE
C:\WINDOWS\SYSTEM\HPSYSDRV.EXE
C:\PROGRAM FILES\CD-WRITER PLUS\DIRECTCD\DIRECTCD.EXE
C:\PROGRAM FILES\GRISOFT\AVG6\AVGCC32.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\PROGRAM FILES\VIEWPOINT\VIEWPOINT MANAGER\VIEWMGR.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\KEYBDMGR.EXE
C:\WINDOWS\RunDLL.exe
C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER FREE EDITION\PSFREE.EXE
C:\PROGRA~1\NETROPA\ONSCRE~1\OSD.EXE
C:\PROGRAM FILES\WEBSHOTS\WEBSHOTSTRAY.EXE
C:\PROGRAM FILES\PAPRPORT\FBDIRECT.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\REALVNC\VNC4\WINVNC4.EXE
C:\WINDOWS\DESKTOP\TOOLS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer,Default_Search_URL = http://www.w50.com/sw/searchbar/
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.w50.com/sw/searchbar/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://hp.yahoo.com/search/hp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://hp.yahoo.com/search/hp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.w50.com/sw/searchbar/
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CPROGRAM%20FILES%5CNETSCAPE%5CNETSCAPE%5Csearchplugins%5CSBWeb_01.src"); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\hpsgiqbp.slt\prefs.js)
O1 - Hosts: 217.116.231.7 aimtoday.aol.com
O1 - Hosts: 217.116.231.7 aimtoday.aol.com
O1 - Hosts: 217.116.231.7 aimtoday.aol.com
O1 - Hosts: 217.116.231.7 aimtoday.aol.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] "c:\windows\scanregw.exe " /autorun
O4 - HKLM\..\Run: [TaskMonitor] "c:\windows\taskmon.exe"
O4 - HKLM\..\Run: [SystemTray] "SysTray.Exe"
O4 - HKLM\..\Run: [LoadPowerProfile] "Rundll32.exe " powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [AtiCwd32] "Aticwd32.exe"
O4 - HKLM\..\Run: [AtiKey] "Atitask.exe"
O4 - HKLM\..\Run: [Keyboard Manager] "C:\Program Files\Netropa\One-touch Multimedia Keyboard\MMKeybd.exe"
O4 - HKLM\..\Run: [EAPCISetup] "c:\windows\SYSTEM\wizard.exe " c:\windows\SYSTEM
O4 - HKLM\..\Run: [hpsysdrv] "c:\windows\system\hpsysdrv.exe"
O4 - HKLM\..\Run: [Adaptec DirectCD] C:\Program Files\CD-Writer Plus\DirectCD\DIRECTCD.EXE
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\GRISOFT\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] "Rundll32.exe " powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [TweakIco] "c:\hp\support\tweakico.exe"
O4 - HKLM\..\RunServices: [Avgserv9.exe] C:\PROGRA~1\GRISOFT\AVG6\Avgserv9.exe
O4 - HKLM\..\RunServices: [Fpx] C:\WINDOWS\SYSTEM\mnmsrvc.exe
O4 - HKLM\..\RunServices: [WinVNC4] "C:\PROGRAM FILES\REALVNC\VNC4\WINVNC4.EXE" -noconsole -service
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER FREE EDITION\PSFREE.EXE"
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\WebshotsTray.exe
O4 - Startup: PaperPort OneTouch.lnk = C:\Program Files\PAPRPORT\FBDirect.exe
O8 - Extra context menu item: Boxtop - file://C:\Program Files\BoxTopsShoppingReminder\System\Temp\boxtopgmills_script0.htm
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O12 - Plugin for .pdf: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
O16 - DPF: {BD11A280-2E73-11CF-B6CF-00AA00A74DAF} - http://www.talkingbuddy.com/talkingbuddyinstall.exe
O16 - DPF: {01111F00-3E00-11D2-8470-0060089874ED} (Support.com Installer) - http://support.charter.com/sdccommon/download/tgctlins.cab
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai.net/7/19/7125/4018/ftp...23/cpbrkpie.cab
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab

#2 CalamityKen

CalamityKen

  • Members
  • 128 posts
  • OFFLINE
  • Location:Whitby. Ont.
  • Local time:06:01 AM

Posted 25 October 2004 - 09:14 AM

merritt, welcome.

Please print this out and follow ALL these directions carefully.

Make sure 'show all files' is enabled:
http://service1.symantec.com/SUPPORT/tsgen...=&osv=&osv_lvl=

Boot into Safe Mode by tapping F8 key repeatedly at bootup.
More detailed instructions here:
http://service1.symantec.com/SUPPORT/tsgen...001052409420406

Go to Add/Remove Programs and uninstall Viewpoint Manager

Delete if still present:

C:\Program Files\BoxTopsShoppingReminder
C:\Program Files\Viewpoint
<== folders

Start HijackThis and tick the boxes next to all these, then close all browser and explorer windows, and tell HijackThis to "Fix checked" if still present.

R1 - HKCU\Software\Microsoft\Internet Explorer,Default_Search_URL = http://www.w50.com/sw/searchbar/
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.w50.com/sw/searchbar/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://hp.yahoo.com/search/hp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://hp.yahoo.com/search/hp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.w50.com/sw/searchbar/
O1 - Hosts: 217.116.231.7 aimtoday.aol.com
O1 - Hosts: 217.116.231.7 aimtoday.aol.com
O1 - Hosts: 217.116.231.7 aimtoday.aol.com
O1 - Hosts: 217.116.231.7 aimtoday.aol.com
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O8 - Extra context menu item: Boxtop - file://C:\Program Files\BoxTopsShoppingReminder\System\Temp\boxtopgmills_script0.htm
O16 - DPF: {BD11A280-2E73-11CF-B6CF-00AA00A74DAF} - http://www.talkingbuddy.com/talkingbuddyinstall.exe


Reboot and install the prevention protection below, and help keep your friends from being infected on the Internet.

Empty the Recycle Bin.

The Temp folders should be cleaned out periodically as installation programs and hijack programs leave a lot of junk there.
Index.dat Suite helps with this.
http://support.it-mate.co.uk/?mode=Products&p=index.datsuite

Ensure that Index.dat Suite is set up to empty the Temp folders, especially
C:\WINDOWS\Temp
then run the Find, create the run.bat, and reboot to have it remove what it finds.

Download and install WinPatrol.
http://www.winpatrol.com

Browser settings for increased security:
http://bshagnasty.home.att.net/browsersettings.htm

Install IE-SPYAD then run the install.bat in the ie-spyad folder and SpywareBlaster then keep them up to date as today's Internet is full of nasty infections.
https://netfiles.uiuc.edu/ehowes/www/resource.htm#IESPYAD
http://www.javacoolsoftware.com/spywareblaster.html

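The reply above singles out three kinds of entries in the log: R1 search-URL keys pointing at an unfamiliar site, O1 hosts-file lines that steer a well-known name to a routable address, and an O16 ActiveX download that is a bare .exe. The script below is an added example (not part of this thread, and not a HijackThis feature) that applies those same three checks to HijackThis-format text. The sample log is constructed from entries quoted in the thread; the list of trusted search hosts is an assumed allowlist you would adjust for your own machine, and the .exe-versus-.cab rule is a heuristic that flags entries for review rather than declaring them malicious.

```python
import re
from urllib.parse import urlsplit

# Constructed sample in HijackThis v1.98 log format, modelled on the
# entries discussed in this thread (one loopback hosts line added so the
# ad-blocker case is exercised too).
SAMPLE_LOG = """\
R1 - HKCU\\Software\\Microsoft\\Internet Explorer,Default_Search_URL = http://www.w50.com/sw/searchbar/
R1 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Search Page = http://hp.yahoo.com/search/hp.html
O1 - Hosts: 217.116.231.7 aimtoday.aol.com
O1 - Hosts: 217.116.231.7 aimtoday.aol.com
O1 - Hosts: 127.0.0.1 ad.doubleclick.net
O4 - HKLM\\..\\RunServices: [Fpx] C:\\WINDOWS\\SYSTEM\\mnmsrvc.exe
O16 - DPF: {BD11A280-2E73-11CF-B6CF-00AA00A74DAF} - http://www.talkingbuddy.com/talkingbuddyinstall.exe
O16 - DPF: {01111F00-3E00-11D2-8470-0060089874ED} (Support.com Installer) - http://support.charter.com/sdccommon/download/tgctlins.cab
"""

# Every HijackThis entry starts with a section code (R1, O1, O16, ...), " - ", body.
HJT_LINE = re.compile(r"^(?P<sec>[A-Z]\d{1,2}) - (?P<body>.*)$")
HOSTS_ENTRY = re.compile(r"^Hosts:\s+(?P<ip>\S+)\s+(?P<host>\S+)")

# Addresses that only sink traffic; anything else redirects it somewhere real.
LOOPBACK_PREFIXES = ("127.", "0.0.0.0", "::1")

# Assumed allowlist: search hosts this particular user expects to see.
TRUSTED_SEARCH_HOSTS = {"hp.yahoo.com", "www.google.com", "search.msn.com"}


def parse_hjt(text):
    """Return [(section, body)] for each line that looks like an HJT entry."""
    entries = []
    for line in text.splitlines():
        m = HJT_LINE.match(line.strip())
        if m:
            entries.append((m.group("sec"), m.group("body")))
    return entries


def redirected_hosts(entries):
    """O1 entries mapping a name to a non-loopback address.

    Returns {hostname: {ip, ...}}; duplicate lines (HJT reports one per
    occurrence) collapse into a single hostname key.
    """
    found = {}
    for sec, body in entries:
        if sec != "O1":
            continue
        m = HOSTS_ENTRY.match(body)
        if not m:
            continue
        ip, host = m.group("ip"), m.group("host").lower()
        if not ip.startswith(LOOPBACK_PREFIXES):
            found.setdefault(host, set()).add(ip)
    return found


def hijacked_search_urls(entries, trusted=TRUSTED_SEARCH_HOSTS):
    """R0/R1 entries whose value is a URL on a host outside the allowlist.

    Non-URL values such as 'blank' or 'about:blank' have no hostname and
    are skipped.  Returns [(registry key, url)].
    """
    hits = []
    for sec, body in entries:
        if sec not in ("R0", "R1"):
            continue
        key, sep, value = body.partition(" = ")
        if not sep:
            continue
        host = urlsplit(value.strip()).hostname
        if host and host.lower() not in trusted:
            hits.append((key, value.strip()))
    return hits


def executable_dpf(entries):
    """O16 (Download Program Files) entries whose target is a bare .exe.

    Heuristic only: ActiveX installers are normally shipped as .cab
    packages, so a direct .exe download is worth a closer look.
    """
    hits = []
    for sec, body in entries:
        if sec != "O16":
            continue
        url = body.rsplit(" - ", 1)[-1].strip()
        if urlsplit(url).path.lower().endswith(".exe"):
            hits.append(url)
    return hits


def review(text):
    """Run all three checks over a log and return the findings together."""
    entries = parse_hjt(text)
    return {
        "hosts_redirects": redirected_hosts(entries),
        "search_hijacks": hijacked_search_urls(entries),
        "exe_downloads": executable_dpf(entries),
    }


if __name__ == "__main__":
    for name, finding in review(SAMPLE_LOG).items():
        print(f"{name}: {finding}")
```

Run it against a saved hijackthis.log by reading the file into `review()`; anything it returns is a candidate for the "Fix checked" list, not a verdict, since a corporate proxy or ad blocker can legitimately populate the hosts file and a vendor may serve a plain .exe installer.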


