Ms32.sys And Haxdoor Tool

23 replies to this topic

#1 rainbow_warrior


Posted 16 January 2007 - 01:54 AM

I was reading email on pine, logged on remotely via ssh, when AVG found trojan downloader ms32.sys. AVG had just completed a complete scan and found nothing, but it was updated halfway through the scan, or perhaps this trojan suddenly became active when I installed Java and OpenOffice two days ago. It was in c:\. The first time, AVG crashed. Everything else seemed normal, but when I tried to restart AVG, the computer crashed and it took two tries to restart. I found ms32.sys in c:\ and AVG detected it again. When I clicked "heal," AVG reported that it healed the file, but in fact moved it to the vault.

Searching Google, it appears this file is not associated with Windows. In a derkeiler discussion, I found the haxdoor tool (said to fix some trojans associated with ms32.sys) by David Lipman and downloaded the half-megabyte file. When I first tried to run the tool, it gave some error messages, apparently not being able to connect to McAfee, but I immediately had a stream of alerts from Spybot's TeaTimer about changes to search and browser pages (to Microsoft-related entries). I tried allowing the changes for the time being, but I think I have some other tool set to protect these entries (I forgot where it is) and the attempts to change continued. Then I tried to deny the change, but the screen filled up with reports of denied changes.

Some hours later, I tried the tool again. It successfully connected to ftp.nai.speedera.net and began downloading stuff. Had it warned me of the size of the file, I might have tried to download it on a computer with a T1 connection instead of this computer at under 2 Kbyte/sec. (It might not be possible without further instructions because I don't see any of it on the desktop or in the folder McAfee it used.) I returned to find a message of all clean and stating that an HTML report had been created. The directions said it would be displayed and saved, but the background was plain wallpaper with no desktop, and when I restart the computer, I don't find the report saved.

So right now I can't restart the TeaTimer. What is messing with the start and search settings (maybe only for IE, not Firefox)? Following is a new HJT log, followed by an older one I had saved.

I notice that the older log has a suspicious looking entry

O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)

which is not there now.

Logfile of HijackThis v1.99.1
Scan saved at 12:34:22 AM, on 1/16/2007
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\WINDOWS\SYSTEM\KB918547\KB918547.EXE
C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\PCTVOICE.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACRORD32.EXE
C:\PROGRAM FILES\ACCESSORIES\SPYBOT - SEARCH & DESTROY\SPYBOTSD.EXE
C:\PROGRAM FILES\HIJACKTHIS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://security.kolla.de/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN0\YCOMP5_3_12_0.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\ACCESS~1\SPYBOT~1\SDHELPER.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN0\YCOMP5_3_12_0.DLL
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [PCTVOICE] pctvoice.exe
O4 - HKLM\..\Run: [Desksite CMA] C:\Program Files\desksite\bin\cma.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [KB918547] C:\WINDOWS\SYSTEM\KB918547\KB918547.EXE
O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - Startup: America Online 8.0 Tray Icon.lnk = C:\Program Files\America Online 8.0\aoltray.exe
O4 - Startup: OpenOffice.org 2.1.lnk.disabled
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRAM FILES\JAVA\JRE1.5.0_10\BIN\SSV.DLL
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRAM FILES\JAVA\JRE1.5.0_10\BIN\SSV.DLL
O14 - IERESET.INF: START_PAGE_URL=http://www.microsoft.com
O16 - DPF: Yahoo! Spades - http://download.games.yahoo.com/games/clients/y/st2_x.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/shockwa...ash/swflash.cab
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab
O16 - DPF: Yahoo! Chess - http://download.games.yahoo.com/games/clients/y/ct1_x.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/cha...v45/yacscom.cab
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/cha...t/c381/chat.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...s/yinst0401.cab
O16 - DPF: Tornado 21 -
O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) -
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = aoldsl.net

and the old log:

Logfile of HijackThis v1.99.1
Scan saved at 3:27:23 PM, on 1/1/2007
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\WINDOWS\SYSTEM\KB918547\KB918547.EXE
C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\PCTVOICE.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
C:\PROGRAM FILES\ACCESSORIES\SPYBOT - SEARCH & DESTROY\TEATIMER.EXE
C:\PROGRAM FILES\AMERICA ONLINE 8.0\WAOL.EXE
C:\PROGRAM FILES\AMERICA ONLINE 8.0\SHELLMON.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\ACCESSORIES\SPYBOT - SEARCH & DESTROY\SPYBOTSD.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGW.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGWB.DAT
C:\WINDOWS\DESKTOP\PUTTY.EXE
C:\PROGRAM FILES\MOZILLA THUNDERBIRD\THUNDERBIRD.EXE
C:\PROGRAM FILES\MOZILLA FIREFOX\FIREFOX.EXE
C:\PROGRAM FILES\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = www.google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://security.kolla.de/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.altavista.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN0\YCOMP5_3_12_0.DLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\ACCESS~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN0\YCOMP5_3_12_0.DLL
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [PCTVOICE] pctvoice.exe
O4 - HKLM\..\Run: [Desksite CMA] C:\Program Files\desksite\bin\cma.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [KB918547] C:\WINDOWS\SYSTEM\KB918547\KB918547.EXE
O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\PROGRAM FILES\ACCESSORIES\SPYBOT - SEARCH & DESTROY\TeaTimer.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\PROGRAM FILES\SUPERANTISPYWARE\SUPERANTISPYWARE.EXE
O4 - Startup: America Online 8.0 Tray Icon.lnk = C:\Program Files\America Online 8.0\aoltray.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O14 - IERESET.INF: START_PAGE_URL=http://www.microsoft.com
O16 - DPF: Yahoo! Spades - http://download.games.yahoo.com/games/clients/y/st2_x.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/shockwa...ash/swflash.cab
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab
O16 - DPF: Yahoo! Chess - http://download.games.yahoo.com/games/clients/y/ct1_x.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/cha...v45/yacscom.cab
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/cha...t/c381/chat.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...s/yinst0401.cab
O16 - DPF: Yahoo! Poker -
O16 - DPF: Tornado 21 -
O16 - DPF: Yahoo! Blackjack -
O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) -
O16 - DPF: Yahoo! NHL StatTracker -
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = aoldsl.net
O20 - Winlogon Notify: !SASWinLogon - C:\PROGRAM FILES\SUPERANTISPYWARE\SASWINLO.DLL

Thanks for your help.
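As an added example (not code from the post or from HijackThis), here is a small Python parser for logs in the format shown above: it reads the R/O entries, lists the running processes, diffs two logs, and flags entries registered with "(no file)" like the O9 item the poster noticed in the older log. The two sample logs embedded in it are constructed, trimmed-down stand-ins for the ones posted.

```python
"""Parse HijackThis-style logs, diff two of them, and flag orphaned entries.

Added example, not part of the forum post and not HijackThis's own code.
The format assumed is the one in the thread: a header, a 'Running processes:'
block ended by a blank line, then one entry per line such as
    O9 - Extra button: (no name) - {CLSID} - (no file)
"""
import re
from dataclasses import dataclass

# Constructed, trimmed-down stand-ins for the two logs in the post.
OLD_LOG = """\
Logfile of HijackThis v1.99.1
Scan saved at 3:27:23 PM, on 1/1/2007
Running processes:
C:\\WINDOWS\\TASKMON.EXE

R1 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Search Page = www.google.com
O4 - HKLM\\..\\Run: [TaskMonitor] C:\\WINDOWS\\taskmon.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O20 - Winlogon Notify: !SASWinLogon - C:\\PROGRAM FILES\\SUPERANTISPYWARE\\SASWINLO.DLL
"""
NEW_LOG = """\
Logfile of HijackThis v1.99.1
Scan saved at 12:34:22 AM, on 1/16/2007
Running processes:
C:\\WINDOWS\\EXPLORER.EXE

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\\Program Files\\Java\\jre1.5.0_10\\bin\\ssv.dll
O4 - HKLM\\..\\Run: [TaskMonitor] C:\\WINDOWS\\taskmon.exe
"""

ENTRY_RE = re.compile(r"^(?P<section>[RO]\d{1,2}) - (?P<body>.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")


@dataclass(frozen=True)
class Entry:
    section: str   # R0/R1/O2/O4/O9/... as HijackThis labels them
    body: str      # everything after "Oxx - "

    @property
    def clsid(self):
        m = CLSID_RE.search(self.body)
        return m.group(0).upper() if m else None

    @property
    def target(self):
        """Last ' - ' separated field: the backing file, or '(no file)'."""
        return self.body.rsplit(" - ", 1)[-1].strip()


def parse_log(text):
    """Return the R/O entries of a log; header and process list are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(Entry(m.group("section"), m.group("body")))
    return entries


def running_processes(text):
    """Paths listed under 'Running processes:' up to the first blank line."""
    procs, in_block = [], False
    for line in text.splitlines():
        if line.strip().lower() == "running processes:":
            in_block = True
            continue
        if in_block:
            if not line.strip():
                break
            procs.append(line.strip().upper())
    return procs


def diff_logs(old_text, new_text):
    """Entries present in only one log, as (removed, added), each sorted."""
    old, new = set(parse_log(old_text)), set(parse_log(new_text))
    key = lambda e: (e.section, e.body)
    return sorted(old - new, key=key), sorted(new - old, key=key)


def orphaned(entries):
    """Entries whose registered component has no file behind it."""
    return [e for e in entries if e.target.lower() == "(no file)"]


if __name__ == "__main__":
    removed, added = diff_logs(OLD_LOG, NEW_LOG)
    print("gone since old log:", *(f"  {e.section} - {e.body}" for e in removed), sep="\n")
    print("new since old log: ", *(f"  {e.section} - {e.body}" for e in added), sep="\n")
    for e in orphaned(parse_log(OLD_LOG)):
        print("orphaned CLSID:", e.clsid)
```

An entry that exists only in the old log is a sign the item was removed (by the user, a scanner, or an uninstall), while a "(no file)" item is a registry reference left behind without its component, which is usually leftover rather than an active threat.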


#2 rainbow_warrior


Posted 21 January 2007 - 04:41 PM

Here is an update on what happened. After a few more reboots the continuing requests to change start page etc. ceased, for no apparent reason. The TeaTimer now runs without detecting anything unusual. Even before the original post, AVG apparently found a file A0007836.cpy in c:\_restore\TEMP which was the same length, apparently a copy of the file ms32.sys deleted from root (650 Kb). Opened in Notepad, it was mostly unreadable, but contained some text which, however, did not explain it. This folder was huge, about 250 kB, or about a tenth of available disc space. None of the files could be deleted, but AVG would always catch it if I accessed A0007836.cpy. Most of these files were records of what some antivirus or antispyware scan did.

I found the screen to disable system restore. Now there are no files in _restore\TEMP, and the other _restore\ folders are now quite small. Virus scan is not finding anything now.

I might mention that none of Spybot S&D, Adaware, Superantispyware free, and Avast! free found the infected file. (I normally have Avast! disabled in the Spybot startup tool.)

Following is a new log. I think it is the same as the previous one, except that the TeaTimer is turned back on.

Logfile of HijackThis v1.99.1
Scan saved at 4:08:39 PM, on 1/21/2007
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\WINDOWS\SYSTEM\KB918547\KB918547.EXE
C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\PCTVOICE.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
C:\PROGRAM FILES\ACCESSORIES\SPYBOT - SEARCH & DESTROY\TEATIMER.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGW.EXE
C:\PROGRAM FILES\AMERICA ONLINE 8.0\WAOL.EXE
C:\PROGRAM FILES\AMERICA ONLINE 8.0\SHELLMON.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\PROGRAM FILES\SSH COMMUNICATIONS SECURITY\SSH SECURE SHELL\SSHCLIENT.EXE
C:\PROGRAM FILES\MOZILLA FIREFOX\FIREFOX.EXE
C:\PROGRAM FILES\HIJACKTHIS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://security.kolla.de/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN0\YCOMP5_3_12_0.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\ACCESS~1\SPYBOT~1\SDHELPER.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN0\YCOMP5_3_12_0.DLL
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [PCTVOICE] pctvoice.exe
O4 - HKLM\..\Run: [Desksite CMA] C:\Program Files\desksite\bin\cma.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [KB918547] C:\WINDOWS\SYSTEM\KB918547\KB918547.EXE
O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\PROGRAM FILES\ACCESSORIES\SPYBOT - SEARCH & DESTROY\TeaTimer.exe
O4 - Startup: America Online 8.0 Tray Icon.lnk = C:\Program Files\America Online 8.0\aoltray.exe
O4 - Startup: OpenOffice.org 2.1.lnk.disabled
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRAM FILES\JAVA\JRE1.5.0_10\BIN\SSV.DLL
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRAM FILES\JAVA\JRE1.5.0_10\BIN\SSV.DLL
O14 - IERESET.INF: START_PAGE_URL=http://www.microsoft.com
O16 - DPF: Yahoo! Spades - http://download.games.yahoo.com/games/clients/y/st2_x.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/shockwa...ash/swflash.cab
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab
O16 - DPF: Yahoo! Chess - http://download.games.yahoo.com/games/clients/y/ct1_x.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/cha...v45/yacscom.cab
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/cha...t/c381/chat.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...s/yinst0401.cab
O16 - DPF: Tornado 21 -
O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) -
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = aoldsl.net

#3 OldTimer

Malware Expert

Posted 27 January 2007 - 04:58 PM

Hello rainbow_warrior and welcome to the BC HijackThis forum. I see no signs of any viruses or malware in the log. It is clean.

Are you still experiencing any issues? If so, post back with what is going on and we'll go from there.

Cheers.

OT
I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer


#4 rainbow_warrior


Posted 28 January 2007 - 02:34 PM

Hi OldTimer

Thanks for your help. There are issues, but maybe using AOL for the dial-up connection is the major reason.

1. If you try to shut down with AOL connected, it may just disconnect you and not even reboot.

2. If you try to shut down with AOL disconnected but still on the screen, it may reboot instead of shutting down.

3. If you type window -> u -> enter, with shut down selected in the box, it seems more likely to reboot than if you actually click the confirm button with the mouse.

4. The cursor often locks up when several things are active at once. For instance, starting an adaware scan while a scheduled daily avg scan and daily avg update are running, and trying to load thunderbird. Sometimes control-alt-delete followed by cancel "close program" is enough to recover the cursor. Sometimes Adaware shows up as not responding and end program followed by program-not-responding end program works. Other times either nothing happens when trying control-alt delete, or it goes to blue screen press any key to continue, usually followed by a crash, or an error message and sometimes Thunderbird, sometimes the system crashes. I upgraded from 64 M of RAM to 512 M of RAM. The stability got marginally worse when we partitioned the local drive to load kubuntu, about 5.5 Gigabyte each. I don't use kubuntu currently, because I am not sure I want to combine it with aol.

So what do you think? Is it just the way windows ME is, and aol is, or is there something I should do?

David

#5 rainbow_warrior


Posted 28 January 2007 - 02:38 PM

Hi

One other thing I forgot. Why does Ad-Aware always find about 8 MRU items from RealPlayer even though I already deleted them and didn't use RealPlayer?

#6 OldTimer

Malware Expert

Posted 28 January 2007 - 02:56 PM

Hi rainbow_warrior. The reboot/shutdown issues may very well be caused by AOL. Unless there is a reason to shut the system down or reboot it with programs running, you should always close down all of the open applications first before performing a shutdown or reboot.

As for the cursor locking up, I can see why. If a program is doing a system scan (like AVG or AdAware) then it should be allowed to run its course unhindered. Trying to perform multiple scans at the same time and then opening up additional programs usually doesn't work well. If a scan is taking place, let that application do its thing and don't try to open other programs or start other scanners until after that scan is complete.

The MRU items are lists that are kept in the registry. AdAware should be able to remove them if you tell it to. But, programs like TeaTimer can block registry changes so it is best to disable it before doing any registry fixes with programs so the fixes can be carried out properly.

Cheers.

OT

#7 rainbow_warrior


Posted 01 February 2007 - 04:28 PM

Hello again OldTimer

I did try turning off the TeaTimer, running Ad-Aware, deleting everything, and running Ad-Aware again immediately. It finds the same 8 MRU items from RealPlayer. Another thing is that RealPlayer won't even start. It reports that the certificate is out of date and a large file must be downloaded and installed. I think maybe I will uninstall it. Can Winamp run on ME? (I noticed that Winamp doesn't seem to have a Linux version, causing me to rely on Real in an office I am using.)

Two other issues I can remember with this ME computer.

1. When I update spybot and immunize, it always reports that all however many bad products are blocked, it finds 6 fewer things blocked and says 6 more blocks are available. It doesn't matter much unless someone starts using IE on this computer.

2. I found a link to an older version of zone alarm for this computer because the latest version supposedly won't install on ME. Somebody posted that you might as well install ZA and turn off the updates. I'm not sure how to do that, but I get daily reminders that an important security update is available. Are they trying to update me to the version that doesn't run on ME, or is there really an update for version 6.0?

#8 OldTimer

Malware Expert

Posted 01 February 2007 - 06:17 PM

Hi rainbow_warrior. I don't know what AdAware is finding. MRU's are not bad in and of themselves and RealPlayer might be putting them back itself. If you want, post the items AdAware is finding and we can probably write a registry fix to remove them.

As for WinAmp, here are the system specs from their website FAQ:

What are Winamp's minimum system requirements?
Minimum system requirements

* 500MHz Pentium III or comparable
* 64MB RAM
* 15MB Hard Disk Space
* 16bit Sound Card
* Windows 98 SE, Windows ME, Windows 2000, Windows XP, Windows 2003
* 1x speed or greater CD Burner (Required for Burning)
* 2x speed or greater CDROM (Required for Ripping)

Recommended system requirements

* 1.5 GHz Pentium IV or comparable
* 128MB RAM
* 30MB Hard Disk Space
* 24bit Sound Card
* Windows 2000, Windows XP
* 8x speed or greater CD Burner (Required for Burning)
* 16x speed or greater CDROM (Required for Ripping)

It should run on an ME system if the system has the minimum specs shown above. I have never used WinAmp so I can't say how it is on system resources but any audio program like that is usually resource intensive so I wouldn't run that and a bunch of other programs at the same time.

For Spybot, what version is installed on that machine? The latest is version 1.4. If you don't have that version then I would suggest uninstalling the old version and updating to the new version. If you already have the latest version then an uninstall/reinstall might be in order.

For ZA, there is probably an update available to the version 6. I would think that ZA knows what platform it is running on and would not download and attempt to install a version that is not compatible with the platform that it is running on. To turn off the update check do the following:
  • Start Zone Alarm
  • Click on Overview (on the left-hand menu items)
  • Click the Preferences tab (across the top of the screen)
  • In the Check for updates area select the Manual option
  • Close the ZA window
Also, if you haven't done a disk cleanup in a while it would be a good idea to perform that too. Here's a nice program that takes care of that:

Download ATF Cleaner
  • Double-click ATF-Cleaner.exe to run the program.
  • Click Select All found at the bottom of the list.
  • Click the Empty Selected button.
If you use Firefox browser, do this also:
  • Click Firefox at the top and choose Select All from the list.
  • Click the Empty Selected button.
  • NOTE : If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser, do this also:
  • Click Opera at the top and choose Select All from the list.
  • Click the Empty Selected button.
  • NOTE : If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

Cheers.

OT

#9 rainbow_warrior


Posted 05 February 2007 - 10:50 PM

Hi OT

I tried uninstalling RealPlayer. It turns out that AOL insists on reinstalling it. After connecting it immediately disconnects until you have accepted the files and rebooted. I also tried uninstalling Viewpoint Media Player. AOL reinstalled that one too, but it didn't require me to accept the files or reboot. Now Ad-Aware doesn't find MRU tracks from RealPlayer.

I tried uninstalling a few other programs. Some seem to be gone already. I think Starware gave me an error and asked if I wanted to remove it from the add/remove list, which I did. Apparently it is adware, but I don't find any sign of it. However, "Web savings from ebate" just gives an error that it can't find the file when I try to uninstall, but doesn't inquire whether I want to remove it from the list. Also, Hyperload opens an uninstaller wizard and then says it can't find the file, but doesn't offer to remove itself from the list. Is there a trick to removing them from the remove program list?

Another item on the remove list is called "web search." I have no idea what it is, but I found a reference on pchell to "my web search," apparently related to smiley district, which I think I deleted from this computer. It also gives an error that the file can't be found.

In program files I have a folder "PLUS!" with subfolders pinball, spider, and themes, and files plus!.dll, sysagent.exe, and themes.exe.

Thanks for your advice.

David (rainbow_warrior)

#10 OldTimer

Malware Expert

Posted 06 February 2007 - 07:03 AM

Hi rainbow_warrior. Not all programs will remove themselves from the registry. If you like playing in the registry you can find the entries here:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall

Otherwise get a program like Add-Remove Pro

The Plus! folder is an add-on pack for 98/ME. It's from Microsoft.

Since all of this is not malware related, these questions should be directed toward the ME forum here: http://www.bleepingcomputer.com/forums/f/9/windows-9598me/ . Those are the people who can help with operating system and application questions.

Cheers.

OT

#11 rainbow_warrior


Posted 06 February 2007 - 04:48 PM

Thanks OT

I used Add-Remove Pro. As it happens, it claims the HijackThis uninstall link is nonexistent. I changed the path from Windows\Temp to C:\Program Files\Hijack This\HijackThis.exe /uninstall . It still considers it nonexistent. I notice there is a space between .exe and /uninstall, which I didn't change. Of course I don't want to uninstall Hijack This, but I don't know too much about how registry entries work. I notice that when I run Hijack This, it doesn't list any registry entry for Hijack This. Sorry, my post is not really malware related at this point.

Otherwise, Add-Remove Pro worked well enough.

rainbow_warrior

#12 OldTimer

Malware Expert

Posted 06 February 2007 - 05:38 PM

There's no uninstall file for HijackThis. It's just a commandline switch. ARP might look for an actual file.

Cheers.

OT
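An added example (not from the thread, and not Add-Remove Pro's or HijackThis's code) that ties together OldTimer's two points above: the Uninstall key where leftover entries live, and the fact that an UninstallString is a command line, so a tool that checks for "the uninstall file" will call HijackThis's `HijackThis.exe /uninstall` nonexistent even though the program is there. The script parses a regedit export of that key (the `REGEDIT4` text format Windows 9x/ME regedit writes; later versions write UTF-16 headed `Windows Registry Editor Version 5.00`, so open the file with the matching encoding) and resolves each UninstallString the way CreateProcess does before reporting it. The sample export, the list of "present" files and the `file_exists` stand-in are constructed for the example; on a real machine pass `os.path.isfile` instead.

```python
"""Audit the Uninstall key from a regedit export.

Added example; not from the thread and not Add-Remove Pro's code. Export
HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall
with regedit (File > Export) and run this over the .reg file.
"""
import re
from typing import Callable, Dict, List, Tuple

UNINSTALL_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall"

# Constructed sample export; doubled backslashes and \" are .reg escaping.
SAMPLE_REG = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\HijackThis]
"DisplayName"="HijackThis 1.99.1"
"UninstallString"="C:\\Program Files\\HijackThis\\HijackThis.exe /uninstall"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\OldGame]
"DisplayName"="Old Game"
"UninstallString"="\"C:\\Program Files\\Old Game\\unwise.exe\" C:\\Program Files\\Old Game\\INSTALL.LOG"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SomeApp]
"DisplayName"="Some App"
'''

# Constructed stand-in for os.path.isfile on the scanned machine.
PRESENT_FILES = [r"C:\Program Files\HijackThis\HijackThis.exe"]

VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')


def make_file_checker(present: List[str]) -> Callable[[str], bool]:
    known = {p.lower() for p in present}
    return lambda path: path.lower() in known


def _unescape(s: str) -> str:
    # .reg strings escape backslash and double quote with a backslash.
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg(text: str) -> Dict[str, Dict[str, str]]:
    """Return {key path: {value name: string data}}; non-string data is skipped."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            data = m.group(2)
            if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
                name = "@" if m.group(1) is None else _unescape(m.group(1))
                keys[current][name] = _unescape(data[1:-1])
    return keys


def split_command(cmd: str, file_exists: Callable[[str], bool]) -> Tuple[str, str, bool]:
    """Split an UninstallString into (program, arguments, program_exists).

    A quoted program runs to the closing quote. An unquoted one is resolved the
    way CreateProcess does: try ever-longer space-separated prefixes until one
    names a file (the shortest prefix, 'C:\\Program', is tried first, which is
    why unquoted paths with spaces are a known hazard). If nothing exists, cut
    after the first token ending in .exe so the report still names the program.
    """
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        prog = cmd[1:end] if end != -1 else cmd[1:]
        args = cmd[end + 1:].strip() if end != -1 else ""
        return prog, args, file_exists(prog)
    tokens = cmd.split(" ")
    for i in range(1, len(tokens) + 1):
        prog = " ".join(tokens[:i])
        if file_exists(prog):
            return prog, " ".join(tokens[i:]).strip(), True
    for i, tok in enumerate(tokens, 1):
        if tok.lower().endswith(".exe"):
            return " ".join(tokens[:i]), " ".join(tokens[i:]).strip(), False
    return cmd, "", False


def audit_uninstall(reg_text: str, file_exists: Callable[[str], bool]) -> List[Dict[str, str]]:
    """One row per subkey: orphaned entry, missing program, or program plus switch."""
    rows = []
    prefix = UNINSTALL_KEY.lower() + "\\"
    for key, values in parse_reg(reg_text).items():
        if not key.lower().startswith(prefix):
            continue
        name = values.get("DisplayName", key.rsplit("\\", 1)[-1])
        cmd = values.get("UninstallString")
        if cmd is None:
            rows.append({"name": name, "program": "", "status": "no UninstallString (orphaned entry)"})
            continue
        prog, args, ok = split_command(cmd, file_exists)
        if not ok:
            status = "program missing"
        elif args:
            status = "program present, run with switch: " + args
        else:
            status = "program present"
        rows.append({"name": name, "program": prog, "status": status})
    return rows


if __name__ == "__main__":
    for row in audit_uninstall(SAMPLE_REG, make_file_checker(PRESENT_FILES)):
        print(f"{row['name']:<20} {row['status']:<45} {row['program']}")
```

Run against the sample, the HijackThis row comes out as "program present, run with switch: /uninstall", the quoted Old Game row as "program missing", and Some App as an orphaned entry with no uninstall command at all, which are the three cases worth telling apart before deleting anything from that key.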

#13 rainbow_warrior (Topic Starter)

Posted 08 February 2007 - 02:23 PM

Hi OT

I purged HJT from the uninstall list.

I turned off automatic update checking for ZoneAlarm. The update notice it gives you just links to the page for downloading the latest version of ZA 6.5, which only runs on XP and 2000. If you try to start the install, you get a message to look at www.zonelabs.com/OSsupport, which tells you they don't support 1998 or ME after a certain date. There is no obvious way to find ZA 6.0 from the main page, but I found the link on one of the forums. So I suppose it is still there, but hidden, and there would be no updates.

rainbow_warrior

#14 OldTimer (Malware Expert)

Posted 09 February 2007 - 06:03 PM

Yup. Many vendors are not supporting 98*Grinler anymore. In that case you have the latest version and it will no longer be updated.

Cheers.

OT

#15 rainbow_warrior (Topic Starter)

Posted 11 March 2007 - 07:55 PM

Hi

I went back and ran panda, bitdefender, and Kaspersky online on this computer, which I hadn't done before, and I ran housecall again. I had posted on the ME forum
http://www.bleepingcomputer.com/forums/t/83869/unstable-at-shutdown/
about the computer restarting when I told it to shut down (often) and the blue-screen error messages on shut down and other times (occasional). I also googled on the error message:
error: 0e: 0028: c02a44a8 but not another message
error: 0e: 0028: c0030d12 which I wrote down more recently.

One of the suggested causes was malware. So I thought I would post back here. Following are logs from panda (two scans), bitdefender (text copy of html file, with a lot of extra carriage returns deleted), kaspersky (text copy of html file), and hijack this. Housecall didn't find anything.

Panda tries to get you to buy software to do the actual removal, and it also times out while you are reading the information it links to. I used regedit to remove the registry entry found by panda, which must be the one item it called a rootkit, although it just said 1 rootkit and 6 malware without identifying the individual files. The two files in downloaded program files I could not find, even with show all files and don't hide protected system files. There used to be a whole comet systems folder, which I deleted, and I think I have removed something from ``a better internet'' from this computer. The other four files I left intact but did name changes. Two of those are some kind of log files and don't show up after the name change, but panda still finds the other two after the name change. SAH used to be a big folder in TEMP files which got emptied, but I don't remember those initials coming up as spyware before. cydoor and gator may have come up in some scans before, but not for a while, and I forgot any details.

I thought I had set bitdefender to do a scan only, so that I could look at what it found first, but apparently the setup didn't take effect, because it found something and deleted it.

Kaspersky only found files that were locked.

I removed the remaining yahoo entries that appeared in HJT.

I also uninstalled java and installed java6. The installer warned that java would run better on XP, but did not suggest using java 5 instead. Was I correct to update it?

rainbow_warrior

*******************

Incident Status Location

Adware:adware/cydoor Not disinfected c:\windows\system\cd_clint.dll
Adware:adware/comet Not disinfected c:\windows\downloaded program files\dm.inf
Spyware:spyware/betterinet Not disinfected c:\windows\inf\BIINI.INF
Adware:adware/gator Not disinfected c:\windows\GatorPatch.log
Potentially unwanted tool:application/myway Not disinfected HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\{0494D0D9-F8E0-41AD-92A3-14154ECE70AC}
Adware:Adware/SAHAgent Not disinfected C:\WINDOWS\SYSTEM\xmltok.dll
Spyware:Spyware/BetterInet Not disinfected C:\WINDOWS\Downloaded Program Files\flash.inf

**********************
Incident Status Location

Adware:adware/comet Not disinfected c:\windows\downloaded program files\dm.inf
Adware:Adware/SAHAgent Not disinfected C:\WINDOWS\SYSTEM\virus-sah-xmltok.dll
Spyware:Spyware/BetterInet Not disinfected C:\WINDOWS\INF\virus-BIINI.INF
Spyware:Spyware/BetterInet Not disinfected C:\WINDOWS\Downloaded Program Files\flash.inf

************************
BitDefender Online Scanner

Scan report generated at: Thu, Mar 08, 2007 - 14:20:54

Scan path: A:\;C:\;D:\;

Statistics
Time: 01:23:10
Files: 117305
Folders: 1487
Boot Sectors: 3
Archives: 4563
Packed Files: 3135

Results
Identified Viruses: 1
Infected Files: 1
Suspect Files: 0
Warnings: 0
Disinfected: 0
Deleted Files: 1

Engines Info
Virus Definitions: 403438
Engine build: AVCORE v1.0 (build 2397) (i386) (Feb 8 2007 14:24:08)
Scan plugins: 14
Archive plugins: 38
Unpack plugins: 5
E-mail plugins: 6
System plugins: 1

Scan Settings
First Action: Disinfect
Second Action: Delete
Heuristics: Yes
Enable Warnings: Yes
Scanned Extensions: *;
Exclude Extensions:
Scan Emails: Yes
Scan Archives: Yes
Scan Packed: Yes
Scan Files: Yes
Scan Boot: Yes

Scanned File / Status
C:\WINDOWS\BDIBv4.exe - Infected with: MemScan:Trojan.Downloader.Delf.CY
C:\WINDOWS\BDIBv4.exe - Disinfection failed
C:\WINDOWS\BDIBv4.exe - Deleted

***********************
KASPERSKY ONLINE SCANNER REPORT
Saturday, March 10, 2007 5:22:47 PM
Operating System: Microsoft Windows Millennium Edition
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 10/03/2007
Kaspersky Anti-Virus database records: 264391
Scan Settings
Scan using the following antivirus database standard
Scan Archives true
Scan Mail Bases true
Scan Target My Computer
a:\
c:\
d:\
Scan Statistics
Total number of scanned objects 22715
Number of viruses found 0
Number of infected objects 0 / 0
Number of suspicious objects 0
Duration of the scan process 01:21:30

Infected Object Name Virus Name Last Action
c:\_RESTORE\LOGS\vxdsfp.log Object is locked skipped
c:\_RESTORE\LOGS\vxdalt1.log Object is locked skipped
c:\WINDOWS\SYSTEM\CatRoot\SYSMAST.cbd Object is locked skipped
c:\WINDOWS\SYSTEM\CatRoot\SYSMAST.cbk Object is locked skipped
c:\WINDOWS\SYSTEM\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\CATMAST.cbd Object is locked skipped
c:\WINDOWS\SYSTEM\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\CATMAST.cbk Object is locked skipped
c:\WINDOWS\TEMP\_avast4_\Webshlock.txt Object is locked skipped
c:\WINDOWS\TEMP\ZLT02c77.TMP Object is locked skipped
c:\WINDOWS\SchedLog.Txt Object is locked skipped
c:\WINDOWS\Application Data\Microsoft\Internet Explorer\MSIMGSIZ.DAT Object is locked skipped
c:\WINDOWS\Application Data\AVG7\Log\emc.log Object is locked skipped
c:\WINDOWS\Application Data\Mozilla\Firefox\Profiles\k4eioj06.default\cert8.db Object is locked skipped
c:\WINDOWS\Application Data\Mozilla\Firefox\Profiles\k4eioj06.default\key3.db Object is locked skipped
c:\WINDOWS\Application Data\Mozilla\Firefox\Profiles\k4eioj06.default\parent.lock Object is locked skipped
c:\WINDOWS\Application Data\Mozilla\Firefox\Profiles\k4eioj06.default\search.sqlite Object is locked skipped
c:\WINDOWS\Application Data\Mozilla\Firefox\Profiles\k4eioj06.default\Cache\_CACHE_MAP_ Object is locked skipped
c:\WINDOWS\Application Data\Mozilla\Firefox\Profiles\k4eioj06.default\Cache\_CACHE_001_ Object is locked skipped
c:\WINDOWS\Application Data\Mozilla\Firefox\Profiles\k4eioj06.default\Cache\_CACHE_002_ Object is locked skipped
c:\WINDOWS\Application Data\Mozilla\Firefox\Profiles\k4eioj06.default\Cache\_CACHE_003_ Object is locked skipped
c:\WINDOWS\Application Data\Mozilla\Firefox\Profiles\k4eioj06.default\urlclassifier2.sqlite Object is locked skipped
c:\WINDOWS\Application Data\Mozilla\Firefox\Profiles\k4eioj06.default\history.dat Object is locked skipped
c:\WINDOWS\Application Data\Mozilla\Firefox\Profiles\k4eioj06.default\formhistory.dat Object is locked skipped
c:\WINDOWS\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
c:\WINDOWS\Cookies\index.dat Object is locked skipped
c:\WINDOWS\History\History.IE5\index.dat Object is locked skipped
c:\WINDOWS\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped
c:\WINDOWS\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped
c:\WINDOWS\WIN386.SWP Object is locked skipped
c:\WINDOWS\Internet Logs\tvDebug.log Object is locked skipped
c:\WINDOWS\Internet Logs\OEMCOMPUTER.ldb Object is locked skipped
c:\WINDOWS\Internet Logs\IAMDB.RDB Object is locked skipped
c:\WINDOWS\Internet Logs\fwpktlog.txt Object is locked skipped
c:\WINDOWS\Internet Logs\fwdbglog.txt Object is locked skipped
c:\Program Files\America Online 8.0\idb\STYLE.LST Object is locked skipped
c:\Program Files\America Online 8.0\idb\APP9515.LST Object is locked skipped
c:\Program Files\America Online 8.0\idb\main.idx Object is locked skipped
c:\Program Files\America Online 8.0\idb\sap.dat Object is locked skipped
c:\Program Files\America Online 8.0\idb\sysnews.lst Object is locked skipped
c:\Program Files\America Online 8.0\idb\Apps.Lst Object is locked skipped
c:\Program Files\America Online 8.0\idb\spool.lst Object is locked skipped
c:\Program Files\America Online 8.0\idb\Diction.lst Object is locked skipped
c:\Program Files\America Online 8.0\idb\Toolbar.lst Object is locked skipped
c:\Program Files\America Online 8.0\idb\APP9712.LST Object is locked skipped
c:\Program Files\America Online 8.0\organize\puffshatley.aby Object is locked skipped
c:\Program Files\America Online 8.0\organize\puffshatley.abi Object is locked skipped
c:\Program Files\America Online 8.0\Global.org Object is locked skipped
c:\Program Files\Alwil Software\Avast4\DATA\log\aswMaiSv.log Object is locked skipped
c:\Program Files\Alwil Software\Avast4\DATA\log\AshWebSv.ws Object is locked skipped
c:\Program Files\Alwil Software\Avast4\DATA\aswResp.dat Object is locked skipped
c:\Program Files\Alwil Software\Avast4\DATA\Avast4.db Object is locked skipped
Scan process completed.

********************
Logfile of HijackThis v1.99.1
Scan saved at 7:53:54 PM, on 3/11/2007
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\WINDOWS\SYSTEM\KB918547\KB918547.EXE
C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\PCTVOICE.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\ACCESSORIES\SPYBOT - SEARCH & DESTROY\TEATIMER.EXE
C:\PROGRAM FILES\AMERICA ONLINE 8.0\WAOL.EXE
C:\PROGRAM FILES\SSH COMMUNICATIONS SECURITY\SSH SECURE SHELL\SSHCLIENT.EXE
C:\PROGRAM FILES\AMERICA ONLINE 8.0\SHELLMON.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\INTERNAT.EXE
C:\PROGRAM FILES\ACCESSORIES\SPYBOT - SEARCH & DESTROY\SPYBOTSD.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\PROGRAM FILES\MOZILLA FIREFOX\FIREFOX.EXE
C:\WINDOWS\NOTEPAD.EXE
C:\WINDOWS\NOTEPAD.EXE
C:\WINDOWS\NOTEPAD.EXE
C:\PROGRAM FILES\HIJACKTHIS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://security.kolla.de/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\ACCESS~1\SPYBOT~1\SDHELPER.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [PCTVOICE] pctvoice.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [KB918547] C:\WINDOWS\SYSTEM\KB918547\KB918547.EXE
O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\PROGRAM FILES\ACCESSORIES\SPYBOT - SEARCH & DESTROY\TeaTimer.exe
O4 - Startup: America Online 8.0 Tray Icon.lnk = C:\Program Files\America Online 8.0\aoltray.exe
O4 - Startup: OpenOffice.org 2.1.lnk.disabled
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\npjpi160.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\npjpi160.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.microsoft.com
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/shockwa...ash/swflash.cab
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab
O16 - DPF: Tornado 21 -
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...ebscan_ansi.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = aoldsl.net
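An added example (not from the thread and not HijackThis's own code) of how a helper reads a log like the one above: split it into typed entries, pull out the CLSID, URL and launch command where each line carries one, and attach review prompts for the patterns that deserve a second look, which is what a malware-forum responder is doing by eye. The sample log is constructed from lines modeled on the log posted above, and the flags are heuristics, not verdicts: in the sample every flagged line is either legitimate (Spybot's nameless SDHelper BHO, the built-in SysTray entry) or merely stale (the BitDefender uninstall button whose file is missing, the DPF record with no CLSID or URL).

```python
"""Triage a HijackThis log by entry type.

Added example; not from the thread and not HijackThis code. Flags are review
prompts for the reader of the log, not malware verdicts.
"""
import re
from typing import Dict, List, Tuple

ENTRY_RE = re.compile(r"^([RFNO]\d+) - (.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\}")
URL_RE = re.compile(r"https?://\S+")
RUN_RE = re.compile(r"^(HK\w+\\\.\.\\\w+): \[([^\]]*)\] (.*)$")
# A command is fully qualified if it starts with a drive, a UNC path or an env var.
QUALIFIED_RE = re.compile(r'^"?(?:[A-Za-z]:\\|\\\\|%)')

# Constructed sample, modeled on the lines in the log above.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Platform: Windows ME (Win9x 4.90.3000)

Running processes:
C:\WINDOWS\EXPLORER.EXE

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\ACCESS~1\SPYBOT~1\SDHELPER.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O16 - DPF: Tornado 21 -
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = aoldsl.net
"""


def parse_hjt(text: str) -> List[Dict[str, object]]:
    """Parse 'Oxx - ...' lines into dicts with kind, body, clsid, url, command, flags."""
    entries: List[Dict[str, object]] = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue  # header, 'Running processes' block, blank lines
        kind, body = m.group(1), m.group(2)
        clsid = CLSID_RE.search(body)
        url = URL_RE.search(body)
        flags: List[str] = []
        if "(file missing)" in body:
            flags.append("target file missing; stale entry")
        if kind == "O2" and body.startswith("BHO: (no name)"):
            flags.append("nameless BHO; identify the DLL by CLSID and path before trusting it")
        if kind == "O16" and not (clsid and url):
            flags.append("incomplete DPF record: no CLSID or download URL")
        command = None
        if kind == "O4":
            r = RUN_RE.match(body)
            if r:
                command = r.group(3)
                if not QUALIFIED_RE.match(command):
                    flags.append("program named without a full path; resolved through the search path")
        entries.append({"kind": kind, "body": body,
                        "clsid": clsid.group(0).upper() if clsid else None,
                        "url": url.group(0) if url else None,
                        "command": command, "flags": flags})
    return entries


def findings(text: str) -> List[Tuple[str, str, str]]:
    """(kind, body, flag) for every flagged entry, in log order."""
    return [(e["kind"], e["body"], f) for e in parse_hjt(text) for f in e["flags"]]


def count_by_kind(text: str) -> Dict[str, int]:
    counts: Dict[str, int] = {}
    for e in parse_hjt(text):
        counts[e["kind"]] = counts.get(e["kind"], 0) + 1
    return counts


if __name__ == "__main__":
    print(count_by_kind(SAMPLE_LOG))
    for kind, body, flag in findings(SAMPLE_LOG):
        print(f"{kind}: {flag}\n    {body}")
```

The "no full path" flag on O4 entries is the one to read with care: `SysTray.Exe` and `Rundll32.exe` style entries are normal on 9x/ME, but because such names are resolved through the search path rather than an absolute location, they are the entries where a stray file in an earlier search directory would be picked up, so the reviewer confirms which file actually runs rather than trusting the name.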



