virus and spyware attack

  1. #1
    Join Date
    Apr 2000
    Posts
    166

    virus and spyware attack

    I can't seem to get rid of them.

    Logfile of HijackThis v1.99.1
    Scan saved at 9:53:56 AM, on 5/25/05
    Platform: Windows 98 Gold (Win9x 4.10.1998)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\PROGRAM FILES\YTRAYMAGICLITE\YTRAYMAGIC.EXE
    C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHSERV.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHWEBSV.EXE
    C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHMAISV.EXE
    C:\PROGRAM FILES\POP PEEPER\POPPEEPER.EXE
    C:\PROGRAM FILES\MSGTAG STATUS\MSGTAGSTATUS.EXE
    C:\PROGRAM FILES\VIDEO ADS BLOCKER\ADDBLOCKER.EXE
    C:\PROGRAM FILES\WINKEY\WINKEY.EXE
    C:\PROGRAM FILES\RESIZE\RESIZEENABLERUNNER.EXE
    C:\PROGRAM FILES\CLICKOFF\CLICKOFF.EXE
    C:\PROGRAM FILES\GREENBROWSER\GREENBROWSER.EXE
    C:\WINDOWS\SYSTEM\PSTORES.EXE
    C:\PROGRAM FILES\FREE DOWNLOAD MANAGER\FDM.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\WINDOWS\NOTEPAD.EXE
    C:\WINDOWS\TEMP\NSP4361.TMP
    C:\PROGRAM FILES\ISTSVC\ISTSVC.EXE
    C:\PROGRAM FILES\HIJACK\HIJACKTHIS.EXE
    C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://part.3nv.com/brandy
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://part.3nv.com/brandy
    R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
    O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
    O2 - BHO: IE Update Class - {5B4AB8E2-6DC5-477A-B637-BF3C1A2E5993} - C:\WINDOWS\isrvs\sysupd.dll (file missing)
    O2 - BHO: BAHelper Class - {A3FDD654-A057-4971-9844-4ED8E67DBBB8} - C:\PROGRAM FILES\SIDEFIND\SFBHO.DLL (file missing)
    O2 - BHO: CeresObj Class - {00000049-8F91-4D9C-9573-F016E7626484} - C:\WINDOWS\CERES.DLL
    O2 - BHO: BHObj Class - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINDOWS\NEM220.DLL
    O2 - BHO: Loader Class - {2E246FAE-8420-11D9-870D-000C2917DE7F} - C:\WINDOWS\SYSTEM\Loader.dll
    O2 - BHO: ADP UrlCatcher Class - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - C:\WINDOWS\SYSTEM\MSBE.DLL
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O3 - Toolbar: YourSiteBar - {86227D9C-0EFE-4f8a-AA55-30386A3F5686} - C:\PROGRA~1\YOURSI~1\YSB.DLL
    O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [avast! Web Scanner] C:\PROGRA~1\ALWILS~1\AVAST4\ASHWEBSV.EXE
    O4 - HKLM\..\Run: [ashMaiSv] C:\PROGRA~1\ALWILS~1\AVAST4\ashmaisv.exe
    O4 - HKLM\..\Run: [IST Service] \ISTsvc\istsvc.exe
    O4 - HKLM\..\RunServices: [YTrayMagic Lite 1] C:\PROGRAM FILES\YTRAYMAGICLITE\YTRAYMAGIC.EXE
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [avast!] C:\Program Files\Alwil Software\Avast4\ashServ.exe
    O4 - HKCU\..\Run: [POP Peeper] "C:\PROGRAM FILES\POP PEEPER\POPPEEPER.EXE" -min
    O4 - HKCU\..\Run: [MSGTAG] "C:\PROGRAM FILES\MSGTAG STATUS\MSGTAGSTATUS.EXE" /startup
    O4 - HKCU\..\Run: [Video Ads Blocker v1.0b Personal] "C:\PROGRAM FILES\VIDEO ADS BLOCKER\ADDBLOCKER.EXE"
    O4 - Startup: WinKey.lnk = C:\Program Files\WinKey\WinKey.exe
    O4 - Startup: Resize.lnk = C:\Program Files\Resize\ResizeEnableRunner.exe
    O4 - Startup: ClickOff.lnk = C:\Program Files\ClickOff\Clickoff.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: For&msAgent - C:\Program Files\Magenta\agent.html
    O8 - Extra context menu item: Download by Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
    O8 - Extra context menu item: Download web site by Free Download Manager - file://C:\Program Files\Free Download Manager\dlpage.htm
    O8 - Extra context menu item: Download all by Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
    O8 - Extra context menu item: Download selected by Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra button: Video Ads Blocker v1.0b Personal - {FDBB2660-C23B-11D9-A431-00045AA1DA42} - C:\PROGRAM FILES\VIDEO ADS BLOCKER\ADDBLOCKER.EXE
    O9 - Extra button: SideFind - {10E42047-DEB9-4535-A118-B3F6EC39B807} - C:\PROGRAM FILES\SIDEFIND\SIDEFIND.DLL (file missing)
    O15 - Trusted Zone: *.addictivetechnologies.com
    O15 - Trusted Zone: *.slotch.com
    O15 - Trusted Zone: *.searchmiracle.com
    O15 - Trusted Zone: *.megapornix.com
    O15 - Trusted Zone: *.f1organizer.com
    O15 - Trusted Zone: *.mt-download.com
    O15 - Trusted Zone: *.xxxtoolbar.com
    O15 - Trusted Zone: *.clickspring.net
    O15 - Trusted Zone: *.windupdates.com
    O15 - Trusted Zone: *.c4tdownload.com
    O15 - Trusted Zone: *.ysbweb.com
    O15 - Trusted Zone: *.overpro.com
    O15 - Trusted Zone: *.awmdabest.com
    O15 - Trusted Zone: *.addictivetechnologies.net
    O15 - Trusted Zone: *.crazywinnings.com
    O15 - Trusted Zone: *.topconverting.com
    O15 - Trusted Zone: *.static.topconverting.com
    O15 - Trusted Zone: *.frame.crazywinnings.com
    O15 - Trusted Zone: *.slotchbar.com
    O15 - Trusted Zone: *.media-motor.net
    O15 - Trusted Zone: *.clickspring.net (HKLM)
    O15 - Trusted Zone: *.mt-download.com (HKLM)
    O15 - Trusted Zone: *.slotch.com (HKLM)
    O15 - Trusted Zone: *.windupdates.com (HKLM)
    O15 - Trusted Zone: *.c4tdownload.com (HKLM)
    O15 - Trusted Zone: *.xxxtoolbar.com (HKLM)
    O15 - Trusted Zone: *.ysbweb.com (HKLM)
    O15 - Trusted Zone: *.overpro.com (HKLM)
    O15 - Trusted Zone: *.megapornix.com (HKLM)
    O15 - Trusted Zone: *.awmdabest.com (HKLM)
    O15 - Trusted Zone: *.addictivetechnologies.com (HKLM)
    O15 - Trusted Zone: *.addictivetechnologies.net (HKLM)
    O15 - Trusted Zone: *.f1organizer.com (HKLM)
    O15 - Trusted Zone: *.crazywinnings.com (HKLM)
    O15 - Trusted Zone: *.topconverting.com (HKLM)
    O15 - Trusted Zone: *.searchmiracle.com (HKLM)
    O15 - Trusted Zone: *.static.topconverting.com (HKLM)
    O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
    O15 - Trusted Zone: *.slotchbar.com (HKLM)
    O15 - Trusted Zone: *.media-motor.net (HKLM)
    O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone
    O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone (HKLM)
    O16 - DPF: Win32 Classes - file://c:\windows\Java\classes\win32ie4.cab
    O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - C:\WINDOWS\isrvs\mfiltis.dll

  2. #2
    Join Date
    Feb 2004
    Location
    Mandurah, Western Australia
    Posts
    10,157
    A little bit of work for you.

    -

    Go to Add/Remove programs and remove(uninstall) the following, if present:

    BetterInternet

    The above could appear anywhere within the entry. Be careful not to remove any personal or system software.

    ===============


    Download and install Ad-Aware SE,

    If you don't already have it, let's go to Lavasoft's VX2 Cleaner web-page, and follow the instructions to download and install the utility.

    -

    Next, run AdAware SE Personal, then:

    1. Click "Add-Ons".
    2. Double-click "VX2 Cleaner"
    3. Click "Ok", to "Execute this tool".
    4. If nothing is found, click "Ok", then exit the program.

    (or)

    4. If VX2 has been found on your system, click "Clean System".
    5. Then when it's completely done, reboot your computer.
    6. Repeat steps 1-4 again.

    Be sure to follow any instructions it might give while using it.

    ===============

    Download the Adware.Istbar removal utility from Symantec and follow the instructions on the same page.

    ===============

    Now, let's open a command prompt by going to the start menu and then select 'Run'.

    In the box that pops up type in 'cmd'. The command prompt will open.

    OR

    You can go to Start -> Programs -> Accessories -> Command Prompt. Unregister the dll(s) we're going to remove, by entering the following:

    regsvr32 /u CERES.DLL
    regsvr32 /u NEM220.DLL
    regsvr32 /u Loader.dll
    regsvr32 /u MSBE.DLL
    regsvr32 /u YSB.DLL
    regsvr32 /u mfiltis.dll

    It's ok, if these aren't found or 'error' out. If you want, just copy and paste the individual lines to the command prompt to save typing them in.

    ===============

    Run HiJackThis then:

    1. Click "Open the Misc Tools Section"
    2. Click "Open Process manager"

    -

    Next, while holding down the CTRL key, locate (if present) and click on (highlight) each of the following:

    C:\WINDOWS\TEMP\NSP4361.TMP
    C:\PROGRAM FILES\ISTSVC\ISTSVC.EXE

    Now double-check and make sure that only those item(s) above are highlighted, then click "Kill process". Now, click "Refresh", check again, and repeat this step if any remain.

    ===============

    Still in HiJackThis, click "Scan", then check(tick) the following, if present:


    R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)

    O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
    O2 - BHO: IE Update Class - {5B4AB8E2-6DC5-477A-B637-BF3C1A2E5993} - C:\WINDOWS\isrvs\sysupd.dll (file missing)
    O2 - BHO: BAHelper Class - {A3FDD654-A057-4971-9844-4ED8E67DBBB8} - C:\PROGRAM FILES\SIDEFIND\SFBHO.DLL (file missing)
    O2 - BHO: CeresObj Class - {00000049-8F91-4D9C-9573-F016E7626484} - C:\WINDOWS\CERES.DLL
    O2 - BHO: BHObj Class - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINDOWS\NEM220.DLL
    O2 - BHO: Loader Class - {2E246FAE-8420-11D9-870D-000C2917DE7F} - C:\WINDOWS\SYSTEM\Loader.dll
    O2 - BHO: ADP UrlCatcher Class - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - C:\WINDOWS\SYSTEM\MSBE.DLL

    O3 - Toolbar: YourSiteBar - {86227D9C-0EFE-4f8a-AA55-30386A3F5686} - C:\PROGRA~1\YOURSI~1\YSB.DLL

    O4 - HKLM\..\Run: [IST Service] \ISTsvc\istsvc.exe

    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    ...(Unless you've set these with an anti-spyware program like SpyBot's Immunize feature, have HiJackThis fix this.)

    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra button: SideFind - {10E42047-DEB9-4535-A118-B3F6EC39B807} - C:\PROGRAM FILES\SIDEFIND\SIDEFIND.DLL (file missing)

    O15 - Trusted Zone: *.addictivetechnologies.com
    O15 - Trusted Zone: *.slotch.com
    O15 - Trusted Zone: *.searchmiracle.com
    O15 - Trusted Zone: *.megapornix.com
    O15 - Trusted Zone: *.f1organizer.com
    O15 - Trusted Zone: *.mt-download.com
    O15 - Trusted Zone: *.xxxtoolbar.com
    O15 - Trusted Zone: *.clickspring.net
    O15 - Trusted Zone: *.windupdates.com
    O15 - Trusted Zone: *.c4tdownload.com
    O15 - Trusted Zone: *.ysbweb.com
    O15 - Trusted Zone: *.overpro.com
    O15 - Trusted Zone: *.awmdabest.com
    O15 - Trusted Zone: *.addictivetechnologies.net
    O15 - Trusted Zone: *.crazywinnings.com
    O15 - Trusted Zone: *.topconverting.com
    O15 - Trusted Zone: *.static.topconverting.com
    O15 - Trusted Zone: *.frame.crazywinnings.com
    O15 - Trusted Zone: *.slotchbar.com
    O15 - Trusted Zone: *.media-motor.net
    O15 - Trusted Zone: *.clickspring.net (HKLM)
    O15 - Trusted Zone: *.mt-download.com (HKLM)
    O15 - Trusted Zone: *.slotch.com (HKLM)
    O15 - Trusted Zone: *.windupdates.com (HKLM)
    O15 - Trusted Zone: *.c4tdownload.com (HKLM)
    O15 - Trusted Zone: *.xxxtoolbar.com (HKLM)
    O15 - Trusted Zone: *.ysbweb.com (HKLM)
    O15 - Trusted Zone: *.overpro.com (HKLM)
    O15 - Trusted Zone: *.megapornix.com (HKLM)
    O15 - Trusted Zone: *.awmdabest.com (HKLM)
    O15 - Trusted Zone: *.addictivetechnologies.com (HKLM)
    O15 - Trusted Zone: *.addictivetechnologies.net (HKLM)
    O15 - Trusted Zone: *.f1organizer.com (HKLM)
    O15 - Trusted Zone: *.crazywinnings.com (HKLM)
    O15 - Trusted Zone: *.topconverting.com (HKLM)
    O15 - Trusted Zone: *.searchmiracle.com (HKLM)
    O15 - Trusted Zone: *.static.topconverting.com (HKLM)
    O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
    O15 - Trusted Zone: *.slotchbar.com (HKLM)
    O15 - Trusted Zone: *.media-motor.net (HKLM)
    O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone
    O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone (HKLM)

    O16 - DPF: Win32 Classes - file://c:\windows\Java\classes\win32ie4.cab

    O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - C:\WINDOWS\isrvs\mfiltis.dll


    Now, with all windows closed except HiJackThis, click "Fix checked".

    ===============

    Locate and delete the following item(s), if present. Make sure you're able to "view system and hidden files/folders":

    folders...

    C:\PROGRAM FILES\ISTSVC
    C:\PROGRA~1\YOURSI~1
    C:\WINDOWS\isrvs

    files...

    C:\WINDOWS\TEMP\NSP4361.TMP
    C:\WINDOWS\CERES.DLL
    C:\WINDOWS\NEM220.DLL
    C:\WINDOWS\SYSTEM\Loader.dll
    C:\WINDOWS\SYSTEM\MSBE.DLL

    -

    Note that some of these file(s)/folder(s) may or may not be present. If present, and cannot be deleted because they're 'in use', try deleting them in "Safe Mode".

    -

    Reboot.

    ===============

    To help protect your system from hostile ActiveX content, or special 'downloadable' files:

    Download, install and keep updated, SpywareBlaster. If you've installed it for the first time:

    1) Check for any available updates; if present, they'll be automatically downloaded and installed.
    2) Next, "Enable all protection".
    3) Exit the program.

    -

    Note: Remember to regularly check for updates.

    ===============

    After rebooting your PC, rescan with hijackthis and post a new log.
    Let me know how things are now.
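A defender-side triage of the HijackThis log format used above, added here as an example and not part of either post: it parses the R/O lines, flags the entry types the reply singles out (Trusted Zone additions and the ProtocolDefaults change, the O18 filter, orphaned BHO/toolbar/button entries, a BHO loaded straight from the Windows root, the drive-less O4 Run entry) and lists the DLLs still on disk that would be the regsvr32 /u candidates. The flagging rules are this example's own heuristics, not HijackThis's, and the sample lines are a constructed subset of the log in the first post.

```python
import re
from collections import namedtuple
Finding = namedtuple("Finding", "section reason line")
LINE_RE = re.compile(r"^(R\d|O\d{1,2}) - (.*)$")          # "O2 - BHO: ..." style entries
PATH_RE = re.compile(r"([A-Za-z]:\\\S+?\.(?:dll|ocx))\b", re.IGNORECASE)
MISSING = ("(no file)", "(file missing)")

def triage(log_text):
    findings = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # header lines and the running-process list carry no Rx/Ox prefix
        section, body = m.groups()
        if section in ("R0", "R1") and "Start Page" in body:
            findings.append(Finding(section, "start page set; confirm it is yours", raw))
        elif section == "O15":
            findings.append(Finding(section, "Trusted Zone weakened", raw))
        elif section == "O18":
            findings.append(Finding(section, "MIME/protocol filter hooked into IE", raw))
        elif section in ("O2", "O3", "O9") and body.endswith(MISSING):
            findings.append(Finding(section, "orphaned entry, file already gone", raw))
        elif section == "O2" and re.search(r"C:\\WINDOWS\\[^\\]+\.dll$", body, re.I):
            findings.append(Finding(section, "BHO loaded from the Windows root", raw))
        elif section == "O4" and re.search(r"\]\s+\\", body):
            findings.append(Finding(section, "Run entry with a drive-less path", raw))
    return findings

def dlls_to_unregister(findings):
    """DLLs still on disk behind flagged O2/O3/O18 entries: the regsvr32 /u candidates."""
    dlls = []
    for f in findings:
        if f.section in ("O2", "O3", "O18") and not f.line.endswith(MISSING):
            m = PATH_RE.search(f.line)
            if m and m.group(1).lower().endswith(".dll"):
                dlls.append(m.group(1))
    return dlls

# Constructed sample: a handful of lines taken from the log in the first post.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://part.3nv.com/brandy
O2 - BHO: IE Update Class - {5B4AB8E2-6DC5-477A-B637-BF3C1A2E5993} - C:\WINDOWS\isrvs\sysupd.dll (file missing)
O2 - BHO: CeresObj Class - {00000049-8F91-4D9C-9573-F016E7626484} - C:\WINDOWS\CERES.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [IST Service] \ISTsvc\istsvc.exe
O15 - Trusted Zone: *.slotch.com (HKLM)
O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone
O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - C:\WINDOWS\isrvs\mfiltis.dll
"""
```

The legitimate &Radio toolbar (MSDXM.OCX, loaded from SYSTEM and still present) passes through unflagged, while every entry the reply asks to fix is reported with a reason.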
