Hijacked by mrhop.dll. Have I got rid of it?

Discussion in 'adware, spyware & hijack cleaning' started by major_bodger, May 11, 2004.

Thread Status:
Not open for further replies.
  1. major_bodger
    major_bodger Registered Member

    Using a combination of Merijn's website and search info from this forum, I used CWShredder, Adaware and Spybot in combinations of safe mode and full boot to try and get rid of an about:blank hijack which I think came from a mrhop.dll file.

    I had clashing problems installing a firewall with Freeserve and Norton so took it off. Guess who's wishing they'd persevered now!!

    Just before I switched the PC off, I searched for all DLLs. mrhop.dll was gone, and I couldn't see any other obvious ones that looked unusual.

    I also searched for all .exe files and there were a few I didn't recognise, including ntload.exe and nsys.exe.

    The first question is, should I keep these?

    I also ran HijackThis just before switch-off and the log is included below.

    Logfile of HijackThis v1.97.7
    Scan saved at 19:40:41, on 10/05/2004
    Platform: Windows ME (Win9x 4.90.3000)
    MSIE: Internet Explorer v5.50 (5.50.4134.0600)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\WINDOWS\SYSTEM\SSDPSRV.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\PROGRAM FILES\ADAPTEC\DIRECTCD\DIRECTCD.EXE
    C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
    C:\PROGRAM FILES\THRUSTMASTER\THRUSTMAPPER\TMTMTSR.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
    C:\PROGRAM FILES\NORTON ANTIVIRUS\POPROXY.EXE
    C:\PROGRAM FILES\USBDRIVE\SHWICON.EXE
    C:\PROGRAM FILES\ADAPTEC\EASY CD CREATOR 4\CREATECD\CREATECD.EXE
    C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\WORKS SHARED\WKCALREM.EXE
    C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\OSA.EXE
    C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\FINDFAST.EXE
    C:\PROGRAM FILES\FINEPIXVIEWER\QUICKDCF.EXE
    C:\WINDOWS\SYSTEM\PSTORES.EXE
    C:\WINDOWS\SYSTEM\RNAAPP.EXE
    C:\WINDOWS\SYSTEM\TAPISRV.EXE
    C:\GARY\VIRUS STUFF\HIJACKTHIS1977\HIJACKTHIS.EXE
    C:\WINDOWS\NOTEPAD.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.google.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wanadoo.co.uk/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.wanadoo.co.uk/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.wanadoo.co.uk/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Freeserve
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=http://www-cache.freeserve.net:8080;ftp=http://www-cache.freeserve.net:8080
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = <local>
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.microsoft.com/isapi/redir.dll?p....5&plcid=0x0809
    R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm
    R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm
    F1 - win.ini: run=hpfsched
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
    O3 - Toolbar: Search - {A58686ED-FC46-44C3-95C6-4A812AB776F1} - C:\Program Files\FerretSoft\WebFerret\FerretBand.dll
    O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
    O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
    O4 - HKLM\..\Run: [Adaptec DirectCD] C:\PROGRA~1\ADAPTEC\DIRECTCD\DIRECTCD.EXE
    O4 - HKLM\..\Run: [ThrustTSR] C:\Program Files\Thrustmaster\Thrustmapper\TMTMTSR.exe
    O4 - HKLM\..\Run: [RegShave] C:\Progra~1\REGSHAVE\REGSHAVE.EXE /autorun
    O4 - HKLM\..\Run: [NAV DefAlert] C:\PROGRA~1\NORTON~1\DEFALERT.EXE
    O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET
    O4 - HKLM\..\Run: [Norton eMail Protect] C:\Program Files\Norton AntiVirus\POPROXY.EXE
    O4 - HKLM\..\Run: [ShowIcon_Justrams_USB Drives Driver v1.19r020] "C:\Program Files\USBDRIVE\shwicon.exe" -t"Justrams\USB Drives Driver v1.19r020"
    O4 - HKLM\..\Run: [CreateCD] C:\PROGRA~1\ADAPTEC\EASYCD~1\CREATECD\CREATECD.EXE -r
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
    O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
    O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
    O4 - Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
    O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
    O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
    O4 - Startup: Exif Launcher.lnk = C:\Program Files\FinePixViewer\QuickDCF.exe
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: MSN Messenger Service (HKLM)
    O12 - Plugin for .mp3: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin3.dll
    O12 - Plugin for .mov: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
    O12 - Plugin for .mid: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin2.dll
    O12 - Plugin for .mpeg: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin3.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.freeserve.com/
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200212...meInstaller.exe
    O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/region/reg_.../ActiveData.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...8111.4283333333
    O19 - User stylesheet: (file missing)



    I've tried to do as much as I can but have now got to the stage where I need expert advice on whether this needs further work. I got a bit confused on the order of doing things!!

    Your help is much appreciated and thanks in advance.

    Gary.
  2. major_bodger
    major_bodger Registered Member

    After a little more investigation, it turns out that whatever hijacked my system has also been dialling premium rate numbers through my modem since last February. I didn't spot the dialling because it has also disabled the modem speaker!

    Anyone got any comments on the HJT log?

    Gary
  3. dvk01
    dvk01 Global Moderator

    The log looks to be clear.

    I've no idea what Ntload.exe is, but nsys.exe is a part of the NetSpy keylogger.

    The about:blank hijacker is very difficult to fix and frequently reoccurs despite all apparent cleaning. We are still working on a full and guaranteed cure for it.

    This approach has had some response once you have cleaned all obvious signs from the computer.
    To see if we can prevent the CWS hijackers reinfecting you, try this:
    a workaround seems to be to install a good firewall (lists here http://www.wilders.org/firewalls.htm) if you haven't already got one, and block these ranges of ports, both incoming and outgoing: 209.66.114.0-209.66.115.255, 81.211.105.0-81.211.105.255 and 213.159.117.0-213.159.118.255.
    That stops the known CWS servers responding or the hidden files on your computer updating. This works sometimes but not always, but it's a help. The problem with this approach is that some good sites might also be blocked (not many, as all the IP numbers are in Russia and very few Russian sites have much relevance to most people).


    Now, as you might have NetSpy and others that are hidden, I would also do this:

    I would strongly recommend downloading and running a specialised anti-trojan;
    lists here http://www.wilders.org/anti_trojans.htm

    The anti-trojan that I use for dealing with them is

    TDS3 from http://tds.diamondcs.com.au/

    Download & install the 30-day free trial; update it manually as described here http://tds.diamondcs.com.au/index.php?page=update as the trial version doesn't have auto-update enabled.

    Then press scan control & tick all the little boxes in the bottom part of that window, press save configuration and then close that window by pressing the red X in the top right corner; then select system testing and select full system scan.

    Sit back with a cup of coffee and watch what it finds.

    NOTE:

    Unlike set-and-forget AVs, TDS works with you: it doesn't auto-delete anything but puts a list of found suspect files in the bottom window.

    Right-click any file it finds and it gives you options on dealing with it. The normal selection would be delete, but first select "save as text"; that will create a logfile of all the found suspect files and put it in the TDS directory, called scandump.txt.

    Post back with the TDS log after running, please; just copy & paste the entries from scandump.txt.
  4. major_bodger
    major_bodger Registered Member

    Many thanks. I'll get onto this asap and get back to you.

    Gary.
  5. major_bodger
    major_bodger Registered Member

    I tried a fully updated version of TDS3 three times last night.

    Each time the scan was well underway then I got a blue screen windows error and then when I continued, TDS3 had closed!

    I rebooted afterwards and tried again, in between running the CWS smart killer removal tool, which didn't find anything.

    I have Norton AV which still runs, as does adaware and spybot, but Stinger now also crashes.

    Ah, it's just occurred to me that I didn't do it in safe mode. Would this make any difference? Where do I go from here?

    Thanks,
    Gary.
  6. Pilli
    Pilli Registered Member

    Hi major_bodger, can you disable the "Scan Zip/RAR files" option & try again?
    Sometimes a corrupt or overly large archive file can cause such problems in ME.

    Please let us know what happens - Thanks, Pilli
  7. Jooske
    Jooske Registered Member

    Hi Gary,

    About the TDS stopping, does it happen each time in the same place?
    Did you have all your other scanners disabled, also their resident protection, during the process?

    Do you remember the kind of error message on the blue screen?
    I suppose after so many retries you rebooted after installing TDS by now, which is important, but should not be a reason for blue screens.

    Do you have only one drive and one partition or do you have more partitions?
    It could be, if TDS falls over in the same place each time, that there is a corrupt file, for instance in RAR format, in that place; normally you would get a normal Windows error and TDS closes; the solution is then to exclude that particular folder from scanning and try again. No blue screen situation normally.

    You could also have a look at the required system files on the TDS site, if you have the same or newer versions. I would expect TDS not to load or error messages, no blue screen situation normally either.

    What might help is (I prefer in safe mode) to do a Windows ScanDisk first, a general one and afterwards an advanced one, which could put files back in place etc. if anything is not all nice there. Helps in lots of cases too.
    After that reboot and try your scans again.

    Besides the HJT log you created already, also get the AutoStartViewer from the free products site at DiamondCS and, with all options checked, post that log too; it might show more things which might not be in HJT.

    Please post back if any of those things helps here!

    For your internet connection, please also get the free evaluation of Port Explorer (install when offline with all scanners and maybe also your firewall closed, and reboot afterwards). This tool shows in one blink of the eye all connections with your system; you can see which application is responsible for each and you might locate a logger or dialer, which you can stop sending/receiving immediately and kill while you look deeper into the application and the data packets which are being sent (before you kill it, of course). Such hidden processes show up as red, which does not mean all red processes are trojans (we'll explain that later).

    Looking forward to your next experiences, as they might help others tremendously too!
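As an added example (my own code, not from this thread and not from any of the tools it names): dvk01 gave three address ranges to block at the firewall, and Jooske describes a viewer that lists every connection together with the process that owns it. The Python below turns those ranges into CIDR blocks that a firewall rule can take, then checks a per-process connection table against them. The connection table is constructed sample data; the process names, addresses and ports in it are invented for the example, and only the three ranges come from the post.

```python
import ipaddress
from typing import List, Tuple

# The three ranges quoted in dvk01's post, as inclusive start-end pairs.
BLOCKED_RANGES = [
    ("209.66.114.0", "209.66.115.255"),
    ("81.211.105.0", "81.211.105.255"),
    ("213.159.117.0", "213.159.118.255"),
]


def ranges_to_networks(ranges):
    """Convert inclusive start-end ranges to the minimal list of CIDR networks.

    Firewalls generally take CIDR blocks rather than arbitrary ranges, so a
    range such as 213.159.117.0-213.159.118.255, whose start sits on an odd
    third octet, has to become two /24s rather than a single /23.
    """
    nets = []
    for start, end in ranges:
        nets.extend(
            ipaddress.summarize_address_range(
                ipaddress.ip_address(start), ipaddress.ip_address(end)
            )
        )
    return nets


BLOCKED_NETWORKS = ranges_to_networks(BLOCKED_RANGES)


def cidr_rules() -> List[str]:
    """The blocks as strings, ready to paste into a firewall rule."""
    return [str(net) for net in BLOCKED_NETWORKS]


def is_blocked(ip: str) -> bool:
    """True if the address falls inside any of the listed ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in BLOCKED_NETWORKS)


# Constructed sample of a per-process connection table, in the shape a
# connection viewer shows: (owning process, remote address, remote port).
# Every row here is invented for this example.
SAMPLE_CONNECTIONS: List[Tuple[str, str, int]] = [
    ("IEXPLORE.EXE", "192.0.2.10", 8080),    # documentation address standing in for the ISP proxy
    ("NSYS.EXE", "209.66.114.22", 80),       # inside 209.66.114.0/23
    ("UNKNOWN.EXE", "213.159.118.7", 6667),  # inside 213.159.118.0/24
    ("POPROXY.EXE", "81.211.106.1", 110),    # one network past 81.211.105.0/24: not blocked
]


def flag_connections(conns):
    """Return the rows whose remote address is inside a blocked range."""
    return [row for row in conns if is_blocked(row[1])]


if __name__ == "__main__":
    print("Firewall blocks:", ", ".join(cidr_rules()))
    for proc, ip, port in flag_connections(SAMPLE_CONNECTIONS):
        print(f"{proc} -> {ip}:{port} is talking to a listed range")
```

The check is deliberately done on the CIDR blocks rather than on the raw ranges, so what the script reports as blocked is exactly what a firewall configured with those four blocks would drop.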
  8. major_bodger
    major_bodger Registered Member

    Okay guys, here's an update. It seems the scans stopped because Norton AV was running.

    I ran TDS3 four more times last night, two in safe mode, (so Norton AV is off , I assume) one with 'zip/rar files' on and one without. Then I ran two more in normal boot, with Norton AV disabled, and 'zip/rar files' on and off.

    I forgot to mention before that TDS3 doesn't let me select 'scan NTFS ADS hidden streams', saying they're not supported on any hard drives on my system. (I have no idea what it is so don't know if this is good or bad!)

    All of the scans finished this time, and gave no alarms at all!

    This surprised me, since Derek said that nsys.exe is part of a netspy keylogger and a quick search on google confirmed it.

    Am I okay to just delete it if I can?
    Are there any other files with it?
    More importantly, why didn't it trigger an alarm since it is still there?

    In answer to some of the other questions, I only have a single hard disk with nothing fancy done to it, so I assume it's single partition.

    I forgot to run the autostart viewer so I'll post that log tomorrow, along with another hijackthis log if anyone thinks it'll help.

    Anyone have any comments on progress so far?
    Continued thanks for all of your help,
    Gary
  9. Pilli
    Pilli Registered Member

    Hi major_bodger, that particular keylogger may be a commercial legitimate one which is not Trojanic in behaviour, though Gavin will confirm that.
    If you can copy the files and .zip them up, please send to submit@diamoncs.com.au. Then Gavin can verify them.
    TDS3 is an anti-Trojan program first and foremost :)

    NTFS is the file system used by NT ie. XP, W2k etc. Your file system is FAT32 so NTFS is not applicable.

    Pilli
  10. major_bodger
    major_bodger Registered Member

    I have zipped and tried to send nsys.exe to Gavin this morning but it bounced back.

    Should the email address be submit@diamondcs.com.au?

    Here's the autostart viewer log that was asked for. It's a good job you guys know what you're doing because it means nothing to me!!:-

    DiamondCS Autostart Viewer (www.diamondcs.com.au) - Report for default@OEMCOMPUTER, 05-13-2004
    c:\autoexec.bat
    SET windir=C:\WINDOWS
    SET winbootdir=C:\WINDOWS
    SET COMSPEC=C:\WINDOWS\COMMAND.COM
    SET PATH=C:\WINDOWS;C:\WINDOWS\COMMAND
    SET TEMP=C:\WINDOWS\TEMP
    SET TMP=C:\WINDOWS\TEMP
    C:\WINDOWS\winstart.bat
    @C:\WINDOWS\tmpcpyis.bat
    c:\windows\win.ini [windows]\run
    hpfsched
    c:\windows\system.ini [boot]\shell
    C:\WINDOWS\Explorer.exe
    HKCR\htafile\shell\open\command\
    C:\WINDOWS\SYSTEM\MSHTA.EXE "%1" %*
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ScanRegistry
    C:\WINDOWS\scanregw.exe /autorun
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\TaskMonitor
    C:\WINDOWS\taskmon.exe
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\PCHealth
    C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\SystemTray
    C:\WINDOWS\system\SysTray.Exe
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\LoadPowerProfile
    Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\WorksFUD
    C:\Program Files\Microsoft Works\wkfud.exe
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Works Portfolio
    C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Adaptec DirectCD
    C:\PROGRA~1\ADAPTEC\DIRECTCD\DIRECTCD.EXE
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ThrustTSR
    C:\Program Files\Thrustmaster\Thrustmapper\TMTMTSR.exe
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\RegShave
    C:\Progra~1\REGSHAVE\REGSHAVE.EXE /autorun
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\NAV DefAlert
    C:\PROGRA~1\NORTON~1\DEFALERT.EXE
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Norton Auto-Protect
    C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Norton eMail Protect
    C:\Program Files\Norton AntiVirus\POPROXY.EXE
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ShowIcon_Justrams_USB Drives Driver v1.19r020
    C:\Program Files\USBDRIVE\shwicon.exe" -t"Justrams\USB Drives Driver v1.19r020
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\CreateCD
    C:\PROGRA~1\ADAPTEC\EASYCD~1\CREATECD\CREATECD.EXE -r
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\LoadPowerProfile
    Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\SchedulingAgent
    C:\WINDOWS\system\mstask.exe
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\SSDPSRV
    C:\WINDOWS\SYSTEM\ssdpsrv.exe
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\*StateMgr
    C:\WINDOWS\System\Restore\StateMgr.exe
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\ScriptBlocking
    C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe
    HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\
    C:\WINDOWS\SYSTEM\WEBCHECK.DLL
    C:\WINDOWS\SYSTEM\UPNPUI.DLL
    C:\WINDOWS\SYSTEM\AUHOOK.DLL
    C:\WINDOWS\Tasks\PCHealth Scheduler for Data Collection.job
    C:\WINDOWS\PCHEALTH\SUPPORT\PCHSCHD.EXE
    C:\WINDOWS\Tasks\Scan for Viruses.job
    C:\Program Files\Norton AntiVirus\NAVW32.EXE
    C:\WINDOWS\Tasks\Symantec NetDetect.job
    C:\PROGRAM FILES\SYMANTEC\LIVEUPDATE\NDETECT.EXE
    C:\WINDOWS\Tasks\Virus Scan.job
    C:\Program Files\Norton AntiVirus\SCNHNDLR.EXE
    C:\WINDOWS\Tasks\Maintenance-Defragment programs.job
    C:\WINDOWS\DEFRAG.EXE
    C:\WINDOWS\Tasks\Maintenance-ScanDisk.job
    C:\WINDOWS\SCANDSKW.EXE
    C:\WINDOWS\Tasks\Maintenance-Disk cleanup.job
    C:\WINDOWS\CLEANMGR.EXE
    C:\WINDOWS\Start Menu\Programs\StartUp\Microsoft Works Calendar Reminders.lnk
    C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
    C:\WINDOWS\Start Menu\Programs\StartUp\Office Startup.lnk
    C:\Program Files\Microsoft Office\Office\OSA.EXE
    C:\WINDOWS\Start Menu\Programs\StartUp\Microsoft Find Fast.lnk
    C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
    C:\WINDOWS\Start Menu\Programs\StartUp\Exif Launcher.lnk
    C:\Program Files\FinePixViewer\QuickDCF.exe
    HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\
    C:\WINDOWS\SYSTEM\mswsosp.dll
    C:\WINDOWS\SYSTEM\msafd.dll
    C:\WINDOWS\SYSTEM\rsvpsp.dll
    HKLM\System\CurrentControlSet\Services\VxD\VNETSUP\
    C:\WINDOWS\system\vnetsup.vxd
    HKLM\System\CurrentControlSet\Services\VxD\NDIS\
    C:\WINDOWS\system\ndis.vxd
    HKLM\System\CurrentControlSet\Services\VxD\JAVASUP\
    C:\WINDOWS\system\JAVASUP.VXD
    HKLM\System\CurrentControlSet\Services\VxD\DFS\
    C:\WINDOWS\system\dfs.vxd
    HKLM\System\CurrentControlSet\Services\VxD\VREDIR\
    C:\WINDOWS\system\vredir.vxd
    HKLM\System\CurrentControlSet\Services\VxD\VNETBIOS\
    C:\WINDOWS\system\vnetbios.vxd
    HKLM\System\CurrentControlSet\Services\VxD\ASPIENUM\
    C:\WINDOWS\system\ASPIENUM.VXD
    HKLM\System\CurrentControlSet\Services\VxD\NAVAP\
    C:\PROGRA~1\NORTON~1\NAVAP.VXD
    HKLM\System\CurrentControlSet\Services\VxD\SYMEVNT\
    C:\PROGRA~1\SYMANTEC\SYMEVNT.386


    I also did another hijackthis log to see if anything had changed:-


    Logfile of HijackThis v1.97.7
    Scan saved at 19:54:51, on 13/05/2004
    Platform: Windows ME (Win9x 4.90.3000)
    MSIE: Internet Explorer v5.50 (5.50.4134.0600)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\WINDOWS\SYSTEM\SSDPSRV.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\PROGRAM FILES\ADAPTEC\DIRECTCD\DIRECTCD.EXE
    C:\PROGRAM FILES\THRUSTMASTER\THRUSTMAPPER\TMTMTSR.EXE
    C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
    C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\PROGRAM FILES\NORTON ANTIVIRUS\POPROXY.EXE
    C:\PROGRAM FILES\USBDRIVE\SHWICON.EXE
    C:\PROGRAM FILES\ADAPTEC\EASY CD CREATOR 4\CREATECD\CREATECD.EXE
    C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\WORKS SHARED\WKCALREM.EXE
    C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\OSA.EXE
    C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\FINDFAST.EXE
    C:\PROGRAM FILES\FINEPIXVIEWER\QUICKDCF.EXE
    C:\GARY\VIRUS STUFF\HIJACKTHIS1977\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.wanadoo.co.uk/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.wanadoo.co.uk/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Freeserve
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=http://www-cache.freeserve.net:8080;ftp=http://www-cache.freeserve.net:8080
    F1 - win.ini: run=hpfsched
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
    O3 - Toolbar: Search - {A58686ED-FC46-44C3-95C6-4A812AB776F1} - C:\Program Files\FerretSoft\WebFerret\FerretBand.dll
    O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
    O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
    O4 - HKLM\..\Run: [Adaptec DirectCD] C:\PROGRA~1\ADAPTEC\DIRECTCD\DIRECTCD.EXE
    O4 - HKLM\..\Run: [ThrustTSR] C:\Program Files\Thrustmaster\Thrustmapper\TMTMTSR.exe
    O4 - HKLM\..\Run: [RegShave] C:\Progra~1\REGSHAVE\REGSHAVE.EXE /autorun
    O4 - HKLM\..\Run: [NAV DefAlert] C:\PROGRA~1\NORTON~1\DEFALERT.EXE
    O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET
    O4 - HKLM\..\Run: [Norton eMail Protect] C:\Program Files\Norton AntiVirus\POPROXY.EXE
    O4 - HKLM\..\Run: [ShowIcon_Justrams_USB Drives Driver v1.19r020] "C:\Program Files\USBDRIVE\shwicon.exe" -t"Justrams\USB Drives Driver v1.19r020"
    O4 - HKLM\..\Run: [CreateCD] C:\PROGRA~1\ADAPTEC\EASYCD~1\CREATECD\CREATECD.EXE -r
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
    O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
    O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
    O4 - Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
    O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
    O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
    O4 - Startup: Exif Launcher.lnk = C:\Program Files\FinePixViewer\QuickDCF.exe
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: MSN Messenger Service (HKLM)
    O12 - Plugin for .mp3: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin3.dll
    O12 - Plugin for .mov: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
    O12 - Plugin for .mid: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin2.dll
    O12 - Plugin for .mpeg: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin3.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.freeserve.com/
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...ple.com/drakken/us/win/QuickTimeInstaller.exe
    O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/region/reg_eu/techsupp/activedata/ActiveData.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?38111.4283333333
    O19 - User stylesheet: (file missing)


    Thanks for your continued collective help and support,
    Gary
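Gary ran a second HijackThis log "to see if anything had changed", and comparing two logs by eye is tedious. Here is an added Python example (mine, not part of the thread and not HijackThis's own code) that parses the running-process list and the coded R/F/O entries out of two logs and reports what disappeared and what appeared between them. The two logs embedded in it are short excerpts of the ones Gary posted on 10 and 13 May, cut down to a few lines each for the example.

```python
import re
from typing import Dict, List, Set

# Excerpts of the two HijackThis logs posted above (10 and 13 May 2004),
# trimmed to a handful of lines each for this example.
LOG_MAY10 = r"""
Logfile of HijackThis v1.97.7
Scan saved at 19:40:41, on 10/05/2004
Platform: Windows ME (Win9x 4.90.3000)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\NOTEPAD.EXE
C:\GARY\VIRUS STUFF\HIJACKTHIS1977\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wanadoo.co.uk/
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O19 - User stylesheet: (file missing)
"""

LOG_MAY13 = r"""
Logfile of HijackThis v1.97.7
Scan saved at 19:54:51, on 13/05/2004
Platform: Windows ME (Win9x 4.90.3000)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\GARY\VIRUS STUFF\HIJACKTHIS1977\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.wanadoo.co.uk/
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O19 - User stylesheet: (file missing)
"""

# A coded entry: section code (R0, R1, F1, O2, O4, O16, ...), " - ", the rest.
ENTRY_RE = re.compile(r"^([RFO]\d+) - (.+)$")


def parse_hjt_log(text: str) -> Dict[str, Set[str]]:
    """Split a HijackThis log into its running-process list and its coded entries.

    Entries keep their section code so identical text in two different
    sections is not confused. Paths are upper-cased because Win9x file
    names are case-insensitive.
    """
    processes: Set[str] = set()
    entries: Set[str] = set()
    in_processes = False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Running processes:":
            in_processes = True
            continue
        if in_processes:
            if not line:
                in_processes = False   # blank line ends the process list
            else:
                processes.add(line.upper())
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.add(f"{m.group(1)} - {m.group(2)}")
    return {"processes": processes, "entries": entries}


def diff_logs(old: Dict[str, Set[str]], new: Dict[str, Set[str]]) -> Dict[str, List[str]]:
    """Report what vanished and what appeared between two parsed logs."""
    return {
        "processes_gone": sorted(old["processes"] - new["processes"]),
        "processes_new": sorted(new["processes"] - old["processes"]),
        "entries_gone": sorted(old["entries"] - new["entries"]),
        "entries_new": sorted(new["entries"] - old["entries"]),
    }


def entries_by_section(parsed: Dict[str, Set[str]], code: str) -> List[str]:
    """All entries of one section, e.g. 'O4' for the autostart entries."""
    return sorted(e for e in parsed["entries"] if e.startswith(code + " - "))


if __name__ == "__main__":
    delta = diff_logs(parse_hjt_log(LOG_MAY10), parse_hjt_log(LOG_MAY13))
    for key, lines in delta.items():
        print(key)
        for line in lines:
            print("   ", line)
```

On the two excerpts the script reports two processes gone (NOTEPAD.EXE and RNAAPP.EXE, both only running during the first scan), two R entries gone and one R entry new; run against the full logs as posted, the same approach shows which of the autostart and plug-in lines are unchanged between scans, so only the lines that moved need a second look.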
  11. major_bodger
    major_bodger Registered Member

    Anyone got any info on these latest logs?

    Gary
  12. Jooske
    Jooske Registered Member

    Sorry for the typo, submit@diamondcs.com.au with the "d" inside it is right; hope you managed to send it in in the meantime.
    I'm sure the experts will be back with you asap!
  13. major_bodger
    major_bodger Registered Member

    Thanks. I assumed that was the case and sent it to Gavin on that address. I haven't heard anything back yet on the result, though.

    Can anyone tell me if these latest readouts above are okay?

    Gary.
  14. dvk01
    dvk01 Global Moderator

    Just a bit of tidying up to do

    Run hijackthis, tick these entries listed below and ONLY these entries, double check to make sure, then make sure all browser & email windows are closed and press fix checked

    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...meInstaller.exe
    O19 - User stylesheet: (file missing)
  15. major_bodger
    major_bodger Registered Member

    Thanks for that, Derek. I'll do it tonight. I have noticed one problem, possibly as a result of all this clearing out. In Windows Explorer, if I select 'folders' for the left hand window, I only get an empty grey window with no display. All the other settings (search, history etc) for this window seem to work okay. Is there an easy way to fix this?

    Gary.
  16. Jooske
    Jooske Registered Member

    It might help in Add/remove to do a repair install on Internet Explorer which is integrated with windows explorer and outlook express. Make sure all anti-virus is closed; after the repair you'll have to reboot and look if it's all ok again. Not sure if a system restore could disturb the repair again!
  17. major_bodger
    major_bodger Registered Member

    I've now tidied up my hijackthis log and installed some of the suggested software but I still have my problem with Win Explorer not displaying 'folders' correctly. I have also now got a new problem where Norton AV won't finish a scan and gives me an error message :-

    "Navw32 has caused an error in V32SCAN.DLL and will now close" This doesn't seem to be covered in Symantec's error messages for NAV2001!!

    Whenever I get one thing sorted something else seems to crop up and I'm starting to think I'd be better off reformatting my hard disk and starting again!!

    Any suggestions?

    Gary