Brian Mac

Discussion in 'adware, spyware & hijack cleaning' started by BRIAN MAC, Jun 12, 2004.

Thread Status:
Not open for further replies.
  1. BRIAN MAC

    BRIAN MAC Registered Member

    Joined:
    Jun 12, 2004
    Posts:
    1
    I have used Spybot S&D which removed a dailer in the fix mode. AVG reported a Trojan Dropper (Dropper Small.4.H) + (Dropper.Inor.J) this virus is stopping AVG from accessing and reading C: Documents and Settings. + My web home page is set to a site called (about:blank) and this cannot be cleared, permanently?

    Below is the Hikackthis scan result. Help!!! please?



    Logfile of HijackThis v1.97.7
    Scan saved at 12:12:52, on 12/06/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
    C:\WINDOWS\System32\CTsvcCDA.exe
    C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\WINDOWS\System32\MsPMSPSv.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
    F:\Program Files\java\bin\jusched.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
    C:\Documents and Settings\Brian.BRIAN-TRQBH52QX\Desktop\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\hlgll.dll/sp.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\hlgll.dll/sp.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\hlgll.dll/sp.html (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\hlgll.dll/sp.html (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\hlgll.dll/sp.html (obfuscated)
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\hlgll.dll/sp.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: (no name) - {9E5B027D-2CA2-4536-9CF7-60FFC92E811A} - C:\WINDOWS\System32\hlgll.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
    O4 - HKLM\..\Run: [PtiuPbmd] Rundll32.exe ptipbm.dll,SetWriteBack
    O4 - HKLM\..\Run: [SunJavaUpdateSched] F:\Program Files\java\bin\jusched.exe
    O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - Startup: PowerReg Scheduler.exe
    O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
    O4 - Global Startup: ZoneAlarm.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {11120607-1001-1111-1000-110199901123} - ms-its:mhtml:file://C:\foo.mht!http://81.211.105.37/11221/online.chm::/on-line.exe
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
     
  2. Taz71498

    Taz71498 Registered Member

    Joined:
    May 27, 2004
    Posts:
    674
    Location:
    USA
    Hello BRIAN MAC,

    Download CWShredder Click on update, then close all browsers, and then click on Fix, not scan.

    Next, download Spybot S&D Check for Updates first, download ALL Updates and Do a Scan. When finished, make sure ALL RED items have been ticked, and click the "Fix Selected Problems" Button.

    Reboot the computer.

    Run Hijackthis again and check this item:

    O16 - DPF: {11120607-1001-1111-1000-110199901123} - ms-its:mhtml:file://C:\foo.mht!http://81.211.105.37/11221/online.chm::/on-line.exe

    Reboot. Post a new HJT log along with the log below that I am going to have you get.

    Next, Download: "StartDreck", from here:
    http://members.blackbox.net/hp_links/21/ni.../startdreck.htm

    Unzip to its own folder and start the program,

    Press 'Config'
    Press 'Unmark All'

    Check the following boxes only:
    Registry -> Run Keys
    System/drivers> Running processes
    Press 'Ok'

    Press 'Save' and select the location to save the log file
    (default is the same folder as the application)

    Post the log in this thread.
     
Thread Status:
Not open for further replies.