Hijack this log 08Feb04

Discussion in 'adware, spyware & hijack cleaning' started by henrymad, Feb 8, 2004.

Thread Status:
Not open for further replies.
  1. henrymad

    henrymad Registered Member

    Joined:
    Feb 5, 2004
    Posts:
    7
    Hi All!

    I've run Spybot S&D and HijackThis (see log below). I've also installed Spyguard. The problem is that every time I close a folder, the default page of the IE browser changes to a geocities address. Spyguard informs me, I just keep on clicking RESTORE OLD VALUE (about blank), but doing this every time I have to close folders is too tiring.

    Problem started 3 weeks ago when, on a business trip, I used a diskette to save downloaded mail from a business center desktop to my other (office) laptop, which got infected. Now, this other laptop (home) is infected too when I transferred files.

    Any help would be appreciated and thanks everyone!

    Logfile of HijackThis v1.97.7
    Scan saved at 3:20:31 PM, on 08-Feb-04
    Platform: Windows 98 Gold (Win9x 4.10.1998)
    MSIE: Internet Explorer v5.00 (5.00.2919.6304)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\AVSYNMGR.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\PROGRAM FILES\SAFEOFF\SAFEOFF.EXE
    C:\PROGRAM FILES\SLEEP MANAGER\SLEEPMGR.EXE
    C:\WINDOWS\LOADQM.EXE
    C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\ALOGSERV.EXE
    C:\PROGRAM FILES\MCAFEE\MCAFEE SHARED COMPONENTS\GUARDIAN\CMGRDIAN.EXE
    C:\PROGRAM FILES\IOMEGA HOTBURN\AUTOLAUNCH.EXE
    C:\WINDOWS\TPPALDR.EXE
    C:\PROGRAM FILES\COMMON FILES\LAPLINK\SCHEDULER\LLSCHED.EXE
    C:\PROGRAM FILES\MESSENGER\MSMSGS.EXE
    C:\PROGRAM FILES\IOMEGA\TOOLS\IMGICON.EXE
    C:\PROGRAM FILES\IOMEGA\TOOLS\CLIKSTAT.EXE
    C:\PROGRAM FILES\SPYWAREGUARD\SGMAIN.EXE
    C:\PROGRAM FILES\COMMON FILES\LAPLINK\SCHEDULER\LLSCHENG.EXE
    C:\PROGRAM FILES\SPYWAREGUARD\SGBHP.EXE
    C:\WINDOWS\SYSTEM\RNAAPP.EXE
    C:\WINDOWS\SYSTEM\TAPISRV.EXE
    C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\VSSTAT.EXE
    C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\AVCONSOL.EXE
    C:\WINDOWS\SYSTEM\PSTORES.EXE
    C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\PROGRAM FILES\HIJACKTHIS.EXE

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.geocities.com/hedda_marie_tolentino/index.htm
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [O2MemChk] O2memchk.exe 02000000
    O4 - HKLM\..\Run: [SafeOFF] C:\Program Files\SafeOFF\SafeOff.exe
    O4 - HKLM\..\Run: [SleepManager] C:\Program Files\Sleep Manager\SleepMgr.exe
    O4 - HKLM\..\Run: [LoadQM] loadqm.exe
    O4 - HKLM\..\Run: [Alogserv] c:\Program Files\McAfee\McAfee VirusScan\alogserv.exe
    O4 - HKLM\..\Run: [McAfee Guardian] "c:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe" /SU
    O4 - HKLM\..\Run: [Drag'n'Drop_Autolaunch] "C:\Program Files\Iomega HotBurn\Autolaunch.exe"
    O4 - HKLM\..\Run: [TPP Auto Loader] C:\WINDOWS\TPPALDR.EXE
    O4 - HKLM\..\Run: [LapLink Scheduler] "C:\Program Files\Common Files\LapLink\Scheduler\LLSCHED.EXE"
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [McAfeeVirusScanService] c:\Program Files\McAfee\McAfee VirusScan\AVSYNMGR.EXE
    O4 - HKCU\..\Run: [MSMSGS] C:\Program Files\Messenger\msmsgs.exe /background
    O4 - HKCU\..\Run: [McAfee.InstantUpdate.Monitor] "c:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe" /startmonitor
    O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Startup: Iomega Watch.lnk = C:\Program Files\Iomega\Tools\IOWATCH.EXE
    O4 - Startup: Iomega Startup Options.lnk = C:\Program Files\Iomega\Tools\IMGSTART.EXE
    O4 - Startup: Iomega Disk Icons.lnk = C:\Program Files\Iomega\Tools\IMGICON.EXE
    O4 - Startup: Clik Status Monitor.lnk = C:\Program Files\Iomega\Tools\CLIKSTAT.EXE
    O4 - Startup: Refresh.lnk = C:\Program Files\Iomega\Tools\REFRESH.EXE
    O4 - Startup: PowerReg Scheduler.exe
    O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
    O8 - Extra context menu item: Open Picture in &Microsoft PhotoDraw - res://C:\PROGRA~1\MICROS~1\OFFICE\1033\PHDINTL.DLL/phdContext.htm
    O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsearch.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmcache.html
    O8 - Extra context menu item: Si&milar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsimilar.html
    O8 - Extra context menu item: Backward &Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmbacklinks.html
    O8 - Extra context menu item: Translate Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmtrans.html
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: MSN Messenger Service (HKLM)
    O16 - DPF: Win32 Classes - file://c:\windows\Java\classes\win32ie4.cab
     
  2. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    Hi henrymad,

    Check the following items in HijackThis.
    Close all windows except HijackThis and click Fix checked:

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.geocities.com/hedda_marie_tolentino/index.htm

    O4 - Startup: PowerReg Scheduler.exe

    Then reboot, open an IE window and copy & paste this command in the address bar:
    javascript:navigator.userAgent

    Let me know what shows up in the window after you enter that.

    Regards,

    Pieter
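As an added example (not the thread's own material and not part of HijackThis), the following Python script shows how the two entries Pieter singled out can be picked out of a HijackThis log automatically. It applies two heuristics that are assumptions of this example, not HijackThis rules: an R0/R1 "Local Page" value that is a remote http(s) URL (Local Page normally points at about:blank or a local file), and an "O4 - Startup:" entry that is a bare executable dropped into the Startup folder rather than a "name.lnk = path" shortcut. The sample log lines are copied from the log posted above, with a few benign neighbours, so it runs offline.

```python
"""Triage helper for HijackThis-style log lines (added example).

Two heuristics, matching the two entries flagged in the thread:
  1. an R0/R1 'Local Page' pointing at a remote http(s) URL;
  2. an 'O4 - Startup:' entry that is a bare executable, not a .lnk shortcut.
Anything else is left alone; this is a first-pass filter, not a verdict.
"""
import re
from urllib.parse import urlparse

# Constructed sample: lines taken from the log in the thread plus benign neighbours.
SAMPLE_LOG = r"""R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.geocities.com/hedda_marie_tolentino/index.htm
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: PowerReg Scheduler.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
"""

# R0/R1 lines: "<kind> - <registry path>,<value name> = <value>"
R_ENTRY = re.compile(
    r"^(R[01]) - (.+?),(Start Page|Local Page|Search Page|Default_Page_URL|Default_Search_URL) = (.*)$"
)
# O4 Startup-folder lines: "O4 - Startup: <shortcut or file>"
STARTUP_ENTRY = re.compile(r"^O4 - Startup: (.+)$")
# A normal Startup-folder entry is a shortcut with a resolved target.
SHORTCUT = re.compile(r"^.+\.lnk = .+$", re.IGNORECASE)


def check_line(line):
    """Return a short reason if the line matches a heuristic, else None."""
    m = R_ENTRY.match(line)
    if m:
        kind, _regpath, name, value = m.groups()
        if name == "Local Page":
            parsed = urlparse(value.strip())
            if parsed.scheme.lower() in ("http", "https"):
                return f"{kind} Local Page set to remote URL on {parsed.netloc}"
        return None
    m = STARTUP_ENTRY.match(line)
    if m:
        target = m.group(1).strip()
        if not SHORTCUT.match(target):
            return "bare executable in Startup folder (no .lnk shortcut)"
        return None
    return None


def triage(log_text):
    """Run check_line over every non-empty line; return [(line, reason), ...]."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        reason = check_line(line)
        if reason:
            findings.append((line, reason))
    return findings


if __name__ == "__main__":
    for line, reason in triage(SAMPLE_LOG):
        print(f"FLAG: {reason}\n      {line}")
```

Both heuristics are deliberately narrow: a flagged line is something to look at, and an unflagged line is not a clean bill of health (the BHO and Run entries in the sample are passed through untouched).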
     
  3. henrymad

    henrymad Registered Member

    Joined:
    Feb 5, 2004
    Posts:
    7
    Hi Pieter,

    I did as instructed: logged off, closed IE, ran HijackThis, clicked the two lines and clicked Fix checked, closed everything, restarted the laptop, opened IE, typed the command as you instructed on the window, pressed RETURN, and the following appeared: Mozilla/4.0 (compatible; MSIE 5.01; Windows 98).

    Is my laptop cured?

    Will wait for your response and advanced thanks for the help.

    Cheers
     
  4. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    I'd be surprised if that cured it, but I can't find anything else wrong in your log and your UserAgent values are normal.

    If you keep having problems I would advise to install IE6 SP1.

    Keep us posted,

    Pieter
     
  5. henrymad

    henrymad Registered Member

    Joined:
    Feb 5, 2004
    Posts:
    7
    It's back! I'm updating my VirusScan DAT files right now, and to see if the virus or trojan or worm is really gone, I clicked Windows Explorer, clicked Program Files, and guess what: Spyguard tells me that there was an attempt to change the default webpage. I again ran HijackThis, and below is the log:

    Logfile of HijackThis v1.97.7
    Scan saved at 10:31:16 PM, on 09-Feb-04
    Platform: Windows 98 Gold (Win9x 4.10.1998)
    MSIE: Internet Explorer v5.00 (5.00.2919.6304)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\AVSYNMGR.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\PROGRAM FILES\SAFEOFF\SAFEOFF.EXE
    C:\PROGRAM FILES\SLEEP MANAGER\SLEEPMGR.EXE
    C:\WINDOWS\LOADQM.EXE
    C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\ALOGSERV.EXE
    C:\PROGRAM FILES\MCAFEE\MCAFEE SHARED COMPONENTS\GUARDIAN\CMGRDIAN.EXE
    C:\PROGRAM FILES\IOMEGA HOTBURN\AUTOLAUNCH.EXE
    C:\WINDOWS\TPPALDR.EXE
    C:\PROGRAM FILES\COMMON FILES\LAPLINK\SCHEDULER\LLSCHED.EXE
    C:\PROGRAM FILES\MESSENGER\MSMSGS.EXE
    C:\PROGRAM FILES\IOMEGA\TOOLS\IMGICON.EXE
    C:\PROGRAM FILES\IOMEGA\TOOLS\CLIKSTAT.EXE
    C:\PROGRAM FILES\SPYWAREGUARD\SGMAIN.EXE
    C:\PROGRAM FILES\COMMON FILES\LAPLINK\SCHEDULER\LLSCHENG.EXE
    C:\PROGRAM FILES\SPYWAREGUARD\SGBHP.EXE
    C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\VSSTAT.EXE
    C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\AVCONSOL.EXE
    C:\WINDOWS\SYSTEM\RNAAPP.EXE
    C:\WINDOWS\SYSTEM\TAPISRV.EXE
    C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\VSHWIN32.EXE
    C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\OUTLOOK.EXE
    C:\WINDOWS\SYSTEM\PSTORES.EXE
    C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
    C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\VSMAIN.EXE
    C:\PROGRAM FILES\HIJACKTHIS.EXE

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.geocities.com/hedda_marie_tolentino/index.htm
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\PROGRAM FILES\SPYWAREGUARD\DLPROTECT.DLL
    O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [O2MemChk] O2memchk.exe 02000000
    O4 - HKLM\..\Run: [SafeOFF] C:\Program Files\SafeOFF\SafeOff.exe
    O4 - HKLM\..\Run: [SleepManager] C:\Program Files\Sleep Manager\SleepMgr.exe
    O4 - HKLM\..\Run: [LoadQM] loadqm.exe
    O4 - HKLM\..\Run: [Alogserv] c:\Program Files\McAfee\McAfee VirusScan\alogserv.exe
    O4 - HKLM\..\Run: [McAfee Guardian] "c:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe" /SU
    O4 - HKLM\..\Run: [Drag'n'Drop_Autolaunch] "C:\Program Files\Iomega HotBurn\Autolaunch.exe"
    O4 - HKLM\..\Run: [TPP Auto Loader] C:\WINDOWS\TPPALDR.EXE
    O4 - HKLM\..\Run: [LapLink Scheduler] "C:\Program Files\Common Files\LapLink\Scheduler\LLSCHED.EXE"
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [McAfeeVirusScanService] c:\Program Files\McAfee\McAfee VirusScan\AVSYNMGR.EXE
    O4 - HKCU\..\Run: [MSMSGS] C:\Program Files\Messenger\msmsgs.exe /background
    O4 - HKCU\..\Run: [McAfee.InstantUpdate.Monitor] "c:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe" /startmonitor
    O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Startup: Iomega Watch.lnk = C:\Program Files\Iomega\Tools\IOWATCH.EXE
    O4 - Startup: Iomega Startup Options.lnk = C:\Program Files\Iomega\Tools\IMGSTART.EXE
    O4 - Startup: Iomega Disk Icons.lnk = C:\Program Files\Iomega\Tools\IMGICON.EXE
    O4 - Startup: Clik Status Monitor.lnk = C:\Program Files\Iomega\Tools\CLIKSTAT.EXE
    O4 - Startup: Refresh.lnk = C:\Program Files\Iomega\Tools\REFRESH.EXE
    O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
    O8 - Extra context menu item: Open Picture in &Microsoft PhotoDraw - res://C:\PROGRA~1\MICROS~1\OFFICE\1033\PHDINTL.DLL/phdContext.htm
    O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsearch.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmcache.html
    O8 - Extra context menu item: Si&milar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsimilar.html
    O8 - Extra context menu item: Backward &Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmbacklinks.html
    O8 - Extra context menu item: Translate Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmtrans.html
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: MSN Messenger Service (HKLM)
    O16 - DPF: Win32 Classes - file://c:\windows\Java\classes\win32ie4.cab

    I noticed that in the Disk C folder, there are two files that keep on updating themselves. One is DESKTOP.INI and the other is FOLDER.HTT (both hidden files). I forgot to tell you that I noticed it the first time when I transferred files last month from the diskette to the laptop. They would appear, then disappear from the diskette. Same thing happened when I clicked and dragged the files. A week ago, a VirusScan showed that a virus called Soraci infected one of the diskettes. VScan killed it, but I think there's a different one still inside the laptop(s).

    Last thing: if this is a worm, or a trojan, what can I use to kill it? Over the past couple of weeks, I've used 3 diskettes and some 4 zip disks to move files from one laptop to another (something I do almost daily), and it's possible that the disks are infected.

    Bottom line: the thing's still here, so a permanent solution is needed.

    Thanks a lot for the help (still ongoing).

    P.S. I remember that the business center was using IE 6.0 or O.E. 6.0 so I don't know if this will solve it.

    Thanks again!
     
  6. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    Can you open the desktop.ini (in notepad) and post what's inside?

    Regards,

    Pieter
     
  7. henrymad

    henrymad Registered Member

    Joined:
    Feb 5, 2004
    Posts:
    7
    Here it is:

    [ExtShellFolderViews]
    Default={5984FFE0-28D4-11CF-AE66-08002B2E1262}
    {5984FFE0-28D4-11CF-AE66-08002B2E1262}={5984FFE0-28D4-11CF-AE66-08002B2E1262}

    [{5984FFE0-28D4-11CF-AE66-08002B2E1262}]
    PersistMoniker=file://Folder.htt

    [.ShellClassInfo]
    ConfirmFileOp=0

    I tried clicking the folder.htt icon in the past, but nothing comes out.

    Thanks and regards,
    henrymad (those DAT files are really taking a long time to download...)
     
  8. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    Hi henrymad,

    Change folder.ini in notepad until it reads:

    [.ShellClassInfo]
    ConfirmFileOp=0
    NoSharing=1


    Then save it. It may take a reboot for the changes to take effect.
    Please do not delete Folder.htt.
    If this works I will want a copy of that one.

    Regards,

    Pieter
     
  9. henrymad

    henrymad Registered Member

    Joined:
    Feb 5, 2004
    Posts:
    7
    Will do and update you on what happens. I assume I don't have to run HijackThis and Fix what I fixed before. I've revised the Folder.Ini as instructed but will reboot later once the VShield download finishes. As usual, after an hour of downloading, the laptop hung, so I had to start downloading again, from the beginning.

    Will keep you posted (I'll be silent for at least the next 8 hours) after I reboot and see what happens.

    Again, thanks and regards.
     
  10. henrymad

    henrymad Registered Member

    Joined:
    Feb 5, 2004
    Posts:
    7
    Ok. I think I goofed. Here's why.

    I revised the INI file as instructed and rebooted the laptop. Then, VSafe (which also rebooted with the new virus definition files after a 2-hour download) informs me that it has detected the Soraci virus in the FOLDER.HTT and asked me what to do. I asked it to clean the file, but VSafe tells me it cannot. So I clicked delete, before I remembered that you instructed me not to.

    Guess what: so far, no trouble re attempts to hijack the browser (Spyguard has not been notifying me when I close Explorer window). I also checked the INI file, and what I added (NoSharing=1) is no longer there. The contents are the same as before.

    Since my other laptop is infected, I can get a copy of FOLDER.HTT there and send it to you, although when I checked it, the two files (DESKTOP.INI and FOLDER.HTT) on the C drive of the other laptop don't change dates every time I boot. Is it possible that the WORM embedded itself in another file from which it is working its malicious intent?

    Thanks a lot and keep me posted on what to do next. I plan to scan this laptop with the new definitions, see what comes up, and if everything's clean, I plan to do the same with the other laptop. If things don't work out, you'll hear from me (I'll post the HijackThis log of the other laptop in this forum).

    Again, many thanks!

    Cheers,
    henrymad
     
  11. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    Hi henrymad,

    I don't understand. If desktop.ini looks like it did before, then it is still pointing to Folder.htt
    If VSafe removed that, I would expect you to get an error report.

    Regards,

    Pieter

    PS Not sure if that came across, but I meant you to not only add NoSharing=1 but also remove the first two blocks from desktop.ini
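As an added example (not the thread's own code, and not from any antivirus vendor), here is the clean-up Pieter describes in posts 8 and 11 written as a small Python script. A desktop.ini that names a custom shell view under [ExtShellFolderViews] and points PersistMoniker at Folder.htt makes Explorer load that HTML template, script included, whenever the folder is opened, which is why the hijack fires on every folder open or close. The script detects that pattern and rebuilds the file with only the [.ShellClassInfo] block plus NoSharing=1, dropping the first two sections as Pieter intended. It goes slightly beyond the thread in one respect: it reports an .htt PersistMoniker under any section name, not only the GUID shown above. The sample input is the desktop.ini henrymad posted; the file name `desktop.ini` and the in-place write helper are assumptions of this example.

```python
"""Detect and neutralise a Folder.htt desktop.ini hijack (added example)."""
import re
from pathlib import Path

# Constructed sample: the desktop.ini posted in the thread.
INFECTED_INI = """[ExtShellFolderViews]
Default={5984FFE0-28D4-11CF-AE66-08002B2E1262}
{5984FFE0-28D4-11CF-AE66-08002B2E1262}={5984FFE0-28D4-11CF-AE66-08002B2E1262}

[{5984FFE0-28D4-11CF-AE66-08002B2E1262}]
PersistMoniker=file://Folder.htt

[.ShellClassInfo]
ConfirmFileOp=0
"""


def parse_ini(text):
    """Minimal INI parser: ordered list of (section, [(key, value), ...])."""
    sections = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = (line[1:-1], [])
            sections.append(current)
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            current[1].append((key.strip(), value.strip()))
    return sections


def find_htt_hijack(text):
    """Return [(section, key, value)] for every PersistMoniker that loads an .htt file."""
    hits = []
    for name, items in parse_ini(text):
        for key, value in items:
            if key.lower() == "persistmoniker" and value.lower().endswith(".htt"):
                hits.append((name, key, value))
    return hits


def sanitize(text):
    """Rebuild desktop.ini keeping only [.ShellClassInfo], with NoSharing=1 added.

    The [ExtShellFolderViews] section and the GUID section that carries the
    PersistMoniker are dropped entirely, which is what removes the custom view.
    """
    keep = []
    for name, items in parse_ini(text):
        if name.lower() == ".shellclassinfo":
            keep.extend(items)
    if "nosharing" not in {k.lower() for k, _ in keep}:
        keep.append(("NoSharing", "1"))
    body = "\n".join(f"{k}={v}" for k, v in keep)
    return "[.ShellClassInfo]\n" + body + "\n"


def clean_file(path):
    """Assumed helper: rewrite the file at `path` if it carries the hijack; return True if changed."""
    p = Path(path)
    text = p.read_text(errors="replace")
    if not find_htt_hijack(text):
        return False
    p.write_text(sanitize(text))
    return True


if __name__ == "__main__":
    for section, key, value in find_htt_hijack(INFECTED_INI):
        print(f"hijack: [{section}] {key}={value}")
    print(sanitize(INFECTED_INI))
```

Keep Folder.htt itself for analysis, as Pieter asked; the script only touches desktop.ini, and once the PersistMoniker reference is gone Explorer no longer loads the template. Note also that Windows 9x hides and re-creates these files, so a scan of every folder on the drive, not just C:\, is what a practitioner would run.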
     
  12. henrymad

    henrymad Registered Member

    Joined:
    Feb 5, 2004
    Posts:
    7
    Hey! Happy 2nd year anniversary!

    I scanned this (home) laptop using the updated Virus definition files and it detected 3 files with Soraci. 2 are .HTT files (FOLDER.HTT and DC4.HTT). I told VScan to delete and it did. The 3rd file was a Word document. I rebooted and there has been no problem so far. After downloading the new virus def to my other (office) laptop, did the same thing. It discovered 82 files (including a FOLDER.HTM and a README.HTM; maybe the extensions are different because I use WinME there) and cleaned all of them.

    Again, I rebooted, and no problem. I did in both laptops what I used to do to trigger Spyguard to tell me that someone tried to hijack the browser, and voila! Nothing. So far, it looks like the laptops are free of the virus.

    But wait. I tried scanning my infected zip disks (Iomega zip PCMCIA type) to clean them, and maybe because the disks are old, they got stuck (just kept on reading non-stop), and the virus came in again (after I scanned the C drive, all 90,000+ files in it). Same virus: Soraci. It infected 84 .HTM files (in WIN\HELP..., WIN\TEMP..., WIN\SYSTEMS\OOBE...whatever this means). Cleaned it, and so far, maybe as long as I don't use the infected zip disks again, the laptops will stay clean.

    I'll see if there's any trouble in the next few days and keep you posted. If you don't hear from me, that means everything's A-OK.

    In the meantime, I'll keep Spyguard, Spybot, and HijackThis on the desktop shortcuts list, and also Wilders on my favorite list. I've also forwarded your web address to those who have similar problems (lots of marketing points for you). Last time I did something like this was almost 6 years ago after reading in Fortune Magazine about a search engine named Google...

    Thanks, Pieter and to everyone, and best regards on your 2nd year anniversary!

    henrymad
     
  13. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    Hi henrymad,

    I think I recognize the virus' behavior, but the name doesn't mean anything to me and I can't find anything about it.

    Redlof used a similar way of infection.

    Glad you got it cleaned out. The disks are probably better not used anymore.

    Regards,

    Pieter
     