Hijack this log plus question about getting rid of popup

Discussion in 'adware, spyware & hijack cleaning' started by Martin Eden, Mar 10, 2004.

Thread Status:
Not open for further replies.
  1. Martin Eden

    Martin Eden Guest

    Below is a logfile created with Hijack This after running Spybot S&D. I still keep getting an annoying popup that says "Antivirus Alert. Spyworm FBI.4533 sent your browser history to a remote computer" At the bottom there are 2 buttons. "Visti Privacy Outpost site now" and "Visit clean space site now". I don't know if these are legit so I just close the popup. How do I get rid of it?
    Martin

    Logfile of HijackThis v1.97.7
    Scan saved at 2:20:00 PM, on 3/10/04
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\PROGRAM FILES\GRISOFT\AVG6\AVGSERV9.EXE
    C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS\SYSTEM\ATICWD32.EXE
    C:\WINDOWS\SYSTEM\ATITASK.EXE
    C:\WINDOWS\SYSTEM\STIMON.EXE
    C:\PROGRAM FILES\ADAPTEC\EASY CD CREATOR 5\DIRECTCD\DIRECTCD.EXE
    C:\PROGRAM FILES\GRISOFT\AVG6\AVGCC32.EXE
    C:\PROGRAM FILES\PESTPATROL\PPCONTROL.EXE
    C:\PROGRAM FILES\PESTPATROL\PPMEMCHECK.EXE
    C:\PROGRAM FILES\PESTPATROL\COOKIEPATROL.EXE
    C:\WINDOWS\DL.EXE
    C:\WINDOWS\SYSTEM\MGMTKERN.EXE
    C:\AVM.EXE
    C:\WINDOWS\SWCHOST.EXE
    C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
    C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
    C:\PROGRAM FILES\IOMEGA\TOOLS\IMGICON.EXE
    C:\ATI\ATIDESK\ATISCHED.EXE
    C:\PROGRAM FILES\HP DESKJET 710C SERIES\EREG\REMIND32.EXE
    C:\PROGRAM FILES\QUICKBOOKS PRO\COMPONENTS\QBAGENT\QBDAGENT2001.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\OSA.EXE
    C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\FINDFAST.EXE
    C:\WINDOWS\SYSTEM\MRTMNGR.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\WINDOWS\SYSTEM\RNAAPP.EXE
    C:\WINDOWS\SYSTEM\TAPISRV.EXE
    C:\PROGRAM FILES\MOZILLA.ORG\MOZILLA\MOZILLA.EXE
    C:\MSPLAYER.EXE
    C:\PROGRAM FILES\WINZIP\WINZIP32.EXE
    C:\WINDOWS\TEMP\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://collections.inhost.info/detect/urgent.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://collections.inhost.info/detect/urgent.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://collections.inhost.info/detect/urgent.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://collections.inhost.info/detect/urgent.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://collections.inhost.info/detect/urgent.html
    R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://collections.inhost.info/detect/urgent.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://collections.inhost.info/detect/urgent.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://collections.inhost.info/detect/urgent.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://collections.inhost.info/detect/urgent.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://collections.inhost.info/detect/urgent.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://collections.inhost.info/detect/urgent.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://collections.inhost.info/detect/urgent.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://collections.inhost.info/detect/urgent.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = ,
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = ,
    O1 - Hosts: 69.61.33.183 search.microsoft.com
    O1 - Hosts: 69.61.33.183 www.search.com
    O1 - Hosts: 69.61.33.183 search.com
    O1 - Hosts: 69.61.33.183 teoma.com
    O1 - Hosts: 69.61.33.183 www.alltheweb.com
    O1 - Hosts: 69.61.33.183 www.wisenut.com
    O1 - Hosts: 69.61.33.183 wisenut.com
    O1 - Hosts: 69.61.33.183 www.dmoz.org
    O1 - Hosts: 69.61.33.183 dmoz.org
    O1 - Hosts: 69.61.33.183 www.excite.com
    O1 - Hosts: 69.61.33.183 excite.com
    O1 - Hosts: 69.61.33.183 lycos.com
    O1 - Hosts: 69.61.33.183 www.casino.com
    O1 - Hosts: 69.61.33.183 casino.com
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [AtiCwd32] Aticwd32.exe
    O4 - HKLM\..\Run: [AtiKey] Atitask.exe
    O4 - HKLM\..\Run: [AtiQiPcl] AtiQiPcl.exe
    O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\GRISOFT\AVG6\avgcc32.exe /STARTUP
    O4 - HKLM\..\Run: [PestPatrol Control Center] C:\Program Files\PestPatrol\PPControl.exe
    O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
    O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
    O4 - HKLM\..\Run: [hostctrl] C:\WINDOWS\SYSTEM\hostctrl.exe
    O4 - HKLM\..\Run: [Dial33] C:\WINDOWS\dlm.exe
    O4 - HKLM\..\Run: [Dial32] C:\WINDOWS\dl.exe
    O4 - HKLM\..\Run: [C2K] C:\WINDOWS\CYB2K.EXE
    O4 - HKLM\..\Run: [mgmtkern] C:\WINDOWS\SYSTEM\mgmtkern.exe
    O4 - HKLM\..\Run: [ControlPanel] C:\WINDOWS\SYSTEM\rundll32 .exe internat.dll,LoadKeyboardProfile
    O4 - HKLM\..\Run: [Antivirus monitor] c:\avm.exe
    O4 - HKLM\..\Run: [Online Special] C:\WINDOWS\swchost.exe
    O4 - HKLM\..\Run: [MsCheckout] C:\MSSYNCU.EXE
    O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
    O4 - HKLM\..\Run: [ActiveMovie] C:\MSPLAYER.EXE
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [Avgserv9.exe] C:\PROGRA~1\GRISOFT\AVG6\Avgserv9.exe
    O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
    O4 - HKCU\..\Run: [sysinfo] C:\WINDOWS\sysinfo.exe
    O4 - Startup: Iomega Watch.lnk = C:\Program Files\Iomega\Tools\iowatch.exe
    O4 - Startup: Iomega Startup Options.lnk = C:\Program Files\Iomega\Tools\imgstart.exe
    O4 - Startup: Iomega Disk Icons.lnk = C:\Program Files\Iomega\Tools\imgicon.exe
    O4 - Startup: Refresh.lnk = C:\Program Files\Iomega\Tools\refresh.exe
    O4 - Startup: ATISched.lnk = C:\ATI\ATIDESK\atisched.exe
    O4 - Startup: Reminder-hpc41001.lnk = C:\Program Files\HP DeskJet 710C Series\ereg\Remind32.exe
    O4 - Startup: QuickBooks 2001 Delivery Agent.lnk = C:\Program Files\Quickbooks Pro\Components\QBAgent\qbdagent2001.exe
    O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
    O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O9 - Extra button: Real.com (HKLM)
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {2048B51E-8D74-4762-82CE-B48CF545EEEA} (CAX Object) - http://download3.payoutpal.com/download/dialer/cax.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?38019.7379398148
    O19 - User stylesheet: (file missing)
     
  2. subratam

    subratam Registered Member

    Joined: Nov 14, 2003 | Posts: 1,310 | Location: Issaquah, WA
    Hi Martin,

    First make a folder in My Documents, name it HijackThis or any other suitable name, and move the HijackThis program from Temp to the created folder. This is because the backups made while fixing won't be accessible from the Temp folder.

    Next, fix the following entries in HijackThis:

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://collections.inhost.info/detect/urgent.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://collections.inhost.info/detect/urgent.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://collections.inhost.info/detect/urgent.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://collections.inhost.info/detect/urgent.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://collections.inhost.info/detect/urgent.html
    R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://collections.inhost.info/detect/urgent.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://collections.inhost.info/detect/urgent.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://collections.inhost.info/detect/urgent.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://collections.inhost.info/detect/urgent.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://collections.inhost.info/detect/urgent.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://collections.inhost.info/detect/urgent.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://collections.inhost.info/detect/urgent.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://collections.inhost.info/detect/urgent.html
    all O1 entries
    O4 - HKLM\..\Run: [Dial33] C:\WINDOWS\dlm.exe
    O4 - HKLM\..\Run: [Dial32] C:\WINDOWS\dl.exe
    O4 - HKLM\..\Run: [Online Special] C:\WINDOWS\swchost.exe

    O16 - DPF: {2048B51E-8D74-4762-82CE-B48CF545EEEA} (CAX Object) - http://download3.payoutpal.com/download/dialer/cax.cab

    There will be some more still left, but this will surely remove most parts, and the experts can then have a look at an easier log.

    Reboot and then post a fresh log.
     
  3. Martin Eden

    Martin Eden Guest

    subratam, I followed your instructions

    Hello subratam,

    I followed your instructions and got rid of some of the stuff and created a new Hijack this log file which is below:

    Logfile of HijackThis v1.97.7
    Scan saved at 3:11:57 PM, on 3/10/04
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\PROGRAM FILES\GRISOFT\AVG6\AVGSERV9.EXE
    C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS\SYSTEM\ATICWD32.EXE
    C:\WINDOWS\SYSTEM\ATITASK.EXE
    C:\WINDOWS\SYSTEM\STIMON.EXE
    C:\PROGRAM FILES\ADAPTEC\EASY CD CREATOR 5\DIRECTCD\DIRECTCD.EXE
    C:\PROGRAM FILES\GRISOFT\AVG6\AVGCC32.EXE
    C:\PROGRAM FILES\PESTPATROL\PPCONTROL.EXE
    C:\PROGRAM FILES\PESTPATROL\PPMEMCHECK.EXE
    C:\PROGRAM FILES\PESTPATROL\COOKIEPATROL.EXE
    C:\WINDOWS\DL.EXE
    C:\WINDOWS\SYSTEM\MGMTKERN.EXE
    C:\AVM.EXE
    C:\WINDOWS\SWCHOST.EXE
    C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
    C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
    C:\PROGRAM FILES\IOMEGA\TOOLS\IMGICON.EXE
    C:\ATI\ATIDESK\ATISCHED.EXE
    C:\PROGRAM FILES\HP DESKJET 710C SERIES\EREG\REMIND32.EXE
    C:\PROGRAM FILES\QUICKBOOKS PRO\COMPONENTS\QBAGENT\QBDAGENT2001.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\OSA.EXE
    C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\FINDFAST.EXE
    C:\WINDOWS\SYSTEM\MRTMNGR.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\WINDOWS\SYSTEM\RNAAPP.EXE
    C:\WINDOWS\SYSTEM\TAPISRV.EXE
    C:\PROGRAM FILES\MOZILLA.ORG\MOZILLA\MOZILLA.EXE
    C:\MSPLAYER.EXE
    C:\MY DOCUMENTS\HIJACK THIS\HIJACKTHIS.EXE
    C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\WINWORD.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = ,
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = ,
    O1 - Hosts: 69.61.33.183 search.microsoft.com
    O1 - Hosts: 69.61.33.183 www.search.com
    O1 - Hosts: 69.61.33.183 search.com
    O1 - Hosts: 69.61.33.183 teoma.com
    O1 - Hosts: 69.61.33.183 www.alltheweb.com
    O1 - Hosts: 69.61.33.183 www.wisenut.com
    O1 - Hosts: 69.61.33.183 wisenut.com
    O1 - Hosts: 69.61.33.183 www.dmoz.org
    O1 - Hosts: 69.61.33.183 dmoz.org
    O1 - Hosts: 69.61.33.183 www.excite.com
    O1 - Hosts: 69.61.33.183 excite.com
    O1 - Hosts: 69.61.33.183 lycos.com
    O1 - Hosts: 69.61.33.183 www.casino.com
    O1 - Hosts: 69.61.33.183 casino.com
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [AtiCwd32] Aticwd32.exe
    O4 - HKLM\..\Run: [AtiKey] Atitask.exe
    O4 - HKLM\..\Run: [AtiQiPcl] AtiQiPcl.exe
    O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\GRISOFT\AVG6\avgcc32.exe /STARTUP
    O4 - HKLM\..\Run: [PestPatrol Control Center] C:\Program Files\PestPatrol\PPControl.exe
    O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
    O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
    O4 - HKLM\..\Run: [hostctrl] C:\WINDOWS\SYSTEM\hostctrl.exe
    O4 - HKLM\..\Run: [C2K] C:\WINDOWS\CYB2K.EXE
    O4 - HKLM\..\Run: [mgmtkern] C:\WINDOWS\SYSTEM\mgmtkern.exe
    O4 - HKLM\..\Run: [ControlPanel] C:\WINDOWS\SYSTEM\rundll32 .exe internat.dll,LoadKeyboardProfile
    O4 - HKLM\..\Run: [Antivirus monitor] c:\avm.exe
    O4 - HKLM\..\Run: [MsCheckout] C:\MSSYNCU.EXE
    O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
    O4 - HKLM\..\Run: [ActiveMovie] C:\MSPLAYER.EXE
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [Avgserv9.exe] C:\PROGRA~1\GRISOFT\AVG6\Avgserv9.exe
    O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
    O4 - HKCU\..\Run: [sysinfo] C:\WINDOWS\sysinfo.exe
    O4 - Startup: Iomega Watch.lnk = C:\Program Files\Iomega\Tools\iowatch.exe
    O4 - Startup: Iomega Startup Options.lnk = C:\Program Files\Iomega\Tools\imgstart.exe
    O4 - Startup: Iomega Disk Icons.lnk = C:\Program Files\Iomega\Tools\imgicon.exe
    O4 - Startup: Refresh.lnk = C:\Program Files\Iomega\Tools\refresh.exe
    O4 - Startup: ATISched.lnk = C:\ATI\ATIDESK\atisched.exe
    O4 - Startup: Reminder-hpc41001.lnk = C:\Program Files\HP DeskJet 710C Series\ereg\Remind32.exe
    O4 - Startup: QuickBooks 2001 Delivery Agent.lnk = C:\Program Files\Quickbooks Pro\Components\QBAgent\qbdagent2001.exe
    O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
    O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O9 - Extra button: Real.com (HKLM)
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?38019.7379398148
    O19 - User stylesheet: (file missing)

    Thanks,
    Martin
     
  4. subratam

    subratam Registered Member

    Joined: Nov 14, 2003 | Posts: 1,310 | Location: Issaquah, WA
    Re:subratam, I followed your instructions

    Hi Martin,

    Do NOT make new threads for each POST but continue with your own for similar topic.

    Fix the following entries in HijackThis:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = ,
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = ,
    O1 - Hosts: 69.61.33.183 search.microsoft.com
    O1 - Hosts: 69.61.33.183 www.search.com
    O1 - Hosts: 69.61.33.183 search.com
    O1 - Hosts: 69.61.33.183 teoma.com
    O1 - Hosts: 69.61.33.183 www.alltheweb.com
    O1 - Hosts: 69.61.33.183 www.wisenut.com
    O1 - Hosts: 69.61.33.183 wisenut.com
    O1 - Hosts: 69.61.33.183 www.dmoz.org
    O1 - Hosts: 69.61.33.183 dmoz.org
    O1 - Hosts: 69.61.33.183 www.excite.com
    O1 - Hosts: 69.61.33.183 excite.com
    O1 - Hosts: 69.61.33.183 lycos.com
    O1 - Hosts: 69.61.33.183 www.casino.com
    O1 - Hosts: 69.61.33.183 casino.com
    O19 - User stylesheet: (file missing)

    Reboot and post the fresh log in your existing thread.
     
  5. Martin Eden

    Martin Eden Guest

    Re:subratam, I followed your instructions

    Ok, I got rid of more line items after doing the last Hijack This scan I posted. Then I rebooted and did the following Hijack This scan:

    Logfile of HijackThis v1.97.7
    Scan saved at 2:50:52 PM, on 3/10/04
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\PROGRAM FILES\GRISOFT\AVG6\AVGSERV9.EXE
    C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS\SYSTEM\ATICWD32.EXE
    C:\WINDOWS\SYSTEM\ATITASK.EXE
    C:\WINDOWS\SYSTEM\STIMON.EXE
    C:\PROGRAM FILES\ADAPTEC\EASY CD CREATOR 5\DIRECTCD\DIRECTCD.EXE
    C:\PROGRAM FILES\GRISOFT\AVG6\AVGCC32.EXE
    C:\PROGRAM FILES\PESTPATROL\PPCONTROL.EXE
    C:\PROGRAM FILES\PESTPATROL\PPMEMCHECK.EXE
    C:\PROGRAM FILES\PESTPATROL\COOKIEPATROL.EXE
    C:\WINDOWS\SYSTEM\MGMTKERN.EXE
    C:\AVM.EXE
    C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
    C:\MSPLAYER.EXE
    C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
    C:\PROGRAM FILES\IOMEGA\TOOLS\IMGICON.EXE
    C:\ATI\ATIDESK\ATISCHED.EXE
    C:\PROGRAM FILES\HP DESKJET 710C SERIES\EREG\REMIND32.EXE
    C:\PROGRAM FILES\QUICKBOOKS PRO\COMPONENTS\QBAGENT\QBDAGENT2001.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\OSA.EXE
    C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\FINDFAST.EXE
    C:\WINDOWS\SYSTEM\MRTMNGR.EXE
    C:\MY DOCUMENTS\HIJACK THIS\HIJACKTHIS.EXE

    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [AtiCwd32] Aticwd32.exe
    O4 - HKLM\..\Run: [AtiKey] Atitask.exe
    O4 - HKLM\..\Run: [AtiQiPcl] AtiQiPcl.exe
    O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\GRISOFT\AVG6\avgcc32.exe /STARTUP
    O4 - HKLM\..\Run: [PestPatrol Control Center] C:\Program Files\PestPatrol\PPControl.exe
    O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
    O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
    O4 - HKLM\..\Run: [hostctrl] C:\WINDOWS\SYSTEM\hostctrl.exe
    O4 - HKLM\..\Run: [C2K] C:\WINDOWS\CYB2K.EXE
    O4 - HKLM\..\Run: [mgmtkern] C:\WINDOWS\SYSTEM\mgmtkern.exe
    O4 - HKLM\..\Run: [ControlPanel] C:\WINDOWS\SYSTEM\rundll32 .exe internat.dll,LoadKeyboardProfile
    O4 - HKLM\..\Run: [Antivirus monitor] c:\avm.exe
    O4 - HKLM\..\Run: [MsCheckout] C:\MSSYNCU.EXE
    O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
    O4 - HKLM\..\Run: [ActiveMovie] C:\MSPLAYER.EXE
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [Avgserv9.exe] C:\PROGRA~1\GRISOFT\AVG6\Avgserv9.exe
    O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
    O4 - HKCU\..\Run: [sysinfo] C:\WINDOWS\sysinfo.exe
    O4 - Startup: Iomega Watch.lnk = C:\Program Files\Iomega\Tools\iowatch.exe
    O4 - Startup: Iomega Startup Options.lnk = C:\Program Files\Iomega\Tools\imgstart.exe
    O4 - Startup: Iomega Disk Icons.lnk = C:\Program Files\Iomega\Tools\imgicon.exe
    O4 - Startup: Refresh.lnk = C:\Program Files\Iomega\Tools\refresh.exe
    O4 - Startup: ATISched.lnk = C:\ATI\ATIDESK\atisched.exe
    O4 - Startup: Reminder-hpc41001.lnk = C:\Program Files\HP DeskJet 710C Series\ereg\Remind32.exe
    O4 - Startup: QuickBooks 2001 Delivery Agent.lnk = C:\Program Files\Quickbooks Pro\Components\QBAgent\qbdagent2001.exe
    O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
    O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O9 - Extra button: Real.com (HKLM)
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?38019.7379398148

    Thanks for your help!
    Martin
     
  6. subratam

    subratam Registered Member

    Joined: Nov 14, 2003 | Posts: 1,310 | Location: Issaquah, WA
    Re:subratam, I followed your instructions

    Hi Martin,
    I will leave this in the hands of the experts now, who will carry you on from here to a CLEAN computer.
    Wait for some time and someone will be here pretty soon.

    Have a good day, and I am glad I could be of help in whatever little way I could.

    Take care.
     
  7. Martin Eden

    Martin Eden Guest

    Re:subratam, I followed your instructions

    Thank you! Your help is greatly appreciated!
    Martin
     
  8. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined: Apr 27, 2002 | Posts: 13,330 | Location: Netherlands
    Hi Martin,

    You do have some very suspicious entries left and some known baddies:
    O4 - HKLM\..\Run: [hostctrl] C:\WINDOWS\SYSTEM\hostctrl.exe

    O4 - HKLM\..\Run: [mgmtkern] C:\WINDOWS\SYSTEM\mgmtkern.exe
    O4 - HKLM\..\Run: [ControlPanel] C:\WINDOWS\SYSTEM\rundll32 .exe internat.dll,LoadKeyboardProfile
    O4 - HKLM\..\Run: [Antivirus monitor] c:\avm.exe
    O4 - HKLM\..\Run: [MsCheckout] C:\MSSYNCU.EXE

    O4 - HKLM\..\Run: [ActiveMovie] C:\MSPLAYER.EXE

    O4 - HKCU\..\Run: [sysinfo] C:\WINDOWS\sysinfo.exe

    Fix the ones above, reboot and delete:
    internat.dll <= NOTE, do NOT delete internat.exe (CWS)
    C:\WINDOWS\sysinfo.exe <= http://securityresponse.symantec.com/avcenter/venc/data/trojan.bedrill.html

    And could you please zip up the following files and mail them to the address in my profile:
    C:\WINDOWS\SYSTEM\hostctrl.exe
    C:\WINDOWS\SYSTEM\mgmtkern.exe
    c:\avm.exe
    C:\MSSYNCU.EXE
    C:\MSPLAYER.EXE

    I will let you know about their nature as soon as possible.

    TIA,

    Pieter
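As an added defender-side example (not code from this thread, from HijackThis, or from its helpers), a small Python triage script that applies the reasoning used in the replies above: R0/R1 settings all pointing at one URL, O1 hosts entries redirecting search sites to one non-loopback IP, and O4 autostarts that sit in the drive root, have whitespace before the .exe extension, or carry a file name the helpers flagged. The sample log lines, the regexes and the FLAGGED_NAMES list are constructed for this example from the log quoted in the thread.

```python
import re
from collections import Counter, defaultdict
# Constructed sample lines in the shape of the HijackThis log quoted in this thread.
SAMPLE_LOG = r"""
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://collections.inhost.info/detect/urgent.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://collections.inhost.info/detect/urgent.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = ,
O1 - Hosts: 69.61.33.183 search.microsoft.com
O1 - Hosts: 69.61.33.183 www.search.com
O1 - Hosts: 127.0.0.1 localhost
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\GRISOFT\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [ControlPanel] C:\WINDOWS\SYSTEM\rundll32 .exe internat.dll,LoadKeyboardProfile
O4 - HKLM\..\Run: [Antivirus monitor] c:\avm.exe
O4 - HKCU\..\Run: [sysinfo] C:\WINDOWS\sysinfo.exe
"""

ENTRY_RE = re.compile(r"^(?P<type>[RO]\d+) - (?P<body>.*)$")
RUN_RE = re.compile(r"^[^:]+: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
ROOT_EXE_RE = re.compile(r"^[a-z]:\\[^\\]+\.exe\b", re.I)    # e.g. c:\avm.exe
SPACED_EXT_RE = re.compile(r"\S\s+\.exe\b", re.I)            # e.g. "rundll32 .exe"
EXE_NAME_RE = re.compile(r'([^\\\s"]+\.exe)\b', re.I)
LOOPBACK = {"127.0.0.1", "::1"}
# File names the helpers in this thread asked to have fixed or sent in for analysis.
FLAGGED_NAMES = {"hostctrl.exe", "mgmtkern.exe", "avm.exe", "mssyncu.exe", "msplayer.exe", "sysinfo.exe"}


def parse_entries(log_text):
    """Return [(type, body)] for every R0/R1/O1/O4/... line; other lines are skipped."""
    matches = (ENTRY_RE.match(line.strip()) for line in log_text.splitlines())
    return [(m.group("type"), m.group("body")) for m in matches if m]


def hijacked_urls(entries):
    """Count how many IE start/search settings (R0/R1) point at each URL."""
    counts = Counter()
    for etype, body in entries:
        if etype in ("R0", "R1") and " = " in body:
            value = body.rsplit(" = ", 1)[1].strip()
            if value.lower().startswith(("http://", "https://")):
                counts[value] += 1
    return counts


def hosts_redirects(entries):
    """Group O1 hosts-file entries by target IP, ignoring loopback lines."""
    by_ip = defaultdict(list)
    for etype, body in entries:
        if etype == "O1" and body.startswith("Hosts:"):
            ip, name = body[len("Hosts:"):].split(None, 1)
            if ip not in LOOPBACK:
                by_ip[ip].append(name.strip())
    return dict(by_ip)


def suspicious_run_entries(entries):
    """Flag O4 Run-key autostarts with three heuristics taken from this thread's log."""
    findings = []
    for etype, body in entries:
        m = RUN_RE.match(body) if etype == "O4" else None
        if not m:
            continue
        cmd, reasons = m.group("cmd").strip(), []
        if ROOT_EXE_RE.match(cmd):
            reasons.append("executable in drive root")
        if SPACED_EXT_RE.search(cmd):
            reasons.append("whitespace before .exe extension")
        exe = EXE_NAME_RE.search(cmd)
        if exe and exe.group(1).lower() in FLAGGED_NAMES:
            reasons.append("name flagged in this thread")
        if reasons:
            findings.append((m.group("name"), cmd, reasons))
    return findings


def triage(log_text):
    """Run all three checks over one log; a URL seen in only one setting is ignored."""
    entries = parse_entries(log_text)
    urls = {u: n for u, n in hijacked_urls(entries).items() if n >= 2}
    return urls, hosts_redirects(entries), suspicious_run_entries(entries)
```

On the sample, `triage(SAMPLE_LOG)` reports the one URL occupying two settings, the single IP that two search domains are redirected to, and three of the four O4 entries (the AVG autostart is left alone).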
     