http://blondes.rompl.com/?bbs4

Discussion in 'adware, spyware & hijack cleaning' started by dion, Apr 5, 2004.

Thread Status:
Not open for further replies.
  1. dion

    dion Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    4
    I have used ad-aware and spybot, but still get a pop-up even if I am not surfing that goes to hxxp://blondes.rompl.com/?bbs4

    The hijack log is as following:
    Logfile of HijackThis v1.97.7
    Scan saved at 03:09:41, on 05/04/2004
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\VS7DEBUG\MDM.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\PROGRAM FILES\OFFICESCAN 95\PCCWIN97.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\PROGRAM FILES\OFFICESCAN 95\POP3TRAP.EXE
    C:\PROGRAM FILES\OFFICESCAN 95\OFCDOG.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS\SOUNDMAN.EXE
    C:\WINDOWS\SYSTEM\QTTASK.EXE
    C:\PROGRAM FILES\RAM IDLE LE\RAM_98.EXE
    C:\WINDOWS\MSSTASKS.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\WINDOWS\SYSTEM\CTFMON.EXE
    C:\PROGRAM FILES\ULTIMATEZIP\UZQKST.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE10\WINWORD.EXE
    C:\DION\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http://192.168.0.10:8080
    N3 - Netscape 7: user_pref("browser.startup.homepage", "http://www.google.com"); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\q2j0wsn2.slt\prefs.js)
    N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CPROGRAM%20FILES%5CNETSCAPE%5CNETSCAPE%5Csearchplugins%5CSBWeb_01.src"); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\q2j0wsn2.slt\prefs.js)
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [OfficeScan95] "C:\PROGRAM FILES\OFFICESCAN 95\pccwin97.exe" -HideWindow
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
    O4 - HKLM\..\Run: [RAM Idle Professional] C:\Program Files\RAM Idle LE\RAM_98.exe
    O4 - HKLM\..\Run: [Serv] C:\WINDOWS\msstasks.exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [MDM7] "C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\VS7DEBUG\MDM.EXE"
    O4 - HKLM\..\RunServices: [OfficeScan95] "C:\PROGRAM FILES\OFFICESCAN 95\Pccwin97.exe"
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] C:\WINDOWS\SYSTEM\mstask.exe
    O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
    O4 - HKCU\..\Run: [RamCleaner] C:\PROGRAM FILES\RAMCLEANER\RAMCLEANER.EXE
    O4 - Startup: UltimateZip Quick Start.lnk = C:\Program Files\UltimateZip\uzqkst.exe
    O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE10\EXCEL.EXE/3000
    O8 - Extra context menu item: Download Images by Picture Finder - C:\PROGRAM FILES\SUPER PICTURE FINDER GRABBER\pf_link.htm
    O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsearch.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmcache.html
    O8 - Extra context menu item: Si&milar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsimilar.html
    O8 - Extra context menu item: Backward &Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmbacklinks.html
    O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmtrans.html
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {DD568395-E261-49BA-82A7-71C7A80AE49E} (lawocx.webep) - http://www.lawactive.co.za/webep/lawocx.CAB
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37911.0299189815
    O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 196.25.1.1,196.25.1.9

    Please can you help me o_O

    Altered link to avoid accidental clicking
     
  2. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,440
    Location:
    Netherlands
    Hi dion,

    Check the item below in HijackThis, close all windows except HijackThis and click Fix checked:

    O4 - HKLM\..\Run: [Serv] C:\WINDOWS\msstasks.exe

    Then reboot and do a Find files for:
    msstask* (Note the double s)

    Let me know how many you find, their exact names and where they were located.

    Regards,

    Pieter
     
  3. dion

    dion Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    4
    hi pieter

    there are two files:

    msstasks.exe c:\windows
    msstasks.lgc c:\windows\applog

    i would like to mention that the pop-up only starts up after about an hour with same intervals
     
  4. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,440
    Location:
    Netherlands
    Could you rename C:\WINDOWS\msstasks.exe to msstasks.bak and send a copy to the address in my profile?
    It could be I am thinking of the wrong malware here.
    Or you could upload the file at http://www.kaspersky.com/remoteviruschk.html and let us know the results.

    Regards,

    Pieter
     
  5. dion

    dion Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    4
    hi pieter

    did the check at kaspersky

    have got following:
    msstasks.exe Infected: Trojan.Win32.Harnig.b

    what now?

    thanks
     
  6. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,440
    Location:
    Netherlands
    Delete the file and give a big yell if the popups dare to come back. :D

    Regards,

    Pieter
     
  7. dion

    dion Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    4
    hi pieter

    thanks

    i left the pc overnight and no more pop-ups

    you have been of great help

    dankie
    dion
     
  8. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,440
    Location:
    Netherlands
    My pleasure. :)

    Pieter
     
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.