my computer has been infected

Discussion in 'adware, spyware & hijack cleaning' started by dadobi, Jun 8, 2004.

Thread Status:
Not open for further replies.
  1. dadobi

    dadobi Registered Member

    Joined:
    Jun 8, 2004
    Posts:
    6
    I am a new user to the forum so I apologize in advance if I leave out any important information

    I run AVG, Zone Alarm, adaware and spybot on my system...some how I have messed up and let in some bad guys...I have run both updated adaware and spybot versions on my system before running the attached hijack this log

    I also ran another program called noadware (i think) and it showed W32/Noala.b@MM
    Backdoor.Cabro (listed twice)
    VX2
    W32.Mimail.C
    WildTangent
    (I did not pay the $30 to have their program address these issues)

    Even with the cleaning that I have done I continue to get messages in AVG regarding the following trojans

    Dropper.small.4.bm
    Downloader.Vidia.B
    Revop.C
    Droppersmall.boco
    Downloader.Apropo.D

    oop almost forgot...I am running Window 98SE with a broadband connection...but currently running my regular telephone modem through netzero while trying to get this cleaned up....below is a copy of my Hijackthis log....thanks in advance for your help

    Logfile of HijackThis v1.97.7
    Scan saved at 10:56:31 AM, on 6/8/04
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\DEVLDR16.EXE
    C:\PROGRAM FILES\GRISOFT\AVG6\AVGSERV9.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
    C:\WINDOWS\SYSTEM\HIDSERV.EXE
    C:\PROGRAM FILES\CREATIVE\SBLIVE\AUDIOHQ\AHQTB.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\PROGRAM FILES\MICROSOFT HARDWARE\KEYBOARD\SPEEDKEY.EXE
    C:\WINDOWS\SYSTEM\QTTASK.EXE
    C:\PROGRAM FILES\GRISOFT\AVG6\AVGCC32.EXE
    C:\WINDOWS\SYSTEM\MSWHEEL.EXE
    C:\PROGRAM FILES\REAL\REALPLAYER\REALPLAY.EXE
    C:\WINDOWS\SYSTEM\IHIYHXM.EXE
    C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
    C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\AIM\AIM.EXE
    C:\PROGRAM FILES\HP DESKJET 895C SERIES\EREG\REMIND32.EXE
    C:\PROGRAM FILES\FRANKLIN COVEY\PLANNER\COMPASS.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\WINDOWS\SYSTEM\TAPISRV.EXE
    C:\WINDOWS\SYSTEM\RNAAPP.EXE
    C:\WINDOWS\DESKTOP\MY BRIEFCASE\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://my.netzero.net/s/search?r=minisearch
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://my.netzero.net/s/search?r=minisearch
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://my.netzero.net/s/search?r=minisearch
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://my.netzero.net/s/search?r=minisearch
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://my.netzero.net/s/search?r=minisearch
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://my.netzero.net/s/search?r=minisearch
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://public.searchbarcash.com/homepages_manager.php?origin=homepage&software_id=0001
    R3 - URLSearchHook: URLSearchHook Class - {37D2CDBF-2AF4-44AA-8113-BD0D2DA3C2B8} - C:\PROGRAM FILES\NZSEARCH\SEARCHENH1.DLL
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O3 - Toolbar: ZeroBar - {F5735C15-1FB2-41FE-BA12-242757E69DDE} - C:\PROGRAM FILES\NETZERO\TOOLBAR.DLL
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [POINTER] C:\PROGRA~1\MSHARD~1\point32.exe
    O4 - HKLM\..\Run: [Microsoft IntelliType Pro] "C:\Program Files\Microsoft Hardware\Keyboard\speedkey.exe"
    O4 - HKLM\..\Run: [AudioHQ] C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
    O4 - HKLM\..\Run: [Speed racer] C:\Program Files\Creative\PlayCenter\CTSRReg.exe
    O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
    O4 - HKLM\..\Run: [AttuneClientEngine] C:\PROGRA~1\AVEO\ATTUNE\bin\attune_ce.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
    O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\GRISOFT\AVG6\avgcc32.exe /STARTUP
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [CriticalUpdate] C:\WINDOWS\SYSTEM\wucrtupd.exe -startup
    O4 - HKLM\..\Run: [hpsysconf1] C:\WINDOWS\SYSTEM\ihiyhxm.exe
    O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
    O4 - HKLM\..\Run: [devldr16.exe] C:\WINDOWS\SYSTEM\devldr16.exe
    O4 - HKLM\..\RunServices: [Hidserv] Hidserv.exe run
    O4 - HKLM\..\RunServices: [Avgserv9.exe] C:\PROGRA~1\GRISOFT\AVG6\Avgserv9.exe
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] C:\WINDOWS\SYSTEM\mstask.exe
    O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
    O4 - HKCU\..\Run: [BitMagic] C:\Program Files\BitMagic\BitLoader.exe
    O4 - HKCU\..\Run: [AIM] C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\AIM\aim.exe -cnetwait.odl
    O4 - HKCU\..\Run: [spc_w] "C:\Program Files\NZSearch\hcm.exe" -w
    O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Startup: Reminder-hpc41004.lnk = C:\Program Files\HP DeskJet 895C Series\ereg\Remind32.exe
    O4 - Startup: RealDownload.lnk = C:\Program Files\Real\RealDownload\REALDOWNLOAD.EXE
    O4 - Startup: Weekly Compass.lnk = C:\Program Files\Franklin Covey\Planner\Compass.exe
    O9 - Extra button: Real.com (HKLM)
    O9 - Extra button: Dell Home (HKCU)
    O16 - DPF: {7944C497-34C7-11D3-B09C-00C04F612FF1} (MSN Chat Control) - http://fdl.msn.com/public/chat/msnchat.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/26fac6b754c7ac989303/netzip/RdxIE601.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37966.53375
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
    O16 - DPF: {4B9F2C37-C0CF-42BC-BB2D-DCFA8B25CABF} (PopCapLoaderCtrl Class) - http://zone.msn.com/bingame/rock/default/popcaploader1.cab
    O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai.net/7/19/7125/1435/ftp.coupons.com/v3123/cpbrkpie.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003120501/housecall.antivirus.com/housecall/xscan53.cab
    O16 - DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A78D} (DoomCln Object) - http://www.microsoft.com/security/controls/DoomCln.CAB
    O16 - DPF: {498A0AC2-A3AC-11D4-80A9-0050DA680987} (HearMe (Firewall) Voice Control) - http://208.185.32.93/util/hearme/hmvcfe.cab
    O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/zuma/default/popcaploader_v5.cab
    O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://12.168.230.138/activex/AxisCamControl.ocx
    O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
    O16 - DPF: {9AA73F41-EC64-489E-9A73-9CD52E528BC4} (ZoneAxRcMgr Class) - http://zone.msn.com/binGame/ZAxRcMgr.cab
    O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = anvilcom.com
    O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 198.68.20.2,198.68.20.6
     
  2. dadobi

    dadobi Registered Member

    Joined:
    Jun 8, 2004
    Posts:
    6
    infected with trojans and backdoor

    I am a new user to the forum so I apologize in advance if I leave out any important information

    I run AVG, Zone Alarm, adaware and spybot on my system...some how I have messed up and let in some bad guys...I have run both updated adaware and spybot versions on my system before running the attached hijack this log

    I also ran another program called noadware (i think) and it showed W32/Noala.b@MM
    Backdoor.Cabro (listed twice)
    VX2
    W32.Mimail.C
    WildTangent
    (I did not pay the $30 to have their program address these issues)

    Even with the cleaning that I have done I continue to get messages in AVG regarding the following trojans

    Dropper.small.4.bm
    Downloader.Vidia.B
    Revop.C
    Droppersmall.boco
    Downloader.Apropo.D

    oop almost forgot...I am running Window 98SE with a broadband connection...but currently running my regular telephone modem through netzero while trying to get this cleaned up....below is a copy of my Hijackthis log....thanks in advance for your help

    Logfile of HijackThis v1.97.7
    Scan saved at 10:56:31 AM, on 6/8/04
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\DEVLDR16.EXE
    C:\PROGRAM FILES\GRISOFT\AVG6\AVGSERV9.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
    C:\WINDOWS\SYSTEM\HIDSERV.EXE
    C:\PROGRAM FILES\CREATIVE\SBLIVE\AUDIOHQ\AHQTB.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\PROGRAM FILES\MICROSOFT HARDWARE\KEYBOARD\SPEEDKEY.EXE
    C:\WINDOWS\SYSTEM\QTTASK.EXE
    C:\PROGRAM FILES\GRISOFT\AVG6\AVGCC32.EXE
    C:\WINDOWS\SYSTEM\MSWHEEL.EXE
    C:\PROGRAM FILES\REAL\REALPLAYER\REALPLAY.EXE
    C:\WINDOWS\SYSTEM\IHIYHXM.EXE
    C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
    C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\AIM\AIM.EXE
    C:\PROGRAM FILES\HP DESKJET 895C SERIES\EREG\REMIND32.EXE
    C:\PROGRAM FILES\FRANKLIN COVEY\PLANNER\COMPASS.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\WINDOWS\SYSTEM\TAPISRV.EXE
    C:\WINDOWS\SYSTEM\RNAAPP.EXE
    C:\WINDOWS\DESKTOP\MY BRIEFCASE\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://my.netzero.net/s/search?r=minisearch
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://my.netzero.net/s/search?r=minisearch
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://my.netzero.net/s/search?r=minisearch
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://my.netzero.net/s/search?r=minisearch
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://my.netzero.net/s/search?r=minisearch
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://my.netzero.net/s/search?r=minisearch
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://public.searchbarcash.com/hom...oftware_id=0001
    R3 - URLSearchHook: URLSearchHook Class - {37D2CDBF-2AF4-44AA-8113-BD0D2DA3C2B8} - C:\PROGRAM FILES\NZSEARCH\SEARCHENH1.DLL
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O3 - Toolbar: ZeroBar - {F5735C15-1FB2-41FE-BA12-242757E69DDE} - C:\PROGRAM FILES\NETZERO\TOOLBAR.DLL
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [POINTER] C:\PROGRA~1\MSHARD~1\point32.exe
    O4 - HKLM\..\Run: [Microsoft IntelliType Pro] "C:\Program Files\Microsoft Hardware\Keyboard\speedkey.exe"
    O4 - HKLM\..\Run: [AudioHQ] C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
    O4 - HKLM\..\Run: [Speed racer] C:\Program Files\Creative\PlayCenter\CTSRReg.exe
    O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
    O4 - HKLM\..\Run: [AttuneClientEngine] C:\PROGRA~1\AVEO\ATTUNE\bin\attune_ce.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
    O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\GRISOFT\AVG6\avgcc32.exe /STARTUP
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [CriticalUpdate] C:\WINDOWS\SYSTEM\wucrtupd.exe -startup
    O4 - HKLM\..\Run: [hpsysconf1] C:\WINDOWS\SYSTEM\ihiyhxm.exe
    O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
    O4 - HKLM\..\Run: [devldr16.exe] C:\WINDOWS\SYSTEM\devldr16.exe
    O4 - HKLM\..\RunServices: [Hidserv] Hidserv.exe run
    O4 - HKLM\..\RunServices: [Avgserv9.exe] C:\PROGRA~1\GRISOFT\AVG6\Avgserv9.exe
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] C:\WINDOWS\SYSTEM\mstask.exe
    O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
    O4 - HKCU\..\Run: [BitMagic] C:\Program Files\BitMagic\BitLoader.exe
    O4 - HKCU\..\Run: [AIM] C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\AIM\aim.exe -cnetwait.odl
    O4 - HKCU\..\Run: [spc_w] "C:\Program Files\NZSearch\hcm.exe" -w
    O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Startup: Reminder-hpc41004.lnk = C:\Program Files\HP DeskJet 895C Series\ereg\Remind32.exe
    O4 - Startup: RealDownload.lnk = C:\Program Files\Real\RealDownload\REALDOWNLOAD.EXE
    O4 - Startup: Weekly Compass.lnk = C:\Program Files\Franklin Covey\Planner\Compass.exe
    O9 - Extra button: Real.com (HKLM)
    O9 - Extra button: Dell Home (HKCU)
    O16 - DPF: {7944C497-34C7-11D3-B09C-00C04F612FF1} (MSN Chat Control) - http://fdl.msn.com/public/chat/msnchat.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/...director/sw.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/...ash/swflash.cab
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/26fac6b754c7ac...ip/RdxIE601.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.c...CAB?37966.53375
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
    O16 - DPF: {4B9F2C37-C0CF-42BC-BB2D-DCFA8B25CABF} (PopCapLoaderCtrl Class) - http://zone.msn.com/bingame/rock/de...pcaploader1.cab
    O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai.net/7/19/7125/1...23/cpbrkpie.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/...all/xscan53.cab
    O16 - DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A78D} (DoomCln Object) - http://www.microsoft.com/security/controls/DoomCln.CAB
    O16 - DPF: {498A0AC2-A3AC-11D4-80A9-0050DA680987} (HearMe (Firewall) Voice Control) - http://208.185.32.93/util/hearme/hmvcfe.cab
    O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/zuma/de...aploader_v5.cab
    O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://12.168.230.138/activex/AxisCamControl.ocx
    O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeu...ontent/opuc.cab
    O16 - DPF: {9AA73F41-EC64-489E-9A73-9CD52E528BC4} (ZoneAxRcMgr Class) - http://zone.msn.com/binGame/ZAxRcMgr.cab
    O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = anvilcom.com
    O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 198.68.20.2,198.68.20.6
     
  3. Taz71498

    Taz71498 Registered Member

    Joined:
    May 27, 2004
    Posts:
    674
    Location:
    USA
    This merged your two posts.
     
  4. dadobi

    dadobi Registered Member

    Joined:
    Jun 8, 2004
    Posts:
    6
    Im sorry ...did I do something wrong..I posted in two places cuz I have so much going on I wasnt sure the correct place to ask for help
     
  5. Taz71498

    Taz71498 Registered Member

    Joined:
    May 27, 2004
    Posts:
    674
    Location:
    USA
    Hello,

    You just posted the same thing twice, so I merged them together.

    Run Hijackthis again and check these items and then on Fix:

    R3 - URLSearchHook: URLSearchHook Class - {37D2CDBF-2AF4-44AA-8113-BD0D2DA3C2B8} - C:\PROGRAM FILES\NZSEARCH\SEARCHENH1.DLL

    O4 - HKCU\..\Run: [spc_w] "C:\Program Files\NZSearch\hcm.exe" -w

    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/26fac6b754c7ac...ip/RdxIE601.cab

    Reboot the computer into safe mode

    Make sure you can view all hidden files and folders

    Find and delete these files/folders::(if you don't find them, that is ok)

    C:\Program Files\NZSearch

    Reboot the computer and post a new log here.
     
  6. Taz71498

    Taz71498 Registered Member

    Joined:
    May 27, 2004
    Posts:
    674
    Location:
    USA
    When you are done with that, I would like you to go to a free online virus scan:

    http://housecall.trendmicro.com/

    Just before scanning there is a little box that can be checked that says Autoclean. Check that box.

    Let me know what it finds and what files are infected. Write everything down.
     
  7. dadobi

    dadobi Registered Member

    Joined:
    Jun 8, 2004
    Posts:
    6
    I followed the directions and was able to successfully delete all items there were stated to be deleted...I also deleted in Safe Mode the exe for NZsearch

    I then ran the Trend scan and it said two virus were found that are not cleanable

    Reg Seeker.C (Noncleanable) located in C:\WINDOWS\homereg111.reg
    Reg Seeker.C (Noncleanable) located in C:\WINDOWS\home.reg

    I was given the option to delete these two but did not delete ...awaiting further instructions

    In addition to the above...yesterday...while reading some other posts..I downloaded and installed TDS free trial...I was able to use this program to clean up some stuff...looks like the only thing I might have yet to deal with is this Reg Seeker.C...which is probably what is causing the TDS to give me a notice each time I start it that the AutoStart has changed....I havent been able to locate in the Autostart list that appears suspicious....if you know anything about TDS and this feature ...additional input would be appreciated

    below is most recent log

    Logfile of HijackThis v1.97.7
    Scan saved at 12:08:46 PM, on 6/9/04
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\DEVLDR16.EXE
    C:\PROGRAM FILES\GRISOFT\AVG6\AVGSERV9.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
    C:\WINDOWS\SYSTEM\HIDSERV.EXE
    C:\PROGRAM FILES\CREATIVE\SBLIVE\AUDIOHQ\AHQTB.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\PROGRAM FILES\MICROSOFT HARDWARE\KEYBOARD\SPEEDKEY.EXE
    C:\WINDOWS\SYSTEM\QTTASK.EXE
    C:\WINDOWS\SYSTEM\MSWHEEL.EXE
    C:\PROGRAM FILES\GRISOFT\AVG6\AVGCC32.EXE
    C:\PROGRAM FILES\REAL\REALPLAYER\REALPLAY.EXE
    C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
    C:\PROGRAM FILES\HP DESKJET 895C SERIES\EREG\REMIND32.EXE
    C:\PROGRAM FILES\FRANKLIN COVEY\PLANNER\COMPASS.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
    C:\WINDOWS\DESKTOP\MY BRIEFCASE\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://my.netzero.net/s/search?r=minisearch
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://my.netzero.net/s/search?r=minisearch
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://my.netzero.net/s/search?r=minisearch
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://my.netzero.net/s/search?r=minisearch
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://my.netzero.net/s/search?r=minisearch
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://my.netzero.net/s/search?r=minisearch
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://public.searchbarcash.com/homepages_manager.php?origin=homepage&software_id=0001
    O1 - Hosts: 64.91.255.87 www.dcsresearch.com
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O3 - Toolbar: ZeroBar - {F5735C15-1FB2-41FE-BA12-242757E69DDE} - C:\PROGRAM FILES\NETZERO\TOOLBAR.DLL
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [POINTER] C:\PROGRA~1\MSHARD~1\point32.exe
    O4 - HKLM\..\Run: [Microsoft IntelliType Pro] "C:\Program Files\Microsoft Hardware\Keyboard\speedkey.exe"
    O4 - HKLM\..\Run: [AudioHQ] C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
    O4 - HKLM\..\Run: [Speed racer] C:\Program Files\Creative\PlayCenter\CTSRReg.exe
    O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
    O4 - HKLM\..\Run: [AttuneClientEngine] C:\PROGRA~1\AVEO\ATTUNE\bin\attune_ce.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
    O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\GRISOFT\AVG6\avgcc32.exe /STARTUP
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
    O4 - HKLM\..\Run: [devldr16.exe] C:\WINDOWS\SYSTEM\devldr16.exe
    O4 - HKLM\..\RunServices: [Hidserv] Hidserv.exe run
    O4 - HKLM\..\RunServices: [Avgserv9.exe] C:\PROGRA~1\GRISOFT\AVG6\Avgserv9.exe
    O4 - HKLM\..\RunServices: [SchedulingAgent] C:\WINDOWS\SYSTEM\mstask.exe
    O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
    O4 - HKCU\..\Run: [BitMagic] C:\Program Files\BitMagic\BitLoader.exe
    O4 - HKCU\..\Run: [AIM] C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\AIM\aim.exe -cnetwait.odl
    O4 - HKCU\..\RunServices: [BitMagic] C:\Program Files\BitMagic\BitLoader.exe
    O4 - HKCU\..\RunServices: [AIM] C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\AIM\aim.exe -cnetwait.odl
    O4 - HKLM\..\RunOnce: [BitMagic] C:\Program Files\BitMagic\BitLoader.exe
    O4 - HKLM\..\RunOnce: [AIM] C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\AIM\aim.exe -cnetwait.odl
    O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Startup: Reminder-hpc41004.lnk = C:\Program Files\HP DeskJet 895C Series\ereg\Remind32.exe
    O4 - Startup: RealDownload.lnk = C:\Program Files\Real\RealDownload\REALDOWNLOAD.EXE
    O4 - Startup: Weekly Compass.lnk = C:\Program Files\Franklin Covey\Planner\Compass.exe
    O9 - Extra button: Real.com (HKLM)
    O9 - Extra button: Dell Home (HKCU)
    O16 - DPF: {7944C497-34C7-11D3-B09C-00C04F612FF1} (MSN Chat Control) - http://fdl.msn.com/public/chat/msnchat.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/26fac6b754c7ac989303/netzip/RdxIE601.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37966.53375
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
    O16 - DPF: {4B9F2C37-C0CF-42BC-BB2D-DCFA8B25CABF} (PopCapLoaderCtrl Class) - http://zone.msn.com/bingame/rock/default/popcaploader1.cab
    O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai.net/7/19/7125/1435/ftp.coupons.com/v3123/cpbrkpie.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003120501/housecall.antivirus.com/housecall/xscan53.cab
    O16 - DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A78D} (DoomCln Object) - http://www.microsoft.com/security/controls/DoomCln.CAB
    O16 - DPF: {498A0AC2-A3AC-11D4-80A9-0050DA680987} (HearMe (Firewall) Voice Control) - http://208.185.32.93/util/hearme/hmvcfe.cab
    O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/zuma/default/popcaploader_v5.cab
    O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://12.168.230.138/activex/AxisCamControl.ocx
    O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
    O16 - DPF: {9AA73F41-EC64-489E-9A73-9CD52E528BC4} (ZoneAxRcMgr Class) - http://zone.msn.com/binGame/ZAxRcMgr.cab
    O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = anvilcom.com
    O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 198.68.20.2,198.68.20.6
     
  8. Taz71498

    Taz71498 Registered Member

    Joined:
    May 27, 2004
    Posts:
    674
    Location:
    USA
    Hello,

    Delete the contents of the "temp" folder and completely delete the cache folders by doing this:

    Open Internet Explorer. Then click on TOOLS in the top toolbar. Click on "Internet Options..." from the drop-down menu.
    A new smaller window will display. Under the "General" tab, in the middle, are 3 buttons.
    Click the Delete Cookies button - then a small warning box pops up. Click OK.
    Click the Delete Files button - a small warning box pops us. Check the box for "Delete all offline content" and click OK.
    Then on the same General tab, click Clear History, then click OK

    Reboot the computer into safe mode

    Make sure you can view all hidden files and folders

    Find and delete these files/folders::(if you don't find them, that is ok)

    C:\WINDOWS\homereg111.reg
    C:\WINDOWS\home.reg

    Reboot and see if your problems disappear. You might want to run that online AVG again and see if it is clean.

    I don't use TDS, so I can't answer your question. Any questions regarding TDS you can post at this link:

    https://www.wilderssecurity.com/forumdisplay.php?f=10
     
  9. dadobi

    dadobi Registered Member

    Joined:
    Jun 8, 2004
    Posts:
    6
    I have done the cleaning several times during the process of removing everything that I had become aware of on my system...but will again....I also, while awaiting further directions did more research on the Reg Seeker.C and after my readings felt comfortable to enough to use the trend scan to remove the instances of Reg Seeker.C that it said could be deleted...I also then followed your instructions and went into safe mode to look for these files but found no trace of them....I cant help but shake the feeling that there is still some thing that I am missing because of the autostart change notice that I am(or should say was getting in TDS)....TDS has frozen up completely when going through process scan and stopped responding so I have deleted and will address this issue in the other forum that you have suggested

    thank you for your help :)
     
  10. Taz71498

    Taz71498 Registered Member

    Joined:
    May 27, 2004
    Posts:
    674
    Location:
    USA
    Hello,

    Since you did that removal for the Seeker did you run another Antivirus scan?

    If not, go back to trendmicro and do another scan and see what it says:

    http://housecall.trendmicro.com/
     
  11. dadobi

    dadobi Registered Member

    Joined:
    Jun 8, 2004
    Posts:
    6
    yes thanks I have run several different scans...trend micro, panda, AVG, spybot, TDS, Adaware and a new trial with a program called trojan hunter....everything came back clean except the new program trojan hunter which found some suspect files (eight of them ...beginning all the same ...will on type once with each of the different endings listed seperately)

    C:\WINDOWS\SYSTEM\mamma-ss.exe
    (same....................... mamma-dmk-ss.exe
    (same........................mamma-ikw-ss.exe
    (same........................mamma-ez-ss.exe
    (same........................mamma-ai-ss.exe
    (same........................mamma-tvm-ss.exe
    (same........................mamma-bi-ss.exe
    (same........................mamma-dummy.exe
    this program suggested attaching these files to an email and sending to the for them to check out...tried to do this and it crashed my system...so instead I went back and add .old extension to all these postings and rebooted...system seemed fine so then just deleted these 8

    Regarding IST message that I had received from one of the detection programs ...I also found all IST files renamed, rebooted, then deleted...think i have managed to find everything....wish I could be 100% sure...but its a little discouraging to have to run so many different programs because not one or just two programs can handle all the nasties out there

    Are there any free programs that are recommended that I have not tried??
     
  12. Taz71498

    Taz71498 Registered Member

    Joined:
    May 27, 2004
    Posts:
    674
    Location:
    USA
    Hello,

    I understand your frustration when you clean things up and you think you have it all and come to find out there is more. I do believe things are looking good for you.

    If the online virus scan is coming back clean, I believe it. As far as the programs, well, there are lots, but this is what I suggest to do, go to this page and read and follow the suggestions:

    https://www.wilderssecurity.com/showthread.php?t=27971
     
Thread Status:
Not open for further replies.