Thanks for your help in advance!

I believe I have some form of an AIM worm/virus/trojan horse. I have a dial up connection, and as soon as it logs on to my ISP, IE opens automatically and trys to load the webpage <www.freewebs.com/yearofl12/staff.html> IE never used to open automatically and I have no idea what that website is. Also, my AIM keeps trying to log on automatically, so I had to remove my saved password. A message now pops up saying 'the AIM hyperlink you've clicked on may require you to be online to work. Please log in first.' This happens about every 1 to 2 minutes.

I ran adaware and spy bot then scanned with 'Hijack this!' and here is my log. I'm trying to follow the protocol for posting and if I am doing anything wrong, please let me know. If someone could examine my log and post any suggestions, I would be deeply indebted!

Logfile of HijackThis v1.97.7
Scan saved at 1:33:54 PM, on 7/9/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\SYMANTEC_CLIENT_SECURITY\SYMANTEC ANTIVIRUS\RTVSCN95.EXE
C:\PROGRAM FILES\SYMANTEC_CLIENT_SECURITY\SYMANTEC ANTIVIRUS\DEFWATCH.EXE
C:\PROGRAM FILES\CISCO SYSTEMS\VPN CLIENT\CVPND.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\ATIPTAXX.EXE
C:\PROGRAM FILES\SYMANTEC_CLIENT_SECURITY\SYMANTEC ANTIVIRUS\VPTRAY.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\HPOOPM07.EXE
C:\WINDOWS\SYSTEM\MSGINAV.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\HP OFFICEJET K SERIES\BIN\HPODEV07.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\HP OFFICEJET K SERIES\BIN\HPOEVM07.EXE
C:\WINDOWS\SYSTEM\HPOIPM07.EXE
C:\WINDOWS\SYSTEM\HPOID407.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\HP OFFICEJET K SERIES\BIN\HPOSTS07.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\HP OFFICEJET K SERIES\BIN\HPOFXM07.EXE
C:\MY DOCUMENTS\MY EBOOKS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.110.1:80
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\stimon.exe
O4 - HKLM\..\Run: [HPAIO_PrintFolderMgr] C:\WINDOWS\SYSTEM\hpoopm07.exe
O4 - HKLM\..\Run: [Microsoft Gina V Encryption] MSGINAV.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [rtvscn95] C:\PROGRA~1\SYMANT~1\SYMANT~1\rtvscn95.exe
O4 - HKLM\..\RunServices: [defwatch] C:\PROGRA~1\SYMANT~1\SYMANT~1\defwatch.exe
O4 - HKLM\..\RunServices: [CVPND] "C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe" start
O4 - HKCU\..\RunOnce: [Microsoft Gina V Encryption] MSGINAV.EXE
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: HPAiODevice.lnk = C:\Program Files\Hewlett-Packard\HP OfficeJet K Series\bin\hpodev07.exe
O9 - Extra button: AIM (HKLM)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?38065.1484837963
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

Thanks again!

Ben

 

bump.....

 

Hi Ben,
Sorry for the late reply.

First, press the ctrl+alt+del keys at the same time to bring up the running process panel. If you see the "msginav.exe" there, try and close it if you can. If you can't, continue on with the following.

Open Hijackthis and rescan. Then with only Hijackthis open, and all other browsers closed, place a check beside the following and click *Fix checked:

O4 - HKLM\..\Run: [Microsoft Gina V Encryption] MSGINAV.EXE
O4 - HKCU\..\RunOnce: [Microsoft Gina V Encryption] MSGINAV.EXE

(This one is optional to fix but it is a resource hog and isn't needed at startup)
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

Please zip up a copy of the msginav.exe (it can be found in the C:\Windows\System folder) and email it to the following addresses for analysis. Include a link back to this thread in the body of the email.
submit At diamondcs.com.au
samples At nod32.com
(replace the At with @)

You may have to make all files and folders viewable.
Open My Computer -->Select the View menu and click Folder Options -->Select the View Tab.
In the Hidden files section select "Show all files". Click "OK"

Then upload the 'msginav.exe' file to Kaspersky for a scan.

Next, go to one (or two) of these on-line antivirus scan and do a FULL system scan: Free Services

Reboot your computer after the scan, and download the latest version of Hijackthis 1.98.0-hotfix.
Create a permanent folder on your C: drive (example: C:\HJT\ ) and put the HijackThis.exe into the permanent folder. HijackThis must run from it's own folder (not the Desktop or Temp folders) as it creates backups in the folder it is ran from, so if you should delete something you needed, you will be able to find the backups easily and restore it from them.

Post a new log here in your next reply.

Regards,

snap