Thanks for your help in advance!

Discussion in 'adware, spyware & hijack cleaning' started by BIAUSER, Jul 9, 2004.

Thread Status:
Not open for further replies.
  1. BIAUSER (Registered Member; joined Jul 9, 2004; posts: 2)
    I believe I have some form of an AIM worm/virus/trojan horse. I have a dial-up connection, and as soon as it logs on to my ISP, IE opens automatically and tries to load the webpage <www.freewebs.com/yearofl12/staff.html>. IE never used to open automatically and I have no idea what that website is. Also, my AIM keeps trying to log on automatically, so I had to remove my saved password. A message now pops up saying 'the AIM hyperlink you've clicked on may require you to be online to work. Please log in first.' This happens about every 1 to 2 minutes.

    I ran Ad-Aware and Spybot, then scanned with HijackThis, and here is my log. I'm trying to follow the protocol for posting and if I am doing anything wrong, please let me know. If someone could examine my log and post any suggestions, I would be deeply indebted!

    Logfile of HijackThis v1.97.7
    Scan saved at 1:33:54 PM, on 7/9/04
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\PROGRAM FILES\SYMANTEC_CLIENT_SECURITY\SYMANTEC ANTIVIRUS\RTVSCN95.EXE
    C:\PROGRAM FILES\SYMANTEC_CLIENT_SECURITY\SYMANTEC ANTIVIRUS\DEFWATCH.EXE
    C:\PROGRAM FILES\CISCO SYSTEMS\VPN CLIENT\CVPND.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS\SYSTEM\ATIPTAXX.EXE
    C:\PROGRAM FILES\SYMANTEC_CLIENT_SECURITY\SYMANTEC ANTIVIRUS\VPTRAY.EXE
    C:\WINDOWS\SYSTEM\STIMON.EXE
    C:\WINDOWS\SYSTEM\HPOOPM07.EXE
    C:\WINDOWS\SYSTEM\MSGINAV.EXE
    C:\PROGRAM FILES\HEWLETT-PACKARD\HP OFFICEJET K SERIES\BIN\HPODEV07.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\PROGRAM FILES\HEWLETT-PACKARD\HP OFFICEJET K SERIES\BIN\HPOEVM07.EXE
    C:\WINDOWS\SYSTEM\HPOIPM07.EXE
    C:\WINDOWS\SYSTEM\HPOID407.EXE
    C:\PROGRAM FILES\HEWLETT-PACKARD\HP OFFICEJET K SERIES\BIN\HPOSTS07.EXE
    C:\PROGRAM FILES\HEWLETT-PACKARD\HP OFFICEJET K SERIES\BIN\HPOFXM07.EXE
    C:\MY DOCUMENTS\MY EBOOKS\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.110.1:80
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
    O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\stimon.exe
    O4 - HKLM\..\Run: [HPAIO_PrintFolderMgr] C:\WINDOWS\SYSTEM\hpoopm07.exe
    O4 - HKLM\..\Run: [Microsoft Gina V Encryption] MSGINAV.EXE
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [rtvscn95] C:\PROGRA~1\SYMANT~1\SYMANT~1\rtvscn95.exe
    O4 - HKLM\..\RunServices: [defwatch] C:\PROGRA~1\SYMANT~1\SYMANT~1\defwatch.exe
    O4 - HKLM\..\RunServices: [CVPND] "C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe" start
    O4 - HKCU\..\RunOnce: [Microsoft Gina V Encryption] MSGINAV.EXE
    O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Startup: HPAiODevice.lnk = C:\Program Files\Hewlett-Packard\HP OfficeJet K Series\bin\hpodev07.exe
    O9 - Extra button: AIM (HKLM)
    O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?38065.1484837963
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

    Thanks again!

    Ben
     
  2. BIAUSER (Registered Member; joined Jul 9, 2004; posts: 2)
    bump.....
     
  3. snapdragin (Administrator; joined Feb 16, 2002; posts: 8,415; location: Southern Ont., Canada)
    Hi Ben,
    Sorry for the late reply.

    First, press the ctrl+alt+del keys at the same time to bring up the running process panel. If you see "msginav.exe" there, try to close it if you can. If you can't, continue on with the following.

    Open HijackThis and rescan. Then, with only HijackThis open and all other browsers closed, place a check beside the following and click 'Fix checked':

    O4 - HKLM\..\Run: [Microsoft Gina V Encryption] MSGINAV.EXE
    O4 - HKCU\..\RunOnce: [Microsoft Gina V Encryption] MSGINAV.EXE

    (This one is optional to fix but it is a resource hog and isn't needed at startup)
    O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

    Please zip up a copy of the msginav.exe (it can be found in the C:\Windows\System folder) and email it to the following addresses for analysis. Include a link back to this thread in the body of the email.
    submit At diamondcs.com.au
    samples At nod32.com

    (replace the At with @)

    You may have to make all files and folders viewable:
    Open My Computer --> Select the View menu and click Folder Options --> Select the View tab.
    In the Hidden files section select "Show all files". Click "OK".

    Then upload the 'msginav.exe' file to Kaspersky for a scan.

    Next, go to one (or two) of these on-line antivirus scanners and do a FULL system scan: Free Services

    Reboot your computer after the scan, and download the latest version of HijackThis, 1.98.0-hotfix.
    Create a permanent folder on your C: drive (example: C:\HJT\ ) and put HijackThis.exe into that folder. HijackThis must run from its own folder (not the Desktop or Temp folders) because it creates backups in the folder it is run from; so if you should delete something you needed, you will be able to find the backups easily and restore it.

    Post a new log here in your next reply.

    Regards,

    snap
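The triage snap does by eye on the O4 lines above (an entry that re-arms itself from both HKLM\..\Run and HKCU\..\RunOnce, a bare filename with no path, a "Microsoft" label on a binary nobody recognizes) can be written down as a small parser. The code below is an added example for this thread, not part of HijackThis or any helper's tooling. The sample lines are copied from Ben's posted log; the allow-list of Microsoft autostart binaries and the rule that an unquoted command is read up to the first token ending in an executable extension are assumptions made for the example. The flags are review hints, not verdicts: rundll32.exe is flagged as path-less here exactly as msginav.exe is.

```python
"""Parse HijackThis O4 (autostart) entries and flag the ones a reviewer
would look at first.  Added example for the thread, not HijackThis code."""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass

# Lines copied from the posted log (not every O4 entry, just enough to show the checks).
SAMPLE_LOG = """\
O4 - HKLM\\..\\Run: [ScanRegistry] C:\\WINDOWS\\scanregw.exe /autorun
O4 - HKLM\\..\\Run: [SystemTray] SysTray.Exe
O4 - HKLM\\..\\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\\..\\Run: [vptray] C:\\PROGRA~1\\SYMANT~1\\SYMANT~1\\vptray.exe
O4 - HKLM\\..\\Run: [Microsoft Gina V Encryption] MSGINAV.EXE
O4 - HKLM\\..\\RunServices: [CVPND] "C:\\Program Files\\Cisco Systems\\VPN Client\\cvpnd.exe" start
O4 - HKCU\\..\\RunOnce: [Microsoft Gina V Encryption] MSGINAV.EXE
O4 - Startup: Microsoft Office.lnk = C:\\Program Files\\Microsoft Office\\Office\\OSA9.EXE
"""

REG_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\(\w+): \[(.*?)\] (.*)$")
STARTUP_RE = re.compile(r"^O4 - ((?:Global )?Startup): (.*?) = (.*)$")
EXE_EXT = (".exe", ".com", ".dll", ".scr", ".pif", ".bat")

# Assumed allow-list of Microsoft binaries that legitimately autostart on Win9x.
# This is an example list, not one published by Microsoft or HijackThis.
KNOWN_MICROSOFT = {"scanregw.exe", "taskmon.exe", "systray.exe", "rundll32.exe",
                   "mstask.exe", "osa9.exe"}


@dataclass
class Entry:
    location: str   # e.g. "HKLM\\..\\Run" or "Startup"
    name: str       # registry value name or .lnk name
    command: str    # raw command line as HijackThis printed it
    exe: str        # lower-cased basename of the program
    has_path: bool  # False when the command is a bare filename


def program_of(command: str) -> str:
    """Return the program part of a command line.
    Quoted paths are taken verbatim; an unquoted line is read up to the first
    token that ends in an executable extension (assumption: that is how
    HijackThis prints unquoted paths containing spaces)."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    parts = command.split()
    for i, part in enumerate(parts):
        if part.lower().endswith(EXE_EXT):
            return " ".join(parts[: i + 1])
    return parts[0] if parts else ""


def parse_o4(text: str) -> list[Entry]:
    """Turn the O4 lines of a HijackThis log into Entry records."""
    entries: list[Entry] = []
    for line in text.splitlines():
        m = REG_RE.match(line)
        if m:
            hive, key, name, command = m.groups()
            location = f"{hive}\\..\\{key}"
        else:
            m = STARTUP_RE.match(line)
            if not m:
                continue
            location, name, command = m.groups()
        prog = program_of(command)
        has_path = "\\" in prog or "/" in prog
        exe = prog.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        entries.append(Entry(location, name, command, exe, has_path))
    return entries


def review(entries: list[Entry]) -> dict[str, dict]:
    """Group entries by program and attach reviewer flags."""
    by_exe: dict[str, list[Entry]] = defaultdict(list)
    for e in entries:
        by_exe[e.exe].append(e)
    report: dict[str, dict] = {}
    for exe, group in by_exe.items():
        flags = set()
        if len({e.location for e in group}) > 1:
            flags.add("multiple_autostart_keys")      # re-arms from more than one key
        if any(not e.has_path for e in group):
            flags.add("no_path")                       # bare name, found via search path
        if any("microsoft" in e.name.lower() for e in group) and exe not in KNOWN_MICROSOFT:
            flags.add("microsoft_name_unknown_binary")  # label claims MS, binary unknown
        report[exe] = {"locations": sorted(e.location for e in group),
                       "flags": sorted(flags)}
    return report


if __name__ == "__main__":
    for exe, info in review(parse_o4(SAMPLE_LOG)).items():
        if info["flags"]:
            print(f"{exe:14} {info['locations']}  flags={info['flags']}")
```

Run against the sample, msginav.exe is the only program that collects all three flags, which is the same conclusion snap reached by hand; the parser just makes the reasoning repeatable on the next log someone posts.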
     