Go Back   Cyber Tech Help Support Forums > Software > Malware Removal

Notices

Malware Removal Discussion about Trojans, viruses, hoaxes, firewalls, spyware, and general Security issues. If you suspect your PC is infected with a virus, trojan or spyware app please include any supporting documentation or logs

Reply
 
Topic Tools
  #1  
Old July 30th, 2004, 01:33 AM
Golden.boy Golden.boy is offline
New Member
 
Join Date: Jul 2004
Posts: 12
Exclamation Proxy.6.B ????

Hey there!!

I think I may also have the Proxy.6.B trojan, but am unable to get rid of it with either AVG, Pest Patrol, Ad-Aware, or my trial version of Trojan Hunter. I just got HijackThis and will post the log below for your perusal. Any help would be greatful!!!

Cheers,

-Golden.boy

Logfile of HijackThis v1.98.0

Scan saved at 9:20:55 PM, on 7/29/04

Platform: Windows 98 SE (Win9x 4.10.2222A)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)



Running processes:

C:\WINDOWS\SYSTEM\KERNEL32.DLL

C:\WINDOWS\SYSTEM\MSGSRV32.EXE

C:\WINDOWS\SYSTEM\MPREXE.EXE

C:\WINDOWS\SYSTEM\mmtask.tsk

C:\WINDOWS\SYSTEM\MSTASK.EXE

C:\OFFICE51\SOINTGR.EXE

C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE

C:\PROGRAM FILES\GRISOFT\AVG6\AVGSERV9.EXE

C:\WINDOWS\EXPLORER.EXE

C:\WINDOWS\TASKMON.EXE

C:\WINDOWS\SYSTEM\SYSTRAY.EXE

C:\PROGRAM FILES\EASY KEYBOARD\EASYKEY.EXE

C:\PROGRAM FILES\WINAMP\WINAMPA.EXE

C:\PROGRAM FILES\HP CD-WRITER\DIRECTCD\DIRECTCD.EXE

C:\PROGRAM FILES\HP CD-WRITER\MMENU\HPCDTRAY.EXE

C:\WINDOWS\LOADQM.EXE

C:\WINDOWS\SYSTEM\ICSMGR.EXE

C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE

C:\WINDOWS\SYSTEM\QTTASK.EXE

C:\WINDOWS\SYSTEM\STIMON.EXE

C:\PROGRAM FILES\PESTPATROL\PPCONTROL.EXE

C:\PROGRAM FILES\PESTPATROL\PPMEMCHECK.EXE

C:\PROGRAM FILES\PESTPATROL\COOKIEPATROL.EXE

C:\PROGRAM FILES\GRISOFT\AVG6\AVGCC32.EXE

C:\PROGRAM FILES\TROJANHUNTER 3.9\THGUARD.EXE

C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZONEALARM.EXE

C:\PROGRAM FILES\3M\PSN2LITE\PSN2LITE.EXE

C:\WINDOWS\SYSTEM\DDHELP.EXE

C:\WINDOWS\SYSTEM\WMIEXE.EXE

C:\PROGRAM FILES\3M\PSN2LITE\PSNGIVE.EXE

C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\NETSCAPE.EXE

C:\WINDOWS\SYSTEM\SPOOL32.EXE

C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE

C:\WINDOWS\DESKTOP\MP3\HIJACKTHIS.EXE



R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.searchmeup.net

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by AT&T Canada

N1 - Netscape 4: user_pref("browser.startup.homepage", "http://66.40.16.232/hy/"); (C:\Program Files\Netscape\Users\default\prefs.js)

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX

O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun

O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe

O4 - HKLM\..\Run: [SystemTray] systray.exe

O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme

O4 - HKLM\..\Run: [SBWatchDog.EXE] C:\WINDOWS\SYSTEM\SBUtils\SBWatchDog.EXE /l

O4 - HKLM\..\Run: [ATIGART] c:\ati\gart\atigart.exe

O4 - HKLM\..\Run: [AtiCwd32] Aticwd32.exe

O4 - HKLM\..\Run: [AtiQiPcl] AtiQiPcl.exe

O4 - HKLM\..\Run: [SO5 Integrator Pass Two] C:\OFFICE51\SOINTGR.EXE

O4 - HKLM\..\Run: [Easykey] easykey.exe

O4 - HKLM\..\Run: [WinampAgent] "C:\PROGRAM FILES\WINAMP\WINAMPa.exe"

O4 - HKLM\..\Run: [Adaptec DirectCD] C:\PROGRA~1\HPCD-W~1\DIRECTCD\DIRECTCD.EXE

O4 - HKLM\..\Run: [HP CD-Writer] C:\Program Files\HP CD-Writer\Mmenu\hpcdtray.exe

O4 - HKLM\..\Run: [LoadQM] loadqm.exe

O4 - HKLM\..\Run: [ICSMGR] ICSMGR.EXE

O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot

O4 - HKLM\..\Run: [IncrediMail] C:\PROGRA~1\INCRED~1\bin\IncMail.exe /c

O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime

O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE

O4 - HKLM\..\Run: [PestPatrol Control Center] C:\PROGRA~1\PESTPA~1\PPControl.exe

O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe

O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe

O4 - HKLM\..\Run: [msci] C:\WINDOWS\TEMP\2004511222232_MCINFO.EXE /insfin

O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\GRISOFT\AVG6\avgcc32.exe /STARTUP

O4 - HKLM\..\Run: [THGuard] "C:\PROGRAM FILES\TROJANHUNTER 3.9\THGUARD.EXE"

O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme

O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe

O4 - HKLM\..\RunServices: [SO5 Integrator Pass One] C:\OFFICE51\SOINTGR.EXE

O4 - HKLM\..\RunServices: [MiniLog] C:\WINDOWS\SYSTEM\ZONELABS\MINILOG.EXE -service

O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service

O4 - HKLM\..\RunServices: [Avgserv9.exe] C:\PROGRA~1\GRISOFT\AVG6\Avgserv9.exe

O4 - HKLM\..\RunOnce: [Registering itss.dll..] c:\windows\SYSTEM\regsvr32 /s itss.dll

O4 - HKCU\..\Run: [ssgrate.exe] C:\WINDOWS\SYSTEM\SYSTEM.EXE

O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O4 - Startup: Post-itŪ Software Notes Lite.lnk = C:\Program Files\3M\PSN2Lite\Psn2Lite.exe

O4 - Global Startup: ZoneAlarm.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe

O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm

O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll

O12 - Plugin for .txt: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll

O16 - DPF: {2253F320-AB68-4A07-917D-4F12D8884A06} (ChainCast VMR Client Proxy) - http://64.124.45.181/downloads/ccpm_0237.cab

O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/sh...1/mcinsctl.cab

O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/sh...19/mcgdmgr.cab
Reply With Quote
  #2  
Old July 30th, 2004, 09:27 AM
tb525 tb525 is offline
Malware Removal Team Advisor
 
Join Date: Sep 2002
O/S: Windows 7 32-bit
Posts: 3,151
Hi Golden.boy, Welcome to CTH.

Run HT again and check the following items. Doublecheck so as to be sure not to miss one.
Next, close all browser Windows, and have HT 'fix checked'.

You Must restart your computer when you're done.

O4 - HKLM\..\Run: [msci] C:\WINDOWS\TEMP\2004511222232_MCINFO.EXE /insfin

O4 - HKCU\..\Run: [ssgrate.exe] C:\WINDOWS\SYSTEM\SYSTEM.EXE

After restarting delete the following:

C:\WINDOWS\SYSTEM\SYSTEM.EXE

Delete the contents of C:\WINDOWS\TEMP
Reply With Quote
  #3  
Old July 30th, 2004, 04:08 PM
Golden.boy Golden.boy is offline
New Member
 
Join Date: Jul 2004
Posts: 12
Half-way there...

Thanks tb525,

So I did as you said but came up with a few probs:

1) I couldn't find the system.exe file (even after "show all files")

2) I deleted all *.tmp files and all files in my C:\WINDOWS\TEMP folder, but couldn't delete ZLT07243.TMP and ~DF437E.TMP. I dunno what to do about these. [I also left all the files in my recycle bin for now, just in case you tell me I did something wrong! ]

3) I thought I had deleted mcafee a long time ago, but the 016 - DPF string of the HT log seems to show me otherwise.

4) Here's the new HT log.

Thanks in advance!!!!

-Golden.boy

Logfile of HijackThis v1.98.0
Scan saved at 11:56:39 AM, on 7/30/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\OFFICE51\SOINTGR.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\PROGRAM FILES\GRISOFT\AVG6\AVGSERV9.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\EASY KEYBOARD\EASYKEY.EXE
C:\PROGRAM FILES\WINAMP\WINAMPA.EXE
C:\PROGRAM FILES\HP CD-WRITER\DIRECTCD\DIRECTCD.EXE
C:\PROGRAM FILES\HP CD-WRITER\MMENU\HPCDTRAY.EXE
C:\WINDOWS\LOADQM.EXE
C:\WINDOWS\SYSTEM\ICSMGR.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\PESTPATROL\PPCONTROL.EXE
C:\PROGRAM FILES\PESTPATROL\PPMEMCHECK.EXE
C:\PROGRAM FILES\PESTPATROL\COOKIEPATROL.EXE
C:\PROGRAM FILES\GRISOFT\AVG6\AVGCC32.EXE
C:\PROGRAM FILES\TROJANHUNTER 3.9\THGUARD.EXE
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZONEALARM.EXE
C:\PROGRAM FILES\3M\PSN2LITE\PSN2LITE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\3M\PSN2LITE\PSNGIVE.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\DESKTOP\MP3\HIJACKTHIS.EXE
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.searchmeup.net
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by AT&T Canada
N1 - Netscape 4: user_pref("browser.startup.homepage", "http://66.40.16.232/hy/"); (C:\Program Files\Netscape\Users\default\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] systray.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [SBWatchDog.EXE] C:\WINDOWS\SYSTEM\SBUtils\SBWatchDog.EXE /l
O4 - HKLM\..\Run: [ATIGART] c:\ati\gart\atigart.exe
O4 - HKLM\..\Run: [AtiCwd32] Aticwd32.exe
O4 - HKLM\..\Run: [AtiQiPcl] AtiQiPcl.exe
O4 - HKLM\..\Run: [SO5 Integrator Pass Two] C:\OFFICE51\SOINTGR.EXE
O4 - HKLM\..\Run: [Easykey] easykey.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\PROGRAM FILES\WINAMP\WINAMPa.exe"
O4 - HKLM\..\Run: [Adaptec DirectCD] C:\PROGRA~1\HPCD-W~1\DIRECTCD\DIRECTCD.EXE
O4 - HKLM\..\Run: [HP CD-Writer] C:\Program Files\HP CD-Writer\Mmenu\hpcdtray.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [ICSMGR] ICSMGR.EXE
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot
O4 - HKLM\..\Run: [IncrediMail] C:\PROGRA~1\INCRED~1\bin\IncMail.exe /c
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [PestPatrol Control Center] C:\PROGRA~1\PESTPA~1\PPControl.exe
O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\GRISOFT\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [THGuard] "C:\PROGRAM FILES\TROJANHUNTER 3.9\THGUARD.EXE"
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SO5 Integrator Pass One] C:\OFFICE51\SOINTGR.EXE
O4 - HKLM\..\RunServices: [MiniLog] C:\WINDOWS\SYSTEM\ZONELABS\MINILOG.EXE -service
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - HKLM\..\RunServices: [Avgserv9.exe] C:\PROGRA~1\GRISOFT\AVG6\Avgserv9.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: Post-itŪ Software Notes Lite.lnk = C:\Program Files\3M\PSN2Lite\Psn2Lite.exe
O4 - Global Startup: ZoneAlarm.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O12 - Plugin for .txt: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
O16 - DPF: {2253F320-AB68-4A07-917D-4F12D8884A06} (ChainCast VMR Client Proxy) - http://64.124.45.181/downloads/ccpm_0237.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/sh...1/mcinsctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/sh...19/mcgdmgr.cab
Reply With Quote
  #4  
Old July 30th, 2004, 04:15 PM
tb525 tb525 is offline
Malware Removal Team Advisor
 
Join Date: Sep 2002
O/S: Windows 7 32-bit
Posts: 3,151
Quote:
I deleted all *.tmp files and all files in my C:\WINDOWS\TEMP folder, but couldn't delete ZLT07243.TMP and ~DF437E.TMP. I dunno what to do about these.
Those files are OK one is from Zone Alarm the other is from the pop up stopper..

Empty the recycle bin. You can also remove those McAfee 016-DPF entries with HijackThis if you wish.

Also run HijackThis and fix this entry:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.searchmeup.net
Reply With Quote
  #5  
Old August 2nd, 2004, 03:36 PM
Golden.boy Golden.boy is offline
New Member
 
Join Date: Jul 2004
Posts: 12
Probs....

Hey!

Ok, so I turned my computer on today and couldn't open internet explorer or KMD without getting that white popup that says "a prob has occurred and you will lose any unsaved info - cancel/ignore." So I rebooted, restored my registry, and restored all the files in my recycle bin. So, I guess I'm back at square one!!!

I have no idea why this happened, must've been something I deleted.

So.... what should I do differently this time to avoid the same from occurring?

Thanks,

--Golden.boy
Reply With Quote
  #6  
Old August 3rd, 2004, 09:16 AM
tb525 tb525 is offline
Malware Removal Team Advisor
 
Join Date: Sep 2002
O/S: Windows 7 32-bit
Posts: 3,151
Was this the first time you shut the machine down since removing those items? Removing should not have had any effect on the machine.

Run HijackThis and post the log.
Reply With Quote
  #7  
Old August 3rd, 2004, 10:07 PM
Golden.boy Golden.boy is offline
New Member
 
Join Date: Jul 2004
Posts: 12
Ok, here goes...
1) To answer your question, it was the first shut down since removing those items.
2) I "played" around a little on my own and found out that my AVG was scanning the trojan from within my PestPatrol quarantine. So (probably unnecessary, but) I restored from quarantine and healed it with AVG, and now I believe the trojan is gone (I checked with PestPatrol, Ad-aware, AVG). Here's my HT log, whaddya think !!

ps. Thanks for all the help!!

Logfile of HijackThis v1.98.0

Scan saved at 6:09:17 PM, on 8/3/04

Platform: Windows 98 SE (Win9x 4.10.2222A)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)



Running processes:

C:\WINDOWS\SYSTEM\KERNEL32.DLL

C:\WINDOWS\SYSTEM\MSGSRV32.EXE

C:\WINDOWS\SYSTEM\MPREXE.EXE

C:\WINDOWS\SYSTEM\mmtask.tsk

C:\WINDOWS\SYSTEM\MSTASK.EXE

C:\OFFICE51\SOINTGR.EXE

C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE

C:\PROGRAM FILES\GRISOFT\AVG6\AVGSERV9.EXE

C:\WINDOWS\EXPLORER.EXE

C:\WINDOWS\TASKMON.EXE

C:\WINDOWS\SYSTEM\SYSTRAY.EXE

C:\PROGRAM FILES\EASY KEYBOARD\EASYKEY.EXE

C:\PROGRAM FILES\WINAMP\WINAMPA.EXE

C:\PROGRAM FILES\HP CD-WRITER\DIRECTCD\DIRECTCD.EXE

C:\PROGRAM FILES\HP CD-WRITER\MMENU\HPCDTRAY.EXE

C:\WINDOWS\LOADQM.EXE

C:\WINDOWS\SYSTEM\ICSMGR.EXE

C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE

C:\WINDOWS\SYSTEM\QTTASK.EXE

C:\WINDOWS\SYSTEM\STIMON.EXE

C:\PROGRAM FILES\PESTPATROL\PPCONTROL.EXE

C:\PROGRAM FILES\PESTPATROL\PPMEMCHECK.EXE

C:\PROGRAM FILES\PESTPATROL\COOKIEPATROL.EXE

C:\PROGRAM FILES\GRISOFT\AVG6\AVGCC32.EXE

C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZONEALARM.EXE

C:\PROGRAM FILES\3M\PSN2LITE\PSN2LITE.EXE

C:\WINDOWS\SYSTEM\DDHELP.EXE

C:\WINDOWS\SYSTEM\WMIEXE.EXE

C:\PROGRAM FILES\3M\PSN2LITE\PSNGIVE.EXE

C:\WINDOWS\SYSTEM\SPOOL32.EXE

C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE

C:\WINDOWS\DESKTOP\MP3\HIJACKTHIS.EXE



R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by AT&T Canada

N1 - Netscape 4: user_pref("browser.startup.homepage", "http://66.40.16.232/hy/"); (C:\Program Files\Netscape\Users\default\prefs.js)

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX

O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun

O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe

O4 - HKLM\..\Run: [SystemTray] systray.exe

O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme

O4 - HKLM\..\Run: [SBWatchDog.EXE] C:\WINDOWS\SYSTEM\SBUtils\SBWatchDog.EXE /l

O4 - HKLM\..\Run: [ATIGART] c:\ati\gart\atigart.exe

O4 - HKLM\..\Run: [AtiCwd32] Aticwd32.exe

O4 - HKLM\..\Run: [AtiQiPcl] AtiQiPcl.exe

O4 - HKLM\..\Run: [SO5 Integrator Pass Two] C:\OFFICE51\SOINTGR.EXE

O4 - HKLM\..\Run: [Easykey] easykey.exe

O4 - HKLM\..\Run: [WinampAgent] "C:\PROGRAM FILES\WINAMP\WINAMPa.exe"

O4 - HKLM\..\Run: [Adaptec DirectCD] C:\PROGRA~1\HPCD-W~1\DIRECTCD\DIRECTCD.EXE

O4 - HKLM\..\Run: [HP CD-Writer] C:\Program Files\HP CD-Writer\Mmenu\hpcdtray.exe

O4 - HKLM\..\Run: [LoadQM] loadqm.exe

O4 - HKLM\..\Run: [ICSMGR] ICSMGR.EXE

O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot

O4 - HKLM\..\Run: [IncrediMail] C:\PROGRA~1\INCRED~1\bin\IncMail.exe /c

O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime

O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE

O4 - HKLM\..\Run: [PestPatrol Control Center] C:\PROGRA~1\PESTPA~1\PPControl.exe

O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe

O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe

O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\GRISOFT\AVG6\avgcc32.exe /STARTUP

O4 - HKLM\..\Run: [msci] C:\WINDOWS\TEMP\2004511222232_MCINFO.EXE /insfin

O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme

O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe

O4 - HKLM\..\RunServices: [SO5 Integrator Pass One] C:\OFFICE51\SOINTGR.EXE

O4 - HKLM\..\RunServices: [MiniLog] C:\WINDOWS\SYSTEM\ZONELABS\MINILOG.EXE -service

O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service

O4 - HKLM\..\RunServices: [Avgserv9.exe] C:\PROGRA~1\GRISOFT\AVG6\Avgserv9.exe

O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O4 - Startup: Post-itŪ Software Notes Lite.lnk = C:\Program Files\3M\PSN2Lite\Psn2Lite.exe

O4 - Global Startup: ZoneAlarm.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe

O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm

O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll

O12 - Plugin for .txt: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll

O16 - DPF: {2253F320-AB68-4A07-917D-4F12D8884A06} (ChainCast VMR Client Proxy) - http://64.124.45.181/downloads/ccpm_0237.cab

Reply With Quote
  #8  
Old August 3rd, 2004, 11:26 PM
tb525 tb525 is offline
Malware Removal Team Advisor
 
Join Date: Sep 2002
O/S: Windows 7 32-bit
Posts: 3,151
Go here and upload the following file and scan it. Copy the result and paste it in a reply
C:\WINDOWS\TEMP\2004511222232_MCINFO.EXE

http://www.kaspersky.com/scanforvirus
Reply With Quote
  #9  
Old August 4th, 2004, 01:50 AM
Golden.boy Golden.boy is offline
New Member
 
Join Date: Jul 2004
Posts: 12
Ok...I feel like an idiot cuz I've spent the last 20 mins searching for a file that doesn't appear to exist. I cannot find a 2004511222232_MCINFO.EXE file in my c:\windows\temp folder. I've even allowed "show all files." I must be missing something.....
Reply With Quote
  #10  
Old August 4th, 2004, 02:31 AM
tb525 tb525 is offline
Malware Removal Team Advisor
 
Join Date: Sep 2002
O/S: Windows 7 32-bit
Posts: 3,151
OK, Run HijackThis again and fix the following entry and reboot:

O4 - HKLM\..\Run: [msci] C:\WINDOWS\TEMP\2004511222232_MCINFO.EXE /insfin
Reply With Quote
  #11  
Old August 4th, 2004, 04:57 PM
Golden.boy Golden.boy is offline
New Member
 
Join Date: Jul 2004
Posts: 12
Alrighty, that's done and here's the HT! Soooo this is what spring cleaning feels like!


Logfile of HijackThis v1.98.0

Scan saved at 12:55:29 PM, on 8/4/04

Platform: Windows 98 SE (Win9x 4.10.2222A)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)



Running processes:

C:\WINDOWS\SYSTEM\KERNEL32.DLL

C:\WINDOWS\SYSTEM\MSGSRV32.EXE

C:\WINDOWS\SYSTEM\MPREXE.EXE

C:\WINDOWS\SYSTEM\mmtask.tsk

C:\WINDOWS\SYSTEM\MSTASK.EXE

C:\OFFICE51\SOINTGR.EXE

C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE

C:\PROGRAM FILES\GRISOFT\AVG6\AVGSERV9.EXE

C:\WINDOWS\EXPLORER.EXE

C:\WINDOWS\TASKMON.EXE

C:\WINDOWS\SYSTEM\SYSTRAY.EXE

C:\PROGRAM FILES\EASY KEYBOARD\EASYKEY.EXE

C:\PROGRAM FILES\WINAMP\WINAMPA.EXE

C:\PROGRAM FILES\HP CD-WRITER\DIRECTCD\DIRECTCD.EXE

C:\PROGRAM FILES\HP CD-WRITER\MMENU\HPCDTRAY.EXE

C:\WINDOWS\LOADQM.EXE

C:\WINDOWS\SYSTEM\ICSMGR.EXE

C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE

C:\WINDOWS\SYSTEM\STIMON.EXE

C:\PROGRAM FILES\PESTPATROL\PPCONTROL.EXE

C:\PROGRAM FILES\PESTPATROL\PPMEMCHECK.EXE

C:\PROGRAM FILES\PESTPATROL\COOKIEPATROL.EXE

C:\PROGRAM FILES\GRISOFT\AVG6\AVGCC32.EXE

C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZONEALARM.EXE

C:\PROGRAM FILES\3M\PSN2LITE\PSN2LITE.EXE

C:\WINDOWS\SYSTEM\WMIEXE.EXE

C:\PROGRAM FILES\3M\PSN2LITE\PSNGIVE.EXE

C:\WINDOWS\SYSTEM\DDHELP.EXE

C:\WINDOWS\DESKTOP\MP3\HIJACKTHIS.EXE



R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by AT&T Canada

N1 - Netscape 4: user_pref("browser.startup.homepage", "http://66.40.16.232/hy/"); (C:\Program Files\Netscape\Users\default\prefs.js)

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX

O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun

O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe

O4 - HKLM\..\Run: [SystemTray] systray.exe

O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme

O4 - HKLM\..\Run: [SBWatchDog.EXE] C:\WINDOWS\SYSTEM\SBUtils\SBWatchDog.EXE /l

O4 - HKLM\..\Run: [ATIGART] c:\ati\gart\atigart.exe

O4 - HKLM\..\Run: [AtiCwd32] Aticwd32.exe

O4 - HKLM\..\Run: [AtiQiPcl] AtiQiPcl.exe

O4 - HKLM\..\Run: [SO5 Integrator Pass Two] C:\OFFICE51\SOINTGR.EXE

O4 - HKLM\..\Run: [Easykey] easykey.exe

O4 - HKLM\..\Run: [WinampAgent] "C:\PROGRAM FILES\WINAMP\WINAMPa.exe"

O4 - HKLM\..\Run: [Adaptec DirectCD] C:\PROGRA~1\HPCD-W~1\DIRECTCD\DIRECTCD.EXE

O4 - HKLM\..\Run: [HP CD-Writer] C:\Program Files\HP CD-Writer\Mmenu\hpcdtray.exe

O4 - HKLM\..\Run: [LoadQM] loadqm.exe

O4 - HKLM\..\Run: [ICSMGR] ICSMGR.EXE

O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot

O4 - HKLM\..\Run: [IncrediMail] C:\PROGRA~1\INCRED~1\bin\IncMail.exe /c

O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime

O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE

O4 - HKLM\..\Run: [PestPatrol Control Center] C:\PROGRA~1\PESTPA~1\PPControl.exe

O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe

O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe

O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\GRISOFT\AVG6\avgcc32.exe /STARTUP

O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme

O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe

O4 - HKLM\..\RunServices: [SO5 Integrator Pass One] C:\OFFICE51\SOINTGR.EXE

O4 - HKLM\..\RunServices: [MiniLog] C:\WINDOWS\SYSTEM\ZONELABS\MINILOG.EXE -service

O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service

O4 - HKLM\..\RunServices: [Avgserv9.exe] C:\PROGRA~1\GRISOFT\AVG6\Avgserv9.exe

O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O4 - Startup: Post-itŪ Software Notes Lite.lnk = C:\Program Files\3M\PSN2Lite\Psn2Lite.exe

O4 - Global Startup: ZoneAlarm.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe

O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm

O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll

O12 - Plugin for .txt: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll

O16 - DPF: {2253F320-AB68-4A07-917D-4F12D8884A06} (ChainCast VMR Client Proxy) - http://64.124.45.181/downloads/ccpm_0237.cab
Reply With Quote
  #12  
Old August 4th, 2004, 07:30 PM
tb525 tb525 is offline
Malware Removal Team Advisor
 
Join Date: Sep 2002
O/S: Windows 7 32-bit
Posts: 3,151
Your clean..
Reply With Quote
  #13  
Old August 6th, 2004, 03:43 AM
Golden.boy Golden.boy is offline
New Member
 
Join Date: Jul 2004
Posts: 12
Thanks again......couldn't have done it without ya!!
Reply With Quote
Reply

Bookmarks

Topic Tools

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump

Similar Topics
Topic Topic Starter Forum Replies Last Post
Proxy guptabio Windows 10 20 February 20th, 2021 01:32 PM
Proxy Error with No Proxy Server Set hooplek Malware Removal 19 May 22nd, 2014 11:07 PM
Proxy For My Proxy/Firewall.. mugsy27 Networking 0 July 15th, 2005 11:17 PM
Windows proxy-WIERD!!, KazaaLite or Limewire w/ proxy Cronodude360 Internet / Browsers 0 September 13th, 2004 09:40 PM
Proxy Mazen Networking 5 June 8th, 2004 07:56 PM


All times are GMT +1. The time now is 01:58 PM.