Trojan horse PSW.Generic3.tx


  • This topic is locked
21 replies to this topic

#1 thewolfe (New Member, 12 posts)

Posted 06 February 2007 - 11:08 AM

Logfile of HijackThis v1.99.1
Scan saved at 8:42:58 AM, on 2/6/2007
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\WINDOWS\SYSTEM\R_SERVER.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\SYMANTEC\NORTON GHOST 2003\GHOSTSTARTSERVICE.EXE
C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER FREE EDITION\PSFREE.EXE
C:\PROGRAM FILES\TIMERC\TIMERC3.EXE
C:\WINDOWS\START MENU\PROGRAMS\STARTUP\TITIME.EXE
E:\1VIRUS & SECURITY STUFF\HIJACKTHIS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://us.f905.mail....e...&y5beta=yes
F1 - win.ini: run=hpfsched
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [CompaqPrinTray] PrinTray.exe
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [WinPatrol] "C:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [r_server] C:\WINDOWS\SYSTEM\R_SERVER.EXE /service
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\RunServices: [GhostStartService] C:\PROGRAM FILES\SYMANTEC\NORTON GHOST 2003\GHOSTSTARTSERVICE.EXE
O4 - HKLM\..\RunServices: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakLogon
O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER FREE EDITION\PSFREE.EXE"
O4 - Startup: TimeRC 3.0.lnk = C:\Program Files\TimeRC\TimeRC3.exe
O4 - Startup: TiTime.exe
O8 - Extra context menu item: Atomica... - file:C:\PROGRA~1\ATOMICA\ATOMIC~1\Html\griemenu.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRAM FILES\JAVA\JRE1.5.0_10\BIN\SSV.DLL
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRAM FILES\JAVA\JRE1.5.0_10\BIN\SSV.DLL
O14 - IERESET.INF: START_PAGE_URL=http://www.e4me.com/start.html
O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - http://download.toon...5.37/ttinst.cab
O16 - DPF: {C9E2242D-DC05-4C54-9483-A5C90653F7BC} (SFClientControl Object) - https://skyfex.net/C...SFClientPro.cab
O16 - DPF: {7238A364-D686-4A88-B1AF-1223D6E9497A} (SFClientFree Object) - https://skyfexfree.n.../ClientFree.cab


#2 dan12 (Advanced Member, 998 posts)

Posted 06 February 2007 - 11:31 AM

Hi thewolfe, and welcome to Tom Coyote forums.

I am currently looking over your log. As I am an Undergraduate, everything that I post to you must be checked by an Admin or Moderator. Thus, there may be a tiny bit of a delay between posts, but it shouldn't be too long. I will post back shortly with a potential fix.

Thanks for your patience!
dan

#3 dan12 (Advanced Member, 998 posts)

Posted 06 February 2007 - 04:40 PM

Hi thewolfe

Could you clear this point up for me, did you Install this remote admin software?
O4 - HKLM\..\RunServices: [r_server] C:\WINDOWS\SYSTEM\R_SERVER.EXE /service

I can't see that you are running a firewall!
This should suit your system's needs for a firewall: Sygate Personal Firewall
Please note that you only need one antivirus and one firewall running on your system.

I cannot stress enough how important it is that you use a firewall on your computer - even if you are behind a hardware firewall, such as a router.
For an excellent article on firewalls, why you should use one and some of those available, see Computer Safety On line - Software Firewalls.
_____________


Not seeing a lot in your log, will have a deeper look with some scans.

*NOTE* CCleaner deletes EVERYTHING out of temp/temporary folders. If you have anything in a temp folder, back it up or move it to a permanent folder prior to running CCleaner!

Download CCleaner from here to clean temp files from your computer.
  • Double click on the file to start the installation of the program.
  • Select your language and click OK, then next.
  • Read the license agreement and click I Agree.
  • Click next to use the default install location. Click Install then finish to complete installation.
  • Double click the CCleaner shortcut on the desktop to start the program.
  • On the "Windows" tab, under "Internet Explorer," uncheck "Cookies" if you do not want them deleted. (If deleted, you will likely need to reenter your passwords at all sites where a cookie is used to recognize you when you visit).
  • If you use either the Firefox or Mozilla browsers, the box to uncheck for "Cookies" is on the Applications tab, under Firefox/Mozilla.
  • Click on the "Options" icon at the left side of the window, then click on "Advanced" and deselect "Only delete files in Windows Temp folders older than 48 hours."
  • Click on the "Cleaner" icon on the left side of the window, then click Run Cleaner to run the program.
  • Caution: It is not recommended that you use the "Issues" feature unless you are very familiar with the registry as it has been known to find legitimate items.
  • After CCleaner has completed its process, click Exit.


Now go to Panda active scan

Once you are on the Panda site click the Scan your PC button
  • A new window will open...click the Check Now button
  • Enter your Country
  • Enter your State/Province
  • Enter your e-mail address and click send
  • Select either Home User or Company
  • Click the big Scan Now button
  • If it wants to install an ActiveX component allow it
  • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
  • When download is complete, click on Local Disks to start the scan
  • When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location.
_________________

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system.
Please follow these steps to remove older Java components and update.

Updating Java:
  • Download the latest version of Java Runtime Environment (JRE) 6.
  • Scroll down to where it says " Java Runtime Environment (JRE) 6".
  • Click the "Download" button to the right.
  • Check the box that says: "Accept License Agreement".
  • The page will refresh.
  • Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on the download to install the newest version.
Please include the Panda scan and a new HJT log in your next post.
Thanks, dan
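The review above is done by reading the HijackThis log by eye: pull out the O4 autostart entries, compare each launcher against what is known, and ask about anything remote-control related. As an added example (not code from the thread or from the HijackThis project), here is a small Python parser for the v1.99 log format posted above that does the same mechanically: it extracts the running-process list and the O4 entries, resolves each entry to the program it launches, and flags the remote-administration service that dan12 asked about plus anything not on an allow-list. The allow-list is an assumption constructed for this example, not a vetted startup database, and the embedded sample log is a constructed subset of the log posted above.

```python
"""Added example (not code from the thread): parse a HijackThis v1.99 log and
flag autostart (O4) entries a reviewer would question."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample: a subset of the lines from the log posted above.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Platform: Windows ME (Win9x 4.90.3000)

Running processes:
C:\WINDOWS\SYSTEM\R_SERVER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\WINDOWS\START MENU\PROGRAMS\STARTUP\TITIME.EXE

F1 - win.ini: run=hpfsched
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [WinPatrol] "C:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\RunServices: [r_server] C:\WINDOWS\SYSTEM\R_SERVER.EXE /service
O4 - HKLM\..\RunServices: [GhostStartService] C:\PROGRAM FILES\SYMANTEC\NORTON GHOST 2003\GHOSTSTARTSERVICE.EXE
O4 - Startup: TimeRC 3.0.lnk = C:\Program Files\TimeRC\TimeRC3.exe
O4 - Startup: TiTime.exe
"""

ENTRY_RE = re.compile(r"^(?P<section>[RFNO]\d+) - (?P<body>.*)$")
# 'HKLM\..\Run: [Name] command'  or  'Startup: file.exe'
O4_RE = re.compile(r"^(?P<location>.+?): (?:\[(?P<name>[^\]]+)\] )?(?P<command>.*)$")
# First program path on a command line, even when an unquoted path contains spaces.
EXE_RE = re.compile(r'^(?P<path>.*?\.(?:exe|com|scr|bat|pif))(?:\s|$|")', re.IGNORECASE)


@dataclass
class Autostart:
    location: str           # 'HKLM\..\Run', 'HKLM\..\RunServices', 'Startup', ...
    name: Optional[str]     # registry value name; None for Startup-folder items
    command: str

    @property
    def executable(self) -> str:
        """Lower-cased file name of the launcher. For rundll32 entries the real
        payload is the DLL argument, which this simple view does not inspect."""
        cmd = self.command
        if " = " in cmd:                            # 'x.lnk = C:\path\x.exe'
            cmd = cmd.split(" = ", 1)[1]
        cmd = cmd.strip().lstrip('"')
        m = EXE_RE.match(cmd)
        path = m.group("path") if m else (cmd.split() or [""])[0]
        return path.rsplit("\\", 1)[-1].lower()


def entries(log: str) -> List[Tuple[str, str]]:
    """All 'Rn/Fn/On - ...' lines as (section, body) pairs."""
    found = [ENTRY_RE.match(l.strip()) for l in log.splitlines()]
    return [(m.group("section"), m.group("body")) for m in found if m]


def running_processes(log: str) -> List[str]:
    """Lower-cased file names listed under 'Running processes:'."""
    procs, collecting = [], False
    for line in (l.strip() for l in log.splitlines()):
        if line.lower() == "running processes:":
            collecting = True
        elif collecting and not line:
            break
        elif collecting:
            procs.append(line.rsplit("\\", 1)[-1].lower())
    return procs


def autostarts(log: str) -> List[Autostart]:
    items = []
    for section, body in entries(log):
        m = O4_RE.match(body) if section == "O4" else None
        if m:
            items.append(Autostart(m.group("location"), m.group("name"), m.group("command")))
    return items


# Illustrative allow-list (an assumption for this example, not a vetted startup
# database): launchers from the posted log that the thread treats as accounted for.
KNOWN_GOOD = {
    "systray.exe", "rundll32.exe", "taskmon.exe", "printray.exe", "winpatrol.exe",
    "avgcc.exe", "avgemc.exe", "avgamsvr.exe", "qttask.exe", "mstask.exe",
    "ssdpsrv.exe", "statemgr.exe", "stimon.exe", "ghoststartservice.exe",
    "kb891711.exe", "psfree.exe", "timerc3.exe",
}
# Remote-control services a reviewer always asks the owner about; the thread
# identifies r_server.exe as the Remote Administrator service.
REMOTE_ACCESS = {"r_server.exe"}


@dataclass
class Finding:
    entry: Autostart
    reason: str


def review(log: str) -> List[Finding]:
    running = set(running_processes(log))
    out = []
    for a in autostarts(log):
        exe = a.executable
        if exe in REMOTE_ACCESS:
            out.append(Finding(a, "remote-access service: confirm the owner installed it"))
        elif exe not in KNOWN_GOOD:
            state = "running" if exe in running else "not running"
            out.append(Finding(a, f"not on allow-list ({state}): identify before removing"))
    return out


if __name__ == "__main__":
    for f in review(SAMPLE_LOG):
        print(f"{f.entry.location} [{f.entry.name or 'shortcut'}] {f.entry.executable}: {f.reason}")
```

On the sample this reports two items: the r_server RunServices entry (which thewolfe later confirms is Remote Administrator and intended), and TiTime.exe from the Startup folder, which is simply not on the illustrative allow-list and needs identifying rather than removing. Matching a launcher against a list is only a first pass: a rundll32 entry is accounted for by its DLL argument, not by rundll32.exe itself, and a stale list will flag benign software, which is why the thread's helpers ask the owner before touching anything.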

#4 thewolfe (New Member, 12 posts)

Posted 06 February 2007 - 06:29 PM

The server is Remote Admin and that's ok. I'm using AVG, ZA and am behind a router. I'm running Panda now.

#5 thewolfe (New Member, 12 posts)

Posted 06 February 2007 - 06:50 PM

Incident Status Location

Spyware:Cookie/fe.lea.lycos Not disinfected C:\WINDOWS\Cookies\evan@fe.lea.lycos[1].txt
Spyware:Cookie/Santa Monica networks inc Not disinfected C:\WINDOWS\Cookies\evan@smni[1].txt
Spyware:Cookie/LinkExchange Not disinfected C:\WINDOWS\Cookies\default@linkexchange[1].txt
Spyware:Cookie/Preferences Not disinfected C:\WINDOWS\Cookies\default@preferences[1].txt
Spyware:Cookie/Go Not disinfected C:\WINDOWS\Cookies\default@go[1].txt
Spyware:Cookie/GoStats Not disinfected C:\WINDOWS\Cookies\evan@c2.gostats[3].txt
Spyware:Cookie/LinkExchange Not disinfected C:\WINDOWS\Cookies\evan@linkexchange[1].txt
Spyware:Cookie/web-stat Not disinfected C:\WINDOWS\Cookies\evan@www.web-stat[1].txt
Spyware:Cookie/Go Not disinfected C:\WINDOWS\Cookies\evan@go[1].txt
Spyware:Cookie/Go Not disinfected C:\WINDOWS\Cookies\evan@go[2].txt
Spyware:Cookie/Mediaplex Not disinfected C:\WINDOWS\Cookies\evan@mediaplex[1].txt
Spyware:Cookie/Go Not disinfected C:\WINDOWS\Cookies\louise@go[1].txt
Spyware:Cookie/Doubleclick Not disinfected C:\WINDOWS\Cookies\evan@doubleclick[1].txt
Spyware:Cookie/GoStats Not disinfected C:\WINDOWS\Cookies\evan@c2.gostats[4].txt
Spyware:Cookie/web-stat Not disinfected C:\WINDOWS\Cookies\evan@www.web-stat[3].txt
Spyware:Cookie/Com.com Not disinfected C:\WINDOWS\Cookies\evan@com[3].txt
Spyware:Cookie/Seeq Not disinfected C:\WINDOWS\Cookies\evan@www48.seeq[1].txt
Spyware:Cookie/Rn11 Not disinfected C:\WINDOWS\Cookies\evan@rn11[1].txt
Spyware:Cookie/Go Not disinfected C:\WINDOWS\Cookies\evan@go[3].txt
Spyware:Cookie/web-stat Not disinfected C:\WINDOWS\Cookies\evan@www.web-stat[2].txt
Spyware:Cookie/Affiliate fuel Not disinfected C:\WINDOWS\Cookies\evan@www.affiliatefuel[1].txt
Spyware:Cookie/Go Not disinfected C:\WINDOWS\Cookies\evan@go[4].txt
Spyware:Cookie/Santa Monica networks inc Not disinfected C:\WINDOWS\Cookies\evan@smni[2].txt
Spyware:Cookie/YieldManager Not disinfected C:\WINDOWS\Cookies\evan@ad.yieldmanager[1].txt
Spyware:Cookie/Atlas DMT Not disinfected C:\WINDOWS\Cookies\evan@atdmt[2].txt
Spyware:Cookie/Buzztone Not disinfected C:\WINDOWS\Cookies\evan@www.buzztone[2].txt
Spyware:Cookie/myaffiliateprogram Not disinfected C:\WINDOWS\Cookies\evan@www.myaffiliateprogram[2].txt
Spyware:Cookie/Advertising Not disinfected C:\WINDOWS\Cookies\evan@advertising[2].txt
Spyware:Cookie/Go Not disinfected C:\WINDOWS\Cookies\evan@go[6].txt
Spyware:Cookie/Belnk Not disinfected C:\WINDOWS\Cookies\evan@dist.belnk[3].txt
Spyware:Cookie/Mp3s Hits Not disinfected C:\WINDOWS\Cookies\evan@www.mp3shits[1].txt
Spyware:Cookie/Target Not disinfected C:\WINDOWS\Cookies\evan@target[1].txt
Spyware:Cookie/Target Not disinfected C:\WINDOWS\Cookies\evan@target[4].txt
Spyware:Cookie/Gorillanation Not disinfected C:\WINDOWS\Cookies\evan@ads.gorillanation[1].txt
Spyware:Cookie/Xiti Not disinfected C:\WINDOWS\Cookies\evan@xiti[1].txt
Spyware:Cookie/Buzztone Not disinfected C:\WINDOWS\Cookies\evan@www.buzztone[1].txt
Spyware:Cookie/Xmts Not disinfected C:\WINDOWS\Cookies\evan@xmts[1].txt
Spyware:Cookie/did-it Not disinfected C:\WINDOWS\Cookies\evan@did-it[2].txt
Spyware:Cookie/myaffiliateprogram Not disinfected C:\WINDOWS\Cookies\evan@www.myaffiliateprogram[3].txt
Spyware:Cookie/Rn11 Not disinfected C:\WINDOWS\Cookies\evan@rn11[3].txt
Spyware:Cookie/Go Not disinfected C:\WINDOWS\Cookies\evan@go[5].txt
Spyware:Cookie/Go Not disinfected C:\WINDOWS\Cookies\evan@go[11].txt
Spyware:Cookie/myaffiliateprogram Not disinfected C:\WINDOWS\Cookies\evan@www.myaffiliateprogram[1].txt
Spyware:Cookie/Belnk Not disinfected C:\WINDOWS\Cookies\evan@ath.belnk[1].txt
Spyware:Cookie/Belnk Not disinfected C:\WINDOWS\Cookies\evan@belnk[3].txt
Spyware:Cookie/Belnk Not disinfected C:\WINDOWS\Cookies\evan@dist.belnk[4].txt
Spyware:Cookie/360i Not disinfected C:\WINDOWS\Cookies\evan@ct.360i[1].txt
Spyware:Cookie/Enhance Not disinfected C:\WINDOWS\Cookies\evan@c.enhance[1].txt
Spyware:Cookie/Target Not disinfected C:\WINDOWS\Cookies\evan@target[2].txt
Spyware:Cookie/GoStats Not disinfected C:\WINDOWS\Cookies\evan@c2.gostats[2].txt
Spyware:Cookie/BurstBeacon Not disinfected C:\WINDOWS\Cookies\evan@www.burstbeacon[2].txt
Spyware:Cookie/Go Not disinfected C:\WINDOWS\Cookies\evan@go[7].txt
Spyware:Cookie/Rightmedia Not disinfected C:\WINDOWS\Cookies\evan@rightmedia[1].txt
Spyware:Cookie/myaffiliateprogram Not disinfected C:\WINDOWS\Cookies\evan@www.myaffiliateprogram[4].txt
Spyware:Cookie/fe.lea.lycos Not disinfected C:\WINDOWS\Cookies\evan@fe.lea.lycos[2].txt
Spyware:Cookie/360i Not disinfected C:\WINDOWS\Cookies\louise@ct.360i[1].txt
Spyware:Cookie/Go Not disinfected C:\WINDOWS\Cookies\evan@go[10].txt
Spyware:Cookie/web-stat Not disinfected C:\WINDOWS\Cookies\evan@www.web-stat[4].txt
Spyware:Cookie/BurstBeacon Not disinfected C:\WINDOWS\Cookies\evan@www.burstbeacon[3].txt
Spyware:Cookie/Com.com Not disinfected C:\WINDOWS\Cookies\evan@com[2].txt
Spyware:Cookie/myaffiliateprogram Not disinfected C:\WINDOWS\Cookies\evan@www.myaffiliateprogram[5].txt
Spyware:Cookie/Buydomains Not disinfected C:\WINDOWS\Cookies\evan@www47.buydomains[1].txt
Spyware:Cookie/Atwola Not disinfected C:\WINDOWS\Cookies\evan@atwola[1].txt
Spyware:Cookie/SpywareStormer Not disinfected C:\WINDOWS\Cookies\evan@spywarestormer[1].txt
Spyware:Cookie/Belnk Not disinfected C:\WINDOWS\Cookies\evan@dist.belnk[2].txt
Spyware:Cookie/BurstNet Not disinfected C:\WINDOWS\Cookies\evan@burstnet[1].txt
Spyware:Cookie/Go Not disinfected C:\WINDOWS\Cookies\evan@go[8].txt
Spyware:Cookie/Belnk Not disinfected C:\WINDOWS\Cookies\louise@dist.belnk[1].txt
Spyware:Cookie/BurstBeacon Not disinfected C:\WINDOWS\Cookies\evan@www.burstbeacon[1].txt
Spyware:Cookie/SpywareStormer Not disinfected C:\WINDOWS\Cookies\evan@spywarestormer[2].txt
Spyware:Cookie/Belnk Not disinfected C:\WINDOWS\Cookies\louise@belnk[2].txt
Spyware:Cookie/Belnk Not disinfected C:\WINDOWS\Cookies\louise@ath.belnk[1].txt
Spyware:Cookie/BurstNet Not disinfected C:\WINDOWS\Cookies\louise@burstnet[2].txt
Spyware:Cookie/Screensavers Not disinfected C:\WINDOWS\Cookies\louise@i.screensavers[1].txt
Spyware:Cookie/myaffiliateprogram Not disinfected C:\WINDOWS\Cookies\louise@www.myaffiliateprogram[1].txt
Spyware:Cookie/BurstBeacon Not disinfected C:\WINDOWS\Cookies\louise@www.burstbeacon[2].txt
Spyware:Cookie/Entrepreneur Not disinfected C:\WINDOWS\Cookies\louise@entrepreneur[1].txt
Spyware:Cookie/GoStats Not disinfected C:\WINDOWS\Cookies\louise@gostats[2].txt
Spyware:Cookie/SpywareStormer Not disinfected C:\WINDOWS\Cookies\louise@spywarestormer[2].txt
Spyware:Cookie/Xiti Not disinfected C:\WINDOWS\Cookies\louise@xiti[1].txt
Spyware:Cookie/Target Not disinfected C:\WINDOWS\Cookies\louise@target[2].txt
Spyware:Cookie/web-stat Not disinfected C:\WINDOWS\Cookies\louise@www.web-stat[2].txt
Spyware:Cookie/Rn11 Not disinfected C:\WINDOWS\Cookies\louise@rn11[2].txt
Spyware:Cookie/WinFixer Not disinfected C:\WINDOWS\Cookies\louise@winfixer[2].txt
Spyware:Cookie/Reliablestats Not disinfected C:\WINDOWS\Cookies\louise@stats1.reliablestats[1].txt
Spyware:Cookie/Com.com Not disinfected C:\WINDOWS\Cookies\louise@com[2].txt
Spyware:Cookie/did-it Not disinfected C:\WINDOWS\Cookies\louise@did-it[1].txt
Spyware:Cookie/64.62.232 Not disinfected C:\WINDOWS\Cookies\evan@64.62.232[4].txt
Spyware:Cookie/360i Not disinfected C:\WINDOWS\Cookies\evan@ct.360i[3].txt
Spyware:Cookie/Belnk Not disinfected C:\WINDOWS\Cookies\evan@ath.belnk[2].txt
Spyware:Cookie/Belnk Not disinfected C:\WINDOWS\Cookies\evan@belnk[1].txt
Spyware:Cookie/Yadro Not disinfected C:\WINDOWS\Cookies\evan@yadro[2].txt
Spyware:Cookie/myaffiliateprogram Not disinfected C:\WINDOWS\Cookies\evan@www.myaffiliateprogram[6].txt
Spyware:Cookie/BurstNet Not disinfected C:\WINDOWS\Cookies\evan@burstnet[2].txt
Spyware:Cookie/BurstBeacon Not disinfected C:\WINDOWS\Cookies\evan@www.burstbeacon[5].txt
Spyware:Cookie/Atwola Not disinfected C:\WINDOWS\Cookies\evan@atwola[2].txt
Spyware:Cookie/did-it Not disinfected C:\WINDOWS\Cookies\evan@did-it[1].txt
Spyware:Cookie/Servlet Not disinfected C:\WINDOWS\Cookies\evan@servlet[2].txt
Spyware:Cookie/BurstNet Not disinfected C:\WINDOWS\Cookies\evan@burstnet[4].txt
Spyware:Cookie/BurstBeacon Not disinfected C:\WINDOWS\Cookies\evan@www.burstbeacon[6].txt
Spyware:Cookie/Target Not disinfected C:\WINDOWS\Cookies\evan@target[5].txt
Spyware:Cookie/360i Not disinfected C:\WINDOWS\Cookies\evan@ct.360i[2].txt
Spyware:Cookie/Cgi-bin Not disinfected C:\WINDOWS\Cookies\evan@cgi-bin[1].txt
Spyware:Cookie/Entrepreneur Not disinfected C:\WINDOWS\Cookies\evan@entrepreneur[2].txt
Spyware:Cookie/did-it Not disinfected C:\WINDOWS\Cookies\evan@did-it[4].txt
Spyware:Cookie/360i Not disinfected C:\WINDOWS\Cookies\evan@ct.360i[4].txt
Spyware:Cookie/myaffiliateprogram Not disinfected C:\WINDOWS\Cookies\evan@www.myaffiliateprogram[8].txt
Spyware:Cookie/Cgi-bin Not disinfected C:\WINDOWS\Cookies\evan@cgi-bin[3].txt
Spyware:Cookie/Target Not disinfected C:\WINDOWS\Cookies\evan@target[3].txt
Spyware:Cookie/Cgi-bin Not disinfected C:\WINDOWS\Cookies\evan@cgi-bin[4].txt
Spyware:Cookie/BurstBeacon Not disinfected C:\WINDOWS\Cookies\evan@www.burstbeacon[7].txt
Spyware:Cookie/Target Not disinfected C:\WINDOWS\Cookies\anyuser@target[1].txt
Spyware:Cookie/Atwola Not disinfected C:\WINDOWS\Cookies\anyuser@atwola[1].txt
Spyware:Cookie/Com.com Not disinfected C:\WINDOWS\Cookies\anyuser@com[1].txt
Spyware:Cookie/Atwola Not disinfected C:\WINDOWS\Cookies\evan@atwola[3].txt
Spyware:Cookie/Go Not disinfected C:\WINDOWS\Cookies\evan@go[9].txt
Spyware:Cookie/BurstNet Not disinfected C:\WINDOWS\Cookies\evan@burstnet[3].txt
Spyware:Cookie/Target Not disinfected C:\WINDOWS\Cookies\evan@target[6].txt
Spyware:Cookie/Go Not disinfected C:\WINDOWS\Cookies\evan@go[13].txt
Spyware:Cookie/BurstNet Not disinfected C:\WINDOWS\Cookies\evan@burstnet[5].txt
Spyware:Cookie/BurstBeacon Not disinfected C:\WINDOWS\Cookies\evan@www.burstbeacon[4].txt
===========================================================

Logfile of HijackThis v1.99.1
Scan saved at 4:47:02 PM, on 2/6/2007
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\WINDOWS\SYSTEM\R_SERVER.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\SYMANTEC\NORTON GHOST 2003\GHOSTSTARTSERVICE.EXE
C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER FREE EDITION\PSFREE.EXE
C:\PROGRAM FILES\TIMERC\TIMERC3.EXE
C:\WINDOWS\START MENU\PROGRAMS\STARTUP\TITIME.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
E:\1VIRUS & SECURITY STUFF\HIJACKTHIS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://us.f905.mail....e...&y5beta=yes
F1 - win.ini: run=hpfsched
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [CompaqPrinTray] PrinTray.exe
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [WinPatrol] "C:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [r_server] C:\WINDOWS\SYSTEM\R_SERVER.EXE /service
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\RunServices: [GhostStartService] C:\PROGRAM FILES\SYMANTEC\NORTON GHOST 2003\GHOSTSTARTSERVICE.EXE
O4 - HKLM\..\RunServices: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakLogon
O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER FREE EDITION\PSFREE.EXE"
O4 - Startup: TimeRC 3.0.lnk = C:\Program Files\TimeRC\TimeRC3.exe
O4 - Startup: TiTime.exe
O8 - Extra context menu item: Atomica... - file:C:\PROGRA~1\ATOMICA\ATOMIC~1\Html\griemenu.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRAM FILES\JAVA\JRE1.5.0_10\BIN\SSV.DLL
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRAM FILES\JAVA\JRE1.5.0_10\BIN\SSV.DLL
O14 - IERESET.INF: START_PAGE_URL=http://www.e4me.com/start.html
O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - http://download.toon...5.37/ttinst.cab
O16 - DPF: {C9E2242D-DC05-4C54-9483-A5C90653F7BC} (SFClientControl Object) - https://skyfex.net/C...SFClientPro.cab
O16 - DPF: {7238A364-D686-4A88-B1AF-1223D6E9497A} (SFClientFree Object) - https://skyfexfree.n.../ClientFree.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
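The Panda report above is a three-column table flattened to one line per incident, and the helper's verdict on it ("not seeing a lot") rests on every row being a tracking cookie under C:\WINDOWS\Cookies rather than executable code. As an added example (not code from the thread or from Panda), here is a Python parser for that report format that recovers the columns by anchoring on the status field, since the incident name can itself contain spaces, and then separates cookie noise (counted per Windows profile and per tracker) from anything that would need attention. The embedded sample is a constructed subset of the report posted above; the status value "Disinfected" is assumed as the counterpart of the "Not disinfected" seen in the report.

```python
"""Added example (not code from the thread): parse the flattened
'Incident Status Location' table of a Panda ActiveScan report and triage it."""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample: a handful of rows copied from the report posted above.
SAMPLE_REPORT = r"""Incident Status Location

Spyware:Cookie/fe.lea.lycos Not disinfected C:\WINDOWS\Cookies\evan@fe.lea.lycos[1].txt
Spyware:Cookie/Santa Monica networks inc Not disinfected C:\WINDOWS\Cookies\evan@smni[1].txt
Spyware:Cookie/Go Not disinfected C:\WINDOWS\Cookies\louise@go[1].txt
Spyware:Cookie/Doubleclick Not disinfected C:\WINDOWS\Cookies\evan@doubleclick[1].txt
Spyware:Cookie/WinFixer Not disinfected C:\WINDOWS\Cookies\louise@winfixer[2].txt
Spyware:Cookie/Target Not disinfected C:\WINDOWS\Cookies\anyuser@target[1].txt
"""

# Columns are separated only by spaces and the incident name may contain spaces
# ("Santa Monica networks inc"), so split on the status column, not on whitespace.
# "Disinfected" is an assumed status value; only "Not disinfected" appears above.
ROW_RE = re.compile(
    r"^(?P<incident>.+?) (?P<status>Not disinfected|Disinfected) (?P<location>\S.*)$"
)
INCIDENT_RE = re.compile(r"^(?P<category>[^:]+):(?P<family>[^/]+)/(?P<name>.+)$")


@dataclass
class Incident:
    category: str   # e.g. 'Spyware'
    family: str     # e.g. 'Cookie'
    name: str       # e.g. 'Doubleclick'
    status: str
    location: str

    @property
    def is_tracking_cookie(self) -> bool:
        """A Cookie-family hit on a file in the browser's Cookies folder."""
        return self.family.lower() == "cookie" and "\\cookies\\" in self.location.lower()

    @property
    def profile(self) -> str:
        """Windows 9x/ME cookie files are named <user>@<site>[n].txt; return <user>."""
        base = self.location.rsplit("\\", 1)[-1]
        return base.split("@", 1)[0] if "@" in base else ""


def parse_report(text: str) -> List[Incident]:
    out: List[Incident] = []
    for line in text.splitlines():
        row = ROW_RE.match(line.strip())
        if not row:
            continue                      # header, blank line or separator
        inc = INCIDENT_RE.match(row.group("incident"))
        if not inc:
            continue
        out.append(Incident(inc.group("category"), inc.group("family"), inc.group("name"),
                            row.group("status"), row.group("location")))
    return out


def triage(incidents: List[Incident]) -> Dict[str, object]:
    """Separate what needs a human from cookie noise."""
    cookies = [i for i in incidents if i.is_tracking_cookie]
    others = [i for i in incidents if not i.is_tracking_cookie]
    return {
        "total": len(incidents),
        "cookies": len(cookies),
        "cookies_by_profile": dict(Counter(i.profile for i in cookies)),
        "cookies_by_tracker": dict(Counter(i.name for i in cookies)),
        "needs_attention": others,
    }


if __name__ == "__main__":
    report = triage(parse_report(SAMPLE_REPORT))
    print(f"{report['cookies']} of {report['total']} incidents are tracking cookies")
    print("per profile:", report["cookies_by_profile"])
    for inc in report["needs_attention"]:
        print("REVIEW:", inc.category, inc.name, inc.location)
```

Anything in "needs_attention" is what a helper would actually chase; on the full report above that list is empty, which is why the thread moves on to the AVG detection and the restore points instead of the Panda output.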

#6 dan12 (Advanced Member, 998 posts)

Posted 06 February 2007 - 06:59 PM

Hi thewolfe, thanks for your returned logs. It's late here now, so I will get back to you in the morning. Can you confirm for me that Zone Alarm, your firewall, has not been disabled? I'm not seeing it in running processes or startup. I may be going mad, but as I said, it's late. Thanks, dan

#7 thewolfe (New Member, 12 posts)

Posted 06 February 2007 - 07:02 PM

Oops! I don't have ZA on that computer but..........I will.

#8 thewolfe (New Member, 12 posts)

Posted 06 February 2007 - 08:24 PM

And oops again. It's my wife's computer and it's running Win ME, so the downloads I have for ZA won't run on it.

#9 thewolfe (New Member, 12 posts)

Posted 06 February 2007 - 08:58 PM

The latest. The original file w/ the trojan was C:\Windows system\dllms.dll. Then when I "Healed" the above and restarted, the files below popped up and the original was gone. C:\Restore\Temp\A0210280.cpy (I have 9 of those, with the file name numbers a little different.) I can disable the "Restore Points" and I think that will take care of the 9. What say you?

#10 dan12 (Advanced Member, 998 posts)

Posted 07 February 2007 - 01:32 AM

Please don't flush the restore points just yet! Thanks, dan


#11 dan12 (Advanced Member, 998 posts)

Posted 07 February 2007 - 12:14 PM

Hi thewolfe

And oops again.

It's my wife's computer and it's running Win ME, so the downloads I have for ZA won't run on it.


If you use the firewall I gave you, this will be fine for the older system; please install it.

For your information, Windows ME is no longer supported by Microsoft.
This means that no new patches are being released, no security holes are being fixed, and most software developers are dropping support for it.
I would highly recommend that you upgrade to either Windows 2000 or Windows XP. You can see Microsoft's announcement about dropping Windows 9x/ME support here.

________________

Most of the items you are picking up, I believe, are in System Restore, which is quite safe. I will now flush them from the system.
Disable and Enable System Restore. - If you are using Windows ME or XP then you should disable and re-enable system restore to make sure there are no infected files found in a restore point.
You can find instructions on how to enable and re enable system restore here:
Managing Windows Millennium System Restore
Leave the Java update for the moment; I don't think the new update is compatible with this machine.

Post a new HJT log and let me know how things are running. Don't forget that firewall!
Thanks, dan

#12 thewolfe (New Member, 12 posts)

Posted 07 February 2007 - 08:47 PM

Thanks, I'll do that in the morning and post back.

#13 thewolfe (New Member, 12 posts)

Posted 08 February 2007 - 03:33 PM

This is a tricky little bugger. I flushed the "Restore points", ran AVG, and all was well. I started to shut down the computer and the AVG window said the Trojan horse PSW.Generic3.TX was at C:\Windows system\dllms.dll. I ran AVG a few more times and it sometimes shows it. If it doesn't, the above window pops up. Restore points are still disabled.

#14 dan12 (Advanced Member, 998 posts)

Posted 08 February 2007 - 03:46 PM

Hi thewolfe, please re-enable the restore point as detailed. I will discuss this with my tutor and get back to you. Thanks, dan

#15 thewolfe (New Member, 12 posts)

Posted 08 February 2007 - 04:21 PM

Thanks for your help.
