Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

Blackdoor.small3.bi and Downloader.agent.7.e

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

Unread postby Schonk1 » February 4th, 2005, 4:40 pm

Sorry, I forgot it.

Logfile of HijackThis v1.99.0
Scan saved at 21:00:53, on 4-2-05
Platform: Windows 98 SE (Win9x 4.10.2222B)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\PROGRAM FILES\MSWORKS\AGENDA\WKCALREM.EXE
C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\SPYBOT - SEARCH & DESTROY\TEATIMER.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer aangeboden door @Home
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy:8080
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [Taakcontrole] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [OWCCardbusTray] ocbtray.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: Microsoft Works Agenda-herinneringen.lnk = C:\Program Files\MSWorks\Agenda\WKCALREM.EXE
O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: Search Using Copernic Agent - res://C:\Program Files\Copernic Agent\CopernicAgentExt.dll/INTEGRATION_MENU_SEARCHEXT
O9 - Extra button: (no name) - {193B17B0-7C9F-4D5B-AEAB-8D3605EFC084} - C:\PROGRAM FILES\COPERNIC AGENT\COPERNICAGENT.EXE
O9 - Extra 'Tools' menuitem: Launch Copernic Agent - {193B17B0-7C9F-4D5B-AEAB-8D3605EFC084} - C:\PROGRAM FILES\COPERNIC AGENT\COPERNICAGENT.EXE
O9 - Extra button: Copernic Agent - {688DC797-DC11-46A7-9F1B-445F4F58CE6E} - C:\PROGRAM FILES\COPERNIC AGENT\COPERNICAGENT.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O14 - IERESET.INF: START_PAGE_URL=http://start.home.nl/
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid= ... lcid=0x409
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-l ... cfscan.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/Shar ... /cabsa.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/Shar ... vSniff.cab
Schonk1
Regular Member
 
Posts: 33
Joined: January 27th, 2005, 2:42 pm
Location: Weert
Advertisement
Register to Remove

Unread postby ChrisRLG » February 5th, 2005, 3:36 pm

Well that log shows you completely clean.

AVG7 'knows' this infection, and has been proved to stop the install of it in the past - not like some of the other AV's. It is good are removing some parts of it too :) with out assistance.

What website were you visiting when it happened - or was it immediatly when you opened IE.
ChrisRLG
Administrator Emeritus
 
Posts: 17759
Joined: December 16th, 2004, 10:04 am
Location: Southend, Essex, UK

Unread postby Schonk1 » February 5th, 2005, 5:58 pm

Hello,

The infection took place during the online scan by Symantec. I started your side with the Mozilla browser and chosed your link, as indicated in one of your advices, to the Symantec scanner. This scanner could not work with the Mozilla browser and Symantec asked to start the Microsoft browser, what we did. After the start of the online scan, I had to allow the Spybot Teatimer to let download several ActiveX components, for which Symantec demanded, otherwise the scan could not be run. I remark that the ActiveX configuration has been adjusted according to your advice. At this point the infections started. After the Symantec online scan the security of our computersystem for virussen was disapproved by the online scanner.

Than did a scan with our own AVG7. AVG healed several infection and put the in the Vault, which we emptied. The HJT logfile you got is made after this AVG scan.

Your site and the Symantec-site were the only sites we visited. If these ActiveX components are realy so dangerous that we have to close the system completely, Than there is a great problem in the internet world. Can it be that the IE browser security is so serious damaged that this happens? How can we controll and repair this, if this is true.

Greetings, Schonk1
Schonk1
Regular Member
 
Posts: 33
Joined: January 27th, 2005, 2:42 pm
Location: Weert

Unread postby ChrisRLG » February 5th, 2005, 6:52 pm

Its the business people who write these malware - it makes money, while people respond to popup windows telling them to download this or that and buy this or that, they will continue to push this sort of malware.

They each time we find a fix, release a new version that is hearder to remove each time, hopefully now that M$ has joined the fight we may be able to change the status quo.

M$ are talking to lots of my friendss at other sites to improve thier own anti-malware product - it is in beta at the moment - should hopefully help cure this :) over time.

===============

Could you try this, it is a reprting program - will not cure your system - but may help find something I might have missed.

Make a new Folder for example C:\Dllconpare
http://downloads.subratam.org/DllCompare.exe
Download DllCompare.exe to that folder then run it

Start Program and Click the Run Locate.com and wait a few seconds til the scan says complete.
(default settings usually are sufficient)

Click the Compare button to start the sorting process.

Files in the upper portion have been verified to "exist" as where Files in the bottom section have some form of problem being accessed.
There will be only minimal, if any files listed there... once that Compare scan is complete, and you find you have a few files listed in the lower box.

Click on any of the listed entries to select it.. Right click the mouse and use the Option Rescan Like This

This will run the file through the standard Windows Find and if it does exist, will be removed from the list (to further filter the found objects) Like This

After that if you are left with files that are still not found, click the Make a Log of what was found button, and post that log.
ChrisRLG
Administrator Emeritus
 
Posts: 17759
Joined: December 16th, 2004, 10:04 am
Location: Southend, Essex, UK

Unread postby Schonk1 » February 6th, 2005, 9:52 am

Hello ChrisRLG,

'We downloaded Dllcompare and let it scan. The logfile says that there were no files found.

* DLLCompare Log version(1.0.0.127)
Files Found that Windows does not See or cannot Access
*Not everything listed here means you are infected!
________________________________________________

O^E says: "There were no files found :)"
________________________________________________

818 items found: 818 files, 0 directories.
Total of file sizes: 156.918.449 bytes 149,65 M

--------------------End log---------------------


About your suggestion corncerning malware producers and the business world:

Could Symantec be one of these? It seems to me very strange that such a welknown antivirus program developer, used by us for the first time, after we did together everything to clean our system, "delivered" several virusses via ActiveX components. We are very disappointed.

According to what we did up till now, we conclude that our system must be clean, if we don't use IE never again.

Thank's again,

Schonk1
Schonk1
Regular Member
 
Posts: 33
Joined: January 27th, 2005, 2:42 pm
Location: Weert

Unread postby ChrisRLG » February 6th, 2005, 2:55 pm

No symantics/norton are one of the good guys.

Unfortunately the good guys can have legal problems with classifying something for removal.

Take two applications MS-Word and a Gator add on program for getting accurate time from a time server.

With both you have agreed to have the program - OKed the terms and conditions - even if you did not read them - downloaded or installed from a CD.

Now Gators program comes with lots of little extras, which ARE mentioned in its user agreement - that you tick OK to when you installed.

So which one - if any - can Norton AV target.

The problem by and large is not the malware but users not reading all the legal speak in the user agreement, or if reading being able to understand. Now I am not saying that I read all the user agreements for stuff I install - who does.

BTW that is not the same as the stuff you have - this is caught by mainly a driveby download.

What that scan was supoost to show was if any super hidden files were in the system - glad to say none were found.

Next test - a rootkit infection. This is a infection that gains hold before the op system starts - and then hids itself from all views.

RootKit Detector: http://www.haxorcitos.com/ficheros/RKDetectorv0.62.zip

download that and run it -see if it can find any.
ChrisRLG
Administrator Emeritus
 
Posts: 17759
Joined: December 16th, 2004, 10:04 am
Location: Southend, Essex, UK

Unread postby Schonk1 » February 7th, 2005, 3:59 pm

Hello ChrisRLG,

We downloaded your RKdetector and used it. Everything happened than in a flash. There was no report or logfile. I tried it on my own system, Windows XP, and had to be very fast with my Pause-key to be able to see the result.
Is this speed normal? For the moment I assume that the program did not find hidden infections.

After having consumed so much of your time and concluding that the system is clean now, we propose to stop our correspondence. Of course with many thanks and wishing you and your team succes with your work and probably in the future a virusless internet.

If this is not possible we hope it s permitted to contact you again.

Schonk1
Schonk1
Regular Member
 
Posts: 33
Joined: January 27th, 2005, 2:42 pm
Location: Weert

Unread postby ChrisRLG » February 7th, 2005, 4:25 pm

sorry - it should have a txt file explaining how to run - from my memory it needs to be run from a DOS box - that way you will be able to copy the DOS box to the posts here.

Sorry also - terminology - a DOS box is also known as a DOS prompt and can be obtained from the run command -

start - > Run -> cmd.exe

A box will open type 'cd C:\xxx\xxx\rkdetector.exe -v' (were xxx is the path to where you have the program)


the DOS box menu will allow you to copy
ChrisRLG
Administrator Emeritus
 
Posts: 17759
Joined: December 16th, 2004, 10:04 am
Location: Southend, Essex, UK

Unread postby ChrisRLG » February 8th, 2005, 8:15 am

woops again

A box will open type 'cd C:\xxx\xxx\rkdetector.exe -v' (were xxx is the path to where you have the program)


should be

A box will open type 'cd C:\xxx\xxx (were xxx is the path to where you have the program)

Then a second line of

rkdetector.exe -v'

Sorry my old DOS cammands are a little rusty.
ChrisRLG
Administrator Emeritus
 
Posts: 17759
Joined: December 16th, 2004, 10:04 am
Location: Southend, Essex, UK

Unread postby Schonk1 » February 8th, 2005, 4:11 pm

Hello ChrisRLG,

I think there is some confusion about the operation of RKdetectorv0.62. I understand that it has to work in DOS. In the DOS-box of my own system Windows XP Home edition, it works perfect. However on the problamic machine of my brother which we try to undo of its infections, this program does NOT work, neither under Windows 98 SE, nor under Dos of Windows 98 SE. We get the report that the program must work under WIN 32. Does DOS 7 supports WIN 32?

I ran RKdetector on my own system and the program found some suspicious files and a warning for a "seems to be Hooked" file. Is this dangerous? What can I do with these files. The log looks as follows:

. .. ...: Rootkit Detector Profesional 2004 v0.62 :... .. .
Rootkit Detector Profesional 2004
Programmed by Andres Tarasco Acuna
Copyright (c) 2004 - 3wdesign Security
Url: http://www.3wdesign.es


-Gathering Service list Information... ( Found: 256 services )
-Gathering process List Information... ( Found: 29 process )
-Searching for Hidden process Handles. ( Found: 0 Hidden Process )
-Checking Visible Process.............
c:\windows\system32\svchost.exe
c:\program files\common files\symantec shared\security center\symwsc.exe
c:\windows\system32\wdfmgr.exe
c:\windows\system32\smss.exe
c:\windows\system32\csrss.exe
c:\windows\system32\winlogon.exe
c:\windows\system32\services.exe
c:\windows\system32\lsass.exe
c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe
c:\program files\ahead\incd\incdsrv.exe
c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe
c:\program files\common files\symantec shared\ccsetmgr.exe
c:\program files\common files\symantec shared\ccevtmgr.exe
c:\windows\system32\spoolsv.exe
c:\windows\explorer.exe
c:\program files\common files\symantec shared\ccapp.exe
c:\program files\java\jre1.5.0\bin\jusched.exe
c:\program files\ahead\incd\incd.exe
c:\program files\spybot - search & destroy\teatimer.exe
c:\program files\norton antivirus\navapsvc.exe
c:\program files\norton antivirus\savscan.exe
c:\windows\system32\alg.exe
c:\windows\system32\cmd.exe
c:\program files\messenger\msmsgs.exe
c:\rkdetectorv0.62\rkdetector.exe
-Searching again for Hidden Services..
-Gathering Service list Information... ( Found: 0 Hidden Services)
-Searching for wrong Service Paths.... ( Found: 0 wrong Services )
-Searching for Rootkit Modules........
-------------------------------------------------------------------------------
*SUSPICIOUS MODULE!! c:\windows\system32\imm32.dll
-------------------------------------------------------------------------------
*SUSPICIOUS MODULE!! c:\windows\system32\lpk.dll
-------------------------------------------------------------------------------
*SUSPICIOUS MODULE!! c:\windows\system32\usp10.dll
-------------------------------------------------------------------------------
*WARNING! MODULE c:\windows\system32\msvcrt.dll SEEMS TO BE HOOKED
-------------------------------------------------------------------------------
-Trying to detect hxdef with TCP data..( Found: 0 running rootkits)
-Searching for hxdef hooks............ ( Found: 0 running rootkits)
-Searching for other rootkits......... ( Found: 0 running rootkits)

C:\RKDetectorv0.62>
Schonk1
Regular Member
 
Posts: 33
Joined: January 27th, 2005, 2:42 pm
Location: Weert

Unread postby ChrisRLG » February 8th, 2005, 4:29 pm

Although it reports those as suspect they are legit.

I am away from my computer at the moment - so don't have all my tools.
I will post back when I get home.
ChrisRLG
Administrator Emeritus
 
Posts: 17759
Joined: December 16th, 2004, 10:04 am
Location: Southend, Essex, UK

Unread postby ChrisRLG » February 9th, 2005, 9:21 am

Well still can't 'see' anything in this log - and those 'tests' have come up clean.

Ca I have an uptodate HJT log please.

And again discribe what and where you are hijacked etc.
ChrisRLG
Administrator Emeritus
 
Posts: 17759
Joined: December 16th, 2004, 10:04 am
Location: Southend, Essex, UK

Unread postby Schonk1 » February 9th, 2005, 11:49 am

Dear ChrisRLG,

To avoid misunderstanding: The log file of RKdtectorv0.62 is taken on my own machine, running with Windows XP Home Edition. As far as I know the machine is not infected. I will send you also an HJT logfile and I hope you can, after reading it, confirm that the XP system is free of infections.

The machine which has been infected and on wich we together spend four pages of correspondence, is my brother's machine which runs under Windows 98 SE. The whole infection history of this machine is on the four pages on your site. With the DOS-system of Windows 98 SE we are not able to run the RKdetectorv0.62 program, so we could'nt send you a log taken on the Windows 98 SE machine. Trying to start RKdetector, the machine reports that the program must be run with Win32 I think that this is impossible with DOS7, which is incorporated with Windows 98 SE. I'm not 100% sure about this. Can you confirm this and do you have another solution to run RKdetector on the Windows 98 SE machine?

Schonk1

Here comes the HJT logfile of my own XP machine.

Logfile of HijackThis v1.99.0
Scan saved at 16:52:32, on 9-2-2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Java\jre1.5.0\bin\jusched.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Outlook Express\msimn.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Jan Schonkeren\Bureaublad\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\Program Files\Copernic Agent\CopernicAgentExt.dll/INTEGRATION_BAND_SEARCHBAR_HTML
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.home.nl/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.home.nl/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.home.nl
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer aangeboden door @Home
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy:8080
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
R3 - URLSearchHook: (no name) - {BE89472C-B803-4D1D-9A9A-0A63660E0FE3} - C:\PROGRA~1\COPERN~1\COPERN~1.DLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Copernic Agent - {F2E259E8-0FC8-438C-A6E0-342DD80FA53E} - C:\Program Files\Copernic Agent\CopernicAgentExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0\bin\jusched.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Free WebSite Tools.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Gelijkwaardige pagina's - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Koppelingspagina's - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Opgeslagen momentopname van de pagina - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Search Using Copernic Agent - res://C:\Program Files\Copernic Agent\CopernicAgentExt.dll/INTEGRATION_MENU_SEARCHEXT
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: (no name) - {193B17B0-7C9F-4D5B-AEAB-8D3605EFC084} - C:\PROGRA~1\COPERN~1\COPERN~1.EXE
O9 - Extra 'Tools' menuitem: Launch Copernic Agent - {193B17B0-7C9F-4D5B-AEAB-8D3605EFC084} - C:\PROGRA~1\COPERN~1\COPERN~1.EXE
O9 - Extra button: Copernic Agent - {688DC797-DC11-46A7-9F1B-445F4F58CE6E} - C:\PROGRA~1\COPERN~1\COPERN~1.EXE
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://start.home.nl/
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: InCD Helper - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: Norton AntiVirus Auto-Protect - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SymWMI Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
Schonk1
Regular Member
 
Posts: 33
Joined: January 27th, 2005, 2:42 pm
Location: Weert

Unread postby ChrisRLG » February 9th, 2005, 12:04 pm

Yes that is clean - I will check out the rootkit dectector on my win98 machine tonight (at work at present) - I will also review the topic (all pages) to see if I have missed something.

A fresh HJT log might help.
ChrisRLG
Administrator Emeritus
 
Posts: 17759
Joined: December 16th, 2004, 10:04 am
Location: Southend, Essex, UK

Unread postby Schonk1 » February 9th, 2005, 3:04 pm

Hello ChrisRLG,

Here you get the HJT logfile, made in the Windows 98 SE system.

Logfile of HijackThis v1.99.0
Scan saved at 20:02:56, on 9-2-05
Platform: Windows 98 SE (Win9x 4.10.2222B)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\PROGRAM FILES\SPYBOT - SEARCH & DESTROY\TEATIMER.EXE
C:\PROGRAM FILES\MSWORKS\AGENDA\WKCALREM.EXE
C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer aangeboden door @Home
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy:8080
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [Taakcontrole] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [OWCCardbusTray] ocbtray.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: Microsoft Works Agenda-herinneringen.lnk = C:\Program Files\MSWorks\Agenda\WKCALREM.EXE
O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: Search Using Copernic Agent - res://C:\Program Files\Copernic Agent\CopernicAgentExt.dll/INTEGRATION_MENU_SEARCHEXT
O9 - Extra button: (no name) - {193B17B0-7C9F-4D5B-AEAB-8D3605EFC084} - C:\PROGRAM FILES\COPERNIC AGENT\COPERNICAGENT.EXE
O9 - Extra 'Tools' menuitem: Launch Copernic Agent - {193B17B0-7C9F-4D5B-AEAB-8D3605EFC084} - C:\PROGRAM FILES\COPERNIC AGENT\COPERNICAGENT.EXE
O9 - Extra button: Copernic Agent - {688DC797-DC11-46A7-9F1B-445F4F58CE6E} - C:\PROGRAM FILES\COPERNIC AGENT\COPERNICAGENT.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O14 - IERESET.INF: START_PAGE_URL=http://start.home.nl/
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid= ... lcid=0x409
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-l ... cfscan.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/Shar ... /cabsa.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/Shar ... vSniff.cab

Schonk1
Schonk1
Regular Member
 
Posts: 33
Joined: January 27th, 2005, 2:42 pm
Location: Weert
Advertisement
Register to Remove

PreviousNext

  • Similar Topics
    Replies
    Views
    Last post

Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: No registered users and 29 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware