TheTechGuide Forum

General Category => Tech Clinic => Topic started by: Guest_Dan on January 14, 2005, 11:04:02 AM

Title: Problems on Windows ME with hijacking
Post by: Guest_Dan on January 14, 2005, 11:04:02 AM

I am running Windows ME and I am having problems with hijacking, please can some one help me with this.

I have posted my hijack this anyone any ideas.

Logfile of HijackThis v1.99.0
Scan saved at 14:56:12, on 14/01/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\DESKTOP\FXAGENTB.EXE
C:\WINDOWS\TEMP\TD_0009.DIR\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = www.blueyonder.co.uk
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [MSConfigReminder] C:\WINDOWS\SYSTEM\msconfig.exe /reminder
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\PROGRAM FILES\ATI MULTIMEDIA\TV\EXPLBAR.DLL
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab28177.cab (http://\"http://messenger.zone.msn.com/binary/MessengerStatsClient.cab28177.cab\")
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/Solit...wn.cab28177.cab (http://\"http://messenger.zone.msn.com/binary/SolitaireShowdown.cab28177.cab\")
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab28177.cab (http://\"http://messenger.zone.msn.com/binary/MineSweeper.cab28177.cab\")
O16 - DPF: Yahoo! Chess - http://download.games.yahoo.com/games/clie...nts/y/ct1_x.cab (http://\"http://download.games.yahoo.com/games/clients/y/ct1_x.cab\")
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrc...kr.cab28578.cab (http://\"http://messenger.zone.msn.com/binary/msgrchkr.cab28578.cab\")
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab (http://\"http://www.pandasoftware.com/activescan/as5/asinst.cab\")
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab (http://\"http://www.bitdefender.com/scan/Msie/bitdefender.cab\")
O16 - DPF: {30CE93AE-4987-483C-9ABE-F2BD5301AB70} - http://64.156.31.147/100039/uk/gegames/dslgeaccess.exe (http://\"http://64.156.31.147/100039/uk/gegames/dslgeaccess.exe\")
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/CDTInc/i.../bridge-c46.cab (http://\"http://static.windupdates.com/cab/CDTInc/ie/bridge-c46.cab\")
O16 - DPF: {99B6E512-3893-4155-9964-8EB8E06099CB} (WebSpyWareKiller Class) - http://download.zonelabs.com/bin/promotion...ctor/WebSWK.cab (http://\"http://download.zonelabs.com/bin/promotions/spywaredetector/WebSWK.cab\")
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = a
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 194.117.157.4

Title: Problems on Windows ME with hijacking
Post by: guestolo on January 15, 2005, 08:44:36 PM

Sorry for the delay Dan, you may have the newer VX2 infection

Let's check and then take steps to remove it

We need a few tools to identify the Nasties on your computer

Can you Download DLLCompare (http://\"http://downloads.subratam.org/DllCompare.exe\")

Start the Program and click the Run Locate.com

Let it complete the SCAN, which won't take long
Click the Compare button to start the next process.This will take a bit longer.

When it's done click the Make a log of what was found button and post it back here

One last request
Download and save to desktop
VX2 Finder (http://\"http://downloads.subratam.org/VX2Finder9x(126).exe\")
Open it and click the "Click to Find VX2.betterinternet"
When it's done scanning click the Make log and post it back here

One last tool>>Download and Unzip to a folder
findit.zip (http://\"http://www.thatcomputerguy.us/downloads/findit9xme.zip\")
Open the folder and double click on the Find.bat file
Ignore any File not found messages
Give this time to run, don't stop it, may take up to 10 to 15 minutes
When it produces a log
Please copy and paste the log on your next response.

After you post the logs, please don't restart the computer again until further instructions
If you do Reboot, we will have to make new logs

Also post back a fresh Hijackthis log