TheTechGuide Forum

General Category => Tech Clinic => Topic started by: nimirra on March 27, 2005, 07:01:33 AM

Title: My Hijack this log
Post by: nimirra on March 27, 2005, 07:01:33 AM
I know you guys hate to hear this... but I am so far from tech that I am ashamed. :unsure:

I am posting my log, hoping that someone can help me with the adware and trojans that seem to have taken up residence with me. :angry:


Logfile of HijackThis v1.99.1
Scan saved at 5:39:17 AM, on 3/27/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v5.50 (5.50.4134.0100)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\NVSVC.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\LEXMARK X1100 SERIES\LXBKBMGR.EXE
C:\PROGRAM FILES\WEBROOT\SPY SWEEPER\SPYSWEEPER.EXE
C:\WINDOWS\SYSTEM\LEXBCES.EXE
C:\PROGRAM FILES\LEXMARK X1100 SERIES\LXBKBMON.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\SYSTEM\LEXPPS.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\HJT\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = www.google.com
O2 - BHO: ohb Class - {999A06FF-10EF-4A29-8640-69E99882C26B} - C:\WINDOWS\SYSTEM\RTNEG2.DLL
O3 - Toolbar: My Search Bar - {014DA6C9-189F-421a-88CD-07CFE51CFF10} - C:\PROGRAM FILES\MYSEARCH\BAR\1.BIN\S4BAR.DLL (file missing)
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\SYSTEM\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKLM\..\Run: [LexStart] lexstart.exe
O4 - HKLM\..\Run: [xyczqrk] c:\windows\system\xyczqrk.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [NVSvc] C:\WINDOWS\SYSTEM\nvsvc.exe -runservice
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SPYSWEEPER.EXE" /0
O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.popcap.com/games/popcaploader_v6.cab


Now, this means nothing to me. I do know that My Search Bar and abetterinternet have been giving me trouble, and that Stubby the trojan has invaded. Are they here? Are they gone? I really do not know anymore. Help. :(

Also, this xyczqrk... I have deleted, and isolated, and quarantined it; apparently it is still here. Grrr.
Title: My Hijack this log
Post by: nimirra on March 27, 2005, 06:00:25 PM
bump
Title: My Hijack this log
Post by: guestolo on March 27, 2005, 07:54:00 PM
Do another scan with Hijackthis and put a check next to these entries:

O2 - BHO: ohb Class - {999A06FF-10EF-4A29-8640-69E99882C26B} - C:\WINDOWS\SYSTEM\RTNEG2.DLL
O3 - Toolbar: My Search Bar - {014DA6C9-189F-421a-88CD-07CFE51CFF10} - C:\PROGRAM FILES\MYSEARCH\BAR\1.BIN\S4BAR.DLL (file missing)

O4 - HKLM\..\Run: [xyczqrk] c:\windows\system\xyczqrk.exe


After you have ticked the above entries, close All other open windows, including this one
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis

Restart your computer

Find and delete these files or folders if found
C:\WINDOWS\SYSTEM\RTNEG2.DLL <-file
c:\windows\system\xyczqrk.exe <-file
C:\PROGRAM FILES\MYSEARCH <-folder

You don't appear to be running any Anti-Virus software on your computer
If it's disabled, enable it and check for updates and run a full system scan
If you don't have one and need a free solution
I very much recommend that you now download and Install AVG 7 free edition
from this link
http://free.grisoft.com/doc/2/lng/us/tpl/v5

Scroll down to
AVG Free Edition installation files
File   Version
avg70free_308a468.exe
<--click on this link and save the installer to desktop

Double click to Install and restart your computer if prompted
Back in Windows ensure you update and run a Full System Scan

Restart again if bad guys found and fixed

Post back a fresh Hijackthis log afterwards
Could you also download and save to desktop
VX2 Finder.exe (http://downloads.subratam.org/VX2Finder9x(126).exe)
Double click to open and
"Click to Find VX2.Betterinternet"
Let it finish its short scan, make a log and post it back too
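The entries guestolo singles out above (an unknown BHO, a toolbar whose DLL is missing, and an autostart with a random-looking name) can be picked out mechanically. The following is an added example, not part of the thread and not HijackThis code: a small Python triage script that parses the R/O lines of a HijackThis log and flags browser extensions (O2/O3) that are not on an allow-list, an O2/O3 registration whose file is missing, an O4 autostart whose name looks machine-generated (such as xyczqrk), a start or search page outside a trusted domain list, and ActiveX downloads (O16). The sample input is the set of R/O entries from the first log in this thread; the vowel-ratio heuristic, the trusted-domain list, the empty CLSID allow-list and the Finding structure are assumptions of this example.

```python
"""Triage helper for HijackThis v1.99 logs (added example, not HijackThis code)."""
import re
from dataclasses import dataclass
from typing import FrozenSet, List

# Sample input: the R/O entries from the first log posted in this thread
# (copied from the thread; the running-processes section is left out).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = www.google.com
O2 - BHO: ohb Class - {999A06FF-10EF-4A29-8640-69E99882C26B} - C:\WINDOWS\SYSTEM\RTNEG2.DLL
O3 - Toolbar: My Search Bar - {014DA6C9-189F-421a-88CD-07CFE51CFF10} - C:\PROGRAM FILES\MYSEARCH\BAR\1.BIN\S4BAR.DLL (file missing)
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\SYSTEM\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [xyczqrk] c:\windows\system\xyczqrk.exe
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SPYSWEEPER.EXE" /0
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.popcap.com/games/popcaploader_v6.cab
"""

ENTRY_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.+)$")
RUN_RE = re.compile(r"\[(?P<name>[^\]]+)\]\s*(?P<command>.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\}")

# Assumption: domains the user expects as start/search page.
TRUSTED_SEARCH = ("google.com",)


@dataclass
class Finding:
    section: str
    reason: str
    entry: str


def looks_random(name: str) -> bool:
    """Heuristic for machine-generated Run names such as 'xyczqrk':
    at least six letters and fewer than one vowel in five (assumption)."""
    letters = [c for c in name.lower() if c.isalpha()]
    if len(letters) < 6:
        return False
    vowels = sum(c in "aeiou" for c in letters)
    return vowels / len(letters) < 0.2


def triage(log_text: str, allowed_clsids: FrozenSet[str] = frozenset()) -> List[Finding]:
    """Return one Finding per suspicious aspect of each R/O entry."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue  # headers, blank lines, running-processes section
        section, body = m["section"], m["body"]
        if section in ("R0", "R1", "R3"):
            # Hijacked start/search pages show up here.
            target = body.split("=", 1)[-1].strip().lower()
            if not any(d in target for d in TRUSTED_SEARCH):
                findings.append(Finding(section, "start/search page outside trusted domains", line))
        elif section in ("O2", "O3"):
            # BHOs and toolbars load into every Internet Explorer process.
            if "(file missing)" in body:
                findings.append(Finding(section, "registration points at a missing file (dangling)", line))
            clsid = CLSID_RE.search(body)
            if clsid is None or clsid.group(0).upper() not in allowed_clsids:
                findings.append(Finding(section, "browser extension not on allow-list; review", line))
        elif section == "O4":
            rm = RUN_RE.search(body)
            if rm and looks_random(rm["name"]):
                findings.append(Finding(section, "random-looking autostart name", line))
        elif section == "O16":
            # Downloaded Program Files: ActiveX fetched from a URL.
            findings.append(Finding(section, "ActiveX control downloaded from URL; verify publisher", line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section}: {f.reason}\n    {f.entry}")
```

Run against the sample, the script reports the same three entries guestolo asked to have fixed, plus the PopCap ActiveX control for review; the legitimate autostarts (ScanRegistry, NvCplDaemon, SpySweeper) and the Google search page produce nothing.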
Title: My Hijack this log
Post by: Guest on March 27, 2005, 08:52:26 PM
Okay, here goes...

Fixed all checked items. Restarted. Searched for files and folder.
xyczqrk.exe is gone.
The MySearch folder was gone.
No rtneg2.dll found. There was a folder cache32_rtneg2; I left it there
   (it contained two bin files, not dll).
I got the AVG you recommended (thank you), since my Norton has lapsed. It said I was virus free.

I also got the VX2 Finder, and it did not find anything. No log to post.


Updated HijackThis log below.


Logfile of HijackThis v1.99.1
Scan saved at 7:41:39 PM, on 3/27/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v5.50 (5.50.4134.0100)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\NVSVC.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\PROGRAM FILES\WEBROOT\SPY SWEEPER\SPYSWEEPER.EXE
C:\WINDOWS\SYSTEM\LEXBCES.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\SYSTEM\LEXPPS.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\HJT\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = www.google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.s9.Website Removed.com/highquality
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\SYSTEM\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKLM\..\Run: [LexStart] lexstart.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [NVSvc] C:\WINDOWS\SYSTEM\nvsvc.exe -runservice
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SPYSWEEPER.EXE" /0
O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.popcap.com/games/popcaploader_v6.cab
Title: My Hijack this log
Post by: nimirra on March 27, 2005, 08:54:16 PM
Oops. Forgot to log in before posting. Sorry.
Title: My Hijack this log
Post by: guestolo on March 27, 2005, 10:16:41 PM
Looks good

If everything is running better

You should clear your System Restore points
disable system restore---restart your computer--enable system restore
This will clear all your restore points and ensure you don't restore any nasties
Once reenabled it will create a fresh restore point
How to Disable and Re-enable System Restore feature (http://vil.nai.com/vil/SystemHelpDocs/DisableSysRestore.htm)

Once back in Windows and System Restore is reenabled

You should set up protection against future attacks

SpywareBlaster by JavaCool will block bad ActiveX and malevolent cookies
Install---Check for Updates---Enable all protection
http://www.javacoolsoftware.com/spywareblaster.html

IE-SPYAD puts over 5000 sites in your Restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
Here is a tutorial and download link
Tutorial: http://www.bleepingcomputer.com/forums/index.php?showtutorial=53
Download link: https://netfiles.uiuc.edu/ehowes/www/resource.htm#IESPYAD

With both, Check for updates every couple of weeks
Keep the link to IE-Spyad bookmarked so you can check for updates
SpywareBlaster, after every update just simply enable all protection

Why so far behind on Windows Updates?
You should visit Windows updates and Install all Latest Critical Updates and Service packs
Restart when prompted and revisit Windows updates until you have all latest criticals
Don't install Recommended updates unless they are something you prefer
This is important in keeping your system secure online too...

Can you let me know the names of the 2 bin files in that cache folder, thanks
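IE-SPYAD, recommended above, works by writing entries under Internet Explorer's ZoneMap key so that each listed host lands in the Restricted sites zone (zone number 4), where scripting and ActiveX are disabled. As an added illustration of that mechanism, not IE-SPYAD's own list or code, the Python below builds such a .reg file for a constructed list of placeholder hosts and reads the hosts back out of one, which is handy for diffing against an exported ZoneMap. The REGEDIT4 header is the one Windows 9x/ME regedit accepts (later Windows reads it too). The host list, the two-label guess at the registrable domain and the helper names are assumptions of this example.

```python
"""Build a .reg file placing hosts in Internet Explorer's Restricted sites zone.
Added example: shows the ZoneMap mechanism IE-SPYAD relies on, not IE-SPYAD itself."""
import re
from typing import Iterable, List

# Internet Explorer zone numbers: 1 Intranet, 2 Trusted, 3 Internet, 4 Restricted.
ZONE_RESTRICTED = 4
ZONEMAP_DOMAINS = (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion"
                   r"\Internet Settings\ZoneMap\Domains")
HOST_RE = re.compile(
    r"^(?=.{1,253}$)[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
    r"(?:\.[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?)+$")

# Constructed sample: placeholder names, not real IE-SPYAD entries.
SAMPLE_HOSTS = ["ads.example.net", "example.org", "www.bad-example.com"]


def is_bare_host(host: str) -> bool:
    """True for a plain host name (no scheme, path or port)."""
    return HOST_RE.match(host.strip().lower().rstrip(".")) is not None


def zone_key(host: str) -> str:
    """Map a host to its ZoneMap key.
    IE keeps the registrable domain as a key under Domains and a subdomain
    as a subkey, e.g. Domains\example.net\ads for ads.example.net.
    Simplification (assumption): the registrable domain is the last two
    labels, which is wrong for public suffixes such as co.uk."""
    host = host.strip().lower().rstrip(".")
    if not is_bare_host(host):
        raise ValueError(f"not a bare host name: {host!r}")
    labels = host.split(".")
    domain = ".".join(labels[-2:])
    sub = ".".join(labels[:-2])
    key = f"{ZONEMAP_DOMAINS}\\{domain}"
    return f"{key}\\{sub}" if sub else key


def restricted_zone_reg(hosts: Iterable[str], zone: int = ZONE_RESTRICTED) -> str:
    """Return .reg text. REGEDIT4 is the header Win9x/ME regedit expects.
    The value name '*' applies the zone to every protocol for that host."""
    lines = ["REGEDIT4", ""]
    for host in sorted(set(hosts)):
        lines.append(f"[{zone_key(host)}]")
        lines.append(f'"*"=dword:{zone:08x}')
        lines.append("")
    return "\r\n".join(lines)


def hosts_in_reg(reg_text: str) -> List[str]:
    """Inverse of restricted_zone_reg: list the hosts a .reg file restricts."""
    hosts: List[str] = []
    prefix = f"[{ZONEMAP_DOMAINS}\\"
    for line in reg_text.splitlines():
        if line.startswith(prefix) and line.endswith("]"):
            parts = line[len(prefix):-1].split("\\")
            domain, sub = parts[0], parts[1:]
            hosts.append(".".join(sub + [domain]))
    return hosts


if __name__ == "__main__":
    print(restricted_zone_reg(SAMPLE_HOSTS))
```

Double-clicking the generated file merges it; because the keys live under HKEY_CURRENT_USER, the restriction applies only to the profile that imports it, so on a shared machine each user would import it separately.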
Title: My Hijack this log
Post by: nimirra on March 27, 2005, 10:54:54 PM
Sorry, that was dumb. I should have posted those the first time. The bin files are

100dsktptr
msg

And I bought Webroot's Spy Sweeper yesterday. Is this a good program, or do I still need to get the SpywareBlaster?
And I'm assuming the IE-Spyad is something totally different, and I need this regardless of which spy program I'm using...

And as for the Windows updates, I always just close every popup-type window that I see. My brother visited this weekend, and I think he is the one that opened the door to whatever I got hit with. <_<
I'm very paranoid about clicking yes to anything. I trust nothing! ;)

But I will go to get the updates *grumbles* if I have to...

I just want to take a sec and say thanks. Is this something you do in your spare time? And if so, bless you. As soon as we are sure I am 99.5% clean, I will be making a donation to show my gratitude. The only thing I could have done by myself is format C: and reinstall, *eep*.
Thanks again...
:D
Title: My Hijack this log
Post by: guestolo on March 27, 2005, 11:20:13 PM
I would remove the cache32_rtneg2 folder the 2 bin files reside in if that's all that's in there

Don't delete the Cache folder in the System folder

And yes SpywareBlaster is a totally different program than SpySweeper
Title: My Hijack this log
Post by: nimirra on March 28, 2005, 12:21:29 AM
Deleted cache32, installed SpywareBlaster.

All of my scans are now clean and successful. Everything is running great now.

Thank you very much for your help, guestolo. :D



"kings to you" - Count of Monte Cristo
Title: My Hijack this log
Post by: guestolo on March 28, 2005, 08:50:11 PM
I'll lock this topic as your problems appear resolved
If you need it reopened, please PM a Mod or the site Admin and supply a link
to this thread

Take care :)