TheTechGuide Forum
General Category => Tech Clinic => Topic started by: Darius_29 on April 08, 2005, 04:40:01 PM
-
What happens to me seems classical: home page and research page changed, new toolbar and new favorites in IE... And impossible to remove it! I have run AdAware but it came back...
Could you please help me?
Here is my logfile :
Logfile of HijackThis v1.99.1
Scan saved at 23:18:57, on 08/04/05
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\WINLOGON.EXE
F:\PROGRAM FILES\CYBERSHOT\SONYTRAY.EXE
C:\PROGRAM FILES\SAGEM WI-FI USB 802.11G\WLANUTL.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
F:\PROGRAM FILES\HIJACK\HIJACKTHIS.EXE
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://rl.webtracer.cc/--/?bayzm (obfuscated)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://rl.webtracer.cc/-/?bayzm (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://rl.webtracer.cc/---/?bayzm (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://rl.webtracer.cc/--/?bayzm (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://rl.webtracer.cc/-/?bayzm (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://rl.webtracer.cc/-/?bayzm (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://rl.webtracer.cc/-/?bayzm (obfuscated)
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = cache.rez-gif.supelec.fr:3128
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
R3 - URLSearchHook: (no name) - {C12B4EC1-1F65-11D3-91CA-00104B9C4765} - C:\Program Files\Copernic 2000\CopernicFind.dll
O1 - Hosts: 1159680172 auto.search.msn.com
O4 - HKLM\..\Run: [winlogon.exe] C:\WINDOWS\winlogon.exe
O4 - Startup: Image Transfer.lnk = F:\Program Files\CyberShot\SonyTray.exe
O4 - Startup: Sagem - Utilitaire réseau pour Clé USB Wi-Fi 802.11g.lnk = C:\Program Files\SAGEM Wi-Fi USB 802.11g\WLANUTL.exe
O8 - Extra context menu item: Chercher avec Copernic - file://C:\Program Files\Copernic 2000\Search Extension.htm
O8 - Extra context menu item: &Google Search - res://C:\WINDOWS\DOWNLOADED PROGRAM FILES\GOOGLETOOLBAR_FR_1.1.62-DELEON.DLL/cmsearch.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\WINDOWS\DOWNLOADED PROGRAM FILES\GOOGLETOOLBAR_FR_1.1.62-DELEON.DLL/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\WINDOWS\DOWNLOADED PROGRAM FILES\GOOGLETOOLBAR_FR_1.1.62-DELEON.DLL/cmsimilar.html
O8 - Extra context menu item: Backward &Links - res://C:\WINDOWS\DOWNLOADED PROGRAM FILES\GOOGLETOOLBAR_FR_1.1.62-DELEON.DLL/cmbacklinks.html
O9 - Extra button: RealGuide - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O9 - Extra button: (no name) - {2A465934-E5F0-11D2-91B5-00104B9C4765} - C:\Program Files\Copernic 2000\Copernic.exe
O9 - Extra 'Tools' menuitem: Lancer Copernic - {2A465934-E5F0-11D2-91B5-00104B9C4765} - C:\Program Files\Copernic 2000\Copernic.exe
O9 - Extra button: Copernic - {2A465936-E5F0-11D2-91B5-00104B9C4765} - C:\Program Files\Copernic 2000\Copernic.exe
O9 - Extra button: Traduire - {99EFB53C-C965-43CF-9F45-52242D134187} - file://C:\Program Files\Copernic 2000\Translate.htm
O9 - Extra 'Tools' menuitem: &Traduire avec Gist-In-Time - {99EFB53C-C965-43CF-9F45-52242D134187} - file://C:\Program Files\Copernic 2000\Translate.htm
O11 - Options group: [Accessibilité] Accessibilité
O12 - Plugin for .mid: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .mov: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .wav: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O19 - User stylesheet: C:\WINDOWS\inf\info.dat
-
Create a new folder on your desktop
Right click an empty spot on your desktop and select
NEW>>Folder
Name it Locate
Download and UNZIP to that new folder
Locate.zip (http://www.atribune.org/downloads/locate.zip)
UNZIP the contents to that newly created folder
Open the Locate folder and Double click to run Locate.bat
Let it finish and then post back the log produced>> the contents of "Report.txt"
in the Locate folder
-
OK,
the report.txt is empty.
Have I done something wrong?
-
No, you didn't do anything wrong, I was just checking on something
Let's try some cleaning on your machine
Could you first
==Download and Install this small program
to help clean your temp folders, cookies, recycle bin
Windows Cleanup (http://www.antispyware.nextdesigns.net/installs/cleanup.php?type=exe)
Install for now, don't run a scan yet
==Download and Install the free version of Ad-Aware SE Personal 1.05 (http://www.lavasoftusa.com/support/download/)
Ensure you have this version or the paid version
Open Ad-Aware, ensure to click the check for updates now link and Connect to download the latest updates
When installing it may check for updates, but double check
Don't run a scan yet
==Set Windows To Show Hidden Files
* Open My Computer.
* Select the View menu and click Folder Options.
* Select the View Tab.
* In the Hidden files section select Show all files.
* Uncheck>Hide Extensions for known file types
* Click OK.
Please Print this out or save these instructions to a Notepad file and save it to your Desktop, also know how to start into safe mode, I'll need you to do that shortly
If unsure, use the link below to help you out
Disconnect from the Internet>>Close all browser windows, including this one
Do another scan with Hijackthis and put a check next to these entries:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://rl.webtracer.cc/--/?bayzm (obfuscated)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://rl.webtracer.cc/-/?bayzm (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://rl.webtracer.cc/---/?bayzm (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://rl.webtracer.cc/--/?bayzm (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://rl.webtracer.cc/-/?bayzm (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://rl.webtracer.cc/-/?bayzm (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://rl.webtracer.cc/-/?bayzm (obfuscated)
O1 - Hosts: 1159680172 auto.search.msn.com
O4 - HKLM\..\Run: [winlogon.exe] C:\WINDOWS\winlogon.exe
O19 - User stylesheet: C:\WINDOWS\inf\info.dat
After you have ticked the above entries, close All other open windows, including this one
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis
Restart your computer into Safe mode (http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001060608000039)
Find and delete these files if found
C:\WINDOWS\inf\info.dat <-file
C:\WINDOWS\winlogon.exe <-file
Stay in safe mode
==Open Windows CleanUp!>>START>>programs>>Cleanup!
Click on the CleanUp button, let it finish scanning for files, when it's done
Don't restart the computer or log off yet
==Open Ad-Aware>>Perform a Full system scan
When it's finished scanning
At this point you should either right click on the screen and choose the "Select All" Objects option or individually put a checkmark in each object's checkbox
click on the Next button. Ad-Aware SE will now present you with a confirmation box as to whether or not you would like to remove the objects you have just selected. Press the "OK" button
RESTART your computer back to Normal mode
Don't open a browser yet, instead access Internet Options via Control Panel
Under the Programs tab "Reset Web Settings"
Under the General tab---Reset home page
I don't see any Anti-Virus on your computer
Could you do the following please
If you have your own AV software, install it now, make sure it's fully updated and run a full system scan
If you don't have your own and need a free solution
I highly recommend that you download and install AVG free
from the link below
http://free.grisoft.com/doc/2/lng/us/tpl/v5
Scroll down and click on
AVG Free Edition installation files
File Version
avg70free_308a468.exe <-this link or similar
Save the installer to desktop, double click to install and follow the prompts
Restart the computer if prompted
After installation, ensure you Check for updates>>> run a Full system scan, let it fix what it finds
Restart the computer again
Post back a fresh Hijackthis log
-
OK,
I have run NortonAntivirus2001, it has found nothing. It should Auto start but it doesn't since I am infected.
Here is the new logfile
Logfile of HijackThis v1.99.1
Scan saved at 12:15:05, on 09/04/05
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\POPROXY.EXE
F:\PROGRAM FILES\CYBERSHOT\SONYTRAY.EXE
C:\PROGRAM FILES\SAGEM WI-FI USB 802.11G\WLANUTL.EXE
C:\WINDOWS\NOTEPAD.EXE
F:\PROGRAM FILES\HIJACK\HIJACKTHIS.EXE
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://rl.webtracer.cc/---/?bayzm (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://rl.webtracer.cc/-/?bayzm (obfuscated)
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = cache.rez-gif.supelec.fr:3128
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
R3 - URLSearchHook: (no name) - {C12B4EC1-1F65-11D3-91CA-00104B9C4765} - C:\Program Files\Copernic 2000\CopernicFind.dll
O4 - HKLM\..\Run: [Norton eMail Protect] C:\Program Files\Norton AntiVirus\POPROXY.EXE
O4 - Startup: Image Transfer.lnk = F:\Program Files\CyberShot\SonyTray.exe
O4 - Startup: Sagem - Utilitaire réseau pour Clé USB Wi-Fi 802.11g.lnk = C:\Program Files\SAGEM Wi-Fi USB 802.11g\WLANUTL.exe
O8 - Extra context menu item: Chercher avec Copernic - file://C:\Program Files\Copernic 2000\Search Extension.htm
O8 - Extra context menu item: &Google Search - res://C:\WINDOWS\DOWNLOADED PROGRAM FILES\GOOGLETOOLBAR_FR_1.1.62-DELEON.DLL/cmsearch.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\WINDOWS\DOWNLOADED PROGRAM FILES\GOOGLETOOLBAR_FR_1.1.62-DELEON.DLL/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\WINDOWS\DOWNLOADED PROGRAM FILES\GOOGLETOOLBAR_FR_1.1.62-DELEON.DLL/cmsimilar.html
O8 - Extra context menu item: Backward &Links - res://C:\WINDOWS\DOWNLOADED PROGRAM FILES\GOOGLETOOLBAR_FR_1.1.62-DELEON.DLL/cmbacklinks.html
O9 - Extra button: RealGuide - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O9 - Extra button: (no name) - {2A465934-E5F0-11D2-91B5-00104B9C4765} - C:\Program Files\Copernic 2000\Copernic.exe
O9 - Extra 'Tools' menuitem: Lancer Copernic - {2A465934-E5F0-11D2-91B5-00104B9C4765} - C:\Program Files\Copernic 2000\Copernic.exe
O9 - Extra button: Copernic - {2A465936-E5F0-11D2-91B5-00104B9C4765} - C:\Program Files\Copernic 2000\Copernic.exe
O9 - Extra button: Traduire - {99EFB53C-C965-43CF-9F45-52242D134187} - file://C:\Program Files\Copernic 2000\Translate.htm
O9 - Extra 'Tools' menuitem: &Traduire avec Gist-In-Time - {99EFB53C-C965-43CF-9F45-52242D134187} - file://C:\Program Files\Copernic 2000\Translate.htm
O11 - Options group: [Accessibilité] Accessibilité
O12 - Plugin for .mid: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .mov: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .wav: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
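Added example, not part of the original thread and not code from HijackThis: a short Python comparison of the first scan, the list of entries that were checked for "FIX CHECKED", and the follow-up scan, reporting which checked entries are gone and which are still present. The log excerpts are trimmed from the scans posted above; the function names are this example's own.

```python
import re

# A HijackThis entry line starts with a section code (R0-R3, F0-F3, N1-N4,
# O1 and up) followed by " - " and the entry detail.
ENTRY_RE = re.compile(r"^(R[0-3]|F[0-3]|N[1-4]|O\d{1,2}) - (.+)$")


def parse_entries(log_text):
    """Return the set of (section, detail) entries found in a HijackThis log."""
    entries = set()
    for raw in log_text.splitlines():
        match = ENTRY_RE.match(raw.strip())
        if match:
            # Collapse whitespace runs so copy/paste damage does not break matching.
            detail = " ".join(match.group(2).split())
            entries.add((match.group(1), detail))
    return entries


def compare_scans(before_log, after_log, checked_log):
    """Compare two scans against the entries that were selected for fixing."""
    before = parse_entries(before_log)
    after = parse_entries(after_log)
    checked = parse_entries(checked_log)
    return {
        "not_in_first_scan": sorted(checked - before),  # copy errors in the fix list
        "removed": sorted(checked - after),             # fixed and gone
        "persisted": sorted(checked & after),           # fixed but still present
        "new": sorted(after - before),                  # appeared since the first scan
    }


# Entries that were checked for fixing (taken from the instructions in the thread).
CHECKED = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://rl.webtracer.cc/--/?bayzm (obfuscated)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://rl.webtracer.cc/-/?bayzm (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://rl.webtracer.cc/---/?bayzm (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://rl.webtracer.cc/--/?bayzm (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://rl.webtracer.cc/-/?bayzm (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://rl.webtracer.cc/-/?bayzm (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://rl.webtracer.cc/-/?bayzm (obfuscated)
O1 - Hosts: 1159680172 auto.search.msn.com
O4 - HKLM\..\Run: [winlogon.exe] C:\WINDOWS\winlogon.exe
O19 - User stylesheet: C:\WINDOWS\inf\info.dat
"""

# Trimmed excerpt of the 08/04/05 scan: the checked entries plus two others.
FIRST_SCAN = CHECKED + r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = cache.rez-gif.supelec.fr:3128
O4 - Startup: Image Transfer.lnk = F:\Program Files\CyberShot\SonyTray.exe
"""

# Trimmed excerpt of the 09/04/05 follow-up scan.
FOLLOW_UP_SCAN = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://rl.webtracer.cc/---/?bayzm (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://rl.webtracer.cc/-/?bayzm (obfuscated)
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = cache.rez-gif.supelec.fr:3128
O4 - HKLM\..\Run: [Norton eMail Protect] C:\Program Files\Norton AntiVirus\POPROXY.EXE
O4 - Startup: Image Transfer.lnk = F:\Program Files\CyberShot\SonyTray.exe
"""

if __name__ == "__main__":
    report = compare_scans(FIRST_SCAN, FOLLOW_UP_SCAN, CHECKED)
    for bucket, entries in report.items():
        print(f"{bucket}: {len(entries)}")
        for section, detail in entries:
            print(f"  {section} - {detail}")
```

Entries in the "persisted" bucket are the ones to follow up on: they were selected for fixing but are still in the next scan.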
-
There is an improvement: I can now choose my home page and search page, and I can delete the added favorites. But Norton has now detected something when starting IE, here is the Quarantine:
Norton AntiVirus Quarantine Report
Created: samedi 9 avril 2005 16:51:51
------------------------------------------------------------------------------
File Name
Location
Status Size Virus Name
User Name Machine Name Domain
Date Quarantined
Date Submitted
------------------------------------------------------------------------------
m[1].bin
C:\WINDOWS\Temporary Internet Files\Content.IE5\WLGDYFWF
Quarantined 39.0 KB Trojan.StartPage.M
darius DARIUS N/A
vendredi 8 avril 2005 20:58:08
Not submitted
------------------------------------------------------------------------------
IEAccess2.dll
C:\WINDOWS\SYSTEM
Quarantined 78.0 KB Download.Trojan
darius DARIUS N/A
mercredi 6 avril 2005 22:39:22
Not submitted
------------------------------------------------------------------------------
m[1].bin
C:\WINDOWS\Temporary Internet Files\Content.IE5\KZ69CJ4R
Quarantined 39.0 KB Trojan.StartPage.M
darius DARIUS N/A
samedi 9 avril 2005 16:45:54
Not submitted
------------------------------------------------------------------------------
DHTMLAccess.dll
C:\WINDOWS\SYSTEM
Quarantined 81.0 KB Download.Trojan
darius DARIUS N/A
mercredi 6 avril 2005 22:39:22
Not submitted
------------------------------------------------------------------------------
jpka.dll
C:\WINDOWS\SYSTEM
Quarantined 39.0 KB Trojan.StartPage.M
darius DARIUS N/A
samedi 9 avril 2005 16:45:58
Not submitted
------------------------------------------------------------------------------
emch.dll
C:\WINDOWS\SYSTEM
Quarantined 39.0 KB Trojan.StartPage.M
darius DARIUS N/A
vendredi 8 avril 2005 20:58:22
Not submitted
------------------------------------------------------------------------------
ZoneAlarm has also blocked several entries from 0.0.0.0 (UDP Port 68)
to 255.255.255.255 (DHCP)
-
Your Anti-Virus software is badly outdated, I bet we're not seeing all the bad guys
You should either upgrade your version of Norton's or uninstall it and use
AVG's newer version both have a better scanning engine
You don't want to run 2 anti-virus on your computer however
Before you do the above
====Download and Install this small program
to help clean your temp folders, cookies, recycle bin
Windows Cleanup (http://www.antispyware.nextdesigns.net/installs/cleanup.php?type=exe)
Install for now, don't run a scan yet
==Download this virus checker from eScan
Mwav.exe (ftp://ftp.microworldsystems.com/download/tools/mwav.exe)
There's nothing to install, Save it to your hard disk for now
We'll need it later
Restart your computer into Safe mode
==Open Windows CleanUp!>>START>>Programs>>Cleanup!
Click on the CleanUp button, let it finish scanning for files, when it's done
Don't restart the computer yet
Double click to run eScan's Mwav scan
It will self extract
Select all local drives, scan all files, press 'SCAN' and when it is completed, anything found will be displayed in the lower pane.
In the Virus Log Information Pane
Left click and Highlight all the info in the Lower pane--- Use "CTRL and the C" keys on your Keyboard to copy all found in the lower pane and save it to a notepad file
****If prompted that a Virus was found and you need to purchase the product to remove the malware, just close out the prompt and let it continue scanning
We just want to see where the bad guys are
Restart back to Normal mode and post back a fresh Hijackthis log and the log from eScan's Mwav scan
-
OK,
eScan installation failed, so I can't run a scan.
AVG scan had found 2 trojans but I don't have the log anymore since I reinstalled it... sorry
Here is the new HJT logfile :
Logfile of HijackThis v1.99.1
Scan saved at 23:04:30, on 11/04/05
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
F:\PROGRAM FILES\CYBERSHOT\SONYTRAY.EXE
F:\PROGRAM FILES\HIJACK\HIJACKTHIS.EXE
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.fr/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = cache.rez-gif.supelec.fr:3128
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
R3 - URLSearchHook: (no name) - {C12B4EC1-1F65-11D3-91CA-00104B9C4765} - C:\Program Files\Copernic 2000\CopernicFind.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - Startup: Image Transfer.lnk = F:\Program Files\CyberShot\SonyTray.exe
O8 - Extra context menu item: Chercher avec Copernic - file://C:\Program Files\Copernic 2000\Search Extension.htm
O8 - Extra context menu item: &Google Search - res://C:\WINDOWS\DOWNLOADED PROGRAM FILES\GOOGLETOOLBAR_FR_1.1.62-DELEON.DLL/cmsearch.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\WINDOWS\DOWNLOADED PROGRAM FILES\GOOGLETOOLBAR_FR_1.1.62-DELEON.DLL/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\WINDOWS\DOWNLOADED PROGRAM FILES\GOOGLETOOLBAR_FR_1.1.62-DELEON.DLL/cmsimilar.html
O8 - Extra context menu item: Backward &Links - res://C:\WINDOWS\DOWNLOADED PROGRAM FILES\GOOGLETOOLBAR_FR_1.1.62-DELEON.DLL/cmbacklinks.html
O9 - Extra button: RealGuide - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O9 - Extra button: (no name) - {2A465934-E5F0-11D2-91B5-00104B9C4765} - C:\Program Files\Copernic 2000\Copernic.exe
O9 - Extra 'Tools' menuitem: Lancer Copernic - {2A465934-E5F0-11D2-91B5-00104B9C4765} - C:\Program Files\Copernic 2000\Copernic.exe
O9 - Extra button: Copernic - {2A465936-E5F0-11D2-91B5-00104B9C4765} - C:\Program Files\Copernic 2000\Copernic.exe
O9 - Extra button: Traduire - {99EFB53C-C965-43CF-9F45-52242D134187} - file://C:\Program Files\Copernic 2000\Translate.htm
O9 - Extra 'Tools' menuitem: &Traduire avec Gist-In-Time - {99EFB53C-C965-43CF-9F45-52242D134187} - file://C:\Program Files\Copernic 2000\Translate.htm
O11 - Options group: [Accessibilité] Accessibilité
O12 - Plugin for .mid: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .mov: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .wav: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O18 - Filter hijack: text/webviewhtml - (no CLSID) - (no file)
-
Sorry, I asked you to download and install Windows CleanUp! twice
Once was good enough
I take it with AVG installed you uninstalled Norton's
You don't need more than one AV running
Do the following
Do another scan with Hijackthis and put a check next to these entries:
O18 - Filter hijack: text/webviewhtml - (no CLSID) - (no file)
After you have ticked the above entries, close All other open windows, including this one
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis
Run Windows CleanUp! one more time
Restart your computer
Post back a fresh Hijackthis log
Not sure why eScan wouldn't run
You must Save it to disk rather than Open when you click the link
Let me know how everything's running
Also, let me know how you're connected to the Internet
Cable>>DSL?
Are you directly connected through a modem or are you running through a Router?
-
OK, the last entry is still there.
AVG has found trojan Startpage.19.AN
in C:\WINDOWS\SYSTEM\knjnf.dll
when I opened IE yesterday.
Nothing has happened today.
Here is the last logfile :
Logfile of HijackThis v1.99.1
Scan saved at 19:12:19, on 13/04/05
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\PROGRAM FILES\ZONEALARM\ZLCLIENT.EXE
F:\PROGRAM FILES\CYBERSHOT\SONYTRAY.EXE
F:\PROGRAM FILES\HIJACK\HIJACKTHIS.EXE
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.fr/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = cache.rez-gif.supelec.fr:3128
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
R3 - URLSearchHook: (no name) - {C12B4EC1-1F65-11D3-91CA-00104B9C4765} - C:\Program Files\Copernic 2000\CopernicFind.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRAM FILES\ZONEALARM\ZLCLIENT.EXE
O4 - HKLM\..\Run: [Norton eMail Protect] C:\Program Files\Norton AntiVirus\POPROXY.EXE
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - Startup: Image Transfer.lnk = F:\Program Files\CyberShot\SonyTray.exe
O8 - Extra context menu item: Chercher avec Copernic - file://C:\Program Files\Copernic 2000\Search Extension.htm
O8 - Extra context menu item: &Google Search - res://C:\WINDOWS\DOWNLOADED PROGRAM FILES\GOOGLETOOLBAR_FR_1.1.62-DELEON.DLL/cmsearch.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\WINDOWS\DOWNLOADED PROGRAM FILES\GOOGLETOOLBAR_FR_1.1.62-DELEON.DLL/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\WINDOWS\DOWNLOADED PROGRAM FILES\GOOGLETOOLBAR_FR_1.1.62-DELEON.DLL/cmsimilar.html
O8 - Extra context menu item: Backward &Links - res://C:\WINDOWS\DOWNLOADED PROGRAM FILES\GOOGLETOOLBAR_FR_1.1.62-DELEON.DLL/cmbacklinks.html
O9 - Extra button: RealGuide - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O9 - Extra button: (no name) - {2A465934-E5F0-11D2-91B5-00104B9C4765} - C:\Program Files\Copernic 2000\Copernic.exe
O9 - Extra 'Tools' menuitem: Lancer Copernic - {2A465934-E5F0-11D2-91B5-00104B9C4765} - C:\Program Files\Copernic 2000\Copernic.exe
O9 - Extra button: Copernic - {2A465936-E5F0-11D2-91B5-00104B9C4765} - C:\Program Files\Copernic 2000\Copernic.exe
O9 - Extra button: Traduire - {99EFB53C-C965-43CF-9F45-52242D134187} - file://C:\Program Files\Copernic 2000\Translate.htm
O9 - Extra 'Tools' menuitem: &Traduire avec Gist-In-Time - {99EFB53C-C965-43CF-9F45-52242D134187} - file://C:\Program Files\Copernic 2000\Translate.htm
O11 - Options group: [Accessibilité] Accessibilité
O12 - Plugin for .mid: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .mov: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .wav: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O17 - HKLM\System\CCS\Services\VxD\MSTCP: SearchList = 192.168
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 192.168.3.1
O18 - Filter hijack: text/webviewhtml - (no CLSID) - (no file)
-
Open Notepad (START>>>RUN>>>type in notepad)
Hit OK
Copy the contents of the CODE box to notepad
In Notepad click FILE>>SAVE AS
IMPORTANT>>>Change the Save as Type to All Files.
Name the file as fix.reg
Save this file on the desktop
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Filter\text/webviewhtml]
@="WebView MIME Filter"
"CLSID"="{733AC4CB-F1A4-11d0-B951-00A0C90312E1}"
Double click on fix.reg and allow to merge to the registry
Restart your computer
Back in Windows
Can you please
download Startdreck.zip (http://www.niksoft.at/php/dl.php?f=startdreck.zip)
UNZIP to its own folder.... DoubleClick: 'StartDreck.exe'
Hit: -config
hit: -Unmark all
Check these boxes only:
*Registry->run keys
*Registry->Browser helper objects
*System/drivers> Running processes
hit >ok.
Use the "save" tab, to save, name and post this log
Copy and Paste the contents of that log back here
Download and save to Desktop DLLCompare (http://downloads.subratam.org/DllCompare.exe)
Start the Program and click the Run Locate.com
Let it complete the SCAN, which won't take long
Click the Compare button to start the next process.This will take a bit longer.
The results appear in two panes - files in the upper pane have been verified to 'exist'.
Files in the lower pane were 'not able to be accessed'.
Very few files should be listed in the lower pane,if any, when the Compare scan is complete.
Click on each of the listed entries in the lower pane to select them. Right-click on the file and use the option Rescan. This will cause Windows Find to see if the file does exist, and then if so it will be removed from the list to reduce the number of identified files.
Click the Make a Log of what was found button
Post back this log
Could you also post a fresh Hijackthis log too
I'm checking on something to ensure that you're clean
-
OK,
I've run the .reg file,
DLLCompare hasn't found any files that were 'not able to be accessed';
I'm connected to the Internet by French ADSL and I'm connected with a modem, by Wi-Fi.
Here is StartDreck log file, and then HJT 's one
StartDreck (build 2.1.7 public stable) - 2005-04-14 @ 19:23:46 (GMT +02:00)
Platform: Windows 98 (Win 4.10.1998 )
Internet Explorer: 6.0.2600.0000
Logged in as darius at DARIUS
»Registry
»Run Keys
»Current User
»Run
»RunOnce
»Default User
»Run
»RunOnce
»Local Machine
»Run
*AVG7_CC=C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
*AVG7_EMC=C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
*AVG7_AMSVR=C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
*Zone Labs Client=C:\PROGRAM FILES\ZONEALARM\ZLCLIENT.EXE
*Norton eMail Protect=C:\Program Files\Norton AntiVirus\POPROXY.EXE
»RunOnce
»RunServices
*TrueVector=C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
»RunServicesOnce
**iz=rundll32 C:\WINDOWS\JAUTOEDP.DAT,DllGetClassObject
»RunOnceEx
»RunServicesOnceEx
»Browser Helper Objects (LM)
»Files
»System/Drivers
»Running Processes
+FF0F6E1D=C:\WINDOWS\SYSTEM\KERNEL32.DLL
+FF00AE7D=C:\WINDOWS\SYSTEM\MSGSRV32.EXE
+FF00A38D=C:\WINDOWS\SYSTEM\MPREXE.EXE
+FF00D4ED=C:\WINDOWS\SYSTEM\mmtask.tsk
+FF00D339=C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
+FF006FD5=C:\WINDOWS\RUNDLL32.EXE
+FF013399=C:\WINDOWS\EXPLORER.EXE
+FF029451=C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
+FFFF5611=C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE
+FF03B98D=C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
+FF020DF1=C:\PROGRAM FILES\ZONEALARM\ZLCLIENT.EXE
+FF0240AD=F:\PROGRAM FILES\CYBERSHOT\SONYTRAY.EXE
+FF05B07D=C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
+FF0528A5=F:\PROGRAM FILES\STARTDRECK\STARTDRECK.EXE
»Application specific
Logfile of HijackThis v1.99.1
Scan saved at 19:37:28, on 14/04/05
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\PROGRAM FILES\ZONEALARM\ZLCLIENT.EXE
F:\PROGRAM FILES\CYBERSHOT\SONYTRAY.EXE
F:\PROGRAM FILES\HIJACK\HIJACKTHIS.EXE
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.fr/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = cache.rez-gif.supelec.fr:3128
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
R3 - URLSearchHook: (no name) - {C12B4EC1-1F65-11D3-91CA-00104B9C4765} - C:\Program Files\Copernic 2000\CopernicFind.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRAM FILES\ZONEALARM\ZLCLIENT.EXE
O4 - HKLM\..\Run: [Norton eMail Protect] C:\Program Files\Norton AntiVirus\POPROXY.EXE
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - Startup: Image Transfer.lnk = F:\Program Files\CyberShot\SonyTray.exe
O8 - Extra context menu item: Chercher avec Copernic - file://C:\Program Files\Copernic 2000\Search Extension.htm
O8 - Extra context menu item: &Google Search - res://C:\WINDOWS\DOWNLOADED PROGRAM FILES\GOOGLETOOLBAR_FR_1.1.62-DELEON.DLL/cmsearch.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\WINDOWS\DOWNLOADED PROGRAM FILES\GOOGLETOOLBAR_FR_1.1.62-DELEON.DLL/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\WINDOWS\DOWNLOADED PROGRAM FILES\GOOGLETOOLBAR_FR_1.1.62-DELEON.DLL/cmsimilar.html
O8 - Extra context menu item: Backward &Links - res://C:\WINDOWS\DOWNLOADED PROGRAM FILES\GOOGLETOOLBAR_FR_1.1.62-DELEON.DLL/cmbacklinks.html
O9 - Extra button: RealGuide - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O9 - Extra button: (no name) - {2A465934-E5F0-11D2-91B5-00104B9C4765} - C:\Program Files\Copernic 2000\Copernic.exe
O9 - Extra 'Tools' menuitem: Lancer Copernic - {2A465934-E5F0-11D2-91B5-00104B9C4765} - C:\Program Files\Copernic 2000\Copernic.exe
O9 - Extra button: Copernic - {2A465936-E5F0-11D2-91B5-00104B9C4765} - C:\Program Files\Copernic 2000\Copernic.exe
O9 - Extra button: Traduire - {99EFB53C-C965-43CF-9F45-52242D134187} - file://C:\Program Files\Copernic 2000\Translate.htm
O9 - Extra 'Tools' menuitem: &Traduire avec Gist-In-Time - {99EFB53C-C965-43CF-9F45-52242D134187} - file://C:\Program Files\Copernic 2000\Translate.htm
O11 - Options group: [Accessibilité] Accessibilité
O12 - Plugin for .mid: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .mov: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .wav: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O17 - HKLM\System\CCS\Services\VxD\MSTCP: SearchList = 192.168
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 192.168.3.1
O18 - Filter hijack: text/webviewhtml - (no CLSID) - (no file)
-
Download and save to desktop CWShredder.exe
We'll need this later
Download and UNZIP to Desktop Remove.zip
So you now have Remove.reg on the desktop
We'll need this later
Please Print the rest of this out or write it down
I need you to Restart your computer into MS-Dos Mode
START>>Shutdown>>select Restart in MS-DOS mode
OK
At restart you should be at this prompt
C:\WINDOWS>
Type in the below excluding the (Enter), that indicates hitting Enter on your Keyboard>>>Take note of all the spaces too
attrib -r -s -h C:\WINDOWS\JAUTOEDP.DAT (Enter)
del JAUTOEDP.DAT (Enter)
If you want a rundown of what that should all look like with all the spaces, I've included below the same commands with = signs indicating where there should be a single space, you will not input the = sign, just the space
======================================================
attrib=-r=-s=-h=C:\WINDOWS\JAUTOEDP.DAT
del=JAUTOEDP.DAT
======================================================
Use CTRL+ALT+DEL to Restart your computer back to Normal mode
Double click on Remove.reg and allow to merge to the registry
Run CWShredder and click the FIX button, let it fix what it finds
Restart your computer again
Post back a fresh hijackthis log and a Fresh Startdreck log
-
OK,
CWShredder hasn't found anything.
Here are HijackThis and Startdreck log :
Logfile of HijackThis v1.99.1
Scan saved at 13:00:55, on 16/04/05
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\PROGRAM FILES\ZONEALARM\ZLCLIENT.EXE
F:\PROGRAM FILES\CYBERSHOT\SONYTRAY.EXE
F:\PROGRAM FILES\HIJACK\HIJACKTHIS.EXE
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.fr/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = cache.rez-gif.supelec.fr:3128
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
R3 - URLSearchHook: (no name) - {C12B4EC1-1F65-11D3-91CA-00104B9C4765} - C:\Program Files\Copernic 2000\CopernicFind.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - F:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRAM FILES\ZONEALARM\ZLCLIENT.EXE
O4 - HKLM\..\Run: [Norton eMail Protect] C:\Program Files\Norton AntiVirus\POPROXY.EXE
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - Startup: Image Transfer.lnk = F:\Program Files\CyberShot\SonyTray.exe
O8 - Extra context menu item: Chercher avec Copernic - file://C:\Program Files\Copernic 2000\Search Extension.htm
O8 - Extra context menu item: &Google Search - res://C:\WINDOWS\DOWNLOADED PROGRAM FILES\GOOGLETOOLBAR_FR_1.1.62-DELEON.DLL/cmsearch.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\WINDOWS\DOWNLOADED PROGRAM FILES\GOOGLETOOLBAR_FR_1.1.62-DELEON.DLL/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\WINDOWS\DOWNLOADED PROGRAM FILES\GOOGLETOOLBAR_FR_1.1.62-DELEON.DLL/cmsimilar.html
O8 - Extra context menu item: Backward &Links - res://C:\WINDOWS\DOWNLOADED PROGRAM FILES\GOOGLETOOLBAR_FR_1.1.62-DELEON.DLL/cmbacklinks.html
O9 - Extra button: RealGuide - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O9 - Extra button: (no name) - {2A465934-E5F0-11D2-91B5-00104B9C4765} - C:\Program Files\Copernic 2000\Copernic.exe
O9 - Extra 'Tools' menuitem: Lancer Copernic - {2A465934-E5F0-11D2-91B5-00104B9C4765} - C:\Program Files\Copernic 2000\Copernic.exe
O9 - Extra button: Copernic - {2A465936-E5F0-11D2-91B5-00104B9C4765} - C:\Program Files\Copernic 2000\Copernic.exe
O9 - Extra button: Traduire - {99EFB53C-C965-43CF-9F45-52242D134187} - file://C:\Program Files\Copernic 2000\Translate.htm
O9 - Extra 'Tools' menuitem: &Traduire avec Gist-In-Time - {99EFB53C-C965-43CF-9F45-52242D134187} - file://C:\Program Files\Copernic 2000\Translate.htm
O11 - Options group: [Accessibilité] Accessibilité
O12 - Plugin for .mid: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .mov: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .wav: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O17 - HKLM\System\CCS\Services\VxD\MSTCP: SearchList = 192.168
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 192.168.3.1
O18 - Filter hijack: text/webviewhtml - (no CLSID) - (no file)
StartDreck (build 2.1.7 public stable) - 2005-04-16 @ 13:01:52 (GMT +02:00)
Platform: Windows 98 (Win 4.10.1998 )
Internet Explorer: 6.0.2600.0000
Logged in as darius at DARIUS
»Registry
»Run Keys
»Current User
»Run
»RunOnce
»Default User
»Run
»RunOnce
»Local Machine
»Run
*AVG7_CC=C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
*AVG7_EMC=C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
*AVG7_AMSVR=C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
*Zone Labs Client=C:\PROGRAM FILES\ZONEALARM\ZLCLIENT.EXE
*Norton eMail Protect=C:\Program Files\Norton AntiVirus\POPROXY.EXE
»RunOnce
»RunServices
*TrueVector=C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
»RunServicesOnce
»RunOnceEx
»RunServicesOnceEx
»File Associations (CR)
+.bat
*batfile="%1" %*
+.com
*comfile="%1" %*
+.disabled
*SpybotSD.DisabledFile="F:\PROGRAM FILES\SPYBOT - SEARCH & DESTROY\blindman.exe" "%1"
+.exe
*exefile="%1" %*
+.hta
*htafile=C:\WINDOWS\SYSTEM\MSHTA.EXE "%1" %*
+.htm
*htmlfile="C:\PROGRA~1\INTERN~1\iexplore.exe" -nohome
+.html
*htmlfile="C:\PROGRA~1\INTERN~1\iexplore.exe" -nohome
+.js
*JSFile=C:\WINDOWS\WScript.exe "%1" %*
+.jse
*JSEFile=C:\WINDOWS\WScript.exe "%1" %*
+.pif
*piffile="%1" %*
+.reg
*regfile=regedit.exe "%1"
+.scr
*scrfile="%1" /S
+.txt
*txtfile=C:\WINDOWS\NOTEPAD.EXE %1
+.vbs
*VBSFile=C:\WINDOWS\WScript.exe "%1" %*
+.vbe
*VBEFile=C:\WINDOWS\WScript.exe "%1" %*
+.wsh
*WSHFile=C:\WINDOWS\WScript.exe "%1" %*
+.wsf
*WSFFile=C:\WINDOWS\WScript.exe "%1" %*
+.lnk
`lnkfile= [key or value does not exist]
»Browser Helper Objects (LM)
*{53707962-6F74-2D53-2644-206D7942484F}
`InprocServer32=F:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
»Files
»Autostart Folders
»Current User
*C:\WINDOWS\Menu Démarrer\Programmes\Démarrage\Image Transfer.lnk
»Default User
*C:\WINDOWS\Menu Démarrer\Programmes\Démarrage\Image Transfer.lnk
»Local Machine
»INI-Files
»WIN.INI\[windows]
*LOAD=
*RUN=
»SYSTEM.INI\[boot]
*SHELL=explorer.exe
»Text Files
*C:\msdos.sys
*C:\config.sys
*C:\autoexec.bat
*C:\WINDOWS\SYSTEM\autoexec.nt
*C:\WINDOWS\wininit.bak
*C:\WINDOWS\dosstart.bat
*C:\WINDOWS\hosts
»System/Drivers
»Running Processes
+FF0F6E61=C:\WINDOWS\SYSTEM\KERNEL32.DLL
+FF00AE01=C:\WINDOWS\SYSTEM\MSGSRV32.EXE
+FF00A3F1=C:\WINDOWS\SYSTEM\MPREXE.EXE
+FF009965=C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
+FF003559=C:\WINDOWS\SYSTEM\mmtask.tsk
+FF012E5D=C:\WINDOWS\EXPLORER.EXE
+FF015E11=C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
+FF013365=C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE
+FF02D9A1=C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
+FF022939=C:\PROGRAM FILES\ZONEALARM\ZLCLIENT.EXE
+FF0244E1=F:\PROGRAM FILES\CYBERSHOT\SONYTRAY.EXE
+FF05FB29=C:\WINDOWS\NOTEPAD.EXE
+FF05FAC1=F:\PROGRAM FILES\STARTDRECK\STARTDRECK.EXE
»NT Services
»Application specific
-
Startdreck looks clean now
Can you ensure you still have fix.reg
Make sure you saved it as all files
and named it fix.reg
from the post before
Restart your computer into SAFE MODE (http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001060608000039)
In safe
Do another scan with Hijackthis and put a check next to these entries:
O18 - Filter hijack: text/webviewhtml - (no CLSID) - (no file)
After you have ticked the above entries, close All other open windows, including this one
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis
Double click on fix.reg and allow to merge to the registry
Restart back to Normal mode and post a fresh hijackthis log
Question:
You appear to be running through a proxy server
Indicated by this line in hijackthis
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = cache.rez-gif.supelec.fr:3128
Do you recognize the proxy server you're running through?
-
OK, I have run HijackThis and the fix.reg file one more time, in safe mode. The last entry is still there.
I am not running through the proxy of the log anymore.
Logfile of HijackThis v1.99.1
Scan saved at 22:56:40, on 18/04/05
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\PROGRAM FILES\ZONEALARM\ZLCLIENT.EXE
F:\PROGRAM FILES\CYBERSHOT\SONYTRAY.EXE
F:\PROGRAM FILES\HIJACK\HIJACKTHIS.EXE
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.fr/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = cache.rez-gif.supelec.fr:3128
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
R3 - URLSearchHook: (no name) - {C12B4EC1-1F65-11D3-91CA-00104B9C4765} - C:\Program Files\Copernic 2000\CopernicFind.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - F:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRAM FILES\ZONEALARM\ZLCLIENT.EXE
O4 - HKLM\..\Run: [Norton eMail Protect] C:\Program Files\Norton AntiVirus\POPROXY.EXE
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - Startup: Image Transfer.lnk = F:\Program Files\CyberShot\SonyTray.exe
O8 - Extra context menu item: Chercher avec Copernic - file://C:\Program Files\Copernic 2000\Search Extension.htm
O8 - Extra context menu item: &Google Search - res://C:\WINDOWS\DOWNLOADED PROGRAM FILES\GOOGLETOOLBAR_FR_1.1.62-DELEON.DLL/cmsearch.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\WINDOWS\DOWNLOADED PROGRAM FILES\GOOGLETOOLBAR_FR_1.1.62-DELEON.DLL/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\WINDOWS\DOWNLOADED PROGRAM FILES\GOOGLETOOLBAR_FR_1.1.62-DELEON.DLL/cmsimilar.html
O8 - Extra context menu item: Backward &Links - res://C:\WINDOWS\DOWNLOADED PROGRAM FILES\GOOGLETOOLBAR_FR_1.1.62-DELEON.DLL/cmbacklinks.html
O9 - Extra button: RealGuide - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O9 - Extra button: (no name) - {2A465934-E5F0-11D2-91B5-00104B9C4765} - C:\Program Files\Copernic 2000\Copernic.exe
O9 - Extra 'Tools' menuitem: Lancer Copernic - {2A465934-E5F0-11D2-91B5-00104B9C4765} - C:\Program Files\Copernic 2000\Copernic.exe
O9 - Extra button: Copernic - {2A465936-E5F0-11D2-91B5-00104B9C4765} - C:\Program Files\Copernic 2000\Copernic.exe
O9 - Extra button: Traduire - {99EFB53C-C965-43CF-9F45-52242D134187} - file://C:\Program Files\Copernic 2000\Translate.htm
O9 - Extra 'Tools' menuitem: &Traduire avec Gist-In-Time - {99EFB53C-C965-43CF-9F45-52242D134187} - file://C:\Program Files\Copernic 2000\Translate.htm
O11 - Options group: [Accessibilité] Accessibilité
O12 - Plugin for .mid: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .mov: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .wav: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O17 - HKLM\System\CCS\Services\VxD\MSTCP: SearchList = 192.168
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 192.168.3.1
O18 - Filter hijack: text/webviewhtml - (no CLSID) - (no file)
-
Can you try this please
Download and UNZIP to desktop
018fix.zip
So you now have 018fix.reg on the desktop
Double click on 018 fix and allow to merge to the registry
Restart your computer
Back in Windows post back a fresh Hijackthis log
After that
Double click on fix.reg and allow to merge to the registry and post back another hijackthis log afterwards
I just want to compare the 2
-
OK,
Here is the first one :
Logfile of HijackThis v1.99.1
Scan saved at 20:11:58, on 19/04/05
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\PROGRAM FILES\ZONEALARM\ZLCLIENT.EXE
F:\PROGRAM FILES\CYBERSHOT\SONYTRAY.EXE
F:\PROGRAM FILES\HIJACK\HIJACKTHIS.EXE
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.fr/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = cache.rez-gif.supelec.fr:3128
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
R3 - URLSearchHook: (no name) - {C12B4EC1-1F65-11D3-91CA-00104B9C4765} - C:\Program Files\Copernic 2000\CopernicFind.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - F:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRAM FILES\ZONEALARM\ZLCLIENT.EXE
O4 - HKLM\..\Run: [Norton eMail Protect] C:\Program Files\Norton AntiVirus\POPROXY.EXE
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - Startup: Image Transfer.lnk = F:\Program Files\CyberShot\SonyTray.exe
O8 - Extra context menu item: Chercher avec Copernic - file://C:\Program Files\Copernic 2000\Search Extension.htm
O8 - Extra context menu item: &Google Search - res://C:\WINDOWS\DOWNLOADED PROGRAM FILES\GOOGLETOOLBAR_FR_1.1.62-DELEON.DLL/cmsearch.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\WINDOWS\DOWNLOADED PROGRAM FILES\GOOGLETOOLBAR_FR_1.1.62-DELEON.DLL/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\WINDOWS\DOWNLOADED PROGRAM FILES\GOOGLETOOLBAR_FR_1.1.62-DELEON.DLL/cmsimilar.html
O8 - Extra context menu item: Backward &Links - res://C:\WINDOWS\DOWNLOADED PROGRAM FILES\GOOGLETOOLBAR_FR_1.1.62-DELEON.DLL/cmbacklinks.html
O9 - Extra button: RealGuide - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O9 - Extra button: (no name) - {2A465934-E5F0-11D2-91B5-00104B9C4765} - C:\Program Files\Copernic 2000\Copernic.exe
O9 - Extra 'Tools' menuitem: Lancer Copernic - {2A465934-E5F0-11D2-91B5-00104B9C4765} - C:\Program Files\Copernic 2000\Copernic.exe
O9 - Extra button: Copernic - {2A465936-E5F0-11D2-91B5-00104B9C4765} - C:\Program Files\Copernic 2000\Copernic.exe
O9 - Extra button: Traduire - {99EFB53C-C965-43CF-9F45-52242D134187} - file://C:\Program Files\Copernic 2000\Translate.htm
O9 - Extra 'Tools' menuitem: &Traduire avec Gist-In-Time - {99EFB53C-C965-43CF-9F45-52242D134187} - file://C:\Program Files\Copernic 2000\Translate.htm
O11 - Options group: [Accessibilité] Accessibilité
O12 - Plugin for .mid: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .mov: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .wav: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O17 - HKLM\System\CCS\Services\VxD\MSTCP: SearchList = 192.168
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 192.168.3.1
Here is the next one :
Logfile of HijackThis v1.99.1
Scan saved at 20:12:39, on 19/04/05
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\PROGRAM FILES\ZONEALARM\ZLCLIENT.EXE
F:\PROGRAM FILES\CYBERSHOT\SONYTRAY.EXE
F:\PROGRAM FILES\HIJACK\HIJACKTHIS.EXE
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.fr/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = cache.rez-gif.supelec.fr:3128
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
R3 - URLSearchHook: (no name) - {C12B4EC1-1F65-11D3-91CA-00104B9C4765} - C:\Program Files\Copernic 2000\CopernicFind.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - F:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRAM FILES\ZONEALARM\ZLCLIENT.EXE
O4 - HKLM\..\Run: [Norton eMail Protect] C:\Program Files\Norton AntiVirus\POPROXY.EXE
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - Startup: Image Transfer.lnk = F:\Program Files\CyberShot\SonyTray.exe
O8 - Extra context menu item: Chercher avec Copernic - file://C:\Program Files\Copernic 2000\Search Extension.htm
O8 - Extra context menu item: &Google Search - res://C:\WINDOWS\DOWNLOADED PROGRAM FILES\GOOGLETOOLBAR_FR_1.1.62-DELEON.DLL/cmsearch.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\WINDOWS\DOWNLOADED PROGRAM FILES\GOOGLETOOLBAR_FR_1.1.62-DELEON.DLL/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\WINDOWS\DOWNLOADED PROGRAM FILES\GOOGLETOOLBAR_FR_1.1.62-DELEON.DLL/cmsimilar.html
O8 - Extra context menu item: Backward &Links - res://C:\WINDOWS\DOWNLOADED PROGRAM FILES\GOOGLETOOLBAR_FR_1.1.62-DELEON.DLL/cmbacklinks.html
O9 - Extra button: RealGuide - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O9 - Extra button: (no name) - {2A465934-E5F0-11D2-91B5-00104B9C4765} - C:\Program Files\Copernic 2000\Copernic.exe
O9 - Extra 'Tools' menuitem: Lancer Copernic - {2A465934-E5F0-11D2-91B5-00104B9C4765} - C:\Program Files\Copernic 2000\Copernic.exe
O9 - Extra button: Copernic - {2A465936-E5F0-11D2-91B5-00104B9C4765} - C:\Program Files\Copernic 2000\Copernic.exe
O9 - Extra button: Traduire - {99EFB53C-C965-43CF-9F45-52242D134187} - file://C:\Program Files\Copernic 2000\Translate.htm
O9 - Extra 'Tools' menuitem: &Traduire avec Gist-In-Time - {99EFB53C-C965-43CF-9F45-52242D134187} - file://C:\Program Files\Copernic 2000\Translate.htm
O11 - Options group: [Accessibilité] Accessibilité
O12 - Plugin for .mid: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .mov: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .wav: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O17 - HKLM\System\CCS\Services\VxD\MSTCP: SearchList = 192.168
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 192.168.3.1
O18 - Filter hijack: text/webviewhtml - (no CLSID) - (no file)
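The comparison of the two 19/04/05 logs asked for above can be done mechanically. The following is an added example, not part of any post in this thread: it parses HijackThis entry lines, strips the URL echo the forum software appended to some pasted lines, and reports which entries differ. The function names are hypothetical, and the sample logs are abridged from the two logs above, with the echo deliberately kept on one line.

```python
import re
from collections import Counter

# HijackThis entry lines begin with a section code (R0, R1, O4, O18, ...)
# followed by " - ". Header and running-process lines do not match.
ENTRY_RE = re.compile(r"^(?P<code>[RNFO]\d{1,2}) - (?P<body>.+)$")

# The forum rendering appended ` (http://\"<url>\")` after URLs in pasted
# logs. It is not HijackThis output, so drop it before comparing.
FORUM_ECHO_RE = re.compile(r'\s*\(http://\\"[^"]*\\"\)')

# Constructed sample: abridged from the log saved at 20:11:58 (after the
# 018fix merge). The R0 line keeps the forum echo on purpose.
LOG_AFTER_018FIX = r'''
Logfile of HijackThis v1.99.1
Scan saved at 20:11:58, on 19/04/05
Running processes:
C:\WINDOWS\EXPLORER.EXE
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.fr/ (http://\"http://www.google.fr/\")
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = cache.rez-gif.supelec.fr:3128
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 192.168.3.1
'''

# Constructed sample: abridged from the log saved at 20:12:39 (after the
# fix.reg merge). The R0 line is shown without the echo.
LOG_AFTER_FIXREG = r'''
Logfile of HijackThis v1.99.1
Scan saved at 20:12:39, on 19/04/05
Running processes:
C:\WINDOWS\EXPLORER.EXE
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.fr/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = cache.rez-gif.supelec.fr:3128
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 192.168.3.1
O18 - Filter hijack: text/webviewhtml - (no CLSID) - (no file)
'''


def parse_entries(log_text):
    """Return [(section_code, body), ...] for every entry line in a log."""
    entries = []
    for raw in log_text.splitlines():
        line = FORUM_ECHO_RE.sub("", raw.strip())
        match = ENTRY_RE.match(line)
        if match:
            entries.append((match.group("code"), match.group("body")))
    return entries


def diff_logs(before, after):
    """Return (removed, added) entries between two logs.

    Counters are used so that a line appearing twice in one log and once
    in the other is still reported.
    """
    old = Counter(parse_entries(before))
    new = Counter(parse_entries(after))
    removed = sorted((old - new).elements())
    added = sorted((new - old).elements())
    return removed, added


def unresolved(entries):
    """Entries that HijackThis itself reports as pointing at no file."""
    return [e for e in entries if e[1].endswith("(no file)")]


if __name__ == "__main__":
    removed, added = diff_logs(LOG_AFTER_018FIX, LOG_AFTER_FIXREG)
    for code, body in removed:
        print(f"- {code} - {body}")
    for code, body in added:
        print(f"+ {code} - {body}")
```

Without the echo normalisation the R0 start-page line would show up as both removed and added, hiding the one real difference (the O18 entry).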
-
I remember you said you weren't going through the proxy any more
You can have hijackthis fix these entries with all other windows closed
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = cache.rez-gif.supelec.fr:3128
O18 - Filter hijack: text/webviewhtml - (no CLSID) - (no file)
After you have fixed checked the above
Merge 018 fix to the registry again
Restart your computer and post back a fresh hijackthis log
-
Ok, here is the new log.
Everything seems to work quite well, I haven't had any alert for a few days now.
Logfile of HijackThis v1.99.1
Scan saved at 22:10:47, on 21/04/05
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\PROGRAM FILES\ZONEALARM\ZLCLIENT.EXE
F:\PROGRAM FILES\CYBERSHOT\SONYTRAY.EXE
F:\PROGRAM FILES\HIJACK\HIJACKTHIS.EXE
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.fr/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
R3 - URLSearchHook: (no name) - {C12B4EC1-1F65-11D3-91CA-00104B9C4765} - C:\Program Files\Copernic 2000\CopernicFind.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - F:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRAM FILES\ZONEALARM\ZLCLIENT.EXE
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
O4 - Startup: Image Transfer.lnk = F:\Program Files\CyberShot\SonyTray.exe
O8 - Extra context menu item: Chercher avec Copernic - file://C:\Program Files\Copernic 2000\Search Extension.htm
O8 - Extra context menu item: &Google Search - res://C:\WINDOWS\DOWNLOADED PROGRAM FILES\GOOGLETOOLBAR_FR_1.1.62-DELEON.DLL/cmsearch.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\WINDOWS\DOWNLOADED PROGRAM FILES\GOOGLETOOLBAR_FR_1.1.62-DELEON.DLL/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\WINDOWS\DOWNLOADED PROGRAM FILES\GOOGLETOOLBAR_FR_1.1.62-DELEON.DLL/cmsimilar.html
O8 - Extra context menu item: Backward &Links - res://C:\WINDOWS\DOWNLOADED PROGRAM FILES\GOOGLETOOLBAR_FR_1.1.62-DELEON.DLL/cmbacklinks.html
O9 - Extra button: RealGuide - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O9 - Extra button: (no name) - {2A465934-E5F0-11D2-91B5-00104B9C4765} - C:\Program Files\Copernic 2000\Copernic.exe
O9 - Extra 'Tools' menuitem: Lancer Copernic - {2A465934-E5F0-11D2-91B5-00104B9C4765} - C:\Program Files\Copernic 2000\Copernic.exe
O9 - Extra button: Copernic - {2A465936-E5F0-11D2-91B5-00104B9C4765} - C:\Program Files\Copernic 2000\Copernic.exe
O9 - Extra button: Traduire - {99EFB53C-C965-43CF-9F45-52242D134187} - file://C:\Program Files\Copernic 2000\Translate.htm
O9 - Extra 'Tools' menuitem: &Traduire avec Gist-In-Time - {99EFB53C-C965-43CF-9F45-52242D134187} - file://C:\Program Files\Copernic 2000\Translate.htm
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O11 - Options group: [Accessibilité] Accessibilité
O12 - Plugin for .mid: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .mov: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .wav: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O17 - HKLM\System\CCS\Services\VxD\MSTCP: SearchList = 192.168
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 192.168.3.1
-
That looks good now Darius,
If everything is running better
You should set up protection against future attacks
SpywareBlaster 3.3 by JavaCool (http://www.javacoolsoftware.com/spywareblaster.html)
*Will block bad ActiveX Controls
*Block Malevolent cookies in Internet Explorer and Firefox
*Restrict actions of potentially dangerous sites in Internet Explorer
IE-Spyad---IE-SPYAD puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
Here is a tutorial and download link
TUTORIAL==Link to Tutorial (http://www.bleepingcomputer.com/forums/index.php?showtutorial=53)
Download link (https://netfiles.uiuc.edu/ehowes/www/resource.htm#IESPYAD)
With both, Check for updates every couple of weeks
Keep the link to IE-Spyad bookmarked so you can check for updates
SpywareBlaster, after every update just simply enable all protection
Note: With IE-Spyad installed you may find if you try a scan with hijackthis, it may take a long time or freeze
This is because IE-Spyad adds a long list to the registry and Hijackthis checks this part of the registry>>Seems to be a Windows 98 thing regarding the freezing
IE-Spyad is great on any computer
Another note: I'll leave this topic open for a few days
Good work on getting the latest Critical updates and Service packs from Windows updates
This entry in your log
O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
Is set by a Critical update from Windows updates, it's legit, but some running Windows 98 have experienced crashes on their computers with it running
I haven't on my 98SE machine, but let me know if you do in the next few days, thanks
-
Everything seems to be OK right now.
Thank you very much for your help, Questolo.
Darius
-
Thanks for posting back Darius, I'll lock this topic as your problems appear to be resolved
If you need it reopened, Please PM myself or the site Admin and supply a link to this thread
Take Care
:)