
Thread: Pipas.A removal problems (search hijack)

  1. #1
    Junior Member
    Join Date
    Feb 2006
    Posts
    5

    Pipas.A removal problems (search hijack)

    Please help.

    I'm having problems with a browser hijack (search hijack). Whenever googling, I get re-directed to the same (commercial) search sites instead of the one I clicked. Only the third time does it go to the right one.

    I noticed that when opening google for the first time after a re-boot, it does something I've never noticed before: it searches for google and downloads something. But it takes longer than usual, that's why I noticed.

    I've used Ad-Aware and Spybot S&D several times this weekend (all in all about 20 hrs of run time), each time it found Pipas.A but it returned after rebooting. I understand this is a particularly nasty trojan.

    I do have HijackThis, and understand a log is probably needed for anyone that helps.

    Peter,
    The Netherlands.

  2. #2
    Junior Member
    Join Date
    Feb 2006
    Posts
    5

    Log-file from infected computer

    Here is the log-file from my infected computer; should I run Spybot and Ad-Aware before making a log and posting it? In this log and in the present state, Pipas.A is present.
    -----------------------------------


    Logfile of HijackThis v1.99.1
    Scan saved at 23:42:15, on 14-02-06
    Platform: Windows ME (Win9x 4.90.3000)
    MSIE: Internet Explorer v5.50 (5.50.4134.0600)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\WINDOWS\SYSTEM\SSDPSRV.EXE
    C:\WINDOWS\SYSTEM\STIMON.EXE
    C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS\SYSTEM\INTERNAT.EXE
    C:\WINDOWS\SYSTEM\IRMON.EXE
    C:\WINDOWS\SYSTEM\QTTASK.EXE
    C:\WINDOWS\SYSTEM\LEXBCES.EXE
    C:\WINDOWS\SYSTEM\RPCSS.EXE
    C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\WORKS SHARED\WKCALREM.EXE
    C:\PROGRAM FILES\CASIO\PHOTO LOADER\PLAUTO.EXE
    C:\PROGRAM FILES\SITECOM WIRELESS LAN\WLANUTL.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\WINDOWS\SYSTEM\LEXPPS.EXE
    C:\PROGRAM FILES\HIJACKTHIS\HIJACKTHIS.EXE

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.skynet.be
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
    R3 - URLSearchHook: (no name) - {EAF1FBD8-03D7-5E1D-ADB3-F704F13C3FDC} - Dest068.dll (file missing)
    R3 - URLSearchHook: (no name) - {88214AA4-A8CE-00E9-3374-CD23701C3CCA} - DTOURS.dll (file missing)
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0 CE\READER\ACTIVEX\ACROIEHELPER.DLL
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
    O3 - Toolbar: @msdxmLC.dll,-1@1043,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
    O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
    O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
    O4 - HKLM\..\Run: [internat.exe] internat.exe
    O4 - HKLM\..\Run: [LexStart] Lexstart.exe
    O4 - HKLM\..\Run: [SYSTEMS.EXE] C:\PROGRAM FILES\KEYBOARD SPECTATOR PRO\SYSTEMS.EXE
    O4 - HKLM\..\Run: [Control Center] C:\Program Files\ASUS\WLAN Card Utilities\Center.exe
    O4 - HKLM\..\Run: [IrMon] irmon.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
    O4 - HKLM\..\Run: [zantu] JAguAr.exe
    O4 - HKLM\..\Run: [DCC_send] prgsys0984.exe
    O4 - HKLM\..\Run: [csyri.exe] csyri.exe
    O4 - HKLM\..\Run: [MsgCenterExe] "C:\Program Files\Common Files\Real\Update_OB\RealOneMessageCenter.exe" -osboot
    O4 - HKLM\..\Run: [driver64] cmon14.exe
    O4 - HKLM\..\Run: [prgsys0984] trycrt.exe
    O4 - HKLM\..\Run: [jboky.exe] C:\WINDOWS\SYSTEM\jboky.exe
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
    O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
    O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
    O4 - HKCU\..\Run: [UnSpyPC] "C:\Program Files\UnSpyPC\UnSpyPC.exe"
    O4 - HKCU\..\Run: [Preliminary] install2.exe
    O4 - HKCU\..\Run: [defect08] Shaitan1678.exe
    O4 - HKCU\..\Run: [Trayz] vxdman.exe
    O4 - HKCU\..\Run: [sound64] ActionScr.exe
    O4 - HKCU\..\Run: [SAPSTR] UserSp1.exe
    O4 - HKCU\..\Run: [driver32] vxdman.exe
    O4 - Startup: Herinneringen van Microsoft Works Agenda.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
    O4 - Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Startup: Microsoft Office Snelzoeken Indexer.lnk = C:\MSOffice\Office\FINDFAST.EXE
    O4 - Startup: Microsoft Office Snelstarten.lnk = C:\MSOffice\Office\FASTBOOT.EXE
    O4 - Startup: Photo Loader supervisory.lnk = C:\Program Files\CASIO\Photo Loader\Plauto.exe
    O4 - Startup: Sitecom Wireless LAN Utility.lnk = C:\Program Files\Sitecom Wireless LAN\WLANUTL.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
    O9 - Extra button: Onderzoekscentrum - {9455301C-CF6B-11D3-A266-00C04F689C50} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\EROProj.dll
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
    O14 - IERESET.INF: START_PAGE_URL=http://www.skynet.be
    O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
    O16 - DPF: {8FCDF9D9-A28B-480F-8C3D-581F119A8AB8} - http://static.zangocash.com/cab/Zango/ie/bridge-c18.cab
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by110fd.bay110.hotmail.msn.co...s/MsnPUpld.cab
    O16 - DPF: {00000000-0000-0000-0000-000020040000} - http://207.234.185.217/ABoxInst_int12.exe
    O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 85.255.115.110,85.255.112.151

  3. #3
    Security Expert-Emeritus
    Join Date
    Oct 2005
    Posts
    5,025


    You may want to print out these instructions for reference, since you will have to restart your computer during the fix.
    Please download FixWareout from one of these sites:
    http://downloads.subratam.org/Fixwareout.exe
    http://swandog46.geekstogo.com/Fixwareout.exe
    Save it to your desktop and run it. Click Next, then Install, then make sure "Run fixit" is checked and click Finish. The fix will begin; follow the prompts. You will be asked to reboot your computer; please do so. Your system may take longer than usual to load; this is normal.
    When your system reboots, follow the prompts. Afterwards, HijackThis will launch. Please click Scan,
    and check the following items(if there):
    R3 - URLSearchHook: (no name) - {EAF1FBD8-03D7-5E1D-ADB3-F704F13C3FDC} - Dest068.dll (file missing)
    R3 - URLSearchHook: (no name) - {88214AA4-A8CE-00E9-3374-CD23701C3CCA} - DTOURS.dll (file missing)
    O4 - HKLM\..\Run: [zantu] JAguAr.exe
    O4 - HKLM\..\Run: [DCC_send] prgsys0984.exe
    O4 - HKLM\..\Run: [csyri.exe] csyri.exe
    O4 - HKLM\..\Run: [driver64] cmon14.exe
    O4 - HKLM\..\Run: [prgsys0984] trycrt.exe
    O4 - HKLM\..\Run: [jboky.exe] C:\WINDOWS\SYSTEM\jboky.exe
    O4 - HKCU\..\Run: [UnSpyPC] "C:\Program Files\UnSpyPC\UnSpyPC.exe"
    O4 - HKCU\..\Run: [Preliminary] install2.exe
    O4 - HKCU\..\Run: [defect08] Shaitan1678.exe
    O4 - HKCU\..\Run: [Trayz] vxdman.exe
    O4 - HKCU\..\Run: [sound64] ActionScr.exe
    O4 - HKCU\..\Run: [SAPSTR] UserSp1.exe
    O4 - HKCU\..\Run: [driver32] vxdman.exe
    O16 - DPF: {8FCDF9D9-A28B-480F-8C3D-581F119A8AB8} - http://static.zangocash.com/cab/Zango/ie/bridge-c18.cab
    O16 - DPF: {00000000-0000-0000-0000-000020040000} - http://207.234.185.217/ABoxInst_int12.exe
    O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 85.255.115.110,85.255.112.151

    If you see a new item that wasn't in your last log in your O4 lines in HijackThis, starting with dm... for example:
    O4 - HKLM\..\Run: [dm***.exe] C:\WINDOWS\system\dm***.exe (the *** stand for random letters)
    or starting with hg***.exe for example:
    O4 - HKLM\..\Run: [hg***.exe] C:\Windows\System\hg***.exe
    or starting with cs***.exe for example:
    O4 - HKLM\..\Run: [cscyd.exe] cscyd.exe
    Check it as well. If you're not sure, leave it and only check the ones I asked you to check.
    ===========================================================
    Click Fix Checked. Close HijackThis, and click OK to proceed.


    Finally, please post the contents of report.txt (it should open), along with a new HijackThis log.
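    The checklist in this post comes down to a few recognisable patterns in a HijackThis log. As an added example (not from this thread, from the helper, or from HijackThis itself), the Python below parses those log sections and reports the kinds of entries the helper asked to have fixed: URLSearchHooks whose DLL is missing, O4 autorun names in the dm/hg/cs pattern, one executable registered under several Run keys, O16 downloads with no friendly name, and O17 NameServer entries not in a caller-supplied list of expected resolvers. The sample log is constructed from lines in this thread plus one made-up name (dmqlx.exe) in the helper's pattern.

```python
import re
from typing import Collection, Dict, List, NamedTuple


class Finding(NamedTuple):
    section: str  # HijackThis section prefix, e.g. "O4"
    reason: str   # why the entry merits a look
    line: str     # the log line as written ("" for findings spanning several lines)


# Names the helper in this thread told the poster to look for: dm***.exe,
# hg***.exe, cs***.exe, the *** standing for random letters. This is a
# heuristic and would also match real programs such as cscript.exe, so
# findings are for review, not for automatic removal.
RANDOM_NAME = re.compile(r"^(?:dm|hg|cs)[a-z]{2,6}\.exe$", re.IGNORECASE)

O4_RE = re.compile(r"^O4 - (HK(?:LM|CU))\\\.\.\\(Run\w*): \[(?P<key>[^\]]*)\] (?P<cmd>.*)$")
R3_RE = re.compile(r"^R3 - URLSearchHook: .* - (?P<dll>\S+) \(file missing\)$")
O16_RE = re.compile(r"^O16 - DPF: \{(?P<clsid>[0-9A-Fa-f-]+)\}(?: \((?P<name>[^)]*)\))? - (?P<url>\S+)$")
O17_RE = re.compile(r"^O17 - .*NameServer = (?P<servers>[0-9.,]+)$")

# Constructed sample in HijackThis v1.99 log format. Most lines are copied from
# the logs in this thread; dmqlx.exe is a made-up name in the helper's pattern.
SAMPLE_LOG = r"""
R3 - URLSearchHook: (no name) - {EAF1FBD8-03D7-5E1D-ADB3-F704F13C3FDC} - Dest068.dll (file missing)
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [csyri.exe] csyri.exe
O4 - HKLM\..\Run: [dmqlx.exe] C:\WINDOWS\SYSTEM\dmqlx.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKCU\..\Run: [Trayz] vxdman.exe
O4 - HKCU\..\Run: [driver32] vxdman.exe
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {00000000-0000-0000-0000-000020040000} - http://207.234.185.217/ABoxInst_int12.exe
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 85.255.115.110,85.255.112.151
"""


def executable_name(command: str) -> str:
    """File name of the program an O4 entry starts; handles quoted paths and arguments."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        program = command[1:end] if end > 0 else command[1:]
    else:
        program = command.split(" ", 1)[0]
    return program.rsplit("\\", 1)[-1]


def analyze(log_text: str, expected_dns: Collection[str] = frozenset()) -> List[Finding]:
    """Return the entries a helper would ask to see fixed, in log order.

    expected_dns: resolvers the machine is supposed to use (an assumption the caller
    supplies); any other address in an O17 NameServer line is reported.
    """
    findings: List[Finding] = []
    seen: Dict[str, List[str]] = {}  # executable -> autorun key names that start it
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := R3_RE.match(line):
            findings.append(Finding("R3", f"URLSearchHook points at missing {m['dll']}", line))
        elif m := O4_RE.match(line):
            exe = executable_name(m["cmd"]).lower()
            seen.setdefault(exe, []).append(m["key"])
            if RANDOM_NAME.match(exe):
                findings.append(Finding("O4", f"random-looking autorun name {exe}", line))
        elif m := O16_RE.match(line):
            if m["name"] is None:
                findings.append(Finding("O16", f"unnamed ActiveX download from {m['url']}", line))
        elif m := O17_RE.match(line):
            rogue = [s for s in m["servers"].split(",") if s not in expected_dns]
            if rogue:
                findings.append(Finding("O17", "unexpected NameServer " + ",".join(rogue), line))
    for exe, keys in seen.items():
        if len(keys) > 1:  # same program started from several keys, as vxdman.exe was here
            findings.append(Finding("O4", f"{exe} registered under {len(keys)} keys: {', '.join(keys)}", ""))
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"{f.section}: {f.reason}")
```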

  4. #4
    Junior Member
    Join Date
    Feb 2006
    Posts
    5

    Thank You!!

    THANK YOU SIR!

    You don't know half how happy I am! Good thing you aren't here, because I might kiss you LOL.

    It seems to have been successful so far; after several reboots it doesn't return, and I can google again without being redirected to places I don't want to go. Apart from the files you mentioned I should delete, there was also one that started with dm****.exe and one with cs***.exe.

    But I notice that under O16 and O17 I still have some dubious things (zangocash; aboxinst_int12.exe)?

    I've drank one to your health (so, it was chocolate milk; you get the idea)

    One tiny last question: can you recommend a good freeware firewall?

    Again, thanks!

    Peter,
    The Netherlands.

    As requested, the new log and report.txt file


    --------------------------------------------
    Fixwareout ver 1.003
    Last edited 1/12/2006
    Post this report in the forums please

    Reg Entries that were deleted
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\wuqmd
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\1dedoc
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\llams_ogol
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\repiwh
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\ytpme
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\emvaf
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\domdnb
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\orcimlh
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\putesprpgd
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\lavinraCputeS
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\xedocne
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\gib_ogol
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\repiwoh
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\llun
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\23plhps
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\mgcppp
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\tesvaf
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\golmedi
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\32refaselif
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\nbilbaj

    PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, There WILL be LEGIT FILES LISTED. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.

    »»»»» Search by size and names...
    C:\WINDOWS\SYSTEM\CSWOY.EXE
    C:\WINDOWS\SYSTEM\CSFCO.EXE
    C:\WINDOWS\SYSTEM\CSDGL.EXE
    C:\WINDOWS\SYSTEM\DMQUW.EXE
    C:\WINDOWS\SYSTEM\DMYVT.EXE
    C:\WINDOWS\SYSTEM\DMIGG.EXE
    C:\WINDOWS\SYSTEM\DMKXO.EXE
    C:\WINDOWS\SYSTEM\DMTEJ.EXE
    C:\WINDOWS\SYSTEM\DMPUK.EXE
    C:\WINDOWS\SYSTEM\DMTHE.EXE
    C:\WINDOWS\SYSTEM\DMVFF.EXE

    »»»»» Misc files
    --------------------------------------------------

    Logfile of HijackThis v1.99.1
    Scan saved at 2:05:52, on 15-02-06
    Platform: Windows ME (Win9x 4.90.3000)
    MSIE: Internet Explorer v5.50 (5.50.4134.0600)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\WINDOWS\SYSTEM\SSDPSRV.EXE
    C:\WINDOWS\SYSTEM\STIMON.EXE
    C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS\SYSTEM\INTERNAT.EXE
    C:\WINDOWS\SYSTEM\IRMON.EXE
    C:\WINDOWS\SYSTEM\QTTASK.EXE
    C:\WINDOWS\SYSTEM\LEXBCES.EXE
    C:\WINDOWS\SYSTEM\RPCSS.EXE
    C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\WORKS SHARED\WKCALREM.EXE
    C:\PROGRAM FILES\CASIO\PHOTO LOADER\PLAUTO.EXE
    C:\PROGRAM FILES\SITECOM WIRELESS LAN\WLANUTL.EXE
    C:\WINDOWS\SYSTEM\LEXPPS.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\PROGRAM FILES\INTERN~1\IEXPLORE.EXE
    C:\WINDOWS\SYSTEM\PSTORES.EXE
    C:\WINDOWS\SYSTEM\TAPISRV.EXE
    C:\WINDOWS\NOTEPAD.EXE
    C:\PROGRAM FILES\INTERN~1\IEXPLORE.EXE
    C:\PROGRAM FILES\INTERN~1\IEXPLORE.EXE
    C:\PROGRAM FILES\INTERN~1\IEXPLORE.EXE
    C:\PROGRAM FILES\INTERN~1\IEXPLORE.EXE
    C:\PROGRAM FILES\HIJACKTHIS\HIJACKTHIS.EXE

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.webcrawler.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.skynet.be
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
    R3 - URLSearchHook: (no name) - {EAF1FBD8-03D7-5E1D-ADB3-F704F13C3FDC} - Dest068.dll (file missing)
    R3 - URLSearchHook: (no name) - {88214AA4-A8CE-00E9-3374-CD23701C3CCA} - DTOURS.dll (file missing)
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0 CE\READER\ACTIVEX\ACROIEHELPER.DLL
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
    O3 - Toolbar: @msdxmLC.dll,-1@1043,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
    O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
    O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
    O4 - HKLM\..\Run: [internat.exe] internat.exe
    O4 - HKLM\..\Run: [LexStart] Lexstart.exe
    O4 - HKLM\..\Run: [SYSTEMS.EXE] C:\PROGRAM FILES\KEYBOARD SPECTATOR PRO\SYSTEMS.EXE
    O4 - HKLM\..\Run: [Control Center] C:\Program Files\ASUS\WLAN Card Utilities\Center.exe
    O4 - HKLM\..\Run: [IrMon] irmon.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
    O4 - HKLM\..\Run: [zantu] JAguAr.exe
    O4 - HKLM\..\Run: [DCC_send] prgsys0984.exe
    O4 - HKLM\..\Run: [csyri.exe] csyri.exe
    O4 - HKLM\..\Run: [MsgCenterExe] "C:\Program Files\Common Files\Real\Update_OB\RealOneMessageCenter.exe" -osboot
    O4 - HKLM\..\Run: [driver64] cmon14.exe
    O4 - HKLM\..\Run: [prgsys0984] trycrt.exe
    O4 - HKLM\..\Run: [jboky.exe] C:\WINDOWS\SYSTEM\jboky.exe
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
    O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
    O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
    O4 - HKCU\..\Run: [UnSpyPC] "C:\Program Files\UnSpyPC\UnSpyPC.exe"
    O4 - HKCU\..\Run: [Preliminary] install2.exe
    O4 - HKCU\..\Run: [defect08] Shaitan1678.exe
    O4 - HKCU\..\Run: [Trayz] vxdman.exe
    O4 - HKCU\..\Run: [sound64] ActionScr.exe
    O4 - HKCU\..\Run: [SAPSTR] UserSp1.exe
    O4 - HKCU\..\Run: [driver32] vxdman.exe
    O4 - Startup: Herinneringen van Microsoft Works Agenda.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
    O4 - Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Startup: Microsoft Office Snelzoeken Indexer.lnk = C:\MSOffice\Office\FINDFAST.EXE
    O4 - Startup: Microsoft Office Snelstarten.lnk = C:\MSOffice\Office\FASTBOOT.EXE
    O4 - Startup: Photo Loader supervisory.lnk = C:\Program Files\CASIO\Photo Loader\Plauto.exe
    O4 - Startup: Sitecom Wireless LAN Utility.lnk = C:\Program Files\Sitecom Wireless LAN\WLANUTL.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
    O9 - Extra button: Onderzoekscentrum - {9455301C-CF6B-11D3-A266-00C04F689C50} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\EROProj.dll
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
    O14 - IERESET.INF: START_PAGE_URL=http://www.skynet.be
    O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
    O16 - DPF: {8FCDF9D9-A28B-480F-8C3D-581F119A8AB8} - http://static.zangocash.com/cab/Zango/ie/bridge-c18.cab
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by110fd.bay110.hotmail.msn.co...s/MsnPUpld.cab
    O16 - DPF: {00000000-0000-0000-0000-000020040000} - http://207.234.185.217/ABoxInst_int12.exe
    O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 85.255.115.110,85.255.112.151

  5. #5
    Security Expert-Emeritus
    Join Date
    Oct 2005
    Posts
    5,025


    Hi

    Did you forget to fix the listed items with HijackThis?
    Start HijackThis, fix the items I pointed out, reboot the PC and post a fresh log please.

  6. #6
    Junior Member
    Join Date
    Feb 2006
    Posts
    5


    I'm sure I didn't forget to remove these last two entries (under O16). So I ran HijackThis, removed them again, and rebooted. Perhaps I did forget, but I think it very unlikely. Are the housecall and msnphotoupload.cab under O16 normal? The zangocash and O17-thing seem to be gone now.

    Peter.

    --------------------------------
    Logfile of HijackThis v1.99.1
    Scan saved at 6:35:15, on 16-02-06
    Platform: Windows ME (Win9x 4.90.3000)
    MSIE: Internet Explorer v5.50 (5.50.4134.0600)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\WINDOWS\SYSTEM\SSDPSRV.EXE
    C:\WINDOWS\SYSTEM\STIMON.EXE
    C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
    C:\WINDOWS\SYSTEM\LEXBCES.EXE
    C:\WINDOWS\SYSTEM\RPCSS.EXE
    C:\WINDOWS\SYSTEM\LEXPPS.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS\SYSTEM\INTERNAT.EXE
    C:\WINDOWS\SYSTEM\IRMON.EXE
    C:\WINDOWS\SYSTEM\QTTASK.EXE
    C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\WORKS SHARED\WKCALREM.EXE
    C:\PROGRAM FILES\CASIO\PHOTO LOADER\PLAUTO.EXE
    C:\PROGRAM FILES\SITECOM WIRELESS LAN\WLANUTL.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\PROGRAM FILES\HIJACKTHIS\HIJACKTHIS.EXE

    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0 CE\READER\ACTIVEX\ACROIEHELPER.DLL
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
    O3 - Toolbar: @msdxmLC.dll,-1@1043,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
    O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
    O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
    O4 - HKLM\..\Run: [internat.exe] internat.exe
    O4 - HKLM\..\Run: [LexStart] Lexstart.exe
    O4 - HKLM\..\Run: [SYSTEMS.EXE] C:\PROGRAM FILES\KEYBOARD SPECTATOR PRO\SYSTEMS.EXE
    O4 - HKLM\..\Run: [Control Center] C:\Program Files\ASUS\WLAN Card Utilities\Center.exe
    O4 - HKLM\..\Run: [IrMon] irmon.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
    O4 - HKLM\..\Run: [MsgCenterExe] "C:\Program Files\Common Files\Real\Update_OB\RealOneMessageCenter.exe" -osboot
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
    O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
    O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
    O4 - Startup: Herinneringen van Microsoft Works Agenda.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
    O4 - Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Startup: Microsoft Office Snelzoeken Indexer.lnk = C:\MSOffice\Office\FINDFAST.EXE
    O4 - Startup: Microsoft Office Snelstarten.lnk = C:\MSOffice\Office\FASTBOOT.EXE
    O4 - Startup: Photo Loader supervisory.lnk = C:\Program Files\CASIO\Photo Loader\Plauto.exe
    O4 - Startup: Sitecom Wireless LAN Utility.lnk = C:\Program Files\Sitecom Wireless LAN\WLANUTL.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
    O9 - Extra button: Onderzoekscentrum - {9455301C-CF6B-11D3-A266-00C04F689C50} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\EROProj.dll
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
    O14 - IERESET.INF: START_PAGE_URL=http://www.skynet.be
    O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by110fd.bay110.hotmail.msn.co...s/MsnPUpld.cab

  7. #7
    Security Expert-Emeritus
    Join Date
    Oct 2005
    Posts
    5,025


    That looks fine. Why don't we see an antivirus program?
    Go get all available critical updates at Windows Update; it will take more than one trip: http://v4.windowsupdate.microsoft.com/en/default.asp
    Always restart the PC when prompted. Then revisit the Windows Update site.

  8. #8
    Junior Member
    Join Date
    Feb 2006
    Posts
    5


    Thanks again for all the help.

    It seems my computer is clean again at the moment; I'm even beginning to understand a bit about the content of the hijack-log.

    Getting a good virus scanner and firewall are at the very top of the list. I do not want to go through this again. Things could have been much worse than they have been (complete loss of data).

    Do you recommend any good (freeware preferably) virus scanner and/or firewall?

    Peter.

  9. #9
    Security Expert-Emeritus
    Join Date
    Oct 2005
    Posts
    5,025


    Hi
    Several antivirus and firewall programs are mentioned here
    http://forums.spybot.info/showthread.php?t=279

    Regards
    Lonny

  10. #10
    tashi, Member of Team Spybot
    Join Date
    Oct 2005
    Location
    USA
    Posts
    30,961


    As the problem appears to be resolved this topic will be archived.
    If you need it re-opened please send me a pm and provide a link to the topic.
    Cheers.
    Microsoft MVP Reconnect 2018-
    Windows Insider MVP 2016-2018
    Microsoft Consumer Security MVP 2006-2016
