4.8K Posts

February 10th, 2005 17:00

kengo,

Let's see what we can do...



Go to www.trendmicro.com, and then:

1. Click "Free Online Scan".
2. Click "Scan now, it's free".

It'll take a few minutes to download (especially with a dialup connection), so be patient. When it's down:

1. Select all available drives.
2. Check (tick) "Auto Clean".
3. Click "Scan".

When it completes, post back the full filename of any files that cannot be cleaned or deleted.



Run HiJackThis and click "Scan", then check (tick) the following, if present:


R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://localhost

O4 - Global Startup: D-Link AirPlus.lnk = ?
O4 - Global Startup: Digital Line Detect.lnk = ?

O16 - DPF: {0F9B4CA4-A30F-480A-841D-69B45C50A8F8} (SekureL0gin.SekureKontrol) - http://secure2.comned.com/signuptemplates/AktiveSekurity.cab
O16 - DPF: {1C955F3B-5B32-4393-A05D-24B4970CD2A1} - http://streamhc.redhotnetworks.com/cabs/videox.cab
O16 - DPF: {75D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin.SecureControl) - http://secure2.comned.com/signuptemplates/ActiveSecurity.cab


Now, with all windows closed except HiJackThis, click "Fix checked".



What concerns me are these two entries:

O16 - DPF: {0F9B4CA4-A30F-480A-841D-69B45C50A8F8} (SekureL0gin.SekureKontrol) - http://secure2.comned.com/signuptemplates/AktiveSekurity.cab

O16 - DPF: {75D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin.SecureControl) - http://secure2.comned.com/signuptemplates/ActiveSecurity.cab

Notice how the first one mimics the bottom one (which, if I would guess, would be the legit one). I'd venture a guess that the first one is designed to mimic the real logon, and potentially 'steal' personal or logon information; so change your logon info - passwords, etc. I'm not sure what those two objects do, but if you've used any credit card info to sign up, you might consider contacting your card company and have the account(s) used to sign up closed, and new ones opened in their place; just to be safe.



Post back a new log, and let me know how everything goes.

-

Mike.
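The mimicry Mike points out (a ProgID that differs from a legitimate one by a couple of characters, yet is registered under a different CLSID) can be checked mechanically rather than by eye. The following is an added example, not code from the thread or from HijackThis: it parses O16 (DPF) lines from a HijackThis log and flags pairs of entries whose ProgIDs are near-identical but carry different CLSIDs. The sample lines are copied from the post; the similarity threshold of 0.8 is my own choice.

```python
import re
from difflib import SequenceMatcher

# Constructed sample input: the three O16 lines quoted in the post above.
SAMPLE_O16 = """\
O16 - DPF: {0F9B4CA4-A30F-480A-841D-69B45C50A8F8} (SekureL0gin.SekureKontrol) - http://secure2.comned.com/signuptemplates/AktiveSekurity.cab
O16 - DPF: {1C955F3B-5B32-4393-A05D-24B4970CD2A1} - http://streamhc.redhotnetworks.com/cabs/videox.cab
O16 - DPF: {75D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin.SecureControl) - http://secure2.comned.com/signuptemplates/ActiveSecurity.cab
"""

# An O16 line is "{CLSID} (ProgID) - URL", "{CLSID} - URL" or "Label - URL".
O16_RE = re.compile(
    r"^O16 - DPF: "
    r"(?:(?P<clsid>\{[0-9A-Fa-f-]+\})(?: \((?P<progid>[^)]+)\))?|(?P<label>.+?))"
    r" - (?P<url>\S+)\s*$"
)


def parse_o16(log_text):
    """Return one dict (clsid, progid, label, url) per O16 entry in a HijackThis log."""
    entries = []
    for line in log_text.splitlines():
        m = O16_RE.match(line.strip())
        if m:
            entries.append(m.groupdict())
    return entries


def find_lookalikes(entries, threshold=0.8):
    """Flag pairs whose ProgIDs are nearly identical but registered under different
    CLSIDs: two distinct controls should not share an almost-equal name."""
    named = [e for e in entries if e.get("progid")]
    hits = []
    for i, a in enumerate(named):
        for b in named[i + 1:]:
            pa, pb = a["progid"].lower(), b["progid"].lower()
            if pa == pb or a["clsid"] == b["clsid"]:
                continue
            ratio = SequenceMatcher(None, pa, pb).ratio()
            if ratio >= threshold:
                hits.append((a["progid"], b["progid"], round(ratio, 2)))
    return hits


def audit(log_text, threshold=0.8):
    entries = parse_o16(log_text)
    return {"entries": entries, "lookalikes": find_lookalikes(entries, threshold)}


if __name__ == "__main__":
    result = audit(SAMPLE_O16)
    for e in result["entries"]:
        print(e["clsid"] or e["label"], e["progid"], e["url"])
    for a, b, r in result["lookalikes"]:
        print(f"LOOKALIKE ({r:.2f}): {a!r} vs {b!r}")
```

Run it against a full log pasted into `SAMPLE_O16` (or read from a file) and the two comned.com controls come out as a lookalike pair with a similarity of 0.84; the redhotnetworks entry has no ProgID and is listed but not compared.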

4 Posts

February 11th, 2005 13:00

Scanned using free online scan from trendmicro, it found 1 trojan virus, but I was able to delete it without any errors.

I also cleaned the computer using HJT by ticking those you advised, except for the two:

O4 - Global Startup: D-Link AirPlus.lnk = ?
O4 - Global Startup: Digital Line Detect.lnk = ?

Since these are part of my wi-fi PCMCIA card.

Here is the latest scan:

Logfile of HijackThis v1.99.0
Scan saved at 10:56:41 PM, on 2/11/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\My Downloads\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dellnet.com/
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_2_3_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_2_3_0.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [DadApp] C:\Program Files\Dell\AccessDirect\dadapp.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [WFXSwtch] C:\PROGRA~1\NORTON~1\WinFax\WFXSWTCH.exe
O4 - HKLM\..\Run: [WinFaxAppPortStarter] wfxsnt40.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [EPSON Stylus Photo R210 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3H2.EXE /P30 "EPSON Stylus Photo R210 Series" /O6 "USB001" /M "Stylus Photo R210"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKCU\..\Run: [EPSON Stylus Photo R210 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3H2.EXE /P30 "EPSON Stylus Photo R210 Series" /M "Stylus Photo R210" /EF "HKCU"
O4 - Global Startup: D-Link AirPlus.lnk = ?
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: NkvMon.exe.lnk = C:\Program Files\Nikon\NkView6\NkvMon.exe
O8 - Extra context menu item: View Exif/GPS/IPTC with IExif - C:\Program Files\Opanda\IExif 1.8\IExifCom.htm
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! Gin - http://download.games.yahoo.com/games/clients/y/nt1_x.cab
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EPUWALControl_v1-0-3-17.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1094479467648
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/common/groove/gx/GrooveAX25.cab
O23 - Service: Adobe LM Service - Unknown - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - Unknown - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
O23 - Service: SymWMI Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

 

4.8K Posts

February 11th, 2005 16:00

kengo,

That log is looking good - great work!

-

Let's take the next step...



Download mwav.exe from MicroWorld, then:

1.  Double-click the mwav.exe icon to run it (it'll self extract).
2.  Click "Scan".
3.  When it completes, post back the results from the 'Virus log information' pane.


Mike.

 

4 Posts

February 12th, 2005 07:00

After using Escan it still found 7 viruses, even though they were not found by my other anti-virus software.

File C:\WINDOWS\System32\6totiexspr.dll infected by "Trojan-Downloader.Win32.Small.ahv" Virus. Action Taken: No Action Taken.

File C:\WINDOWS\System32\CLUELP.dll infected by "Trojan.Win32.StartPage.ua" Virus. Action Taken: No Action Taken.

File C:\WINDOWS\System32\MRGHELBMS.dll infected by "Trojan-Downloader.Win32.Small.ahv" Virus. Action Taken: No Action Taken.

File C:\WINDOWS\System32\MSEXDVPROP.dll infected by "Trojan-Downloader.Win32.Small.ahv" Virus. Action Taken: No Action Taken.

File C:\WINDOWS\System32\PARSAste.dll infected by "Trojan-Downloader.Win32.Small.ahv" Virus. Action Taken: No Action Taken.

File C:\WINDOWS\System32\RSTILOM.dll infected by "Trojan-Downloader.Win32.Small.ahv" Virus. Action Taken: No Action Taken.


File C:\My Downloads\backups\backup-20050211-103628-805.dll infected by "VirTool.Win32.Collector" Virus. Action Taken: No Action Taken.

Is it safe to delete these files, or do I really need to purchase the full version of Escan to eliminate them?

By the way, even though the anti-virus software scans through my folder C:\Documents and Settings\Kendrick U. Go\Local Settings\Temporary Internet Files\contents.ie5, I can't seem to locate this folder manually through Windows Explorer, even with "show all hidden files and folders" turned on. I can see this folder under C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\contents.ie5. All I see under the Temporary Internet Files folder are files, and I can't see any subfolders, though clicking Properties indicates that there are at least 14 subfolders.

Weird.

Ken


 

4.8K Posts

February 12th, 2005 18:00

Ken,
 
Yeah, that does sound kinda strange; not sure why it would do that, unless it's a setting somewhere.
 


Let's try and unregister the following, one at a time, from a command prompt:
 
regsvr32   /u   backup-20050211-103628-805.dll
regsvr32   /u   6totiexspr.dll
regsvr32   /u   CLUELP.dll
regsvr32   /u   MRGHELBMS.dll
regsvr32   /u   MSEXDVPROP.dll
regsvr32   /u   PARSAste.dll
regsvr32   /u   RSTILOM.dll
 
It's ok if these will 'error' back, or aren't found. To save on typing, just use the mouse to drag-select-copy each line of text, and "Paste" it, into the command prompt.
 


Locate and delete the following item(s), if present. Make sure you're able to view system and hidden files/folders:
 
files...
 
    C:\My Downloads\backups\backup-20050211-103628-805.dll
    C:\WINDOWS\System32\6totiexspr.dll
    C:\WINDOWS\System32\CLUELP.dll
    C:\WINDOWS\System32\MRGHELBMS.dll
    C:\WINDOWS\System32\MSEXDVPROP.dll
    C:\WINDOWS\System32\PARSAste.dll
    C:\WINDOWS\System32\RSTILOM.dll
 
-
 
Note that some of these file(s) may or may not be present. If present, and they cannot be deleted because they're 'in use', try deleting them from "Safe Mode".
 

 
Mike.
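Ken's eScan report (the post before this one) and Mike's unregister-then-delete list are the same information in two forms, and the second can be generated from the first. This is an added example, not code from the thread, from eScan or from HijackThis: it parses the "File ... infected by ... Action Taken" lines, counts hits per detection name, and emits the `regsvr32 /u` and `del` commands for anything the scanner reported but left in place. The regular expression and the use of full quoted paths (instead of the bare filenames in the post, which assume the current directory is System32) are my own choices; the sample lines are copied from Ken's report.

```python
import re
import ntpath
from collections import Counter

# Constructed sample input: the seven detection lines from the eScan post above.
ESCAN_DETECTIONS = r"""
File C:\WINDOWS\System32\6totiexspr.dll infected by "Trojan-Downloader.Win32.Small.ahv" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\CLUELP.dll infected by "Trojan.Win32.StartPage.ua" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\MRGHELBMS.dll infected by "Trojan-Downloader.Win32.Small.ahv" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\MSEXDVPROP.dll infected by "Trojan-Downloader.Win32.Small.ahv" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\PARSAste.dll infected by "Trojan-Downloader.Win32.Small.ahv" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\RSTILOM.dll infected by "Trojan-Downloader.Win32.Small.ahv" Virus. Action Taken: No Action Taken.
File C:\My Downloads\backups\backup-20050211-103628-805.dll infected by "VirTool.Win32.Collector" Virus. Action Taken: No Action Taken.
"""

# One eScan detection line: path, detection name in quotes, and the action taken.
DETECTION_RE = re.compile(
    r'^File (?P<path>.+?) infected by "(?P<detection>[^"]+)" Virus\. '
    r'Action Taken: (?P<action>.+?)\.?$'
)


def parse_detections(report_text):
    """Return one dict (path, detection, action) per detection line."""
    records = []
    for line in report_text.splitlines():
        m = DETECTION_RE.match(line.strip())
        if m:
            records.append(m.groupdict())
    return records


def summarize(records):
    """Count hits per detection name so a repeated family stands out."""
    return Counter(r["detection"] for r in records)


def pending(records):
    """Detections the scanner reported but did not clean, i.e. still on disk."""
    return [r for r in records if r["action"].lower().startswith("no action")]


def filenames(records):
    """Bare filenames, the form used in the regsvr32 lines of the post."""
    return [ntpath.basename(r["path"]) for r in records]


def remediation_plan(records):
    """cmd.exe lines in the order given in the post: unregister every DLL first
    (they are COM objects), then delete the files. Full quoted paths are used so
    the commands do not depend on the current directory."""
    todo = pending(records)
    unregister = [f'regsvr32 /u "{r["path"]}"' for r in todo]
    delete = [f'del "{r["path"]}"' for r in todo]
    return unregister + delete


if __name__ == "__main__":
    recs = parse_detections(ESCAN_DETECTIONS)
    for name, count in summarize(recs).most_common():
        print(f"{count:2d} x {name}")
    print()
    print("\n".join(remediation_plan(recs)))
```

The plan is printed, not executed; the point is to review the list against the scanner's own output before touching anything. As the post says, a file that is in use will refuse to delete and needs Safe Mode, and a `regsvr32 /u` error on a DLL that never registered itself is harmless.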
 

Message Edited by Midnight Star on 02-12-2005 02:42 PM

4.8K Posts

February 13th, 2005 16:00

Ken,

Great news ... and good work!

-

Let's go ahead and finish the cleanup...



Reboot your system; If everything is running ok, let's do the final cleanup...

1.  Run "Disk Cleanup" and allow it to remove everything it finds.

2.  If you've downloaded MicroWorld AV (MWAV), run it again - but don't scan, just click "Clear Log" and exit the program.

3.  Go to www.trendmicro.com and click "Free Online Scan", then "Scan now, it's free!". When it's downloaded, select all available drives, then check(tick) "Auto clean", then click "Scan".

4.  Run AdAware SE Personal and "perform a full system scan", then Spybot S&D, and "Check for Problems". Let them both remove the residual 'problems' left that HiJackThis couldn't fix.

5.  Disable, then re-enable system restore; with a reboot in-between. Then immediately create a new system point manually.
 



If you're having any more problems, post back.

-

Happy surfing,

Mike.

 

Message Edited by Midnight Star on 02-13-2005 12:43 PM

4 Posts

February 13th, 2005 16:00

Latest log from Escan:
 
Sun Feb 13 14:51:22 2005 => ***** Scanning complete. *****
 
Sun Feb 13 14:51:22 2005 => Total Files Scanned: 113031
Sun Feb 13 14:51:22 2005 => Total Virus(es) Found: 0
Sun Feb 13 14:51:22 2005 => Total Disinfected Files: 0
Sun Feb 13 14:51:22 2005 => Total Files Renamed: 0
Sun Feb 13 14:51:22 2005 => Total Deleted Files: 0
Sun Feb 13 14:51:23 2005 => Total Errors: 3
Sun Feb 13 14:51:23 2005 => Time Elapsed: 01:18:16
Sun Feb 13 14:51:23 2005 => Virus Database Date: 2005/02/11
Sun Feb 13 14:51:23 2005 => Virus Database Count: 117901
 
Sun Feb 13 14:51:23 2005 => Scan Completed.
 
Looks good. By the way, I am not sure if it's just my notebook, but when I log on as Administrator, I can now see the folder content.ie5 in the "my username"\Temporary Internet Files folder, but can't see it when logged on as "my username".
 
Thanks for the help, I will be sleeping better tonight.
 
Ken
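The eScan summary above is the evidence for the "all clear", and it is worth reading it with a script rather than just glancing at the zero. This is an added example, not code from the thread or from eScan: it parses the timestamped `=>` summary lines into counters, then returns a verdict that checks the virus count, surfaces the three errors (files the scanner could not process are unverified, not clean), and compares the signature database date against the scan date. The seven-day database-age threshold is my own choice; the sample lines are copied from Ken's log.

```python
import re
from datetime import datetime

# Constructed sample input: the summary lines from the eScan log above.
ESCAN_SUMMARY = """\
Sun Feb 13 14:51:22 2005 => ***** Scanning complete. *****
Sun Feb 13 14:51:22 2005 => Total Files Scanned: 113031
Sun Feb 13 14:51:22 2005 => Total Virus(es) Found: 0
Sun Feb 13 14:51:22 2005 => Total Disinfected Files: 0
Sun Feb 13 14:51:22 2005 => Total Files Renamed: 0
Sun Feb 13 14:51:22 2005 => Total Deleted Files: 0
Sun Feb 13 14:51:23 2005 => Total Errors: 3
Sun Feb 13 14:51:23 2005 => Time Elapsed: 01:18:16
Sun Feb 13 14:51:23 2005 => Virus Database Date: 2005/02/11
Sun Feb 13 14:51:23 2005 => Virus Database Count: 117901
Sun Feb 13 14:51:23 2005 => Scan Completed.
"""

# "Sun Feb 13 14:51:23 2005 => body"; the day may be space-padded (ctime style).
SUMMARY_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4}) => (?P<body>.*)$"
)
TS_FORMAT = "%a %b %d %H:%M:%S %Y"


def parse_summary(text):
    """Return (stats dict, timestamp of the last summary line)."""
    stats, finished_at = {}, None
    for line in text.splitlines():
        m = SUMMARY_RE.match(line.strip())
        if not m:
            continue
        finished_at = datetime.strptime(m["ts"], TS_FORMAT)
        key, sep, value = m["body"].partition(": ")
        if not sep:
            continue  # banner lines such as "Scan Completed." carry no counter
        value = value.strip()
        stats[key.strip()] = int(value) if value.isdigit() else value
    return stats, finished_at


def verdict(stats, finished_at, max_db_age_days=7):
    """Decide whether the summary supports an 'all clear' and list the caveats."""
    warnings = []
    found = stats.get("Total Virus(es) Found", 0)
    errors = stats.get("Total Errors", 0)
    if errors:
        warnings.append(f"scanner reported {errors} error(s); those files were not verified")
    db_age = None
    db_date = stats.get("Virus Database Date")
    if db_date and finished_at:
        db_age = (finished_at.date() - datetime.strptime(db_date, "%Y/%m/%d").date()).days
        if db_age > max_db_age_days:
            warnings.append(f"signature database is {db_age} days old")
    return {"clean": found == 0, "errors": errors, "db_age_days": db_age, "warnings": warnings}


if __name__ == "__main__":
    stats, finished_at = parse_summary(ESCAN_SUMMARY)
    result = verdict(stats, finished_at)
    print("clean:", result["clean"], "| db age (days):", result["db_age_days"])
    for w in result["warnings"]:
        print("warning:", w)
```

On Ken's log this reports clean, a two-day-old database, and one warning for the three scan errors; a practitioner would want to know which files produced those errors before closing the case.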
 