YoKenny
363 Posts
0
December 28th, 2003 16:00
ronananda, C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE is not a good place for Hijack this.
Important for backup reasons: Create a folder on the C: drive called C:\HJT. You can do this by going to My Computer (Windows key+e) then double click on C: then right click and select New then Folder and name it HJT. Move HijackThis into this folder.
Troj/Spybot-12G
Reference: http://www.sophos.com/virusinfo/analyses/trojspybot12g.html
You will have to create a Clean DOS boot diskette on an uninfected system.
On the other system this can be made by going to Start then Control Panel then Add/Remove Programs then Startup diskette. (I don't have Win98 so these instructions might not be accurate)
Boot this diskette with the write protect tab moved to the safe position. i.e. Open
Enter the following DOS commands without quotes:
"C:"
"del C:\WINDOWS\SYSTEM\WINLODR.SCR"
Then remove the diskette and keep in a safe place and reboot Windows.
Run HijackThis from the C:\HJT folder then tick the boxes next to all these, then close all browser and explorer windows, and tell HijackThis to "Fix checked" if still present.
Please keep your anti-virus definitions up to date daily as new infections are coming out rapidly.
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = C:\WINDOWS\system32\searchbar.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = C:\WINDOWS\system32\search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = C:\WINDOWS\system32\search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = C:\WINDOWS\system32\searchbar.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = C:\WINDOWS\system32\searchbar.html
O2 - BHO: (no name) - {EBCDDA60-2A68-11D3-8A43-0060083CFB9C} - C:\WINDOWS\SYSTEM\NZDD0.DLL (file missing)
O4 - HKLM\..\Run: [Winsock2 driver] WINLODR.SCR
O4 - HKLM\..\RunServices: [RunDLL32] C:\WINDOWS\SYSTEM\cacikyvl.exe
O4 - HKCU\..\RunOnce: [Winsock2 driver] WINLODR.SCR
O9 - Extra button: Net2Phone (HKLM)
O9 - Extra 'Tools' menuitem: Net2Phone (HKLM)
Then Reboot.
Read the last links to make your Internet experience safer.
ChrisRLG
3.9K Posts
0
December 28th, 2003 16:00
Tick these in hijackthis, AND WITH ALL BROWSER WINDOWS CLOSED, fix ticked.
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
O2 - BHO: (no name) - {EBCDDA60-2A68-11D3-8A43-0060083CFB9C} - C:\WINDOWS\SYSTEM\NZDD0.DLL (file missing)
O2 - BHO: PK IE Plugin - {1E1B2879-88FF-11D3-8D96-D7ACAC95951A} - C:\WINDOWS\SYSTEM\BPKWB.DLL
O4 - HKLM\..\Run: [Winsock2 driver] WINLODR.SCR
O4 - HKCU\..\Run: [LTM2] C:\WINDOWS\litmus\MSGSRV32.exe
O4 - HKCU\..\RunOnce: [Winsock2 driver] WINLODR.SCR
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/294215b6952562218505/netzip/RdxIE601.cab
These should be ticked UNLESS they are your required search and home pages.
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = C:\WINDOWS\system32\searchbar.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = C:\WINDOWS\system32\search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = C:\WINDOWS\system32\search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = C:\WINDOWS\system32\searchbar.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = C:\WINDOWS\system32\searchbar.html
I assume these were added on purpose - if not tick to remove.
O16 - DPF: {AECD14A8-F662-11D1-A395-00805F535788} (Plotwon Control) - http://www.investors.com/member/ocx/plotwon.ocx
O16 - DPF: {78267546-F2AC-11D2-A278-005004676C44} (WonList Control) - http://www.investors.com/member/ocx/WonList.ocx
O16 - DPF: {EE3CD402-69EB-4B53-819D-0CA2F95AD7DA} (PFMngr Control) - http://www.investors.com/member/ocx/PFMngr.ocx
O16 - DPF: {1DD81666-F3AD-11D3-BA86-00500487B4EC} (WonSearchX Control) - http://www.investors.com/member/ocx/WonSearchX.ocx
This is a randomly named file and as such is most probably malware, BUT if you know of it do not tick.
O4 - HKLM\..\RunServices: [RunDLL32] C:\WINDOWS\SYSTEM\cacikyvl.exe
Then reboot to safe mode and delete these files or folders. (Some you may need to search your computer for using Windows search; ensure that you also look in system and hidden folders.)
Folder > C:\WINDOWS\litmus\
File > > (Find location in your computer - if more than one is found - ask me which one to delete) WINLODR.SCR
And if ticked
File > > C:\WINDOWS\SYSTEM\cacikyvl.exe
Then reboot and post a fresh log for me to check.
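The triage above follows a handful of repeatable rules: IE start/search pages redirected to a local HTML file or reset to about:blank, a BHO whose DLL is missing, a Run entry that launches a bare .SCR with no path, an auto-generated eight-letter executable name such as cacikyvl.exe, and an ActiveX download served from a bare IP address. The following script is an added example, not part of this thread or of HijackThis itself; it parses HijackThis-style log lines and applies those rules. The sample log, the KNOWN_STEMS allowlist and the rule thresholds are constructed here from the entries quoted in this thread and are assumptions, not an official signature set.

```python
import ipaddress
import os
import re
from urllib.parse import urlparse

# Constructed sample: a handful of lines quoted from this thread, not a full log.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = C:\WINDOWS\system32\searchbar.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
O2 - BHO: (no name) - {EBCDDA60-2A68-11D3-8A43-0060083CFB9C} - C:\WINDOWS\SYSTEM\NZDD0.DLL (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O4 - HKLM\..\Run: [Winsock2 driver] WINLODR.SCR
O4 - HKLM\..\RunServices: [RunDLL32] C:\WINDOWS\SYSTEM\cacikyvl.exe
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/294215b6952562218505/netzip/RdxIE601.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
"""

# Assumed allowlist of legitimate executables taken from the clean log in this thread.
KNOWN_STEMS = {"taskmon", "scanregw", "rundll32", "mstask", "minilog", "vsmon"}

LINE_RE = re.compile(r"^(?P<sect>[RO]\d+) - (?P<body>.*)$")
O4_RE = re.compile(r"^(?P<hive>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")


def parse_line(line):
    """Split a HijackThis line into (section, body); None if not a log entry."""
    m = LINE_RE.match(line.strip())
    return (m.group("sect"), m.group("body")) if m else None


def first_executable(cmd):
    """Return the program part of a Run-key command, honouring a quoted path."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    return cmd.split()[0] if cmd else ""


def reasons_for(sect, body):
    """Apply the triage rules used in the thread; returns a list of findings."""
    reasons = []
    if sect in ("R0", "R1"):
        key, _, value = body.partition(" = ")
        v = value.strip().lower()
        if v.endswith(".html") and ":\\" in v:
            reasons.append("IE start/search page points at a local HTML file")
        elif v == "about:blank" and "search" in key.lower():
            reasons.append("search setting reset to about:blank")
    elif sect == "O2" and body.endswith("(file missing)"):
        reasons.append("BHO registered but its DLL is missing (orphaned entry)")
    elif sect == "O4":
        m = O4_RE.match(body)
        if m:
            exe = first_executable(m.group("cmd"))
            has_path = any(sep in exe for sep in "\\/")
            stem, ext = os.path.splitext(re.split(r"[\\/]", exe)[-1])
            if ext.lower() == ".scr" and not has_path:
                reasons.append("bare .SCR launched from a Run key with no path")
            if re.fullmatch(r"[a-z]{8}", stem) and stem not in KNOWN_STEMS:
                reasons.append("eight random lowercase letters, typical auto-generated name")
    elif sect == "O16":
        url = body.rpartition(" - ")[2].strip()
        host = urlparse(url).hostname or ""
        try:
            ipaddress.ip_address(host)
            reasons.append("ActiveX download served from a bare IP address")
        except ValueError:
            pass  # a DNS name; nothing to flag on this rule
    return reasons


def triage(log_text):
    """Return [(line, reasons)] for every entry that trips at least one rule."""
    findings = []
    for raw in log_text.splitlines():
        parsed = parse_line(raw)
        if not parsed:
            continue
        reasons = reasons_for(*parsed)
        if reasons:
            findings.append((raw.strip(), reasons))
    return findings


if __name__ == "__main__":
    for line, why in triage(SAMPLE_LOG):
        print(line)
        for r in why:
            print("    ->", r)
```

The rules are deliberately conservative: the eight-letter heuristic only fires on all-lowercase names outside the allowlist, so a legitimate tool with an unusual name still needs a human look, which is exactly why the helpers in this thread say "if you know of it do not tick".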
ronananda
5 Posts
0
December 29th, 2003 16:00
ChrisRLG: I did as you suggested. I cleared all the items you indicated. What I noticed was that the "winlodr" file came back. However, when I ran hijack in safe mode, they did not return. I deleted the "litmus" file, the others I could not find.
I am now able to access msconfig, and regedit.
Here is my latest log:
Logfile of HijackThis v1.97.7
Scan saved at 1:28:36 PM, on 12/29/03
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\PROGRAM FILES\ERASER\ERASER.EXE
C:\PROGRAM FILES\MICROSOFT MONEY\SYSTEM\REMINDER.EXE
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZAPRO.EXE
C:\PROGRAM FILES\ULEAD SYSTEMS\ULEAD PHOTOIMPACT 4.2\ABMTSR.EXE
C:\WINDOWS\SYSTEM\MSWHEEL.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\HJT\HIJACKTHIS.EXE
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [Ad-aware] "C:\PROGRAM FILES\LAVASOFT\AD-AWARE 6\AD-AWARE.EXE" +c
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [POINTER] C:\PROGRA~1\MSHARD~1\point32.exe
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe
O4 - HKLM\..\RunServices: [MiniLog] C:\WINDOWS\SYSTEM\ZONELABS\MINILOG.EXE -service
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKCU\..\Run: [AIM] C:\PROGRAM FILES\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Eraser] C:\PROGRAM FILES\ERASER\ERASER.EXE -hide
O4 - HKCU\..\Run: [Reminder] C:\Program Files\Microsoft Money\System\reminder.exe
O4 - HKCU\..\Run: [MSMSGS] C:\Program Files\Messenger\msmsgs.exe /background
O4 - Startup: Album Fast Start.lnk = C:\Program Files\Ulead Systems\Ulead PhotoImpact 4.2\ABMTSR.EXE
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: ZoneAlarm.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
O4 - Global Startup: ZoneAlarm Pro.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
O9 - Extra button: Yahoo! Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra button: Net2Phone (HKLM)
O9 - Extra 'Tools' menuitem: Net2Phone (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: MSN Messenger Service (HKLM)
O9 - Extra button: Dell Home (HKCU)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {0D6451B3-FDDA-11D3-BFEC-00D0B725EB0B} (Yahoo! Vision) - http://download.yahoo.com/dl/fv/yv.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {AECD14A8-F662-11D1-A395-00805F535788} (Plotwon Control) - http://www.investors.com/member/ocx/plotwon.ocx
O16 - DPF: Yahoo! Finance MarketTracker - http://finance.yahoo.com/jmt/mt.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
O16 - DPF: {78267546-F2AC-11D2-A278-005004676C44} (WonList Control) - http://www.investors.com/member/ocx/WonList.ocx
O16 - DPF: {EE3CD402-69EB-4B53-819D-0CA2F95AD7DA} (PFMngr Control) - http://www.investors.com/member/ocx/PFMngr.ocx
O16 - DPF: {1DD81666-F3AD-11D3-BA86-00500487B4EC} (WonSearchX Control) - http://www.investors.com/member/ocx/WonSearchX.ocx
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003120501/housecall.antivirus.com/housecall/xscan53.cab
What should I do next?
Thank you both for responding to my request.
YoKenny
363 Posts
0
December 29th, 2003 17:00
Looks like you have Ad-aware set to run automatically on every boot up. This is good.
I would remove the following two entries with HijackThis:
O9 - Extra button: Net2Phone (HKLM)
O9 - Extra 'Tools' menuitem: Net2Phone (HKLM)
Please read the following links to improve your Internet experience.
I recommend SpywareBlaster and IE-SPYAD, updated frequently, available by reading these pages, to prevent unwanted things installing on your system.