
Please help remove Trojan

929 Views 3 Replies 2 Participants Last post by  Ellimac
Please help!

I have Windows 98. I think I have a Trojan. Internet shortcuts seem to have been added to my favorites folder without asking, my homepage is repeatedly changed (no matter how many times I change it back) and every time I try to visit certain websites I am automatically "hijacked" and taken to a different site (which itself claims to be a spyware remover but I am sceptical about this).

In order to combat this problem, I downloaded something called "HijackThis" which scanned my computer and gave me a list of files. Now I have to decide which ones to delete. The problem is I am not sure which ones are innocent and I don't want to remove anything vital. The list is as follows:

Logfile of HijackThis v1.97.7
Scan saved at 02:53:05, on 20/01/05
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v5.50 (5.50.4134.0600)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\KINGSOFT\POWERWORD 2003\XDICT.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\MOBSYNC.EXE
C:\WINDOWS\DESKTOP\CHINESE STUFF\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://c:\windows\TEMP\sp.dll/sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://c:\windows\TEMP\sp.dll/sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.whsmithonline.co.uk/redir.asp?page=home
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by WHSmith Online
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O1 - Hosts: 62.189.6.78 _sip._tls.sip1.callserve.com
O1 - Hosts: 62.189.6.78 _sip._ssl.sip1.callserve.com
O1 - Hosts: 62.189.6.79 _sip._tls.sip2.callserve.com
O1 - Hosts: 62.189.6.79 _sip._ssl.sip2.callserve.com
O1 - Hosts: 62.189.6.85 _sip._tls.sip5.phoneserve.com
O1 - Hosts: 62.189.6.85 _sip._ssl.sip5.phoneserve.com
O1 - Hosts: 62.189.6.86 _sip._tls.sip6.phoneserve.com
O1 - Hosts: 62.189.6.86 _sip._ssl.sip6.phoneserve.com
O1 - Hosts: 62.189.6.93 _sip._tls.sip7.phoneserve.com
O1 - Hosts: 62.189.6.93 _sip._ssl.sip7.phoneserve.com
O1 - Hosts: 62.189.6.108 _sip._tls.sip8.phoneserve.com
O1 - Hosts: 62.189.6.108 _sip._ssl.sip8.phoneserve.com
O1 - Hosts: 62.189.6.61 _sip._tls.sip17.phoneserve.com
O1 - Hosts: 62.189.6.61 _sip._ssl.sip17.phoneserve.com
O1 - Hosts: 62.189.6.62 _sip._tls.sip18.phoneserve.com
O1 - Hosts: 62.189.6.62 _sip._ssl.sip18.phoneserve.com
O2 - BHO: (no name) - {D81ECD21-69B3-11D9-B842-0009B0C4FF95} - C:\WINDOWS\SYSTEM\CJPEIM.DLL
O3 - Toolbar: @msdxmLC.dll,[email protected],&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [McAfeeVirusScanService] c:\Program Files\Network Associates\VirusScan\AVSYNMGR.EXE
O4 - HKCU\..\Run: [Timer] C:\WINDOWS\TIMER.EXE
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: Powerword 2003.lnk = C:\Program Files\Kingsoft\Powerword 2003\XDICT.EXE
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: PowerWord (HKLM)
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O14 - IERESET.INF: START_PAGE_URL=http://www.whsmithonline.co.uk/redir.asp?page=home

I think all the ones which end in "about:blank" are dodgy but I'm not sure about the callserve and phoneserve ones, as I use the callserve to make phone calls. Please could you advise me which ones to remove?

On the same day I discovered the Trojan problem, I also had an error message saying that my virus scan program (McAfee) could not start because the file "avsynch.dll" was missing or outdated. Is this the cause or the result of the Trojan's arrival?

Thank you very, very much for your help.
Status
Not open for further replies.
The problem is that I can't download those things! When I try to open the pages I get redirected to the about:blank page. The same for when I try to get Microsoft updates. Any suggestions?

Although I DID manage to download the newer Hijack This, it won't run. When I try to open it I get an error message claiming that it is a movie which cannot be played... What can I do?