[pc plodder]

HELP!!!!!!!

Can someone please check this log for me.

Problem is when i click settings the control panel takes anything up to 1 min to open same problem with Realplayer and sometimes on the web some sites are soooo slow to open.

Ran AVG 6 with the latest update and it found 4 viruses (trojans)

File name Virus

C:\SVKUUF~1.EXE Downloader Femad L
C:\GHGSWK~1EXE as above
C:\MDMHELPV.EXE Downloader Femad K
C:\MDMHELPV.EXE Downloader Femad M

All these are in the virus vault at present as they can't be healed.
Could this be the problem?
I have run Adaware (latest version) Spybot and CWS all latest but this only showed up on AVGs' virus check.
The other thing i'd like to know is how did they get past my firewall (Sygate free edition) and AVG, as AVG usually warns if a virus attack is underway. Anyway here's the log
Logfile of HijackThis v1.97.7
Scan saved at 15:13:16, on 25/03/04
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v5.50 (5.50.4134.0600)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\SYGATE\SPF\SMC.EXE
C:\PROGRAM FILES\GRISOFT\AVG6\AVGSERV9.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\WINDOWS\MSMSGS.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\PROGRAM FILES\GRISOFT\AVG6\AVGCC32.EXE
C:\PROGRAM FILES\AOL 7.0\AOLTRAY.EXE
C:\WINDOWS\FSSCRCTL.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\TEMP\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.aol.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.aol.co.uk
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by AOL
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;<local>
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://www.aol.co.uk
O3 - Toolbar: @msdxmLC.dll,[email protected],&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [Windows Messenger ] c:\windows\msmsgs.exe /passportlogon /delaysync /shortpackets
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\SYGATE\SPF\SMC.EXE -startgui
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\GRISOFT\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SmcService] C:\PROGRAM FILES\SYGATE\SPF\SMC.EXE
O4 - HKLM\..\RunServices: [Avgserv9.exe] C:\PROGRA~1\GRISOFT\AVG6\Avgserv9.exe
O4 - Startup: AOL 7.0 Tray Icon.lnk = C:\Program Files\AOL 7.0\aoltray.exe
O4 - Startup: Screen Saver Control.lnk = C:\WINDOWS\FSScrCtl.exe
O9 - Extra button: Freeserve (HKCU)
O12 - Plugin for .mpeg: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin4.dll
O12 - Plugin for .MPG: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin4.dll
O12 - Plugin for .mid: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin3.dll
O12 - Plugin for .avi: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.aol.co.uk
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/...ash/swflash.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {f760cb9e-c60f-4a89-890e-fae8b849493e} -
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/...bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/...n/bin/cabsa.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.c...7875.5175925926
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/...director/sw.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/244e0ae...ip/RdxIE601.cab

Thanks

Steve

P.S Just been infected with another damn trojan.

It seems to come in via MDMHELPV.exe. Sygate used to ask if i wanted this to acess the network but now it seems to bypass the firewall as it doesn't ask anymore........any ideas?

 

[$teve]

http://vil.nai.com/vil/stinger/
Go to the above site,download and run Stinger.

Re-boot after.

Download AdAware 6 181 from here: http://www.lavasoftusa.com/
Before you scan with AdAware, check for updates of the reference file by using the "webupdate".
Then ........

Make sure the following settings are made and on -------"ON=GREEN"
From main window :Click "Start" then " Activate in-depth scan"

Then......

Click "Use custom scanning options>Customize" and have these options on: "Scan within archives" ,"Scan active processes","Scan registry", "Deep scan registry" ,"Scan my IE Favorites for banned URL" and "Scan my host-files"

Then.........

Go to settings(the gear on top of AdAware)>Tweak>Scanning engine and tick "Unload recognized processes during scanning" and "Let windows remove files in use at next reboot"

Then...... click "proceed" to save your settings.

Now to scan it´s just to click the "Scan" button.

When scan is finished mark everything for removal and get rid of it.(Right-click the window and choose"select all" from the drop down menu)

Now re-boot...

Then
Download Spybot - Search & Destroy from http://security.kolla.de

After installing, first press Online, and search for, put a check mark at, and install all updates.
Next, close all Internet Explorer and OE windows, hit 'Check for Problems', and have SpyBot remove all it finds that is marked in RED

Run an online antivirus check from at least one and preferably 2 of the following sites....
http://security.symantec.com/default.asp?
http://housecall.trendmicro.com/
http://www.pandasoftware.com/activescan/
http://www.ravantivirus.com/scan/

Re-boot again.

Then post a new HijackThis log to check what is left.

And when this is all clean...
Consider installing the following:

SpywareBlaster v2.6.1 and SpywareGuard v2.2, to prevent Active-X drive-by installations, as well as provide real-time browser hijacking protection: http://www.wilderssecurity.net/index.html

IE-SPYAD, a registry file that adds a long list of known "sites" to the Restricted Sites of your Internet Explorer: http://www.staff.uiuc.edu/~ehowes/resource.htm

 

[pc plodder]

O.K Will do all you suggested and post the revised log later today.

I have all the programmes you mention from DVK01 postings and will run them all again.
Thanks for your reply
regards
Steve

 

[pc plodder]

Sorry for the delay in reposting. This was caused by power failure in my area.

Have done all you asked and the latest log is shown below.

During the online scan a file came up as infected. it is a zip file named Malta and was downloaded on 29.8.02 so i don't think this is the cause of my problems, however it still needs removing so can i just delete it.

Scan says-:

My documents.Malta\malta.mim (base64)-Win32/[email protected] infected. So could you please advise
Logfile of HijackThis v1.97.7
Scan saved at 11:25:20, on 27/03/04
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v5.50 (5.50.4134.0600)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\SYGATE\SPF\SMC.EXE
C:\PROGRAM FILES\GRISOFT\AVG6\AVGSERV9.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\WINDOWS\MSMSGS.EXE
C:\PROGRAM FILES\GRISOFT\AVG6\AVGCC32.EXE
C:\PROGRAM FILES\AOL 7.0\AOLTRAY.EXE
C:\WINDOWS\FSSCRCTL.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\PROGRAM FILES\WINZIP\WINZIP32.EXE
C:\WINDOWS\TEMP\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.aol.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.aol.co.uk
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by AOL
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;<local>
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://www.aol.co.uk
O3 - Toolbar: @msdxmLC.dll,[email protected],&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [Windows Messenger ] c:\windows\msmsgs.exe /passportlogon /delaysync /shortpackets
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\SYGATE\SPF\SMC.EXE -startgui
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\GRISOFT\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SmcService] C:\PROGRAM FILES\SYGATE\SPF\SMC.EXE
O4 - HKLM\..\RunServices: [Avgserv9.exe] C:\PROGRA~1\GRISOFT\AVG6\Avgserv9.exe
O4 - Startup: AOL 7.0 Tray Icon.lnk = C:\Program Files\AOL 7.0\aoltray.exe
O4 - Startup: Screen Saver Control.lnk = C:\WINDOWS\FSScrCtl.exe
O9 - Extra button: Freeserve (HKCU)
O12 - Plugin for .mpeg: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin4.dll
O12 - Plugin for .MPG: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin4.dll
O12 - Plugin for .mid: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin3.dll
O12 - Plugin for .avi: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.aol.co.uk
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {f760cb9e-c60f-4a89-890e-fae8b849493e} -
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37875.5175925926
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/244e0aed5985bc292e06/netzip/RdxIE601.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab

P.S I have read a lot of bits and bobs on "dialers" As i know nowt about computing (newbie) could you tell me
A What is a dialer
B How do i know if i have one
C What are the security inplications

Regards
Steve

 

[$teve]

Dialer - A definition:
Programs that use a system, without your permission or knowledge, to dial numbers with extremely high charges.
Security implications are huge if your on dial-up.
You dont have one.

These are a couple of things that are not needed to be running at boot......HijackThis will not delete them,just stop them from auto loading.
Run hijackthis again and put a checkmark against these entries....
.....then,close all browser and outlook windows and "fix checked"

O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

As for whatever you want to delete.

Reboot into safe mode by following instructions here: http://service1.symantec.com/SUPPOR...001052409420406
then as some of the files or folders you need to delete may be hidden do this:
Open Windows Explorer & Go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and untick "hide extensions for known file types" . Now click "Apply to all folders"
Click "Apply" then "OK"

Anything in the virus vault is safe and can be left or removed.

 

[pc plodder]

Thanks for your help Steve.

I take it after i have done all this i will be o.k and no need to submit another Hijack this

Regards
Steve
:up:

 

[$teve]

Should be ok.......post back if you need anything,and read up on dvk`s tips.....they are very informative,copy/paste them and e-mail them around.......kind of like a chain letter