Discussion Starter · #1 ·
I picked up a virus through my Internet Explorer 6.0, and as a result picked up a hijacking webpage along with a bundle of Trojans. I successfully deleted the hijacking webpage, but a bundle of infected files remained. My AVG 6.0 Anti-virus software instantly picked up the infected files and healed most of them and placed them in my virus vault. But every time I restore those "healed" files from my virus vault to their original place on my computer, I get the virus detected message again. The actual names of the files in my virus vault and the actual virus name associated with them are: olehelp.exe, which has the virus name Trojan horse Startpage.3.AR. I manually deleted this file as it became increasingly clear that this was malware; msdos.exe, which has Backdoor.Jeemp.A, and it was deleted by my F-Prot Anti-Virus software as it said that the msdos.exe file could not be disinfected, but could only be deleted. So I did. I hope to get someone's confirmation that I did the right thing in deleting those files, and that they were malware. Now the other file in my virus vault is xwxload.exe, and it has the virus name of Trojan horse Downloader.X. Is it alright to delete this one as well, and is it malware? One last question is regarding my CWShredder and the fact that it does not pick up a file named CWS.Control during the scanning process, but does show that file on the summary or logfile. Also, I went in my registry and clicked edit and then find, and keyed in control.exe, and 2 listings of CWS.Control showed in my registry. They are listed this way: CWS.Control and CWS Control without the period in between, as if that makes any difference. Is it alright to manually delete those 2 listings from my registry? Here is an actual copy of my CWShredder logfile. When olehelp.exe was on my computer, it was listed right underneath where CWS.Control is listed on my CWShredder logfile. Thanks for your time.

CWShredder v1.53.4 scan only report
Please understand that a CWShredder 'Scan only' report
might not be sufficient to troubleshoot an infected system.
You can use HijackThis for that:
http://www.merijn.org/files/hijackthis.zip
http://www.spywareinfo.com/~merijn/files/hijackthis.zip

Windows 98 (4.10.2222 A)
Windows dir: C:\WINDOWS
Windows system dir: C:\WINDOWS\system
AppData folder: C:\WINDOWS\Application Data
Username: User

Hosts file not present
Found CWS.Control (if filesize is over 50k) file: C:\WINDOWS\control.exe (2112 bytes, A)
Registry value: DefaultPrefix (should be http://) [] http://
Registry value: WWW Prefix (should be http://) [www] http://
Registry value: Mosaic Prefix (should be http://) [mosaic] http://
Registry value: Home Prefix (should be http://) [home] http://
Found Win.ini file: C:\WINDOWS\win.ini (8778 bytes, A)
Found line in Win.ini: load=essspk.exe
Found line in Win.ini: run=
Found System.ini file: C:\WINDOWS\system.ini (2101 bytes, A)
Found line in System.ini: shell=Explorer.exe

- END OF REPORT

Discussion Starter · #3 ·
Currently I have the hijackthis software, and have run it several times and it has not picked up anything in terms of malware or spyware, as it was the CWShredder software that did in fact delete the hijacking webpage that I had initially. Also, it will not show the xwx.load.exe in the Temporary Internet file, or the CWS.Control. Here is the hijackthis logfile as requested. Again, thank you for your time in helping me with this.

Logfile of HijackThis v1.97.7
Scan saved at 10:27:58 PM, on 3/22/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\PROGRAM FILES\GRISOFT\AVG6\AVGSERV9.EXE
C:\PROGRAM FILES\EXECUTIVE SOFTWARE\DISKEEPERLITE\DKSERVICE.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\GRISOFT\AVG6\AVGCC32.EXE
C:\WINDOWS\STARTER.EXE
C:\WINDOWS\ptsnoop.exe
C:\WINDOWS\SYSTEM\LXSUPMON.EXE
C:\PROGRAM FILES\REAL\REALPLAYER\REALPLAY.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\TEMP\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.bellsouth.net/
F1 - win.ini: load=essspk.exe
O2 - BHO: (no name) - {206E52E0-D52E-11D4-AD54-0000E86C26F6} - C:\PROGRA~1\FRESHD~1\FRESHD~1\FDCATCH.DLL
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\GRISOFT\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
O4 - HKLM\..\Run: [PTSNOOP] ptsnoop.exe
O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\SYSTEM\LXSUPMON.EXE RUN
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [Avgserv9.exe] C:\PROGRA~1\GRISOFT\AVG6\Avgserv9.exe
O4 - HKLM\..\RunServices: [DkService] C:\Program Files\Executive Software\DiskeeperLite\DkService.exe
O4 - HKCU\..\Run: [Star Downloader] C:\PROGRAM FILES\STAR DOWNLOADER\STARDOWN.EXE
O4 - Startup: Microsoft Office Shortcut Bar.lnk = C:\MSOffice\Office\MSOFFICE.EXE
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Real.com (HKLM)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37884.6387268519
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
O16 - DPF: {2253F320-AB68-4A07-917D-4F12D8884A06} (ChainCast VMR Client Proxy) - http://www.streamaudio.com/download/ccpm_0237.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 207.69.188.185
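An added example (my own code, not the poster's and not part of CWShredder or HijackThis) that runs a first triage pass over the kinds of log lines quoted in this thread. It parses CWShredder's size-conditional signature line (applying the "over 50k" threshold the tool itself prints, taken here as 50 * 1024 bytes, which is an assumption), the HijackThis F1 win.ini load= entry, the O4 registry Run entries, and the O17 NameServer entry, and returns the items a reviewer should verify by hand: an autostart command given as a bare filename with no directory is resolved through the search path at boot, so it cannot be judged from the log alone, and a NameServer override should be checked against the ISP's real DNS servers. The sample input is copied from the logs above.

```python
import re

# Sample input: lines copied from the CWShredder and HijackThis logs quoted in
# the thread above, mixed into one text so that one pass handles both formats.
SAMPLE_LOG = r"""
Found CWS.Control (if filesize is over 50k) file: C:\WINDOWS\control.exe (2112 bytes, A)
Found line in Win.ini: load=essspk.exe
F1 - win.ini: load=essspk.exe
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
O4 - HKLM\..\Run: [PTSNOOP] ptsnoop.exe
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 207.69.188.185
"""

# CWShredder's size-conditional signature line; the tool prints its own threshold.
CWS_SIZE_RE = re.compile(
    r"^Found (?P<sig>\S+) \(if filesize is over (?P<limit_kb>\d+)k\) file: "
    r"(?P<path>.+?) \((?P<size>\d+) bytes"
)
# HijackThis entries: F1 = win.ini load=/run=, O4 = registry Run keys, O17 = DNS.
F1_RE = re.compile(r"^F1 - win\.ini: (?P<key>load|run)=(?P<value>.*)$")
O4_RE = re.compile(
    r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]+)\] (?P<cmd>.+)$"
)
O17_RE = re.compile(r"^O17 - (?P<key>.+): NameServer = (?P<servers>.+)$")


def triage(log_text):
    """Return a list of findings (dicts with a 'kind' field) worth manual review."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue

        m = CWS_SIZE_RE.match(line)
        if m:
            size = int(m["size"])
            limit = int(m["limit_kb"]) * 1024  # assumption: "50k" means 50 KiB
            hit = size > limit
            findings.append({
                "kind": "cws_size_check",
                "signature": m["sig"],
                "path": m["path"],
                "size": size,
                "threshold_hit": hit,
                "note": ("file exceeds the tool's stated size threshold" if hit
                         else "file is below the tool's stated size threshold; "
                              "the signature does not apply to it"),
            })
            continue

        m = F1_RE.match(line)
        if m and m["value"]:
            # win.ini load=/run= is a legacy autostart vector; a non-empty value
            # names a program started at logon and should be identified.
            findings.append({"kind": "winini_autostart",
                             "key": m["key"], "value": m["value"]})
            continue

        m = O4_RE.match(line)
        if m:
            first_token = m["cmd"].split()[0]
            if "\\" not in first_token:
                # No directory given: Windows resolves it via the search path,
                # so the file that actually runs must be located before judging.
                findings.append({"kind": "unqualified_autostart",
                                 "name": m["name"], "command": m["cmd"]})
            continue

        m = O17_RE.match(line)
        if m:
            findings.append({"kind": "dns_override",
                             "key": m["key"], "servers": m["servers"].strip()})

    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f)
```

Run as-is, the pass reports the control.exe line as below CWShredder's own 50k threshold, lists load=essspk.exe as a win.ini autostart to identify, flags the three Run entries that name a program without a path, and surfaces the NameServer value for comparison with the ISP's published servers.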
 

Hi Doc77, on the IE toolbar, click ''Windows Update'' and install all available critical updates that apply to your computer.

... A couple more recommendations:

On the IE toolbar, click Tools > Internet Options > Advanced, scroll down to Security and put a check in ''Empty Temporary Internet Files Folder when browser is closed''. Click Apply.

Create a new folder in C:\ and name it -> ie-spyads. Download IE-SPYAD.ZIP. Extract the IE-spyad files to the new C:\IE-spyad folder, click Install.bat, and select options #2 and #4.

Good luck