Monkey Proof Posted May 15, 2006

Some more infections that I can't clean up. The desktop got hijacked with some popup from an anti-malware website that will not leave. There were lots of Java exploits that I pretty much cleaned up, but obviously some others still exist. All this from my stepdad visiting a poker website, so he says, but the history says otherwise.

Logfile of HijackThis v1.99.1
Scan saved at 10:01:41 PM, on 5/14/2006
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\PROGRAM FILES\CA\ETRUST EZ ARMOR\ETRUST EZ ANTIVIRUS\ISAFE.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\PROGRAM FILES\CA\ETRUST EZ ARMOR\ETRUST EZ ANTIVIRUS\VETMSG.EXE
C:\PROGRAM FILES\CA\ETRUST EZ ARMOR\ETRUST EZ ANTIVIRUS\VETTRAY.EXE
C:\WINDOWS\SYSTEM\E_S4I2G1.EXE
C:\WINDOWS\S3JHBWVY\COMMAND.EXE
C:\WINDOWS\SYSTEM\HIDSERV.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\TEMP\TD_0001.DIR\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE c:\windows\SYSTEM\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Hidserv] Hidserv.exe run
O4 - HKLM\..\Run: [Vet Alert] C:\PROGRA~1\CA\ETRUST~1\ETRUST~1\VETMSG.EXE
O4 - HKLM\..\Run: [VetTray] C:\PROGRA~1\CA\ETRUST~1\ETRUST~1\VETTRAY.EXE
O4 - HKLM\..\Run: [EPSON Stylus CX5400] C:\WINDOWS\SYSTEM\E_S4I2G1.EXE /P19 "EPSON Stylus CX5400" /O5 "LPT1:" /M "Stylus CX5400"
O4 - HKLM\..\Run: [Command] C:\WINDOWS\S3JhbWVy\command.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [CAISafe] C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\isafe.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 85.255.114.91,85.255.112.102
O21 - SSODL: oGkpHcZyPWNnN - {08361909-A29C-B3A3-64D8-9B624DB10F56} - C:\WINDOWS\SYSTEM\SPJ.DLL

Here is what I found to delete, but I want to confirm first:
C:\WINDOWS\SYSTEM\E_S4I2G1.EXE
C:\WINDOWS\S3JHBWVY\COMMAND.EXE
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [Hidserv] Hidserv.exe run
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 85.255.114.91,85.255.112.102
O21 - SSODL: oGkpHcZyPWNnN - {08361909-A29C-B3A3-64D8-9B624DB10F56} - C:\WINDOWS\SYSTEM\SPJ.DLL
Tarun (Administrator) Posted May 15, 2006

What you've posted to remove is pretty good. A few things can stay, though. Radio is clean; it lets you listen to music online. Hidserv is clean. Link. Messenger is clean too; that just gives you a button in IE. The rest can definitely go. If you feel eTrust is missing viruses, try avast!.
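The triage the thread arrives at (keep the Radio toolbar, Hidserv and Messenger entries; remove the autorun from an odd directory, the DNS NameServer override and the SSODL DLL) can be expressed as simple rules over the HijackThis entry lines. The following Python is an added example written for this page, not code from the thread or from HijackThis itself: it parses `O4`, `O17` and `O21` entries from an HJT-style log and flags the three classes above. The allowed-directory prefixes, the SSODL name allowlist and the sample log (re-typed from the posted log, one entry per line) are constructed assumptions for the example; every flagged item still has to be checked by hand before anything is removed.

```python
"""Flag HijackThis-style entries that warrant review: O4 autoruns started from an
unexpected directory, O17 DNS NameServer overrides, and O21 ShellServiceObjectDelayLoad
DLLs.  Heuristics and allowlists are constructed for this example, not HijackThis logic."""
import re

# Constructed sample: the entry lines from the thread's posted log, one per line.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE c:\windows\SYSTEM\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Hidserv] Hidserv.exe run
O4 - HKLM\..\Run: [Vet Alert] C:\PROGRA~1\CA\ETRUST~1\ETRUST~1\VETMSG.EXE
O4 - HKLM\..\Run: [EPSON Stylus CX5400] C:\WINDOWS\SYSTEM\E_S4I2G1.EXE /P19 "EPSON Stylus CX5400" /O5 "LPT1:" /M "Stylus CX5400"
O4 - HKLM\..\Run: [Command] C:\WINDOWS\S3JhbWVy\command.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [CAISafe] C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\isafe.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 85.255.114.91,85.255.112.102
O21 - SSODL: oGkpHcZyPWNnN - {08361909-A29C-B3A3-64D8-9B624DB10F56} - C:\WINDOWS\SYSTEM\SPJ.DLL
"""

# An HJT entry is "<section> - <body>", e.g. "O4 - HKLM\..\Run: [Name] C:\path\file.exe args".
ENTRY_RE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.*)$")
# A drive-letter path up to a known executable extension; tolerates unquoted spaces
# ("C:\Program Files\...\isafe.exe") by stopping at the extension boundary.
PATH_RE = re.compile(r"[A-Za-z]:\\.+?\.(?:exe|dll|com|bat|scr|pif|vbs)(?=[\s,\"]|$)", re.IGNORECASE)

# Constructed allowlists for this example.  Autoruns launched from these locations are
# treated as expected; anything else (e.g. a random-looking folder under WINDOWS) is flagged.
EXPECTED_DIR_PREFIXES = (r"C:\WINDOWS\SYSTEM", r"C:\PROGRA~1", r"C:\PROGRAM FILES")
# SSODL names shipped by Windows; any other name is flagged for review.
KNOWN_SSODL_NAMES = {"WEBCHECK", "SYSTRAY", "POSTBOOTREMINDER", "CDBURN"}


def parent_dir(path):
    """Upper-cased directory part of a Windows path."""
    return path.upper().rstrip("\\").rsplit("\\", 1)[0]


def dir_is_expected(directory):
    return directory == r"C:\WINDOWS" or directory.startswith(EXPECTED_DIR_PREFIXES)


def triage(log_text):
    """Return a list of (section, reason, original_line) for entries worth reviewing."""
    findings = []
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue  # header lines, process list, blank lines
        sec, body = m.group("sec"), m.group("body")
        if sec == "O4":
            # Only entries with an explicit drive path are judged; bare names such as
            # "Hidserv.exe run" resolve through the system path and are left alone here.
            for path in PATH_RE.findall(body):
                directory = parent_dir(path)
                if not dir_is_expected(directory):
                    findings.append((sec, f"autorun from unexpected directory {directory}", raw))
                    break
        elif sec == "O17" and "NameServer" in body:
            # An explicit resolver in the TCP/IP settings sends every lookup to those hosts;
            # confirm they are the ISP's or the router's before trusting them.
            servers = body.split("=", 1)[1].strip()
            findings.append((sec, f"DNS resolver overridden: {servers}", raw))
        elif sec == "O21":
            # SSODL DLLs load with the shell at every logon; unknown names get reviewed.
            name = body.split(":", 1)[1].split("-", 1)[0].strip()
            if name.upper() not in KNOWN_SSODL_NAMES:
                findings.append((sec, f"unrecognised SSODL entry '{name}'", raw))
    return findings


if __name__ == "__main__":
    for sec, reason, line in triage(SAMPLE_LOG):
        print(f"{sec}: {reason}\n    {line}")
```

Run against the sample, the script reports exactly the three entries the thread removes (the `[Command]` autorun under `C:\WINDOWS\S3JHBWVY`, the `85.255.x.x` NameServer pair, and the `oGkpHcZyPWNnN` SSODL DLL) and stays silent on the Epson, eTrust, NVIDIA, Hidserv, Radio and Messenger entries.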
Monkey Proof (Author) Posted May 16, 2006

I deleted eTrust from the machine and downloaded Avast. So far I'm impressed with Avast. It's a little slow scanning on their machine, but I figure it's because they are still running Windows ME. I'll test it out on their machine for a few days, but I think I'm going to install it on my laptop. Now all I have to do is talk them into using Firefox instead of IE.