Hello

I have run HiJack This and below is my log:

Logfile of HijackThis v1.98.0
Scan saved at 18:20:39, on 02/03/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v5.50 SP1 (5.50.4522.1800)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\VSHWIN32.EXE
C:\PROGRAM FILES\REALVNC\VNC4\WINVNC4.EXE
C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\VSSTAT.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\PROGRAM FILES\PREVIEW ADSERVICE\PREVADSERV.EXE
C:\PROGRAM FILES\PLAXO\2.1.0.80\INSTALLSTUB.EXE
C:\WINDOWS\SMSS.EXE
C:\PROGRAM FILES\PREVIEW ADSERVICE\PREVADKEEP.EXE
C:\UNZIPPED\WINZIP\WZQKPICK.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\OUTLOOK EXPRESS\MSIMN.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\HP SHARE-TO-WEB\HPGS2WNF.EXE
C:\WINDOWS\DESKTOP\HIJACK THIS\HIJACKTHIS.EXE

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.btopenworld.com/togetherinternet
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.btopenworld.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by BT Together with 24/7 Internet
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_5_7_0.DLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\ACROBAT\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\PROGRAM FILES\EPSON\EPSON WEB-TO-PAGE\EPSON WEB-TO-PAGE.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\windows\googletoolbar.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\PROGRAM FILES\EPSON\EPSON WEB-TO-PAGE\EPSON WEB-TO-PAGE.DLL
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_5_7_0.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\googletoolbar.dll
O4 - HKLM\..\Run: [SystemTray] systray.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [WindowsUpdate] C:\WINDOWS\SVCHOST.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Vshwin32EXE] C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\VSHWIN32.EXE
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\Run: [Preview AdService] C:\PROGRAM FILES\PREVIEW ADSERVICE\PREVADSERV.EXE
O4 - HKLM\..\RunServices: [Vshwin32EXE] C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\VSHWIN32.EXE
O4 - HKLM\..\RunServices: [WinVNC4] "C:\PROGRAM FILES\REALVNC\VNC4\WINVNC4.EXE" -noconsole -service
O4 - HKCU\..\Run: [msnmsgr] "C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE" /background
O4 - HKCU\..\Run: [PlaxoUpdate] C:\Program Files\Plaxo\2.1.0.80\InstallStub.exe -a
O4 - HKCU\..\Run: [Service Manager] C:\WINDOWS\smss.exe
O4 - Startup: WinZip Quick Pick.lnk = C:\unzipped\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Google Search - res://C:\WINDOWS\GOOGLETOOLBAR.DLL/cmsearch.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\WINDOWS\GOOGLETOOLBAR.DLL/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\WINDOWS\GOOGLETOOLBAR.DLL/cmsimilar.html
O8 - Extra context menu item: Backward Links - res://C:\WINDOWS\GOOGLETOOLBAR.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate into English - res://C:\WINDOWS\GOOGLETOOLBAR.DLL/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O12 - Plugin for .mov: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .mid: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.btopenworld.com/togetherinternet
O16 - DPF: {200B9822-FDDD-4635-A8A4-066AC69ECF8A} ({200B9822-FDDD-4635-A8A4-066AC69ECF8A}) - http://gateway.ptssa.net/ws/ws.cab
O16 - DPF: {CE3409C4-9E26-4F8E-83E4-778498F9E7B4} (PB_Uploader Class) - http://static.photobox.co.uk/sg/common/uploader.ocx
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by22fd.bay22.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O16 - DPF: {38578BF0-0ABB-11D3-9330-0080C6F796A1} (Create & Print ActiveX Plug-in) - http://di.imgag.com/imgag/cp/install/AxCtp.cab
O16 - DPF: {08BEF711-06DA-48B2-9534-802ECAA2E4F9} (PlxInstall Class) - https://www.plaxo.com/down/release/PlaxoInstall.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/yinst/yinst_current.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EPUWALControl_v1-0-3-18.cab
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/DownloadsUnlimited/ie/bridge-c282.cab
O21 - SSODL: Linkaut - {D483EC80-4A8D-11D9-AEE4-444553540000} - C:\WINDOWS\SYSTEM\engkey.dll


Can anyone please tell me which files to remove, if any?

Many thanks
Nicole

It looks like you have two antivirus programs, Mcafee and AVG, running at the same time which can really slow down a computer. One of them needs to be removed. Personally I like AVG much better than Mcafee. Which ever one you keep, make sure it is up to date.

Darrin Seats
Cornerstone Computing
http://www.cs-computing.biz

It looks like you have two antivirus programs, Mcafee and AVG, running at the same time which can really slow down a computer. One of them needs to be removed. Personally I like AVG much better than Mcafee. Which ever one you keep, make sure it is up to date.

Darrin Seats
Cornerstone Computing
http://www.cs-computing.biz

Thanks Darrin...I really appreciate your help! I have removed Mcafee as suggested, and kept AVG.

I still feel something 'isn't quite right'. Can you see anything else that looks sinister in the HJT log file? When I type in www.trinitigiftshop.com (an online store I run), the following appears in my URL bar:

http://uk.search.yahoo.com/search?fr=ieas&p=www.trinitigiftshop.com&y=y


It's as though something has hijacked my browser. What do I do - help??!

Darrin, I found this information on the net with regards to uk.search.yahoo.com (which I feel is hijacking my browser).

Can you interpret for me what this person is saying (I'm wondering how I remove any corrupt files as I'm not a real techie). Thanks for any help.!

Sorry - here's the info on uk.search.yahoo.com:

VBS.QHOSTS
Description Published: 01 October 2003
Description Modified: 11 January 2005

The information below provides details about this virus.

Threat Assessment

Wild: Low

Destructiveness: Medium

Pervasiveness: Very Low

Risk: None

Characteristics

Type: Trojan
Category: Win32
Also known as:: BAT.Qhosts, JS.Qhosts, Win32.Qhosts, Win32.Qhosts.F, Win32.Qhosts.H, Win32.Qhosts.J, QHosts-1 (McAfee)


Immediate Protection Info
eTrust Antivirus 6x/v7* (InoculateIT Engine) 23.62.59 View Removal Instructions
eTrust EZ Antivirus 6.1x 6.0/4942 View Removal Instructions
eTrust InoculateIT 6.0
eTrust Antivirus 6.0 23.62.59 View Removal Instructions
Inoculan/InoculateIT 4.x 44.59 View Removal Instructions
Vet Anti-Virus 10.5x 10.5x/4942 View Removal Instructions
Vet Anti-Virus 10.6x 10.61.4942 View Removal Instructions

* Includes updates for InoculateIT and eTrust InoculateIT 6.0.
Download Signature Files
Scan For Viruses
Cleaning Utilities
Submit a Virus Sample

Description

VBS.Qhosts is a trojan that attempts to redirect Internet domain names, mainly for intercepting queries to search engine web pages such as www.google.com.

The trojan is loaded from a web page, which exploits a vulnerability in Microsoft Internet Explorer to run script with unrestricted access to the system. The vulnerability is addressed in the following Microsoft security bulletin and associated cumulative patch:


http://www.microsoft.com/technet/security/bulletin/MS03-040.asp

Once the malicious script is executed, the trojan will drop a file called AOLFIX.EXE into the Windows temporary directory. It then creates a batch file that will proceed to execute AOLFIX.EXE and delete it after the execution.

AOLFIX.EXE is a batch file compiled into a Windows binary executable by the "bat2exe" utility. Once run it will check if a file called %windows%\winlog exists. If it does, the trojan does nothing and will exit. If the "winlog" file is not found the trojan tries to modify the following registry keys:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\VxD\MSTCP\
"EnableDNS"="1"
"NameServer"="69.57.146.14,69.57.147.175"
"HostName"="host"
"Domain"="mydomain.com"

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\
"ProxyEnable"=dword:00000000
"MigrateProxy"=dword:00000000

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\
"Use Search Asst"="no"
"Search Page"="http://www.google.com"
"Search Bar"="http://www.google.com/ie"

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchURL\
""="http://www.google.com/keyword/%%s"
"provider"="gogl"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Search\
"SearchAssistant"="http://www.google.com/ie"

These settings will make an affected system use the IP addresses 69.57.146.14 and 69.57.147.175 as its DNS servers. They also change the domain name to host.mydomain.com, disable any IE proxy, and set the IE search page to point to www.google.com. These DNS name servers are probably used to redirect name queries to servers run by the trojan's author.

The trojan then checks if %windows%\system32\drivers\etc\services exists. If it finds this file, it will proceed to modify the following registry keys:
(note that the presence of the "services" file generally indicates that the trojan is dealing with Windows 2000 or Windows XP.)

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters
"DataBasePath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,74,00,25,00,5c,00,68,00,65,00,6c,00,70,00,00,00

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters
"DataBasePath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,74,00,25,00,5c,00,68,00,65,00,6c,00,70,00,00,00

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\interfaces\windows
"r0x"="your s0x"

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\interfaces\windows
"r0x"="your s0x"

The DataBasePath value is a unicode string, which redirects Windows to load the local hosts file from the directory %windows%\help, instead of the normal location %windows%\System32\drivers\etc.

The trojan will also enumerate and modify every NameServer value found under
HKLM\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces and HKLM\SYSTEM\ControlSet002\Services\Tcpip\Parameters\Interfaces
recursively to make sure that the DNS servers are set to 69.57.146.14 and 69.57.147.175 for every network interface present.

Next the trojan will modify the hosts file located in the %windows% directory so that the domain names of some popular search engines will resolve to the IP address 207.44.220.30.

The domain names are as follows:

www.google.akadns.net
www.google.com
google.com
www.altavista.com
altavista.com
search.yahoo.com
uk.search.yahoo.com
ca.search.yahoo.com
jp.search.yahoo.com
au.search.yahoo.com
de.search.yahoo.com
search.yahoo.co.jp
www.lycos.de
www.lycos.ca
www.lycos.jp
www.lycos.co.jp
alltheweb.com
web.ask.com
ask.com
www.ask.com
www.teoma.com
search.aol.com
www.looksmart.com
auto.search.msn.com
search.msn.com
ca.search.msn.com
fr.ca.search.msn.com
search.fr.msn.be
search.fr.msn.ch
search.latam.yupimsn.com
search.msn.at
search.msn.be
search.msn.ch
search.msn.co.in
search.msn.co.jp
search.msn.co.kr
search.msn.com.br
search.msn.com.hk
search.msn.com.my
search.msn.com.sg
search.msn.com.tw
search.msn.co.za
search.msn.de
search.msn.dk
search.msn.es
search.msn.fi
search.msn.fr
search.msn.it
search.msn.nl
search.msn.no
search.msn.se
search.ninemsn.com.au
search.t1msn.com.mx
search.xtramsn.co.nz
search.yupimsn.com
uk.search.msn.com
search.lycos.com
www.lycos.com
www.google.ca
google.ca
www.google.uk
www.google.co.uk
www.google.com.au
www.google.co.jp
www.google.jp
www.google.at
www.google.be
www.google.ch
www.google.de
www.google.se
www.google.dk
www.google.fi
www.google.fr
www.google.com.gr
www.google.com.hk
www.google.ie
www.google.co.il
www.google.it
www.google.co.kr
www.google.com.mx
www.google.nl
www.google.co.nz
www.google.pl
www.google.pt
www.google.com.ru
www.google.com.sg
www.google.co.th
www.google.com.tr
www.google.com.tw
go.google.com
google.at
google.be
google.de
google.dk
google.fi
google.fr
google.com.hk
google.ie
google.co.il
google.it
google.co.kr
google.com.mx
google.nl
google.co.nz
google.pl
google.com.ru
google.com.sg
www.hotbot.com
hotbot.com

If the trojan finds that the services file existed in %windows%\system32\drivers\etc, the hosts file will be placed inside the %windows%\help directory instead.

The trojan will finally create the file %windows%\winlog as a marker and will exit.

Have you tried running Adaware and Spybot? Make sure they are updated and then run them from safe mode. You can get to safe mode by pressing F8 when the computer starts to boot.

In addition to Ad-Aware and Spybot, please do the following:

Go to Windows Update and get the Critical Updates for your system

Get the latest version of HijackThis (currently 1.99.1)

Close all browser windows, scan with the updated hijackthis, post the new log.

You have a worm and a trojan. Reboot into safe mode following the instructions here and navigate to and delete the following:

C:\WINDOWS\SVCHOST.EXE
C:\WINDOWS\smss.exe

Reboot normally after doing the above, rescan with hijackthis, then post that log here please.

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.