virus again???

Question

fitchfrog19 0 Junior Poster in Training

19 Years Ago

I used to be able to just type in something in the address bar and press enter and it would take me to the msn search page... now it puts a http:///?%20 before what ever i typed... (example... if i searched for dvds it wouldnt go to the msn website... it would go to the "page can not be displayed website and the address bar would say http:///?%20dvds)

I have adaaware and spybot and i updated them both, ran them and fixed the problems... (besides for the usave one because i think thats how my bearshare runs for free?) i also have AVG free and it said it found 2 viruses but i deleted them as well...

what should i do? i had this problem once before and i did the whole shut system restore off and hijack this and such...

ALSO... before i noticed the 'searching through address bar' not working... a pop up came up, and i dont know if its from windows or a virus but it said windows in the top bar, and the message said i was being tracked and it would be tracking my credit card numbers and passwords and asked if i wanted to know how to fix it... i said no...

please help me!!! i have an older comp with a lot of things saved on it and i cant afford to lose anything from a virus crashing... and i especially cant afford to have my credit #'s and passwords hacked!!!

any help will he GREATLY APPRECIATED!!!

:sad: :sad: :sad:

windows-virus

5 Contributors
35 Replies
325 Views
1 Week Discussion Span
Latest Post 19 Years Ago Latest Post by fitchfrog19

All 35 Replies

helloimtim 0 Junior Poster

19 Years Ago

I had to respond to this one. I see the word bare share. Here is a idea to keep virus and spy ware off your computer and stop having to reformat your hard drive. Quit using file sharing programs. Its that simple. No spy ware, virus, browser will help until you quit downloading stuff from file sharing. Thats 90 percent of the problem and how most people get these problems. Unless your hardcore fire fox user. Then its probably IE to start with eh? Just my 2 cents...

dlh6213 27 Posting Maven

19 Years Ago

I agree with hellotim's opinion about the use of bearshare being a possible entryway for malware.

Any data you have that you feel is important enough to keep, you should be backing up regularly so you don't have to worry about losing it when (not 'if') something happens.

You should get the latest version of hijackthis from here:

http://www.spywareinfo.com/~merijn/

As always, close all browser windows, scan with HJT, save the log, copy and paste it here.

dlh6213 27 Posting Maven

19 Years Ago

You should never click on any popups; you should either right-click and select Close, or use Task Manager to end it.

USave may have been installed via Bearshare, but I don't belive it's a part of it. Here is a bit of info on it:
http://www.liutilities.com/products/wintaskspro/processlibrary/save/

Download Hoster from http://members.aol.com/toadbee/hoster.zip

Now, scan with HJT and have it fix the following entries:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\jbqdi.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\jbqdi.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\jbqdi.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\jbqdi.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\jbqdi.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\jbqdi.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [WhenUSave] C:\PROGRA~1\SAVE\Save.exe
O4 - HKLM\..\Run: [SYSBA32.EXE] C:\WINDOWS\SYSBA32.EXE
O4 - HKLM\..\RunServices: [NETYS.EXE] C:\WINDOWS\NETYS.EXE
O16 - DPF: {EB623776-492A-42CA-9571-3AA39F58530B} - http://www.alwaysupdatednews.com/install/aun_0011.exe

Be sure all windows are closed before hitting the Fix button.

Go to the following and delete the highlighted file or folder:

C:\WINDOWS\SYSBA32.EXE
C:\WINDOWS\NETYS.EXE
C:\PROGRAM FILES\SAVE

I'm not sure about these, do you know what they're for?
O4 - HKLM\..\RunServices: [AVKService] C:\PROGRA~1\EXTEND~1\AVKSER~1.EXE
O4 - HKLM\..\RunServices: [WINLJ32.EXE] C:\WINDOWS\SYSTEM\WINLJ32.EXE
If not, right-click on them, go to Properties, and give us whatever info you can on each of them.

Run Hoster and press Restore Original Hosts, OK, and Exit Program.

Reboot

Close all browser windows, scan with HJT, and post a new log please.

dlh6213 27 Posting Maven

19 Years Ago

also... i didnt have my system restore off like i did before when i did the hijack this... just to let you know before you give me any more advice!!!

I'm not real sure what you mean by this, but if you have System Restore off now, you should turn it back on after your system is cleaned up; if it is on now, you should set a new Restore Point when your system is clean.

crunchie 990 Most Valuable Poster

19 Years Ago

Download about:Buster and unzip it to your Desktop. Doubleclick on AboutBuster.exe to run it and then click on Update > Check for Update. If there is an update available, click on 'Download Update and wait while it downloads. Once downloaded, click on Exit.

When you have done this, boot into Safe Mode (restart your PC and tap F8 as it restarts) and make sure that you can view hidden files and folders.

Close all open windows and run Hijack This again. Check the below entries and click on Fix Checked.

R3 - Default URLSearchHook is missing

O2 - BHO: Class - {A9593486-C5F0-338D-36D5-AEC2E367709D} - C:\WINDOWS\NETJT32.DLL

O4 - HKLM\..\RunServices: [APIWE.EXE] C:\WINDOWS\SYSTEM\APIWE.EXE

Close Hijack This and run about:Buster again, click the 'Start' button and then click the 'OK' button. Let it scan (the scan can take some time to complete, so be patient.). Once the first scan has completed, it will ask you if you wish for about:Buster to scan once more. Click Yes and let it scan a second time. Once the second scan has finished, copy and paste the report to Notepad and save it on your drive.

To copy and paste the report to a log file, select (highlight) all of the text produced by the scan with your mouse, right-click and select 'Copy'.

Next, launch Notepad (click Start > Run > type notepad.exe and press enter). When the file is open, rightclick and select Paste. Click on File > Save As and save it in C:\ as Log.txt. Copy the log and post it back in this thread when you have rebooted.

While still in Safe Mode, run a search and make sure that all of the below files in bold have been deleted (if not delete them):

C:\WINDOWS\NETJT32.DLL----file
C:\WINDOWS\SYSTEM\APIWE.EXE----file

Reboot, reset your Home Page and run a Housecall scan. It will get rid of any remaining files. Post a new Hijack This log (and your About Buster log).

Reply to this topic

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.

fitchfrog19 0 Junior Poster in Training · Answer 1 · 2005-02-27T15:45:12+00:00

here is the logfile

Logfile of HijackThis v1.99.1
Scan saved at 4:43:14 AM, on 2/27/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\WINLJ32.EXE
C:\WINDOWS\NETYS.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\MOTIVE\MOTMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMKEYBD.EXE
C:\PROGRAM FILES\SAVE\SAVE.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\WINDOWS\SYSBA32.EXE
C:\PROGRAM FILES\REAL\REALPLAYER\REALPLAY.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\KEYBDMGR.EXE
C:\WINDOWS\SYSTEM\LEXBCES.EXE
C:\PROGRAM FILES\NETROPA\ONSCREEN DISPLAY\OSD.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMUSBKB2.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\AIM\AIM95_C3\AIM.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\HJT\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\jbqdi.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\jbqdi.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\jbqdi.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\jbqdi.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\jbqdi.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\jbqdi.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {61BEF94D-FEB3-6762-1FEA-E8A2F75960A4} - C:\WINDOWS\SDKOV32.DLL
O2 - BHO: Class - {45A0A8DF-EE7E-77F2-7AAD-E2A44CA486A4} - C:\WINDOWS\SYSTEM\ATLCB32.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [LexmarkPrinTray] PrinTray.exe
O4 - HKLM\..\Run: [MotiveMonitor] C:\Program Files\Motive\motmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Keyboard Manager] C:\Program Files\Netropa\One-touch Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [LWBKEYBOARD] C:\Program Files\MultiMedia Keyboard\MultiMedia Keyboard\1.1\KbdAp32A.exe
O4 - HKLM\..\Run: [FLMOFFICE4DMOUSE] C:\Program Files\Browser MOUSE\mouse32a.exe
O4 - HKLM\..\Run: [WhenUSave] C:\PROGRA~1\SAVE\Save.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\Run: [SYSBA32.EXE] C:\WINDOWS\SYSBA32.EXE
O4 - HKLM\..\RunServices: [AVKService] C:\PROGRA~1\EXTEND~1\AVKSER~1.EXE
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [WINLJ32.EXE] C:\WINDOWS\SYSTEM\WINLJ32.EXE
O4 - HKLM\..\RunServices: [NETYS.EXE] C:\WINDOWS\NETYS.EXE
O8 - Extra context menu item: &AOL Toolbar search - res://C:\PROGRAM FILES\AOL TOOLBAR\TOOLBAR.DLL/SEARCH.HTML
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM\AIM95_C3\AIM.EXE
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O14 - IERESET.INF: START_PAGE_URL=http://hp.my.yahoo.com
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {9FC5238F-12C4-454F-B1B5-74599A21DE47} (Webshots Photo Uploader) - http://community.webshots.com/html/WSPhotoUploader.CAB
O16 - DPF: {EB623776-492A-42CA-9571-3AA39F58530B} - http://www.alwaysupdatednews.com/install/aun_0011.exe

and about the bearshare... i only have like 10 downloaded songs because i just cancelled kAZaa and got it... i havent even used it in about 2 weeks... i think i clicked on a pop up by mistake instead of clicking no or closing it... ?

fitchfrog19 0 Junior Poster in Training · Answer 2 · 2005-02-27T15:46:20+00:00

also... i didnt have my system restore off like i did before when i did the hijack this... just to let you know before you give me any more advice!!!

fitchfrog19 0 Junior Poster in Training · Answer 3 · 2005-02-27T17:17:39+00:00

the two you asked me about looked like the names of the files that were "viruses" according to the AVG so i deleted them with everything, ran the hoster and here is the new log file... if its okay... can you tell me how to set the new restore point? and should i get rid of adaware and spybot? i got the pop up again about my credit #'s being tracked... its not a pop up like the ads that come up when your looking on the web, it looks like a windows pop up, like when you cant open a program bc you have no memory left... and also there was a little sheild at the bottom by the time and date... saying my computer might be infected?!? and when i clicked on it *before i cleaned it just now* it said i should remove my spyware... :sad:

Logfile of HijackThis v1.99.1
Scan saved at 6:12:40 AM, on 2/27/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\MOTIVE\MOTMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMKEYBD.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\PROGRAM FILES\REAL\REALPLAYER\REALPLAY.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\KEYBDMGR.EXE
C:\WINDOWS\SYSTEM\LEXBCES.EXE
C:\PROGRAM FILES\NETROPA\ONSCREEN DISPLAY\OSD.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMUSBKB2.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\AIM\AIM95_C3\AIM.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\HJT\HIJACKTHIS.EXE
C:\HOSTER[1]\HOSTER\HOSTER.EXE
C:\WINDOWS\WINMI.EXE
C:\WINDOWS\SYSTEM\WINLJ32.EXE
C:\WINDOWS\SYSTEM\WINLJ32.EXE
C:\WINDOWS\SYSTEM\APIWE.EXE
C:\WINDOWS\SYSTEM\WINLJ32.EXE

R3 - Default URLSearchHook is missing
O2 - BHO: Class - {A9593486-C5F0-338D-36D5-AEC2E367709D} - C:\WINDOWS\NETJT32.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [LexmarkPrinTray] PrinTray.exe
O4 - HKLM\..\Run: [MotiveMonitor] C:\Program Files\Motive\motmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Keyboard Manager] C:\Program Files\Netropa\One-touch Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [LWBKEYBOARD] C:\Program Files\MultiMedia Keyboard\MultiMedia Keyboard\1.1\KbdAp32A.exe
O4 - HKLM\..\Run: [FLMOFFICE4DMOUSE] C:\Program Files\Browser MOUSE\mouse32a.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [APIWE.EXE] C:\WINDOWS\SYSTEM\APIWE.EXE
O4 - HKLM\..\RunOnce: [InstMsi0] C:\WINDOWS\SYSTEM\msiexec.exe /regserver
O4 - HKLM\..\RunOnce: [InstMsi1] rundll32.exe C:\WINDOWS\SYSTEM\advpack.dll,DelNodeRunDLL32 "C:\WINDOWS\Installer\InstMsi0"
O8 - Extra context menu item: &AOL Toolbar search - res://C:\PROGRAM FILES\AOL TOOLBAR\TOOLBAR.DLL/SEARCH.HTML
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM\AIM95_C3\AIM.EXE
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O14 - IERESET.INF: START_PAGE_URL=http://hp.my.yahoo.com
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {9FC5238F-12C4-454F-B1B5-74599A21DE47} (Webshots Photo Uploader) - http://community.webshots.com/html/WSPhotoUploader.CAB
O16 - DPF: {EB623776-492A-42CA-9571-3AA39F58530B} - http://www.alwaysupdatednews.com/install/aun_0011.exe

fitchfrog19 0 Junior Poster in Training · Answer 4 · 2005-02-27T17:19:32+00:00

also... i just checked, by typing something in the address bar and pressing enter, and it is still adding that 20% thing like i said before and saying page can not be displayed?

fitchfrog19 0 Junior Poster in Training · Answer 5 · 2005-02-27T17:22:03+00:00

the pop up i keep getting says its from WINDOWS SECURITY CENTER... and it says "warning: windows firewall detected suspicious network activity on your computer. malicious software codes try to steal your privacy information such as credit card numbers electronic mail accounts financial data and passwords. do you want to protect your computer? yes or no

i just got the pop up again...

fitchfrog19 0 Junior Poster in Training · Answer 6 · 2005-02-28T01:16:09+00:00

i did the buster scan and saved it as text.log... i searched for those 2 things and only the second one was still there so i deleted it... im doing the house call and so far there is 2 non cleanable trojan viruses....

fitchfrog19 0 Junior Poster in Training · Answer 7 · 2005-02-28T01:18:29+00:00

oops, i forgot to say that when i went to open the buster log, its all blocks and symbols???

here is my hijack log

Logfile of HijackThis v1.99.1
Scan saved at 2:18:42 PM, on 2/27/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\MOTIVE\MOTMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMKEYBD.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\WINDOWS\WINMI.EXE
C:\WINDOWS\SYSTEM\LEXBCES.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\KEYBDMGR.EXE
C:\PROGRAM FILES\REAL\REALPLAYER\REALPLAY.EXE
C:\PROGRAM FILES\NETROPA\ONSCREEN DISPLAY\OSD.EXE
C:\WINDOWS\SYSTEM\IPHL32.EXE
C:\WINDOWS\SYSTEM\IPHL32.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMUSBKB2.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\HJT\HIJACKTHIS.EXE
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {0E2C242A-3E9F-3365-C3C3-1ED04E3BC9F9} - C:\WINDOWS\SYSTEM\IPLE32.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [LexmarkPrinTray] PrinTray.exe
O4 - HKLM\..\Run: [MotiveMonitor] C:\Program Files\Motive\motmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Keyboard Manager] C:\Program Files\Netropa\One-touch Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [LWBKEYBOARD] C:\Program Files\MultiMedia Keyboard\MultiMedia Keyboard\1.1\KbdAp32A.exe
O4 - HKLM\..\Run: [FLMOFFICE4DMOUSE] C:\Program Files\Browser MOUSE\mouse32a.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\Run: [WINMI.EXE] C:\WINDOWS\WINMI.EXE
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [IPHL32.EXE] C:\WINDOWS\SYSTEM\IPHL32.EXE
O8 - Extra context menu item: &AOL Toolbar search - res://C:\PROGRAM FILES\AOL TOOLBAR\TOOLBAR.DLL/SEARCH.HTML
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM\AIM95_C3\AIM.EXE
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O14 - IERESET.INF: START_PAGE_URL=http://hp.my.yahoo.com
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {9FC5238F-12C4-454F-B1B5-74599A21DE47} (Webshots Photo Uploader) - http://community.webshots.com/html/WSPhotoUploader.CAB
O16 - DPF: {EB623776-492A-42CA-9571-3AA39F58530B} - http://www.alwaysupdatednews.com/install/aun_0011.exe

fitchfrog19 0 Junior Poster in Training · Answer 8 · 2005-02-28T02:04:59+00:00

i got the log for buster to work ( i went into safe and did it again..)

-- Scan 1 ---------------------------
About:Buster Version 4.0
Reference List : 23

ADS not scanned System(FAT)
Attempted Clean Of Temp folder.
Removed Uninstall Key (HSA)
Removed Uninstall Key (SE)
Removed Uninstall Key (SW)
Pages Reset... Done!
-- Scan 2 ---------------------------
About:Buster Version 4.0
Reference List : 23

ADS not scanned System(FAT)
Attempted Clean Of Temp folder.
Pages Reset... Done!

should i do a hijack again too now?

fitchfrog19 0 Junior Poster in Training · Answer 9 · 2005-02-28T02:10:02+00:00

also, each time i restart... the little shield with an x in it is at the bottom next to the time... and the bubble pops out of it saying... your virus protection is at risk and there is spyware tracking everything

fitchfrog19 0 Junior Poster in Training · Answer 10 · 2005-02-28T11:33:04+00:00

fitchfrog19 0 Junior Poster in Training

19 Years Ago

im also getting the windows security pop up again

fitchfrog19 0 Junior Poster in Training · Answer 11 · 2005-02-28T12:08:15+00:00

also... now google is my homepage? i didnt do that it just happened... and the searching from the address bar is still adding the 20% thing to whatever i type and going to page not being able to be displayed...

crunchie 990 Most Valuable Poster Team Colleague Featured Poster · Answer 12 · 2005-02-28T16:27:26+00:00

Run Hijackthis and go to the process viewer by going to Config, Misc Tools, Process Viewer, to unload all instances of the following running processes;
WINMI.EXE
IPHL32.EXE

Scan with hijackthis and tick the boxes next to all the following entries, then close all browser and explorer windows, and hit the "Fix checked" button.

R3 - Default URLSearchHook is missing

O2 - BHO: Class - {0E2C242A-3E9F-3365-C3C3-1ED04E3BC9F9} - C:\WINDOWS\SYSTEM\IPLE32.DLL

O4 - HKLM\..\Run: [WINMI.EXE] C:\WINDOWS\WINMI.EXE
O4 - HKLM\..\RunServices: [IPHL32.EXE] C:\WINDOWS\SYSTEM\IPHL32.EXE

O16 - DPF: {EB623776-492A-42CA-9571-3AA39F58530B} - http://www.alwaysupdatednews.com/install/aun_0011.exe
-Trojan-Downloader.Win32.Small.akz

Reboot into safe mode following the instructions here and navigate to and delete the following if found:

C:\WINDOWS\SYSTEM\IPLE32.DLL----file
C:\WINDOWS\WINMI.EXE----file

In order to view these files you may have to select 'show hidden files/folders.' Instructions on how to here.

Reboot normally after doing the above, rescan with hijackthis, then post that log here please.

fitchfrog19 0 Junior Poster in Training · Answer 13 · 2005-02-28T23:55:10+00:00

how do i unload all instances?

there is a 'kill process' 'refresh' and 'run' buttons

fitchfrog19 0 Junior Poster in Training · Answer 14 · 2005-03-01T00:01:01+00:00

also... about that part... there is a c:\windows\winmi.exe and a c:\windows\system\wmiexe.exe

should i "unload all instances" to both of those & the iphl32.exe?

crunchie 990 Most Valuable Poster Team Colleague Featured Poster · Answer 15 · 2005-03-01T03:07:30+00:00

crunchie 990 Most Valuable Poster

19 Years Ago

Just kill the processes of the files I indicated :).

Danniboy 0 Junior Poster · Answer 16 · 2005-03-01T03:47:49+00:00

save.exe is installed with bearshare but none the less it is NOT important to bearshare running correctly so once uve done a scan with your adware programe delete it and dont worry about it. and i would suggest strongly that u use a firewall (zone alarm?) and you use instead of IE, Mozilla firefox to be sure of your online privacy and security :)

fitchfrog19 0 Junior Poster in Training · Answer 17 · 2005-03-01T07:41:02+00:00

Logfile of HijackThis v1.99.1
Scan saved at 8:39:31 PM, on 2/28/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\MOTIVE\MOTMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMKEYBD.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\LEXBCES.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\KEYBDMGR.EXE
C:\PROGRAM FILES\NETROPA\ONSCREEN DISPLAY\OSD.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMUSBKB2.EXE
C:\PROGRAM FILES\REAL\REALPLAYER\REALPLAY.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\HJT\HIJACKTHIS.EXE

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [LexmarkPrinTray] PrinTray.exe
O4 - HKLM\..\Run: [MotiveMonitor] C:\Program Files\Motive\motmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Keyboard Manager] C:\Program Files\Netropa\One-touch Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [LWBKEYBOARD] C:\Program Files\MultiMedia Keyboard\MultiMedia Keyboard\1.1\KbdAp32A.exe
O4 - HKLM\..\Run: [FLMOFFICE4DMOUSE] C:\Program Files\Browser MOUSE\mouse32a.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\PROGRAM FILES\AOL TOOLBAR\TOOLBAR.DLL/SEARCH.HTML
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM\AIM95_C4\AIM.EXE (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O14 - IERESET.INF: START_PAGE_URL=http://hp.my.yahoo.com
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {9FC5238F-12C4-454F-B1B5-74599A21DE47} (Webshots Photo Uploader) - http://community.webshots.com/html/WSPhotoUploader.CAB

i dont really know how to read this stuff like you but i think that winmi exe thing is still in there??? is it still infected/broken?!

fitchfrog19 0 Junior Poster in Training · Answer 18 · 2005-03-01T08:15:57+00:00

my search is working fine now!!! but is the winexe thing mean something didnt fix?

fitchfrog19 0 Junior Poster in Training · Answer 19 · 2005-03-01T08:33:57+00:00

oh yeah... i have no idea what that radio thing is either?! can i delete it?

fitchfrog19 0 Junior Poster in Training · Answer 20 · 2005-03-01T08:34:36+00:00

and i saw that winmiexe thing in the log, but its not on the hijack this to delete it... so i dunno if its really there or not

fitchfrog19 0 Junior Poster in Training · Answer 21 · 2005-03-01T08:36:08+00:00

fitchfrog19 0 Junior Poster in Training

19 Years Ago

i dont know what that real.com thing is either...

crunchie 990 Most Valuable Poster Team Colleague Featured Poster · Answer 22 · 2005-03-01T15:39:38+00:00

Try just editing your post or you will end up with the highest post count on DaniWeb :D.
That is a clean log :D.

fitchfrog19 0 Junior Poster in Training · Answer 23 · 2005-03-01T18:40:21+00:00

thanks! and sorry! so i dont need to delete anything else?

crunchie 990 Most Valuable Poster Team Colleague Featured Poster · Answer 24 · 2005-03-01T19:17:32+00:00

i have no idea what that radio thing is either?! can i delete it?

You can, but I wouldn't. It is a legitimate entry :).

i dont know what that real.com thing is either

It's associated with Real Player.

so i dont need to delete anything else?

No.

virus again???

Recommended Answers Collapse Answers

All 35 Replies

Recommended Answers