0

I keep getting redirected while on Firefox. First the browser goes to yyy65.html, then it shows a random ad. Im sick and tired of it. Im usually fine with handleing viruses and malware. This seems to be beating me.

[IMG]http://img502.imageshack.us/img502/4251/yyy4dc.jpg[/IMG]
[IMG]http://img502.imageshack.us/img502/4792/winpro0lu.jpg[/IMG]

Here is my HijackThis log:
Logfile of HijackThis v1.99.1
Scan saved at 3:38:01 PM, on 12/8/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\STARTER.EXE
C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\SPYBOT - SEARCH & DESTROY\TEATIMER.EXE
C:\PROGRAM FILES\KASPERSKY LAB\KASPERSKY ANTI-VIRUS PERSONAL\KAV.EXE
C:\PROGRAM FILES\KASPERSKY LAB\KASPERSKY ANTI-VIRUS PERSONAL\KAVSVC.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\PROGRAM FILES\MSN\MSNCOREFILES\MSN.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\PROGRAM FILES\ACCESSORIES\MSPAINT.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SpybotSnD] "C:\PROGRAM FILES\SPYBOT - SEARCH & DESTROY\SPYBOTSD.EXE" /autofix /autoclose
O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - HKCU\..\Run: [msnmsgr] "C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE" /background
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM\AIM.EXE
O9 - Extra button: My IP Suite - {FB5F1910-F110-11d2-BB9E-80C04F795683} - C:\Program Files\My IP Suite\MyIPSuite.exe
O9 - Extra 'Tools' menuitem: My IP Suite - {FB5F1910-F110-11d2-BB9E-80C04F795683} - C:\Program Files\My IP Suite\MyIPSuite.exe
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe

Please help me fix this problem. I've tried everything I could think of. Im not a newbie, so you can be short with your explainations of whats going on. Thanks a lot guys.


Also: Some of these pop ups have been putting executables(.exe) on my desktop and in my C:\Windows folder.

2
Contributors
4
Replies
5
Views
11 Years
Discussion Span
Last Post by DMR
0

1. Are you sure you posted the entire contents of the HijackThis log file? It looks light on content, even for a Win 98 system.
Also- the log shows no signs of infections, but for the particular infection you have, a HJT log may not give us many clues on a Win 98 system.

Please do the following, and we'll go from there:

At the moment, you have HJT running directly from your desktop, which is not advised; the program should be put in its own separate folder. Create a folder for HJT outside of any Temp/Temporary folders and move HijackThis to that folder now. A folder such such as C:\HijackThis or C:\Spyware Tools\HijackThis will do.

Scan with HijackThis. Once the scan is complete, the "Scan" button will turn into an option to "Save log...". Save the log in the folder you created for HijackThis; the saved file will be named "hijackthis.log". Open the log file with Windows Notepad, and cut-n-paste the entire contents of the Notepad file here.

0

Logfile of HijackThis v1.99.1
Scan saved at 8:09:21 AM, on 12/10/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\STARTER.EXE
C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
C:\PROGRAM FILES\AIM\AIM.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\MOZILLA FIREFOX\FIREFOX.EXE
C:\HJT\HIJACKTHIS.EXE

O4 - HKLM\..\Run: [SpybotSnD] "C:\PROGRAM FILES\SPYBOT - SEARCH & DESTROY\SPYBOTSD.EXE" /autofix /autoclose
O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE" /background
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM\AIM.EXE
O9 - Extra button: My IP Suite - {FB5F1910-F110-11d2-BB9E-80C04F795683} - C:\Program Files\My IP Suite\MyIPSuite.exe
O9 - Extra 'Tools' menuitem: My IP Suite - {FB5F1910-F110-11d2-BB9E-80C04F795683} - C:\Program Files\My IP Suite\MyIPSuite.exe
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe

Thats all I got.

0

Anyone know how to help me? I don't know if this is a common problem.

0

The infection you have (a Look2Me/VX2 variant) isn't uncommon, but:

A) Due to differences in the underlying structures of Win 98 and Win 2000/XP, HijackThis doesn't give us many (if any) clues as to the exact names/locations of the infected files when used on a Win 98 system. This makes it harder to prescribe an exact fix.

B) The tools that we would normally use to detect and remove current versions of L2M/VX2 infections only work on Win 2000/XP systems.

Download, install, and run the trial version of Webroot's Spy Sweeper; it is compatible with Win 98, and others have had success using it to removing certain versions of the L2M infection.

Please read the Help documentation that gets installed with the program, as it has easy-to-follow instructions for configuring and running the program. You'll want to run as thorough a scan as possible, and post the Sweep Results here if you can.

This topic has been dead for over six months. Start a new discussion instead.
Have something to contribute to this discussion? Please be thoughtful, detailed and courteous, and be sure to adhere to our posting rules.