
A few days ago I realized I had a trojan virus, so I've been doing a lot of reading and getting some help to get rid of them. I've used all sorts of programs and it seems like they are gone, but I would like someone to look over my Hijack This log just to make sure. Ok, so here is where I am at. I cleared my restore points by disabling system restore as was suggested. Then I ran housecall. I ran housecall a while ago and it wouldn't delete the viruses, but this time it did. Must have had something to do with disabling system restore?? Not sure. I ran housecall the first time and it came up with these:
TROJ_SE.100702
ADW_SE.12176
TROJ_SE.40717
DIAL_SE.122968
DIAL_SE.122969
It successfully deleted these files, and then prompted me to run the test again. So I did and it came up clean. Next, I ran spybot again. Came up clean. Then I ran Ad-aware per the suggested settings. Came up clean. I cleaned up all of my temp folders, and then restarted the computer. Then, I ran AVG again. This time, AVG came up clean. No trojan. So it looks like housecall did the trick. But I ran Hijack This again and came up with a log, so I will post that here. So everything looks clean to me, but would you look over the log for me and make sure that it looks good? My computer is also pretty sluggish, so maybe you could suggest a few ways that I could speed it up? Something about those O4 files right? Anyways, at the bottom after the log I might ask you a couple related questions if that is alright. So here is the Hijack This log:

Logfile of HijackThis v1.99.1
Scan saved at 8:25:25 PM, on 5/25/2006
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Unable to get Internet Explorer version!

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\STARTER.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\WORKS SHARED\WKCALREM.EXE
C:\PROGRAM FILES\HIJACKTHIS\HIJACKTHIS.EXE

F1 - win.ini: run=hpfsched
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_5_7_0.DLL (file missing)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_5_7_0.DLL (file missing)
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [EnsoniqMixer] C:\WINDOWS\starter.exe
O4 - HKLM\..\Run: [InkWatch] C:\PROGRA~1\GATEWAY\GATEWA~1\InkWatch.exe
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [ Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [ Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [gaqtkj] C:\WINDOWS\SYSTEM\wyzgfy.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\RunServices: [MessengerPlus2] "C:\Program Files\Messenger Plus! 2\MsgPlus.exe"
O4 - Startup: MICROSOFT WORKS CALENDAR REMINDERS.LNK = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
O4 - Startup: MICROSOFT OFFICE.LNK = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: EXIF LAUNCHER.LNK = C:\Program Files\FinePixViewer\QuickDCF.exe
O8 - Extra context menu item: &Define - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O8 - Extra context menu item: Look Up in &Encyclopedia - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra 'Tools' menuitem: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra 'Tools' menuitem: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YPAGER.EXE (file missing)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YPAGER.EXE (file missing)
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll


So here are the couple of questions I had: Did it come up clean? In order for housecall to work, do I need to disable system restore every time? Do I turn system restore back on now, or is there anything special I need to do there? Was there anything I can do to speed it up? I really have no experience with it, but should I get a firewall? Anything else I can do to keep my computer clean? Anyways... hey, I really appreciate your help. This stuff is just a bit confusing when you try and do it yourself. So thanks again, and I appreciate any answers you can give me to those questions.

DR

Last Post by DMR

Did it come up clean?

Not quite. The following HJT log entry is indicative of an infection:
O4 - HKLM\..\Run: [gaqtkj] C:\WINDOWS\SYSTEM\wyzgfy.exe
Also, the MessengerPlus2 program came/comes bundled with the Lop parasite. Uninstall MessengerPlus2 through your Add/Remove Programs control panel.

In order for housecall to work, do I need to disable system restore every time? Do I turn system restore back on now..

You don't need to disable System Restore in order for HouseCall to work. Have a read of this short article for more info on the matter of System Restore as it relates to malware removal.

Was there anything I can do to speed it up?

If you mean speed up the computer in general, you do have a handful of non-critical programs running at startup, and disabling them may speed things up a bit and free up some system resources. However, you may want/use the functionality of some of these programs, so the choice of disabling them is really up to you (note that it's usually better to disable the autostart feature of these programs using their preferences/options settings rather than by removing their entries with HijackThis):

TaskMonitor
PCHealth
LoadPowerProfile
EnsoniqMixer
InkWatch
WorksFUD
Microsoft Works Portfolio
Microsoft Works Update Detection
LoadQM
SchedulingAgent
SSDPSRV
StillImageMonitor
MICROSOFT WORKS CALENDAR REMINDERS.LNK
MICROSOFT OFFICE.LNK
EXIF LAUNCHER.LNK

I really have no experience with it, but should I get a firewall? Anything else I can do to keep my computer clean?

Actually, for a number of reasons, what you should do is upgrade to the latest version of Windows XP.
* ME is an "End of Life" product, meaning that Microsoft no longer supports it.
* Many of the anti-malware programs freely available from Microsoft and other software companies simply will not run on ME. For example, Microsoft's "Defender" antispyware utility, Windows Firewall, and Ewido Security Suite are a few of the programs that we usually use and recommend, but they will not run on Win 95/98/ME. Even HijackThis doesn't give as much system/infection information when run on an ME system as it does when run on a Win 2K or XP system.
* With Windows XP, Microsoft has addressed many of the bugs and security "loopholes" which exist in earlier versions of Windows.

All of that said, here are a few things you can do for your current infection(s):

You will need to close/quit all web browser programs and disconnect from the Internet for much of the following, so you should print out these instructions or save them into a text file with Notepad.

* Download and install the free Cleanup! utility. Don't actually run the program yet, though.

* Open Ad Aware, SpyBot, and AVG, and install the most current updates for those programs. Again, don't run scans yet; just close the programs once they've updated.

* Close all open programs, especially Internet Explorer.

* Run a scan with HJT, put a check mark in the box to the left of the following entries, and then click the "Fix checked" button.
Close HJT after the fixes have completed:
O4 - HKLM\..\Run: [gaqtkj] C:\WINDOWS\SYSTEM\wyzgfy.exe
O4 - HKLM\..\RunServices: [MessengerPlus2] "C:\Program Files\Messenger Plus! 2\MsgPlus.exe"


* Reboot into safe mode (you get to the safe mode boot option by hitting the F8 key as your computer is starting up) and:

* Run Cleanup!. It may take a while for the program to perform its cleaning, so be patient. Close the program when it has finished.

* Run full system scans with your antivirus program, SpyBot, and Ad Aware; have the programs fix all malicious items they find.

* Open Windows Explorer, and in the View->Folder Options menu, click the View tab, scroll down to the "Show all files" option, select that option, and then click OK.

* In Windows Explorer, search for the following file and delete it if it still exists:
C:\WINDOWS\SYSTEM\wyzgfy.exe

* If the following folder still exists, delete it entirely:
C:\Program Files\Messenger Plus! 2

* Empty your Recycle Bin, reboot normally, run HijackThis again, and post the new log.
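The entry DMR singles out above is the classic "random label, random file name, dropped straight into the Windows system folder" pattern. The script below is an added example (not part of this thread or of HijackThis itself) that parses O4 lines from a HijackThis v1.99 log and flags entries matching that pattern. The sample log inside it is constructed from the O4 lines posted above; the "random-looking name" test (all letters, 5 to 8 characters, no vowels or a run of four or more consonants), the system-folder paths, and the rule that both the registry label and the file name must look random before an entry is flagged are my own heuristic choices, meant for triage rather than as a verdict.

```python
"""Triage HijackThis O4 (autostart) entries for the 'random name in the
system folder' pattern.  Added example, not part of the original thread.
The heuristic is a triage aid, not a verdict: confirm hits by other means."""
import re

# Constructed sample in HijackThis v1.99 O4 format, copied from the log posted above.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [gaqtkj] C:\WINDOWS\SYSTEM\wyzgfy.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\RunServices: [MessengerPlus2] "C:\Program Files\Messenger Plus! 2\MsgPlus.exe"
O4 - Startup: EXIF LAUNCHER.LNK = C:\Program Files\FinePixViewer\QuickDCF.exe
""".strip()

# Registry-backed O4 line:  O4 - HKLM\..\Run: [label] command
REG_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<label>[^\]]*)\] (?P<cmd>.*)$")
# Startup-folder O4 line:   O4 - Startup: NAME.LNK = command
STARTUP_RE = re.compile(r"^O4 - Startup: (?P<label>.+?) = (?P<cmd>.*)$")
VOWELS = set("aeiou")
# Assumed system folders: Win9x/ME uses SYSTEM, NT-family systems use System32.
SYSTEM_DIRS = ("c:\\windows\\system\\", "c:\\windows\\system32\\")


def exe_path(cmd: str) -> str:
    """Pull the program path out of an autostart command line: quoted, or
    unquoted (possibly containing spaces) with optional trailing arguments."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.match(r"(.+?\.exe)(?:\s|$)", cmd, re.IGNORECASE)
    if m:
        return m.group(1)
    return cmd.split()[0] if cmd else ""


def exe_stem(path: str) -> str:
    """'C:\\WINDOWS\\SYSTEM\\wyzgfy.exe' -> 'wyzgfy'."""
    return path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]


def looks_random(token: str) -> bool:
    """Heuristic for machine-generated names such as 'gaqtkj' or 'wyzgfy':
    a short all-letter token with no vowels or a run of 4+ consonants.
    Legitimate names trip it occasionally (e.g. 'avgcc'), which is why the
    caller requires BOTH the registry label and the file name to look random."""
    t = token.lower()
    if not (t.isalpha() and 5 <= len(t) <= 8):
        return False
    run = longest = 0
    for ch in t:
        run = 0 if ch in VOWELS else run + 1
        longest = max(longest, run)
    return longest >= 4 or not (set(t) & VOWELS)


def parse_o4(log_text: str) -> list:
    """Parse O4 lines (Run/RunServices registry keys and Startup-folder links)."""
    entries = []
    for line in log_text.splitlines():
        m = REG_RE.match(line)
        if m:
            location = f"{m['hive']}\\..\\{m['key']}"
        else:
            m = STARTUP_RE.match(line)
            location = "Startup"
        if not m:
            continue
        entries.append({"location": location, "label": m["label"].strip(),
                        "path": exe_path(m["cmd"]), "line": line})
    return entries


def triage(log_text: str) -> list:
    """Return (entry, reasons) pairs for O4 entries that match the pattern."""
    flagged = []
    for entry in parse_o4(log_text):
        reasons = []
        if looks_random(entry["label"]) and looks_random(exe_stem(entry["path"])):
            reasons.append("random-looking registry label and file name")
            if entry["path"].lower().startswith(SYSTEM_DIRS):
                reasons.append("executable dropped straight into the Windows system folder")
        if reasons:
            flagged.append((entry, reasons))
    return flagged


if __name__ == "__main__":
    for entry, reasons in triage(SAMPLE_LOG):
        print(entry["line"])
        for reason in reasons:
            print("   ->", reason)
```

Run against the sample, only the [gaqtkj] / wyzgfy.exe line is reported, with both reasons. The MessengerPlus2 entry is deliberately not caught: its label is a readable product name, and the reason DMR gives for removing it (bundling with Lop) is knowledge about the product, not something a name heuristic can see. Treat a hit as a prompt to look the file up, not as proof.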

