Logfile from hijackthis

Question

sauronflorik 0 Newbie Poster

18 Years Ago

some days ago i have been hijacked by some trojan...
my ie got a new toolbar (i could remove).
but sometimes i am redirected to some links like abcsearch.com

please help.

thanks,

sauronflorik

here my logfile:
ogfile of HijackThis v1.99.1
Scan saved at 18:55:42, on 28.11.2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\TRAYICON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAMME\CREATIVE\SHAREDLL\CTNOTIFY.EXE
D:\PROGRAMME\AVPERSONAL\AVGCTRL.EXE
D:\PROGRAMME\WINTV\IR.EXE
D:\PROGRAMME\SIEMENS\GIGASET WLAN ADAPTER 54\WLANMONITOR2003.EXE
C:\PROGRAMME\CREATIVE\SHAREDLL\MEDIADET.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAMME\OUTLOOK EXPRESS\MSIMN.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\PROGRAMME\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
D:\PROGRAMME\TROJANCHECK\HIJACKTHIS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = h**p://www.google.de/
O4 - HKLM\..\Run: [DisplayTrayIcon] C:\WINDOWS\System\TrayIcon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Disc Detector] C:\Programme\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [AVGCtrl] D:\PROGRAMME\AVPERSONAL\AVGCTRL.EXE /min
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - Startup: Microsoft Office.lnk = D:\Programme\Microsoft Office\Office\OSA9.EXE
O4 - Startup: AutoStart IR.lnk = D:\Programme\WinTV\ir.exe
O4 - Startup: NkvMon.exe.lnk = D:\Programme\Nikon\NkView6\NkvMon.exe
O4 - Startup: Gigaset WLAN Adapter Monitor.lnk = D:\Programme\Siemens\Gigaset WLAN Adapter 54\WLANMonitor2003.exe
O8 - Extra context menu item: Open Frame in &New Window - C:\WINDOWS\WEB\frm2new.htm
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O12 - Plugin for .mpeg: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin3.dll

windows-virus

5 Contributors
12 Replies
438 Views
5 Months Discussion Span
Latest Post 18 Years Ago Latest Post by DMR

Paddy 6 Posting Whiz in Training

18 Years Ago

You appear to be infected with the "Alexa" malware. This is indicated by the entry: C:\WINDOWS\web\related.htm

Running SpyBot - Search and Destroy will rid you of this annoyance. Besides that, there doesn't seem to be any other problem(s) as far as your HijackThis! log is concerned :D

Paddy 6 Posting Whiz in Training

18 Years Ago

Hmm, well I can't see anything else in the log that would indicate what the problem is, and the fact that you've already run those anti-spyware programs has left me even more stumped lol.

The only other possibility I can think of is that you've installed a program which comes bundled with "legitimate" spyware/adware/malware. Some companies let you use their software for free, providing that you agree to install their spyware. This would also explain why your anti-spyware programs didn't fix the problem - those programs don't remove the bundled, "legitimate" spyware because they know that removing it will corrupt the program that the spyware came bundled with.

If you can come back with a list of programs that are currently installed it might help to shed some light on the subject. Off the top of my head, the following programs come bundled with spyware:

DivX Codec - I've seen the Gator spyware included in this package in the past.
Messenger Plus! - An add-on for MSN Messenger. It comes with an optional sponsor program (i.e. spyware) that you can opt out of during the installation.

Some P2P/filesharing programs like eDonkey, Usenet, etc. have sponsor programs bundled with them, too.

If you can get us a list of programs to check out, or if you want to google each one yourself and see what is said about them, it would eliminate the possibility if nothing else :D

DMR 152 Wombat At Large

18 Years Ago

I'd suggest installing the free SpywareBlaster utility; it blocks known "bad" addresses/domains, including abcsearch. A short tutorial on installing and updating SpywareBlaster can be found here.

Also- you should try running AdAware and SpyBot in Safe Mode if you haven't already; they might be able to find/fix more "nasties" that way:

- Before booting into Safe Mode, open SpyBot and AdAware and use each program's online update feature to make sure that you have the absolutely most current spyware definition databases installed. Do not run scans yet, just close each program when it finishes installing its updates.

- Reboot into Safe Mode (you get to the safe mode boot option by hitting the F8 key as your computer is starting up).

- Run both utilities (the order doesn't matter) and have each program fix everything it finds.

- Reboot normally.

Paddy commented: Very insightful! I learnt a thing or two ;) +2

Reply to this topic

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.

sauronflorik 0 Newbie Poster · Answer 1 · 2005-11-29T03:12:58+00:00

hey paddy,

thanks for helping.

i forgot to mention that i have already used spybot, ad-aware, antivir and bitdefender but it didn´t work out...

ok, i deleted the C:\WINDOWS\web\related.htm-file but i have still problems.

what else can i do?

You appear to be infected with the "Alexa" malware. This is indicated by the entry: C:\WINDOWS\web\related.htm
Running SpyBot - Search and Destroy will rid you of this annoyance. Besides that, there doesn't seem to be any other problem(s) as far as your HijackThis! log is concerned :D

sauronflorik 0 Newbie Poster · Answer 2 · 2005-11-30T01:00:26+00:00

ok, i run sbsd and ad-aware in windows safe modus.
it found some nastie spyware (alexa...).

i hope i kicked it!

i also downloaded spyblaster and have now 3 anti-spy progs.

@paddy: you were right with alexa...

@DMR:thanks for help

hope my system is clean now.
i will see in some days...

I'd suggest installing the free SpywareBlaster utility; it blocks known "bad" addresses/domains, including abcsearch. A short tutorial on installing and updating SpywareBlaster can be found here.
Also- you should try running AdAware and SpyBot in Safe Mode if you haven't already; they might be able to find/fix more "nasties" that way:
- Before booting into Safe Mode, open SpywareBlaster and AdAware and use each program's online update feature to make sure that you have the absolutely most current spyware definition databases installed. Do not run scans yet, just close each program when it finishes installing its updates.
- Reboot into Safe Mode (you get to the safe mode boot option by hitting the F8 key as your computer is starting up).
- Run both utilities (the order doesn't matter) and have each program fix everything it finds.
- Reboot normally.

Paddy 6 Posting Whiz in Training · Answer 3 · 2005-11-30T01:37:27+00:00

Glad to be of assistance!

DMR: It never even occurred to me to run anti-spyware scans in SafeMode! Learn something new every day ;) Cheers mate! hehe

DMR 152 Wombat At Large Team Colleague · Answer 4 · 2005-12-01T07:42:48+00:00

You're welcome, sauronflorik; glad we could help :)

Paddy,

You might know the reasoning behind Safe Mode scans already, but I'll post the basic info just for reference:

When Windows is running in its normal start-up mode, spyware and virus removal programs can have difficulty removing some malicious infections due to the fact that components of the infections have already loaded themselves at Windows start-up, and are active at the time the removal programs try to delete them. While the removal programs can terminate many of the active nasties, others present more of a problem.

One reason for this is that many infections install multiple files which act as guardians for one another; monitoring each other's "health". When one of the files gets shut down by a removal utility, another guardian file senses this, and restarts (and in some cases actually recreates) the file that was killed. Additionally, infections can use hidden .dll files which are activated at boot-up by obscure registry entries, and these dlls can be quite difficult to detect and deactivate.

In Safe Mode however, Windows loads only a bare minimum of services, drivers, and processes; it ignores most normal startup items, and it does not process the entire registry. This means that many of the "autostart" techniques used by infections are also ignored, making the infections essentially dormant in Safe Mode. The fact that the infections are inactive makes it much easier for removal programs to thoroughly remove them from your system.

sauronflorik 0 Newbie Poster · Answer 5 · 2005-12-01T23:22:56+00:00

ok, i still have a prob :evil: .
sometimes i got redirected from google searching.
the first adress is: 'http://85.255.113.26/' then it apears another page...

what else to do?

megaman99 0 Newbie Poster · Answer 6 · 2006-05-17T14:51:52+00:00

I have the same problem. Please let me know if you fix it?

/j

ok, i still have a prob :evil: .
sometimes i got redirected from google searching.
the first adress is: 'http://85.255.113.26/' then it apears another page...
what else to do?

tayspen 28 <Insert title here> Team Colleague · Answer 7 · 2006-05-18T02:02:39+00:00

Hi megaman99

First of all- welcome to DaniWeb :)

We ask that members not tag their questions on to a thread previously started by another member (regardless of how similar your problem might seem). Not only does it divert the focus of the thread away from the original poster's problem, but it also makes it less likely that you yourself will get the individual attention that you need.

Please start your own thread and post your questions and HJT log in that thread.

For a full description of our posting guidelines and general rules of conduct, please see this page:

http://www.daniweb.com/techtalkforums/faq.php?faq=daniweb_policies

Thanks for understanding.

DMR 152 Wombat At Large Team Colleague · Answer 8 · 2006-05-18T02:51:56+00:00

ok, i still have a prob :evil: .
sometimes i got redirected from google searching.
the first adress is: 'http://85.255.113.26/' then it apears another page...

You've got a variant of the SpywareQuake scumware; the entire range of IP address range of 85.255.112.0 - 85.255.127.255 is owned by the fine folks who distribute the infections.

Please give us a fresh HJT log (it's been a while since your last post) and we'll take it from there.

DMR 152 Wombat At Large Team Colleague · Answer 9 · 2006-05-18T02:53:36+00:00

megaman99,
tayspen is correct; you need to start your own thread in this forum and post your log in that threead. We will help you out from there.