aww crap
Lord Refa
Creepy, but in a good way
in Zocalo v2.0
Houston, I believe we've been hit by a virus.
Or something annoying and pesky and troublesome like a Russian termite in heat.
For starters, it keeps putting this as my Exploder homepage:
(DON'T CLICK IT! YES? NO!)
hkkp://web.stpfrzyadfffhd.com/e_Ll5tGI_I_QdAbJfvA4rsJktW8y4MDWgkoBcN0OUWQ.html
(edited so there's no chance of clicking it)
Don't suggest going there.
Then it fills the swap file on drive C:
Or something does..
Instead of 1.5 GB of free space, I now have 6.5 MB of free space there...
Ad-aware 6 or AntiVir don't find anything...
Aah.. yes.. then it also adds some extra crap to the Exploder browser. Used Mozilla Firefox instead, which hasn't had those same problems since the first time I opened it and it had them...
Now... I really wouldn't want to reinstall Win98 to fix that thing... Any ideas?
Comments
1 - Be sure you are using Ad-Aware Second Edition.
2 - Ensure that it is updated.
3 - Be sure you are doing a "full system scan", not just a "smart system scan".
Do you have a full-up anti-virus program? ***
If not, try out the free (and fairly good) AVG personal.
[url]http://www.grisoft.com/us/us_index.php[/url]
***I just noticed you said you did - but if you get desperate, AVG might find something a different program will not.
Ad-Aware can fix it if you have the latest defs...
It may take several boots and scans with it for it to clear it.
The problem is some registry entries... Even if you try to change the homepage in Tools/Options, it will end up back there until you get the registry fixed.
;)
Anyway. What's a good firewall to use? I used ZoneAlarm and was happy with it, then the PC went kablooie, and the guy fixing it put in the one I have now..
He didn't do a good job fixing the PC (I had to do it myself eventually), so I don't think the one he likes is much good...
ZoneAlarm is nothing but panicware.
"HOLY SHIT! YOU GOT PINGED BY xxx.xxx.xxx.xxx!!!! RED ALERT!!!!! SHIELDS TO MAXIMUM!!!"
Seriously, it's a bloated piece of garbage.
[url]www.kerio.com[/url] Get the free edition. Just don't turn on the web filters. They do work, but they're a PITA sometimes.
That being said, hit up spywareinfo.com, download HijackThis and post the log it generates.
Win32.TrojanDownloader.Swizzor.br Object Recognized!
Type : Process
Data : REZMMTXT.EXE
Category : Malware
Comment : (CSI MATCH)
Object : C:\WINDOWS\TEMP\
Warning! Win32.TrojanDownloader.Swizzor.br Object found in memory(C:\WINDOWS\TEMP\REZMMTXT.EXE)
"C:\WINDOWS\TEMP\REZMMTXT.EXE"Process terminated successfully
That's the one causing trouble.. Have to edit the registry (I guess) to stop it from coming back again and again...
Ad-Aware just freezes over when trying to delete it.
Anyway.. here's the HijackThis log
Logfile of HijackThis v1.98.2
Scan saved at 8:01:32, on 30.10.2004
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PALOMUURI\SYGATE\SMC.EXE
C:\OHJELMATIEDOSTOT\MESSENGER PLUS! 3\MSGPLUS.EXE
C:\OHJELMATIEDOSTOT\GRISOFT\AVG6\AVGSERV9.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\CY_BG.EXE
C:\OHJELMATIEDOSTOT\CYBERLINK\POWERDVD\PDVDSERV.EXE
C:\OHJELMATIEDOSTOT\AHEAD\INCD\INCD.EXE
C:\OHJELMATIEDOSTOT\GRISOFT\AVG6\AVGCC32.EXE
C:\OHJELMATIEDOSTOT\INTERNET EXPLORER\IEXPLORE.EXE
C:\OHJELMATIEDOSTOT\INTERNET EXPLORER\IEXPLORE.EXE
C:\OHJELMATIEDOSTOT\YAHOO!\MESSENGER\YPAGER.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\OHJELMATIEDOSTOT\MOZILLA FIREFOX\FIREFOX.EXE
C:\OHJELMATIEDOSTOT\LAVASOFT\HIJACKTHIS.EXE
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = [url]http://www.wnksvtijlrgcftsbmcbhi.com/e_Ll5tGI_I9tupsbigLezVP/_UntcIr6ccoLbNBYYUAqrMHuCUjwuUybNST_9Omy.cgi[/url]
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = [url]http://www.wlljxczinjhgpbazlycu.info/e_Ll5tGI_I_QdAbJfvA4ruMr7Sm0YIH2gkoBcN0OUWQ.htm[/url]
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer - toimittaja Elisa Internet
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.fi;
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Linkit
O2 - BHO: (no name) - {6DD9A1D1-C969-701A-083B-55799B947B32} - C:\WINDOWS\APPLICATION DATA\SITELOGOREGS\DATEPOLL.EXE
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [V66SHELL] V66SHELL.EXE
O4 - HKLM\..\Run: [ELSAChipGuard] C:\WINDOWS\ELSAUTIL\elsavect.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\SYSTEM\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Mirabilis ICQ] C:\OHJELM~1\ICQ\ICQNet.exe
O4 - HKLM\..\Run: [CY_BG] C:\WINDOWS\CY_BG.EXE
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\SYSTEM\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [SmcService] C:\PALOMU~1\SYGATE\SMC.EXE -startgui
O4 - HKLM\..\Run: [RemoteControl] C:\Ohjelmatiedostot\CyberLink\PowerDVD\PDVDServ.exe
O4 - HKLM\..\Run: [InCD] C:\Ohjelmatiedostot\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [Vga Blue Fast Admin] C:\WINDOWS\Application Data\moveshowvgablue\option software.exe
O4 - HKLM\..\Run: [AVG_CC] C:\OHJELM~1\GRISOFT\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] C:\WINDOWS\SYSTEM\mstask.exe
O4 - HKLM\..\RunServices: [SmcService] C:\PALOMUURI\SYGATE\SMC.EXE
O4 - HKLM\..\RunServices: [MessengerPlus3] "C:\Ohjelmatiedostot\Messenger Plus! 3\MsgPlus.exe"
O4 - HKLM\..\RunServices: [Avgserv9.exe] C:\OHJELM~1\GRISOFT\AVG6\Avgserv9.exe
O4 - HKCU\..\Run: [Ford bold] C:\WINDOWS\APPLIC~1\OPTION~1\Default multi spam.exe
O4 - Startup: Microsoft Office.lnk = C:\Ohjelmatiedostot\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: Download with GetRight - C:\Ohjelmatiedostot\GetRight\GRdownload.htm
O8 - Extra context menu item: Open with GetRight Browser - C:\Ohjelmatiedostot\GetRight\GRbrowse.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\OHJELM~1\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\OHJELM~1\ICQ\ICQ.exe
O9 - Extra button: ICQ 4.1 - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Ohjelmatiedostot\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Ohjelmatiedostot\ICQLite\ICQLite.exe
O9 - Extra button: Palvelut - {E0D1FDE0-67F0-11D8-B762-CD2E7ECAB97A} - [url]http://service.kolumbus.fi/[/url] (file missing) (HKCU)
O9 - Extra button: Tuki - {E0D1FDE1-67F0-11D8-B762-CD2E7ECAB97A} - [url]http://tuki.elisa.net/[/url] (file missing) (HKCU)
O9 - Extra button: SMS-viesti - {E0D1FDE2-67F0-11D8-B762-CD2E7ECAB97A} - [url]http://sms.kolumbus.fi/[/url] (file missing) (HKCU)
O16 - DPF: {68BCE50A-DC9B-4519-A118-6FDA19DB450D} (Info Class) - [url]http://support.vugames.com/betasubmission/sysinfo/Si.cab[/url]
O16 - DPF: {BAC01377-73DD-4796-854D-2A8997E3D68A} (Yahoo! Photos Easy Upload Tool Class) - [url]http://us.dl1.yimg.com/download.yahoo.com/dl/installs/ydropper/ydropper1_3us.cab[/url]
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - [url]http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/autocomplete.cab[/url]
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - [url]http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_42.cab[/url]
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - [url]http://ax.phobos.apple.com.edgesuite.net/detection/ITDetector.cab[/url]
O16 - DPF: {8FA9D107-547B-4DBC-9D88-FABD891EDB0A} - [url]http://playroom.icq.com/odyssey_web8.cab[/url]
Even with that trojan still running around, my pc is acting more or less better than a while ago. :)
[quote][B]ZoneAlarm is nothing but panicware.
"HOLY SHIT! YOU GOT PINGED BY xxx.xxx.xxx.xxx!!!! RED ALERT!!!!! SHIELDS TO MAXIMUM!!!" [/B][/QUOTE]
Hah hah hah... That just made me fucking laugh for several minutes...! :D
[quote][B]Win32.TrojanDownloader.Swizzor.br Object Recognized!
Type : Process
Data : REZMMTXT.EXE
Category : Malware
Comment : (CSI MATCH)
Object : C:\WINDOWS\TEMP\
Warning! Win32.TrojanDownloader.Swizzor.br Object found in memory(C:\WINDOWS\TEMP\REZMMTXT.EXE)
"C:\WINDOWS\TEMP\REZMMTXT.EXE"Process terminated successfully
That's the one causing trouble.. Have to edit the registry file (i guess) to remove it from coming back again and again... [/b][/quote]
I highly recommend killing it from the registry, booting into safe mode and clearing your temp directory entirely. Then I seriously recommend that you scan your machine with some sort of anti-virus program. If you don't have one, AVG is a decent free alternative to the bloated ones you find on the shelf. (grisoft.com is the URL, IIRC)
[quote][b]Running processes:
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE - These two are unnecessary; kill by opening Task Manager, click Options and select "Stop using Task Manager". (Unless you actually use it; if not, turn it off. 98 needs all the available resources it can get, given its horrible memory management.)
C:\WINDOWS\TASKMON.EXE - Not really necessary to run all the time.
C:\OHJELMATIEDOSTOT\CYBERLINK\POWERDVD\PDVDSERV.EXE - Kill
C:\OHJELMATIEDOSTOT\YAHOO!\MESSENGER\YPAGER.EXE - Look towards the end of this post for an alternative.
C:\WINDOWS\SYSTEM\DDHELP.EXE - Not sure what the hell this is off the top of my head, but it's not necessary at all. Kill it for now.
[/b][/quote]
[quote][b]R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = [url]http://www.wnksvtijlrgcftsbmcbhi.com/e_Ll5tGI_I9tupsbigLezVP/_UntcIr6ccoLbNBYYUAqrMHuCUjwuUybNST_9Omy.cgi[/url]
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = [url]http://www.wlljxczinjhgpbazlycu.info/e_Ll5tGI_I_QdAbJfvA4ruMr7Sm0YIH2gkoBcN0OUWQ.htm[/url][/b][/quote]
Next time you run Ad-Aware, go into the options and, under the Default button, set the default search page and homepage to whatever values you want. I tried to visit the start page URL and found it to be an invalid one. I suggest that you reset them to whatever value you want and block them from being changed via TweakUI.
[quote][b]R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Linkit
O2 - BHO: (no name) - {6DD9A1D1-C969-701A-083B-55799B947B32} - C:\WINDOWS\APPLICATION DATA\SITELOGOREGS\DATEPOLL.EXE
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [V66SHELL] V66SHELL.EXE
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [Mirabilis ICQ] C:\OHJELM~1\ICQ\ICQNet.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime (Kill this! No reason for it to run at all. It's just eating up valuable memory that you could use for something else.)
O4 - HKLM\..\Run: [RemoteControl] C:\Ohjelmatiedostot\CyberLink\PowerDVD\PDVDServ.exe (Same as above)
O4 - HKLM\..\Run: [InCD] C:\Ohjelmatiedostot\Ahead\InCD\InCD.exe (Same as above)
O4 - HKLM\..\Run: [Vga Blue Fast Admin] C:\WINDOWS\Application Data\moveshowvgablue\option software.exe (No idea what the hell this is. Recommend you kill this unless you actually need it.)
O4 - HKLM\..\RunServices: [SchedulingAgent] C:\WINDOWS\SYSTEM\mstask.exe (Kill)
O4 - HKLM\..\RunServices: [MessengerPlus3] "C:\Ohjelmatiedostot\Messenger Plus! 3\MsgPlus.exe" (Kill!)
O4 - HKCU\..\Run: [Ford bold] C:\WINDOWS\APPLIC~1\OPTION~1\Default multi spam.exe (Kill!)
O4 - Startup: Microsoft Office.lnk = C:\Ohjelmatiedostot\Microsoft Office\Office\OSA9.EXE (Kill!)
O8 - Extra context menu item: Download with GetRight - C:\Ohjelmatiedostot\GetRight\GRdownload.htm (Kill! Getright = adware infested)
O8 - Extra context menu item: Open with GetRight Browser - C:\Ohjelmatiedostot\GetRight\GRbrowse.htm (Kill! See above.)
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL (Optional)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL (Optional)
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\OHJELM~1\ICQ\ICQ.exe (Kill)
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\OHJELM~1\ICQ\ICQ.exe (Kill)
O9 - Extra button: ICQ 4.1 - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Ohjelmatiedostot\ICQLite\ICQLite.exe (Kill!)
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Ohjelmatiedostot\ICQLite\ICQLite.exe (Kill!)
O9 - Extra button: Palvelut - {E0D1FDE0-67F0-11D8-B762-CD2E7ECAB97A} - [url]http://service.kolumbus.fi/[/url] (file missing) (HKCU) (Kill!)
O9 - Extra button: Tuki - {E0D1FDE1-67F0-11D8-B762-CD2E7ECAB97A} - [url]http://tuki.elisa.net/[/url] (file missing) (HKCU) (Kill!)
O9 - Extra button: SMS-viesti - {E0D1FDE2-67F0-11D8-B762-CD2E7ECAB97A} - [url]http://sms.kolumbus.fi/[/url] (file missing) (HKCU) (Kill!)
O16 - DPF: {68BCE50A-DC9B-4519-A118-6FDA19DB450D} (Info Class) - [url]http://support.vugames.com/betasubmission/sysinfo/Si.cab[/url] (Optional)
O16 - DPF: {BAC01377-73DD-4796-854D-2A8997E3D68A} (Yahoo! Photos Easy Upload Tool Class) - [url]http://us.dl1.yimg.com/download.yahoo.com/dl/installs/ydropper/ydropper1_3us.cab[/url] (Kill!)
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - [url]http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/autocomplete.cab[/url] (Kill!)
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - [url]http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_42.cab[/url] (Kill!)
O16 - DPF: {8FA9D107-547B-4DBC-9D88-FABD891EDB0A} - [url]http://playroom.icq.com/odyssey_web8.cab[/url] (Kill!) [/B][/QUOTE]
Man, you had a lot of stuff on there you don't need.
As for the alternative I mentioned, I suggest you check out [url=http://www.miranda-im.org/]Miranda IM[/url]. It's capable of communicating over damn near every IM network out there. (Though only MSN, ICQ, AIM, and Yahoo by default. The rest you have to download the plugin for.) If you do check it out, be sure to download the latest [url=http://www.miranda-im.org/download/details.php?action=viewfile&id=729]ICQ[/url], [url=http://www.miranda-im.org/download/details.php?action=viewfile&id=581]AIM[/url], [url=http://www.miranda-im.org/download/details.php?action=viewfile&id=1248]Yahoo[/url], and [url=http://www.miranda-im.org/download/details.php?action=viewfile&id=702]MSN[/url] protocols. Some have updated features and/or have been updated due to authentication changes, to keep up with the main clients trying to block third-party IM clients. There's also an updated [url=http://www.miranda-im.org/download/details.php?action=viewfile&id=550]IRC[/url] plugin should you choose to chat via that instead of mIRC or whatever you normally use. Miranda IM is an open source client, has zero advertisements/nagging, and is completely free. :)
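The post above walks the HijackThis log by hand. As an added example (not code from this thread or from HijackThis itself), here is a Python script that does the same triage mechanically: it parses the R0/R1, O2, O4 and O16 lines, flags entries that point at random-looking hostnames or load from user-writable directories (Temp, Application Data and their 8.3 short names), and emits a REGEDIT4 .reg fragment that removes the flagged Run values and BHO key and resets the hijacked IE pages. The sample lines are constructed from the log posted earlier in the thread; the vowel-ratio threshold, the directory list and the mapping from HijackThis shorthand to full registry keys are my assumptions, and the reg fragment should be reviewed before import.

```python
"""Triage a pasted HijackThis log (added example; heuristics and sample lines are assumptions)
and emit a REGEDIT4 fragment undoing the registry-backed entries it flags."""
import re
from dataclasses import dataclass

# Constructed sample, modelled on the HijackThis 1.98 log posted in this thread.  The
# forum's [url]...[/url] wrappers are kept on purpose so the parser has to strip them.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = [url]http://www.wnksvtijlrgcftsbmcbhi.com/e_Ll5tGI_I9tupsbigLezVP/_UntcIr6ccoLbNBYYUAqrMHuCUjwuUybNST_9Omy.cgi[/url]
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = [url]http://www.wlljxczinjhgpbazlycu.info/e_Ll5tGI_I_QdAbJfvA4ruMr7Sm0YIH2gkoBcN0OUWQ.htm[/url]
O2 - BHO: (no name) - {6DD9A1D1-C969-701A-083B-55799B947B32} - C:\WINDOWS\APPLICATION DATA\SITELOGOREGS\DATEPOLL.EXE
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [Vga Blue Fast Admin] C:\WINDOWS\Application Data\moveshowvgablue\option software.exe
O4 - HKLM\..\RunServices: [Avgserv9.exe] C:\OHJELM~1\GRISOFT\AVG6\Avgserv9.exe
O4 - HKCU\..\Run: [Ford bold] C:\WINDOWS\APPLIC~1\OPTION~1\Default multi spam.exe
O16 - DPF: {8FA9D107-547B-4DBC-9D88-FABD891EDB0A} - [url]http://playroom.icq.com/odyssey_web8.cab[/url]
"""

HIVES = {"HKLM": "HKEY_LOCAL_MACHINE", "HKCU": "HKEY_CURRENT_USER"}
RUN_BASE = r"Software\Microsoft\Windows\CurrentVersion"
BHO_BASE = RUN_BASE + r"\Explorer\Browser Helper Objects"
# Scratch and per-profile locations (long and 8.3 forms).  Nothing a Win9x box needs at
# boot lives here, so an autostart or BHO pointing into them is a red flag (assumption).
USER_WRITABLE = ("\\TEMP\\", "\\APPLICATION DATA\\", "\\APPLIC~1\\")
VOWELS = set("aeiouy")

R_RE = re.compile(r"^(R[01]) - (HK\w+)\\(.+?),(.+?) = (.*)$")
O2_RE = re.compile(r"^O2 - BHO: (.+?) - (\{[0-9A-Fa-f-]+\}) - (.*)$")
O4_RE = re.compile(r"^O4 - (HK\w+)\\\.\.\\(Run\w*): \[(.+?)\] (.*)$")
O16_RE = re.compile(r"^O16 - DPF: (\{[0-9A-Fa-f-]+\}) (?:\(.+?\) )?- (.*)$")


@dataclass
class Finding:
    section: str
    key: str     # registry key backing the entry ("" when it is not registry-backed)
    value: str   # value name under that key (or the CLSID for O16)
    reason: str  # why it was flagged; "" means the entry looks benign


def looks_random(host: str) -> bool:
    """Machine-generated hostnames like the ones in the log: a long second-level label
    with almost no vowels.  The 12-letter / 30% threshold is a guess; tune it."""
    labels = host.lower().split(".")
    sld = labels[-2] if len(labels) >= 2 else labels[0]
    letters = [c for c in sld if c.isalpha()]
    return len(letters) >= 12 and sum(c in VOWELS for c in letters) / len(letters) < 0.3


def user_writable(path: str) -> bool:
    return any(marker in path.upper() for marker in USER_WRITABLE)


def host_of(url: str) -> str:
    m = re.match(r"https?://([^/]+)", url)
    return m.group(1) if m else ""


def triage(log_text: str) -> list[Finding]:
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = re.sub(r"\[/?url\]", "", raw).strip()  # drop forum BBCode wrappers
        if not line:
            continue
        if m := R_RE.match(line):
            sec, hive, subkey, name, url = m.groups()
            why = "IE page points at a random-looking host" if looks_random(host_of(url)) else ""
            findings.append(Finding(sec, f"{HIVES[hive]}\\{subkey}", name, why))
        elif m := O2_RE.match(line):
            name, clsid, path = m.groups()
            why = [w for w, hit in (("BHO has no name", name == "(no name)"),
                                    ("BHO loads from a user-writable directory", user_writable(path))) if hit]
            findings.append(Finding("O2", f"{HIVES['HKLM']}\\{BHO_BASE}\\{clsid}", "", "; ".join(why)))
        elif m := O4_RE.match(line):
            hive, run_key, name, cmd = m.groups()
            why = "autostart from a user-writable directory" if user_writable(cmd) else ""
            findings.append(Finding("O4", f"{HIVES[hive]}\\{RUN_BASE}\\{run_key}", name, why))
        elif m := O16_RE.match(line):
            clsid, url = m.groups()
            why = "ActiveX control fetched from a random-looking host" if looks_random(host_of(url)) else ""
            findings.append(Finding("O16", "", clsid, why))
    return findings


def reg_fix(findings: list[Finding], homepage: str = "about:blank") -> str:
    """REGEDIT4 is the header Win9x regedit imports.  "name"=- deletes a value and
    [-key] deletes a key.  O16 entries are not registry-only, so they are left out."""
    out = ["REGEDIT4", ""]
    for f in findings:
        if not f.reason:
            continue
        if f.section in ("R0", "R1"):
            out += [f"[{f.key}]", f'"{f.value}"="{homepage}"', ""]
        elif f.section == "O4":
            out += [f"[{f.key}]", f'"{f.value}"=-', ""]
        elif f.section == "O2":
            out += [f"[-{f.key}]", ""]
    return "\n".join(out)


if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    print("\n".join(f"{f.section:<3} {'FLAG' if f.reason else 'ok  '} {f.value or f.key}  {f.reason}" for f in results))
    print(reg_fix(results))
```

Run it and it flags the two IE page hijacks, the nameless BHO and the two Run entries under Application Data, while leaving ScanRegistry, AVG and the ICQ ActiveX control alone. The generated .reg only removes the launch points; the downloader binary in C:\WINDOWS\TEMP still has to be deleted from safe mode as the post says, otherwise a surviving copy can simply re-add the values.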
[quote][B]I highly recommend killing it from the registry, booting into safe mode and clearing your temp directory entirely. [/B][/QUOTE]
Yes! You beat me to it. If you feel removing things from the registry is over your head (many people are intimidated by it), run AVG and Ad-Aware SE in safe mode. Second Edition does a fairly nice job of cleaning up registries ~ and booting in safe mode 'may' help resolve the freeze problem.
Doing a search on that name "Win32.TrojanDownloader.Swizzor.br" and a few shorter variations on it will probably lead you to a specialized 'cleaner' from Symantec, for example, if need be. It's basically a little script/program that is designed specifically for removing a very specific problem.
Just FYI ~ many of these new viruses are 'smart' enough to make an effort to disable the popular anti-virus and anti-adware programs.
There you can download RegCleaner 4.3, which isn't a spyware tool, but gives you great leverage over such pesky progs.
Ad-Aware SE and AVG are good programs to use, but I suggest using [URL=http://www.security.kolla.de]Spybot[/URL] in conjunction with the two to add it all up.
Ah, thank thee, Lord!
I do say this here personal computing unit has been exorcised by the almighty! :dead: