Full Version: Secthought.C & VBS virus
Songseeker
Hi,

A quick check over at Trend Micro showed that I have the Secthought.C trojan as well as some kind of VBS virus on my PC. AVG doesn't detect either but the PC is running a bit choppy. Can you help? Here's the log:

Logfile of HijackThis v1.97.7
Scan saved at 4:14:54 PM, on 2/24/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\PROGRAM FILES\GRISOFT\AVG6\AVGSERV9.EXE
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\GRISOFT\AVG6\AVGCC32.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\AT&T\WNCLIENT\PROGRAMS\WNCONNECT.EXE
C:\PROGRAM FILES\AT&T\WNCLIENT\PROGRAMS\WNCSMSERVER.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\PROGRAM FILES\ACCESSORIES\WORDPAD.EXE
C:\WINDOWS\DESKTOP\SECURITY\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://home.netscape.com/home/winsearch.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.netscape.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://home.netscape.com/home/winsearch200.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://home.netscape.com/home/winsearch.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://home.netscape.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://home.netscape.com/home/winsearch.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://keyword.netscape.com/keyword/%s
O2 - BHO: Ipswitch.WsftpBrowserHelper - {601ED020-FB6C-11D3-87D8-0050DA59922B} - C:\PROGRAM FILES\WS_FTP PRO\WSBHO2K0.DLL
O2 - BHO: (no name) - {5ADA9CAC-04F9-4DD2-ABFD-74D673BE8624} - C:\WINDOWS\_MWOLTB.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: Merriam-Webster Online - {B7B76DD6-B6F0-4443-AF81-6A3ECF12A57D} - C:\WINDOWS\_MWOLTB.DLL
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRAM FILES\GRISOFT\AVG6\avgcc32.exe /startup
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\RunServices: [Avgserv9.exe] C:\PROGRA~1\GRISOFT\AVG6\Avgserv9.exe
O8 - Extra context menu item: MWOL &Dictionary - res://C:\WINDOWS\_MWOLTB.DLL/23/219
O8 - Extra context menu item: MWOL &Thesaurus - res://C:\WINDOWS\_MWOLTB.DLL/23/220
O12 - Plugin for .doc: C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\PLUGINS\NPDOC.DLL
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...8007.5450231481
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003120...all/xscan53.cab
O16 - DPF: {01CA75F1-054B-4A63-9221-C6926369EC52} (HS_live Control) - http://install.homestead.com/~site/Install...ive/HS_live.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/21956dd74bba0b...ip/RdxIE601.cab
O16 - DPF: {3CF32649-D1C0-4F42-AB44-ED284748920B} (Merriam-Webster Online Toolbar) - http://www.merriam-webster.com/toolbar/webinstall.cab
CalamityJane
Hi Songseeker,

I don't see Secthought running in your log. Exactly what file or files and location (full path) did Housecall find this trojan?

This item is not related but you can use HJT to fix. Run it with all browsers closed and press fix checked

O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/21956dd74bba0b...ip/RdxIE601.cab
Songseeker
Hi Jane,

Thanks for your quick response. The House Call scan showed VBS Randpop.A in C:\WINDOWS\System\unknown and Troj Secthought.C in C:\Windows\Downloaded Programs. I realize those aren't the full paths but I can't get House Call to show more than that. Does that help?

And thanks for pointing out the item in the HJ log. I will get rid of that now.
CalamityJane
Do you have the file names please?

Try going here. Panda gives you an option to save a report at the end which you can copy and paste back here (it would not be a bad idea to get a second opinion anyway)

Panda's Active Scan
http://www.pandasoftware.com/activescan/co...n_principal.htm

Also, since SecondThought is actually spyware, please download, get the updates and scan with Adaware:

Updating it first before scanning is very important - please do not skip that step.

Download Adaware (get the free edition)
http://www.lavasoft.de/software/adaware/

After downloading and installing, please update the program first; it is important to get the updates before scanning. Just open Adaware and click on *Check for Updates Now* and then *Continue*. Let them download and install, then press the *Scan now* button. Let it fix what it finds.

Reboot your PC after cleaning with Adaware and scan again. Repeat the process until no further items are found as bad.

Finally, scan once more with HijackThis and post a fresh log, along with the Panda scan results :)
Hunter
For that Troj Secthought.C in C:\Windows\Downloaded Programs Files..this of course is the extent of the files in that folder so it will be interesting which one they think is buggered with a trojan. you could of course dump the last three and if it scans clean then you will have satisfied the doctor...and of course even if you ever need those again..when you go to a site they will just be downloaded to you again..

group of downloaded program files

O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...8007.5450231481
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003120...all/xscan53.cab
O16 - DPF: {01CA75F1-054B-4A63-9221-C6926369EC52} (HS_live Control) - http://install.homestead.com/~site/Install...ive/HS_live.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/21956dd74bba0b...ip/RdxIE601.cab
O16 - DPF: {3CF32649-D1C0-4F42-AB44-ED284748920B} (Merriam-Webster Online Toolbar) - http://www.merriam-webster.com/toolbar/webinstall.cab
CalamityJane
QUOTE (Hunter @ Mar 15 2004, 02:50 PM)
For that Troj Secthought.C in C:\Windows\Downloaded Programs Files..this of course is the extent of the files in that folder so it will be interesting which one they think is buggered with a trojan. you could of course dump the last three and if it scans clean then you will have satisfied the doctor...and of course even if you ever need those again..when you go to a site they will just be downloaded to you again..

group of downloaded program files

O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...8007.5450231481
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003120...all/xscan53.cab
O16 - DPF: {01CA75F1-054B-4A63-9221-C6926369EC52} (HS_live Control) - http://install.homestead.com/~site/Install...ive/HS_live.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/21956dd74bba0b...ip/RdxIE601.cab
O16 - DPF: {3CF32649-D1C0-4F42-AB44-ED284748920B} (Merriam-Webster Online Toolbar) - http://www.merriam-webster.com/toolbar/webinstall.cab

I have been through that list and we already got rid of Netster:
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/21956dd74bba0b...ip/RdxIE601.cab <---he's deleted that one

O16 - DPF: {3CF32649-D1C0-4F42-AB44-ED284748920B} (Merriam-Webster Online Toolbar) - http://www.merriam-webster.com/toolbar/webinstall.cab <---this is his Merriam Webster Toolbar (it's ok)

O16 - DPF: {01CA75F1-054B-4A63-9221-C6926369EC52} (HS_live Control) - http://install.homestead.com/~site/Install...ive/HS_live.cab <---and this one I've checked the CLSID against SpywareBlaster and in other logs, not a problem

So I am waiting to see more details on a second (& third) scan with Panda and Adaware to see exactly what Housecall is naming there.
Songseeker
Jane,

I am going to head over to Panda and I'll post my results as soon as I get them.

I've already got adaware and Spybot S&D. I will check to see if adaware needs to be upgraded.

Thanks again for helping me with this.
Songseeker
Hunter,

If after following Jane's advice these files still show up on my PC I will do that. Thank you!
Hunter
Some more thoughts :


we also have been kicking around that unknown folder and have found that two things can end up that way having to do with wscript.exe and cscript.exe.

example:

I have several reports that CScript.exe is pointed at in the registry as c:\windows\system\unknown\cscript.exe (and cscript is the default for vbsfile, jsfile, etc)

now in itself neither one of these .exe is a bad thing. cscript.exe is a non microsoft thingie and it is used sometimes in place of the windows authorized wscript.exe.

But most of us for security reasons have disabled the wscript function and do not miss it at all since it has been exploited in the past.



I think what you are doing with Jane will make it all go away.. :thumb:
Hunter
Now since you also said things were running a little rough lately..let me bend your ear some more on other things which are not dangerous...but you might like to look at..

my focus here is on the ..

C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
and


O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot




I have had so many people ask me..

What would cause realsched.exe to run at 100% CPU and
slow down my system?

This is what that thing is for..

realsched - realsched.exe - Process Information
Process File: realsched or realsched.exe
Process Name: RealNetworks Scheduler
Description: Application that is a scheduler program for the RealOne player that prompts for update.
Company: Real Networks
System Process: No
Security Risk ( Virus/Trojan/Worm/Adware/Spyware ): No
Common Errors: N/A

Nevertheless I get rid of it.. :thumb:

I do not want my browser waiting to get updates from a realplayer server that might also be down ..busy..or holding me up to surf.

and you can read this thread about other things that slow down your experience on the internet.

http://www.dslreports.com/forum/remark,8772710~mode=flat



O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\REALSCHED.EXE -osboot

This is a resource killer, get rid of it at all costs - Real Networks Scheduler which gets installed with RealOne Player. Under Win9x/ME this task shows as TKBELLEXE, and as EVNTSVC under Windows 2000/XP or REALSCHED depending on which version of RealOne Player you have installed. From our experience, everything that applies to EVNTSVC below, also applies to REALSCHED. RNDAL elsewhere in these Task List pages is a good starting point to read about RealOne Player.

Next, a 15-Jun-2002 extract from the RealOne Player License Agreement that is specific to EVNTSVC (the said License Agreement was updated on 25-Nov-2002 by Real Networks and EVNTSVC was replaced by REALSCHED in that version of the License Agreement):

An application Scheduler, known as "evntsvc.exe," is installed along with RealOne Player. Once installed, it runs independently of RealOne Player. The Scheduler does not collect personal information or communicate with RealNetworks’ servers. It is used to remind AutoUpdate and Message Center to perform their tasks at pre-scheduled intervals. The Scheduler is also used to automatically launch RealNetworks’ Media Type Helper. The Media Type Helper ensures the system is configured for correct operation of the RealOne Player with Multi-Purpose Internet Mail Extensions ("MIME") types, file extensions, Internet protocols and other media types. If a media type has been assigned a different action by a different application, Media Type Helper may override the association and substitute its own association.

Recommendation: If reading about RNDAL did not put you off, then read on. RealPlayer Classic used to be one of the most needed pieces of software on a PC. Its successor, RealOne Player, is vying for the title of the most hated piece of software. For a start, on many PCs EVNTSVC slows down boot-ups unacceptably, using up to 90% of CPU time at times. There have also been reports of EVNTSVC dropping advertising shortcuts onto the desktop during idle times. Next, if you try to disable EVNTSVC via Startup Manager or MSCONFIG, RealOne Player checks to see if it has been deleted from the Registry and re-instates it as a startup item! To be fair, there is a facility within RealOne Player to "only perform automatic services while RealOne Player is in use". As stated in our write-up for RNDAL, our recommendation is to de-install RealOne Player and either use the classic RealPlayer, or something else such as WinAmp. If you absolutely want to keep RealOne Player, we suggest you rename EVNTSVC.EXE to EVNTSVC.EXE.OLD (or REALSCHED.EXE to REALSCHED.OLD) as that is the only way to make absolutely certain that it never runs, and RealOne Player works fine without it.


and if the reg key still comes up in the hijack log you can delete it.
Songseeker
Hi Jane,

Sorry it's taken me so long to get back here. I've been really busy in meat life and haven't had much opportunity to get online.

I've run the Panda scan TWICE. It doesn't show anything wrong with my computer. I tried to get the report both times but got an error message each time in a pop-up window both times. I don't think that site likes me. ;-)

I am running the most current version of ad-aware but both it and Spybot S&D have slowed to a crawl whenever I run them the last couple of days and I have no idea why.

Housecall still shows the same two trojans on my computer but still is no help in showing the full path or file names of these items.

And my PC itself has started to act up. It's slow, choppy, and doesn't shut down properly. It is still bringing up multiple windows when I open my browser.

Anyway, I am posting my latest HJ log. I don't know if it'll do any good but here it is:

Logfile of HijackThis v1.97.7
Scan saved at 10:09:21 AM, on 2/28/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\PROGRAM FILES\GRISOFT\AVG6\AVGSERV9.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCSETMGR.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCPD-LC\SYMLCSVC.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\AT&T\WNCLIENT\PROGRAMS\WNCONNECT.EXE
C:\PROGRAM FILES\AT&T\WNCLIENT\PROGRAMS\WNCSMSERVER.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\DESKTOP\SECURITY\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://home.netscape.com/home/winsearch.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.netscape.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://home.netscape.com/home/winsearch200.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://home.netscape.com/home/winsearch.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://home.netscape.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://home.netscape.com/home/winsearch.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://keyword.netscape.com/keyword/%s
O2 - BHO: Ipswitch.WsftpBrowserHelper - {601ED020-FB6C-11D3-87D8-0050DA59922B} - C:\PROGRAM FILES\WS_FTP PRO\WSBHO2K0.DLL
O2 - BHO: (no name) - {5ADA9CAC-04F9-4DD2-ABFD-74D673BE8624} - C:\WINDOWS\_MWOLTB.DLL
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: Merriam-Webster Online - {B7B76DD6-B6F0-4443-AF81-6A3ECF12A57D} - C:\WINDOWS\_MWOLTB.DLL
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRAM FILES\GRISOFT\AVG6\avgcc32.exe /startup
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Symantec Core LC] C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe start
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\RunServices: [Avgserv9.exe] C:\PROGRA~1\GRISOFT\AVG6\Avgserv9.exe
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [ccEvtMgr] "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
O4 - HKLM\..\RunServices: [ccSetMgr] "C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe"
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O8 - Extra context menu item: MWOL &Dictionary - res://C:\WINDOWS\_MWOLTB.DLL/23/219
O8 - Extra context menu item: MWOL &Thesaurus - res://C:\WINDOWS\_MWOLTB.DLL/23/220
O12 - Plugin for .doc: C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\PLUGINS\NPDOC.DLL
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...8007.5450231481
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003120...all/xscan53.cab
O16 - DPF: {01CA75F1-054B-4A63-9221-C6926369EC52} (HS_live Control) - http://install.homestead.com/~site/Install...ive/HS_live.cab
O16 - DPF: {3CF32649-D1C0-4F42-AB44-ED284748920B} (Merriam-Webster Online Toolbar) - http://www.merriam-webster.com/toolbar/webinstall.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
Songseeker
Hunter,

I'm looking for those RealPlayerOne files but am unable to find them. Would this be because I removed the registry key that you mentioned?
Songseeker
Hunter,

I found that Realsched.exe file but my PC will not let me rename it. What should I do?
CalamityJane
Regarding the recent slowness issue, it appears you have picked up Norton Antivirus as well? Having both NAV and AVG running resident at the same time will cause significant system slowdowns and possible conflicts as both try to do the same job at the same time (and that would affect Spybot and Adaware scans as well). Disable from start up one of the AV programs and use it as a backup on-demand scanner.

You'll notice in the McAfee online scan instructions below it tells you to temporarily disable any active AVs running. Same reason. Two programs trying to do the same job will cause problems.

Meanwhile, we need to get a file name to make sure that Trend's find is not a false positive (or if it is not, where the heck the infected files are that it says are there)

Try McAfee Free online scan. This says it should give you a report.

http://us.mcafee.com/root/mfs/default.asp

QUOTE
How to Use FreeScan

  1. Click here and follow the on-screen instructions.

      Note: The download time varies based on your Internet connection speed. The file is 1.6 MB and can take up to five minutes to download over a 56-Kbps modem.

  2. If a security dialog box appears, you must click Yes to approve the Security Certificate to enable the download of necessary ActiveX controls.

      FreeScan will be downloaded upon completion of the ActiveX installation.

  3. Select your Scan Location:

---> use this option        * Drive C - Use this default option to scan the entire contents of your drive C and get the most thorough scan possible.
          * My Documents - Use this option to scan only the files in your My Documents folder.
          * Windows Files - Use this option to scan only your Windows system files.

  4. Make sure that you temporarily disable any active anti-virus software to avoid conflicts.

  5. Click Scan to start scanning files.

      The Scan Status area shows the number of files scanned, the total number of infected files, and the name of the current file being scanned.

      If an infected file is detected, its name appears in the List of Infected Files. You can also click the virus name in the Virus Name list to view details from the Virus Information Library

.............................
I really do not think RealPlayer is your problem right now. I'd like to concentrate on this Trend Housecall issue and no, HijackThis isn't giving us any clues either (but then it is not a full system scanner - it is only going to find the things that are running).
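The comparison made in the reply above (Norton appearing next to AVG between the 2/24 and 2/28 logs) can be done mechanically by diffing the two HijackThis logs. This is an added example, not part of the original thread; the log excerpts are cut down from the two logs posted here, and the `AV_MARKERS` path fragments are assumptions drawn from those logs.

```python
import re

# Constructed input: a few lines cut down from the two HijackThis logs in this thread.
LOG_FEB24 = r"""Logfile of HijackThis v1.97.7
Running processes:
C:\PROGRAM FILES\GRISOFT\AVG6\AVGSERV9.EXE
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRAM FILES\GRISOFT\AVG6\avgcc32.exe /startup
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\RunServices: [Avgserv9.exe] C:\PROGRA~1\GRISOFT\AVG6\Avgserv9.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/21956dd74bba0b...ip/RdxIE601.cab
O16 - DPF: {3CF32649-D1C0-4F42-AB44-ED284748920B} (Merriam-Webster Online Toolbar) - http://www.merriam-webster.com/toolbar/webinstall.cab
"""

LOG_FEB28 = r"""Logfile of HijackThis v1.97.7
Running processes:
C:\PROGRAM FILES\GRISOFT\AVG6\AVGSERV9.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRAM FILES\GRISOFT\AVG6\avgcc32.exe /startup
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\RunServices: [Avgserv9.exe] C:\PROGRA~1\GRISOFT\AVG6\Avgserv9.exe
O4 - HKLM\..\RunServices: [ccEvtMgr] "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
O16 - DPF: {3CF32649-D1C0-4F42-AB44-ED284748920B} (Merriam-Webster Online Toolbar) - http://www.merriam-webster.com/toolbar/webinstall.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
"""

# A log entry is "<section code> - <body>", e.g. "O4 - HKLM\..\Run: [...] ...".
# Header lines and the running-process paths do not match and are skipped.
ENTRY_RE = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<body>.+)$")

def parse_entries(log_text):
    """Return the set of (section, body) entries found in a HijackThis log."""
    entries = set()
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.add((m["section"], m["body"]))
    return entries

def diff_logs(old_log, new_log):
    """Return (added, removed) entries between two logs, each sorted."""
    old, new = parse_entries(old_log), parse_entries(new_log)
    return sorted(new - old), sorted(old - new)

# Assumption: install-path fragments for the two AV products seen in this thread.
AV_MARKERS = {
    "AVG": ("\\grisoft\\",),
    "Norton/Symantec": ("\\symantec shared\\", "\\norton antivirus\\"),
}

def resident_av(log_text):
    """AV products that have an O4 (Run/RunServices) autostart entry."""
    found = set()
    for section, body in parse_entries(log_text):
        if section != "O4":
            continue
        low = body.lower()
        for product, markers in AV_MARKERS.items():
            if any(marker in low for marker in markers):
                found.add(product)
    return sorted(found)

if __name__ == "__main__":
    added, removed = diff_logs(LOG_FEB24, LOG_FEB28)
    for section, body in added:
        print("+", section, "-", body)
    for section, body in removed:
        print("-", section, "-", body)
    products = resident_av(LOG_FEB28)
    if len(products) > 1:
        print("More than one resident AV autostarts:", ", ".join(products))
```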
Songseeker
Thanks Jane! I will be back with my results.
Songseeker
Hi again!

I ran the McAfee online scan per your instructions and my results came up clean. Again, I was given no option to get a report. However something curious has occurred. After reading your last post I decided to uninstall AVG in favor of Norton. I ran the McAfee scan and then ran Housecall again. No secthoughtb! I had that virus before a few months ago and now I am wondering if Housecall may have detected it because it was locked in AVG's virus vault?

As for VBS_Randpop.A I have located the file. It's called search.vbs and it is located in C:\Windows\System\unknown. I was able to locate it by following the partial path that Housecall showed. It is the only file in the folder. What should I do with it?

Thanks again!
CalamityJane
Yes, delete: search.vbs (at least it was not running but might as well get rid of it)

Well, with all those clean results I am convinced that you really are.
Songseeker
Okay, thank you bunches!
CalamityJane
You're welcome bunches - we are glad we could help

We highly recommend you get some extra protection to prevent future infections. Here are some things you can do and some free programs to help :)

How to Stop Hijackers & Spyware Infections, And other malware too!
http://forum.gladiator-antivirus.com/index...?showtopic=9857

Stay Safe and Happy Surfing