Computer trouble - Hijack Code included

Status
Not open for further replies.

johnnymcsponge (Beta member)
My computer's been infected with a program that's put an application on my desktop with the name 'Access Members Area' for some dodgy website and keeps throwing up boxes getting me to call a $1.50 number through my modem. I've tried to get rid of it using AVG, but that's not worked. I'm sure there's other problems as well slowing down the performance of my computer. Can anybody help?

-----

Logfile of HijackThis v1.99.1
Scan saved at 13:38:51, on 26/05/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v5.00 (5.00.2614.3500)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\MESSENGER PLUS! 3\MSGPLUS.EXE
C:\WINDOWS\SYSTEM\KERNELS32.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SPOOLSRV32.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\THOMSON\SPEEDTOUCH USB\DRAGDIAG.EXE
C:\WINDOWS\LOADQM.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\E_S4I0S2.EXE
C:\PROGRAM FILES\GRISOFT\AVG7\AVGCC.EXE
C:\WINDOWS\SYSTEM\INTERNAT.EXE
C:\PROGRAM FILES\GRISOFT\AVG7\AVGEMC.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\WIN32.EXE
C:\WINDOWS\APPLICATION DATA\BSTS.EXE
C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\WORKS SHARED\WKCALREM.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\SYSTEM\WINOA386.MOD
C:\WINDOWS\SYSTEM\SVCHOST.EXE
C:\WINDOWS\SYSTEM\VXGAMET2.EXE
C:\UNZIPPED\HIJACKTHIS[1]\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://top-find4u.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://top-find4u.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://top-find4u.com/sp.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ask.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.wanadoo.co.uk
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://abcsearch4u.com/index.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,SearchURL = http://top-find4u.com/sp.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: ADP UrlCatcher Class - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - C:\WINDOWS\SYSTEM\MSBE.DLL (file missing)
O2 - BHO: CDllBho Object - {5A5B6916-ED71-4531-8018-E792DD44156E} - C:\WINDOWS\KJWE.DLL
O2 - BHO: ActiveX Control - {67F666E0-CD66-11D9-981A-444553540000} - C:\WINDOWS\SYSTEM\MSWYC.DLL (file missing)
O2 - BHO: SearchToolbar - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - C:\WINDOWS\SYSTEM\IE2CLTR.DLL
O2 - BHO: IE SP2 AddOn - {794A21C0-CD66-11D9-981A-444553540000} - C:\WINDOWS\SYSTEM\SPAKA.DLL (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: SearchToolbar - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - C:\WINDOWS\SYSTEM\IE2CLTR.DLL
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [EPSON Stylus C66 Series] C:\WINDOWS\SYSTEM\E_S4I0S2.EXE /P23 "EPSON Stylus C66 Series" /O7 "EPUSB1:" /M "Stylus C66"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVG7\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVG7\AVGEMC.EXE
O4 - HKLM\..\Run: [System] C:\WINDOWS\SYSTEM\kernels32.exe
O4 - HKLM\..\Run: [WindowsUpdate] C:\WINDOWS\SYSTEM\SVCHOST.EXE /s
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] C:\WINDOWS\SYSTEM\mstask.exe
O4 - HKLM\..\RunServices: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe"
O4 - HKLM\..\RunServices: [SystemTools] C:\WINDOWS\SYSTEM\kernels32.exe
O4 - HKLM\..\RunServices: [Shell] Explorer.exe C:\WINDOWS\SYSTEM\kernels32.exe
O4 - HKLM\..\RunServices: [Srv32 spool service] C:\WINDOWS\System\spoolsrv32.exe
O4 - HKCU\..\Run: [wupd] C:\WINDOWS\SYSTEM\win32.exe
O4 - HKCU\..\Run: [Shsl] C:\WINDOWS\Application Data\bsts.exe
O4 - HKCU\..\RunServices: [wupd] C:\WINDOWS\SYSTEM\win32.exe
O4 - Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Microsoft AntiSpyware helper - {8041E260-CD66-11D9-981A-444553540000} - C:\WINDOWS\SYSTEM\WLDR.DLL
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {8041E260-CD66-11D9-981A-444553540000} - C:\WINDOWS\SYSTEM\WLDR.DLL
O9 - Extra button: Microsoft AntiSpyware helper - {8041E260-CD66-11D9-981A-444553540000} - C:\WINDOWS\SYSTEM\WLDR.DLL (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {8041E260-CD66-11D9-981A-444553540000} - C:\WINDOWS\SYSTEM\WLDR.DLL (HKCU)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O12 - Plugin for .png: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin6.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.wanadoo.co.uk
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted Zone: *.searchmiracle.com
O15 - Trusted Zone: *.searchbarcash.com
O15 - Trusted Zone: *.skoobidoo.com
O15 - Trusted Zone: *.my-internet.info
O15 - Trusted Zone: *.xxxtoolbar.com
O15 - Trusted Zone: *.slotch.com
O15 - Trusted Zone: *.flingstone.com
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted Zone: *.blazefind.com
O15 - Trusted Zone: *.clickspring.net
O15 - Trusted Zone: *.ysbweb.com
O15 - Trusted Zone: *.slotchbar.com
O15 - Trusted Zone: *.windupdates.com (HKLM)
O15 - Trusted Zone: *.searchbarcash.com (HKLM)
O15 - Trusted Zone: *.searchmiracle.com (HKLM)
O15 - Trusted Zone: *.skoobidoo.com (HKLM)
O15 - Trusted Zone: *.my-internet.info (HKLM)
O15 - Trusted Zone: *.xxxtoolbar.com (HKLM)
O15 - Trusted Zone: *.slotch.com (HKLM)
O15 - Trusted Zone: *.flingstone.com (HKLM)
O15 - Trusted Zone: *.mt-download.com (HKLM)
O15 - Trusted Zone: *.blazefind.com (HKLM)
O15 - Trusted Zone: *.clickspring.net (HKLM)
O15 - Trusted Zone: *.ysbweb.com (HKLM)
O15 - Trusted Zone: *.slotchbar.com (HKLM)
O15 - Trusted IP range: 67.19.178.84
O15 - Trusted IP range: 67.19.178.84 (HKLM)
O16 - DPF: {D8A8A7F1-53EF-41F2-B44D-F3E2E595DC27} - ms-its:mhtml:file://C:\MAIN.MHT!http://69.50.172.102/336//main.chm::/update.exe
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-download.com/MediaTickets...refid=3548
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 69.50.176.156,195.225.176.31
O21 - SSODL: OLE Module - {0656A137-B161-CADD-9777-E37A75727E78} - C:\WINDOWS\SYSTEM\thun32.dll
O21 - SSODL: System - {79CEE220-CD66-11D9-981A-444553540000} - vr_sys.dll (file missing)

-----
 
I don't really understand the hijack code, but I don't think all those 'trusted zones' should be there. Is that the problem? How do I get rid of them?
 
Remove entries at your own risk


C:\WINDOWS\SYSTEM\SPOOLSRV32.EXE O4 - HKLM\..\RunOnce: [Srv32 spool service] C:\WINDOWS\System32\spoolsrv32.exe This is a nasty process! You should fix it and try to delete it manually!

C:\WINDOWS\SYSTEM\E_S4I0S2.EXE This is an unknown process.

C:\WINDOWS\SYSTEM\WIN32.EXE running process. (WIN32.EXE)
Added as a result of the RATEGA VIRUS! This is a nasty process! You should fix it and try to delete it manually!

C:\WINDOWS\APPLICATION DATA\BSTS.EXE This is an unknown process.

C:\WINDOWS\SYSTEM\SVCHOST.EXE running process. (SVCHOST.EXE) This process is not running from the System32 folder as it is supposed to be. This entry is not running from the System32 folder, so it is probably nasty.
Possibly nasty! According to our database this process runs normally in c:\windows\system32\! Check if you know this process and arrange a virus check where required.

C:\WINDOWS\SYSTEM\VXGAMET2.EXE This is an unknown process.

O2 - BHO: ADP UrlCatcher Class - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - C:\WINDOWS\SYSTEM\MSBE.DLL (file missing)
Unnecessarily: Entries found in this registry zone are potentially nasty. This application ([F4E04583-354E-4076-BE7D-ED6A80FD66DA] - Result: F4E04583-354E-4076-BE7D-ED6A80FD66DA) has been checked. Must be fixed!
Unnecessary (deactivated) entry that can be fixed.

O2 - BHO: CDllBho Object - {5A5B6916-ED71-4531-8018-E792DD44156E} - C:\WINDOWS\KJWE.DLL
Nasty: Entries found in this registry zone are potentially nasty. This application ([5A5B6916-ED71-4531-8018-E792DD44156E] - Result: 5A5B6916-ED71-4531-8018-E792DD44156E) has been checked. Must be fixed!

O2 - BHO: ActiveX Control - {67F666E0-CD66-11D9-981A-444553540000} - C:\WINDOWS\SYSTEM\MSWYC.DLL (file missing)
Unnecessarily: Entries found in this registry zone are potentially nasty. This application ([67F666E0-CD66-11D9-981A-444553540000] - Result: ) has been checked. Unknown application.
Unnecessary (deactivated) entry that can be fixed.

O2 - BHO: SearchToolbar - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - C:\WINDOWS\SYSTEM\IE2CLTR.DLL
Unknown: Entries found in this registry zone are potentially nasty. This application ([08BEC6AA-49FC-4379-3587-4B21E286C19E] - Result: ) has been checked. Unknown application.

O2 - BHO: IE SP2 AddOn - {794A21C0-CD66-11D9-981A-444553540000} - C:\WINDOWS\SYSTEM\SPAKA.DLL (file missing) Unknown application.
Unnecessary (deactivated) entry that can be fixed.

O3 - Toolbar: SearchToolbar - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - C:\WINDOWS\SYSTEM\IE2CLTR.DLL If you do not know that application, fix it.

O4 - HKLM\..\Run: [WindowsUpdate] C:\WINDOWS\SYSTEM\SVCHOST.EXE /s Added as a result of the TROJ/AGENT-V TROJAN! Must be fixed!

O14 - IERESET.INF: START_PAGE_URL=http://www.wanadoo.co.uk
Possibly nasty: This entry should be fixed if this address does not belong to your PC manufacturer or your Internet Service Provider (ISP). This entry should be fixed if 'http://www.wanadoo.co.uk' is not your PC manufacturer or your Internet Service Provider (ISP).

O15 - Trusted Zone: *.windupdates.com
Nasty: If you did not add these pages to your trusted pages, they should be fixed.

O15 - Trusted Zone: *.searchmiracle.com
Nasty: If you did not add these pages to your trusted pages, they should be fixed.

O15 - Trusted Zone: *.searchbarcash.com
Nasty: If you did not add these pages to your trusted pages, they should be fixed.

O15 - Trusted Zone: *.skoobidoo.com
Nasty: If you did not add these pages to your trusted pages, they should be fixed.

O15 - Trusted Zone: *.my-internet.info
Nasty: If you did not add these pages to your trusted pages, they should be fixed.

O15 - Trusted Zone: *.xxxtoolbar.com
Nasty: If you did not add these pages to your trusted pages, they should be fixed.

O15 - Trusted Zone: *.slotch.com
Nasty: If you did not add these pages to your trusted pages, they should be fixed.

O15 - Trusted Zone: *.flingstone.com
Nasty: If you did not add these pages to your trusted pages, they should be fixed.

O15 - Trusted Zone: *.mt-download.com
Nasty: If you did not add these pages to your trusted pages, they should be fixed.

O15 - Trusted Zone: *.blazefind.com
Nasty: If you did not add these pages to your trusted pages, they should be fixed.

O15 - Trusted Zone: *.clickspring.net
Nasty: If you did not add these pages to your trusted pages, they should be fixed.

O15 - Trusted Zone: *.ysbweb.com
Nasty: If you did not add these pages to your trusted pages, they should be fixed.

O15 - Trusted Zone: *.slotchbar.com
Possibly nasty: If you did not add these pages to your trusted pages, they should be fixed. If you didn't add '*.slotchbar.com' to your trusted pages, it should be fixed.

O15 - Trusted Zone: *.windupdates.com (HKLM)
Nasty: If you did not add these pages to your trusted pages, they should be fixed.

O15 - Trusted Zone: *.searchbarcash.com (HKLM)
Nasty: If you did not add these pages to your trusted pages, they should be fixed.

O15 - Trusted Zone: *.searchmiracle.com (HKLM)
Nasty: If you did not add these pages to your trusted pages, they should be fixed.

O15 - Trusted Zone: *.skoobidoo.com (HKLM)
Nasty: If you did not add these pages to your trusted pages, they should be fixed.

O15 - Trusted Zone: *.my-internet.info (HKLM)
Nasty: If you did not add these pages to your trusted pages, they should be fixed.

O15 - Trusted Zone: *.xxxtoolbar.com (HKLM)
Nasty: If you did not add these pages to your trusted pages, they should be fixed.

O15 - Trusted Zone: *.slotch.com (HKLM)
Nasty: If you did not add these pages to your trusted pages, they should be fixed.

O15 - Trusted Zone: *.flingstone.com (HKLM)
Nasty: If you did not add these pages to your trusted pages, they should be fixed.

O15 - Trusted Zone: *.mt-download.com (HKLM)
Nasty: If you did not add these pages to your trusted pages, they should be fixed.

O15 - Trusted Zone: *.blazefind.com (HKLM)
Nasty: If you did not add these pages to your trusted pages, they should be fixed.

O15 - Trusted Zone: *.clickspring.net (HKLM)
Nasty: If you did not add these pages to your trusted pages, they should be fixed.

O15 - Trusted Zone: *.ysbweb.com (HKLM)
Nasty: If you did not add these pages to your trusted pages, they should be fixed.

O15 - Trusted Zone: *.slotchbar.com (HKLM)
Nasty: If you did not add these pages to your trusted pages, they should be fixed.

O15 - Trusted IP range: 67.19.178.84
Possibly nasty: If you did not add these pages to your trusted pages, they should be fixed. If you didn't add '67.19.178.84' to your trusted pages, it should be fixed.

O15 - Trusted IP range: 67.19.178.84 (HKLM)
Nasty: If you did not add these pages to your trusted pages, they should be fixed.

O16 - DPF: {D8A8A7F1-53EF-41F2-B44D-F3E2E595DC27} - ms-its:mhtml:file://C:\MAIN.MHT!http://69.50.172.102/336//main.chm::/update.exe
Possibly nasty: Unknown ActiveX objects, or ActiveX objects from unknown sites, should always be fixed. If the name of the ActiveX object or the URL contains the words 'dialer', 'casino', 'free plugin' etc., it should be fixed! Check if you know this site and fix it if you do not.

O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-download.com/MediaTickets...refid=3548
Nasty: This entry is possibly nasty. Should be fixed.

O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 69.50.176.156,195.225.176.31
Possibly nasty: If this domain does not belong to your ISP or your firm's network, these entries should be fixed. 'SearchList' entries should be fixed too. Do you know the IP or domain '69.50.176.156,195.225.176.31'? If not, fix this entry.

O21 - SSODL: OLE Module - {0656A137-B161-CADD-9777-E37A75727E78} - C:\WINDOWS\SYSTEM\thun32.dll
Unknown

O21 - SSODL: System - {79CEE220-CD66-11D9-981A-444553540000} - vr_sys.dll (file missing)
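To show how the heuristics in the reply above can be applied mechanically, here is an added Python example (not from the thread and not HijackThis or the analyser's code) that parses lines in the HijackThis format quoted in this thread and flags the entry types the reply marks for fixing: R search/start pages pointing at an unknown host, every O15 Trusted Zone or IP range, O16 downloads from unknown sites or via ms-its:, O17 name servers outside the ISP's set, and a system binary name (svchost.exe) launched from a folder other than the one the analyser expects. The KNOWN_HOSTS and KNOWN_DNS allowlists, the placeholder DNS address 192.0.2.53 and the EXPECTED_DIR table are assumptions made for the example, and the sample log is constructed from lines quoted in the thread.

```python
import re
from collections import namedtuple
from pathlib import PureWindowsPath

Finding = namedtuple("Finding", "section reason line")
# Constructed allowlists: hosts the user recognises from the thread's log and a
# placeholder ISP DNS address; EXPECTED_DIR mirrors the reply's "svchost.exe
# should run from System32" rule (an assumed table, not the analyser's own).
KNOWN_HOSTS = {"www.wanadoo.co.uk", "www.ask.co.uk"}
KNOWN_DNS = {"192.0.2.53"}
EXPECTED_DIR = {"svchost.exe": "system32"}
ENTRY_RE = re.compile(r"^(R[0-3]|O\d+) - (.*)$")
HOST_RE = re.compile(r"https?://([^/\s]+)", re.I)
O4_PATH_RE = re.compile(r'\]\s*(?:"([^"]+)"|(\S+))')  # program after the [name]

# Constructed sample in HijackThis format, built from lines quoted in the thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://top-find4u.com/sp.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ask.co.uk/
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [WindowsUpdate] C:\WINDOWS\SYSTEM\SVCHOST.EXE /s
O15 - Trusted Zone: *.windupdates.com
O16 - DPF: {D8A8A7F1-53EF-41F2-B44D-F3E2E595DC27} - ms-its:mhtml:file://C:\MAIN.MHT!http://69.50.172.102/336//main.chm::/update.exe
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 69.50.176.156,195.225.176.31
"""

def analyse(log_text, known_hosts=KNOWN_HOSTS, known_dns=KNOWN_DNS):
    """One Finding per R/O entry that the reply's heuristics would mark for fixing."""
    findings = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        section, body = m.groups()
        hm = HOST_RE.search(body)
        host = hm.group(1).lower() if hm else None
        if section.startswith("R") and host and host not in known_hosts:
            findings.append(Finding(section, "IE search/start page set to unknown host", line))
        elif section == "O15":  # every trusted-zone entry: fix unless the user added it
            findings.append(Finding(section, "Trusted Zone entry not added by the user", line))
        elif section == "O16" and (host not in known_hosts or "ms-its:" in body.lower()):
            findings.append(Finding(section, "ActiveX object downloaded from unknown site", line))
        elif section == "O17":  # every NameServer must be one the ISP is known to use
            servers = {s.strip() for s in body.partition("=")[2].split(",") if s.strip()}
            if not servers <= known_dns:
                findings.append(Finding(section, "DNS server not belonging to the ISP", line))
        elif section == "O4" and (pm := O4_PATH_RE.search(body)):
            p = PureWindowsPath((pm.group(1) or pm.group(2)).lower())
            if EXPECTED_DIR.get(p.name) not in (None, p.parent.name):
                findings.append(Finding(section, "system binary name run from wrong folder", line))
    return findings
```

Running analyse(SAMPLE_LOG) leaves the ask.co.uk start page and the scanregw.exe entry alone and flags the other five lines, matching the reply's verdicts.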
 