BleepingComputer.com: HGFEDCBA.EXE

Hi,

I've cleared a quite infected PC using spybot and adaware and following a few threads on this forum and this log is what I'm left with, something is still trying to install itself at startup and connect to the internet

thanks for your help,

Neil

Logfile of HijackThis v1.99.1
Scan saved at 00:05:46, on 18/07/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v5.00 (5.00.2614.3500)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\MS HARDWARE\POINT32.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\WINDOWS\SYSTEM\HGFEDCBA.EXE
C:\WINDOWS\SYSTEM\DXVID.EXE
C:\PROGRAM FILES\COMMON FILES\IKQU\IKQUM.EXE
C:\PROGRAM FILES\IOMEGA\TOOLS\IMGICON.EXE
C:\PROGRAM FILES\IOMEGA\TOOLS\IOWATCH.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\DIGITAL IMAGING\BIN\HPOTDD01.EXE
C:\WINDOWS\SYSTEM\MSWHEEL.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\DIGITAL IMAGING\BIN\HPOHMR08.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\PROGRAM FILES\COMMON FILES\IKQU\IKQUA.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\SPYWARE\HJT\HIJACKTHIS.EXE
C:\PROGRAM FILES\COMMON FILES\IKQU\IKQUL.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.euro.dell.com/countries/uk/enu/gen/default.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: (no name) - _{77FBF9B8-1D37-4FF2-9CED-192D8E3ABA6F} - (no file)
O2 - BHO: Shorty - {11A4CA8C-A8B9-49c2-A6D3-3F64C9EEBAE6} - C:\PROGRAM FILES\DNS\CATCHER.DLL
O2 - BHO: (no name) - {5B7D8940-F6A9-11D9-ABF8-40E54FC10000} - C:\PROGRAM FILES\LYCOS\IEAGENT\IEAGENT.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: Maxifiles - {77FBF9B8-1D37-4FF2-9CED-192D8E3ABA6F} - (no file)
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [POINTER] C:\PROGRA~1\MSHARD~1\point32.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [R41_32I] C:\WINDOWS\SYSTEM\R41_32I.exe
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Cf2wY] C:\RCFWQQC.EXE
O4 - HKLM\..\Run: [hgfedcba] c:\windows\system\hgfedcba.exe /install
O4 - HKLM\..\Run: [ijgv] C:\WINDOWS\ijgv.exe
O4 - HKLM\..\Run: [dxvid] c:\windows\system\dxvid.exe /nocomm
O4 - HKLM\..\Run: [ybgpav] C:\WINDOWS\ybgpav.exe
O4 - HKLM\..\Run: [jgp] C:\WINDOWS\jgp.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKCU\..\Run: [atiupdpl] C:\WINDOWS\SYSTEM\atiupdpl.exe
O4 - HKCU\..\Run: [DNS] C:\Program Files\Common Files\mc-58-12-0000093.exe
O4 - HKCU\..\Run: [SNInstall] C:\WINDOWS\SYSTEM\SEFE.EXE
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - HKCU\..\Run: [IKQU] C:\PROGRAM FILES\COMMON FILES\IKQU\IKQUM.EXE
O4 - Startup: Iomega Disk Icons.lnk = C:\Program Files\Iomega\Tools\IMGICON.EXE
O4 - Startup: Iomega Startup Options.lnk = C:\Program Files\Iomega\Tools\IMGSTART.EXE
O4 - Startup: Iomega Watch.lnk = C:\Program Files\Iomega\Tools\IOWATCH.EXE
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: Refresh.lnk = C:\Program Files\Iomega\Tools\REFRESH.EXE
O4 - Startup: hpoddt01.exe.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - Startup: hp instant support.lnk = C:\Program Files\Hewlett-Packard\hpis\bin\matcli.exe
O4 - Startup: hp psc 1000 series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
O8 - Extra context menu item: QuickTranslate - C:\Program Files\Common Files\Microsoft Shared\Reference Titles\edtrans.htm
O8 - Extra context menu item: QuickDefine - C:\Program Files\Common Files\Microsoft Shared\Reference Titles\eddefine.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: Dell Home - {8A518420-AF32-11D3-ABF7-50914FC10000} - http://www.dell.com/ (file missing) (HKCU)
O9 - Extra button: (no name) - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\PROGRAM FILES\EBATES_MOEMONEYMAKER\Sy350\Tp350\scri350a.htm (file missing) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {73114F20-C575-11D9-ABF8-00028A151027} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {73114F20-C575-11D9-ABF8-00028A151027} - (no file) (HKCU)
O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/138ae085263525...ip/RdxIE601.cab
O16 - DPF: Software -
O16 - DPF: {FF3F0F03-0F01-131A-A3F9-08F02B23E0CC} - http://66.117.37.13/gbn1742.exe
O16 - DPF: {261EE805-4893-45A3-8E9E-AD90914CB39A} (VacPro.internazionale_98_ver11) - http://www9.advnt01.com/dialer/internazionale_98_ver11.CAB
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1}

Hello neillyg and welcome to the BC malware forum. After reviewing your log I see a few items that require our attention. Please print these directions and then proceed with the following steps in order.

Step #1

Download CCleaner and install it but do not run it yet.

Step #2

Start in Safe Mode Using the F8 method:

• Restart the computer.
  
• As soon as the BIOS is loaded begin tapping the F8 key until the boot menu appears.
  
• Use the arrow keys to select the Safe Mode menu item.
  
• Press the Enter key.

Step #3

Start HijackThis and click the Scan button to perform a scan. Look for the following items and click in the checkbox in front of each item to select it:

R3 - URLSearchHook: (no name) - _{77FBF9B8-1D37-4FF2-9CED-192D8E3ABA6F} - (no file)
O2 - BHO: Shorty - {11A4CA8C-A8B9-49c2-A6D3-3F64C9EEBAE6} - C:\PROGRAM FILES\DNS\CATCHER.DLL
O2 - BHO: (no name) - {5B7D8940-F6A9-11D9-ABF8-40E54FC10000} - C:\PROGRAM FILES\LYCOS\IEAGENT\IEAGENT.dll
O3 - Toolbar: Maxifiles - {77FBF9B8-1D37-4FF2-9CED-192D8E3ABA6F} - (no file)
O4 - HKLM\..\Run: [R41_32I] C:\WINDOWS\SYSTEM\R41_32I.exe
O4 - HKLM\..\Run: [Cf2wY] C:\RCFWQQC.EXE
O4 - HKLM\..\Run: [hgfedcba] c:\windows\system\hgfedcba.exe /install
O4 - HKLM\..\Run: [ijgv] C:\WINDOWS\ijgv.exe
O4 - HKLM\..\Run: [dxvid] c:\windows\system\dxvid.exe /nocomm
O4 - HKLM\..\Run: [ybgpav] C:\WINDOWS\ybgpav.exe
O4 - HKLM\..\Run: [jgp] C:\WINDOWS\jgp.exe
O4 - HKCU\..\Run: [atiupdpl] C:\WINDOWS\SYSTEM\atiupdpl.exe
O4 - HKCU\..\Run: [DNS] C:\Program Files\Common Files\mc-58-12-0000093.exe
O4 - HKCU\..\Run: [SNInstall] C:\WINDOWS\SYSTEM\SEFE.EXE
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - HKCU\..\Run: [IKQU] C:\PROGRAM FILES\COMMON FILES\IKQU\IKQUM.EXE
O9 - Extra button: (no name) - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\PROGRAM FILES\EBATES_MOEMONEYMAKER\Sy350\Tp350\scri350a.htm (file missing) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {73114F20-C575-11D9-ABF8-00028A151027} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {73114F20-C575-11D9-ABF8-00028A151027} - (no file) (HKCU)
O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/138ae085263525...ip/RdxIE601.cab
O16 - DPF: Software -
O16 - DPF: {FF3F0F03-0F01-131A-A3F9-08F02B23E0CC} - http://66.117.37.13/gbn1742.exe
O16 - DPF: {261EE805-4893-45A3-8E9E-AD90914CB39A} (VacPro.internazionale_98_ver11) - http://www9.advnt01.com/dialer/internazionale_98_ver11.CAB
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1}

Now close ALL open windows except HijackThis and click the Fix Checked button to finish the repair.

Step #4

We need to make sure all hidden files are showing so please:

• Click Start.
  
• Open My Computer.
  
• Select the Tools menu and click Folder Options.
  
• Select the View tab.
  
• Under the Hidden files and folders heading select Show hidden files and folders.
  
• Uncheck the Hide file extensions for known types option.
  
• Uncheck the Hide protected operating system files (recommended) option.
  
• Click Yes to confirm.
  
• Click OK.

Find the following files/folders and delete them (don't worry if they are already gone):

C:\PROGRAM FILES\DNS\ <--folder
C:\PROGRAM FILES\LYCOS\ <--folder
C:\PROGRAM FILES\EBATES_MOEMONEYMAKER\ <--folder
C:\Program Files\Common Files\mc-58-12-0000093.exe
C:\PROGRAM FILES\COMMON FILES\IKQU\ <--folder
C:\WINDOWS\ijgv.exe
C:\WINDOWS\ybgpav.exe
C:\WINDOWS\jgp.exe
C:\WINDOWS\SYSTEM\atiupdpl.exe
c:\windows\system\hgfedcba.exe
C:\WINDOWS\SYSTEM\R41_32I.exe
c:\windows\system\dxvid.exe
C:\WINDOWS\SYSTEM\SEFE.EXE
C:\RCFWQQC.EXE
C:\winstall.exe

Step #5

Start CCleaner and click on the Run Cleaner button in the lower right-hand corner. When it is finished close CCleaner.

Step #6

Reboot normally and run at least 2 of the following on-line virus scans:

Bitdefender <<<Add a check by 'Autoclean'.
RAV <<<Add a check by 'Autoclean', leave everything else as is.
eTrust <<<'Cure' whatever is found, then delete if unsuccessful
Housecall <<<Put on 'Autoclean' and delete what it can't clean.
Panda ActiveScan <<<Accept default settings

If there are any files that cannot be automatically disinfected or quarantined then you will need to delete them manually.

Step #7

AdAware SE v1.06 (if you already have version 1.06 then just start at the step for updating and continue from there).

Download, install, update, configure and run a scan with Ad-aware SE v1.06:

• Download and Install AdAware SE Personal, keeping the default options. However, some of the settings will need to be changed before your first scan.
  
• Close ALL windows except Ad-Aware SE.
  
• Click on the‘world’ icon at the top right of the Ad-Aware SE window and let AdAware SE update the reference list for the adware and malware.
  
• Once the update is finished click on the ‘Gear’ icon (second from the left at the top of the window) to access the preferences/settings window:
  • In the ‘General’ window make sure the following are selected in green:
    • Under Safety:
      • Automatically save log-file
      
      
    • Automatically quarantine objects prior to removal
      
    • Safe Mode (always request confirmation)
    
    
  • Under Definitions:
    • Prompt to update outdated definitions - set the number of days
  
  
• Click on the ‘Scanning’ button on the left and select in green:
  • Under Driver, Folders & Files:
    • Scan Within Archives
    
    
  • Under Select drives & folders to scan:
    • choose all hard drives
    
    
  • Under Memory & Registry: all green
    • Scan Active Processes
      
    • Scan Registry
      
    • Deep Scan Registry
      
    • Scan my IE favorites for banned URL’s
      
    • Scan my Hosts file
  
  
• Click on the ‘Advanced’ button on the left and select in green:
  • Under Shell Integration:
    • Move deleted files to recycle bin
    
    
  • Under Logfile Detail Level: all green
    • include addtional object information
      
    • DESELECT - include negligible objects information
      
    • include environment information
    
    
  • Under Alternate Data Streams:
    • Don't log streams smaller than 0 bytes
      
    • Don't log ADS with the following names: CA_INOCULATEIT
  
  
• Click the ‘Tweak’ button and select in green:
  • Under ‘Scanning Engine’:
    • Unload recognized processes during scanning
      
    • Scan registry for all users instead of current user only
    
    
  • Under ‘Cleaning Engine’:
    • Let Windows remove files in use at next reboot
    
    
  • Under Log Files:
    • Include basic Ad-aware SE settings in logfile
      
    • Include additional Ad-aware SE settings in logfile
      
    • Please do not check: Include Module list in logfile
  
  
• Click on ‘Proceed’ to save the settings.
  
• Click ‘Start’
  
• Choose 'Perform Full System Scan'
  
• DESELECT "Search for negligible risk entries", as negligible risk entries (MRU's) are not considered to be a threat.
  
• Click ‘Next’ and Ad-Aware SE will scan your hard drive(s) with the options you have selected and clean automatically.
  
• If Ad-Aware SE finds bad entries, you will receive a list of what it found in the window
  
• Right-click on the list and choose Select All
  
• Click the Next button to finish removing the items that were found
  
• When finished, REBOOT to complete the removal of what Ad-Aware SE found

Step #8

OK. Reboot your computer normally, start HijackThis and perform a new scan. Use the Add Reply button to post your new log file back here along with details of any problems you encountered performing the above steps and I will review it when it comes in.

OT

hi OldTimer,

thanks for taking the time to help

versions of IE and windows might look a bit different on this log, before you replied I got the latest updates at windows update

followed all the steps ran panda and bitdefender but housecall kept causing IE to terminate

bitdefender could not delete C:/windows/system/icl.dll and nor could I, it also reported it could not delete c:/windows/explorer.exe which it says is infected with win.bube.gen

seem to have acquired something new, don't know how, I've been really careful to close the pop ups which are still appearing - se.dll which keeps reappearing in temp though various scanners delete it !

also still getting something running an installer program at startup and 3 installer pop ups when IE is started ?

cheers,

Neil

Logfile of HijackThis v1.99.1
Scan saved at 07:52:15, on 21/07/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
c:\windows\SYSTEM\KB891711\KB891711.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\MS HARDWARE\POINT32.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\IOMEGA\TOOLS\IMGICON.EXE
C:\PROGRAM FILES\IOMEGA\TOOLS\IOWATCH.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\DIGITAL IMAGING\BIN\HPOTDD01.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\DIGITAL IMAGING\BIN\HPOHMR08.EXE
C:\WINDOWS\SYSTEM\MSWHEEL.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALONEMESSAGECENTER.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\PROGRAM FILES\REAL\REALONE PLAYER\REALPLAY.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\SPYWARE\HJT\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://c:\windows\TEMP\se.dll/sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://c:\windows\TEMP\se.dll/sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {AFB459E5-F7D4-11D9-ABF8-20E7A45DA1B8} - C:\WINDOWS\SYSTEM\ICL.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [POINTER] C:\PROGRA~1\MSHARD~1\point32.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [sp] rundll32 C:\WINDOWS\TEMP\SE.DLL,DllInstall
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [KB891711] c:\windows\SYSTEM\KB891711\KB891711.EXE
O4 - Startup: Iomega Disk Icons.lnk = C:\Program Files\Iomega\Tools\IMGICON.EXE
O4 - Startup: Iomega Startup Options.lnk = C:\Program Files\Iomega\Tools\IMGSTART.EXE
O4 - Startup: Iomega Watch.lnk = C:\Program Files\Iomega\Tools\IOWATCH.EXE
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: Refresh.lnk = C:\Program Files\Iomega\Tools\REFRESH.EXE
O4 - Startup: hpoddt01.exe.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - Startup: hp instant support.lnk = C:\Program Files\Hewlett-Packard\hpis\bin\matcli.exe
O4 - Startup: hp psc 1000 series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
O8 - Extra context menu item: QuickTranslate - C:\Program Files\Common Files\Microsoft Shared\Reference Titles\edtrans.htm
O8 - Extra context menu item: QuickDefine - C:\Program Files\Common Files\Microsoft Shared\Reference Titles\eddefine.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Dell Home - {8A518420-AF32-11D3-ABF7-50914FC10000} - http://www.dell.com/ (file missing) (HKCU)
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefender.com/scan8/oscan8.cab
O18 - Filter: text/html - {6F901E40-F823-11D9-ABF8-A0F0144240E2} - C:\WINDOWS\SYSTEM\ICL.DLL
O18 - Filter: text/plain - {6F901E40-F823-11D9-ABF8-A0F0144240E2} - C:\WINDOWS\SYSTEM\ICL.DLL
O21 - SSODL: OLE Module - {0656A137-B161-CADD-9777-E37A75727E78} - (no file)

Hi neillyg. Yes you have picked up something new. To remove this one please do the following.

• Download Cwshredder.exe and save it to a folder of its own. Start the program and click on the Check for Update button. If an update is available then download and install it. Close the program (do not run it yet).
  
• Download SpSeHjfix.zip and unzip it to it's own folder. Do not run it yet.
  
• Download CleanUp! and install it. Start CleanUp! and click on the CleanUp! button. Let it run to completion. It may take a few minutes depending on the size of your hard drive so be patient.
  
• Start in Safe Mode Using the F8 method:
  • Restart the computer.
    
  • As soon as the BIOS is loaded begin tapping the F8 key until the boot menu appears.
    
  • Use the arrow keys to select the Safe Mode menu item.
    
  • Press the Enter key.
  
  
• Disconnect from the net and Close ALL OPEN PROGRAMS.
  
• Run SpSeHjfix and click on Start Disinfection.
  When it's finished it will reboot your machine to finish the cleaning process.
  The tool creates a log of the fix which will appear in the folder that SpSeHjfix is located in.
  
• Now run CWShredder and click on the Fix -> button.
  
• Reboot and repeat the above process starting with Step 4.

Reboot and post a fresh HijackThis log and the log that was created by SpSeHjfix.

Cheers.

OT

thanks OldTimer that does seem a lot cleaner now, how would I have picked up that second infection ?

the only thing that remains now is that Windows Installer dialog on boot up and again 3 times when IE starts, could I see somewhere in the registry what is trying to install ?

cheers,

Neil

Logfile of HijackThis v1.99.1
Scan saved at 09:07:32, on 22/07/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
c:\windows\SYSTEM\KB891711\KB891711.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\MS HARDWARE\POINT32.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\PROGRAM FILES\IOMEGA\TOOLS\IMGICON.EXE
C:\PROGRAM FILES\IOMEGA\TOOLS\IOWATCH.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\DIGITAL IMAGING\BIN\HPOTDD01.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\DIGITAL IMAGING\BIN\HPOHMR08.EXE
C:\WINDOWS\SYSTEM\MSWHEEL.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\SPYWARE\HJT\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [POINTER] C:\PROGRA~1\MSHARD~1\point32.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [KB891711] c:\windows\SYSTEM\KB891711\KB891711.EXE
O4 - Startup: Iomega Disk Icons.lnk = C:\Program Files\Iomega\Tools\IMGICON.EXE
O4 - Startup: Iomega Startup Options.lnk = C:\Program Files\Iomega\Tools\IMGSTART.EXE
O4 - Startup: Iomega Watch.lnk = C:\Program Files\Iomega\Tools\IOWATCH.EXE
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: Refresh.lnk = C:\Program Files\Iomega\Tools\REFRESH.EXE
O4 - Startup: hpoddt01.exe.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - Startup: hp instant support.lnk = C:\Program Files\Hewlett-Packard\hpis\bin\matcli.exe
O4 - Startup: hp psc 1000 series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
O8 - Extra context menu item: QuickTranslate - C:\Program Files\Common Files\Microsoft Shared\Reference Titles\edtrans.htm
O8 - Extra context menu item: QuickDefine - C:\Program Files\Common Files\Microsoft Shared\Reference Titles\eddefine.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Dell Home - {8A518420-AF32-11D3-ABF7-50914FC10000} - http://www.dell.com/ (file missing) (HKCU)
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefender.com/scan8/oscan8.cab
O21 - SSODL: OLE Module - {0656A137-B161-CADD-9777-E37A75727E78} - (no file)



(7/22/05 08:53:32) SPSeHjFix started v1.09
(7/22/05 08:53:32) OS: Win98SE A (4.10.67766446)
(7/22/05 08:53:32) Language: english
(7/22/05 08:53:42) Disinfect started
(7/22/05 08:53:42) Bad-Dll(IEP): se.dll
(7/22/05 08:53:42) Searchassistant Uninstaller found: regsvr32 /s /u C:\WINDOWS\SYSTEM\ICL.DLL
(7/22/05 08:53:42) Searchassistant Uninstaller - Keys Deleted
(7/22/05 08:53:42) UBF: 6
(7/22/05 08:53:42) UBB: 1
(7/22/05 08:53:42) FilterKey: HKCR\text/html (deleted)
(7/22/05 08:53:42) FilterKey: HKLM\SOFTWARE\Classes\text/html (error while deleting)
(7/22/05 08:53:42) FilterKey: HKCR\CLSID\{6F901E40-F823-11D9-ABF8-A0F0144240E2} (deleted)
(7/22/05 08:53:42) FilterKey: HKCR\text/plain (deleted)
(7/22/05 08:53:42) FilterKey: HKLM\SOFTWARE\Classes\text/plain (error while deleting)
(7/22/05 08:53:42) FilterKey: HKCR\CLSID\{6F901E40-F823-11D9-ABF8-A0F0144240E2} (error while deleting)
(7/22/05 08:53:42) BHO-Key: HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AFB459E5-F7D4-11D9-ABF8-20E7A45DA1B8} (deleted)
(7/22/05 08:53:42) BHO-Key: HKCR\CLSID\{AFB459E5-F7D4-11D9-ABF8-20E7A45DA1B8} (deleted)
(7/22/05 08:53:42) UBR: 11
(7/22/05 08:53:42) Run-Key: HKLM\Software\Microsoft\Windows\CurrentVersion\Run\sp=rundll32 C:\WINDOWS\TEMP\SE.DLL,DllInstall (deleted)
(7/22/05 08:53:42) Bad IE-pages:
deleted: HKCU\Software\Microsoft\Internet Explorer\Main, Search Bar: res://c:\windows\TEMP\se.dll/sp.html
deleted: HKCU\Software\Microsoft\Internet Explorer\Main, Search Page: about:blank
deleted: HKCU\Software\Microsoft\Internet Explorer\Main, Start Page: about:blank
deleted: HKCU\Software\Microsoft\Internet Explorer\Main, HomeOldSP: about:blank
deleted: HKCU\Software\Microsoft\Internet Explorer\Search, SearchAssistant: about:blank
deleted: HKLM\Software\Microsoft\Internet Explorer\Main, Search Bar: res://c:\windows\TEMP\se.dll/sp.html
deleted: HKLM\Software\Microsoft\Internet Explorer\Main, Search Page: about:blank
deleted: HKLM\Software\Microsoft\Internet Explorer\Main, Start Page: about:blank
deleted: HKLM\Software\Microsoft\Internet Explorer\Main, HomeOldSP: about:blank
deleted: HKLM\Software\Microsoft\Internet Explorer\Search, SearchAssistant: about:blank
(7/22/05 08:53:42) Stealth-String found: C:\WINDOWS\SYSTEM\OEMINGO.INI
(7/22/05 08:53:42) File added to delete: c:\windows\system\icl.dll
(7/22/05 08:53:42) File added to delete: c:\windows\system\icl.dll
(7/22/05 08:53:42) File added to delete: c:\windows\temp\se.dll
(7/22/05 08:53:42) File added to delete: c:\windows\system\oemingo.ini
(7/22/05 08:53:42) Reboot
(7/22/05 08:55:01) SPSeHjFix 2nd Step
(7/22/05 08:55:02) RunServicesOnce-Key: (edited)
(7/22/05 08:55:08) Cleaned


(7/22/05 09:02:40) SPSeHjFix started v1.09
(7/22/05 09:02:41) OS: Win98SE A (4.10.67766446)
(7/22/05 09:02:41) Language: english
(7/22/05 09:02:43) Disinfect started
(7/22/05 09:02:43) Bad-Dll(IEP): (not found)
(7/22/05 09:02:43) Bad-Dll(IEP) in BHO: (not found)
(7/22/05 09:02:43) UBF: 4
(7/22/05 09:02:43) UBB: 0
(7/22/05 09:02:43) UBR: 10
(7/22/05 09:02:43) Bad IE-pages:
(7/22/05 09:02:43) Stealth-String not found:
(7/22/05 09:02:43) Not infected->END

Hi neillyg. That looks better. Let's clean up the leftover keys.

Start HijackThis and click the Scan button to perform a scan. Look for the following items and click in the checkbox in front of each item to select it:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
O21 - SSODL: OLE Module - {0656A137-B161-CADD-9777-E37A75727E78} - (no file)

Now close ALL open windows except HijackThis and click the Fix Checked button to finish the repair.

Next, I see no anti-virus program running onthis computer. Choose one of the following free programs and download it, install it, update it and run a full system scan:

• AVG Anti-Virus
  
• Avast Home Edition
  
• BitDefender Free Edition v7

OK. Reboot your computer normally, start HijackThis and perform a new scan. Use the Add Reply button to post your new log file back here along with details of any problems you encountered performing the above steps and I will review it when it comes in.

OT

Hi OldTimer,

deleted those keys and installed and ran Norton Anti Virus, all now looks clean

also uninstalled a couple of things (HP software) and those installs on startup and ie startup appear to have gone !

thanks again for your help, you guys are stars

here's that log

Logfile of HijackThis v1.99.1
Scan saved at 22:33:56, on 28/07/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
c:\windows\SYSTEM\KB891711\KB891711.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCSETMGR.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\IWP\NPFMNTOR.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\PROGRAM FILES\MS HARDWARE\POINT32.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCPD-LC\SYMLCSVC.EXE
C:\WINDOWS\SYSTEM\MSWHEEL.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
C:\PROGRAM FILES\IOMEGA\TOOLS\IMGICON.EXE
C:\PROGRAM FILES\IOMEGA\TOOLS\IOWATCH.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\SNDSRVC.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\SPYWARE\HJT\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [POINTER] C:\PROGRA~1\MSHARD~1\point32.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [Symantec Core LC] C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe start
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMON.EXE /Consumer
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [KB891711] c:\windows\SYSTEM\KB891711\KB891711.EXE
O4 - HKLM\..\RunServices: [ccEvtMgr] "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
O4 - HKLM\..\RunServices: [ccSetMgr] "C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe"
O4 - HKLM\..\RunServices: [NPFMonitor] C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - Startup: Iomega Disk Icons.lnk = C:\Program Files\Iomega\Tools\IMGICON.EXE
O4 - Startup: Iomega Startup Options.lnk = C:\Program Files\Iomega\Tools\IMGSTART.EXE
O4 - Startup: Iomega Watch.lnk = C:\Program Files\Iomega\Tools\IOWATCH.EXE
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: Refresh.lnk = C:\Program Files\Iomega\Tools\REFRESH.EXE
O8 - Extra context menu item: QuickTranslate - C:\Program Files\Common Files\Microsoft Shared\Reference Titles\edtrans.htm
O8 - Extra context menu item: QuickDefine - C:\Program Files\Common Files\Microsoft Shared\Reference Titles\eddefine.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Dell Home - {8A518420-AF32-11D3-ABF7-50914FC10000} - http://www.dell.com/ (file missing) (HKCU)
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefender.com/scan8/oscan8.cab

Hi neillyg. Yup, that is a clean log. Good job! how are things running? Any other problems?

We have a couple of last steps to perform and then you're all set.

First, let's reset your hidden/system files and folders. System files are hidden for a reason and we don't want to have them openly available and susceptible to accidental deletion.

• Open My Computer.
  
• Select the View menu and click Folder Options.
  
• Select the View tab.
  
• In the Hidden files section unselect Show all files.
  
• Click OK.

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programs:

• SpywareBlaster to help prevent spyware from installing in the first place.
  
• SpywareGuard to catch and block spyware before it can execute.
  
• IESpy-Ad to block access to malicious websites so you cannot be redirected to them from an infected site or email.

You should also have a good firewall. Here are 3 free ones available for personal use:

• Sygate Personal Firewall
  
• Kerio Personal Firewall
  
• ZoneAlarm

and a good antivirus application like the one you are currently using. It is critical to have both a firewall and antivirus to protect your system and to keep them updated.

To keep your operating system up to date visit

• Microsoft Windows Update

monthly. And to keep your system clean run these free malware scanners

• AdAware SE Personal
  
  
• Spybot Search & Destroy

weekly, and be aware of what emails you open and websites you visit.

To learn more about how to protect yourself while on the internet read this article by Tony Klien: So how did I get infected in the first place?

Have a safe and happy computing day!

OT