Hijackthis Log, Please Help!


  • Please log in to reply
16 replies to this topic

#1 krissy203


Posted 08 May 2006 - 11:57 AM

Hello everyone,
Here is the log. I had problems with AlfaCleaner and hypotheches.com (as I understand this problem) for the past 3 weeks. I ran Ad-Aware SE, SpyBot and smitRem according to the instructions here. I also ran an AVG scan; it identified wininet.dll and oleext.dll as infected, and I selected them to be deleted on reboot. I can now only reboot in safe mode. The computer shuts down if I start to boot it in normal mode (I am using a PC at work now). I would really appreciate any feedback or help. Thank you so much.
krissy


Logfile of HijackThis v1.99.1
Scan saved at 7:26:32 PM, on 5/6/06
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v5.00 (5.00.2614.3500)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://home.netscape.com/
F1 - win.ini: load=C:\Netscape\Comm\Program\dtect16.exe
F1 - win.ini: run=hpfsched
N1 - Netscape 4: user_pref("browser.startup.homepage", "http://www.cnn.com"); (C:\Program Files\Netscape\Users\kd243\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {196B9CB5-4C83-46F7-9B06-9672ECD9D99B} - C:\WINDOWS\SYSTEM\winbrume.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [EM_EXEC] c:\mouse\system\em_exec.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [OmniPage] C:\Program Files\Caere\OmniPagePro90\opware32.exe
O4 - HKLM\..\Run: [internat.exe] internat.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [THGuard] "C:\PROGRAM FILES\TROJANHUNTER 4.5\THGUARD.EXE"
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [termcaps] C:\WINDOWS\SYSTEM\termcaps.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] c:\windows\SYSTEM\mstask.exe
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - HKCU\..\Run: [HELPEXP.EXE] C:\Program Files\Alset\HelpExpress\Default\Client\HelpExp.exe
O4 - Startup: QuickShelf 2000.lnk = C:\Program Files\Microsoft Reference\Bookshelf 2000\qshelf2k.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: PageKeeper Lite Jobs.lnk = C:\Program Files\Caere\PageKeepLite30\system\PKJobs.exe
O12 - Plugin for .SWF: C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\PLUGINS\NPSWF32.dll
O12 - Plugin for .org/bin/bladerunner?REQUNIQ=1039230954&REQSESS=334450&118200REQEVENT=&REQINT1=29668&REQAUTH=0: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
O12 - Plugin for .avi: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O12 - Plugin for .wav: C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\PLUGINS\npaudio.dll
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = rutgers.edu
O17 - HKLM\System\CCS\Services\VxD\MSTCP: SearchList = rutgers.edu
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 128.6.224.114,128.6.216.19

Edited by krissy203, 08 May 2006 - 11:58 AM.



#2 krissy203


Posted 12 May 2006 - 01:18 PM

Hi again,

I wanted to say that the wininet.dll file that I deleted was in the /system/ folder, not the /system32/ folder.
I am planning to copy a new copy of wininet.dll using a floppy disk. Can I install that new wininet into the /system/ folder, even though it seems that most computers have it under /system32/?

I know that you guys are really busy....I hope I did not ruin my computer!

Thank you again in advance!

#3 krissy203


Posted 15 May 2006 - 11:47 AM

Hi,
Well, I added a new wininet.dll file to the /system/ folder, but this did not seem to solve the problem.
Currently, when I boot in safe mode, there still seems to be a desktop problem: "Application failed to initialize. Cannot find ibm00003.exe or one of its components".

I came up with 2 conclusions:
1. This probably means that the virus attached itself to some configuration that is being used, even in safe mode. I am on the border of being computer illiterate, and I don't know which configuration is good or bad, and even where they are located.

2. I still cannot boot in Normal mode. This means that I probably deleted something in the initial "delete on reboot" HijackThis run, but it has nothing to do with the wininet.dll file. Otherwise, since I put a new one in the /system/ folder, it should have booted up properly.

What should I do?
I am really desperate! Please help, anyone!!!!


This is the newest logfile:

Logfile of HijackThis v1.99.1
Scan saved at 6:09:44 PM, on 5/14/06
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v5.00 (5.00.2614.3500)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\EXPLORER.EXE
C:\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://home.netscape.com/
F1 - win.ini: load=C:\Netscape\Comm\Program\dtect16.exe
F1 - win.ini: run=hpfsched
N1 - Netscape 4: user_pref("browser.startup.homepage", "http://www.cnn.com"); (C:\Program Files\Netscape\Users\kd243\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {196B9CB5-4C83-46F7-9B06-9672ECD9D99B} - C:\WINDOWS\SYSTEM\winbrume.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [EM_EXEC] c:\mouse\system\em_exec.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [OmniPage] C:\Program Files\Caere\OmniPagePro90\opware32.exe
O4 - HKLM\..\Run: [internat.exe] internat.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [THGuard] "C:\PROGRAM FILES\TROJANHUNTER 4.5\THGUARD.EXE"
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [termcaps] C:\WINDOWS\SYSTEM\termcaps.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] c:\windows\SYSTEM\mstask.exe
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - HKCU\..\Run: [HELPEXP.EXE] C:\Program Files\Alset\HelpExpress\Default\Client\HelpExp.exe
O4 - Startup: QuickShelf 2000.lnk = C:\Program Files\Microsoft Reference\Bookshelf 2000\qshelf2k.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: PageKeeper Lite Jobs.lnk = C:\Program Files\Caere\PageKeepLite30\system\PKJobs.exe
O12 - Plugin for .SWF: C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\PLUGINS\NPSWF32.dll
O12 - Plugin for .org/bin/bladerunner?REQUNIQ=1039230954&REQSESS=334450&118200REQEVENT=&REQINT1=29668&REQAUTH=0: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
O12 - Plugin for .avi: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O12 - Plugin for .wav: C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\PLUGINS\npaudio.dll
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = rutgers.edu
O17 - HKLM\System\CCS\Services\VxD\MSTCP: SearchList = rutgers.edu
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 128.6.224.114,128.6.216.19

#4 OldTimer


Posted 15 May 2006 - 05:31 PM

Hello krissy203 and welcome to the BC HijackThis forum. After reviewing your log I see a few items that require our attention. Please print these directions and then proceed with the following steps in order.

Step #1

Download CCleaner and install it but do not run it yet.

Step #2

Start in Safe Mode Using the F8 method:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until the boot menu appears.
  • Use the arrow keys to select the Safe Mode menu item.
  • Press the Enter key.
Step #3

Start HijackThis and click the Scan button to perform a scan. Look for the following items and click in the checkbox in front of each item to select it:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
O2 - BHO: (no name) - {196B9CB5-4C83-46F7-9B06-9672ECD9D99B} - C:\WINDOWS\SYSTEM\winbrume.dll
O4 - HKLM\..\Run: [termcaps] C:\WINDOWS\SYSTEM\termcaps.exe
O4 - HKCU\..\Run: [HELPEXP.EXE] C:\Program Files\Alset\HelpExpress\Default\Client\HelpExp.exe

Now close ALL open windows except HijackThis and click the Fix Checked button to finish the repair.

Step #4

We need to make sure all hidden files are showing so please:
  • Open My Computer.
  • Select the View menu and click Folder Options.
  • Select the View tab.
  • In the Hidden files section select Show all files.
  • Click OK.
Find the following files/folders and delete them (don't worry if they are already gone):

C:\WINDOWS\SYSTEM\winbrume.dll
C:\WINDOWS\SYSTEM\termcaps.exe
C:\Program Files\Alset\ <--folder

Step #5

Start CCleaner and click on the Run Cleaner button in the lower right-hand corner. When it is finished close CCleaner.

Step #6

Reboot normally (if you can) and run at least 2 of the following on-line virus scans:

Bitdefender <<<Add a check by 'Autoclean'.
eTrust <<<'Cure' whatever is found, then delete if unsuccessful
Housecall <<<Put on 'Autoclean' and delete what it can't clean.
Panda ActiveScan <<<Accept default settings
If there are any files that cannot be automatically disinfected or quarantined then you will need to delete them manually.

Step #7

If you do not already have Ad-Aware SE 1.06 then follow these download and setup instructions: Ad-Aware SE Setup. Otherwise, just check for updates.

Start Ad-aware SE, click the Start button and choose Perform Full System Scan. Click the Next button and wait for the scan to complete. If anything was found, right-click on the list and choose Select All and remove all it finds.

Step #8

OK. Reboot your computer normally, start HijackThis and perform a new scan. Use the Add Reply button to post your new log file back here along with details of any problems you encountered performing the above steps and I will review it when it comes in.

OT
I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer
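The review loop in this thread is: post a log, get a list of entries to fix, fix them, post a fresh log, and have the helper confirm that those entries are gone and nothing else changed. As an added example (not code from this thread, from BleepingComputer or from HijackThis itself), the Python script below parses HijackThis logs into their section entries, diffs two scans and checks a fix list against the newer scan. The log excerpts and the fix list are constructed from the logs and instructions posted in this thread; the line format it assumes is the one visible in those logs (a section code such as `R0`, `O2` or `O4`, then ` - `, then the entry).

```python
"""Parse HijackThis logs, diff two scans and confirm that exactly the entries a
helper asked to be fixed are gone.  Added example, not code from this thread or
from HijackThis itself; the log excerpts are constructed from the logs above."""
import re
from typing import List, NamedTuple, Tuple

# Every HijackThis finding starts with a section code (R0, R1, F1, N1, O2, O4,
# O12, O17, ...) followed by " - " and the entry body.  The header lines and the
# "Running processes" block do not match this shape and are skipped.
ENTRY_RE = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.+)$")


class Entry(NamedTuple):
    code: str
    body: str

    def line(self) -> str:
        return f"{self.code} - {self.body}"


def parse_hjt(text: str) -> List[Entry]:
    """Return the section entries of a HijackThis log, in log order."""
    entries: List[Entry] = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            entries.append(Entry(m.group("code"), m.group("body")))
    return entries


def diff_logs(old: str, new: str) -> Tuple[List[Entry], List[Entry]]:
    """(removed, added): entries only in the old scan, and entries only in the new."""
    before, after = set(parse_hjt(old)), set(parse_hjt(new))
    return sorted(before - after), sorted(after - before)


def still_present(log: str, fix_list: List[str]) -> List[str]:
    """Fix-list lines that still appear in the given log."""
    lines = {e.line() for e in parse_hjt(log)}
    return [ln.strip() for ln in fix_list if ln.strip() in lines]


def unexpected_removals(old: str, new: str, fix_list: List[str]) -> List[Entry]:
    """Entries that vanished between scans without being on the fix list."""
    wanted = {ln.strip() for ln in fix_list}
    removed, _ = diff_logs(old, new)
    return [e for e in removed if e.line() not in wanted]


# Constructed excerpt of the log posted before the fix (post #3 above).
OLD_LOG = r"""
Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\EXPLORER.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://home.netscape.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {196B9CB5-4C83-46F7-9B06-9672ECD9D99B} - C:\WINDOWS\SYSTEM\winbrume.dll
O4 - HKLM\..\Run: [termcaps] C:\WINDOWS\SYSTEM\termcaps.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKCU\..\Run: [HELPEXP.EXE] C:\Program Files\Alset\HelpExpress\Default\Client\HelpExp.exe
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 128.6.224.114,128.6.216.19
"""

# Constructed excerpt of the log posted after the fix (post #5 above).
NEW_LOG = r"""
Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\EXPLORER.EXE

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://home.netscape.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 128.6.224.114,128.6.216.19
"""

# The six lines the helper asked to have fixed in Step #3.
FIX_LIST = [
    r"R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank",
    r"R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank",
    r"R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank",
    r"O2 - BHO: (no name) - {196B9CB5-4C83-46F7-9B06-9672ECD9D99B} - C:\WINDOWS\SYSTEM\winbrume.dll",
    r"O4 - HKLM\..\Run: [termcaps] C:\WINDOWS\SYSTEM\termcaps.exe",
    r"O4 - HKCU\..\Run: [HELPEXP.EXE] C:\Program Files\Alset\HelpExpress\Default\Client\HelpExp.exe",
]

if __name__ == "__main__":
    removed, added = diff_logs(OLD_LOG, NEW_LOG)
    print("Removed since last scan:")
    for e in removed:
        print("  " + e.line())
    print("Added since last scan:", [e.line() for e in added])
    print("Fix-list items still present:", still_present(NEW_LOG, FIX_LIST))
    print("Removed but not on the fix list:",
          [e.line() for e in unexpected_removals(OLD_LOG, NEW_LOG, FIX_LIST)])
```

Three checks matter when reading the reposted log: the fix list must be empty in the new scan, nothing new should have appeared (a fresh `O4` or `O2` entry means the infection re-established itself on reboot), and nothing should have vanished that was not on the list, which would point at the user having removed more than intended, as happened with wininet.dll earlier in this thread. Comparing whole entry lines keeps the diff exact; the CLSID and path are part of the key, so a BHO that changed its file name but kept its CLSID shows up as one removal and one addition rather than disappearing.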


#5 krissy203


Posted 17 May 2006 - 08:53 AM

Dear Old Timer, thank you so much for your help!
Before I proceeded with the instructions, I had to delete the wininet.dll file I copied because the remaining "ibm00003.exe" program was interfering even in safe mode. It was giving errors - "Explorer performed an illegal operation and ....will be closed". I was then back in the "safe mode" window where I had to click OK.

I installed the CCleaner, and ran it. When I chose "delete" option, it gave me an error
"Error in file
C:\Program Files\CCleaner\winsys.ini
line: SpecialKey1=N_INT_TEMP
48- File not found: wininet"

I then chose the "analyze" option and deleted the files it found manually.

The next step was to reboot in normal mode.
I monitored what happens on the screen during the reboot, and here is a rough approximation:
<
NAVDX
Master Boot
...
<
Please wait while...

<WINDOW 98 SCREEN

And then it shut down.

I wonder if this is a result of some configuration that I inadvertently deleted or adjusted when I first ran HijackThis and selected the "delete on reboot" option. However, I tried to be very careful and selected files with the datestamp of the initial desktop problem. (I did get a new "log into windows" prompt that I did not have before, but I just ignored it and made a password).

(When I boot in safe mode, the "ibm00003.exe" error message comes up again (after the CCleaner)).

Thank you for all of your time. Please let me know if I should do something next.
Here is the latest log:



Logfile of HijackThis v1.99.1
Scan saved at 8:11:22 PM, on 5/16/06
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v5.00 (5.00.2614.3500)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://home.netscape.com/
F1 - win.ini: load=C:\Netscape\Comm\Program\dtect16.exe
F1 - win.ini: run=hpfsched
N1 - Netscape 4: user_pref("browser.startup.homepage", "http://www.cnn.com"); (C:\Program Files\Netscape\Users\kd243\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [EM_EXEC] c:\mouse\system\em_exec.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [OmniPage] C:\Program Files\Caere\OmniPagePro90\opware32.exe
O4 - HKLM\..\Run: [internat.exe] internat.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [THGuard] "C:\PROGRAM FILES\TROJANHUNTER 4.5\THGUARD.EXE"
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] c:\windows\SYSTEM\mstask.exe
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - Startup: QuickShelf 2000.lnk = C:\Program Files\Microsoft Reference\Bookshelf 2000\qshelf2k.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: PageKeeper Lite Jobs.lnk = C:\Program Files\Caere\PageKeepLite30\system\PKJobs.exe
O12 - Plugin for .SWF: C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\PLUGINS\NPSWF32.dll
O12 - Plugin for .org/bin/bladerunner?REQUNIQ=1039230954&REQSESS=334450&118200REQEVENT=&REQINT1=29668&REQAUTH=0: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
O12 - Plugin for .avi: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O12 - Plugin for .wav: C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\PLUGINS\npaudio.dll
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = rutgers.edu
O17 - HKLM\System\CCS\Services\VxD\MSTCP: SearchList = rutgers.edu
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 128.6.224.114,128.6.216.19

Edited by krissy203, 17 May 2006 - 11:26 AM.


#6 OldTimer


Posted 21 May 2006 - 02:32 PM

Hi krissy203. The HijackThis log does not show any more issues so I think we are good there. Since you are running Windows 98 let's check the system files with a tool that is part of 98.

Go to this link:

http://www.techadvice.com/w98/S/SFC.htm

and follow the directions for running SFC (System File Checker). It will scan the system, report any missing/corrupted files and allow you to replace them.

Let me know how it turns out.

Cheers.

OT

#7 krissy203


Posted 22 May 2006 - 07:17 AM

Hi,

I don't have to be connected to the internet to do this, right? I'll try it tonight. Thank you so much.
krissy

Edited by krissy203, 22 May 2006 - 07:25 AM.


#8 OldTimer


Posted 23 May 2006 - 07:14 PM

Hi krissy203. No, you do not have to be connected to the internet.

Cheers.

OT

#9 krissy203


Posted 25 May 2006 - 09:13 AM

Hi Old Timer,
I ran SFC, and it identified 3 files as "deleted": wininet.dll (from c:\Windows\system), pcdlib32.dll (from c:\Windows) and QTUNinst.dll (from c:\Windows\system). I was able to extract wininet.dll from the cab file using SFC's instructions. I was not able to extract the other 2 files (SFC said they are missing).
I also tried to extract the files according to the microsoft.com "Q129605" article, using the Windows 98 boot-up disk and the Resource CD, but it did not work.
However, when I later used the "Find" function, the computer found these 2 files in the folders where they should be.
Should I assume that these files are not critical and that they are in fact present, but for some reason SFC thinks they are deleted?

Also, I got rid of the "ibm00003.exe" error by following instructions on this website: http://www.dslreports.com/forum/remark,16049196
I used the sysedit function and the error is gone!

So, the current situation is that I can still turn the computer on only in safe mode. I cannot access the internet.

Here is the start-up log from HijackThis. I also ran the sysedit program and I put its output after the start-up log. I labelled the different sections. (I also have a new HijackThis log, but it looks like it's the same.)

I feel that I am very close to solving this problem. Please, if you have any idea why the computer shuts down (it could be a simple thing, probably), I am willing to try it.
Thank you so much!




StartupList report, 5/24/06, 9:51:42 PM
StartupList version: 1.52.2
Started from : C:\HIJACKTHIS\HIJACKTHIS.EXE
Detected: Windows 98 SE (Win9x 4.10.2222A)
Detected: Internet Explorer v5.00 (5.00.2614.3500)
* Using default options
==================================================

Running processes:

C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\HIJACKTHIS\HIJACKTHIS.EXE

--------------------------------------------------

Listing of startup folders:

Shell folders Startup:
[C:\WINDOWS\Start Menu\Programs\StartUp]
QuickShelf 2000.lnk = C:\Program Files\Microsoft Reference\Bookshelf 2000\qshelf2k.exe
Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
PageKeeper Lite Jobs.lnk = C:\Program Files\Caere\PageKeepLite30\system\PKJobs.exe

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

ScanRegistry = c:\windows\scanregw.exe /autorun
TaskMonitor = c:\windows\taskmon.exe
SystemTray = SysTray.Exe
EM_EXEC = c:\mouse\system\em_exec.exe
LoadPowerProfile = Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
Norton Auto-Protect = C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET
StillImageMonitor = C:\WINDOWS\SYSTEM\STIMON.EXE
OmniPage = C:\Program Files\Caere\OmniPagePro90\opware32.exe
internat.exe = internat.exe
RealTray = C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
THGuard = "C:\PROGRAM FILES\TROJANHUNTER 4.5\THGUARD.EXE"
Zone Labs Client = C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
AVG7_CC = C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
AVG7_EMC = C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
AVG7_AMSVR = C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

LoadPowerProfile = Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
SchedulingAgent = c:\windows\SYSTEM\mstask.exe
TrueVector = C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service

--------------------------------------------------

File association entry for .TXT:
HKEY_CLASSES_ROOT\txtfile\shell\open\command

(Default) = c:\windows\NOTEPAD.EXE %1

--------------------------------------------------

Load/Run keys from C:\WINDOWS\WIN.INI:

load=C:\Netscape\Comm\Program\dtect16.exe
run=hpfsched

--------------------------------------------------

C:\WINDOWS\WININIT.INI listing:
(Created 24/5/2006, 21:46:30)

[Rename]
NUL=C:\WINDOWS\TEMPOR~1\CONTENT.IE5\INDEX.DAT
NUL=C:\WINDOWS\COOKIES\INDEX.DAT

--------------------------------------------------

C:\AUTOEXEC.BAT listing:

C:\PROGRA~1\GRISOFT\AVGFRE~1\BOOTUP.EXE
C:\PROGRA~1\NORTON~1\NAVDX.EXE /Startup
SET BLASTER=A220 I7 D1 T2
SET SNDSCAPE=C:\WINDOWS
SET CLASSPATH=C:\PROGRA~1\PHOTOD~1.0\ADOBEC~1
SET PATH="%PATH%;c:\matlabr12\bin\win32"
Set tvdumpflags=8

--------------------------------------------------


Enumerating Browser Helper Objects:

(no name) - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
(no name) - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll - {53707962-6F74-2D53-2644-206D7942484F}

--------------------------------------------------

Enumerating Task Scheduler jobs:

Tune-up Application Start.job
Scan for Viruses.job

--------------------------------------------------

Enumerating Download Program Files:

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\SYSTEM\MACROMED\FLASH\FLASH.OCX
CODEBASE = http://download.macromedia.com/pub/shockwa...ash/swflash.cab

[Update Class]
InProcServer32 = C:\WINDOWS\SYSTEM\IUCTL.DLL
CODEBASE = http://v4.windowsupdate.microsoft.com/CAB/...8177.6281018518

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

WebCheck: C:\WINDOWS\SYSTEM\WEBCHECK.DLL

--------------------------------------------------
End of report, 4,991 bytes
Report generated in 0.080 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only



Here is the sysedit log



C:\WINDOWS\SYSTEM.INI

[boot]
oemfonts.fon=vgaoem.fon
shell=explorer.exe
system.drv=atmsys.drv
drivers=mmsystem.dll power.drv
user.exe=user.exe
gdi.exe=gdi.exe
sound.drv=mmsound.drv
dibeng.drv=dibeng.dll
comm.drv=comm.drv
mouse.drv=lmouse.drv
keyboard.drv=keyboard.drv
*DisplayFallback=0
fonts.fon=vgasys.fon
fixedfon.fon=vgafix.fon
386Grabber=vgafull.3gr
display.drv=pnpdrvr.drv
atm.system.drv=system.drv
SCRNSAVE.EXE=C:\WINDOWS\SYSTEM\PHOTOR~1.SCR

[keyboard]
keyboard.dll=
oemansi.bin=
subtype=
type=4

[boot.description]
system.drv=Standard PC
keyboard.typ=Standard 101/102-Key or Microsoft Natural Keyboard
aspect=100,96,96
display.drv=Intel® 810e Chipset Graphics Driver (DC133 FSB133) 4.11.01.1361
mouse.drv=Logitech

[386Enh]
device=rt32vox.vxd
ebios=*ebios
woafont=dosapp.fon
mouse=*vmouse
device=*dynapage
device=*vcd
device=*vpd
device=*int13
device=*enable
keyboard=*vkd
display=*vdd,*vflatd
Paging=on

[drivers32]
MSACM.L3ACM=C:\WINDOWS\SYSTEM\L3CODECA.ACM
msacm.lhacm=lhacm.acm
VIDC.VDOM=vdowave.drv
MSACM.imaadpcm=imaadp32.acm
MSACM.msadpcm=msadp32.acm
MSACM.msgsm610=msgsm32.acm
msacm.msg711=msg711.acm
MSACM.trspch=tssoft32.acm
vidc.CVID=iccvid.dll
VIDC.IV31=ir32_32.dll
VIDC.IV32=ir32_32.dll
vidc.MSVC=msvidc32.dll
VIDC.MRLE=msrle32.dll
msacm.msg723=msg723.acm
vidc.M263=msh263.drv
vidc.M261=msh261.drv
VIDC.IV50=ir50_32.dll
msacm.iac2=C:\WINDOWS\SYSTEM\IAC25_32.AX
msacm.msaudio1=msaud32.acm

[NonWindowsApp]
TTInitialSizes=4 5 6 7 8 9 10 11 12 13 14 15 16 18 20 22

[power.drv]

[drivers]
MSACM.NSPAC=NSPAC.DLL
MSACM.NSX83=nsx83p16.acm
MSACM.NSMLAW=NSMLAW.DLL
MSACM.VOXACM=VDK16116.ACM
wavemapper=*.drv
MSACM.imaadpcm=*.acm
MSACM.msadpcm=*.acm
wave=mmsystem.dll
midi=mmsystem.dll

[iccvid.drv]

[mciseq.drv]

[mci]
LiveAudioFile=MCILMA.DLL
LiveAudioMetafile=mcilau.dll
cdaudio=mcicda.drv
sequencer=mciseq.drv
waveaudio=mciwave.drv
avivideo=mciavi.drv
videodisc=mcipionr.drv
vcr=mcivisca.drv
MPEGVideo=mciqtz.drv
QTWVideo=C:\WINDOWS\SYSTEM\MCIQTW.DRV

[vcache]

[Password Lists]
DEFAULT=C:\WINDOWS\DEFAULT.PWL
KRISTINA=C:\WINDOWS\KRISTINA.PWL

[nwnp32]

[MSNP32]

[TTFontDimenCache]
0 4=2 4
0 5=3 5
0 6=4 6
0 7=4 7
0 8=5 8
0 9=5 9
0 10=6 10
0 11=7 11
0 12=7 12
0 13=8 13
0 14=8 14
0 15=9 15
0 16=10 16
0 18=11 18
0 20=12 20
0 22=13 22


C:\CONFIG.SYS


DEVICE=C:\WINDOWS\HIMEM.SYS
DEVICE=C:\WINDOWS\EMM386.EXE
REM [Header]



REM [CD-ROM Drive]
REM DEVICE=C:\CDROM\SSCDROM.SYS /D:MSCD001 /PIO

REM [Miscellaneous]

REM [Display]

DEVICE=c:\windows\setver.exe




C:\WINDOWS\PROTOCOL.INI



[ndishlp$]
DriverName=ndishlp$
Bindings=

[protman$]
DriverName=protman$

[data]
version=v4.10.2222
netcards=

[nwlink$]
DriverName=nwlink$
Frame_Type=4
cachesize=0




C:\WINDOWS\WIN.INI




[windows]
load=C:\Netscape\Comm\Program\dtect16.exe
run=hpfsched
NullPort=None
device=Acrobat PDFWriter,PDFWRITR,LPT1:

[Desktop]
Wallpaper=C:\WINDOWS\PHOTOD~1.BMP
TileWallpaper=1
WallpaperStyle=0
Pattern=(None)

[intl]
slanguage=enu
iCountry=1
ICurrDigits=2
iCurrency=0
iDate=0
iDigits=2
iLZero=1
iMeasure=1
iNegCurr=0
iTime=0
iTLZero=0
s1159=AM
s2359=PM
sCountry=United States
sCurrency=$
sDate=/
sDecimal=.
sList=,
sLongDate=dddd, MMMM dd, yyyy
sShortDate=M/d/yy
sThousand=,
sTime=:

[Fonts]

[FontSubstitutes]
Helv=MS Sans Serif
Tms Rmn=MS Serif
Times=Times New Roman
Helvetica=Arial
MS Shell Dlg=MS Sans Serif
Arial Cyr,204=Arial,204
Courier New Cyr,204=Courier New,204
Times New Roman Cyr,204=Times New Roman,204
MT Symbol=Symbol

[Compatibility]
_3DPC=0x00400000
_BNOTES=0x224000
_LNOTES=0x00100000
ACAD=0x8000
ACT!=0x400004
ACROBAT=0x04000000
AD=0x10000000
ADW30=0x10000000
ALARMMGR=0x0040000
ALDSETUP=0x00400000
AMIPRINT=0x04000000
AMIPRO=0x04000010
APORIA=0x0100
APPROACH=0x0004
BALER=0x08000000
BMAPP=0x0004
CASMONEY=0x00200000
CAVOIDE=0x00200000
CCMAIL=0x00200000
CCMCWFY=0x80
CHARISMA=0x2000
CONFIG=0x00400000
CORELDRW=0x48000
CORELPNT=0x08000000
COSTAR=0x0004
CP=0x0040
CROSSTIE=0x00000400
DARCH=0x80
DESIGNER=0x00002000
DIRECTOR=0x00800000
DPLANNER=0x00200000
DRAW=0x2000
DS40=0x8000
DTWIN20=0x00000400
EAP=0x0004
ED=0x00010000
EXCEL=0x1000
EXPASTRO=0x04000000
EXTYPWND=0x00200000
FAXVIEW=0x04000000
FAXWORKS=0x00000400
FH4=0x00E08000
FLW2=0x8000
FMPRO=0x00200000
FREEHAND=0x8000
FULLTEXT=0x20000000
GIFTMAKE=0x20000000
GUIDE=0x1000
HDW=0x04800000
HGW=0x8000
HGW2EXE=0x8000
HGW3EXE=0x8000
HJDRAW=0x00400000
IDAPICFG=0x00400000
IDRAW=0x04008000
ILLUSTRATOR=0x8000
IMPROV2=0x00000000
INFOCENT=0x04000000
INSIGHT=0x00000400
INSTAL1=0x00400000
INSTALL=0x00400000
INTERMIS=0x10000000
IS20INST=0x00000000
IVIHEALT=0x00400000
JEOPARDY=0x00200000
JW=0x00000000
KALOAD2=0x00400000
KEYCAD=0x8000
LE_ADMIN=0x00400000
LUI=0x20000000
MAILSPL=0x10000000
MAKER=0x00200000
MAPS1=0x04008022
MATH=0x00000001
MAVIS=0x00200000
MCOURIER=0x0800
MFWIN20=0x02000000
MILESV3=0x1000
MILESV40=0x4
MOZART=0x40000000
MSARTIST=0x00100000
MSBHUMAN=0x4
MSREMIND=0x10000000
MVIEWER2=0x40200000
MYINV=0x00200000
MYST=0x08000000
NAFTA1=0x4008022
NBAMW4V4=0x04000000
NETSET2=0x0100
NOTES=0x200000
NOTSHELL=0x0001
OPERATOR=0x02000000
OUTPOST=0x00000000
OWLAPP=0x00400000
PACKRAT=0x0800
PAINTER=0x00000000
PAWC8DC3=0x00400000
PAWIN=0x4
PEACHW=0x04800004
PIXIE=0x0040
PLANIT=0x0004
PLANNER=0x2000
PLUS=0x1000
PM4=0xA000
PM5APP=0x8000
PP4=0x00000000
PR2=0x2000
PRINTHLP=0x0004
QAPLUSW=0x0004
QLIIFAX=0x00400000
QUAKE=0x80
QW=0x08000000
RELAY=0x20000000
REM=0x8022
RR2CD=0x00200000
RX=0x00000400
RXL=0x00000400
SETUP=0x00000000
SIDEKICK=0x0004
SLEEPER=0x10000000
SOL=0x00400000
SPCB=0x04008000
SPORTJEP=0x00200000
SPWIN20=0x00400000
ST2=0x4008022
STRAUSS=0x40000000
STRAV=0x40000000
SCHUBERT=0x40000000
SSBWIN=0x00200000
SWCWIN=0x00800004
TCVWIN=0x00200000
TCW=0x00400000
TCWIN=0x0004
TERRAIN=0x00400000
TISETUP=0x00200000
TL6=0x08000000
TME=0x0100
TMSWIN=0x20000000
TMTWIN=0x00200000
TMTWINCD=0x00200000
TOUCHUP=0x00400000
TURBOTAX=0x00080000
VB=0x0200
VEWINFIL=0x00400000
VISIO=0x00000004
VISIOHM=0x00000004
VISION=0x0040
W4GL=0x4000
W4GLR=0x4000
WGW=0x00440000
WIN2WRS=0x1210
WINCIM=0x4
WINLINK=0x20000000
WINPHONE=0x0004
WINSIM=0x2000
WINTACH=0x00200000
WORDSCAN=0x02200000
WPWINFIL=0x00000006
WPWIN60=0x00000400
WPWIN61=0x02000400
WSETUP=0x00200000
XPRESS=0x00000008
ZETA01=0x00400000
ZIFFBOOK=0x00200000

[Compatibility32]
CLWORKS=0x00A00000
MCAD=0x00600000
PHOTOSHP=0x00208000
PODW=0x00200000
SPSSWIN=0x00200000
TYPSTRY2=0x00200000
V32VM20=0x02000000
VISIO=0x00000000
VISIOHM=0x00000000
WINPHONE=0x00000004
WRDART32=0x00400000
SHELL=0x80000000
USTATION=0x80000000

[Compatibility95]
CHAOS OV=0x80000000
CONF=0x00000002
MSDEV=0x00000002
IMAGE32=0x80000000
INST32=0x80000000
BSHELF2k=0x00000002
AGENTSVR=0x00000002

[ModuleCompatibility]
ACEROOBE=0x0004
AIRNFM=0x0002
ALDNCD=0x0002
AMRES=0x0002
ATM=0x0002
ARCHANGEL=0x0002
CSNOV=0x0002
DEFDEMO=0x0002
DIBWND=0x0002
DIB=0x0002
DS=0x0001
EMLIB=0x0002
EMSAVE=0x0002
FH4=0x0002
GEDIT=0x0002
GEORGE=0x0002
GVBSETUP=0x0002
HRWCD=0x0002
ISLFAXPR=0x0002
KIDDESK=0x0002
KIDSTYPE=0x0000
KNPS=0x0002
LIONKING=0x0002
MAUI_DRV=0x0002
MGXWMF=0x0002
MEMMAP=0x0002
MSARTIST=0x0002
MSCRWRTR=0x0002
MSCUISTF=0x0001
MVIEWER2=0x0002
MWAVSCAN=0x0002
MYINV=0x0002
OLESVR=0x0002
PDOXWIN=0x0002
PLANIT=0x0002
PP3=0x0002
PP4=0x0002
PPPP=0x0002
PXDSRV2=0x0002
REVIEWRT=0x0002
ROULETTE=0x0002
RRIRJ=0x0002
RR1=0x0002
RR2CD=0x0002
STL_DLG=0x0002
TECO=0x0001
TER=0x0002
TLW0LOC=0x0002
TMSWIN=0x0002
USA=0x0002
VOICE=0x0002
WFXVIEW=0x0004
WINFORM=0x0002
WPWIN61=0x0002

[TrueType]
FontSmoothing=0
TTifCollisions=1

[mci extensions]
mid=Sequencer
rmi=Sequencer
wav=waveaudio
avi=AVIVideo
cda=CDAudio
aif=MPEGVideo
aifc=MPEGVideo
aiff=MPEGVideo
au=MPEGVideo
m1v=MPEGVideo
m3u=MPEGVideo
midi=MPEGVideo
mov=QTWVideo
mp2=MPEGVideo
mp3=MPEGVideo
mpa=MPEGVideo
mpe=MPEGVideo
mpeg=MPEGVideo
mpg=MPEGVideo
mpv2=MPEGVideo
qt=MPEGVideo
snd=MPEGVideo
lam=LiveAudioMetafile
la=LiveAudioFile
pic=QTWVideo
jpg=QTWVideo

[MCICompatibility]
MCIXSND=0x0001
GDAnim=0x0001

[mciavi]

[Desktop_Shell]
Current=Win

[Pscript.Drv]
ATMWorkaround=0

[Ports]
LPT1:=
LPT2:=
LPT3:=
COM1:=9600,n,8,1,x
COM2:=9600,n,8,1,x
COM3:=9600,n,8,1,x
COM4:=9600,n,8,1,x
FILE:=
FAX:=

[embedding]
Package=Package,Package,packager.exe,picture
midfile=MIDI Sequence,MIDI Sequence,C:\WINDOWS\mplayer.exe /mid,picture
SoundRec=Wave Sound,Wave Sound,c:\windows\sndrec32.exe,picture
mplayer=Media Clip,Media Clip,C:\WINDOWS\mplayer.exe,picture
PBrush=Paintbrush Picture,Paintbrush Picture,C:\PROGRA~1\ACCESS~1\MSPAINT.EXE,picture
Paint.Picture=Bitmap Image,Bitmap Image,C:\PROGRA~1\ACCESS~1\MSPAINT.EXE,picture
Wordpad.Document.1=WordPad Document,WordPad Document,C:\PROGRA~1\ACCESS~1\WORDPAD.EXE,picture
ComicChat.Room.2=Microsoft Chat Room,Microsoft Chat Room,C:\PROGRA~1\Chat\CChat.exe,picture
Imaging.Document=Image Document,Image Document,c:\windows\KodakImg.Exe,picture
WangImage.Document=Image Document,Image Document,c:\windows\KodakImg.Exe,picture
avifile=Video Clip,Video Clip,C:\WINDOWS\mplayer.exe /avi,picture

[Extensions]
mov=C:\WINDOWS\PLAY32.EXE ^.mov
pic=C:\WINDOWS\VIEW32.EXE ^.pic

[Mail]
MAPI=1
MAPIX=1
CMC=1
CMCDLLNAME32=mapi32.dll
CMCDLLNAME=mapi.dll
MAPIXVER=1.0.0.1
OLEMessaging=1

[Devices]
Capture fax BVRP=Bvrpwfu,FAX:
Acrobat PDFWriter=PDFWRITR,LPT1:
HP DeskJet 895C Series Printer=HPFDJC15,LPT1:

[PrinterPorts]
Capture fax BVRP=Bvrpwfu,FAX:,15,45
Acrobat PDFWriter=PDFWRITR,LPT1:,15,45
HP DeskJet 895C Series Printer=HPFDJC15,LPT1:,15,45

[MCI Extensions.BAK]
aif=MPEGVideo
aifc=MPEGVideo
aiff=MPEGVideo
au=MPEGVideo
m1v=MPEGVideo
m3u=MPEGVideo
midi=MPEGVideo
mov=MPEGVideo
mp2=MPEGVideo
mp3=MPEGVideo
mpa=MPEGVideo
mpe=MPEGVideo
mpeg=MPEGVideo
mpg=MPEGVideo
mpv2=MPEGVideo
qt=MPEGVideo
snd=MPEGVideo

[Netscape]
ini=C:\WINDOWS\Netscape.ini

[mcilau]
bandwidth=64000
Transport=UDP

[DrawDib]
pnpdrvr.drv 1024x768x16(565 0)=37,5,5,5

[HPFECP15,lpt1]
DefaultInputMode=4
DefaultOutputMode=6
RelaxState32Timeout=1
DigitalFilterEnable=0

[HPFECP15,HP DeskJet 895C Series Printer,lpt1]
DefaultInputMode=4
DefaultOutputMode=6
RelaxState32Timeout=1
DigitalFilterEnable=0

[SciCalc]
layout=1

[HPFECP15,FILE]
DefaultInputMode=4
DefaultOutputMode=8
RelaxState32Timeout=1

[Sounds]
SystemDefault=,

System Configuration Editor - [C:\AUTOEXEC.BAT]

C:\PROGRA~1\GRISOFT\AVGFRE~1\BOOTUP.EXE
@C:\PROGRA~1\NORTON~1\NAVDX.EXE /Startup
@ECHO OFF
SET BLASTER=A220 I7 D1 T2
SET SNDSCAPE=C:\WINDOWS
REM [Header]

REM [CD-ROM Drive]
REM C:\WINDOWS\COMMAND\MSCDEX /D:MSCD001

REM [Miscellaneous]

REM [Display]

@SET CLASSPATH=C:\PROGRA~1\PHOTOD~1.0\ADOBEC~1

@REM Added by MATLAB installer
SET PATH="%PATH%;c:\matlabr12\bin\win32"

Set tvdumpflags=8

Edited by krissy203, 25 May 2006 - 01:19 PM.


#10 OldTimer

OldTimer

    Malware Expert


  • Members
  • 11,092 posts
  • OFFLINE
  • Gender:Male
  • Location:North Carolina
  • Local time:12:19 AM

Posted 30 May 2006 - 05:20 PM

Hi krissy203. Let me ask you this. Are both Norton Anti-Virus and AVG running on this machine? You should have one or the other but not both.

Cheers.

OT
I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer


#11 krissy203

krissy203
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:12:19 AM

Posted 01 June 2006 - 10:01 AM

Hi OT! You are absolutely brilliant!

I uninstalled Norton antivirus, and left AVG, and the computer booted up normally!! Thank you so much!
I then was able to use my dial-up connection to download updates for AVG, Spybot S&D and Ad-Aware.

When I ran AVG, it found 2 viruses,
C:\Program Files\secure32.html (which it said was Spysheriff)
and
C:\tool4.exe

I thought I had already deleted these programs using Hijackthis, but I put them in the AVG vault.

I think that there may still be some remaining issues, because when I tried to run SmitRem (both in Safe and normal modes), the program couldn't run to completion. In safe mode, I got back to the window "Your computer is now running in Safe mode....".

I was wondering if you could advise me on what I should do next. Should I go ahead to www.microsoft.com and install the latest Windows updates, or should I first perform a few of the online scans you recommended in your first response?

I am so happy I am able to turn the computer on! It's so wonderful that there are people out there, like you, who help out!

Thank you!
krissy203

#12 krissy203

krissy203
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:12:19 AM

Posted 05 June 2006 - 11:36 AM

Hi OT,
Here is my progress so far:
I ran 2 online scans, eTrust and PandaActive scan. Etrust found something in "HijackThis backup", and I deleted it. This is the information from the Panda Active scan:

Incident                                             Status            Location

Spyware: spyware/aveo-attune                         Not disinfected   c:\programfiles\Aveo
Adware: adware/vog                                   Not disinfected   Windows Registry
Potentially unwanted tool: Application/Processor     Not disinfected   C:\WINDOWS\Desktop\smitRem.exe[smitRem/Process.exe]
Potentially unwanted tool: Application/Processor     Not disinfected   C:\WINDOWS\Desktop\smitRem\Process.exe
Adware: Adware/HelpExpress                           Not disinfected   C:\WINDOWS\emsw.exe

I also updated IE Internet settings in the Security tab and ran Windows Update.

I don't seem to have the same problem that I had prior to the "desktop problem"--usually, Internet Explorer would say "IE performed an illegal operation and will be shut down" after I updated Internet Explorer.

I wonder if the fact that I can't run the SmitRem program is a problem; maybe I did not delete everything?
Also, after I turn the computer on, a window appears: "Welcome to Windows". I had to make a password to log on, and I was wondering if I could get rid of it. (Usually, I just turned the computer on without this window.)

Thank you so much for all of your help!
krissy203

#13 OldTimer

OldTimer

    Malware Expert


  • Members
  • 11,092 posts
  • OFFLINE
  • Gender:Male
  • Location:North Carolina
  • Local time:12:19 AM

Posted 13 June 2006 - 04:59 PM

Hi krissy203. Sorry for the delay. I was off working on a project.

Let's do this. Boot the computer normally and run a new HijackThis log so I can see what it shows from a normal boot and then we will go from there.

Cheers.

OT

#14 krissy203

krissy203
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:12:19 AM

Posted 09 July 2006 - 07:22 PM

Hi Old Timer! Thank you so much for your reply. I just ran some scans in Safe mode and here are the results.
Ad-aware scan: no viruses,
CCleaner (no viruses)
and AVG scan (no viruses).
I noticed that the AVG scan always "changes" the shell32.dll.
For example, under C:\WINDOWS\SYSTEM\shell32.dll it would say -
Result: change ; and then Status: changed.
I wonder if there is some ongoing problem there.

I also ran the SmitRem in safe mode, but again, it did not run to "completion". I understand that at the end of the scan it should generate a results file, but it ends abruptly with a window that says the computer is now in Safe mode, just like when I turn it on.

Here is the HijackThis log, in Normal mode. Could you please look it over and let me know if I need to delete anything?
Thank you so much for all of your help!
krissy203


Logfile of HijackThis v1.99.1
Scan saved at 8:09:24 PM, on 7/9/06
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
c:\windows\SYSTEM\KB891711\KB891711.EXE
C:\WINDOWS\SYSTEM\KB918547\KB918547.EXE
C:\WINDOWS\EXPLORER.EXE
C:\Netscape\Comm\Program\aim.exe
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\MOUSE\SYSTEM\EM_EXEC.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\CAERE\OMNIPAGEPRO90\OPWARE32.EXE
C:\WINDOWS\SYSTEM\INTERNAT.EXE
C:\PROGRAM FILES\REAL\REALPLAYER\REALPLAY.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE
C:\PROGRAM FILES\CAERE\OMNIPAGEPRO90\opware16.exe
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\PROGRAM FILES\MICROSOFT REFERENCE\BOOKSHELF 2000\QSHELF2K.EXE
C:\PROGRAM FILES\CAERE\PAGEKEEPLITE30\SYSTEM\PKJOBS.EXE
C:\WINDOWS\SYSTEM\HPLAMPC.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\CAERE\PAGEKEEPLITE30\SYSTEM\PKTOPASS.EXE
C:\PROGRAM FILES\CAERE\PAGEKEEPLITE30\SYSTEM\PKSLAPI.EXE
C:\WINDOWS\NOTEPAD.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://home.netscape.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Dell
F1 - win.ini: load=C:\Netscape\Comm\Program\dtect16.exe
F1 - win.ini: run=hpfsched
N1 - Netscape 4: user_pref("browser.startup.homepage", "http://www.cnn.com"); (C:\Program Files\Netscape\Users\kd243\prefs.js)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [EM_EXEC] c:\mouse\system\em_exec.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [OmniPage] C:\Program Files\Caere\OmniPagePro90\opware32.exe
O4 - HKLM\..\Run: [internat.exe] internat.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\Run: [CriticalUpdate] c:\windows\SYSTEM\wucrtupd.exe -startup
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [KB891711] c:\windows\SYSTEM\KB891711\KB891711.EXE
O4 - HKLM\..\RunServices: [KB918547] C:\WINDOWS\SYSTEM\KB918547\KB918547.EXE
O4 - Startup: QuickShelf 2000.lnk = C:\Program Files\Microsoft Reference\Bookshelf 2000\qshelf2k.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: PageKeeper Lite Jobs.lnk = C:\Program Files\Caere\PageKeepLite30\system\PKJobs.exe
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Dell Home - {A7C4FF20-DB6D-11D3-85EC-B00F50C10000} - C:\WINDOWS\SYSTEM\SHDOCVW.DLL (HKCU)
O12 - Plugin for .SWF: C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\PLUGINS\NPSWF32.dll
O12 - Plugin for .org/bin/bladerunner?REQUNIQ=1039230954&REQSESS=334450&118200REQEVENT=&REQINT1=29668&REQAUTH=0: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
O12 - Plugin for .avi: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .wav: C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\PLUGINS\npaudio.dll
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = rutgers.edu
O17 - HKLM\System\CCS\Services\VxD\MSTCP: SearchList = rutgers.edu
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 128.6.224.114,128.6.216.19
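A small triage helper for the HijackThis log format posted above, added here as an example (it is not HijackThis code and not from anyone in this thread). The section-code grouping and the "look at these first" buckets are my own assumptions; the sample lines are a few copied from the log.

```python
import re
from typing import Dict, List, NamedTuple

# Added example, not code from HijackThis or from this thread. It parses the
# R/F/N/O entry lines of a HijackThis v1.99 log and groups the ones a reviewer
# normally checks first. The grouping rules are assumptions made for this example.

class Entry(NamedTuple):
    code: str    # section code, e.g. "O4" (autostart) or "O17" (TCP/IP settings)
    detail: str  # everything after the "O4 - " prefix

# Entry lines look like "<code> - <detail>"; header and process-list lines do not match.
LINE_RE = re.compile(r"^([RFNO]\d+)\s+-\s+(.*)$")

def parse_hjt(text: str) -> List[Entry]:
    """Return the entry lines of a log, skipping the header and the process list."""
    entries: List[Entry] = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            entries.append(Entry(m.group(1), m.group(2)))
    return entries

def review(entries: List[Entry]) -> Dict[str, List[str]]:
    """Bucket entries for a first pass (the buckets are this example's own choice)."""
    findings: Dict[str, List[str]] = {
        "file_missing": [],  # orphaned entries whose target no longer exists
        "dns": [],           # O17 name-server settings, to compare with the ISP/campus resolvers
        "autostart": [],     # O4 Run/RunServices/Startup entries, each gets a look
        "win_ini": [],       # F1 load=/run= lines from win.ini
    }
    for e in entries:
        if "(file missing)" in e.detail:
            findings["file_missing"].append(e.detail)
        if e.code == "O17" and "NameServer" in e.detail:
            findings["dns"].append(e.detail)
        if e.code == "O4":
            findings["autostart"].append(e.detail)
        if e.code == "F1":
            findings["win_ini"].append(e.detail)
    return findings

# Constructed sample: a handful of lines copied from the log posted above.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://home.netscape.com/
F1 - win.ini: load=C:\Netscape\Comm\Program\dtect16.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 128.6.224.114,128.6.216.19
"""

if __name__ == "__main__":
    for bucket, items in review(parse_hjt(SAMPLE_LOG)).items():
        print(f"{bucket}: {len(items)}")
        for item in items:
            print("   ", item)
```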

#15 OldTimer

OldTimer

    Malware Expert


  • Members
  • 11,092 posts
  • OFFLINE
  • Gender:Male
  • Location:North Carolina
  • Local time:12:19 AM

Posted 10 July 2006 - 07:22 PM

Hi krissy203. The log looks fine. I do not see any signs of viruses or malware in it.

As for smitrem, unless you have a very old copy it is not supported on Windows 98 and I would not recommend running it on that platform. The results could be unpredictable.

I am not sure what AVG is doing. I have not heard of that before and AVG has no way of "changing" a dll file. It might be reporting that the file has changed since the last scan. Some MS updates or patches could replace that file.

Let's run 1 last scan and see what it shows.

Download Dr.Web CureIt
  • Double-click the drweb-cureit.exe file and allow it to run the express scan.
  • This will scan the files currently running in memory, and when something is found, click the Yes button when it asks you if you want to cure it. This is only a short scan.
  • Once the short scan has finished, Click Options and Change settings
  • Choose the Scan tab and remove the mark at Heuristic analysis.
  • Back at the main window, mark the drives that you want to scan.
  • Select all drives. A red dot shows which drives have been chosen.
  • Click the green arrow at the right, and the scan will start.
  • Click Yes to all if it asks if you want to cure/move the file.
  • When the scan has finished, look if you can click the next icon next to the files found.
  • If so, click it, then click the next icon right below and select Move incurable.

    This will move it to the %userprofile%\DoctorWeb\quarantaine folder if it can't be cured (this is in case we need samples).
  • After selecting, in the Dr.Web CureIt menu on top, click File and choose Save Report List
  • Save the report to your desktop. The report will be called DrWeb.csv
  • Close Dr.Web Cureit.
  • Reboot your computer!! It is possible that files in use will be moved/deleted during the reboot.
  • After reboot, post the contents of the log from Dr.Web you saved previously in your next reply.
