HJT Log Please diagnose


32 replies to this topic

#1 dragon_20716

Posted 01 December 2004 - 10:23 PM

Logfile of HijackThis v1.98.2
Scan saved at 10:20:55 PM, on 12/1/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\AVSYNMGR.EXE
C:\PROGRAM FILES\MCAFEE\MCAFEE FIREWALL\CPD.EXE
C:\PROGRAM FILES\COMMON FILES\WINTOOLS\WTOOLSA.EXE
C:\PROGRAM FILES\TOOLBAR\TBPS.EXE
C:\PROGRAM FILES\TOOLBAR\PIB.EXE
C:\PROGRAM FILES\MCAFEE\MCAFEE FIREWALL\CPD.EXE
C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\VSSTAT.EXE
C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\VSHWIN32.EXE
C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\AVCONSOL.EXE
C:\PROGRAM FILES\COMMON FILES\WINTOOLS\WSUP.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\TEMP\BUNDLE.EXE
C:\WINDOWS\WATRAK.EXE
C:\WINDOWS\RunDLL.exe
C:\PROGRAM FILES\MCAFEE\MCAFEE SHARED COMPONENTS\INSTANT UPDATER\RULAUNCH.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\WINZIP\WINZIP32.EXE
C:\WINDOWS\TEMP\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.begin2search.com/sidesearch.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.websearch.com/ie.aspx?tb_id=50032
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.begin2search.com/sidesearch.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50032
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.begin2search.com/sidesearch.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50032
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
R3 - URLSearchHook: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WINTOOLS\WTOOLSB.DLL
O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WINTOOLS\WTOOLSB.DLL
O2 - BHO: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - C:\PROGRA~1\TOOLBAR\TOOLBAR.DLL
O3 - Toolbar: McAfee VirusScan - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\VSCSHELLEXTENSION.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: Begin2Search.com Bar - {52FE5233-367C-4EFB-BDD7-0BE4D212C107} - C:\WINDOWS\SYSTEM\WINB2S32.DLL
O3 - Toolbar: &Search Toolbar - {339BB23F-A864-48C0-A59F-29EA915965EC} - C:\PROGRA~1\TOOLBAR\TOOLBAR.DLL
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [bxxs5] RunDLL32.EXE C:\WINDOWS\BXXS5.DLL,DllRun
O4 - HKLM\..\Run: [CONSCORR] C:\WINDOWS\CONSCORR.exe
O4 - HKLM\..\Run: [SAHBundle] C:\WINDOWS\TEMP\bundle.exe
O4 - HKLM\..\Run: [TBPS] C:\PROGRA~1\TOOLBAR\TBPS.exe
O4 - HKLM\..\Run: [Narrator] C:\WINDOWS\watrak.exe
O4 - HKLM\..\Run: [CriticalUpdate] C:\WINDOWS\SYSTEM\wucrtupd.exe -startup
O4 - HKLM\..\Run: [WinTools] C:\PROGRA~1\COMMON~1\WINTOOLS\WTOOLSA.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [McAfeeVirusScanService] C:\Program Files\McAfee\McAfee VirusScan\AVSYNMGR.EXE
O4 - HKLM\..\RunServices: [McAfee Firewall] "C:\PROGRAM FILES\MCAFEE\MCAFEE FIREWALL\CPD.EXE" /SERVICE
O4 - HKLM\..\RunServices: [WinTools] C:\PROGRA~1\COMMON~1\WINTOOLS\WTOOLSA.EXE
O4 - HKLM\..\RunServicesOnce: [TBPS] C:\PROGRA~1\TOOLBAR\TBPS.exe /boot
O4 - HKLM\..\RunServicesOnce: [WinTools] C:\PROGRA~1\COMMON~1\WINTOOLS\WTOOLSA.EXE /boot
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [ModemOnHold] C:\PROGRAM FILES\NETWAITING\NETWAITING.EXE
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - HKCU\..\Run: [McAfee.InstantUpdate.Monitor] "C:\PROGRAM FILES\MCAFEE\MCAFEE SHARED COMPONENTS\INSTANT UPDATER\RuLaunch.exe" /STARTMONITOR
O4 - HKCU\..\RunServices: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\RunServices: [ModemOnHold] C:\PROGRAM FILES\NETWAITING\NETWAITING.EXE
O4 - HKCU\..\RunServices: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - HKCU\..\RunServices: [McAfee.InstantUpdate.Monitor] "C:\PROGRAM FILES\MCAFEE\MCAFEE SHARED COMPONENTS\INSTANT UPDATER\RuLaunch.exe" /STARTMONITOR
O4 - Startup: hgwtgl.exe
O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Your PC is infected with Spyware - click here to fix your PC - {FB74C951-ACA1-4e33-A94C-A9261EB2CCB7} - https://www.spydeleter.com/order2.php?KBID=1062 (file missing)
O10 - Unknown file in Winsock LSP: c:\windows\system\aklsp.dll
O16 - DPF: {5F0C30E4-1E72-4DCC-85E5-57810F1CA97B} (McUpdatePortalFactory Class) - http://www.amiuptodate.com/vsc/bin/1,0,0,7...pdatePortal.cab
O18 - Protocol: tpro - {FF76A5DA-6158-4439-99FF-EDC1B3FE100C} - C:\PROGRA~1\TOOLBAR\TOOLBAR.DLL

#2 penmore (Malware Sniffer)

Posted 02 December 2004 - 03:58 AM

Hi dragon_20716,

I'll be looking after your log analysis so please be patient whilst I review your log.
I will get back to you as soon as possible with a solution.


I notice that you have multiple posts in this forum. Please use the Add/Reply button when replying to a post and stick to one post. This will avoid valuable resources being wasted.

Edited by penmore, 02 December 2004 - 04:54 AM.


#3 penmore (Malware Sniffer)

Posted 02 December 2004 - 08:27 AM

Hi dragon_20716,


You have a TrojanDownloader.Win32.Stubby.c infection as well as other malware. Please follow the instructions below in the order they are given. It may help you if you print these out before actioning them as you won't have access to the Internet when you are running in Safe Mode. This fix involves a number of separate pieces of software - if you are unsure about anything I have asked you to do then please ask before doing the fixes.

You are running HijackThis from a temporary folder. When run from a temporary folder, the backups HijackThis makes may accidentally get deleted, so please put HijackThis into a permanent folder.
Full instructions on how to do this can be found here: Detailed Explanation
Brief instructions for this are:
  • To create a permanent folder:
  • Click My Computer, then C:\
  • In the menu bar, File->New->Folder.
  • That will create a folder named New Folder, which you can rename to "HJT" or "HijackThis".
  • Now you have a C:\HJT\ folder.
  • Put your HijackThis.exe there.
Please download LSP-Fix from the following link and save it to a location you can find later if necessary: LSP-Fix Download Link
Open LSPFix. Check "I know what I'm doing".
Select all listed entries for c:\windows\system\aklsp.dll and only this one!!
Click the right-pointing arrow.
Click Finished
Perform a full scan here: Trendmicro, check AutoClean and let it remove anything it finds.

Perform a second full scan here: Panda Online, follow the instructions on the screen, make sure these are checked:
  • Disinfect automatically
  • Scan compressed files
  • Scan e-mail files
  • Neutralize Trojans
Let active scan remove anything it finds.

Perform a full scan here: BitDefender Free Online Virus Scan
Follow the instructions on the screen.
Tick all the boxes on the left and let Bitdefender remove anything it finds.

Please go to Start >>> Control Panel >>> Add or Remove Programs and remove the following programs.
Most of these removals require an Internet connection to work. Don't be too concerned if you cannot find some of them in the Add/Remove section.
  • MSIETS
  • Internet 404
  • Tools for Internet Explorer
  • Search Toolbar
  • Web Search Toolbar
  • Win-Tools Easy Installer
  • ShopAtHomeSelect Agent
Reboot your computer into Safe Mode.

Run HijackThis
Click on the Scan button and when complete
Put a check beside all of the items listed below:
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.begin2search.com/sidesearch.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.websearch.com/ie.aspx?tb_id=50032
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.begin2search.com/sidesearch.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50032
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.begin2search.com/sidesearch.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50032
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
R3 - URLSearchHook: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WINTOOLS\WTOOLSB.DLL
O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WINTOOLS\WTOOLSB.DLL
O2 - BHO: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - C:\PROGRA~1\TOOLBAR\TOOLBAR.DLL
O3 - Toolbar: Begin2Search.com Bar - {52FE5233-367C-4EFB-BDD7-0BE4D212C107} - C:\WINDOWS\SYSTEM\WINB2S32.DLL
O3 - Toolbar: &Search Toolbar - {339BB23F-A864-48C0-A59F-29EA915965EC} - C:\PROGRA~1\TOOLBAR\TOOLBAR.DLL
O4 - HKLM\..\Run: [bxxs5] RunDLL32.EXE C:\WINDOWS\BXXS5.DLL,DllRun
O4 - HKLM\..\Run: [CONSCORR] C:\WINDOWS\CONSCORR.exe
O4 - HKLM\..\Run: [SAHBundle] C:\WINDOWS\TEMP\bundle.exe
O4 - HKLM\..\Run: [TBPS] C:\PROGRA~1\TOOLBAR\TBPS.exe
O4 - HKLM\..\Run: [Narrator] C:\WINDOWS\watrak.exe
O4 - HKLM\..\Run: [WinTools] C:\PROGRA~1\COMMON~1\WINTOOLS\WTOOLSA.EXE
O4 - HKLM\..\RunServices: [WinTools] C:\PROGRA~1\COMMON~1\WINTOOLS\WTOOLSA.EXE
O4 - HKLM\..\RunServicesOnce: [TBPS] C:\PROGRA~1\TOOLBAR\TBPS.exe /boot
O4 - HKLM\..\RunServicesOnce: [WinTools] C:\PROGRA~1\COMMON~1\WINTOOLS\WTOOLSA.EXE /boot
O4 - Startup: hgwtgl.exe
O9 - Extra button: Your PC is infected with Spyware - click here to fix your PC - {FB74C951-ACA1-4e33-A94C-A9261EB2CCB7} - https://www.spydeleter.com/order2.php?KBID=1062 (file missing)
O18 - Protocol: tpro - {FF76A5DA-6158-4439-99FF-EDC1B3FE100C} - C:\PROGRA~1\TOOLBAR\TOOLBAR.DLL

Close all open Explorer windows and browsers
Click on the "Fix Checked" button
When complete and all files removed, close the application

Please make sure that you can view all hidden files. Instructions on how to do this can be found here:
How to see hidden files in Windows

Please delete the following files or folders (delete item in bold). Please do not be concerned if any of the items are not found as they may have been automatically removed by actions I had you take earlier in the cleaning process.
C:\Program Files\Common Files\WINTOOLS
C:\Program Files\TOOLBAR
C:\WINDOWS\SYSTEM\WINB2S32.DLL >>> File Only
C:\WINDOWS\BXXS5.DLL
C:\WINDOWS\CONSCORR.exe
C:\WINDOWS\TEMP\bundle.exe
C:\Program Files\TOOLBAR
C:\WINDOWS\watrak.exe
C:\Program Files\Common Files\WINTOOLS
hgwtgl.exe >>> You may have to search for this with Windows Explorer
Reboot your machine in normal mode, run HijackThis and post a new log here for review.
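
A small triage pass over HijackThis log lines, as an added example that is not part of the original thread or of HijackThis itself. It parses the Rn/On entries by section code and flags the patterns a log reviewer checks first: IE search settings pointing at an untrusted domain, hosts-file redirects of well-known search hostnames, unnamed BHOs, toolbars and search hooks, autoruns launched from a TEMP folder, dead "(file missing)" references, unknown Winsock LSPs and custom protocol handlers. The trusted-domain list and the heuristics are the example's own assumptions, not HijackThis rules; the sample lines are copied from the logs posted in this thread (including the O1 hosts entries that appear in a later post).

```python
"""Heuristic triage of HijackThis log entries.

Added example, not code from the thread or from HijackThis. The rules below
are assumptions about what a reviewer flags first, not a complete ruleset.
"""
import re
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Constructed sample: lines copied from the logs posted in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.begin2search.com/sidesearch.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WINTOOLS\WTOOLSB.DLL
O3 - Toolbar: McAfee VirusScan - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\VSCSHELLEXTENSION.DLL
O4 - HKLM\..\Run: [SAHBundle] C:\WINDOWS\TEMP\bundle.exe
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O9 - Extra button: Your PC is infected with Spyware - click here to fix your PC - {FB74C951-ACA1-4e33-A94C-A9261EB2CCB7} - https://www.spydeleter.com/order2.php?KBID=1062 (file missing)
O10 - Unknown file in Winsock LSP: c:\windows\system\aklsp.dll
O18 - Protocol: tpro - {FF76A5DA-6158-4439-99FF-EDC1B3FE100C} - C:\PROGRA~1\TOOLBAR\TOOLBAR.DLL
"""

LINE_RE = re.compile(r"^(?P<code>[RO]\d+) - (?P<body>.+)$")
HOSTS_RE = re.compile(r"^Hosts:\s+(?P<ip>\S+)\s+(?P<host>\S+)")

# Assumption: search providers a stock IE 6 install is expected to use.
TRUSTED_SEARCH = {"microsoft.com", "msn.com"}
LOOPBACK = {"127.0.0.1", "::1"}


@dataclass
class Entry:
    code: str                 # section code: R0, R1, R3, O1 ... O23
    body: str                 # text after "Rn - " / "On - "
    flags: list = field(default_factory=list)


def parse_hjt(text: str) -> list[Entry]:
    """Return one Entry per 'Rn - ...' / 'On - ...' line; other lines are ignored."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append(Entry(m["code"], m["body"]))
    return entries


def registered_domain(url: str) -> str:
    """Last two labels of the URL's host; a scheme is added if HJT omitted it."""
    host = urlparse(url if "://" in url else "http://" + url).hostname or ""
    labels = host.lower().split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def triage(entries: list[Entry]) -> list[Entry]:
    """Attach reason strings to entries that match a heuristic; return only those."""
    for e in entries:
        b = e.body
        if e.code == "O1":                       # hosts-file overrides
            m = HOSTS_RE.match(b)
            if m and m["ip"] not in LOOPBACK and m["host"].lower() != "localhost":
                e.flags.append(f"hosts redirect {m['host']} -> {m['ip']}")
        elif e.code in ("R0", "R1"):             # IE start/search settings
            value = b.partition(" = ")[2].strip()
            if value and registered_domain(value) not in TRUSTED_SEARCH:
                e.flags.append(f"search setting points at {registered_domain(value)}")
        elif e.code in ("R3", "O2", "O3"):       # search hooks, BHOs, toolbars
            if "(no name)" in b:
                e.flags.append("unnamed browser extension")
        elif e.code == "O4":                     # autoruns
            if "\\TEMP\\" in b.upper():
                e.flags.append("autorun launched from a TEMP folder")
        elif e.code == "O10":                    # Winsock LSP chain
            e.flags.append("unknown LSP: remove with an LSP tool, not by deleting the DLL")
        elif e.code == "O18":                    # custom protocol handlers
            e.flags.append("custom protocol handler: verify the DLL")
        if e.code in ("O9", "O16") and "(file missing)" in b:
            e.flags.append("dead reference to a missing file")
    return [e for e in entries if e.flags]


def report(text: str) -> list[str]:
    """One 'CODE: reason' line per flag, in log order."""
    return [f"{e.code}: {r}" for e in triage(parse_hjt(text)) for r in e.flags]


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG)))
```

Run against a full log the script reports the same seven kinds of entry penmore singled out above; anything it does not flag (the McAfee toolbar, the stock ScanRegistry autorun) still needs a human eye, which is why the O10 rule tells you which tool to use rather than deleting the DLL, and why the hosts rule ignores only loopback entries.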

#4 dragon_20716

Posted 03 December 2004 - 08:43 AM

Sir,
I ran the LSP-Fix, Trendmicro, Panda Online and BitDefender scans. There were many viruses and other malware programs located throughout the system and deleted. However, I noticed that a large number of the programs were not successfully deleted by these scans. I decided to move on through your set of instructions anyway. I am now at the Control Panel >>> Add Remove Programs section of your instructions. There were no MSIETS, Internet 404, Tools for Internet Explorer, Search Toolbar, or ShopAtHomeSelect Agent in the program list. The Web Search Toolbar and the Win-Tools Easy Installer were successfully removed. There are two programs on the Add Remove Programs list that sound similar to those above that I need to ask you about: “Microsoft Internet Explorer 6SP1 and Internet Tools” and “Search Assistant”. Should I leave these programs installed and move on to the next step or should I remove either or both of them?

#5 penmore (Malware Sniffer)

Posted 03 December 2004 - 11:12 AM

Hi dragon_20716,

Thanks for getting back to me.

“Microsoft Internet Explorer 6SP1 and Internet Tools” and “Search Assistant”. Should I leave these programs installed and move on to the next step or should I remove either or both of them?


The “Microsoft Internet Explorer 6SP1 and Internet Tools” are legit. The “Search Assistant” removal doesn't work. So, don't remove any of these, just carry on with the fixes as outlined above.

Any malware that is left after these fixes can be cleared with other software, provided you carry on with any additional fixes you are given until you are declared clean.

#6 dragon_20716

Posted 03 December 2004 - 08:50 PM

Logfile of HijackThis v1.98.2
Scan saved at 8:42:29 PM, on 12/3/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\AVSYNMGR.EXE
C:\PROGRAM FILES\MCAFEE\MCAFEE FIREWALL\CPD.EXE
C:\PROGRAM FILES\MCAFEE\MCAFEE FIREWALL\CPD.EXE
C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\VSSTAT.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\RunDLL.exe
C:\PROGRAM FILES\MCAFEE\MCAFEE SHARED COMPONENTS\INSTANT UPDATER\RULAUNCH.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\VSHWIN32.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\AVCONSOL.EXE
C:\HJT\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O3 - Toolbar: McAfee VirusScan - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\VSCSHELLEXTENSION.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [CriticalUpdate] C:\WINDOWS\SYSTEM\wucrtupd.exe -startup
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [McAfeeVirusScanService] C:\Program Files\McAfee\McAfee VirusScan\AVSYNMGR.EXE
O4 - HKLM\..\RunServices: [McAfee Firewall] "C:\PROGRAM FILES\MCAFEE\MCAFEE FIREWALL\CPD.EXE" /SERVICE
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [ModemOnHold] C:\PROGRAM FILES\NETWAITING\NETWAITING.EXE
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - HKCU\..\Run: [McAfee.InstantUpdate.Monitor] "C:\PROGRAM FILES\MCAFEE\MCAFEE SHARED COMPONENTS\INSTANT UPDATER\RuLaunch.exe" /STARTMONITOR
O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Your PC is infected with Spyware - click here to fix your PC - {FB74C951-ACA1-4e33-A94C-A9261EB2CCB7} - https://www.spydeleter.com/order2.php?KBID=1062 (file missing)
O16 - DPF: {5F0C30E4-1E72-4DCC-85E5-57810F1CA97B} (McUpdatePortalFactory Class) - http://www.amiuptodate.com/vsc/bin/1,0,0,7...pdatePortal.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab

#7 penmore (Malware Sniffer)

Posted 04 December 2004 - 02:14 PM

Hi dragon_20716,

We need to use a special procedure to remove the Spydeleter entry from your machine.
Please follow the removal instructions found here Spydeleter Removal
Note that the link to the file to be downloaded is at the bottom of the page. Let me know if you have any problems with it.

In view of your earlier comments regarding some malware not being removed I would like you to download and run Ad-Aware and SpybotS&D before you fix a couple of stray entries in your log.

Download Spybot and Adaware from the following locations and install them. You should run both programs and clean up what they find.

Before running the scans on both programs, it is mandatory that you update the programs. There are update options in each program when you run them.

Spybot Download and Ad-aware Download

If you would like to learn more about how to use these two programs with the proper settings you can read the tutorials below:

Using Ad-aware to remove Spyware, Malware, & Hijackers from Your Computer.

Using Spybot - Search & Destroy to remove Spyware, Malware, & Hijackers from Your Computer.

When you scan with both programs, fix everything that it finds.

Reboot your computer into Safe Mode.

Run HijackThis
Click on the Scan button and when complete
Put a check beside all of the items listed below:
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

Close all open Explorer windows and browsers
Click on the "Fix Checked" button
When complete and all files removed, close the application.

Reboot in normal mode, run HijackThis and post a log here for checking.

#8 dragon_20716

Posted 05 December 2004 - 06:50 PM

Sir,
I am still getting hit by a popups like the one from "Free Trial Version of CPU Rocket Computer Accelerator". Also I see the following in the address bar: HTTP://adserver.sharewareonline.com/adserv...m/ad0805504.htm.
I think these popups are related to the log files entries "O1 - Hosts: 69.20.16.183 auto.search.msn.com", "O1 - Hosts: 69.20.16.183 search.netscape.com", and "O1 - Hosts: 69.20.16.183 ieautosearch". The reason I think so is that at the bottom of my screen when the popups appear, I see the numbers starting with "69" as in "69.20.16.183" Here is my Log file:

Logfile of HijackThis v1.98.2
Scan saved at 6:35:43 PM, on 12/5/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\AVSYNMGR.EXE
C:\PROGRAM FILES\MCAFEE\MCAFEE FIREWALL\CPD.EXE
C:\PROGRAM FILES\MCAFEE\MCAFEE FIREWALL\CPD.EXE
C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\VSSTAT.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\RunDLL.exe
C:\PROGRAM FILES\MCAFEE\MCAFEE SHARED COMPONENTS\INSTANT UPDATER\RULAUNCH.EXE
C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\VSHWIN32.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\AVCONSOL.EXE
C:\HJT\HIJACKTHIS.EXE

O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O3 - Toolbar: McAfee VirusScan - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\VSCSHELLEXTENSION.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [CriticalUpdate] C:\WINDOWS\SYSTEM\wucrtupd.exe -startup
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [McAfeeVirusScanService] C:\Program Files\McAfee\McAfee VirusScan\AVSYNMGR.EXE
O4 - HKLM\..\RunServices: [McAfee Firewall] "C:\PROGRAM FILES\MCAFEE\MCAFEE FIREWALL\CPD.EXE" /SERVICE
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [ModemOnHold] C:\PROGRAM FILES\NETWAITING\NETWAITING.EXE
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - HKCU\..\Run: [McAfee.InstantUpdate.Monitor] "C:\PROGRAM FILES\MCAFEE\MCAFEE SHARED COMPONENTS\INSTANT UPDATER\RuLaunch.exe" /STARTMONITOR
O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O16 - DPF: {5F0C30E4-1E72-4DCC-85E5-57810F1CA97B} (McUpdatePortalFactory Class) - http://www.amiuptodate.com/vsc/bin/1,0,0,7...pdatePortal.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab

#9 penmore (Malware Sniffer)

Posted 06 December 2004 - 03:04 PM

Hello dragon_20716,

You've done well removing all of the malware so far but unfortunately it has revealed a new infection that is proving difficult to remove because the component parts have been well hidden. With your help, we should be able to remove this, but I need you to do a few things first to help us identify the various files that are causing the problems.

Can you start by downloading VX2Finder from this link:
http://downloads.subratam.org/VX2Finder9x(126).exe
Run Vx2Finder and click on the Click to find VX2.BetterInternet button.

Click the Make Log button.

Copy and paste the entire contents of that log to your next post.

You have previously configured your system to show all hidden files and folders. Could I ask you to just check again that you can see them, as follows:
  • Close all programs so that you are at your desktop.
  • Double-click on the My Computer icon.
  • Select the View menu and then click Folder Options.
  • After the new window appears select the View tab.
  • Scroll down until you see the Show all files radio button and select it.
  • Press the Apply button and then the OK button and close the My Computer window.
  • Now your computer is configured to show all hidden files.
Next we need to locate all files that have been created since your malware problems started:
  • Open Windows Explorer
  • In the Folders section on the left navigate to c:\windows\system
  • You should now be able to see all the files & folders in the system folder on your right.
  • Click the View tab on the top menu bar and select Details
  • Click View tab again, go down to Arrange Icons and click on by Date from pop-out menu
  • Scroll down to the bottom of the list where you will find the most recently modified files
Carefully write down these file names in full that have been modified since your infections started.

Finally I would like you to do a little test for me. I would like you to open Notepad and enter some text, then save the file to your Desktop. Close Notepad and then delete the file you have just created. Let me know whether it asks for confirmation about sending it to the Recycle Bin or whether it just deletes the file.

Please return to the forum and post:
  • The VX2Finder log
  • The file list of all files added since your troubles started
  • Details of how deleting files from the desktop is handled
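
The "files modified since the trouble started" step above, done as a script rather than by hand in Explorer's Details view. This is an added example, not code from the thread or from any tool named in it; the extension list and the demo() folder contents (file names borrowed from this thread, with back-dated timestamps) are constructed for illustration. The caveat a practitioner adds: modification times are only a lead, since malware can rewrite them, so pair this list with the VX2Finder output rather than relying on it alone.

```python
"""List files under a directory modified on or after a given instant, oldest
first, so components dropped during an infection stand out.

Added example, not code from the thread; it reproduces the Explorer
"Arrange Icons by Date" step in script form. Timestamps are only a lead:
malware can rewrite them, so treat the list as a starting point, not proof.
"""
import os
import sys
import tempfile
from datetime import datetime
from pathlib import Path

# Assumption: extensions worth looking at first in a Win9x system folder.
EXECUTABLE_EXT = {".exe", ".dll", ".vxd", ".sys", ".ocx", ".scr", ".tsk"}


def files_modified_since(root, since: datetime, recurse: bool = False,
                         executables_only: bool = False):
    """Return (mtime, size, path) tuples sorted by mtime, oldest first."""
    root = Path(root)
    candidates = root.rglob("*") if recurse else root.glob("*")
    hits = []
    for p in candidates:
        if not p.is_file():
            continue
        if executables_only and p.suffix.lower() not in EXECUTABLE_EXT:
            continue
        st = p.stat()
        mtime = datetime.fromtimestamp(st.st_mtime)
        if mtime >= since:
            hits.append((mtime, st.st_size, str(p)))
    hits.sort()                      # chronological: newest entries at the bottom
    return hits


def format_report(hits) -> list[str]:
    """One line per hit: timestamp, size, path."""
    return [f"{m:%Y-%m-%d %H:%M:%S}  {size:>10}  {path}" for m, size, path in hits]


def demo(executables_only: bool = False) -> list[str]:
    """Build a constructed folder with back-dated files and return the names
    modified on or after 1 Dec 2004 (when this thread's problems started)."""
    since = datetime(2004, 12, 1)
    # Constructed sample: names borrowed from the thread, dates chosen to
    # bracket the cut-off (aklsp.dll falls one minute before it).
    sample = [("kernel32.dll", datetime(1999, 4, 23)),
              ("winb2s32.dll", datetime(2004, 12, 1, 22)),
              ("aklsp.dll", datetime(2004, 11, 30, 23, 59)),
              ("guard.tmp", datetime(2004, 12, 5, 9)),
              ("notes.txt", datetime(2004, 12, 3))]
    with tempfile.TemporaryDirectory() as d:
        for name, when in sample:
            p = Path(d) / name
            p.write_bytes(b"x" * 16)
            ts = when.timestamp()
            os.utime(p, (ts, ts))    # back-date atime and mtime
        hits = files_modified_since(d, since, executables_only=executables_only)
        return [Path(path).name for _, _, path in hits]


if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    cutoff = datetime.fromisoformat(sys.argv[2]) if len(sys.argv) > 2 else datetime(2004, 12, 1)
    print("\n".join(format_report(files_modified_since(root, cutoff, recurse=True))))
```

Invoked as `python find_recent.py C:\WINDOWS\SYSTEM 2004-12-01` it prints the same list Explorer shows when sorted by date, but in a form that can be pasted into a reply without transcription errors, which was the poster's worry with the screenshots.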


#10 dragon_20716

Posted 06 December 2004 - 09:43 PM

Sir,

The following is my VX2Finder log:

Files Found---
C:\WINDOWS\SYSTEM\DeCNDI.DLL
C:\WINDOWS\SYSTEM\DeNDI.DLL
C:\WINDOWS\SYSTEM\NcSWAN32.DLL


User Agent String---
{8526D0E1-1490-11D9-AE5B-444553540000}

The list of all files added since troubles started is very lengthy. Since this computer is loaded with Word Pad, I may have a better solution. I have taken PRINT SCREEN shots of the list of files and made seven Word Pad documents that are pictures of the file list. Is it possible for me to send you these seven Word Pad Print Screen documents rather than copying down all the file names? This could eliminate the possibility of errors. The only problem is that each file is about 480 KB which is well above the maximum file size attachment limit for this discussion board. I will send you my yahoo email address if that helps. I'm open to other suggestions as well.

As far as the experiment with deleting files from the desktop, the system did ask about the recycle bin. When I selected the recycle bin the file was deleted.

Thanks for all your help so far.

#11 penmore (Malware Sniffer)

Posted 07 December 2004 - 11:03 AM

Hi dragon_20716,

This method was developed by Zupe and has been adapted for Win98. It should identify what is causing the problems in a better way.

1. Download VX2Finder from this link:
http://www.downloads.subratam.org/VX2Finder9x.exe
Run Vx2Finder and click on the Click to find VX2.BetterInternet button.

Click the Make Log button.

Save the log some place convenient like My Documents. Include the contents of the log in your next reply here.

2. Please download Findit98.zip file from the bottom of this post.

Unzip the contents to a folder, then open that folder and double click on Find.bat. It will run for a minute, then produce a log (ignore any File not found messages on the screen, it should continue anyway). Please copy and paste that log here as well.


3. Please also open the c:\Windows folder and see if there's a file there called Guard.tmp visible and report that here as well.

From the time you complete the above steps until we post back a fix for you please do not reboot your machine. Because of the different time zones that we are in I have asked one of the other team members to watch this thread and post back to you if I am not available.

Attached Files


Edited by penmore, 07 December 2004 - 11:04 AM.


#12 penmore (Malware Sniffer)

Posted 07 December 2004 - 01:38 PM

Hi dragon_20716,

I need to make a slight correction to my last post:

Please also open the c:\Windows folder and see if there's a file there called Guard.tmp visible and report that here as well.



This should read:

Please also open the c:\Windows\System folder and see if there's a file there called Guard.tmp visible and report that here as well.

#13 dragon_20716

Posted 07 December 2004 - 02:01 PM

Sir,
Your last post advises, "From the time you complete the above steps until we post back a fix for you please do not reboot your machine." Do you mean that I must not power down the system whilst awaiting further instructions? The reason I am asking is that a new problem has appeared. If I leave the system on and idle for a period of several hours it locks up. When I try a CTL ALT DEL, I get a warning that the system resources are seriously low and it asks if I want to shut down a program with a short name like APTRXUSC.EXE (sorry, I didn't record the exact name). When I click yes it asks the same question of another program with a different short name which I also failed to record. In the end, the system never does unlock and I have to hit the reset button anyway. Therefore, after I complete the steps you have given me, I will have to shut down the system and not reboot until I receive further instructions. Will that work?
Dragon

#14 penmore (Malware Sniffer)

Posted 07 December 2004 - 02:13 PM

Hello dragon_20716,

Perhaps I can explain a little the problem with rebooting once you have given the file lists.

When you supply the lists, they contain active files that are the cause of this infection. If you reboot then the files are likely to change in name so that the fix that we give you won't work.

I have asked another team member to monitor this thread because of the time zone differences between us and the fact that I might not be able to be online all of this evening myself.

Let me speak to the other team members and I'll post back to you very soon.

#15 dragon_20716

Posted 07 December 2004 - 02:24 PM

Penmore,
One other thing. The infected computer is at home and I am at work. I am unable to get back to the infected computer until after 8:00 PM US Eastern Standard Time (my home is located near Washington DC). I understand that would be after 2:00 AM for you.
Thanks,
Dragon



