Infected


19 replies to this topic

#1 Hari25


Posted 16 September 2006 - 03:45 AM

Hi, thanks for taking the time to read this.

I recently bought a used PC; the previous owner had no spyware protection.
I downloaded Kerio, Spybot, Ad-Aware, SpywareBlaster, SpywareGuard and HJT.
I also ran Panda ActiveScan. This is a P3 running Win98.
Panda found 3 viruses, 120 spyware and 39 hacking tools.
I ran Ad-Aware and Spybot in safe mode.
Ad-Aware found 881 infections.
Spybot found 39.
These are my Panda and HJT logs... oops, I can't post both logs, I am over the maximum post length. If you want my Panda scan I will give it to you later.

Please help.

Logfile of HijackThis v1.99.1
Scan saved at 2:23:39 AM, on 16/09/06
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\ADVTOOLS\NPROTECT.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\KB918547\KB918547.EXE
C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
C:\PROGRAM FILES\KERIO\PERSONAL FIREWALL\PERSFW.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
C:\WINDOWS\LOADQM.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\SPYWAREGUARD\SGMAIN.EXE
C:\PROGRAM FILES\SPYWAREGUARD\SGBHP.EXE
C:\HIJACKTHIS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R3 - URLSearchHook: (no name) - {0428FFC7-1931-45b7-95CB-3CBB919777E1} - (no file)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\PROGRAM FILES\SPYWAREGUARD\DLPROTECT.DLL
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\ADVTOOLS\ADVCHK.EXE
O4 - HKLM\..\Run: [NPROTECT] C:\PROGRA~1\NORTON~1\ADVTOOLS\NPROTECT.EXE
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [CriticalUpdate] C:\WINDOWS\SYSTEM\wucrtupd.exe -startup
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [ccEvtMgr] "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
O4 - HKLM\..\RunServices: [NPROTECT] C:\PROGRA~1\NORTON~1\ADVTOOLS\NPROTECT.EXE
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [KB918547] C:\WINDOWS\SYSTEM\KB918547\KB918547.EXE
O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
O4 - HKLM\..\RunServices: [PersFw] "C:\Program Files\Kerio\Personal Firewall\persfw.exe" /hide
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} -
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab



#2 Hari25

  • Topic Starter

Posted 19 September 2006 - 03:53 AM

Hi :thumbsup:
Here is my original Panda scan:


Incident Status Location

Virus:Trj/Imiserv.B Disinfected Operating system
Adware:Adware/Comet Not disinfected c:\progra~1\comets~1\dm\bin\dmserver.exe
Adware:Adware/KeenValue Not disinfected C:\PROGRAM FILES\PERFECTNAV\BHO\PERFECTNAV150.DLL
Adware:Adware/Comet Not disinfected C:\PROGRAM FILES\COMET SYSTEMS\DM\BIN\DMSERVER.EXE
Potentially unwanted tool:Application/P2PNetworking Not disinfected C:\WINDOWS\SYSTEM\P2P NETWORKING\P2P NETWORKING.EXE
Potentially unwanted tool:application/altnet Not disinfected C:\WINDOWS\TEMP\asmfiles.cab
Adware:adware/cydoor Not disinfected c:\windows\system\cd_clint.dll
Adware:adware/comet Not disinfected c:\windows\inf\CC_43.PNF
Adware:adware/keenvalue Not disinfected c:\windows\browserxtras\pn\remove.exe
Adware:adware/gator.trickler Not disinfected c:\windows\temp\adware\fsg_4104.exe
Potentially unwanted tool:application/bestoffer Not disinfected c:\windows\smdat32m.sys
Adware:adware program Not disinfected c:\windows\ss3unstl.exe
Adware:adware/ieplugin Not disinfected c:\windows\systb.dll
Adware:adware/ncase Not disinfected c:\windows\msbbi.exe
Adware:adware/downloadware Not disinfected C:\WINDOWS\TEMP\Adware
Adware:adware/gator Not disinfected C:\WINDOWS\TEMP\fsg_tmp
Potentially unwanted tool:application/myway Not disinfected c:\program files\MyWay
Adware:adware/xupiter Not disinfected Windows Registry
Potentially unwanted tool:Application/P2PNetworking Not disinfected C:\WINDOWS\SYSTEM\P2P Networking\MARSHAL.DLL
Potentially unwanted tool:Application/P2PNetworking Not disinfected C:\WINDOWS\SYSTEM\P2P Networking v124.cpl
Adware:Adware/DSSAgent Not disinfected C:\WINDOWS\BBSTORE\DSS\DSSAGENT.EXE
Potentially unwanted tool:Application/P2PNetworking Not disinfected C:\WINDOWS\TEMP\p2psetup.exe
Potentially unwanted tool:Application/Altnet Not disinfected C:\WINDOWS\TEMP\Altnet\admdata.dll
Potentially unwanted tool:Application/Altnet Not disinfected C:\WINDOWS\TEMP\Altnet\admdloader.dll
Potentially unwanted tool:Application/Altnet Not disinfected C:\WINDOWS\TEMP\Altnet\admfdi.dll
Potentially unwanted tool:Application/Altnet Not disinfected C:\WINDOWS\TEMP\Altnet\Setup.exe
Potentially unwanted tool:Application/Altnet Not disinfected C:\WINDOWS\TEMP\Altnet\adm25.dll
Adware:Adware/Gator Not disinfected C:\WINDOWS\TEMP\fsg_tmp\GTR13A4.TMP[C:\WINDOWS\TEMP\fsg_tmp\GTR13A4.TMP]
Adware:Adware/Gator Not disinfected C:\WINDOWS\TEMP\fsg_tmp\files\PdpSetup5102.ex_[C:\WINDOWS\TEMP\fsg_tmp\files\PdpSetup5102.ex_]
Adware:Adware/Comet Not disinfected C:\WINDOWS\TEMP\unpack\strwr.cab[CC_43.inf]
Adware:Adware/Comet Not disinfected C:\WINDOWS\TEMP\unpack\strwr.cab[CSBand.dll]
Adware:Adware/Comet Not disinfected C:\WINDOWS\TEMP\unpack\strwr.cab[csbho.dll]
Adware:Adware/Comet Not disinfected C:\WINDOWS\TEMP\unpack\strwr.cab[cscore.dll]
Adware:Adware/Comet Not disinfected C:\WINDOWS\TEMP\unpack\strwr.cab[csctx.dll]
Adware:Adware/Comet Not disinfected C:\WINDOWS\TEMP\unpack\strwr.cab[cseng.dll]
Adware:Adware/Comet Not disinfected C:\WINDOWS\TEMP\unpack\strwr.cab[csietb.dll]
Adware:Adware/Comet Not disinfected C:\WINDOWS\TEMP\unpack\strwr.cab[skinui.dll]
Adware:Adware/Comet Not disinfected C:\WINDOWS\TEMP\unpack\strwr.cab[comet.exe]
Adware:Adware/Comet Not disinfected C:\WINDOWS\TEMP\unpack\strwr.cab[csbrange.dll]
Adware:Adware/Comet Not disinfected C:\WINDOWS\TEMP\unpack\strwr.cab[fileutil.dll]
Adware:Adware/Comet Not disinfected C:\WINDOWS\TEMP\unpack\strwr.cab[csutil.dll]
Adware:Adware/Comet Not disinfected C:\WINDOWS\TEMP\unpack\strwr.cab[csapputil.dll]
Adware:Adware/Comet Not disinfected C:\WINDOWS\TEMP\unpack\strwr.cab[csinst.dll]
Adware:Adware/Comet Not disinfected C:\WINDOWS\TEMP\unpack\strwr.cab[comutil.dll]
Adware:Adware/Comet Not disinfected C:\WINDOWS\TEMP\unpack\strwr.cab[cstray.exe]
Adware:Adware/Comet Not disinfected C:\WINDOWS\TEMP\unpack\strwr.cab[csres.dat]
Adware:Adware/Comet Not disinfected C:\WINDOWS\TEMP\unpack\strwr.cab[csadzap.dll]
Adware:Adware/Comet Not disinfected C:\WINDOWS\TEMP\unpack\CC_43.inf
Adware:Adware/Comet Not disinfected C:\WINDOWS\TEMP\unpack\csres.dat
Adware:Adware/Comet Not disinfected C:\WINDOWS\TEMP\unpack\csadzap.dll
Virus:Trj/Imiserv.B Disinfected C:\WINDOWS\TEMP\ICD1.tmp\wupdt.exe
Adware:Adware/nCase Not disinfected C:\WINDOWS\TEMP\DelA1D5.TMP
Potentially unwanted tool:Application/PRScheduler Not disinfected C:\WINDOWS\Application Data\Microsoft\TuneUp\PowerReg Scheduler.exe
Potentially unwanted tool:Application/P2PNetworking Not disinfected C:\WINDOWS\Downloaded Program Files\WebP2PInstaller.dll
Spyware:Cookie/Atlas DMT Not disinfected C:\WINDOWS\Cookies\mike@atdmt[2].txt
Spyware:Cookie/Com.com Not disinfected C:\WINDOWS\Cookies\mike@com[1].txt
Spyware:Cookie/Euniverseads Not disinfected C:\WINDOWS\Cookies\mike@euniverseads[1].txt
Spyware:Cookie/SaveNow Not disinfected C:\WINDOWS\Cookies\mike@tracking.thunderdownloads[2].txt
Spyware:Cookie/Doubleclick Not disinfected C:\WINDOWS\Cookies\mike@doubleclick[1].txt
Spyware:Cookie/QkSrv Not disinfected C:\WINDOWS\Cookies\mike@qksrv[1].txt
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\WINDOWS\Cookies\mike@server.iad.liveperson[1].txt
Spyware:Cookie/Valueclick Not disinfected C:\WINDOWS\Cookies\mike@valueclick[1].txt
Spyware:Cookie/Hitbox Not disinfected C:\WINDOWS\Cookies\mike@hg1.hitbox[2].txt
Spyware:Cookie/Hitbox Not disinfected C:\WINDOWS\Cookies\mike@hitbox[2].txt
Spyware:Cookie/PayCounter Not disinfected C:\WINDOWS\Cookies\mike@paycounter[2].txt
Spyware:Cookie/WegCash Not disinfected C:\WINDOWS\Cookies\mike@programs.wegcash[1].txt
Spyware:Cookie/Adserver Not disinfected C:\WINDOWS\Cookies\mike@z1.adserver[1].txt
Spyware:Cookie/n-CASE Not disinfected C:\WINDOWS\Cookies\mike@180solutions[2].txt
Spyware:Cookie/FastClick Not disinfected C:\WINDOWS\Cookies\mike@fastclick[2].txt
Spyware:Cookie/Tribalfusion Not disinfected C:\WINDOWS\Cookies\mike@tribalfusion[1].txt
Spyware:Cookie/Adrevolver Not disinfected C:\WINDOWS\Cookies\mike@adrevolver[2].txt
Spyware:Cookie/Advertising Not disinfected C:\WINDOWS\Cookies\mike@advertising[1].txt
Spyware:Cookie/Kazaa Networks Not disinfected C:\WINDOWS\Cookies\mike@276[1].txt
Spyware:Cookie/Advertising Not disinfected C:\WINDOWS\Cookies\mike@servedby.advertising[1].txt
Spyware:Cookie/Mammamediasolutions Not disinfected C:\WINDOWS\Cookies\mike@targetnet[2].txt
Spyware:Cookie/Kazaa Networks Not disinfected C:\WINDOWS\Cookies\mike@desktop.kazaa[2].txt
Spyware:Cookie/Casalemedia Not disinfected C:\WINDOWS\Cookies\mike@casalemedia[1].txt
Spyware:Cookie/AdDynamix Not disinfected C:\WINDOWS\Cookies\mike@ads.addynamix[2].txt
Spyware:Cookie/myaffiliateprogram Not disinfected C:\WINDOWS\Cookies\anyuser@www.myaffiliateprogram[1].txt
Spyware:Cookie/YieldManager Not disinfected C:\WINDOWS\Cookies\anyuser@ad.yieldmanager[2].txt
Spyware:Cookie/n-CASE Not disinfected C:\WINDOWS\Cookies\anyuser@180solutions[1].txt
Spyware:Cookie/Statcounter Not disinfected C:\WINDOWS\Cookies\anyuser@statcounter[1].txt
Spyware:Cookie/Clickbank Not disinfected C:\WINDOWS\Cookies\anyuser@clickbank[2].txt
Spyware:Cookie/Adserver Not disinfected C:\WINDOWS\Cookies\anyuser@z1.adserver[1].txt
Spyware:Cookie/Zedo Not disinfected C:\WINDOWS\Cookies\anyuser@zedo[2].txt
Spyware:Cookie/Doubleclick Not disinfected C:\WINDOWS\Cookies\anyuser@doubleclick[1].txt
Spyware:Cookie/Com.com Not disinfected C:\WINDOWS\Cookies\anyuser@com[1].txt
Spyware:Cookie/Atlas DMT Not disinfected C:\WINDOWS\Cookies\anyuser@atdmt[2].txt
Spyware:Cookie/WebtrendsLive Not disinfected C:\WINDOWS\Cookies\anyuser@statse.webtrendslive[2].txt
Spyware:Cookie/Serving-sys Not disinfected C:\WINDOWS\Cookies\anyuser@serving-sys[1].txt
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\WINDOWS\Cookies\anyuser@server.iad.liveperson[1].txt
Spyware:Cookie/AdDynamix Not disinfected C:\WINDOWS\Cookies\mike@ads.addynamix[3].txt
Spyware:Cookie/YieldManager Not disinfected C:\WINDOWS\Cookies\mike@ad.yieldmanager[1].txt
Spyware:Cookie/YieldManager Not disinfected C:\WINDOWS\Cookies\mike@ad.yieldmanager[3].txt
Spyware:Cookie/Apmebf Not disinfected C:\WINDOWS\Cookies\anyuser@apmebf[2].txt
Spyware:Cookie/QkSrv Not disinfected C:\WINDOWS\Cookies\anyuser@qksrv[2].txt
Spyware:Cookie/Falkag Not disinfected C:\WINDOWS\Cookies\anyuser@as-us.falkag[2].txt
Spyware:Cookie/Atlas DMT Not disinfected C:\WINDOWS\Profiles\me\Cookies\mike@atdmt[2].txt
Spyware:Cookie/Com.com Not disinfected C:\WINDOWS\Profiles\me\Cookies\mike@com[1].txt
Spyware:Cookie/Euniverseads Not disinfected C:\WINDOWS\Profiles\me\Cookies\mike@euniverseads[1].txt
Spyware:Cookie/SaveNow Not disinfected C:\WINDOWS\Profiles\me\Cookies\mike@tracking.thunderdownloads[2].txt
Spyware:Cookie/Doubleclick Not disinfected C:\WINDOWS\Profiles\me\Cookies\mike@doubleclick[1].txt
Spyware:Cookie/QkSrv Not disinfected C:\WINDOWS\Profiles\me\Cookies\mike@qksrv[1].txt
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\WINDOWS\Profiles\me\Cookies\mike@server.iad.liveperson[1].txt
Spyware:Cookie/Valueclick Not disinfected C:\WINDOWS\Profiles\me\Cookies\mike@valueclick[1].txt
Spyware:Cookie/Hitbox Not disinfected C:\WINDOWS\Profiles\me\Cookies\mike@hg1.hitbox[2].txt
Spyware:Cookie/Hitbox Not disinfected C:\WINDOWS\Profiles\me\Cookies\mike@hitbox[2].txt
Spyware:Cookie/PayCounter Not disinfected C:\WINDOWS\Profiles\me\Cookies\mike@paycounter[2].txt
Spyware:Cookie/WegCash Not disinfected C:\WINDOWS\Profiles\me\Cookies\mike@programs.wegcash[1].txt
Spyware:Cookie/Adserver Not disinfected C:\WINDOWS\Profiles\me\Cookies\mike@z1.adserver[1].txt
Spyware:Cookie/n-CASE Not disinfected C:\WINDOWS\Profiles\me\Cookies\mike@180solutions[2].txt
Spyware:Cookie/FastClick Not disinfected C:\WINDOWS\Profiles\me\Cookies\mike@fastclick[2].txt
Spyware:Cookie/Tribalfusion Not disinfected C:\WINDOWS\Profiles\me\Cookies\mike@tribalfusion[1].txt
Spyware:Cookie/Adrevolver Not disinfected C:\WINDOWS\Profiles\me\Cookies\mike@adrevolver[2].txt
Spyware:Cookie/Advertising Not disinfected C:\WINDOWS\Profiles\me\Cookies\mike@advertising[1].txt
Spyware:Cookie/Kazaa Networks Not disinfected C:\WINDOWS\Profiles\me\Cookies\mike@276[1].txt
Spyware:Cookie/Advertising Not disinfected C:\WINDOWS\Profiles\me\Cookies\mike@servedby.advertising[1].txt
Spyware:Cookie/Mammamediasolutions Not disinfected C:\WINDOWS\Profiles\me\Cookies\mike@targetnet[2].txt
Spyware:Cookie/Kazaa Networks Not disinfected C:\WINDOWS\Profiles\me\Cookies\mike@desktop.kazaa[2].txt
Spyware:Cookie/Casalemedia Not disinfected C:\WINDOWS\Profiles\me\Cookies\mike@casalemedia[1].txt
Spyware:Cookie/AdDynamix Not disinfected C:\WINDOWS\Profiles\me\Cookies\mike@ads.addynamix[2].txt
Spyware:Cookie/n-CASE Not disinfected C:\WINDOWS\Profiles\me\Cookies\anyuser@180solutions[1].txt
Spyware:Cookie/Adserver Not disinfected C:\WINDOWS\Profiles\me\Cookies\anyuser@z1.adserver[1].txt
Spyware:Cookie/AdDynamix Not disinfected C:\WINDOWS\Profiles\me\Cookies\mike@ads.addynamix[3].txt
Spyware:Cookie/YieldManager Not disinfected C:\WINDOWS\Profiles\me\Cookies\mike@ad.yieldmanager[1].txt
Spyware:Cookie/YieldManager Not disinfected C:\WINDOWS\Profiles\me\Cookies\mike@ad.yieldmanager[3].txt
Spyware:Cookie/YieldManager Not disinfected C:\WINDOWS\Profiles\me\Cookies\me@ad.yieldmanager[2].txt
Spyware:Cookie/YieldManager Not disinfected C:\RECYCLED\NPROTECT\00002238.TXT
Virus:Trj/Imiserv.B Disinfected C:\RECYCLED\NPROTECT\00002475.EXE
Adware:Adware/KeenValue Not disinfected C:\Program Files\Common Files\updmgr\rvupdmgr.exe
Adware:Adware/KeenValue Not disinfected C:\Program Files\Common Files\updmgr\updmgr.exe
Adware:Adware/KeenValue Not disinfected C:\Program Files\Common Files\updmgr\simgr.exe
Spyware:Spyware/BetterInet Not disinfected C:\Program Files\Common Files\updmgr\data2.dat
Potentially unwanted tool:Application/Altnet Not disinfected C:\Program Files\Kazaa\TopSearch.dll
Potentially unwanted tool:Application/Altnet Not disinfected C:\Program Files\Altnet\Download Manager\asm.exe
Potentially unwanted tool:Application/Altnet Not disinfected C:\Program Files\Altnet\Download Manager\asmps.dll
Potentially unwanted tool:Application/Altnet Not disinfected C:\Program Files\Altnet\Download Manager\admdloader.dll
Potentially unwanted tool:Application/Altnet Not disinfected C:\Program Files\Altnet\Download Manager\admdata.dll
Potentially unwanted tool:Application/Altnet Not disinfected C:\Program Files\Altnet\Download Manager\admfdi.dll
Potentially unwanted tool:Application/Altnet Not disinfected C:\Program Files\Altnet\Download Manager\adm25.dll
Potentially unwanted tool:Application/Altnet Not disinfected C:\Program Files\Altnet\Download Manager\adm.exe
Potentially unwanted tool:Application/Altnet Not disinfected C:\Program Files\Altnet\Download Manager\adm4.dll
Potentially unwanted tool:Application/Altnet Not disinfected C:\Program Files\Altnet\Download Manager\admprog.dll
Potentially unwanted tool:Application/Altnet Not disinfected C:\Program Files\Altnet\Download Manager\asmend.exe
Potentially unwanted tool:Application/Altnet Not disinfected C:\Program Files\Altnet\Download Manager\altnetuninstall.exe
Potentially unwanted tool:Application/Altnet Not disinfected C:\Program Files\Altnet\Points Manager\sysdetect.dll
Potentially unwanted tool:Application/Altnet Not disinfected C:\Program Files\Altnet\Points Manager\Points Manager.exe
Potentially unwanted tool:Application/MyWay Not disinfected C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL
Adware:Adware/Comet Not disinfected C:\Program Files\Comet Systems\DM\bin\dmproxy.dll
Adware:Adware/Comet Not disinfected C:\Program Files\Comet Systems\DM\bin\cssecure.dll
Adware:Adware/Comet Not disinfected C:\Program Files\Comet Systems\DM\bin\dmfilemap.xml
Adware:Adware/nCase Not disinfected C:\Program Files\180search Assistant\180sahook.dll



And my most recent, yesterday:





Incident Status Location

Adware:adware/comet Not disinfected c:\windows\inf\dm.inf
Adware:adware/keenvalue Not disinfected c:\windows\browserxtras\pn\remove.exe
Potentially unwanted tool:application/bestoffer Not disinfected c:\windows\smdat32m.sys
Adware:adware program Not disinfected c:\windows\ss3unstl.exe
Adware:adware/ieplugin Not disinfected c:\windows\kwv2.dat
Adware:adware/ncase Not disinfected c:\windows\msbbi.exe
Potentially unwanted tool:Application/P2PNetworking Not disinfected C:\WINDOWS\SYSTEM\P2P Networking v124.cpl
Potentially unwanted tool:Application/P2PNetworking Not disinfected C:\WINDOWS\TEMP\p2psetup.exe
Adware:Adware/Comet Not disinfected C:\WINDOWS\TEMP\unpack\CC_43.inf
Adware:Adware/Comet Not disinfected C:\WINDOWS\TEMP\unpack\csadzap.dll
Adware:Adware/nCase Not disinfected C:\WINDOWS\TEMP\DelA1D5.TMP
Potentially unwanted tool:Application/PRScheduler Not disinfected C:\WINDOWS\Application Data\Microsoft\TuneUp\PowerReg Scheduler.exe
Spyware:Cookie/Com.com Not disinfected C:\WINDOWS\Cookies\mike@com[1].txt
Spyware:Cookie/Cgi-bin

#3 Hari25

  • Topic Starter

Posted 19 September 2006 - 03:56 AM

And here is a fresh HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 2:55:51 AM, on 19/09/06
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\ADVTOOLS\NPROTECT.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\KB918547\KB918547.EXE
C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
C:\PROGRAM FILES\KERIO\PERSONAL FIREWALL\PERSFW.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
C:\PROGRAM FILES\SPYWAREGUARD\SGMAIN.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\SPYWAREGUARD\SGBHP.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\KERIO\PERSONAL FIREWALL\PFWADMIN.EXE
C:\WINDOWS\NOTEPAD.EXE
C:\WINDOWS\NOTEPAD.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\HIJACKTHIS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R3 - URLSearchHook: (no name) - {0428FFC7-1931-45b7-95CB-3CBB919777E1} - (no file)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\PROGRAM FILES\SPYWAREGUARD\DLPROTECT.DLL
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\ADVTOOLS\ADVCHK.EXE
O4 - HKLM\..\Run: [NPROTECT] C:\PROGRA~1\NORTON~1\ADVTOOLS\NPROTECT.EXE
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [CriticalUpdate] C:\WINDOWS\SYSTEM\wucrtupd.exe -startup
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [ccEvtMgr] "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
O4 - HKLM\..\RunServices: [NPROTECT] C:\PROGRA~1\NORTON~1\ADVTOOLS\NPROTECT.EXE
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [KB918547] C:\WINDOWS\SYSTEM\KB918547\KB918547.EXE
O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
O4 - HKLM\..\RunServices: [PersFw] "C:\Program Files\Kerio\Personal Firewall\persfw.exe" /hide
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmwordtrans.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsimilar.html
O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate Page into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmtrans.html
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} -
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab



Thanks again :thumbsup:

#4 Blender

  • Malware Response Team

Posted 19 September 2006 - 05:02 AM

In case anyone wonders why Hari25 posted other logs before being asked here: I asked him to in IRC.

Hi Hari25;

Looks like you had quite the fight!

Not too much left I don't think.

First the tools we'll need. Don't run any till I tell you. OK?

Download Symantec's ieplugin removal tool from here and save it to the desktop:

http://securityresponse.symantec.com/avcenter/FxIeplgn.exe

Download Killbox from Here and save it to your desktop:

http://killbox.net/downloads/KillBox.exe

Please be careful with the Killbox tool. It is very powerful and will delete whatever you tell it to, including system files!! Only delete what I tell you.

Copy the rest of the instructions to a text file or print them out. You will need your browsers closed during most of the fix.

1.) Close all open browser windows.
Disconnect from the internet and disable your Norton so it does not interfere.

Double-click the FxIeplgn.exe you downloaded from Symantec and click "Start" to run the scan.
It will scan your computer and remove whatever remains of IEPlugin.

It may ask you to reboot; do so if it tells you.
A log will be created on the desktop. I will need this later.

2.) Open Killbox.exe

If you get an error running Killbox complaining that the file 'MsComCtl.ocx' is missing/corrupt, please download and install "missingfilesetup.exe" from here:

http://www.javacoolsoftware.net/downloads/...ngfilesetup.exe

Once it is done... try Killbox again.

Check the "Delete at reboot" option, then press "All Files". It should be flashing green.

Copy the following list by highlighting it and pressing Ctrl+C

c:\windows\inf\dm.inf
c:\windows\ss3unstl.exe
c:\windows\kwv2.dat
c:\windows\smdat32m.sys
c:\windows\msbbi.exe
C:\WINDOWS\SYSTEM\P2P Networking v124.cpl
C:\WINDOWS\TEMP\p2psetup.exe
C:\WINDOWS\TEMP\unpack\CC_43.inf
C:\WINDOWS\TEMP\unpack\csadzap.dll
C:\WINDOWS\TEMP\DelA1D5.TMP


Click the "File" menu and choose "Paste from clipboard".

Hit the red button with the white X.
OK the prompt.

The computer will reboot. If it does not reboot or gives the message "Pending operations was stopped by external process!" then just restart it manually. I need you to start in safe mode.

  • As the computer starts, press and hold down the F8 key until the Windows 98 Startup Menu appears.
  • Ensure that the Safe Mode option is selected.
  • Press Enter. The computer then begins to start in Safe mode.

Graphics will look awful. That is normal for safe mode.

Find and delete the following folders if they exist:

c:\windows\browserxtras

Start HijackThis, run a system scan and check (if present):

R3 - URLSearchHook: (no name) - {0428FFC7-1931-45b7-95CB-3CBB919777E1} - (no file)
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} -


Once checked, close any open windows except HijackThis and click "Fix checked".

Reboot back to normal mode. Before you connect to the internet make sure your Norton is back on and fully enabled.

Please post:

New HijackThis log
The log FxIeplgn created
Contents of c:\!Killbox\logs\kb.log

Careful in the !Killbox folder! It has live malware in it! (backups created by Killbox)
We'll take care of these later.

Let me know how the system is running please.

Thanks :thumbsup:
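The two HijackThis entries Blender has the poster fix (the R3 URLSearchHook and the bare O16 DPF line) are both "orphans": a CLSID that is still registered but whose file or download URL no longer exists. As an added example, not code from this thread or from HijackThis itself, here is a small Python triage script that parses HJT log lines in the format shown above, flags such orphaned entries, and diffs two scans so a "before" and "after" log can be compared. The sample logs are constructed from lines posted in this thread; the "after" log is shortened and assumed for illustration.

```python
import re
from dataclasses import dataclass

# A HijackThis entry line: "R3 - URLSearchHook: ..." or "O16 - DPF: {GUID} (Name) - URL".
# Process-list lines, headers and blanks do not match and are skipped.
ENTRY_RE = re.compile(r"^(?P<kind>[RFNO]\d+) - (?P<body>.*)$")
GUID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")


@dataclass(frozen=True)
class Entry:
    kind: str  # section code, e.g. "R3", "O2", "O16"
    body: str  # rest of the line, verbatim

    @property
    def guid(self):
        """CLSID in the entry, upper-cased, or None if there is none."""
        m = GUID_RE.search(self.body)
        return m.group(0).upper() if m else None


def parse_hjt(text):
    """Return the R*/F*/N*/O* entries of a HijackThis log, in log order."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(Entry(m.group("kind"), m.group("body").rstrip()))
    return entries


def is_orphan(entry):
    """True for an entry that is still registered but points at nothing.

    HJT prints "(no file)" when the DLL/EXE behind a hook, BHO or button is
    gone, and an O16 DPF line that ends in a bare "-" has no download URL left
    for its ActiveX control. Both are leftovers of a removed program and are
    the kind of line a helper has the user "fix checked" in HJT.
    """
    if entry.body.endswith("(no file)"):
        return True
    return entry.kind == "O16" and entry.body.endswith("-")


def orphans(text):
    """All orphaned entries in a log, in log order."""
    return [e for e in parse_hjt(text) if is_orphan(e)]


def _sort_key(entry):
    # "O2" before "O16": sort by letter, then numeric section, then text.
    return (entry.kind[0], int(entry.kind[1:]), entry.body)


def diff_logs(before, after):
    """(removed, added) entries between two scans of the same machine."""
    b, a = set(parse_hjt(before)), set(parse_hjt(after))
    return sorted(b - a, key=_sort_key), sorted(a - b, key=_sort_key)


# Constructed sample: lines taken from the thread's 19 Sept log, trimmed.
BEFORE_LOG = r"""
Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\EXPLORER.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R3 - URLSearchHook: (no name) - {0428FFC7-1931-45b7-95CB-3CBB919777E1} - (no file)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} -
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
"""

# Constructed "after" log (assumed): the two fixed entries are gone, two new ones appear.
AFTER_LOG = r"""
Logfile of HijackThis v1.99.1
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
"""

if __name__ == "__main__":
    print("Orphaned entries in the first log:")
    for e in orphans(BEFORE_LOG):
        print(f"  {e.kind} {e.guid}  {e.body}")
    removed, added = diff_logs(BEFORE_LOG, AFTER_LOG)
    print("Removed by the fix:", [e.kind for e in removed])
    print("New since the fix: ", [e.kind for e in added])
```

Note that a "(no name)" BHO such as Spybot's SDHELPER.DLL is not flagged: the check keys on the missing file, not on the missing display name.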

#5 Hari25

  • Topic Starter

Posted 19 September 2006 - 06:23 AM

Hi, thanks again :thumbsup:

Here are the 3 logs you asked for.

Symantec Adware.IEPlugin Removal Tool 1.0.5


registry: HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main: Enable Browser Extensions (value deleted)
c:\WINDOWS\TEMP\~DF90A8.TMP: (deleted)
c:\WINDOWS\TEMP\CDASilentInstall0501.exe: (deleted)
c:\WINDOWS\Temporary Internet Files\Content.IE5\VX4X7UGE\dotclear[1].gif: (deleted)
c:\WINDOWS\browserxtras\pn\remove.exe: (deleted)
c:\RECYCLED\NPROTECT\00000037.EXE: (deleted)
c:\Program Files\Kazaa\Help\spacer.gif: (deleted)
C:\WINDOWS\extract.exe: (deleted)

registry: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main: Use Custom Search URL (value deleted)
registry: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main: Use Search Asst (value deleted)
registry: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchUrl (key deleted)
registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main: Search Bar (value deleted)
registry: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components: GeneralFlags (value set to 0x00000004 (4))
registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main: Search Page (value set to "http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch")
registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Search: CustomizeSearch (value set to "http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm")
registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Search: SearchAssistant (value set to "http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm")
registry: HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main: Search Page (value set to "http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch")

Adware.IEPlugin has been successfully removed from your computer!

Here is the report:

The total number of the scanned files: 14513
The number of deleted files: 7
The number of threat processes terminated: 0
The number of other processes terminated: 0
The number of registry entries fixed: 10







Pocket Killbox version 2.0.0.881
Running on Windows 98 as
was started @ Tuesday, September 19, 2006, 4:59 AM

# 1 [Files to Delete]
Path = c:\windows\inf\dm.inf
*File Was Deleted

Killbox Closed(Exit) @ 5:01:16 AM
__________________________________________________

???? It looks like Killbox only deleted 1 file.... I used the paste to clipboard option and there was more than 1 file there...

Killbox did not reboot my PC; I did it manually... I am going to try Killbox again... here is my HJT log




Logfile of HijackThis v1.99.1
Scan saved at 5:09:00 AM, on 19/09/06
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\EXPLORER.EXE
C:\HIJACKTHIS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\PROGRAM FILES\SPYWAREGUARD\DLPROTECT.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\ADVTOOLS\ADVCHK.EXE
O4 - HKLM\..\Run: [NPROTECT] C:\PROGRA~1\NORTON~1\ADVTOOLS\NPROTECT.EXE
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [CriticalUpdate] C:\WINDOWS\SYSTEM\wucrtupd.exe -startup
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [ccEvtMgr] "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
O4 - HKLM\..\RunServices: [NPROTECT] C:\PROGRA~1\NORTON~1\ADVTOOLS\NPROTECT.EXE
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [KB918547] C:\WINDOWS\SYSTEM\KB918547\KB918547.EXE
O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
O4 - HKLM\..\RunServices: [PersFw] "C:\Program Files\Kerio\Personal Firewall\persfw.exe" /hide
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmwordtrans.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsimilar.html
O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate Page into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmtrans.html
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab

Edited by Hari25, 19 September 2006 - 06:25 AM.


#6 Hari25


Posted 19 September 2006 - 06:36 AM

I used Killbox again... I had to delete each file individually, then I rebooted manually... Here is the new Killbox log:

Pocket Killbox version 2.0.0.881
Running on Windows 98 as
was started @ Tuesday, September 19, 2006, 4:59 AM

# 1 [Files to Delete]
Path = c:\windows\inf\dm.inf
*File Was Deleted

Killbox Closed(Exit) @ 5:01:16 AM
__________________________________________________

Pocket Killbox version 2.0.0.881
Running on Windows 98 as
was started @ Tuesday, September 19, 2006, 5:27 AM

# 1 [Files to Delete]
Path = c:\windows\ss3unstl.exe
*File Was Deleted

# 2 [Files to Delete]
Path = c:\windows\kwv2.dat
*File Was Deleted

# 3 [Files to Delete]
Path = c:\windows\smdat32m.sys
*File Was Deleted

# 4 [Files to Delete]
Path = c:\windows\msbbi.exe
*File Was Deleted

# 5 [Files to Delete]
Path = C:\WINDOWS\SYSTEM\P2P Networking v124.cpl
*File Was Deleted

# 6 [Files to Delete]
Path = C:\WINDOWS\TEMP\p2psetup.exe
*File Was Deleted

# 7 [Files to Delete]
Path = C:\WINDOWS\TEMP\unpack\CC_43.inf
*File Was Deleted

# 8 [Files to Delete]
Path = C:\WINDOWS\TEMP\unpack\csadzap.dll
*File Was Deleted

# 9 [Files to Delete]
Path = C:\WINDOWS\TEMP\DelA1D5.TMP
*File Was Deleted

Killbox Closed(Exit) @ 5:30:55 AM
__________________________________________________

#7 Blender


Posted 19 September 2006 - 06:47 PM

Hi Hari;

Sorry I took a while; I didn't get my mail notice that you replied back, so I had to come hunting for you... :thumbsup:

OK; let's clean up what we did so far and I'll get you to do another scan.

Things running pretty good now?

Open Killbox.exe
Click "File" > point to "Clean Up" > select "Delete All Backups" > OK the prompt.
Exit Killbox.
That action deletes all the nasties out of the !Killbox folder.

You can delete FxIeplgn.exe off the desktop along with its log.

So the next scan does not show me a million quarantined files... :flowers:

Please open your Norton AntiVirus and clean out its quarantine. It's safe to delete whatever it has there.
Do the same for Ad-Aware and Spybot S&D.

Then open Internet Options in your Control Panel, click "Delete Files" and select to delete "offline content". Hit OK.

Now click Start > Run > type cleanmgr and hit Enter.
Choose drive C: to clean.
Have checked ONLY:

Temporary internet files
Temporary files
Recycle bin.

Hit OK to clean. It will exit when done.

Next....

Using Internet Explorer please do an online scan with Kaspersky Online Scanner

Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky; click Yes.
  • The program will launch and then start to download the latest definition files.
  • Once the scanner is installed and the definitions downloaded, click Next.
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
      • Extended (If available otherwise Standard)
    • Scan Options:
      • Scan Archives
      • Scan Mail Bases
  • Click OK
  • Now under select a target to scan select My Computer
  • The scan will take a while so be patient and let it run. Once the scan is complete it will display if your system has been infected.
  • Now click on the Save button.
  • Save the file to your desktop. It will save as an html file on the desktop (web page).
  • Open the file you just saved and copy/paste it into your next reply.
*Note
It is recommended to disable your onboard antivirus and antispyware programs while performing scans, to avoid conflicts and to speed up scan time.
Please don't go surfing while your resident protection is disabled!
Once the scan is finished, remember to re-enable resident antivirus protection along with whatever antispyware app you use.

Please also post a fresh HijackThis log from normal mode.

**Note
Because the Kaspersky log is going to be kinda spaced out by copying the text from an html page to here, you may need more than one post to get both logs in.

Thanks :huh:
I'll have an order of massive trojan attack please with a side order of rootkit and virus dip.
Pre-course order of fresh spyware salad please with a side order of polymorphic dressing.
And to drink...a nice tall glass of adware!

For dessert; can I have a bowl of the freshest worms you have please?.

Never Give Up!

If you are happy with the service I provided, please consider making a donation to help me continue the fight against Malware

#8 Blender


Posted 19 September 2006 - 06:54 PM

Me again...hehe

While waiting for me to get back... best to update your version of Java.

Please follow the steps to remove older-version Java components:

Go to http://java.sun.com/j2se/1.5.0/download.jsp and download the latest version from the website

You want this one:

Java Runtime Environment (JRE) 5.0 Update 8

On the next page that comes up you need to accept the agreement to download it.
First in the list is the offline installation.
This is the one to download.
Save it to your desktop.
Once you have saved the file continue.....


1. Close any open programs you may have running, especially your web browser
2. Click Start > Control Panel
* Depending on your OS or configuration, you may have to click Start > Settings > Control Panel
3. Open Add or Remove Programs
* If you have Windows 98 or Windows 2000, open Add/Remove Programs
4. Click once on any item listing Java Runtime Environment in the name
* Not every version of Java will begin with "Java" so be sure to read each entry in the list
5. Click the Remove or Change/Remove button
6. Follow steps 4 and 5 as many times as necessary to remove all versions of Java
7. Reboot your PC once all Java components have been removed
8. Proceed with reinstalling Java

You may need to reboot when done.

Let me know if you had any problems.

Thanks :thumbsup:

#9 Hari25


Posted 21 September 2006 - 02:56 AM

Hi, I'm back :thumbsup:
I was gone for a day...
Here are the logs, thanks

KASPERSKY ONLINE SCANNER REPORT
Thursday, September 21, 2006 1:49:20 AM
Operating System: Microsoft Windows 98 SE
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 21/09/2006
Kaspersky Anti-Virus database records: 225236
Scan Settings
Scan using the following antivirus database extended
Scan Archives true
Scan Mail Bases true
Scan Target My Computer
a:\
c:\
d:\
Scan Statistics
Total number of scanned objects 16381
Number of viruses found 3
Number of infected objects 6 / 0
Number of suspicious objects 0
Duration of the scan process 00:29:14

Infected Object Name Virus Name Last Action
c:\WINDOWS\TEMP\~DFE80E.TMP Object is locked skipped
c:\WINDOWS\TEMP\~DF107E.TMP Object is locked skipped
c:\WINDOWS\WIN386.SWP Object is locked skipped
c:\WINDOWS\Application Data\Mozilla\Firefox\Profiles\y4wd48im.default\Cache\_CACHE_MAP_ Object is locked skipped
c:\WINDOWS\Application Data\Mozilla\Firefox\Profiles\y4wd48im.default\Cache\_CACHE_001_ Object is locked skipped
c:\WINDOWS\Application Data\Mozilla\Firefox\Profiles\y4wd48im.default\Cache\_CACHE_002_ Object is locked skipped
c:\WINDOWS\Application Data\Mozilla\Firefox\Profiles\y4wd48im.default\Cache\_CACHE_003_ Object is locked skipped
c:\WINDOWS\Application Data\Mozilla\Firefox\Profiles\y4wd48im.default\history.dat Object is locked skipped
c:\WINDOWS\Application Data\Mozilla\Firefox\Profiles\y4wd48im.default\parent.lock Object is locked skipped
c:\WINDOWS\Application Data\Mozilla\Firefox\Profiles\y4wd48im.default\cert8.db Object is locked skipped
c:\WINDOWS\Application Data\Mozilla\Firefox\Profiles\y4wd48im.default\key3.db Object is locked skipped
c:\WINDOWS\Application Data\Mozilla\Firefox\Profiles\y4wd48im.default\formhistory.dat Object is locked skipped
c:\WINDOWS\SchedLog.Txt Object is locked skipped
c:\WINDOWS\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
c:\WINDOWS\Cookies\index.dat Object is locked skipped
c:\WINDOWS\History\History.IE5\index.dat Object is locked skipped
c:\WINDOWS\Local Settings\Application Data\Microsoft\Internet Explorer\MSIMGSIZ.DAT Object is locked skipped
c:\RECYCLED\NPROTECT\NPROTECT.LOG Object is locked skipped
c:\RECYCLED\NPROTECT\00002450.EXE/msbb.exe Infected: not-a-virus:AdWare.Win32.180Solutions skipped
c:\RECYCLED\NPROTECT\00002450.EXE CAB: infected - 1 skipped
c:\RECYCLED\NPROTECT\00002450.EXE MimarSinan: infected - 1 skipped
c:\RECYCLED\NPROTECT\00002450.EXE UPX: infected - 1 skipped
c:\RECYCLED\NPROTECT\00002454.DLL Infected: not-a-virus:AdWare.Win32.Comet.v skipped
c:\Program Files\Norton AntiVirus\AVVirus.log Object is locked skipped
c:\Program Files\Norton AntiVirus\AVApp.log Object is locked skipped
c:\Program Files\Norton AntiVirus\AVError.log Object is locked skipped
c:\Program Files\Kazaa\TopSearch.dll Infected: not-a-virus:AdWare.Win32.Altnet.c skipped
Scan process completed.



Logfile of HijackThis v1.99.1
Scan saved at 1:52:03 AM, on 21/09/06
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\ADVTOOLS\NPROTECT.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\KB918547\KB918547.EXE
C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
C:\PROGRAM FILES\KERIO\PERSONAL FIREWALL\PERSFW.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
C:\PROGRAM FILES\SPYWAREGUARD\SGMAIN.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\SPYWAREGUARD\SGBHP.EXE
C:\PROGRAM FILES\MOZILLA FIREFOX\FIREFOX.EXE
C:\HIJACKTHIS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\PROGRAM FILES\SPYWAREGUARD\DLPROTECT.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\ADVTOOLS\ADVCHK.EXE
O4 - HKLM\..\Run: [NPROTECT] C:\PROGRA~1\NORTON~1\ADVTOOLS\NPROTECT.EXE
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [CriticalUpdate] C:\WINDOWS\SYSTEM\wucrtupd.exe -startup
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [ccEvtMgr] "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
O4 - HKLM\..\RunServices: [NPROTECT] C:\PROGRA~1\NORTON~1\ADVTOOLS\NPROTECT.EXE
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [KB918547] C:\WINDOWS\SYSTEM\KB918547\KB918547.EXE
O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
O4 - HKLM\..\RunServices: [PersFw] "C:\Program Files\Kerio\Personal Firewall\persfw.exe" /hide
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmwordtrans.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsimilar.html
O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate Page into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmtrans.html
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRAM FILES\JAVA\JRE1.5.0_06\BIN\SSV.DLL
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRAM FILES\JAVA\JRE1.5.0_06\BIN\SSV.DLL
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...ebscan_ansi.cab

thx again :flowers:

#10 Hari25


Posted 21 September 2006 - 03:34 AM

Hi... brand new HJT log :thumbsup:



Logfile of HijackThis v1.99.1
Scan saved at 2:33:26 AM, on 21/09/06
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\ADVTOOLS\NPROTECT.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\KB918547\KB918547.EXE
C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
C:\PROGRAM FILES\SPYWAREGUARD\SGMAIN.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\SPYWAREGUARD\SGBHP.EXE
C:\PROGRAM FILES\MOZILLA FIREFOX\FIREFOX.EXE
C:\HIJACKTHIS\HIJACKTHIS.EXE
C:\PROGRAM FILES\ACCESSORIES\WORDPAD.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\KERIO\PERSONAL FIREWALL\PERSFW.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\PROGRAM FILES\SPYWAREGUARD\DLPROTECT.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\ADVTOOLS\ADVCHK.EXE
O4 - HKLM\..\Run: [NPROTECT] C:\PROGRA~1\NORTON~1\ADVTOOLS\NPROTECT.EXE
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [ccEvtMgr] "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
O4 - HKLM\..\RunServices: [NPROTECT] C:\PROGRA~1\NORTON~1\ADVTOOLS\NPROTECT.EXE
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [KB918547] C:\WINDOWS\SYSTEM\KB918547\KB918547.EXE
O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
O4 - HKLM\..\RunServices: [PersFw] "C:\Program Files\Kerio\Personal Firewall\persfw.exe" /hide
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\npjpi150_08.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\npjpi150_08.dll
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...ebscan_ansi.cab

#11 Blender


Posted 21 September 2006 - 03:53 AM

Hi;

Once you have removed Kazaa as per our IRC discussion...
You can delete this folder:

c:\Program Files\Kazaa

Empty recycle bin
Right click on recycle bin and select "empty Norton protected recycle bin".
Ok the prompt.

You can save resources if you fix this entry with HijackThis:

O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\ADVTOOLS\ADVCHK.EXE


All that does is remind you that you have an old version of Norton installed if you try to install a new one before uninstalling the old one.

If you don't want Norton controlling your recycle bin you can disable the recycle bin protection too. Recycle bin will work as it does normally.

Not sure where exactly the option is in Norton but best to disable it there.

Reboot.

About that program you are trying to remove..."operation"..

Please do this:

Open Hijackthis
Click "Open Misc Tools section"
Click "Open Uninstall Manager"
Click "save list..."
Save the list someplace and post the log here. Leave Hijackthis open for a sec...

Highlight the "Operation" entry
At right side beside "uninstall command" copy/paste what is in that box here.

Thanks :thumbsup:

#12 Hari25


Posted 21 September 2006 - 04:28 AM

Hi,

This is the uninstall log:

Ad-Aware SE Personal
Adobe Acrobat 4.0
Adobe Flash Player 9 ActiveX
ATI Display Driver
BJ Printer Driver
DivX
DivX Player
HijackThis 1.99.1
Internet Explorer Q891781
J2SE Development Kit 5.0 Update 8
J2SE Runtime Environment 5.0 Update 6
J2SE Runtime Environment 5.0 Update 8
Kaspersky Online Scanner
Kerio Personal Firewall 2.1.5
LiveReg (Symantec Corporation)
Logitech QuickCam
Microsoft .NET Framework 1.1
Microsoft Internet Explorer 6 SP1 and Internet Tools
Microsoft Outlook Express 6
Microsoft VGX Q833989
Microsoft Windows Critical Update Notification
MSN Messenger 7.0
Mystic Island v3.22b
Norton AntiVirus 2003 Professional Edition
Operation
Outlook Express Q837009
Panda ActiveScan
Sound Blaster Live! Value
Sound Blaster Live! Value Drivers
Spybot - Search & Destroy 1.4
SpywareBlaster v3.5.1
SpywareGuard v2.2
VideoLAN VLC media player 0.8.5
Windows 98 KB891711 Update
Windows 98 KB896358 Update
Windows 98 KB908519 Update
Windows 98 KB918547 Update
Windows 98 Q823559 Update
Windows 98 Q888113 Update
Windows Media Player system update (9 Series)
WinZip



This is the uninstall command: C:\WINDOWS\uninst.exe -f"C:\Program Files\Hasbro Interactive\Operation\DeIsL1.isu"

thx again

#13 Blender


Posted 21 September 2006 - 02:13 PM

Hi

Thanks for the log.

Here is the add/remove entry related to windows update notification:
You can uninstall this since M$ is no longer updating 98.

Microsoft Windows Critical Update Notification

Also uninstall this version of Java:

J2SE Runtime Environment 5.0 Update 6


You will likely need to reboot when done.

What is the error you get trying to uninstall "operation"?

And can you check to see if this file exists:

C:\Program Files\Hasbro Interactive\Operation\DeIsL1.isu

Thanks :thumbsup:

Edited by Blender, 21 September 2006 - 04:15 PM.


#14 Hari25


Posted 21 September 2006 - 05:11 PM

Hi again... I must be blind... I have no idea how I missed the Critical Update entry.

The Hasbro file does not exist :s


The error I get is "unable to locate the installation log file 'C:\program files\hasbro interactive\operation\desl1.isu' uninstallation will not continue"

Edited by Hari25, 21 September 2006 - 05:17 PM.


#15 Hari25


Posted 21 September 2006 - 05:53 PM

Hi again... I've made some changes: I've replaced Norton with AVG and deleted MSN Messenger. I have questions about a couple of HJT entries:

O4 - HKLM\..\Run: [LoadQM] loadqm.exe

Isn't that part of MSN Messenger?

and
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)

I thought I got rid of this one previously...
This is a fresh log:
Logfile of HijackThis v1.99.1
Scan saved at 4:46:20 PM, on 21/09/06
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\KB918547\KB918547.EXE
C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
C:\PROGRAM FILES\KERIO\PERSONAL FIREWALL\PERSFW.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\PROGRAM FILES\SPYWAREGUARD\SGMAIN.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\SPYWAREGUARD\SGBHP.EXE
C:\HIJACKTHIS\HIJACKTHIS.EXE
C:\PROGRAM FILES\ACCESSORIES\WORDPAD.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\PROGRAM FILES\SPYWAREGUARD\DLPROTECT.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [KB918547] C:\WINDOWS\SYSTEM\KB918547\KB918547.EXE
O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
O4 - HKLM\..\RunServices: [PersFw] "C:\Program Files\Kerio\Personal Firewall\persfw.exe" /hide
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRAM FILES\JAVA\JRE1.5.0_08\BIN\SSV.DLL
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRAM FILES\JAVA\JRE1.5.0_08\BIN\SSV.DLL
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...ebscan_ansi.cab

thx :thumbsup:
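An added example, not code from this thread or from the HijackThis project: a small Python script that parses two HijackThis logs into their section entries (R0, O2, O4, O9 and so on) and reports what appeared, disappeared or still points at "(no file)" between scans, which is the question raised above about the O9 entry that keeps coming back. The two sample logs are constructed excerpts of the 19 and 21 September logs posted in this thread, with one path's letter case varied to show that the comparison ignores case.

```python
import re
from collections import defaultdict

# Constructed sample input: short excerpts modelled on the 19 Sept and 21 Sept
# HijackThis logs posted in this thread, not the complete logs. The SpywareGuard
# BHO path is deliberately upper-cased in the first log to exercise the
# case-insensitive comparison.
LOG_19_SEPT = r"""
Logfile of HijackThis v1.99.1
Scan saved at 5:09:00 AM, on 19/09/06
Platform: Windows 98 SE (Win9x 4.10.2222A)

Running processes:
C:\WINDOWS\EXPLORER.EXE
C:\HIJACKTHIS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\PROGRAM FILES\SPYWAREGUARD\DLPROTECT.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
"""

LOG_21_SEPT = r"""
Logfile of HijackThis v1.99.1
Scan saved at 4:46:20 PM, on 21/09/06

Running processes:
C:\WINDOWS\EXPLORER.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRAM FILES\JAVA\JRE1.5.0_08\BIN\SSV.DLL
"""

# HJT entry lines start with a section code (R0, R1, F1, O2, O4, O16, ...) and " - ".
ENTRY_RE = re.compile(r"^(R\d|F\d|O\d+) - (.+)$")


def parse_hjt(text):
    """Map each HJT section code to the set of entries listed under it.

    The header lines and the 'Running processes' block carry no section
    prefix and are skipped, so only the fixable entries are compared.
    """
    entries = defaultdict(set)
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            entries[m.group(1)].add(m.group(2))
    return dict(entries)


def _flatten(parsed):
    return {(sec, entry) for sec, entries in parsed.items() for entry in entries}


def _key(item):
    # Compare case-insensitively: HJT prints the same file in different case
    # from one run to the next (e.g. ...\bin\ssv.dll vs ...\BIN\SSV.DLL).
    sec, entry = item
    return sec, entry.casefold()


def _fmt(item):
    return f"{item[0]} - {item[1]}"


def diff_hjt(before_text, after_text):
    """Return added / removed / unchanged entries, plus those still pointing at '(no file)'."""
    before = _flatten(parse_hjt(before_text))
    after = _flatten(parse_hjt(after_text))
    before_keys = {_key(x) for x in before}
    after_keys = {_key(x) for x in after}
    return {
        "added": sorted(_fmt(x) for x in after if _key(x) not in before_keys),
        "removed": sorted(_fmt(x) for x in before if _key(x) not in after_keys),
        "unchanged": sorted(_fmt(x) for x in after if _key(x) in before_keys),
        # Orphaned entries: a registry reference whose target file is gone. Nothing
        # can run from it, but it survives reboots until the registry value itself
        # is removed, which is why it shows up again in every fresh log.
        "orphaned": sorted(_fmt(x) for x in after if x[1].endswith("(no file)")),
    }


def report(before_text, after_text):
    """Human-readable summary of what changed between two HijackThis scans."""
    d = diff_hjt(before_text, after_text)
    lines = []
    for title in ("removed", "added", "orphaned"):
        lines.append(f"{title.upper()} ({len(d[title])}):")
        lines.extend("  " + e for e in d[title])
    lines.append(f"UNCHANGED: {len(d['unchanged'])} entries")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(LOG_19_SEPT, LOG_21_SEPT))
```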



