Hjt log - Bonzai


This topic is locked
5 replies to this topic

#1 bonzai125


Posted 20 December 2004 - 05:11 PM

Hi,

Here follows the Hjt log. What happens is that now and then, maybe every 10 minutes, the laptop wants to connect to the internet. I have to click on Cancel 8 times in a row to get rid of it. Avg, adaware, spybot and cwshredder are all clean. One thing I should mention though: I cannot connect to the internet with this old laptop anymore, as there is no modem nor network card at the moment. I'm connecting with a desktop to download files and copy them to this laptop. I would be grateful if someone could help.

Logfile of HijackThis v1.99.0
Scan saved at 10:41:50, on 12/20/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v5.50 (5.50.4134.0600)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\TCDPLAY.DRV
C:\WINDOWS\SYSTEM\TWBROWSE.DRV
C:\WINDOWS\SYSTEM\JDBGMRG.EXE
C:\WINDOWS\SYSTEM\MSFINDOSA.EXE
C:\WINDOWS\SYSTEM\WINDFIND.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\S3SYSKEY.EXE
C:\WINDOWS\SYSTEM\TOSHIBSU.EXE
C:\WINDOWS\SYSTEM\PSPCCARD.EXE
C:\WINDOWS\SYSTEM\PWRTRAY.EXE
C:\WINDOWS\SYSTEM\TESCKEY.EXE
C:\WINDOWS\SYSTEM\TFUNCKEY.EXE
C:\WINDOWS\SYSTEM\THOTKEY.EXE
C:\0000000\MSOSA.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\WINDOWS\RunDLL.exe
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\TASKMON.EXE
C:\MY DOCUMENTS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.suoonerie.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.suoonerie.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.suoonerie.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.suoonerie.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.suoonerie.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.suoonerie.com
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [s3syskey] s3syskey.exe
O4 - HKLM\..\Run: [TOSHIBSU] TOSHIBSU.EXE
O4 - HKLM\..\Run: [PsPCCard] PsPCCard.EXE
O4 - HKLM\..\Run: [PowerTray] PwrTray.EXE
O4 - HKLM\..\Run: [TEscKey] TESCKEY.EXE
O4 - HKLM\..\Run: [TFunckey] TFUNCKEY.EXE
O4 - HKLM\..\Run: [THotkey] THotkey.Exe
O4 - HKLM\..\Run: [MSAdmin] C:\WINDOWS\SYSTEM\JDBGMRG.EXE
O4 - HKLM\..\Run: [msfindosa.exe] C:\WINDOWS\SYSTEM\msfindosa.exe
O4 - HKLM\..\Run: [atisrc2] C:\WINDOWS\SYSTEM\windfind.exe
O4 - HKLM\..\Run: [mmxrun] \0000000\msosa.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [TCDPlay] TCDPlay.Drv
O4 - HKLM\..\RunServices: [TWBrowse] TWBrowse.Drv
O4 - HKLM\..\RunServices: [MSAdmin] C:\WINDOWS\SYSTEM\JDBGMRG.EXE
O4 - HKLM\..\RunServices: [msfindosa.exe] C:\WINDOWS\SYSTEM\msfindosa.exe
O4 - HKLM\..\RunServices: [atisrc2] C:\WINDOWS\SYSTEM\windfind.exe
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - HKCU\..\Run: [li-thund00002] c:\program files\Webdialer\li-thund00002.exe -m
O4 - HKCU\..\Run: [System Update] C:\WINDOWS\System\taskmon.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE


#2 phawgg


Posted 23 December 2004 - 01:09 AM

I cannot connect to the internet with this old laptop anymore
as there is no modem nor network card at the moment.
I'm connecting with a desktop to download files and copy them to this laptop.

I need to mention that for the moment we can fix the infection, but if/when you go back online,
your first destination should be http://www.windowsupdate.com/
because the latest available MSIE service pack for this platform (W98 SE) is SP1, latest version no. is 6.00.2800.1106;
minimum requirement to avoid re-infection is SP1 (6.00.2800.1106).

That said, bonzai125, I will check your log and be back with you in about 24 hours.
patiently patrolling, plenty of persistent pests n' problems ...

#3 phawgg


Posted 23 December 2004 - 09:21 AM

bonzai125,
you will lose your Internet connection temporarily during the fix procedure.
Copy/paste these instructions to a notepad or copy/print the page to your PC so you have them to refer to.
Please read the information provided at the download & "info only" links, also.

Start-->Add or Remove Programs-->Uninstall (if found) any instances of Webdialer

Set your PC to: show hidden files. Check show hidden files & uncheck hide system files.
Additional information here.

Open your C:\HJT folder and double-click the icon. Close everything except HijackThis, nothing else on your desktop.

Run Hijackthis: click Scan, and put a checkmark next to each of the following objects:

See any point in keeping these? If not, delete them. Start & search pages will return to normal defaults.
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.suoonerie.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.suoonerie.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.suoonerie.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.suoonerie.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.suoonerie.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.suoonerie.com


O4 - HKLM\..\Run: [MSAdmin] C:\WINDOWS\SYSTEM\JDBGMRG.EXE
O4 - HKLM\..\Run: [msfindosa.exe] C:\WINDOWS\SYSTEM\msfindosa.exe
O4 - HKLM\..\Run: [atisrc2] C:\WINDOWS\SYSTEM\windfind.exe
O4 - HKLM\..\Run: [mmxrun] \0000000\msosa.exe
O4 - HKLM\..\RunServices: [MSAdmin] C:\WINDOWS\SYSTEM\JDBGMRG.EXE
O4 - HKLM\..\RunServices: [msfindosa.exe] C:\WINDOWS\SYSTEM\msfindosa.exe
O4 - HKLM\..\RunServices: [atisrc2] C:\WINDOWS\SYSTEM\windfind.exe
O4 - HKCU\..\Run: [li-thund00002] c:\program files\Webdialer\li-thund00002.exe -m
When you're sure that files marked for deletion are correct, click the Fix button.

Reboot your computer into Safe Mode by tapping F8 until
the DOS screen appears. Yes. Use the up arrow to choose safe mode. Hit enter. OK.

Search for, locate and delete these files or folders
(Don't be concerned if they don't exist, the previous steps may have eliminated them.)
Do not delete the main folders C:\WINDOWS or C:\Program Files.
To find them use: Start-->Search-->select "all files & folders"-->select "more advanced options"-->
check search "system folders", "hidden files & folders" & "sub-folders".
You may also navigate to the appropriate folder, right-click-->delete individual files.

Delete manually:
C:\WINDOWS\SYSTEM\JDBGMRG.EXE<-- this file only
C:\WINDOWS\SYSTEM\msfindosa.exe<--this file only
C:\WINDOWS\SYSTEM\windfind.exe<--this file only
\0000000\msosa.exe<--search for the file name and when found delete it and the folder it was in.
c:\program files\Webdialer\li-thund00002.exe -m<--search for the file name and when found delete it and the folder it was in.

Delete Temp Files
To clean out your temp files use:
Start-->Run-->type in: %temp% and press the ok button.
This should open up the temp directory that your machine uses.
Please delete all files and folders found in the temp folder.
If you get an error when deleting a file, skip that file and delete all the others.
Doing this in Safe Mode you should be able to delete all the files.

Reboot your computer to go back to normal mode.

Delete Temporary Internet Files use:
Start Button-->Internet Explorer-->Tools-->Internet Options-->General tab-->Delete Files button
Put a checkmark in Delete offline content.
Press the OK button. This may take quite a while, but when it is done your Temporary Internet Files will be deleted.

Empty the recycle bin.

Run HijackThis again and post the new log as a reply to this post.
(Include comments regarding any problems you might have had, and let us know if it's working better. Some additional options may exist.)

Edited by phawgg, 23 December 2004 - 09:22 AM.

patiently patrolling, plenty of persistent pests n' problems ...
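The checks phawgg applied by eye to the first log (IE start/search pages pointing at a non-default host, autostart entries launched from an odd folder, the same file registered under both Run and RunServices, a dialer set to start automatically) can be written down as a small triage script over HijackThis R0/R1/O4 lines. This is an added example, not code from the thread or from HijackThis; the sample lines are copied from the log posted above, the trusted-host list is an assumption, and the last check (the same file name started from two different directories, as with the two taskmon.exe entries) goes one step beyond what the helper called out.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse
# Constructed sample: a subset of the R0/R1/O4 lines from the first log in this thread.
SAMPLE_LOG = r"""
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.suoonerie.com
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [MSAdmin] C:\WINDOWS\SYSTEM\JDBGMRG.EXE
O4 - HKLM\..\Run: [mmxrun] \0000000\msosa.exe
O4 - HKLM\..\RunServices: [MSAdmin] C:\WINDOWS\SYSTEM\JDBGMRG.EXE
O4 - HKCU\..\Run: [li-thund00002] c:\program files\Webdialer\li-thund00002.exe -m
O4 - HKCU\..\Run: [System Update] C:\WINDOWS\System\taskmon.exe
"""
# Assumption: hosts that are acceptable defaults for IE start/search pages.
TRUSTED_PAGE_HOSTS = ("microsoft.com", "msn.com")
R_LINE = re.compile(r"^(R[01]) - (\S.*?) = (\S+)$")
O4_LINE = re.compile(r"^O4 - (HK\w+)\\\.\.\\(\w+): \[([^\]]*)\] (.*)$")

def exe_path(command):
    """Drop trailing switches such as '-m' or '/autorun'; normalise case."""
    m = re.match(r"^(.*?\.(?:exe|drv|dll))\b", command, re.IGNORECASE)
    return (m.group(1) if m else command).strip().lower()

def triage(log_text):
    """Return (item, reason) findings for the checks applied to this log."""
    findings = []
    keys_by_path = defaultdict(set)  # executable -> autostart keys it is registered under
    dirs_by_name = defaultdict(set)  # file name -> directories it is started from
    for line in log_text.strip().splitlines():
        m = R_LINE.match(line)
        if m:  # R0/R1: IE start, search and default pages
            host = urlparse(m.group(3)).hostname or ""
            if not any(host == h or host.endswith("." + h) for h in TRUSTED_PAGE_HOSTS):
                findings.append((line, f"browser page redirected to {host}"))
            continue
        m = O4_LINE.match(line)
        if not m:  # O3/O9/O16 and other sections are out of scope here
            continue
        hive, key, _name, command = m.groups()
        path = exe_path(command)
        folder, _, fname = path.rpartition("\\")
        keys_by_path[path].add(f"{hive}\\{key}")
        dirs_by_name[fname].add(folder)
        if folder.rsplit("\\", 1)[-1].isdigit():  # e.g. \0000000\
            findings.append((line, "autostart from a numeric-only folder"))
        if "webdialer" in path:
            findings.append((line, "dialer component set to start automatically"))
    for path, keys in keys_by_path.items():
        if len(keys) > 1:  # same file under both Run and RunServices
            findings.append((path, "same file registered under " + ", ".join(sorted(keys))))
    for fname, folders in dirs_by_name.items():
        if len(folders) > 1:  # look-alike copy started from a second directory
            findings.append((fname, "same file name in several directories"))
    return findings
```

Running `triage(SAMPLE_LOG)` flags exactly the entries phawgg listed for fixing plus the duplicated taskmon.exe, while the stock ScanRegistry entry is left alone.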

#4 bonzai125


Posted 23 December 2004 - 04:14 PM

Thank you phawgg. I managed to log on to the internet and do a windows update. I followed your instructions, had a keyboard problem after deleting windfind.exe in safe mode (couldn't use the backspace key anymore and all letters were in capitals), but this could be a power problem as everything is normal now. Here is the log:

Logfile of HijackThis v1.99.0
Scan saved at 09:33:32, on 12/23/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\TCDPLAY.DRV
C:\WINDOWS\SYSTEM\TWBROWSE.DRV
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\S3SYSKEY.EXE
C:\WINDOWS\SYSTEM\TOSHIBSU.EXE
C:\WINDOWS\SYSTEM\PSPCCARD.EXE
C:\WINDOWS\SYSTEM\PWRTRAY.EXE
C:\WINDOWS\SYSTEM\TESCKEY.EXE
C:\WINDOWS\SYSTEM\TFUNCKEY.EXE
C:\WINDOWS\SYSTEM\THOTKEY.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\WINDOWS\RunDLL.exe
C:\WINDOWS\SYSTEM\TASKMON.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\HJT\HIJACKTHIS.EXE

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [s3syskey] s3syskey.exe
O4 - HKLM\..\Run: [TOSHIBSU] TOSHIBSU.EXE
O4 - HKLM\..\Run: [PsPCCard] PsPCCard.EXE
O4 - HKLM\..\Run: [PowerTray] PwrTray.EXE
O4 - HKLM\..\Run: [TEscKey] TEscKey.exe
O4 - HKLM\..\Run: [TFunckey] TFuncKey.exe
O4 - HKLM\..\Run: [THotkey] THotkey.Exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [TCDPlay] TCDPlay.drv
O4 - HKLM\..\RunServices: [TWBrowse] TWBrowse.drv
O4 - HKLM\..\RunServices: [TSPower] SPower.drv
O4 - HKLM\..\RunServices: [TDockNUndock] TEject.drv
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - HKCU\..\Run: [System Update] C:\WINDOWS\System\taskmon.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab

Thanks for your help and Merry Christmas

#5 phawgg


Posted 24 December 2004 - 11:11 AM

bonzai125, Good Job! (the keyboard problem didn't compromise the fix)
You have a clean log, so now you should disable & re-enable your System Restore to set a new restore point.
This ensures that there are no infected files found in a restore point left over from what we have just cleaned.
Additional information & instructions are here.

Some other steps to be taken are:

1. Use secure Internet Explorer settings
  • Open IE and check tools-->internet options-->security-->click internet icon-->
    Click custom and check that these settings are:
  • Download unsigned ActiveX controls - prompt
  • Initialize and script ActiveX controls not marked as safe - disable
  • Installation of desktop items - prompt
  • Launching programs and files in IFRAME - prompt
  • Navigate sub-frames across different domains - prompt
2. Use AntiVirus Software & Update Frequently. It's best to use only one. You are, great!
  • An excellent free program is AVG, if you need an option. This program can be set to automatically scan & either auto-update or
    you may choose to do that yourself. Virus definition updates with this program occur frequently, which is very good.
3. Use a Firewall, but use only one.
  • Excellent free programs available include:
  • Sygate
  • Kerio
  • (others are also available)
  • Choose one (if you do not already use a firewall). Keep your Firewall up & monitor its configuration
  • (fully understanding its operation may require some thought & a little practice, but it helps greatly to have it installed and functioning)
4. Use Microsoft Windows Updates Frequently. Not so much with win98 as with other versions, though.

5. Use Spybot S&D & Update
  • Install and use this program with its TeaTimer option.
  • This will provide realtime spyware & hijacker protection on your computer alongside your virus protection.
  • You should also scan your computer with this program on a regular basis, just as you would an antivirus software.
  • Check for updates when you do. A tutorial is available here.
6. Use SpywareBlaster & Update
  • Install and use this program
  • Adding a large list of sites/programs into your Browser settings, it protects you from running or downloading known malicious programs.
  • You may customize it if required to accommodate your individual needs, and updates are also frequently issued with new definitions added
  • Make it a habit to run and update on a regular basis.
7. Use Ad-Aware & Update
  • Install, configure and use this program with the others.
  • It is very well thought of for its effectiveness; it complements the actions of the others.
  • It provides for additional plug-in specialty tools as well as an upgrade if you choose them.
  • Updates are frequent, so I suggest that you do both that and run the program regularly.
8. Use an alternative Browser Frequently. You may use several if you like.
  • Consider using Firefox as an alternative to IE for fundamental security reasons.
  • You can have both easily. Doing so will provide you with several benefits and options.
  • Other alternative browsers are also available at no charge
  • They do not have inherent vulnerabilities to the extent that IE does.
  • They are not subject to the same attention by malware creators as IE, which is much more commonly used.
All of these recommendations will provide a valuable service to you,
and no conflicts exist when operating them together on your PC [win98].
Please enact them for your own sake, and that of the Internet itself.

9. Use BleepingComputer Tutorials & Resources Frequently. "and check for updates..."
  • While cleaning your PC, important tutorials were offered to explain what was being done.
  • Urgency to accomplish the task may have compromised your full understanding of what all was involved.
  • There is always room for improvement when using a personal computer.
  • Resources are available here and improving all the time.
    Some that deal with these recommendations & other topics include:
Tutorials available for more in-depth considerations.
Switching from Internet Explorer to Firefox
Four Simple Steps for removing Spyware, Hijackers, Viruses, and other Malware
Simple and easy ways to keep your computer safe and secure on the Internet
Using Spybot - Search & Destroy to remove Spyware from Your Computer
Using Ad-Aware SE to remove Spyware & Hijackers from Your Computer
Using SpywareBlaster to protect your computer from Spyware, Hijackers, and Malware
Steps to take when connecting a new computer to the Internet

Edited by phawgg, 24 December 2004 - 11:17 AM.

patiently patrolling, plenty of persistent pests n' problems ...

#6 phawgg


Posted 31 December 2004 - 07:35 PM

Closed. The topics in this thread appear to have been resolved.

If referring to this thread you may:
Right-click Posted. Choose Copy Link Location. Paste with comments to a New Topic.

You may also contact a HJT Team Member, and reference the link location address. Happy New Year.
patiently patrolling, plenty of persistent pests n' problems ...



