
Malware Problems?


  • This topic is locked
38 replies to this topic

#1 elomont

  • Members
  • 98 posts

Posted 27 April 2007 - 01:23 PM

I'm trying to fix my parents computer.

I have already run Ad-Aware and it deleted 500+ problems. Could not run Spybot due to: A required .DLL file, c:\windows\system\imagehlp.dll, was not found. I think I'm missing a few files though. I also receive this after running my F-Prot virus protection: W32/downloader.aaw and w32/vb-emu:vb-backdoor-hrs-based!Maximus.

Can someone please have a look at this HJT log and see if there are any problems.

Thanks,

Stephanie


Logfile of HijackThis v1.99.1
Scan saved at 12:42:03 PM, on 4/27/07
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\CPQDIAG\CPQDFWAG.EXE
C:\COMPAQ\INTERNET\ISDBDC.EXE
C:\WINDOWS\SYSTEM\KB918547\KB918547.EXE
c:\windows\SYSTEM\KB891711\KB891711.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\SA3DSRV.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\MOUSE\SYSTEM\EM_EXEC.EXE
C:\CPQS\BWTOOLS\SCCENTER.EXE
C:\PROGRAM FILES\MOTIVE\MOTIVEASSISTANT\MOTMON.EXE
C:\COMPAQ\CPQINET\CPQINET.EXE
C:\PROGRAM FILES\UKAZ\IKYHXI.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\CPQEADM.EXE
C:\PROGRAM FILES\FSI\F-PROT\F-SCHED.EXE
C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\BTTNSERV.EXE
C:\PROGRAM FILES\FSI\F-PROT\F-STOPW.EXE
C:\PROGRAM FILES\FSI\F-PROT\FPAVUPDM.EXE
C:\PROGRAM FILES\MICROSOFT MONEY\SYSTEM\REMINDER.EXE
C:\WINDOWS\APPLICATION DATA\SHWR\NOPDB.EXE
C:\WINDOWS\HTPE\RKCJB.EXE
C:\PROGRAM FILES\COMPAQ\ON-SCREEN DISPLAY\OSD.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\WINZIP\WINZIP32.EXE
C:\WINDOWS\TEMP\HIJACKTHIS.EXE

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.presario.net/scripts/redirec...bar&LC=0409
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
R3 - Default URLSearchHook is missing
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YT.DLL
O2 - BHO: Bucket Class - {00000001-C003-4A2F-9142-7CB1D78DE6C1} - C:\WINDOWS\TCT101.DLL (file missing)
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRAM FILES\YAHOO!\COMMON\YIESRVC.DLL
O2 - BHO: (no name) - {F21D4A4B-F08A-8F79-DEAB-D528E324639F} - C:\WINDOWS\SYSTEM\VJEU.DLL (file missing)
O2 - BHO: (no name) - {1CA91A51-F7C0-8C6D-C52A-8DCD5C6A83C4} - C:\WINDOWS\SYSTEM\HIALN.DLL (file missing)
O2 - BHO: (no name) - {6392FE36-11F1-3751-A34C-6BE33EE9F8C8} - C:\WINDOWS\SYSTEM\FQLEFXT.DLL (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {6892FF36-47A3-3350-A34C-6BE33EE6F3CE} - C:\WINDOWS\SYSTEM\WSLDYDHC.DLL
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YT.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [EM_EXEC] c:\mouse\system\em_exec.exe
O4 - HKLM\..\Run: [Service Connection] c:\cpqs\bwtools\sccenter.exe
O4 - HKLM\..\Run: [OEMCLEANUP] C:\windows\OPTIONS\oemreset.exe
O4 - HKLM\..\Run: [MotiveMonitor] C:\Program Files\Motive\MotiveAssistant\motmon.exe
O4 - HKLM\..\Run: [CPQInet Runtime Service] c:\compaq\CPQInet\CpqInet.exe
O4 - HKLM\..\Run: [Bqkdtz] C:\PROGRAM FILES\UKAZ\IKYHXI.EXE
O4 - HKLM\..\Run: [CriticalUpdate] c:\windows\SYSTEM\wucrtupd.exe -startup
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Aureal A3D Interactive Audio Init] A3dInit.exe
O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\Compaq\Easy Access Button Support\cpqeadm.exe
O4 - HKLM\..\Run: [EACLEAN] C:\Program Files\Compaq\Easy Access Button Support\eaclean.exe
O4 - HKLM\..\Run: [FRISK FP-Scheduler] C:\Program Files\FSI\F-Prot\F-Sched.exe STARTUP
O4 - HKLM\..\Run: [F-STOPW.EXE] "C:\Program Files\FSI\F-Prot\F-STOPW.EXE"
O4 - HKLM\..\Run: [FRISK_MONITOR] "C:\Program Files\FSI\F-Prot\fpavupdm.exe" /RAP
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [CPQDFWAG] C:\WINDOWS\cpqdiag\CpqDfwAg.exe
O4 - HKLM\..\RunServices: [isdbdc] c:\compaq\internet\isdbdc.exe
O4 - HKLM\..\RunServices: [McAfeeWebScanX] C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\WebScanX.Exe /RUNSERVICES
O4 - HKLM\..\RunServices: [KB918547] C:\WINDOWS\SYSTEM\KB918547\KB918547.EXE
O4 - HKLM\..\RunServices: [KB891711] c:\windows\SYSTEM\KB891711\KB891711.EXE
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [Aureal A3D Interactive Audio] sa3dsrv.exe
O4 - HKLM\..\RunServices: [HC Reminder] hc.exe
O4 - HKCU\..\Run: [Reminder] C:\Program Files\Microsoft Money\System\reminder.exe
O4 - HKCU\..\Run: [Loac] "C:\WINDOWS\Application Data\shwr\nopdb.exe" -vt yazr
O4 - HKCU\..\Run: [Gfrhhzeh] C:\WINDOWS\Htpe\rkcjb.exe
O4 - HKCU\..\Run: [AIM] C:\PROGRAM FILES\AIM95\aim.exe -cnetwait.odl
O4 - Startup: EPSON Status Monitor 3 Environment Check.lnk = C:\WINDOWS\SYSTEM\E_SRCV03.EXE
O4 - Startup: EPSON Background Monitor.lnk = C:\Program Files\Common Files\EPSON\EBAPI\Stms.exe
O4 - Startup: PowerReg SchedulerV2.exe
O8 - Extra context menu item: AltaVista Home - http://jump.altavista.com/avie5/home
O8 - Extra context menu item: AV Search This Term - http://jump.altavista.com/avie5/search
O8 - Extra context menu item: AV Translate this Web Page - http://jump.altavista.com/avie5/babelfish
O8 - Extra context menu item: AV Translate Selection - http://jump.altavista.com/avie5/babelfish
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {06FE5D00-8F11-11d2-804F-00105A133818} - http://jump.altavista.com/avie5/home (file missing)
O9 - Extra 'Tools' menuitem: &AltaVista Home - {06FE5D00-8F11-11d2-804F-00105A133818} - http://jump.altavista.com/avie5/home (file missing)
O9 - Extra button: Translate - {06FE5D05-8F11-11d2-804F-00105A133818} - http://jump.altavista.com/avie5/babelfish (file missing)
O9 - Extra 'Tools' menuitem: AV &Translate - {06FE5D05-8F11-11d2-804F-00105A133818} - http://jump.altavista.com/avie5/babelfish (file missing)
O9 - Extra button: (no name) - {06FE5D02-8F11-11d2-804F-00105A133818} - http://jump.altavista.com/avie5/linksearch (file missing)
O9 - Extra 'Tools' menuitem: &Find Pages Linking to this URL - {06FE5D02-8F11-11d2-804F-00105A133818} - http://jump.altavista.com/avie5/linksearch (file missing)
O9 - Extra button: (no name) - {06FE5D03-8F11-11d2-804F-00105A133818} - http://jump.altavista.com/avie5/hostsearch (file missing)
O9 - Extra 'Tools' menuitem: Find Other Pages on this &Host - {06FE5D03-8F11-11d2-804F-00105A133818} - http://jump.altavista.com/avie5/hostsearch (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM95\AIM.EXE
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRAM FILES\YAHOO!\COMMON\YIESRVC.DLL
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_03\bin\npjpi150_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_03\bin\npjpi150_03.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab

Edited by elomont, 27 April 2007 - 02:33 PM.



#2 Yourhighness

    The BSG Malware Fighter

  • Malware Response Team
  • 7,943 posts
  • Gender:Male
  • Location:Hamburg

Posted 29 April 2007 - 12:29 PM

Hello elomont and welcome to BleepingComputer!

My name is Johannes and I will be dealing with your log today.
Please note that comments are made in green, links are in red and important things are outlined by using the blue color.

Please also take note of the following:
  • I will start working on your Malware issues, this may or may not, solve other issues you have with your machine.
  • The fixes are specific to your problem and should only be used for this issue on this machine
  • The process is not instant. Please continue to review my answers until I tell you your machine is clear. Absence of symptoms does not mean that everything is clear.
  • If you don't know, stop and ask! Don't keep going on.
  • Please reply to this thread. Do not start a new topic.
Please give me some time to look over your log and I will get back to you as soon as possible.

While I am revising your log, you could try and do the steps in this link: http://support.microsoft.com/kb/817493

to try and fix your problem stated:

Could not run Spybot due to: A required .DLL file, c:\windows\system\imagehlp.dll, was not found.

If that fixed your spybot problem, please have that one run too.

Thanks,
Johannes

Edited by Yourhighness, 29 April 2007 - 12:31 PM.

"How did I get infected?" - "Safe-hex" - Member of UNITE -


#3 elomont
  • Topic Starter

  • Members
  • 98 posts

Posted 30 April 2007 - 12:16 AM

Hi Johannes,

First, Thank you very much for the help.

Second, I've gone to the link that you have sent, but need a little help at #5: Insert your Windows 98 CD-ROM, and then locate the following path in the Restore From box, where CD-ROM drive is the letter label of your CD-ROM drive. CD-ROM drive:\Win98

I've entered C:\Win98 which brings me to the Backup File screen. In the Backup folder box it reads C:\WINDOWS\Helpdesk\SFC. Do I keep this or do I need to change it? When I click OK without changing it, it gives an error message of: System File Checker. The file was not found. Verify that you have selected the correct 'Restore from' location and try again.

Thanks again,

Stephanie

Edited by elomont, 30 April 2007 - 12:27 AM.


#4 elomont
  • Topic Starter

  • Members
  • 98 posts

Posted 30 April 2007 - 02:13 AM

Johannes,

I've been trying to figure out why this isn't working and I came across the following. I don't know if it is related to my previous problem, so if not, just ignore this post.

If I go into Control Panel, System, then Device Manager I have three yellow exclamation points that show up.

One under Floppy disk controllers next to Standard Floppy Disk Controller.

The other two under Hard disk controllers next to Primary IDE controller (dual fifo) and Secondary IDE controller (dual fifo). There is a third entry under Hard disk controllers which is Intel 82801AB Bus Master IDE Controller that does not have an exclamation point next to it.

Can this be related to any of my problems?

Steph

#5 Yourhighness

    The BSG Malware Fighter

  • Malware Response Team
  • 7,943 posts
  • Gender:Male
  • Location:Hamburg

Posted 30 April 2007 - 02:23 PM

Hello elomont,

Sorry for the late reply. Just had to wait to get home from work first.

It is important that you use a software firewall, to prevent unauthorised traffic both out of and into your computer.
Your log doesn't show a firewall running. If you have disabled it, please re-enable it.
If you do not have a firewall installed, please download and install one of these excellent (and free) products:

I noticed that you are running HijackThis from a Temp directory.
Please remove your current HijackThis and lets install a current version into an easily remembered and safe location:
  • Please click here to download hijackthis_sfx.exe
  • Save hijackthis_sfx.exe to your desktop.
  • Double click on the hijackthis_sfx.exe icon on your desktop then click the Unzip button. Then close the Self-Extractor window.
  • Using My Computer/Windows Explorer, navigate to C:\Program Files\Hijack This and double click on HijackThis.exe to run it.
  • If you would like to make a shortcut for your Desktop so it's more easily accessible, right click HijackThis.exe and choose Send To > Desktop (create shortcut).
  • Click "Do a system scan only". HijackThis will make a quick scan and show you a list of entries.
Also, it seems as if you have more than one Anti-Virus installed. I can see traces of McAfee, TrendMicro, and F-Prot.

I do not recommend that you have more than one anti-virus product installed and running on your computer at a time. The reason for this is that if all three products have their automatic (Real-Time) protection switched on, then those products which do not encrypt the virus strings within them can cause other anti-virus products to raise "false alarms". It can also lead to a clash as all three products fight for access to files which are opened; again, this is the resident/automatic protection. In general terms, the three programs may conflict and cause:
  • False Alarms: When the anti virus software tells you that your PC has a virus when it actually doesn't.
  • System Performance Problems: Your system may lock up due to both software products attempting to access the same file at the same time.
Therefore please go to add/remove in the control panel and remove any two of the following: F-Prot, McAfee or Bitdefender.

You may want to print out these instructions, as we need to go into safe mode later on and don't have access to the Internet then!

Download TrojanHunter 30-Day Trial and save to your desktop. With the trial version of TrojanHunter you need to manually update the rule files before you can start scanning. Download the latest rule files (Update.zip) from here.
  • Important! Before installing, go offline, and boot into "SAFE MODE" by pressing F8 at startup to get the Windows Configuration screen. Use the arrow keys to select Safe mode, then press Enter.
  • Double-click TrojanHunterSetup.exe to install and exit the program when done. Once the program is installed it automatically configures to protect the system and All files. You should not need to change anything.
  • Extract (unzip) the Update.zip file to C:\Program Files\TrojanHunter\RuleFiles <- this folder.
    (Click here for information on how to do this if not sure. Win 9x/2000 users click here. A ZIP file requires an unzipping utility. If you need one, download 7zip (it's free).)
  • Restart TrojanHunter and do a full scan. Be sure the boxes are checked (green) beside your main hard drive folders, then click on Full Scan.
  • Please now navigate to C:\Program Files\TrojanHunter 4.6\Scan Reports and look for a file called year-month-day_24hrtime.rtf. Now please copy the contents of that file in your next reply.
Run HijackThis, press Scan, and put a check mark next to all these entries:

O2 - BHO: Bucket Class - {00000001-C003-4A2F-9142-7CB1D78DE6C1} - C:\WINDOWS\TCT101.DLL (file missing)
O2 - BHO: (no name) - {F21D4A4B-F08A-8F79-DEAB-D528E324639F} - C:\WINDOWS\SYSTEM\VJEU.DLL (file missing)
O2 - BHO: (no name) - {1CA91A51-F7C0-8C6D-C52A-8DCD5C6A83C4} - C:\WINDOWS\SYSTEM\HIALN.DLL (file missing)
O2 - BHO: (no name) - {6392FE36-11F1-3751-A34C-6BE33EE9F8C8} - C:\WINDOWS\SYSTEM\FQLEFXT.DLL (file missing)
O2 - BHO: (no name) - {6892FF36-47A3-3350-A34C-6BE33EE6F3CE} - C:\WINDOWS\SYSTEM\WSLDYDHC.DLL
O4 - HKLM\..\Run: [Bqkdtz] C:\PROGRAM FILES\UKAZ\IKYHXI.EXE


Close all other windows and browsers, and press the Fix Checked button.

Please now delete the following files and/or folders (NB: if you cannot find a file or folder that is just fine):

C:\PROGRAM FILES\UKAZ\ <-- this folder
C:\WINDOWS\HTPE\ <-- this folder


Now please boot back into normal mode and post back with a fresh HijackThis log and the log from Trojan Hunter.

While you are waiting for my reply, please have a look at this:

Please be advised that your "C:\" Drive is your Windows directory, but not your CD-Drive directory. Try the following:
1 ) right-click "My Computer" and click on "Explore."
2 ) Then have a look which Drive shows something like "windows 98" or shows a CD sign. This is your CD-Drive (usually it is drive "D").
3 ) Then do the step 5 again and enter "CD-Drive letter:\Win98" to continue with the process.

Thanks Johannes

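The triage the helper does by hand in the post above (BHOs whose DLL is "(file missing)", unnamed BHOs with gibberish DLL names, Run values such as [Bqkdtz] that point at an executable under an unknown folder) can be made repeatable. The script below is an added example written for this page; it is not code from the thread and not part of HijackThis. The heuristics (a consonant-run test for machine-generated names, a Temp/Application Data location check, a small allowlist of Windows 9x binaries) are my assumptions, and the sample lines are copied from the first log posted in this thread.

```python
import re

# Sample HijackThis lines copied from the log posted earlier in this thread.
SAMPLE_LOG = r"""
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YT.DLL
O2 - BHO: Bucket Class - {00000001-C003-4A2F-9142-7CB1D78DE6C1} - C:\WINDOWS\TCT101.DLL (file missing)
O2 - BHO: (no name) - {F21D4A4B-F08A-8F79-DEAB-D528E324639F} - C:\WINDOWS\SYSTEM\VJEU.DLL (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {6892FF36-47A3-3350-A34C-6BE33EE6F3CE} - C:\WINDOWS\SYSTEM\WSLDYDHC.DLL
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Bqkdtz] C:\PROGRAM FILES\UKAZ\IKYHXI.EXE
O4 - HKLM\..\Run: [FRISK FP-Scheduler] C:\Program Files\FSI\F-Prot\F-Sched.exe STARTUP
O4 - HKCU\..\Run: [Loac] "C:\WINDOWS\Application Data\shwr\nopdb.exe" -vt yazr
O4 - HKCU\..\Run: [Gfrhhzeh] C:\WINDOWS\Htpe\rkcjb.exe
"""

# O2 = Browser Helper Object, O4 = autostart from a Run/RunServices key.
O2_RE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - "
    r"(?P<path>.*?)(?P<missing> \(file missing\))?$"
)
O4_RE = re.compile(
    r"^O4 - (?P<hive>HK(?:LM|CU))\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$"
)

# Assumptions for this example: legitimate programs rarely autostart from these
# folders, and these Windows 9x binaries have consonant-heavy names that would
# otherwise trip the random-name test.
SUSPECT_DIRS = ("\\temp\\", "\\application data\\", "\\local settings\\")
KNOWN_GOOD_STEMS = {"rundll32", "scanregw", "taskmon", "systray", "mstask"}
VOWELS = set("aeiouy")


def looks_random(label: str, min_len: int = 5, max_run: int = 4) -> bool:
    """Crude test for machine-generated names such as [Bqkdtz]: an alphabetic
    token of min_len+ letters with no vowel at all, or with a run of max_run+
    consonants. Short tokens (YT, FP) are skipped to limit false positives."""
    for token in re.findall(r"[A-Za-z]+", label):
        if len(token) < min_len:
            continue
        t = token.lower()
        if not any(c in VOWELS for c in t):
            return True
        if re.search(r"[^aeiouy]{%d,}" % max_run, t):
            return True
    return False


def stem(path: str) -> str:
    """File name without directory or extension, for either slash style."""
    return re.split(r"[\\/]", path)[-1].rsplit(".", 1)[0]


def exe_from_cmd(cmd: str) -> str:
    """Executable part of a Run value: quoted or not, with or without arguments."""
    m = re.match(r'"?(.*?\.exe)"?', cmd, re.I)
    return m.group(1) if m else cmd.split()[0]


def triage(log_text: str) -> list:
    """Return [{'line': ..., 'reason': ...}] for entries worth a second look."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        m = O2_RE.match(line)
        if m:
            if m["missing"]:
                findings.append({"line": line, "reason": "BHO registered but DLL missing"})
            elif m["name"] == "(no name)" and looks_random(stem(m["path"])):
                findings.append({"line": line, "reason": "unnamed BHO with random-looking DLL name"})
            continue
        m = O4_RE.match(line)
        if not m:
            continue
        exe = exe_from_cmd(m["cmd"])
        exe_stem = stem(exe).lower()
        reasons = []
        if looks_random(m["name"]):
            reasons.append("random-looking Run value name")
        if exe_stem not in KNOWN_GOOD_STEMS and looks_random(exe_stem):
            reasons.append("random-looking executable name")
        if any(d in exe.lower() for d in SUSPECT_DIRS):
            reasons.append("autostart from a Temp or Application Data folder")
        if reasons:
            findings.append({"line": line, "reason": "; ".join(reasons)})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['reason']}\n    {f['line']}")
```

Run against the sample it flags the same O2 entries the helper asked to fix and leaves the Yahoo and Spybot lines alone; it also flags the [Loac] entry because nopdb.exe runs from Application Data. The output is a worklist for a person, not something to feed straight into Fix Checked: the name test is a rough proxy for entropy and will occasionally mark a legitimate vendor binary, which is why the allowlist exists.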


#6 Yourhighness

    The BSG Malware Fighter

  • Malware Response Team
  • 7,943 posts
  • Gender:Male
  • Location:Hamburg

Posted 30 April 2007 - 02:45 PM

Hey there,

Just a quick addition. Could you tell me what file this detection points to:

F-prot virus protection: W32/downloader.aaw and w32/vb-emu:vb-backdoor-hrs-based!Maximus


Thanks



#7 elomont
  • Topic Starter

  • Members
  • 98 posts

Posted 30 April 2007 - 04:44 PM

In order of things you asked:

2nd email addition: The W32/downloader.AAW points to C:\Program Files\UKAZ\IKYHXI.EXE

I downloaded Outpost Firewall because the other two apparently were not compatible with windows 98.

I downloaded Hijack This the way you told and ran the "Do a system scan only".

I tried to erase McAfee and BitDefender, but when I go into Control Panel, Add/Remove Programs I don't see either in the list. I also did not see anything resembling TrendMicro.

I downloaded Trojan Hunter then restarted in safe mode and clicked on desktop icon for Trojan Hunter. I also extracted the files from the Update.zip and put them where you said. I hope. I then ran a full scan of Trojan Hunter (while in safe mode). Here is a copy of the scan from Trojan Hunter:

Registry scan
Suspicious registry entry: HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\Outpost Firewall (Regedit Jump)
Suspicious registry entry: HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Outpost Firewall (Regedit Jump)
No suspicious entries found
Inifile scan
No suspicious entries found
Port scan
Error: Unable to perform port check: PortChecker not initialized
Memory scan
No trojans found in memory
File scan
Error: Directory not found: A:\
Found adware file: C:\WINDOWS\TEMP\UNI2015.TMP.exe (Adware.Weird.100)
Found adware file: C:\Program Files\Ukaz\Ikyhxi.exe (Adware.AvenueMedia.Dyfuca.109)
2 files identified

I then ran HijackThis, marked what you said needed to be marked and deleted what you said to delete. I then rebooted into normal mode and ran HijackThis again with the following as the report log:

Logfile of HijackThis v1.99.1
Scan saved at 5:49:01 PM, on 4/30/07
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\CPQDIAG\CPQDFWAG.EXE
C:\WINDOWS\SYSTEM\KB918547\KB918547.EXE
c:\windows\SYSTEM\KB891711\KB891711.EXE
C:\COMPAQ\INTERNET\ISDBDC.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\SA3DSRV.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\MOUSE\SYSTEM\EM_EXEC.EXE
C:\PROGRAM FILES\FSI\F-PROT\F-SCHED.EXE
C:\PROGRAM FILES\FSI\F-PROT\F-STOPW.EXE
C:\PROGRAM FILES\FSI\F-PROT\FPAVUPDM.EXE
C:\CPQS\BWTOOLS\SCCENTER.EXE
C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\CPQEADM.EXE
C:\COMPAQ\CPQINET\CPQINET.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\MOTIVE\MOTIVEASSISTANT\MOTMON.EXE
C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\BTTNSERV.EXE
C:\PROGRAM FILES\TROJANHUNTER 4.6\THGUARD.EXE
C:\PROGRAM FILES\MICROSOFT MONEY\SYSTEM\REMINDER.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\COMPAQ\ON-SCREEN DISPLAY\OSD.EXE
C:\PROGRAM FILES\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.presario.net/scripts/redirec...bar&LC=0409
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
R3 - Default URLSearchHook is missing
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YT.DLL
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRAM FILES\YAHOO!\COMMON\YIESRVC.DLL (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YT.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [EM_EXEC] c:\mouse\system\em_exec.exe
O4 - HKLM\..\Run: [OEMCLEANUP] C:\windows\OPTIONS\oemreset.exe
O4 - HKLM\..\Run: [CriticalUpdate] c:\windows\SYSTEM\wucrtupd.exe -startup
O4 - HKLM\..\Run: [FRISK FP-Scheduler] C:\Program Files\FSI\F-Prot\F-Sched.exe STARTUP
O4 - HKLM\..\Run: [F-STOPW.EXE] "C:\Program Files\FSI\F-Prot\F-STOPW.EXE"
O4 - HKLM\..\Run: [FRISK_MONITOR] "C:\Program Files\FSI\F-Prot\fpavupdm.exe" /RAP
O4 - HKLM\..\Run: [Service Connection] c:\cpqs\bwtools\sccenter.exe
O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\Compaq\Easy Access Button Support\cpqeadm.exe
O4 - HKLM\..\Run: [EACLEAN] C:\Program Files\Compaq\Easy Access Button Support\eaclean.exe
O4 - HKLM\..\Run: [CPQInet Runtime Service] c:\compaq\CPQInet\CpqInet.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Aureal A3D Interactive Audio Init] A3dInit.exe
O4 - HKLM\..\Run: [MotiveMonitor] C:\Program Files\Motive\MotiveAssistant\motmon.exe
O4 - HKLM\..\Run: [Welcome] C:\WINDOWS\Welcome.exe /R
O4 - HKLM\..\Run: [OutpostFeedBack] C:\PROGRAM FILES\AGNITUM\OUTPOST FIREWALL 1.0\feedback.exe /dump:os_startup
O4 - HKLM\..\Run: [THGuard] "C:\PROGRAM FILES\TROJANHUNTER 4.6\THGUARD.EXE"
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [CPQDFWAG] C:\WINDOWS\cpqdiag\CpqDfwAg.exe
O4 - HKLM\..\RunServices: [KB918547] C:\WINDOWS\SYSTEM\KB918547\KB918547.EXE
O4 - HKLM\..\RunServices: [KB891711] c:\windows\SYSTEM\KB891711\KB891711.EXE
O4 - HKLM\..\RunServices: [isdbdc] c:\compaq\internet\isdbdc.exe
O4 - HKLM\..\RunServices: [McAfeeWebScanX] C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\WebScanX.Exe /RUNSERVICES
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [Aureal A3D Interactive Audio] sa3dsrv.exe
O4 - HKLM\..\RunServices: [HC Reminder] hc.exe
O4 - HKCU\..\Run: [Reminder] C:\Program Files\Microsoft Money\System\reminder.exe
O4 - HKCU\..\Run: [Gfrhhzeh] C:\WINDOWS\Htpe\rkcjb.exe
O4 - Startup: EPSON Status Monitor 3 Environment Check.lnk = C:\WINDOWS\SYSTEM\E_SRCV03.EXE
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: EPSON Background Monitor.lnk = C:\Program Files\Common Files\EPSON\EBAPI\Stms.exe
O4 - Startup: PowerReg SchedulerV2.exe
O8 - Extra context menu item: AltaVista Home - http://jump.altavista.com/avie5/home
O8 - Extra context menu item: AV Search This Term - http://jump.altavista.com/avie5/search
O8 - Extra context menu item: AV Translate this Web Page - http://jump.altavista.com/avie5/babelfish
O8 - Extra context menu item: AV Translate Selection - http://jump.altavista.com/avie5/babelfish
O9 - Extra button: (no name) - {06FE5D00-8F11-11d2-804F-00105A133818} - http://jump.altavista.com/avie5/home (file missing)
O9 - Extra 'Tools' menuitem: &AltaVista Home - {06FE5D00-8F11-11d2-804F-00105A133818} - http://jump.altavista.com/avie5/home (file missing)
O9 - Extra button: Translate - {06FE5D05-8F11-11d2-804F-00105A133818} - http://jump.altavista.com/avie5/babelfish (file missing)
O9 - Extra 'Tools' menuitem: AV &Translate - {06FE5D05-8F11-11d2-804F-00105A133818} - http://jump.altavista.com/avie5/babelfish (file missing)
O9 - Extra button: (no name) - {06FE5D02-8F11-11d2-804F-00105A133818} - http://jump.altavista.com/avie5/linksearch (file missing)
O9 - Extra 'Tools' menuitem: &Find Pages Linking to this URL - {06FE5D02-8F11-11d2-804F-00105A133818} - http://jump.altavista.com/avie5/linksearch (file missing)
O9 - Extra button: (no name) - {06FE5D03-8F11-11d2-804F-00105A133818} - http://jump.altavista.com/avie5/hostsearch (file missing)
O9 - Extra 'Tools' menuitem: Find Other Pages on this &Host - {06FE5D03-8F11-11d2-804F-00105A133818} - http://jump.altavista.com/avie5/hostsearch (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM95\AIM.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_03\bin\npjpi150_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_03\bin\npjpi150_03.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Outpost Firewall Pro Quick Tune - {44627E97-789B-40d4-B5C2-58BD171129A1} - C:\PROGRAM FILES\AGNITUM\OUTPOST FIREWALL 1.0\PLUGINS\BROWSERBAR\IE_BAR.DLL
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O20 - AppInit_DLLs: c:\program files\agnitum\outpost firewall

I think that's everything you asked for, if not, let me know.

Steph

Edited by elomont, 30 April 2007 - 04:54 PM.


#8 elomont
  • Topic Starter

  • Members
  • 98 posts

Posted 30 April 2007 - 05:28 PM

I just followed your instructions related to trying to run Spybot Search and Destroy and the missing Imagehlp.dll file.

I right click on computer, explore and see A: Drive, C: Drive and D: Drive labeled System_save, but no "windows 98" or CD signs.

I also got the same error message when I enter D:\Win98 at step #5. Same as before.

I have two drives, one is a dvd drive and the other is a cd-r-rw drive. I was under the impression that when you loaded a disc into one of the drives it was supposed to recognize that it is in there and then run automatically, but that does not happen. I'm used to my computer which is running windows XP and it loads automatically. I don't know if things are different in Windows 98.

Just another side note: I was able to run Spybot a few times, but then I think I went to Windows update and downloaded all the updates that my parents never did. I believe it was after this that I was not able to use Spybot. I have been known to be wrong though so don't hold me to when it stopped working.

I don't know if this is pertinent to fixing the other problem, so if it isn't maybe we can fix this one after we fix the first one.

Let me know,

Steph

#9 elomont
  • Topic Starter

  • Members
  • 98 posts

Posted 30 April 2007 - 05:53 PM

OK, I swear this will be the last post until I hear from you again. I swear!

Just for craps and giggles I tried to run Spybot and it actually loaded and ran, so apparently that problem is fixed.

However, as I'm running Spybot, my F-Prot antivirus detects the following:

C:\Window\TRANICON.EXE Infection: Possibly a new variant of W32/VB-EMU:VB-Backdoor-HRS-based!Maximus.

C:\KANSUP.REG Infection: REG/LowZones. C

C:\WINDOWS\TEMP\R.BAT Infection: BAT/BatX. L

That's it. I'll wait until I hear back from you.

Steph

#10 Yourhighness

    The BSG Malware Fighter

  • Malware Response Team
  • 7,943 posts
  • Gender:Male
  • Location:Hamburg

Posted 01 May 2007 - 12:31 PM

Hi Stephanie,

Let's start with this:

The W32/downloader.AAW points to C:\Program Files\UKAZ\IKYHXI.EXE

Can you please do the following for me:

Please go to UploadMalware to upload a suspicious file for analysis.
  • Enter your username from this forum
  • Copy and paste the link to this thread: http://www.bleepingcomputer.com/forums/t/90284/malware-problems/
  • Browse for these filenames:
    • C:\Program Files\UKAZ\IKYHXI.EXE
    • C:\WINDOWS\TEMP\UNI2015.TMP.exe
    • C:\WINDOWS\Htpe\rkcjb.exe
    • C:\Window\TRANICON.EXE
    • C:\KANSUP.REG
    • C:\WINDOWS\TEMP\R.BAT
  • In the comments, please mention that I asked you to upload this file: Yourhighness
  • Click on Send File

I downloaded Outpost Firewall because the other two apparently were not compatible with windows 98.

This is good news. It will give you further protection in future.

I tried to erase McAfee and BitDefender, but when I go into Control Panel, Add/Remove Programs I don't see either in the list. I also did not see anything resembling TrendMicro.

This is also fine. I just wanted to be sure that only one antivirus is left for future use to avoid what is stated above.

Run HijackThis, press Scan, and put a check mark next to all these entries:

O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRAM FILES\YAHOO!\COMMON\YIESRVC.DLL (file missing)
O4 - HKLM\..\RunServices: [McAfeeWebScanX] C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\WebScanX.Exe /RUNSERVICES
O4 - HKCU\..\Run: [Gfrhhzeh] C:\WINDOWS\Htpe\rkcjb.exe
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab


Close all other windows and browsers, and press the Fix Checked button.

Please now delete the following files and folders (NB: if you cannot find a file or folder that is just fine):

C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\ <-- this folder

I am asking you to fix the McAfee and BitDefender entries because you said you don't have them installed and should not need them at the moment. You will be able to reinstall them again when you go to their site and do an online scan.

Once we get the results from your uploads, we will continue ;)

Thanks, Johannes

"How did I get infected?" - "Safe-hex" - Member of UNITE -
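The entries singled out above fall into two groups: leftovers whose target file no longer exists, and an autorun pointing at a file already identified as malicious earlier in the thread. The following Python is an added example, not code from this thread or from HijackThis; its parsing rules are inferred from the log format shown here, and it applies those two checks (plus a check for autoruns launched out of a TEMP directory) to lines copied from the log above.

```python
import re

ENTRY_RE = re.compile(r"^(?P<sec>[A-Z]\d+) - (?P<body>.+)$")
EXE_RE = re.compile(r'(?i)^"?(.+?\.exe)"?')
MISSING = "(file missing)"

def parse_hjt_line(line):
    """Parse one HijackThis entry line; return None for header/process lines."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    sec, body = m.group("sec"), m.group("body")
    missing = body.endswith(MISSING)
    if missing:
        body = body[: -len(MISSING)].strip()
    if sec == "O4":
        # O4 - HKLM\..\Run: [Name] "C:\path\prog.exe" /args -> keep the executable
        target = body.split("] ", 1)[1] if "] " in body else body
        exe = EXE_RE.match(target)
        path = exe.group(1) if exe else target
    else:
        # O2/O3/O9/O16: "Description - {CLSID} - C:\path\file.dll" -> last field
        path = body.rsplit(" - ", 1)[-1]
    return {"section": sec, "path": path.strip(), "missing": missing, "line": line.strip()}

def flag_entries(log_lines, suspect_paths=()):
    """Return (line, reason) pairs: orphaned entries, known-bad autoruns, TEMP autoruns."""
    suspects = {p.lower() for p in suspect_paths}
    flagged = []
    for line in log_lines:
        e = parse_hjt_line(line)
        if e is None:
            continue
        if e["missing"]:
            flagged.append((e["line"], "orphaned entry: target file missing"))
        elif e["section"] == "O4" and e["path"].lower() in suspects:
            flagged.append((e["line"], "autorun points at a known-bad file"))
        elif e["section"] == "O4" and "\\temp\\" in e["path"].lower():
            flagged.append((e["line"], "autorun launched from a TEMP directory"))
    return flagged

# Constructed sample: lines copied from the log in this thread.
SAMPLE_LOG = [
    r"O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRAM FILES\YAHOO!\COMMON\YIESRVC.DLL (file missing)",
    r"O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe",
    r"O4 - HKCU\..\Run: [Gfrhhzeh] C:\WINDOWS\Htpe\rkcjb.exe",
    r'O4 - HKLM\..\Run: [F-STOPW.EXE] "C:\Program Files\FSI\F-Prot\F-STOPW.EXE"',
]
KNOWN_BAD = [r"C:\WINDOWS\Htpe\rkcjb.exe"]  # path identified earlier in the thread
```

Running `flag_entries(SAMPLE_LOG, KNOWN_BAD)` flags the orphaned Yahoo! BHO and the rkcjb.exe autorun and leaves the two legitimate Run entries alone.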


#11 elomont

elomont
  • Topic Starter

  • Members
  • 98 posts
  • Local time:04:28 AM

Posted 01 May 2007 - 01:02 PM

Yourhighness,

Do I need to bow as I'm typing that?

I went to UploadMalware.com and entered elomont and the link into the Email or Topic, but when I browse to find those filenames, I can't find any of them. Am I doing something wrong?

I ran a new HijackThis, but couldn't find all the entries you wanted me to. I checked everything I could find and ran a new log. I also deleted the McAfee file. Here is the new HijackThis log:


Logfile of HijackThis v1.99.1
Scan saved at 1:58:38 PM, on 5/1/07
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\CPQDIAG\CPQDFWAG.EXE
C:\WINDOWS\SYSTEM\KB918547\KB918547.EXE
c:\windows\SYSTEM\KB891711\KB891711.EXE
C:\COMPAQ\INTERNET\ISDBDC.EXE
C:\WINDOWS\SYSTEM\SA3DSRV.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\MOUSE\SYSTEM\EM_EXEC.EXE
C:\PROGRAM FILES\FSI\F-PROT\F-SCHED.EXE
C:\PROGRAM FILES\FSI\F-PROT\FPAVUPDM.EXE
C:\COMPAQ\CPQINET\CPQINET.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\MOTIVE\MOTIVEASSISTANT\MOTMON.EXE
C:\PROGRAM FILES\TROJANHUNTER 4.6\THGUARD.EXE
C:\PROGRAM FILES\MICROSOFT MONEY\SYSTEM\REMINDER.EXE
C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\BTTNSERV.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\AGNITUM\OUTPOST FIREWALL 1.0\OUTPOST.EXE
C:\PROGRAM FILES\FSI\F-PROT\F-STOPW.EXE
C:\PROGRAM FILES\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.presario.net/scripts/redirec...bar&LC=0409
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
R3 - Default URLSearchHook is missing
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YT.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YT.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [EM_EXEC] c:\mouse\system\em_exec.exe
O4 - HKLM\..\Run: [OEMCLEANUP] C:\windows\OPTIONS\oemreset.exe
O4 - HKLM\..\Run: [CriticalUpdate] c:\windows\SYSTEM\wucrtupd.exe -startup
O4 - HKLM\..\Run: [FRISK FP-Scheduler] C:\Program Files\FSI\F-Prot\F-Sched.exe STARTUP
O4 - HKLM\..\Run: [F-STOPW.EXE] "C:\Program Files\FSI\F-Prot\F-STOPW.EXE"
O4 - HKLM\..\Run: [FRISK_MONITOR] "C:\Program Files\FSI\F-Prot\fpavupdm.exe" /RAP
O4 - HKLM\..\Run: [CPQInet Runtime Service] c:\compaq\CPQInet\CpqInet.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Aureal A3D Interactive Audio Init] A3dInit.exe
O4 - HKLM\..\Run: [MotiveMonitor] C:\Program Files\Motive\MotiveAssistant\motmon.exe
O4 - HKLM\..\Run: [OutpostFeedBack] C:\PROGRAM FILES\AGNITUM\OUTPOST FIREWALL 1.0\feedback.exe /dump:os_startup
O4 - HKLM\..\Run: [THGuard] "C:\PROGRAM FILES\TROJANHUNTER 4.6\THGUARD.EXE"
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [CPQDFWAG] C:\WINDOWS\cpqdiag\CpqDfwAg.exe
O4 - HKLM\..\RunServices: [KB918547] C:\WINDOWS\SYSTEM\KB918547\KB918547.EXE
O4 - HKLM\..\RunServices: [KB891711] c:\windows\SYSTEM\KB891711\KB891711.EXE
O4 - HKLM\..\RunServices: [isdbdc] c:\compaq\internet\isdbdc.exe
O4 - HKLM\..\RunServices: [Aureal A3D Interactive Audio] sa3dsrv.exe
O4 - HKLM\..\RunServices: [HC Reminder] hc.exe
O4 - HKCU\..\Run: [Reminder] C:\Program Files\Microsoft Money\System\reminder.exe
O4 - Startup: EPSON Status Monitor 3 Environment Check.lnk = C:\WINDOWS\SYSTEM\E_SRCV03.EXE
O4 - Startup: PowerReg SchedulerV2.exe
O4 - Startup: EPSON Background Monitor.lnk = C:\Program Files\Common Files\EPSON\EBAPI\Stms.exe
O8 - Extra context menu item: AltaVista Home - http://jump.altavista.com/avie5/home
O8 - Extra context menu item: AV Search This Term - http://jump.altavista.com/avie5/search
O8 - Extra context menu item: AV Translate this Web Page - http://jump.altavista.com/avie5/babelfish
O8 - Extra context menu item: AV Translate Selection - http://jump.altavista.com/avie5/babelfish
O9 - Extra button: (no name) - {06FE5D00-8F11-11d2-804F-00105A133818} - http://jump.altavista.com/avie5/home (file missing)
O9 - Extra 'Tools' menuitem: &AltaVista Home - {06FE5D00-8F11-11d2-804F-00105A133818} - http://jump.altavista.com/avie5/home (file missing)
O9 - Extra button: Translate - {06FE5D05-8F11-11d2-804F-00105A133818} - http://jump.altavista.com/avie5/babelfish (file missing)
O9 - Extra 'Tools' menuitem: AV &Translate - {06FE5D05-8F11-11d2-804F-00105A133818} - http://jump.altavista.com/avie5/babelfish (file missing)
O9 - Extra button: (no name) - {06FE5D02-8F11-11d2-804F-00105A133818} - http://jump.altavista.com/avie5/linksearch (file missing)
O9 - Extra 'Tools' menuitem: &Find Pages Linking to this URL - {06FE5D02-8F11-11d2-804F-00105A133818} - http://jump.altavista.com/avie5/linksearch (file missing)
O9 - Extra button: (no name) - {06FE5D03-8F11-11d2-804F-00105A133818} - http://jump.altavista.com/avie5/hostsearch (file missing)
O9 - Extra 'Tools' menuitem: Find Other Pages on this &Host - {06FE5D03-8F11-11d2-804F-00105A133818} - http://jump.altavista.com/avie5/hostsearch (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM95\AIM.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_03\bin\npjpi150_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_03\bin\npjpi150_03.dll
O9 - Extra button: Outpost Firewall Pro Quick Tune - {44627E97-789B-40d4-B5C2-58BD171129A1} - C:\PROGRAM FILES\AGNITUM\OUTPOST FIREWALL 1.0\PLUGINS\BROWSERBAR\IE_BAR.DLL
O20 - AppInit_DLLs: c:\program files\agnitum\outpost firewall

#12 Yourhighness

Yourhighness

    The BSG Malware Fighter


  • Malware Response Team
  • 7,943 posts
  • Gender:Male
  • Location:Hamburg
  • Local time:09:28 AM

Posted 02 May 2007 - 11:52 AM

Hi Stephanie,

let's try this: Instead of trying to search for the files, just paste the file paths into the box. If that does not work, let's try this alternative:

Please download the OTMoveIt by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt.exe to run it.
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    • C:\Program Files\UKAZ\IKYHXI.EXE
    • C:\WINDOWS\TEMP\UNI2015.TMP.exe
    • C:\WINDOWS\Htpe\rkcjb.exe
    • C:\Window\TRANICON.EXE
    • C:\KANSUP.REG
    • C:\WINDOWS\TEMP\R.BAT

  • Return to OTMoveIt, right click on the "Paste List of Files/Folders to be moved" window and choose Paste.
  • Click the red Moveit! button.
  • Copy everything on the Results window to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it on your next reply.
  • Close OTMoveIt
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Once this is done, navigate to C:\_OTMoveIt\MovedFiles\ and upload the contents found in this directory to UploadMalware.

Thanks, Johannes

"How did I get infected?" - "Safe-hex" - Member of UNITE -


#13 elomont

elomont
  • Topic Starter

  • Members
  • 98 posts
  • Local time:04:28 AM

Posted 02 May 2007 - 02:01 PM

Yourhighness,

I'll give it a try the first way and this new way. I'll see if either work.

I gave the computer back to my parents, so I won't be back at that computer for a few days, maybe this weekend, so you probably won't hear from me until then.

Thanks,

Steph

#14 elomont

elomont
  • Topic Starter

  • Members
  • 98 posts
  • Local time:04:28 AM

Posted 04 May 2007 - 05:22 PM

Yourhighness,

I tried the first way, to which I could not find any of the files by browsing for them. I then tried to copy and paste them on UploadMalware, to which I got a response of 0 bytes were downloaded and that I should tell you about this.

I then tried the alternative you said to do, but after running it and copying the results to my reply to you, I could not find the file from OTMoveIt and believed I was overlooking it. I thought I had to restart (don't ask me why) in order to find them. So, I restarted, but in doing so, lost the results of the first copy and paste of OTMoveIt and what I had started to write to you. I ran OTMoveIt again after restarting and here are the results I got:

File/Folder C:\Program Files\UKAZ\IKYHXI.EXE not found.
File/Folder C:\WINDOWS\TEMP\UNI2015.TMP.exe not found.
File/Folder C:\WINDOWS\Htpe\rkcjb.exe not found.
File/Folder C:\Window\TRANICON.EXE not found.
File/Folder C:\KANSUP.REG not found.
File/Folder C:\WINDOWS\TEMP\R.BAT not found.
File/Folder not found.
File/Folder not found.

Created on 05/04/2007 17:53:12

Let me know if I need to redo this or if I need to correct my mistake somehow. Sorry.

I then tried to upload the results of the OTMoveIt Moved Files to UploadMalware, but could only copy and paste the three log files contained in the Moved Files folder. There was also a Windows and Kansup file that I could not copy and paste. Here is the result:

Your file (05042007_173004.log) was successfully submitted. If someone requested you submit this file please let them know that you have submitted the file.

Your file (05042007_175312.log) was successfully submitted. If someone requested you submit this file please let them know that you have submitted the file.

Your file (05042007_175251.log) was successfully submitted. If someone requested you submit this file please let them know that you have submitted the file.

I guess that's it for now. I'll wait for your response.

Steph

#15 Yourhighness

Yourhighness

    The BSG Malware Fighter


  • Malware Response Team
  • 7,943 posts
  • Gender:Male
  • Location:Hamburg
  • Local time:09:28 AM

Posted 05 May 2007 - 08:41 AM

Hey Stephanie,

thanks for reporting back.

There was also a Windows and Kansup file that I could not copy and paste. Here is the result:

What do you exactly mean by this? Were there a few folders in the directory, which have names such as

C:\Program Files\
C:\WINDOWS\

There should also be:
C:\KANSUP.REG
In the OTMoveIt folder.

You will find the other files I asked for in subfolders in that directory. To make it easy for you, let's try this:
  • go to the folder: "C:\_OTMoveIt"
  • right-click the folder "MovedFiles"
  • you should now see something like: "add to "MovedFiles.zip"
    • click that option (if you have winRar installed, it should state the same, just with ".rar" at the end)
  • go to UploadMalware and follow the instructions given in my post #10, and at the stage where you browse for the files, you this time just look for the file "MovedFiles.zip" to be uploaded.
Please let me know if that worked and we will go from there.

Thanks, Johannes

"How did I get infected?" - "Safe-hex" - Member of UNITE -
