ATTACHMENT: (to issue/new_post:"possibleTrojans+assortedMALWARE_w/Complications" with_descrip:"TDS-3_log_incl'd" by user:bri)

I request someone take a look at my friend's HJT log, when it gets added (should be next after I receive some needed directions). The following is my service log history for my work on my friend's machine. (Issues are included amongst the exceptional cases in my attempt at following instructions...)

I will eventually be working on 4 or 5 PCs (or will be - this one here is the first and I have yet to even truly begin), with my friend's machine being the initial case/issue (all Win98SE machines, at least at this point). This first sole case/issue is to the Malware Removal Forum, to clean and optimize my friend's PC. There are other issues needing fixing, which, hopefully, will show up on the anticipated HJT log.

(Trojans immediately following are ID'd with Symantec's antivirus encyclopedia naming conventions.) I am NOT convinced that all of my friend's trojans have been cleaned from his system yet. They reportedly continue to return, over time, even after paid help from a supposed professional, of which I am Not. At one point in the past several months, he had at least four types, including a general (perhaps unidentifiable generic-typed) 'trojan horse,' and "trojan.download," also "trojan.downloader," and "PWSteal.trojan."

Note that I have yet to install or run TDS-3, but I shall (AMENDED: have), if it is advised and necessary, for we prefer Not to install stuff we cannot afford... although I would say my friend may decide to afford (pending) the product to get his system working again. (I do understand there is a free 30-day trial period, however...) {making use of it now} (AMENDED: I went ahead and took advantage of/started the free 30-day trial period on TDS-3 for my friend.) [Also, note that his machine has had browser startpage trojan issues, as well...]

I have attempted to follow every other step (save for the actual HJT step) to the letter; you may read exceptions below: <-SNIP-> (I don't REALLY suppose you guys want the play-by-play below, even of only the failed ops...) (...even if there may be some relevant and quite helpful info herein, so I'll let you ask me questions, as many of you appear to like to do so :I ..)

I have told Michelle and others within LiveChat that I've had no connection troubles with the machine being worked on, but this is only partially true. I mentioned to her that I get disconnects and failed dialups at the service (my friend and I both use the same service) with my (own) oldest machine only (...supposedly due to high dialup modem pool traffic volume...(?)). I've actually been having intermittent dialup difficulty with ALL THREE machines here now, to be most accurate, however. My friend's Win98SE machine (all three machines are Win98SE) is the only one at question right now, though (i.e., the only one being worked on right now).

ISSUES: (in an attempt to get to the point of being able to post an HJT log)

-2o?> (According to advice given me in LiveChat, I have re-enabled some long-ago-disabled startup items (from the get-go, for this cleaning of my friend's machine). I was not conversant with HJT at that time, and yet remain so, for the time being (just one or two steps away from completion).)

-1o?> NOTE: my friend has previously "ghost"ed or somehow upgraded to a larger HD! (So he now has two hard drives: a larger "C:\" and a smaller/original "D:\", with the (new) C drive being the bootup drive.)

0o?> (My friend's machine had previously had downloader.trojan and probably some other trojans removed from it with AVG and/or Symantec AntiVirus client: {we had gotten hits reported from Symantec AntiVirus client of, also: download.trojan, "trojan horse" and pwsteal.trojan (as well as, possibly some time in earlier days, the "CIH" virus - I am uncertain as to whether CIH ever delivered its payload, nor even positive whether or not it ever infected the system in question - however, it did appear to show up on a previous log of some sort of antivirus software on his system, if not mistaken - but no longer(?))})

1o?> (...therefore, due to the info above regarding intermittent dialup difficulties, I performed the WinsockFix for Win98SE upon his machine.) WinsockFix gave me two options for 3 files, with what appeared to be dialogs from Windows CAB files being accessed, which came up warning me that I could replace/copy over newer versions of the three files in question (but I have done as Windows recommended and kept the existing (newer) versions instead). His (and all three) machines are yet able to connect to the internet, however, again, with some intermittent difficulties on all three PCs (again, random disconnects, and some failed initial dialup attempts - once connected, however, they tend to stay connected for a good long while, generally; yet the initial failed dialups seem pervasive).

(1o3:) File name: snmpapi.dll   Description: SNMP Utility Library   Your version: 5.00.2195.5513
(2o3:) File name: vip.386   Description: Windows IP Driver   Your version: 4.10.2226
(3o3:) File name: telnet.exe   Description: Telnet Program   Your version: 5.00.1755.2
<..>

2o?> One of your required Ad-Aware settings is unsettable (on all three of the Win98SE machines here, 2 of these PCs belonging to me (one only recently gifted from my aunt, thus relatively new and untouched), and the one under consideration herein, which I am cleaning for a friend {I am uncertain as to whether this setting is even settable in ANY Win98SE environment}): Config (gear icon option) > Tweak > Cleaning Engine > "2) During removal, unload Explorer and IE if necessary"

3o?> Ad-Aware crashed when a certain critical object was found as one of his processes, and one of his startup items seemed to be in question, and so, after the whole scan completed successfully, "quarantining" went off successfully, but then the "deleting" phase/pass failed, and Ad-Aware 'hung'. So I did a machine reset, rescanned and reprocessed, removing the few that showed up this latter time, and everything 'seemed' to be OK.

4o?> Spybot appears to flag Pest Patrol as still installed on his (my friend's) machine, when I know I've done an uninstall via Add/Remove Programs for this app; also, I've had other difficulties with apparent partial uninstalls on his machine, including a startup icon, GuardDog.exe, which it seems was never uninstalled but only disabled via the addition of a new hard drive (to repeat: at one point, my friend upgraded with a new, larger hard drive, ghosted or some such operation *sigh*) { - as guarddog.exe comes up as a missing icon (startup item) upon bootup... (although a match is found within the Guard Dog app directories on the D drive)} - and other partial uninstalls seem to be apparent...

5o?> Spybot crashed ("when?":..) after asking to be allowed to reboot as a temporary startup item, so as to be able to remove some lingering malware, but precisely after the bootup AND after a successful lengthy scan, but therein upon setup into the Spybot application proper {I do NOT believe Windows had a chance to fully boot up}: the app windows failed to fully render, the machine 'hung' once again, and I did another machine reset and rebooted. (I am aware of the process of going to the Close Program dialog with a single Ctrl-Alt-Delete (to remove certain processes in an attempt to enable a more controlled shutdown), but it doesn't always seem to work, and while you sometimes need to instead press the other Delete key (above the arrow keypad set, and within the Insert/Delete, Home/End, Page Up/Page Down set, instead of the one within the numeric keypad set), I do not always think to try this alternative, and quite often it's impossible to successfully perform either and the machine is truly hung/frozen/dead.) And then, just as with Ad-Aware, I re-ran Spybot and re-performed a scan, which came up with a few hits, and again once more, things 'seemed' to go off successfully.

6o?> Trend Micro's HouseCall online scan came up with the following (2 of 2):

Virus Scan Result   File
" TROJ STARTPAG.QY   CanNotAccess   C:\WINDOWS\SYSTEM\eliteriw32.exe "
TROJ STARTPAG.QY   Non Cleanable   C:\WINDOWS\SYSTEM\temperror32.dat

...which I left alone, rather than attempting to delete, which was the only other option.

(During the 1st of my 2 attempts at performing Trend Micro's HouseCall online antivirus scan (the 2nd of which appeared to be somewhat successful - at least in its diagnosis, which found this trojan to be present), 3 or 4 adware banners came up, pop-ups which complained of various spyware and solicited my compliance, and to which my response was, as I've been informed by some respectable sites, to close them using the upper right hand corner title-bar close (X) button, until one pop-up came up which had the close button disabled, for which I attempted to access the Close Programs dialog with a single Ctrl-Alt-Delete, which failed. Eventually, AFTER the scan was done, I was able to try again to access the Close Programs dialog box and attempt to close the offending pop-up advertisement, which resulted in closing ALL open IE windows :( ...)

7o?> (Uninstalled Symantec AntiVirus client & re-installed (from an old) AVG.) (Symantec AntiVirus client asked to release quarantined, so I did.)

8o?> AVG scan: came up with the same two files as Trend Micro's HouseCall, only AVG calls the trojan horse "Startpage.21.AL", and the info it gives on them suggests it is OK just to delete trojans, and it did so automatically without giving me the option, and I could find no settings for "logging-to-file_and_leaving_alone" prior to the scan. As a further measure, upon recalling HouseCall's advice on how to rid myself of the trojan, I am taking the following further steps, prior to any reboot:

*) AVG ultimately stopped responding upon further in-application browsing, after the initial scan, so I shut down the current instance of its Test Center with the Close Programs dialog box.
Ao?> Downloaded winzip90.exe
Bo?> Installed winzip90.exe
Co?> Unzipped procexp.exe
Do?> Running Process Explorer... (only went in and verified that no process (nor registry key) now points to either trojan, above, so, without doing anything on the list of HouseCall's to-dos for ridding the trojan, AVG seems to have done the work for us, if not on these tries, perhaps on an original usage by a service technician, whom my friend earlier paid to install and use AVG for him. (The only possible thing which may perhaps have been left undone of the AVG list might be to reset the internet defaults (Web Settings) from within the Internet Options control panel.) - I'm unconvinced his PC is trojan free) (...after all, they keep coming back for some reason, so something must be reloading them...)
*) I'm Positive there Yet remain Many Other things needing fixing within his registry!
Eo?> Redid both AV scannings, just to be sure. Results:
1o2> AVG: (reports) clean.
2o2> Trend Micro's HouseCall: (reports) clean.
9o?> TDS-3 (Trojan Defense Suite 3) - did not install: neither I nor my friend can afford software right now. (Although I have the install file, in case the thirty-day trial should prove beneficial to him.) *** [AMENDED - see TDS-3 log included within initial-post bottom]
Ao?> Windows critical update: (all critical updates and service packs appear to be installed.)
Bo?> Reboot test: comes up OK, except for that GuardDog.exe startup icon which originates from the ghosting problem when he upgraded/added a hard drive.

And I'm wondering if removing malware and optimizing his system would be considered two separate Forum issues? Or if it can be? Or should? I'd much rather handle it all in one new topic, if possible and appropriate. Please advise. (Also notable: his IE6 runs OK: he owns his own homepage again, and has for quite some time... I've had his machine for yet another month now; I had it for a month or two earlier in the summer, also. *sigh* I've fixed certain things, failed at others...)

Co?> I guess that's it. I may be ready to run HJT and post its log now, and I'm Perfectly willing to firstly install and run TDS-3 - w/supervision, as I'd Much rather be doing this properly the 1st time, if possible. {AMENDED: (done.)}

Thanks to the GeeksToGo staff and everyone who's helping... :) -bri/bcc

P.S. Excal and Insipid have both requested to see my posted link, so I'll probably travel to LiveChat to see if either of them would wish to engage in this any time soon, thanks! :)))

P.P.S. I took a quick look at a re-running of Belarc's application for my friend's PC: (Belarc Advisor indicates NO Windows hotfixes need reinstalling but for a few WMP fixes at this time.)

P.P.P.S. ALSO NOTABLE of recent (the past couple of days): I've been denying access to the internet to Microsoft's loadqm/QMgr process, and now the thing is attempting to access the internet at a constant rate, all the while I'm logged on the internet... seems to be verified by Process Explorer... Not definitively so, necessarily, as I'm now finally ready to post (everything is done now but for the HJT posting, which I've decided to leave off pending further directions from you guys), as now there appears to be no further constant accessing going on... (Process Explorer had SEEMED to show fairly definitively in its activity graph that the only things currently running were the loadqm process (mostly), and to a lesser degree, Process Explorer itself (during all the internet activity - I could see this was going on from ZoneAlarm (scratch that, I don't think ZoneAlarm showed any activity, but the modem system-tray icon lit up in a regular pattern)), but I've only just started using Process Explorer...)