Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

Please help with HijackThis log?[RESOLVED]

Started by clintbrass , Mar 13 2005 11:51 PM

  • This topic is locked This topic is locked

#1
clintbrass
Posted 13 March 2005 - 11:51 PM

clintbrass

    Member

  • Member
  • PipPip
  • 12 posts
Hi, I've followed the directions on http://www.geekstogo/forum/You_Must ... with regard to basic scanning. Unfortunately, I'm still experiencing occasional redirects to websites that dump a lot of spyware on my computer.

I scanned with the most up-to-date versions (after checking online for updates) of Ad-aware SE, CWShredder, and Spybot S&D. I also scanned with my Norton Antivirus Corporate Edition (again, updated). But I'm still getting redirected to spyware websites. In addition, when I tried to install SpywareBlaster (in both regular and safe modes), I was unsuccessful. The Javacool website said that I should mention that when trying to install the software, the following error displayed: "This program has been damaged, possibly by a bad sector of the hard drive or a virus. Please reinstall it." I was able to install SpywareGuard, but something seems to be interfering with my ability to update it.

At that point, I downloaded a fresh setup package for reinstallation, but that resulted in the same outcome, both in regular and safe modes. Thus, I finally ran HijackThis 1.99.1, both in regular mode and in safe mode. I'm not sure if seeing the contrast is helpful, but judging that the SpyBlaster installation was unsuccessful even in safe mode, my guess is that the contrast may be helpful in seeing what I'm contending with even in safe mode. The two HijackThis logs follow, with the regular one first, and then the log from safe mode.

Thank you very, very much for any help you can provide. It's so great that folks help each other with this stuff. Curses on the spyware jerks.

Clint

****
REGULAR MODE
****
Logfile of HijackThis v1.99.1
Scan saved at 12:21:39 AM, on 3/14/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\RTVSCN95.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\DEFWATCH.EXE
C:\WINDOWS\SYSTEM\CBA\PDS.EXE
C:\WINDOWS\SYSTEM\CBA\XFR.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\PROGRAM FILES\NORTON UTILITIES\NPROTECT.EXE
C:\WINDOWS\SYSTEM\MSGSYS.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\VPTRAY.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\PNY ATTACHé\SHWICON.EXE
C:\PROGRAM FILES\EARTHLINK TOTALACCESS\TASKPANL.EXE
C:\PROGRAM FILES\NORTON UTILITIES\SYSDOC32.EXE
C:\PROGRAM FILES\IOMEGA\TOOLS\IMGICON.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\SPYWAREGUARD\SGMAIN.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\PROGRAM FILES\SPYWAREGUARD\SGBHP.EXE
C:\PROGRAM FILES\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_5_7_0.DLL
O2 - BHO: BrowserHelper Class - {EBCDDA60-2A68-11D3-8A43-0060083CFB9C} - C:\WINDOWS\SYSTEM\NZDD.DLL
O2 - BHO: (no name) - {0E4B32CB-A025-A8D8-0A46-FBCACFD79B99} - C:\WINDOWS\SYSTEM\IXHZQCL.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\PROGRAM FILES\SPYWAREGUARD\DLPROTECT.DLL
O3 - Toolbar: (no name) - {82599E0A-8C81-11d7-9F97-0050FC5441CB} - C:\WINDOWS\SYSTEM\shdocvw.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_5_7_0.DLL
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [TCASUTIEXE] TCAUDIAG.EXE -off
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\NORTON~4\VPTRAY.EXE
O4 - HKLM\..\Run: [NPROTECT] C:\Program Files\Norton Utilities\NPROTECT.EXE
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [ShowIcon_PNY_PNY Attaché] "C:\Program Files\PNY Attaché\shwicon.exe" -t"PNY\PNY Attaché"
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [rtvscn95] C:\PROGRA~1\NORTON~4\RTVSCN95.EXE
O4 - HKLM\..\RunServices: [defwatch] C:\PROGRA~1\NORTON~4\DEFWATCH.EXE
O4 - HKLM\..\RunServices: [Intel PDS] c:\windows\system\cba\pds.exe
O4 - HKLM\..\RunServices: [Intel File Transfer] c:\windows\system\cba\xfr.exe
O4 - HKLM\..\RunServices: [TMA Distribution] c:\windows\system\cba\lcfinst.exe
O4 - HKLM\..\RunServices: [NPROTECT] C:\Program Files\Norton Utilities\NPROTECT.EXE
O4 - HKCU\..\Run: [MsnMsgr] "c:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Hoiwpy] C:\WINDOWS\SYSTEM\jll.exe
O4 - HKCU\..\Run: [Oteu] C:\WINDOWS\Application Data\hstt.exe
O4 - HKCU\..\Run: [E6TaskPanel] "C:\PROGRAM FILES\EARTHLINK TOTALACCESS\TASKPANL.EXE" -noauth
O4 - Startup: Norton System Doctor.lnk = C:\Program Files\Norton Utilities\SYSDOC32.EXE
O4 - Startup: IomegaWare.lnk = C:\Program Files\Iomega\IomegaWare\Commander.exe
O4 - Startup: Iomega QuikSync.lnk = C:\Program Files\Iomega\QuikSync\QuikSync.exe
O4 - Startup: Iomega Icons.lnk = C:\Program Files\Iomega\Tools\imgicon.exe
O4 - Startup: Iomega Startup Options.lnk = C:\Program Files\Iomega\Tools\imgstart.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: RealDownload.lnk = C:\Program Files\Real\RealDownload\REALDOWNLOAD.EXE
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES0521.DLL
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES0521.DLL
O15 - Trusted Zone: *.windupdates.com (HKLM)
O15 - Trusted Zone: *.skoobidoo.com (HKLM)
O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.24.14...tiveXImgCtl.CAB
O16 - DPF: {F5D98C43-DB16-11CF-8ECA-0000C0FD59C7} (ActiveCGM Control) - http://www.isgraf.is...m/acgm/acgm.cab
O16 - DPF: {11111111-1111-1111-1111-111111113457} - file://c:\ied_s7m.cab
O16 - DPF: {11111111-1111-1111-1111-511111113457} - file://c:\x.cab
O16 - DPF: {11111111-1111-1111-1111-511111113458} - file://c:\x.cab



****
FROM SAFE MODE
****
Logfile of HijackThis v1.99.1
Scan saved at 12:25:48 AM, on 3/14/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_5_7_0.DLL
O2 - BHO: BrowserHelper Class - {EBCDDA60-2A68-11D3-8A43-0060083CFB9C} - C:\WINDOWS\SYSTEM\NZDD.DLL
O2 - BHO: (no name) - {0E4B32CB-A025-A8D8-0A46-FBCACFD79B99} - C:\WINDOWS\SYSTEM\IXHZQCL.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\PROGRAM FILES\SPYWAREGUARD\DLPROTECT.DLL
O3 - Toolbar: (no name) - {82599E0A-8C81-11d7-9F97-0050FC5441CB} - C:\WINDOWS\SYSTEM\shdocvw.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_5_7_0.DLL
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [TCASUTIEXE] TCAUDIAG.EXE -off
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\NORTON~4\VPTRAY.EXE
O4 - HKLM\..\Run: [NPROTECT] C:\Program Files\Norton Utilities\NPROTECT.EXE
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [ShowIcon_PNY_PNY Attaché] "C:\Program Files\PNY Attaché\shwicon.exe" -t"PNY\PNY Attaché"
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [rtvscn95] C:\PROGRA~1\NORTON~4\RTVSCN95.EXE
O4 - HKLM\..\RunServices: [defwatch] C:\PROGRA~1\NORTON~4\DEFWATCH.EXE
O4 - HKLM\..\RunServices: [Intel PDS] c:\windows\system\cba\pds.exe
O4 - HKLM\..\RunServices: [Intel File Transfer] c:\windows\system\cba\xfr.exe
O4 - HKLM\..\RunServices: [TMA Distribution] c:\windows\system\cba\lcfinst.exe
O4 - HKLM\..\RunServices: [NPROTECT] C:\Program Files\Norton Utilities\NPROTECT.EXE
O4 - HKCU\..\Run: [MsnMsgr] "c:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Hoiwpy] C:\WINDOWS\SYSTEM\jll.exe
O4 - HKCU\..\Run: [Oteu] C:\WINDOWS\Application Data\hstt.exe
O4 - HKCU\..\Run: [E6TaskPanel] "C:\PROGRAM FILES\EARTHLINK TOTALACCESS\TASKPANL.EXE" -noauth
O4 - Startup: Norton System Doctor.lnk = C:\Program Files\Norton Utilities\SYSDOC32.EXE
O4 - Startup: IomegaWare.lnk = C:\Program Files\Iomega\IomegaWare\Commander.exe
O4 - Startup: Iomega QuikSync.lnk = C:\Program Files\Iomega\QuikSync\QuikSync.exe
O4 - Startup: Iomega Icons.lnk = C:\Program Files\Iomega\Tools\imgicon.exe
O4 - Startup: Iomega Startup Options.lnk = C:\Program Files\Iomega\Tools\imgstart.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: RealDownload.lnk = C:\Program Files\Real\RealDownload\REALDOWNLOAD.EXE
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES0521.DLL
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES0521.DLL
O15 - Trusted Zone: *.windupdates.com (HKLM)
O15 - Trusted Zone: *.skoobidoo.com (HKLM)
O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.24.14...tiveXImgCtl.CAB
O16 - DPF: {F5D98C43-DB16-11CF-8ECA-0000C0FD59C7} (ActiveCGM Control) - http://www.isgraf.is...m/acgm/acgm.cab
O16 - DPF: {11111111-1111-1111-1111-111111113457} - file://c:\ied_s7m.cab
O16 - DPF: {11111111-1111-1111-1111-511111113457} - file://c:\x.cab
O16 - DPF: {11111111-1111-1111-1111-511111113458} - file://c:\x.cab
  • 0

Advertisements

#2
don77
Posted 22 March 2005 - 10:24 PM

don77

    Malware Expert

  • Retired Staff
  • 18,526 posts
Hi Clint and welcome.



Download and install Cleanup

Also
Dowload the following program
CWShredder
It should be the current version, but check for updates
“Don’t run it yet”

Please download and install Ad-aware.
Setting up Ad-aware- please make sure you update it first




Next,. Reboot into SAFE MODE
Please restart HJT put a check next to the following if they still exist, close all open windows and click “fix.checked”

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
O2 - BHO: (no name) - {0E4B32CB-A025-A8D8-0A46-FBCACFD79B99} - C:\WINDOWS\SYSTEM\IXHZQCL.DLL
O4 - HKCU\..\Run: [Hoiwpy] C:\WINDOWS\SYSTEM\jll.exe
O4 - HKCU\..\Run: [Oteu] C:\WINDOWS\Application Data\hstt.exe
O15 - Trusted Zone: *.windupdates.com (HKLM)
O15 - Trusted Zone: *.skoobidoo.com (HKLM)
O16 - DPF: {11111111-1111-1111-1111-111111113457} - file://c:\ied_s7m.cab
O16 - DPF: {11111111-1111-1111-1111-511111113457} - file://c:\x.cab
O16 - DPF: {11111111-1111-1111-1111-511111113458} - file://c:\x.cab

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
Unless you set or your Admin or a third party software set the above, Please have HJT fix them as well.

make sure you can view all View all Hidden Files/Folders search for and delete the following in BOLD if still present

C:\WINDOWS\SYSTEM\IXHZQCL.DLL
C:\WINDOWS\SYSTEM\jll.exe
C:\WINDOWS\Application Data\hstt.exe
c:\ied_s7m.cab
c:\x.cab

I would like for you to also search for the following and if any are found please delete all and any of them, They may be in more than 1 locations be sure and delete all of them please

ieplugin.dll
se.dll
systb.dll
winobject.dll
extract.exe
se.exe
systb.exe
wdskctl.exe
wupdt.exe
winserv.exe


Next,
Run Program cwshredder and have it fix anything it finds.
Make sure you click the “Fix” button


Next,
Open Cleanup! Click on clean up now and let it run,
When it has finished click NO to reboot now.

Next,
Scan with AdAware have it remove what it finds

Restart your computer, Post back a fresh log please
  • 0

#3
clintbrass
Posted 23 March 2005 - 12:11 AM

clintbrass

    Member

  • Topic Starter
  • Member
  • PipPip
  • 12 posts
Hi Don77, thanks so much for helping. I followed your directions. I tried again to install SpywareBlaster, but it displayed the same message as before, that I might have a virus. (I included the verbatim message in my previous post.) I scanned with Norton AntiVirus to no avail. As I wrote previously, Javacool's website told me to be sure to share that information with you.

Here is my fresh log:

*************

Logfile of HijackThis v1.99.1
Scan saved at 12:57:02 AM, on 3/23/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\RTVSCN95.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\DEFWATCH.EXE
C:\WINDOWS\SYSTEM\CBA\PDS.EXE
C:\WINDOWS\SYSTEM\CBA\XFR.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\PROGRAM FILES\NORTON UTILITIES\NPROTECT.EXE
C:\WINDOWS\SYSTEM\MSGSYS.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\VPTRAY.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\PNY ATTACHé\SHWICON.EXE
C:\PROGRAM FILES\EARTHLINK TOTALACCESS\TASKPANL.EXE
C:\PROGRAM FILES\NORTON UTILITIES\SYSDOC32.EXE
C:\PROGRAM FILES\IOMEGA\TOOLS\IMGICON.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\PROGRAM FILES\HIJACKTHIS\HIJACKTHIS.EXE

O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_5_7_0.DLL
O2 - BHO: BrowserHelper Class - {EBCDDA60-2A68-11D3-8A43-0060083CFB9C} - C:\WINDOWS\SYSTEM\NZDD.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: (no name) - {82599E0A-8C81-11d7-9F97-0050FC5441CB} - C:\WINDOWS\SYSTEM\shdocvw.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_5_7_0.DLL
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [TCASUTIEXE] TCAUDIAG.EXE -off
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\NORTON~4\VPTRAY.EXE
O4 - HKLM\..\Run: [NPROTECT] C:\Program Files\Norton Utilities\NPROTECT.EXE
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [ShowIcon_PNY_PNY Attaché] "C:\Program Files\PNY Attaché\shwicon.exe" -t"PNY\PNY Attaché"
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [rtvscn95] C:\PROGRA~1\NORTON~4\RTVSCN95.EXE
O4 - HKLM\..\RunServices: [defwatch] C:\PROGRA~1\NORTON~4\DEFWATCH.EXE
O4 - HKLM\..\RunServices: [Intel PDS] c:\windows\system\cba\pds.exe
O4 - HKLM\..\RunServices: [Intel File Transfer] c:\windows\system\cba\xfr.exe
O4 - HKLM\..\RunServices: [TMA Distribution] c:\windows\system\cba\lcfinst.exe
O4 - HKLM\..\RunServices: [NPROTECT] C:\Program Files\Norton Utilities\NPROTECT.EXE
O4 - HKCU\..\Run: [MsnMsgr] "c:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [E6TaskPanel] "C:\PROGRAM FILES\EARTHLINK TOTALACCESS\TASKPANL.EXE" -noauth
O4 - Startup: Norton System Doctor.lnk = C:\Program Files\Norton Utilities\SYSDOC32.EXE
O4 - Startup: IomegaWare.lnk = C:\Program Files\Iomega\IomegaWare\Commander.exe
O4 - Startup: Iomega QuikSync.lnk = C:\Program Files\Iomega\QuikSync\QuikSync.exe
O4 - Startup: Iomega Icons.lnk = C:\Program Files\Iomega\Tools\imgicon.exe
O4 - Startup: Iomega Startup Options.lnk = C:\Program Files\Iomega\Tools\imgstart.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: RealDownload.lnk = C:\Program Files\Real\RealDownload\REALDOWNLOAD.EXE
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES0521.DLL
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES0521.DLL
O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.24.14...tiveXImgCtl.CAB
O16 - DPF: {F5D98C43-DB16-11CF-8ECA-0000C0FD59C7} (ActiveCGM Control) - http://www.isgraf.is...m/acgm/acgm.cab
  • 0

#4
don77
Posted 23 March 2005 - 05:44 AM

don77

    Malware Expert

  • Retired Staff
  • 18,526 posts
Welcome so far Clint,
That seems to have cleaned up most of the crap on your machine,

Please run these two online scans. Make sure they are set to clean automatically:

TrendMicro's HouseCall
ActiveScan

You should try to delete any files that these scanners are unable to clean. Then let us know if its working better and what the scans found.

Then scan again with HijackThis and post another log.
  • 0

#5
don77
Posted 23 March 2005 - 05:47 AM

don77

    Malware Expert

  • Retired Staff
  • 18,526 posts
Hi again Clint,
Could you tell me what if any of the following were found when seraching for files to delete please,

ieplugin.dll
se.dll
systb.dll
winobject.dll
extract.exe
se.exe
systb.exe
wdskctl.exe
wupdt.exe
winserv.exe


I m curious, Help to know this,
Thanks
Don
  • 0

#6
clintbrass
Posted 23 March 2005 - 09:21 AM

clintbrass

    Member

  • Topic Starter
  • Member
  • PipPip
  • 12 posts
Hi Don, I'm sorry, I should have told you that. There were two copies of extract.exe. I'm away from my machine now, but both were in the windows directory, one in the command subdirectory, and the other I don't recall exactly. I'll do the online scans, etc., tonight and post the new HJT log. Thanks again.
Clint
  • 0

#7
clintbrass
Posted 03 April 2005 - 03:56 PM

clintbrass

    Member

  • Topic Starter
  • Member
  • PipPip
  • 12 posts
Hi Don, here's the latest in my travails. I've followed all directions but have continued to experience some problems.
Thanks so much for your help.
Clint



MORE SPECIFICS
I don't know the terminology here, but I've learned from looking at other strings that I need to be as specific as I can in order to be helpful. It looks like I have a browser hijacker? In particular, my browser has been sent to the following two sites, primarily.

h**p://66.230.167.104/sout.php?fc=64
[this seems to do two things... (1) take over a browser window and switch it to various malware-infested pornography sites, and (2) open a window within a window, if that makes any sense... almost like it opens a connection to another web page within the web page you're looking at]

h**p://vv2.i1.topx.cc/index.php?aid=20038
[I've caught this before it went too far, but it may have been trying to send me to a search site that seemed to dump malware on the machine, as well as opening up browser windows to malware sites.]

I searched Google for these addresses and ones similar to them, e.g., posted on sites like this one. I'm not sure I made any progress, but one thing I did find was that ...

O3 - Toolbar: (no name) - {82599E0A-8C81-11d7-9F97-0050FC5441CB} - C:\WINDOWS\SYSTEM\shdocvw.dll

... was written up on one website to be "TinyBar D". I fixed that with HighJack this, with some speed benefits, and I've not recently been sent to this website:

h**p://66.230.167.104/sout.php?fc=64

However, I've continued to be sent to the other one.
h**p://vv2.i1.topx.cc/index.php?aid=20038

... and I'm not sure I've solve any problems.



WHAT I'VE DONE
I went into safe mode and utilized, with browser windows closed, Norton AV, AdAware, SpyBot, CWSShredder, and CleanUp.exe (all updated). I also performed the online scan from Panda ActiveScan, but was unable to do so with TrendMicro's HouseCall, which never worked ("Iexplore: this program has performed an illeagal operation and will be shut down"), followed by the machine hanging up in safe mode, where I had to use the task manager to get out of "DDE Server Window".

Further below, I've posted fresh HighJack this and ActiveScan outputs.

Finally, I attempted again to install SpywareBlaster 3.3 in both regular and safe modes, but was unsuccessful. Javacool's website said [http://www.javacools...7/007/article/]
I should be sure to mention that I am receiving the “program has been damaged” error message with SpywareBlaster.



ACTIVESCAN ONLINE RUN
Here's what came up with the ActiveScan run, before I went into safe mode. It appears that CleanUp killed everything except for "SideSearch", which ActiveScan gives no details on how to fix.


Incident Status Location

Adware:Adware/SideSearch No disinfected Windows Registry
Virus:Trj/Downloader.WT Disinfected Operating system
Adware:Adware/WUpd No disinfected C:\WINDOWS\Temporary Internet Files\Content.IE5\K5GHEN8H\main[1].htm
Virus:Trj/Downloader.WT No disinfected C:\WINDOWS\Temporary Internet Files\Content.IE5\8BFRMSP5\eied_s7_80[1].cab[eied_s7_c_80.exe]
Virus:Trj/Downloader.WT No disinfected C:\WINDOWS\Temporary Internet Files\Content.IE5\8BFRMSP5\eied_s7_80[1].cab[eied.inf]
Virus:Trj/Downloader.WT No disinfected C:\RECYCLED\NPROTECT\00000083.CAB[eied_s7_c_80.exe]
Virus:Trj/Downloader.WT No disinfected C:\RECYCLED\NPROTECT\00000083.CAB[eied.inf]
Virus:Trj/Downloader.WT No disinfected C:\RECYCLED\NPROTECT\00000565.CAB[eied_s7_c_80.exe]
Virus:Trj/Downloader.WT No disinfected C:\RECYCLED\NPROTECT\00000565.CAB[eied.inf]
Virus:Trj/Downloader.WT Disinfected C:\Program Files\HijackThis\backups\backup-20050323-003106-944.inf
Virus:Trj/Downloader.WT Disinfected C:\Program Files\HijackThis\backups\backup-20050323-003106-606.inf



HIGHJACK THIS LOG (FROM SAFE MODE)
Here's what came up in my HighJack This log, from safe mode, performed after I had done everything above.

Logfile of HijackThis v1.99.1
Scan saved at 5:07:42 PM, on 4/3/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\HIJACKTHIS\HIJACKTHIS.EXE

O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O2 - BHO: BrowserHelper Class - {EBCDDA60-2A68-11D3-8A43-0060083CFB9C} - C:\WINDOWS\SYSTEM\NZDD.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [TCASUTIEXE] TCAUDIAG.EXE -off
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\NORTON~4\VPTRAY.EXE
O4 - HKLM\..\Run: [NPROTECT] C:\Program Files\Norton Utilities\NPROTECT.EXE
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [ShowIcon_PNY_PNY Attaché] "C:\Program Files\PNY Attaché\shwicon.exe" -t"PNY\PNY Attaché"
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [rtvscn95] C:\PROGRA~1\NORTON~4\RTVSCN95.EXE
O4 - HKLM\..\RunServices: [defwatch] C:\PROGRA~1\NORTON~4\DEFWATCH.EXE
O4 - HKLM\..\RunServices: [Intel PDS] c:\windows\system\cba\pds.exe
O4 - HKLM\..\RunServices: [Intel File Transfer] c:\windows\system\cba\xfr.exe
O4 - HKLM\..\RunServices: [TMA Distribution] c:\windows\system\cba\lcfinst.exe
O4 - HKLM\..\RunServices: [NPROTECT] C:\Program Files\Norton Utilities\NPROTECT.EXE
O4 - HKCU\..\Run: [MsnMsgr] "c:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [E6TaskPanel] "C:\PROGRAM FILES\EARTHLINK TOTALACCESS\TASKPANL.EXE" -noauth
O4 - HKCU\..\RunServices: [MsnMsgr] "c:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\RunServices: [E6TaskPanel] "C:\PROGRAM FILES\EARTHLINK TOTALACCESS\TASKPANL.EXE" -noauth
O4 - HKCU\..\RunOnce: [CleanUp!] C:\PROGRAM FILES\CLEANUP!\CLEANUP.exe /WindowsRestart
O4 - HKCU\..\RunServicesOnce: [CleanUp!] C:\PROGRAM FILES\CLEANUP!\CLEANUP.exe /WindowsRestart
O4 - Startup: Norton System Doctor.lnk = C:\Program Files\Norton Utilities\SYSDOC32.EXE
O4 - Startup: IomegaWare.lnk = C:\Program Files\Iomega\IomegaWare\Commander.exe
O4 - Startup: Iomega QuikSync.lnk = C:\Program Files\Iomega\QuikSync\QuikSync.exe
O4 - Startup: Iomega Icons.lnk = C:\Program Files\Iomega\Tools\imgicon.exe
O4 - Startup: Iomega Startup Options.lnk = C:\Program Files\Iomega\Tools\imgstart.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: RealDownload.lnk = C:\Program Files\Real\RealDownload\REALDOWNLOAD.EXE
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.24.14...tiveXImgCtl.CAB
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
  • 0

#8
clintbrass
Posted 03 April 2005 - 08:19 PM

clintbrass

    Member

  • Topic Starter
  • Member
  • PipPip
  • 12 posts
Hi,
Drat, I've limited my browsing to just news sites, but the hijacker that was sending me to

h**p://66.230.167.104/sout.php?fc=64

has shown its face again. Apparently nothing I've done has fixed the underlying problem. Could it have to do with

O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme

or

O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme

?
  • 0

#9
clintbrass
Posted 03 April 2005 - 08:20 PM

clintbrass

    Member

  • Topic Starter
  • Member
  • PipPip
  • 12 posts
I meant for one of those two entries to be this one:

O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
  • 0

#10
don77
Posted 04 April 2005 - 08:08 PM

don77

    Malware Expert

  • Retired Staff
  • 18,526 posts
Good spot, sorry I missed this one,
O3 - Toolbar: (no name) - {82599E0A-8C81-11d7-9F97-0050FC5441CB} - C:\WINDOWS\SYSTEM\shdocvw.dll

The others you have mentioned are legit files,

Run cleanup! again this time do it in normal mode, when it ask to reboot allow it to do so,
Next clean out your Recycle Bin,

Please scan with HJT in normal mode and post back the fresh log from it please
  • 0

Advertisements

#11
clintbrass
Posted 04 April 2005 - 08:46 PM

clintbrass

    Member

  • Topic Starter
  • Member
  • PipPip
  • 12 posts
I pasted the fresh HJT log below. One other thing occurred to me that I might be important...? At one point, I think one of the programs I have said "Media Tickets" was on my machine. However, I don't recall doing anything about it, because I wasn't presented with an option to do that (sorry I don't remember more). When I went to a Googled website on that topic, it seemed to indicate that Media Tickets might not show up on HJT. The European site for Trend Micro's Housecall, the online scanner,

http://ae.trendmicro...ROJ_LOWZONES.BW

... suggested that I needed Housecall in order to get rid of Media Tickets. Unfortunately, my IE crashes when I try to use Housecall, and Mozilla Firefox (just installed last night) doesn't seem compatible with it.

All of that said, here's the new HJT, from normal mode, after CleanUp and restart. There was nothing in the Recyle Bin to get rid of.

*****

Logfile of HijackThis v1.99.1
Scan saved at 10:32:43 PM, on 4/4/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\RTVSCN95.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\DEFWATCH.EXE
C:\WINDOWS\SYSTEM\CBA\PDS.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\CBA\XFR.EXE
C:\PROGRAM FILES\NORTON UTILITIES\NPROTECT.EXE
C:\WINDOWS\SYSTEM\MSGSYS.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\VPTRAY.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\PNY ATTACHé\SHWICON.EXE
C:\PROGRAM FILES\EARTHLINK TOTALACCESS\TASKPANL.EXE
C:\PROGRAM FILES\IOMEGA\TOOLS\IMGICON.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\HIJACKTHIS\HIJACKTHIS.EXE

O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O2 - BHO: BrowserHelper Class - {EBCDDA60-2A68-11D3-8A43-0060083CFB9C} - C:\WINDOWS\SYSTEM\NZDD.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [TCASUTIEXE] TCAUDIAG.EXE -off
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\NORTON~4\VPTRAY.EXE
O4 - HKLM\..\Run: [NPROTECT] C:\Program Files\Norton Utilities\NPROTECT.EXE
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [ShowIcon_PNY_PNY Attaché] "C:\Program Files\PNY Attaché\shwicon.exe" -t"PNY\PNY Attaché"
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [rtvscn95] C:\PROGRA~1\NORTON~4\RTVSCN95.EXE
O4 - HKLM\..\RunServices: [defwatch] C:\PROGRA~1\NORTON~4\DEFWATCH.EXE
O4 - HKLM\..\RunServices: [Intel PDS] c:\windows\system\cba\pds.exe
O4 - HKLM\..\RunServices: [Intel File Transfer] c:\windows\system\cba\xfr.exe
O4 - HKLM\..\RunServices: [TMA Distribution] c:\windows\system\cba\lcfinst.exe
O4 - HKLM\..\RunServices: [NPROTECT] C:\Program Files\Norton Utilities\NPROTECT.EXE
O4 - HKCU\..\Run: [MsnMsgr] "c:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [E6TaskPanel] "C:\PROGRAM FILES\EARTHLINK TOTALACCESS\TASKPANL.EXE" -noauth
O4 - Startup: Norton System Doctor.lnk = C:\Program Files\Norton Utilities\SYSDOC32.EXE
O4 - Startup: IomegaWare.lnk = C:\Program Files\Iomega\IomegaWare\Commander.exe
O4 - Startup: Iomega QuikSync.lnk = C:\Program Files\Iomega\QuikSync\QuikSync.exe
O4 - Startup: Iomega Icons.lnk = C:\Program Files\Iomega\Tools\imgicon.exe
O4 - Startup: Iomega Startup Options.lnk = C:\Program Files\Iomega\Tools\imgstart.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: RealDownload.lnk = C:\Program Files\Real\RealDownload\REALDOWNLOAD.EXE
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.24.14...tiveXImgCtl.CAB
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall-bet...all/xscan60.cab
  • 0

#12
don77
Posted 05 April 2005 - 04:44 AM

don77

    Malware Expert

  • Retired Staff
  • 18,526 posts
Go to Add/Remove programs, look for "
Media Tickets"
If found please remove it,
I m not seeing it in your log, In fact your log looks clean,

Run another scan with Active scan,
Plus
Please disable your current AV
Click Here and run RAV online scan, Copy and paste back the log into this thread when it has finished,
Be sure and enable your AV when done with the above
  • 0

#13
clintbrass
Posted 05 April 2005 - 09:51 PM

clintbrass

    Member

  • Topic Starter
  • Member
  • PipPip
  • 12 posts
Ok, Media Tickets was not available in Add/Remove programs. I ran Active scan (see 1st log below); I was unable to find the WUpd file in the PC using Find Files or Folders, and the SideSearch listing gave no indication how to get rid of it, except by purchasing the commercial product. (I then disabled Norton AntiVirus and ran RAV with no results (see output below). Then I did another HJT in normal mode.


******
Active scan:
******

Incident Status Location
Adware:Adware/SideSearch No disinfected Windows Registry
Adware:Adware/WUpd No disinfected C:\RECYCLED\NPROTECT\00002692.HTM
******
RAV AntiVirus online scan ("scan my PC") results:
******

Scan started at 4/5/05 10:50:51 PM

Scanning memory...

Scanned
============================
Objects: 23084
Directories: 2146
Archives: 2010
Size(Kb): -1198065
Infected files: 0

Found
============================
Viruses found: 0
Suspicious files: 0
Disinfected files: 0
Mail files: 897




******
HJT:
******


Logfile of HijackThis v1.99.1
Scan saved at 11:45:37 PM, on 4/5/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\RTVSCN95.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\DEFWATCH.EXE
C:\WINDOWS\SYSTEM\CBA\PDS.EXE
C:\WINDOWS\SYSTEM\CBA\XFR.EXE
C:\PROGRAM FILES\NORTON UTILITIES\NPROTECT.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSGSYS.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\VPTRAY.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\PNY ATTACHé\SHWICON.EXE
C:\PROGRAM FILES\EARTHLINK TOTALACCESS\TASKPANL.EXE
C:\PROGRAM FILES\NORTON UTILITIES\SYSDOC32.EXE
C:\PROGRAM FILES\IOMEGA\TOOLS\IMGICON.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\OUTLOOK.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\GETRIGHT\GETRIGHT.EXE
C:\PROGRAM FILES\HIJACKTHIS\HIJACKTHIS.EXE

O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O2 - BHO: BrowserHelper Class - {EBCDDA60-2A68-11D3-8A43-0060083CFB9C} - C:\WINDOWS\SYSTEM\NZDD.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [TCASUTIEXE] TCAUDIAG.EXE -off
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\NORTON~4\VPTRAY.EXE
O4 - HKLM\..\Run: [NPROTECT] C:\Program Files\Norton Utilities\NPROTECT.EXE
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [ShowIcon_PNY_PNY Attaché] "C:\Program Files\PNY Attaché\shwicon.exe" -t"PNY\PNY Attaché"
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [rtvscn95] C:\PROGRA~1\NORTON~4\RTVSCN95.EXE
O4 - HKLM\..\RunServices: [defwatch] C:\PROGRA~1\NORTON~4\DEFWATCH.EXE
O4 - HKLM\..\RunServices: [Intel PDS] c:\windows\system\cba\pds.exe
O4 - HKLM\..\RunServices: [Intel File Transfer] c:\windows\system\cba\xfr.exe
O4 - HKLM\..\RunServices: [TMA Distribution] c:\windows\system\cba\lcfinst.exe
O4 - HKLM\..\RunServices: [NPROTECT] C:\Program Files\Norton Utilities\NPROTECT.EXE
O4 - HKCU\..\Run: [MsnMsgr] "c:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [E6TaskPanel] "C:\PROGRAM FILES\EARTHLINK TOTALACCESS\TASKPANL.EXE" -noauth
O4 - HKCU\..\RunServices: [MsnMsgr] "c:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\RunServices: [E6TaskPanel] "C:\PROGRAM FILES\EARTHLINK TOTALACCESS\TASKPANL.EXE" -noauth
O4 - Startup: Norton System Doctor.lnk = C:\Program Files\Norton Utilities\SYSDOC32.EXE
O4 - Startup: IomegaWare.lnk = C:\Program Files\Iomega\IomegaWare\Commander.exe
O4 - Startup: Iomega QuikSync.lnk = C:\Program Files\Iomega\QuikSync\QuikSync.exe
O4 - Startup: Iomega Icons.lnk = C:\Program Files\Iomega\Tools\imgicon.exe
O4 - Startup: Iomega Startup Options.lnk = C:\Program Files\Iomega\Tools\imgstart.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: RealDownload.lnk = C:\Program Files\Real\RealDownload\REALDOWNLOAD.EXE
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.24.14...tiveXImgCtl.CAB
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall-bet...all/xscan60.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivi...n/ravonline.cab
  • 0

#14
clintbrass
Posted 05 April 2005 - 10:49 PM

clintbrass

    Member

  • Topic Starter
  • Member
  • PipPip
  • 12 posts
Do you suppose the hypotheses in this thread...

http://castlecops.com/postt113999.html

... might have anything to do with my situation? I noticed two similarities: the inability to get SpywareBlaster functioning, and the fact that I was infected with se.dll at one point. The problem in that thread looks very complicated, and I'm hesistant to do anything like it without direction from someone who knows what he or she is doing.
  • 0

#15
don77
Posted 06 April 2005 - 05:29 AM

don77

    Malware Expert

  • Retired Staff
  • 18,526 posts
Hi Clint,
Download SpSeHjfix into a folder. Disconnect from the net and Close ALL OPEN PROGRAMS. Run 'SpSeHjfix' and click on "Start Disinfection". When it's finished it will reboot your machine to finish the cleaning process. The tool creates a log of the fix which will appear in the folder.

Reboot and post a fresh HJT log and the log that was created by 'SpSeHjfix'.

Give spywareBlaster another shot after you run the above,
Let us know how you make out,
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Forum
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP