Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

toolbar (TBS) probably wintools too


  • This topic is locked This topic is locked

#1
jtownvideo

jtownvideo

    New Member

  • Member
  • Pip
  • 4 posts
hi there. trying to fix up my windows 98 laptop (toolbar, and i think wintoolsa). it just loves to house malware at every opportunity. i've switched to mozilla browsing in stead of IE. and of course downloaded the suite of software suggested by the staff.

any more tricks i can try?

also, wanna see my log?

Logfile of HijackThis v1.99.1
Scan saved at 5:52:17 PM, on 3/15/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\PROGRAM FILES\POWERPANEL\BAYSWAP\BAYSWAP.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\COMMON FILES\WINTOOLS\WTOOLSA.EXE
C:\PROGRAM FILES\COMMON FILES\WINTOOLS\WSUP.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\PELMICED.EXE
C:\PROGRAM FILES\SONY\SMART LABEL\SSLOSERV.EXE
C:\WINDOWS\TPPALDR.EXE
C:\PROGRAM FILES\WINAMP\WINAMPA.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\PROGRAM FILES\VIEWPOINT\VIEWPOINT MANAGER\VIEWMGR.EXE
C:\PROGRAM FILES\HP\HPCORETECH\HPCMPMGR.EXE
C:\WINDOWS\SYSTEM\HPZTSB10.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\HP SOFTWARE UPDATE\HPWUSCHD2.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\PROGRAM FILES\SPYBOT - SEARCH & DESTROY\TEATIMER.EXE
C:\PROGRAM FILES\BATTERYSCOPE\BATMGR.EXE
C:\PROGRAM FILES\POWERPANEL\PROGRAM\PCFMGR.EXE
C:\PROGRAM FILES\SONY HANDHELD\HOTSYNC.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\TOOLBAR\TBPS.EXE
C:\PROGRAM FILES\TOOLBAR\PIB.EXE
C:\PROGRAM FILES\MOZILLA FIREFOX\FIREFOX.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.websearch...spx?tb_id=50029
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch...spx?tb_id=50029
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = res://C:\PROGRA~1\TOOLBAR\TOOLBAR.DLL/sa
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.websearch...spx?tb_id=50029
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = res://C:\PROGRA~1\TOOLBAR\TOOLBAR.DLL/sa
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - C:\PROGRA~1\TOOLBAR\TOOLBAR.DLL
O2 - BHO: (no name) - {8DA5457F-A8AA-4CCF-A842-70E6FD274094} - C:\PROGRA~1\COMMON~1\WINTOOLS\WTOOLST.DLL (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O2 - BHO: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - C:\PROGRA~1\TOOLBAR\TOOLBAR.DLL
O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WINTOOLS\WTOOLSB.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\PROGRAM FILES\VIEWPOINT\VIEWPOINT TOOLBAR\VIEWBAR.DLL
O3 - Toolbar: &Search Toolbar - {339BB23F-A864-48C0-A59F-29EA915965EC} - C:\PROGRA~1\TOOLBAR\TOOLBAR.DLL
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] PELMICED.EXE
O4 - HKLM\..\Run: [Smart Label OServer] C:\PROGRAM FILES\SONY\SMART LABEL\SSLOSERV.EXE
O4 - HKLM\..\Run: [TPP Auto Loader] C:\WINDOWS\TPPALDR.EXE
O4 - HKLM\..\Run: [WinampAgent] "C:\PROGRAM FILES\WINAMP\WINAMPa.exe"
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\PROGRAM FILES\HP\HPCORETECH\HPCMPMGR.EXE"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\SYSTEM\hpztsb10.exe
O4 - HKLM\..\Run: [HP Software Update] "c:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\Run: [TBPS] C:\PROGRA~1\TOOLBAR\TBPS.exe
O4 - HKLM\..\Run: [WinTools] C:\PROGRA~1\COMMON~1\WINTOOLS\WTOOLSA.EXE
O4 - HKLM\..\RunServices: [BaySwap] C:\Program Files\PowerPanel\BaySwap\BaySwap.exe
O4 - HKLM\..\RunServices: [Win32DLL] C:\WINDOWS\Win32DLL.vbs
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] c:\windows\SYSTEM\mstask.exe
O4 - HKLM\..\RunServices: [WinTools] C:\PROGRA~1\COMMON~1\WINTOOLS\WTOOLSA.EXE
O4 - HKLM\..\RunServicesOnce: [TBPS] C:\PROGRA~1\TOOLBAR\TBPS.exe /boot
O4 - HKLM\..\RunServicesOnce: [WinTools] C:\PROGRA~1\COMMON~1\WINTOOLS\WTOOLSA.EXE /boot
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\RunServices: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: BatteryScope.lnk = C:\Program Files\BatteryScope\Batmgr.exe
O4 - Startup: PowerPanel.lnk = C:\Program Files\PowerPanel\Program\PcfMgr.exe
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Sony Handheld\HOTSYNC.EXE
O8 - Extra context menu item: &Viewpoint Search - res://C:\PROGRAM FILES\VIEWPOINT\VIEWPOINT TOOLBAR\VIEWBAR.DLL/CXTSEARCH.HTML
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\AIM\AIM.EXE
O9 - Extra button: (no name) - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - (no file) (HKCU)
O12 - Plugin for .rm: C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\PLUGINS\nppl3260.dll
O16 - DPF: {072D3F2E-5FB6-11D3-B461-00C04FA35A21} (CFForm Runtime) - http://studiesabroad...sses/CFJava.cab
O16 - DPF: {FDDCE9FE-1FC6-413C-80B1-37B101FDA1D4} (ShellInstaller Control) - http://download.budd...allerRaptor.cab
O16 - DPF: {B2FCED61-570E-11D3-B160-00A0C9E70E84} (OmniForm Form Control) - https://www4.lsac.or...iveX/ofmctl.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://camera.midtow...sCamControl.ocx
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O18 - Protocol: tpro - {FF76A5DA-6158-4439-99FF-EDC1B3FE100C} - C:\PROGRA~1\TOOLBAR\TOOLBAR.DLL



hey, thanks for having a look. let me know which are safe to remove.

jesse
  • 0

Advertisements


#2
Daemon

Daemon

    Security Expert

  • Retired Staff
  • 4,356 posts
  • MVP
First of all, open Spybot S&D, click Mode>Advanced>Tools>Resident and remove the check from the Tea Timer box. You can reinstate it later but we don't want it interfering with what we need to do. Reboot when done.

Click here to download Ad-Aware SE and install. Before scanning click on "check for updates now" to make sure you have the latest reference file. Click "Start", select "Perform Full System scan" and "Next" to start the scan. When the scan is finished, the screen will tell you if anything has been found, click "Next". The bad files will be listed, right click the pane and click "Select all objects" - this will put a check mark in the box at the side, click "Next" again and click "OK" at the prompt "# objects will be removed. Continue?".

Reboot when done. Rescan with HJT and post a new log here so that any remnants can be removed manually.
  • 0

#3
jtownvideo

jtownvideo

    New Member

  • Topic Starter
  • Member
  • Pip
  • 4 posts
hello again. believe it or not this is how long it took me to accomplish the short list of tasks you assigned.Logfile of HijackThis v1.99.1
Scan saved at 7:01:32 PM, on 3/15/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\PROGRAM FILES\POWERPANEL\BAYSWAP\BAYSWAP.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\TOOLBAR\TBPS.EXE
C:\PROGRAM FILES\TOOLBAR\PIB.EXE
C:\PROGRAM FILES\COMMON FILES\WINTOOLS\WSUP.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\PELMICED.EXE
C:\PROGRAM FILES\SONY\SMART LABEL\SSLOSERV.EXE
C:\WINDOWS\TPPALDR.EXE
C:\PROGRAM FILES\WINAMP\WINAMPA.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\PROGRAM FILES\VIEWPOINT\VIEWPOINT MANAGER\VIEWMGR.EXE
C:\PROGRAM FILES\HP\HPCORETECH\HPCMPMGR.EXE
C:\WINDOWS\SYSTEM\HPZTSB10.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\HP SOFTWARE UPDATE\HPWUSCHD2.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\PROGRAM FILES\BATTERYSCOPE\BATMGR.EXE
C:\PROGRAM FILES\POWERPANEL\PROGRAM\PCFMGR.EXE
C:\PROGRAM FILES\SONY HANDHELD\HOTSYNC.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = res://C:\PROGRA~1\TOOLBAR\TOOLBAR.DLL/sa
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = res://C:\PROGRA~1\TOOLBAR\TOOLBAR.DLL/sa
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {8DA5457F-A8AA-4CCF-A842-70E6FD274094} - C:\PROGRA~1\COMMON~1\WINTOOLS\WTOOLST.DLL (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\PROGRAM FILES\VIEWPOINT\VIEWPOINT TOOLBAR\VIEWBAR.DLL
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] PELMICED.EXE
O4 - HKLM\..\Run: [Smart Label OServer] C:\PROGRAM FILES\SONY\SMART LABEL\SSLOSERV.EXE
O4 - HKLM\..\Run: [TPP Auto Loader] C:\WINDOWS\TPPALDR.EXE
O4 - HKLM\..\Run: [WinampAgent] "C:\PROGRAM FILES\WINAMP\WINAMPa.exe"
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\PROGRAM FILES\HP\HPCORETECH\HPCMPMGR.EXE"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\SYSTEM\hpztsb10.exe
O4 - HKLM\..\Run: [HP Software Update] "c:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\Run: [TBPS] C:\PROGRAM FILES\TOOLBAR\TBPS.exe
O4 - HKLM\..\RunServices: [BaySwap] C:\Program Files\PowerPanel\BaySwap\BaySwap.exe
O4 - HKLM\..\RunServices: [Win32DLL] C:\WINDOWS\Win32DLL.vbs
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] c:\windows\SYSTEM\mstask.exe
O4 - HKLM\..\RunServices: [WinTools] C:\PROGRA~1\COMMON~1\WINTOOLS\WTOOLSA.EXE
O4 - HKLM\..\RunServicesOnce: [TBPS] C:\PROGRAM FILES\TOOLBAR\TBPS.exe /boot
O4 - HKLM\..\RunServicesOnce: [WinTools] C:\PROGRA~1\COMMON~1\WINTOOLS\WTOOLSA.EXE /boot
O4 - Startup: BatteryScope.lnk = C:\Program Files\BatteryScope\Batmgr.exe
O4 - Startup: PowerPanel.lnk = C:\Program Files\PowerPanel\Program\PcfMgr.exe
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Sony Handheld\HOTSYNC.EXE
O8 - Extra context menu item: &Viewpoint Search - res://C:\PROGRAM FILES\VIEWPOINT\VIEWPOINT TOOLBAR\VIEWBAR.DLL/CXTSEARCH.HTML
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\AIM\AIM.EXE
O9 - Extra button: (no name) - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - (no file) (HKCU)
O12 - Plugin for .rm: C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\PLUGINS\nppl3260.dll
O16 - DPF: {072D3F2E-5FB6-11D3-B461-00C04FA35A21} (CFForm Runtime) - http://studiesabroad...sses/CFJava.cab
O16 - DPF: {FDDCE9FE-1FC6-413C-80B1-37B101FDA1D4} (ShellInstaller Control) - http://download.budd...allerRaptor.cab
O16 - DPF: {B2FCED61-570E-11D3-B160-00A0C9E70E84} (OmniForm Form Control) - https://www4.lsac.or...iveX/ofmctl.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://camera.midtow...sCamControl.ocx
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab



thanks again for looking, and for responding so fast.

jesse
when i scan with adaware, it always gives me a list of items that can't be removed, asks me to scan on restart, and even after scanning on restarting lists some items that couldn't be removed.

without further ado:
  • 0

#4
Daemon

Daemon

    Security Expert

  • Retired Staff
  • 4,356 posts
  • MVP
Create a new folder called C:\HijackThis, move the HijackThis.exe file into the new folder and run it from there. This is necessary to ensure you have backups should anything go wrong.

Reboot into Safe Mode by tapping F8 after the BIOS has loaded.

Open HijackThis, scan and when complete, remove the following entries by checking the box to the left and clicking 'fixed checked':

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = res://C:\PROGRA~1\TOOLBAR\TOOLBAR.DLL/sa
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = res://C:\PROGRA~1\TOOLBAR\TOOLBAR.DLL/sa
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {8DA5457F-A8AA-4CCF-A842-70E6FD274094} - C:\PROGRA~1\COMMON~1\WINTOOLS\WTOOLST.DLL (file missing)
O4 - HKLM\..\Run: [TBPS] C:\PROGRAM FILES\TOOLBAR\TBPS.exe
O4 - HKLM\..\RunServices: [Win32DLL] C:\WINDOWS\Win32DLL.vbs
O4 - HKLM\..\RunServices: [WinTools] C:\PROGRA~1\COMMON~1\WINTOOLS\WTOOLSA.EXE
O4 - HKLM\..\RunServicesOnce: [TBPS] C:\PROGRAM FILES\TOOLBAR\TBPS.exe /boot
O4 - HKLM\..\RunServicesOnce: [WinTools] C:\PROGRA~1\COMMON~1\WINTOOLS\WTOOLSA.EXE /boot
O16 - DPF: {FDDCE9FE-1FC6-413C-80B1-37B101FDA1D4} (ShellInstaller Control) - http://download.budd...allerRaptor.cab


Exit HijackThis when done. Using Windows Explorer, find and delete the following:

C:\PROGRAM FILES\TOOLBAR\ <-- folder
C:\WINDOWS\Win32DLL.vbs
C:\PROGRAM FILES\COMMON FILES\WINTOOLS\ <--folder

Exit Explorer and reboot into Normal Mode. Rescan with HijackThis and post a new log here.

Edited by Daemon, 16 March 2005 - 01:18 AM.

  • 0

#5
jtownvideo

jtownvideo

    New Member

  • Topic Starter
  • Member
  • Pip
  • 4 posts
hello again.

made the new folder, rebooted to safe mode, but in the scan did not fine:
04-HKLM\...........COMMON~1 (the last of the 04 lines)
or
C:\Windows\win32dll.vbs (tried showing all files, even tried a dos del but "no file found")


i don't know if that is relevant.

here is the new log:

Logfile of HijackThis v1.99.1
Scan saved at 11:13:19 PM, on 3/16/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\PROGRAM FILES\POWERPANEL\BAYSWAP\BAYSWAP.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\PELMICED.EXE
C:\PROGRAM FILES\SONY\SMART LABEL\SSLOSERV.EXE
C:\WINDOWS\TPPALDR.EXE
C:\PROGRAM FILES\WINAMP\WINAMPA.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\PROGRAM FILES\VIEWPOINT\VIEWPOINT MANAGER\VIEWMGR.EXE
C:\PROGRAM FILES\HP\HPCORETECH\HPCMPMGR.EXE
C:\WINDOWS\SYSTEM\HPZTSB10.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\HP SOFTWARE UPDATE\HPWUSCHD2.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\PROGRAM FILES\BATTERYSCOPE\BATMGR.EXE
C:\PROGRAM FILES\POWERPANEL\PROGRAM\PCFMGR.EXE
C:\PROGRAM FILES\SONY HANDHELD\HOTSYNC.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\HIGHJACKTHIS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.google.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\PROGRAM FILES\VIEWPOINT\VIEWPOINT TOOLBAR\VIEWBAR.DLL
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] PELMICED.EXE
O4 - HKLM\..\Run: [Smart Label OServer] C:\PROGRAM FILES\SONY\SMART LABEL\SSLOSERV.EXE
O4 - HKLM\..\Run: [TPP Auto Loader] C:\WINDOWS\TPPALDR.EXE
O4 - HKLM\..\Run: [WinampAgent] "C:\PROGRAM FILES\WINAMP\WINAMPa.exe"
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\PROGRAM FILES\HP\HPCORETECH\HPCMPMGR.EXE"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\SYSTEM\hpztsb10.exe
O4 - HKLM\..\Run: [HP Software Update] "c:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\RunServices: [BaySwap] C:\Program Files\PowerPanel\BaySwap\BaySwap.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] c:\windows\SYSTEM\mstask.exe
O4 - Startup: BatteryScope.lnk = C:\Program Files\BatteryScope\Batmgr.exe
O4 - Startup: PowerPanel.lnk = C:\Program Files\PowerPanel\Program\PcfMgr.exe
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Sony Handheld\HOTSYNC.EXE
O8 - Extra context menu item: &Viewpoint Search - res://C:\PROGRAM FILES\VIEWPOINT\VIEWPOINT TOOLBAR\VIEWBAR.DLL/CXTSEARCH.HTML
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\AIM\AIM.EXE
O9 - Extra button: (no name) - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - (no file) (HKCU)
O12 - Plugin for .rm: C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\PLUGINS\nppl3260.dll
O16 - DPF: {072D3F2E-5FB6-11D3-B461-00C04FA35A21} (CFForm Runtime) - http://studiesabroad...sses/CFJava.cab
O16 - DPF: {B2FCED61-570E-11D3-B160-00A0C9E70E84} (OmniForm Form Control) - https://www4.lsac.or...iveX/ofmctl.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://camera.midtow...sCamControl.ocx
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab



thanks for your conitnued support.
jesse
  • 0

#6
Daemon

Daemon

    Security Expert

  • Retired Staff
  • 4,356 posts
  • MVP
Looks like you got it all anyway - how is it running now?
  • 0

#7
jtownvideo

jtownvideo

    New Member

  • Topic Starter
  • Member
  • Pip
  • 4 posts
seems to be running fine, thanks.

i don't like those lines about the viewpoint toolbar though... can i kill them?


Jesse
  • 0

#8
Daemon

Daemon

    Security Expert

  • Retired Staff
  • 4,356 posts
  • MVP
You're welcome - glad to help :tazz: You can disable it if you prefer, see here:

http://computercops....plist-4102.html

To help keep you clean follow the recommendations in Tony's article here:

So how did I get infected in the first place?


As this problem has been resolved the topic will be closed. If you need this topic reopened, please contact a member of staff here.

Edited by Daemon, 17 March 2005 - 02:31 PM.

  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP