Hi Usetobe
First of all, sorry I keep replying so slowly.. I only get an hour or two on my PC before going to work, so I'm trying to carry out instructions asap. Thanks for your help!!
I have gone through all your instructions now (managed to unzip with my 98SE at last.. can I upgrade to XP or would it require too much memory?)
Problems are as follows:
1) Still have the blue desktop with Trojan-HTML.Smitfraud.c
2) Still have problems shutting down and re-booting - it always tries to open an Internet connection after I have told it to Shut Down. Sometimes it just has the screen 'Windows is shutting down' and would stay like that all day.. have to shut down manually.
3) If my USB is connected to my Neuf Telecom box (ISP running ADSL through phone line) then it does something different when I start up. Instead of saying the usual Logon to Windows.. what is your password? It says Logon to Microsoft Networking.. what is your password? I put the same one, but I'm not sure if I should?
4) USB to Neuf box also appeared to affect Safe Mode.. I couldn't run it while it was connected (the F8 button just beeped at me when I pressed it continuously)
5) Safe Mode sometimes froze, mouse wouldn't move.. had to shut down manually.
6) When I hover over some things, it seems to click them for me? Opens folders, shuts folders etc.
7) When I did the HJT log in Safe Mode, it didn't give me the R1 - HKCU\Software files... so I couldn't delete them... but they appeared when I did the HJT scan in normal mode just now, as you can see below. I did manage to check and delete three of the entries.
Anyway, here is the latest HJT log:
Logfile of HijackThis v1.99.1
Scan saved at 12:41:20, on 23/05/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\COMMON FILES\SOFTWIN\BITDEFENDER COMMUNICATOR\XCOMMSVR.EXE
C:\PROGRAM FILES\COMMON FILES\SOFTWIN\BITDEFENDER SCAN SERVER\BDSS.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPLPR.EXE
C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPENH.EXE
C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\CPQEADM.EXE
C:\COMPAQ\CPQINET\CPQINET.EXE
C:\PROGRAM FILES\FRIENDLY TECHNOLOGIES\BROADBANDACCESS\FTS.EXE
C:\PROGRAM FILES\SOFTWIN\BITDEFENDER8\BDMCON.EXE
C:\PROGRAM FILES\SOFTWIN\BITDEFENDER8\VSSERV.EXE
C:\PROGRAM FILES\SOFTWIN\BITDEFENDER8\BDOESRV.EXE
C:\PROGRAM FILES\SOFTWIN\BITDEFENDER8\BDNAGENT.EXE
C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\WORKS SHARED\WKCALREM.EXE
C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\BTTNSERV.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\EAUSBKBD.EXE
C:\HJT\HIJACKTHIS.EXE
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.neuf.fr
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/spage.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\Compaq\Easy Access Button Support\cpqeadm.exe
O4 - HKLM\..\Run: [EACLEAN] C:\Program Files\Compaq\Easy Access Button Support\eaclean.exe
O4 - HKLM\..\Run: [CPQInet] c:\compaq\CPQInet\CpqInet.exe
O4 - HKLM\..\Run: [%FP%Friendly fts.exe] "C:\Program Files\Friendly Technologies\BroadbandAccess\fts.exe"
O4 - HKLM\..\Run: [BDMCon] C:\PROGRA~1\SOFTWIN\BITDEF~1\BDMCON.EXE
O4 - HKLM\..\Run: [BitDefender Virus Shield] C:\Program Files\Softwin\BitDefender8\\vsserv.exe
O4 - HKLM\..\Run: [BDOESRV] C:\Program Files\Softwin\BitDefender8\\bdoesrv.exe
O4 - HKLM\..\Run: [BDNewsAgent] C:\PROGRAM FILES\SOFTWIN\BITDEFENDER8\bdnagent.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [BitDefender Communicator] C:\Program Files\Common Files\Softwin\BitDefender Communicator\\xcommsvr.exe
O4 - HKLM\..\RunServices: [BitDefender Scan Server] C:\Program Files\Common Files\Softwin\BitDefender Scan Server\\bdss.exe
O4 - HKLM\..\RunServices: [BitDefender Live! Init] C:\Program Files\Softwin\BitDefender8\\bdinit.exe
O4 - Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O4 - Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcaf...482/mcfscan.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
I have attached the SpSeHjfix log you asked for (I can't seem to open it to cut and paste here... so I have sent as an attachment).
Also, here is the BitDefender scan log that I sent yesterday:
//-----------------------------------------------------------------
//
// Product: BitDefender 8 Professional Plus
// Version: 8.0
//
// Created on: 22/05/2005 11:46:12
//
//-----------------------------------------------------------------
Statistics
Scan path : C:\
D:\
E:\
Folders : 1140
Files : 111708
Archives : 979
Packed files : 23576
Identified viruses : 3
Infected files : 3
Warnings : 0
Suspect files : 2
Disinfected files : 0
Deleted files : 0
Copied files : 0
Moved files : 4
Renamed files : 0
I/O errors : 4
Scan time : 00:56:49
Scan speed (files/sec) : 32
Virus definitions : 166058
Scan plugins : 13
Archive plugins : 38
Unpack plugins : 4
Mail plugins : 6
System plugins : 1
Scan options
Detection
[X] Scan boot sectors
[X] Scan archives
[X] Scan packed files
[X] Scan email
File mask
[ ] Programs
[X] All files
[ ] User defined extensions:
[ ] Exclude extensions: ;
Action
Infected objects
[ ] Ignore
[X] Disinfect
[ ] Delete
[ ] Copy to quarantine
[ ] Move to quarantine
[ ] Rename
[ ] Prompt user
Second action
[ ] Ignore
[ ] Delete
[ ] Copy to quarantine
[X] Move to quarantine
[ ] Rename
[ ] Prompt user
Scan options
[X] Enable warnings
[X] Enable heuristics
[ ] Show all files in log
[X] Report file: vscan.log
[ ] Append to existing report
Summary:
C:\WINDOWS\SYSTEM\gclib.exe Suspect BehavesLike:Trojan.LowZones
C:\WINDOWS\SYSTEM\gclib.exe Disinfection failed
C:\WINDOWS\SYSTEM\gclib.exe Moved
C:\WINDOWS\TEMP\se.dll Infected Trojan.StartPage.BA
C:\WINDOWS\TEMP\se.dll Disinfection failed
C:\WINDOWS\TEMP\se.dll Moved
C:\WINDOWS\Temporary Internet Files\Content.IE5\KRARGPWL\eied_s7[1].chm=>/eied_s7.htm Infected Exploit.ADODB.Stream.Gen
C:\WINDOWS\Temporary Internet Files\Content.IE5\KRARGPWL\eied_s7[1].chm=>/eied_s7.htm Disinfection failed
C:\WINDOWS\Temporary Internet Files\Content.IE5\KRARGPWL\eied_s7[1].chm=>/eied_s7.htm Move failed
C:\WINDOWS\r0faxcip.ini Infected Trojan.Agent.DM
C:\WINDOWS\r0faxcip.ini Disinfection failed
C:\WINDOWS\r0faxcip.ini Moved
C:\web.exe Suspect BehavesLike:Trojan.LowZones
C:\web.exe Disinfection failed
C:\web.exe Moved
OK. I think that is all I can do for now!!! Thank you once again for all your help.
Tom