[Bojangles01]

Gday. Like a few people here i got a nice dose of the Trojan_SpyHTMLsmithfraudc thing. I found this http://www.geekstogo...udc-t17872.html thru a google search and i followed the instructions but i then realised that it's probably different for each computer... Anyway, i did it and it helped slightly but i know the parasites are still in my pc...

Some help would be greatly appreciated. Im sure that CWS is in there aswell, although CWShredder cant seem to nab it.

Here is my HiJackThis logfile.

Logfile of HijackThis v1.99.1
Scan saved at 03:53:48 PM, on 12/05/2005
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\ACCSTAT.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\PROGRAM FILES\COMMON FILES\PCSUITE\DATALAYER\DATALAYER.EXE
C:\PROGRAM FILES\COMMON FILES\NOKIA\TOOLS\NCLTRAY.EXE
C:\WINDOWS\SEEVE.EXE
C:\WINDOWS\SYSTEM\NSVSVC\NSVSVC.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\RunDLL.exe
C:\PROGRAM FILES\SPYBOT - SEARCH & DESTROY\TEATIMER.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\MY DOCUMENTS\INSTALLATION STUFF\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/spage.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/spage.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - (no file)
O2 - BHO: (no name) - {daa873d4-958c-453c-81ca-3fe6f3676a87} - C:\WINDOWS\SYSTEM\guaa.dll
O2 - BHO: (no name) - {C528C1BD-C28D-11D9-9B2D-0048A3F56EEB} - C:\WINDOWS\SYSTEM\OOAL.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\SYSTEM\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\SYSTEM\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [DataLayer] C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe
O4 - HKLM\..\Run: [Nokia Tray Application] C:\Program Files\Common Files\Nokia\Tools\NclTray.exe
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [seeve] C:\WINDOWS\SEEVE.exe
O4 - HKLM\..\Run: [Nsv] C:\WINDOWS\SYSTEM\nsvsvc\nsvsvc.exe
O4 - HKLM\..\Run: [sp] rundll32 C:\WINDOWS\TEMP\SE.DLL,DllInstall
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [WinTools] C:\PROGRA~1\COMMON~1\WINTOOLS\WTOOLSA.EXE
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE" /background
O4 - HKCU\..\RunServices: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - HKCU\..\RunServices: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\RunServices: [msnmsgr] "C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE" /background
O4 - Startup: MyWebSearch Email Plugin.lnk = C:\WINDOWS\ARP.EXE
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O15 - Trusted Zone: *.media-motor.net
O15 - Trusted Zone: *.popuppers.com
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O18 - Filter: text/html - {C528C19B-C28D-11D9-9B2D-0048BB8B621C} - C:\WINDOWS\SYSTEM\OOAL.DLL
O18 - Filter: text/plain - {C528C19B-C28D-11D9-9B2D-0048BB8B621C} - C:\WINDOWS\SYSTEM\OOAL.DLL

[Advertisements]

Please run this online virus scan:
ActiveScan

Save the results from ActiveScan.

Then, Download BOTH of these programs:
-StartDreck
-Win98.fix

First do this:
Go to start/run/type:
msinfo32
*Expand: "Software Environment"
*Expand: "System hooks"
File may be listed As:

-Hook type: Window Procedure
-Hooked by: XXXXX.dll
-Application: RUNDLL32.EXE
-Dll path: C:\WINDOWS\SYSTEM\XXXXX.dll
-Application path: C:\WINDOWS\RUNDLL32.EXE

Where XXXXX..dll is the file name.

If So hilite And use edit>copy and post here

Then, Unzip and run StartDreck.exe
Hit: -config
hit: -Unmark all
Check these boxes only:
*Registry->run keys
*Registry->Browser helper objects
*System/drivers> Running processes
hit >ok.

Use the "save" tab, to save, name and post the log!

Post the activescan log as well as a new HiJackThis log.

Edited by bananafanafo, 12 May 2005 - 12:22 AM.

[Michelle]

Please run this online virus scan:
ActiveScan

Save the results from ActiveScan.

Then, Download BOTH of these programs:
-StartDreck
-Win98.fix

First do this:
Go to start/run/type:
msinfo32
*Expand: "Software Environment"
*Expand: "System hooks"
File may be listed As:

-Hook type: Window Procedure
-Hooked by: XXXXX.dll
-Application: RUNDLL32.EXE
-Dll path: C:\WINDOWS\SYSTEM\XXXXX.dll
-Application path: C:\WINDOWS\RUNDLL32.EXE

Where XXXXX..dll is the file name.

If So hilite And use edit>copy and post here

Then, Unzip and run StartDreck.exe
Hit: -config
hit: -Unmark all
Check these boxes only:
*Registry->run keys
*Registry->Browser helper objects
*System/drivers> Running processes
hit >ok.

Use the "save" tab, to save, name and post the log!

Post the activescan log as well as a new HiJackThis log.

Edited by bananafanafo, 12 May 2005 - 12:22 AM.

[Bojangles01]

-Hook type: Window Procedure
-Hooked by: XXXXX.dll
-Application: RUNDLL32.EXE
-Dll path: C:\WINDOWS\SYSTEM\XXXXX.dll
-Application path: C:\WINDOWS\RUNDLL32.EXE

Where XXXXX..dll is the file name.

If So hilite And use edit>copy and post here

I dont actually understand this part...
You want me to post the file 'XXXXX..dll' here?

[Michelle]

No worries, you can just skip that part, unless we need it later, then I'll explain Just follow the below instructions:

Please run this online virus scan:
ActiveScan

Save the results from ActiveScan.

Then, Download BOTH of these programs:
-StartDreck
-Win98.fix

Then, Unzip and run StartDreck.exe
Hit: -config
hit: -Unmark all
Check these boxes only:
*Registry->run keys
*Registry->Browser helper objects
*System/drivers> Running processes
hit >ok.

Use the "save" tab, to save, name and post the log!

Post the StartDreck log along with the results from ActiveScan.

Edited by bananafanafo, 12 May 2005 - 11:32 AM.

[Bojangles01]

Ok, here's the Active Scan Log


Incident Status Location

Adware:Adware/SearchExe No disinfected C:\WINDOWS\SYSTEM\EHANDK.DLL
Adware:Adware/PurityScan No disinfected C:\WINDOWS\SYSTEM\aupgg.exe
Adware:Adware/SearchExe No disinfected C:\WINDOWS\SYSTEM\ngjndk.dll
Adware:Adware/XPlugin No disinfected C:\WINDOWS\SYSTEM\tksrv99.exe
Adware:Adware/SAHAgent No disinfected C:\WINDOWS\SYSTEM\xmlparse.dll
Adware:Adware/SAHAgent No disinfected C:\WINDOWS\SYSTEM\xmltok.dll
Adware:Adware/DelFinMedia No disinfected C:\WINDOWS\SYSTEM\nsvsvc\nsvsvc.exe
Adware:Adware/DelFinMedia No disinfected C:\WINDOWS\SYSTEM\nsvsvc\nsvs.dll
Adware:Adware/DelFinMedia No disinfected C:\WINDOWS\SYSTEM\nsvsvc\nsv.ocx
Adware:Adware/DelFinMedia No disinfected C:\WINDOWS\SYSTEM\picsvr\picsvr.exe
Adware:Adware/IGuard No disinfected C:\WINDOWS\SYSTEM\wldr.dll
Spyware:Spyware/BetterInet No disinfected C:\WINDOWS\INF\CERES.INF
Adware:Adware/SearchExe No disinfected C:\WINDOWS\TEMP\se.dll
Adware:Adware/MyWebSearch No disinfected C:\WINDOWS\Start Menu\Programs\StartUp\MyWebSearch Email Plugin.lnk
Spyware:Spyware/YourSiteBar No disinfected C:\WINDOWS\Downloaded Program Files\CONFLICT.1\YSBactivex.dll
Spyware:Spyware/YourSiteBar No disinfected C:\WINDOWS\Downloaded Program Files\CONFLICT.1\YSBactivex.inf
Spyware:Spyware/YourSiteBar No disinfected C:\WINDOWS\Downloaded Program Files\YSBactivex.dll
Spyware:Spyware/YourSiteBar No disinfected C:\WINDOWS\Downloaded Program Files\ysbactivex.inf
Spyware:Spyware/ISTbar No disinfected C:\WINDOWS\Downloaded Program Files\CONFLICT.2\ysbactivex.dll
Adware:Adware/WinAD No disinfected C:\WINDOWS\Downloaded Program Files\MediaAccX.dll
Spyware:Spyware/Media-motor No disinfected C:\WINDOWS\Downloaded Program Files\m67m.ocx
Spyware:Spyware/Media-motor No disinfected C:\WINDOWS\Downloaded Program Files\m67m.inf
Spyware:Spyware/Media-motor No disinfected C:\WINDOWS\seeve.exe
Adware:Adware/DelFinMedia No disinfected C:\WINDOWS\mm15201518.Stub.exe
Spyware:Spyware/Media-motor No disinfected C:\WINDOWS\unstall.exe
Adware:Adware/Gator No disinfected C:\Program Files\Common Files\econtpqa\ebqtotdcbf\ooeurfnop.exe
Adware:Adware/Gator No disinfected C:\Program Files\Common Files\econtpqa\cactmelr\buesrepf.exe
Adware:Adware/DelFinMedia No disinfected C:\Program Files\Common Files\Uninstall Information\RemoveDisplayUtility.exe
Adware:Adware/Startware No disinfected C:\Program Files\Starware\bin\Starware.dll
Adware:Adware/WUpd No disinfected C:\Program Files\Media Access\MediaAccess.exe
Adware:Adware/WUpd No disinfected C:\Program Files\Media Access\MediaAccK.exe
...

Here's the StartDreck log..

StartDreck (build 2.1.7 public stable) - 2005-05-14 @ 09:40:38 (GMT +10:00)
Platform: Windows 98 SE (Win 4.10.2222 A)
Internet Explorer: 6.0.2800.1106
Logged in as Jayden at OEMCOMPUTER

»Registry
»Run Keys
»Current User
»Run
*Taskbar Display Controls=RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
*SpybotSD TeaTimer=C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
*msnmsgr="C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE" /background
»RunOnce
»Default User
»Run
*Taskbar Display Controls=RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
*SpybotSD TeaTimer=C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
»RunOnce
»Local Machine
»Run
*TaskMonitor=C:\WINDOWS\taskmon.exe
*SystemTray=SysTray.Exe
*NvCplDaemon=RUNDLL32.EXE C:\WINDOWS\SYSTEM\NvCpl.dll,NvStartup
*nwiz=nwiz.exe /install
*NvMediaCenter=RUNDLL32.EXE C:\WINDOWS\SYSTEM\NvMcTray.dll,NvTaskbarInit
*DataLayer=C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe
*Nokia Tray Application=C:\Program Files\Common Files\Nokia\Tools\NclTray.exe
*ScanRegistry=C:\WINDOWS\scanregw.exe /autorun
*LoadPowerProfile=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
*seeve=C:\WINDOWS\SEEVE.exe
*Nsv=C:\WINDOWS\SYSTEM\nsvsvc\nsvsvc.exe
*sp=rundll32 C:\WINDOWS\TEMP\SE.DLL,DllInstall
+OptionalComponents
+IMAIL
*Installed=1
+MAPI
*NoChange=1
*Installed=1
+MAPI
*NoChange=1
*Installed=1
»RunOnce
»RunServices
*LoadPowerProfile=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
*SchedulingAgent=mstask.exe
*WinTools=C:\PROGRA~1\COMMON~1\WINTOOLS\WTOOLSA.EXE
»RunServicesOnce
**knd=rundll32 C:\WINDOWS\RUNHEHP.CAB,DllGetClassObject
»RunOnceEx
»RunServicesOnceEx
»Browser Helper Objects (LM)
*{daa873d4-958c-453c-81ca-3fe6f3676a87}
`InprocServer32=C:\WINDOWS\SYSTEM\guaa.dll
*{C528C1BD-C28D-11D9-9B2D-0048A3F56EEB}
`InprocServer32=C:\WINDOWS\SYSTEM\OOAL.DLL
»Files
»System/Drivers
»Running Processes
+FFCFD623=C:\WINDOWS\SYSTEM\KERNEL32.DLL
+FFFF82BB=C:\WINDOWS\SYSTEM\MSGSRV32.EXE
+FFFF954B=C:\WINDOWS\SYSTEM\MPREXE.EXE
+FFFFACEB=C:\WINDOWS\ACCSTAT.EXE
+FFC0278B=C:\WINDOWS\SYSTEM\MSTASK.EXE
+FFC0D1AF=C:\WINDOWS\SYSTEM\mmtask.tsk
+FFC0D9BB=C:\WINDOWS\RUNDLL32.EXE
+FFC01953=C:\WINDOWS\EXPLORER.EXE
+FFC1A477=C:\WINDOWS\TASKMON.EXE
+FFC0A527=C:\WINDOWS\SYSTEM\SYSTRAY.EXE
+FFC20933=C:\WINDOWS\RUNDLL32.EXE
+FFC1BDCF=C:\PROGRAM FILES\COMMON FILES\PCSUITE\DATALAYER\DATALAYER.EXE
+FFC25183=C:\PROGRAM FILES\COMMON FILES\NOKIA\TOOLS\NCLTRAY.EXE
+FFC27B4B=C:\WINDOWS\SEEVE.EXE
+FFC2FB3B=C:\WINDOWS\SYSTEM\NSVSVC\NSVSVC.EXE
+FFC2D8EB=C:\WINDOWS\RUNDLL32.EXE
+FFC2EE5B=C:\WINDOWS\RunDLL.exe
+FFC2BF93=C:\PROGRAM FILES\SPYBOT - SEARCH & DESTROY\TEATIMER.EXE
+FFC36EB7=C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
+FFC5AB83=C:\WINDOWS\SYSTEM\WMIEXE.EXE
+FFC4D3C3=C:\WINDOWS\SYSTEM\DDHELP.EXE
+FFC3E20F=C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
+FFC526EF=C:\WINDOWS\SYSTEM\PSTORES.EXE
+FFC66E97=C:\MY DOCUMENTS\INSTALLATION STUFF\STARTDRECK\STARTDRECK.EXE
»Application specific

...

And the Win98.Fix thing was a dead link for me. I tried searching for it but nothing really came up..

[Michelle]

I need you to copy all of the Killbox instructions below and paste them into Notepad and save it.

* Please download the Killbox by Option^Explicit.

* Save it to your desktop.

* Run Killbox.exe.

* Select "Delete on Reboot".

* Open the Notepad file where you saved these instructions earlier, and copy the file names below to the clipboard by highlighting ALL of them then press CTRL + C

C:\WINDOWS\SYSTEM\EHANDK.DLL
C:\WINDOWS\SYSTEM\aupgg.exe
C:\WINDOWS\SYSTEM\ngjndk.dll
C:\WINDOWS\SYSTEM\tksrv99.exe
C:\WINDOWS\SYSTEM\xmlparse.dll
C:\WINDOWS\SYSTEM\xmltok.dll
C:\WINDOWS\SYSTEM\nsvsvc\nsvsvc.exe
C:\WINDOWS\SYSTEM\nsvsvc\nsvs.dll
C:\WINDOWS\SYSTEM\nsvsvc\nsv.ocx
C:\WINDOWS\SYSTEM\picsvr\picsvr.exe
C:\WINDOWS\SYSTEM\wldr.dll
C:\WINDOWS\INF\CERES.INF
C:\WINDOWS\TEMP\se.dll
C:\WINDOWS\Start Menu\Programs\StartUp\MyWebSearch Email Plugin.lnk
C:\WINDOWS\Downloaded Program Files\CONFLICT.1\YSBactivex.dll
C:\WINDOWS\Downloaded Program Files\CONFLICT.1\YSBactivex.inf
C:\WINDOWS\Downloaded Program Files\YSBactivex.dll
C:\WINDOWS\Downloaded Program Files\ysbactivex.inf
C:\WINDOWS\Downloaded Program Files\CONFLICT.2\ysbactivex.dll
C:\WINDOWS\Downloaded Program Files\MediaAccX.dll
C:\WINDOWS\Downloaded Program Files\m67m.ocx
C:\WINDOWS\Downloaded Program Files\m67m.inf
C:\WINDOWS\seeve.exe
C:\WINDOWS\mm15201518.Stub.exe
C:\WINDOWS\unstall.exe
C:\Program Files\Common Files\econtpqa\ebqtotdcbf\ooeurfnop.exe
C:\Program Files\Common Files\econtpqa\cactmelr\buesrepf.exe
C:\Program Files\Common Files\Uninstall Information\RemoveDisplayUtility.exe
C:\Program Files\Starware\bin\Starware.dll
C:\Program Files\Media Access\MediaAccess.exe
C:\Program Files\Media Access\MediaAccK.exe

* Return to Killbox, go to the File menu, and choose "Paste from Clipboard".

* Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt. If your computer does not restart automatically, please restart it manually.

After your computer reboots, post a new HiJackThis log (ignore any error messages you may receive on startup). Don't worry about the win98fix, I've got it covered

[Bojangles01]

Thanks for the help mate...
Here's the new HiJackThis Log..

Logfile of HijackThis v1.99.1
Scan saved at 11:20:43 AM, on 14/05/2005
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\ACCSTAT.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\PROGRAM FILES\COMMON FILES\PCSUITE\DATALAYER\DATALAYER.EXE
C:\PROGRAM FILES\COMMON FILES\NOKIA\TOOLS\NCLTRAY.EXE
C:\WINDOWS\RunDLL.exe
C:\PROGRAM FILES\SPYBOT - SEARCH & DESTROY\TEATIMER.EXE
C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\MY DOCUMENTS\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/spage.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.vhlinks.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/spage.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - (no file)
O2 - BHO: (no name) - {daa873d4-958c-453c-81ca-3fe6f3676a87} - C:\WINDOWS\SYSTEM\guaa.dll (file missing)
O2 - BHO: (no name) - {C528C1BD-C28D-11D9-9B2D-0048A3F56EEB} - C:\WINDOWS\SYSTEM\OOAL.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\SYSTEM\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\SYSTEM\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [DataLayer] C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe
O4 - HKLM\..\Run: [Nokia Tray Application] C:\Program Files\Common Files\Nokia\Tools\NclTray.exe
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [seeve] C:\WINDOWS\SEEVE.exe
O4 - HKLM\..\Run: [Nsv] C:\WINDOWS\SYSTEM\nsvsvc\nsvsvc.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [WinTools] C:\PROGRA~1\COMMON~1\WINTOOLS\WTOOLSA.EXE
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE" /background
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O15 - Trusted Zone: *.media-motor.net
O15 - Trusted Zone: *.popuppers.com
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab

[Michelle]

You will want to print these instructions out!

First thing I need you to do is disable Teatimer! This is important as it could interfere with cleaning your system:

* Open Spybot.
* Click MODE, then check ADVANCED MODE, click YES
* Click TOOLS in bottom lefthand corner.
* Click on SYSTEM STARTUP.
* Uncheck Teatimer.
* Click ALLOW CHANGE.
* We will enable Teatimer after your system is clean

Run HijackThis. Place a check next to the following items and click FIX CHECKED:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/spage.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/spage.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - (no file)
O2 - BHO: (no name) - {daa873d4-958c-453c-81ca-3fe6f3676a87} - C:\WINDOWS\SYSTEM\guaa.dll (file missing)
O2 - BHO: (no name) - {C528C1BD-C28D-11D9-9B2D-0048A3F56EEB} - C:\WINDOWS\SYSTEM\OOAL.DLL


Reboot into Safe Mode - you can do this by restarting your computer and continually tapping F8 until a menu appears, Use your up arrow key to highlight Safe Mode, then hit enter. Using Windows Explorer, delete the following files:

C:\WINDOWS\SYSTEM\OOAL.DLL
C:\WINDOWS\TEMP\SE.DLL

Here is the important part!:

* We are going to boot in DOS,
* Click the Start button
* Select Shut Down
* Select Restart the computer in MS-DOS mode
* Click the Yes button

When in DOS...

Type (make sure it's exact!):

del C:\WINDOWS\RUNHEHP.CAB

Then, hit Enter.

Exit DOS.

Reboot your system and ignore the errors you WILL get after reboot.

Post a new HiJackThis log

Edited by bananafanafo, 13 May 2005 - 08:11 PM.

[Bojangles01]

Ummm, these werent there...
C:\WINDOWS\SYSTEM\OOAL.DLL
C:\WINDOWS\TEMP\SE.DLL

But i did the rest, here's the log from HijackThis...

Logfile of HijackThis v1.99.1
Scan saved at 12:33:58 PM, on 14/05/2005
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\ACCSTAT.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\MY DOCUMENTS\HIJACKTHIS\HIJACKTHIS.EXE

O4 - HKCU\..\Run: [msnmsgr] "C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE" /background

[Michelle]

Hmm, that's interesting...

Ok, first I need you to run HiJackThis while in normal mode. Second, Why did you "fix" everything in HiJackThis? It's ok, though, fortunately HiJackThis makes backups and we'll restore them. I just need you to post a new log so I can see exactly what needs to be put back.

[Bojangles01]

Sorry man...
When you originally posted the "Check The Following" for HiJackThis, there wasn't thing else written under it. This is what i saw:

You will want to print these instructions out!

First thing I need you to do is disable Teatimer! This is important as it could interfere with cleaning your system:

* Open Spybot.
* Click MODE, then check ADVANCED MODE, click YES
* Click TOOLS in bottom lefthand corner.
* Click on SYSTEM STARTUP.
* Uncheck Teatimer.
* Click ALLOW CHANGE.
* We will enable Teatimer after your system is clean

Run HijackThis. Place a check next to the following items and click FIX CHECKED:


Reboot into Safe Mode - you can do this by restarting your computer and continually tapping F8 until a menu appears, Use your up arrow key to highlight Safe Mode, then hit enter. Using Windows Explorer, delete the following files:

C:\WINDOWS\SYSTEM\OOAL.DLL
C:\WINDOWS\TEMP\SE.DLL

....

So i assumed you meant check everything....

My apologies. Anyway, here's the new HiJack log:

Logfile of HijackThis v1.99.1
Scan saved at 03:47:23 PM, on 15/05/2005
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\ACCSTAT.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\MY DOCUMENTS\HIJACKTHIS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.vhlinks.com/
O4 - HKCU\..\Run: [msnmsgr] "C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE" /background

[Michelle]

Open HiJackThis.
Click on "None of the above, just start the program"
Click on "Config" (bottom right)
Click on "Backups"

Put a checkmark next to these items:

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\SYSTEM\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\SYSTEM\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [DataLayer] C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe
O4 - HKLM\..\Run: [Nokia Tray Application] C:\Program Files\Common Files\Nokia\Tools\NclTray.exe
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

Then click "Restore"

Close HiJackThis.

Set your system to SHOW HIDDEN FILES

Then, I need you to delete these folders using Windows Explorer (they won't show up by "search"):

C:\Program Files\Common Files\WINTOOLS
C:\Program Files\Media Access
C:\Program Files\Common Files\econtpqa
C:\WINDOWS\SYSTEM\nsvsvc
C:\WINDOWS\SYSTEM\picsvr

Post a new HiJackThis log.

Edited by bananafanafo, 15 May 2005 - 09:03 AM.

[Bojangles01]

Hey mate..
Here's the Log file.

Logfile of HijackThis v1.99.1
Scan saved at 04:22:29 PM, on 16/05/2005
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\ACCSTAT.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
C:\PROGRAM FILES\WINDOWS MEDIA PLAYER\WMPLAYER.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.vhlinks.com/
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [Nokia Tray Application] C:\Program Files\Common Files\Nokia\Tools\NclTray.exe
O4 - HKLM\..\Run: [DataLayer] C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\SYSTEM\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\SYSTEM\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKCU\..\Run: [msnmsgr] "C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE" /background
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - HKCU\..\RunServices: [msnmsgr] "C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE" /background
O4 - HKCU\..\RunServices: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY

...

O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe wasn't in the HiJackThis restore page. (Remember we disabled it?)

Edited by Bojangles01, 16 May 2005 - 12:27 AM.

[Michelle]

Yes, I remember disabling it

Ok, good! Now onto smitfraud...You followed all instructions in the link you posted in your first post, yes? The infection we just cleaned was due to CoolWebSearch and not smitfraud. So, having any other problems??

Edited by bananafanafo, 16 May 2005 - 12:51 AM.

[Bojangles01]

Ummm, the background is [bleep]ed.. plain black screen and i cant use Jpg's as the wallpaper. That happened at the same time as the other probs. Is there a way i can see if smitfraud is on my system?