Spyware Blaster [RESOLVED]


#1 NormaJBaker2000 (Member, 31 posts)
I have attempted to install Spyware Blaster from 2 different download sites (one being download.com) through your site. Every time I try to install it on my computer, I get the error message "This program has been damaged, possibly by a bad sector of the hard drive or a virus. Please reinstall it." I ran McAfee anti-virus but nothing came up. I just installed ZoneAlarm. Could that have anything to do with it? Here is an HJT log just in case you need it:

Logfile of HijackThis v1.99.1
Scan saved at 11:55:13 AM, on 5/12/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\EXECUTIVE SOFTWARE\DISKEEPERWORKSTATION\DKSERVICE.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\VERIZON ONLINE\SMARTBRIDGE\MOTIVESB.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMKEYBD.EXE
C:\WINDOWS\SYSTEM\HPSYSDRV.EXE
C:\PROGRAM FILES\MOTIVE\MOTMON.EXE
C:\WINDOWS\OPTIONS\CABS\LOGITECH\HP_FINDER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\BILLP STUDIOS\WINPATROL\WINPATROL.EXE
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
C:\WINDOWS\RunDLL.exe
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\KEYBDMGR.EXE
C:\PROGRAM FILES\NETROPA\ONSCREEN DISPLAY\OSD.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMUSBKB2.EXE
C:\PROGRAM FILES\VERIZON ONLINE\BIN\MPBTN.EXE
C:\PROGRAM FILES\MOZILLA FIREFOX\FIREFOX.EXE
C:\PROGRAM FILES\BACKWEB\BACKWEB\PROGRAM\BWDELAY.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Verizon Online
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;;localhost;<local>
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN2\YCOMP5_5_7_0.DLL
O2 - BHO: Verizon Broadband Toolbar - {4E7BD74F-2B8D-469E-D0FC-E57AF4D5FA7D} - C:\PROGRA~1\COMMON~1\VERIZO~1\SFP\VZBB.DLL
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\PROGRAM FILES\MSN APPS\MSN TOOLBAR\01.02.3000.1001\EN-US\MSNTB.DLL
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\PROGRAM FILES\MSN APPS\ST\01.02.3000.1002\EN-XU\STMAIN.DLL
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN2\YCOMP5_5_7_0.DLL
O3 - Toolbar: Verizon Broadband Toolbar - {4E7BD74F-2B8D-469E-D0FC-E57AF4D5FA7D} - C:\PROGRA~1\COMMON~1\VERIZO~1\SFP\VZBB.DLL
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\PROGRAM FILES\MSN APPS\MSN TOOLBAR\01.02.3000.1001\EN-US\MSNTB.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\VERIZO~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [Keyboard Manager] C:\Program Files\Netropa\One-touch Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [Delay] C:\WINDOWS\delayrun.exe
O4 - HKLM\..\Run: [MotiveMonitor] C:\Program Files\Motive\motmon.exe
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [HPLogiFinder] \WINDOWS\OPTIONS\CABS\LOGITECH\HP_FINDER.EXE
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [WinPatrol] C:\PROGRAM FILES\BILLP STUDIOS\WINPATROL\winpatrol.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [DkService] C:\Program Files\Executive Software\DiskeeperWorkstation\DkService.exe
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - Startup: Verizon Online Support Center.lnk = C:\Program Files\Verizon Online\bin\matcli.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM95\AIM.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O14 - IERESET.INF: START_PAGE_URL=http://cgi.verizon.net/bookmarks/bmredir.asp?region=west&bw=dsl&cd=4.0&bm=ho_home
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://playweb11.pog...aploader_v6.cab
O16 - DPF: {869F3BBC-A812-4D13-A93B-7B3FC816DCD5} (McAfee.com Updater) - http://download.mcaf...can/mcasupd.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/...ro.cab34246.cab
O16 - DPF: {D06A22B4-6087-4D3D-B7AF-82B113E9ABD4} (CPostLaunch Object) - http://www2.verizon....es/vzWebIns.CAB
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....467&clcid=0x409
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.c...nst20040510.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {9B03C5F1-F5AB-47EE-937D-A8EDA626F876} (Anonymizer Anti-Spyware Scanner) - http://download.zone...ctor/WebAAS.cab

Thank you in advance for the assistance.
-Jenni
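Reading a HijackThis log by eye gets tedious once it runs to dozens of O4 entries. The Python below is an added example written for this thread, not part of the original post and not HijackThis code: it parses the R/O line shapes seen above into structured records, pulls the CLSID and target path out of each, and lists autostart (O4) entries whose command names a bare executable rather than a full path, since those are resolved through the search path at logon and are worth confirming on disk. The sample lines are copied from the log above; the record fields and the "unqualified path" heuristic are assumptions of mine.

```python
"""Structured reader for HijackThis-style log lines.

Added example for this thread; not HijackThis code and not from the original post.
Handles the line shapes visible in the log above (R1, O2, O3, O4, O9, O16).
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional

# A COM class id in braces, as printed in O2/O3/O9/O16 lines.
GUID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
# Every entry is "<section code> - <body>"; section codes look like R1, O4, F2.
LINE_RE = re.compile(r"^(?P<code>[RFON]\d+) - (?P<body>.+)$")
# O4 body: "HKLM\..\Run: [ValueName] command line"
O4_RE = re.compile(r"^(?P<hive>[^:]+): \[(?P<name>[^\]]*)\] (?P<command>.*)$")
# A command whose first token starts with a drive letter or a backslash is path-qualified.
QUALIFIED_RE = re.compile(r"^(?:[A-Za-z]:\\|\\)")


@dataclass
class Entry:
    code: str                     # HijackThis section, e.g. "O4"
    body: str                     # everything after "<code> - "
    clsid: Optional[str] = None   # upper-cased {GUID} if the line carries one
    target: Optional[str] = None  # file path, URL or command line the entry points at
    name: Optional[str] = None    # registry value name for O4 entries


def parse_line(line: str) -> Optional[Entry]:
    """Turn one log line into an Entry, or None for headers and process-list lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    code, body = m.group("code"), m.group("body")
    entry = Entry(code=code, body=body)
    guid = GUID_RE.search(body)
    if guid:
        entry.clsid = guid.group(0).upper()
    if code == "O4":
        m4 = O4_RE.match(body)
        if m4:
            entry.name = m4.group("name")
            entry.target = m4.group("command")
    else:
        # For O2/O3/O9/O16 the file or URL is the last " - "-separated field.
        parts = body.split(" - ")
        if len(parts) >= 2:
            entry.target = parts[-1].strip()
    return entry


def parse_log(text: str) -> List[Entry]:
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]


def count_by_section(entries: List[Entry]) -> Dict[str, int]:
    return dict(Counter(e.code for e in entries))


def unqualified_autostarts(entries: List[Entry]) -> List[str]:
    """Value names of O4 entries whose command gives no path at all.

    Such entries are located through the search path at logon, so the file that
    actually runs should be confirmed on disk rather than assumed.
    """
    flagged = []
    for e in entries:
        if e.code != "O4" or not e.target:
            continue
        first_token = e.target.split()[0]
        if not QUALIFIED_RE.match(first_token):
            flagged.append(e.name)
    return flagged


# Sample input: lines copied from the HijackThis log posted above.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;;localhost;<local>
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN2\YCOMP5_5_7_0.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [HPLogiFinder] \WINDOWS\OPTIONS\CABS\LOGITECH\HP_FINDER.EXE
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://playweb11.pog...aploader_v6.cab
"""

if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    print(count_by_section(entries))
    for e in entries:
        if e.clsid:
            print(e.code, e.clsid, "->", e.target)
    print("O4 entries without a path:", unqualified_autostarts(entries))
```

On the sample, the three flagged entries are SystemTray, LoadQM and SchedulingAgent; a flag means "check which file this resolves to", not "this is malicious", which is the same caution the helper applies when declaring the log clean.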

#2 greyknight17 (Malware Expert, Visiting Consultant, 16,560 posts)
Hi Jenni, this log is clean.

How about if you install it from the JavaCoolSoftware Site?

#3 NormaJBaker2000 (Topic Starter, Member, 31 posts)
I could not remember the name of the other website I attempted to download from and that is why I didn't add that info. I went to the link you posted and it turns out that is the other site I have already attempted to download from. Also, as an update, my McAfee is having problems updating. I uninstalled it and attempted to install AVG but now I am having problems installing AVG as well. You previously helped me with the smitfraud virus and I also obtained help from Metallica a few days ago with pop-ups I was having trouble with. When I went to panda to do an online scan (because I could not get the AVG to work), it told me my IE was not updated. I know I updated this recently because that was the browser I was using when I became infected with smitfraud. I don't know if somewhere the update was erased or if this has something to do with the current problem. I updated that today though. I am going to attempt to run a virus scan through panda again now and I will let you know the results. Thanks.
-Jenni

#4 greyknight17 (Malware Expert, Visiting Consultant, 16,560 posts)
Hi Jenni, you may also run mwav and see if it will find anything that Panda might have missed:

Please empty any Quarantine folder in your antivirus program and purge all recovery items in the Spybot program (if you use it) before running this tool.

Download the Mwav virus checker at http://www.mwti.net/antivirus/mwav.asp (Use Link 3)

1. Save it to a folder.
2. Reboot into Safe Mode.
3. Double click the Mwav.exe file. This is a stand alone tool and NOT just a virus checker......so it won't install anything.
4. Select all local drives, scan all files, and press SCAN. When it is completed, anything found will be displayed in the lower pane.
5. In the Virus Log Information pane, left click and highlight all the information in the lower pane. Use CTRL+C on your keyboard to copy everything found in the lower pane and save it to a Notepad file.
*Note* If prompted that a virus was found and you need to purchase the product to remove the malware, just close out the prompt and let it continue scanning. We are not going to use this to remove anything...but to ID the bad files.

Once you copy that to a Notepad file...highlight the text and copy it here.

#5 NormaJBaker2000 (Topic Starter, Member, 31 posts)
Ok....here's the story. :tazz: I did everything up through step 3. When I double-click on the mwav file, it unzips automatically to c:/WINDOWS/Temp and then does nothing else. When I searched the temp folder, I found mwav and mwavscan. I double-clicked on mwavscan but nothing happened. Mwav is in notepad so I have copied that and it follows. I don't know if that is what you were requesting to look at but it is all it has.

[General]
EngineType=1

[Welchia]
Reg1=HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RPCPatch,"","",""
Reg2=HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RPCTFTPD,"","",""
DeleteFile1=%winsysdir%\wins\svchost.exe
DeleteFile2=%winsysdir%\wins\Dllhost.exe

[LovGate]
Reg1=HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ll_reg,"","",""
Reg2=HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetMeeting\RemoteDesktop(RPC),"","",""
Reg3=HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Microsoft\NetWork File Wall Services,"","",""
Reg4=HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Windows\Management Instrumentation Driver Extension,"","",""
DeleteFile1=%winsysdir%\NetServices.exe
DeleteFile2=%winsysdir%\RAVMOND.EXE
DeleteFile3=%winsysdir%\RAVMOND.EXE
DeleteFile4=%winsysdir%\WinGate.exe
DeleteFile5=%winsysdir%\WinDriver.exe
DeleteFile6=%winsysdir%\WinHelp.exe
DeleteFile7=%winsysdir%\winrpc.exe
DeleteFile8=%winsysdir%\ily.dll
DeleteFile9=%winsysdir%\task.dll
DeleteFile10=%winsysdir%\reg.dll
DeleteFile11=%winsysdir%\1.dll
DeleteFile12=%winsysdir%\win32vxd.dll
DeleteFile13=%winsysdir%\kernel66.dll
DeleteFile14=%winsysdir%\kernel66.dll
DeleteFile15=%winsysdir%\iky668.dll
DeleteFile16=%winsysdir%\reg678.dll
DeleteFile17=%winsysdir%\task688.dll
DeleteFile18=%winsysdir%\111.dll

[CodeRed]
DeleteFile1=%inetpub%\scripts\root.exe
DeleteFile2=%PF%\common~1\system\MSADC\root.exe
DeleteFile3=%SYSTEMDIR%explorer.exe
Reg1=HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\Virtual Roots\C
Reg2=HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\Virtual Roots\D

[OpaServ]
DeleteFile1=%SYSTEMDIR%\Tmp.ini
; this is Opaserv.M
DeleteFile2=%SYSTEMDIR%\MSLICENF.COM
DeleteFile3=%SYSTEMDIR%\BOOT.EXE
BAT1=Autoexec.bat,MSLICENF
BAT2=Autoexec.bat,BOOT.EXE

[Sobig.e]
DeleteFile1=%winsysdir%\cgtask.exe
DeleteFile2=%winsysdir%\mmtask.exe

[Winupie]
DeleteFile1=%winsysdir%\AxConfig.dll,regsvr32 /s /u AxConfig.dll

[Swen]
DeleteFile1=%winsysdir%\SWEN*.DAT

[JS.Fortnight]
DeleteFile1=%PF%\sign.htm
DeleteFile2=%PF%\sign.html

[Novarg]
DeleteFile1=%winsysdir%\shimgapi.dll

[Pagabot]
Reg1=HKEY_LOCAL_MACHINE\Software\Microsoft\windows\currentversion\run,Cryptographic Service,"",""

[Parite.b]
Reg1=HKEY_CURRENT_USER\Software\Microsoft\windows\currentversion\explorer,PINF,"",""

[Parite.a]
Reg1=HKEY_CURRENT_USER\Software\Microsoft\windows\currentversion\explorer,ZANF,"",""

[Adware.SeekSeek]
Reg1=HKEY_CURRENT_USER\Console,UUID,"",""
Reg2=HKEY_CURRENT_USER\Console,lp,"",""

Also, when I ran the Panda scan, it was showing a lot of adware (including that stupid wp.exe) but I can't get Ad-Aware to run either.
Thanks,
-Jenni

#6 greyknight17 (Malware Expert, Visiting Consultant, 16,560 posts)
Download mwav.exe again. Don't run it yet. Rename it to something like mwavOld.exe instead and try running it. The log above is not what I want. It should tell us what files it found to be possible viruses. If anything, try running it in Safe Mode.

#7 NormaJBaker2000 (Topic Starter, Member, 31 posts)
I apologize for the length of time it has taken me to respond. I somehow was able to get my ad-aware up and running, just FYI. I tried all the steps you gave me to attempt to run mwav, but it still is not working for me. Any other suggestions?
Thank you.
-Jenni

#8 greyknight17 (Malware Expert, Visiting Consultant, 16,560 posts)
mwav should have run automatically once it unzips itself to the temp folder. I think it begins the program installation after it unzips itself. So try again.

If it's still giving you problems, do this:

Download DllCompare http://www.greyknigh.../DllCompare.exe and run it. Click on the 'Locate.com' button. Wait a few seconds and then click on the 'Compare' button. Let it run, then click on 'Make a log of what was found'. Post that log here. Note: If you are having problems using DllCompare (16 bit error), copy autoexec.nt from the C:\WINDOWS\repair folder to C:\WINDOWS\system32 folder. Now try running DllCompare.

#9 NormaJBaker2000 (Topic Starter, Member, 31 posts)
The mwav unzips but does not start automatically. I tried locating the unzipped files and starting it manually but that does not work either. Here is the log from DLLCompare:


* DLLCompare Log version(1.0.0.125)
Files Found that Windows does not See or cannot Access
*Not everything listed here means you are infected!
________________________________________________

O^E says: "There were no files found :tazz:"
________________________________________________

1,009 items found: 1,009 files, 0 directories.
Total of file sizes: 191,573,006 bytes 182.70 M

--------------------End log---------------------

I don't know what any of that means but I hope it is a good thing. My internet connection is running real slow right now though. I don't know if that has anything to do with the current problem. Also, I should prolly let you know that every day now, WinPatrol pops up and tells me a file with a DLL extension is attempting to install itself. When I click on "no" I get a pop-up that says "uninstall failed". Then when I scan with HJT, the files are there. I end up running SPFix and CWShredder and then deleting the remainder from the HJT log. Just thought I would let you know in case this helps any. Thanks.
-Jenni

#10 greyknight17 (Malware Expert, Visiting Consultant, 16,560 posts)
I want you to go here and upload this file (C:\WINDOWS\RunDLL.exe) to the site. Hit Submit. What does the analysis say?

#11 NormaJBaker2000 (Topic Starter, Member, 31 posts)
Service load: 0% 100%

File: RunDLL.exe
Status: OK
MD5 a533e5bbc3f981cd669cbb524f1200b6
Packers detected: -
Scanner results
AntiVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
Fortinet Found nothing
Kaspersky Anti-Virus Found nothing
mks_vir Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
VBA32 Found nothing

#12 greyknight17 (Malware Expert, Visiting Consultant, 16,560 posts)
Right click on that rundll.exe file and go to Properties. Go to the Version tab. Is it from Microsoft and what is the creation/modified date?

OK, let's run this program instead then:

Let's use a program to scan for any trojans that may exist. Download TDS-3 http://tds.diamondcs...p?page=download. Learn how to use it at http://tds.diamondcs...?page=easytouse. Make sure to update it after you installed it. You can get the manual updates at http://tds.diamondcs...php?page=update. When you launch the program, it will scan your memory for running processes. This will take less than 30 seconds. Next go to 'System Testing' on the menu and choose 'Full System Scan'. After that's finished, post the log file by selecting everything on the top pane (select from bottom to top). If any alarms are found, it will be listed in the bottom window. Please copy and paste that here also if it applies. If you have problems copying the text, look (or search) for a file named scandump.txt and see if that has the alarms - post that here.

#13 NormaJBaker2000 (Topic Starter, Member, 31 posts)
Here are both logs:

23:21:18 [Init] Trojan Defence Suite v3.2.0 (UNLICENSED)
23:21:18 [Init] Started 19-05-05 23:21:18 Pacific Standard Time (UTC: 8), Internet Time @1306.46
23:21:18 [Init] Loading TDS-3 Systems ...
23:21:18 [Init] Token successfully adjusted.
23:21:18 [Init] • TDS Privileges : OK. Adjusted TDS-3 token privileges to maximum
23:21:19 [Init] • Plugins : OK. Loaded 13
23:21:19 [Init] • Exec Protection : Not Installed
23:21:19 [Init] WARNING: Your Radius.TD3 database needs to be updated!
23:21:19 [Init] Please download the latest from http://tds.diamondcs.com.au/radius.td3
23:21:19 [Init] Licensed users can use the Update facility from the TDS menu
23:21:19 [Init] Loading Radius Advanced Scanning Systems ... <R3 Engine, DCS Labs>
23:21:42 [Init] • Radius Advanced Specialist Extensions on standby for 13 trojan families
23:21:42 [Init] • Systems Initialised [55589 references - 28940 primaries/14386 traces/12263 variants/other]
23:21:42 [Init] Radius Systems loaded. <Databases updated 19-05-2005>
23:21:42 [Init] TDS-3 Ready. <@192.168.1.47, 0.0.0.0, 127.0.0.1 - usa>
23:21:42 [Tip Of The Day] For a summary of what a button or feature of TDS-3 does, hover the mouse cursor over it to get tooltip information.
23:21:42 [Init] NOTICE A change has been detected in the autostart registry. Press Ctrl+A to view the autostart registry
23:21:42 [TDS] Good evening Operator.
23:21:59 [Mutex Memory Scan] Started...
23:22:01 [Mutex Memory Scan] Finished (no trojan mutexes found).
23:22:01 [TDS-3] This is an EVALUATION demo of TDS-3. Please see the help file for help on registering.
23:22:10 [CRC32] Started - verifying 29 files ...
23:22:12 [CRC32] File doesn't exist: C:\WINDOWS\System\cmd.exe
23:22:13 [CRC32] File doesn't exist: C:\WINDOWS\System\netstat.exe
23:22:15 [CRC32] File doesn't exist: C:\WINDOWS\System\drwatson.exe
23:22:16 [CRC32] File doesn't exist: C:\WINDOWS\System\drwtsn32.exe
23:22:17 [CRC32] File doesn't exist: C:\WINDOWS\System\rundll32.exe
23:22:18 [CRC32] File doesn't exist: C:\WINDOWS\System\sysedit.exe
23:22:19 [CRC32] File doesn't exist: C:\WINDOWS\System\taskman.exe
23:22:20 [CRC32] File doesn't exist: C:\WINDOWS\System\taskmgr.exe
23:22:20 [CRC32] File doesn't exist: C:\WINDOWS\System\winlogon.exe
23:22:21 [CRC32] File doesn't exist: C:\WINDOWS\System\regedt32.exe
23:22:22 [CRC32] File doesn't exist: C:\WINDOWS\System\netmsg.dll
23:22:23 [CRC32] File doesn't exist: C:\WINDOWS\System\winsock.dll
23:22:25 [CRC32] Test finished.
23:26:31 [Memory Scan] Memory scan started, please wait a moment ...
23:26:38 [Memory Scan] Memory scan complete.
23:26:38 [Mutex Memory Scan] Started...
23:26:40 [Mutex Memory Scan] Finished (no trojan mutexes found).
23:26:40 [Trace Scan] Started...
23:27:33 [Trace Scan] Finished.
23:27:33 [ServiceScan] Scanning for services and drivers ...
23:27:34 [ServiceScan] Scanned 23 services and drivers.
23:27:34 [File Scan] Scanning in A:\ ...
23:27:34 [File Scan] Scanned 0 files: 0 alarms in 0.3828125 seconds (Avg 1. files/sec)
23:27:34 [File Scan] Scanning in C:\ ...
01:15:02 [File Scan] Scanned 58985 files: 34 alarms in -79952.35 seconds (Avg .26 files/sec)
01:15:03 [File Scan] Scanning in M:\ ...
01:15:04 [File Scan] Scanned 0 files: 34 alarms in 0.1098633 seconds (Avg 1. files/sec)


Scan Control Dumped @ 07:18:49 20-05-05
Positive identification (DLL): Adware.HereToFind (dll)
File: c:\windows\remove_me.dll

Positive identification: TrojanDropper.Win32.Agent.ii
File: c:\windows\temp\nlji.exe

Positive identification (DLL): Trojan.Win32.StartPage.qr3 (dll)
File: c:\windows\system\oglg.dll

Positive identification (DLL): Trojan.Win32.StartPage.qr3 (dll)
File: c:\windows\system\fenacaa.dll

Positive identification (DLL): Trojan.Win32.StartPage.qr3 (dll)
File: c:\windows\system\lnehgo.dll

Positive identification (DLL): Trojan.Win32.StartPage.qr3 (dll)
File: c:\windows\system\iohf.dll

Positive identification (embedded in file): Adware.CoolWeb.a (dll)
File: c:\windows\system\o1716ov0.tmp

Positive identification (embedded in file): Adware.CoolWeb.a (dll)
File: c:\windows\system\o78kdov0.tmp

Positive identification (DLL): Adware.180Solutions.f (dll)
File: c:\windows\system\mscjjn.dll

Positive identification (DLL): Adware.HereToFind (dll)
File: c:\windows\system\remove_me.dll

Positive identification (DLL): TrojanDownloader.Win32.Agent.le (dll)
File: c:\windows\system\wldr.dll

Positive identification: Adware.FindSpy.e
File: c:\windows\system\spoolsrv32.exe

Positive identification: Trojan.Win32.StartPage.nk10
File: c:\windows\system\temperror32.dat

Positive identification (DLL): TrojanDropper.Win32.Small.nj (dll)
File: c:\windows\system\msbb321.dlltmp

Positive identification: TrojanDownloader.Win32.TSUpdate.j Dropper
File: c:\windows\system\tsuninst.exe

Positive identification: Adware.EZula.g1
File: c:\windows\system\ezpopstub.exe

Positive identification (DLL): Adware.PopCap (dll)
File: c:\windows\downloaded program files\popcaploader.dll

Positive identification (DLL): TrojanDownloader.Win32.Small.xo (dll)
File: c:\windows\downloaded program files\v3.dll

Positive identification (DLL): Adware.PopCap (dll)
File: c:\windows\downloaded program files\conflict.1\popcaploader.dll

Positive identification (DLL): Adware.PopCap (dll)
File: c:\windows\downloaded program files\conflict.2\popcaploader.dll

Positive identification: Riskware.Tool.KillApp
File: c:\hp\bin\terminator.exe

Positive identification: Adware.BookedSpace.c Dropper.a
File: c:\my documents\windows media player\wmplayer.exe

Positive identification: Trojan.Win32.StartPage.tj3
File: c:\program files\internet explorer\vka.exe

Positive identification: TrojanDownloader.Win32.Delf.cb12
File: c:\program files\internet explorer\dwrrihbh.exe

Positive identification (DLL): Adware.WinAD.aj (dll)
File: c:\program files\yahoo!\ypsr\quarantine\ppq6042.tmp

Positive identification: Adware.WinAD.aj1
File: c:\program files\yahoo!\ypsr\quarantine\ppq6043.tmp

Positive identification <Adv>: Possible WebDownloader
File: c:\program files\yahoo!\ypsr\quarantine\ppq6044.tmp

Positive identification: TrojanDropper.Win32.Small.vb
File: c:\recycled\q166352.exe

Suspicious Filename: Dual extensions
File: c:\aolextras\desktop\problem fixes\mwav\mwavold.exe.exe

Positive identification (DLL): Adware.MediaBack.b (dll)
File: c:\backups\backup-20050430-202404-169.dll

Positive identification (DLL): Trojan.Win32.StartPage.qr3 (dll)
File: c:\backups\backup-20050501-012827-802.dll

Positive identification (DLL): Adware.ReSearch.a (dll)
File: c:\backups\backup-20050501-012827-332.dll

Positive identification (embedded in file): TrojanDownloader.Win32.IstBar.ff
File: c:\backups\backup-20050501-012827-172.dll

Positive identification (DLL): TrojanDropper.Win32.Agent.cy (dll)
File: c:\backups\backup-20050501-012827-172.dll

Kind of scary looking.
Thanks
-Jenni
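The TDS-3 dump above mixes hits in live locations with hits inside an anti-spyware quarantine folder, dated backup files and the Recycle Bin, and sorting those apart is much of what the next reply does by hand. The Python below is an added example, not TDS-3 or Geeks to Go code: it pairs each "Positive identification" or "Suspicious Filename" header with the File: line that follows it, separates held copies from live files by path, keeps the dual-extension filename heuristic apart from signature matches, and counts signature hits per detection name. The sample is a subset of the dump above copied verbatim; the folder markers used to decide what counts as "held" are an assumption of mine.

```python
"""Reader and triage helper for a TDS-3 "Scan Control" dump.

Added example for this thread; not TDS-3 or Geeks to Go code.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Header shapes seen in the dump:
#   "Positive identification (DLL): Name (dll)"
#   "Positive identification <Adv>: Possible WebDownloader"
#   "Suspicious Filename: Dual extensions"
ALARM_RE = re.compile(
    r"^(?P<kind>Positive identification|Suspicious Filename)"
    r"(?: \((?P<how>[^)]*)\))?"   # e.g. (DLL), (embedded in file)
    r"(?: <(?P<adv>[^>]*)>)?"     # e.g. <Adv>
    r": (?P<detail>.+)$"
)
FILE_RE = re.compile(r"^File: (?P<path>.+)$")

# Assumption: a hit under one of these folders is a copy another tool already set
# aside (anti-spyware quarantine, backup files, Recycle Bin), not a live file.
HELD_MARKERS = ("\\quarantine\\", "\\backups\\", "\\recycled\\")


@dataclass
class Alarm:
    kind: str           # "Positive identification" or "Suspicious Filename"
    detail: str         # detection name or heuristic description
    path: str           # lower-cased file path
    how: Optional[str]  # "DLL", "embedded in file", or None


def parse_dump(text: str) -> List[Alarm]:
    """Pair each alarm header with the File: line that follows it."""
    alarms: List[Alarm] = []
    pending = None
    for raw in text.splitlines():
        line = raw.strip()
        m = ALARM_RE.match(line)
        if m:
            pending = m
            continue
        f = FILE_RE.match(line)
        if f and pending:
            alarms.append(Alarm(kind=pending.group("kind"), detail=pending.group("detail"),
                                path=f.group("path").lower(), how=pending.group("how")))
            pending = None
    return alarms


def is_held(path: str) -> bool:
    return any(marker in path for marker in HELD_MARKERS)


def triage(alarms: List[Alarm]) -> Tuple[List[str], List[str]]:
    """Split paths into (live, held): live ones need action, held ones are cleared
    by emptying the quarantine or backup folder they sit in."""
    live: List[str] = []
    held: List[str] = []
    for a in alarms:
        (held if is_held(a.path) else live).append(a.path)
    return live, held


def family(detail: str) -> str:
    """Detection name with the trailing '(dll)' qualifier removed."""
    return re.sub(r"\s*\(dll\)$", "", detail)


def family_counts(alarms: List[Alarm]) -> Dict[str, int]:
    """Signature hits per detection name; filename heuristics are not counted here."""
    return dict(Counter(family(a.detail) for a in alarms if a.kind == "Positive identification"))


def heuristic_hits(alarms: List[Alarm]) -> List[str]:
    """Filename heuristics (e.g. dual extensions) are not signature matches; keep them apart."""
    return [a.path for a in alarms if a.kind == "Suspicious Filename"]


# Sample input: a subset of the dump posted above, copied verbatim.
SAMPLE_DUMP = r"""
Scan Control Dumped @ 07:18:49 20-05-05
Positive identification (DLL): Adware.HereToFind (dll)
File: c:\windows\remove_me.dll

Positive identification (DLL): Trojan.Win32.StartPage.qr3 (dll)
File: c:\windows\system\oglg.dll

Positive identification: Adware.BookedSpace.c Dropper.a
File: c:\my documents\windows media player\wmplayer.exe

Positive identification <Adv>: Possible WebDownloader
File: c:\program files\yahoo!\ypsr\quarantine\ppq6044.tmp

Positive identification: TrojanDropper.Win32.Small.vb
File: c:\recycled\q166352.exe

Suspicious Filename: Dual extensions
File: c:\aolextras\desktop\problem fixes\mwav\mwavold.exe.exe

Positive identification (DLL): Trojan.Win32.StartPage.qr3 (dll)
File: c:\backups\backup-20050501-012827-802.dll
"""

if __name__ == "__main__":
    alarms = parse_dump(SAMPLE_DUMP)
    live, held = triage(alarms)
    print("live:", *live, sep="\n  ")
    print("held:", *held, sep="\n  ")
    print("heuristic only:", heuristic_hits(alarms))
    print(family_counts(alarms))
```

The wmplayer.exe hit lands in the live list even though its path looks ordinary, which is why a hit like that gets a second opinion (the multi-scanner upload the next reply asks for) rather than a blind delete; the dual-extension entry is reported but never counted as a detection.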

#14 greyknight17 (Malware Expert, Visiting Consultant, 16,560 posts)
Go to this site again and upload this file to it -> c:\my documents\windows media player\wmplayer.exe

I think a trojan replaced the good/legit media player file. You might have to extract that file back from the Windows CD or get it from another Windows ME computer (if it's the same media player version).

Go to c:\program files\yahoo!\ypsr\quarantine\ and empty out that folder.

Download KillBox http://www.greyknigh...spy/KillBox.exe. Run KillBox and check the box that says 'End Explorer Shell While Killing File'. Next click on 'Delete on Reboot'. For each of the following files below, check the box that says 'Unregister .dll Before Deleting' if it's not grayed out. Copy and paste each of the following into KillBox (hitting the X button for each file - choose NO when it asks if you want to reboot):

c:\windows\remove_me.dll
c:\windows\system\oglg.dll
c:\windows\system\fenacaa.dll
c:\windows\system\lnehgo.dll
c:\windows\system\iohf.dll
c:\windows\system\o1716ov0.tmp
c:\windows\system\o78kdov0.tmp
c:\windows\system\mscjjn.dll
c:\windows\system\remove_me.dll
c:\windows\system\wldr.dll
c:\windows\system\spoolsrv32.exe
c:\windows\system\temperror32.dat
c:\windows\system\msbb321.dlltmp
c:\windows\system\tsuninst.exe
c:\windows\system\ezpopstub.exe
c:\windows\downloaded program files\popcaploader.dll
c:\windows\downloaded program files\v3.dll
c:\windows\downloaded program files\conflict.1\
c:\windows\downloaded program files\conflict.2\
c:\program files\internet explorer\vka.exe
c:\program files\internet explorer\dwrrihbh.exe


The Temp folders should be cleaned out periodically as installation programs and hijack programs leave a lot of junk there. Download CleanUp! http://cleanup.stevengould.org/ (Alternate Link if the main link doesn't work - http://www.greyknigh...spy/Cleanup.exe ) and install it. Run CleanUp! and click on the CleanUp! button. When it asks you if you want to log off, click on Yes.

Restart.

Go to Start->Settings->Control Panel and double-click on the System icon. On the Performance tab click File System. Click the Troubleshooting tab, and then check 'Disable System Restore'. Click OK. Click Yes when you are prompted to restart Windows. Go back and uncheck that same box to enable system restore.

Restart again.

How's everything running now?

#15 NormaJBaker2000 (Topic Starter, Member, 31 posts)
Well...I am going to try to download spyware blaster again. I will let you know if it works out.
-Jenni

Edited by NormaJBaker2000, 20 May 2005 - 03:13 PM.
