Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

Trojan Horse? [RESOLVED]


  • This topic is locked This topic is locked

#1
deimbt

deimbt

    New Member

  • Member
  • Pip
  • 9 posts
Logfile of HijackThis v1.99.1
Scan saved at 10:21:30 PM, on 5/24/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\APIHK32.EXE
C:\WINDOWS\MSYI.EXE
C:\WINDOWS\MFCQL32.EXE
C:\WINDOWS\SYSTEM\JAVAMW32.EXE
C:\WINDOWS\IELP32.EXE
C:\WINDOWS\SYSTEM\APPML.EXE
C:\WINDOWS\SYSTEM\IPPP32.EXE
C:\WINDOWS\IPRT.EXE
C:\WINDOWS\SYSTEM\NTYL32.EXE
C:\WINDOWS\SYSTEM\NTOK32.EXE
C:\WINDOWS\CRCQ.EXE
C:\WINDOWS\SYSTEM\MFCYN32.EXE
C:\WINDOWS\IPWC32.EXE
C:\WINDOWS\ADDNE.EXE
C:\WINDOWS\JAVAUO.EXE
C:\WINDOWS\NTRJ.EXE
C:\WINDOWS\JAVACX32.EXE
C:\WINDOWS\SYSTEM\APIIR32.EXE
C:\WINDOWS\SYSTEM\WINJQ32.EXE
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\MUSICMATCH\MUSICMATCH JUKEBOX\MM_TRAY.EXE
C:\WINDOWS\SYSTEM\PRINTRAY.EXE
C:\WINDOWS\LOADQM.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MSMSGS.EXE
C:\WINDOWS\JAVAAG.EXE
C:\PROGRAM FILES\ADAPTEC\EASY CD CREATOR 4\CREATECD\CREATECD.EXE
C:\BSW.EXE
C:\WINDOWS\SYSTEM\WINNOOK.EXE
C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\WORKS SHARED\WKCALREM.EXE
C:\WINDOWS\FSSCRCTL.EXE
C:\PROGRAM FILES\SCOUR EXCHANGE\SX.EXE
C:\WINDOWS\SYSTEM\WINJQ32.EXE
C:\WINDOWS\SYSTEM\NETST32.EXE
C:\WINDOWS\SYSTEM\JAVAMW32.EXE
C:\WINDOWS\IELP32.EXE
C:\WINDOWS\JAVAUO.EXE
C:\WINDOWS\ADDGZ.EXE
C:\WINDOWS\CRCQ.EXE
C:\WINDOWS\SYSTEM\APPOX32.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\NETSCAPE\NETSCAPE BROWSER\NETSCAPE.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system\bfikz.dll/sp.html#55135
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system\bfikz.dll/sp.html#55135
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system\bfikz.dll/sp.html#55135
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system\bfikz.dll/sp.html#55135
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system\bfikz.dll/sp.html#55135
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system\bfikz.dll/sp.html#55135
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system\bfikz.dll/sp.html#55135
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drs...esearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {44D255E6-2EF4-39C2-21AD-A22CFC343440} - C:\WINDOWS\MSER.DLL
O2 - BHO: Class - {7E895675-8786-0AE8-F4FB-E7CDC57A70B8} - C:\WINDOWS\APPVX32.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [LexmarkPrinTray] PrinTray.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [Win Server Updt] C:\WINDOWS\wupdt.exe
O4 - HKLM\..\Run: [MSN Messenger] C:\WINDOWS\SYSTEM\msmsgs.exe
O4 - HKLM\..\Run: [IEXPLORE.EXE] C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
O4 - HKLM\..\Run: [JAVAAG.EXE] C:\WINDOWS\JAVAAG.EXE
O4 - HKLM\..\Run: [AntivirusGold] C:\Program Files\AntivirusGold\AntivirusGold.exe /h
O4 - HKLM\..\Run: [CreateCD] C:\PROGRA~1\ADAPTEC\EASYCD~1\CREATECD\CREATECD.EXE -r
O4 - HKLM\..\RunServices: [APIHK32.EXE] C:\WINDOWS\SYSTEM\APIHK32.EXE /s
O4 - HKLM\..\RunServices: [MSYI.EXE] C:\WINDOWS\MSYI.EXE /s
O4 - HKLM\..\RunServices: [MFCQL32.EXE] C:\WINDOWS\MFCQL32.EXE /s
O4 - HKLM\..\RunServices: [JAVAMW32.EXE] C:\WINDOWS\SYSTEM\JAVAMW32.EXE /s
O4 - HKLM\..\RunServices: [IELP32.EXE] C:\WINDOWS\IELP32.EXE /s
O4 - HKLM\..\RunServices: [APPML.EXE] C:\WINDOWS\SYSTEM\APPML.EXE /s
O4 - HKLM\..\RunServices: [IPPP32.EXE] C:\WINDOWS\SYSTEM\IPPP32.EXE /s
O4 - HKLM\..\RunServices: [IPRT.EXE] C:\WINDOWS\IPRT.EXE /s
O4 - HKLM\..\RunServices: [NTYL32.EXE] C:\WINDOWS\SYSTEM\NTYL32.EXE /s
O4 - HKLM\..\RunServices: [NTOK32.EXE] C:\WINDOWS\SYSTEM\NTOK32.EXE /s
O4 - HKLM\..\RunServices: [CRCQ.EXE] C:\WINDOWS\CRCQ.EXE /s
O4 - HKLM\..\RunServices: [MFCYN32.EXE] C:\WINDOWS\SYSTEM\MFCYN32.EXE /s
O4 - HKLM\..\RunServices: [IPWC32.EXE] C:\WINDOWS\IPWC32.EXE /s
O4 - HKLM\..\RunServices: [ADDNE.EXE] C:\WINDOWS\ADDNE.EXE /s
O4 - HKLM\..\RunServices: [JAVAUO.EXE] C:\WINDOWS\JAVAUO.EXE /s
O4 - HKLM\..\RunServices: [NTRJ.EXE] C:\WINDOWS\NTRJ.EXE /s
O4 - HKLM\..\RunServices: [JAVACX32.EXE] C:\WINDOWS\JAVACX32.EXE /s
O4 - HKLM\..\RunServices: [APIIR32.EXE] C:\WINDOWS\SYSTEM\APIIR32.EXE /s
O4 - HKLM\..\RunServices: [WINJQ32.EXE] C:\WINDOWS\SYSTEM\WINJQ32.EXE /s
O4 - HKLM\..\RunServices: [NETST32.EXE] C:\WINDOWS\SYSTEM\NETST32.EXE /s
O4 - HKLM\..\RunServices: [ADDGZ.EXE] C:\WINDOWS\ADDGZ.EXE /s
O4 - HKLM\..\RunServices: [APPOX32.EXE] C:\WINDOWS\SYSTEM\APPOX32.EXE /s
O4 - HKCU\..\Run: [MsnMsgr] "c:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [WindowsFY] C:\BSW.EXE
O4 - HKCU\..\Run: [Intel system tool] C:\WINDOWS\SYSTEM\winnook.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
O4 - Startup: Screen Saver Control.lnk = C:\WINDOWS\FSScrCtl.exe
O4 - Startup: Scour Exchange.lnk = C:\Program Files\Scour Exchange\SX.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Web Rebates - file://C:\PROGRAM FILES\WEB_REBATES\Sy1150\Tp1150\scri1150a.htm
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
O9 - Extra button: Microsoft AntiSpyware helper - {34A54E9A-6A98-45EA-8B73-D8DF6BB515A6} - C:\WINDOWS\SYSTEM\WLDR.DLL
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {34A54E9A-6A98-45EA-8B73-D8DF6BB515A6} - C:\WINDOWS\SYSTEM\WLDR.DLL
O9 - Extra button: Dell Home - {24A6FF20-6412-11D4-A864-602351C10000} - http://www.dellnet.com (file missing) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {34A54E9A-6A98-45EA-8B73-D8DF6BB515A6} - C:\WINDOWS\SYSTEM\WLDR.DLL (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {34A54E9A-6A98-45EA-8B73-D8DF6BB515A6} - C:\WINDOWS\SYSTEM\WLDR.DLL (HKCU)
  • 0

Advertisements


#2
greyknight17

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Is this your antivirus program?

C:\Program Files\AntivirusGold\AntivirusGold.exe


Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order it is mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should 'not' have any open browsers when you are following the procedures below.

Right click on this link -> http://www.bleepingc...g/smitfraud.reg and save that file. Double click on it and click on Yes when it asks you if you want to merge it into the registry. Once that's done, right click on your Desktop and go to Properties. Next go to Desktop tab->Customize Desktop button->Web tab. Uncheck everything listed there. Then delete all the entries listed except for 'My Current Home Page'. Click OK and OK.

Go to Start->-Control Panel->Add or Remove Programs and remove/uninstall the following programs, if found:

Security iGuard
Virtual Maid
Search Maid
Scour Exchange
Web Rebates


Exit Add/Remove Programs.

Go to My Computer->Tools/View->Folder Options->View tab and make sure that 'Show hidden files and folders' (or 'Show all files') is enabled. Also make sure that 'Display the contents of system folders' is checked.

Download KillBox http://www.greyknigh...spy/KillBox.exe. Run KillBox and check the box that says 'End Explorer Shell While Killing File'. Next click on 'Delete on Reboot'. For each of the following files below, check the box that says 'Unregister .dll Before Deleting' if it's not grayed out. Copy the below files and go back to KillBox. Go to File->Paste from Clipboard and then hit the button with red circle with a white X. Confirm to delete and when asked if you want to reboot now, say no:

C:\wp.exe
C:\wp.bmp
C:\bsw.exe
C:\Windows\sites.ini
C:\Windows\popuper.exe
C:\Windows\system32\hhk.dll
C:\Windows\System32\wldr.dll
C:\Windows\System32\helper.exe
C:\Windows\System32\intmon.exe
C:\Windows\System32\shnlog.exe
C:\Windows\System32\intmonp.exe
C:\Windows\System32\msmsgs.exe
C:\Windows\system32\msole32.exe
C:\Windows\system32\ole32vbs.exe
c:\windows\system\apihk32.exe
c:\windows\msyi.exe
c:\windows\mfcql32.exe
c:\windows\system\javamw32.exe
c:\windows\ielp32.exe
c:\windows\system\appml.exe
c:\windows\system\ippp32.exe
c:\windows\iprt.exe
c:\windows\system\ntyl32.exe
c:\windows\system\ntok32.exe
c:\windows\crcq.exe
c:\windows\system\mfcyn32.exe
c:\windows\ipwc32.exe
c:\windows\addne.exe
c:\windows\javauo.exe
c:\windows\ntrj.exe
c:\windows\javacx32.exe
c:\windows\system\apiir32.exe
c:\windows\system\winjq32.exe
c:\windows\system\msmsgs.exe
c:\windows\javaag.exe
c:\windows\system\winnook.exe
c:\program files\scour exchange\sx.exe
c:\program files\scour exchange\
c:\windows\system\winjq32.exe
c:\windows\system\netst32.exe
c:\windows\system\javamw32.exe
c:\windows\ielp32.exe
c:\windows\javauo.exe
c:\windows\addgz.exe
c:\windows\crcq.exe
c:\windows\system\appox32.exe
C:\WINDOWS\MSER.DLL
C:\WINDOWS\APPVX32.DLL
C:\WINDOWS\wupdt.exe
C:\WINDOWS\SYSTEM\msmsgs.exe
C:\WINDOWS\JAVAAG.EXE
C:\WINDOWS\SYSTEM\APIHK32.EXE
C:\WINDOWS\MSYI.EXE
C:\WINDOWS\MFCQL32.EXE
C:\WINDOWS\SYSTEM\JAVAMW32.EXE
C:\WINDOWS\IELP32.EXE
C:\WINDOWS\SYSTEM\APPML.EXE
C:\WINDOWS\SYSTEM\IPPP32.EXE
C:\WINDOWS\IPRT.EXE
C:\WINDOWS\SYSTEM\NTYL32.EXE
C:\WINDOWS\SYSTEM\NTOK32.EXE
C:\WINDOWS\CRCQ.EXE
C:\WINDOWS\SYSTEM\MFCYN32.EXE
C:\WINDOWS\IPWC32.EXE
C:\WINDOWS\ADDNE.EXE
C:\WINDOWS\JAVAUO.EXE
C:\WINDOWS\NTRJ.EXE
C:\WINDOWS\JAVACX32.EXE
C:\WINDOWS\SYSTEM\APIIR32.EXE
C:\WINDOWS\SYSTEM\WINJQ32.EXE
C:\WINDOWS\SYSTEM\NETST32.EXE
C:\WINDOWS\ADDGZ.EXE
C:\WINDOWS\SYSTEM\APPOX32.EXE
C:\PROGRAM FILES\WEB_REBATES\


Download AboutBuster http://www.greyknigh...AboutBuster.zip and unzip it to a folder on your the Desktop. Run AboutBuster and click OK. Click Update and then Check For Update to see if there are any updates. Close the program now.

Restart your computer and boot into Safe Mode by hitting the F8 key repeatedly until a menu shows up (and choose Safe Mode from the list). In some systems, this may be the F5 key, so try that if F8 doesn't work.

Run AboutBuster and click OK. Click Start->OK and then follow the rest of the prompts to scan (choose Yes/OK for all). It will ask you if you want a second scan, choose Yes. Save the log file and post it here.

Delete these folders if they exist:

C:\Program Files\Search Maid\
C:\Program Files\Virtual Maid\
C:\Windows\System32\Log Files\
C:\Program Files\Security iGuard\
C:\PROGRAM FILES\WEB_REBATES\


Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any):

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system\bfikz.dll/sp.html#55135
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system\bfikz.dll/sp.html#55135
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system\bfikz.dll/sp.html#55135
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system\bfikz.dll/sp.html#55135
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system\bfikz.dll/sp.html#55135
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system\bfikz.dll/sp.html#55135
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system\bfikz.dll/sp.html#55135
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drs...esearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {44D255E6-2EF4-39C2-21AD-A22CFC343440} - C:\WINDOWS\MSER.DLL
O2 - BHO: Class - {7E895675-8786-0AE8-F4FB-E7CDC57A70B8} - C:\WINDOWS\APPVX32.DLL
O4 - HKLM\..\Run: [Win Server Updt] C:\WINDOWS\wupdt.exe
O4 - HKLM\..\Run: [MSN Messenger] C:\WINDOWS\SYSTEM\msmsgs.exe
O4 - HKLM\..\Run: [IEXPLORE.EXE] C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
O4 - HKLM\..\Run: [JAVAAG.EXE] C:\WINDOWS\JAVAAG.EXE
O4 - HKLM\..\Run: [AntivirusGold] C:\Program Files\AntivirusGold\AntivirusGold.exe /h
O4 - HKLM\..\RunServices: [APIHK32.EXE] C:\WINDOWS\SYSTEM\APIHK32.EXE /s
O4 - HKLM\..\RunServices: [MSYI.EXE] C:\WINDOWS\MSYI.EXE /s
O4 - HKLM\..\RunServices: [MFCQL32.EXE] C:\WINDOWS\MFCQL32.EXE /s
O4 - HKLM\..\RunServices: [JAVAMW32.EXE] C:\WINDOWS\SYSTEM\JAVAMW32.EXE /s
O4 - HKLM\..\RunServices: [IELP32.EXE] C:\WINDOWS\IELP32.EXE /s
O4 - HKLM\..\RunServices: [APPML.EXE] C:\WINDOWS\SYSTEM\APPML.EXE /s
O4 - HKLM\..\RunServices: [IPPP32.EXE] C:\WINDOWS\SYSTEM\IPPP32.EXE /s
O4 - HKLM\..\RunServices: [IPRT.EXE] C:\WINDOWS\IPRT.EXE /s
O4 - HKLM\..\RunServices: [NTYL32.EXE] C:\WINDOWS\SYSTEM\NTYL32.EXE /s
O4 - HKLM\..\RunServices: [NTOK32.EXE] C:\WINDOWS\SYSTEM\NTOK32.EXE /s
O4 - HKLM\..\RunServices: [CRCQ.EXE] C:\WINDOWS\CRCQ.EXE /s
O4 - HKLM\..\RunServices: [MFCYN32.EXE] C:\WINDOWS\SYSTEM\MFCYN32.EXE /s
O4 - HKLM\..\RunServices: [IPWC32.EXE] C:\WINDOWS\IPWC32.EXE /s
O4 - HKLM\..\RunServices: [ADDNE.EXE] C:\WINDOWS\ADDNE.EXE /s
O4 - HKLM\..\RunServices: [JAVAUO.EXE] C:\WINDOWS\JAVAUO.EXE /s
O4 - HKLM\..\RunServices: [NTRJ.EXE] C:\WINDOWS\NTRJ.EXE /s
O4 - HKLM\..\RunServices: [JAVACX32.EXE] C:\WINDOWS\JAVACX32.EXE /s
O4 - HKLM\..\RunServices: [APIIR32.EXE] C:\WINDOWS\SYSTEM\APIIR32.EXE /s
O4 - HKLM\..\RunServices: [WINJQ32.EXE] C:\WINDOWS\SYSTEM\WINJQ32.EXE /s
O4 - HKLM\..\RunServices: [NETST32.EXE] C:\WINDOWS\SYSTEM\NETST32.EXE /s
O4 - HKLM\..\RunServices: [ADDGZ.EXE] C:\WINDOWS\ADDGZ.EXE /s
O4 - HKLM\..\RunServices: [APPOX32.EXE] C:\WINDOWS\SYSTEM\APPOX32.EXE /s
O4 - HKCU\..\Run: [WindowsFY] C:\BSW.EXE
O4 - HKCU\..\Run: [Intel system tool] C:\WINDOWS\SYSTEM\winnook.exe
O4 - Startup: Scour Exchange.lnk = C:\Program Files\Scour Exchange\SX.exe
O8 - Extra context menu item: Web Rebates - file://C:\PROGRAM FILES\WEB_REBATES\Sy1150\Tp1150\scri1150a.htm
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Microsoft AntiSpyware helper - {34A54E9A-6A98-45EA-8B73-D8DF6BB515A6} - C:\WINDOWS\SYSTEM\WLDR.DLL
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {34A54E9A-6A98-45EA-8B73-D8DF6BB515A6} - C:\WINDOWS\SYSTEM\WLDR.DLL
O9 - Extra button: Microsoft AntiSpyware helper - {34A54E9A-6A98-45EA-8B73-D8DF6BB515A6} - C:\WINDOWS\SYSTEM\WLDR.DLL (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {34A54E9A-6A98-45EA-8B73-D8DF6BB515A6} - C:\WINDOWS\SYSTEM\WLDR.DLL (HKCU)


Close HijackThis.

Restart your computer.

1. Download Hoster http://www.greyknigh.../spy/Hoster.exe and run it. Choose the 'Restore Original Hosts' button and press OK. Close the program.

2. Right click on this link -> http://mvps.org/winh.../DelDomains.inf and select Save As to download WinHelp2002's DelDomains.inf. Save the file to the Desktop. To run the inf file, right click on it and select Install. Note: This will remove all entries in the 'Trusted Zone' and 'Ranges' also.

3. The Temp folders should be cleaned out periodically as installation programs and hijack programs leave a lot of junk there. Download CleanUp! http://cleanup.stevengould.org/ (Alternate Link if main link don't work - http://www.greyknigh...spy/Cleanup.exe ) and install it. Run CleanUp! and click on CleanUp! button. When it asks you if you want to logoff, click on Yes.

4. Run an online scan at http://www.pandasoft...com/activescan/ and save the results from the scan!

Restart and post a new HijackThis log along with the results from ActiveScan.
  • 0

#3
deimbt

deimbt

    New Member

  • Topic Starter
  • Member
  • Pip
  • 9 posts
Mr. Greyknight,

I really don't have an antivirus program..I had just downloaded it arbitrarily
  • 0

#4
deimbt

deimbt

    New Member

  • Topic Starter
  • Member
  • Pip
  • 9 posts
:tazz: Logfile of HijackThis v1.99.1
Scan saved at 2:13:52 AM, on 5/25/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\NETEI32.EXE
C:\WINDOWS\MSMK32.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\JAVAAG.EXE
C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\WORKS SHARED\WKCALREM.EXE
C:\WINDOWS\FSSCRCTL.EXE
C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
C:\WINDOWS\MSMK32.EXE
C:\WINDOWS\NETEI32.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\pvfrw.dll/sp.html#55135
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\pvfrw.dll/sp.html#55135
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\pvfrw.dll/sp.html#55135
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\pvfrw.dll/sp.html#55135
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\pvfrw.dll/sp.html#55135
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\pvfrw.dll/sp.html#55135
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\pvfrw.dll/sp.html#55135
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {8AE8A170-3113-8C93-CBCE-6EBAC7413F23} - C:\WINDOWS\SYSTEM\ADDLL.DLL
O4 - HKLM\..\Run: [JAVAAG.EXE] C:\WINDOWS\JAVAAG.EXE
O4 - HKLM\..\RunServices: [NETEI32.EXE] C:\WINDOWS\NETEI32.EXE /s
O4 - HKLM\..\RunServices: [MSMK32.EXE] C:\WINDOWS\MSMK32.EXE /s
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
O4 - Startup: Screen Saver Control.lnk = C:\WINDOWS\FSScrCtl.exe
O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
O9 - Extra button: Dell Home - {24A6FF20-6412-11D4-A864-602351C10000} - http://www.dellnet.com (file missing) (HKCU)
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab

Here are the results of the PANDA:

Incident Status Location

Virus:Trj/Downloader.BSU Disinfected Operating system
Adware:Adware/Startpage.AS No disinfected C:\WINDOWS\JAVAAG.EXE
Adware:Adware/CWS.Aboutblank No disinfected C:\WINDOWS\NETEI32.EXE
Virus:Trj/Downloader.BSU Disinfected Operating system
Adware:Adware/Gator No disinfected Windows Registry
Spyware:Spyware/BetterInet No disinfected C:\WINDOWS\CERES.DLL
Adware:Adware/FunWeb No disinfected Windows Registry
Adware:Adware/SearchAid No disinfected C:\windows\favorites\Only sex website.url
Adware:Adware/IPInsight No disinfected C:\WINDOWS\alchem.???
Adware:Adware/DealHelper No disinfected C:\WINDOWS\SYSTEM\dhp?.dll
Adware:Adware/IEPlugin No disinfected C:\WINDOWS\systb.dll
Adware:Adware/Twain-Tech No disinfected C:\WINDOWS\SYSTEM\polall1m.exe
Adware:Adware/WUpd No disinfected C:\Program Files\ErrorGuard
Adware:Adware/MyWebSearch No disinfected Windows Registry
Adware:Adware/BTGrab No disinfected C:\WINDOWS\BTGrab.dll
Spyware:Spyware/Petro-Line No disinfected C:\windows\favorites\Sites about\Ab scissor.url
Adware:Adware/CWS.Aboutblank No disinfected Windows Registry
Adware:Adware/Adsmart No disinfected C:\WINDOWS\sys????.exe
Adware:Adware/BootPorn No disinfected C:\BOOT.EXE
Adware:Adware/IGuard No disinfected C:\WINDOWS\SYSTEM\wldr.dll
Adware:Adware/Spywad No disinfected C:\WINDOWS\DESKTOP.HTML
Adware:Adware/BlueScreenWarningNo disinfected Windows Registry
Virus:Trj/Downloader.CFJ Disinfected Operating system
Adware:Adware/Popuper No disinfected C:\WINDOWS\SYSTEM\intmonp.exe
Adware:Adware/DealHelper No disinfected C:\WINDOWS\SYSTEM\DHPE.DLL
Adware:Adware/Transponder No disinfected C:\WINDOWS\SYSTEM\POLALL1M.EXE
Adware:Adware/Transponder No disinfected C:\WINDOWS\SYSTEM\shmkluuv.exe
Virus:Trj/Downloader.BSU Disinfected C:\WINDOWS\SYSTEM\apihk32.exe
Virus:Trj/Downloader.CFJ Disinfected C:\WINDOWS\SYSTEM\ciaa.dll
Adware:Adware/CWS.Aboutblank No disinfected C:\WINDOWS\SYSTEM\javamw32.exe
Adware:Adware/Startpage.VQ No disinfected C:\WINDOWS\SYSTEM\ttvju.dll
Adware:Adware/Popuper No disinfected C:\WINDOWS\SYSTEM\msmsgs.exe
Adware:Adware/Virmaid No disinfected C:\WINDOWS\SYSTEM\LogFiles\T54152130.so
Adware:Adware/Gogotools No disinfected C:\WINDOWS\SYSTEM\shnlog.exe
Adware:Adware/Popuper No disinfected C:\WINDOWS\SYSTEM\msole32.exe
Virus:Trj/Puper.A Disinfected C:\WINDOWS\SYSTEM\intmonp.exe
Adware:Adware/BlueScreenWarningNo disinfected C:\WINDOWS\SYSTEM\wldr.dll
Virus:Trj/Downloader.BSU Disinfected C:\WINDOWS\SYSTEM\appml.exe
Virus:Trj/Downloader.BSU Disinfected C:\WINDOWS\SYSTEM\ippp32.exe
Virus:Trj/Downloader.BSU Disinfected C:\WINDOWS\SYSTEM\ntyl32.exe
Adware:Adware/Startpage.AS No disinfected C:\WINDOWS\SYSTEM\atldg.exe
Adware:Adware/Startpage.VQ No disinfected C:\WINDOWS\SYSTEM\cufab.dll
Virus:Trj/Downloader.BSU Disinfected C:\WINDOWS\SYSTEM\ntok32.exe
Adware:Adware/Startpage.VQ No disinfected C:\WINDOWS\SYSTEM\dmxff.dll
Adware:Adware/Startpage.VQ No disinfected C:\WINDOWS\SYSTEM\bfikz.dll
Adware:Adware/Startpage.AS No disinfected C:\WINDOWS\SYSTEM\netik32.exe
Adware:Adware/Startpage.VQ No disinfected C:\WINDOWS\SYSTEM\wuojw.dll
Virus:Trj/Downloader.BSU Disinfected C:\WINDOWS\SYSTEM\mfcyn32.exe
Adware:Adware/Startpage.VQ No disinfected C:\WINDOWS\SYSTEM\ubtya.dll
Adware:Adware/Startpage.VQ No disinfected C:\WINDOWS\SYSTEM\eokkl.dll
Adware:Adware/Startpage.VQ No disinfected C:\WINDOWS\SYSTEM\wenyr.dll
Virus:Trj/Downloader.BSU Disinfected C:\WINDOWS\SYSTEM\apiir32.exe
Virus:Trj/Downloader.BSU Disinfected C:\WINDOWS\SYSTEM\winjq32.exe
Virus:Trj/Downloader.BSU Disinfected C:\WINDOWS\SYSTEM\netst32.exe
Virus:Trj/Downloader.BSU Disinfected C:\WINDOWS\SYSTEM\appox32.exe
Adware:Adware/Startpage.VQ No disinfected C:\WINDOWS\SYSTEM\rkcip.dll
Virus:Trj/Downloader.BSU Disinfected C:\WINDOWS\SYSTEM\sysva32.exe
Adware:Adware/Startpage.VQ No disinfected C:\WINDOWS\SYSTEM\aeqct.dll
Virus:Trj/Downloader.BSU Disinfected C:\WINDOWS\SYSTEM\addgq32.exe
Virus:Trj/Downloader.BSU Disinfected C:\WINDOWS\SYSTEM\syshl.exe
Virus:Trj/Downloader.BSU Disinfected C:\WINDOWS\SYSTEM\appir32.exe
Virus:Trj/Downloader.BSU Disinfected C:\WINDOWS\SYSTEM\winym.exe
Virus:Trj/Downloader.BSU Disinfected C:\WINDOWS\SYSTEM\javahe32.exe
Adware:Adware/BTGrab No disinfected C:\WINDOWS\BTGRAB.DLL
Adware:Adware/Transponder No disinfected C:\WINDOWS\INF\CERES.INF
Adware:Adware/Twain-Tech No disinfected C:\WINDOWS\INF\TWAINTEC.INF
Adware:Adware/IPInsight No disinfected C:\WINDOWS\INF\ALCHEM.INF
Adware:Adware/BTGrab No disinfected C:\WINDOWS\INF\BTGRAB.INF
Spyware:Spyware/BetterInet No disinfected C:\WINDOWS\SYSTEM32\stmtreco.exe
Spyware:Spyware/BetterInet No disinfected C:\WINDOWS\SYSTEM32\randreco.exe
Spyware:Spyware/BetterInet No disinfected C:\WINDOWS\SYSTEM32\tt_reco.exe
Adware:Adware/Adsmart No disinfected C:\WINDOWS\SYSMON.EXE
Spyware:Spyware/BetterInet No disinfected C:\WINDOWS\CERES.DLL
Adware:Adware/IWon No disinfected C:\WINDOWS\Desktop\backups\backup-20050524-215350-811.inf
Spyware:Spyware/Petro-Line No disinfected C:\WINDOWS\Favorites\Sites about\Credit counseling.url
Spyware:Spyware/Petro-Line No disinfected C:\WINDOWS\Favorites\Sites about\Insurance home.url
Spyware:Spyware/Petro-Line No disinfected C:\WINDOWS\Favorites\Sites about\Mortgage life insurance.url
Spyware:Spyware/Petro-Line No disinfected C:\WINDOWS\Favorites\Sites about\Help desk software.url
Spyware:Spyware/Petro-Line No disinfected C:\WINDOWS\Favorites\Sites about\Ab scissor.url
Spyware:Spyware/Petro-Line No disinfected C:\WINDOWS\Favorites\Sites about\Videos.url
Spyware:Spyware/Petro-Line No disinfected C:\WINDOWS\Favorites\Sites about\What is hydrocodone.url
Spyware:Spyware/Petro-Line No disinfected C:\WINDOWS\Favorites\Sites about\Online gambling casino.url
Spyware:Spyware/Petro-Line No disinfected C:\WINDOWS\Favorites\Sites about\Refinancing my mortgage.url
Spyware:Spyware/Petro-Line No disinfected C:\WINDOWS\Favorites\Sites about\Debt credit card.url
Spyware:Spyware/Petro-Line No disinfected C:\WINDOWS\Favorites\Sites about\Fha.url
Spyware:Spyware/Petro-Line No disinfected C:\WINDOWS\Favorites\Sites about\Loan for debt consolidation.url
Spyware:Spyware/Petro-Line No disinfected C:\WINDOWS\Favorites\Sites about\Health insurance.url
Spyware:Spyware/Petro-Line No disinfected C:\WINDOWS\Favorites\Sites about\Personal loans online.url
Spyware:Spyware/Petro-Line No disinfected C:\WINDOWS\Favorites\Sites about\Payroll advance.url
Spyware:Spyware/Petro-Line No disinfected C:\WINDOWS\Favorites\Sites about\Marketing email.url
Spyware:Spyware/Petro-Line No disinfected C:\WINDOWS\Favorites\Sites about\Prescription Drugs Rx Online.url
Spyware:Spyware/Petro-Line No disinfected C:\WINDOWS\Favorites\Sites about\Credit report.url
Spyware:Spyware/Petro-Line No disinfected C:\WINDOWS\Favorites\Sites about\Tahoe vacation rental.url
Spyware:Spyware/Petro-Line No disinfected C:\WINDOWS\Favorites\Sites about\Escorts.url
Spyware:Spyware/Petro-Line No disinfected C:\WINDOWS\Favorites\Sites about\Order phentermine.url
Spyware:Spyware/Petro-Line No disinfected C:\WINDOWS\Favorites\Sites about\Mortgage insurance.url
Spyware:Spyware/Petro-Line No disinfected C:\WINDOWS\Favorites\Sites about\Personal loans with bad credit.url
Spyware:Spyware/Petro-Line No disinfected C:\WINDOWS\Favorites\Sites about\Crm software.url
Spyware:Spyware/Petro-Line No disinfected C:\WINDOWS\Favorites\Sites about\Nevada corporations.url
Spyware:Spyware/Petro-Line No disinfected C:\WINDOWS\Favorites\Sites about\Unsecured bad credit loans.url
Spyware:Spyware/Petro-Line No disinfected C:\WINDOWS\Favorites\Sites about\Loan for people with bad credit.url
Spyware:Spyware/Petro-Line No disinfected C:\WINDOWS\Favorites\Sites about\Broadband comparison.url
Spyware:Spyware/Petro-Line No disinfected C:\WINDOWS\Favorites\Sites about\Online Betting Site.url
Spyware:Spyware/Petro-Line No disinfected C:\WINDOWS\Favorites\Sites about\Online instant loan.url
Adware:Adware/SearchAid No disinfected C:\WINDOWS\Favorites\Search the web.url
Adware:Adware/SearchAid No disinfected C:\WINDOWS\Favorites\Only sex website.url
Adware:Adware/SearchAid No disinfected C:\WINDOWS\Favorites\Seven days of free [bleep].url
Adware:Adware/Gator No disinfected C:\WINDOWS\Downloaded Program Files\HDPlugin1018.dll
Adware:Adware/Gator No disinfected C:\WINDOWS\Downloaded Program Files\HDPlugin1019.dll
Adware:Adware/IPInsight No disinfected C:\WINDOWS\ALCHEM.INI
Adware:Adware/IPInsight No disinfected C:\WINDOWS\SATMAT.INI
Adware:Adware/Gator No disinfected C:\WINDOWS\GatorHDPlugin.log
Adware:Adware/Transponder No disinfected C:\WINDOWS\POLMX.EXE
Virus:Trj/Downloader.OU Disinfected C:\WINDOWS\wupdt.exe
Adware:Adware/IPInsight No disinfected C:\WINDOWS\ALCHEM.EXE
Adware:Adware/Imibar No disinfected C:\WINDOWS\systb.dll
Virus:Trj/Imiserv.D Disinfected C:\WINDOWS\systb.exe
Adware:Adware/Twain-Tech No disinfected C:\WINDOWS\TWAINTEC.DLL
Adware:Adware/Gator No disinfected C:\WINDOWS\GatorHDPlugin.log-old.log
Virus:Trj/Imiserv.D Disinfected C:\WINDOWS\enhupdt.exe
Adware:Adware/IPInsight No disinfected C:\WINDOWS\SATMAT.EXE
Adware:Adware/Startpage.VQ No disinfected C:\WINDOWS\lxagu.dll
Adware:Adware/Startpage.AS No disinfected C:\WINDOWS\javaag.exe
Adware:Adware/Startpage.AS No disinfected C:\WINDOWS\mryamm.dat
Adware:Adware/Startpage.VQ No disinfected C:\WINDOWS\rbqzrh.log
Spyware:Spyware/BetterInet No disinfected C:\WINDOWS\Buddy.exe
Adware:Adware/CWS.Aboutblank No disinfected C:\WINDOWS\msyi.exe
Adware:Adware/CWS.Aboutblank No disinfected C:\WINDOWS\mfcql32.exe
Adware:Adware/Spywad No disinfected C:\WINDOWS\desktop.html
Adware:Adware/Startpage.VQ No disinfected C:\WINDOWS\snuir.dll
Adware:Adware/Startpage.VQ No disinfected C:\WINDOWS\qwtyxl.dat
Adware:Adware/Startpage.VQ No disinfected C:\WINDOWS\pakedh.txt
Adware:Adware/Startpage.VQ No disinfected C:\WINDOWS\zxqjz.dll
Virus:Trj/Downloader.BSU Disinfected C:\WINDOWS\ielp32.exe
Adware:Adware/Startpage.VQ No disinfected C:\WINDOWS\nqahf.dll
Adware:Adware/Startpage.VQ No disinfected C:\WINDOWS\bwdhap.log
Adware:Adware/Startpage.VQ No disinfected C:\WINDOWS\gvamo.dll
Adware:Adware/Startpage.AS No disinfected C:\WINDOWS\hehqyv.dat
Adware:Adware/Startpage.VQ No disinfected C:\WINDOWS\uuvfil.log
Virus:Trj/Downloader.BSU Disinfected C:\WINDOWS\iprt.exe
Adware:Adware/Startpage.VQ No disinfected C:\WINDOWS\vsdgf.dll
Adware:Adware/Startpage.VQ No disinfected C:\WINDOWS\juohpm.log
Adware:Adware/Startpage.VQ No disinfected C:\WINDOWS\nmggxl.dat
Adware:Adware/Startpage.VQ No disinfected C:\WINDOWS\jqzgi.dll
Adware:Adware/Startpage.AS No disinfected C:\WINDOWS\ntmi32.exe
Virus:Trj/Downloader.BSU Disinfected C:\WINDOWS\crcq.exe
Adware:Adware/Startpage.VQ No disinfected C:\WINDOWS\dqowks.dat
Virus:Trj/Downloader.BSU Disinfected C:\WINDOWS\ipwc32.exe
Virus:Trj/Downloader.BSU Disinfected C:\WINDOWS\addne.exe
Adware:Adware/Startpage.AS No disinfected C:\WINDOWS\oehtwk.dat
Virus:Trj/Downloader.BSU Disinfected C:\WINDOWS\javauo.exe
Virus:Trj/Downloader.BSU Disinfected C:\WINDOWS\ntrj.exe
Adware:Adware/Startpage.AS No disinfected C:\WINDOWS\owawyk.dat
Adware:Adware/Startpage.VQ No disinfected C:\WINDOWS\rdjji.dll
Virus:Trj/Downloader.BSU Disinfected C:\WINDOWS\javacx32.exe
Adware:Adware/Startpage.AS No disinfected C:\WINDOWS\ztsffy.dat
Adware:Adware/Startpage.VQ No disinfected C:\WINDOWS\qqpre.dll
Adware:Adware/Startpage.AS No disinfected C:\WINDOWS\cnhpyq.dat
Virus:Trj/Downloader.BSU Disinfected C:\WINDOWS\addgz.exe
Adware:Adware/Startpage.AS No disinfected C:\WINDOWS\axmtet.dat
Adware:Adware/Startpage.AS No disinfected C:\WINDOWS\kyantd.dat
Adware:Adware/Startpage.VQ No disinfected C:\WINDOWS\mgvjpj.log
Adware:Adware/Startpage.AS No disinfected C:\WINDOWS\xkkoqc.dat
Adware:Adware/Startpage.VQ No disinfected C:\WINDOWS\haezn.dll
Adware:Adware/Startpage.VQ No disinfected C:\WINDOWS\kbmhzp.log
Virus:Trj/Downloader.BSU Disinfected C:\WINDOWS\syseh32.exe
Adware:Adware/Startpage.AS No disinfected C:\WINDOWS\pgjpup.dat
Adware:Adware/Startpage.AS No disinfected C:\WINDOWS\wtswpw.dat
Virus:Trj/Downloader.BSU Disinfected C:\WINDOWS\apiiy.exe
Adware:Adware/Startpage.AS No disinfected C:\WINDOWS\gvamou.dat
Virus:Trj/Downloader.BSU Disinfected C:\WINDOWS\javatx32.exe
Adware:Adware/Startpage.AS No disinfected C:\WINDOWS\vpaher.dat
Adware:Adware/Startpage.AS No disinfected C:\WINDOWS\uscnne.dat
Virus:Trj/Downloader.BSU Disinfected C:\WINDOWS\apibd.exe
Adware:Adware/Startpage.AS No disinfected C:\WINDOWS\wdwcbp.dat
Virus:Trj/Downloader.BSU Disinfected C:\WINDOWS\apptj.exe
Adware:Adware/Startpage.AS No disinfected C:\WINDOWS\hhyzyl.dat
Adware:Adware/Adsmart No disinfected C:\WINDOWS\syszv32.exe
Virus:Trj/Downloader.BSU Disinfected C:\WINDOWS\javaex32.exe
Adware:Adware/Startpage.AS No disinfected C:\WINDOWS\wvtzlc.dat
Virus:Trj/Downloader.BSU Disinfected C:\WINDOWS\netib.exe
Virus:Trj/Downloader.BSU Disinfected C:\WINDOWS\crrx32.exe
  • 0

#5
greyknight17

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order it is mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should 'not' have any open browsers when you are following the procedures below.

Restart your computer and boot into Safe Mode by hitting the F8 key repeatedly until a menu shows up (and choose Safe Mode from the list). In some systems, this may be the F5 key, so try that if F8 doesn't work. Make sure to close any open browsers. Uninstall the following via the Add/Remove Panel (Start->(Settings)->Control Panel->Add/Remove Programs) if they exist:

Antivirus Gold - I can't find much information on this, so remove it. Install Grisoft AVG instead.

Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any):

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\pvfrw.dll/sp.html#55135
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\pvfrw.dll/sp.html#55135
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\pvfrw.dll/sp.html#55135
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\pvfrw.dll/sp.html#55135
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\pvfrw.dll/sp.html#55135
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\pvfrw.dll/sp.html#55135
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\pvfrw.dll/sp.html#55135
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {8AE8A170-3113-8C93-CBCE-6EBAC7413F23} - C:\WINDOWS\SYSTEM\ADDLL.DLL
O4 - HKLM\..\Run: [JAVAAG.EXE] C:\WINDOWS\JAVAAG.EXE
O4 - HKLM\..\RunServices: [NETEI32.EXE] C:\WINDOWS\NETEI32.EXE /s
O4 - HKLM\..\RunServices: [MSMK32.EXE] C:\WINDOWS\MSMK32.EXE /s

Run AboutBuster and click OK. Click Start->OK and then follow the rest of the prompts to scan (choose Yes/OK for all). It will ask you if you want a second scan, choose Yes. Save the log file and post it here.

Delete the following Files/Folders (delete folders if no filename is specified) according to their directory (if none, just do a search for them) and delete them if they exist:

C:\WINDOWS\NETEI32.EXE
C:\WINDOWS\MSMK32.EXE
C:\WINDOWS\JAVAAG.EXE
C:\WINDOWS\MSMK32.EXE
C:\WINDOWS\NETEI32.EXE
C:\WINDOWS\SYSTEM\ADDLL.DLL
C:\WINDOWS\Favorites\Sites about\


Restart and run a new HijackThis scan. Save the log file and post it here.

Also run a new Panda scan and post the report here.
  • 0

#6
deimbt

deimbt

    New Member

  • Topic Starter
  • Member
  • Pip
  • 9 posts
Logfile of HijackThis v1.99.1
Scan saved at 9:42:01 PM, on 5/25/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MFCOJ32.EXE
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\WORKS SHARED\WKCALREM.EXE
C:\WINDOWS\FSSCRCTL.EXE
C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
C:\WINDOWS\APPVW.EXE
C:\WINDOWS\SYSTEM\CRSU.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\ADDLH32.EXE
C:\WINDOWS\SYSTEM\ADDLH32.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system\mnfsv.dll/sp.html#55135
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system\mnfsv.dll/sp.html#55135
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system\mnfsv.dll/sp.html#55135
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system\mnfsv.dll/sp.html#55135
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system\mnfsv.dll/sp.html#55135
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system\mnfsv.dll/sp.html#55135
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system\mnfsv.dll/sp.html#55135
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {7FF2353E-A005-88D1-9A8F-F3F164543390} - C:\WINDOWS\SYSTEM\ADDCY32.DLL
O4 - HKLM\..\Run: [CRSU.EXE] C:\WINDOWS\SYSTEM\CRSU.EXE
O4 - HKLM\..\RunServices: [MFCOJ32.EXE] C:\WINDOWS\SYSTEM\MFCOJ32.EXE /s
O4 - HKLM\..\RunServices: [APPVW.EXE] C:\WINDOWS\APPVW.EXE /s
O4 - HKLM\..\RunServices: [ADDLH32.EXE] C:\WINDOWS\SYSTEM\ADDLH32.EXE /s
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
O4 - Startup: Screen Saver Control.lnk = C:\WINDOWS\FSScrCtl.exe
O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
O9 - Extra button: Dell Home - {24A6FF20-6412-11D4-A864-602351C10000} - http://www.dellnet.com (file missing) (HKCU)
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab



Panda

Incident Status Location

Adware:Adware/CWS.Aboutblank No disinfected C:\WINDOWS\SYSTEM\MFCOJ32.EXE
Virus:Trj/Downloader.BSU Disinfected Operating system
Adware:Adware/CWS.Aboutblank No disinfected C:\WINDOWS\APPVW.EXE
Virus:Trj/Downloader.BSU Disinfected Operating system
Adware:Adware/Startpage.AS No disinfected C:\WINDOWS\SYSTEM\CRSU.EXE
Virus:Trj/Downloader.BSU Disinfected Operating system
Adware:Adware/Gator No disinfected Windows Registry
Spyware:Spyware/BetterInet No disinfected C:\WINDOWS\CERES.DLL
Adware:Adware/FunWeb No disinfected Windows Registry
Adware:Adware/SearchAid No disinfected C:\windows\favorites\Only sex website.url
Adware:Adware/IPInsight No disinfected C:\WINDOWS\alchem.???
Adware:Adware/DealHelper No disinfected C:\WINDOWS\SYSTEM\dhp?.dll
Adware:Adware/IEPlugin No disinfected C:\WINDOWS\systb.dll
Adware:Adware/Twain-Tech No disinfected C:\WINDOWS\SYSTEM\polall1m.exe
Adware:Adware/WUpd No disinfected C:\Program Files\ErrorGuard
Adware:Adware/MyWebSearch No disinfected Windows Registry
Adware:Adware/BTGrab No disinfected C:\WINDOWS\BTGrab.dll
Spyware:Spyware/Petro-Line No disinfected C:\windows\favorites\Sites about\Ab scissor.url
Adware:Adware/Transponder No disinfected Windows Registry
Adware:Adware/Adsmart No disinfected C:\WINDOWS\sys????.exe
Adware:Adware/BootPorn No disinfected C:\BOOT.EXE
Adware:Adware/IGuard No disinfected C:\WINDOWS\SYSTEM\wldr.dll
Adware:Adware/Spywad No disinfected C:\WINDOWS\DESKTOP.HTML
Adware:Adware/BlueScreenWarningNo disinfected Windows Registry
Adware:Adware/Popuper No disinfected C:\WINDOWS\SYSTEM\msole32.exe
Adware:Adware/DealHelper No disinfected C:\WINDOWS\SYSTEM\DHPE.DLL
Adware:Adware/Transponder No disinfected C:\WINDOWS\SYSTEM\POLALL1M.EXE
Adware:Adware/Transponder No disinfected C:\WINDOWS\SYSTEM\shmkluuv.exe
Adware:Adware/CWS.Aboutblank No disinfected C:\WINDOWS\SYSTEM\mfcoj32.exe
Adware:Adware/CWS.Aboutblank No disinfected C:\WINDOWS\SYSTEM\javamw32.exe
Adware:Adware/Startpage.VQ No disinfected C:\WINDOWS\SYSTEM\ttvju.dll
Adware:Adware/Popuper No disinfected C:\WINDOWS\SYSTEM\msmsgs.exe
Adware:Adware/Virmaid No disinfected C:\WINDOWS\SYSTEM\LogFiles\T54152130.so
Adware:Adware/Gogotools No disinfected C:\WINDOWS\SYSTEM\shnlog.exe
Adware:Adware/Popuper No disinfected C:\WINDOWS\SYSTEM\msole32.exe
Adware:Adware/BlueScreenWarningNo disinfected C:\WINDOWS\SYSTEM\wldr.dll
Adware:Adware/Startpage.AS No disinfected C:\WINDOWS\SYSTEM\atldg.exe
Adware:Adware/Startpage.VQ No disinfected C:\WINDOWS\SYSTEM\cufab.dll
Adware:Adware/Startpage.VQ No disinfected C:\WINDOWS\SYSTEM\dmxff.dll
Adware:Adware/Startpage.VQ No disinfected C:\WINDOWS\SYSTEM\bfikz.dll
Adware:Adware/Startpage.AS No disinfected C:\WINDOWS\SYSTEM\netik32.exe
Adware:Adware/Startpage.VQ No disinfected C:\WINDOWS\SYSTEM\wuojw.dll
Adware:Adware/Startpage.VQ No disinfected C:\WINDOWS\SYSTEM\ubtya.dll
Adware:Adware/Startpage.VQ No disinfected C:\WINDOWS\SYSTEM\eokkl.dll
Adware:Adware/Startpage.VQ No disinfected C:\WINDOWS\SYSTEM\wenyr.dll
Adware:Adware/Startpage.VQ No disinfected C:\WINDOWS\SYSTEM\rkcip.dll
Adware:Adware/Startpage.VQ No disinfected C:\WINDOWS\SYSTEM\aeqct.dll
Adware:Adware/Startpage.VQ No disinfected C:\WINDOWS\SYSTEM\mnfsv.dll
Adware:Adware/Startpage.AS No disinfected C:\WINDOWS\SYSTEM\crsu.exe
Adware:Adware/Startpage.AS No disinfected C:\WINDOWS\SYSTEM\sysic32.exe
Adware:Adware/Startpage.AS No disinfected C:\WINDOWS\SYSTEM\addsp.exe
Adware:Adware/BTGrab No disinfected C:\WINDOWS\BTGRAB.DLL
Adware:Adware/Transponder No disinfected C:\WINDOWS\INF\CERES.INF
Adware:Adware/Twain-Tech No disinfected C:\WINDOWS\INF\TWAINTEC.INF
Adware:Adware/IPInsight No disinfected C:\WINDOWS\INF\ALCHEM.INF
Adware:Adware/BTGrab No disinfected C:\WINDOWS\INF\BTGRAB.INF
Spyware:Spyware/BetterInet No disinfected C:\WINDOWS\SYSTEM32\stmtreco.exe
Spyware:Spyware/BetterInet No disinfected C:\WINDOWS\SYSTEM32\randreco.exe
Spyware:Spyware/BetterInet No disinfected C:\WINDOWS\SYSTEM32\tt_reco.exe
Adware:Adware/Adsmart No disinfected C:\WINDOWS\SYSMON.EXE
Spyware:Spyware/BetterInet No disinfected C:\WINDOWS\CERES.DLL
Adware:Adware/IWon No disinfected C:\WINDOWS\Desktop\backups\backup-20050524-215350-811.inf
Spyware:Spyware/Petro-Line No disinfected C:\WINDOWS\Favorites\Sites about\Credit counseling.url
Spyware:Spyware/Petro-Line No disinfected C:\WINDOWS\Favorites\Sites about\Insurance home.url
Spyware:Spyware/Petro-Line No disinfected C:\WINDOWS\Favorites\Sites about\Mortgage life insurance.url
Spyware:Spyware/Petro-Line No disinfected C:\WINDOWS\Favorites\Sites about\Help desk software.url
Spyware:Spyware/Petro-Line No disinfected C:\WINDOWS\Favorites\Sites about\Ab scissor.url
Spyware:Spyware/Petro-Line No disinfected C:\WINDOWS\Favorites\Sites about\Videos.url
Spyware:Spyware/Petro-Line No disinfected C:\WINDOWS\Favorites\Sites about\What is hydrocodone.url
Spyware:Spyware/Petro-Line No disinfected C:\WINDOWS\Favorites\Sites about\Online gambling casino.url
Spyware:Spyware/Petro-Line No disinfected C:\WINDOWS\Favorites\Sites about\Refinancing my mortgage.url
Spyware:Spyware/Petro-Line No disinfected C:\WINDOWS\Favorites\Sites about\Debt credit card.url
Spyware:Spyware/Petro-Line No disinfected C:\WINDOWS\Favorites\Sites about\Fha.url
Spyware:Spyware/Petro-Line No disinfected C:\WINDOWS\Favorites\Sites about\Loan for debt consolidation.url
Spyware:Spyware/Petro-Line No disinfected C:\WINDOWS\Favorites\Sites about\Health insurance.url
Spyware:Spyware/Petro-Line No disinfected C:\WINDOWS\Favorites\Sites about\Personal loans online.url
Spyware:Spyware/Petro-Line No disinfected C:\WINDOWS\Favorites\Sites about\Payroll advance.url
Spyware:Spyware/Petro-Line No disinfected C:\WINDOWS\Favorites\Sites about\Marketing email.url
Spyware:Spyware/Petro-Line No disinfected C:\WINDOWS\Favorites\Sites about\Prescription Drugs Rx Online.url
Spyware:Spyware/Petro-Line No disinfected C:\WINDOWS\Favorites\Sites about\Credit report.url
Spyware:Spyware/Petro-Line No disinfected C:\WINDOWS\Favorites\Sites about\Tahoe vacation rental.url
Spyware:Spyware/Petro-Line No disinfected C:\WINDOWS\Favorites\Sites about\Escorts.url
Spyware:Spyware/Petro-Line No disinfected C:\WINDOWS\Favorites\Sites about\Order phentermine.url
Spyware:Spyware/Petro-Line No disinfected C:\WINDOWS\Favorites\Sites about\Mortgage insurance.url
Spyware:Spyware/Petro-Line No disinfected C:\WINDOWS\Favorites\Sites about\Personal loans with bad credit.url
Spyware:Spyware/Petro-Line No disinfected C:\WINDOWS\Favorites\Sites about\Crm software.url
Spyware:Spyware/Petro-Line No disinfected C:\WINDOWS\Favorites\Sites about\Nevada corporations.url
Spyware:Spyware/Petro-Line No disinfected C:\WINDOWS\Favorites\Sites about\Unsecured bad credit loans.url
Spyware:Spyware/Petro-Line No disinfected C:\WINDOWS\Favorites\Sites about\Loan for people with bad credit.url
Spyware:Spyware/Petro-Line No disinfected C:\WINDOWS\Favorites\Sites about\Broadband comparison.url
Spyware:Spyware/Petro-Line No disinfected C:\WINDOWS\Favorites\Sites about\Online Betting Site.url
Spyware:Spyware/Petro-Line No disinfected C:\WINDOWS\Favorites\Sites about\Online instant loan.url
Adware:Adware/SearchAid No disinfected C:\WINDOWS\Favorites\Search the web.url
Adware:Adware/SearchAid No disinfected C:\WINDOWS\Favorites\Only sex website.url
Adware:Adware/SearchAid No disinfected C:\WINDOWS\Favorites\Seven days of free [bleep].url
Adware:Adware/Gator No disinfected C:\WINDOWS\Downloaded Program Files\HDPlugin1018.dll
Adware:Adware/Gator No disinfected C:\WINDOWS\Downloaded Program Files\HDPlugin1019.dll
Adware:Adware/IPInsight No disinfected C:\WINDOWS\ALCHEM.INI
Adware:Adware/IPInsight No disinfected C:\WINDOWS\SATMAT.INI
Adware:Adware/Gator No disinfected C:\WINDOWS\GatorHDPlugin.log
Adware:Adware/Transponder No disinfected C:\WINDOWS\POLMX.EXE
Adware:Adware/IPInsight No disinfected C:\WINDOWS\ALCHEM.EXE
Adware:Adware/Imibar No disinfected C:\WINDOWS\systb.dll
Adware:Adware/Twain-Tech No disinfected C:\WINDOWS\TWAINTEC.DLL
Adware:Adware/Gator No disinfected C:\WINDOWS\GatorHDPlugin.log-old.log
Adware:Adware/IPInsight No disinfected C:\WINDOWS\SATMAT.EXE
Adware:Adware/Startpage.VQ No disinfected C:\WINDOWS\lxagu.dll
Adware:Adware/Startpage.AS No disinfected C:\WINDOWS\mryamm.dat
Adware:Adware/Startpage.VQ No disinfected C:\WINDOWS\rbqzrh.log
Spyware:Spyware/BetterInet No disinfected C:\WINDOWS\Buddy.exe
Adware:Adware/CWS.Aboutblank No disinfected C:\WINDOWS\msyi.exe
Adware:Adware/CWS.Aboutblank No disinfected C:\WINDOWS\mfcql32.exe
Adware:Adware/Spywad No disinfected C:\WINDOWS\desktop.html
Adware:Adware/Startpage.VQ No disinfected C:\WINDOWS\snuir.dll
Adware:Adware/Startpage.VQ No disinfected C:\WINDOWS\qwtyxl.dat
Adware:Adware/Startpage.VQ No disinfected C:\WINDOWS\pakedh.txt
Adware:Adware/Startpage.VQ No disinfected C:\WINDOWS\zxqjz.dll
Adware:Adware/Startpage.VQ No disinfected C:\WINDOWS\nqahf.dll
Adware:Adware/Startpage.VQ No disinfected C:\WINDOWS\bwdhap.log
Adware:Adware/Startpage.VQ No disinfected C:\WINDOWS\gvamo.dll
Adware:Adware/Startpage.AS No disinfected C:\WINDOWS\hehqyv.dat
Adware:Adware/Startpage.VQ No disinfected C:\WINDOWS\uuvfil.log
Adware:Adware/Startpage.VQ No disinfected C:\WINDOWS\vsdgf.dll
Adware:Adware/Startpage.VQ No disinfected C:\WINDOWS\juohpm.log
Adware:Adware/Startpage.VQ No disinfected C:\WINDOWS\nmggxl.dat
Adware:Adware/Startpage.VQ No disinfected C:\WINDOWS\jqzgi.dll
Adware:Adware/Startpage.AS No disinfected C:\WINDOWS\ntmi32.exe
Adware:Adware/Startpage.VQ No disinfected C:\WINDOWS\dqowks.dat
Adware:Adware/Startpage.AS No disinfected C:\WINDOWS\oehtwk.dat
Adware:Adware/Startpage.AS No disinfected C:\WINDOWS\owawyk.dat
Adware:Adware/Startpage.VQ No disinfected C:\WINDOWS\rdjji.dll
Adware:Adware/Startpage.AS No disinfected C:\WINDOWS\ztsffy.dat
Adware:Adware/Startpage.VQ No disinfected C:\WINDOWS\qqpre.dll
Adware:Adware/Startpage.AS No disinfected C:\WINDOWS\cnhpyq.dat
Adware:Adware/Startpage.AS No disinfected C:\WINDOWS\axmtet.dat
Adware:Adware/Startpage.AS No disinfected C:\WINDOWS\kyantd.dat
Adware:Adware/Startpage.VQ No disinfected C:\WINDOWS\mgvjpj.log
Adware:Adware/Startpage.AS No disinfected C:\WINDOWS\xkkoqc.dat
Adware:Adware/Startpage.VQ No disinfected C:\WINDOWS\haezn.dll
Adware:Adware/Startpage.VQ No disinfected C:\WINDOWS\kbmhzp.log
Adware:Adware/Startpage.AS No disinfected C:\WINDOWS\pgjpup.dat
Adware:Adware/Startpage.AS No disinfected C:\WINDOWS\wtswpw.dat
Adware:Adware/Startpage.VQ No disinfected C:\WINDOWS\cknarm.txt
Adware:Adware/Startpage.AS No disinfected C:\WINDOWS\gvamou.dat
Adware:Adware/Startpage.AS No disinfected C:\WINDOWS\vpaher.dat
Adware:Adware/Startpage.AS No disinfected C:\WINDOWS\uscnne.dat
Adware:Adware/Startpage.AS No disinfected C:\WINDOWS\wdwcbp.dat
Adware:Adware/Startpage.AS No disinfected C:\WINDOWS\hhyzyl.dat
Adware:Adware/Adsmart No disinfected C:\WINDOWS\syszv32.exe
Adware:Adware/Startpage.AS No disinfected C:\WINDOWS\wvtzlc.dat
Adware:Adware/Adsmart No disinfected C:\WINDOWS\syscr32.exe
Adware:Adware/Startpage.AS No disinfected C:\WINDOWS\ssumyb.dat
Adware:Adware/Startpage.AS No disinfected C:\WINDOWS\bmmtoj.dat
Adware:Adware/Startpage.VQ No disinfected C:\WINDOWS\xiegk.dll
Adware:Adware/Startpage.VQ No disinfected C:\WINDOWS\hphdoe.dat
Adware:Adware/Startpage.VQ No disinfected C:\WINDOWS\pvfrw.dll
Adware:Adware/Adsmart No disinfected C:\WINDOWS\syssb32.exe
Virus:Trj/Downloader.BSU Disinfected C:\WINDOWS\javafs32.exe
Adware:Adware/CWS.Aboutblank No disinfected C:\WINDOWS\appvw.exe
Adware:Adware/Startpage.VQ No disinfected C:\WINDOWS\wgymmj.txt
Adware:Adware/Adsmart No disinfected C:\WINDOWS\sysji32.exe
Adware:Adware/IWon No disinfected C:\Program Files\iWon\iWonSlot\2.bin\IWONSLOT.DLL
Adware:Adware/IWon No disinfected C:\Program Files\iWon\iWonBar\2.bin\NPIWON0.DLL
Adware:Adware/BootPorn No disinfected C:\boot.exe
  • 0

#7
deimbt

deimbt

    New Member

  • Topic Starter
  • Member
  • Pip
  • 9 posts
I have followed your instructions. Thank you for all your help thus far. It may have been fixed, but I am not sure. Here is the Hijack log and Panda log

Logfile of HijackThis v1.99.1
Scan saved at 10:12:31 PM, on 5/25/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MFCOJ32.EXE
C:\WINDOWS\APPVW.EXE
C:\WINDOWS\SYSTEM\ADDLH32.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\CRSU.EXE
C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\WORKS SHARED\WKCALREM.EXE
C:\WINDOWS\FSSCRCTL.EXE
C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
C:\WINDOWS\SYSTEM\ADDLH32.EXE
C:\WINDOWS\SYSTEM\MFCOJ32.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

O4 - HKLM\..\Run: [CRSU.EXE] C:\WINDOWS\SYSTEM\CRSU.EXE
O4 - HKLM\..\RunServices: [MFCOJ32.EXE] C:\WINDOWS\SYSTEM\MFCOJ32.EXE /s
O4 - HKLM\..\RunServices: [APPVW.EXE] C:\WINDOWS\APPVW.EXE /s
O4 - HKLM\..\RunServices: [ADDLH32.EXE] C:\WINDOWS\SYSTEM\ADDLH32.EXE /s
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
O4 - Startup: Screen Saver Control.lnk = C:\WINDOWS\FSScrCtl.exe
O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
O9 - Extra button: Dell Home - {24A6FF20-6412-11D4-A864-602351C10000} - http://www.dellnet.com (file missing) (HKCU)
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab




Incident Status Location

Adware:Adware/CWS.Aboutblank No disinfected C:\WINDOWS\SYSTEM\MFCOJ32.EXE
Adware:Adware/CWS.Aboutblank No disinfected C:\WINDOWS\APPVW.EXE
Virus:Trj/Downloader.BSU Disinfected Operating system
Adware:Adware/Startpage.AS No disinfected C:\WINDOWS\SYSTEM\CRSU.EXE
Adware:Adware/Gator No disinfected Windows Registry
Spyware:Spyware/BetterInet No disinfected C:\WINDOWS\CERES.DLL
Adware:Adware/FunWeb No disinfected Windows Registry
Adware:Adware/SearchAid No disinfected C:\windows\favorites\Only sex website.url
Adware:Adware/IPInsight No disinfected C:\WINDOWS\alchem.???
Adware:Adware/DealHelper No disinfected C:\WINDOWS\SYSTEM\dhp?.dll
Adware:Adware/IEPlugin No disinfected C:\WINDOWS\systb.dll
Adware:Adware/Twain-Tech No disinfected C:\WINDOWS\SYSTEM\polall1m.exe
Adware:Adware/WUpd No disinfected C:\Program Files\ErrorGuard
Adware:Adware/MyWebSearch No disinfected Windows Registry
Adware:Adware/BTGrab No disinfected C:\WINDOWS\BTGrab.dll
Adware:Adware/Transponder No disinfected Windows Registry
Adware:Adware/Adsmart No disinfected C:\WINDOWS\sys????.exe
Adware:Adware/BootPorn No disinfected C:\BOOT.EXE
Adware:Adware/IGuard No disinfected C:\WINDOWS\SYSTEM\wldr.dll
Adware:Adware/Spywad No disinfected C:\WINDOWS\DESKTOP.HTML
Adware:Adware/BlueScreenWarningNo disinfected Windows Registry
Adware:Adware/Popuper No disinfected C:\WINDOWS\SYSTEM\msole32.exe
Adware:Adware/DealHelper No disinfected C:\WINDOWS\SYSTEM\DHPE.DLL
Adware:Adware/Transponder No disinfected C:\WINDOWS\SYSTEM\POLALL1M.EXE
Adware:Adware/Transponder No disinfected C:\WINDOWS\SYSTEM\shmkluuv.exe
Adware:Adware/CWS.Aboutblank No disinfected C:\WINDOWS\SYSTEM\mfcoj32.exe
Adware:Adware/CWS.Aboutblank No disinfected C:\WINDOWS\SYSTEM\javamw32.exe
Adware:Adware/Startpage.VQ No disinfected C:\WINDOWS\SYSTEM\ttvju.dll
Adware:Adware/Popuper No disinfected C:\WINDOWS\SYSTEM\msmsgs.exe
Adware:Adware/Virmaid No disinfected C:\WINDOWS\SYSTEM\LogFiles\T54152130.so
Adware:Adware/Gogotools No disinfected C:\WINDOWS\SYSTEM\shnlog.exe
Adware:Adware/Popuper No disinfected C:\WINDOWS\SYSTEM\msole32.exe
Adware:Adware/BlueScreenWarningNo disinfected C:\WINDOWS\SYSTEM\wldr.dll
Adware:Adware/Startpage.AS No disinfected C:\WINDOWS\SYSTEM\atldg.exe
Adware:Adware/Startpage.VQ No disinfected C:\WINDOWS\SYSTEM\cufab.dll
Adware:Adware/Startpage.VQ No disinfected C:\WINDOWS\SYSTEM\bqqfg.dll
Adware:Adware/Startpage.VQ No disinfected C:\WINDOWS\SYSTEM\dmxff.dll
Adware:Adware/Startpage.VQ No disinfected C:\WINDOWS\SYSTEM\bfikz.dll
Adware:Adware/Startpage.AS No disinfected C:\WINDOWS\SYSTEM\netik32.exe
Adware:Adware/Startpage.VQ No disinfected C:\WINDOWS\SYSTEM\wuojw.dll
Adware:Adware/Startpage.VQ No disinfected C:\WINDOWS\SYSTEM\ubtya.dll
Adware:Adware/Startpage.VQ No disinfected C:\WINDOWS\SYSTEM\eokkl.dll
Adware:Adware/Startpage.VQ No disinfected C:\WINDOWS\SYSTEM\wenyr.dll
Adware:Adware/Startpage.VQ No disinfected C:\WINDOWS\SYSTEM\rkcip.dll
Adware:Adware/Startpage.VQ No disinfected C:\WINDOWS\SYSTEM\aeqct.dll
Adware:Adware/Startpage.VQ No disinfected C:\WINDOWS\SYSTEM\mnfsv.dll
Adware:Adware/Startpage.AS No disinfected C:\WINDOWS\SYSTEM\crsu.exe
Adware:Adware/Startpage.AS No disinfected C:\WINDOWS\SYSTEM\sysic32.exe
Adware:Adware/Startpage.AS No disinfected C:\WINDOWS\SYSTEM\addsp.exe
Adware:Adware/Startpage.VQ No disinfected C:\WINDOWS\SYSTEM\ktusc.dll
Adware:Adware/Startpage.VQ No disinfected C:\WINDOWS\SYSTEM\twxnz.dll
Adware:Adware/BTGrab No disinfected C:\WINDOWS\BTGRAB.DLL
Adware:Adware/Transponder No disinfected C:\WINDOWS\INF\CERES.INF
Adware:Adware/Twain-Tech No disinfected C:\WINDOWS\INF\TWAINTEC.INF
Adware:Adware/IPInsight No disinfected C:\WINDOWS\INF\ALCHEM.INF
Adware:Adware/BTGrab No disinfected C:\WINDOWS\INF\BTGRAB.INF
Spyware:Spyware/BetterInet No disinfected C:\WINDOWS\SYSTEM32\stmtreco.exe
Spyware:Spyware/BetterInet No disinfected C:\WINDOWS\SYSTEM32\randreco.exe
Spyware:Spyware/BetterInet No disinfected C:\WINDOWS\SYSTEM32\tt_reco.exe
Adware:Adware/Adsmart No disinfected C:\WINDOWS\SYSMON.EXE
Spyware:Spyware/BetterInet No disinfected C:\WINDOWS\CERES.DLL
Adware:Adware/IWon No disinfected C:\WINDOWS\Desktop\backups\backup-20050524-215350-811.inf
Adware:Adware/SearchAid No disinfected C:\WINDOWS\Favorites\Search the web.url
Adware:Adware/SearchAid No disinfected C:\WINDOWS\Favorites\Only sex website.url
Adware:Adware/SearchAid No disinfected C:\WINDOWS\Favorites\Seven days of free [bleep].url
Adware:Adware/Gator No disinfected C:\WINDOWS\Downloaded Program Files\HDPlugin1018.dll
Adware:Adware/Gator No disinfected C:\WINDOWS\Downloaded Program Files\HDPlugin1019.dll
Adware:Adware/IPInsight No disinfected C:\WINDOWS\ALCHEM.INI
Adware:Adware/IPInsight No disinfected C:\WINDOWS\SATMAT.INI
Adware:Adware/Gator No disinfected C:\WINDOWS\GatorHDPlugin.log
Adware:Adware/Transponder No disinfected C:\WINDOWS\POLMX.EXE
Adware:Adware/IPInsight No disinfected C:\WINDOWS\ALCHEM.EXE
Adware:Adware/Imibar No disinfected C:\WINDOWS\systb.dll
Adware:Adware/Twain-Tech No disinfected C:\WINDOWS\TWAINTEC.DLL
Adware:Adware/Gator No disinfected C:\WINDOWS\GatorHDPlugin.log-old.log
Adware:Adware/IPInsight No disinfected C:\WINDOWS\SATMAT.EXE
Adware:Adware/Startpage.VQ No disinfected C:\WINDOWS\lxagu.dll
Adware:Adware/Startpage.AS No disinfected C:\WINDOWS\mryamm.dat
Adware:Adware/Startpage.VQ No disinfected C:\WINDOWS\rbqzrh.log
Spyware:Spyware/BetterInet No disinfected C:\WINDOWS\Buddy.exe
Adware:Adware/CWS.Aboutblank No disinfected C:\WINDOWS\msyi.exe
Adware:Adware/CWS.Aboutblank No disinfected C:\WINDOWS\mfcql32.exe
Adware:Adware/Spywad No disinfected C:\WINDOWS\desktop.html
Adware:Adware/Startpage.VQ No disinfected C:\WINDOWS\snuir.dll
Adware:Adware/Startpage.VQ No disinfected C:\WINDOWS\qwtyxl.dat
Adware:Adware/Startpage.VQ No disinfected C:\WINDOWS\pakedh.txt
Adware:Adware/Startpage.VQ No disinfected C:\WINDOWS\zxqjz.dll
Adware:Adware/Startpage.VQ No disinfected C:\WINDOWS\nqahf.dll
Adware:Adware/Startpage.VQ No disinfected C:\WINDOWS\bwdhap.log
Adware:Adware/Startpage.VQ No disinfected C:\WINDOWS\gvamo.dll
Adware:Adware/Startpage.AS No disinfected C:\WINDOWS\hehqyv.dat
Adware:Adware/Startpage.VQ No disinfected C:\WINDOWS\uuvfil.log
Adware:Adware/Startpage.VQ No disinfected C:\WINDOWS\vsdgf.dll
Adware:Adware/Startpage.VQ No disinfected C:\WINDOWS\juohpm.log
Adware:Adware/Startpage.VQ No disinfected C:\WINDOWS\nmggxl.dat
Adware:Adware/Startpage.VQ No disinfected C:\WINDOWS\jqzgi.dll
Adware:Adware/Startpage.AS No disinfected C:\WINDOWS\ntmi32.exe
Adware:Adware/Startpage.VQ No disinfected C:\WINDOWS\dqowks.dat
Adware:Adware/Startpage.AS No disinfected C:\WINDOWS\oehtwk.dat
Adware:Adware/Startpage.AS No disinfected C:\WINDOWS\owawyk.dat
Adware:Adware/Startpage.VQ No disinfected C:\WINDOWS\rdjji.dll
Adware:Adware/Startpage.AS No disinfected C:\WINDOWS\ztsffy.dat
Adware:Adware/Startpage.VQ No disinfected C:\WINDOWS\qqpre.dll
Adware:Adware/Startpage.AS No disinfected C:\WINDOWS\cnhpyq.dat
Adware:Adware/Startpage.AS No disinfected C:\WINDOWS\axmtet.dat
Adware:Adware/Startpage.AS No disinfected C:\WINDOWS\kyantd.dat
Adware:Adware/Startpage.VQ No disinfected C:\WINDOWS\mgvjpj.log
Adware:Adware/Startpage.AS No disinfected C:\WINDOWS\xkkoqc.dat
Adware:Adware/Startpage.VQ No disinfected C:\WINDOWS\haezn.dll
Adware:Adware/Startpage.VQ No disinfected C:\WINDOWS\kbmhzp.log
Adware:Adware/Startpage.AS No disinfected C:\WINDOWS\pgjpup.dat
Adware:Adware/Startpage.AS No disinfected C:\WINDOWS\wtswpw.dat
Adware:Adware/Startpage.VQ No disinfected C:\WINDOWS\cknarm.txt
Adware:Adware/Startpage.AS No disinfected C:\WINDOWS\gvamou.dat
Adware:Adware/Startpage.AS No disinfected C:\WINDOWS\vpaher.dat
Adware:Adware/Startpage.AS No disinfected C:\WINDOWS\uscnne.dat
Adware:Adware/Startpage.AS No disinfected C:\WINDOWS\wdwcbp.dat
Adware:Adware/Startpage.AS No disinfected C:\WINDOWS\hhyzyl.dat
Adware:Adware/Adsmart No disinfected C:\WINDOWS\syszv32.exe
Adware:Adware/Startpage.AS No disinfected C:\WINDOWS\wvtzlc.dat
Adware:Adware/Adsmart No disinfected C:\WINDOWS\syscr32.exe
Adware:Adware/Startpage.AS No disinfected C:\WINDOWS\ssumyb.dat
Adware:Adware/Startpage.AS No disinfected C:\WINDOWS\bmmtoj.dat
Adware:Adware/Startpage.VQ No disinfected C:\WINDOWS\xiegk.dll
Adware:Adware/Startpage.VQ No disinfected C:\WINDOWS\hphdoe.dat
Adware:Adware/Startpage.VQ No disinfected C:\WINDOWS\pvfrw.dll
Adware:Adware/Adsmart No disinfected C:\WINDOWS\syssb32.exe
Adware:Adware/CWS.Aboutblank No disinfected C:\WINDOWS\appvw.exe
Adware:Adware/Startpage.VQ No disinfected C:\WINDOWS\wgymmj.txt
Adware:Adware/Adsmart No disinfected C:\WINDOWS\sysji32.exe
Adware:Adware/Startpage.VQ No disinfected C:\WINDOWS\qbypj.dll
Adware:Adware/Startpage.VQ No disinfected C:\WINDOWS\bhjin.dll
Adware:Adware/IWon No disinfected C:\Program Files\iWon\iWonSlot\2.bin\IWONSLOT.DLL
Adware:Adware/IWon No disinfected C:\Program Files\iWon\iWonBar\2.bin\NPIWON0.DLL
Adware:Adware/BootPorn No disinfected C:\boot.exe
  • 0

#8
greyknight17

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
OK, you see all those files that say No disinfected in the Panda scan/report? I want you to delete those files manually if you can find them (if they exist). Do this in safe mode (see below):

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order it is mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should 'not' have any open browsers when you are following the procedures below.

Restart your computer and boot into Safe Mode by hitting the F8 key repeatedly until a menu shows up (and choose Safe Mode from the list). In some systems, this may be the F5 key, so try that if F8 doesn't work. Make sure to close any open browsers.
Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any):

O4 - HKLM\..\Run: [CRSU.EXE] C:\WINDOWS\SYSTEM\CRSU.EXE
O4 - HKLM\..\RunServices: [MFCOJ32.EXE] C:\WINDOWS\SYSTEM\MFCOJ32.EXE /s
O4 - HKLM\..\RunServices: [APPVW.EXE] C:\WINDOWS\APPVW.EXE /s
O4 - HKLM\..\RunServices: [ADDLH32.EXE] C:\WINDOWS\SYSTEM\ADDLH32.EXE /s
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
O9 - Extra button: Dell Home - {24A6FF20-6412-11D4-A864-602351C10000} - http://www.dellnet.com (file missing) (HKCU)


Delete the following Files/Folders (delete folders if no filename is specified) according to their directory (if none, just do a search for them) and delete them if they exist:

C:\WINDOWS\SYSTEM\MFCOJ32.EXE
C:\WINDOWS\APPVW.EXE
C:\WINDOWS\SYSTEM\ADDLH32.EXE
C:\WINDOWS\SYSTEM\CRSU.EXE
C:\WINDOWS\SYSTEM\ADDLH32.EXE
C:\WINDOWS\SYSTEM\MFCOJ32.EXE


OK, delete all those files found by Panda if they still exist.

Restart and run a new HijackThis scan. Save the log file and post it here.
  • 0

#9
deimbt

deimbt

    New Member

  • Topic Starter
  • Member
  • Pip
  • 9 posts
Mr Greyknight17, I am headed to bed; I have an early conference call EST 7:00am. Can we touch base tomorrow evening around 8 or 9 pm. I have started to follow the instructions, but I was up last night until about 4am and need to get to bed.

Thanks. :tazz:
  • 0

#10
greyknight17

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
No problem. I'm at work today and tomorrow, but should be online at night (EST time also). :tazz:

Try to fix those and delete the files mentioned in the Panda scan. That should get rid of most of the problematic files.
  • 0

#11
deimbt

deimbt

    New Member

  • Topic Starter
  • Member
  • Pip
  • 9 posts
:tazz:

Finally here is the update hijack and panda:


Logfile of HijackThis v1.99.1
Scan saved at 11:57:41 PM, on 5/26/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\WORKS SHARED\WKCALREM.EXE
C:\WINDOWS\FSSCRCTL.EXE
C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
O4 - Startup: Screen Saver Control.lnk = C:\WINDOWS\FSScrCtl.exe
O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab

Pandascan

Incident Status Location

Adware:Adware/Gator No disinfected Windows Registry
Adware:Adware/WUpd No disinfected C:\Program Files\ErrorGuard
Adware:Adware/MyWebSearch No disinfected Windows Registry
Adware:Adware/Popuper No disinfected C:\WINDOWS\SYSTEM\msmsgs.exe
Adware:Adware/Gator No disinfected C:\WINDOWS\Downloaded Program Files\HDPlugin1018.dll
Adware:Adware/Gator No disinfected C:\WINDOWS\Downloaded Program Files\HDPlugin1019.dll
  • 0

#12
greyknight17

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
OK, Gator still seems to be there, although I'm not sure if it's just remnants of it left behind. But just to be safe, I want you to go to your Add/Remove panel and see if you can locate and uninstall these programs:

ScreenScenes
GotSmiley
WeatherScope
DashBar
PrecisionTime
Date Manager
Gator eWallet
Web Secure Alert
GAIN
MyWebSearch
ErrorGuard


Delete these files if found:

C:\WINDOWS\SYSTEM\msmsgs.exe
C:\WINDOWS\Downloaded Program Files\HDPlugin1018.dll
C:\WINDOWS\Downloaded Program Files\HDPlugin1019.dll


Restart. If you want, you may run another Panda scan to see what else is left (if any).

Your log is clean.

To help prevent future spyware installations/infections, please read the Anti-Spyware Tutorial and use the tools provided.

Are there any problems now? If not, you should be set to go.
  • 0

#13
greyknight17

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :tazz:

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP