Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

"Ceres" ad popups, missing dll's, stability issues

Started by fingle , May 31 2005 03:01 AM

  • This topic is locked This topic is locked

#1
fingle
Posted 31 May 2005 - 03:01 AM

fingle

    New Member

  • Member
  • Pip
  • 6 posts
Greetings,

My wife's co-worker has given us a laptop. It had a history of virii trouble of some sort, apparently in its checkered youth.

My intent is to use it to communicate with my wife vie Teamspeak while she is overseas on a four-month business trip. It has been working very well for several months, right up until a week before my wife left with the "good" laptop. I'd heard rumors of trouble from the two kids in the house, but as soon as my wife flew out of the country my niece informed me that she'd "been having trouble lately with MySpace and the Internet on the Compaq!"

Trouble as in Ceres ad popups, a missing file on boot-up (ccw32.dll ) that was associated with something called "Carbon Copy", constant lockup, and POR re-boots. Sex ads with amazingly graphic animations, ads for "adware removal tools", the works.

Joy. I had no idea it was this bad out there. I've been spoiled by my somewhat careful care of the "good" laptop! I let this one slide...

Before posting, I have spent the past five days completing the first four steps listed at "GeeksToGo: Before you post a HijackThis log!" I hope that I've covered most of it.

(It took three days just to get the machine to reliably boot. Fun stuff! )

Someone had done a partial uninstall of McAfee AntiVirus at some point. I should clean that up the rest of the way, but my skills are about a five on a 1-to-10 scale, and I have to be careful not to cause more trouble than I'm trying to cure.

I did install AVG anti-virus. I've run the full scan today, and I've also run the following crapware removal tools:

PanicWare's PopUpScanner (PopUpStopper has always been on this machine)

Spybot S&D

SpywareBlaster

Ad-Aware SE Personal

HijackThis

The only step I could not complete was the installation and use of CWShredder. (Missing dll file: oleacc.dll ) That, and the missing ccw32.dll file...

I have resisted the temptation to jump in and start deleting things without good advice, so I apologize if this listing is extensive to the point of idiotic.

Thank you for any time you might have for this!

- Pat Hough

The computer is a Compaq Presario 1690
64 MBytes RAM
AMD K6 processor
running Windows 98 ver 4.10.1998

Here's the HijackThis log:

- - - - - - - - - - - - - - - -

Logfile of HijackThis v1.99.1
Scan saved at 1:54:29 AM, on 5/31/2005
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\VSHWIN32.EXE
C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\WEBSCANX.EXE
c:\windows\SYSTEM\KB891711\KB891711.EXE
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\VSSTAT.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\ATICWD32.EXE
C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\CPQEADM.EXE
C:\COMPAQ\INTERNET\CISRVR.EXE
C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\AVCONSOL.EXE
C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\BTTNSERV.EXE
C:\PROGRAM FILES\IOMEGA HOTBURN\AUTOLAUNCH.EXE
C:\WINDOWS\TPPALDR.EXE
C:\WINDOWS\SYSTEM\XUJPIGL.EXE
C:\WINDOWS\SYSTEM\ATITASK.EXE
C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPLPR.EXE
C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPENH.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER FREE EDITION\PSFREE.EXE
C:\PROGRAM FILES\MICROSOFT MONEY\SYSTEM\REMINDER.EXE
C:\PROGRAM FILES\PANICWARE\POP-UP SCANNER\POPUPSCN.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\FINDFAST.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OSA.EXE
C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
C:\WINDOWS\CALC.EXE
C:\PROGRAM FILES\SONY CORPORATION\IMAGE TRANSFER\SONYTRAY.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drs...esearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.presar...&s=search&i=enu
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://my.juno.com/s...ch?r=minisearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.presar...&s=search&i=enu
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.presar...&s=search&i=enu
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drs...esearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drs...esearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.altavista...ort/runonce.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: URLSearchHook Class - {37D2CDBF-2AF4-44AA-8113-BD0D2DA3C2B8} - C:\PROGRAM FILES\JUSEARCH\SEARCHENH1.DLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: RsyncHlpr Class - {16B238D5-80DE-47CE-8F17-B3ECE2C2248D} - C:\WINDOWS\SYSTEM\RSYNCMON.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O2 - BHO: CeresObj Class - {00000049-8F91-4D9C-9573-F016E7626484} - C:\WINDOWS\CERES.DLL
O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\SYSTB.DLL (file missing)
O2 - BHO: CExtension Object - {0019C3E2-DD48-4A6D-ABCD-8D32436323D9} - C:\WINDOWS\CFGMGR52.DLL
O3 - Toolbar: JunoBar - {F5735C15-1FB2-41FE-BA12-242757E69DDE} - C:\PROGRAM FILES\JUNO\TOOLBAR.DLL
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [IrMon] IrMon.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [AtiCwd32] Aticwd32.exe
O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\Compaq\Easy Access Button Support\cpqeadm.exe
O4 - HKLM\..\Run: [EACLEAN] C:\Program Files\Compaq\Easy Access Button Support\eaclean.exe
O4 - HKLM\..\Run: [Compaq Internet Setup] C:\Compaq\Internet\InetWizard.exe /RUN
O4 - HKLM\..\Run: [CISrvr Program] C:\COMPAQ\INTERNET\CISRVR.EXE
O4 - HKLM\..\Run: [AvconsoleEXE] C:\Program Files\Network Associates\McAfee VirusScan\avconsol.exe /minimize
O4 - HKLM\..\Run: [VsecomrEXE] C:\Program Files\Network Associates\McAfee VirusScan\VSECOMR.EXE
O4 - HKLM\..\Run: [Vshwin32EXE] C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\VSHWIN32.EXE
O4 - HKLM\..\Run: [VsStatEXE] C:\Program Files\Network Associates\McAfee VirusScan\VSSTAT.EXE /SHOWWARNING
O4 - HKLM\..\Run: [McAfeeWebScanX] C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\WebScanX.Exe
O4 - HKLM\..\Run: [Drag'n'Drop_Autolaunch] "C:\Program Files\Iomega HotBurn\Autolaunch.exe"
O4 - HKLM\..\Run: [TPP Auto Loader] C:\WINDOWS\TPPALDR.EXE
O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
O4 - HKLM\..\Run: [AutoUpdater] "c:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKLM\..\Run: [cfgmgr52] RunDLL32.EXE C:\WINDOWS\CFGMGR52.DLL,DllRun
O4 - HKLM\..\Run: [xujpigl] c:\windows\system\xujpigl.exe
O4 - HKLM\..\Run: [AtiKey] Atitask.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Service Connection] c:\cpqs\bwtools\bwtray.exe
O4 - HKLM\..\Run: [OEMCLEANUP] c:\windows\OPTIONS\oemreset.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [EPSON Stylus C84 Series] C:\WINDOWS\SYSTEM\E_S4I2D1.EXE /P23 "EPSON Stylus C84 Series" /O5 "LPT1:" /M "Stylus C84"
O4 - HKLM\..\Run: [Win Server Updt] C:\WINDOWS\wupdt.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [Vshwin32EXE] C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\VSHWIN32.EXE
O4 - HKLM\..\RunServices: [McAfeeWebScanX] C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\WebScanX.Exe /RUNSERVICES
O4 - HKLM\..\RunServices: [KB891711] c:\windows\SYSTEM\KB891711\KB891711.EXE
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER FREE EDITION\PSFREE.EXE"
O4 - HKCU\..\Run: [Reminder] C:\Program Files\Microsoft Money\System\reminder.exe
O4 - HKCU\..\Run: [spc_w] "C:\Program Files\JUSearch\hcm.exe" -w
O4 - HKCU\..\Run: [Pop-Up_Scanner] "C:\PROGRAM FILES\PANICWARE\POP-UP SCANNER\POPUPSCN.EXE"
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\FINDFAST.EXE
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\OSA.EXE
O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O4 - Startup: Image Transfer.lnk = C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe
O8 - Extra context menu item: AltaVista Home - http://jump.altavista.com/avie5/home
O8 - Extra context menu item: AV Search This Term - http://jump.altavista.com/avie5/search
O8 - Extra context menu item: AV Translate this Web Page - http://jump.altavist...avie5/babelfish
O8 - Extra context menu item: AV Translate Selection - http://jump.altavist...avie5/babelfish
O9 - Extra button: (no name) - {06FE5D00-8F11-11d2-804F-00105A133818} - http://jump.altavista.com/avie5/home (file missing)
O9 - Extra 'Tools' menuitem: &AltaVista Home - {06FE5D00-8F11-11d2-804F-00105A133818} - http://jump.altavista.com/avie5/home (file missing)
O9 - Extra button: Translate - {06FE5D05-8F11-11d2-804F-00105A133818} - http://jump.altavist...avie5/babelfish (file missing)
O9 - Extra 'Tools' menuitem: AV &Translate - {06FE5D05-8F11-11d2-804F-00105A133818} - http://jump.altavist...avie5/babelfish (file missing)
O9 - Extra button: (no name) - {06FE5D02-8F11-11d2-804F-00105A133818} - http://jump.altavist...vie5/linksearch (file missing)
O9 - Extra 'Tools' menuitem: &Find Pages Linking to this URL - {06FE5D02-8F11-11d2-804F-00105A133818} - http://jump.altavist...vie5/linksearch (file missing)
O9 - Extra button: (no name) - {06FE5D03-8F11-11d2-804F-00105A133818} - http://jump.altavist...vie5/hostsearch (file missing)
O9 - Extra 'Tools' menuitem: Find Other Pages on this &Host - {06FE5D03-8F11-11d2-804F-00105A133818} - http://jump.altavist...vie5/hostsearch (file missing)
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/...ro.cab34246.cab
O16 - DPF: {3FE16C08-D6A7-4133-84FC-D5BFB4F7D886} (WebGameLoader Class) - http://zone.msn.com/...bGameLoader.cab
O16 - DPF: {DAF5D9A2-D982-4671-83E4-0398706A5F6A} (SCEWebLauncherCtl Object) - http://zone.msn.com/...WebLauncher.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.popcap.co...aploader_v6.cab
O16 - DPF: {3DA5D23B-EFE1-4181-ADB7-7D457567AACA} (TGOnlineCtrl Class) - http://zone.msn.com/...pandaonline.cab
O16 - DPF: {2F5B39C5-C6F5-447A-A946-48B382C53985} - http://www.pacimedia...ll/pcs_0002.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9B03C5F1-F5AB-47EE-937D-A8EDA626F876} (Anonymizer Anti-Spyware Scanner) - http://download.zone...ctor/WebAAS.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab

- - - - - - - - - - - - - - - - -
...and here's the Panda ActiveScan report:


Incident Status Location

Adware:Adware/BookedSpace No disinfected C:\WINDOWS\CFGMGR52.DLL
Virus:Trj/Imiserv.D Disinfected Operating system
Spyware:Spyware/BetterInet No disinfected C:\WINDOWS\CERES.DLL
Adware:Adware/Twain-Tech No disinfected C:\WINDOWS\SYSTEM\XUJPIGL.EXE
Spyware:Spyware/SafeSurf No disinfected C:\WINDOWS\SYSTEM\RSYNCMON.DLL
Adware:Adware/Kingporn No disinfected C:\WINDOWS\SYSTEM\COMMCOSS.DLL
Adware:Adware/Twain-Tech No disinfected c:\WINDOWS\SYSTEM\XUJPIGL.EXE
Adware:Adware/SaveNow No disinfected C:\windows\TEMP\atf
Spyware:Spyware/BetterInet No disinfected C:\WINDOWS\CERES.DLL
Spyware:Spyware/ShopNav No disinfected Windows Registry
Adware:Adware/BookedSpace No disinfected C:\WINDOWS\bsx32
Adware:Adware/Apropos No disinfected C:\windows\TEMP\AutoUpdate0
Adware:Adware/WinTools No disinfected C:\windows\TEMP\down.cab
Adware:Adware/VirtualBouncer No disinfected C:\WINDOWS\SYSTEM\wrapperouter.exe
Adware:Adware/DealHelper No disinfected Windows Registry
Adware:Adware/ISearch No disinfected C:\WINDOWS\SYSTEM\246765-ventura-hot.exe
Adware:Adware/IEPlugin No disinfected C:\WINDOWS\systb.dll
Adware:Adware/WUpd No disinfected Windows Registry
Adware:Adware/ExactSearch No disinfected C:\windows\TEMP\installer_MARKETING??.exe
Adware:Adware/Kingporn No disinfected C:\WINDOWS\SYSTEM\commcoss.dll
Adware:Adware/Transponder No disinfected Windows Registry
Adware:Adware/Pacimedia No disinfected C:\WINDOWS\SYSTEM\psoft1.exe
Adware:Adware/Twain-Tech No disinfected C:\WINDOWS\SYSTEM\xujpigl.exe
Adware:Adware/Pacimedia No disinfected C:\WINDOWS\SYSTEM\psoft1.exe
Virus:Trj/Downloader.BJG Disinfected C:\WINDOWS\SYSTEM\installer_MARKETING18.exe
Adware:Adware/Kingporn No disinfected C:\WINDOWS\SYSTEM\COMMCOSS.DLL
Virus:Trj/Downloader.BJG Disinfected C:\WINDOWS\SYSTEM\wrapperouter.exe
Adware:Adware/ISearch No disinfected C:\WINDOWS\SYSTEM\246765-ventura-hot.exe
Adware:Adware/BookedSpace No disinfected C:\WINDOWS\SYSTEM\bs51-eginwl51-vb.exe
Adware:Adware/Transponder No disinfected C:\WINDOWS\SYSTEM\thin-94-1-x-x.exe
Spyware:Spyware/SafeSurf No disinfected C:\WINDOWS\SYSTEM\InstallerV34.exe
Adware:Adware/DealHelper No disinfected C:\WINDOWS\SYSTEM\Uxlkca.exe
Spyware:Spyware/SafeSurf No disinfected C:\WINDOWS\SYSTEM\rsyncmon.dll
Adware:Adware/HuntBar No disinfected C:\WINDOWS\SYSTEM\EDow_AS2.exe
Spyware:Spyware/SafeSurf No disinfected C:\WINDOWS\SYSTEM\netsync.exe
Adware:Adware/DealHelper No disinfected C:\WINDOWS\SYSTEM\dun.exe
Adware:Adware/DealHelper No disinfected C:\WINDOWS\SYSTEM\Bjwhkp.exe
Virus:Trj/Downloader.BYZ Disinfected C:\WINDOWS\SYSTEM\dist001.exe
Adware:Adware/Apropos No disinfected C:\WINDOWS\SYSTEM\cxtpls_loader.exe
Adware:Adware/Apropos No disinfected C:\WINDOWS\SYSTEM\tpptvout.exe
Adware:Adware/Apropos No disinfected C:\WINDOWS\SYSTEM\fintvt16.exe
Adware:Adware/Transponder No disinfected C:\WINDOWS\INF\CERES.INF
Spyware:Spyware/BetterInet No disinfected C:\WINDOWS\Buddy.exe
Spyware:Spyware/BargainBuddy No disinfected C:\WINDOWS\TEMP\installer_MARKETING18.exe
Adware:Adware/VirtualBouncer No disinfected C:\WINDOWS\TEMP\wrapperouter.exe
Spyware:Spyware/SafeSurf No disinfected C:\WINDOWS\TEMP\ExtractDLL.dll
Adware:Adware/WinTools No disinfected C:\WINDOWS\TEMP\down.cab
Adware:Adware/MyWebSearch No disinfected C:\WINDOWS\TEMP\down.cab[WToolsB.dll]
Adware:Adware/MyWebSearch No disinfected C:\WINDOWS\TEMP\down.cab[WToolsA.exe]
Adware:Adware/Transponder No disinfected C:\WINDOWS\TEMP\DrTemp\ceres.cab
Adware:Adware/Transponder No disinfected C:\WINDOWS\TEMP\DrTemp\ceres.cab[ceres.inf]
Spyware:Spyware/BetterInet No disinfected C:\WINDOWS\TEMP\DrTemp\ceres.cab[ceres.dll]
Adware:Adware/Transponder No disinfected C:\WINDOWS\TEMP\DrTemp\ceres.cab[spike.exe]
Adware:Adware/Transponder No disinfected C:\WINDOWS\TEMP\DrTemp\ceres.inf
Spyware:Spyware/BetterInet No disinfected C:\WINDOWS\TEMP\DrTemp\ceres.dll
Adware:Adware/MyWebSearch No disinfected C:\WINDOWS\TEMP\WToolsB.dll
Adware:Adware/MyWebSearch No disinfected C:\WINDOWS\TEMP\WToolsA.exe
Adware:Adware/SaveNow No disinfected C:\WINDOWS\TEMP\auf0.exe
Adware:Adware/Apropos No disinfected C:\WINDOWS\TEMP\auf1.exe
Adware:Adware/Apropos No disinfected C:\WINDOWS\TEMP\AutoUpdate0\auto_update_install.exe
Adware:Adware/Envolo No disinfected C:\WINDOWS\TEMP\AutoUpdate0\setup.inf
Adware:Adware/Apropos No disinfected C:\WINDOWS\TEMP\cxtpls_loader.exe
Spyware:Spyware/BetterInet No disinfected C:\WINDOWS\CERES.DLL
Virus:Trj/Imiserv.D Disinfected C:\WINDOWS\systb.dll
Adware:Adware/BookedSpace No disinfected C:\WINDOWS\cfgmgr52.dll
Adware:Adware/BookedSpace No disinfected C:\WINDOWS\bsx32.ini
Adware:Adware/BookedSpace No disinfected C:\WINDOWS\hoprcvdi.exe
Virus:Trj/Updagent.A Disinfected C:\Program Files\Internet Explorer\svchost.exe
  • 0

Advertisements

#2
coachwife6
Posted 05 June 2005 - 11:35 AM

coachwife6

    SuperStar

  • Retired Staff
  • 11,413 posts
Since it's been over five (50) days, please run another log and post it in this thread. :tazz:
  • 0

#3
coachwife6
Posted 05 June 2005 - 12:52 PM

coachwife6

    SuperStar

  • Retired Staff
  • 11,413 posts
Hi. Welcome to GTG. :tazz: I went ahead and did a fix any way

You have avg and McAfee running. Please get rid of one. It's hurting you.

Please download CleanUp! - Download - HomePage

Don't run it yet.

You are running HijackThis from the Desktop; please create a new folder for it and move the program into the new folder

Please set your system to show
all hidden files; please see here if you're unsure how to do this.

Press Control-Alt-Del to enter the Task Manager.

Click on the Processes tab and end the following processes:

C:\WINDOWS\SYSTEM\XUJPIGL.EXE
Exit the Task Manager when finished.

Close all programs and all windows, leaving only HijackThis running. Please disconnect from the internet. Place a check narj against each of the following, making sure you get each one and not any others by mistake:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drs...esearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drs...esearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drs...esearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.altavista...ort/runonce.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: RsyncHlpr Class - {16B238D5-80DE-47CE-8F17-B3ECE2C2248D} - C:\WINDOWS\SYSTEM\RSYNCMON.DLL
O2 - BHO: CeresObj Class - {00000049-8F91-4D9C-9573-F016E7626484} - C:\WINDOWS\CERES.DLL
O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\SYSTB.DLL (file missing)
O2 - BHO: CExtension Object - {0019C3E2-DD48-4A6D-ABCD-8D32436323D9} - C:\WINDOWS\CFGMGR52.DLL
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [Compaq Internet Setup] C:\Compaq\Internet\InetWizard.exe /RUN
O4 - HKLM\..\Run: [CISrvr Program] C:\COMPAQ\INTERNET\CISRVR.EXE
O4 - HKLM\..\Run: [VsecomrEXE] C:\Program Files\Network Associates\McAfee VirusScan\VSECOMR.EXE
O4 - HKLM\..\Run: [Drag'n'Drop_Autolaunch] "C:\Program Files\Iomega HotBurn\Autolaunch.exe"
O4 - HKLM\..\Run: [AutoUpdater] "c:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKLM\..\Run: [cfgmgr52] RunDLL32.EXE C:\WINDOWS\CFGMGR52.DLL,DllRun
O4 - HKLM\..\Run: [xujpigl] c:\windows\system\xujpigl.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [Win Server Updt] C:\WINDOWS\wupdt.exe
O4 - HKCU\..\Run: [Reminder] C:\Program Files\Microsoft Money\System\reminder.exe
O4 - HKCU\..\Run: [spc_w] "C:\Program Files\JUSearch\hcm.exe" -w
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\OSA.EXE
O9 - Extra button: (no name) - {06FE5D00-8F11-11d2-804F-00105A133818} - http://jump.altavista.com/avie5/home (file missing)
O9 - Extra 'Tools' menuitem: &AltaVista Home - {06FE5D00-8F11-11d2-804F-00105A133818} - http://jump.altavista.com/avie5/home (file missing)
O9 - Extra button: Translate - {06FE5D05-8F11-11d2-804F-00105A133818} - http://jump.altavist...avie5/babelfish (file missing)
O9 - Extra 'Tools' menuitem: AV &Translate - {06FE5D05-8F11-11d2-804F-00105A133818} - http://jump.altavist...avie5/babelfish (file missing)
O9 - Extra button: (no name) - {06FE5D02-8F11-11d2-804F-00105A133818} - http://jump.altavist...vie5/linksearch (file missing)
O9 - Extra 'Tools' menuitem: &Find Pages Linking to this URL - {06FE5D02-8F11-11d2-804F-00105A133818} - http://jump.altavist...vie5/linksearch (file missing)
O9 - Extra button: (no name) - {06FE5D03-8F11-11d2-804F-00105A133818} - http://jump.altavist...vie5/hostsearch (file missing)
O9 - Extra 'Tools' menuitem: Find Other Pages on this &Host - {06FE5D03-8F11-11d2-804F-00105A133818} - http://jump.altavist...vie5/hostsearch (file missing)
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O16 - DPF: {2F5B39C5-C6F5-447A-A946-48B382C53985} - http://www.pacimedia...ll/pcs_0002.exe

Click on Fix Checked when finished and exit HijackThis.

Reboot into Safe Mode: please see here if you are not sure how to do this.


Using Windows Explorer, locate the following files/folders, and delete them:

C:\WINDOWS\SYSTEM\XUJPIGL.EXE
C:\WINDOWS\SYSTEM\RSYNCMON.DLL
C:\WINDOWS\CERES.DLL
C:\WINDOWS\SYSTB.DLL
C:\WINDOWS\CFGMGR52.DLL
c:\Program Files\AutoUpdate\<<entire folder
RunDLL32.EXE C:\WINDOWS\CFGMGR52.DLL,
C:\WINDOWS\wupdt.exe
C:\WINDOWS\web\related.htm
buddy.exe

Exit Explorer, and reboot as normal afterwards.


If you were unable to find any of the files then please follow these additional instructions:

Download Pocket Killbox and unzip it; save it to your Desktop.

Run it, and click the radio button that says Delete a file on reboot. For each of the files you could not delete, paste them one at a time into the full path of file to delete box and click the red circle with a white cross in it.

The program will ask you if you want to reboot; say No each time until the last one has been pasted in whereupon you should answer Yes.

Let the system reboot.

Run CleanUp!


Please reboot and post a fresh HijackThis log and we will take another look to see how we did.
  • 0

#4
fingle
Posted 05 June 2005 - 07:18 PM

fingle

    New Member

  • Topic Starter
  • Member
  • Pip
  • 6 posts
Thank you for your reply today! You cannot imagine how relieved I am!

I am currently unable to remove McAfee normally, and now if I attempt to run "Add/Remove Programs" or "Printers" I receive an error message that states the "rundll32.exe" is not found...

I will do any editing that you can recommend in regedit, or I can consult McAfee for the manual removal instructions. I think I'll stick with the free software until this machine is cleaned up again, then look into purchasing the latest McAfee software for this one, as we've had good luck so far on the wife's machine...

Everything you recommended has been done, although certain entries, such as "systb.dll", "rsyncmon.dll" and "wupdt.exe" were not found...

Here is the latest HijackThis log...

Cheers!
- Pat Hough

- - - - - - - - -

Logfile of HijackThis v1.99.1
Scan saved at 5:55:52 PM, on 6/5/2005
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\VSHWIN32.EXE
C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\WEBSCANX.EXE
c:\windows\SYSTEM\KB891711\KB891711.EXE
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\VSSTAT.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\ATICWD32.EXE
C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\CPQEADM.EXE
C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\AVCONSOL.EXE
C:\WINDOWS\TPPALDR.EXE
C:\WINDOWS\SYSTEM\ATITASK.EXE
C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPLPR.EXE
C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\BTTNSERV.EXE
C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPENH.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER FREE EDITION\PSFREE.EXE
C:\PROGRAM FILES\PANICWARE\POP-UP SCANNER\POPUPSCN.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\FINDFAST.EXE
C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
C:\PROGRAM FILES\SONY CORPORATION\IMAGE TRANSFER\SONYTRAY.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\DIGITAL IMAGING\BIN\HPOTDD01.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.presar...&s=search&i=enu
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://my.juno.com/s...ch?r=minisearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.presar...&s=search&i=enu
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.presar...&s=search&i=enu
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.altavista...ort/runonce.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: URLSearchHook Class - {37D2CDBF-2AF4-44AA-8113-BD0D2DA3C2B8} - C:\PROGRAM FILES\JUSEARCH\SEARCHENH1.DLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: JunoBar - {F5735C15-1FB2-41FE-BA12-242757E69DDE} - C:\PROGRAM FILES\JUNO\TOOLBAR.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [IrMon] IrMon.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [AtiCwd32] Aticwd32.exe
O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\Compaq\Easy Access Button Support\cpqeadm.exe
O4 - HKLM\..\Run: [EACLEAN] C:\Program Files\Compaq\Easy Access Button Support\eaclean.exe
O4 - HKLM\..\Run: [AvconsoleEXE] C:\Program Files\Network Associates\McAfee VirusScan\avconsol.exe /minimize
O4 - HKLM\..\Run: [Vshwin32EXE] C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\VSHWIN32.EXE
O4 - HKLM\..\Run: [VsStatEXE] C:\Program Files\Network Associates\McAfee VirusScan\VSSTAT.EXE /SHOWWARNING
O4 - HKLM\..\Run: [McAfeeWebScanX] C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\WebScanX.Exe
O4 - HKLM\..\Run: [TPP Auto Loader] C:\WINDOWS\TPPALDR.EXE
O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
O4 - HKLM\..\Run: [AtiKey] Atitask.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Service Connection] c:\cpqs\bwtools\bwtray.exe
O4 - HKLM\..\Run: [OEMCLEANUP] c:\windows\OPTIONS\oemreset.exe
O4 - HKLM\..\Run: [EPSON Stylus C84 Series] C:\WINDOWS\SYSTEM\E_S4I2D1.EXE /P23 "EPSON Stylus C84 Series" /O5 "LPT1:" /M "Stylus C84"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [Vshwin32EXE] C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\VSHWIN32.EXE
O4 - HKLM\..\RunServices: [McAfeeWebScanX] C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\WebScanX.Exe /RUNSERVICES
O4 - HKLM\..\RunServices: [KB891711] c:\windows\SYSTEM\KB891711\KB891711.EXE
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER FREE EDITION\PSFREE.EXE"
O4 - HKCU\..\Run: [Pop-Up_Scanner] "C:\PROGRAM FILES\PANICWARE\POP-UP SCANNER\POPUPSCN.EXE"
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\FINDFAST.EXE
O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O4 - Startup: Image Transfer.lnk = C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe
O4 - Startup: hpoddt01.exe.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - Startup: hp instant support.lnk = C:\Program Files\Hewlett-Packard\hpis\bin\matcli.exe
O8 - Extra context menu item: AltaVista Home - http://jump.altavista.com/avie5/home
O8 - Extra context menu item: AV Search This Term - http://jump.altavista.com/avie5/search
O8 - Extra context menu item: AV Translate this Web Page - http://jump.altavist...avie5/babelfish
O8 - Extra context menu item: AV Translate Selection - http://jump.altavist...avie5/babelfish
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/...ro.cab34246.cab
O16 - DPF: {3FE16C08-D6A7-4133-84FC-D5BFB4F7D886} (WebGameLoader Class) - http://zone.msn.com/...bGameLoader.cab
O16 - DPF: {DAF5D9A2-D982-4671-83E4-0398706A5F6A} (SCEWebLauncherCtl Object) - http://zone.msn.com/...WebLauncher.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.popcap.co...aploader_v6.cab
O16 - DPF: {3DA5D23B-EFE1-4181-ADB7-7D457567AACA} (TGOnlineCtrl Class) - http://zone.msn.com/...pandaonline.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9B03C5F1-F5AB-47EE-937D-A8EDA626F876} (Anonymizer Anti-Spyware Scanner) - http://download.zone...ctor/WebAAS.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.app.../ITDetector.cab

- - - - - -
  • 0

#5
coachwife6
Posted 05 June 2005 - 08:50 PM

coachwife6

    SuperStar

  • Retired Staff
  • 11,413 posts
Please Download CoolWebShredder, from http://www.geekstogo...=download&id=17 , Extract it & run the program. Click the Next Button & let it scan. Make sure you let it fix all CWS Remnants.

Please set your system to show
all hidden files; please see here if you're unsure how to do this.


Press Control-Alt-Del to enter the Task Manager.

Click on the Processes tab and end the following processes:

C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\VSHWIN32.EXE
C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\WEBSCANX.EXE
C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\VSSTAT.EXE
Exit the Task Manager when finished.

Close all programs and all windows, leaving only HijackThis running. Please disconnect from the internet. Place a check narj against each of the following, making sure you get each one and not any others by mistake:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.presar...&s=search&i=enu
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.presar...&s=search&i=enu
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.presar...&s=search&i=enu
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.altavista...ort/runonce.htm
O4 - HKLM\..\Run: [AvconsoleEXE] C:\Program Files\Network Associates\McAfee VirusScan\avconsol.exe /minimize
O4 - HKLM\..\Run: [Vshwin32EXE] C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\VSHWIN32.EXE
O4 - HKLM\..\Run: [VsStatEXE] C:\Program Files\Network Associates\McAfee VirusScan\VSSTAT.EXE /SHOWWARNING
O4 - HKLM\..\Run: [McAfeeWebScanX] C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\WebScanX.Exe
O4 - HKLM\..\RunServices: [McAfeeWebScanX] C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\WebScanX.Exe /RUNSERVICES
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\FINDFAST.EXE
O16 - DPF: {3DA5D23B-EFE1-4181-ADB7-7D457567AACA} (TGOnlineCtrl Class) - http://zone.msn.com/...pandaonline.cab

Click on Fix Checked when finished and exit HijackThis.

Reboot into Safe Mode: please see here if you are not sure how to do this.


Using Windows Explorer, locate the following files/folders, and delete them:

C:\PROGRAM FILES\NETWORK ASSOCIATES<<entire folder

Exit Explorer, and reboot as normal afterwards.


If you were unable to find any of the files then please follow these additional instructions:

Download Pocket Killbox and unzip it; save it to your Desktop.

Run it, and click the radio button that says Delete a file on reboot. For each of the files you could not delete, paste them one at a time into the full path of file to delete box and click the red circle with a white cross in it.

The program will ask you if you want to reboot; say No each time until the last one has been pasted in whereupon you should answer Yes.

Let the system reboot.

Run CleanUp!

Please reboot and post a fresh HijackThis log and we will take another look to see how we did.
  • 0

#6
fingle
Posted 05 June 2005 - 09:28 PM

fingle

    New Member

  • Topic Starter
  • Member
  • Pip
  • 6 posts
Hello,

I have been unable to use CWShredder since downloading it several days ago, and the latest download suffers the same fate.

I am missing the file "oleacc.dll" so the program will not run.

I am also now missing "rundll32.exe" and do not know which of the many, many .cab files in the folder Win98 might contain this file. The folders are all compressed, but if you have ay advice on where to go to look for either of these files, I'd appreciate it.

I would ask my wife to e-mail me the files, but at this time she's probably at work in Hong Kong and will not be available to send me any files until she gets home, at about 3 AM my local time (Southern California!)

I will ask a friend who is local to send me the files if he is home, He's running XP, but I can probably get both of those files from him.

Until I install oleacc.dll I will be unable to run CWShredder, so I'll hold off on the other steps until that time. Thank you for your time today!

I have to take the 6th grader out for dinner right now. She's been patiently waiting for me to fix the printer/scanner so that she can complete some of the artwork for her science proect, but it'll have to wait 'til tomorrow.

Heck, I can get the files from work tomorrow!

Wish me luck, and thanks again for the help!

Back soon...

- Pat Hough
  • 0

#7
fingle
Posted 06 June 2005 - 02:14 AM

fingle

    New Member

  • Topic Starter
  • Member
  • Pip
  • 6 posts
Okay, I solved all of the missing .dll or .exe's by reinstalling Win98...

CWShredder was able to run, but found nothing...

Instituted each of your latest suggestions re: McAfee and all the rest...

I haven't had any popup ads in a bit, and the popusstopper seems to be less busy, so this is getting better!

Here's the latest:

Cheers!
- Pat Hough

- - - - - - - - - - - - -

Logfile of HijackThis v1.99.1
Scan saved at 1:14:12 AM, on 6/6/2005
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
c:\windows\SYSTEM\KB891711\KB891711.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\ATICWD32.EXE
C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\CPQEADM.EXE
C:\WINDOWS\TPPALDR.EXE
C:\WINDOWS\SYSTEM\ATITASK.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\BTTNSERV.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER FREE EDITION\PSFREE.EXE
C:\PROGRAM FILES\PANICWARE\POP-UP SCANNER\POPUPSCN.EXE
C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
C:\PROGRAM FILES\SONY CORPORATION\IMAGE TRANSFER\SONYTRAY.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\DIGITAL IMAGING\BIN\HPOTDD01.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://my.juno.com/s...ch?r=minisearch
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: URLSearchHook Class - {37D2CDBF-2AF4-44AA-8113-BD0D2DA3C2B8} - C:\PROGRAM FILES\JUSEARCH\SEARCHENH1.DLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: JunoBar - {F5735C15-1FB2-41FE-BA12-242757E69DDE} - C:\PROGRAM FILES\JUNO\TOOLBAR.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [IrMon] IrMon.exe
O4 - HKLM\..\Run: [AtiCwd32] Aticwd32.exe
O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\Compaq\Easy Access Button Support\cpqeadm.exe
O4 - HKLM\..\Run: [EACLEAN] C:\Program Files\Compaq\Easy Access Button Support\eaclean.exe
O4 - HKLM\..\Run: [TPP Auto Loader] C:\WINDOWS\TPPALDR.EXE
O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
O4 - HKLM\..\Run: [AtiKey] Atitask.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Service Connection] c:\cpqs\bwtools\bwtray.exe
O4 - HKLM\..\Run: [OEMCleanup] C:\WINDOWS\OPTIONS\OEMRESET.EXE
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [KB891711] c:\windows\SYSTEM\KB891711\KB891711.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] c:\windows\SYSTEM\mstask.exe
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER FREE EDITION\PSFREE.EXE"
O4 - HKCU\..\Run: [Pop-Up_Scanner] "C:\PROGRAM FILES\PANICWARE\POP-UP SCANNER\POPUPSCN.EXE"
O4 - HKCU\..\RunServices: [PopUpStopperFreeEdition] "C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER FREE EDITION\PSFREE.EXE"
O4 - HKCU\..\RunServices: [Pop-Up_Scanner] "C:\PROGRAM FILES\PANICWARE\POP-UP SCANNER\POPUPSCN.EXE"
O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O4 - Startup: Image Transfer.lnk = C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe
O4 - Startup: hpoddt01.exe.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - Startup: hp instant support.lnk = C:\Program Files\Hewlett-Packard\hpis\bin\matcli.exe
O8 - Extra context menu item: AltaVista Home - http://jump.altavista.com/avie5/home
O8 - Extra context menu item: AV Search This Term - http://jump.altavista.com/avie5/search
O8 - Extra context menu item: AV Translate this Web Page - http://jump.altavist...avie5/babelfish
O8 - Extra context menu item: AV Translate Selection - http://jump.altavist...avie5/babelfish
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm (file missing)
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm (file missing)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/...ro.cab34246.cab
O16 - DPF: {3FE16C08-D6A7-4133-84FC-D5BFB4F7D886} (WebGameLoader Class) - http://zone.msn.com/...bGameLoader.cab
O16 - DPF: {DAF5D9A2-D982-4671-83E4-0398706A5F6A} (SCEWebLauncherCtl Object) - http://zone.msn.com/...WebLauncher.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.popcap.co...aploader_v6.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9B03C5F1-F5AB-47EE-937D-A8EDA626F876} (Anonymizer Anti-Spyware Scanner) - http://download.zone...ctor/WebAAS.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.app.../ITDetector.cab
O16 - DPF: Win32 Classes - file://c:\windows\Java\classes\win32ie4.cab
  • 0

#8
coachwife6
Posted 06 June 2005 - 02:29 PM

coachwife6

    SuperStar

  • Retired Staff
  • 11,413 posts
Check these two in hijack this:

O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm (file missing)
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm (file missing)

How is it running? :tazz:
  • 0

#9
fingle
Posted 06 June 2005 - 11:36 PM

fingle

    New Member

  • Topic Starter
  • Member
  • Pip
  • 6 posts
I've "fixed" the last two you suggested...

It's running very, very well. Thank you very much for your help. THis has been a trying couple of weeks with my wife out of the country. Bad time to not have a reliable home computer!

I am using AVG for anti-virus, and I'll be running Ad-Aware, Spybot Search and Destroy, and Spyware Blaster to combat future incursions. I will also run CWShredder and CleanUp40, as well as the online PandaScan app.

Can you recommend a decent, free firewall?

I'll be purchasing the McAfee products soon, but not until a couple more paydays are past...

Thank you again!
- Pat Hough


- - - - - - - - - - - - - -

Logfile of HijackThis v1.99.1
Scan saved at 10:24:35 PM, on 6/6/2005
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
c:\windows\SYSTEM\KB891711\KB891711.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\ATICWD32.EXE
C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\CPQEADM.EXE
C:\WINDOWS\TPPALDR.EXE
C:\WINDOWS\SYSTEM\ATITASK.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\BTTNSERV.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER FREE EDITION\PSFREE.EXE
C:\PROGRAM FILES\PANICWARE\POP-UP SCANNER\POPUPSCN.EXE
C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
C:\PROGRAM FILES\SONY CORPORATION\IMAGE TRANSFER\SONYTRAY.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\DIGITAL IMAGING\BIN\HPOTDD01.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\OUTLOOK EXPRESS\MSIMN.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://my.juno.com/s...ch?r=minisearch
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: URLSearchHook Class - {37D2CDBF-2AF4-44AA-8113-BD0D2DA3C2B8} - C:\PROGRAM FILES\JUSEARCH\SEARCHENH1.DLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: JunoBar - {F5735C15-1FB2-41FE-BA12-242757E69DDE} - C:\PROGRAM FILES\JUNO\TOOLBAR.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [IrMon] IrMon.exe
O4 - HKLM\..\Run: [AtiCwd32] Aticwd32.exe
O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\Compaq\Easy Access Button Support\cpqeadm.exe
O4 - HKLM\..\Run: [EACLEAN] C:\Program Files\Compaq\Easy Access Button Support\eaclean.exe
O4 - HKLM\..\Run: [TPP Auto Loader] C:\WINDOWS\TPPALDR.EXE
O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
O4 - HKLM\..\Run: [AtiKey] Atitask.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Service Connection] c:\cpqs\bwtools\bwtray.exe
O4 - HKLM\..\Run: [OEMCleanup] C:\WINDOWS\OPTIONS\OEMRESET.EXE
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [KB891711] c:\windows\SYSTEM\KB891711\KB891711.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] c:\windows\SYSTEM\mstask.exe
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER FREE EDITION\PSFREE.EXE"
O4 - HKCU\..\Run: [Pop-Up_Scanner] "C:\PROGRAM FILES\PANICWARE\POP-UP SCANNER\POPUPSCN.EXE"
O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O4 - Startup: Image Transfer.lnk = C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe
O4 - Startup: hpoddt01.exe.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - Startup: hp instant support.lnk = C:\Program Files\Hewlett-Packard\hpis\bin\matcli.exe
O8 - Extra context menu item: AltaVista Home - http://jump.altavista.com/avie5/home
O8 - Extra context menu item: AV Search This Term - http://jump.altavista.com/avie5/search
O8 - Extra context menu item: AV Translate this Web Page - http://jump.altavist...avie5/babelfish
O8 - Extra context menu item: AV Translate Selection - http://jump.altavist...avie5/babelfish
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/...ro.cab34246.cab
O16 - DPF: {3FE16C08-D6A7-4133-84FC-D5BFB4F7D886} (WebGameLoader Class) - http://zone.msn.com/...bGameLoader.cab
O16 - DPF: {DAF5D9A2-D982-4671-83E4-0398706A5F6A} (SCEWebLauncherCtl Object) - http://zone.msn.com/...WebLauncher.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.popcap.co...aploader_v6.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9B03C5F1-F5AB-47EE-937D-A8EDA626F876} (Anonymizer Anti-Spyware Scanner) - http://download.zone...ctor/WebAAS.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.app.../ITDetector.cab
O16 - DPF: Win32 Classes - file://c:\windows\Java\classes\win32ie4.cab
  • 0

#10
coachwife6
Posted 07 June 2005 - 03:25 AM

coachwife6

    SuperStar

  • Retired Staff
  • 11,413 posts
Please do not run cwshdredder on a machine unless prescribed so by a malware expert. Running CWShredder on a healthy machine can cause damage.

I've never heard of CleanUp40. Is that the CleanUp? I've asked you to run.

ZoneAlartm and Sygate have free products. I would continue to use AVG along with the other products if money is an issue. Now that you are aware of what can help and hurt your computer, I think you're in good hands.

It's looking good. :help: Glad we could help.

Congratulations! Your system is CLEAN :tazz:

How do you prevent spyware from being installed again? We strongly recommend installing SpywareBlaster (it's free for personal use) Click Here.

Prevent the installation of ActiveX-based spyware, adware, browser hijackers, dialers, and other potentially unwanted pests.
Block spyware/tracking cookies in Internet Explorer and Mozilla/Firefox.
Restrict the actions of potentially dangerous sites in Internet Explorer.
Consumes no system resources.

Download, run, check for updates, download updates, select all, protect against checked. All done. Check for updates every couple of weeks. If you have any errors running the program like a missing file see the link at the bottom of the javacool page.

It's also very important to keep your system up to date to avoid unnecessary security risks. Click Here to make sure that you have the latest patches for Windows.

These next two steps are optional, but will provide the greatest protection.
1. Use ANY browser besides Internet Explorer, almost every exploit is crafted to take advantage of an IE weakness. We usually recommend FireFox Posted Image.
2. Install Sun's Java. It's much more secure than Microsoft's Java Virtual Machine .

It's okay to delete the Hijack This folder if everything is working okay.

After doing all these, your system will be thoroughly protected from future threats. ;)
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP