Dirty Windows ! [RESOLVED]

#1
doug-smith, New Member, 3 posts
Attached files: hijackthislog.txt (3.23KB), genscanner.txt (366 bytes)

Greetings:

Can somebody please help me resurrect my PC?

Non-Proprietary
AMD K6-233 (MMX)
ATC-5030 MB w/ Intel Chipset (430TX)
8.0gb HDD / 128mb SDRAM / 16mb Dia. Monster Fusion PCI
10/100 fast ethernet pci to ZyXEL ADSL mdm@384/128kbp
Windoze 98 OSR 1 (patched).
Okay, I know it's not much but it will get me by 'till I build another.

PROBLEM
Long story short: Last week my PC was kidnapped by [180 Search Assistant].
It took hours and hours before I was able to regain some control of the system.
Since then I have gone through the process (thrice) of downloading and running the programs (AdAware SE, SpyBot S&D, CWShredder, tds3, Spyware Blaster etc.).
I have not been able to restore the system to a halfway stable condition. I have installed & un-installed just about every antivirus on the market. I've done several on-line scans at BitDefender, Panda, Trend Micro and others. Each time, a different Vscan program would reveal a different virus overlooked by the former scanner. I do believe that many of those were false positives.
I had the same results with the many, many malware/adware removal scans I performed. Each program uncovered an intrusion not detected by the former. Some of which were also FPs.
Anyways, in the last 5 days I have removed at least 30 different problems ranging from spy/adware, dialers, media motors, backdoors, trojans and more. Each time I would attempt to visit an antivirus or malware removal provider, my network connection would simply freeze up, as well as the whole system, forcing me to reboot [CTRL] [ALT] [DEL].
I'm confident that I've removed most of the culprits; however, I still experience the freeze-ups at antivirus sites and downloads. Yesterday I was attempting to download a 53 mb scanner from F-Secure Systems; all was going well and at 48 megs the system locked up. I am still experiencing this annoyance. I know that I still have something running in the background but I can't find out what it is. All of the virus scanners come up clean now, as do the spyware and adware scanners. Most of the detection and removal programs I have used have been freeware or shareware, but I have had to fork out a pretty good penny to acquire some of the others. I don't really want to pay out more $ without the guarantee of a fix now.
I'm pretty sure that whatever is still lurking on the computer is TSR because at a clean boot-up, my system resources are at 50-55% free and my memory drops almost instantaneously from 128mb to around about 4 to 6% free. I do have a custom page file of about 320 min and 320 max, but they remain almost completely free during all this. My firewall is a bit heavy on system resources but nowhere near to that extent (ZoneAlarm Pro).
One more bit of info and I will close this novel. I have a trial version of XoftSpy Spyware Remover 4.15.00 (freescan only). This is the only scanner that still reveals a threat. Below is cut from the XoftSpy log:
<ScanningRegKeys>
</SW>
<SW NAME = "W32.Xabot.Worm">
<REGKEYFOUND NAME = "software\microsoft\windows\currentversion\run-"/>
<REGKEY NAME = "W32.Xabot.Worm software\microsoft\windows\currentversion\run-"/>
:
I have not been able to locate this in the registry, nor can I find any files or extensions associated with it. I don't know if it's a falsey or not. HijackThis doesn't make any reference to W32.Xabot.Worm either. It is a legit worm but hardly in circulation.
So, what do you think? Am I SOL? This has turned out to be the toughest troubleshoot I've ever performed. I'm no super-techy but I'm certainly far from being a novice, but this incident has left me with more questions than answers and that really sucks.
Finally, please take a look at the attachment to this post. In there you will find an excerpt from one of my Spyware Doctor logs. It's in *.txt format. Tell me what you think about it and how I can find out if it has done any damage.
Thanks so much for your time and effort.

#2
Excal, Malware Slayer Extraordinaire! (Retired Staff, 12,739 posts)
Hi doug-smith and welcome to GeeksToGo! My name is Excal and I will be helping you.

I apologize for the delay getting to your log, the helpers here are very busy.
If you still need help, please post a fresh Hijack log, in this thread, so I can help you with your Malware Problems.

If you have resolved this issue please let us know.

:tazz:

Excal

#3
doug-smith, New Member, Topic Starter, 3 posts
Thanks Excal
I was beginning to wonder if anyone would answer. But I understand you guys are loaded down. Perhaps when (if) I get this PC back on track, I will join you guys in your mission.
Anyway, everything is pretty much the same as when I posted the original.
I'm not sure this new HijackThis log will be of any help to you though. Tell me I'm wrong! And BTW, I've narrowed my virus protection down to ZoneAlarm, so I would guess that the other scanner entries could be removed.
Here's the log:

Logfile of HijackThis v1.99.1
Scan saved at 5:26:04 AM, on 7/15/05
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\IOMEGA\DRIVEICONS\IMGICON.EXE
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
C:\WINDOWS\SYSTEM\ZONELABS\ISAFE.EXE
C:\PROGRAM FILES\TUNEUP UTILITIES 2004\MEMOPTIMIZER.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\GMM COMPUTER TECHNOLOGIES\WINDOW SHADES\WSTRAYICON.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\DOWNLOADS\UTILITIES\MISC\HIJACKTHIS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: Window Shades - {B5B57F4F-EFA5-11D4-A971-444553540000} - C:\PROGRA~1\GMMCOM~1\WINDOW~1\WINDOW~1.DLL
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~3\TOOLS\IESDSG.DLL
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~3\TOOLS\IESDPB.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT\SDHELPER.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
O4 - HKLM\..\Run: [Deskup] C:\Program Files\Iomega\DriveIcons\deskup.exe /IMGSTART
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~3\TOOLS\IESDPB.DLL
O16 - DPF: {82F2D6B2-6C58-4404-A930-9DB0FD90D4B1} (Driver_Detective_v43_Non_Member.DD_v43) - http://www.drivershq..._Non_Member.CAB
O16 - DPF: {E7D2588A-7FB5-47DC-8830-832605661009} - https://livesc02.cus...l/java/RntX.cab
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} - http://a19.g.akamai....02/cpbrkpie.cab
O16 - DPF: {0713E8D2-850A-101B-AFC0-4210102A8DA7} (Microsoft ProgressBar Control, version 5.0 (SP2)) - http://download.mcaf...22/ComCtl32.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefend...can8/oscan8.cab
O16 - DPF: {2359626E-7524-4F87-B04E-22CD38A0C88C} (ICSScannerLight Class) - http://download.zone...ee/cm/ICSCM.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {9B03C5F1-F5AB-47EE-937D-A8EDA626F876} (Anonymizer Anti-Spyware Scanner) - http://download.zone...ctor/WebAAS.cab
O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.co...clean_micro.exe
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/...ro.cab34246.cab

Thanks.

#4
Excal, Malware Slayer Extraordinaire! (Retired Staff, 12,739 posts)
Hi Doug,

Believe it or not, that log looks clean. You did a good job cleaning it up.
All I see is ZoneAlarm on your computer for protection. You still need an antivirus at the very minimum. I will give you a whole list of free products you can use for your computer when we are done. For the time being, please download and install one of these free antiviruses so you won't be completely unprotected.

If you are unhappy with your current antivirus and want to replace it, or if you don't already have one, I suggest one of these free programs:
*Note - do not use more than one anti-virus program as it will more than likely cause conflict.

AVG
Avast
AntiVir


Open Hijackthis. Do a scan and put a check next to the following items:

O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~3\TOOLS\IESDPB.DLL


Click FIXED CHECKED

Run this online virus scan: ActiveScan - Save the results from the scan and post them back here

Thanks,

:tazz:

Excal!

#5
doug-smith, New Member, Topic Starter, 3 posts
Hi Excal, thanks for reviewing my logs. I did as you instructed.
Before I paste the new HT log, let me ask you this: Can I remove (fix) all the online scanner refs and anything pertaining to virus scans? I am using AV software (ZoneLabs Antivirus w/firewall); should I junk it and go with AVG?
Thanks.

Logfile of HijackThis v1.99.1
Scan saved at 1:03:05 AM, on 7/16/05
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\IOMEGA\DRIVEICONS\IMGICON.EXE
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
C:\WINDOWS\SYSTEM\ZONELABS\ISAFE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\GMM COMPUTER TECHNOLOGIES\WINDOW SHADES\WSTRAYICON.EXE
C:\DOWNLOADS\UTILITIES\MISC\HIJACKTHIS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: Window Shades - {B5B57F4F-EFA5-11D4-A971-444553540000} - C:\PROGRA~1\GMMCOM~1\WINDOW~1\WINDOW~1.DLL
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~3\TOOLS\IESDSG.DLL
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~3\TOOLS\IESDPB.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT\SDHELPER.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
O4 - HKLM\..\Run: [Deskup] C:\Program Files\Iomega\DriveIcons\deskup.exe /IMGSTART
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O16 - DPF: {82F2D6B2-6C58-4404-A930-9DB0FD90D4B1} (Driver_Detective_v43_Non_Member.DD_v43) - http://www.drivershq..._Non_Member.CAB
O16 - DPF: {E7D2588A-7FB5-47DC-8830-832605661009} - https://livesc02.cus...l/java/RntX.cab
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} - http://a19.g.akamai....02/cpbrkpie.cab
O16 - DPF: {0713E8D2-850A-101B-AFC0-4210102A8DA7} (Microsoft ProgressBar Control, version 5.0 (SP2)) - http://download.mcaf...22/ComCtl32.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefend...can8/oscan8.cab
O16 - DPF: {2359626E-7524-4F87-B04E-22CD38A0C88C} (ICSScannerLight Class) - http://download.zone...ee/cm/ICSCM.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {9B03C5F1-F5AB-47EE-937D-A8EDA626F876} (Anonymizer Anti-Spyware Scanner) - http://download.zone...ctor/WebAAS.cab
O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.co...clean_micro.exe
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/...ro.cab34246.cab
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinn...ed/wwlaunch.cab

end of hjlog.

And what about that thing at O16 with the ftp coupons stuff? Can I get rid of it too or do I need it for something?

I will post the Active Scan results in a few minutes.
Panda Active Scan in Progress....

Edited by doug-smith, 16 July 2005 - 01:31 AM.


#6
Excal, Malware Slayer Extraordinaire! (Retired Staff, 12,739 posts)
Hi doug,

If ZoneLabs Antivirus w/firewall is working for you, then that's fine. You can supplement it with the online scans ;)


In regards to the O16's, they are ActiveX Objects (aka Downloaded Program Files).
Here is a good site if you want to read about them. Those O16's you have are not malicious.

http://www.active-x....cles/whatis.htm

Great job, it appears your computer is clean :tazz:

Ensure you rehide your “hidden files and folders” back to the way they were.

Now that your system is Malware Free, it is important to reset your system Restore. Click Here to learn how to.

Might I suggest the following Free Spyware programs, if you don't already have them, for added security, you can download them at the following links. These programs work great for detection:

Ad-aware SE
Spybot S&D
Microsoft Anti-Spyware


If you are unhappy with your current antivirus and want to replace it, or if you don't already have one, I suggest one of these free programs:
*Note - do not use more than one anti-virus program as it will more than likely cause conflict.

AVG
Avast
AntiVir


The following free programs are great for prevention:

SpywareBlaster 3.4
Spywareguard
IE/Spyad

A Firewall is a must! Here are 3 good free versions:
(do not have more than one firewall running on your system)

Sygate
Kerio
ZoneLabs

There are other options other than Internet Explorer for a browser, which some say have better security. Two of them are:

Firefox
Opera

If you decide to keep Internet Explorer, this site is a great source for tightening up security on its settings.

Make sure that you keep your Operating System and IE updated with the latest Critical Security Updates from Microsoft...they usually come out once a month, on the 2nd Tuesday of each month.

Be sure to give the Temp folders a cleaning out now and then as well. Make sure after you clean your Temp files to empty out your Recycle Bin as well.
For ease use the following program:

Cleanup
Run "Cleanup" and when it has finished, Reboot

To help prevent future spyware installations/infections, please read the Anti-Spyware Tutorial and use the tools provided. Also read How I got Infected
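Excal's triage in post #4 (remove the O9 entries whose target reads "(no file)" or "(file missing)") and his note in post #6 (O16 entries are ActiveX Downloaded Program Files pulled from a URL) are both mechanical checks on the log format. The script below is an added example, written for this page; it is not code from the thread, from HijackThis, or from Geeks to Go. It parses HijackThis-style lines, flags the orphaned entries, lists the O4 autostart items (the Run/RunServices registry values that matter most when looking for something that "still runs in the background"), and extracts the hosts that O16 controls were downloaded from so they can be reviewed. The sample lines are copied from the logs posted in this thread, except for the O16 URL, which is a constructed placeholder because the thread's O16 URLs are truncated; the section descriptions are assumptions paraphrased from what the log lines themselves show.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlparse

# Constructed sample input: a handful of lines copied from the HijackThis logs
# posted in this thread. The O16 URL is a placeholder host, because the thread's
# own O16 URLs are truncated.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Platform: Windows 98 Gold (Win9x 4.10.1998)

Running processes:
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT\SDHELPER.DLL
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://scanner.example.invalid/oscan8.cab
"""

# Every HijackThis finding starts with a section tag such as R0, O2, O4, O16.
ENTRY_RE = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<body>.+)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
URL_RE = re.compile(r"https?://\S+")
# O4 bodies look like: HKLM\..\Run: [Value name] command line
AUTOSTART_RE = re.compile(r"^(?P<key>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")

# Assumed descriptions for the section tags seen in this thread's logs.
SECTION_NAMES = {
    "R0": "IE start/search page",
    "O2": "Browser Helper Object (loaded into every IE window)",
    "O4": "Autostart entry (Run/RunServices keys, Startup folder)",
    "O9": "Extra IE button or Tools menu item",
    "O16": "Downloaded Program File (ActiveX control fetched from a URL)",
}


@dataclass
class Entry:
    section: str
    body: str
    clsid: Optional[str]
    url: Optional[str]
    orphaned: bool  # the entry's target is gone: "(no file)" or "(file missing)"


def parse_log(text: str) -> List[Entry]:
    """Turn a HijackThis log into Entry records, skipping headers and the process list."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        body = m.group("body")
        clsid = CLSID_RE.search(body)
        url = URL_RE.search(body)
        entries.append(Entry(
            section=m.group("section"),
            body=body,
            clsid=clsid.group(0) if clsid else None,
            url=url.group(0) if url else None,
            orphaned="(no file)" in body or "(file missing)" in body,
        ))
    return entries


def orphaned_entries(entries: List[Entry]) -> List[Entry]:
    """Entries whose file is missing: dead references left behind by uninstalled software."""
    return [e for e in entries if e.orphaned]


def autostart_entries(entries: List[Entry]) -> Dict[str, Tuple[str, str]]:
    """O4 items as value name -> (registry key, command line); review these first."""
    out: Dict[str, Tuple[str, str]] = {}
    for e in entries:
        if e.section != "O4":
            continue
        m = AUTOSTART_RE.match(e.body)
        if m:
            out[m.group("name")] = (m.group("key"), m.group("cmd"))
    return out


def dpf_hosts(entries: List[Entry]) -> List[str]:
    """Hosts that O16 Downloaded Program Files were fetched from, sorted for review."""
    hosts = {urlparse(e.url).hostname for e in entries if e.section == "O16" and e.url}
    return sorted(h for h in hosts if h)


if __name__ == "__main__":
    found = parse_log(SAMPLE_LOG)
    for e in found:
        print(f"{e.section:>4}  {SECTION_NAMES.get(e.section, 'other')}")
    print("orphaned:", [e.clsid for e in orphaned_entries(found)])
    print("autostart:", autostart_entries(found))
    print("O16 hosts:", dpf_hosts(found))
```

On the thread's second log this flags exactly the two "(no file)"/"(file missing)" O9 lines Excal asked to be fixed, and the O16 host list is the short review list for the question "do I need it for something?": an online scanner's own host is expected, an unfamiliar one is worth looking up before keeping.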

#7
Excal, Malware Slayer Extraordinaire! (Retired Staff, 12,739 posts)
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :tazz:

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.