KavSvc, plus a bunch more [RESOLVED]


This topic is locked

#1 Evonne (Member, 20 posts)

I've tried cleaning the viruses from my computer following the instructions at eTrust Virus encyclopedia. But after three weeks, I feel like I'm no further ahead than I was when I started. I think Bargain Buddy/ceres is gone. But KavSvc keeps coming back. And I can't get rid of Salm; 180Solutions keeps showing up in my virus scans.

I've run Trend Micro Housecall, AdAware, and McAfee. Spybot only finds a couple of cookies. There are a bunch of files in my Windows and Windows/System folders that show up as "Infected/Malware" when I run them through Jotti. When I start up my computer, a Work Offline box shows up that says "no Internet connection is available;" and I get an error that Explorer.exe "has requested the Runtime to terminate in an unusual way."

Please bear with me, as I've never posted to any type of forum before. But I'm so frustrated! My computer has enough quirks of its own without all of this. In addition to the computer freezing regularly when I'm online, I now get a blue screen when I try to shut down, the printer won't print more than a couple of pages without rebooting the computer, and the whole system has slowed to a crawl. Some problems may be from old hardware, some may be from viruses, and some may be from HP and AOL not playing together well.

I really appreciate any help you can give me. Here's my HJT log from this morning.

Logfile of HijackThis v1.99.1
Scan saved at 6:20:40 AM, on 7/14/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\EASY INTERNET\ENCMONTR.EXE
C:\PROGRAM FILES\COMMON FILES\AOL\ACS\ACSD.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMKEYBD.EXE
C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSRTE.EXE
c:\windows\SYSTEM\KB891711\KB891711.EXE
C:\WINDOWS\SYSTEM\HIDSERV.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\KEYBDMGR.EXE
C:\WINDOWS\SYSTEM\MSGLOOP.EXE
C:\PROGRAM FILES\NETROPA\ONSCREEN DISPLAY\OSD.EXE
C:\WINDOWS\SYSTEM\MSG32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMUSBKB2.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\HPSYSDRV.EXE
C:\PROGRAM FILES\DIRECTCD\DIRECTCD.EXE
C:\WINDOWS\SYSTEM\WPSPSW.EXE
C:\WINDOWS\SYSTEM\USBMMKBD.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\WINDOWS\MESSAGE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSSHLD.EXE
C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSESCN.EXE
C:\PROGRAM FILES\MCAFEE.COM\AGENT\MCAGENT.EXE
C:\WINDOWS\HAPMLL.EXE
C:\WINDOWS\RunDLL.exe
C:\PROGRAM FILES\GAMES\SHOCKWAVE\SHOCKMACHINE\SMREMINDER.EXE
C:\PROGRAM FILES\AMERICA ONLINE 9.0\AOLTRAY.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\AIO\HP PSC 900 SERIES\BIN\HPOBRT07.EXE
C:\AMERICA ONLINE 5.0\DOWNLOAD\JESS\NEW FILES\EBOOK\GEVALIASUMMER2002LD\MEDIA_MANAGER.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\AIO\SHARED\BIN\HPOEVM07.EXE
C:\WINDOWS\SYSTEM\HPOIPM07.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\AIO\SHARED\BIN\HPOSTS07.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\AIO\SHARED\BIN\HPOFXM07.EXE
C:\WINDOWS\DESKTOP\VIRUS INFO\HJT\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.denverbroncos.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.smarter.c...x.php?sidebar=1
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.smarter.c...x.php?sidebar=1
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by America Online
F1 - win.ini: load=WPSLOAD.EXE
O2 - BHO: Yahoo! Companion BHO - {02478D28-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRAM FILES\YAHOO!\COMPANION\YCOMP5_0_2_6.DLL
O2 - BHO: IEProxyHelperObj Class - {43DF16FD-D9ED-4c9e-B14A-F3236A12C649} - C:\PROGRAM FILES\MUSICNOW\IEPROXYHELPER.DLL
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\YCOMP5_0_2_6.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSSHL.DLL
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [HPScanPatch] C:\WINDOWS\SYSTEM\HPScanFix.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [Adaptec DirectCD] C:\Program Files\DirectCD\DIRECTCD.EXE
O4 - HKLM\..\Run: [USBMMKBD] usbmmkbd.exe
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [Screen Saver Messenger] C:\WINDOWS\MESSAGE.EXE
O4 - HKLM\..\Run: [WT GameChannel] C:\Program Files\WildTangent\Apps\GameChannel.exe
O4 - HKLM\..\Run: [FullAudio] "C:\PROGRA~1\MUSICNOW\WMPImporter.exe"
O4 - HKLM\..\Run: [McAfeeWebScanX] C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\WebScanX.exe
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\MCAFEE.COM\VSO\MCMNHDLR.EXE" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "C:\PROGRA~1\MCAFEE.COM\VSO\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] C:\PROGRA~1\MCAFEE.COM\AGENT\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\MCAFEE.COM\AGENT\MCUPDATE.EXE
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\hapmll.exe reg_run
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [Encompass_ENCMONTR] C:\Program Files\Easy Internet\ENCMONTR.EXE
O4 - HKLM\..\RunServices: [Hidserv] Hidserv.exe run
O4 - HKLM\..\RunServices: [AolAcsDaemon1] "C:\PROGRAM FILES\COMMON FILES\AOL\ACS\ACSD.EXE"
O4 - HKLM\..\RunServices: [Keyboard Manager] C:\Program Files\Netropa\One-touch Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\RunServices: [McVsRte] C:\PROGRA~1\MCAFEE.COM\VSO\mcvsrte.exe /embedding
O4 - HKLM\..\RunServices: [KB891711] c:\windows\SYSTEM\KB891711\KB891711.EXE
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - HKCU\..\Run: [ShockmachineReminder] C:\Program Files\Games\Shockwave\Shockmachine\SmReminder.exe
O4 - Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Startup: HPAiODevice(hp psc 900 series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp psc 900 series\Bin\hpobrt07.exe
O4 - Startup: Media Manager.lnk = C:\America Online 5.0\download\Jess\New files\Ebook\GevaliaSummer2002LD\media_manager.exe
O4 - Startup: rait.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YPAGER.EXE
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YPAGER.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O14 - IERESET.INF: START_PAGE_URL=http://www.aol.com
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg...v45/yacscom.cab
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg...t/c381/chat.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: Tri-Peaks by pogo - http://peaks.pogo.co...s-ob-assets.cab
O16 - DPF: World Class Solitaire by pogo - http://klondike.pogo...s-ob-assets.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://antu.popcap.c...aploader_v5.cab
O16 - DPF: Squelchies by pogo - http://squelchies.po...s-ob-assets.cab
O16 - DPF: Pop Fu by pogo - http://popfu.pogo.co...u-ob-assets.cab
O16 - DPF: Word Whomp Whackdown by pogo - http://game1.pogo.co...n-ob-assets.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - https://a248.e.akama...qt/qtplugin.cab
O16 - DPF: Dice Derby by pogo - http://checkeredflag...g-ob-assets.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/...ro.cab32846.cab
O16 - DPF: Phlinx by pogo - http://game1.pogo.co...r-ob-assets.cab
O16 - DPF: Lottso by pogo - http://game1.pogo.co...o-ob-assets.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - https://objects.aol....83/mcinsctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - https://objects.aol....,20/McGDMgr.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/s...nfo/webscan.cab


#2 Metallica (Spyware Veteran, GeekU Moderator, 31,672 posts)

Please Download the following tools to assist us in removing this infection!
  • Download WinPFind
    • Right Click the Zip Folder and Select "Extract All"
    • Extract it somewhere you will remember like the Desktop
    • Don't do anything with it yet!
  • Download Track qoo
    • Save it somewhere you will remember like the Desktop
Reboot into Safe Mode
Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

Double-click WinPFind.exe
  • Click "Start Scan"
  • It will scan the entire System, so please be patient!
  • Once the Scan is Complete
  • Go to the WinPFind folder
  • Locate WinPFind.txt
  • Place those results in the next post!
Reboot back to Normal Mode!

Double Click on "Track qoo.vbs"

Note - If your antivirus has Script Blocking, you will get a pop-up window asking you what to do. Allow this entire script to run; it's harmless!

Wait a few seconds and a notepad page will pop up, Copy & Paste those results and place them in the next post along with the results of WinPFind!

Regards,

#3 Evonne (Topic Starter)

Hi! Thanks so much for responding to my problems.

I downloaded WinPFind with no problem, and have posted that below. I couldn't download Track qoo from the link you gave me. So I did a search and downloaded Track_qoo_1. But when I ran that I got a "Windows Script Host" error at Line 16 that said "File name or class name not found during Automation Operation: GetObject" I have posted below what did show up.

WinPFind:

WARNING: not all files found by this scanner are bad. Consult with a knowledgable person before proceeding.

If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows somethimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.

»»»»»»»»»»»»»»»»» Checking Selected Standard Folders »»»»»»»»»»»»»»»»»»»»

Checking %SystemDrive% folder...
qoologic 7/26/05 9:52:18 PM 1161491 c:\winzip.log
UPX! 7/11/05 8:57:16 AM 1965 c:\log.txt
SAHAgent 7/11/05 8:57:16 AM 1965 c:\log.txt
buddy.exe 7/11/05 8:57:16 AM 1965 c:\log.txt

Checking %ProgramFilesDir% folder...

Checking %WinDir% folder...
PECompact2 7/17/05 2:11:34 PM 15360771 c:\windows\VPTNFILE.733
qoologic 7/17/05 2:11:34 PM 15360771 c:\windows\VPTNFILE.733
SAHAgent 7/17/05 2:11:34 PM 15360771 c:\windows\VPTNFILE.733
KavSvc 7/26/05 9:50:40 PM 8929312 c:\windows\SYSTEM.DAT
qoologic 7/26/05 9:52:34 PM 1196064 c:\windows\USER.DAT
UPX! 5/7/05 10:31:46 AM 1044560 c:\windows\vsapi32.dll
aspack 5/7/05 10:31:46 AM 1044560 c:\windows\vsapi32.dll
UPX! 5/7/05 10:31:46 AM 170053 c:\windows\tsc.exe
abetterinternet.com 6/24/05 8:59:36 PM 8867872 c:\windows\BEDLCDCH
UPX! 5/3/05 11:44:44 AM 25157 c:\windows\RMAgentOutput.dll
PECompact2 7/17/05 2:11:34 PM 15360771 c:\windows\lpt$vpn.733
qoologic 7/17/05 2:11:34 PM 15360771 c:\windows\lpt$vpn.733
SAHAgent 7/17/05 2:11:34 PM 15360771 c:\windows\lpt$vpn.733
UPX! 7/26/05 9:24:46 PM 82432 c:\windows\ru.exe
qoologic 6/28/05 6:45:06 AM 172032 c:\windows\web2_212.exe
aspack 6/28/05 6:45:06 AM 172032 c:\windows\web2_212.exe
KavSvc 6/28/05 6:45:06 AM 172032 c:\windows\web2_212.exe
69.59.186.63 6/28/05 6:45:06 AM 172032 c:\windows\web2_212.exe
209.66.67.134 6/28/05 6:45:06 AM 172032 c:\windows\web2_212.exe
66.63.167.97 6/28/05 6:45:06 AM 172032 c:\windows\web2_212.exe
66.63.167.77 6/28/05 6:45:06 AM 172032 c:\windows\web2_212.exe
web-nex 6/28/05 6:45:06 AM 172032 c:\windows\web2_212.exe
yourkey 6/28/05 6:45:06 AM 172032 c:\windows\web2_212.exe
rec2_run 6/28/05 6:45:06 AM 172032 c:\windows\web2_212.exe
abetterinternet.com 6/28/05 7:23:18 AM 8195 c:\windows\mnzkr.dll
web-nex 6/28/05 7:23:18 AM 8195 c:\windows\mnzkr.dll
ad-w-a-r-e.com 6/28/05 7:23:18 AM 8195 c:\windows\mnzkr.dll

Checking %System% folder...
Umonitor 6/23/05 11:43:12 AM 405504 c:\windows\SYSTEM\DNMSSOCN.DLL
UPX! 9/29/03 11:26:54 AM 198144 c:\windows\SYSTEM\aesss4.dll
Umonitor 6/23/05 11:43:12 AM 405504 c:\windows\SYSTEM\DUMSADSN.DLL
Umonitor 6/23/05 11:43:12 AM 405504 c:\windows\SYSTEM\DTDREF.DLL
Umonitor 6/23/05 11:43:12 AM 405504 c:\windows\SYSTEM\mcihnd.dll
Umonitor 6/23/05 11:43:12 AM 405504 c:\windows\SYSTEM\WKTRM32.DLL
Umonitor 6/23/05 11:43:12 AM 405504 c:\windows\SYSTEM\ARVIEW32.DLL
Umonitor 6/23/05 11:43:12 AM 405504 c:\windows\SYSTEM\DQTIME.DLL
Umonitor 6/23/05 11:43:12 AM 405504 c:\windows\SYSTEM\IP41_QC.dll
Umonitor 6/23/05 11:43:12 AM 405504 c:\windows\SYSTEM\qodit.dll
Umonitor 6/23/05 11:43:12 AM 405504 c:\windows\SYSTEM\DESPDIB.DLL
Umonitor 6/23/05 11:43:12 AM 405504 c:\windows\SYSTEM\SowWFL.dll
Umonitor 6/23/05 11:43:12 AM 405504 c:\windows\SYSTEM\IYSTDLL.DLL
Umonitor 6/23/05 11:43:12 AM 405504 c:\windows\SYSTEM\DQGEST.DLL
Umonitor 6/23/05 11:43:12 AM 405504 c:\windows\SYSTEM\3crbgr.dll
Umonitor 6/23/05 11:43:12 AM 405504 c:\windows\SYSTEM\SKMSETUP.DLL
Umonitor 6/23/05 11:43:12 AM 405504 c:\windows\SYSTEM\mmihrnjp.dll
Umonitor 7/14/05 2:30:36 PM 405504 c:\windows\SYSTEM\MTR.DLL
Umonitor 7/14/05 2:30:36 PM 405504 c:\windows\SYSTEM\DKMSRPCN.DLL
Umonitor 7/14/05 2:30:36 PM 405504 c:\windows\SYSTEM\mtihrnit.dll
Umonitor 7/14/05 2:30:36 PM 405504 c:\windows\SYSTEM\IVMP.DLL
Umonitor 7/14/05 2:30:36 PM 405504 c:\windows\SYSTEM\OHECLI.DLL
Umonitor 7/14/05 2:30:36 PM 405504 c:\windows\SYSTEM\VSB32.DLL
UPX! 7/26/05 9:24:46 PM 82432 c:\windows\SYSTEM\ntpo.exe
PTech 10/27/03 5:25:04 AM 2487060 c:\windows\SYSTEM\kyf.dat
UPX! 10/27/03 5:23:06 AM 71168 c:\windows\SYSTEM\SHAgentNew.dll
Umonitor 7/14/05 2:30:36 PM 405504 c:\windows\SYSTEM\OXBCJI32.DLL
Umonitor 7/14/05 2:30:36 PM 405504 c:\windows\SYSTEM\OOECLI32.DLL
Umonitor 7/14/05 2:30:36 PM 405504 c:\windows\SYSTEM\IG50_32.DLL
Umonitor 7/14/05 2:30:36 PM 405504 c:\windows\SYSTEM\CXYPTDLG.DLL
Umonitor 6/23/05 11:43:12 AM 405504 c:\windows\SYSTEM\SQELL32.DLL
SAHAgent 5/19/05 3:59:18 PM 35 c:\windows\SYSTEM\0at5ocoh.ini
SAHAgent 5/19/05 3:59:18 PM 35 c:\windows\SYSTEM\28pdak78.ini
SAHAgent 7/8/05 4:41:52 PM 3521 c:\windows\SYSTEM\nujbcr9v.ini
Umonitor 6/23/05 11:43:12 AM 405504 c:\windows\SYSTEM\RBABASE.DLL
Umonitor 6/23/05 11:43:12 AM 405504 c:\windows\SYSTEM\SSFOLDER.DLL
Umonitor 6/23/05 11:43:12 AM 405504 c:\windows\SYSTEM\RSCMQSVR.DLL
Umonitor 6/23/05 11:43:12 AM 405504 c:\windows\SYSTEM\FJPWPP.DLL
Umonitor 6/23/05 11:43:12 AM 405504 c:\windows\SYSTEM\CQM.DLL
Umonitor 6/23/05 11:43:12 AM 405504 c:\windows\SYSTEM\AJMCMPRS.DLL
Umonitor 6/23/05 11:43:12 AM 405504 c:\windows\SYSTEM\OXFOX32.DLL
Umonitor 6/23/05 11:43:12 AM 405504 c:\windows\SYSTEM\Pbaye32.dll
Umonitor 6/23/05 11:43:12 AM 405504 c:\windows\SYSTEM\ULL.DLL
Umonitor 6/23/05 11:43:12 AM 405504 c:\windows\SYSTEM\gof89.dll
Umonitor 6/23/05 11:43:12 AM 405504 c:\windows\SYSTEM\CXMCAT.DLL
Umonitor 6/23/05 11:43:12 AM 405504 c:\windows\SYSTEM\euenu.dll
Umonitor 6/23/05 11:43:12 AM 405504 c:\windows\SYSTEM\HHFCSA.DLL
Umonitor 6/23/05 11:43:12 AM 405504 c:\windows\SYSTEM\RJGOBJ.DLL
Umonitor 6/23/05 11:43:12 AM 405504 c:\windows\SYSTEM\MICMS.DLL
UPX! 6/28/05 6:49:42 AM 18432 c:\windows\SYSTEM\supdate.dll
KavSvc 6/28/05 6:49:42 AM 18432 c:\windows\SYSTEM\supdate.dll
yourkey 6/28/05 6:49:42 AM 18432 c:\windows\SYSTEM\supdate.dll
Umonitor 6/23/05 11:43:12 AM 405504 c:\windows\SYSTEM\DZMSSPXN.DLL
aspack 6/28/05 6:49:42 AM 25088 c:\windows\SYSTEM\redit.cpl
Umonitor 6/23/05 11:43:12 AM 405504 c:\windows\SYSTEM\UCMCLN32.DLL
Umonitor 6/23/05 11:43:12 AM 405504 c:\windows\SYSTEM\BHESac10.dll
Umonitor 6/23/05 11:43:12 AM 405504 c:\windows\SYSTEM\mxihrnsp.dll
Umonitor 6/23/05 11:43:12 AM 405504 c:\windows\SYSTEM\OXENGL32.DLL
Umonitor 6/23/05 11:43:12 AM 405504 c:\windows\SYSTEM\hkoipt07.dll
Umonitor 6/23/05 11:43:12 AM 405504 c:\windows\SYSTEM\lntga10N.dll
Umonitor 6/23/05 11:43:12 AM 405504 c:\windows\SYSTEM\ECTIER2.DLL
Umonitor 6/23/05 11:43:12 AM 405504 c:\windows\SYSTEM\MUJT3032.DLL
Umonitor 6/23/05 11:43:12 AM 405504 c:\windows\SYSTEM\VGAME.DLL
Umonitor 6/23/05 11:43:12 AM 405504 c:\windows\SYSTEM\AAKRNL32.DLL
Umonitor 6/23/05 11:43:12 AM 405504 c:\windows\SYSTEM\MHSYSTEM.DLL
Umonitor 6/23/05 11:43:12 AM 405504 c:\windows\SYSTEM\mmoert2.dll
Umonitor 6/23/05 11:43:12 AM 405504 c:\windows\SYSTEM\XNNROLL.DLL
Umonitor 6/23/05 11:43:12 AM 405504 c:\windows\SYSTEM\TBAPI.DLL
Umonitor 6/23/05 11:43:12 AM 405504 c:\windows\SYSTEM\pddx5016.dll
Umonitor 6/23/05 11:43:12 AM 405504 c:\windows\SYSTEM\MKACM.DLL
Umonitor 6/23/05 11:43:12 AM 405504 c:\windows\SYSTEM\MUANG.DLL
Umonitor 6/23/05 11:43:12 AM 405504 c:\windows\SYSTEM\XBNROLL.DLL
Umonitor 6/23/05 11:43:12 AM 405504 c:\windows\SYSTEM\DWAO35.DLL
Umonitor 6/23/05 11:43:12 AM 405504 c:\windows\SYSTEM\MLR.DLL
Umonitor 6/23/05 11:43:12 AM 405504 c:\windows\SYSTEM\WWSAPD.DLL
Umonitor 6/23/05 11:43:12 AM 405504 c:\windows\SYSTEM\GKDEF.DLL
Umonitor 6/23/05 11:43:12 AM 405504 c:\windows\SYSTEM\MVRD2X40.DLL
Umonitor 6/23/05 11:43:12 AM 405504 c:\windows\SYSTEM\MTC40.DLL
Umonitor 6/23/05 11:43:12 AM 405504 c:\windows\SYSTEM\ci211_graphicsmed8.dll
Umonitor 6/23/05 11:43:12 AM 405504 c:\windows\SYSTEM\DXNDI.DLL
Umonitor 6/23/05 11:43:12 AM 405504 c:\windows\SYSTEM\muikbdfr.dll
Umonitor 7/14/05 2:30:36 PM 405504 c:\windows\SYSTEM\mqwebdvd.dll
Umonitor 7/14/05 2:30:36 PM 405504 c:\windows\SYSTEM\Mxdia32.dll
Umonitor 7/14/05 2:30:36 PM 405504 c:\windows\SYSTEM\ATVIEW32.DLL
Umonitor 7/14/05 2:30:36 PM 405504 c:\windows\SYSTEM\MUR2C.DLL
Umonitor 7/14/05 2:30:36 PM 405504 c:\windows\SYSTEM\RTANP.DLL
Umonitor 7/14/05 2:30:36 PM 405504 c:\windows\SYSTEM\psdx5016.dll
Umonitor 7/14/05 2:30:36 PM 405504 c:\windows\SYSTEM\cx_dshow10.dll

Checking %System%\Drivers folder and sub-folders...

Checking the Windows folder for system and hidden files within the last 60 days...
7/17/05 9:35:52 PM 29630 c:\windows\ttfCache
7/26/05 9:50:40 PM 8929312 c:\windows\SYSTEM.DAT
7/26/05 9:52:34 PM 1196064 c:\windows\USER.DAT
7/26/05 9:48:50 PM 1104999 c:\windows\ShellIconCache
7/26/05 9:24:46 PM 82432 c:\windows\ru.exe
7/26/05 9:24:46 PM 82432 c:\windows\SYSTEM\ntpo.exe
7/20/05 12:19:38 PM 9728 c:\windows\All Users\DRM\drmv2.sst
7/26/05 9:24:44 PM 1293 c:\windows\Application Data\Microsoft\Internet Explorer\Desktop.htt
7/20/05 3:17:50 PM 67 c:\windows\Temporary Internet Files\Content.IE5\desktop.ini
7/20/05 3:26:32 PM 67 c:\windows\Temporary Internet Files\Content.IE5\G12VSHEJ\desktop.ini
7/20/05 3:28:38 PM 67 c:\windows\Temporary Internet Files\Content.IE5\G5CRWBOB\desktop.ini
7/20/05 3:28:40 PM 67 c:\windows\Temporary Internet Files\Content.IE5\0DCTQR8D\desktop.ini
7/20/05 3:28:40 PM 67 c:\windows\Temporary Internet Files\Content.IE5\GDUFS12B\desktop.ini
7/20/05 3:28:42 PM 67 c:\windows\Temporary Internet Files\Content.IE5\83ATI78R\desktop.ini
7/20/05 3:28:42 PM 67 c:\windows\Temporary Internet Files\Content.IE5\8PMDK9M9\desktop.ini
7/20/05 3:36:56 PM 67 c:\windows\Temporary Internet Files\Content.IE5\MJABYX23\desktop.ini
7/21/05 9:20:08 AM 67 c:\windows\Temporary Internet Files\Content.IE5\JNTMZ6V5\desktop.ini
7/26/05 9:24:24 PM 6 c:\windows\Tasks\SA.DAT
7/26/05 9:24:48 PM 178 c:\windows\Tasks\RUTASK.job

»»»»»»»»»»»»»»»»» Checking Selected Startup Folders »»»»»»»»»»»»»»»»»»»»»

Checking files in %ALLUSERSPROFILE%\Startup folder...

Checking files in %ALLUSERSPROFILE%\Application Data folder...

Checking files in %USERPROFILE%\Startup folder...
7/21/05 5:36:44 PM 486 C:\WINDOWS\Start Menu\Programs\StartUp\America Online 9.0 Tray Icon.lnk
4/3/05 7:17:20 AM 660 C:\WINDOWS\Start Menu\Programs\StartUp\HPAiODevice(hp psc 900 series) - 1.lnk

Checking files in %USERPROFILE%\Application Data folder...
7/6/05 9:42:30 PM 364 C:\WINDOWS\Application Data\dw.log

»»»»»»»»»»»»»»»»» Checking Selected Registry Keys »»»»»»»»»»»»»»»»»»»»»»

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform\{8412F845-4DAA-8207-6469-56272D6A21FC}
=

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\BriefcaseMenu
{85BBD920-42A0-1069-A2E4-08002B30309D} = syncui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\WinZip
{E0D79304-84BE-11CE-9641-444553540000} = C:\WINZIP\WZSHLSTB.DLL
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{CFC7205E-2792-4378-9591-3879CC6C9022}
= C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSSHL.DLL
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\TDS-3
{E8ADA3E1-CE9B-44A0-A165-997304EF4E18} = C:\WINDOWS\SYSTEM\TDS3SHL.DLL

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\BriefcaseMenu
{85BBD920-42A0-1069-A2E4-08002B30309D} = syncui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WinZip
{E0D79304-84BE-11CE-9641-444553540000} = C:\WINZIP\WZSHLSTB.DLL
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\{CFC7205E-2792-4378-9591-3879CC6C9022}
= C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSSHL.DLL

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
ScanRegistry c:\windows\scanregw.exe /autorun
TaskMonitor c:\windows\taskmon.exe
SystemTray SysTray.Exe
LoadPowerProfile Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
HPScanPatch C:\WINDOWS\SYSTEM\HPScanFix.exe
hpsysdrv c:\windows\system\hpsysdrv.exe
Adaptec DirectCD C:\Program Files\DirectCD\DIRECTCD.EXE
USBMMKBD usbmmkbd.exe
VSOCheckTask "C:\PROGRA~1\MCAFEE.COM\VSO\MCMNHDLR.EXE" /checktask
VirusScan Online "C:\PROGRA~1\MCAFEE.COM\VSO\mcvsshld.exe"
MCAgentExe C:\PROGRA~1\MCAFEE.COM\AGENT\mcagent.exe
MCUpdateExe C:\PROGRA~1\MCAFEE.COM\AGENT\MCUPDATE.EXE
FullAudio "C:\PROGRA~1\MUSICNOW\WMPImporter.exe"
McAfeeWebScanX C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\WebScanX.exe
AOL Spyware Protection "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
Screen Saver Messenger C:\WINDOWS\MESSAGE.EXE
WT GameChannel C:\Program Files\WildTangent\Apps\GameChannel.exe
CleanUp C:\PROGRA~1\MCAFEE.COM\SHARED\MCAPPINS.EXE /v=3 /cleanup

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents
MSFS
MAPI
IMAIL

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
MoneyAgent "C:\Program Files\Microsoft Money\System\Money Express.exe"
Taskbar Display Controls RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
ShockmachineReminder C:\Program Files\Games\Shockwave\Shockmachine\SmReminder.exe

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Network
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoDriveTypeAutoRun •
CDRAutoRun
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
BLASCS C:\WINDOWS\SYSTEM\BLASCS.exe
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Network
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System
»»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
WinPFind v1.2.4 - Log file written to "WinPFind.Txt" in the WinPFind folder.


Track qoo 1:

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ScanRegistry"="c:\\windows\\scanregw.exe /autorun"
"TaskMonitor"="c:\\windows\\taskmon.exe"
"SystemTray"="SysTray.Exe"
"LoadPowerProfile"="Rundll32.exe powrprof.dll,LoadCurrentPwrScheme"
"HPScanPatch"="C:\\WINDOWS\\SYSTEM\\HPScanFix.exe"
"hpsysdrv"="c:\\windows\\system\\hpsysdrv.exe"
"Adaptec DirectCD"="C:\\Program Files\\DirectCD\\DIRECTCD.EXE"
"USBMMKBD"="usbmmkbd.exe"
"VSOCheckTask"="\"C:\\PROGRA~1\\MCAFEE.COM\\VSO\\MCMNHDLR.EXE\" /checktask"
"VirusScan Online"="\"C:\\PROGRA~1\\MCAFEE.COM\\VSO\\mcvsshld.exe\""
"MCAgentExe"="C:\\PROGRA~1\\MCAFEE.COM\\AGENT\\mcagent.exe"
"MCUpdateExe"="C:\\PROGRA~1\\MCAFEE.COM\\AGENT\\MCUPDATE.EXE"
"FullAudio"="\"C:\\PROGRA~1\\MUSICNOW\\WMPImporter.exe\""
"McAfeeWebScanX"="C:\\PROGRAM FILES\\NETWORK ASSOCIATES\\MCAFEE VIRUSSCAN\\WebScanX.exe"
"AOL Spyware Protection"="\"C:\\PROGRA~1\\COMMON~1\\AOL\\AOLSPY~1\\AOLSP Scheduler.exe\""
"Screen Saver Messenger"="C:\\WINDOWS\\MESSAGE.EXE"
"WT GameChannel"="C:\\Program Files\\WildTangent\\Apps\\GameChannel.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

-----------------

Thanks,
Evonne
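The WinPFind output above is what post #4's Killbox list is built from, and the pattern worth seeing is the run of 405504-byte DLLs that all carry the same timestamp: one payload copied under dozens of random names. The following is an added example for this thread, not code from WinPFind, Killbox or the thread's helpers. It parses WinPFind's "tag date time size path" lines, merges the several lines printed for one file, groups files that share an exact size and modification time, and builds a candidate list. The clustering rule, the family-name list, and the allow-list of registry hives and Trend Micro HouseCall pattern files are this example's assumptions; the sample log is a constructed excerpt modelled on the one above.

```python
"""Triage WinPFind output: which flagged files belong on a Killbox list?

Added example, not code from WinPFind or from the thread. WinPFind prints
one line per (signature, file) hit in the form
    <tag> <m/d/yy> <h:mm:ss AM|PM> <size> <path>
and, in its "last 60 days" section, the same line without a tag.
The clustering rule and the allow-list below are assumptions of this example.
"""
import re
from collections import defaultdict
from datetime import datetime

LINE = re.compile(
    r"^(?:(?P<tag>\S+)\s+)?(?P<date>\d{1,2}/\d{1,2}/\d{2})\s+"
    r"(?P<time>\d{1,2}:\d{2}:\d{2} [AP]M)\s+(?P<size>\d+)\s+(?P<path>.+?)\s*$"
)

# Packer signatures say nothing about intent on their own.
PACKERS = {"UPX!", "aspack", "PECompact2", "PTech"}
# Tags the thread treats as adware family names (assumption of this example).
FAMILIES = {"SAHAgent", "qoologic", "KavSvc", "abetterinternet.com",
            "ad-w-a-r-e.com", "web-nex"}
# Left alone even when flagged: the Win98 registry hives and Trend Micro
# HouseCall's pattern/engine files, which contain the matched strings by design.
ALLOW = {"system.dat", "user.dat", "vptnfile.733", "lpt$vpn.733",
         "vsapi32.dll", "tsc.exe"}

# Constructed excerpt modelled on the log in post #3 (not the full log).
SAMPLE = """\
Checking %WinDir% folder...
KavSvc 7/26/05 9:50:40 PM 8929312 c:\\windows\\SYSTEM.DAT
UPX! 7/26/05 9:24:46 PM 82432 c:\\windows\\ru.exe
qoologic 6/28/05 6:45:06 AM 172032 c:\\windows\\web2_212.exe
KavSvc 6/28/05 6:45:06 AM 172032 c:\\windows\\web2_212.exe
69.59.186.63 6/28/05 6:45:06 AM 172032 c:\\windows\\web2_212.exe

Checking %System% folder...
Umonitor 6/23/05 11:43:12 AM 405504 c:\\windows\\SYSTEM\\DNMSSOCN.DLL
Umonitor 6/23/05 11:43:12 AM 405504 c:\\windows\\SYSTEM\\DTDREF.DLL
Umonitor 6/23/05 11:43:12 AM 405504 c:\\windows\\SYSTEM\\mcihnd.dll
Umonitor 7/14/05 2:30:36 PM 405504 c:\\windows\\SYSTEM\\MTR.DLL
Umonitor 7/14/05 2:30:36 PM 405504 c:\\windows\\SYSTEM\\DKMSRPCN.DLL
UPX! 7/26/05 9:24:46 PM 82432 c:\\windows\\SYSTEM\\ntpo.exe
SAHAgent 5/19/05 3:59:18 PM 35 c:\\windows\\SYSTEM\\0at5ocoh.ini

Checking the Windows folder for system and hidden files within the last 60 days...
7/26/05 9:24:46 PM 82432 c:\\windows\\ru.exe
"""


def parse(text):
    """Return {path: {"tags": set, "size": int, "mtime": datetime}},
    merging the several lines WinPFind prints for one file."""
    files = {}
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue                       # section headers and blank lines
        mtime = datetime.strptime(f"{m['date']} {m['time']}", "%m/%d/%y %I:%M:%S %p")
        rec = files.setdefault(m["path"].lower(),
                               {"tags": set(), "size": int(m["size"]), "mtime": mtime})
        rec["tags"].add(m["tag"] or "recent")   # untagged lines come from the 60-day section
    return files


def clusters(files, min_members=2):
    """Paths sharing one exact (size, mtime): a payload copied under
    random names, like the 405504-byte DLLs in the log above."""
    by_key = defaultdict(list)
    for path, rec in files.items():
        by_key[(rec["size"], rec["mtime"])].append(path)
    return {k: sorted(v) for k, v in by_key.items() if len(v) >= min_members}


def candidates(files):
    """Killbox candidates: not allow-listed, and either part of a cluster
    or tagged with a family name. A packer tag alone is not enough."""
    clustered = {p for paths in clusters(files).values() for p in paths}
    out = []
    for path, rec in files.items():
        if path.rsplit("\\", 1)[-1] in ALLOW:
            continue
        if path in clustered or rec["tags"] & FAMILIES:
            out.append(path)
    return sorted(out)


if __name__ == "__main__":
    found = parse(SAMPLE)
    for (size, mtime), paths in clusters(found).items():
        print(f"{len(paths)} files of {size} bytes stamped {mtime}: {', '.join(paths)}")
    print("\n".join(candidates(found)))
```

Run against the full log in post #3 the cluster rule reproduces the bulk of post #4's list; the allow-list is what keeps SYSTEM.DAT, USER.DAT and the HouseCall files (vsapi32.dll, tsc.exe, the .733 pattern files) out of it, and it is the analyst, not the tag, who decides that.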

#4 Metallica

*Click here and download Killbox by Option^Explicit.
*Extract the program to your desktop and double-click on its folder, then double-click on Killbox.exe to start the program.
*In the killbox program, select the Delete on Reboot option.
*Copy the file names below to the clipboard by highlighting them and pressing Control-C:

C:\WINDOWS\HAPMLL.EXE
c:\windows\ru.exe
c:\windows\web2_212.exe
c:\windows\mnzkr.dll
c:\windows\SYSTEM\DNMSSOCN.DLL
c:\windows\SYSTEM\aesss4.dll
c:\windows\SYSTEM\DUMSADSN.DLL
c:\windows\SYSTEM\DTDREF.DLL
c:\windows\SYSTEM\mcihnd.dll
c:\windows\SYSTEM\WKTRM32.DLL
c:\windows\SYSTEM\ARVIEW32.DLL
c:\windows\SYSTEM\DQTIME.DLL
c:\windows\SYSTEM\IP41_QC.dll
c:\windows\SYSTEM\qodit.dll
c:\windows\SYSTEM\DESPDIB.DLL
c:\windows\SYSTEM\SowWFL.dll
c:\windows\SYSTEM\IYSTDLL.DLL
c:\windows\SYSTEM\DQGEST.DLL
c:\windows\SYSTEM\3crbgr.dll
c:\windows\SYSTEM\SKMSETUP.DLL
c:\windows\SYSTEM\mmihrnjp.dll
c:\windows\SYSTEM\MTR.DLL
c:\windows\SYSTEM\DKMSRPCN.DLL
c:\windows\SYSTEM\mtihrnit.dll
c:\windows\SYSTEM\IVMP.DLL
c:\windows\SYSTEM\OHECLI.DLL
c:\windows\SYSTEM\VSB32.DLL
c:\windows\SYSTEM\ntpo.exe
c:\windows\SYSTEM\kyf.dat
c:\windows\SYSTEM\SHAgentNew.dll
c:\windows\SYSTEM\OXBCJI32.DLL
c:\windows\SYSTEM\OOECLI32.DLL
c:\windows\SYSTEM\IG50_32.DLL
c:\windows\SYSTEM\CXYPTDLG.DLL
c:\windows\SYSTEM\SQELL32.DLL
c:\windows\SYSTEM\0at5ocoh.ini
c:\windows\SYSTEM\28pdak78.ini
c:\windows\SYSTEM\nujbcr9v.ini
c:\windows\SYSTEM\RBABASE.DLL
c:\windows\SYSTEM\SSFOLDER.DLL
c:\windows\SYSTEM\RSCMQSVR.DLL
c:\windows\SYSTEM\FJPWPP.DLL
c:\windows\SYSTEM\CQM.DLL
c:\windows\SYSTEM\AJMCMPRS.DLL
c:\windows\SYSTEM\OXFOX32.DLL
c:\windows\SYSTEM\Pbaye32.dll
c:\windows\SYSTEM\ULL.DLL
c:\windows\SYSTEM\gof89.dll
c:\windows\SYSTEM\CXMCAT.DLL
c:\windows\SYSTEM\euenu.dll
c:\windows\SYSTEM\HHFCSA.DLL
c:\windows\SYSTEM\RJGOBJ.DLL
c:\windows\SYSTEM\MICMS.DLL
c:\windows\SYSTEM\supdate.dll
c:\windows\SYSTEM\DZMSSPXN.DLL
c:\windows\SYSTEM\redit.cpl
c:\windows\SYSTEM\UCMCLN32.DLL
c:\windows\SYSTEM\BHESac10.dll
c:\windows\SYSTEM\mxihrnsp.dll
c:\windows\SYSTEM\OXENGL32.DLL
c:\windows\SYSTEM\hkoipt07.dll
c:\windows\SYSTEM\lntga10N.dll
c:\windows\SYSTEM\ECTIER2.DLL
c:\windows\SYSTEM\MUJT3032.DLL
c:\windows\SYSTEM\VGAME.DLL
c:\windows\SYSTEM\AAKRNL32.DLL
c:\windows\SYSTEM\MHSYSTEM.DLL
c:\windows\SYSTEM\mmoert2.dll
c:\windows\SYSTEM\XNNROLL.DLL
c:\windows\SYSTEM\TBAPI.DLL
c:\windows\SYSTEM\pddx5016.dll
c:\windows\SYSTEM\MKACM.DLL
c:\windows\SYSTEM\MUANG.DLL
c:\windows\SYSTEM\XBNROLL.DLL
c:\windows\SYSTEM\DWAO35.DLL
c:\windows\SYSTEM\MLR.DLL
c:\windows\SYSTEM\WWSAPD.DLL
c:\windows\SYSTEM\GKDEF.DLL
c:\windows\SYSTEM\MVRD2X40.DLL
c:\windows\SYSTEM\MTC40.DLL
c:\windows\SYSTEM\ci211_graphicsmed8.dll
c:\windows\SYSTEM\DXNDI.DLL
c:\windows\SYSTEM\muikbdfr.dll
c:\windows\SYSTEM\mqwebdvd.dll
c:\windows\SYSTEM\Mxdia32.dll
c:\windows\SYSTEM\ATVIEW32.DLL
c:\windows\SYSTEM\MUR2C.DLL
c:\windows\SYSTEM\RTANP.DLL
c:\windows\SYSTEM\psdx5016.dll
c:\windows\SYSTEM\cx_dshow10.dll
C:\windows\Start Menu\Programs\StartUp\rait.exe


*Return to Killbox, go to the File menu, and choose "Paste from Clipboard".
*Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.

While your computer is restarting, tap the F8 key continually until a menu appears. Use your up arrow key to highlight Safe Mode, then hit enter.

Check the items listed below in HijackThis, close all windows except HijackThis and click Fix checked:

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.smarter.c...x.php?sidebar=1
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.smarter.c...x.php?sidebar=1

O4 - HKLM\..\Run: [WT GameChannel] C:\Program Files\WildTangent\Apps\GameChannel.exe

O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\hapmll.exe reg_run

O4 - Startup: rait.exe

Then boot back to normal and post a new HijackThis log.

Regards,
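The check this post asks for, a fresh HijackThis log after the fix, is a diff of two autostart inventories, and it can be automated. The following is an added example, not code from the thread, from HijackThis or from Killbox. BEFORE is an excerpt of the log in post #1; AFTER is a constructed excerpt (the follow-up log in post #5 is cut off on this page) that keeps the benign entries and adds the one new process post #5 does show, C:\PROGRAM FILES\OROW\NTPO.EXE. KILLED is the part of the Killbox list above that matters for the comparison; the "same file name, new directory" rule is this example's heuristic.

```python
"""Verify a fix round by diffing two HijackThis 1.99 logs.

Added example, not code from the thread, HijackThis or Killbox.
BEFORE is copied from post #1; AFTER is a constructed illustration of a
follow-up log (post #5's log is cut off on this page). KILLED is taken
from post #4's Killbox list.
"""
import re

ENTRY = re.compile(r"^(R\d|F\d|O\d{1,2}) - ")

BEFORE = """\
Running processes:
C:\\WINDOWS\\SYSTEM\\KERNEL32.DLL
C:\\WINDOWS\\EXPLORER.EXE
C:\\WINDOWS\\HAPMLL.EXE
C:\\PROGRAM FILES\\MCAFEE.COM\\AGENT\\MCAGENT.EXE

O4 - HKLM\\..\\Run: [MCAgentExe] C:\\PROGRA~1\\MCAFEE.COM\\AGENT\\mcagent.exe
O4 - HKLM\\..\\Run: [WT GameChannel] C:\\Program Files\\WildTangent\\Apps\\GameChannel.exe
O4 - HKLM\\..\\Run: [KavSvc] C:\\WINDOWS\\hapmll.exe reg_run
O4 - Startup: rait.exe
"""

# Constructed "after" log: benign entries kept, KavSvc and rait.exe gone,
# and the new process that post #5 reports under C:\PROGRAM FILES\OROW.
AFTER = """\
Running processes:
C:\\WINDOWS\\SYSTEM\\KERNEL32.DLL
C:\\WINDOWS\\EXPLORER.EXE
C:\\PROGRAM FILES\\MCAFEE.COM\\AGENT\\MCAGENT.EXE
C:\\PROGRAM FILES\\OROW\\NTPO.EXE

O4 - HKLM\\..\\Run: [MCAgentExe] C:\\PROGRA~1\\MCAFEE.COM\\AGENT\\mcagent.exe
"""

KILLED = [
    "C:\\WINDOWS\\HAPMLL.EXE",
    "c:\\windows\\ru.exe",
    "c:\\windows\\SYSTEM\\ntpo.exe",
]


def split_path(p):
    """(directory, file name) of a Windows path, independent of the host OS."""
    d, _, n = p.lower().rpartition("\\")
    return d, n


def parse_hjt(text):
    """Return (running processes, R/F/O entries) as lower-cased sets."""
    procs, entries = set(), set()
    in_procs = False
    for line in text.splitlines():
        line = line.strip()
        if line.lower() == "running processes:":
            in_procs = True
        elif not line:
            in_procs = False           # blank line ends the process list
        elif in_procs:
            procs.add(line.lower())
        elif ENTRY.match(line):
            entries.add(line.lower())
    return procs, entries


def diff_logs(before, after):
    """What disappeared and what is new between two logs."""
    p0, e0 = parse_hjt(before)
    p1, e1 = parse_hjt(after)
    return {
        "gone_procs": p0 - p1,
        "new_procs": p1 - p0,
        "removed_entries": e0 - e1,
        "added_entries": e1 - e0,
    }


def relocated(killed, new_procs):
    """Files from the deletion list now running from another directory,
    as {name: (old dir, new dir)}. A dropper that survived the fix
    re-creates its payload, often under the same name, where the
    deletion list did not look."""
    old = {split_path(p)[1]: split_path(p)[0] for p in killed}
    hits = {}
    for p in new_procs:
        d, n = split_path(p)
        if n in old and old[n] != d:
            hits[n] = (old[n], d)
    return hits


if __name__ == "__main__":
    result = diff_logs(BEFORE, AFTER)
    for key, value in result.items():
        print(key, sorted(value))
    print("relocated:", relocated(KILLED, result["new_procs"]))
```

The point of the relocation check is the one this thread runs into: post #4 deletes c:\windows\SYSTEM\ntpo.exe by name, and the next log in post #5 lists NTPO.EXE running again from C:\PROGRAM FILES\OROW. Deleting files on reboot removes copies; it does not stop whatever wrote them (note the ru.exe and RUTASK.job pair in the WinPFind output), so the diff, not the absence of the old path, is what tells you whether the fix held.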

#5 Evonne (Topic Starter)

Okay, I followed your instructions exactly. But 'KavSvc' didn't show up in Safe Mode.

I had a couple of other questions, too. At some point during this whole mess, I had some important files, and backups, disappear completely. I'm quite sure that I didn't accidentally delete them. While going through backup logs from the virus scans trying to find those files, I found in a McAfee log that the update had changed from 'mcupdate' to 'ru.exe'. Is that something I should worry about? And, once you get rid of these pesky viruses for me, where do I go to get help to recover the file and backups that were lost? I really appreciate all your help and patience!

Here's the latest HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 5:12:46 AM, on 7/27/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSGLOOP.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\EASY INTERNET\ENCMONTR.EXE
C:\PROGRAM FILES\COMMON FILES\AOL\ACS\ACSD.EXE
C:\WINDOWS\SYSTEM\MSG32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMKEYBD.EXE
C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSRTE.EXE
c:\windows\SYSTEM\KB891711\KB891711.EXE
C:\WINDOWS\SYSTEM\HIDSERV.EXE
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\KEYBDMGR.EXE
C:\PROGRAM FILES\NETROPA\ONSCREEN DISPLAY\OSD.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMUSBKB2.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\HPSYSDRV.EXE
C:\PROGRAM FILES\DIRECTCD\DIRECTCD.EXE
C:\WINDOWS\SYSTEM\USBMMKBD.EXE
C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSSHLD.EXE
C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSESCN.EXE
C:\PROGRAM FILES\MCAFEE.COM\AGENT\MCAGENT.EXE
C:\WINDOWS\MESSAGE.EXE
C:\WINDOWS\SYSTEM\WPSPSW.EXE
C:\WINDOWS\RunDLL.exe
C:\PROGRAM FILES\GAMES\SHOCKWAVE\SHOCKMACHINE\SMREMINDER.EXE
C:\PROGRAM FILES\OROW\NTPO.EXE
C:\PROGRAM FILES\AMERICA ONLINE 9.0\AOLTRAY.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\AIO\HP PSC 900 SERIES\BIN\HPOBRT07.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\AIO\SHARED\BIN\HPOEVM07.EXE
C:\WINDOWS\SYSTEM\HPOIPM07.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\AIO\SHARED\BIN\HPOSTS07.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\AIO\SHARED\BIN\HPOFXM07.EXE
C:\WINDOWS\DESKTOP\VIRUS INFO\HJT\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.denverbroncos.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by America Online
F1 - win.ini: load=WPSLOAD.EXE
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O2 - BHO: Yahoo! Companion BHO - {02478D28-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRAM FILES\YAHOO!\COMPANION\YCOMP5_0_2_6.DLL
O2 - BHO: IEProxyHelperObj Class - {43DF16FD-D9ED-4c9e-B14A-F3236A12C649} - C:\PROGRAM FILES\MUSICNOW\IEPROXYHELPER.DLL
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\YCOMP5_0_2_6.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSSHL.DLL
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [HPScanPatch] C:\WINDOWS\SYSTEM\HPScanFix.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [Adaptec DirectCD] C:\Program Files\DirectCD\DIRECTCD.EXE
O4 - HKLM\..\Run: [USBMMKBD] usbmmkbd.exe
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\MCAFEE.COM\VSO\MCMNHDLR.EXE" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "C:\PROGRA~1\MCAFEE.COM\VSO\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] C:\PROGRA~1\MCAFEE.COM\AGENT\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\MCAFEE.COM\AGENT\MCUPDATE.EXE
O4 - HKLM\..\Run: [FullAudio] "C:\PROGRA~1\MUSICNOW\WMPImporter.exe"
O4 - HKLM\..\Run: [McAfeeWebScanX] C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\WebScanX.exe
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [Screen Saver Messenger] C:\WINDOWS\MESSAGE.EXE
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\hapmll.exe reg_run
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [Encompass_ENCMONTR] C:\Program Files\Easy Internet\ENCMONTR.EXE
O4 - HKLM\..\RunServices: [Hidserv] Hidserv.exe run
O4 - HKLM\..\RunServices: [AolAcsDaemon1] "C:\PROGRAM FILES\COMMON FILES\AOL\ACS\ACSD.EXE"
O4 - HKLM\..\RunServices: [Keyboard Manager] C:\Program Files\Netropa\One-touch Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\RunServices: [McVsRte] C:\PROGRA~1\MCAFEE.COM\VSO\mcvsrte.exe /embedding
O4 - HKLM\..\RunServices: [KB891711] c:\windows\SYSTEM\KB891711\KB891711.EXE
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - HKCU\..\Run: [ShockmachineReminder] C:\Program Files\Games\Shockwave\Shockmachine\SmReminder.exe
O4 - HKCU\..\Run: [Tcut] C:\Program Files\orow\ntpo.exe
O4 - Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Startup: HPAiODevice(hp psc 900 series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp psc 900 series\Bin\hpobrt07.exe
O4 - Startup: Media Manager.lnk = C:\America Online 5.0\download\Jess\New files\Ebook\GevaliaSummer2002LD\media_manager.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YPAGER.EXE
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YPAGER.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O14 - IERESET.INF: START_PAGE_URL=http://www.aol.com
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg...v45/yacscom.cab
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg...t/c381/chat.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: Tri-Peaks by pogo - http://peaks.pogo.co...s-ob-assets.cab
O16 - DPF: World Class Solitaire by pogo - http://klondike.pogo...s-ob-assets.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://antu.popcap.c...aploader_v5.cab
O16 - DPF: Squelchies by pogo - http://squelchies.po...s-ob-assets.cab
O16 - DPF: Pop Fu by pogo - http://popfu.pogo.co...u-ob-assets.cab
O16 - DPF: Word Whomp Whackdown by pogo - http://game1.pogo.co...n-ob-assets.cab
O16 - DPF: Dice Derby by pogo - http://checkeredflag...g-ob-assets.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/...ro.cab32846.cab
O16 - DPF: Phlinx by pogo - http://game1.pogo.co...r-ob-assets.cab
O16 - DPF: Lottso by pogo - http://game1.pogo.co...o-ob-assets.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - https://objects.aol....83/mcinsctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - https://objects.aol....,20/McGDMgr.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/s...nfo/webscan.cab

Thanks!!

#6
Metallica
  • Spyware Veteran
  • GeekU Moderator
  • 31,672 posts
Reboot into safe mode
Then set Windows to boot normally next time, but don't let it reboot.

Run HijackThis and check the items listed below in HijackThis, close all windows except HijackThis and click Fix checked:

O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\hapmll.exe reg_run

O4 - HKCU\..\Run: [Tcut] C:\Program Files\orow\ntpo.exe

Boot back to normal and check if they stayed away.

Also try and see if McAfee can still be updated.

To recover lost files is always "tricky" but it would certainly help to know how and when they went missing.
Keep in mind that installing new software, defragmenting etc. could reduce the number of files that can be recovered.
As I am unsure how valuable/important these files are (to you) it is hard to decide how to approach. There are free programs with a small chance of recovery and expensive professionals that have an improved chance of success.

Regards,
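The "check if they stayed away" step above amounts to comparing the O4 autostart entries of two HijackThis logs. The following is an added example, not part of the thread or of HijackThis itself: it parses O4 lines, reports which flagged value names are still present, and lists entries that are new since the previous log (a re-infection that returns under a different name shows up there). The sample logs are constructed from lines posted above plus one made-up entry.

```python
import re
from dataclasses import dataclass

# One HijackThis "O4" autostart line, e.g.
#   O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\hapmll.exe reg_run
#   O4 - Startup: rait.exe
# The bracketed part is the registry value name; Startup items have none.
O4_RE = re.compile(r"^O4 - (?P<where>[^:]+): (?:\[(?P<name>[^\]]+)\] )?(?P<cmd>.+)$")


@dataclass(frozen=True)
class Autostart:
    where: str  # HKLM\..\Run, HKLM\..\RunServices, HKCU\..\Run, Startup
    name: str   # value name, or the file/shortcut name for Startup items
    cmd: str    # command line exactly as logged


def parse_o4(log: str) -> list[Autostart]:
    """Return every O4 autostart entry in a HijackThis log, in log order."""
    out = []
    for line in log.splitlines():
        m = O4_RE.match(line.strip())
        if m:
            out.append(Autostart(m["where"], m["name"] or m["cmd"], m["cmd"]))
    return out


def still_present(flagged: list[str], log: str) -> list[str]:
    """Flagged value names that still have an O4 entry in `log` (case-insensitive)."""
    names = {a.name.lower() for a in parse_o4(log)}
    return [n for n in flagged if n.lower() in names]


def new_entries(before: str, after: str) -> list[Autostart]:
    """O4 entries in `after` that were not in `before`."""
    seen = set(parse_o4(before))
    return [a for a in parse_o4(after) if a not in seen]


# Constructed sample: "before" uses lines from the log posted above; "after" has
# the two fixed entries gone and one constructed (not real) entry that is new.
BEFORE_LOG = r"""
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\hapmll.exe reg_run
O4 - HKCU\..\Run: [Tcut] C:\Program Files\orow\ntpo.exe
O4 - Startup: rait.exe
"""
AFTER_LOG = r"""
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKCU\..\Run: [ConstructedNew] C:\WINDOWS\constructed_example.exe
"""
```

Run `still_present(["KavSvc", "Tcut"], AFTER_LOG)` on a freshly saved log to confirm the fixed items are gone, and `new_entries(BEFORE_LOG, AFTER_LOG)` to see what appeared since the previous log.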

#7
Evonne
  • Member
  • Topic Starter
  • 20 posts
Great! It does look like KavSvc and Tcut are both gone. There are still a couple of files that might be associated with them. Is it safe to delete the files:
Program Files\orow\ntpo.exe
Windows\System\osaka.exe (showed up the same time as ntpo.exe and ru.exe)
Windows\Installer_marketing58.exe (associated with eXact marketing)

I don't think McAfee is updating. The log says that it starts, but has an error: can't find file ru.exe. Can I just uninstall and reinstall the McAfee?

The lost files were personal financial data. They were Quicken data and backup files that can't be entirely reconstructed. They disappeared sometime between 7/16 and 7/20, when I discovered them missing. During that time, I was moving/copying files to CDs in preparation for a System Restore. Naturally, I went through everything I'd moved looking for the files. Then I downloaded Recover4all Professional to see if I could find them somewhere on the hard disk. I can't find any evidence that the files ever existed. (Seems strange that the Quicken-generated backups are missing, too.) By that time, I was so frustrated that I decided to go ahead with the system restore from the disks that came with the computer. But that didn't even work! The disks start in DOS at boot up, but won't go any further than asking if you want to delete everything and reinstall. Is there anything else I can do?

Right now, I think I've done as much as I can; and am just pleased that the viruses are cleaned up and I have my computer back! Thank you for all your help!

#8
Metallica
  • Spyware Veteran
  • GeekU Moderator
  • 31,672 posts
You can delete those files you listed.

Re-installing McAfee might be a good idea since we can't trust it at this point.

Please do have a look at my site about removing and preventing spyware.

Regards,

#9
Evonne
  • Member
  • Topic Starter
  • 20 posts
Thank you! Thank you for all your help! Everything seems to be running much better now.

I will be visiting your site. It looks like it has a lot of good information.

Thanks again,
Evonne

#10
Metallica
  • Spyware Veteran
  • GeekU Moderator
  • 31,672 posts
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help.

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.