Urgent help needed [RESOLVED]



#1 tlstevens (Member)
I am working on a computer for a friend. It was so bad that he had trouble booting into Windows. I have run Ad-Aware and Spybot. I would like it if someone could check out this HijackThis log to see what else I need to do to clean out the spyware that has invaded this computer.

Here is the log:

Logfile of HijackThis v1.99.1
Scan saved at 6:01:59 PM, on 7/22/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\PROGRAM FILES\PLUS!\VIRUSCAN\VSHWIN32.EXE
C:\WINDOWS\SYSTEM\NVSVC.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\ADDSJ32.EXE
C:\WINDOWS\SYSTEM\SYSEV32.EXE
C:\WINDOWS\SDKSV32.EXE
C:\WINDOWS\SYSTEM\ADDHC32.EXE
C:\WINDOWS\SYSTEM\APIDY32.EXE
C:\WINDOWS\MFCUQ32.EXE
C:\WINDOWS\ADDTJ32.EXE
C:\WINDOWS\SYSTEM\APPIS32.EXE
C:\WINDOWS\SYSTEM\NETBM32.EXE
C:\WINDOWS\SYSTEM\D3TY.EXE
C:\WINDOWS\CREH32.EXE
C:\WINDOWS\NETMR.EXE
C:\WINDOWS\SYSTEM\MFCGP32.EXE
C:\WINDOWS\SYSTEM\APIMD.EXE
C:\WINDOWS\SYSTEM\MSXP.EXE
C:\WINDOWS\SDKIY32.EXE
C:\WINDOWS\SYSTEM\CRXV32.EXE
C:\WINDOWS\SYSTEM\PTUDFAPP.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\SCANJET\PRECISIONSCANLT\HPPWRSAV.EXE
C:\WINDOWS\SYSTEM\3CMLNKW.EXE
C:\PROGRAM FILES\MICROSOFT HARDWARE\GAME CONTROLLERS\COMMON\SWTRAYV4.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\WINDOWS\SYSTEM\ATLAS.EXE
C:\PROGRAM FILES\GHOSTSURF 2005\PROXY.EXE
C:\PROGRAM FILES\GHOSTSURF 2005\SCHEDULER DAEMON.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\SYSTEM\MSXP.EXE
C:\WINDOWS\SYSTEM\ADDHC32.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SDKSV32.EXE
C:\WINDOWS\SYSTEM\APIMD.EXE
C:\WINDOWS\SYSTEM\APIMD.EXE
C:\HIJACK THIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://216.194.90.249/search.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system\uicpx.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system\uicpx.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system\uicpx.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system\uicpx.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system\uicpx.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system\uicpx.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://drvvv.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system\uicpx.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://keyword.netscape.com/keyword/%s
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by America Online
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:7212
R3 - Default URLSearchHook is missing
F1 - win.ini: run=hpfsched
O2 - BHO: Class - {36D3DED4-B6ED-977C-3402-43C0935E6265} - C:\WINDOWS\SYSTEM\ATLWS32.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [ATIGART] c:\ati\gart\atigart.exe
O4 - HKLM\..\Run: [Atitask] Atiptaaa.exe
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [hppwrsav] C:\SCANJET\PrecisionScanLT\hppwrsav.exe
O4 - HKLM\..\Run: [3Cmlink] C:\WINDOWS\SYSTEM\3cmlnkW.exe
O4 - HKLM\..\Run: [VsecomrEXE] C:\PROGRA~1\PLUS!\Viruscan\VSECOMR.EXE
O4 - HKLM\..\Run: [Vshwin32EXE] C:\PROGRAM FILES\PLUS!\VIRUSCAN\VSHWIN32.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\SYSTEM\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SideWinderTrayV4] C:\PROGRA~1\MICROS~6\GAMECO~1\COMMON\SWTRAYV4.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [ATLAS.EXE] C:\WINDOWS\SYSTEM\ATLAS.EXE
O4 - HKLM\..\Run: [Security iGuard] C:\PROGRAM FILES\SECURITY IGUARD\SECURITY IGUARD.EXE
O4 - HKLM\..\Run: [GhostSurfDelSatellite] "C:\PROGRAM FILES\GHOSTSURF 2005\DeleteSatellite.exe"
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [Vshwin32EXE] C:\PROGRAM FILES\PLUS!\VIRUSCAN\VSHWIN32.EXE
O4 - HKLM\..\RunServices: [NVSvc] C:\WINDOWS\SYSTEM\nvsvc.exe -runservice
O4 - HKLM\..\RunServices: [AolAcsDaemon1] "C:\PROGRAM FILES\COMMON FILES\AOL\ACS\ACSD.EXE"
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [MFCMD32.EXE] C:\WINDOWS\MFCMD32.EXE /s
O4 - HKLM\..\RunServices: [ADDSJ32.EXE] C:\WINDOWS\ADDSJ32.EXE /s
O4 - HKLM\..\RunServices: [SYSEV32.EXE] C:\WINDOWS\SYSTEM\SYSEV32.EXE /s
O4 - HKLM\..\RunServices: [SDKSV32.EXE] C:\WINDOWS\SDKSV32.EXE /s
O4 - HKLM\..\RunServices: [ADDHC32.EXE] C:\WINDOWS\SYSTEM\ADDHC32.EXE /s
O4 - HKLM\..\RunServices: [APIDY32.EXE] C:\WINDOWS\SYSTEM\APIDY32.EXE /s
O4 - HKLM\..\RunServices: [MFCUQ32.EXE] C:\WINDOWS\MFCUQ32.EXE /s
O4 - HKLM\..\RunServices: [ADDTJ32.EXE] C:\WINDOWS\ADDTJ32.EXE /s
O4 - HKLM\..\RunServices: [APPIS32.EXE] C:\WINDOWS\SYSTEM\APPIS32.EXE /s
O4 - HKLM\..\RunServices: [NETBM32.EXE] C:\WINDOWS\SYSTEM\NETBM32.EXE /s
O4 - HKLM\..\RunServices: [D3TY.EXE] C:\WINDOWS\SYSTEM\D3TY.EXE /s
O4 - HKLM\..\RunServices: [CREH32.EXE] C:\WINDOWS\CREH32.EXE /s
O4 - HKLM\..\RunServices: [NETMR.EXE] C:\WINDOWS\NETMR.EXE /s
O4 - HKLM\..\RunServices: [MFCGP32.EXE] C:\WINDOWS\SYSTEM\MFCGP32.EXE /s
O4 - HKLM\..\RunServices: [APIMD.EXE] C:\WINDOWS\SYSTEM\APIMD.EXE /s
O4 - HKLM\..\RunServices: [MSXP.EXE] C:\WINDOWS\SYSTEM\MSXP.EXE /s
O4 - HKLM\..\RunServices: [SDKIY32.EXE] C:\WINDOWS\SDKIY32.EXE /s
O4 - HKLM\..\RunServices: [CRXV32.EXE] C:\WINDOWS\SYSTEM\CRXV32.EXE /s
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: Personal Coach.lnk = C:\Program Files\mpfull.exe
O4 - Startup: America Online 9.0 Tray Icon.lnk = D:\Program Files\America Online 9.0\aoltray.exe
O4 - Startup: GhostSurf proxy.lnk = C:\Program Files\GhostSurf 2005\Proxy.exe
O4 - Startup: Scheduler.lnk = C:\Program Files\GhostSurf 2005\Scheduler daemon.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O9 - Extra button: Microsoft AntiSpyware helper - {299B8680-C426-11D9-9F52-444553540000} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {299B8680-C426-11D9-9F52-444553540000} - (no file) (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://www.aol.com
O15 - Trusted Zone: http://icn.umeche.maine.edu
O16 - DPF: {10000000-1000-0000-1000-000000000000} - mhtml:file://C:\ARCHIVE.MHT!http://195.225.177.2...path3/msits.exe

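The first log above contains the patterns the helper later puts on the fix list: IE search settings redirected into a res:// page inside a DLL, a search URL on a bare IP address, a run of RunServices entries labelled with their own file name and started with /s, a BHO with the generic name "Class", and an O16 entry that pulls an executable through an mhtml:file:// URL. The script below is an added example, not HijackThis code and not anything the poster or the helper wrote; it encodes those patterns as triage rules and runs them over lines copied from the first and last logs in this thread. The rules, the "fix"/"review" severities and the WINDIR path are my assumptions.

```python
"""Triage rules for a HijackThis 1.99 log from a Windows 9x machine.

Added example for this thread, not part of HijackThis. "fix" means the entry
would go on the HijackThis checklist, "review" means a human must decide.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional, Tuple

HJT_RE = re.compile(r"^(?P<sec>[RFO]\d+) - (?P<body>.*)$")
O4_RE = re.compile(r"^(?P<hive>HK[A-Z]+)\\\.\.\\(?P<key>Run\w*): \[(?P<label>[^\]]*)\] (?P<cmd>.+)$")
CMD_RE = re.compile(r'^"?(?P<path>[^"]+?\.(?:exe|dll|cpl|bat))"?(?P<args>.*)$', re.I)
BHO_RE = re.compile(r"^BHO: (?P<name>.*?) - \{(?P<clsid>[^}]*)\} - (?P<path>.*)$")
IP_URL_RE = re.compile(r"https?://\d{1,3}(?:\.\d{1,3}){3}\b")
WINDIR = "C:\\WINDOWS\\"   # assumption: default Win9x install path, as in this log


@dataclass
class Finding:
    line: str
    severity: str   # "fix" or "review"
    reason: str


def check_r(body: str) -> Optional[Tuple[str, str]]:
    """R0/R1: Internet Explorer start, search and proxy settings."""
    if "res://" in body and ".dll" in body.lower():
        return "fix", "search setting points at an HTML page embedded in a DLL"
    if IP_URL_RE.search(body):
        return "fix", "search URL uses a bare IP address instead of a host name"
    if "ProxyServer = 127.0.0.1" in body:
        return "review", ("local proxy; expected when a privacy proxy such as GhostSurf "
                          "is installed, hostile if nothing legitimate listens on that port")
    return None


def check_o2(body: str) -> Optional[Tuple[str, str]]:
    """O2: Browser Helper Objects with a generic name from the Windows directory."""
    m = BHO_RE.match(body)
    if m and m["name"] in ("Class", "(no name)") and m["path"].upper().startswith(WINDIR):
        return "review", "BHO with a generic name loaded from the Windows directory"
    return None


def check_o4(body: str) -> Optional[Tuple[str, str]]:
    """O4: autostart entries; flags the self-named 'RunServices ... /s' pattern."""
    m = O4_RE.match(body)
    if not m:
        return None
    c = CMD_RE.match(m["cmd"].strip())
    if not c:
        return None
    path, args = c["path"], c["args"].strip()
    base = path.rsplit("\\", 1)[-1]
    self_named = base.upper() == m["label"].upper()   # legitimate entries use descriptive labels
    if (m["key"] == "RunServices" and self_named
            and path.upper().startswith(WINDIR) and args.lower() == "/s"):
        return "fix", "RunServices entry named after its own file in the Windows directory, started with /s"
    return None


def check_o16(body: str) -> Optional[Tuple[str, str]]:
    """O16: ActiveX 'Download Program Files' entries."""
    if body.startswith("DPF:") and "mhtml:" in body.lower():
        return "fix", "download entry reaches a remote executable through an mhtml:file:// URL"
    return None


CHECKS = {"R0": check_r, "R1": check_r, "O2": check_o2, "O4": check_o4, "O16": check_o16}


def triage(log_text: str) -> List[Finding]:
    """One Finding per log line that trips a rule, in log order."""
    findings = []
    for line in log_text.splitlines():
        m = HJT_RE.match(line.strip())
        if not m:
            continue                       # process list, header and blank lines
        check = CHECKS.get(m["sec"])
        verdict = check(m["body"]) if check else None
        if verdict:
            findings.append(Finding(line.strip(), *verdict))
    return findings


def summarize(findings: List[Finding]) -> dict:
    return dict(Counter(f.severity for f in findings))


# Constructed samples: lines copied from the first and the last log in this thread.
SAMPLE_BEFORE = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://216.194.90.249/search.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system\uicpx.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:7212
O2 - BHO: Class - {36D3DED4-B6ED-977C-3402-43C0935E6265} - C:\WINDOWS\SYSTEM\ATLWS32.DLL
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [NVSvc] C:\WINDOWS\SYSTEM\nvsvc.exe -runservice
O4 - HKLM\..\RunServices: [ADDSJ32.EXE] C:\WINDOWS\ADDSJ32.EXE /s
O4 - HKLM\..\RunServices: [SYSEV32.EXE] C:\WINDOWS\SYSTEM\SYSEV32.EXE /s
O4 - HKLM\..\RunServices: [D3TY.EXE] C:\WINDOWS\SYSTEM\D3TY.EXE /s
O16 - DPF: {10000000-1000-0000-1000-000000000000} - mhtml:file://C:\ARCHIVE.MHT!http://195.225.177.2...path3/msits.exe
"""
SAMPLE_AFTER = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:7212
O15 - Trusted Zone: http://icn.umeche.maine.edu
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_BEFORE):
        print(f"[{f.severity:6}] {f.reason}\n         {f.line}")
    print(summarize(triage(SAMPLE_BEFORE)), summarize(triage(SAMPLE_AFTER)))
```

Run against the first log the rules produce six "fix" and two "review" findings; against the last log only the 127.0.0.1:7212 proxy remains, which is why it is a "review" item rather than a "fix": GhostSurf's Proxy.exe is in the Startup list of every log in this thread, so a local proxy is expected here. The self-named RunServices rule deliberately does not fire on `[NVSvc] nvsvc.exe -runservice`, whose label and argument differ from the malware pattern; whether that entry belongs on the fix list is a judgement the script leaves to the person reading the log, and the O15 trusted-zone entry is not covered by any rule.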
#2 greyknight17 (Malware Expert, Visiting Consultant)
Download smitRem.zip and save the file to your desktop.
Right click on the file and extract it to its own folder on the desktop.

Place a shortcut to Panda ActiveScan on your desktop.

Please download the trial version of Ewido Security Suite here:
http://www.ewido.net/en/download/

Please read Ewido Setup Instructions
Install it, and update the definitions to the newest files. Do NOT run a scan yet.

Download AboutBuster http://www.greyknigh...AboutBuster.zip and unzip the files to a folder on your Desktop. Run AboutBuster and click OK. Click Update button to see if there are any updates. Close the program now.

If you have not already installed Ad-Aware SE 1.06, follow these download and setup instructions, otherwise, check for updates:
Ad-Aware SE Setup
Don't run it yet!

Next, please reboot your computer in SafeMode by doing the following:
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
  • Instead of Windows loading as normal, a menu should appear
  • Select the first option, to run Windows in Safe Mode.
Now scan with HJT and place a checkmark next to each of the following items:
===================================================
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://216.194.90.249/search.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system\uicpx.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system\uicpx.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system\uicpx.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system\uicpx.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system\uicpx.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system\uicpx.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://drvvv.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system\uicpx.dll/sp.html#28129
R3 - Default URLSearchHook is missing
F1 - win.ini: run=hpfsched
O2 - BHO: Class - {36D3DED4-B6ED-977C-3402-43C0935E6265} - C:\WINDOWS\SYSTEM\ATLWS32.DLL
O4 - HKLM\..\Run: [ATLAS.EXE] C:\WINDOWS\SYSTEM\ATLAS.EXE
O4 - HKLM\..\Run: [Security iGuard] C:\PROGRAM FILES\SECURITY IGUARD\SECURITY IGUARD.EXE
O4 - HKLM\..\RunServices: [NVSvc] C:\WINDOWS\SYSTEM\nvsvc.exe -runservice
O4 - HKLM\..\RunServices: [MFCMD32.EXE] C:\WINDOWS\MFCMD32.EXE /s
O4 - HKLM\..\RunServices: [ADDSJ32.EXE] C:\WINDOWS\ADDSJ32.EXE /s
O4 - HKLM\..\RunServices: [SYSEV32.EXE] C:\WINDOWS\SYSTEM\SYSEV32.EXE /s
O4 - HKLM\..\RunServices: [SDKSV32.EXE] C:\WINDOWS\SDKSV32.EXE /s
O4 - HKLM\..\RunServices: [ADDHC32.EXE] C:\WINDOWS\SYSTEM\ADDHC32.EXE /s
O4 - HKLM\..\RunServices: [APIDY32.EXE] C:\WINDOWS\SYSTEM\APIDY32.EXE /s
O4 - HKLM\..\RunServices: [MFCUQ32.EXE] C:\WINDOWS\MFCUQ32.EXE /s
O4 - HKLM\..\RunServices: [ADDTJ32.EXE] C:\WINDOWS\ADDTJ32.EXE /s
O4 - HKLM\..\RunServices: [APPIS32.EXE] C:\WINDOWS\SYSTEM\APPIS32.EXE /s
O4 - HKLM\..\RunServices: [NETBM32.EXE] C:\WINDOWS\SYSTEM\NETBM32.EXE /s
O4 - HKLM\..\RunServices: [D3TY.EXE] C:\WINDOWS\SYSTEM\D3TY.EXE /s
O4 - HKLM\..\RunServices: [CREH32.EXE] C:\WINDOWS\CREH32.EXE /s
O4 - HKLM\..\RunServices: [NETMR.EXE] C:\WINDOWS\NETMR.EXE /s
O4 - HKLM\..\RunServices: [MFCGP32.EXE] C:\WINDOWS\SYSTEM\MFCGP32.EXE /s
O4 - HKLM\..\RunServices: [APIMD.EXE] C:\WINDOWS\SYSTEM\APIMD.EXE /s
O4 - HKLM\..\RunServices: [MSXP.EXE] C:\WINDOWS\SYSTEM\MSXP.EXE /s
O4 - HKLM\..\RunServices: [SDKIY32.EXE] C:\WINDOWS\SDKIY32.EXE /s
O4 - HKLM\..\RunServices: [CRXV32.EXE] C:\WINDOWS\SYSTEM\CRXV32.EXE /s
O9 - Extra button: Microsoft AntiSpyware helper - {299B8680-C426-11D9-9F52-444553540000} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {299B8680-C426-11D9-9F52-444553540000} - (no file) (HKCU)
O16 - DPF: {10000000-1000-0000-1000-000000000000} - mhtml:file://C:\ARCHIVE.MHT!http://195.225.177.2...path3/msits.exe

===================================================

Run AboutBuster and click Begin Removal button. Once that's done, just hit the OK button. Click Exit once you are done. Click the OK button and it should exit. Open up the 'Ab LogFile.txt' (which was created in the same folder as AboutBuster) and post the log here.

Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen.
Wait for the tool to complete and disk cleanup to finish.

Delete these files if they still exist:

c:\program files\security iguard\
c:\windows\addtj32.exe
c:\windows\creh32.exe
c:\windows\mfcmd32.exe
c:\windows\mfcuq32.exe
c:\windows\netmr.exe
c:\windows\sdkiy32.exe
c:\windows\sdksv32.exe
c:\windows\system\addhc32.exe
c:\windows\system\apidy32.exe
c:\windows\system\apimd.exe
c:\windows\system\appis32.exe
c:\windows\system\atlas.exe
c:\windows\system\atlws32.dll
c:\windows\system\crxv32.exe
c:\windows\system\d3ty.exe
c:\windows\system\mfcgp32.exe
c:\windows\system\msxp.exe
c:\windows\system\msxp.exe
c:\windows\system\netbm32.exe
c:\windows\system\nvsvc.exe
c:\windows\system\sysev32.exe
C:\WINDOWS\system\uicpx.dll


The tool will create a log named smitfiles.txt in the root of your drive, eg; Local Disk C: or partition where your operating system is installed. Please post that log along with all others requested in your next reply.


Open Ad-aware and do a full scan. Remove all it finds.


Run Ewido:
  • Click on scanner
  • Click on Complete System Scan and the scan will begin.
  • NOTE: During some scans with ewido it is finding cases of false positives.
  • You will need to step through the process of cleaning files one-by-one.
  • If ewido detects a file you KNOW to be legitimate, select none as the action.
  • DO NOT select "Perform action on all infections"
  • If you are unsure of any entry found select none for now.
  • When the scan is finished, click the Save report button at the bottom of the screen.
  • Save the report to your desktop
Close Ewido

Next go to Control Panel click Display > Desktop > Customize Desktop > Web > Uncheck "Security Info" if present. Remove the check by "View my Active desktop as a web page".
Click OK then Apply and OK.

Reboot back into Windows and click the Panda ActiveScan shortcut, then do a full system scan. Make sure the autoclean box is checked!
Save the scan log and post it along with a new HijackThis Log, the contents of the smitfiles.txt log and the Ewido Log by using Add Reply.
Let us know if any problems persist.

#3 tlstevens (Topic Starter)
The computer doesn't have an internet connection at the moment since it was dropped off at my house to look at. Is there a way to get updates to the programs I need to run by downloading an executable or copying files from my computer onto a disc? I will start to follow your recommendations and post back. Thanks for your help. I can't install Ewido because the computer only has Windows 98 and the installer said it needs Windows 2000 or XP.

Edited by tlstevens, 23 July 2005 - 12:26 PM.


#4 tlstevens (Topic Starter)
Here are the logs I have so far.


Logfile of HijackThis v1.99.1
Scan saved at 2:46:11 PM, on 7/23/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\PROGRAM FILES\PLUS!\VIRUSCAN\VSHWIN32.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\PTUDFAPP.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\SCANJET\PRECISIONSCANLT\HPPWRSAV.EXE
C:\WINDOWS\SYSTEM\3CMLNKW.EXE
C:\PROGRAM FILES\MICROSOFT HARDWARE\GAME CONTROLLERS\COMMON\SWTRAYV4.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\PROGRAM FILES\GHOSTSURF 2005\PROXY.EXE
C:\PROGRAM FILES\GHOSTSURF 2005\SCHEDULER DAEMON.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\HIJACK THIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by America Online
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:7212
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [ATIGART] c:\ati\gart\atigart.exe
O4 - HKLM\..\Run: [Atitask] Atiptaaa.exe
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [hppwrsav] C:\SCANJET\PrecisionScanLT\hppwrsav.exe
O4 - HKLM\..\Run: [3Cmlink] C:\WINDOWS\SYSTEM\3cmlnkW.exe
O4 - HKLM\..\Run: [VsecomrEXE] C:\PROGRA~1\PLUS!\Viruscan\VSECOMR.EXE
O4 - HKLM\..\Run: [Vshwin32EXE] C:\PROGRAM FILES\PLUS!\VIRUSCAN\VSHWIN32.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\SYSTEM\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SideWinderTrayV4] C:\PROGRA~1\MICROS~6\GAMECO~1\COMMON\SWTRAYV4.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [GhostSurfDelSatellite] "C:\PROGRAM FILES\GHOSTSURF 2005\DeleteSatellite.exe"
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [Vshwin32EXE] C:\PROGRAM FILES\PLUS!\VIRUSCAN\VSHWIN32.EXE
O4 - HKLM\..\RunServices: [AolAcsDaemon1] "C:\PROGRAM FILES\COMMON FILES\AOL\ACS\ACSD.EXE"
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: Personal Coach.lnk = C:\Program Files\mpfull.exe
O4 - Startup: America Online 9.0 Tray Icon.lnk = D:\Program Files\America Online 9.0\aoltray.exe
O4 - Startup: GhostSurf proxy.lnk = C:\Program Files\GhostSurf 2005\Proxy.exe
O4 - Startup: Scheduler.lnk = C:\Program Files\GhostSurf 2005\Scheduler daemon.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.aol.com
O15 - Trusted Zone: http://icn.umeche.maine.edu




No Files Found!
------------------------------------------------
Scan was ABORTED at 2:20:16 PM


AboutBuster 5.0 reference file 30
Scan started on [7/23/05] at [2:39:51 PM]
------------------------------------------------
Streams(ADS) not scanned: System not NTFS
------------------------------------------------
Removed File! : C:\Windows\shyix.dat
------------------------------------------------
Scan was COMPLETED SUCCESSFULLY at 2:41:54 PM







smitRem log file
version 2.2

by noahdfear


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Pre-run Files Present


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~



~~~ system folder ~~~




~~~ Windows directory ~~~



~~~ Drive root ~~~

wp.exe


~~~~ wininet.dll ~~~~

wininet.dll Present!!


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Post-run Files Present


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~



~~~ system folder ~~~




~~~ Windows directory ~~~



~~~ Drive root ~~~

wp.exe


~~~~ wininet.dll ~~~~

wininet.dll Clean!!



I wasn't able to run Ewido since the computer doesn't support it. Is there another program for Windows 98 that will give the same results?

#5 greyknight17 (Malware Expert)
So no internet at all? You should really try to get that Panda scan going. I just want to make sure there aren't any other files hidden from us.

OK, try this fix. Fix whatever applies.

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order it is mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should 'not' have any open browsers when you are following the procedures below.

Right click on this link -> http://www.bleepingc...g/smitfraud.reg and save that file. Double click on it and click on Yes when it asks you if you want to merge it into the registry. Once that's done, right click on your Desktop and go to Properties. Next go to Desktop tab->Customize Desktop button->Web tab. Uncheck everything listed there. Then delete all the entries listed except for 'My Current Home Page'. Click OK and OK.

Go to Start->-Control Panel->Add or Remove Programs and remove/uninstall the following programs, if found:

Security iGuard
Virtual Maid
Search Maid


Exit Add/Remove Programs.

Go to My Computer->Tools/View->Folder Options->View tab and make sure that 'Show hidden files and folders' (or 'Show all files') is enabled. Also make sure that 'Display the contents of system folders' is checked.

Download KillBox http://www.greyknigh...spy/KillBox.exe. Run KillBox and check the box that says 'End Explorer Shell While Killing File'. Next click on 'Delete on Reboot'. Copy the below files and go back to KillBox. Go to File->Paste from Clipboard and then hit the button with a red circle and white X. Confirm to delete and when asked if you want to reboot, say no:

C:\wp.exe
C:\wp.bmp
C:\bsw.exe
C:\Windows\sites.ini
C:\Windows\popuper.exe
C:\Windows\system\hhk.dll
C:\Windows\System\wldr.dll
C:\Windows\System\helper.exe
C:\Windows\System\intmon.exe
C:\Windows\System\shnlog.exe
C:\Windows\System\intmonp.exe
C:\Windows\System\msmsgs.exe
C:\Windows\system\msole32.exe
C:\Windows\system\ole32vbs.exe


Restart your computer and boot into Safe Mode by hitting the F8 key repeatedly until a menu shows up (and choose Safe Mode from the list). In some systems, this may be the F5 key, so try that if F8 doesn't work.

Delete these folders if they exist:

C:\Program Files\Search Maid\
C:\Program Files\Virtual Maid\
C:\Windows\System\Log Files\
C:\Program Files\Security iGuard\


Restart your computer.

Restart and post a new HijackThis log along with the results from ActiveScan.

#6 tlstevens (Topic Starter)
I have a question about your last post. After downloading KillBox, it mentions copying the files listed in your post. Do I copy them into a Notepad file from the post and then paste them into the KillBox program?

#7 tlstevens (Topic Starter)
I finished following your instructions from your last post. Here is the latest HijackThis log.


Logfile of HijackThis v1.99.1
Scan saved at 10:04:58 PM, on 7/23/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\PROGRAM FILES\PLUS!\VIRUSCAN\VSHWIN32.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\PTUDFAPP.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\SCANJET\PRECISIONSCANLT\HPPWRSAV.EXE
C:\WINDOWS\SYSTEM\3CMLNKW.EXE
C:\PROGRAM FILES\MICROSOFT HARDWARE\GAME CONTROLLERS\COMMON\SWTRAYV4.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\PROGRAM FILES\GHOSTSURF 2005\PROXY.EXE
C:\PROGRAM FILES\GHOSTSURF 2005\SCHEDULER DAEMON.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\HIJACK THIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by America Online
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:7212
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [ATIGART] c:\ati\gart\atigart.exe
O4 - HKLM\..\Run: [Atitask] Atiptaaa.exe
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [hppwrsav] C:\SCANJET\PrecisionScanLT\hppwrsav.exe
O4 - HKLM\..\Run: [3Cmlink] C:\WINDOWS\SYSTEM\3cmlnkW.exe
O4 - HKLM\..\Run: [VsecomrEXE] C:\PROGRA~1\PLUS!\Viruscan\VSECOMR.EXE
O4 - HKLM\..\Run: [Vshwin32EXE] C:\PROGRAM FILES\PLUS!\VIRUSCAN\VSHWIN32.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\SYSTEM\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SideWinderTrayV4] C:\PROGRA~1\MICROS~6\GAMECO~1\COMMON\SWTRAYV4.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [GhostSurfDelSatellite] "C:\PROGRAM FILES\GHOSTSURF 2005\DeleteSatellite.exe"
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [Vshwin32EXE] C:\PROGRAM FILES\PLUS!\VIRUSCAN\VSHWIN32.EXE
O4 - HKLM\..\RunServices: [AolAcsDaemon1] "C:\PROGRAM FILES\COMMON FILES\AOL\ACS\ACSD.EXE"
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: Personal Coach.lnk = C:\Program Files\mpfull.exe
O4 - Startup: America Online 9.0 Tray Icon.lnk = D:\Program Files\America Online 9.0\aoltray.exe
O4 - Startup: GhostSurf proxy.lnk = C:\Program Files\GhostSurf 2005\Proxy.exe
O4 - Startup: Scheduler.lnk = C:\Program Files\GhostSurf 2005\Scheduler daemon.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.aol.com
O15 - Trusted Zone: http://icn.umeche.maine.edu

#8 greyknight17 (Malware Expert)
Did you get the KillBox instructions? If not, all you have to do is highlight them here in the forum and select copy. No need for Notepad. Go directly to KillBox->File->Paste from Clipboard.

Do you know what this file is for?

C:\Program Files\mpfull.exe

If not, I want you to upload it to http://virusscan.jotti.org and see what it reports back.

Other than that:

Your log is clean.

To help prevent future spyware installations/infections, please read the Anti-Spyware Tutorial and use the tools provided.

Are there any problems now? If not, you should be set to go.

#9 tlstevens (Topic Starter)
I'm not sure what mpfull is; it might refer to a media player that is installed. Thanks for your help. The computer is responding better. I have installed Ad-Aware and Spybot. I will make sure my friend runs these on a regular basis. Thanks again for all your help.

#10 greyknight17 (Malware Expert)
Since this issue appears to be resolved, this topic has been closed. Glad we could help.

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.