Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

CoolWWWSearch.Aff.Winshow and its friends [RESOLVED]


  • This topic is locked This topic is locked

#1
RaptorGirl

RaptorGirl

    Member

  • Member
  • PipPip
  • 13 posts
Hi,
First off, I'm gonna' ask you to forgive me both for my amateur computer knowledge and lingo, and my crappy operating system/computer... I know I should just buy a new computer instead of trying to rescue this one, but, alas, I am pretty broke, so I'd appreciate any attempts to salvage this one ;) .

Anyways, by my estimations, I've been hijacked by Coolwwwsearch and associated friends. It all started a few weeks ago on my boyfriend's profile, when apparently some boxes popped up telling him he was infected (I don't know if they were real Norton related files or just the spyware in action). He also got the blue screen telling him that his computer's infected, run virus software, etc., and psguard (red exclamation point with a link to their spyware) was on his toolbar, saying "this computer has been infected".

Since then, most of the work has been done on my profile, which seems to run a little faster and better. On his profile we can't seem to open Norton anymore, although I haven't tried reinstalling because it runs on my profile.

Symptoms: My Internet Explorer has it's home page changed to about:blank (search engine with words like Xanax, Viagra and casinos typed in for me), and both [bleep] and search sites have been put into my bookmarks. Of course, all of this returns with reboot even if I change it. Lots of pop-ups (I think most have the header "Only the best" or something like that). Frequent freezing. Dialog boxes popping up and telling me that Windows Firewall has detected suspicious activity, click here to find out how to get rid of spyware. Pretty slow (although it was already :tazz: ). Etc. No blue screen of death on my profile, though.

When I run a Norton full scan, it inevitably finds files infected by Byte.Trojan and Download.Trojan, but even after I "fix" these files, the infection is usually back by next scan.

Ad-Aware keeps on finding lots of CWS stuff, and Spyware S & D keeps on finding CoolWWWSearch.Aff.Winshow and trek blue error nuker, yet even if I get rid of them, they are back after the next reboot. I thought CWShredder would be my saviour, but it keeps on saying that there is no CWS on my computer (I even tried running that extra program that gets rid of the type of CWS that won't let shredder run, but apparently that type of CWS wasn't on my computer).

Panda Active Scan found a whole bunch of spyware, but couldn't disinfect any of it.

My HJT log is below. Any insights on how I can free my computer would be greatly appreciated... although layperson's language is always appreciated.




Logfile of HijackThis v1.99.1
Scan saved at 9:13:30 AM, on 7/26/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCSETMGR.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\SYMTRAY.EXE
C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON ANTIVIRUS\IWP\NPFMNTOR.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SDKNF.EXE
C:\WINDOWS\SYSTEM\ADDTD.EXE
C:\WINDOWS\SYSTEM\MFCPV.EXE
C:\WINDOWS\MSDM32.EXE
C:\WINDOWS\ATLGS.EXE
C:\WINDOWS\D3FS32.EXE
C:\WINDOWS\SYSTEM\D3HT32.EXE
C:\WINDOWS\ADDSD32.EXE
C:\WINDOWS\NETUQ32.EXE
C:\WINDOWS\SYSTEM\WINCC32.EXE
C:\WINDOWS\SYSTEM\NTYM.EXE
C:\WINDOWS\IPEX32.EXE
C:\WINDOWS\SYSTEM\D3MX32.EXE
C:\WINDOWS\WINBJ32.EXE
C:\WINDOWS\D3WW.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM32\DRIVERS\KODAKCCS.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\MSN APPS\UPDATER\01.03.0000.1005\EN-CA\MSNAPPAU.EXE
C:\PROGRAM FILES\3DFX INTERACTIVE\3DFX TOOLS\APPS\3DFXMAN.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCPD-LC\SYMLCSVC.EXE
C:\WINDOWS\SYSTEM\ATLOP32.EXE
C:\WINDOWS\RunDLL.exe
C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
C:\PROGRAM FILES\SPYBOT - SEARCH & DESTROY\TEATIMER.EXE
C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON CLEANSWEEP\CSINSM32.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\KODAK\KODAK EASYSHARE SOFTWARE\BIN\EASYSHARE.EXE
C:\WINDOWS\SYSTEM\D3MX32.EXE
C:\WINDOWS\SDKNF.EXE
C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON CLEANSWEEP\Monwow.exe
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\SNDSRVC.EXE
C:\WINDOWS\PROFILES\NORANN\DESKTOP\HIJACK THIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system\cxbyy.dll/sp.html#93256
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system\cxbyy.dll/sp.html#93256
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system\cxbyy.dll/sp.html#93256
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system\cxbyy.dll/sp.html#93256
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system\cxbyy.dll/sp.html#93256
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system\cxbyy.dll/sp.html#93256
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by AOL
R3 - Default URLSearchHook is missing
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O2 - BHO: Class - {E741AE57-A145-C804-699C-3AC145BCB876} - C:\WINDOWS\SYSTEM\MSZC32.DLL
O2 - BHO: Class - {DCC69B40-C060-D573-6BED-21A0EA3DBCD1} - C:\WINDOWS\SYSTEM\SYSIV.DLL
O2 - BHO: Class - {99FA4172-70BA-F5F0-EB8D-3E910E0ADD26} - C:\WINDOWS\APPHM.DLL
O2 - BHO: Class - {957A6506-FA99-95EC-8012-78785C25AEF1} - C:\WINDOWS\SYSTEM\IPLP.DLL
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\PROGRAM FILES\MSN APPS\MSN TOOLBAR\01.02.3000.1001\EN-US\MSNTB.DLL
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [KodakCCS] C:\WINDOWS\System32\Drivers\KodakCCS.exe
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [msnappau] "c:\program files\MSN Apps\Updater\01.03.0000.1005\en-ca\msnappau.exe"
O4 - HKLM\..\Run: [3dfx Tools] rundll32.exe 3dfxCmn.dll,CMNUpdateOnBoot
O4 - HKLM\..\Run: [3dfx Task Manager] "C:\Program Files\3dfx Interactive\3dfx Tools\Apps\3dfxMan.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec Core LC] C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe start
O4 - HKLM\..\Run: [ATLOP32.EXE] C:\WINDOWS\SYSTEM\ATLOP32.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [ccEvtMgr] "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
O4 - HKLM\..\RunServices: [ccSetMgr] "C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe"
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\SymTray.exe "Norton SystemWorks"
O4 - HKLM\..\RunServices: [NPFMonitor] C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
O4 - HKLM\..\RunServices: [SDKNF.EXE] C:\WINDOWS\SDKNF.EXE /s
O4 - HKLM\..\RunServices: [ADDTD.EXE] C:\WINDOWS\SYSTEM\ADDTD.EXE /s
O4 - HKLM\..\RunServices: [MFCPV.EXE] C:\WINDOWS\SYSTEM\MFCPV.EXE /s
O4 - HKLM\..\RunServices: [MSDM32.EXE] C:\WINDOWS\MSDM32.EXE /s
O4 - HKLM\..\RunServices: [ATLGS.EXE] C:\WINDOWS\ATLGS.EXE /s
O4 - HKLM\..\RunServices: [D3FS32.EXE] C:\WINDOWS\D3FS32.EXE /s
O4 - HKLM\..\RunServices: [D3HT32.EXE] C:\WINDOWS\SYSTEM\D3HT32.EXE /s
O4 - HKLM\..\RunServices: [ADDSD32.EXE] C:\WINDOWS\ADDSD32.EXE /s
O4 - HKLM\..\RunServices: [NETUQ32.EXE] C:\WINDOWS\NETUQ32.EXE /s
O4 - HKLM\..\RunServices: [WINCC32.EXE] C:\WINDOWS\SYSTEM\WINCC32.EXE /s
O4 - HKLM\..\RunServices: [NTYM.EXE] C:\WINDOWS\SYSTEM\NTYM.EXE /s
O4 - HKLM\..\RunServices: [IPEX32.EXE] C:\WINDOWS\IPEX32.EXE /s
O4 - HKLM\..\RunServices: [D3MX32.EXE] C:\WINDOWS\SYSTEM\D3MX32.EXE /s
O4 - HKLM\..\RunServices: [WINBJ32.EXE] C:\WINDOWS\WINBJ32.EXE /s
O4 - HKLM\..\RunServices: [D3WW.EXE] C:\WINDOWS\D3WW.EXE /s
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O4 - Startup: CleanSweep Smart Sweep-Internet Sweep.lnk = C:\Program Files\Norton SystemWorks\Norton CleanSweep\csinsm32.exe
O4 - Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - User Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - User Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O4 - User Startup: CleanSweep Smart Sweep-Internet Sweep.lnk = C:\Program Files\Norton SystemWorks\Norton CleanSweep\csinsm32.exe
O4 - User Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE10\EXCEL.EXE/3000
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {82F2D6B2-6C58-4404-A930-9DB0FD90D4B1} (Driver_Detective_v43_Non_Member.DD_v43) - http://www.drivershq..._Non_Member.CAB
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.s...rl/SymAData.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - https://www-secure.s...sa/LSSupCtl.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
  • 0

Advertisements


#2
Buckeye_Sam

Buckeye_Sam

    Malware Expert

  • Member
  • PipPipPipPipPipPipPipPip
  • 10,019 posts
Hi and welcome to GeeksToGo! My name is Sam and I will be helping you.

I apologize for the delay getting to your log, the helpers here are very busy.
If you still need help, please post a fresh Hijack log, in this thread, so I can help you with your Malware Problems.

If you have resolved this issue please let us know.
  • 0

#3
RaptorGirl

RaptorGirl

    Member

  • Topic Starter
  • Member
  • PipPip
  • 13 posts
Hi, and thanks for the reply. I am out of town at the moment, but I will be back home tomorrow, and will post a fresh HJT log ASAP.
  • 0

#4
RaptorGirl

RaptorGirl

    Member

  • Topic Starter
  • Member
  • PipPip
  • 13 posts
Hi Sam,

My new HJT log is below.

My computer actually has two different user profiles (as I believe I mentioned above). Does this mean I should post a second HJT log for the other profile, or should what we do on this profile likely clear up the other one as well?

Thanks a lot!


Logfile of HijackThis v1.99.1
Scan saved at 1:18:08 AM, on 8/2/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCSETMGR.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\SYMTRAY.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON ANTIVIRUS\IWP\NPFMNTOR.EXE
C:\WINDOWS\SDKNF.EXE
C:\WINDOWS\SYSTEM\ADDTD.EXE
C:\WINDOWS\SYSTEM\MFCPV.EXE
C:\WINDOWS\MSDM32.EXE
C:\WINDOWS\ATLGS.EXE
C:\WINDOWS\D3FS32.EXE
C:\WINDOWS\SYSTEM\D3HT32.EXE
C:\WINDOWS\ADDSD32.EXE
C:\WINDOWS\NETUQ32.EXE
C:\WINDOWS\SYSTEM\WINCC32.EXE
C:\WINDOWS\SYSTEM\NTYM.EXE
C:\WINDOWS\IPEX32.EXE
C:\WINDOWS\SYSTEM\D3MX32.EXE
C:\WINDOWS\WINBJ32.EXE
C:\WINDOWS\D3WW.EXE
C:\WINDOWS\APIZP.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM32\DRIVERS\KODAKCCS.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\MSN APPS\UPDATER\01.03.0000.1005\EN-CA\MSNAPPAU.EXE
C:\PROGRAM FILES\3DFX INTERACTIVE\3DFX TOOLS\APPS\3DFXMAN.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCPD-LC\SYMLCSVC.EXE
C:\WINDOWS\SYSTEM\ATLOP32.EXE
C:\WINDOWS\RunDLL.exe
C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
C:\PROGRAM FILES\SPYBOT - SEARCH & DESTROY\TEATIMER.EXE
C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON CLEANSWEEP\CSINSM32.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\KODAK\KODAK EASYSHARE SOFTWARE\BIN\EASYSHARE.EXE
C:\WINDOWS\ATLGS.EXE
C:\WINDOWS\SYSTEM\ADDTD.EXE
C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON CLEANSWEEP\Monwow.exe
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\SNDSRVC.EXE
C:\HIJACK THIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\cltiw.dll/sp.html#93256
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\cltiw.dll/sp.html#93256
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\cltiw.dll/sp.html#93256
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\cltiw.dll/sp.html#93256
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\cltiw.dll/sp.html#93256
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\cltiw.dll/sp.html#93256
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by AOL
R3 - Default URLSearchHook is missing
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O2 - BHO: Class - {957A6506-FA99-95EC-8012-78785C25AEF1} - C:\WINDOWS\SYSTEM\IPLP.DLL
O2 - BHO: Class - {CE7CB6E8-8034-F80C-363B-234570B55926} - C:\WINDOWS\SYSTEM\APIZX32.DLL
O2 - BHO: Class - {9A977CCE-452A-DBC9-15F2-B633B92A8D4C} - C:\WINDOWS\SYSTEM\APPQR.DLL
O2 - BHO: Class - {4DA8CAE4-8676-C0B7-802D-3BAD02EFF99E} - C:\WINDOWS\SYSTEM\ATLQR32.DLL
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\PROGRAM FILES\MSN APPS\MSN TOOLBAR\01.02.3000.1001\EN-US\MSNTB.DLL
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [KodakCCS] C:\WINDOWS\System32\Drivers\KodakCCS.exe
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [msnappau] "c:\program files\MSN Apps\Updater\01.03.0000.1005\en-ca\msnappau.exe"
O4 - HKLM\..\Run: [3dfx Tools] rundll32.exe 3dfxCmn.dll,CMNUpdateOnBoot
O4 - HKLM\..\Run: [3dfx Task Manager] "C:\Program Files\3dfx Interactive\3dfx Tools\Apps\3dfxMan.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec Core LC] C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe start
O4 - HKLM\..\Run: [ATLOP32.EXE] C:\WINDOWS\SYSTEM\ATLOP32.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [ccEvtMgr] "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
O4 - HKLM\..\RunServices: [ccSetMgr] "C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe"
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\SymTray.exe "Norton SystemWorks"
O4 - HKLM\..\RunServices: [NPFMonitor] C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
O4 - HKLM\..\RunServices: [SDKNF.EXE] C:\WINDOWS\SDKNF.EXE /s
O4 - HKLM\..\RunServices: [ADDTD.EXE] C:\WINDOWS\SYSTEM\ADDTD.EXE /s
O4 - HKLM\..\RunServices: [MFCPV.EXE] C:\WINDOWS\SYSTEM\MFCPV.EXE /s
O4 - HKLM\..\RunServices: [MSDM32.EXE] C:\WINDOWS\MSDM32.EXE /s
O4 - HKLM\..\RunServices: [ATLGS.EXE] C:\WINDOWS\ATLGS.EXE /s
O4 - HKLM\..\RunServices: [D3FS32.EXE] C:\WINDOWS\D3FS32.EXE /s
O4 - HKLM\..\RunServices: [D3HT32.EXE] C:\WINDOWS\SYSTEM\D3HT32.EXE /s
O4 - HKLM\..\RunServices: [ADDSD32.EXE] C:\WINDOWS\ADDSD32.EXE /s
O4 - HKLM\..\RunServices: [NETUQ32.EXE] C:\WINDOWS\NETUQ32.EXE /s
O4 - HKLM\..\RunServices: [WINCC32.EXE] C:\WINDOWS\SYSTEM\WINCC32.EXE /s
O4 - HKLM\..\RunServices: [NTYM.EXE] C:\WINDOWS\SYSTEM\NTYM.EXE /s
O4 - HKLM\..\RunServices: [IPEX32.EXE] C:\WINDOWS\IPEX32.EXE /s
O4 - HKLM\..\RunServices: [D3MX32.EXE] C:\WINDOWS\SYSTEM\D3MX32.EXE /s
O4 - HKLM\..\RunServices: [WINBJ32.EXE] C:\WINDOWS\WINBJ32.EXE /s
O4 - HKLM\..\RunServices: [D3WW.EXE] C:\WINDOWS\D3WW.EXE /s
O4 - HKLM\..\RunServices: [APIZP.EXE] C:\WINDOWS\APIZP.EXE /s
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O4 - Startup: CleanSweep Smart Sweep-Internet Sweep.lnk = C:\Program Files\Norton SystemWorks\Norton CleanSweep\csinsm32.exe
O4 - Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - User Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - User Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O4 - User Startup: CleanSweep Smart Sweep-Internet Sweep.lnk = C:\Program Files\Norton SystemWorks\Norton CleanSweep\csinsm32.exe
O4 - User Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE10\EXCEL.EXE/3000
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {82F2D6B2-6C58-4404-A930-9DB0FD90D4B1} (Driver_Detective_v43_Non_Member.DD_v43) - http://www.drivershq..._Non_Member.CAB
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.s...rl/SymAData.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - https://www-secure.s...sa/LSSupCtl.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
  • 0

#5
Buckeye_Sam

Buckeye_Sam

    Malware Expert

  • Member
  • PipPipPipPipPipPipPipPip
  • 10,019 posts
Let's clean up this profile first and then you can post the other one and we'll see if there's anything there to deal with.

Before we do anything you will need to disable Spybot's Teatimer function. If you are not sure how to do this please check the info at this link.
http://russelltexas....re/teatimer.htm


We are going to need some tools to remove this infection. Please download, install, and update any of these programs that you don't already have. Do not run any of them yet.Next I want you to make sure that you can VIEW ALL HIDDEN FILES.


If you have problems with any of these steps make a note of the problem and then continue on to the next step. Let me know of any problems in your next reply. Much of this fix has to be performed in Safe Mode where you won't be able to access the Internet.

Please print out these instructions.


Please reboot your computer in SafeMode by doing the following:
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
  • Instead of Windows loading as normal, a menu should appear
  • Select the first option, to run Windows in Safe Mode.
* if you have trouble getting into Safe mode go here for more info.


=============

Once in Safe mode follow these steps:
  • Run Hijackthis again, click scan, and Put a checkmark next to each of these. Then close all other windows--you should only see HijackThis on your Desktop--and click the Fix Checked button.

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\cltiw.dll/sp.html#93256
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\cltiw.dll/sp.html#93256
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\cltiw.dll/sp.html#93256
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\cltiw.dll/sp.html#93256
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\cltiw.dll/sp.html#93256
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\cltiw.dll/sp.html#93256
    O2 - BHO: Class - {957A6506-FA99-95EC-8012-78785C25AEF1} - C:\WINDOWS\SYSTEM\IPLP.DLL
    O2 - BHO: Class - {CE7CB6E8-8034-F80C-363B-234570B55926} - C:\WINDOWS\SYSTEM\APIZX32.DLL
    O2 - BHO: Class - {9A977CCE-452A-DBC9-15F2-B633B92A8D4C} - C:\WINDOWS\SYSTEM\APPQR.DLL
    O2 - BHO: Class - {4DA8CAE4-8676-C0B7-802D-3BAD02EFF99E} - C:\WINDOWS\SYSTEM\ATLQR32.DLL
    O4 - HKLM\..\Run: [ATLOP32.EXE] C:\WINDOWS\SYSTEM\ATLOP32.EXE
    O4 - HKLM\..\RunServices: [SDKNF.EXE] C:\WINDOWS\SDKNF.EXE /s
    O4 - HKLM\..\RunServices: [ADDTD.EXE] C:\WINDOWS\SYSTEM\ADDTD.EXE /s
    O4 - HKLM\..\RunServices: [MFCPV.EXE] C:\WINDOWS\SYSTEM\MFCPV.EXE /s
    O4 - HKLM\..\RunServices: [MSDM32.EXE] C:\WINDOWS\MSDM32.EXE /s
    O4 - HKLM\..\RunServices: [ATLGS.EXE] C:\WINDOWS\ATLGS.EXE /s
    O4 - HKLM\..\RunServices: [D3FS32.EXE] C:\WINDOWS\D3FS32.EXE /s
    O4 - HKLM\..\RunServices: [D3HT32.EXE] C:\WINDOWS\SYSTEM\D3HT32.EXE /s
    O4 - HKLM\..\RunServices: [ADDSD32.EXE] C:\WINDOWS\ADDSD32.EXE /s
    O4 - HKLM\..\RunServices: [NETUQ32.EXE] C:\WINDOWS\NETUQ32.EXE /s
    O4 - HKLM\..\RunServices: [WINCC32.EXE] C:\WINDOWS\SYSTEM\WINCC32.EXE /s
    O4 - HKLM\..\RunServices: [NTYM.EXE] C:\WINDOWS\SYSTEM\NTYM.EXE /s
    O4 - HKLM\..\RunServices: [IPEX32.EXE] C:\WINDOWS\IPEX32.EXE /s
    O4 - HKLM\..\RunServices: [D3MX32.EXE] C:\WINDOWS\SYSTEM\D3MX32.EXE /s
    O4 - HKLM\..\RunServices: [WINBJ32.EXE] C:\WINDOWS\WINBJ32.EXE /s
    O4 - HKLM\..\RunServices: [D3WW.EXE] C:\WINDOWS\D3WW.EXE /s
    O4 - HKLM\..\RunServices: [APIZP.EXE] C:\WINDOWS\APIZP.EXE /s
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm



  • Next run CWShredder, making sure to click "Fix".


  • Double click AboutBuster.exe that you downloaded earlier. Click OK, click Start, then click OK. This will scan your computer for the bad files and delete them. Save the report(copy and paste into notepad or wordpad and save as a .txt file) and post a copy back here when you are done with all the steps.


  • Delete these files(do not be concerned if they don't exist):

    C:\WINDOWS\cltiw.dll
    C:\WINDOWS\SYSTEM\IPLP.DLL
    C:\WINDOWS\SYSTEM\APIZX32.DLL
    C:\WINDOWS\SYSTEM\APPQR.DLL
    C:\WINDOWS\SYSTEM\ATLQR32.DLL
    C:\WINDOWS\SYSTEM\ATLOP32.EXE
    C:\WINDOWS\SYSTEM\D3MX32.EXE
    C:\WINDOWS\SYSTEM\ADDTD.EXE
    C:\WINDOWS\SYSTEM\MFCPV.EXE
    C:\WINDOWS\SYSTEM\D3HT32.EXE
    C:\WINDOWS\SYSTEM\WINCC32.EXE
    C:\WINDOWS\SYSTEM\NTYM.EXE
    C:\WINDOWS\MSDM32.EXE
    C:\WINDOWS\ATLGS.EXE
    C:\WINDOWS\D3FS32.EXE
    C:\WINDOWS\ADDSD32.EXE
    C:\WINDOWS\NETUQ32.EXE
    C:\WINDOWS\IPEX32.EXE
    C:\WINDOWS\WINBJ32.EXE
    C:\WINDOWS\D3WW.EXE
    C:\WINDOWS\APIZP.EXE
    C:\WINDOWS\SDKNF.EXE


  • Finally run a full scan with Adaware.


  • Reboot your computer to go back to normal mode and post a new hijackthis log and the log from About Buster.
Let me know of any problems that you had.
  • 0

#6
RaptorGirl

RaptorGirl

    Member

  • Topic Starter
  • Member
  • PipPip
  • 13 posts
Hi Sam,
Thanks for the quick reply (and clear instructions)!

There were a few difficulties, however...

I wasn't able to run About Blaster. When I tried to run in, the window said "Streams (ADS) not scanned: System not NTFS". When I tried to close the window, a dialog box saying that the database was corrupt or missing popped up, and Windows Explorer was open. Should I just try downloading it again and giving it another shot?

I also was not able to delete either C:\WINDOWS\atlgs.exe or C:\WINDOWS\SYSTEM\WINCC32.exe. Although I was still in safe mode, dialog boxes popped up sayong that they could not be deleted because "the specified file is being used by Windows"

Other than that, everything seemed to go OK. CWShredder still didn't find anything, and AdAware found a bunch of stuff related to CoolWebSearch, Malware.Psguard, and SearchClinck.

HJT log is below, and thanks again for your help!!

Logfile of HijackThis v1.99.1
Scan saved at 11:26:37 PM, on 8/2/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCSETMGR.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\SYMTRAY.EXE
C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON ANTIVIRUS\IWP\NPFMNTOR.EXE
C:\WINDOWS\SYSTEM\WINCC32.EXE
C:\WINDOWS\ATLGS.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM32\DRIVERS\KODAKCCS.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\MSN APPS\UPDATER\01.03.0000.1005\EN-CA\MSNAPPAU.EXE
C:\PROGRAM FILES\3DFX INTERACTIVE\3DFX TOOLS\APPS\3DFXMAN.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCPD-LC\SYMLCSVC.EXE
C:\WINDOWS\RunDLL.exe
C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON CLEANSWEEP\CSINSM32.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\KODAK\KODAK EASYSHARE SOFTWARE\BIN\EASYSHARE.EXE
C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON CLEANSWEEP\Monwow.exe
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\SNDSRVC.EXE
C:\HIJACK THIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system\hzcug.dll/sp.html#93256
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system\hzcug.dll/sp.html#93256
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by AOL
R3 - Default URLSearchHook is missing
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\PROGRAM FILES\MSN APPS\MSN TOOLBAR\01.02.3000.1001\EN-US\MSNTB.DLL
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [KodakCCS] C:\WINDOWS\System32\Drivers\KodakCCS.exe
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [msnappau] "c:\program files\MSN Apps\Updater\01.03.0000.1005\en-ca\msnappau.exe"
O4 - HKLM\..\Run: [3dfx Tools] rundll32.exe 3dfxCmn.dll,CMNUpdateOnBoot
O4 - HKLM\..\Run: [3dfx Task Manager] "C:\Program Files\3dfx Interactive\3dfx Tools\Apps\3dfxMan.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec Core LC] C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe start
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [ccEvtMgr] "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
O4 - HKLM\..\RunServices: [ccSetMgr] "C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe"
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\SymTray.exe "Norton SystemWorks"
O4 - HKLM\..\RunServices: [NPFMonitor] C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
O4 - HKLM\..\RunServices: [WINCC32.EXE] C:\WINDOWS\SYSTEM\WINCC32.EXE /s
O4 - HKLM\..\RunServices: [ATLGS.EXE] C:\WINDOWS\ATLGS.EXE /s
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O4 - Startup: CleanSweep Smart Sweep-Internet Sweep.lnk = C:\Program Files\Norton SystemWorks\Norton CleanSweep\csinsm32.exe
O4 - Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - User Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - User Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O4 - User Startup: CleanSweep Smart Sweep-Internet Sweep.lnk = C:\Program Files\Norton SystemWorks\Norton CleanSweep\csinsm32.exe
O4 - User Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE10\EXCEL.EXE/3000
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {82F2D6B2-6C58-4404-A930-9DB0FD90D4B1} (Driver_Detective_v43_Non_Member.DD_v43) - http://www.drivershq..._Non_Member.CAB
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.s...rl/SymAData.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - https://www-secure.s...sa/LSSupCtl.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
  • 0

#7
RaptorGirl

RaptorGirl

    Member

  • Topic Starter
  • Member
  • PipPip
  • 13 posts
Oops :tazz: , I just noticed that a few of the files in msconfig that are supposed to open on start-up were not selected, so here's a new HJT log with them selected!

But my homepage does seem to be sticking! ;)

Thanks again!


Logfile of HijackThis v1.99.1
Scan saved at 11:18:14 AM, on 8/3/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCSETMGR.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\SYMTRAY.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON ANTIVIRUS\IWP\NPFMNTOR.EXE
C:\WINDOWS\SYSTEM\WINCC32.EXE
C:\WINDOWS\ATLGS.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM32\DRIVERS\KODAKCCS.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\MSN APPS\UPDATER\01.03.0000.1005\EN-CA\MSNAPPAU.EXE
C:\PROGRAM FILES\3DFX INTERACTIVE\3DFX TOOLS\APPS\3DFXMAN.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCPD-LC\SYMLCSVC.EXE
C:\WINDOWS\RunDLL.exe
C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON CLEANSWEEP\CSINSM32.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\KODAK\KODAK EASYSHARE SOFTWARE\BIN\EASYSHARE.EXE
C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON CLEANSWEEP\Monwow.exe
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\SNDSRVC.EXE
C:\HIJACK THIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system\hzcug.dll/sp.html#93256
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system\hzcug.dll/sp.html#93256
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by AOL
R3 - Default URLSearchHook is missing
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\PROGRAM FILES\MSN APPS\MSN TOOLBAR\01.02.3000.1001\EN-US\MSNTB.DLL
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [KodakCCS] C:\WINDOWS\System32\Drivers\KodakCCS.exe
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [msnappau] "c:\program files\MSN Apps\Updater\01.03.0000.1005\en-ca\msnappau.exe"
O4 - HKLM\..\Run: [3dfx Tools] rundll32.exe 3dfxCmn.dll,CMNUpdateOnBoot
O4 - HKLM\..\Run: [3dfx Task Manager] "C:\Program Files\3dfx Interactive\3dfx Tools\Apps\3dfxMan.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec Core LC] C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe start
O4 - HKLM\..\Run: [intel32.exe] C:\WINDOWS\SYSTEM\intel32.exe
O4 - HKLM\..\Run: [ATLOP32.EXE] C:\WINDOWS\SYSTEM\ATLOP32.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [ccEvtMgr] "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
O4 - HKLM\..\RunServices: [ccSetMgr] "C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe"
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\SymTray.exe "Norton SystemWorks"
O4 - HKLM\..\RunServices: [NPFMonitor] C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
O4 - HKLM\..\RunServices: [WINCC32.EXE] C:\WINDOWS\SYSTEM\WINCC32.EXE /s
O4 - HKLM\..\RunServices: [ATLGS.EXE] C:\WINDOWS\ATLGS.EXE /s
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O4 - Startup: CleanSweep Smart Sweep-Internet Sweep.lnk = C:\Program Files\Norton SystemWorks\Norton CleanSweep\csinsm32.exe
O4 - Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - User Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - User Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O4 - User Startup: CleanSweep Smart Sweep-Internet Sweep.lnk = C:\Program Files\Norton SystemWorks\Norton CleanSweep\csinsm32.exe
O4 - User Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE10\EXCEL.EXE/3000
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {82F2D6B2-6C58-4404-A930-9DB0FD90D4B1} (Driver_Detective_v43_Non_Member.DD_v43) - http://www.drivershq..._Non_Member.CAB
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.s...rl/SymAData.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - https://www-secure.s...sa/LSSupCtl.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
  • 0

#8
Buckeye_Sam

Buckeye_Sam

    Malware Expert

  • Member
  • PipPipPipPipPipPipPipPip
  • 10,019 posts
This infection can be tough to kill in Windows 98 because of the tools that are most effective at killing it won't run on 98. So this may take a few steps, but we will get rid of it for you. :tazz:


Download the Pocket Killbox.
Extract it to your desktop or someplace where you can easily find it again.


==========


Run Hijackthis again, click scan, and Put a checkmark next to each of these. Then close all other windows--you should only see HijackThis on your Desktop--and click the Fix Checked button.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system\hzcug.dll/sp.html#93256
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system\hzcug.dll/sp.html#93256
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [intel32.exe] C:\WINDOWS\SYSTEM\intel32.exe
O4 - HKLM\..\Run: [ATLOP32.EXE] C:\WINDOWS\SYSTEM\ATLOP32.EXE
O4 - HKLM\..\RunServices: [WINCC32.EXE] C:\WINDOWS\SYSTEM\WINCC32.EXE /s
O4 - HKLM\..\RunServices: [ATLGS.EXE] C:\WINDOWS\ATLGS.EXE /s



=========


Double-click on KillBox.exe to launch the program.
  • Highlight the lines below and press the Ctrl key and the C key at the same time to copy them to the clipboard:

    • C:\WINDOWS\system\hzcug.dll
      C:\WINDOWS\SYSTEM\intel32.exe
      C:\WINDOWS\SYSTEM\ATLOP32.EXE
      C:\WINDOWS\SYSTEM\WINCC32.EXE
      C:\WINDOWS\ATLGS.EXE

  • Now go to the Killbox application and click on the File menu and then the Paste from Clipboard menu item. In the Full Path of File to Delete box you should see the first file. If you dropdown that box you should see the rest of them. Make sure that they are all there.
  • Click on the Delete on Reboot option and then click on the red circle with a white 'X' in to to delete the files. Killbox will tell you that all listed files will be deleted on next reboot, click YES. When it asks if you would like to Reboot now, click YES. If you get a "PendingFileRenameOperations Registry Data has been Removed by External Process!" message then just restart manually.
Your system will reboot now.


==========


Please run this online virus scan.
Make sure it is set to clean automatically

Panda Virus Scan

There may be files that this scan will not remove. Please include that information in your next post.


Reboot and post a new hijackthis log and the info from your virus scan.
  • 0

#9
RaptorGirl

RaptorGirl

    Member

  • Topic Starter
  • Member
  • PipPip
  • 13 posts
Hi Sam,
Yeah, I have been informed several times that Win'98 is a huge drag because it isn't supported anymore, but apparently my crappy lil' computer will slow down even more if I try to update to XP ;) ... so I am more than willing to undergo a few extra steps to get rid of this [bleep] :tazz: .

There were no problems going through your steps, other than cutting and pasting into Killbox (I couldn't get more than 2 pasted in at once, but I managed to get all teh necessary files deleted anyways).

My HJ log:
C:\PROGRAM FILES\3DFX INTERACTIVE\3DFX TOOLS\APPS\3DFXMAN.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCPD-LC\SYMLCSVC.EXE
C:\WINDOWS\RunDLL.exe
C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON CLEANSWEEP\CSINSM32.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\KODAK\KODAK EASYSHARE SOFTWARE\BIN\EASYSHARE.EXE
C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON CLEANSWEEP\Monwow.exe
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\SNDSRVC.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\HIJACK THIS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by AOL
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\PROGRAM FILES\MSN APPS\MSN TOOLBAR\01.02.3000.1001\EN-US\MSNTB.DLL
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [KodakCCS] C:\WINDOWS\System32\Drivers\KodakCCS.exe
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [msnappau] "c:\program files\MSN Apps\Updater\01.03.0000.1005\en-ca\msnappau.exe"
O4 - HKLM\..\Run: [3dfx Tools] rundll32.exe 3dfxCmn.dll,CMNUpdateOnBoot
O4 - HKLM\..\Run: [3dfx Task Manager] "C:\Program Files\3dfx Interactive\3dfx Tools\Apps\3dfxMan.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec Core LC] C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe start
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [ccEvtMgr] "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
O4 - HKLM\..\RunServices: [ccSetMgr] "C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe"
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\SymTray.exe "Norton SystemWorks"
O4 - HKLM\..\RunServices: [NPFMonitor] C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O4 - Startup: CleanSweep Smart Sweep-Internet Sweep.lnk = C:\Program Files\Norton SystemWorks\Norton CleanSweep\csinsm32.exe
O4 - Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - User Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - User Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O4 - User Startup: CleanSweep Smart Sweep-Internet Sweep.lnk = C:\Program Files\Norton SystemWorks\Norton CleanSweep\csinsm32.exe
O4 - User Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE10\EXCEL.EXE/3000
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {82F2D6B2-6C58-4404-A930-9DB0FD90D4B1} (Driver_Detective_v43_Non_Member.DD_v43) - http://www.drivershq..._Non_Member.CAB
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.s...rl/SymAData.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - https://www-secure.s...sa/LSSupCtl.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab


And my Panda Activescan:
Incident Status Location

Adware:adware/startpage.bbc No disinfected C:\w.exe
Adware:adware/ncase No disinfected C:\WINDOWS\msbb.dll
Adware:Adware/Startpage.VY No disinfected C:\WINDOWS\SYSTEM\oxyaaaaa.exe
Adware:Adware/CWS.Flsmngr No disinfected C:\WINDOWS\SYSTEM\flsmngr.dll
Adware:Adware/Startpage.VY No disinfected C:\WINDOWS\iqigylf.exe
Adware:Adware/Startpage.VY No disinfected C:\WINDOWS\rlsgoub.exe
Adware:Adware/Startpage.VY No disinfected C:\WINDOWS\dieneed.exe

It looks a [bleep] of a lot cleaner than last time I ran it, at least!

Thanks again!
  • 0

#10
RaptorGirl

RaptorGirl

    Member

  • Topic Starter
  • Member
  • PipPip
  • 13 posts
Oh, and I am not near as profane as your censors would have you believe ... I guess it's a G-rated forum, so calling malware anything other than a meanie is unacceptable! :tazz:
  • 0

Advertisements


#11
Buckeye_Sam

Buckeye_Sam

    Malware Expert

  • Member
  • PipPipPipPipPipPipPipPip
  • 10,019 posts
:tazz: Yeah, I think the language settings are pretty strict here. I don't pay too much attention to it though. :)


You did a great job! ;)

There's just a few bad files left. Use Killbox to delete these files.

C:\w.exe
C:\WINDOWS\msbb.dll
C:\WINDOWS\SYSTEM\oxyaaaaa.exe
C:\WINDOWS\SYSTEM\flsmngr.dll
C:\WINDOWS\iqigylf.exe
C:\WINDOWS\rlsgoub.exe
C:\WINDOWS\dieneed.exe



Reboot and post a new hijackthis log. Let me know how things are running on your end. Any problems?
  • 0

#12
RaptorGirl

RaptorGirl

    Member

  • Topic Starter
  • Member
  • PipPip
  • 13 posts
Why thank you :tazz: !

My latest HJ log is below. I also ran an AdAware Scan (basic findings below as well), which unfortunately still found some CWS stuff. I don't know whether it is just remnants of the stuff I'm almost rid of, or whether it will pop up again after I reboot. Any insights? I will certainly run another scan when I reboot to see if it's still there. I will also run Spybot S & D tomorrow (sorry, I'm sleepy) to see if anything else pops up, and possibly Norton as well, as I've been kinda' neglecting my anti-virus scanning in the midst of all this!

But you did ask how things are running... most of the problems seem to have pretty much disappeared... my homepage is back to normal, no new bookmarks or unwanted popups, etc. My computer is still really slow and prone to freezing very easily, but I'm sure we'll talk clean-up when this is all over and done with (and it probably doesn't help that I have too many programs running at Start-up).

I also wanted to mention that I do have a second user profile that I wouldn't mind taking a look at when we're done with this one (which, by the sounds of it, will be soon ;) ). I'm sure some of it has already been cleaned up by what we've done already, but I was wondering whether it would be helpful for me to go through all the same steps with that profile before I post it's HJT log (e.g., run AdAware, S&D, PandaActiveScan, etc).

Thank you so much for your time!

Logfile of HijackThis v1.99.1
Scan saved at 12:57:17 AM, on 8/5/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCSETMGR.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\SYMTRAY.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON ANTIVIRUS\IWP\NPFMNTOR.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM32\DRIVERS\KODAKCCS.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\MSN APPS\UPDATER\01.03.0000.1005\EN-CA\MSNAPPAU.EXE
C:\PROGRAM FILES\3DFX INTERACTIVE\3DFX TOOLS\APPS\3DFXMAN.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCPD-LC\SYMLCSVC.EXE
C:\WINDOWS\RunDLL.exe
C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON CLEANSWEEP\CSINSM32.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\KODAK\KODAK EASYSHARE SOFTWARE\BIN\EASYSHARE.EXE
C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON CLEANSWEEP\Monwow.exe
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\SNDSRVC.EXE
C:\HIJACK THIS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by AOL
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\PROGRAM FILES\MSN APPS\MSN TOOLBAR\01.02.3000.1001\EN-US\MSNTB.DLL
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [KodakCCS] C:\WINDOWS\System32\Drivers\KodakCCS.exe
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [msnappau] "c:\program files\MSN Apps\Updater\01.03.0000.1005\en-ca\msnappau.exe"
O4 - HKLM\..\Run: [3dfx Tools] rundll32.exe 3dfxCmn.dll,CMNUpdateOnBoot
O4 - HKLM\..\Run: [3dfx Task Manager] "C:\Program Files\3dfx Interactive\3dfx Tools\Apps\3dfxMan.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec Core LC] C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe start
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [ccEvtMgr] "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
O4 - HKLM\..\RunServices: [ccSetMgr] "C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe"
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\SymTray.exe "Norton SystemWorks"
O4 - HKLM\..\RunServices: [NPFMonitor] C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O4 - Startup: CleanSweep Smart Sweep-Internet Sweep.lnk = C:\Program Files\Norton SystemWorks\Norton CleanSweep\csinsm32.exe
O4 - Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - User Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - User Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O4 - User Startup: CleanSweep Smart Sweep-Internet Sweep.lnk = C:\Program Files\Norton SystemWorks\Norton CleanSweep\csinsm32.exe
O4 - User Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE10\EXCEL.EXE/3000
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {82F2D6B2-6C58-4404-A930-9DB0FD90D4B1} (Driver_Detective_v43_Non_Member.DD_v43) - http://www.drivershq..._Non_Member.CAB
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.s...rl/SymAData.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - https://www-secure.s...sa/LSSupCtl.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab

AdAware Scan (just a bit of it!!)

References detected during the scan:

Alexa(TAC index:5):1 total references
CoolWebSearch(TAC index:10):4 total references
MRU List(TAC index:0):14 total references <---- I deleted all these from the parts pasted below


Started registry scan


CoolWebSearch Object Recognized!
Type : Regkey
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : clsid\{36fcc7fd-0e20-4292-a50a-0b761ae933ad}

Alexa Object Recognized!
Type : RegValue
Data :
TAC Rating : 5
Category : Data Miner
Comment : "{c95fe080-8f5d-11d2-a20b-00aa003c157a}"
Rootkey : HKEY_USERS
Object : norann\software\microsoft\internet explorer\extensions\cmdmapping
Value : {c95fe080-8f5d-11d2-a20b-00aa003c157a}

Registry Scan result:

New critical objects: 2
Objects found so far: 2


Started deep registry scan


Deep registry scan result:

New critical objects: 0
Objects found so far: 2




Started Tracking Cookie scan



Tracking cookie scan result:

New critical objects: 0
Objects found so far: 16



Deep scanning and examining files (C:)


Disk Scan Result for C:\

New critical objects: 0
Objects found so far: 16


Performing conditional scans...


CoolWebSearch Object Recognized!
Type : RegValue
Data :
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_CURRENT_USER
Object : software\microsoft\internet explorer\main
Value : Use Custom Search URL

CoolWebSearch Object Recognized!
Type : RegData
Data : no
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_CURRENT_USER
Object : software\microsoft\internet explorer\main
Value : Use Search Asst
Data : no

CoolWebSearch Object Recognized!
Type : RegData
Data : about:blank
TAC Rating : 10
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\internet explorer\main
Value : Start Page
Data : about:blank

Conditional scan result:

New critical objects: 3
Objects found so far: 19

1:23:29 AM Scan Complete

Summary Of This Scan

Total scanning time:00:24:13.110
Objects scanned:71685
Objects identified:5
Objects ignored:0
New critical objects:5
  • 0

#13
RaptorGirl

RaptorGirl

    Member

  • Topic Starter
  • Member
  • PipPip
  • 13 posts
Just me again....
Good news: Those files I spoke of last time appeared to just be leftovers, as they all disappeared after I rebooted and re-run AdAware.

I just finished running Spybot S&D and it found stuff related to:

Backweb Lite
CoolWWWSearch.HomeSearch
CoolWWWSearch.Svcinit

...which I am also hoping are leftovers that will disappeared next reboot (we'll wait and see... I'm running all these scans between errands, work, etc)

The only thing I am really worried about is Spybot found something related to the Klez worm (argh!!!! :tazz: ) which apparently decided to show up a couple of days ago... should my Norton take care of that?

Most recent HJT:
Logfile of HijackThis v1.99.1
Scan saved at 2:34:10 PM, on 8/5/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCSETMGR.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\SYMTRAY.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON ANTIVIRUS\IWP\NPFMNTOR.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM32\DRIVERS\KODAKCCS.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\MSN APPS\UPDATER\01.03.0000.1005\EN-CA\MSNAPPAU.EXE
C:\PROGRAM FILES\3DFX INTERACTIVE\3DFX TOOLS\APPS\3DFXMAN.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCPD-LC\SYMLCSVC.EXE
C:\WINDOWS\RunDLL.exe
C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON CLEANSWEEP\CSINSM32.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\KODAK\KODAK EASYSHARE SOFTWARE\BIN\EASYSHARE.EXE
C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON CLEANSWEEP\Monwow.exe
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\SNDSRVC.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\MOZILLA FIREFOX\FIREFOX.EXE
C:\HIJACK THIS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by AOL
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\PROGRAM FILES\MSN APPS\MSN TOOLBAR\01.02.3000.1001\EN-US\MSNTB.DLL
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [KodakCCS] C:\WINDOWS\System32\Drivers\KodakCCS.exe
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [msnappau] "c:\program files\MSN Apps\Updater\01.03.0000.1005\en-ca\msnappau.exe"
O4 - HKLM\..\Run: [3dfx Tools] rundll32.exe 3dfxCmn.dll,CMNUpdateOnBoot
O4 - HKLM\..\Run: [3dfx Task Manager] "C:\Program Files\3dfx Interactive\3dfx Tools\Apps\3dfxMan.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec Core LC] C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe start
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [ccEvtMgr] "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
O4 - HKLM\..\RunServices: [ccSetMgr] "C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe"
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\SymTray.exe "Norton SystemWorks"
O4 - HKLM\..\RunServices: [NPFMonitor] C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Startup: CleanSweep Smart Sweep-Internet Sweep.lnk = C:\Program Files\Norton SystemWorks\Norton CleanSweep\csinsm32.exe
O4 - Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - User Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - User Startup: CleanSweep Smart Sweep-Internet Sweep.lnk = C:\Program Files\Norton SystemWorks\Norton CleanSweep\csinsm32.exe
O4 - User Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE10\EXCEL.EXE/3000
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {82F2D6B2-6C58-4404-A930-9DB0FD90D4B1} (Driver_Detective_v43_Non_Member.DD_v43) - http://www.drivershq..._Non_Member.CAB
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.s...rl/SymAData.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - https://www-secure.s...sa/LSSupCtl.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab

Anyways, I will post again when I see whether S&D appears clean next reboot, and after I run my Norton to try and get rid of my @#!$#% worm...

Thanks again!
  • 0

#14
Buckeye_Sam

Buckeye_Sam

    Malware Expert

  • Member
  • PipPipPipPipPipPipPipPip
  • 10,019 posts
Your log looks clean of malware.

Spybot should take care of those registry entries for you.
You can run Norton, but I would also run the Panda online scan again.

Post the log from Panda and let me know how things are going.
  • 0

#15
RaptorGirl

RaptorGirl

    Member

  • Topic Starter
  • Member
  • PipPip
  • 13 posts
Hi Sam,
My Norton scan turned up a few files infected with Trojan.Desktophijack.B, which were supposedly fixed. Were those just remnants of my infection? It also turned up some Adware stuff called both Iefeats and CWSIEFeats, which I deleted.

As for the PandaScan, the log is below:

Incident Status Location

Adware:adware/navipromo No disinfected C:\WINDOWS\SYSTEM\sdknk32.exe
Virus:Trj/Agent.AEL Disinfected C:\WINDOWS\SYSTEM\atllo.exe

I deleted the adware file using Killbox, hope that's OK.

Also, the latest HJ log:
Logfile of HijackThis v1.99.1
Scan saved at 11:55:28 PM, on 8/5/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCSETMGR.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\SYMTRAY.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON ANTIVIRUS\IWP\NPFMNTOR.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM32\DRIVERS\KODAKCCS.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\MSN APPS\UPDATER\01.03.0000.1005\EN-CA\MSNAPPAU.EXE
C:\PROGRAM FILES\3DFX INTERACTIVE\3DFX TOOLS\APPS\3DFXMAN.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCPD-LC\SYMLCSVC.EXE
C:\WINDOWS\RunDLL.exe
C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON CLEANSWEEP\CSINSM32.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\KODAK\KODAK EASYSHARE SOFTWARE\BIN\EASYSHARE.EXE
C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON CLEANSWEEP\Monwow.exe
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\SNDSRVC.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\MOZILLA FIREFOX\FIREFOX.EXE
C:\HIJACK THIS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by AOL
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\PROGRAM FILES\MSN APPS\MSN TOOLBAR\01.02.3000.1001\EN-US\MSNTB.DLL
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [KodakCCS] C:\WINDOWS\System32\Drivers\KodakCCS.exe
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [msnappau] "c:\program files\MSN Apps\Updater\01.03.0000.1005\en-ca\msnappau.exe"
O4 - HKLM\..\Run: [3dfx Tools] rundll32.exe 3dfxCmn.dll,CMNUpdateOnBoot
O4 - HKLM\..\Run: [3dfx Task Manager] "C:\Program Files\3dfx Interactive\3dfx Tools\Apps\3dfxMan.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec Core LC] C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe start
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [ccEvtMgr] "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
O4 - HKLM\..\RunServices: [ccSetMgr] "C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe"
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\SymTray.exe "Norton SystemWorks"
O4 - HKLM\..\RunServices: [NPFMonitor] C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Startup: CleanSweep Smart Sweep-Internet Sweep.lnk = C:\Program Files\Norton SystemWorks\Norton CleanSweep\csinsm32.exe
O4 - Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - User Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - User Startup: CleanSweep Smart Sweep-Internet Sweep.lnk = C:\Program Files\Norton SystemWorks\Norton CleanSweep\csinsm32.exe
O4 - User Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE10\EXCEL.EXE/3000
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {82F2D6B2-6C58-4404-A930-9DB0FD90D4B1} (Driver_Detective_v43_Non_Member.DD_v43) - http://www.drivershq..._Non_Member.CAB
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.s...rl/SymAData.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - https://www-secure.s...sa/LSSupCtl.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab

If you think everything looks clean, I will do one last scan after my next reboot, and then leave it all alone.

But I still have the other user profile to check, which is probably at least partially clean from the work I did in safe mode... would you like me to run all the regular stuff, eg. S&D, AdAware, Panda, etc, on that profile before I post a HJT log for that profile?

Thank you so much once again!
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP