Spysheriff on W98 [CLOSED] - Geeks to Go Forums


Spysheriff on W98 [CLOSED]

#1 blabbaboo

  • Group: Member
  • Posts: 20
  • Joined: 11-May 05

Posted 06 August 2005 - 02:24 PM

Hi, can't run Ewido on w98, ran Spybot, Adaware, CW Shredder, Counterspy, etc. Spysheriff won't go away, all instructions I've found are for XP. Any help appreciated, hjt log follows. Thanks!

Logfile of HijackThis v1.99.1
Scan saved at 3:40:54 PM, on 8/6/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v5.00 (5.00.2614.3500)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\KERNELS32.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\VXH8JKDQ2.EXE
C:\WINDOWS\SYSTEM\VXH8JKDQ6.EXE
C:\WINDOWS\SYSTEM\VXH8JKDQ7.EXE
C:\WINDOWS\SVCHOST.EXE
C:\WINDOWS\STARTER.EXE
C:\WINDOWS\GWHOTKEY.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
C:\WINDOWS\SYSTEM\SVCHOST.EXE
C:\WINDOWS\SVCHOST.EXE
C:\WINDOWS\RunDLL.exe
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.yahoo.com.../gw/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.yahoo.com.../gw/search.html
F1 - win.ini: run=hpfsched
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\SPYBOT\SPYBOT~5\SDHELPER.DLL
O2 - BHO: Loader Class - {2E246FAE-8420-11D9-870D-000C2917DE7F} - C:\WINDOWS\SYSTEM\Loader.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [ATIGART] c:\ati\gart\atigart.exe
O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
O4 - HKLM\..\Run: [Multi-function Keyboard] GWHotKey.exe
O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET
O4 - HKLM\..\Run: [WindowsUpdate] C:\WINDOWS\SYSTEM\SVCHOST.EXE /s
O4 - HKLM\..\Run: [System] C:\WINDOWS\SYSTEM\kernels32.exe
O4 - HKLM\..\Run: [Auto Update] C:\WINDOWS\svchost.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [Shell] Explorer.exe C:\WINDOWS\SYSTEM\kernels32.exe
O4 - HKLM\..\RunServices: [SystemTools] C:\WINDOWS\SYSTEM\kernels32.exe
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - HKCU\..\Run: [SNInstall] C:\WINDOWS\SYSTEM\VXH8JKDQ2.EXE
O4 - HKCU\..\Run: [SpySheriff] C:\PROGRAM FILES\SPYSHERIFF\SpySheriff.exe
O4 - HKCU\..\RunServices: [aupd] C:\WINDOWS\SYSTEM\symcsvc.exe
O14 - IERESET.INF: START_PAGE_URL=www.gateway.com
O15 - Trusted IP range: 67.19.178.84
O15 - Trusted IP range: 67.19.178.84 (HKLM)
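A small triage script for HijackThis logs in the shape of the one above, added here as an example (it is not part of this thread or of HijackThis): it parses O4 and O15 lines and flags the same patterns the reply below singles out. Assumptions: Windows 9x ships no svchost.exe (an NT-family binary), an executable appended to the RunServices Shell entry or sitting in the drive root deserves a second look, and any Trusted IP range entry merits review; the sample log is constructed from lines in this thread.

```python
import re

# Constructed sample in the shape of the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
Platform: Windows 98 SE (Win9x 4.10.2222A)
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [WindowsUpdate] C:\WINDOWS\SYSTEM\SVCHOST.EXE /s
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [Shell] Explorer.exe C:\WINDOWS\SYSTEM\kernels32.exe
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O15 - Trusted IP range: 67.19.178.84
"""

# O4: autostart entry  ->  hive, registry key (Run/RunServices), value name, command line
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
# O15: Trusted Zone / Trusted IP range entry
O15_RE = re.compile(r"^O15 - Trusted (?:IP range|Zone): (?P<target>\S+)")
# Any drive-letter path ending in .exe (tolerates spaces, as in C:\PROGRAM FILES\...)
EXE_RE = re.compile(r"[A-Za-z]:\\.*?\.exe", re.I)


def audit(log_text):
    """Return a list of (rule, detail) findings for entries worth a second look."""
    lines = [l.strip() for l in log_text.splitlines() if l.strip()]
    # Assumption: the Platform line identifies a Win9x system; svchost.exe is not native there.
    win9x = any(l.startswith("Platform:") and "Win9x" in l for l in lines)
    findings = []
    for line in lines:
        m = O15_RE.match(line)
        if m:
            findings.append(("trusted-zone", m.group("target")))
            continue
        m = O4_RE.match(line)
        if not m:
            continue
        name, cmd = m.group("name"), m.group("cmd")
        paths = [p.lower() for p in EXE_RE.findall(cmd)]
        if win9x and any(p.endswith("\\svchost.exe") for p in paths):
            findings.append(("svchost-on-win9x", cmd))
        # Legitimate Shell= is just Explorer.exe; an appended full path is a hijack pattern.
        if m.group("key") == "RunServices" and name.lower() == "shell" and paths:
            findings.append(("shell-hijack", cmd))
        # An autostart executable directly in the drive root (C:\something.exe).
        if any(re.fullmatch(r"[a-z]:\\[^\\]+", p) for p in paths):
            findings.append(("drive-root-exe", cmd))
    return findings


if __name__ == "__main__":
    for rule, detail in audit(SAMPLE_LOG):
        print(f"{rule:18} {detail}")
```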

#2 greyknight17

  • Group: Visiting Consultant
  • Posts: 16,560
  • Joined: 24-April 05

Posted 06 August 2005 - 02:57 PM

Download smitRem at http://noahdfear.geekstogo.com/click%20cou.../click.php?id=1 and save the file to your desktop.

If you have not already installed Ad-Aware SE 1.06, follow the download and setup instructions at http://rstones12.gee...areSE_setup.htm. Otherwise, check for updates. Don't run it yet!

Right click on this link http://www.greyknigh...lO15Domains.inf and choose Save As. Save it to your desktop. Right click on that file and choose Install. It will run immediately (you won't be able to see anything happen). You may delete it afterwards.

Restart your computer and boot into Safe Mode by hitting the F8 key repeatedly until a menu shows up (and choose Safe Mode from the list). In some systems, this may be the F5 key, so try that if F8 doesn't work.

Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any):

O2 - BHO: Loader Class - {2E246FAE-8420-11D9-870D-000C2917DE7F} - C:\WINDOWS\SYSTEM\Loader.dll
O4 - HKLM\..\Run: [WindowsUpdate] C:\WINDOWS\SYSTEM\SVCHOST.EXE /s
O4 - HKLM\..\Run: [System] C:\WINDOWS\SYSTEM\kernels32.exe
O4 - HKLM\..\Run: [Auto Update] C:\WINDOWS\svchost.exe
O4 - HKLM\..\RunServices: [Shell] Explorer.exe C:\WINDOWS\SYSTEM\kernels32.exe
O4 - HKLM\..\RunServices: [SystemTools] C:\WINDOWS\SYSTEM\kernels32.exe
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - HKCU\..\Run: [SNInstall] C:\WINDOWS\SYSTEM\VXH8JKDQ2.EXE
O4 - HKCU\..\Run: [SpySheriff] C:\PROGRAM FILES\SPYSHERIFF\SpySheriff.exe
O4 - HKCU\..\RunServices: [aupd] C:\WINDOWS\SYSTEM\symcsvc.exe
O15 - Trusted IP range: 67.19.178.84
O15 - Trusted IP range: 67.19.178.84 (HKLM)
Run the smitRem.exe tool you downloaded earlier. Follow the prompts on the screen. Wait for the tool to complete and disk cleanup to finish.

Delete these if found:

C:\WINDOWS\SYSTEM\Loader.dll
C:\WINDOWS\SYSTEM\kernels32.exe
C:\WINDOWS\svchost.exe - careful on this one, ONLY delete it in the WINDOWS folder and nowhere else
C:\winstall.exe
C:\WINDOWS\SYSTEM\VXH8JKDQ2.EXE
C:\PROGRAM FILES\SPYSHERIFF\
C:\WINDOWS\SYSTEM\symcsvc.exe
Go to Start->Run and type in notepad and hit OK. Then copy and paste the following into Notepad:

copy c:\windows\system\wininet.dll c:\windows\desktop
del copy.bat


Save the file as "copy.bat". Make sure to save it with the quotes. Double click on it.

Reboot. Scan the desktop folder with eTrust Web Scanner. When done, make sure the box is checked for wininet.dll and click cure.

Go to Start->Run and type in notepad and hit OK. Then copy and paste the following into Notepad:

del c:\windows\system\wininet.dll
del c:\windows\system\oleadm.dll
del c:\windows\system\oleext.dll
copy c:\windows\desktop\wininet.dll c:\windows\system
del delete.bat
Save the file as "delete.bat". Make sure to save it with the quotes. Double click on it.
The tool will create a log named smitfiles.txt in the root of your drive, eg: Local Disk C: or partition where your operating system is installed. Please post that log along with all others requested in your next reply.

Open Ad-aware and do a full scan. Remove all it finds.

Next go to Control Panel->Display->Desktop->Customize Desktop->Web-> Uncheck 'Security Info' if present.

Reboot back into Windows and go to http://www.pandasoftware.com/activescan/co...n_principal.htm to do a full system scan. Make sure the autoclean box is checked. Save the scan log and post it along with a new HijackThis log, the contents of the smitfiles.txt log and the Ewido log.

Upload this file (C:\WINDOWS\SYSTEM\SVCHOST.EXE - see if you have more than one by any chance) to http://virusscan.jotti.org and report back what it found.

#3 blabbaboo

  • Group: Member
  • Posts: 20
  • Joined: 11-May 05

Posted 06 August 2005 - 09:56 PM

greyknight17, thanks very much, the pc is clean! As I said, I can't run Ewido on W98, but the spysheriff is completely gone, Spybot, Adaware, Counterspy, Trojan Hunter all say negative infection. I really appreciate your help.

#4 greyknight17

  • Group: Visiting Consultant
  • Posts: 16,560
  • Joined: 24-April 05

Posted 07 August 2005 - 06:45 PM

Did you do any fixing after you posted your log? According to your log, you are heavily infected.

Yes, I took Ewido out, but I guess that last sentence still asks for the Ewido log :tazz: I forgot to edit that out also.

Can you at least give me a new HijackThis log to review one more time just to make sure? I don't like leaving users like this even though it seems like they are clean.

#5 greyknight17

  • Group: Visiting Consultant
  • Posts: 16,560
  • Joined: 24-April 05

Posted 26 August 2005 - 08:12 PM

Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.
