I've read, printed, and followed many directions on this site to try and clean it up (Many thanks to all who have posted such useful information).
It had approximately 30 viruses on it and about 50 pieces of spyware/malware on it, including the dreaded Spy Sheriff.
I downloaded cwshredder, ad-aware, AVG anti-virus, spybot search and destroy, the Smit something scrubber (forgot the name of it), the CoolWeb mini scrubber, and quite a few more of the tools. I have also installed all critical updates from Microsoft (all 22 of them!).
With a lot of watching, working, and rebooting, I managed to find a few of the problem files packed up in the startup files. Mainly KERNEL32.exe, and a couple of others. I have deleted them all, disabled them from being called on startup, and they seem to have gone away, for the most part.
I do, however, have a few lingering effects. 60% of the time when I click on "Windows Explorer", the system locks up. You can move the mouse, but it won't do anything, and the "start" button is stuck in down position. Only way to get it working is to power off.
I have a feeling I have disabled something in the msconfig side of things that might be needed, but I don't know what.
I'm also running the free firewall from sybase (I think).
Upon cleaning the system up for nearly 7 hours over 2 days time, my next to the last virus scan picked up a bunch of trojan downloaders again, all parked in the \windows\temp\ files. I healed them, and ran it again and they didn't appear. However, I have faith something will return, as it has been constantly since I have been working on this.
The latest hijack log is :
Logfile of HijackThis v1.99.1
Scan saved at 2:33:45 PM, on 8/11/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\EXPLORER.EXE
C:\MY DOCUMENTS\HIJACKTHIS.EXE
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nbc12.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Verizon Online
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;<local>
F1 - win.ini: run=hpfsched
O2 - BHO: Verizon Broadband Toolbar - {4E7BD74F-2B8D-469E-D0FC-E57AF4D5FA7D} - C:\PROGRA~1\COMMON~1\VERIZO~1\SFP\VZBB.DLL
O2 - BHO: (no name) - {89C528BF-CB08-ADD4-7801-CF891A576B97} - C:\WINDOWS\SYSTEM\VMEBKOA.DLL
O2 - BHO: BHOmodObj Class - {7F6828CA-9E42-462C-BC60-418C8144012C} - C:\WINDOWS\SYSTEM\BHOMOD.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: Verizon Broadband Toolbar - {4E7BD74F-2B8D-469E-D0FC-E57AF4D5FA7D} - C:\PROGRA~1\COMMON~1\VERIZO~1\SFP\VZBB.DLL
O3 - Toolbar: (no name) - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [POINTER] C:\PROGRA~1\MSHARD~1\point32.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [AttuneDiscovery] C:\PROGRA~1\AVEO\ATTUNE\Bin\Attune_di.exe
O4 - HKLM\..\Run: [AttuneSysTray] C:\PROGRA~1\AVEO\ATTUNE\Bin\Attune_st.exe
O4 - HKLM\..\Run: [AttuneContentUpdater] C:\PROGRA~1\AVEO\ATTUNE\Bin\Attune_cu.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\VERIZO~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\Run: [MRUList] a
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\SYGATE\SPF\SMC.EXE -startgui
O4 - HKLM\..\Run: [CriticalUpdate] c:\windows\SYSTEM\wucrtupd.exe -startup
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SmcService] C:\PROGRAM FILES\SYGATE\SPF\SMC.EXE
O4 - Startup: QuickShelf 2000.lnk = C:\Program Files\Microsoft Reference\Bookshelf 2000\qshelf2k.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: Verizon Online Support Center.lnk = C:\Program Files\Verizon Online\bin\matcli.exe
O15 - Trusted IP range: 67.19.178.84
O21 - SSODL: OLE Module - {0656A137-B161-CADD-9777-E37A75727E78} - (no file)
And the ad-aware log that's a tiny bit outdated (maybe 1 hour before finishing up my work) is :
COOLWEBSEARCH
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
obj[0]=Regkey : typelib\{110fa82f-db6c-3c24-8929-60961d10c56e}
obj[30]=Regkey : interface\{9d573d0e-663c-435f-bf31-2c4497373c41}
obj[31]=RegValue : software\microsoft\windows\currentversion\policies\system "Wallpaper"
obj[32]=RegValue : software\microsoft\internet explorer\main "Search Bar"
obj[33]=RegValue : software\microsoft\windows\currentversion\internet settings\zonemap\ranges\range1 ":Range"
obj[34]=File : C:\WINDOWS\wplog.txt
obj[35]=File : C:\WINDOWS\desktop.html
OTHER
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
obj[1]=Regkey : .DEFAULT\software\aveo
obj[11]=Regkey : software\aveo
ALEXA
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
obj[2]=Regkey : software\microsoft\internet explorer\extensions\{c95fe080-8f5d-11d2-a20b-00aa003c157a}
obj[3]=RegValue : software\microsoft\internet explorer\extensions\{c95fe080-8f5d-11d2-a20b-00aa003c157a} "MenuStatusBar"
obj[4]=RegValue : software\microsoft\internet explorer\extensions\{c95fe080-8f5d-11d2-a20b-00aa003c157a} "Script"
obj[5]=RegValue : software\microsoft\internet explorer\extensions\{c95fe080-8f5d-11d2-a20b-00aa003c157a} "clsid"
obj[6]=RegValue : software\microsoft\internet explorer\extensions\{c95fe080-8f5d-11d2-a20b-00aa003c157a} "Icon"
obj[7]=RegValue : software\microsoft\internet explorer\extensions\{c95fe080-8f5d-11d2-a20b-00aa003c157a} "HotIcon"
obj[8]=RegValue : software\microsoft\internet explorer\extensions\{c95fe080-8f5d-11d2-a20b-00aa003c157a} "ButtonText"
obj[12]=RegValue : .DEFAULT\software\microsoft\internet explorer\extensions\cmdmapping "{c95fe080-8f5d-11d2-a20b-00aa003c157a}"
CLICKSPRING
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
obj[9]=Regkey : software\clickspring
obj[10]=RegValue : software\clickspring "PID"
obj[36]=File : C:\WINDOWS\SYSTEM\wnsintsv.exe
obj[37]=File : C:\WINDOWS\downloaded program files\MediaTicketsInstaller.ocx
obj[38]=File : C:\WINDOWS\downloaded program files\MediaTicketsInstaller.INF
WINDOWS
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
obj[13]=RegData : .DEFAULT\software\microsoft\windows\currentversion\policies\explorer "NoBandCustomize"
obj[14]=RegData : .DEFAULT\software\microsoft\windows\currentversion\policies\system "DisableTaskMgr"
obj[15]=RegData : software\microsoft\windows nt\currentversion\winlogon "Shell"
TRACKING COOKIE
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
obj[16]=IECache Entry : Cookie:[email protected]/
obj[17]=IECache Entry : Cookie:[email protected]/
obj[18]=IECache Entry : Cookie:[email protected]/
obj[19]=IECache Entry : Cookie:[email protected]/dcsgcxwngpifwznfzlmv83o6w_5w4m
obj[20]=IECache Entry : Cookie:[email protected]/
obj[21]=IECache Entry : Cookie:[email protected]/
obj[22]=IECache Entry : Cookie:[email protected]/
obj[23]=IECache Entry : c:\WINDOWS\Cookies\default@2o7[2].txt
obj[24]=IECache Entry : c:\WINDOWS\Cookies\default@doubleclick[1].txt
obj[25]=IECache Entry : c:\WINDOWS\Cookies\default@trafficmp[2].txt
obj[26]=IECache Entry : c:\WINDOWS\Cookies\[email protected][1].txt
obj[27]=IECache Entry : c:\WINDOWS\Cookies\default@mediaplex[1].txt
obj[28]=IECache Entry : c:\WINDOWS\Cookies\default@dcsgcxwngpifwznfzlmv83o6w_5w4m[1].txt
obj[29]=IECache Entry : c:\WINDOWS\Cookies\[email protected][2].txt
I used the cleaning functions of ad-aware to hopefully get rid of them. I had to leave, so I'm not near the computer, so I can't get a clean, up to date ad-aware log.
The computer, overall, seems to be functioning at normal. I have a feeling I have a few minor things to clean up. Anyone see anything in the hjt file that might be in need of removal?
Many thanks in advance, your help has already helped me get from a computer that would barely run to a computer that runs almost perfect.
Edited by onceagain, 11 August 2005 - 01:29 PM.