Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

Spyware on Win 98

Started by onceagain , Aug 11 2005 01:27 PM

  • Please log in to reply

#1
onceagain
Posted 11 August 2005 - 01:27 PM

onceagain

    New Member

  • Member
  • Pip
  • 2 posts
I've been battling a PC running Windows 98 SP2 for a little while now. Prior to 10 days ago, this computer had never been connected to the internet. Now, 10 days later, it's full of stuff.

I've read, printed, and followed many directions on this site to try and clean it up (Many thanks to all who have posted such useful information).

It had approximately 30 virus' on it and about 50 pieces of spyware/malware on it, including the dreaded Spy Sheriff.

I downloaded cwshredder, ad-aware, AVG anti-virus, spybot search and destroy, the Smit something scrubber (forgot the name of it), the CoolWeb mini scrubber, and quite a few more of the tools. I have also installed all critical updates from Microsoft (all 22 of them!).

With a lot of watching, working, and rebooting, I managed to find a few of the problem files packed up in the startup files. Mainly KERNEL32.exe, and a couple of others. I have deleted them all, disabled them from being called on startup, and they seem to have gone away, for the most part.

I do, however, have a few lingering effects. 60% of the time when I click on "Windows Explorer", the system locks up. You can move the mouse, but it won't do anything, and the "start" button is stuck in down position. Only way to get it working is to power off.

I have a feeling I have disabled something in the msconfig side of things that might be needed, but I don't know what.

I'm also running the free firewall from sybase (I think).

Upon cleaning the system up for nearly 7 hours over 2 days time, my next to the last virus scan picked up a bunch of trojan downloaders again, all parked in the \windows\temp\ files. I healed them, and ran it again and they didn't appear. However, I have faith something will return, as it has been constantly since I have been working on this.

The latest hijack log is :

Logfile of HijackThis v1.99.1
Scan saved at 2:33:45 PM, on 8/11/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\EXPLORER.EXE
C:\MY DOCUMENTS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nbc12.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft
Internet Explorer provided by Verizon Online
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet
Settings,ProxyOverride = 127.0.0.1;<local>
F1 - win.ini: run=hpfsched
O2 - BHO: Verizon Broadband Toolbar - {4E7BD74F-2B8D-469E-D0FC-E57AF4D5FA7D} -
C:\PROGRA~1\COMMON~1\VERIZO~1\SFP\VZBB.DLL
O2 - BHO: (no name) - {89C528BF-CB08-ADD4-7801-CF891A576B97} -
C:\WINDOWS\SYSTEM\VMEBKOA.DLL
O2 - BHO: BHOmodObj Class - {7F6828CA-9E42-462C-BC60-418C8144012C} -
C:\WINDOWS\SYSTEM\BHOMOD.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program
Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: Verizon Broadband Toolbar - {4E7BD74F-2B8D-469E-D0FC-E57AF4D5FA7D}
- C:\PROGRA~1\COMMON~1\VERIZO~1\SFP\VZBB.DLL
O3 - Toolbar: (no name) - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} -
C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [POINTER] C:\PROGRA~1\MSHARD~1\point32.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe
powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [AttuneDiscovery] C:\PROGRA~1\AVEO\ATTUNE\Bin\Attune_di.exe
O4 - HKLM\..\Run: [AttuneSysTray] C:\PROGRA~1\AVEO\ATTUNE\Bin\Attune_st.exe
O4 - HKLM\..\Run: [AttuneContentUpdater]
C:\PROGRA~1\AVEO\ATTUNE\Bin\Attune_cu.exe
O4 - HKLM\..\Run: [Motive SmartBridge]
C:\PROGRA~1\VERIZO~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\Run: [MRUList] a
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\SYGATE\SPF\SMC.EXE -startgui
O4 - HKLM\..\Run: [CriticalUpdate] c:\windows\SYSTEM\wucrtupd.exe -startup
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe
powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SmcService] C:\PROGRAM FILES\SYGATE\SPF\SMC.EXE
O4 - Startup: QuickShelf 2000.lnk = C:\Program Files\Microsoft
Reference\Bookshelf 2000\qshelf2k.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft
Office\Office\OSA9.EXE
O4 - Startup: Verizon Online Support Center.lnk = C:\Program Files\Verizon
Online\bin\matcli.exe
O15 - Trusted IP range: 67.19.178.84
O21 - SSODL: OLE Module - {0656A137-B161-CADD-9777-E37A75727E78} - (no file)


And the ad-aware log that's a tiny bit outdated (maybe 1 hour before finishing up my work) is :

COOLWEBSEARCH
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
obj[0]=Regkey : typelib\{110fa82f-db6c-3c24-8929-60961d10c56e}
obj[30]=Regkey : interface\{9d573d0e-663c-435f-bf31-2c4497373c41}
obj[31]=RegValue : software\microsoft\windows\currentversion\policies\system
"Wallpaper"
obj[32]=RegValue : software\microsoft\internet explorer\main "Search Bar"
obj[33]=RegValue : software\microsoft\windows\currentversion\internet
settings\zonemap\ranges\range1 ":Range"
obj[34]=File : C:\WINDOWS\wplog.txt
obj[35]=File : C:\WINDOWS\desktop.html

OTHER
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
obj[1]=Regkey : .DEFAULT\software\aveo
obj[11]=Regkey : software\aveo

ALEXA
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
obj[2]=Regkey : software\microsoft\internet
explorer\extensions\{c95fe080-8f5d-11d2-a20b-00aa003c157a}
obj[3]=RegValue : software\microsoft\internet
explorer\extensions\{c95fe080-8f5d-11d2-a20b-00aa003c157a} "MenuStatusBar"
obj[4]=RegValue : software\microsoft\internet
explorer\extensions\{c95fe080-8f5d-11d2-a20b-00aa003c157a} "Script"
obj[5]=RegValue : software\microsoft\internet
explorer\extensions\{c95fe080-8f5d-11d2-a20b-00aa003c157a} "clsid"
obj[6]=RegValue : software\microsoft\internet
explorer\extensions\{c95fe080-8f5d-11d2-a20b-00aa003c157a} "Icon"
obj[7]=RegValue : software\microsoft\internet
explorer\extensions\{c95fe080-8f5d-11d2-a20b-00aa003c157a} "HotIcon"
obj[8]=RegValue : software\microsoft\internet
explorer\extensions\{c95fe080-8f5d-11d2-a20b-00aa003c157a} "ButtonText"
obj[12]=RegValue : .DEFAULT\software\microsoft\internet
explorer\extensions\cmdmapping "{c95fe080-8f5d-11d2-a20b-00aa003c157a}"

CLICKSPRING
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
obj[9]=Regkey : software\clickspring
obj[10]=RegValue : software\clickspring "PID"
obj[36]=File : C:\WINDOWS\SYSTEM\wnsintsv.exe
obj[37]=File : C:\WINDOWS\downloaded program files\MediaTicketsInstaller.ocx
obj[38]=File : C:\WINDOWS\downloaded program files\MediaTicketsInstaller.INF

WINDOWS
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
obj[13]=RegData :
.DEFAULT\software\microsoft\windows\currentversion\policies\explorer
"NoBandCustomize"
obj[14]=RegData :
.DEFAULT\software\microsoft\windows\currentversion\policies\system
"DisableTaskMgr"
obj[15]=RegData : software\microsoft\windows nt\currentversion\winlogon "Shell"

TRACKING COOKIE
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
obj[16]=IECache Entry : Cookie:[email protected]/
obj[17]=IECache Entry : Cookie:[email protected]/
obj[18]=IECache Entry : Cookie:[email protected]/
obj[19]=IECache Entry :
Cookie:[email protected]/dcsgcxwngpifwznfzlmv83o6w_5w4m
obj[20]=IECache Entry : Cookie:[email protected]/
obj[21]=IECache Entry : Cookie:[email protected]/
obj[22]=IECache Entry : Cookie:[email protected]/
obj[23]=IECache Entry : c:\WINDOWS\Cookies\default@2o7[2].txt
obj[24]=IECache Entry : c:\WINDOWS\Cookies\default@doubleclick[1].txt
obj[25]=IECache Entry : c:\WINDOWS\Cookies\default@trafficmp[2].txt
obj[26]=IECache Entry : c:\WINDOWS\Cookies\[email protected][1].txt
obj[27]=IECache Entry : c:\WINDOWS\Cookies\default@mediaplex[1].txt
obj[28]=IECache Entry :
c:\WINDOWS\Cookies\default@dcsgcxwngpifwznfzlmv83o6w_5w4m[1].txt
obj[29]=IECache Entry : c:\WINDOWS\Cookies\[email protected][2].txt

I used the cleaning functions of ad-aware to hopefully get rd of them. I had to leave, so I'm not near the computer, so I can't get a clean, up to date ad-aware log.


The computer, overall, seems to be functioning at normal. I have a feeling I have a few minor things to clean up. Anyone see anything in the hjt file that might be in need of removal?

Many thanks in advance, your help has already helped me get from a computer that would barely run to a computer that runs almost perfect.

Edited by onceagain, 11 August 2005 - 01:29 PM.

  • 0

Advertisements

#2
onceagain
Posted 11 August 2005 - 01:51 PM

onceagain

    New Member

  • Topic Starter
  • Member
  • Pip
  • 2 posts
Opps, sorry, how stupid of me to put this in the wrong forum, on my first post! Thanks for moving it. Sorry, my brain is fried after battling this thing for 2 days now.
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP