Spyware on Win 98



#1
onceagain

I've been battling a PC running Windows 98 SP2 for a little while now. Prior to 10 days ago, this computer had never been connected to the internet. Now, 10 days later, it's full of stuff.

I've read, printed, and followed many directions on this site to try and clean it up (Many thanks to all who have posted such useful information).

It had approximately 30 viruses on it and about 50 pieces of spyware/malware on it, including the dreaded Spy Sheriff.

I downloaded cwshredder, ad-aware, AVG anti-virus, spybot search and destroy, the Smit something scrubber (forgot the name of it), the CoolWeb mini scrubber, and quite a few more of the tools. I have also installed all critical updates from Microsoft (all 22 of them!).

With a lot of watching, working, and rebooting, I managed to find a few of the problem files packed up in the startup files. Mainly KERNEL32.exe, and a couple of others. I have deleted them all, disabled them from being called on startup, and they seem to have gone away, for the most part.

I do, however, have a few lingering effects. 60% of the time when I click on "Windows Explorer", the system locks up. You can move the mouse, but it won't do anything, and the "start" button is stuck in the down position. The only way to get it working is to power off.

I have a feeling I have disabled something in the msconfig side of things that might be needed, but I don't know what.

I'm also running the free firewall from sybase (I think).

Upon cleaning the system up for nearly 7 hours over 2 days' time, my next-to-last virus scan picked up a bunch of trojan downloaders again, all parked in the \windows\temp\ files. I healed them, and ran it again and they didn't appear. However, I have faith something will return, as it has been constantly since I have been working on this.

The latest hijack log is:

Logfile of HijackThis v1.99.1
Scan saved at 2:33:45 PM, on 8/11/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\EXPLORER.EXE
C:\MY DOCUMENTS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nbc12.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Verizon Online
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;<local>
F1 - win.ini: run=hpfsched
O2 - BHO: Verizon Broadband Toolbar - {4E7BD74F-2B8D-469E-D0FC-E57AF4D5FA7D} - C:\PROGRA~1\COMMON~1\VERIZO~1\SFP\VZBB.DLL
O2 - BHO: (no name) - {89C528BF-CB08-ADD4-7801-CF891A576B97} - C:\WINDOWS\SYSTEM\VMEBKOA.DLL
O2 - BHO: BHOmodObj Class - {7F6828CA-9E42-462C-BC60-418C8144012C} - C:\WINDOWS\SYSTEM\BHOMOD.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: Verizon Broadband Toolbar - {4E7BD74F-2B8D-469E-D0FC-E57AF4D5FA7D} - C:\PROGRA~1\COMMON~1\VERIZO~1\SFP\VZBB.DLL
O3 - Toolbar: (no name) - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [POINTER] C:\PROGRA~1\MSHARD~1\point32.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [AttuneDiscovery] C:\PROGRA~1\AVEO\ATTUNE\Bin\Attune_di.exe
O4 - HKLM\..\Run: [AttuneSysTray] C:\PROGRA~1\AVEO\ATTUNE\Bin\Attune_st.exe
O4 - HKLM\..\Run: [AttuneContentUpdater] C:\PROGRA~1\AVEO\ATTUNE\Bin\Attune_cu.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\VERIZO~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\Run: [MRUList] a
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\SYGATE\SPF\SMC.EXE -startgui
O4 - HKLM\..\Run: [CriticalUpdate] c:\windows\SYSTEM\wucrtupd.exe -startup
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SmcService] C:\PROGRAM FILES\SYGATE\SPF\SMC.EXE
O4 - Startup: QuickShelf 2000.lnk = C:\Program Files\Microsoft Reference\Bookshelf 2000\qshelf2k.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: Verizon Online Support Center.lnk = C:\Program Files\Verizon Online\bin\matcli.exe
O15 - Trusted IP range: 67.19.178.84
O21 - SSODL: OLE Module - {0656A137-B161-CADD-9777-E37A75727E78} - (no file)


And the ad-aware log that's a tiny bit outdated (maybe 1 hour before finishing up my work) is:

COOLWEBSEARCH
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
obj[0]=Regkey : typelib\{110fa82f-db6c-3c24-8929-60961d10c56e}
obj[30]=Regkey : interface\{9d573d0e-663c-435f-bf31-2c4497373c41}
obj[31]=RegValue : software\microsoft\windows\currentversion\policies\system "Wallpaper"
obj[32]=RegValue : software\microsoft\internet explorer\main "Search Bar"
obj[33]=RegValue : software\microsoft\windows\currentversion\internet settings\zonemap\ranges\range1 ":Range"
obj[34]=File : C:\WINDOWS\wplog.txt
obj[35]=File : C:\WINDOWS\desktop.html

OTHER
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
obj[1]=Regkey : .DEFAULT\software\aveo
obj[11]=Regkey : software\aveo

ALEXA
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
obj[2]=Regkey : software\microsoft\internet explorer\extensions\{c95fe080-8f5d-11d2-a20b-00aa003c157a}
obj[3]=RegValue : software\microsoft\internet explorer\extensions\{c95fe080-8f5d-11d2-a20b-00aa003c157a} "MenuStatusBar"
obj[4]=RegValue : software\microsoft\internet explorer\extensions\{c95fe080-8f5d-11d2-a20b-00aa003c157a} "Script"
obj[5]=RegValue : software\microsoft\internet explorer\extensions\{c95fe080-8f5d-11d2-a20b-00aa003c157a} "clsid"
obj[6]=RegValue : software\microsoft\internet explorer\extensions\{c95fe080-8f5d-11d2-a20b-00aa003c157a} "Icon"
obj[7]=RegValue : software\microsoft\internet explorer\extensions\{c95fe080-8f5d-11d2-a20b-00aa003c157a} "HotIcon"
obj[8]=RegValue : software\microsoft\internet explorer\extensions\{c95fe080-8f5d-11d2-a20b-00aa003c157a} "ButtonText"
obj[12]=RegValue : .DEFAULT\software\microsoft\internet explorer\extensions\cmdmapping "{c95fe080-8f5d-11d2-a20b-00aa003c157a}"

CLICKSPRING
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
obj[9]=Regkey : software\clickspring
obj[10]=RegValue : software\clickspring "PID"
obj[36]=File : C:\WINDOWS\SYSTEM\wnsintsv.exe
obj[37]=File : C:\WINDOWS\downloaded program files\MediaTicketsInstaller.ocx
obj[38]=File : C:\WINDOWS\downloaded program files\MediaTicketsInstaller.INF

WINDOWS
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
obj[13]=RegData : .DEFAULT\software\microsoft\windows\currentversion\policies\explorer "NoBandCustomize"
obj[14]=RegData : .DEFAULT\software\microsoft\windows\currentversion\policies\system "DisableTaskMgr"
obj[15]=RegData : software\microsoft\windows nt\currentversion\winlogon "Shell"

TRACKING COOKIE
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
obj[16]=IECache Entry : Cookie:default@2o7.net/
obj[17]=IECache Entry : Cookie:default@mediaplex.com/
obj[18]=IECache Entry : Cookie:default@as-us.falkag.net/
obj[19]=IECache Entry : Cookie:default@statse.webtrendslive.com/dcsgcxwngpifwznfzlmv83o6w_5w4m
obj[20]=IECache Entry : Cookie:default@statse.webtrendslive.com/
obj[21]=IECache Entry : Cookie:default@trafficmp.com/
obj[22]=IECache Entry : Cookie:default@doubleclick.net/
obj[23]=IECache Entry : c:\WINDOWS\Cookies\default@2o7[2].txt
obj[24]=IECache Entry : c:\WINDOWS\Cookies\default@doubleclick[1].txt
obj[25]=IECache Entry : c:\WINDOWS\Cookies\default@trafficmp[2].txt
obj[26]=IECache Entry : c:\WINDOWS\Cookies\default@as-us.falkag[1].txt
obj[27]=IECache Entry : c:\WINDOWS\Cookies\default@mediaplex[1].txt
obj[28]=IECache Entry : c:\WINDOWS\Cookies\default@dcsgcxwngpifwznfzlmv83o6w_5w4m[1].txt
obj[29]=IECache Entry : c:\WINDOWS\Cookies\default@statse.webtrendslive[2].txt

I used the cleaning functions of ad-aware to hopefully get rid of them. I had to leave, so I'm not near the computer, so I can't get a clean, up-to-date ad-aware log.


The computer, overall, seems to be functioning normally. I have a feeling I have a few minor things to clean up. Anyone see anything in the hjt file that might be in need of removal?

Many thanks in advance; your help has already helped me get from a computer that would barely run to a computer that runs almost perfectly.

Edited by onceagain, 11 August 2005 - 01:29 PM.
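The log above is in the HijackThis v1.99.1 line format (section code, then the entry). The script below is an added example, not part of the post or of HijackThis itself: it parses O2/O3/O15/O21 lines and applies a few standard reviewer heuristics (targets that read "(no file)", unnamed COM objects, added trusted ranges, SSODL hooks). The sample lines are copied from the post's log; the allowlist `KNOWN_GOOD_PATHS` and the rule wording are my own assumptions, and a flag means "look at this", not "delete this".

```python
import re
from dataclasses import dataclass

# Sample input constructed from entries quoted in the post above (HijackThis v1.99.1 format).
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {89C528BF-CB08-ADD4-7801-CF891A576B97} - C:\WINDOWS\SYSTEM\VMEBKOA.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: (no name) - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - (no file)
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O15 - Trusted IP range: 67.19.178.84
O21 - SSODL: OLE Module - {0656A137-B161-CADD-9777-E37A75727E78} - (no file)
"""

HJT_LINE = re.compile(r"^(?P<sect>[A-Z]\d+) - (?P<body>.+)$")
# O2/O3/O21 share the shape "<kind>: <name> - {CLSID} - <path or (no file)>".
COM_ENTRY = re.compile(
    r"^(?P<kind>BHO|Toolbar|SSODL): (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.*)$")

# Hypothetical allowlist: "(no name)" entries a reviewer already recognises as benign,
# seeded with Spybot's own IE helper, which appears in the post's log (lower-case suffixes).
KNOWN_GOOD_PATHS = {r"spybot - search & destroy\sdhelper.dll"}

@dataclass
class Finding:
    section: str
    reason: str
    line: str

def triage(log_text: str) -> list:
    """Return the log lines a reviewer should look at, with the heuristic that fired."""
    findings = []
    for raw in log_text.splitlines():
        m = HJT_LINE.match(raw.strip())
        if not m:
            continue                                  # headers, blank lines, process list
        sect, body = m["sect"], m["body"]
        if sect in ("O2", "O3", "O21"):
            e = COM_ENTRY.match(body)
            if not e:
                continue
            path = e["path"].strip().lower()
            if path == "(no file)":
                findings.append(Finding(sect, "orphaned registry entry: target file missing", raw))
            elif e["name"] == "(no name)" and not any(path.endswith(k) for k in KNOWN_GOOD_PATHS):
                findings.append(Finding(sect, "unnamed COM object loaded into IE/the shell", raw))
            elif sect == "O21":
                findings.append(Finding(sect, "SSODL autostart hook: confirm the vendor", raw))
        elif sect == "O15":
            findings.append(Finding(sect, "trusted zone/IP range added: confirm it was intentional", raw))
    return findings
```

Note that the Spybot helper is also "(no name)" and is only skipped because of the allowlist; without one, a rule on the name alone would flag a legitimate tool.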



#2
onceagain

Oops, sorry, how stupid of me to put this in the wrong forum, on my first post! Thanks for moving it. Sorry, my brain is fried after battling this thing for 2 days now.