AppWrap.exe & Dropper.Agent.DD



#1
ggaudin

    Member

  • Member
  • 23 posts
Win 98SE OS
I need a removal tool for AppWrap.exe and Trojan Horse Dropper.Agent.DD.
I have read the "Start Here" pages and have completed many runs of the following programs:
Clean Up
Ad-aware SE
Spybot S & D
AVG
Hijack This
Some of the programs say that they have removed the malware, but it keeps coming back.
Here is a copy of my Hijack file:
Logfile of HijackThis v1.99.1
Scan saved at 2:21:05 PM, on 8/21/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\WINDOWS\SYSTEM\CTFMON.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\MY DOCUMENTS\DOWNLOADS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://home.juno.com/search/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.juno.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Juno Online Services, Inc.
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [Spyware Begone] C:\FREESCAN\FREESCAN.EXE -FastScan
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE10\EXCEL.EXE/3000
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.c...ers/play365.cab
O16 - DPF: {01FE8D0A-51AD-459B-B62B-85E135128B32} (DD_v4.DDv4) - http://www.drivershq.com/DD_v4.CAB
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg...l_v1-0-3-18.cab


What am I looking for???
  • 0

#2
Metallica

    Spyware Veteran

  • GeekU Moderator
  • 31,674 posts
Uninstall Spyware Begone.
They are trying to trick you into buying it.
http://www.spywarewa...nti-spyware.htm

Check the following items in HijackThis.
Close all windows except HijackThis and click Fix checked:

O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)

O4 - HKCU\..\Run: [Spyware Begone] C:\FREESCAN\FREESCAN.EXE -FastScan

Then reboot.

Let me know.

Regards,
  • 0

#3
ggaudin

    Member

  • Topic Starter
  • Member
  • 23 posts
I removed the 2 items that you listed, but am still getting pop-ups. Here is my new Hijack log:
Logfile of HijackThis v1.99.1
Scan saved at 1:49:53 PM, on 9/18/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\WINDOWS\SYSTEM\CTFMON.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\MY DOCUMENTS\DOWNLOADS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://home.juno.com/search/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.juno.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Juno Online Services, Inc.
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE10\EXCEL.EXE/3000
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.c...ers/play365.cab
O16 - DPF: {01FE8D0A-51AD-459B-B62B-85E135128B32} (DD_v4.DDv4) - http://www.drivershq.com/DD_v4.CAB
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg...l_v1-0-3-18.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
  • 0

#4
Metallica

    Spyware Veteran

  • GeekU Moderator
  • 31,674 posts
Can you tell me if these popups all come from the same server?
Let me know if they all have the same subject and if so, which one?

Download WinPFind.zip and unzip the contents to the C:\ folder.

Start in Safe Mode Using the F8 method:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until the boot menu appears.
  • Use the arrow keys to select the Safe Mode menu item.
  • Press the Enter key.
Locate the c:\winpfind\winpfind.exe file and double-click it to run it. Now click the Start Scan button to begin the scan.

When the scan is complete, reboot normally and post the WinPFind.txt file (located in the WinPFind folder).

Regards,
  • 0

#5
ggaudin

    Member

  • Topic Starter
  • Member
  • 23 posts
I've downloaded the WinPFind file and will run it shortly. In response to your inquiry about the popups --- they are downloaded to my computer every time I log on to my ISP. The ads are for many different products, i.e.: Visa, Nike, loans, virus detectors, etc... When I log off, I run Clean Up and usually have a thousand or more ads (up to 6 - 8 MB) that are wiped off. I can't tell where they are coming from.
Thanks for your help....
  • 0

#6
Metallica

    Spyware Veteran

  • GeekU Moderator
  • 31,674 posts
Please consider installing a popup-blocker.

A free and fairly good one is integrated into the Google Toolbar: http://toolbar.google.com/

Or, start using an alternative browser.
Both Firefox: http://www.mozilla.o...oducts/firefox/ and Opera: http://www.opera.com/ are safe and come with built-in popup-blockers.

These will only stop the ones that come from the web, so I will still need to see the WinPFind log in case anything is causing them that is already on your computer.

Regards,
  • 0

#7
ggaudin

    Member

  • Topic Starter
  • Member
  • 23 posts
Thanks for the advice on the popup blocker; I do have Mozilla Firefox and I'll start using it more often....
Here's the file that you need. It's definitely on my computer..
WARNING: not all files found by this scanner are bad. Consult with a knowledgable person before proceeding.

If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows somethimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.

»»»»»»»»»»»»»»»»» Windows OS and Versions »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Product Name: Windows 98 Version: 4.10.2222
Internet Explorer Version: 6.0.2800.1106

»»»»»»»»»»»»»»»»» Checking Selected Standard Folders »»»»»»»»»»»»»»»»»»»»

Checking %SystemDrive% folder...

Checking %ProgramFilesDir% folder...

Checking %WinDir% folder...
aspack 9/19/05 1:51:10 PM RH 7598112 C:\WINDOWS\SYSTEM.DAT
PECompact2 10/9/04 3:10:28 AM 9930260 C:\WINDOWS\VPTNFILE.192
PECompact2 10/9/04 3:10:28 AM 9930260 C:\WINDOWS\lpt$vpn.192
UPX! 10/5/04 3:25:24 PM 1036800 C:\WINDOWS\vsapi32.dll
aspack 10/5/04 3:25:24 PM 1036800 C:\WINDOWS\vsapi32.dll

Items found in C:\WINDOWS\hosts

UPX! 9/18/05 12:55:22 PM 17408 C:\WINDOWS\icont.exe

Checking %System% folder...
Umonitor 8/13/05 2:29:04 PM R S 405504 C:\WINDOWS\SYSTEM\DBOUND3D.DLL
Umonitor 8/13/05 2:29:04 PM R S 405504 C:\WINDOWS\SYSTEM\PRD.DLL
Umonitor 8/13/05 2:29:04 PM R S 405504 C:\WINDOWS\SYSTEM\OQDIS400.DLL
Umonitor 8/13/05 2:29:04 PM 405504 C:\WINDOWS\SYSTEM\wopdxm.dll
Umonitor 8/13/05 2:29:04 PM R S 405504 C:\WINDOWS\SYSTEM\mgihnd.dll
Umonitor 8/13/05 2:29:04 PM R S 405504 C:\WINDOWS\SYSTEM\duwave.dll
Umonitor 8/13/05 2:29:04 PM R S 405504 C:\WINDOWS\SYSTEM\OPSSQ400.DLL
Umonitor 8/13/05 2:29:04 PM R S 405504 C:\WINDOWS\SYSTEM\HLL0404.DLL
Umonitor 8/13/05 2:29:04 PM R S 405504 C:\WINDOWS\SYSTEM\djnet.dll
Umonitor 8/13/05 2:29:04 PM R S 405504 C:\WINDOWS\SYSTEM\cVbinet.dll
Umonitor 8/13/05 2:29:04 PM R S 405504 C:\WINDOWS\SYSTEM\MQC42.DLL
Umonitor 8/13/05 2:29:04 PM R S 405504 C:\WINDOWS\SYSTEM\JJT.DLL
Umonitor 8/13/05 2:29:04 PM R S 405504 C:\WINDOWS\SYSTEM\SZP32.DLL
Umonitor 8/13/05 2:29:04 PM R S 405504 C:\WINDOWS\SYSTEM\QFOLE.DLL
Umonitor 8/13/05 2:29:04 PM R S 405504 C:\WINDOWS\SYSTEM\NYDLL.DLL
Umonitor 8/13/05 2:29:04 PM R S 405504 C:\WINDOWS\SYSTEM\HWDCI.DLL
Umonitor 8/13/05 2:29:04 PM R S 405504 C:\WINDOWS\SYSTEM\dq8vb.dll
Umonitor 8/13/05 2:29:04 PM R S 405504 C:\WINDOWS\SYSTEM\MOC40.DLL
Umonitor 8/13/05 2:29:04 PM R S 405504 C:\WINDOWS\SYSTEM\SL.DLL

Checking %System%\Drivers folder and sub-folders...

Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
9/19/05 1:51:10 PM RH 7598112 C:\WINDOWS\SYSTEM.DAT
9/19/05 1:52:52 PM RH 806944 C:\WINDOWS\USER.DAT
9/18/05 3:37:40 PM H 1003265 C:\WINDOWS\ShellIconCache
9/18/05 3:39:42 PM H 7988 C:\WINDOWS\ttfCache
8/13/05 2:29:04 PM R S 405504 C:\WINDOWS\SYSTEM\DBOUND3D.DLL
8/13/05 2:29:04 PM R S 405504 C:\WINDOWS\SYSTEM\PRD.DLL
8/13/05 2:29:04 PM R S 405504 C:\WINDOWS\SYSTEM\OQDIS400.DLL
8/13/05 2:29:04 PM R S 405504 C:\WINDOWS\SYSTEM\mrwmdm.dll
8/13/05 2:29:04 PM R S 405504 C:\WINDOWS\SYSTEM\mgihnd.dll
8/13/05 2:29:04 PM R S 405504 C:\WINDOWS\SYSTEM\duwave.dll
8/13/05 2:29:04 PM R S 405504 C:\WINDOWS\SYSTEM\OPSSQ400.DLL
8/13/05 2:29:04 PM R S 405504 C:\WINDOWS\SYSTEM\HLL0404.DLL
8/13/05 2:29:04 PM R S 405504 C:\WINDOWS\SYSTEM\djnet.dll
8/13/05 2:29:04 PM R S 405504 C:\WINDOWS\SYSTEM\cVbinet.dll
8/13/05 2:29:04 PM R S 405504 C:\WINDOWS\SYSTEM\MQC42.DLL
8/13/05 2:29:04 PM R S 405504 C:\WINDOWS\SYSTEM\JJT.DLL
8/13/05 2:29:04 PM R S 405504 C:\WINDOWS\SYSTEM\SZP32.DLL
8/13/05 2:29:04 PM R S 405504 C:\WINDOWS\SYSTEM\QFOLE.DLL
8/13/05 2:29:04 PM R S 405504 C:\WINDOWS\SYSTEM\NYDLL.DLL
8/13/05 2:29:04 PM R S 405504 C:\WINDOWS\SYSTEM\HWDCI.DLL
8/13/05 2:29:04 PM R S 405504 C:\WINDOWS\SYSTEM\dq8vb.dll
8/13/05 2:29:04 PM R S 405504 C:\WINDOWS\SYSTEM\MOC40.DLL
8/13/05 2:29:04 PM R S 405504 C:\WINDOWS\SYSTEM\SL.DLL
8/13/05 2:29:04 PM R S 405504 C:\WINDOWS\SYSTEM\MFJTES40.DLL
8/20/05 2:32:50 PM HS 67 C:\WINDOWS\Temporary Internet Files\Content.IE5\desktop.ini
8/20/05 3:20:10 PM HS 67 C:\WINDOWS\Temporary Internet Files\Content.IE5\UJM7MHYN\desktop.ini
8/22/05 1:49:14 PM HS 67 C:\WINDOWS\Temporary Internet Files\Content.IE5\NEIHDGR5\desktop.ini
8/20/05 3:20:14 PM HS 67 C:\WINDOWS\Temporary Internet Files\Content.IE5\GL2JWLMF\desktop.ini
8/20/05 3:20:18 PM HS 67 C:\WINDOWS\Temporary Internet Files\Content.IE5\DN1M92QJ\desktop.ini
8/20/05 3:20:22 PM HS 67 C:\WINDOWS\Temporary Internet Files\Content.IE5\CP6FWPEN\desktop.ini
8/20/05 3:20:36 PM HS 67 C:\WINDOWS\Temporary Internet Files\Content.IE5\QL7WLWVU\desktop.ini
8/20/05 3:20:36 PM HS 67 C:\WINDOWS\Temporary Internet Files\Content.IE5\E9EHO74T\desktop.ini
8/20/05 3:20:38 PM HS 67 C:\WINDOWS\Temporary Internet Files\Content.IE5\SPQN0PAN\desktop.ini
8/20/05 3:21:06 PM HS 67 C:\WINDOWS\Temporary Internet Files\Content.IE5\OXYFSX2R\desktop.ini
8/20/05 3:21:08 PM HS 67 C:\WINDOWS\Temporary Internet Files\Content.IE5\SXEFS9AN\desktop.ini
8/20/05 3:21:12 PM HS 67 C:\WINDOWS\Temporary Internet Files\Content.IE5\JGQFHZ55\desktop.ini
8/20/05 3:21:16 PM HS 67 C:\WINDOWS\Temporary Internet Files\Content.IE5\WY802Z04\desktop.ini
8/20/05 3:21:16 PM HS 67 C:\WINDOWS\Temporary Internet Files\Content.IE5\LFP36761\desktop.ini
8/20/05 3:21:18 PM HS 67 C:\WINDOWS\Temporary Internet Files\Content.IE5\1V74CRCX\desktop.ini
8/20/05 3:22:00 PM HS 67 C:\WINDOWS\Temporary Internet Files\Content.IE5\WTENWLAJ\desktop.ini
8/20/05 3:22:16 PM HS 67 C:\WINDOWS\Temporary Internet Files\Content.IE5\4LMNO5QR\desktop.ini
8/20/05 3:22:16 PM HS 67 C:\WINDOWS\Temporary Internet Files\Content.IE5\WHCB0VGJ\desktop.ini
8/20/05 3:22:16 PM HS 67 C:\WINDOWS\Temporary Internet Files\Content.IE5\NH6C5A04\desktop.ini
8/20/05 3:24:16 PM HS 67 C:\WINDOWS\Temporary Internet Files\Content.IE5\85Y3CDQJ\desktop.ini
8/20/05 3:24:40 PM HS 67 C:\WINDOWS\Temporary Internet Files\Content.IE5\WLU3OTQJ\desktop.ini
8/20/05 3:24:44 PM HS 67 C:\WINDOWS\Temporary Internet Files\Content.IE5\C5EROP2F\desktop.ini
8/20/05 3:36:04 PM HS 67 C:\WINDOWS\Temporary Internet Files\Content.IE5\EJN5SJMJ\desktop.ini
8/20/05 3:43:00 PM HS 67 C:\WINDOWS\Temporary Internet Files\Content.IE5\15JDUNB3\desktop.ini
8/20/05 3:43:02 PM HS 67 C:\WINDOWS\Temporary Internet Files\Content.IE5\LY0YCG75\desktop.ini
8/20/05 3:47:44 PM HS 67 C:\WINDOWS\Temporary Internet Files\Content.IE5\5HY5PT1S\desktop.ini
8/20/05 3:47:48 PM HS 67 C:\WINDOWS\Temporary Internet Files\Content.IE5\A10JMDA5\desktop.ini
8/20/05 3:47:50 PM HS 67 C:\WINDOWS\Temporary Internet Files\Content.IE5\LY2YN50Q\desktop.ini
8/20/05 3:49:34 PM HS 67 C:\WINDOWS\Temporary Internet Files\Content.IE5\U85SGHM5\desktop.ini
8/20/05 3:55:48 PM HS 67 C:\WINDOWS\Temporary Internet Files\Content.IE5\K1U1OR2B\desktop.ini
8/21/05 10:53:38 AM HS 67 C:\WINDOWS\Temporary Internet Files\Content.IE5\QPDG1VMD\desktop.ini
8/21/05 10:57:00 AM HS 67 C:\WINDOWS\Temporary Internet Files\Content.IE5\CAW3H9YQ\desktop.ini
8/21/05 11:24:30 AM HS 67 C:\WINDOWS\Temporary Internet Files\Content.IE5\8TZ0DWF1\desktop.ini
8/15/05 1:11:10 PM H 6 C:\WINDOWS\Tasks\SA.DAT

Checking for CPL files...
Microsoft Corporation 4/23/99 10:22:00 PM 221280 C:\WINDOWS\SYSTEM\DESK.CPL
Microsoft Corporation 8/29/02 292352 C:\WINDOWS\SYSTEM\INETCPL.CPL
Microsoft Corporation 4/23/99 10:22:00 PM 60928 C:\WINDOWS\SYSTEM\INTL.CPL
Microsoft Corporation 4/23/99 10:22:00 PM 420864 C:\WINDOWS\SYSTEM\MMSYS.CPL
Microsoft Corporation 4/23/99 10:22:00 PM 93248 C:\WINDOWS\SYSTEM\MODEM.CPL
Microsoft Corporation 4/23/99 10:22:00 PM 14448 C:\WINDOWS\SYSTEM\NETCPL.CPL
Microsoft Corporation 8/8/99 2:17:12 AM 41232 C:\WINDOWS\SYSTEM\ODBCCP32.CPL
Microsoft Corporation 4/23/99 10:22:00 PM 47104 C:\WINDOWS\SYSTEM\PASSWORD.CPL
Microsoft Corporation 4/23/99 10:22:00 PM 51984 C:\WINDOWS\SYSTEM\POWERCFG.CPL
Symantec Corporation 7/25/98 12:57:48 PM 151040 C:\WINDOWS\SYSTEM\S32LUCP1.CPL
Microsoft Corporation 10/30/01 8:10:00 AM 442368 C:\WINDOWS\SYSTEM\JOY.CPL
Microsoft Corporation 2/19/01 7:07:36 PM 108032 C:\WINDOWS\SYSTEM\INPUT98.CPL
Intel Corporation 9/5/00 1:08:26 PM 177152 C:\WINDOWS\SYSTEM\HAMCPL.CPL
Microsoft Corporation 4/23/99 10:22:00 PM 66048 C:\WINDOWS\SYSTEM\ACCESS.CPL
Microsoft Corporation 4/23/99 10:22:00 PM 72192 C:\WINDOWS\SYSTEM\APPWIZ.CPL
Microsoft Corporation 4/23/99 10:22:00 PM 103424 C:\WINDOWS\SYSTEM\MAIN.CPL
4/23/99 10:22:00 PM 70656 C:\WINDOWS\SYSTEM\STICPL.CPL
Microsoft Corporation 4/23/99 10:22:00 PM 387072 C:\WINDOWS\SYSTEM\SYSDM.CPL
Microsoft Corporation 4/23/99 10:22:00 PM 14848 C:\WINDOWS\SYSTEM\TELEPHON.CPL
Microsoft Corporation 4/23/99 10:22:00 PM 37376 C:\WINDOWS\SYSTEM\TIMEDATE.CPL
Sun Microsystems 11/26/01 10:24:30 PM 45148 C:\WINDOWS\SYSTEM\plugincpl131_02.cpl

»»»»»»»»»»»»»»»»» Checking Selected Startup Folders »»»»»»»»»»»»»»»»»»»»»

Checking files in %ALLUSERSPROFILE%\Startup folder...

Checking files in %ALLUSERSPROFILE%\Application Data folder...

Checking files in %USERPROFILE%\Startup folder...

Checking files in %USERPROFILE%\Application Data folder...
7/10/03 1:13:38 PM 0 C:\WINDOWS\Application Data\dm.ini
3/21/04 4:00:24 PM 154 C:\WINDOWS\Application Data\dw.log
7/15/05 1:32:16 PM 16368 C:\WINDOWS\Application Data\GDIPFONTCACHEV1.DAT

»»»»»»»»»»»»»»»»» Checking Selected Registry Keys »»»»»»»»»»»»»»»»»»»»»»»

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
=

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\WinZip
{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\AVG7 Shell Extension
{9F97547E-4609-42C5-AE0C-81C61FFAEBC3} = C:\Program Files\Grisoft\AVG Free\avgse.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WinZip
{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\AVG7 Shell Extension
{9F97547E-4609-42C5-AE0C-81C61FFAEBC3} = C:\Program Files\Grisoft\AVG Free\avgse.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\WinZip
{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL

[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}
= C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
AcroIEHlprObj Class = C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}
&Tip of the Day = C:\WINDOWS\SYSTEM\SHDOCVW.DLL

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
{8E718888-423F-11D2-876E-00A0C9082467} = @msdxmLC.dll,-1@1033,&Radio : C:\WINDOWS\SYSTEM\MSDXM.OCX

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{32683183-48a0-441b-a342-7c2a440a9478}
Media Band = C:\WINDOWS\SYSTEM\BROWSEUI.DLL
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E64-B078-11D0-89E4-00C04FC9E26E}
Explorer Band = C:\WINDOWS\SYSTEM\SHDOCVW.DLL

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : C:\WINDOWS\SYSTEM\BROWSEUI.DLL
{0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links : C:\WINDOWS\SYSTEM\BROWSEUI.DLL
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : C:\WINDOWS\SYSTEM\BROWSEUI.DLL
{0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links : C:\WINDOWS\SYSTEM\BROWSEUI.DLL

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
ScanRegistry C:\WINDOWS\scanregw.exe /autorun
TaskMonitor C:\WINDOWS\taskmon.exe
SystemTray SysTray.Exe
AVG7_CC C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
AVG7_EMC C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
AVG7_AMSVR C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
IMAIL Installed = 1
MAPI Installed = 1
MSFS Installed = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
ctfmon.exe ctfmon.exe

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Network

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoDriveTypeAutoRun •
CDRAutoRun

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
WebCheck {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = C:\WINDOWS\SYSTEM\WEBCHECK.DLL


»»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
WinPFind v1.4.0 - Log file written to "WinPFind.Txt" in the WinPFind folder.
Scan completed on 9/19/05 2:01:31 PM
  • 0

#8
Metallica

    Spyware Veteran

  • GeekU Moderator
  • 31,674 posts
Aha. That looks like Look2Me pestware.

*Click Here to download Killbox by Option^Explicit.
*Extract the program to your desktop and double-click on its folder, then double-click on Killbox.exe to start the program.
*In the killbox program, select the Delete on Reboot option.
*Copy the file names below to the clipboard by highlighting them and pressing Control-C:

C:\WINDOWS\icont.exe
C:\WINDOWS\SYSTEM\DBOUND3D.DLL
C:\WINDOWS\SYSTEM\PRD.DLL
C:\WINDOWS\SYSTEM\OQDIS400.DLL
C:\WINDOWS\SYSTEM\wopdxm.dll
C:\WINDOWS\SYSTEM\mgihnd.dll
C:\WINDOWS\SYSTEM\duwave.dll
C:\WINDOWS\SYSTEM\OPSSQ400.DLL
C:\WINDOWS\SYSTEM\HLL0404.DLL
C:\WINDOWS\SYSTEM\djnet.dll
C:\WINDOWS\SYSTEM\cVbinet.dll
C:\WINDOWS\SYSTEM\MQC42.DLL
C:\WINDOWS\SYSTEM\JJT.DLL
C:\WINDOWS\SYSTEM\SZP32.DLL
C:\WINDOWS\SYSTEM\QFOLE.DLL
C:\WINDOWS\SYSTEM\NYDLL.DLL
C:\WINDOWS\SYSTEM\HWDCI.DLL
C:\WINDOWS\SYSTEM\dq8vb.dll
C:\WINDOWS\SYSTEM\MOC40.DLL
C:\WINDOWS\SYSTEM\SL.DLL

*Return to Killbox, go to the File menu, and choose "Paste from Clipboard".
*Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.

Please download L2m9xfix from:
GeeksToGo
Save it to the desktop and run it. Extract the files, and then open the l2m9xfix folder you just created and run RunThis.bat.

A window will open, and your desktop will disappear, then reappear. Please be patient until the batch says it is completed.

Then please restart your computer, and post a new HijackThis log as well as the entire text of the log.txt file, which should be in the same folder as RunThis.bat.

Regards,
  • 0

#9
ggaudin

    Member

  • Topic Starter
  • Member
  • 23 posts
I ran Killbox as you directed, but l2m9xfix would not extract due to either a damaged file or an unknown format. I will download it again, and it will hopefully run. Meanwhile, here's the new hijack log.
Logfile of HijackThis v1.99.1
Scan saved at 4:03:22 PM, on 9/19/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\WINDOWS\SYSTEM\CTFMON.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\MY DOCUMENTS\DOWNLOADS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://home.juno.com/search/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.juno.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Juno Online Services, Inc.
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE10\EXCEL.EXE/3000
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.c...ers/play365.cab
O16 - DPF: {01FE8D0A-51AD-459B-B62B-85E135128B32} (DD_v4.DDv4) - http://www.drivershq.com/DD_v4.CAB
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg...l_v1-0-3-18.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
  • 0

#10
ggaudin

    Member

  • Topic Starter
  • Member
  • 23 posts
The 2nd download of l2m9xfix worked ---- here's the log.txt file. Do you need another hijack log? (other than the above post)
Log of L2M9XFix v1.01a

************

Running from directory:
C:\My Documents\DOWNLOADS\l2m9xfix

************

Files found:

C:\WINDOWS\system\CJL3D.DLL
C:\WINDOWS\system\cVbinet.dll
C:\WINDOWS\system\DBOUND3D.DLL
C:\WINDOWS\system\dfmv2clt.dll
C:\WINDOWS\system\djnet.dll
C:\WINDOWS\system\dq8vb.dll
C:\WINDOWS\system\duwave.dll
C:\WINDOWS\system\HLL0404.DLL
C:\WINDOWS\system\HWDCI.DLL
C:\WINDOWS\system\JJT.DLL
C:\WINDOWS\system\mgihnd.dll
C:\WINDOWS\system\MOC40.DLL
C:\WINDOWS\system\MQC42.DLL
C:\WINDOWS\system\mrwmdm.dll
C:\WINDOWS\system\NYDLL.DLL
C:\WINDOWS\system\OPSSQ400.DLL
C:\WINDOWS\system\OQDIS400.DLL
C:\WINDOWS\system\PRD.DLL
C:\WINDOWS\system\QFOLE.DLL
C:\WINDOWS\system\SL.DLL
C:\WINDOWS\system\SZP32.DLL
C:\WINDOWS\system\wopdxm.dll

************

Registry entries found:

[HKEY_CLASSES_ROOT\CLSID\{980EE120-0C06-11DA-8D71-444553540000}\InprocServer32]
@="C:\\WINDOWS\\SYSTEM\\MRWMDM.DLL"

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{83222613-54D4-784F-28B8-D0A6D6042DC8}"=""


************

Killing Explorer
Done!

Killing Rundll32
Done!

Removing malicious CLSID(s)
Done!

Restarting Explorer
Done!

Deleting malicious files
Done!


Finished!
  • 0
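Metallica's reading of the WinPFind log in #8 (many randomly named DLLs in %System%, all 405504 bytes, all written at the same second, most with R S attributes) and the CLSID entry L2M9XFix reports above are a pattern that can be checked mechanically. The following Python script is an added example, not code from the thread, WinPFind or L2M9XFix: it parses WinPFind file lines, groups DLLs that share a folder, byte size and write time, then scans a REGEDIT4 dump in the form L2M9XFix printed for a CLSID InprocServer32 that loads one of them, which is how the infection persists without any Run entry for HijackThis to show. The sample lines are constructed from the logs posted in this thread.

```python
"""Look2Me triage: find same-size DLL clusters in a WinPFind log and the CLSID
that loads one of them. Added example for this thread, not code from WinPFind,
L2M9XFix or the posters; the sample text is constructed from the logs above."""
import re
from collections import defaultdict

# WinPFind file line: [tag] date [time] [attrs] size path. The tag is the
# packer/vendor string ("Umonitor", "UPX!"); the "last 60 days" section has none.
LINE_RE = re.compile(
    r"^(?:(?P<tag>\S.*?)\s+)?(?P<date>\d{1,2}/\d{1,2}/\d{2})\s+"
    r"(?:(?P<time>\d{1,2}:\d{2}:\d{2} [AP]M)\s+)?(?P<attrs>(?:[RHSA]+\s+)*)"
    r"(?P<size>\d+)\s+(?P<path>[A-Za-z]:\\\S.*)$")

# Constructed sample from the posted WinPFind log plus two benign entries.
SAMPLE_LOG = r"""
Checking %System% folder...
Umonitor 8/13/05 2:29:04 PM R S 405504 C:\WINDOWS\SYSTEM\DBOUND3D.DLL
Umonitor 8/13/05 2:29:04 PM R S 405504 C:\WINDOWS\SYSTEM\PRD.DLL
Umonitor 8/13/05 2:29:04 PM 405504 C:\WINDOWS\SYSTEM\wopdxm.dll
Umonitor 8/13/05 2:29:04 PM R S 405504 C:\WINDOWS\SYSTEM\mgihnd.dll
8/13/05 2:29:04 PM R S 405504 C:\WINDOWS\SYSTEM\mrwmdm.dll
UPX! 9/18/05 12:55:22 PM 17408 C:\WINDOWS\icont.exe
Microsoft Corporation 8/29/02 292352 C:\WINDOWS\SYSTEM\INETCPL.CPL
"""

# REGEDIT4 fragment in the form L2M9XFix printed above (constructed copy).
REG_SAMPLE = r"""
[HKEY_CLASSES_ROOT\CLSID\{980EE120-0C06-11DA-8D71-444553540000}\InprocServer32]
@="C:\\WINDOWS\\SYSTEM\\MRWMDM.DLL"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{83222613-54D4-784F-28B8-D0A6D6042DC8}"=""
"""

def parse_winpfind(text):
    """One dict per file line; section headers and blank lines are skipped."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            e = m.groupdict()
            e["tag"], e["time"] = e["tag"] or "", e["time"] or ""
            e["attrs"] = "".join(e["attrs"].split())  # "R S " -> "RS"
            e["size"] = int(e["size"])
            entries.append(e)
    return entries

def find_dll_clusters(entries, min_members=3):
    """Group DLLs by (folder, size, date, time); return groups of min_members+.
    Genuine libraries rarely share an exact byte size and write second with
    several differently named neighbours, which is what marks Look2Me above."""
    groups = defaultdict(list)
    for e in entries:
        if e["path"].lower().endswith(".dll"):
            folder = e["path"].rsplit("\\", 1)[0].upper()
            groups[(folder, e["size"], e["date"], e["time"])].append(e)
    clusters = []
    for (folder, size, date, time), members in groups.items():
        if len(members) >= min_members:
            clusters.append({
                "folder": folder, "size": size, "written": f"{date} {time}",
                "tags": sorted({m["tag"] for m in members if m["tag"]}),
                "system_flagged": sum("S" in m["attrs"] for m in members),
                "files": sorted(m["path"] for m in members)})
    return clusters

REG_KEY_RE = re.compile(
    r"^\[HKEY_CLASSES_ROOT\\CLSID\\(\{[0-9A-Fa-f-]+\})\\InprocServer32\]$")
REG_DEFAULT_RE = re.compile(r'^@="(.*)"$')

def find_clsid_loaders(reg_text):
    """CLSID -> DLL for each InprocServer32 default value in a REGEDIT4 dump."""
    loaders, current = {}, None
    for line in (ln.strip() for ln in reg_text.splitlines()):
        key = REG_KEY_RE.match(line)
        if key:
            current = key.group(1)
        elif line.startswith("["):
            current = None  # some other key; stop attributing values to the CLSID
        else:
            val = REG_DEFAULT_RE.match(line)
            if current and val:
                loaders[current] = val.group(1).replace("\\\\", "\\")
    return loaders

def correlate(clusters, loaders):
    """(clsid, dll) pairs where a registered COM server is one of the clustered
    DLLs: that registration is the persistence hook. Explorer loads the DLL via
    the CLSID, so there is no Run key for HijackThis to list."""
    suspect = {p.upper() for c in clusters for p in c["files"]}
    return sorted((c, d) for c, d in loaders.items() if d.upper() in suspect)
```

Run it against a full WinPFind.txt and the REGEDIT4 block from an L2M9XFix log.txt; a cluster with a matching CLSID is the pair to clean together, the DLLs on reboot and the key before Explorer restarts.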

#11
Metallica

    Spyware Veteran

  • GeekU Moderator
  • 31,674 posts
The logs look good.

Since this infection is not visible in a HijackThis log, it all depends on whether you tell me if the annoying popups stopped.

If they didn't, please post a new WinPFind log.

Regards,
  • 0

#12
ggaudin

    Member

  • Topic Starter
  • Member
  • 23 posts
So far no ads have popped up in the limited time that I've been online today, so it looks good.
I have noticed that my screen appears to be somewhat faded out and the type is mushy. Also, I now have 2 identical start-up trays on the bottom of my screen. Does any of that seem to be part of my infection?
Thanks a million for your help.
  • 0

#13
Metallica

    Spyware Veteran

  • GeekU Moderator
  • 31,674 posts
Can you elaborate a bit about the "2 identical start-up trays on the bottom of my screen"?

A screenshot would be great, since I need to know as exactly as possible what you are seeing.

Regards,
  • 0

#14
ggaudin

    Member

  • Topic Starter
  • Member
  • 23 posts
I don't think that a screenshot will show the bottom tray, but I will describe it for you.
All the way on the bottom of the screen is the activity/startup tray. The far left has the 'Start' button and to its immediate right are 4 icons, i.e.: Show Desktop, IE, Win Media Player, Mozilla Firefox. Then, immediately to its right is another set of identical icons in this order: Show Desktop, IE, Mozilla Firefox, Win Media Player (the final 2 are reversed in the 2nd set of icons) --- I'll see what I can do for a screenshot....

Edited by ggaudin, 20 September 2005 - 02:09 PM.

  • 0

#15
ggaudin

    Member

  • Topic Starter
  • Member
  • 23 posts
I attached the screenshot, but don't see it on here....????
  • 0





