[Gothos]

Working a friends PC that was whacked by his daughter (Ya think at 18 years old she'd know better...)

I ran an online scan .... 9 virus removed, 3 Trojan's removed.
Ran HJT ... removed those reference links.
Started in Cmd Promt safe mode. Removed said linked files/folders in HJT.
Re started in windows... re-ran online scanner ... NPF. (No problem found)
Ran Ad aware ... removed 22 instances.
Re-booted.
Ran Ad-aware ... NPF
Ran CWshredder ... NPF
Re-ran on-line scanner ... NPF
Ran Clean-up ... trash gone ... NPF (I guess)

Still cannot get the backgroud to it's normal state .... still "pops" back into active desktop mode, wierd desktop background, and the PC is still a tad laggy ... so ..... There is still an issue here I cannot see ...

*goes bald cause of the hair pulling*

The MOST recent HJT log is shown below .... (no other mods will be done till a reply)

Thanks in advance for the quick response.

~G~

(Yes..... I have already applied to be an assistant on this forum... :-) )

HJT log:


Logfile of HijackThis v1.99.1
Scan saved at 4:11:58 PM, on 8/22/05
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\PROGRAM FILES\WEBSVR\SYSTEM\INETSW95.EXE
C:\PROGRAM FILES\MCAFEE\VIRUSSCAN95\VSHWIN32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\ALDUS\PIPELINE\REMIND.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\HPZTSB04.EXE
C:\WINDOWS\TASKMON.EXE
C:\PROGRAM FILES\SUPPORT.COM\BIN\TGCMD.EXE
C:\TROJANHUNTER 4.2\THGUARD.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\MSOFFICE.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\FINDFAST.EXE
C:\PROGRAM FILES\PLUS!\MICROSOFT INTERNET\IEXPLORE.EXE
C:\HJC\HIJACKTHIS.EXE

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.comcast.net/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
F1 - win.ini: load=C:\ALDUS\PIPELINE\remind.exe
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Microsoft WebServer] C:\Program Files\WebSvr\System\svctrl /init
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\SYSTEM\hpztsb04.exe
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Vshwin32EXE] C:\Program Files\McAfee\VirusScan95\VSHWIN32.EXE
O4 - HKLM\..\Run: [tgcmd] C:\Program Files\Support.com\bin\tgcmd.exe /server /startmonitor /deaf
O4 - HKLM\..\Run: [PSGuard] C:\Program Files\PSGuard\PSGuard.exe
O4 - HKLM\..\Run: [THGuard] "C:\TROJANHUNTER 4.2\THGUARD.EXE"
O4 - HKLM\..\RunServices: [Microsoft WebServer] C:\Program Files\WebSvr\System\inetsw95.exe -w3svc
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [Vshwin32EXE] C:\Program Files\McAfee\VirusScan95\VSHWIN32.EXE
O4 - Startup: Microsoft Office Shortcut Bar.Lnk = C:\Program Files\Microsoft Office\Office\MSOFFICE.EXE
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsearch.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsimilar.html
O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmtrans.html
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Help - {BAFBC9E1-EEF2-11D9-9DBA-00A0CC370461} - http://online.comcast.net/help/ (file missing) (HKCU)
O9 - Extra button: Support - {BAFBC9E2-EEF2-11D9-9DBA-00A0CC370461} - http://www.comcastsupport.com/ (file missing) (HKCU)
O16 - DPF: Win32 Classes - file://c:\windows\Java\classes\win32ie4.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefend...can8/oscan8.cab

Edited by Gothos, 22 August 2005 - 04:18 PM.

[Advertisements]

Well ... thanks for the "speedy" replys and all the pass overs ........

Close this task out..........

I need to reload windows....

[Gothos]

Well ... thanks for the "speedy" replys and all the pass overs ........

Close this task out..........

I need to reload windows....

[Michelle]

You only posted 9 hours ago (and got mad after less than 3 hours??). It is completely unreasonable to expect a reply within that timeframe. You are not the only person who has posted in this forum. No one intentionally "passed over" your post and there is no need for the sarcasm.

Did you reload Windows?

Edited by Michelle, 23 August 2005 - 01:28 AM.

[Gothos]

Sorry Michelle, I didn't mean to imply that nothing is being done. I (in my over-zealous way) was researching the HJT log and seemed to whack a VERY important file.



So .... with that done Windows refuses to launch ... (black screen with a lovely cursor flashing and laughing at me.)

Yes Windows 98SE is now in the process of a re-load. My friend is aware and has no critical files needed. (Although I do have a HD backup of his work files .... hehe)

Thanks for the help and maybe I'll figure out what it was I whacked out ... so's as not to do that again.



~G~

Edited by Gothos, 23 August 2005 - 08:40 AM.

[Michelle]

Have you tried to see if the system will boot into Safe Mode? If it will, then HiJackThis has back ups created. However if you deleted the file after fixing in HJT then that's a different story unless it's still in the Recycle Bin.

Edited by Michelle, 23 August 2005 - 10:30 AM.

[Gothos]

Yup tried the safe mode, (no joy) and straight command prompt. (still had the "giggling" cursor).

Least I killed it with style.



The system (for the most part) is rebuilt now with no issues. Just need to get his various drivers loaded for his video and printer.

~G~

[Michelle]

Ah, well, I'm sorry to hear that, but glad everything is running smoothly now!

I recommend installing protection programs on it to help prevent it from getting infected again

Here are my recommendations:


Detect and Remove Programs:

• How to use Ad-Aware to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Ad-Aware.
• How to use Spybot to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Spybot. Similar to Ad-Aware, I strongly recommend both to catch most spyware.

Prevention Programs:

• Spywareblaster <= SpywareBlaster will prevent spyware from being installed.
• Spywareguard <= SpywareGuard offers realtime protection from spyware installation attempts.
• MVPS Hosts file <= The MVPS Hosts file replaces your current HOSTS file with one containing well known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer
• Google Toolbar <= Get the free google toolbar to help stop pop up windows.

Other necessary Programs:

• AntiVirus Program<= An AntiVirus program is a must! Whether it is a free version like AVG, Anti-Vir, or Avast (Avast is free for home, non-commercial use only) have.
• Firewall<= A firewall is definitely a must have. Two good free versions are Sygate, and ZoneAlarm.

[Gothos]

Oh yeah, reinstalled his McAffee's (he has an active subscription for updates) as well as Ad-aware, CWShredder, Spyware guard and Blaster.

I also use Trojan Hunter. A pretty good program when used with CWShredder.

I didn't know about the hosts file. That I'll get set up straight away...

Thanks again.

[Michelle]

I didn't do much, but you're welcome

However, I do not recommend running CWShredder when the system is not infected with CoolWebSearch.

[Michelle]

Since this issue appears to be resolved ... this Topic has been closed. Glad we could help.

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.