ps guard hijack


This topic is locked

#1
monkeyboyblues (Member, 146 posts)
Hello,

I have been hijacked by some spyware called "ps-guard". I've noticed somebody else has posted about this. It masquerades as an icon in my toolbar, occasionally showing a popup balloon telling me my computer is infected. Then sometimes a spyware scan window will open showing ps-guard voluntarily scanning my computer for viruses. After I immediately delete this, I find an icon for ps-guard on my desktop and in my Add/Remove Programs list. I always delete the icon and remove the software.
I've run through all the system software checks that you have instructed new users to do, except for Ewido as I don't have Windows XP, but the spyware remains.
Here is my HijackThis log file:

Logfile of HijackThis v1.99.1
Scan saved at 4:17:08 PM, on 8/25/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\SPOOLSRV32.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\TREND MICRO\INTERNET SECURITY 2005\PCCTLCOM.EXE
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\TREND MICRO\INTERNET SECURITY 2005\PCCIOMON.EXE
C:\PROGRAM FILES\TREND MICRO\INTERNET SECURITY 2005\TMPFW.EXE
C:\PROGRAM FILES\TREND MICRO\INTERNET SECURITY 2005\TMPROXY.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\PROGRAM FILES\TREND MICRO\INTERNET SECURITY 2005\PCCGUIDE.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\STARTER.EXE
C:\WINDOWS\SYSTEM\ICASSERV.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\POPCORN72.EXE
C:\PROGRAM FILES\TROJANHUNTER 4.2\THGUARD.EXE
C:\PROGRAM FILES\EARTHLINK TOTALACCESS\TASKPANL.EXE
C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\EARTHLINK TOTALACCESS\FASTLANE\ARUPLD32.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.earthlink.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.earthlink...ton/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = C:\WINDOWS\SYSTEM\msblank.html
O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
O4 - HKLM\..\Run: [icasServ] C:\WINDOWS\SYSTEM\ICASSERV.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [avpmondll] JAguAr.exe
O4 - HKLM\..\Run: [keybdll] 34763.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [ControlPanel] C:\WINDOWS\SYSTEM\popcorn72.exe rundll.dll,LoadMouseProfile
O4 - HKLM\..\Run: [THGuard] "C:\PROGRAM FILES\TROJANHUNTER 4.2\THGUARD.EXE"
O4 - HKLM\..\Run: [intell32.exe] C:\WINDOWS\SYSTEM\intell32.exe
O4 - HKLM\..\Run: [PSGuard] C:\Program Files\PSGuard\PSGuard.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe"
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [Srv32 spool service] C:\WINDOWS\System\spoolsrv32.exe
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [PcCtlCom] C:\PROGRAM FILES\TREND MICRO\INTERNET SECURITY 2005\PCCTLCOM.EXE
O4 - HKCU\..\Run: [lpt] qwe.exe
O4 - HKCU\..\Run: [WinInitDll] StartCpl.exe
O4 - HKCU\..\Run: [FLKPT] ExchangeMaster.exe
O4 - HKCU\..\Run: [E6TaskPanel] "C:\PROGRAM FILES\EARTHLINK TOTALACCESS\TASKPANL.EXE" -noauth
O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O12 - Plugin for .m4a: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin5.dll
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.c...ers/play365.cab
O16 - DPF: {10003000-1000-0000-1000-000000000000} - ms-its:mhtml:file://C:\foo.mht!http://195.95.218.83...ol.chm::/on.exe
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 69.50.176.158,85.255.112.8
O21 - SSODL: TKERLGOJsUM - {23321C0A-8998-B6A0-8B2F-14345B2F10D7} - C:\WINDOWS\SYSTEM\OWO.DLL


thanks much,

monkeyboyblues
  • 0



#2
Guest_thatman_* (Guest)
Hi thatman

Please read through the instructions before you start (you may want to print this out).

Please set your system to show all files; please see here if you're unsure how to do this.

Press Control-Alt-Del to enter the Task Manager.
Click on the Processes tab and end the following process:
C:\WINDOWS\SYSTEM\SPOOLSRV32.EXE
Exit the Task Manager when finished.

Please go offline, close all browsers and any open Windows, making sure that only HijackThis is open. Scan and when it finishes, put an X in the boxes, only next to these following items:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = C:\WINDOWS\SYSTEM\msblank.html
O4 - HKLM\..\Run: [icasServ] C:\WINDOWS\SYSTEM\ICASSERV.EXE
O4 - HKLM\..\Run: [avpmondll] JAguAr.exe
O4 - HKLM\..\Run: [keybdll] 34763.exe
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [ControlPanel] C:\WINDOWS\SYSTEM\popcorn72.exe rundll.dll,LoadMouseProfile
O4 - HKLM\..\Run: [intell32.exe] C:\WINDOWS\SYSTEM\intell32.exe
O4 - HKLM\..\Run: [PSGuard] C:\Program Files\PSGuard\PSGuard.exe
O4 - HKLM\..\RunServices: [Srv32 spool service] C:\WINDOWS\System\spoolsrv32.exe
O4 - HKCU\..\Run: [lpt] qwe.exe
O4 - HKCU\..\Run: [FLKPT] ExchangeMaster.exe
O16 - DPF: {10003000-1000-0000-1000-000000000000} - ms-its:mhtml:file://C:\foo.mht!http://195.95.218.83...ol.chm::/on.exe
O21 - SSODL: TKERLGOJsUM - {23321C0A-8998-B6A0-8B2F-14345B2F10D7} - C:\WINDOWS\SYSTEM\OWO.DLL

Click on Fix Checked when finished and exit HijackThis.

Reboot into Safe Mode: please see here if you are not sure how to do this.

Using Windows Explorer, locate the following files/folders, and delete them:
C:\WINDOWS\SYSTEM\SPOOLSRV32.EXE
C:\WINDOWS\SYSTEM\msblank.html
C:\WINDOWS\SYSTEM\ICASSERV.EXE
C:\WINDOWS\JAguAr.exe
C:\WINDOWS\34763.exe
C:\WINDOWS\scanregw.exe /autorun
C:\WINDOWS\SYSTEM\popcorn72.exe rundll.dll,LoadMouseProfile
C:\WINDOWS\SYSTEM\intell32.exe
C:\Program Files\PSGuard\PSGuard.exe
C:\WINDOWS\qwe.exe
C:\WINDOWS\ExchangeMaster.exe
C:\WINDOWS\SYSTEM\OWO.DLL

Exit Explorer. Reboot as normal.

If you were unable to find any of the files then please follow these additional instructions:
Download Pocket Killbox and unzip it; save it to your Desktop.
Run Killbox and click the radio button that says Delete a file on reboot. For each of the files you could not delete, paste them one at a time into the full path of file to delete box and click the red circle with a white cross in it.
The program will ask you if you want to reboot; say No each time until the last one has been pasted in, whereupon you should answer Yes.

Let the system reboot.

Please run the following free, online virus scans.
http://enterprises.p...l_companies.htm
Please post the log from the Panda virus scan. We will need it to remove previous infections that have left files on your system.

Run HijackThis and post the new log.


Kc :tazz:
  • 0
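The entries the helper picks out above are the ones a script can catch mechanically: O4 Run values that are bare filenames resolved through PATH, an O16 DPF entry whose "download" is an ms-its:/mhtml: CHM path rather than a plain HTTP CAB, an O17 NameServer pointing at resolvers the ISP never assigned, and an O21 SSODL DLL that Explorer loads at every logon. The Python below is an added example written for this page, not a tool from the thread or part of HijackThis. It parses a handful of O4/O16/O17/O21 lines in HijackThis 1.99 format (a constructed sample modelled on the log in post #1; the two O16 hosts are replaced with example.invalid because the page truncates them) and returns what to fix or review. The EXPECTED_BARE_NAMES set, the empty TRUSTED_RESOLVERS placeholder and the REMOVED_IN_THREAD set (names the helper told the poster to fix) are assumptions of the example, not anything HijackThis itself knows.

```python
import re
from ipaddress import ip_address

# Constructed sample in HijackThis 1.99 format, modelled on the log in post #1.
# The two O16 download hosts are replaced with example.invalid (the page truncates them).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [avpmondll] JAguAr.exe
O4 - HKLM\..\Run: [keybdll] 34763.exe
O4 - HKLM\..\Run: [PSGuard] C:\Program Files\PSGuard\PSGuard.exe
O4 - HKLM\..\RunServices: [Srv32 spool service] C:\WINDOWS\System\spoolsrv32.exe
O4 - HKCU\..\Run: [lpt] qwe.exe
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://example.invalid/play365.cab
O16 - DPF: {10003000-1000-0000-1000-000000000000} - ms-its:mhtml:file://C:\foo.mht!http://example.invalid/ol.chm::/on.exe
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 69.50.176.158,85.255.112.8
O21 - SSODL: TKERLGOJsUM - {23321C0A-8998-B6A0-8B2F-14345B2F10D7} - C:\WINDOWS\SYSTEM\OWO.DLL
"""

# Assumption: bare names (no directory) that are normal in a Windows 98 SE Run key.
EXPECTED_BARE_NAMES = {"starter.exe", "systray.exe", "mstask.exe", "rundll32.exe", "scanregw.exe"}
# Names the helper told the poster to fix in this thread; anything else is judged by shape.
REMOVED_IN_THREAD = {
    "psguard.exe", "spoolsrv32.exe", "intell32.exe", "popcorn72.exe", "icasserv.exe",
    "jaguar.exe", "34763.exe", "qwe.exe", "exchangemaster.exe", "startcpl.exe",
}
# Placeholder (assumption): put your ISP's published resolver addresses here.
TRUSTED_RESOLVERS = set()

O4_RE = re.compile(r"^O4 - (HK\w+)\\\.\.\\(\w+): \[([^\]]*)\] (.*)$")
O16_RE = re.compile(r"^O16 - DPF: (\{[0-9A-Fa-f-]+\})(?: \(([^)]*)\))? - (.*)$")
O17_RE = re.compile(r"^O17 - .*NameServer = (.*)$")
O21_RE = re.compile(r"^O21 - SSODL: (\S+) - (\{[0-9A-Fa-f-]+\}) - (.*)$")
EXE_RE = re.compile(r"^(.+?\.(?:exe|dll|com|scr|pif|bat))(?:\s|$)", re.IGNORECASE)


def first_token(command):
    """Executable part of a Run value: quoted path, unquoted path with spaces, or bare name."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    m = EXE_RE.match(command)
    return m.group(1) if m else command.split(" ", 1)[0]


def triage(log_text):
    """Return [(section, reason, line)] for entries to fix or review."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        m = O4_RE.match(line)
        if m:
            exe = first_token(m.group(4))
            name = exe.rsplit("\\", 1)[-1].lower()
            if name in REMOVED_IN_THREAD:
                findings.append(("O4", "known bad in this thread: " + name, line))
            elif "\\" not in exe and name not in EXPECTED_BARE_NAMES:
                findings.append(("O4", "bare filename resolved via PATH: " + exe, line))
            continue
        m = O16_RE.match(line)
        if m:
            url = m.group(3).lower()
            if not url.startswith(("http://", "https://")) or "::/" in url:
                findings.append(("O16", "download is not a plain HTTP CAB (ms-its/mhtml/CHM path)", line))
            continue
        m = O17_RE.match(line)
        if m:
            for raw in m.group(1).split(","):
                try:
                    ip = ip_address(raw.strip())
                except ValueError:
                    findings.append(("O17", "unparseable NameServer " + raw.strip(), line))
                    continue
                if not (ip.is_private or ip.is_loopback or str(ip) in TRUSTED_RESOLVERS):
                    findings.append(("O17", "resolver not on the trusted list: " + str(ip), line))
            continue
        m = O21_RE.match(line)
        if m:
            findings.append(("O21", "SSODL DLL loaded by Explorer at logon: " + m.group(3), line))
    return findings


if __name__ == "__main__":
    for section, reason, line in triage(SAMPLE_LOG):
        print("%-4s %s\n     %s" % (section, reason, line))
```

On a real log, call triage() on the file contents. The O17 finding is the one to treat as most urgent: a replaced NameServer lets whoever runs those resolvers answer every name lookup the machine makes, including the lookups for the download sites of the cleanup tools, which is why the helper checked who owned 85.255.112.8 before anything else.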

#3
monkeyboyblues (Topic Starter, Member, 146 posts)
Thanks for the quick reply.
Much appreciated! :tazz:

I've already downloaded Trend PC-cillin virus scan, and it is not detecting any viruses or spyware.

Here is the new HJT logfile, post the execution of your instructions:

Logfile of HijackThis v1.99.1
Scan saved at 11:42:27 PM, on 8/25/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\TREND MICRO\INTERNET SECURITY 2005\PCCTLCOM.EXE
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\TREND MICRO\INTERNET SECURITY 2005\PCCIOMON.EXE
C:\PROGRAM FILES\TREND MICRO\INTERNET SECURITY 2005\TMPFW.EXE
C:\WINDOWS\STARTER.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\TROJANHUNTER 4.2\THGUARD.EXE
C:\PROGRAM FILES\TREND MICRO\INTERNET SECURITY 2005\PCCGUIDE.EXE
C:\PROGRAM FILES\EARTHLINK TOTALACCESS\TASKPANL.EXE
C:\PROGRAM FILES\TREND MICRO\INTERNET SECURITY 2005\TMPROXY.EXE
C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.earthlink.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.earthlink...ton/search.html
O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [THGuard] "C:\PROGRAM FILES\TROJANHUNTER 4.2\THGUARD.EXE"
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe"
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [PcCtlCom] C:\PROGRAM FILES\TREND MICRO\INTERNET SECURITY 2005\PCCTLCOM.EXE
O4 - HKCU\..\Run: [WinInitDll] StartCpl.exe
O4 - HKCU\..\Run: [E6TaskPanel] "C:\PROGRAM FILES\EARTHLINK TOTALACCESS\TASKPANL.EXE" -noauth
O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O12 - Plugin for .m4a: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin5.dll
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.c...ers/play365.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 69.50.176.158,85.255.112.8
O21 - SSODL: TKERLGOJsUM - {23321C0A-8998-B6A0-8B2F-14345B2F10D7} - C:\WINDOWS\SYSTEM\OWO.DLL (file missing)

Edited by monkeyboyblues, 25 August 2005 - 09:57 PM.

  • 0

#4
Guest_thatman_* (Guest)
Hi monkeyboyblues

So you live in Ukraine? I don't think you do; you have a trojan on board: StartCpl.exe.
And I need you to run the Panda scanner.

85.255.112.8
Host reachable, 96 ms. average

85.255.112.0 - 85.255.127.255

Inhoster hosting company
OOO Inhoster, Poltavskij Shliax 24, Kharkiv, 61000, Ukraine

Andrei Kislizin
OOO Inhoster,
ul.Antonova 5, Kiev,
03186, Ukraine

Please read through the instructions before you start (you may want to print this out).

Please set your system to show all files; please see here if you're unsure how to do this.

Please go offline, close all browsers and any open Windows, making sure that only HijackThis is open. Scan and when it finishes, put an X in the boxes, only next to these following items:
O4 - HKCU\..\Run: [WinInitDll] StartCpl.exe
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 69.50.176.158,85.255.112.8
O21 - SSODL: TKERLGOJsUM - {23321C0A-8998-B6A0-8B2F-14345B2F10D7} - C:\WINDOWS\SYSTEM\OWO.DLL (file missing)

Click on Fix Checked when finished and exit HijackThis.

Reboot into Safe Mode: please see here if you are not sure how to do this.

Using Windows Explorer, locate the following files/folders, and delete them if found:
StartCpl.exe <-- Delete this file
C:\WINDOWS\SYSTEM\OWO.DLL <-- Delete this file
Exit Explorer. Reboot as normal.

Please run the following free, online virus scans.
http://enterprises.p...l_companies.htm
Please post the log from the Panda virus scan. We will need it to remove previous infections that have left files on your system.

Run HijackThis and post the new log.

Kc :tazz:
  • 0

#5
monkeyboyblues (Topic Starter, Member, 146 posts)
Hello again Kc,

No, I don't live in Ukraine, why do you ask?

Anyway, the Panda scan deleted a wininet.dll file and I couldn't get online. I acquired the file online from another computer and I was able to get back online. However, when I shut down the PC and later turned it on, the error message came back telling me that I was missing the file again, so I had to copy the file back on. Incidentally, my PC will not allow me to copy the file while in Windows; I have to do it in MS-DOS. What's going on here? :tazz:

Here is my Panda scan log file:


Incident Status Location

Spyware:spyware/smitfraud No disinfected C:\WINDOWS\SYSTEM\OLEEXT.DLL
Virus:W32/Smitfraud.E Disinfected Operating system
Adware:adware/topspyware No disinfected C:\WINDOWS\SYSTEM\srpcsrv32.dll
Dialer:dialer.bew No disinfected C:\WINDOWS\SYSTEM\maxd1.exe
Spyware:spyware/smitfraud No disinfected C:\WINDOWS\SYSTEM\oleext.dll
Spyware:spyware/betterinet No disinfected C:\WINDOWS\SYSTEM\msexnpfi.exe
Adware:adware/psguard No disinfected C:\WINDOWS\TEMP\PSGuardInstall.exe
Spyware:spyware/wareout No disinfected C:\WINDOWS\APPLICATION DATA\wo.tmp
Adware:adware/sbsoft No disinfected C:\WINDOWS\rdt.ini
Adware:adware/transponder No disinfected Windows Registry
Virus:Trj/Downloader.DOY Disinfected C:\WINDOWS\SYSTEM\GGG56DZK.DLL
Adware:Adware/TopSpyware No disinfected C:\WINDOWS\SYSTEM\srpcsrv32.dll
Virus:Trj/Troiram.A Disinfected C:\WINDOWS\SYSTEM\dmlis.exe
Virus:Trj/Downloader.EES Disinfected C:\WINDOWS\SYSTEM\cfgrbkrend.exe
Virus:Trj/Troiram.A Disinfected C:\WINDOWS\SYSTEM\dmiin.exe
Virus:Trj/Troiram.A Disinfected C:\WINDOWS\SYSTEM\dmsul.exe
Virus:W32/Smitfraud.E Disinfected C:\WINDOWS\SYSTEM\WININET.DLL
Virus:Trj/Troiram.A Disinfected C:\WINDOWS\SYSTEM\dmzhb.exe
Dialer:Dialer.BSV No disinfected C:\WINDOWS\SYSTEM\winctrl64.exe
Virus:Trj/Teps.A Disinfected C:\WINDOWS\SYSTEM\winctrl16.exe
Virus:Trj/Teps.A Disinfected C:\WINDOWS\SYSTEM\666.exe
Adware:Adware/SearchAid No disinfected C:\WINDOWS\SYSTEM\jaaa.dll
Virus:Trj/Troiram.A Disinfected C:\WINDOWS\SYSTEM\dmsly.exe
Virus:Trj/DelCache.A Disinfected C:\WINDOWS\SYSTEM\cszxu.exe
Virus:Trj/Troiram.A Disinfected C:\WINDOWS\SYSTEM\dmgww.exe
Dialer:Dialer.BEW No disinfected C:\WINDOWS\Temporary Internet Files\Content.IE5\ZNP771OW\m7[1].htm
Dialer:Dialer.BEW No disinfected C:\WINDOWS\Temporary Internet Files\Content.IE5\M5PU3MHS\connect[1].htm
Possible Virus. No disinfected C:\Program Files\TrojanHunter 4.2\Tools\Process Viewer\ProcessViewer.exe
Adware:Adware/SearchAid No disinfected C:\ms32.tmp

Here is my HJT logfile:

Logfile of HijackThis v1.99.1
Scan saved at 6:18:37 PM, on 8/27/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\TREND MICRO\INTERNET SECURITY 2005\PCCTLCOM.EXE
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\TREND MICRO\INTERNET SECURITY 2005\PCCIOMON.EXE
C:\PROGRAM FILES\TREND MICRO\INTERNET SECURITY 2005\TMPFW.EXE
C:\WINDOWS\STARTER.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\TROJANHUNTER 4.2\THGUARD.EXE
C:\PROGRAM FILES\TREND MICRO\INTERNET SECURITY 2005\PCCGUIDE.EXE
C:\PROGRAM FILES\EARTHLINK TOTALACCESS\TASKPANL.EXE
C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\PROGRAM FILES\TREND MICRO\INTERNET SECURITY 2005\TMPROXY.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\NOTEPAD.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.earthlink.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.earthlink...ton/search.html
O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [THGuard] "C:\PROGRAM FILES\TROJANHUNTER 4.2\THGUARD.EXE"
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe"
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [PcCtlCom] C:\PROGRAM FILES\TREND MICRO\INTERNET SECURITY 2005\PCCTLCOM.EXE
O4 - HKCU\..\Run: [E6TaskPanel] "C:\PROGRAM FILES\EARTHLINK TOTALACCESS\TASKPANL.EXE" -noauth
O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O12 - Plugin for .m4a: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin5.dll
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.c...ers/play365.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab

Edited by monkeyboyblues, 27 August 2005 - 09:16 PM.

  • 0

#6
Guest_thatman_* (Guest)
Hi monkeyboyblues

Please read through the instructions before you start (you may want to print this out).

Download Pocket Killbox and unzip it; save it to your Desktop.

Download smitRem.zip and save the file to your desktop.
Right click on the file and extract it to its own folder on the desktop. Don't run it yet!

Please download and install Ad-Aware SE.
Click here for how to set up and use it; please make sure you update it first. Don't run it yet.

Please set your system to show all files; please see here if you're unsure how to do this.

Download CWShredder (there is a link in my signature), unzip it, and save it on the Desktop. Please do not run it yet.

Reboot into Safe Mode: please see here if you are not sure how to do this.

Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen.
Wait for the tool to complete and disk cleanup to finish.

Clean out temporary and TIF files. Go to Start > Run and type in the box: cleanmgr. Let it scan your system for files to remove. Make sure all are checked and then press *ok* to remove:

Run CWShredder to fix your CWS problem.

Run Ad-Aware SE

Run killbox and click the radio button that says Delete a file on reboot. For each of the files you could not delete, paste them one at a time into the full path of file to delete box and click the red circle with a white cross in it.
The program will ask you if you want to reboot; say No each time until the last one has been pasted in whereupon you should answer Yes.
C:\WINDOWS\SYSTEM\OLEEXT.DLL
C:\WINDOWS\SYSTEM\srpcsrv32.dll
C:\WINDOWS\SYSTEM\maxd1.exe
C:\WINDOWS\SYSTEM\oleext.dll
C:\WINDOWS\SYSTEM\msexnpfi.exe
C:\WINDOWS\TEMP\PSGuardInstall.exe
C:\WINDOWS\APPLICATION DATA\wo.tmp
C:\WINDOWS\rdt.ini
C:\WINDOWS\SYSTEM\GGG56DZK.DLL
C:\WINDOWS\SYSTEM\dmlis.exe
C:\WINDOWS\SYSTEM\cfgrbkrend.exe
C:\WINDOWS\SYSTEM\dmiin.exe
C:\WINDOWS\SYSTEM\dmsul.exe
C:\WINDOWS\SYSTEM\WININET.DLL
C:\WINDOWS\SYSTEM\dmzhb.exe
C:\WINDOWS\SYSTEM\winctrl64.exe
C:\WINDOWS\SYSTEM\winctrl16.exe
C:\WINDOWS\SYSTEM\666.exe
C:\WINDOWS\SYSTEM\jaaa.dll
C:\WINDOWS\SYSTEM\dmsly.exe
C:\WINDOWS\SYSTEM\cszxu.exe
C:\WINDOWS\SYSTEM\dmgww.exe
C:\WINDOWS\Temporary Internet Files\Content.IE5\ZNP771OW\m7[1].htm
C:\WINDOWS\Temporary Internet Files\Content.IE5\M5PU3MHS\connect[1].htm
C:\ms32.tmp


Let the system reboot as normal.

Please run the following free, online virus scans.
http://enterprises.p...l_companies.htm
Please post the log from the Panda virus scan. We will need it to remove previous infections that have left files on your system.

Run HijackThis and post the new log.

Kc :tazz:
  • 0
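The Killbox list in the post above was assembled by hand from the Panda report in post #5, which is why OLEEXT.DLL and srpcsrv32.dll each appear twice in it. The Python below is an added example for this page, not a tool from the thread: it parses the "Incident Status Location" table Panda ActiveScan prints, deduplicates paths case-insensitively (Win9x paths are case-insensitive), keeps non-file locations ("Operating system", "Windows Registry") and heuristic "Possible Virus." hits out of the delete list, puts entries Panda already reports as Disinfected in their own bucket so you can confirm the file is really gone, and sets aside anything in a small SYSTEM_FILES set. That set is an assumption of the example; post #5 shows what happens to the network stack when WININET.DLL goes missing, so a file like that is replaced from install media, not pasted into Killbox. The sample report is a constructed subset of the page's own log.

```python
import re

# Constructed subset of the Panda ActiveScan report in post #5 (same row format).
SAMPLE_REPORT = r"""
Incident Status Location

Spyware:spyware/smitfraud No disinfected C:\WINDOWS\SYSTEM\OLEEXT.DLL
Virus:W32/Smitfraud.E Disinfected Operating system
Adware:adware/topspyware No disinfected C:\WINDOWS\SYSTEM\srpcsrv32.dll
Spyware:spyware/smitfraud No disinfected C:\WINDOWS\SYSTEM\oleext.dll
Adware:adware/psguard No disinfected C:\WINDOWS\TEMP\PSGuardInstall.exe
Adware:adware/transponder No disinfected Windows Registry
Adware:Adware/TopSpyware No disinfected C:\WINDOWS\SYSTEM\srpcsrv32.dll
Virus:Trj/Troiram.A Disinfected C:\WINDOWS\SYSTEM\dmlis.exe
Virus:W32/Smitfraud.E Disinfected C:\WINDOWS\SYSTEM\WININET.DLL
Possible Virus. No disinfected C:\Program Files\TrojanHunter 4.2\Tools\Process Viewer\ProcessViewer.exe
Adware:Adware/SearchAid No disinfected C:\ms32.tmp
"""

# Each row is "<detection> <status> <location>"; the status token is the only fixed anchor,
# so match it case-sensitively and take everything before it as the detection name.
PANDA_RE = re.compile(r"^(.*?)\s+(No disinfected|Disinfected)\s+(.+)$")
NON_FILE_LOCATIONS = {"operating system", "windows registry"}
# Assumption: OS files that must be replaced from install media rather than deleted.
SYSTEM_FILES = {"wininet.dll", "kernel32.dll", "user32.dll", "shell32.dll"}


def parse_panda(report):
    """Yield (detection, status, location) for each incident row."""
    for line in report.splitlines():
        m = PANDA_RE.match(line.strip())
        if m:
            yield m.groups()


def killbox_plan(report):
    """Sort incidents into buckets; 'delete' is the list to paste into Killbox."""
    plan = {"delete": [], "disinfected": [], "system": [], "review": [], "non_file": []}
    seen = set()
    for detection, status, location in parse_panda(report):
        if location.lower() in NON_FILE_LOCATIONS:
            plan["non_file"].append((location, detection))
            continue
        key = location.lower()            # Win9x paths are case-insensitive
        if key in seen:
            continue                      # OLEEXT.DLL / oleext.dll, repeated srpcsrv32.dll
        seen.add(key)
        basename = key.rsplit("\\", 1)[-1]
        if basename in SYSTEM_FILES:
            plan["system"].append(location)
        elif detection.startswith("Possible Virus"):
            plan["review"].append(location)   # heuristic hit, here on a legitimate tool
        elif status == "Disinfected":
            plan["disinfected"].append(location)
        else:
            plan["delete"].append(location)
    return plan


if __name__ == "__main__":
    for bucket, items in killbox_plan(SAMPLE_REPORT).items():
        print(bucket)
        for item in items:
            print("   ", item)
```

The "review" bucket exists because Panda's "Possible Virus." is a heuristic verdict; the helper likewise left ProcessViewer.exe out of the Killbox list, since it belongs to the TrojanHunter install rather than to the infection.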

#7
monkeyboyblues (Topic Starter, Member, 146 posts)
kc,

thanks again for your help.


Panda virus scan log file:



Incident Status Location

Virus:Trj/Qhost.BP Disinfected Operating system
Spyware:spyware/wareout No disinfected C:\PROGRAM FILES\WareOut
Adware:adware/sbsoft No disinfected Windows Registry
Possible Virus. No disinfected C:\Program Files\TrojanHunter 4.2\Tools\Process Viewer\ProcessViewer.exe



HJT logfile:

Logfile of HijackThis v1.99.1
Scan saved at 5:04:16 PM, on 8/28/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\TREND MICRO\INTERNET SECURITY 2005\PCCTLCOM.EXE
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\TREND MICRO\INTERNET SECURITY 2005\PCCIOMON.EXE
C:\PROGRAM FILES\TREND MICRO\INTERNET SECURITY 2005\TMPFW.EXE
C:\WINDOWS\STARTER.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\TROJANHUNTER 4.2\THGUARD.EXE
C:\PROGRAM FILES\TREND MICRO\INTERNET SECURITY 2005\PCCGUIDE.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\PROGRAM FILES\TREND MICRO\INTERNET SECURITY 2005\TMPROXY.EXE
C:\PROGRAM FILES\EARTHLINK TOTALACCESS\TASKPANL.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
C:\PROGRAM FILES\EARTHLINK TOTALACCESS\FASTLANE\ARUPLD32.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.earthlink.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.earthlink...ton/search.html
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar.dll
O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [THGuard] "C:\PROGRAM FILES\TROJANHUNTER 4.2\THGUARD.EXE"
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [PcCtlCom] C:\PROGRAM FILES\TREND MICRO\INTERNET SECURITY 2005\PCCTLCOM.EXE
O4 - HKCU\..\Run: [E6TaskPanel] "C:\PROGRAM FILES\EARTHLINK TOTALACCESS\TASKPANL.EXE" -noauth
O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR.DLL/cmsearch.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR.DLL/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR.DLL/cmsimilar.html
O8 - Extra context menu item: Backward &Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR.DLL/cmtrans.html
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.c...ers/play365.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
  • 0

#8
Guest_thatman_* (Guest)
Hi monkeyboyblues

Go to Start->Run and type in regedit and hit OK. Go to File->Export and save the registry somewhere as a backup. Close the Registry Editor now. Go to Start->Run and type in notepad and hit OK. Then copy and paste the following into Notepad:

REGEDIT4
[-HKEY_CLASSES_ROOT\ToolBand.ToolBandObj.1]
[-HKEY_CLASSES_ROOT\ToolBand.ToolBandObj]
[-HKEY_CLASSES_ROOT\ToolBand.StartBHO.1]
[-HKEY_CLASSES_ROOT\ToolBand.StartBHO]
[-HKEY_CLASSES_ROOT\CLSID\{0E1230F8-EA50-42A9-983C-D22ABC2EED3B}]
[-HKEY_CLASSES_ROOT\CLSID\{A9AEE0DD-89E1-40EE-8749-A18650CC2175}]
[-HKEY_CLASSES_ROOT\Interface\{F9BDB492-37D6-4E33-B324-058B22E21FFA}]
[-HKEY_CLASSES_ROOT\TypeLib\{1293FED0-03D0-4426-B0CF-9D3C5141BA8C}]
[-HKEY_CLASSES_ROOT\Popup.Pop]
[-HKEY_CLASSES_ROOT\Popup.Pop.1]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A9AEE0DD-89E1-40EE-8749-A18650CC2175}]
[-HKEY_ALL_USERS\Software\Microsoft\Internet Explorer\URLSearchHooks\{30192F8D-0958-44E6-B54D-331FD39AC959}]
[-HKEY_ALL_USERS\Software\SerG]
[-HKEY_ALL_USERS\Software\Pop]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Winds_24]
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar\{0E1230F8-EA50-42A9-983C-D22ABC2EED3B}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SBSoft]

Save the file as "delete.reg". Make sure to save it with the quotes. Double click on it and choose Yes to merge it. You may delete the file afterwards.

Doubleclick the file and confirm you want to merge it with the registry. Make sure you do this step first before going any further.

Use Windows Explorer to delete the following files/folders:
C:\PROGRAM FILES\WareOut <-- Delete this folder

Please run the following free, online virus scans.
http://enterprises.p...l_companies.htm
Please post the log from the Panda virus scan. We will need it to remove previous infections that have left files on your system.

Run HijackThis and post the new log.

Kc :tazz:
  • 0

#9
monkeyboyblues (Topic Starter, Member, 146 posts)
ok,

Here's my Panda scan report:


Incident Status Location

Virus:Trj/Qhost.BP Disinfected Operating system
Adware:adware/sbsoft No disinfected Windows Registry
Spyware:Spyware/Cydoor No disinfected C:\Program Files\Spybot - Search & Destroy\Dummies\dummy.cd_clint.dll
Possible Virus. No disinfected C:\Program Files\TrojanHunter 4.2\Tools\Process Viewer\ProcessViewer.exe


Here's my HJT logfile:

Logfile of HijackThis v1.99.1
Scan saved at 12:26:13 PM, on 8/29/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\TREND MICRO\INTERNET SECURITY 2005\PCCTLCOM.EXE
C:\PROGRAM FILES\TREND MICRO\INTERNET SECURITY 2005\PCCIOMON.EXE
C:\PROGRAM FILES\TREND MICRO\INTERNET SECURITY 2005\TMPFW.EXE
C:\PROGRAM FILES\TREND MICRO\INTERNET SECURITY 2005\TMPROXY.EXE
C:\PROGRAM FILES\TREND MICRO\INTERNET SECURITY 2005\PCCGUIDE.EXE
C:\WINDOWS\STARTER.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\TROJANHUNTER 4.2\THGUARD.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\PROGRAM FILES\EARTHLINK TOTALACCESS\TASKPANL.EXE
C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\PROGRAM FILES\EARTHLINK TOTALACCESS\FASTLANE\ARUPLD32.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.earthlink.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.earthlink...ton/search.html
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar.dll
O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [THGuard] "C:\PROGRAM FILES\TROJANHUNTER 4.2\THGUARD.EXE"
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [PcCtlCom] C:\PROGRAM FILES\TREND MICRO\INTERNET SECURITY 2005\PCCTLCOM.EXE
O4 - HKCU\..\Run: [E6TaskPanel] "C:\PROGRAM FILES\EARTHLINK TOTALACCESS\TASKPANL.EXE" -noauth
O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR.DLL/cmsearch.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR.DLL/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR.DLL/cmsimilar.html
O8 - Extra context menu item: Backward &Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR.DLL/cmtrans.html
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.c...ers/play365.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
  • 0

#10
Guest_thatman_* (Guest)
Hi monkeyboyblues

* Download the Registry Search Tool.
* Unzip the contents of RegSrch.zip to a convenient location.
* Double-click on RegSrch.vbs.
* If you have an anti-virus installed it might prompt you about a running script. Please ignore this warning and allow the script to run.
* In the "Enter search string (case insensitive) and click OK..." box paste this string:
sbsoft
* Click "OK" to search the registry for that string.
* Wait for a few minutes while it completes the search.
* Click "OK" to open the results in WordPad.
* Copy and paste the entire results into your next post.
Kc :tazz:
  • 0



#11
monkeyboyblues (Topic Starter, Member, 146 posts)
Hello Kc,

I performed the search with the Registry Search Tool and it said no traces of "sbsoft" found, but it did not prompt me with a WordPad log.

I hope I did good. :tazz:
  • 0

#12
Guest_thatman_* (Guest)
Hi monkeyboyblues

Go to Start->Run and type in regedit and hit OK. Go to File->Export and save the registry somewhere as a backup. Close the Registry Editor now. Go to Start->Run and type in notepad and hit OK. Then copy and paste the following into Notepad:

REGEDIT4
; Each [-KEY] line deletes that key and everything under it when the file is merged.
[-HKEY_CLASSES_ROOT\ToolBand.ToolBandObj.1]
[-HKEY_CLASSES_ROOT\ToolBand.ToolBandObj]
[-HKEY_CLASSES_ROOT\ToolBand.StartBHO.1]
[-HKEY_CLASSES_ROOT\ToolBand.StartBHO]
[-HKEY_CLASSES_ROOT\CLSID\{0E1230F8-EA50-42A9-983C-D22ABC2EED3B}]
[-HKEY_CLASSES_ROOT\CLSID\{A9AEE0DD-89E1-40EE-8749-A18650CC2175}]
[-HKEY_CLASSES_ROOT\Interface\{F9BDB492-37D6-4E33-B324-058B22E21FFA}]
[-HKEY_CLASSES_ROOT\TypeLib\{1293FED0-03D0-4426-B0CF-9D3C5141BA8C}]
[-HKEY_CLASSES_ROOT\Popup.Pop]
[-HKEY_CLASSES_ROOT\Popup.Pop.1]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A9AEE0DD-89E1-40EE-8749-A18650CC2175}]
; Per-user keys: HKEY_CURRENT_USER is the root for these (HKEY_ALL_USERS is not a valid registry root).
[-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks\{30192F8D-0958-44E6-B54D-331FD39AC959}]
[-HKEY_CURRENT_USER\Software\SerG]
[-HKEY_CURRENT_USER\Software\Pop]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Winds_24]
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar\{0E1230F8-EA50-42A9-983C-D22ABC2EED3B}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SBSoft]

Save the file as "delete.reg". Make sure to save it with the quotes. Double-click on it and choose Yes to merge it. You may delete the file afterwards.

Double-click the file and confirm you want to merge it with the registry. Make sure you do this step first before going any further.

Reboot as normal

Please run the following free, online virus scans.
http://enterprises.p...l_companies.htm
Please post the log from the Panda virus scan. We will need it to remove previous infections that have left files on your system.

Run HijackThis and post the new log.

Kc :tazz:

#13 monkeyboyblues (Topic Starter, Member, 146 posts)
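As an added example (not from the thread, nor from HijackThis or the Registry Search Tool), the Python below parses a REGEDIT4 delete file of the kind posted above and checks two things a helper wants to know before asking someone to merge it: that every root key is one regedit actually recognises, and which HijackThis log lines refer to the CLSIDs being deleted. The sample .reg text and HijackThis lines are constructed for the demonstration; the DLL path in the O2 line is a placeholder.

```python
import re

# Root keys that REGEDIT4 recognises (HKEY_DYN_DATA exists only on Win9x). A delete
# line with any other root, e.g. HKEY_ALL_USERS, names no real key and does nothing.
VALID_ROOTS = {"HKEY_CLASSES_ROOT", "HKEY_CURRENT_USER", "HKEY_LOCAL_MACHINE",
               "HKEY_USERS", "HKEY_CURRENT_CONFIG", "HKEY_DYN_DATA"}
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")

def parse_reg_deletes(reg_text):
    """Parse a REGEDIT4 file made of [-KEY] lines; return (keys, problems)."""
    keys, problems = [], []
    lines = [l.strip() for l in reg_text.strip().splitlines()]
    if lines and lines[0] == "REGEDIT4":
        lines = lines[1:]
    else:
        problems.append("missing REGEDIT4 header")
    for line in lines:
        if not line or line.startswith(";"):      # blank or comment line
            continue
        m = re.fullmatch(r"\[-(.+)\]", line)
        if not m:
            problems.append("not a delete entry: " + line)
            continue
        key = m.group(1)
        if key.split("\\", 1)[0] not in VALID_ROOTS:
            problems.append("unknown root key: " + key)
        keys.append(key)
    return keys, problems

def hjt_lines_for_deletes(hjt_log, keys):
    """Map each CLSID named in a delete key to the HijackThis lines citing it."""
    wanted = {c.upper() for k in keys for c in CLSID_RE.findall(k)}
    hits = {}
    for line in hjt_log.splitlines():
        for c in CLSID_RE.findall(line):
            if c.upper() in wanted:
                hits.setdefault(c.upper(), []).append(line.strip())
    return hits

# Constructed sample: two CLSID keys from the thread's fix plus one bad root.
SAMPLE_REG = """REGEDIT4
[-HKEY_CLASSES_ROOT\\CLSID\\{A9AEE0DD-89E1-40EE-8749-A18650CC2175}]
[-HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Internet Explorer\\Toolbar\\{0E1230F8-EA50-42A9-983C-D22ABC2EED3B}]
[-HKEY_ALL_USERS\\Software\\SerG]
"""
# Constructed HijackThis excerpt; the DLL path is a placeholder, not from the thread.
SAMPLE_HJT = """O2 - BHO: (no name) - {A9AEE0DD-89E1-40EE-8749-A18650CC2175} - C:\\WINDOWS\\SYSTEM\\PLACEHOLDER.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\\program files\\google\\googletoolbar.dll
"""
```

Running `parse_reg_deletes(SAMPLE_REG)` reports the HKEY_ALL_USERS entry as an unknown root, and `hjt_lines_for_deletes` shows that only the O2 line is covered by the deletions while the Google toolbar entry is left alone.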
thanks kc,


panda scan report:

Incident                   Status           Location
Adware:adware/sbsoft       No disinfected   Windows Registry
Virus:Trj/Troiram.A        Disinfected      C:\WINDOWS\SYSTEM\dmkpe.exe
Virus:Trj/DelCache.A       Disinfected      C:\WINDOWS\SYSTEM\csmjo.exe
Spyware:Spyware/Cydoor     No disinfected   C:\Program Files\Spybot - Search & Destroy\Dummies\dummy.cd_clint.dll
Possible Virus.            No disinfected   C:\Program Files\TrojanHunter 4.2\Tools\Process Viewer\ProcessViewer.exe


HJT logfile:

Logfile of HijackThis v1.99.1
Scan saved at 10:54:03 AM, on 8/31/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\TREND MICRO\INTERNET SECURITY 2005\PCCTLCOM.EXE
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\TREND MICRO\INTERNET SECURITY 2005\PCCIOMON.EXE
C:\PROGRAM FILES\TREND MICRO\INTERNET SECURITY 2005\TMPFW.EXE
C:\WINDOWS\SYSTEM\WBEM\WINMGMT.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\PROGRAM FILES\TREND MICRO\INTERNET SECURITY 2005\TMPROXY.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\STARTER.EXE
C:\PROGRAM FILES\TREND MICRO\INTERNET SECURITY 2005\PCCGUIDE.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\TROJANHUNTER 4.2\THGUARD.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\PROGRAM FILES\EARTHLINK TOTALACCESS\TASKPANL.EXE
C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\EARTHLINK TOTALACCESS\FASTLANE\ARUPLD32.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.earthlink.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.earthlink...ton/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.earthlink.net/
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar.dll
O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [THGuard] "C:\PROGRAM FILES\TROJANHUNTER 4.2\THGUARD.EXE"
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [PcCtlCom] C:\PROGRAM FILES\TREND MICRO\INTERNET SECURITY 2005\PCCTLCOM.EXE
O4 - HKCU\..\Run: [E6TaskPanel] "C:\PROGRAM FILES\EARTHLINK TOTALACCESS\TASKPANL.EXE" -noauth
O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR.DLL/cmsearch.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR.DLL/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR.DLL/cmsimilar.html
O8 - Extra context menu item: Backward &Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR.DLL/cmtrans.html
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.c...ers/play365.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab

#14 Guest_thatman_* (Guest)
Hi monkeyboyblues

Use Windows Explorer to delete the following files/folders:
C:\WINDOWS\SYSTEM\dmkpe.exe <-- Delete this file
C:\WINDOWS\SYSTEM\csmjo.exe <-- Delete this file

I will leave this for a couple of days; that will allow me to research sbsoft.
I like to remove malware from the registry. You are in no danger from the program; all we have left are some useless registry keys that will not work without the software on your system.

Please post back in two days with a new Panda scan and a new HJT log.

Kc :tazz:

#15 monkeyboyblues (Topic Starter, Member, 146 posts)
hello kc,

here's the pandascan report:


Incident                   Status           Location
Adware:adware/sbsoft       No disinfected   Windows Registry
Possible Virus.            No disinfected   C:\Program Files\TrojanHunter 4.2\Tools\Process Viewer\ProcessViewer.exe



here's the HJT logfile:

Logfile of HijackThis v1.99.1
Scan saved at 10:46:58 AM, on 9/2/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\TREND MICRO\INTERNET SECURITY 2005\PCCTLCOM.EXE
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\TREND MICRO\INTERNET SECURITY 2005\PCCIOMON.EXE
C:\PROGRAM FILES\TREND MICRO\INTERNET SECURITY 2005\TMPFW.EXE
C:\WINDOWS\SYSTEM\WBEM\WINMGMT.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\STARTER.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\TROJANHUNTER 4.2\THGUARD.EXE
C:\PROGRAM FILES\TREND MICRO\INTERNET SECURITY 2005\PCCGUIDE.EXE
C:\PROGRAM FILES\TREND MICRO\INTERNET SECURITY 2005\TMPROXY.EXE
C:\PROGRAM FILES\EARTHLINK TOTALACCESS\TASKPANL.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
C:\PROGRAM FILES\EARTHLINK TOTALACCESS\FASTLANE\ARUPLD32.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.earthlink.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.earthlink...ton/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.earthlink.net/
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar.dll
O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [THGuard] "C:\PROGRAM FILES\TROJANHUNTER 4.2\THGUARD.EXE"
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [PcCtlCom] C:\PROGRAM FILES\TREND MICRO\INTERNET SECURITY 2005\PCCTLCOM.EXE
O4 - HKCU\..\Run: [E6TaskPanel] "C:\PROGRAM FILES\EARTHLINK TOTALACCESS\TASKPANL.EXE" -noauth
O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR.DLL/cmsearch.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR.DLL/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR.DLL/cmsimilar.html
O8 - Extra context menu item: Backward &Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR.DLL/cmtrans.html
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.c...ers/play365.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab