Please find requested logs below.
Panda report:
Incident Status Location
Adware:Adware/StartPage.AES No disinfected C:\q626464.exe
Possible Virus. No disinfected D:\Program Files\TrojanHunter 4.2\Tools\Process Viewer\ProcessViewer.exe
HijackThis:
Logfile of HijackThis v1.99.1
Scan saved at 11:33:28 AM, on 8/31/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
D:\WINDOWS\SYSTEM\KERNEL32.DLL
D:\WINDOWS\SYSTEM\MSGSRV32.EXE
D:\WINDOWS\SYSTEM\MPREXE.EXE
D:\WINDOWS\SYSTEM\mmtask.tsk
D:\WINDOWS\SYSTEM\MSTASK.EXE
D:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
D:\WINDOWS\EXPLORER.EXE
D:\WINDOWS\SYSTEM\RNAAPP.EXE
D:\WINDOWS\SYSTEM\TAPISRV.EXE
D:\WINDOWS\TASKMON.EXE
D:\WINDOWS\SYSTEM\SYSTRAY.EXE
D:\WINDOWS\SYSTEM\PDESK.EXE
D:\WINDOWS\RUNDLL32.EXE
D:\PROGRAM FILES\TROJANHUNTER 4.2\THGUARD.EXE
D:\PROGRAM FILES\NETZERO\EXEC.EXE
D:\PROGRAM FILES\NZSEARCH\NZSPC.EXE
D:\PROGRAM FILES\EARTHLINK TOTALACCESS\TASKPANL.EXE
D:\PROGRAM FILES\CALLWAVE\IAM.EXE
D:\WINDOWS\SYSTEM\DDHELP.EXE
D:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\OSA.EXE
C:\OLDDRIVE\PROGRAM FILES\WINZIP\WZQKPICK.EXE
D:\PROGRAM FILES\NETZERO\EXEC.EXE
D:\WINDOWS\SYSTEM\WMIEXE.EXE
D:\WINDOWS\SYSTEM\PSTORES.EXE
D:\HIJACK\HIJACKTHIS.EXE
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
http://start.earthlink.netR1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
http://www.earthlink...ton/search.htmlR1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar =
http://start.earthlink.net/AL/SearchR1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page =
http://my.netzero.ne...ch?r=minisearchR0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
http://start.earthlink.netR1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
http://my.netzero.ne...ch?r=minisearchR1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://D:\WINDOWS\TEMP\se.dll/space.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page =
http://my.netzero.ne...ch?r=minisearchR0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
http://start.earthlink.net/AL/SearchR1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) =
http://my.netzero.ne...ch?r=minisearchR1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext =
http://my.netzero.ne...=6.0B2&N=PL&O=IR3 - URLSearchHook: SrchHook Class - {44F9B173-041C-4825-A9B9-D914BD9DCBB3} - D:\Program Files\EarthLink TotalAccess\ElnIE.dll
R3 - URLSearchHook: (no name) - ~37D2CDBF-2AF4-44AA-8113-BD0D2DA3C2B8} - (no file)
F1 - win.ini: run=HPFsched
O2 - BHO: EarthLink Popup Blocker - {4B5F2E08-6F39-479a-B547-B2026E4C7EDF} - D:\Program Files\EarthLink TotalAccess\PnEL.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: ZeroBar - {F5735C15-1FB2-41FE-BA12-242757E69DDE} - D:\PROGRAM FILES\NETZERO\TOOLBAR.DLL
O3 - Toolbar: EarthLink Toolbar - {D7F30B62-8269-41AF-9539-B2697FA7D77E} - D:\Program Files\EarthLink TotalAccess\PnEL.dll
O3 - Toolbar: ZeroBar - {F0F8ECBE-D460-4B34-B007-56A92E8F84A7} - D:\PROGRAM FILES\NETZERO\TOOLBAR.DLL
O4 - HKLM\..\Run: [ScanRegistry] D:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] D:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Matrox Powerdesk] D:\WINDOWS\SYSTEM\PDesk.exe /Autolaunch
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [intell32.exe] D:\WINDOWS\SYSTEM\intell32.exe
O4 - HKLM\..\Run: [PSGuard] D:\Program Files\PSGuard\PSGuard.exe
O4 - HKLM\..\Run: [THGuard] "D:\PROGRAM FILES\TROJANHUNTER 4.2\THGUARD.EXE"
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [KB891711] D:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
O4 - HKCU\..\Run: [NetZero_uoltray] D:\PROGRAM FILES\NETZERO\EXEC.EXE regrun
O4 - HKCU\..\Run: [Yahoo! Pager] D:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [spc_w] "D:\Program Files\NZSearch\nzspc.exe" -w
O4 - HKCU\..\Run: [E6TaskPanel] "D:\PROGRAM FILES\EARTHLINK TOTALACCESS\TASKPANL.EXE" -winstart
O4 - Startup: Internet Answering Machine.lnk = D:\Program Files\CallWave\IAM.EXE
O4 - Startup: Office Startup.lnk = D:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Startup: WinZip Quick Pick.lnk = C:\OLDdrive\Program Files\WinZip\WZQKPICK.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - D:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - D:\WINDOWS\web\related.htm
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) -
http://security.syma...n/bin/cabsa.cabO16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) -
http://security.syma...bin/AvSniff.cabSpSeHjfix:
(8/30/05 3:37:46 PM) SPSeHjFix started v1.09
(8/30/05 3:37:47 PM) OS: Win98SE A (4.10.67766446)
(8/30/05 3:37:47 PM) Language: english
(8/30/05 3:37:56 PM) Disinfect started
(8/30/05 3:37:56 PM) Bad-Dll(IEP): (not found)
(8/30/05 3:37:56 PM) Bad-Dll(IEP) in BHO: (not found)
(8/30/05 3:37:56 PM) UBF: 4
(8/30/05 3:37:56 PM) UBB: 0
(8/30/05 3:37:56 PM) UBR: 19
(8/30/05 3:37:56 PM) Run-Key: HKLM\Software\Microsoft\Windows\CurrentVersion\Run\sp=rundll32 D:\WINDOWS\TEMP\SE.DLL,DllInstall (deleted)
(8/30/05 3:37:56 PM) Bad IE-pages:
(8/30/05 3:37:56 PM) Stealth-String not found:
(8/30/05 3:37:56 PM) File added to delete: d:\windows\temp\se.dll
(8/30/05 3:37:56 PM) Reboot
(8/30/05 3:38:35 PM) SPSeHjFix 2nd Step
(8/30/05 3:38:35 PM) RunServicesOnce-Key: (edited)
(8/30/05 3:38:51 PM) Cleaned
Smitfiles:
smitRem log file
version 2.3
by noahdfear
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Pre-run Files Present
~~~ Program Files ~~~
~~~ Shortcuts ~~~
~~~ Favorites ~~~
~~~ system folder ~~~
oleext.dll
~~~ Icons in system folder ~~~
~~~ Windows directory ~~~
~~~ Drive root ~~~
~~~~ wininet.dll ~~~~
wininet.dll Present!!
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Post-run Files Present
~~~ Program Files ~~~
~~~ Shortcuts ~~~
~~~ Favorites ~~~
~~~ system folder ~~~
oleext.dll
~~~ Icons in system folder ~~~
~~~ Windows directory ~~~
~~~ Drive root ~~~
~~~~ wininet.dll ~~~~
wininet.dll Clean!!
Latest HijackThis run just before posting:
Logfile of HijackThis v1.99.1
Scan saved at 2:41:58 PM, on 8/31/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
D:\WINDOWS\SYSTEM\KERNEL32.DLL
D:\WINDOWS\SYSTEM\MSGSRV32.EXE
D:\WINDOWS\SYSTEM\MPREXE.EXE
D:\WINDOWS\SYSTEM\mmtask.tsk
D:\WINDOWS\SYSTEM\MSTASK.EXE
D:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
D:\WINDOWS\TASKMON.EXE
D:\WINDOWS\SYSTEM\SYSTRAY.EXE
D:\WINDOWS\SYSTEM\PDESK.EXE
D:\WINDOWS\RUNDLL32.EXE
D:\PROGRAM FILES\TROJANHUNTER 4.2\THGUARD.EXE
D:\PROGRAM FILES\NETZERO\EXEC.EXE
D:\PROGRAM FILES\CALLWAVE\IAM.EXE
D:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\OSA.EXE
D:\WINDOWS\SYSTEM\DDHELP.EXE
C:\OLDDRIVE\PROGRAM FILES\WINZIP\WZQKPICK.EXE
D:\WINDOWS\SYSTEM\TAPISRV.EXE
D:\WINDOWS\SYSTEM\WMIEXE.EXE
D:\PROGRAM FILES\NETZERO\EXEC.EXE
D:\WINDOWS\SYSTEM\PSTORES.EXE
D:\WINDOWS\SYSTEM\SPOOL32.EXE
D:\PROGRAM FILES\EARTHLINK TOTALACCESS\TASKPANL.EXE
D:\WINDOWS\SYSTEM\RNAAPP.EXE
D:\WINDOWS\SLRUNDLL.EXE
D:\PROGRAM FILES\EARTHLINK TOTALACCESS\FASTLANE\IPCLIENT.EXE
D:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\WINWORD.EXE
D:\WINDOWS\EXPLORER.EXE
D:\HIJACK\HIJACKTHIS.EXE
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
http://start.earthlink.netR1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
http://www.earthlink...ton/search.htmlR1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar =
http://start.earthlink.net/AL/SearchR0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
http://start.earthlink.netR0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
http://start.earthlink.net/AL/SearchR1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext =
http://my.netzero.ne...=6.0B2&N=PL&O=IR3 - URLSearchHook: SrchHook Class - {44F9B173-041C-4825-A9B9-D914BD9DCBB3} - D:\Program Files\EarthLink TotalAccess\ElnIE.dll
R3 - URLSearchHook: (no name) - ~CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
F1 - win.ini: run=HPFsched
O2 - BHO: EarthLink Popup Blocker - {4B5F2E08-6F39-479a-B547-B2026E4C7EDF} - D:\Program Files\EarthLink TotalAccess\PnEL.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: ZeroBar - {F5735C15-1FB2-41FE-BA12-242757E69DDE} - D:\PROGRAM FILES\NETZERO\TOOLBAR.DLL
O3 - Toolbar: EarthLink Toolbar - {D7F30B62-8269-41AF-9539-B2697FA7D77E} - D:\Program Files\EarthLink TotalAccess\PnEL.dll
O3 - Toolbar: ZeroBar - {F0F8ECBE-D460-4B34-B007-56A92E8F84A7} - D:\PROGRAM FILES\NETZERO\TOOLBAR.DLL
O4 - HKLM\..\Run: [ScanRegistry] D:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] D:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Matrox Powerdesk] D:\WINDOWS\SYSTEM\PDesk.exe /Autolaunch
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [THGuard] "D:\PROGRAM FILES\TROJANHUNTER 4.2\THGUARD.EXE"
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [KB891711] D:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
O4 - HKCU\..\Run: [NetZero_uoltray] D:\PROGRAM FILES\NETZERO\EXEC.EXE regrun
O4 - HKCU\..\Run: [Yahoo! Pager] D:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [spc_w] "D:\Program Files\NZSearch\nzspc.exe" -w
O4 - HKCU\..\Run: [E6TaskPanel] "D:\PROGRAM FILES\EARTHLINK TOTALACCESS\TASKPANL.EXE" -winstart
O4 - Startup: Internet Answering Machine.lnk = D:\Program Files\CallWave\IAM.EXE
O4 - Startup: Office Startup.lnk = D:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Startup: WinZip Quick Pick.lnk = C:\OLDdrive\Program Files\WinZip\WZQKPICK.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) -
http://security.syma...n/bin/cabsa.cabO16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) -
http://security.syma...bin/AvSniff.cabO16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) -
http://www3.ca.com/s...nfo/webscan.cabO16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) -
http://www.pandasoft...free/asinst.cab