Startpage.19.AO [RESOLVED]


  • This topic is locked

#1
falcon1717

falcon1717

    New Member

  • Member
  • Pip
  • 6 posts
Hi,

I am running Win98SE and have picked up this trojan which has hijacked my browser startpage and is allowing popups and enabling a virus which AVG detects and heals.

I am running updated versions of CWShredder, AVG, AdAware, and Spybot S&D.
My HijackThis log is below:

Logfile of HijackThis v1.99.1
Scan saved at 11:21:57 PM, on 10/7/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v5.00 (5.00.2614.3500)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SDKNN.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\3DFX INTERACTIVE\3DFX TOOLS\APPS\3DFXMAN.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\WINDOWS\IEYJ32.EXE
C:\WINDOWS\TEMP\F241.TMP.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\WINDOWS\TEMP\F244.TMP.EXE
C:\WINDOWS\RunDLL.exe
C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\ANTISPYWARE\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system\bnyjc.dll/sp.html#93256
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system\bnyjc.dll/sp.html#93256
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system\bnyjc.dll/sp.html#93256
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system\bnyjc.dll/sp.html#93256
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system\bnyjc.dll/sp.html#93256
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system\bnyjc.dll/sp.html#93256
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {32003FED-E118-27E1-7F26-894B06E86B08} - C:\WINDOWS\SYSTEM\NETRY32.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [3dfx Tools] rundll32.exe 3dfxCmn.dll,CMNUpdateOnBoot
O4 - HKLM\..\Run: [3dfx Task Manager] "C:\Program Files\3dfx Interactive\3dfx Tools\Apps\3dfxMan.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [IEYJ32.EXE] C:\WINDOWS\IEYJ32.EXE
O4 - HKLM\..\Run: [F241.TMP] C:\WINDOWS\TEMP\F241.TMP.exe
O4 - HKLM\..\Run: [F244.TMP] C:\WINDOWS\TEMP\F244.TMP.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\Run: [F241.TMP.EXE] C:\WINDOWS\TEMP\F241.TMP.EXE
O4 - HKLM\..\Run: [F244.TMP.EXE] C:\WINDOWS\TEMP\F244.TMP.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] C:\WINDOWS\SYSTEM\mstask.exe
O4 - HKLM\..\RunServices: [SDKNN.EXE] C:\WINDOWS\SDKNN.EXE /s
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - HKCU\..\Run: [SNInstall] C:\WINDOWS\TEMP\F163.TMP
O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.r...ip/RdxIE601.cab


Thanks.
  • 0



#2
Trevuren

Trevuren

    Old Dog

  • Retired Staff
  • 18,699 posts
Hi falcon1717 and welcome to the Geeks to Go Forums.

My name is Trevuren and I will be helping you with your log.

1. Please DELETE your current HJT program from its present location.

2. Download and run the following HijackThis autoinstall program from Here. Please choose the default location of C:\Program Files\ as the destination. HJT needs to be in its own folder so that the program itself isn't deleted by accident. Having the backups could be VITAL to restoring your system if something went wrong in the FIX process!
  • Run HijackThis
  • Click SCAN and SAVE LOG. (A Notepad window will open with the log in it when you click Save Log.) (Ctrl-A to 'select all', Ctrl-C to 'copy')
  • POST the log into this thread using 'Add Reply' (Ctrl-V to 'paste')

DO NOT MAKE ANY CHANGES OR CLICK "FIX CHECKED" UNTIL WE CHECK THE LOG, AS MOST OF THE FILES ARE LEGIT AND VITAL TO THE FUNCTION OF YOUR COMPUTER


Regards,

Trevuren

  • 0

#3
falcon1717

falcon1717

    New Member

  • Topic Starter
  • Member
  • Pip
  • 6 posts
Hi,

Thanks for the help. I deleted the old HijackThis and installed it to its own folder in the Program Files directory.

My new log is here:

Logfile of HijackThis v1.99.1
Scan saved at 11:51:00 PM, on 10/7/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v5.00 (5.00.2614.3500)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SDKNN.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\3DFX INTERACTIVE\3DFX TOOLS\APPS\3DFXMAN.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\WINDOWS\IEYJ32.EXE
C:\WINDOWS\TEMP\F241.TMP.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\WINDOWS\TEMP\F244.TMP.EXE
C:\WINDOWS\RunDLL.exe
C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system\bnyjc.dll/sp.html#93256
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system\bnyjc.dll/sp.html#93256
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system\bnyjc.dll/sp.html#93256
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system\bnyjc.dll/sp.html#93256
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system\bnyjc.dll/sp.html#93256
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system\bnyjc.dll/sp.html#93256
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {32003FED-E118-27E1-7F26-894B06E86B08} - C:\WINDOWS\SYSTEM\NETRY32.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [3dfx Tools] rundll32.exe 3dfxCmn.dll,CMNUpdateOnBoot
O4 - HKLM\..\Run: [3dfx Task Manager] "C:\Program Files\3dfx Interactive\3dfx Tools\Apps\3dfxMan.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [IEYJ32.EXE] C:\WINDOWS\IEYJ32.EXE
O4 - HKLM\..\Run: [F241.TMP] C:\WINDOWS\TEMP\F241.TMP.exe
O4 - HKLM\..\Run: [F244.TMP] C:\WINDOWS\TEMP\F244.TMP.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\Run: [F241.TMP.EXE] C:\WINDOWS\TEMP\F241.TMP.EXE
O4 - HKLM\..\Run: [F244.TMP.EXE] C:\WINDOWS\TEMP\F244.TMP.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] C:\WINDOWS\SYSTEM\mstask.exe
O4 - HKLM\..\RunServices: [SDKNN.EXE] C:\WINDOWS\SDKNN.EXE /s
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - HKCU\..\Run: [SNInstall] C:\WINDOWS\TEMP\F163.TMP
O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.r...ip/RdxIE601.cab
  • 0

#4
Trevuren

Trevuren

    Old Dog

  • Retired Staff
  • 18,699 posts
Please print out or copy this page to Wordpad as we will be working in Safe Mode. Make sure to work through the fixes in the exact order in which they are mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fix.
  • Please download and install these programs - DO NOT RUN THEM YET

    • Download Ad-Aware SE Personal 1.06 and save it to your DESKTOP
      • Install Ad-Aware SE Personal 1.06:
        • Double-click on aawsepersonal.exe to install the program.
        • Follow the default settings for installation.
        • After the program has finished installing uncheck the "Perform a full system scan now", "Update definition file now", and "Open the help file now" boxes.
      • Update Ad-Aware SE Personal 1.06:
        • Double-click the Ad-Aware SE Personal icon on your desktop.
        • Click "Check for updates now" then click "Connect".
        • It will check for any updates. If any are found click "OK" to download and install the updates. Once it has finished click "Finish".
      • Configure Ad-Aware SE Personal 1.06:
        • Click on the Gear button at the top of the window.
        • Click "General" on the left hand side to display the General Settings box.
      • Make sure these items have a green check next to them. If they do not, click once on the circle next to them to put a green checkmark in it:
        • "Automatically save logfile"
        • "Automatically quarantine objects prior to removal"
        • "Safe Mode (always request confirmation)"
        • "Prompt to update outdated definitions" - change to 7 days from the default 14.
      • Click "Scanning" on the left hand side to display the Scan Settings box.
      • Make sure these items have a green check next to them. If they do not, click once on the circle next to them to put a green checkmark in it:
        • "Scan within archives"
        • "Select drives & folders to scan" - select your hard drive(s).
        • "Scan active processes"
        • "Scan registry"
        • "Deep-scan registry"
        • "Scan my IE favorites for banned URLs"
        • "Scan my Hosts file"
      • Click "Advanced" on the left hand side to display the Advanced Settings box.
        • Make sure these items have a green check next to them. If they do not, click once on the circle next to them to put a green checkmark in it:
          • "Move deleted files to Recycle Bin"
          • "Include additional object information"
          • "Include negligible objects information"
          • "Include environment information"
      • Click "Defaults" on the left hand side to display the Default Settings box.
        • Make sure these items have your preferred settings in them:
        • "Default homepage"
        • "Default searchpage"
      • Click "Tweak" on the left hand side to display the Tweak Settings box.
        • Click the + (plus) sign next to the Log Files section. This will expand the section.
        • Make sure these items have a green check next to them. If they do not, click once on the circle next to them to put a green checkmark in it:
          • "Include basic Ad-Aware settings in log file"
          • "Include additional Ad-Aware settings in log file"
          • "Include reference summary in log file"
          • "Include alternate data stream details in log file"
        • Click the + (plus) sign next to the Scanning Engine section. This will expand the section.
        • Make sure these items have a green check next to them. If they do not, click once on the circle next to them to put a green checkmark in it:
          • "Unload recognized processes & modules during scan"
          • "Scan registry for all users instead of current user only"
          • "Obtain command line of scanned processes"
        • Click the + (plus) sign next to the Cleaning Engine section. This will expand the section.
        • Make sure these items have a green check next to them. If they do not, click once on the circle next to them to put a green checkmark in it:
          • "Always try to unload modules before deletion"
          • "During removal, unload Explorer and IE if necessary"
          • "Let Windows remove files in use at next reboot"
          • "Delete quarantined objects after restoring"
        • Click "Proceed" to save them and EXIT the program.
    • Download About Buster from the attachment to this post.
      • Create a new Folder on your Desktop
        • Right click on your Desktop
        • Select New, then Folder
        • Name the new folder AboutBuster5
      • Click on About Buster5.zip to UNZIP it
        • On the uppermost toolbar, click Actions>>Select All
        • On the Main Toolbar, choose EXTRACT and the new AboutBuster5 folder on your Desktop as the destination.
      • Do NOT check for updates: the host site is down, and checking for updates will make the downloaded file unusable. If by any chance a check for updates is done and an error is shown, just unzip the downloaded zip file again and overwrite the existing AboutBuster, which will bring back the original file.
      • Remember, this program MUST be run in Safe Mode.
      • DO NOT RUN IT YET.
    • Download CWShredder
      DO NOT RUN IT YET
  • Make sure all Hidden Files and Folders are visible.
    • Open Windows Explorer & Go to Tools > Folder Options.
    • Click on the View tab and make sure that "Show hidden files and folders" are checked.
    • Uncheck "Hide protected operating system files" and "Hide extensions for known file types".
    • Now click "Apply to all folders"
    • Click "Apply", then "OK"
  • REBOOT into Safe Mode

    How to Start To Safe Mode Using the F8 method in Windows 98/98SE/ME
    • turn the computer off
    • as the computer restarts, press and hold down the Ctrl key until the Windows 98 startup menu appears. (This also works with the F8 key following the same steps)
    • Choose Safe mode from the startup menu,
    • press Enter
    • Windows starts in Safe mode.
    • Restart your computer when finished troubleshooting

  • CLOSE ALL WINDOWS AND BROWSERS, Scan with Hijack This and put a checkmark beside each one of the following items:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system\bnyjc.dll/sp.html#93256
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system\bnyjc.dll/sp.html#93256
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system\bnyjc.dll/sp.html#93256
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system\bnyjc.dll/sp.html#93256
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system\bnyjc.dll/sp.html#93256
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system\bnyjc.dll/sp.html#93256
    R3 - Default URLSearchHook is missing
    O2 - BHO: Class - {32003FED-E118-27E1-7F26-894B06E86B08} - C:\WINDOWS\SYSTEM\NETRY32.DLL
    O4 - HKLM\..\Run: [IEYJ32.EXE] C:\WINDOWS\IEYJ32.EXE
    O4 - HKLM\..\Run: [F241.TMP] C:\WINDOWS\TEMP\F241.TMP.exe
    O4 - HKLM\..\Run: [F244.TMP] C:\WINDOWS\TEMP\F244.TMP.exe
    O4 - HKLM\..\Run: [F241.TMP.EXE] C:\WINDOWS\TEMP\F241.TMP.EXE
    O4 - HKLM\..\Run: [F244.TMP.EXE] C:\WINDOWS\TEMP\F244.TMP.EXE
    O4 - HKLM\..\RunServices: [SDKNN.EXE] C:\WINDOWS\SDKNN.EXE /s
    O4 - HKCU\..\Run: [SNInstall] C:\WINDOWS\TEMP\F163.TMP
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.r...ip/RdxIE601.cab


  • Click on Fix Checked and EXIT HijackThis.

  • Using Windows Explorer, locate and DELETE the following files/folders (and all their content), if present:


    C:\WINDOWS\SDKNN.EXE
    C:\WINDOWS\IEYJ32.EXE
    C:\WINDOWS\TEMP\F241.TMP.EXE
    C:\WINDOWS\TEMP\F244.TMP.EXE
    C:\WINDOWS\system\bnyjc.dll
    C:\WINDOWS\SYSTEM\NETRY32.DLL
    C:\WINDOWS\TEMP\F163.TMP


    If you get an error when deleting a file, right-click on the file and check to see if the read-only attribute is checked. If it is, uncheck it and try again.

  • Run CW-Shredder
    • Hit the FIX button
    • Let it run and fix what it finds.
  • Run AboutBuster 5.0.
    • This will scan your computer for the bad files and delete them.
    • It will ask to scan the system again, let it.
    • Save the report (copy and paste into notepad or wordpad and save as a .txt file).
    • Post a copy back with your reply.
  • Run Ad-Aware
    • Click the "Start" button.
    • Uncheck the "Search for negligible risk entries" entry.
    • Choose the "Use custom scanning options" scan mode.
    • Click the "Next" button.
    • Ad-Aware will begin to scan for malware residing on your computer.
    • Allow the scan to finish.
    • Right-click on any entry in the list and click "Select All" to select the whole list.
    • Click "Next" and choose "OK" at the prompt to quarantine and remove the objects.

  • Clean out temporary and TIF files
    • Go to Start > Run and type in the box: cleanmgr.
      • Let it scan your system for files to remove.
      • Make sure these 3 are checked
      • Temporary Files
      • Temporary Internet Files
      • Recycle Bin
    • Click OK to DELETE the files
  • REBOOT into Normal Mode

  • Download and run this online virus scan ===> TrendMicro's HouseCall, if you can. <--- Important
    *Make sure you check "AutoClean".

  • REBOOT your system.

  • Finally, run HijackThis, click SCAN, produce a LOG and POST it in this thread for review along with the AboutBuster log.
Regards,

Trevuren

  • 0
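The list of entries Trevuren has falcon1717 tick in the step above follows a recognisable pattern, and that pattern can be checked mechanically. The Python script below is an added example; it is not part of this thread and not code from HijackThis or Geeks to Go. It parses the R0/R1/R3/O2/O4/O16 lines of a HijackThis 1.99.1 log and flags the kinds of indicators used in this fix: IE start/search settings that point at a res:// page inside a local DLL, a missing URLSearchHook, a BHO DLL sitting directly in the Windows or System directory, autorun entries that launch from TEMP or are named after their own file, and an ActiveX download (DPF) with no control name. The two embedded logs are constructed excerpts modelled on the first and last logs posted in this thread, and the rules are my own heuristics rather than HijackThis's verdicts, so every hit still needs a human look in the context of the full log, exactly as Trevuren warns in post #2.

```python
import re
from typing import Dict, List, Optional

# Constructed excerpt modelled on the first log posted in this thread: one
# hijacked entry of each kind plus legitimate entries to test for false positives.
INFECTED_LOG = r"""
Logfile of HijackThis v1.99.1
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system\bnyjc.dll/sp.html#93256
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system\bnyjc.dll/sp.html#93256
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {32003FED-E118-27E1-7F26-894B06E86B08} - C:\WINDOWS\SYSTEM\NETRY32.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [IEYJ32.EXE] C:\WINDOWS\IEYJ32.EXE
O4 - HKLM\..\Run: [F241.TMP] C:\WINDOWS\TEMP\F241.TMP.exe
O4 - HKLM\..\RunServices: [SDKNN.EXE] C:\WINDOWS\SDKNN.EXE /s
O4 - HKCU\..\Run: [SNInstall] C:\WINDOWS\TEMP\F163.TMP
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.r...ip/RdxIE601.cab
"""

# Constructed excerpt modelled on the final (clean) log posted in this thread.
CLEAN_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dogpile.com/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
"""

# HijackThis 1.99.1 line shapes (derived from the logs above; assumed, not an official grammar).
ENTRY_RE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.+)$")
O2_RE = re.compile(r"^BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-F-]+)\} - (?P<path>.+)$", re.I)
O4_RE = re.compile(r"^(?P<hive>\S+): \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
O16_RE = re.compile(r"^DPF: \{(?P<clsid>[0-9A-F-]+)\} (?:\((?P<name>[^)]*)\) )?- (?P<url>\S+)$", re.I)
# A DLL living directly in C:\WINDOWS or C:\WINDOWS\SYSTEM rather than under Program Files.
WINDIR_DLL_RE = re.compile(r"^C:\\WINDOWS\\(SYSTEM\\)?[^\\]+$", re.I)


def command_path(cmd: str) -> str:
    """Executable part of an O4 command line, with surrounding quotes and arguments removed."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.find('"', 1)]
    return cmd.split()[0]


def classify(kind: str, body: str) -> Optional[str]:
    """Return a reason string when the entry matches one of the heuristics, else None."""
    if kind in ("R0", "R1") and "res://" in body.lower():
        return "IE start/search setting points at an HTML page inside a local DLL"
    if kind == "R3" and "missing" in body.lower():
        return "default URLSearchHook has been removed"
    if kind == "O2":
        m = O2_RE.match(body)
        if m and WINDIR_DLL_RE.match(m.group("path")):
            return "BHO loaded from a DLL dropped straight into the Windows/System directory"
    if kind == "O4":
        m = O4_RE.match(body)
        if m:
            path = command_path(m.group("cmd"))
            base = path.rsplit("\\", 1)[-1]
            stem = base.rsplit(".", 1)[0]
            if "\\TEMP\\" in path.upper() or base.upper().endswith(".TMP"):
                return "autorun entry launches a file from the TEMP directory"
            if m.group("name").upper() in (base.upper(), stem.upper()):
                return "autorun entry is named after its own file (auto-generated dropper name)"
    if kind == "O16":
        m = O16_RE.match(body)
        if m and not m.group("name"):
            return "ActiveX download (DPF) with no registered control name"
    return None


def triage(log: str) -> List[Dict[str, str]]:
    """Run the heuristics over every R/O entry in a log and collect the hits."""
    findings = []
    for raw in log.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue  # header lines and the process list are not R/O entries
        reason = classify(m.group("kind"), m.group("body"))
        if reason:
            findings.append({"kind": m.group("kind"), "entry": raw.strip(), "reason": reason})
    return findings


def report(log: str) -> str:
    """Human-readable summary suitable for pasting into a reply."""
    findings = triage(log)
    if not findings:
        return "No suspicious entries found."
    lines = ["Entries to review (check each against the full log before fixing):"]
    for f in findings:
        lines.append(f"  [{f['kind']}] {f['reason']}\n      {f['entry']}")
    return "\n".join(lines)


if __name__ == "__main__":
    print("--- first log ---")
    print(report(INFECTED_LOG))
    print("--- final log ---")
    print(report(CLEAN_LOG))
```

Run as-is, the first excerpt yields nine flagged entries, matching the items Trevuren selects, and the final excerpt yields none. The "named after its own file" rule is the weakest of the set: it happens to catch IEYJ32.EXE and SDKNN.EXE here because the legitimate entries in this log all carry descriptive names, but a vendor that names its Run value after its executable would trip it too, which is why the output is a review list and not a fix list.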

#5
falcon1717

falcon1717

    New Member

  • Topic Starter
  • Member
  • Pip
  • 6 posts
Hi,

I am unable to check the "During removal, unload Explorer and IE if necessary" section of the AdAware Tweak module. It is grayed out.

Is this a problem?
  • 0

#6
Trevuren

Trevuren

    Old Dog

  • Retired Staff
  • 18,699 posts
Only slightly inconvenient. Please continue with the fix.

Trevuren
  • 0

#7
falcon1717

falcon1717

    New Member

  • Topic Starter
  • Member
  • Pip
  • 6 posts
I am now having AboutBuster problems!

After downloading the file and clicking on the zip file in order to unzip it, I am told the file is corrupt and to try downloading it again.

I tried this several times with the same result. I downloaded the file from another location and when I run the program it says it has successfully completed a scan and then gives me the run time error 339: "Component comctl32.ocx or one of its dependencies not correctly registered; a file is missing or invalid."
  • 0

#8
Trevuren

Trevuren

    Old Dog

  • Retired Staff
  • 18,699 posts
We are experiencing AboutBuster problems

Try it this way.

1. DELETE your current copy of AboutBuster.

2. Please download AboutBuster from the attachment to this post.

3. Create a folder on your desktop and call it AboutBuster

4. UNZIP the AboutBuster.zip file and extract all files to this newly created AboutBUster Folder

5. Do NOT check for updates: the host site is down, and checking for updates will make the downloaded file unusable.

6. Start with "Begin Removal".

7. If by any chance a check for updates is done and an error is shown, just unzip the downloaded zip file again and overwrite the existing AboutBuster, which will bring back the original file.


Regards,

Trevuren

  • 0

#9
falcon1717

falcon1717

    New Member

  • Topic Starter
  • Member
  • Pip
  • 6 posts
Ok, I went through all the steps and my new log is below, however I continued to receive the runtime error 339 for AboutBuster so I was unable to produce a log for that.
I hope that's ok.

Logfile of HijackThis v1.99.1
Scan saved at 2:05:00 AM, on 10/9/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v5.00 (5.00.2614.3500)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\3DFX INTERACTIVE\3DFX TOOLS\APPS\3DFXMAN.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\WINDOWS\RunDLL.exe
C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\HIJACKTHIS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dogpile.com/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [3dfx Tools] rundll32.exe 3dfxCmn.dll,CMNUpdateOnBoot
O4 - HKLM\..\Run: [3dfx Task Manager] "C:\Program Files\3dfx Interactive\3dfx Tools\Apps\3dfxMan.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] C:\WINDOWS\SYSTEM\mstask.exe
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
  • 0

#10
Trevuren

Trevuren

    Old Dog

  • Retired Staff
  • 18,699 posts
Your log looks good. If you have no more malware-related problems that you are aware of, just give me the OK and I can proceed with my final recommendations.

Trevuren
  • 0

#11
falcon1717

falcon1717

    New Member

  • Topic Starter
  • Member
  • Pip
  • 6 posts
Things are looking pretty good now.
Your help prevented a reformat, which would have been a major pain.
Thanks a lot.
  • 0

#12
Trevuren

Trevuren

    Old Dog

  • Retired Staff
  • 18,699 posts
Congratulations, your log shows that your SYSTEM IS CLEAN

1. Re-hide your System Files and Folders to prevent any future accidents.


2. Here are some tips to reduce the potential for spyware infection in the future:

Make sure you keep your Windows OS current by visiting Windows Update regularly to download and install any critical updates and service packs. Without these you are leaving the backdoor open.

I strongly recommend installing the following applications:
  • Spywareblaster <= SpywareBlaster will prevent spyware from being installed.
  • Spywareguard <= SpywareGuard offers realtime protection from spyware installation attempts.
  • How to use Ad-Aware to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Ad-Aware.
  • How to use Spybot to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Spybot. Similar to Ad-Aware, I strongly recommend both to catch most spyware.
To protect yourself further:
  • Spyad <= IE/Spyad places over 4000 websites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.
  • MVPS Hosts file <= The MVPS Hosts file replaces your current HOSTS file with one containing well-known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer.
  • Google Toolbar <= Get the free google toolbar to help stop pop up windows.
And also see TonyKlein's good advice
So how did I get infected in the first place? (My Favorite)

Regards,

Trevuren

  • 0

#13
Trevuren

Trevuren

    Old Dog

  • Retired Staff
  • 18,699 posts
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :tazz:

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
  • 0