Freeprod/pokapoka/lockx on windows98 [RESOLVED]


  • This topic is locked

#1
scottsatellite

Member

Please help.
I have read many of the postings.
However I have Windows 98 and I have yet to find one that addresses this.
I got a message through my associate's AIM to look at a picture and the rest is history.
I've never posted to any board before so any guidance is appreciated.
I have already downloaded "Hijack this" however I have ended tasks on stuff so that I don't get any of the pop ups and so far I have been successful.
I used it to delete pokapoka and lockx, but I don't know if that made a difference.
This is my current Hijack this:
Logfile of HijackThis v1.99.1
Scan saved at 7:14:52 PM, on 10/8/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\LOGMEIN\LOGMEIN.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\WINOA386.MOD
C:\PROGRAM FILES\LOGMEIN\LOGMEINSYSTRAY.EXE
C:\WINDOWS\TASKMON.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
C:\PROGRAM FILES\AWS\WEATHERBUG\WEATHER.EXE
C:\PALM\HOTSYNC.EXE
C:\WINDOWS\SYSTEM\WINOA386.MOD
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\OUTLOOK.EXE
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\XOFTSPY\XOFTSPY.EXE
C:\WINDOWS\DESKTOP\HIJACK.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.myseachexplorer.com/sp2.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.myseachexplorer.com/sp2.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.myseachexplorer.com/sp2.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://hp.my.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.myseachexplorer.com/sp2.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\PROGRAM FILES\LOGMEIN\LogMeInSystray.exe"
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\RunServices: [stratas] LOCKX.EXE
O4 - HKLM\..\RunServices: [LogMeIn] "C:\PROGRAM FILES\LOGMEIN\LogMeIn.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Weather] C:\PROGRAM FILES\AWS\WEATHERBUG\WEATHER.EXE 1
O4 - HKCU\..\Run: [services32] C:\Program Files\Common Files\Windows\mc-67-525-0000166.exe
O4 - HKCU\..\Run: [DNS] C:\Program Files\Common Files\mc-67-525-0000166.exe
O4 - HKCU\..\Run: [AIM] C:\PROGRAM FILES\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\RunServices: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\RunServices: [Weather] C:\PROGRAM FILES\AWS\WEATHERBUG\WEATHER.EXE 1
O4 - HKCU\..\RunServices: [services32] C:\Program Files\Common Files\Windows\mc-67-525-0000166.exe
O4 - HKCU\..\RunServices: [DNS] C:\Program Files\Common Files\mc-67-525-0000166.exe
O4 - HKCU\..\RunServices: [AIM] C:\PROGRAM FILES\AIM95\aim.exe -cnetwait.odl
O4 - Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE
O8 - Extra context menu item: &AIM Search - res://C:\PROGRAM FILES\AIM TOOLBAR\AIMBAR.DLL/aimsearch.htm
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM95\AIM.EXE
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://hp.my.yahoo.com
O16 - DPF: {34805D32-AD89-469E-8503-A5666AEE4333} (RdxIE Class) - http://207.188.25.41...etzip/RdxIE.cab
O16 - DPF: {1C955F3B-5B32-4393-A05D-24B4970CD2A1} - http://stream10k.red...cabs/videox.cab
O16 - DPF: {1B77F337-2C1E-4D52-88F7-AAEE5BFB6F5B} - http://www.netbroadc...ieNetworks1.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150...ip/RdxIE601.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logme...ivex/ractrl.cab

Thank you so much for your help :tazz:
#2
greyknight17

Malware Expert

Welcome to GTG.

Download AimFix and run it.

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order they are mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should 'not' have any open browsers when you are following the procedures below.

Go to My Computer->Tools (or View)->Folder Options->View tab:
* Under the Hidden files and folders heading, select Show hidden files and folders (it's Show all files for Windows 98).
* Uncheck the Hide protected operating system files (recommended) option.
* Click Yes to confirm and then click OK.

For the options that you checked/enabled earlier, you may uncheck them after your log is clean. If we ask you to fix a program that you use or want to keep, please post back saying that (we don't know every program that exists, so we may tell you to delete a program that we think is bad to keep).

Download LQFix http://users.telenet...tools/LQfix.exe and run it. Click on Next->Next->Install. Click Finish to launch LQfix. Follow the screen prompts. Your system will reboot afterwards. Please wait for the script to finish in the background at this time...

Download CWShredder at http://www.greyknigh.../CWShredder.exe and run it. Click on 'I Agree' button if you agree. Click on 'Fix' (it will automatically fix anything it finds for you) and then click OK. If it asks if you want to delete a certain random file, choose No and post that filename here. Let it finish the scan and then hit Next and Exit.

Restart your computer and boot into Safe Mode by hitting the F8 key repeatedly until a menu shows up (and choose Safe Mode from the list). In some systems, this may be the F5 key, so try that if F8 doesn't work. Make sure to close any open browsers. Uninstall the following via the Add/Remove Panel (Start->(Settings)->Control Panel->Add/Remove Programs) if they exist:

XoftSpy - it’s rogueware (or known to be rogueware in the past) and we highly recommend that you uninstall it. Rogue/Suspect means that these products are of unknown, questionable, or dubious value as anti-spyware protection.

Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any):

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.myseachexplorer.com/sp2.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.myseachexplorer.com/sp2.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.myseachexplorer.com/sp2.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.myseachexplorer.com/sp2.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
O4 - HKLM\..\RunServices: [stratas] LOCKX.EXE
O4 - HKCU\..\Run: [services32] C:\Program Files\Common Files\Windows\mc-67-525-0000166.exe
O4 - HKCU\..\Run: [DNS] C:\Program Files\Common Files\mc-67-525-0000166.exe
O4 - HKCU\..\RunServices: [services32] C:\Program Files\Common Files\Windows\mc-67-525-0000166.exe
O4 - HKCU\..\RunServices: [DNS] C:\Program Files\Common Files\mc-67-525-0000166.exe


Delete the following Files/Folders (delete folders if no filename is specified) according to their directory (if none, just do a search for them) and delete them if they exist:

LOCKX.EXE
C:\Program Files\Common Files\Windows\mc-67-525-0000166.exe
C:\Program Files\Common Files\mc-67-525-0000166.exe


Restart and run BOTH these scans:

Run an online virus scan at TrendMicro http://uk.trendmicro...call_launch.php. Just follow the instructions on the site to run the free online scan. If any viruses/trojans are detected, try to delete or clean them in that site. If any are not cleanable, copy and paste the infected files here. You may also use Panda ActiveScan at http://www.pandasoft...ucts/activescan. Post the log from the Panda scan here.

Restart and run a new HijackThis scan. Save the log file and post it here along with the Panda log.

#3
scottsatellite

Member, Topic Starter

Greyknight17,
First, thank you so much for your help.
Hope I am replying to your post the correct way.

Had already downloaded and ran AIMfix by the time I got your reply. It found lockx and put it in a quarentene (however you spell that word).

Already deleted Xoftspy at the beginning too - took a bit but I think I got rid of it.

My computer was already set to show hidden files and the rest of those instructions you had - so I don't know what that means.

Ran LQfix - couldn't tell if it did anything.

Downloaded and ran CWshredder - it didn't find anything.

Restarted in safe mode and ran Hijack this. Deleted 5 files that had the mysearchexplorer.com/sp2.php - that's all that was there out of your list. It did not find the mc-67-525-0000 files or lockx.

Ran the trend micro program (after downloading java2 etc - took a while). It found 2 files with the mc-67-525-0000. It would not delete them. Kept asking for a ticket. I applied for a ticket but it wouldn't work. I hit both options of "clean infections only" and "clean and fix".

However, after finding those files I did a "find file" from the start bar and deleted them from there. Hope that was ok. It did find a bunch of files named mc-67-525-0000.

Now I am probably telling something you know, but it seems that what this virus does is redraw the items on your screen so you think it's the real item but it must be a picture of it or some sort of illusion. I have noticed that when I clicked on things it didn't react, but then if I control-alt-delete and close explorer then the things I want to click on work. (including even the link in the e-mail to get back to this message board).

OK. Hope what I said helps. Probably all you need is the new Hijack log...lol.
Here it is:

Logfile of HijackThis v1.99.1
Scan saved at 10:26:47 PM, on 10/9/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\LOGMEIN\LOGMEIN.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\LOGMEIN\LOGMEINSYSTRAY.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
C:\PROGRAM FILES\AWS\WEATHERBUG\WEATHER.EXE
C:\PROGRAM FILES\AIM95\AIM.EXE
C:\PALM\HOTSYNC.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\DESKTOP\HIJACK.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://hp.my.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\PROGRAM FILES\LOGMEIN\LogMeInSystray.exe"
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\RunServices: [LogMeIn] "C:\PROGRAM FILES\LOGMEIN\LogMeIn.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Weather] C:\PROGRAM FILES\AWS\WEATHERBUG\WEATHER.EXE 1
O4 - HKCU\..\Run: [AIM] C:\PROGRAM FILES\AIM95\aim.exe -cnetwait.odl
O4 - Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE
O8 - Extra context menu item: &AIM Search - res://C:\PROGRAM FILES\AIM TOOLBAR\AIMBAR.DLL/aimsearch.htm
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM95\AIM.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://hp.my.yahoo.com
O16 - DPF: {34805D32-AD89-469E-8503-A5666AEE4333} (RdxIE Class) - http://207.188.25.41...etzip/RdxIE.cab
O16 - DPF: {1C955F3B-5B32-4393-A05D-24B4970CD2A1} - http://stream10k.red...cabs/videox.cab
O16 - DPF: {1B77F337-2C1E-4D52-88F7-AAEE5BFB6F5B} - http://www.netbroadc...ieNetworks1.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150...ip/RdxIE601.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logme...ivex/ractrl.cab

Again. Thank you so much for your help.
So how is it looking from that report?
Can't say this hasn't been more than nerve-wracking - every blue and black screen that lasts longer than a split second scares me..lol.
Thank you thank you for your time...

#4
greyknight17

Malware Expert

Your log here is clean...

Did Panda scan find anything?

Since you are still experiencing problems, go to Kaspersky and run their online scanner. Post that log here when done.
  • 0
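
A follow-up check for the before/after logs exchanged above, added here as an example (it is not code from the thread, from its participants, or from HijackThis): it parses two HijackThis logs and a fix list, then reports which fix-list entries survive and which other entries changed between scans. The function names are hypothetical; the sample lines are an abridged selection copied from the logs posted in this thread.

```python
import re

# Abridged selection of lines from the first log in this thread.
BEFORE = r"""
Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.myseachexplorer.com/sp2.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\RunServices: [stratas] LOCKX.EXE
O4 - HKCU\..\Run: [services32] C:\Program Files\Common Files\Windows\mc-67-525-0000166.exe
O4 - HKCU\..\Run: [AIM] C:\PROGRAM FILES\AIM95\aim.exe -cnetwait.odl
"""

# Abridged selection of lines from the second log in this thread.
AFTER = r"""
Logfile of HijackThis v1.99.1
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com/
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKCU\..\Run: [AIM] C:\PROGRAM FILES\AIM95\aim.exe -cnetwait.odl
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
"""

# Abridged selection of the entries the helper asked to have fixed.
FIX_LIST = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.myseachexplorer.com/sp2.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
O4 - HKLM\..\RunServices: [stratas] LOCKX.EXE
O4 - HKCU\..\Run: [services32] C:\Program Files\Common Files\Windows\mc-67-525-0000166.exe
"""

# A HijackThis entry line starts with a section code (R0, O4, O16, ...)
# followed by " - "; header and running-process lines do not match.
ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")


def parse_entries(log_text):
    """Map a case-insensitive key to the original entry line."""
    entries = {}
    for raw in log_text.splitlines():
        match = ENTRY.match(raw.strip())
        if match:
            code = match.group(1)
            body = " ".join(match.group(2).split())  # collapse stray spacing
            # Windows paths and registry names compare case-insensitively.
            entries[(code, body.casefold())] = f"{code} - {body}"
    return entries


def verify_fix(before, after, fix_list):
    """Compare two scans against the list of entries that were to be fixed."""
    b, a, f = parse_entries(before), parse_entries(after), parse_entries(fix_list)
    bk, ak, fk = set(b), set(a), set(f)

    def pick(keys, source):
        return sorted(source[k] for k in keys)

    return {
        # Fix-list entries that are still in the follow-up scan.
        "still_present": pick(fk & ak, a),
        # Fix-list entries that were never in the first scan (typo check).
        "not_in_first_log": pick(fk - bk, f),
        # Entries that vanished although nobody asked for them to be fixed.
        "removed_off_list": pick(bk - ak - fk, b),
        # Entries that appear only in the follow-up scan.
        "new_entries": pick(ak - bk, a),
    }


if __name__ == "__main__":
    for label, lines in verify_fix(BEFORE, AFTER, FIX_LIST).items():
        print(f"{label}: {len(lines)}")
        for line in lines:
            print("   ", line)
```

An empty `still_present` list only says the autostart and browser settings are gone from the registry view HijackThis reads; files on disk still need the scanner passes that follow in the thread.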

#5
scottsatellite

Member, Topic Starter

Greyknight - Ran the Kaspersky scan - took hours -
It said it found 8 viruses and a bunch of other stuff - but then no delete or fix option or if it is there I don't see it.
Here's the report:

Monday, October 10, 2005 15:49:43
Operating System: Microsoft Windows Millennium Edition
Kaspersky On-line Scanner version: 5.0.67.0
Kaspersky Anti-Virus database last update: 10/10/2005
Kaspersky Anti-Virus database records: 144053


Scan Settings
Scan using the following antivirus database standard
Scan Archives true
Scan Mail Bases true

Scan Target My Computer
a:\
c:\
m:\

Scan Statistics
Total number of scanned objects 58387
Number of viruses found 8
Number of infected objects 21
Number of suspicious objects 7
Duration of the scan process 9954 sec

Infected Object Name Virus Name
c:\WINDOWS\TEMP\k_B555.TMP Infected: Trojan-Downloader.Win32.Agent.tv

c:\WINDOWS\Temporary Internet Files\Content.IE5\OXYBCP6N\nitrous.exitfuel[1].htm Infected: Trojan.JS.NoClose.a

c:\WINDOWS\Application Data\Microsoft\Outlook\ARCHIVE.PPP/Archive Folders/Sent Items/29 Dec 2002 23:04 to [email protected]:FW: Undeliverab.eml/[From mail ][Date Sun, 29 Dec 2002 17:42:41 -0500 (EST)]/UNNAMED/html Suspicious: Exploit.HTML.Iframe.FileDownload

c:\WINDOWS\Application Data\Microsoft\Outlook\ARCHIVE.PPP/Archive Folders/Sent Items/29 Dec 2002 23:04 to [email protected]:FW: Undeliverab.eml/[From mail ][Date Sun, 29 Dec 2002 17:42:41 -0500 (EST)]/UNNAMED Suspicious: Exploit.HTML.Iframe.FileDownload

c:\WINDOWS\Application Data\Microsoft\Outlook\ARCHIVE.PPP/Archive Folders/Sent Items/29 Dec 2002 23:04 to [email protected]:FW: Undeliverab.eml Suspicious: Exploit.HTML.Iframe.FileDownload

c:\WINDOWS\Application Data\Microsoft\Outlook\ARCHIVE.PPP/Archive Folders/Sent Items/04 Jun 2003 14:49 to [email protected]:FW: Mail delivery failed: re.eml/[From scott ][Date 13:45:55, 04/06/03]/UNNAMED/Noah491.scr Infected: Email-Worm.Win32.Fizzer

c:\WINDOWS\Application Data\Microsoft\Outlook\ARCHIVE.PPP/Archive Folders/Sent Items/04 Jun 2003 14:49 to [email protected]:FW: Mail delivery failed: re.eml/[From scott ][Date 13:45:55, 04/06/03]/UNNAMED Infected: Email-Worm.Win32.Fizzer

c:\WINDOWS\Application Data\Microsoft\Outlook\ARCHIVE.PPP/Archive Folders/Sent Items/04 Jun 2003 14:49 to [email protected]:FW: Mail delivery failed: re.eml Infected: Email-Worm.Win32.Fizzer

c:\WINDOWS\Application Data\Microsoft\Outlook\ARCHIVE.PPP/Archive Folders/Sent Items/04 Jun 2003 14:50 to [email protected]:FW: Mail delivery failed: re.eml/[From scott ][Date 13:46:30, 04/06/03]/UNNAMED/Delga.pif Infected: Email-Worm.Win32.Fizzer

c:\WINDOWS\Application Data\Microsoft\Outlook\ARCHIVE.PPP/Archive Folders/Sent Items/04 Jun 2003 14:50 to [email protected]:FW: Mail delivery failed: re.eml/[From scott ][Date 13:46:30, 04/06/03]/UNNAMED Infected: Email-Worm.Win32.Fizzer

c:\WINDOWS\Application Data\Microsoft\Outlook\ARCHIVE.PPP/Archive Folders/Sent Items/04 Jun 2003 14:50 to [email protected]:FW: Mail delivery failed: re.eml Infected: Email-Worm.Win32.Fizzer

c:\WINDOWS\Application Data\Microsoft\Outlook\ARCHIVE.PPP/Archive Folders/Sent Items/04 Jun 2003 14:50 to [email protected]:FW: Mail delivery failed: re.eml/[From scott ][Date 13:47:02, 04/06/03]/UNNAMED/Ashley510.com Infected: Email-Worm.Win32.Fizzer

c:\WINDOWS\Application Data\Microsoft\Outlook\ARCHIVE.PPP/Archive Folders/Sent Items/04 Jun 2003 14:50 to [email protected]:FW: Mail delivery failed: re.eml/[From scott ][Date 13:47:02, 04/06/03]/UNNAMED Infected: Email-Worm.Win32.Fizzer

c:\WINDOWS\Application Data\Microsoft\Outlook\ARCHIVE.PPP/Archive Folders/Sent Items/04 Jun 2003 14:50 to [email protected]:FW: Mail delivery failed: re.eml Infected: Email-Worm.Win32.Fizzer

c:\WINDOWS\Application Data\Microsoft\Outlook\ARCHIVE.PPP/Archive Folders/Sent Items/04 Jun 2003 14:51 to [email protected]:FW: Mail delivery failed: re.eml/[From scott ][Date 13:47:35, 04/06/03]/UNNAMED/Impress Infected: Email-Worm.Win32.Fizzer

c:\WINDOWS\Application Data\Microsoft\Outlook\ARCHIVE.PPP/Archive Folders/Sent Items/04 Jun 2003 14:51 to [email protected]:FW: Mail delivery failed: re.eml/[From scott ][Date 13:47:35, 04/06/03]/UNNAMED Infected: Email-Worm.Win32.Fizzer

c:\WINDOWS\Application Data\Microsoft\Outlook\ARCHIVE.PPP/Archive Folders/Sent Items/04 Jun 2003 14:51 to [email protected]:FW: Mail delivery failed: re.eml Infected: Email-Worm.Win32.Fizzer

c:\WINDOWS\Application Data\Microsoft\Outlook\ARCHIVE.PPP/Archive Folders/Inbox/participants ILP/20 Sep 2002 20:12 from sk8er3297:[fall2002ilp] 468x60 ad.html Suspicious: Exploit.HTML.Iframe.FileDownload

c:\WINDOWS\Application Data\Microsoft\Outlook\ARCHIVE.PPP/Archive Folders/Inbox/29 Dec 2002 22:47 from Postmaster:Undeliverable Mail.eml/[From mail ][Date Sun, 29 Dec 2002 17:42:41 -0500 (EST)]/html Suspicious: Exploit.HTML.Iframe.FileDownload

c:\WINDOWS\Application Data\Microsoft\Outlook\ARCHIVE.PPP/Archive Folders/Inbox/29 Dec 2002 22:47 from Postmaster:Undeliverable Mail.eml Suspicious: Exploit.HTML.Iframe.FileDownload

c:\WINDOWS\Application Data\Microsoft\Outlook\ARCHIVE.PPP/Archive Folders/Inbox/16 Jun 2003 17:49 from dia design:reee.html Suspicious: Exploit.HTML.Iframe.FileDownload

c:\WINDOWS\Application Data\Microsoft\Outlook\ARCHIVE.PPP/Archive Folders/Inbox/23 Aug 2003 01:27 from [email protected]:failure notice.eml/[From ][Date Fri, 22 Aug 2003 21:55:42 --0400]/UNNAMED/your_document.pif Infected: Email-Worm.Win32.Sobig.f.dam

c:\WINDOWS\Application Data\Microsoft\Outlook\ARCHIVE.PPP/Archive Folders/Inbox/23 Aug 2003 01:27 from [email protected]:failure notice.eml/[From ][Date Fri, 22 Aug 2003 21:55:42 --0400]/UNNAMED Infected: Email-Worm.Win32.Sobig.f.dam

c:\WINDOWS\Application Data\Microsoft\Outlook\ARCHIVE.PPP/Archive Folders/Inbox/23 Aug 2003 01:27 from [email protected]:failure notice.eml Infected: Email-Worm.Win32.Sobig.f.dam

c:\WINDOWS\Application Data\Microsoft\Outlook\ARCHIVE.PPP Infected: Email-Worm.Win32.Sobig.f.dam

c:\WINDOWS\Downloaded Program Files\jao.dll Infected: Trojan-Spy.Win32.Briss.k

c:\Recycled\Dc5.bak Infected: Backdoor.Win32.IRCBot.ct

c:\xz.bat Infected: Trojan.BAT.KillProc.a

Scan process completed.

So there it is.

Please let me know what to do. Thanks. Looks like some of it is in my outlook archive which actually I can't open, and I lost 2 years worth of e-mail a couple months ago. If we solve that it would be amazing.
Didn't do the Panda thing yet because I thought you said to do trend micro or pandasoft.
Thanks again :tazz: . Guess there is a little more work to do here.

#6
greyknight17

Malware Expert

Download KillBox http://www.greyknigh...spy/KillBox.exe. Run KillBox and check the box that says 'End Explorer Shell While Killing File'. Next click on 'Delete on Reboot'. Copy the below files and go back to KillBox. Go to File->Paste from Clipboard and then hit the button with a red circle and white X. Confirm to delete and when asked if you want to reboot, say Yes:

c:\WINDOWS\Downloaded Program Files\jao.dll
c:\Recycled\Dc5.bak
c:\xz.bat


If you get a PendingOperations message, just close it and restart your computer manually.

I want you to run both of those scans, so yes run Panda scan also. I think Panda can actually delete those virus infected emails for you also since Kaspersky doesn't do it :tazz:

#7
scottsatellite

Member, Topic Starter

Ok. Did KillBox - though it didn't ask me to reboot - I restarted my computer - hope that was correct thing to do.

Ran Panda ActiveScan. It cleaned a couple things, but left the rest.

Here's the report:


Incident Status Location

Adware:adware/maxifiles No disinfected C:\PROGRAM FILES\COMMON FILES\services.exe
Spyware:spyware/betterinet No disinfected C:\WINDOWS\INF\BIINI.INF
Adware:adware/sidesearch No disinfected C:\PROGRAM FILES\Lycos
Adware:adware/windowenhancer No disinfected C:\WINDOWS\SYSTEM\SBUtils
Adware:adware/elitebar No disinfected C:\WINDOWS\Favorites\Casino & Carrers
Spyware:spyware/dyfuca No disinfected Windows Registry
Adware:Adware/nCase No disinfected C:\WINDOWS\TEMP\FLEOK\msbb.exe
Adware:Adware/nCase No disinfected C:\WINDOWS\TEMP\msbb.exe
Adware:Adware/WindowEnhancer No disinfected C:\WINDOWS\SYSTEM\SBUtils\SBWebCtl.dll
Dialer:Dialer.PI No disinfected C:\WINDOWS\Temporary Internet Files\Content.IE5\CH2B416F\free_sex_viewer[1].exe
Spyware:Spyware/BetterInet No disinfected C:\WINDOWS\INF\BIINI.INF
Spyware:Spyware/Redhotnetworks No disinfected C:\WINDOWS\Downloaded Program Files\videox.inf
Hacktool:HackTool/ProcLog.A No disinfected C:\HP\bin\ProcessLogger.exe
Virus:Trj/Reboot.F Disinfected C:\HP\bin\Rebooter.exe
Spyware:Spyware/Bridge No disinfected C:\_RESTORE\TEMP\JAO.0
Virus:W32/Sdbot.EFG.worm Disinfected C:\_RESTORE\TEMP\DC5.0
Virus:W32/Sdbot.EFG.worm Disinfected C:\_RESTORE\TEMP\XZ.0
Adware:Adware/Maxifiles No disinfected C:\Program Files\Common Files\services.exe
Adware:Adware/Maxifiles No disinfected C:\Program Files\DNS\cwebpage.dll
Adware:Adware/SideSearch No disinfected C:\Program Files\Lycos\Sidesearch\sidesearch13218.dll
Adware:Adware/Maxifiles No disinfected C:\Recycled\Dc7.exe
Adware:Adware/Maxifiles No disinfected C:\Recycled\Dc8.exe
Adware:Adware/Maxifiles No disinfected C:\Recycled\Dc9.exe
Adware:Adware/Maxifiles No disinfected C:\Recycled\Dc11.exe
Adware:Adware/Maxifiles No disinfected C:\Recycled\Dc12.exe
Adware:Adware/Maxifiles No disinfected C:\Recycled\Dc13.exe
Adware:Adware/Maxifiles No disinfected C:\Recycled\Dc14.exe

Hmmm...seems like there is some nice stuff in there - especially the dialer whatever that is - it doesn't sound good...that'll teach me..haha.

Should I delete the whole Content.IE5 folder? (it found that in the find file but not the subsequent listed things "\CH2B416F\ etc etc")

Thanks for your help. I just want this crazy stuff off my machine. Hope this is the last of it...

#8
greyknight17

Malware Expert

Go to Start->Settings->Control Panel and double click on the System icon. On the Performance tab click File System. Click the Troubleshooting tab, and then check 'Disable System Restore'. Click OK. Click Yes when you are prompted to restart Windows. Go back and enable system restore again by unchecking that same box.

Download KillBox http://www.greyknigh...spy/KillBox.exe. Run KillBox and check the box that says 'End Explorer Shell While Killing File'. Next click on 'Delete on Reboot'. Copy the below files and go back to KillBox. Go to File->Paste from Clipboard and then hit the button with a red circle and white X. Confirm to delete and when asked if you want to reboot, say Yes:

C:\Program Files\Common Files\services.exe
C:\PROGRAM FILES\COMMON FILES\services.exe
C:\Program Files\DNS\cwebpage.dll
C:\PROGRAM FILES\Lycos
C:\Program Files\Lycos\Sidesearch\sidesearch13218.dll
C:\Recycled\Dc11.exe
C:\Recycled\Dc12.exe
C:\Recycled\Dc13.exe
C:\Recycled\Dc14.exe
C:\Recycled\Dc7.exe
C:\Recycled\Dc8.exe
C:\Recycled\Dc9.exe
C:\WINDOWS\Downloaded Program Files\videox.inf
C:\WINDOWS\Favorites\Casino & Carrers
C:\WINDOWS\INF\BIINI.INF
C:\WINDOWS\INF\BIINI.INF
C:\WINDOWS\SYSTEM\SBUtils
C:\WINDOWS\SYSTEM\SBUtils\SBWebCtl.dll
C:\WINDOWS\TEMP\FLEOK\msbb.exe
C:\WINDOWS\TEMP\msbb.exe
C:\WINDOWS\Temporary Internet Files\Content.IE5\CH2B416F\free_sex_viewer[1].exe


If you get a PendingOperations message, just close it and restart your computer manually.

Restart...

Download CleanUp! http://cleanup.stevengould.org/ (Alternate Link if main link doesn't work - http://www.greyknigh...spy/CleanUp.exe ) and install it. CleanUp! deletes EVERYTHING out of your temp/temporary folders, it does not make backups. If you have any documents or programs that are saved in any Temporary Folders, please make a backup of these before running CleanUp!. Run CleanUp! and click on the Options button. Uncheck 'Scan local drives for temporary files'. Also uncheck those two Newsgroup entries if you don't want to delete them. Click OK and then click on the CleanUp! button. Let it run. After it's done, choose Yes to logoff.

Delete these if found:

C:\Program Files\DNS\
C:\Program Files\Lycos\
C:\WINDOWS\Favorites\Casino & Carrers
C:\WINDOWS\SYSTEM\SBUtils


Restart and run a new Panda scan. Post the log here.

#9
scottsatellite

Member, Topic Starter

Disable System restore was already checked and it didn't ask me to restart when I unclicked and clicked it again.
Should I restart anyway, or unclick that box now?

Do you want me to redownload Killbox again? I downloaded it earlier as per your instructions.

I await your answer as I want to follow your exact instructions.

#10
greyknight17

Malware Expert

Yes, restart manually.

No need to redownload KillBox. Run the one you have now.
#11
scottsatellite

Member, Topic Starter

Not clear about this: "Go to Start->Settings->Control Panel and double click on the System icon. On the Performance tab click File System. Click the Troubleshooting tab, and then check 'Disable System Restore'. Click OK. Click Yes when you are prompted to restart Windows. Go back and enable system restore again by unchecking that same box."

With the "Go back and enable system restore again by unchecking that same box."

Do you want me to enable system restore right now after I restarted or are you just telling me that I can enable it at a later time? Seems like I would not want system restore since maybe viruses use that to restore themselves - on the other hand I have no idea what I'm talking about...haha that's why I'm asking.

Also, how do I check what things are in my temporary files so that I make sure they are backed up?

Sorry for these questions if you think they are silly - just don't want to make a mistake.

Thanks.

#12
scottsatellite

Member, Topic Starter

Haven't heard back from you and in the meanwhile I ran killbox and hoped the system restore setting was ok. Both times I have used killbox it has never asked me to reboot nor have I gotten a pending operation message. I followed your instructions and it seems those files are still there (content .IE5 was still in the find file after restarting manually after running killbox). Again, still not sure about the system restore settings until I hear back from you.

Sorry for my lack of expertise and your guidance is appreciated.

Thanks.

#13
scottsatellite

Member, Topic Starter

Greyknight,
Ran killbox, pasted the file list you made, followed instructions, restarted, ran cleanup, restarted, deleted files as you instructed, restarted.

Ran Panda scan. Here it is:


Incident Status Location

Spyware:spyware/betterinet No disinfected C:\WINDOWS\INF\BIINI.INF
Adware:adware/sidesearch No disinfected C:\PROGRAM FILES\Lycos
Adware:adware/maxifiles No disinfected C:\PROGRAM FILES\COMMON FILES\InetGet
Adware:adware/windowenhancer No disinfected C:\WINDOWS\SYSTEM\SBUtils
Adware:adware/elitebar No disinfected C:\WINDOWS\Favorites\Casino & Carrers
Spyware:spyware/dyfuca No disinfected Windows Registry
Spyware:Spyware/BetterInet No disinfected C:\WINDOWS\INF\BIINI.INF
Spyware:Spyware/Redhotnetworks No disinfected C:\WINDOWS\Downloaded Program Files\videox.inf
Hacktool:HackTool/ProcLog.A No disinfected C:\HP\bin\ProcessLogger.exe
Spyware:Spyware/Bridge No disinfected C:\_RESTORE\TEMP\JAO.0
Virus:W32/Sdbot.EFG.worm Disinfected C:\_RESTORE\TEMP\DC5.0
Virus:W32/Sdbot.EFG.worm Disinfected C:\_RESTORE\TEMP\XZ.1
Adware:Adware/Maxifiles No disinfected C:\_RESTORE\TEMP\SERVICES.0
Adware:Adware/Maxifiles No disinfected C:\Recycled\Dc1.dll
Adware:Adware/SideSearch No disinfected C:\Recycled\Dc8.dll
Adware:Adware/WindowEnhancer No disinfected C:\Recycled\Dc39.dll
Please let me know what to do next, or what I may have done incorrectly.
If there is a reason you won't/can't reply please let me know that too as I am not confident in doing this and don't want to be left uncertain. From what I know from other people who got the pokapoka/freeprod thing - hacktool was part of it - and I see it's still on here. Looking forward to your guidance. Thanks. Have a great one.

#14
greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Sorry for the delay. The forums were being upgraded yesterday so I didn't get to post my reply. Believe it or not, I was actually posting a reply to your first and second reply there...just when I got an error about the forum being upgraded :tazz: But I'm back now :)

I want you to enable system restore right after the restart since we don't want to take any chances (just in case your system crashes and needs a restore point).

You can see the files for the temp folders at:

C:\WINDOWS\TEMP\
C:\WINDOWS\Temporary Internet Files\

You shouldn't have anything important saved in those folders since they are called temporary folders.

Please disable system restore now. Restart and enable it back again.

Download KillBox http://www.greyknigh...spy/KillBox.exe. Run KillBox and check the box that says 'End Explorer Shell While Killing File'. Next click on 'Delete on Reboot'. Copy the below files and go back to KillBox. Go to File->Paste from Clipboard and then hit the button with a red circle and white X. Confirm to delete and when asked if you want to reboot, say Yes:

C:\PROGRAM FILES\COMMON FILES\InetGet\
C:\PROGRAM FILES\COMMON FILES\InetGet2\
C:\PROGRAM FILES\Lycos
C:\Recycled\Dc1.dll
C:\Recycled\Dc39.dll
C:\Recycled\Dc8.dll
C:\WINDOWS\Downloaded Program Files\videox.inf
C:\WINDOWS\Favorites\Casino & Carrers
C:\WINDOWS\INF\BIINI.INF
C:\WINDOWS\SYSTEM\SBUtils


If you get a PendingOperations message, just close it and restart your computer manually.

Restart...

Make sure these files/folders are deleted by now (if not, delete them now):

C:\PROGRAM FILES\COMMON FILES\InetGet\
C:\PROGRAM FILES\COMMON FILES\InetGet2\
C:\PROGRAM FILES\Lycos
C:\Recycled\Dc1.dll
C:\Recycled\Dc39.dll
C:\Recycled\Dc8.dll
C:\WINDOWS\Downloaded Program Files\videox.inf
C:\WINDOWS\Favorites\Casino & Carrers
C:\WINDOWS\INF\BIINI.INF
C:\WINDOWS\SYSTEM\SBUtils


Restart and run a new Panda scan. Post that log here along with a new HijackThis log.

#15
scottsatellite

Thanks. Great to hear from you and your explanations cleared that up.

Here's the latest panda scan, followed by Hijack this. Looks like the last set of deletions didn't take. I don't know that you have had me deal with that "Process logger" file yet - but it's been there in the last few scan reports. Here is the panda scan:

Incident                        Status          Location

Adware:adware/sidesearch        No disinfected  C:\PROGRAM FILES\Lycos
Adware:adware/maxifiles         No disinfected  C:\PROGRAM FILES\COMMON FILES\InetGet
Adware:adware/windowenhancer    No disinfected  C:\WINDOWS\SYSTEM\SBUtils
Adware:adware/elitebar          No disinfected  C:\WINDOWS\Favorites\Casino & Carrers
Spyware:spyware/dyfuca          No disinfected  Windows Registry
Spyware:Spyware/Redhotnetworks  No disinfected  C:\WINDOWS\Downloaded Program Files\videox.inf
Hacktool:HackTool/ProcLog.A     No disinfected  C:\HP\bin\ProcessLogger.exe
Spyware:Spyware/Bridge          No disinfected  C:\_RESTORE\TEMP\JAO.0
Adware:Adware/Maxifiles         No disinfected  C:\_RESTORE\TEMP\SERVICES.0
Adware:Adware/Maxifiles         No disinfected  C:\Recycled\Dc1.dll
Adware:Adware/SideSearch        No disinfected  C:\Recycled\Dc8.dll
Adware:Adware/WindowEnhancer    No disinfected  C:\Recycled\Dc39.dll
Spyware:Spyware/BetterInet      No disinfected  C:\Recycled\Dc66.INF

Here's the hijack this:

Logfile of HijackThis v1.99.1
Scan saved at 1:10:13 AM, on 10/13/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\LOGMEIN\LOGMEIN.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\PROGRAM FILES\LOGMEIN\LOGMEINSYSTRAY.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\AWS\WEATHERBUG\WEATHER.EXE
C:\PROGRAM FILES\AIM95\AIM.EXE
C:\PALM\HOTSYNC.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\DESKTOP\VIRUS SOFTWARE\HIJACK.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://hp.my.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\PROGRAM FILES\LOGMEIN\LogMeInSystray.exe"
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\RunServices: [LogMeIn] "C:\PROGRAM FILES\LOGMEIN\LogMeIn.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Weather] C:\PROGRAM FILES\AWS\WEATHERBUG\WEATHER.EXE 1
O4 - HKCU\..\Run: [AIM] C:\PROGRAM FILES\AIM95\aim.exe -cnetwait.odl
O4 - Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE
O8 - Extra context menu item: &AIM Search - res://C:\PROGRAM FILES\AIM TOOLBAR\AIMBAR.DLL/aimsearch.htm
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM95\AIM.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://hp.my.yahoo.com
O16 - DPF: {34805D32-AD89-469E-8503-A5666AEE4333} (RdxIE Class) - http://207.188.25.41...etzip/RdxIE.cab
O16 - DPF: {1C955F3B-5B32-4393-A05D-24B4970CD2A1} - http://stream10k.red...cabs/videox.cab
O16 - DPF: {1B77F337-2C1E-4D52-88F7-AAEE5BFB6F5B} - http://www.netbroadc...ieNetworks1.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150...ip/RdxIE601.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logme...ivex/ractrl.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...ebscan_ansi.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab

Alrighty. Still some work to do here obviously - and I thought I would be the magical get it on the first try guy..lol. I'll be up for a bit if you are still around. Muchas gracias once again :tazz:
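Cross-checking the removal list in post #14 against the follow-up Panda scan in post #15, as an added example that is not part of the thread. The paths and scan rows are copied from those two posts as constructed sample input; `triage`, `norm` and the bucket names are hypothetical.

```python
import re

# Constructed input: removal list from post #14, scan rows from post #15.
KILL_LIST = r"""
C:\PROGRAM FILES\COMMON FILES\InetGet\
C:\PROGRAM FILES\COMMON FILES\InetGet2\
C:\PROGRAM FILES\Lycos
C:\Recycled\Dc1.dll
C:\Recycled\Dc39.dll
C:\Recycled\Dc8.dll
C:\WINDOWS\Downloaded Program Files\videox.inf
C:\WINDOWS\Favorites\Casino & Carrers
C:\WINDOWS\INF\BIINI.INF
C:\WINDOWS\SYSTEM\SBUtils
"""
SCAN = r"""
Adware:adware/sidesearch No disinfected C:\PROGRAM FILES\Lycos
Adware:adware/maxifiles No disinfected C:\PROGRAM FILES\COMMON FILES\InetGet
Adware:adware/windowenhancer No disinfected C:\WINDOWS\SYSTEM\SBUtils
Adware:adware/elitebar No disinfected C:\WINDOWS\Favorites\Casino & Carrers
Spyware:spyware/dyfuca No disinfected Windows Registry
Spyware:Spyware/RedhotnetworksNo disinfected C:\WINDOWS\Downloaded Program Files\videox.inf
Hacktool:HackTool/ProcLog.A No disinfected C:\HP\bin\ProcessLogger.exe
Spyware:Spyware/Bridge No disinfected C:\_RESTORE\TEMP\JAO.0
Adware:Adware/Maxifiles No disinfected C:\_RESTORE\TEMP\SERVICES.0
Adware:Adware/Maxifiles No disinfected C:\Recycled\Dc1.dll
Adware:Adware/SideSearch No disinfected C:\Recycled\Dc8.dll
Adware:Adware/WindowEnhancer No disinfected C:\Recycled\Dc39.dll
Spyware:Spyware/BetterInet No disinfected C:\Recycled\Dc66.INF
"""
# Threat name, status, location; \s* tolerates the fused "RedhotnetworksNo".
ROW = re.compile(r"^\w+:(\S+?)\s*(No disinfected|Disinfected)\s+(.+)$")

def norm(path):  # Win9x paths are case-insensitive; ignore a trailing backslash
    return path.strip().rstrip("\\").upper()

def triage(kill_list, scan):
    targeted = {norm(p) for p in kill_list.splitlines() if p.strip()}
    rows = (ROW.match(line.strip()) for line in scan.splitlines())
    live = {norm(m.group(3)) for m in rows if m and m.group(2) == "No disinfected"}
    return {"survived": sorted(targeted & live),      # listed, still detected
            "untargeted": sorted(live - targeted),    # detected, never listed
            "not_flagged": sorted(targeted - live)}   # listed, absent from this scan

if __name__ == "__main__":
    for bucket, paths in triage(KILL_LIST, SCAN).items():
        print(bucket, *paths, sep="\n  ")
```

On this data it reports eight listed paths still detected, five detections that were never on the list (among them `C:\HP\bin\ProcessLogger.exe` and the `C:\_RESTORE\TEMP` entries), and two listed paths absent from the scan.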