Help me on this [CLOSED]


This topic is locked.

#1
Virgilut
Member, 10 posts
Logfile of HijackThis v1.99.1
Scan saved at 22:14:42, on 14.10.2005
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\INETSRV\INETINFO.EXE
C:\WINDOWS\SYSTEM\MDM.EXE
C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON UTILITIES\NPROTECT.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\SYMTRAY.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\MSDTCW.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\PWSTRAY.EXE
C:\WINDOWS\SYSTEM\INTERNAT.EXE
C:\PROGRAM FILES\RFA\RFAGENT.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\1048\MSOFFICE.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
D:\HIJACKTHIS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ro/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: ActiveX Control - {E9694F20-BEF8-11D9-BF5E-444553540000} - (no file)
O2 - BHO: IE SP2 AddOn - {108005E0-BEF9-11D9-BF5E-444553540000} - (no file)
O2 - BHO: (no name) - {50DCBDC1-BF46-11D9-BF5E-44452620839E} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [PWSTray] PwsTray.exe
O4 - HKLM\..\Run: [internat.exe] internat.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMON.EXE /Consumer
O4 - HKLM\..\Run: [NPROTECT] C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O4 - HKLM\..\Run: [rfagent] "C:\PROGRAM FILES\RFA\rfagent.exe"
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [MSDTC] msdtcw -start
O4 - HKLM\..\RunServices: [inetinfo.exe] C:\WINDOWS\SYSTEM\inetsrv\inetinfo.exe -e w3svc
O4 - HKLM\..\RunServices: [Machine Debug Manager] C:\WINDOWS\SYSTEM\MDM.EXE
O4 - HKLM\..\RunServices: [NPROTECT] C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O4 - HKLM\..\RunServices: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\SymTray.exe "Norton SystemWorks"
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Add to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\WebMenuImg.htm
O9 - Extra button: Microsoft AntiSpyware helper - {53623020-BF46-11D9-BF5E-444553540000} - (no file)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {53623020-BF46-11D9-BF5E-444553540000} - (no file)
O9 - Extra button: Microsoft AntiSpyware helper - {53623020-BF46-11D9-BF5E-444553540000} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {53623020-BF46-11D9-BF5E-444553540000} - (no file) (HKCU)
O12 - Plugin for .pdf: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
O12 - Plugin for .mov: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O15 - Trusted IP range: 67.19.185.246
O16 - DPF: Visual Studio 6 Extensibility Libraries -
O16 - DPF: Microsoft WFC Forms Designer -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.mac...ash/swflash.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 85.255.113.149,85.255.112.11
  • 0

#2
Buckeye_Sam
Malware Expert, 10,019 posts
Hi and welcome to GeeksToGo! My name is Sam and I will be helping you. :tazz:

I apologize for the delay getting to your log, the helpers here are very busy.
If you still need help, please post a fresh Hijack log, in this thread, so I can help you with your Malware Problems.

If you have resolved this issue please let us know.
  • 0

#3
Virgilut
Topic Starter, Member, 10 posts
Dear Buckeye_Sam,
Thank you very much for your intention, but after a whole day of attempts I have succeeded in getting rid of that nasty malware by running Ad-Aware in safe mode.
However, I still have a problem with my PC, probably a consequence of that infection and system crash. My problem is known as the "FAT32 free space bug" and consists in the fact that even though I know for sure that I have 1.3 GB of free space on my hard disk, Windows Explorer shows just 600 MB of free space.
In the past I've solved this problem using Microsoft ScanDisk or Norton Disk Doctor, but this time both utilities report that there are no problems with my FAT32. My OS is Windows 98.
If you have an idea how I can solve this, please let me know.
Thank you again for your kindness.
Virgilut
  • 0

#4
Buckeye_Sam
Malware Expert, 10,019 posts
I'd be surprised if Adaware was able to fix what I was seeing in your log. Can you post a new hijackthis log?
  • 0

#5
Virgilut
Topic Starter, Member, 10 posts
Dear Buckeye_Sam,
Here is my new HijackThis Log. I'm very curious to find out if I still have malware infections on my PC.
After your last reply I'm not so sure: maybe Spybot was the program that solved the infection, showing me in safe mode an infection not present in normal mode.
Anyway, the problem with the free space on my hard disk persists.
Thank you again.
Virgilut


Logfile of HijackThis v1.99.1
Scan saved at 20:38:30, on 21.10.2005
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\INETSRV\INETINFO.EXE
C:\WINDOWS\SYSTEM\MDM.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\SYMTRAY.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\MSDTCW.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\PWSTRAY.EXE
C:\WINDOWS\SYSTEM\INTERNAT.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\1048\MSOFFICE.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
D:\HIJACKTHIS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ro/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: ActiveX Control - {E9694F20-BEF8-11D9-BF5E-444553540000} - (no file)
O2 - BHO: IE SP2 AddOn - {108005E0-BEF9-11D9-BF5E-444553540000} - (no file)
O2 - BHO: (no name) - {50DCBDC1-BF46-11D9-BF5E-44452620839E} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [PWSTray] PwsTray.exe
O4 - HKLM\..\Run: [internat.exe] internat.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMON.EXE /Consumer
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [MSDTC] msdtcw -start
O4 - HKLM\..\RunServices: [inetinfo.exe] C:\WINDOWS\SYSTEM\inetsrv\inetinfo.exe -e w3svc
O4 - HKLM\..\RunServices: [Machine Debug Manager] C:\WINDOWS\SYSTEM\MDM.EXE
O4 - HKLM\..\RunServices: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\SymTray.exe "Norton SystemWorks"
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Add to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\WebMenuImg.htm
O12 - Plugin for .pdf: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
O12 - Plugin for .mov: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O15 - Trusted IP range: 67.19.185.246
O16 - DPF: Visual Studio 6 Extensibility Libraries -
O16 - DPF: Microsoft WFC Forms Designer -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.mac...ash/swflash.cab
  • 0

#6
Buckeye_Sam
Malware Expert, 10,019 posts
I'll admit, I see some leftovers but nothing active. :tazz:

Run HijackThis again, click Scan, and put a checkmark next to each of these. Then close all other windows--you should only see HijackThis on your Desktop--and click the Fix Checked button.

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: ActiveX Control - {E9694F20-BEF8-11D9-BF5E-444553540000} - (no file)
O2 - BHO: IE SP2 AddOn - {108005E0-BEF9-11D9-BF5E-444553540000} - (no file)
O2 - BHO: (no name) - {50DCBDC1-BF46-11D9-BF5E-44452620839E} - (no file)
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O15 - Trusted IP range: 67.19.185.246
O16 - DPF: Visual Studio 6 Extensibility Libraries -
O16 - DPF: Microsoft WFC Forms Designer -



Reboot your computer.

Now let's see if there's anything hidden that we don't see.

Download and save BlackLight to your desktop. Double-click blbeta.exe, accept the agreement, leave [X] Scan through Windows Explorer checked, click Scan > Next.

You'll see a list of all the items it found. There will also be a log on your desktop with the name fsbl.xxxxxxx.log (where xxxxxxx represents numbers). The application finds both bad files and legitimate ones such as "wbemtest.exe", so don't choose the rename option yet! Copy and paste the log it generated in your next reply.


Also post a new hijackthis log.
  • 0
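As an added example (my own code, not part of this thread and not HijackThis's own), here is a small Python reader for HijackThis 1.99.1 logs of the kind posted above. It parses the scan lines, flags the entry types Sam asked to have fixed (O2/O9 entries pointing at "(no file)", the O15 trusted IP range, O16 DPF entries with no source URL, empty R0 start/local page values, the O6 policy restriction) plus any O17 NameServer override, and diffs two logs to show what a cleanup removed. The flagging rules are my own review heuristics, not a verdict on any line; the two sample logs are constructed excerpts modelled on the first and third logs in this thread.

```python
"""Parse HijackThis 1.99.1 scan lines and flag entries worth a second look.
The review heuristics below are the example author's own, not HijackThis's."""
import re
from typing import List, NamedTuple, Optional, Set, Tuple


class Entry(NamedTuple):
    section: str   # HijackThis section code, e.g. "O2", "O15", "R0"
    body: str      # rest of the line after "O2 - "


# A scan line looks like "O15 - Trusted IP range: 67.19.185.246".
# Header lines ("Logfile of ...") and process paths do not match and are skipped.
LINE_RE = re.compile(r"^(R\d|F\d|N\d|O\d{1,2}) - (.*)$")


def parse_hjt(text: str) -> List[Entry]:
    """Return the scan entries from a log; header and process lines are skipped."""
    entries: List[Entry] = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            entries.append(Entry(m.group(1), m.group(2).rstrip()))
    return entries


def flag_entry(e: Entry) -> Optional[str]:
    """Reason string if the entry matches a review heuristic, else None."""
    if e.section in ("O2", "O9") and e.body.endswith("(no file)"):
        return "registered component whose file is missing (orphaned leftover)"
    if e.section == "O15":
        return "IP range added to an IE trusted security zone"
    if e.section == "O17" and "NameServer" in e.body:
        return "custom DNS server configured; confirm it belongs to your ISP"
    if e.section == "O16" and e.body.endswith("-"):
        return "DPF (downloaded program) entry with no source URL"
    if e.section == "R0" and e.body.endswith("="):
        return "empty IE start/local page value"
    if e.section == "O6":
        return "IE Control Panel policy restriction present"
    return None


def fmt(e: Entry) -> str:
    """Rebuild the original scan line from an Entry."""
    return f"{e.section} - {e.body}"


def review(text: str) -> List[Tuple[str, str]]:
    """Flagged entries as (original line, reason) pairs, in log order."""
    out: List[Tuple[str, str]] = []
    for e in parse_hjt(text):
        reason = flag_entry(e)
        if reason:
            out.append((fmt(e), reason))
    return out


def removed_between(old: str, new: str) -> Set[str]:
    """Scan lines present in `old` but absent from `new` (what a cleanup removed)."""
    return {fmt(e) for e in parse_hjt(old)} - {fmt(e) for e in parse_hjt(new)}


# Constructed excerpt modelled on the first log in this thread (not the full log).
SAMPLE_OLD = """\
Logfile of HijackThis v1.99.1
Running processes:
C:\\WINDOWS\\SYSTEM\\KERNEL32.DLL

R0 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Start Page = http://www.google.ro/
R0 - HKLM\\Software\\Microsoft\\Internet Explorer\\Main,Start Page =
O2 - BHO: ActiveX Control - {E9694F20-BEF8-11D9-BF5E-444553540000} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\\PROGRA~1\\SPYBOT~1\\SDHELPER.DLL
O6 - HKCU\\Software\\Policies\\Microsoft\\Internet Explorer\\Control Panel present
O15 - Trusted IP range: 67.19.185.246
O16 - DPF: Visual Studio 6 Extensibility Libraries -
O17 - HKLM\\System\\CCS\\Services\\VxD\\MSTCP: NameServer = 85.255.113.149,85.255.112.11
"""

# Constructed excerpt modelled on the third log in this thread, after the fixes.
SAMPLE_NEW = """\
R0 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Start Page = http://www.google.ro/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\\PROGRA~1\\SPYBOT~1\\SDHELPER.DLL
O15 - Trusted IP range: 67.19.185.246
"""

if __name__ == "__main__":
    for line, reason in review(SAMPLE_OLD):
        print(f"[review] {reason}\n         {line}")
    print("removed by cleanup:")
    for line in sorted(removed_between(SAMPLE_OLD, SAMPLE_NEW)):
        print("  " + line)
```

Run it against a saved log with `review(open("hijackthis.log").read())`; the diff helper is what you would use to confirm that the lines checked in Fix Checked actually disappeared from the next scan.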

#7
Virgilut
Topic Starter, Member, 10 posts
Hello Sam,

I've followed your instructions but I encounter some problems.

First I ran HijackThis and, as you can see in the new log below, the line
O15 - Trusted IP range: 67.19.185.246
could not be fixed, even though I tried to remove it three or four times.

Then I downloaded BlackLight following your link, but I could not execute it, because first I received an error message that the required file userenv.dll is missing. After I downloaded the file from the Internet and put it both in the same directory as blbeta.exe and in the Windows\system directory, I received the following new error message (in a window named "Error Starting Program"): "The USERENV.DLL file is linked to missing export NTDLL.DLL:RtlDosPathNameToNtPathName_U". After I click OK, I receive in a new window: "A device attached to the computer is not functioning".
I checked whether I have the file NTDLL.DLL in my Windows\system directory, and I found it there.
Maybe I'm not so clean yet!!!!
By the way, the free space on my disk is still (falsely) very low.
I'm waiting for your reply, if you still have enough patience for my endless problems.

Virgilut

Logfile of HijackThis v1.99.1
Scan saved at 16:48:01, on 22.10.2005
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\INETSRV\INETINFO.EXE
C:\WINDOWS\SYSTEM\MDM.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\SYMTRAY.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\SYSTEM\MSDTCW.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\PWSTRAY.EXE
C:\WINDOWS\SYSTEM\INTERNAT.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\1048\MSOFFICE.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
D:\HIJACKTHIS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ro/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [PWSTray] PwsTray.exe
O4 - HKLM\..\Run: [internat.exe] internat.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMON.EXE /Consumer
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [MSDTC] msdtcw -start
O4 - HKLM\..\RunServices: [inetinfo.exe] C:\WINDOWS\SYSTEM\inetsrv\inetinfo.exe -e w3svc
O4 - HKLM\..\RunServices: [Machine Debug Manager] C:\WINDOWS\SYSTEM\MDM.EXE
O4 - HKLM\..\RunServices: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\SymTray.exe "Norton SystemWorks"
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Add to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\WebMenuImg.htm
O12 - Plugin for .pdf: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
O12 - Plugin for .mov: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O15 - Trusted IP range: 67.19.185.246
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.mac...ash/swflash.cab
  • 0

#8
Buckeye_Sam
Malware Expert, 10,019 posts
Download (right-click and select Save File As or Save Link As): DelDomains.inf
http://mvps.org/winh.../DelDomains.inf

To use: close all open browsers.
Right-click DelDomains.inf and select: Install


This should remove that O15 line for you.

How are things working for you? Any problems?
  • 0

#9
Virgilut
Topic Starter, Member, 10 posts
Dear Sam,
I downloaded the file DelDomains.inf and after I installed it, I was able to remove the O15 line.
By the way, I finally discovered the "mystery" of those error messages which appear when I try to install BlackLight Beta. This program works only under the Windows 2000 or Windows XP operating systems, and I have Windows 98 on my PC! So I can't use this tool and show you its log.
Except for that strange behavior of the hard disk's free space indicator, showing (in my opinion) wrong data, for the moment everything seems to be OK.
If you have any clue about that, let me know.
Thanks for all.
Virgilut
  • 0


#11
Buckeye_Sam
Malware Expert, 10,019 posts
Try this:

Click Start -> Run
Type in chkdsk C: /f /x /r

When that is complete, run defrag.
Then reboot and check your space.

Let me know if that helps at all.
  • 0

#12
Virgilut
Topic Starter, Member, 10 posts
Hello Sam,
I've done everything you wrote to me. First I tried to run chkdsk, but I received a "parse error 3", and after changing the command line (removing /x /r) I was prompted to use ScanDisk instead. As usual, ScanDisk did not find any errors on my hard disk.
Then I successfully ran defrag and, of course, my computer's speed improved, but my free space is still low. I'm beginning to think that maybe I have some huge backup files or something like that on that drive.
I've downloaded Clean Up from the Geeks To Go site and I'll try to use it.

Virgilut
  • 0

#13
Buckeye_Sam
Malware Expert, 10,019 posts
Download and install the free version of TreeSize.
http://www.jam-softw...are/index.shtml

Then go exploring and see if you can determine where all your space is being used. At this point it's doubtful that it's a malware issue, but I can't completely rule it out. Let me know what you find.
  • 0
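As an added example (my own code, not TreeSize and not from this thread), here is a Python script that does what Sam suggests doing with TreeSize: walk a drive or folder, sum file sizes bottom-up, and list the directories holding the most data, so a disk whose free-space counter looks wrong can be compared against what is actually stored on it. The sample tree with one oversized "backup" file is constructed for the demo; point `biggest()` at a real path such as `C:\` to use it.

```python
"""TreeSize-style report: which directories under a root hold the most bytes.
Sizes come from the files on disk, independent of the free-space counter."""
import os
import tempfile
from typing import Dict, List, Tuple


def directory_sizes(root: str) -> Dict[str, int]:
    """Map each directory under `root` (inclusive) to the bytes of all files beneath it."""
    totals: Dict[str, int] = {}
    # Walk bottom-up so each subdirectory's total is known before its parent is summed.
    for dirpath, dirnames, filenames in os.walk(root, topdown=False):
        size = 0
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                # lstat: do not follow symlinks, so a link does not count its target twice
                size += os.lstat(path).st_size
            except OSError:
                pass  # unreadable or vanished file; skip it rather than abort the scan
        for name in dirnames:
            # os.walk does not descend into symlinked directories, so default to 0
            size += totals.get(os.path.join(dirpath, name), 0)
        totals[dirpath] = size
    return totals


def biggest(root: str, top: int = 10) -> List[Tuple[str, int]]:
    """Directories sorted by total size, largest first (the root is always first)."""
    totals = directory_sizes(root)
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)[:top]


def human(n: float) -> str:
    """Format a byte count with binary units, Explorer-style (1 KB = 1024 B)."""
    for unit in ("B", "KB", "MB", "GB"):
        if n < 1024:
            return f"{int(n)} B" if unit == "B" else f"{n:.1f} {unit}"
        n /= 1024
    return f"{n:.1f} TB"


def make_sample_tree(base: str) -> None:
    """Constructed sample: a small tree where one old backup file dominates."""
    os.makedirs(os.path.join(base, "docs"), exist_ok=True)
    os.makedirs(os.path.join(base, "backup", "old"), exist_ok=True)
    with open(os.path.join(base, "docs", "a.txt"), "wb") as f:
        f.write(b"x" * 1_000)
    with open(os.path.join(base, "backup", "old", "big.bak"), "wb") as f:
        f.write(b"y" * 50_000)
    with open(os.path.join(base, "backup", "b.bak"), "wb") as f:
        f.write(b"z" * 5_000)


def demo() -> Dict[str, int]:
    """Build the sample tree in a temp dir and return sizes keyed by '/'-separated relative path."""
    with tempfile.TemporaryDirectory() as tmp:
        make_sample_tree(tmp)
        return {
            os.path.relpath(p, tmp).replace(os.sep, "/"): s
            for p, s in directory_sizes(tmp).items()
        }


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        make_sample_tree(tmp)
        for path, size in biggest(tmp):
            print(f"{human(size):>10}  {os.path.relpath(path, tmp)}")
```

If the per-directory totals add up to far less than "used space" reported by the OS, the gap is in lost clusters, hidden system areas or the file system's own accounting rather than in files you can delete, which is exactly the case a ScanDisk pass is meant to settle.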

#14
Buckeye_Sam
Malware Expert, 10,019 posts
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.
  • 0