Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

RE:Another issue


  • Please log in to reply

#1
dhnish

dhnish

    Member

  • Member
  • PipPip
  • 30 posts
Hi

This is on WIN98, have run Ad-aware/Cwredder . Found 287 spywares. No viruses
were detected. Have just installed window-washer. Is there anything else i need to do?Pls advice
Thank you and have a nice day

Yours in service
dhnish

Logfile of HijackThis v1.98.2
Scan saved at 5:29:16 PM, on 1/14/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\R_SERVER.EXE
C:\PROGRAM FILES\NETWORK ASSOCIATES\VIRUSSCAN\AVSYNMGR.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\MUSICMATCH\MUSICMATCH JUKEBOX\MM_TRAY.EXE
C:\PROGRAM FILES\MYWEBSEARCH\BAR\1.BIN\MWSOEMON.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\PROGRAM FILES\WINDOWS SERVEAD\WINSERVAD.EXE
C:\PROGRAM FILES\WINDOWS SERVEAD\WINSERVSUIT.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\UTILITY\HIJACKTHIS TOOL\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.freeze.com/start.shtml
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - C:\PROGRAM FILES\MYWEBSEARCH\SRCHASTT\1.BIN\MWSSRCAS.DLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: mwsBar BHO - {07B18EA1-A523-4961-B6BB-170DE4475CCA} - C:\PROGRAM FILES\MYWEBSEARCH\BAR\1.BIN\MWSBAR.DLL
O2 - BHO: MyWebSearch Search Assistant BHO - {00A6FAF1-072E-44cf-8957-5838F569A31D} - C:\PROGRAM FILES\MYWEBSEARCH\SRCHASTT\1.BIN\MWSSRCAS.DLL
O2 - BHO: QuickSearch SearchBar - {82315A18-6CFB-44a7-BDFD-90E36537C252} - C:\Program Files\QuickSearch\QuickSearchBar3_28.dll
O2 - BHO: InstaFinder - {4E7BD74F-2B8D-469E-DCF7-F96DA086B434} - C:\WINDOWS\DOWNLO~1\INSTAFIN.DLL (file missing)
O2 - BHO: URLLink Class - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} - C:\Program Files\NewDotNet\newdotnet6_38.dll
O2 - BHO: Search Relevancy - {1D7E3B41-23CE-469B-BE1B-A64B877923E1} - C:\PROGRA~1\SEARCH~1\SEARCH~1.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: QuickSearch SearchBar - {82315A18-6CFB-44a7-BDFD-90E36537C252} - C:\Program Files\QuickSearch\QuickSearchBar3_28.dll
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\BAR\1.BIN\MWSOEMON.EXE
O4 - HKLM\..\Run: [WebRebates0] "C:\PROGRAM FILES\WEB_REBATES\WebRebates0.exe"
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,NewDotNetStartup -s
O4 - HKLM\..\Run: [Windows ServeAd] C:\PROGRAM FILES\WINDOWS SERVEAD\WINSERVAD.EXE
O4 - HKLM\..\Run: [SAHAgent] C:\WINDOWS\SYSTEM\SahAgent.exe
O4 - HKLM\..\Run: [CMESys] "C:\PROGRAM FILES\COMMON FILES\CMEII\CMESYS.EXE"
O4 - HKLM\..\Run: [anuzmp] C:\WINDOWS\anuzmp.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [r_server] C:\WINDOWS\SYSTEM\R_SERVER.EXE /service
O4 - HKLM\..\RunServices: [McAfeeVirusScanService] C:\Program Files\Network Associates\VirusScan\AVSYNMGR.EXE
O4 - HKLM\..\RunOnce: [Index Washer] C:\Program Files\Webroot\Washer\WashIdx.exe "erica"
O4 - HKCU\..\Run: [MsnMsgr] "c:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\BAR\1.BIN\MWSOEMON.EXE
O4 - HKCU\..\Run: [Window Washer] C:\Program Files\Webroot\Washer\wwDisp.exe /startup
O4 - Startup: GStartup.lnk = C:\Program Files\Common Files\GMT\GMT.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: Post-it® Software Notes Lite.lnk = C:\Program Files\3M\PSN2Lite\Psn2Lite.exe
O4 - Startup: MyWebSearch Email Plugin.lnk = C:\Program Files\MyWebSearch\bar\1.bin\MWSOEMON.EXE
O8 - Extra context menu item: &Search - http://bar.mywebsear...?p=ZNxdm11968MY
O8 - Extra context menu item: Web Rebates - file://C:\PROGRAM FILES\WEB_REBATES\Sy1150\Tp1150\scri1150a.htm
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O10 - Hijacked Internet access by New.Net
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.co...etup1.0.0.8.cab
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windup.../bridge-c46.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/...ro.cab32846.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
  • 0

Advertisements


#2
ilago

ilago

    Visiting Staff

  • Visiting Consultant
  • 363 posts
Hi Dhnish

You do have some spyware problems there.

You are using the old version of HijackThis. Please download the new version from here http://www.geekstogo...action=cat&id=3 It is more powerful than the version you have used and can find more hijackers. Do a fresh HijackThis log with the new version and post it.

Download LSPfix.exe from http://cexx.org/lspfix.htm and put it somewhere accessible. You may need it later.

Please let me know if this is your choice of homepage http://my.freeze.com/start.shtml
It is not a site I know.
  • 0

#3
coachwife6

coachwife6

    SuperStar

  • Retired Staff
  • 11,413 posts
Hi dhnish. Why so many computers? In the last two weeks, we have cleaned up at least four different machines. Are they for different users? Or are some of them the same computers that run into various problems?
  • 0

#4
dhnish

dhnish

    Member

  • Topic Starter
  • Member
  • PipPip
  • 30 posts
Hi

I'am sorry for posting so many questions on this issues.But they are from different computers used by different users. They are also from different location.
Nowadays i'am encountering this issues vry often - previously i used to format and install but now since i found this site, and you guys are vry helpfull indeed thus i was hoping you would sincerely solve my issues. This is much faster and users are happy.
I will work on my own first if i cannot find an answer i really hope you guys can assist.
Thank you and have a nice day

Yours in service
dhnish
  • 0

#5
coachwife6

coachwife6

    SuperStar

  • Retired Staff
  • 11,413 posts
Why do you clean so many computers? Is it for your job?
  • 0

#6
dhnish

dhnish

    Member

  • Topic Starter
  • Member
  • PipPip
  • 30 posts
Hi

One of my job function in this company is to also maintain the health of the computers. Yes,its also my job. If users hve problems they come to me.
Hope you can assist.
Thank you and have a nice day

Yours in service
dhnish
:)
  • 0

#7
ilago

ilago

    Visiting Staff

  • Visiting Consultant
  • 363 posts
Hi Dhnish

If you are going to be doing this on a lot of computers you maybe should learn more about removal methods and definitely more about prevention methods.

Most of the spyware on this machine was installed by someone agreeing to download and install other software. It wasn't by accident.

I hope you downloaded LSPfix.exe from http://cexx.org/lspfix.htm as requested. You will need it later.

You may need to print this out or copy and paste into a Notepad file so you can keep track of the deletions when you are working in Safe Mode and not connected to the internet.

Newdotnet is a special case.

Newdotnet sometimes New.Net may be listed in Control Panel Add/Remove Programs, if it is use that method to uninstall. If it is not please locate the Newdotnet folder in the Program Files folder and check if the 'NDNuninstallX_XX.exe' file is located there (the XXXs are version numbers). If it is - double click that file to uninstall it. It isn't there with all variants. If neither method is available then continue with the HijackThis fix.

Open HijackThis and click on "Open Misc Tools Section" and "Open Process Manager"

Find these processes in the list, select them and click on "Kill Process". Read the name very carefully as there may be some names that are similar but that are genuine files.

MWSOEMON.EXE
WINSERVAD.EXE
WINSERVSUIT.EXE

Then click on Back which will open the HijackThis Scan Screen. Click on Scan. When the scan is complete check all the following items. Then disconnect from the internet and close all open windows including this browser window and click on Fix checked.

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.freeze.com/start.shtml
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - C:\PROGRAM FILES\MYWEBSEARCH\SRCHASTT\1.BIN\MWSSRCAS.DLL
O2 - BHO: mwsBar BHO - {07B18EA1-A523-4961-B6BB-170DE4475CCA} - C:\PROGRAM FILES\MYWEBSEARCH\BAR\1.BIN\MWSBAR.DLL
O2 - BHO: MyWebSearch Search Assistant BHO - {00A6FAF1-072E-44cf-8957-5838F569A31D} - C:\PROGRAM FILES\MYWEBSEARCH\SRCHASTT\1.BIN\MWSSRCAS.DLL
O2 - BHO: QuickSearch SearchBar - {82315A18-6CFB-44a7-BDFD-90E36537C252} - C:\Program Files\QuickSearch\QuickSearchBar3_28.dll
O2 - BHO: InstaFinder - {4E7BD74F-2B8D-469E-DCF7-F96DA086B434} - C:\WINDOWS\DOWNLO~1\INSTAFIN.DLL (file missing)
O2 - BHO: URLLink Class - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} - C:\Program Files\NewDotNet\newdotnet6_38.dll
O2 - BHO: Search Relevancy - {1D7E3B41-23CE-469B-BE1B-A64B877923E1} - C:\PROGRA~1\SEARCH~1\SEARCH~1.DLL
O3 - Toolbar: QuickSearch SearchBar - {82315A18-6CFB-44a7-BDFD-90E36537C252} - C:\Program Files\QuickSearch\QuickSearchBar3_28.dll
O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\BAR\1.BIN\MWSOEMON.EXE
O4 - HKLM\..\Run: [WebRebates0] "C:\PROGRAM FILES\WEB_REBATES\WebRebates0.exe"
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,NewDotNetStartup -s
O4 - HKLM\..\Run: [Windows ServeAd] C:\PROGRAM FILES\WINDOWS SERVEAD\WINSERVAD.EXE
O4 - HKLM\..\Run: [SAHAgent] C:\WINDOWS\SYSTEM\SahAgent.exe
O4 - HKLM\..\Run: [CMESys] "C:\PROGRAM FILES\COMMON FILES\CMEII\CMESYS.EXE"
O4 - HKLM\..\Run: [anuzmp] C:\WINDOWS\anuzmp.exe
O4 - HKCU\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\BAR\1.BIN\MWSOEMON.EXE
O4 - Startup: GStartup.lnk = C:\Program Files\Common Files\GMT\GMT.exe
O4 - Startup: MyWebSearch Email Plugin.lnk = C:\Program Files\MyWebSearch\bar\1.bin\MWSOEMON.EXE
O8 - Extra context menu item: &Search - http://bar.mywebsear...?p=ZNxdm11968MY
O8 - Extra context menu item: Web Rebates - file://C:\PROGRAM FILES\WEB_REBATES\Sy1150\Tp1150\scri1150a.htm
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.co...etup1.0.0.8.cab
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windup.../bridge-c46.cab



Open Control Panel and go to Add/Remove programs

If the following programs are listed please uninstall them - they may not be listed. If they aren't you can't use that method.

MyWebSearch
CMEII (Part of Gain/Gator/Claria)
GMT (also Part of Gain/Gator/Claria)
Quicksearch

Reboot into Safe Mode by continually tapping the F8 key as soon as the computer starts to boot up. When the Safe Mode screen appears

Open Windows Explorer and go to >Tools>Folder Options>View, select:

Show hidden files and folders
Display the contents of system folders

Uncheck:

Hide protected operating system files

Set search options
Next go to Search > All files and folders > More advanced options and click.

Be sure the first three boxes are selected:

Search System folders
Search Hidden Files and folders
Search SubFolders

Delete all the files and folders noted in bold below. Some may not be there but use the search function in Windows Explorer to make sure.

C:\WINDOWS\web\ related.htm - file only
C:\PROGRAM FILES\ MYWEBSEARCH - delete entire folder
C:\Program Files\Common Files\ GMT\GMT.exe - delete entire folder
C:\PROGRAM FILES\ WEB_REBATES\Sy1150\Tp1150\scri1150a.htm -delete entire folder
C:\WINDOWS\ anuzmp.exe - delete file only
C:\PROGRAM FILES\COMMON FILES\ CMEII\CMESYS.EXE - delete entire folder
C:\WINDOWS\SYSTEM\ SahAgent.exe - delete file only
C:\Program Files\ QuickSearch\QuickSearchBar3_28.dll - delete
C:\WINDOWS\DOWNLOADS\ INSTAFIN.DLL
C:\PROGRAM FILES\ WINDOWS SERVEAD\WINSERVAD.EXE
C:\PROGRAM FILES\ WINDOWS SERVEAD\WINSERVSUIT.EXE

Reboot into normal mode and run LSPfix. Doubleclick on LSPfix. Click the "I know what I'm doing" checkbox.

Check all instances of NewDotNet that are in the left hand pane and nothing else and click the arrows to move them to the right hand pane - "Remove". Then click Finish.


Reboot into normal mode and do a new HijackThis log and post in this thread.
  • 0

#8
admin

admin

    Founder Geek

  • Administrator
  • 24,501 posts
Hi dhnish,

I'm glad you're able to help your users repair their computers, rather than having to reformat and reinstall. However, the mission of this forum is to provide free help to users that may not have access to the resources from any other source. This is generally for personal use.

Companies and organizations often have group policies, and other server side restrictions in place to help prevent infection, and they do also often "re-image" an infected machine. Since the data is stored on a file server, and the company has restrictions about the software that's installed, it's not usually a big issue.

Obviously, it's not this black and white. However, when we see a member submitting multiple logs, we begin to question why. Unfortunately, some questions go unanswered here, and it's not fair to other members to be helping someone multiple times. I'd suggest you may want to learn more about cleaning these systems yourself. Join our Geek U here: http://www.geekstogo...here-t4817.html
  • 0

#9
dhnish

dhnish

    Member

  • Topic Starter
  • Member
  • PipPip
  • 30 posts
Hi

Can i still post questions in this forums if there are any?
Thank you and have a nice day

Yours in service
dhnish
  • 0

#10
admin

admin

    Founder Geek

  • Administrator
  • 24,501 posts
If it's a hijackthis/spyware question, I would perfer you join Geek U and learn to analyze the problems yourself. Other question will be answered, as long as it's not abused.
  • 0

#11
dhnish

dhnish

    Member

  • Topic Starter
  • Member
  • PipPip
  • 30 posts
Hi

Dear Ilago,
The problem has been solved
Thanks a lot.
Thank you and have a nice day

Yours in service
dhnish
:tazz:
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP