Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

about:blank infestation - desperate for help [RESOLVED]


  • This topic is locked This topic is locked

#1
drgwspup

drgwspup

    Member

  • Member
  • PipPip
  • 62 posts
Hi,

I'm a newbie to highjack this and Geeks to go. Not too technically savy on this end. Thanks in advance for your assistance.

I've had problems for the last week or so and can't get rid of the about:blank garbage.

I normally run Norton antivirus 2003 that is regularly updated and spybot R&D. I've tried alot of things over the last several days. Here's what I recall.

I got an error message that said: "ssp.mydoom.cih ver.2.018 Somebody trying to access through port 245. Your proivate information is in danger"

The initial Spybot scan yeilded the following types of issues:
ISEARCHTECH.SLOTCH
COOLWWWSEARCH.AFF.WINSHOW
COOLWWWSEARCH.GOOGLEMS
ISEARCHTECH.ISTSVC
ISEARCHTECH. POWERSCAN
SARTPAGE-EH
XXXTOOLBAR

Initial spybot tried to fix most of the issues but said a couple were in memory and asked to run spybot on restart. It ran on reboot but didn't fix the problem. I then got a mydoom fix from Symantec, but that didn't work either. Said mydoom wasn't on my computer.

Since the problem started I have also used Aluria Security Center and Computer Associates Pest Patrol without any luck. I tried running both apps in both normal boot up and safe boot up. No luck.

I should mention that Spybot R&D aborted a couple of times when trying to run it after normal boot up.(since the problem started)

Then I found your site and downloaded and ran Ad-Aware SE, CWShredder, Spybot R&D DSO Exploit Fix, AVG and TDS-3. Ad-aware found a bunch of stuff and removed it. Shredder found some stuff and removed it. Spybot found 7 items and fixed them, AVG found 88 items, mostly trojan backdoor stuff and healed those. TDS didn't find anything.

Here's my highjack log:

Logfile of HijackThis v1.98.2
Scan saved at 1:32:13 AM, on 2/13/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\COMMON FILES\SYSTEM\MOSEARCH\BIN\MOSEARCH.EXE
C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\VS7DEBUG\MDM.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\CRXT.EXE
C:\WINDOWS\SYSTEM\NETZP.EXE
C:\WINDOWS\SDKZA.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\WINDOWS\SYSTEM\E_S4I2D1.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\WINDOWS\SYSTEM\CTFMON.EXE
C:\PROGRAM FILES\MICROSOFT ACTIVESYNC\WCESCOMM.EXE
C:\PROGRAM FILES\SPYBOT - SEARCH & DESTROY\TEATIMER.EXE
C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
C:\PROGRAM FILES\OLYMPUS\CAMEDIA MASTER 4.1\CM_CAMERA.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\YAHOO!\MESSENGER\YMSGR_TRAY.EXE
C:\PROGRAM FILES\NETSCAPE\NETSCAPE\NETSCP.EXE
C:\WINDOWS\SYSTEM\ADDNW.EXE
C:\UNZIPPED\HIJACKTHIS[1]\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system\lvsyf.dll/sp.html#44768
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system\lvsyf.dll/sp.html#44768
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system\lvsyf.dll/sp.html#44768
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system\lvsyf.dll/sp.html#44768
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system\lvsyf.dll/sp.html#44768
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system\lvsyf.dll/sp.html#44768
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system\lvsyf.dll/sp.html#44768
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - Default URLSearchHook is missing
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CPROGRAM%20FILES%5CNETSCAPE%5CNETSCAPE%5Csearchplugins%5CSBWeb_01.src"); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\soqab8ti.slt\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)
O2 - BHO: Class - {9AA00E8E-DF77-92FE-007F-550C36210091} - C:\WINDOWS\APPKK32.DLL
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [CriticalUpdate] C:\WINDOWS\SYSTEM\wucrtupd.exe -startup
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [EPSON Stylus C84 Series] C:\WINDOWS\SYSTEM\E_S4I2D1.EXE /P23 "EPSON Stylus C84 Series" /O5 "LPT1:" /M "Stylus C84"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [OWCCardbusTray] ocbtray.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [MOSearch] C:\PROGRA~1\COMMON~1\SYSTEM\MOSEARCH\BIN\MOSEARCH.EXE
O4 - HKLM\..\RunServices: [MDM7] "C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\VS7DEBUG\MDM.EXE"
O4 - HKLM\..\RunServices: [CRXT.EXE] C:\WINDOWS\CRXT.EXE
O4 - HKLM\..\RunServices: [NETZP.EXE] C:\WINDOWS\SYSTEM\NETZP.EXE
O4 - HKLM\..\RunServices: [SDKZA.EXE] C:\WINDOWS\SDKZA.EXE
O4 - HKLM\..\RunServices: [ADDNW.EXE] C:\WINDOWS\SYSTEM\ADDNW.EXE
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\PROGRAM FILES\MICROSOFT ACTIVESYNC\WCESCOMM.EXE"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Mozilla Quick Launch] "C:\Program Files\Netscape\Netscape\Netscp.exe" -turbo
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O4 - Startup: CAMEDIA Master.lnk = C:\Program Files\OLYMPUS\CAMEDIA Master 4.1\CM_camera.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE10\EXCEL.EXE/3000
O8 - Extra context menu item: &AIM Search - res://C:\PROGRAM FILES\AIM TOOLBAR\AIMBAR.DLL/aimsearch.htm
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM\AIM.EXE
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YPAGER.EXE
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YPAGER.EXE
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.static.topconverting.com
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://antu.popcap.c...aploader_v5.cab
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg...t/c381/chat.cab
O16 - DPF: Yahoo! Dominoes - http://download.game...ts/y/dot8_x.cab
O16 - DPF: Yahoo! Checkers - http://download.game...nts/y/kt4_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.game...ts/y/pote_x.cab
O16 - DPF: Yahoo! Dots - http://download.game...ts/y/dtt1_x.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {9A54032D-31F7-400D-B184-83B33BDE65FA} (MSN File Upload Control) - http://sc.groups.msn...eUC/MsnUpld.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....738&clcid=0x409
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://ppupdates.ca....r/axscanner.cab

Can you help? PLease?

Thanks in advance,
Mark
  • 0

Advertisements


#2
Guest_thatman_*

Guest_thatman_*
  • Guest
Hi drgwspup

You have a nasty About:Blank infection. This fix requires several tools that need to be downloaded. Please download these now, we will run them later.

1) About:Buster - Download it and extract it to C:/aboutbuster.
2) CleanUp! - Download it and install it.
3) CWShredder 2.11 - Download it and save it to your desktop.
4) Ad-Aware - Download, install, and update.

Enable hidden files and folders: http://www.bleepingc...torial=62#winme

During the fix do NOT connect to the internet. Unless you can memorize these instructions, it would be a good idea to print them out.

Boot into safe mode:
Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

Run AboutBuster
-Click Start to begin the process
-Click OK on the Buster Report dialogue box to start the scan
AboutBuster scans the computer for malicious files and deletes them.
Save the report (copy and paste into Notepad and save as a .txt file) to post a copy for review.

Run CWShredder
-Next, click on the: ‘Fix’ button
-Follow the prompts, and press OK

Run CleanUp
-Make sure it is on Standard Mode
-Click the "CleanUp!" button

Run Ad-Aware
-Configure Ad-Aware for a full system scan
-Run it

Clean Up the left overs

Run HJT, close any open windows, and fix the following items (if they are still there):

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system\lvsyf.dll/sp.html#44768
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system\lvsyf.dll/sp.html#44768
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system\lvsyf.dll/sp.html#44768
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system\lvsyf.dll/sp.html#44768
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system\lvsyf.dll/sp.html#44768
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system\lvsyf.dll/sp.html#44768
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)
O2 - BHO: Class - {9AA00E8E-DF77-92FE-007F-550C36210091} - C:\WINDOWS\APPKK32.DLL
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - (no file)
O4 - HKLM\..\RunServices: [CRXT.EXE] C:\WINDOWS\CRXT.EXE
O4 - HKLM\..\RunServices: [NETZP.EXE] C:\WINDOWS\SYSTEM\NETZP.EXE
O4 - HKLM\..\RunServices: [SDKZA.EXE] C:\WINDOWS\SDKZA.EXE
O4 - HKLM\..\RunServices: [ADDNW.EXE] C:\WINDOWS\SYSTEM\ADDNW.EXE
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.static.topconverting.com



Then delete the following files (if they exist):

C:\WINDOWS\system\lvsyf.dll/sp.html#44768
C:\WINDOWS\APPKK32.DLL
C:\WINDOWS\CRXT.EXE
C:\WINDOWS\SYSTEM\NETZP.EXE
C:\WINDOWS\SDKZA.EXE
C:\WINDOWS\SYSTEM\ADDNW.EXE


Reboot into normal mode (simply restart your computer as you normally would), and run the following free, online virus scans:

http://housecall.tre.../start_corp.asp
http://www.pandasoft...n_principal.htm

Then restart your computer one more time and post a new HJT log as well as the About:Buster log I asked you to save earlier.

Kc :tazz:
  • 0

#3
drgwspup

drgwspup

    Member

  • Topic Starter
  • Member
  • PipPip
  • 62 posts
Thanks for your help KC, i think we're making progress.

An update on what i've done so far:

AboutBuster log is as follows:

Scanned at: 12:54:55 PM on: 2/13/05


-- Scan 1 ---------------------------
About:Buster Version 4.0
Reference List : 16


ADS not scanned System(FAT)
Removed! : C:\WINDOWS\jigpg.dat
Removed! : C:\WINDOWS\SYSTEM\gokdi.dat
Removed! : C:\WINDOWS\SYSTEM\avort.dat
Removed! : C:\WINDOWS\SYSTEM\kferq.dat
Attempted Clean Of Temp folder.
Removed Uninstall Key (HSA)
Removed Uninstall Key (SE)
Removed Uninstall Key (SW)
Pages Reset... Done!

I only ran it once because to took almost five hours to run. Is that normal? I am on deadline for a couple items tomorrow so I couldn't afford to lose another five hours to a second scan. Hope I didn't screw this up by not running it a second time.

Shredder and AdAware found things that were fixed. I ran CleanUp after Shredder and then after AdAware. I assumed that "Clean Up the left overs" meant to run it again, so I did.

When I ran Pandasoftware virus scan it found one issue "windows\system\tibs5.exe" and fixed that.

There were about seven items left from the first hiJack log to fix. I could only find the last four files from your list and deleted them.

here's the latest hijack log:

Logfile of HijackThis v1.98.2
Scan saved at 3:12:34 PM, on 2/13/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\COMMON FILES\SYSTEM\MOSEARCH\BIN\MOSEARCH.EXE
C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\VS7DEBUG\MDM.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\E_S4I2D1.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\WINDOWS\SYSTEM\CTFMON.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\MICROSOFT ACTIVESYNC\WCESCOMM.EXE
C:\PROGRAM FILES\SPYBOT - SEARCH & DESTROY\TEATIMER.EXE
C:\PROGRAM FILES\NETSCAPE\NETSCAPE\NETSCP.EXE
C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
C:\PROGRAM FILES\OLYMPUS\CAMEDIA MASTER 4.1\CM_CAMERA.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\YAHOO!\MESSENGER\YMSGR_TRAY.EXE
C:\UNZIPPED\HIJACKTHIS[1]\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapp...://my.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - Default URLSearchHook is missing
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CPROGRAM%20FILES%5CNETSCAPE%5CNETSCAPE%5Csearchplugins%5CSBWeb_01.src"); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\soqab8ti.slt\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - (no file)
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - (no file)
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - (no file)
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [CriticalUpdate] C:\WINDOWS\SYSTEM\wucrtupd.exe -startup
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [EPSON Stylus C84 Series] C:\WINDOWS\SYSTEM\E_S4I2D1.EXE /P23 "EPSON Stylus C84 Series" /O5 "LPT1:" /M "Stylus C84"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [OWCCardbusTray] ocbtray.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [MOSearch] C:\PROGRA~1\COMMON~1\SYSTEM\MOSEARCH\BIN\MOSEARCH.EXE
O4 - HKLM\..\RunServices: [MDM7] "C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\VS7DEBUG\MDM.EXE"
O4 - HKLM\..\RunServices: [ccEvtMgr] "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\PROGRAM FILES\MICROSOFT ACTIVESYNC\WCESCOMM.EXE"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Mozilla Quick Launch] "C:\Program Files\Netscape\Netscape\Netscp.exe" -turbo
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O4 - Startup: CAMEDIA Master.lnk = C:\Program Files\OLYMPUS\CAMEDIA Master 4.1\CM_camera.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE10\EXCEL.EXE/3000
O8 - Extra context menu item: &AIM Search - res://C:\PROGRAM FILES\AIM TOOLBAR\AIMBAR.DLL/aimsearch.htm
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM\AIM.EXE
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YPAGER.EXE
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YPAGER.EXE
O15 - Trusted Zone: *.frame.crazywinnings.com
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://antu.popcap.c...aploader_v5.cab
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg...t/c381/chat.cab
O16 - DPF: Yahoo! Dominoes - http://download.game...ts/y/dot8_x.cab
O16 - DPF: Yahoo! Checkers - http://download.game...nts/y/kt4_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.game...ts/y/pote_x.cab
O16 - DPF: Yahoo! Dots - http://download.game...ts/y/dtt1_x.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {9A54032D-31F7-400D-B184-83B33BDE65FA} (MSN File Upload Control) - http://sc.groups.msn...eUC/MsnUpld.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....738&clcid=0x409
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://ppupdates.ca....r/axscanner.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab



I noticed several items are reappearring in the latest hijack log. Namely the BHOs are still there despite fixing in HJT before and the Trusted zone is still there. Should the "R3 - Default URLSearchHook is missing" have been fixed in HJT. I've seen that in other logs I was reading. Or is that in an upcoming step?

Thanks again for all your help. You guys are amazing to help people like this.

drgwspup
  • 0

#4
drgwspup

drgwspup

    Member

  • Topic Starter
  • Member
  • PipPip
  • 62 posts
While waiting, I re-ran hjt to see if i could clear out the three BHO and the one "trusted zone" that are still appearing in the last log. There is also a new 03-toolbar entry. No effect. Thanks in advance:

Here is the latest log:

Logfile of HijackThis v1.98.2
Scan saved at 6:36:57 PM, on 2/13/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\COMMON FILES\SYSTEM\MOSEARCH\BIN\MOSEARCH.EXE
C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\VS7DEBUG\MDM.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\E_S4I2D1.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\WINDOWS\LOADQM.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\PROGRAM FILES\ADSTATUS SERVICE\ADSTATSERV.EXE
C:\WINDOWS\SYSTEM\CTFMON.EXE
C:\PROGRAM FILES\MICROSOFT ACTIVESYNC\WCESCOMM.EXE
C:\PROGRAM FILES\SPYBOT - SEARCH & DESTROY\TEATIMER.EXE
C:\PROGRAM FILES\NETSCAPE\NETSCAPE\NETSCP.EXE
C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
C:\PROGRAM FILES\OLYMPUS\CAMEDIA MASTER 4.1\CM_CAMERA.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\YAHOO!\MESSENGER\YMSGR_TRAY.EXE
C:\UNZIPPED\HIJACKTHIS[1]\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapp...://my.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - Default URLSearchHook is missing
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CPROGRAM%20FILES%5CNETSCAPE%5CNETSCAPE%5Csearchplugins%5CSBWeb_01.src"); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\soqab8ti.slt\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - (no file)
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - (no file)
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [CriticalUpdate] C:\WINDOWS\SYSTEM\wucrtupd.exe -startup
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [EPSON Stylus C84 Series] C:\WINDOWS\SYSTEM\E_S4I2D1.EXE /P23 "EPSON Stylus C84 Series" /O5 "LPT1:" /M "Stylus C84"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [OWCCardbusTray] ocbtray.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [AdStatus Service] C:\PROGRAM FILES\ADSTATUS SERVICE\ADSTATSERV.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [MOSearch] C:\PROGRA~1\COMMON~1\SYSTEM\MOSEARCH\BIN\MOSEARCH.EXE
O4 - HKLM\..\RunServices: [MDM7] "C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\VS7DEBUG\MDM.EXE"
O4 - HKLM\..\RunServices: [ccEvtMgr] "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\PROGRAM FILES\MICROSOFT ACTIVESYNC\WCESCOMM.EXE"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Mozilla Quick Launch] "C:\Program Files\Netscape\Netscape\Netscp.exe" -turbo
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O4 - Startup: CAMEDIA Master.lnk = C:\Program Files\OLYMPUS\CAMEDIA Master 4.1\CM_camera.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE10\EXCEL.EXE/3000
O8 - Extra context menu item: &AIM Search - res://C:\PROGRAM FILES\AIM TOOLBAR\AIMBAR.DLL/aimsearch.htm
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM\AIM.EXE
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YPAGER.EXE
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YPAGER.EXE
O15 - Trusted Zone: *.frame.crazywinnings.com
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://antu.popcap.c...aploader_v5.cab
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg...t/c381/chat.cab
O16 - DPF: Yahoo! Dominoes - http://download.game...ts/y/dot8_x.cab
O16 - DPF: Yahoo! Checkers - http://download.game...nts/y/kt4_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.game...ts/y/pote_x.cab
O16 - DPF: Yahoo! Dots - http://download.game...ts/y/dtt1_x.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {9A54032D-31F7-400D-B184-83B33BDE65FA} (MSN File Upload Control) - http://sc.groups.msn...eUC/MsnUpld.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....738&clcid=0x409
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://ppupdates.ca....r/axscanner.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab


sincerely, drgwspup
  • 0

#5
drgwspup

drgwspup

    Member

  • Topic Starter
  • Member
  • PipPip
  • 62 posts
KC,

Been waiting for a reply and realized you're in the UK, so you probably fast asleep. LOL

Well i think there is good news. While waiting i searched some other forums and here's what I did:

- got rid of the pesky 015 for crazywinnings by simply opening regedit and deleting references to it. A question, however... while deleting it i noticed a bunch of other suspect names. What can be done to clear those out?

- I read in another forum that Spybot RD TeaTimer can get in the way of some fixes so I checked it out and the BHOs that you told me to delete in the first HJT fix were there as protected BHO's. So, I unistalled Spybot, and now they don't show up in the HJT log. Do i need Spybot if I have all the other tools that i had to run during this fix?

Here's my hopefully, last HJT log:

Logfile of HijackThis v1.98.2
Scan saved at 8:58:10 PM, on 2/13/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\COMMON FILES\SYSTEM\MOSEARCH\BIN\MOSEARCH.EXE
C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\VS7DEBUG\MDM.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\E_S4I2D1.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\PROGRAM FILES\ADSTATUS SERVICE\ADSTATSERV.EXE
C:\WINDOWS\SYSTEM\CTFMON.EXE
C:\PROGRAM FILES\MICROSOFT ACTIVESYNC\WCESCOMM.EXE
C:\PROGRAM FILES\NETSCAPE\NETSCAPE\NETSCP.EXE
C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
C:\PROGRAM FILES\OLYMPUS\CAMEDIA MASTER 4.1\CM_CAMERA.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\YAHOO!\MESSENGER\YMSGR_TRAY.EXE
C:\PROGRAM FILES\COMMON FILES\SYSTEM\MOSEARCH\BIN\MOSDMN.EXE
C:\UNZIPPED\HIJACKTHIS[1]\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapp...://my.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - Default URLSearchHook is missing
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CPROGRAM%20FILES%5CNETSCAPE%5CNETSCAPE%5Csearchplugins%5CSBWeb_01.src"); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\soqab8ti.slt\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [CriticalUpdate] C:\WINDOWS\SYSTEM\wucrtupd.exe -startup
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [EPSON Stylus C84 Series] C:\WINDOWS\SYSTEM\E_S4I2D1.EXE /P23 "EPSON Stylus C84 Series" /O5 "LPT1:" /M "Stylus C84"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [OWCCardbusTray] ocbtray.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [AdStatus Service] C:\PROGRAM FILES\ADSTATUS SERVICE\ADSTATSERV.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [MOSearch] C:\PROGRA~1\COMMON~1\SYSTEM\MOSEARCH\BIN\MOSEARCH.EXE
O4 - HKLM\..\RunServices: [MDM7] "C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\VS7DEBUG\MDM.EXE"
O4 - HKLM\..\RunServices: [ccEvtMgr] "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\PROGRAM FILES\MICROSOFT ACTIVESYNC\WCESCOMM.EXE"
O4 - HKCU\..\Run: [Mozilla Quick Launch] "C:\Program Files\Netscape\Netscape\Netscp.exe" -turbo
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O4 - Startup: CAMEDIA Master.lnk = C:\Program Files\OLYMPUS\CAMEDIA Master 4.1\CM_camera.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE10\EXCEL.EXE/3000
O8 - Extra context menu item: &AIM Search - res://C:\PROGRAM FILES\AIM TOOLBAR\AIMBAR.DLL/aimsearch.htm
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM\AIM.EXE
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YPAGER.EXE
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YPAGER.EXE
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://antu.popcap.c...aploader_v5.cab
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg...t/c381/chat.cab
O16 - DPF: Yahoo! Dominoes - http://download.game...ts/y/dot8_x.cab
O16 - DPF: Yahoo! Checkers - http://download.game...nts/y/kt4_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.game...ts/y/pote_x.cab
O16 - DPF: Yahoo! Dots - http://download.game...ts/y/dtt1_x.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {9A54032D-31F7-400D-B184-83B33BDE65FA} (MSN File Upload Control) - http://sc.groups.msn...eUC/MsnUpld.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....738&clcid=0x409
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://ppupdates.ca....r/axscanner.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab

Let me know if all is clear. Much thanks for all your help. You folks provide an amazing service. Do you accept donations??

drgwspup
  • 0

#6
Guest_thatman_*

Guest_thatman_*
  • Guest
Hi drgwspup

Please set your system to show all files; see here for how to do this if you're unsure.

Please use Add Remove Program File Uninstall the following
C:\PROGRAM FILES\ADSTATUS SERVICE\ADSTATSERV.EXE

Close all programs down, leaving only HijackThis running.
Place a check against the following items:

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapp...://my.yahoo.com
O4 - HKLM\..\Run: [AdStatus Service] C:\PROGRAM FILES\ADSTATUS SERVICE\ADSTATSERV.EXE


Click on Fix Checked and exit HijackThis.

Reboot into Safe Mode: see here if you don't know how to do this.

Using Windows Explorer, locate the following files/folders, and delete them:If found

C:\PROGRAM FILES\ADSTATUS SERVICE\ADSTATSERV.EXE

Exit Explorer, and reboot as normal afterwards.

Do you accept donations yes we do If you contact admin he will explain what you need to do Thanks

Post back a fresh HijackThis log and we'll take another look.


Kc :tazz:

Edited by thatman, 14 February 2005 - 01:37 AM.

  • 0

#7
drgwspup

drgwspup

    Member

  • Topic Starter
  • Member
  • PipPip
  • 62 posts
Hi KC,

Did as requested, but boot up was really, really slow after the changes. New optical mouse was very erractic and shortcuts/files took multiple clicks and a long time to open. What's up with that? i saw something flash up on the screen for a split second during the last reboot. Not sure what that was.

here is the log:

Logfile of HijackThis v1.98.2
Scan saved at 7:38:00 AM, on 2/14/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\COMMON FILES\SYSTEM\MOSEARCH\BIN\MOSEARCH.EXE
C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\VS7DEBUG\MDM.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\WINDOWS\SYSTEM\E_S4I2D1.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\WINDOWS\SYSTEM\CTFMON.EXE
C:\PROGRAM FILES\MICROSOFT ACTIVESYNC\WCESCOMM.EXE
C:\PROGRAM FILES\NETSCAPE\NETSCAPE\NETSCP.EXE
C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
C:\PROGRAM FILES\OLYMPUS\CAMEDIA MASTER 4.1\CM_CAMERA.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\UNZIPPED\HIJACKTHIS[1]\HIJACKTHIS.EXE
C:\PROGRAM FILES\YAHOO!\MESSENGER\YMSGR_TRAY.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - Default URLSearchHook is missing
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CPROGRAM%20FILES%5CNETSCAPE%5CNETSCAPE%5Csearchplugins%5CSBWeb_01.src"); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\soqab8ti.slt\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [CriticalUpdate] C:\WINDOWS\SYSTEM\wucrtupd.exe -startup
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [EPSON Stylus C84 Series] C:\WINDOWS\SYSTEM\E_S4I2D1.EXE /P23 "EPSON Stylus C84 Series" /O5 "LPT1:" /M "Stylus C84"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [OWCCardbusTray] ocbtray.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [AdStatus Service] C:\PROGRAM FILES\ADSTATUS SERVICE\ADSTATSERV.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [MOSearch] C:\PROGRA~1\COMMON~1\SYSTEM\MOSEARCH\BIN\MOSEARCH.EXE
O4 - HKLM\..\RunServices: [MDM7] "C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\VS7DEBUG\MDM.EXE"
O4 - HKLM\..\RunServices: [ccEvtMgr] "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\PROGRAM FILES\MICROSOFT ACTIVESYNC\WCESCOMM.EXE"
O4 - HKCU\..\Run: [Mozilla Quick Launch] "C:\Program Files\Netscape\Netscape\Netscp.exe" -turbo
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O4 - Startup: CAMEDIA Master.lnk = C:\Program Files\OLYMPUS\CAMEDIA Master 4.1\CM_camera.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE10\EXCEL.EXE/3000
O8 - Extra context menu item: &AIM Search - res://C:\PROGRAM FILES\AIM TOOLBAR\AIMBAR.DLL/aimsearch.htm
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM\AIM.EXE
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YPAGER.EXE
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YPAGER.EXE
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://antu.popcap.c...aploader_v5.cab
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg...t/c381/chat.cab
O16 - DPF: Yahoo! Dominoes - http://download.game...ts/y/dot8_x.cab
O16 - DPF: Yahoo! Checkers - http://download.game...nts/y/kt4_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.game...ts/y/pote_x.cab
O16 - DPF: Yahoo! Dots - http://download.game...ts/y/dtt1_x.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {9A54032D-31F7-400D-B184-83B33BDE65FA} (MSN File Upload Control) - http://sc.groups.msn...eUC/MsnUpld.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....738&clcid=0x409
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://ppupdates.ca....r/axscanner.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab


Whiel looking for the ad status files, i found two folders in my C drive that are labeled "$vault$,avg" and "._@" Are those an issue?

thanks KC. i'm off to work so can't make changes from there. talk to you soon.

drgwspup
  • 0

#8
Guest_thatman_*

Guest_thatman_*
  • Guest
Hi drgwspup

Please set your system to show all files; see here for how to do this if you're unsure.

Close all programs down, leaving only HijackThis running.
Place a check against the following items:

O4 - HKLM\..\Run: [AdStatus Service] C:\PROGRAM FILES\ADSTATUS SERVICE\ADSTATSERV.EXE

Click on Fix Checked and exit HijackThis.

Reboot into Safe Mode: see here if you don't know how to do this.

Using Windows Explorer, locate the following files/folders, and delete them:

C:\PROGRAM FILES\ADSTATUS SERVICE\ADSTATSERV.EXE<==Delete the folder and all contents

Exit Explorer, and reboot as normal afterwards.

"$vault$,avg"<-- This is legal AVG virus Vault

"._@" <-- dont know what that is


Please download Ad-aware Se

1. If you have a previous version of Ad-Aware installed, during the installation of the new version you will be prompted to uninstall or keep the older version - be sure to uninstall the previous version.
2. After installing Ad-aware, you will be prompted to update the program and run a full scan. De-select all boxes so that it does not run.
3. Manually run "Ad-Aware SE Personal" and from the main screen Click on "Check for Updates Now".
4. Once the definitions have been updated:
5. Reconfigure Ad-Aware for Full Scan as per the following instructions:
* Launch the program, and click on the Gear at the top of the start screen.
* Under General Settings the following boxes should all be checked off: (Checked will be indicated by a green circle with a check mark in it, Un-Checked is a red circle with an X in it. If it is greyed out, those features are only available in the retail version.)
o "Automatically save logfile"
o Automatically quarantine objects prior to removal"
o Safe Mode (always request confirmation)
o Prompt to update outdated confirmation) - Change to 7 days.
* Click the "Scanning" button (On the left side).
* Under Drives & Folders, select "Scan within Archives"
* Click "Click here to select Drives + folders" and select your installed hard drives.
* Under Memory & Registry, select all options.
* Click the "Advanced" button (On the left hand side).
* Under "Shell Integration", select "Move deleted files to Recycle Bin".
* Under "Log-file detail", select all options.
* Click on the "Defaults" button on the left.
* Type in the full url of what you want as your default homepage and searchpage e.g. http://www.google.com.
* Click the "Tweak" button (Again, on the left hand side).
* Expand "Scanning Engine" by clicking on the "+" (Plus) symbol and select the following:
o "Unload recognized processes during scanning."
o "Obtain command line of scanned processes"
o "Scan registry for all users instead of current user only"
* Under "Cleaning Engine", select the following:
o "Automatically try to unregister objects prior to deletion."
o "During removal, unload explorer and IE if necessary"
o "Let Windows remove files in use at next reboot."
o "Delete quarrantined objects after restoring"
* Click on "Safety Settings" and select "Write-protect system files after repair (Hosts file, etc)"
* Click on "Proceed" to save these Preferences.
* Click on the "Scan Now" button on the left.
* Under "Select Scan Mode, be sure to select "Use Custom Scanning Options".
6. Close all programs except ad-aware.
7. Click on "Next" in the bottom right corner to start the scan.
8. Run the Ad-Aware scan and allow it to remove everything it finds and then REBOOT - Even if not prompted to.
9. After you log back in, Ad-Aware may run to finalize the scan and remove any locked files that it may of found. Allow it to finish.

Reboot your PC.

Please run the following free, online virus scans:

http://housecall.tre.../start_corp.asp

http://www.pandasoft...n_principal.htm

Reboot into normal mode (simply restart your computer as you normally would),

If you would please, rescan with HijackThis and post a fresh log in this same topic, and let us know how your system's working. ;)

kc :tazz:
  • 0

#9
drgwspup

drgwspup

    Member

  • Topic Starter
  • Member
  • PipPip
  • 62 posts
Hi KC,

well the adstatus service was in the c:\recycled folder along with a bunch of files that read like this:
info2 - (I couldn't delete it)
dc1.exe
dc151.exe
dc76.exe
dc79.exe
and a bunch of "dc"x".htm" files

I I'm going to just delete the contennts of the folder like you said. Going to run ad-aware again. Will post log shortly. thought you mght want to read the interim issues I found.

drgwspup
  • 0

#10
drgwspup

drgwspup

    Member

  • Topic Starter
  • Member
  • PipPip
  • 62 posts
KC,

The Dc file in Recycle wouldn't delete. When I highlight and delete, the files replicate themselves with different file numbers.

Ran ad aware, but it was very difficult to get it started. Mouse operation still erratic. Couldn't even change the virus definition day from 14 to 7. Would delete 14 but wouldn't that the value of 7 or anything else. Kept hanging up on me, finally went into Task Manager and shutdown most things there and got it to run with the 7day virus definition change.

BTW, when you say close all programs prior to running something, do you mean just those that are in the bar at the bottom left of the screen or to go into task manager and shutdown all those? When I tried to do that, when I tried to close explorer or Avgemc, the system shutdown. so i left those on to run HJT.

Finally ran Adaware and it caught Broadcat PC and win32.trojan.downloader.agent.al.

Ran pandasoftware antivirus and here's that report:

Incident Status Location

Virus:Bck/Afa.A Disinfected Operating system
Virus:Bck/Afa.A Disinfected C:\WINDOWS\SYSTEM\iepa.exe
Virus:Bck/Afa.A Disinfected C:\WINDOWS\SYSTEM\d3zy32.exe
Virus:Bck/Afa.A Disinfected C:\WINDOWS\winxn32.exe
Virus:Bck/Afa.A Disinfected C:\WINDOWS\javauj.exe
Virus:Bck/Afa.A Disinfected C:\RECYCLED\DC267.EXE
Virus:Bck/Afa.A Disinfected C:\RECYCLED\DC265.EXE

Here is the HJT log;

Logfile of HijackThis v1.98.2
Scan saved at 8:27:07 AM, on 2/15/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\COMMON FILES\SYSTEM\MOSEARCH\BIN\MOSEARCH.EXE
C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\VS7DEBUG\MDM.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\WINDOWS\SYSTEM\E_S4I2D1.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\WINDOWS\SYSTEM\CTFMON.EXE
C:\PROGRAM FILES\MICROSOFT ACTIVESYNC\WCESCOMM.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\NETSCAPE\NETSCAPE\NETSCP.EXE
C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
C:\PROGRAM FILES\OLYMPUS\CAMEDIA MASTER 4.1\CM_CAMERA.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\YAHOO!\MESSENGER\YMSGR_TRAY.EXE
C:\UNZIPPED\HIJACKTHIS[1]\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - Default URLSearchHook is missing
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CPROGRAM%20FILES%5CNETSCAPE%5CNETSCAPE%5Csearchplugins%5CSBWeb_01.src"); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\soqab8ti.slt\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [CriticalUpdate] C:\WINDOWS\SYSTEM\wucrtupd.exe -startup
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [EPSON Stylus C84 Series] C:\WINDOWS\SYSTEM\E_S4I2D1.EXE /P23 "EPSON Stylus C84 Series" /O5 "LPT1:" /M "Stylus C84"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [OWCCardbusTray] ocbtray.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [MOSearch] C:\PROGRA~1\COMMON~1\SYSTEM\MOSEARCH\BIN\MOSEARCH.EXE
O4 - HKLM\..\RunServices: [MDM7] "C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\VS7DEBUG\MDM.EXE"
O4 - HKLM\..\RunServices: [ccEvtMgr] "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\PROGRAM FILES\MICROSOFT ACTIVESYNC\WCESCOMM.EXE"
O4 - HKCU\..\Run: [Mozilla Quick Launch] "C:\Program Files\Netscape\Netscape\Netscp.exe" -turbo
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O4 - Startup: CAMEDIA Master.lnk = C:\Program Files\OLYMPUS\CAMEDIA Master 4.1\CM_camera.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE10\EXCEL.EXE/3000
O8 - Extra context menu item: &AIM Search - res://C:\PROGRAM FILES\AIM TOOLBAR\AIMBAR.DLL/aimsearch.htm
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM\AIM.EXE
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YPAGER.EXE
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YPAGER.EXE
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://antu.popcap.c...aploader_v5.cab
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg...t/c381/chat.cab
O16 - DPF: Yahoo! Dominoes - http://download.game...ts/y/dot8_x.cab
O16 - DPF: Yahoo! Checkers - http://download.game...nts/y/kt4_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.game...ts/y/pote_x.cab
O16 - DPF: Yahoo! Dots - http://download.game...ts/y/dtt1_x.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {9A54032D-31F7-400D-B184-83B33BDE65FA} (MSN File Upload Control) - http://sc.groups.msn...eUC/MsnUpld.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....738&clcid=0x409
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://ppupdates.ca....r/axscanner.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab

Note: My Recycle file still is full of the "Dc "x" " files and there are dc.exe files there also.

Help!!!!

drgwspup
  • 0

Advertisements


#11
drgwspup

drgwspup

    Member

  • Topic Starter
  • Member
  • PipPip
  • 62 posts
Forgot to comment on system performance:

Slow to boot up. Erratic mouse control initially. Once IE up and runnnin, then it's fine. I'm suspicious.

Thanks, Mark

Will be home from the office for the xext 3 hours so i can interact more frequently. REALLY need to get this fixed.

Thanks for all your help, you guys are great
  • 0

#12
Guest_thatman_*

Guest_thatman_*
  • Guest
Hi drgwspup

This is good all the bad guy are in the Bin. Ok lets see if we can flush them out

Run this atleast two times

1) url=http://antispyware.nextdesigns.net/showsoftware.php?id=8]About:Buster[/url] - Download it and extract it to C:/aboutbuster.
2) CleanUp! - Download it and install it.
3) CWShredder 2.11 - Download it and save it to your desktop.
4) Ad-Aware - Download, install, and update.

Enable hidden files and folders: http://www.bleepingc...torial=62#winme

During the fix do NOT connect to the internet. Unless you can memorize these instructions, it would be a good idea to print them out.

Boot into safe mode:
Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

Run AboutBuster
-Click Start to begin the process
-Click OK on the Buster Report dialogue box to start the scan
AboutBuster scans the computer for malicious files and deletes them.
Save the report (copy and paste into Notepad and save as a .txt file) to post a copy for review.

Run CWShredder
-Next, click on the: ‘Fix’ button
-Follow the prompts, and press OK

Run CleanUp
-Make sure it is on Standard Mode
-Click the "CleanUp!" button

Run Ad-Aware
-Configure Ad-Aware for a full system scan
-Run it

Reboot into normal mode (simply restart your computer as you normally would)


Then restart your computer one more time and post a new HJT log as well as the About:Buster log I asked you to save earlier.

Kc :tazz:
  • 0

#13
drgwspup

drgwspup

    Member

  • Topic Starter
  • Member
  • PipPip
  • 62 posts
OK, KC will do. Those are all the steps i ran on Sunday. I feel like I'm chasing my tail!! LOL. Thanks again for all your help.

About buster took 5 hours to run the first scan. Is that normal? Will run it two times.

Did you want me to run About Buster two times or run all four programs (about Buster, Cleanup, CWShredder, Ad AWARE) two times?
  • 0

#14
Guest_thatman_*

Guest_thatman_*
  • Guest
Hi drgwspup

Just before you go to bed start about buster and let it run

This will help in the clear up we are doing ok

Kc :tazz:
  • 0

#15
Guest_thatman_*

Guest_thatman_*
  • Guest
Hi drgwspup

win 98se Recycle bin problems

http://support.micro...=173416&sd=RMVP

SYMPTOMS
When you try to delete a file in Windows, you may receive the following error message:
Cannot delete "filename", cannot find the specified path.

Make sure you typed the right path.
When this behavior occurs, you can still delete files in MS-DOS mode.
CAUSE
This behavior can occur if the Recycle Bin has become corrupted, or if you have installed and then uninstalled Fix-It Utilities by Mijenix Corporation, causing the Recycle Bin to become corrupted.
RESOLUTION
To resolve this issue, follow these steps:
1. Click Start, point to Shutdown, and then click Restart to MS-DOS.
2. Type CD\, and then press ENTER.
3. Type CD RECYCLED, and then press ENTER.
4. Type ATTRIB -r -s -h info2.*, and then press ENTER.
5. Type DEL INFO2, and then press ENTER. NOTE: This deletes the damaged INFO2 file and creates a new file automatically.
6. Windows 95: Restart your computer.

When you see the Starting Windows 95 message, press F8, and then on the Startup menu, select Command Prompt Only.

Windows 98: Restart your computer, press and hold down the CTRL key after your computer completes the Power On Self Test (POST), and then on the Startup menu, select Command Prompt Only.NOTE: You can start the computer with the Windows Startup disk if it is available.

7. At the command prompt, type the following lines, pressing ENTER after each line:
attrib -r -s -h c:\recycled
deltree c:\recycled
NOTE: If the problem occurs on a drive other than C, substitute the appropriate drive letter for drive C in the above commands.

8. Restart the computer. This re-creates the Recycle Bin.

You can find more info for 98 here http://aumha.org/win4/kbui.php

Kc :tazz:
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP