[peacemaker05]

Hi,

Background:
I'm running Windows 98, PIII - Have had major problems attempting to remove Trojan-Spy.html.smitfraud.c Hijaker. I downloaded almost everything made to detect it and nothing caught it yet.

I had a few pretty nasty malware programs that would disable anti-virus protection by killing the .exe files needed to make them work. My IE was toast, would not open and generated Runtime errors, and IE Elplorer errors in modudel "Unknown" and I know that's a virus.

I'm using Firefox, Mozilla, and I also downloaded Netscape to ensure I could get online during this situation-but, that meant I could not perform online virus scans such as Panda's Active Scan or any of the others requiring an IE browser.

In addition, any virus detection software that I downloaded would somehow be disabled by the malware so I know the parasites were paying close attention to what was going on. The virus(es) even tried to disable the shareware version of Panda's Titanium, Platinum, and True Prevent (yes I downloaded them all) but, Titanium found 11 malware programs and disinfected them. I was unable to update the virus definitions, so it missed T-Spy and its variants.


Currently:

I now have IE somewhat functional now but it still won't display images so I haven't yet fixed the problem. So realizing that, HELP! I have downloaded CW Shredder, TDS-3, Spybot S&D, Hijack This, Pocket Killbox and several other Viral detection and removal programs, however many of them point to IE to obtain Updates on the Web (is there a work around for that?) Without updated definitions the latest viral strains are missed by most software.

Need some advice for the direction to take to end this fight with my computer. I have attached the Hijack this log as of 6/1/05. By the way, I have exposed all hidden files, and I have searched Add/Remove programs and removed IGuard. However, I did not recognize any other malware programs, they most likely are in the registry.

Logfile of HijackThis v1.99.1
Scan saved at 4:25:47 AM, on 06/01/2005
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MDM.EXE
C:\PROGRAM FILES\IOMEGA\AUTODISK\ADSERVICE.EXE
C:\PROGRAM FILES\PANDA SOFTWARE\PANDA PLATINUM 2005 INTERNET SECURITY\PASSRV.EXE
C:\PROGRAM FILES\PANDA SOFTWARE\PANDA PLATINUM 2005 INTERNET SECURITY\PAVFNSVR.EXE
C:\PROGRAM FILES\PANDA SOFTWARE\PANDA PLATINUM 2005 INTERNET SECURITY\PSIMSVC.EXE
C:\PROGRAM FILES\PANDA SOFTWARE\PANDA PLATINUM 2005 INTERNET SECURITY\FIREWALL\PAVFIRES.EXE
C:\PROGRAM FILES\PANDA SOFTWARE\PANDA PLATINUM 2005 INTERNET SECURITY\PAVPROT9.EXE
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\PANDA SOFTWARE\PANDA PLATINUM 2005 INTERNET SECURITY\PAVKRE9X.EXE
C:\PROGRAM FILES\PANDA SOFTWARE\PANDA PLATINUM 2005 INTERNET SECURITY\PREVSRV.EXE
C:\PROGRAM FILES\PANDA SOFTWARE\PANDA PLATINUM 2005 INTERNET SECURITY\WEBPROXY.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\IOMEGA\AUTODISK\ADUSERMON.EXE
C:\PROGRAM FILES\IOMEGA\DRIVEICONS\IMGICON.EXE
C:\WINDOWS\TPPALDR.EXE
C:\PROGRAM FILES\PANDA SOFTWARE\PANDA PLATINUM 2005 INTERNET SECURITY\APVXDWIN.EXE
C:\PROGRAM FILES\HISTORYKILL\HISTKILL.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\HISTORYKILL\HKPOPUPKILLER.EXE
C:\PROGRAM FILES\PANDA SOFTWARE\PANDA PLATINUM 2005 INTERNET SECURITY\SRVLOAD.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\AUDIO\HIJACK THIS\HIJACKTHIS.EXE
C:\PROGRAM FILES\PANDA SOFTWARE\PANDA PLATINUM 2005 INTERNET SECURITY\UPGRADER.EXE

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
N4 - Mozilla: user_pref("browser.startup.homepage", "http://www.msnbc.com"); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\pqcywukb.slt\prefs.js)
N4 - Mozilla: user_pref("browser.search.defaultengine", "engine://C%3A%5CPROGRAM%20FILES%5CMOZILLA.ORG%5CMOZILLA%5Csearchplugins%5Cgoogle.src"); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\pqcywukb.slt\prefs.js)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [SoundMan] soundman.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [Echo Gals2 Jump Start] echostr2.exe
O4 - HKLM\..\Run: [ADUserMon] C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
O4 - HKLM\..\Run: [Deskup] C:\Program Files\Iomega\DriveIcons\deskup.exe /IMGSTART
O4 - HKLM\..\Run: [TPP Auto Loader] C:\WINDOWS\TPPALDR.EXE
O4 - HKLM\..\Run: [SCANINICIO] "C:\Program Files\Panda Software\Panda Platinum 2005 Internet Security\Inicio.exe"
O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Software\Panda Platinum 2005 Internet Security\APVXDWIN.EXE" /s
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [Machine Debug Manager] C:\WINDOWS\SYSTEM\MDM.EXE
O4 - HKLM\..\RunServices: [ADService] C:\Program Files\Iomega\AutoDisk\ADService.exe
O4 - HKLM\..\RunServices: [PavProc] "C:\Program Files\Common Files\Panda Software\PavShld\PavPrS9x.exe"
O4 - HKLM\..\RunServices: [PANDASCHEDULER] "C:\Program Files\Panda Software\Panda Platinum 2005 Internet Security\Pavsched.exe"
O4 - HKLM\..\RunServices: [PANDA ANTISPAM SERVER SERVICE] "C:\Program Files\Panda Software\Panda Platinum 2005 Internet Security\PasSrv.exe"
O4 - HKLM\..\RunServices: [PAVFNSVR] "C:\Program Files\Panda Software\Panda Platinum 2005 Internet Security\PavFnSvr.exe"
O4 - HKLM\..\RunServices: [PSIMSVC] "C:\Program Files\Panda Software\Panda Platinum 2005 Internet Security\PSIMSVC.exe"
O4 - HKLM\..\RunServices: [PAVFIRES] "C:\Program Files\Panda Software\Panda Platinum 2005 Internet Security\Firewall\PavFires.exe"
O4 - HKLM\..\RunServices: [Pavprot9] "C:\Program Files\Panda Software\Panda Platinum 2005 Internet Security\Pavprot9.exe"
O4 - HKLM\..\RunServices: [Pavkre9X] "C:\Program Files\Panda Software\Panda Platinum 2005 Internet Security\Pavkre9X.exe"
O4 - HKLM\..\RunServices: [Panda Preventium+ Service] "C:\PROGRAM FILES\PANDA SOFTWARE\PANDA PLATINUM 2005 INTERNET SECURITY\PREVSRV.EXE"
O4 - HKCU\..\Run: [HistoryKill] C:\Program Files\HistoryKill\histkill.exe /startup
O4 - HKCU\..\Run: [uninstal] regsvr32 /u /s image.dll
O4 - HKCU\..\Run: [SpybotSD TeaTimer] G:\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: Hewlett-Packard Recorder.lnk.disabled
O4 - Startup: HPAiODevice.lnk.disabled
O4 - Startup: Palo Alto Software Update Manager 8.0.lnk = C:\Program Files\Common Files\Palo Alto Software\8.0\PAS8_Update.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Microsoft AntiSpyware helper - {261E84C5-C0D6-40A4-90DB-EE3AB25AB607} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {261E84C5-C0D6-40A4-90DB-EE3AB25AB607} - (no file) (HKCU)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O21 - SSODL: XmLdrLocation - {0C887F38-5178-43DA-B9F0-B856141FCDA4} - C:\WINDOWS\SYSTEM\mserrtrc.dll
 hijackthis6105.log.txt   5.91KB   163 downloads

Edited by peacemaker05, 01 June 2005 - 03:03 PM.

[Advertisements]

Please Click here!, and follow the recommendations in the guide.

If you're still having trouble, We'll need you to use a free diagnostic tool, Hijack This. Follow the instructions in step five of this guide, and post your log as a new topic in the Hijack This forum. It will get a better response there from the people most qualified to analyze logs.

Most of what Hijack This lists will be harmless or even essential, DO NOT delete or modify anything yet! Someone will be along to tell you what steps to take after you post the contents of the scan results.

~Kristy

[Kristy]

Please Click here!, and follow the recommendations in the guide.

If you're still having trouble, We'll need you to use a free diagnostic tool, Hijack This. Follow the instructions in step five of this guide, and post your log as a new topic in the Hijack This forum. It will get a better response there from the people most qualified to analyze logs.

Most of what Hijack This lists will be harmless or even essential, DO NOT delete or modify anything yet! Someone will be along to tell you what steps to take after you post the contents of the scan results.

~Kristy

[StarHawk]

Hi peacemaker05

I glance over your HJT log and I see a couple problems that need dealt with. At least part of coolweb search is still installed as well as a few other problems. So you need to follow Rustymilo's advice and post your log in the malware section of this forum. Geek U students aren't allowed to help with these logs. It's a rule here and a good rule since the wrong advice could hurt more than help. So post in malware section and qualified staff there will help you remove the rest of the garbage from your machine.

I have downloaded CW Shredder, TDS-3, Spybot S&D, Hijack This, Pocket Killbox and several other Viral detection and removal programs, however many of them point to IE to obtain Updates on the Web (is there a work around for that?)

Are you wishing to update Windows or update the spyware removal programs? Most spyware/ av programs can update themselves. without any web browser. And any web browser should be able to allow you to download files. Perhaps you need to make another web browser your default web browser. for firefox, click Tools Options and then check the box under Default browser and click check now. Let firefox make itself the default.

If it's windows 98, see my post Here. esp the part about the UNOFFICIAL Windows 98SE Service Pack. If you need Internet explorer 6, Click Here

If you have some experience using MS-Dos there is a good anti virus program for dos, F-Prot for Dos. you will also have to download the current virus definitions to use it. it is not a windows program so only use it if you are comfortable using Dos. But I doubt you would have the problem

any virus detection software that I downloaded would somehow be disabled by the malware

So please repost your Hijack this log and I hope I've been of some help.

[peacemaker05]

Thank you, I'll try what you've suggested...and yes you and Rusty have both been helpful. These types of issues are best resolved with a teamwork approach. Thanks again for your reply to my post.

[StarHawk]

These types of issues are best resolved with a teamwork approach. Thanks again for your reply to my post.

Well said peacemaker05. Thanks