
Is this Trojan blocking Windows Updates?
Started by
DangerousThing
, Nov 15 2005 04:10 PM
#31
Posted 20 December 2005 - 02:02 PM

#32
Posted 20 December 2005 - 03:41 PM

Nothing good. Wannabe1 is still thinking over our last attempt (I think).
If I had the money to replace it, I'd throw the machine out the window.
#33
Posted 20 December 2005 - 10:53 PM

Can you give me a new hijack this log, the blacklight log and the rootkit analysis again? Also, have you ever done a panda scan? If not, please run it and post the contents of the log here. Don't throw it out the window. Everything can be fixed one way or another. It's just difficult to do when you are not sitting in front of it, but you are doing a great job.

#34
Posted 27 December 2005 - 03:30 PM

My mind is fried. Could you steer me in the right direction for the blacklight and rootkit analyses? Thanks
#35
Posted 27 December 2005 - 09:27 PM

Download and save BlackLight to your desktop. Double-click blbeta.exe, accept the agreement, leave [X] Scan through Windows Explorer checked, click Scan > Next.
You'll see a list of all the items it found. There will also be a log on your desktop with the name fsbl.xxxxxxx.log (where xxxxxxx represents numbers). The application finds both bad files and legitimate ones such as "wbemtest.exe", so don't choose the rename option yet! Copy and paste the log it generated in your next reply.
Please download Rootkit Revealer (link is at the very bottom of the page)
- Unzip it to your desktop.
- Open the rootkitrevealer folder and double-click rootkitrevealer.exe
- Click the Scan button (bottom right)
- It may take a while to scan (don't do anything while it's running)
- When it's done, go up to File > Save. Choose to save it to your desktop.
- Open rootkitrevealer.txt on your desktop and copy the entire contents and paste them here

#36
Posted 28 December 2005 - 10:20 AM

Thanks. I'm at work today until 2100 CST (US). I am off tomorrow and will try to get you what you need. I really appreciate all your efforts.
#37
Posted 29 December 2005 - 09:16 AM

Hi again. The BlackLight program won't open. I get a missing DLL file message. On further review, it seems it isn't designed for Win98. I also am unable to open the Rootkit Revealer. I get an error starting program message referring to "The PSAPI.DLL file is linked to missing export NTDLL.DLL:NtAllocateVirtualMemory" and "A device attached to the system is not functioning". Anyway, at least the HijackThis is working! Here it is:
Logfile of HijackThis v1.99.1
Scan saved at 9:12:13 AM, on 12/29/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\ATI2EVXX.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\ATIPTAXX.EXE
C:\PROGRAM FILES\BROADJUMP\CLIENT FOUNDATION\CFD.EXE
C:\PROGRAM FILES\YAHOO!\BROWSER\YBRWICON.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
C:\PROGRAM FILES\TROJANHUNTER 4.2\THGUARD.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\PROGRAM FILES\BILLP STUDIOS\WINPATROL\WINPATROL.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\MOZILLA FIREFOX\FIREFOX.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://dsl.sbc.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = localhost:2323
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_3_12_0.DLL
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [YBrowser] C:\Program Files\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [THGuard] "C:\PROGRAM FILES\TROJANHUNTER 4.2\THGUARD.EXE"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\Run: [WinPatrol] "C:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe"
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [ATIPOLAB] ati2evxx.exe
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - HKCU\..\Run: [ccleaner] "C:\PROGRAM FILES\CCLEANER\CCLEANER.exe" /AUTO
O4 - HKCU\..\RunServices: [ccleaner] "C:\PROGRAM FILES\CCLEANER\CCLEANER.exe" /AUTO
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\WINDOWS\SYSTEM\SHDOCVW.DLL
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\WINDOWS\SYSTEM\SHDOCVW.DLL
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\WINDOWS\SYSTEM\SHDOCVW.DLL
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\WINDOWS\SYSTEM\SHDOCVW.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM\AIM.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O12 - Plugin for .pdf: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/z...s/heartbeat.cab
O16 - DPF: {231B1C6E-F934-42A2-92B6-C2FEFEC24276} (yucsetreg Class) - C:\Program Files\Yahoo!\common\yucconfig.dll
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/...ro.cab34246.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/z...s/heartbeat.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefend...bitdefender.cab
O16 - DPF: {C4925E65-7A1E-11D2-8BB4-00A0C9CC72C3} (Virtools WebPlayer Class) - http://a532.g.akamai...0/Installer.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
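As an added example (not code from the thread or from the HijackThis project), a small Python triage script over log lines in the format posted above: it parses the R0/R1/O2/O4/O16 entries into records and lists the items a helper would want confirmed. The checks are assumptions about what to verify, not the tool's own rules, and the last O16 line of the sample uses a placeholder CLSID and URL.

```python
import re
from dataclasses import dataclass

# Entry lines look like "O4 - HKLM\..\Run: [name] command"; the header and
# the running-process list carry no such prefix and are skipped.
ENTRY_RE = re.compile(r"^(?P<code>[RFNO]\d{1,2}) - (?P<body>.*)$")
REG_RE = re.compile(r"^(?P<hive>HK\w+)\\(?P<key>[^,]+),(?P<value>[^=]+?) =\s*(?P<data>.*)$")
RUN_RE = re.compile(r"^(?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
DPF_RE = re.compile(r"^DPF: \{(?P<clsid>[0-9A-Fa-f-]+)\} \((?P<desc>[^)]*)\) - (?P<codebase>.*)$")
BHO_RE = re.compile(r"^BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*)$")
DRIVE_RE = re.compile(r"^[A-Za-z]:\\")
EXEC_EXT = (".exe", ".com", ".bat", ".dll", ".scr", ".pif")
SUB_RE = {"R0": REG_RE, "R1": REG_RE, "O2": BHO_RE, "O4": RUN_RE, "O16": DPF_RE}

# Constructed sample in the format of the log posted above; the last O16
# line is a placeholder CLSID and URL, not a real control.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Platform: Windows 98 SE (Win9x 4.10.2222A)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://dsl.sbc.yahoo.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = localhost:2323
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O16 - DPF: {231B1C6E-F934-42A2-92B6-C2FEFEC24276} (yucsetreg Class) - C:\Program Files\Yahoo!\common\yucconfig.dll
O16 - DPF: {00000000-0000-0000-0000-000000000000} (Placeholder Scanner Control) - http://scanner.example.test/placeholder/scan.cab
"""


@dataclass
class Entry:
    code: str
    fields: dict


def parse_hjt(text):
    """Turn the entry lines of a HijackThis log into Entry records."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        code, body = m.group("code"), m.group("body")
        sub = SUB_RE.get(code)
        sm = sub.match(body) if sub else None
        # Unknown or unparsable entries keep the raw body so nothing is lost.
        entries.append(Entry(code, sm.groupdict() if sm else {"raw": body}))
    return entries


def command_path(cmd):
    """Program path of an autorun command: quoted paths are taken verbatim,
    otherwise tokens are joined until one ends in an executable extension,
    so an unquoted 'C:\\Program Files\\...\\x.exe' is not cut at the space."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    tokens = cmd.split(" ")
    for i, tok in enumerate(tokens):
        if tok.lower().endswith(EXEC_EXT):
            return " ".join(tokens[: i + 1])
    return tokens[0]


def triage(entries):
    """Items a helper reading the log would want confirmed (assumed checks,
    not HijackThis's own rules)."""
    findings = []
    for e in entries:
        f = e.fields
        if e.code == "R1" and f.get("value") == "ProxyServer" and f.get("data"):
            findings.append(f"proxy set to {f['data']}: confirm a known local filter owns that port")
        elif e.code == "O4" and "cmd" in f and not DRIVE_RE.match(command_path(f["cmd"])):
            findings.append(f"autorun [{f['name']}] has no full path ({f['cmd']}): confirm which file runs")
        elif e.code == "O16" and f.get("codebase", "").lower().startswith("http"):
            findings.append(f"ActiveX control fetched from {f['codebase']} ({f['desc']})")
    return findings


if __name__ == "__main__":
    for finding in triage(parse_hjt(SAMPLE_LOG)):
        print(finding)
```

On the sample it reports the localhost:2323 proxy, the two autoruns without a full path (SysTray.Exe and Rundll32.exe), and the one remotely fetched control.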
#38
Posted 29 December 2005 - 10:28 AM

Go to this link and go to no. 5. Follow the instructions on providing a startup log also.
http://www.bleepingc...ware-tut42.html
#39
Posted 29 December 2005 - 12:11 PM

Okay, here it is:
StartupList report, 12/29/05, 12:07:59 PM
StartupList version: 1.52.2
Started from : C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE
Detected: Windows 98 SE (Win9x 4.10.2222A)
Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
* Using default options
==================================================
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\ATI2EVXX.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\ATIPTAXX.EXE
C:\PROGRAM FILES\BROADJUMP\CLIENT FOUNDATION\CFD.EXE
C:\PROGRAM FILES\YAHOO!\BROWSER\YBRWICON.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
C:\PROGRAM FILES\TROJANHUNTER 4.2\THGUARD.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\PROGRAM FILES\BILLP STUDIOS\WINPATROL\WINPATROL.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\MOZILLA FIREFOX\FIREFOX.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE
--------------------------------------------------
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
SystemTray = SysTray.Exe
ScanRegistry = C:\WINDOWS\scanregw.exe /autorun
TaskMonitor = C:\WINDOWS\taskmon.exe
LoadPowerProfile = Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
AtiPTA = Atiptaxx.exe
BJCFD = C:\Program Files\BroadJump\Client Foundation\CFD.exe
YBrowser = C:\Program Files\Yahoo!\browser\ybrwicon.exe
QuickTime Task = "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
Zone Labs Client = C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
THGuard = "C:\PROGRAM FILES\TROJANHUNTER 4.2\THGUARD.EXE"
AVG7_CC = C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
AVG7_EMC = C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
AVG7_AMSVR = C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
WinPatrol = "C:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe"
--------------------------------------------------
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
LoadPowerProfile = Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
ATIPOLAB = ati2evxx.exe
SchedulingAgent = mstask.exe
SSDPSRV = C:\WINDOWS\SYSTEM\ssdpsrv.exe
KB891711 = C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
TrueVector = C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
ccleaner = "C:\PROGRAM FILES\CCLEANER\CCLEANER.exe" /AUTO
--------------------------------------------------
File association entry for .TXT:
HKEY_CLASSES_ROOT\txtfile\shell\open\command
(Default) = C:\WINDOWS\NOTEPAD.EXE %1
--------------------------------------------------
C:\WINDOWS\WININIT.INI listing:
(Created 29/12/2005, 8:59:32)
[Rename]
NUL=C:\WINDOWS\TEMPOR~1\CONTENT.IE5\INDEX.DAT
NUL=C:\WINDOWS\COOKIES\INDEX.DAT
--------------------------------------------------
C:\AUTOEXEC.BAT listing:
C:\PROGRA~1\GRISOFT\AVGFRE~1\BOOTUP.EXE
SET BLASTER=A220 I7 D1 H5 P330 T6
SET CTSYN=C:\WINDOWS
C:\PROGRA~1\CREATIVE\SBPCI512\DOSDRV\SBEINIT.COM
SET PATH=C:\WINDOWS\SYSTEM\WBEM;%PATH%
Set tvdumpflags=10
Set tvdumpflags=8
Set tvdumpflags=8
--------------------------------------------------
Enumerating Browser Helper Objects:
(no name) - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL - {53707962-6F74-2D53-2644-206D7942484F}
--------------------------------------------------
Enumerating Task Scheduler jobs:
Maintenance-Defragment programs.job
Maintenance-ScanDisk.job
Maintenance-Disk cleanup.job
Spybot - Search & Destroy - Scheduled Task.job
--------------------------------------------------
Enumerating Download Program Files:
[CV3 Class]
InProcServer32 = C:\WINDOWS\SYSTEM\WUV3IS.DLL
CODEBASE = http://windowsupdate...en/actsetup.cab
[Shockwave ActiveX Control]
InProcServer32 = C:\WINDOWS\SYSTEM\MACROMED\DIRECTOR\SWDIR.DLL
CODEBASE = http://fpdownload.ma...director/sw.cab
[Update Class]
InProcServer32 = C:\WINDOWS\SYSTEM\IUCTL.DLL
CODEBASE = http://v4.windowsupd...B?37862.6340625
[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\SYSTEM\MACROMED\FLASH\FLASH8.OCX
CODEBASE = http://fpdownload.ma...ent/swflash.cab
[RegConfig Class]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\YREGCFG.DLL
CODEBASE = http://download.yaho...rod/yregcfg.cab
[YPCXWizard Class]
InProcServer32 = C:\PROGRAM FILES\YAHOO!\PARENTAL CONTROLS\YPCXWIZARD_DLL.DLL
CODEBASE = http://download.yaho...d2003080601.cab
[HeartbeatCtl Class]
InProcServer32 = C:\WINDOWS\DOWNLO~1\CONFLICT.2\HRTBEAT.OCX
CODEBASE = http://fdl.msn.com/z...s/heartbeat.cab
[YahooYMailTo Class]
InProcServer32 = C:\PROGRAM FILES\YAHOO!\COMMON\YMMAPI.DLL
CODEBASE = http://download.yaho...mail/ymmapi.dll
[yucsetreg Class]
InProcServer32 = C:\PROGRAM FILES\YAHOO!\COMMON\YUCCONFIG.DLL
CODEBASE = C:\Program Files\Yahoo!\common\yucconfig.dll
[QuickTime Object]
InProcServer32 = C:\WINDOWS\SYSTEM\QTPLUGIN.OCX
CODEBASE = http://www.apple.com...ex/qtplugin.cab
[ZoneIntro Class]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\ZINTRO.OCX
CODEBASE = http://zone.msn.com/...ro.cab34246.cab
[HeartbeatCtl Class]
InProcServer32 = C:\WINDOWS\DOWNLO~1\CONFLICT.4\HRTBEAT.OCX
CODEBASE = http://fdl.msn.com/z...s/heartbeat.cab
[ActiveScan Installer Class]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\ASINST.DLL
CODEBASE = http://www.pandasoft.../as5/asinst.cab
[AvxScanOnline Control]
InProcServer32 = C:\WINDOWS\DOWNLO~1\BITDEF~1.OCX
CODEBASE = http://www.bitdefend...bitdefender.cab
[YInstStarter Class]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\YINSTHELPER.DLL
CODEBASE = http://download.yaho...s/yinst0309.cab
[Virtools WebPlayer Class]
InProcServer32 = C:\PROGRAM FILES\VIRTOOLS WEB PLAYER 3.0\WEBPLAYER.OCX
CODEBASE = http://a532.g.akamai...0/Installer.exe
[HouseCall Control]
InProcServer32 = C:\WINDOWS\DOWNLO~1\XSCAN53.OCX
CODEBASE = http://a840.g.akamai...all/xscan53.cab
--------------------------------------------------
Enumerating ShellServiceObjectDelayLoad items:
WebCheck: C:\WINDOWS\SYSTEM\WEBCHECK.DLL
--------------------------------------------------
End of report, 7,660 bytes
Report generated in 0.609 seconds
Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only
#40
Posted 29 December 2005 - 12:30 PM

This thread is so long and I don't have time to go back and look through both threads but have you tried turning off zone alarm and applying the windows updates?
Also, navigate to this file, right-click on it and tell me its properties.
C:\WINDOWS\NOTEPAD.EXE
#41
Posted 29 December 2005 - 12:55 PM

Yes, I have tried to update with ZoneAlarm turned off, to no avail. The file in question is shown as:
Type: Application
Location: C:\WINDOWS
Size: 52.0KB (53,248 bytes) 65,536 bytes used
MS-DOS name: NOTEPAD.EXE
Created: Friday, April 23, 1999
Modified: Friday, April 23, 1999
Accessed: Thursday, December 29, 2005
The attribute box checked is: Archive
File Version: 4.10.1998
Description: Windows Notepad application file
Copyright: Copyright © Microsft corp. 1991-1998
#42
Posted 29 December 2005 - 04:19 PM

I really think you are malware free.
You can run a free virus scan and post the results here. But if that turns up clean, I'll send you back to the 98forum. Sorry.
You did say your version of windows is valid, right?
Please run a free online virus scan here (tick the "Auto Clean" checkbox):
http://housecall.antivirus.com/
or from:
http://www.pandasoft...n_principal.htm
You will need to use Internet Explorer to download both scans.
#43
Posted 29 December 2005 - 04:27 PM

Define "valid"
#44
Posted 29 December 2005 - 04:33 PM

Tell me where you got Windows from.
#45
Posted 29 December 2005 - 04:39 PM

I upgraded my machine from Win95 a few years ago. I paid a friend of a friend to do it along with a RAM and video card upgrade.
Edited by DangerousThing, 29 December 2005 - 04:40 PM.