PDA

View Full Version : Virtumonde running W/98



cph1030
2007-08-18, 04:21
Hi,
I was unfortunate enough to pick up virtumonde, and even more unfortunate to be running w/98 when i did.:sick: There seem to be several solutions for W2K and XP, but virtually none for w98. I've pasted a hijackthis log below. Thanks for any help you can give
cph1030

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:41:35 PM, on 8/17/07
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\DANTZ_EXTERNALHD\RETRORUN.EXE
C:\PROGRAM FILES\CA\CA INTERNET SECURITY SUITE\CA ANTI-VIRUS\ISAFE.EXE
C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
C:\WINDOWS\SYSTEM\KB918547\KB918547.EXE
C:\PROGRAM FILES\CA\SHAREDCOMPONENTS\HIPSENGINE\UMXPOL.EXE
C:\PROGRAM FILES\CA\SHAREDCOMPONENTS\HIPSENGINE\UMXCFG.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\PROMON.EXE
C:\WINDOWS\LOADQM.EXE
C:\WINDOWS\SYSTEM\HPZTSB10.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM32\DRIVERS\DCFSSVC.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\DANTZ_EXTERNALHD\COMBOBUTTON.EXE
C:\WINDOWS\MXOALDR.EXE
C:\PROGRAM FILES\HP\HPCORETECH\HPCMPMGR.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\HP SOFTWARE UPDATE\HPWUSCHD2.EXE
C:\PROGRAM FILES\CA\CA INTERNET SECURITY SUITE\CCTRAY\CCTRAY.EXE
C:\PROGRAM FILES\CA\CA INTERNET SECURITY SUITE\CA ANTI-VIRUS\VETMSG.EXE
C:\PROGRAM FILES\CA\CA INTERNET SECURITY SUITE\CA ANTI-VIRUS\CAVRID.EXE
C:\PROGRAM FILES\CA\SHAREDCOMPONENTS\HIPSENGINE\UMXFWHLP.EXE
C:\PROGRAM FILES\CA\SHAREDCOMPONENTS\HIPSENGINE\UMXAGENT.EXE
C:\PROGRAM FILES\CA\CA INTERNET SECURITY SUITE\CA PERSONAL FIREWALL\CAPFAEM.EXE
C:\PROGRAM FILES\ATOMIC CLOCK SYNC\ATOMIC.EXE
C:\WINDOWS\XPUPDATE.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\CA\CA INTERNET SECURITY SUITE\CA PERSONAL FIREWALL\CAPFSEM.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 10.101.1.2:80
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\PROGRAM FILES\AOL\AOL TOOLBAR 2.0\AOLTB.DLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\PROGRAM FILES\AOL\AOL TOOLBAR 2.0\AOLTB.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_12\bin\ssv.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\PROGRAM FILES\AOL\AOL TOOLBAR 2.0\AOLTB.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Promon.exe] Promon.exe
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe C:\PROGRA~1\AIM95\DeadAIM.ocm,ExportedCheckODLs
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\SYSTEM\hpztsb10.exe
O4 - HKLM\..\Run: [Dcfssvc] C:\WINDOWS\System32\Drivers\dcfssvc.exe
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [MaxtorCombo] "C:\PROGRA~1\DANTZ_~1\ComboButton.exe"
O4 - HKLM\..\Run: [MXO Auto Loader] C:\WINDOWS\MXOALDR.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\SYSTEM\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\SYSTEM\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [HP Component Manager] "C:\PROGRAM FILES\HP\HPCORETECH\HPCMPMGR.EXE"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [cctray] "C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe"
O4 - HKLM\..\Run: [VetAlert] C:\PROGRA~1\CA\CAINTE~1\CAANTI~1\VETMSG.EXE
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe"
O4 - HKLM\..\Run: [UmxFwHlp] C:\Program Files\CA\SharedComponents\HIPSEngine\UmxFwHlp.exe
O4 - HKLM\..\Run: [UmxAgent] C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe
O4 - HKLM\..\Run: [cafwc] C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\cafw.exe -cl
O4 - HKLM\..\Run: [capfaem] C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfaem.exe
O4 - HKLM\..\Run: [WINPRB32] rundll32 WINPRB32.DLL,run
O4 - HKLM\..\Run: [ATOMIC.EXE] C:\PROGRAM FILES\ATOMIC CLOCK SYNC\ATOMIC.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [Retrospect Launcher] C:\PROGRAM FILES\DANTZ_EXTERNALHD\RETRORUN.EXE
O4 - HKLM\..\RunServices: [CAISafe] C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
O4 - HKLM\..\RunServices: [KB918547] C:\WINDOWS\SYSTEM\KB918547\KB918547.EXE
O4 - HKLM\..\RunServices: [UmxPol] C:\Program Files\CA\SharedComponents\HIPSEngine\Umxpol.exe
O4 - HKLM\..\RunServices: [UmxCfg] C:\Program Files\CA\SharedComponents\HIPSEngine\Umxcfg.exe
O4 - HKLM\..\RunServices: [UmxFwHlp] C:\Program Files\CA\SharedComponents\HIPSEngine\UmxFwHlp.exe /oneshot
O4 - HKCU\..\Run: [Magicantispy] C:\PROGRAM FILES\MAGICANTISPY\Magicantispy.exe
O4 - HKCU\..\Run: [Windows update loader] C:\Windows\xpupdate.exe
O4 - HKUS\.DEFAULT\..\Run: [Magicantispy] C:\PROGRAM FILES\MAGICANTISPY\Magicantispy.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [Windows update loader] C:\Windows\xpupdate.exe (User 'Default user')
O4 - .DEFAULT Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE (User 'Default user')
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-US\local\search.html
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM95\AIM.EXE
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\PROGRAM FILES\AOL\AOL TOOLBAR 2.0\AOLTB.DLL
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRAM FILES\JAVA\JRE1.5.0_12\BIN\SSV.DLL
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRAM FILES\JAVA\JRE1.5.0_12\BIN\SSV.DLL
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O12 - Plugin for .mid: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin2.dll
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/dj/qdiagh.cab?223
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/potb_x.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/SSC/SharedContent/common/bin/cabsa.cab
O16 - DPF: {AA59BA6E-B44F-4514-AB3C-0C1DD2306FC3} (MSN Money Charting) - http://fdl.msn.com/public/investor/v12/invinstl.exe
O16 - DPF: Yahoo! Trivia - http://download.games.yahoo.com/games/clients/y/tvt0_x.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: Yahoo! Word Racer - http://download.games.yahoo.com/games/clients/y/wt1_x.cab
O16 - DPF: {544EB377-350A-4295-9BEB-EAB8392E09C6} (MSN Money Charting) - http://fdl.msn.com/public/investor/v13/invinstl.exe
O16 - DPF: Yahoo! MLB StatTracker - http://aud2.sports.dcn.yahoo.com/java/y/mlbst8408_x.cab
O16 - DPF: Yahoo! Spades - http://download.games.yahoo.com/games/clients/y/st2_x.cab
O16 - DPF: {0122955E-1FB0-11D2-A238-006097FAEE8B} (CscClnt Class) - http://205.159.125.199/central/02030106/cccabs/CleverContent.cab
O16 - DPF: {4E888414-DB8F-11D1-9CD9-00C04F98436A} - https://webresponse.one.microsoft.com/oas/ActiveX/winrep.cab
O16 - DPF: {963BE66B-121D-4E6C-BF9F-1A774D9A2E41} - http://moneycentral.msn.com/cabs/pmupdate2.exe
O16 - DPF: Yahoo! Graffiti - http://download.games.yahoo.com/games/clients/y/grt5_x.cab
O16 - DPF: {2359626E-7524-4F87-B04E-22CD38A0C88C} (ICSScannerLight Class) - http://download.zonelabs.com/bin/free/cm/ICSCM_ca.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {D77EF652-9A6B-40C8-A4B9-1C0697C6CF41} (TikGames Online Control) - http://zone.msn.com/bingame/shpo/default/shapo.cab
O16 - DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} (SproutLauncherCtrl Class) - http://download.games.yahoo.com/games/web_games/gamehouse/frenzy/SproutLauncher.cab
O16 - DPF: JT's Blocks - http://download.games.yahoo.com/games/clients/y/blt1_x.cab
O16 - DPF: Yahoo! MahJong Solitaire - http://download.games.yahoo.com/games/clients/y/mjst4_x.cab
O16 - DPF: {3DC2E31C-371A-4BD3-9A27-CDF57CE604CF} (MSN Money Charting) - http://moneycentral.msn.com/cabs/pmupd806.exe
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: Yahoo! Chess - http://download.games.yahoo.com/games/clients/y/ct2_x.cab
O16 - DPF: Yahoo! Poker - http://download.games.yahoo.com/games/clients/y/pt3_x.cab
O16 - DPF: Yahoo! Backgammon - http://download.games.yahoo.com/games/clients/y/at1_x.cab
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by101fd.bay101.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab

--
End of file - 10440 bytes

pskelley
2007-08-18, 16:29
Welcome to Safer Networking, I wish to be sure you have viewed and understand this information.
"BEFORE you POST" (READ this Procedure before Requesting Assistance)
http://forums.spybot.info/showthread.php?t=288
All advice given is taken at your own risk.
Please make sure you have read this information so we are on the same page.

That's right, no tools for this infection runs on this OS that I know of. Here is what microsoft has to say:
http://www.microsoft.com/windows/support/endofsupport.mspx
Means if you take this OS online you are going to get infected sooner more often than later. My experience with the OS, and I own a Compaq 7360 with Win98SE on it that runs like a new computer, but I DO NOT go online with it even though I can, and this infection is very limited, I will do my best but can make no promises. I will also say, if you intend to go back online once you are clean, then we will both have wasted out time removing this infection.

1) Please let me see your uninstall list in case the infection is installed:
Open Hijackthis.
Click the "Open the Misc Tools" section Button.
Click the "Open Uninstall Manager" Button.
Click the "Save list..." Button.
Save it to your desktop. Copy and paste the contents into your reply.

2) Use the instrutions in this link for your OS to show all hidden files and folders:
http://www.xtra.co.nz/help/0,,4155-1916458,00.html

3) Move HJT from the Desktop for safety. I prefer C:\HJT\HijackThis.exe, if you need additional instructions use these: http://russelltexas.com/malware/createhjtfolder.htm
If you must run from the Desktop, create a folder like this: C:\WINDOWS\DESKTOP\HJT\HIJACKTHIS.EXE

4) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O4 - HKLM\..\Run: [WINPRB32] rundll32 WINPRB32.DLL,run
O4 - HKCU\..\Run: [Windows update loader] C:\Windows\xpupdate.exe
O4 - HKUS\.DEFAULT\..\Run: [Windows update loader] C:\Windows\xpupdate.exe (User 'Default user')

Close all programs but HJT and all browser windows, then click on "Fix Checked"

5) RIGHT Click on Start then click on Explore. Locate and delete these items:

C:\WINDOWS\XPUPDATE.EXE <<< delete that file

WINPRB32.DLL <<< delete that file(you will need to search for it, probably in the same C:\Windows\ folder??)

4) Clean Manager
http://spyware-free.us/tutorials/cleanmgr/

Restart the computer and post the uninstall list and a new HJT log. Let me know how the computer is running.

See this: http://forums.spybot.info/showpost.php?p=12880&postcount=2
C:\Program Files\Java\jre1.5.0_12\ <<< check for an update and uninstall all old versions in Add Remove programs.
I am not sure how far updates from Java go for the OS.

Thanks

cph1030
2007-08-20, 03:45
Hey pskelley,
I want to start off by saying Thank You for taking time to help me with my old 98 machine. I had hoped to hang on to it till my youngest made it through college, but in light of your comments, that doesn't seem like a smart thing to do.

I followed your instructions through step 4 however, i have not yet deleted the old Java versions, but i will do that as soon as i post this reply. ...

Here's the uninstall list you asked for:
Ad-Aware SE Personal
Adobe Acrobat 5.0
Age of Mythology
Age of Mythology - The Titans Expansion
Atomic Clock Sync
Backup Dell-Installed Programs
CA Internet Security Suite
Dell ResourceCD
Dune 2000
Emperor: Battle For Dune
HijackThis 2.0.2
HP Deskjet 6500
HP Deskjet 6500 Series
HP Software Update
Intel(R) PRO Ethernet Adapter and Software
Internet Explorer Q903235
Internet Explorer Q916281
J2SE Runtime Environment 5.0 Update 12
J2SE Runtime Environment 5.0 Update 6
Kodak EasyShare software
Macromedia Flash Player 8
Macromedia Shockwave Player
Microsoft Data Access Components KB870669
Microsoft Internet Explorer 6 SP1 and Internet Tools
Microsoft Office 2000 SR-1 Professional
Microsoft Outlook Express 6
Microsoft VGX Q833989
Microsoft Web Publishing Wizard 1.6
Microsoft XML Parser and SDK
MSN Messenger 7.0
MSN Money Investment Toolbox
MSXML4 Parser
NetMeeting 3.01
NVIDIA Display Driver
Outlook Express Q823353
Quicken 2003 Deluxe
Retrospect 5.6
Rise of Nations Gold
Shockwave
SoundMAX
Spybot - Search & Destroy 1.4
U.S. Robotics 56K Voice PCI DOS Box Support
USB Storage Adapter FX (MXO)
Westwood Shared Internet Components
Windows 98 KB891711 Update
Windows 98 KB896358 Update
Windows 98 KB908519 Update
Windows 98 KB918547 Update
Windows 98 Q823559 Update
Windows 98 Q840315 Update
Windows 98 Q888113 Update
Windows 98 Q890175 Update


here's the HJT log as well

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:24:51 PM, on 8/19/07
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\DANTZ_EXTERNALHD\RETRORUN.EXE
C:\PROGRAM FILES\CA\CA INTERNET SECURITY SUITE\CA ANTI-VIRUS\ISAFE.EXE
C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
C:\WINDOWS\SYSTEM\KB918547\KB918547.EXE
C:\PROGRAM FILES\CA\SHAREDCOMPONENTS\HIPSENGINE\UMXPOL.EXE
C:\PROGRAM FILES\CA\SHAREDCOMPONENTS\HIPSENGINE\UMXCFG.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\PROMON.EXE
C:\WINDOWS\LOADQM.EXE
C:\WINDOWS\SYSTEM\HPZTSB10.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM32\DRIVERS\DCFSSVC.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\DANTZ_EXTERNALHD\COMBOBUTTON.EXE
C:\WINDOWS\MXOALDR.EXE
C:\PROGRAM FILES\HP\HPCORETECH\HPCMPMGR.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\HP SOFTWARE UPDATE\HPWUSCHD2.EXE
C:\PROGRAM FILES\CA\CA INTERNET SECURITY SUITE\CCTRAY\CCTRAY.EXE
C:\PROGRAM FILES\CA\CA INTERNET SECURITY SUITE\CA ANTI-VIRUS\VETMSG.EXE
C:\PROGRAM FILES\CA\CA INTERNET SECURITY SUITE\CA ANTI-VIRUS\CAVRID.EXE
C:\PROGRAM FILES\CA\SHAREDCOMPONENTS\HIPSENGINE\UMXFWHLP.EXE
C:\PROGRAM FILES\CA\SHAREDCOMPONENTS\HIPSENGINE\UMXAGENT.EXE
C:\PROGRAM FILES\CA\CA INTERNET SECURITY SUITE\CA PERSONAL FIREWALL\CAPFAEM.EXE
C:\PROGRAM FILES\ATOMIC CLOCK SYNC\ATOMIC.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\CA\CA INTERNET SECURITY SUITE\CA PERSONAL FIREWALL\CAPFSEM.EXE
C:\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 10.101.1.2:80
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_12\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Promon.exe] Promon.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\SYSTEM\hpztsb10.exe
O4 - HKLM\..\Run: [Dcfssvc] C:\WINDOWS\System32\Drivers\dcfssvc.exe
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [MaxtorCombo] "C:\PROGRA~1\DANTZ_~1\ComboButton.exe"
O4 - HKLM\..\Run: [MXO Auto Loader] C:\WINDOWS\MXOALDR.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\SYSTEM\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\SYSTEM\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [HP Component Manager] "C:\PROGRAM FILES\HP\HPCORETECH\HPCMPMGR.EXE"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [cctray] "C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe"
O4 - HKLM\..\Run: [VetAlert] C:\PROGRA~1\CA\CAINTE~1\CAANTI~1\VETMSG.EXE
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe"
O4 - HKLM\..\Run: [UmxFwHlp] C:\Program Files\CA\SharedComponents\HIPSEngine\UmxFwHlp.exe
O4 - HKLM\..\Run: [UmxAgent] C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe
O4 - HKLM\..\Run: [cafwc] C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\cafw.exe -cl
O4 - HKLM\..\Run: [capfaem] C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfaem.exe
O4 - HKLM\..\Run: [WINPRB32] rundll32 WINPRB32.DLL,run
O4 - HKLM\..\Run: [ATOMIC.EXE] C:\PROGRAM FILES\ATOMIC CLOCK SYNC\ATOMIC.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [Retrospect Launcher] C:\PROGRAM FILES\DANTZ_EXTERNALHD\RETRORUN.EXE
O4 - HKLM\..\RunServices: [CAISafe] C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
O4 - HKLM\..\RunServices: [KB918547] C:\WINDOWS\SYSTEM\KB918547\KB918547.EXE
O4 - HKLM\..\RunServices: [UmxPol] C:\Program Files\CA\SharedComponents\HIPSEngine\Umxpol.exe
O4 - HKLM\..\RunServices: [UmxCfg] C:\Program Files\CA\SharedComponents\HIPSEngine\Umxcfg.exe
O4 - HKLM\..\RunServices: [UmxFwHlp] C:\Program Files\CA\SharedComponents\HIPSEngine\UmxFwHlp.exe /oneshot
O4 - HKCU\..\Run: [Magicantispy] C:\PROGRAM FILES\MAGICANTISPY\Magicantispy.exe
O4 - HKUS\.DEFAULT\..\Run: [Magicantispy] C:\PROGRAM FILES\MAGICANTISPY\Magicantispy.exe (User 'Default user')
O4 - .DEFAULT Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE (User 'Default user')
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRAM FILES\JAVA\JRE1.5.0_12\BIN\SSV.DLL
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRAM FILES\JAVA\JRE1.5.0_12\BIN\SSV.DLL
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O12 - Plugin for .mid: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin2.dll
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/dj/qdiagh.cab?223
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/potb_x.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/SSC/SharedContent/common/bin/cabsa.cab
O16 - DPF: {AA59BA6E-B44F-4514-AB3C-0C1DD2306FC3} (MSN Money Charting) - http://fdl.msn.com/public/investor/v12/invinstl.exe
O16 - DPF: Yahoo! Trivia - http://download.games.yahoo.com/games/clients/y/tvt0_x.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: Yahoo! Word Racer - http://download.games.yahoo.com/games/clients/y/wt1_x.cab
O16 - DPF: {544EB377-350A-4295-9BEB-EAB8392E09C6} (MSN Money Charting) - http://fdl.msn.com/public/investor/v13/invinstl.exe
O16 - DPF: Yahoo! MLB StatTracker - http://aud2.sports.dcn.yahoo.com/java/y/mlbst8408_x.cab
O16 - DPF: Yahoo! Spades - http://download.games.yahoo.com/games/clients/y/st2_x.cab
O16 - DPF: {0122955E-1FB0-11D2-A238-006097FAEE8B} (CscClnt Class) - http://205.159.125.199/central/02030106/cccabs/CleverContent.cab
O16 - DPF: {4E888414-DB8F-11D1-9CD9-00C04F98436A} - https://webresponse.one.microsoft.com/oas/ActiveX/winrep.cab
O16 - DPF: {963BE66B-121D-4E6C-BF9F-1A774D9A2E41} - http://moneycentral.msn.com/cabs/pmupdate2.exe
O16 - DPF: Yahoo! Graffiti - http://download.games.yahoo.com/games/clients/y/grt5_x.cab
O16 - DPF: {2359626E-7524-4F87-B04E-22CD38A0C88C} (ICSScannerLight Class) - http://download.zonelabs.com/bin/free/cm/ICSCM_ca.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {D77EF652-9A6B-40C8-A4B9-1C0697C6CF41} (TikGames Online Control) - http://zone.msn.com/bingame/shpo/default/shapo.cab
O16 - DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} (SproutLauncherCtrl Class) - http://download.games.yahoo.com/games/web_games/gamehouse/frenzy/SproutLauncher.cab
O16 - DPF: JT's Blocks - http://download.games.yahoo.com/games/clients/y/blt1_x.cab
O16 - DPF: Yahoo! MahJong Solitaire - http://download.games.yahoo.com/games/clients/y/mjst4_x.cab
O16 - DPF: {3DC2E31C-371A-4BD3-9A27-CDF57CE604CF} (MSN Money Charting) - http://moneycentral.msn.com/cabs/pmupd806.exe
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: Yahoo! Chess - http://download.games.yahoo.com/games/clients/y/ct2_x.cab
O16 - DPF: Yahoo! Poker - http://download.games.yahoo.com/games/clients/y/pt3_x.cab
O16 - DPF: Yahoo! Backgammon - http://download.games.yahoo.com/games/clients/y/at1_x.cab
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by101fd.bay101.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab

--
End of file - 9157 bytes

the machine seems to be running well to this point and i'll keep an eye on it in the coming days

Thanks again for your help
Charlie Hyder

pskelley
2007-08-20, 14:02
Hi Charlie, thanks for returning your information, I understand the attachment and I understand financial obligations, but it is just not safe, the junk our here gets worse and worse. In no way would I suggest you use this computer for anything that needs to be secure.
I look for malware and security issues in the uninstall list and the out of date Java is all I see. Here is a look at how easy it is to get infected:
http://www.theregister.com/2007/05/11/google_malware_map/
http://redtape.msnbc.com/2007/05/the_next_net_th.html
This is likely how it happened to you.

I am still seeing this item: O4 - HKLM\..\Run: [WINPRB32] rundll32 WINPRB32.DLL,run
WINPRB32.DLL <<< I had this file scheduled for deletion? Here is the Google:
http://www.google.com/search?hl=en&q=+WINPRB32.DLL&btnG=Search
Were you not able to do so?
I am fairly sure it needs to go, you may scan the files with one of these free online scanners:
http://virusscan.jotti.org/
http://www.kaspersky.com/scanforvirus
http://www.virustotal.com/
Post the results for me to view.

Thanks

cph1030
2007-08-21, 04:57
Hey pskelley
Once again, thanks for your help.

I did have a little difficulty deleting the winpbr32.dll file itself yesterday. At first i got a msg. saying that windows was using the file and it could not be deleted etc., so then i rebooted in safe mode and i thought i was able to delete it. All that being said i went back this evening and deleted the O4 - HKLM\..\Run: [WINPRB32] rundll32 WINPRB32.DLL,run and also searched for the file itself, and it was not found.

One thing i noticed when i looked at the HJT.log was that the name Magicantispy kept appearing. That is not a program i installed, and actually i uninstalled it before i posted to the forum. Is this significant?

Here's the HJT.log

Thanks
charlie

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:34:14 PM, on 8/20/07
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\DANTZ_EXTERNALHD\RETRORUN.EXE
C:\PROGRAM FILES\CA\CA INTERNET SECURITY SUITE\CA ANTI-VIRUS\ISAFE.EXE
C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
C:\WINDOWS\SYSTEM\KB918547\KB918547.EXE
C:\PROGRAM FILES\CA\SHAREDCOMPONENTS\HIPSENGINE\UMXPOL.EXE
C:\PROGRAM FILES\CA\SHAREDCOMPONENTS\HIPSENGINE\UMXCFG.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\PROMON.EXE
C:\WINDOWS\LOADQM.EXE
C:\WINDOWS\SYSTEM\HPZTSB10.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM32\DRIVERS\DCFSSVC.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\DANTZ_EXTERNALHD\COMBOBUTTON.EXE
C:\WINDOWS\MXOALDR.EXE
C:\PROGRAM FILES\HP\HPCORETECH\HPCMPMGR.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\HP SOFTWARE UPDATE\HPWUSCHD2.EXE
C:\PROGRAM FILES\CA\CA INTERNET SECURITY SUITE\CCTRAY\CCTRAY.EXE
C:\PROGRAM FILES\CA\CA INTERNET SECURITY SUITE\CA ANTI-VIRUS\VETMSG.EXE
C:\PROGRAM FILES\CA\CA INTERNET SECURITY SUITE\CA ANTI-VIRUS\CAVRID.EXE
C:\PROGRAM FILES\CA\SHAREDCOMPONENTS\HIPSENGINE\UMXFWHLP.EXE
C:\PROGRAM FILES\CA\SHAREDCOMPONENTS\HIPSENGINE\UMXAGENT.EXE
C:\PROGRAM FILES\CA\CA INTERNET SECURITY SUITE\CA PERSONAL FIREWALL\CAPFAEM.EXE
C:\PROGRAM FILES\ATOMIC CLOCK SYNC\ATOMIC.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\CA\CA INTERNET SECURITY SUITE\CA PERSONAL FIREWALL\CAPFSEM.EXE
C:\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 10.101.1.2:80
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Promon.exe] Promon.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\SYSTEM\hpztsb10.exe
O4 - HKLM\..\Run: [Dcfssvc] C:\WINDOWS\System32\Drivers\dcfssvc.exe
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [MaxtorCombo] "C:\PROGRA~1\DANTZ_~1\ComboButton.exe"
O4 - HKLM\..\Run: [MXO Auto Loader] C:\WINDOWS\MXOALDR.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\SYSTEM\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\SYSTEM\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [HP Component Manager] "C:\PROGRAM FILES\HP\HPCORETECH\HPCMPMGR.EXE"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [cctray] "C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe"
O4 - HKLM\..\Run: [VetAlert] C:\PROGRA~1\CA\CAINTE~1\CAANTI~1\VETMSG.EXE
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe"
O4 - HKLM\..\Run: [UmxFwHlp] C:\Program Files\CA\SharedComponents\HIPSEngine\UmxFwHlp.exe
O4 - HKLM\..\Run: [UmxAgent] C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe
O4 - HKLM\..\Run: [cafwc] C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\cafw.exe -cl
O4 - HKLM\..\Run: [capfaem] C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfaem.exe
O4 - HKLM\..\Run: [ATOMIC.EXE] C:\PROGRAM FILES\ATOMIC CLOCK SYNC\ATOMIC.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [Retrospect Launcher] C:\PROGRAM FILES\DANTZ_EXTERNALHD\RETRORUN.EXE
O4 - HKLM\..\RunServices: [CAISafe] C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
O4 - HKLM\..\RunServices: [KB918547] C:\WINDOWS\SYSTEM\KB918547\KB918547.EXE
O4 - HKLM\..\RunServices: [UmxPol] C:\Program Files\CA\SharedComponents\HIPSEngine\Umxpol.exe
O4 - HKLM\..\RunServices: [UmxCfg] C:\Program Files\CA\SharedComponents\HIPSEngine\Umxcfg.exe
O4 - HKLM\..\RunServices: [UmxFwHlp] C:\Program Files\CA\SharedComponents\HIPSEngine\UmxFwHlp.exe /oneshot
O4 - HKCU\..\Run: [Magicantispy] C:\PROGRAM FILES\MAGICANTISPY\Magicantispy.exe
O4 - HKUS\.DEFAULT\..\Run: [Magicantispy] C:\PROGRAM FILES\MAGICANTISPY\Magicantispy.exe (User 'Default user')
O4 - .DEFAULT Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE (User 'Default user')
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O12 - Plugin for .mid: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin2.dll
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/dj/qdiagh.cab?223
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/potb_x.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/SSC/SharedContent/common/bin/cabsa.cab
O16 - DPF: {AA59BA6E-B44F-4514-AB3C-0C1DD2306FC3} (MSN Money Charting) - http://fdl.msn.com/public/investor/v12/invinstl.exe
O16 - DPF: Yahoo! Trivia - http://download.games.yahoo.com/games/clients/y/tvt0_x.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: Yahoo! Word Racer - http://download.games.yahoo.com/games/clients/y/wt1_x.cab
O16 - DPF: {544EB377-350A-4295-9BEB-EAB8392E09C6} (MSN Money Charting) - http://fdl.msn.com/public/investor/v13/invinstl.exe
O16 - DPF: Yahoo! MLB StatTracker - http://aud2.sports.dcn.yahoo.com/java/y/mlbst8408_x.cab
O16 - DPF: Yahoo! Spades - http://download.games.yahoo.com/games/clients/y/st2_x.cab
O16 - DPF: {0122955E-1FB0-11D2-A238-006097FAEE8B} (CscClnt Class) - http://205.159.125.199/central/02030106/cccabs/CleverContent.cab
O16 - DPF: {4E888414-DB8F-11D1-9CD9-00C04F98436A} - https://webresponse.one.microsoft.com/oas/ActiveX/winrep.cab
O16 - DPF: {963BE66B-121D-4E6C-BF9F-1A774D9A2E41} - http://moneycentral.msn.com/cabs/pmupdate2.exe
O16 - DPF: Yahoo! Graffiti - http://download.games.yahoo.com/games/clients/y/grt5_x.cab
O16 - DPF: {2359626E-7524-4F87-B04E-22CD38A0C88C} (ICSScannerLight Class) - http://download.zonelabs.com/bin/free/cm/ICSCM_ca.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {D77EF652-9A6B-40C8-A4B9-1C0697C6CF41} (TikGames Online Control) - http://zone.msn.com/bingame/shpo/default/shapo.cab
O16 - DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} (SproutLauncherCtrl Class) - http://download.games.yahoo.com/games/web_games/gamehouse/frenzy/SproutLauncher.cab
O16 - DPF: JT's Blocks - http://download.games.yahoo.com/games/clients/y/blt1_x.cab
O16 - DPF: Yahoo! MahJong Solitaire - http://download.games.yahoo.com/games/clients/y/mjst4_x.cab
O16 - DPF: {3DC2E31C-371A-4BD3-9A27-CDF57CE604CF} (MSN Money Charting) - http://moneycentral.msn.com/cabs/pmupd806.exe
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: Yahoo! Chess - http://download.games.yahoo.com/games/clients/y/ct2_x.cab
O16 - DPF: Yahoo! Poker - http://download.games.yahoo.com/games/clients/y/pt3_x.cab
O16 - DPF: Yahoo! Backgammon - http://download.games.yahoo.com/games/clients/y/at1_x.cab
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by101fd.bay101.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab

--
End of file - 8804 bytes

pskelley
2007-08-21, 13:29
Thanks for returning your information, you asked:

One thing i noticed when i looked at the HJT.log was that the name Magicantispy kept appearing. That is not a program i installed, and actually i uninstalled it before i posted to the forum. Is this significant?The program is a piece of junk, but understand it got installed somehow. Often the junk if bundled with other junk and no one bothers to read the eula agreement. Because it is junk the software is written poorly and the unistaller does not remove it all, and problems can occur.
Here is information at Google: http://www.google.com/search?hl=en&q=Magicantispy&btnG=Google+Search
If we can't remove it manually, Symantec offers information for editing it from your register (make sure you backup) and several others offer removal help. Be careful because some of those look questionable also, here is a good guide to use:
http://www.spywarewarrior.com/rogue_anti-spyware.htm

1) all files and folders still enabled

2) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

O4 - HKCU\..\Run: [Magicantispy] C:\PROGRAM FILES\MAGICANTISPY\Magicantispy.exe
O4 - HKUS\.DEFAULT\..\Run: [Magicantispy] C:\PROGRAM FILES\MAGICANTISPY\Magicantispy.exe (User 'Default user')

Close all programs but HJT and all browser windows, then click on "Fix Checked"

3) RIGHT Click on Start then click on Explore. Locate and delete these items:

C:\PROGRAM FILES\MAGICANTISPY\ <<< delete that folder

Make sure you clean the recycle bin.

Let me suppest to you that you download a lot of yahoo games, yahoo is in bed with the enemy and they are not above sending adware and even spyware along with what you think is "free". As with about all free programs, you will pay a price. I suggest the games be purchased (even then read the eula) or played online.

Some good information for you:
http://users.telenet.be/bluepatchy/miekiemoes/slowcomputer.html

Here is some great information from experts in this field that will help you stay clean and safe online.
http://users.telenet.be/bluepatchy/miekiemoes/prevention.html
http://forums.spybot.info/showthread.php?t=279
http://russelltexas.com/malware/allclear.htm
http://forum.malwareremoval.com/viewtopic.php?t=14
http://www.bleepingcomputer.com/forums/topict2520.html
http://cybercoyote.org/security/not-admin.shtml

Thanks...pskelley
Safer Networking Forums
http://www.spybot.info/en/donate/index.html
If you are reading this information...thank a teacher,
If you are reading it in English...thank a soldier.

cph1030
2007-08-22, 04:12
Hey pskelley

The saga continues :) I followed the procedure to delete magicantispy, but interestingly enough when i went to delete the folder, it wasn't there. In any event i cleaned out the recycle bin and thought i would run Spybot to see if Virtumonde was there....unfortunately it was

Pasted below is my HJT log after the magicantispy removal. Thanks.....charlie

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:43:04 PM, on 8/21/07
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\DANTZ_EXTERNALHD\RETRORUN.EXE
C:\PROGRAM FILES\CA\CA INTERNET SECURITY SUITE\CA ANTI-VIRUS\ISAFE.EXE
C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
C:\WINDOWS\SYSTEM\KB918547\KB918547.EXE
C:\PROGRAM FILES\CA\SHAREDCOMPONENTS\HIPSENGINE\UMXPOL.EXE
C:\PROGRAM FILES\CA\SHAREDCOMPONENTS\HIPSENGINE\UMXCFG.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\PROMON.EXE
C:\WINDOWS\LOADQM.EXE
C:\WINDOWS\SYSTEM\HPZTSB10.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM32\DRIVERS\DCFSSVC.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\DANTZ_EXTERNALHD\COMBOBUTTON.EXE
C:\WINDOWS\MXOALDR.EXE
C:\PROGRAM FILES\HP\HPCORETECH\HPCMPMGR.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\HP SOFTWARE UPDATE\HPWUSCHD2.EXE
C:\PROGRAM FILES\CA\CA INTERNET SECURITY SUITE\CCTRAY\CCTRAY.EXE
C:\PROGRAM FILES\CA\CA INTERNET SECURITY SUITE\CA ANTI-VIRUS\VETMSG.EXE
C:\PROGRAM FILES\CA\CA INTERNET SECURITY SUITE\CA ANTI-VIRUS\CAVRID.EXE
C:\PROGRAM FILES\CA\SHAREDCOMPONENTS\HIPSENGINE\UMXFWHLP.EXE
C:\PROGRAM FILES\CA\SHAREDCOMPONENTS\HIPSENGINE\UMXAGENT.EXE
C:\PROGRAM FILES\CA\CA INTERNET SECURITY SUITE\CA PERSONAL FIREWALL\CAPFAEM.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\CA\CA INTERNET SECURITY SUITE\CA PERSONAL FIREWALL\CAPFSEM.EXE
C:\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 10.101.1.2:80
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Promon.exe] Promon.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\SYSTEM\hpztsb10.exe
O4 - HKLM\..\Run: [Dcfssvc] C:\WINDOWS\System32\Drivers\dcfssvc.exe
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [MaxtorCombo] "C:\PROGRA~1\DANTZ_~1\ComboButton.exe"
O4 - HKLM\..\Run: [MXO Auto Loader] C:\WINDOWS\MXOALDR.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\SYSTEM\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\SYSTEM\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [HP Component Manager] "C:\PROGRAM FILES\HP\HPCORETECH\HPCMPMGR.EXE"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [cctray] "C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe"
O4 - HKLM\..\Run: [VetAlert] C:\PROGRA~1\CA\CAINTE~1\CAANTI~1\VETMSG.EXE
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe"
O4 - HKLM\..\Run: [UmxFwHlp] C:\Program Files\CA\SharedComponents\HIPSEngine\UmxFwHlp.exe
O4 - HKLM\..\Run: [UmxAgent] C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe
O4 - HKLM\..\Run: [cafwc] C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\cafw.exe -cl
O4 - HKLM\..\Run: [capfaem] C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfaem.exe
O4 - HKLM\..\Run: [ATOMIC.EXE] C:\PROGRAM FILES\ATOMIC CLOCK SYNC\ATOMIC.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [Retrospect Launcher] C:\PROGRAM FILES\DANTZ_EXTERNALHD\RETRORUN.EXE
O4 - HKLM\..\RunServices: [CAISafe] C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
O4 - HKLM\..\RunServices: [KB918547] C:\WINDOWS\SYSTEM\KB918547\KB918547.EXE
O4 - HKLM\..\RunServices: [UmxPol] C:\Program Files\CA\SharedComponents\HIPSEngine\Umxpol.exe
O4 - HKLM\..\RunServices: [UmxCfg] C:\Program Files\CA\SharedComponents\HIPSEngine\Umxcfg.exe
O4 - HKLM\..\RunServices: [UmxFwHlp] C:\Program Files\CA\SharedComponents\HIPSEngine\UmxFwHlp.exe /oneshot
O4 - .DEFAULT Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE (User 'Default user')
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O12 - Plugin for .mid: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin2.dll
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/dj/qdiagh.cab?223
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/potb_x.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/SSC/SharedContent/common/bin/cabsa.cab
O16 - DPF: {AA59BA6E-B44F-4514-AB3C-0C1DD2306FC3} (MSN Money Charting) - http://fdl.msn.com/public/investor/v12/invinstl.exe
O16 - DPF: Yahoo! Trivia - http://download.games.yahoo.com/games/clients/y/tvt0_x.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: Yahoo! Word Racer - http://download.games.yahoo.com/games/clients/y/wt1_x.cab
O16 - DPF: {544EB377-350A-4295-9BEB-EAB8392E09C6} (MSN Money Charting) - http://fdl.msn.com/public/investor/v13/invinstl.exe
O16 - DPF: Yahoo! MLB StatTracker - http://aud2.sports.dcn.yahoo.com/java/y/mlbst8408_x.cab
O16 - DPF: Yahoo! Spades - http://download.games.yahoo.com/games/clients/y/st2_x.cab
O16 - DPF: {0122955E-1FB0-11D2-A238-006097FAEE8B} (CscClnt Class) - http://205.159.125.199/central/02030106/cccabs/CleverContent.cab
O16 - DPF: {4E888414-DB8F-11D1-9CD9-00C04F98436A} - https://webresponse.one.microsoft.com/oas/ActiveX/winrep.cab
O16 - DPF: {963BE66B-121D-4E6C-BF9F-1A774D9A2E41} - http://moneycentral.msn.com/cabs/pmupdate2.exe
O16 - DPF: Yahoo! Graffiti - http://download.games.yahoo.com/games/clients/y/grt5_x.cab
O16 - DPF: {2359626E-7524-4F87-B04E-22CD38A0C88C} (ICSScannerLight Class) - http://download.zonelabs.com/bin/free/cm/ICSCM_ca.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {D77EF652-9A6B-40C8-A4B9-1C0697C6CF41} (TikGames Online Control) - http://zone.msn.com/bingame/shpo/default/shapo.cab
O16 - DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} (SproutLauncherCtrl Class) - http://download.games.yahoo.com/games/web_games/gamehouse/frenzy/SproutLauncher.cab
O16 - DPF: JT's Blocks - http://download.games.yahoo.com/games/clients/y/blt1_x.cab
O16 - DPF: Yahoo! MahJong Solitaire - http://download.games.yahoo.com/games/clients/y/mjst4_x.cab
O16 - DPF: {3DC2E31C-371A-4BD3-9A27-CDF57CE604CF} (MSN Money Charting) - http://moneycentral.msn.com/cabs/pmupd806.exe
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: Yahoo! Chess - http://download.games.yahoo.com/games/clients/y/ct2_x.cab
O16 - DPF: Yahoo! Poker - http://download.games.yahoo.com/games/clients/y/pt3_x.cab
O16 - DPF: Yahoo! Backgammon - http://download.games.yahoo.com/games/clients/y/at1_x.cab
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by101fd.bay101.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab

--
End of file - 8533 bytes

pskelley
2007-08-22, 12:36
Looking at your HJT log on this date:
Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 8:43:04 PM, on 8/21/07

Use HJT to remove this old Java line.
O2 - BHO: (no name) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - (no file)

I see nothing in the log I can identify as malware.

In any event i cleaned out the recycle bin and thought i would run Spybot to see if Virtumonde was there....unfortunately it wasIs your Spybot version completely up to date and immunized. That being the case, then post at the Spybot forum to see if it is a false positive.
Before you post, I suggest you run Spybot as suggest in this link:
http://forums.spybot.info/showthread.php?t=288 to see if the items can be removed in safe mode.

http://forums.spybot.info/forumdisplay.php?f=4 <<< Spybot forum
http://forums.spybot.info/forumdisplay.php?f=16 <<< false positives

Thanks

cph1030
2007-08-24, 13:48
hey pskelley
I believe you have defeated Virtumonde on w/98!!! Running spybot and deleting in the safe mode did the trick last evening

Also, as you suggested, the machine you cleaned is now officially an offline machine so as not to be reinfected

Many, many thanks for sharing your knowledge and time with me.

Charlie

pskelley
2007-08-25, 03:52
As the problem appears to be resolved this topic has been closed.

If you need it re-opened please send me or a forum staff member a private message (pm) and provide a link to the thread; this applies only to the original topic starter.

Anyone else with similar problems please start a new topic.

Thanks