
Confused W/Infected Files...



Paladin
2006-12-15, 21:57
I was experiencing a 'redirecting' problem on Internet Explorer (IE). Each time I Googled a name of an individual, and attempted to read their bio on Wikipedia, I was being redirected (or possibly hi-jacked) to another, unintended web-site. I was on the telephone 3 consecutive days with technicians at CA; each time they resolved the problem, it returned the following day. And, I make it a point not to frequent any unsavory or questionable web-sites, only frequenting Yahoo, Google, Wikipedia and perhaps PokerStars.

One technician at my ISP highly recommended that I use Firefox exclusively, which I do. And, I've also noticed that the redirecting problem has not returned because I occasionally check it with IE. I was advised by a technician at PokerStars that I have a rootkit problem. He highly recommended I visit this web-site.

I read a thread or 2 with what appeared to be a similar problem and the gentleman who gave advice was PSKelley. I followed a few of his recommendations by installing Spyware Doctor. This scanner found 257 infected files; however, I was unable to remove them because the form that they use was cut in half as I use a double monitor.

I also installed Spybot and it said that I had 63 infected files which it eliminated, entirely, yesterday while it claims I picked up 37 new infected files just before posting this message. I ran the Fixwareout software and was advised to post the report:


Fixwareout
Last edited 12/06/2006
Post this report in the forums please

Reg Entries that were deleted


Microsoft (R) Windows Script Host Version 5.6
Random Runs removed from HKLM
...

PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, There WILL be legitimate FILES LISTED. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.

»»»»» Search by size and names...

»»»»» Misc files

»»»»»
Search five digit cs, dm and jb files
This WILL/CAN also list Legit Files, Submit them at Virustotal

It would appear that it didn't find anything harmful.

Incidentally, my operating system is Windows 98SE. I am using a router (non wireless) and Computer Associates Anti-Virus. I ran both their scan and Trend Micro and both found nothing. And, I just installed a trial-version of NOD32 Anti-Virus by "ESET" and it is running concurrently with my "CA" Anti-Virus - do you think that this will cause operational problems? I was hesitant to temporarily disable the "CA" figuring I would have to uninstall it.

I am very confused if I have this rootkit, or malware, or smitfraud, or any other bugs that are as of late, surfacing. I noticed an ATF-Cleaner that PSKelley recommended but it says that it is only designed for Windows XP and 2000. I am sometimes hesitant to d-load and install some recommended software because I understand that it will not work well with Windows 98SE. I also was previously using Ad-Aware and cannot grasp why it didn't manage to pick up all these infected files that Spyware Doctor claims that I have? Is it also possible to purchase Spyware Doctor in a computer store that sells software?

Anyone imparting helpful information will be most appreciated. Thanking you in advance, until then I remain...

Very truly yours,

Wm. Palladin
PS: You're also welcome to reply directly to my e-mail which I've permitted at the start of my registering.

All help to remove malware is provided in this forum. :)

tashi
2006-12-15, 22:00
Hello.

Please follow the procedure "BEFORE you POST" -Preliminary Steps and scanning with SPYBOT-S&D (http://forums.spybot.info/showthread.php?t=288) that I posted for you here:
http://forums.spybot.info/showthread.php?p=58260#post58260

Once you have provided the HJT log, a helper will assist you as soon as available.

Regards.

Paladin
2006-12-15, 23:33
Tashi-

Thanks for your recommendations. I've downloaded, installed and run Spybot 1.4 twice today. I mentioned that in my posting. I'm not all that superb with conducting the other preliminaries that you are requesting. I would greatly appreciate it if you could read my post, entirely, and try to understand that I am not that familiar w/attempting to eradicate any infected files on my own. That is why I have approached this Forum. I am also noticing that my computer is demonstrating signs of hesitation with opening Firefox only after I downloaded and installed NOD32 Anti Virus while concurrently running CA Anti Virus. I was not experiencing any hesitation before I installed NOD32 Anti-Virus - could the reason be because I have both anti-virus software running concurrently? And, Tashi - if you will impart some helpful information to me I will appreciate it, immensely. This is taking all day. First you advise me that I'm in the wrong thread area. OK, I move to what you suggest and I already said I ran Spybot 1.4. If you can't offer any help, please give this to another Expert. Thank you.

tashi
2006-12-16, 03:13
Rule of thumb is one Firewall/one Anti-Virus, to avoid conflicts and loss of program efficiency.

Please see: So how did I get infected in the first place? ( http://forums.spybot.info/showthread.php?t=279 )

Win98 is an unsupported Operating System: http://forums.spybot.info/showpost.php?p=28501&postcount=4

As the OS cannot be updated, the likelihood of the PC being infected is high and in order for one of our volunteer helpers to assist you they will need to see a HJT log.

For detailed instructions on producing a HJT log please refer to the link I gave previously.

To keep it simple:


Downloads:
http://www.merijn.org/files/HijackThis.exe
Double click HijackThis.exe.
Hit None Of The Above, just start the program.
Hit Scan.
When the scan is finished, the "Scan" button will change into a "Save Log" button.
Click that, save the log somewhere, and copy/paste the log into this topic.

How to copy and paste (http://www.webmasternow.com/copyandpaste.html)

Regards.

pskelley
2006-12-16, 03:30
Welcome to the forum, please understand I do not know if I can help you or not. You first must follow the directions that tashi posted for you here:
"BEFORE you POST" -Preliminary Steps and scanning with SPYBOT-S&D
http://forums.spybot.info/showthread.php?t=288

Let me give you this information.

1) This is what Symantec says about running two antivirus programs:
http://service1.symantec.com/SUPPORT/nav.nsf/docid/2000031316555206
and Microsoft is quoted in that same link:
"Microsoft recommends that you have only one anti-virus program installed on your computer."
Here is another opinion.
http://www.washingtonpost.com/wp-dyn/content/article/2005/12/03/AR2005120300087.html

My first advice is that you uninstall all but one antivirus program.

2) I may need to run any number of malware removal programs, but I have no way of knowing what is needed until you provide a log from the diagnostic tool that we use at the beginning of the evaluation and removal process; that tool is called HijackThis. Follow the instructions in this link:

http://www.bleepingcomputer.com/tutorials/tutorial94.html

Once you post that HijackThis log, I will be notified and post instructions for you as soon as possible after that.

Thanks

Paladin
2006-12-18, 06:22
Thank you for your response - it is most appreciated. After experiencing operational difficulties, I uninstalled NOD32 Anti-Virus and kept CA Anti-Virus intact. You might see McAfee software; however, I never re-subscribed and it is dormant, as far as I know. I have run a scan on HJT and the following represents the results:

Logfile of HijackThis v1.99.1
Scan saved at 12:08:42 AM, on 12/18/2006
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
C:\PROGRAM FILES\CA\ETRUST INTERNET SECURITY SUITE\ETRUST EZ ANTIVIRUS\ISAFE.EXE
C:\WINDOWS\SYSTEM\KB918547\KB918547.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\WINOA386.MOD
C:\WINDOWS\SYSTEM\PDESK.EXE
C:\PROGRAM FILES\OPTIMUM ONLINE\NETSURF.EXE
C:\WINDOWS\LOADQM.EXE
C:\WINDOWS\SYSTEM\USBMONIT.EXE
C:\PROGRAM FILES\CA\ETRUST INTERNET SECURITY SUITE\ETRUST EZ ANTIVIRUS\VETMSG.EXE
C:\PROGRAM FILES\CA\ETRUST INTERNET SECURITY SUITE\ETRUST EZ ANTIVIRUS\CAVRID.EXE
C:\PROGRAM FILES\CA\ETRUST INTERNET SECURITY SUITE\CCTRAY\CCTRAY.EXE
C:\PROGRAM FILES\COMMON FILES\ADAPTEC SHARED\CREATECD\CREATECD50.EXE
C:\PROGRAM FILES\SPYWARE DOCTOR\SWDOCTOR.EXE
C:\PROGRAM FILES\MSAC-FD1\MSSTAT.EXE
C:\PROGRAM FILES\YAHOO!\MESSENGER\YMSGR_TRAY.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\WINWORD.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.optonline.net/Home
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\TOOLS\IESDPB.DLL
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\TOOLS\IESDSG.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O4 - HKLM\..\Run: [Matrox Powerdesk] C:\WINDOWS\SYSTEM\PDesk.exe /Autolaunch
O4 - HKLM\..\Run: [Optimum Online] C:\Program Files\Optimum Online\Netsurf.exe -tray
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [Gene USB Monitor] C:\WINDOWS\SYSTEM\USBMonit.exe
O4 - HKLM\..\Run: [VetAlert] C:\PROGRA~1\CA\ETRUST~2\ETRUST~1\VETMSG.EXE
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [cctray] "C:\Program Files\CA\eTrust Internet Security Suite\cctray\cctray.exe"
O4 - HKLM\..\Run: [CreateCD50] C:\PROGRA~1\COMMON~1\ADAPTE~1\CREATECD\CREATE~1.EXE -r
O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
O4 - HKLM\..\RunServices: [CAISafe] C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\ISafe.exe
O4 - HKLM\..\RunServices: [KB918547] C:\WINDOWS\SYSTEM\KB918547\KB918547.EXE
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Spyware Doctor] "C:\PROGRAM FILES\SPYWARE DOCTOR\SWDOCTOR.EXE" /Q
O4 - Startup: Memory Stick Monitor.lnk = C:\Program Files\MSAC-FD1\MSstat.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YPAGER.EXE
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YPAGER.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRAM FILES\JAVA\JRE1.5.0_09\BIN\SSV.DLL
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRAM FILES\JAVA\JRE1.5.0_09\BIN\SSV.DLL
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\TOOLS\IESDPB.DLL
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/20031216/qtinstall.info.apple.com/mickey/us/win/QuickTimeInstaller.exe
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://bin.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,83/mcinsctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://bin.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,20/mcgdmgr.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/2,0,0,4482/mcfscan.cab
O16 - DPF: {BAC01377-73DD-4796-854D-2A8997E3D68A} (Yahoo! Photos Easy Upload Tool Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/ydropper/ydropper1_6us.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

If there are any additional instructions in an attempt to eradicate any infected files, please don't hesitate to advise. Thank you.

Very Respectfully,

Wm. Palladin

pskelley
2006-12-18, 12:57
Thanks for returning this information. First I need to tell you that you are running an unsupported operating system, see this information:
http://www.microsoft.com/windows/support/endofsupport.mspx

My basic understanding is that since Microsoft no longer issues the Critical Update patches for this system (as well as the listed systems) your chances of being infected online are great and you should take this computer online with that in mind.

Here is information about this program: C:\Program Files\Optimum Online\Netsurf.exe
http://www.bleepingcomputer.com/startups/Netsurf.exe-3921.html
http://www.greatis.com/appdata/u/n/netsurf.exe.htm
http://www.processlibrary.com/directory/files/netsurf/
I suggest you use Add Remove programs to uninstall the program I highlighted in red.

C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE <<< is running on the Desktop, if you prefer to run it from there please create a folder and move HJT.exe and the log that is there into that folder. Backups for safety will also store there. I suggest it should look like this:
C:\WINDOWS\DESKTOP\HJT\HIJACKTHIS.EXE

Your Java program needs an update, see this information:
http://forums.spybot.info/showpost.php?p=12880&postcount=2
I suggest you update Java to the newest version, then uninstall all old versions in Add Remove programs.

I will remove some 016 DPF files, understand that you will be prompted to download those again if you return to the site.

Turn off Spyware Doctor until you finish:
1. From within Spyware Doctor, click the "OnGuard" button on the left side.
2. Uncheck "Activate OnGuard".

Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://bin.mcafee.com/molbin/shared/...3/mcinsctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://bin.mcafee.com/molbin/shared/...20/mcgdmgr.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/is...82/mcfscan.cab

Close all programs but HJT and all browser windows, then click on "Fix Checked"

I am just not seeing a lot in this HJT log, please complete those instructions and let me know of any malware issues you are having.

"After experiencing operational difficulties,"
Please describe the operational difficulties, especially post information about symptoms and error messages you are receiving "word for word".

Here are ideas and suggestions that may help.
http://www.microsoft.com/windows98/usingwindows/maintaining/articles/811Nov/MNTfoundation2c.asp

Thanks

Paladin
2006-12-18, 22:58
Thank you for your response. I appreciate what you are saying about the outdated 98SE system and how my computer is rendered vulnerable, as a result.

I went into Add/Remove and followed your instructions about removing the Netsurf.exe

I realize that I have two separate icons for HijackThis however I don't exactly understand what you mean about creating a folder and moving HJT.exe and the log into that folder. And, I wouldn't know how to do this, either. When it comes to comprehending some directions on the computer, I'm as awkward as I was on my honeymoon requiring small signs on my wife stating "This end up"!

When I clicked onto the web-address that you provided about updating my Java, it opened a page with the following options:

Java SE Downloads Download the complete environment and routine environment

>>Get the JDK download

Directly beneath the above, it offered me the following options below:

JDK 6 Download
JDK 6 with Java EE Download
JDK 6 with NetBeans 5.5 Download
Java Runtime Environment Download
Java US DST Timezone Update Tool Download
Java SE 6 Documentation Download

So, I'm not sure which one you want me to download (or all of them)?

Then, you said "I will remove some 016 DPF files, understand that you will be prompted to download those again if you return to the site". Am I to understand that you meant to type 'It' will remove some……?

The "operational difficulties" that I was previously experiencing was because I had two (2) anti-virus software programs running, simultaneously. Incidentally, do you think I have a 'rootkit' problem?

I have d-loaded and installed "SpywareBlaster" hoping that in the future, I wouldn't pick up all these new problems. Idealistically speaking, what Windows operating system do you prefer, which anti-virus, firewall (if necessary), which spyware scanner and which wireless router (if I decide to get that)? I will respect your opinion on that. I think it might be time to upgrade my entire computer system. As it stands, I feel as though I'm trying to fix a bad haircut.

Yours,

Wm. Palladin

pskelley
2006-12-18, 23:14
Please post a new HJT log so I can see what you have done. Once I see the new log I will comment on your questions. If you want my help, I would appreciate it if you would follow my directions until we finish. SpywareBlaster is a very good freeware program that I run on all of my computers but I would appreciate it if you would download nothing I do not suggest and not until I suggest it. Once we finish, I will offer links with advice from experts which you may do with as you wish.

Thanks

Paladin
2006-12-19, 01:13
Logfile of HijackThis v1.99.1
Scan saved at 7:08:17 PM, on 12/18/2006
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
C:\PROGRAM FILES\CA\ETRUST INTERNET SECURITY SUITE\ETRUST EZ ANTIVIRUS\ISAFE.EXE
C:\WINDOWS\SYSTEM\KB918547\KB918547.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\PDESK.EXE
C:\WINDOWS\LOADQM.EXE
C:\WINDOWS\SYSTEM\USBMONIT.EXE
C:\PROGRAM FILES\CA\ETRUST INTERNET SECURITY SUITE\ETRUST EZ ANTIVIRUS\VETMSG.EXE
C:\PROGRAM FILES\CA\ETRUST INTERNET SECURITY SUITE\ETRUST EZ ANTIVIRUS\CAVRID.EXE
C:\PROGRAM FILES\CA\ETRUST INTERNET SECURITY SUITE\CCTRAY\CCTRAY.EXE
C:\PROGRAM FILES\COMMON FILES\ADAPTEC SHARED\CREATECD\CREATECD50.EXE
C:\PROGRAM FILES\SPYWARE DOCTOR\SWDOCTOR.EXE
C:\PROGRAM FILES\MSAC-FD1\MSSTAT.EXE
C:\PROGRAM FILES\YAHOO!\MESSENGER\YMSGR_TRAY.EXE
C:\PROGRAM FILES\MOZILLA FIREFOX\FIREFOX.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.optonline.net/Home
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\TOOLS\IESDPB.DLL
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\TOOLS\IESDSG.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O4 - HKLM\..\Run: [Matrox Powerdesk] C:\WINDOWS\SYSTEM\PDesk.exe /Autolaunch
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [Gene USB Monitor] C:\WINDOWS\SYSTEM\USBMonit.exe
O4 - HKLM\..\Run: [VetAlert] C:\PROGRA~1\CA\ETRUST~2\ETRUST~1\VETMSG.EXE
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [cctray] "C:\Program Files\CA\eTrust Internet Security Suite\cctray\cctray.exe"
O4 - HKLM\..\Run: [CreateCD50] C:\PROGRA~1\COMMON~1\ADAPTE~1\CREATECD\CREATE~1.EXE -r
O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
O4 - HKLM\..\RunServices: [CAISafe] C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\ISafe.exe
O4 - HKLM\..\RunServices: [KB918547] C:\WINDOWS\SYSTEM\KB918547\KB918547.EXE
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Spyware Doctor] "C:\PROGRAM FILES\SPYWARE DOCTOR\SWDOCTOR.EXE" /Q
O4 - HKCU\..\RunServices: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\RunServices: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\RunServices: [Spyware Doctor] "C:\PROGRAM FILES\SPYWARE DOCTOR\SWDOCTOR.EXE" /Q
O4 - Startup: Memory Stick Monitor.lnk = C:\Program Files\MSAC-FD1\MSstat.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YPAGER.EXE
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YPAGER.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRAM FILES\JAVA\JRE1.5.0_09\BIN\SSV.DLL
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRAM FILES\JAVA\JRE1.5.0_09\BIN\SSV.DLL
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\TOOLS\IESDPB.DLL
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/20031216/qtinstall.info.apple.com/mickey/us/win/QuickTimeInstaller.exe
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://bin.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,83/mcinsctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://bin.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,20/mcgdmgr.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/2,0,0,4482/mcfscan.cab
O16 - DPF: {BAC01377-73DD-4796-854D-2A8997E3D68A} (Yahoo! Photos Easy Upload Tool Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/ydropper/ydropper1_6us.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

pskelley
2006-12-19, 01:52
Thanks for the HJT log, I suggest you do this:

1) I see no malware in this HJT log. If you have other malware issues, describe them to me now in as much detail as possible. Mention any error messages "word for word".

2) Windows 98 SE: Click Start then Settings then Control Panel. Look for the Java Icon which looks like a small coffee cup with the word Java under it.
Click the Icon to open the Java Control Panel. Now click the Update Tab. At the bottom right click the Update now button. Follow the prompts to update. When Java is finished, close the Java console and close the Control Panel.

3) If you have no malware issues, I will post advice from several experts and suggest you review their suggestions. Of course you will not be able to do everything they suggest, but their advice should help with your decisions. If, once you have reviewed the information, you still have questions, please post them for me and I will do my best to answer them.

Thanks...Phil

Here is some great information from Tony Klein, Texruss, ChrisRLG and Grinler to help you stay clean and safe online:
http://forums.spybot.info/showthread.php?t=279
http://russelltexas.com/malware/allclear.htm
http://forum.malwareremoval.com/viewtopic.php?t=14
http://www.bleepingcomputer.com/forums/topict2520.html
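
To make the log format reviewed in this thread concrete, here is an added Python example (not code from the thread, from the helper, or from HijackThis itself) that parses HJT v1.99 line items (O2/O4/O9/O16) and the "Running processes" block, then applies the points raised above: O16 DPF entries downloaded from a chosen host, HijackThis running from the Desktop, autostart targets registered under more than one key (as in the second log's Run/RunServices pairs), and O4 entries that name a bare file. The sample log is a constructed excerpt assembled from entries in the logs posted above; the check rules are this example's assumptions, not HijackThis's own logic.

```python
import re
from collections import defaultdict, namedtuple
from urllib.parse import urlparse

ITEM_RE = re.compile(r"^(?P<sec>[RFO]\d{1,2}) - (?P<body>.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
URL_RE = re.compile(r"https?://\S+")
EXE_RE = re.compile(r'^"?(.*?\.(?:exe|dll|com|scr|tsk))"?', re.IGNORECASE)  # leading program path

# One parsed line item; clsid/url/path/key are None when the line lacks them.
# key is the O4 autostart location (HKLM\..\Run, HKCU\..\RunServices, Startup).
Item = namedtuple("Item", "section body clsid url path key")


def parse_item(line):
    """Parse one line item such as 'O4 - HKLM\\..\\Run: [Name] C:\\x.exe /q'."""
    m = ITEM_RE.match(line.strip())
    if not m:
        return None
    sec, body = m.group("sec"), m.group("body")
    clsid, url = CLSID_RE.search(body), URL_RE.search(body)
    path = key = None
    if sec == "O4":
        # Registry form "HKLM\..\Run: [Name] cmdline" or folder form "Startup: x.lnk = target"
        key, _, rest = body.partition(":")
        rest = rest.split("]", 1)[1] if "]" in rest else rest.split("=", 1)[-1]
        exe = EXE_RE.match(rest.strip())
        path = exe.group(1) if exe else rest.strip()
    elif sec in ("O2", "O9"):
        path = body.rsplit(" - ", 1)[-1].strip()
    return Item(sec, body, clsid.group(0) if clsid else None,
                url.group(0) if url else None, path, key)


def parse_log(text):
    """Split a full log into (running_processes, items)."""
    procs, items, in_procs = [], [], False
    for raw in text.splitlines():
        line = raw.strip()
        if line.lower() == "running processes:":
            in_procs = True
        elif in_procs and line:
            procs.append(line)
        elif in_procs:
            in_procs = False          # blank line closes the process block
        elif (item := parse_item(line)):
            items.append(item)
    return procs, items


def o16_lines_for_host(items, host_suffix):
    """Lines to tick in HJT's scan view: O16 DPF entries downloaded from one host."""
    return [f"{it.section} - {it.body}" for it in items if it.section == "O16"
            and it.url and (urlparse(it.url).hostname or "").endswith(host_suffix)]


def duplicate_autostarts(items):
    """O4 targets registered under more than one key, e.g. both Run and RunServices."""
    keys = defaultdict(set)
    for it in items:
        if it.section == "O4" and it.path:
            keys[it.path.lower()].add(it.key)
    return {p: sorted(k) for p, k in keys.items() if len(k) > 1}


def unqualified_autostarts(items):
    """O4 entries naming a bare file with no directory, which the log alone cannot verify."""
    return [it.path for it in items if it.section == "O4" and it.path and "\\" not in it.path]


def hjt_runs_from_desktop(procs):
    """True when HijackThis itself runs from the Desktop instead of its own folder."""
    return any(p.upper().endswith("\\DESKTOP\\HIJACKTHIS.EXE") for p in procs)


def review(text):
    """Run every check over one log and return the findings."""
    procs, items = parse_log(text)
    return {"mcafee_o16": o16_lines_for_host(items, "mcafee.com"),
            "duplicate_autostarts": duplicate_autostarts(items),
            "unqualified_autostarts": unqualified_autostarts(items),
            "hjt_on_desktop": hjt_runs_from_desktop(procs)}


# Constructed excerpt in HJT v1.99.1 format, assembled from entries in the logs above.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1

Running processes:
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\eTrust EZ Antivirus\CAVRID.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\RunServices: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - Startup: Memory Stick Monitor.lnk = C:\Program Files\MSAC-FD1\MSstat.exe
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://bin.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,83/mcinsctl.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/2,0,0,4482/mcfscan.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
"""
```

Calling `review(SAMPLE_LOG)` returns the two mcafee.com O16 lines, the ypager.exe Run/RunServices pair, `loadqm.exe` as the only bare-name autostart, and a Desktop flag for HijackThis; a matching line in a real log still needs the file checked before anything is fixed, exactly as the helper does above.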

Paladin
2006-12-20, 02:33
On Dec. 13, after having approached a technician at an unrelated web-site and described a 'redirecting' problem I had been experiencing, the technician sent me an e-mail that began with the following.

The virus you provided, "WIN32/Alureon!generic" is a rootkit virus.
You can read more about this specific variant on the following webpage.

http://www3.ca.com/securityadvisor/virusinfo/virus.aspx?ID=50214

I also located a forum with helpful information for removing this
particular virus.

http://forums.spybot.info/showthread.php?t=8912

You'll note that this technician suggested that I read Spybot's Forum in which you were providing advice to 'Nonny', evidently someone who was experiencing similar problems. This is where I believe that I learned about "Spyware Doctor" and "Spybot Search". I installed both and thought that Spyware Doctor was extremely thorough. The first time that I ran Spyware Doctor's scan, it found a combined mixture of approximately 150 problems; some files a higher risk than others.

A day or two before the tech sent me that e-mail, with the assistance of a live technician, while on-line and the telephone, he managed to resolve the redirecting problem that was impacting my computer. I was clicking on a desired button and instead of going to a desired web-site, I was being redirected to some very obscure web-sites that appeared to resemble search engines and/or advertising web-sites.

Am I to understand that the HJT log doesn't reflect the 51 files that Xoftspy just found? I went to Files & Folders on my computer, entered a few files exposed by Xoftspy and deleted them as I did a few days ago with the "WIN32/Alureon!generic". Am I to understand I successfully managed to remove a 'rootkit' so easily? I wouldn't doubt that they'd return. I've recently installed SpyBlaster, as I mentioned. I suppose with my currently unsupported operating system of 98SE, I am resolved to the fact that I just can't prevent everything from entering my computer. However, I'd like to know your sentiments: if I purchase the Spyware Doctor, keep the CA Anti-Virus, install a good firewall program and use the Spyblaster, are you inclined to think I'm well protected as best as can be? Is there anything else I should install? I appreciate everything you've suggested for me including the time it's taken you to reply.

Wm. Palladin

pskelley
2006-12-20, 03:14
I have no idea what this "technician at an unrelated web-site" did or did not do. It sounds to me like you had a Wareout infection which does often come with a rootkit. I see no evidence of it in your HJT log. If you wish to scan to make sure there is none of that infection left, do that like this:

Please download FixWareout from one of these sites:
http://downloads.subratam.org/Fixwareout.exe
http://www.bleepingcomputer.com/files/lonny/Fixwareout.exe

Save it to your desktop and run it. Click Next, then Install, make sure "Run fixit" is checked and click Finish.
The fix will begin; follow the prompts.
You will be asked to reboot your computer; please do so.
Your system may take longer than usual to load; this is normal.
Once the desktop loads post the text that will open (report.txt) and a new Hijackthis log in the forum please.

If you wish to run a tool that is supposed to work on Windows 98, try this one:
http://www.f-secure.com/blacklight/
Follow the directions to download and run it. Save it to your Desktop. When it is finished, there will be a file near the program on the desktop in a notepad. Open that notepad and copy and paste the text to this topic.

Xoftspy <<< cannot comment on this program and/or its findings.

If you are talking about SpywareBlaster, it is a good freeware program. Here is a tutorial for using it:
http://www.bleepingcomputer.com/tutorials/tutorial49.html

Most knowledgeable experts suggest one antivirus program, one firewall and one good active spyware program. The problem is the Operating System itself. Hackers know how to get around those programs and infect the system. The fact that they are probably concentrating on other systems like XP since Windows 98 is being used by few folks anymore because of the lack of Microsoft support, may help you to stay uninfected, but there are sure no guarantees.

If you wish to post the results of Fixwareout and Blacklight, I will be glad to have a look to see if I see anything.

Thanks

Paladin
2006-12-20, 04:39
To clarify, a technician at an unrelated web-site was a tech who responded to me when I had made an inquiry at "Google". I sent them an e-mail inquiring about this redirection problem. I thought I may have acquired an infected file when I clicked their 'Images' at their site. From what I had described, the tech thought I had a rootkit problem and suggested I visit Spybot's forum.

Phil, I have a worse problem, now. In fact, I'm typing this from another computer. I updated the Java, as you recommended, sent you the previous post and shut down. A minute later, I recalled that I had to check something on the net and I can't get on-line!

First, I got the following message on a black screen not unlike the kind you get when the computer tells you that you're about to go into Safe Mode:

Warning: Windows has detected a registry/configuration error. Choose, command prompt only and run SCANREG.

I wasn't able to run SCANREG (never even heard of SCANREG) but I was able to run Scan Disk.

Then, I got the following message: Microsoft Registry Checker You have restored a Good Registry. Windows found an error in your system files and restored a recent backup of the files to fix the problem. (I thought I'd be OK and get back on-line...I can't)

Once I get to the desktop and click on the Firefox icon I get the following error message: "This program has performed an illegal operation and will be shutdown." And, on the Firefox browser it says "Server not found".

When I attempted to open IE, I got: "Microsoft Internet Explorer has encountered a problem and needs to close". This is the message that asks if I want a printout and/or details of the problem.

It's very distressful; at this point I feel it's over for me and the computer. Can you please help? Btw, I don't have a 98SE disk - the gal that built this computer never gave me a disk.

Wm. Palladin

pskelley
2006-12-20, 14:12
"Warning: Windows has detected a registry/configuration error. Choose, command prompt only and run SCANREG."
Not sure I can help, but I will give you what information I can. That is a real problem not having the Windows CD. Give this a try and let me know if it works:
http://support.microsoft.com/kb/221512

If you still have problems getting on the internet, give your service provider a call: http://www.optonline.net/Support and have them check your connection settings.

Thanks

tashi
2006-12-23, 09:53
Paladin

Your rude post was removed and this topic is closed.