Page 1 of 2 12 LastLast
Results 1 to 10 of 11

Thread: smitfraud and friends?

  1. 2005-12-29, 20:12 #1
    tools4me
    tools4me is offline
    Junior Member
    Join Date
    Dec 2005
    Posts
    0

    Default smitfraud and friends?

    Please help. Trying to clean up a big mess. Was getting lots of pop-ups/ pop-unders, and system freezes, especially when trying to navigate from or to msn and yahoo. A fatal exception error was occurring but this seems to have gone away: 0D 0028:C0034366 in VXD IFSMGR(01) 000009A2.

    This is a Win98 SE machine, so I'm not certain if I can use smitrem, ewido, adaware --- please advise.

    I've installed and ran Spybot S&D 1.04 (multiple times), which initially found nearly 200 problems including smitfraud-c, windupdate, apropos, tango, wild tangent, dyfuca, winfixer, and so on, apparently has fixed them, but some have been reappearing (at the moment no problems found).

    Last night, I did an online antivirus scan with BitDefender, which found 19 or so trojans, i think it did not fix one. Installed AVG antivirus, it found more trojans.

    So, where to start? I'm sure there's more to fix!! Here's the HJT log:

    Logfile of HijackThis v1.99.1
    Scan saved at 11:52:55 AM, on 12/29/2005
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    c:\windows\SYSTEM\KB891711\KB891711.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS\GWHOTKEY.EXE
    C:\PROGRAM FILES\DIRECTCD\DIRECTCD.EXE
    C:\PROGRAM FILES\MICROSOFT HARDWARE\MOUSE\POINT32.EXE
    C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
    C:\WINDOWS\SYSTEM\STIMON.EXE
    C:\WINDOWS\LOADQM.EXE
    C:\PROGRAM FILES\MSN APPS\UPDATER\01.03.0000.1005\EN-US\MSNAPPAU.EXE
    C:\PROGRAM FILES\HEWLETT-PACKARD\HP PRECISIONSCAN\PRECISIONSCAN\HPLAMP.EXE
    C:\WINDOWS\SYSTEM\QTTASK.EXE
    C:\WINDOWS\SYSTEM32\DRIVERS\KODAKCCS.EXE
    C:\PROGRAM FILES\MEDIA GATEWAY\MEDIAGATEWAY.EXE
    C:\WINDOWS\SYSTEM\ODBLTS3.EXE
    C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
    C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
    C:\WINDOWS\RunDLL.exe
    C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
    C:\PROGRAM FILES\SPYBOT - SEARCH & DESTROY\TEATIMER.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\PROGRAM FILES\YAHOO!\MESSENGER\YMSGR_TRAY.EXE
    C:\WINDOWS\SYSTEM\RNAAPP.EXE
    C:\WINDOWS\SYSTEM\TAPISRV.EXE
    C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
    C:\PROGRAM FILES\SPYBOT - SEARCH & DESTROY\SPYBOTSD.EXE
    C:\MY DOCUMENTS\HIJACKTHIS[1]\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R3 - Default URLSearchHook is missing
    F1 - win.ini: run=hpfsched
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
    O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\PROGRAM FILES\MSN APPS\MSN TOOLBAR\01.02.3000.1001\EN-US\MSNTB.DLL
    O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\PROGRAM FILES\MSN APPS\ST\01.03.0000.1005\EN-XU\STMAIN.DLL
    O2 - BHO: (no name) - {1884fe38-ce34-42d6-a272-ba950f73dfbb} - C:\WINDOWS\SYSTEM\lirkmwnb.apo
    O2 - BHO: (no name) - {016235BE-59D4-4CEB-ADD5-E2378282A1D9} - C:\PROGRAM FILES\APRPS\CXTPLS.DLL (file missing)
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\PROGRAM FILES\MSN APPS\MSN TOOLBAR\01.02.3000.1001\EN-US\MSNTB.DLL
    O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [Multi-function Keyboard] GWHotKey.exe
    O4 - HKLM\..\Run: [Adaptec DirectCD] C:\Program Files\DirectCD\DIRECTCD.EXE
    O4 - HKLM\..\Run: [POINTER] point32.exe
    O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET
    O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
    O4 - HKLM\..\Run: [LoadQM] loadqm.exe
    O4 - HKLM\..\Run: [msnappau] "c:\program files\MSN Apps\Updater\01.03.0000.1005\en-us\msnappau.exe"
    O4 - HKLM\..\Run: [mdac_runonce] C:\WINDOWS\SYSTEM\runonce.exe
    O4 - HKLM\..\Run: [HP Lamp] C:\Program Files\Hewlett-Packard\HP PrecisionScan\PrecisionScan\HPLamp.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
    O4 - HKLM\..\Run: [KodakCCS] c:\windows\System32\Drivers\KodakCCS.exe
    O4 - HKLM\..\Run: [msrmd1c2] C:\WINDOWS\SYSTEM\msrmd1c2.exe
    O4 - HKLM\..\Run: [Media Gateway] C:\PROGRAM FILES\MEDIA GATEWAY\MEDIAGATEWAY.EXE
    O4 - HKLM\..\Run: [r98j36X] ODBLTS3.EXE
    O4 - HKLM\..\Run: [AutoUpdater] "c:\Program Files\AutoUpdate\AutoUpdate.exe"
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
    O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
    O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [GoBack Polling Service] C:\Program Files\Wild File\GoBack\GBPoll.exe
    O4 - HKLM\..\RunServices: [KB891711] c:\windows\SYSTEM\KB891711\KB891711.EXE
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
    O4 - HKCU\..\Run: [MsnMsgr] "c:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\PROGRAM FILES\SPYBOT - SEARCH & DESTROY\TeaTimer.exe
    O4 - Startup: Shortcut to noteit.exe.lnk.disabled
    O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearc...p=ZUxdm082YYUS
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YPAGER.EXE
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YPAGER.EXE
    O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O16 - DPF: {86A88967-7A20-11D2-8EDA-00600818EDB1} (ParallelGraphics Cortona Control) - http://www.parallelgraphics.com/bin/cortvrml.cab
    O16 - DPF: {64D01C7F-810D-446E-A07E-16C764235644} (AtlAtomadersCtlAttrib Class) - http://zone.msn.com/bingame/amad/default/atomaders.cab
    O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IMDownloader Class) - http://www2.incredimail.com/contents...r/imloader.cab
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by24fd.bay24.hotmail.msn.com/...s/MsnPUpld.cab
    O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/reso...an8/oscan8.cab



    Thanks for all you do!
  2. 2005-12-29, 21:43 #2
    Corrine
    Corrine is offline
    Security Expert Corrine's Avatar
    Join Date
    Oct 2005
    Location
    Upstate, NY
    Posts
    62

    Default

    Hi, tools4me. Ewido won't work on a Windows98 machine so you will need to skip that part. Between the smitRem© fix, SpyBot Search & Destroy, Ad-Aware and the Panda Scan, that should take care of it. Just be sure to post the logs afterward for someone to check.
    Windows Insider MVP * * * Microsoft MVP, 2006-20016

    Take a walk through the "Security Garden" -- Where Everything is Coming up Roses!
  3. 2005-12-30, 09:43 #3
    tools4me
    tools4me is offline
    Junior Member
    Join Date
    Dec 2005
    Posts
    0

    Default

    Hi corrine: I've already taken the sleeping pill , so i hope i can get thru this quickly. I hope I have stayed with the instruction, enough, but I know that problems remain.

    In Safe-Mode ran smitRem© fix, and attach a log.
    In Safe-Mode ran Ad-Aware, and attach log.

    Rebooted and ran the Panda Active Scan, and attach log. I spent about four hours downloading the disinfection software but it would not install along with the AVG Antivirus; still wouldn't install after I removed the AVG. Re-installed the AVG. Regret not getting to clean up the trojans and adware Panda found

    Ran another SpyBot Search & Destroy, and the problems had returned again for fixing - Registry Keys for DyFuCa, MyWay.MyWebSearch, and Wind Updates. Attach a log.

    Ran another AVG Antivirus, and nothing found.

    Ran HJT and paste it here:
    Logfile of HijackThis v1.99.1
    Scan saved at 1:07:39 AM, on 12/30/2005
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    c:\windows\SYSTEM\KB891711\KB891711.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS\GWHOTKEY.EXE
    C:\PROGRAM FILES\DIRECTCD\DIRECTCD.EXE
    C:\PROGRAM FILES\MICROSOFT HARDWARE\MOUSE\POINT32.EXE
    C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
    C:\WINDOWS\SYSTEM\STIMON.EXE
    C:\WINDOWS\LOADQM.EXE
    C:\PROGRAM FILES\MSN APPS\UPDATER\01.03.0000.1005\EN-US\MSNAPPAU.EXE
    C:\PROGRAM FILES\HEWLETT-PACKARD\HP PRECISIONSCAN\PRECISIONSCAN\HPLAMP.EXE
    C:\WINDOWS\SYSTEM\QTTASK.EXE
    C:\WINDOWS\SYSTEM32\DRIVERS\KODAKCCS.EXE
    C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
    C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
    C:\WINDOWS\RunDLL.exe
    C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
    C:\PROGRAM FILES\SPYBOT - SEARCH & DESTROY\TEATIMER.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\PROGRAM FILES\YAHOO!\MESSENGER\YMSGR_TRAY.EXE
    C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGWB.DAT
    C:\WINDOWS\SYSTEM\RNAAPP.EXE
    C:\WINDOWS\SYSTEM\TAPISRV.EXE
    C:\PROGRAM FILES\SPYBOT - SEARCH & DESTROY\SPYBOTSD.EXE
    C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
    C:\MY DOCUMENTS\HIJACKTHIS[1]\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R3 - Default URLSearchHook is missing
    F1 - win.ini: run=hpfsched
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
    O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\PROGRAM FILES\MSN APPS\MSN TOOLBAR\01.02.3000.1001\EN-US\MSNTB.DLL
    O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\PROGRAM FILES\MSN APPS\ST\01.03.0000.1005\EN-XU\STMAIN.DLL
    O2 - BHO: (no name) - {1884fe38-ce34-42d6-a272-ba950f73dfbb} - C:\WINDOWS\SYSTEM\lirkmwnb.apo
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
    O2 - BHO: (no name) - {016235BE-59D4-4CEB-ADD5-E2378282A1D9} - (no file)
    O2 - BHO: (no name) - {07B18EA1-A523-4961-B6BB-170DE4475CCA} - (no file)
    O2 - BHO: (no name) - {00A6FAF1-072E-44cf-8957-5838F569A31D} - (no file)
    O2 - BHO: (no name) - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - (no file)
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\PROGRAM FILES\MSN APPS\MSN TOOLBAR\01.02.3000.1001\EN-US\MSNTB.DLL
    O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [Multi-function Keyboard] GWHotKey.exe
    O4 - HKLM\..\Run: [Adaptec DirectCD] C:\Program Files\DirectCD\DIRECTCD.EXE
    O4 - HKLM\..\Run: [POINTER] point32.exe
    O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET
    O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
    O4 - HKLM\..\Run: [LoadQM] loadqm.exe
    O4 - HKLM\..\Run: [msnappau] "c:\program files\MSN Apps\Updater\01.03.0000.1005\en-us\msnappau.exe"
    O4 - HKLM\..\Run: [mdac_runonce] C:\WINDOWS\SYSTEM\runonce.exe
    O4 - HKLM\..\Run: [HP Lamp] C:\Program Files\Hewlett-Packard\HP PrecisionScan\PrecisionScan\HPLamp.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
    O4 - HKLM\..\Run: [KodakCCS] c:\windows\System32\Drivers\KodakCCS.exe
    O4 - HKLM\..\Run: [msrmd1c2] C:\WINDOWS\SYSTEM\msrmd1c2.exe
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
    O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
    O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [GoBack Polling Service] C:\Program Files\Wild File\GoBack\GBPoll.exe
    O4 - HKLM\..\RunServices: [KB891711] c:\windows\SYSTEM\KB891711\KB891711.EXE
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
    O4 - HKCU\..\Run: [MsnMsgr] "c:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\PROGRAM FILES\SPYBOT - SEARCH & DESTROY\TeaTimer.exe
    O4 - Startup: Shortcut to noteit.exe.lnk.disabled
    O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearc...p=ZUxdm082YYUS
    O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YPAGER.EXE
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YPAGER.EXE
    O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O16 - DPF: {86A88967-7A20-11D2-8EDA-00600818EDB1} (ParallelGraphics Cortona Control) - http://www.parallelgraphics.com/bin/cortvrml.cab
    O16 - DPF: {64D01C7F-810D-446E-A07E-16C764235644} (AtlAtomadersCtlAttrib Class) - http://zone.msn.com/bingame/amad/default/atomaders.cab
    O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IMDownloader Class) - http://www2.incredimail.com/contents...r/imloader.cab
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by24fd.bay24.hotmail.msn.com/...s/MsnPUpld.cab
    O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/reso...an8/oscan8.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
    O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} -
    O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} -
    O18 - Filter: text/html - (no CLSID) - (no file)
    O18 - Filter: text/plain - (no CLSID) - (no file)


    Hope you can help us get the dirty things out of there.
    Thanks again
  4. 2005-12-30, 13:55 #4
    Corrine
    Corrine is offline
    Security Expert Corrine's Avatar
    Join Date
    Oct 2005
    Location
    Upstate, NY
    Posts
    62

    Default

    Hi, tools4me. Please copy/paste your logs as a reply rather than as attachments. That way they can be reviewed together in situ.

    Thank you.
    Windows Insider MVP * * * Microsoft MVP, 2006-20016

    Take a walk through the "Security Garden" -- Where Everything is Coming up Roses!
  5. 2005-12-30, 16:41 #5
    tools4me
    tools4me is offline
    Junior Member
    Join Date
    Dec 2005
    Posts
    0

    Default

    OK, will try that.
    smitRem:

    smitRem © log file
    version 2.8

    by noahdfear


    Windows 98 [Version 4.10.2222]


    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    spyaxe uninstaller NOT present
    Winhound uninstaller NOT present

    Existing Pre-run Files


    ~~~ Program Files ~~~



    ~~~ Shortcuts ~~~



    ~~~ Favorites ~~~



    ~~~ system folder ~~~




    ~~~ Icons in system folder ~~~



    ~~~ Windows directory ~~~



    ~~~ Drive root ~~~



    ~~~ Miscellaneous Files/folders ~~~



    ~~~~ wininet.dll ~~~~

    wininet.dll Present!!


    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    Starting registry repairs

    Deleting files

    Remaining Post-run Files


    ~~~ Program Files ~~~



    ~~~ Shortcuts ~~~



    ~~~ Favorites ~~~



    ~~~ system folder ~~~




    ~~~ Icons in system folder ~~~



    ~~~ Windows directory ~~~



    ~~~ Drive root ~~~


    ~~~ Miscellaneous Files/folders ~~~





    ~~~~ wininet.dll ~~~~

    wininet.dll Clean!!
  6. 2005-12-30, 17:00 #6
    tools4me
    tools4me is offline
    Junior Member
    Join Date
    Dec 2005
    Posts
    0

    Default

    Ad-Aware first part:

    Ad-Aware SE Build 1.06r1
    Logfile Created on:Thursday, December 29, 2005 4:17:09 PM
    Created with Ad-Aware SE Personal, free for private use.
    Using definitions file:SE1R84 28.12.2005
    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

    References detected during the scan:
    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
    180Solutions(TAC index:6):3 total references
    Adintelligence.AproposToolbar(TAC index:10):8 total references
    Alexa(TAC index:5):8 total references
    DyFuCA(TAC index:3):1 total references
    PeopleOnPage(TAC index:9):2 total references
    SahAgent(TAC index:9):5 total references
    Tracking Cookie(TAC index:3):262 total references
    WinAD(TAC index:7):16 total references
    WindUpdates(TAC index:8):10 total references
    Wotch.Mediaman(TAC index:3):4 total references
    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

    Definition File:
    =========================
    Definitions File Loaded:
    Reference Number : SE1R84 28.12.2005
    Internal build : 96
    File location : C:\PROGRAM FILES\LAVASOFT\AD-AWARE SE PERSONAL\defs.ref
    File size : 572788 Bytes
    Total size : 1722466 Bytes
    Signature data size : 1688043 Bytes
    Reference data size : 33911 Bytes
    Signatures total : 47840
    CSI Fingerprints total : 1280
    CSI data size : 37161 Bytes
    Target categories : 15
    Target families : 808


    Memory + processor status:
    ==========================
    Number of processors : 1
    Processor architecture : Non Intel
    Memory available:65 %
    Total physical memory:130464 kb
    Available physical memory:50708 kb
    Total page file size:1966684 kb
    Available on page file:1966684 kb
    Total virtual memory:2093056 kb
    Available virtual memory:2046528 kb
    OS:Microsoft Windows 98 SE

    Ad-Aware SE Settings
    ===========================
    Set : Safe mode (always request confirmation)
    Set : Don't log streams smaller than 0 Bytes
    Set : Scan active processes
    Set : Scan registry
    Set : Deep-scan registry
    Set : Scan my IE Favorites for banned URLs
    Set : Scan within archives
    Set : Scan my Hosts file

    Extended Ad-Aware SE Settings
    ===========================
    Set : Unload recognized processes & modules during scan
    Set : Scan registry for all users instead of current user only
    Set : Always try to unload modules before deletion
    Set : Let Windows remove files in use at next reboot
    Set : Delete quarantined objects after restoring
    Set : Include basic Ad-Aware settings in log file
    Set : Include additional Ad-Aware settings in log file
    Set : Include reference summary in log file
    Set : Include alternate data stream details in log file
    Set : Play sound at scan completion if scan locates critical objects


    12-29-2005 4:17:09 PM - Scan started. (Full System Scan)

    Listing running processes
    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

    #:1 [KERNEL32.DLL]
    FilePath : C:\WINDOWS\SYSTEM\
    ProcessID : 4279207345
    Threads : 4
    Priority : High
    FileVersion : 4.10.2222
    ProductVersion : 4.10.2222
    ProductName : Microsoft(R) Windows(R) Operating System
    CompanyName : Microsoft Corporation
    FileDescription : Win32 Kernel core component
    InternalName : KERNEL32
    LegalCopyright : Copyright (C) Microsoft Corp. 1991-1999
    OriginalFilename : KERNEL32.DLL

    #:2 [MSGSRV32.EXE]
    FilePath : C:\WINDOWS\SYSTEM\
    ProcessID : 4294955349
    Threads : 1
    Priority : Normal
    FileVersion : 4.10.2222
    ProductVersion : 4.10.2222
    ProductName : Microsoft(R) Windows(R) Operating System
    CompanyName : Microsoft Corporation
    FileDescription : Windows 32-bit VxD Message Server
    InternalName : MSGSRV32
    LegalCopyright : Copyright (C) Microsoft Corp. 1992-1998
    OriginalFilename : MSGSRV32.EXE

    #:3 [MPREXE.EXE]
    FilePath : C:\WINDOWS\SYSTEM\
    ProcessID : 4294952645
    Threads : 1
    Priority : Normal
    FileVersion : 4.10.1998
    ProductVersion : 4.10.1998
    ProductName : Microsoft(R) Windows(R) Operating System
    CompanyName : Microsoft Corporation
    FileDescription : WIN32 Network Interface Service Process
    InternalName : MPREXE
    LegalCopyright : Copyright (C) Microsoft Corp. 1993-1998
    OriginalFilename : MPREXE.EXE

    #:4 [EXPLORER.EXE]
    FilePath : C:\WINDOWS\
    ProcessID : 4294879037
    Threads : 5
    Priority : Normal
    FileVersion : 4.72.3110.1
    ProductVersion : 4.72.3110.1
    ProductName : Microsoft(R) Windows NT(R) Operating System
    CompanyName : Microsoft Corporation
    FileDescription : Windows Explorer
    InternalName : explorer
    LegalCopyright : Copyright (C) Microsoft Corp. 1981-1997
    OriginalFilename : EXPLORER.EXE

    #:5 [AD-AWARE.EXE]
    FilePath : C:\PROGRAM FILES\LAVASOFT\AD-AWARE SE PERSONAL\
    ProcessID : 4294842973
    Threads : 2
    Priority : Normal
    FileVersion : 6.2.0.236
    ProductVersion : SE 106
    ProductName : Lavasoft Ad-Aware SE
    CompanyName : Lavasoft Sweden
    FileDescription : Ad-Aware SE Core application
    InternalName : Ad-Aware.exe
    LegalCopyright : Copyright © Lavasoft AB Sweden
    OriginalFilename : Ad-Aware.exe
    Comments : All Rights Reserved

    Memory scan result:
    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
    New critical objects: 0
    Objects found so far: 0


    Started registry scan
    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

    Adintelligence.AproposToolbar Object Recognized!
    Type : Regkey
    Data :
    TAC Rating : 10
    Category : Misc
    Comment :
    Rootkey : HKEY_CLASSES_ROOT
    Object : interface\{b99a727f-0782-4a71-bcc2-6e1e66414904}

    Adintelligence.AproposToolbar Object Recognized!
    Type : Regkey
    Data :
    TAC Rating : 10
    Category : Misc
    Comment :
    Rootkey : HKEY_CLASSES_ROOT
    Object : interface\{b548b7d8-3d03-4aed-a6a1-4251fad00c10}

    Adintelligence.AproposToolbar Object Recognized!
    Type : Regkey
    Data :
    TAC Rating : 10
    Category : Misc
    Comment :
    Rootkey : HKEY_CLASSES_ROOT
    Object : clsid\{016235be-59d4-4ceb-add5-e2378282a1d9}

    SahAgent Object Recognized!
    Type : Regkey
    Data :
    TAC Rating : 9
    Category : Data Miner
    Comment :
    Rootkey : HKEY_CLASSES_ROOT
    Object : clsid\{c0ef89ee-eec7-4535-a041-f1ebf79560a7}

    SahAgent Object Recognized!
    Type : Regkey
    Data :
    TAC Rating : 9
    Category : Data Miner
    Comment :
    Rootkey : HKEY_CLASSES_ROOT
    Object : typelib\{52cacfdf-9170-46a9-ae2e-e594d324c72a}

    WinAD Object Recognized!
    Type : Regkey
    Data :
    TAC Rating : 7
    Category : Malware
    Comment :
    Rootkey : HKEY_CLASSES_ROOT
    Object : appid\{735c5a0c-f79f-47a1-8ca1-2a2e482662a8}

    WinAD Object Recognized!
    Type : Regkey
    Data :
    TAC Rating : 7
    Category : Malware
    Comment :
    Rootkey : HKEY_CLASSES_ROOT
    Object : clsid\{1e5f0d38-214b-4085-ad2a-d2290e6a2d2c}

    WinAD Object Recognized!
    Type : RegValue
    Data :
    TAC Rating : 7
    Category : Malware
    Comment :
    Rootkey : HKEY_CLASSES_ROOT
    Object : clsid\{1e5f0d38-214b-4085-ad2a-d2290e6a2d2c}
    Value : AppID

    WinAD Object Recognized!
    Type : Regkey
    Data :
    TAC Rating : 7
    Category : Malware
    Comment :
    Rootkey : HKEY_CLASSES_ROOT
    Object : interface\{00ada225-ea6c-4fb3-82e8-68189201ccb9}

    WinAD Object Recognized!
    Type : Regkey
    Data :
    TAC Rating : 7
    Category : Malware
    Comment :
    Rootkey : HKEY_CLASSES_ROOT
    Object : typelib\{15696ae2-6ea4-47f4-bea6-a3d32693efc7}

    WindUpdates Object Recognized!
    Type : Regkey
    Data :
    TAC Rating : 8
    Category : Malware
    Comment :
    Rootkey : HKEY_CLASSES_ROOT
    Object : appid\mediagateway.exe

    WindUpdates Object Recognized!
    Type : Regkey
    Data :
    TAC Rating : 8
    Category : Malware
    Comment :
    Rootkey : HKEY_CLASSES_ROOT
    Object : mediagateway.installer

    PeopleOnPage Object Recognized!
    Type : Regkey
    Data :
    TAC Rating : 9
    Category : Data Miner
    Comment :
    Rootkey : HKEY_USERS
    Object : .DEFAULT\software\apropos

    Adintelligence.AproposToolbar Object Recognized!
    Type : Regkey
    Data :
    TAC Rating : 10
    Category : Misc
    Comment :
    Rootkey : HKEY_LOCAL_MACHINE
    Object : software\microsoft\windows\currentversion\explorer\browser helper objects\{016235be-59d4-4ceb-add5-e2378282a1d9}

    Alexa Object Recognized!
    Type : Regkey
    Data :
    TAC Rating : 5
    Category : Data Miner
    Comment :
    Rootkey : HKEY_LOCAL_MACHINE
    Object : software\microsoft\internet explorer\extensions\{c95fe080-8f5d-11d2-a20b-00aa003c157a}

    Alexa Object Recognized!
    Type : RegValue
    Data :
    TAC Rating : 5
    Category : Data Miner
    Comment :
    Rootkey : HKEY_LOCAL_MACHINE
    Object : software\microsoft\internet explorer\extensions\{c95fe080-8f5d-11d2-a20b-00aa003c157a}
    Value : MenuStatusBar

    Alexa Object Recognized!
    Type : RegValue
    Data :
    TAC Rating : 5
    Category : Data Miner
    Comment :
    Rootkey : HKEY_LOCAL_MACHINE
    Object : software\microsoft\internet explorer\extensions\{c95fe080-8f5d-11d2-a20b-00aa003c157a}
    Value : Script

    Alexa Object Recognized!
    Type : RegValue
    Data :
    TAC Rating : 5
    Category : Data Miner
    Comment :
    Rootkey : HKEY_LOCAL_MACHINE
    Object : software\microsoft\internet explorer\extensions\{c95fe080-8f5d-11d2-a20b-00aa003c157a}
    Value : clsid

    Alexa Object Recognized!
    Type : RegValue
    Data :
    TAC Rating : 5
    Category : Data Miner
    Comment :
    Rootkey : HKEY_LOCAL_MACHINE
    Object : software\microsoft\internet explorer\extensions\{c95fe080-8f5d-11d2-a20b-00aa003c157a}
    Value : Icon

    Alexa Object Recognized!
    Type : RegValue
    Data :
    TAC Rating : 5
    Category : Data Miner
    Comment :
    Rootkey : HKEY_LOCAL_MACHINE
    Object : software\microsoft\internet explorer\extensions\{c95fe080-8f5d-11d2-a20b-00aa003c157a}
    Value : HotIcon

    Alexa Object Recognized!
    Type : RegValue
    Data :
    TAC Rating : 5
    Category : Data Miner
    Comment :
    Rootkey : HKEY_LOCAL_MACHINE
    Object : software\microsoft\internet explorer\extensions\{c95fe080-8f5d-11d2-a20b-00aa003c157a}
    Value : ButtonText

    DyFuCA Object Recognized!
    Type : Regkey
    Data :
    TAC Rating : 3
    Category : Malware
    Comment :
    Rootkey : HKEY_LOCAL_MACHINE
    Object : software\microsoft\windows\currentversion\explorer\browser helper objects\{00000010-6f7d-442c-93e3-4a4827c2e4c8}

    WinAD Object Recognized!
    Type : Regkey
    Data :
    TAC Rating : 7
    Category : Malware
    Comment : Media Gateway
    Rootkey : HKEY_LOCAL_MACHINE
    Object : software\media gateway

    WinAD Object Recognized!
    Type : RegValue
    Data :
    TAC Rating : 7
    Category : Malware
    Comment : Media Gateway
    Rootkey : HKEY_LOCAL_MACHINE
    Object : software\media gateway
    Value : track

    WinAD Object Recognized!
    Type : RegValue
    Data :
    TAC Rating : 7
    Category : Malware
    Comment : Media Gateway
    Rootkey : HKEY_LOCAL_MACHINE
    Object : software\media gateway
    Value : reqcount

    WinAD Object Recognized!
    Type : RegValue
    Data :
    TAC Rating : 7
    Category : Malware
    Comment : Media Gateway
    Rootkey : HKEY_LOCAL_MACHINE
    Object : software\media gateway
    Value : DownloadPath

    WinAD Object Recognized!
    Type : RegValue
    Data :
    TAC Rating : 7
    Category : Malware
    Comment : Media Gateway
    Rootkey : HKEY_LOCAL_MACHINE
    Object : software\media gateway
    Value : Language

    WinAD Object Recognized!
    Type : RegValue
    Data :
    TAC Rating : 7
    Category : Malware
    Comment : Media Gateway
    Rootkey : HKEY_LOCAL_MACHINE
    Object : software\media gateway
    Value : SoftwareTable

    WinAD Object Recognized!
    Type : RegValue
    Data :
    TAC Rating : 7
    Category : Malware
    Comment : Media Gateway
    Rootkey : HKEY_LOCAL_MACHINE
    Object : software\media gateway
    Value : Updating

    WinAD Object Recognized!
    Type : RegValue
    Data :
    TAC Rating : 7
    Category : Malware
    Comment : Media Gateway
    Rootkey : HKEY_LOCAL_MACHINE
    Object : software\media gateway
    Value : LastUpdate

    WinAD Object Recognized!
    Type : RegValue
    Data :
    TAC Rating : 7
    Category : Malware
    Comment : Media Gateway
    Rootkey : HKEY_LOCAL_MACHINE
    Object : software\media gateway
    Value : Request

    WindUpdates Object Recognized!
    Type : Regkey
    Data :
    TAC Rating : 8
    Category : Malware
    Comment :
    Rootkey : HKEY_LOCAL_MACHINE
    Object : software\microsoft\code store database\distribution units\{15ad4789-cdb4-47e1-a9da-992ee8e6bad6}

    WindUpdates Object Recognized!
    Type : Regkey
    Data :
    TAC Rating : 8
    Category : Malware
    Comment :
    Rootkey : HKEY_LOCAL_MACHINE
    Object : software\microsoft\windows\currentversion\uninstall\media gateway

    WindUpdates Object Recognized!
    Type : RegValue
    Data :
    TAC Rating : 8
    Category : Malware
    Comment :
    Rootkey : HKEY_LOCAL_MACHINE
    Object : software\microsoft\windows\currentversion\uninstall\media gateway
    Value : DisplayName

    Wotch.Mediaman Object Recognized!
    Type : Regkey
    Data :
    TAC Rating : 3
    Category : Data Miner
    Comment :
    Rootkey : HKEY_LOCAL_MACHINE
    Object : software\wotch

    Wotch.Mediaman Object Recognized!
    Type : RegValue
    Data :
    TAC Rating : 3
    Category : Data Miner
    Comment :
    Rootkey : HKEY_LOCAL_MACHINE
    Object : software\wotch
    Value : y

    Wotch.Mediaman Object Recognized!
    Type : RegValue
    Data :
    TAC Rating : 3
    Category : Data Miner
    Comment :
    Rootkey : HKEY_LOCAL_MACHINE
    Object : software\wotch
    Value : SessionPacket

    Wotch.Mediaman Object Recognized!
    Type : RegValue
    Data :
    TAC Rating : 3
    Category : Data Miner
    Comment :
    Rootkey : HKEY_LOCAL_MACHINE
    Object : software\wotch
    Value : UCID

    Alexa Object Recognized!
    Type : RegValue
    Data :
    TAC Rating : 5
    Category : Data Miner
    Comment : "{c95fe080-8f5d-11d2-a20b-00aa003c157a}"
    Rootkey : HKEY_USERS
    Object : .DEFAULT\software\microsoft\internet explorer\extensions\cmdmapping
    Value : {c95fe080-8f5d-11d2-a20b-00aa003c157a}

    WindUpdates Object Recognized!
    Type : RegValue
    Data :
    TAC Rating : 8
    Category : Malware
    Comment : "Media Gateway"
    Rootkey : HKEY_LOCAL_MACHINE
    Object : software\microsoft\windows\currentversion\run
    Value : Media Gateway

    Registry Scan result:
    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
    New critical objects: 40
    Objects found so far: 40


    Started deep registry scan
    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

    Adintelligence.AproposToolbar Object Recognized!
    Type : RegValue
    Data :
    TAC Rating : 10
    Category : Misc
    Comment : "r98j36X"
    Rootkey : HKEY_LOCAL_MACHINE
    Object : Software\Microsoft\Windows\CurrentVersion\Run
    Value : r98j36X

    Adintelligence.AproposToolbar Object Recognized!
    Type : File
    Data : odblts3.exe
    TAC Rating : 10
    Category : Misc
    Comment :
    Object : c:\windows\system\
  7. 2005-12-30, 17:29 #7
    tools4me
    tools4me is offline
    Junior Member
    Join Date
    Dec 2005
    Posts
    0

    Default

    Ad-Aware second part: I give up on this Ad-Aware breaking into pieces. I can't spend all day with this. We need to do something different. Please use the attachment if that is at all possible. I'm sorry, but it is too much.

    Here is the Panda Scan:


    Incident Status Location

    Virus:Trj/Agent.AHI Not disinfected Operating system
    Adware:adware/ncase Not disinfected C:\TEMP\salm_kyf.dat
    Spyware:spyware/apropos Not disinfected C:\PROGRAM FILES\Aprps
    Adware:adware/wupd Not disinfected Windows Registry
    Virus:Trj/Agent.AHI Not disinfected C:\WINDOWS\SYSTEM\lirkmwnb.apo
    Adware:Adware/KeenValue Not disinfected C:\WINDOWS\Downloaded Program Files\imloader.exe
    Spyware:Spyware/Apropos Not disinfected C:\Program Files\Aprps\ProxyStub.dll
    Spyware:Spyware/Apropos Not disinfected C:\Program Files\Aprps\WinGenerics.dll
    Spyware:Spyware/Apropos Not disinfected C:\Program Files\Aprps\pstub0\proxystub.dll
    Virus:Trj/Multidropper.TY Not disinfected C:\temp\Bargains.exe
    The Spybot S&D:


    --- Report generated: 2005-12-29 23:12 ---

    DyFuCA: Browser helper object (Registry key, fixed)
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{00000010-6F7D-442C-93E3-4A4827C2E4C8}

    MyWay.MyWebSearch: Settings (Registry key, fixed)
    HKEY_LOCAL_MACHINE\Software\Microsoft\Code Store Database\Distribution Units\{1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB}

    MyWay.MyWebSearch: Settings (Registry key, fixed)
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{00A6FAF1-072E-44cf-8957-5838F569A31D}

    MyWay.MyWebSearch: Browser helper object (Registry key, fixed)
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{07B18EA1-A523-4961-B6BB-170DE4475CCA}

    Wind Updates: Code storage database (Registry key, fixed)
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6}


    --- Spybot - Search & Destroy version: 1.4 (build: 20050523) ---

    2005-12-27 unins000.exe (51.41.0.0)
    2005-05-31 blindman.exe (1.0.0.1)
    2005-05-31 SpybotSD.exe (1.4.0.3)
    2005-05-31 Update.exe (1.4.0.0)
    2005-05-31 TeaTimer.exe (1.4.0.2)
    2005-05-31 advcheck.dll (1.0.2.0)
    2005-05-31 borlndmm.dll (7.0.4.453)
    2005-05-31 delphimm.dll (7.0.4.453)
    2005-05-31 SDHelper.dll (1.4.0.0)
    2005-05-31 Tools.dll (2.0.0.2)
    2005-05-31 UnzDll.dll (1.73.1.1)
    2005-05-31 ZipDll.dll (1.73.2.0)
    2005-05-31 aports.dll (2.1.0.0)
    2005-12-23 Includes\Cookies.sbi (*)
    2003-03-16 Includes\Temporary.sbi (*)
    2005-12-23 Includes\Dialer.sbi (*)
    2005-12-23 Includes\Hijackers.sbi (*)
    2005-12-23 Includes\Malware.sbi (*)
    2005-12-23 Includes\Keyloggers.sbi (*)
    2005-12-23 Includes\Revision.sbi (*)
    2005-12-23 Includes\Security.sbi (*)
    2005-12-23 Includes\Spybots.sbi (*)
    2005-12-23 Includes\Trojans.sbi (*)
    2003-03-16 Includes\plugin-ignore.ini
    2005-02-17 Includes\Tracks.uti
    2005-12-23 Includes\PUPS.sbi (*)

    And the HJT:

    C:\PROGRAM FILES\HEWLETT-PACKARD\HP PRECISIONSCAN\PRECISIONSCAN\HPLAMP.EXE
    C:\WINDOWS\SYSTEM\QTTASK.EXE
    C:\WINDOWS\SYSTEM32\DRIVERS\KODAKCCS.EXE
    C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
    C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
    C:\WINDOWS\RunDLL.exe
    C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
    C:\PROGRAM FILES\SPYBOT - SEARCH & DESTROY\TEATIMER.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\PROGRAM FILES\YAHOO!\MESSENGER\YMSGR_TRAY.EXE
    C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGWB.DAT
    C:\WINDOWS\SYSTEM\RNAAPP.EXE
    C:\WINDOWS\SYSTEM\TAPISRV.EXE
    C:\PROGRAM FILES\SPYBOT - SEARCH & DESTROY\SPYBOTSD.EXE
    C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
    C:\MY DOCUMENTS\HIJACKTHIS[1]\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R3 - Default URLSearchHook is missing
    F1 - win.ini: run=hpfsched
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
    O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\PROGRAM FILES\MSN APPS\MSN TOOLBAR\01.02.3000.1001\EN-US\MSNTB.DLL
    O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\PROGRAM FILES\MSN APPS\ST\01.03.0000.1005\EN-XU\STMAIN.DLL
    O2 - BHO: (no name) - {1884fe38-ce34-42d6-a272-ba950f73dfbb} - C:\WINDOWS\SYSTEM\lirkmwnb.apo
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
    O2 - BHO: (no name) - {016235BE-59D4-4CEB-ADD5-E2378282A1D9} - (no file)
    O2 - BHO: (no name) - {07B18EA1-A523-4961-B6BB-170DE4475CCA} - (no file)
    O2 - BHO: (no name) - {00A6FAF1-072E-44cf-8957-5838F569A31D} - (no file)
    O2 - BHO: (no name) - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - (no file)
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\PROGRAM FILES\MSN APPS\MSN TOOLBAR\01.02.3000.1001\EN-US\MSNTB.DLL
    O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [Multi-function Keyboard] GWHotKey.exe
    O4 - HKLM\..\Run: [Adaptec DirectCD] C:\Program Files\DirectCD\DIRECTCD.EXE
    O4 - HKLM\..\Run: [POINTER] point32.exe
    O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET
    O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
    O4 - HKLM\..\Run: [LoadQM] loadqm.exe
    O4 - HKLM\..\Run: [msnappau] "c:\program files\MSN Apps\Updater\01.03.0000.1005\en-us\msnappau.exe"
    O4 - HKLM\..\Run: [mdac_runonce] C:\WINDOWS\SYSTEM\runonce.exe
    O4 - HKLM\..\Run: [HP Lamp] C:\Program Files\Hewlett-Packard\HP PrecisionScan\PrecisionScan\HPLamp.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
    O4 - HKLM\..\Run: [KodakCCS] c:\windows\System32\Drivers\KodakCCS.exe
    O4 - HKLM\..\Run: [msrmd1c2] C:\WINDOWS\SYSTEM\msrmd1c2.exe
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
    O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
    O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [GoBack Polling Service] C:\Program Files\Wild File\GoBack\GBPoll.exe
    O4 - HKLM\..\RunServices: [KB891711] c:\windows\SYSTEM\KB891711\KB891711.EXE
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
    O4 - HKCU\..\Run: [MsnMsgr] "c:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\PROGRAM FILES\SPYBOT - SEARCH & DESTROY\TeaTimer.exe
    O4 - Startup: Shortcut to noteit.exe.lnk.disabled
    O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearc...p=ZUxdm082YYUS
    O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YPAGER.EXE
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YPAGER.EXE
    O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O16 - DPF: {86A88967-7A20-11D2-8EDA-00600818EDB1} (ParallelGraphics Cortona Control) - http://www.parallelgraphics.com/bin/cortvrml.cab
    O16 - DPF: {64D01C7F-810D-446E-A07E-16C764235644} (AtlAtomadersCtlAttrib Class) - http://zone.msn.com/bingame/amad/default/atomaders.cab
    O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IMDownloader Class) - http://www2.incredimail.com/contents...r/imloader.cab
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by24fd.bay24.hotmail.msn.com/...s/MsnPUpld.cab
    O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/reso...an8/oscan8.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
    O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} -
    O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} -
    O18 - Filter: text/html - (no CLSID) - (no file)
    O18 - Filter: text/plain - (no CLSID) - (no file)

    Thanks for all you help
  8. 2005-12-31, 01:19 #8
    Corrine
    Corrine is offline
    Security Expert Corrine's Avatar
    Join Date
    Oct 2005
    Location
    Upstate, NY
    Posts
    62

    Default

    I'm sorry, but it is too much.
    :(

    Please just post a complete HijackThis log so someone can check it for you. There are things that need removing. Also, please let us know how you're doing.
    Windows Insider MVP * * * Microsoft MVP, 2006-20016

    Take a walk through the "Security Garden" -- Where Everything is Coming up Roses!
  9. 2005-12-31, 03:24 #9
    tools4me
    tools4me is offline
    Junior Member
    Join Date
    Dec 2005
    Posts
    0

    Default

    Hi Corrine:

    Sure, I'll post another HJT. In the previous posts, I pasted the complete logs from smitRem, the Panda Scan, and the HJT. The Ad-Aware was huge, and I posted only a portion of it. BitDefender says I have a Trojan in /WINDOWS/SYSTEM/lirkmwnb.apo and it can't repair it. Maybe the HJT shows it, too? As well as more things to fix, I'm sure. The smitRem and Ad-Aware have made a big difference; not getting pop-ups/pop-unders, freezes. Still, I know there's more to clean-up.

    And Here is a fresh HJT:

    Logfile of HijackThis v1.99.1
    Scan saved at 7:04:02 PM, on 12/30/2005
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    c:\windows\SYSTEM\KB891711\KB891711.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS\GWHOTKEY.EXE
    C:\PROGRAM FILES\DIRECTCD\DIRECTCD.EXE
    C:\PROGRAM FILES\MICROSOFT HARDWARE\MOUSE\POINT32.EXE
    C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
    C:\WINDOWS\SYSTEM\STIMON.EXE
    C:\WINDOWS\LOADQM.EXE
    C:\PROGRAM FILES\MSN APPS\UPDATER\01.03.0000.1005\EN-US\MSNAPPAU.EXE
    C:\PROGRAM FILES\HEWLETT-PACKARD\HP PRECISIONSCAN\PRECISIONSCAN\HPLAMP.EXE
    C:\WINDOWS\SYSTEM\QTTASK.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\WINDOWS\SYSTEM32\DRIVERS\KODAKCCS.EXE
    C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
    C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE
    C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
    C:\WINDOWS\RunDLL.exe
    C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
    C:\PROGRAM FILES\SPYBOT - SEARCH & DESTROY\TEATIMER.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\WINDOWS\SYSTEM\RNAAPP.EXE
    C:\WINDOWS\SYSTEM\TAPISRV.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\PROGRAM FILES\SPYBOT - SEARCH & DESTROY\SPYBOTSD.EXE
    C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
    C:\MY DOCUMENTS\HIJACKTHIS[1]\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R3 - Default URLSearchHook is missing
    F1 - win.ini: run=hpfsched
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
    O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\PROGRAM FILES\MSN APPS\MSN TOOLBAR\01.02.3000.1001\EN-US\MSNTB.DLL
    O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\PROGRAM FILES\MSN APPS\ST\01.03.0000.1005\EN-XU\STMAIN.DLL
    O2 - BHO: (no name) - {1884fe38-ce34-42d6-a272-ba950f73dfbb} - C:\WINDOWS\SYSTEM\lirkmwnb.apo
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
    O2 - BHO: (no name) - {016235BE-59D4-4CEB-ADD5-E2378282A1D9} - (no file)
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\PROGRAM FILES\MSN APPS\MSN TOOLBAR\01.02.3000.1001\EN-US\MSNTB.DLL
    O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [Multi-function Keyboard] GWHotKey.exe
    O4 - HKLM\..\Run: [Adaptec DirectCD] C:\Program Files\DirectCD\DIRECTCD.EXE
    O4 - HKLM\..\Run: [POINTER] point32.exe
    O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET
    O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
    O4 - HKLM\..\Run: [LoadQM] loadqm.exe
    O4 - HKLM\..\Run: [msnappau] "c:\program files\MSN Apps\Updater\01.03.0000.1005\en-us\msnappau.exe"
    O4 - HKLM\..\Run: [mdac_runonce] C:\WINDOWS\SYSTEM\runonce.exe
    O4 - HKLM\..\Run: [HP Lamp] C:\Program Files\Hewlett-Packard\HP PrecisionScan\PrecisionScan\HPLamp.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
    O4 - HKLM\..\Run: [KodakCCS] c:\windows\System32\Drivers\KodakCCS.exe
    O4 - HKLM\..\Run: [msrmd1c2] C:\WINDOWS\SYSTEM\msrmd1c2.exe
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
    O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
    O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [GoBack Polling Service] C:\Program Files\Wild File\GoBack\GBPoll.exe
    O4 - HKLM\..\RunServices: [KB891711] c:\windows\SYSTEM\KB891711\KB891711.EXE
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
    O4 - HKCU\..\Run: [MsnMsgr] "c:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\PROGRAM FILES\SPYBOT - SEARCH & DESTROY\TeaTimer.exe
    O4 - Startup: Shortcut to noteit.exe.lnk.disabled
    O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearc...p=ZUxdm082YYUS
    O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YPAGER.EXE
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YPAGER.EXE
    O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O16 - DPF: {86A88967-7A20-11D2-8EDA-00600818EDB1} (ParallelGraphics Cortona Control) - http://www.parallelgraphics.com/bin/cortvrml.cab
    O16 - DPF: {64D01C7F-810D-446E-A07E-16C764235644} (AtlAtomadersCtlAttrib Class) - http://zone.msn.com/bingame/amad/default/atomaders.cab
    O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IMDownloader Class) - http://www2.incredimail.com/contents...r/imloader.cab
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by24fd.bay24.hotmail.msn.com/...s/MsnPUpld.cab
    O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/reso...an8/oscan8.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
    O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/v...fo/webscan.cab
    O18 - Filter: text/html - (no CLSID) - (no file)
    O18 - Filter: text/plain - (no CLSID) - (no file)

    Please let me know what remains to be fixed on this pc; I need to return home tomorrow and want to be able to not worry so much about it.
    Thanks Again
  10. 2006-01-08, 04:00 #10
    LonnyRJones
    LonnyRJones is offline
    Security Expert-Emeritus
    Join Date
    Oct 2005
    Posts
    5,025

    Default

    Sorry for the delay tools4me

    Let us know how the pc is and post a fresh hijackthis log please.
« Previous Thread | Next Thread »

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  

Forum Rules