-
In Memoriam -Always in our heart
Choose Export and save it to your Desktop. Copy/Paste the information in that notepad to this same topic.
-
Got it!
Logfile of HijackThis v1.99.1
Scan saved at 7:45:46 PM, on 9/16/06
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\POWERPANEL\BAYSWAP\BAYSWAP.EXE
C:\PROGRAM FILES\BUFFALO\CLIENT MANAGER 2\BWSVC.EXE
C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHSERV.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\APOINT\APOINT.EXE
C:\WINDOWS\SYSTEM\IRMON.EXE
C:\WINDOWS\DSLAUNCH.EXE
C:\PROGRAM FILES\SONY\HOTKEY UTILITY\HKSERV.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\SONY\JOG DIAL UTILITY\JOGSERV2.EXE
C:\WINDOWS\SYSTEM\PRPCUI.EXE
C:\PROGRAM FILES\APOINT\APWHEEL.EXE
C:\WINDOWS\SYSTEM\PELMICED.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHWEBSV.EXE
C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHMAISV.EXE
C:\PROGRAM FILES\SPYBOT - SEARCH & DESTROY\TEATIMER.EXE
C:\PROGRAM FILES\BATTERYSCOPE\BATMGR.EXE
C:\PROGRAM FILES\POWERPANEL\PROGRAM\PCFMGR.EXE
C:\PROGRAM FILES\BUFFALO\CLIENT MANAGER\CLIENTMG\ESSIDSET.EXE
C:\PROGRAM FILES\BUFFALO\CLIENT MANAGER 2\CLIENTMGR2.EXE
C:\PROGRAM FILES\SPYWAREGUARD\SGMAIN.EXE
C:\PROGRAM FILES\SPYWAREGUARD\SGBHP.EXE
C:\WINDOWS\DESKTOP\SPYBOT\HJT\HIJACKTHIS.EXE
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://aolsearch.aol.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://mycampus.phoenix.edu/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by America Online
R3 - Default URLSearchHook is missing
O2 - BHO: HelperObject Class - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\PROGRAM FILES\TECHSMITH\SNAGIT 7\SNAGITBHO.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\PROGRAM FILES\TECHSMITH\SNAGIT 7\SNAGITIEADDIN.DLL
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [AlpsPoint] C:\Progra~1\Apoint\Apoint.exe
O4 - HKLM\..\Run: [IrMon] IrMon.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [YAMAHA DS-XG Launcher] c:\windows\dslaunch.exe
O4 - HKLM\..\Run: [HKSERV.EXE] C:\Program Files\Sony\HotKey Utility\HKserv.exe
O4 - HKLM\..\Run: [JOGSERV2.EXE] C:\Program Files\Sony\Jog Dial Utility\JogServ2.exe
O4 - HKLM\..\Run: [PRPCMonitor] PRPCUI.exe
O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] PELMICED.EXE
O4 - HKLM\..\Run: [SBWatchDog.EXE] C:\WINDOWS\SYSTEM\SBUtils\SBWatchDog.EXE /l
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [avast! Web Scanner] C:\PROGRA~1\ALWILS~1\AVAST4\ASHWEBSV.EXE
O4 - HKLM\..\Run: [ashMaiSv] C:\PROGRA~1\ALWILS~1\AVAST4\ashmaisv.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [BaySwap] C:\Program Files\PowerPanel\BaySwap\BaySwap.exe
O4 - HKLM\..\RunServices: [BWSVC] C:\PROGRAM FILES\BUFFALO\CLIENT MANAGER 2\BWSVC.EXE
O4 - HKLM\..\RunServices: [avast!] C:\Program Files\Alwil Software\Avast4\ashServ.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Ecru] "C:\WINDOWS\wtet\wuauclt.exe" -vt yazr
O4 - Startup: BatteryScope.lnk = C:\Program Files\BatteryScope\Batmgr.exe
O4 - Startup: PowerPanel.lnk = C:\Program Files\PowerPanel\Program\PcfMgr.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Startup: Client Manager.lnk = C:\Program Files\BUFFALO\Client Manager\CLIENTMG\ESSIDSET.exe
O4 - Startup: ClientManager2.lnk = C:\Program Files\BUFFALO\Client Manager 2\ClientMgr2.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://c:\PROGRA~1\MICROS~1\OFFICE10\EXCEL.EXE/3000
O8 - Extra context menu item: &AOL Toolbar search - res://C:\PROGRAM FILES\AOL TOOLBAR\TOOLBAR.DLL/SEARCH.HTML
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRAM FILES\JAVA\JRE1.5.0_06\BIN\SSV.DLL
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRAM FILES\JAVA\JRE1.5.0_06\BIN\SSV.DLL
O14 - IERESET.INF: START_PAGE_URL=http://www.aol.com
O16 - DPF: {A82C3A33-5C0E-466C-B020-71585433A7E4} (PhxStudent.OeSetup15) - https://mycampus.phoenix.edu/secure/PhxStudent15.CAB
O16 - DPF: {A0EAC162-A012-4AD8-B2E1-D5A0BBBCDA51} (PopupSh Control) - http://209.190.5.106/display/PopupSh.ocx
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (a-squared Scanner) - http://ax.emsisoft.com/asquared.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/par...bscan_ansi.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = aoldsl.net
-
In Memoriam -Always in our heart
Thanks for the HJT log, I was hoping the problem would pop right out, such is not the case. We may have some hidden malware, but I will first address what I see. I need you to give me more information about what you are seeing, describe in more detail, does it vary, do you receive other popups and do they occur when you are offline. Is this:
sexlist the only one? Can you tell me where it is directing you, copy paste the url for me if there is one.
Here is what I see in the HJT log:
O4 - HKLM\..\Run: [SBWatchDog.EXE] C:\WINDOWS\SYSTEM\SBUtils\SBWatchDog.EXE /l
http://www.bleepingcomputer.com/star....exe-4734.html
O4 - HKCU\..\Run: [Ecru] "C:\WINDOWS\wtet\wuauclt.exe" -vt yazr while that exe could be a legit item, windows updates, it can also be a trojan. I don't think you would have Windows updates running all of the time, especially since there are no more updates from Microsoft for your system.
http://www.google.com/search?sourcei...=wuauclt%2Eexe
You can scan this item with one or more of these from online scanners for us to be sure:
http://virusscan.jotti.org/
http://www.kaspersky.com/scanforvirus
http://www.virustotal.com/flash/index_en.html
O16 - DPF: {A0EAC162-A012-4AD8-B2E1-D5A0BBBCDA51} (PopupSh Control) - http://209.190.5.106/display/PopupSh.ocx
I do not like th looks of this one, do you know it? I will remove it, if it is valid, it will be put back the next time you visit the website.
Turn off TeaTimer until you are done, it will block the changes we want to make:
http://russelltexas.com/malware/teatimer.htm
Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:
R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [SBWatchDog.EXE] C:\WINDOWS\SYSTEM\SBUtils\SBWatchDog.EXE /l
O4 - HKCU\..\Run: [Ecru] "C:\WINDOWS\wtet\wuauclt.exe" -vt yazr
O16 - DPF: {A0EAC162-A012-4AD8-B2E1-D5A0BBBCDA51} (PopupSh Control) - http://209.190.5.106/display/PopupSh.ocx
Close all programs but HJT and all browser windows, then click on "Fix Checked"
RIGHT Click on Start then click on Explore. Locate and delete these items:
(may be gone, just don't miss them)
C:\WINDOWS\SYSTEM\SBUtils\ <<< delete that folder
C:\WINDOWS\wtet\ <<< delete that folder
Clean out all temp, tif and cookies.
1) Click Start, Programs (or All Programs), Accessories, System Tools, Disk Cleanup
2) Choose the correct drive usually C:\
3) Check the boxes in the list and delete the files
Restart the computer and post a new HJT log, let me know how you are running and post any information I requested above.
Thanks
Last edited by pskelley; 2006-09-17 at 12:28.
-
Hjt
Here is my log. I see this thing called Irmon on it. Do you know what that is? My computer is running better and can shut down on its own now. Should I turn teatimer back on? Thanks!
Logfile of HijackThis v1.99.1
Scan saved at 9:56:16 AM, on 9/17/06
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\POWERPANEL\BAYSWAP\BAYSWAP.EXE
C:\PROGRAM FILES\BUFFALO\CLIENT MANAGER 2\BWSVC.EXE
C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHSERV.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\APOINT\APOINT.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\SYSTEM\IRMON.EXE
C:\WINDOWS\DSLAUNCH.EXE
C:\PROGRAM FILES\SONY\HOTKEY UTILITY\HKSERV.EXE
C:\PROGRAM FILES\SONY\JOG DIAL UTILITY\JOGSERV2.EXE
C:\WINDOWS\SYSTEM\PRPCUI.EXE
C:\WINDOWS\SYSTEM\PELMICED.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHWEBSV.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHMAISV.EXE
C:\PROGRAM FILES\BATTERYSCOPE\BATMGR.EXE
C:\PROGRAM FILES\POWERPANEL\PROGRAM\PCFMGR.EXE
C:\PROGRAM FILES\APOINT\APWHEEL.EXE
C:\PROGRAM FILES\BUFFALO\CLIENT MANAGER\CLIENTMG\ESSIDSET.EXE
C:\PROGRAM FILES\BUFFALO\CLIENT MANAGER 2\CLIENTMGR2.EXE
C:\PROGRAM FILES\SPYWAREGUARD\SGMAIN.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\SPYWAREGUARD\SGBHP.EXE
C:\WINDOWS\DESKTOP\SPYBOT\HJT\HIJACKTHIS.EXE
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://aolsearch.aol.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://mycampus.phoenix.edu/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by America Online
O2 - BHO: HelperObject Class - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\PROGRAM FILES\TECHSMITH\SNAGIT 7\SNAGITBHO.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\PROGRAM FILES\TECHSMITH\SNAGIT 7\SNAGITIEADDIN.DLL
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [AlpsPoint] C:\Progra~1\Apoint\Apoint.exe
O4 - HKLM\..\Run: [IrMon] IrMon.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [YAMAHA DS-XG Launcher] c:\windows\dslaunch.exe
O4 - HKLM\..\Run: [HKSERV.EXE] C:\Program Files\Sony\HotKey Utility\HKserv.exe
O4 - HKLM\..\Run: [JOGSERV2.EXE] C:\Program Files\Sony\Jog Dial Utility\JogServ2.exe
O4 - HKLM\..\Run: [PRPCMonitor] PRPCUI.exe
O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] PELMICED.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [avast! Web Scanner] C:\PROGRA~1\ALWILS~1\AVAST4\ASHWEBSV.EXE
O4 - HKLM\..\Run: [ashMaiSv] C:\PROGRA~1\ALWILS~1\AVAST4\ashmaisv.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [BaySwap] C:\Program Files\PowerPanel\BaySwap\BaySwap.exe
O4 - HKLM\..\RunServices: [BWSVC] C:\PROGRAM FILES\BUFFALO\CLIENT MANAGER 2\BWSVC.EXE
O4 - HKLM\..\RunServices: [avast!] C:\Program Files\Alwil Software\Avast4\ashServ.exe
O4 - Startup: BatteryScope.lnk = C:\Program Files\BatteryScope\Batmgr.exe
O4 - Startup: PowerPanel.lnk = C:\Program Files\PowerPanel\Program\PcfMgr.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Startup: Client Manager.lnk = C:\Program Files\BUFFALO\Client Manager\CLIENTMG\ESSIDSET.exe
O4 - Startup: ClientManager2.lnk = C:\Program Files\BUFFALO\Client Manager 2\ClientMgr2.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://c:\PROGRA~1\MICROS~1\OFFICE10\EXCEL.EXE/3000
O8 - Extra context menu item: &AOL Toolbar search - res://C:\PROGRAM FILES\AOL TOOLBAR\TOOLBAR.DLL/SEARCH.HTML
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRAM FILES\JAVA\JRE1.5.0_06\BIN\SSV.DLL
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRAM FILES\JAVA\JRE1.5.0_06\BIN\SSV.DLL
O14 - IERESET.INF: START_PAGE_URL=http://www.aol.com
O16 - DPF: {A82C3A33-5C0E-466C-B020-71585433A7E4} (PhxStudent.OeSetup15) - https://mycampus.phoenix.edu/secure/PhxStudent15.CAB
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (a-squared Scanner) - http://ax.emsisoft.com/asquared.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/par...bscan_ansi.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = aoldsl.net
-
In Memoriam -Always in our heart
-
I just reactivitated Teatimer
And spybot said that it has detected an important registry change
C:\WINDOWS\wtet\wuauclt.exe
should I allow this change?
-
In Memoriam -Always in our heart
You just deleted that folder and you scanned it to make sure it was bad first. Just exactly what is Spybot asking you?
Last edited by pskelley; 2006-09-18 at 00:26.
-
It is a S&D registry change permission thing
actually it is going through a bunch more. AlpsPoint is the next one. I am not allowing the changes. Is that okay?
Value Deleted
Entry: SBWatchDog.EXE
-
In Memoriam -Always in our heart
Sounds good to me, might have to do with the TeaTimer memory. If you deleted the files/folder, there is nothing TT can do to reinstall them. I do not use TT, preferring SpywareGuard instead. You will find information about that in the links I provided. I use Spybot with TT turned off. Your topic will be open for a few days, if anything comes up, post it.
Thanks
Last edited by pskelley; 2006-09-18 at 00:36.
-
MSconfig
I did the msconfig thing and when I rebooted all of the programs were still there. They opened anyways.
Is that bad?
Posting Permissions
- You may not post new threads
- You may not post replies
- You may not post attachments
- You may not edit your posts
-
Forum Rules