Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

Win98, redirection, popups, Trojans


Post by Sean_Claude » June 26th, 2005, 11:31 am

Hi Nick, I did all you said to do. On the 2nd time it could not find anything wrong. Here are my files:
The blue Smitfraud screen is still the wallpaper.
Claude

(6/26/05 7:57:03 AM) SPSeHjFix started v1.09
(6/26/05 7:57:04 AM) OS: Win98SE A (4.10.67766446)
(6/26/05 7:57:04 AM) Language: english
(6/26/05 7:57:32 AM) Disinfect started
(6/26/05 7:57:32 AM) Bad-Dll(IEP): se.dll
(6/26/05 7:57:32 AM) Searchassistant Uninstaller found: regsvr32 /s /u C:\WINDOWS\SYSTEM\KKOMODA.DLL
(6/26/05 7:57:32 AM) Searchassistant Uninstaller - Keys Deleted
(6/26/05 7:57:32 AM) UBF: 6
(6/26/05 7:57:32 AM) UBB: 0
(6/26/05 7:57:32 AM) FilterKey: HKCR\text/html (deleted)
(6/26/05 7:57:32 AM) FilterKey: HKLM\SOFTWARE\Classes\text/html (error while deleting)
(6/26/05 7:57:32 AM) FilterKey: HKCR\CLSID\{EFAA44E9-D9BD-11D9-9956-0004C405594A} (deleted)
(6/26/05 7:57:32 AM) FilterKey: HKCR\text/plain (deleted)
(6/26/05 7:57:32 AM) FilterKey: HKLM\SOFTWARE\Classes\text/plain (error while deleting)
(6/26/05 7:57:32 AM) FilterKey: HKCR\CLSID\{EFAA44E9-D9BD-11D9-9956-0004C405594A} (error while deleting)
(6/26/05 7:57:32 AM) BHO-Key: HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{EFAA44EA-D9BD-11D9-9956-000434D7C73D} (deleted)
(6/26/05 7:57:32 AM) BHO-Key: HKCR\CLSID\{EFAA44EA-D9BD-11D9-9956-000434D7C73D} (deleted)
(6/26/05 7:57:32 AM) UBR: 13
(6/26/05 7:57:32 AM) Run-Key: HKLM\Software\Microsoft\Windows\CurrentVersion\Run\sp=rundll32 C:\WINDOWS\TEMP\SE.DLL,DllInstall (deleted)
(6/26/05 7:57:32 AM) Bad IE-pages:
deleted: HKCU\Software\Microsoft\Internet Explorer\Main, Search Bar: res://C:\WINDOWS\TEMP\se.dll/sp.html
deleted: HKCU\Software\Microsoft\Internet Explorer\Main, Search Page: about:blank
deleted: HKCU\Software\Microsoft\Internet Explorer\Main, Start Page: about:blank
deleted: HKCU\Software\Microsoft\Internet Explorer\Main, HomeOldSP: about:blank
deleted: HKCU\Software\Microsoft\Internet Explorer\Search, SearchAssistant: about:blank
deleted: HKLM\Software\Microsoft\Internet Explorer\Main, Search Bar: res://C:\WINDOWS\TEMP\se.dll/sp.html
deleted: HKLM\Software\Microsoft\Internet Explorer\Main, Search Page: about:blank
deleted: HKLM\Software\Microsoft\Internet Explorer\Main, Start Page: about:blank
deleted: HKLM\Software\Microsoft\Internet Explorer\Main, HomeOldSP: about:blank
deleted: HKLM\Software\Microsoft\Internet Explorer\Search, SearchAssistant: about:blank
(6/26/05 7:57:32 AM) Stealth-String found: C:\WINDOWS\HLPBEWL.GIF
(6/26/05 7:57:32 AM) File added to delete: c:\windows\system\kkomoda.dll
(6/26/05 7:57:32 AM) File added to delete: c:\windows\system\kkomoda.dll
(6/26/05 7:57:32 AM) File added to delete: c:\windows\temp\se.dll
(6/26/05 7:57:32 AM) File added to delete: c:\windows\hlpbewl.gif
(6/26/05 7:57:32 AM) Reboot
(6/26/05 8:13:09 AM) SPSeHjFix 2nd Step
(6/26/05 8:13:10 AM) RunServicesOnce-Key: (edited)
(6/26/05 8:13:24 AM) Cleaned



Logfile of HijackThis v1.99.1
Scan saved at 8:24:14 AM, on 6/26/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v5.00 (5.00.2614.3500)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\ATICWD32.EXE
C:\WINDOWS\SYSTEM\ATITASK.EXE
C:\PROGRAM FILES\EASY KEYBOARD\EASYKEY.EXE
C:\PROGRAM FILES\TROJANHUNTER 4.2\THGUARD.EXE
C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\NOTEPAD.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.e4me.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] systray.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [AtiCwd32] Aticwd32.exe
O4 - HKLM\..\Run: [AtiKey] Atitask.exe
O4 - HKLM\..\Run: [Easykey] C:\Program Files\Easy Keyboard\Easykey.exe
O4 - HKLM\..\Run: [SBWatchDog.EXE] C:\WINDOWS\SYSTEM\SBUtils\SBWatchDog.EXE /l
O4 - HKLM\..\Run: [SoundFusion] RunDll32 cwcprops.cpl,CrystalControlWnd
O4 - HKLM\..\Run: [THGuard] "C:\PROGRAM FILES\TROJANHUNTER 4.2\THGUARD.EXE"
O4 - HKLM\..\Run: [sp] rundll32 C:\WINDOWS\TEMP\SE.DLL,DllInstall
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] c:\windows\SYSTEM\mstask.exe
O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O14 - IERESET.INF: START_PAGE_URL=www.e4me.com
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
Sean_Claude
Regular Member
 
Posts: 33
Joined: June 13th, 2005, 4:37 pm

Post by Nick-YF19 » June 26th, 2005, 10:46 pm

Hi, you have 2 nasty infections. So far I haven't dealt with the Smitfraud, since it isn't the worst one you have. There are two posts with things to do to fix them. Do everything in this post first to finish off the about:blank infection. Once done with this, do the instructions in the next post.


Scan with Hijackthis and check the boxes next to all these,

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

O4 - HKLM\..\Run: [sp] rundll32 C:\WINDOWS\TEMP\SE.DLL,DllInstall


Now close all other windows, then click Fix Checked.

After that, restart the computer in Safe mode. When the computer is starting, begin tapping the F8 key on your keyboard. Continue to do so until the Windows Advanced Options menu appears. Using the arrow keys on the keyboard, scroll to and select the Safe mode menu item, and then press Enter.

Enable hidden files by doing this:

* Double-click My Computer.
* Click the Tools menu, and then click Folder Options.
* Click the View tab.
* Clear "Hide file extensions for known file types."
* Under the "Hidden files" folder, select "Show hidden files and folders."
* Clear "Hide protected operating system files."
* Click Apply, and then click OK.

Then find and delete these files if found:

C:\WINDOWS\TEMP\SE.DLL
C:\WINDOWS\HLPBEWL.GIF

You may not find them, but please look for them.



This process will clean out your Temp files and your Temporary Internet Files. Please do both steps:

Step 1:Delete Temp Files

To clean out your temp files, click on Start and then run, and type %temp% and press the ok button.

This should open up the temp directory that your machine uses. Please delete all files that are found there. If you get an error when deleting a file, skip that file and delete all the others. If you had trouble deleting a file, reboot into Safe Mode and follow this step again. You should now be able to delete all the files.


Step 2: Delete Temporary Internet Files

Now I want you to open up Internet Explorer, and click on the Tools menu and then Internet Options. At the General tab, which should be the first tab you are currently on, click on the Delete Files button and put a checkmark in Delete offline content. Then press the OK button. This may take quite a while, so do not be alarmed with how long it takes. When it is done, your Temporary Internet Files will now be deleted.

Once done with everything in this post, proceed to the next post and follow the instructions there.
Nick-YF19
Admin/Teacher Emeritus
 
Posts: 4036
Joined: May 17th, 2005, 12:42 am
Location: California

Post by Nick-YF19 » June 26th, 2005, 11:10 pm

This is the second part, for the bad wallpaper you have. Make sure you do the instructions in the previous post first, as that is the more difficult one to remove.

Please read these instructions carefully and print them out! Be sure to follow ALL instructions!

Please right-click: HERE and go to Save As (in Internet Explorer it's "Save Target As") in order to download Grinler's reg file. Save it to your desktop.

Locate "smitfraud.reg" on your desktop and double-click it. When asked if you want to merge with the registry, click YES. Wait for the "merged successfully" prompt then follow the rest of the instructions below.

Go to Start > Control Panel > Add or Remove Programs and remove the following programs, if found:

Security IGuard
Virtual Maid
Search Maid


Exit Add/Remove Programs.

*IMPORTANT*CLICK THIS LINK TO LEARN HOW TO VIEW HIDDEN FILES

I need you to copy all of the Killbox file paths below and paste them into Notepad.

* Please download the Killbox by Option^Explicit. *In the event you already have Killbox, this is a new version that I need you to download.

* Save it to your desktop.

* Please double-click Killbox.exe to run it.

* Select "Delete on Reboot".

* Open the Notepad file where you saved the file paths earlier and copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C

C:\wp.exe
C:\wp.bmp
C:\bsw.exe
C:\Windows\sites.ini
C:\Windows\popuper.exe
C:\Windows\system\hhk.dll
C:\Windows\System\wldr.dll
C:\Windows\System\helper.exe
C:\Windows\System\intmon.exe
C:\Windows\System\shnlog.exe
C:\Windows\System\intmonp.exe
C:\Windows\System\msmsgs.exe
C:\Windows\system\msole32.exe
C:\Windows\System\ole32vbs.exe


* Return to Killbox, go to the File menu, and choose "Paste from Clipboard".

* Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.

If your computer does not restart automatically, please restart it manually.

While your computer is restarting, tap the F8 key continually until a menu appears. Use your up arrow key to highlight Safe Mode, then hit enter.

Make sure you can view hidden files.

Using Windows Explorer, delete the following, if found, (please do NOT try to find them by "search" because they will not show up that way)

FOLDERS to delete (in bold) if found:

C:\Program Files\Search Maid
C:\Program Files\Virtual Maid
C:\Windows\System32\Log Files
C:\Program Files\Security IGuard


Reboot into normal mode.

1.) Download The Hoster. Press "Restore Original Hosts" and press "OK". Exit the program.

2.) Right-Click HERE and Save As to download DelDomains.inf to your desktop.
To use: RIGHT-CLICK DelDomains.inf on your desktop and select: Install (no need to restart)
Note: This will remove all entries in the "Trusted Zone" and "Ranges" also.

3.) Download, install, and run CleanUp!

4.) Run this online virus scan: ActiveScan - Save the results from the scan!

Post a new HiJackThis log along with the results from ActiveScan.

Post by Sean_Claude » June 29th, 2005, 2:28 am

Hi Nick,
I did almost all you said to do. I could not download the cleaner you wanted me to use, so I used CCleaner instead. Here are my 2 logs you requested:


Incident Status Location

Virus:Trj/Multidropper.ACW Disinfected C:\WINDOWS\SYSTEM\winldra.exe
Adware:Adware/WUpd No disinfected C:\WINDOWS\SYSTEM\ide21201.vxd
Virus:Trj/Downloader.CTU Disinfected C:\WINDOWS\SYSTEM\z14.exe
Adware:Adware/ISearch No disinfected C:\WINDOWS\SYSTEM\z13.exe
Virus:Trj/Downloader.CBY Disinfected C:\WINDOWS\SYSTEM\z15.exe
Virus:Trj/Lowzones.BU Disinfected C:\WINDOWS\SYSTEM\z16.exe
Adware:Adware/CWS.Searchmeup No disinfected C:\WINDOWS\SYSTEM\z11.exe
Adware:Adware/IGuard No disinfected C:\WINDOWS\SYSTEM\wldr.dll
Adware:Adware/Startpage.YC No disinfected C:\WINDOWS\SYSTEM\intronsad.exe
Spyware:Spyware/Loadcash No disinfected C:\WINDOWS\SYSTEM\cmd32.exe
Virus:Trj/Multidropper.AKB Disinfected C:\WINDOWS\SYSTEM\z12.exe
Adware:Adware/DelFinMedia No disinfected C:\WINDOWS\SYSTEM\nsvsvc\nsvsvc.exe
Adware:Adware/DelFinMedia No disinfected C:\WINDOWS\SYSTEM\nsvsvc\nsvs.dll
Adware:Adware/DelFinMedia No disinfected C:\WINDOWS\SYSTEM\nsvsvc\nsv.ocx
Virus:Trj/Downloader.BTV Disinfected C:\WINDOWS\SYSTEM\sssdfgbsdfghbnj.exe
Virus:Trj/Downloader.BTV Disinfected C:\WINDOWS\SYSTEM\popcorn128.exe
Adware:Adware/SAHAgent No disinfected C:\WINDOWS\SYSTEM\bln02nqv.exe
Adware:Adware/SAHAgent No disinfected C:\WINDOWS\SYSTEM\2b3fsk0h.dll
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\UpdInst.exe
Spyware:Spyware/BargainBuddy No disinfected C:\WINDOWS\SYSTEM\exdl.exe
Spyware:Spyware/BargainBuddy No disinfected C:\WINDOWS\SYSTEM\mqexdlm.srg
Adware:Adware/ExactSearch No disinfected C:\WINDOWS\SYSTEM\exul.exe
Adware:Adware/ExactSearch No disinfected C:\WINDOWS\SYSTEM\javexulm.vxd
Spyware:Spyware/BargainBuddy No disinfected C:\WINDOWS\SYSTEM\bbchk.exe
Spyware:Spyware/BargainBuddy No disinfected C:\WINDOWS\SYSTEM\exclean.exe
Spyware:Spyware/BargainBuddy No disinfected C:\WINDOWS\SYSTEM\msbe.dll
Adware:Adware/ExactSearch No disinfected C:\WINDOWS\SYSTEM\nvms.dll
Adware:Adware/eZula No disinfected C:\WINDOWS\SYSTEM\mscb.dll
Spyware:Spyware/BargainBuddy No disinfected C:\WINDOWS\SYSTEM\exdl3.exe
Spyware:Spyware/BargainBuddy No disinfected C:\WINDOWS\SYSTEM\exdl2.exe
Spyware:Spyware/BargainBuddy No disinfected C:\WINDOWS\SYSTEM\exdl1.exe
Adware:Adware/ExactSearch No disinfected C:\WINDOWS\SYSTEM\exul1.exe
Adware:Adware/ExactSearch No disinfected C:\WINDOWS\SYSTEM\exul3.exe
Adware:Adware/DelFinMedia No disinfected C:\WINDOWS\SYSTEM\vidctrl\vidctrl.exe
Adware:Adware/Transponder No disinfected C:\WINDOWS\INF\CERES.INF
Spyware:Spyware/BetterInet No disinfected C:\WINDOWS\INF\banner.inf
Adware:Adware/SearchAid No disinfected C:\WINDOWS\Favorites\Search the Web.url
Virus:Trj/Qhost.gen Disinfected C:\WINDOWS\HOSTS.SAM
Adware:Adware/ISearch No disinfected C:\WINDOWS\Desktop\hijackthis\backups\backup-20050610-140841-163.dll
Spyware:Spyware/BetterInet No disinfected C:\WINDOWS\Desktop\hijackthis\backups\backup-20050625-104357-983.dll
Spyware:Spyware/Dyfuca No disinfected C:\WINDOWS\Desktop\hijackthis\backups\backup-20050610-140842-378.dll
Adware:Adware/WinAD No disinfected C:\WINDOWS\Desktop\hijackthis\backups\backup-20050610-140845-919.dll
Adware:Adware/CWS.Aboutblank No disinfected C:\WINDOWS\Desktop\hijackthis\backups\backup-20050611-113633-644.dll
Spyware:Spyware/Dyfuca No disinfected C:\WINDOWS\Desktop\hijackthis\backups\backup-20050610-140841-380.dll.tcf
Spyware:Spyware/Media-motor No disinfected C:\WINDOWS\Desktop\hijackthis\backups\backup-20050625-104357-978.inf
Spyware:Spyware/Media-motor No disinfected C:\WINDOWS\Desktop\hijackthis\backups\backup-20050625-104357-978.dll
Adware:Adware/SuperSpider No disinfected C:\WINDOWS\msxmidi.exe
Spyware:Spyware/BetterInet No disinfected C:\WINDOWS\CERES.DLL
Spyware:Spyware/Media-motor No disinfected C:\WINDOWS\seeve.exe
Adware:Adware/WinTools No disinfected C:\WINDOWS\hisistheurls.exe
Spyware:Spyware/Media-motor No disinfected C:\WINDOWS\unstall.exe
Virus:Trj/Multidropper.ACW Disinfected C:\WINDOWS\wmplayer.exe
Virus:Trj/Imiserv.D Disinfected C:\WINDOWS\wupdt.exe
Virus:Trj/Imiserv.D Disinfected C:\WINDOWS\systb.dll
Virus:Trj/Bancos.NL Disinfected C:\WINDOWS\wmplayer2.exe
Virus:Bck/Dumador.O Renamed C:\WINDOWS\netdx.dat
Virus:W32/Dumaru.R.worm Disinfected C:\WINDOWS\dvpd.dll
Spyware:Spyware/BetterInet No disinfected C:\WINDOWS\Buddy.exe
Spyware:Spyware/BargainBuddy No disinfected C:\WINDOWS\exdl.exe
Spyware:Spyware/Loadcash No disinfected C:\WINDOWS\loadclean.exe
Adware:Adware/ISearch No disinfected C:\WINDOWS\deskbar.ini
Adware:Adware/ISearch No disinfected C:\WINDOWS\delprot.ini
Spyware:Spyware/BetterInet No disinfected C:\WINDOWS\inst\3p_1n2.exe
Adware:Adware/SAHAgent No disinfected C:\WINDOWS\70tovmto.exe
Adware:Adware/HuntBar No disinfected C:\NULL
Adware:Adware/DelFinMedia No disinfected C:\Program Files\Common Files\Uninstall Information\RemoveDisplayUtility.exe
Adware:Adware/SaveNow No disinfected C:\Program Files\MaxALERT\SaveNowInst.exe
Adware:Adware/ISearch No disinfected C:\Program Files\Mozilla Firefox\extensions\{2bafa858-4ff3-4207-822e-ef46d1b431de}\chrome\isearch.jar[isearch.js]
Adware:Adware/ExactSearch No disinfected C:\Program Files\NaviSearch\bin\NLS.EXE.tcf
Spyware:Spyware/BargainBuddy No disinfected C:\Program Files\BullsEye Network\bin\adv.exe
Spyware:Spyware/BargainBuddy No disinfected C:\Program Files\BullsEye Network\bin\adx.exe
Spyware:Spyware/BargainBuddy No disinfected C:\Program Files\CashBack\bb_click_wider.swf
Spyware:Spyware/BargainBuddy No disinfected C:\Program Files\CashBack\bb_auto_wider.swf
Spyware:Spyware/BargainBuddy No disinfected C:\Program Files\CashBack\bb_welcome.html
Spyware:Spyware/BargainBuddy No disinfected C:\Program Files\CashBack\bb_welcome1.swf
Spyware:Spyware/BargainBuddy No disinfected C:\Program Files\CashBack\icon.gif
Spyware:Spyware/BargainBuddy No disinfected C:\Program Files\CashBack\logo.gif
Spyware:Spyware/BargainBuddy No disinfected C:\Program Files\CashBack\bin\cb.exe
Spyware:Spyware/BargainBuddy No disinfected C:\Program Files\CashBack\bin\flash.exe
Adware:Adware/HuntBar No disinfected C:\Temp\EDow.exe
Spyware:Spyware/BargainBuddy No disinfected C:\Temp\bb_click_wider.swf
Spyware:Spyware/BargainBuddy No disinfected C:\Temp\bb_auto_wider.swf
Spyware:Spyware/BargainBuddy No disinfected C:\Temp\bb_welcome.html
Spyware:Spyware/BargainBuddy No disinfected C:\Temp\bb_welcome1.swf
Spyware:Spyware/BargainBuddy No disinfected C:\Temp\icon.gif
Spyware:Spyware/BargainBuddy No disinfected C:\Temp\logo.gif
Adware:Adware/BlueScreenWarningNo disinfected C:\wp.exe
Adware:Adware/BlueScreenWarningNo disinfected C:\wp.bmp
Spyware:Spyware/BargainBuddy No disinfected C:\installer_MARKETING30.exe
Adware:Adware/PortalScan No disinfected C:\InstallAPS.exe
Logfile of HijackThis v1.99.1
Scan saved at 11:18:54 PM, on 6/28/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v5.00 (5.00.2614.3500)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\ATICWD32.EXE
C:\WINDOWS\SYSTEM\ATITASK.EXE
C:\PROGRAM FILES\EASY KEYBOARD\EASYKEY.EXE
C:\PROGRAM FILES\TROJANHUNTER 4.2\THGUARD.EXE
C:\PROGRAM FILES\BULLSEYE NETWORK\BIN\BARGAINS.EXE
C:\WINDOWS\SYSTEM\NSVSVC\NSVSVC.EXE
C:\WINDOWS\SYSTEM\VIDCTRL\VIDCTRL.EXE
C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\NOTEPAD.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.e4me.com
O2 - BHO: CeresObj Class - {00000049-8F91-4D9C-9573-F016E7626484} - C:\WINDOWS\CERES.DLL
O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\SYSTB.DLL (file missing)
O2 - BHO: ADP UrlCatcher Class - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - C:\WINDOWS\SYSTEM\MSBE.DLL
O2 - BHO: NLS UrlCatcher Class - {AEECBFDA-12FA-4881-BDCE-8C3E1CE4B344} - C:\WINDOWS\SYSTEM\NVMS.DLL
O2 - BHO: CB UrlCatcher Class - {CE188402-6EE7-4022-8868-AB25173A3E14} - C:\WINDOWS\SYSTEM\MSCB.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] systray.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [AtiCwd32] Aticwd32.exe
O4 - HKLM\..\Run: [AtiKey] Atitask.exe
O4 - HKLM\..\Run: [Easykey] C:\Program Files\Easy Keyboard\Easykey.exe
O4 - HKLM\..\Run: [SBWatchDog.EXE] C:\WINDOWS\SYSTEM\SBUtils\SBWatchDog.EXE /l
O4 - HKLM\..\Run: [SoundFusion] RunDll32 cwcprops.cpl,CrystalControlWnd
O4 - HKLM\..\Run: [THGuard] "C:\PROGRAM FILES\TROJANHUNTER 4.2\THGUARD.EXE"
O4 - HKLM\..\Run: [BullsEye Network] C:\Program Files\BullsEye Network\bin\bargains.exe
O4 - HKLM\..\Run: [NaviSearch] C:\Program Files\NaviSearch\bin\nls.exe
O4 - HKLM\..\Run: [CashBack] C:\Program Files\CashBack\bin\cashback.exe
O4 - HKLM\..\Run: [Nsv] C:\WINDOWS\SYSTEM\nsvsvc\nsvsvc.exe
O4 - HKLM\..\Run: [vidctrl] C:\WINDOWS\SYSTEM\VIDCTRL\VIDCTRL.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] c:\windows\SYSTEM\mstask.exe
O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O14 - IERESET.INF: START_PAGE_URL=www.e4me.com
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O16 - DPF: {4208FB4D-4E53-4F5A-BF7A-3E047DDB5281} (ActiveX Control) - http://www.icannnews.com/app/ST/ActiveX.ocx
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab

Thanks for everything, Claude
PS: still getting popups.

Post by Nick-YF19 » June 29th, 2005, 3:39 am

Something is preventing some of the fixes from keeping. I see you have some software from SBC that may be the cause:

O4 - HKLM\..\Run: [SBWatchDog.EXE] C:\WINDOWS\SYSTEM\SBUtils\SBWatchDog.EXE /l

Open the watchdog program if you can and turn it off. I'm not too familiar with it, so I'm not sure how to turn it off. If you can't figure it out, fix the above line with HJT. Don't fix anything else with HJT until you are in safe mode.



Next, download Pocket Killbox and unzip it; save it to your Desktop. Unzip it to a convenient location. DO NOT RUN IT YET.


After that, restart the computer in Safe mode. When the computer is starting, begin tapping the F8 key on your keyboard. Continue to do so until the Windows Advanced Options menu appears. Using the arrow keys on the keyboard, scroll to and select the Safe mode menu item, and then press Enter.


Open the task manager and end these processes if found:

C:\PROGRAM FILES\BULLSEYE NETWORK\BIN\BARGAINS.EXE
C:\WINDOWS\SYSTEM\NSVSVC\NSVSVC.EXE
C:\WINDOWS\SYSTEM\VIDCTRL\VIDCTRL.EXE




Scan with Hijackthis and check the boxes next to all these,

O2 - BHO: CeresObj Class - {00000049-8F91-4D9C-9573-F016E7626484} - C:\WINDOWS\CERES.DLL
O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\SYSTB.DLL (file missing)
O2 - BHO: ADP UrlCatcher Class - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - C:\WINDOWS\SYSTEM\MSBE.DLL
O2 - BHO: NLS UrlCatcher Class - {AEECBFDA-12FA-4881-BDCE-8C3E1CE4B344} - C:\WINDOWS\SYSTEM\NVMS.DLL
O2 - BHO: CB UrlCatcher Class - {CE188402-6EE7-4022-8868-AB25173A3E14} - C:\WINDOWS\SYSTEM\MSCB.DLL
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)

O4 - HKLM\..\Run: [BullsEye Network] C:\Program Files\BullsEye Network\bin\bargains.exe
O4 - HKLM\..\Run: [NaviSearch] C:\Program Files\NaviSearch\bin\nls.exe
O4 - HKLM\..\Run: [CashBack] C:\Program Files\CashBack\bin\cashback.exe
O4 - HKLM\..\Run: [Nsv] C:\WINDOWS\SYSTEM\nsvsvc\nsvsvc.exe
O4 - HKLM\..\Run: [vidctrl] C:\WINDOWS\SYSTEM\VIDCTRL\VIDCTRL.EXE
O16 - DPF: {4208FB4D-4E53-4F5A-BF7A-3E047DDB5281} (ActiveX Control) - http://www.icannnews.com/app/ST/ActiveX.ocx

Now close all other windows, then click Fix Checked.



1. Copy the following list to the Clipboard. Click and hold the right mouse button and move the pointer over the following text until it is all highlighted.
C:\WINDOWS\CERES.DLL
C:\WINDOWS\SYSTEM\MSBE.DLL
C:\WINDOWS\SYSTEM\NVMS.DLL
C:\WINDOWS\SYSTEM\MSCB.DLL
C:\Program Files\BullsEye Network\bin\bargains.exe
C:\Program Files\NaviSearch\bin\nls.exe
C:\Program Files\CashBack\bin\cashback.exe
C:\WINDOWS\SYSTEM\nsvsvc\nsvsvc.exe
C:\WINDOWS\SYSTEM\VIDCTRL\VIDCTRL.EXE



2. Start Pocket Killbox, it is the red circle with a large white X in it. Click the radio button that says Delete a file on reboot. Click on the "File" menu and select "Paste from Clipboard". One of the files from the list under the last point should show in the window under "Full Path of File to Delete". Click the little arrow next to the window and check that they are all there and that no files not on the list are present.
Click the red circle with a white cross in it.
The program will ask you to confirm the delete. Answer yes.
The program will ask you if you want to reboot. Answer yes.
Let the system reboot.

After rebooting, look to see if these folders are still present, delete them if found.

C:\Program Files\BullsEye Network
C:\Program Files\NaviSearch
C:\Program Files\CashBack
C:\WINDOWS\SYSTEM\nsvsvc
C:\WINDOWS\SYSTEM\VIDCTRL


After that, post a new hijackthis log.
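The same HijackThis entry types come up in the helper's posts above (the first reply and this one): R0/R1 start and search pages pointing at about:blank or a res:// page, O2 BHOs whose DLL is missing, O3 toolbars with no file, O4 autostart entries that load code out of a TEMP directory, and O16 ActiveX downloads from an unexpected site. The script below is an added example, not part of this thread and not HijackThis code: it parses a log in the v1.99.1 layout shown above and applies those triage rules. The embedded sample log is constructed from entry types seen in the thread, and the O16 host allowlist (the two online-scanner sites that appear in the logs) is an assumption.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Constructed sample in HijackThis v1.99.1 layout, assembled from entry types
# seen in this thread (not a real log from the poster's machine).
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
Platform: Windows 98 SE (Win9x 4.10.2222A)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\NSVSVC\NSVSVC.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.e4me.com
O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\SYSTB.DLL (file missing)
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [sp] rundll32 C:\WINDOWS\TEMP\SE.DLL,DllInstall
O4 - HKLM\..\Run: [SystemTray] systray.exe
O16 - DPF: {4208FB4D-4E53-4F5A-BF7A-3E047DDB5281} (ActiveX Control) - http://www.icannnews.com/app/ST/ActiveX.ocx
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
"""

ENTRY_RE = re.compile(r"^(?P<code>[RO]\d{1,2}) - (?P<body>.+)$")
# R-entries are written as "<registry key>,<value name> = <data>"; split on the first " = ".
KV_RE = re.compile(r"^(?P<key>.+?) = (?P<value>.*)$")

# Assumption: the only O16 download sites we expect are the two online scanners
# the helper had the poster run; any other host is reported.
KNOWN_O16_HOSTS = {"www.pandasoftware.com", "www.ravantivirus.com"}


@dataclass
class Entry:
    code: str   # HJT section code, e.g. "R1", "O4"
    body: str   # rest of the line


@dataclass
class Finding:
    code: str
    reason: str
    body: str


def parse_log(text):
    """Return (running_processes, entries) from a HijackThis log."""
    processes, entries = [], []
    in_processes = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            in_processes = False      # the process list ends at the first blank line
            continue
        if line == "Running processes:":
            in_processes = True
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.append(Entry(m.group("code"), m.group("body")))
        elif in_processes:
            processes.append(line)
    return processes, entries


def triage(entries):
    """Apply the triage rules the thread illustrates; returns a list of Finding."""
    findings = []
    for e in entries:
        if e.code in ("R0", "R1"):
            kv = KV_RE.match(e.body)
            value = kv.group("value").strip().lower() if kv else ""
            # The about:blank hijack in this thread set the start/search pages to
            # about:blank and the search bar to a res:// page inside a rogue DLL.
            if value == "about:blank" or value.startswith("res://"):
                findings.append(Finding(e.code, "IE start/search page points at about:blank or a res:// resource", e.body))
        elif e.code == "O2" and e.body.endswith("(file missing)"):
            findings.append(Finding(e.code, "BHO registration whose DLL is gone (orphaned after cleanup)", e.body))
        elif e.code == "O3" and e.body.endswith("(no file)"):
            findings.append(Finding(e.code, "toolbar registration with no backing file", e.body))
        elif e.code == "O4" and "\\temp\\" in e.body.lower():
            findings.append(Finding(e.code, "autostart entry loads code from a TEMP directory", e.body))
        elif e.code == "O16":
            url = e.body.rsplit(" - ", 1)[-1].strip()
            host = (urlparse(url).hostname or "").lower()
            if host not in KNOWN_O16_HOSTS:
                findings.append(Finding(e.code, f"ActiveX control downloaded from unexpected host {host!r}", e.body))
    return findings


if __name__ == "__main__":
    procs, ents = parse_log(SAMPLE_LOG)
    print(f"{len(procs)} running processes, {len(ents)} entries")
    for f in triage(ents):
        print(f"[{f.code}] {f.reason}\n    {f.body}")
```

Run against the sample it reports five entries, one of each kind, and leaves the Default_Page_URL, SystemTray and ActiveScan lines alone; the rules are deliberately narrow heuristics, so an unflagged line is not a clean bill of health.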

Post by Sean_Claude » June 30th, 2005, 12:44 am

Hi Nick,
I did everything you said to do; things are a lot better, no popups and the puter is working faster. On the Killbox, I had to add each file individually.
Thanks a lot, Claude
Here is my new log after rebooting:

Logfile of HijackThis v1.99.1
Scan saved at 9:36:00 PM, on 6/29/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v5.00 (5.00.2614.3500)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\ATICWD32.EXE
C:\WINDOWS\SYSTEM\ATITASK.EXE
C:\PROGRAM FILES\EASY KEYBOARD\EASYKEY.EXE
C:\PROGRAM FILES\TROJANHUNTER 4.2\THGUARD.EXE
C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.e4me.com
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] systray.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [AtiCwd32] Aticwd32.exe
O4 - HKLM\..\Run: [AtiKey] Atitask.exe
O4 - HKLM\..\Run: [Easykey] C:\Program Files\Easy Keyboard\Easykey.exe
O4 - HKLM\..\Run: [SBWatchDog.EXE] C:\WINDOWS\SYSTEM\SBUtils\SBWatchDog.EXE /l
O4 - HKLM\..\Run: [SoundFusion] RunDll32 cwcprops.cpl,CrystalControlWnd
O4 - HKLM\..\Run: [THGuard] "C:\PROGRAM FILES\TROJANHUNTER 4.2\THGUARD.EXE"
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] c:\windows\SYSTEM\mstask.exe
O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O14 - IERESET.INF: START_PAGE_URL=www.e4me.com
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab

Post by Nick-YF19 » June 30th, 2005, 10:17 pm

This is my normal post for when you are clear - which you now are - or seem to be. Please advise of any problems you still have:

Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:
  1. Disable and Enable System Restore. - If you are using Windows ME or XP then you should disable and re-enable system restore to make sure there are no infected files found in a restore point.
    You can find instructions on how to enable and re enable system restore here:
    Managing Windows Millennium System Restore
    or
    Windows XP System Restore Guide
    re-enable system restore with instructions from tutorial above
  2. Make your Internet Explorer more secure - This can be done by following these simple instructions:
    1. From within Internet Explorer click on the Tools menu and then click on Options.
    2. Click once on the Security tab
    3. Click once on the Internet icon so it becomes highlighted.
    4. Click once on the Custom Level button.
      1. Change the Download signed ActiveX controls to Prompt
      2. Change the Download unsigned ActiveX controls to Disable
      3. Change the Initialise and script ActiveX controls not marked as safe to Disable
      4. Change the Installation of desktop items to Prompt
      5. Change the Launching programs and files in an IFRAME to Prompt
      6. Change the Navigate sub-frames across different domains to Prompt
      7. When all these settings have been made, click on the OK button.
      8. If it prompts you as to whether or not you want to save the settings, press the Yes button.
    5. Next press the Apply button and then the OK to exit the Internet Properties page.
  3. Use Anti-Virus Software - It is very important that your computer has anti-virus software running on it. This alone can save you a lot of trouble with malware in the future. See this link for a listing of some online and stand-alone anti-virus programs:
    Computer Safety On line - Anti-Virus
  4. Update your Anti-Virus Software - It is imperative that you update your anti-virus software at least once a week (even more if you wish). If you do not update your anti-virus software then it will not be able to catch any of the new variants that may come out.
  5. Use a Firewall - I can not stress how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. Simply using a Firewall in its default configuration can lower your risk greatly. For an article on Firewalls and a listing of some available ones see the link below:
    Computer Safety On line - Software Firewalls
  6. Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.
  7. Install Spybot - Search and Destroy - Install and download Spybot - Search and Destroy with its TeaTimer option.
    This will provide real-time spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with the program on a regular basis just as you would an anti virus software. A tutorial on installing & using this product can be found here:
    Instructions for - Spybot S & D and Ad-aware
  8. Install Ad-Aware - Install and download Ad-Aware. You should also scan your computer with the program on a regular basis just as you would an anti virus software in conjunction with Spybot. A tutorial on installing & using this product can be found here:
    Instructions for - Spybot S & D and Ad-aware
  9. Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs. An article on anti-malware products with links for this program and others can be found here:
    Computer Safety on line - Anti-Malware
  10. Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
Follow this list and your potential for being infected again will reduce dramatically.
Nick-YF19
Admin/Teacher Emeritus
 
Posts: 4036
Joined: May 17th, 2005, 12:42 am
Location: California

Unread postby Sean_Claude » July 3rd, 2005, 8:43 pm

Hi Nick,
Guess what, before I got all the safeguards in, I think
I got the same virus back again. The puter is slow again
and I get popups faster than I can erase them.
Should I post another HijackThis log, so you can see
what is going on?
Thanks for dealing with all the problems.
Claude
Sean_Claude
Regular Member
 
Posts: 33
Joined: June 13th, 2005, 4:37 pm

Unread postby Nick-YF19 » July 3rd, 2005, 11:39 pm

Go ahead and post a new log. Can't tell much till then.
Nick-YF19
Admin/Teacher Emeritus
 
Posts: 4036
Joined: May 17th, 2005, 12:42 am
Location: California

Unread postby Sean_Claude » July 4th, 2005, 12:18 am

Here is the current log=

Logfile of HijackThis v1.99.1
Scan saved at 10:18:08 PM, on 7/3/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v5.00 (5.00.2614.3500)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\ATICWD32.EXE
C:\WINDOWS\SYSTEM\ATITASK.EXE
C:\PROGRAM FILES\EASY KEYBOARD\EASYKEY.EXE
C:\PROGRAM FILES\TROJANHUNTER 4.2\THGUARD.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\SYSTEM\MSLUI4.EXE
C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
C:\WINDOWS\SYSTEM\MSLUI4.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\CRAZY BROWSER\CRAZY BROWSER.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.e4me.com
O2 - BHO: CControl Object - {3643ABC2-21BF-46B9-B230-F247DB0C6FD6} - C:\Program Files\E2G\IeBHOs.dll
O2 - BHO: CeresObj Class - {00000049-8F91-4D9C-9573-F016E7626484} - C:\WINDOWS\CERES.DLL
O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\SYSTB.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] systray.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [AtiCwd32] Aticwd32.exe
O4 - HKLM\..\Run: [AtiKey] Atitask.exe
O4 - HKLM\..\Run: [Easykey] C:\Program Files\Easy Keyboard\Easykey.exe
O4 - HKLM\..\Run: [SBWatchDog.EXE] C:\WINDOWS\SYSTEM\SBUtils\SBWatchDog.EXE /l
O4 - HKLM\..\Run: [SoundFusion] RunDll32 cwcprops.cpl,CrystalControlWnd
O4 - HKLM\..\Run: [THGuard] "C:\PROGRAM FILES\TROJANHUNTER 4.2\THGUARD.EXE"
O4 - HKLM\..\Run: [Win Server Updt] C:\WINDOWS\wupdt.exe
O4 - HKLM\..\Run: [AUNPS2] RUNDLL32 AUNPS2.DLL,_Run@16
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] c:\windows\SYSTEM\mstask.exe
O4 - HKCU\..\Run: [MSLUI4] C:\WINDOWS\SYSTEM\MSLUI4.exe
O4 - HKCU\..\RunOnce: [MSLUI4] C:\WINDOWS\SYSTEM\MSLUI4.exe
O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O14 - IERESET.INF: START_PAGE_URL=www.e4me.com
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
Sean_Claude
Regular Member
 
Posts: 33
Joined: June 13th, 2005, 4:37 pm

Unread postby Nick-YF19 » July 4th, 2005, 11:42 pm

Please download FxIeplgn from here:

http://securityresponse.symantec.com/av ... Ieplgn.exe

Save it to the desktop for later use.

-------


Please Download RKFiles.zip

Create a new folder C:\Antispyware\RKFiles
Extract the contents of RKFiles.zip into the new folder you just created.

Next, Create a new Folder on Desktop. Name that Folder QOOLOGIC
Please download Findqoologic into the new Folder, and then unzip it into the new Folder.

---------

You might want to print out instructions because we need IE closed during the fix, including this window.

----------

Go to Add/Remove programs in the Control Panel and find the following:

The E2GBHO variant has an entry in the Control Panel's Add/Remove Programs feature; choose 'E2Give Browser Add On' and uninstall it.

-----------

Scan with HijackThis and check the boxes next to all these,

O2 - BHO: CeresObj Class - {00000049-8F91-4D9C-9573-F016E7626484} - C:\WINDOWS\CERES.DLL
O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\SYSTB.DLL
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [Win Server Updt] C:\WINDOWS\wupdt.exe
O4 - HKLM\..\Run: [AUNPS2] RUNDLL32 AUNPS2.DLL,_Run@16
O4 - HKCU\..\Run: [MSLUI4] C:\WINDOWS\SYSTEM\MSLUI4.exe
O4 - HKCU\..\RunOnce: [MSLUI4] C:\WINDOWS\SYSTEM\MSLUI4.exe


Now close all other windows, then click Fix Checked.

After that, restart the computer in Safe mode. When the computer is starting, begin tapping the F8 key on your keyboard. Continue to do so until the Windows Advanced Options menu appears. Using the arrow keys on the keyboard, scroll to and select the Safe mode menu item, and then press Enter.

Enable hidden files by doing this:

* Double-click My Computer.
* Click the Tools menu, and then click Folder Options.
* Click the View tab.
* Clear "Hide file extensions for known file types."
* Under the "Hidden files" folder, select "Show hidden files and folders."
* Clear "Hide protected operating system files."
* Click Apply, and then click OK.

Then find and delete these files:

C:\WINDOWS\CERES.DLL
C:\WINDOWS\SYSTB.DLL
C:\WINDOWS\wupdt.exe
C:\WINDOWS\AUNPS2.DLL <- if not found, then search computer
C:\WINDOWS\SYSTEM\MSLUI4.exe



Run FxIeplgn.exe you downloaded earlier.
Click Start to run the scan.

It will remove registry items and files associated with IePlugin.
Save the log please.

Open the C:\Antispyware\RKFiles folder
Double click on RKFILES.BAT

Give it time to run. This may take a while.
Save the text file it creates.
It should save by default to C:\Log.txt

Next, open the QOOLOGIC Folder, locate the Find-Qoologic.bat file and double-click it to run it.
Wait until a text file opens, post it in a reply to your thread after doing the rest of what follows here.
It'll take a while to run a full scan so please be patient.


Reboot normally and post the RKFiles, Qoologic, FxIeplgn, and a new HijackThis log.
Nick-YF19
Admin/Teacher Emeritus
 
Posts: 4036
Joined: May 17th, 2005, 12:42 am
Location: California

Unread postby Sean_Claude » July 6th, 2005, 7:08 pm

Hi Nick,
Did everything you said.
Could not find these 3 files=
C:\WINDOWS\CERES.DLL
C:\WINDOWS\SYSTB.DLL
C:\WINDOWS\wupdt.exe

Deleted these 2 =
C:\WINDOWS\AUNPS2.DLL <- if not found, then search computer
C:\WINDOWS\SYSTEM\MSLUI4.exe

Thanks, and here are the 4 scans=
ECHO is off

PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
Files Found in system Folder............
------------------------
C:\WINDOWS\msxmidi.exe: FSG!

Files Found in all users startup Folder............
------------------------
Files Found in all users windows Folder............
------------------------
C:\WINDOWS\tdtb.exe: UPX!
C:\WINDOWS\Buddy.exe: UPX!
C:\WINDOWS\ScrBlaze.scr: UPX!
C:\WINDOWS\vsapi32.dll: UPX!t
C:\WINDOWS\loadclean.exe: UPX!
Finished
bye
________________________

PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, There WILL be LEGIT FILES LISTED PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
»»»»»»»»»»»»»»»»»»»»»»»»» Files found in System »»»»»»»»»»»»»»»»»»»»»»»



»»»»»»»»»»»»»»»»»»»»»»»»» startup files »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

»»»»»»»»»»»»»»»»»»»»»»»»» Checking Global Startup »»»»»»»»»»»»»»»»»»»»»


Global Startup:
problem locating dir

User Startup:
C:\WINDOWS\Start Menu\Programs\StartUp

____________________
Symantec Adware.IEPlugin Removal Tool 1.0.5


registry: HKEY_USERS\.DEFAULT\Software\intexp (key deleted)
registry: HKEY_LOCAL_MACHINE\SOFTWARE\Bargains (key deleted)
registry: HKEY_LOCAL_MACHINE\SOFTWARE\CashBack (key deleted)
registry: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ADP.UrlCatcher (key deleted)
registry: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ADP.UrlCatcher.1 (key deleted)
registry: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CB.UrlCatcher (key deleted)
registry: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CB.UrlCatcher.1 (key deleted)
registry: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1C896551-8B92-4907-8C06-15DB2D1F874A} (key deleted)
registry: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D36F70B1-7DF5-4FD4-A765-70CCC8F72CD7} (key deleted)
registry: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E2BF1BF3-1FDB-4C93-8874-0B09E71C594C} (key deleted)
registry: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F3155057-4C2C-4078-8576-50486693FD49} (key deleted)
registry: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\IMIToolbar.BottomFrame (key deleted)
registry: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\IMIToolbar.BottomFrame.1 (key deleted)
registry: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\IMIToolbar.LeftFrame (key deleted)
registry: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\IMIToolbar.LeftFrame.1 (key deleted)
registry: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\IMIToolbar.PopupBrowser (key deleted)
registry: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\IMIToolbar.PopupBrowser.1 (key deleted)
registry: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\IMIToolbar.PopupWindow (key deleted)
registry: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\IMIToolbar.PopupWindow.1 (key deleted)
registry: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{220959EA-B54C-4201-8DF2-1CFAC8B59FD7} (key deleted)
registry: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{3E589169-86AD-44FE-B426-F0BF105D5582} (key deleted)
registry: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6A288140-3E1C-4CD9-AAC5-E20FDD4F5D64} (key deleted)
registry: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{7371AD3F-C419-4DC0-8E8A-E21FAFAD53E0} (key deleted)
registry: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{8EEE58D5-130E-4CBD-9C83-35A0564E1357} (key deleted)
registry: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{8EEE58D5-130E-4CBD-9C83-35A0564E2468} (key deleted)
registry: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{8EEE58D5-130E-4CBD-9C83-35A0564E5678} (key deleted)
registry: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{98B2DDBA-6DA2-4421-AF2B-814E98F53649} (key deleted)
registry: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{C6906A23-4717-4E1F-B6FD-F06EBED11357} (key deleted)
registry: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{C6906A23-4717-4E1F-B6FD-F06EBED12468} (key deleted)
registry: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{C6906A23-4717-4E1F-B6FD-F06EBED15678} (key deleted)
registry: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E4458B4A-6149-4450-84F2-864ADB7E8C52} (key deleted)
registry: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\NLS.UrlCatcher (key deleted)
registry: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\NLS.UrlCatcher.1 (key deleted)
registry: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Remove (key deleted)
registry: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{4EB7BBE8-2E15-424B-9DDB-2CDB9516B2C3} (key deleted)
registry: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{4EB7BBE8-2E15-424B-9DDB-2CDB9516C2E3} (key deleted)
registry: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{4EB7BBE8-2E15-424B-9DDB-2CDB9516E2A3} (key deleted)
registry: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{57ADD57B-173E-418A-8F70-17E5C9F2BCC9} (key deleted)
registry: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wbho.Band (key deleted)
registry: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wbho.Band.1 (key deleted)
registry: HKEY_LOCAL_MACHINE\SOFTWARE\eXactUtil (key deleted)
registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\BargainBuddy (key deleted)
registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\CashBack (key deleted)
registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\NaviSearch (key deleted)
registry: HKEY_LOCAL_MACHINE\SOFTWARE\NaviSearch (key deleted)
c:\WINDOWS\SYSTEM\ide21201.vxd: (deleted)
c:\WINDOWS\SYSTEM\exul.exe: (deleted)
c:\WINDOWS\SYSTEM\javexulm.vxd: (deleted)
c:\WINDOWS\SYSTEM\exclean.exe: (deleted)
c:\WINDOWS\SYSTEM\exul1.exe: (deleted)
c:\WINDOWS\SYSTEM\exul3.exe: (deleted)

process: EXPLORER.EXE (terminated)
c:\WINDOWS\Desktop\hijackthis\backups\backup-20050629-190353-958.dll: (deleted)

c:\WINDOWS\Desktop\hijackthis\backups\backup-20050629-190353-304.dll: (deleted)

c:\WINDOWS\Desktop\hijackthis\backups\backup-20050704-070226-842.dll: (deleted)
c:\WINDOWS\Temporary Internet Files\Content.IE5\CPWP8VQX\trans[1].gif: (deleted)
c:\WINDOWS\Temporary Internet Files\Content.IE5\CPWP8VQX\dotclear[1].gif: (deleted)
c:\WINDOWS\Temporary Internet Files\Content.IE5\SZAZGJQP\pixel[1].gif: (deleted)
c:\WINDOWS\Temporary Internet Files\Content.IE5\T5XLX39W\trans[1].gif: (deleted)
c:\WINDOWS\Temporary Internet Files\Content.IE5\OP2FG5IV\pixel[1].gif: (deleted)
c:\WINDOWS\Temporary Internet Files\Content.IE5\OP2FG5IV\dotclear[1].gif: (deleted)
c:\WINDOWS\Temporary Internet Files\Content.IE5\OP2FG5IV\spc[1].gif: (deleted)
c:\WINDOWS\Temporary Internet Files\Content.IE5\OP2FG5IV\spc2[1].gif: (deleted)
c:\Program Files\Netscape\Users\abs400059\Cache\MVALUEFP.GIF: (deleted)
c:\Program Files\Netscape\Users\abs400059\Cache\M03O2R4D.GIF: (deleted)
c:\Program Files\Netscape\Users\abs400059\Cache\M005NH38.GIF: (deleted)
c:\Program Files\Netscape\Users\abs400059\Cache\MUS9697O.GIF: (deleted)
c:\Temp\bb_welcome.html: (deleted)
c:\Temp\bb_welcome1.swf: (deleted)
c:\Temp\blank.gif: (deleted)
c:\Temp\icon.gif: (deleted)
c:\unzipped\v1_images\space.gif: (deleted)
c:\package_MARKETING30.exe: (deleted)
C:\WINDOWS\SYSTEM\bbchk.exe: (deleted)
C:\WINDOWS\redir.txt: (deleted)

registry: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main: Search Bar (value deleted)
registry: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main: Use Custom Search URL (value deleted)
registry: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchUrl (key deleted)
registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main: Search Bar (value deleted)
registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main: Use Custom Search URL (value deleted)
registry: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components: GeneralFlags (value set to 0x00000004 (4))

Adware.IEPlugin has been successfully removed from your computer!

Here is the report:

The total number of the scanned files: 38109
The number of deleted files: 29
The number of threat processes terminated: 0
The number of other processes terminated: 1
The number of registry entries fixed: 51
_________________

Logfile of HijackThis v1.99.1
Scan saved at 3:55:19 PM, on 7/6/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v5.00 (5.00.2614.3500)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\ATICWD32.EXE
C:\WINDOWS\SYSTEM\ATITASK.EXE
C:\PROGRAM FILES\EASY KEYBOARD\EASYKEY.EXE
C:\PROGRAM FILES\TROJANHUNTER 4.2\THGUARD.EXE
C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\CRAZY BROWSER\CRAZY BROWSER.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.e4me.com
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] systray.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [AtiCwd32] Aticwd32.exe
O4 - HKLM\..\Run: [AtiKey] Atitask.exe
O4 - HKLM\..\Run: [Easykey] C:\Program Files\Easy Keyboard\Easykey.exe
O4 - HKLM\..\Run: [SBWatchDog.EXE] C:\WINDOWS\SYSTEM\SBUtils\SBWatchDog.EXE /l
O4 - HKLM\..\Run: [SoundFusion] RunDll32 cwcprops.cpl,CrystalControlWnd
O4 - HKLM\..\Run: [THGuard] "C:\PROGRAM FILES\TROJANHUNTER 4.2\THGUARD.EXE"
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] c:\windows\SYSTEM\mstask.exe
O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O14 - IERESET.INF: START_PAGE_URL=www.e4me.com
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
Sean_Claude
Regular Member
 
Posts: 33
Joined: June 13th, 2005, 4:37 pm
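A small parser for the HijackThis log format used in this thread, as an added example (it is neither HijackThis code nor the forum's own tooling): it diffs a before-fix and after-fix log to confirm which entries disappeared, and flags orphaned "(no file)" entries plus any entry naming one of the files the helper listed. The two sample logs are constructed subsets of the July 3 and July 6 logs posted above.

```python
import re
from dataclasses import dataclass

# HijackThis prints one entry per line: "O2 - BHO: Name - {CLSID} - path",
# "O4 - HKLM\..\Run: [Label] command", "R1 - key,value = url", and so on.
LINE_RE = re.compile(r"^(?P<section>[RO]\d+)\s+-\s+(?P<body>.+)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")

@dataclass(frozen=True)
class Entry:
    section: str  # R1, O2, O3, O4, ... as printed by HijackThis
    body: str     # everything after "Onn - "

    @property
    def clsid(self):
        m = CLSID_RE.search(self.body)
        return m.group(0).upper() if m else None

    @property
    def orphan(self):
        # A BHO or toolbar whose registered file is gone ends in "(no file)".
        return self.body.endswith("(no file)")

def parse_log(text):
    """Return the R*/O* entries of a log; headers and the process list are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append(Entry(m.group("section"), m.group("body")))
    return entries

def diff_logs(before, after):
    """Entries only in the earlier log (removed) and only in the later one (added)."""
    old, new = set(parse_log(before)), set(parse_log(after))
    key = lambda e: (e.section, e.body)
    return sorted(old - new, key=key), sorted(new - old, key=key)

def flag_entries(entries, watchlist):
    """Entries that name a watched file (case-insensitive) or are orphans."""
    names = {n.lower() for n in watchlist}
    return [e for e in entries
            if e.orphan or any(n in e.body.lower() for n in names)]

# Constructed sample: a subset of the thread's July 3 log (before the fix).
BEFORE_LOG = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.e4me.com
O2 - BHO: CControl Object - {3643ABC2-21BF-46B9-B230-F247DB0C6FD6} - C:\Program Files\E2G\IeBHOs.dll
O2 - BHO: CeresObj Class - {00000049-8F91-4D9C-9573-F016E7626484} - C:\WINDOWS\CERES.DLL
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [Win Server Updt] C:\WINDOWS\wupdt.exe
O4 - HKCU\..\Run: [MSLUI4] C:\WINDOWS\SYSTEM\MSLUI4.exe
O4 - HKCU\..\RunOnce: [MSLUI4] C:\WINDOWS\SYSTEM\MSLUI4.exe
"""

# Constructed sample: the same subset as it appears in the July 6 log (after).
AFTER_LOG = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.e4me.com
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
"""

# File names the helper told the poster to delete (taken from the thread).
WATCHLIST = ["CERES.DLL", "SYSTB.DLL", "wupdt.exe", "AUNPS2.DLL", "MSLUI4.exe"]

if __name__ == "__main__":
    removed, _ = diff_logs(BEFORE_LOG, AFTER_LOG)
    print("\n".join(f"removed: {e.section} - {e.body}" for e in removed))
```

Note that the E2G BHO is not on the watchlist and yet disappears from the diff: it was removed through Add/Remove Programs rather than by deleting a file, which is why diffing the logs is a better completeness check than the watchlist alone.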

Unread postby Nick-YF19 » July 7th, 2005, 6:41 am

Download Pocket Killbox from here: http://www.downloads.subratam.org/KillBox.zip

Unzip the files to a folder, but don't run it yet. Copy the following files to notepad and save it to your desktop for easy access.

C:\WINDOWS\msxmidi.exe
C:\WINDOWS\tdtb.exe
C:\WINDOWS\Buddy.exe
C:\WINDOWS\loadclean.exe


Reboot to safe mode and open Killbox. Add each of the files that you saved to notepad, one at a time. After adding a file, check the box to delete on reboot and check "end explorer.exe while killing file" and "unregister dll before deleting" if not greyed out. Click OK, but select NO until all of the files have been added. When you add the last file, then click yes to reboot.

Allow it to reboot.


After rebooting, visit the Panda online scan and do a scan. Make sure you select auto clean and let it fix what it finds. At the end, it will give you an option to save the log, do so and post that into your next reply.

I don't see a resident antivirus on the computer. Online scans can remove problems, but only after you have been infected. I suggest you download AVG, it is free and fully functional. http://free.grisoft.com/doc/1

Lastly, you really need to go to Windows Update and download all critical updates. Your version of Internet Explorer is badly out of date.
Nick-YF19
Admin/Teacher Emeritus
 
Posts: 4036
Joined: May 17th, 2005, 12:42 am
Location: California

Unread postby Sean_Claude » July 7th, 2005, 3:21 pm

Hi Nick,
Did what you said up to this point=

After rebooting, visit the Panda online scan and do a scan. Make sure you select auto clean and let it fix what it finds. At the end, it will give you an option to save the log, do so and post that into your next reply.

But could not find link to run scan from.
Do you have the link?
Thanks, Claude
Sean_Claude
Regular Member
 
Posts: 33
Joined: June 13th, 2005, 4:37 pm

Unread postby Nick-YF19 » July 7th, 2005, 3:59 pm

Nick-YF19
Admin/Teacher Emeritus
 
Posts: 4036
Joined: May 17th, 2005, 12:42 am
Location: California