Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

Sneaky Virus Problem

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

Sneaky Virus Problem

Unread postby fission1 » August 7th, 2008, 7:10 pm

Greetings,

I am, unfortunately, stuck with this machine running Windows 98, AMD-K6 3D processor and 80MB RAM... 8^)

Recently I was downloading some fonts and when I unzipped them later I found one that contained an .exe which I scanned with avast!. It detected a virus and the file was deleted, so I thought that was the end of it. Since then I've had problems with fonts not displaying properly in Windows Explorer, dialogs and web pages. Boxes show instead of some characters, the characters that don't display changes after each reboot. Some text on web pages displays in a badly pixelated font. Also, when I try to open Photoshop I get the following error:

Microsoft Visual C++ Runtime Library
Runtime Error!

C:\PROGRAM FILES\ADOBE\PHOTOSHOP 7.0\PHOTOSHOP.EXE

This application has requested the Runtime to terminate it in an unusual way. Please contact the application's support team for more information.


I've also had problems, on and off, with Firefox not starting (shows in Task Manager but doesn't start). When I try to open a link in a new tab Firefox freezes, then when I Ctr+Alt+Del to shut it down <unknown> shows in the program list. HiJackThis took 4 tries to open too, same problem as FF above.

I did a full scan with Avast set on thorough, it found nothing.

I didn't have Ad-Aware, and since the latest version doesn't support win98 I downloaded version 6.0 from oldversion.com, it was the newest they had. When I tried to update the reference file the updater ran a few seconds and said 'Done', so that was no help. 8^(

Scanned with Bazooka, nothing detected...

Scanned with Spybot S&D, found and fixed 1 problem:

Alexa Related
(SRI $9263101F) Link
C:\WINDOWS\WEB\RELATED.HTM


Below is the log I finally got from HJT:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:03:10 PM, on 8/7/08
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Boot mode: Normal

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHSERV.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\CMMPU.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHWEBSV.EXE
C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHMAISV.EXE
C:\PROGRAM FILES\FDF\FAST2.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\PROGRAM FILES\TREND MICRO\HIJACKTHIS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.joesmoke.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
F1 - win.ini: run=C:\WINDOWS\SYSTEM\cmmpu.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {1CB20BF0-BBAE-40A7-93F4-6435FF3D0411} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\SYSTEM\hpztsb01.exe
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [avast! Web Scanner] C:\PROGRA~1\ALWILS~1\AVAST4\ASHWEBSV.EXE
O4 - HKLM\..\Run: [ashMaiSv] C:\PROGRA~1\ALWILS~1\AVAST4\ashmaisv.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakLogon
O4 - HKLM\..\RunServices: [avast!] C:\Program Files\Alwil Software\Avast4\ashServ.exe
O4 - HKCU\..\Run: [FAST Defrag] C:\PROGRA~1\FDF\FAST2.EXE -tray
O4 - HKUS\.DEFAULT\..\Run: [FAST Defrag] C:\PROGRA~1\FDF\FAST2.EXE -tray (User 'Default user')
O4 - .DEFAULT Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (User 'Default user')
O4 - Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRAM FILES\JAVA\JRE1.6.0_03\BIN\SSV.DLL
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRAM FILES\JAVA\JRE1.6.0_03\BIN\SSV.DLL
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} (Java Plug-in 1.6.0_03) -

--
End of file - 3060 bytes


I hope we can clear up this problem, it's very aggravating! 8^)

fission1
(Randy Gilson)
fission1
Active Member
 
Posts: 14
Joined: August 25th, 2006, 2:36 am
Location: St Olaf, Iowa
Advertisement
Register to Remove

Re: Sneaky Virus Problem

Unread postby MWR 3 day Mod » August 13th, 2008, 11:40 am

Hi, fission1

We are sorry to see your topic is over three days old and no one has yet been able to respond and offer help.

If you still require assistance, please post a link to your topic in our Waiting for help with malware removal? forum, and our staff will make an effort to assist you as promptly as possible. Only post a LINK to this topic, DO NOT post your DDS log!

Please do not reply to this topic.

If you haven't posted within two days in the "Waiting for help with malware removal?" forum, we will assume you have been able to get assistance in other ways and this topic will be closed.
MWR 3 day Mod
MRU Undergrad
MRU Undergrad
 
Posts: 2534
Joined: April 4th, 2008, 8:40 am

Re: Sneaky Virus Problem

Unread postby suebaby41 » August 15th, 2008, 3:17 pm

Welcome to the Malware removal Forums. Since it has been a few days since you scanned your computer with HijackThis, please post a new HijackThis Log. Thank you for your patience.

If you have already posted this log at another forum or if you decide to seek help at another forum, please let us know. There is a shortage of helpers and taking the time of two volunteer helpers means that someone else may not be helped.
User avatar
suebaby41
MRU Master
MRU Master
 
Posts: 2053
Joined: February 8th, 2005, 7:38 pm

Re: Sneaky Virus Problem

Unread postby fission1 » August 15th, 2008, 4:26 pm

Thank you very much for your reply, I understand completely that you're all very busy...

Here's a fresh HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:19:14 PM, on 8/15/08
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Boot mode: Normal

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHSERV.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\CMMPU.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHWEBSV.EXE
C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHMAISV.EXE
C:\PROGRAM FILES\FDF\FAST2.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\TREND MICRO\HIJACKTHIS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.joesmoke.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
F1 - win.ini: run=C:\WINDOWS\SYSTEM\cmmpu.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {1CB20BF0-BBAE-40A7-93F4-6435FF3D0411} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\SYSTEM\hpztsb01.exe
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [avast! Web Scanner] C:\PROGRA~1\ALWILS~1\AVAST4\ASHWEBSV.EXE
O4 - HKLM\..\Run: [ashMaiSv] C:\PROGRA~1\ALWILS~1\AVAST4\ashmaisv.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakLogon
O4 - HKLM\..\RunServices: [avast!] C:\Program Files\Alwil Software\Avast4\ashServ.exe
O4 - HKCU\..\Run: [FAST Defrag] C:\PROGRA~1\FDF\FAST2.EXE -tray
O4 - HKUS\.DEFAULT\..\Run: [FAST Defrag] C:\PROGRA~1\FDF\FAST2.EXE -tray (User 'Default user')
O4 - .DEFAULT Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (User 'Default user')
O4 - Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRAM FILES\JAVA\JRE1.6.0_03\BIN\SSV.DLL
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRAM FILES\JAVA\JRE1.6.0_03\BIN\SSV.DLL
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll

--
End of file - 3013 bytes
fission1
Active Member
 
Posts: 14
Joined: August 25th, 2006, 2:36 am
Location: St Olaf, Iowa

Re: Sneaky Virus Problem

Unread postby suebaby41 » August 17th, 2008, 11:43 pm

Step 1

You may want to print this page. Make sure to work through the fixes in the order it is mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes.

Step 2

I noticed that you have some programs that need to be updated.

Your Java Runtime Environment is out of date.
Older versions have vulnerabilities that malware can use to infect your system.
Please follow these steps to remove the older versions of Java Runtime Environment..
  • Close any programs you may have running, ESPECIALLY your web browser
  • Click Start > Control Panel.
  • Click Add/Remove Programs.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove all versions of Java.
  • Reboot your computer after all Java components are removed.
Please download the latest Java Runtime Environment.
  • Scroll down to where it says Java Runtime Environment (JRE) 6 Update 7. The Java SE Runtime Environment (JRE) allows end-users to run Java applications.
  • Click the Download button to the right. When a new window opens, you will see
    NOTE: This page offers files for different platforms - please be sure to download the proper file(s) for your platform.
    Required: You must accept the license agreement to download the product.
  • Click to place a check mark by Accept License Agreement.
  • Make the selection corresponding to your computer platform. For Windows, click on Windows Offline Installation, Multi-languagelink to download. Save it to your desktop.
  • On your desktop, double-click on jre-6u7-windows-i586-p.exe to install the newest version.
After you have installed the Java software on your computer, you must restart your browser. You can verify that Java Runtime Environment (RTE) has been installed correctly by clicking on the Verify Installation button on the Welcome To Java and Verify Installation page.

Your "Adobe Reader" is out of date.
You may want to download the latest version, Adobe® Reader® 9.

Step 3

In normal mode, run an online antivirus check from at least two and preferably three of the following sites
BitDefender
Computer Associates Online Virus Scan
Panda's ActiveScan
Trend Micro Housecall
Windows Live Safety Center Free Online Scan
This scanner from Trend does not require an Active X to run.
  1. Detects and removes malware ( viruses, worms, trojans, etc. )
  2. Detects and removes grayware and spyware
  3. Restores damage caused by malware to your system.
  4. Notifies about vulnerabilities in installed programs and connected network services.
  5. Multi-platform support for: Windows, Linux, Solaris.
  6. Easy-to-use with the Microsoft Internet Explorer and Mozilla Firefox.
When you have completed the scans, if you get a report of files that can’t be cleaned / deleted, make a note of the file location of anything that cannot be deleted so you can delete it yourself. Please post that list in your next reply.

Step 4

Please download Spybot-S&D.
Please check this link, Using Spybot- Search and Destroy To Remove Spyware From Your Computer, for instructions on how to download, install and use Spybot-S&D. Run this program as soon as possible.

Step 5

Please download Ad-Aware 2008.
Please check this link, Ad-Aware 2007/ 2008 for instructions on how to download, install and use Ad-Aware. Run this program as soon as possible.

Step 6

I recommend using Spyware Blaster.
Please download SpywareBlaster. SpywareBlaster helps to:
  1. Prevent the installation of Active X-based spyware, adware, browser hijackers, dialers, and other potentially unwanted software.
  2. Block spyware/tracking cookies in Internet Explorer and Mozilla/Firefox.
  3. Restrict the actions of potentially unwanted sites in Internet Explorer.
Please see Using SpywareBlaster to protect your computer from Spyware, Hijackers, and Malware for instructions on how to download, install, and use SpywareBlaster.

Step 7

CCleaner is a tool for cleaning temporary files stored on your computer which may help improve performance.
  1. Please download CCleaner
  2. Starting with v1.27.260, "CCleaner" installs the "Yahoo Toolbar" as an option which IS checked by default during the installation. IF you do NOT want it, REMOVE the check when provided with the option OR download the toolbar free Basic version instead of the Standard Build.
  3. Unzip the file to install.
  4. Before first use, select Options > Advanced and UNCHECK Only delete files in Windows Temp folder older than 48 hours.
  5. Select the items you wish to clean up.
    • In the Windows Tab:
      • Clean all entries in the Internet Explorer section except Cookies.
      • Clean all the entries in the Windows Explorer section.
      • Clean all entries in the System section.
      • Clean all entries in the Advanced section.
      • Clean any others that you choose.
    • In the Applications Tab:
      • Clean all except cookies in the Firefox/Mozilla section if you use it.
      • Clean all in the Opera section if you use it.
      • Clean Sun Java in the Internet Section.
      • Clean any others that you choose.
  6. Click the Run Cleaner button.
  7. A pop up box will appear advising this process will permanently delete files from your system.
  8. Click OK. CCleaner will scan and clean your system.
  9. Click Exit when done.
Do not run it yet.
CAUTION: Please use the "Issues" button ONLY if you know how to use it. This is a built-in registry cleaner. If you don’t know how to use it, you may cause irreparable damage to your system.

Step 8

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.joesmoke.com/

Did you set the above entry as your homepage? In my research, I found only one entry.

Joe Smoke's where you can find cheap prices on tax free, duty free name brand (ie Marlboro, Winston) cigarettes, cigars, snuff and chew tobacco for sale.

Step 9

Please disconnect from the Internet. Please close ALL browser windows (including this one).

Step 10

Now we will address the HijackThis fixes.

Please run HijackThis and click Scan. Place checks next to the following entries (make sure not to miss any):

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: (no name) - {1CB20BF0-BBAE-40A7-93F4-6435FF3D0411} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRAM FILES\JAVA\JRE1.6.0_03\BIN\SSV.DLL
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRAM FILES\JAVA\JRE1.6.0_03\BIN\SSV.DLL


Close all browsers and other windows except for HijackThis, and click Fix Checked to have HijackThis fix the entries you checked.

Step 11

Optional Fixes is the name that we use for fixes for unnecessary programs that load during startup and run in the background. These programs are not required to start automatically as you can start them manually if you need them. You would be removing the program from your startup but you would not be removing the program itself.

Your computer may be sluggish due to the many programs loading during startup and running in the background that are not necessary. Windows has a facility for starting programs at startup time. Some of these programs are required for your computer and the applications installed on it to run correctly. A good example of such a program is a virus-checking application that must always run, constantly checking for and isolating or removing files with viruses. Other such programs are not strictly required, or are optional. In some cases, you can gain significant performance enhancements by disabling the automatic startup of these programs. In many cases, the functionality offered by the programs is still available by starting the programs manually by, for example, starting the program from the Windows Start->Programs menu. Media players and instant messaging programs often fall into this category. In fact, it is common for many modern software applications, when installed, to add programs at startup that add items to the system tray or shortcut (context) menus in Windows Explorer to provide quick access to the features and functions of these applications. While they may be useful, they do increase boot time and consume system resources. It is advised that you disable these programs so that they do not take up necessary resources or slow the boot time.

Other than ScanRegistry, SystemTray, StateMgr, antivirus program entries, and firewall program entries, very few others need to load and run.

Read the articles below to see if it applies to your computer problem with being slow to respond.
Slow_Computer_Check_here_first_it_may_not_be_malware.
Help! My computer is slow!
50 Tips for a Super Fast PC
4 Ways to Speed Up Your Computer's Performance
It's not always malware: How to fix the top 10 Internet Explorer issues

If you decide that you want to stop the Optional Fixes in your startup, let me know and I will give you a list with instructions. You would be removing the program from your startup but you would not be removing the program itself.

Step 12

Let’s run CCleaner to ensure no malware is hiding in temporary folders and for general computer cleanup to free space on your computer.

Step 13

Please run HijackThis in Normal Mode and post a new HijackThis log so I can make sure that all the malware was deleted according to plan.

Please post the list of file names and locations for any files that can’t be cleaned / deleted that were reported after you completed the online scans.

Please advise me of any problems you still have.
User avatar
suebaby41
MRU Master
MRU Master
 
Posts: 2053
Joined: February 8th, 2005, 7:38 pm

Re: Sneaky Virus Problem

Unread postby fission1 » August 19th, 2008, 6:32 am

Greetings,

First of all, many thanks for your help...

Step 2:

I have updated Java to 6u7 and tried to update Adobe Reader but their site doesn't offer a version compatible with win98.

Step 3:

I've run 2 of the online scanners (BitDefender and Computer Associates - nothing found). I'll begin the Trend Micro scan shortly and then proceed with the remaining steps.

Thanks again,
fission1
(Randy Gilson)
fission1
Active Member
 
Posts: 14
Joined: August 25th, 2006, 2:36 am
Location: St Olaf, Iowa

Re: Sneaky Virus Problem

Unread postby suebaby41 » August 19th, 2008, 1:14 pm

You are welcome. How is your computer behaving now?
User avatar
suebaby41
MRU Master
MRU Master
 
Posts: 2053
Joined: February 8th, 2005, 7:38 pm

Re: Sneaky Virus Problem

Unread postby fission1 » August 19th, 2008, 5:57 pm

Greetings,

OK, I finished all the steps except updating Adobe Reader, there isn't a new version compatible with win98.

The 3 online scanners (BitDefender, Computer Associates and Trend Micro) found nothing.

Ran Spybot S&D - found nothing.

I wasn't able to install Ad-Aware 2008, not compatible with win98.

Installed SpywareBlaster and enabled all protections.

Ran CCleaner as directed

Yes, the start page was set by me.

Fixed the 6 items in HJT.

I still get this error when trying to open Photoshop 7:

Microsoft Visual C++ Runtime Library
Runtime Error!

C:\PROGRAM FILES\ADOBE\PHOTOSHOP 7.0\PHOTOSHOP.EXE

This application has requested the Runtime to terminate it in an unusual way. Please contact the application's support team for more information.

After this error occurs I get the font problems mentioned in my original post. Rebooting clears this up temporarily.

New HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:05:20 PM, on 8/19/08
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Boot mode: Normal

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHSERV.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\CMMPU.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHWEBSV.EXE
C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHMAISV.EXE
C:\PROGRAM FILES\FDF\FAST2.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\PROGRAM FILES\TREND MICRO\HIJACKTHIS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.joesmoke.com/
F1 - win.ini: run=C:\WINDOWS\SYSTEM\cmmpu.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\SYSTEM\hpztsb01.exe
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [avast! Web Scanner] C:\PROGRA~1\ALWILS~1\AVAST4\ASHWEBSV.EXE
O4 - HKLM\..\Run: [ashMaiSv] C:\PROGRA~1\ALWILS~1\AVAST4\ashmaisv.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakLogon
O4 - HKLM\..\RunServices: [avast!] C:\Program Files\Alwil Software\Avast4\ashServ.exe
O4 - HKCU\..\Run: [FAST Defrag] C:\PROGRA~1\FDF\FAST2.EXE -tray
O4 - HKUS\.DEFAULT\..\Run: [FAST Defrag] C:\PROGRA~1\FDF\FAST2.EXE -tray (User 'Default user')
O4 - .DEFAULT Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (User 'Default user')
O4 - Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resourc ... oscan8.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/vi ... ebscan.cab

--
End of file - 2906 bytes

Also, I would like to go through the Optional Fixes at some point...

Thanks,
fission1
(Randy Gilson)
fission1
Active Member
 
Posts: 14
Joined: August 25th, 2006, 2:36 am
Location: St Olaf, Iowa

Re: Sneaky Virus Problem

Unread postby suebaby41 » August 22nd, 2008, 3:50 pm

From my research, your computer problem may be a corrupt or missing MSVCRT.DLL.

  1. Try this in Normal Mode. If that does not work, try it in Safe Mode.
  2. Go to Start->Run and type in sfc and hit OK.
  3. Leave it on the first option and let it scan.
  4. If it finds any files missing/corrupted, it may ask for the Windows CD.
User avatar
suebaby41
MRU Master
MRU Master
 
Posts: 2053
Joined: February 8th, 2005, 7:38 pm

Re: Sneaky Virus Problem

Unread postby fission1 » August 22nd, 2008, 5:26 pm

Greetings,

I ran sfc and found no problems. This is the info on msvcrt.dll from the sfc log:

[C:\WINDOWS\SYSTEM]

File:
msvcrt.dll

Change:
Updated

Previous Version:
5.00.7128

Previous Date:
5/11/98

New Version:
6.10.8924.0

New Date:
5/4/01

CRC Match:
No

I also searched for the file and found 3 of them in the following folders:

C:\WINDOWS\SYSTEM
C:\Program Files\Ahead\Nero
C:\Program Files\Java\jre1.6.0_07\bin

I don't have a win98 cd (this is a borrowed/discarded computer 8^). If I can find and download the original version of msvcrt.dll (5.00.7128) could I replace the one in C:\WINDOWS\SYSTEM (6.10.8924.0)? (after backing up the existing one, of course) Or... ?

fission1
(Randy Gilson)
fission1
Active Member
 
Posts: 14
Joined: August 25th, 2006, 2:36 am
Location: St Olaf, Iowa

Re: Sneaky Virus Problem

Unread postby suebaby41 » August 23rd, 2008, 10:01 pm

I do not see any obvious signs of malware.

OK, I finished all the steps except updating Adobe Reader, there isn't a new version compatible with win98.

I believe that version 6 is the latest Adobe Reader compatible with Windows 98. See the Adobe Forums regarding Windows 98.
I still get this error when trying to open Photoshop 7:

Microsoft Visual C++ Runtime Library
Runtime Error!

C:\PROGRAM FILES\ADOBE\PHOTOSHOP 7.0\PHOTOSHOP.EXE

This application has requested the Runtime to terminate it in an unusual way. Please contact the application's support team for more information.

Let's see if this works. Please download DirectX End-User Runtime Web Installer.
Also, I would like to go through the Optional Fixes at some point...

FAST2.EXE (FastDefrag defragmenting software) process can be removed to free up resources without compromising system performance. Fast Defrag 2 Standard (Std) - frees and optimizes RAM (Random Access Memory) and the swap-file usage. Company AMS Network URL: http://www.amsn.ro/index.php?action=2. This is a valid program but it is not required to run on startup. This program is not required to start automatically as you can start it manually if you need it. It is advised that you disable this program so that it does not take up necessary resources. Many users have reported this process slows their boot time. It may be worthwhile to fix it with HijackThis. Item(s) to fix in HijackThis:

O4 - HKCU\..\Run: [FAST Defrag] C:\PROGRA~1\FDF\FAST2.EXE -tray

O4 - HKUS\.DEFAULT\..\Run: [FAST Defrag] C:\PROGRA~1\FDF\FAST2.EXE -tray (User 'Default user')

You have Adobe Gamma Loader.exe running at Startup. Adobe Gamma Loader.exe is installed alongside Adobe Creative Studio products and allows the color calibration of your video output device. This is a non-essential process. You will still be able to start it manually if you need it. You can fix this with HijackThis. Item(s) to fix in HijackThis:

O4 - .DEFAULT Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (User 'Default user')

O4 - Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe


Please post a new HijackThis log.
User avatar
suebaby41
MRU Master
MRU Master
 
Posts: 2053
Joined: February 8th, 2005, 7:38 pm

Re: Sneaky Virus Problem

Unread postby fission1 » August 24th, 2008, 10:08 am

OK,

I installed DirectX 9 and fixed the startup items. The Visual C++ Runtime error persists...

New HJT Log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:26:27 AM, on 8/24/08
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Boot mode: Normal

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHSERV.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\CMMPU.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHWEBSV.EXE
C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHMAISV.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\PROGRAM FILES\TREND MICRO\HIJACKTHIS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.joesmoke.com/
F1 - win.ini: run=C:\WINDOWS\SYSTEM\cmmpu.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\SYSTEM\hpztsb01.exe
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [avast! Web Scanner] C:\PROGRA~1\ALWILS~1\AVAST4\ASHWEBSV.EXE
O4 - HKLM\..\Run: [ashMaiSv] C:\PROGRA~1\ALWILS~1\AVAST4\ashmaisv.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakLogon
O4 - HKLM\..\RunServices: [avast!] C:\Program Files\Alwil Software\Avast4\ashServ.exe
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resourc ... oscan8.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/vi ... ebscan.cab

--
End of file - 2460 bytes

fission1
(Randy Gilson)
fission1
Active Member
 
Posts: 14
Joined: August 25th, 2006, 2:36 am
Location: St Olaf, Iowa

Re: Sneaky Virus Problem

Unread postby suebaby41 » August 24th, 2008, 1:43 pm

I installed DirectX 9 and fixed the startup items. The Visual C++ Runtime error persists...

My expertise is dealing with malware and I prefer that you get the help of computer expert(s) in solving your problem. Please include a link to this thread so that the computer experts may see what we have done. Please post your question(s) in one of the following excellent forums where the computer experts may help you:

5 Star Support Computer Forum
5 Star Support Forums > Computer Operating Systems > Windows 95/98/ME

BleepingComputer's Computer Forum
BleepingComputer.com > Operating Systems > Windows 95/98/ME

Castlecops' Computer forum
Windows 95/98/ME Please read Termination of Support for Win98/SE/ME; Impact on Security

CyberTechHelp Hardware Forum
Windows 98

Tech Support Forum's computer forum
Win 98 & ME Support.

Your log appears to be clean. Please advise me of any problems you still have.

Tips To Protect Your Computer
  • Avoid inviting the monsters in by clicking on links in instant messages.
  • Avoid opening email attachments.
  • Avoid visiting every poker site on the net.
  • Avoid downloading all that free cute junk.
  • Avoid using the peer-to-peer file sharing.
  • Avoid getting those handy toolbar doodads for your browsers.
  • There are horrible critters out there just waiting to pounce on your system if you only pass by where they are lurking, which may be at some seemingly innocent web site. Be careful because some of these monsters are so vicious that no one can possibly save you once you let them in.
  • Remember that new bad stuff emerges every week of the year. Take responsibility for protecting your system because you are its first and best defense.

Tools Downloaded To Clean Your Computer

I asked you to install some tools. Whether or not you need to keep these programs must be decided by you. If you choose to uninstall them, follow these directions:
  1. Click Start > Control Panel.
  2. In Control Panel, double-click Add or Remove Programs.
  3. In Add or Remove Programs, highlight the program, click Remove.
  4. Close the Add or Remove Programs and the Control Panel windows.
Optional Tools:
  1. CCleaner is a tool for cleaning temporary files stored on your computer which may help improve performance. Scan weekly if you have high Internet use.
  2. Spybot-S&D is a tool to remove Spyware from Your Computer. Scan weekly if you have high Internet use.
  3. HijackThis may be uninstalled; however, if you should ever encounter another problem and seek help in this forum or others like it, you will need to download this application.
Please take the time to read the "Steps To Keep Your Computer Clean And Secure" below.

Steps To Keep Your Computer Clean And Secure:

Please follow these simple steps in order to keep your computer clean and secure:
  1. Make your Internet Explorer more secure: This can be done by following these simple instructions:
    1. From within Internet Explorer click on the Tools menu and then click on Options.
    2. Click once on the Security tab
    3. Click once on the Internet icon so it becomes highlighted.
    4. Click once on the Custom Level button.
      • Change the Download signed ActiveX controls to Prompt
      • Change the Download unsigned ActiveX controls to Disable
      • Change the Initialize and script ActiveX controls not marked as safe to Disable
      • Change the Installation of desktop items to Prompt
      • Change the Launching programs and files in an IFRAME to Prompt
      • Change the Navigate sub frames across different domains to Prompt
    5. When all these settings have been made, click on the OK button.
    6. If it asks you if you want to save the settings, press the Yes button.
    7. Next press the Apply button and then the OK to exit the Internet Properties page.
  2. Use a Firewall: - I cannot stress how important it is that you use a Firewall on your computer.  Without a firewall your computer is susceptible to being hacked and taken over. Simply using a Firewall in its default configuration can lower your risk greatly. For an article on Firewalls and a listing of some available ones see the link below:
    Computer Safety On line - Software Firewalls. For more information about firewalls, please read Understanding and Using Firewalls.
  3. Use An Antivirus Software and Keep It Updated: - It is very important that your computer has an antivirus software running on your machine.  This alone can save you a lot of trouble with malware in the future.  It is imperative that you update your antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software, then it will not be able to catch any of the new variants that may come out. For an article on antivirus programs and a listing of some available ones see the link below:
    Computer Safety On line - Anti-Virus
  4. You should scan your computer with Spybot S&D on a regular basis just as you would an anti- virus software. A tutorial on installing & using this product can be found here:
    Using Spybot - Search & Destroy to remove Spyware from Your Computer
  5. Update SpywareBlaster (at least weekly): SpywareBlaster will add a large list of programs and sites into your Internet Explorer and Firec settings that will protect you from running and downloading known malicious programs. An article on anti-malware products with links for this program and others can be found here:
    Computer Safety on line Anti Malware
  6. Use the hosts file: Every version of windows has a hosts file as part of them. In a very basic sense, they are used to locate web pages. We can customize a hosts file so that it blocks certain web pages. However, it can slow down certain computers. This is why using a hosts file is optional. Download mvps hosts file Make sure you read the instructions on how to install the hosts file. There is a good tutorial HERE If you decide to download the hosts file, the slowdown problems can usually be avoided by following these steps:
    1. Click the start button on the task bar at the bottom of your screen
    2. Click run
    3. In the dialog box, type services.msc
    4. hit enter, then locate dns client
    5. Highlight it, then doubleclick it.
    6. On the dropdown box, change the setting from automatic to manual.
    7. Click OK.
  7. Use an alternative instant messenger program:.Trillian and Miranda IM These are Malware free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)
  8. Please read Tony Klein's excellent article: How I got Infected in the First Place
  9. Please read Understanding Spyware, Browser Hijackers, and Dialers
  10. Please read Simple and easy ways to keep your computer safe and secure on the Internet.
  11. If you are using Internet Explorer, please consider using an alternate browser: Please download Firefox 2 which is compatible with Windows 98, Windows 98 SE, Windows ME, Windows NT 4.0, Windows 2000, Windows XP, Windows Server 2003, and Windows Vista. Note: Firefox 2.0.0.x will be maintained with security and stability updates until mid-December, 2008. Mozilla's Firefox browser is fantastic.
    Another good browser is Opera . Opera 9 comes loaded with the tools to keep you productive and safe. Try it today, it's absolutely free. Some of the Opera features are: Customization, BitTorrent, Content blocker, Add your favorite search engines, Thumbnail preview of tabs, Widgets, Transfer manager, Tabbed browsing, Password manager, Sessions (You can save a collection of open tabs as a session, for later retrieval, or start with the pages you had open when Opera was last closed.), Keyboard Shortcuts, Cookie control, a multitude of languages, Validate code, Toggle graphics and style sheets, and Special features such as Full-screen mode, Kiosk mode. Installing Opera 9 on Windows 95, 98 or NT 4.0 requires the Windows Installer to be installed on your system. Alternatively you can select the classic installer when downloading Opera, but then you must manually download the language files for languages other than US English.
  12. Update all these programs regularly: Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
  13. If your computer was infected by a website, a program, IM, MSN, or p2p, check this site because it is Time To Fight Back.
Follow these steps and your potential for being infected again will reduce dramatically.
Good luck!
User avatar
suebaby41
MRU Master
MRU Master
 
Posts: 2053
Joined: February 8th, 2005, 7:38 pm

Re: Sneaky Virus Problem

Unread postby fission1 » August 24th, 2008, 3:10 pm

Thank you very much! Your time and efforts have been greatly appreciated. Thank you also for all the great links and advice, I'm quite sure they will prove invaluable.

I still get the Visual C++ Runtime error when trying to open Photoshop, followed by the font display problems (until after a reboot). I'll continue on in one of the other forums you mentioned... 8^)

Thanks again, and good luck to you in the fight against malware!

fission1
(Randy Gilson)
fission1
Active Member
 
Posts: 14
Joined: August 25th, 2006, 2:36 am
Location: St Olaf, Iowa

Re: Sneaky Virus Problem

Unread postby suebaby41 » August 24th, 2008, 5:42 pm

You are welcome. I am glad we could help.
User avatar
suebaby41
MRU Master
MRU Master
 
Posts: 2053
Joined: February 8th, 2005, 7:38 pm
Advertisement
Register to Remove

Next

  • Similar Topics
    Replies
    Views
    Last post

Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: random/random and 72 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware