Infected

Post by fission1 » August 26th, 2006, 4:46 am

First-time poster...

I've run Ad-Aware SE Pro, which has found only tracking cookies. Have tried to run Spybot S&D and a2free, but before they can finish scanning, the system becomes unstable and locks up. I'm getting lots of IE popups, even when using Firefox and also with no browser open at all.

Here's my HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 3:35:20 AM, on 8/26/06
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\KB918547\KB918547.EXE
c:\windows\SYSTEM\KB891711\KB891711.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\MOUSE\SYSTEM\EM_EXEC.EXE
C:\COMPAQ\CPQINET\CPQINET.EXE
C:\PROGRAM FILES\MOTIVE\MOTIVEASSISTANT\MOTMON.EXE
C:\PROGRAM FILES\FOLDER SHIELD\FSP.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\PROGRAM FILES\ATOMIC CLOCK SYNC\ATOMIC.EXE
C:\PROGRAM FILES\FREERAM\FREERAM.EXE
C:\WINDOWS\UTAT\NTVDM.EXE
C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\BTTNSERV.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\EAUSBKBD.EXE
C:\HJT\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://desktop.presario.net/scripts/red ... 409&c=1c00
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://login.live.com/login.srf?id=2&sv ... 3&_lang=EN
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.presario.net/scripts/redi ... ar&LC=0409
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_6_0_0.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_6_0_0.DLL
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [EM_EXEC] c:\mouse\system\em_exec.exe
O4 - HKLM\..\Run: [CPQInet] c:\compaq\CPQInet\CpqInet.exe
O4 - HKLM\..\Run: [MotiveMonitor] C:\Program Files\Motive\MotiveAssistant\motmon.exe
O4 - HKLM\..\Run: [fsp] C:\PROGRAM FILES\FOLDER SHIELD\fsp.exe
O4 - HKLM\..\Run: [ryb81646] RUNDLL32.EXE w0cbfd18.dll,n 00381643000000020cbfd18
O4 - HKLM\..\Run: [ms03536007941] C:\WINDOWS\ms03536007941.exe
O4 - HKLM\..\Run: [TheMonitor] C:\WINDOWS\DUCE6.exe
O4 - HKLM\..\Run: [ATOMIC.EXE] C:\PROGRAM FILES\ATOMIC CLOCK SYNC\ATOMIC.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [KB918547] C:\WINDOWS\SYSTEM\KB918547\KB918547.EXE
O4 - HKLM\..\RunServices: [KB891711] c:\windows\SYSTEM\KB891711\KB891711.EXE
O4 - HKCU\..\Run: [BySoft FreeRAM] C:\PROGRAM FILES\FREERAM\FREERAM.EXE
O4 - HKCU\..\Run: [Ciat] "C:\WINDOWS\utat\ntvdm.exe" -vt yazr
O4 - HKCU\..\Run: [Lbjctxur] C:\WINDOWS\Application Data\Cdsi\gtf.exe
O4 - Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmwordtrans.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsimilar.html
O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate Page into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmtrans.html
O9 - Extra button: Translate - {06FE5D05-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redi ... 00&lc=0409 (file missing)
O9 - Extra 'Tools' menuitem: AV &Translate - {06FE5D05-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redi ... 00&lc=0409 (file missing)
O9 - Extra button: (no name) - {06FE5D02-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redi ... 00&lc=0409 (file missing)
O9 - Extra 'Tools' menuitem: &Find Pages Linking to this URL - {06FE5D02-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redi ... 00&lc=0409 (file missing)
O9 - Extra button: (no name) - {06FE5D03-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redi ... 00&lc=0409 (file missing)
O9 - Extra 'Tools' menuitem: Find Other Pages on this &Host - {06FE5D03-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redi ... 00&lc=0409 (file missing)
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRAM FILES\JAVA\JRE1.5.0_06\BIN\SSV.DLL
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRAM FILES\JAVA\JRE1.5.0_06\BIN\SSV.DLL
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YAHOOMESSENGER.EXE
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YAHOOMESSENGER.EXE
O15 - Trusted Zone: http://www.hotmail.com
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by110fd.bay110.hotmail.msn.com/r ... nPUpld.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.c ... 040510.cab
fission1
Active Member
 
Posts: 14
Joined: August 25th, 2006, 2:36 am
Location: St Olaf, Iowa

Post by Trogan » August 26th, 2006, 10:00 am

Hi fission1! Welcome to Malware Removal! :)

I would like to see another log from HijackThis.
  • Run Hijackthis.
  • Click on Open the Misc Tools section.
  • Next click on Open uninstall manager.
  • Press the Save list button. It will open a Notepad file.
  • Copy & Paste the entire contents of that file back here
Trogan
MRU Teacher Emeritus
 
Posts: 2291
Joined: November 26th, 2005, 9:31 am
Location: London

Re: Infected

Post by fission1 » August 26th, 2006, 5:15 pm

2 Pic 11.3.0
3D Canvas
3D Shadow by Lokas Software
3dem
4th of July Wishes Screen Saver
abrViewer.NET 1.0.1
Ad-Aware SE Professional
Adobe Acrobat - Reader 6.0.2 Update
Adobe Acrobat and Reader 6.0.3 Update
Adobe Download Manager 1.2 (Remove Only)
Adobe Flash Player 9 ActiveX
Adobe Illustrator 10
Adobe Photoshop 7.0
Adobe Reader 6.0.1
Adobe Shockwave Player
Adobe SVG Viewer 3.0
Alien Skin Eye Candy 5 Impact
Alien Skin Image Doctor 1.0
AliveColors Freeware
Apophysis 2.0
Ashampoo UnInstaller Suite Plus
a-squared Free 2.0
Atomic Clock Sync
B/Works for Digital Cameras
Behemot Graphics Editor 0.9.1
Blender (remove only)
Bricks'n'Tiles 1.5.2
Bryce(R) 5
Built-In Technician
Butterfly Fantasia Screen Saver
BySoft FreeRAM 4.0
Carbon Copy 32
Chaoscope 0.3
ClearSkinFX for Digital Cameras
ColorCastFX for Digital Cameras
Compaq Desktop100 Screen Saver
Compaq Diagnostics for Windows
Compaq IE Custom
Compaq IE5 Customization
Compaq OOBE Online
Compaq Quick Print
Compaq WebISP
Compaq WebReg
Compaq Wizard Host Online
Compaq.NET Registration
CPQ Hardware Discovery
Digital Camera Enhancer
Eye Candy 4000
FilterSIM for Digital Cameras
Folder Shield 1.3
Gallery Wizard
Google Toolbar for Internet Explorer
GrafxShop Suite 3.9
GTK+ 2.6.10-20050823 runtime environment
HijackThis 1.99.1
HotPixels Eliminator for Digital Cameras 1.0
HyperLoad - Golf Range
HyperLoad - Golf Course
HyperLoad - QB Shootout (NabiscoWorld)
HyperLoad - Soccer Shootout
Internet Explorer Q891781
IrfanView (remove only)
J2SE Runtime Environment 5.0 Update 6
Kai's Power Tools 3
Kai's Power Tools 5
Knoll Light Factory 2
KPT 6
KPT(R) effects(TM)
Lost Fractal Screen Saver
Microsoft .NET Framework 1.1
Microsoft Internet Explorer 6 SP1 and Internet Tools
Microsoft Outlook Express 6
Microsoft Windows Critical Update Notification
Mind-Boggling Fractals Lite
MOLA Extractor
MouseWare
Mozilla Firefox (1.5.0.6)
Now3D
On-Screen Display
OpenExpert 1.40
Outlook Express Q837009
PhotoFiltre
PIXELRULER
QuickTime
Reptile
RGB Lights 1.0
Sausage Software Common Files Package
Saver Forge 1.1.2
Serif 3DPlus 2.0
Shareaza version 2.2.1.0
Spybot - Search & Destroy 1.4
Sqirlz Water Reflections
SynTex
Terragen
The GIMP 2.2.11
Ulead Particle.Plugin 1.0
Uninstall Mystical
VectorEngineer Quick-Tools
Windows 98 KB891711 Update
Windows 98 KB896358 Update
Windows 98 KB908519 Update
Windows 98 KB918547 Update
Windows 98 Q823559 Update
Windows 98 Q888113 Update
Windows 98 Second Edition Digital Video Update
Windows Media Player system update (9 Series)
Wings 3D 0.98.35
Wink
WinRAR archiver
WinZip
World Machine 1.25 Basic Edition (remove only)
Xenofex 1.0
Yahoo! Messenger
Yahoo! Toolbar

Post by Trogan » August 27th, 2006, 8:21 am

Hi again fission1! Can you do the following...

I see you have peer2peer filesharing programs installed. Please do not use filesharing programs while we are cleaning up your computer. To do so could result in substantial setbacks as the majority of files available through filesharing are known to be infected. In addition, please refrain from downloads of any sort, other than those I request that you download.

=====

I don't see any indication of an Anti-Virus or Firewall. Please download one of each from the list below - they are Free!

AV
AVG Free Edition << I recommend this
AntiVir
avast! 4 Home Edition

Firewall
Zone Alarm << I recommend this
Outpost Firewall

=====

Click Start > Run > type in appwiz.cpl and hit enter. From the list uninstall the following, if present:

Lost Fractal Screen Saver << remove this if you do not know what this is

=====

Open HijackThis
- Click the Do a system scan only button
- Check the following entries (below)

R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)

O4 - HKLM\..\Run: [ryb81646] RUNDLL32.EXE w0cbfd18.dll,n 00381643000000020cbfd18
O4 - HKLM\..\Run: [ms03536007941] C:\WINDOWS\ms03536007941.exe
O4 - HKLM\..\Run: [TheMonitor] C:\WINDOWS\DUCE6.exe
O4 - HKCU\..\Run: [Ciat] "C:\WINDOWS\utat\ntvdm.exe" -vt yazr
O4 - HKCU\..\Run: [Lbjctxur] C:\WINDOWS\Application Data\Cdsi\gtf.exe

O15 - Trusted Zone: http://www.hotmail.com

Note: Having entries in your Trusted Zone can be a security risk. I would suggest removing it, unless you are having problems accessing Hotmail.

- Close ALL open windows (especially Internet Explorer!)
Click Fix Checked

=====

We need to view hidden files and folders. Instructions on how to do this can be found here.

Next, find and delete the following if found:

C:\WINDOWS\ryb81646.sys << This file. if you cannot find it there, please do a search for it
C:\WINDOWS\ms03536007941.exe << This file
C:\WINDOWS\DUCE6.exe << This file
C:\WINDOWS\w0cbfd18.dll << This file

C:\WINDOWS\Application Data\Cdsi << This folder
C:\WINDOWS\utat << This folder

=====

Download ATF (Atribune Temp File) Cleaner© by Atribune to your desktop.

Double-click ATF Cleaner.exe to open

Under Main choose:
Windows Temp
Current User Temp
All Users Temp
Cookies
Temporary Internet Files
Prefetch
Java Cache

*The other boxes are optional*
Then click the Empty Selected button.

Firefox:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

Click Exit on the Main menu to close the program.

=====

Check for updates on Ad-Aware and Spybot. Once updated, please reboot your computer into Safe Mode. Instructions on how to enter Safe Mode are available here

Once in Safe Mode, run a full system scan with Ad-Aware, removing everything found.

Reboot your computer again but back into Safe Mode. Now, run a scan with Spybot Search & Destroy.

Once the scans are completed, reboot back into Normal Mode. You can do this by restarting the computer normally, and this will get you back into Normal Mode.

=====

Please do an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky. Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:

    • Scan using the following Anti-Virus database:
      Extended (if available otherwise Standard)
    • Scan Options:
      Scan Archives
      Scan Mail Bases

  • Click OK
  • Now under select a target to scan:
      Select My Computer
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.

=====

Please post the following:

1) Kaspersky log
2) New HijackThis log
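The entries Trogan picks out for "Fix checked" above follow a pattern an analyst applies by eye: autorun values with machine-generated names, executables living directly under C:\WINDOWS or in Application Data rather than a program directory, an OS binary name (ntvdm.exe) started from a directory it has no business in, rundll32 loading a DLL with a random-looking name, an orphaned URLSearchHook, and a Trusted Zone entry. The script below is an added example that automates that triage over HijackThis 1.99 log lines; it is not part of HijackThis or of the MalwareRemoval.com procedure. The sample lines are copied from the log posted earlier in this thread, and the allowlist of Win9x binaries that legitimately start from C:\WINDOWS or the PATH, together with the vowel-ratio and digit-count test for "random" names, are this example's own assumptions.

```python
"""Triage a HijackThis 1.99 log: pick out the R3, O4 and O15 entries that deserve
a "Fix checked", as the reply above does by hand.  Added example; the heuristics
are this example's own, not part of HijackThis or of the MalwareRemoval.com procedure."""
import re

# Constructed sample: lines copied from the log posted earlier in this thread.
SAMPLE_LOG = r"""
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [fsp] C:\PROGRAM FILES\FOLDER SHIELD\fsp.exe
O4 - HKLM\..\Run: [ryb81646] RUNDLL32.EXE w0cbfd18.dll,n 00381643000000020cbfd18
O4 - HKLM\..\Run: [ms03536007941] C:\WINDOWS\ms03536007941.exe
O4 - HKLM\..\Run: [TheMonitor] C:\WINDOWS\DUCE6.exe
O4 - HKCU\..\Run: [Ciat] "C:\WINDOWS\utat\ntvdm.exe" -vt yazr
O4 - HKCU\..\Run: [Lbjctxur] C:\WINDOWS\Application Data\Cdsi\gtf.exe
O15 - Trusted Zone: http://www.hotmail.com
"""

SYSTEM_DIRS = (r"c:\windows\system", r"c:\windows\system32")
# Assumed allowlist: Win9x binaries that legitimately start from C:\WINDOWS itself or via PATH.
WINDIR_ALLOW = {"scanregw.exe", "taskmon.exe", "explorer.exe", "systray.exe", "rundll32.exe"}
# Assumed list of OS binary names that should never be started from an arbitrary directory.
SYSTEM_BINARIES = {"ntvdm.exe", "rundll32.exe", "explorer.exe", "mprexe.exe"}
KNOWN_NAMES = WINDIR_ALLOW | SYSTEM_BINARIES
O4_RE = re.compile(r"^O4 - (HK\w+)\\\.\.\\(\w+): \[([^\]]*)\] (.*)$")
PROGRAM_RE = re.compile(r"(?i)(.*?\.(?:exe|dll|com|scr|bat))(?:\s+(.*))?$")


def looks_random(name: str) -> bool:
    """Cheap entropy stand-in: 4+ digits mixed into letters, or almost no vowels."""
    letters = [c for c in name.lower() if c.isalpha()]
    if sum(c.isdigit() for c in name) >= 4 and letters:
        return True
    if len(letters) < 5:            # too short to judge (fsp, Ciat, gtf)
        return False
    return sum(c in "aeiouy" for c in letters) / len(letters) < 0.2


def in_system_dir(directory: str) -> bool:
    return any(directory == s or directory.startswith(s + "\\") for s in SYSTEM_DIRS)


def split_command(cmd: str):
    """(program, arguments) for a Run value; handles quoted and space-containing paths."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end], cmd[end + 1:].strip()
    m = PROGRAM_RE.match(cmd)
    if m:
        return m.group(1), m.group(2) or ""
    head, _, tail = cmd.partition(" ")
    return head, tail


def check_autorun(name: str, cmd: str) -> list:
    """Reasons an O4 entry looks like a malware loader rather than an application."""
    reasons = []
    program, args = split_command(cmd)
    directory, _, basename = program.lower().rpartition("\\")
    if looks_random(name):
        reasons.append(f"value name {name!r} looks machine-generated")
    if basename not in KNOWN_NAMES and looks_random(basename.rsplit(".", 1)[0]):
        reasons.append(f"file name {basename!r} looks machine-generated")
    if directory and basename in SYSTEM_BINARIES and not in_system_dir(directory):
        reasons.append(f"{basename} is an OS binary name but runs from {directory}")
    if (directory.startswith(r"c:\windows") and not in_system_dir(directory)
            and basename not in WINDIR_ALLOW):
        reasons.append(f"runs from {directory}, not a program or system directory")
    if basename == "rundll32.exe" and args:     # rundll32 <dll>,<entry> <args>
        dll = args.split(",", 1)[0].split()[0]
        if looks_random(dll.rpartition("\\")[2].rsplit(".", 1)[0]):
            reasons.append(f"rundll32 loads {dll}, whose name looks machine-generated")
    return reasons


def triage(log_text: str) -> list:
    """Return (line, reasons) for every log entry worth fixing."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        reasons = []
        if line.startswith("O15 - Trusted Zone:"):
            reasons.append("Trusted Zone site gets relaxed IE security; remove unless needed")
        elif line.startswith("R3 - URLSearchHook") and line.endswith("(no file)"):
            reasons.append("URLSearchHook points at a missing file: orphaned hijack remnant")
        elif (m := O4_RE.match(line)):
            reasons = check_autorun(m.group(3), m.group(4))
        if reasons:
            findings.append((line, reasons))
    return findings


if __name__ == "__main__":
    for line, reasons in triage(SAMPLE_LOG):
        print(line)
        for reason in reasons:
            print("   ->", reason)
```

Run against the sample it reports exactly the seven entries in the checklist above (the R3 hook, the five O4 values ryb81646, ms03536007941, TheMonitor, Ciat and Lbjctxur, and the O15 Trusted Zone) and leaves ScanRegistry, LoadPowerProfile and fsp alone. The location and masquerade checks matter more than the name test: DUCE6.exe and gtf.exe have unremarkable names and are caught only because of where they run from, which is also why a real triage should always consider the path, not just the value name.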

Re: Infected

Post by fission1 » August 27th, 2006, 4:15 pm

OK, first off:

When I was using P2P, I was working from lists of known good files from friends at deviantART.com, also I haven't run it in quite a while since I've got everything I was after...

Second: (I should have mentioned this sooner) I don't own this computer, it is on a LAN at the residential care facility where I live. There is some sort of AV/firewall in place, though I don't know what (McAfee possibly?) or how good. Also, the other users of this computer (4 or 5) are mentally challenged, and I believe that one of them was surfing porn sites, leading to the problems we've been working on...

Now: I did everything you asked and all went well. Ad-Aware found a handful of tracking cookies and a few MRU lists (I removed them all). Spybot found Downloader.Tsupdate.L, which it fixed.

I ran the Kaspersky online scan which found 13 viruses(!), but it would only let me save as HTML, so I uploaded the file to my deviantART gallery. Here's a link to it:

http://ic3.deviantart.com/fs11/f/2006/2 ... 27_06.html

And lastly, the new HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 2:47:06 PM, on 8/27/06
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\KB918547\KB918547.EXE
c:\windows\SYSTEM\KB891711\KB891711.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\MOUSE\SYSTEM\EM_EXEC.EXE
C:\COMPAQ\CPQINET\CPQINET.EXE
C:\PROGRAM FILES\MOTIVE\MOTIVEASSISTANT\MOTMON.EXE
C:\PROGRAM FILES\FOLDER SHIELD\FSP.EXE
C:\PROGRAM FILES\ATOMIC CLOCK SYNC\ATOMIC.EXE
C:\PROGRAM FILES\FREERAM\FREERAM.EXE
C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\BTTNSERV.EXE
C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\EAUSBKBD.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\HJT\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://desktop.presario.net/scripts/red ... 409&c=1c00
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://login.live.com/login.srf?id=2&sv ... 3&_lang=EN
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.presario.net/scripts/redi ... ar&LC=0409
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_6_0_0.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_6_0_0.DLL
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [EM_EXEC] c:\mouse\system\em_exec.exe
O4 - HKLM\..\Run: [CPQInet] c:\compaq\CPQInet\CpqInet.exe
O4 - HKLM\..\Run: [MotiveMonitor] C:\Program Files\Motive\MotiveAssistant\motmon.exe
O4 - HKLM\..\Run: [fsp] C:\PROGRAM FILES\FOLDER SHIELD\fsp.exe
O4 - HKLM\..\Run: [ATOMIC.EXE] C:\PROGRAM FILES\ATOMIC CLOCK SYNC\ATOMIC.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [KB918547] C:\WINDOWS\SYSTEM\KB918547\KB918547.EXE
O4 - HKLM\..\RunServices: [KB891711] c:\windows\SYSTEM\KB891711\KB891711.EXE
O4 - HKCU\..\Run: [BySoft FreeRAM] C:\PROGRAM FILES\FREERAM\FREERAM.EXE
O4 - Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmwordtrans.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsimilar.html
O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate Page into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmtrans.html
O9 - Extra button: Translate - {06FE5D05-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redi ... 00&lc=0409 (file missing)
O9 - Extra 'Tools' menuitem: AV &Translate - {06FE5D05-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redi ... 00&lc=0409 (file missing)
O9 - Extra button: (no name) - {06FE5D02-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redi ... 00&lc=0409 (file missing)
O9 - Extra 'Tools' menuitem: &Find Pages Linking to this URL - {06FE5D02-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redi ... 00&lc=0409 (file missing)
O9 - Extra button: (no name) - {06FE5D03-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redi ... 00&lc=0409 (file missing)
O9 - Extra 'Tools' menuitem: Find Other Pages on this &Host - {06FE5D03-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redi ... 00&lc=0409 (file missing)
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRAM FILES\JAVA\JRE1.5.0_06\BIN\SSV.DLL
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRAM FILES\JAVA\JRE1.5.0_06\BIN\SSV.DLL
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YAHOOMESSENGER.EXE
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YAHOOMESSENGER.EXE
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by110fd.bay110.hotmail.msn.com/r ... nPUpld.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.c ... 040510.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partne ... n_ansi.cab

Thanks for everything so far!

Post by Trogan » August 28th, 2006, 9:22 pm

Hi fission1! Sorry for any delay, I was away for the weekend. Next, thanks for the info provided.

Regarding the Anti-Virus: I appreciate the fact that an Anti-Virus and Firewall may have been on the computer previously, however, the logs you provided do not show any signs of an Anti-Virus or Firewall protection. Therefore, I suggest downloading them from my previous instructions. :)

The link for the Kaspersky log isn't working. Would you still know what was found?

Please do the following...

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update to the latest version...

Updating Java:
  • Download the latest version of Java Runtime Environment (JRE) 5.0 Update 8.
  • Scroll down to where it says "The J2SE Runtime Environment (JRE) allows end-users to run Java applications."
  • Click the "Download" button to the right.
  • Check the box that says: "Accept License Agreement."
  • The page will refresh.
  • Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel double-click on Add/Remove programs and remove the following...
    • J2SE Runtime Environment 5.0 Update 6
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-1_5_0_08-windowsi586-p.exe to install the newest version.

=====

Please post a new HijackThis log, and let me know what Kaspersky found. :)

Re: Infected

Post by fission1 » August 28th, 2006, 11:53 pm

Very sorry about that link, I stripped the markup out of the HTML file and came up with this:

KASPERSKY ONLINE SCANNER REPORT

Sunday, August 27, 2006 2:28:39 PM
Operating System: Microsoft Windows 98 SE
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 27/08/2006
Kaspersky Anti-Virus database records: 218731

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true
Scan Target: My Computer

a:\
c:\
d:\
e:\

Scan Statistics:
Total number of scanned objects: 32424
Number of viruses found: 13
Number of infected objects: 29 / 0
Number of suspicious objects: 0
Duration of the scan process: 01:14:02


c:\WINDOWS\SYSTEM\qtsnl.dll
Infected: not-a-virus: AdWare.Win32.PurityScan.ak
skipped

c:\WINDOWS\Application Data\Mozilla\Firefox\Profiles\ff67f6m1.default\cert8.db
Object is locked
skipped

c:\WINDOWS\Application Data\Mozilla\Firefox\Profiles\ff67f6m1.default\key3.db
Object is locked
skipped

c:\WINDOWS\Application Data\Mozilla\Firefox\Profiles\ff67f6m1.default\history.dat
Object is locked
skipped

c:\WINDOWS\Application Data\Mozilla\Firefox\Profiles\ff67f6m1.default\Cache\_CACHE_MAP_
Object is locked
skipped

c:\WINDOWS\Application Data\Mozilla\Firefox\Profiles\ff67f6m1.default\Cache\_CACHE_001_
Object is locked
skipped

c:\WINDOWS\Application Data\Mozilla\Firefox\Profiles\ff67f6m1.default\Cache\_CACHE_002_
Object is locked
skipped

c:\WINDOWS\Application Data\Mozilla\Firefox\Profiles\ff67f6m1.default\Cache\_CACHE_003_
Object is locked
skipped

c:\WINDOWS\Application Data\Mozilla\Firefox\Profiles\ff67f6m1.default\parent.lock
Object is locked
skipped

c:\WINDOWS\Application Data\Mozilla\Firefox\Profiles\ff67f6m1.default\formhistory.dat
Object is locked
skipped

c:\WINDOWS\Downloaded Program Files\CONFLICT.1\HbInstIE.dll
Infected: not-a-virus: AdWare.Win32.HotBar.bj
skipped

c:\WINDOWS\Downloaded Program Files\CONFLICT.4\HbInstIE.dll
Infected: not-a-virus: AdWare.Win32.HotBar.bj
skipped

c:\WINDOWS\Downloaded Program Files\USYP_0001_N85M2606NetInstaller.exe
Infected: Trojan-Downloader.Win32.Agent.alr
skipped

c:\WINDOWS\Downloaded Program Files\HbInstIE.dll
Infected: not-a-virus:AdWare.Win32.HotBar.bj
skipped

c:\WINDOWS\Downloaded Program Files\CONFLICT.3\HbInstIE.dll
Infected: not-a-virus:AdWare.Win32.HotBar.bj
skipped

c:\WINDOWS\Downloaded Program Files\UWA6P_0001_N91M1807NetInstaller.exe
Infected: not-a-virus:Downloader.Win32.WinFixer.o
skipped

c:\WINDOWS\SchedLog.Txt
Object is locked
skipped

c:\WINDOWS\Temporary Internet Files\Content.IE5\index.dat
Object is locked
skipped

c:\WINDOWS\Cookies\index.dat
Object is locked
skipped

c:\WINDOWS\History\History.IE5\index.dat
Object is locked
skipped

c:\WINDOWS\WIN386.SWP
Object is locked
skipped

c:\WINDOWS\Local Settings\Application Data\Microsoft\Internet Explorer\MSIMGSIZ.DAT
Object is locked
skipped

c:\WINDOWS\ac3_0002.exe
Infected: Trojan-Downloader.Win32.Small.cyh
skipped

c:\WINDOWS\Setup90.exe/data0002
Infected: Trojan.Win32.VB.tg
skipped

c:\WINDOWS\Setup90.exe/data0005
Infected: Trojan.Win32.VB.tg
skipped

c:\WINDOWS\Setup90.exe/data0006
Infected: Trojan.Win32.VB.tg
skipped

c:\WINDOWS\Setup90.exe
NSIS: infected - 3
skipped

c:\WINDOWS\tapeG22.exe
Infected: Trojan.Win32.VB.tg
skipped

c:\WINDOWS\uni_ehhhh.exe
Infected: Trojan.Win32.VB.tg
skipped

c:\WINDOWS\uninst104.exe
Infected: Trojan.Win32.VB.tg
skipped

c:\WINDOWS\sys06007941536.exe
Infected: Trojan.Win32.VB.tg
skipped

c:\Program Files\a-squared Free\Quarantine\9ef880034bb5bef454566dee06642de2.a2q/WINDOWS/SYSTEM/Cdsi/jnlveqi.exe
Infected: not-a-virus:AdWare.Win32.PurityScan.et
skipped

c:\Program Files\a-squared Free\Quarantine\9ef880034bb5bef454566dee06642de2.a2q
ZIP: infected - 1
skipped

c:\Program Files\a-squared Free\Quarantine\176d206513533b03d5c87b34af7cad65.a2q/WINDOWS/SYSTEM/efcyvuv.dll
Infected: not-a-virus:AdWare.Win32.Virtumonde.cu
skipped

c:\Program Files\a-squared Free\Quarantine\176d206513533b03d5c87b34af7cad65.a2q
ZIP: infected - 1
skipped

c:\Program Files\a-squared Free\Quarantine\e95cfce6c82b342273318c1fe4c98c3e.a2q/WINDOWS/SYSTEM/winmiu32.dll
Infected: Packed.Win32.Klone.g
skipped

c:\Program Files\a-squared Free\Quarantine\e95cfce6c82b342273318c1fe4c98c3e.a2q
ZIP: infected - 1
skipped

c:\Program Files\a-squared Free\Quarantine\c80c7955fc591021e4b0c0282fe98f63.a2q/WINDOWS/SYSTEM/axmloodr.exe
Infected: not-a-virus:AdWare.Win32.HotBar.bq
skipped

c:\Program Files\a-squared Free\Quarantine\c80c7955fc591021e4b0c0282fe98f63.a2q
ZIP: infected - 1
skipped

c:\HJT\backups\backup-20060825-003722-195.dll
Infected: not-a-virus:AdWare.Win32.PurityScan.ak
skipped

c:\HJT\backups\backup-20060825-003722-310.dll
Infected: not-a-virus:AdWare.Win32.MediaMotor.p
skipped

c:\web.exe
Infected: Trojan-Downloader.Win32.Delf.ags
skipped

c:\wsetup.exe/Wink.exe
Infected: not-a-virus:AdWare.Win32.Agent.p
skipped

c:\wsetup.exe
CreateInstall: infected - 1
skipped

Scan process completed.


Logfile of HijackThis v1.99.1
Scan saved at 10:16:35 PM, on 8/28/06
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\KB918547\KB918547.EXE
c:\windows\SYSTEM\KB891711\KB891711.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\MOUSE\SYSTEM\EM_EXEC.EXE
C:\COMPAQ\CPQINET\CPQINET.EXE
C:\PROGRAM FILES\MOTIVE\MOTIVEASSISTANT\MOTMON.EXE
C:\PROGRAM FILES\FOLDER SHIELD\FSP.EXE
C:\PROGRAM FILES\ATOMIC CLOCK SYNC\ATOMIC.EXE
C:\PROGRAM FILES\FREERAM\FREERAM.EXE
C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\BTTNSERV.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\EAUSBKBD.EXE
C:\HJT\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://desktop.presario.net/scripts/red ... 409&c=1c00
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://login.live.com/login.srf?id=2&sv ... 3&_lang=EN
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.presario.net/scripts/redi ... ar&LC=0409
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_6_0_0.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_6_0_0.DLL
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [EM_EXEC] c:\mouse\system\em_exec.exe
O4 - HKLM\..\Run: [CPQInet] c:\compaq\CPQInet\CpqInet.exe
O4 - HKLM\..\Run: [MotiveMonitor] C:\Program Files\Motive\MotiveAssistant\motmon.exe
O4 - HKLM\..\Run: [fsp] C:\PROGRAM FILES\FOLDER SHIELD\fsp.exe
O4 - HKLM\..\Run: [ATOMIC.EXE] C:\PROGRAM FILES\ATOMIC CLOCK SYNC\ATOMIC.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [KB918547] C:\WINDOWS\SYSTEM\KB918547\KB918547.EXE
O4 - HKLM\..\RunServices: [KB891711] c:\windows\SYSTEM\KB891711\KB891711.EXE
O4 - HKCU\..\Run: [BySoft FreeRAM] C:\PROGRAM FILES\FREERAM\FREERAM.EXE
O4 - Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmwordtrans.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsimilar.html
O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate Page into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmtrans.html
O9 - Extra button: Translate - {06FE5D05-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redi ... 00&lc=0409 (file missing)
O9 - Extra 'Tools' menuitem: AV &Translate - {06FE5D05-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redi ... 00&lc=0409 (file missing)
O9 - Extra button: (no name) - {06FE5D02-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redi ... 00&lc=0409 (file missing)
O9 - Extra 'Tools' menuitem: &Find Pages Linking to this URL - {06FE5D02-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redi ... 00&lc=0409 (file missing)
O9 - Extra button: (no name) - {06FE5D03-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redi ... 00&lc=0409 (file missing)
O9 - Extra 'Tools' menuitem: Find Other Pages on this &Host - {06FE5D03-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redi ... 00&lc=0409 (file missing)
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YAHOOMESSENGER.EXE
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YAHOOMESSENGER.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\npjpi150_08.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\npjpi150_08.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by110fd.bay110.hotmail.msn.com/r ... nPUpld.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.c ... 040510.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partne ... n_ansi.cab
fission1
Active Member
 
Posts: 14
Joined: August 25th, 2006, 2:36 am
Location: St Olaf, Iowa

Unread postby Trogan » August 29th, 2006, 12:57 pm

Hi fission1,

I still don't see an Anti-Virus or Firewall on the computer. Without these, the computer will always be at risk from malware. I have listed some Free programs in my second post if you would like to have another look. :)

=====

Please download and run Purityscan Uninstaller

Tutorial for the uninstaller if needed

Reboot when done and delete this folder if found:
C:\Program Files\PurityScan

=====

Please download Killbox and save it to your desktop.

Copy and paste everything in the Quote box below into Notepad, and save to the Desktop as Bad Files or similar
c:\WINDOWS\Downloaded Program Files\HbInstIE.dll
c:\WINDOWS\Downloaded Program Files\CONFLICT.1\HbInstIE.dll
c:\WINDOWS\Downloaded Program Files\CONFLICT.3\HbInstIE.dll
c:\WINDOWS\Downloaded Program Files\CONFLICT.4\HbInstIE.dll
c:\WINDOWS\Downloaded Program Files\USYP_0001_N85M2606NetInstaller.exe
c:\WINDOWS\Downloaded Program Files\UWA6P_0001_N91M1807NetInstaller.exe
c:\WINDOWS\ac3_0002.exe
c:\WINDOWS\Setup90.exe
c:\WINDOWS\tapeG22.exe
c:\WINDOWS\uni_ehhhh.exe
c:\WINDOWS\uninst104.exe
c:\WINDOWS\sys06007941536.exe
c:\web.exe
c:\wsetup.exe
c:\Wink.exe

Next, open Killbox
Go to File tab and select Paste from Clipboard
Select the Delete on Reboot option
Select All Files
Now click on the Red Circle with the White X
Press Yes to reboot your computer.

Once rebooted, continue below

Post a new HijackThis log. Hopefully you will have installed an Anti-Virus and Firewall by then. ;)

Let me know how the computer is now please. :)
Trogan
MRU Teacher Emeritus
 
Posts: 2291
Joined: November 26th, 2005, 9:31 am
Location: London

Re: Infected

Unread postby fission1 » August 29th, 2006, 1:28 pm

First, I haven't been ignoring your AV advice. When I'm not corresponding with you, this computer is shut down and the ethernet cable is unplugged. I got permission from the administrator here at the facility where I live to move this machine to a private area and to hook up to my own internet connection. That will be some time today or tomorrow at the latest. The absolute first thing I will do when I plug it in in my room is to dl and install AntiVir (that's what I used when I did have my own computer). Then I'll look at some reviews and get a good free firewall in place (I'll check your recommendations for sure!). Also, I won't be using Internet Explorer at all in the future.

The computer is acting as good as I could ask for, the popups have stopped completely, windows have stopped losing focus, etc.....

And, the new HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 12:16:42 PM, on 8/29/06
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\KB918547\KB918547.EXE
c:\windows\SYSTEM\KB891711\KB891711.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\MOUSE\SYSTEM\EM_EXEC.EXE
C:\COMPAQ\CPQINET\CPQINET.EXE
C:\PROGRAM FILES\MOTIVE\MOTIVEASSISTANT\MOTMON.EXE
C:\PROGRAM FILES\FOLDER SHIELD\FSP.EXE
C:\PROGRAM FILES\ATOMIC CLOCK SYNC\ATOMIC.EXE
C:\PROGRAM FILES\FREERAM\FREERAM.EXE
C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\BTTNSERV.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\EAUSBKBD.EXE
C:\HJT\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://desktop.presario.net/scripts/red ... 409&c=1c00
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://login.live.com/login.srf?id=2&sv ... 3&_lang=EN
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.presario.net/scripts/redi ... ar&LC=0409
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_6_0_0.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_6_0_0.DLL
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [EM_EXEC] c:\mouse\system\em_exec.exe
O4 - HKLM\..\Run: [CPQInet] c:\compaq\CPQInet\CpqInet.exe
O4 - HKLM\..\Run: [MotiveMonitor] C:\Program Files\Motive\MotiveAssistant\motmon.exe
O4 - HKLM\..\Run: [fsp] C:\PROGRAM FILES\FOLDER SHIELD\fsp.exe
O4 - HKLM\..\Run: [ATOMIC.EXE] C:\PROGRAM FILES\ATOMIC CLOCK SYNC\ATOMIC.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [KB918547] C:\WINDOWS\SYSTEM\KB918547\KB918547.EXE
O4 - HKLM\..\RunServices: [KB891711] c:\windows\SYSTEM\KB891711\KB891711.EXE
O4 - HKCU\..\Run: [BySoft FreeRAM] C:\PROGRAM FILES\FREERAM\FREERAM.EXE
O4 - Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmwordtrans.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsimilar.html
O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate Page into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmtrans.html
O9 - Extra button: Translate - {06FE5D05-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redi ... 00&lc=0409 (file missing)
O9 - Extra 'Tools' menuitem: AV &Translate - {06FE5D05-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redi ... 00&lc=0409 (file missing)
O9 - Extra button: (no name) - {06FE5D02-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redi ... 00&lc=0409 (file missing)
O9 - Extra 'Tools' menuitem: &Find Pages Linking to this URL - {06FE5D02-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redi ... 00&lc=0409 (file missing)
O9 - Extra button: (no name) - {06FE5D03-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redi ... 00&lc=0409 (file missing)
O9 - Extra 'Tools' menuitem: Find Other Pages on this &Host - {06FE5D03-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redi ... 00&lc=0409 (file missing)
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YAHOOMESSENGER.EXE
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YAHOOMESSENGER.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\npjpi150_08.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\npjpi150_08.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by110fd.bay110.hotmail.msn.com/r ... nPUpld.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.c ... 040510.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partne ... n_ansi.cab
fission1
Active Member
 
Posts: 14
Joined: August 25th, 2006, 2:36 am
Location: St Olaf, Iowa
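As an added example (not code from this thread, from HijackThis, or from the MalwareRemoval.com helpers), here is a small Python parser for the HijackThis 1.99 log format posted above. It turns each R/O entry into a record, applies three triage heuristics of the kind the helpers here act on (entries HijackThis tags "(file missing)", O16 ActiveX downloads from hosts outside an assumed allowlist, and O4 autoruns launched straight from a drive root, like the c:\web.exe Trogan had Killbox delete), and diffs a before/after pair so a cleanup pass can be checked against the next log. The sample input is a handful of lines copied from the log above plus two constructed lines (the c:\web.exe autorun and an O16 entry for a made-up host) so that each rule has something to fire on; the trusted-host allowlist and the rules themselves are the example's own assumptions, not HijackThis behaviour.

```python
"""
Triage helper for HijackThis 1.99.x logs.

Added example for this thread; not HijackThis code and not a tool the helpers
used.  Parses the log format posted above, flags entries an analyst looks at
first, and diffs a before/after pair so a cleanup step can be verified.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Every HJT entry line starts with a section tag (R0, R1, O2, O4, O16, ...).
_ENTRY = re.compile(r"^(?P<section>[RO]\d{1,2}) - (?P<body>.+)$")
_CLSID = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
_URL = re.compile(r"https?://(?P<host>[^/\s]+)")

# Hosts the O16 (Downloaded Program Files / ActiveX) entries in the log above
# legitimately point at.  Assumed allowlist for this example only.
TRUSTED_DPF_HOSTS = ("microsoft.com", "msn.com", "yimg.com", "yahoo.com", "kaspersky.com")


@dataclass(frozen=True)
class Entry:
    section: str
    body: str                 # line minus the section tag and any "(file missing)"
    clsid: Optional[str]
    target: str               # file path, command line or URL the entry points at
    file_missing: bool        # HJT appends "(file missing)" to orphaned registry entries

    def key(self) -> str:
        """Identity used when diffing two logs (case-insensitive)."""
        return f"{self.section} {self.body.lower()}"


def _target(section: str, body: str) -> str:
    if section == "O4" and "] " in body:      # O4 - HKLM\..\Run: [name] command
        return body.split("] ", 1)[1]
    if " = " in body:                          # R0/R1 values, O4 Startup shortcuts
        return body.split(" = ", 1)[1]
    return body.rsplit(" - ", 1)[-1]           # O2/O3/O8/O9/O16: name - {CLSID} - target


def parse_hjt_log(text: str) -> List[Entry]:
    entries = []
    for line in text.splitlines():
        m = _ENTRY.match(line.strip())
        if not m:
            continue                            # header, process list, blank lines
        section, body = m.group("section"), m.group("body")
        missing = body.endswith("(file missing)")
        if missing:
            body = body[: -len("(file missing)")].rstrip()
        clsid = _CLSID.search(body)
        entries.append(Entry(section, body, clsid.group(0) if clsid else None,
                             _target(section, body), missing))
    return entries


def _trusted(host: str) -> bool:
    return any(host == h or host.endswith("." + h) for h in TRUSTED_DPF_HOSTS)


def triage(entries: List[Entry]) -> List[str]:
    """Heuristic findings, one note per hit.  The rules are this example's own."""
    findings = []
    for e in entries:
        if e.file_missing:
            findings.append(f"{e.section}: orphaned entry ({e.target}); safe to fix in HJT")
        if e.section == "O16":                 # ActiveX control downloaded by IE
            m = _URL.search(e.target)
            host = m.group("host").lower() if m else ""
            if not _trusted(host):
                findings.append(f"O16: ActiveX from untrusted host {host or '?'}: {e.target}")
        if e.section == "O4":                  # autorun launched straight from a drive root
            if re.match(r"^[a-z]:\\", e.target, re.I) and e.target.count("\\") == 1:
                findings.append(f"O4: autorun from drive root: {e.target}")
    return findings


def removed_entries(before: List[Entry], after: List[Entry]) -> List[Entry]:
    """Entries present in the earlier log and gone from the later one."""
    after_keys = {e.key() for e in after}
    return [e for e in before if e.key() not in after_keys]


# Sample input: lines copied from the log above, plus two constructed lines
# (the c:\web.exe autorun and an O16 entry for a made-up host) so each rule fires.
BEFORE_LOG = r"""
Logfile of HijackThis v1.99.1
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [fsp] C:\PROGRAM FILES\FOLDER SHIELD\fsp.exe
O4 - HKLM\..\Run: [web] c:\web.exe
O9 - Extra button: Translate - {06FE5D05-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redi ... 00&lc=0409 (file missing)
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by110fd.bay110.hotmail.msn.com/r ... nPUpld.cab
O16 - DPF: {00000000-0000-0000-0000-000000000000} (Constructed Installer) - http://dl.example.invalid/NetInstaller.cab
"""
# Simulated post-cleanup log: the same text with the constructed autorun gone.
AFTER_LOG = "\n".join(l for l in BEFORE_LOG.splitlines() if "web.exe" not in l)


def triage_report(before_text: str = BEFORE_LOG, after_text: str = AFTER_LOG) -> dict:
    before, after = parse_hjt_log(before_text), parse_hjt_log(after_text)
    return {"findings": triage(after),
            "removed": [e.body for e in removed_entries(before, after)]}


if __name__ == "__main__":
    report = triage_report()
    for note in report["findings"]:
        print("FINDING", note)
    for body in report["removed"]:
        print("REMOVED", body)
```

Run against the two full logs in this thread the diff comes back empty, which matches Trogan's reading: the files on the Killbox list were not autorun entries, so the log looked the same before and after, and the real evidence of cleanup was the popups stopping. The "(file missing)" O9 entries are leftovers of the Compaq search buttons and are harmless, which is why they were not fixed here.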

Unread postby Trogan » August 29th, 2006, 7:16 pm

Hi fission1! I'm glad the computer is back to normal, and that you will get an Anti-Virus and Firewall installed.

I'm pleased to say the HijackThis log is clean. You can delete the Purityscan Uninstaller tool, and Killbox as they are not needed anymore.

Here are some measures you can take to stay more secure online:

Secure your Internet Explorer by going here and following the instructions there.

Better yet, use an alternative browser! Download FireFox and give it a run. It is far more secure than Internet Explorer. Or, you can get Opera.

Use a firewall to help prevent your PC(s) from being usurped by undesirables. If you don't have a Firewall, then choose one from the list here

Install an Anti-Virus. There are some good, free AV's available today. Make sure that it is updated regularly and have it scan your system often. If you don't have an Anti-Virus program, choose one from the list here

Install and keep updated, Ad-Aware SE and Spybot Search & Destroy.
Run them both on a regular basis, following the manufacturer's recommendations.

Install and keep updated, SpywareBlaster and SpywareGuard

Check for Windows Updates. Microsoft regularly post updates for your system's safe running. Make sure to take advantage of this. Reboot when installed and return to make sure there are no others.

Clear your Temp folders.
Go to Start > Control Panel > Internet Options.
Under the General tab click the Delete Files... button; check the Delete all offline content box and press OK. Next, click the Delete Cookies... button and press OK.

Go to "Start" -> "Run" and type in the box: "cleanmgr" press OK. Select the drive where your Operating System is installed (Default is C:) and press OK. Let Disk Cleanup scan your system for files to remove (it takes a few minutes!). On the next screen make sure these 3 options are checked
  • Temporary Files
  • Temporary Internet Files
  • Recycle Bin
and then press "OK" to remove them.

Go to Start > Find/Search > Files or folders > in the Named box, type: *.tmp and choose Edit > Select All > File > Delete.

Empty/delete the entire contents from within the following folders:
C:\Windows\temp
C:\temp <-- if you have one.
Note: Empty the contents but do not delete the folder(s).

Clear out temp files from the following location. Change "username" to whatever you have on your computer.
C:\Documents and Settings\username\Local Settings\Temp\
In order to view these files you may have to select 'show hidden files/folders.' Instructions on how to here.

Empty the Recycle Bin!

===============

If you have any more problems, post back. Otherwise, respond once more so we may archive this thread. :)
Trogan
MRU Teacher Emeritus
 
Posts: 2291
Joined: November 26th, 2005, 9:31 am
Location: London

Re: Infected

Unread postby fission1 » August 29th, 2006, 7:23 pm

Many, many thanks for all your help and advice. It's been a heck of a few days, but you got me through it.

Take care...
f1
fission1
Active Member
 
Posts: 14
Joined: August 25th, 2006, 2:36 am
Location: St Olaf, Iowa

Unread postby NonSuch » August 29th, 2006, 7:39 pm

Glad we could be of assistance.

This topic is now closed. If you wish it reopened, please send us an email to 'admin at malwareremoval.com' with a link to your thread.

You can help support this site from this link :
Donations For Malware Removal

Please do not contact us if you are not the topic starter. A valid, working link to the closed topic is required along with the user name used. If the user name does not match the one in the thread linked, the email will be deleted.
NonSuch
Administrator
 
Posts: 28747
Joined: February 23rd, 2005, 7:08 am
Location: California