TheTechGuide Forum
General Category => Tech Clinic => Topic started by: chels82 on April 20, 2005, 10:48:02 PM
-
This is a recent problem that just started about two days ago. I started getting a popup called IPcons. I've tried a few things to delete but none have been successful. I'm posting my HijackThis log below. Any help would be great.
Thanks.
Logfile of HijackThis v1.99.1
Scan saved at 8:41:25 PM, on 4/20/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\COMMON FILES\AOL\ACS\AOLACSD.EXE
C:\WINDOWS\SYSTEM\SPOOLSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPLPR.EXE
C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPENH.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\PROGRAM FILES\COMMON FILES\AOL\ACS\AOLDIAL.EXE
D:\AMERICA ONLINE 9.0\DOWNLOAD\AOL SPYWARE PROTECTION\AOLSP SCHEDULER.EXE
C:\WINDOWS\SYSTEM\SERVICES\{D29B29E0-B1C8-11D9-AB5E-444553540000}\SVCHOST.EXE
D:\PROGRAM FILES\AIM\AIM.EXE
D:\AMERICA ONLINE 9.0\AOLTRAY.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
D:\AMERICA ONLINE 9.0\WEmail RemovedEXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
D:\AMERICA ONLINE 9.0\SHELLMON.EXE
C:\PROGRAM FILES\COMMON FILES\AOL\AOLTPSPD.EXE
D:\PROGRAM FILES\HIJACKTHIS\HIJACKTHIS.EXE
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ipcons.biz/index.php?id=11258
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by America Online
F1 - win.ini: run=c:\DELL\WINBATCH.EXE
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe /q
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [AOL Spyware Protection] "D:\AMERIC~1.0\DOWNLOAD\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [Service Host] C:\WINDOWS\SYSTEM\Services\{D29B29E0-B1C8-11D9-AB5E-444553540000}\SVCHOST.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [AolAcsDaemon1] "C:\PROGRAM FILES\COMMON FILES\AOL\ACS\AOLACSD.EXE"
O4 - HKLM\..\RunServices: [Srv32 spool service] C:\WINDOWS\System\spoolsrv32.exe
O4 - HKCU\..\Run: [MoneyAgent] "c:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [AIM] D:\PROGRAM FILES\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\RunServices: [MoneyAgent] "c:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\RunServices: [AIM] D:\PROGRAM FILES\AIM\aim.exe -cnetwait.odl
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: Crystal 3D Audio Control.lnk = C:\WINDOWS\CWB3DSND.EXE
O4 - Startup: America Online 9.0 Tray Icon.lnk = D:\America Online 9.0\aoltray.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\PROGRAM FILES\AOL TOOLBAR\TOOLBAR.DLL/SEARCH.HTML
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - D:\PROGRAM FILES\AIM\AIM.EXE
O9 - Extra button: Microsoft AntiSpyware helper - {2F94A560-A6E6-11D9-AB5E-444553540000} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {2F94A560-A6E6-11D9-AB5E-444553540000} - (no file) (HKCU)
O16 - DPF: {8F0F5093-0A70-11D0-BCA9-00C04FD85AA6} - http://fdl.msn.com/public/oc/setupbbs.ocx
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.av.Email Removed/molbin/shared/m...83/mcinsctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.av.Email Removed/molbin/shared/m...,20/mcgdmgr.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.Email Removed/computercheckup/qdiagcc.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = aoldsl.net
O21 - SSODL: OLE Module - {0656A137-B161-CADD-9777-E37A75727E78} - C:\WINDOWS\SYSTEM\thun32.dll
-
Hi chels82, I want to check on something
Can you please
download startdreck.zip (http://www.niksoft.at/php/dl.php?f=startdreck.zip)
UNZIP to its own folder.... DoubleClick: 'StartDreck.exe'
Hit: -config
hit: -Unmark all
Check these boxes only:
*Registry->run keys
*Registry->Browser helper objects
*System/drivers> Running processes
hit >ok.
Use the "save" tab, to save, name and post this log
Copy and Paste the contents of that log back here
-
StartDreck (build 2.1.7 public stable) - 2005-04-21 @ 17:23:53 (GMT -07:00)
Platform: Windows 98 SE (Win 4.10.2222 A)
Internet Explorer: 6.0.2600.0000
Logged in as Chelsea at DELL INSPIRON
»Registry
»Run Keys
»Current User
»Run
*MoneyAgent="c:\Program Files\Microsoft Money\System\mnyexpr.exe"
*AIM=D:\PROGRAM FILES\AIM\aim.exe -cnetwait.odl
»RunOnce
»Default User
»Run
*MoneyAgent="c:\Program Files\Microsoft Money\System\mnyexpr.exe"
*AIM=D:\PROGRAM FILES\AIM\aim.exe -cnetwait.odl
»RunOnce
»Local Machine
»Run
*SystemTray=SysTray.Exe
*SynTPLpr=C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
*SynTPEnh=C:\Program Files\Synaptics\SynTP\SynTPEnh.exe /q
*ScanRegistry=c:\windows\scanregw.exe /autorun
*TaskMonitor=c:\windows\taskmon.exe
*LoadPowerProfile=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
*QuickTime Task="C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
*AOLDialer=C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
*AOL Spyware Protection="D:\AMERIC~1.0\DOWNLOAD\AOLSPY~1\AOLSP Scheduler.exe"
*Service Host=C:\WINDOWS\SYSTEM\Services\{D29B29E0-B1C8-11D9-AB5E-444553540000}\SVCHOST.EXE
+OptionalComponents
+MSFS
*Installed=1
+MAPI
*Installed=1
*NoChange=1
+MAPI
*Installed=1
*NoChange=1
»RunOnce
»RunServices
*LoadPowerProfile=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
*SchedulingAgent=mstask.exe
*AolAcsDaemon1="C:\PROGRAM FILES\COMMON FILES\AOL\ACS\AOLACSD.EXE"
*Srv32 spool service=C:\WINDOWS\System\spoolsrv32.exe
»RunServicesOnce
»RunOnceEx
»RunServicesOnceEx
»Browser Helper Objects (LM)
*{53707962-6F74-2D53-2644-206D7942484F}
`InprocServer32=D:\Program Files\Spybot - Search & Destroy\SDHelper.dll
»Files
»System/Drivers
»Running Processes
+FFEFED8B=C:\WINDOWS\SYSTEM\KERNEL32.DLL
+FFFFBAEF=C:\WINDOWS\SYSTEM\MSGSRV32.EXE
+FFFFB2F7=C:\WINDOWS\SYSTEM\SPOOL32.EXE
+FFFE5D4F=C:\WINDOWS\SYSTEM\MPREXE.EXE
+FFFE27EB=C:\WINDOWS\SYSTEM\MSTASK.EXE
+FFFEDBDB=C:\PROGRAM FILES\COMMON FILES\AOL\ACS\AOLACSD.EXE
+FFFE9157=C:\WINDOWS\SYSTEM\SPOOLSRV32.EXE
+FFFEA32F=C:\WINDOWS\SYSTEM\mmtask.tsk
+FFFD6BCF=C:\WINDOWS\EXPLORER.EXE
+FFFDA6BB=C:\WINDOWS\SYSTEM\SYSTRAY.EXE
+FFFC75A3=C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPLPR.EXE
+FFFC6723=C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPENH.EXE
+FFFC05F7=C:\WINDOWS\TASKMON.EXE
+FFFC2A57=C:\WINDOWS\SYSTEM\QTTASK.EXE
+FFFCDECF=C:\PROGRAM FILES\COMMON FILES\AOL\ACS\AOLDIAL.EXE
+FFFCCDAB=D:\AMERICA ONLINE 9.0\DOWNLOAD\AOL SPYWARE PROTECTION\AOLSP SCHEDULER.EXE
+FFFCF703=C:\WINDOWS\SYSTEM\SERVICES\{D29B29E0-B1C8-11D9-AB5E-444553540000}\SVCHOST.EXE
+FFFC8813=D:\PROGRAM FILES\AIM\AIM.EXE
+FFFB1A93=D:\AMERICA ONLINE 9.0\AOLTRAY.EXE
+FFFA28EB=D:\AMERICA ONLINE 9.0\WEmail RemovedEXE
+FFFA81BF=C:\WINDOWS\SYSTEM\WMIEXE.EXE
+FFF87007=C:\WINDOWS\SYSTEM\DDHELP.EXE
+FFF6EBE3=C:\WINDOWS\SYSTEM\RNAAPP.EXE
+FFF6C0FB=C:\WINDOWS\SYSTEM\TAPISRV.EXE
+FFF53C13=D:\AMERICA ONLINE 9.0\SHELLMON.EXE
+FFF54DD7=C:\PROGRAM FILES\COMMON FILES\AOL\AOLTPSPD.EXE
+FFF34387=D:\PROGRAM FILES\STARTD\STARTDRECK.EXE
»Application specific
-
==Download the Pocket Killbox (http://www.downloads.subratam.org/KillBox.zip)
UNZIP it to a folder of your choice
Copy and paste these instructions to a Notepad file then close all browser windows
With all other windows closed, including this one
Do another scan with Hijackthis and put a check next to these entries:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ipcons.biz/index.php?id=11258
O4 - HKLM\..\Run: [Service Host] C:\WINDOWS\SYSTEM\Services\{D29B29E0-B1C8-11D9-AB5E-444553540000}\SVCHOST.EXE
O4 - HKLM\..\RunServices: [Srv32 spool service] C:\WINDOWS\System\spoolsrv32.exe
O9 - Extra button: Microsoft AntiSpyware helper - {2F94A560-A6E6-11D9-AB5E-444553540000} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {2F94A560-A6E6-11D9-AB5E-444553540000} - (no file) (HKCU)
After you have ticked the above entries, close All other open windows, including this one
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis
Still with all other windows closed
Run Pocket KillBox>>Now killbox and this notepad file is open
Click on Tools>>Delete Temp files
In the Full Path of File to Delete box, copy and paste the entire line directly below in bold, do not type this in
C:\WINDOWS\System\srvc32.exe
Select the radio button to
Delete on Reboot
Click The Red circle and a white X
When prompted to Delete on Reboot, click YES
If prompted to Reboot Now, Click NO
Do the same for these paths to the file names
C:\WINDOWS\System\Services\{641CAE39-D4CF-43BB-ACB3-6F30FD67922D}\SVCHOST.EXE
C:\WINDOWS\System\Services\{641CAE39-D4CF-43BB-ACB3-6F30FD67922D}\SECURITY.EXE
C:\WINDOWS\System\spoolsrv32.exe
C:\WINDOWS\SYSTEM\WLDR.DLL
C:\WINDOWS\SYSTEM\thun32.dll
C:\WINDOWS\SYSTEM\thun.dll
Allow the computer to Reboot
or Restart anyways when you've entered the last full path to the file name
Back in windows
find and delete this folder
C:\WINDOWS\System\Services <-this folder
Can you please look at this link recommended by Symantec and see if any registry entries have been added or modified
http://securityresponse.symantec.com/avcenter/venc/data/backdoor.fivsec.html
If you're unsure about modifying the registry or uncomfortable with it
Please post back and let me know
Post back a fresh hijackthis log afterwards
Edit>>Too late now, but I had you delete file on reboot a few files where the directory didn't exist, we'll get them next time
I changed the above instructions slightly
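A HijackThis-log triage script, added here as an illustration and not part of the thread or of HijackThis itself: it applies the same reasoning the helper used above (a foreign start page, an autostart from a GUID-named folder under System, svchost.exe on a Windows 9x box, a name imitating spool32.exe, orphaned O9 entries and any SSODL load) to a constructed sample built from the log posted above. The allowlist of start-page hosts and the look-alike map are assumptions, not HijackThis data.

```python
"""Triage a HijackThis 1.99 log with the heuristics the helper applied in this thread.

Added example; not code from the original posts or from HijackThis.
"""
import re
from urllib.parse import urlsplit

# Constructed sample in HijackThis format, copied from the thread (minus link residue).
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Platform: Windows 98 SE (Win9x 4.10.2222A)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ipcons.biz/index.php?id=11258
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by America Online
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [Service Host] C:\WINDOWS\SYSTEM\Services\{D29B29E0-B1C8-11D9-AB5E-444553540000}\SVCHOST.EXE
O4 - HKLM\..\RunServices: [Srv32 spool service] C:\WINDOWS\System\spoolsrv32.exe
O9 - Extra button: Microsoft AntiSpyware helper - {2F94A560-A6E6-11D9-AB5E-444553540000} - (no file) (HKCU)
O21 - SSODL: OLE Module - {0656A137-B161-CADD-9777-E37A75727E78} - C:\WINDOWS\SYSTEM\thun32.dll
"""

# Assumed allowlist: start/search pages that would not surprise anyone on this AOL box.
KNOWN_GOOD_START_HOSTS = {"www.aol.com", "www.msn.com", "www.microsoft.com", "www.google.com"}
# Assumed look-alike map: key = suspicious name, value = the real Windows 98 file it imitates.
LOOKALIKES = {"spoolsrv32.exe": "spool32.exe"}

GUID_DIR = re.compile(r"\\\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\}\\", re.I)
LINE_RE = re.compile(r"^([RFNO]\d{1,2}) - (.*)$")          # "O4 - <body>"
O4_RE = re.compile(r"^(?P<key>.+?): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")


def is_win9x(log_text):
    """True when the Platform header names Windows 95/98/ME (the Win9x family)."""
    m = re.search(r"^Platform: (.*)$", log_text, re.M)
    return bool(m and re.search(r"Win9x|Windows 9[58]|Windows ME", m.group(1)))


def executable_path(cmd):
    """Pull the program path out of an O4 command line: quoted, or up to the first switch."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.find('"', 1)]
    cut = re.search(r" [-/]", cmd)          # " /q", " -atboottime", " -cnetwait.odl"
    return cmd[:cut.start()] if cut else cmd


def triage(log_text):
    """Return (tag, reason) pairs for lines worth a closer look, in log order."""
    win9x = is_win9x(log_text)
    findings = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue                         # header lines and process list
        tag, body = m.groups()
        if tag in ("R0", "R1") and ("Start Page" in body or "Search" in body):
            url = body.split("=", 1)[1].strip() if "=" in body else ""
            host = urlsplit(url).hostname or ""
            if host and host not in KNOWN_GOOD_START_HOSTS:
                findings.append((tag, f"browser page hijacked to {host}"))
        elif tag == "O4":
            o4 = O4_RE.match(body)
            cmd = o4.group("cmd") if o4 else body.split(": ", 1)[-1]
            path = executable_path(cmd)
            base = path.rsplit("\\", 1)[-1].lower()
            if GUID_DIR.search(path):
                findings.append((tag, f"autostart from a GUID-named folder: {path}"))
            if base == "svchost.exe" and win9x:
                findings.append((tag, "svchost.exe is an NT-family binary; Windows 9x ships none"))
            if base in LOOKALIKES:
                findings.append((tag, f"{base} imitates system file {LOOKALIKES[base]}"))
        elif tag == "O9" and "(no file)" in body:
            findings.append((tag, "IE button/menu item whose file is gone (orphaned entry)"))
        elif tag == "O21":
            state = "orphaned" if "(no file)" in body else "loads at every logon"
            findings.append((tag, f"ShellServiceObjectDelayLoad entry, {state}: {body}"))
    return findings


if __name__ == "__main__":
    for tag, reason in triage(SAMPLE_LOG):
        print(f"{tag:<4}{reason}")
```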
-
I followed your directions and here is what I came up with. I did go to the Symantec page and found a few of the registry entries in there. I deleted them.
Logfile of HijackThis v1.99.1
Scan saved at 12:15:50 AM, on 4/22/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\COMMON FILES\AOL\ACS\AOLACSD.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPLPR.EXE
C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPENH.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\PROGRAM FILES\COMMON FILES\AOL\ACS\AOLDIAL.EXE
D:\AMERICA ONLINE 9.0\DOWNLOAD\AOL SPYWARE PROTECTION\AOLSP SCHEDULER.EXE
D:\PROGRAM FILES\AIM\AIM.EXE
D:\AMERICA ONLINE 9.0\AOLTRAY.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
D:\AMERICA ONLINE 9.0\WEmail RemovedEXE
D:\AMERICA ONLINE 9.0\SHELLMON.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\COMMON FILES\AOL\AOLTPSPD.EXE
D:\PROGRAM FILES\HIJACKTHIS\HIJACKTHIS.EXE
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ipassist.biz/index.php?id=11258
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by America Online
F1 - win.ini: run=c:\DELL\WINBATCH.EXE
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe /q
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [AOL Spyware Protection] "D:\AMERIC~1.0\DOWNLOAD\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [AolAcsDaemon1] "C:\PROGRAM FILES\COMMON FILES\AOL\ACS\AOLACSD.EXE"
O4 - HKCU\..\Run: [MoneyAgent] "c:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [AIM] D:\PROGRAM FILES\AIM\aim.exe -cnetwait.odl
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: Crystal 3D Audio Control.lnk = C:\WINDOWS\CWB3DSND.EXE
O4 - Startup: America Online 9.0 Tray Icon.lnk = D:\America Online 9.0\aoltray.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\PROGRAM FILES\AOL TOOLBAR\TOOLBAR.DLL/SEARCH.HTML
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - D:\PROGRAM FILES\AIM\AIM.EXE
O16 - DPF: {8F0F5093-0A70-11D0-BCA9-00C04FD85AA6} - http://fdl.msn.com/public/oc/setupbbs.ocx
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.av.Email Removed/molbin/shared/m...83/mcinsctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.av.Email Removed/molbin/shared/m...,20/mcgdmgr.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.Email Removed/computercheckup/qdiagcc.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = aoldsl.net
O21 - SSODL: OLE Module - {0656A137-B161-CADD-9777-E37A75727E78} - (no file)
-
Log Removed
~guestolo~
-
I'm not sure if this will help but I found this article just released on PC World that mentions this particular spyware issue. It also has a free download link to HijackGuard that supposedly fixes this issue:
http://www.pcworld.idg.com.au/index.php/id;1868041540;fp;16;fpid;0
The example link in the article looks exactly like the problem my friend has except that his links point to ipassist.biz. I haven't tried using this fix yet but if someone here does, please post the result. Thanks in advance.
-
It looks like I don't have IPcons anymore... I have IPassist now. It's really weird. I tried that fix and it didn't find anything on my computer.
-
Can I have you try the following please
Download and save to Desktop DLLCompare (http://downloads.subratam.org/DllCompare.exe)
Start the Program and click the Run Locate.com
Let it complete the SCAN, which won't take long
Click the Compare button to start the next process. This will take a bit longer.
The results appear in two panes - files in the upper pane have been verified to 'exist'.
Files in the lower pane were 'not able to be accessed'.
Very few files should be listed in the lower pane, if any, when the Compare scan is complete.
Click on each of the listed entries in the lower pane to select them. Right-click on the file and use the option Rescan. This will cause Windows Find to see if the file does exist, and then if so it will be removed from the list to reduce the number of identified files.
Click the Make a Log of what was found button
Post back this log
Could you also do the following
Download this virus checker from eScan
Mwav.exe (ftp://ftp.microworldsystems.com/download/tools/mwav.exe)
There's nothing to install, save it and then double click to run
It will self extract
In Mwav
Select all local drives, scan all files, press 'SCAN' and when it is completed, anything found will be displayed in the lower pane.
Give this scan time to finish, it's very thorough
In the Virus Log Information Pane
Left click and Highlight all the info in the Lower pane--- Use "CTRL and the C" keys on your Keyboard to copy all found in the lower pane and paste it back here in your reply
****If prompted that a Virus was found and you need to purchase the product to remove the malware, just close out the prompt and let it continue scanning
We just want to see where the bad guys are
Could you also supply a fresh Hijackthis log
-
Here are the logs you needed.
DLL Compare log
* DLLCompare Log version()
Files Found that Windows does not See or cannot Access
*Not everything listed here means you are infected!
________________________________________________
O^E says: "There were no files found :)"
________________________________________________
863 items found: 863 files, 0 directories.
Total of file sizes: 141,339,684 bytes 134.79 M
--------------------End log---------------------
Mwav log
File System Found infected by "Alexa Spyware/Adware" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\SYSTEM\MTC.dll infected by "Trojan-Downloader.Win32.Agent.ga" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\SYSTEM\mxbkup.exe infected by "Trojan.Win32.DNSChanger.g" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\SYSTEM\mstep.dll infected by "Trojan-Downloader.Win32.Murlo.c" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\SYSTEM\connmie.exe infected by "not-a-virus:AdWare.FindSpy.a" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\SYSTEM\truettf.exe infected by "not-a-virus:AdWare.Msnagent.a" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\SYSTEM\dxconf.exe infected by "not-a-virus:AdWare.FindSpy.a" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\SYSTEM\iecustme.exe infected by "Trojan.Win32.StartPage.vb" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\SYSTEM\iecustom32.dll infected by "Trojan.Win32.StartPage.sl" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\SYSTEM\ctbasxt.exe infected by "Trojan.Win32.StartPage.fw" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\SYSTEM\sysobj.exe infected by "HackTool.Win32.Hidd.g" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\SYSTEM\notepad.com infected by "Trojan-Downloader.Win32.Delf.ks" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\SYSTEM\srdrv32.dll infected by "Trojan-Downloader.Win32.Small.aoa" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\SYSTEM\srpcsrv32.dll infected by "Trojan.Win32.TopAntiSpyware.i" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\SYSTEM\spoolsrv32.exe infected by "Trojan.Win32.TopAntiSpyware.i" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\SYSTEM\x.exe infected by "Trojan-Dropper.Win32.Small.uy" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\TEMPOR~1\CONTENT.IE5\CTIVSDU7\$file[1] infected by "Trojan-Dropper.Win32.Small.vn" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\TEMPOR~1\CONTENT.IE5\MPBWL83Q\$file[1] infected by "Trojan-Dropper.Win32.Small.vn" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\TEMPOR~1\CONTENT.IE5\MPBWL83Q\$file[2] infected by "Trojan-Dropper.Win32.Small.vn" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\TEMPOR~1\CONTENT.IE5\4HEFG5UN\$file[1] infected by "Trojan-Dropper.Win32.Small.vn" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\TEMPOR~1\CONTENT.IE5\W90ZKFC7\$file[2] infected by "Trojan-Dropper.Win32.Small.vn" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\TEMPOR~1\CONTENT.IE5\W90ZKFC7\$file[1] infected by "Trojan-Dropper.Win32.Small.vn" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\TEMPOR~1\Content.IE5\CTIVSDU7\$file[1] infected by "Trojan-Dropper.Win32.Small.vn" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\TEMPOR~1\Content.IE5\MPBWL83Q\$file[1] infected by "Trojan-Dropper.Win32.Small.vn" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\TEMPOR~1\Content.IE5\MPBWL83Q\$file[2] infected by "Trojan-Dropper.Win32.Small.vn" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\TEMPOR~1\Content.IE5\4HEFG5UN\$file[1] infected by "Trojan-Dropper.Win32.Small.vn" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\TEMPOR~1\Content.IE5\W90ZKFC7\$file[2] infected by "Trojan-Dropper.Win32.Small.vn" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\TEMPOR~1\Content.IE5\W90ZKFC7\$file[1] infected by "Trojan-Dropper.Win32.Small.vn" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\COMMAND\EBD\EBD.CAB tagged as not-a-virus:Tool.DOS.Restart. No Action Taken.
File C:\WINDOWS\SYSTEM\MTC.dll infected by "Trojan-Downloader.Win32.Agent.ga" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\SYSTEM\mxbkup.exe infected by "Trojan.Win32.DNSChanger.g" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\SYSTEM\mstep.dll infected by "Trojan-Downloader.Win32.Murlo.c" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\SYSTEM\connmie.exe infected by "not-a-virus:AdWare.FindSpy.a" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\SYSTEM\truettf.exe infected by "not-a-virus:AdWare.Msnagent.a" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\SYSTEM\dxconf.exe infected by "not-a-virus:AdWare.FindSpy.a" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\SYSTEM\iecustme.exe infected by "Trojan.Win32.StartPage.vb" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\SYSTEM\iecustom32.dll infected by "Trojan.Win32.StartPage.sl" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\SYSTEM\ctbasxt.exe infected by "Trojan.Win32.StartPage.fw" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\SYSTEM\sysobj.exe infected by "HackTool.Win32.Hidd.g" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\SYSTEM\notepad.com infected by "Trojan-Downloader.Win32.Delf.ks" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\SYSTEM\srdrv32.dll infected by "Trojan-Downloader.Win32.Small.aoa" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\SYSTEM\srpcsrv32.dll infected by "Trojan.Win32.TopAntiSpyware.i" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\SYSTEM\spoolsrv32.exe infected by "Trojan.Win32.TopAntiSpyware.i" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\SYSTEM\x.exe infected by "Trojan-Dropper.Win32.Small.uy" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\Temporary Internet Files\Content.IE5\CTIVSDU7\$file[1] infected by "Trojan-Dropper.Win32.Small.vn" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\Temporary Internet Files\Content.IE5\MPBWL83Q\$file[1] infected by "Trojan-Dropper.Win32.Small.vn" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\Temporary Internet Files\Content.IE5\MPBWL83Q\$file[2] infected by "Trojan-Dropper.Win32.Small.vn" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\Temporary Internet Files\Content.IE5\4HEFG5UN\$file[1] infected by "Trojan-Dropper.Win32.Small.vn" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\Temporary Internet Files\Content.IE5\W90ZKFC7\$file[2] infected by "Trojan-Dropper.Win32.Small.vn" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\Temporary Internet Files\Content.IE5\W90ZKFC7\$file[1] infected by "Trojan-Dropper.Win32.Small.vn" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\wt\wtvh.dll infected by "not-a-virus:AdWare.WildTangent.b" Virus. Action Taken: No Action Taken.
File C:\Program Files\Common Files\aolback\comp01.000 tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File C:\m.exe infected by "Trojan-Dropper.Win32.Small.oy" Virus. Action Taken: No Action Taken.
File C:\r.exe infected by "Trojan-Dropper.Win32.Small.vn" Virus. Action Taken: No Action Taken.
File D:\America Online 9.0\Jiti\Jiti_mm.exe tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
Hijack This log
Logfile of HijackThis v1.99.1
Scan saved at 5:50:48 PM, on 4/23/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\COMMON FILES\AOL\ACS\AOLACSD.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPLPR.EXE
C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPENH.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\PROGRAM FILES\COMMON FILES\AOL\ACS\AOLDIAL.EXE
D:\AMERICA ONLINE 9.0\DOWNLOAD\AOL SPYWARE PROTECTION\AOLSP SCHEDULER.EXE
D:\PROGRAM FILES\AIM\AIM.EXE
D:\AMERICA ONLINE 9.0\AOLTRAY.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
D:\AMERICA ONLINE 9.0\WEmail RemovedEXE
D:\AMERICA ONLINE 9.0\SHELLMON.EXE
C:\PROGRAM FILES\COMMON FILES\AOL\AOLTPSPD.EXE
C:\WINDOWS\NOTEPAD.EXE
C:\WINDOWS\TEMP\MWAVSCAN.COM
C:\WINDOWS\TEMP\KAVSS.EXE
D:\PROGRAM FILES\HIJACKTHIS\HIJACKTHIS.EXE
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ipassist.biz/index.php?id=11258
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by America Online
F1 - win.ini: run=c:\DELL\WINBATCH.EXE
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe /q
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [AOL Spyware Protection] "D:\AMERIC~1.0\DOWNLOAD\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [AolAcsDaemon1] "C:\PROGRAM FILES\COMMON FILES\AOL\ACS\AOLACSD.EXE"
O4 - HKCU\..\Run: [AIM] D:\PROGRAM FILES\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\RunServices: [AIM] D:\PROGRAM FILES\AIM\aim.exe -cnetwait.odl
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: Crystal 3D Audio Control.lnk = C:\WINDOWS\CWB3DSND.EXE
O4 - Startup: America Online 9.0 Tray Icon.lnk = D:\America Online 9.0\aoltray.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\PROGRAM FILES\AOL TOOLBAR\TOOLBAR.DLL/SEARCH.HTML
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - D:\PROGRAM FILES\AIM\AIM.EXE
O16 - DPF: {8F0F5093-0A70-11D0-BCA9-00C04FD85AA6} - http://fdl.msn.com/public/oc/setupbbs.ocx
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.av.Email Removed/molbin/shared/m...83/mcinsctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.av.Email Removed/molbin/shared/m...,20/mcgdmgr.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.Email Removed/computercheckup/qdiagcc.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = aoldsl.net
O21 - SSODL: OLE Module - {0656A137-B161-CADD-9777-E37A75727E78} - (no file)
-
Sorry for the delay
Can I ask you to do a couple more things for me
Open Hijackthis>>Open Misc tools section>>Open Uninstall Manager
Click the SAVE LIST button
Save and post the list that's produced
Also in Misc tools section, could you click the Hosts file Manager
Click the "Open In Notepad" button
Post the whole contents of the Hosts text file that opens
-
Thanks for all your help so far. I'd be totally clueless on what to do.
America Online (Choose which version to remove)
AOL Coach Version 1.0(Build:20040229.1 en)
AOL Connectivity Services
AOL Instant Messenger
AOL Spyware Protection
AOL Toolbar
AOL You've Got Pictures Screensaver
HijackThis 1.99.1
Learn2 Player (Uninstall Only)
Lernout & Hauspie TruVoice American English TTS Engine
Microsoft Excel 97
Microsoft Fax
Microsoft Internet Explorer 6 and Internet Tools
Microsoft Music Control
Microsoft Office 2000 Standard
Microsoft Outlook Express 6
Microsoft Picture It! 99
Microsoft Publisher 2000 Deluxe Disc 1
Microsoft Publisher 2000 Deluxe Disc 2
Microsoft Small Business Financial Manager 97
Microsoft Wallet
Microsoft Web Publishing Wizard 1.6
QuickTime
RealPlayer Basic
Restore Winsock 1.1 Configuration
Spybot - Search & Destroy 1.3
Viewpoint Media Player
Windows Media Player 7.1
WinZip
WinZip Self-Extractor
# Copyright © 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
# 102.54.94.97 rhino.acme.com # source server
# 38.25.63.10 x.acme.com # x client host
127.0.0.1 localhost
-
Can you do the following
==Download and Install this small program
to help clean your temp folders, cookies, recycle bin, etc..
Windows Cleanup (http://www.antispyware.nextdesigns.net/installs/cleanup.php?type=exe)
Install for now, don't run a scan yet
==Download and UNZIP to desktop IEFix.zip
So you now have IEFix.reg on the desktop
We'll need this later, don't run it yet, but ensure you unzip it for now
[attachment=164:attachment]
Please save these instructions to a Notepad file and save it to your Desktop
Disconnect from the Internet
I'm going to ask you to restart in safe mode soon; if you're unsure how to, would you please look at the link I supplied below ahead of time
RESTART your Computer in SAFE MODE (http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001060608000039)
You can do this by tapping the F8 key as the system is restarting, after the single post beep, or use the link
I supplied for a more detailed explanation
Open Windows CleanUp!>>START>>programs>>Cleanup!
Click on the CleanUp button, let it finish scanning for files, when it's done
Don't log off or restart yet
Instead,
Do another scan with Hijackthis and put a check next to these entries:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ipassist.biz/index.php?id=11258
O21 - SSODL: OLE Module - {0656A137-B161-CADD-9777-E37A75727E78} - (no file)
After you have ticked the above entries, close All other open windows, including this one
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis
Double click on IEFix.reg and allow to merge to the registry
Stay in safe mode
Run Pocket KillBox>>Now killbox and this notepad file is open
In the Full Path of File to Delete box, copy and paste the entire line directly below in bold, do not type this in
Keep track of any file that won't delete, we'll need those in a bit
C:\WINDOWS\SYSTEM\MTC.dll
Do the same for these paths to the file names
C:\WINDOWS\SYSTEM\mxbkup.exe
C:\WINDOWS\SYSTEM\mstep.dll
C:\WINDOWS\SYSTEM\connmie.exe
C:\WINDOWS\SYSTEM\truettf.exe
C:\WINDOWS\SYSTEM\dxconf.exe
C:\WINDOWS\SYSTEM\iecustme.exe
C:\WINDOWS\SYSTEM\iecustom32.dll
C:\WINDOWS\SYSTEM\ctbasxt.exe
C:\WINDOWS\SYSTEM\sysobj.exe
C:\WINDOWS\SYSTEM\notepad.com
C:\WINDOWS\SYSTEM\srdrv32.dll
C:\WINDOWS\SYSTEM\srpcsrv32.dll
C:\WINDOWS\SYSTEM\spoolsrv32.exe
C:\WINDOWS\SYSTEM\x.exe
C:\m.exe
C:\r.exe
For any file that wouldn't delete, again enter that into Killbox, but this time
Select the radio button to
Delete on Reboot
Click The Red circle and a white X
When prompted to Delete on Reboot, click YES
Don't allow to reboot until you have entered the last path to the filename
or Restart anyways
Back in Windows
Download and Install the free version of Ad-Aware SE Personal 1.05 (http://www.lavasoftusa.com/support/download/)
Open Ad-Aware, ensure to click the check for updates now link and Connect to download the latest updates
Perform a Full system scan
When it's finished scanning
At this point you should either right click on the screen and choose the "Select All" Objects option or individually put a checkmark in each object's checkbox
click on the Next button. Ad-Aware SE will now present you with a confirmation box as to whether or not you would like to remove the objects you have just selected. Press the "OK" button
RESTART your computer to finish the cleaning process
Post back a fresh Hijackthis log afterwards
-
It looks like i have about:blank now. argh, why do i keep getting these?!
Logfile of HijackThis v1.99.1
Scan saved at 2:35:54 PM, on 4/24/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\COMMON FILES\AOL\ACS\AOLACSD.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPLPR.EXE
C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPENH.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\PROGRAM FILES\COMMON FILES\AOL\ACS\AOLDIAL.EXE
D:\AMERICA ONLINE 9.0\DOWNLOAD\AOL SPYWARE PROTECTION\AOLSP SCHEDULER.EXE
D:\PROGRAM FILES\AIM\AIM.EXE
C:\WINDOWS\CWB3DSND.EXE
D:\AMERICA ONLINE 9.0\AOLTRAY.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
D:\PROGRAM FILES\HIJACKTHIS\HIJACKTHIS.EXE
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://c:\windows\TEMP\se.dll/spage.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by America Online
F1 - win.ini: run=c:\DELL\WINBATCH.EXE
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe /q
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [AOL Spyware Protection] "D:\AMERIC~1.0\DOWNLOAD\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [AolAcsDaemon1] "C:\PROGRAM FILES\COMMON FILES\AOL\ACS\AOLACSD.EXE"
O4 - HKLM\..\RunServices: [Srv32 spool service] C:\WINDOWS\System\spoolsrv32.exe
O4 - HKCU\..\Run: [AIM] D:\PROGRAM FILES\AIM\aim.exe -cnetwait.odl
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: Crystal 3D Audio Control.lnk = C:\WINDOWS\CWB3DSND.EXE
O4 - Startup: America Online 9.0 Tray Icon.lnk = D:\America Online 9.0\aoltray.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\PROGRAM FILES\AOL TOOLBAR\TOOLBAR.DLL/SEARCH.HTML
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - D:\PROGRAM FILES\AIM\AIM.EXE
O16 - DPF: {8F0F5093-0A70-11D0-BCA9-00C04FD85AA6} - http://fdl.msn.com/public/oc/setupbbs.ocx
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.av.Email Removed/molbin/shared/m...83/mcinsctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.av.Email Removed/molbin/shared/m...,20/mcgdmgr.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.Email Removed/computercheckup/qdiagcc.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = aoldsl.net
-
I have just removed this [censored].
First - Uninstall Google's Toolbar if you have one - I am pretty sure it's infected (then you will reinstall it within 2 minutes from toolbar.google.com) :)
then delete this string
C:\WINDOWS\SYSTEM\SERVICES\{D29B29E0-B1C8-11D9-AB5E-444553540000}\SVCHOST.EXE
Using program startdreck.exe (http://www.niksoft.at/php/dl.php?f=startdreck.zip) or a registry cleaner, or do Run > regedit > Local Machine > Windows > Run.. and find it yourself
Delete all files in Documents Settings/user/Local Settings/
Use Microsoft AntiSpyware to check if you don't have anything more.
Hope this will help.
It helped me at least :)
Best regards!
Andy
-
btw thank you guestolo very much - your posts helped me a lot!
thank you!
_____
Andy
-
I have found this page through google, so I think it will be very useful to add more related keywords here
I have these domains for search results in my browser
ipassist.biz; ipcons.biz
these guys are Russians, very sorry for them, because I am Russian too
their fake logos:
Skoro Mir Izmenitsa Corp
skorokonecmira.com, Inc
-
Don't give up Chels
Try this please
Download and save Remove.zip
Unzip the contents to desktop, we'll need this in a bit
[attachment=166:attachment]
From my signature below download CWShredder.exe and save to desktop
Copy and paste these instructions to a notepad file
Disconnect from the Internet
Run Pocket KillBox>>Now killbox and this notepad file is open
In the Full Path of File to Delete box, copy and paste the entire line directly below in bold, do not type this in
Select the radio button to
Delete on Reboot
Click The Red circle and a white X
When prompted to Delete on Reboot, click YES
Don't allow to reboot until you have entered the last path to the filename
C:\WINDOWS\System\spoolsrv32.exe
Do the same for this path to the file name
c:\windows\TEMP\se.dll
Additionally use the "Unregister .dll before delete" button on this file name if able to
Allow the computer to reboot or reboot anyways when entering the last file
Back in windows, don't open any browser windows
Instead, Run Windows CleanUp! again
Don't restart the computer after the scan
Instead
Do another scan with Hijackthis and put a check next to these entries:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://c:\windows\TEMP\se.dll/spage.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
O4 - HKLM\..\RunServices: [Srv32 spool service] C:\WINDOWS\System\spoolsrv32.exe
After you have ticked the above entries, close All other open windows, including this one
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis
Double click on Remove.reg and allow to merge to the registry
Afterwards, Open CWShredder.exe
Click the FIX button, allow to fix whatever it finds
RESTART your computer again after it's done
Back in Windows
Don't open a browser yet, instead access Internet Options via Control Panel
Under the Programs tab "Reset Web Settings"
Under the General tab--- Reset home page
Post back a fresh Hijackthis log afterwards
-
My laptop seems to be unusually slow now. Do I still have spyware?
Logfile of HijackThis v1.99.1
Scan saved at 5:20:39 PM, on 4/24/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\COMMON FILES\AOL\ACS\AOLACSD.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPLPR.EXE
C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPENH.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\PROGRAM FILES\COMMON FILES\AOL\ACS\AOLDIAL.EXE
C:\WINDOWS\RUNDLL32.EXE
D:\PROGRAM FILES\AIM\AIM.EXE
C:\WINDOWS\CWB3DSND.EXE
D:\AMERICA ONLINE 9.0\AOLTRAY.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
D:\PROGRAM FILES\HIJACKTHIS\HIJACKTHIS.EXE
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by America Online
F1 - win.ini: run=c:\DELL\WINBATCH.EXE
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe /q
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [AOL Spyware Protection] "D:\AMERIC~1.0\DOWNLOAD\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [sp] rundll32 C:\WINDOWS\TEMP\SE.DLL,DllInstall
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [AolAcsDaemon1] "C:\PROGRAM FILES\COMMON FILES\AOL\ACS\AOLACSD.EXE"
O4 - HKCU\..\Run: [AIM] D:\PROGRAM FILES\AIM\aim.exe -cnetwait.odl
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: Crystal 3D Audio Control.lnk = C:\WINDOWS\CWB3DSND.EXE
O4 - Startup: America Online 9.0 Tray Icon.lnk = D:\America Online 9.0\aoltray.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\PROGRAM FILES\AOL TOOLBAR\TOOLBAR.DLL/SEARCH.HTML
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - D:\PROGRAM FILES\AIM\AIM.EXE
O16 - DPF: {8F0F5093-0A70-11D0-BCA9-00C04FD85AA6} - http://fdl.msn.com/public/oc/setupbbs.ocx
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.av.Email Removed/molbin/shared/m...83/mcinsctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.av.Email Removed/molbin/shared/m...,20/mcgdmgr.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.Email Removed/computercheckup/qdiagcc.cab
-
Yup, you picked up a new one it seems
Can you do the following with Startdreck again
Hit: -config
hit: -Unmark all
Check these boxes only:
*Registry->run keys
*Registry->Browser helper objects
*System/drivers> Running processes
hit >ok.
Use the "save" tab, to save, name and post this log
-
StartDreck (build 2.1.7 public stable) - 2005-04-24 @ 18:22:39 (GMT -07:00)
Platform: Windows 98 SE (Win 4.10.2222 A)
Internet Explorer: 6.0.2600.0000
Logged in as Chelsea at DELL INSPIRON
»Registry
»Run Keys
»Current User
»Run
*AIM=D:\PROGRAM FILES\AIM\aim.exe -cnetwait.odl
»RunOnce
»Default User
»Run
*AIM=D:\PROGRAM FILES\AIM\aim.exe -cnetwait.odl
»RunOnce
»Local Machine
»Run
*SystemTray=SysTray.Exe
*SynTPLpr=C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
*SynTPEnh=C:\Program Files\Synaptics\SynTP\SynTPEnh.exe /q
*ScanRegistry=c:\windows\scanregw.exe /autorun
*TaskMonitor=c:\windows\taskmon.exe
*LoadPowerProfile=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
*QuickTime Task="C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
*AOLDialer=C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
*AOL Spyware Protection="D:\AMERIC~1.0\DOWNLOAD\AOLSPY~1\AOLSP Scheduler.exe"
*sp=rundll32 C:\WINDOWS\TEMP\SE.DLL,DllInstall
+OptionalComponents
+MSFS
*Installed=1
+MAPI
*Installed=1
*NoChange=1
+MAPI
*Installed=1
*NoChange=1
»RunOnce
»RunServices
*LoadPowerProfile=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
*SchedulingAgent=mstask.exe
*AolAcsDaemon1="C:\PROGRAM FILES\COMMON FILES\AOL\ACS\AOLACSD.EXE"
»RunServicesOnce
**bt=rundll32 C:\WINDOWS\DISPLWY.TXT,DllGetClassObject
»RunOnceEx
»RunServicesOnceEx
»Browser Helper Objects (LM)
»Files
»System/Drivers
»Running Processes
+FFEFED15=C:\WINDOWS\SYSTEM\KERNEL32.DLL
+FFFFBA71=C:\WINDOWS\SYSTEM\MSGSRV32.EXE
+FFFFADC1=C:\WINDOWS\SYSTEM\MPREXE.EXE
+FFFE5709=C:\WINDOWS\SYSTEM\mmtask.tsk
+FFFE3809=C:\WINDOWS\SYSTEM\MSTASK.EXE
+FFFE2DD1=C:\PROGRAM FILES\COMMON FILES\AOL\ACS\AOLACSD.EXE
+FFFE9CA1=C:\WINDOWS\EXPLORER.EXE
+FFFEA465=C:\WINDOWS\RUNDLL32.EXE
+FFFD8B69=C:\WINDOWS\SYSTEM\SYSTRAY.EXE
+FFFC51F9=C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPLPR.EXE
+FFFC43F1=C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPENH.EXE
+FFFC1E85=C:\WINDOWS\TASKMON.EXE
+FFFC0A79=C:\WINDOWS\SYSTEM\QTTASK.EXE
+FFFC94DD=C:\PROGRAM FILES\COMMON FILES\AOL\ACS\AOLDIAL.EXE
+FFFDAEE9=C:\WINDOWS\RUNDLL32.EXE
+FFFCD311=D:\PROGRAM FILES\AIM\AIM.EXE
+FFFB735D=D:\AMERICA ONLINE 9.0\AOLTRAY.EXE
+FFFCCB6D=C:\WINDOWS\SYSTEM\WMIEXE.EXE
+FFFBA869=C:\WINDOWS\SYSTEM\DDHELP.EXE
+FFF7C6B1=C:\WINDOWS\SYSTEM\RNAAPP.EXE
+FFF9E9F1=C:\WINDOWS\SYSTEM\TAPISRV.EXE
+FFF6CD65=C:\WINDOWS\SYSTEM\SPOOL32.EXE
+FFF6C645=D:\AMERICA ONLINE 9.0\WEmail RemovedEXE
+FFF7848D=D:\AMERICA ONLINE 9.0\SHELLMON.EXE
+FFF667F5=C:\PROGRAM FILES\COMMON FILES\AOL\AOLTPSPD.EXE
+FFF49421=D:\PROGRAM FILES\STARTD\STARTDRECK.EXE
»Application specific
-
Edit>>This time Startdreck revealed a hidden installer, so it does appear to be a new one
After we run this next tool, try not to do too much browsing on the net until we get some tools on your computer to keep you clean
Download and save to Desktop
SpSeHjFix109.zip (http://www.derbilk.de/404.html)
From that link
Unzip the contents, so you now have SpSeHjfix109.exe on your desktop
Disconnect completely from the Internet
Restart into safe mode
Run SpSeHjfix109.exe by clicking the Start Disinfection
It should reboot your computer
Back in Windows>>The tool would have created a log; could you copy and paste that log to a location such as My Documents, just so we don't overwrite it when we run the tool again
Run
SpSeHjfix109.exe again
Post back the logs from SpSeHjfix and a new Hijackthis log
and a new Startdreck log
As mentioned, don't do too much surfing until we get some protection on your computer
If the tool won't remove this infection, we will do it manually
EDIT>>When I linked you to Symantec's, did you follow the below instructions they recommended
To restore security settings in Internet Explorer
1. Open Internet Explorer
2. Go to the Tools menu and click on Internet Options
3. Click on the security tab
4. For each Zone, configure the security settings appropriately or click on Default Level to change settings to default.
-
Here are the logs.
(4/24/05 9:01:10 PM) SPSeHjFix started v1.09
(4/24/05 9:01:10 PM) OS: Win98SE A (4.10.67766446)
(4/24/05 9:01:10 PM) Language: english
(4/24/05 9:01:14 PM) Disinfect started
(4/24/05 9:01:14 PM) Bad-Dll(IEP): (not found)
(4/24/05 9:01:14 PM) Bad-Dll(IEP) in BHO: (not found)
(4/24/05 9:01:14 PM) UBF: 4
(4/24/05 9:01:14 PM) UBB: 0
(4/24/05 9:01:14 PM) UBR: 13
(4/24/05 9:01:14 PM) Bad IE-pages:
(4/24/05 9:01:14 PM) Stealth-String not found:
(4/24/05 9:01:14 PM) Not infected->END
(4/24/05 10:35:05 PM) SPSeHjFix started v1.09
(4/24/05 10:35:05 PM) OS: Win98SE A (4.10.67766446)
(4/24/05 10:35:05 PM) Language: english
(4/24/05 10:35:07 PM) Disinfect started
(4/24/05 10:35:07 PM) Bad-Dll(IEP): (not found)
(4/24/05 10:35:07 PM) Bad-Dll(IEP) in BHO: (not found)
(4/24/05 10:35:07 PM) UBF: 4
(4/24/05 10:35:07 PM) UBB: 0
(4/24/05 10:35:07 PM) UBR: 13
(4/24/05 10:35:07 PM) Bad IE-pages:
(4/24/05 10:35:07 PM) Stealth-String not found:
(4/24/05 10:35:07 PM) Not infected->END
Logfile of HijackThis v1.99.1
Scan saved at 6:17:36 PM, on 4/25/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\COMMON FILES\AOL\ACS\AOLACSD.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPLPR.EXE
C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPENH.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\PROGRAM FILES\COMMON FILES\AOL\ACS\AOLDIAL.EXE
D:\PROGRAM FILES\AIM\AIM.EXE
D:\AMERICA ONLINE 9.0\AOLTRAY.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
D:\PROGRAM FILES\HIJACKTHIS\HIJACKTHIS.EXE
C:\WINDOWS\IPCONFIG.EXE
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by America Online
F1 - win.ini: run=c:\DELL\WINBATCH.EXE
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe /q
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [AOL Spyware Protection] "D:\AMERIC~1.0\DOWNLOAD\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [AolAcsDaemon1] "C:\PROGRAM FILES\COMMON FILES\AOL\ACS\AOLACSD.EXE"
O4 - HKCU\..\Run: [AIM] D:\PROGRAM FILES\AIM\aim.exe -cnetwait.odl
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: Crystal 3D Audio Control.lnk = C:\WINDOWS\CWB3DSND.EXE
O4 - Startup: America Online 9.0 Tray Icon.lnk = D:\America Online 9.0\aoltray.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\PROGRAM FILES\AOL TOOLBAR\TOOLBAR.DLL/SEARCH.HTML
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - D:\PROGRAM FILES\AIM\AIM.EXE
O16 - DPF: {8F0F5093-0A70-11D0-BCA9-00C04FD85AA6} - http://fdl.msn.com/public/oc/setupbbs.ocx
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.av.Email Removed/molbin/shared/m...83/mcinsctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.av.Email Removed/molbin/shared/m...,20/mcgdmgr.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.Email Removed/computercheckup/qdiagcc.cab
StartDreck (build 2.1.7 public stable) - 2005-04-25 @ 18:18:33 (GMT -07:00)
Platform: Windows 98 SE (Win 4.10.2222 A)
Internet Explorer: 6.0.2600.0000
Logged in as Chelsea at DELL INSPIRON
»Registry
»Run Keys
»Current User
»Run
*AIM=D:\PROGRAM FILES\AIM\aim.exe -cnetwait.odl
»RunOnce
»Default User
»Run
*AIM=D:\PROGRAM FILES\AIM\aim.exe -cnetwait.odl
»RunOnce
»Local Machine
»Run
*SystemTray=SysTray.Exe
*SynTPLpr=C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
*SynTPEnh=C:\Program Files\Synaptics\SynTP\SynTPEnh.exe /q
*ScanRegistry=c:\windows\scanregw.exe /autorun
*TaskMonitor=c:\windows\taskmon.exe
*LoadPowerProfile=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
*QuickTime Task="C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
*AOLDialer=C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
*AOL Spyware Protection="D:\AMERIC~1.0\DOWNLOAD\AOLSPY~1\AOLSP Scheduler.exe"
+OptionalComponents
+MSFS
*Installed=1
+MAPI
*Installed=1
*NoChange=1
+MAPI
*Installed=1
*NoChange=1
»RunOnce
»RunServices
*LoadPowerProfile=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
*SchedulingAgent=mstask.exe
*AolAcsDaemon1="C:\PROGRAM FILES\COMMON FILES\AOL\ACS\AOLACSD.EXE"
»RunServicesOnce
»RunOnceEx
»RunServicesOnceEx
»File Associations (CR)
+.bat
*batfile="%1" %*
+.com
*comfile="%1" %*
+.exe
*exefile="%1" %*
+.hta
*htafile=C:\WINDOWS\SYSTEM\MSHTA.EXE "%1" %*
+.htm
*htmlfile="C:\PROGRA~1\INTERN~1\iexplore.exe" -nohome
+.html
*htmlfile="C:\PROGRA~1\INTERN~1\iexplore.exe" -nohome
+.js
*JSFile=c:\windows\WScript.exe "%1" %*
+.jse
*JSEFile=c:\windows\WScript.exe "%1" %*
+.pif
*piffile="%1" %*
+.reg
*regfile=regedit.exe "%1"
+.scr
*scrfile="%1" /S
+.txt
*txtfile=c:\windows\NOTEPAD.EXE %1
+.vbs
*VBSFile=c:\windows\WScript.exe "%1" %*
+.vbe
*VBEFile=c:\windows\WScript.exe "%1" %*
+.wsh
*WSHFile=c:\windows\WScript.exe "%1" %*
+.wsf
*WSFFile=c:\windows\WScript.exe "%1" %*
+.lnk
`lnkfile= [key or value does not exist]
»Browser Helper Objects (LM)
»Files
»Autostart Folders
»Current User
*C:\WINDOWS\Start Menu\Programs\StartUp\Microsoft Office.lnk
*C:\WINDOWS\Start Menu\Programs\StartUp\Crystal 3D Audio Control.lnk
*C:\WINDOWS\Start Menu\Programs\StartUp\America Online 9.0 Tray Icon.lnk
»Default User
*C:\WINDOWS\Start Menu\Programs\StartUp\Microsoft Office.lnk
*C:\WINDOWS\Start Menu\Programs\StartUp\Crystal 3D Audio Control.lnk
*C:\WINDOWS\Start Menu\Programs\StartUp\America Online 9.0 Tray Icon.lnk
»Local Machine
»INI-Files
»WIN.INI\[windows]
*LOAD=
*RUN=c:\DELL\WINBATCH.EXE
»SYSTEM.INI\[boot]
*SHELL=Explorer.exe
»Text Files
*C:\WINDOWS\msdos.sys
*C:\msdos.sys
*C:\config.sys
*C:\autoexec.bat
*C:\WINDOWS\SYSTEM\autoexec.nt
*C:\WINDOWS\wininit.bak
*C:\WINDOWS\dosstart.bat
»System/Drivers
»Running Processes
+FFEFD203=C:\WINDOWS\SYSTEM\KERNEL32.DLL
+FFFF8567=C:\WINDOWS\SYSTEM\MSGSRV32.EXE
+FFFF92D7=C:\WINDOWS\SYSTEM\MPREXE.EXE
+FFFE681F=C:\WINDOWS\SYSTEM\mmtask.tsk
+FFFE00B7=C:\WINDOWS\SYSTEM\MSTASK.EXE
+FFFE0C2B=C:\PROGRAM FILES\COMMON FILES\AOL\ACS\AOLACSD.EXE
+FFFEA0C7=C:\WINDOWS\EXPLORER.EXE
+FFFDDC1B=C:\WINDOWS\SYSTEM\SYSTRAY.EXE
+FFFDA1DF=C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPLPR.EXE
+FFFD9937=C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPENH.EXE
+FFFC410B=C:\WINDOWS\TASKMON.EXE
+FFFC5A57=C:\WINDOWS\SYSTEM\QTTASK.EXE
+FFFC2947=C:\PROGRAM FILES\COMMON FILES\AOL\ACS\AOLDIAL.EXE
+FFFC051F=D:\PROGRAM FILES\AIM\AIM.EXE
+FFFCBC93=D:\AMERICA ONLINE 9.0\AOLTRAY.EXE
+FFFBE5DF=C:\WINDOWS\SYSTEM\WMIEXE.EXE
+FFFCC067=C:\WINDOWS\SYSTEM\DDHELP.EXE
+FFF874EB=C:\WINDOWS\SYSTEM\RNAAPP.EXE
+FFF86437=C:\WINDOWS\SYSTEM\TAPISRV.EXE
+FFF9231B=C:\WINDOWS\SYSTEM\SPOOL32.EXE
+FFF64E0F=D:\PROGRAM FILES\HIJACKTHIS\HIJACKTHIS.EXE
+FFF8B8EB=C:\WINDOWS\NOTEPAD.EXE
+FFF7580F=D:\PROGRAM FILES\STARTD\STARTDRECK.EXE
»NT Services
»Application specific
-
Good Work Chels, the logs you posted show not infected from SpSeHjfix
But you were definitely infected as your hijackthis log and Startdreck log showed
And now they're clear
Now that you're clean, before you do any browsing, you should visit Windows Updates
Install all Latest Critical Updates and Service Packs
Restart your computer when prompted and then keep revisiting Windows updates until you have All Latest Critical updates installed
Don't install the Recommended updates unless they are something preferred
Getting all the latest updates will help to keep your system secure
After you are happy you have installed them all
You don't appear to be running any Anti-Virus software on your computer
This is not safe
If you have your own to install, install it now and check for updates and run a full system scan
If you don't have your own, I would greatly advise you to Install the free version of
AVG 7
Go to this link
http://free.grisoft.com/doc/2/lng/us/tpl/v5
Scroll down to the free download link
AVG Free Edition installation files
File Version
avg70free_308a468.exe <-this link
Save the installer to desktop and then double click to Install
Restart the computer if prompted
After installation>>Check for updates and then run a Full system Scan
Once that is done
You should set up protection against future attacks
SpywareBlaster 3.3 by JavaCool (http://www.javacoolsoftware.com/spywareblaster.html)
*Will block bad ActiveX Controls
*Block Malevolent cookies in Internet Explorer and Firefox
*Restrict actions of potentially dangerous sites in Internet Explorer
IE-Spyad---IE-SPYAD puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
Here is a tutorial and download link
TUTORIAL==Link to Tutorial (http://www.bleepingcomputer.com/forums/index.php?showtutorial=53)
Download link (https://netfiles.uiuc.edu/ehowes/www/resource.htm#IESPYAD)
With both, Check for updates every couple of weeks
Keep the link to IE-Spyad bookmarked so you can check for updates
SpywareBlaster, after every update just simply enable all protection
After installing IE-Spyad, don't be surprised if you have a hard time running a scan with Hijackthis
IE-Spyad adds all those registry entries and Hijackthis checks that part of the registry
It seems to be a Windows 98 issue, not to worry
Post back and let me know how everything is running after doing the above
Also, are you running through any Firewall protection?
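A defender's view of what the helper was reading off these logs, as an added example that is not part of the thread: a small Python triage script that checks HijackThis 1.99-format lines for the indicators acted on above (start and search pages pointed at ipcons.biz / ipassist.biz or about:blank, a search bar loaded via res:// from se.dll in TEMP, autostart entries for spoolsrv32.exe or se.dll, rundll32 loading a non-DLL such as DISPLWY.TXT, and an O21 SSODL entry with no file). The sample log is constructed from lines quoted in the thread plus one RunServicesOnce line I wrote in HijackThis format for the [bt] entry that only StartDreck showed; the severity labels and rule names are my assumptions.

```python
"""Triage HijackThis 1.99-format log lines for the hijack indicators seen in this thread.
Added example, not a tool from the thread: the domains and file names come from the
thread, the severity labels are my assumption, and SAMPLE_LOG is constructed.
"""
import re
from urllib.parse import urlsplit

# Domains the thread identifies as the hijacker's start/search pages.
HIJACK_DOMAINS = {"ipcons.biz", "ipassist.biz"}
# Files the helper had removed with KillBox / HijackThis (lower-case basenames).
SUSPECT_FILES = {"spoolsrv32.exe", "se.dll", "mtc.dll", "iecustom32.dll", "x.exe"}
# IE settings the hijacker rewrote (the R0/R1 entries in the thread's logs).
IE_SETTINGS = {"Start Page", "Search Page", "Search Bar", "SearchAssistant", "HomeOldSP"}

ENTRY_RE = re.compile(r"^(?P<code>[RFO]\d+) - (?P<body>.*)$")
R_RE = re.compile(r"^HK(?:CU|LM)\\[^,]+,(?P<name>[^=]+?) = ?(?P<value>.*)$")
FILE_RE = re.compile(r"[\w~.\-]+\.(?:exe|dll|com|txt)", re.IGNORECASE)
RUNDLL_RE = re.compile(r"rundll32(?:\.exe)?\s+([^,\s]+),", re.IGNORECASE)

# Constructed sample: infected and clean lines quoted in the thread, plus the [bt]
# RunServicesOnce entry rewritten by me in HijackThis format (only StartDreck listed it).
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ipcons.biz/index.php?id=11258
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://c:\windows\TEMP\se.dll/spage.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [sp] rundll32 C:\WINDOWS\TEMP\SE.DLL,DllInstall
O4 - HKLM\..\RunServices: [Srv32 spool service] C:\WINDOWS\System\spoolsrv32.exe
O4 - HKLM\..\Run: [AOL Spyware Protection] "D:\AMERIC~1.0\DOWNLOAD\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\RunServicesOnce: [bt] rundll32 C:\WINDOWS\DISPLWY.TXT,DllGetClassObject
O21 - SSODL: OLE Module - {0656A137-B161-CADD-9777-E37A75727E78} - (no file)
O21 - SSODL: (constructed clean entry) - {00000000-0000-0000-0000-000000000000} - C:\WINDOWS\SYSTEM\example.dll
"""


def check_ie_setting(name, value):
    """Flag an R0/R1 setting that matches the hijack patterns from the thread."""
    v = value.strip()
    if name not in IE_SETTINGS:
        return None
    if v == "":
        return ("low", f"{name} is empty; the helper had HijackThis reset it")
    if v.lower() == "about:blank":
        return ("high", f"{name} set to about:blank")
    if v.lower().startswith("res://"):
        return ("high", f"{name} served from a local DLL resource: {v}")
    host = (urlsplit(v).hostname or "").lower()
    if host in HIJACK_DOMAINS:
        return ("high", f"{name} redirected to hijacker domain {host}")
    return None


def check_autostart(body):
    """Flag an O4 autostart entry by file name, location, or rundll32 misuse."""
    bad = {f.lower() for f in FILE_RE.findall(body)} & SUSPECT_FILES
    if bad:
        return ("high", "autostart references a file removed in the thread: " + ", ".join(sorted(bad)))
    if "\\temp\\" in body.lower():
        return ("high", "autostart runs from the TEMP folder")
    m = RUNDLL_RE.search(body)
    if m and not m.group(1).lower().endswith(".dll"):
        return ("high", f"rundll32 loads a non-DLL file: {m.group(1)}")
    return None


def check_shell_object(body):
    """Flag an O21 ShellServiceObjectDelayLoad entry whose module is missing."""
    if body.lower().endswith("(no file)"):
        return ("high", "SSODL entry points at a file that no longer exists")
    return None


def triage(log_text):
    """Return one finding dict per suspicious HijackThis entry, in log order."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue
        code, body = m.group("code"), m.group("body")
        result = None
        if code in ("R0", "R1"):
            rm = R_RE.match(body)
            if rm:
                result = check_ie_setting(rm.group("name").strip(), rm.group("value"))
        elif code == "O4":
            result = check_autostart(body)
        elif code == "O21":
            result = check_shell_object(body)
        if result:
            findings.append({"code": code, "severity": result[0], "reason": result[1], "line": line})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f['severity']}] {f['code']}: {f['reason']}")
```

Run against the sample it reports the seven entries the helper had fixed plus the emptied HKLM Start Page at low severity, and leaves the yahoo.com, LoadPowerProfile and AOL lines alone.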