Author Topic: IPcons.biz?  (Read 5033 times)

chels82

  • Guest
IPcons.biz?
« on: April 20, 2005, 10:48:02 PM »
This is a recent problem that just started about two days ago.  I started getting a popup called IPcons.  I've tried a few things to delete but none have been successful.  I'm posting my HijackThis log below.  Any help would be great.

Thanks.

Logfile of HijackThis v1.99.1
Scan saved at 8:41:25 PM, on 4/20/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\COMMON FILES\AOL\ACS\AOLACSD.EXE
C:\WINDOWS\SYSTEM\SPOOLSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPLPR.EXE
C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPENH.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\PROGRAM FILES\COMMON FILES\AOL\ACS\AOLDIAL.EXE
D:\AMERICA ONLINE 9.0\DOWNLOAD\AOL SPYWARE PROTECTION\AOLSP SCHEDULER.EXE
C:\WINDOWS\SYSTEM\SERVICES\{D29B29E0-B1C8-11D9-AB5E-444553540000}\SVCHOST.EXE
D:\PROGRAM FILES\AIM\AIM.EXE
D:\AMERICA ONLINE 9.0\AOLTRAY.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
D:\AMERICA ONLINE 9.0\WEmail RemovedEXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
D:\AMERICA ONLINE 9.0\SHELLMON.EXE
C:\PROGRAM FILES\COMMON FILES\AOL\AOLTPSPD.EXE
D:\PROGRAM FILES\HIJACKTHIS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ipcons.biz/index.php?id=11258
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by America Online
F1 - win.ini: run=c:\DELL\WINBATCH.EXE
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe /q
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [AOL Spyware Protection] "D:\AMERIC~1.0\DOWNLOAD\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [Service Host] C:\WINDOWS\SYSTEM\Services\{D29B29E0-B1C8-11D9-AB5E-444553540000}\SVCHOST.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [AolAcsDaemon1] "C:\PROGRAM FILES\COMMON FILES\AOL\ACS\AOLACSD.EXE"
O4 - HKLM\..\RunServices: [Srv32 spool service] C:\WINDOWS\System\spoolsrv32.exe
O4 - HKCU\..\Run: [MoneyAgent] "c:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [AIM] D:\PROGRAM FILES\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\RunServices: [MoneyAgent] "c:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\RunServices: [AIM] D:\PROGRAM FILES\AIM\aim.exe -cnetwait.odl
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: Crystal 3D Audio Control.lnk = C:\WINDOWS\CWB3DSND.EXE
O4 - Startup: America Online 9.0 Tray Icon.lnk = D:\America Online 9.0\aoltray.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\PROGRAM FILES\AOL TOOLBAR\TOOLBAR.DLL/SEARCH.HTML
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - D:\PROGRAM FILES\AIM\AIM.EXE
O9 - Extra button: Microsoft AntiSpyware helper - {2F94A560-A6E6-11D9-AB5E-444553540000} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {2F94A560-A6E6-11D9-AB5E-444553540000} - (no file) (HKCU)
O16 - DPF: {8F0F5093-0A70-11D0-BCA9-00C04FD85AA6} - http://fdl.msn.com/public/oc/setupbbs.ocx
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.av.Email Removed/molbin/shared/m...83/mcinsctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.av.Email Removed/molbin/shared/m...,20/mcgdmgr.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.Email Removed/computercheckup/qdiagcc.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = aoldsl.net
O21 - SSODL: OLE Module - {0656A137-B161-CADD-9777-E37A75727E78} - C:\WINDOWS\SYSTEM\thun32.dll

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • Posts: 16034
  • Karma: +1/-0
IPcons.biz?
« Reply #1 on: April 20, 2005, 11:12:44 PM »
Hi chels82, I want to check on something
Can you please
download startdreck.zip

UNZIP to its own folder.... DoubleClick: 'StartDreck.exe'

Hit: -config
hit: -Unmark all
Check these boxes only:
*Registry->run keys
*Registry->Browser helper objects
*System/drivers> Running processes
hit >ok.

Use the "save" tab, to save, name and post this log

Copy and Paste the contents of that log back here

Do you want to post your own logs from FRST?

Follow the instructions posted here: http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/


chels82

  • Guest
IPcons.biz?
« Reply #2 on: April 21, 2005, 07:25:01 PM »
StartDreck (build 2.1.7 public stable) - 2005-04-21 @ 17:23:53 (GMT -07:00)
Platform: Windows 98 SE (Win 4.10.2222 A)
Internet Explorer: 6.0.2600.0000
Logged in as Chelsea at DELL INSPIRON

»Registry
 »Run Keys
  »Current User
   »Run
    *MoneyAgent="c:\Program Files\Microsoft Money\System\mnyexpr.exe"
    *AIM=D:\PROGRAM FILES\AIM\aim.exe -cnetwait.odl
   »RunOnce
  »Default User
   »Run
    *MoneyAgent="c:\Program Files\Microsoft Money\System\mnyexpr.exe"
    *AIM=D:\PROGRAM FILES\AIM\aim.exe -cnetwait.odl
   »RunOnce
  »Local Machine
   »Run
    *SystemTray=SysTray.Exe
    *SynTPLpr=C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    *SynTPEnh=C:\Program Files\Synaptics\SynTP\SynTPEnh.exe /q
    *ScanRegistry=c:\windows\scanregw.exe /autorun
    *TaskMonitor=c:\windows\taskmon.exe
    *LoadPowerProfile=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    *QuickTime Task="C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
    *AOLDialer=C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
    *AOL Spyware Protection="D:\AMERIC~1.0\DOWNLOAD\AOLSPY~1\AOLSP Scheduler.exe"
    *Service Host=C:\WINDOWS\SYSTEM\Services\{D29B29E0-B1C8-11D9-AB5E-444553540000}\SVCHOST.EXE
    +OptionalComponents
     +MSFS
      *Installed=1
     +MAPI
      *Installed=1
      *NoChange=1
     +MAPI
      *Installed=1
      *NoChange=1
   »RunOnce
   »RunServices
    *LoadPowerProfile=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    *SchedulingAgent=mstask.exe
    *AolAcsDaemon1="C:\PROGRAM FILES\COMMON FILES\AOL\ACS\AOLACSD.EXE"
    *Srv32 spool service=C:\WINDOWS\System\spoolsrv32.exe
   »RunServicesOnce
   »RunOnceEx
   »RunServicesOnceEx
 »Browser Helper Objects (LM)
  *{53707962-6F74-2D53-2644-206D7942484F}
   `InprocServer32=D:\Program Files\Spybot - Search & Destroy\SDHelper.dll
»Files
»System/Drivers
 »Running Processes
  +FFEFED8B=C:\WINDOWS\SYSTEM\KERNEL32.DLL
  +FFFFBAEF=C:\WINDOWS\SYSTEM\MSGSRV32.EXE
  +FFFFB2F7=C:\WINDOWS\SYSTEM\SPOOL32.EXE
  +FFFE5D4F=C:\WINDOWS\SYSTEM\MPREXE.EXE
  +FFFE27EB=C:\WINDOWS\SYSTEM\MSTASK.EXE
  +FFFEDBDB=C:\PROGRAM FILES\COMMON FILES\AOL\ACS\AOLACSD.EXE
  +FFFE9157=C:\WINDOWS\SYSTEM\SPOOLSRV32.EXE
  +FFFEA32F=C:\WINDOWS\SYSTEM\mmtask.tsk
  +FFFD6BCF=C:\WINDOWS\EXPLORER.EXE
  +FFFDA6BB=C:\WINDOWS\SYSTEM\SYSTRAY.EXE
  +FFFC75A3=C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPLPR.EXE
  +FFFC6723=C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPENH.EXE
  +FFFC05F7=C:\WINDOWS\TASKMON.EXE
  +FFFC2A57=C:\WINDOWS\SYSTEM\QTTASK.EXE
  +FFFCDECF=C:\PROGRAM FILES\COMMON FILES\AOL\ACS\AOLDIAL.EXE
  +FFFCCDAB=D:\AMERICA ONLINE 9.0\DOWNLOAD\AOL SPYWARE PROTECTION\AOLSP SCHEDULER.EXE
  +FFFCF703=C:\WINDOWS\SYSTEM\SERVICES\{D29B29E0-B1C8-11D9-AB5E-444553540000}\SVCHOST.EXE
  +FFFC8813=D:\PROGRAM FILES\AIM\AIM.EXE
  +FFFB1A93=D:\AMERICA ONLINE 9.0\AOLTRAY.EXE
  +FFFA28EB=D:\AMERICA ONLINE 9.0\WEmail RemovedEXE
  +FFFA81BF=C:\WINDOWS\SYSTEM\WMIEXE.EXE
  +FFF87007=C:\WINDOWS\SYSTEM\DDHELP.EXE
  +FFF6EBE3=C:\WINDOWS\SYSTEM\RNAAPP.EXE
  +FFF6C0FB=C:\WINDOWS\SYSTEM\TAPISRV.EXE
  +FFF53C13=D:\AMERICA ONLINE 9.0\SHELLMON.EXE
  +FFF54DD7=C:\PROGRAM FILES\COMMON FILES\AOL\AOLTPSPD.EXE
  +FFF34387=D:\PROGRAM FILES\STARTD\STARTDRECK.EXE
»Application specific

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • Posts: 16034
  • Karma: +1/-0
IPcons.biz?
« Reply #3 on: April 22, 2005, 12:11:35 AM »
Download the Pocket Killbox
UNZIP it to a folder of your choice

Copy and paste these instructions to a Notepad file then close all browser windows
With all other windows closed, including this one

Do another scan with Hijackthis and put a check next to these entries:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ipcons.biz/index.php?id=11258

O4 - HKLM\..\Run: [Service Host] C:\WINDOWS\SYSTEM\Services\{D29B29E0-B1C8-11D9-AB5E-444553540000}\SVCHOST.EXE

O4 - HKLM\..\RunServices: [Srv32 spool service] C:\WINDOWS\System\spoolsrv32.exe

O9 - Extra button: Microsoft AntiSpyware helper - {2F94A560-A6E6-11D9-AB5E-444553540000} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {2F94A560-A6E6-11D9-AB5E-444553540000} - (no file) (HKCU)



After you have ticked the above entries, close All other open windows, including this one
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis

Still with all other windows closed
Run Pocket KillBox >> now KillBox and this Notepad file are open
Click on Tools>>Delete Temp files

In the Full Path of File to Delete box, copy and paste the entire line directly below in bold, do not type this in

C:\WINDOWS\System\srvc32.exe  

Select the radio button to
 Delete on Reboot
Click The Red circle and a white X
When prompted to Delete on Reboot, click YES
If prompted to Reboot Now, Click NO

Do the same for these paths to the file names

C:\WINDOWS\System\Services\{641CAE39-D4CF-43BB-ACB3-6F30FD67922D}\SVCHOST.EXE
C:\WINDOWS\System\Services\{641CAE39-D4CF-43BB-ACB3-6F30FD67922D}\SECURITY.EXE
C:\WINDOWS\System\spoolsrv32.exe
C:\WINDOWS\SYSTEM\WLDR.DLL
C:\WINDOWS\SYSTEM\thun32.dll
C:\WINDOWS\SYSTEM\thun.dll


Allow the computer to Reboot
or Restart anyway when you've entered the last full path to the file name
Back in windows

find and delete this folder
C:\WINDOWS\System\Services <-this folder

Can you please look at this link recommended by Symantec and see if any registry entries have been added or modified
http://securityresponse.symantec.com/avcen...oor.fivsec.html
If you're unsure about modifying the registry or uncomfortable with it
Please post back and let me know

Post back a fresh hijackthis log afterwards

Edit>> Too late now, but I had you delete on reboot a few files where the directory didn't exist; we'll get them next time.
I changed the above instructions slightly.
« Last Edit: April 24, 2005, 12:30:34 AM by guestolo »


chels82

  • Guest
IPcons.biz?
« Reply #4 on: April 22, 2005, 02:17:08 AM »
I followed your directions and here is what I came up with.  I did go to the Symantec page and found a few of the registry entries in there.  I deleted them.  


Logfile of HijackThis v1.99.1
Scan saved at 12:15:50 AM, on 4/22/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\COMMON FILES\AOL\ACS\AOLACSD.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPLPR.EXE
C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPENH.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\PROGRAM FILES\COMMON FILES\AOL\ACS\AOLDIAL.EXE
D:\AMERICA ONLINE 9.0\DOWNLOAD\AOL SPYWARE PROTECTION\AOLSP SCHEDULER.EXE
D:\PROGRAM FILES\AIM\AIM.EXE
D:\AMERICA ONLINE 9.0\AOLTRAY.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
D:\AMERICA ONLINE 9.0\WEmail RemovedEXE
D:\AMERICA ONLINE 9.0\SHELLMON.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\COMMON FILES\AOL\AOLTPSPD.EXE
D:\PROGRAM FILES\HIJACKTHIS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ipassist.biz/index.php?id=11258
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by America Online
F1 - win.ini: run=c:\DELL\WINBATCH.EXE
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe /q
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [AOL Spyware Protection] "D:\AMERIC~1.0\DOWNLOAD\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [AolAcsDaemon1] "C:\PROGRAM FILES\COMMON FILES\AOL\ACS\AOLACSD.EXE"
O4 - HKCU\..\Run: [MoneyAgent] "c:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [AIM] D:\PROGRAM FILES\AIM\aim.exe -cnetwait.odl
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: Crystal 3D Audio Control.lnk = C:\WINDOWS\CWB3DSND.EXE
O4 - Startup: America Online 9.0 Tray Icon.lnk = D:\America Online 9.0\aoltray.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\PROGRAM FILES\AOL TOOLBAR\TOOLBAR.DLL/SEARCH.HTML
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - D:\PROGRAM FILES\AIM\AIM.EXE
O16 - DPF: {8F0F5093-0A70-11D0-BCA9-00C04FD85AA6} - http://fdl.msn.com/public/oc/setupbbs.ocx
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.av.Email Removed/molbin/shared/m...83/mcinsctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.av.Email Removed/molbin/shared/m...,20/mcgdmgr.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.Email Removed/computercheckup/qdiagcc.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = aoldsl.net
O21 - SSODL: OLE Module - {0656A137-B161-CADD-9777-E37A75727E78} - (no file)
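The two HijackThis logs above (the first post and this reply) are the kind of before/after pair a helper reads by eye. The following is an added example, not code from the thread or from HijackThis: a small Python triage that applies the rules guestolo used in Reply #3 (hijacked R0 start page, an O4 autorun living in a GUID-named folder under SYSTEM\Services, O4/O21 entries referencing files on the Reply #3 removal list, O9/O21 entries whose target is "(no file)") and then diffs the two logs. The expected-start-page allow-list is an assumption; the file names and log excerpts come from the thread.

```python
import re
from urllib.parse import urlparse

# Added example, not code from the thread or from HijackThis: a small triage pass
# over HijackThis v1.99 log lines that applies the same rules guestolo used in
# Reply #3, then diffs a before/after pair of logs.

LINE_RE = re.compile(r"^(?P<kind>[RFO]\d+) - (?P<body>.*)$")

# Assumption (not stated in the thread): the machine's expected start page is
# AOL-branded, so any other host in the R0 line is reported.
EXPECTED_START_HOSTS = {"aol.com", "www.aol.com"}

# File names the helper told the poster to delete in Reply #3 (taken from the thread).
KNOWN_BAD_FILES = {"spoolsrv32.exe", "srvc32.exe", "wldr.dll", "thun32.dll", "thun.dll"}

# Windows 98 has no C:\WINDOWS\SYSTEM\Services\{GUID}\ layout; an autorun there is suspect.
GUID_SERVICES_RE = re.compile(r"\\SYSTEM\\Services\\\{[0-9A-Fa-f-]{36}\}\\", re.I)


def parse_log(text):
    """Return (kind, body) pairs for the R/F/O entry lines; header and process list are skipped."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            entries.append((m.group("kind"), m.group("body")))
    return entries


def flag(kind, body):
    """Reason an entry deserves attention, or None if none of the thread's rules match."""
    low = body.lower()
    if kind == "R0" and "start page" in low:
        host = urlparse(body.split("=", 1)[1].strip()).hostname or ""
        if host not in EXPECTED_START_HOSTS:
            return f"start page hijacked to {host}"
    if kind == "O4" and GUID_SERVICES_RE.search(body):
        return "autorun from GUID-named folder under SYSTEM\\Services"
    if kind in {"O4", "O21"} and any(name in low for name in KNOWN_BAD_FILES):
        return "references a file on the removal list"
    if kind in {"O9", "O21"} and "(no file)" in low:
        return "orphaned entry, target file missing"
    return None


def triage(text):
    """Flagged entries as (kind, body, reason) triples, in log order."""
    return [(k, b, r) for k, b in parse_log(text) if (r := flag(k, b))]


def compare(before, after):
    """Diff two triaged logs: what the fix removed, what is new, what persisted unchanged."""
    b = {(k, body): r for k, body, r in triage(before)}
    a = {(k, body): r for k, body, r in triage(after)}
    return {
        "removed": sorted((k, body, b[(k, body)]) for (k, body) in b.keys() - a.keys()),
        "new": sorted((k, body, a[(k, body)]) for (k, body) in a.keys() - b.keys()),
        "persisting": sorted((k, body, a[(k, body)]) for (k, body) in a.keys() & b.keys()),
    }


# Constructed excerpts of the two logs posted in the thread (first post and Reply #4).
BEFORE = r"""
Logfile of HijackThis v1.99.1
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ipcons.biz/index.php?id=11258
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Service Host] C:\WINDOWS\SYSTEM\Services\{D29B29E0-B1C8-11D9-AB5E-444553540000}\SVCHOST.EXE
O4 - HKLM\..\RunServices: [Srv32 spool service] C:\WINDOWS\System\spoolsrv32.exe
O9 - Extra button: Microsoft AntiSpyware helper - {2F94A560-A6E6-11D9-AB5E-444553540000} - (no file) (HKCU)
O21 - SSODL: OLE Module - {0656A137-B161-CADD-9777-E37A75727E78} - C:\WINDOWS\SYSTEM\thun32.dll
"""

AFTER = r"""
Logfile of HijackThis v1.99.1
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ipassist.biz/index.php?id=11258
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O21 - SSODL: OLE Module - {0656A137-B161-CADD-9777-E37A75727E78} - (no file)
"""

if __name__ == "__main__":
    for bucket, items in compare(BEFORE, AFTER).items():
        print(f"== {bucket} ==")
        for kind, body, reason in items:
            print(f"  [{kind}] {reason}: {body}")
```

Run against the two excerpts, the diff shows the Reply #3 fix removed the autoruns and the SSODL DLL but left the SSODL key orphaned and the start page re-hijacked to a sibling domain, which is the "new" bucket a helper wants to see rather than an empty report.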

Shame311

  • Guest
IPcons.biz?
« Reply #5 on: April 22, 2005, 03:19:06 AM »
Log Removed

~guestolo~
« Last Edit: April 23, 2005, 02:22:36 PM by guestolo »

Offline windycitygolfer

  • Newbie
  • Posts: 1
  • Karma: +0/-0
IPcons.biz?
« Reply #6 on: April 23, 2005, 08:58:27 AM »
I'm not sure if this will help but I found this article just released on PC World that mentions this particular spyware issue. It also has a free download link to HijackGuard that supposedly fixes this issue:

http://www.pcworld.idg.com.au/index.php/id...40;fp;16;fpid;0

The example link in the article looks exactly like the problem my friend has except that his links point to ipassist.biz. I haven't tried using this fix yet but if someone here does, please post the result. Thanks in advance.

chels82

  • Guest
IPcons.biz?
« Reply #7 on: April 23, 2005, 02:26:16 PM »
It looks like I don't have IPcons anymore... I have IPassist now. It's really weird. I tried that fix and it didn't find anything on my computer.

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • Posts: 16034
  • Karma: +1/-0
IPcons.biz?
« Reply #8 on: April 23, 2005, 02:41:35 PM »
Can I have you try the following please
Download and save to Desktop DLLCompare

Start the Program and click the Run Locate.com

Let it complete the SCAN, which won't take long

Click the Compare button to start the next process. This will take a bit longer.
The results appear in two panes - files in the upper pane have been verified to 'exist'.
Files in the lower pane were 'not able to be accessed'.
Very few files should be listed in the lower pane, if any, when the Compare scan is complete.
Click on each of the listed entries in the lower pane to select them. Right-click on the file and use the option Rescan. This will cause Windows Find to see if the file does exist, and then if so it will be removed from the list to reduce the number of identified files.

Click the Make a Log of what was found button
Post back this log

Could you also do the following
Download this virus checker from eScan
Mwav.exe
There's nothing to install, save it and then double click to run
It will self extract

In Mwav
Select all local drives, scan all files, press 'SCAN' and when it is completed, anything found will be displayed in the lower pane.
Give this scan time to finish, it's very thorough
In the Virus Log Information Pane
Left click and Highlight all the info in the Lower pane --- Use "CTRL and the C" keys on your Keyboard to copy all found in the lower pane and paste it back here in your reply

****If prompted that a Virus was found and you need to purchase the product to remove the malware, just close out the prompt and let it continue scanning
We just want to see where the bad guys are

Could you also supply a fresh Hijackthis log
« Last Edit: April 24, 2005, 02:57:02 AM by guestolo »


chels82

  • Guest
IPcons.biz?
« Reply #9 on: April 23, 2005, 07:50:39 PM »
Here are the logs you needed.


DLL Compare log

*    DLLCompare Log version()
Files Found that Windows does not See or cannot Access
*Not everything listed here means you are infected!
________________________________________________

O^E says: "There were no files found :)"
________________________________________________

863 items found:  863 files, 0 directories.
Total of file sizes:  141,339,684 bytes    134.79 M

--------------------End log---------------------

Mwav log

File System Found infected by "Alexa Spyware/Adware" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\SYSTEM\MTC.dll infected by "Trojan-Downloader.Win32.Agent.ga" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\SYSTEM\mxbkup.exe infected by "Trojan.Win32.DNSChanger.g" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\SYSTEM\mstep.dll infected by "Trojan-Downloader.Win32.Murlo.c" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\SYSTEM\connmie.exe infected by "not-a-virus:AdWare.FindSpy.a" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\SYSTEM\truettf.exe infected by "not-a-virus:AdWare.Msnagent.a" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\SYSTEM\dxconf.exe infected by "not-a-virus:AdWare.FindSpy.a" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\SYSTEM\iecustme.exe infected by "Trojan.Win32.StartPage.vb" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\SYSTEM\iecustom32.dll infected by "Trojan.Win32.StartPage.sl" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\SYSTEM\ctbasxt.exe infected by "Trojan.Win32.StartPage.fw" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\SYSTEM\sysobj.exe infected by "HackTool.Win32.Hidd.g" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\SYSTEM\notepad.com infected by "Trojan-Downloader.Win32.Delf.ks" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\SYSTEM\srdrv32.dll infected by "Trojan-Downloader.Win32.Small.aoa" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\SYSTEM\srpcsrv32.dll infected by "Trojan.Win32.TopAntiSpyware.i" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\SYSTEM\spoolsrv32.exe infected by "Trojan.Win32.TopAntiSpyware.i" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\SYSTEM\x.exe infected by "Trojan-Dropper.Win32.Small.uy" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\TEMPOR~1\CONTENT.IE5\CTIVSDU7\$file[1] infected by "Trojan-Dropper.Win32.Small.vn" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\TEMPOR~1\CONTENT.IE5\MPBWL83Q\$file[1] infected by "Trojan-Dropper.Win32.Small.vn" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\TEMPOR~1\CONTENT.IE5\MPBWL83Q\$file[2] infected by "Trojan-Dropper.Win32.Small.vn" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\TEMPOR~1\CONTENT.IE5\4HEFG5UN\$file[1] infected by "Trojan-Dropper.Win32.Small.vn" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\TEMPOR~1\CONTENT.IE5\W90ZKFC7\$file[2] infected by "Trojan-Dropper.Win32.Small.vn" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\TEMPOR~1\CONTENT.IE5\W90ZKFC7\$file[1] infected by "Trojan-Dropper.Win32.Small.vn" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\TEMPOR~1\Content.IE5\CTIVSDU7\$file[1] infected by "Trojan-Dropper.Win32.Small.vn" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\TEMPOR~1\Content.IE5\MPBWL83Q\$file[1] infected by "Trojan-Dropper.Win32.Small.vn" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\TEMPOR~1\Content.IE5\MPBWL83Q\$file[2] infected by "Trojan-Dropper.Win32.Small.vn" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\TEMPOR~1\Content.IE5\4HEFG5UN\$file[1] infected by "Trojan-Dropper.Win32.Small.vn" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\TEMPOR~1\Content.IE5\W90ZKFC7\$file[2] infected by "Trojan-Dropper.Win32.Small.vn" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\TEMPOR~1\Content.IE5\W90ZKFC7\$file[1] infected by "Trojan-Dropper.Win32.Small.vn" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\COMMAND\EBD\EBD.CAB tagged as not-a-virus:Tool.DOS.Restart. No Action Taken.
File C:\WINDOWS\SYSTEM\MTC.dll infected by "Trojan-Downloader.Win32.Agent.ga" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\SYSTEM\mxbkup.exe infected by "Trojan.Win32.DNSChanger.g" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\SYSTEM\mstep.dll infected by "Trojan-Downloader.Win32.Murlo.c" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\SYSTEM\connmie.exe infected by "not-a-virus:AdWare.FindSpy.a" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\SYSTEM\truettf.exe infected by "not-a-virus:AdWare.Msnagent.a" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\SYSTEM\dxconf.exe infected by "not-a-virus:AdWare.FindSpy.a" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\SYSTEM\iecustme.exe infected by "Trojan.Win32.StartPage.vb" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\SYSTEM\iecustom32.dll infected by "Trojan.Win32.StartPage.sl" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\SYSTEM\ctbasxt.exe infected by "Trojan.Win32.StartPage.fw" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\SYSTEM\sysobj.exe infected by "HackTool.Win32.Hidd.g" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\SYSTEM\notepad.com infected by "Trojan-Downloader.Win32.Delf.ks" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\SYSTEM\srdrv32.dll infected by "Trojan-Downloader.Win32.Small.aoa" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\SYSTEM\srpcsrv32.dll infected by "Trojan.Win32.TopAntiSpyware.i" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\SYSTEM\spoolsrv32.exe infected by "Trojan.Win32.TopAntiSpyware.i" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\SYSTEM\x.exe infected by "Trojan-Dropper.Win32.Small.uy" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\Temporary Internet Files\Content.IE5\CTIVSDU7\$file[1] infected by "Trojan-Dropper.Win32.Small.vn" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\Temporary Internet Files\Content.IE5\MPBWL83Q\$file[1] infected by "Trojan-Dropper.Win32.Small.vn" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\Temporary Internet Files\Content.IE5\MPBWL83Q\$file[2] infected by "Trojan-Dropper.Win32.Small.vn" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\Temporary Internet Files\Content.IE5\4HEFG5UN\$file[1] infected by "Trojan-Dropper.Win32.Small.vn" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\Temporary Internet Files\Content.IE5\W90ZKFC7\$file[2] infected by "Trojan-Dropper.Win32.Small.vn" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\Temporary Internet Files\Content.IE5\W90ZKFC7\$file[1] infected by "Trojan-Dropper.Win32.Small.vn" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\wt\wtvh.dll infected by "not-a-virus:AdWare.WildTangent.b" Virus. Action Taken: No Action Taken.
File C:\Program Files\Common Files\aolback\comp01.000 tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File C:\m.exe infected by "Trojan-Dropper.Win32.Small.oy" Virus. Action Taken: No Action Taken.
File C:\r.exe infected by "Trojan-Dropper.Win32.Small.vn" Virus. Action Taken: No Action Taken.
File D:\America Online 9.0\Jiti\Jiti_mm.exe tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.


Hijack This log

Logfile of HijackThis v1.99.1
Scan saved at 5:50:48 PM, on 4/23/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\COMMON FILES\AOL\ACS\AOLACSD.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPLPR.EXE
C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPENH.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\PROGRAM FILES\COMMON FILES\AOL\ACS\AOLDIAL.EXE
D:\AMERICA ONLINE 9.0\DOWNLOAD\AOL SPYWARE PROTECTION\AOLSP SCHEDULER.EXE
D:\PROGRAM FILES\AIM\AIM.EXE
D:\AMERICA ONLINE 9.0\AOLTRAY.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
D:\AMERICA ONLINE 9.0\WEmail RemovedEXE
D:\AMERICA ONLINE 9.0\SHELLMON.EXE
C:\PROGRAM FILES\COMMON FILES\AOL\AOLTPSPD.EXE
C:\WINDOWS\NOTEPAD.EXE
C:\WINDOWS\TEMP\MWAVSCAN.COM
C:\WINDOWS\TEMP\KAVSS.EXE
D:\PROGRAM FILES\HIJACKTHIS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ipassist.biz/index.php?id=11258
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by America Online
F1 - win.ini: run=c:\DELL\WINBATCH.EXE
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe /q
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [AOL Spyware Protection] "D:\AMERIC~1.0\DOWNLOAD\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [AolAcsDaemon1] "C:\PROGRAM FILES\COMMON FILES\AOL\ACS\AOLACSD.EXE"
O4 - HKCU\..\Run: [AIM] D:\PROGRAM FILES\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\RunServices: [AIM] D:\PROGRAM FILES\AIM\aim.exe -cnetwait.odl
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: Crystal 3D Audio Control.lnk = C:\WINDOWS\CWB3DSND.EXE
O4 - Startup: America Online 9.0 Tray Icon.lnk = D:\America Online 9.0\aoltray.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\PROGRAM FILES\AOL TOOLBAR\TOOLBAR.DLL/SEARCH.HTML
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - D:\PROGRAM FILES\AIM\AIM.EXE
O16 - DPF: {8F0F5093-0A70-11D0-BCA9-00C04FD85AA6} - http://fdl.msn.com/public/oc/setupbbs.ocx
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.av.Email Removed/molbin/shared/m...83/mcinsctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.av.Email Removed/molbin/shared/m...,20/mcgdmgr.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.Email Removed/computercheckup/qdiagcc.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = aoldsl.net
O21 - SSODL: OLE Module - {0656A137-B161-CADD-9777-E37A75727E78} - (no file)

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • Posts: 16034
  • Karma: +1/-0
IPcons.biz?
« Reply #10 on: April 23, 2005, 11:40:00 PM »
Sorry for the delay

Can I ask you to do a couple more things for me

Open Hijackthis>>Open Misc tools section>>Open Uninstall Manager
Click the SAVE LIST button
Save and post the list that's produced

Also in the Misc tools section, could you click the Hosts file Manager
Click the "Open In Notepad" button
Post the whole contents of the Hosts text file that opens

Do you want to post your own logs from FRST?

Follow the instructions posted here: http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/


chels82 (Guest)
IPcons.biz?
« Reply #11 on: April 24, 2005, 12:01:34 AM »
Thanks for all your help so far.  I'd be totally clueless on what to do.

America Online (Choose which version to remove)
AOL Coach Version 1.0(Build:20040229.1 en)
AOL Connectivity Services
AOL Instant Messenger
AOL Spyware Protection
AOL Toolbar
AOL You've Got Pictures Screensaver
HijackThis 1.99.1
Learn2 Player (Uninstall Only)
Lernout & Hauspie TruVoice American English TTS Engine
Microsoft Excel 97
Microsoft Fax
Microsoft Internet Explorer 6 and Internet Tools
Microsoft Music Control
Microsoft Office 2000 Standard
Microsoft Outlook Express 6
Microsoft Picture It! 99
Microsoft Publisher 2000 Deluxe Disc 1
Microsoft Publisher 2000 Deluxe Disc 2
Microsoft Small Business Financial Manager 97
Microsoft Wallet
Microsoft Web Publishing Wizard 1.6
QuickTime
RealPlayer Basic
Restore Winsock 1.1 Configuration
Spybot - Search & Destroy 1.3
Viewpoint Media Player
Windows Media Player 7.1
WinZip
WinZip Self-Extractor


# Copyright © 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
#      102.54.94.97     rhino.acme.com          # source server
#       38.25.63.10     x.acme.com              # x client host

127.0.0.1       localhost
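A way to check the Hosts file guestolo asked for, as an added example that is not part of the original post or of HijackThis' Hosts file Manager. It parses the file the way the comments above describe (address first, then host names, `#` comments) and flags the two things a hijacker changes: localhost pointing somewhere other than loopback, and security-vendor names pinned to an address so the online scanners and update sites stop working. The hijacked sample and the vendor list are constructed for illustration; on Windows 98 the file itself is C:\WINDOWS\HOSTS.

```python
"""Audit a Windows HOSTS file for the redirections a browser hijacker typically adds.

Added example for this thread; not code from the original post or from any tool
named in it. The HIJACKED_HOSTS sample and the WATCHED_SUFFIXES list are
constructed for illustration.
"""
import ipaddress
from typing import List

# Vendor names taken from the O16 entries in the logs above, plus update hosts a
# hijacker commonly blocks; which names to watch is an assumption of this example.
WATCHED_SUFFIXES = (
    "pandasoftware.com",
    "mcafee.com",
    "windowsupdate.com",
    "microsoft.com",
)


def audit_hosts(text: str) -> List[str]:
    """Return one finding per suspicious mapping; an empty list means the file looks untouched."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # strip inline and full-line comments
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            findings.append(f"line {lineno}: malformed entry {raw.strip()!r}")
            continue
        ip, names = fields[0], fields[1:]
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            findings.append(f"line {lineno}: {ip!r} is not an IP address")
            continue
        for name in names:
            n = name.lower()
            if n == "localhost":
                if not addr.is_loopback:
                    findings.append(f"line {lineno}: localhost redirected to {ip}")
            elif n in WATCHED_SUFFIXES or n.endswith(tuple("." + s for s in WATCHED_SUFFIXES)):
                # Pinning a vendor name to loopback blocks its updates/scans; pinning it
                # anywhere else sends the user to a host the attacker controls.
                where = "loopback (blocked)" if addr.is_loopback else f"{ip} (redirected)"
                findings.append(f"line {lineno}: {name} pinned to {where}")
    return findings


# Abbreviated from the file chels82 posted, used as the clean baseline.
CLEAN_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#      102.54.94.97     rhino.acme.com          # source server

127.0.0.1       localhost
"""

# Constructed sample of what a hijacked file might contain (not from the thread).
HIJACKED_HOSTS = CLEAN_HOSTS + """\
127.0.0.1       www.pandasoftware.com
127.0.0.1       download.mcafee.com   # constructed: blocks the online scanner
192.0.2.10      localhost             # constructed: loopback no longer loops back
"""

if __name__ == "__main__":
    for label, data in (("clean", CLEAN_HOSTS), ("hijacked", HIJACKED_HOSTS)):
        print(label, audit_hosts(data) or "no findings")
```

Run against the pasted file above it reports nothing, which is the same conclusion guestolo reaches; a hijacked file produces one line per tampered mapping, with the line number so the entry can be removed by hand.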

guestolo
IPcons.biz?
« Reply #12 on: April 24, 2005, 12:25:52 AM »
Can you do the following

==Download and install this small program
to help clean your temp folders, cookies, Recycle Bin, etc.
Windows Cleanup
Install for now, don't run a scan yet

==Download and UNZIP to desktop IEFix.zip
So you now have IEFix.reg on the desktop
We'll need this later, don't run it yet, but ensure you unzip it for now
[attachment=164:attachment]

Please  save these instructions to a Notepad file and save it to your Desktop
Disconnect from the Internet
I'm going to ask you to restart in safe mode soon; if you're unsure how to, would you please look at the link I supplied below ahead of time
RESTART your Computer in SAFE MODE
You can do this by tapping the F8 key as the system is restarting, after the single post beep, or use the link
I supplied for a more detailed explanation

Open Windows CleanUp!>>START>>programs>>Cleanup!
Click on the CleanUp button, let it finish scanning for files, when it's done
Don't log off or restart yet

Instead,
Do another scan with Hijackthis and put a check next to these entries:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ipassist.biz/index.php?id=11258

O21 - SSODL: OLE Module - {0656A137-B161-CADD-9777-E37A75727E78} - (no file)


After you have ticked the above entries, close All other open windows, including this one
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis

Double click on IEFix.reg and allow to merge to the registry

Stay in safe mode
Run Pocket KillBox. Now KillBox and this Notepad file are open
In the Full Path of File to Delete box, copy and paste the entire line directly below in bold; do not type this in
Keep track of any file that won't delete, we'll need those in a bit

C:\WINDOWS\SYSTEM\MTC.dll

Do the same for these paths to the file names

C:\WINDOWS\SYSTEM\mxbkup.exe
C:\WINDOWS\SYSTEM\mstep.dll
C:\WINDOWS\SYSTEM\connmie.exe
C:\WINDOWS\SYSTEM\truettf.exe
C:\WINDOWS\SYSTEM\dxconf.exe
C:\WINDOWS\SYSTEM\iecustme.exe
C:\WINDOWS\SYSTEM\iecustom32.dll
C:\WINDOWS\SYSTEM\ctbasxt.exe
C:\WINDOWS\SYSTEM\sysobj.exe
C:\WINDOWS\SYSTEM\notepad.com
C:\WINDOWS\SYSTEM\srdrv32.dll
C:\WINDOWS\SYSTEM\srpcsrv32.dll
C:\WINDOWS\SYSTEM\spoolsrv32.exe
C:\WINDOWS\SYSTEM\x.exe
C:\m.exe
C:\r.exe


For any file that wouldn't delete, again enter that into Killbox, but this time
Select the radio button to
 Delete on Reboot
Click The Red circle and a white X
When prompted to Delete on Reboot, click YES
Don't allow to reboot until you have entered the last path to the filename

or Restart anyways
Back in Windows

Download and Install the free version of Ad-Aware SE Personal 1.05
Open Ad-Aware, ensure to click the  check for updates now link and Connect to download the latest updates
Perform a Full system scan
When it's finished scanning
At this point you should either right click on the screen and choose the "Select All" Objects option or individually put a checkmark in each object's checkbox
click on the Next button. Ad-Aware SE will now present you with a confirmation box as to whether or not you would like to remove the objects you have just selected. Press the "OK" button

RESTART your computer to finish the cleaning process

Post back a fresh Hijackthis log afterwards



chels82 (Guest)
IPcons.biz?
« Reply #13 on: April 24, 2005, 04:42:29 PM »
It looks like i have about:blank now.  argh, why do i keep getting these?!

Logfile of HijackThis v1.99.1
Scan saved at 2:35:54 PM, on 4/24/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\COMMON FILES\AOL\ACS\AOLACSD.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPLPR.EXE
C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPENH.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\PROGRAM FILES\COMMON FILES\AOL\ACS\AOLDIAL.EXE
D:\AMERICA ONLINE 9.0\DOWNLOAD\AOL SPYWARE PROTECTION\AOLSP SCHEDULER.EXE
D:\PROGRAM FILES\AIM\AIM.EXE
C:\WINDOWS\CWB3DSND.EXE
D:\AMERICA ONLINE 9.0\AOLTRAY.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
D:\PROGRAM FILES\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://c:\windows\TEMP\se.dll/spage.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by America Online
F1 - win.ini: run=c:\DELL\WINBATCH.EXE
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe /q
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [AOL Spyware Protection] "D:\AMERIC~1.0\DOWNLOAD\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [AolAcsDaemon1] "C:\PROGRAM FILES\COMMON FILES\AOL\ACS\AOLACSD.EXE"
O4 - HKLM\..\RunServices: [Srv32 spool service] C:\WINDOWS\System\spoolsrv32.exe
O4 - HKCU\..\Run: [AIM] D:\PROGRAM FILES\AIM\aim.exe -cnetwait.odl
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: Crystal 3D Audio Control.lnk = C:\WINDOWS\CWB3DSND.EXE
O4 - Startup: America Online 9.0 Tray Icon.lnk = D:\America Online 9.0\aoltray.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\PROGRAM FILES\AOL TOOLBAR\TOOLBAR.DLL/SEARCH.HTML
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - D:\PROGRAM FILES\AIM\AIM.EXE
O16 - DPF: {8F0F5093-0A70-11D0-BCA9-00C04FD85AA6} - http://fdl.msn.com/public/oc/setupbbs.ocx
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.av.Email Removed/molbin/shared/m...83/mcinsctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.av.Email Removed/molbin/shared/m...,20/mcgdmgr.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.Email Removed/computercheckup/qdiagcc.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = aoldsl.net

Guest
IPcons.biz?
« Reply #14 on: April 24, 2005, 05:44:44 PM »
I have just removed this [censored].

First - Uninstall Google's Toolbar if you have one - I am pretty sure it's infected (then you will reinstall it within 2 minutes from toolbar.google.com :)

then delete this string
C:\WINDOWS\SYSTEM\SERVICES\{D29B29E0-B1C8-11D9-AB5E-444553540000}\SVCHOST.EXE
Using the program StartDreck.exe or a registry cleaner, or do Run > regedit > Local Machine > Windows > Run.. and find it yourself

Delete all files in Documents Settings/user/Local Settings/

Use Microsoft AntiSpyware to check if you dont have anything more.

Hope this will help.

It helped me at least :)

Best regards!
Andy

Guest
IPcons.biz?
« Reply #15 on: April 24, 2005, 05:48:14 PM »
btw thank you guestolo very much - your posts helped me a lot!

thank you!

_____
Andy

Guest
IPcons.biz?
« Reply #16 on: April 24, 2005, 05:58:32 PM »
I found this page through Google, so I think it will be very useful to add more related keywords here

I have these domains for search results in my browser

ipassist.biz; ipcons.biz

These guys are Russians; very sorry for them, because I am Russian too

their fake logos:

Skoro Mir Izmenitsa Corp
skorokonecmira.com, Inc

guestolo
IPcons.biz?
« Reply #17 on: April 24, 2005, 06:07:01 PM »
Don't give up Chels

Try this please
Download and save Remove.zip
Unzip the contents to desktop, we'll need this in a bit
[attachment=166:attachment]

From my signature below download CWShredder.exe and save to desktop

Copy and paste these instructions to a Notepad file

Disconnect from the Internet
Run Pocket KillBox. Now KillBox and this Notepad file are open
In the Full Path of File to Delete box, copy and paste the entire line directly below in bold; do not type this in
Select the radio button to
 Delete on Reboot
Click The Red circle and a white X
When prompted to Delete on Reboot, click YES
Don't allow to reboot until you have entered the last path to the filename

C:\WINDOWS\System\spoolsrv32.exe

Do the same for this  path to the file name

c:\windows\TEMP\se.dll
Additionally use the "Unregister .dll before delete" button on this file name if able to

Allow the computer to reboot or reboot anyways when entering the last file

Back in windows, don't open any browser windows

Instead, Run Windows CleanUp! again
Don't restart the computer after the scan

Instead
Do another scan with Hijackthis and put a check next to these entries:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://c:\windows\TEMP\se.dll/spage.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =

O4 - HKLM\..\RunServices: [Srv32 spool service] C:\WINDOWS\System\spoolsrv32.exe


After you have ticked the above entries, close All other open windows, including this one
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis

Double click on Remove.reg and allow to merge to the registry

Afterwards, Open CWShredder.exe
Click the FIX button, allow to fix whatever it finds

RESTART your computer again after it's done

Back in Windows
Don't open a browser yet, instead access Internet Options via Control Panel
Under the Programs tab "Reset Web Settings"
Under the General tab--- Reset home page

Post back a fresh Hijackthis log afterwards



chels82 (Guest)
IPcons.biz?
« Reply #18 on: April 24, 2005, 07:34:40 PM »
My laptop seems to be unusually slow now.  Do I still have spyware?

Logfile of HijackThis v1.99.1
Scan saved at 5:20:39 PM, on 4/24/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\COMMON FILES\AOL\ACS\AOLACSD.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPLPR.EXE
C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPENH.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\PROGRAM FILES\COMMON FILES\AOL\ACS\AOLDIAL.EXE
C:\WINDOWS\RUNDLL32.EXE
D:\PROGRAM FILES\AIM\AIM.EXE
C:\WINDOWS\CWB3DSND.EXE
D:\AMERICA ONLINE 9.0\AOLTRAY.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
D:\PROGRAM FILES\HIJACKTHIS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by America Online
F1 - win.ini: run=c:\DELL\WINBATCH.EXE
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe /q
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [AOL Spyware Protection] "D:\AMERIC~1.0\DOWNLOAD\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [sp] rundll32 C:\WINDOWS\TEMP\SE.DLL,DllInstall
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [AolAcsDaemon1] "C:\PROGRAM FILES\COMMON FILES\AOL\ACS\AOLACSD.EXE"
O4 - HKCU\..\Run: [AIM] D:\PROGRAM FILES\AIM\aim.exe -cnetwait.odl
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: Crystal 3D Audio Control.lnk = C:\WINDOWS\CWB3DSND.EXE
O4 - Startup: America Online 9.0 Tray Icon.lnk = D:\America Online 9.0\aoltray.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\PROGRAM FILES\AOL TOOLBAR\TOOLBAR.DLL/SEARCH.HTML
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - D:\PROGRAM FILES\AIM\AIM.EXE
O16 - DPF: {8F0F5093-0A70-11D0-BCA9-00C04FD85AA6} - http://fdl.msn.com/public/oc/setupbbs.ocx
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.av.Email Removed/molbin/shared/m...83/mcinsctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.av.Email Removed/molbin/shared/m...,20/mcgdmgr.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.Email Removed/computercheckup/qdiagcc.cab
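The triage guestolo does by eye on the logs in Reply #13 and Reply #18, written out as an added example (not HijackThis code, and not from the original posts). It parses the `TYPE - body` entry format, extracts the value of each R0/R1 setting and the file names in each O4 autostart, and reports the indicators this thread turned on: start or search pages on the hijack domains, code loaded from \TEMP\ (the se.dll about:blank variant), autostarts naming files on guestolo's cleanup list, and an O21 SSODL entry with no file behind it. The watchlists and the sample log excerpt are built from lines on this page; treating those names as indicators is an assumption of the example.

```python
"""Triage a HijackThis log for the indicators discussed in this thread.

Added example; not code from HijackThis, from guestolo, or from the original
posts. HIJACK_DOMAINS comes from the start pages shown in the logs and Reply #16;
WATCHED_FILES is assembled from the file names guestolo targeted above, and
treating them as indicators is an assumption of this example.
"""
import re
from typing import List, Tuple
from urllib.parse import urlsplit

HIJACK_DOMAINS = {"ipcons.biz", "ipassist.biz"}
WATCHED_FILES = {"spoolsrv32.exe", "se.dll", "mtc.dll", "mstep.dll", "iecustom32.dll", "srpcsrv32.dll"}

ENTRY_RE = re.compile(r"^(?P<type>[RFO]\d+) - (?P<body>.*)$")
# Pulls bare file names such as SE.DLL out of "rundll32 C:\WINDOWS\TEMP\SE.DLL,DllInstall".
FILE_RE = re.compile(r'([^\\/\s"\[\],]+\.(?:exe|dll|com))', re.I)

Finding = Tuple[str, str, str]  # (severity, reason, log line)


def _host(url: str) -> str:
    try:
        return (urlsplit(url).hostname or "").lower()
    except ValueError:
        return ""


def _in_temp(text: str) -> bool:
    return "\\temp\\" in text.lower()


def triage(log_text: str) -> List[Finding]:
    """Return every suspicious entry; benign lines and log headers produce nothing."""
    hits: List[Finding] = []
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue  # "Running processes", headers, blank lines
        etype, body = m["type"], m["body"]
        low = body.lower()
        if etype in ("R0", "R1"):
            value = body.split(" = ", 1)[1].strip() if " = " in body else ""
            if not value:
                continue  # an emptied setting is something to reset, not an indicator by itself
            host = _host(value) if value.lower().startswith("http") else ""
            if host in HIJACK_DOMAINS or any(host.endswith("." + d) for d in HIJACK_DOMAINS):
                hits.append(("high", f"IE setting points at hijack domain {host}", raw))
            elif _in_temp(value):
                hits.append(("high", "IE setting served from a DLL under TEMP", raw))
            elif value.lower().startswith("res://"):
                hits.append(("medium", "IE setting served from a local resource; verify the DLL", raw))
            elif value == "about:blank" and "search" in low:
                hits.append(("medium", "search setting blanked (about:blank hijack pattern)", raw))
        elif etype == "O4":
            names = {n.lower() for n in FILE_RE.findall(body)}
            if _in_temp(body):
                hits.append(("high", "autostart loads code from TEMP", raw))
            elif names & WATCHED_FILES:
                hits.append(("high", f"autostart references {', '.join(sorted(names & WATCHED_FILES))}", raw))
        elif etype == "O21" and "(no file)" in low:
            hits.append(("medium", "SSODL entry whose DLL is missing; orphaned loader", raw))
    return hits


# Constructed excerpt of the logs posted in Reply #13 and Reply #18, plus one benign O4 line.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ipcons.biz/index.php?id=11258
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://c:\windows\TEMP\se.dll/spage.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [sp] rundll32 C:\WINDOWS\TEMP\SE.DLL,DllInstall
O4 - HKLM\..\RunServices: [Srv32 spool service] C:\WINDOWS\System\spoolsrv32.exe
O21 - SSODL: OLE Module - {0656A137-B161-CADD-9777-E37A75727E78} - (no file)
"""

if __name__ == "__main__":
    for severity, reason, line in triage(SAMPLE_LOG):
        print(f"[{severity}] {reason}\n    {line}")
```

The Synaptics entry falls through every rule, while the se.dll Run entry is caught by the TEMP rule before the name watchlist is even consulted; that ordering matters, because a variant that renames the DLL still has to load from somewhere, and a user-writable temp directory is the tell.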

guestolo
IPcons.biz?
« Reply #19 on: April 24, 2005, 07:43:11 PM »
Yup, you picked up a new one it seems

Can you do the following with StartDreck again

Hit: Config
Hit: Unmark All
Check these boxes only:
* Registry -> Run keys
* Registry -> Browser helper objects
* System/drivers -> Running processes
Hit: OK

Use the "save" tab, to save, name and post this log
