#1
Hi
I have been hijacked with a new homepage thing and want to get rid of it but not pay for a spyware program. I have scanned with the free version of Ad-Aware or something and it found the nasties. I have CWShredder but it won't update. When I try to install the update it comes up with the message "A required .DLL file OLEACC.DLL was not found". I am not sure how to use HijackThis. I am not great with computers. Can anyone help? Thanks
#2
That file can be downloaded from http://www.dll-files.com/dllindex/dl...s.shtml?oleacc
To use HijackThis, copy it into its own folder, double-click HijackThis.exe, and hit "Scan". When the scan is finished, the "Scan" button will change into a "Save Log" button. Press that, save the log, do Ctrl-A to Select All, and copy its contents here. Most of what it lists will be harmless or even essential, so don't fix anything yet.
__________________
be wary of strong drink - it may make you shoot at tax collectors, and miss! |
#3
Sounds like you have definitely been hijacked. One of the experts will be along and help you. You need to be careful what you do with HijackThis. At this time, the only thing to do is run HJT (make sure it is in its own folder, not in temp or on the desktop), SAVE the log (do not fix anything). Then post your log back here in this thread for the experts to see. You post the log by doing a reply to this thread, then copy and paste the log (do not send an attachment) here in your post. Someone will check it and advise you.
You should be sure you have all patches and service packs for your OS installed; have a running and up-to-date antivirus program; and have either a hardware or software firewall, or both. These are minimums.
__________________
Pop Pop =========== "Anyone who has never made a mistake has never tried anything new." Albert Einstein |
#4
While I do not disagree in principle with Pop Pop that keeping your system fully updated is important, trying to install SP2 on an infected machine can be a recipe for disaster! Leave updates until you know the computer is clear of malware/hijackers.
__________________
be wary of strong drink - it may make you shoot at tax collectors, and miss! |
#5
This is the HijackThis log.
I had to do it from the desktop, that's where it is.

Logfile of HijackThis v1.97.7
Scan saved at 13:18:24, on 8/11/04
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\PROGRAM FILES\TREND PC-CILLIN 98\IOMON98.EXE
C:\PROGRAM FILES\GRISOFT\AVG6\AVGSERV9.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\APPHA.EXE
C:\PROGRAM FILES\TREND PC-CILLIN 98\WEBTRAP.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\GRISOFT\AVG6\AVGCC32.EXE
C:\PROGRAM FILES\MEDIASCAPE\TOUCH MANAGER\MEDIACTR.EXE
C:\WINDOWS\RunDLL.exe
C:\PROGRAM FILES\MESSENGER\MSMSGS.EXE
C:\PROGRAM FILES\MEDIASCAPE\TOUCH MANAGER\TOUCHMGR.EXE
C:\PROGRA~1\MEDIAS~1\ONSCRE~1\OSD.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\tubps.dll/sp.html#29126
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\tubps.dll/sp.html#29126
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\tubps.dll/sp.html#29126
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\tubps.dll/sp.html#29126
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\tubps.dll/sp.html#29126
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\tubps.dll/sp.html#29126
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\tubps.dll/sp.html#29126
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {A9DBFCDF-AFF2-11A7-49FB-BA932BD2618D} - C:\WINDOWS\SYSUS.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRAM FILES\GRISOFT\AVG6\avgcc32.exe /startup
O4 - HKLM\..\Run: [KBD MediaCenter] C:\Program Files\Mediascape\Touch Manager\MediaCtr.exe
O4 - HKLM\..\Run: [IOMON98.EXE] "C:\Program Files\Trend PC-cillin 98\IOMON98.EXE"
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [IOMON98.EXE] "C:\Program Files\Trend PC-cillin 98\IOMON98.EXE"
O4 - HKLM\..\RunServices: [Avgserv9.exe] C:\PROGRA~1\GRISOFT\AVG6\Avgserv9.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] C:\WINDOWS\SYSTEM\mstask.exe
O4 - HKLM\..\RunServices: [APPHA.EXE] C:\WINDOWS\SYSTEM\APPHA.EXE
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - HKCU\..\Run: [MSMSGS] C:\Program Files\Messenger\msmsgs.exe /background
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: EPSON Background Monitor.lnk = C:\ESM2\Stms.exe
O8 - Extra context menu item: &Copy Location - C:\WINDOWS\WEB\graburl.htm
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Offline (HKLM)
O9 - Extra 'Tools' menuitem: Add to Tr&usted Zone (HKLM)
O9 - Extra 'Tools' menuitem: Add to R&estricted Zone (HKLM)
O9 - Extra button: Wallpaper (HKLM)
O9 - Extra 'Tools' menuitem: &Toolbar Wallpaper (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: MSN Messenger Service (HKLM)
O9 - Extra button: Real.com (HKLM)
O12 - Plugin for .scr: C:\PROGRA~1\INTERN~1\PLUGINS\NPCHIME.DLL
O12 - Plugin for .mov: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O15 - Trusted Zone: *.05p.com
O15 - Trusted Zone: *.searchmiracle.com
O15 - Trusted Zone: *.clickspring.net
O15 - Trusted Zone: *.blazefind.com
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted Zone: *.flingstone.com
O15 - Trusted Zone: *.slotch.com
O15 - Trusted Zone: *.my-internet.info
O15 - Trusted Zone: *.scoobidoo.com
O15 - Trusted Zone: *.searchbarcash.com
O16 - DPF: {02466323-75ED-11CF-A267-0020AF2546EA} (VivoActive Control) - http://player.vivo.com/ie/vvweb.cab
O16 - DPF: BBSetup - http://www.bonzi.com/freebuddy/bbsetup.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/...sh/swflash.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.co...890.6237615741
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Macromedia Shockwave Director Control) - http://download.macromedia.com/pub/s...irector/sw.cab
O16 - DPF: v2cab - http://searchmiracle.com/cab/v2cab.cab
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_fi...9296baab e1d6
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/v...fo/webscan.cab

Thanks
#6
David,
Somehow I did not see your post before mine. Sorry. And you are correct, of course, about SP2 installs on unclean machines. I'll be more careful in the future.
__________________
Pop Pop
#7
I don't think this will work. We may have to download another program to deal with this, but let's give it a try.
Boot into safe mode and have HJT fix the following:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\tubps.dll/sp.html#29126
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\tubps.dll/sp.html#29126
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\tubps.dll/sp.html#29126
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\tubps.dll/sp.html#29126
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\tubps.dll/sp.html#29126
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\tubps.dll/sp.html#29126
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\tubps.dll/sp.html#29126
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
O2 - BHO: (no name) - {A9DBFCDF-AFF2-11A7-49FB-BA932BD2618D} - C:\WINDOWS\tubps.dll
O4 - HKLM\..\RunServices: [APPHA.EXE] C:\WINDOWS\SYSTEM\APPHA.EXE
O15 - Trusted Zone: *.05p.com
O15 - Trusted Zone: *.searchmiracle.com
O15 - Trusted Zone: *.clickspring.net
O15 - Trusted Zone: *.blazefind.com
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted Zone: *.flingstone.com
O15 - Trusted Zone: *.slotch.com
O15 - Trusted Zone: *.my-internet.info
O15 - Trusted Zone: *.scoobidoo.com
O15 - Trusted Zone: *.searchbarcash.com
O16 - DPF: v2cab - http://searchmiracle.com/cab/v2cab.cab
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_f...8a29296baabe1d6
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/...nfo/webscan.cab

Delete the following files:
C:\WINDOWS\SYSTEM\APPHA.EXE
C:\WINDOWS\tubps.dll

Re-boot into regular mode and re-post your HJT log.
We need help from Budfred on this, but the worst that can happen is it will come back. In that case we will need to use a different tool before cleaning with HJT.
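The triage classicsoftware does by eye above (pick out the R0/R1 values that point into a local DLL, the unnamed BHO, the unknown RunServices entry, the Trusted Zone additions and the O16 downloads from unfamiliar hosts, then list the files to delete) can be scripted. The following is an added example for this thread, not code from the forum or from HijackThis itself. The sample log is constructed from a subset of the entries posted above, and the allow lists of known-good CLSIDs, system executables and download hosts are assumptions made for the example, not a vetted database.

```python
"""Triage a HijackThis log: flag entries worth a closer look and collect the
local files they point at.  Added example for this thread, not HijackThis code;
the allow lists below are assumptions made for the example."""
import re
from urllib.parse import urlparse

# Constructed sample: a subset of the log posted above (only entries with
# complete URLs were kept).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\tubps.dll/sp.html#29126
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {A9DBFCDF-AFF2-11A7-49FB-BA932BD2618D} - C:\WINDOWS\SYSUS.DLL
O4 - HKLM\..\RunServices: [SchedulingAgent] C:\WINDOWS\SYSTEM\mstask.exe
O4 - HKLM\..\RunServices: [APPHA.EXE] C:\WINDOWS\SYSTEM\APPHA.EXE
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O15 - Trusted Zone: *.searchmiracle.com
O16 - DPF: {02466323-75ED-11CF-A267-0020AF2546EA} (VivoActive Control) - http://player.vivo.com/ie/vvweb.cab
O16 - DPF: BBSetup - http://www.bonzi.com/freebuddy/bbsetup.exe
O16 - DPF: v2cab - http://searchmiracle.com/cab/v2cab.cab
O16 - DPF: ppctlcab - http://www3.ca.com/securityadvisor/pest/ppctlcab.CAB
"""

# ASSUMED allow lists: the Acrobat helper is the one BHO the thread identifies,
# the executables are stock Win9x components, the hosts are the vendors whose
# controls appear in the posted log.  Extend these for a real machine.
KNOWN_GOOD_BHO_CLSIDS = {"{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}"}
KNOWN_GOOD_SYSTEM_EXES = {"mstask.exe", "systray.exe", "rundll32.exe"}
TRUSTED_DPF_HOSTS = {"player.vivo.com", "www3.ca.com", "download.macromedia.com",
                     "www.bitdefender.com"}

ENTRY_RE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.*)$")
EXE_RE = re.compile(r'"?([^"]*?\.exe)"?', re.IGNORECASE)
RES_DLL_RE = re.compile(r"res://([A-Za-z]:\\[^/]+)", re.IGNORECASE)


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def triage_line(line):
    """Return (reason, local_path_or_None) for a suspicious entry, else None."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    kind, body = m.group("kind"), m.group("body")
    if kind in ("R0", "R1"):
        # Start/search page values.  A res:// URL serves the page out of a DLL
        # on disk, which is exactly the about:blank hijack in this thread.
        value = body.split("=", 1)[1].strip() if "=" in body else ""
        r = RES_DLL_RE.match(value)
        if r:
            return "IE start/search value served from a local DLL", r.group(1)
    elif kind == "O2":
        # O2 - BHO: <name> - {CLSID} - <path>
        parts = [p.strip() for p in body.split(" - ")]
        if len(parts) >= 3 and parts[1].upper() not in KNOWN_GOOD_BHO_CLSIDS:
            return "BHO with unrecognised CLSID", parts[2]
    elif kind == "O4":
        # Run/RunServices autostarts: unknown executables in WINDOWS\SYSTEM,
        # where the droppers in this thread were dumped.
        cmd = body.split("]", 1)[1].strip() if "]" in body else body
        e = EXE_RE.search(cmd)
        if (e and "\\windows\\system\\" in cmd.lower()
                and _basename(e.group(1)) not in KNOWN_GOOD_SYSTEM_EXES):
            return "unknown executable autostarting from WINDOWS\\SYSTEM", e.group(1)
    elif kind == "O15":
        # Trusted Zone entries give a site relaxed IE security settings.
        return "domain added to the IE Trusted Zone", None
    elif kind == "O16":
        # Downloaded Program Files (ActiveX): judge by the download host.
        url = body.rsplit(" - ", 1)[-1].strip()
        host = (urlparse(url).hostname or "").lower()
        if host not in TRUSTED_DPF_HOSTS:
            return "ActiveX control fetched from unlisted host " + host, None
    return None


def triage(log_text):
    """Return [(entry, reason, local_path)] for every suspicious entry."""
    findings = []
    for line in log_text.splitlines():
        hit = triage_line(line)
        if hit:
            findings.append((line.strip(), hit[0], hit[1]))
    return findings


def files_to_delete(findings):
    """Local files the flagged entries point at: the 'delete these' list."""
    return sorted({path for _, _, path in findings if path})


if __name__ == "__main__":
    hits = triage(SAMPLE_LOG)
    for entry, reason, _ in hits:
        print(f"[{reason}]\n    {entry}")
    print("Delete:", *files_to_delete(hits), sep="\n    ")
```

On the constructed sample this flags six entries and produces the same three file paths the thread's fix lists (tubps.dll, SYSUS.DLL and APPHA.EXE). The heuristics are deliberately loose: every Trusted Zone entry and every O16 host outside the allow list is reported for review, not declared malicious, and, as Budfred notes later in the thread, removing these entries with HJT does not by itself kill a variant that re-creates them on reboot.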
#8
You are right classicsoftware, that won't work and it may even make cleanup more difficult.... This is a really nasty CWS variant that takes a rather complex fix to kill.... I will give it a shot, but it requires that you follow the directions precisely K1wial or it will simply morph and we will have to start over....
__________________
Budfred ..... Caveat Emptor.... Helpful links SpywareBlaster... HijackThis... ATF Cleaner... Post a complaint about malware here!! So how did I get infected in the first place?? MS MVP 2006 and ASAP member since 2004... If you PM me for help, expect an irritated response... Post in the forum... |
#9
Problem Again
Thanks Budfred
But the program didn't work. It came up with the message "PSSERVICE.EXE file is linked to missing export NETAP132.DLL NetServerEnum". Is this because this nasty thing has deleted files I need to get rid of it?
#10
I am not sure what that means... I will have to ask if anyone else knows in the forum it comes from unless someone here knows what that is about...
In the meanwhile... Try downloading it on another computer if you can and try running it again... It may be that the download was corrupted somehow...
__________________
Budfred
#11
Hope this helps
http://www.trendmicro.com/vinfo/viru...F.73.B&VSect=T And this http://forums.thetechguys.com/archiv...hp/t-9267.html
__________________
Ernie The difference between perseverance and obstinacy is that one is made from strong will, and the other from strong won't. Henry Ward Beecher. Do you have reading problems? Don't let it deter you. This is what YOU can do if you try http://www.erniek.eclipse.co.uk
#12
Well, based on those links and the info at SWI, it would probably be a good idea to run the Housecall online virus scan and try again... If it doesn't work, use the regedit in the second post to run GetServices... If you have trouble figuring out how to set it up, post back... Start with the online virus scan and a run of GetServices though since that is easier....
__________________
Budfred
#13
I couldn't open the Housecall online scan. It just went to a not found page. I did the BitDefender scan and this is some of what it did:

C:\WINDOWS\SYSTEM\q78kdov0.dll: infected with Trojan.Dialer.Coulom.B
C:\WINDOWS\SYSTEM\q78kdov0.dll: disinfection failed
C:\WINDOWS\SYSTEM\appha.exe: infected with Trojan.Downloader.Agent.BQ
C:\WINDOWS\SYSTEM\appha.exe: disinfection failed
C:\WINDOWS\SYSTEM\ipyn32.exe: infected with Trojan.Downloader.Agent.CD
C:\WINDOWS\SYSTEM\ipyn32.exe: disinfection failed
C:\WINDOWS\SYSTEM\sdklp32.exe: infected with Trojan.Downloader.Agent.CD
C:\WINDOWS\SYSTEM\sdklp32.exe: disinfection failed
C:\WINDOWS\SYSTEM\msaf32.exe: infected with Trojan.Downloader.Agent.CD
C:\WINDOWS\SYSTEM\msaf32.exe: disinfection failed
C:\WINDOWS\SYSTEM\msaf.exe: infected with Trojan.Downloader.Agent.CD
C:\WINDOWS\SYSTEM\msaf.exe: disinfection failed
C:\WINDOWS\SYSTEM\ntde.exe: infected with Trojan.Downloader.Agent.CD
C:\WINDOWS\SYSTEM\ntde.exe: disinfection failed
C:\WINDOWS\SYSTEM\atlik.exe: infected with Trojan.Downloader.Agent.CD
C:\WINDOWS\SYSTEM\atlik.exe: disinfection failed
C:\WINDOWS\SYSTEM\atlew.exe: infected with Trojan.Downloader.Agent.CD
C:\WINDOWS\SYSTEM\atlew.exe: disinfection failed
C:\WINDOWS\SYSTEM\winsm.exe: infected with Trojan.Downloader.Agent.CD
C:\WINDOWS\SYSTEM\winsm.exe: disinfection failed
C:\WINDOWS\SYSTEM\addga.exe: infected with Trojan.Downloader.Agent.CD
C:\WINDOWS\SYSTEM\addga.exe: disinfection failed
C:\WINDOWS\Application Data\Spybot - Search & Destroy\Recovery\Advertisingcom.zip=>alan stuart@advertising[4].txt: password protected
C:\WINDOWS\Application Data\Spybot - Search & Destroy\Recovery\Advertisingcom.zip=>sbRecovery.ini: password protected
C:\WINDOWS\Application Data\Spybot - Search & Destroy\Recovery\Advertisingcom1.zip=>alan stuart@servedby.advertising[7].txt: password protected
C:\WINDOWS\Application Data\Spybot - Search & Destroy\Recovery\Advertisingcom1.zip=>sbRecovery.ini: password protected
C:\WINDOWS\Application Data\Spybot - Search & Destroy\Recovery\Advertisingcom2.zip=>alan stuart@servedby.advertising[6].txt: password protected
C:\WINDOWS\Application Data\Spybot - Search & Destroy\Recovery\Advertisingcom2.zip=>sbRecovery.ini: password protected
C:\Destroy\Recovery\Advertisingcom10.zip=>sbRecovery.ini: password protected
C:\WINDOWS\Application Data\Spybot - Search & Destroy\Recovery\Advertisingcom11.zip=>alan stuart@rd.advertising[2].txt: password protected
C:\WINDOWS\Application Data\Spybot - Search & Destroy\Recovery\protected
C:\WINDOWS\Application Data\Spybot - Search & Destroy\Recovery\Advertisingcom12.zip=>alan stuart@servedby.advertising[1].txt: password protected
C:\WINDOWS\Application Data\Spybot - Search & Destroy\Recovery\Advertisingcom12.zip=>sbRecovery.ini: password protected
C:\WINDOWS\Application Data\Spybot - Search & Destroy\Recovery\Advertisingcom13.zip=>alan stuart@servedby.advertising[4].txt: password protected
C:\WINDOWS\Application Data\Spybot - Search & Destroy\Recovery\Advertisingcom13.zip=>sbRecovery.ini: password protected
C:\WINDOWS\Application Data\Spybot - Search & Destroy\Recovery\AlexaRelated.zip=>RELATED.HTM: password protected
C:\WINDOWS\Application Data\Spybot - Search & Destroy\Recovery\AlexaRelated.zip=>sbRecovery.ini: password protected
C:\WINDOWS\Application Data\Spybot - Search & Destroy\Recovery\AvenueAInc.zip=>alan stuart@atdmt[3].txt: password protected
C:\WINDOWS\Application Data\Spybot - Search & Destroy\Recovery\AvenueAInc.zip=>sbRecovery.ini: password protected
C:\WINDOWS\Application Data\Spybot - Search & Destroy\Recovery\AvenueAInc1.zip=>alan stuart@atdmt[2].txt: password protected
C:\WINDOWS\Application Data\Spybot - Search & Destroy\Recovery\AvenueAInc1.zip=>sbRecovery.ini: password protected
C:\WINDOWS\Application Data\Spybot - Search & Destroy\Recovery\BFast.zip=>alan stuart@bfast[1].txt: password protected
C:\WINDOWS\Application Data\Spybot - Search & Destroy\Recovery\BFast.zip=>sbRecovery.ini: password protected
C:\WINDOWS\Application Data\Spybot - Search & Destroy\Recovery\BFast1.zip=>anyuser@bfast[1].txt: password protected
C:\WINDOWS\Application Data\Spybot - Search & Destroy\Recovery\BFast1.zip=>sbRecovery.ini: password protected
C:\WINDOWS\Application Data\Spybot - Search & Destroy\Recovery\BonziBuddy.zip=>sbRecovery.ini: password protected
C:\WINDOWS\Application Data\Spybot - Search & Destroy\Recovery\CommissionJunction.zip=>alan stuart@www.qksrv[2].txt: password protected
C:\WINDOWS\Application Data\Spybot - Search & Destroy\Recovery\CommissionJunction.zip=>sbRecovery.ini: password protected
C:\WINDOWS\Application Data\Spybot - Search & Destroy\Recovery\CommissionJunction1.zip=>alan stuart@www.qksrv[1].txt: password protected
C:\WINDOWS\Application Data\Spybot - Search & Destroy\Recovery\CommissionJunction1.zip=>sbRecovery.ini: password protected
C:\WINDOWS\Application Data\Spybot - Search & Destroy\Recovery\CommissionJunction2.zip=>alan stuart@qksrv[1].txt: password protected
C:\WINDOWS\Application Data\Spybot - Search & Destroy\Recovery\CommissionJunction2.zip=>sbRecovery.ini: password protected
C:\WINDOWS\Application Data\Spybot - Search & Destroy\Recovery\CommissionJunction3.zip=>alan stuart@commission-junction[1].txt: password protected
C:\WINDOWS\Application Data\Spybot - Search & Destroy\Recovery\CommissionJunction3.zip=>sbRecovery.ini: password protected
C:\WINDOWS\Application Data\Spybot - Search & Destroy\Recovery\CoreMetrics.zip=>alan stuart@data.coremetrics[1].txt: password protected
C:\WINDOWS\Application Data\Spybot - Search & Destroy\Recovery\CoreMetrics.zip=>sbRecovery.ini: password protected
C:\WINDOWS\Application Data\Spybot - Search & Destroy\Recovery\DoubleClick.zip=>alan stuart@doubleclick[2].txt: password protected
C:\WINDOWS\Application Data\Spybot - Search & Destroy\Recovery\DoubleClick.zip=>sbRecovery.ini: password protected
C:\WINDOWS\Application Data\Spybot - Search & Destroy\Recovery\DoubleClick1.zip=>alan stuart@doubleclick[1].txt: password protected
C:\WINDOWS\Application Data\Spybot - Search & Destroy\Recovery\DoubleClick1.zip=>sbRecovery.ini: password protected
C:\WINDOWS\Application Data\Spybot - Search & Destroy\Recovery\EngageInc.zip=>alan stuart@engage[1].txt: password protected
C:\WINDOWS\Application Data\Spybot - Search & Destroy\Recovery\EngageInc.zip=>sbRecovery.ini: password protected
C:\WINDOWS\Application Data\Spybot - Search & Destroy\Recovery\DSOExploit.zip=>sbRecovery.reg: password protected
C:\WINDOWS\Application Data\Spybot - Search & Destroy\Recovery\DSOExploit.zip=>sbRecovery.ini: password protected
C:\WINDOWS\Application Data\Spybot - Search & Destroy\Recovery\eGroup.zip=>sbRecovery.reg: password protected
C:\WINDOWS\Application Data\Spybot - Search & Destroy\Recovery\eGroup.zip=>sbRecovery.ini: password protected
C:\WINDOWS\Application Data\Spybot - Search & Destroy\Recovery\EngageInc1.zip=>alan stuart@engage[2].txt: password protected
C:\WINDOWS\Application Data\Spybot - Search & Destroy\Recovery\EngageInc1.zip=>sbRecovery.ini: password protected
C:\WINDOWS\Application Data\Spybot - Search & Destroy\Recovery\EngageInc2.zip=>anyuser@engage[1].txt: password protected
C:\WINDOWS\Application Data\Spybot - Search & Destroy\Recovery\EngageInc2.zip=>sbRecovery.ini: password protected
C:\RECYCLED\DC14.$$$: infected with Trojan.Downloader.Agent.Z
C:\RECYCLED\DC14.$$$: disinfection failed
C:\spmario\gate.exe: infected with Trojan.StartPage.OZ
C:\spmario\gate.exe: disinfection failed

It actually was more than this but it wouldn't fit in the message. So it doesn't look like anything is fixed. I'm not sure I know what you mean about using regedit in the second post and I can't run Getright.
Cheers
#14
Did you use the Housecall link in my signature?? I just tried it and it worked.... Try that again, but it would probably also be a good idea to download and run the trial version of TDS3 or TrojanHunter since they specialize in trojans....
TDS3: http://tds.diamondcs.com.au/index.php?page=download TrojanHunter: http://www.trojanhunter.com/ I believe you have to manually update both of them... Don't worry about the listings with Spybot in them, that is just where they are cached until you clear the Spybot cache... You won't be able to run GetServices until something changes and nothing has yet... I will post the Regedit if needed later...
__________________
Budfred
#15
I am a bit embarrassed. I seem to have fixed my problem by running the AVG antivirus I have loaded on my computer. When I first did this I hadn't updated it and it didn't pick up the Trojans. But after updating it, it did and got rid of them. I hope this is sorted now. Thanks for your help. I wasn't really aware there was so much of this crap going on but it strikes me that there is big business for the anti spyware programmers. Do these people invent the very spyware that they fix? I did notice that the pop ups that came up with my about blank "home page" were for Adaware!
I did get the Housecall online scan to open from your signature today Budfred.
#16
Ad-Aware (Lavasoft) doesn't do popups... If you saw them with that name, they probably led to a rogue program like NoAdware... The rogues often use spoofs of the legit programs names to get you to download their trash... And no, the people that write the legitimate anti-spyware programs are not the same as the people writing the spyware... The people that write the rogue programs may write some of it however, one jerk even bragged that he might do that when his ripoff program was challenged... Go here to learn more about rogues:
http://www.spywarewarrior.com/rogue_anti-spyware.htm As for AVG fixing the problem... unless it has had a major update, it is unlikely that it has dealt with this problem... Trendmicro was working on a fix, but I haven't heard of AVG having one... It would be a good idea to post a fresh HJT log anyway since there was some other malware there that needed attention, but it would also be good to check for any remaining signs of the main problem....
__________________
Budfred
#17
You should be checking AVG, Spybot, and Ad-Aware no more than about every three days for updates, and running them no less often than that. If you are doing a lot of game, gambling, and other such sites, run them before shutdown. Consider downloading, installing and updating SpywareBlaster and MRU Blaster. Some of us also like a-squared and Script Sentry. Try also http://www.grc.com/freepopular.htm ; I use DCOMbobulator, LeakTest, and UnPlug n' Pray. There are also good browser tests at Jason's Tool Box.
__________________
Best//Donn Actor Kevin Kline was asked once (Actor's Studio) how he can play his comedy roles with such repeated and consistent passion. His response: "I don't know, I just can't imagine not being happy."
#18
Yes Budfred, I think you are right, I haven't got rid of the lot yet. There is one virus that AVG listed that it couldn't get rid of. It comes up with the message on boot up. I'll post the HijackThis log to see if you can pinpoint the problems. I'll have a go with TrojanHunter also. I'm obviously not vigilant enough in keeping the crap out of my computer.
Here's the HijackThis log anyway:

Logfile of HijackThis v1.97.7
Scan saved at 21:38:44, on 13/11/04
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\PROGRAM FILES\TREND PC-CILLIN 98\IOMON98.EXE
C:\PROGRAM FILES\GRISOFT\AVG6\AVGSERV9.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\TREND PC-CILLIN 98\WEBTRAP.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\GRISOFT\AVG6\AVGCC32.EXE
C:\PROGRAM FILES\MEDIASCAPE\TOUCH MANAGER\MEDIACTR.EXE
C:\WINDOWS\RunDLL.exe
C:\PROGRAM FILES\MESSENGER\MSMSGS.EXE
C:\PROGRAM FILES\MEDIASCAPE\TOUCH MANAGER\TOUCHMGR.EXE
C:\PROGRA~1\MEDIAS~1\ONSCRE~1\OSD.EXE
C:\PROGRAM FILES\OUTLOOK EXPRESS\MSIMN.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\tubps.dll/sp.html#29126
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\tubps.dll/sp.html#29126
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.realenz.co.nz/misc/menumapOK.cfm?district=17
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\tubps.dll/sp.html#29126
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\tubps.dll/sp.html#29126
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\tubps.dll/sp.html#29126
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\tubps.dll/sp.html#29126
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\tubps.dll/sp.html#29126
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {A9DBFCDF-AFF2-11A7-49FB-BA932BD2618D} - C:\WINDOWS\SYSUS.DLL (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRAM FILES\GRISOFT\AVG6\avgcc32.exe /startup
O4 - HKLM\..\Run: [KBD MediaCenter] C:\Program Files\Mediascape\Touch Manager\MediaCtr.exe
O4 - HKLM\..\Run: [IOMON98.EXE] "C:\Program Files\Trend PC-cillin 98\IOMON98.EXE"
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [IOMON98.EXE] "C:\Program Files\Trend PC-cillin 98\IOMON98.EXE"
O4 - HKLM\..\RunServices: [Avgserv9.exe] C:\PROGRA~1\GRISOFT\AVG6\Avgserv9.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] C:\WINDOWS\SYSTEM\mstask.exe
O4 - HKLM\..\RunServices: [APPHA.EXE] C:\WINDOWS\SYSTEM\APPHA.EXE
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - HKCU\..\Run: [MSMSGS] C:\Program Files\Messenger\msmsgs.exe /background
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: EPSON Background Monitor.lnk = C:\ESM2\Stms.exe
O8 - Extra context menu item: &Copy Location - C:\WINDOWS\WEB\graburl.htm
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Offline (HKLM)
O9 - Extra 'Tools' menuitem: Add to Tr&usted Zone (HKLM)
O9 - Extra 'Tools' menuitem: Add to R&estricted Zone (HKLM)
O9 - Extra button: Wallpaper (HKLM)
O9 - Extra 'Tools' menuitem: &Toolbar Wallpaper (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: MSN Messenger Service (HKLM)
O9 - Extra button: Real.com (HKLM)
O12 - Plugin for .scr: C:\PROGRA~1\INTERN~1\PLUGINS\NPCHIME.DLL
O12 - Plugin for .mov: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O15 - Trusted Zone: *.05p.com
O15 - Trusted Zone: *.searchmiracle.com
O15 - Trusted Zone: *.clickspring.net
O15 - Trusted Zone: *.blazefind.com
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted Zone: *.flingstone.com
O15 - Trusted Zone: *.slotch.com
O15 - Trusted Zone: *.my-internet.info
O15 - Trusted Zone: *.scoobidoo.com
O15 - Trusted Zone: *.searchbarcash.com
O16 - DPF: {02466323-75ED-11CF-A267-0020AF2546EA} (VivoActive Control) - http://player.vivo.com/ie/vvweb.cab
O16 - DPF: BBSetup - http://www.bonzi.com/freebuddy/bbsetup.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/...sh/swflash.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.co...890.6237615741
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Macromedia Shockwave Director Control) - http://download.macromedia.com/pub/s...irector/sw.cab
O16 - DPF: v2cab - http://searchmiracle.com/cab/v2cab.cab
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_fi...9296baab e1d6
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/v...fo/webscan.cab
O16 - DPF: ppctlcab - http://www3.ca.com/securityadvisor/pest/ppctlcab.CAB
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab

Cheers
#19
There is a new tool now that can simplify identifying the bad service, so let's try that instead... Follow the instructions for GetService, but use this instead... Be sure to not reboot or log off until I can get the complete fix back to you...
http://home.comcast.net/~rand1038/vb...viceFilter.zip
__________________
Budfred
#20
Budfred, that service filter didn't work either; it doesn't work for Windows 98. AVG comes up with the Trojan being WINDOWS\SYSTEM\APPHA\EXE
#21
Doh!! I missed that you have Win98... I apologize... that explains why neither program works.... The good news is that this will be easier to fix because of that...
Download this: http://www.malwarebytes.biz/AboutBuster.zip Download this too, although you may not need it: http://www.bleepingcomputer.com/files/shell98.php Use the link in my signature to download the latest version of HJT (yours is very much outdated) and CWShredder... Boot to Safe Mode... Run About Buster at least twice, run CWShredder a couple of times, run Ad-Aware SE (assuming you updated it earlier)... and then boot to Normal mode, run the updated HJT and post the fresh log...
__________________
Budfred ..... Caveat Emptor.... Helpful links SpywareBlaster... HijackThis... ATF Cleaner... Post a complaint about malware here!! So how did I get infected in the first place?? MS MVP 2006 and ASAP member since 2004... If you PM me for help, expect an irritated response... Post in the forum...

#22
I have tried to follow your instructions but I goofed. I forgot to do the AboutBuster in Safe Mode. It did pick up stuff though. I can't run CoolWebSearch as discussed earlier - I tried to get the required .dll file but I don't know how to save to Windows\system as is required. Sorry that I'm so inept.
I did download the updated HijackThis and will post the log now before going to bed. It's not late here (9pm) but I'm very tired. Oh, I don't have Ad-Aware SE. I have been downloading all these fixes and things, there's so bloody many.

Logfile of HijackThis v1.98.2
Scan saved at 20:57:22, on 14/11/04
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\PROGRAM FILES\TREND PC-CILLIN 98\IOMON98.EXE
C:\PROGRAM FILES\GRISOFT\AVG6\AVGSERV9.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\TREND PC-CILLIN 98\WEBTRAP.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\GRISOFT\AVG6\AVGCC32.EXE
C:\PROGRAM FILES\MEDIASCAPE\TOUCH MANAGER\MEDIACTR.EXE
C:\WINDOWS\RunDLL.exe
C:\PROGRAM FILES\MESSENGER\MSMSGS.EXE
C:\PROGRAM FILES\MEDIASCAPE\TOUCH MANAGER\TOUCHMGR.EXE
C:\PROGRA~1\MEDIAS~1\ONSCRE~1\OSD.EXE
C:\PROGRAM FILES\OUTLOOK EXPRESS\MSIMN.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\UNZIPPED\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\tubps.dll/sp.html#29126
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\tubps.dll/sp.html#29126
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\tubps.dll/sp.html#29126
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\tubps.dll/sp.html#29126
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - Default URLSearchHook is missing
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: Class - {A9DBFCDF-AFF2-11A7-49FB-BA932BD2618D} - C:\WINDOWS\SYSUS.DLL (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRAM FILES\GRISOFT\AVG6\avgcc32.exe /startup
O4 - HKLM\..\Run: [KBD MediaCenter] C:\Program Files\Mediascape\Touch Manager\MediaCtr.exe
O4 - HKLM\..\Run: [IOMON98.EXE] "C:\Program Files\Trend PC-cillin 98\IOMON98.EXE"
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [IOMON98.EXE] "C:\Program Files\Trend PC-cillin 98\IOMON98.EXE"
O4 - HKLM\..\RunServices: [Avgserv9.exe] C:\PROGRA~1\GRISOFT\AVG6\Avgserv9.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] C:\WINDOWS\SYSTEM\mstask.exe
O4 - HKLM\..\RunServices: [APPHA.EXE] C:\WINDOWS\SYSTEM\APPHA.EXE
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - HKCU\..\Run: [MSMSGS] C:\Program Files\Messenger\msmsgs.exe /background
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: EPSON Background Monitor.lnk = C:\ESM2\Stms.exe
O8 - Extra context menu item: &Copy Location - C:\WINDOWS\WEB\graburl.htm
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Offline - {FC09D8A3-C85A-11d2-92D0-0000F87A4A55} - C:\WINDOWS\SYSTEM\OLINE.DLL
O9 - Extra button: (no name) - {BF80219A-CCDD-11d2-92D3-0000F87A4A55} - C:\WINDOWS\SYSTEM\WEBZONE.DLL
O9 - Extra 'Tools' menuitem: Add to Tr&usted Zone - {BF80219A-CCDD-11d2-92D3-0000F87A4A55} - C:\WINDOWS\SYSTEM\WEBZONE.DLL
O9 - Extra button: (no name) - {B06300D0-CCDE-11d2-92D3-0000F87A4A55} - C:\WINDOWS\SYSTEM\WEBZONE.DLL
O9 - Extra 'Tools' menuitem: Add to R&estricted Zone - {B06300D0-CCDE-11d2-92D3-0000F87A4A55} - C:\WINDOWS\SYSTEM\WEBZONE.DLL
O9 - Extra button: Wallpaper - {c23dd370-cb79-11d2-898a-00c04f80a47f} - C:\PROGRA~1\INTERN~1\Toolbar\toolbar.hta
O9 - Extra 'Tools' menuitem: &Toolbar Wallpaper - {c23dd370-cb79-11d2-898a-00c04f80a47f} - C:\PROGRA~1\INTERN~1\Toolbar\toolbar.hta
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O12 - Plugin for .scr: C:\PROGRA~1\INTERN~1\PLUGINS\NPCHIME.DLL
O12 - Plugin for .mov: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O15 - Trusted Zone: *.05p.com
O15 - Trusted Zone: *.searchmiracle.com
O15 - Trusted Zone: *.clickspring.net
O15 - Trusted Zone: *.blazefind.com
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted Zone: *.flingstone.com
O15 - Trusted Zone: *.slotch.com
O15 - Trusted Zone: *.my-internet.info
O15 - Trusted Zone: *.scoobidoo.com
O15 - Trusted Zone: *.searchbarcash.com
O16 - DPF: {02466323-75ED-11CF-A267-0020AF2546EA} (VivoActive Control) - http://player.vivo.com/ie/vvweb.cab
O16 - DPF: BBSetup - http://www.bonzi.com/freebuddy/bbsetup.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/...sh/swflash.cab
O16 - DPF: v2cab - http://searchmiracle.com/cab/v2cab.cab
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_fi...9296baab e1d6
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/v...fo/webscan.cab
O16 - DPF: ppctlcab - http://www3.ca.com/securityadvisor/pest/ppctlcab.CAB
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
O18 - Protocol: icoo - {4A8DADD4-5A25-4D41-8599-CB7458766220} - C:\WINDOWS\MSOPT.DLL (file missing)

#23
Have you tried downloading and running CWShredder since you started the cleanup... if not, do so... Also, do the same with the other scans... The more we clean up, the more the various programs should work...
Please open HJT and check these items:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\tubps.dll/sp.html#29126
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\tubps.dll/sp.html#29126
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\tubps.dll/sp.html#29126
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\tubps.dll/sp.html#29126
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - Default URLSearchHook is missing
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O2 - BHO: Class - {A9DBFCDF-AFF2-11A7-49FB-BA932BD2618D} - C:\WINDOWS\SYSUS.DLL (file missing)
O4 - HKLM\..\RunServices: [APPHA.EXE] C:\WINDOWS\SYSTEM\APPHA.EXE
O15 - Trusted Zone: *.05p.com
O15 - Trusted Zone: *.searchmiracle.com
O15 - Trusted Zone: *.clickspring.net
O15 - Trusted Zone: *.blazefind.com
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted Zone: *.flingstone.com
O15 - Trusted Zone: *.slotch.com
O15 - Trusted Zone: *.my-internet.info
O15 - Trusted Zone: *.scoobidoo.com
O15 - Trusted Zone: *.searchbarcash.com
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_f...8a29296baabe1d6
O18 - Protocol: icoo - {4A8DADD4-5A25-4D41-8599-CB7458766220} - C:\WINDOWS\MSOPT.DLL (file missing)

I couldn't confirm if these are good or bad... if you don't recognize them, check them too:

O8 - Extra context menu item: &Copy Location - C:\WINDOWS\WEB\graburl.htm
O9 - Extra button: Offline - {FC09D8A3-C85A-11d2-92D0-0000F87A4A55} - C:\WINDOWS\SYSTEM\OLINE.DLL
O9 - Extra button: (no name) - {BF80219A-CCDD-11d2-92D3-0000F87A4A55} - C:\WINDOWS\SYSTEM\WEBZONE.DLL
O9 - Extra 'Tools' menuitem: Add to Tr&usted Zone - {BF80219A-CCDD-11d2-92D3-0000F87A4A55} - C:\WINDOWS\SYSTEM\WEBZONE.DLL
O9 - Extra button: (no name) - {B06300D0-CCDE-11d2-92D3-0000F87A4A55} - C:\WINDOWS\SYSTEM\WEBZONE.DLL
O9 - Extra 'Tools' menuitem: Add to R&estricted Zone - {B06300D0-CCDE-11d2-92D3-0000F87A4A55} - C:\WINDOWS\SYSTEM\WEBZONE.DLL
O9 - Extra button: Wallpaper - {c23dd370-cb79-11d2-898a-00c04f80a47f} - C:\PROGRA~1\INTERN~1\Toolbar\toolbar.hta
O9 - Extra 'Tools' menuitem: &Toolbar Wallpaper - {c23dd370-cb79-11d2-898a-00c04f80a47f} - C:\PROGRA~1\INTERN~1\Toolbar\toolbar.hta

Now close all open windows except HJT and click on Fix Checked... Reboot and post a fresh log... We may need to do more digging to get out the hidden DLL, but I am hoping the scans will take care of it, especially Trendmicro and/or CWShredder 2.0....
__________________
Budfred ..... Caveat Emptor.... Helpful links SpywareBlaster... HijackThis... ATF Cleaner... Post a complaint about malware here!! So how did I get infected in the first place?? MS MVP 2006 and ASAP member since 2004... If you PM me for help, expect an irritated response... Post in the forum...

#24
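As an added example (not code from this thread, from HijackThis or from Budfred), the script below applies the same kind of checks Budfred applied by hand in the post above to a log in the HJT v1.98 line format: search settings redirected into a local DLL via res://, a removed URLSearchHook, hosts-file redirects, BHO/protocol handlers whose file is missing, autostart entries launching a file the AV scan named, every wildcard Trusted Zone entry, and ActiveX downloads (O16) served from a domain the same log lists as Trusted. The sample log is constructed from entries that appear in this thread, and AV_DETECTIONS holds the one file AVG reported earlier in the thread; both are assumptions for the demo rather than anything HJT produces itself.

```python
import re
from urllib.parse import urlparse

# Constructed sample: entries copied from the HijackThis v1.98 logs in this thread,
# one per line as HJT writes them. Header and process lines are mixed in on purpose
# so the parser has to skip them.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.98.2
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\tubps.dll/sp.html#29126
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - Default URLSearchHook is missing
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: Class - {A9DBFCDF-AFF2-11A7-49FB-BA932BD2618D} - C:\WINDOWS\SYSUS.DLL (file missing)
O4 - HKLM\..\RunServices: [SchedulingAgent] C:\WINDOWS\SYSTEM\mstask.exe
O4 - HKLM\..\RunServices: [APPHA.EXE] C:\WINDOWS\SYSTEM\APPHA.EXE
O15 - Trusted Zone: *.searchmiracle.com
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/...sh/swflash.cab
O16 - DPF: v2cab - http://searchmiracle.com/cab/v2cab.cab
O18 - Protocol: icoo - {4A8DADD4-5A25-4D41-8599-CB7458766220} - C:\WINDOWS\MSOPT.DLL (file missing)
"""

# File names an antivirus scan reported as malicious (assumption: AVG named APPHA.EXE in the thread).
AV_DETECTIONS = {"APPHA.EXE"}

ENTRY_RE = re.compile(r"^(R[0-3]|O\d{1,2}) - (.*)$")


def parse_entries(log_text):
    """Return (section, body) pairs for HJT entry lines; header and process lines are skipped."""
    entries = []
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            entries.append((m.group(1), m.group(2).strip()))
    return entries


def trusted_zone_domains(entries):
    """Domains the O15 entries placed in IE's Trusted Zone, with the leading '*.' removed."""
    domains = set()
    for section, body in entries:
        if section == "O15" and body.startswith("Trusted Zone:"):
            domains.add(body.split(":", 1)[1].strip().lstrip("*.").lower())
    return domains


def url_in_domains(url, domains):
    """True when the URL's host is one of the domains or a subdomain of one."""
    host = (urlparse(url).hostname or "").lower()
    return any(host == d or host.endswith("." + d) for d in domains)


def command_basenames(command):
    """Upper-cased file names mentioned in an O4 command line (quotes and arguments tolerated)."""
    return {tok.strip('"').rsplit("\\", 1)[-1].upper() for tok in command.split()}


def audit_hjt_log(log_text):
    """Apply the hand checks a log reader uses; returns a list of {section, entry, reason} dicts."""
    entries = parse_entries(log_text)
    trusted = trusted_zone_domains(entries)  # first pass: O15 feeds the O16 check
    findings = []

    def flag(section, body, reason):
        findings.append({"section": section, "entry": f"{section} - {body}", "reason": reason})

    for section, body in entries:
        if section in ("R0", "R1"):
            value = body.split("=", 1)[1].strip() if "=" in body else ""
            if value.lower().startswith("res://"):
                flag(section, body, "IE search/start setting points at a resource inside a local DLL")
        elif section == "R3" and "missing" in body.lower():
            flag(section, body, "default URLSearchHook has been removed")
        elif section == "O1" and body.startswith("Hosts:"):
            fields = body.split(":", 1)[1].split()
            if fields and fields[0] != "127.0.0.1":
                flag(section, body, "hosts file redirects a name to a non-local address")
        elif section in ("O2", "O18") and "(file missing)" in body:
            flag(section, body, "BHO/protocol handler registered for a file that no longer exists")
        elif section == "O4" and "]" in body:
            hits = command_basenames(body.split("]", 1)[1]) & AV_DETECTIONS
            if hits:
                flag(section, body, "autostart entry launches a file the AV scan flagged: " + ", ".join(sorted(hits)))
        elif section == "O15":
            flag(section, body, "site added to the Trusted Zone, which relaxes IE security for it")
        elif section == "O16":
            url = body.rsplit(" - ", 1)[-1]
            if url_in_domains(url, trusted):
                flag(section, body, "ActiveX download served from a domain the log also lists as Trusted")
    return findings


def findings_by_section(findings):
    """Count findings per HJT section, e.g. {'O15': 10, 'O16': 1}."""
    counts = {}
    for f in findings:
        counts[f["section"]] = counts.get(f["section"], 0) + 1
    return counts


if __name__ == "__main__":
    for f in audit_hjt_log(SAMPLE_LOG):
        print(f"[{f['section']}] {f['reason']}\n    {f['entry']}")
```

Run against the sample it flags eight entries and leaves the Acrobat BHO, the scheduler service and the Flash control alone. The O15/O16 cross-reference is the part worth keeping: a wildcard Trusted Zone entry on its own is only a lowered security setting, but a CAB being pulled from that same domain is how the lowered setting gets used, so the two lines together are a stronger signal than either alone.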
Logfile of HijackThis v1.98.2
Scan saved at 20:55:40, on 15/11/04
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\PROGRAM FILES\TREND PC-CILLIN 98\IOMON98.EXE
C:\PROGRAM FILES\GRISOFT\AVG6\AVGSERV9.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\TREND PC-CILLIN 98\WEBTRAP.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\GRISOFT\AVG6\AVGCC32.EXE
C:\PROGRAM FILES\MEDIASCAPE\TOUCH MANAGER\MEDIACTR.EXE
C:\WINDOWS\RunDLL.exe
C:\PROGRAM FILES\MESSENGER\MSMSGS.EXE
C:\PROGRAM FILES\MEDIASCAPE\TOUCH MANAGER\TOUCHMGR.EXE
C:\PROGRA~1\MEDIAS~1\ONSCRE~1\OSD.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\UNZIPPED\HIJACKTHIS\HIJACKTHIS.EXE

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRAM FILES\GRISOFT\AVG6\avgcc32.exe /startup
O4 - HKLM\..\Run: [KBD MediaCenter] C:\Program Files\Mediascape\Touch Manager\MediaCtr.exe
O4 - HKLM\..\Run: [IOMON98.EXE] "C:\Program Files\Trend PC-cillin 98\IOMON98.EXE"
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [IOMON98.EXE] "C:\Program Files\Trend PC-cillin 98\IOMON98.EXE"
O4 - HKLM\..\RunServices: [Avgserv9.exe] C:\PROGRA~1\GRISOFT\AVG6\Avgserv9.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] C:\WINDOWS\SYSTEM\mstask.exe
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - HKCU\..\Run: [MSMSGS] C:\Program Files\Messenger\msmsgs.exe /background
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: EPSON Background Monitor.lnk = C:\ESM2\Stms.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O12 - Plugin for .scr: C:\PROGRA~1\INTERN~1\PLUGINS\NPCHIME.DLL
O12 - Plugin for .mov: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: BBSetup - http://www.bonzi.com/freebuddy/bbsetup.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/...sh/swflash.cab
O16 - DPF: v2cab - http://searchmiracle.com/cab/v2cab.cab
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_fi...9296baab e1d6
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/v...fo/webscan.cab
O16 - DPF: ppctlcab - http://www3.ca.com/securityadvisor/pest/ppctlcab.CAB
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
O18 - Protocol: icoo - {4A8DADD4-5A25-4D41-8599-CB7458766220} - C:\WINDOWS\MSOPT.DLL (file missing)

I followed those instructions and above is the new scan. I still can't get the CoolWeb update to install so I can use it.

#25
Did you try to fix these items??
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_f...8a29296baabe1d6
O18 - Protocol: icoo - {4A8DADD4-5A25-4D41-8599-CB7458766220} - C:\WINDOWS\MSOPT.DLL (file missing)

If not, please do so.... Where are you trying to download CWShredder?? The new version is not available in all the same sites as the old one and it is now distributed by InterMute which will try to sell you other products... Also, Cool Web is the problem, not the fix... CWShredder is the fix... Download it from here: http://www.intermute.com/spysubtract..._download.html
__________________
Budfred ..... Caveat Emptor.... Helpful links SpywareBlaster... HijackThis... ATF Cleaner... Post a complaint about malware here!! So how did I get infected in the first place?? MS MVP 2006 and ASAP member since 2004... If you PM me for help, expect an irritated response... Post in the forum...