The PC Guide Discussion Forums  
#1 - 10-01-2006, 11:57 AM - jkr48625 (Aspirant Master Geek; Join Date: Feb 2003; Posts: 153)
hijack log

Hello, this is my log.

Logfile of HijackThis v1.99.1
Scan saved at 10:11:22 PM, on 10/1/06
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\KERNELS8.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\STONEDRV.EXE
C:\WINDOWS\SYSTEM\DLH9JKDQ2.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\SYSTEM\VXGAMET2.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\ADIRSS.EXE
C:\WINDOWS\SYSTEM\KERNELS8.EXE
C:\WINDOWS\SYSTEM\TASKDIR.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.presario.net/scripts/r...s=search&i=enu
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.presario.net/scripts/r...s=search&i=enu
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.presario.net/scripts/r...s=search&i=enu
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O2 - BHO: (no name) - {21E2E1E7-0289-C215-9740-01CD9D787FF5} - C:\WINDOWS\SYSTEM\OUVZALF.DLL
O2 - BHO: (no name) - {3E25C58D-4DC1-C1F7-EF81-08CD48A263DC} - C:\WINDOWS\SYSTEM\KEMDBIL.DLL
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [BootLocker] C:\Program Files\BootLocker\BootLockerStartup.exe
O4 - HKLM\..\Run: [stonedrv] c:\windows\system\stonedrv.exe
O4 - HKLM\..\Run: [adir] C:\WINDOWS\SYSTEM\adirss.exe
O4 - HKLM\..\Run: [System] C:\WINDOWS\SYSTEM\kernels8.exe
O4 - HKLM\..\Run: [uaepuun.dll] C:\WINDOWS\rundll32.exe C:\WINDOWS\SYSTEM\uaepuun.dll,hdoxved
O4 - HKLM\..\RunServices: [SystemTools] C:\WINDOWS\SYSTEM\kernels8.exe
O4 - HKLM\..\RunServices: [stonedrv] c:\windows\system\stonedrv.exe
O4 - HKLM\..\RunOnce: [BootLocker] C:\PROGRAM FILES\BOOTLOCKER\winlock.exe /L /S
O4 - HKCU\..\Run: [stonedrv] c:\windows\system\stonedrv.exe
O4 - HKCU\..\Run: [Windows update loader] C:\Windows\xpupdate.exe
O4 - HKCU\..\Run: [shell] "C:\WINDOWS\SYSTEM\ibm00007.exe"
O4 - HKCU\..\Run: [taskdir] C:\WINDOWS\SYSTEM\taskdir.exe
O4 - Startup: BootLocker Tray.lnk = C:\Program Files\BootLocker\BLTray.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O10 - Unknown file in Winsock LSP: c:\progra~1\stream~1\msniffer.dll
O10 - Unknown file in Winsock LSP: c:\progra~1\stream~1\msniffer.dll
O10 - Unknown file in Winsock LSP: c:\progra~1\stream~1\msniffer.dll
O10 - Unknown file in Winsock LSP: c:\progra~1\stream~1\msniffer.dll
O10 - Unknown file in Winsock LSP: c:\progra~1\stream~1\msniffer.dll
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O21 - SSODL: JaKuXmCXD - {17071A81-BDAD-B02B-429E-BFD255199012} - C:\WINDOWS\SYSTEM\LTGK.DLL

I didn't enable all in msconfig's startup just in case it hangs, but should I remove this as well?
lcholwk.dll c:\windows\rundll32.exe C:\windows\system\lcholwk.dll,wvxnrlg (all in a single line)

I tried running Spybot on Windows startup but it hung. I tried to run SpywareBlaster & Lavasoft Ad-Aware but couldn't.
#2 - 10-01-2006, 12:59 PM - classicsoftware (Moderator; Exalted Grand Master Geek; Join Date: Jul 2001; Location: Wyncote, PA, USA; Posts: 8,891)
You have posted here before. Is this the same PC you asked for help about? Did you follow all of the instructions then?

You never finished this thread.

WE WILL HELP YOU, BUT YOU HAVE TO AGREE TO FINISH WHAT YOU START


Your PC is massively infected including a rootkit. You need to clean it or reformat it.

Now, what do you want to do? If you want us to help you clean it up, please enable everything in MS-Config, run HJT again and post a fresh log.
__________________
From all this we may learn that there are two races of men in this world but only these two. The race of the decent man and the race of the indecent man. Both are found everywhere, they penetrate into all groups of society. No group consists entirely of decent or indecent people. In this sense no group is of pure race.
Victor Frankl
#3 - 10-01-2006, 01:01 PM - Budfred (Moderator; Amateur Master Geek; Join Date: Jul 2002; Location: Minn; Posts: 17,851)
It would have helped if you had said what the problem is, but since there is so much crap on this system, we can start with a fix and you can say what is happening next time... Please open a HJT scan and put checks by:

O2 - BHO: (no name) - {21E2E1E7-0289-C215-9740-01CD9D787FF5} - C:\WINDOWS\SYSTEM\OUVZALF.DLL
O2 - BHO: (no name) - {3E25C58D-4DC1-C1F7-EF81-08CD48A263DC} - C:\WINDOWS\SYSTEM\KEMDBIL.DLL
O4 - HKLM\..\Run: [stonedrv] c:\windows\system\stonedrv.exe
O4 - HKLM\..\Run: [adir] C:\WINDOWS\SYSTEM\adirss.exe
O4 - HKLM\..\Run: [System] C:\WINDOWS\SYSTEM\kernels8.exe
O4 - HKLM\..\Run: [uaepuun.dll] C:\WINDOWS\rundll32.exe C:\WINDOWS\SYSTEM\uaepuun.dll,hdoxved
O4 - HKLM\..\RunServices: [SystemTools] C:\WINDOWS\SYSTEM\kernels8.exe
O4 - HKLM\..\RunServices: [stonedrv] c:\windows\system\stonedrv.exe
O4 - HKCU\..\Run: [stonedrv] c:\windows\system\stonedrv.exe
O4 - HKCU\..\Run: [Windows update loader] C:\Windows\xpupdate.exe
O4 - HKCU\..\Run: [shell] "C:\WINDOWS\SYSTEM\ibm00007.exe"
O4 - HKCU\..\Run: [taskdir] C:\WINDOWS\SYSTEM\taskdir.exe
O21 - SSODL: JaKuXmCXD - {17071A81-BDAD-B02B-429E-BFD255199012} - C:\WINDOWS\SYSTEM\LTGK.DLL

If you didn't use Spybot to set this, put a check by it too:

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

Close all open windows except HJT and press Fix checked...

Find and delete:

c:\windows\system\stonedrv.exe
C:\WINDOWS\SYSTEM\adirss.exe
C:\WINDOWS\SYSTEM\kernels8.exe
C:\WINDOWS\SYSTEM\uaepuun.dll
C:\Windows\xpupdate.exe
C:\WINDOWS\SYSTEM\ibm00007.exe
C:\WINDOWS\SYSTEM\taskdir.exe
C:\WINDOWS\SYSTEM\LTGK.DLL

I forget if these tools will run on Win98, if they do, please run them...

* Download Dr.Web CureIt to the desktop:
ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe
  • Double-click the drweb-cureit.exe file and allow it to run the express scan
  • This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
  • Once the short scan has finished, mark the drives that you want to scan.
  • Select all drives. A red dot shows which drives have been chosen.
  • Click the green arrow at the right, and the scan will start.
  • Click 'Yes to all' if it asks if you want to cure/move the file.
  • When the scan has finished, check whether you can click the next icon next to the files found:
  • If so, click it and then click the next icon right below and select Move incurable as you'll see in the next image:

    This will move it to the %userprofile%\DoctorWeb\quarantaine-folder if it can't be cured (this is in case we need samples).
  • After selecting, in the Dr.Web CureIt menu on top, click file and choose save report list
  • Save the report to your desktop. The report will be called DrWeb.csv
  • Close Dr.Web Cureit.
  • Reboot your computer!! Because it could be possible that files in use will be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web you saved previously in your next reply.

and...

Please download, install, and update Ewido anti-spyware
  1. Load Ewido and then click the Update tab at the top. Under Manual Update click Start update.
  2. After the update finishes (the status bar at the bottom will display "Update successful")
  3. Close ewido. Do not run it yet.

Please reboot your computer into Safe Mode. To boot into Safe Mode, please restart your computer. Tap F8 before Windows loads. Select Safe Mode on the screen that appears.
  • In Safe Mode, load Ewido and click on the Scanner tab at the top. Click the "Settings" tab and then change the recommended action to Quarantine and click Automatically generate report after every scan. Click back to the "Scan" tab and then click on Complete System Scan. This scan can take quite a while to run, so be prepared.
  • Ewido will list any infections found on the left hand side. When the scan has finished, it will automatically set the recommended action. Click the Apply all actions button. Ewido will display "All actions have been applied" on the right hand side.
  • Click on "Save Report", then "Save Report As". This will create a text file. Make sure you know where to find this file again (like on the Desktop).
  • Restart back into Normal Mode.

Please perform another scan with Hijack This, and then post back with a copy of the Ewido log and the new HijackThis log. Also post the DrWebCureIt log if you were able to run it...
__________________
Budfred ..... Caveat Emptor....

Helpful links SpywareBlaster... HijackThis... ATF Cleaner...

Post a complaint about malware here!!
So how did I get infected in the first place??

MS MVP 2006 and ASAP member since 2004...

If you PM me for help, expect an irritated response... Post in the forum...

Last edited by Budfred : 10-01-2006 at 01:02 PM. Reason: Oops... classicsoftware responded first... Respond as he asks...
#4 - 10-01-2006, 08:38 PM - jkr48625 (Aspirant Master Geek; Join Date: Feb 2003; Posts: 153)
classicsoftware, this is another comp.

I cannot find
C:\WINDOWS\SYSTEM\ibm00007.exe
I cannot delete
C:\WINDOWS\SYSTEM\LTGK.DLL - the specific file is used by Windows


DRWEB LOG

DC0.EXE;C:\RECYCLED;Trojan.DownLoader.10891;Incurable.Moved.;
DC1.EXE;C:\RECYCLED;Trojan.DownLoader.10891;Incurable.Moved.;
DC5.EXE;C:\RECYCLED;Trojan.DownLoader.10891;Incurable.Moved.;
dlh9jkdq6.exe;C:\WINDOWS\SYSTEM;Trojan.DownLoader.based;Incurable.Moved.;
dlh9jkdq7.exe;C:\WINDOWS\SYSTEM;Trojan.DownLoader.based;Incurable.Moved.;
vxgamet2.exe;C:\WINDOWS\SYSTEM;Trojan.DownLoader.based;Incurable.Moved.;
6.dlb;C:\WINDOWS\TEMP;Trojan.DownLoader.based;Incurable.Moved.;
7.dlb;C:\WINDOWS\TEMP;Trojan.DownLoader.based;Incurable.Moved.;
vxt2.game;C:\WINDOWS\TEMP;Trojan.DownLoader.based;Incurable.Moved.;
vx2.game;C:\WINDOWS\TEMP;Trojan.DownLoader.based;Incurable.Moved.;
mirc.exe;C:\WINDOWS\Desktop\mIRC-sysreset;Program.mIRC.616;Incurable.Moved.;
HDPlugin1015.dll;C:\WINDOWS\Downloaded Program Files\CONFLICT.5;Adware.Gator;Incurable.Moved.;
ibm00009.dll;C:\WINDOWS\SYSTEM;Probably DLOADER.PWS.Trojan;Incurable.Will be moved after reboot.;
DC3.EXE;C:\RECYCLED;Trojan.Proxy.1052;Deleted.;
DC8.EXE;C:\RECYCLED;Trojan.EmailSpy;Deleted.;
iexplore.exe;C:\WINDOWS;Trojan.StartPage.1090;Deleted.;
dlh9jkdq5.exe;C:\WINDOWS\SYSTEM;Trojan.DownLoader.12453;Deleted.;
maxd641.exe;C:\WINDOWS\SYSTEM;Dialer.Member;Deleted.;
vxgamet1.exe;C:\WINDOWS\SYSTEM;Trojan.DownLoader.12041;Deleted.;
vxgamet3.exe;C:\WINDOWS\SYSTEM;Trojan.DownLoader.9540;Deleted.;
vxgame1.exe;C:\WINDOWS\SYSTEM;Trojan.Proxy.1154;Deleted.;
vxgame3.exe;C:\WINDOWS\SYSTEM;Trojan.DownLoader.12995;Deleted.;
vxgame4.exe;C:\WINDOWS\SYSTEM;Trojan.DownLoader.11981;Deleted.;
image.gif.exe;C:\WINDOWS\SYSTEM;Trojan.EmailSpy;Deleted.;
2236_32.dll;C:\WINDOWS\SYSTEM;Trojan.Proxy.1087;Deleted.;
adir.dll;C:\WINDOWS\SYSTEM;Trojan.PWS.Micro;Deleted.;
vxgame6.exe;C:\WINDOWS\SYSTEM;Trojan.Proxy.1052;Deleted.;
qvxgamet4.exe;C:\WINDOWS\SYSTEM;Trojan.DownLoader.13332;Deleted.;
ibm00009.exe;C:\WINDOWS\SYSTEM;Trojan.PWS.Snap;Deleted.;
5.dlb;C:\WINDOWS\TEMP;Trojan.DownLoader.12453;Deleted.;
maxdd1.game;C:\WINDOWS\TEMP;Dialer.Member;Deleted.;
vxt1.game;C:\WINDOWS\TEMP;Trojan.DownLoader.12041;Deleted.;
vxt3.game;C:\WINDOWS\TEMP;Trojan.DownLoader.9540;Deleted.;
vx1.game;C:\WINDOWS\TEMP;Trojan.Proxy.1154;Deleted.;
vx3.game;C:\WINDOWS\TEMP;Trojan.DownLoader.12995;Deleted.;
vx6.game;C:\WINDOWS\TEMP;Trojan.Proxy.1052;Deleted.;
winDF8C.TMP;C:\WINDOWS\TEMP;Trojan.Proxy.1154;Deleted.;
3fe7.$$$;C:\WINDOWS\TEMP;Trojan.PWS.Snap;Deleted.;
vx4.game;C:\WINDOWS\TEMP;Trojan.DownLoader.11981;Deleted.;
win9F53.TMP;C:\WINDOWS\TEMP;Trojan.Proxy.1154;Deleted.;
csmphnop.exe;C:\WINDOWS\TEMP;Trojan.MulDrop.3299;Deleted.;
qvxt4.game;C:\WINDOWS\TEMP;Trojan.DownLoader.13332;Deleted.;
rsysinit.exe;C:\WINDOWS\TEMP;Trojan.Reboot;Deleted.;
win2202.TMP;C:\WINDOWS\TEMP;Trojan.Proxy.1154;Deleted.;
winDB8A.TMP;C:\WINDOWS\TEMP;Trojan.Proxy.1154;Deleted.;
win5CE6.TMP;C:\WINDOWS\TEMP;Trojan.Proxy.1154;Deleted.;
winmm[1].exe;C:\WINDOWS\Temporary Internet Files\Content.IE5\SV8PWHWV;Trojan.MulDrop.3299;Deleted.;

Do I have to enable all under the "Startup" tab of msconfig before posting a HijackThis log? I will post an Ewido log later; I have to leave for work.

Oh, Ewido needs Windows 2000 & above to be installed. I'm running Win98SE.

Last edited by jkr48625 : 10-01-2006 at 08:40 PM. Reason: ewido installation problem
#5 - 10-01-2006, 08:49 PM - Budfred (Moderator; Amateur Master Geek; Join Date: Jul 2002; Location: Minn; Posts: 17,851)
If you click on the Normal Mode option and Okay in msconfig without rebooting, it will show items in the HJT log without giving them a chance to run...

Try running DrWeb again in Safe Mode and see if it picks up any more... We can use other scans after that... Also, try running this one; it may not work in Win98 either, but it's worth a try...

Download SDFix and save it to your desktop.

Please then reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, a menu with options should appear;
  • Select the first option, to run Windows in Safe Mode, then press "Enter".
  • Choose your usual account.
  • In Safe Mode, right click the SDFix.zip folder and choose Extract All,
  • Open the extracted folder and double click RunThis.bat to start the script.
  • Type Y to begin the script.
  • It will remove the Trojan Services then make some repairs to the registry and prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • Your system will take longer than normal to restart as the fixtool will be running and removing files.
  • When the desktop loads the Fixtool will complete the removal and display Finished, then press any key to end the script and load your desktop icons.
  • Finally open the SDFix folder on your desktop and copy and paste the contents of the results file Report.txt back onto the forum with a new HijackThis log
#6 - 10-02-2006, 09:18 AM - jkr48625 (Aspirant Master Geek; Join Date: Feb 2003; Posts: 153)
I couldn't run SDFix in Safe Mode, but here's the HijackThis and DrWeb log:


Logfile of HijackThis v1.99.1
Scan saved at 7:35:17 PM, on 10/2/06
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\SA3DSRV.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\CPQEADM.EXE
C:\CPQS\BWTOOLS\SCCENTER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\IGFXTRAY.EXE
C:\WINDOWS\SYSTEM\HKCMD.EXE
C:\COMPAQ\INTERNET\CISRVR.EXE
C:\PROGRAM FILES\WINAMP\WINAMPA.EXE
C:\MOUSE\SYSTEM\EM_EXEC.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\PROGRAM FILES\MICROSOFT MONEY\SYSTEM\REMINDER.EXE
C:\PROGRAM FILES\PEERGUARDIAN2\PG2.EXE
C:\PROGRAM FILES\TUNEUP UTILITIES 2006\MEMOPTIMIZER.EXE
C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\BTTNSERV.EXE
C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\EAUSBKBD.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\COMPAQ\ON-SCREEN DISPLAY\OSD.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.presario.net/scripts/r...s=search&i=enu
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.presario.net/scripts/r...s=search&i=enu
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.presario.net/scripts/r...s=search&i=enu
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [BootLocker] C:\Program Files\BootLocker\BootLockerStartup.exe
O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\Compaq\Easy Access Button Support\cpqeadm.exe
O4 - HKLM\..\Run: [EACLEAN] C:\Program Files\Compaq\Easy Access Button Support\eaclean.exe
O4 - HKLM\..\Run: [Service Connection] c:\cpqs\bwtools\sccenter.exe
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,NewDotNetStartup
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\SYSTEM\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\SYSTEM\hkcmd.exe
O4 - HKLM\..\Run: [Explorer] C:\WINDOWS\iexplore.exe
O4 - HKLM\..\Run: [Compaq Internet Setup] C:\Compaq\Internet\InetWizard.exe /RUN
O4 - HKLM\..\Run: [CISrvr Program] C:\COMPAQ\INTERNET\CISRVR.EXE
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [EM_EXEC] c:\mouse\system\em_exec.exe
O4 - HKLM\..\Run: [Aureal A3D Interactive Audio Init] A3dInit.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [System] C:\WINDOWS\SYSTEM\kernels8.exe
O4 - HKLM\..\Run: [stonedrv] c:\windows\system\stonedrv.exe
O4 - HKLM\..\Run: [lcholwk.dll] C:\WINDOWS\rundll32.exe C:\WINDOWS\SYSTEM\lcholwk.dll,wvxnrlg
O4 - HKLM\..\RunServices: [Aureal A3D Interactive Audio] sa3dsrv.exe
O4 - HKLM\..\RunServices: [NPROTECT] C:\PROGRA~1\NORTON~2\ADVTOOLS\NPROTECT.EXE
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SmcService] C:\PROGRAM FILES\SYGATE\SPF\SMC.EXE
O4 - HKLM\..\RunServices: [stonedrv] c:\windows\system\stonedrv.exe
O4 - HKCU\..\Run: [Reminder] C:\Program Files\Microsoft Money\System\reminder.exe
O4 - HKCU\..\Run: [PeerGuardian] C:\Program Files\PeerGuardian2\pg2.exe
O4 - HKCU\..\Run: [TuneUp MemOptimizer] "C:\PROGRAM FILES\TUNEUP UTILITIES 2006\MEMOPTIMIZER.EXE" autostart
O4 - HKCU\..\Run: [stonedrv] c:\windows\system\stonedrv.exe
O4 - Startup: BootLocker Tray.lnk = C:\Program Files\BootLocker\BLTray.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O10 - Unknown file in Winsock LSP: c:\progra~1\stream~1\msniffer.dll
O10 - Unknown file in Winsock LSP: c:\progra~1\stream~1\msniffer.dll
O10 - Unknown file in Winsock LSP: c:\progra~1\stream~1\msniffer.dll
O10 - Unknown file in Winsock LSP: c:\progra~1\stream~1\msniffer.dll
O10 - Unknown file in Winsock LSP: c:\progra~1\stream~1\msniffer.dll
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O21 - SSODL: JaKuXmCXD - {17071A81-BDAD-B02B-429E-BFD255199012} - C:\WINDOWS\SYSTEM\LTGK.DLL (file missing)


LTGK.DLL;C:\WINDOWS\SYSTEM;Trojan.DownLoader.6332;Deleted.;
mirc.exe;C:\WINDOWS\Desktop\mIRC-sysreset;Program.mIRC.616;;
mirc.exe;C:\WINDOWS\Desktop\mIRC-sysreset\mirc616sysreset;Program.mIRC.616;;
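As an added example, not code from the thread or from any of the tools it names, this Python script parses the two log formats quoted above (HijackThis O4 autorun lines and Dr.Web CureIt's file;folder;detection;action records) to check which of the files listed for deletion in post #3 are still registered as autoruns in the post #6 log, to flag targets registered under several autorun keys at once, and to pick out Dr.Web records that still need follow-up. The embedded log lines are excerpts copied from the posts; the function names are my own.

```python
"""Triage helpers for the two log formats quoted in this thread: HijackThis O4 autorun
lines and Dr.Web CureIt's semicolon-separated report (added example; not the tools' code)."""
import re
from collections import defaultdict

# O4 lines excerpted from the log posted after the first round of fixes (post #6).
HJT_LOG_2 = r"""
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [System] C:\WINDOWS\SYSTEM\kernels8.exe
O4 - HKLM\..\Run: [stonedrv] c:\windows\system\stonedrv.exe
O4 - HKLM\..\Run: [lcholwk.dll] C:\WINDOWS\rundll32.exe C:\WINDOWS\SYSTEM\lcholwk.dll,wvxnrlg
O4 - HKLM\..\RunServices: [stonedrv] c:\windows\system\stonedrv.exe
O4 - HKCU\..\Run: [stonedrv] c:\windows\system\stonedrv.exe
"""

# Files the helper asked to have deleted (post #3).
FIX_LIST = [
    r"c:\windows\system\stonedrv.exe", r"C:\WINDOWS\SYSTEM\adirss.exe",
    r"C:\WINDOWS\SYSTEM\kernels8.exe", r"C:\WINDOWS\SYSTEM\uaepuun.dll",
    r"C:\Windows\xpupdate.exe", r"C:\WINDOWS\SYSTEM\ibm00007.exe",
    r"C:\WINDOWS\SYSTEM\taskdir.exe", r"C:\WINDOWS\SYSTEM\LTGK.DLL",
]

# Dr.Web records excerpted from posts #4 and #6, one per line: file;folder;detection;action;
DRWEB_REPORT = r"""
dlh9jkdq6.exe;C:\WINDOWS\SYSTEM;Trojan.DownLoader.based;Incurable.Moved.;
ibm00009.dll;C:\WINDOWS\SYSTEM;Probably DLOADER.PWS.Trojan;Incurable.Will be moved after reboot.;
adir.dll;C:\WINDOWS\SYSTEM;Trojan.PWS.Micro;Deleted.;
iexplore.exe;C:\WINDOWS;Trojan.StartPage.1090;Deleted.;
LTGK.DLL;C:\WINDOWS\SYSTEM;Trojan.DownLoader.6332;Deleted.;
mirc.exe;C:\WINDOWS\Desktop\mIRC-sysreset;Program.mIRC.616;;
"""

# Registry-backed O4 lines look like:  O4 - <hive>\..\<key>: [<name>] <command line>
O4_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\(Run|RunServices|RunOnce): \[([^\]]*)\] (.*)$")

def launch_target(cmd):
    """Lower-cased path of what an O4 command line really starts: a quoted path is taken
    whole, and a rundll32 line starts the DLL named before the comma, not rundll32 itself."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        exe, rest = cmd[1:end], cmd[end + 1:]
    else:
        exe, _, rest = cmd.partition(" ")
    stem = exe.lower().rsplit("\\", 1)[-1]
    if stem in ("rundll32", "rundll32.exe") and rest.strip():
        return rest.strip().split(" ", 1)[0].split(",", 1)[0].lower()
    return exe.lower()

def parse_o4(log):
    """Registry-backed O4 entries as dicts (Startup-folder O4 lines are skipped)."""
    entries = []
    for line in log.splitlines():
        m = O4_RE.match(line.strip())
        if m:
            hive, key, name, cmd = m.groups()
            entries.append({"hive": hive, "key": key, "name": name,
                            "cmd": cmd, "target": launch_target(cmd)})
    return entries

def still_present(fix_list, log):
    """Fix-list paths that a later log still shows as registered autoruns."""
    targets = {e["target"] for e in parse_o4(log)}
    return sorted(p for p in (f.lower() for f in fix_list) if p in targets)

def multi_registered(log):
    """Targets under more than one autorun key (stonedrv.exe: HKLM Run, RunServices, HKCU Run)."""
    where = defaultdict(set)
    for e in parse_o4(log):
        where[e["target"]].add(e["hive"] + "\\" + e["key"])
    return {t: sorted(k) for t, k in where.items() if len(k) > 1}

def parse_drweb(report):
    """Dr.Web records with a full lower-cased path; an empty action column becomes 'No action'."""
    rows = []
    for line in report.splitlines():
        if line.strip():
            name, folder, detection, action = line.split(";")[:4]
            rows.append({"path": (folder + "\\" + name).lower(), "detection": detection,
                         "action": action.rstrip(".") or "No action"})
    return rows

def needs_followup(report):
    """Records Dr.Web could not finish: nothing done, or deferred to the next reboot."""
    return sorted((r["path"], r["action"]) for r in parse_drweb(report)
                  if r["action"] == "No action" or "reboot" in r["action"])

def handled_by_drweb(fix_list, report):
    """Fix-list paths Dr.Web already acted on (why the O21 line now says 'file missing')."""
    actions = {r["path"]: r["action"] for r in parse_drweb(report)}
    return {p: actions[p] for p in (f.lower() for f in fix_list) if p in actions}

if __name__ == "__main__":
    print("still registered after the fix:", still_present(FIX_LIST, HJT_LOG_2))
    print("registered under several keys:", multi_registered(HJT_LOG_2))
    print("Dr.Web records needing follow-up:", needs_followup(DRWEB_REPORT))
    print("fix-list items Dr.Web handled:", handled_by_drweb(FIX_LIST, DRWEB_REPORT))
```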
#7 - 10-02-2006, 10:10 AM - Budfred (Moderator; Amateur Master Geek; Join Date: Jul 2002; Location: Minn; Posts: 17,851)
Quote:
I couldn't run SDFix in Safe Mode, but here's the HijackThis and DrWeb log:
What did it say?? What was the problem??

This log is still heavily infected... I don't remember what will or won't run on Win98... Try this one:

* Click here to use the F-Secure Online Scanner
It's explained there with images how to allow the ActiveX to start the scan, so read that first.
  • Then click the F-Secure Online Scanner Next Generation Beta link.
  • Once the ActiveX is installed, you should accept the License terms by clicking OK below to start the scan.
  • Click the Full System Scan button.
  • It will start to download scanner components and databases. This can take a while.
  • The main scan will start.
  • Once the scan has finished, click the Automatic cleaning (recommended) button
  • It could be possible that your firewall gives an alert - allow it, because that's a connection you establish to submit infected files to F-Secure.
  • The cleaning can take a while, so please be patient.
  • Then click the Show report button and copy and paste what's present under results in your next reply.
#8 - 10-02-2006, 07:10 PM - jkr48625 (Aspirant Master Geek; Join Date: Feb 2003; Posts: 153)
Finished - Run This

bad command or file name
bad command or file name
syntax error

*I did run it in Safe Mode
#9 - 10-02-2006, 07:56 PM - Budfred (Moderator; Amateur Master Geek; Join Date: Jul 2002; Location: Minn; Posts: 17,851)
It may just not run on Win98... Just go ahead with the F-Secure scan...
#10 - 10-03-2006, 08:10 AM - jkr48625 (Aspirant Master Geek; Join Date: Feb 2003; Posts: 153)
Quote:
Originally Posted by Budfred
It may just not run on Win98... Just go ahead with the F-Secure scan...
That didn't work either. I get an error msg - reopen browser, try again (ld 19) -
Should I try TrendMicro instead?
#11 - 10-03-2006, 09:12 AM - Budfred (Moderator; Amateur Master Geek; Join Date: Jul 2002; Location: Minn; Posts: 17,851)
You can try a TrendMicro scan if you would like, but it is for a different problem... I am trying to find something that will look for a rootkit... Try this one:

Quote:
Please download RootkitRevealer.exe and unzip it into a folder. Run a scan and produce a log...
http://www.sysinternals.com/Files/RootkitRevealer.zip
When it is done, go to File and select Save...
Include the log in your next reply.
Do not worry if there are a large number of items, this is normal.
It is a deep scan which will take a considerable amount of time, I suggest you disconnect from the internet and leave the PC alone until its finished.

To reduce the size of the log posted here, please edit out items that appear in these folders if there are some:
C:\RECYCLER\NPROTECT
C:\System Volume Information
before you post the log....
#12 - 10-04-2006, 07:08 AM - jkr48625 (Aspirant Master Geek; Join Date: Feb 2003; Posts: 153)
Quote:
Originally Posted by Budfred
You can try a TrendMicro scan if you would like, but it is for a different problem... I am trying to find something that will look for a rootkit... Try this one:
I have a problem when running rootkit: it says a required .dll file, psapi.dll, was not found.

Now, I can't even get TrendMicro to work. It doesn't seem to be scanning anything even though I'm at step 3: listing and removing detected infections. Would I be able to see the files listed while scanning in IE?

Last edited by jkr48625 : 10-04-2006 at 08:00 AM.
#13 - 10-04-2006, 09:06 AM - Budfred (Moderator; Amateur Master Geek; Join Date: Jul 2002; Location: Minn; Posts: 17,851)
Quote:
Originally Posted by jkr48625
I have a problem when running rootkit: it says a required .dll file, psapi.dll, was not found.

Now, I can't even get TrendMicro to work. It doesn't seem to be scanning anything even though I'm at step 3: listing and removing detected infections. Would I be able to see the files listed while scanning in IE?
I am not sure what you are asking... Are you trying to run the scan from IE?? There is a version that doesn't require IE, but the standard one does...

Here is another rootkit scan to try:

Download GMER from here:
http://www.gmer.net/files.php

Unzip it to the desktop.

Open the program and click on the Rootkit tab.
Make sure all the boxes on the right of the screen are checked, EXCEPT for ‘Show All’.
Click on Scan.
When the scan has run click Copy and paste the results (if any) into this thread.

If the results are pages long, let me know before you start pasting them here...
#14 - 10-04-2006, 04:37 PM - jkr48625 (Aspirant Master Geek; Join Date: Feb 2003; Posts: 153)
Quote:
Originally Posted by Budfred
I am not sure what you are asking... Are you trying to run the scan from IE?? There is a version that doesn't require IE, but the standard one does...
I can't get it to work on either IE or Firefox.

Quote:
Originally Posted by Budfred
Here is another rootkit scan to try:
Can't run on Win98SE.
#15 - 10-05-2006, 12:14 AM - Budfred (Moderator; Amateur Master Geek; Join Date: Jul 2002; Location: Minn; Posts: 17,851)
Ok, I am losing track of what we are going after here... Please post another HJT log after reboot and let me know what is going on with your computer... Also, please note what happened when you tried to delete this file:

c:\windows\system\stonedrv.exe
#16 - 10-05-2006, 07:09 AM - jkr48625 (Aspirant Master Geek; Join Date: Feb 2003; Posts: 153)
Logfile of HijackThis v1.99.1
Scan saved at 5:28:18 PM, on 10/5/06
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.presario.net/scripts/r...s=search&i=enu
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.presario.net/scripts/r...s=search&i=enu
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.presario.net/scripts/r...s=search&i=enu
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O4 - HKLM\..\Run: [BootLocker] C:\Program Files\BootLocker\BootLockerStartup.exe
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\Compaq\Easy Access Button Support\cpqeadm.exe
O4 - HKLM\..\Run: [EACLEAN] C:\Program Files\Compaq\Easy Access Button Support\eaclean.exe
O4 - HKLM\..\Run: [Service Connection] c:\cpqs\bwtools\sccenter.exe
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,NewDotNetStartup
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\SYSTEM\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\SYSTEM\hkcmd.exe
O4 - HKLM\..\Run: [Explorer] C:\WINDOWS\iexplore.exe
O4 - HKLM\..\Run: [Compaq Internet Setup] C:\Compaq\Internet\InetWizard.exe /RUN
O4 - HKLM\..\Run: [CISrvr Program] C:\COMPAQ\INTERNET\CISRVR.EXE
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [EM_EXEC] c:\mouse\system\em_exec.exe
O4 - HKLM\..\Run: [Aureal A3D Interactive Audio Init] A3dInit.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [System] C:\WINDOWS\SYSTEM\kernels8.exe
O4 - HKLM\..\Run: [stonedrv] c:\windows\system\stonedrv.exe
O4 - HKLM\..\Run: [lcholwk.dll] C:\WINDOWS\rundll32.exe C:\WINDOWS\SYSTEM\lcholwk.dll,wvxnrlg
O4 - HKLM\..\RunServices: [BootLocker0] C:\PROGRAM FILES\BOOTLOCKER\Msgsvr32.exe
O4 - HKLM\..\RunServices: [BootLocker1] C:\PROGRAM FILES\BOOTLOCKER\Msgsvr32.exe
O4 - HKLM\..\RunServices: [BootLocker2] C:\PROGRAM FILES\BOOTLOCKER\Msgsvr32.exe
O4 - HKLM\..\RunServices: [BootLocker3] C:\PROGRAM FILES\BOOTLOCKER\Msgsvr32.exe
O4 - HKLM\..\RunServices: [BootLocker4] C:\PROGRAM FILES\BOOTLOCKER\Msgsvr32.exe
O4 - HKLM\..\RunServices: [BootLocker5] C:\PROGRAM FILES\BOOTLOCKER\Msgsvr32.exe
O4 - HKLM\..\RunServices: [Aureal A3D Interactive Audio] sa3dsrv.exe
O4 - HKLM\..\RunServices: [NPROTECT] C:\PROGRA~1\NORTON~2\ADVTOOLS\NPROTECT.EXE
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SmcService] C:\PROGRAM FILES\SYGATE\SPF\SMC.EXE
O4 - HKLM\..\RunServices: [stonedrv] c:\windows\system\stonedrv.exe
O4 - HKLM\..\RunOnce: [BootLocker] C:\PROGRAM FILES\BOOTLOCKER\winlock.exe /L /S
O4 - HKCU\..\Run: [Reminder] C:\Program Files\Microsoft Money\System\reminder.exe
O4 - HKCU\..\Run: [PeerGuardian] C:\Program Files\PeerGuardian2\pg2.exe
O4 - HKCU\..\Run: [TuneUp MemOptimizer] "C:\PROGRAM FILES\TUNEUP UTILITIES 2006\MEMOPTIMIZER.EXE" autostart
O4 - HKCU\..\Run: [stonedrv] c:\windows\system\stonedrv.exe
O4 - Startup: BootLocker Tray.lnk = C:\Program Files\BootLocker\BLTray.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O10 - Unknown file in Winsock LSP: c:\progra~1\stream~1\msniffer.dll
O10 - Unknown file in Winsock LSP: c:\progra~1\stream~1\msniffer.dll
O10 - Unknown file in Winsock LSP: c:\progra~1\stream~1\msniffer.dll
O10 - Unknown file in Winsock LSP: c:\progra~1\stream~1\msniffer.dll
O10 - Unknown file in Winsock LSP: c:\progra~1\stream~1\msniffer.dll
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {9D190AE6-C81E-4039-8061-978EBAD10073} (F-Secure Online Scanner 3.0) - http://support.f-secure.com/ols3/fscax.cab
O21 - SSODL: JaKuXmCXD - {17071A81-BDAD-B02B-429E-BFD255199012} - C:\WINDOWS\SYSTEM\LTGK.DLL (file missing)


As for c:\windows\system\stonedrv.exe - can't find the file, probably deleted after running drweb-cureit
#17
10-05-2006, 08:58 AM
Budfred (Amateur Master Geek, Moderator)
Join Date: Jul 2002  Location: Minn  Posts: 17,851

Quote:
as for c:\windows\system\stonedrv.exe - can't find the file, probably deleted after running drweb-cureit
It is still showing up in your HJT log and it isn't listed in what I assume is your DrWeb log... What makes you think that DrWeb took it out... Also, as I asked before, what is going on with your computer??

Please open an HJT scan and put checks by:

O4 - HKLM\..\Run: [System] C:\WINDOWS\SYSTEM\kernels8.exe
O4 - HKLM\..\Run: [stonedrv] c:\windows\system\stonedrv.exe
O4 - HKLM\..\Run: [lcholwk.dll] C:\WINDOWS\rundll32.exe C:\WINDOWS\SYSTEM\lcholwk.dll,wvxnrlg
O4 - HKLM\..\RunServices: [stonedrv] c:\windows\system\stonedrv.exe
O4 - HKCU\..\Run: [stonedrv] c:\windows\system\stonedrv.exe
O21 - SSODL: JaKuXmCXD - {17071A81-BDAD-B02B-429E-BFD255199012} - C:\WINDOWS\SYSTEM\LTGK.DLL (file missing)

Close all open windows except HJT and press Fix checked...

Find and delete:

C:\WINDOWS\SYSTEM\kernels8.exe
c:\windows\system\stonedrv.exe
C:\WINDOWS\SYSTEM\lcholwk.dll
C:\WINDOWS\SYSTEM\LTGK.DLL

Use Windows Search with the Advanced options and in Safe Mode if needed...

Reboot and post a fresh HJT log and report on how your system is running...
__________________
Budfred ..... Caveat Emptor....

Helpful links SpywareBlaster... HijackThis... ATF Cleaner...

Post a complaint about malware here!!
So how did I get infected in the first place??

MS MVP 2006 and ASAP member since 2004...

If you PM me for help, expect an irritated response... Post in the forum...
#18
10-05-2006, 10:43 AM
jkr48625 (Aspirant Master Geek)
Join Date: Feb 2003  Posts: 153

Here's the new log

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.presario.net/scripts/r...s=search&i=enu
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.presario.net/scripts/r...s=search&i=enu
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.presario.net/scripts/r...s=search&i=enu
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O4 - HKLM\..\Run: [BootLocker] C:\Program Files\BootLocker\BootLockerStartup.exe
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\Compaq\Easy Access Button Support\cpqeadm.exe
O4 - HKLM\..\Run: [EACLEAN] C:\Program Files\Compaq\Easy Access Button Support\eaclean.exe
O4 - HKLM\..\Run: [Service Connection] c:\cpqs\bwtools\sccenter.exe
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,NewDotNetStartup
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\SYSTEM\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\SYSTEM\hkcmd.exe
O4 - HKLM\..\Run: [Compaq Internet Setup] C:\Compaq\Internet\InetWizard.exe /RUN
O4 - HKLM\..\Run: [CISrvr Program] C:\COMPAQ\INTERNET\CISRVR.EXE
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [EM_EXEC] c:\mouse\system\em_exec.exe
O4 - HKLM\..\Run: [Aureal A3D Interactive Audio Init] A3dInit.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\RunServices: [BootLocker0] C:\PROGRAM FILES\BOOTLOCKER\Msgsvr32.exe
O4 - HKLM\..\RunServices: [BootLocker1] C:\PROGRAM FILES\BOOTLOCKER\Msgsvr32.exe
O4 - HKLM\..\RunServices: [BootLocker2] C:\PROGRAM FILES\BOOTLOCKER\Msgsvr32.exe
O4 - HKLM\..\RunServices: [BootLocker3] C:\PROGRAM FILES\BOOTLOCKER\Msgsvr32.exe
O4 - HKLM\..\RunServices: [BootLocker4] C:\PROGRAM FILES\BOOTLOCKER\Msgsvr32.exe
O4 - HKLM\..\RunServices: [BootLocker5] C:\PROGRAM FILES\BOOTLOCKER\Msgsvr32.exe
O4 - HKLM\..\RunServices: [Aureal A3D Interactive Audio] sa3dsrv.exe
O4 - HKLM\..\RunServices: [NPROTECT] C:\PROGRA~1\NORTON~2\ADVTOOLS\NPROTECT.EXE
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SmcService] C:\PROGRAM FILES\SYGATE\SPF\SMC.EXE
O4 - HKLM\..\RunOnce: [BootLocker] C:\PROGRAM FILES\BOOTLOCKER\winlock.exe /L /S
O4 - HKCU\..\Run: [Reminder] C:\Program Files\Microsoft Money\System\reminder.exe
O4 - HKCU\..\Run: [PeerGuardian] C:\Program Files\PeerGuardian2\pg2.exe
O4 - HKCU\..\Run: [TuneUp MemOptimizer] "C:\PROGRAM FILES\TUNEUP UTILITIES 2006\MEMOPTIMIZER.EXE" autostart
O4 - Startup: BootLocker Tray.lnk = C:\Program Files\BootLocker\BLTray.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O10 - Unknown file in Winsock LSP: c:\progra~1\stream~1\msniffer.dll
O10 - Unknown file in Winsock LSP: c:\progra~1\stream~1\msniffer.dll
O10 - Unknown file in Winsock LSP: c:\progra~1\stream~1\msniffer.dll
O10 - Unknown file in Winsock LSP: c:\progra~1\stream~1\msniffer.dll
O10 - Unknown file in Winsock LSP: c:\progra~1\stream~1\msniffer.dll
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {9D190AE6-C81E-4039-8061-978EBAD10073} (F-Secure Online Scanner 3.0) - http://support.f-secure.com/ols3/fscax.cab


as for:
Find and delete:
C:\WINDOWS\SYSTEM\kernels8.exe
c:\windows\system\stonedrv.exe
C:\WINDOWS\SYSTEM\lcholwk.dll
C:\WINDOWS\SYSTEM\LTGK.DLL

I didn't find any of these files.

My PC seems to be working fine.
#19
10-05-2006, 11:59 AM
classicsoftware (Exalted Grand Master Geek, Moderator)
Join Date: Jul 2001  Location: Wyncote, PA, USA  Posts: 8,891

Boot into Safe Mode and run HijackThis:

Place a check next to:

O4 - HKLM\..\Run: [BootLocker] C:\Program Files\BootLocker\BootLockerStartup.exe
O4 - HKLM\..\Run: [Explorer] C:\WINDOWS\iexplore.exe
O4 - HKLM\..\Run: [System] C:\WINDOWS\SYSTEM\kernels8.exe
O4 - HKLM\..\Run: [stonedrv] c:\windows\system\stonedrv.exe
O4 - HKLM\..\Run: [lcholwk.dll] C:\WINDOWS\rundll32.exe C:\WINDOWS\SYSTEM\lcholwk.dll,wvxnrlg
O4 - HKLM\..\RunServices: [BootLocker0] C:\PROGRAM FILES\BOOTLOCKER\Msgsvr32.exe
O4 - HKLM\..\RunServices: [BootLocker1] C:\PROGRAM FILES\BOOTLOCKER\Msgsvr32.exe
O4 - HKLM\..\RunServices: [BootLocker2] C:\PROGRAM FILES\BOOTLOCKER\Msgsvr32.exe
O4 - HKLM\..\RunServices: [BootLocker3] C:\PROGRAM FILES\BOOTLOCKER\Msgsvr32.exe
O4 - HKLM\..\RunServices: [BootLocker4] C:\PROGRAM FILES\BOOTLOCKER\Msgsvr32.exe
O4 - HKLM\..\RunServices: [BootLocker5] C:\PROGRAM FILES\BOOTLOCKER\Msgsvr32.exe
O4 - HKLM\..\RunServices: [stonedrv] c:\windows\system\stonedrv.exe
O4 - HKLM\..\RunOnce: [BootLocker] C:\PROGRAM FILES\BOOTLOCKER\winlock.exe /L /S
O4 - HKCU\..\Run: [Reminder] C:\Program Files\Microsoft Money\System\reminder.exe
O4 - HKCU\..\Run: [stonedrv] c:\windows\system\stonedrv.exe
O4 - Startup: BootLocker Tray.lnk = C:\Program Files\BootLocker\BLTray.exe
O21 - SSODL: JaKuXmCXD - {17071A81-BDAD-B02B-429E-BFD255199012} - C:\WINDOWS\SYSTEM\LTGK.DLL (file missing)

Close all open program and browser windows except for HJT and click fix checked.

Boot back into normal mode and post a new HJT LOG.

Are you using this PC to make these posts? If yes, do you have access to a different PC if we take this offline for a while?
__________________
From all this we may learn that there are two races of men in this world but only these two. The race of the decent man and the race of the indecent man. Both are found everywhere, they penetrate into all groups of society. No group consists entirely of decent or indecent people. In this sense no group is of pure race.
Victor Frankl
#20
10-05-2006, 02:48 PM
Budfred (Amateur Master Geek, Moderator)
Join Date: Jul 2002  Location: Minn  Posts: 17,851

classicsoftware... did you find evidence that Bootlocker is bad... What I found suggested it was okay... Those other things are not in the log anymore...

jkr48625... Please do not edit out any part of the HJT log... it makes our job more difficult...

Please use Killbox to try and kill those bad files:

Download Killbox:

http://www.atribune.org/downloads/KillBox.exe

Then copy/paste this list into a Notepad file so that you can access it in Safe Mode... Boot to Safe Mode (tap F8 just before Windows starts loading and select Safe Mode)... Choose the "Delete on reboot" and "End Explorer Shell while Killing file" options... Copy/paste the entire list into the line for the file... It should be able to accept the whole list, but if it doesn't you will need to enter them one at a time... Do not click through to close it out and reboot until they have all been entered... Once they are all entered, click through to kill them...

C:\WINDOWS\SYSTEM\kernels8.exe
c:\windows\system\stonedrv.exe
C:\WINDOWS\SYSTEM\lcholwk.dll
C:\WINDOWS\SYSTEM\LTGK.DLL

You also seem to have managed to install NewDotNet since we started this, so please use the techniques here to uninstall it...

http://www.newdotnet.com/removal.html

Reboot and post a fresh HJT log with a report on how the Killbox and NewDotNet uninstall went...
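Added example (not code from this thread and not HijackThis' own): a Python script that does mechanically what Budfred's posts #17 and #20 do by eye. It parses the O4, O10 and O21 lines of an HJT log, turns them into leads (an entry whose file is missing, the same binary registered under several autostart keys, anything sitting in the Winsock LSP chain), checks whether the files on a "find and delete" list are still referenced, and diffs two logs so the fix can be verified from the log rather than from Windows Search. The two sample logs are constructed from lines copied out of the logs posted above; the heuristics and every function name are my own assumptions, not anything HijackThis itself reports.

```python
"""Triage and diff HijackThis (HJT) logs.  Added example for this thread, not
code from the posts above nor HijackThis' own.  OLD_LOG/NEW_LOG are constructed
from lines copied out of the logs posted in the thread; the parsing rules, the
"lead" heuristics and every function name are my own assumptions."""
import re
from collections import defaultdict, namedtuple

OLD_LOG = r"""
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,NewDotNetStartup
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [System] C:\WINDOWS\SYSTEM\kernels8.exe
O4 - HKLM\..\Run: [stonedrv] c:\windows\system\stonedrv.exe
O4 - HKLM\..\Run: [lcholwk.dll] C:\WINDOWS\rundll32.exe C:\WINDOWS\SYSTEM\lcholwk.dll,wvxnrlg
O4 - HKLM\..\RunServices: [BootLocker0] C:\PROGRAM FILES\BOOTLOCKER\Msgsvr32.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [stonedrv] c:\windows\system\stonedrv.exe
O4 - HKCU\..\Run: [stonedrv] c:\windows\system\stonedrv.exe
O4 - Startup: BootLocker Tray.lnk = C:\Program Files\BootLocker\BLTray.exe
O10 - Unknown file in Winsock LSP: c:\progra~1\stream~1\msniffer.dll
O21 - SSODL: JaKuXmCXD - {17071A81-BDAD-B02B-429E-BFD255199012} - C:\WINDOWS\SYSTEM\LTGK.DLL (file missing)
"""  # constructed sample: lines copied from the log posted before Budfred's fix list
NEW_LOG = r"""
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,NewDotNetStartup
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - Startup: BootLocker Tray.lnk = C:\Program Files\BootLocker\BLTray.exe
O10 - Unknown file in Winsock LSP: c:\progra~1\stream~1\msniffer.dll
"""  # constructed sample: lines copied from the log posted after Killbox
# The four files Budfred asked to find and delete (posts #17 and #20).
DELETE_LIST = [r"C:\WINDOWS\SYSTEM\kernels8.exe", r"c:\windows\system\stonedrv.exe",
               r"C:\WINDOWS\SYSTEM\lcholwk.dll", r"C:\WINDOWS\SYSTEM\LTGK.DLL"]

MISSING = '(file missing)'
RE_O4_REG = re.compile(r'^O4 - (HK\w+)\\\.\.\\(\w+): \[([^\]]*)\] (.*)$')
RE_O4_DIR = re.compile(r'^O4 - ((?:Global )?Startup): (.*?) = (.*)$')
RE_O10 = re.compile(r'^O10 - Unknown file in Winsock LSP: (.*)$')
RE_O21 = re.compile(r'^O21 - SSODL: (.*?) - (\{[0-9A-Fa-f-]+\}) - (.*)$')
# section: O4/O10/O21; location: HKLM\..\Run, Startup, Winsock LSP, SSODL;
# target: lower-cased file the entry loads; missing: HJT said "(file missing)".
Entry = namedtuple('Entry', 'section location name target missing raw')


def target_of(command):
    """File an O4 command loads: the quoted or first token, except that for
    rundll32 it is the DLL named in the first argument, not rundll32 itself."""
    m = re.match(r'\s*(?:"([^"]*)"|(\S*))\s*(.*)', command)
    exe, rest = m.group(1) or m.group(2) or '', m.group(3)
    if exe.lower().rsplit('\\', 1)[-1] in ('rundll32', 'rundll32.exe') and rest:
        exe = rest.split(',', 1)[0].strip().strip('"')
    return exe.lower()


# (regex, builder -> (section, location, name, target)); the first match wins.
PATTERNS = [
    (RE_O4_REG, lambda m: ('O4', f'{m[1]}\\..\\{m[2]}', m[3], target_of(m[4]))),
    (RE_O4_DIR, lambda m: ('O4', m[1], m[2], m[3].strip().lower())),
    (RE_O10, lambda m: ('O10', 'Winsock LSP', '', m[1].strip().lower())),
    (RE_O21, lambda m: ('O21', 'SSODL', m[1], m[3].strip().lower())),
]


def parse_log(text):
    """Parse the O4/O10/O21 lines of an HJT log; other sections are skipped."""
    entries = []
    for raw in (line.strip() for line in text.splitlines()):
        missing = raw.endswith(MISSING)
        body = raw[:-len(MISSING)].rstrip() if missing else raw
        for regex, build in PATTERNS:
            m = regex.match(body)
            if m:
                entries.append(Entry(*build(m), missing, raw))
                break
    return entries


def triage(entries):
    """Group entries into leads for a human to check; these are leads, not verdicts."""
    where = defaultdict(set)
    for e in entries:
        if e.section == 'O4':
            where[e.target].add(e.location)
    leads = defaultdict(list)
    for e in entries:
        if e.missing:
            leads['file missing (orphaned autostart)'].append(e)
        if e.section == 'O4' and len(where[e.target]) > 1:
            leads['same file in several autostart locations'].append(e)
        if e.section == 'O10':
            leads['unknown Winsock LSP module'].append(e)
    return dict(leads)


def still_referenced(entries, files):
    """Files from a 'find and delete' list that a log still references; after a
    fix that means the autostart entry survived or the file was re-created."""
    targets = {e.target for e in entries}
    return [f for f in files if f.lower() in targets]


def diff_logs(old_text, new_text):
    """Case-insensitive line-for-line comparison: (removed by the fix, new since, persisting)."""
    old = {e.raw.lower(): e for e in parse_log(old_text)}
    new = {e.raw.lower(): e for e in parse_log(new_text)}
    return ([e for k, e in old.items() if k not in new],
            [e for k, e in new.items() if k not in old],
            [e for k, e in new.items() if k in old])
```

Run against the two samples, triage() flags stonedrv.exe (registered under HKLM Run, HKLM RunServices and HKCU Run at once), the orphaned SSODL entry for LTGK.DLL and the msniffer.dll LSP module, and diff_logs() reports seven entries removed, none added and five persisting, among them New.net and the LSP entry. Two caveats the output makes visible: LoadPowerProfile is a standard Windows 98 entry that sits in both Run and RunServices and trips the same rule as stonedrv, so every lead still needs a human; and an O10 entry should not be fixed from HJT itself, because removing one module from the Winsock LSP chain without repairing the chain breaks networking, which is why HijackThis' own documentation points to LSPFix or Spybot S&D for O10.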
#21
10-05-2006, 03:11 PM
mjc (Supreme Exalted Grand Master Geek, Moderator)
Join Date: Nov 2000  Location: The Mountain State  Posts: 21,180

Actually, looking over the info at Bootlocker's home page, it would probably be much safer to uninstall it with the uninstaller, at least until everything is cleaned.
__________________
AV, Anti-Trojan List;Browser and Email client List;Popup Killer List;Portable Apps
“When men yield up the privilege of thinking, the last shadow of liberty quits the horizon.” - Thomas Paine
Remember: Amateurs built the ark; professionals built the Titanic.
#22
10-06-2006, 06:32 AM
jkr48625 (Aspirant Master Geek)
Join Date: Feb 2003  Posts: 153

"You also seem to have managed to install NewDotNet since we started this, so please use the techniques here to uninstall it...

http://www.newdotnet.com/removal.html

Reboot and post a fresh HJT log with a report on how the Killbox and NewDotNet uninstall went..."


I didn't find any of these files:
New.net Application or New.net Domains uninstallX_XX.exe
NDNuninstallx_xx.exe

It is showing up under hijack after I enable all on msconfig. On msconfig, under the Startup tab, it says:
new.net startup -
rundll32 c:\program~1\newdot~1\newdot~2.dll,newdotnetstartup

I did enable "startup menu" on msconfig but I can't access the Safe Mode option screen.
#23
10-06-2006, 09:12 AM
Budfred (Amateur Master Geek, Moderator)
Join Date: Jul 2002  Location: Minn  Posts: 17,851

I am afraid I don't know what you are talking about... You can't get into Safe Mode?? You can't uninstall NewDotNet?? Please be clear...
#24
10-06-2006, 12:34 PM
jkr48625 (Aspirant Master Geek)
Join Date: Feb 2003  Posts: 153

Ignore the part about Safe Mode; I had to uninstall BootLocker to access Safe Mode.

I did run killbox.exe and here's the new HijackThis log

Logfile of HijackThis v1.99.1
Scan saved at 10:51:37 PM, on 10/6/06
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.presario.net/scripts/r...s=search&i=enu
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.presario.net/scripts/r...s=search&i=enu
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.presario.net/scripts/r...s=search&i=enu
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\Compaq\Easy Access Button Support\cpqeadm.exe
O4 - HKLM\..\Run: [EACLEAN] C:\Program Files\Compaq\Easy Access Button Support\eaclean.exe
O4 - HKLM\..\Run: [Service Connection] c:\cpqs\bwtools\sccenter.exe
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,NewDotNetStartup
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\SYSTEM\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\SYSTEM\hkcmd.exe
O4 - HKLM\..\Run: [Compaq Internet Setup] C:\Compaq\Internet\InetWizard.exe /RUN
O4 - HKLM\..\Run: [CISrvr Program] C:\COMPAQ\INTERNET\CISRVR.EXE
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [EM_EXEC] c:\mouse\system\em_exec.exe
O4 - HKLM\..\Run: [Aureal A3D Interactive Audio Init] A3dInit.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\RunServices: [Aureal A3D Interactive Audio] sa3dsrv.exe
O4 - HKLM\..\RunServices: [NPROTECT] C:\PROGRA~1\NORTON~2\ADVTOOLS\NPROTECT.EXE
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SmcService] C:\PROGRAM FILES\SYGATE\SPF\SMC.EXE
O4 - HKCU\..\Run: [PeerGuardian] C:\Program Files\PeerGuardian2\pg2.exe
O4 - HKCU\..\Run: [TuneUp MemOptimizer] "C:\PROGRAM FILES\TUNEUP UTILITIES 2006\MEMOPTIMIZER.EXE" autostart
O4 - Startup: BootLocker Tray.lnk = C:\Program Files\BootLocker\BLTray.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O10 - Unknown file in Winsock LSP: c:\progra~1\stream~1\msniffer.dll
O10 - Unknown file in Winsock LSP: c:\progra~1\stream~1\msniffer.dll
O10 - Unknown file in Winsock LSP: c:\progra~1\stream~1\msniffer.dll
O10 - Unknown file in Winsock LSP: c:\progra~1\stream~1\msniffer.dll
O10 - Unknown file in Winsock LSP: c:\progra~1\stream~1\msniffer.dll
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {9D190AE6-C81E-4039-8061-978EBAD10073} (F-Secure Online Scanner 3.0) - http://support.f-secure.com/ols3/fscax.cab
#25
10-06-2006, 12:50 PM
mjc (Supreme Exalted Grand Master Geek, Moderator)
Join Date: Nov 2000  Location: The Mountain State  Posts: 21,180

Like I thought...Bootlocker and most other protection/security programs can interfere with clean up and should be disabled for the duration. It is also a good idea to pull the affected machine offline or disconnect it from the network, except as needed to download software/updates.

Fighting crapware always brings to mind this quote...

Quote:
I think I should warn you all, when a vampire bites it, it's never a pretty sight. No two bloodsuckers go the same way. Some yell and scream, some go quietly, some explode, some implode, but all will try to take you with them.
(substitute malware/virus for vampires/bloodsucker)
Powered by vBulletin Version 3.6.1
Copyright ©2000 - 2009, Jelsoft Enterprises Ltd.
© Copyright 1997-2004 Charles M. Kozierok. All Rights Reserved.