Need some help please.
After struggling for three days, this is my last hope before a complete reformat. I was able to clean out most of the malware using various software including HijackThis with the online analyzer but I can't find the malware that launches my default web browser followed by an annoying popup ad. Even as I post this message, I get a popup every 5 minutes. The only good side of this mess is that the popups aren't PORN (yet!!!). Any help is much appreciated.
Logfile of HijackThis v1.99.1
Scan saved at 2:00:14 PM, on 7/1/06
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PCMACLAN\ATMSG.EXE
C:\PROGRAM FILES\MCAFEE.COM\VSO\MCSHLD9X.EXE
C:\PROGRAM FILES\MCAFEE.COM\VSO\OASCLNT.EXE
C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSSHLD.EXE
C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSESCN.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\2WIRE\GATEWAY\2PORTALMON.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\PROGRAM FILES\MCAFEE.COM\AGENT\MCAGENT.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\PROGRAM FILES\MCAFEE.COM\AGENT\MCTSKSHD.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\SYSRESET\MIRC.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS_V1.99.1.EXE
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://yahoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://rd.yahoo.com/customize/sbcydsl/defaults/su/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://rd.yahoo.com/customize/sbcydsl/defaults/sb/*http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://rd.yahoo.com/customize/sbcydsl/defaults/su/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YT.DLL
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSSHL.DLL
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [2wSysTray] C:\PROGRAM FILES\2WIRE\GATEWAY\2PORTALMON.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\SYSTEM\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\SYSTEM\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\MCAFEE.COM\VSO\MCMNHDLR.EXE" /checktask
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\MCAFEE.COM\AGENT\MCUPDATE.EXE
O4 - HKLM\..\Run: [MCAgentExe] C:\PROGRA~1\MCAFEE.COM\AGENT\McAgent.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [MCTskShd] C:\PROGRA~1\MCAFEE.COM\AGENT\mctskshd.exe
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [Miramar Systems' PC MACLAN] c:\pcmaclan\ATMsg.exe -service
O4 - HKLM\..\RunServices: [McShld9x] C:\Program Files\McAfee.com\VSO\mcshld9x.exe
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRAM FILES\JAVA\JRE1.5.0_06\BIN\SSV.DLL
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRAM FILES\JAVA\JRE1.5.0_06\BIN\SSV.DLL
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\TOOLS\IESDPB.DLL
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/mcfscan/2,1,0,4749/mcfscan.cab
Hello and welcome to HijackThis.eu @ Ming294
First we need to know what is going wrong on your system.
Please download the filelist.zip (http://www.hijackthis-forum.de/attachment.php?attachmentid=1111&d=1151094724) to your desktop.
Unzip this file to your desktop (free Zip tools (http://www.hijackthis-forum.de/showpost.php?p=10851&postcount=3)).
Restart your system.
Double-click the filelist.bat to run it.
Your editor program will open.
Highlight the content, choose copy & paste it into your following posting.
Please note: we only need the last 30 days of every directory of this file.
With many thanks to our moderator Karl83 for creating this new tool.
Thanks so much for the help. My text file was too big to open with Notepad so WordPad was used to view the log. Unfortunately, the tabs don't paste into this window properly. It's a mess. Sorry.
----- Root -----------------------------
Volume in drive C is CENTRAL_30
Volume Serial Number is 6C24-3B91
Directory of C:\
FILELIST TXT 43 07-01-06 8:47p filelist.txt
SCANDISK LOG 2,617 07-01-06 8:46p SCANDISK.LOG
FETNDI LOG 9,867 07-01-06 2:51p FETNDI.LOG
AGNTCL~1 LOG 2,391 06-29-06 8:43p agntclient.log
VS_30D~1 EXE 10,005,047 06-26-06 7:02p vs_30day_trial_10021_en-us.exe
MAS2_1~1 EXE 7,132,752 06-26-06 7:01p MAS2_167_en-US_42_trial30CNET.exe
VSL DL_ 12,288 04-30-06 9:03a VSL.dl_
----- System ---------------------------
Volume in drive C is CENTRAL_30
Volume Serial Number is 6C24-3B91
Directory of C:\WINDOWS\SYSTEM
NVAPPS XML 43,573 07-01-06 8:46p nvapps.xml
CMICNFG INI 171 07-01-06 4:14a CmiCnfg.ini
UZT915FB SYS 1,063 07-01-06 2:45a uzt915fb.sys
LBRTREND DLL 226,592 07-01-06 1:19a LBRTREND.DLL
QVARTZ DLL 226,592 07-01-06 1:19a QVARTZ.DLL
DXGEST DLL 226,592 07-01-06 1:19a DXGEST.DLL
AVL DLL 226,592 07-01-06 1:19a AVL.DLL
WKNASPI DLL 226,592 07-01-06 1:19a WKNASPI.DLL
MKHTMLED DLL 226,592 07-01-06 1:19a MKHTMLED.DLL
RDASETUP DLL 226,592 07-01-06 1:19a RDASETUP.DLL
MJLOCUSR DLL 226,592 07-01-06 1:19a MJLOCUSR.DLL
USDM32 DLL 226,592 07-01-06 1:19a USDM32.DLL
MTEXCL40 DLL 226,592 07-01-06 1:19a MTEXCL40.DLL
PGWEROLD DLL 226,592 07-01-06 1:19a PGWEROLD.DLL
SHLWOA DLL 226,592 07-01-06 1:19a SHLWOA.DLL
IDM32 DLL 226,592 07-01-06 1:19a IDM32.DLL
PCUSTAB DLL 226,592 07-01-06 1:19a PCUSTAB.DLL
VSL05 EXE 48,167 07-01-06 1:19a VSL05.exe
UZT915FB DLL 61,440 07-01-06 1:19a uzt915fb.dll
W0112E10 DLL 29,696 07-01-06 1:19a w0112e10.dll
SPORDER DLL 8,464 07-01-06 1:19a sporder.dll
UNINST~1 EXE 32,976 07-01-06 1:18a uninstIcn.exe
AVSDAM DLL 57,384 06-23-06 1:17p avsdam.dll
ICON_M~1 EXE 235,228 06-21-06 5:38p icon_mediamotor.exe
TS_MED~1 EXE 115,239 06-21-06 5:38p ts_mediamotor.exe
NODEIP~1 DLL 389,120 06-20-06 7:55p nodeipproc.dll
JGDW400 DLL 163,840 05-26-06 10:19p jgdw400.dll
JSCRIPT 001 465,864 05-17-06 11:43a JSCRIPT.001
JSCRIPT 002 465,864 05-17-06 11:43a JSCRIPT.002
----- Windows --------------------------
Volume in drive C is CENTRAL_30
Volume Serial Number is 6C24-3B91
Directory of C:\WINDOWS
SYSTEM DAT 4,902,944 07-01-06 8:47p SYSTEM.DAT
USER DAT 753,696 07-01-06 8:47p USER.DAT
HOSTS 0 07-01-06 8:46p hosts
SYSTEM INI 2,132 07-01-06 8:46p SYSTEM.INI
WAVEMIX INI 54 07-01-06 8:46p WAVEMIX.INI
POWERPNT INI 60 07-01-06 8:46p POWERPNT.INI
SCHEDLOG TXT 32,682 07-01-06 8:46p SchedLog.Txt
NDISLOG TXT 0 07-01-06 8:46p NDISLOG.TXT
WIN386 SWP 188,743,680 07-01-06 8:34p WIN386.SWP
TWAIN LOG 153 07-01-06 4:19p TWAIN.LOG
WINDOW~1 LOG 28,518 07-01-06 2:58p Windows Update.log
REGSAV~1 TXT 219,887 07-01-06 2:58p Reg Save Log.txt
FIXIEL~1 TXT 17,920 07-01-06 4:06a Fix IE Log.txt
IEPATC~1 LOG 523 07-01-06 2:43a IEPatchUninstall.log
UNQ32 DAT 3 07-01-06 2:00a unq32.dat
WIN320~1 EXE 143,360 07-01-06 1:53a win320787318143132006.exe
SYS021~1 EXE 143,360 07-01-06 1:53a sys021431387318.exe
DRSMAR~1 DAT 43 07-01-06 1:19a drsmartload2.dat
SRVDKL~1 EXE 235,134 07-01-06 1:19a srvdkldnzi.exe
SRVGVF~1 EXE 184,829 07-01-06 1:19a srvgvfjyzb.exe
JPTC DAT 27 07-01-06 1:19a jptc.dat
UNSTALL EXE 32,768 07-01-06 1:18a unstall.exe
MM06Y INI 259 07-01-06 1:18a mm06y.ini
CHAD_B~1 EXE 359,570 07-01-06 1:18a chad_bundle.exe
ELPP10~1 EXE 129,649 07-01-06 1:18a elpp100drop.exe
MTUNINST EXE 39,424 07-01-06 1:18a mtuninst.exe
KEYBOA~1 DAT 0 07-01-06 1:18a keyboard1.dat
NEWNAME DAT 0 07-01-06 1:18a newname.dat
MIRAR EXE 102,400 07-01-06 1:18a mirar.exe
TEMPF TXT 2 07-01-06 1:18a tempf.txt
WHINST~1 INI 359 07-01-06 1:18a whInstaller.ini
TTFCACHE 3,191 06-24-06 11:03p ttfCache
WMPLIB~1 DB 3,088,384 06-21-06 6:47p wmplibrary_v_0_12.db
876056 EXE 139,264 06-19-06 3:39p 876056.exe
NSREG DAT 0 06-07-06 6:35p nsreg.dat
MOZVER DAT 2,301 06-07-06 6:35p mozver.dat
UNINST~1 EXE 24,576 05-30-06 6:09p Uninstall.exe
Volume in drive C is CENTRAL_30
Volume Serial Number is 6C24-3B91
Directory of C:\WINDOWS\Tasks
SA DAT 6 07-01-06 8:46p SA.DAT
TUNE-U~1 JOB 502 07-01-06 7:00p Tune-up Application Start.job
MCAFEE~1 JOB 390 06-29-06 8:43p McAfee AntiSpyware.job
DESKTOP INI 65 01-03-06 10:39p desktop.ini
4 file(s) 963 bytes
0 dir(s) 513.09 MB free
----- Temp -----------------------------
Volume in drive C is CENTRAL_30
Volume Serial Number is 6C24-3B91
Directory of C:\WINDOWS\TEMP
WWWF010 TMP 179 07-01-06 8:47p wwwF010.TMP
SSK LOG 2,566 07-01-06 1:57a Ssk.log
8A56EAB7 TMP 122 06-25-06 5:32a 8A56EAB7.TMP
IEC7293 TMP 344,923 02-01-02 4:23p IEC7293.TMP
4 file(s) 347,790 bytes
0 dir(s) 513.09 MB free
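Triage of a filelist.bat-style listing like the one pasted above, as an added example that is not part of the thread or of the filelist tool: it parses the DOS dir lines and flags files that share one exact size and timestamp (the run of 226,592-byte DLLs stamped 07-01-06 1:19a) and bursts of executables written within a short window. The thresholds, the extension list and the sample excerpt are the author's assumptions.

```python
"""Triage of a filelist.bat-style directory listing (DOS dir output).

Added example; it is not part of the thread or of the filelist tool. It parses
the listing format pasted above and flags two patterns a helper looks for:
  * clusters of files that share one exact size and one exact timestamp, like
    the run of 226,592-byte DLLs stamped 07-01-06 1:19a, and
  * bursts of executable files (EXE/DLL/SYS/...) written within a short window.
Thresholds and extension list are the author's assumptions, not thread facts.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, NamedTuple, Tuple

# Constructed excerpt: a dozen lines copied from the listing in the thread.
SAMPLE_LISTING = """\
----- System ---------------------------
Directory of C:\\WINDOWS\\SYSTEM
NVAPPS   XML        43,573 07-01-06  8:46p nvapps.xml
LBRTREND DLL       226,592 07-01-06  1:19a LBRTREND.DLL
QVARTZ   DLL       226,592 07-01-06  1:19a QVARTZ.DLL
DXGEST   DLL       226,592 07-01-06  1:19a DXGEST.DLL
SHLWOA   DLL       226,592 07-01-06  1:19a SHLWOA.DLL
VSL05    EXE        48,167 07-01-06  1:19a VSL05.exe
JSCRIPT  001       465,864 05-17-06 11:43a JSCRIPT.001
----- Windows --------------------------
Directory of C:\\WINDOWS
HOSTS                    0 07-01-06  8:46p hosts
WINDOW~1 LOG        28,518 07-01-06  2:58p Windows Update.log
SRVDKL~1 EXE       235,134 07-01-06  1:19a srvdkldnzi.exe
MIRAR    EXE       102,400 07-01-06  1:18a mirar.exe
CHAD_B~1 EXE       359,570 07-01-06  1:18a chad_bundle.exe
               4 file(s)        963 bytes
"""

DIR_RE = re.compile(r"^Directory of (?P<path>.+?)\s*$")
# short 8.3 name (with or without extension), size, MM-DD-YY, h:mm followed by a/p, long name
ENTRY_RE = re.compile(
    r"^(?P<short>.+?)\s+(?P<size>[\d,]+)\s+(?P<date>\d\d-\d\d-\d\d)\s+"
    r"(?P<time>\d{1,2}:\d\d[ap])\s+(?P<name>.+?)\s*$")
EXEC_EXTENSIONS = {"exe", "dll", "sys", "ocx", "vxd", "scr", "com"}


class Entry(NamedTuple):
    directory: str
    name: str
    size: int
    mtime: datetime


def is_executable(name: str) -> bool:
    """True for the executable/loadable extensions in EXEC_EXTENSIONS."""
    return name.lower().rpartition(".")[2] in EXEC_EXTENSIONS


def parse_listing(text: str) -> List[Entry]:
    """Turn the pasted listing into Entry records; volume and summary lines are skipped."""
    entries: List[Entry] = []
    current_dir = None
    for line in text.splitlines():
        m = DIR_RE.match(line)
        if m:
            current_dir = m.group("path")
            continue
        m = ENTRY_RE.match(line)
        if not m or current_dir is None:
            continue
        # "07-01-06 1:19a" -> "07-01-06 1:19AM", which strptime understands
        stamp = (m.group("date") + " " + m.group("time") + "M").upper()
        mtime = datetime.strptime(stamp, "%m-%d-%y %I:%M%p")
        size = int(m.group("size").replace(",", ""))
        entries.append(Entry(current_dir, m.group("name"), size, mtime))
    return entries


def size_time_clusters(entries: List[Entry],
                       min_members: int = 3) -> Dict[Tuple[int, datetime], List[str]]:
    """Files sharing one exact (size, mtime): typical of one dropper writing N renamed copies."""
    groups: Dict[Tuple[int, datetime], List[str]] = defaultdict(list)
    for e in entries:
        groups[(e.size, e.mtime)].append(e.name)
    return {key: names for key, names in groups.items() if len(names) >= min_members}


def executable_bursts(entries: List[Entry], window: timedelta = timedelta(minutes=2),
                      min_count: int = 3) -> List[List[Entry]]:
    """Greedy sweep over executables sorted by mtime; a burst is >= min_count files
    written within `window` of the burst's first file."""
    execs = sorted((e for e in entries if is_executable(e.name)), key=lambda e: e.mtime)
    bursts: List[List[Entry]] = []
    current: List[Entry] = []
    for e in execs:
        if current and e.mtime - current[0].mtime > window:
            if len(current) >= min_count:
                bursts.append(current)
            current = []
        current.append(e)
    if len(current) >= min_count:
        bursts.append(current)
    return bursts


def triage_report(text: str) -> List[str]:
    """Human-readable lines for the two checks above."""
    entries = parse_listing(text)
    lines = [f"{len(entries)} file entries parsed"]
    for (size, mtime), names in size_time_clusters(entries).items():
        lines.append(f"CLUSTER {size} bytes @ {mtime:%Y-%m-%d %H:%M}: {', '.join(sorted(names))}")
    for burst in executable_bursts(entries):
        start, end = burst[0].mtime, burst[-1].mtime
        lines.append(f"BURST {start:%H:%M}-{end:%H:%M}: " + ", ".join(e.name for e in burst))
    return lines


if __name__ == "__main__":
    print("\n".join(triage_report(SAMPLE_LISTING)))
```

Files written at boot time (the 8:46p logs and registry hives) are not executables and so do not trip the burst check, but a cluster or burst is a prompt to read the version information, not a verdict on its own.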
Hello Ming294
You have a lot of unknown files on your system. We want to know more about these files. That means that we will have to analyse this software.
Make sure you set windows to see the hidden files and folders (http://www.xtra.co.nz/help/0,,4155-1916458,00.html).
Locate these files:
C:\WINDOWS\SYSTEM\CmiCnfg.ini
C:\WINDOWS\SYSTEM\uzt915fb.sys
C:\WINDOWS\SYSTEM\LBRTREND.DLL
C:\WINDOWS\SYSTEM\QVARTZ.DLL
C:\WINDOWS\SYSTEM\DXGEST.DLL
C:\WINDOWS\SYSTEM\VSL05.exe
C:\WINDOWS\SYSTEM\uzt915fb.dll
C:\WINDOWS\SYSTEM\w0112e10.dll
C:\WINDOWS\SYSTEM\uninstIcn.exe
C:\WINDOWS\SYSTEM\icon_mediamotor.exe
C:\WINDOWS\SYSTEM\nodeipproc.dll
C:\WINDOWS\SYSTEM\JSCRIPT.001
C:\WINDOWS\unq32.dat
C:\WINDOWS\win320787318143132006.exe
C:\WINDOWS\sys021431387318.exe
C:\WINDOWS\srvdkldnzi.exe
C:\WINDOWS\srvgvfjyzb.exe
C:\WINDOWS\mm06y.ini
C:\WINDOWS\chad_bundle.exe
C:\WINDOWS\elpp100drop.exe
Right-click each file and read Properties > Version.
I need to know the company name, the file version, description and the copyright.
Please copy this information about every file to your thread.
For the greatest safety, it is recommended that you do not do online banking, file sharing, mailing, messaging, uploads and downloads except to security sites until your system is formatted or cleaned up.
Please remove the network cable/phone line from your machine.
Take a look at "Security Tips" in my signature.
-----------------------
Thanks again for the help...you guys are great.
Here's what I found. It's not much I'm afraid.
C:\WINDOWS\SYSTEM\CmiCnfg.ini___Configuration Settings___no other data
Cmicnfg.cpl___version 1, 0, 41, 12___Copyright (C) C-Media Corp. 2001-2002___CmiCnfg Dynamic Link Library
C:\WINDOWS\SYSTEM\uzt915fb.sys____no data
C:\WINDOWS\SYSTEM\LBRTREND.DLL___Nic Tech Networks___no other data
C:\WINDOWS\SYSTEM\QVARTZ.DLL___Nic Tech Networks___no other data
C:\WINDOWS\SYSTEM\DXGEST.DLL___Nic Tech Networks___no other data
C:\WINDOWS\SYSTEM\VSL05.exe___not there anymore
C:\WINDOWS\SYSTEM\uzt915fb.dll___no data
C:\WINDOWS\SYSTEM\w0112e10.dll___no data
C:\WINDOWS\SYSTEM\uninstIcn.exe___no data
C:\WINDOWS\SYSTEM\icon_mediamotor.exe___no data
C:\WINDOWS\SYSTEM\nodeipproc.dll___1, 0, 0, 1___OddBot Module___Copyright 2006___company name is "$"
C:\WINDOWS\SYSTEM\JSCRIPT.001___5.6.0.8831___Microsoft (r) JScript___Copyright © Microsoft Corp. 2002
C:\WINDOWS\unq32.dat___no data
C:\WINDOWS\win320787318143132006.exe___1.00.0019___product name is "saggy19"___no other data
C:\WINDOWS\sys021431387318.exe__.00.0019___product name is "saggy19"___no other data
C:\WINDOWS\srvdkldnzi.exe___no data
C:\WINDOWS\srvgvfjyzb.exe___no data
C:\WINDOWS\mm06y.ini___config setting___no other data
C:\WINDOWS\chad_bundle.exe___no data
C:\WINDOWS\elpp100drop.exe___no data
There was a file that did not appear on your list that I know is part of the problem. It's SHLWOA.dll and it boots up in regular and in safe mode and cannot be deleted because Windows is using it. I tried to use the "delete on startup" option tool in HJT but that didn't work. This software is also a Nic Tech product.
I'm almost ready to reformat this PC....lol. I'm so mad.
BTW...if I unplug the network cable, the popups quit coming. Hey! That's the solution!!! I'll just not go on the net anymore...then no more popups. Excuse my sarcasm, please. Thanks again for the help.
Hello Ming
Thank you for the information about the files :thumbup:
Now we will have to go on; we need to find out which kind of malware it is...
I am able to understand your sarcasm very well... :rolleyes:
Where did you get all these files from?
Please scan these files with HJT (http://www.hijackthis.de/avcheck.php) and VirusTotal (http://www.virustotal.com/flash/index_en.html) and/or Jotti (http://virusscan.jotti.org/de/):
C:\WINDOWS\SYSTEM\CmiCnfg.ini
C:\WINDOWS\SYSTEM\uzt915fb.sys
C:\WINDOWS\SYSTEM\LBRTREND.DLL
C:\WINDOWS\SYSTEM\QVARTZ.DLL
C:\WINDOWS\SYSTEM\DXGEST.DLL
C:\WINDOWS\SYSTEM\uzt915fb.dll
C:\WINDOWS\SYSTEM\w0112e10.dll
C:\WINDOWS\SYSTEM\uninstIcn.exe
C:\WINDOWS\SYSTEM\icon_mediamotor.exe
C:\WINDOWS\SYSTEM\nodeipproc.dll
C:\WINDOWS\unq32.dat
C:\WINDOWS\win320787318143132006.exe
C:\WINDOWS\sys021431387318.exe
C:\WINDOWS\srvdkldnzi.exe
C:\WINDOWS\srvgvfjyzb.exe
C:\WINDOWS\mm06y.ini
C:\WINDOWS\chad_bundle.exe
C:\WINDOWS\elpp100drop.exe
Please let us know all the results of the scans by copy & paste (look at this example (http://forum.hijackthis.de/showthread.php?t=9060)).
Hello Ruby,
I cannot thank you and your partners enough for the help!!! I stayed up all night scanning with VirusTotal and HJT. From your list of potential problems, 6 or 7 showed positives. HJT only caught the CHAD exec. I scanned other things that looked suspicious and found 3 or 4 more. I will post the logs if you are interested.
I deleted the bad items, but the SHLWOA.dll was in constant use by Windows. The HJT "delete on startup" tool didn't work, so I reinstalled an old floppy drive to use the boot diskette. The floppy drive was dead so I installed another HD and put XP Home on it. So finally, after booting in XP, I was able to delete SHLWOA from my Win98SE.
Now there are no more popups, nor does my web browser launch by itself!!! I believe the malware came from a site called metacafe.com. It's loaded with ads. It's a great source of entertainment but I'll run all tools from your tutorials after each visit to that site.
I did have system freezes due to the fact that I had McAfee and advir turned on at the same time. Now I just use Avast which does not use as many system resources.
I do have another question. In all the sweeping, WordPad has quit working. I can still find pieces of the program. I've searched all over the Microsoft website for a fix. Also searched other web places. Nothing!!! Is there a way to restore this program in 98SE without reinstalling the whole system?
Well, thanks again. Although I could have reformatted my computer 10 times in the time I've spent on this so far, I did learn very valuable lessons. I was gambling without protection for 9 months. I could have gone longer if not for metacafe. LOL I'm not gambling anymore.
Hello Ming
I am not so enthusiastic about what you did :(
We need to see all the information from all online scans of all the files we asked for.
When there are files which are unknown new malware, we ask our users to upload these files so that the producers of antivirus and removal tools get a chance to add this new malware to their products. That means that our users are protected in future from this new malware.
What do you want to do now? I have got no results.. I don't know which malware has remained on your system.. I don't know anything. How shall I go on now? Perhaps you can post another new filelist.bat of the same time?
Perhaps you would rather format and rebuild your system? Any idea?
Word processor freeware (http://www.snapfiles.com/reviews/Jarte/jarte.html) (to replace WordPad):
FAQ (http://www.jarte.com/faq.html#assoc): How do I associate a file type to Jarte (http://www.jarte.com/features.html) so that files of that type always open in Jarte whenever I double click on them?
Windows 95, Windows 98, & Windows NT:
o Find a file of the type you want to associate to Jarte in My Computer or in the Windows Explorer.
o Right click on the file while holding the Shift key down and select Open With from the pop-up menu.
o Select Jarte in the pop-up box. If Jarte is not in the list then click the Other button and find the Jarte program file. The Jarte program file is usually located at C:\Program Files\Jarte\Jarte.exe.
o Be sure the Always use this program check box is checked and then click Ok.
o You're done! Now do the same thing with an RTF file, TXT file, and any others you want Jarte (http://www.jarte.com/) to handle.
(Windows 98 Tutorial (http://www.bcschools.net/staff/Windows98.htm))
I'm sorry Ruby. I thought I was saving you from extra work. I didn't realize that you needed to track the data.
Below are the items that Virustotal found.
Complete scanning result of "elpp100drop.exe", received in VirusTotal at 07.04.2006, 19:45:51 (CET).
Antivirus Version Update Result
AntiVir 6.35.0.20 07.04.2006 no virus found
Authentium 4.93.8 07.03.2006 no virus found
Avast 4.7.844.0 07.03.2006 no virus found
AVG 386 07.04.2006 no virus found
BitDefender 7.2 07.04.2006 no virus found
CAT-QuickHeal 8.00 07.04.2006 no virus found
ClamAV devel-20060426 07.04.2006 no virus found
DrWeb 4.33 07.04.2006 no virus found
eTrust-InoculateIT 23.72.59 07.04.2006 no virus found
eTrust-Vet 12.6.2285 07.04.2006 no virus found
Ewido 3.5 07.04.2006 no virus found
Fortinet 2.77.0.0 07.03.2006 no virus found
F-Prot 3.16f 07.03.2006 no virus found
F-Prot4 4.2.1.29 07.03.2006 no virus found
Ikarus 0.2.65.0 07.04.2006 no virus found
Kaspersky 4.0.2.24 07.04.2006 no virus found
McAfee 4799 07.04.2006 no virus found
Microsoft 1.1481 07.01.2006 no virus found
NOD32v2 1.1643 07.04.2006 no virus found
Norman 5.90.23 07.04.2006 no virus found
Panda 9.0.0.4 07.04.2006 no virus found
Sophos 4.07.0 07.04.2006 no virus found
Symantec 8.0 07.04.2006 no virus found
TheHacker 5.9.8.168 07.03.2006 Backdoor/IRC.Zapchast
UNA 1.83 07.04.2006 no virus found
VBA32 3.11.0 07.04.2006 no virus found
VirusBuster 4.3.7:9 07.04.2006 no virus found
Complete scanning result of "icon_mediamotor.exe", received in VirusTotal at 07.04.2006, 20:01:17 (CET).
Antivirus Version Update Result
AntiVir 6.35.0.20 07.04.2006 no virus found
Authentium 4.93.8 07.03.2006 no virus found
Avast 4.7.844.0 07.03.2006 no virus found
AVG 386 07.04.2006 no virus found
BitDefender 7.2 07.04.2006 no virus found
CAT-QuickHeal 8.00 07.04.2006 no virus found
ClamAV devel-20060426 07.04.2006 no virus found
DrWeb 4.33 07.04.2006 Adware.Iconclick
eTrust-InoculateIT 23.72.59 07.04.2006 no virus found
eTrust-Vet 12.6.2285 07.04.2006 no virus found
Ewido 3.5 07.04.2006 no virus found
Fortinet 2.77.0.0 07.03.2006 no virus found
F-Prot 3.16f 07.03.2006 no virus found
F-Prot4 4.2.1.29 07.03.2006 no virus found
Ikarus 0.2.65.0 07.04.2006 no virus found
Kaspersky 4.0.2.24 07.04.2006 not-a-virus:AdWare.Win32.BHO.ao
McAfee 4799 07.04.2006 no virus found
Microsoft 1.1481 07.01.2006 no virus found
NOD32v2 1.1643 07.04.2006 no virus found
Norman 5.90.23 07.04.2006 no virus found
Panda 9.0.0.4 07.04.2006 no virus found
Sophos 4.07.0 07.04.2006 no virus found
Symantec 8.0 07.04.2006 no virus found
TheHacker 5.9.8.168 07.03.2006 no virus found
UNA 1.83 07.04.2006 no virus found
VBA32 3.11.0 07.04.2006 no virus found
VirusBuster 4.3.7:9 07.04.2006 no virus found
Aditional Information
File size: 235228 bytes
MD5: 1c9dcacb1a810b9df9e5552515ddf7ab
SHA1: eccd5dc31f7a251e21c1aa4a1bc9662b3e820a8c
Complete scanning result of "mirar.exe", received in VirusTotal at 07.04.2006, 20:31:20 (CET).
Antivirus Version Update Result
AntiVir 6.35.0.20 07.04.2006 ADSPY/NetNucleus.A
Authentium 4.93.8 07.03.2006 no virus found
Avast 4.7.844.0 07.03.2006 no virus found
AVG 386 07.04.2006 Adware Generic.NZB
BitDefender 7.2 07.04.2006 no virus found
CAT-QuickHeal 8.00 07.04.2006 no virus found
ClamAV devel-20060426 07.04.2006 no virus found
DrWeb 4.33 07.04.2006 no virus found
eTrust-InoculateIT 23.72.59 07.04.2006 no virus found
eTrust-Vet 12.6.2285 07.04.2006 no virus found
Ewido 3.5 07.04.2006 Adware.NetNucleus
Fortinet 2.77.0.0 07.03.2006 Adware/Mirar
F-Prot 3.16f 07.03.2006 no virus found
F-Prot4 4.2.1.29 07.03.2006 no virus found
Ikarus 0.2.65.0 07.04.2006 no virus found
Kaspersky 4.0.2.24 07.04.2006 not-a-virus:AdWare.Win32.NetNucleus
McAfee 4799 07.04.2006 potentially unwanted program Adware-Mirar
Microsoft 1.1481 07.01.2006 no virus found
NOD32v2 1.1644 07.04.2006 probably unknown NewHeur_PE virus
Norman 5.90.23 07.04.2006 W32/NetNucleus.C
Panda 9.0.0.4 07.04.2006 Adware/Mirar
Sophos 4.07.0 07.04.2006 no virus found
Symantec 8.0 07.04.2006 no virus found
TheHacker 5.9.8.168 07.03.2006 no virus found
UNA 1.83 07.04.2006 Adware.NetNucleus
VBA32 3.11.0 07.04.2006 AdWare.Win32.NetNucleus
VirusBuster 4.3.7:9 07.04.2006 no virus found
Aditional Information
File size: 102400 bytes
MD5: a9c2b4bbfd6f9d26983dce68b2ecbe11
SHA1: bb33ad59f1b8a6ba60b9e94f23821514f15507f0
Complete scanning result of "nodeipproc.dll", received in VirusTotal at 07.04.2006, 20:08:40 (CET).
Antivirus Version Update Result
AntiVir 6.35.0.20 07.04.2006 no virus found
Authentium 4.93.8 07.03.2006 no virus found
Avast 4.7.844.0 07.03.2006 no virus found
AVG 386 07.04.2006 no virus found
BitDefender 7.2 07.04.2006 no virus found
CAT-QuickHeal 8.00 07.04.2006 no virus found
ClamAV devel-20060426 07.04.2006 no virus found
DrWeb 4.33 07.04.2006 Adware.Iconclick
eTrust-InoculateIT 23.72.59 07.04.2006 no virus found
eTrust-Vet 12.6.2285 07.04.2006 no virus found
Ewido 3.5 07.04.2006 no virus found
Fortinet 2.77.0.0 07.03.2006 no virus found
F-Prot 3.16f 07.03.2006 no virus found
F-Prot4 4.2.1.29 07.03.2006 no virus found
Ikarus 0.2.65.0 07.04.2006 no virus found
Kaspersky 4.0.2.24 07.04.2006 not-a-virus:AdWare.Win32.BHO.ao
McAfee 4799 07.04.2006 no virus found
Microsoft 1.1481 07.01.2006 no virus found
NOD32v2 1.1643 07.04.2006 no virus found
Norman 5.90.23 07.04.2006 no virus found
Panda 9.0.0.4 07.04.2006 Suspicious file
Sophos 4.07.0 07.04.2006 no virus found
Symantec 8.0 07.04.2006 no virus found
TheHacker 5.9.8.168 07.03.2006 no virus found
UNA 1.83 07.04.2006 no virus found
VBA32 3.11.0 07.04.2006 no virus found
VirusBuster 4.3.7:9 07.04.2006 no virus found
Aditional Information
File size: 389120 bytes
MD5: 06a7b755f62c8833267f93bfad8bea8e
SHA1: 1f9e2054dc21dfba9999bb38d97189461df18c91
Complete scanning result of "qdsszem.exe", received in VirusTotal at 07.04.2006, 21:13:19 (CET).
Antivirus Version Update Result
AntiVir 6.35.0.20 07.04.2006 no virus found
Authentium 4.93.8 07.03.2006 no virus found
Avast 4.7.844.0 07.03.2006 no virus found
AVG 386 07.04.2006 Clicker.BHH
BitDefender 7.2 07.04.2006 Trojan.Clicker.VB.BX
CAT-QuickHeal 8.00 07.04.2006 no virus found
ClamAV devel-20060426 07.04.2006 no virus found
DrWeb 4.33 07.04.2006 Trojan.Popuper
eTrust-InoculateIT 23.72.59 07.04.2006 Win32/SillyDL.846240!Trojan
eTrust-Vet 12.6.2285 07.04.2006 Win32/Notiex.E
Ewido 3.5 07.04.2006 Hijacker.VB.ij
Fortinet 2.77.0.0 07.03.2006 W32/Small.IJ!tr
F-Prot 3.16f 07.03.2006 no virus found
F-Prot4 4.2.1.29 07.03.2006 no virus found
Ikarus 0.2.65.0 07.04.2006 Trojan-Clicker.Win32.VB.ij
Kaspersky 4.0.2.24 07.04.2006 Trojan-Clicker.Win32.VB.ij
McAfee 4799 07.04.2006 no virus found
Microsoft 1.1481 07.01.2006 TrojanDownloader:Win32/Small!AA7A
NOD32v2 1.1644 07.04.2006 probably a variant of Win32/TrojanDownloader.VB.HJ
Norman 5.90.23 07.04.2006 no virus found
Panda 9.0.0.4 07.04.2006 Adware/2Z0o
Sophos 4.07.0 07.04.2006 no virus found
Symantec 8.0 07.04.2006 Trojan.Popper
TheHacker 5.9.8.168 07.03.2006 no virus found
UNA 1.83 07.04.2006 TrojanClicker.Win32.VB
VBA32 3.11.0 07.04.2006 Trojan-Clicker.Win32.VB.ij
VirusBuster 4.3.7:9 07.04.2006 no virus found
Aditional Information
File size: 983728 bytes
MD5: f1c08994f7ac3359049163c20721fab3
SHA1: 2b26366c1f00a8c19c9e34abb4f1f1e7bac1c5cf
Complete scanning result of "uni_ehhh.exe", received in VirusTotal at 07.04.2006, 20:38:05 (CET).
Antivirus Version Update Result
AntiVir 6.35.0.20 07.04.2006 ADSPY/DigInk.A
Authentium 4.93.8 07.03.2006 no virus found
Avast 4.7.844.0 07.03.2006 no virus found
AVG 386 07.04.2006 Generic.WMI
BitDefender 7.2 07.04.2006 no virus found
CAT-QuickHeal 8.00 07.04.2006 no virus found
ClamAV devel-20060426 07.04.2006 no virus found
DrWeb 4.33 07.04.2006 no virus found
eTrust-InoculateIT 23.72.59 07.04.2006 no virus found
eTrust-Vet 12.6.2285 07.04.2006 no virus found
Ewido 3.5 07.04.2006 no virus found
Fortinet 2.77.0.0 07.03.2006 suspicious
F-Prot 3.16f 07.03.2006 no virus found
F-Prot4 4.2.1.29 07.03.2006 no virus found
Ikarus 0.2.65.0 07.04.2006 no virus found
Kaspersky 4.0.2.24 07.04.2006 no virus found
McAfee 4799 07.04.2006 no virus found
Microsoft 1.1481 07.01.2006 TagAsaurus (threat-c)
NOD32v2 1.1644 07.04.2006 no virus found
Norman 5.90.23 07.04.2006 no virus found
Panda 9.0.0.4 07.04.2006 Adware/DigInk
Sophos 4.07.0 07.04.2006 no virus found
Symantec 8.0 07.04.2006 no virus found
TheHacker 5.9.8.168 07.03.2006 no virus found
UNA 1.83 07.04.2006 no virus found
VBA32 3.11.0 07.04.2006 no virus found
VirusBuster 4.3.7:9 07.04.2006 no virus found
Aditional Information
File size: 57344 bytes
MD5: 0205c15da605add27e08faa0d5b09177
SHA1: 9df280f886dcd96cd7ce064af115ca82294f5d17
Complete scanning result of "unin101.exe", received in VirusTotal at 07.04.2006, 20:40:23 (CET).
Antivirus Version Update Result
AntiVir 6.35.0.20 07.04.2006 ADSPY/DigInk
Authentium 4.93.8 07.03.2006 no virus found
Avast 4.7.844.0 07.03.2006 Win32:VB-NY
AVG 386 07.04.2006 Downloader.Generic2.CYH
BitDefender 7.2 07.04.2006 no virus found
CAT-QuickHeal 8.00 07.04.2006 no virus found
ClamAV devel-20060426 07.04.2006 no virus found
DrWeb 4.33 07.04.2006 Trojan.Click.1166
eTrust-InoculateIT 23.72.59 07.04.2006 no virus found
eTrust-Vet 12.6.2285 07.04.2006 no virus found
Ewido 3.5 07.04.2006 Hijacker.Small
Fortinet 2.77.0.0 07.03.2006 Dloader.S!tr
F-Prot 3.16f 07.03.2006 no virus found
F-Prot4 4.2.1.29 07.03.2006 no virus found
Ikarus 0.2.65.0 07.04.2006 no virus found
Kaspersky 4.0.2.24 07.04.2006 no virus found
McAfee 4799 07.04.2006 Generic Downloader.s
Microsoft 1.1481 07.01.2006 TagAsaurus (threat-c)
NOD32v2 1.1644 07.04.2006 no virus found
Norman 5.90.23 07.04.2006 no virus found
Panda 9.0.0.4 07.04.2006 Adware/DigInk
Sophos 4.07.0 07.04.2006 no virus found
Symantec 8.0 07.04.2006 no virus found
TheHacker 5.9.8.168 07.03.2006 no virus found
UNA 1.83 07.04.2006 no virus found
VBA32 3.11.0 07.04.2006 Trojan.Click.1166
VirusBuster 4.3.7:9 07.04.2006 no virus found
Aditional Information
File size: 53248 bytes
MD5: 8bf5212d23abe8f5671111ba1f8341f4
SHA1: 9a5813cfadf905c0763fc6338cfa329b3a24112d
This is what Spybot found.
--- Report generated: 2006-07-07 22:16 ---
7FaSSt: Type library (Registry key, nothing done)
HKEY_CLASSES_ROOT\TypeLib\{3277CD27-4001-4EF8-9D96-C6CA745AC2F9}
CoolWWWSearch: IE Search page (Registry change, nothing done)
HKEY_USERS.DEFAULT\Software\Microsoft\Internet Explorer\Search\SearchAssistant Explorer\Main\Default_Search_URL=about:blank
CAS-Client: Data (File, nothing done)
C:\WINDOWS\jptc.dat
Command Service: Data (File, nothing done)
C:\windows\newname.dat
eAcceleration: Library (File, nothing done)
C:\WINDOWS\SYSTEM\sporder.dll
Smitfraud-C.: Settings (Registry key, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\drsmartload2
Smitfraud-C.: Settings (Registry value, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
Smitfraud-C.: Data (File, nothing done)
c:\windows\drsmartload2.dat
Smitfraud-C.: Class ID (Registry key, nothing done)
HKEY_CLASSES_ROOT\Interface\{3517FB25-305D-4012-B531-186E3851E7ED}
Smitfraud-C.: Class ID (Registry key, nothing done)
HKEY_CLASSES_ROOT\Interface\{4781DAA6-4DE5-47A1-B02A-945F0D017A9E}
Web-Nexus: Settings (Registry key, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\qstat
Alexa Related: Link (Replace file, nothing done)
C:\WINDOWS\Web\RELATED.HTM
YazzleSnowball_Wars: Settings (Registry key, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Snowball Wars
Winsoftware.WinAntiVirusPro2006: Tracking cookie (Internet Explorer: ming) (Cookie, nothing done)
WebTrends live: Tracking cookie (Internet Explorer: ming) (Cookie, nothing done)
CasaleMedia: Tracking cookie (Internet Explorer: ming) (Cookie, nothing done)
Avenue A, Inc.: Tracking cookie (Internet Explorer: ming) (Cookie, nothing done)
SurfSideKick: Tracking cookie (Internet Explorer: ming) (Cookie, nothing done)
Winsoftware.WinAntiVirusPro2006: Tracking cookie (Internet Explorer: ming) (Cookie, nothing done)
Advertising.com: Tracking cookie (Internet Explorer: ming) (Cookie, nothing done)
DoubleClick: Tracking cookie (Internet Explorer: ming) (Cookie, nothing done)
MediaMotor: Tracking cookie (Internet Explorer: ming) (Cookie, nothing done)
Winsoftware.WinAntiVirusPro2006: Tracking cookie (Internet Explorer: ming) (Cookie, nothing done)
MediaMotor: Tracking cookie (Internet Explorer: ming) (Cookie, nothing done)
LinkSynergy: Tracking cookie (Internet Explorer: ming) (Cookie, nothing done)
Winsoftware.WinAntiVirusPro2006: Tracking cookie (Internet Explorer: ming) (Cookie, nothing done)
Advertising.com: Tracking cookie (Firefox: default) (Cookie, nothing done)
Advertising.com: Tracking cookie (Firefox: default) (Cookie, nothing done)
Advertising.com: Tracking cookie (Firefox: default) (Cookie, nothing done)
Advertising.com: Tracking cookie (Firefox: default) (Cookie, nothing done)
Advertising.com: Tracking cookie (Firefox: default) (Cookie, nothing done)
Avenue A, Inc.: Tracking cookie (Firefox: default) (Cookie, nothing done)
CasaleMedia: Tracking cookie (Firefox: default) (Cookie, nothing done)
CasaleMedia: Tracking cookie (Firefox: default) (Cookie, nothing done)
CasaleMedia: Tracking cookie (Firefox: default) (Cookie, nothing done)
CasaleMedia: Tracking cookie (Firefox: default) (Cookie, nothing done)
DoubleClick: Tracking cookie (Firefox: default) (Cookie, nothing done)
MediaPlex: Tracking cookie (Firefox: default) (Cookie, nothing done)
Advertising.com: Tracking cookie (Firefox: default) (Cookie, nothing done)
Winsoftware.WinAntiVirusPro2006: Tracking cookie (Firefox: default) (Cookie, nothing done)
--- Spybot - Search & Destroy version: 1.4 (build: 20050523) ---
2006-07-07 unins000.exe (51.41.0.0)
2005-05-31 blindman.exe (1.0.0.1)
2005-05-31 SpybotSD.exe (1.4.0.3)
2005-05-31 TeaTimer.exe (1.4.0.2)
2005-05-31 Update.exe (1.4.0.0)
2006-02-06 advcheck.dll (1.0.2.0)
2005-05-31 aports.dll (2.1.0.0)
2005-05-31 borlndmm.dll (7.0.4.453)
2005-05-31 delphimm.dll (7.0.4.453)
2005-05-31 SDHelper.dll (1.4.0.0)
2006-02-20 Tools.dll (2.0.0.2)
2005-05-31 UnzDll.dll (1.73.1.1)
2005-05-31 ZipDll.dll (1.73.2.0)
2006-07-07 Includes\Cookies.sbi (*)
2006-07-07 Includes\Dialer.sbi (*)
2006-07-07 Includes\Hijackers.sbi (*)
2006-07-07 Includes\Keyloggers.sbi (*)
2004-11-29 Includes\LSP.sbi (*)
2006-07-07 Includes\Malware.sbi (*)
2006-07-07 Includes\PUPS.sbi (*)
2006-07-07 Includes\Revision.sbi (*)
2006-07-07 Includes\Security.sbi (*)
2006-07-07 Includes\Spybots.sbi (*)
2005-02-17 Includes\Tracks.uti
2006-07-07 Includes\Trojans.sbi (*)
And this is the fix log.
--- Report generated: 2006-07-07 22:24 ---
7FaSSt: Type library (Registry key, fixed)
HKEY_CLASSES_ROOT\TypeLib\{3277CD27-4001-4EF8-9D96-C6CA745AC2F9}
CoolWWWSearch: IE Search page (Registry change, fixed)
HKEY_USERS.DEFAULT\Software\Microsoft\Internet Explorer\Search\SearchAssistant Explorer\Main\Default_Search_URL=about:blank
CAS-Client: Data (File, fixed)
C:\WINDOWS\jptc.dat
Command Service: Data (File, fixed)
C:\windows\newname.dat
eAcceleration: Library (File, fixed)
C:\WINDOWS\SYSTEM\sporder.dll
Smitfraud-C.: Settings (Registry key, fixed)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\drsmartload2
Smitfraud-C.: Settings (Registry value, fixed)
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
Smitfraud-C.: Data (File, fixed)
c:\windows\drsmartload2.dat
Smitfraud-C.: Class ID (Registry key, fixed)
HKEY_CLASSES_ROOT\Interface\{3517FB25-305D-4012-B531-186E3851E7ED}
Smitfraud-C.: Class ID (Registry key, fixed)
HKEY_CLASSES_ROOT\Interface\{4781DAA6-4DE5-47A1-B02A-945F0D017A9E}
Web-Nexus: Settings (Registry key, fixed)
HKEY_LOCAL_MACHINE\SOFTWARE\qstat
Alexa Related: Link (Replace file, fixed)
C:\WINDOWS\Web\RELATED.HTM
YazzleSnowball_Wars: Settings (Registry key, fixed)
HKEY_LOCAL_MACHINE\SOFTWARE\Snowball Wars
Winsoftware.WinAntiVirusPro2006: Tracking cookie (Internet Explorer: ming) (Cookie, fixed)
WebTrends live: Tracking cookie (Internet Explorer: ming) (Cookie, fixed)
CasaleMedia: Tracking cookie (Internet Explorer: ming) (Cookie, fixed)
Avenue A, Inc.: Tracking cookie (Internet Explorer: ming) (Cookie, fixed)
SurfSideKick: Tracking cookie (Internet Explorer: ming) (Cookie, fixed)
Winsoftware.WinAntiVirusPro2006: Tracking cookie (Internet Explorer: ming) (Cookie, fixed)
Advertising.com: Tracking cookie (Internet Explorer: ming) (Cookie, fixed)
DoubleClick: Tracking cookie (Internet Explorer: ming) (Cookie, fixed)
MediaMotor: Tracking cookie (Internet Explorer: ming) (Cookie, fixed)
Winsoftware.WinAntiVirusPro2006: Tracking cookie (Internet Explorer: ming) (Cookie, fixed)
MediaMotor: Tracking cookie (Internet Explorer: ming) (Cookie, fixed)
LinkSynergy: Tracking cookie (Internet Explorer: ming) (Cookie, fixed)
Winsoftware.WinAntiVirusPro2006: Tracking cookie (Internet Explorer: ming) (Cookie, fixed)
Advertising.com: Tracking cookie (Firefox: default) (Cookie, fixed)
Advertising.com: Tracking cookie (Firefox: default) (Cookie, fixed)
Advertising.com: Tracking cookie (Firefox: default) (Cookie, fixed)
Advertising.com: Tracking cookie (Firefox: default) (Cookie, fixed)
Advertising.com: Tracking cookie (Firefox: default) (Cookie, fixed)
Avenue A, Inc.: Tracking cookie (Firefox: default) (Cookie, fixed)
CasaleMedia: Tracking cookie (Firefox: default) (Cookie, fixed)
CasaleMedia: Tracking cookie (Firefox: default) (Cookie, fixed)
CasaleMedia: Tracking cookie (Firefox: default) (Cookie, fixed)
CasaleMedia: Tracking cookie (Firefox: default) (Cookie, fixed)
DoubleClick: Tracking cookie (Firefox: default) (Cookie, fixed)
MediaPlex: Tracking cookie (Firefox: default) (Cookie, fixed)
Advertising.com: Tracking cookie (Firefox: default) (Cookie, fixed)
Winsoftware.WinAntiVirusPro2006: Tracking cookie (Firefox: default) (Cookie, fixed)
Here is a new HJT Log
Logfile of HijackThis v1.99.1
Scan saved at 10:49:56 PM, on 7/8/06
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
C:\WINDOWS\SYSTEM\KB918547\KB918547.EXE
C:\PCMACLAN\ATMSG.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHSERV.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\2WIRE\GATEWAY\2PORTALMON.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHWEBSV.EXE
C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHMAISV.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\MOZILLA FIREFOX\FIREFOX.EXE
C:\WINDOWS\DESKTOP\SPYWARE\HIJACKTHIS_V1.99.1.EXE
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://yahoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://rd.yahoo.com/customize/sbcydsl/defaults/su/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://rd.yahoo.com/customize/sbcydsl/defaults/sb/*http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://rd.yahoo.com/customize/sbcydsl/defaults/su/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YT.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [2wSysTray] C:\PROGRAM FILES\2WIRE\GATEWAY\2PORTALMON.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\SYSTEM\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\SYSTEM\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [avast! Web Scanner] C:\PROGRA~1\ALWILS~1\AVAST4\ASHWEBSV.EXE
O4 - HKLM\..\Run: [ashMaiSv] C:\PROGRA~1\ALWILS~1\AVAST4\ashmaisv.exe
O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
O4 - HKLM\..\RunServices: [KB918547] C:\WINDOWS\SYSTEM\KB918547\KB918547.EXE
O4 - HKLM\..\RunServices: [Miramar Systems' PC MACLAN] c:\pcmaclan\ATMsg.exe -service
O4 - HKLM\..\RunServices: [SchedulingAgent] C:\WINDOWS\SYSTEM\mstask.exe
O4 - HKLM\..\RunServices: [avast!] C:\Program Files\Alwil Software\Avast4\ashServ.exe
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRAM FILES\JAVA\JRE1.5.0_06\BIN\SSV.DLL
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRAM FILES\JAVA\JRE1.5.0_06\BIN\SSV.DLL
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/mcfscan/2,1,0,4749/mcfscan.cab
This is a new file list
Hello Ming
Please download a trial version from www.kaspersky.com (http://www.kaspersky.com/trials)
(Kaspersky Anti-Virus 6.0).
Update the program online.
Now turn off your computer and remove the network cable/phone line from your machine.
Reboot your computer in Safe Mode (http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406?OpenDocument&src=sec_doc_nam)
Scan your system with Kaspersky in Safe Mode.
Let the program delete everything it finds.
Save the logfile or post a screenshot of everything that was found.
-> Post the Kaspersky logfile, please. Thank you.
Please note: shut down your other antivirus while working with KAV, otherwise your system could crash.
These files could not be quarantined, so they were deleted
deleted: adware not-a-virus:AdWare.Win32.MediaTickets.u File: c:\WINDOWS\mtuninst.exe/UPX
deleted: adware not-a-virus:AdWare.Win32.BHO.ao File: c:\WINDOWS\SYSTEM\nodeipproc.dll
deleted: adware not-a-virus:AdWare.Win32.BHO.ao File: c:\System Volume Information\_restore{A6DD6DCB-89B0-454F-8909-D26EA2D6B0D1}\RP1\A0000039.EXE/stream/data0001
deleted: adware not-a-virus:AdWare.Win32.PurityScan.ep File: c:\System Volume Information\_restore{A6DD6DCB-89B0-454F-8909-D26EA2D6B0D1}\RP1\A0000040.EXE/data0002
deleted: adware not-a-virus:AdWare.Win32.Look2Me.ap File: c:\System Volume Information\_restore{A6DD6DCB-89B0-454F-8909-D26EA2D6B0D1}\RP1\A0000043.DLL/FakeNeo
Hello Ming
Please follow these instructions:
Please print out these instructions or save them as a text file (*.txt),
since we will ask you to work offline in safe mode.
Follow the numbers.
1
Download for free:
clearprog (http://www.clearprog.de/index.php?lang=en)
2
Disconnect from the Internet.
3
Boot into safe mode (http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406?OpenDocument&src=sec_doc_nam).
4
Delete the content of the temporary folders:
4-1
Go to START > Run, type: cleanmgr and click OK.
Let it scan your system for files to remove.
Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked. Press OK to remove them.
4-2
Go to START > Run, type %temp% and press [Enter]. Do this for every account.
4-3
Go to START > Control Panel > Internet Options > Programs tab and click "Restore web settings".
4-4
1) Open Control Panel
2) Click on Internet Options
3) On the General Tab, in the middle of the screen, click on Delete Files
4) You may also want to check the box "Delete all offline content"
5) Click on OK and wait for the hourglass icon to stop after it deletes the temporary internet files
6) You can now click on Delete Cookies and click OK to delete cookies that websites have placed on your hard drive
4-5
Delete the whole content of C:\Documents and Settings\Your Name\Local Settings\Temp <== this folder.
5
Reboot your system into normal mode.
6
Run ClearProg.
"Clear all" and "Clear" must be checkmarked.
Delete the content of your temporary folders and files.
Please set the checkmarks as to be seen on this picture:
http://image.hijackthis.eu/ClearProg/clearprog.jpg
Program features:
The program deletes the surf tracks of the browser:
- supported browsers: Internet Explorer, Netscape, Mozilla, Firefox and Opera
-> cookies
-> history
-> temporary internet files (cache)
-> the registered URLs
-> autocomplete entries in web forms
-> download lists of Netscape/Opera
In addition, among other things, the following can be deleted:
-> recycle bin
-> document files in the start menu
-> Windows temp files
-> run entries in the start menu
- file lists of MS Office programs
- file lists of Windows Media Player and RealPlayer
- own files with filter (can be selected)
7
Please download a trial version of CounterSpy (http://research.sunbelt-software.com/download.cfm).
Update the program online.
Now turn off your computer and remove the network cable/phone line from your machine.
Reboot your computer into Safe Mode (http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406?OpenDocument&src=sec_doc_nam)
Scan your system with CounterSpy in Safe Mode.
Let the program remove everything it finds:
Options > remove
- when the Scan is finished you can decide for:
*Ignore
*Remove
*Quarantine
Please choose Remove and restart your system.
Save the logfile.
-> Post the CounterSpy logfile, please.
Counterspy log:
Spyware Scan Details
Start Date: 7/12/06 7:43:50 PM
End Date: 7/12/06 7:50:33 PM
Total Time: 6 mins 43 secs
Detected spyware
MediaTickets CDT Spyware
Details: Mediatickets is a spyware program that displays advertisements, reduces the security settings for the Trusted Sites zone in Internet Explorer, and attempts to fraudulently install trusted publishers.
Status: Deleted
Infected registry entries detected
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion \SharedDLLs C:\WINDOWS\Downloaded Program Files\MediaTicketsInstaller.ocx
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion \ModuleUsage\C:/WINDOWS/Downloaded Program Files/MediaTicketsInstaller.ocx
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion \ModuleUsage\C:/WINDOWS/Downloaded Program Files/MediaTicketsInstaller.ocx .Owner {9EB320CE-BE1D-4304-A081-4B4665414BEF}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion \ModuleUsage\C:/WINDOWS/Downloaded Program Files/MediaTicketsInstaller.ocx {9EB320CE-BE1D-4304-A081-4B4665414BEF}
Mirar Toolbar
Details: Mirar is actually adware that monitors the surfing activity of its users. It sends details of website visits to its home server so that targeted advertising can be returned to the user's PC.
Status: Deleted
Infected registry entries detected
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{1037B06C-84B7-4240-8D80-485810A0497D}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{1037B06C-84B7-4240-8D80-485810A0497D}\ProxyStubClsid {00020420-0000-0000-C000-000000000046}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{1037B06C-84B7-4240-8D80-485810A0497D}\ProxyStubClsid32 {00020420-0000-0000-C000-000000000046}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{1037B06C-84B7-4240-8D80-485810A0497D}\TypeLib {566DEDE9-9ED8-45DA-9BE6-9B2EEAB17F49}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{1037B06C-84B7-4240-8D80-485810A0497D}\TypeLib Version 1.0
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{1037B06C-84B7-4240-8D80-485810A0497D} _INN_WebBandEvents
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{224302B0-94E9-45C2-9E5B-BA989EE556E1}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{224302B0-94E9-45C2-9E5B-BA989EE556E1}\ProxyStubClsid {00020424-0000-0000-C000-000000000046}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{224302B0-94E9-45C2-9E5B-BA989EE556E1}\ProxyStubClsid32 {00020424-0000-0000-C000-000000000046}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{224302B0-94E9-45C2-9E5B-BA989EE556E1}\TypeLib {F8310E7D-4C4D-46A4-A068-B5BB99411CC7}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{224302B0-94E9-45C2-9E5B-BA989EE556E1}\TypeLib Version 1.0
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{224302B0-94E9-45C2-9E5B-BA989EE556E1} INN_BarDummy
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{54B287F9-FD90-4457-B65E-CB91560C021D}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{54B287F9-FD90-4457-B65E-CB91560C021D}\ProxyStubClsid {00020424-0000-0000-C000-000000000046}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{54B287F9-FD90-4457-B65E-CB91560C021D}\ProxyStubClsid32 {00020424-0000-0000-C000-000000000046}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{54B287F9-FD90-4457-B65E-CB91560C021D}\TypeLib {566DEDE9-9ED8-45DA-9BE6-9B2EEAB17F49}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{54B287F9-FD90-4457-B65E-CB91560C021D}\TypeLib Version 1.0
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{54B287F9-FD90-4457-B65E-CB91560C021D} INN_Bar_Helper
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6E4C7AFC-9915-4036-B7F9-8B3F1710788F}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6E4C7AFC-9915-4036-B7F9-8B3F1710788F}\ProxyStubClsid {00020424-0000-0000-C000-000000000046}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6E4C7AFC-9915-4036-B7F9-8B3F1710788F}\ProxyStubClsid32 {00020424-0000-0000-C000-000000000046}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6E4C7AFC-9915-4036-B7F9-8B3F1710788F}\TypeLib {566DEDE9-9ED8-45DA-9BE6-9B2EEAB17F49}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6E4C7AFC-9915-4036-B7F9-8B3F1710788F}\TypeLib Version 1.0
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6E4C7AFC-9915-4036-B7F9-8B3F1710788F} INN_WebBand
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{224302B0-94E9-45C2-9E5B-BA989EE556E1}\TypeLib Version 1.0
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{54B287F9-FD90-4457-B65E-CB91560C021D}\TypeLib Version 1.0
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6E4C7AFC-9915-4036-B7F9-8B3F1710788F}\TypeLib Version 1.0
Hello Ming
Since CounterSpy doesn't delete all malware with only one scan, please reboot your system, run a new scan with CounterSpy, and again remove all malware. Save the logfile. Reboot your system. Repeat the scan... as long as anything is found.
Please post all these logfiles of CounterSpy.
Run HijackThis again, have it save another new log and post it too.