Old 08-30-2006, 01:30 PM   #1
Countryboy (Registered User; Join Date: Aug 2006; Posts: 31; OS: Win98SE)

My computer is infected with SpySheriff (and maybe more?)

Hi, I double clicked on what I thought was an html file but it was a cunningly disguised exe file and now I'm infected with SpySheriff and possibly other things.

Adaware finds 3 registry entries every time I reboot and Spybot Search and Destroy finds Windows.System (2 entries), SpySheriff (1 entry) and Windows.Explorer (1 entry) every time I reboot, even though I'm telling them to remove the entries.

Your help is greatly appreciated. Thanks.

I have been through the 5 Step process and my HJT log is below:

Logfile of HijackThis v1.99.1
Scan saved at 8:12:57 PM, on 30-08-06
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\PROGRAM FILES\SYMANTEC ANTIVIRUS\DEFWATCH.EXE
C:\PROGRAM FILES\SYMANTEC ANTIVIRUS\RTVSCN95.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCSETMGR.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\SERVICES.EXE
C:\WINDOWS\LOADQM.EXE
C:\WINDOWS\TASKMON.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
C:\PROGRAM FILES\SYMANTEC ANTIVIRUS\VPTRAY.EXE
C:\WINDOWS\MIXER.EXE
C:\WINDOWS\SYSTEM\GSICON.EXE
C:\WINDOWS\SYSTEM\DSLAGENT.EXE
C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
C:\WINDOWS\SYSTEM\SERVICES.EXE
C:\PROGRAM FILES\SYGATE\SPF\SMC.EXE
C:\HJT\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com
O2 - BHO: Hitware Popup Killer Lite - {604B283A-4E26-4504-98E7-72859F949547} - C:\PROGRA~1\HITWAR~1\SYPCMS.DLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [SERVICES] C:\WINDOWS\SYSTEM\SERVICES.EXE
O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
O4 - HKLM\..\Run: [PTSNOOP] ptsnoop.exe
O4 - HKLM\..\Run: [CriticalUpdate] C:\WINDOWS\SYSTEM\wucrtupd.exe -startup
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTRAY.EXE
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [GSICONEXE] GSICON.EXE
O4 - HKLM\..\Run: [DSLAGENTEXE] DSLAGENT.EXE
O4 - HKLM\..\RunServices: [defwatch] C:\PROGRA~1\SYMANT~1\DEFWATCH.EXE
O4 - HKLM\..\RunServices: [rtvscn95] C:\PROGRA~1\SYMANT~1\RTVSCN95.EXE
O4 - HKLM\..\RunServices: [ccEvtMgr] "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
O4 - HKLM\..\RunServices: [ccSetMgr] "C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe"
O4 - HKLM\..\RunServices: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakLogon
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKCU\..\Run: [SERVICES] C:\WINDOWS\SYSTEM\SERVICES.EXE
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O12 - Plugin for .pdf: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/v...fo/webscan.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/reso...an8/oscan8.cab

Old 09-01-2006, 10:42 AM   #2
Countryboy (Registered User; Join Date: Aug 2006; Posts: 31; OS: Win98SE)

Bumping my thread...

I hope you don't mind me bumping my problem, I'm soooo fed up with pop-ups telling me 'my personal data successfully tracked' and my IE browser infected with some similar banner...

Any help would be greatly appreciated..

TIA

CB.
Old 09-01-2006, 11:04 AM   #3
POADB (Moderator, Microsoft Support; Join Date: Jul 2004; Location: United Kingdom; Posts: 6,482; OS: XP SP2)

Welcome to TSF.

Please try the following:

Download smitRem.exe and save the file to your desktop.
Double click on the file to extract it to its own folder on the desktop.

*Note* Alternate download sites for smitrem: http://www.downloads.subratam.org/smitRem.exe
http://www.bleepingcomputer.com/file...ar/smitRem.exe



Download DelDomains.inf
Right-click and select Save Target As

To use: Right-click and select Install (no need to restart)
**Note** This will remove all entries in the "Trusted Zone"


Place a shortcut to Panda ActiveScan on your desktop.

Please download the trial version of Ewido Security Suite here:
http://www.ewido.net/en/download/

Download Ewido Anti-Malware
  • Install Ewido Anti-Malware
  • Double-click the icon on Desktop to launch Ewido
You will need to update Ewido to the latest definition files.
  • On the top of the main screen click Shield
  • Click the word active to change it to inactive
  • On the top of the main screen click Update.
  • Then click on Start Update. The update will start and a progress bar will show the updates being installed.
If you are having problems with the updater, you can use this link to manually update Ewido
  • Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
  • Once in the Settings screen click on "Recommended actions" and then select "Quarantine".
  • Under "Reports"
    • Select "Automatically generate report after every scan"
    • Un-Select "Only if threats were found"
When you have finished updating, EXIT Ewido anti-spyware. Do Not run a scan just yet, we will shortly.

If you have not already installed Ad-Aware SE 1.06, follow these download and setup instructions, otherwise, check for updates:
Ad-Aware SE Setup
Don't run it yet!

Next, please reboot your computer in SafeMode by doing the following:
  1. Restart your computer
  2. After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
  3. Instead of Windows loading as normal, a menu should appear
  4. Select the first option, to run Windows in Safe Mode.
Now scan with HJT and place a checkmark next to each of the following items and click FIX CHECKED:
===================================================
O4 - HKCU\..\Run: [SERVICES] C:\WINDOWS\SYSTEM\SERVICES.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present

===================================================

Close HiJackThis.

Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen.
Wait for the tool to complete and disk cleanup to finish.

The tool will create a log named smitfiles.txt in the root of your drive, eg; Local Disk C: or partition where your operating system is installed. Please post that log along with all others requested in your next reply.


Open Ad-aware and do a full scan. Remove all it finds.


Run Ewido with its updated definitions (it's important that all windows are closed):
  • Click Scanner
  • Click on the Scan tab
  • Click Complete System Scan to begin scanning.
    Once the scan is complete do the following:
  • If you have any infections you will be prompted; then select "Apply all actions"
  • Once finished, click the Save report button, then click Save Report As and save it to your desktop. (make sure to remember where you saved that file, this is important).
Close Ewido

Next go to Control Panel click Display > Desktop > Customize Desktop > Web
Remove the check by "View my Active desktop as a web page".
Click OK then Apply and OK.

Reboot back into Windows and click the Panda ActiveScan shortcut.
** click on "Free use ActiveScan" located on the top right hand corner
  1. Click Check Now & a 'pop up' window shall appear. *ensure that your pop up blocker doesn't block it
  2. Enter your e-mail address, country, and state & click Scan Now ...begins downloading 8 MB of Panda's ActiveX controls
Begin the scan by selecting My Computer
  • If it finds any malware, it will offer you a report.
  • Please ignore any entry it finds and wants you to buy the program for removal as we will address this later.
  • Click on see report. Then click Save report
Post the contents of the Panda scan report, along with a new HijackThis Log, the contents of smitfiles.txt and the Ewido Log by using Add Reply.
Let us know if any problems persist.
Old 09-04-2006, 06:51 AM   #4
Countryboy (Registered User; Join Date: Aug 2006; Posts: 31; OS: Win98SE)

A couple of quickies before I begin...

Thanks for the help POADB.

I've downloaded the stuff as per the instructions, but I haven't installed Adaware SE yet. I have Adaware 6.0 with the latest updates on my computer. To install Adaware SE I first have to uninstall Adaware 6.0. Should I uninstall it in favour of Adaware SE? Also I'm running Windows 98 SE and Ewido doesn't run on that platform (only 2000 and XP)...

I'd rather not take any further action until I have your OK.

Thanks and regards,

CB.
Old 09-04-2006, 11:35 AM   #5
POADB (Moderator, Microsoft Support; Join Date: Jul 2004; Location: United Kingdom; Posts: 6,482; OS: XP SP2)

Ewido was an oversight on my part. It's left over from a speech for 2000/XP, therefore please ignore its usage.

You can use Adaware 6.

The important tool here is SmitRem, as it works on 98 and targets the majority of the Smitfraud family.

Please complete the Online scan also, as this will show us what's left.
Old 09-05-2006, 11:44 AM   #6
Countryboy (Registered User; Join Date: Aug 2006; Posts: 31; OS: Win98SE)

Instructions followed and new logs herewith. But......

Hi POADB, the only problem I encountered whilst following the instructions was when I tried to do this: 'Next go to Control Panel click Display > Desktop > Customize Desktop > Web'. A popup came up saying 'Your system administrator disabled the Display control panel'. I found out from the web how to reset it. One of the popups that I had been seeing was saying 'run time error'; could it be that the two are related? Somehow at least once it was changed back and I had to reset it again. I ran Adaware as instructed; it found one item that I had it remove. Once completed I re-ran HJT.

My system 'seems' to be running ok now, I've not yet seen any more of the 'Warning! Your personal data successfully tracked' windows and the banner seems to have disappeared from the IE browser.

However, out of interest I ran SpyBot Search and Destroy and it still finds an entry for: 'Windows.System', 'SpySheriff', 'Windows SecurityCenter.TaskManager' and Windows.Explorer. I didn't take any action just noted the entries. I then ran Adaware again and it found the three following registry items, again I took no action:

Registry scan result :
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
New objects : 1
Objects found so far: 1

Started deep registry scan
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
Possible browser hijack attempt : Software\Microsoft\Internet Explorer\MainStart Pageabout:blank

Possible Browser Hijack attempt Object recognized!
Type : RegData
Data : "about:blank"
Rootkey : HKEY_CURRENT_USER
Object : Software\Microsoft\Internet Explorer\Main
Value : Start Page
Data : "about:blank"

Possible browser hijack attempt : .Default\Software\Microsoft\Internet Explorer\MainStart Pageabout:blank

Possible Browser Hijack attempt Object recognized!
Type : RegData
Data : "about:blank"
Rootkey : HKEY_USERS
Object : .Default\Software\Microsoft\Internet Explorer\Main
Value : Start Page
Data : "about:blank"


Deep registry scan result :
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
New objects : 2
Objects found so far: 3

Here is my new HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 7:02:03 PM, on 05-09-06
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\EXPLORER.EXE
C:\HJT\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:8080;https=localhost:8080
O2 - BHO: Hitware Popup Killer Lite - {604B283A-4E26-4504-98E7-72859F949547} - C:\PROGRA~1\HITWAR~1\SYPCMS.DLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
O4 - HKLM\..\Run: [PTSNOOP] ptsnoop.exe
O4 - HKLM\..\Run: [CriticalUpdate] C:\WINDOWS\SYSTEM\wucrtupd.exe -startup
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTRAY.EXE
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [GSICONEXE] GSICON.EXE
O4 - HKLM\..\Run: [DSLAGENTEXE] DSLAGENT.EXE
O4 - HKLM\..\RunServices: [defwatch] C:\PROGRA~1\SYMANT~1\DEFWATCH.EXE
O4 - HKLM\..\RunServices: [rtvscn95] C:\PROGRA~1\SYMANT~1\RTVSCN95.EXE
O4 - HKLM\..\RunServices: [ccEvtMgr] "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
O4 - HKLM\..\RunServices: [ccSetMgr] "C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe"
O4 - HKLM\..\RunServices: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakLogon
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O12 - Plugin for .pdf: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/v...fo/webscan.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/reso...an8/oscan8.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab

Here is my 'smitfiles.txt':


smitRem © log file
version 3.1

by noahdfear


Windows 98 [Version 4.10.2222]


Running from
C:\WINDOWS\Desktop\smitRem

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Pre-run SharedTask Export

(GetSTS.exe) SharedTaskScheduler exporter by Lawrence Abrams (Grinler)
Copyright(C) 2006 BleepingComputer.com

Registry Pseudo-Format Mode (Not a valid reg file):

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{438755C2-A8BA-11D1-B96B-00A0C90312E1}\InProcServer32]
@="C:\WINDOWS\SYSTEM\BROWSEUI.DLL"


[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8C7461EF-2B13-11d2-BE35-3078302C2030}\InProcServer32]
@="C:\WINDOWS\SYSTEM\BROWSEUI.DLL"


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
spyaxe uninstaller NOT present
Winhound uninstaller NOT present
SpywareStrike uninstaller NOT present
AlfaCleaner uninstaller NOT present
SpyFalcon uninstaller NOT present
SpywareQuake uninstaller NOT present
SpywareSheriff uninstaller NOT present
Trust Cleaner uninstaller NOT present
SpyHeal uninstaller NOT present

Existing Pre-run Files


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~



~~~ system folder ~~~




~~~ Icons in system folder ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~



~~~ Miscellaneous Files/folders ~~~



~~~~ wininet.dll ~~~~

wininet.dll Present!!


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Starting registry repairs
Registry repairs complete

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SharedTask Export after registry fix

(GetSTS.exe) SharedTaskScheduler exporter by Lawrence Abrams (Grinler)
Copyright(C) 2006 BleepingComputer.com

Registry Pseudo-Format Mode (Not a valid reg file):

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{438755C2-A8BA-11D1-B96B-00A0C90312E1}\InProcServer32]
@="C:\WINDOWS\SYSTEM\BROWSEUI.DLL"


[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8C7461EF-2B13-11d2-BE35-3078302C2030}\InProcServer32]
@="C:\WINDOWS\SYSTEM\BROWSEUI.DLL"


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Deleting files

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Remaining Post-run Files


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~



~~~ system folder ~~~




~~~ Icons in system folder ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~


~~~ Miscellaneous Files/folders ~~~





~~~~ wininet.dll ~~~~

wininet.dll Clean!! :)

And here is my Panda Scan report:


Incident Status Location

Virus:Bck/Hacdef.FF Disinfected Operating system
Potentially unwanted tool:application/regclean32 Not disinfected C:\WINDOWS\Application Data\Registry Cleaner
Virus:Bck/Hacdef.FF Disinfected C:\WINDOWS\SYSTEM\services.exe
Potentially unwanted tool:Application/Processor Not disinfected C:\WINDOWS\Desktop\smitRem.exe[smitRem/Process.exe]
Potentially unwanted tool:Application/Processor Not disinfected C:\WINDOWS\Desktop\smitRem\Process.exe
Virus:W97M/Marker.AO Disinfected C:\WINDOWS\Application Data\Thunderbird\Profiles\uu61stcj.default\Mail\Local Folders\Inbox[UCASCH004exp.doc]
Virus:W97M/Marker.AO Disinfected C:\WINDOWS\Application Data\Thunderbird\Profiles\uu61stcj.default\Mail\Local Folders\Inbox[ENTFORm4.doc]
Virus:W97M/Marker.AO Disinfected C:\WINDOWS\Application Data\Thunderbird\Profiles\uu61stcj.default\Mail\Local Folders\Outlook Express Mail.sbd\Inbox[UCASCH004exp.doc]
Virus:W97M/Marker.AO Disinfected C:\WINDOWS\Application Data\Thunderbird\Profiles\uu61stcj.default\Mail\Local Folders\Outlook Express Mail.sbd\Inbox[ENTFORm4.doc]
Adware:Adware/SaveNow Not disinfected C:\Program Files\GDivX Zenith Player\SaveInstWm.exe
Adware:Adware/Alexa-Toolbar Not disinfected C:\Yaffles\Yaffles from ThinkPad\cntdwnsetup.exe
Adware:Adware/Look2Me Not disinfected C:\Yaffles\Yaffles from ThinkPad\vtool\kill2me.zip[Kill2Me.exe]
Virus:Trj/Downloader.JM Disinfected C:\Yaffles\Yaffles from ThinkPad\Security\HJT\backup-20040629-110730-580.inf
Potentially unwanted tool:Application/MyWay Not disinfected C:\Yaffles\Yaffles from ThinkPad\Security\HJT\backup-20040629-110730-974.dll
Potentially unwanted tool:Application/FunWeb Not disinfected C:\Yaffles\Yaffles from ThinkPad\Security\HJT\backup-20041012-142747-872.inf
Adware:Adware/nCase Not disinfected C:\temp\Cdvdpro.exe[saap.exe]
Adware:Adware/nCase Not disinfected C:\temp\Cdivx.exe[msbb.exe]
Potentially unwanted tool:Application/Processor Not disinfected C:\smitrem\smitRem\Process.exe
Potentially unwanted tool:Application/Processor Not disinfected C:\RAR\SmitfraudFix.zip[SmitfraudFix/Process.exe]
Potentially unwanted tool:Application/Processor Not disinfected C:\RAR\SmitfraudFix\Process.exe
Potentially unwanted tool:Application/Processor Not disinfected C:\RAR\smitRem.exe[smitRem/Process.exe]
Virus:W97M/Marker.AO Disinfected Local Folders\Inbox\UCA\UCASCH004exp.doc
Virus:W97M/Marker.AO Disinfected Local Folders\Inbox\UCA\ENTFORm4.doc

I hope this is everything you need. I'm sorry about the length of this append!

Cheers,

CB.

Last edited by Countryboy; 09-05-2006 at 12:08 PM. Reason: I inserted the wrong HJT log I have replaced it with the new one... sorry.
Old 09-05-2006, 12:19 PM   #7
POADB (Moderator, Microsoft Support; Join Date: Jul 2004; Location: United Kingdom; Posts: 6,482; OS: XP SP2)

Run a scan in HijackThis. Check each of the following if they still exist and hit 'Fix Checked' after you checked the last one:

O4 - HKCU\..\Run: [SERVICES] C:\WINDOWS\SYSTEM\SERVICES.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present


Exit HJT

Please then reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, a menu with options should appear;
  • Select the first option, to run Windows in Safe Mode, then press "Enter".
  • Choose your usual account.

Please delete the following files:

C:\Program Files\GDivX Zenith Player\SaveInstWm.exe
C:\Yaffles\Yaffles from ThinkPad\cntdwnsetup.exe
C:\temp\Cdvdpro.exe[saap.exe]
C:\temp\Cdivx.exe


Download SDFix and save it to your desktop.

Run SDFix
  • In Safe Mode, right click the SDFix.zip folder and choose Extract All,
  • Open the extracted folder and double click RunThis.bat to start the script.
  • Type Y to begin the script.
  • It will remove the Trojan Services then make some repairs to the registry and prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • Your system will take longer than normal to restart as the fixtool will be running and removing files.
  • When the desktop loads the Fixtool will complete the removal and display Finished, then press any key to end the script and load your desktop icons.
  • Finally open the SDFix folder on your desktop and copy and paste the contents of the results file Report.txt back onto the forum with a new HijackThis log
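The two HijackThis fix lists in this thread (post #3 and post #7) come down to two questions: which entries disappeared between scans, and which of the remaining ones still deserve a second look. As an added example that is not part of the thread and not HijackThis's own code, the Python below parses HJT R1/O4/O6 lines into records, diffs two scans, and flags the entry kinds the helper singled out; the sample logs are constructed, and the services.exe watch-list entry and the Proxomitron note are taken from the logs posted above.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample logs in HijackThis v1.99 line format (not the full logs
# posted in the thread): one scan before the fix, one after it.
BEFORE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com
O4 - HKLM\..\Run: [SERVICES] C:\WINDOWS\SYSTEM\SERVICES.EXE
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKCU\..\Run: [SERVICES] C:\WINDOWS\SYSTEM\SERVICES.EXE
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
"""
AFTER_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:8080;https=localhost:8080
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
"""
# Constructed watch-list of autorun executables to review. services.exe comes
# from the thread, where Panda reported C:\WINDOWS\SYSTEM\services.exe as Bck/Hacdef.FF.
WATCH_O4 = {"services.exe"}

@dataclass(frozen=True)
class Entry:
    section: str  # HJT section code, e.g. "O4"
    hive: str     # "HKLM", "HKCU" or "" when the line has no hive
    name: str     # O4 value name, R1 setting name, or the O6 policy key
    target: str   # O4 command line, R1 data, "" for O6
    raw: str      # the original log line

LINE_RE = re.compile(r"^(?P<sec>[RFO]\d+) - (?P<rest>.*)$")
O4_RE = re.compile(r"^(?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] ?(?P<cmd>.*)$")
R1_RE = re.compile(r"^(?P<hive>HK\w+)\\(?P<key>[^,]+),(?P<name>[^ =]+) = (?P<data>.*)$")
O6_RE = re.compile(r"^(?P<hive>HK\w+)\\(?P<key>.+) present$")

def parse_hjt(text: str) -> List[Entry]:
    """Turn the section lines of an HJT log into Entry records; the header and
    the process list carry no section code and are skipped."""
    entries: List[Entry] = []
    for line in (ln.strip() for ln in text.splitlines()):
        m = LINE_RE.match(line)
        if not m:
            continue
        sec, rest = m.group("sec"), m.group("rest")
        if sec == "O4" and (o4 := O4_RE.match(rest)):
            entries.append(Entry(sec, o4["hive"], o4["name"], o4["cmd"].strip(), line))
        elif sec.startswith("R") and (r1 := R1_RE.match(rest)):
            entries.append(Entry(sec, r1["hive"], r1["name"], r1["data"], line))
        elif sec == "O6" and (o6 := O6_RE.match(rest)):
            entries.append(Entry(sec, o6["hive"], o6["key"], "", line))
        else:
            entries.append(Entry(sec, "", "", rest, line))
    return entries

def diff_logs(before: str, after: str) -> Tuple[List[str], List[str]]:
    """(removed, added) raw lines between two scans, in log order; this is the
    helper's 'check each of the following if they still exist' question."""
    b = [e.raw for e in parse_hjt(before)]
    a = [e.raw for e in parse_hjt(after)]
    return [x for x in b if x not in a], [x for x in a if x not in b]

def exe_name(cmd: str) -> str:
    # Bare executable name from an O4 command line, quoted paths included.
    m = re.match(r'"([^"]+)"|(\S+)', cmd)
    path = (m.group(1) or m.group(2)) if m else ""
    return path.rsplit("\\", 1)[-1].lower()

def flag_entries(entries: List[Entry]) -> Dict[str, List[str]]:
    """Map each raw line that deserves a second look to the reasons why."""
    reasons: Dict[str, List[str]] = {}
    # Which hives each (name, command) autorun pair is registered under.
    hives: Dict[Tuple[str, str], set] = {}
    for e in entries:
        if e.section == "O4":
            hives.setdefault((e.name.lower(), e.target.lower()), set()).add(e.hive)
    for e in entries:
        why: List[str] = []
        if e.section == "O6":
            why.append("IE/Control Panel policy restriction present; on a stand-alone "
                       "home PC these are normally not set by the owner")
        elif e.section == "O4":
            if exe_name(e.target) in WATCH_O4:
                why.append(f"autorun of {exe_name(e.target)}, which is on the watch-list")
            if len(hives[(e.name.lower(), e.target.lower())]) > 1:
                why.append("same autorun registered under both HKLM and HKCU")
        elif e.section == "R1" and e.name == "ProxyServer" and "localhost" in e.target:
            why.append("IE proxy points at a local port; confirm a local filtering "
                       "proxy (the thread's process list shows Proxomitron) owns it")
        if why:
            reasons[e.raw] = why
    return reasons

if __name__ == "__main__":
    removed, added = diff_logs(BEFORE_LOG, AFTER_LOG)
    print("Removed since last scan:", removed, "\nNew since last scan:", added)
    for raw, why in flag_entries(parse_hjt(AFTER_LOG)).items():
        print(f"REVIEW {raw}\n  - " + "\n  - ".join(why))
```

Feed it the full text of two HJT logs and it will ignore the header and process list on its own; the watch-list and the flag reasons are the part to extend for other families.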
Old 09-06-2006, 12:52 PM   #8
Countryboy (Registered User; Join Date: Aug 2006; Posts: 31; OS: Win98SE)

SDFix doesn't run on my platform....

Hi POADB, thanks very much for your perseverance with my problem(s). Your help is greatly appreciated.

None of these appeared in my latest HJT log:

O4 - HKCU\..\Run: [SERVICES] C:\WINDOWS\SYSTEM\SERVICES.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present

I deleted the files you specified:

C:\Program Files\GDivX Zenith Player\SaveInstWm.exe
C:\Yaffles\Yaffles from ThinkPad\cntdwnsetup.exe
C:\temp\Cdvdpro.exe[saap.exe]
C:\temp\Cdivx.exe

Except I didn't understand the saap.exe bit. I did a search but it wasn't found.

I downloaded SDFix but when I came to run it I discovered it also is only for Windows 2000 and XP and not Win 98SE that I am running.

Attached below for reference is my latest HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 7:24:58 PM, on 06-09-06
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\PROGRAM FILES\SYMANTEC ANTIVIRUS\DEFWATCH.EXE
C:\PROGRAM FILES\SYMANTEC ANTIVIRUS\RTVSCN95.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCSETMGR.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\LOADQM.EXE
C:\WINDOWS\TASKMON.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
C:\PROGRAM FILES\SYMANTEC ANTIVIRUS\VPTRAY.EXE
C:\WINDOWS\MIXER.EXE
C:\WINDOWS\SYSTEM\GSICON.EXE
C:\WINDOWS\SYSTEM\DSLAGENT.EXE
C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\PROGRAM FILES\PROXOMITRON NAOKO-4\PROXOMITRON.EXE
C:\PROGRAM FILES\SYGATE\SPF\SMC.EXE
C:\PROGRAM FILES\OUTLOOK EXPRESS\MSIMN.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\PROGRAM FILES\MOZILLA FIREFOX\FIREFOX.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\LEXBCES.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\SYSTEM\LEXPPS.EXE
C:\HJT\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:8080;https=localhost:8080
O2 - BHO: Hitware Popup Killer Lite - {604B283A-4E26-4504-98E7-72859F949547} - C:\PROGRA~1\HITWAR~1\SYPCMS.DLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
O4 - HKLM\..\Run: [PTSNOOP] ptsnoop.exe
O4 - HKLM\..\Run: [CriticalUpdate] C:\WINDOWS\SYSTEM\wucrtupd.exe -startup
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTRAY.EXE
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [GSICONEXE] GSICON.EXE
O4 - HKLM\..\Run: [DSLAGENTEXE] DSLAGENT.EXE
O4 - HKLM\..\RunServices: [defwatch] C:\PROGRA~1\SYMANT~1\DEFWATCH.EXE
O4 - HKLM\..\RunServices: [rtvscn95] C:\PROGRA~1\SYMANT~1\RTVSCN95.EXE
O4 - HKLM\..\RunServices: [ccEvtMgr] "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
O4 - HKLM\..\RunServices: [ccSetMgr] "C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe"
O4 - HKLM\..\RunServices: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakLogon
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O12 - Plugin for .pdf: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/v...fo/webscan.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/reso...an8/oscan8.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab

Thanks again.

CB
Old 09-06-2006, 02:19 PM   #9
POADB (Moderator, Microsoft Support; Join Date: Jul 2004; Location: United Kingdom; Posts: 6,482; OS: XP SP2)

C:\temp\Cdvdpro.exe[saap.exe] should have been C:\temp\Cdvdpro.exe

But you can clear the whole Temp folder if you wish. I was expecting Cleanup to have already taken care of it, to be honest.

Thanks for confirming SDFix is not W98 compatible.

We'll take another scan to see what's lurking.

Establish an internet connection & perform an online scan with Internet Explorer at Kaspersky Online Scanner

Answer Yes, when prompted to install an ActiveX component.
  • The program will then begin downloading the latest definition files.
  • Once the files have been downloaded click on NEXT
  • Locate the Scan Settings button & configure to:
    • Scan using the following Anti-Virus database:
      • Extended
    • Scan Options:
      • Scan Archives
      • Scan Mail Bases
  • Click OK & have it scan My Computer
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply
* Turn off the real time scanner of any existing antivirus program while performing the online scan
__________________


POADB is offline  
Old 09-07-2006, 03:55 PM   #10 (permalink)
Registered User
 
Join Date: Aug 2006
Posts: 31
OS: Win98SE


Kaspersky Online Scan

Hi POADB, the only choice I had at the end of the scan was to save the file as an htm/html file, so that is what I did. I'm not able to attach the file, so I copied it to Wordpad and pasted it here. Unfortunately the formatting is lost, but I hope that doesn't invalidate its usefulness. It looks pretty ugly to me; I hope it means something to you.

KASPERSKY ONLINE SCANNER REPORT
Thursday, September 07, 2006 9:57:33 PM
Operating System: Microsoft Windows 98 SE
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 7/09/2006
Kaspersky Anti-Virus database records: 221638


Scan Settings
Scan using the following antivirus database extended
Scan Archives true
Scan Mail Bases true

Scan Target My Computer
a:\
c:\
d:\
e:\
f:\

Scan Statistics
Total number of scanned objects 24527
Number of viruses found 8
Number of infected objects 16 / 0
Number of suspicious objects 5
Duration of the scan process 00:57:50

Infected Object Name Virus Name Last Action
c:\WIN386.SWP Object is locked skipped

c:\WINDOWS\All Users\Application Data\Symantec\Common Client\settings.dat Object is locked skipped

c:\WINDOWS\History\History.IE5\index.dat Object is locked skipped

c:\WINDOWS\History\History.IE5\MSHist012006090720060908\index.dat Object is locked skipped

c:\WINDOWS\Application Data\Identities\{F323108A-0C65-11D6-987D-0007950D7AB5}\Microsoft\Outlook Express\Inbox.dbx/[From "Rosemary Fisher" <_owletts@care4free.net>][Date Mon, 10 Dec 2001 13:05:45 +0000]/html Suspicious: Exploit.HTML.Iframe.FileDownload skipped

c:\WINDOWS\Application Data\Identities\{F323108A-0C65-11D6-987D-0007950D7AB5}\Microsoft\Outlook Express\Inbox.dbx/[From "Rosemary Fisher" <_owletts@care4free.net>][Date Mon, 10 Dec 2001 13:05:45 +0000]/stuff.MP3.pif Infected: Email-Worm.Win32.BadtransII skipped

c:\WINDOWS\Application Data\Identities\{F323108A-0C65-11D6-987D-0007950D7AB5}\Microsoft\Outlook Express\Inbox.dbx Mail MS Outlook 5: infected - 1, suspicious - 1 skipped

c:\WINDOWS\Application Data\Spybot - Search & Destroy\Recovery\WhenUSaveNow1.zip/SaveUninst.exe Suspicious: Password-protected-EXE skipped

c:\WINDOWS\Application Data\Spybot - Search & Destroy\Recovery\WhenUSaveNow1.zip ZIP: suspicious - 1 skipped

c:\WINDOWS\Application Data\Spybot - Search & Destroy\Recovery\VcodecIntcodec.zip/uninst.exe Suspicious: Password-protected-EXE skipped

c:\WINDOWS\Application Data\Spybot - Search & Destroy\Recovery\VcodecIntcodec.zip ZIP: suspicious - 1 skipped

c:\WINDOWS\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

c:\WINDOWS\Cookies\index.dat Object is locked skipped

c:\WINDOWS\SchedLog.Txt Object is locked skipped

c:\WINDOWS\Local Settings\Application Data\Microsoft\Internet Explorer\MSIMGSIZ.DAT Object is locked skipped

c:\WINDOWS\Internet Logs\fwpktlog.txt Object is locked skipped

c:\WINDOWS\Internet Logs\fwdbglog.txt Object is locked skipped

c:\WINDOWS\UserData\index.dat Object is locked skipped

c:\Program Files\Sygate\SPF\debug.log Object is locked skipped

c:\Program Files\Sygate\SPF\syslog.log Object is locked skipped

c:\Program Files\Sygate\SPF\seclog.log Object is locked skipped

c:\Program Files\Sygate\SPF\tralog.log Object is locked skipped

c:\Program Files\Sygate\SPF\rawlog.log Object is locked skipped

c:\Program Files\Symantec AntiVirus\Quarantine\67B70000.VBN Infected: Trojan-Downloader.Win32.Agent.acd skipped

c:\Program Files\Symantec AntiVirus\Quarantine\35D30000.VBN Infected: Trojan-Downloader.Win32.Agent.acd skipped

c:\Program Files\Symantec AntiVirus\Quarantine\67B70002.VBN Infected: Trojan-Downloader.Win32.Agent.acd skipped

c:\Program Files\Symantec AntiVirus\Quarantine\DE630000.VBN Infected: Backdoor.Win32.HacDef.dx skipped

c:\Program Files\Symantec AntiVirus\Quarantine\67B70004.VBN Infected: Trojan-Downloader.Win32.Agent.acd skipped

c:\Yaffles\Yaffles from ThinkPad\Security\HJT\backup-20040629-110730-974.dll Infected: not-a-virus:AdWare.Win32.MyWay.c skipped

c:\temp\intcodec-v6.550.exe/stream/data0006 Infected: Trojan-Downloader.Win32.Zlob.afe skipped

c:\temp\intcodec-v6.550.exe/stream Infected: Trojan-Downloader.Win32.Zlob.afe skipped

c:\temp\intcodec-v6.550.exe NSIS: infected - 2 skipped

c:\temp\intcodec-v6.550.exe UPX: infected - 2 skipped

c:\temp\intcodec-v6.550.exe PE_Patch.UPX: infected - 2 skipped

c:\RAR\SmitfraudFix.zip/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped

c:\RAR\SmitfraudFix.zip ZIP: infected - 1 skipped

c:\RAR\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped

Scan process completed.

Thanks and regards,

CB.
Countryboy is offline  
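The report above is a flat list that has to be sorted by eye into quarantine stores, tool backups, the mail store, removal-tool components and the one live installer in c:\temp. As an added example (not part of the thread and not a Kaspersky tool), the following Python script parses lines in this report's format, groups them by outer file and applies the same folder heuristics; the embedded sample report is constructed in the same format, with a placeholder identity GUID and sender.

```python
"""Group a Kaspersky Online Scanner text report by outer file and rank what still needs a hand.

Report lines have the shape:  <object path> <verdict> <last action>
Paths may contain spaces; objects inside archives, installers or mail stores are written
as outer.file/inner/part, so one infected installer yields several lines.
"""
import re
from collections import defaultdict

# Constructed sample in the report's format (identity GUID and sender are placeholders).
SAMPLE_REPORT = """\
c:\\WIN386.SWP Object is locked skipped
c:\\WINDOWS\\Cookies\\index.dat Object is locked skipped
c:\\WINDOWS\\Application Data\\Identities\\{ID}\\Microsoft\\Outlook Express\\Inbox.dbx/[From "sender" <sender@example.invalid>][Date Mon, 10 Dec 2001 13:05:45 +0000]/stuff.MP3.pif Infected: Email-Worm.Win32.BadtransII skipped
c:\\WINDOWS\\Application Data\\Identities\\{ID}\\Microsoft\\Outlook Express\\Inbox.dbx Mail MS Outlook 5: infected - 1, suspicious - 1 skipped
c:\\WINDOWS\\Application Data\\Spybot - Search & Destroy\\Recovery\\WhenUSaveNow1.zip/SaveUninst.exe Suspicious: Password-protected-EXE skipped
c:\\WINDOWS\\Application Data\\Spybot - Search & Destroy\\Recovery\\WhenUSaveNow1.zip ZIP: suspicious - 1 skipped
c:\\Program Files\\Symantec AntiVirus\\Quarantine\\67B70000.VBN Infected: Trojan-Downloader.Win32.Agent.acd skipped
c:\\Program Files\\Symantec AntiVirus\\Quarantine\\DE630000.VBN Infected: Backdoor.Win32.HacDef.dx skipped
c:\\temp\\intcodec-v6.550.exe/stream/data0006 Infected: Trojan-Downloader.Win32.Zlob.afe skipped
c:\\temp\\intcodec-v6.550.exe NSIS: infected - 2 skipped
c:\\RAR\\SmitfraudFix\\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
"""

# The path is taken non-greedily from the left. A container verdict ("NSIS: infected - 2") may
# not contain '\' or '/', so it cannot swallow part of a path that has spaces and colons of its own.
LINE_RE = re.compile(
    r"^(?P<path>.+?) "
    r"(?P<verdict>Object is locked"
    r"|(?:Infected|Suspicious): \S+"
    r"|[^\\/]+?: (?:infected|suspicious) - \d+(?:, (?:infected|suspicious) - \d+)?)"
    r" (?P<action>\S+)$"
)
SEVERITY = {0: "info", 1: "suspicious", 2: "infected"}


def parse_line(line):
    """One report line -> record dict, or None when the line is not a detection line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    verdict = m["verdict"]
    if verdict == "Object is locked":
        severity, name = 0, None
    elif verdict.startswith(("Infected: ", "Suspicious: ")):
        severity = 2 if verdict.startswith("Infected") else 1
        name = verdict.split(": ", 1)[1]
    else:  # container summary such as "ZIP: suspicious - 1" (no detection name on this line)
        severity, name = (2 if "infected - " in verdict else 1), None
    path = m["path"]
    return {"path": path, "outer": path.split("/", 1)[0],
            "severity": severity, "name": name, "action": m["action"]}


def categorise(outer):
    """Folder heuristics for the outer file -> (category, advice); most specific rule first."""
    p = outer.lower()
    if "\\quarantine\\" in p and p.endswith(".vbn"):
        return "av-quarantine", "already isolated by the AV; purge it from the AV's quarantine view"
    if "\\recovery\\" in p or "\\hjt\\backup-" in p:
        return "tool-backup", "backup kept by a removal tool; delete once the fix is confirmed"
    if p.endswith(".dbx"):
        return "mail-store", "attachment inside a mail store; delete the message, then compact"
    if any(tool in p for tool in ("smitfraudfix", "smitrem", "sdfix")):
        return "removal-tool", "component of a cleanup tool; an expected detection, not an infection"
    return "live-file", "unexplained file on disk; remove it and look for what dropped it"


def triage(report_text):
    """Group detections by outer file. Returns (ranked results, lines that did not parse)."""
    groups = defaultdict(lambda: {"severity": 0, "names": set(), "hits": 0})
    unparsed = []
    for raw in report_text.splitlines():
        if not raw.strip():
            continue
        rec = parse_line(raw)
        if rec is None:
            unparsed.append(raw)
            continue
        g = groups[rec["outer"]]
        g["severity"] = max(g["severity"], rec["severity"])
        g["hits"] += 1
        if rec["name"]:
            g["names"].add(rec["name"])
    results = []
    for outer, g in groups.items():
        if g["severity"] == 0:  # locked-but-clean objects (swap file, index.dat) are noise here
            continue
        category, advice = categorise(outer)
        results.append({"outer": outer, "severity": SEVERITY[g["severity"]], "category": category,
                        "advice": advice, "names": sorted(g["names"]), "hits": g["hits"]})
    # Live files first, infected before suspicious, then by path for a stable listing.
    results.sort(key=lambda r: (r["category"] != "live-file", r["severity"] != "infected", r["outer"]))
    return results, unparsed


if __name__ == "__main__":
    ranked, leftovers = triage(SAMPLE_REPORT)
    for r in ranked:
        names = ", ".join(r["names"]) or "container summary only"
        print(f"[{r['severity']}] {r['category']:14} {r['outer']}  ({r['hits']} line(s): {names})")
        print(f"    -> {r['advice']}")
    for line in leftovers:
        print("unparsed:", line)
```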
Old 09-08-2006, 11:13 AM   #11 (permalink)
Moderator, Microsoft Support
 
 
Join Date: Jul 2004
Location: United Kingdom
Posts: 6,482
OS: XP SP2


You should remove the infected files from Symantec's quarantine folder. Please use Symantec's guide to remove them.

Please delete this folder:

C:\Yazzle\


Please clear the entire contents of:

C:\temp\


I advise that you delete emails from this person, out of Outlook.

Rosemary Fisher

Kaspersky has detected suspicious items from this contact.

Empty your Recycle Bin, run cleanup and reboot your computer.

Perform an online scan with Internet Explorer with Panda ActiveScan
** click on "Free use ActiveScan" located on the top right hand corner
  1. Click Check Now & a 'pop up' window shall appear. *ensure that your pop up blocker doesn't block it
  2. Enter your e-mail address, country, and state & click Scan Now ...this begins downloading Panda's 8 MB ActiveX controls
Begin the scan by selecting My Computer
  • If it finds any malware, it will offer you a report.
  • Please ignore any entry it finds that wants you to buy the program for removal, as we will address this later.
  • Click on see report. Then click Save report
Please post that log in your next reply.

Please run HJT and post a new log.

Describe how your computer is performing now.
__________________


POADB is offline  
Old 09-08-2006, 02:56 PM   #12 (permalink)
Registered User
 
Join Date: Aug 2006
Posts: 31
OS: Win98SE


Latest reports etc....

Hi POADB, thanks for sticking with me

You said 'You should remove the infected files from Symantec's quarantine folder', but there were no files in the quarantine folder.

I deleted both folders 'Yaffles' and 'temp'.

I deleted the emails from 'Rosemary Fisher'.

I emptied the Recycle Bin, ran cleanup and rebooted.

Here is the Panda Active Scan Report:


Incident Status Location

Potentially unwanted tool:application/regclean32 Not disinfected C:\WINDOWS\Application Data\Registry Cleaner
Potentially unwanted tool:Application/Processor Not disinfected C:\WINDOWS\Desktop\smitRem.exe[smitRem/Process.exe]
Potentially unwanted tool:Application/Processor Not disinfected C:\WINDOWS\Desktop\smitRem\Process.exe
Potentially unwanted tool:Application/Processor Not disinfected C:\WINDOWS\Desktop\SDFix.zip[SDFix/Process.exe]
Potentially unwanted tool:Application/Processor Not disinfected C:\smitrem\smitRem\Process.exe
Potentially unwanted tool:Application/Processor Not disinfected C:\sdfix\SDFix\Process.exe

Here is the latest HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 9:57:55 PM, on 08-09-06
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\PROGRAM FILES\SYMANTEC ANTIVIRUS\DEFWATCH.EXE
C:\PROGRAM FILES\SYMANTEC ANTIVIRUS\RTVSCN95.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCSETMGR.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\LOADQM.EXE
C:\WINDOWS\TASKMON.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
C:\PROGRAM FILES\SYMANTEC ANTIVIRUS\VPTRAY.EXE
C:\WINDOWS\MIXER.EXE
C:\WINDOWS\SYSTEM\GSICON.EXE
C:\WINDOWS\SYSTEM\DSLAGENT.EXE
C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\PROGRAM FILES\SYGATE\SPF\SMC.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\HJT\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:8080;https=localhost:8080
O2 - BHO: Hitware Popup Killer Lite - {604B283A-4E26-4504-98E7-72859F949547} - C:\PROGRA~1\HITWAR~1\SYPCMS.DLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
O4 - HKLM\..\Run: [PTSNOOP] ptsnoop.exe
O4 - HKLM\..\Run: [CriticalUpdate] C:\WINDOWS\SYSTEM\wucrtupd.exe -startup
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTRAY.EXE
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [GSICONEXE] GSICON.EXE
O4 - HKLM\..\Run: [DSLAGENTEXE] DSLAGENT.EXE
O4 - HKLM\..\RunServices: [defwatch] C:\PROGRA~1\SYMANT~1\DEFWATCH.EXE
O4 - HKLM\..\RunServices: [rtvscn95] C:\PROGRA~1\SYMANT~1\RTVSCN95.EXE
O4 - HKLM\..\RunServices: [ccEvtMgr] "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
O4 - HKLM\..\RunServices: [ccSetMgr] "C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe"
O4 - HKLM\..\RunServices: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakLogon
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O12 - Plugin for .pdf: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/v...fo/webscan.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/reso...an8/oscan8.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/par...bscan_ansi.cab

Regarding my computer's performance: I'm not getting any 'security' (or any other) popups now, and the IE browser seems to be back to normal.

My biggest concern is that Spybot S&D still reports an entry for:
'Windows.System', 'SpySheriff', 'Windows SecurityCenter.TaskManager' and 'Windows.Explorer'
and Adaware still finds an entry:
Vendor: Windows
Category: Vulnerability
Object Type: RegData
Size: -
Location: ...\Windows\CurrentVersion\Policies\System "DisableTaskMgr" ()
Last Activity: 08-09-06
Risk Level: Low
Comment: Possible unintended lockout from Task Manager (Task manager access disabled)
Description: General Windows Security Issue. Your system security may be compromised.

Cheers,

CB.
Countryboy is offline  
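The HijackThis log above is read line by line by eye. As an added example (not a tool from the thread or from the HijackThis project), here is a Python pass over such a log that parses the R1/O2/O4/O9/O16 line kinds and applies three defender-side checks: autostart commands given as a bare filename (resolved through the search path, so the running-process list is consulted to see what actually started), registrations whose target file is missing, and a browser proxy pointing back at the local machine. The embedded sample log is constructed from the line shapes above; the O16 download URL is a placeholder.

```python
"""Structured pass over a HijackThis 1.99 log.

Parses the R1/O2/O4/O9/O16 line kinds into records and flags: O4 autostarts whose command
is a bare filename (cross-checked against the 'Running processes' list), O2/O9 registrations
marked '(file missing)', and an R1 ProxyServer that points at the local machine.
"""
import re
from dataclasses import dataclass

# Constructed sample; the download URL is a placeholder, the other lines follow the log format.
SAMPLE_LOG = """\
Running processes:
C:\\WINDOWS\\LOADQM.EXE
C:\\WINDOWS\\SYSTEM\\SYSTRAY.EXE
C:\\WINDOWS\\SYSTEM\\GSICON.EXE
C:\\PROGRAM FILES\\SYGATE\\SPF\\SMC.EXE

R1 - HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings,ProxyServer = http=localhost:8080;https=localhost:8080
O2 - BHO: Hitware Popup Killer Lite - {604B283A-4E26-4504-98E7-72859F949547} - C:\\PROGRA~1\\HITWAR~1\\SYPCMS.DLL
O4 - HKLM\\..\\Run: [CountrySelection] pctptt.exe
O4 - HKLM\\..\\Run: [LoadQM] loadqm.exe
O4 - HKLM\\..\\Run: [TaskMonitor] C:\\WINDOWS\\taskmon.exe
O4 - HKLM\\..\\Run: [SystemTray] SysTray.Exe
O4 - HKLM\\..\\Run: [GSICONEXE] GSICON.EXE
O4 - HKLM\\..\\Run: [ccApp] "C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe"
O4 - HKLM\\..\\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\\bdoscandel.exe (file missing)
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://scanner.example.invalid/kavwebscan.cab
"""

O4_RE = re.compile(r"^O4 - (?P<hive>.+?): \[(?P<name>[^\]]*)\] (?P<command>.*)$")
R1_RE = re.compile(r"^R1 - (?P<key>.+?),(?P<value>\w+) = (?P<data>.*)$")
CLSID_RE = re.compile(r"^(?P<kind>O[29]) - (?P<what>.+?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<target>.*)$")
O16_RE = re.compile(r"^O16 - DPF: \{(?P<clsid>[0-9A-Fa-f-]+)\} \((?P<name>[^)]*)\) - (?P<url>\S+)$")
LOCAL_PROXY_RE = re.compile(r"(?:localhost|127\.0\.0\.1):\d+", re.IGNORECASE)


@dataclass
class Finding:
    kind: str   # which check fired
    item: str   # the value name / button / control the line describes
    note: str   # what a reviewer should do with it


def parse_processes(log_text):
    """Full paths listed under 'Running processes:' (up to the first blank line)."""
    procs, inside = [], False
    for line in log_text.splitlines():
        if line.strip() == "Running processes:":
            inside = True
            continue
        if inside:
            if not line.strip():
                break
            procs.append(line.strip())
    return procs


def first_token(command):
    """Executable part of an autostart command: a quoted path or the first whitespace token."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split()[0] if command else ""


def triage(log_text):
    """Apply the checks to every recognised line and return the list of findings."""
    running = {p.rsplit("\\", 1)[-1].lower(): p for p in parse_processes(log_text)}
    findings = []
    for line in log_text.splitlines():
        if m := O4_RE.match(line):
            exe = first_token(m["command"])
            if "\\" not in exe and ":" not in exe:  # bare filename: the loader resolves it via the search path
                seen = running.get(exe.lower())
                where = f"currently running as {seen}" if seen else "no matching running process"
                findings.append(Finding("O4-bare-filename", m["name"], f"'{exe}' carries no path; {where}"))
        elif m := R1_RE.match(line):
            if m["value"].lower() == "proxyserver" and LOCAL_PROXY_RE.search(m["data"]):
                findings.append(Finding("R1-local-proxy", m["value"],
                                        "browser traffic goes through a listener on this machine; "
                                        "identify the process that owns that port"))
        elif m := CLSID_RE.match(line):
            if m["target"].endswith("(file missing)"):
                findings.append(Finding(f"{m['kind']}-orphan", m["what"],
                                        "registered target no longer exists; the registration can be removed"))
        elif m := O16_RE.match(line):
            host = m["url"].split("/")[2] if "//" in m["url"] else m["url"]
            findings.append(Finding("O16-downloaded-control", m["name"],
                                    f"ActiveX control fetched from {host}; keep only scanners you ran on purpose"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.kind:24} {f.item:20} {f.note}")
```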
Old 09-09-2006, 02:53 AM   #13 (permalink)
Moderator, Microsoft Support
 
 
Join Date: Jul 2004
Location: United Kingdom
Posts: 6,482
OS: XP SP2


Interesting.

Your results are looking clear.

c:\Program Files\Symantec AntiVirus\Quarantine\ < - this is the folder I want you to clear, as Kaspersky found infections in it.

Can you run Task Manager?
Press Ctrl + Alt + Del; if Task Manager opens, then you're not locked out.

Download Dr.Web CureIt & save it on desktop. We shall be using it later
  • Double-click the drweb-cureit.exe file and allow it to run the express scan
  • This will scan the files currently running in memory; when something is found, click the Yes button when it asks if you want to cure it. This is only a short scan.
  • Once the short scan has finished, mark the drives that you want to scan.
  • Select all drives. A red dot shows which drives have been chosen.
  • Click the green arrow at the right, and the scan will start.
  • Click 'Yes to all' if it asks if you want to cure/move the file.
  • When the scan has finished, see whether you can click the next icon next to the files found:
  • If so, click it, then click the next icon right below and select Move incurable, as you'll see in the next image:

    This will move it to the %userprofile%\DoctorWeb\quarantaine folder if it can't be cured (in case we need samples).
  • After selecting, in the Dr.Web CureIt menu on top, click file and choose save report list
  • Save the report to your desktop. The report will be called DrWeb.csv
  • Close Dr.Web Cureit.
  • Reboot your computer!! Files that are in use may only be moved/deleted during the reboot.
  • After reboot, post the contents of the log from Dr.Web you saved previously in your next reply.

** The scan will take at least an hour. I suggest that you go grab a cup of coffee & do something else while you wait for it to complete.
__________________


POADB is offline  
Old 09-09-2006, 12:36 PM   #14 (permalink)
Registered User
 
Join Date: Aug 2006
Posts: 31
OS: Win98SE


Just a quickie POADB, I'll do the rest later on...

You said 'C:\Program Files\Symantec AntiVirus\Quarantine\ < - this is the folder I want you to clear, as Kaspersky found infections in it.' But Symantec shows the Quarantine folder with nothing in it....

This is really odd, is there any way I could locate and delete the file?

You said 'Can you run Task Manager? Press Ctrl + Alt + Del; if Task Manager opens, then you're not locked out.'

And the answer is yes I can run the Task Manager.

Thanks and regards,

CB.
Countryboy is offline  
Old 09-10-2006, 02:13 AM   #15 (permalink)
Moderator, Microsoft Support
 
 
Join Date: Jul 2004
Location: United Kingdom
Posts: 6,482
OS: XP SP2


Do a Search on your Computer for *.vbn
This will search your computer for all files with the file extension VBN.
Delete the numbered files that show in this folder:

C:\Program Files\Symantec AntiVirus\Quarantine\

Let me know how you get on with DrWeb
__________________


POADB is offline  
Old 09-11-2006, 01:43 PM   #16 (permalink)
Registered User
 
Join Date: Aug 2006
Posts: 31
OS: Win98SE


Interesting DrWeb results...

Hi POADB, I searched for files of type .vbn but none were found... very curious.

I ran the DrWeb scan as requested; here are the results. I thought there were four entries; should I run it again to check?

Process.exe;C:\WINDOWS\Desktop\smitRem;Tool.Prockill;Incurable.Moved.;
Process.exe;C:\smitrem\smitRem;Tool.Prockill;Incurable.Moved.;
Sys486.exe;C:\Sys;Trojan.Robber;Deleted.;

I ran Adaware again and it came up clean; Spybot S&D now only finds 1 entry for Windows.Explorer and 1 entry for SpySheriff.

Progress is definitely being made, thanks!

Cheers,

CB.
Countryboy is offline  
Old 09-14-2006, 01:17 AM   #17 (permalink)
Moderator, Microsoft Support
 
 
Join Date: Jul 2004
Location: United Kingdom
Posts: 6,482
OS: XP SP2


Can you post a log from SpyBot? It would be interesting to see where it finds the entries.
__________________


POADB is offline  
Old 09-14-2006, 05:50 AM   #18 (permalink)
Registered User
 
Join Date: Aug 2006
Posts: 31
OS: Win98SE


SpyBot Log...

Hi POADB, the log is below..

Were the DrWeb results significant?

--- Search result list ---
Windows.Explorer: User settings (Registry change, nothing done)
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\ForceActiveDesktopOn!=W=0

SpySheriff: Settings (Registry change, nothing done)
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\ForceActiveDesktopOn!=dword:0


--- Spybot - Search && Destroy version: 1.3 ---
2006-09-08 Includes\Cookies.sbi
2006-09-08 Includes\Dialer.sbi
2006-09-08 Includes\Hijackers.sbi
2006-09-08 Includes\Keyloggers.sbi
2006-09-08 Includes\Malware.sbi
2006-09-08 Includes\Revision.sbi
2006-09-08 Includes\Security.sbi
2006-09-08 Includes\Spybots.sbi
2006-09-08 Includes\Trojans.sbi
2005-02-17 Includes\Tracks.uti
2006-09-08 Includes\PUPS.sbi
2004-11-29 Includes\LSP.sbi


--- System information ---
Windows 98 (Build: 2222) A
/ DataAccess: Microsoft Data Access Components KB870669
/ DataAccess: Buffer Overrun in Microsoft Data Access Components Could Lead to Code Execution
/ DirectX: DirectX Update 819696
/ Windows Media Player: Windows Media Update 819639
/ Windows Media Player: Windows Media Update 837272
/ Windows Media Player: Windows Media Update 885492
/ .NETFramework / 1.1: Microsoft .NET Framework 1.1 Service Pack 1 (KB867460)


--- Startup entries list ---
Located: HK_LM:Run, ccApp
command: "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
file: C:\Program Files\Common Files\Symantec Shared\ccApp.exe
size: 67184
MD5: eb992a85c604a9977e1161e6560ba611

Located: HK_LM:Run, C-Media Mixer
command: Mixer.exe /startup
file: C:\WINDOWS\Mixer.exe
size: 794624
MD5: c4af378e453e8941b1f9c44821456492

Located: HK_LM:Run, CountrySelection
command: pctptt.exe
file: C:\WINDOWS\pctptt.exe
size: 71168
MD5: aba61c54d15255813c031a928d0e41f1

Located: HK_LM:Run, CriticalUpdate
command: C:\WINDOWS\SYSTEM\wucrtupd.exe -startup
file: C:\WINDOWS\SYSTEM\wucrtupd.exe
size: 131072
MD5: 047d008c28818ff85cd77daede62bc3e

Located: HK_LM:Run, DSLAGENTEXE
command: DSLAGENT.EXE
file: C:\WINDOWS\SYSTEM\DSLAGENT.EXE
size: 16384
MD5: bdfeba9fe0a57cd2b1e4df98d567b48f

Located: HK_LM:Run, GSICONEXE
command: GSICON.EXE
file: C:\WINDOWS\SYSTEM\GSICON.EXE
size: 65536
MD5: 6da50d09c391449fe81affebfb06186e

Located: HK_LM:Run, LoadPowerProfile
command: Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
file: C:\WINDOWS\Rundll32.exe
size: 24576
MD5: 3857d93aa630abbd63467db4aeffce2c

Located: HK_LM:Run, LoadQM
command: loadqm.exe
file: C:\WINDOWS\loadqm.exe
size: 7536
MD5: 69d7217f9d7f49d6706baf90f52b472b

Located: HK_LM:Run, PTSNOOP
command: ptsnoop.exe

Located: HK_LM:Run, ScanRegistry
command: C:\WINDOWS\scanregw.exe /autorun
file: C:\WINDOWS\scanregw.exe
size: 86016
MD5: f123231689e2ab2fa5c636b99314501f

Located: HK_LM:Run, SystemTray
command: SysTray.Exe
file: C:\WINDOWS\SYSTEM\SysTray.Exe
size: 32768
MD5: 73681085dcd0997e531240100ca12b28

Located: HK_LM:Run, TaskMonitor
command: C:\WINDOWS\taskmon.exe
file: C:\WINDOWS\taskmon.exe
size: 28672
MD5: f795110611101279aa15997801abaca0

Located: HK_LM:Run, Tweak UI
command: RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
file: C:\WINDOWS\RUNDLL32.EXE
size: 24576
MD5: 3857d93aa630abbd63467db4aeffce2c

Located: HK_LM:Run, vptray
command: C:\PROGRA~1\SYMANT~1\VPTRAY.EXE
file: C:\PROGRA~1\SYMANT~1\VPTRAY.EXE
size: 120640
MD5: fb7c5949dca2d774461758c0f259f470

Located: HK_LM:RunServices, ccEvtMgr
command: "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
file: C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
size: 255600
MD5: ed26d9d0fc355fc48b90d5226462faae

Located: HK_LM:RunServices, ccSetMgr
command: "C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe"
file: C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
size: 243312
MD5: e7c059304fe47b7f8fa5341dd17ef9dc

Located: HK_LM:RunServices, defwatch
command: C:\PROGRA~1\SYMANT~1\DEFWATCH.EXE
file: C:\PROGRA~1\SYMANT~1\DEFWATCH.EXE
size: 30528
MD5: 64bfd65d2384521f2c55ea2d417a7275

Located: HK_LM:RunServices, LoadPowerProfile
command: Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
file: C:\WINDOWS\Rundll32.exe
size: 24576
MD5: 3857d93aa630abbd63467db4aeffce2c

Located: HK_LM:RunServices, rtvscn95
command: C:\PROGRA~1\SYMANT~1\RTVSCN95.EXE
file: C:\PROGRA~1\SYMANT~1\RTVSCN95.EXE
size: 1058632
MD5: 469179f8821752d18c24f62bcf69e858

Located: HK_LM:RunServices, SchedulingAgent
command: mstask.exe
file: C:\WINDOWS\SYSTEM\mstask.exe
size: 111888
MD5: e2460018cb7c7d185b6278f7c1770151

Located: HK_LM:RunServices, Tweak UI
command: RUNDLL32.EXE TWEAKUI.CPL,TweakLogon
file: C:\WINDOWS\RUNDLL32.EXE
size: 24576
MD5: 3857d93aa630abbd63467db4aeffce2c

Located: HK_LM:RunServices, (DISABLED)
command:

Located: HK_CU:Run, MsnMsgr
command: "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
file: C:\Program Files\MSN Messenger\MsnMsgr.Exe
size: 6856704
MD5: 79ac63592f9b6750f2026a2520c11bee



--- Browser helper object list ---
{604B283A-4E26-4504-98E7-72859F949547} (Hitware Popup Killer Lite)
BHO name:
CLSID name: Hitware Popup Killer Lite
description: Hitware Popup Killer Lite
classification: Legitimate
known filename: sypcms.dll
info link:
info source: TonyKlein
Path: C:\PROGRA~1\HITWAR~1\
Long name: sypcms.dll
Short name: SYPCMS.DLL
Date (created): 13-02-04 7:37:26 AM
Date (last access): 14-09-06
Date (last write): 13-02-04 7:37:26 AM
Filesize: 150528
Attributes: archive
MD5: 32E59271C1D6347D1F205BF43728675E
CRC32: 1F21D366
Version: 0.3.0.0

{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (AcroIEHlprObj Class)
BHO name:
CLSID name: AcroIEHlprObj Class
description: Adobe Acrobat reader
classification: Legitimate
known filename: AcroIEhelper.ocx<br>AcroIEhelper.dll
info link: http://www.adobe.com/products/acrobat/readstep2.html
info source: TonyKlein
Path: C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\
Long name: AcroIEHelper.dll
Short name: ACROIE~1.DLL
Date (created): 03-11-03 2:17:44 PM
Date (last access): 14-09-06
Date (last write): 03-11-03 2:17:44 PM
Filesize: 54248
Attributes: archive
MD5: FC7850324464E4D19A24A03D882B5CC4
CRC32: 452E8571
Version: 0.6.0.0



--- ActiveX list ---
Microsoft XML Parser for Java (Microsoft XML Parser for Java)
DPF name: Microsoft XML Parser for Java
CLSID name:
description:
classification: Legitimate
known filename: %WINDIR%\Java\classes\xmldso.cab
info link:
info source: Patrick M. Kolla

DirectAnimation Java Classes (DirectAnimation Java Classes)
DPF name: DirectAnimation Java Classes
CLSID name:
description:
classification: Legitimate
known filename: %WINDIR%\Java\classes\dajava.cab
info link:
info source: Patrick M. Kolla

Internet Explorer Classes for Java (Internet Explorer Classes for Java)
DPF name: Internet Explorer Classes for Java
CLSID name:
description:
classification: Legitimate
known filename: %WINDIR%\Java\classes\iejava.cab
info link:
info source: Patrick M. Kolla

{9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class)
DPF name:
CLSID name: Update Class
description: Windows Update
classification: Legitimate
known filename: %WINDIR%\System32\iuctl.dll,iuengine.dll
info link:
info source: Patrick M. Kolla
Path: C:\WINDOWS\SYSTEM\
Long name: iuctl.dll
Short name: IUCTL.DLL
Date (created): 21-08-03 4:47:54 PM
Date (last access): 14-09-06
Date (last write): 21-08-03 4:47:54 PM
Filesize: 162400
Attributes:
MD5: DB2F1F57D3057FEBC19C61AB9AA77198
CRC32: 5A03D776
Version: 0.5.0.3

{D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object)
DPF name:
CLSID name: Shockwave Flash Object
description: Macromedia Shockwave Flash Player
classification: Legitimate
known filename:
info link:
info source: Patrick M. Kolla
Path: C:\WINDOWS\SYSTEM\MACROMED\FLASH\
Long name: Flash8.ocx
Short name: FLASH8.OCX
Date (created): 27-08-05 1:38:56 PM
Date (last access): 13-09-06
Date (last write): 27-08-05 1:38:56 PM
Filesize: 1435272
Attributes:
MD5: 900373C059C2B51CA91BF110DBDECB33
CRC32: F19599BC
Version: 0.8.0.0

{7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class)
DPF name:
CLSID name: WScanCtl Class
Path: C:\WINDOWS\DOWNLOADED PROGRAM FILES\
Long name: webscan.dll
Short name: WEBSCAN.DLL
Date (created): 21-07-06 6:50:14 PM
Date (last access): 11-09-06
Date (last write): 21-07-06 6:50:14 PM
Filesize: 180282
Attributes:
MD5: C2AB04247A8FE05AFC924447568D18C5
CRC32: 5C6624F7
Version: 0.1.0.1

{5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control)
DPF name:
CLSID name: BDSCANONLINE Control
Path: C:\WINDOWS\DOWNLO~1\
Long name: oscan8.ocx
Short name: OSCAN8.OCX
Date (created): 01-06-06 2:54:16 AM
Date (last access): 13-09-06
Date (last write): 01-06-06 2:54:16 AM
Filesize: 471040
Attributes:
MD5: 9026F860148F0569BD92AEEFC4BDDFD7
CRC32: D1520CCE
Version: 0.1.0.0

{9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class)
DPF name:
CLSID name: ActiveScan Installer Class
Path: C:\WINDOWS\DOWNLOADED PROGRAM FILES\
Long name: asinst.dll
Short name: ASINST.DLL
Date (created): 11-04-06 5:10:10 PM
Date (last access): 13-09-06
Date (last write): 11-04-06 5:10:10 PM
Filesize: 135168
Attributes:
MD5: 7267AE9C8DF527C30885DC29687D2A9B
CRC32: 1B1733A3
Version: 0.58.0.5

{0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object)
DPF name:
CLSID name: CKAVWebScan Object
Path: C:\WINDOWS\SYSTEM\KASPERSKY LAB\KASPERSKY ONLINE SCANNER\
Long name: kavwebscan.dll
Short name: KAVWEB~1.DLL
Date (created): 20-03-06 1:16:18 PM
Date (last access): 11-09-06
Date (last write): 20-03-06 1:16:18 PM
Filesize: 790528
Attributes:
MD5: 18A743EBF05BD2E8D6004E1EFEA4E2A8
CRC32: 4259AC71
Version: 0.5.0.0



--- Process list ---
Spybot - Search && Destroy process list report, 14-09-06 12:12:14 PM

PID: 4291821213 (2121243777) C:\WINDOWS\SYSTEM\KERNEL32.DLL
PID: 4294182605 (4294846797) C:\PROGRAM FILES\SPYBOT - SEARCH & DESTROY\SPYBOTSD.EXE
PID: 4294256137 (4294325969) C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
PID: 4294301705 (4294325969) C:\WINDOWS\SYSTEM\PSTORES.EXE
PID: 4294325969 (4294846797) C:\PROGRAM FILES\OUTLOOK EXPRESS\MSIMN.EXE
PID: 4294356353 (4294325969) C:\WINDOWS\SYSTEM\DDHELP.EXE
PID: 4294391137 (4294469693) C:\PROGRAM FILES\SYGATE\SPF\SMC.EXE
PID: 4294432493 (4294846797) C:\PROGRAM FILES\PROXOMITRON NAOKO-4\PROXOMITRON.EXE
PID: 4294548941 (4294705685) C:\WINDOWS\SYSTEM\RNAAPP.EXE
PID: 4294617953 (4294846797) C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
PID: 4294647413 (4294846797) C:\WINDOWS\MIXER.EXE
PID: 4294650741 (4294846797) C:\WINDOWS\SYSTEM\GSICON.EXE
PID: 4294660421 (4294846797) C:\WINDOWS\SYSTEM\DSLAGENT.EXE
PID: 4294665241 (4294548941) C:\WINDOWS\SYSTEM\TAPISRV.EXE
PID: 4294673041 (4294846797) C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
PID: 4294679241 (4294846797) C:\WINDOWS\LOADQM.EXE
PID: 4294690245 (4294846797) C:\PROGRAM FILES\SYMANTEC ANTIVIRUS\VPTRAY.EXE
PID: 4294714129 (4294846797) C:\WINDOWS\TASKMON.EXE
PID: 4294756653 (4294904073) C:\WINDOWS\SYSTEM\mmtask.tsk
PID: 4294764273 (4294851513) C:\WINDOWS\SYSTEM\WMIEXE.EXE
PID: 4294846797 (4294859829) C:\WINDOWS\EXPLORER.EXE
PID: 4294851513 (4294859829) C:\WINDOWS\SYSTEM\SYSTRAY.EXE
PID: 4294859829 (4294917753) C:\WINDOWS\SYSTEM\MSTASK.EXE
PID: 4294879461 (4294917753) C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
PID: 4294889165 (4294917753) C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCSETMGR.EXE
PID: 4294904073 (4291821213) C:\WINDOWS\SYSTEM\MSGSRV32.EXE
PID: 4294917753 (4294904073) C:\WINDOWS\SYSTEM\MPREXE.EXE
PID: 4294921005 (4294917753) C:\PROGRAM FILES\SYMANTEC ANTIVIRUS\DEFWATCH.EXE
PID: 4294933349 (4294917753) C:\PROGRAM FILES\SYMANTEC ANTIVIRUS\RTVSCN95.EXE


--- Browser start & search pages list ---
Spybot - Search && Destroy browser pages report, 14-09-06 12:12:14 PM

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Local Page
C:\WINDOWS\SYSTEM\blank.htm
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Search Page
http://www.microsoft.com/isapi/redir...ie&ar=iesearch
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Search Bar
http://search.msn.com/spbasic.htm
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Start Page
http://www.google.com/
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Default_Page_URL
www.google.com
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Search\@
http://www.microsoft.com/isapi/redir...ie&ar=iesearch
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchUrl\@
http://home.microsoft.com/access/autosearch.asp?p=%s
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Local Page
C:\WINDOWS\SYSTEM\blank.htm
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Search Page
http://www.microsoft.com/isapi/redir...ie&ar=iesearch
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Start Page
http://www.msn.com/
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Default_Page_URL
www.google.com
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Default_Search_URL
http://www.microsoft.com/isapi/redir...ie&ar=iesearch
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search\@
http://www.microsoft.com/isapi/redir...ie&ar=iesearch
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search\SearchAssistant
http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search\CustomizeSearch
http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm


--- Winsock Layered Service Provider list ---
Protocol 0: MS.w95.spi.osp
GUID: {FF017DE1-CAE9-11CF-8A99-00AA0062C609}
Filename: C:\WINDOWS\SYSTEM\mswsosp.dll
Description: Microsoft Windows 9x/ME name space provider
DB filename: %windir%\system\mswsosp.dll
DB protocol: MS.w95.spi.*

Protocol 1: MS.w95.spi.tcp
GUID: {FF017DE0-CAE9-11CF-8A99-00AA0062C609}
Filename: C:\WINDOWS\SYSTEM\msafd.dll
Description: Microsoft Windows 9x/ME network protocol
DB filename: %windir%\system\msafd.dll
DB protocol: MS.w95.spi.*

Protocol 2: MS.w95.spi.udp
GUID: {FF017DE0-CAE9-11CF-8A99-00AA0062C609}
Filename: C:\WINDOWS\SYSTEM\msafd.dll
Description: Microsoft Windows 9x/ME network protocol
DB filename: %windir%\system\msafd.dll
DB protocol: MS.w95.spi.*

Protocol 3: MS.w95.spi.raw
GUID: {FF017DE0-CAE9-11CF-8A99-00AA0062C609}
Filename: C:\WINDOWS\SYSTEM\msafd.dll
Description: Microsoft Windows 9x/ME network protocol
DB filename: %windir%\system\msafd.dll
DB protocol: MS.w95.spi.*

Protocol 4: MS.w95.spi.rsvptcp
GUID: {ECBDCBA0-334A-11D0-BD88-0000C082E69A}
Filename: C:\WINDOWS\SYSTEM\rsvpsp.dll
Description: Microsoft Windows 9x/ME network protocol
DB filename: %windir%\system\rsvoso.dll
DB protocol: MS.w95.spi.*

Protocol 5: MS.w95.spi.rsvpudp
GUID: {ECBDCBA0-334A-11D0-BD88-0000C082E69A}
Filename: C:\WINDOWS\SYSTEM\rsvpsp.dll
Description: Microsoft Windows 9x/ME network protocol
DB filename: %windir%\system\rsvoso.dll
DB protocol: MS.w95.spi.*

Namespace Provider 0: DNS Name Space Provider.
GUID: {FF017DE2-CAE9-11CF-8A99-00AA0062C609}
Filename: C:\WINDOWS\SYSTEM\rnr20.dll
Description: Microsoft Windows 9x/ME name space provider
DB filename: %windir%\system\rnr20.dll
DB protocol: DNS Name Space Provider.

Cheers,

CB.
Old 09-14-2006, 11:22 AM   #19 (permalink)
Moderator, Microsoft Support
 
 
Join Date: Jul 2004
Location: United Kingdom
Posts: 6,482
OS: XP SP2


Hi:

Did you follow this part of my first set of instructions? Please advise:

Next go to Control Panel click Display > Desktop > Customize Desktop > Web
Remove the check by "View my Active desktop as a web page".
Click OK then Apply and OK.

That should relate to:

Quote:
Windows.Explorer: User settings (Registry change, nothing done)
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\ForceActiveDesktopOn!=W=0

SpySheriff: Settings (Registry change, nothing done)
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\ForceActiveDesktopOn!=dword:0
This would identify that the Active Desktop has been disabled.

How is the computer performing generally?
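An added example, not code from this thread and not Spybot's or HijackThis's own code: a small Python parser for Spybot S&D "Registry change" findings like the two quoted in the post above. It pulls out the hive, key, value name and the expected value, then compares them against a registry snapshot (constructed inline here as a dictionary, not read from a live hive) to report whether the ForceActiveDesktopOn policy has actually been reset. Assumptions: that "!=W=0" and "!=dword:0" both mean "this value should be DWORD 0", and that an absent policy value counts as remediated because nothing is forcing Active Desktop on.

```python
import re
from typing import Dict, List, NamedTuple, Optional, Tuple

# Spybot S&D reports a registry finding as a header line
#   "<Name>: <Category> (Registry change, nothing done)"
# followed by a detail line
#   "<hive>\<subkey>\<value name>!=<expected>"
# The part after "!=" is assumed here to be the value Spybot wants to see.
HEADER_RE = re.compile(r"^(?P<name>[^:]+): (?P<category>.+) \((?P<kind>[^)]*)\)$")
DETAIL_RE = re.compile(r"^(?P<path>HKEY_[A-Z_]+\\.+?)\s*!=(?P<expected>.+)$")

# Constructed sample: the two findings quoted in the thread, with the
# forum-inserted spaces removed.
SAMPLE_LOG = r"""
Windows.Explorer: User settings (Registry change, nothing done)
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\ForceActiveDesktopOn!=W=0

SpySheriff: Settings (Registry change, nothing done)
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\ForceActiveDesktopOn!=dword:0
"""

POLICY_KEY = r".DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"

# Constructed registry snapshots: (hive, key) -> {value name: DWORD}.
INFECTED_SNAPSHOT = {("HKEY_USERS", POLICY_KEY): {"ForceActiveDesktopOn": 1}}
CLEAN_SNAPSHOT = {("HKEY_USERS", POLICY_KEY): {"ForceActiveDesktopOn": 0}}


class Finding(NamedTuple):
    name: str
    category: str
    hive: str
    key: str
    value_name: str
    expected: Optional[int]  # None when the expected-value token is not understood


def parse_expected(token: str) -> Optional[int]:
    """Decode Spybot's expected-value token; 'W=<n>' is decimal, 'dword:<hex>' is hex."""
    m = re.fullmatch(r"W=(\d+)", token)
    if m:
        return int(m.group(1))
    m = re.fullmatch(r"dword:([0-9A-Fa-f]+)", token)
    if m:
        return int(m.group(1), 16)
    return None


def parse_spybot(text: str) -> List[Finding]:
    """Pair each header line with the registry detail line that follows it."""
    findings: List[Finding] = []
    header = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        h = HEADER_RE.match(line)
        if h:
            header = h
            continue
        d = DETAIL_RE.match(line)
        if d and header:
            hive, _, rest = d.group("path").rstrip().partition("\\")
            key, _, value_name = rest.rpartition("\\")
            findings.append(Finding(header["name"], header["category"], hive, key,
                                    value_name, parse_expected(d.group("expected"))))
            header = None
    return findings


def check_remediated(findings: List[Finding],
                     snapshot: Dict[Tuple[str, str], Dict[str, int]]) -> Dict[str, Optional[bool]]:
    """Map each finding name to True (value is as expected or absent), False, or None (undecidable)."""
    results: Dict[str, Optional[bool]] = {}
    for f in findings:
        actual = snapshot.get((f.hive, f.key), {}).get(f.value_name)
        if f.expected is None:
            results[f.name] = None
        elif actual is None:
            results[f.name] = True  # assumption: no value set means nothing is forcing the policy
        else:
            results[f.name] = actual == f.expected
    return results


if __name__ == "__main__":
    found = parse_spybot(SAMPLE_LOG)
    for label, snap in (("before fix", INFECTED_SNAPSHOT), ("after fix", CLEAN_SNAPSHOT)):
        print(label, check_remediated(found, snap))
```

Run against the "before fix" snapshot both findings report False; against the "after fix" snapshot both report True, which is the state the user should see once Spybot has applied the fix and the machine has been rebooted. A real check would read the value with the registry API on the affected machine and hand the result to check_remediated in the same (hive, key) shape.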
Old 09-15-2006, 01:42 PM   #20 (permalink)
Registered User
 
Join Date: Aug 2006
Posts: 31
OS: Win98SE


All instructions followed...

Hi POADB, I did indeed 'Remove the check by "View my Active desktop as a web page", Click OK then Apply and OK.'

The route for me on Win98SE was Control Panel > Display > Web

I re-ran Spybot S&D and this time I told it to fix the problem. When I rebooted and scanned again it no longer finds those two entries. So hopefully that is an end to it.

My computer is running clean with no pop-ups or any indication of browser hijacks. It may be running a little slowly, I have my fingers crossed that it's not due to anything untoward.

Regarding the DrWeb scan, do I need to do anything about the results?

Process.exe;C:\WINDOWS\Desktop\smitRem;Tool.Prockill;Incurable.Moved.;
Process.exe;C:\smitrem\smitRem;Tool.Prockill;Incurable.Moved.;
Sys486.exe;C:\Sys;Trojan.Robber;Deleted.;

Should I rerun any of the tools to make sure nothing remains?

I have really appreciated your support and expertise in getting my computer clean again. I felt such an idiot to have been so careless.

Thanks and regards,

CB.
 


Copyright 2001 - 2009, Tech Support Forum