Troj_Agent.jah

[funk.pie]

Greetings ,
A few evenings ago I noticed a new program on my desktop called spysherrif. I ran a virus scan on trendmicro and it came up TROJ_AGENT.JAH. It was also called downloader-AFH. Ever since, in IE, when a result from a google search is clicked, the page that pulls up is not the intended page. It gets redirected, seemingly to a bogus webpage. Using firefox does not seem to be affected. I read through the "read before posting" sticky and followed the directions. I was hoping someone can direct my in the right direction on how to get rid of whatever it is on my PC. Trendmicro also called the virus troj/spywad-AO and win32/oneraw!generic. A hijackthis log is included below. Thanks for anything you can do.

Logfile of HijackThis v1.99.1
Scan saved at 8:52:35 PM, on 1/24/07
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\KB918547\KB918547.EXE
C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\COMMON FILES\ADAPTEC SHARED\CREATECD\CREATECD50.EXE
C:\PROGRAM FILES\ADAPTEC\EASY CD CREATOR 5\DIRECTCD\DIRECTCD.EXE
C:\PROGRAM FILES\LEXMARK X74-X75\LXBBBMGR.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\WINAMP\WINAMPA.EXE
C:\PROGRAM FILES\LEXMARK X74-X75\LXBBBMON.EXE
C:\WINDOWS\SYSTEM\LEXBCES.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\LEXPPS.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\HIJACKTHIS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gmail.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\BellSouth\hcenter.exe" /starthidden /tgcmdwrapper
O4 - HKLM\..\Run: [LimeShop] wjview /cp:p "C:\Program Files\LimeShop\System\Code" Main lp: "C:\Program Files\LimeShop"
O4 - HKLM\..\Run: [CreateCD50] "C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [Lexmark X74-X75] "C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe"
O4 - HKLM\..\Run: [LexStart] lexstart.exe
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [yaemu.exe] C:\WINDOWS\SYSTEM\yaemu.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [KB918547] C:\WINDOWS\SYSTEM\KB918547\KB918547.EXE
O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: LimeShop Preferences - file://C:\Program Files\LimeShop\System\Temp\limeshop_script0.htm
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmwordtrans.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsimilar.html
O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate Page into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmtrans.html
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_03\bin\npjpi150_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_03\bin\npjpi150_03.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {E008A543-CEFB-4559-912F-C27C2B89F13B} (Domino Web Access 7 Control) - http://shelbyville.webmail.summitpolymers.com/dwa7.cab
O16 - DPF: {B49C4597-8721-4789-9250-315DFBD9F525} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/radio/amp...1.11_en_dl.cab
O16 - DPF: Word Craft by pogo - http://game1.pogo.com/applet-6.8.1.3...bble-en_US.cab
O16 - DPF: Mah Jong Garden by pogo - http://game1.pogo.com/applet-6.8.1.3...jong-en_US.cab
O16 - DPF: Poppit by pogo - http://game1.pogo.com/applet-6.8.4.5...pit2-en_US.cab
O16 - DPF: Yahoo! Euchre - http://download2.games.yahoo.com/gam...ts/y/et3_x.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/reso...an8/oscan8.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/is...47/mcfscan.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 85.255.116.23,85.255.112.74

[funk.pie]

to the top...

[funk.pie]

bumpski

[Ried]

Hello funk.pie and welcome to TSF,

We need to go after the Wareout infection first. Once I see that is gone, we will go after the Smitfraud infection.

Please copy this page to Notepad and save to your desktop for reference as you will not have any browsers open while you are carrying out portions of these instructions.

***************************************************

Please download FixWareout from one of these sites:
http://downloads.subratam.org/Fixwareout.exe
http://www.bleepingcomputer.com/file...Fixwareout.exe

• Save it to your desktop and run it.
• Click "Next", then Install, make sure "Run fixit" is checked and click Finish.
• The fix will begin: Please follow the prompts.
• You will be asked to reboot your computer: Please do so.
• Your system may take longer than usual to load and this is normal.

Once the desktop loads a text file will open (report.txt), you can close it - the file has already been saved.

--------------------------------------------------------------------

Run HijackThis. Click "Do a System Scan Only" , and place a check next to the following items (if found):

O4 - HKLM\..\Run: [yaemu.exe] C:\WINDOWS\SYSTEM\yaemu.exe
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 85.255.116.23,85.255.112.74

Click FIX CHECKED. Close HijackThis.

--------------------------------------------------------------------

Open My Computer. Select the View menu and click Folder Options.
*Select the View Tab
*Select Show all files in the Hidden files section.
*Also make sure there is no checkmark beside Hide file extensions for known file types. Click OK.

--------------------------------------------------------------------

Using 'My Computer', navigate to and delete the following file:

C:\WINDOWS\SYSTEM\ yaemu.exe

--------------------------------------------------------------------

Please include the following in your next reply:

C:\fixwareout\report.txt
New HijackThis log

[funk.pie]

Alright, thanks for the info, Reid! FWIW, there was no such file C:\windows\system\yaemu.exe to delete.

anyhow, here are the reports:

Fixwareout
Last edited 1/27/2007
Post this report in the forums please

Reg Entries that were deleted
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}87C2B4A54000-3EB8-BD11-287A-0A3104D7{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\lonmd
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\0mdm
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\1mdm
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\yqdm


Microsoft (R) Windows Script Host Version 5.6
Random Runs removed from HKLM
"csscj.exe"=-
"dmnol.exe"=-
...

PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, There WILL be legitimate FILES LISTED. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.

»»»»» Search by size and names...

»»»»» Misc files

ECHO is off
Search five digit cs, dm and jb files
This WILL/CAN also list Legit Files, Submit them at Virustotal
C:\WINDOWS\SYSTEM\CSSCJ.EXE 51,756 2007-01-18
C:\WINDOWS\SYSTEM\DMPGA.EXE 60,456 1999-04-23
C:\WINDOWS\SYSTEM\DMNOL.EXE 60,456 1999-04-23


Logfile of HijackThis v1.99.1
Scan saved at 7:40:06 PM, on 1/29/07
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\KB918547\KB918547.EXE
C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\WINOA386.MOD
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\COMMON FILES\ADAPTEC SHARED\CREATECD\CREATECD50.EXE
C:\PROGRAM FILES\ADAPTEC\EASY CD CREATOR 5\DIRECTCD\DIRECTCD.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\PROGRAM FILES\LEXMARK X74-X75\LXBBBMGR.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\WINAMP\WINAMPA.EXE
C:\PROGRAM FILES\LEXMARK X74-X75\LXBBBMON.EXE
C:\WINDOWS\SYSTEM\LEXBCES.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\LEXPPS.EXE
C:\HIJACKTHIS\HIJACKTHIS.EXE

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\BellSouth\hcenter.exe" /starthidden /tgcmdwrapper
O4 - HKLM\..\Run: [LimeShop] wjview /cp:p "C:\Program Files\LimeShop\System\Code" Main lp: "C:\Program Files\LimeShop"
O4 - HKLM\..\Run: [CreateCD50] "C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [Lexmark X74-X75] "C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe"
O4 - HKLM\..\Run: [LexStart] lexstart.exe
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [KB918547] C:\WINDOWS\SYSTEM\KB918547\KB918547.EXE
O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: LimeShop Preferences - file://C:\Program Files\LimeShop\System\Temp\limeshop_script0.htm
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmwordtrans.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsimilar.html
O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate Page into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmtrans.html
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_03\bin\npjpi150_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_03\bin\npjpi150_03.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {E008A543-CEFB-4559-912F-C27C2B89F13B} (Domino Web Access 7 Control) - http://shelbyville.webmail.summitpolymers.com/dwa7.cab
O16 - DPF: {B49C4597-8721-4789-9250-315DFBD9F525} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/radio/amp...1.11_en_dl.cab
O16 - DPF: Word Craft by pogo - http://game1.pogo.com/applet-6.8.1.3...bble-en_US.cab
O16 - DPF: Mah Jong Garden by pogo - http://game1.pogo.com/applet-6.8.1.3...jong-en_US.cab
O16 - DPF: Poppit by pogo - http://game1.pogo.com/applet-6.8.4.5...pit2-en_US.cab
O16 - DPF: Yahoo! Euchre - http://download2.games.yahoo.com/gam...ts/y/et3_x.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/reso...an8/oscan8.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/is...47/mcfscan.cab

****in along...

[Ried]

Hiya,

Now we can finish off Wareout and move on to the rest of the infection aboard.

Please copy this page to Notepad and save to your desktop for reference as you will not have any browsers open while you are carrying out portions of these instructions.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

***************************************************

Download smitrem and save the file to your desktop.

--------------------------------------------------------------------

Download Adaware SE and install it if you don't have it already. Make sure it's the newest version and check for any updates before running it. Don't run it yet!

--------------------------------------------------------------------

Please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8. (On some systems this is the F5 key)
3) Instead of Windows loading as normal, a menu should appear
4) Use the up arrow key to highlight Safe Mode and press Enter.
5) Login with your usual account. Make sure to close any open browsers.

--------------------------------------------------------------------

Run a scan in HijackThis. Check the following and click 'Fix checked' (after checking them):

O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)

Close HijackThis.

--------------------------------------------------------------------

Using 'My Computer', navigate to and delete the following Files

C:\WINDOWS\SYSTEM\ CSSCJ.EXE
C:\WINDOWS\SYSTEM\ DMPGA.EXE
C:\WINDOWS\SYSTEM\ DMNOL.EXE

--------------------------------------------------------------------

Run the smitRem.exe tool you downloaded earlier. There should be a folder called smitrem created on your desktop. Open it and double click on the RunThis file. Follow the prompts on the screen. Wait for the tool to complete and disk cleanup to finish.

The tool will create a log named smitfiles.txt in the root of your drive, eg: Local Disk C: or partition where your operating system is installed. Post that log along with all others requested in your next reply.

--------------------------------------------------------------------

If you are using Windows 95/98 or Windows ME, you MUST do the following steps that are enclosed in the starting and ending double lines before proceeding any further (if you have problems STOP right now and tell me what the problem is):
========================================================================
Go to Start->Run and type in Notepad and hit OK. Then copy and paste the following into Notepad:

Code:

copy c:\windows\system\wininet.dll c:\windows\desktop
del copy.bat

Save the file as "copy.bat" . Make sure to save it with the quotes. Double click on it.

Reboot. Scan the desktop folder with eTrust Web Scanner at http://www3.ca.com/securityadvisor/virusinfo/scan.aspx. When done, make sure the box is checked for wininet.dll and click cure.

Go to Start->Run and type in Notepad and hit OK. Then copy and paste the following into Notepad:

Code:

del c:\windows\system\wininet.dll
del c:\windows\system\oleadm.dll
del c:\windows\system\oleext.dll
copy c:\windows\desktop\wininet.dll c:\windows\system
del delete.bat

Save the file as "delete.bat" . Make sure to save it with the quotes. Double click on it.
========================================================================

Open Ad-aware and do a full scan. Remove all it finds.

--------------------------------------------------------------------

Right click on your desktop and go to Properties. Then go to the Desktop tab and click on Customize Desktop. Go to the Web tab and delete everything there except My Current Home Page (which should be unchecked). Click OK.

--------------------------------------------------------------------

Restart your computer to get back to Normal Mode.

--------------------------------------------------------------------

Please run this online scan to search for any remnants. It can take some time, so please be patient and allow it to run it's full course:

Perform an online scan with Internet Explorer with Panda ActiveScan

1. Click on located at the bottom of the page.
2. A "pop up" window will appear. * Please ensure that your pop up blocker doesn't block it *
3. Enter your e-mail address, country, and state & click "Free Online Scan" *The download of the 8 MB Panda's ActiveX control will take place*

Begin the scan by selecting

• If it finds any malware, it will offer you a report.
• Please ignore any entry it finds and the offer to buy the program to remove the entry, as we will address this later.
• Click on then click

* You needn't remain online while it's doing the scan but you have to re-connect after it has finished to see the report.
* Turn off the real time scanner of any existing antivirus program while performing the online scan

--------------------------------------------------------------------

Run a new scan with HijackThis and save the log.

--------------------------------------------------------------------

Please include the following in your next reply:

smitrem.txt
Panda results
New HijackThis log

[funk.pie]

Just to make sure:

Quote:

Originally Posted by Ried

========================================================================
Go to Start->Run and type in Notepad and hit OK. Then copy and paste the following into Notepad:

Code:

copy c:\windows\system\wininet.dll c:\windows\desktop
del copy.bat

Do not include the word "code" with the pasted text, correct?

Quote:

Originally Posted by Ried

Save the file as "copy.bat" . Make sure to save it with the quotes. Double click on it.

Save to the desktop?

Quote:

Originally Posted by Ried

Reboot. Scan the desktop folder with eTrust Web Scanner at http://www3.ca.com/securityadvisor/virusinfo/scan.aspx. When done, make sure the box is checked for wininet.dll and click cure.

Reboot back into safe mode, correct?

Quote:

Originally Posted by Ried

Go to Start->Run and type in Notepad and hit OK. Then copy and paste the following into Notepad:

Code:

del c:\windows\system\wininet.dll
del c:\windows\system\oleadm.dll
del c:\windows\system\oleext.dll
copy c:\windows\desktop\wininet.dll c:\windows\system
del delete.bat

Save the file as "delete.bat" . Make sure to save it with the quotes. Double click on it.
========================================================================

Same procedure as previous, correct?

I won't be able to get to this till later tonight. Thankyou, Reid. -John

[Ried]

My apologies for not being more clear on that. You are correct on all points, John. Just copy/paste the text inside the code box, save it to your desktop and reboot back into Safe Mode.

[funk.pie]

Quote:

Originally Posted by Ried

Reboot. Scan the desktop folder with eTrust Web Scanner at http://www3.ca.com/securityadvisor/virusinfo/scan.aspx. When done, make sure the box is checked for wininet.dll and click cure.

I tried to do the scan in normal mode, but I could not connect to the internet. I rebooted again back into normal mode and did the scan. The scan did not find anything.

Quote:

Originally Posted by Ried

Right click on your desktop and go to Properties. Then go to the Desktop tab and click on Customize Desktop. Go to the Web tab and delete everything there except My Current Home Page (which should be unchecked). Click OK.

This option is not available. I do not have a desktop tab.

I'm afraid we didn't get it. There is still a file called wininet.dll on my desktop. But, here are the logs.

-----------------------------------------------------------------------------------------

smitRem © log file
version 3.2

by noahdfear


Windows 98 [Version 4.10.2222]


Running from
C:\WINDOWS\Desktop\smitRem

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Pre-run SharedTask Export

(GetSTS.exe) SharedTaskScheduler exporter by Lawrence Abrams (Grinler)
Copyright(C) 2006 BleepingComputer.com

Registry Pseudo-Format Mode (Not a valid reg file):

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{438755C2-A8BA-11D1-B96B-00A0C90312E1}\InProcServer32]
@="C:\WINDOWS\SYSTEM\BROWSEUI.DLL"


[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8C7461EF-2B13-11d2-BE35-3078302C2030}\InProcServer32]
@="C:\WINDOWS\SYSTEM\BROWSEUI.DLL"


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
spyaxe uninstaller NOT present
Winhound uninstaller NOT present
SpywareStrike uninstaller NOT present
AlfaCleaner uninstaller NOT present
SpyFalcon uninstaller NOT present
SpywareQuake uninstaller NOT present
SpywareSheriff uninstaller NOT present
Trust Cleaner uninstaller NOT present
SpyHeal uninstaller NOT present
VirusBurst uninstaller NOT present
BraveSentry uninstaller NOT present
AntiVermins uninstaller NOT present
VirusBursters uninstaller NOT present

Existing Pre-run Files


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~



~~~ system folder ~~~

amcompat.tlb
nscompat.tlb


~~~ Icons in system folder ~~~



~~~ Windows directory ~~~

wupdmgr.exe


~~~ Drive root ~~~



~~~ Miscellaneous Files/folders ~~~



~~~~ wininet.dll ~~~~

wininet.dll Present!!


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Starting registry repairs
Registry repairs complete

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SharedTask Export after registry fix

(GetSTS.exe) SharedTaskScheduler exporter by Lawrence Abrams (Grinler)
Copyright(C) 2006 BleepingComputer.com

Registry Pseudo-Format Mode (Not a valid reg file):

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{438755C2-A8BA-11D1-B96B-00A0C90312E1}\InProcServer32]
@="C:\WINDOWS\SYSTEM\BROWSEUI.DLL"


[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8C7461EF-2B13-11d2-BE35-3078302C2030}\InProcServer32]
@="C:\WINDOWS\SYSTEM\BROWSEUI.DLL"


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Deleting files

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Existing Pre-run Files


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~



~~~ system folder ~~~



~~~ Icons in system folder ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~



~~~ Miscellaneous Files/folders ~~~





~~~~ wininet.dll ~~~~

wininet.dll Clean!! :)

--------------------------------------------------------------------------------

Incident Status Location

Adware:adware/limeshop Not disinfected Windows Registry
Potentially unwanted tool:Application/Processor Not disinfected C:\WINDOWS\Desktop\smitRem.exe[smitRem/Process.exe]
Potentially unwanted tool:Application/Processor Not disinfected C:\WINDOWS\Desktop\smitRem\Process.exe
Spyware:Cookie/Atwola Not disinfected C:\WINDOWS\Cookies\john@atwola[1].txt
Spyware:Cookie/Target Not disinfected C:\WINDOWS\Cookies\john@target[1].txt
Spyware:Cookie/Com.com Not disinfected C:\WINDOWS\Cookies\john@com[1].txt

---------------------------------------------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 6:25:15 AM, on 1/31/07
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\KB918547\KB918547.EXE
C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\COMMON FILES\ADAPTEC SHARED\CREATECD\CREATECD50.EXE
C:\PROGRAM FILES\ADAPTEC\EASY CD CREATOR 5\DIRECTCD\DIRECTCD.EXE
C:\PROGRAM FILES\LEXMARK X74-X75\LXBBBMGR.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\WINAMP\WINAMPA.EXE
C:\PROGRAM FILES\LEXMARK X74-X75\LXBBBMON.EXE
C:\WINDOWS\SYSTEM\LEXBCES.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\SYSTEM\LEXPPS.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\HIJACKTHIS\HIJACKTHIS.EXE

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\BellSouth\hcenter.exe" /starthidden /tgcmdwrapper
O4 - HKLM\..\Run: [LimeShop] wjview /cp:p "C:\Program Files\LimeShop\System\Code" Main lp: "C:\Program Files\LimeShop"
O4 - HKLM\..\Run: [CreateCD50] "C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [Lexmark X74-X75] "C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe"
O4 - HKLM\..\Run: [LexStart] lexstart.exe
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [KB918547] C:\WINDOWS\SYSTEM\KB918547\KB918547.EXE
O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: LimeShop Preferences - file://C:\Program Files\LimeShop\System\Temp\limeshop_script0.htm
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmwordtrans.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsimilar.html
O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate Page into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmtrans.html
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_03\bin\npjpi150_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_03\bin\npjpi150_03.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {E008A543-CEFB-4559-912F-C27C2B89F13B} (Domino Web Access 7 Control) - http://shelbyville.webmail.summitpolymers.com/dwa7.cab
O16 - DPF: {B49C4597-8721-4789-9250-315DFBD9F525} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/radio/amp...1.11_en_dl.cab
O16 - DPF: Word Craft by pogo - http://game1.pogo.com/applet-6.8.1.3...bble-en_US.cab
O16 - DPF: Mah Jong Garden by pogo - http://game1.pogo.com/applet-6.8.1.3...jong-en_US.cab
O16 - DPF: Poppit by pogo - http://game1.pogo.com/applet-6.8.4.5...pit2-en_US.cab
O16 - DPF: Yahoo! Euchre - http://download2.games.yahoo.com/gam...ts/y/et3_x.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/reso...an8/oscan8.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/is...47/mcfscan.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/v...fo/webscan.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab

[funk.pie]

Sorry, I meant to say that I tried to do the scan in safe mode, but could not connect to the internet. So I rebooted to normal mode and ran the scan. The scan did not find anything.

Back in safe mode now, I also remember when I ran the batch file to del wininet.dll, oleadm.dll, and oleext.dll, that the dos window said access denied to delete the wininet.dll and only one of the two others were present. I can't remember which one. I hope that is helpful. Have a good one, Ried, and thanks for all of your assistance.

[Ried]

Hi,

Quote:

Scan the desktop folder with eTrust Web Scanner at http://www3.ca.com/securityadvisor/virusinfo/scan.aspx. When done, make sure the box is checked for wininet.dll and click cure.

Sorry, but I have to ask--you did scan the desktop wininet.dll and had the box checked for wininet.dll, correct?

-----------------------------------------------------

Right click on your desktop and select Properties--look to the top of that dialog box for the Web tab (should be toward the top right)

[funk.pie]

Quote:

Originally Posted by Ried

Hi,



Sorry, but I have to ask--you did scan the desktop wininet.dll and had the box checked for wininet.dll, correct?

-----------------------------------------------------

Right click on your desktop and select Properties--look to the top of that dialog box for the Web tab (should be toward the top right)

I navigated to the weblink, and checked the box 'desktop' under my computer, c drive, windows, then clicked scan. I tried again to see if I could find an option to just scan the file wininet.dll, but failed to find it as a choice by itself. Seems the web tool would only scan folders, but not files. Maybe I didn't look carefully enough.

As far as the desktop properties, yeah I found the web tab and there was nothing listed, not even My Current home page. I think smitRem cleared all of that. When I launch firefox now it pulls up a blank page, and IE pulls up the microsoft webpage.

It is quite possible I did something wrong here, so hopefully you can follow my rehashing of the events from last night. Anything else I can do to help? Shall I try again this evening? Thanks for you patience, Ried. Good day.

[funk.pie]

So I fiddled around in safe mode last night, trying to get an internet connection. I saw that my ethernet card is disabled in safe mode, which would explain alot. Any idea how to get my PC to run in safe mode without disabling the ethernet card? I'm guessing the reason the scan does not find anything is that the virus somehow hides itself if booted in normal mode. Really trying to see this through to the end

[Ried]

Hi,

Sorry for the delay. We're just going to flat out replace that file to be sure it is not still infected--you should not be getting an 'access denied' on that.

Please copy these instrustions to Notepad and save to your desktop for reference.

******************************************************

Download KillBox. (it's important that you get version v2.0.0.175)

---------------------------------------------------------------------

Download the wininet.dll for Windows 98 from here

Extract (unzip) it to C:\Windows\System folder. If you receive a message that it already exists--click 'Yes' to replace it.

---------------------------------------------------------------------

Launch KillBox.exe & select the following options:

• delete on Reboot

Copy/paste the following bolded text into the 'Full Path of file to delete' field:

c:\windows\desktop\wininet.dll

Select/tick the following:

* Delete on Reboot
* End Explorer Shell While Killing File
* Unregister.dll Before Deleting"
Click the RED X button.

Click Yes at the 'Delete on Reboot' prompt. Click Yes at the Pending Operations prompt.

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run TheKillbox, download and run missingfilesetup.exe. Then try Killbox again.

---------------------------------------------------------------------

Please let me know if you were successful.

[funk.pie]

No complaints here Ried, I'll let you know how it goes. Thanks.

[funk.pie]

Hi Ried,

I'm getting a message from winzip when trying to overwrite the existing wininet.dll file that says the following:

Extracting to "c:\windows\system\"
Use Path: yes Overlay Files: yes
Error: The process cannot access the file because
it is being used by another process.
Cannot create c:\windows\system\WININET.DLL

I tried to replace it in safe mode as well to no avail.

[Ried]

Just to be clear, you do have 2 wininet.dll files--one on the desktop and one in the system folder, correct?

Let's do this:

Upload this file C:\windows\system\wininet.dll to http://virusscan.jotti.org and report back what it found.

At the top of the window you should see "File to Upload & scan" and a blank box. Copy and paste the red text from above into the box. Then click "Submit".

When it is finished, please copy and paste the information listed under "Service" and "Scanner Results" here.

**Other than the issue we're trying to clear up now, how is the system behaving?

[funk.pie]

Quote:

Originally Posted by Ried

Just to be clear, you do have 2 wininet.dll files--one on the desktop and one in the system folder, correct?

Correct sir

Quote:

Originally Posted by Ried

Let's do this:

Upload this file C:\windows\system\wininet.dll to http://virusscan.jotti.org and report back what it found.

At the top of the window you should see "File to Upload & scan" and a blank box. Copy and paste the red text from above into the box. Then click "Submit".

When it is finished, please copy and paste the information listed under "Service" and "Scanner Results" here.

Service load: 0% 100%
File: Wininet.dll
Status: OK
MD5 3d5062a7667913b9b515cc5769e9fb31
Packers detected: -

Scan taken on 02 Feb 2007 01:48:20 (GMT)
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found nothing
Fortinet Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
VirusBuster Found nothing
VBA32 Found nothing

Quote:

Originally Posted by Ried

**Other than the issue we're trying to clear up now, how is the system behaving?

Actually, the PC seems to be running pretty good. It boots pretty quickly (for a pentium II), and not a lot of wait time for applications to load, ie firefox, winamp, etc...I have been noticing kind of a flash on the screen every once and a while lately, especially when visiting this site. Hasn't froze up in I can't remember how long. If that spysheriff thing hadn't randomly shown up on the desktop, I wouldn't have even thought anything was wrong. My wife uses this computer more than me, so she may think otherwise. She loves to try and run multiple windows and tasks at once and bogs it down, but I think that is just the fact this machine has 96 MB of RAM. For the most part, the PC seems fine to me. Now my other machine, an HP w/ WinME is a different story. We can talk about that one later, but first things first.

And again, thanks for the help.

[Ried]

I have an old 98se I try to do the same thing on and I'll tell ya--it's definitely a RAM issue there.

The jotti scan is a good report--I think it's safe to say the wininet.dll in the system folder is indeed the legit one.

Go ahead and follow the Killbox instructions for getting rid of the one on your desktop.

As all the logs are coming back clean, you should be good to go.

Re-Hide your system files:

*Open My Computer.
*Select the View
*Select the Folder Options option.
*Select the View tab. option.
*Select the Advance Advanced settings box option.
*Select the Hidden files folder.
*Deselect the Show all files option
*Click Apply to confirm.
*Click OK.

To help protect your computer in the future I recommend that you get the following free programs if you do not already have them: (The following are compatible with Windows 98/ME )

Download the McAfee Site Advisor--free. The folks there check out websites and based on their findings, rate it as Safe, Unknown, Caution, Bad.

Download SpywareBlaster 3.5.1 to help prevent spyware from installing in the first place. Install & update SpywareBlaster with the latest definitions. After you have updated, click the button - enable protection for all unprotected items.

Download Spyware Guard to catch and block spyware before it can execute.

Download IE-SPYAD.EXE to block access to malicious websites so you cannot be redirected to them from an infected site or email. IE/Spyad places more than 4000 dubious websites and domains in the IE Restricted list. This severely impairs attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites. This is a self-extracting .ZIP file, save it to your desktop. Once downloaded, double-click on it to extract the files inside (default dir is C:\IE-SPYAD)

• Now navigate to C:\ie-spyad. Double click to open it.
• From within the folder, double-click install.bat
• Select Option #2 - Install the new IE-SPYAD list, by typing 2
• Then return to the main menu.
• Select option #4 - Add the old porn sites domain, by typing 4

Update all these programs regularly. Without regular updates you will not be protected when new malicious programs are released.

In light of your recent issue, I'm sure you'd like to avoid any future infections. Please take a look at these well written articles:

PC Safety and Security--What Do I Need?

HOW DID I GET INFECTED IN THE FIRST PLACE? by Tony Klein
THE ANTI-SPYWARE TUTORIAL
MAKING INTERNET EXPLORER SAFER
Understanding and Using Firewalls


**Be very wary with any security software that is advertised in popups or in other ways. They are not only usually of no use, but often have malware in them.

Follow this list and your potential for being infected again will reduce dramatically.


If you wish, begin a new HijackThis thread for your ME system and I'll take a look at that for you as well.

[funk.pie]

Looks like we can consider this matter closed! Killbox got rid of the extra file on the desktop, and I downloaded each linked software per instructions on the 98 machine. I must say I will take you up on the offer to check out the hijackthis log for my ME machine. I'll start a new thread in a day or two. Thanks for all the excellent step by step instruction, Ried! We'll talk again soon.
- John