Help with my Windows 98 PC Please!

**ljgwtg** · 03-17-2005, 04:49 PM

Hi.
I'm having problems with my Win98 PC. It locks up on a regular basis and trys to connect to the internet. When I tried to access this website, it took me to arrow.com first.

I've downloaded adaware se and cleanup.exe and ran them both. I ran Hijack this and Hijack this analyzer. The log is at the end of this post. I have Norton antivirus 2002 running on this PC. Thanks in advance for your help.

====================================================================
Log was analyzed using KRC HijackThis Analyzer - Updated on 3/2/05
Get updates at http://www.greyknight17.com/download.htm#programs

***Security Programs Detected***

C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [VsEcomrEXE] C:\Program Files\Network Associates\McAfee VirusScan\vsecomr.exe
O4 - HKLM\..\Run: [NAV Agent] c:\PROGRA~1\NORTON~1\NAVAPW32.EXE
O4 - HKLM\..\RunServices: [McAfeeWebScanX] C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\WebScanX.Exe /RUNSERVICES
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Logfile of HijackThis v1.99.1
Scan saved at 7:38:58 PM, on 3/17/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\PROGRAM FILES\SYMANTEC\PCANYWHERE\PCAMGT.EXE
C:\LOGITECH\MOUSE\SYSTEM\EM_EXEC.EXE
C:\REAL\PLAYER\REALPLAY.EXE
C:\WINDOWS\SYSTEM\HPZTSB07.EXE
C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\AIM\AIM.EXE
C:\PROGRAM FILES\SCANSOFT\PAPERPORT\PPWEBCAP.EXE
C:\PROGRAM FILES\AWS\WEATHERBUG\WEATHER.EXE
C:\PROGRAM FILES\LOGITECH\WINGMAN SOFTWARE\LWEMON.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://channels.aimtoday.com/search/aimtoolbar.jsp
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://channels.aimtoday.com/search/aimtoolbar.jsp
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
F1 - win.ini: run=hpfsched
O1 - Hosts: 172.18.3.31 DL2500O DL2500O-1
O1 - Hosts: 172.18.4.31 DL2500O-2
O1 - Hosts: 172.18.3.32 DL2500P DL2500P-1
O1 - Hosts: 172.18.4.32 DL2500P-2
O1 - Hosts: 172.18.3.38 DL2500Q DL2500Q-1
O1 - Hosts: 172.18.4.38 DL2500Q-2
O1 - Hosts: 172.18.3.231 GDSCON1 GDSCON1-1
O1 - Hosts: 172.18.4.231 GDSCON1-2
O1 - Hosts: 172.18.3.232 GDSCON2 GDSCON2-1
O1 - Hosts: 172.18.4.232 GDSCON2-2
O1 - Hosts: 172.18.3.171 HRF3 N2B-GDS-PRT-A
O1 - Hosts: 172.18.1.50 GMS-PI-Server gms-pi-server-1 #GMS PI HOME NODE (Virtual IP Address)
O1 - Hosts: 172.18.2.50 gms-pi-server-2 #Alt IP address for GMS PI Home Node (Virtual IP Address)
O1 - Hosts: 172.18.1.51 DL2550V DL2550V-1 AppGmsPiA AppGmsPiA-1 #AppGmsPiA
O1 - Hosts: 172.18.2.51 DL2550V-2 AppGmsPiA-2
O1 - Hosts: 172.18.1.52 DL2550W DL2550W-1 AppGmsPiB AppGmsPiB-1 #AppGmsPiB
O1 - Hosts: 172.18.2.52 DL2550W-2 AppGmsPiB-2
O1 - Hosts: 172.18.1.55 DL2550X DL2550X-1 AppGmsIpiA AppGmsIpiA-1 #AppGmsIpiA
O1 - Hosts: 172.18.2.55 DL2550X-2 AppGmsIpiA-2
O1 - Hosts: 172.18.1.56 DL25504U DL25504U-1 AppGmsIpiB AppGmsIpiB-1 #AppGmsIpiB
O1 - Hosts: 172.18.2.56 DL25504U-2 AppGmsIpiB-2
O1 - Hosts: 172.18.1.57 gms-pi-int gms-pi-int-1 #GMS PI Interface NODE (Virtual IP Address)
O1 - Hosts: 172.18.2.57 gms-pi-int-2 #Alternate IP address for GMS Pi Interface Node (Virtual)
O1 - Hosts: 172.18.1.53 AppGmsApiA AppGmsApiA-1 DL25501A DL25501A-1 #DL25501A
O1 - Hosts: 172.18.2.53 AppGmsApiA-2 DL25501A-2
O1 - Hosts: 172.18.1.54 AppGmsApiB AppGmsApiB-1 DL25501B DL25501B-1 #DL25501B
O1 - Hosts: 172.18.2.54 AppGmsApiB-2 DL25501B-2
O2 - BHO: AIM Helper - {D70E6A20-7060-4829-B3D7-B6624A1DE7C6} - C:\PROGRAM FILES\AIM TOOLBAR\AIMHELPER.DLL
O4 - HKLM\..\Run: [EM_EXEC] c:\logitech\mouse\system\em_exec.exe
O4 - HKLM\..\Run: [startIE] C:\WINDOWS\NOTEPAD.EXE qazwsx.hsq
O4 - HKLM\..\Run: [AttuneClientEngine] C:\PROGRA~1\AVEO\ATTUNE\bin\AttnEngn.exe
O4 - HKLM\..\Run: [RealTray] C:\REAL\PLAYER\REALPLAY.EXE SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\SYSTEM\hpztsb07.exe
O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe C:\PROGRA~1\WILDTA~1\APPS\CDA\CDAENG~1.DLL,cdaEngineMain
O4 - HKLM\..\RunServices: [MSDTC] msdtcw -start
O4 - HKLM\..\RunServices: [pcAnywhere Agent] C:\Program Files\Symantec\pcAnywhere\pcamgt.exe
O4 - HKCU\..\Run: [AOL Instant Messenger (TM)] C:\Program Files\Netscape\Communicator\Program\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [PPWebCap] C:\PROGRAM FILES\SCANSOFT\PAPERPORT\PPWebCap.exe
O4 - HKCU\..\Run: [Start WingMan Profiler] "c:\Program Files\Logitech\WingMan Software\lwtest.exe" /detect /quiet /launch "c:\Program Files\Logitech\WingMan Software\lwemon.exe /noui"
O4 - HKCU\..\Run: [AIM] C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Weather] C:\PROGRAM FILES\AWS\WEATHERBUG\WEATHER.EXE 1
O9 - Extra button: Dell Home - {3B810760-C28F-11D3-A235-F0445AC10000} - http://www.dell.com/ (file missing) (HKCU)
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (HKCU)
O12 - Plugin for .SWF: C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\PLUGINS\NPSWF32.dll
O15 - Trusted Zone: http://www.wwforum.com
O15 - Trusted Zone: http://hrpr.papl.com
O16 - DPF: {0C568603-D79D-11D2-87A7-00C04FF158BB} (BrowseFolderPopup Class) - http://download.mcafee.com/molbin/Shared/MGBrwFld.cab
O16 - DPF: {D0CCA5F4-6A25-422F-BB4D-9A632C24F2F8} (IIDActiveXCP.ucTest) - file://G:\Information Solutions\Pynchon\IIDActiveXCP.CAB
O16 - DPF: {1FB464C8-09BB-4017-A2F5-EB742F04392F} (Microsoft Terminal Services Control (redist)) - http://app-admin-1/tsweb/mstscax.cab
O16 - DPF: {433C8F9A-1BBC-434E-B9E0-F0CCA04F3E27} (IID.uscLogin) - file://E:\iid\Iid Application\IID.CAB
O16 - DPF: {9059F30F-4EB1-4BD2-9FDC-36F43A218F4A} (Microsoft RDP Client Control (redist)) - http://app-admin-1/tsweb/msrdp.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/151076db280f739...p/RdxIE601.cab
O16 - DPF: {90A29DA5-D020-4B18-8660-6689520C7CD7} (DmiReader Class) - http://support.dell.com/us/en/system...SysProfLCD.CAB
O16 - DPF: {5e2a3510-4371-11d6-b64c-00c04faedb18} (Oracle JInitiator 1.1.8.18) -

End of KRC HijackThis Analyzer Log.
====================================================================

greyknight17 · 03-17-2005, 05:13 PM

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order it is mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should not have any open browsers when you are following the procedures below.

Go to My Computer->Tools/View->Folder Options->View tab and make sure that 'Show hidden files and folders' (or 'Show all files') is enabled. Also make sure that 'Display the contents of system folders' is checked. Windows XP's search feature is a little different. When you click on 'All files and folders' on the left pane, click on the 'More advanced options' at the bottom. Make sure that Search system folders, Search hidden files and folders, and Search subfolders are checked.

For the options that you checked/enabled earlier, you may uncheck them after your log is clean. If we ask you to fix a program that you use or want to keep, please post back saying that (we don't know every program that exists, so we may tell you to delete a program that we think is bad to keep).

Download and install Spybot S&D. Run Spybot and click on the 'Search for Updates' button. Install any updates that are available. Next click on the 'Check for Problems' button. Let it run the scan. If it finds something, check all those in RED and hit the Fix Selected Problems button. Exit Spybot. If you keep getting the DSO Exploit entries, even after you updated Windows and fixed them, then download the Spybot DSO Exploit Fix and install it over the current Spybot installation.

Download CWShredder and run it. Click on 'I Agree' button if you agree with it. Click on 'Fix' (it will automatically fix anything it finds for you) and OK. If it asks if you want to delete a certain random file, choose No and post that filename here. Let it finish the scan and then hit Next and Exit.

Reboot into Safe Mode (hit F8 key until menu shows up). Make sure to close any open browsers. Go into HijackThis->Config->Misc. Tools->Open process manager. Select the following and click Kill process for each one if they are still listed (they shouldn't be - but double check it):

C:\PROGRAM FILES\AWS\WEATHERBUG\WEATHER.EXE

Uninstall the following via the Add/Remove Panel (Start->(Settings)->Control Panel->Add/Remove Programs) if they exist:

WeatherBug - it's adware. If you didn't install this yourself, uninstall it. If you did install it yourself, you may keep it and ignore any fixes/deletions listed below.

WildTangent - This is an online gaming package that is installed by a number of third party applications and even OEMs, ISPs and AIM. The games aspect of this is really rather cool. The being installed without you asking for it isn't cool at all. They collect information about you and your usage. We recommend uninstalling it.

Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any):

O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe C:\PROGRA~1\WILDTA~1\APPS\CDA\CDAENG~1.DLL,cdaEngi neMain
O4 - HKCU\..\Run: [Weather] C:\PROGRAM FILES\AWS\WEATHERBUG\WEATHER.EXE 1
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (HKCU)
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/151076db280f73...ip/RdxIE601.cab

Do you know what the following program(s) are for? If not, fix it in HijackThis:

O1 - Hosts: 172.18.3.31 DL2500O DL2500O-1
O1 - Hosts: 172.18.4.31 DL2500O-2
O1 - Hosts: 172.18.3.32 DL2500P DL2500P-1
O1 - Hosts: 172.18.4.32 DL2500P-2
O1 - Hosts: 172.18.3.38 DL2500Q DL2500Q-1
O1 - Hosts: 172.18.4.38 DL2500Q-2
O1 - Hosts: 172.18.3.231 GDSCON1 GDSCON1-1
O1 - Hosts: 172.18.4.231 GDSCON1-2
O1 - Hosts: 172.18.3.232 GDSCON2 GDSCON2-1
O1 - Hosts: 172.18.4.232 GDSCON2-2
O1 - Hosts: 172.18.3.171 HRF3 N2B-GDS-PRT-A
O1 - Hosts: 172.18.1.50 GMS-PI-Server gms-pi-server-1 #GMS PI HOME NODE (Virtual IP Address)
O1 - Hosts: 172.18.2.50 gms-pi-server-2 #Alt IP address for GMS PI Home Node (Virtual IP Address)
O1 - Hosts: 172.18.1.51 DL2550V DL2550V-1 AppGmsPiA AppGmsPiA-1 #AppGmsPiA
O1 - Hosts: 172.18.2.51 DL2550V-2 AppGmsPiA-2
O1 - Hosts: 172.18.1.52 DL2550W DL2550W-1 AppGmsPiB AppGmsPiB-1 #AppGmsPiB
O1 - Hosts: 172.18.2.52 DL2550W-2 AppGmsPiB-2
O1 - Hosts: 172.18.1.55 DL2550X DL2550X-1 AppGmsIpiA AppGmsIpiA-1 #AppGmsIpiA
O1 - Hosts: 172.18.2.55 DL2550X-2 AppGmsIpiA-2
O1 - Hosts: 172.18.1.56 DL25504U DL25504U-1 AppGmsIpiB AppGmsIpiB-1 #AppGmsIpiB
O1 - Hosts: 172.18.2.56 DL25504U-2 AppGmsIpiB-2
O1 - Hosts: 172.18.1.57 gms-pi-int gms-pi-int-1 #GMS PI Interface NODE (Virtual IP Address)
O1 - Hosts: 172.18.2.57 gms-pi-int-2 #Alternate IP address for GMS Pi Interface Node (Virtual)
O1 - Hosts: 172.18.1.53 AppGmsApiA AppGmsApiA-1 DL25501A DL25501A-1 #DL25501A
O1 - Hosts: 172.18.2.53 AppGmsApiA-2 DL25501A-2
O1 - Hosts: 172.18.1.54 AppGmsApiB AppGmsApiB-1 DL25501B DL25501B-1 #DL25501B
O1 - Hosts: 172.18.2.54 AppGmsApiB-2 DL25501B-2
O4 - HKLM\..\Run: [AttuneClientEngine] C:\PROGRA~1\AVEO\ATTUNE\bin\AttnEngn.exe
O15 - Trusted Zone: http://www.wwforum.com
O15 - Trusted Zone: http://hrpr.papl.com

Delete the following Files/Folders (delete folders if no filename is specified) according to their directory (if none, just do a search for them) and delete them if they exist:

C:\PROGRAM FILES\AWS\ - only if you uninstalled WEATHERBUG
C:\PROGRA~1\WILDTA~1\

Reboot into Normal Mode and run new HijackThis scan. If there were some entries that didn't show up in Safe Mode, you may check and fix those that appear now in normal mode (if you do that, make sure to run a new scan again). Save the log file and run KRC HijackThis Analyzer in the same folder to get the result.txt log. Just post the contents of the result.txt file in the forum.

**ljgwtg** · 03-18-2005, 02:17 PM

I ran the fixes, and am posting the Hijack This Analyzer log. The hosts entries date back to when I used to use this machine for work. Since I no longer need those entries, I removed them.

Thanks so much for your help!

====================================================================
Log was analyzed using KRC HijackThis Analyzer - Updated on 3/2/05
Get updates at http://www.greyknight17.com/download.htm#programs

***Security Programs Detected***

C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [VsEcomrEXE] C:\Program Files\Network Associates\McAfee VirusScan\vsecomr.exe
O4 - HKLM\..\Run: [NAV Agent] c:\PROGRA~1\NORTON~1\NAVAPW32.EXE
O4 - HKLM\..\RunServices: [McAfeeWebScanX] C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\WebScanX.Exe /RUNSERVICES
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Logfile of HijackThis v1.99.1
Scan saved at 5:01:21 PM, on 3/18/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\PROGRAM FILES\SYMANTEC\PCANYWHERE\PCAMGT.EXE
C:\LOGITECH\MOUSE\SYSTEM\EM_EXEC.EXE
C:\REAL\PLAYER\REALPLAY.EXE
C:\WINDOWS\SYSTEM\HPZTSB07.EXE
C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\AIM\AIM.EXE
C:\PROGRAM FILES\SCANSOFT\PAPERPORT\PPWEBCAP.EXE
C:\PROGRAM FILES\LOGITECH\WINGMAN SOFTWARE\LWEMON.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://channels.aimtoday.com/search/aimtoolbar.jsp
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://channels.aimtoday.com/search/aimtoolbar.jsp
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
F1 - win.ini: run=hpfsched
O2 - BHO: AIM Helper - {D70E6A20-7060-4829-B3D7-B6624A1DE7C6} - C:\PROGRAM FILES\AIM TOOLBAR\AIMHELPER.DLL
O4 - HKLM\..\Run: [EM_EXEC] c:\logitech\mouse\system\em_exec.exe
O4 - HKLM\..\Run: [startIE] C:\WINDOWS\NOTEPAD.EXE qazwsx.hsq
O4 - HKLM\..\Run: [AttuneClientEngine] C:\PROGRA~1\AVEO\ATTUNE\bin\AttnEngn.exe
O4 - HKLM\..\Run: [RealTray] C:\REAL\PLAYER\REALPLAY.EXE SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\SYSTEM\hpztsb07.exe
O4 - HKLM\..\RunServices: [MSDTC] msdtcw -start
O4 - HKLM\..\RunServices: [pcAnywhere Agent] C:\Program Files\Symantec\pcAnywhere\pcamgt.exe
O4 - HKCU\..\Run: [AOL Instant Messenger (TM)] C:\Program Files\Netscape\Communicator\Program\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [PPWebCap] C:\PROGRAM FILES\SCANSOFT\PAPERPORT\PPWebCap.exe
O4 - HKCU\..\Run: [Start WingMan Profiler] "c:\Program Files\Logitech\WingMan Software\lwtest.exe" /detect /quiet /launch "c:\Program Files\Logitech\WingMan Software\lwemon.exe /noui"
O4 - HKCU\..\Run: [AIM] C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\AIM\aim.exe -cnetwait.odl
O9 - Extra button: Dell Home - {3B810760-C28F-11D3-A235-F0445AC10000} - http://www.dell.com/ (file missing) (HKCU)
O12 - Plugin for .SWF: C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\PLUGINS\NPSWF32.dll
O16 - DPF: {0C568603-D79D-11D2-87A7-00C04FF158BB} (BrowseFolderPopup Class) - http://download.mcafee.com/molbin/Shared/MGBrwFld.cab
O16 - DPF: {D0CCA5F4-6A25-422F-BB4D-9A632C24F2F8} (IIDActiveXCP.ucTest) - file://G:\Information Solutions\Pynchon\IIDActiveXCP.CAB
O16 - DPF: {1FB464C8-09BB-4017-A2F5-EB742F04392F} (Microsoft Terminal Services Control (redist)) - http://app-admin-1/tsweb/mstscax.cab
O16 - DPF: {433C8F9A-1BBC-434E-B9E0-F0CCA04F3E27} (IID.uscLogin) - file://E:\iid\Iid Application\IID.CAB
O16 - DPF: {9059F30F-4EB1-4BD2-9FDC-36F43A218F4A} (Microsoft RDP Client Control (redist)) - http://app-admin-1/tsweb/msrdp.cab
O16 - DPF: {90A29DA5-D020-4B18-8660-6689520C7CD7} (DmiReader Class) - http://support.dell.com/us/en/system...SysProfLCD.CAB
O16 - DPF: {5e2a3510-4371-11d6-b64c-00c04faedb18} (Oracle JInitiator 1.1.8.18) -

End of KRC HijackThis Analyzer Log.
====================================================================

CTSNKY · 03-18-2005, 07:10 PM

You did very well........Your log is clean.

To help prevent future spyware installations/infections, please read the Anti-Spyware Tutorial (http://www.greyknight17.com/spyware.htm#prevent) and use the tools provided.

Are there any problems now? If not, you should be set to go.

**ljgwtg** · 03-19-2005, 10:47 AM

Everything looks good. Thanks for your help.

03-17-2005, 04:49 PM	#1 (permalink)
ljgwtg I helped the forums. Join Date: Mar 2005 Posts: 16 OS: XP	Help with my Windows 98 PC Please! Hi. I'm having problems with my Win98 PC. It locks up on a regular basis and trys to connect to the internet. When I tried to access this website, it took me to arrow.com first. I've downloaded adaware se and cleanup.exe and ran them both. I ran Hijack this and Hijack this analyzer. The log is at the end of this post. I have Norton antivirus 2002 running on this PC. Thanks in advance for your help. ==================================================================== Log was analyzed using KRC HijackThis Analyzer - Updated on 3/2/05 Get updates at http://www.greyknight17.com/download.htm#programs *Security Programs Detected* C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll O4 - HKLM\..\Run: [VsEcomrEXE] C:\Program Files\Network Associates\McAfee VirusScan\vsecomr.exe O4 - HKLM\..\Run: [NAV Agent] c:\PROGRA~1\NORTON~1\NAVAPW32.EXE O4 - HKLM\..\RunServices: [McAfeeWebScanX] C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\WebScanX.Exe /RUNSERVICES O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Logfile of HijackThis v1.99.1 Scan saved at 7:38:58 PM, on 3/17/05 Platform: Windows 98 SE (Win9x 4.10.2222A) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Running processes: C:\PROGRAM FILES\SYMANTEC\PCANYWHERE\PCAMGT.EXE C:\LOGITECH\MOUSE\SYSTEM\EM_EXEC.EXE C:\REAL\PLAYER\REALPLAY.EXE C:\WINDOWS\SYSTEM\HPZTSB07.EXE C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\AIM\AIM.EXE C:\PROGRAM FILES\SCANSOFT\PAPERPORT\PPWEBCAP.EXE C:\PROGRAM FILES\AWS\WEATHERBUG\WEATHER.EXE C:\PROGRAM FILES\LOGITECH\WINGMAN SOFTWARE\LWEMON.EXE R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://channels.aimtoday.com/search/aimtoolbar.jsp R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://channels.aimtoday.com/search/aimtoolbar.jsp R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1 F1 - win.ini: run=hpfsched O1 - Hosts: 172.18.3.31 DL2500O DL2500O-1 O1 - Hosts: 172.18.4.31 DL2500O-2 O1 - Hosts: 172.18.3.32 DL2500P DL2500P-1 O1 - Hosts: 172.18.4.32 DL2500P-2 O1 - Hosts: 172.18.3.38 DL2500Q DL2500Q-1 O1 - Hosts: 172.18.4.38 DL2500Q-2 O1 - Hosts: 172.18.3.231 GDSCON1 GDSCON1-1 O1 - Hosts: 172.18.4.231 GDSCON1-2 O1 - Hosts: 172.18.3.232 GDSCON2 GDSCON2-1 O1 - Hosts: 172.18.4.232 GDSCON2-2 O1 - Hosts: 172.18.3.171 HRF3 N2B-GDS-PRT-A O1 - Hosts: 172.18.1.50 GMS-PI-Server gms-pi-server-1 #GMS PI HOME NODE (Virtual IP Address) O1 - Hosts: 172.18.2.50 gms-pi-server-2 #Alt IP address for GMS PI Home Node (Virtual IP Address) O1 - Hosts: 172.18.1.51 DL2550V DL2550V-1 AppGmsPiA AppGmsPiA-1 #AppGmsPiA O1 - Hosts: 172.18.2.51 DL2550V-2 AppGmsPiA-2 O1 - Hosts: 172.18.1.52 DL2550W DL2550W-1 AppGmsPiB AppGmsPiB-1 #AppGmsPiB O1 - Hosts: 172.18.2.52 DL2550W-2 AppGmsPiB-2 O1 - Hosts: 172.18.1.55 DL2550X DL2550X-1 AppGmsIpiA AppGmsIpiA-1 #AppGmsIpiA O1 - Hosts: 172.18.2.55 DL2550X-2 AppGmsIpiA-2 O1 - Hosts: 172.18.1.56 DL25504U DL25504U-1 AppGmsIpiB AppGmsIpiB-1 #AppGmsIpiB O1 - Hosts: 172.18.2.56 DL25504U-2 AppGmsIpiB-2 O1 - Hosts: 172.18.1.57 gms-pi-int gms-pi-int-1 #GMS PI Interface NODE (Virtual IP Address) O1 - Hosts: 172.18.2.57 gms-pi-int-2 #Alternate IP address for GMS Pi Interface Node (Virtual) O1 - Hosts: 172.18.1.53 AppGmsApiA AppGmsApiA-1 DL25501A DL25501A-1 #DL25501A O1 - Hosts: 172.18.2.53 AppGmsApiA-2 DL25501A-2 O1 - Hosts: 172.18.1.54 AppGmsApiB AppGmsApiB-1 DL25501B DL25501B-1 #DL25501B O1 - Hosts: 172.18.2.54 AppGmsApiB-2 DL25501B-2 O2 - BHO: AIM Helper - {D70E6A20-7060-4829-B3D7-B6624A1DE7C6} - C:\PROGRAM FILES\AIM TOOLBAR\AIMHELPER.DLL O4 - HKLM\..\Run: [EM_EXEC] c:\logitech\mouse\system\em_exec.exe O4 - HKLM\..\Run: [startIE] C:\WINDOWS\NOTEPAD.EXE qazwsx.hsq O4 - HKLM\..\Run: [AttuneClientEngine] C:\PROGRA~1\AVEO\ATTUNE\bin\AttnEngn.exe O4 - HKLM\..\Run: [RealTray] C:\REAL\PLAYER\REALPLAY.EXE SYSTEMBOOTHIDEPLAYER O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\SYSTEM\hpztsb07.exe O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe C:\PROGRA~1\WILDTA~1\APPS\CDA\CDAENG~1.DLL,cdaEngineMain O4 - HKLM\..\RunServices: [MSDTC] msdtcw -start O4 - HKLM\..\RunServices: [pcAnywhere Agent] C:\Program Files\Symantec\pcAnywhere\pcamgt.exe O4 - HKCU\..\Run: [AOL Instant Messenger (TM)] C:\Program Files\Netscape\Communicator\Program\AIM\aim.exe -cnetwait.odl O4 - HKCU\..\Run: [PPWebCap] C:\PROGRAM FILES\SCANSOFT\PAPERPORT\PPWebCap.exe O4 - HKCU\..\Run: [Start WingMan Profiler] "c:\Program Files\Logitech\WingMan Software\lwtest.exe" /detect /quiet /launch "c:\Program Files\Logitech\WingMan Software\lwemon.exe /noui" O4 - HKCU\..\Run: [AIM] C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\AIM\aim.exe -cnetwait.odl O4 - HKCU\..\Run: [Weather] C:\PROGRAM FILES\AWS\WEATHERBUG\WEATHER.EXE 1 O9 - Extra button: Dell Home - {3B810760-C28F-11D3-A235-F0445AC10000} - http://www.dell.com/ (file missing) (HKCU) O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (HKCU) O12 - Plugin for .SWF: C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\PLUGINS\NPSWF32.dll O15 - Trusted Zone: http://www.wwforum.com O15 - Trusted Zone: http://hrpr.papl.com O16 - DPF: {0C568603-D79D-11D2-87A7-00C04FF158BB} (BrowseFolderPopup Class) - http://download.mcafee.com/molbin/Shared/MGBrwFld.cab O16 - DPF: {D0CCA5F4-6A25-422F-BB4D-9A632C24F2F8} (IIDActiveXCP.ucTest) - file://G:\Information Solutions\Pynchon\IIDActiveXCP.CAB O16 - DPF: {1FB464C8-09BB-4017-A2F5-EB742F04392F} (Microsoft Terminal Services Control (redist)) - http://app-admin-1/tsweb/mstscax.cab O16 - DPF: {433C8F9A-1BBC-434E-B9E0-F0CCA04F3E27} (IID.uscLogin) - file://E:\iid\Iid Application\IID.CAB O16 - DPF: {9059F30F-4EB1-4BD2-9FDC-36F43A218F4A} (Microsoft RDP Client Control (redist)) - http://app-admin-1/tsweb/msrdp.cab O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/151076db280f739...p/RdxIE601.cab O16 - DPF: {90A29DA5-D020-4B18-8660-6689520C7CD7} (DmiReader Class) - http://support.dell.com/us/en/system...SysProfLCD.CAB O16 - DPF: {5e2a3510-4371-11d6-b64c-00c04faedb18} (Oracle JInitiator 1.1.8.18) - End of KRC HijackThis Analyzer Log. ====================================================================

03-17-2005, 05:13 PM	#2 (permalink)
greyknight17 Analyst, Security Team Join Date: Jul 2004 Location: New York Posts: 14,327 OS: Windows 98 & Windows XP Home/Pro My System	Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order it is mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should not have any open browsers when you are following the procedures below. Go to My Computer->Tools/View->Folder Options->View tab and make sure that 'Show hidden files and folders' (or 'Show all files') is enabled. Also make sure that 'Display the contents of system folders' is checked. Windows XP's search feature is a little different. When you click on 'All files and folders' on the left pane, click on the 'More advanced options' at the bottom. Make sure that Search system folders, Search hidden files and folders, and Search subfolders are checked. For the options that you checked/enabled earlier, you may uncheck them after your log is clean. If we ask you to fix a program that you use or want to keep, please post back saying that (we don't know every program that exists, so we may tell you to delete a program that we think is bad to keep). Download and install Spybot S&D. Run Spybot and click on the 'Search for Updates' button. Install any updates that are available. Next click on the 'Check for Problems' button. Let it run the scan. If it finds something, check all those in RED and hit the Fix Selected Problems button. Exit Spybot. If you keep getting the DSO Exploit entries, even after you updated Windows and fixed them, then download the Spybot DSO Exploit Fix and install it over the current Spybot installation. Download CWShredder and run it. Click on 'I Agree' button if you agree with it. Click on 'Fix' (it will automatically fix anything it finds for you) and OK. If it asks if you want to delete a certain random file, choose No and post that filename here. Let it finish the scan and then hit Next and Exit. Reboot into Safe Mode (hit F8 key until menu shows up). Make sure to close any open browsers. Go into HijackThis->Config->Misc. Tools->Open process manager. Select the following and click Kill process for each one if they are still listed (they shouldn't be - but double check it): C:\PROGRAM FILES\AWS\WEATHERBUG\WEATHER.EXE Uninstall the following via the Add/Remove Panel (Start->(Settings)->Control Panel->Add/Remove Programs) if they exist: WeatherBug - it's adware. If you didn't install this yourself, uninstall it. If you did install it yourself, you may keep it and ignore any fixes/deletions listed below. WildTangent - This is an online gaming package that is installed by a number of third party applications and even OEMs, ISPs and AIM. The games aspect of this is really rather cool. The being installed without you asking for it isn't cool at all. They collect information about you and your usage. We recommend uninstalling it. Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any): O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe C:\PROGRA~1\WILDTA~1\APPS\CDA\CDAENG~1.DLL,cdaEngi neMain O4 - HKCU\..\Run: [Weather] C:\PROGRAM FILES\AWS\WEATHERBUG\WEATHER.EXE 1 O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (HKCU) O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/151076db280f73...ip/RdxIE601.cab Do you know what the following program(s) are for? If not, fix it in HijackThis: O1 - Hosts: 172.18.3.31 DL2500O DL2500O-1 O1 - Hosts: 172.18.4.31 DL2500O-2 O1 - Hosts: 172.18.3.32 DL2500P DL2500P-1 O1 - Hosts: 172.18.4.32 DL2500P-2 O1 - Hosts: 172.18.3.38 DL2500Q DL2500Q-1 O1 - Hosts: 172.18.4.38 DL2500Q-2 O1 - Hosts: 172.18.3.231 GDSCON1 GDSCON1-1 O1 - Hosts: 172.18.4.231 GDSCON1-2 O1 - Hosts: 172.18.3.232 GDSCON2 GDSCON2-1 O1 - Hosts: 172.18.4.232 GDSCON2-2 O1 - Hosts: 172.18.3.171 HRF3 N2B-GDS-PRT-A O1 - Hosts: 172.18.1.50 GMS-PI-Server gms-pi-server-1 #GMS PI HOME NODE (Virtual IP Address) O1 - Hosts: 172.18.2.50 gms-pi-server-2 #Alt IP address for GMS PI Home Node (Virtual IP Address) O1 - Hosts: 172.18.1.51 DL2550V DL2550V-1 AppGmsPiA AppGmsPiA-1 #AppGmsPiA O1 - Hosts: 172.18.2.51 DL2550V-2 AppGmsPiA-2 O1 - Hosts: 172.18.1.52 DL2550W DL2550W-1 AppGmsPiB AppGmsPiB-1 #AppGmsPiB O1 - Hosts: 172.18.2.52 DL2550W-2 AppGmsPiB-2 O1 - Hosts: 172.18.1.55 DL2550X DL2550X-1 AppGmsIpiA AppGmsIpiA-1 #AppGmsIpiA O1 - Hosts: 172.18.2.55 DL2550X-2 AppGmsIpiA-2 O1 - Hosts: 172.18.1.56 DL25504U DL25504U-1 AppGmsIpiB AppGmsIpiB-1 #AppGmsIpiB O1 - Hosts: 172.18.2.56 DL25504U-2 AppGmsIpiB-2 O1 - Hosts: 172.18.1.57 gms-pi-int gms-pi-int-1 #GMS PI Interface NODE (Virtual IP Address) O1 - Hosts: 172.18.2.57 gms-pi-int-2 #Alternate IP address for GMS Pi Interface Node (Virtual) O1 - Hosts: 172.18.1.53 AppGmsApiA AppGmsApiA-1 DL25501A DL25501A-1 #DL25501A O1 - Hosts: 172.18.2.53 AppGmsApiA-2 DL25501A-2 O1 - Hosts: 172.18.1.54 AppGmsApiB AppGmsApiB-1 DL25501B DL25501B-1 #DL25501B O1 - Hosts: 172.18.2.54 AppGmsApiB-2 DL25501B-2 O4 - HKLM\..\Run: [AttuneClientEngine] C:\PROGRA~1\AVEO\ATTUNE\bin\AttnEngn.exe O15 - Trusted Zone: http://www.wwforum.com O15 - Trusted Zone: http://hrpr.papl.com Delete the following Files/Folders (delete folders if no filename is specified) according to their directory (if none, just do a search for them) and delete them if they exist: C:\PROGRAM FILES\AWS\ - only if you uninstalled WEATHERBUG C:\PROGRA~1\WILDTA~1\ Reboot into Normal Mode and run new HijackThis scan. If there were some entries that didn't show up in Safe Mode, you may check and fix those that appear now in normal mode (if you do that, make sure to run a new scan again). Save the log file and run KRC HijackThis Analyzer in the same folder to get the result.txt log. Just post the contents of the result.txt file in the forum. __________________ Please do NOT PM me. Post whatever questions you may have in the forum and we will take a look at it when we get to it. If you have waited for more than 3 days, you may then and ONLY then PM me for assistance. I will take a look at it. Adaware :: CWShredder :: HijackThis :: Panda ActiveScan :: Spybot S&D Anti-Spyware Tutorial :: Spyware Prevention Tools

03-18-2005, 02:17 PM	#3 (permalink)
ljgwtg I helped the forums. Join Date: Mar 2005 Posts: 16 OS: XP	Next round... I ran the fixes, and am posting the Hijack This Analyzer log. The hosts entries date back to when I used to use this machine for work. Since I no longer need those entries, I removed them. Thanks so much for your help! ==================================================================== Log was analyzed using KRC HijackThis Analyzer - Updated on 3/2/05 Get updates at http://www.greyknight17.com/download.htm#programs *Security Programs Detected* C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll O4 - HKLM\..\Run: [VsEcomrEXE] C:\Program Files\Network Associates\McAfee VirusScan\vsecomr.exe O4 - HKLM\..\Run: [NAV Agent] c:\PROGRA~1\NORTON~1\NAVAPW32.EXE O4 - HKLM\..\RunServices: [McAfeeWebScanX] C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\WebScanX.Exe /RUNSERVICES O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Logfile of HijackThis v1.99.1 Scan saved at 5:01:21 PM, on 3/18/05 Platform: Windows 98 SE (Win9x 4.10.2222A) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Running processes: C:\PROGRAM FILES\SYMANTEC\PCANYWHERE\PCAMGT.EXE C:\LOGITECH\MOUSE\SYSTEM\EM_EXEC.EXE C:\REAL\PLAYER\REALPLAY.EXE C:\WINDOWS\SYSTEM\HPZTSB07.EXE C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\AIM\AIM.EXE C:\PROGRAM FILES\SCANSOFT\PAPERPORT\PPWEBCAP.EXE C:\PROGRAM FILES\LOGITECH\WINGMAN SOFTWARE\LWEMON.EXE R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://channels.aimtoday.com/search/aimtoolbar.jsp R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://channels.aimtoday.com/search/aimtoolbar.jsp R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1 F1 - win.ini: run=hpfsched O2 - BHO: AIM Helper - {D70E6A20-7060-4829-B3D7-B6624A1DE7C6} - C:\PROGRAM FILES\AIM TOOLBAR\AIMHELPER.DLL O4 - HKLM\..\Run: [EM_EXEC] c:\logitech\mouse\system\em_exec.exe O4 - HKLM\..\Run: [startIE] C:\WINDOWS\NOTEPAD.EXE qazwsx.hsq O4 - HKLM\..\Run: [AttuneClientEngine] C:\PROGRA~1\AVEO\ATTUNE\bin\AttnEngn.exe O4 - HKLM\..\Run: [RealTray] C:\REAL\PLAYER\REALPLAY.EXE SYSTEMBOOTHIDEPLAYER O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\SYSTEM\hpztsb07.exe O4 - HKLM\..\RunServices: [MSDTC] msdtcw -start O4 - HKLM\..\RunServices: [pcAnywhere Agent] C:\Program Files\Symantec\pcAnywhere\pcamgt.exe O4 - HKCU\..\Run: [AOL Instant Messenger (TM)] C:\Program Files\Netscape\Communicator\Program\AIM\aim.exe -cnetwait.odl O4 - HKCU\..\Run: [PPWebCap] C:\PROGRAM FILES\SCANSOFT\PAPERPORT\PPWebCap.exe O4 - HKCU\..\Run: [Start WingMan Profiler] "c:\Program Files\Logitech\WingMan Software\lwtest.exe" /detect /quiet /launch "c:\Program Files\Logitech\WingMan Software\lwemon.exe /noui" O4 - HKCU\..\Run: [AIM] C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\AIM\aim.exe -cnetwait.odl O9 - Extra button: Dell Home - {3B810760-C28F-11D3-A235-F0445AC10000} - http://www.dell.com/ (file missing) (HKCU) O12 - Plugin for .SWF: C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\PLUGINS\NPSWF32.dll O16 - DPF: {0C568603-D79D-11D2-87A7-00C04FF158BB} (BrowseFolderPopup Class) - http://download.mcafee.com/molbin/Shared/MGBrwFld.cab O16 - DPF: {D0CCA5F4-6A25-422F-BB4D-9A632C24F2F8} (IIDActiveXCP.ucTest) - file://G:\Information Solutions\Pynchon\IIDActiveXCP.CAB O16 - DPF: {1FB464C8-09BB-4017-A2F5-EB742F04392F} (Microsoft Terminal Services Control (redist)) - http://app-admin-1/tsweb/mstscax.cab O16 - DPF: {433C8F9A-1BBC-434E-B9E0-F0CCA04F3E27} (IID.uscLogin) - file://E:\iid\Iid Application\IID.CAB O16 - DPF: {9059F30F-4EB1-4BD2-9FDC-36F43A218F4A} (Microsoft RDP Client Control (redist)) - http://app-admin-1/tsweb/msrdp.cab O16 - DPF: {90A29DA5-D020-4B18-8660-6689520C7CD7} (DmiReader Class) - http://support.dell.com/us/en/system...SysProfLCD.CAB O16 - DPF: {5e2a3510-4371-11d6-b64c-00c04faedb18} (Oracle JInitiator 1.1.8.18) - End of KRC HijackThis Analyzer Log. ====================================================================

03-18-2005, 07:10 PM	#4 (permalink)
CTSNKY Knower of all that is MS Join Date: Aug 2004 Posts: 10,755 OS: (multiple machines) 95, 98, 2K & XP Home & Pro	You did very well........Your log is clean. To help prevent future spyware installations/infections, please read the Anti-Spyware Tutorial (http://www.greyknight17.com/spyware.htm#prevent) and use the tools provided. Are there any problems now? If not, you should be set to go. __________________ GO BIG BLUE!!

03-19-2005, 10:47 AM	#5 (permalink)
ljgwtg I helped the forums. Join Date: Mar 2005 Posts: 16 OS: XP	Thanks so much Everything looks good. Thanks for your help.