Old 06-30-2005, 04:17 AM   #1 (permalink)
dave.c (Registered User; Join Date: Nov 2004; Posts: 33; OS: XP)

Need Help With Trojan !!!!!!! :(

Hi Guys,
Trying to fix a friend's PC which was infected with malware amongst others.
I thought I had got rid of them all but in the system tray there is a red circle with a white cross through it..... saying "Your Computer Is Infected". It has something to do with AV Gold but I cannot seem to get rid of it.
Also the IE homepage keeps reverting back to about:blank even after I change it.
It is a stand-alone Win 98 PC which is up to date with Windows patches and anti-virus etc.. When I try to run regedit, it says that registry editing has been disabled by your administrator.

I have used Ad-Aware, Spybot, a-squared, Shredder, online trojan scans.

All help gratefully received.
I have attached the HijackThis log

Logfile of HijackThis v1.99.1
Scan saved at 11:10:04, on 30/6/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\PROGRAM FILES\SYMANTEC_CLIENT_SECURITY\SYMANTEC ANTIVIRUS\RTVSCN95.EXE
C:\PROGRAM FILES\SYMANTEC_CLIENT_SECURITY\SYMANTEC ANTIVIRUS\DEFWATCH.EXE
c:\windows\SYSTEM\KB891711\KB891711.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\ATIPTAXX.EXE
C:\WINDOWS\TPPALDR.EXE
C:\USBSTORAGE\USBDETECTOR.EXE
C:\PROGRAM FILES\SYMANTEC_CLIENT_SECURITY\SYMANTEC ANTIVIRUS\VPTRAY.EXE
C:\WINDOWS\SYSTEM\HOOKDUMP.EXE
C:\PROGRAM FILES\A2\A2GUARD.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\PCANYWHERE\AWHOST32.EXE
C:\WINDOWS\DESKTOP\ANTISPY\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\vlmrk.dll/sp.html#55135
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\vlmrk.dll/sp.html#55135
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\vlmrk.dll/sp.html#55135
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\vlmrk.dll/sp.html#55135
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\vlmrk.dll/sp.html#55135
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\vlmrk.dll/sp.html#55135
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\vlmrk.dll/sp.html#55135
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.easons.com/
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {8681F5FE-10E5-BC0E-53C2-DCC12E244065} - C:\WINDOWS\IPYB.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
O4 - HKLM\..\Run: [mdac_runonce] C:\WINDOWS\SYSTEM\runonce.exe
O4 - HKLM\..\Run: [TaskMon] C:\WINDOWS\SYSTEM\taskmon.exe
O4 - HKLM\..\Run: [TPP Auto Loader] C:\WINDOWS\TPPALDR.EXE
O4 - HKLM\..\Run: [USBDetector] C:\USBStorage\USBDetector.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\SYSTEM\hpztsb05.exe
O4 - HKLM\..\Run: [e-DT LAN Sniffer] C:\Program Files\HP\e-DiagTools\edtlancfg.exe OS
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [ATIPOLAB] ati2evxx.exe
O4 - HKLM\..\RunServices: [rtvscn95] C:\PROGRA~1\SYMANT~1\SYMANT~1\rtvscn95.exe
O4 - HKLM\..\RunServices: [defwatch] C:\PROGRA~1\SYMANT~1\SYMANT~1\defwatch.exe
O4 - HKLM\..\RunServices: [KB891711] c:\windows\SYSTEM\KB891711\KB891711.EXE
O4 - HKCU\..\Run: [Intel system tool] C:\WINDOWS\SYSTEM\hookdump.exe
O4 - HKCU\..\Run: [a-squared] "C:\Program Files\a2\a2guard.exe"
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (ASquaredScanForm Element) - http://www.windowsecurity.com/trojanscan/axscan.cab
Old 06-30-2005, 06:29 AM   #2 (permalink)
dave.c (Registered User; Join Date: Nov 2004; Posts: 33; OS: XP)

anyone ??
Old 06-30-2005, 08:40 AM   #3 (permalink)
Suitcasehero (Registered User; Join Date: Jun 2005; Posts: 50; OS: XP)

WARNING
You are running HiJackThis from an inappropriate location. It should be run from a permanent folder. This program creates backup files which we may need to use later. If the program is in a temporary folder, important backups may be accidentally deleted.

1.Please go into Windows Explorer
2.Click on C:\
3.Click on File > New > Folder
4.Call it HJT, or another name of your choice.


Download HijackThis Analyzer, move it to the folder with HijackThis, run it and post both new logs please.
HiJackThis & HiJackThis Analyzer

Your Friend - Suitcase

Last edited by Suitcasehero; 06-30-2005 at 08:54 AM.
Old 06-30-2005, 09:28 AM   #4 (permalink)
dave.c (Registered User; Join Date: Nov 2004; Posts: 33; OS: XP)

Cheers.

Here are the logs from both HijackThis programs

Analyzer ::

====================================================================
Log was analyzed using KRC HijackThis Analyzer - Updated on 6/3/05
Get updates at http://www.greyknight17.com/download.htm#programs

***Security Programs Detected***

C:\PROGRAM FILES\SYMANTEC_CLIENT_SECURITY\SYMANTEC ANTIVIRUS\RTVSCN95.EXE
C:\PROGRAM FILES\SYMANTEC_CLIENT_SECURITY\SYMANTEC ANTIVIRUS\DEFWATCH.EXE
C:\PROGRAM FILES\SYMANTEC_CLIENT_SECURITY\SYMANTEC ANTIVIRUS\VPTRAY.EXE
C:\PROGRAM FILES\A2\A2GUARD.EXE
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\RunServices: [rtvscn95] C:\PROGRA~1\SYMANT~1\SYMANT~1\rtvscn95.exe
O4 - HKLM\..\RunServices: [defwatch] C:\PROGRA~1\SYMANT~1\SYMANT~1\defwatch.exe
O4 - HKCU\..\Run: [a-squared] "C:\Program Files\a2\a2guard.exe"

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Logfile of HijackThis v1.99.1
Scan saved at 16:25:03, on 30/6/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
c:\windows\SYSTEM\KB891711\KB891711.EXE
C:\USBSTORAGE\USBDETECTOR.EXE
C:\WINDOWS\SYSTEM\HOOKDUMP.EXE
C:\PROGRAM FILES\PCANYWHERE\AWHOST32.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\vlmrk.dll/sp.html#55135
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\vlmrk.dll/sp.html#55135
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\vlmrk.dll/sp.html#55135
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\vlmrk.dll/sp.html#55135
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\vlmrk.dll/sp.html#55135
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\vlmrk.dll/sp.html#55135
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\vlmrk.dll/sp.html#55135
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.easons.com/
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {8681F5FE-10E5-BC0E-53C2-DCC12E244065} - C:\WINDOWS\IPYB.DLL
O4 - HKLM\..\Run: [mdac_runonce] C:\WINDOWS\SYSTEM\runonce.exe
O4 - HKLM\..\Run: [TaskMon] C:\WINDOWS\SYSTEM\taskmon.exe
O4 - HKLM\..\Run: [USBDetector] C:\USBStorage\USBDetector.exe
O4 - HKLM\..\Run: [e-DT LAN Sniffer] C:\Program Files\HP\e-DiagTools\edtlancfg.exe OS
O4 - HKLM\..\RunServices: [KB891711] c:\windows\SYSTEM\KB891711\KB891711.EXE
O4 - HKCU\..\Run: [Intel system tool] C:\WINDOWS\SYSTEM\hookdump.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (ASquaredScanForm Element) - http://www.windowsecurity.com/trojanscan/axscan.cab


End of KRC HijackThis Analyzer Log.
====================================================================



HijackThis:

Logfile of HijackThis v1.99.1
Scan saved at 16:25:03, on 30/6/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\PROGRAM FILES\SYMANTEC_CLIENT_SECURITY\SYMANTEC ANTIVIRUS\RTVSCN95.EXE
C:\PROGRAM FILES\SYMANTEC_CLIENT_SECURITY\SYMANTEC ANTIVIRUS\DEFWATCH.EXE
c:\windows\SYSTEM\KB891711\KB891711.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\ATIPTAXX.EXE
C:\WINDOWS\TPPALDR.EXE
C:\USBSTORAGE\USBDETECTOR.EXE
C:\PROGRAM FILES\SYMANTEC_CLIENT_SECURITY\SYMANTEC ANTIVIRUS\VPTRAY.EXE
C:\WINDOWS\SYSTEM\HOOKDUMP.EXE
C:\PROGRAM FILES\A2\A2GUARD.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\PCANYWHERE\AWHOST32.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\EXCEL.EXE
C:\HJT\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\vlmrk.dll/sp.html#55135
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\vlmrk.dll/sp.html#55135
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\vlmrk.dll/sp.html#55135
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\vlmrk.dll/sp.html#55135
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\vlmrk.dll/sp.html#55135
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\vlmrk.dll/sp.html#55135
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\vlmrk.dll/sp.html#55135
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.easons.com/
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {8681F5FE-10E5-BC0E-53C2-DCC12E244065} - C:\WINDOWS\IPYB.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
O4 - HKLM\..\Run: [mdac_runonce] C:\WINDOWS\SYSTEM\runonce.exe
O4 - HKLM\..\Run: [TaskMon] C:\WINDOWS\SYSTEM\taskmon.exe
O4 - HKLM\..\Run: [TPP Auto Loader] C:\WINDOWS\TPPALDR.EXE
O4 - HKLM\..\Run: [USBDetector] C:\USBStorage\USBDetector.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\SYSTEM\hpztsb05.exe
O4 - HKLM\..\Run: [e-DT LAN Sniffer] C:\Program Files\HP\e-DiagTools\edtlancfg.exe OS
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [ATIPOLAB] ati2evxx.exe
O4 - HKLM\..\RunServices: [rtvscn95] C:\PROGRA~1\SYMANT~1\SYMANT~1\rtvscn95.exe
O4 - HKLM\..\RunServices: [defwatch] C:\PROGRA~1\SYMANT~1\SYMANT~1\defwatch.exe
O4 - HKLM\..\RunServices: [KB891711] c:\windows\SYSTEM\KB891711\KB891711.EXE
O4 - HKCU\..\Run: [Intel system tool] C:\WINDOWS\SYSTEM\hookdump.exe
O4 - HKCU\..\Run: [a-squared] "C:\Program Files\a2\a2guard.exe"
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (ASquaredScanForm Element) - http://www.windowsecurity.com/trojanscan/axscan.cab
Old 07-01-2005, 12:23 AM   #5 (permalink)
sUBs (Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy; Join Date: May 2005; Posts: 24,479; OS: N/A)

Hi and Welcome to TSF!

Please subscribe to this thread so you'll be notified as soon as we post your fix. To do this, please click here. On the following page, make sure Instant notification by email is selected, then click Add subscription.

In the meanwhile, I suggest that you stop using Internet Explorer until we've fully disinfected your machine. Please download & use an alternative browser like Firefox.

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order they are mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should not have any open browsers when you are following the procedures below.

During the course of disinfection, I may ask you to fix a program that you wish to retain. Please post back to inform me.

Enable the viewing of Hidden files
  • Close all programs so that you are at your Desktop.
  • Double-click on the My Computer icon.
  • Select the View menu and then click Folder Options.
  • After the new window appears select the View tab.
  • Scroll down until you see the Show all files radio button and select it.
  • Press the Apply button and then the OK button and close the My Computer window.
  • Now your computer is configured to show all hidden files.

=============

Download CleanUp! - Install but do not run it yet.

Download Hoster - Save to desktop.

Download KillBox v2.0.0.175 - Save to desktop.

Download DelO15Domains.inf - Right click & choose "Save As...". Save it to Desktop as DelO15Domains.inf.

Download Ewido Security Suite - Install & update its database but do not run it yet.

Download Smitfraud.reg - Right click & choose "Save As...". Save it to Desktop as Smitfraud.reg.

Download CWShredder - Save on Desktop. Run CWShredder & click on the [Check for update] button. Exit the program after it has updated itself.

Download & Save to a new folder on desktop SpSeHjfix.

Disconnect from the internet & close all browsers.


=============

Some Anti-Spyware Programmes are known to interfere with HJT fixes. If you have these programmes, please disable them as follows ...

Spybot Search & Destroy's TeaTimer
  • Go to Tools>Resident - Deselect TeaTimer.

Microsoft AntiSpyware
  • Click on Options>Settings.
  • In the left pane, click on Real-time Protection.
  • Under Startup Options, Deselect Enable the Microsoft AntiSpyware Security Agents on startup.
  • Under Real-time spyware threat protection, Deselect Enable real-time spyware threat protection.
  • After you've done these, click on the Save button and close Microsoft AntiSpyware.
  • Right click on the Microsoft AntiSpyware icon on the taskbar and select Shutdown Microsoft AntiSpyware.

Webroot SpySweeper
  • Go to the Options>Program Options.
  • Deselect Load at Windows Startup.
  • Click Shields and Deselect all items there.
  • Deselect Home page shield.
  • Deselect Automatically restore default without notification.

Ad-aware's Ad-Watch
  • Right-click on the Ad-Watch icon in the system tray
    At the bottom of the screen you will see 2 options Active and Automatic.
  • Deselect Active
  • Deselect Automatic
  • Go to "Tools & Preferences">Options
  • Deselect "Load Ad-Watch at Windows startup"

=============

Double click on Smitfraud.reg and answer "Yes" when prompted to merge into the registry.
  • Disconnect from the net and close all programs.
  • Run SpSeHjfix and click on "Start Disinfection".
If SpSeHjfix finds the "system clean", it will not proceed with the next stage. Otherwise, it may reboot your machine to finish the cleaning process. A log of the fix will be created in the containing folder.
Run CWShredder & Click the [Fix] button.

Post the log that was created by SpSeHjfix in your next reply

=============

Uninstall the following programs using Control Panel>Add/Remove Programs :
  • Security IGuard
    Virtual Maid
    Search Maid
    AntivirusGold

=============

Using KillBox

Copy to clipboard, all the items below by highlighting them & pressing [CTRL]+[C] on your keyboard.
  • C:\WINDOWS\System\hp596C.tmp
    C:\WINDOWS\System\hp5F27.tmp
    C:\WINDOWS\System\hpC776.tmp
    C:\WINDOWS\System\hookdump.exe
    C:\wp.exe
    C:\wp.bmp
    C:\bsw.exe
    C:\WINDOWS\sites.ini
    C:\WINDOWS\popuper.exe
    C:\WINDOWS\system\hhk.dll
    C:\WINDOWS\System\helper.exe
    C:\WINDOWS\System\intmonp.exe
    C:\WINDOWS\System\msmsgs.exe
    C:\WINDOWS\System\ole32vbs.exe
    C:\WINDOWS\system\msole32.exe
    C:\WINDOWS\System\shnlog.exe
    C:\WINDOWS\System\intmon.exe
    C:\WINDOWS\System\msmsgs.exe
    C:\WINDOWS\System\LogFiles\A5281300.so
    C:\WINDOWS\System\winnook.exe
    C:\WINDOWS\desktop.html
    C:\WINDOWS\screen.html
    C:\WINDOWS\zloader3.exe
    C:\WINDOWS\system\oleadm.dll
    C:\WINDOWS\system\oleadm32.dll

Start KillBox.
  1. Go to the File menu, and choose "Paste from Clipboard".
    Verify that you've done this properly by clicking the dropdown-arrow next to the "Full Path of File to Delete" field. The filenames you pasted will be found in there.
  2. Select/tick the following:
    • "Delete on Reboot"
    • "End Explorer Shell While Killing File"
    • "Unregister.dll Before Deleting" if it's not grayed out.
  3. Click the RED X button.
  4. Click "Yes" at the 'Delete on Reboot' prompt. Click "Yes" at the Pending Operations prompt.

* If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run the Killbox, click here to download and run missingfilesetup.exe. Then try Killbox again.


=============

Reboot to Safe Mode
  1. Shut Windows down, and then turn off the computer.
  2. Restart the computer. The computer begins processing a set of instructions known as the Basic Input/Output System (BIOS). What is displayed depends on the BIOS manufacturer. Some computers display a progress bar that refers to the word BIOS, while others may not display any indication that this process is happening.
  3. As soon as the BIOS has finished loading, begin tapping the F8 key on your keyboard. Continue to do so until the
    Windows Advanced Options menu appears.
  4. Using the arrow keys on the keyboard, scroll to and select the Safe mode menu item, and then press Enter.

=============

Close all other windows.
Run a HiJackThis Scan
& Select(tick) the following, if present:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\vlmrk.dll/sp.html#55135
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\vlmrk.dll/sp.html#55135
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\vlmrk.dll/sp.html#55135
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\vlmrk.dll/sp.html#55135
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\vlmrk.dll/sp.html#55135
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\vlmrk.dll/sp.html#55135
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\vlmrk.dll/sp.html#55135
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {8681F5FE-10E5-BC0E-53C2-DCC12E244065} - C:\WINDOWS\IPYB.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKCU\..\Run: [Intel system tool] C:\WINDOWS\SYSTEM\hookdump.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm


Click "Fix checked" for HJT to fix them


=============

Locate and delete the following folder(s), if present:
  • C:\Program Files\AntivirusGold\
    C:\Program Files\Search Maid\
    C:\Program Files\Virtual Maid\
    C:\Windows\System32\Log Files\
    C:\Program Files\Security iGuard\

=============

Right click on DelO15Domains.inf and choose Install. It will run immediately (you won't be able to see anything happen).

Run Hoster.exe. Choose the 'Restore Original Hosts' button and press OK.

Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu). Set the program up as follows:
  1. Click "Options..."
  2. Move the arrow down to Custom CleanUp!
  3. Put a check next to the following:
    • Empty Recycle Bins
    • Delete Cookies
    • Delete Prefetch files
    • [X]Scan local drives for temporary files (Please uncheck this option)
    • Cleanup! All Users
  4. Click "OK"
  5. Press the "CleanUp!" button to start the program. Reboot/logoff when prompted.
* CleanUp! will delete all the files in your temp folders


=============

Reboot to Normal Mode.

Do an online scan at one of the following sites: Take note of the names and locations of any file it detects but fails to clean.

* Turn off the real time scanner of any existing antivirus program while performing the online scan


Reboot Again & run a new HiJackThis scan. Save the log file and post it in your next reply.

In your next post, please include:
  • Copy of HiJackThis log
  • SpSeHjfix log
  • List of files that online scans failed to disinfect

Please provide details of any problems you encountered whilst performing the above steps.
__________________

Question - what have you done for the community today?
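The entries sUBs ticks in the HijackThis fix above (the res:// search-page redirects, the about:blank start page, the unnamed BHO dropped into C:\WINDOWS, the "Intel system tool" autorun for hookdump.exe and the O7 DisableRegedit policy) can be triaged mechanically from the log text. The following Python script is an added example written for this page; it is not part of the thread, not HijackThis and not the KRC analyzer. Its sample input is the R/O lines copied from the first (infected) and final (cleaned) logs posted in this thread; the severity labels, the rule wording and the KNOWN_BAD list (assembled from the files queued in KillBox above) are this example's own assumptions.

```python
"""Mechanical triage of a HijackThis (v1.99) log for the hijack patterns in this thread.

Added example, not part of the original thread or of HijackThis. Severities,
rule wording and KNOWN_BAD are this example's own choices, derived from the
files sUBs queued for deletion in the post above.
"""
import re
from dataclasses import dataclass

# Constructed sample: the R/O lines from the thread's first (infected) log.
INFECTED_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\vlmrk.dll/sp.html#55135
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\vlmrk.dll/sp.html#55135
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {8681F5FE-10E5-BC0E-53C2-DCC12E244065} - C:\WINDOWS\IPYB.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKCU\..\Run: [Intel system tool] C:\WINDOWS\SYSTEM\hookdump.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (ASquaredScanForm Element) - http://www.windowsecurity.com/trojanscan/axscan.cab
"""

# Constructed sample: the R/O lines from the final (post-fix) log.
CLEAN_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.easons.com/
R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKCU\..\Run: [a-squared] "C:\Program Files\a2\a2guard.exe"
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefender.com/scan8/oscan8.cab
"""

# Executables sUBs queued in KillBox above; an O4 autorun pointing at one is a hit.
KNOWN_BAD = {"hookdump.exe", "popuper.exe", "intmon.exe", "intmonp.exe", "shnlog.exe",
             "msole32.exe", "ole32vbs.exe", "winnook.exe", "wp.exe", "bsw.exe",
             "zloader3.exe", "helper.exe"}

ENTRY_RE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.*)$")
# A BHO DLL sitting directly in the Windows directory (no subfolder), as IPYB.DLL did.
WINDIR_DLL_RE = re.compile(r"^[A-Z]:\\WINDOWS\\[^\\]+\.DLL$", re.I)
O4_RE = re.compile(r"\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)")
EXE_RE = re.compile(r'([^\\/\s"]+\.(?:exe|dll|com))', re.I)


@dataclass(frozen=True)
class Finding:
    severity: str   # "high", "medium" or "low" (this example's own scale)
    section: str    # HJT section code, e.g. "R1", "O7"
    reason: str
    line: str


def parse_entries(log_text):
    """Yield (section, body, raw_line) for every HJT R*/O* entry in the log."""
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            yield m.group("sec"), m.group("body"), raw.strip()


def triage(log_text):
    """Return the suspicious entries of an HJT log, in the order they appear."""
    entries = list(parse_entries(log_text))
    # about:blank on its own is harmless; it only matters beside a res:// hijack.
    res_hijack_present = any("res://" in body.lower() for _, body, _ in entries)
    findings = []
    for sec, body, line in entries:
        low = body.lower()
        if sec in ("R0", "R1") and "res://" in low:
            findings.append(Finding("high", sec, "IE search/start page redirected to a local DLL resource (res://)", line))
        elif sec in ("R0", "R1") and low.endswith("about:blank") and res_hijack_present:
            findings.append(Finding("medium", sec, "about:blank start page set alongside a res:// hijack", line))
        elif sec == "R3" and "missing" in low:
            findings.append(Finding("low", sec, "default URLSearchHook missing; the HJT fix restores it", line))
        elif sec == "O2":
            dll = body.rsplit(" - ", 1)[-1].strip()
            if WINDIR_DLL_RE.match(dll):
                findings.append(Finding("high", sec, "BHO loads a DLL dropped directly into the Windows directory", line))
        elif sec == "O4":
            m = O4_RE.search(body)
            exe = EXE_RE.search(m.group("cmd")) if m else None
            if exe and exe.group(1).lower() in KNOWN_BAD:
                findings.append(Finding("high", sec, f"autorun starts known-bad file {exe.group(1)}", line))
        elif sec == "O7" and "disableregedit=1" in low.replace(" ", ""):
            findings.append(Finding("high", sec, "registry editing disabled by policy (why regedit is blocked)", line))
    return findings


def highest_severity(findings):
    """Worst severity among the findings: 'high' > 'medium' > 'low'; None if empty."""
    order = {"high": 3, "medium": 2, "low": 1}
    return max((f.severity for f in findings), key=order.get, default=None)


if __name__ == "__main__":
    for label, log in (("infected", INFECTED_LOG), ("clean", CLEAN_LOG)):
        hits = triage(log)
        print(f"{label}: {len(hits)} finding(s), worst = {highest_severity(hits)}")
        for f in hits:
            print(f"  [{f.severity:6}] {f.section}: {f.reason}\n           {f.line}")
```

Run against the infected log it reports seven entries, five of them high; against the final log only the R3 "URLSearchHook is missing" line remains, which is a low-severity leftover rather than an active infection, matching sUBs's reading of that log as clean. The about:blank rule deliberately fires only when a res:// redirect is also present, since a blank start page by itself is a legitimate user setting.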
Old 07-01-2005, 01:57 AM   #6 (permalink)
dave.c (Registered User; Join Date: Nov 2004; Posts: 33; OS: XP)

After I try to run the Ewido Security Suite I am told that my operating system must be 2000 or greater. The PC is running Windows 98.

I have downloaded and installed the others as requested...

What shall I do next??
Old 07-01-2005, 02:06 AM   #7 (permalink)
sUBs (Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy; Join Date: May 2005; Posts: 24,479; OS: N/A)

Sorry.. my fault. Forgot that Ewido doesn't run on Win98.

Skip Ewido but do the Panda scan.
Old 07-01-2005, 05:47 AM   #8 (permalink)
dave.c (Registered User; Join Date: Nov 2004; Posts: 33; OS: XP)

Cheers sUBs

Here's the HijackThis log

Logfile of HijackThis v1.99.1
Scan saved at 12:40:29, on 1/7/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\PROGRAM FILES\SYMANTEC_CLIENT_SECURITY\SYMANTEC ANTIVIRUS\RTVSCN95.EXE
C:\PROGRAM FILES\SYMANTEC_CLIENT_SECURITY\SYMANTEC ANTIVIRUS\DEFWATCH.EXE
c:\windows\SYSTEM\KB891711\KB891711.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\ATIPTAXX.EXE
C:\WINDOWS\TPPALDR.EXE
C:\USBSTORAGE\USBDETECTOR.EXE
C:\PROGRAM FILES\SYMANTEC_CLIENT_SECURITY\SYMANTEC ANTIVIRUS\VPTRAY.EXE
C:\PROGRAM FILES\A2\A2GUARD.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\PCANYWHERE\AWHOST32.EXE
C:\HJT\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.easons.com/
R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
O4 - HKLM\..\Run: [mdac_runonce] C:\WINDOWS\SYSTEM\runonce.exe
O4 - HKLM\..\Run: [TaskMon] C:\WINDOWS\SYSTEM\taskmon.exe
O4 - HKLM\..\Run: [TPP Auto Loader] C:\WINDOWS\TPPALDR.EXE
O4 - HKLM\..\Run: [USBDetector] C:\USBStorage\USBDetector.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\SYSTEM\hpztsb05.exe
O4 - HKLM\..\Run: [e-DT LAN Sniffer] C:\Program Files\HP\e-DiagTools\edtlancfg.exe OS
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [ATIPOLAB] ati2evxx.exe
O4 - HKLM\..\RunServices: [rtvscn95] C:\PROGRA~1\SYMANT~1\SYMANT~1\rtvscn95.exe
O4 - HKLM\..\RunServices: [defwatch] C:\PROGRA~1\SYMANT~1\SYMANT~1\defwatch.exe
O4 - HKLM\..\RunServices: [KB891711] c:\windows\SYSTEM\KB891711\KB891711.EXE
O4 - HKCU\..\Run: [a-squared] "C:\Program Files\a2\a2guard.exe"
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (ASquaredScanForm Element) - http://www.windowsecurity.com/trojanscan/axscan.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefender.com/scan8/oscan8.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 192.111.39.1

Here's the SpSeHjfix log



(7/1/05 11:18:45) SPSeHjFix started v1.09
(7/1/05 11:18:45) OS: Win98SE A (4.10.67766446)
(7/1/05 11:18:45) Language: english
(7/1/05 11:18:48) Disinfect started
(7/1/05 11:18:48) Bad-Dll(IEP): vlmrk.dll
(7/1/05 11:18:48) UBF: 4
(7/1/05 11:18:48) UBB: 0
(7/1/05 11:18:48) UBR: 18
(7/1/05 11:18:48) Bad IE-pages:
deleted: HKCU\Software\Microsoft\Internet Explorer\Main, Search Bar: res://C:\WINDOWS\vlmrk.dll/sp.html#55135
deleted: HKCU\Software\Microsoft\Internet Explorer\Main, Search Page: res://C:\WINDOWS\vlmrk.dll/sp.html#55135
deleted: HKCU\Software\Microsoft\Internet Explorer\Main, Start Page: about:blank
deleted: HKCU\Software\Microsoft\Internet Explorer\Search, SearchAssistant: res://C:\WINDOWS\vlmrk.dll/sp.html#55135
deleted: HKLM\Software\Microsoft\Internet Explorer\Main, Search Bar: res://C:\WINDOWS\vlmrk.dll/sp.html#55135
deleted: HKLM\Software\Microsoft\Internet Explorer\Main, Search Page: res://C:\WINDOWS\vlmrk.dll/sp.html#55135
deleted: HKLM\Software\Microsoft\Internet Explorer\Main, Start Page: about:blank
deleted: HKLM\Software\Microsoft\Internet Explorer\Main, Default_Page_URL: about:blank
deleted: HKLM\Software\Microsoft\Internet Explorer\Main, Default_Search_URL: res://C:\WINDOWS\vlmrk.dll/sp.html#55135
deleted: HKLM\Software\Microsoft\Internet Explorer\Search, SearchAssistant: res://C:\WINDOWS\vlmrk.dll/sp.html#55135
(7/1/05 11:18:48) Stealth-String not found:
(7/1/05 11:18:48) No Files to delete. End without Reboot
(7/1/05 11:18:52) Disinfect started
(7/1/05 11:18:52) Bad-Dll(IEP): vlmrk.dll
(7/1/05 11:18:52) UBF: 4
(7/1/05 11:18:52) UBB: 0
(7/1/05 11:18:52) UBR: 18
(7/1/05 11:18:52) Bad IE-pages:
(7/1/05 11:18:52) Stealth-String not found:
(7/1/05 11:18:52) No Files to delete. End without Reboot
(7/1/05 11:18:59) Disinfect started
(7/1/05 11:18:59) Bad-Dll(IEP): vlmrk.dll
(7/1/05 11:18:59) UBF: 4
(7/1/05 11:18:59) UBB: 0
(7/1/05 11:18:59) UBR: 18
(7/1/05 11:18:59) Bad IE-pages:
(7/1/05 11:18:59) Stealth-String not found:
(7/1/05 11:18:59) No Files to delete. End without Reboot

I could not use the Panda scan as it kept saying that the Panda Software server failed to acknowledge my request, so I used BitDefender instead.

Here is the log from BitDefender:
BitDefender Online Scanner - Real Time Virus Report
Generated at: Fri, Jul 01, 2005 - 12:13:20

Scan Info
  Scanned Files: 81788
  Infected Files: 3

Virus Detected
  Trojan.Downloader.Agent.BC: 3

This summary of the scan process will be used by the BitDefender Antivirus Lab to create aggregate statistics about virus activity around the world.

3 DLL files were found to be infected but BitDefender deleted them.

Have run BitDefender again and found no problems.

So here's hoping !!
Old 07-01-2005, 05:58 AM   #9 (permalink)
sUBs (Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy; Join Date: May 2005; Posts: 24,479; OS: N/A)

Please ask your friend how it feels to be 'clean' again.

The log is clean. Well done
Do you have any more problems with your computer? If not, you should be set to go.

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programs:
  • SpywareBlaster to help prevent spyware from installing in the first place.
  • SpywareGuard to catch and block spyware before it can execute.
  • IESpy-Ad to block access to malicious websites so you cannot be redirected to them from an infected site or email.

If you do not have a firewall, here are 3 free ones available for personal use:
and a good antivirus like the one you are currently using. It is critical to have both a firewall and an anti-virus application and to keep them updated.


In light of your recent hiccup, I'm sure you'd like to avoid any future infections. Please take a look at these well-written articles.
Have a safe & happy computing day.

Please respond to this thread one more time so we can mark this thread as resolved.
Old 07-01-2005, 06:01 AM   #10 (permalink)
dave.c (Registered User; Join Date: Nov 2004; Posts: 33; OS: XP)

Cheers sUBs...

Thanx a million and the next time you are in Dublin, there is a pint of guinness waiting for you !!
Old 07-02-2005, 10:45 PM   #11 (permalink)
Lobos (Troubled; Join Date: Apr 2004; Location: California; Posts: 943; OS: Windows XP)

Since this issue appears to be resolved ... this Topic has been closed.

If you need this topic reopened, please contact one of the moderators with the link of this thread and we will open it back up.