Hijack This log: ceres.dll and other problems

mcall1sr · 06-30-2005, 01:27 PM

hi everyone,

I've been having problems with the ceres.dll bug. Also, AVG told me that the machine i'm using is infected with the startpage.16.M trojan. Here is my highjack this log. Any help you can give me is much appreciated!

Thanks everyone!

Steve

---
Logfile of HijackThis v1.99.1
Scan saved at 3:20:22 PM, on 6/30/05
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\WINMODEM.101\wmexe.exe
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\VSHWIN32.EXE
C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\WEBSCANX.EXE
C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\VSSTAT.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\STARTER.EXE
C:\WINDOWS\SYSTEM\ATIPTAAA.EXE
C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\AVCONSOL.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\WINAMP\WINAMPA.EXE
C:\PROGRAM FILES\VIEWPOINT\VIEWPOINT MANAGER\VIEWMGR.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\WINDOWS\SYSTEM\KOHYKD.EXE
C:\PROGRAM FILES\AIM\AIM.EXE
C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
C:\WINDOWS\SYSTEM\MSWHEEL.EXE
C:\WINDOWS\SYSTEM\CFGWIZ32.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\INTERNAT.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\HIJACKTHIS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\windows\system32\blank.htm
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: CeresObj Class - {00000049-8F91-4D9C-9573-F016E7626484} - C:\WINDOWS\CERES.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [ATIGART] c:\ati\gart\atigart.exe
O4 - HKLM\..\Run: [AtiPTA] Atiptaaa.exe
O4 - HKLM\..\Run: [AtiCwd32] Aticwd32.exe
O4 - HKLM\..\Run: [AtiQiPcl] AtiQiPcl.exe
O4 - HKLM\..\Run: [TIPS] C:\PROGRA~1\MICROS~1\tips\mouse\tips.exe
O4 - HKLM\..\Run: [POINTER] C:\PROGRA~1\MICROS~1\point32.exe
O4 - HKLM\..\Run: [AvconsoleEXE] C:\Program Files\Network Associates\McAfee VirusScan\avconsol.exe /minimize
O4 - HKLM\..\Run: [Vshwin32EXE] C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\VSHWIN32.EXE
O4 - HKLM\..\Run: [VsStatEXE] C:\Program Files\Network Associates\McAfee VirusScan\VSSTAT.EXE
O4 - HKLM\..\Run: [McAfeeWebScanX] C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\WebScanX.Exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [richup] C:\WINDOWS\SYSTEM\richup.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\Run: [kohykd] c:\windows\system\kohykd.exe
O4 - HKLM\..\RunServices: [winmodem] WINMODEM.101\wmexe.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [Vshwin32EXE] C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\VSHWIN32.EXE
O4 - HKLM\..\RunServices: [McAfeeWebScanX] C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\WebScanX.Exe
O4 - HKCU\..\Run: [AIM] C:\PROGRAM FILES\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [SNInstall] C:\WINDOWS\DESKTOP\SEFE.EXE
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM\AIM.EXE
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone
O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone (HKLM)
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab

sUBs · 06-30-2005, 04:46 PM

Hi and Welcome to TSF!

Please subscribe to this thread so you'll be notified as soon as we post your fix. To do this, please click here. On the proceeding page, make sure Instant notification by email is selected, then click Add subscription.

Your operating system is outdated. You're susceptible to infections that may otherwise be prevented on a properly updated system. Please visit the Windows Update site and install all available Critical Updates. This will patch your system with the most current security fixes and plug all the known vulnerabilities.

In the meanwhile, I suggest that you stop using Interent Explorer until we've fully disinfected your machine. Please download & use an alternative browser like Firefox.

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order it is mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should not have any open browsers when you are following the procedures below.

During the course of disinfection, I may ask you to fix a program that you wish to retain. Please post back to inform me.

Enable the viewing of Hidden files

Close all programs so that you are at your Desktop.
Double-click on the My Computer icon.
Select the View menu and then click Folder Options.
After the new window appears select the View tab.
Scroll down until you see the Show all files radio button and select it.
Press the Apply button and then the OK button and close the My Computer window.
Now your computer is configured to show all hidden files.

~~~~~~~~~~~~~~~

We require some additional files/programs for this fix. Please download the following files :-
Do not run any of the files unless instructed to do so

CleanUp! - Install

KillBox v2.0.0.175 - Save to Desktop.

Unplug your computer from the Internet when you have finished downloading.

~~~~~~~~~~~~~~~

Some Anti-Spyware Programmes are known to intefere with HJT fixes. If you have these programmes, please disable them by doing so ...

Search & Destroy Spybot's TeaTimer

Go to Tools>Resident - Deselect TeaTimer.

Microsoft AntiSpyware

Click on Options>Settings.
In the left pane, click on Real-time Protection.
Under Startup Options, Deselect Enable the Microsoft AntiSpyware Security Agents on startup.
Under Real-time spyware threat protection, Deselect Enable real-time spyware threat protection.
After you've done these, click on the Save button and close Microsoft AntiSpyware.
Right click on the Microsoft AntiSpyware icon on the taskbar and select Shutdown Microsoft AntiSpyware.

Webroot SpySweeper

Go to the Options>Program Options.
Deselect Load at Windows Startup.
Click Shields and Deselect all items there.
Deselect Home page shield.
Deselect Automaticly restore default without notifiction.

Ad-aware's Ad-Watch

Right-click on the Ad-Watch icon in the system tray
At the bottom of the screen you will see 2 options Active and Automatic.
Deselect Active
Deselect Automatic
Go to "Tools & Preferences">Options
Deselectt "Load Ad-Watch at Windows startup"

~~~~~~~~~~~~~~~

Uninstall the following programs using Control Panel>Add/Remove Programs :

ViewPoint

~~~~~~~~~~~~~~~

Using KillBox

Copy to clipboard, all the items below by highlighting them & pressing [CTRL]+[C] on your keyboard.

C:\WINDOWS\CERES.DLL
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\SYSTEM\richup.exe
c:\windows\system\kohykd.exe
C:\WINDOWS\DESKTOP\SEFE.EXE
C:\winstall.exe

Start KillBox.

Go to the File menu, and choose "Paste from Clipboard".
Verify that you've done this properly by clicking the dropdown-arrow next to the "Full Path of File to Delete" field. The filenames you pasted will be found in there.
Select/tick the following:
- "Delete on Reboot"
- "End Explorer Shell While Killing File"
- "Unregister.dll Before Deleting" if it's not grayed out.
Click the RED X button.
Click "Yes" at the 'Delete on Reboot' prompt. Click "Yes" at the Pending Operations prompt.

* If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run TheKillbox, click here to download and run missingfilesetup.exe. Then try Killbox again.

~~~~~~~~~~~~~~~

Upon reboot, Run a scan with HiJackThis & select(tick) the following & click "Fix checked" :

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\windows\system32\blank.htm
O2 - BHO: CeresObj Class - {00000049-8F91-4D9C-9573-F016E7626484} - C:\WINDOWS\CERES.DLL
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [richup] C:\WINDOWS\SYSTEM\richup.exe
O4 - HKLM\..\Run: [kohykd] c:\windows\system\kohykd.exe
O4 - HKCU\..\Run: [SNInstall] C:\WINDOWS\DESKTOP\SEFE.EXE
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone
O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone (HKLM)

~~~~~~~~~~~~~~~

Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu). Set the program up as follows:

Click "Options..."
Move the arrow down to Custom CleanUp!
Put a check next to the following:
- Empty Recycle Bins
- Delete Cookies
- Delete Prefetch files
- [X]Scan local drives for temporary files (Please uncheck this option)
- Cleanup! All Users
Click "OK"
Press the "CleanUp!" button to start the program. Reboot/logoff when prompted.

* CleanUp! will delete all the files in your temp folders

~~~~~~~~~~~~~~~

Do an online scan at one of the following sites:

Take note the names and locations of any file it detects but fails to clean.

* Turn off the real time scanner of any existing antivirus program while performing the online scan

Reboot & Run a new scan with HiJackThis. Save the log file and post the contents in your next reply.

In your next post, please include:

Copy of HiJackThis log
List of files that online scans failed to disinfect

Please provide details of any problems you encountered whilst performing the above steps.

Tell me how your computer behaves now

mcall1sr · 06-30-2005, 10:23 PM

I followed the directions in the last post. After following the directions, my computer seems to be behaving fine. The Bitdefender scan still identified some trojans and viruses. Here is the Hijack This log and the report from the Bitdefender online scan:

Logfile of HijackThis v1.99.1
Scan saved at 12:17:26 AM, on 7/1/05
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\WINMODEM.101\wmexe.exe
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\VSHWIN32.EXE
C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\WEBSCANX.EXE
C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\VSSTAT.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\STARTER.EXE
C:\WINDOWS\SYSTEM\ATIPTAAA.EXE
C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\AVCONSOL.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\WINAMP\WINAMPA.EXE
C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
C:\WINDOWS\SYSTEM\MSWHEEL.EXE
C:\WINDOWS\SYSTEM\INTERNAT.EXE
C:\PROGRAM FILES\HIJACKTHIS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [ATIGART] c:\ati\gart\atigart.exe
O4 - HKLM\..\Run: [AtiPTA] Atiptaaa.exe
O4 - HKLM\..\Run: [AtiCwd32] Aticwd32.exe
O4 - HKLM\..\Run: [AtiQiPcl] AtiQiPcl.exe
O4 - HKLM\..\Run: [TIPS] C:\PROGRA~1\MICROS~1\tips\mouse\tips.exe
O4 - HKLM\..\Run: [POINTER] C:\PROGRA~1\MICROS~1\point32.exe
O4 - HKLM\..\Run: [AvconsoleEXE] C:\Program Files\Network Associates\McAfee VirusScan\avconsol.exe /minimize
O4 - HKLM\..\Run: [Vshwin32EXE] C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\VSHWIN32.EXE
O4 - HKLM\..\Run: [VsStatEXE] C:\Program Files\Network Associates\McAfee VirusScan\VSSTAT.EXE
O4 - HKLM\..\Run: [McAfeeWebScanX] C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\WebScanX.Exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\RunServices: [winmodem] WINMODEM.101\wmexe.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [Vshwin32EXE] C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\VSHWIN32.EXE
O4 - HKLM\..\RunServices: [McAfeeWebScanX] C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\WebScanX.Exe
O4 - HKCU\..\Run: [AIM] C:\PROGRAM FILES\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM\AIM.EXE
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefender.com/scan8/oscan8.cab

Bitdefender report:
C:\WINDOWS\Start Menu\Programs\Accessories\System Tools\Scheduled Tasks.lnk=>C:\WINDOWS\EXPLORER.EXE
Infected with: Win32.Bube.Gen

C:\WINDOWS\Start Menu\Programs\Accessories\System Tools\Scheduled Tasks.lnk=>C:\WINDOWS\EXPLORER.EXE
Disinfection failed

C:\WINDOWS\Start Menu\Programs\Accessories\System Tools\Scheduled Tasks.lnk=>C:\WINDOWS\EXPLORER.EXE
Deleted

C:\WINDOWS\Start Menu\Programs\Accessories\System Tools\Scheduled Tasks.lnk
Updated

C:\WINDOWS\Start Menu\Programs\Accessories\Communications\Dial-Up Networking.lnk=>C:\WINDOWS\EXPLORER.EXE
Infected with: Win32.Bube.Gen

C:\WINDOWS\Start Menu\Programs\Accessories\Communications\Dial-Up Networking.lnk=>C:\WINDOWS\EXPLORER.EXE
Disinfection failed

C:\WINDOWS\Start Menu\Programs\Accessories\Communications\Dial-Up Networking.lnk=>C:\WINDOWS\EXPLORER.EXE
Deleted

C:\WINDOWS\Start Menu\Programs\Accessories\Communications\Dial-Up Networking.lnk
Updated

C:\WINDOWS\Buddy.exe
Infected with: Trojan.Bettinet.79360.A

C:\WINDOWS\Buddy.exe
Disinfection failed

C:\WINDOWS\Buddy.exe
Deleted

C:\WINDOWS\EXPLORER.EXE
Infected with: Win32.Bube.Gen

C:\WINDOWS\EXPLORER.EXE
Disinfection failed

C:\WINDOWS\EXPLORER.EXE
Delete failed

C:\My Documents\Program Installations\bittorrent-3.3.exe=>(NSIS o)=>bzip2_nsis0002
Infected with: Trojan.Downloader.Swizzor.L

C:\My Documents\Program Installations\bittorrent-3.3.exe=>(NSIS o)=>bzip2_nsis0002
Disinfection failed

C:\My Documents\Program Installations\bittorrent-3.3.exe=>(NSIS o)=>bzip2_nsis0002
Deleted

C:\My Documents\Program Installations\bittorrent-3.3.exe=>(NSIS o)
Update failed

C:\Program Files\Network Associates\McAfee VirusScan\BootScan.exe
Suspected of: One_Half.3591

C:\Program Files\Network Associates\McAfee VirusScan\BootScan.exe
Disinfection failed

C:\Program Files\Network Associates\McAfee VirusScan\BootScan.exe
Deleted

C:\Program Files\Network Associates\McAfee VirusScan\Scan86.exe
Suspected of: One_Half.3591

C:\Program Files\Network Associates\McAfee VirusScan\Scan86.exe
Disinfection failed

C:\Program Files\Network Associates\McAfee VirusScan\Scan86.exe
Deleted

sUBs · 06-30-2005, 10:50 PM

Your log is clean. Well done

Do you have any more problems with your computer? If not, you should be set to go.

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programs:

SpywareBlaster to help prevent spyware from installing in the first place.
SpywareGuard to catch and block spyware before it can execute.
IESpy-Ad to block access to malicious websites so you cannot be redirected to them from an infected site or email.

If you do not have a firewall, here are 3 free ones available for personal use:

and a good antivirus like the one you are currently using. It is critical to have both a firewall and an anti-virus application and to keep them updated.

In light of your recent hiccup, I'm sure you'll like to avoid any future infections. Please take a look at these well written articles

Have a safe & happy computing day.

Please respond to this thread one more time so we can mark this thread as resolved.

mcall1sr · 06-30-2005, 11:00 PM

Thanks!

The only other problem i have is a minor one. When i close Internet Explorer, I get a message that states: "Microsoft Internet Explorer has encountered a problem and needs to close. We're sorry for the inconvenience." In the message box there's a checkbox for "Restart Microsoft Internet Explorer." When I uncheck the box and close the message, shortly after i get an "illegal operation" warning. When I close that box, nothing happens. This only occurs when I exit Internet explorer. Any ideas?

Steve

sUBs · 06-30-2005, 11:26 PM

It probably would help if you update Internet Explorer to the latest version - 6.0.2900.2180

mcall1sr · 07-01-2005, 12:23 AM

Thought everything was ok, but my pc started to do weird things, and when i ran hijack this to take a look, i found se.dll, among other things. here's the hijack this log:

Logfile of HijackThis v1.99.1
Scan saved at 2:18:44 AM, on 7/1/05
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\WINMODEM.101\wmexe.exe
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\VSHWIN32.EXE
C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\WEBSCANX.EXE
C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\VSSTAT.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\STARTER.EXE
C:\WINDOWS\SYSTEM\ATIPTAAA.EXE
C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\AVCONSOL.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\WINAMP\WINAMPA.EXE
C:\PROGRAM FILES\AIM\AIM.EXE
C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
C:\WINDOWS\SYSTEM\MSWHEEL.EXE
C:\WINDOWS\SYSTEM\INTERNAT.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {322DABB6-E9D5-11D9-B169-00E08F3E5117} - C:\WINDOWS\SYSTEM\FNIELA.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [ATIGART] c:\ati\gart\atigart.exe
O4 - HKLM\..\Run: [AtiPTA] Atiptaaa.exe
O4 - HKLM\..\Run: [AtiCwd32] Aticwd32.exe
O4 - HKLM\..\Run: [AtiQiPcl] AtiQiPcl.exe
O4 - HKLM\..\Run: [TIPS] C:\PROGRA~1\MICROS~1\tips\mouse\tips.exe
O4 - HKLM\..\Run: [POINTER] C:\PROGRA~1\MICROS~1\point32.exe
O4 - HKLM\..\Run: [AvconsoleEXE] C:\Program Files\Network Associates\McAfee VirusScan\avconsol.exe /minimize
O4 - HKLM\..\Run: [Vshwin32EXE] C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\VSHWIN32.EXE
O4 - HKLM\..\Run: [VsStatEXE] C:\Program Files\Network Associates\McAfee VirusScan\VSSTAT.EXE
O4 - HKLM\..\Run: [McAfeeWebScanX] C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\WebScanX.Exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [sp] rundll32 C:\WINDOWS\TEMP\SE.DLL,DllInstall
O4 - HKLM\..\RunServices: [winmodem] WINMODEM.101\wmexe.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [Vshwin32EXE] C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\VSHWIN32.EXE
O4 - HKLM\..\RunServices: [McAfeeWebScanX] C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\WebScanX.Exe
O4 - HKCU\..\Run: [AIM] C:\PROGRAM FILES\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM\AIM.EXE
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefender.com/scan8/oscan8.cab
O18 - Filter: text/html - {322DABB5-E9D5-11D9-B169-00E07FECCF60} - C:\WINDOWS\SYSTEM\FNIELA.DLL
O18 - Filter: text/plain - {322DABB5-E9D5-11D9-B169-00E07FECCF60} - C:\WINDOWS\SYSTEM\FNIELA.DLL

sorry to be a bother...any more advice will help a ton...thanks!

Steve

sUBs · 07-01-2005, 12:46 AM

It's a fresh infection.

Download CWShredder - Save on Desktop. Run CWShredder & click on the [Check for update] button. Exit the program after it has updated itself.

Download & Save to a new folder on desktop SpSeHjfix.

~~~~~~~~~~~~

Disconnect from the net and close all programs.
Run SpSeHjfix and click on "Start Disinfection".

If SpSeHjfix finds the "system clean", it will not proceed with the next stage. Otherwise, it may reboot your machine to finish the cleaning process. A log of the fix will be created in the containing folder.
Run CWShredder & Click the [Fix] button.

~~~~~~~~~~~~~~~

Using KillBox

Copy to clipboard, all the items below by highlighting them & pressing [CTRL]+[C] on your keyboard.

C:\WINDOWS\SYSTEM\FNIELA.DLL
C:\WINDOWS\TEMP\se.dll

Start KillBox.

Go to the File menu, and choose "Paste from Clipboard".
Verify that you've done this properly by clicking the dropdown-arrow next to the "Full Path of File to Delete" field. The filenames you pasted will be found in there.
Select/tick the following:
- "Delete on Reboot"
- "End Explorer Shell While Killing File"
- "Unregister.dll Before Deleting" if it's not grayed out.
Click the RED X button.
Click "Yes" at the 'Delete on Reboot' prompt. Click "Yes" at the Pending Operations prompt.

~~~~~~~~~~~~~~~

Upon reboot, Run a scan with HiJackThis & select(tick) the following & click "Fix checked" :

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {322DABB6-E9D5-11D9-B169-00E08F3E5117} - C:\WINDOWS\SYSTEM\FNIELA.DLL
O4 - HKLM\..\Run: [sp] rundll32 C:\WINDOWS\TEMP\SE.DLL,DllInstall
O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone
O18 - Filter: text/html - {322DABB5-E9D5-11D9-B169-00E07FECCF60} - C:\WINDOWS\SYSTEM\FNIELA.DLL
O18 - Filter: text/plain - {322DABB5-E9D5-11D9-B169-00E07FECCF60} - C:\WINDOWS\SYSTEM\FNIELA.DLL

~~~~~~~~~~~~~~~

Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu). Set the program up as follows:

Click "Options..."
Move the arrow down to Custom CleanUp!
Put a check next to the following:
- Empty Recycle Bins
- Delete Cookies
- Delete Prefetch files
- [X]Scan local drives for temporary files (Please uncheck this option)
- Cleanup! All Users
Click "OK"
Press the "CleanUp!" button to start the program. Reboot/logoff when prompted.

* CleanUp! will delete all the files in your temp folders

~~~~~~~~~~~~~~~

Do an online scan at Panda

Take note the names and locations of any file it detects but fails to clean.

* Turn off the real time scanner of any existing antivirus program while performing the online scan

Reboot and post a fresh HijackThis log along with the log that was created by SpSeHjfix

Tell me how your computer behaves now

mcall1sr · 07-01-2005, 02:32 AM

I followed the above directions. Here are the log files you asked for:

Logfile of HijackThis v1.99.1
Scan saved at 4:24:46 AM, on 7/1/05
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\WINMODEM.101\wmexe.exe
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\VSHWIN32.EXE
C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\WEBSCANX.EXE
C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\VSSTAT.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\STARTER.EXE
C:\WINDOWS\SYSTEM\ATIPTAAA.EXE
C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\AVCONSOL.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\WINAMP\WINAMPA.EXE
C:\WINDOWS\SYSTEM\MSWHEEL.EXE
C:\PROGRAM FILES\AIM\AIM.EXE
C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
C:\WINDOWS\SYSTEM\INTERNAT.EXE
C:\PROGRAM FILES\HIJACKTHIS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [ATIGART] c:\ati\gart\atigart.exe
O4 - HKLM\..\Run: [AtiPTA] Atiptaaa.exe
O4 - HKLM\..\Run: [AtiCwd32] Aticwd32.exe
O4 - HKLM\..\Run: [AtiQiPcl] AtiQiPcl.exe
O4 - HKLM\..\Run: [TIPS] C:\PROGRA~1\MICROS~1\tips\mouse\tips.exe
O4 - HKLM\..\Run: [POINTER] C:\PROGRA~1\MICROS~1\point32.exe
O4 - HKLM\..\Run: [AvconsoleEXE] C:\Program Files\Network Associates\McAfee VirusScan\avconsol.exe /minimize
O4 - HKLM\..\Run: [Vshwin32EXE] C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\VSHWIN32.EXE
O4 - HKLM\..\Run: [VsStatEXE] C:\Program Files\Network Associates\McAfee VirusScan\VSSTAT.EXE
O4 - HKLM\..\Run: [McAfeeWebScanX] C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\WebScanX.Exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\RunServices: [winmodem] WINMODEM.101\wmexe.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [Vshwin32EXE] C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\VSHWIN32.EXE
O4 - HKLM\..\RunServices: [McAfeeWebScanX] C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\WebScanX.Exe
O4 - HKCU\..\Run: [AIM] C:\PROGRAM FILES\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM\AIM.EXE
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefender.com/scan8/oscan8.cab

-------------------------------------------------------

(7/1/05 3:10:00 AM) SPSeHjFix started v1.09
(7/1/05 3:10:00 AM) OS: Win98 (4.10.67766222)
(7/1/05 3:10:00 AM) Language: english
(7/1/05 3:10:02 AM) Disinfect started
(7/1/05 3:10:02 AM) Bad-Dll(IEP): se.dll
(7/1/05 3:10:02 AM) Searchassistant Uninstaller found: regsvr32 /s /u C:\WINDOWS\SYSTEM\FNIELA.DLL
(7/1/05 3:10:02 AM) Searchassistant Uninstaller - Keys Deleted
(7/1/05 3:10:02 AM) UBF: 6
(7/1/05 3:10:02 AM) UBB: 1
(7/1/05 3:10:02 AM) FilterKey: HKCR\text/html (deleted)
(7/1/05 3:10:02 AM) FilterKey: HKLM\SOFTWARE\Classes\text/html (error while deleting)
(7/1/05 3:10:02 AM) FilterKey: HKCR\CLSID\{322DABB5-E9D5-11D9-B169-00E07FECCF60} (deleted)
(7/1/05 3:10:02 AM) FilterKey: HKCR\text/plain (deleted)
(7/1/05 3:10:02 AM) FilterKey: HKLM\SOFTWARE\Classes\text/plain (error while deleting)
(7/1/05 3:10:02 AM) FilterKey: HKCR\CLSID\{322DABB5-E9D5-11D9-B169-00E07FECCF60} (error while deleting)
(7/1/05 3:10:02 AM) BHO-Key: HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{322DABB6-E9D5-11D9-B169-00E08F3E5117} (deleted)
(7/1/05 3:10:02 AM) BHO-Key: HKCR\CLSID\{322DABB6-E9D5-11D9-B169-00E08F3E5117} (deleted)
(7/1/05 3:10:02 AM) UBR: 25
(7/1/05 3:10:02 AM) Run-Key: HKLM\Software\Microsoft\Windows\CurrentVersion\Run\sp=rundll32 C:\WINDOWS\TEMP\SE.DLL,DllInstall (deleted)
(7/1/05 3:10:02 AM) Bad IE-pages:
deleted: HKCU\Software\Microsoft\Internet Explorer\Main, Search Bar: res://C:\WINDOWS\TEMP\se.dll/sp.html
deleted: HKCU\Software\Microsoft\Internet Explorer\Main, Search Page: about:blank
deleted: HKCU\Software\Microsoft\Internet Explorer\Main, Start Page: about:blank
deleted: HKCU\Software\Microsoft\Internet Explorer\Main, HomeOldSP: about:blank
deleted: HKCU\Software\Microsoft\Internet Explorer\Search, SearchAssistant: about:blank
deleted: HKLM\Software\Microsoft\Internet Explorer\Main, Search Bar: res://C:\WINDOWS\TEMP\se.dll/sp.html
deleted: HKLM\Software\Microsoft\Internet Explorer\Main, Search Page: about:blank
deleted: HKLM\Software\Microsoft\Internet Explorer\Main, Start Page: about:blank
deleted: HKLM\Software\Microsoft\Internet Explorer\Main, HomeOldSP: about:blank
deleted: HKLM\Software\Microsoft\Internet Explorer\Search, SearchAssistant: about:blank
(7/1/05 3:10:02 AM) Stealth-String found: C:\WINDOWS\FVI.CPE
(7/1/05 3:10:02 AM) File added to delete: c:\windows\system\fniela.dll
(7/1/05 3:10:02 AM) File added to delete: c:\windows\system\fniela.dll
(7/1/05 3:10:02 AM) File added to delete: c:\windows\temp\se.dll
(7/1/05 3:10:02 AM) File added to delete: c:\windows\fvi.cpe
(7/1/05 3:10:02 AM) Reboot
(7/1/05 3:12:09 AM) SPSeHjFix 2nd Step
(7/1/05 3:12:09 AM) RunServicesOnce-Key: (edited)
(7/1/05 3:12:16 AM) Cleaned

sUBs · 07-01-2005, 02:54 AM

Doesn't it feel nice to be clean again?

Please read the link I provided you about THE ANTI-SPYWARE TUTORIAL. Get the tools to protect youself from further infections.

Please come back in 1-2 days to let us know your still clean.

mcall1sr · 07-01-2005, 08:17 AM

Thanks a lot!

06-30-2005, 01:27 PM	#1 (permalink)
mcall1sr Registered User Join Date: Jun 2005 Posts: 6 OS: Win98	Hijack This log: ceres.dll and other problems hi everyone, I've been having problems with the ceres.dll bug. Also, AVG told me that the machine i'm using is infected with the startpage.16.M trojan. Here is my highjack this log. Any help you can give me is much appreciated! Thanks everyone! Steve --- Logfile of HijackThis v1.99.1 Scan saved at 3:20:22 PM, on 6/30/05 Platform: Windows 98 Gold (Win9x 4.10.1998) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Running processes: C:\WINDOWS\SYSTEM\KERNEL32.DLL C:\WINDOWS\SYSTEM\MSGSRV32.EXE C:\WINDOWS\SYSTEM\MPREXE.EXE C:\WINDOWS\SYSTEM\mmtask.tsk C:\WINDOWS\SYSTEM\WINMODEM.101\wmexe.exe C:\WINDOWS\SYSTEM\MSTASK.EXE C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\VSHWIN32.EXE C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\WEBSCANX.EXE C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\VSSTAT.EXE C:\WINDOWS\EXPLORER.EXE C:\WINDOWS\TASKMON.EXE C:\WINDOWS\SYSTEM\SYSTRAY.EXE C:\WINDOWS\STARTER.EXE C:\WINDOWS\SYSTEM\ATIPTAAA.EXE C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\AVCONSOL.EXE C:\WINDOWS\LOADQM.EXE C:\PROGRAM FILES\WINAMP\WINAMPA.EXE C:\PROGRAM FILES\VIEWPOINT\VIEWPOINT MANAGER\VIEWMGR.EXE C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE C:\WINDOWS\SYSTEM\KOHYKD.EXE C:\PROGRAM FILES\AIM\AIM.EXE C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE C:\WINDOWS\SYSTEM\MSWHEEL.EXE C:\WINDOWS\SYSTEM\CFGWIZ32.EXE C:\WINDOWS\EXPLORER.EXE C:\WINDOWS\SYSTEM\INTERNAT.EXE C:\WINDOWS\SYSTEM\DDHELP.EXE C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE C:\WINDOWS\EXPLORER.EXE C:\WINDOWS\EXPLORER.EXE C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE C:\WINDOWS\EXPLORER.EXE C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE C:\PROGRAM FILES\HIJACKTHIS\HIJACKTHIS.EXE R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/ R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\windows\system32\blank.htm O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX O2 - BHO: CeresObj Class - {00000049-8F91-4D9C-9573-F016E7626484} - C:\WINDOWS\CERES.DLL O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe O4 - HKLM\..\Run: [SystemTray] SysTray.Exe O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme O4 - HKLM\..\Run: [ATIGART] c:\ati\gart\atigart.exe O4 - HKLM\..\Run: [AtiPTA] Atiptaaa.exe O4 - HKLM\..\Run: [AtiCwd32] Aticwd32.exe O4 - HKLM\..\Run: [AtiQiPcl] AtiQiPcl.exe O4 - HKLM\..\Run: [TIPS] C:\PROGRA~1\MICROS~1\tips\mouse\tips.exe O4 - HKLM\..\Run: [POINTER] C:\PROGRA~1\MICROS~1\point32.exe O4 - HKLM\..\Run: [AvconsoleEXE] C:\Program Files\Network Associates\McAfee VirusScan\avconsol.exe /minimize O4 - HKLM\..\Run: [Vshwin32EXE] C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\VSHWIN32.EXE O4 - HKLM\..\Run: [VsStatEXE] C:\Program Files\Network Associates\McAfee VirusScan\VSSTAT.EXE O4 - HKLM\..\Run: [McAfeeWebScanX] C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\WebScanX.Exe O4 - HKLM\..\Run: [LoadQM] loadqm.exe O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe O4 - HKLM\..\Run: [richup] C:\WINDOWS\SYSTEM\richup.exe O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE O4 - HKLM\..\Run: [kohykd] c:\windows\system\kohykd.exe O4 - HKLM\..\RunServices: [winmodem] WINMODEM.101\wmexe.exe O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe O4 - HKLM\..\RunServices: [Vshwin32EXE] C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\VSHWIN32.EXE O4 - HKLM\..\RunServices: [McAfeeWebScanX] C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\WebScanX.Exe O4 - HKCU\..\Run: [AIM] C:\PROGRAM FILES\AIM\aim.exe -cnetwait.odl O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background O4 - HKCU\..\Run: [SNInstall] C:\WINDOWS\DESKTOP\SEFE.EXE O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM\AIM.EXE O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone (HKLM) O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab

06-30-2005, 04:46 PM	#2 (permalink)
sUBs Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy Join Date: May 2005 Posts: 24,473 OS: N/A	Hi and Welcome to TSF! Please subscribe to this thread so you'll be notified as soon as we post your fix. To do this, please click here. On the proceeding page, make sure Instant notification by email is selected, then click Add subscription. Your operating system is outdated. You're susceptible to infections that may otherwise be prevented on a properly updated system. Please visit the Windows Update site and install all available Critical Updates. This will patch your system with the most current security fixes and plug all the known vulnerabilities. In the meanwhile, I suggest that you stop using Interent Explorer until we've fully disinfected your machine. Please download & use an alternative browser like Firefox. Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order it is mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should not have any open browsers when you are following the procedures below. During the course of disinfection, I may ask you to fix a program that you wish to retain. Please post back to inform me. Enable the viewing of Hidden files Close all programs so that you are at your Desktop. Double-click on the My Computer icon. Select the View menu and then click Folder Options. After the new window appears select the View tab. Scroll down until you see the Show all files radio button and select it. Press the Apply button and then the OK button and close the My Computer window. Now your computer is configured to show all hidden files. ~~~~~~~~~~~~~~~ We require some additional files/programs for this fix. Please download the following files :- Do not run any of the files unless instructed to do so CleanUp! - Install KillBox v2.0.0.175 - Save to Desktop. Unplug your computer from the Internet when you have finished downloading. ~~~~~~~~~~~~~~~ Some Anti-Spyware Programmes are known to intefere with HJT fixes. If you have these programmes, please disable them by doing so ... Search & Destroy Spybot's TeaTimer Go to Tools>Resident - Deselect TeaTimer. Microsoft AntiSpyware Click on Options>Settings. In the left pane, click on Real-time Protection. Under Startup Options, Deselect Enable the Microsoft AntiSpyware Security Agents on startup. Under Real-time spyware threat protection, Deselect Enable real-time spyware threat protection. After you've done these, click on the Save button and close Microsoft AntiSpyware. Right click on the Microsoft AntiSpyware icon on the taskbar and select Shutdown Microsoft AntiSpyware. Webroot SpySweeper Go to the Options>Program Options. Deselect Load at Windows Startup. Click Shields and Deselect all items there. Deselect Home page shield. Deselect Automaticly restore default without notifiction. Ad-aware's Ad-Watch Right-click on the Ad-Watch icon in the system tray At the bottom of the screen you will see 2 options Active and Automatic. Deselect Active Deselect Automatic Go to "Tools & Preferences">Options Deselectt "Load Ad-Watch at Windows startup" ~~~~~~~~~~~~~~~ Uninstall the following programs using Control Panel>Add/Remove Programs : ViewPoint ~~~~~~~~~~~~~~~ Using KillBox Copy to clipboard, all the items below by highlighting them & pressing [CTRL]+[C] on your keyboard. C:\WINDOWS\CERES.DLL C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe C:\WINDOWS\SYSTEM\richup.exe c:\windows\system\kohykd.exe C:\WINDOWS\DESKTOP\SEFE.EXE C:\winstall.exe Start KillBox. Go to the File menu, and choose "Paste from Clipboard". Verify that you've done this properly by clicking the dropdown-arrow next to the "Full Path of File to Delete" field. The filenames you pasted will be found in there. Select/tick the following: "Delete on Reboot" "End Explorer Shell While Killing File" "Unregister.dll Before Deleting" if it's not grayed out. Click the RED X button. Click *"Yes"* at the 'Delete on Reboot' prompt. Click *"Yes"* at the Pending Operations prompt. * If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run TheKillbox, click here to download and run missingfilesetup.exe. Then try Killbox again. ~~~~~~~~~~~~~~~ Upon reboot, Run a scan with HiJackThis & select(tick) the following & click *"Fix checked"* : R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\windows\system32\blank.htm O2 - BHO: CeresObj Class - {00000049-8F91-4D9C-9573-F016E7626484} - C:\WINDOWS\CERES.DLL O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe O4 - HKLM\..\Run: [richup] C:\WINDOWS\SYSTEM\richup.exe O4 - HKLM\..\Run: [kohykd] c:\windows\system\kohykd.exe O4 - HKCU\..\Run: [SNInstall] C:\WINDOWS\DESKTOP\SEFE.EXE O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone (HKLM) ~~~~~~~~~~~~~~~ Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu). Set the program up as follows: Click *"Options..."* Move the arrow down to Custom CleanUp! Put a check next to the following: Empty Recycle Bins Delete Cookies Delete Prefetch files [X]Scan local drives for temporary files (Please uncheck this option) Cleanup! All Users Click *"OK"* Press the *"CleanUp!"* button to start the program. Reboot/logoff when prompted. * CleanUp! will delete all the files in your temp folders ~~~~~~~~~~~~~~~ Do an online scan at one of the following sites: Panda BitDefender Trend Micro Take note the names and locations of any file it detects but fails to clean. * Turn off the real time scanner of any existing antivirus program while performing the online scan Reboot & Run a new scan with HiJackThis. Save the log file and post the contents in your next reply. In your next post, please include: Copy of HiJackThis log List of files that online scans failed to disinfect Please provide details of any problems you encountered whilst performing the above steps. Tell me how your computer behaves now __________________ Question - what have you done for the community today?

06-30-2005, 10:50 PM	#4 (permalink)
sUBs Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy Join Date: May 2005 Posts: 24,473 OS: N/A	Your log is clean. Well done Do you have any more problems with your computer? If not, you should be set to go. Now that you are clean, to help protect your computer in the future I recommend that you get the following free programs: SpywareBlaster to help prevent spyware from installing in the first place. SpywareGuard to catch and block spyware before it can execute. IESpy-Ad to block access to malicious websites so you cannot be redirected to them from an infected site or email. If you do not have a firewall, here are 3 free ones available for personal use: Sygate Personal Firewall Kerio Personal Firewall ZoneAlarm and a good antivirus like the one you are currently using. It is critical to have both a firewall and an anti-virus application and to keep them updated. In light of your recent hiccup, I'm sure you'll like to avoid any future infections. Please take a look at these well written articles HOW DID I GET INFECTED IN THE FIRST PLACE? THE ANTI-SPYWARE TUTORIAL Have a safe & happy computing day. Please respond to this thread one more time so we can mark this thread as resolved. __________________ Question - what have you done for the community today?

06-30-2005, 11:26 PM	#6 (permalink)
sUBs Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy Join Date: May 2005 Posts: 24,473 OS: N/A	It probably would help if you update Internet Explorer to the latest version - 6.0.2900.2180 __________________ Question - what have you done for the community today?

07-01-2005, 12:46 AM	#8 (permalink)
sUBs Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy Join Date: May 2005 Posts: 24,473 OS: N/A	It's a fresh infection. Download CWShredder - Save on Desktop. Run CWShredder & click on the [Check for update] button. Exit the program after it has updated itself. Download & Save to a new folder on desktop SpSeHjfix. ~~~~~~~~~~~~ Disconnect from the net and close all programs. Run SpSeHjfix and click on *"Start Disinfection". If SpSeHjfix finds the "system clean", it will not proceed with the next stage. Otherwise, it may reboot your machine to finish the cleaning process. A log of the fix will be created in the containing folder. Run CWShredder* & Click the [Fix] button. ~~~~~~~~~~~~~~~ Using KillBox Copy to clipboard, all the items below by highlighting them & pressing [CTRL]+[C] on your keyboard. C:\WINDOWS\SYSTEM\FNIELA.DLL C:\WINDOWS\TEMP\se.dll Start KillBox. Go to the File menu, and choose "Paste from Clipboard". Verify that you've done this properly by clicking the dropdown-arrow next to the "Full Path of File to Delete" field. The filenames you pasted will be found in there. Select/tick the following: "Delete on Reboot" "End Explorer Shell While Killing File" "Unregister.dll Before Deleting" if it's not grayed out. Click the RED X button. Click *"Yes"* at the 'Delete on Reboot' prompt. Click *"Yes"* at the Pending Operations prompt. ~~~~~~~~~~~~~~~ Upon reboot, Run a scan with HiJackThis & select(tick) the following & click *"Fix checked"* : R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/sp.html R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/sp.html R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank O2 - BHO: (no name) - {322DABB6-E9D5-11D9-B169-00E08F3E5117} - C:\WINDOWS\SYSTEM\FNIELA.DLL O4 - HKLM\..\Run: [sp] rundll32 C:\WINDOWS\TEMP\SE.DLL,DllInstall O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone O18 - Filter: text/html - {322DABB5-E9D5-11D9-B169-00E07FECCF60} - C:\WINDOWS\SYSTEM\FNIELA.DLL O18 - Filter: text/plain - {322DABB5-E9D5-11D9-B169-00E07FECCF60} - C:\WINDOWS\SYSTEM\FNIELA.DLL ~~~~~~~~~~~~~~~ Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu). Set the program up as follows: Click *"Options..."* Move the arrow down to Custom CleanUp! Put a check next to the following: Empty Recycle Bins Delete Cookies Delete Prefetch files [X]Scan local drives for temporary files (Please uncheck this option) Cleanup! All Users Click *"OK"* Press the *"CleanUp!"* button to start the program. Reboot/logoff when prompted. * CleanUp! will delete all the files in your temp folders ~~~~~~~~~~~~~~~ Do an online scan at Panda Take note the names and locations of any file it detects but fails to clean. * Turn off the real time scanner of any existing antivirus program while performing the online scan Reboot and post a fresh HijackThis log along with the log that was created by SpSeHjfix Tell me how your computer behaves now __________________ Question - what have you done for the community today?

06-30-2005, 10:23 PM	#3 (permalink)
mcall1sr Registered User Join Date: Jun 2005 Posts: 6 OS: Win98	I followed the directions in the last post. After following the directions, my computer seems to be behaving fine. The Bitdefender scan still identified some trojans and viruses. Here is the Hijack This log and the report from the Bitdefender online scan: Logfile of HijackThis v1.99.1 Scan saved at 12:17:26 AM, on 7/1/05 Platform: Windows 98 Gold (Win9x 4.10.1998) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Running processes: C:\WINDOWS\SYSTEM\KERNEL32.DLL C:\WINDOWS\SYSTEM\MSGSRV32.EXE C:\WINDOWS\SYSTEM\MPREXE.EXE C:\WINDOWS\SYSTEM\mmtask.tsk C:\WINDOWS\SYSTEM\WINMODEM.101\wmexe.exe C:\WINDOWS\SYSTEM\MSTASK.EXE C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\VSHWIN32.EXE C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\WEBSCANX.EXE C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\VSSTAT.EXE C:\WINDOWS\EXPLORER.EXE C:\WINDOWS\TASKMON.EXE C:\WINDOWS\SYSTEM\SYSTRAY.EXE C:\WINDOWS\STARTER.EXE C:\WINDOWS\SYSTEM\ATIPTAAA.EXE C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\AVCONSOL.EXE C:\WINDOWS\LOADQM.EXE C:\PROGRAM FILES\WINAMP\WINAMPA.EXE C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE C:\WINDOWS\SYSTEM\MSWHEEL.EXE C:\WINDOWS\SYSTEM\INTERNAT.EXE C:\PROGRAM FILES\HIJACKTHIS\HIJACKTHIS.EXE R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/ O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe O4 - HKLM\..\Run: [SystemTray] SysTray.Exe O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme O4 - HKLM\..\Run: [ATIGART] c:\ati\gart\atigart.exe O4 - HKLM\..\Run: [AtiPTA] Atiptaaa.exe O4 - HKLM\..\Run: [AtiCwd32] Aticwd32.exe O4 - HKLM\..\Run: [AtiQiPcl] AtiQiPcl.exe O4 - HKLM\..\Run: [TIPS] C:\PROGRA~1\MICROS~1\tips\mouse\tips.exe O4 - HKLM\..\Run: [POINTER] C:\PROGRA~1\MICROS~1\point32.exe O4 - HKLM\..\Run: [AvconsoleEXE] C:\Program Files\Network Associates\McAfee VirusScan\avconsol.exe /minimize O4 - HKLM\..\Run: [Vshwin32EXE] C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\VSHWIN32.EXE O4 - HKLM\..\Run: [VsStatEXE] C:\Program Files\Network Associates\McAfee VirusScan\VSSTAT.EXE O4 - HKLM\..\Run: [McAfeeWebScanX] C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\WebScanX.Exe O4 - HKLM\..\Run: [LoadQM] loadqm.exe O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe O4 - HKLM\..\RunServices: [winmodem] WINMODEM.101\wmexe.exe O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe O4 - HKLM\..\RunServices: [Vshwin32EXE] C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\VSHWIN32.EXE O4 - HKLM\..\RunServices: [McAfeeWebScanX] C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\WebScanX.Exe O4 - HKCU\..\Run: [AIM] C:\PROGRAM FILES\AIM\aim.exe -cnetwait.odl O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM\AIM.EXE O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing) O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing) O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefender.com/scan8/oscan8.cab Bitdefender report: C:\WINDOWS\Start Menu\Programs\Accessories\System Tools\Scheduled Tasks.lnk=>C:\WINDOWS\EXPLORER.EXE Infected with: Win32.Bube.Gen C:\WINDOWS\Start Menu\Programs\Accessories\System Tools\Scheduled Tasks.lnk=>C:\WINDOWS\EXPLORER.EXE Disinfection failed C:\WINDOWS\Start Menu\Programs\Accessories\System Tools\Scheduled Tasks.lnk=>C:\WINDOWS\EXPLORER.EXE Deleted C:\WINDOWS\Start Menu\Programs\Accessories\System Tools\Scheduled Tasks.lnk Updated C:\WINDOWS\Start Menu\Programs\Accessories\Communications\Dial-Up Networking.lnk=>C:\WINDOWS\EXPLORER.EXE Infected with: Win32.Bube.Gen C:\WINDOWS\Start Menu\Programs\Accessories\Communications\Dial-Up Networking.lnk=>C:\WINDOWS\EXPLORER.EXE Disinfection failed C:\WINDOWS\Start Menu\Programs\Accessories\Communications\Dial-Up Networking.lnk=>C:\WINDOWS\EXPLORER.EXE Deleted C:\WINDOWS\Start Menu\Programs\Accessories\Communications\Dial-Up Networking.lnk Updated C:\WINDOWS\Buddy.exe Infected with: Trojan.Bettinet.79360.A C:\WINDOWS\Buddy.exe Disinfection failed C:\WINDOWS\Buddy.exe Deleted C:\WINDOWS\EXPLORER.EXE Infected with: Win32.Bube.Gen C:\WINDOWS\EXPLORER.EXE Disinfection failed C:\WINDOWS\EXPLORER.EXE Delete failed C:\My Documents\Program Installations\bittorrent-3.3.exe=>(NSIS o)=>bzip2_nsis0002 Infected with: Trojan.Downloader.Swizzor.L C:\My Documents\Program Installations\bittorrent-3.3.exe=>(NSIS o)=>bzip2_nsis0002 Disinfection failed C:\My Documents\Program Installations\bittorrent-3.3.exe=>(NSIS o)=>bzip2_nsis0002 Deleted C:\My Documents\Program Installations\bittorrent-3.3.exe=>(NSIS o) Update failed C:\Program Files\Network Associates\McAfee VirusScan\BootScan.exe Suspected of: One_Half.3591 C:\Program Files\Network Associates\McAfee VirusScan\BootScan.exe Disinfection failed C:\Program Files\Network Associates\McAfee VirusScan\BootScan.exe Deleted C:\Program Files\Network Associates\McAfee VirusScan\Scan86.exe Suspected of: One_Half.3591 C:\Program Files\Network Associates\McAfee VirusScan\Scan86.exe Disinfection failed C:\Program Files\Network Associates\McAfee VirusScan\Scan86.exe Deleted

06-30-2005, 11:00 PM	#5 (permalink)
mcall1sr Registered User Join Date: Jun 2005 Posts: 6 OS: Win98	Thanks! The only other problem i have is a minor one. When i close Internet Explorer, I get a message that states: "Microsoft Internet Explorer has encountered a problem and needs to close. We're sorry for the inconvenience." In the message box there's a checkbox for "Restart Microsoft Internet Explorer." When I uncheck the box and close the message, shortly after i get an "illegal operation" warning. When I close that box, nothing happens. This only occurs when I exit Internet explorer. Any ideas? Steve

07-01-2005, 12:23 AM	#7 (permalink)
mcall1sr Registered User Join Date: Jun 2005 Posts: 6 OS: Win98	Thought everything was ok, but my pc started to do weird things, and when i ran hijack this to take a look, i found se.dll, among other things. here's the hijack this log: Logfile of HijackThis v1.99.1 Scan saved at 2:18:44 AM, on 7/1/05 Platform: Windows 98 Gold (Win9x 4.10.1998) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Running processes: C:\WINDOWS\SYSTEM\KERNEL32.DLL C:\WINDOWS\SYSTEM\MSGSRV32.EXE C:\WINDOWS\SYSTEM\MPREXE.EXE C:\WINDOWS\SYSTEM\mmtask.tsk C:\WINDOWS\SYSTEM\WINMODEM.101\wmexe.exe C:\WINDOWS\SYSTEM\MSTASK.EXE C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\VSHWIN32.EXE C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\WEBSCANX.EXE C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\VSSTAT.EXE C:\WINDOWS\EXPLORER.EXE C:\WINDOWS\SYSTEM\PSTORES.EXE C:\WINDOWS\TASKMON.EXE C:\WINDOWS\SYSTEM\SYSTRAY.EXE C:\WINDOWS\STARTER.EXE C:\WINDOWS\SYSTEM\ATIPTAAA.EXE C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\AVCONSOL.EXE C:\WINDOWS\LOADQM.EXE C:\PROGRAM FILES\WINAMP\WINAMPA.EXE C:\PROGRAM FILES\AIM\AIM.EXE C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE C:\WINDOWS\SYSTEM\MSWHEEL.EXE C:\WINDOWS\SYSTEM\INTERNAT.EXE C:\WINDOWS\SYSTEM\DDHELP.EXE C:\WINDOWS\RUNDLL32.EXE C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE C:\PROGRAM FILES\HIJACKTHIS\HIJACKTHIS.EXE R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/sp.html R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/sp.html R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX O2 - BHO: (no name) - {322DABB6-E9D5-11D9-B169-00E08F3E5117} - C:\WINDOWS\SYSTEM\FNIELA.DLL O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe O4 - HKLM\..\Run: [SystemTray] SysTray.Exe O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme O4 - HKLM\..\Run: [ATIGART] c:\ati\gart\atigart.exe O4 - HKLM\..\Run: [AtiPTA] Atiptaaa.exe O4 - HKLM\..\Run: [AtiCwd32] Aticwd32.exe O4 - HKLM\..\Run: [AtiQiPcl] AtiQiPcl.exe O4 - HKLM\..\Run: [TIPS] C:\PROGRA~1\MICROS~1\tips\mouse\tips.exe O4 - HKLM\..\Run: [POINTER] C:\PROGRA~1\MICROS~1\point32.exe O4 - HKLM\..\Run: [AvconsoleEXE] C:\Program Files\Network Associates\McAfee VirusScan\avconsol.exe /minimize O4 - HKLM\..\Run: [Vshwin32EXE] C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\VSHWIN32.EXE O4 - HKLM\..\Run: [VsStatEXE] C:\Program Files\Network Associates\McAfee VirusScan\VSSTAT.EXE O4 - HKLM\..\Run: [McAfeeWebScanX] C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\WebScanX.Exe O4 - HKLM\..\Run: [LoadQM] loadqm.exe O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe O4 - HKLM\..\Run: [sp] rundll32 C:\WINDOWS\TEMP\SE.DLL,DllInstall O4 - HKLM\..\RunServices: [winmodem] WINMODEM.101\wmexe.exe O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe O4 - HKLM\..\RunServices: [Vshwin32EXE] C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\VSHWIN32.EXE O4 - HKLM\..\RunServices: [McAfeeWebScanX] C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\WebScanX.Exe O4 - HKCU\..\Run: [AIM] C:\PROGRAM FILES\AIM\aim.exe -cnetwait.odl O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM\AIM.EXE O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing) O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing) O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefender.com/scan8/oscan8.cab O18 - Filter: text/html - {322DABB5-E9D5-11D9-B169-00E07FECCF60} - C:\WINDOWS\SYSTEM\FNIELA.DLL O18 - Filter: text/plain - {322DABB5-E9D5-11D9-B169-00E07FECCF60} - C:\WINDOWS\SYSTEM\FNIELA.DLL sorry to be a bother...any more advice will help a ton...thanks! Steve

07-01-2005, 02:54 AM	#10 (permalink)
sUBs Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy Join Date: May 2005 Posts: 24,473 OS: N/A	Doesn't it feel nice to be clean again? Please read the link I provided you about THE ANTI-SPYWARE TUTORIAL. Get the tools to protect youself from further infections. Please come back in 1-2 days to let us know your still clean. __________________ Question - what have you done for the community today?

07-01-2005, 08:17 AM	#11 (permalink)
mcall1sr Registered User Join Date: Jun 2005 Posts: 6 OS: Win98	Thanks a lot!