Forum: Resolved HJT Threads (Resolved spyware and popup issues)
#1
Registered User
Join Date: Jul 2005
Posts: 16
OS: Win98SE
Problem with Ceres virus
I caught the Ceres virus from doing an alltheweb.com search and went to a page that took a long time to load before I realized a Trojan horse was being put on my computer. I pressed Ctrl+Alt+Del and restarted my computer. I had the same problem back in March with a CoolWebSearch virus and was able to get rid of it by following step-by-step instructions, so I already had several programs on my computer: Ad-Aware Personal Edition, Grisoft virus scanner, CoolWebSearch Shredder, HijackThis and CleanUp.

When I performed my first Ad-Aware scan it detected that Ceres had been put on my computer, so I removed it. I then did a Grisoft virus scan and it showed 18 viruses, 10 of which were backup ones, so I put those in the virus vault. I also did a HijackThis log and saw there were several programs running that didn't need to, and deleted them. I used CWShredder, which didn't detect anything. I used CleanUp to get rid of temp files and restarted the computer. I fear that the virus is now hiding somewhere on my computer, because after running these virus-protection programs several times, I still get on the computer and my mouse jumps from place to place. I can type in the address bar, but when I press Enter it doesn't take me anywhere like it usually does. The address bar's length changes. Pages and programs open that I didn't click on. I know something is still on my computer but don't know where to find it. Could anybody please help me? Here's my HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 1:29:26 PM, on 7/7/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\PROGRAM FILES\MUSICMATCH\MUSICMATCH JUKEBOX\MM_TRAY.EXE
C:\WINDOWS\SYSTEM\LXSUPMON.EXE
C:\WINDOWS\SYSTEM\PRINTRAY.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE
C:\WINDOWS\SYSTEM\LEXBCES.EXE
C:\PROGRAM FILES\VIEWPOINT\VIEWPOINT MANAGER\VIEWMGR.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\PROGRAM FILES\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = yahoo.com
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN5\YCOMP5_6_0_0.DLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN5\YCOMP5_6_0_0.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\SYSTEM\LXSUPMON.EXE RUN
O4 - HKLM\..\Run: [LexStart] Lexstart.exe
O4 - HKLM\..\Run: [LexmarkPrinTray] PrinTray.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [PTSNOOP] ptsnoop.exe
O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
O16 - DPF: Yahoo! Literati - http://download.games.yahoo.com/game...ts/y/tt3_x.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yaho...st20040510.cab

I would appreciate any assistance, thanks in advance.
#2
Registered User
Join Date: Jul 2005
Posts: 16
OS: Win98SE
Updates
So I decided to download a registry cleaner called Registry Mechanic; it detected 232 problems and could only fix/remove 128 using the free edition. After I used this program, I scanned using Ad-Aware SE Personal and it detected 28 infected files. I wasn't on the internet, but I saw a grey box come up that looked like it was deleting something or updating something on my computer, and then my computer refreshed. During that 5-second period Ad-Aware had frozen up, right when I was going to remove the files.

I did the HijackThis scan again and saw that ceres.dll was on here again, and cekqmu. I also did a Ctrl+Alt+Del to see which programs were running, and I see these programs running that I don't recognize: Cekqmu, Rundll32, Mkcompat, Lexbces, Thnall5c. I'm not sure about any but cekqmu; can anyone help? Now my toolbars are changing from the Yahoo toolbar to some unrecognizable one, and my computer freezes up when I try to press the back button and then gives me an Internet Explorer error and closes. My mouse is still jumping around. I don't know what to do. I went into Run, put in regedit and looked under the local and user folders, and saw some things there I didn't recognize; I looked them up on the internet and saw some were known spy programmers/companies. Is it okay if I delete those, or should I just leave them alone? Well anyway, here's my log. I keep deleting ceres.dll and cekqmu but they keep coming back after I restart:

Logfile of HijackThis v1.99.1
Scan saved at 3:36:32 PM, on 7/7/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\PROGRAM FILES\MUSICMATCH\MUSICMATCH JUKEBOX\MM_TRAY.EXE
C:\WINDOWS\SYSTEM\LXSUPMON.EXE
C:\WINDOWS\SYSTEM\PRINTRAY.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE
C:\PROGRAM FILES\VIEWPOINT\VIEWPOINT MANAGER\VIEWMGR.EXE
C:\WINDOWS\SYSTEM\CEKQMU.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\LEXBCES.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\SYSTEM\MKCOMPAT.EXE
C:\PROGRAM FILES\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = yahoo.com
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN5\YCOMP5_6_0_0.DLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: CeresObj Class - {00000049-8F91-4D9C-9573-F016E7626484} - C:\WINDOWS\CERES.DLL
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN5\YCOMP5_6_0_0.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\SYSTEM\LXSUPMON.EXE RUN
O4 - HKLM\..\Run: [LexStart] Lexstart.exe
O4 - HKLM\..\Run: [LexmarkPrinTray] PrinTray.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [PTSNOOP] ptsnoop.exe
O4 - HKLM\..\Run: [cekqmu] c:\windows\system\cekqmu.exe
O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
O16 - DPF: Yahoo! Literati - http://download.games.yahoo.com/game...ts/y/tt3_x.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yaho...st20040510.cab
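Diffing the two HijackThis logs above is the quickest way to see exactly what came back between the 1:29 PM and 3:36 PM scans. The script below is an added example, not part of the original post or of HijackThis itself: the two log excerpts are trimmed copies of the logs posted in this thread (constructed test input, with most unchanged lines dropped), and the parser assumes the HijackThis 1.99.1 layout shown in them (a "Running processes:" list followed by "Rn - ..." and "On - ..." entries). Everything else, including the file-extraction rule for O2 and O4 entries, is this example's own logic.

```python
"""Diff two HijackThis 1.99.1 logs to see which autostart entries and processes reappeared."""
import re

# Constructed test input: trimmed copies of the 1:29 PM and 3:36 PM logs from 7/7/05
# in this thread, keeping the lines that differ plus a little context.
LOG_0129 = r"""Logfile of HijackThis v1.99.1
Scan saved at 1:29:26 PM, on 7/7/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN5\YCOMP5_6_0_0.DLL
O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
"""

LOG_0336 = r"""Logfile of HijackThis v1.99.1
Scan saved at 3:36:32 PM, on 7/7/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\CEKQMU.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\SYSTEM\MKCOMPAT.EXE
C:\PROGRAM FILES\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = yahoo.com
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN5\YCOMP5_6_0_0.DLL
O2 - BHO: CeresObj Class - {00000049-8F91-4D9C-9573-F016E7626484} - C:\WINDOWS\CERES.DLL
O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
O4 - HKLM\..\Run: [cekqmu] c:\windows\system\cekqmu.exe
O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
"""

ENTRY_RE = re.compile(r"^([RO]\d+) - (.*)$")                      # "O4 - HKLM\..\Run: [name] cmd"
O4_RE = re.compile(r"^HK(?:LM|CU)\\\.\.\\(\w+): \[([^\]]*)\] (.*)$")  # hive\..\Run*: [value] command


def parse_hjt(text):
    """Split a HijackThis log into its scan time, running processes and R/O entries."""
    scan, processes, entries = None, set(), set()
    in_processes = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            in_processes = False
            continue
        m = ENTRY_RE.match(line)
        if m:
            in_processes = False
            entries.add((m.group(1), m.group(2)))
        elif line.lower() == "running processes:":
            in_processes = True
        elif in_processes:
            processes.add(line.upper())   # Win9x paths are case-insensitive and HJT mixes case
        elif line.startswith("Scan saved at "):
            scan = line[len("Scan saved at "):]
    return {"scan": scan, "processes": processes, "entries": entries}


def diff_hjt(old, new):
    """What appeared and what disappeared between two parsed logs."""
    return {
        "new_processes": sorted(new["processes"] - old["processes"]),
        "gone_processes": sorted(old["processes"] - new["processes"]),
        "new_entries": sorted(new["entries"] - old["entries"]),
        "gone_entries": sorted(old["entries"] - new["entries"]),
    }


def launch_target(section, body):
    """File behind an O2 (BHO DLL) or O4 (Run/RunServices command) entry, else None."""
    if section == "O2":
        return body.rsplit(" - ", 1)[-1]   # "BHO: name - {CLSID} - C:\PATH\FILE.DLL"
    if section == "O4":
        m = O4_RE.match(body)
        if m:
            return m.group(3)
    return None


def reappeared_targets(delta):
    """Files to hand to a scanner: targets of entries present in the new log only."""
    targets = (launch_target(s, b) for s, b in delta["new_entries"])
    return [t for t in targets if t]


if __name__ == "__main__":
    old, new = parse_hjt(LOG_0129), parse_hjt(LOG_0336)
    delta = diff_hjt(old, new)
    print(f"{old['scan']}  ->  {new['scan']}")
    for key, items in delta.items():
        for item in items:
            print(f"{key:15} {item}")
    print("submit for scanning:", reappeared_targets(delta))
```

On the excerpts above the diff reports CEKQMU.EXE, MKCOMPAT.EXE and PSTORES.EXE as new processes, DDHELP.EXE as gone, and three new entries: the CeresObj BHO, the cekqmu Run value and an HKLM Start Page. The two files it pulls out of those entries, C:\WINDOWS\CERES.DLL and c:\windows\system\cekqmu.exe, are the ones worth submitting to a scanner; the Start Page line is a setting rather than a file, so it yields nothing. Diffing whole logs, rather than eyeballing them, matters on a machine where entries are being re-created between reboots.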
#3
Manager Emeritus - Security Center, Expert Analyst, Moderator - Security Team; Rangemaster, TSF Academy & Supporter
Hi and Welcome to TSF
Before attacking an adware/spyware problem with HijackThis, make sure you have already run Ad-Aware SE with the VX2 add-on cleaner, Spybot Search & Destroy (with updated database) and CWShredder, as these programs will clean a lot of the crap out first. All links to programs are in my signature. Make sure you run each of those. Do so in safe mode if they freeze in normal Windows.

We also need to look a little deeper.

Download Silent Runners.vbs
http://www.silentrunners.org/
1. Make sure you have any script blocking software disabled.
2. Run the program. It will take a few minutes to complete.
3. Once complete it will produce a log named "StartupPrograms" with your user and date in the filename. Open that txt file and post its contents in your next post.

Please empty any Quarantine folder in your antivirus, empty your recycle bin and purge/delete all recovery items in the Spybot program if you use it... BEFORE!!! running this tool.

Download this virus checker and tool from eScan: Mwav.exe (Use Link 3)
1. Save it to a folder.
2. Reboot into safe mode.
3. Double click the Mwav.exe file. (This is a stand alone tool and NOT just a virus checker... so it won't install anything.)
4. Select all local drives, scan all files, press SCAN and when it is completed, anything found will be displayed in the lower pane.
5. In the Virus Log Information Pane (Bottom Window) left click and highlight all the info in the lower pane. Use "CTRL C" on your keyboard to copy all found in the lower pane and save it to a notepad file. DO NOT post the log from the "View Log" button as that log does NOT contain the info we are after.

*Note* If prompted that a Virus was found and you need to purchase the product to remove the malware, just close out the prompt and let it continue scanning. We are not going to use this to remove anything... but to ID the bad guys. Once you copy that to a notepad file, highlight the text and copy it here.
__________________
We Are The BORG Spyware KILLER and Adware Destroyer!
Spyware/Adware Removal Tools: HijackThis, Ad-Aware SE, Spybot Search&Destroy, SpywareBlaster, CWShredder
#4
Registered User
Join Date: Jul 2005
Posts: 16
OS: Win98SE
Thanks so much
I'm working on doing everything that you told me to, and I really appreciate you taking your time to help. I don't have a lot of room on my computer; I have about 100 megs of space left. I'm really not as computer savvy as I put on, so sorry to ask, but what do you mean when you say turn all script-blocking software off? Thank you again for your help.
#5
Registered User
Join Date: Jul 2005
Posts: 16
OS: Win98SE
Long Day
I've spent almost the whole day trying to get rid of this pest of a virus that keeps coming back no matter what. I followed your instructions: downloaded the Spybot Search & Destroy program, downloaded the VX2 add-on for Ad-Aware SE, downloaded Silent Runners and the mwav.exe file.

Here is what Silent Runners pulled up in its 'Startup Programs' log:

"Silent Runners.vbs", revision 39, http://www.silentrunners.org/
Operating System: Windows 98
Output limited to non-default values, except where indicated by "{++}"

Startup items buried in registry:
---------------------------------

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"CountrySelection" = "pctptt.exe" [null data]
"MMTray" = "C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe" ["MUSICMATCH, Inc."]
"LXSUPMON" = "C:\WINDOWS\SYSTEM\LXSUPMON.EXE RUN" ["Lexmark"]
"LexStart" = "Lexstart.exe" ["Lexmark International, Inc."]
"LexmarkPrinTray" = "PrinTray.exe" ["Lexmark"]
"AVG7_CC" = "C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP" ["GRISOFT, s.r.o."]
"AVG7_EMC" = "C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE" ["GRISOFT, s.r.o."]
"ViewMgr" = "C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe" ["Viewpoint Corporation"]
"PTSNOOP" = "ptsnoop.exe" [file not found]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\ {++}
"KB891711" = "C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{02478D38-C3F9-4efb-9B51-7695ECA05670}\(Default) = "Yahoo! Companion BHO" [from CLSID]
  -> {CLSID}\InProcServer32\(Default) = "C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN5\YCOMP5_6_0_0.DLL" ["Yahoo! Inc."]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = "AcroIEHlprObj Class" [from CLSID]
  -> {CLSID}\InProcServer32\(Default) = "C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX" ["("]
{53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)
  -> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL" ["Safer Networking Limited"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{2E9D3540-211C-11d0-A5F2-00A0248C37BE}" = "Nero Shell Extension Property Sheet"
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\ahead\Nero\neroshx.dll" ["ahead software gmbh im stoeckmaedle 6 76307 karlsbad, germany Fax: ++49-7248-911-888 e-mail: info@ahead.de"]
"{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Shell Extension"
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]
"{9F97547E-460A-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Find Extension"
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
  -> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
AVG7 Shell Extension\(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
  -> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
  -> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
AVG7 Shell Extension\(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]

Active Desktop and Wallpaper:
-----------------------------

Active Desktop is disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

WIN.INI & SYSTEM.INI launch points:
-----------------------------------

SYSTEM.INI
[boot]
"SCRNSAVE.EXE=C:\WINDOWS\SYSTEM\3DTEXT~1.SCR" (3D Text.scr) [MS]

Enabled Scheduled Tasks:
------------------------

"Tune-up Application Start" -> launches: "walign" [MS]
"RUTASK" -> launches: "C:\WINDOWS\ru.exe" [null data]

Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "C:\WINDOWS\SYSTEM\rnr20.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
00000000000#\PackedCatalogItem (contains) DLL [Company Name], (at) # range:
C:\WINDOWS\SYSTEM\mswsosp.dll [MS], 1
C:\WINDOWS\SYSTEM\msafd.dll [MS], 2 - 4
C:\WINDOWS\SYSTEM\rsvpsp.dll [MS], 5 - 6

Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\
"{43F02779-6D88-4958-8AD3-83C12D86ADC7}" = "Advanced Searchbar" [from CLSID]
  -> {CLSID}\InProcServer32\(Default) = "blank" [file not found]

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{EF99BD32-C1FB-11D2-892F-0090271D4F88}" = "Yahoo! Toolbar" [from CLSID]
  -> {CLSID}\InProcServer32\(Default) = "C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN5\YCOMP5_6_0_0.DLL" ["Yahoo! Inc."]
"{43F02779-6D88-4958-8AD3-83C12D86ADC7}" = "Advanced Searchbar" [from CLSID]
  -> {CLSID}\InProcServer32\(Default) = "blank" [file not found]

HKLM\Software\Microsoft\Internet Explorer\Toolbar\
"{EF99BD32-C1FB-11D2-892F-0090271D4F88}" = "Yahoo! Toolbar" [from CLSID]
  -> {CLSID}\InProcServer32\(Default) = "C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN5\YCOMP5_6_0_0.DLL" ["Yahoo! Inc."]

Explorer Bars

HKCU\Software\Microsoft\Internet Explorer\Explorer Bars\
{4528BBE0-4E08-11D5-AD55-00010333D0AD}\ = "&Yahoo! Messenger" [from CLSID]
  -> {CLSID}\InProcServer32\(Default) = "C:\PROGRAM FILES\YAHOO!\COMPANION\MODULES\MESSMOD2\V4\YHEXBMES.DLL" ["Yahoo! Inc."]

HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\
{4528BBE0-4E08-11D5-AD55-00010333D0AD}\ = "&Yahoo! Messenger" [from CLSID]
  -> {CLSID}\InProcServer32\(Default) = "C:\PROGRAM FILES\YAHOO!\COMPANION\MODULES\MESSMOD2\V4\YHEXBMES.DLL" ["Yahoo! Inc."]

Miscellaneous IE Hijack Points
------------------------------

C:\WINDOWS\INF\IERESET.INF (used to "Reset Web Settings")

Added lines (compared with English-language version):
[Strings]: START_PAGE_URL=http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome

Missing lines (compared with English-language version):
[Strings]: 1 line

----------
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds, launch it from a command prompt or a shortcut with the -all parameter.
+ The search for DESKTOP.INI DLL launch points on all local fixed drives took 10 seconds.
+ The search for all Registry CLSIDs containing dormant Explorer Bars took 20 seconds.
---------- (total run time: 59 seconds)

When I ran the eScan program this is what it found:

Object "DealHelper Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "AltNet Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "Kazaa Spyware/Adware" found in File System! Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\ModuleUsage" refers to invalid object "C:\WINNT\System32\mfc42.dll". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\ModuleUsage" refers to invalid object "C:\WINNT\System32\msvcrt.dll". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\ModuleUsage" refers to invalid object "C:\WINNT\System32\olepro32.dll". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\ModuleUsage" refers to invalid object "C:\WINDOWS\Downloaded Program Files\ScanFile.ocx". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\ModuleUsage" refers to invalid object "C:\WINDOWS\Downloaded Program Files\asinst.dll". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\ModuleUsage" refers to invalid object "C:\WINDOWS\Downloaded Program Files\ActiveX.ocx". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\WINDOWS\Downloaded Program Files\popcaploader.dll". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\WINDOWS\Downloaded Program Files\ScanFile.ocx". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\WINDOWS\Downloaded Program Files\asinst.dll". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\WINDOWS\Downloaded Program Files\ActiveX.ocx". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{D3B1DE00-6B94-1069-8754-08002B2BD64F}" refers to invalid object "blank". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{4CB63E61-C611-11D0-83AA-000092900184}" refers to invalid object "blank". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{4CB63E62-C611-11D0-83AA-000092900184}" refers to invalid object "blank". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{34C9990F-CBD7-11D2-AE0E-00C04FAEA83F}" refers to invalid object "blank". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{00024512-0000-0000-c000-000000000046}" refers to invalid object "blank". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{000c0114-0000-0000-c000-000000000046}" refers to invalid object "E:\OFFICE\MSO97.DLL". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{99180163-DA16-101A-935C-444553540000}" refers to invalid object "recncl.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{C1A8AF25-1257-101B-8FB0-0020AF039CA3}" refers to invalid object "D:\PROGRAM\32\MCI32.OCX". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{CCE598AC-6F44-40F6-9CAF-0B44E92D91B1}" refers to invalid object "blank". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{E5828A3F-CC30-4BBD-AE9B-F910540C9697}" refers to invalid object "blank". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{2698707D-8E34-4419-8857-7D39E6C91ECF}" refers to invalid object "blank". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{6C78F520-093A-4BE5-835E-B10A154E79B7}" refers to invalid object "blank". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{3F80DF75-DC58-4C97-BEC1-7B537D3C7638}" refers to invalid object "blank". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{355942B4-F4BD-4E52-BB99-BA47D54A5290}" refers to invalid object "blank". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{1B6FF182-BB12-4593-9CCE-01E77CC9CBEB}" refers to invalid object "blank". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{C52AA105-192E-4323-80FE-BE530F534BB3}" refers to invalid object "blank". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{D38D306E-F673-4FF3-9A3A-A51C381964D1}" refers to invalid object "blank". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{AE286D4E-ECD6-493B-AEDD-9EFC9BBB2F27}" refers to invalid object "blank". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{CA8DDC8E-7CEE-4679-80A8-8C9E97972C13}" refers to invalid object "blank". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{78CB6B0C-3CA6-4E1B-8E32-1D39B613BBFF}" refers to invalid object "blank". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{45D2B671-7F6E-4943-BEDD-81B115BCB856}" refers to invalid object "blank". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{1F217046-17D9-4BD4-9216-B66DD7865B61}" refers to invalid object "blank". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{809F805E-9967-4948-B265-0BD8190E260C}" refers to invalid object "blank". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{C4B962A6-4789-46F3-AC41-087049097D65}" refers to invalid object "blank". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{1626520F-8CFC-4EEE-8A0C-B1D4B5F6B135}" refers to invalid object "blank". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{006762EE-7806-47D8-BF63-174BB599E265}" refers to invalid object "blank". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{4043D27A-99EB-4FC1-87D4-44AA02AB7B09}" refers to invalid object "blank". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{06DFF208-D911-44EA-8631-4C29329467AB}" refers to invalid object "blank". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{4A963577-C27B-4164-A9BF-E1D1738E61B8}" refers to invalid object "blank". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{5B2A5B4E-6665-419D-8808-680CD852B3B9}" refers to invalid object "blank". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{3AEE3932-59BB-11D3-A8CC-005004A0F323}" refers to invalid object "blank". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{5F6B2D5A-CFEB-11D3-A74E-0050DA126772}" refers to invalid object "blank". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{0410820E-D7CB-11D3-A74F-0050DA126772}" refers to invalid object "blank". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{66DD4567-DA5C-11D3-A74F-0050DA126772}" refers to invalid object "blank". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{F5E941E8-DA94-11D3-8B69-00105AA31C20}" refers to invalid object "blank". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{CD961C04-E3BC-11D3-A74F-0050DA126772}" refers to invalid object "blank". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{F0CABE45-0484-11D4-B137-00C04FA03009}" refers to invalid object "blank". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{F0CABE48-0484-11D4-B137-00C04FA03009}" refers to invalid object "blank". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{F09500A4-0A08-11D4-B137-00C04FA03009}" refers to invalid object "blank". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{8BBDA254-CE76-11D3-A2CE-00108335731F}" refers to invalid object "blank". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{80373D03-D993-11D3-A2CE-00108335731F}" refers to invalid object "blank". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{1EFD6A40-3999-11CF-9150-00AA0059F70D}" refers to invalid object "D:\PROGRAM\32\MCI32.OCX". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{3775D2E0-7C5D-11CF-899E-00AA00688B10}" refers to invalid object "D:\PROGRAM\32\MCI32.OCX". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{2418A360-9707-11D9-9144-0004BABBBC80}" refers to invalid object "blank". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{43F02779-6D88-4958-8AD3-83C12D86ADC7}" refers to invalid object "blank". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{5A61B58E-2B0A-4B67-A882-FFC6FEAF12EE}" refers to invalid object "C:\KASPERSKY\KAVVLG.DLL". Action Taken: No Action Taken.
Entry "HKCR\Overview.Document" refers to invalid object "{DA23B9C9-6893-11D0-8534-00C04FD7AD0C}". Action Taken: No Action Taken.
Entry "HKCR\TSHOOT.TSHOOTCtrl.1" refers to invalid object "{4B106874-DD36-11D0-8B44-00A024DD9EFF}". Action Taken: No Action Taken.
Entry "HKCR\AOLCoach.TrainerOCXCtrl" refers to invalid object "{E04EAE82-14Ad-41CB-BF5A-45556ABB8347}". Action Taken: No Action Taken.
Entry "HKCR\ELNK.PnIEBrowserHelperObj.1" refers to invalid object "{4B5F2E08-6F39-479a-B547-B2026E4C7EDF}". Action Taken: No Action Taken.
Entry "HKCR\ELNK.PnIEBrowserHelperObj" refers to invalid object "{4B5F2E08-6F39-479a-B547-B2026E4C7EDF}". Action Taken: No Action Taken.
Entry "HKCR\ELNK.PnIETools.1" refers to invalid object "{0A630752-8FAE-4b5d-B42C-AB1DE5E589E2}". Action Taken: No Action Taken.
Entry "HKCR\ELNK.PnIETools" refers to invalid object "{0A630752-8FAE-4b5d-B42C-AB1DE5E589E2}". Action Taken: No Action Taken.
Entry "HKCR\ELNK.PnIEUrlManager.1" refers to invalid object "{FFEBB637-61A0-4597-884F-ED234C6C2AB8}". Action Taken: No Action Taken.
Entry "HKCR\ELNK.PnIEUrlManager" refers to invalid object "{FFEBB637-61A0-4597-884F-ED234C6C2AB8}". Action Taken: No Action Taken.
Entry "HKCR\PN.PnDeskband.1" refers to invalid object "{D7F30B62-8269-41AF-9539-B2697FA7D77E}". Action Taken: No Action Taken.
Entry "HKCR\PN.PnDeskband" refers to invalid object "{D7F30B62-8269-41AF-9539-B2697FA7D77E}". Action Taken: No Action Taken.
Entry "HKCR\WebP2PInstaller.Installer.1" refers to invalid object "{1D6711C8-7154-40BB-8380-3DEA45B69CBF}". Action Taken: No Action Taken.
Entry "HKCR\WebP2PInstaller.Installer" refers to invalid object "{1D6711C8-7154-40BB-8380-3DEA45B69CBF}". Action Taken: No Action Taken.
Entry "HKCR\JCDE_Stack" refers to invalid object "{CC7A6223-3759-4075-8CEA-971F5CFC0ED2}". Action Taken: No Action Taken.
Entry "HKCR\JCDE_Stack.1" refers to invalid object "{CC7A6223-3759-4075-8CEA-971F5CFC0ED2}". Action Taken: No Action Taken.
Entry "HKCR\SWin32.SDWin32.1" refers to invalid object "{5FA6752A-C4A0-4222-88C2-928AE5AB4966}". Action Taken: No Action Taken.
Entry "HKCR\SWin32.SDWin32" refers to invalid object "{5FA6752A-C4A0-4222-88C2-928AE5AB4966}". Action Taken: No Action Taken.
Entry "HKCR\ToolBand.posHelp.1" refers to invalid object "{CDEEC43D-3572-4E95-A2A5-F519D29F00C0}". Action Taken: No Action Taken.
Entry "HKCR\ToolBand.posHelp" refers to invalid object "{CDEEC43D-3572-4E95-A2A5-F519D29F00C0}". Action Taken: No Action Taken.
File C:\WINDOWS\Buddy.exe tagged as "not-a-virus:AdWare.BetterInternet.d". Action Taken: No Action Taken.
File C:\WINDOWS\newdevin.exe tagged as "not-a-virus:AdWare.BookedSpace.c". Action Taken: No Action Taken.
File C:\WINDOWS\ru.exe tagged as "not-a-virus:AdWare.PurityScan.w". Action Taken: No Action Taken.
File C:\WINDOWS\SYSTEM\in10b6s.dll infected by "Trojan-Dropper.Win32.Mudrop.k" Virus! Action Taken: No Action Taken.
File C:\WINDOWS\SYSTEM\dosxpd.exe tagged as "not-a-virus:AdWare.Msnagent.a". Action Taken: No Action Taken.
File C:\WINDOWS\SYSTEM\SWin32.dll tagged as "not-a-virus:AdWare.Adstart.j". Action Taken: No Action Taken.
File C:\WINDOWS\SYSTEM\sprmove.exe infected by "Trojan-Dropper.Win32.Agent.hy" Virus! Action Taken: No Action Taken.
File C:\WINDOWS\SYSTEM\istinstall_adlogix.exe infected by "Trojan-Downloader.Win32.IstBar.er" Virus! Action Taken: No Action Taken.
File C:\WINDOWS\SYSTEM\fixmapirs.exe tagged as "not-a-virus:AdWare.FindSpy.a". Action Taken: No Action Taken.
File C:\WINDOWS\SYSTEM\cekqmu.exe infected by "Trojan.Win32.Agent.ay" Virus! Action Taken: No Action Taken.
File C:\WINDOWS\SYSTEM\diantzpt.exe infected by "Trojan.Win32.DNSChanger.o" Virus! Action Taken: No Action Taken.
File C:\WINDOWS\SYSTEM\dwcrnt.exe infected by "HackTool.Win32.Hidd.h" Virus! Action Taken: No Action Taken.
File C:\WINDOWS\COMMAND\EBD\EBD.CAB tagged as not-a-virus:Tool.DOS.Restart. No Action Taken.
File C:\WINDOWS\Windows Update Setup Files\searchbarsetup.exe tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File C:\My Documents\My Music\From Internet\plvx2cleaner.exe tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File C:\My Documents\My Music\From Internet\aawsepersonal.exe tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File C:\Program Files\DFX\MUSICMATCH\UNWISE.EXE tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File C:\Program Files\Yahoo!\Installs\ymsgrie.exe tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File C:\Program Files\Yahoo!\Common\unypsr.exe tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File C:\Program Files\Yahoo!\YPSR\Unwise32.exe tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File C:\Program Files\Yahoo!\YPSR\unypsr.exe tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File C:\Program Files\Yahoo!\YPSR\updates\ypsr_prog_01.14.00_us_setup3_.exe tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File C:\Program Files\Lavasoft\Ad-Aware SE Personal\UNWISE.EXE tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File C:\Program Files\Lavasoft\Ad-Aware SE Personal\Plugins\vx2cleaner\UNWISE.EXE tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.

This is my new HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 12:34:35 AM, on 7/9/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\PROGRAM FILES\MUSICMATCH\MUSICMATCH JUKEBOX\MM_TRAY.EXE
C:\WINDOWS\SYSTEM\LXSUPMON.EXE
C:\WINDOWS\SYSTEM\PRINTRAY.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE
C:\WINDOWS\SYSTEM\LEXBCES.EXE
C:\PROGRAM FILES\VIEWPOINT\VIEWPOINT MANAGER\VIEWMGR.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\SYSTEM\WBEM\WINMGMT.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\SKYTOWN.EXE
C:\WINDOWS\SYSTEM\SKYTOWN.EXE
C:\PROGRAM FILES\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = yahoo.com
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN5\YCOMP5_6_0_0.DLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN5\YCOMP5_6_0_0.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\SYSTEM\LXSUPMON.EXE RUN
O4 - HKLM\..\Run: [LexStart] Lexstart.exe
O4 - HKLM\..\Run: [LexmarkPrinTray] PrinTray.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [PTSNOOP] ptsnoop.exe
O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
O16 - DPF: Yahoo! Literati - http://download.games.yahoo.com/game...ts/y/tt3_x.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yaho...st20040510.cab

I've deleted everything in the virus vaults that was quarantined and set my deleted files not to go to the recycle bin. I still don't know what's going on (obviously, eh?) because I had performed the Ad-Aware scan and the Spybot scan and removed and purged all the viruses they pulled up, but mwav.exe still pulled up all of what it did. This is very frustrating. Again, I thank you for all your help.
#6 (permalink)
Registered User
Join Date: Jul 2005
Posts: 16
OS: Win98SE
New HJT Log

Logfile of HijackThis v1.99.1
Scan saved at 12:42:46 AM, on 7/9/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\PROGRAM FILES\MUSICMATCH\MUSICMATCH JUKEBOX\MM_TRAY.EXE
C:\WINDOWS\SYSTEM\LXSUPMON.EXE
C:\WINDOWS\SYSTEM\PRINTRAY.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE
C:\WINDOWS\SYSTEM\LEXBCES.EXE
C:\PROGRAM FILES\VIEWPOINT\VIEWPOINT MANAGER\VIEWMGR.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\SYSTEM\WBEM\WINMGMT.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\DMLADM.EXE
C:\WINDOWS\SYSTEM\DMLADM.EXE
C:\PROGRAM FILES\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = yahoo.com
O2 - BHO: CControl Object - {3643ABC2-21BF-46B9-B230-F247DB0C6FD6} - C:\Program Files\E2G\IeBHOs.dll
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN5\YCOMP5_6_0_0.DLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN5\YCOMP5_6_0_0.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\SYSTEM\LXSUPMON.EXE RUN
O4 - HKLM\..\Run: [LexStart] Lexstart.exe
O4 - HKLM\..\Run: [LexmarkPrinTray] PrinTray.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [PTSNOOP] ptsnoop.exe
O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
O4 - HKCU\..\Run: [DMLADM] C:\WINDOWS\SYSTEM\DMLADM.exe
O4 - HKCU\..\RunServices: [DMLADM] C:\WINDOWS\SYSTEM\DMLADM.exe
O4 - HKCU\..\RunOnce: [DMLADM] C:\WINDOWS\SYSTEM\DMLADM.exe
O4 - HKCU\..\RunServicesOnce: [DMLADM] C:\WINDOWS\SYSTEM\DMLADM.exe
O16 - DPF: Yahoo! Literati - http://download.games.yahoo.com/game...ts/y/tt3_x.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yaho...st20040510.cab

The HJT log on the previous post was done while on the internet (sorry, forgot); this is the one that shows the newly changed virus file names.
#7 (permalink)
Manager Emeritus - Security Center, Expert Analyst, Moderator - Security Team; Rangemaster, TSF Academy & Supporter
Ok Mel. Here we go.....
You may want to print these instructions out so you can follow along.

Open My Computer>>View>>Folder Options>>View Tab>>Advanced settings box, under the "Hidden files" folder, select Show all files>>Apply>>OK

Please go to at least two of these sites and run an online Virus Scan. Be sure to have the AutoFix box(es) checked.
http://housecall.trendmicro.com/
http://www3.ca.com/virusinfo/virusscan.aspx
http://www.pandasoftware.com/actives..._principal.htm
http://www.bitdefender.com/scan/license.php
http://us.mcafee.com/root/mfs/default.asp
http://security.symantec.com/sscv6/d...d=ie&venid=sym
http://www3.ca.com/virusinfo/virusscan.aspx

Download and install CleanUp! but do not run it yet.
*NOTE* Cleanup deletes EVERYTHING out of temp/temporary folders and does not make backups.

Download KillBox http://www.bleepingcomputer.com/file...re/KillBox.zip

Reboot into Safe Mode (hit F8 key until menu shows up). Make sure to close any open browsers.

Open add/remove programs and remove the following if listed.
VIEWPOINT
E2Give

Go into HijackThis->Config->Misc. Tools->Open process manager. Select the following and click Kill process for each one if they are still listed (they shouldn't be but make sure)
C:\PROGRAM FILES\VIEWPOINT\VIEWPOINT MANAGER\VIEWMGR.EXE
C:\WINDOWS\SYSTEM\DMLADM.EXE

Check and fix the following in HijackThis if they still exist (make sure you do not miss an entry)
O2 - BHO: CControl Object - {3643ABC2-21BF-46B9-B230-F247DB0C6FD6} - C:\Program Files\E2G\IeBHOs.dll
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKCU\..\Run: [DMLADM] C:\WINDOWS\SYSTEM\DMLADM.exe
O4 - HKCU\..\RunServices: [DMLADM] C:\WINDOWS\SYSTEM\DMLADM.exe
O4 - HKCU\..\RunOnce: [DMLADM] C:\WINDOWS\SYSTEM\DMLADM.exe
O4 - HKCU\..\RunServicesOnce: [DMLADM] C:\WINDOWS\SYSTEM\DMLADM.exe

C:\Program Files\Viewpoint <--delete that folder.
C:\Program Files\E2G <--delete that folder.

Run KILL box. Paste the following locations into KILL BOX one at a time.
Checkmark the box that says "Delete on Reboot" and checkmark the box "Unregister DLL" (If available). Click the RED X and it will ask you to confirm the file for deletion…say YES and when the next box opens prompting you to reboot now...click NO...and proceed with the next file. Once you get to the last one click YES and it will reboot.
C:\WINDOWS\SYSTEM\DMLADM.exe
C:\WINDOWS\Buddy.exe
C:\WINDOWS\newdevin.exe
C:\WINDOWS\ru.exe
C:\WINDOWS\SYSTEM\in10b6s.dll
C:\WINDOWS\SYSTEM\dosxpd.exe
C:\WINDOWS\SYSTEM\SWin32.dll
C:\WINDOWS\SYSTEM\sprmove.exe
C:\WINDOWS\SYSTEM\istinstall_adlogix.exe
C:\WINDOWS\SYSTEM\fixmapirs.exe
C:\WINDOWS\SYSTEM\cekqmu.exe
C:\WINDOWS\SYSTEM\diantzpt.exe
C:\WINDOWS\SYSTEM\dwcrnt.exe

Once you reboot....
Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu). Set the program up as follows:
*Click "Options..."
*Move the arrow down to "Custom CleanUp!"
*Put a check next to the following:
Press the CleanUp! button to start the program. Reboot/logoff when prompted.

Once back to normal windows..post another hijackthis log and the log from the following scan...
Run an online scan from http://www.pandasoftware.com/actives..._principal.htm Select the "Autofix/Clean" option. Save the activescan log it creates and post it here.
__________________
We Are The BORG Spyware KILLER and Adware Destroyer!
Spyware/Adware Removal Tools: Hijackthis, Ad-aware SE, Spybot Search&Destroy, SpywareBlaster, CWShredder
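The two HijackThis logs in posts #5 and #6 differ only by a handful of lines, and the fix list above is exactly those lines. As an added example (not code from this thread, from HijackThis or from any of the tools named here), this Python script diffs two HJT logs and flags O4 autoruns that register the same executable under several launch keys, the redundancy the four DMLADM entries show and that legitimate software rarely needs; the embedded logs are trimmed excerpts of the two posted above.

```python
"""Diff two HijackThis 1.99.1 logs and flag O4 autoruns registered under several launch keys."""
import re

# Constructed excerpts of the two logs posted above (post #5, taken online, and
# post #6, taken after reboot); trimmed to the lines that differ plus a few stable ones.
OLD_LOG = r"""Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\VIEWPOINT\VIEWPOINT MANAGER\VIEWMGR.EXE
C:\WINDOWS\SYSTEM\SKYTOWN.EXE
C:\PROGRAM FILES\HIJACKTHIS.EXE
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\SYSTEM\LXSUPMON.EXE RUN
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
"""

NEW_LOG = r"""Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\VIEWPOINT\VIEWPOINT MANAGER\VIEWMGR.EXE
C:\WINDOWS\SYSTEM\DMLADM.EXE
C:\WINDOWS\SYSTEM\DMLADM.EXE
C:\PROGRAM FILES\HIJACKTHIS.EXE
O2 - BHO: CControl Object - {3643ABC2-21BF-46B9-B230-F247DB0C6FD6} - C:\Program Files\E2G\IeBHOs.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\SYSTEM\LXSUPMON.EXE RUN
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
O4 - HKCU\..\Run: [DMLADM] C:\WINDOWS\SYSTEM\DMLADM.exe
O4 - HKCU\..\RunServices: [DMLADM] C:\WINDOWS\SYSTEM\DMLADM.exe
O4 - HKCU\..\RunOnce: [DMLADM] C:\WINDOWS\SYSTEM\DMLADM.exe
O4 - HKCU\..\RunServicesOnce: [DMLADM] C:\WINDOWS\SYSTEM\DMLADM.exe
"""

# A HijackThis entry line: section code (R0, O2, O4, O16, ...) then " - " then the body.
ENTRY_RE = re.compile(r"^[RFNO]\d{1,2} - .+$")
# An O4 autorun: hive, launch key, [display name], command line.
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# Executable part of a command line, dropping arguments such as the "RUN" after LXSUPMON.EXE.
EXE_RE = re.compile(r"^(.*?\.(?:exe|dll|com|scr|bat))(?:\s|$)", re.IGNORECASE)


def parse_hjt_log(text):
    """Split a log into (running processes, entry lines); both are sets, so duplicate
    process lines (the posted logs list SKYTOWN.EXE and DMLADM.EXE twice) collapse."""
    processes, entries, in_processes = set(), set(), False
    for line in (raw.strip() for raw in text.splitlines()):
        if not line:
            continue
        if line.lower() == "running processes:":
            in_processes = True
        elif ENTRY_RE.match(line):
            in_processes = False
            entries.add(line)
        elif in_processes:
            processes.add(line.upper())  # Win9x paths are case-insensitive
    return processes, entries


def diff_hjt_logs(old_text, new_text):
    """Report what appeared or vanished between two scans of the same machine."""
    old_p, old_e = parse_hjt_log(old_text)
    new_p, new_e = parse_hjt_log(new_text)
    return {
        "processes_added": sorted(new_p - old_p),
        "processes_removed": sorted(old_p - new_p),
        "entries_added": sorted(new_e - old_e),
        "entries_removed": sorted(old_e - new_e),
    }


def flag_multi_key_autoruns(entries, min_keys=2):
    """Group O4 entries by launched executable and return those registered under
    min_keys or more distinct launch keys (Run, RunServices, RunOnce, RunServicesOnce)."""
    keys_by_target = {}
    for entry in entries:
        m = O4_RE.match(entry)
        if not m:
            continue
        exe = EXE_RE.match(m.group("cmd"))
        target = (exe.group(1) if exe else m.group("cmd")).lower()
        keys_by_target.setdefault(target, set()).add(m.group("hive") + "\\" + m.group("key"))
    return [{"target": t, "keys": sorted(k)}
            for t, k in sorted(keys_by_target.items()) if len(k) >= min_keys]


if __name__ == "__main__":
    for section, items in diff_hjt_logs(OLD_LOG, NEW_LOG).items():
        for item in items:
            print(f"{section:18} {item}")
    for hit in flag_multi_key_autoruns(parse_hjt_log(NEW_LOG)[1]):
        print("multi-key autorun:", hit["target"], "->", ", ".join(hit["keys"]))
```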
#8 (permalink)
Registered User
Join Date: Jul 2005
Posts: 16
OS: Win98SE
Good Evening
Things are starting to look better. Let me bring you up to date on what's happened. I went to www3 and Trend Micro Housecall online scanners and it cleared out the infected areas, but said that it could not fix 2 critical errors and I would need an MS03-014 and an MS03-030. I know they're patches, but have no idea where to get them. It said that is how the hackers or spyware were able to get into my computer. Well, I deleted all the programs and when I deleted them, they didn't come up in HJT anymore, so I didn't have to kill those. But, in addition to doing everything you told me, I also redid the Spybot Search & Destroy and the Ad-Aware scan and the AVG and now they're saying there's not anything on my computer, but when I did the Panda Software scan it detected 13. These lil buggers are persistent. They just will not go away.

This is my log from the scan:

Incident Status Location
Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM\UpdInst.exe
Adware:Adware/AdLogix No disinfected C:\WINDOWS\SYSTEM\retpdat32.xml
Adware:Adware/AdLogix No disinfected C:\WINDOWS\SYSTEM\sp32.xml
Adware:Adware/AdLogix No disinfected C:\WINDOWS\SYSTEM\adupdmanager.xml
Adware:Adware/SAHAgent No disinfected C:\WINDOWS\SYSTEM\xmlparse.dll
Adware:Adware/SAHAgent No disinfected C:\WINDOWS\SYSTEM\xmltok.dll
Spyware:Spyware/BargainBuddy No disinfected C:\WINDOWS\SYSTEM\exclean.exe
Adware:Adware/IPInsight No disinfected C:\WINDOWS\INF\ALCHEM.INF
Spyware:Spyware/BetterInet No disinfected C:\WINDOWS\INF\BIINI.INF
Spyware:Spyware/WareOut No disinfected C:\WINDOWS\SYSTEM32\wosys32.dll
Spyware:Spyware/TVMedia No disinfected C:\WINDOWS\Application Data\tvmcwrd.dll
Spyware:Spyware/TVMedia No disinfected C:\WINDOWS\Application Data\tvmuknwrd.dll
Adware:Adware/DelFinMedia No disinfected C:\keys.ini

The scan was not able to disinfect those files.

This is my new HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 4:51:35 PM, on 7/10/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\PROGRAM FILES\MUSICMATCH\MUSICMATCH JUKEBOX\MM_TRAY.EXE
C:\WINDOWS\SYSTEM\LXSUPMON.EXE
C:\WINDOWS\SYSTEM\PRINTRAY.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE
C:\WINDOWS\SYSTEM\LEXBCES.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\PROGRAM FILES\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = yahoo.com
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN5\YCOMP5_6_0_0.DLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN5\YCOMP5_6_0_0.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\SYSTEM\LXSUPMON.EXE RUN
O4 - HKLM\..\Run: [LexStart] Lexstart.exe
O4 - HKLM\..\Run: [LexmarkPrinTray] PrinTray.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
O4 - HKLM\..\Run: [PTSNOOP] ptsnoop.exe
O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
O16 - DPF: Yahoo! Literati - http://download.games.yahoo.com/game...ts/y/tt3_x.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yaho...st20040510.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/v...fo/webscan.cab

Thanks for taking a look and for all your time. Things are starting to get a lot better for my computer, definitely not as many popups, and my mouse jumps but not as frequently.
#9 (permalink)
Manager Emeritus - Security Center, Expert Analyst, Moderator - Security Team; Rangemaster, TSF Academy & Supporter
When you're as infected as you were...it takes several passes to clean out all these guys. Anyway...the MS03-014 and MS03-030 are Microsoft patches which can be obtained at the Windows Update page..
http://v4.windowsupdate.microsoft.com/en/default.asp

Let's do some more cleaning. Please reboot into safe mode.

Run KILL box. Paste the following locations into KILL BOX one at a time.
Checkmark the box that says "Delete on Reboot" and checkmark the box "Unregister DLL" (If available). Click the RED X and it will ask you to confirm the file for deletion…say YES and when the next box opens prompting you to reboot now...click NO...and proceed with the next file. Once you get to the last one click YES and it will reboot.
C:\WINDOWS\SYSTEM\UpdInst.exe
C:\WINDOWS\SYSTEM\retpdat32.xml
C:\WINDOWS\SYSTEM\sp32.xml
C:\WINDOWS\SYSTEM\adupdmanager.xml
C:\WINDOWS\SYSTEM\xmlparse.dll
C:\WINDOWS\SYSTEM\xmltok.dll
C:\WINDOWS\SYSTEM\exclean.exe
C:\WINDOWS\INF\ALCHEM.INF
C:\WINDOWS\INF\BIINI.INF
C:\WINDOWS\SYSTEM32\wosys32.dll
C:\WINDOWS\Application Data\tvmcwrd.dll
C:\WINDOWS\Application Data\tvmuknwrd.dll
C:\keys.ini

**Note** Also look for any of the following files and add them to the deletion process above.
alchem.cab
ALCHEM.EXE
alchem.inf
ALCHEM.INI
C:\WINDOWS\Application Data\ <-- in this folder add any file that begins with the letters tvm
You want to delete any file that looks similar to those 2 listed in the above log.

Once you reboot....do another Panda scan and post its log. Also post another Silentrunners log.
#10 (permalink)
Registered User
Join Date: Jul 2005
Posts: 16
OS: Win98SE
I ran the KillBox program and at first it didn't wipe them out: I went to scan with Panda and noticed that a lot of files were still infected, and I noticed some of the filenames I deleted, like xmlparse and retpdat32, were still there, so I went to Find File and deleted them manually there, then ran KillBox in normal mode, rebooted and ran it in safe mode also and manually deleted anything that was there too. I also saw *.lgc file extensions for alchem and tvm, so I deleted those too. I hope I didn't mess up my computer. I had no idea my computer was that infected. I hope this spyware is what's taken up so much space, because I'm missing like 100 megs of space on my computer.

I ran Panda and it found 1 spyware here:

Incident Status Location
Spyware:Spyware/New.net No disinfected Windows Registry

Here are the silent runners on my computer:

"Silent Runners.vbs", revision 39, http://www.silentrunners.org/
Operating System: Windows 98
Output limited to non-default values, except where indicated by "{++}"

Startup items buried in registry:
---------------------------------

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"CountrySelection" = "pctptt.exe" [null data]
"MMTray" = "C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe" ["MUSICMATCH, Inc."]
"LXSUPMON" = "C:\WINDOWS\SYSTEM\LXSUPMON.EXE RUN" ["Lexmark"]
"LexStart" = "Lexstart.exe" ["Lexmark International, Inc."]
"LexmarkPrinTray" = "PrinTray.exe" ["Lexmark"]
"AVG7_CC" = "C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP" ["GRISOFT, s.r.o."]
"AVG7_EMC" = "C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE" ["GRISOFT, s.r.o."]
"PTSNOOP" = "ptsnoop.exe" [file not found]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\ {++}
"KB891711" = "C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{02478D38-C3F9-4efb-9B51-7695ECA05670}\(Default) = "Yahoo! Companion BHO" [from CLSID]
  -> {CLSID}\InProcServer32\(Default) = "C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN5\YCOMP5_6_0_0.DLL" ["Yahoo! Inc."]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = "AcroIEHlprObj Class" [from CLSID]
  -> {CLSID}\InProcServer32\(Default) = "C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX" ["("]
{53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)
  -> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL" ["Safer Networking Limited"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{2E9D3540-211C-11d0-A5F2-00A0248C37BE}" = "Nero Shell Extension Property Sheet"
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\ahead\Nero\neroshx.dll" ["ahead software gmbh im stoeckmaedle 6 76307 karlsbad, germany Fax: ++49-7248-911-888 e-mail: info@ahead.de"]
"{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Shell Extension"
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]
"{9F97547E-460A-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Find Extension"
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
  -> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
AVG7 Shell Extension\(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
  -> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
  -> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
AVG7 Shell Extension\(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]

Active Desktop and Wallpaper:
-----------------------------

Active Desktop is disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

WIN.INI & SYSTEM.INI launch points:
-----------------------------------

SYSTEM.INI
[boot]
"SCRNSAVE.EXE=C:\WINDOWS\SYSTEM\3DTEXT~1.SCR" (3D Text.scr) [MS]

Enabled Scheduled Tasks:
------------------------

"Tune-up Application Start" -> launches: "walign" [MS]
"RUTASK" -> launches: "C:\WINDOWS\ru.exe" [file not found]

Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "C:\WINDOWS\SYSTEM\rnr20.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
00000000000#\PackedCatalogItem (contains) DLL [Company Name], (at) # range:
C:\WINDOWS\SYSTEM\mswsosp.dll [MS], 1
C:\WINDOWS\SYSTEM\msafd.dll [MS], 2 - 4
C:\WINDOWS\SYSTEM\rsvpsp.dll [MS], 5 - 6

Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\
"{43F02779-6D88-4958-8AD3-83C12D86ADC7}" = "Advanced Searchbar" [from CLSID]
  -> {CLSID}\InProcServer32\(Default) = "blank" [file not found]

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{EF99BD32-C1FB-11D2-892F-0090271D4F88}" = "Yahoo! Toolbar" [from CLSID]
  -> {CLSID}\InProcServer32\(Default) = "C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN5\YCOMP5_6_0_0.DLL" ["Yahoo! Inc."]
"{43F02779-6D88-4958-8AD3-83C12D86ADC7}" = "Advanced Searchbar" [from CLSID]
  -> {CLSID}\InProcServer32\(Default) = "blank" [file not found]

HKLM\Software\Microsoft\Internet Explorer\Toolbar\
"{EF99BD32-C1FB-11D2-892F-0090271D4F88}" = "Yahoo! Toolbar" [from CLSID]
  -> {CLSID}\InProcServer32\(Default) = "C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN5\YCOMP5_6_0_0.DLL" ["Yahoo! Inc."]

Explorer Bars

HKCU\Software\Microsoft\Internet Explorer\Explorer Bars\
{4528BBE0-4E08-11D5-AD55-00010333D0AD}\ = "&Yahoo! Messenger" [from CLSID]
  -> {CLSID}\InProcServer32\(Default) = "C:\PROGRAM FILES\YAHOO!\COMPANION\MODULES\MESSMOD2\V4\YHEXBMES.DLL" ["Yahoo! Inc."]

HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\
{4528BBE0-4E08-11D5-AD55-00010333D0AD}\ = "&Yahoo! Messenger" [from CLSID]
  -> {CLSID}\InProcServer32\(Default) = "C:\PROGRAM FILES\YAHOO!\COMPANION\MODULES\MESSMOD2\V4\YHEXBMES.DLL" ["Yahoo! Inc."]

Miscellaneous IE Hijack Points
------------------------------

C:\WINDOWS\INF\IERESET.INF (used to "Reset Web Settings")

Added lines (compared with English-language version):
[Strings]: START_PAGE_URL=http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome

Missing lines (compared with English-language version):
[Strings]: 1 line

----------
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
  launch it from a command prompt or a shortcut with the -all parameter.
+ The search for DESKTOP.INI DLL launch points on all local fixed drives took 18 seconds.
+ The search for all Registry CLSIDs containing dormant Explorer Bars took 25 seconds.
---------- (total run time: 87 seconds)

Thanks a lot, I really appreciate it.
#11 (permalink)
Manager Emeritus - Security Center, Expert Analyst, Moderator - Security Team; Rangemaster, TSF Academy & Supporter
Outstanding!!
Please open your Task Scheduler and get rid of this task if listed...
"RUTASK" -> launches: "C:\WINDOWS\ru.exe" [file not found]

Other than that...the logs are clean. If you want to locate that New.net registry entry..you can do so in regedit. Its files are gone..so it's no biggie. Please post one last hijackthis log so I can confirm it's clean.
#12 (permalink)
Registered User
Join Date: Jul 2005
Posts: 16
OS: Win98SE
You just don't know how happy I was to hear that my computer has no more infections. Do you think it would be a good idea to delete all of the spyware protection programs because they are taking up a lot of room on my computer and I don't have enough space, or will the viruses come back again once I don't have a blocker? I was thinking about just downloading a firewall from webroot and the patches and just using those instead of all the virus and spyware protection programs. I want to keep AVG and Ad Aware. You are truly a blessing and I know from now on, I will only trust certain sites. Can you tell me what my browser settings should be to prevent this from happening again? God Bless you and you have a wonderful day, I sure will knowing that I don't have to worry about any of this anymore.

Here it is:

Logfile of HijackThis v1.99.1
Scan saved at 12:28:10 PM, on 7/12/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\PROGRAM FILES\MUSICMATCH\MUSICMATCH JUKEBOX\MM_TRAY.EXE
C:\WINDOWS\SYSTEM\LXSUPMON.EXE
C:\WINDOWS\SYSTEM\PRINTRAY.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE
C:\WINDOWS\SYSTEM\LEXBCES.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = yahoo.com
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN5\YCOMP5_6_0_0.DLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN5\YCOMP5_6_0_0.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\SYSTEM\LXSUPMON.EXE RUN
O4 - HKLM\..\Run: [LexStart] Lexstart.exe
O4 - HKLM\..\Run: [LexmarkPrinTray] PrinTray.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
O4 - HKLM\..\Run: [PTSNOOP] ptsnoop.exe
O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
O16 - DPF: Yahoo! Literati - http://download.games.yahoo.com/game...ts/y/tt3_x.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yaho...st20040510.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/v...fo/webscan.cab

Thanks so much!
#13 (permalink)
Manager Emeritus - Security Center, Expert Analyst, Moderator - Security Team; Rangemaster, TSF Academy & Supporter
Great Job Mel!! Your log is clean. Please visit Microsoft's Windows Update page and make sure you have all the latest patches installed for 98 and IE6. Please read through the spyware prevention section on how to protect yourself from spyware/adware Here and use the recommended programs and methods to protect yourself!

Yes you can remove those tools we used to clean. The problem is you need to add some more (from that link I posted) to protect the PC. You need to layer the protection...so one or two programs is not going to cut it. I would recommend the following at a minimum..

Real time Protection!
1. Firewall (Any..I use ZoneAlarm)
2. AVG
3. SpywareBlaster
4. SpywareGuard

Spyware Cleaners! (Run once a week)
1. Adaware SE
2. Spybot
3. Cleanup utility

I use the combo above plus a few others...and haven't had spyware or a virus on my system in over 2 years. Have a look here at how to tighten up IE.....
http://bshagnasty.home.att.net/browsersettings.htm

Please reply one last time so I know you got this message and I can move this to resolved.