Old 03-06-2006, 01:09 PM   #1 (permalink)
Registered User
 
Join Date: Mar 2006
Posts: 27
OS: Win98


Win98 Problems Hijack Log

I wasn't able to save a log to paste it, but I was able to take a picture. Any help would be appreciated. I have no virus protection programs and a few spyware blockers. I downloaded Counterspy from download.com and it seemed to make my computer 10x worse.
Attached Images
File Type: bmp untitled.bmp (96.1 KB, 4 views)
File Type: bmp untitled2.bmp (96.1 KB, 4 views)
Ohiostatewoody5 is offline  

Old 03-06-2006, 04:00 PM   #2 (permalink)
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
 
sUBs's Avatar
 
Join Date: May 2005
Posts: 24,409
OS: N/A


Please tell me why you're unable to save a log.
__________________

Question - what have you done for the community today?
sUBs is offline  
Old 03-06-2006, 04:24 PM   #3 (permalink)
Registered User
 
Join Date: Mar 2006
Posts: 27
OS: Win98


I can save the log, but it seems to only want to open up with WinZip and I get this message... The Winzip wizard can not open this file. It does not appear to be a valid archive. If you downloaded this file, please try to download it again. If you want to add the file to an archive, first create or open the archive and drop the file again.
Ohiostatewoody5 is offline  
Old 03-06-2006, 04:27 PM   #4 (permalink)
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
 
sUBs's Avatar
 
Join Date: May 2005
Posts: 24,409
OS: N/A


Launch Notepad & go to File > Open.
Browse to where the log's located & open it.
__________________

Question - what have you done for the community today?
sUBs is offline  
Old 03-06-2006, 04:32 PM   #5 (permalink)
Registered User
 
Join Date: Mar 2006
Posts: 27
OS: Win98


Logfile of HijackThis v1.99.1
Scan saved at 5:30:49 PM, on 3/6/06
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\LOGITECH\MOUSEWARE\SYSTEM\EM_EXEC.EXE
C:\PROGRAM FILES\AIM\AIM.EXE
C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER\DPPS2.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\NOTEPAD.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\LOGITECH\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [AdobeReaderPro] MSNSERVE.EXE
O4 - HKLM\..\Run: [AdmTask] C:\Program Files\AdmTask\admtask.exe /m
O4 - HKLM\..\RunServices: [AdobeReaderPro] MSNSERVE.EXE
O4 - HKLM\..\RunServices: [AdmTask] C:\Program Files\AdmTask\admtask.exe /s
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - HKCU\..\Run: [AIM] C:\PROGRAM FILES\AIM\aim.exe -cnetwait.odl
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM\AIM.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRAM FILES\JAVA\JRE1.5.0_06\BIN\SSV.DLL
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRAM FILES\JAVA\JRE1.5.0_06\BIN\SSV.DLL
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O12 - Plugin for .ipp: C:\PROGRA~1\INTERN~1\Plugins\npimth32.dll
O12 - Plugin for .ipt: C:\PROGRA~1\INTERN~1\Plugins\npimth32.dll
O15 - Trusted Zone: http://*.winsoftware.com
O15 - Trusted Zone: http://*.winantispyware.com
O15 - Trusted Zone: http://*.winantivirus.com
O15 - Trusted Zone: http://*.winantiviruspro.com
O15 - Trusted Zone: http://*.winfixer.com
O15 - Trusted Zone: http://*.winnanny.com
O15 - Trusted Zone: http://*.billingnow.com
O15 - Trusted Zone: http://*.reliablestats.com
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/...eInstaller.exe
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamespyarcade.com/soft...ch/alaunch.cab
O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
O16 - DPF: {75D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin.SecureControl) - http://secure2.comned.com/signuptemp...veSecurity.cab
O16 - DPF: {4E71E6DD-FB37-4641-A96E-4456399A6DB0} (CodeBabyObject Object) - http://jade.bioware.com/codebaby/codebaby.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/ca...C_1_0_0_44.cab
O16 - DPF: {908F3C82-B57E-11D4-BF33-00A0CCE8754B} (TInterActXInstallObject) - http://www.mathxl.com/wizmodules/int...ctXInstall.cab
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com...45/yacscom.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?link...67&clcid=0x409
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://install.charter.com/diskless/bin/tgctlcm.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/...toUploader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramewor...o.cab34246.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {A0EAC162-A012-4AD8-B2E1-D5A0BBBCDA51} (PopupSh Control) - http://206.222.17.186/images/PopupSh.ocx
O16 - DPF: {8A0019EB-51FA-4AE5-A40B-C0496BBFC739} (Verizon Wireless Media Upload) - http://www.vzwpix.com/activex/Verizo...oadControl.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/SSC/Sha...in/AvSniff.cab
Ohiostatewoody5 is offline  
Old 03-06-2006, 05:02 PM   #6 (permalink)
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
 
sUBs's Avatar
 
Join Date: May 2005
Posts: 24,409
OS: N/A


Please read this post completely before beginning the fix. If there's anything that you do not understand, kindly ask your questions before proceeding. Please ensure that there aren't any opened browsers when you are carrying out the procedures below. Save the following instructions in Notepad as this webpage would not be available when you're carrying out the fix.

First off, let's fix your file associations. That's what's preventing the HijackThis log from opening with Notepad.
  1. In Windows Explorer or My Computer, locate the HijackThis log
  2. Right-click the file, and then click Open With. If Open With is not an option, hold down the SHIFT key while right-clicking the file. Open With should now be an option.
  3. In the Open With dialog box, select the program - Notepad - that you want to use to open the file.
  4. Click to select the Always use this program to open these files check box to make this the default program to open files with the same file-name extension.
  5. Click OK.

* * * * * * ADDITIONAL DOWNLOADS * * * * * * * * * * * * * *


Download & install - CleanUp.exe (not recommended for WinXP64)

Please download AVG Antivirus and update its virus definitions. Also ensure that its real time scanning engine is enabled.

'UNPLUG'/DISCONNECT your computer from the Internet when you have finished downloading.
It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.


* * * * * * FIXING ENTRIES WITH HIJACKTHIS * * * * * * * * * *


Do a HijackThis scan & place a check next to these items and select "Fix checked":

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O4 - HKLM\..\Run: [AdobeReaderPro] MSNSERVE.EXE
O4 - HKLM\..\RunServices: [AdobeReaderPro] MSNSERVE.EXE
O15 - Trusted Zone: http://*.winsoftware.com
O15 - Trusted Zone: http://*.winantispyware.com
O15 - Trusted Zone: http://*.winantivirus.com
O15 - Trusted Zone: http://*.winantiviruspro.com
O15 - Trusted Zone: http://*.winfixer.com
O15 - Trusted Zone: http://*.winnanny.com
O15 - Trusted Zone: http://*.billingnow.com
O15 - Trusted Zone: http://*.reliablestats.com
O16 - DPF: {75D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin.SecureControl) - http://secure2.comned.com/signuptemp...veSecurity.cab
O16 - DPF: {A0EAC162-A012-4AD8-B2E1-D5A0BBBCDA51} (PopupSh Control) - http://206.222.17.186/images/PopupSh.ocx



* * * * * * RESTART WINDOWS IN SAFE MODE * * * * * * * * * *


1. Restart your computer
2. After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3. Instead of Windows loading as normal, a menu should appear
4. Select the option to run Windows in Safe Mode.


* * * * * * DELETING FILES/FOLDERS * * * * * * * * * * * * * * *


If you have not done so already, please enable the viewing of Hidden files.
From Windows Explorer, go to Tools -> Folder Options -> View tab.
  • Tick - 'Show hidden files and folder'
  • Click Yes to confirm & then click OK
Locate and delete the following files/folders: (let me know if you fail to find/delete any)
  • MSNSERVE.EXE

* * * * * * PURGING TEMP FOLDERS * * * * * * * * * * * * * * *


Run Cleanup! using the following configuration:

1. Click Options...
2. Set the slider initially to Standard CleanUp!
3. Uncheck the following:
  • Delete Newsgroup cache
  • Delete Newsgroup Subscriptions
4. Click OK
5. Press the CleanUp! button to start the program.
6. Do NOT reboot/logoff if prompted.

* CleanUp! does not create any backups!!


* * * * * * RUNNING ADDITIONAL SCANNERS * * * * * * * * * * *


Have AVG do a system wide scan & allow it to disinfect ALL that it finds.


* * * * * * REBOOT TO NORMAL MODE * * * * * * * * * * * * * *


Establish an internet connection & perform an online scan with Internet Explorer at Kaspersky Online Scanner

Answer Yes, when prompted to install an ActiveX component.
  • The program will then begin downloading the latest definition files.
  • Once the files have been downloaded click on NEXT
  • Locate the Scan Settings button & configure to:
    • Scan using the following Anti-Virus database:
      • Extended
    • Scan Options:
      • Scan Archives
      • Scan Mail Bases
  • Click OK & have it scan My Computer
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply
* Turn off the real time scanner of any existing antivirus program while performing the online scan


* * * * * * CHECK LIST * * * * * * * * * * * * * * * * * * * * *


In your next post, please include fresh logs from:
  1. HiJackThis
  2. Online scan
Please provide details of any problems you encountered whilst performing the above steps & update us on how the computer behaves now.
__________________

Question - what have you done for the community today?
sUBs is offline  
Old 03-06-2006, 08:33 PM   #7 (permalink)
Registered User
 
Join Date: Mar 2006
Posts: 27
OS: Win98


I'm getting quite a few popups and I get a download box that wants me to download iframes3. I think it's from ad.yieldmanager or something like that.
When I check Ctrl-Alt-Delete I have quite a few iexplores going.

Here is my HijackThis log and the Kaspersky results:

Logfile of HijackThis v1.99.1
Scan saved at 9:30:57 PM, on 3/6/06
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\PROGRAM FILES\SLEEPY\SLPTASK.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\LOGITECH\MOUSEWARE\SYSTEM\EM_EXEC.EXE
C:\PROGRAM FILES\SLEEPY\MONITOR.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\WINDOWS\RunDLL.exe
C:\PROGRAM FILES\AIM\AIM.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\NOTEPAD.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\LOGITECH\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [AdmTask] C:\Program Files\AdmTask\admtask.exe /m
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\RunServices: [AdmTask] C:\Program Files\AdmTask\admtask.exe /s
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - HKCU\..\Run: [AIM] C:\PROGRAM FILES\AIM\aim.exe -cnetwait.odl
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM\AIM.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRAM FILES\JAVA\JRE1.5.0_06\BIN\SSV.DLL
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRAM FILES\JAVA\JRE1.5.0_06\BIN\SSV.DLL
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O12 - Plugin for .ipp: C:\PROGRA~1\INTERN~1\Plugins\npimth32.dll
O12 - Plugin for .ipt: C:\PROGRA~1\INTERN~1\Plugins\npimth32.dll
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/...eInstaller.exe
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamespyarcade.com/soft...ch/alaunch.cab
O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
O16 - DPF: {4E71E6DD-FB37-4641-A96E-4456399A6DB0} (CodeBabyObject Object) - http://jade.bioware.com/codebaby/codebaby.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/ca...C_1_0_0_44.cab
O16 - DPF: {908F3C82-B57E-11D4-BF33-00A0CCE8754B} (TInterActXInstallObject) - http://www.mathxl.com/wizmodules/int...ctXInstall.cab
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com...45/yacscom.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?link...67&clcid=0x409
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://install.charter.com/diskless/bin/tgctlcm.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/...toUploader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramewor...o.cab34246.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {8A0019EB-51FA-4AE5-A40B-C0496BBFC739} (Verizon Wireless Media Upload) - http://www.vzwpix.com/activex/Verizo...oadControl.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/SSC/Sha...in/AvSniff.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/k...bscan_ansi.cab


Kasper Results

-------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Monday, March 06, 2006 21:17:39
Operating System: Microsoft Windows 98 SE
Kaspersky On-line Scanner version: 5.0.67.0
Kaspersky Anti-Virus database last update: 7/03/2006
Kaspersky Anti-Virus database records: 180584
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
a:\
c:\
d:\
e:\
f:\

Scan Statistics:
Total number of scanned objects: 39437
Number of viruses found: 32
Number of infected objects: 66
Number of suspicious objects: 2
Duration of the scan process: 3303 sec

Infected Object Name - Virus Name
c:\WINDOWS\SYSTEM\MKCMS.DLL Infected: not-a-virus:AdWare.Win32.Look2Me.ap
c:\WINDOWS\SYSTEM\DINHPAST.DLL Infected: not-a-virus:AdWare.Win32.Look2Me.ap
c:\WINDOWS\SYSTEM\MARD3X40.DLL Infected: not-a-virus:AdWare.Win32.Look2Me.ap
c:\WINDOWS\SYSTEM\bk.exe/InpB/Ssk3RepairInstall.exe Infected: not-a-virus:AdWare.Win32.SurfSide.aa
c:\WINDOWS\SYSTEM\bk.exe/InpB Infected: not-a-virus:AdWare.Win32.SurfSide.aa
c:\WINDOWS\SYSTEM\bk.exe Infected: not-a-virus:AdWare.Win32.SurfSide.aa
c:\WINDOWS\SYSTEM\RFSAPI32.DLL Infected: not-a-virus:AdWare.Win32.Look2Me.ap
c:\WINDOWS\SYSTEM\qodsregk.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.m
c:\WINDOWS\SYSTEM\MHJT3032.DLL Infected: not-a-virus:AdWare.Win32.Look2Me.ap
c:\WINDOWS\SYSTEM\lrpsd11n.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ap
c:\WINDOWS\SYSTEM\SVROBJ.DLL Infected: not-a-virus:AdWare.Win32.Look2Me.ap
c:\WINDOWS\SYSTEM\dlvx_xx07.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ap
c:\WINDOWS\Application Data\Spybot - Search & Destroy\Recovery\RegistryCleaner.zip/soproc.exe Suspicious: Password-protected-EXE
c:\WINDOWS\Application Data\Spybot - Search & Destroy\Recovery\RegistryCleaner.zip Suspicious: Password-protected-EXE
c:\WINDOWS\Downloaded Program Files\turbo.inf Infected: not-a-virus:AdWare.Win32.BetterInternet.as
c:\WINDOWS\Downloaded Program Files\WUInst.dll Infected: not-a-virus:AdWare.Win32.SaveNow.ab
c:\WINDOWS\Downloaded Program Files\ashton.inf Infected: not-a-virus:AdWare.Win32.BetterInternet.as
c:\WINDOWS\Local Settings\Application Data\Sunbelt Software\CounterSpy\Quarantine\0DC22D51-ACAD-11DA-960C-00E07D\0DC22D57-ACAD-11DA-960C-00E07D Infected: not-a-virus:AdWare.Win32.Maxifiles.j
c:\WINDOWS\Local Settings\Application Data\Sunbelt Software\CounterSpy\Quarantine\0DC22D51-ACAD-11DA-960C-00E07D\0DC22D5A-ACAD-11DA-960C-00E07D Infected: not-a-virus:AdWare.Win32.Maxifiles.w
c:\WINDOWS\Local Settings\Application Data\Sunbelt Software\CounterSpy\Quarantine\0DC22D51-ACAD-11DA-960C-00E07D\0DC22D5B-ACAD-11DA-960C-00E07D/Catcher.dll Infected: not-a-virus:AdWare.Win32.Maxifiles.w
c:\WINDOWS\Local Settings\Application Data\Sunbelt Software\CounterSpy\Quarantine\0DC22D51-ACAD-11DA-960C-00E07D\0DC22D5B-ACAD-11DA-960C-00E07D Infected: not-a-virus:AdWare.Win32.Maxifiles.w
c:\WINDOWS\Local Settings\Application Data\Sunbelt Software\CounterSpy\Quarantine\0DC22D51-ACAD-11DA-960C-00E07D\0DC22D5C-ACAD-11DA-960C-00E07D Infected: not-a-virus:AdWare.Win32.Maxifiles.s
c:\WINDOWS\Local Settings\Application Data\Sunbelt Software\CounterSpy\Quarantine\0DC22D7F-ACAD-11DA-960C-00E07D\0DC22D80-ACAD-11DA-960C-00E07D Infected: not-a-virus:AdWare.Win32.Perfnav.a
c:\WINDOWS\Local Settings\Application Data\Sunbelt Software\CounterSpy\Quarantine\0DC22D83-ACAD-11DA-960C-00E07D\0DC22D84-ACAD-11DA-960C-00E07D Infected: not-a-virus:AdWare.Win32.WebRebates.b
c:\WINDOWS\Local Settings\Application Data\Sunbelt Software\CounterSpy\Quarantine\0DC22D83-ACAD-11DA-960C-00E07D\0DC22D85-ACAD-11DA-960C-00E07D Infected: not-a-virus:AdWare.Win32.HelpExpress
c:\WINDOWS\Local Settings\Application Data\Sunbelt Software\CounterSpy\Quarantine\0DC22D94-ACAD-11DA-960C-00E07D\0DC22D96-ACAD-11DA-960C-00E07D Infected: not-a-virus:AdWare.Win32.Softomate.k
c:\WINDOWS\Local Settings\Application Data\Sunbelt Software\CounterSpy\Quarantine\0DC22DA6-ACAD-11DA-960C-00E07D\0DC22DA7-ACAD-11DA-960C-00E07D Infected: not-a-virus:Server-Proxy.Win32.MarketScode.c
c:\WINDOWS\Local Settings\Application Data\Sunbelt Software\CounterSpy\Quarantine\0DC22DA6-ACAD-11DA-960C-00E07D\0DC22DA8-ACAD-11DA-960C-00E07D Infected: not-a-virus:Server-Proxy.Win32.MarketScode.c
c:\WINDOWS\Local Settings\Application Data\Sunbelt Software\CounterSpy\Quarantine\0DC22DAA-ACAD-11DA-960C-00E07D\0DC22DAB-ACAD-11DA-960C-00E07D/InpB/TvmBho.dll Infected: not-a-virus:AdWare.Win32.TotalVelocity.k
c:\WINDOWS\Local Settings\Application Data\Sunbelt Software\CounterSpy\Quarantine\0DC22DAA-ACAD-11DA-960C-00E07D\0DC22DAB-ACAD-11DA-960C-00E07D/InpB/TvmCore.dll Infected: not-a-virus:AdWare.Win32.TotalVelocity.m
c:\WINDOWS\Local Settings\Application Data\Sunbelt Software\CounterSpy\Quarantine\0DC22DAA-ACAD-11DA-960C-00E07D\0DC22DAB-ACAD-11DA-960C-00E07D/InpB/Tvm.exe Infected: not-a-virus:AdWare.Win32.TotalVelocity.k
c:\WINDOWS\Local Settings\Application Data\Sunbelt Software\CounterSpy\Quarantine\0DC22DAA-ACAD-11DA-960C-00E07D\0DC22DAB-ACAD-11DA-960C-00E07D/InpB Infected: not-a-virus:AdWare.Win32.TotalVelocity.k
c:\WINDOWS\Local Settings\Application Data\Sunbelt Software\CounterSpy\Quarantine\0DC22DAA-ACAD-11DA-960C-00E07D\0DC22DAB-ACAD-11DA-960C-00E07D Infected: not-a-virus:AdWare.Win32.TotalVelocity.k
c:\WINDOWS\Local Settings\Application Data\Sunbelt Software\CounterSpy\Quarantine\0DC22DB4-ACAD-11DA-960C-00E07D\0DC22DB5-ACAD-11DA-960C-00E07D Infected: not-a-virus:AdWare.Win32.SaveNow.bo
c:\WINDOWS\browserxtras\pn\remove.exe/data0002/data0003 Infected: Trojan-Downloader.Win32.Keenval.f
c:\WINDOWS\browserxtras\pn\remove.exe/data0002 Infected: Trojan-Downloader.Win32.Keenval.f
c:\WINDOWS\browserxtras\pn\remove.exe Infected: Trojan-Downloader.Win32.Keenval.f
c:\WINDOWS\pf78.exe/data0002 Infected: Trojan-Downloader.Win32.VB.tw
c:\WINDOWS\pf78.exe/data0003 Infected: Trojan.Win32.VB.tg
c:\WINDOWS\pf78.exe/data0006 Infected: Trojan.Win32.VB.tg
c:\WINDOWS\pf78.exe/data0007 Infected: Trojan.Win32.VB.tg
c:\WINDOWS\pf78.exe Infected: Trojan.Win32.VB.tg
c:\My Documents\CPmIRCv21.zip/cpmirc21.exe/mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.603
c:\My Documents\CPmIRCv21.zip/cpmirc21.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.603
c:\My Documents\CPmIRCv21.zip Infected: not-a-virus:Client-IRC.Win32.mIRC.603
c:\My Documents\My Deliveries\cnet\setupmp3towav.exe/WISE0018.BIN/data0002 Infected: not-a-virus:AdWare.Win32.BargainBuddy.v
c:\My Documents\My Deliveries\cnet\setupmp3towav.exe/WISE0018.BIN/data0003 Infected: not-a-virus:AdWare.Win32.BargainBuddy.a
c:\My Documents\My Deliveries\cnet\setupmp3towav.exe/WISE0018.BIN Infected: not-a-virus:AdWare.Win32.BargainBuddy.a
c:\My Documents\My Deliveries\cnet\setupmp3towav.exe/WISE0025.BIN/UCMIE.DLL Infected: not-a-virus:AdWare.Win32.Ucmore.a
c:\My Documents\My Deliveries\cnet\setupmp3towav.exe/WISE0025.BIN/IUCMORE.DLL Infected: not-a-virus:AdWare.Win32.Ucmore
c:\My Documents\My Deliveries\cnet\setupmp3towav.exe/WISE0025.BIN Infected: not-a-virus:AdWare.Win32.Ucmore
c:\My Documents\My Deliveries\cnet\setupmp3towav.exe/WISE0027.BIN/data0001.cab/Save.exe Infected: not-a-virus:AdWare.Win32.SaveNow.e
c:\My Documents\My Deliveries\cnet\setupmp3towav.exe/WISE0027.BIN/data0001.cab/SaveUninst.exe Infected: not-a-virus:AdWare.Win32.SaveNow.bl
c:\My Documents\My Deliveries\cnet\setupmp3towav.exe/WISE0027.BIN/data0001.cab/Weather/Weather.exe Infected: not-a-virus:AdWare.Win32.SaveNow
c:\My Documents\My Deliveries\cnet\setupmp3towav.exe/WISE0027.BIN/data0001.cab/Weather/Uninst.exe Infected: not-a-virus:AdWare.Win32.SaveNow.bl
c:\My Documents\My Deliveries\cnet\setupmp3towav.exe/WISE0027.BIN/data0001.cab Infected: not-a-virus:AdWare.Win32.SaveNow.bl
c:\My Documents\My Deliveries\cnet\setupmp3towav.exe/WISE0027.BIN Infected: not-a-virus:AdWare.Win32.SaveNow.bl
c:\My Documents\My Deliveries\cnet\setupmp3towav.exe Infected: not-a-virus:AdWare.Win32.SaveNow.bl
c:\My Documents\ssbuilder3.exe/data0013 Infected: not-a-virus:AdWare.Win32.ComedyPlanet.b
c:\My Documents\ssbuilder3.exe Infected: not-a-virus:AdWare.Win32.ComedyPlanet.b
c:\My Documents\BSINSTALL.exe/WISE0024.BIN Infected: not-a-virus:AdWare.Win32.SaveNow.bo
c:\My Documents\BSINSTALL.exe Infected: not-a-virus:AdWare.Win32.SaveNow.bo
c:\Program Files\Support.com\backup\ho\hosts\3397_50ca3e631_/hosts Infected: Trojan-Clicker.Win32.Qhost.a
c:\Program Files\Support.com\backup\ho\hosts\3397_50ca3e631_ Infected: Trojan-Clicker.Win32.Qhost.a
c:\NNSCAA638.EXE Infected: not-a-virus:AdWare.Win32.NewDotNet
c:\ZICORN001.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.m
c:\ventfe1.exe/data0002 Infected: not-a-virus:AdWare.Win32.BookedSpace.e
c:\ventfe1.exe Infected: not-a-virus:AdWare.Win32.BookedSpace.e

Scan process completed.
Ohiostatewoody5 is offline  
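One way to check a fresh HijackThis log against a fix list like the one in post #6, as an added example that is not part of the thread or any poster's code: it gives each entry a stable identity (section plus autorun name, registry value or CLSID) and reports fix-list items that are still present and entries that are new. The sample lines are excerpts copied from the logs in posts #5, #6 and #7; the function names and the keying scheme are assumptions made for this example.

```python
import re

ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")   # e.g. "O4 - HKLM\..\Run: [x] y"
GUID = re.compile(r"\{[0-9A-Fa-f-]{36}\}")       # CLSID in O2/O3/O16 lines
RUN = re.compile(r"^(\S+): \[([^\]]+)\]")        # O4: "<key>: [<value name>] <command>"


def entry_key(section, body):
    """Stable identity for one entry (assumed scheme, not HijackThis's own), so
    case changes or a URL shortened with '...' do not make an item look new."""
    if section == "O4":
        m = RUN.match(body)
        if m:  # autoruns are identified by registry key + value name
            return (section, m.group(1).lower(), m.group(2).lower())
    if section.startswith("R"):  # registry value: ignore the data after " = "
        return (section, body.split(" = ", 1)[0].lower())
    if section in ("O2", "O3", "O16"):
        g = GUID.search(body)
        if g:
            return (section, g.group(0).lower())
    # Everything else (O9, O12, O15, ...): whitespace- and case-normalised text.
    return (section, " ".join(body.lower().split()))


def parse(log_text):
    """Map entry_key -> original line. Header and process lines are skipped
    because they do not match the '<code> - <text>' entry pattern."""
    entries = {}
    for raw in log_text.splitlines():
        m = ENTRY.match(raw.strip())
        if m:
            entries[entry_key(m.group(1), m.group(2))] = raw.strip()
    return entries


def verify_fix(before, after, fix_list):
    """Compare the log taken before the fix, the fresh log, and the fix list."""
    b, a, f = parse(before), parse(after), parse(fix_list)
    return {
        # fix-list lines that never appeared in the first log (copy/paste slip)
        "not_in_before": sorted(f[k] for k in f if k not in b),
        # fix-list lines that survived the fix or came back after reboot
        "still_present": sorted(f[k] for k in f if k in a),
        # entries that vanished although nobody asked for their removal
        "removed_unrequested": sorted(b[k] for k in b if k not in a and k not in f),
        # entries that appeared since the first log; each needs an explanation
        "new": sorted(a[k] for k in a if k not in b),
    }


# Excerpt of the log in post #5.
BEFORE = r"""
Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\EXPLORER.EXE
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [AdobeReaderPro] MSNSERVE.EXE
O4 - HKLM\..\RunServices: [AdobeReaderPro] MSNSERVE.EXE
O15 - Trusted Zone: http://*.winfixer.com
O16 - DPF: {A0EAC162-A012-4AD8-B2E1-D5A0BBBCDA51} (PopupSh Control) - http://206.222.17.186/images/PopupSh.ocx
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
"""

# Excerpt of the fresh log in post #7.
AFTER = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/k...bscan_ansi.cab
"""

# Excerpt of the "Fix checked" list in post #6.
FIX_LIST = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O4 - HKLM\..\Run: [AdobeReaderPro] MSNSERVE.EXE
O4 - HKLM\..\RunServices: [AdobeReaderPro] MSNSERVE.EXE
O15 - Trusted Zone: http://*.winfixer.com
O16 - DPF: {A0EAC162-A012-4AD8-B2E1-D5A0BBBCDA51} (PopupSh Control) - http://206.222.17.186/images/PopupSh.ocx
"""

if __name__ == "__main__":
    for bucket, lines in verify_fix(BEFORE, AFTER, FIX_LIST).items():
        print(f"{bucket}: {len(lines)}")
        for line in lines:
            print("   ", line)
```

On these excerpts nothing from the fix list is still present, and the two new entries are the ones the requested AVG install and Kaspersky online scan account for.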
Old 03-06-2006, 08:41 PM   #8 (permalink)
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
 
sUBs's Avatar
 
Join Date: May 2005
Posts: 24,409
OS: N/A


Please download L2M9xFix

Unzip it to the desktop and run RunThis.bat.

A window will open, and your desktop will disappear, then reappear. Please be patient until the batch says it is completed.

Then please restart your computer, and post a new HijackThis log as well as the entire text of the log.txt file which should be in the same folder as RunThis.bat.
__________________

Question - what have you done for the community today?
sUBs is offline  
Old 03-06-2006, 08:51 PM   #9 (permalink)
Registered User
 
Join Date: Mar 2006
Posts: 27
OS: Win98


Logfile of HijackThis v1.99.1
Scan saved at 9:47:25 PM, on 3/6/06
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\NMISYS32.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\LOGITECH\MOUSEWARE\SYSTEM\EM_EXEC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\WINDOWS\RunDLL.exe
C:\PROGRAM FILES\SLEEPY\MONITOR.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\LOGITECH\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [AdmTask] C:\Program Files\AdmTask\admtask.exe /m
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\RunServices: [AdmTask] C:\Program Files\AdmTask\admtask.exe /s
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - HKCU\..\Run: [AIM] C:\PROGRAM FILES\AIM\aim.exe -cnetwait.odl
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM\AIM.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRAM FILES\JAVA\JRE1.5.0_06\BIN\SSV.DLL
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRAM FILES\JAVA\JRE1.5.0_06\BIN\SSV.DLL
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O12 - Plugin for .ipp: C:\PROGRA~1\INTERN~1\Plugins\npimth32.dll
O12 - Plugin for .ipt: C:\PROGRA~1\INTERN~1\Plugins\npimth32.dll
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/...eInstaller.exe
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamespyarcade.com/soft...ch/alaunch.cab
O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
O16 - DPF: {4E71E6DD-FB37-4641-A96E-4456399A6DB0} (CodeBabyObject Object) - http://jade.bioware.com/codebaby/codebaby.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/ca...C_1_0_0_44.cab
O16 - DPF: {908F3C82-B57E-11D4-BF33-00A0CCE8754B} (TInterActXInstallObject) - http://www.mathxl.com/wizmodules/int...ctXInstall.cab
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com...45/yacscom.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?link...67&clcid=0x409
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://install.charter.com/diskless/bin/tgctlcm.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/...toUploader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramewor...o.cab34246.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {8A0019EB-51FA-4AE5-A40B-C0496BBFC739} (Verizon Wireless Media Upload) - http://www.vzwpix.com/activex/Verizo...oadControl.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/SSC/Sha...in/AvSniff.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/k...bscan_ansi.cab






Log Text

Log of L2M9XFix v1.01a

************

Running from directory:
C:\WINDOWS\Desktop\l2m9xfix

************

Files found:

C:\WINDOWS\system\DINHPAST.DLL
C:\WINDOWS\system\dlvx_xx07.dll
C:\WINDOWS\system\lrpsd11n.dll
C:\WINDOWS\system\MARD3X40.DLL
C:\WINDOWS\system\MHJT3032.DLL
C:\WINDOWS\system\MKCMS.DLL
C:\WINDOWS\system\mxvbvm60.dll
C:\WINDOWS\system\RFSAPI32.DLL
C:\WINDOWS\system\SVROBJ.DLL
C:\WINDOWS\system\WSNMM.DLL

************

Registry entries found:

[HKEY_CLASSES_ROOT\CLSID\{94E86CE0-ACB1-11DA-960C-00E07DD2C0DE}\InprocServer32]
@="C:\\WINDOWS\\SYSTEM\\MARD3X40.DLL"

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{E671A67A-F56C-93AC-6AE5-F5B4423DD64B}"=""


************

Killing Explorer
Done!

Killing Rundll32
Done!

Removing malicious CLSID(s)
Done!

Restarting Explorer
Done!

Deleting malicious files
Done!


Finished!
Ohiostatewoody5 is offline  
Old 03-06-2006, 09:00 PM   #10 (permalink)
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
 
sUBs's Avatar
 
Join Date: May 2005
Posts: 24,409
OS: N/A


Good work. Let's hit it when it's down

Please read this post completely before beginning the fix.


Right click on this & choose "Save As...": DelO15Domains.inf
Right click on DelO15Domains.inf and choose Install. It will run immediately (you won't be able to see anything happen). You may delete the file afterwards.

SpywareBlaster 3.5.1 - Install & update SpywareBlaster with the latest definitions.
After you have updated, click the button - enable protection for all unprotected items

IE-SpyAD - Extract the contents to a new folder
From within the folder, double-click install.bat
Select Option #2 - Install the new IE-SPYAD list.
Then return to the main menu.
Select option #4 - Add the old porn sites domain

Download KillBox v2.0.0.175.exe (it's important that you get version v2.0.0.175)


* * * * * * KILLBOX * * * * * * * * * * * * * * * * * * * * * * *


Launch KillBox.exe & select the following options:
  • Delete on Reboot
  • All files (if available)
Use your mouse to select all the filenames highlighted in blue & then right-click & select Copy
  • c:\WINDOWS\Downloaded Program Files\turbo.inf
    c:\WINDOWS\Downloaded Program Files\WUInst.dll
    c:\WINDOWS\Downloaded Program Files\ashton.inf
    c:\WINDOWS\SYSTEM\bk.exe
    c:\WINDOWS\SYSTEM\RFSAPI32.DLL
    c:\WINDOWS\SYSTEM\qodsregk.exe
    c:\WINDOWS\SYSTEM\SVROBJ.DLL
    c:\WINDOWS\Application Data\Spybot - Search & Destroy\Recovery\RegistryCleaner.zip
    c:\WINDOWS\pf78.exe
    c:\My Documents\My Deliveries\cnet\setupmp3towav.exe
    c:\My Documents\ssbuilder3.exe
    c:\My Documents\BSINSTALL.exe
    c:\Program Files\Support.com\backup\ho\hosts\3397_50ca3e631_
    c:\NNSCAA638.EXE
    c:\ZICORN001.exe
    c:\ventfe1.exe
* Go to the File menu, and choose Paste from Clipboard
* Click the RED X button.
* Click Yes at the Delete on Reboot prompt.
* Click Yes at the 'Pending Operations prompt'.

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run TheKillbox, download and run missingfilesetup.exe. Then try Killbox again.


* * * * * * RESTART WINDOWS IN SAFE MODE * * * * * * * * * *


1. Restart your computer
2. After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3. Instead of Windows loading as normal, a menu should appear
4. Select the option to run Windows in Safe Mode.


* * * * * * DELETING FILES/FOLDERS * * * * * * * * * * * * * * *


Locate and delete the following files/folders: (let me know if you fail to find/delete any)
  • c:\WINDOWS\browserxtras\
Delete the contents of this folder, leaving it empty:
  • c:\WINDOWS\Local Settings\Application Data\Sunbelt Software\CounterSpy\Quarantine\

* * * * * * PURGING TEMP FOLDERS * * * * * * * * * * * * * * *


Run Cleanup! using the following configuration:

1. Click Options...
2. Set the slider initially to Standard CleanUp!
3. Uncheck the following:
  • Delete Newsgroup cache
  • Delete Newsgroup Subscriptions
4. Click OK
5. Press the CleanUp! button to start the program.


* * * * * * REBOOT TO NORMAL MODE * * * * * * * * * * * * * *


Perform an online scan with Internet Explorer with Panda ActiveScan
  1. Click Scan your PC & a 'pop up' window shall appear. *ensure that your pop up blocker doesn't block it
  2. Click Scan Now
  3. Enter your e-mail address & click Scan Now ...begins downloading 8 MB Panda's ActiveX controls
Begin the scan by selecting My Computer
  • If it finds any malware, it will offer you a report.
  • Please ignore any entry it finds and the offer to buy the program to remove the entry, as we will address this later.
  • Click on see report. Then click Save report
Post the contents of the report in your next reply

*You needn't remain online while it's doing the scan but you have to re-connect after it has finished to see the report.
*Turn off the real time scanner of any existing antivirus program while performing the online scan



* * * * * * CHECK LIST * * * * * * * * * * * * * * * * * * * * *


In your next post, please include fresh logs from:
  1. HiJackThis
  2. Online scan
Please update us on how the computer behaves now
__________________

Question - what have you done for the community today?
sUBs is offline  
Old 03-06-2006, 09:53 PM   #11 (permalink)
Registered User
 
Join Date: Mar 2006
Posts: 27
OS: Win98


I haven't experienced any more popups or download boxes.

Logfile of HijackThis v1.99.1
Scan saved at 10:49:20 PM, on 3/6/06
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\NMISYS32.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\LOGITECH\MOUSEWARE\SYSTEM\EM_EXEC.EXE
C:\PROGRAM FILES\SLEEPY\MONITOR.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\WINDOWS\RunDLL.exe
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\LOGITECH\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [AdmTask] C:\Program Files\AdmTask\admtask.exe /m
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\RunServices: [AdmTask] C:\Program Files\AdmTask\admtask.exe /s
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - HKCU\..\Run: [AIM] C:\PROGRAM FILES\AIM\aim.exe -cnetwait.odl
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM\AIM.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRAM FILES\JAVA\JRE1.5.0_06\BIN\SSV.DLL
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRAM FILES\JAVA\JRE1.5.0_06\BIN\SSV.DLL
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O12 - Plugin for .ipp: C:\PROGRA~1\INTERN~1\Plugins\npimth32.dll
O12 - Plugin for .ipt: C:\PROGRA~1\INTERN~1\Plugins\npimth32.dll
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/...eInstaller.exe
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamespyarcade.com/soft...ch/alaunch.cab
O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
O16 - DPF: {4E71E6DD-FB37-4641-A96E-4456399A6DB0} (CodeBabyObject Object) - http://jade.bioware.com/codebaby/codebaby.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/ca...C_1_0_0_44.cab
O16 - DPF: {908F3C82-B57E-11D4-BF33-00A0CCE8754B} (TInterActXInstallObject) - http://www.mathxl.com/wizmodules/int...ctXInstall.cab
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com...45/yacscom.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?link...67&clcid=0x409
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://install.charter.com/diskless/bin/tgctlcm.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/...toUploader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramewor...o.cab34246.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {8A0019EB-51FA-4AE5-A40B-C0496BBFC739} (Verizon Wireless Media Upload) - http://www.vzwpix.com/activex/Verizo...oadControl.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/SSC/Sha...in/AvSniff.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/k...bscan_ansi.cab




Incident Status Location

Spyware:spyware/betterinet Not disinfected C:\WINDOWS\INF\BIINI.INF
Adware:adware program Not disinfected C:\WINDOWS\ss3unstl.exe
Adware:adware/sidesearch Not disinfected C:\PROGRAM FILES\Lycos
Potentially unwanted tool:application/winantivirus2006 Not disinfected C:\PROGRAM FILES\WinAntiVirus Pro 2006
Adware:adware/savenow Not disinfected C:\PROGRAM FILES\VVSN
Spyware:spyware/virtumonde Not disinfected Windows Registry
Adware:Adware/SAHAgent Not disinfected C:\WINDOWS\INF\FLASHTLK.INF
Spyware:Spyware/BetterInet Not disinfected C:\WINDOWS\INF\BIINI.INF
Adware:Adware/Look2Me Not disinfected C:\WINDOWS\Desktop\l2m9xfix\backups\DINHPAST.DLL
Adware:Adware/Look2Me Not disinfected C:\WINDOWS\Desktop\l2m9xfix\backups\dlvx_xx07.dll
Adware:Adware/Look2Me Not disinfected C:\WINDOWS\Desktop\l2m9xfix\backups\lrpsd11n.dll
Adware:Adware/Look2Me Not disinfected C:\WINDOWS\Desktop\l2m9xfix\backups\MARD3X40.DLL
Adware:Adware/Look2Me Not disinfected C:\WINDOWS\Desktop\l2m9xfix\backups\MHJT3032.DLL
Adware:Adware/Look2Me Not disinfected C:\WINDOWS\Desktop\l2m9xfix\backups\MKCMS.DLL
Adware:Adware/Look2Me Not disinfected C:\WINDOWS\Desktop\l2m9xfix\backups\mxvbvm60.dll
Adware:Adware/Look2Me Not disinfected C:\WINDOWS\Desktop\l2m9xfix\backups\RFSAPI32.DLL
Adware:Adware/Look2Me Not disinfected C:\WINDOWS\Desktop\l2m9xfix\backups\SVROBJ.DLL
Adware:Adware/Look2Me Not disinfected C:\WINDOWS\Desktop\l2m9xfix\backups\WSNMM.DLL
Potentially unwanted tool:Application/Winantivirus2006 Not disinfected C:\Program Files\Common Files\WinAntiVirus Pro 2006\WapCHK.dll
Adware:Adware/BrilliantDigital Not disinfected C:\Program Files\Kazaa\bdcore.dll.updpnd
Ohiostatewoody5 is offline  
Old 03-06-2006, 10:02 PM   #12 (permalink)
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
 
sUBs's Avatar
 
Join Date: May 2005
Posts: 24,409
OS: N/A


Please read this post completely before beginning the fix.

Reboot to Safe Mode


* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


Uninstall the following programs, if present, using Control Panel->Add/Remove Programs:
  • Lycos / SideSearch
    WinAntiVirus Pro 2006
    VVSN
    Kazaa
Please note any other programs that you don't recognize in that list in your next response.


* * * * * * DELETING FILES/FOLDERS * * * * * * * * * * * * * * *


If you have not done so already, please enable the viewing of Hidden files
From Windows Explorer, go to Tools -> Folder Options -> View tab.
  • Tick - 'Show hidden files and folder'
  • Untick - 'Hide file extensions for known types'
  • Untick - 'Hide protected operating system files'
  • Click Yes to confirm & then click OK
Locate and delete the following files/folders: (let me know if you fail to find/delete any)
  • C:\WINDOWS\INF\BIINI.INF
    C:\WINDOWS\ss3unstl.exe
    C:\PROGRAM FILES\Lycos
    C:\PROGRAM FILES\WinAntiVirus Pro 2006
    C:\PROGRAM FILES\VVSN
    C:\WINDOWS\INF\FLASHTLK.INF
    C:\WINDOWS\INF\BIINI.INF
    C:\WINDOWS\Desktop\l2m9xfix\
    C:\Program Files\Common Files\WinAntiVirus Pro 2006\
    C:\Program Files\Kazaa\


Run CleanUp once more before rebooting to Normal Mode to post a new HJT log
__________________

Question - what have you done for the community today?
sUBs is offline  
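
An added example, not part of the thread or of any tool named in it: one way to triage the flattened ActiveScan report from post #11 before acting on it, separating live file locations from non-file hits and from copies sitting in the L2M9XFix working folder. The function names are hypothetical, the sample rows are a subset of that report, and treating everything under the tool's folder as the tool's own backup copies is an assumption.

```python
import ntpath
import re
from collections import Counter

# Constructed sample: a subset of the rows in post #11, in the same flattened
# "Incident Status Location" layout the report has on this page.
SAMPLE_REPORT = r"""Incident Status Location

Spyware:spyware/betterinet Not disinfected C:\WINDOWS\INF\BIINI.INF
Adware:adware/sidesearch Not disinfected C:\PROGRAM FILES\Lycos
Spyware:spyware/virtumonde Not disinfected Windows Registry
Spyware:Spyware/BetterInet Not disinfected C:\WINDOWS\INF\BIINI.INF
Adware:Adware/Look2Me Not disinfected C:\WINDOWS\Desktop\l2m9xfix\backups\MARD3X40.DLL
Adware:Adware/Look2Me Not disinfected C:\WINDOWS\Desktop\l2m9xfix\backups\SVROBJ.DLL
Potentially unwanted tool:Application/Winantivirus2006 Not disinfected C:\Program Files\Common Files\WinAntiVirus Pro 2006\WapCHK.dll
Adware:adware program Not disinfected C:\WINDOWS\ss3unstl.exe
"""

# Folder the L2M9XFix log says it ran from (taken from the log in the thread).
TOOL_DIR = r"C:\WINDOWS\Desktop\l2m9xfix"

# "Not disinfected" is the only status that appears in the thread's report;
# rows with any other status are returned as unparsed rather than guessed at.
ROW = re.compile(
    r"^(?P<category>[^:]+):(?P<name>.+?)\s+"
    r"(?P<status>Not disinfected)\s+(?P<location>.+)$"
)
DRIVE_PATH = re.compile(r"^[A-Za-z]:\\")


def parse_report(text):
    """Split flattened report rows into dicts; return (rows, unparsed_lines)."""
    rows, unparsed = [], []
    for line in text.splitlines():
        line = line.strip()
        if not line or line == "Incident Status Location":
            continue
        match = ROW.match(line)
        if match:
            rows.append(match.groupdict())
        else:
            unparsed.append(line)
    return rows, unparsed


def is_under(path, folder):
    """Case-insensitive 'path is inside folder' test using Windows path rules."""
    base = ntpath.normcase(folder).rstrip("\\") + "\\"
    return ntpath.normcase(path).startswith(base)


def triage(rows, tool_dir):
    """Bucket unique locations and count hits per detection name."""
    live, backups, non_file = [], [], []
    seen = set()
    families = Counter()
    for row in rows:
        family = row["name"].lower()      # report mixes upper and lower case
        families[family] += 1
        location = row["location"]
        key = ntpath.normcase(location)   # Windows paths compare case-insensitively
        if key in seen:
            continue                      # same location reported twice
        seen.add(key)
        if not DRIVE_PATH.match(location):
            non_file.append((family, location))   # e.g. "Windows Registry"
        elif is_under(location, tool_dir):
            backups.append(location)      # copies kept by the cleanup tool
        else:
            live.append(location)
    return {"live": live, "tool_backups": backups,
            "non_file": non_file, "families": families}


if __name__ == "__main__":
    parsed, skipped = parse_report(SAMPLE_REPORT)
    result = triage(parsed, TOOL_DIR)
    for bucket in ("live", "tool_backups", "non_file"):
        print(bucket)
        for item in result[bucket]:
            print("   ", item)
    print("unparsed:", skipped)
```
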
Old 03-06-2006, 10:41 PM   #13 (permalink)
Registered User
 
Join Date: Mar 2006
Posts: 27
OS: Win98


I didn't have

Lycos/Sidesearch
WinAntiVirus Pro 2006
VVSN
Kazaa

in my Add/Remove but I did have

Internet Explorer Q896727
Internet Explorer Q903235
Microsoft data Access components KB870669
Microsoft VGX833989
Outlook Express Q837009
Windows 98 KB891711 Update
Windows 98 KB896358 Update
Windows 98 Q823559 Update
Windows 98 Q888113 Update
win32 BL application

I'm sure a few of those are normal but I just thought I would put them up just in case.

I also found a few extra files while I was deleting files in Safe Mode.

I found WinAntiVirus Pro 2006 Folder in Windows\Application Data Folder
VVSN.lgc in Windows\Applog
Kazaa1~~C
Kazaa1~~D
I deleted all of those


Logfile of HijackThis v1.99.1
Scan saved at 11:39:38 PM, on 3/6/06
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\MSGSYS32.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\LOGITECH\MOUSEWARE\SYSTEM\EM_EXEC.EXE
C:\PROGRAM FILES\SLEEPY\MONITOR.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\WINDOWS\RunDLL.exe
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\LOGITECH\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [AdmTask] C:\Program Files\AdmTask\admtask.exe /m
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\RunServices: [AdmTask] C:\Program Files\AdmTask\admtask.exe /s
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - HKCU\..\Run: [AIM] C:\PROGRAM FILES\AIM\aim.exe -cnetwait.odl
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM\AIM.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRAM FILES\JAVA\JRE1.5.0_06\BIN\SSV.DLL
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRAM FILES\JAVA\JRE1.5.0_06\BIN\SSV.DLL
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O12 - Plugin for .ipp: C:\PROGRA~1\INTERN~1\Plugins\npimth32.dll
O12 - Plugin for .ipt: C:\PROGRA~1\INTERN~1\Plugins\npimth32.dll
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/...eInstaller.exe
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamespyarcade.com/soft...ch/alaunch.cab
O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
O16 - DPF: {4E71E6DD-FB37-4641-A96E-4456399A6DB0} (CodeBabyObject Object) - http://jade.bioware.com/codebaby/codebaby.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/ca...C_1_0_0_44.cab
O16 - DPF: {908F3C82-B57E-11D4-BF33-00A0CCE8754B} (TInterActXInstallObject) - http://www.mathxl.com/wizmodules/int...ctXInstall.cab
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com...45/yacscom.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?link...67&clcid=0x409
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://install.charter.com/diskless/bin/tgctlcm.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/...toUploader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramewor...o.cab34246.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {8A0019EB-51FA-4AE5-A40B-C0496BBFC739} (Verizon Wireless Media Upload) - http://www.vzwpix.com/activex/Verizo...oadControl.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/SSC/Sha...in/AvSniff.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/k...bscan_ansi.cab
Ohiostatewoody5 is offline  
Old 03-06-2006, 10:44 PM   #14 (permalink)
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
 
sUBs's Avatar
 
Join Date: May 2005
Posts: 24,409
OS: N/A


Your log is clean. Well done
Do you have any more problems with your computer? If not, you should be set to go.

In light of your recent hiccup, I'm sure you'll like to avoid any future infections. Please take a look at these well written articles
Have a safe & happy computing day.

Please respond to this thread one more time so we can mark this thread as resolved.
__________________

Question - what have you done for the community today?

Last edited by sUBs; 03-06-2006 at 10:47 PM.
sUBs is offline  
Old 03-06-2006, 10:59 PM   #15 (permalink)
Registered User
 
Join Date: Mar 2006
Posts: 27
OS: Win98


Thanks for the help, I'll be sure to make a contribution.
Just so I know, is it alright to run Ad-Aware SE Personal, Browser Hijack Blaster, SpywareBlaster and Pop-Up Stopper regularly?
Ohiostatewoody5 is offline  
Old 03-06-2006, 11:02 PM   #16 (permalink)
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
 
sUBs's Avatar
 
Join Date: May 2005
Posts: 24,409
OS: N/A


Quote:
Just so I know, is it alright to run Ad-Aware SE Personal, Browser Hijack Blaster, SpywareBlaster and Pop-Up Stopper regularly?
Yes, that's a wise choice of preventive measures.
__________________

Question - what have you done for the community today?
sUBs is offline  