Can't download anti-spyware programs or anti-virus programs

Old 02-16-2006, 02:46 AM   #1
TSF Enthusiast
 
Join Date: Mar 2005
Posts: 894
OS: Windows XP Home



Hi everyone,

I have a friend wanting me to help with her computer. She runs an old Windows 98 machine that has become infested with spyware and viruses.

Webpages keep being redirected to bizrate and bizoffers and any attempt to download software such as Ad-Aware or Spybot is being denied by Bad Gateway errors.

She can't download Hijack This or do any online virus scans because she's blocked from doing so by the spyware.

Would installing the MVPS Hosts file prevent the spyware from blocking access to these sites so that we can help her?

Please help.

Thanks.
Hustler24 is offline  
Old 02-16-2006, 05:43 AM   #2
TSF Enthusiast
 
Join Date: Jul 2004
Location: United Kingdom
Posts: 6,574
OS: Win7


It would definitely be a start. Also try this:

Right click on this link https://www.greyknight17.com/spy/DelO15Domains.inf and choose Save As. Save it to your desktop. Right click on that file and choose Install. It will run immediately (you won't be able to see anything happen). You may delete it afterwards. NOTE: This script will delete any sites you may have added to the Trusted Sites. So if you want them back, you have to add them back to the Trusted Sites again.

Next thing to try, is go into Add/Remove and check for the following programs. If you struggle removing, you can reboot to Safe Mode and try again.

180 Search Assistant
180Solutions
Active alert
Ad Service
AdTools
AdTools Service
Alexa toolbar
BargainBuddy
Bullseye Networks
CashBack
cosmi
DH
EasySearchBar
Elite Sidebar
Elite Toolbar
Freeze Clip Art
GAIN
Gator
Hotbar Outlook Tools
Hotbar Web Tools
HuntBar
Internet Optimizer
ISTbar
ISTSvc
MaxiFiles
Media Access
Media Gateway
MySearch
MyWay Search Bar
MyWebSearch
NavExcel Search Toolbar
NavHelper
ncase
Oemji Toolbar
Open Site
Preview AdService
Search Toolbar (HuntBar/WinTools)
ShopperReports by Hotbar
Sidefind
SideSearch
Slotchbar
Software Update Manager
SurfAccuracy
SurfSideKick
Upspiral Toolbar
TurboDownload
VBouncer
Viewpoint
Viewpoint Manager
Viewpoint Media Player
WareOut
WeatherBug
Web Rebates
Web Search Toolbar (WinTools)
Webhancer
WhenU (any entry)
WeirdOnTheWeb
Windows AdService
Windows AdStatus
Windows ServeAd
WinTools
WinTools Easy Installer
WSEM Update
Download Accelerator Plus
Kazaa
Kontiki
Messenger Plus
NetPumper
NewDotNet
P2P Networking
StarWare
WildTangent


Let us know how you get on
POADB is offline  
Old 02-21-2006, 05:01 AM   #3
TSF Enthusiast
 
Join Date: Mar 2005
Posts: 894
OS: Windows XP Home


Hi POADB,

My friend has said that she doesn't have any of the programs listed in her add/remove list.

She is having problems downloading the Hosts file and will try again tonight to download that and DelO15Domains.inf.

I will keep you posted.
Hustler24 is offline  
Old 02-21-2006, 06:26 PM   #4
TSF Security Manager
Emeritus
 
Microsoft Most Valuable Professional
 
Join Date: Jan 2005
Location: Ohio
Posts: 42,837
OS: WinXP Home, Vista, Windows 7 64bit


Hello Hustler24,

Perhaps you could download HijackThis to a floppy and take it to your friend's PC and post the log here. We may be able to see, and pull enough off her system to enable her to obtain online scans for more in depth scanning.

Please download HijackThis - this program will help us determine if there are any spyware/malware on your computer. Double-click on the file you just downloaded.
Click on the "Unzip" button to install. It will by default install to the directory - C:\PROGRAM FILES\HIJACKTHIS\

Double click on HijackThis.exe to run the program.

1. If it gives you an intro screen, just choose 'Do a system scan and save a logfile'.
2. If you don't get the intro screen, just hit Scan and then click on Save log.
3. Post the hijackthis.log file in this thread.

** Do not fix anything in HijackThis since they may be harmless.

Once clean, we'll help you get her protected.
__________________
Member of UNITE since 2006

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
Ried is offline  
Old 02-26-2006, 01:49 PM   #5
TSF Enthusiast
 
Join Date: Mar 2005
Posts: 894
OS: Windows XP Home


Log below:



Logfile of HijackThis v1.99.1
Scan saved at 20:38:03, on 26/02/06
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v5.00 (5.00.2614.3500)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\MDM.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\MOUSE\SYSTEM\EM_EXEC.EXE
C:\PROGRAM FILES\NETROPA\MULTIMEDIA KEYBOARD\MMKEYBD.EXE
C:\PROGRAM FILES\NETROPA\ONSCREEN DISPLAY\OSD.EXE
C:\WINDOWS\SYSTEM\PRINTRAY.EXE
C:\PROGRAM FILES\REAL\REALPLAYER\REALPLAY.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\IAU.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\WIDCOMM\BLUETOOTH SOFTWARE\BTTRAY.EXE
C:\PROGRAM FILES\NETROPA\MULTIMEDIA KEYBOARD\MMUSBKB2.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
A:\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = https://www.zpecialoffer.com/indexie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = https://www.zpecialoffer.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.wanadoo.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = https://www.freeserve.net/packard-bell
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = https://www.zpecialoffer.com/indexie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = https://www.zpecialoffer.com/results.asp?keyword=%s
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRAM FILES\YAHOO!\COMPANION\YCOMP5_0_2_7.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\YCOMP5_0_2_7.DLL
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [EM_EXEC] c:\mouse\system\em_exec.exe
O4 - HKLM\..\Run: [Multimedia Keyboard] C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [Onscreen Display] C:\Program Files\Netropa\Onscreen Display\OSD.exe
O4 - HKLM\..\Run: [LexmarkPrinTray] PrinTray.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [Microsoft Internet Acceleration Utility] C:\WINDOWS\IAU.EXE
O4 - HKLM\..\Run: [BtStart] c:\Program Files\WIDCOMM\Bluetooth Software\bin\btstart.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] c:\windows\SYSTEM\mstask.exe
O4 - HKLM\..\RunServices: [Machine Debug Manager] C:\WINDOWS\SYSTEM\MDM.EXE
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [Microsoft Internet Acceleration Utility] C:\WINDOWS\IAU.EXE
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: BTTray.lnk = C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
O8 - Extra context menu item: Send To &Bluetooth - c:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: RealGuide - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Freeserve - {F721BCE0-55D7-11D4-A398-C55D27723235} - https://www.freeserve.net/packard-bell/ (file missing) (HKCU)
O9 - Extra button: PB Home - {F721BCE1-55D7-11D4-A398-C55D27723235} - https://www.packardbell-europe.com/ (file missing) (HKCU)
O12 - Plugin for .mid: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .wav: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .com/d/sr?xargs=02u3hs9yoajlUOwTCCRBClf8DhShGFQQcD9YPB7KgfiWVga2Wr8as17xKgsOdJk3dm%2BF82P5tAAYR57aLqlIUx4MD2PgyEvSn%2BZNVKSlyVLtsYPgTP7r7APP4I4Q4XPa0kQotVN/Sprk5Gykz: C:\Program Files\Netscape\Communicator\Program\PLUGINS\nppdf32.dll
O14 - IERESET.INF: START_PAGE_URL=https://www.freeserve.net/packard-bell
O16 - DPF: NWGOUtility - https://www.nwolb.co.uk/nwol/classes/NWGOUtility.cab
O16 - DPF: SMapplet - https://www.nwolb.co.uk/nwol/rbs_htm...s/SMapplet.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/...sh/swflash.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (&Yahoo! Companion) - https://us.dl1.yimg.com/download.yaho...yiebio4025.cab
O16 - DPF: {0B682CC1-FB40-4006-A5DD-99EDD3C9095D} (vbiewer control) - https://www.thepaymentcentre.com/build/vbiewer.cab
O16 - DPF: {56393399-041A-4650-94C7-13DFCB1F4665} (PSFormX Control) - https://www3.ca.com/securityadvisor/p...n/pestscan.cab
Hustler24 is offline  
Old 02-26-2006, 09:50 PM   #6
TSF Security Manager
Emeritus
 
Microsoft Most Valuable Professional
 
Join Date: Jan 2005
Location: Ohio
Posts: 42,837
OS: WinXP Home, Vista, Windows 7 64bit


Hi,

Please print these instructions or copy to Notepad for reference.

From Normal Mode:

Run a scan in HijackThis. 'Check' each of the following if they still exist (make sure not to miss any):

O12 - Plugin for .com/d/sr?xargs=02u3hs9yoajlUOwTCCRBClf8DhShGFQQcD9YPB7KgfiWVga2Wr8as17xKgsOdJk3dm%2BF82P5tAAYR57aLqlIUx4MD2PgyEvSn%2BZNVKSlyVLtsYPgTP7r7APP4I4Q4XPa0kQotVN/Sprk5Gykz: C:\Program Files\Netscape\Communicator\Program\PLUGINS\nppdf32.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O16 - DPF: {0B682CC1-FB40-4006-A5DD-99EDD3C9095D} (vbiewer control) - https://www.thepaymentcentre.com/build/vbiewer.cab


Click 'Fix Checked' and close HijackThis.

----------------------

Reboot into Normal Mode.

----------------------

Microsoft Windows Update
Visit windowsupdate.com and install the latest service packs, patches and security updates for your system. Internet Explorer is outdated and leaving this system very vulnerable.

----------------------

Perform an online scan using Internet Explorer with Panda ActiveScan
** click on "Free use ActiveScan" located on the top right hand corner
  1. Click Check Now & a 'pop up' window shall appear. *ensure that your pop up blocker doesn't block it
  2. Enter your e-mail address, country, and state & click Scan Now ...begins downloading 8 MB Panda's ActiveX controls
Begin the scan by selecting My Computer
  • If it finds any malware, it will offer you a report.
  • Please ignore any entry it finds and wants you to buy the program for removal as we will address this later.
  • Click on see report. Then click Save report
Please post that log in your next reply along with a new HijackThis log.

----------------------

If this system is still having difficulties downloading, you're going to have to use another PC to download programs to a disc to bring to this infected system. AdAware and Spybot do not use Internet Explorer to perform their updates, so updating hopefully will not be an issue. Let me know if it is.

Download and update the databases on each program before running.
  • Ad-Aware® SE Personal Edition
    *Note* For Ad-AwareSE also install the VX2 Addon Cleaner. To run this tool once Adaware is updated, click on Add-ons in the left-hand column. Select VX2 Cleaner V2.0 and click Run Tool. Click "OK", then, if something is found, click "Clean" as in the directions given. Click "Close", and exit Ad-Aware.
  • Spybot Search & Destroy: Run Spybot and click on the 'Search for Updates' button. Install any updates that are available. Now click Mode menu and choose 'Advanced Mode'. Next click on Immunize to your left. Click the Immunize button on top to Immunize your computer - you should do this each time there is an update. Click 'Check for Problems' and fix all the entries, which are indicated in RED. Do NOT enable Spybot TeaTimer Resident protection at this time. What this will do is monitor any system/registry changes and will ask you for permission to change any of these settings. It may also hinder our fix at this point. You may enable it after the fix is complete.

Please empty any Quarantine folder in your antivirus program and purge all recovery items in the Spybot program (if you use it) before running this tool.

Download the Mwav virus checker at https://www.mwti.net/products/download_center.asp (Use Link 3)

1. Save it to a folder.
2. Reboot into Safe Mode.
3. Double click the Mwav.exe file. This is a stand alone tool and NOT just a virus checker......so it won't install anything.
4. Select all local drives, scan all files, and press SCAN. When it is completed, anything found will be displayed in the lower pane.
5. In the Virus Log Information Pane......
Left click and highlight all the information in the Lower pane --- Use CTRL C on your keyboard to copy everything found in the lower pane and save it to a notepad file
*Note* If prompted that a virus was found and you need to purchase the product to remove the malware, just close out the prompt and let it continue scanning. We are not going to use this to remove anything...but to ID the bad files.

Once you copy that to a Notepad file...highlight the text and copy it here.
Ried is offline  
Old 02-27-2006, 04:07 AM   #7
TSF Enthusiast
 
Join Date: Mar 2005
Posts: 894
OS: Windows XP Home


Thanks for your instructions Ried. Before I forward them on, shouldn't these entries be fixed too? They are EasySearch adware:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = https://www.zpecialoffer.com/indexie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = https://www.zpecialoffer.com (and all associated links - it is a restricted site)
O4 - HKLM\..\Run: [Microsoft Internet Acceleration Utility] C:\WINDOWS\IAU.EXE - EASYSEARCH ADWARE.


Please let me know before forwarding on. Thanks.
Hustler24 is offline  
Old 02-27-2006, 05:04 AM   #8
TSF Security Manager
Emeritus
 
Microsoft Most Valuable Professional
 
Join Date: Jan 2005
Location: Ohio
Posts: 42,837
OS: WinXP Home, Vista, Windows 7 64bit


Hi Hustler24,

Most certainly those need to be fixed. Evidently a section of my fix didn't transfer properly --my apologies.

Please modify the fix accordingly:

Open My Computer. Select the View menu and click Folder Options. Select the View Tab then select Show all files in the Hidden files section. Also make sure there is no checkmark beside Hide file extensions for known file types. Click OK.

-------------------------

Run a scan in HijackThis. 'Check' each of the following if they still exist (make sure not to miss any):

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = https://www.zpecialoffer.com/indexie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = https://www.zpecialoffer.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = https://www.zpecialoffer.com/indexie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = https://www.zpecialoffer.com/results.asp?keyword=%s
O4 - HKLM\..\Run: [Microsoft Internet Acceleration Utility] C:\WINDOWS\IAU.EXE
O12 - Plugin for .com/d/sr?xargs=02u3hs9yoajlUOwTCCRBClf8DhShGFQQcD9YPB7KgfiWVga2Wr8as17xKgsOdJk3dm%2BF82P5tAAYR57aLqlIUx4MD2PgyEvSn%2BZNVKSlyVLtsYPgTP7r7APP4I4Q4XPa0kQotVN/Sprk5Gykz: C:\Program Files\Netscape\Communicator\Program\PLUGINS\nppdf32.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O16 - DPF: {0B682CC1-FB40-4006-A5DD-99EDD3C9095D} (vbiewer control) - https://www.thepaymentcentre.com/build/vbiewer.cab


Click 'Fix Checked' and close HijackThis.

-------------------------

Next, please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8. (on some computers, you may need to press F5)
3) Instead of Windows loading as normal, a menu should appear
4) Use the up arrow key to highlight Safe Mode and press Enter.

-------------------------

Delete the following file:

C:\WINDOWS\IAU.EXE

Reboot into Normal Mode and continue with the rest of the instructions.
Ried is offline  
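
The kind of entries picked out of the log in the posts above can be triaged mechanically. The following is an added example, not part of any post and not HijackThis's own code: the function names (`parse_log`, `review_notes`, `triage`) are hypothetical, and the sample log is constructed from lines of the posted log with the long O12 value replaced by a placeholder. It only marks entries for a manual look; it does not decide what to fix.

```python
import re

# Constructed sample in the HijackThis v1.99.1 format posted in this thread.
# Lines are taken from the posted log; the long O12 value is replaced by the
# placeholder EXAMPLE.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\EXPLORER.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = https://www.zpecialoffer.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.wanadoo.co.uk/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = https://www.zpecialoffer.com/results.asp?keyword=%s
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8080
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O12 - Plugin for .wav: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .com/d/sr?xargs=EXAMPLE: C:\Program Files\Netscape\Communicator\Program\PLUGINS\nppdf32.dll
O9 - Extra button: PB Home - {F721BCE1-55D7-11D4-A398-C55D27723235} - https://www.packardbell-europe.com/ (file missing) (HKCU)
"""

# An entry line is a section code (R0, O4, O12, ...) followed by " - ".
ENTRY_RE = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")
# Registry value names that control Internet Explorer's search behaviour.
SEARCH_VALUES = {"Search Bar", "Search Page", "SearchAssistant"}
# Proxy value that points back at the local machine, e.g. 127.0.0.1:8080.
LOOPBACK_RE = re.compile(
    r"^(?:\w+=)?(?:127(?:\.\d{1,3}){3}|localhost)(?::\d+)?$", re.I)
# What a genuine plugin file extension looks like, e.g. ".wav".
PLAIN_EXT_RE = re.compile(r"^\.[A-Za-z0-9]{1,8}$")


def parse_log(text):
    """Return (section, body) for each entry line; other lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def review_notes(section, body):
    """Return the reasons (possibly none) an entry deserves a manual look."""
    notes = []
    if section in ("R0", "R1"):
        key, _, value = body.partition(" = ")
        path, _, name = key.rpartition(",")
        if name == "ProxyServer" and LOOPBACK_RE.match(value):
            notes.append("IE proxy is on this machine; "
                         "find out which program listens on that port")
        elif name in SEARCH_VALUES or path.endswith("\\SearchURL"):
            notes.append("IE search setting points at " + value)
    elif section == "O12" and body.startswith("Plugin for "):
        ext, _, _dll = body[len("Plugin for "):].partition(": ")
        if not PLAIN_EXT_RE.match(ext):
            notes.append("plugin registered for something that is "
                         "not a file extension")
    if "(file missing)" in body:
        notes.append("entry refers to a file that is not on disk")
    return notes


def triage(text):
    """Return (section, body, notes) for every entry with at least one note."""
    flagged = []
    for section, body in parse_log(text):
        notes = review_notes(section, body)
        if notes:
            flagged.append((section, body, notes))
    return flagged


if __name__ == "__main__":
    for section, body, notes in triage(SAMPLE_LOG):
        print(section, "|", body[:70])
        for note in notes:
            print("    ->", note)
```
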
Old 02-27-2006, 06:26 AM   #9
TSF Enthusiast
 
Join Date: Mar 2005
Posts: 894
OS: Windows XP Home


Thanks for the update Lisa. I have emailed your instructions to her and will keep you informed.

I notice that she doesn't have any AV software at all on this system so we probably need to point her in the way of AVG or avast! when she gets back to me.
Hustler24 is offline  
Old 02-27-2006, 06:34 AM   #10
TSF Security Manager
Emeritus
 
Microsoft Most Valuable Professional
 
Join Date: Jan 2005
Location: Ohio
Posts: 42,837
OS: WinXP Home, Vista, Windows 7 64bit


As soon as she can perform downloads, I will provide links for AV and Firewall. If problems are still arising, you may have to burn an AV and FW and make another trip out there.
Ried is offline  
Old 03-09-2006, 03:56 AM   #11
TSF Enthusiast
 
Join Date: Mar 2005
Posts: 894
OS: Windows XP Home


Hi,

My friend has fixed items with Hijack This but now cannot access any pages at all. I think it's the proxy 127.0.01:8080 causing the problems.

I've had her submit a new HJT log for us to look at.
Hustler24 is offline  
Old 03-09-2006, 05:46 AM   #12
TSF Security Manager
Emeritus
 
Microsoft Most Valuable Professional
 
Join Date: Jan 2005
Location: Ohio
Posts: 42,837
OS: WinXP Home, Vista, Windows 7 64bit


Hi Hustler,

That entry is fine, bear in mind that HijackThis is only 1 of many tools needed to reveal any malware that may be present. See if this will help, have her download Hoster. It will fit on a floppy if she needs to use another PC to accomplish this.

Run Hoster.exe.
Click "Make Hosts Writable?" in the upper right corner (If available).
Click Restore Original Hosts and then click OK.
Click the X to exit the program.
Ried is offline  
Old 03-10-2006, 02:15 AM   #13
TSF Enthusiast
 
Join Date: Mar 2005
Posts: 894
OS: Windows XP Home


Hi,

My friend has run Hoster and can download emails but cannot access any webpages at all.

Latest logfile below:



Logfile of HijackThis v1.99.1
Scan saved at 18:30:35, on 09/03/06
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v5.00 (5.00.2614.3500)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\MDM.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\MOUSE\SYSTEM\EM_EXEC.EXE
C:\PROGRAM FILES\NETROPA\MULTIMEDIA KEYBOARD\MMKEYBD.EXE
C:\PROGRAM FILES\NETROPA\ONSCREEN DISPLAY\OSD.EXE
C:\WINDOWS\SYSTEM\PRINTRAY.EXE
C:\PROGRAM FILES\REAL\REALPLAYER\REALPLAY.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\WIDCOMM\BLUETOOTH SOFTWARE\BTTRAY.EXE
C:\PROGRAM FILES\NETROPA\MULTIMEDIA KEYBOARD\MMUSBKB2.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
A:\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.wanadoo.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = https://www.freeserve.net/packard-bell
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRAM FILES\YAHOO!\COMPANION\YCOMP5_0_2_7.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\YCOMP5_0_2_7.DLL
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [EM_EXEC] c:\mouse\system\em_exec.exe
O4 - HKLM\..\Run: [Multimedia Keyboard] C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [Onscreen Display] C:\Program Files\Netropa\Onscreen Display\OSD.exe
O4 - HKLM\..\Run: [LexmarkPrinTray] PrinTray.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [BtStart] c:\Program Files\WIDCOMM\Bluetooth Software\bin\btstart.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] c:\windows\SYSTEM\mstask.exe
O4 - HKLM\..\RunServices: [Machine Debug Manager] C:\WINDOWS\SYSTEM\MDM.EXE
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: BTTray.lnk = C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
O8 - Extra context menu item: Send To &Bluetooth - c:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: RealGuide - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Freeserve - {F721BCE0-55D7-11D4-A398-C55D27723235} - https://www.freeserve.net/packard-bell/ (file missing) (HKCU)
O9 - Extra button: PB Home - {F721BCE1-55D7-11D4-A398-C55D27723235} - https://www.packardbell-europe.com/ (file missing) (HKCU)
O12 - Plugin for .mid: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .wav: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O14 - IERESET.INF: START_PAGE_URL=https://www.freeserve.net/packard-bell
O16 - DPF: NWGOUtility - https://www.nwolb.co.uk/nwol/classes/NWGOUtility.cab
O16 - DPF: SMapplet - https://www.nwolb.co.uk/nwol/rbs_htm...s/SMapplet.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/...sh/swflash.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (&Yahoo! Companion) - https://us.dl1.yimg.com/download.yaho...yiebio4025.cab
O16 - DPF: {56393399-041A-4650-94C7-13DFCB1F4665} (PSFormX Control) - https://www3.ca.com/securityadvisor/p...n/pestscan.cab


Thanks.
Hustler24 is offline  
Old 03-10-2006, 10:36 AM   #14
TSF Security Manager
Emeritus
 
Microsoft Most Valuable Professional
 
Join Date: Jan 2005
Location: Ohio
Posts: 42,837
OS: WinXP Home, Vista, Windows 7 64bit


Download WinsockFix https://www.greyknight17.com/spy/WinsockFix.zip and unzip it. Then double click on WinsockFix.exe to run it.

-------------------------

If Winsock worked, have her download an AV and Firewall.

AVG Free at Grisoft. Scroll down the page a bit for install link. Install it and make sure to check for updates.

ZoneAlarm Free

-------------------------

If an online scan can be done, please have her do one at Panda and post the results here along with a new HijackThis log.

-------------------------

Also have her download and install the following. If she is still having difficulties viewing webpages, download this program to a disc. Install it, update it and run the scan.

Download, install & launch - Webroot SpySweeper ( Trial) (8.3 MB)

When SpySweeper starts, please accept any prompts to update definitions. Exit the program after you have updated.

-------------------------

Disconnect the PC from the internet.

-------------------------

Reboot your computer into Safe Mode.

-------------------------

Launch & use the diagnostic version of SpySweeper & configure it as follows:
  • Click on the Start button
  • After it has finished scanning, click the Next button
  • Allow Spysweeper to reboot your machine to remove the infected files.
## IMPORTANT - do not use your computer as you scan.

# Reboot back to Normal Mode

Launch SpySweeper & select Results from the left pane
Click the 'Session Log' tab & choose Save to File to create a log.

Post that in your next reply along with a new HJT log.
Ried is offline  
Old 03-10-2006, 11:21 AM   #15
TSF Enthusiast
 
Join Date: Mar 2005
Posts: 894
OS: Windows XP Home


I've sent her the instructions and will keep you informed.

Thanks for the help.
Hustler24 is offline  
Old 03-14-2006, 02:44 AM   #16
TSF Enthusiast
 
Join Date: Mar 2005
Posts: 894
OS: Windows XP Home


WinsockFix didn't work I'm afraid.

I sent her a link to the EXE file directly because she can't unzip anything.

She has uninstalled her modem, so we'll have to reinstall it before we try anything else.
Hustler24 is offline  
 
