
Discussion Starter #1 · Registered · 46 Posts
This message box opens at the start up. If I close it the desktop goes blank.
My work around is to leave it open, but place it as far off screen as possible. Is this the only solution available? The system's a 1999 Gateway with the supplied Windows 98 installed. Ran CWShredder, SpyBot, & AdAware. I get an Internet explorer error when trying a housecall scan at Trend Micro, so that's not an option I can use right now.

The system's wacky in other ways as well. But another day for that.
Thanks in advance.

Logfile of HijackThis v1.99.1
Scan saved at 10:00:24 AM, on 10/28/05
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\STARTER.EXE
C:\PROGRAM FILES\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by America Online
F1 - win.ini: load=C:\Americ~1.0\BuddyList.exe
F1 - win.ini: run=c:\windows\system\NortonAntiVir\RegistryReminder.exe
O2 - BHO: (no name) - {E99896EC-2FA7-0D42-727A-B792E2646594} - C:\WINDOWS\SYSTEM\prorplmt\kdktpmds.dll
O2 - BHO: COMMUNICATOR - {4E7BD74F-2B8D-469E-8DBC-A42EB79CB428} - C:\WINDOWS\SYSTEM\communicator.dll
O2 - BHO: (no name) - {0AD937E7-2F37-4873-A05E-548A67EF1D0E} - (no file)
O3 - Toolbar: COMMUNICATOR - {4E7BD74F-2B8D-469E-8DBC-A42EB79CB428} - C:\WINDOWS\SYSTEM\communicator.dll
O3 - Toolbar: @msdxmLC.dll,[email protected],&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
O4 - HKLM\..\Run: [SrchfstUpdate] C:\WINDOWS\srchupdt.exe
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O12 - Plugin for .com/banner/?661: C:\Program Files\Netscape\Communicator\Program\PLUGINS\npswf32.dll
O12 - Plugin for .swf: C:\Program Files\Netscape\Communicator\Program\PLUGINS\npswf32.dll
O12 - Plugin for .dir: C:\Program Files\Netscape\Communicator\Program\PLUGINS\NP32DSW.DLL
O12 - Plugin for .dcr: C:\Program Files\Netscape\Communicator\Program\PLUGINS\NP32DSW.DLL
O12 - Plugin for .avi: C:\Program Files\Netscape\Communicator\Program\PLUGINS\npavi32.dll
O15 - Trusted Zone: *.elitemediagroup.net
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: Yahoo! Poker - http://download.games.yahoo.com/games/clients/y/pt3_x.cab
O16 - DPF: {9AC54695-69A4-46F1-BE10-10C74F9520D5} (elitectl.DemoCtl) - http://cabs.elitemediagroup.net/cabs/mediaview.cab
 

Discussion Starter #3 · Registered · 46 Posts
Thanks, I've already done that and replaced older system files with more recent ones from back-ups. The machine's still pretty gummed up though.
 

TSF Security Team, Emeritus · 6,962 Posts
Hi and Welcome to TSF

Before attacking an adware/spyware problem with hijackthis make sure you have already run the following tools. Download and update the databases on each program before running.

Also make sure you are using the latest version (1.99.1) of HijackThis and it's installed in its own folder on the root drive. (C:\HJT)

Download and install CleanUp! but do not run it yet.

*WARNING* Cleanup deletes EVERYTHING out of temp/temporary folders and does not make backups.

Open My Computer>>View>>Folder Options>>View Tab>>Advanced settings box, under the "Hidden files" folder, select Show all files>>Apply>>OK

Reboot into Safe Mode (hit F8 key until menu shows up). Make sure to close any open browsers. Check and fix the following in HijackThis if they still exist (make sure you do not miss an entry).

F1 - win.ini: load=C:\Americ~1.0\BuddyList.exe
F1 - win.ini: run=c:\windows\system\NortonAntiVir\RegistryReminder.exe
O2 - BHO: (no name) - {E99896EC-2FA7-0D42-727A-B792E2646594} - C:\WINDOWS\SYSTEM\prorplmt\kdktpmds.dll
O2 - BHO: COMMUNICATOR - {4E7BD74F-2B8D-469E-8DBC-A42EB79CB428} - C:\WINDOWS\SYSTEM\communicator.dll
O2 - BHO: (no name) - {0AD937E7-2F37-4873-A05E-548A67EF1D0E} - (no file)
O3 - Toolbar: COMMUNICATOR - {4E7BD74F-2B8D-469E-8DBC-A42EB79CB428} - C:\WINDOWS\SYSTEM\communicator.dll
O4 - HKLM\..\Run: [SrchfstUpdate] C:\WINDOWS\srchupdt.exe
O15 - Trusted Zone: *.elitemediagroup.net
O16 - DPF: {9AC54695-69A4-46F1-BE10-10C74F9520D5} (elitectl.DemoCtl) - http://cabs.elitemediagroup.net/cabs/mediaview.cab


Delete the following Files/Folders in RED (delete folders if no filename is specified or if they are highlighted in RED) according to their directory (If you can't find them...do a search for them…make sure you have search hidden files, folders, subdirectories, etc. enabled if it applies to your OS)

C:\Americ~1.0\BuddyList.exe
c:\windows\system\NortonAntiVir\RegistryReminder.exe
C:\WINDOWS\SYSTEM\prorplmt\kdktpmds.dll
C:\WINDOWS\SYSTEM\communicator.dll
C:\WINDOWS\srchupdt.exe


Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu). Set the program up as follows:
*Click "Options..."
*Move the arrow down to "Custom CleanUp!"
*Put a check next to the following:
  • Empty Recycle Bins
  • Delete Cookies
  • Delete Prefetch files
    [X]Scan local drives for temporary files (Please uncheck this option)
  • Cleanup! All Users
Click OK
Press the CleanUp! button to start the program. Reboot/logoff when prompted.

Once back to normal windows....

Please run an online scan at http://www.pandasoftware.com/products/activescan.htm
Make sure you click the "Free Online Virus Scan" in the upper right hand corner of the page under the Free use Activescan header. We do NOT want the default spyXposer scan.
Once it has finished save the activescan log. Then post that log in your next post along with a new hijackthis log.
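Added example (not HijackThis code and not from any post in this thread): a small Python triage script that parses the HijackThis log format shown above and flags the same kinds of entries the helper picked out. The rules and the allowlist of scan-download hosts are constructed assumptions; the sample lines are taken from the log posted in this thread.

```python
"""Triage a HijackThis 1.99.1 log with a few defensive heuristics.

Added example for this thread, not part of HijackThis or of any post here.
The allowlist and the rules are constructed assumptions for illustration.
"""
import re
from urllib.parse import urlparse

# Sample entries taken from the log posted in this thread (HijackThis section prefixes R1/F1/O2/O4/O15/O16).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by America Online
F1 - win.ini: load=C:\Americ~1.0\BuddyList.exe
O2 - BHO: (no name) - {E99896EC-2FA7-0D42-727A-B792E2646594} - C:\WINDOWS\SYSTEM\prorplmt\kdktpmds.dll
O2 - BHO: (no name) - {0AD937E7-2F37-4873-A05E-548A67EF1D0E} - (no file)
O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
O4 - HKLM\..\Run: [SrchfstUpdate] C:\WINDOWS\srchupdt.exe
O15 - Trusted Zone: *.elitemediagroup.net
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {9AC54695-69A4-46F1-BE10-10C74F9520D5} (elitectl.DemoCtl) - http://cabs.elitemediagroup.net/cabs/mediaview.cab
"""

# Constructed allowlist: the hosts the helpers in this thread send the user to for online scans.
TRUSTED_DPF_DOMAINS = {"trendmicro.com", "pandasoftware.com", "kaspersky.com"}

ENTRY_RE = re.compile(r"^(?P<section>[A-Z]\d+) - (?P<body>.*)$")
URL_RE = re.compile(r"https?://\S+")
RUN_TARGET_RE = re.compile(r"\]\s*(?P<target>.*)$")
WINDIR_ROOT_RE = re.compile(r"^[a-z]:\\windows\\[^\\]+$", re.IGNORECASE)


def _host_allowed(url: str) -> bool:
    host = (urlparse(url).hostname or "").lower()
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DPF_DOMAINS)


def classify(section: str, body: str):
    """Return a reason string if the entry deserves manual review, else None."""
    if section == "F1":
        return "win.ini load=/run= autostart; verify the target program"
    if section in ("O2", "O3") and ("(no name)" in body or body.endswith("(no file)")):
        return "BHO/toolbar with no name or missing file"
    if section == "O4":
        m = RUN_TARGET_RE.search(body)
        target = m.group("target").strip().strip('"') if m else ""
        if WINDIR_ROOT_RE.match(target):
            return "autostart executable dropped directly in the Windows directory"
    if section == "O15":
        return "site added to the IE Trusted Zone (weakened security settings for that site)"
    if section == "O16":
        m = URL_RE.search(body)
        if m and not _host_allowed(m.group(0)):
            return "ActiveX download from a host outside the allowlist"
    return None


def triage(log_text: str):
    """Parse a HijackThis log and return (section, reason, line) for flagged entries."""
    flagged = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue  # header lines, the process list and blank lines carry no R/F/O entry
        reason = classify(m.group("section"), m.group("body"))
        if reason:
            flagged.append((m.group("section"), reason, line.strip()))
    return flagged


if __name__ == "__main__":
    for section, reason, line in triage(SAMPLE_LOG):
        print(f"[{section}] {reason}\n    {line}")
```

The heuristics only mark entries for a human to look at; the Ensoniq starter.exe entry and the Trend Micro control pass, the "(no name)" BHOs, the Trusted Zone entry and the elitemediagroup.net control do not.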
 

Discussion Starter #5 · Registered · 46 Posts
Incident Status Location

Virus:W32/Admincash.B Disinfected Operating system
Adware:adware/cws No disinfected C:\WINDOWS\Favorites\LIVING\Insurance.lnk
Spyware:spyware/marketscore No disinfected C:\WINDOWS\SYSTEM\CSLOA.DLL
Spyware:spyware/cydoor No disinfected C:\WINDOWS\SYSTEM\cd_clint.dll
Adware:adware/addestroyer No disinfected C:\WINDOWS\SYSTEM\SWRT01.dll
Adware:adware/iguard No disinfected C:\WINDOWS\SYSTEM\wldr.dll
Adware:adware/virtualbouncer No disinfected C:\WINDOWS\SYSTEM\INNERADINSTALL.LOG
Adware:adware/topspyware No disinfected C:\WINDOWS\SYSTEM\spoolsrv32.exe
Adware:adware/spysheriff No disinfected C:\WINDOWS\SYSTEM\sefe.exe
Dialer:dialer.no No disinfected C:\WINDOWS\DOWNLOADED PROGRAM FILES\rdgUS1742.exe
Adware:adware/sbsoft No disinfected C:\WINDOWS\DOWNLOADED PROGRAM FILES\webdlg32.inf
Adware:adware/savenow No disinfected C:\WINDOWS\DOWNLOADED PROGRAM FILES\WUInst.dll
Spyware:spyware/betterinet No disinfected C:\WINDOWS\INF\BIINI.INF
Adware:adware/ipinsight No disinfected C:\WINDOWS\INF\POLALL1R.INF
Spyware:spyware/lzio-media No disinfected C:\WINDOWS\io2uns.exe
Adware:adware/ezula No disinfected C:\WINDOWS\woinstall.exe
Adware:adware/ncase No disinfected C:\PROGRAM FILES\nCase
Adware:adware/stripplayer No disinfected C:\PROGRAM FILES\strip-player
Adware:adware/flashtrack No disinfected C:\PROGRAM FILES\Ftk
Adware:adware/powersearch No disinfected C:\PROGRAM FILES\PowerSearch
Adware:adware/portalscan No disinfected C:\PROGRAM FILES\COMMON FILES\Slmss
Adware:adware/sidesearch No disinfected C:\WINDOWS\Application Data\Lycos
Spyware:spyware/heterofind No disinfected C:\spe
Adware:adware/bookedspace No disinfected C:\WINDOWS\bsx32
Adware:adware/xupiter No disinfected Windows Registry
Virus:Trj/Banbra.EV Disinfected C:\WINDOWS\Desktop\John's Folder\games\yay\Pool\XAimer\Keyboard.dll
Adware:Adware/eZula No disinfected C:\WINDOWS\Desktop\John's Folder\CDz\MP3 to WAV Decoder\MthreeTopText_ezStub.exe
Adware:Adware/Beginto No disinfected C:\WINDOWS\Desktop\tool.exe
Spyware:Spyware/BetterInet No disinfected C:\WINDOWS\SYSTEM\IAicm.dll
Virus:Trojan Horse Disinfected C:\WINDOWS\SYSTEM\bH.dll
Adware:Adware/VirtualBouncer No disinfected C:\WINDOWS\SYSTEM\SWRT01.dll
Adware:Adware/VirtualBouncer No disinfected C:\WINDOWS\SYSTEM\BO2809040510.exe
Adware:Adware/SAHAgent No disinfected C:\WINDOWS\SYSTEM\xmltok.dll
Adware:Adware/SearchExe No disinfected C:\WINDOWS\SYSTEM\echn.dll
Adware:Adware/TopSpyware No disinfected C:\WINDOWS\SYSTEM\spoolsrv32.exe
Adware:Adware/Beginto No disinfected C:\WINDOWS\SYSTEM\tool.exe
Adware:Adware/SAHAgent No disinfected C:\WINDOWS\INF\BI7.INF
Adware:Adware/SAHAgent No disinfected C:\WINDOWS\INF\BI6.INF
Adware:Adware/SAHAgent No disinfected C:\WINDOWS\INF\BIJ.INF
Adware:Adware/SAHAgent No disinfected C:\WINDOWS\INF\BIK.INF
Adware:Adware/Transponder No disinfected C:\WINDOWS\INF\POLALL1R.INF
Dialer:Dialer.CBZ No disinfected C:\WINDOWS\Downloaded Program Files\rdgUS1742.exe
Dialer:Dialer.NO No disinfected C:\WINDOWS\Downloaded Program Files\gdnUS48.exe
Adware:Adware/SBSoft No disinfected C:\WINDOWS\Downloaded Program Files\webdlg32.inf
Adware:Adware/SaveNow No disinfected C:\WINDOWS\Downloaded Program Files\WUInst.dll
Adware:Adware/Adtomi No disinfected C:\WINDOWS\yahoostock28.exe
Adware:Adware/ISearch No disinfected C:\WINDOWS\MTE3MDk6ODoxNg-2.exe
Adware:Adware/Gator No disinfected C:\Program Files\GatInst\trickler_bic_dopewars_3013.exe
Possible Virus. No disinfected C:\Program Files\ScreenSaver Manager\Uninstall.exe
Virus:Bck/Agent.ANU Disinfected C:\Program Files\ScreenSaver Manager\vjbtvtl.exe
Adware:Adware/FlashTrack No disinfected C:\Program Files\Ftk\f.bak
Adware:Adware/FlashTrack No disinfected C:\Program Files\Ftk\ftkclean.exe
Adware:Adware/FlashTrack No disinfected C:\Program Files\Ftk\Ftkcpy_inst.exe
Adware:Adware/FlashTrack No disinfected C:\Program Files\Ftk\ftk.dll
Possible Virus. No disinfected C:\Program Files\2Wire\sy_apps\dllupdate.exe
Adware:Adware/PurityScan No disinfected C:\install_beakan01.exe
Virus:Trojan Horse.LC Disinfected C:\ones.RB0[Double-Click to Extract Text]
Adware:Adware/Startpage.JW No disinfected C:\spe\start.chm
--------------------------------------------------------------------------
Logfile of HijackThis v1.99.1
Scan saved at 12:10:29 PM, on 10/29/05
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\STARTER.EXE
C:\PROGRAM FILES\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by America Online
O3 - Toolbar: @msdxmLC.dll,[email protected],&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O12 - Plugin for .com/banner/?661: C:\Program Files\Netscape\Communicator\Program\PLUGINS\npswf32.dll
O12 - Plugin for .swf: C:\Program Files\Netscape\Communicator\Program\PLUGINS\npswf32.dll
O12 - Plugin for .dir: C:\Program Files\Netscape\Communicator\Program\PLUGINS\NP32DSW.DLL
O12 - Plugin for .dcr: C:\Program Files\Netscape\Communicator\Program\PLUGINS\NP32DSW.DLL
O12 - Plugin for .avi: C:\Program Files\Netscape\Communicator\Program\PLUGINS\npavi32.dll
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: Yahoo! Poker - http://download.games.yahoo.com/games/clients/y/pt3_x.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab

--------------------------------------------------------------------------

No explorer error on start up! Thanks for the guidance!
Some of the scan report looks suspicious though, don't you think?
 

TSF Security Team, Emeritus · 6,962 Posts
Yes... we have quite a bit more to do.

Run the Cleanup Utility again..and reboot/logoff when prompted. Then reboot back to safe mode. Open add/remove programs and remove any of the following IF listed.

eZula
Stripplayer
Flashtrack
Powersearch
SaveNow (WhenU)
ScreenSaver Manager


Delete the following files and folders.....

*Note* Some of these may return or can't be deleted...so we will address them on the next pass. Just delete what you can.

C:\WINDOWS\Favorites\LIVING <--folder
C:\WINDOWS\SYSTEM\CSLOA.DLL
C:\WINDOWS\SYSTEM\cd_clint.dll
C:\WINDOWS\SYSTEM\SWRT01.dll
C:\WINDOWS\SYSTEM\wldr.dll
C:\WINDOWS\SYSTEM\INNERADINSTALL.LOG
C:\WINDOWS\SYSTEM\spoolsrv32.exe
C:\WINDOWS\SYSTEM\sefe.exe
C:\WINDOWS\DOWNLOADED PROGRAM FILES\rdgUS1742.exe
C:\WINDOWS\DOWNLOADED PROGRAM FILES\webdlg32.inf
C:\WINDOWS\DOWNLOADED PROGRAM FILES\WUInst.dll
C:\WINDOWS\INF\BIINI.INF
C:\WINDOWS\INF\POLALL1R.INF
C:\WINDOWS\io2uns.exe
C:\WINDOWS\woinstall.exe
C:\PROGRAM FILES\nCase <--folder
C:\PROGRAM FILES\strip-player <--folder
C:\PROGRAM FILES\Ftk <--folder
C:\PROGRAM FILES\PowerSearch <--folder
C:\PROGRAM FILES\COMMON FILES\Slmss <--folder
C:\WINDOWS\Application Data\Lycos<--folder
C:\spe <--folder
C:\WINDOWS\bsx32 <--folder
C:\WINDOWS\Desktop\John's Folder\games\yay\Pool\XAimer\Keyboard.dll
C:\WINDOWS\Desktop\John's Folder\CDz\MP3 to WAV Decoder\MthreeTopText_ezStub.exe
C:\WINDOWS\Desktop\tool.exe
C:\WINDOWS\SYSTEM\IAicm.dll
C:\WINDOWS\SYSTEM\bH.dll
C:\WINDOWS\SYSTEM\SWRT01.dll
C:\WINDOWS\SYSTEM\BO2809040510.exe
C:\WINDOWS\SYSTEM\xmltok.dll
C:\WINDOWS\SYSTEM\echn.dll
C:\WINDOWS\SYSTEM\tool.exe
C:\WINDOWS\INF\BI7.INF
C:\WINDOWS\INF\BI6.INF
C:\WINDOWS\INF\BIJ.INF
C:\WINDOWS\INF\BIK.INF
C:\WINDOWS\INF\POLALL1R.INF
C:\WINDOWS\Downloaded Program Files\gdnUS48.exe
C:\WINDOWS\yahoostock28.exe
C:\WINDOWS\MTE3MDk6ODoxNg-2.exe
C:\Program Files\GatInst <--folder
C:\Program Files\ScreenSaver Manager <--folder
C:\Program Files\Ftk <--folder
C:\install_beakan01.exe
C:\ones.RB0[Double-Click to Extract Text]
C:\spe <--folder

Now boot back to normal mode. We are going to run 2 scanners this time....

Please download Trend Micro™ Anti-Spyware for the Web Utility (by clicking the "Scan and Clean your PC" button).
  • Save it to your desktop.
  • Double-click the new icon on your desktop (tmas-web-scan.exe)
  • It will say "Loading TrendMicro definitions".
  • Once the definitions are loaded, the program will appear to close then re-open.
  • Click "Start Scan"
  • After it's done scanning, click "Scan Results"
  • Make sure all items found have a check next to them, then click "Clean Threats Now".
  • Click Exit.

Reboot your computer. In place of the TrendMicro icon will be a text file called "Antispyware.log".

I then need you to repeat the same procedure above again... using the TrendMicro scan tool. I need the log from the second scan/clean...NOT the first...as this will contain what’s left in the system.


After you run that scanner...run another Panda scan and post both the Panda scan log and the TrendMicro logs.
 

Discussion Starter #7 · Registered · 46 Posts
I got through your instructions but was unable to run Trend Micro's Scan.
I saw another post pertaining to the same issue and ran a Kaspersky Scan, saved the file as text, and am running a Panda Scan as I write this. Will post the results when it's done.

Thanks for your help!
 

Discussion Starter #8 · Registered · 46 Posts
-------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Sunday, October 30, 2005 13:31:09
Operating System: Microsoft Windows 98
Kaspersky On-line Scanner version: 5.0.67.0
Kaspersky Anti-Virus database last update: 30/10/2005
Kaspersky Anti-Virus database records: 147683
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
a:\
c:\
d:\
e:\

Scan Statistics:
Total number of scanned objects: 31975
Number of viruses found: 8
Number of infected objects: 10
Number of suspicious objects: 6
Duration of the scan process: 5287 sec

Infected Object Name - Virus Name
c:\RECYCLED\DC14\Ftkcpy_inst.exe/data0002 Infected: Trojan.Win32.Starter.g
c:\RECYCLED\DC14\Ftkcpy_inst.exe Infected: Trojan.Win32.Starter.g
c:\WINDOWS\SYSTEM\Gksui16.EXE Infected: Virus.Win9x.CIH.corrupted
c:\WINDOWS\SYSTEM\mamc0mp.dll Infected: Trojan-Dropper.Win32.Bunch
c:\WINDOWS\SYSTEM\iegfxfrw.dll Infected: Trojan.Win32.StartPage.iv
c:\WINDOWS\SYSTEM\sxnngy\dudjo.exe Infected: Trojan-Downloader.Win32.Agent.lg
c:\WINDOWS\Application Data\Spybot - Search & Destroy\Recovery\SaveNow2.zip/SaveUninst.exe Suspicious: Password-protected-EXE
c:\WINDOWS\Application Data\Spybot - Search & Destroy\Recovery\SaveNow2.zip Suspicious: Password-protected-EXE
c:\WINDOWS\Application Data\Spybot - Search & Destroy\Recovery\PowerStrip.zip/PSLauncher.exe Suspicious: Password-protected-EXE
c:\WINDOWS\Application Data\Spybot - Search & Destroy\Recovery\PowerStrip.zip Suspicious: Password-protected-EXE
c:\WINDOWS\Application Data\Spybot - Search & Destroy\Recovery\WildTangent.zip/backup/1.2.4.0/wcmdmgr.exe Suspicious: Password-protected-EXE
c:\WINDOWS\Application Data\Spybot - Search & Destroy\Recovery\WildTangent.zip Suspicious: Password-protected-EXE
c:\WINDOWS\Downloaded Program Files\rdgUS1742.exe Infected: Trojan.Win32.Dialer.ht
c:\WINDOWS\Downloaded Program Files\gdnUS48.exe Infected: Trojan-Downloader.Win32.Small.ayl
c:\Program Files\REAL\RealOne Player DB\Update\rnuninst.exe Infected: Virus.Win9x.CIH.corrupted
c:\Program Files\backups\backup-20051029-102940-259.dll Infected: Trojan-Downloader.Win32.Agent.lg

Scan process completed.
-------------------------------------------------------------------------



Incident Status Location

Adware:adware/cws No disinfected C:\WINDOWS\Favorites\SHOP\Discount.lnk
Adware:adware/virtualbouncer No disinfected C:\WINDOWS\SYSTEM\INNERVBINSTALL.LOG
Dialer:dialer.no No disinfected C:\WINDOWS\DOWNLOADED PROGRAM FILES\rdgUS1742.exe
Adware:adware/sbsoft No disinfected C:\WINDOWS\DOWNLOADED PROGRAM FILES\webdlg32.inf
Adware:adware/savenow No disinfected C:\WINDOWS\DOWNLOADED PROGRAM FILES\WUInst.dll
Adware:adware/addestroyer No disinfected C:\WINDOWS\Start Menu\Programs\AdDestroyer
Adware:adware/xupiter No disinfected Windows Registry
Adware:Adware/VirtualBouncer No disinfected C:\RECYCLED\DC3.DLL
Adware:Adware/TopSpyware No disinfected C:\RECYCLED\DC6.EXE
Adware:Adware/Transponder No disinfected C:\RECYCLED\DC9.INF
Adware:Adware/FlashTrack No disinfected C:\RECYCLED\DC14\f.bak
Adware:Adware/FlashTrack No disinfected C:\RECYCLED\DC14\ftkclean.exe
Adware:Adware/FlashTrack No disinfected C:\RECYCLED\DC14\Ftkcpy_inst.exe
Adware:Adware/FlashTrack No disinfected C:\RECYCLED\DC14\ftk.dll
Dialer:Dialer.CBZ No disinfected C:\WINDOWS\Downloaded Program Files\rdgUS1742.exe
Dialer:Dialer.NO No disinfected C:\WINDOWS\Downloaded Program Files\gdnUS48.exe
Adware:Adware/SBSoft No disinfected C:\WINDOWS\Downloaded Program Files\webdlg32.inf
Adware:Adware/SaveNow No disinfected C:\WINDOWS\Downloaded Program Files\WUInst.dll
Possible Virus. No disinfected C:\Program Files\2Wire\sy_apps\dllupdate.exe
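Added example, not Panda's code and not from any post here: the helper warned above that some items may return on the next pass, and the Panda reports in this thread list the same file under both an upper-case and a mixed-case path. This Python snippet parses the "Incident Status Location" format, folds paths case-insensitively, and reports what persisted, cleared or newly appeared between two passes; PASS_1 and PASS_2 are constructed excerpts of the reports posted above.

```python
"""Compare two Panda ActiveScan reports from successive cleanup passes.

Added example for this thread; it is not Panda's code or any poster's.
PASS_1 and PASS_2 are constructed excerpts in the report format posted above.
"""
import re

PASS_1 = r"""
Incident Status Location

Virus:W32/Admincash.B Disinfected Operating system
Adware:adware/cws No disinfected C:\WINDOWS\Favorites\LIVING\Insurance.lnk
Adware:adware/savenow No disinfected C:\WINDOWS\DOWNLOADED PROGRAM FILES\WUInst.dll
Adware:Adware/SaveNow No disinfected C:\WINDOWS\Downloaded Program Files\WUInst.dll
Adware:adware/xupiter No disinfected Windows Registry
Adware:Adware/FlashTrack No disinfected C:\Program Files\Ftk\ftk.dll
Possible Virus. No disinfected C:\Program Files\2Wire\sy_apps\dllupdate.exe
"""

PASS_2 = r"""
Incident Status Location

Adware:adware/cws No disinfected C:\WINDOWS\Favorites\SHOP\Discount.lnk
Adware:adware/savenow No disinfected C:\WINDOWS\DOWNLOADED PROGRAM FILES\WUInst.dll
Adware:Adware/SaveNow No disinfected C:\WINDOWS\Downloaded Program Files\WUInst.dll
Adware:adware/xupiter No disinfected Windows Registry
Adware:Adware/FlashTrack No disinfected C:\RECYCLED\DC14\ftk.dll
Possible Virus. No disinfected C:\Program Files\2Wire\sy_apps\dllupdate.exe
"""

# One report line is <incident> <status> <location>; the incident name may contain spaces
# ("Possible Virus."), so the pattern anchors on the two status words the scanner uses.
LINE_RE = re.compile(r"^(?P<incident>.+?)\s+(?P<status>No disinfected|Disinfected)\s+(?P<location>.+)$")


def parse_report(text):
    """Return {normalized location: incident} for items the scanner could not clean.

    Windows paths are case-insensitive, so a file reported as both
    'DOWNLOADED PROGRAM FILES' and 'Downloaded Program Files' collapses to one key.
    """
    remaining = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m.group("status") != "No disinfected":
            continue  # header, blank, or already disinfected
        remaining.setdefault(m.group("location").strip().lower(), m.group("incident"))
    return remaining


def compare_passes(before_text, after_text):
    """Classify uncleaned items as persisted, cleared or new between two passes."""
    before, after = parse_report(before_text), parse_report(after_text)
    return {
        "persisted": sorted(set(before) & set(after)),
        "cleared": sorted(set(before) - set(after)),
        "new": sorted(set(after) - set(before)),
    }


def in_recycle_bin(location):
    """True for items that now sit in the Recycle Bin (the RECYCLED folder on Win9x)."""
    return "\\recycled\\" in location.lower()


if __name__ == "__main__":
    for bucket, items in compare_passes(PASS_1, PASS_2).items():
        print(bucket)
        for loc in items:
            print("   ", loc, "(in recycle bin)" if in_recycle_bin(loc) else "")
```

Items that moved into the RECYCLED folder were deleted but not yet purged; emptying the Recycle Bin, as the helper instructs below, removes them from the next report.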
 

TSF Security Manager, Emeritus · 42,837 Posts
Hello kammra,

Download KillBox http://www.greyknight17.com/spy/KillBox.exe.

Next, please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.

Copy the file names below to the clipboard by highlighting them and pressing Ctrl-C:

c:\WINDOWS\SYSTEM\Gksui16.EXE
c:\WINDOWS\SYSTEM\mamc0mp.dll
c:\WINDOWS\SYSTEM\iegfxfrw.dll
c:\WINDOWS\SYSTEM\sxnngy\dudjo.exe
c:\WINDOWS\Downloaded Program Files\rdgUS1742.exe
c:\WINDOWS\Downloaded Program Files\gdnUS48.exe
C:\WINDOWS\SYSTEM\INNERVBINSTALL.LOG
C:\WINDOWS\DOWNLOADED PROGRAM FILES\webdlg32.inf
C:\WINDOWS\DOWNLOADED PROGRAM FILES\WUInst.dll


Start KillBox.
Go to the File menu, and choose Paste from Clipboard.
*Verify that you've done this properly by clicking the dropdown-arrow next to the Full Path of File to Delete field. The filenames you pasted will be found in there.

Select/tick the following:
* Delete on Reboot
* End Explorer Shell While Killing File
* Unregister .dll Before Deleting (if it's not grayed out)
Click the RED X button.

Click [Yes] at the 'Delete on Reboot' prompt. Click [No] at the Pending Operations prompt.

Uninstall the following via the Add/Remove Panel (Start->(Settings)->Control Panel->Add/Remove Programs) if it's there:

AdDestroyer

Delete the following folders:

C:\WINDOWS\Favorites\SHOP\Discount.lnk
C:\WINDOWS\Start Menu\Programs\AdDestroyer
Do a search for AdDestroyer and delete any additional folders if found.

Open Spybot Click on 'Recovery' in the left panel. Select all and 'Purge'.

Empty your Recycle Bin.

Reboot into Normal Mode. Run another scan with Panda and post the results here along with a new HijackThis log.
 

Discussion Starter #10 · Registered · 46 Posts
Incident Status Location

Adware:adware/cws No disinfected C:\WINDOWS\Favorites\SHOP\Discount.lnk
Dialer:dialer.no No disinfected C:\WINDOWS\DOWNLOADED PROGRAM FILES\rdgUS1742.exe
Adware:adware/sbsoft No disinfected C:\WINDOWS\DOWNLOADED PROGRAM FILES\webdlg32.inf
Adware:adware/savenow No disinfected C:\WINDOWS\DOWNLOADED PROGRAM FILES\WUInst.dll
Adware:adware/xupiter No disinfected Windows Registry
Dialer:Dialer.CBZ No disinfected C:\WINDOWS\Downloaded Program Files\rdgUS1742.exe
Dialer:Dialer.NO No disinfected C:\WINDOWS\Downloaded Program Files\gdnUS48.exe
Adware:Adware/SBSoft No disinfected C:\WINDOWS\Downloaded Program Files\webdlg32.inf
Adware:Adware/SaveNow No disinfected C:\WINDOWS\Downloaded Program Files\WUInst.dll
Possible Virus. No disinfected C:\Program Files\2Wire\sy_apps\dllupdate.exe
-------------------------------------------------------------------------


Logfile of HijackThis v1.99.1
Scan saved at 10:29:01 AM, on 11/1/05
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\STARTER.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by America Online
O3 - Toolbar: @msdxmLC.dll,[email protected],&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
O4 - HKCU\..\Run: [AIM] "C:\WINDOWS\Desktop\John's Folder\AIM +\AIM+\AIM+.exe" -cnetwait.odl
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O12 - Plugin for .com/banner/?661: C:\Program Files\Netscape\Communicator\Program\PLUGINS\npswf32.dll
O12 - Plugin for .swf: C:\Program Files\Netscape\Communicator\Program\PLUGINS\npswf32.dll
O12 - Plugin for .dir: C:\Program Files\Netscape\Communicator\Program\PLUGINS\NP32DSW.DLL
O12 - Plugin for .dcr: C:\Program Files\Netscape\Communicator\Program\PLUGINS\NP32DSW.DLL
O12 - Plugin for .avi: C:\Program Files\Netscape\Communicator\Program\PLUGINS\npavi32.dll
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: Yahoo! Poker - http://download.games.yahoo.com/games/clients/y/pt3_x.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/kws/kavwebscan_ansi.cab
 

TSF Security Manager, Emeritus · 42,837 Posts
Reboot into Safe Mode.

Copy the file names below to the clipboard by highlighting them and pressing Ctrl-C:

C:\WINDOWS\DOWNLOADED PROGRAM FILES\rdgUS1742.exe
C:\WINDOWS\DOWNLOADED PROGRAM FILES\webdlg32.inf
C:\WINDOWS\DOWNLOADED PROGRAM FILES\WUInst.dll
C:\WINDOWS\Downloaded Program Files\gdnUS48.exe
C:\WINDOWS\Favorites\SHOP\Discount.lnk


Start KillBox.
Go to the File menu, and choose Paste from Clipboard.
*Verify that you've done this properly by clicking the dropdown-arrow next to the Full Path of File to Delete field. The filenames you pasted will be found in there.
Select/tick the following:
* Delete on Reboot
* End Explorer Shell While Killing File
* Unregister .dll Before Deleting (if it's not grayed out)
Click the RED X button.

Click [Yes] at the 'Delete on Reboot' prompt. Click [YES] at the Pending Operations prompt.

Reboot into Normal Mode. Run another scan with Panda and post the results here. How is your system running now?
 

Discussion Starter #12 · Registered · 46 Posts
No Explorer Illegal Operation at start up any more. Thanks!


Incident Status Location

Adware:adware/cws No disinfected C:\WINDOWS\Favorites\SHOP\Discount.lnk
Adware:adware/savenow No disinfected C:\WINDOWS\DOWNLOADED PROGRAM FILES\WUInst.inf
Adware:adware/xupiter No disinfected Windows Registry
Virus:Trj/Downloader.FXO Disinfected C:\WINDOWS\SYSTEM\sxnngy\dudjo.exe
Possible Virus. No disinfected C:\Program Files\2Wire\sy_apps\dllupdate.exe
 

TSF Security Manager, Emeritus · 42,837 Posts
We're almost there. :smile:

Reboot into Safe Mode and delete the following file and folder:

C:\WINDOWS\Favorites\SHOP
C:\WINDOWS\DOWNLOADED PROGRAM FILES\WUInst.inf

Reboot into Normal Mode. Run Panda again and post the results here along with a new HijackThis log.
 

Discussion Starter #14 · Registered · 46 Posts
Ried,

Thanks for all of your help.

I've deleted

C:\WINDOWS\Favorites\SHOP

But, I can't seem to find

C:\WINDOWS\DOWNLOADED PROGRAM FILES\WUInst.inf

even when doing a "Find File" search. I've got "Show Hidden Files" checked, but it doesn't appear anywhere except in the scans. Any clue how to find it?
 

TSF Security Manager, Emeritus · 42,837 Posts
The scan is giving us a full path, so it is there. :smile: Please make sure you're searching under the same user account as the scan was done in.
 