Discussion Starter · #1 ·
Since Ried was with me before, I suppose this is directed to him. Ran through the 5 steps on my ME machine. Symantec detected adware.webbar and Panda detected reboot.F virus. Everything has been slow to load. I use this machine mainly to do audio file editing and upload/download bit torrents to/from bt.etree.org and other (legal) live music download sites. I upgraded my torrent client to Azureus with encryption because my ISP is blocking torrents. The upgraded client would connect to peers for a few minutes, then the PC would freeze once speeds got towards maximum. HijackThis log posted for your expert analysis. - John

Logfile of HijackThis v1.99.1
Scan saved at 8:07:49 PM, on 2/2/2007
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
C:\WINDOWS\SYSTEM\KB918547\KB918547.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\SYSTEM\WBEM\WINMGMT.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMKEYBD.EXE
C:\WINDOWS\SYSTEM\HPSYSDRV.EXE
C:\PROGRAM FILES\MOTIVE\MOTMON.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\ADAPTEC\DIRECTCD\DIRECTCD.EXE
C:\PROGRAM FILES\BELKIN\BELKIN WIRELESS NETWORK UTILITY\WLANCFGG.EXE
C:\WINDOWS\SYSTEM\$SYS$FILESYSTEM\$SYS$DRMSERVER.EXE
C:\PROGRAM FILES\CREATIVE\SHAREDLL\CTNOTIFY.EXE
C:\WINDOWS\RunDLL.exe
C:\PROGRAM FILES\SPYBOT - SEARCH & DESTROY\TEATIMER.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\KEYBDMGR.EXE
C:\PROGRAM FILES\CREATIVE\SHAREDLL\MEDIADET.EXE
C:\PROGRAM FILES\NETROPA\ONSCREEN DISPLAY\OSD.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMUSBKB2.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://search.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.hpwis.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Keyboard Manager] C:\Program Files\Netropa\One-touch Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [Delay] C:\WINDOWS\delayrun.exe
O4 - HKLM\..\Run: [MotiveMonitor] C:\Program Files\Motive\motmon.exe
O4 - HKLM\..\Run: [HPLogiFinder] \WINDOWS\OPTIONS\CABS\LOGITECH\HP_FINDER.EXE
O4 - HKLM\..\Run: [Adaptec DirectCD] C:\Program Files\ADAPTEC\DIRECTCD\DIRECTCD.EXE
O4 - HKLM\..\Run: [InvokeSvc.exe] C:\Program Files\Belkin\Belkin Wireless Network Utility\WLanCfgG.exe
O4 - HKLM\..\Run: [$sys$DRMServer] C:\WINDOWS\SYSTEM\$sys$filesystem\$sys$DRMServer.exe
O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
O4 - HKLM\..\RunServices: [KB918547] C:\WINDOWS\SYSTEM\KB918547\KB918547.EXE
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\PROGRAM FILES\SPYBOT - SEARCH & DESTROY\TeaTimer.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O14 - IERESET.INF: START_PAGE_URL=http://hp.my.yahoo.com
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin9x/AvSniff.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
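A small parser for the HijackThis log format posted above, added here as an example; it is not part of the thread and not HijackThis's own code. It splits a log into its header, the running-process list and the `Rn`/`On` entries, takes the `O4` autostart entries apart into location, name and command, and flags what a log reader checks first: references to files that no longer exist, paths with a `$`-prefixed component (the file and service naming the Sony BMG XCP copy-protection rootkit used for the items it cloaked, which is what the `$sys$DRMServer` lines in the log above are), and the sites the R1/O14/O16 lines point at. The sample log is a constructed excerpt modelled on the one above, not the full log.

```python
import re

# Constructed excerpt in HijackThis v1.99 log layout, modelled on the log in the
# post above; it is not the full log and the ordering is simplified.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Scan saved at 8:07:49 PM, on 2/2/2007
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\$SYS$FILESYSTEM\$SYS$DRMSERVER.EXE
C:\PROGRAM FILES\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.hpwis.com/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [$sys$DRMServer] C:\WINDOWS\SYSTEM\$sys$filesystem\$sys$DRMServer.exe
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
"""

ENTRY_RE = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<body>.*)$")
# O4 registry entries: "<hive\..\key>: [<name>] <command>"
RUN_RE = re.compile(r"^(?P<where>.+?): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# O4 startup-folder entries: "Startup: <shortcut> = <target>"
STARTUP_RE = re.compile(r"^(?P<where>Startup|Global Startup): (?P<name>.+?) = (?P<cmd>.*)$")
DOLLAR_COMPONENT = re.compile(r"\\\$")  # backslash followed by '$': a $-prefixed path component
URL_RE = re.compile(r"https?://\S+")
URL_SECTIONS = {"R0", "R1", "R3", "O14", "O15", "O16"}  # sections whose value is a site, not a file


def parse_hjt(text):
    """Split a HijackThis log into (header dict, running-process list, [(section, body), ...])."""
    header, processes, entries = {}, [], []
    in_processes = False
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            in_processes = False  # the process block ends at the first blank line
            continue
        if line == "Running processes:":
            in_processes = True
            continue
        if in_processes:
            processes.append(line)
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.append((m.group("section"), m.group("body")))
            continue
        # Remaining lines are the header; the first two have no "key: value" shape.
        for prefix in ("Logfile of ", "Scan saved at "):
            if line.startswith(prefix):
                header[prefix.strip()] = line[len(prefix):]
                break
        else:
            key, sep, val = line.partition(": ")
            if sep:
                header[key] = val
    return header, processes, entries


def autostart_entries(entries):
    """Return the O4 entries as (where, name, command) triples."""
    out = []
    for section, body in entries:
        if section != "O4":
            continue
        m = RUN_RE.match(body) or STARTUP_RE.match(body)
        if m:
            out.append((m.group("where"), m.group("name"), m.group("cmd")))
    return out


def review_flags(entries, processes):
    """Items a reviewer looks at first, as (reason, section, detail) triples."""
    flags = []
    for path in processes:
        if DOLLAR_COMPONENT.search(path):
            flags.append(("$-prefixed path component", "process", path))
    for section, body in entries:
        if "(file missing)" in body:
            flags.append(("file missing", section, body))
        if DOLLAR_COMPONENT.search(body):
            flags.append(("$-prefixed path component", section, body))
        m = URL_RE.search(body)
        if m and section in URL_SECTIONS:
            flags.append(("external URL", section, m.group(0)))
    return flags


if __name__ == "__main__":
    header, procs, entries = parse_hjt(SAMPLE_LOG)
    print(header.get("Platform"), "-", len(procs), "processes,", len(entries), "entries")
    for where, name, cmd in autostart_entries(entries):
        print(f"autostart  {where:<22} [{name}] {cmd}")
    for reason, section, detail in review_flags(entries, procs):
        print(f"review     {reason:<26} {section:<8} {detail}")
```

The flags are prompts for a human reader, not verdicts: an orphaned `(file missing)` entry is usually leftover from an uninstall, a search-page URL from the OEM is expected on an HP build, and a `$`-prefixed path is worth checking precisely because it is a cloaking convention rather than something Windows itself uses.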
 

TSF Security Manager, Emeritus
Hi John, :smile:

If you still have the results of the Panda scan, can you post them here please?
 

Discussion Starter · #3 · (Edited)
Hi Ried, here goes it...

[edit-whoops, that was the old one. here's the current scan. the older version had the reboot.F (i can repost that if need be)]


Incident Status Location

Adware:adware/windowenhancer Not disinfected c:\windows\system\SBUtils
Adware:Adware/WindowEnhancer Not disinfected C:\WINDOWS\SYSTEM\SBUtils\SBWebCtl.dll
Spyware:Cookie/2o7 Not disinfected C:\WINDOWS\Application Data\Mozilla\Firefox\Profiles\4ij1ejoy.default\cookies.txt[.2o7.net/]
Spyware:Cookie/PointRoll Not disinfected C:\WINDOWS\Application Data\Mozilla\Firefox\Profiles\4ij1ejoy.default\cookies.txt[.ads.pointroll.com/]
Spyware:Cookie/CentrPort Not disinfected C:\WINDOWS\Application Data\Mozilla\Firefox\Profiles\4ij1ejoy.default\cookies.txt[.centrport.net/]
Spyware:Cookie/RealMedia Not disinfected C:\WINDOWS\Application Data\Mozilla\Firefox\Profiles\4ij1ejoy.default\cookies.txt[.realmedia.com/]
Spyware:Cookie/RealMedia Not disinfected C:\WINDOWS\Profiles\funk junkie\Application Data\Mozilla\Firefox\Profiles\4ij1ejoy.default\cookies.txt[.247realmedia.com/]
Spyware:Cookie/2o7 Not disinfected C:\WINDOWS\Profiles\funk junkie\Application Data\Mozilla\Firefox\Profiles\4ij1ejoy.default\cookies.txt[.2o7.net/]
Spyware:Cookie/PointRoll Not disinfected C:\WINDOWS\Profiles\funk junkie\Application Data\Mozilla\Firefox\Profiles\4ij1ejoy.default\cookies.txt[.ads.pointroll.com/]
Spyware:Cookie/Falkag Not disinfected C:\WINDOWS\Profiles\funk junkie\Application Data\Mozilla\Firefox\Profiles\4ij1ejoy.default\cookies.txt[.as-us.falkag.net/]
Spyware:Cookie/Atwola Not disinfected C:\WINDOWS\Profiles\funk junkie\Application Data\Mozilla\Firefox\Profiles\4ij1ejoy.default\cookies.txt[.atwola.com/]
Spyware:Cookie/bravenetA Not disinfected C:\WINDOWS\Profiles\funk junkie\Application Data\Mozilla\Firefox\Profiles\4ij1ejoy.default\cookies.txt[.bravenet.com/]
Spyware:Cookie/BurstNet Not disinfected C:\WINDOWS\Profiles\funk junkie\Application Data\Mozilla\Firefox\Profiles\4ij1ejoy.default\cookies.txt[.burstnet.com/]
Spyware:Cookie/Com.com Not disinfected C:\WINDOWS\Profiles\funk junkie\Application Data\Mozilla\Firefox\Profiles\4ij1ejoy.default\cookies.txt[.com.com/]
Spyware:Cookie/cs.sexcounter Not disinfected C:\WINDOWS\Profiles\funk junkie\Application Data\Mozilla\Firefox\Profiles\4ij1ejoy.default\cookies.txt[.cs.sexcounter.com/]
Spyware:Cookie/360i Not disinfected C:\WINDOWS\Profiles\funk junkie\Application Data\Mozilla\Firefox\Profiles\4ij1ejoy.default\cookies.txt[.ct.360i.com/]
Spyware:Cookie/Go Not disinfected C:\WINDOWS\Profiles\funk junkie\Application Data\Mozilla\Firefox\Profiles\4ij1ejoy.default\cookies.txt[.go.com/]
Spyware:Cookie/Overture Not disinfected C:\WINDOWS\Profiles\funk junkie\Application Data\Mozilla\Firefox\Profiles\4ij1ejoy.default\cookies.txt[.overture.com/]
Spyware:Cookie/Overture Not disinfected C:\WINDOWS\Profiles\funk junkie\Application Data\Mozilla\Firefox\Profiles\4ij1ejoy.default\cookies.txt[.perf.overture.com/]
Spyware:Cookie/QuestionMarket Not disinfected C:\WINDOWS\Profiles\funk junkie\Application Data\Mozilla\Firefox\Profiles\4ij1ejoy.default\cookies.txt[.questionmarket.com/]
Spyware:Cookie/RealMedia Not disinfected C:\WINDOWS\Profiles\funk junkie\Application Data\Mozilla\Firefox\Profiles\4ij1ejoy.default\cookies.txt[.realmedia.com/]
Spyware:Cookie/WUpd Not disinfected C:\WINDOWS\Profiles\funk junkie\Application Data\Mozilla\Firefox\Profiles\4ij1ejoy.default\cookies.txt[.revenue.net/]
Spyware:Cookie/Serving-sys Not disinfected C:\WINDOWS\Profiles\funk junkie\Application Data\Mozilla\Firefox\Profiles\4ij1ejoy.default\cookies.txt[.serving-sys.com/]
Spyware:Cookie/Traffic Marketplace Not disinfected C:\WINDOWS\Profiles\funk junkie\Application Data\Mozilla\Firefox\Profiles\4ij1ejoy.default\cookies.txt[.trafficmp.com/]
Spyware:Cookie/Tribalfusion Not disinfected C:\WINDOWS\Profiles\funk junkie\Application Data\Mozilla\Firefox\Profiles\4ij1ejoy.default\cookies.txt[.tribalfusion.com/]
Spyware:Cookie/YieldManager Not disinfected C:\WINDOWS\Profiles\funk junkie\Application Data\Mozilla\Firefox\Profiles\4ij1ejoy.default\cookies.txt[ad.yieldmanager.com/]
Spyware:Cookie/DomainSponsor Not disinfected C:\WINDOWS\Profiles\funk junkie\Application Data\Mozilla\Firefox\Profiles\4ij1ejoy.default\cookies.txt[landing.domainsponsor.com/]
Spyware:Cookie/onestat.com Not disinfected C:\WINDOWS\Profiles\funk junkie\Application Data\Mozilla\Firefox\Profiles\4ij1ejoy.default\cookies.txt[stat.onestat.com/]
Spyware:Cookie/Clicktracks Not disinfected C:\WINDOWS\Profiles\funk junkie\Application Data\Mozilla\Firefox\Profiles\4ij1ejoy.default\cookies.txt[stats1.clicktracks.com/]
Spyware:Cookie/BurstBeacon Not disinfected C:\WINDOWS\Profiles\funk junkie\Application Data\Mozilla\Firefox\Profiles\4ij1ejoy.default\cookies.txt[www.burstbeacon.com/]
Spyware:Cookie/Atwola Not disinfected C:\WINDOWS\Profiles\funk junkie\Cookies\funk [email protected][1].txt
Spyware:Cookie/YieldManager Not disinfected C:\WINDOWS\Profiles\funk junkie\Cookies\funk [email protected][1].txt
Spyware:Cookie/Atwola Not disinfected C:\WINDOWS\Profiles\funk junkie\Cookies\funk [email protected][3].txt
Spyware:Cookie/YieldManager Not disinfected C:\WINDOWS\Profiles\funk junkie\Cookies\funk [email protected][3].txt
Spyware:Cookie/Atwola Not disinfected C:\WINDOWS\Profiles\funk junkie\Cookies\funk [email protected][2].txt
Spyware:Cookie/Go Not disinfected C:\WINDOWS\Profiles\funk junkie\Cookies\funk [email protected][1].txt
Potentially unwanted tool:Application/KillApp.C Not disinfected C:\HP\bin\KillWind.exe
Potentially unwanted tool:Application/HideWindow.A Not disinfected C:\HP\bin\FondleWindow.exe
Potentially unwanted tool:Application/KillApp.B Not disinfected C:\HP\bin\KillIt.exe
Hacktool:HackTool/ProcLog.A Not disinfected C:\HP\bin\ProcessLogger.exe
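A triage pass over the Panda ActiveScan report layout shown above, added as an example; it is not the thread's content and not Panda's code. It parses each `Category:Name Status Location` line, separates tracking-cookie hits (entries that live inside a Firefox `cookies.txt` or an IE `Cookies` folder, which the Delete Cookies step later in the thread clears) from findings that are real files on disk, and collapses the on-disk paths so that a folder and the files under it appear once, which is the list a cleanup instruction such as "delete c:\windows\system\SBUtils" is built from. The report excerpt is constructed in that layout; the IE cookie filename in it is a generic placeholder, not one from the post.

```python
import re
from collections import Counter

# Constructed excerpt in the layout of the Panda ActiveScan report above; the
# IE cookie filename is a generic placeholder, not one from the post.
SAMPLE_REPORT = r"""Incident Status Location

Adware:adware/windowenhancer Not disinfected c:\windows\system\SBUtils
Adware:Adware/WindowEnhancer Not disinfected C:\WINDOWS\SYSTEM\SBUtils\SBWebCtl.dll
Spyware:Cookie/2o7 Not disinfected C:\WINDOWS\Application Data\Mozilla\Firefox\Profiles\4ij1ejoy.default\cookies.txt[.2o7.net/]
Spyware:Cookie/Traffic Marketplace Not disinfected C:\WINDOWS\Profiles\funk junkie\Application Data\Mozilla\Firefox\Profiles\4ij1ejoy.default\cookies.txt[.trafficmp.com/]
Spyware:Cookie/Atwola Not disinfected C:\WINDOWS\Profiles\funk junkie\Cookies\user@atwola[1].txt
Potentially unwanted tool:Application/KillApp.C Not disinfected C:\HP\bin\KillWind.exe
Hacktool:HackTool/ProcLog.A Not disinfected C:\HP\bin\ProcessLogger.exe
"""

# "<Category>:<Detection name> <Status> <Location>"; the detection name may contain spaces.
FINDING_RE = re.compile(
    r"^(?P<category>[^:]+):(?P<name>.+?) (?P<status>Not disinfected|Disinfected|Deleted) (?P<location>.+)$"
)


def parse_panda(text):
    """Return one dict per finding line with category, name, status and location."""
    findings = []
    for line in text.splitlines():
        m = FINDING_RE.match(line.strip())
        if m:
            findings.append(m.groupdict())
    return findings


def classify(location):
    """Tracking cookies sit inside a browser cookie store; everything else is a file on disk."""
    loc = location.lower()
    if "cookies.txt[" in loc or "\\cookies\\" in loc:
        return "tracking cookie"
    return "on-disk file"


def collapse_paths(paths):
    """Lower-case and de-duplicate paths, dropping any path that lies under another one in the list."""
    norm = sorted({p.lower().rstrip("\\") for p in paths})
    kept = []
    for p in norm:
        if not any(p.startswith(q + "\\") for q in kept):
            kept.append(p)
    return kept


def triage(text):
    """Parse a report and return (all findings, per-category/kind counts, on-disk findings only)."""
    findings = parse_panda(text)
    summary = Counter((f["category"], classify(f["location"])) for f in findings)
    actionable = [f for f in findings if classify(f["location"]) == "on-disk file"]
    return findings, summary, actionable


if __name__ == "__main__":
    findings, summary, actionable = triage(SAMPLE_REPORT)
    for (category, kind), n in sorted(summary.items()):
        print(f"{n:3d}  {category:<26} {kind}")
    print("paths to review (folders shown once, without their contents):")
    for p in collapse_paths(f["location"] for f in actionable):
        print("  ", p)
```

Cookie hits dominate these reports by count but carry no code, so counting them separately keeps the short list of on-disk findings visible. The scanner's labels for the `C:\HP\bin` files are generic tool classes (kill-a-window, hide-a-window, process logger) rather than named malware, and the files sit in the OEM's own directory, so that group is one to confirm with the vendor before removing rather than delete on sight.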
 

TSF Security Manager, Emeritus
Hi John,

Please copy this page to Notepad and save to your desktop for reference as you will not have any browsers open while you are carrying out portions of these instructions.

***************************************************

Download and install CleanUp! but do not run it yet.

------------------------------------------------------------------

Open Computer. Select the Tools menu and click Folder Options. Select the View Tab.
  • Under the Hidden files and folders heading select Show hidden files and folders.
  • Uncheck the Hide protected operating system files option.
  • Also make sure there is no checkmark beside Hide file extensions for known file types. Click OK.
------------------------------------------------------------------

Delete the following folder:

c:\windows\system\SBUtils


**If the above resists deletion, boot into Safe Mode to delete.

------------------------------------------------------------------

*WARNING* Cleanup deletes EVERYTHING out of temp/temporary folders and does not make backups. If you have any documents or programs that are saved in any Temporary Folders, please make a backup of these before running CleanUp! or move them to a permanent location.

Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu). Set the program up as follows:
*Click "Options..."
*Move the arrow down to "Custom CleanUp!"
*Put a check next to the following:
  • Empty Recycle Bins
  • Delete Cookies
  • Cleanup! All Users
  • Click on the "Temporary Files" and uncheck the box for "Scan drives for file matching" if it's checked.
Click OK
Press the CleanUp! button to start the program.

Reboot/logoff when prompted.

--------------------------------------------------------------------

Has there been any improvement?
 

Discussion Starter · #5 ·
Holy cow, Ried. That clean-up program deleted 1.7 gigs of space on the c drive :eek: Unfortunately however, there is no noticeable improvement. Still very sluggish, and the PC still freezes when the torrent client gets up to speed.
 

TSF Security Manager, Emeritus
Hi John,

CleanUp is a good tool. It would help if you use it to clean out that 'junk' from time to time. :smile:

I'm sorry, but this is as far as I can go with you, as the Forum Rules state the following:
We believe that the main purpose of P2P programs is to illegally download and use copyrighted material of whatever description. We further understand that there may be legal uses for P2P, but as we are not able to assess a user's intent when he/ she asks for help, we do not support P2P software and we will not assist any user in this regard. This includes but is not limited to Bearshare, Kazaa and many others.
You'll have to find a site that supports torrent.
 

Discussion Starter · #7 ·
Bummer. No sweat though. It's about time for a fresh install on this PC anyway. It was given to me a couple years ago, so there's no telling what has been on it before I got a hold of it. Thanks for all your help, Ried. And thanks for the space. :grin:
 

TSF Security Manager, Emeritus
You're welcome, John. :smile:

If you do decide to reformat and reinstall ME, you'll want the same protective programs as we set up on the 98 machine:

To help protect your computer in the future I recommend that you get the following free programs if you do not already have them:

McAfee Site Advisor--free. The folks there check out websites and based on their findings, rate it as Safe, Unknown, Caution, or Bad.

SpywareBlaster 3.5.1 to help prevent spyware from installing in the first place. Install & update SpywareBlaster with the latest definitions. After you have updated, click the button - enable protection for all unprotected items.

Spyware Guard to catch and block spyware before it can execute.

IE-SPYAD.EXE to block access to malicious websites so you cannot be redirected to them from an infected site or email. IE/Spyad places more than 5000 dubious websites and domains in the IE Restricted list. This severely impairs attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites. This is a self-extracting .ZIP file, save it to your desktop. Once downloaded, double-click on it to extract the files inside (default dir is C:\IE-SPYAD)
  • Now navigate to C:\ie-spyad. Double click to open it.
  • From within the folder, double-click install.bat
  • Select Option #2 - Install the new IE-SPYAD list, by typing 2
  • Then return to the main menu.
  • Select option #4 - Add the old porn sites domain, by typing 4

Spybot - Search & Destroy 1.4
Run Spybot and click on the 'Search for Updates' button. Install any updates that are available.
  • Now click Mode menu and choose 'Advanced Mode'.
  • Click on Immunize to your left.
  • Next, click the Immunize button on top to Immunize your computer - you need to do this each time there is an update.
  • Click 'Check for Problems' and fix all the entries, which are indicated in RED.

Adaware SE
Make sure it's the newest version and check for any updates before running it. Go to this Site to get the plug-in for fixing VX2 variants. Also make sure to Customize the settings in Adaware for better scan results. Run the scan and fix everything that it finds.

Update all these programs regularly. Without regular updates you will not be protected when new malicious programs are released.

****************************************************

If you're looking for an Anti Virus program that is compatible with 98/ME, please download and install this excellent and FREE anti-virus program:

Please download Active Virus Shield (powered by Kaspersky) and save it to your desktop.
  • Please remember to register for your Activation Code using a legitimate email address.
  • Double-click avs.msi to run the installer, but please uncheck "Install Security Toolbar" during the installation process:

  • Then please update the program and run a systemwide scan by selecting My Computer. Allow it to neutralize all that it finds.
  • When done, launch Active Virus Shield's main window.

  • Click the Scan button on the left, and then click Detected.
Note: You must only have 1 (one) AV installed at a time. More than 1 AV will conflict with each other and make your security less reliable as well as cause system instability.


Take care. :wave:
 