Malicious C:/WINDOWS/odbc.hta (New)
Michael Font's Avatar
Junior Member with 3 posts.
 
Join Date: Jun 2004
Experience: Intermediate
10-Jun-2004, 07:07 PM #1
Malicious C:/WINDOWS/odbc.hta
I use Windows 98 with Internet Explorer 6. When I go online I get a small moveable window marked C:/WINDOWS/odbc.hta which comes up usually when I shut a window. I can remove it by clicking on the time in the bottom right hand corner of the screen, but I would like to stop it appearing at all. It seemed to start soon after a virus attack which I think I've cleared. McAfee scans suggest no infection. I'd be very grateful for any suggestions for stopping this?
cybertech's Avatar
Computer Specs
Moderator with 68,807 posts.
 
Join Date: Apr 2002
Location: Washington State
10-Jun-2004, 07:30 PM #2
Welcome to TSG!!

Make a folder on your hard drive, like My Documents\HJT
Download Hijackthis.
Unzip the file to the folder on your hard drive.

Double click on Hijackthis.exe then click on the "Scan" button, then click on "Save Log".

Copy and paste it back here and someone will be happy to review it.

Don't make any changes until instructed to do so.
__________________
Microsoft MVP/Windows - Consumer Security
Michael Font's Avatar
Junior Member with 3 posts.
 
Join Date: Jun 2004
Experience: Intermediate
11-Jun-2004, 05:47 AM #3
Very many thanks. Here it is:

Logfile of HijackThis v1.97.7
Scan saved at 11:10:11, on 11/06/04
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\WINMODEM.101\wmexe.exe
C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSRTE.EXE
C:\WINDOWS\EXPLORER.EXE
C:\OPLIMIT\OCRAWARE.EXE
C:\OPLIMIT\OCRAWR32.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\STARTER.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\MCAFEE.COM\AGENT\MCAGENT.EXE
C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSSHLD.EXE
C:\PROGRAM FILES\MCAFEE.COM\PERSONAL FIREWALL\MPFTRAY.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSESCN.EXE
C:\PROGRAM FILES\WINAMP\WINAMPA.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\PROGRAM FILES\NETSCAPE\NETSCAPE\NETSCP.EXE
C:\PROGRAM FILES\BACKWEB\BACKWEB\PROGRAM\BACKWEB.EXE
C:\WINDOWS\SYSTEM\MSHTA.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\OSA.EXE
C:\PROGRAM FILES\FLASH\FLSHSTAT.EXE
C:\PROGRAM FILES\ONTRACK\FIX-IT\MXTASK.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\MCAFEE.COM\PERSONAL FIREWALL\MPFAGENT.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\PROGRAM FILES\BACKWEB\BACKWEB\PROGRAM\BWV.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\HPZSTATX.EXE
C:\PROGRAM FILES\OUTLOOK EXPRESS\MSIMN.EXE
C:\WINDOWS\DESKTOP\MY DOCUMENTS\HJT\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar =
http://ie-search.com/srchasst.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page =
http://ie-search.com/home.html (obfuscated)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
http://uk.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
http://ie-search.com/home.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
http://ie-search.com/srchasst.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
http://ie-search.com/srchasst.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar =
http://ie-search.com/srchasst.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page =
http://ie-search.com/home.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
http://ie-search.com/home.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
http://ie-search.com/home.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
http://ie-search.com/srchasst.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
http://ie-search.com/srchasst.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) =
http://ie-search.com/home.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) =
http://ie-search.com/srchasst.html (obfuscated)
F1 - win.ini: load=C:\OPLIMIT\ocraware.exe
F1 - win.ini: run=hpfsched
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} -
C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSSHL.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} -
C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe
powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
O4 - HKLM\..\Run: [VortexTray] ASP4TRAY.EXE
O4 - HKLM\..\Run: [AtiQiPcl] AtiQiPcl.exe
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [MCAgentExe] C:\PROGRA~1\MCAFEE.COM\AGENT\mcagent.exe
files\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\MCAFEE.COM\AGENT\MCUPDATE.EXE
O4 - HKLM\..\Run: [VirusScan Online]
"C:\PROGRA~1\MCAFEE.COM\VSO\mcvsshld.exe"
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFTRAY.EXE
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\MCAFEE.COM\VSO\MCMNHDLR.EXE"
/checktask
O4 - HKLM\..\Run: [QuickTime Task]
"C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [WinampAgent] "C:\PROGRAM FILES\WINAMP\WINAMPa.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common
Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Windows Shell Library Loader] load shell32.dll /c /set
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe
powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [V128IID] Rundll32.exe
c:\windows\SYSTEM\v128iitw.dll,STB_InitTweak
O4 - HKLM\..\RunServices: [V128IITV] Rundll32.exe
c:\windows\SYSTEM\v128iitv.dll,STBTV_SwitchTo640x480
O4 - HKLM\..\RunServices: [winmodem] WINMODEM.101\wmexe.exe
O4 - HKLM\..\RunServices: [McVsRte] C:\PROGRA~1\MCAFEE.COM\VSO\mcvsrte.exe
/embedding
O4 - HKCU\..\Run: [Mozilla Quick Launch] "C:\Program
Files\Netscape\Netscape\Netscp.exe" -turbo
O4 - Startup: BackWeb.lnk = C:\Program
Files\BackWeb\BackWeb\Program\backweb.exe
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft
Office\Office\OSA.EXE
O4 - Startup: FlashPath Status.lnk = C:\Program Files\FLASH\FLSHSTAT.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft
Office\Office\OSA9.EXE
O4 - Startup: Fix-It.lnk = C:\Program Files\Ontrack\Fix-It\mxtask.exe
O8 - Extra context menu item: Web Search - C:\WINDOWS\ex.htm
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: MSN Messenger Service (HKLM)
O16 - DPF: {CDB74794-A3BA-4733-B6F6-59BF16D6C15A} (McAfee Smart Shop -
Update Class) - http://download.mcafee.com/molbin/mcaeng/mcsmtshp.cab
O16 - DPF: {36C417C6-13C6-448B-9784-DD73A93B0582} (McAfee.com
Download+Installer Class) -
http://download.mcafee.com/molbin/shared/mcinstall.cab
O16 - DPF: {0C568603-D79D-11D2-87A7-00C04FF158BB} (BrowseFolderPopup
Class) - http://download.mcafee.com/molbin/Shared/MGBrwFld.cab
O16 - DPF: {DA28C54E-D95C-11D3-9A01-005004677EF4} -
http://download.mcafee.com/molbin/clinic/CDM/McCDM.cab
O16 - DPF: {9F0F185C-B50B-11D2-B53F-00A0C98684AC} (McAfee PC Clinic
OilChange Class) -
http://download.mcafee.com/molbin/Oi...GOcCtl_new.cab
O16 - DPF: {13E39F7E-FDA8-11D2-99DC-00C04FF40D52} (McAfee OilChange
Multi-Product Support Filter) -
http://download.mcafee.com/molbin/Oi...e/MGOcFilt.cab
O16 - DPF: {BF31FA5E-AE8A-11D2-A1BD-0800300004C2} (McAfee PC Clinic Internet
Class) - http://download.mcafee.com/molbin/Shared/MCInet_new.cab
O16 - DPF: {23047A90-8511-11D2-87A5-20C252C10000} (McAfee Clinic TreeView
Class) - http://download.mcafee.com/molbin/Shared/MGTree.cab
O16 - DPF: {06D5218D-079C-11D3-B2D1-00A0C98684AC} (McAfee Hardware Finder
Control) - http://download.mcafee.com/molbin/cl...f/mghwinfo.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) -
http://a840.g.akamai.net/7/840/537/2...s.com/housecal
l/xscan53.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) -
http://download.macromedia.com/pub/s...sh/swflash.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating
System Class) -
http://bin.mcafee.com/molbin/shared/...3/mcinsctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) -
http://bin.mcafee.com/molbin/shared/...16/mcgdmgr.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} -
http://download.microsoft.com/downlo...0-9F5F-9490133
8C922/wmv9VCM.CAB
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update
Installation Engine) -
http://office.microsoft.com/officeup...ntent/opuc.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) -
http://v4.windowsupdate.microsoft.co...7913.246296296
3
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) -
http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {1C955F3B-5B32-4393-A05D-24B4970CD2A1} (Video Class) -
http://streamg.redhotnetworks.com/cabs/videox.cab
O19 - User stylesheet: C:\WINDOWS\color.css (file missing)
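
A triage sketch for a log like the one above, as an added example that is not part of the original thread: it rejoins the mail-wrapped lines, then flags the running HTA host (mshta.exe, the program that displays a .hta window) and the entries HijackThis itself annotated as (obfuscated) or (file missing). The function names and the sample text are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample in the shape of the log above (mail-wrapped lines kept); names are illustrative.
SAMPLE = r"""Running processes:
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\MSHTA.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar =
http://ie-search.com/srchasst.html (obfuscated)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
http://uk.yahoo.com/
O19 - User stylesheet: C:\WINDOWS\color.css (file missing)
"""

ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")  # e.g. "R1 - ...", "O19 - ..."

def parse_log(text):
    """Return (processes, entries); wrapped continuation lines are rejoined."""
    processes, entries, state = [], [], None
    for line in map(str.strip, text.splitlines()):
        m = ENTRY.match(line)
        if m:
            entries.append([m.group(1), m.group(2)])
            state = "entry"
        elif line.lower().startswith("running processes"):
            state = "procs"
        elif not line:
            state = None  # a blank line ends the process list or an entry
        elif state == "procs":
            processes.append(line)
        elif state == "entry":
            entries[-1][1] += " " + line  # continuation of a wrapped entry
    return processes, [tuple(e) for e in entries]

def triage(text):
    """Flag the HTA host process and entries HijackThis annotated itself."""
    processes, entries = parse_log(text)
    hits = [("process", p) for p in processes if p.lower().endswith("\\mshta.exe")]
    hits += [(c, b) for c, b in entries
             if b.endswith(("(obfuscated)", "(file missing)"))]
    return hits

def obfuscated_hosts(text):
    """Count the hosts behind values marked (obfuscated)."""
    pat = re.compile(r"https?://([^/\s]+)\S* \(obfuscated\)$")
    found = (pat.search(b) for _, b in parse_log(text)[1])
    return Counter(m.group(1) for m in found if m)
```

Run over a full log, `obfuscated_hosts` shows at a glance whether every hijacked search setting points at the same host, which is the pattern visible in the R0/R1 lines above.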


$teve's Avatar
Distinguished Member with 9,520 posts.
 
Join Date: Oct 2001
Location: 25 miles from Manchester/Engla
Experience: Tweedle-Dee
11-Jun-2004, 06:12 AM #4
Go to http://computercops.biz/downloads-cat-14.html , and download the latest version of CWShredder by Merijn Bellekom, the creator of Hijack This.
Don't run it yet.
-------------------------------------------------------------------------
Copy the bold to Notepad... save on the desktop as "fix.reg"

REGEDIT4

[-HKEY_CURRENT_USER\Software\iSearch]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"SpecifyDefaultButtons"=dword:00000000
"Btn_Search"=dword:00000000
"NoBandCustomize"=dword:00000000
"NoToolbarCustomize"=dword:00000000


NOTE: for some reason a space will appear in Explor er (like that); you will need to remove it in Notepad. No idea why this happens.
----------------------------------------------------------------
Reboot into safe mode by following instructions here: http://helpdesk.its.bethel.edu/resne.../Safemode.html
then as some of the files or folders you need to delete may be hidden do this:
Open Windows Explorer & Go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and untick "hide extensions for known file types" . Now click "Apply to all folders"
Click "Apply" then "OK"
------------------------------------------------------------------
Double-click "fix.reg" and reply "yes" to add the contents to the registry.
-------------------------------------------------------------------
Now run CWShredder, press 'Fix', and allow it to fix all it finds.
And remember to click "Fix" (not "Scan only").
After it's done its thing, hit the "How do I prevent reinfection" tab....
In particular pay attention to the patches for the operating system regarding the ByteVerify vulnerability which is how you got infected in the 1st place.

When it is finished restart your computer.
-----------------------------------------------------
Download and install all updates and security patches relevant for your operating system.

Post another log after.
__________________
Are you at risk from Hepatitis C ?
Want to know how your computer got infected and how to help prevent it? HERE
Member of "ASAP" The Alliance of Security Analysis Professionals and Microsoft MVP Security

Last edited by $teve : 11-Jun-2004 06:19 AM.
Michael Font's Avatar
Junior Member with 3 posts.
 
Join Date: Jun 2004
Experience: Intermediate
11-Jun-2004, 09:05 AM #5
This advice was absolutely brilliant and worked wonderfully well. I am most grateful for your prompt and most effective assistance. I will donate immediately. Michael Font