
Back again! Please forgive me. about.blank crap

Discussion in 'Virus & Other Malware Removal' started by kmbja711, Sep 2, 2004.

Thread Status:
Not open for further replies.
  1. kmbja711

    kmbja711 Thread Starter

    Joined:
    Aug 13, 2003
    Messages:
    12
    Well, I need help again, but this time I didn't do it. Just inherited an older Gateway from my father-in-law. Thought I'd fire it up for the kids to use as a school computer. Noticed right away the pop-ups, home page change, and different search engines. Had this problem a long time ago, which I'll admit was my fault, and you guys helped out. Please help me out again! I promise not to tie up another thread on this same subject.
    Ran spybot with no luck.
    Ran hijack this

    Logfile of HijackThis v1.98.2
    Scan saved at 9:57:13 PM, on 9/2/04
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v5.00 (5.00.2614.3500)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\MFCDS32.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\PROGRAM FILES\HEWLETT-PACKARD\HP PRECISIONSCAN\PRECISIONSCAN\HPLAMP.EXE
    C:\PROGRAM FILES\HEWLETT-PACKARD\HP PRECISIONSCAN\PRECISIONSCAN\HPPPT.EXE
    C:\WINDOWS\SYSTEM\HPSJVXD.EXE
    C:\WINDOWS\SYSTEM\STIMON.EXE
    C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\WORKS SHARED\WKCALREM.EXE
    C:\PROGRAM FILES\MSNIA\TRAYCLNT.EXE
    C:\SIERRA\CARDSTUDIO\PLNRNOTE.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
    C:\WINDOWS\SYSTEM\RNAAPP.EXE
    C:\WINDOWS\SYSTEM\TAPISRV.EXE
    C:\WINDOWS\SYSTEM\PSTORES.EXE
    C:\WINDOWS\TEMP\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system\mhgcn.dll/sp.html#29126
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system\mhgcn.dll/sp.html#29126
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system\mhgcn.dll/sp.html#29126
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system\mhgcn.dll/sp.html#29126
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system\mhgcn.dll/sp.html#29126
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system\mhgcn.dll/sp.html#29126
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system\mhgcn.dll/sp.html#29126
    R3 - Default URLSearchHook is missing
    O2 - BHO: Class - {B36BF8D0-78A6-6627-C70B-89B4CE7916F8} - C:\WINDOWS\IEHJ.DLL
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [SourcePath] c:\cabs\gwreg.exe
    O4 - HKLM\..\Run: [HP Lamp] C:\Program Files\Hewlett-Packard\HP PrecisionScan\PrecisionScan\HPLamp.exe
    O4 - HKLM\..\Run: [hpppt] C:\Program Files\Hewlett-Packard\HP PrecisionScan\PrecisionScan\hpppt.exe /ICON
    O4 - HKLM\..\Run: [HPSCANMonitor] C:\WINDOWS\SYSTEM\hpsjvxd.exe
    O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] C:\WINDOWS\SYSTEM\mstask.exe
    O4 - HKLM\..\RunServices: [MFCDS32.EXE] C:\WINDOWS\SYSTEM\MFCDS32.EXE
    O4 - Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
    O4 - Startup: MSN Internet Access.lnk = C:\Program Files\MSNIA\TRAYCLNT.EXE
    O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Startup: Event Planner Reminders Tray Icon.lnk = C:\SIERRA\CardStudio\PLNRnote.exe
    O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O12 - Plugin for .mid: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin2.dll
    O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://msnmember.msn.com
    O15 - Trusted Zone: *.slotch.com
    O15 - Trusted Zone: *.xxxtoolbar.com
    O15 - Trusted Zone: *.blazefind.com
    O15 - Trusted Zone: *.05p.com
    O15 - Trusted Zone: *.searchmiracle.com
    O15 - Trusted Zone: *.clickspring.net
    O15 - Trusted Zone: *.mt-download.com
    O15 - Trusted Zone: *.flingstone.com
    O15 - Trusted Zone: *.my-internet.info
    O15 - Trusted Zone: *.scoobidoo.com
    O15 - Trusted Zone: *.searchbarcash.com

    Thanks
    Kurt
     
  2. Nok1

    Nok1

    Joined:
    Feb 15, 2004
    Messages:
    826
    Remove these entries with HJT (make sure that all other windows are closed):

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system\mhgcn.dll/sp.html#29126
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system\mhgcn.dll/sp.html#29126
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system\mhgcn.dll/sp.html#29126
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system\mhgcn.dll/sp.html#29126
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system\mhgcn.dll/sp.html#29126
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system\mhgcn.dll/sp.html#29126
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system\mhgcn.dll/sp.html#29126
    R3 - Default URLSearchHook is missing
    O2 - BHO: Class - {B36BF8D0-78A6-6627-C70B-89B4CE7916F8} - C:\WINDOWS\IEHJ.DLL
    O15 - Trusted Zone: *.slotch.com
    O15 - Trusted Zone: *.xxxtoolbar.com
    O15 - Trusted Zone: *.blazefind.com
    O15 - Trusted Zone: *.05p.com
    O15 - Trusted Zone: *.searchmiracle.com
    O15 - Trusted Zone: *.clickspring.net
    O15 - Trusted Zone: *.mt-download.com
    O15 - Trusted Zone: *.flingstone.com
    O15 - Trusted Zone: *.my-internet.info
    O15 - Trusted Zone: *.scoobidoo.com
    O15 - Trusted Zone: *.searchbarcash.com


    Next, go to the below website and click the submit button on the top of the page. Copy and paste this in there: C:\WINDOWS\SYSTEM\MFCDS32.EXE. Paste the results back onto this page.

    http://virusscan.jotti.dhs.org/

    Next, download this file and save it. Unzip it, and open runme.bat. Type in 2 and press enter. A notepad file will come up; copy and paste that log here. Also, please post an updated HijackThis log.
     
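Nok1's list above is the pattern a helper applies by eye: search pages redirected to a res:// DLL resource, a BHO with no real name sitting in the Windows directory, and a run of wildcard Trusted Zone entries. As an added example (not code from this thread, from HijackThis or from Tech Support Guy), here is a small Python triage that applies those rules to HijackThis v1.98 log lines and lists the autostart images one would submit to a multi-engine scanner; the sample lines are copied from the first log, and the severity labels and the "BHO directly under C:\WINDOWS" heuristic are my assumptions.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: a subset of the HijackThis lines posted in this thread
# (first log) plus one benign start-page line from the later logs.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system\mhgcn.dll/sp.html#29126
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://msnmember.msn.com/
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {B36BF8D0-78A6-6627-C70B-89B4CE7916F8} - C:\WINDOWS\IEHJ.DLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\RunServices: [MFCDS32.EXE] C:\WINDOWS\SYSTEM\MFCDS32.EXE
O15 - Trusted Zone: *.slotch.com
O15 - Trusted Zone: *.searchbarcash.com
"""

# HJT line shape: "<code> - <body>", e.g. "R1 - HKCU\...\Main,Search Bar = value"
LINE_RE = re.compile(r"^(?P<code>[RO]\d{1,2}) - (?P<body>.+)$")
# O2 body: "BHO: <name> - {<CLSID>} - <path>"
BHO_RE = re.compile(r"^BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]{36})\} - (?P<path>.+)$")
# O4 body for registry autostarts: "HKLM\..\Run: [<name>] <image>"
O4_RE = re.compile(r"^(?P<hive>.+?): \[(?P<name>[^\]]*)\] (?P<image>.+)$")


@dataclass
class Finding:
    severity: str  # "high", "medium" or "info" (assumed labels)
    code: str      # HJT section code, e.g. "R1", "O15"
    reason: str
    line: str


def triage_line(line: str) -> Optional[Finding]:
    """Apply the rules from the thread to one HJT line; None means nothing to flag."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    code, body = m.group("code"), m.group("body")
    if code in ("R0", "R1"):
        if " = " not in body:
            return None
        key, value = body.split(" = ", 1)
        if value.lower().startswith("res://"):
            return Finding("high", code, "IE start/search page redirected into a local DLL resource", line)
        if value.lower() == "about:blank" and "default_page_url" in key.lower():
            return Finding("medium", code, "about:blank default page; look for the res:// hijack alongside it", line)
        return None
    if code == "R3" and "URLSearchHook is missing" in body:
        return Finding("info", code, "default URLSearchHook removed; fixing restores the default", line)
    if code == "O2":
        b = BHO_RE.match(body)
        if b:
            parent_dir = b.group("path").rsplit("\\", 1)[0].upper()
            # Heuristic (assumed): a BHO named just "Class", or one dropped straight
            # into C:\WINDOWS, matches both hijacker BHOs seen in this thread.
            if b.group("name").strip() == "Class" or parent_dir == "C:\\WINDOWS":
                return Finding("high", code, "unnamed BHO loaded from the Windows directory", line)
        return None
    if code == "O15" and body.startswith("Trusted Zone:"):
        return Finding("high", code, "domain added to IE Trusted sites zone (relaxed script/ActiveX policy)", line)
    return None


def triage(log_text: str) -> List[Finding]:
    """Run triage_line over every line of a pasted HJT log, keeping the hits in order."""
    return [f for f in (triage_line(l) for l in log_text.splitlines()) if f]


def autostart_images(log_text: str) -> List[str]:
    """Collect O4 registry autostart images that live under C:\\WINDOWS.

    This is the list a helper would submit to a multi-engine scanner, as the
    thread did with C:\\WINDOWS\\SYSTEM\\MFCDS32.EXE. Startup-folder .lnk
    entries have a different body shape and are skipped here.
    """
    images = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m.group("code") != "O4":
            continue
        o4 = O4_RE.match(m.group("body"))
        if o4 and o4.group("image").upper().startswith("C:\\WINDOWS\\"):
            images.append(o4.group("image").split(" /")[0])  # drop switches like " /ICON"
    return images


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.code}: {f.reason}\n         {f.line.strip()}")
    print("submit for scanning:", autostart_images(SAMPLE_LOG))
```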
  3. kmbja711

    kmbja711 Thread Starter

    Joined:
    Aug 13, 2003
    Messages:
    12
    I removed the entries and ran the virus scan; here is the log of that scan. Having trouble with pv.zip. I unzip it, the MS-DOS window opens, but it will not allow me to enter anything. It winds up at a finished-runme window that says "this MS-DOS program has terminated".

    Should I run another HJT now and post it before I resolve pv.zip problem?

    Thanks for the quick reply
    kurt


    File: MFCDS32.EXE.
    Status: INFECTED/MALWARE (Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database)
    Packers detected: None

    AntiVir TR/Spy.Tofger.BI.2 (1.40 seconds taken)
    Avast Win32:Trojano-302 (4.79 seconds taken)
    BitDefender Trojan.Downloader.Agent.BQ (4.11 seconds taken)
    ClamAV Trojan.Spy.Tofger.BI.2 (8.22 seconds taken)
    F-Prot Antivirus W32/Agent.AS (0.39 seconds taken)
    F-Secure Anti-Virus TrojanDownloader.Win32.Agent.bq (5.39 seconds taken)
    Kaspersky Anti-Virus TrojanDownloader.Win32.Agent.bq (4.93 seconds taken)
    Norman Virus Control W32/DLoader.BV (1.75 seconds taken)

    Statistics
    Last piece of malware found was Invol.1401 in 455 Viren (virus virii collection).rar, detected by:

    Scanner Malware name Time taken
    AntiVir X 5.90 seconds
    Avast X 17.00 seconds
    BitDefender Virtool.Sdne7.A 3.28 seconds
    ClamAV X 7.07 seconds
    F-Prot Antivirus X 0.42 seconds
    F-Secure Anti-Virus Invol.1401 4.41 seconds
    Kaspersky Anti-Virus Invol.1401 4.62 seconds
    Norman Virus Control X 1.68 seconds



    Before scanning this file, the scanners used had achieved the following results:

    Scanner Malware Detected Missed Detection ratio Average scan time
    AntiVir 839 298 541 35.52% 1.85 seconds
    Avast 69 22 47 31.88% 5.65 seconds
    BitDefender 839 430 409 51.25% 6.75 seconds
    ClamAV 839 255 584 30.39% 8.70 seconds
    Dr.Web 779 422 357 54.17% 8.77 seconds
    F-Prot Antivirus 837 268 569 32.02% 1.02 seconds
    F-Secure Anti-Virus 837 704 133 84.11% 7.32 seconds
    Kaspersky Anti-Virus 837 717 120 85.66% 6.58 seconds
    Norman Virus Control 837 129 / 256* 708 / 581* 15.41% / 30.59%* 18.35 seconds

    Jotti's malware scan 839 789 50 94.04% 64.99 seconds

    * = with Sandbox

    Service statistics:

    2742 files (2285 of those unique) have been uploaded & scanned since 13/08/2004.
    839 of those 2285 files contained a virus or any other form of malware.
    This page has been visited 7730 times in this time period.
    This service managed to spot 12 pieces of malware no vendor used knew about at the time of uploading.
    The service also warned against 261 suspicious files without any help from scanner results.
    However, 50 files reported to be OK were found out to be malware later (this is checked daily).
    As far as can be told, all this together makes this service 97.81% accurate.
    Most popular malware:

    Rank Malware name Uploaded Last known filename
    1 backdoor.sdbot.gen 52 times xvshost.exe.zip
    2 win32.hllw.mybot 22 times servpack2.exe
    3 backdoor.rbot.gen 20 times rBot.exe
    4 virtool.win32.evader.02 16 times protected.exe
    5 tr/dldr.inservice.c 14 times LOMALKA.RU-OO_Defrag_Professional_Edition_v4.0.472_by_Damn.zip
    6 bds/beastdoor.205.a 14 times server.exe
    7 backdoor.beast.2.0.7 13 times Kopie (6) van serverhexblat.exe
    8 exploit.iframe.vulnerability 8 times riNO5.rar
    9 eicar-test-signatur 8 times e.com
    10 bds/beastdoor.205.d 8 times worm_c.exe
    11 backdoor.agobot.3.gen 7 times agobot3.exe
    12 trojan.downloader.istbar.w 7 times 0006_regular.cab
    13 bds/mosucker.06 7 times fardig.exe
    14 win32.junkcomp.a 7 times file177.exe
    15 win32.p2p-worm 7 times message.pif

    Thanks again!!
     
  4. Flrman1

    Flrman1

    Joined:
    Jul 26, 2002
    Messages:
    46,329
    Hi kmbja711

    You have a variant of CWS that cannot be removed by simply fixing the entries with Hijack This and deleting the files.

    Please do the following:

    Rescan with Hijack This and post a fresh HJT log.

    Also Click here to download getservice.zip and unzip it to your desktop. Open the Getservice folder and click on the getservices.bat file. A notepad will open up with a long list of Services. Please save that notepad file and attach it to your next reply to this thread. It will be easier to attach it rather than copy and paste because it will be too long to paste in one post.

    After you post the next Hijack This log and the getservice list, it is very important that you not restart your computer or attempt to do anything to remove this until I have posted the removal directions because the files and the entries in HJT will change and we will have to start all over again. It would be best that you do nothing at all with the computer until you get the directions.
     
  5. kmbja711

    kmbja711 Thread Starter

    Joined:
    Aug 13, 2003
    Messages:
    12
    Ran getservice.zip and dos window said bad command file error and the notepad remained blank. Here is my latest HJT log, what next?

    Thanks,
    Kurt

    Logfile of HijackThis v1.98.2
    Scan saved at 6:23:07 PM, on 9/4/04
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v5.00 (5.00.2614.3500)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\MFCDS32.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\PROGRAM FILES\HEWLETT-PACKARD\HP PRECISIONSCAN\PRECISIONSCAN\HPLAMP.EXE
    C:\WINDOWS\SYSTEM\HPSJVXD.EXE
    C:\WINDOWS\SYSTEM\STIMON.EXE
    C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\WORKS SHARED\WKCALREM.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\PROGRAM FILES\MSNIA\TRAYCLNT.EXE
    C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
    C:\WINDOWS\SYSTEM\RNAAPP.EXE
    C:\WINDOWS\SYSTEM\TAPISRV.EXE
    C:\WINDOWS\SYSTEM\PSTORES.EXE
    C:\PROGRAM FILES\WINZIP\WINZIP32.EXE
    C:\WINDOWS\TEMP\HIJACKTHIS.EXE

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://msnmember.msn.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://msnmember.msn.com
    R3 - Default URLSearchHook is missing
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
    O2 - BHO: Class - {8D2AADC8-5DBE-E870-1462-5E5624EFD2B6} - C:\WINDOWS\MFCNA32.DLL
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [SourcePath] c:\cabs\gwreg.exe
    O4 - HKLM\..\Run: [HP Lamp] C:\Program Files\Hewlett-Packard\HP PrecisionScan\PrecisionScan\HPLamp.exe
    O4 - HKLM\..\Run: [hpppt] C:\Program Files\Hewlett-Packard\HP PrecisionScan\PrecisionScan\hpppt.exe /ICON
    O4 - HKLM\..\Run: [HPSCANMonitor] C:\WINDOWS\SYSTEM\hpsjvxd.exe
    O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] C:\WINDOWS\SYSTEM\mstask.exe
    O4 - HKLM\..\RunServices: [MFCDS32.EXE] C:\WINDOWS\SYSTEM\MFCDS32.EXE
    O4 - Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
    O4 - Startup: MSN Internet Access.lnk = C:\Program Files\MSNIA\TRAYCLNT.EXE
    O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Startup: Event Planner Reminders Tray Icon.lnk = C:\SIERRA\CardStudio\PLNRnote.exe
    O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O12 - Plugin for .mid: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin2.dll
    O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://msnmember.msn.com
     
  6. Flrman1

    Flrman1

    Joined:
    Jul 26, 2002
    Messages:
    46,329
    I'm sorry that was my mistake. The getservice.bat file only works on 2k/xp.

    Now please rescan with Hijack This and post a fresh log. I need to be sure nothing has changed before I post the removal directions. I will be on most of the day today so as soon as I get the fresh HJT log I'll post the removal directions.
     
  7. Nok1

    Nok1

    Joined:
    Feb 15, 2004
    Messages:
    826
    Flrman1:
    So... what exactly happens on 95/98, which doesn't have services?
     
  8. kmbja711

    kmbja711 Thread Starter

    Joined:
    Aug 13, 2003
    Messages:
    12
    Flrman1, Here's my latest HJT log.
    Thanks for your quick responses..

    Kurt

    Logfile of HijackThis v1.98.2
    Scan saved at 4:36:36 PM, on 9/5/04
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v5.00 (5.00.2614.3500)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\MFCDS32.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\PROGRAM FILES\HEWLETT-PACKARD\HP PRECISIONSCAN\PRECISIONSCAN\HPLAMP.EXE
    C:\WINDOWS\SYSTEM\HPSJVXD.EXE
    C:\WINDOWS\SYSTEM\STIMON.EXE
    C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\WORKS SHARED\WKCALREM.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\PROGRAM FILES\MSNIA\TRAYCLNT.EXE
    C:\WINDOWS\SYSTEM\PSTORES.EXE
    C:\WINDOWS\SYSTEM\RNAAPP.EXE
    C:\WINDOWS\SYSTEM\TAPISRV.EXE
    C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
    C:\PROGRAM FILES\WINZIP\WINZIP32.EXE
    C:\WINDOWS\TEMP\HIJACKTHIS.EXE

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://msnmember.msn.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://msnmember.msn.com
    R3 - Default URLSearchHook is missing
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
    O2 - BHO: Class - {8D2AADC8-5DBE-E870-1462-5E5624EFD2B6} - C:\WINDOWS\MFCNA32.DLL
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [SourcePath] c:\cabs\gwreg.exe
    O4 - HKLM\..\Run: [HP Lamp] C:\Program Files\Hewlett-Packard\HP PrecisionScan\PrecisionScan\HPLamp.exe
    O4 - HKLM\..\Run: [hpppt] C:\Program Files\Hewlett-Packard\HP PrecisionScan\PrecisionScan\hpppt.exe /ICON
    O4 - HKLM\..\Run: [HPSCANMonitor] C:\WINDOWS\SYSTEM\hpsjvxd.exe
    O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] C:\WINDOWS\SYSTEM\mstask.exe
    O4 - HKLM\..\RunServices: [MFCDS32.EXE] C:\WINDOWS\SYSTEM\MFCDS32.EXE
    O4 - Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
    O4 - Startup: MSN Internet Access.lnk = C:\Program Files\MSNIA\TRAYCLNT.EXE
    O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Startup: Event Planner Reminders Tray Icon.lnk = C:\SIERRA\CardStudio\PLNRnote.exe
    O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O12 - Plugin for .mid: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin2.dll
    O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://msnmember.msn.com
     
  9. Flrman1

    Flrman1

    Joined:
    Jul 26, 2002
    Messages:
    46,329
    First copy the contents of the quotebox to notepad. Go to File > Save As and name it Fix.reg (save as type: 'all files' )

    ___________________________________________________________________________

    Click here to download CWShredder. Do Not run it yet. Download it to the desktop and have it ready to run later.

    ____________________________________________________________________

    Click here to download AboutBuster created by Rubber Ducky.

    Unzip AboutBuster to the Desktop then click the "Update Button" then click "Check for Update" and download the updates and then click "Exit" because I don't want you to run it yet. Just get the updates so it is ready to run later in safe mode.
    _____________________________________________________________________

    Now go ahead and set your computer to show hidden files like so:

    Click on My Computer then go to View > Folder Options. Click on the "View" tab and make sure "Show all files" is ticked and uncheck "Hide file extensions for known file types". Click "Like Current Folder" then click "Apply" then "OK"

    ______________________________________________________________________

    Sign off the internet and remain offline until this procedure is complete. Unplug your modem or disconnect the cable or phone line. Copy these instructions to notepad and save them on your desktop for easy access. You must follow these directions exactly and you cannot skip any part of it.
    ______________________________________________________________________

    Restart to safe mode.

    How to start your computer in safe mode


    Perform the following steps in safe mode:

    ____________________________________________________________________

    Double click on the fix.reg file you saved at the beginning to enter it into the registry. Answer yes when asked to have its contents added to the registry.
    ____________________________________________________________________

    Go to Start > Run and type Hijackthis. Press enter to start HijackThis. DO NOT OPEN ANYTHING ELSE!

    Put a check by these entries in Hijack This and click the "Fix Checked" button:

    R3 - Default URLSearchHook is missing

    O4 - HKLM\..\RunServices: [MFCDS32.EXE] C:\WINDOWS\SYSTEM\MFCDS32.EXE

    Delete this file:

    C:\WINDOWS\SYSTEM\MFCDS32.EXE

    Navigate to the C:\Windows\Temp folder. Open the Temp folder and go to Edit > Select All then Edit > Delete to delete the entire contents of the Temp folder.

    Finally go to Control Panel > Internet Options. On the General tab under "Temporary Internet Files" Click "Delete Files". Put a check by "Delete Offline Content" and click OK. Click on the Programs tab then click the "Reset Web Settings" button. Click Apply then OK.

    ________________________________________________________________________

    Next run aboutbuster. Double click aboutbuster.exe, click OK, click Start, then click OK. This will scan your computer for the bad files and delete them.
    _______________________________________________________________________

    Finally, run CWShredder. Just click on the cwshredder.exe then click "Fix" (Not "Scan only") and let it do its thing.
    _______________________________________________________________________

    Boot back into Windows now.

    Go here and do an online virus scan.

    Be sure and put a check in the box by "Auto Clean" before you do the scan. If it finds anything that it cannot clean have it delete it or make a note of the file location so you can delete it yourself. Housecall will detect the leftover files from this hijacker.



    This hijacker is known to alter or delete certain files so check this out please:

    Download the Hoster from here. Unzip the file and press "Restore Original Hosts" and press "OK". Exit Program.

    If you have Spybot S&D installed you will also need to replace one file.
    Go here and download SDHelper.dll. Copy the file to the folder containing your Spybot S&D program (normally C:\Program Files\Spybot - Search & Destroy)


    control.exe may have been deleted.
    See if control.exe is present in C:\windows\system

    If control.exe isn't there, Click here to download control_98.zip.

    Unzip the file and copy the new control.exe file to the C:\Windows\System folder.


    IMPORTANT!: Please check your ActiveX security settings. They may have been changed by this CWS variant to allow ALL ActiveX!! If they have been changed, reset your active x security settings in IE as recommended here.
     
  10. Nok1

    Nok1

    Joined:
    Feb 15, 2004
    Messages:
    826
    Right click on my attachment, and click save as. Unzip it and run the file. An antivirus prompt may come up, but allow the script to run. It will make a text file; copy and paste it here. The script checks the integrity of files known to be replaced by the CWS trojan.
     
  11. kmbja711

    kmbja711 Thread Starter

    Joined:
    Aug 13, 2003
    Messages:
    12
    Flrman1 and Nok1,

    Did all that I was advised to do. Ran S&D and 6 problems were detected. 4 cookie tracking (Value click, Avenue A inc, DoubleClick, and Mediaplex) and 1 Registry change (DSO Exploit). What to do ? Also below is last HJT log and the anti virus script Nok1 requested.

    Thanks guys !
    kurt

    Logfile of HijackThis v1.98.2
    Scan saved at 11:55:15 PM, on 9/5/04
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v5.00 (5.00.2614.3500)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\PROGRAM FILES\HEWLETT-PACKARD\HP PRECISIONSCAN\PRECISIONSCAN\HPLAMP.EXE
    C:\PROGRAM FILES\HEWLETT-PACKARD\HP PRECISIONSCAN\PRECISIONSCAN\HPPPT.EXE
    C:\WINDOWS\SYSTEM\HPSJVXD.EXE
    C:\WINDOWS\SYSTEM\STIMON.EXE
    C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\WORKS SHARED\WKCALREM.EXE
    C:\PROGRAM FILES\MSNIA\TRAYCLNT.EXE
    C:\SIERRA\CARDSTUDIO\PLNRNOTE.EXE
    C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\PROGRAM FILES\SPYBOT - SEARCH & DESTROY\SPYBOTSD.EXE
    C:\PROGRAM FILES\WINZIP\WINZIP32.EXE
    C:\WINDOWS\TEMP\HIJACKTHIS.EXE

    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
    O2 - BHO: Class - {8D2AADC8-5DBE-E870-1462-5E5624EFD2B6} - C:\WINDOWS\MFCNA32.DLL (file missing)
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [SourcePath] c:\cabs\gwreg.exe
    O4 - HKLM\..\Run: [HP Lamp] C:\Program Files\Hewlett-Packard\HP PrecisionScan\PrecisionScan\HPLamp.exe
    O4 - HKLM\..\Run: [hpppt] C:\Program Files\Hewlett-Packard\HP PrecisionScan\PrecisionScan\hpppt.exe /ICON
    O4 - HKLM\..\Run: [HPSCANMonitor] C:\WINDOWS\SYSTEM\hpsjvxd.exe
    O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] C:\WINDOWS\SYSTEM\mstask.exe
    O4 - Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
    O4 - Startup: MSN Internet Access.lnk = C:\Program Files\MSNIA\TRAYCLNT.EXE
    O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Startup: Event Planner Reminders Tray Icon.lnk = C:\SIERRA\CardStudio\PLNRnote.exe
    O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O12 - Plugin for .mid: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin2.dll
    O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://msnmember.msn.com
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab

    Anti virus Script

    Starting Scan on 9/6/04 12:03:26 AM
    CWSDetectorScript for Win98

    Found msconfig.exe....with correct file size.

    WARNING: CONTROL.EXE NOT FOUND

    Found rundll32.exe....with correct file size.

    Found notepad.exe....with correct file size.

    Found wmplayer.exe....version 9 found.

    End of scan
     
  12. Nok1

    Nok1

    Joined:
    Feb 15, 2004
    Messages:
    826
    Looks like you are missing control.exe.

    Let me quote flrman1:

    For win98se, control.exe goes in C:\Windows as its default I believe...
     
  13. kmbja711

    kmbja711 Thread Starter

    Joined:
    Aug 13, 2003
    Messages:
    12
    Not sure if I'm doing this correctly. I unzip the file and a Control Panel window opens up. Where do I get the control.exe file from this point?

    Thanks
    kurt
     
  14. kmbja711

    kmbja711 Thread Starter

    Joined:
    Aug 13, 2003
    Messages:
    12
    I've also just noticed that I can't access My Messages on Hotmail. I click on it and nothing. I can only get junk mail to work. Would this be related to the ActiveX security settings I changed?

    Thanks for all your help,

    Kurt
     
  15. Nok1

    Nok1

    Joined:
    Feb 15, 2004
    Messages:
    826

    You might have it set to automatically open the file it unzips. When using winzip, change the unzip location to C:\Windows.
     

Short URL to this thread: https://techguy.org/269577
