1. Computer problem? Tech Support Guy is completely free -- paid for by advertisers and donations. Click here to join today! If you're new to Tech Support Guy, we highly recommend that you visit our Guide for New Members.

help optimizing system / purging malware?

Discussion in 'Virus & Other Malware Removal' started by randoti, Sep 11, 2004.

Thread Status:
Not open for further replies.
Advertisement
  1. randoti

    randoti Thread Starter

    Joined:
    Aug 4, 2004
    Messages:
    40
    Hello folks,

    Cookiegal had helped me in the past and wanted to express my appreciation for her patience. My parents, whose system was affected, are also very thankful.

    I have questions about another system that is having malware problems as well as general setup problems and inefficiencies...Would someone be able to help me if I post an hijackthis log?

    Thanks again.
     
  2. Fidelista

    Fidelista

    Joined:
    Jan 17, 2004
    Messages:
    9,600
    Malware advice is what this forum is about!. Post your problem, or help your amigo, experts are here to help. >f
     
  3. randoti

    randoti Thread Starter

    Joined:
    Aug 4, 2004
    Messages:
    40
    Thank you for your reply--

    I have some kind of Spyware that is popping up search and ad windows intermittently. They are not appearing at the moment so I can't describe them exactly, but one of them has a green dollar sign as an icon instead of the IE icon.

    I do notice when I do a Ctrl+Alt+Del that there are a couple of suspicious programs ("Save" and "Findfast") running.

    Any help you can provide is greatly appreciated!
     
  4. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Joined:
    Aug 27, 2003
    Messages:
    114,886
    Hi Randoti,

    Please post your Hijack This log for review.

    :)
     
  5. randoti

    randoti Thread Starter

    Joined:
    Aug 4, 2004
    Messages:
    40
    Hi Cookie!
    I'm once again indebted for your help..

    Logfile of HijackThis v1.98.2
    Scan saved at 10:51:35 AM, on 9/13/04
    Platform: Windows 98 Gold (Win9x 4.10.1998)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\PROGRAM FILES\SAVE\SAVE.EXE
    C:\WINDOWS\RUNDLL32.EXE
    C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\OSA.EXE
    C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\FINDFAST.EXE
    C:\PROGRAM FILES\ORINOCO\CLIENT MANAGER\CMLUC.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\PROGRAM FILES\HIJACKTHIS\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://66.40.21.68/search.php
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://66.40.21.68/search.php
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://66.40.21.68/search.php
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://66.40.21.68/search.php
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = sas.r2.attbi.com:8000
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.r2.attbi.com
    N1 - Netscape 4: user_pref("browser.startup.homepage", "http://www.metacrawler.com"); (C:\Program Files\Netscape\Users\mediaone\prefs.js)
    O1 - Hosts: 66.40.21.73 auto.search.msn.com
    O2 - BHO: URLLink Class - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} - C:\Program Files\NewDotNet\newdotnet6_38.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [AVM] C:\WINDOWS\avm.vbs
    O4 - HKLM\..\Run: [WhenUSave] C:\PROGRA~1\SAVE\Save.exe
    O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,NewDotNetStartup -s
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKCU\..\Run: [AIM] C:\PROGRAM FILES\AIM95\aim.exe -cnetwait.odl
    O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
    O4 - Startup: Shockwave Init.lnk = C:\WINDOWS\SYSTEM\MACROMED\Shockwave\swinit.exe
    O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
    O4 - Startup: Client Manager.lnk = C:\Program Files\ORiNOCO\Client Manager\cmluc.exe
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM95\AIM.EXE
    O10 - Hijacked Internet access by New.Net
    O10 - Hijacked Internet access by New.Net
    O10 - Hijacked Internet access by New.Net
    O10 - Hijacked Internet access by New.Net
    O10 - Hijacked Internet access by New.Net
    O16 - DPF: {02466323-75ED-11CF-A267-0020AF2546EA} (VivoActive Control) - http://vivo.real.com/dldv2/vvweb.cab
     
  6. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Joined:
    Aug 27, 2003
    Messages:
    114,886
    Go to this site and download the New.Net removal tool:

    http://www.newdotnet.com

    Scroll to the bottom of the page to procedure 4 and download and run the New.Net removal tool.

    Then, please download and run the following programs:

    AD-AWARE

    Go here: http://www.lavasoftusa.com/support/download/
    and download Ad-Aware SE Personal

    Install the program and launch it.

    First, in the bottom right-hand corner of the main window click on Check for updates now then click Connect and download the latest reference files.

    Then, in the main window: Click Start and under Select a scan Mode tick Perform full system scan.

    Then, deselect Search for negligible risk entries.

    To start the scan, click the Next button.

    When the scan is finished mark everything for removal and get rid of it. (Right-click the window and choose select all from the drop down menu and then click Next)

    Restart your computer.

    SPYBOT SEARCH & DESTROY

    http://majorgeeks.com/download2471.html

    Open Spybot Search & Destroy (Click Start, Programs, Spybot S&D (Advanced Mode). Click online, Search for updates, Download all available updates. Close all Browser windows, Click ''Check for Problems''. Anything that needs to be fixed it will show in red and have a green check in the box to the left. Click ''Fix Selected Problems'', Then restart your computer.

    Then, after rebooting, please post another log and we’ll see what’s left to get rid of.
     
  7. randoti

    randoti Thread Starter

    Joined:
    Aug 4, 2004
    Messages:
    40
    Cookie,

    I went ahead with the NewDotNet removal, and then rebooted.
    Unfortunately, my desktop machine will now not connect to the internet. I'm certain it's an issue with the specific computer since my laptop is still able to access the net through the same connection.

    I'm having a technician from my ISP come out later today to try to get the desktop connected to the internet again.

    My laptop's connection wasn't affected, so I wanted to write to give you an update. I'll complete your instructions once I can get the desktop machine connected.

    Thank You
     
  8. randoti

    randoti Thread Starter

    Joined:
    Aug 4, 2004
    Messages:
    40
    Hello again,

    The deskop machine's internet access has been restored, so I proceeded with the ad-aware and spybot instructions. Here's the latest log, thanks Cookie:

    Logfile of HijackThis v1.98.2
    Scan saved at 4:22:53 PM, on 9/14/04
    Platform: Windows 98 Gold (Win9x 4.10.1998)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\OSA.EXE
    C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\FINDFAST.EXE
    C:\PROGRAM FILES\ORINOCO\CLIENT MANAGER\CMLUC.EXE
    C:\PROGRAM FILES\HIJACKTHIS\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://66.40.21.68/search.php
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://66.40.21.68/search.php
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://66.40.21.68/search.php
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://66.40.21.68/search.php
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = sas.r2.attbi.com:8000
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.r2.attbi.com
    N1 - Netscape 4: user_pref("browser.startup.homepage", "http://www.metacrawler.com"); (C:\Program Files\Netscape\Users\mediaone\prefs.js)
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [AVM] C:\WINDOWS\avm.vbs
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
    O4 - Startup: Shockwave Init.lnk = C:\WINDOWS\SYSTEM\MACROMED\Shockwave\swinit.exe
    O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
    O4 - Startup: Client Manager.lnk = C:\Program Files\ORiNOCO\Client Manager\cmluc.exe
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM95\AIM.EXE
     
  9. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Joined:
    Aug 27, 2003
    Messages:
    114,886
    Rescan with Hijack This, close all browser windows except Hijack This, put a check mark beside these entries and click “fix checked”.

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://66.40.21.68/search.php

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://66.40.21.68/search.php

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://66.40.21.68/search.php

    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://66.40.21.68/search.php

    O4 - HKLM\..\Run: [AVM] C:\WINDOWS\avm.vbs

    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)


    Then boot to safe mode (see how below), locate and delete these files and/or folders:

    C:\WINDOWS\avm.vbs - file

    How to restart to safe mode:
    http://service1.symantec.com/SUPPOR...2001052409420406?OpenDocument&src=sec_doc_nam

    These files may be hidden so please do this:

    Open My Computer.
    Select the View menu and click Folder Options.
    Select the View Tab.
    In the Hidden files section select “show all files”
    Click OK

    Do a couple of on-line virus scans at these links:

    http://housecall.trendmicro.com/ http://www.pandasoftware.com/activescan/

    Then reboot and post another log please
     
  10. randoti

    randoti Thread Starter

    Joined:
    Aug 4, 2004
    Messages:
    40
    Instructions complete, here's the latest log

    Logfile of HijackThis v1.98.2
    Scan saved at 7:21:31 PM, on 9/15/04
    Platform: Windows 98 Gold (Win9x 4.10.1998)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\OSA.EXE
    C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\FINDFAST.EXE
    C:\PROGRAM FILES\ORINOCO\CLIENT MANAGER\CMLUC.EXE
    C:\PROGRAM FILES\HIJACKTHIS\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = sas.r2.attbi.com:8000
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.r2.attbi.com
    N1 - Netscape 4: user_pref("browser.startup.homepage", "http://www.metacrawler.com"); (C:\Program Files\Netscape\Users\mediaone\prefs.js)
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
    O4 - Startup: Shockwave Init.lnk = C:\WINDOWS\SYSTEM\MACROMED\Shockwave\swinit.exe
    O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
    O4 - Startup: Client Manager.lnk = C:\Program Files\ORiNOCO\Client Manager\cmluc.exe
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM95\AIM.EXE
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
     
  11. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Joined:
    Aug 27, 2003
    Messages:
    114,886
    The log looks good to me now. How's everything running?
     
  12. randoti

    randoti Thread Starter

    Joined:
    Aug 4, 2004
    Messages:
    40
    Hi Cookie,
    Sorry for the delay in getting back to you...
    THANKS AGAIN! Everything is working just fine, no complaints whatsoever.
    Best Regards!
    randoti
     
  13. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Joined:
    Aug 27, 2003
    Messages:
    114,886
  14. Sponsor

As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 733,556 other people just like you!

Loading...
Thread Status:
Not open for further replies.

Short URL to this thread: https://techguy.org/272949

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice