help optimizing system / purging malware?

Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

randoti

Thread Starter
Joined
Aug 4, 2004
Messages
40
Hello folks,

Cookiegal had helped me in the past and wanted to express my appreciation for her patience. My parents, whose system was affected, are also very thankful.

I have questions about another system that is having malware problems as well as general setup problems and inefficiencies...Would someone be able to help me if I post an hijackthis log?

Thanks again.
 
Joined
Jan 17, 2004
Messages
9,600
Malware advice is what this forum is about! Post your problem, or help your amigo; experts are here to help.
 

randoti

Thread Starter
Joined
Aug 4, 2004
Messages
40
Thank you for your reply--

I have some kind of Spyware that is popping up search and ad windows intermittently. They are not appearing at the moment so I can't describe them exactly, but one of them has a green dollar sign as an icon instead of the IE icon.

I do notice when I do a Ctrl+Alt+Del that there are a couple of suspicious programs ("Save" and "Findfast") running.

Any help you can provide is greatly appreciated!
 

Cookiegal

Karen
Administrator
Malware Specialist Coordinator
Joined
Aug 27, 2003
Messages
119,594
Hi Randoti,

Please post your Hijack This log for review.

:)
 

randoti

Thread Starter
Joined
Aug 4, 2004
Messages
40
Hi Cookie!
I'm once again indebted for your help.

Logfile of HijackThis v1.98.2
Scan saved at 10:51:35 AM, on 9/13/04
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\SAVE\SAVE.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\OSA.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\FINDFAST.EXE
C:\PROGRAM FILES\ORINOCO\CLIENT MANAGER\CMLUC.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://66.40.21.68/search.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://66.40.21.68/search.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://66.40.21.68/search.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://66.40.21.68/search.php
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = sas.r2.attbi.com:8000
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.r2.attbi.com
N1 - Netscape 4: user_pref("browser.startup.homepage", "http://www.metacrawler.com"); (C:\Program Files\Netscape\Users\mediaone\prefs.js)
O1 - Hosts: 66.40.21.73 auto.search.msn.com
O2 - BHO: URLLink Class - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} - C:\Program Files\NewDotNet\newdotnet6_38.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [AVM] C:\WINDOWS\avm.vbs
O4 - HKLM\..\Run: [WhenUSave] C:\PROGRA~1\SAVE\Save.exe
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,NewDotNetStartup -s
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKCU\..\Run: [AIM] C:\PROGRAM FILES\AIM95\aim.exe -cnetwait.odl
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Startup: Shockwave Init.lnk = C:\WINDOWS\SYSTEM\MACROMED\Shockwave\swinit.exe
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Startup: Client Manager.lnk = C:\Program Files\ORiNOCO\Client Manager\cmluc.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM95\AIM.EXE
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O16 - DPF: {02466323-75ED-11CF-A267-0020AF2546EA} (VivoActive Control) - http://vivo.real.com/dldv2/vvweb.cab
 

Cookiegal

Karen
Administrator
Malware Specialist Coordinator
Joined
Aug 27, 2003
Messages
119,594
Go to this site and download the New.Net removal tool:

http://www.newdotnet.com

Scroll to the bottom of the page to procedure 4 and download and run the New.Net removal tool.

Then, please download and run the following programs:

AD-AWARE

Go here: http://www.lavasoftusa.com/support/download/
and download Ad-Aware SE Personal

Install the program and launch it.

First, in the bottom right-hand corner of the main window click on Check for updates now then click Connect and download the latest reference files.

Then, in the main window: Click Start and under Select a scan Mode tick Perform full system scan.

Then, deselect Search for negligible risk entries.

To start the scan, click the Next button.

When the scan is finished mark everything for removal and get rid of it. (Right-click the window and choose select all from the drop down menu and then click Next)

Restart your computer.

SPYBOT SEARCH & DESTROY

http://majorgeeks.com/download2471.html

Open Spybot Search & Destroy (click Start, Programs, Spybot S&D (Advanced Mode)). Click Online, Search for updates, Download all available updates. Close all browser windows, then click "Check for Problems". Anything that needs to be fixed will show in red and have a green check in the box to the left. Click "Fix Selected Problems", then restart your computer.

Then, after rebooting, please post another log and we’ll see what’s left to get rid of.
 

randoti

Thread Starter
Joined
Aug 4, 2004
Messages
40
Cookie,

I went ahead with the NewDotNet removal, and then rebooted.
Unfortunately, my desktop machine will now not connect to the internet. I'm certain it's an issue with the specific computer since my laptop is still able to access the net through the same connection.

I'm having a technician from my ISP come out later today to try to get the desktop connected to the internet again.

My laptop's connection wasn't affected, so I wanted to write to give you an update. I'll complete your instructions once I can get the desktop machine connected.

Thank You
 

randoti

Thread Starter
Joined
Aug 4, 2004
Messages
40
Hello again,

The desktop machine's internet access has been restored, so I proceeded with the Ad-Aware and Spybot instructions. Here's the latest log, thanks Cookie:

Logfile of HijackThis v1.98.2
Scan saved at 4:22:53 PM, on 9/14/04
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\OSA.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\FINDFAST.EXE
C:\PROGRAM FILES\ORINOCO\CLIENT MANAGER\CMLUC.EXE
C:\PROGRAM FILES\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://66.40.21.68/search.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://66.40.21.68/search.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://66.40.21.68/search.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://66.40.21.68/search.php
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = sas.r2.attbi.com:8000
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.r2.attbi.com
N1 - Netscape 4: user_pref("browser.startup.homepage", "http://www.metacrawler.com"); (C:\Program Files\Netscape\Users\mediaone\prefs.js)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [AVM] C:\WINDOWS\avm.vbs
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Startup: Shockwave Init.lnk = C:\WINDOWS\SYSTEM\MACROMED\Shockwave\swinit.exe
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Startup: Client Manager.lnk = C:\Program Files\ORiNOCO\Client Manager\cmluc.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM95\AIM.EXE
 

Cookiegal

Karen
Administrator
Malware Specialist Coordinator
Joined
Aug 27, 2003
Messages
119,594
Rescan with Hijack This, close all browser windows except Hijack This, put a check mark beside these entries and click “fix checked”.

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://66.40.21.68/search.php

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://66.40.21.68/search.php

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://66.40.21.68/search.php

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://66.40.21.68/search.php

O4 - HKLM\..\Run: [AVM] C:\WINDOWS\avm.vbs

O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)


Then boot to safe mode (see how below), locate and delete these files and/or folders:

C:\WINDOWS\avm.vbs - file

How to restart to safe mode:
http://service1.symantec.com/SUPPOR...2001052409420406?OpenDocument&src=sec_doc_nam

These files may be hidden so please do this:

Open My Computer.
Select the View menu and click Folder Options.
Select the View Tab.
In the Hidden files section select “show all files”
Click OK

Do a couple of on-line virus scans at these links:

http://housecall.trendmicro.com/
http://www.pandasoftware.com/activescan/

Then reboot and post another log please
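A small triage script, added here as an illustration and not part of the thread or of HijackThis itself, that applies the same reasoning Cookiegal used to the log above: it flags R1 search settings that point at a bare IP address, O1 hosts-file redirects, the New.Net BHO, O4 entries that launch a script file, orphaned O9 buttons and O10 LSP hijacks, and leaves the legitimate ISP proxy and taskmon entries alone. The sample lines are copied from the logs posted in this thread; the rule names and the `classify`/`triage` helpers are my own.

```python
import re
from urllib.parse import urlparse

# Sample HijackThis entries copied from the logs posted in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://66.40.21.68/search.php
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = sas.r2.attbi.com:8000
O1 - Hosts: 66.40.21.73 auto.search.msn.com
O2 - BHO: URLLink Class - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} - C:\Program Files\NewDotNet\newdotnet6_38.dll
O4 - HKLM\..\Run: [AVM] C:\WINDOWS\avm.vbs
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O10 - Hijacked Internet access by New.Net
"""

IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
SEARCH_KEYS = ("SearchURL", "Search Bar", "Search Page", "SearchAssistant")
SCRIPT_EXT = (".vbs", ".js", ".bat", ".wsf")

def classify(line):
    """Return a reason if the entry matches one of the hijack patterns, else None (own rules)."""
    section, _, body = line.partition(" - ")
    if section == "R1" and any(key in body for key in SEARCH_KEYS):
        host = urlparse(body.split(" = ", 1)[-1].strip()).hostname or ""
        if IPV4_RE.match(host):  # search provider replaced by a raw IP, as in this log
            return "IE search setting points at a bare IP address"
    elif section == "O1":
        parts = body.split()  # "Hosts: <ip> <domain>"
        return f"hosts-file redirect of {parts[-1]} to {parts[1]}"
    elif section == "O2" and "newdotnet" in body.lower():
        return "New.Net browser helper object"
    elif section == "O4":
        target = body.split("] ", 1)[-1].strip().lower()
        if target.endswith(SCRIPT_EXT):  # e.g. avm.vbs; normal Run entries are .exe
            return "startup entry launches a script file"
    elif section == "O9" and body.endswith("(no file)"):
        return "orphaned button entry with no backing file"
    elif section == "O10":
        return "Winsock LSP hijack"
    return None

def triage(log_text):
    """Return (entry, reason) pairs for every suspicious line in a HijackThis log."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        reason = classify(line) if line else None
        if reason:
            findings.append((line, reason))
    return findings
```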
 

randoti

Thread Starter
Joined
Aug 4, 2004
Messages
40
Instructions complete, here's the latest log

Logfile of HijackThis v1.98.2
Scan saved at 7:21:31 PM, on 9/15/04
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\OSA.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\FINDFAST.EXE
C:\PROGRAM FILES\ORINOCO\CLIENT MANAGER\CMLUC.EXE
C:\PROGRAM FILES\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = sas.r2.attbi.com:8000
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.r2.attbi.com
N1 - Netscape 4: user_pref("browser.startup.homepage", "http://www.metacrawler.com"); (C:\Program Files\Netscape\Users\mediaone\prefs.js)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Startup: Shockwave Init.lnk = C:\WINDOWS\SYSTEM\MACROMED\Shockwave\swinit.exe
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Startup: Client Manager.lnk = C:\Program Files\ORiNOCO\Client Manager\cmluc.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM95\AIM.EXE
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
 

Cookiegal

Karen
Administrator
Malware Specialist Coordinator
Joined
Aug 27, 2003
Messages
119,594
The log looks good to me now. How's everything running?
 

randoti

Thread Starter
Joined
Aug 4, 2004
Messages
40
Hi Cookie,
Sorry for the delay in getting back to you...
THANKS AGAIN! Everything is working just fine, no complaints whatsoever.
Best Regards!
randoti
 

Cookiegal

Karen
Administrator
Malware Specialist Coordinator
Joined
Aug 27, 2003
Messages
119,594