HELP! Virus through Yahoo messenger

Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

nuttyboy34

Thread Starter
Joined
Apr 15, 2004
Messages
4
Hi, first, thanks for all your help. Here's what happened....
Last night I was on Yahoo Messenger (not going through the website, just using the messenger like AIM), and another person with the screenname "jemmauk75" started talking to me. She said she knew me, so I asked who she was. She said she would send pictures to see if I recognized her. She sent about 5 or 6 pictures, very quickly, one after the other. I saved them to my desktop and noticed two other files there. One was "sys.dll" and I can't remember what the other was, maybe a .log file or something. After she sent the last picture, I was booted from the messenger. I realized then that something fishy was going on. Now, Netscape 7.1 didn't work, it said the shortcut was missing, and when I restarted my computer, Drivespace 3 started, and it said I was using 0% of my hard drive. I went back on to messenger and talked to this person, and was booted again, as if she could boot me. I was looking through files on my computer (because my "find file" program doesn't work) and found a file called "blindman" and "000.exe". I deleted both of them. I ran Norton Antivirus and it found nothing, spybot and adaware, they found nothing. I had to redownload netscape just to post this thread. I don't know if I just have a virus or this person now has access to my computer. I've deleted quite a few files, and unchecked quite a few things from the startup portion of msconfig, but my computer is pretty unstable and freezes constantly. PLEASE HELP ME!!! I'm afraid to be online because I don't know if someone is still messing with my computer. Thanks again.
 

nuttyboy34

Thread Starter
Joined
Apr 15, 2004
Messages
4
Alright, here are the results of HijackThis. Also, before I got the virus, Internet Explorer constantly changed its homepage to porn and added porn to my favorites, and then stopped working altogether. Every time I open it, it says "illegal operation." It's also kind of weird because my housemate's IE stopped working around the same time. We've got a cable modem and we all go through a router. Anyway, here's the log:

Logfile of HijackThis v1.97.7
Scan saved at 11:57:39 AM, on 4/16/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\PROGRAM FILES\AHEAD\INCD\INCD.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
C:\PROGRAM FILES\CREATIVE\SHARED FILES\CAMTRAY.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\WINDOWS\WINH.EXE
C:\WINDOWS\OLEHELP.EXE
C:\PROGRAM FILES\PALM\HOTSYNC.EXE
C:\PROGRAM FILES\NETSCAPE\NETSCAPE\NETSCP.EXE
C:\MY DOCUMENTS\DOWNLOAD\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://find4u.net/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://find4u.net/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://find4u.net/index.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://find4u.net/index.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.babersucks.com/freegay/start/free_porn.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.babersucks.com/freegay/start/free_porn.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://bxunwt.t.muxa.cc/s.php?aid=240 (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.bigsexvideos.com/s.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://mshp.dll/index.html#10213
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://bxunwt.t.muxa.cc/s.php?aid=240 (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://mshp.dll/sp.html#10213
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://mshp.dll/index.html#10213
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://mshp.dll/sp.html#10213
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://find4u.net/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://find4u.net/index.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = http://bxunwt.t.muxa.cc/h.php?aid=240 (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = http://www.bigsexvideos.com/s.php
N1 - Netscape 4: user_pref("browser.startup.homepage", "http://www.umich.edu"); (C:\Program Files\Netscape\Users\default\prefs.js)
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://www.umich.edu"); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\6ezezzq3.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CPROGRAM%20FILES%5CNETSCAPE%5CNETSCAPE%5Csearchplugins%5CSBWeb_01.src"); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\6ezezzq3.slt\prefs.js)
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRAM FILES\YAHOO!\COMMON\YCOMP5_2_3_0.DLL
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - (no file)
O2 - BHO: (no name) - {FD9BC004-8331-4457-B830-4759FF704C22} - C:\WINDOWS\APPLICATION DATA\MSIW\MSIESH.DLL
O2 - BHO: ShowSearch module - {E2DDF680-9905-4dee-8C64-0A5DE7FE133C} - C:\WINDOWS\APPLICATION DATA\MSIW\MSSEARCH.DLL
O2 - BHO: (no name) - {77712A64-F30B-47C8-A363-CDA1CEC7DC1B} - C:\PROGRA~1\ADVANC~1\ADVANC~1.DLL
O2 - BHO: (no name) - {09F0F280-FB9A-481B-B69A-CB00DC44D027} - C:\PROGRA~1\ADVANC~1\POPUPJ~1.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMMON\YCOMP5_2_3_0.DLL
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [InCD] C:\Program Files\ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE
O4 - HKLM\..\Run: [Creative WebCam Tray] C:\Program Files\Creative\Shared Files\CAMTRAY.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [Winhost] C:\WINDOWS\winh.exe
O4 - HKLM\..\Run: [MMSystem] C:\WINDOWS\COMMAND\cscbii.pif
O4 - HKLM\..\Run: [RunProgsSI] C:\WINDOWS\SYSTEM\SVCHOSTS.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [RunProgsSI] C:\WINDOWS\SYSTEM\SVCHOSTS.EXE
O4 - HKCU\..\Run: [olehelp] C:\WINDOWS\olehelp.exe
O4 - HKCU\..\Run: [RunProgsSI] C:\WINDOWS\SYSTEM\SVCHOSTS.EXE
O4 - HKCU\..\Run: [MMSystem] C:\WINDOWS\COMMAND\cscbii.pif
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: MSN Messenger Service (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
O16 - DPF: {4D7F48C0-CB49-4EA6-97D4-04F4EACC2F3B} (InstallShield Setup Player 2K2) - http://www.ipswitch.com/_installs/wsftp_le/setup.exe
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0309.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yse/ymmapi_416.dll
O16 - DPF: {36C66BBD-E667-4DAD-9682-58050E7C9FDC} (CDKey Class) - http://www.cdkeybonus.com/cdkey/ITCDKey.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52...pple.com/mickey/us/win/QuickTimeInstaller.exe
O16 - DPF: Yahoo! Blackjack - http://download.games.yahoo.com/games/clients/y/jt0_x.cab

I went to that other link to run the virus scan, downloaded it, tried to run it. However, it said I don't have enough memory. I know I've got more than enough. I went into dos and typed "mem" and its output was interesting, so here it is:

C:\My Documents\download>mem

Memory Type            Total       Used       Free
----------------    --------   --------   --------
Conventional            640K        39K       601K
Upper                     0K         0K         0K
Reserved                  0K         0K         0K
Extended (XMS)       65,535K          ?   228,116K
----------------    --------   --------   --------
Total memory         66,175K          ?   228,717K

Total under 1 MB        640K        39K       601K

Total Expanded (EMS)            64M (67,108,864 bytes)
Free Expanded (EMS)             16M (16,777,216 bytes)

Largest executable program size        601K (614,928 bytes)
Largest free upper memory block          0K (0 bytes)
MS-DOS is resident in the high memory area.

My computer has 20 Gbytes hard disk space, over half unused, and 128 Mbytes of Ram (I think). I'll keep trying to run that scan while I wait for your reply. Thanks.
 
Joined
Dec 9, 2000
Messages
45,855
The system is very badly compromised with hijacks and trojan/worm wares.

1 -- Go to the site below, obtain the CoolWebShredder, CWShredder.exe, and run it and have it FIX problems. Then reboot.

http://www.spywareinfo.com/~merijn/downloads.html

2 -- After rebooting run HijackThis again and check all of the following entries that may remain, close the browser, and click "fix checked"

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://find4u.net/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://find4u.net/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://find4u.net/index.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://find4u.net/index.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.babersucks.com/freegay/start/free_porn.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.babersucks.com/freegay/start/free_porn.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://bxunwt.t.muxa.cc/s.php?aid=240 (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.bigsexvideos.com/s.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://mshp.dll/index.html#10213
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://bxunwt.t.muxa.cc/s.php?aid=240 (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://mshp.dll/sp.html#10213
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://mshp.dll/index.html#10213
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://mshp.dll/sp.html#10213
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://find4u.net/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://find4u.net/index.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = http://bxunwt.t.muxa.cc/h.php?aid=240 (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = http://www.bigsexvideos.com/s.php

O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - (no file)
O2 - BHO: (no name) - {FD9BC004-8331-4457-B830-4759FF704C22} - C:\WINDOWS\APPLICATION DATA\MSIW\MSIESH.DLL
O2 - BHO: ShowSearch module - {E2DDF680-9905-4dee-8C64-0A5DE7FE133C} - C:\WINDOWS\APPLICATION DATA\MSIW\MSSEARCH.DLL

O4 - HKLM\..\Run: [Winhost] C:\WINDOWS\winh.exe
O4 - HKLM\..\Run: [MMSystem] C:\WINDOWS\COMMAND\cscbii.pif
O4 - HKLM\..\Run: [RunProgsSI] C:\WINDOWS\SYSTEM\SVCHOSTS.EXE
O4 - HKCU\..\Run: [olehelp] C:\WINDOWS\olehelp.exe
O4 - HKCU\..\Run: [RunProgsSI] C:\WINDOWS\SYSTEM\SVCHOSTS.EXE
O4 - HKCU\..\Run: [MMSystem] C:\WINDOWS\COMMAND\cscbii.pif

3 -- Reboot again and find and delete the bolded files above

4 -- Install, UPDATE, and run Spybot following the directions below, reboot and post another Scanlog.

http://tomcoyote.org/SPYBOT/index1.php
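As an added example (not from this thread and not HijackThis's own code), the Python script below applies the reasoning used in the reply above: it parses the R/O entries of a HijackThis log, flags the patterns seen here (start/search pages on untrusted hosts or served from a res:// DLL, a BHO with no file, a .pif autorun, svchosts.exe as a lookalike of svchost.exe), and diffs two scans so the entries that survive a fix round stand out. The trusted-host allowlist and the legitimate-binary list are assumptions; the sample log lines are copied from the logs posted in this thread.

```python
# Constructed triage helper for HijackThis-style logs (added example, not HijackThis code).
import difflib
import re
from urllib.parse import urlparse

# Assumed allowlist of hosts acceptable as IE start/search pages.
TRUSTED_HOSTS = {"www.msn.com", "www.microsoft.com", "www.umich.edu"}
# Assumed list of legitimate Win9x autorun binaries, used to spot near-miss names.
LEGIT_BINARIES = {"svchost.exe", "explorer.exe", "rundll32.exe", "mstask.exe", "systray.exe"}
NON_PE_EXTENSIONS = {".pif", ".bat", ".scr", ".com"}
ENTRY_RE = re.compile(r"^([RNOF]\d+) - (.*)$")
BINARY_RE = re.compile(r"(\S+\.(?:exe|pif|bat|scr|com))\b", re.I)

# Sample scans: lines copied from the logs posted in this thread, trimmed to a few entries.
LOG_ROUND1 = r"""Logfile of HijackThis v1.97.7
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://find4u.net/index.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://bxunwt.t.muxa.cc/s.php?aid=240 (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://mshp.dll/index.html#10213
O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - (no file)
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [Winhost] C:\WINDOWS\winh.exe
O4 - HKLM\..\Run: [MMSystem] C:\WINDOWS\COMMAND\cscbii.pif
O4 - HKLM\..\RunServices: [RunProgsSI] C:\WINDOWS\SYSTEM\SVCHOSTS.EXE
"""
LOG_ROUND2 = r"""O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [MMSystem] C:\WINDOWS\COMMAND\cscbii.pif
O4 - HKLM\..\RunServices: [RunProgsSI] C:\WINDOWS\SYSTEM\SVCHOSTS.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
"""


def parse_log(text):
    """Return (section, body) pairs for the R/N/O/F entries, skipping header lines."""
    matches = (ENTRY_RE.match(line.strip()) for line in text.splitlines())
    return [(m.group(1), m.group(2)) for m in matches if m]


def flag_entry(section, body):
    """Return a reason string if the entry matches a hostile pattern, else None."""
    if section in ("R0", "R1") and "=" in body:
        # The value may carry HijackThis's own annotation, e.g. "(obfuscated)"; keep the URL only.
        url = urlparse(body.split("=", 1)[1].strip().split(" ")[0])
        if url.scheme == "res":
            return "start/search page served from a local DLL resource"
        if url.scheme in ("http", "https") and url.hostname not in TRUSTED_HOSTS:
            return f"start/search page points to untrusted host {url.hostname}"
    elif section == "O2" and body.endswith("(no file)"):
        return "BHO registered but its DLL is missing"
    elif section == "O4" and (m := BINARY_RE.search(body)):
        name = m.group(1).rsplit("\\", 1)[-1].strip('"').lower()
        ext = name[name.rfind("."):]
        if ext in NON_PE_EXTENSIONS:
            return f"autorun of a non-executable {ext} file ({name})"
        for legit in LEGIT_BINARIES:
            # Near-identical spelling of a system binary (svchosts.exe vs svchost.exe).
            if name != legit and difflib.SequenceMatcher(None, name, legit).ratio() > 0.9:
                return f"{name} is a lookalike of {legit}"
    return None


def triage(text):
    """All flagged entries of one scan as (section, body, reason) triples."""
    return [(s, b, flag_entry(s, b)) for s, b in parse_log(text) if flag_entry(s, b)]


def diff_logs(before, after):
    """Split entries into removed / persisting / new between two scans."""
    b, a = set(parse_log(before)), set(parse_log(after))
    return {"removed": b - a, "persisting": b & a, "new": a - b}


def stubborn_entries(before, after):
    """Flagged entries that survived a fix round, i.e. the fix did not stick."""
    persisting = sorted(diff_logs(before, after)["persisting"])
    return [(s, b, flag_entry(s, b)) for s, b in persisting if flag_entry(s, b)]
```

Running `triage(LOG_ROUND1)` flags six of the eight entries, and `stubborn_entries(LOG_ROUND1, LOG_ROUND2)` reduces the second scan to the two autoruns that came back after the first fix.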
 

nuttyboy34

Thread Starter
Joined
Apr 15, 2004
Messages
4
I followed all of your steps, but there are still files in the latest hijackthis log that I removed earlier. Also, on step 3, I could only find winh.exe, all of the others were just missing. Here's the HijackThis log:

Logfile of HijackThis v1.97.7
Scan saved at 3:55:01 PM, on 4/18/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\AHEAD\INCD\INCD.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\PROGRAM FILES\PALM\HOTSYNC.EXE
C:\MY DOCUMENTS\DOWNLOAD\HIJACKTHIS.EXE

N1 - Netscape 4: user_pref("browser.startup.homepage", "http://www.umich.edu"); (C:\Program Files\Netscape\Users\default\prefs.js)
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://www.umich.edu"); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\6ezezzq3.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CPROGRAM%20FILES%5CNETSCAPE%5CNETSCAPE%5Csearchplugins%5CSBWeb_01.src"); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\6ezezzq3.slt\prefs.js)
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRAM FILES\YAHOO!\COMMON\YCOMP5_2_3_0.DLL
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {77712A64-F30B-47C8-A363-CDA1CEC7DC1B} - C:\PROGRA~1\ADVANC~1\ADVANC~1.DLL
O2 - BHO: (no name) - {09F0F280-FB9A-481B-B69A-CB00DC44D027} - C:\PROGRA~1\ADVANC~1\POPUPJ~1.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMMON\YCOMP5_2_3_0.DLL
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [InCD] C:\Program Files\ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE
O4 - HKLM\..\Run: [Creative WebCam Tray] C:\Program Files\Creative\Shared Files\CAMTRAY.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [MMSystem] C:\WINDOWS\COMMAND\cscbii.pif
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [RunProgsSI] C:\WINDOWS\SYSTEM\SVCHOSTS.EXE
O4 - HKCU\..\Run: [MMSystem] C:\WINDOWS\COMMAND\cscbii.pif
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: MSN Messenger Service (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
O16 - DPF: {4D7F48C0-CB49-4EA6-97D4-04F4EACC2F3B} (InstallShield Setup Player 2K2) - http://www.ipswitch.com/_installs/wsftp_le/setup.exe
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0309.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yse/ymmapi_416.dll
O16 - DPF: {36C66BBD-E667-4DAD-9682-58050E7C9FDC} (CDKey Class) - http://www.cdkeybonus.com/cdkey/ITCDKey.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: Yahoo! Poker - http://download.games.yahoo.com/games/clients/y/pt0_x.cab
O16 - DPF: Video Poker - http://download.games.yahoo.com/games/clients/y/vpt0_x.cab
O16 - DPF: Yahoo! Fleet - http://download.games.yahoo.com/games/clients/y/fltt3_x.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52...pple.com/mickey/us/win/QuickTimeInstaller.exe
O16 - DPF: Yahoo! Blackjack - http://download.games.yahoo.com/games/clients/y/jt0_x.cab

Also, I was never able to run the virus scan. I even burned it to CD and it still didn't work.
 
Joined
Dec 9, 2000
Messages
45,855
What virus scan did you try to burn to CD? HouseCall is an "online" scanner, you cannot burn that to CD. However, Trend Micro's Damage Cleanup scanner can be downloaded and run off the hard drive; see the link below.

Here's what you need to do for now. Reboot in Safe Mode. This is done by pressing and holding the ctrl key immediately on a reboot and selecting Safe Mode from the Startup Menu options which should appear.

In Safe Mode run HijackThis and check these entries and "fix" them:

O4 - HKLM\..\Run: [MMSystem] C:\WINDOWS\COMMAND\cscbii.pif

O4 - HKLM\..\RunServices: [RunProgsSI] C:\WINDOWS\SYSTEM\SVCHOSTS.EXE
O4 - HKCU\..\Run: [MMSystem] C:\WINDOWS\COMMAND\cscbii.pif


>> Next, make sure "show all files" is enabled in Folder Options > View and use Windows Explorer to navigate to the files bolded above and delete them.

Trend Micro's Damage Cleanup:

http://www.trendmicro.com/download/tsc.asp

The files which you couldn't find are no longer showing as Running Processes so either they have "morphed" or NAV has found and quarantined or deleted them.

Post another Scanlog after you have followed the first steps, regardless of whether you are able to download and run Trend's AV.
 

nuttyboy34

Thread Starter
Joined
Apr 15, 2004
Messages
4
This time, I was able to delete cscbii.pif but not SVCHOSTS.exe.
Here's the HijackThis log:

Logfile of HijackThis v1.97.7
Scan saved at 7:32:31 PM, on 4/23/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\PROGRAM FILES\AHEAD\INCD\INCD.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
C:\PROGRAM FILES\CREATIVE\SHARED FILES\CAMTRAY.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\PROGRAM FILES\PALM\HOTSYNC.EXE
C:\MY DOCUMENTS\DOWNLOAD\HIJACKTHIS.EXE

N1 - Netscape 4: user_pref("browser.startup.homepage", "http://www.umich.edu"); (C:\Program Files\Netscape\Users\default\prefs.js)
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://www.umich.edu"); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\6ezezzq3.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CPROGRAM%20FILES%5CNETSCAPE%5CNETSCAPE%5Csearchplugins%5CSBWeb_01.src"); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\6ezezzq3.slt\prefs.js)
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRAM FILES\YAHOO!\COMMON\YCOMP5_2_3_0.DLL
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {77712A64-F30B-47C8-A363-CDA1CEC7DC1B} - C:\PROGRA~1\ADVANC~1\ADVANC~1.DLL
O2 - BHO: (no name) - {09F0F280-FB9A-481B-B69A-CB00DC44D027} - C:\PROGRA~1\ADVANC~1\POPUPJ~1.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMMON\YCOMP5_2_3_0.DLL
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [InCD] C:\Program Files\ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE
O4 - HKLM\..\Run: [Creative WebCam Tray] C:\Program Files\Creative\Shared Files\CAMTRAY.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [MMSystem] C:\WINDOWS\COMMAND\cscbii.pif
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: MSN Messenger Service (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
O16 - DPF: {4D7F48C0-CB49-4EA6-97D4-04F4EACC2F3B} (InstallShield Setup Player 2K2) - http://www.ipswitch.com/_installs/wsftp_le/setup.exe
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0309.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yse/ymmapi_416.dll
O16 - DPF: {36C66BBD-E667-4DAD-9682-58050E7C9FDC} (CDKey Class) - http://www.cdkeybonus.com/cdkey/ITCDKey.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52...pple.com/mickey/us/win/QuickTimeInstaller.exe

I rebooted my computer after running HijackThis for the first time because I couldn't use the internet in safe mode, so this log is the log I received after rebooting.
 
Joined
Dec 9, 2000
Messages
45,855
Well I don't see svchosts.exe there any more but I do see:

O4 - HKLM\..\Run: [MMSystem] C:\WINDOWS\COMMAND\cscbii.pif

It is possible you successfully deleted the file but left the registry entry; in that case though, you should have received a startup error when Windows failed to find it.

Let's try the deletions in Safe Mode this time. If you press and hold the ctrl key promptly on startup you should get a "startup menu" with Safe Mode as an option. If you have problems with this you can run msconfig and enable the startup menu under the "Advanced" tab. This has to be unchecked to boot normally.

In Safe Mode run HijackThis and delete the entry above.

Then open Windows Explorer and delete the cscbii.pif file in the c:\windows\command directory if it is still there.

Also look once again for C:\WINDOWS\SYSTEM\SVCHOSTS.EXE and delete it if you find it.

Reboot and post a new Scanlog. Looks like we are close to wrapping this up.
 