1. Computer problem? Tech Support Guy is completely free -- paid for by advertisers and donations. Click here to join today! If you're new to Tech Support Guy, we highly recommend that you visit our Guide for New Members.

Need help clearing up Trojan virus on W98

Discussion in 'Virus & Other Malware Removal' started by JDWTX, Oct 7, 2003.

Thread Status:
Not open for further replies.
Advertisement
  1. JDWTX

    JDWTX Thread Starter

    Joined:
    Oct 7, 2003
    Messages:
    5
    Came upon this site today while researching this problem and want to say first of all, What an awesome site! Been reading lots of great info for hours now. I'm trying to clear up some type of trojan/worm that has infected my system. Since the system started acting up I have installed McAfee Internet Security (w Virus Scan, Firewall, & Internet Security GuardDog). It located some infected files and removed them. After reviewing some post here, I also D/loaded Adaware, Spybot and HiJackThis. Adaware and Spybot identified and cleaned quite a bit of stuff and here is the HiJackThis log. Any help on unnecessary items still on my system will be appreciated:

    Logfile of HijackThis v1.97.2
    Scan saved at 4:47:40 AM, on 10/7/03
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\PROGRAM FILES\MCAFEE\MCAFEE INTERNET SECURITY\GUARDDOG.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\AVSYNMGR.EXE
    C:\PROGRAM FILES\MCAFEE\MCAFEE FIREWALL\CPD.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\PROGRAM FILES\MCAFEE\MCAFEE FIREWALL\CPD.EXE
    C:\WINDOWS\SYSTEM\TAPISRV.EXE
    C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\VSSTAT.EXE
    C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\VSSTAT.EXE
    C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\VSHWIN32.EXE
    C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\AVCONSOL.EXE
    C:\PROGRAM FILES\MCAFEE\MCAFEE INTERNET SECURITY\GUARDDOG.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\TRIDTRAY.EXE
    C:\WINDOWS\MK9805.EXE
    C:\WINDOWS\SYSTEM\QTTASK.EXE
    C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\EVNTSVC.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\WINDOWS\SYSTEM\PSTORES.EXE
    C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\OUTLOOK.EXE
    C:\UNZIPPED\HIJACKTHIS[1]\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://140.99.106.182/tlp/search.php
    R1 - HKCU\Software\Microsoft\Internet Explorer,Default_Search_URL = http://www.w50.com/search.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/comcast.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by AT&T Broadband Internet
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.searchv.com/1/
    R3 - URLSearchHook: (no name) - {D6DFF6D8-B94B-4720-B730-1C38C7065C3B} - (no file)
    O2 - BHO: NavErrRedir Class - {269B6797-664E-48AA-B283-B012BDF6E525} - C:\PROGRA~1\INCRED~1\BHO\BHO.DLL (file missing)
    O2 - BHO: (no name) - {6D4F4180-ED56-11D7-8C06-00E029617463} - C:\WINDOWS\SYSTEM\VFPFODBC.DLL
    O3 - Toolbar: PowerSearch - {4E7BD74F-2B8D-469E-D3FA-F27BA787AD2D} - C:\PROGRA~1\POWERS~2\TOOLBAR\PWRSWMDA.DLL (file missing)
    O3 - Toolbar: WhyPPC - {92F02779-6D88-4958-8AD3-83C12D86ADC7} - C:\WINDOWS\DOWNLOADED PROGRAM FILES\TOOLBAR.DLL
    O3 - Toolbar: McAfee VirusScan - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\VSCSHELLEXTENSION.DLL
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [TridTray] c:\windows\SYSTEM\tridtray.exe
    O4 - HKLM\..\Run: [CHotKey] mk9805.exe
    O4 - HKLM\..\Run: [Excite Platform] C:\PROGRA~1\EXCITE\PLATFORM\ExLaunch.exe
    O4 - HKLM\..\Run: [ATTRedUpate] C:\PROGRAM FILES\COMMON FILES\AT&T\REDCON\PROGRAMS\AutoUpdate.exe
    O4 - HKLM\..\Run: [QuickTime Task] C:\WINDOWS\SYSTEM\QTTASK.EXE
    O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
    O4 - HKLM\..\Run: [Power Scan] C:\Program Files\Power Scan\powerscan.exe
    O4 - HKLM\..\Run: [[email protected]] C:\WINDOWS\SYSTEM\GpoWx2Xc.exe
    O4 - HKLM\..\Run: [Rundll16] C:\WINDOWS\RUNDLL16.EXE
    O4 - HKLM\..\Run: [OrbitUpdate] C:\Program Files\Orbit\update.exe
    O4 - HKLM\..\Run: [OrbitView] C:\Program Files\Orbit\view.exe
    O4 - HKLM\..\Run: [CreateCD] C:\PROGRA~1\ADAPTEC\EASYCD~1\CREATECD\CREATECD.EXE -r
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [MCAgentExe] C:\Program Files\McAfee.com\Agent\mcagent.exe
    O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\MCAFEE.COM\AGENT\MCUPDATE.EXE
    O4 - HKLM\..\Run: [McAfee Guardian] "c:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe" /SU
    O4 - HKLM\..\Run: [VirusScanMSC] "C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\VSSTAT.EXE" /EMBEDDING
    O4 - HKLM\..\Run: [Mount Safe & Sound] C:\PROGRAM FILES\MCAFEE\MCAFEE SHARED COMPONENTS\SAFE&SOUND\FBMOUNT.EXE
    O4 - HKLM\..\Run: [TB_setup] C:\WINDOWS\TEMP\TB_ANI~1.EXE /dcheck
    O4 - HKLM\..\RunServices: [GuardDogEXE] "C:\PROGRAM FILES\MCAFEE\MCAFEE INTERNET SECURITY\GUARDDOG.EXE" /SERVICE
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [McAfeeVirusScanService] c:\Program Files\McAfee\McAfee VirusScan\AVSYNMGR.EXE
    O4 - HKLM\..\RunServices: [McAfee Firewall] "C:\PROGRAM FILES\MCAFEE\MCAFEE FIREWALL\CPD.EXE" /SERVICE
    O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
    O4 - HKCU\..\Run: [HXIUL.EXE] C:\Program Files\Alset\HelpExpress\Default\HXIUL.EXE
    O4 - HKCU\..\Run: [HELPEXP.EXE] C:\Program Files\Alset\HelpExpress\Default\Client\HelpExp.exe
    O4 - HKCU\..\Run: [McAfee.InstantUpdate.Monitor] "c:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe" /STARTMONITOR
    O4 - Startup: sb.hta
    O4 - Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
    O4 - Startup: Exif Launcher.lnk = C:\Program Files\Exif Launcher\QuickDCF.exe
    O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\WebshotsTray.exe
    O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O8 - Extra context menu item: LimeShop Preferences - file://C:\Program Files\LimeShop\System\Temp\limeshop_script0.htm
    O9 - Extra button: Real.com (HKLM)
    O9 - Extra button: WhyPPC (HKLM)
    O9 - Extra 'Tools' menuitem: WhyPPC (HKLM)
    O12 - Plugin for .mp3: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin3.dll
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37876.5395138889

    :confused: :confused: :confused:
     
  2. bandit429

    bandit429

    Joined:
    Feb 11, 2002
    Messages:
    4,962
    I didnt have time to get through it all this morning,,but I did notice one thing I had a question about in a quick scan,,,,there is more btw so hang on for the whole bit later,,,,how many versions of Macafee virus scan are working on your computer?
     
  3. JDWTX

    JDWTX Thread Starter

    Joined:
    Oct 7, 2003
    Messages:
    5
    As far as I know there is only one version of McAfee virus scan working on my system. The McAfee Internet Security software loaded McAfee VirusScan, McAfee Firewall, and Internet Security GuardDog. I downloaded all of the updates for the software after installing it.
    Hope this answers your question and Thanks for the quick reply to my post!
    I ran Adaware & Spybot again this morning when logging on and neither program found any errors!
    One other thing I noticed this morning. When opening Internet Explorer, the Internet Security GuardDog software is notifying me that an executable file is trying to load from the C\Windows\Temp file. The name is "iic4352.exe". The path is C:\Windows\Temp\iic4352.exe.
    Thanks again for the assistance!
     
  4. ~Candy~

    ~Candy~ Retired Administrator

    Joined:
    Jan 27, 2001
    Messages:
    103,706
    First, delete everything in the temp directory.
     
  5. ~Candy~

    ~Candy~ Retired Administrator

    Joined:
    Jan 27, 2001
    Messages:
    103,706
    O4 - HKLM\..\Run: [[email protected]] C:\WINDOWS\SYSTEM\GpoWx2Xc.exe

    That's definitely a bad one, and I think this one too:

    O4 - Startup: sb.hta
     
  6. Flrman1

    Flrman1

    Joined:
    Jul 26, 2002
    Messages:
    46,329
    JDWTX

    Run Hijack This again and put a check by these. Close all browser windows and "Fix checked"

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://140.99.106.182/tlp/search.php

    R1 - HKCU\Software\Microsoft\Internet Explorer,Default_Search_URL = http://www.w50.com/search.html

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.searchv.com/1/

    R3 - URLSearchHook: (no name) - {D6DFF6D8-B94B-4720-B730-1C38C7065C3B} - (no file)

    O2 - BHO: NavErrRedir Class - {269B6797-664E-48AA-B283-B012BDF6E525} - C:\PROGRA~1\INCRED~1\BHO\BHO.DLL (file missing)

    O2 - BHO: (no name) - {6D4F4180-ED56-11D7-8C06-00E029617463} - C:\WINDOWS\SYSTEM\VFPFODBC.DLL

    O3 - Toolbar: PowerSearch - {4E7BD74F-2B8D-469E-D3FA-F27BA787AD2D} - C:\PROGRA~1\POWERS~2\TOOLBAR\PWRSWMDA.DLL (file missing)

    O3 - Toolbar: WhyPPC - {92F02779-6D88-4958-8AD3-83C12D86ADC7} - C:\WINDOWS\DOWNLOADED PROGRAM FILES\TOOLBAR.DLL

    O4 - HKLM\..\Run: [Excite Platform] C:\PROGRA~1\EXCITE\PLATFORM\ExLaunch.exe

    O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot

    O4 - HKLM\..\Run: [Power Scan] C:\Program Files\Power Scan\powerscan.exe

    O4 - HKLM\..\Run: [[email protected]] C:\WINDOWS\SYSTEM\GpoWx2Xc.exe

    O4 - HKLM\..\Run: [Rundll16] C:\WINDOWS\RUNDLL16.EXE

    O4 - HKLM\..\Run: [OrbitUpdate] C:\Program Files\Orbit\update.exe

    O4 - HKLM\..\Run: [OrbitView] C:\Program Files\Orbit\view.exe

    O4 - HKLM\..\Run: [TB_setup] C:\WINDOWS\TEMP\TB_ANI~1.EXE /dcheck

    O4 - Startup: sb.hta

    O8 - Extra context menu item: LimeShop Preferences - file://C:\Program Files\LimeShop\System\Temp\limeshop_script0.htm

    O9 - Extra button: WhyPPC (HKLM)

    O9 - Extra 'Tools' menuitem: WhyPPC (HKLM)

    Restart to Safe Mode: press f8 on startup and select Safe Mode from the boot menu.

    In Safe Mode navigate to the folder C:\Documents and Settings\All Users\Start Menu\Programs\Startup and delete:

    The sb.hta file

    While still in safe mode also navigate to and delete the following files and folders:

    The C:\Program Files\Power Scan folder
    The C:\WINDOWS\SYSTEM\GpoWx2Xc.exe file
    The C:\WINDOWS\RUNDLL16.EXE file
    The entire contents of the C:\Windows\Temp folder

    Go here http://housecall.trendmicro.com/ and do an online virus scan.
     
  7. JDWTX

    JDWTX Thread Starter

    Joined:
    Oct 7, 2003
    Messages:
    5
    Used HiJack This to remove all of the items listed in the last reply from flrman1. This part went smooth. A little trouble encountered on the 2nd half of the to do list. Went into Safe Mode as instructed, but none of these items were there to delete:

    In Safe Mode navigate to the folder C:\Documents and Settings\All Users\Start Menu\Programs\Startup and delete:
    The sb.hta file

    While still in safe mode also navigate to and delete the following files and folders:
    The C:\Program Files\Power Scan folder
    The C:\WINDOWS\SYSTEM\GpoWx2Xc.exe file
    The C:\WINDOWS\RUNDLL16.EXE file
    The entire contents of the C:\Windows\Temp folder

    Also when I try to use http://housecall.trendmicro.com and do an online virus scan it just locks the system up.

    A few other things that are now occurring:
    1. System showed some type of registry error during a startup and showed it was restoring the bad registry. Now when the system comes up everything that I had previously disabled in the startup folder, when I first started trying to fix this on my own, is once again loading.
    2. When I now attempt to run Ad-Aware and SpyBot the system either locks up at some point and will not function or it shuts itself off and reboots. I cannot get a complete run through on either.

    Here is the current HiJack This log from this morning:

    Logfile of HijackThis v1.97.2
    Scan saved at 11:59:36 AM, on 10/8/03
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\PROGRAM FILES\MCAFEE\MCAFEE INTERNET SECURITY\GUARDDOG.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\AVSYNMGR.EXE
    C:\PROGRAM FILES\MCAFEE\MCAFEE FIREWALL\CPD.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\PROGRAM FILES\MCAFEE\MCAFEE FIREWALL\CPD.EXE
    C:\WINDOWS\SYSTEM\TAPISRV.EXE
    C:\PROGRAM FILES\MCAFEE\MCAFEE INTERNET SECURITY\GUARDDOG.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\VSSTAT.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\TRIDTRAY.EXE
    C:\WINDOWS\MK9805.EXE
    C:\WINDOWS\SYSTEM\QTTASK.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\PROGRAM FILES\MCAFEE.COM\AGENT\MCAGENT.EXE
    C:\PROGRAM FILES\MCAFEE\MCAFEE SHARED COMPONENTS\GUARDIAN\CMGRDIAN.EXE
    C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\VSSTAT.EXE
    C:\PROGRAM FILES\ADAPTEC\EASY CD CREATOR 4\CREATECD\CREATECD.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\VSHWIN32.EXE
    C:\PROGRAM FILES\MCAFEE\MCAFEE SHARED COMPONENTS\INSTANT UPDATER\RULAUNCH.EXE
    C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\WORKS SHARED\WKCALREM.EXE
    C:\PROGRAM FILES\EXIF LAUNCHER\QUICKDCF.EXE
    C:\PROGRAM FILES\WEBSHOTS\WEBSHOTSTRAY.EXE
    C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
    C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\AVCONSOL.EXE
    C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\1033\MSOFFICE.EXE
    C:\UNZIPPED\HIJACKTHIS[1]\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/comcast.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by AT&T Broadband Internet
    O3 - Toolbar: McAfee VirusScan - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\VSCSHELLEXTENSION.DLL
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [TridTray] c:\windows\SYSTEM\tridtray.exe
    O4 - HKLM\..\Run: [CHotKey] mk9805.exe
    O4 - HKLM\..\Run: [ATTRedUpate] C:\PROGRAM FILES\COMMON FILES\AT&T\REDCON\PROGRAMS\AutoUpdate.exe
    O4 - HKLM\..\Run: [QuickTime Task] C:\WINDOWS\SYSTEM\QTTASK.EXE
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [MCAgentExe] C:\Program Files\McAfee.com\Agent\mcagent.exe
    O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\MCAFEE.COM\AGENT\MCUPDATE.EXE
    O4 - HKLM\..\Run: [McAfee Guardian] "c:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe" /SU
    O4 - HKLM\..\Run: [VirusScanMSC] "C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\VSSTAT.EXE" /EMBEDDING
    O4 - HKLM\..\Run: [Mount Safe & Sound] C:\PROGRAM FILES\MCAFEE\MCAFEE SHARED COMPONENTS\SAFE&SOUND\FBMOUNT.EXE
    O4 - HKLM\..\Run: [CreateCD] C:\PROGRA~1\ADAPTEC\EASYCD~1\CREATECD\CREATECD.EXE -r
    O4 - HKLM\..\RunServices: [GuardDogEXE] "C:\PROGRAM FILES\MCAFEE\MCAFEE INTERNET SECURITY\GUARDDOG.EXE" /SERVICE
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [McAfeeVirusScanService] c:\Program Files\McAfee\McAfee VirusScan\AVSYNMGR.EXE
    O4 - HKLM\..\RunServices: [McAfee Firewall] "C:\PROGRAM FILES\MCAFEE\MCAFEE FIREWALL\CPD.EXE" /SERVICE
    O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
    O4 - HKCU\..\Run: [HXIUL.EXE] C:\Program Files\Alset\HelpExpress\Default\HXIUL.EXE
    O4 - HKCU\..\Run: [HELPEXP.EXE] C:\Program Files\Alset\HelpExpress\Default\Client\HelpExp.exe
    O4 - HKCU\..\Run: [McAfee.InstantUpdate.Monitor] "c:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe" /STARTMONITOR
    O4 - Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
    O4 - Startup: Exif Launcher.lnk = C:\Program Files\Exif Launcher\QuickDCF.exe
    O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\WebshotsTray.exe
    O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O9 - Extra button: Real.com (HKLM)
    O12 - Plugin for .mp3: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin3.dll
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37876.5395138889
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/76808a0e7ae82f/housecall.antivirus.com/housecall/xscan53.cab

    Sorry this thread is so long, but want to give you as much information as possible to work with. Here are two of the error messages I am also getting:
    1. IEXPLORE...IEXPLORE cause an invalid page fault in module MSHTML.DLL at 0167:635db96a
    2. EXPLORER...EXPLORER caused an invalid page fault in module <unknown> at 0000:000c777c6

    Thanks again for the continued assistance!!
     
  8. Flrman1

    Flrman1

    Joined:
    Jul 26, 2002
    Messages:
    46,329
    The log looks clean now.

    Have you tried running the registy checker?

    Do this. Go to click Start, click Run, type scanregw.exe in the Open box, and then click OK.

    See if this helps.
     
  9. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    56,159
    First Name:
    Derek
    this entry looks suspiciously like the peper.a or c trojan
    O4 - HKLM\..\Run: [[email protected]] C:\WINDOWS\SYSTEM\GpoWx2Xc.exe

    But it might have just been a standard LOP parasite, that has similar runkey entries [[email protected]]

    It normally has 2 extra files in running processes but we have only seen them in XP machines so far

    to be safe

    Download TDS-3 from http://www.wilders.org/anti_trojans.htm
    and update it following the instructions here:
    http://tds.diamondcs.com.au/index.php?page=update
    Then enable the real-time protection and run a full system scan.
     
  10. JDWTX

    JDWTX Thread Starter

    Joined:
    Oct 7, 2003
    Messages:
    5
    Been almost a month since my last post concerning this problem. Had some family issues to deal with out of state. I've updated and run both Ad-Aware and Spybot, with neither application finding anything. I've downloaded and updated the TDS-3 application. When I run the TDS-3, it does not appear to find any problems as far as I can tell.
    Here are some problems I'm still seeing on the system:
    1. During system bootup, Explorer will hang up on the MultiMedia Hotkey application (keyboard). I have to go to Ctrl+Alt+Del and end task on Explorer far the system to finish loading.

    2. Quite often the system is hanging up and/or locking up during different tasks such as web surfing, accessing files, etc.

    3. Noticed that sometimes when the system is sitting idle (no applications open or running) the system will lock up, hibernate to a black screen, and not respond to mouse movement or keystroke. Have to power the system down and then restart.

    4. McAfee Internet Security is popping up a message quite often regarding Real Player wanting to connect. Is Real Player an application that needs to be updated from an Internet connection quite often??

    Here is the copy of the HiJack This log from today:

    Logfile of HijackThis v1.97.2
    Scan saved at 11:12:56 AM, on 11/5/03
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\PROGRAM FILES\MCAFEE\MCAFEE INTERNET SECURITY\GUARDDOG.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\AVSYNMGR.EXE
    C:\PROGRAM FILES\MCAFEE\MCAFEE FIREWALL\CPD.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\PROGRAM FILES\MCAFEE\MCAFEE FIREWALL\CPD.EXE
    C:\WINDOWS\SYSTEM\TAPISRV.EXE
    C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\VSSTAT.EXE
    C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\VSSTAT.EXE
    C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\VSHWIN32.EXE
    C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\AVCONSOL.EXE
    C:\PROGRAM FILES\MCAFEE\MCAFEE INTERNET SECURITY\GUARDDOG.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\TRIDTRAY.EXE
    C:\WINDOWS\MK9805.EXE
    C:\WINDOWS\SYSTEM\QTTASK.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\PROGRAM FILES\MCAFEE.COM\AGENT\MCAGENT.EXE
    C:\PROGRAM FILES\MCAFEE\MCAFEE SHARED COMPONENTS\GUARDIAN\CMGRDIAN.EXE
    C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
    C:\PROGRAM FILES\ADAPTEC\EASY CD CREATOR 4\CREATECD\CREATECD.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\PROGRAM FILES\MCAFEE\MCAFEE SHARED COMPONENTS\INSTANT UPDATER\RULAUNCH.EXE
    C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\WORKS SHARED\WKCALREM.EXE
    C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALEVENT.EXE
    C:\PROGRAM FILES\EXIF LAUNCHER\QUICKDCF.EXE
    C:\PROGRAM FILES\WEBSHOTS\WEBSHOTSTRAY.EXE
    C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
    C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\1033\MSOFFICE.EXE
    C:\UNZIPPED\HIJACKTHIS[1]\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/comcast.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by AT&T Broadband Internet
    O3 - Toolbar: McAfee VirusScan - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\VSCSHELLEXTENSION.DLL
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [TridTray] c:\windows\SYSTEM\tridtray.exe
    O4 - HKLM\..\Run: [CHotKey] mk9805.exe
    O4 - HKLM\..\Run: [ATTRedUpate] C:\PROGRAM FILES\COMMON FILES\AT&T\REDCON\PROGRAMS\AutoUpdate.exe
    O4 - HKLM\..\Run: [QuickTime Task] C:\WINDOWS\SYSTEM\QTTASK.EXE
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [MCAgentExe] C:\PROGRA~1\MCAFEE.COM\AGENT\MCAGENT.EXE
    O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\MCAFEE.COM\AGENT\MCUPDATE.EXE
    O4 - HKLM\..\Run: [McAfee Guardian] "c:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe" /SU
    O4 - HKLM\..\Run: [VirusScanMSC] "C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\VSSTAT.EXE" /EMBEDDING
    O4 - HKLM\..\Run: [Mount Safe & Sound] C:\PROGRAM FILES\MCAFEE\MCAFEE SHARED COMPONENTS\SAFE&SOUND\FBMOUNT.EXE
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [CreateCD] C:\PROGRA~1\ADAPTEC\EASYCD~1\CREATECD\CREATECD.EXE -r
    O4 - HKLM\..\RunServices: [GuardDogEXE] "C:\PROGRAM FILES\MCAFEE\MCAFEE INTERNET SECURITY\GUARDDOG.EXE" /SERVICE
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [McAfeeVirusScanService] c:\Program Files\McAfee\McAfee VirusScan\AVSYNMGR.EXE
    O4 - HKLM\..\RunServices: [McAfee Firewall] "C:\PROGRAM FILES\MCAFEE\MCAFEE FIREWALL\CPD.EXE" /SERVICE
    O4 - HKCU\..\Run: [HXIUL.EXE] C:\Program Files\Alset\HelpExpress\Default\HXIUL.EXE
    O4 - HKCU\..\Run: [HELPEXP.EXE] C:\Program Files\Alset\HelpExpress\Default\Client\HelpExp.exe
    O4 - HKCU\..\Run: [McAfee.InstantUpdate.Monitor] "c:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe" /STARTMONITOR
    O4 - Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
    O4 - Startup: Exif Launcher.lnk = C:\Program Files\Exif Launcher\QuickDCF.exe
    O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\WebshotsTray.exe
    O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O4 - Startup: WebPatch Check.lnk = C:\Program Files\WebPatchWizard\WebPatch Autostart.exe
    O12 - Plugin for .mp3: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin3.dll
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37876.5395138889
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/76808a0e7ae82f/housecall.antivirus.com/housecall/xscan53.cab
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/19a2712307574ab33614/netzip/RdxIE601.cab

    Thanks again for all of the assistance!!!!!:)
     
  11. ~Candy~

    ~Candy~ Retired Administrator

    Joined:
    Jan 27, 2001
    Messages:
    103,706
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

    Have hijack this fix that, that should solve real player trying to connect.

    Also, in start, run, msconfig, if you don't use the hotkeys on the keyboard, just uncheck that entry there.

    O4 - HKLM\..\Run: [CHotKey] mk9805.exe


    I'd also think about taking EZCD Creator out of startup.
     
  12. JDWTX

    JDWTX Thread Starter

    Joined:
    Oct 7, 2003
    Messages:
    5
    Completed the 3 items recommended by AcaCandy in the last message.

    Any thoughts on the other two topics I mentioned in my previous thread (#2 and #3) concerning the system performance??

    As always, thanks for the great support you provide on this site!!
    (y) (y)
     
  13. ~Candy~

    ~Candy~ Retired Administrator

    Joined:
    Jan 27, 2001
    Messages:
    103,706
    Since you did all the clean up this is still happening?

    Be sure you post another updated scan log, just in case something came back.

    Do you do normal disk maintenance? Delete temp files, etc.?
     
  14. ~Candy~

    ~Candy~ Retired Administrator

    Joined:
    Jan 27, 2001
    Messages:
    103,706
    How much ram do you have, by the way?
     
  15. Sponsor

As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 733,556 other people just like you!

Loading...
Thread Status:
Not open for further replies.

Short URL to this thread: https://techguy.org/170118

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice