1. Computer problem? Tech Support Guy is completely free -- paid for by advertisers and donations. Click here to join today! If you're new to Tech Support Guy, we highly recommend that you visit our Guide for New Members.

Recuperation After A Virus?! Help Please!

Discussion in 'Virus & Other Malware Removal' started by Kikit, Sep 11, 2003.

Thread Status:
Not open for further replies.
Advertisement
  1. Kikit

    Kikit Thread Starter

    Joined:
    Sep 9, 2003
    Messages:
    100
    I've just been through a most devastating situation. Two days ago, some viruses were detected on my computer. I have deleted them successfully. However, some of the problems that were caused by the viruses are still happening now.

    Here is what the symptoms were:

    - Computer was running very slow

    - Pages wouldn't open properly

    - Sometimes Internet pages were blank

    - Scrolling was "chugging" along, barely not scrolling at all

    - Typing was all messed up. When I hit the keyboard letters,
    they did not appear on the screen until seconds later! There was a horrible delay...and then the words would finally appear.

    - On the internet, dropdown menus were blank

    - When I right-clicked, my Command menu was blank

    - The computer "froze" constantly and I had to shut down and start over.-

    - A couple of times, my defragging task started up, but I do not have defragging scheduled for automatic maintainance. It starte up by itself though, like there was a ghost in the computer.

    These are the viruses I had:

    *Exploit-ByteVerify
    *Trojan RSLOCALA
    *Reg/Seeker

    My system has gone back to normal somewhat, but it is not acting like it should COMPLETELY. SOME OF THE THINGS ARE STILL GIVING ME TROUBLE, EVEN AFTER DELETING THE VIRUSES. A LITTLE LESS INTENSE, BUT STILL PROBLEMATIC. tHE TROUBLE IS WORSE ON SOME SITES THAT IT IS ON OTHERS. A FEW SITES WORK PERFECTLY NORMAL.

    (AS YOU CAN SEE, MY TYPING JUST WENT CRAZY BECAUSE I COULDN'T SEE THE LETTERS AS THEY WERE BEING TYPED! -- SORRY FOR THE MESS).

    Still "freezing", still slow scrolling (or no scrolling at all!), still typing troubles occuring, still blank menus on some sites.

    No more ghostly operations starting by themselves anymore though, like the unattended defragging incident.

    My Question is: Can anyone tell me what's going on? With my computer supposedly being "clean" now, why the continued problems?

    Is there a file or something essential that was damaged by the viruses? If so, how do I correct that (and how do I find it first?!)

    What more cleaning or repair do I have to doi to get my machine back to normal?

    What other steps should I do so that the computer can reecuperate from being attacked?

    NOTE: I am not the most computer-literate of persons, so I can't do anything that's too complicated. :)

    I GREATLY APPRECIATE ANY IDEAS ON WHAT THIS SOUNDS LIKE TO YOU, AND ANY HELP YOU CAN GIVE.
     
  2. Kikit

    Kikit Thread Starter

    Joined:
    Sep 9, 2003
    Messages:
    100
    Please forgive the length of my first post.
     
  3. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    56,236
    First Name:
    Derek
    from the sympto,ms it sounds like a cws hijack
    first download & Run CWshredder from
    http://www.spywareinfo.com/~merijn/files/cwshredder.zip

    then to see what other unwanted malware is left on your computer

    go to http://www.tomcoyote.org/hjt/ , and download 'Hijack This!'.
    Unzip, doubleclick HijackThis.exe, and hit "Scan".

    When the scan is finished, the "Scan" button will change into a "Save Log" button.
    Press that, save the log somewhere, and please copy & paste its contents to the forum.

    It will possibly show issues deserving our attention, but most of what it lists will be harmless or even required, so do NOT fix anything yet.
    Someone here will be happy to help you analyze the results.
     
  4. Kikit

    Kikit Thread Starter

    Joined:
    Sep 9, 2003
    Messages:
    100
    Gracias, Derek. I will try those instructions and return here with any results.
     
  5. Kikit

    Kikit Thread Starter

    Joined:
    Sep 9, 2003
    Messages:
    100
    Here is the CWShredder Log:

    CWShredder v1.13.0 scan only report

    Windows 98 (4.10.1998)
    Windows dir: C:\WINDOWS
    Windows system dir: C:\WINDOWS\system

    Infected Registry value:
    HKCU\Software\Microsoft\Internet Explorer,SearchURL
    Infected data: http://www.ewebsearch.net/sp.htm
    Infected Registry value:
    HKCU\Software\Microsoft\Internet Explorer\Main,Search Page
    Infected data: http://www.ewebsearch.net/sp.htm
    Infected Registry value:
    HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL
    Infected data: http://www.jethomepage.com/ie/
    Infected Registry value:
    HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant
    Infected data: http://www.ewebsearch.net/sp.htm
    Infected Registry value:
    HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch
    Infected data: http://ie-search.com/srchasst.html
    Infected Registry value:
    HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar
    Infected data: http://ie-search.com/srchasst.html
    Infected Registry value:
    HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP
    Infected data: http://www.ewebsearch.net/
    Found Hosts file: C:\WINDOWS\hosts (1077 bytes, A)
    Hosts file: 66.197.100.83 auto.search.msn.com
    #To disable your family filter just delete all the following lines:
    66.197.73.38 www.smutserver.com
    66.197.73.38 www1.smutserver.com
    66.197.73.38 www2.smutserver.com
    66.197.73.38 www3.smutserver.com
    66.197.73.38 www4.smutserver.com
    66.197.73.38 www5.smutserver.com
    66.197.73.38 www6.smutserver.com
    66.197.73.38 www7.smutserver.com
    66.197.73.38 www8.smutserver.com
    66.197.73.38 www9.smutserver.com
    66.197.73.38 www10.smutserver.com
    66.197.73.38 www11.smutserver.com
    66.197.73.38 www12.smutserver.com
    66.197.73.38 www13.smutserver.com
    66.197.73.38 www14.smutserver.com
    66.197.73.38 www15.smutserver.com
    66.197.73.38 www16.smutserver.com
    66.197.73.38 www17.smutserver.com
    66.197.73.38 www18.smutserver.com
    66.197.73.38 www19.smutserver.com
    66.197.73.38 www20.smutserver.com
    66.197.73.38 www21.smutserver.com
    66.197.73.38 www22.smutserver.com
    66.197.73.38 www23.smutserver.com
    66.197.73.38 www24.smutserver.com
    66.197.73.38 www25.smutserver.com
    66.197.73.38 www26.smutserver.com
    66.197.73.38 www27.smutserver.com
    66.197.73.38 www28.smutserver.com

    User stylesheet c:\windows\system.css is active (HKCU)
    Found file: c:\windows\system.css (8126 bytes, A)
    Found Win.ini file: C:\WINDOWS\win.ini (9193 bytes, A)
    Found line in Win.ini: run=C:\SCANNER\EXE16\AM.EXE
    Winshow Registry key found: HKLM\..\BHOs\{6CC1C918-AE8B-4373-A5B4-28BA1851E39A}
    Found file: C:\WINDOWS\winshow.dll (90112 bytes, A)

    - END OF REPORT -
     
  6. Kikit

    Kikit Thread Starter

    Joined:
    Sep 9, 2003
    Messages:
    100
    Here is the Hijack This! Log:

    Logfile of HijackThis v1.97.2
    Scan saved at 8:13:54 AM, on 9/12/03
    Platform: Windows 98 Gold (Win9x 4.10.1998)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\AVSYNMGR.EXE
    C:\PROGRAM FILES\MCAFEE\MCAFEE FIREWALL\CPD.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\PROGRAM FILES\COMMON FILES\AOL\ACS\ACSD.EXE
    C:\PROGRAM FILES\MCAFEE\MCAFEE FIREWALL\CPD.EXE
    C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\VSSTAT.EXE
    C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\VSHWIN32.EXE
    C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\AVCONSOL.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\SCANNER\EXE16\AM.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS\SYSTEM\STIMON.EXE
    C:\WINDOWS\CLMPANEL.EXE
    C:\PROGRAM FILES\ACCESSRAMP\ARMON32.EXE
    C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
    C:\PROGRAM FILES\MCAFEE\MCAFEE SHARED COMPONENTS\GUARDIAN\CMGRDIAN.EXE
    C:\PROGRAM FILES\AMERICA ONLINE 9.0\AOLTRAY.EXE
    C:\PROGRAM FILES\AOL COMPANION\COMPANION.EXE
    C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
    C:\PROGRAM FILES\AMERICA ONLINE 8.0\WAOL.EXE
    C:\PROGRAM FILES\AMERICA ONLINE 8.0\SHELLMON.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\WINDOWS\SYSTEM\RNAAPP.EXE
    C:\WINDOWS\SYSTEM\TAPISRV.EXE
    C:\UNZIPPED\CWSHREDDER[1]\CWSHREDDER.EXE
    C:\PROGRAM FILES\WINZIP\WINZIP32.EXE
    C:\UNZIPPED\HIJACKTHIS[1]\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.ewebsearch.net/sp.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer,Default_Search_URL = http://0-OL1OIZ-XOLXII1-OXLI10OZL1L...OL.COM/92671ac527/ac00krtyx_65v/ogsearch.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.ewebsearch.net/sp.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.jethomepage.com/ie/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.ewebsearch.net/sp.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie-search.com/srchasst.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie-search.com/srchasst.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by America Online
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.searchv.com/5/search.php?qq=%s
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = http://www.ewebsearch.net/
    F1 - win.ini: run=C:\SCANNER\EXE16\AM.EXE
    O1 - Hosts: 66.197.100.83 auto.search.msn.com
    O1 - Hosts: 66.197.73.38 www.smutserver.com
    O1 - Hosts: 66.197.73.38 www1.smutserver.com
    O1 - Hosts: 66.197.73.38 www2.smutserver.com
    O1 - Hosts: 66.197.73.38 www3.smutserver.com
    O1 - Hosts: 66.197.73.38 www4.smutserver.com
    O1 - Hosts: 66.197.73.38 www5.smutserver.com
    O1 - Hosts: 66.197.73.38 www6.smutserver.com
    O1 - Hosts: 66.197.73.38 www7.smutserver.com
    O1 - Hosts: 66.197.73.38 www8.smutserver.com
    O1 - Hosts: 66.197.73.38 www9.smutserver.com
    O1 - Hosts: 66.197.73.38 www10.smutserver.com
    O1 - Hosts: 66.197.73.38 www11.smutserver.com
    O1 - Hosts: 66.197.73.38 www12.smutserver.com
    O1 - Hosts: 66.197.73.38 www13.smutserver.com
    O1 - Hosts: 66.197.73.38 www14.smutserver.com
    O1 - Hosts: 66.197.73.38 www15.smutserver.com
    O1 - Hosts: 66.197.73.38 www16.smutserver.com
    O1 - Hosts: 66.197.73.38 www17.smutserver.com
    O1 - Hosts: 66.197.73.38 www18.smutserver.com
    O1 - Hosts: 66.197.73.38 www19.smutserver.com
    O1 - Hosts: 66.197.73.38 www20.smutserver.com
    O1 - Hosts: 66.197.73.38 www21.smutserver.com
    O1 - Hosts: 66.197.73.38 www22.smutserver.com
    O1 - Hosts: 66.197.73.38 www23.smutserver.com
    O1 - Hosts: 66.197.73.38 www24.smutserver.com
    O1 - Hosts: 66.197.73.38 www25.smutserver.com
    O1 - Hosts: 66.197.73.38 www26.smutserver.com
    O1 - Hosts: 66.197.73.38 www27.smutserver.com
    O1 - Hosts: 66.197.73.38 www28.smutserver.com
    O2 - BHO: WinShow module - {6CC1C918-AE8B-4373-A5B4-28BA1851E39A} - C:\WINDOWS\WINSHOW.DLL
    O3 - Toolbar: Comet Cursor Companion - {FE6BC4EF-5676-484B-88AE-883323913256} - C:\WINDOWS\SYSTEM\COMET\BIN\CSIETB.DLL (file missing)
    O3 - Toolbar: McAfee VirusScan - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\VSCSHELLEXTENSION.DLL
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
    O4 - HKLM\..\Run: [CLMFrontPanel] clmpanel /i
    O4 - HKLM\..\Run: [AccessRampMonitor] C:\PROGRAM FILES\ACCESSRAMP\ARMon32.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [McAfee Guardian] "C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe" /SU
    O4 - HKLM\..\Run: [TopPornStars] c:\program files\siteicons\toppornstars\toppornstars.exe
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [McAfeeVirusScanService] C:\Program Files\McAfee\McAfee VirusScan\AVSYNMGR.EXE
    O4 - HKLM\..\RunServices: [McAfee Firewall] "C:\PROGRAM FILES\MCAFEE\MCAFEE FIREWALL\CPD.EXE" /SERVICE
    O4 - HKLM\..\RunServices: [AolAcsDaemon1] "C:\PROGRAM FILES\COMMON FILES\AOL\ACS\ACSD.EXE"
    O4 - Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
    O4 - Startup: AOL Companion.lnk = C:\Program Files\AOL Companion\companion.exe
    O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O14 - IERESET.INF: START_PAGE_URL=http://www.aol.com
    O16 - DPF: {0FC6BF2B-E16A-11CF-AB2E-0080AD08A326} (LiveUpdate Crescendo) - http://activex.liveupdate.com/controls/cres.cab
    O16 - DPF: {4971945A-3BFD-11D1-AC2F-00A0C911103A} - http://www.comicschannel.net/comicclock/comicclock.CAB
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/swdir8d196.cab
    O16 - DPF: {DA9A0B1E-9B7B-11D3-B8A4-00C04F79641C} (NSUpdateLiteCtrl Class) - http://204.177.92.201/quickdl/degas/NSupd9x.cab
    O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v43/yacscom.cab
    O16 - DPF: {3FC76754-41A5-11D2-9370-00A0C9B1E042} (ColoringCtl Class) - http://www.kiddonet.com/lapware/actmenu/coloring/Coloring.ocx
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/313c75cac7a2a28d2522/netzip/RdxIE601.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37870.2818865741
    O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/bcd48c18cb7498/housecall.antivirus.com/housecall/xscan53.cab
    O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = aoldsl.net
    O19 - User stylesheet: c:\windows\system.css
     
  7. Kikit

    Kikit Thread Starter

    Joined:
    Sep 9, 2003
    Messages:
    100
    I will wait here for further instructions.
     
  8. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    56,236
    First Name:
    Derek
    run cws & let it remove all the crud it has found
    then post a hijackthis log to see what else needs removing
     
  9. Kikit

    Kikit Thread Starter

    Joined:
    Sep 9, 2003
    Messages:
    100
    Absolutely. I will do that right now. Back soon.
     
  10. Kikit

    Kikit Thread Starter

    Joined:
    Sep 9, 2003
    Messages:
    100
    Hi, I'm back. Here is what happened.

    SECOND HIJACK LOG - AFTER CWS FIX

    Logfile of HijackThis v1.97.2

    Scan saved at 1:05:55 PM, on 9/12/03
    Platform: Windows 98 Gold (Win9x 4.10.1998)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\PROGRAM FILES\MCAFEE\MCAFEE FIREWALL\CPD.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\PROGRAM FILES\COMMON FILES\AOL\ACS\ACSD.EXE
    C:\PROGRAM FILES\MCAFEE\MCAFEE FIREWALL\CPD.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\SCANNER\EXE16\AM.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS\SYSTEM\STIMON.EXE
    C:\WINDOWS\CLMPANEL.EXE
    C:\PROGRAM FILES\ACCESSRAMP\ARMON32.EXE
    C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
    C:\PROGRAM FILES\MCAFEE\MCAFEE SHARED COMPONENTS\GUARDIAN\CMGRDIAN.EXE
    C:\PROGRAM FILES\AMERICA ONLINE 9.0\AOLTRAY.EXE
    C:\PROGRAM FILES\AOL COMPANION\COMPANION.EXE
    C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
    C:\PROGRAM FILES\AMERICA ONLINE 8.0\WAOL.EXE
    C:\PROGRAM FILES\AMERICA ONLINE 8.0\SHELLMON.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\WINDOWS\SYSTEM\RNAAPP.EXE
    C:\WINDOWS\SYSTEM\TAPISRV.EXE
    C:\UNZIPPED\CWSHREDDER[1]\CWSHREDDER.EXE
    C:\UNZIPPED\HIJACKTHIS[1]\HIJACKTHIS.EXE
    C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\AVSYNMGR.EXE
    C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\VSSTAT.EXE
    C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\VSHWIN32.EXE
    C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\AVCONSOL.EXE
    C:\UNZIPPED\HIJACKTHIS[1]\HIJACKTHIS.EXE
    C:\UNZIPPED\HIJACKTHIS[1]\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer,Default_Search_URL = http://0-OL1OIZ-XOLXII1-OXLI10OZL1L...OL.COM/92671ac527/ac00krtyx_65v/ogsearch.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by America Online
    F1 - win.ini: run=C:\SCANNER\EXE16\AM.EXE
    O3 - Toolbar: Comet Cursor Companion - {FE6BC4EF-5676-484B-88AE-883323913256} - C:\WINDOWS\SYSTEM\COMET\BIN\CSIETB.DLL (file missing)
    O3 - Toolbar: McAfee VirusScan - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\VSCSHELLEXTENSION.DLL
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
    O4 - HKLM\..\Run: [CLMFrontPanel] clmpanel /i
    O4 - HKLM\..\Run: [AccessRampMonitor] C:\PROGRAM FILES\ACCESSRAMP\ARMon32.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [McAfee Guardian] "C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe" /SU
    O4 - HKLM\..\Run: [TopPornStars] c:\program files\siteicons\toppornstars\toppornstars.exe
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [McAfeeVirusScanService] C:\Program Files\McAfee\McAfee VirusScan\AVSYNMGR.EXE
    O4 - HKLM\..\RunServices: [McAfee Firewall] "C:\PROGRAM FILES\MCAFEE\MCAFEE FIREWALL\CPD.EXE" /SERVICE
    O4 - HKLM\..\RunServices: [AolAcsDaemon1] "C:\PROGRAM FILES\COMMON FILES\AOL\ACS\ACSD.EXE"
    O4 - Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
    O4 - Startup: AOL Companion.lnk = C:\Program Files\AOL Companion\companion.exe
    O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O14 - IERESET.INF: START_PAGE_URL=http://www.aol.com
    O16 - DPF: {0FC6BF2B-E16A-11CF-AB2E-0080AD08A326} (LiveUpdate Crescendo) - http://activex.liveupdate.com/controls/cres.cab
    O16 - DPF: {4971945A-3BFD-11D1-AC2F-00A0C911103A} - http://www.comicschannel.net/comicclock/comicclock.CAB
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/swdir8d196.cab
    O16 - DPF: {DA9A0B1E-9B7B-11D3-B8A4-00C04F79641C} (NSUpdateLiteCtrl Class) - http://204.177.92.201/quickdl/degas/NSupd9x.cab
    O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v43/yacscom.cab
    O16 - DPF: {3FC76754-41A5-11D2-9370-00A0C9B1E042} (ColoringCtl Class) - http://www.kiddonet.com/lapware/actmenu/coloring/Coloring.ocx
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/313c75cac7a2a28d2522/netzip/RdxIE601.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37870.2818865741
    O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/bcd48c18cb7498/housecall.antivirus.com/housecall/xscan53.cab
    O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = aoldsl.net
     
  11. Kikit

    Kikit Thread Starter

    Joined:
    Sep 9, 2003
    Messages:
    100
    In case you need to see it, this is what occured when I did the suggested CWShredder removal. It read:

    RESULTS AFTER CWS FIX

    Done!

    - 8 registry values were killed
    - Hostsfile redirection was fixed
    - Bootconf.exe was not present
    - Trusted Zone was OK
    - User stylesheet was disabled and deleted
    - Oemsyspnp.inf was not present
    - Svchost32.exe was not present
    - Msspi.dll Winsock hook was not present
    - Msinfo.exe was not present
    - Winshow.dll BHO was unregistered and deleted

    Windows 98 (4.10.1998)
    CWShredder v1.13.0
    Written by Merijn - [email protected]

    For any additional help with this program or removing CWS, visit
    http://www.spywareinfo.com/forums/
    ____________________________________________________

    NEW (2nd Scan) CWShredder LOG AFTER THE FIX

    CWShredder v1.13.0 scan only report

    Windows 98 (4.10.1998)
    Windows dir: C:\WINDOWS
    Windows system dir: C:\WINDOWS\system

    Found Hosts file: C:\WINDOWS\hosts (73 bytes, A)
    Found Win.ini file: C:\WINDOWS\win.ini (9193 bytes, -)
    Found line in Win.ini: run=C:\SCANNER\EXE16\AM.EXE

    - END OF REPORT -
     
  12. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    56,236
    First Name:
    Derek
    run hijackthis, tick all below, doublecheck to make sure you haven't missed any, close all

    browser windows & press fix checked

    R1 - HKCU\Software\Microsoft\Internet Explorer,Default_Search_URL = http://0-OL1OIZ-XOLXII1-OXLI10OZL1L...v/ogsearch.html
    O3 - Toolbar: Comet Cursor Companion - {FE6BC4EF-5676-484B-88AE-883323913256} - C:\WINDOWS\SYSTEM\COMET\BIN\CSIETB.DLL (file missing)
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [TopPornStars] c:\program files\siteicons\toppornstars\toppornstars.exe

    then reboot & delete the following files or folders
    c:\program files\siteicons\toppornstars\toppornstars.exe ..entire siteicons folder
     
  13. $teve

    $teve

    Joined:
    Oct 9, 2001
    Messages:
    9,396
    run hijackthis again and put a checkmark against these entries....
    .....then,close all browser and outlook windows and "fix checked"

    R1 - HKCU\Software\Microsoft\Internet Explorer,Default_Search_URL = http://0-OL1OIZ-XOLXII1-OXLI10OZL1L...v/ogsearch.html
    O3 - Toolbar: Comet Cursor Companion - {FE6BC4EF-5676-484B-88AE-883323913256} - C:\WINDOWS\SYSTEM\COMET\BIN\CSIETB.DLL (file missing)
    O4 - HKLM\..\Run: [TopPornStars] c:\program files\siteicons\toppornstars\toppornstars.exe
    O14 - IERESET.INF: START_PAGE_URL=http://www.aol.com
    O16 - DPF: {0FC6BF2B-E16A-11CF-AB2E-0080AD08A326} (LiveUpdate Crescendo) - http://activex.liveupdate.com/controls/cres.cab
    O16 - DPF: {4971945A-3BFD-11D1-AC2F-00A0C911103A} - http://www.comicschannel.net/comicclock/comicclock.CAB
    O16 - DPF: {DA9A0B1E-9B7B-11D3-B8A4-00C04F79641C} (NSUpdateLiteCtrl Class) - http://204.177.92.201/quickdl/degas/NSupd9x.
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/313c75cac7a2a2...ip/RdxIE601.cab

    re-boot and delete:
    c:\program files\siteicons
    C:\WINDOWS\SYSTEM\COMET

    recuperation hopefully complete

    ;)
     
  14. $teve

    $teve

    Joined:
    Oct 9, 2001
    Messages:
    9,396
    derek(y)
     
  15. Kikit

    Kikit Thread Starter

    Joined:
    Sep 9, 2003
    Messages:
    100
    I'm back again. I took the instructions of both Derek and Steve...and voila! my computer is working again as it should! I can't believe it, this is so stunning!

    I'm not even going to ask where all that porn crap came from (insert frowning face ____ here). Truly tacky.

    Whew, a long process...days of Computer Clean Up, but it was well worth it. Thank you ever so much.

    And now gentlemen, I am on my way over to make a donation to your site.

    The Final Hijack Log:

    Logfile of HijackThis v1.97.2
    Scan saved at 3:35:13 PM, on 9/12/03
    Platform: Windows 98 Gold (Win9x 4.10.1998)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\AVSYNMGR.EXE
    C:\PROGRAM FILES\MCAFEE\MCAFEE FIREWALL\CPD.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\PROGRAM FILES\COMMON FILES\AOL\ACS\ACSD.EXE
    C:\PROGRAM FILES\MCAFEE\MCAFEE FIREWALL\CPD.EXE
    C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\VSSTAT.EXE
    C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\VSHWIN32.EXE
    C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\AVCONSOL.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\SCANNER\EXE16\AM.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS\SYSTEM\STIMON.EXE
    C:\WINDOWS\CLMPANEL.EXE
    C:\PROGRAM FILES\ACCESSRAMP\ARMON32.EXE
    C:\PROGRAM FILES\MCAFEE\MCAFEE SHARED COMPONENTS\GUARDIAN\CMGRDIAN.EXE
    C:\PROGRAM FILES\AMERICA ONLINE 9.0\AOLTRAY.EXE
    C:\PROGRAM FILES\AOL COMPANION\COMPANION.EXE
    C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
    C:\PROGRAM FILES\AMERICA ONLINE 8.0\WAOL.EXE
    C:\PROGRAM FILES\AMERICA ONLINE 8.0\SHELLMON.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\WINDOWS\SYSTEM\RNAAPP.EXE
    C:\WINDOWS\SYSTEM\TAPISRV.EXE
    C:\UNZIPPED\HIJACKTHIS[1]\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by America Online
    F1 - win.ini: run=C:\SCANNER\EXE16\AM.EXE
    O3 - Toolbar: McAfee VirusScan - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\VSCSHELLEXTENSION.DLL
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
    O4 - HKLM\..\Run: [CLMFrontPanel] clmpanel /i
    O4 - HKLM\..\Run: [AccessRampMonitor] C:\PROGRAM FILES\ACCESSRAMP\ARMon32.exe
    O4 - HKLM\..\Run: [McAfee Guardian] "C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe" /SU
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [McAfeeVirusScanService] C:\Program Files\McAfee\McAfee VirusScan\AVSYNMGR.EXE
    O4 - HKLM\..\RunServices: [McAfee Firewall] "C:\PROGRAM FILES\MCAFEE\MCAFEE FIREWALL\CPD.EXE" /SERVICE
    O4 - HKLM\..\RunServices: [AolAcsDaemon1] "C:\PROGRAM FILES\COMMON FILES\AOL\ACS\ACSD.EXE"
    O4 - Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
    O4 - Startup: AOL Companion.lnk = C:\Program Files\AOL Companion\companion.exe
    O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/swdir8d196.cab
    O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v43/yacscom.cab
    O16 - DPF: {3FC76754-41A5-11D2-9370-00A0C9B1E042} (ColoringCtl Class) - http://www.kiddonet.com/lapware/actmenu/coloring/Coloring.ocx
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37870.2818865741
    O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/bcd48c18cb7498/housecall.antivirus.com/housecall/xscan53.cab
    O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = aoldsl.net
     
  16. Sponsor

As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 733,556 other people just like you!

Loading...
Thread Status:
Not open for further replies.

Short URL to this thread: https://techguy.org/164164

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice