Recuperation After A Virus?! Help Please!

Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

Kikit

Thread Starter
Joined
Sep 9, 2003
Messages
100
I've just been through a most devastating situation. Two days ago, some viruses were detected on my computer. I have deleted them successfully. However, some of the problems that were caused by the viruses are still happening now.

Here is what the symptoms were:

- Computer was running very slow

- Pages wouldn't open properly

- Sometimes Internet pages were blank

- Scrolling was "chugging" along, barely not scrolling at all

- Typing was all messed up. When I hit the keyboard letters,
they did not appear on the screen until seconds later! There was a horrible delay...and then the words would finally appear.

- On the internet, dropdown menus were blank

- When I right-clicked, my Command menu was blank

- The computer "froze" constantly and I had to shut down and start over.-

- A couple of times, my defragging task started up, but I do not have defragging scheduled for automatic maintainance. It starte up by itself though, like there was a ghost in the computer.

These are the viruses I had:

*Exploit-ByteVerify
*Trojan RSLOCALA
*Reg/Seeker

My system has gone back to normal somewhat, but it is not acting like it should COMPLETELY. SOME OF THE THINGS ARE STILL GIVING ME TROUBLE, EVEN AFTER DELETING THE VIRUSES. A LITTLE LESS INTENSE, BUT STILL PROBLEMATIC. tHE TROUBLE IS WORSE ON SOME SITES THAT IT IS ON OTHERS. A FEW SITES WORK PERFECTLY NORMAL.

(AS YOU CAN SEE, MY TYPING JUST WENT CRAZY BECAUSE I COULDN'T SEE THE LETTERS AS THEY WERE BEING TYPED! -- SORRY FOR THE MESS).

Still "freezing", still slow scrolling (or no scrolling at all!), still typing troubles occuring, still blank menus on some sites.

No more ghostly operations starting by themselves anymore though, like the unattended defragging incident.

My Question is: Can anyone tell me what's going on? With my computer supposedly being "clean" now, why the continued problems?

Is there a file or something essential that was damaged by the viruses? If so, how do I correct that (and how do I find it first?!)

What more cleaning or repair do I have to doi to get my machine back to normal?

What other steps should I do so that the computer can reecuperate from being attacked?

NOTE: I am not the most computer-literate of persons, so I can't do anything that's too complicated. :)

I GREATLY APPRECIATE ANY IDEAS ON WHAT THIS SOUNDS LIKE TO YOU, AND ANY HELP YOU CAN GIVE.
 

dvk01

Derek
Retired Moderator Retired Malware Specialist
Joined
Dec 14, 2002
Messages
56,452
from the sympto,ms it sounds like a cws hijack
first download & Run CWshredder from
http://www.spywareinfo.com/~merijn/files/cwshredder.zip

then to see what other unwanted malware is left on your computer

go to http://www.tomcoyote.org/hjt/ , and download 'Hijack This!'.
Unzip, doubleclick HijackThis.exe, and hit "Scan".

When the scan is finished, the "Scan" button will change into a "Save Log" button.
Press that, save the log somewhere, and please copy & paste its contents to the forum.

It will possibly show issues deserving our attention, but most of what it lists will be harmless or even required, so do NOT fix anything yet.
Someone here will be happy to help you analyze the results.
 

Kikit

Thread Starter
Joined
Sep 9, 2003
Messages
100
Gracias, Derek. I will try those instructions and return here with any results.
 

Kikit

Thread Starter
Joined
Sep 9, 2003
Messages
100
Here is the CWShredder Log:

CWShredder v1.13.0 scan only report

Windows 98 (4.10.1998)
Windows dir: C:\WINDOWS
Windows system dir: C:\WINDOWS\system

Infected Registry value:
HKCU\Software\Microsoft\Internet Explorer,SearchURL
Infected data: http://www.ewebsearch.net/sp.htm
Infected Registry value:
HKCU\Software\Microsoft\Internet Explorer\Main,Search Page
Infected data: http://www.ewebsearch.net/sp.htm
Infected Registry value:
HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL
Infected data: http://www.jethomepage.com/ie/
Infected Registry value:
HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant
Infected data: http://www.ewebsearch.net/sp.htm
Infected Registry value:
HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch
Infected data: http://ie-search.com/srchasst.html
Infected Registry value:
HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar
Infected data: http://ie-search.com/srchasst.html
Infected Registry value:
HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP
Infected data: http://www.ewebsearch.net/
Found Hosts file: C:\WINDOWS\hosts (1077 bytes, A)
Hosts file: 66.197.100.83 auto.search.msn.com
#To disable your family filter just delete all the following lines:
66.197.73.38 www.smutserver.com
66.197.73.38 www1.smutserver.com
66.197.73.38 www2.smutserver.com
66.197.73.38 www3.smutserver.com
66.197.73.38 www4.smutserver.com
66.197.73.38 www5.smutserver.com
66.197.73.38 www6.smutserver.com
66.197.73.38 www7.smutserver.com
66.197.73.38 www8.smutserver.com
66.197.73.38 www9.smutserver.com
66.197.73.38 www10.smutserver.com
66.197.73.38 www11.smutserver.com
66.197.73.38 www12.smutserver.com
66.197.73.38 www13.smutserver.com
66.197.73.38 www14.smutserver.com
66.197.73.38 www15.smutserver.com
66.197.73.38 www16.smutserver.com
66.197.73.38 www17.smutserver.com
66.197.73.38 www18.smutserver.com
66.197.73.38 www19.smutserver.com
66.197.73.38 www20.smutserver.com
66.197.73.38 www21.smutserver.com
66.197.73.38 www22.smutserver.com
66.197.73.38 www23.smutserver.com
66.197.73.38 www24.smutserver.com
66.197.73.38 www25.smutserver.com
66.197.73.38 www26.smutserver.com
66.197.73.38 www27.smutserver.com
66.197.73.38 www28.smutserver.com

User stylesheet c:\windows\system.css is active (HKCU)
Found file: c:\windows\system.css (8126 bytes, A)
Found Win.ini file: C:\WINDOWS\win.ini (9193 bytes, A)
Found line in Win.ini: run=C:\SCANNER\EXE16\AM.EXE
Winshow Registry key found: HKLM\..\BHOs\{6CC1C918-AE8B-4373-A5B4-28BA1851E39A}
Found file: C:\WINDOWS\winshow.dll (90112 bytes, A)

- END OF REPORT -
 

Kikit

Thread Starter
Joined
Sep 9, 2003
Messages
100
Here is the Hijack This! Log:

Logfile of HijackThis v1.97.2
Scan saved at 8:13:54 AM, on 9/12/03
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\AVSYNMGR.EXE
C:\PROGRAM FILES\MCAFEE\MCAFEE FIREWALL\CPD.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\PROGRAM FILES\COMMON FILES\AOL\ACS\ACSD.EXE
C:\PROGRAM FILES\MCAFEE\MCAFEE FIREWALL\CPD.EXE
C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\VSSTAT.EXE
C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\VSHWIN32.EXE
C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\AVCONSOL.EXE
C:\WINDOWS\EXPLORER.EXE
C:\SCANNER\EXE16\AM.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\CLMPANEL.EXE
C:\PROGRAM FILES\ACCESSRAMP\ARMON32.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\PROGRAM FILES\MCAFEE\MCAFEE SHARED COMPONENTS\GUARDIAN\CMGRDIAN.EXE
C:\PROGRAM FILES\AMERICA ONLINE 9.0\AOLTRAY.EXE
C:\PROGRAM FILES\AOL COMPANION\COMPANION.EXE
C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
C:\PROGRAM FILES\AMERICA ONLINE 8.0\WAOL.EXE
C:\PROGRAM FILES\AMERICA ONLINE 8.0\SHELLMON.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\UNZIPPED\CWSHREDDER[1]\CWSHREDDER.EXE
C:\PROGRAM FILES\WINZIP\WINZIP32.EXE
C:\UNZIPPED\HIJACKTHIS[1]\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.ewebsearch.net/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer,Default_Search_URL = http://0-OL1OIZ-XOLXII1-OXLI10OZL1L...OL.COM/92671ac527/ac00krtyx_65v/ogsearch.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.ewebsearch.net/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.jethomepage.com/ie/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.ewebsearch.net/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie-search.com/srchasst.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie-search.com/srchasst.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by America Online
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.searchv.com/5/search.php?qq=%s
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = http://www.ewebsearch.net/
F1 - win.ini: run=C:\SCANNER\EXE16\AM.EXE
O1 - Hosts: 66.197.100.83 auto.search.msn.com
O1 - Hosts: 66.197.73.38 www.smutserver.com
O1 - Hosts: 66.197.73.38 www1.smutserver.com
O1 - Hosts: 66.197.73.38 www2.smutserver.com
O1 - Hosts: 66.197.73.38 www3.smutserver.com
O1 - Hosts: 66.197.73.38 www4.smutserver.com
O1 - Hosts: 66.197.73.38 www5.smutserver.com
O1 - Hosts: 66.197.73.38 www6.smutserver.com
O1 - Hosts: 66.197.73.38 www7.smutserver.com
O1 - Hosts: 66.197.73.38 www8.smutserver.com
O1 - Hosts: 66.197.73.38 www9.smutserver.com
O1 - Hosts: 66.197.73.38 www10.smutserver.com
O1 - Hosts: 66.197.73.38 www11.smutserver.com
O1 - Hosts: 66.197.73.38 www12.smutserver.com
O1 - Hosts: 66.197.73.38 www13.smutserver.com
O1 - Hosts: 66.197.73.38 www14.smutserver.com
O1 - Hosts: 66.197.73.38 www15.smutserver.com
O1 - Hosts: 66.197.73.38 www16.smutserver.com
O1 - Hosts: 66.197.73.38 www17.smutserver.com
O1 - Hosts: 66.197.73.38 www18.smutserver.com
O1 - Hosts: 66.197.73.38 www19.smutserver.com
O1 - Hosts: 66.197.73.38 www20.smutserver.com
O1 - Hosts: 66.197.73.38 www21.smutserver.com
O1 - Hosts: 66.197.73.38 www22.smutserver.com
O1 - Hosts: 66.197.73.38 www23.smutserver.com
O1 - Hosts: 66.197.73.38 www24.smutserver.com
O1 - Hosts: 66.197.73.38 www25.smutserver.com
O1 - Hosts: 66.197.73.38 www26.smutserver.com
O1 - Hosts: 66.197.73.38 www27.smutserver.com
O1 - Hosts: 66.197.73.38 www28.smutserver.com
O2 - BHO: WinShow module - {6CC1C918-AE8B-4373-A5B4-28BA1851E39A} - C:\WINDOWS\WINSHOW.DLL
O3 - Toolbar: Comet Cursor Companion - {FE6BC4EF-5676-484B-88AE-883323913256} - C:\WINDOWS\SYSTEM\COMET\BIN\CSIETB.DLL (file missing)
O3 - Toolbar: McAfee VirusScan - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\VSCSHELLEXTENSION.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [CLMFrontPanel] clmpanel /i
O4 - HKLM\..\Run: [AccessRampMonitor] C:\PROGRAM FILES\ACCESSRAMP\ARMon32.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [McAfee Guardian] "C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe" /SU
O4 - HKLM\..\Run: [TopPornStars] c:\program files\siteicons\toppornstars\toppornstars.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [McAfeeVirusScanService] C:\Program Files\McAfee\McAfee VirusScan\AVSYNMGR.EXE
O4 - HKLM\..\RunServices: [McAfee Firewall] "C:\PROGRAM FILES\MCAFEE\MCAFEE FIREWALL\CPD.EXE" /SERVICE
O4 - HKLM\..\RunServices: [AolAcsDaemon1] "C:\PROGRAM FILES\COMMON FILES\AOL\ACS\ACSD.EXE"
O4 - Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Startup: AOL Companion.lnk = C:\Program Files\AOL Companion\companion.exe
O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Real.com (HKLM)
O14 - IERESET.INF: START_PAGE_URL=http://www.aol.com
O16 - DPF: {0FC6BF2B-E16A-11CF-AB2E-0080AD08A326} (LiveUpdate Crescendo) - http://activex.liveupdate.com/controls/cres.cab
O16 - DPF: {4971945A-3BFD-11D1-AC2F-00A0C911103A} - http://www.comicschannel.net/comicclock/comicclock.CAB
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/swdir8d196.cab
O16 - DPF: {DA9A0B1E-9B7B-11D3-B8A4-00C04F79641C} (NSUpdateLiteCtrl Class) - http://204.177.92.201/quickdl/degas/NSupd9x.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v43/yacscom.cab
O16 - DPF: {3FC76754-41A5-11D2-9370-00A0C9B1E042} (ColoringCtl Class) - http://www.kiddonet.com/lapware/actmenu/coloring/Coloring.ocx
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/313c75cac7a2a28d2522/netzip/RdxIE601.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37870.2818865741
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/bcd48c18cb7498/housecall.antivirus.com/housecall/xscan53.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = aoldsl.net
O19 - User stylesheet: c:\windows\system.css
 

dvk01

Derek
Retired Moderator Retired Malware Specialist
Joined
Dec 14, 2002
Messages
56,452
run cws & let it remove all the crud it has found
then post a hijackthis log to see what else needs removing
 

Kikit

Thread Starter
Joined
Sep 9, 2003
Messages
100
Hi, I'm back. Here is what happened.

SECOND HIJACK LOG - AFTER CWS FIX

Logfile of HijackThis v1.97.2

Scan saved at 1:05:55 PM, on 9/12/03
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\MCAFEE\MCAFEE FIREWALL\CPD.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\PROGRAM FILES\COMMON FILES\AOL\ACS\ACSD.EXE
C:\PROGRAM FILES\MCAFEE\MCAFEE FIREWALL\CPD.EXE
C:\WINDOWS\EXPLORER.EXE
C:\SCANNER\EXE16\AM.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\CLMPANEL.EXE
C:\PROGRAM FILES\ACCESSRAMP\ARMON32.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\PROGRAM FILES\MCAFEE\MCAFEE SHARED COMPONENTS\GUARDIAN\CMGRDIAN.EXE
C:\PROGRAM FILES\AMERICA ONLINE 9.0\AOLTRAY.EXE
C:\PROGRAM FILES\AOL COMPANION\COMPANION.EXE
C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
C:\PROGRAM FILES\AMERICA ONLINE 8.0\WAOL.EXE
C:\PROGRAM FILES\AMERICA ONLINE 8.0\SHELLMON.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\UNZIPPED\CWSHREDDER[1]\CWSHREDDER.EXE
C:\UNZIPPED\HIJACKTHIS[1]\HIJACKTHIS.EXE
C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\AVSYNMGR.EXE
C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\VSSTAT.EXE
C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\VSHWIN32.EXE
C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\AVCONSOL.EXE
C:\UNZIPPED\HIJACKTHIS[1]\HIJACKTHIS.EXE
C:\UNZIPPED\HIJACKTHIS[1]\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer,Default_Search_URL = http://0-OL1OIZ-XOLXII1-OXLI10OZL1L...OL.COM/92671ac527/ac00krtyx_65v/ogsearch.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by America Online
F1 - win.ini: run=C:\SCANNER\EXE16\AM.EXE
O3 - Toolbar: Comet Cursor Companion - {FE6BC4EF-5676-484B-88AE-883323913256} - C:\WINDOWS\SYSTEM\COMET\BIN\CSIETB.DLL (file missing)
O3 - Toolbar: McAfee VirusScan - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\VSCSHELLEXTENSION.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [CLMFrontPanel] clmpanel /i
O4 - HKLM\..\Run: [AccessRampMonitor] C:\PROGRAM FILES\ACCESSRAMP\ARMon32.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [McAfee Guardian] "C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe" /SU
O4 - HKLM\..\Run: [TopPornStars] c:\program files\siteicons\toppornstars\toppornstars.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [McAfeeVirusScanService] C:\Program Files\McAfee\McAfee VirusScan\AVSYNMGR.EXE
O4 - HKLM\..\RunServices: [McAfee Firewall] "C:\PROGRAM FILES\MCAFEE\MCAFEE FIREWALL\CPD.EXE" /SERVICE
O4 - HKLM\..\RunServices: [AolAcsDaemon1] "C:\PROGRAM FILES\COMMON FILES\AOL\ACS\ACSD.EXE"
O4 - Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Startup: AOL Companion.lnk = C:\Program Files\AOL Companion\companion.exe
O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Real.com (HKLM)
O14 - IERESET.INF: START_PAGE_URL=http://www.aol.com
O16 - DPF: {0FC6BF2B-E16A-11CF-AB2E-0080AD08A326} (LiveUpdate Crescendo) - http://activex.liveupdate.com/controls/cres.cab
O16 - DPF: {4971945A-3BFD-11D1-AC2F-00A0C911103A} - http://www.comicschannel.net/comicclock/comicclock.CAB
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/swdir8d196.cab
O16 - DPF: {DA9A0B1E-9B7B-11D3-B8A4-00C04F79641C} (NSUpdateLiteCtrl Class) - http://204.177.92.201/quickdl/degas/NSupd9x.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v43/yacscom.cab
O16 - DPF: {3FC76754-41A5-11D2-9370-00A0C9B1E042} (ColoringCtl Class) - http://www.kiddonet.com/lapware/actmenu/coloring/Coloring.ocx
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/313c75cac7a2a28d2522/netzip/RdxIE601.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37870.2818865741
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/bcd48c18cb7498/housecall.antivirus.com/housecall/xscan53.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = aoldsl.net
 

Kikit

Thread Starter
Joined
Sep 9, 2003
Messages
100
In case you need to see it, this is what occured when I did the suggested CWShredder removal. It read:

RESULTS AFTER CWS FIX

Done!

- 8 registry values were killed
- Hostsfile redirection was fixed
- Bootconf.exe was not present
- Trusted Zone was OK
- User stylesheet was disabled and deleted
- Oemsyspnp.inf was not present
- Svchost32.exe was not present
- Msspi.dll Winsock hook was not present
- Msinfo.exe was not present
- Winshow.dll BHO was unregistered and deleted

Windows 98 (4.10.1998)
CWShredder v1.13.0
Written by Merijn - [email protected]

For any additional help with this program or removing CWS, visit
http://www.spywareinfo.com/forums/
____________________________________________________

NEW (2nd Scan) CWShredder LOG AFTER THE FIX

CWShredder v1.13.0 scan only report

Windows 98 (4.10.1998)
Windows dir: C:\WINDOWS
Windows system dir: C:\WINDOWS\system

Found Hosts file: C:\WINDOWS\hosts (73 bytes, A)
Found Win.ini file: C:\WINDOWS\win.ini (9193 bytes, -)
Found line in Win.ini: run=C:\SCANNER\EXE16\AM.EXE

- END OF REPORT -
 

dvk01

Derek
Retired Moderator Retired Malware Specialist
Joined
Dec 14, 2002
Messages
56,452
run hijackthis, tick all below, doublecheck to make sure you haven't missed any, close all

browser windows & press fix checked

R1 - HKCU\Software\Microsoft\Internet Explorer,Default_Search_URL = http://0-OL1OIZ-XOLXII1-OXLI10OZL1L...v/ogsearch.html
O3 - Toolbar: Comet Cursor Companion - {FE6BC4EF-5676-484B-88AE-883323913256} - C:\WINDOWS\SYSTEM\COMET\BIN\CSIETB.DLL (file missing)
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [TopPornStars] c:\program files\siteicons\toppornstars\toppornstars.exe

then reboot & delete the following files or folders
c:\program files\siteicons\toppornstars\toppornstars.exe ..entire siteicons folder
 
Joined
Oct 9, 2001
Messages
9,396
run hijackthis again and put a checkmark against these entries....
.....then,close all browser and outlook windows and "fix checked"

R1 - HKCU\Software\Microsoft\Internet Explorer,Default_Search_URL = http://0-OL1OIZ-XOLXII1-OXLI10OZL1L...v/ogsearch.html
O3 - Toolbar: Comet Cursor Companion - {FE6BC4EF-5676-484B-88AE-883323913256} - C:\WINDOWS\SYSTEM\COMET\BIN\CSIETB.DLL (file missing)
O4 - HKLM\..\Run: [TopPornStars] c:\program files\siteicons\toppornstars\toppornstars.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.aol.com
O16 - DPF: {0FC6BF2B-E16A-11CF-AB2E-0080AD08A326} (LiveUpdate Crescendo) - http://activex.liveupdate.com/controls/cres.cab
O16 - DPF: {4971945A-3BFD-11D1-AC2F-00A0C911103A} - http://www.comicschannel.net/comicclock/comicclock.CAB
O16 - DPF: {DA9A0B1E-9B7B-11D3-B8A4-00C04F79641C} (NSUpdateLiteCtrl Class) - http://204.177.92.201/quickdl/degas/NSupd9x.
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/313c75cac7a2a2...ip/RdxIE601.cab

re-boot and delete:
c:\program files\siteicons
C:\WINDOWS\SYSTEM\COMET

recuperation hopefully complete

;)
 

Kikit

Thread Starter
Joined
Sep 9, 2003
Messages
100
I'm back again. I took the instructions of both Derek and Steve...and voila! my computer is working again as it should! I can't believe it, this is so stunning!

I'm not even going to ask where all that porn crap came from (insert frowning face ____ here). Truly tacky.

Whew, a long process...days of Computer Clean Up, but it was well worth it. Thank you ever so much.

And now gentlemen, I am on my way over to make a donation to your site.

The Final Hijack Log:

Logfile of HijackThis v1.97.2
Scan saved at 3:35:13 PM, on 9/12/03
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\AVSYNMGR.EXE
C:\PROGRAM FILES\MCAFEE\MCAFEE FIREWALL\CPD.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\PROGRAM FILES\COMMON FILES\AOL\ACS\ACSD.EXE
C:\PROGRAM FILES\MCAFEE\MCAFEE FIREWALL\CPD.EXE
C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\VSSTAT.EXE
C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\VSHWIN32.EXE
C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\AVCONSOL.EXE
C:\WINDOWS\EXPLORER.EXE
C:\SCANNER\EXE16\AM.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\CLMPANEL.EXE
C:\PROGRAM FILES\ACCESSRAMP\ARMON32.EXE
C:\PROGRAM FILES\MCAFEE\MCAFEE SHARED COMPONENTS\GUARDIAN\CMGRDIAN.EXE
C:\PROGRAM FILES\AMERICA ONLINE 9.0\AOLTRAY.EXE
C:\PROGRAM FILES\AOL COMPANION\COMPANION.EXE
C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
C:\PROGRAM FILES\AMERICA ONLINE 8.0\WAOL.EXE
C:\PROGRAM FILES\AMERICA ONLINE 8.0\SHELLMON.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\UNZIPPED\HIJACKTHIS[1]\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by America Online
F1 - win.ini: run=C:\SCANNER\EXE16\AM.EXE
O3 - Toolbar: McAfee VirusScan - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\VSCSHELLEXTENSION.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [CLMFrontPanel] clmpanel /i
O4 - HKLM\..\Run: [AccessRampMonitor] C:\PROGRAM FILES\ACCESSRAMP\ARMon32.exe
O4 - HKLM\..\Run: [McAfee Guardian] "C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe" /SU
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [McAfeeVirusScanService] C:\Program Files\McAfee\McAfee VirusScan\AVSYNMGR.EXE
O4 - HKLM\..\RunServices: [McAfee Firewall] "C:\PROGRAM FILES\MCAFEE\MCAFEE FIREWALL\CPD.EXE" /SERVICE
O4 - HKLM\..\RunServices: [AolAcsDaemon1] "C:\PROGRAM FILES\COMMON FILES\AOL\ACS\ACSD.EXE"
O4 - Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Startup: AOL Companion.lnk = C:\Program Files\AOL Companion\companion.exe
O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Real.com (HKLM)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/swdir8d196.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v43/yacscom.cab
O16 - DPF: {3FC76754-41A5-11D2-9370-00A0C9B1E042} (ColoringCtl Class) - http://www.kiddonet.com/lapware/actmenu/coloring/Coloring.ocx
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37870.2818865741
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/bcd48c18cb7498/housecall.antivirus.com/housecall/xscan53.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = aoldsl.net
 
Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

Users Who Are Viewing This Thread (Users: 0, Guests: 1)

As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 807,865 other people just like you!

Latest posts

Staff online

Top