
Solved: Please check panda scan

Discussion in 'Virus & Other Malware Removal' started by ozegirl, Sep 8, 2005.

Thread Status:
Not open for further replies.
  1. ozegirl

    ozegirl Thread Starter

    Joined:
    Jun 21, 2003
    Messages:
    611
    This computer is Win98SE, it has AV running, and weekly checks with Adaware and Spybot. Hijack this file has been checked & is all clean.

    However it still has some freezes, and I ran a Panda scan. Results are below.
    This is my son's computer & I suspect he picks things up from some of the websites he visits.

    Please advise as to whether these files should be deleted or replaced with genuine file versions & best method for this:


    Incident Status Location

    Spyware:spyware/marketscore No disinfected C:\WINDOWS\SYSTEM\osmim.dll
    Dialer:dialer.bny No disinfected C:\WINDOWS\pcconfig.dat
    Spyware:spyware/new.net No disinfected C:\WINDOWS\NDNuninstall6_30.exe
    Spyware:spyware/istbar No disinfected C:\PROGRAM FILES\COMMON FILES\Totem Shared
    Adware:adware/gogotools No disinfected Windows Registry
    Spyware:Spyware/MarketScore No disinfected C:\WINDOWS\SYSTEM\osmim.dll
    Virus:W32/Tobecho.A.worm Disinfected C:\WINDOWS\SYSTEM\cpu.dll
    Adware:Adware/RelatedLinks No disinfected C:\WINDOWS\lbbho.dll
    Spyware:Spyware/New.net No disinfected C:\WINDOWS\NDNuninstall6_30.exe
    Adware:Adware/FunWeb No disinfected C:\Program Files\MSN Messenger\riched20.dll
    Adware:Adware/Opensite No disinfected C:\My Documents\Anne\hijackthis\backups\backup-20050303-155332-495.inf
    Adware:Adware/Opensite No disinfected C:\My Documents\Anne\hijackthis\backups\backup-20050303-155332-495.dll
     
  2. Cheeseball81

    Cheeseball81 Retired Moderator

    Joined:
    Mar 3, 2004
    Messages:
    84,315
    Hi ozegirl :)

    Can you post the Hijack This log too?
     
  3. ozegirl

    ozegirl Thread Starter

    Joined:
    Jun 21, 2003
    Messages:
    611
    Logfile of HijackThis v1.99.1
    Scan saved at 12:06:33 PM, on 9/9/05
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\VET\ISAFE.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\VET\VETMSG.EXE
    C:\VET\VETTRAY.EXE
    C:\WINDOWS\SYSTEM\QTTASK.EXE
    C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\WINDOWS\NOTEPAD.EXE
    C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
    C:\MY DOCUMENTS\ANNE\HIJACKTHIS\HIJACKTHIS.EXE

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com.au/
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [SoundFusion] RunDll32 cwcprops.cpl,CrystalControlWnd
    O4 - HKLM\..\Run: [Vet Alert] C:\VET\VETMSG.EXE
    O4 - HKLM\..\Run: [VetTray] C:\VET\VETTRAY.EXE
    O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\RunServices: [CAISafe] C:\Vet\isafe.exe
    O4 - Startup: Shortcut to autodown.exe.lnk = C:\Vet\autodown.exe
    O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/pote_x.cab
    O16 - DPF: {26CBF141-7D0F-46E1-AA06-718958B6E4D2} - http://download.ebay.com/turbo_lister/AU/install.cab
    O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
    O16 - DPF: Yahoo! Graffiti - http://download.games.yahoo.com/games/clients/y/grt5_x.cab
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by14fd.bay14.hotmail.msn.com/resources/MsnPUpld.cab
    O16 - DPF: {74FFE28D-2378-11D5-990C-006094235084} (IBM Access Support) - https://www-3.ibm.com/pc/support/access/aslibmain/content/IbmEgath.cab
    O16 - DPF: {E598AC61-4C6F-4F4D-877F-FAC49CA91FA3} (acpRunner Class) - https://www-3.ibm.com/pc/support/access/aslibmain/content/AcpControl.cab
    O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
    O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall-beta.trendmicro.com/housecall/xscan60.cab
    O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
    O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by107fd.bay107.hotmail.msn.com/activex/HMAtchmt.ocx
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5free/asinst.cab
     
  4. Cheeseball81

    Cheeseball81 Retired Moderator

    Joined:
    Mar 3, 2004
    Messages:
    84,315
    Download KillBox here: http://www.downloads.subratam.org/KillBox.zip
    Save it to your desktop.
    DO NOT run it yet.

    Boot into Safe Mode (start tapping the F8 key at Startup, before the Windows logo screen)

    Double-click on Killbox.exe to run it.
    Now put a tick by Standard File Kill.
    In the "Full Path of File to Delete" box, copy and paste each of the following lines one at a time then click on the button that has the red circle with the X in the middle after you enter each file.
    It will ask for confirmation to delete the file.
    Click Yes.
    Continue with that same procedure until you have copied and pasted all of these in the "Paste Full Path of File to Delete" box.

    C:\WINDOWS\SYSTEM\osmim.dll
    C:\WINDOWS\pcconfig.dat
    C:\WINDOWS\NDNuninstall6_30.exe
    C:\WINDOWS\SYSTEM\cpu.dll
    C:\WINDOWS\lbbho.dll


    Note: It is possible that Killbox will tell you that one or more files do not exist.
    If that happens, just continue on with all the files. Be sure you don't miss any.

    Exit the KillBox.

    Find and delete this folder: C:\PROGRAM FILES\COMMON FILES\Totem Shared

    Also in safe mode navigate to the C:\Windows\Temp folder.
    Open the Temp folder and go to Edit > Select All then Edit > Delete to delete the entire contents of the Temp folder.

    Go to Start > Run and type %temp% in the Run box.
    The Temp folder will open. Click Edit > Select All then Edit > Delete to delete the entire contents of the Temp folder.

    Finally go to Control Panel > Internet Options.
    On the General tab under "Temporary Internet Files" Click "Delete Files".
    Put a check by "Delete Offline Content" and click OK.
    Click on the Programs tab then click the "Reset Web Settings" button.
    Click Apply then OK.

    Empty the Recycle Bin.

    Reboot.

    Get some anti-virus protection.
    I'd recommend AVG (it's free): http://free.grisoft.com/doc/1
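
A helper working a thread like this reads the Panda listing in the first post and turns it into the KillBox paste list plus the folder, registry and backup entries that the steps above handle differently. The script below is an added example, not a tool from the thread and not part of Panda, KillBox or HijackThis; its regular expression is an assumption about the report's column layout, and the sample text is the first post's listing embedded as constructed input. It only sorts the entries (de-duplicating the ones Panda reports twice); which of the file entries actually get deleted stays the helper's judgement, and the moderator's list above is a subset of what the file bucket returns.

```python
import re
from dataclasses import dataclass

# Constructed sample input: the Panda listing from the first post of the thread.
SAMPLE_SCAN = r"""
Incident Status Location

Spyware:spyware/marketscore No disinfected C:\WINDOWS\SYSTEM\osmim.dll
Dialer:dialer.bny No disinfected C:\WINDOWS\pcconfig.dat
Spyware:spyware/new.net No disinfected C:\WINDOWS\NDNuninstall6_30.exe
Spyware:spyware/istbar No disinfected C:\PROGRAM FILES\COMMON FILES\Totem Shared
Adware:adware/gogotools No disinfected Windows Registry
Spyware:Spyware/MarketScore No disinfected C:\WINDOWS\SYSTEM\osmim.dll
Virus:W32/Tobecho.A.worm Disinfected C:\WINDOWS\SYSTEM\cpu.dll
Adware:Adware/RelatedLinks No disinfected C:\WINDOWS\lbbho.dll
Spyware:Spyware/New.net No disinfected C:\WINDOWS\NDNuninstall6_30.exe
Adware:Adware/FunWeb No disinfected C:\Program Files\MSN Messenger\riched20.dll
Adware:Adware/Opensite No disinfected C:\My Documents\Anne\hijackthis\backups\backup-20050303-155332-495.inf
Adware:Adware/Opensite No disinfected C:\My Documents\Anne\hijackthis\backups\backup-20050303-155332-495.dll
"""

# Assumed layout of one result line: "<Kind>:<name> <status> <location>",
# where status is "Disinfected" or "No disinfected" and the location may
# contain spaces (folder names, "Windows Registry").
LINE_RE = re.compile(
    r"^(?P<kind>[A-Za-z]+):(?P<name>\S+)\s+"
    r"(?P<status>No disinfected|Disinfected)\s+"
    r"(?P<location>.+?)\s*$"
)


@dataclass
class Detection:
    kind: str          # Spyware, Adware, Dialer, Virus ...
    name: str          # the scanner's detection name
    disinfected: bool  # True when Panda already cleaned it
    location: str      # file, folder, or "Windows Registry"


def parse_scan(text: str) -> list[Detection]:
    """Turn the pasted listing into Detection records; header and blank lines are skipped."""
    found = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            found.append(Detection(m["kind"], m["name"],
                                   m["status"] == "Disinfected", m["location"]))
    return found


def classify(detections: list[Detection]) -> dict[str, list[str]]:
    """Sort locations into the buckets the clean-up steps handle differently,
    de-duplicated case-insensitively (Panda lists osmim.dll twice) and kept in scan order."""
    buckets = {"files": [], "folders": [], "registry": [], "hjt_backups": []}
    seen = set()
    for d in detections:
        key = d.location.lower()
        if key in seen:
            continue
        seen.add(key)
        if key == "windows registry":
            buckets["registry"].append(d.location)      # needs a registry tool, not KillBox
        elif "\\hijackthis\\backups\\" in key:
            buckets["hjt_backups"].append(d.location)   # old HijackThis backup copies
        elif "." in d.location.rsplit("\\", 1)[-1]:
            buckets["files"].append(d.location)         # has an extension: KillBox candidate
        else:
            buckets["folders"].append(d.location)       # delete the folder by hand
    return buckets


def killbox_paste_list(text: str) -> str:
    """One full path per line, the form KillBox's 'Full Path of File to Delete' box takes."""
    return "\n".join(classify(parse_scan(text))["files"])


if __name__ == "__main__":
    for bucket, items in classify(parse_scan(SAMPLE_SCAN)).items():
        print(f"{bucket}:")
        for item in items:
            print("   ", item)
```

Run it on a pasted listing and the `files` bucket is what goes into KillBox one line at a time; the `folders` bucket is the "find and delete this folder" step, while the registry hit and the HijackThis backup copies need other handling, as the moderator's later reply notes.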
     
  5. ozegirl

    ozegirl Thread Starter

    Joined:
    Jun 21, 2003
    Messages:
    611
    Thanks - I'd already done some of that - will go over it again later and report back.
     
  6. Cheeseball81

    Cheeseball81 Retired Moderator

    Joined:
    Mar 3, 2004
    Messages:
    84,315
  7. ozegirl

    ozegirl Thread Starter

    Joined:
    Jun 21, 2003
    Messages:
    611
    OK done it all - below is the new hijack this log file.

    Curious to know how you knew Totem was on the system, as I had already deleted that - it must be associated with one of the other files, is it?

    The cpu.dll file was already gone as Panda had disinfected it
    There was no lbbho.dll file, just a lbbho.inf file - I deleted that already.
    I had also already emptied all the temp folders.

    Did the killbox anyway to be sure. Here is the new log:

    Logfile of HijackThis v1.99.1
    Scan saved at 1:13:53 PM, on 9/10/05
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\VET\ISAFE.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\VET\VETMSG.EXE
    C:\VET\VETTRAY.EXE
    C:\WINDOWS\SYSTEM\QTTASK.EXE
    C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\MY DOCUMENTS\ANNE\HIJACKTHIS\HIJACKTHIS.EXE

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://au.yahoo.com/
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [SoundFusion] RunDll32 cwcprops.cpl,CrystalControlWnd
    O4 - HKLM\..\Run: [Vet Alert] C:\VET\VETMSG.EXE
    O4 - HKLM\..\Run: [VetTray] C:\VET\VETTRAY.EXE
    O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\RunServices: [CAISafe] C:\Vet\isafe.exe
    O4 - Startup: Shortcut to autodown.exe.lnk = C:\Vet\autodown.exe
    O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/pote_x.cab
    O16 - DPF: {26CBF141-7D0F-46E1-AA06-718958B6E4D2} - http://download.ebay.com/turbo_lister/AU/install.cab
    O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
    O16 - DPF: Yahoo! Graffiti - http://download.games.yahoo.com/games/clients/y/grt5_x.cab
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by14fd.bay14.hotmail.msn.com/resources/MsnPUpld.cab
    O16 - DPF: {74FFE28D-2378-11D5-990C-006094235084} (IBM Access Support) - https://www-3.ibm.com/pc/support/access/aslibmain/content/IbmEgath.cab
    O16 - DPF: {E598AC61-4C6F-4F4D-877F-FAC49CA91FA3} (acpRunner Class) - https://www-3.ibm.com/pc/support/access/aslibmain/content/AcpControl.cab
    O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
    O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall-beta.trendmicro.com/housecall/xscan60.cab
    O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
    O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by107fd.bay107.hotmail.msn.com/activex/HMAtchmt.ocx
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5free/asinst.cab


    I also have another Win98SE computer with similar things picked up by Panda - some identical, some a little different - I assume the same process of using killbox on the things Panda found would be OK?

    When I get a chance I'll post the findings of that computer up here - I think my son might be using it at the moment.

    Thanks greatly for your help :)
     
  8. Cheeseball81

    Cheeseball81 Retired Moderator

    Joined:
    Mar 3, 2004
    Messages:
    84,315
    Log looks good. (y) But get AVG! You need AV protection. :D

    Yes it's pretty much the same procedure. KillBoxing the file, but nothing found in the registry or backup files.

    How are things running now?
     
  9. ozegirl

    ozegirl Thread Starter

    Joined:
    Jun 21, 2003
    Messages:
    611
    I already have AV (mentioned that in the first post - you must have missed it!) I use VET which is a product of Computer Associates.
     
  10. Cheeseball81

    Cheeseball81 Retired Moderator

    Joined:
    Mar 3, 2004
    Messages:
    84,315
    Oops my bad. :) I apologize.
     
  11. ozegirl

    ozegirl Thread Starter

    Joined:
    Jun 21, 2003
    Messages:
    611
    No worries - your advice was good and that's all that matters! Sorry I didn't mention how things are going - have only just done it so don't know yet. Will report back in a day or so - I think the freezes were probably also due to Windows update KB 891711 which I have also removed, after seeing reports on various forums that it caused more problems than it cured.
     
  12. Cheeseball81

    Cheeseball81 Retired Moderator

    Joined:
    Mar 3, 2004
    Messages:
    84,315
    Thanks :) It's been a long day.

    Let me know how everything goes.

    If all seems well in a few days, you can mark your thread "Solved" from the Thread Tools drop down menu.
     
  13. ozegirl

    ozegirl Thread Starter

    Joined:
    Jun 21, 2003
    Messages:
    611
    I hope your long day just got better - I made a donation - been meaning to for a while but thought it was about time. This site rocks!
    (y) to all you great volunteers! :) :)
     
  14. Cheeseball81

    Cheeseball81 Retired Moderator

    Joined:
    Mar 3, 2004
    Messages:
    84,315
    Thank you very much! :) We're happy to help. Have a great night!
     
  15. ozegirl

    ozegirl Thread Starter

    Joined:
    Jun 21, 2003
    Messages:
    611
    One final question - I did the killbox routine on the other computer & it is cleaned up now too - however I noticed on both computers a new directory on the c drive called !Submit - this directory has the files in it which were deleted from killbox. I'm guessing it's OK now to delete this folder?
     
Short URL to this thread: https://techguy.org/397492