UnSpy Scanner and Hijacked(?!)

Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

kawa

Thread Starter
Joined
Aug 27, 2003
Messages
26
Hi, my notebook's OS is Win98.

Was attacked by UnSpy PC scanner. Was unable to remove it. I've went into safe mode and has deleted it. Somehow, my desktop appeared with a "desktop recovery" message and some big icons, I would assume to be some toolbar installed appeared. For example, links to pharmacy, gambling, porn sites, dating, etc.

Scanned with AdAware and the "toolbar" did not appear anymore. However, desktop still in "desktop recovery" view.


I've tried searching in the forum and wasn't able to find any similar problems. Please help, my IE doesn't even seem to be able to go online anymore and I'm connected by router.

Here's my HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 12:56:52 AM, on 12/30/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v5.00 (5.00.2614.3500)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\TCDPLAY.DRV
C:\WINDOWS\SYSTEM\TWBROWSE.DRV
C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON CLEANSWEEP\CSINJECT.EXE
C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON UTILITIES\NPROTECT.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\SYMTRAY.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\MOUSE\SYSTEM\EM_EXEC.EXE
C:\WINDOWS\SYSTEM\TOSHIBSU.EXE
C:\WINDOWS\SYSTEM\THOTKEY.EXE
C:\WINDOWS\SYSTEM\PWRTRAY.EXE
C:\WINDOWS\SYSTEM\PSPCCARD.EXE
C:\WINDOWS\SYSTEM\TESCKEY.EXE
C:\WINDOWS\SYSTEM\TFUNCKEY.EXE
C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON ANTIVIRUS\NAVAPW32.EXE
C:\PROGRAM FILES\WINPOET BROADBAND CONNECTION\WINPPPOVERETHERNET.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\WINDOWS\LOADQM.EXE
C:\WINDOWS\RunDLL.exe
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\OSA.EXE
C:\PROGRAM FILES\SPYWAREGUARD\SGMAIN.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\SPYWAREGUARD\SGBHP.EXE
C:\WINDOWS\EXPLORER.EXE
C:\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.ezfastsearch.com/index2.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus...aults/sb/*http://www.yahoo.com/search/ie.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://sex.sexonfly.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://sex.sexonfly.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R3 - URLSearchHook: (no name) - {D34DEB0E-E25B-B2B0-56A7-DB466D573647} - MNTP.dll (file missing)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\PROGRAM FILES\SPYWAREGUARD\DLPROTECT.DLL (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [EM_EXEC] c:\mouse\system\em_exec.exe
O4 - HKLM\..\Run: [TOSHIBSU] TOSHIBSU.EXE
O4 - HKLM\..\Run: [THotkey] THotkey.exe
O4 - HKLM\..\Run: [TDspOff] TDspOff.Exe B
O4 - HKLM\..\Run: [PowerTray] PwrTray.EXE
O4 - HKLM\..\Run: [PsPCCard] PsPCCard.EXE
O4 - HKLM\..\Run: [TEscKey] TEscKey.exe
O4 - HKLM\..\Run: [TFunckey] TFuncKey.exe
O4 - HKLM\..\Run: [NAV Agent] c:\PROGRA~1\NORTON~1\NORTON~2\NAVAPW32.EXE
O4 - HKLM\..\Run: [NPROTECT] c:\Program Files\Norton SystemWorks\Norton Utilities\nprotect.exe
O4 - HKLM\..\Run: [a-winpoet-service] "C:\Program Files\WinPoET Broadband Connection\winpppoverethernet.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [forces_elite] UserSp1.exe
O4 - HKLM\..\Run: [barint] ssweeper.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [TCDPlay] TCDPlay.drv
O4 - HKLM\..\RunServices: [TWBrowse] TWBrowse.drv
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [CSINJECT.EXE] c:\Program Files\Norton SystemWorks\Norton CleanSweep\CSINJECT.EXE
O4 - HKLM\..\RunServices: [NPROTECT] c:\Program Files\Norton SystemWorks\Norton Utilities\nprotect.exe
O4 - HKLM\..\RunServices: [SymTray - Norton SystemWorks] c:\Program Files\Common Files\Symantec Shared\SymTray.exe "Norton SystemWorks"
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - HKCU\..\Run: [desktop] C:\WINDOWS\SYSTEM\IDEMLOG.EXE
O4 - HKCU\..\Run: [UnSpyPC] "C:\Program Files\UnSpyPC\UnSpyPC.exe"
O4 - HKCU\..\Run: [srbho] forces_elite.exe
O4 - HKCU\..\Run: [sound64] MON76234.exe
O4 - HKCU\..\Run: [browsebar] 321102.exe
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Startup: Search for buddyPhone 2 Update.lnk = C:\Program Files\buddyPhone\WiseUpdt.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O12 - Plugin for .pdf: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/web_games/popcap/bejeweled2/popcaploader_v6.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 85.255.115.90,85.255.112.125

Thank you in advance!
 
Joined
Feb 15, 2004
Messages
12,302
hi, welcome to TSG.


Please download FixWareout from one of these sites:

http://downloads.subratam.org/Fixwareout.exe
http://swandog46.geekstogo.com/Fixwareout.exe

Save it to your desktop and run it. Click Next, then Install, then make sure "Run fixit" is checked and click Finish. The fix will begin; follow the prompts. You will be asked to reboot your computer; please do so. Your system may take longer than usual to load; this is normal.

When your system reboots, follow the prompts. Afterwards, Hijack This will launch. Close Hijack This, and click OK to proceed.

At the end of the fix, you may need to restart your computer again.


Download the pocket killbox

http://www.bleepingcomputer.com/files/killbox.php



*Download Cleanup from Here

http://www.stevengould.org/software/cleanup/download.html



* A window will open and choose SAVE, then DESKTOP as the destination.
* On your Desktop, click on Cleanup40.exe icon.
* Then, click RUN and place a checkmark beside "I Agree"
* Then click NEXT followed by START and OK.
* A window will appear with many choices, keep all the defaults as set when the Slide Bar to the left is set to Standard Quality.
* Click OK
*run cleanup


* Click here for info on how to boot to safe mode if you don't already know
how.

http://service1.symantec.com/SUPPOR...2001052409420406?OpenDocument&src=sec_doc_nam



* Now copy these instructions to notepad and save them to your desktop. You
will need them to refer to in safe mode.


* Restart your computer into safe mode now. Perform the following steps in
safe mode:



have hijack this fix these entries. close all browsers and programmes before
clicking FIX.


R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.ezfastsearch.com/index2.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://sex.sexonfly.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://sex.sexonfly.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R3 - URLSearchHook: (no name) - {D34DEB0E-E25B-B2B0-56A7-DB466D573647} - MNTP.dll (file missing)
O4 - HKLM\..\Run: [forces_elite] UserSp1.exe
O4 - HKLM\..\Run: [barint] ssweeper.exe
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - HKCU\..\Run: [desktop] C:\WINDOWS\SYSTEM\IDEMLOG.EXE
O4 - HKCU\..\Run: [UnSpyPC] "C:\Program Files\UnSpyPC\UnSpyPC.exe"
O4 - HKCU\..\Run: [srbho] forces_elite.exe
O4 - HKCU\..\Run: [sound64] MON76234.exe
O4 - HKCU\..\Run: [browsebar] 321102.exe
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 85.255.115.90,85.255.112.125



Double-click on Killbox.exe to run it. Now put a tick by Standard File Kill.
In the Full Path of File to Delete box, copy and paste each of the following
lines one at a time then click on the button that has the red circle with the
X in the middle after you enter each file. It will ask for confirmation to
delete the file. Click Yes. Continue with that same procedure until you have
copied and pasted all of these in the Paste Full Path of File to Delete box.



Note: It is possible that Killbox will tell you that one or more files do not
exist. If that happens, just continue on with all the files. Be sure you
don't miss any.


C:\WINDOWS\SYSTEM\ssweeper.exe
C:\WINDOWS\SYSTEM\UserSp1.exe
C:\WINDOWS\SYSTEM\MON76234.exe
C:\WINDOWS\SYSTEM\321102.exe
C:\WINDOWS\SYSTEM\IDEMLOG.EXE
C:\Program Files\UnSpyPC\UnSpyPC.exe



* Go to Control Panel. - If you are using Windows XP's Category View, select
the Network and Internet Connections category. If you are in Classic View,
go to the next step .

* Double-click the Network Connections icon
* Right-click the Local Area Connection icon and select Properties.
* Hilight Internet Protocol (TCP/IP) and click the Properties button.
* Be sure Obtain DNS server address automatically is selected.
* OK your way out.



* Restart your computer.


* Got to Start > Run and type in cmd.
Click OK.
Type this line in the command window:

ipconfig /flushdns

Hit Enter.



reboot to normal mode and run a few online scans!


Run an online antivirus check from

http://www.kaspersky.com/virusscanner

choose extended database for the scan!


Run ActiveScan online virus scan here

http://www.pandasoftware.com/products/activescan.htm

When the scan is finished, anything that it cannot clean have it delete it.
Make a note of the file location of anything that cannot be deleted so you
can delete it yourself.
- Save the results from the scan!


post another hijack this log the kaspersky and active scan logs
 

kawa

Thread Starter
Joined
Aug 27, 2003
Messages
26
I can't seem to get fixwareout to work properly. I think somehow whatever has attacked my laptop has rendered it unable to connect to the net.

Everytime I run fixwareout, it would prompt download bfu.zip and it just stops there. I've searched on the net for the file and have copied it into "C:\fixwareout\SUB".

After that, I ran fixwareout again and the result is the same. Do I need to unzip BFU.zip?? Did I even get the correct file?

Thanks again!
 
Joined
Feb 15, 2004
Messages
12,302
it's just an exe file just doublr click it to run it, boot to safe mide and try and run it! If it still doesn't work then run all the other suggestions and then try it? If it still doesn't work then just post abck with the logs and we'll use the manual method !
 
Joined
Feb 15, 2004
Messages
12,302
try these for the internet.

Download the Hoster from: http://members.aol.com/toadbee/hoster.zip. UnZip
the file and press "Restore Original Hosts" and press "OK". Exit Program.

www.funkytoad.com/download/hoster.zip



Download DelDomains.inf from here:

http://www.mvps.org/winhelp2002/DelDomains.inf

Rightclick DelDomains.inf and choose install.


if that doesn't work then try this tool!

winsock repair

http://subratam.org/main/index.php?option=com_content&task=view&id=19&Itemid=41


Close every other program, then open winsockxpfix and click reg backup.
Save the reg backup somewhere.

After that is done, click the fix button of winsockxpfix
 

kawa

Thread Starter
Joined
Aug 27, 2003
Messages
26
Hi, your first post seems to have got rid of the problem. The online scans are taking too long. So, I"ll just post the HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 4:37:07 AM, on 12/31/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v5.00 (5.00.2614.3500)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\TCDPLAY.DRV
C:\WINDOWS\SYSTEM\TWBROWSE.DRV
C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON CLEANSWEEP\CSINJECT.EXE
C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON UTILITIES\NPROTECT.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\SYMTRAY.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\MOUSE\SYSTEM\EM_EXEC.EXE
C:\WINDOWS\SYSTEM\TOSHIBSU.EXE
C:\WINDOWS\SYSTEM\THOTKEY.EXE
C:\WINDOWS\SYSTEM\PWRTRAY.EXE
C:\WINDOWS\SYSTEM\PSPCCARD.EXE
C:\WINDOWS\SYSTEM\TESCKEY.EXE
C:\WINDOWS\SYSTEM\TFUNCKEY.EXE
C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON ANTIVIRUS\NAVAPW32.EXE
C:\PROGRAM FILES\WINPOET BROADBAND CONNECTION\WINPPPOVERETHERNET.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\OSA.EXE
C:\PROGRAM FILES\SPYWAREGUARD\SGMAIN.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\SPYWAREGUARD\SGBHP.EXE
C:\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus...aults/sb/*http://www.yahoo.com/search/ie.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\PROGRAM FILES\SPYWAREGUARD\DLPROTECT.DLL (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [EM_EXEC] c:\mouse\system\em_exec.exe
O4 - HKLM\..\Run: [TOSHIBSU] TOSHIBSU.EXE
O4 - HKLM\..\Run: [THotkey] THotkey.exe
O4 - HKLM\..\Run: [TDspOff] TDspOff.Exe B
O4 - HKLM\..\Run: [PowerTray] PwrTray.EXE
O4 - HKLM\..\Run: [PsPCCard] PsPCCard.EXE
O4 - HKLM\..\Run: [TEscKey] TEscKey.exe
O4 - HKLM\..\Run: [TFunckey] TFuncKey.exe
O4 - HKLM\..\Run: [NAV Agent] c:\PROGRA~1\NORTON~1\NORTON~2\NAVAPW32.EXE
O4 - HKLM\..\Run: [NPROTECT] c:\Program Files\Norton SystemWorks\Norton Utilities\nprotect.exe
O4 - HKLM\..\Run: [a-winpoet-service] "C:\Program Files\WinPoET Broadband Connection\winpppoverethernet.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [TCDPlay] TCDPlay.drv
O4 - HKLM\..\RunServices: [TWBrowse] TWBrowse.drv
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [CSINJECT.EXE] c:\Program Files\Norton SystemWorks\Norton CleanSweep\CSINJECT.EXE
O4 - HKLM\..\RunServices: [NPROTECT] c:\Program Files\Norton SystemWorks\Norton Utilities\nprotect.exe
O4 - HKLM\..\RunServices: [SymTray - Norton SystemWorks] c:\Program Files\Common Files\Symantec Shared\SymTray.exe "Norton SystemWorks"
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Startup: Search for buddyPhone 2 Update.lnk = C:\Program Files\buddyPhone\WiseUpdt.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O12 - Plugin for .pdf: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/web_games/popcap/bejeweled2/popcaploader_v6.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/kws/kavwebscan_ansi.cab

Thanks. Internet connection seems to be ok now.
 
Joined
Feb 15, 2004
Messages
12,302
ok, we really need to run a anti virus scan to make sure your clean, so download Mwav and update it and run it, it can take a few hours but you can let it run while your sleeping or whatever!


you don't appear to have a firewall, even if you have a router you still need
a software frewall, downlaod the one from the link below!

Filseclab Personal Firewall Professional Edition

http://www.filseclab.com/eng/download/downloads.htm

http://www.wilderssecurity.com/showthread.php?t=92710





go to this site and download these tools and once you get both
adaware Se 1.6 and spybot, update both of them.

Set adaware to do a full system scan and deselect, "search for neglible risk
entries". Click next to start the scan. Delete everything adaware finds.

reboot and now run spybot

Spybot: Search and destroy.

Delete what spybot finds marked in red. After updating spybot hit the
immunize button.

reboot again


With CWshredder close all browsers and programmes and select the FIX button.



All tools can be downloaded at the link below and found on that page!


. Trend micro CWShredder
. SpyBot search and destroy
. AdAware SE personal


http://www.majorgeeks.com/downloads31.html

have hijack this fix these entries. close all browsers and programmes before
clicking FIX.

O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\PROGRAM FILES\SPYWAREGUARD\DLPROTECT.DLL (file missing)



Note: this is a stand alone, it doesn't install to start/programmes.

Download Mwav, double click on it and it will extract to C:\kaspersky. Click
on the kaspersky folder and click on Kavupd, a black dos window will open
and it will update the programme for you, be patient it will take 5-10
minutes to download the new definitions. Once it's updated, click on mwavscan
to launch the programme.

Use the defaults of:

Memory
startup folders
Registry
system folders
services

Choose drive , all drives and, click scan all files
and then click scan/clean. After it finishes scanning and cleaning post
the log here with a new hijack this log.

Note: this is a very thorough scanner, it might take anything up to an hour
or more, depending on how many drives you have and how badly infected your
pc is.

http://www.spywareinfo.dk/download/mwav.exe


http://www.spywarefri.dk/forum/topic.asp?TOPIC_ID=7592



post another log and attache the Mwav log!
 

kawa

Thread Starter
Joined
Aug 27, 2003
Messages
26
I'm seriously getting screwed here.

Earlier when everything seems to look fine, I downloaded the latest spybot SND and fix everything that it listed. Especially DSO Exploit.

Right after that, I reboot the laptop and upon start up, it would display error messages like loadqm or exlporer error in module wininet.dll. I tried to turn on IE and it would display Iexplorer error in module wininet.dll. Can't get on the net with the laptop again.

I've tried scanning with Adaware with the latest definitions, but it just stops at c:\program files\celanup! folder for about an hour.

I've scanned with CWS shredder and there's no infection detected.

Here's the latest HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 7:46:31 PM, on 12/31/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v5.00 (5.00.2614.3500)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\TCDPLAY.DRV
C:\WINDOWS\SYSTEM\TWBROWSE.DRV
C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON CLEANSWEEP\CSINJECT.EXE
C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON UTILITIES\NPROTECT.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\SYMTRAY.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\MOUSE\SYSTEM\EM_EXEC.EXE
C:\WINDOWS\SYSTEM\TOSHIBSU.EXE
C:\WINDOWS\SYSTEM\THOTKEY.EXE
C:\WINDOWS\SYSTEM\PWRTRAY.EXE
C:\WINDOWS\SYSTEM\PSPCCARD.EXE
C:\WINDOWS\SYSTEM\TESCKEY.EXE
C:\WINDOWS\SYSTEM\TFUNCKEY.EXE
C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON ANTIVIRUS\NAVAPW32.EXE
C:\PROGRAM FILES\WINPOET BROADBAND CONNECTION\WINPPPOVERETHERNET.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\OSA.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\SPYWAREGUARD\SGBHP.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus...aults/sb/*http://www.yahoo.com/search/ie.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [EM_EXEC] c:\mouse\system\em_exec.exe
O4 - HKLM\..\Run: [TOSHIBSU] TOSHIBSU.EXE
O4 - HKLM\..\Run: [THotkey] THotkey.exe
O4 - HKLM\..\Run: [TDspOff] TDspOff.Exe B
O4 - HKLM\..\Run: [PowerTray] PwrTray.EXE
O4 - HKLM\..\Run: [PsPCCard] PsPCCard.EXE
O4 - HKLM\..\Run: [TEscKey] TEscKey.exe
O4 - HKLM\..\Run: [TFunckey] TFuncKey.exe
O4 - HKLM\..\Run: [NAV Agent] c:\PROGRA~1\NORTON~1\NORTON~2\NAVAPW32.EXE
O4 - HKLM\..\Run: [NPROTECT] c:\Program Files\Norton SystemWorks\Norton Utilities\nprotect.exe
O4 - HKLM\..\Run: [a-winpoet-service] "C:\Program Files\WinPoET Broadband Connection\winpppoverethernet.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [TCDPlay] TCDPlay.drv
O4 - HKLM\..\RunServices: [TWBrowse] TWBrowse.drv
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [CSINJECT.EXE] c:\Program Files\Norton SystemWorks\Norton CleanSweep\CSINJECT.EXE
O4 - HKLM\..\RunServices: [NPROTECT] c:\Program Files\Norton SystemWorks\Norton Utilities\nprotect.exe
O4 - HKLM\..\RunServices: [SymTray - Norton SystemWorks] c:\Program Files\Common Files\Symantec Shared\SymTray.exe "Norton SystemWorks"
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Startup: Search for buddyPhone 2 Update.lnk = C:\Program Files\buddyPhone\WiseUpdt.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O12 - Plugin for .pdf: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/web_games/popcap/bejeweled2/popcaploader_v6.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/kws/kavwebscan_ansi.cab



I've fixed
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\PROGRAM FILES\SPYWAREGUARD\DLPROTECT.DLL (file missing)

But still no luck.

I'm planning to download and burn mwav.exe and copied it to the laptop to scan, can i download the definitions files cumul.zip, weekly.zip and daily.zip from www.kaspersky.com\download for the mwav.exe?
 
Joined
Feb 15, 2004
Messages
12,302
* Click here to download smitRem.zip. You can fit this on your floppy and transfet it to the laptop!


http://noahdfear.geekstogo.com/click counter/click.php?id=1



* Save the file to your desktop.
* Unzip smitRem.zip to extract the two files it contains.
* Do not do anything with it yet. You will run the RunThis.bat file later in safe mode.



* Click here for info on how to boot to safe mode if you don't already know how.


* Now copy these instructions to notepad and save them to your desktop. You will need them to refer to in safe mode.


* Restart your computer into safe mode now. Perform the following steps in safe mode:



* Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen.
Wait for the tool to complete and disk cleanup to finish.


post another hijack this log, and contents of smitfiles.txt from the smitRem folder


ok hopefully that will clena the wininet.dll which is neded by your computer.


If that doesn't work you can try this method below!


For Wininet.dll WIn 98


Please read these instructions carefully and print them out because you will not be able to connect to the internet during most of this fix! Be sure to follow ALL instructions!

Click Start then Run and Type command and click Ok

In the DOS Window, type:

copy c:\windows\system\wininet.dll c:\windows\desktop

Close the DOS Window and reboot.
______________________________

Scan the Desktop Folder (c:\windows\desktop) with eTrust Web Scanner. When done, make sure the box is checked for wininet.dll and click cure.

http://www3.ca.com/securityadvisor/virusinfo/scan.aspx

______________________________

Reboot your computer in Command prompt only.

* If the computer is running, shut down Windows, and then turn off the power.
* Wait 30 seconds, and then turn the computer on.
* As the computer starts, press and hold down the F8 key until the 98/ME Startup Menu appears.
* Ensure that the Command prompt only option is selected.
* Press Enter.

Type the following lines at the prompt, and hit Enter after each line you type:

del c:\windows\system\wininet.dll

del c:\windows\system\oleext.dll

copy c:\windows\desktop\wininet.dll c:\windows\system

If you get a prompt asking you if you really want to delete a file, confirm deletion. If you get a prompt asking you if you want to replace wininet.dll, confirm replacement.

Reboot your computer in Safe Mode


We need to check the file C:\Windows\System\wininet.dll to see if it got cleaned up. Go to Jotti's malware scan at http://virusscan.jotti.org/ and upload the file for scanning. Let me know the results. (Highlight the results, select copy and paste them in your reply.)

Note: If you have trouble reaching Jotti's, upload the file at Virus Total and save the results.
http://www.virustotal.com

Post a new HijackThis log.
 

kawa

Thread Starter
Joined
Aug 27, 2003
Messages
26
After trying the smitRem method, rebooting into normal mode would keep prompting explorer error message. And still no net connection. There was also an error message on kernel32.dll.

Attempting the second method, but since I do not have net connection, can i copy the WININET.DLL file into a floppy and transfer it to another pc to do the online scanning?

However, when at http://www3.ca.com/securityadvisor/virusinfo/scan.aspx , the signature files did not load. It displayed as:

"Starting signature update. Please wait...
Connectiing to FTP Server: connected.
Updating vete.dll (728k): failed to create file."

I tried clicking on start scan button and it told me to wait for the signature update to finish. And nothing new has been appearing on the scanner text box screen.

What can I do next?

My PC/desktop is also running on Win98. Can I just copy and replace the WININET.DLL on my laptop's?
 

kawa

Thread Starter
Joined
Aug 27, 2003
Messages
26
Ok. I've copied wininet.dll onto my desktop and did the two online scanning. At http://www3.ca.com/securityadvisor/virusinfo/scan.aspx , it shows:

Scan Results: Scan Completed. 376 files scanned. No viruses found.

File Infection Status Path
- No Infections


At Jotti's:

Service load: 0% 100%

File: WININET.DLL
Status: OK
MD5 a632f824282a1f84bd1e3798978030c7
Packers detected: -
Scanner results
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
Fortinet Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
UNA Found nothing
VBA32 Found nothing

Could wininet.dll be corrupted?
 
Joined
Feb 15, 2004
Messages
12,302
yes, this file gets corrupted by this infection and we're trying to clean it. post naother log please. Can you get connected to the internet? Copy the file back from the desktop to it's location! c:\windows\system
 
Joined
Feb 15, 2004
Messages
12,302
If that doesn't work i'm attaching a copy of wininet.ddl for Windows 98, hopefully this will fix it. Unzip it and drop it into c:\windows\system
 

Attachments

kawa

Thread Starter
Joined
Aug 27, 2003
Messages
26
Only when replacing your copy of wininet.dll works! I'm posting from the laptop now.

Here's my latest HJT log:Logfile of HijackThis v1.99.1
Scan saved at 10:54:39 PM, on 1/1/06
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v5.00 (5.00.2614.3500)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\TCDPLAY.DRV
C:\WINDOWS\SYSTEM\TWBROWSE.DRV
C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON CLEANSWEEP\CSINJECT.EXE
C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON UTILITIES\NPROTECT.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\SYMTRAY.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\MOUSE\SYSTEM\EM_EXEC.EXE
C:\WINDOWS\SYSTEM\TOSHIBSU.EXE
C:\WINDOWS\SYSTEM\THOTKEY.EXE
C:\WINDOWS\SYSTEM\PWRTRAY.EXE
C:\WINDOWS\SYSTEM\PSPCCARD.EXE
C:\WINDOWS\SYSTEM\TESCKEY.EXE
C:\WINDOWS\SYSTEM\TFUNCKEY.EXE
C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON ANTIVIRUS\NAVAPW32.EXE
C:\PROGRAM FILES\WINPOET BROADBAND CONNECTION\WINPPPOVERETHERNET.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\OSA.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\SPYWAREGUARD\SGMAIN.EXE
C:\PROGRAM FILES\SPYWAREGUARD\SGBHP.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus...aults/sb/*http://www.yahoo.com/search/ie.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [EM_EXEC] c:\mouse\system\em_exec.exe
O4 - HKLM\..\Run: [TOSHIBSU] TOSHIBSU.EXE
O4 - HKLM\..\Run: [THotkey] THotkey.exe
O4 - HKLM\..\Run: [TDspOff] TDspOff.Exe B
O4 - HKLM\..\Run: [PowerTray] PwrTray.EXE
O4 - HKLM\..\Run: [PsPCCard] PsPCCard.EXE
O4 - HKLM\..\Run: [TEscKey] TEscKey.exe
O4 - HKLM\..\Run: [TFunckey] TFuncKey.exe
O4 - HKLM\..\Run: [NAV Agent] c:\PROGRA~1\NORTON~1\NORTON~2\NAVAPW32.EXE
O4 - HKLM\..\Run: [NPROTECT] c:\Program Files\Norton SystemWorks\Norton Utilities\nprotect.exe
O4 - HKLM\..\Run: [a-winpoet-service] "C:\Program Files\WinPoET Broadband Connection\winpppoverethernet.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [dmicz.exe] C:\WINDOWS\SYSTEM\dmicz.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [TCDPlay] TCDPlay.drv
O4 - HKLM\..\RunServices: [TWBrowse] TWBrowse.drv
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [CSINJECT.EXE] c:\Program Files\Norton SystemWorks\Norton CleanSweep\CSINJECT.EXE
O4 - HKLM\..\RunServices: [NPROTECT] c:\Program Files\Norton SystemWorks\Norton Utilities\nprotect.exe
O4 - HKLM\..\RunServices: [SymTray - Norton SystemWorks] c:\Program Files\Common Files\Symantec Shared\SymTray.exe "Norton SystemWorks"
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Startup: Search for buddyPhone 2 Update.lnk = C:\Program Files\buddyPhone\WiseUpdt.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O12 - Plugin for .pdf: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/web_games/popcap/bejeweled2/popcaploader_v6.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/kws/kavwebscan_ansi.cab
O18 - Filter: text/html - (no CLSID) - (no file)
O18 - Filter: text/plain - (no CLSID) - (no file)
 
Joined
Feb 15, 2004
Messages
12,302
how's the computer running now any better?



you don't appear to have a firewall, even if you have a router you still need
a software frewall, downlaod the one from the link below!


Filseclab Personal Firewall Professional Edition


http://www.filseclab.com/eng/download/downloads.htm


http://www.wilderssecurity.com/showthread.php?t=92710





have hijack this fix these entries. close all browsers and programmes before
clicking FIX.


O4 - HKLM\..\Run: [dmicz.exe] C:\WINDOWS\SYSTEM\dmicz.exe
O18 - Filter: text/html - (no CLSID) - (no file)
O18 - Filter: text/plain - (no CLSID) - (no file)


Double-click on Killbox.exe to run it. Now put a tick by Delete on
Reboot. In the "Full Path of File to Delete" box, copy and paste each
of the following lines one at a time then click on the button that has
the red circle with the X in the middle after you enter each file.
It will ask for confimation to delete the file on next reboot. Click
Yes. It will then ask if you want to reboot now. Click No. Continue
with that same procedure until you have copied and pasted all of
these in the "Paste Full Path of File to Delete" box.Then click yes
to reboot after you entered the last one.


Note: It is possible that Killbox will tell you that one or more files do not
exist. If that happens, just continue on with all the files. Be sure you
don't miss any.


C:\WINDOWS\SYSTEM\dmicz.exe


reboot back to normal mode

See now if you can run a kaspersky and panda scan because you had alot of infections there!




Run an online antivirus check from

http://www.kaspersky.com/virusscanner

choose extended database for the scan!



Run ActiveScan online virus scan here

http://www.pandasoftware.com/products/activescan.htm

When the scan is finished, anything that it cannot clean have it delete it.
Make a note of the file location of anything that cannot be deleted so you
can delete it yourself.
- Save the results from the scan!



post another hijack this log, the kaspersky and active scan logs
 
Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

Users Who Are Viewing This Thread (Users: 0, Guests: 1)

As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 807,865 other people just like you!

Latest posts

Staff online

Members online

Top