cwwllcadaware

Browser Hijacked


Hello,

 

I followed all the steps noted in the forum with no success. I spent this entire afternoon running Ad-Aware, deleting the target families, and restarting. The final step as per the forum instructions was to download HijackThis and post the log. I deleted a couple of obvious ones through HijackThis. Following is the latest log:

 

 

Thank you in advance!!

 

------------------------------

 

Logfile of HijackThis v1.99.1

Scan saved at 9:55:21 AM, on 06/15/2006

Platform: Windows 98 SE (Win9x 4.10.2222A)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\SYSTEM\KERNEL32.DLL

C:\WINDOWS\SYSTEM\MSGSRV32.EXE

C:\WINDOWS\SYSTEM\SPOOL32.EXE

C:\WINDOWS\SYSTEM\MPREXE.EXE

C:\WINDOWS\SYSTEM\WINMODEM.101\wmexe.exe

C:\WINDOWS\SYSTEM\MSTASK.EXE

C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE

C:\WINDOWS\SYSTEM\MDM.EXE

C:\WINDOWS\SYSTEM\RPCSS.EXE

C:\WINDOWS\SYSTEM\mmtask.tsk

C:\WINDOWS\EXPLORER.EXE

C:\WINDOWS\TASKMON.EXE

C:\WINDOWS\SYSTEM\SYSTRAY.EXE

C:\PROGRAM FILES\VERITAS SOFTWARE\UPDATE MANAGER\SGTRAY.EXE

C:\WINDOWS\SYSTEM\STIMON.EXE

C:\WINDOWS\TPPALDR.EXE

C:\WINDOWS\STARTER.EXE

C:\PROGRAM FILES\MICROSOFT HARDWARE\MOUSE\POINT32.EXE

C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE

C:\DEFENDER26.EXE

C:\NEWNAME25.EXE

C:\WINDOWS\AWISAM.EXE

C:\WINDOWS\SYSTEM\OWINLQEZ.EXE

C:\MY DOCUMENTS2\TSBO\MSHTA.EXE

C:\PROGRAM FILES\DIWI\SJKVKIIH.EXE

C:\PROGRAM FILES\COMMON FILES\WIMF\WIMFM.EXE

C:\WINDOWS\SYSTEM\PSTORES.EXE

C:\WINDOWS\QHYXY.EXE

C:\WINDOWS\SYSTEM\WMIEXE.EXE

C:\PROGRAM FILES\COMMON FILES\WIMF\WIMFA.EXE

C:\WINDOWS\QHYXY.EXE

C:\WINDOWS\QHYXY.EXE

C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE

C:\MY DOCUMENTS\IOMEGAVAIOBACKUP\AMERICA ONLINE 4.0B\DOWNLOAD\HIJACKING\HIJACKTHIS LOG FILES\HIJACKTHIS.EXE

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchbar.findthewebsiteyouneed.com

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchbar.findthewebsiteyouneed.com

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.findthewebsiteyouneed.com

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchbar.findthewebsiteyouneed.com

R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - (no file)

R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)

O2 - BHO: (no name) - {2681CEC7-C251-43B6-B1F7-CD83A00A97C9} - \

O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll

O4 - HKLM\..\Run: [scanRegistry] c:\windows\scanregw.exe /autorun

O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe

O4 - HKLM\..\Run: [systemTray] SysTray.Exe

O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme

O4 - HKLM\..\Run: [storageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r

O4 - HKLM\..\Run: [stillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE

O4 - HKLM\..\Run: [TPP Auto Loader] C:\WINDOWS\TPPALDR.EXE

O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe

O4 - HKLM\..\Run: [POINTER] C:\Program Files\Microsoft Hardware\Mouse\point32.exe

O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [ccRegVfy] "c:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"

O4 - HKLM\..\Run: [symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMON.EXE /Consumer

O4 - HKLM\..\Run: [keyboard] C:\\KEYBOARD25.exe

O4 - HKLM\..\Run: [defender] C:\\DEFENDER26.exe

O4 - HKLM\..\Run: [newname] C:\\NEWNAME25.exe

O4 - HKLM\..\Run: [aomkyk] C:\WINDOWS\awisam.exe reg_run

O4 - HKLM\..\Run: [browserUpdateSched] C:\WINDOWS\SYSTEM\OWINLQEZ.EXE GID003

O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme

O4 - HKLM\..\RunServices: [winmodem] WINMODEM.101\wmexe.exe

O4 - HKLM\..\RunServices: [schedulingAgent] mstask.exe

O4 - HKLM\..\RunServices: [ccEvtMgr] "c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"

O4 - HKLM\..\RunServices: [scriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg

O4 - HKLM\..\RunServices: [Machine Debug Manager] C:\WINDOWS\SYSTEM\MDM.EXE

O4 - HKCU\..\Run: [iscu] "C:\My Documents2\tsbo\mshta.exe" -vt yazr

O4 - HKCU\..\Run: [vltmb] C:\WINDOWS\awisam.exe reg_run

O4 - HKCU\..\Run: [Gkvofej] C:\Program Files\Diwi\sjkvkiih.exe

O4 - HKCU\..\Run: [WIMF] C:\PROGRAM FILES\COMMON FILES\WIMF\WIMFM.EXE

O4 - Startup: Status Monitor.lnk = C:\Program Files\XEROX_XD\ENGSS.EXE

O4 - Startup: Controller.LNK = C:\Program Files\WinFax\WFXCTL32.EXE

O4 - Startup: Zeno.lnk = C:\WINDOWS\SYSTEM\owinlqez.exe

O4 - Startup: sfutg.exe

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O8 - Extra context menu item: Advanced Email Extractor - res://C:\PROGRAM%20FILES\ADVANCED%20EMAIL%20EXTRACTOR%20PRO\AEEPMSIE.DLL/page.html

O8 - Extra context menu item: Scan link with AEE - res://C:\PROGRAM%20FILES\ADVANCED%20EMAIL%20EXTRACTOR%20PRO\AEEPMSIE.DLL/link.html

O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsearch.html

O8 - Extra context menu item: &Translate English Word - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmwordtrans.html

O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmcache.html

O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsimilar.html

O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmbacklinks.html

O8 - Extra context menu item: Translate Page into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmtrans.html

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRAM FILES\JAVA\JRE1.5.0_06\BIN\SSV.DLL

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRAM FILES\JAVA\JRE1.5.0_06\BIN\SSV.DLL

O9 - Extra button: Email Extractor - {AFA7DB99-3E4D-4396-94F8-B0B135BCB472} - res://C:\PROGRAM%20FILES\ADVANCED%20EMAIL%20EXTRACTOR%20PRO\AEEPMSIE.DLL/page.html (file missing) (HKCU)

O9 - Extra 'Tools' menuitem: Advanced Email Extractor - {AFA7DB99-3E4D-4396-94F8-B0B135BCB472} - res://C:\PROGRAM%20FILES\ADVANCED%20EMAIL%20EXTRACTOR%20PRO\AEEPMSIE.DLL/page.html (file missing) (HKCU)

O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll


By the way, following is the original HijackThis Log before I deleted some obvious files:

 

----------------------

 

 

Logfile of HijackThis v1.99.1

Scan saved at 8:30:13 PM, on 06/14/2006

Platform: Windows 98 SE (Win9x 4.10.2222A)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\SYSTEM\KERNEL32.DLL

C:\WINDOWS\SYSTEM\MSGSRV32.EXE

C:\WINDOWS\SYSTEM\SPOOL32.EXE

C:\WINDOWS\SYSTEM\MPREXE.EXE

C:\WINDOWS\SYSTEM\WINMODEM.101\wmexe.exe

C:\WINDOWS\SYSTEM\MSTASK.EXE

C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE

C:\WINDOWS\SYSTEM\MDM.EXE

C:\WINDOWS\SYSTEM\RPCSS.EXE

C:\WINDOWS\SYSTEM\mmtask.tsk

C:\WINDOWS\EXPLORER.EXE

C:\WINDOWS\TASKMON.EXE

C:\WINDOWS\SYSTEM\SYSTRAY.EXE

C:\WINDOWS\SYSTEM\STIMON.EXE

C:\WINDOWS\TPPALDR.EXE

C:\WINDOWS\STARTER.EXE

C:\PROGRAM FILES\MICROSOFT HARDWARE\MOUSE\POINT32.EXE

C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE

C:\DEFENDER26.EXE

C:\WINDOWS\SYSTEM\DWDSREGT.EXE

C:\WINDOWS\AWISAM.EXE

C:\MY DOCUMENTS2\TSBO\MSHTA.EXE

C:\PROGRAM FILES\DIWI\SJKVKIIH.EXE

C:\WINDOWS\SYSTEM\OWINLQEZ.EXE

C:\WINDOWS\SYSTEM\WMIEXE.EXE

C:\WINDOWS\QHYXY.EXE

C:\WINDOWS\QHYXY.EXE

C:\WINDOWS\SYSTEM\PSTORES.EXE

C:\WINDOWS\QHYXY.EXE

C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE

C:\WINDOWS\SYSTEM\TAPISRV.EXE

C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE

C:\WINDOWS\SYSTEM\DDHELP.EXE

C:\MY DOCUMENTS\IOMEGAVAIOBACKUP\AMERICA ONLINE 4.0B\DOWNLOAD\HIJACKING\HIJACKTHIS LOG FILES\HIJACKTHIS.EXE

 

R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - (no file)

R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)

O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll

O4 - HKLM\..\Run: [scanRegistry] c:\windows\scanregw.exe /autorun

O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe

O4 - HKLM\..\Run: [systemTray] SysTray.Exe

O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme

O4 - HKLM\..\Run: [storageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r

O4 - HKLM\..\Run: [stillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE

O4 - HKLM\..\Run: [TPP Auto Loader] C:\WINDOWS\TPPALDR.EXE

O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe

O4 - HKLM\..\Run: [POINTER] C:\Program Files\Microsoft Hardware\Mouse\point32.exe

O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [ccRegVfy] "c:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"

O4 - HKLM\..\Run: [symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMON.EXE /Consumer

O4 - HKLM\..\Run: [keyboard] C:\\KEYBOARD25.exe

O4 - HKLM\..\Run: [defender] C:\\DEFENDER26.exe

O4 - HKLM\..\Run: [newname] C:\\NEWNAME25.exe

O4 - HKLM\..\Run: [{11-16-6F-F2-ZN}] C:\WINDOWS\SYSTEM\DWDSREGT.EXE GID003

O4 - HKLM\..\Run: [surfSideKick 3] C:\PROGRAM FILES\SURFSIDEKICK 3\Ssk.exe

O4 - HKLM\..\Run: [aomkyk] C:\WINDOWS\awisam.exe reg_run

O4 - HKLM\..\Run: [browserUpdateSched] C:\WINDOWS\SYSTEM\OWINLQEZ.EXE GID003

O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme

O4 - HKLM\..\RunServices: [winmodem] WINMODEM.101\wmexe.exe

O4 - HKLM\..\RunServices: [schedulingAgent] mstask.exe

O4 - HKLM\..\RunServices: [ccEvtMgr] "c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"

O4 - HKLM\..\RunServices: [scriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg

O4 - HKLM\..\RunServices: [Machine Debug Manager] C:\WINDOWS\SYSTEM\MDM.EXE

O4 - HKCU\..\Run: [iscu] "C:\My Documents2\tsbo\mshta.exe" -vt yazr

O4 - HKCU\..\Run: [surfSideKick 3] C:\PROGRAM FILES\SURFSIDEKICK 3\Ssk.exe

O4 - HKCU\..\Run: [vltmb] C:\WINDOWS\awisam.exe reg_run

O4 - HKCU\..\Run: [Gkvofej] C:\Program Files\Diwi\sjkvkiih.exe

O4 - Startup: Status Monitor.lnk = C:\Program Files\XEROX_XD\ENGSS.EXE

O4 - Startup: Controller.LNK = C:\Program Files\WinFax\WFXCTL32.EXE

O4 - Startup: Z_Start.lnk = ?

O4 - Startup: Zeno.lnk = C:\WINDOWS\SYSTEM\owinlqez.exe

O4 - Startup: sfutg.exe

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O8 - Extra context menu item: Advanced Email Extractor - res://C:\PROGRAM%20FILES\ADVANCED%20EMAIL%20EXTRACTOR%20PRO\AEEPMSIE.DLL/page.html

O8 - Extra context menu item: Scan link with AEE - res://C:\PROGRAM%20FILES\ADVANCED%20EMAIL%20EXTRACTOR%20PRO\AEEPMSIE.DLL/link.html

O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsearch.html

O8 - Extra context menu item: &Translate English Word - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmwordtrans.html

O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmcache.html

O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsimilar.html

O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmbacklinks.html

O8 - Extra context menu item: Translate Page into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmtrans.html

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRAM FILES\JAVA\JRE1.5.0_06\BIN\SSV.DLL

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRAM FILES\JAVA\JRE1.5.0_06\BIN\SSV.DLL

O9 - Extra button: Email Extractor - {AFA7DB99-3E4D-4396-94F8-B0B135BCB472} - res://C:\PROGRAM%20FILES\ADVANCED%20EMAIL%20EXTRACTOR%20PRO\AEEPMSIE.DLL/page.html (file missing) (HKCU)

O9 - Extra 'Tools' menuitem: Advanced Email Extractor - {AFA7DB99-3E4D-4396-94F8-B0B135BCB472} - res://C:\PROGRAM%20FILES\ADVANCED%20EMAIL%20EXTRACTOR%20PRO\AEEPMSIE.DLL/page.html (file missing) (HKCU)

O10 - Hijacked Internet access by New.Net

O10 - Hijacked Internet access by New.Net

O10 - Hijacked Internet access by New.Net

O10 - Hijacked Internet access by New.Net

O10 - Hijacked Internet access by New.Net

O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll


Ugh! That's the latest Alcra/Alcan worm, which is a downloader of all the worst kinds of malware and the hardest to remove. Is your Norton a current version and up to date?

 

I have fix tools for this but only for Win2k and XP. I can ask around what is being recommended for Win98. It's such an assortment of nasties that I'm not sure we can repair all the damage done. You do need to get this PC off the internet ASAP, as it will continue to download more malware. My best recommendation at the moment is to back up all your important data and reformat/reinstall, if that is easy enough for you to do. It could take many days of cleaning and even then I can't assure you the damage can be repaired. I'll try though if you have no other option.

 

For starters, be sure to uninstall NewdotNet through this procedure only:

http://www.newdotnet.com/removal.html

 

These two utilities may help:

 

There is this free Utility from Dr. Web

FREE Dr.Web CureIt! Curing Utility

http://download.drweb.com/drweb+cureit/

(follow the directions given on that page)

 

And you probably need an AntiTrojan

a-squared has a free edition and will run on Windows98

http://www.emsisoft.com/en/software/free/

 

Follow up with updating Ad-aware with today's latest update and a full system scan in SAFE MODE


Thank you so much for your reply. I appreciate it very much!

 

I immediately took my PC off the internet. Furthermore, I performed the following:

 

- Uninstalled NewdotNet.

- Ran Dr. Web CureIt but did not find anything.

- Ran a-squared and deleted 5 adware items.

- Ran a full system scan with Ad-Aware with yesterday's update (because my pc is off the internet) in Safe Mode.

- Rebooted the system to normal mode and re-ran Ad-Aware (w/ yesterday's update) and found/deleted 1 file (Win32.Trojan.Downloader), which was located in C:\WINDOWS\bcgbkrm.exe

 

However, whenever I open Windows Explorer, I get an ACCESS DENIED message from Norton Antivirus for the following two files:

 

- C:\comscore.exe

- C:\webnexmk.exe

 

Also, while attempting to Delete a file named Startup: sfutg.exe through HijackThis I got a message stating "Unable to Delete" and to use a process killer like "ProcView" to shutdown the program and Run HijackThis again to delete the file. So far, I installed ProcView but I'm not sure if I should use it.

 

Should I have connected to the internet and downloaded today's Ad-Aware updates? Would it have made a big difference? What about the vulnerability issue?

 

Following is the latest HijackThis log:

 

-------------------------------

 

 

Logfile of HijackThis v1.99.1

Scan saved at 7:42:40 PM, on 06/15/2006

Platform: Windows 98 SE (Win9x 4.10.2222A)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\SYSTEM\KERNEL32.DLL

C:\WINDOWS\SYSTEM\MSGSRV32.EXE

C:\WINDOWS\SYSTEM\MPREXE.EXE

C:\WINDOWS\SYSTEM\SPOOL32.EXE

C:\WINDOWS\SYSTEM\WINMODEM.101\wmexe.exe

C:\WINDOWS\SYSTEM\MSTASK.EXE

C:\WINDOWS\SYSTEM\mmtask.tsk

C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE

C:\WINDOWS\SYSTEM\MDM.EXE

C:\WINDOWS\SYSTEM\RPCSS.EXE

C:\WINDOWS\EXPLORER.EXE

C:\WINDOWS\TASKMON.EXE

C:\WINDOWS\SYSTEM\SYSTRAY.EXE

C:\WINDOWS\SYSTEM\STIMON.EXE

C:\WINDOWS\TPPALDR.EXE

C:\WINDOWS\STARTER.EXE

C:\PROGRAM FILES\MICROSOFT HARDWARE\MOUSE\POINT32.EXE

C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE

C:\WINDOWS\AWISAM.EXE

C:\PROGRAM FILES\WINFAX\WFXCTL32.EXE

C:\WINDOWS\SYSTEM\WMIEXE.EXE

C:\WINDOWS\QHYXY.EXE

C:\WINDOWS\QHYXY.EXE

C:\WINDOWS\QHYXY.EXE

C:\WINDOWS\SYSTEM\TAPISRV.EXE

C:\PROGRAM FILES\WINFAX\WFXMOD32.EXE

C:\MY DOCUMENTS\IOMEGAVAIOBACKUP\AMERICA ONLINE 4.0B\DOWNLOAD\HIJACKING\HIJACKTHIS LOG FILES\HIJACKTHIS.EXE

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank

R3 - Default URLSearchHook is missing

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1.3\SDHELPER.DLL

O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll

O4 - HKLM\..\Run: [scanRegistry] c:\windows\scanregw.exe /autorun

O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe

O4 - HKLM\..\Run: [systemTray] SysTray.Exe

O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme

O4 - HKLM\..\Run: [storageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r

O4 - HKLM\..\Run: [stillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE

O4 - HKLM\..\Run: [TPP Auto Loader] C:\WINDOWS\TPPALDR.EXE

O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe

O4 - HKLM\..\Run: [POINTER] C:\Program Files\Microsoft Hardware\Mouse\point32.exe

O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [ccRegVfy] "c:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"

O4 - HKLM\..\Run: [symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMON.EXE /Consumer

O4 - HKLM\..\Run: [keyboard] C:\\KEYBOARD25.exe

O4 - HKLM\..\Run: [defender] C:\\DEFENDER26.exe

O4 - HKLM\..\Run: [aomkyk] C:\WINDOWS\awisam.exe reg_run

O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme

O4 - HKLM\..\RunServices: [winmodem] WINMODEM.101\wmexe.exe

O4 - HKLM\..\RunServices: [schedulingAgent] mstask.exe

O4 - HKLM\..\RunServices: [ccEvtMgr] "c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"

O4 - HKLM\..\RunServices: [scriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg

O4 - HKLM\..\RunServices: [Machine Debug Manager] C:\WINDOWS\SYSTEM\MDM.EXE

O4 - HKCU\..\Run: [Gkvofej] C:\Program Files\Diwi\sjkvkiih.exe

O4 - HKCU\..\Run: [WIMF] C:\PROGRAM FILES\COMMON FILES\WIMF\WIMFM.EXE

O4 - HKCU\..\Run: [vltmb] C:\WINDOWS\awisam.exe reg_run

O4 - Startup: Status Monitor.lnk = C:\Program Files\XEROX_XD\ENGSS.EXE

O4 - Startup: Controller.LNK = C:\Program Files\WinFax\WFXCTL32.EXE

O4 - Startup: sfutg.exe

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O8 - Extra context menu item: Advanced Email Extractor - res://C:\PROGRAM%20FILES\ADVANCED%20EMAIL%20EXTRACTOR%20PRO\AEEPMSIE.DLL/page.html

O8 - Extra context menu item: Scan link with AEE - res://C:\PROGRAM%20FILES\ADVANCED%20EMAIL%20EXTRACTOR%20PRO\AEEPMSIE.DLL/link.html

O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsearch.html

O8 - Extra context menu item: &Translate English Word - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmwordtrans.html

O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmcache.html

O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsimilar.html

O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmbacklinks.html

O8 - Extra context menu item: Translate Page into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmtrans.html

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRAM FILES\JAVA\JRE1.5.0_06\BIN\SSV.DLL

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRAM FILES\JAVA\JRE1.5.0_06\BIN\SSV.DLL

O9 - Extra button: Email Extractor - {AFA7DB99-3E4D-4396-94F8-B0B135BCB472} - res://C:\PROGRAM%20FILES\ADVANCED%20EMAIL%20EXTRACTOR%20PRO\AEEPMSIE.DLL/page.html (file missing) (HKCU)

O9 - Extra 'Tools' menuitem: Advanced Email Extractor - {AFA7DB99-3E4D-4396-94F8-B0B135BCB472} - res://C:\PROGRAM%20FILES\ADVANCED%20EMAIL%20EXTRACTOR%20PRO\AEEPMSIE.DLL/page.html (file missing) (HKCU)

O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll


I'm not sure the latest updates for Ad-Aware are going to make a big difference, but you can download the updates manually. This is explained in the Help menu of Ad-Aware SE under "Manual Updates".

1. Close Ad-Aware

 

2. Download the latest definition file in a ZIP file from Lavasoft's website*

http://www.lavasoftusa.com/support/download/

3. Save it to a temporary location (put a copy onto removable media and transfer to the affected computer)

 

4. When complete, unzip the contents of the file, either through your favorite ZIP utility or through built-in support in Windows, to the installation directory of Ad-Aware, which is usually C:\Program Files\Lavasoft\Ad-Aware SE Personal\

 

 

5. Open Ad-Aware

 

You can then confirm the latest definition file is installed by looking at the Initialization Status on the main Status screen.

.................................................................

You need to run the full system scan in SAFE MODE:

 

You can usually do this by restarting your computer and continually tapping F8 until a menu appears. Highlight Safe Mode and hit enter.

 

How to start the computer in Safe mode

http://service1.symantec.com/SUPPORT/tsgen...src=sec_doc_nam

...............................

I need to know what version of Norton Antivirus you are running and the latest update you have for it. Your antivirus program is the other key to this infection.


I am running Norton Antivirus 2003 with the latest updates, as of this past Wed.

 

I ran it in safe mode and it found and deleted Win32.Trojan.Downloader. I then ran Ad-Aware (w/ the original updates) and found and deleted the following:

 

- Win32.Trojan.Downloader in the C:\WINDOWS\qhyxy.exe

 

- MRU list - winzip recently used archives - HKEY_USERS:.DEFAULT\SOFTWARE\Nico Mak Computing\winzip\filemenu\

 

- MRU list - mrulist for items opened in start run - HKEY_USERS:.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\RUNMRU\

 

-----------------

 

Following is the latest HijackThis log:

 

Logfile of HijackThis v1.99.1

Scan saved at 9:49:35 AM, on 06/16/2006

Platform: Windows 98 SE (Win9x 4.10.2222A)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\SYSTEM\KERNEL32.DLL

C:\WINDOWS\SYSTEM\MSGSRV32.EXE

C:\WINDOWS\SYSTEM\MPREXE.EXE

C:\WINDOWS\EXPLORER.EXE

C:\WINDOWS\SYSTEM\RPCSS.EXE

C:\MY DOCUMENTS\IOMEGAVAIOBACKUP\AMERICA ONLINE 4.0B\DOWNLOAD\HIJACKING\HIJACKTHIS LOG FILES\HIJACKTHIS.EXE

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank

R3 - Default URLSearchHook is missing

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1.3\SDHELPER.DLL

O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll

O4 - HKLM\..\Run: [scanRegistry] c:\windows\scanregw.exe /autorun

O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe

O4 - HKLM\..\Run: [systemTray] SysTray.Exe

O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme

O4 - HKLM\..\Run: [storageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r

O4 - HKLM\..\Run: [stillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE

O4 - HKLM\..\Run: [TPP Auto Loader] C:\WINDOWS\TPPALDR.EXE

O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe

O4 - HKLM\..\Run: [POINTER] C:\Program Files\Microsoft Hardware\Mouse\point32.exe

O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [ccRegVfy] "c:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"

O4 - HKLM\..\Run: [symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMON.EXE /Consumer

O4 - HKLM\..\Run: [keyboard] C:\\KEYBOARD25.exe

O4 - HKLM\..\Run: [defender] C:\\DEFENDER26.exe

O4 - HKLM\..\Run: [aomkyk] C:\WINDOWS\awisam.exe reg_run

O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme

O4 - HKLM\..\RunServices: [winmodem] WINMODEM.101\wmexe.exe

O4 - HKLM\..\RunServices: [schedulingAgent] mstask.exe

O4 - HKLM\..\RunServices: [ccEvtMgr] "c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"

O4 - HKLM\..\RunServices: [scriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg

O4 - HKLM\..\RunServices: [Machine Debug Manager] C:\WINDOWS\SYSTEM\MDM.EXE

O4 - HKCU\..\Run: [Gkvofej] C:\Program Files\Diwi\sjkvkiih.exe

O4 - HKCU\..\Run: [WIMF] C:\PROGRAM FILES\COMMON FILES\WIMF\WIMFM.EXE

O4 - HKCU\..\Run: [vltmb] C:\WINDOWS\awisam.exe reg_run

O4 - Startup: Status Monitor.lnk = C:\Program Files\XEROX_XD\ENGSS.EXE

O4 - Startup: Controller.LNK = C:\Program Files\WinFax\WFXCTL32.EXE

O4 - Startup: sfutg.exe

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O8 - Extra context menu item: Advanced Email Extractor - res://C:\PROGRAM%20FILES\ADVANCED%20EMAIL%20EXTRACTOR%20PRO\AEEPMSIE.DLL/page.html

O8 - Extra context menu item: Scan link with AEE - res://C:\PROGRAM%20FILES\ADVANCED%20EMAIL%20EXTRACTOR%20PRO\AEEPMSIE.DLL/link.html

O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsearch.html

O8 - Extra context menu item: &Translate English Word - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmwordtrans.html

O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmcache.html

O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsimilar.html

O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmbacklinks.html

O8 - Extra context menu item: Translate Page into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmtrans.html

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRAM FILES\JAVA\JRE1.5.0_06\BIN\SSV.DLL

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRAM FILES\JAVA\JRE1.5.0_06\BIN\SSV.DLL

O9 - Extra button: Email Extractor - {AFA7DB99-3E4D-4396-94F8-B0B135BCB472} - res://C:\PROGRAM%20FILES\ADVANCED%20EMAIL%20EXTRACTOR%20PRO\AEEPMSIE.DLL/page.html (file missing) (HKCU)

O9 - Extra 'Tools' menuitem: Advanced Email Extractor - {AFA7DB99-3E4D-4396-94F8-B0B135BCB472} - res://C:\PROGRAM%20FILES\ADVANCED%20EMAIL%20EXTRACTOR%20PRO\AEEPMSIE.DLL/page.html (file missing) (HKCU)

O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll


Do you know if this type of malware infects data such as MS Office files (Excel, Word, etc.)? You had mentioned backing up important files. Would transferring them to another computer put the other computer at risk? Thanks.


I need an additional report.

 

Could you please Open HijackThis and instead of scan choose *Open Misc. Tools Section*

Next choose *Open Uninstall Manager*

It will make a list. When it finishes, press the *save list* button. Copy the results of that report back here please.

 

...........................

Norton 2003 is a bit obsolete for today's malware.

 

If your PC meets the system requirements, please download the free edition of BitDefender8

Then get the updates for it and shuttle to the affected computer. Install the program and BOTH updates

(cumulative and the daily). Links provided below:

 

http://www.bitdefender.com/PRODUCT-14-en--...ee-Edition.html

 

System requirements:

 

* Pentium MMX 200 MHz or higher processor

* Minimum 64 MB of RAM (128 MB recommended)

* Minimum 40 MB available hard disk space

 

 

Operating platform: Windows 98/NT-SP6/Me/2000/XP IE 4.0(+)

 

Download BitDefender8 and install

http://www.bitdefender.com/site/Download/d...oadFile/340/EN/

....................................................

Windows 98, Windows Millennium

 

Follow these steps to update the virus definitions:

 

1. Download the appropriate update (get both of these).

ftp://80.86.106.20/pub/updates/bitdefender_v8/cumulative.zip

ftp://80.86.106.20/pub/updates/bitdefender_v8/daily.zip

 

Save the archive to the disk instead of opening it from the web.

 

2. Extract the archive content.

 

Start with cumulative.zip when both update archives are available. Extract the content in the folder

C:\Program Files\Common Files\Softwin\BitDefender Scan Server\Plugins

and accept overwriting existing files.

 

3. Restart the computer.

 

After installing and updating, do a full system scan with BitDefender and let it remove or repair any infected files found. Please make a copy of the log at the end and post the results back here.


You can install and apply the updates in normal mode, but the scanning should be done in safe mode to give it the best chance of being able to delete any infected files found.

 

And to the other question, yes, Word documents, etc. can be infected, but just transferring them to store on another computer won't infect it. However, you should scan all transferred data files to be sure none are infected before opening any of them. If infected, opening one could launch malware.


Don't mind at all.

 

First, please go to your Control Panel and look in Add/Remove programs

 

Highlight each of these and press *remove* one by one.

 

(Those versions of Sun Java are out of date and a security vulnerability if left on your system).

Snowball Wars is a PurityScan variant and is best removed via Add/Remove Programs in the Control Panel.

 

Remove each of these:

 

J2SE Runtime Environment 5.0 Update 6

 

Java 2 Runtime Environment, SE v1.4.1

 

Java Web Start

 

Snowball Wars by OIN

 

You can get the latest version of Sun Java here to replace the old vulnerable ones:

http://www.java.com/en/download/manual.jsp

 

Here's why removing old versions of Sun Java is important:

Potential Vulnerability with Sun Java auto update

http://www.dslreports.com/forum/remark,14738046

 

After removing those programs and the BitDefender scan, and you are back in normal mode, then please scan with HijackThis and post a fresh log. I need the HijackThis log from normal mode to see what is left.


I tried to run BitDefender in safe mode and got the following error message:

 

"Failed to start the virus shield. Please launch the program again. If the problem persists, contact the developer."

 

However, when I installed it in normal mode, the program started scanning on its own.

 

Any recommendations?


In normal mode, scan with HijackThis and checkmark these entries, then press the *fix checked* button:

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank

R3 - Default URLSearchHook is missing

O4 - HKLM\..\Run: [keyboard] C:\\KEYBOARD25.exe

O4 - HKLM\..\Run: [defender] C:\\DEFENDER26.exe

O4 - HKLM\..\Run: [aomkyk] C:\WINDOWS\awisam.exe reg_run

O4 - HKCU\..\Run: [Gkvofej] C:\Program Files\Diwi\sjkvkiih.exe

O4 - HKCU\..\Run: [WIMF] C:\PROGRAM FILES\COMMON FILES\WIMF\WIMFM.EXE

O4 - HKCU\..\Run: [vltmb] C:\WINDOWS\awisam.exe reg_run

O4 - Startup: sfutg.exe

 

Delete these files (if found and if possible to delete)

C:\\KEYBOARD25.exe

 

C:\\DEFENDER26.exe

 

C:\WINDOWS\awisam.exe

 

C:\Program Files\Diwi\sjkvkiih.exe

 

C:\PROGRAM FILES\COMMON FILES\WIMF\WIMFM.EXE

 

sfutg.exe

 

Close HijackThis

 

Immediately, go ahead and run the full system scan with BitDefender in normal mode then :)

 

You were able to install both updates to the program?


I couldn't remove the following through HijackThis:

 

O4 - HKLM\..\Run: [aomkyk] C:\WINDOWS\awisam.exe reg_run

O4 - HKCU\..\Run: [vltmb] C:\WINDOWS\awisam.exe reg_run

O4 - Startup: sfutg.exe

 

 

I, however, couldn't find the following:

 

O4 - HKLM\..\Run: [defender] C:\\DEFENDER26.exe

 

 

I did install both updates and currently running a complete scan through BitDefender in normal mode as follows:

 

- Local Drives

- Network Drives

- Removable Drives

- All Entries

 

It seems to be taking some time to scan. Will you be responding to postings over the weekend? You've just been so great and I feel hopeful because of your kind help.


I'll be here. Get a scan log from Bit Defender and post the results. After cleaning with Bit Defender, reboot your PC and scan again with Hijack and post a fresh log from it too please.


I am experiencing some problems running BitDefender in normal mode. At 63% I received an Illegal Operation message. Since then, the scan has stopped in its tracks. So far it found 12 identified viruses. I am in communication with BitDefender's tech support about trying to run it in Safe Mode instead. They sent me the following link but it seems a bit confusing to follow. I'm not able to find the command prompt as per their instructions. The instructions say to enter the Command Prompt by clicking:

 

Start>All Programs>Accessories>Command Prompt.

 

However, after I reach Accessories I cannot locate Command Prompt. I am using Win98 SE.

 

In Safe Mode, they recommend scanning using the command prompt.

More information about the scan commands is available in the article:

 

http://kb.bitdefender.com/site/viewArticle...and_Prompt.html

 

 

Also, have you heard of AVG? A friend recommended this program.


Oh, right. This worm damages certain processes and stops them from running; that may be the problem.

 

Ok, let's try this fix, I think it works in Windows98.

 

Download AlcanShorty from here.

http://www.geekstogo.com/forum/index.php?a...details&f_id=13

 

* Click the *download* button near the bottom and agree to download the fix.

* Download Alcanshorty to your desktop.

* DoubleClick alcanshorty_en.exe and click install

* This will create a new folder on your desktop called alcanshorty_en

* Open that folder and doubleclick Run.bat

* Once the fix starts, your icons and desktop will disappear, this is normal.

 

Make sure you have a working internet connection. In case your firewall gives an alert, don't block it, because alcanshorty needs to download some additional files to let the tool run properly.

 

* Wait for the complete script execution box to popup and press OK.

* Press exit to terminate the BFU program.

 

Reboot your computer, then see if Bit Defender will run in normal mode.


I was able to perform a full scan with BitDefender in normal mode after all. I then rebooted in normal mode and ran HijackThis. Following are both logs. However, after the BitDefender scan I noticed 29 new files on my desktop. Do you know what they represent?

 

1 File:

x_dtrace.log

 

28 Files:

00F9D630_kds

00F9D050_kds

00F9D..._kds

etc..

 

--------------------

 

BitDefender Log:

 

 

//-----------------------------------------------------------------

//

// Product: BitDefender 8 Free Edition

// Version: 8.0

//

// Created on: 17/06/2006 15:11:07

//

//-----------------------------------------------------------------

 

 

Statistics

 

Scan path : A:\

C:\

D:\

Folders : 11544

Files : 867595

Archives : 133185

Packed files : 108036

Identified viruses : 11

Infected files : 29

Warnings : 0

Suspect files : 0

Disinfected files : 0

Deleted files : 11

Copied files : 0

Moved files : 16

Renamed files : 0

I/O errors : 4

Scan time : 07:33:08

Scan speed (files/sec) : 31

 

Virus definitions : 388423

Scan plugins : 13

Archive plugins : 38

Unpack plugins : 5

Mail plugins : 6

System plugins : 1

 

Scan options

 

Detection

[X] Scan boot sectors

[X] Scan archives

[X] Scan packed files

[X] Scan email

 

File mask

[ ] Programs

[X] All files

[ ] User defined extensions:

[ ] Exclude extensions: ;

 

Action

 

Infected objects

[ ] Ignore

[X] Disinfect

[ ] Delete

[ ] Copy to quarantine

[ ] Move to quarantine

[ ] Rename

[ ] Prompt user

 

Second action

[ ] Ignore

[ ] Delete

[ ] Copy to quarantine

[X] Move to quarantine

[ ] Rename

[ ] Prompt user

 

Scan options

[X] Enable warnings

[X] Enable heuristics

[ ] Show all files in log

[X] Report file: vscan.log

[ ] Append to existing report

 

Summary:

 

C:\WINDOWS\SYSTEM\dmonwv.dll Infected Trojan.Downloader.Qoologic.BC

C:\WINDOWS\SYSTEM\dmonwv.dll Disinfection failed

C:\WINDOWS\SYSTEM\dmonwv.dll Moved

C:\WINDOWS\SYSTEM\pkdsregk.exe Infected Trojan.Downloader.Agent.KK

C:\WINDOWS\SYSTEM\pkdsregk.exe Disinfection failed

C:\WINDOWS\SYSTEM\pkdsregk.exe Moved

C:\WINDOWS\bcgbkrm.exe Infected Trojan.Downloader.Qoologic.BC

C:\WINDOWS\bcgbkrm.exe Disinfection failed

C:\WINDOWS\bcgbkrm.exe Moved

C:\WINDOWS\Application Data\Identities\{CDEE4B40-5890-11D7-B2C6-AA300FDD523B}\Microsoft\Outlook Express\A- Archive - Inbox.dbx=>(message 552)=>(base64) Infected [email protected]

C:\WINDOWS\Application Data\Identities\{CDEE4B40-5890-11D7-B2C6-AA300FDD523B}\Microsoft\Outlook Express\A- Archive - Inbox.dbx=>(message 552)=>(base64) Disinfection failed

C:\WINDOWS\Application Data\Identities\{CDEE4B40-5890-11D7-B2C6-AA300FDD523B}\Microsoft\Outlook Express\A- Archive - Inbox.dbx=>(message 552)=>(base64) Move failed

C:\WINDOWS\Application Data\Identities\{CDEE4B40-5890-11D7-B2C6-AA300FDD523B}\Microsoft\Outlook Express\A- Archive - Inbox.dbx=>(message 10587)=>[subject: Delivery Status Notification (Failure)][Date: Wed, 3 Mar 2004 08:18:43 -0500]=>(MIME part)=>(message)=>[subject: Important notify about your e-mail acc][Date: Wed, 03 Mar 2004 08:15:14 -0500]=>(MIME part)=>Document.zip=>pucvwsoge.exe Infected [email protected]

C:\WINDOWS\Application Data\Identities\{CDEE4B40-5890-11D7-B2C6-AA300FDD523B}\Microsoft\Outlook Express\A- Archive - Inbox.dbx=>(message 10587)=>[subject: Delivery Status Notification (Failure)][Date: Wed, 3 Mar 2004 08:18:43 -0500]=>(MIME part)=>(message)=>[subject: Important notify about your e-mail acc][Date: Wed, 03 Mar 2004 08:15:14 -0500]=>(MIME part)=>Document.zip=>pucvwsoge.exe Deleted

C:\WINDOWS\Application Data\Identities\{CDEE4B40-5890-11D7-B2C6-AA300FDD523B}\Microsoft\Outlook Express\A- Archive - Inbox.dbx=>(message 10587)=>[subject: Delivery Status Notification (Failure)][Date: Wed, 3 Mar 2004 08:18:43 -0500]=>(MIME part)=>(message)=>[subject: Important notify about your e-mail acc][Date: Wed, 03 Mar 2004 08:15:14 -0500]=>(MIME part)=>Document.zip Update

C:\WINDOWS\Application Data\Identities\{CDEE4B40-5890-11D7-B2C6-AA300FDD523B}\Microsoft\Outlook Express\A- Archive - Inbox.dbx=>(message 10587)=>[subject: Delivery Status Notification (Failure)][Date: Wed, 3 Mar 2004 08:18:43 -0500]=>(MIME part)=>(message)=>[subject: Important notify about your e-mail acc][Date: Wed, 03 Mar 2004 08:15:14 -0500]=>(MIME part) Update

C:\WINDOWS\Application Data\Identities\{CDEE4B40-5890-11D7-B2C6-AA300FDD523B}\Microsoft\Outlook Express\A- Archive - Inbox.dbx=>(message 10587)=>[subject: Delivery Status Notification (Failure)][Date: Wed, 3 Mar 2004 08:18:43 -0500]=>(MIME part)=>(message) Update

C:\WINDOWS\Application Data\Identities\{CDEE4B40-5890-11D7-B2C6-AA300FDD523B}\Microsoft\Outlook Express\A- Archive - Inbox.dbx=>(message 10587)=>[subject: Delivery Status Notification (Failure)][Date: Wed, 3 Mar 2004 08:18:43 -0500]=>(MIME part) Update

C:\WINDOWS\Application Data\Identities\{CDEE4B40-5890-11D7-B2C6-AA300FDD523B}\Microsoft\Outlook Express\A- Archive - Inbox.dbx=>(message 10587) Update

C:\WINDOWS\Application Data\Identities\{CDEE4B40-5890-11D7-B2C6-AA300FDD523B}\Microsoft\Outlook Express\A- Archive - Inbox.dbx Update failed

C:\WINDOWS\Application Data\Identities\{CDEE4B40-5890-11D7-B2C6-AA300FDD523B}\Microsoft\Outlook Express\A- Archive - Inbox.dbx=>(message 10588)=>[subject: Important notify about your e-mail acc][Date: Wed, 03 Mar 2004 08:15:11 -0500]=>(MIME part)=>MoreInfo.zip=>pucvwsoge.exe Infected [email protected]

C:\WINDOWS\Application Data\Identities\{CDEE4B40-5890-11D7-B2C6-AA300FDD523B}\Microsoft\Outlook Express\A- Archive - Inbox.dbx=>(message 10588)=>[subject: Important notify about your e-mail acc][Date: Wed, 03 Mar 2004 08:15:11 -0500]=>(MIME part)=>MoreInfo.zip=>pucvwsoge.exe Deleted

C:\WINDOWS\Application Data\Identities\{CDEE4B40-5890-11D7-B2C6-AA300FDD523B}\Microsoft\Outlook Express\A- Archive - Inbox.dbx=>(message 10588)=>[subject: Important notify about your e-mail acc][Date: Wed, 03 Mar 2004 08:15:11 -0500]=>(MIME part)=>MoreInfo.zip Update

C:\WINDOWS\Application Data\Identities\{CDEE4B40-5890-11D7-B2C6-AA300FDD523B}\Microsoft\Outlook Express\A- Archive - Inbox.dbx=>(message 10588)=>[subject: Important notify about your e-mail acc][Date: Wed, 03 Mar 2004 08:15:11 -0500]=>(MIME part) Update

C:\WINDOWS\Application Data\Identities\{CDEE4B40-5890-11D7-B2C6-AA300FDD523B}\Microsoft\Outlook Express\A- Archive - Inbox.dbx=>(message 10588) Update

C:\WINDOWS\Application Data\Identities\{CDEE4B40-5890-11D7-B2C6-AA300FDD523B}\Microsoft\Outlook Express\A- Archive - Inbox.dbx Update failed

C:\WINDOWS\Application Data\Identities\{CDEE4B40-5890-11D7-B2C6-AA300FDD523B}\Microsoft\Outlook Express\A- Archive - Inbox.dbx=>(message 11732)=>[subject: Delivery Status Notification (Failure)][Date: Wed, 3 Mar 2004 08:18:43 -0500]=>(MIME part)=>(message)=>[subject: Important notify about your e-mail acc][Date: Wed, 03 Mar 2004 08:15:14 -0500]=>(MIME part)=>Document.zip=>pucvwsoge.exe Infected [email protected]

C:\WINDOWS\Application Data\Identities\{CDEE4B40-5890-11D7-B2C6-AA300FDD523B}\Microsoft\Outlook Express\A- Archive - Inbox.dbx=>(message 11732)=>[subject: Delivery Status Notification (Failure)][Date: Wed, 3 Mar 2004 08:18:43 -0500]=>(MIME part)=>(message)=>[subject: Important notify about your e-mail acc][Date: Wed, 03 Mar 2004 08:15:14 -0500]=>(MIME part)=>Document.zip=>pucvwsoge.exe Deleted

C:\WINDOWS\Application Data\Identities\{CDEE4B40-5890-11D7-B2C6-AA300FDD523B}\Microsoft\Outlook Express\A- Archive - Inbox.dbx=>(message 11732)=>[subject: Delivery Status Notification (Failure)][Date: Wed, 3 Mar 2004 08:18:43 -0500]=>(MIME part)=>(message)=>[subject: Important notify about your e-mail acc][Date: Wed, 03 Mar 2004 08:15:14 -0500]=>(MIME part)=>Document.zip Update

C:\WINDOWS\Application Data\Identities\{CDEE4B40-5890-11D7-B2C6-AA300FDD523B}\Microsoft\Outlook Express\A- Archive - Inbox.dbx=>(message 11732)=>[subject: Delivery Status Notification (Failure)][Date: Wed, 3 Mar 2004 08:18:43 -0500]=>(MIME part)=>(message)=>[subject: Important notify about your e-mail acc][Date: Wed, 03 Mar 2004 08:15:14 -0500]=>(MIME part) Update

C:\WINDOWS\Application Data\Identities\{CDEE4B40-5890-11D7-B2C6-AA300FDD523B}\Microsoft\Outlook Express\A- Archive - Inbox.dbx=>(message 11732)=>[subject: Delivery Status Notification (Failure)][Date: Wed, 3 Mar 2004 08:18:43 -0500]=>(MIME part)=>(message) Update

C:\WINDOWS\Application Data\Identities\{CDEE4B40-5890-11D7-B2C6-AA300FDD523B}\Microsoft\Outlook Express\A- Archive - Inbox.dbx=>(message 11732)=>[subject: Delivery Status Notification (Failure)][Date: Wed, 3 Mar 2004 08:18:43 -0500]=>(MIME part) Update

C:\WINDOWS\Application Data\Identities\{CDEE4B40-5890-11D7-B2C6-AA300FDD523B}\Microsoft\Outlook Express\A- Archive - Inbox.dbx=>(message 11732) Update

C:\WINDOWS\Application Data\Identities\{CDEE4B40-5890-11D7-B2C6-AA300FDD523B}\Microsoft\Outlook Express\A- Archive - Inbox.dbx Update failed

C:\WINDOWS\Application Data\Identities\{CDEE4B40-5890-11D7-B2C6-AA300FDD523B}\Microsoft\Outlook Express\A- Archive - Inbox.dbx=>(message 11733)=>[subject: Important notify about your e-mail acc][Date: Wed, 03 Mar 2004 08:15:11 -0500]=>(MIME part)=>MoreInfo.zip=>pucvwsoge.exe Infected [email protected]

C:\WINDOWS\Application Data\Identities\{CDEE4B40-5890-11D7-B2C6-AA300FDD523B}\Microsoft\Outlook Express\A- Archive - Inbox.dbx=>(message 11733)=>[subject: Important notify about your e-mail acc][Date: Wed, 03 Mar 2004 08:15:11 -0500]=>(MIME part)=>MoreInfo.zip=>pucvwsoge.exe Deleted

C:\WINDOWS\Application Data\Identities\{CDEE4B40-5890-11D7-B2C6-AA300FDD523B}\Microsoft\Outlook Express\A- Archive - Inbox.dbx=>(message 11733)=>[subject: Important notify about your e-mail acc][Date: Wed, 03 Mar 2004 08:15:11 -0500]=>(MIME part)=>MoreInfo.zip Update

C:\WINDOWS\Application Data\Identities\{CDEE4B40-5890-11D7-B2C6-AA300FDD523B}\Microsoft\Outlook Express\A- Archive - Inbox.dbx=>(message 11733)=>[subject: Important notify about your e-mail acc][Date: Wed, 03 Mar 2004 08:15:11 -0500]=>(MIME part) Update

C:\WINDOWS\Application Data\Identities\{CDEE4B40-5890-11D7-B2C6-AA300FDD523B}\Microsoft\Outlook Express\A- Archive - Inbox.dbx=>(message 11733) Update

C:\WINDOWS\Application Data\Identities\{CDEE4B40-5890-11D7-B2C6-AA300FDD523B}\Microsoft\Outlook Express\A- Archive - Inbox.dbx Update failed

C:\WINDOWS\Application Data\Identities\{66308FCE-0639-4DA7-AED3-9700A8CD8D92}\Microsoft\Outlook Express\Inbox.dbx=>(message 732)=>[subject: Delivery Status Notification (Failure)][Date: Wed, 3 Mar 2004 08:18:43 -0500]=>(MIME part)=>(message)=>[subject: Important notify about your e-mail acc][Date: Wed, 03 Mar 2004 08:15:14 -0500]=>(MIME part)=>Document.zip=>pucvwsoge.exe Infected [email protected]

C:\WINDOWS\Application Data\Identities\{66308FCE-0639-4DA7-AED3-9700A8CD8D92}\Microsoft\Outlook Express\Inbox.dbx=>(message 732)=>[subject: Delivery Status Notification (Failure)][Date: Wed, 3 Mar 2004 08:18:43 -0500]=>(MIME part)=>(message)=>[subject: Important notify about your e-mail acc][Date: Wed, 03 Mar 2004 08:15:14 -0500]=>(MIME part)=>Document.zip=>pucvwsoge.exe Deleted

C:\WINDOWS\Application Data\Identities\{66308FCE-0639-4DA7-AED3-9700A8CD8D92}\Microsoft\Outlook Express\Inbox.dbx=>(message 732)=>[subject: Delivery Status Notification (Failure)][Date: Wed, 3 Mar 2004 08:18:43 -0500]=>(MIME part)=>(message)=>[subject: Important notify about your e-mail acc][Date: Wed, 03 Mar 2004 08:15:14 -0500]=>(MIME part)=>Document.zip Update

C:\WINDOWS\Application Data\Identities\{66308FCE-0639-4DA7-AED3-9700A8CD8D92}\Microsoft\Outlook Express\Inbox.dbx=>(message 732)=>[subject: Delivery Status Notification (Failure)][Date: Wed, 3 Mar 2004 08:18:43 -0500]=>(MIME part)=>(message)=>[subject: Important notify about your e-mail acc][Date: Wed, 03 Mar 2004 08:15:14 -0500]=>(MIME part) Update

C:\WINDOWS\Application Data\Identities\{66308FCE-0639-4DA7-AED3-9700A8CD8D92}\Microsoft\Outlook Express\Inbox.dbx=>(message 732)=>[subject: Delivery Status Notification (Failure)][Date: Wed, 3 Mar 2004 08:18:43 -0500]=>(MIME part)=>(message) Update

C:\WINDOWS\Application Data\Identities\{66308FCE-0639-4DA7-AED3-9700A8CD8D92}\Microsoft\Outlook Express\Inbox.dbx=>(message 732)=>[subject: Delivery Status Notification (Failure)][Date: Wed, 3 Mar 2004 08:18:43 -0500]=>(MIME part) Update

C:\WINDOWS\Application Data\Identities\{66308FCE-0639-4DA7-AED3-9700A8CD8D92}\Microsoft\Outlook Express\Inbox.dbx=>(message 732) Update

C:\WINDOWS\Application Data\Identities\{66308FCE-0639-4DA7-AED3-9700A8CD8D92}\Microsoft\Outlook Express\Inbox.dbx Update failed

C:\WINDOWS\Application Data\Identities\{66308FCE-0639-4DA7-AED3-9700A8CD8D92}\Microsoft\Outlook Express\Inbox.dbx=>(message 733)=>[subject: Important notify about your e-mail acc][Date: Wed, 03 Mar 2004 08:15:11 -0500]=>(MIME part)=>MoreInfo.zip=>pucvwsoge.exe Infected [email protected]

C:\WINDOWS\Application Data\Identities\{66308FCE-0639-4DA7-AED3-9700A8CD8D92}\Microsoft\Outlook Express\Inbox.dbx=>(message 733)=>[subject: Important notify about your e-mail acc][Date: Wed, 03 Mar 2004 08:15:11 -0500]=>(MIME part)=>MoreInfo.zip=>pucvwsoge.exe Deleted

C:\WINDOWS\Application Data\Identities\{66308FCE-0639-4DA7-AED3-9700A8CD8D92}\Microsoft\Outlook Express\Inbox.dbx=>(message 733)=>[subject: Important notify about your e-mail acc][Date: Wed, 03 Mar 2004 08:15:11 -0500]=>(MIME part)=>MoreInfo.zip Update

C:\WINDOWS\Application Data\Identities\{66308FCE-0639-4DA7-AED3-9700A8CD8D92}\Microsoft\Outlook Express\Inbox.dbx=>(message 733)=>[subject: Important notify about your e-mail acc][Date: Wed, 03 Mar 2004 08:15:11 -0500]=>(MIME part) Update

C:\WINDOWS\Application Data\Identities\{66308FCE-0639-4DA7-AED3-9700A8CD8D92}\Microsoft\Outlook Express\Inbox.dbx=>(message 733) Update

C:\WINDOWS\Application Data\Identities\{66308FCE-0639-4DA7-AED3-9700A8CD8D92}\Microsoft\Outlook Express\Inbox.dbx Update failed

C:\WINDOWS\Start Menu\Programs\StartUp\sfutg.exe Infected Trojan.Downloader.Qoologic.BC

C:\WINDOWS\Start Menu\Programs\StartUp\sfutg.exe Disinfection failed

C:\WINDOWS\Start Menu\Programs\StartUp\sfutg.exe Moved

C:\WINDOWS\Local Settings\Application Data\Microsoft\Outlook\archive.pst=>[subject: Information][From: Patrick Kariuki]=>(body)=>(Compressed Rtf)=>(Rtf2Html) Infected [email protected]

C:\WINDOWS\Local Settings\Application Data\Microsoft\Outlook\archive.pst=>[subject: Information][From: Patrick Kariuki]=>(body)=>(Compressed Rtf)=>(Rtf2Html) Deleted

C:\WINDOWS\Local Settings\Application Data\Microsoft\Outlook\archive.pst=>[subject: Information][From: Patrick Kariuki]=>(body)=>(Compressed Rtf) Update failed

C:\WINDOWS\Local Settings\Application Data\Microsoft\Outlook\archive.pst=>[subject: Request][From: The Josephites Society, Iperu-Remo, Nigeria]=>(body)=>(Compressed Rtf)=>(Rtf2Html) Infected [email protected]

C:\WINDOWS\Local Settings\Application Data\Microsoft\Outlook\archive.pst=>[subject: Request][From: The Josephites Society, Iperu-Remo, Nigeria]=>(body)=>(Compressed Rtf)=>(Rtf2Html) Deleted

C:\WINDOWS\Local Settings\Application Data\Microsoft\Outlook\archive.pst=>[subject: Request][From: The Josephites Society, Iperu-Remo, Nigeria]=>(body)=>(Compressed Rtf) Update failed

C:\WINDOWS\Local Settings\Application Data\Microsoft\Outlook\archive.pst=>[subject: Fw: status of agreement][From: USO Kuwait]=>(body)=>(Compressed Rtf)=>(JAVASCRIPT 1) Infected [email protected]

C:\WINDOWS\Local Settings\Application Data\Microsoft\Outlook\archive.pst=>[subject: Fw: status of agreement][From: USO Kuwait]=>(body)=>(Compressed Rtf)=>(JAVASCRIPT 1) Deleted

C:\WINDOWS\Local Settings\Application Data\Microsoft\Outlook\archive.pst=>[subject: Fw: status of agreement][From: USO Kuwait]=>(body)=>(Compressed Rtf) Update

C:\WINDOWS\Local Settings\Application Data\Microsoft\Outlook\archive.pst=>[subject: Fw: status of agreement][From: USO Kuwait]=>(body) Update failed

C:\WINDOWS\qhyxy.exe Infected Trojan.Downloader.Qoologic.BC

C:\WINDOWS\qhyxy.exe Disinfection failed

C:\WINDOWS\qhyxy.exe Moved

C:\WINDOWS\awisam.exe Infected Trojan.Downloader.Qoologic.BC

C:\WINDOWS\awisam.exe Disinfection failed

C:\WINDOWS\awisam.exe Moved

C:\WINDOWS\guwwl.dat Infected Trojan.Downloader.Qoologic.BC

C:\WINDOWS\guwwl.dat Disinfection failed

C:\WINDOWS\guwwl.dat Moved

C:\WINDOWS\unwn.exe Infected Trojan.Downloader.Qoologic.BC

C:\WINDOWS\unwn.exe Disinfection failed

C:\WINDOWS\unwn.exe Moved

C:\WINDOWS\geitqux.dll Infected Trojan.Downloader.Qoologic.BJ

C:\WINDOWS\geitqux.dll Deleted

C:\My Documents\IomegaVaioBackup\America Online 4.0b\download\Hijacking\HijackThis Log Files\backups\backup-20060615-183241-344-sfutg.exe Infected Trojan.Downloader.Qoologic.BC

C:\My Documents\IomegaVaioBackup\America Online 4.0b\download\Hijacking\HijackThis Log Files\backups\backup-20060615-183241-344-sfutg.exe Disinfection failed

C:\My Documents\IomegaVaioBackup\America Online 4.0b\download\Hijacking\HijackThis Log Files\backups\backup-20060615-183241-344-sfutg.exe Moved

C:\My Documents\IomegaVaioBackup\America Online 4.0b\download\Hijacking\HijackThis Log Files\backups\backup-20060616-181426-388-sfutg.exe Infected Trojan.Downloader.Qoologic.BC

C:\My Documents\IomegaVaioBackup\America Online 4.0b\download\Hijacking\HijackThis Log Files\backups\backup-20060616-181426-388-sfutg.exe Disinfection failed

C:\My Documents\IomegaVaioBackup\America Online 4.0b\download\Hijacking\HijackThis Log Files\backups\backup-20060616-181426-388-sfutg.exe Moved

C:\My Documents\IomegaVaioBackup\America Online 4.0b\download\Hijacking\HijackThis Log Files\backups\backup-20060616-181921-424-sfutg.exe Infected Trojan.Downloader.Qoologic.BC

C:\My Documents\IomegaVaioBackup\America Online 4.0b\download\Hijacking\HijackThis Log Files\backups\backup-20060616-181921-424-sfutg.exe Disinfection failed

C:\My Documents\IomegaVaioBackup\America Online 4.0b\download\Hijacking\HijackThis Log Files\backups\backup-20060616-181921-424-sfutg.exe Moved

C:\Program Files\Outlook Express Backup Wizard\Backups\OEBackup03-24-2006.oeb=>{CDEE4B40-5890-11D7-B2C6-AA300FDD523B}/Inbox.dbx=>(message 2098)=>(base64) Infected [email protected]

C:\Program Files\Outlook Express Backup Wizard\Backups\OEBackup03-24-2006.oeb=>{CDEE4B40-5890-11D7-B2C6-AA300FDD523B}/Inbox.dbx=>(message 2098)=>(base64) Disinfection failed

C:\Program Files\Outlook Express Backup Wizard\Backups\OEBackup03-24-2006.oeb=>{CDEE4B40-5890-11D7-B2C6-AA300FDD523B}/Inbox.dbx=>(message 2098)=>(base64) Move failed

C:\command.exe Infected Trojan.Dropper.Delf.EV

C:\command.exe Disinfection failed

C:\command.exe Moved

C:\ZIGID003.exe Infected Trojan.Downloader.Agent.KK

C:\ZIGID003.exe Disinfection failed

C:\ZIGID003.exe Moved

C:\visfx500.exe Infected MemScan:Trojan.Dropper.Agent.AIE

C:\visfx500.exe Disinfection failed

C:\visfx500.exe Moved

C:\NNSCAA638.EXE Detected: Application.Adware.NewDotNet.B.Dropper

C:\NNSCAA638.EXE Deleted

C:\installerwnus.exe Infected Trojan.Downloader.Qoologic.BC

C:\installerwnus.exe Disinfection failed

C:\installerwnus.exe Moved

C:\526_620.exe Infected Dropped:Trojan.Clicker.VB.BX

C:\526_620.exe Disinfection failed

C:\526_620.exe Moved

 

 

---------------------------------------------------------------------

---------------------------------------------------------------------

 

Hijack This Log:

 

 

Logfile of HijackThis v1.99.1

Scan saved at 11:33:12 PM, on 06/17/2006

Platform: Windows 98 SE (Win9x 4.10.2222A)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\SYSTEM\KERNEL32.DLL

C:\WINDOWS\SYSTEM\MSGSRV32.EXE

C:\WINDOWS\SYSTEM\SPOOL32.EXE

C:\WINDOWS\SYSTEM\MPREXE.EXE

C:\WINDOWS\SYSTEM\WINMODEM.101\wmexe.exe

C:\WINDOWS\SYSTEM\MSTASK.EXE

C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE

C:\WINDOWS\SYSTEM\MDM.EXE

C:\PROGRAM FILES\COMMON FILES\SOFTWIN\BITDEFENDER COMMUNICATOR\XCOMMSVR.EXE

C:\PROGRAM FILES\COMMON FILES\SOFTWIN\BITDEFENDER SCAN SERVER\BDSS.EXE

C:\WINDOWS\SYSTEM\RPCSS.EXE

C:\WINDOWS\SYSTEM\mmtask.tsk

C:\WINDOWS\EXPLORER.EXE

C:\WINDOWS\TASKMON.EXE

C:\WINDOWS\SYSTEM\SYSTRAY.EXE

C:\PROGRAM FILES\VERITAS SOFTWARE\UPDATE MANAGER\SGTRAY.EXE

C:\WINDOWS\SYSTEM\STIMON.EXE

C:\WINDOWS\TPPALDR.EXE

C:\WINDOWS\STARTER.EXE

C:\PROGRAM FILES\MICROSOFT HARDWARE\MOUSE\POINT32.EXE

C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE

C:\PROGRAM FILES\SOFTWIN\BITDEFENDER8\BDMCON.EXE

C:\PROGRAM FILES\SOFTWIN\BITDEFENDER8\BDNAGENT.EXE

C:\WINDOWS\AWISAM.EXE

C:\PROGRAM FILES\WINFAX\WFXCTL32.EXE

C:\WINDOWS\QHYXY.EXE

C:\WINDOWS\QHYXY.EXE

C:\WINDOWS\QHYXY.EXE

C:\WINDOWS\SYSTEM\WMIEXE.EXE

C:\WINDOWS\SYSTEM\TAPISRV.EXE

C:\PROGRAM FILES\WINFAX\WFXMOD32.EXE

C:\PROGRAM FILES\SOFTWIN\BITDEFENDER8\BDNEWS.EXE

C:\MY DOCUMENTS\IOMEGAVAIOBACKUP\AMERICA ONLINE 4.0B\DOWNLOAD\HIJACKING\HIJACKTHIS LOG FILES\HIJACKTHIS.EXE

 

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1.3\SDHELPER.DLL

O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll

O4 - HKLM\..\Run: [scanRegistry] c:\windows\scanregw.exe /autorun

O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe

O4 - HKLM\..\Run: [systemTray] SysTray.Exe

O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme

O4 - HKLM\..\Run: [storageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r

O4 - HKLM\..\Run: [stillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE

O4 - HKLM\..\Run: [TPP Auto Loader] C:\WINDOWS\TPPALDR.EXE

O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe

O4 - HKLM\..\Run: [POINTER] C:\Program Files\Microsoft Hardware\Mouse\point32.exe

O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [ccRegVfy] "c:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"

O4 - HKLM\..\Run: [symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMON.EXE /Consumer

O4 - HKLM\..\Run: [bDMCon] "C:\Program Files\Softwin\BitDefender8\bdmcon.exe"

O4 - HKLM\..\Run: [bDNewsAgent] "C:\Program Files\Softwin\BitDefender8\bdnagent.exe"

O4 - HKLM\..\Run: [aomkyk] C:\WINDOWS\awisam.exe reg_run

O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme

O4 - HKLM\..\RunServices: [winmodem] WINMODEM.101\wmexe.exe

O4 - HKLM\..\RunServices: [schedulingAgent] mstask.exe

O4 - HKLM\..\RunServices: [ccEvtMgr] "c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"

O4 - HKLM\..\RunServices: [scriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg

O4 - HKLM\..\RunServices: [Machine Debug Manager] C:\WINDOWS\SYSTEM\MDM.EXE

O4 - HKLM\..\RunServices: [bitDefender Communicator] "C:\Program Files\Common Files\Softwin\BitDefender Communicator\\xcommsvr.exe"

O4 - HKLM\..\RunServices: [bitDefender Scan Server] "C:\Program Files\Common Files\Softwin\BitDefender Scan Server\\bdss.exe"

O4 - HKLM\..\RunServices: [bitDefender Live! Init] "C:\Program Files\Softwin\BitDefender8\bdinit.exe"

O4 - HKCU\..\Run: [vltmb] C:\WINDOWS\awisam.exe reg_run

O4 - Startup: Status Monitor.lnk = C:\Program Files\XEROX_XD\ENGSS.EXE

O4 - Startup: Controller.LNK = C:\Program Files\WinFax\WFXCTL32.EXE

O4 - Startup: sfutg.exe

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O8 - Extra context menu item: Advanced Email Extractor - res://C:\PROGRAM%20FILES\ADVANCED%20EMAIL%20EXTRACTOR%20PRO\AEEPMSIE.DLL/page.html

O8 - Extra context menu item: Scan link with AEE - res://C:\PROGRAM%20FILES\ADVANCED%20EMAIL%20EXTRACTOR%20PRO\AEEPMSIE.DLL/link.html

O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsearch.html

O8 - Extra context menu item: &Translate English Word - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmwordtrans.html

O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmcache.html

O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsimilar.html

O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmbacklinks.html

O8 - Extra context menu item: Translate Page into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmtrans.html

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)

O9 - Extra button: Email Extractor - {AFA7DB99-3E4D-4396-94F8-B0B135BCB472} - res://C:\PROGRAM%20FILES\ADVANCED%20EMAIL%20EXTRACTOR%20PRO\AEEPMSIE.DLL/page.html (file missing) (HKCU)

O9 - Extra 'Tools' menuitem: Advanced Email Extractor - {AFA7DB99-3E4D-4396-94F8-B0B135BCB472} - res://C:\PROGRAM%20FILES\ADVANCED%20EMAIL%20EXTRACTOR%20PRO\AEEPMSIE.DLL/page.html (file missing) (HKCU)

O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll

O16 - DPF: {CAFEEFAC-0014-0001-0000-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1) -

O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.4.1) -

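As an added example (not code from the thread, from BitDefender or from HijackThis), here is a small Python reconciliation of the two logs posted above: it parses the BitDefender summary lines into a final disposition per detected object and checks which HijackThis O4 autorun entries still point at a file BitDefender flagged, which is why the Run entries for awisam.exe and sfutg.exe still need fixing after the scan. It assumes the line shapes seen in the posted logs, uses constructed abridged samples with a hypothetical placeholder detection name where the thread's copy is garbled, and treats an outer mailbox's "Update failed" as a warning that a deletion inside may not have been written back (an interpretation, not something the thread states).

```python
"""Reconcile a BitDefender 8 scan log with HijackThis O4 autorun entries.
Added example for this thread (not code from the thread, BitDefender or
HijackThis); line shapes inferred from the two logs posted above."""
import re
from collections import Counter

# Result tokens that end a BitDefender summary line (two-word ones first).
OUTCOMES = ("Disinfection failed", "Move failed", "Update failed",
            "Moved", "Deleted", "Update")
DETECT_RE = re.compile(r"^(?P<obj>.+?) (?:Infected|Detected:) (?P<name>\S+)$")
OUTCOME_RE = re.compile(r"^(?P<obj>.+?) (?P<act>%s)$"
                        % "|".join(re.escape(o) for o in OUTCOMES))
# "O4 - <location>: [<value name>] <command>"; Startup entries carry no [name].
O4_RE = re.compile(r"^O4 - (?P<loc>[^:]+): (?:\[(?P<name>[^\]]*)\] )?(?P<cmd>.+)$")


def parse_bitdefender(lines):
    """Detected objects -> {name, actions}; container ("Update") lines kept apart.
    An outer mailbox reporting "Update failed" may mean the deletion inside was
    not written back (interpretation, not stated in the thread)."""
    objects, containers = {}, {}
    for line in (l.strip() for l in lines):
        m = DETECT_RE.match(line)
        if m:
            objects.setdefault(m["obj"], {"name": m["name"], "actions": []})
            continue
        m = OUTCOME_RE.match(line)
        if m and m["obj"] in objects:
            objects[m["obj"]]["actions"].append(m["act"])
        elif m:
            containers[m["obj"]] = m["act"]
    return objects, containers


def disposition(obj, info, containers):
    """Final state of one detection: deleted, quarantined or unresolved."""
    acts = info["actions"]
    if "Deleted" in acts:
        outer = obj.split("=>", 1)[0]           # the .dbx/.pst/.oeb file
        if containers.get(outer) == "Update failed":
            return "deleted-but-container-update-failed"
        return "deleted"
    if "Moved" in acts:
        return "quarantined"
    return "unresolved"                         # only failures were logged


def basename(path):
    """Last component of a (possibly nested, 'a=>b') log object, lower-cased."""
    return path.split("=>")[-1].replace("/", "\\").rsplit("\\", 1)[-1].lower()


def autorun_target(cmd):
    """Executable an O4 command points at, without quotes or arguments."""
    if " = " in cmd:                            # "Foo.lnk = C:\path\prog.exe"
        cmd = cmd.split(" = ", 1)[1]
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    m = re.match(r"(?i)(.+?\.exe)", cmd)
    return m.group(1) if m else cmd.split()[0]


def correlate(bd_lines, hjt_lines):
    """Disposition counts plus autoruns whose target BitDefender flagged.
    A quarantined payload with a surviving Run entry is this thread's case:
    the launcher outlives the file and must be fixed separately."""
    objects, containers = parse_bitdefender(bd_lines)
    dispo = {o: disposition(o, i, containers) for o, i in objects.items()}
    flagged = {basename(o): (i["name"], dispo[o]) for o, i in objects.items()}
    hits = []
    for m in filter(None, (O4_RE.match(l.strip()) for l in hjt_lines)):
        target = basename(autorun_target(m["cmd"]))
        if target in flagged:
            hits.append((m["loc"], m["name"] or "", target) + flagged[target])
    return Counter(dispo.values()), hits


# Constructed samples, abridged from the two logs posted in this thread.
BD_SAMPLE = r"""
C:\WINDOWS\awisam.exe Infected Trojan.Downloader.Qoologic.BC
C:\WINDOWS\awisam.exe Disinfection failed
C:\WINDOWS\awisam.exe Moved
C:\WINDOWS\Start Menu\Programs\StartUp\sfutg.exe Infected Trojan.Downloader.Qoologic.BC
C:\WINDOWS\Start Menu\Programs\StartUp\sfutg.exe Disinfection failed
C:\WINDOWS\Start Menu\Programs\StartUp\sfutg.exe Moved
C:\NNSCAA638.EXE Detected: Application.Adware.NewDotNet.B.Dropper
C:\NNSCAA638.EXE Deleted
C:\OE\Inbox.dbx=>(message 552)=>(base64) Infected Worm.Placeholder.Hypothetical
C:\OE\Inbox.dbx=>(message 552)=>(base64) Disinfection failed
C:\OE\Inbox.dbx=>(message 552)=>(base64) Move failed
C:\OE\Inbox.dbx=>(message 10588)=>(MIME part)=>MoreInfo.zip=>pucvwsoge.exe Infected Worm.Placeholder.Hypothetical
C:\OE\Inbox.dbx=>(message 10588)=>(MIME part)=>MoreInfo.zip=>pucvwsoge.exe Deleted
C:\OE\Inbox.dbx=>(message 10588)=>(MIME part)=>MoreInfo.zip Update
C:\OE\Inbox.dbx Update failed
""".strip().splitlines()
HJT_SAMPLE = r"""
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [aomkyk] C:\WINDOWS\awisam.exe reg_run
O4 - HKCU\..\Run: [vltmb] C:\WINDOWS\awisam.exe reg_run
O4 - Startup: Controller.LNK = C:\Program Files\WinFax\WFXCTL32.EXE
O4 - Startup: sfutg.exe
""".strip().splitlines()
```

Calling `correlate(BD_SAMPLE, HJT_SAMPLE)` on the samples reports two quarantined files, one unresolved mail object, and three surviving autorun entries (aomkyk, vltmb and the Startup item) that still point at awisam.exe and sfutg.exe.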

The 29 files on the desktop are probably something BitDefender did. I'll need to take a look at them.

 

Please make a new folder on your desktop and name it BitDefenderFiles

Drag and drop each of those 29 files into the folder.

Put the folder into a zip file.

Upload the zip folder here

http://www.thespykiller.co.uk/forum/index.php?board=1.0

Just press new topic (Make the subject: For CalamityJane from at LS ),

fill in a short message & then press the browse button and then navigate to & select the file on your desktop named BitDefenderFiles.zip. Highlight it and press *open*. Then you will see the file name in the white box for attachments. Press the *post* button to upload the file and your message. I can get it from there.

 

(Do not post HJT logs there as they will not get dealt with)

 

You DO NOT need to be a member to upload, anybody can upload the files

 

You will not see the files that have been uploaded as they only show to the authorized users who can download them

..........................................................

Qoologic trojan is proving to be a problem, as I expected.

 

Please do this next:

Try the Kaspersky free online scanner.

http://www.kaspersky.com/virusscanner

 

Copy the report at the end and post the results back here.

It will not remove anything found, but I just want to see the log results.


So I must connect to the internet in normal mode to perform the online Kaspersky scan. Should I be taking any precautionary measures to protect my system from further virus duplication? Also, is it safe to run an online scan? Would they have access to any of my files?


I really just need a log to see what is left. You can download this free tool as an alternative (it uses the Kaspersky engine so should be close in results to KAV). It does not need any updates (already included).

 

MicroWorld AntiVirus Toolkit Utility (MWAV)

http://www.mwti.net/products/mwav/mwav.asp

(Please note that the FREE version will only scan your computer and NOT clean any infection that it finds.) <---which is OK for now, I just want to see the log. It will be rather long and probably too big to post here.

Upload a copy of the log here:

Go here to upload the log as an attachment

http://www.thespykiller.co.uk/forum/index.php?board=1.0

Just press new topic (Make the subject: For CalamityJane from cwwllc at LS ),

fill in a short message & then press the browse button and then navigate to & select the log file on your computer, press the *Post* button to upload the file. I can collect it from there.

 

You DO NOT need to be a member to upload, anybody can upload the files

 

You will not see the files that have been uploaded as they only show to the authorized users who can download them


I got the files. All are 0 bytes and I haven't a clue why BitDefender put them on your desktop, but they don't look like anything you need to keep, so I would just delete that folder.


MWAV is currently scanning, in normal mode (I forgot to use safe mode - I hope it won't make much of a difference). Thus far, it has found 21 critical objects, the majority of which are TrojanDownloader.Win32.Qoologic.bj, as follows:

 

TrojanDownloader.Win32.Qoologic.bj

Smitfraud Browser Hijacker

Precision Popup Spyware/Adware

 

I'll upload the log at the link you provided when it finishes.
