please help (RESOLVED)

  1. #1
    suhas (Newbie)

    I get pop-up ads intermittently from www.*.com/normal/yyy34.html.
    In the temp folder the address looks like this: yyy34.html.
    The * stands for a number of sites that come with the above address.
    I have used Spybot S&D, Lavasoft Ad-Aware, IE-SPYAD and also HijackThis, yet this problem does not get removed. After closing the browser I clean the Temporary Internet Files folder and also the history.


    My Hijackthis.log file is as follows:
    Logfile of HijackThis v1.99.1
    Scan saved at 1:51:50 PM, on 27/10/2005
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\MDM.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
    C:\WINDOWS\SYSTEM\MSDTCW.EXE
    C:\WINDOWS\SYSTEM\RPCSS.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\RUNDLL32.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS\SYSTEM\IGFXTRAY.EXE
    C:\WINDOWS\SYSTEM\HKCMD.EXE
    C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
    C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
    C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE
    C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
    C:\PROGRAM FILES\ADAPTEC\EASY CD CREATOR 4\CREATECD\CREATECD.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\PROGRAM FILES\MICROSOFT SQL SERVER\MSSQL\BINN\SQLSERVR.EXE
    C:\PROGRAM FILES\ABBYY FINEREADER 6.0\FINEREADER.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\WINDOWS\NOTEPAD.EXE
    C:\MY DOCUMENTS\HIJACKTHIS\HIJACKTHIS.EXE

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ptechindia.com/ptech.html
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN1\YT.DLL (file missing)
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [PrintServer] C:\Program Files\Forum\Forum - MicroERP\PrintServer.exe
    O4 - HKLM\..\Run: [FineReader6NewsReaderCE] C:\PROGRAM FILES\ABBYY FINEREADER 6.0\ABBYYNEWSREADER.EXE
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\SYSTEM\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\SYSTEM\hkcmd.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
    O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
    O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
    O4 - HKLM\..\Run: [SpySpotter System Defender] C:\PROGRAM FILES\SPYSPOTTER3\Defender.exe -startup
    O4 - HKLM\..\Run: [CreateCD] C:\PROGRA~1\ADAPTEC\EASYCD~1\CREATECD\CREATECD.EXE -r
    O4 - HKLM\..\RunServices: [Machine Debug Manager] C:\WINDOWS\SYSTEM\MDM.EXE
    O4 - HKLM\..\RunServices: [MSDTC] msdtcw -start
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
    O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRAM FILES\YAHOO!\MESSENGER\ypager.exe -quiet
    O4 - Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
    O4 - Startup: VSStat.lnk = C:\Program Files\Network Associates\VirusScan\VSStat.exe
    O4 - Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Startup: Microsoft Office.lnk = C:\WINDOWS\Application Data\Microsoft\Installer\{00000409-78E1-11D2-B60F-006097C998E7}\misc.exe
    O4 - Startup: IPMSG for Win32.lnk = C:\Program Files\IPMsg\ipmsg.exe
    O4 - Startup: SQL Server.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\scm.exe
    O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsearch.html
    O8 - Extra context menu item: &Translate English Word - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmwordtrans.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmcache.html
    O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsimilar.html
    O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmbacklinks.html
    O8 - Extra context menu item: Translate Page into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmtrans.html
    O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YPAGER.EXE (file missing)
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YPAGER.EXE (file missing)
    O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://www.maalaimalar.com/wfplayer/tdserver.cab
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yaho...st20040510.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 202.149.208.92,201.149.208.11

    Please help
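A log like the one above is read by eye, which is how the SpySpotter entry gets picked out in the next reply. As an added example (not part of this thread, and not HijackThis code), here is a small Python triage helper that applies the checks a helper typically makes on HijackThis-style lines: references marked "(file missing)", O4 Run-key entries that launch a bare filename or an executable from a drop-prone directory, O16 ActiveX downloads from hosts outside an allowlist, and O17 name servers outside an expected set. It also diffs two logs, since this thread compares three successive ones. The sample lines are constructed from the log above; the allowlist of DPF hosts, the expected resolvers and the list of drop-prone directories are assumptions a reviewer would tune for their own environment. With the expected set assumed here, the second resolver in the log is reported for review; whether it is legitimate is something only the machine's owner or ISP can confirm.

```python
import re
from urllib.parse import urlparse

# Added example, not HijackThis code. Constructed sample lines modelled on the
# log posted above (a few entries only, not the full log).
SAMPLE_LOG = [
    r"Logfile of HijackThis v1.99.1",
    r"C:\WINDOWS\EXPLORER.EXE",
    r"R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ptechindia.com/ptech.html",
    r"O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN1\YT.DLL (file missing)",
    r"O4 - HKLM\..\Run: [SystemTray] SysTray.Exe",
    r"O4 - HKLM\..\Run: [SpySpotter System Defender] C:\PROGRAM FILES\SPYSPOTTER3\Defender.exe -startup",
    r'O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot',
    r"O4 - Startup: SQL Server.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\scm.exe",
    r"O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://www.maalaimalar.com/wfplayer/tdserver.cab",
    r"O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204",
    r"O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 202.149.208.92,201.149.208.11",
]

# Assumed policy (hypothetical, tune per environment): hosts an ActiveX control may
# be fetched from, the resolvers this machine should be using, and directories
# malware commonly drops into (the BitDefender results later in this thread hit
# \TEMP\ and \FONTS\).
TRUSTED_DPF_HOSTS = ("microsoft.com", "windowsupdate.com")
EXPECTED_DNS = {"202.149.208.92", "202.149.208.11"}
SUSPECT_DIRS = ("\\TEMP\\", "\\FONTS\\", "\\TEMPORARY INTERNET FILES\\")

ENTRY_RE = re.compile(r"^(?P<sec>[RFNO]\d+)\s+-\s+(?P<body>.*)$")
RUNKEY_RE = re.compile(r"^(?P<hive>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")


def _executable(cmd: str) -> str:
    """Executable part of a Run-key command line, handling quoted paths."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0] if cmd else ""


def _trusted_host(host: str, trusted) -> bool:
    return any(host == t or host.endswith("." + t) for t in trusted)


def triage(lines, expected_dns=EXPECTED_DNS, trusted_dpf_hosts=TRUSTED_DPF_HOSTS):
    """Return (level, section, message) findings: 'review' needs a human, 'info' is housekeeping."""
    findings = []
    for raw in lines:
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue  # header, process list or blank line
        sec, body = m.group("sec"), m.group("body")
        if "(file missing)" in body:
            findings.append(("info", sec, "dead reference, safe to fix: " + body))
        if sec == "O4":
            rk = RUNKEY_RE.match(body)
            if rk:
                exe = _executable(rk.group("cmd"))
                if "\\" not in exe:
                    findings.append(("info", sec, f"bare executable resolved via PATH: {exe}"))
                elif any(d in exe.upper() for d in SUSPECT_DIRS):
                    findings.append(("review", sec, f"autorun from a drop-prone directory: {exe}"))
        elif sec == "O16":
            url = body.rsplit(" - ", 1)[-1]
            host = (urlparse(url).hostname or "").lower()
            if not _trusted_host(host, trusted_dpf_hosts):
                findings.append(("review", sec, f"ActiveX control fetched from non-allowlisted host: {host}"))
        elif sec == "O17":
            ns = re.search(r"NameServer\s*=\s*(.+)$", body)
            if ns:
                for ip in (p.strip() for p in ns.group(1).split(",")):
                    if ip not in expected_dns:
                        findings.append(("review", sec, f"name server not in the expected set: {ip}"))
    return findings


def diff_logs(old_lines, new_lines):
    """Entries that appear in only one of two logs (header and process list ignored)."""
    def entries(lines):
        return {ln.strip() for ln in lines if ENTRY_RE.match(ln.strip())}
    old, new = entries(old_lines), entries(new_lines)
    return sorted(new - old), sorted(old - new)


if __name__ == "__main__":
    for level, sec, msg in triage(SAMPLE_LOG):
        print(f"[{level:6}] {sec:4} {msg}")
```

Run on the full log, `triage` is a first pass only: it says nothing about entries such as the SpySpotter Run key, which are caught by knowing the product, not by a path heuristic. `diff_logs` is the useful part once a fix has been applied, since it shows exactly which entries disappeared or came back between two logs.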


  2. #2
    Neal (Dedicated Member)
    Welcome to DAL,

    Are you running McAfee, or did you have it at one time? I see an entry that says that.

    Show hidden files/folders (you can re-hide them again after you are clean):
    1. Open My Computer.
    2. Select the View menu and click Folder Options.
    3. Select the View tab.
    4. In the Hidden files section select Show all files.
    5. Click OK.


    Go into Add/Remove Programs and remove (IF FOUND):

    SpySpotter3: this is a bad program and needs to be removed


    Scan with HJT again and put a check next to these items, making sure all browser windows are closed, including this one, so print this or create a new text document on the desktop (right-click an open area, select New > Text Document) and save it as whatever you like. Now put a check next to these:

    O4 - HKLM\..\Run: [SpySpotter System Defender] C:\PROGRAM FILES\SPYSPOTTER3\Defender.exe -startup


    Again make sure all browser windows are closed and click FIX.


    Now reboot into Safe Mode by tapping your F8 key upon restart; when the Safe Mode screen appears, select Safe Mode and press Enter.

    Now go into PROGRAM FILES and delete this folder:


    C:\PROGRAM FILES\SPYSPOTTER3 < folder

    Then run some scans and let's see what shows up.


    Internet Explorer required
    Run these two online virus scanners (Panda Activescan) following these instructions below:
    http://www.pandasoftware.com/product..._principal.htm


    Internet Explorer required
    Also this excellent (BitDefender) scanner: http://www.bitdefender.com/scan8/ie.html


    These scans will take more than an hour to complete, so make sure you have time to let them run through. Save the Panda scan log and the BitDefender log and post them back here please with a new HijackThis log.

    Thanks.

  3. #3
    suhas (Newbie)
    Thanks for the reply. I have deleted SpySpotter3 Defender #.exe from the system and also its folder, and also scanned with S&D, AVG 7.0, BitDefender and Lavasoft; yet the spyware could not be removed. It now comes in a new version, i.e. www.*.com/normal/yyy102.html and www.*.com/normal/XBRCINST.html. I am sending the log file of BitDefender and also HijackThis.
    Please help me out,

    Logfile of HijackThis v1.99.1
    Scan saved at 10:39:57 AM, on 28/10/2005
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\MDM.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
    C:\WINDOWS\SYSTEM\MSDTCW.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\SYSTEM\RPCSS.EXE
    C:\WINDOWS\RUNDLL32.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS\SYSTEM\IGFXTRAY.EXE
    C:\WINDOWS\SYSTEM\HKCMD.EXE
    C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
    C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
    C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE
    C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
    C:\PROGRAM FILES\ADAPTEC\EASY CD CREATOR 4\CREATECD\CREATECD.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\PROGRAM FILES\MICROSOFT SQL SERVER\MSSQL\BINN\SQLSERVR.EXE
    C:\WINDOWS\SYSTEM\PSTORES.EXE
    C:\PROGRAM FILES\ABBYY FINEREADER 6.0\FINEREADER.EXE
    C:\MY DOCUMENTS\HIJACKTHIS\HIJACKTHIS.EXE

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ptechindia.com/ptech.html
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN1\YT.DLL (file missing)
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [PrintServer] C:\Program Files\Forum\Forum - MicroERP\PrintServer.exe
    O4 - HKLM\..\Run: [FineReader6NewsReaderCE] C:\PROGRAM FILES\ABBYY FINEREADER 6.0\ABBYYNEWSREADER.EXE
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\SYSTEM\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\SYSTEM\hkcmd.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
    O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
    O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
    O4 - HKLM\..\Run: [CreateCD] C:\PROGRA~1\ADAPTEC\EASYCD~1\CREATECD\CREATECD.EXE -r
    O4 - HKLM\..\RunServices: [Machine Debug Manager] C:\WINDOWS\SYSTEM\MDM.EXE
    O4 - HKLM\..\RunServices: [MSDTC] msdtcw -start
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
    O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRAM FILES\YAHOO!\MESSENGER\ypager.exe -quiet
    O4 - Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
    O4 - Startup: VSStat.lnk = C:\Program Files\Network Associates\VirusScan\VSStat.exe
    O4 - Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Startup: Microsoft Office.lnk = C:\WINDOWS\Application Data\Microsoft\Installer\{00000409-78E1-11D2-B60F-006097C998E7}\misc.exe
    O4 - Startup: IPMSG for Win32.lnk = C:\Program Files\IPMsg\ipmsg.exe
    O4 - Startup: SQL Server.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\scm.exe
    O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsearch.html
    O8 - Extra context menu item: &Translate English Word - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmwordtrans.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmcache.html
    O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsimilar.html
    O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmbacklinks.html
    O8 - Extra context menu item: Translate Page into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmtrans.html
    O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YPAGER.EXE (file missing)
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YPAGER.EXE (file missing)
    O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://www.maalaimalar.com/wfplayer/tdserver.cab
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yaho...st20040510.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 202.149.208.92,201.149.208.11

    My BitDefender log is like this:
    BitDefender Online Scanner

    Scan report generated at: Sat, Oct 29, 2005 - 11:57:32

    Scan path: A:\;C:\;D:\;

    Statistics

    Time
    02:03:09

    Files
    244290

    Folders
    5077

    Boot Sectors
    1

    Archives
    2945

    Packed Files
    44814

    Results

    Identified Viruses
    1

    Infected Files
    3

    Suspect Files
    1

    Warnings
    0

    Disinfected
    0

    Deleted Files
    4

    Engines Info

    Virus Definitions
    231358

    Engine build
    AVCORE v1.0 (build 2292) (i386) (Mar 3 2005 11:57:29)

    Scan plugins
    13

    Archive plugins
    38

    Unpack plugins
    4

    E-mail plugins
    6

    System plugins
    1

    Scan Settings

    First Action
    Disinfect

    Second Action
    Delete

    Heuristics
    Yes

    Enable Warnings
    Yes

    Scanned Extensions
    exe;com;dll;ocx;scr;bin;dat;386;vxd;sys;wdm;cla;class;ovl;ole;hlp;doc;dot;xls;ppt;wbk;wiz;pot;ppa;xla;xlt;vbs;vbe;mdb;rtf;htm;hta;html;xml;xtp;php;asp;js;shs;chm;lnk;pif;prc;url;smm;pfd;msi;ini;csc;cmd;bas;

    Exclude Extensions


    Scan Emails
    Yes

    Scan Archives
    Yes

    Scan Packed
    Yes

    Scan Files
    Yes

    Scan Boot
    Yes

    Scanned File
    Status

    c:\=>Master Boot Record 80
    Suspected of: Trojan.OpaKill.C

    c:\=>Master Boot Record 80
    Disinfection failed

    c:\=>Master Boot Record 80
    Deleted

    C:\WINDOWS\FONTS\lol.exe
    Infected with: Trojan.Downloader.Small.ARI

    C:\WINDOWS\FONTS\lol.exe
    Disinfection failed

    C:\WINDOWS\FONTS\lol.exe
    Deleted

    C:\WINDOWS\TEMP\svchst.exe
    Infected with: Trojan.Downloader.Small.ARI

    C:\WINDOWS\TEMP\svchst.exe
    Disinfection failed

    C:\WINDOWS\TEMP\svchst.exe
    Deleted

    C:\WINDOWS\4l3g0yn1.exe
    Infected with: Trojan.Downloader.Small.ARI

    C:\WINDOWS\4l3g0yn1.exe
    Disinfection failed

    C:\WINDOWS\4l3g0yn1.exe
    Deleted

  4. #4
    Neal (Dedicated Member)
    Welcome back,

    Please do the Panda scan; I really need to see that log Panda makes, OK.

    Open Hijackthis.

    Click the "Open the Misc Tools" section Button.

    Click the "Open Uninstall Manager" Button.

    Click the "Save list..." Button.

    Save it to your desktop. Copy and paste the contents into your reply.


    Please download Webroot SpySweeper from here: SpySweeper

    Click the Free Trial link under "SpySweeper" to download the program.
    Install it.
    Once the program is installed, it will open.
    It will prompt you to update to the latest definitions, click Yes.
    Once the definitions are installed, click Sweep Now on the left side.
    Click the Start button.
    When it's done scanning, click the Next button.
    Make sure everything has a check next to it, then click the Next button.
    It will remove all of the items found.
    Click Session Log in the upper right corner, copy everything in that window.
    Click the Summary tab and click Finish.

    Paste the contents of the session log you copied into your next reply.

    Also post a new HijackThis log and let me know how your computer is running after scanning with Panda and SpySweeper. Thanks

  5. #5
    suhas (Newbie)
    Thank you very much for your prompt and well-advised reply. The pop-up ads have stopped after I installed SpySweeper and did the scan. After that, I did a Panda Software online ActiveScan; it first found a trojan and disinfected it, and in the second scan it found nothing and did not give any report.
    As per your advice I am sending the Spy Sweeper log file and HijackThis log file.

    1:14 PM: | Start of Session, Thursday, November 03, 2005 |
    1:14 PM: Spy Sweeper started
    1:14 PM: Sweep initiated using definitions version 564
    1:14 PM: Starting Memory Sweep
    1:16 PM: Found Adware: look2me
    1:16 PM: Detected running threat: C:\WINDOWS\SYSTEM\VQAR332.DLL (ID = 163642)
    1:16 PM: Detected running threat: C:\WINDOWS\SYSTEM\WNI.DLL (ID = 163642)
    1:20 PM: Memory Sweep Complete, Elapsed Time: 00:05:53
    1:20 PM: Starting Registry Sweep
    1:21 PM: Registry Sweep Complete, Elapsed Time:00:01:49
    1:21 PM: Starting Cookie Sweep
    1:22 PM: Cookie Sweep Complete, Elapsed Time: 00:00:02
    1:22 PM: Starting File Sweep
    1:22 PM: Warning: Failed to open file "c:\windows\win386.swp". The process cannot access the file because
    it is being used by another process
    1:23 PM: tbpi.dll (ID = 163642)
    1:24 PM: mgconf.dll (ID = 163642)
    1:24 PM: mqawt.dll (ID = 163642)
    1:24 PM: jbt.dll (ID = 163642)
    1:24 PM: phfmgr.dll (ID = 163642)
    1:24 PM: iwm32.dll (ID = 163642)
    1:24 PM: qpsname.dll (ID = 163642)
    1:24 PM: gahand.dll (ID = 163642)
    1:24 PM: ahv08w9x.dll (ID = 163642)
    1:24 PM: ixdkcs32.dll (ID = 163642)
    1:24 PM: cpusalgo.dll (ID = 163642)
    1:24 PM: murecr40.dll (ID = 163642)
    1:24 PM: cecfg32.dll (ID = 163642)
    1:24 PM: vqar332.dll (ID = 163642)
    1:24 PM: qvut.dll (ID = 163642)
    1:24 PM: vip6renu.dll (ID = 163642)
    1:24 PM: idircl.dll (ID = 163642)
    1:24 PM: eflate32.dll (ID = 163642)
    1:24 PM: sxcsdk80.dll (ID = 163642)
    1:24 PM: qasname.dll (ID = 163642)
    1:24 PM: xknroll.dll (ID = 163642)
    1:24 PM: mxdemui.dll (ID = 163642)
    1:24 PM: scnscfg.dll (ID = 163642)
    1:24 PM: iafxeud.dll (ID = 163642)
    1:24 PM: diiman32.dll (ID = 163642)
    1:24 PM: dykapi32.dll (ID = 163642)
    1:24 PM: ombccp32.dll (ID = 163642)
    1:24 PM: qgv.dll (ID = 163642)
    1:24 PM: dqstyle.dll (ID = 163642)
    1:24 PM: snbapi.dll (ID = 163642)
    1:24 PM: mkdart.dll (ID = 163642)
    1:24 PM: mpc30.dll (ID = 163642)
    1:24 PM: mwsystem.dll (ID = 163642)
    1:24 PM: dywsock.dll (ID = 163642)
    1:24 PM: gnhand.dll (ID = 163642)
    1:24 PM: mkvcrt2x.dll (ID = 163642)
    1:24 PM: uql.dll (ID = 163642)
    1:24 PM: ajkrnl32.dll (ID = 163642)
    1:24 PM: racns4.dll (ID = 163642)
    1:24 PM: mjawt.dll (ID = 163642)
    1:24 PM: jieg1x32.dll (ID = 163642)
    1:24 PM: myjint35.dll (ID = 163642)
    1:24 PM: wjlp32t.dll (ID = 163642)
    1:24 PM: wni.dll (ID = 163642)
    1:24 PM: soem0409.dll (ID = 163642)
    1:26 PM: Warning: Failed to open file "c:\windows\application data\webroot\spy sweeper\temp\sscs8b49ecb3-4c60-11da-b7b0-000b2b11cd90.tmp". The process cannot access the file because
    it is being used by another process
    1:26 PM: Warning: Failed to open file "c:\windows\application data\webroot\spy sweeper\temp\sscs8b49ecb4-4c60-11da-b7b0-000b2b11cd90.tmp". The process cannot access the file because
    it is being used by another process
    1:26 PM: Warning: Failed to open file "c:\windows\application data\webroot\spy sweeper\temp\sscs8b49ecb5-4c60-11da-b7b0-000b2b11cd90.tmp". The process cannot access the file because
    it is being used by another process
    1:26 PM: Warning: Failed to open file "c:\windows\application data\webroot\spy sweeper\temp\sscs8b49ecb6-4c60-11da-b7b0-000b2b11cd90.tmp". The process cannot access the file because
    it is being used by another process
    1:26 PM: Warning: Failed to open file "c:\windows\application data\webroot\spy sweeper\temp\sscs8b49ecb7-4c60-11da-b7b0-000b2b11cd90.tmp". The process cannot access the file because
    it is being used by another process
    1:26 PM: Warning: Failed to open file "c:\windows\application data\webroot\spy sweeper\temp\sscs8b49ecb8-4c60-11da-b7b0-000b2b11cd90.tmp". The process cannot access the file because
    it is being used by another process
    1:26 PM: Warning: Failed to open file "c:\windows\application data\webroot\spy sweeper\temp\sscs8b49ecb9-4c60-11da-b7b0-000b2b11cd90.tmp". The process cannot access the file because
    it is being used by another process
    1:26 PM: Warning: Failed to open file "c:\windows\application data\webroot\spy sweeper\temp\sscs8b49ecba-4c60-11da-b7b0-000b2b11cd90.tmp". The process cannot access the file because
    it is being used by another process
    1:26 PM: Warning: Failed to open file "c:\windows\application data\webroot\spy sweeper\temp\sscs8b49ecbb-4c60-11da-b7b0-000b2b11cd90.tmp". The process cannot access the file because
    it is being used by another process
    1:26 PM: Warning: Failed to open file "c:\windows\application data\webroot\spy sweeper\temp\sscs8b49ecbc-4c60-11da-b7b0-000b2b11cd90.tmp". The process cannot access the file because
    it is being used by another process
    1:26 PM: Warning: Failed to open file "c:\windows\application data\webroot\spy sweeper\temp\sscs8b49ecbd-4c60-11da-b7b0-000b2b11cd90.tmp". The process cannot access the file because
    it is being used by another process
    1:26 PM: Warning: Failed to open file "c:\windows\application data\webroot\spy sweeper\temp\sscs8b49ecbe-4c60-11da-b7b0-000b2b11cd90.tmp". The process cannot access the file because
    it is being used by another process
    1:26 PM: Warning: Failed to open file "c:\windows\application data\webroot\spy sweeper\temp\sscs8b49ecbf-4c60-11da-b7b0-000b2b11cd90.tmp". The process cannot access the file because
    it is being used by another process
    1:26 PM: Warning: Failed to open file "c:\windows\application data\webroot\spy sweeper\temp\sscs8b49ecc0-4c60-11da-b7b0-000b2b11cd90.tmp". The process cannot access the file because
    it is being used by another process
    1:26 PM: Warning: Failed to open file "c:\windows\application data\webroot\spy sweeper\temp\sscs8b49ecc1-4c60-11da-b7b0-000b2b11cd90.tmp". The process cannot access the file because
    it is being used by another process
    1:34 PM: Warning: Failed to open file "c:\program files\microsoft sql server\mssql\data\master.mdf". The process cannot access the file because
    it is being used by another process
    1:34 PM: Warning: Failed to open file "c:\program files\microsoft sql server\mssql\data\mastlog.ldf". The process cannot access the file because
    it is being used by another process
    1:34 PM: Warning: Failed to open file "c:\program files\microsoft sql server\mssql\data\model.mdf". The process cannot access the file because
    it is being used by another process
    1:34 PM: Warning: Failed to open file "c:\program files\microsoft sql server\mssql\data\modellog.ldf". The process cannot access the file because
    it is being used by another process
    1:34 PM: Warning: Failed to open file "c:\program files\microsoft sql server\mssql\data\tempdb.mdf". The process cannot access the file because
    it is being used by another process
    1:34 PM: Warning: Failed to open file "c:\program files\microsoft sql server\mssql\data\templog.ldf". The process cannot access the file because
    it is being used by another process
    2:00 PM: File Sweep Complete, Elapsed Time: 00:38:11
    2:00 PM: Full Sweep has completed. Elapsed time 00:46:07
    2:00 PM: Traces Found: 47
    2:00 PM: Removal process initiated
    2:01 PM: Quarantining All Traces: look2me
    2:02 PM: Warning: Launched explorer.exe
    2:02 PM: Warning: Quarantine process could not restart Explorer.
    2:03 PM: Preparing to restart your computer. Please wait...
    2:03 PM: Removal process completed. Elapsed time 00:02:33
    ********
    My HijackThis log file:

    Logfile of HijackThis v1.99.1
    Scan saved at 2:47:48 PM, on 04/11/2005
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\MDM.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
    C:\WINDOWS\SYSTEM\MSDTCW.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\SYSTEM\RPCSS.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS\SYSTEM\IGFXTRAY.EXE
    C:\WINDOWS\SYSTEM\HKCMD.EXE
    C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
    C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
    C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE
    C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
    C:\PROGRAM FILES\WEBROOT\SPY SWEEPER\SPYSWEEPER.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\PROGRAM FILES\ADAPTEC\EASY CD CREATOR 4\CREATECD\CREATECD.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\PROGRAM FILES\MICROSOFT SQL SERVER\MSSQL\BINN\SQLSERVR.EXE
    C:\PROGRAM FILES\WEBROOT\SPY SWEEPER\WRSSSDK.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\PROGRAM FILES\ABBYY FINEREADER 6.0\FINEREADER.EXE
    C:\MY DOCUMENTS\HIJACKTHIS\HIJACKTHIS.EXE

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ptechindia.com/ptech.html
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN1\YT.DLL (file missing)
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [PrintServer] C:\Program Files\Forum\Forum - MicroERP\PrintServer.exe
    O4 - HKLM\..\Run: [FineReader6NewsReaderCE] C:\PROGRAM FILES\ABBYY FINEREADER 6.0\ABBYYNEWSREADER.EXE
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\SYSTEM\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\SYSTEM\hkcmd.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
    O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
    O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
    O4 - HKLM\..\Run: [SpySweeper] "C:\PROGRAM FILES\WEBROOT\SPY SWEEPER\SPYSWEEPER.EXE" /startintray
    O4 - HKLM\..\Run: [CreateCD] C:\PROGRA~1\ADAPTEC\EASYCD~1\CREATECD\CREATECD.EXE -r
    O4 - HKLM\..\RunServices: [Machine Debug Manager] C:\WINDOWS\SYSTEM\MDM.EXE
    O4 - HKLM\..\RunServices: [MSDTC] msdtcw -start
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
    O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRAM FILES\YAHOO!\MESSENGER\ypager.exe -quiet
    O4 - Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
    O4 - Startup: VSStat.lnk = C:\Program Files\Network Associates\VirusScan\VSStat.exe
    O4 - Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Startup: Microsoft Office.lnk = C:\WINDOWS\Application Data\Microsoft\Installer\{00000409-78E1-11D2-B60F-006097C998E7}\misc.exe
    O4 - Startup: IPMSG for Win32.lnk = C:\Program Files\IPMsg\ipmsg.exe
    O4 - Startup: SQL Server.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\scm.exe
    O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsearch.html
    O8 - Extra context menu item: &Translate English Word - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmwordtrans.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmcache.html
    O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsimilar.html
    O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmbacklinks.html
    O8 - Extra context menu item: Translate Page into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmtrans.html
    O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://www.maalaimalar.com/wfplayer/tdserver.cab
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yaho...st20040510.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefender.com/scan8/oscan8.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
    O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 202.149.208.92,201.149.208.11

    I am also sending my uninstall list:
    ABBYY FineReader 6.0 Corporate Edition
    Adaptec Easy CD Creator 4
    Ad-Aware SE Personal
    Adobe Photoshop 5.5
    AVG Free Edition
    Exodus Jabber Client (remove only)
    Google Toolbar for Internet Explorer
    HijackThis 1.99.1
    Intel® 810 Chipset Graphic Driver End User Diagnostics Software
    Internet Explorer Q896688
    IP Messenger for Win
    ISM Office 3.04
    Macromedia Dreamweaver 3
    Macromedia Flash 4
    Microsoft Internet Explorer 6 SP1 and Internet Tools
    Microsoft Office 2000 Premium
    Microsoft Outlook Express 6
    Microsoft SQL Server Desktop Engine
    Microsoft Web Publishing Wizard 1.6
    MSDE
    Nero - Burning ROM
    Outlook Express Q837009
    RealPlayer
    Spy Sweeper
    Spybot - Search & Destroy 1.4
    Ulead GIF Animator 4.0 Full Version
    Windows 98 KB891711 Update
    Windows 98 KB896358 Update
    Windows 98 Q823559 Update
    Windows 98 Q888113 Update
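Two details in the Spy Sweeper session log above matter for the cleanup: every trace carries the same definition ID (163642) despite forty-odd different file names, that is, one family under randomised names, and two of those DLLs were "running threats" found in memory, which is why the quarantine step had to restart Explorer and then reboot. As an added example (not Webroot's code and not part of the thread), this Python helper summarises a session log in that format by definition ID, separates in-memory hits from file-sweep hits and counts warnings, so a helper can tell at a glance whether a reboot is still needed. The sample lines are a constructed excerpt of the log above, including one of the warnings that wraps onto a second line.

```python
import re
from collections import defaultdict

# Added example, not Webroot code. Constructed excerpt in Spy Sweeper session-log
# format, modelled on the log posted above (wrapped warning included on purpose).
SAMPLE_SESSION = [
    r"1:14 PM: Sweep initiated using definitions version 564",
    r"1:14 PM: Starting Memory Sweep",
    r"1:16 PM: Found Adware: look2me",
    r"1:16 PM: Detected running threat: C:\WINDOWS\SYSTEM\VQAR332.DLL (ID = 163642)",
    r"1:16 PM: Detected running threat: C:\WINDOWS\SYSTEM\WNI.DLL (ID = 163642)",
    r"1:20 PM: Memory Sweep Complete, Elapsed Time: 00:05:53",
    r"1:22 PM: Starting File Sweep",
    r'1:22 PM: Warning: Failed to open file "c:\windows\win386.swp". The process cannot access the file because',
    r"it is being used by another process",
    r"1:23 PM: tbpi.dll (ID = 163642)",
    r"1:24 PM: vqar332.dll (ID = 163642)",
    r"1:24 PM: wni.dll (ID = 163642)",
    r"1:24 PM: soem0409.dll (ID = 163642)",
    r"2:00 PM: File Sweep Complete, Elapsed Time: 00:38:11",
    r"2:00 PM: Traces Found: 47",
    r"2:01 PM: Quarantining All Traces: look2me",
    r"2:02 PM: Warning: Quarantine process could not restart Explorer.",
]

LINE_RE = re.compile(r"^(?P<time>\d{1,2}:\d{2} [AP]M): (?P<msg>.*)$")
HIT_RE = re.compile(r"^(?P<running>Detected running threat: )?(?P<path>.+?) \(ID = (?P<id>\d+)\)$")
FOUND_RE = re.compile(r"^Found (?P<kind>[\w ]+): (?P<family>.+)$")
TRACES_RE = re.compile(r"^Traces Found: (?P<n>\d+)$")


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def summarize(lines):
    """Group detections by definition ID; split in-memory hits from on-disk hits."""
    by_id = defaultdict(lambda: {"running": set(), "files": set()})
    summary = {"families": [], "by_id": by_id, "traces_found": None,
               "warnings": 0, "explorer_restart_failed": False}
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # continuation of a wrapped message, no timestamp
        msg = m.group("msg")
        if (f := FOUND_RE.match(msg)):
            summary["families"].append(f.group("family"))
        elif (h := HIT_RE.match(msg)):
            bucket = "running" if h.group("running") else "files"
            by_id[h.group("id")][bucket].add(_basename(h.group("path")))
        elif (t := TRACES_RE.match(msg)):
            summary["traces_found"] = int(t.group("n"))
        elif msg.startswith("Warning:"):
            summary["warnings"] += 1
            if "could not restart Explorer" in msg:
                summary["explorer_restart_failed"] = True
    summary["by_id"] = dict(by_id)
    return summary


def needs_reboot(summary) -> bool:
    """True when something was loaded in memory or Explorer could not be restarted."""
    return summary["explorer_restart_failed"] or any(
        info["running"] for info in summary["by_id"].values())


def report(summary) -> str:
    lines = [f"families: {', '.join(summary['families']) or 'none'}",
             f"traces reported by scanner: {summary['traces_found']}"]
    for def_id, info in summary["by_id"].items():
        both = info["running"] & info["files"]
        lines.append(f"ID {def_id}: {len(info['files'])} on disk, "
                     f"{len(info['running'])} in memory ({len(both)} of them also on disk)")
    lines.append(f"warnings: {summary['warnings']}, reboot needed: {needs_reboot(summary)}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(summarize(SAMPLE_SESSION)))
```

The in-memory set is the part to act on: a DLL that is loaded into Explorer cannot be deleted from disk while it is mapped, so a log in which `running` is non-empty and Explorer could not be restarted is one where the on-disk removal is only complete after the reboot that Spy Sweeper requested.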

  6. #6
    Neal (Dedicated Member)
    Hi,

    Your log is clean.

    How is your computer behaving?

    If all is well I will have some free programs for you to install if you so choose to help keep your computer happy and healthy.

    Let me know.

  7. #7
    suhas (Newbie)
    Hi,
    My computer is now behaving as it did before the virus attack invaded my computer, but I have a problem: my AVG antivirus is not updating, as it gives "update unsuccessful".

    I would be grateful if you could give me the free programs.

    thanks

  8. #8
    Neal (Dedicated Member)
    I had the same problem one time; I just kept trying and finally got it. I believe you can go directly to the website and get the latest updates. Or you can uninstall and re-install; that should do some good also.


    Thanks for stopping by. This problem has been solved and the thread will now be locked.


    If you are no longer having any more trouble, here are some preventative measures for you.

    Here are some preventive measures you can take to keep your computer from getting infected again. Also keep all of these, Ad-Aware SE and Spybot S&D updated.

    http://forums.thatcomputerguy.us/ind...showtopic=1190

    Flush your restore points in ME and XP, by turning System Restore off and then back on.
    This will create a fresh restore point.

    Explained here:
    Windows XP: service1.symantec.com/SUPPORT/tsgen...src=sec_doc_nam

    Microsoft ME:

    http://service1.symantec.com/SUPPORT...rc=sec_doc_nam


    RegProtect

    This small registry protection tool will save you hours of heartache by notifying you when some program, good or bad, is trying to access your registry.

    You have the option of allowing (good) items or blocking (bad) items.

    http://www.diamondcs.com.au/index.php?page=regprot


    To reduce the re-infection potential for malware and protect yourself against spyware, here are a few helpful suggestions:

    1. Keep Windows and Internet Explorer current with the latest critical security updates from Microsoft. This will patch many of the security holes through which attackers can gain access to your computer. You CANNOT complete this update using an alternate browser.
    http://v5.windowsupdate.microsoft.co....aspx?ln=en-us

    http://www.microsoft.com/windows/ie/default.asp


    2. Run your antivirus software regularly, and keep its definitions up to date. If you are thinking about switching, there are some good free antivirus programs that are decent, including AVG and Avast!.
    AVG: http://free.grisoft.com/doc/1

    Avast: http://www.avast.com/eng/avast_4_home.html


    3. In addition to using Ad-Aware, consider using another free malware scanning/removal program:
    MS Antispyware beta: http://www.microsoft.com/athome/secu...e/default.mspx


    4. Consider using a free firewall if you are not already using one. Some good free ones are:
    Sygate: http://smb.sygate.com/products/spf_standard.htm

    OutPost Personal Firewall:
    Outpost



    5. Consider using an alternate free browser for general web surfing, but you must use IE for Windows Update.
    Mozilla Firefox: www.mozilla.org/products/firefox/


    6. Consider increasing your browser security by using these programs:
    SpywareGuard will protect your homepage from being hijacked: http://www.javacoolsoftware.com/spywareguard.html
    SpywareBlaster will increase browser protection by blocking thousands of known malware sites by adding them to IE's Restricted sites zone. Download it here:

    http://www.javacoolsoftware.com/spywareblaster.html


    If you use SpywareBlaster, you can also use a custom block list to add even more entries into IE's Restricted sites zone. Go to this site for the current list and how-to-use instructions: http://customblockinglist.cjb.net/


    IE-SPYAD is similar in that it adds thousands more known malware sites to IE's restricted zone. Download it here:
    https://netfiles.uiuc.edu/ehowes/www/resource.htm


    *Remember, just like your primary anti-virus software, it is important to keep all of these programs up to date and use them on a regular basis. It's free.
    Last edited by Neal; 07-11-2005 at 09:28 PM.
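SpywareBlaster, the custom block list and IE-SPYAD all rely on the same mechanism: Internet Explorer stores per-domain zone assignments under the ZoneMap\Domains registry key, and a domain key holding a "*" value of 4 places that domain and its subdomains in the Restricted sites zone, whose default settings disable ActiveX and active scripting. As an added example (not the thread's, and not SpywareBlaster's or IE-SPYAD's code), here is a Python script that builds such a .reg file in the REGEDIT4 format Windows 98 accepts, with a normaliser that rejects anything that is not a plain hostname, and a reader that parses a .reg file back into a domain-to-zone map so you can review what a list would do before importing it. The domains in the sample list are constructed placeholders, not entries from any real block list.

```python
import re

# Added example, not SpywareBlaster or IE-SPYAD code. IE zone numbers:
# 0 My Computer, 1 Local intranet, 2 Trusted sites, 3 Internet, 4 Restricted sites.
RESTRICTED_ZONE = 4
ZONEMAP_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains"
LABEL_RE = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$")
KEY_LINE_RE = re.compile(r"^\[(?P<key>.+)\]$")
STAR_VALUE_RE = re.compile(r'^"\*"=dword:(?P<zone>[0-9a-f]{8})$', re.IGNORECASE)

# Constructed placeholder list (not from any real block list); deliberately messy input.
SAMPLE_DOMAINS = [
    "Example-Ads.com",
    "http://tracker.example.net/some/path",   # pasted as a URL
    ".example-ads.com",                       # duplicate after normalisation
    "*.wildcard.example",                     # wildcards are not valid here
    "bad domain.com",                         # not a hostname
]


def normalize_domain(raw: str):
    """Return a lower-case bare hostname, or None if the input is not one."""
    d = raw.strip().lower()
    d = re.sub(r"^[a-z][a-z0-9+.-]*://", "", d)   # drop a pasted scheme
    d = d.split("/")[0].split(":")[0].strip(".")  # drop path, port, stray dots
    if not d or any(not LABEL_RE.match(part) for part in d.split(".")):
        return None
    return d


def restricted_sites_reg(domains) -> str:
    """REGEDIT4 text placing each domain (and its subdomains) in IE's Restricted sites zone."""
    out = ["REGEDIT4", ""]
    seen = set()
    for raw in domains:
        d = normalize_domain(raw)
        if d is None or d in seen:
            continue
        seen.add(d)
        out.append(f"[{ZONEMAP_KEY}\\{d}]")
        out.append(f'"*"=dword:{RESTRICTED_ZONE:08x}')   # "*" = every protocol
        out.append("")
    return "\r\n".join(out)   # .reg files are CRLF text


def parse_zonemap_reg(text: str) -> dict:
    """Map domain -> zone number for every ZoneMap\\Domains key in a .reg file."""
    zones, current = {}, None
    prefix = ZONEMAP_KEY.lower() + "\\"
    for line in text.splitlines():
        line = line.strip()
        k = KEY_LINE_RE.match(line)
        if k:
            key = k.group("key")
            current = key[len(prefix):] if key.lower().startswith(prefix) else None
            continue
        v = STAR_VALUE_RE.match(line)
        if v and current:
            zones[current] = int(v.group("zone"), 16)
    return zones


if __name__ == "__main__":
    reg = restricted_sites_reg(SAMPLE_DOMAINS)
    print(reg)
    print(parse_zonemap_reg(reg))
```

Running `parse_zonemap_reg` over a third-party .reg file before importing it is the check worth keeping: it shows which domains the file touches and whether every one of them really lands in zone 4, rather than in Trusted sites (zone 2), which would have the opposite effect.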
