Will Someone Help Me?



I tinkered a little too much three days ago and created havoc on my computer. So I overwrote the image of the drive from a ghost file, not realizing it was a backup full of spyware and crap. I've run NoAdware, AdAware SE, & Spysweeper. I have spywareguard and spyware blaster running in the background. I ran all of the scans in safe mode, including my antivirus fully updated. My computer is still lagging and freezing. I am also having problems with shut down. When my aol tries to recognize my modems it freezes.

Thanks in advance,

Jennie :(

Logfile of HijackThis v1.99.1

Scan saved at 6:36:18 PM, on 3/29/05

Platform: Windows 98 SE (Win9x 4.10.2222A)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:

C:\WINDOWS\SYSTEM\KERNEL32.DLL

C:\WINDOWS\SYSTEM\MSGSRV32.EXE

C:\WINDOWS\SYSTEM\MPREXE.EXE

C:\WINDOWS\SYSTEM\mmtask.tsk

C:\WINDOWS\SYSTEM\MSTASK.EXE

D:\DISKEEPER\DKSERVICE.EXE

D:\KERIO PERSONAL FIREWALL\PERSONAL FIREWALL 4\KPF4SS.EXE

C:\WINDOWS\EXPLORER.EXE

C:\WINDOWS\SYSTEM\RPCSS.EXE

D:\KERIO PERSONAL FIREWALL\PERSONAL FIREWALL 4\KPF4GUI.EXE

C:\WINDOWS\TASKMON.EXE

C:\WINDOWS\SYSTEM\SYSTRAY.EXE

C:\WINDOWS\ptsnoop.exe

C:\PROGRAM FILES\LOGITECH\ITOUCH\ITOUCH.EXE

C:\PROGRAM FILES\LOGITECH\MOUSEWARE\SYSTEM\EM_EXEC.EXE

D:\LUKE FILEWALKER\AVGCTRL.EXE

D:\SPYWAREGUARD\SPYWAREGUARD\SGMAIN.EXE

C:\WINDOWS\SYSTEM\LEXBCES.EXE

C:\WINDOWS\SYSTEM\WMIEXE.EXE

C:\WINDOWS\SYSTEM\LEXPPS.EXE

D:\MICROSOFT OFFICE INSTALLED\OFFICE\1033\MSOFFICE.EXE

D:\SPYWAREGUARD\SPYWAREGUARD\SGBHP.EXE

C:\WINDOWS\SYSTEM\PSTORES.EXE

C:\WINDOWS\SYSTEM\DDHELP.EXE

D:\HIJACKTHIS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\WINDOWS\SYSTEM\OOBE\BLANK.HTM

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\WINDOWS\SYSTEM\OOBE\BLANK.HTM

F1 - win.ini: run=hpfsched

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - (no file)

O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - D:\SPYWAREGUARD\SPYWAREGUARD\DLPROTECT.DLL

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX

O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\PROGRAM FILES\AOL TOOLBAR\TOOLBAR.DLL

O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe

O4 - HKLM\..\Run: [systemTray] SysTray.Exe

O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme

O4 - HKLM\..\Run: [CountrySelection] pctptt.exe

O4 - HKLM\..\Run: [PTSNOOP] ptsnoop.exe

O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe

O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\LOGITECH\MOUSEW~1\SYSTEM\EM_EXEC.EXE

O4 - HKLM\..\Run: [AVGCtrl] D:\LUKE FILEWALKER\AVGCTRL.EXE /min

O4 - HKLM\..\Run: [LexStart] Lexstart.exe

O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme

O4 - HKLM\..\RunServices: [schedulingAgent] mstask.exe

O4 - HKLM\..\RunServices: [DkService] D:\Diskeeper\DkService.exe

O4 - HKLM\..\RunServices: [KPF4] D:\Kerio Personal Firewall\Personal Firewall 4\kpf4ss.exe

O4 - Startup: Microsoft Office.lnk = D:\Microsoft office installed\Office\OSA9.EXE

O4 - Startup: SpywareGuard.lnk = D:\SpywareGuard\SpywareGuard\sgmain.exe

O8 - Extra context menu item: &AOL Toolbar search - res://C:\PROGRAM FILES\AOL TOOLBAR\TOOLBAR.DLL/SEARCH.HTML

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll

O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\PROGRAM FILES\AOL TOOLBAR\TOOLBAR.DLL

O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\PROGRAM FILES\AOL TOOLBAR\TOOLBAR.DLL

O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - D:\AOL INSTANT MESSENGER\AIM.EXE

O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB

O16 - DPF: {01FE8D0A-51AD-459B-B62B-85E135128B32} (DD_v4.DDv4) - http://www.drivershq.com/cab/prod/DD_v4.CAB

O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = aoldsl.net


Hello jennie, :)

First of all, I wouldn't trust NoAdware myself. Please see http://www.spywarewarrior.com/rogue_anti-s...re.htm#naw_note

Run HijackThis, do a scan, and place a check next to the following items to be fixed:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\WINDOWS\SYSTEM\OOBE\BLANK.HTM

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\WINDOWS\SYSTEM\OOBE\BLANK.HTM

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - (no file)

These are optional, they are not malware but removing them may improve the performance of your computer. These entries are just startups, the actual files will remain where they are if you fix them:

O4 - HKLM\..\Run: [CountrySelection] pctptt.exe

Country selection for a PCtel HSP56 based modem. Often found in OEM (Dell, Compaq, HP etc.) systems for their modems included on the motherboard or as a separate card. Once you've set the modem up to the chosen country it's not required.

O4 - Startup: Microsoft Office.lnk = D:\Microsoft office installed\Office\OSA9.EXE

Application which launches common MS Office components to help speed up the launch of Office programs. It's somewhat of a resource hog and some users claim there's no difference with or without it but it usually isn't required - Note: if you make use of the Microsoft Office Shortcut Bar outside an office program this application will need to be enabled for it to show.

Close all browsers and windows except HijackThis and click "Fix checked".

Reboot your computer at this point.

Click here to download eScan's mwav application. Double-click it to run it, select all local drives, scan all files, press 'scan' and when it is completed, anything found will be displayed in the lower pane. Highlight it, CTRL C and paste it in your next reply.

Also, post a new HijackThis log in a reply to this topic.


I actually did read the article you gave me about NoAdware a while back. Unfortunately it was a program I wound up buying before I knew better. I still run it in the gauntlet of regular spyware scans.

Thanks again,

jennie :D

eScan's results

File System Found infected by "180Solutions Spyware/Adware" Virus. Action Taken: No Action Taken.

File System Found infected by "VX2 Spyware/Adware" Virus. Action Taken: No Action Taken.

File C:\WINDOWS\All Users\Application Data\AOL Downloads\setup90\comp01.000 tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.

File C:\WINDOWS\wt\wtupdates\webd\4.1.1\files\wtvh.dll infected by "not-a-virus:AdWare.WildTangent.b" Virus. Action Taken: No Action Taken.

File C:\WINDOWS\wt\wtvh.dll infected by "not-a-virus:AdWare.WildTangent.b" Virus. Action Taken: No Action Taken.

File C:\Program Files\Common Files\aolback\comp01.000 tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.

File C:\Program Files\Online Services\AT&T\ATTSETUP.EXE tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.

File C:\Program Files\Broderbund\The Print Shop\Unlock\SSD\SS4DlxDl.EXE tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.

File D:\Downloaded Programs\mirc.exe tagged as not-a-virus:RiskWare.mIRC.6.16. No Action Taken.

File D:\AOL\America Online 9.0\Jiti\Jiti_mm.exe tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.

New HijackThis log

Logfile of HijackThis v1.99.1

Scan saved at 7:35:58 PM, on 3/30/05

Platform: Windows 98 SE (Win9x 4.10.2222A)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:

C:\WINDOWS\SYSTEM\KERNEL32.DLL

C:\WINDOWS\SYSTEM\MSGSRV32.EXE

C:\WINDOWS\SYSTEM\MPREXE.EXE

C:\WINDOWS\SYSTEM\mmtask.tsk

C:\WINDOWS\SYSTEM\MSTASK.EXE

D:\DISKEEPER\DKSERVICE.EXE

D:\KERIO PERSONAL FIREWALL\PERSONAL FIREWALL 4\KPF4SS.EXE

C:\WINDOWS\EXPLORER.EXE

C:\WINDOWS\SYSTEM\RPCSS.EXE

D:\KERIO PERSONAL FIREWALL\PERSONAL FIREWALL 4\KPF4GUI.EXE

C:\WINDOWS\TASKMON.EXE

C:\WINDOWS\SYSTEM\SYSTRAY.EXE

C:\WINDOWS\ptsnoop.exe

C:\PROGRAM FILES\LOGITECH\ITOUCH\ITOUCH.EXE

C:\PROGRAM FILES\LOGITECH\MOUSEWARE\SYSTEM\EM_EXEC.EXE

D:\LUKE FILEWALKER\AVGCTRL.EXE

C:\WINDOWS\RUNDLL32.EXE

D:\SPYWAREGUARD\SPYWAREGUARD\SGMAIN.EXE

C:\WINDOWS\SYSTEM\LEXBCES.EXE

C:\WINDOWS\SYSTEM\LEXPPS.EXE

C:\WINDOWS\SYSTEM\WMIEXE.EXE

D:\MICROSOFT OFFICE INSTALLED\OFFICE\1033\MSOFFICE.EXE

D:\SPYWAREGUARD\SPYWAREGUARD\SGBHP.EXE

C:\WINDOWS\SYSTEM\DDHELP.EXE

C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE

D:\HIJACKTHIS\HIJACKTHIS.EXE

F1 - win.ini: run=C:\WINDOWS\hpfsched.exe

O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - D:\SPYWAREGUARD\SPYWAREGUARD\DLPROTECT.DLL

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX

O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\PROGRAM FILES\AOL TOOLBAR\TOOLBAR.DLL

O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe

O4 - HKLM\..\Run: [systemTray] SysTray.Exe

O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme

O4 - HKLM\..\Run: [PTSNOOP] ptsnoop.exe

O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe

O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\LOGITECH\MOUSEW~1\SYSTEM\EM_EXEC.EXE

O4 - HKLM\..\Run: [AVGCtrl] D:\LUKE FILEWALKER\AVGCTRL.EXE /min

O4 - HKLM\..\Run: [LexStart] Lexstart.exe

O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe C:\PROGRA~1\WILDTA~1\APPS\CDA\CDAENG~1.DLL,cdaEngineMain

O4 - HKLM\..\Run: [CountrySelection] pctptt.exe

O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme

O4 - HKLM\..\RunServices: [schedulingAgent] mstask.exe

O4 - HKLM\..\RunServices: [DkService] D:\Diskeeper\DkService.exe

O4 - HKLM\..\RunServices: [KPF4] D:\Kerio Personal Firewall\Personal Firewall 4\kpf4ss.exe

O4 - Startup: Microsoft Office.lnk = D:\Microsoft office installed\Office\OSA9.EXE

O4 - Startup: SpywareGuard.lnk = D:\SpywareGuard\SpywareGuard\sgmain.exe

O8 - Extra context menu item: &AOL Toolbar search - res://C:\PROGRAM FILES\AOL TOOLBAR\TOOLBAR.DLL/SEARCH.HTML

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll

O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\PROGRAM FILES\AOL TOOLBAR\TOOLBAR.DLL

O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\PROGRAM FILES\AOL TOOLBAR\TOOLBAR.DLL

O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - D:\AOL INSTANT MESSENGER\AIM.EXE

O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB

O16 - DPF: {01FE8D0A-51AD-459B-B62B-85E135128B32} (DD_v4.DDv4) - http://www.drivershq.com/cab/prod/DD_v4.CAB

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab

O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = aoldsl.net


Only thing I notice here is you have Wildtangent on your system which some think is bad. Not serious just borderline malware. It can be removed via Add/Remove Programs in the Control Panel.

:(

I'm pretty sure that this problem isn't malware related. The problem could be almost anything considering you overwrote your hard drive from a backup. Something just went wrong somewhere I guess. The best suggestion I have is for you to backup any files you want to save, then do a reformat and reinstall. Sorry, I don't have any better ideas...

You need to prevent infection. I strongly recommend you take the following steps because infections are likely to reoccur unless you are protected (I post the same speech for everyone so you may have already taken some of these steps):

  • Disable then re-enable System Restore. This will delete your old restore points. Malware could get backed up in System Restore. To do so in Windows XP see this tutorial. To do so in Windows ME see this tutorial. (If you are using a different Operating System skip this step).
  • Keep up-to-date with the latest security patches from Microsoft. This step is VERY important. Please visit http://www.windowsupdate.com in Internet Explorer and if it asks to install software, let it. Start the scan for updates needed for your computer. Install all critical updates. When it prompts you to reboot, do so. Then repeat this process again until there are no more critical updates listed.
    You can also access the Windows Update site at any time by going to "Tools" > "Windows Update" in Internet Explorer. Please check for updates frequently.
  • Install Antivirus software. It is very important that your computer has an anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future. Two popular programs are AVG and Avast. Both have free versions for home users. Do not have more than one active antivirus at a time.
  • Install a Firewall. Without a firewall your computer is susceptible to being hacked and taken over. Simply using a Firewall in its default configuration can lower your risk greatly. Please see Understanding and Using Firewalls. Do not use more than one firewall. If you are using Windows XP SP2 the rather poor Windows Firewall is enabled by default and you will need to disable it before installing another one.
  • Install Ad-aware and Spybot-S&D and scan with them regularly. They will each catch items the other may miss and can clean some of the leftovers off since you have just been cleansed of an infection. Spybot-S&D also has some good prevention features. See these links:
    Using Spybot - Search & Destroy to remove Spyware , Malware, and Hijackers
    Using Ad-aware to remove Spyware, Malware, & Hijackers from Your Computer
  • Install SpywareBlaster. SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs. See the link below:
    Using SpywareBlaster to protect your computer from Spyware and Malware
  • Install IE-SPYADS. This script will place an enormous number of web sites known to be abusive into Internet Explorer's "Restricted Zone". Any site in that list will be unable to run javascripts, java applets, set or read cookies or use ActiveX scripting. You still will be able to visit those sites but they will be very limited in what they can do.
    Download it from HERE. Read the "ReadMe.txt" included with the download for help installing it. You will need to download new versions occasionally and uninstall the old version.
  • Keep these programs updated. If you do not they will not help you very much.
  • Read the doxdesk prevention article at http://www.doxdesk.com/parasite/prevention.html for some more tips to prevent infection.

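As an added example (not part of the original thread and not HijackThis's own code), the sketch below parses HijackThis result lines and diffs two scans, using lines excerpted from the two logs posted above. The function names are illustrative assumptions.

```python
import re

# HijackThis result lines have the form "<section code> - <detail>".
ENTRY = re.compile(r"^(R[0-3]|F[0-3]|N[1-4]|O\d{1,2}) - (.+)$")

# Excerpts of the two logs posted in this thread (first scan, then rescan).
BEFORE = r"""Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\ptsnoop.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\WINDOWS\SYSTEM\OOBE\BLANK.HTM
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - (no file)
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - D:\SPYWAREGUARD\SPYWAREGUARD\DLPROTECT.DLL
O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
O4 - HKLM\..\Run: [PTSNOOP] ptsnoop.exe
"""
AFTER = r"""Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\ptsnoop.exe
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - D:\SPYWAREGUARD\SPYWAREGUARD\DLPROTECT.DLL
O4 - HKLM\..\Run: [PTSNOOP] ptsnoop.exe
O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe C:\PROGRA~1\WILDTA~1\APPS\CDA\CDAENG~1.DLL,cdaEngineMain
O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
"""

def parse_entries(log_text):
    """Return [(section_code, detail)], skipping header and process lines."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2).strip()))
    return entries

def diff_logs(before_text, after_text):
    """Entries that disappeared and entries that appeared between two scans."""
    before, after = parse_entries(before_text), parse_entries(after_text)
    removed = [e for e in before if e not in after]
    added = [e for e in after if e not in before]
    return removed, added

def orphaned(entries):
    """Entries whose target file is missing, which HijackThis marks '(no file)'."""
    return [e for e in entries if e[1].endswith("(no file)")]

if __name__ == "__main__":
    removed, added = diff_logs(BEFORE, AFTER)
    for tag, items in (("removed", removed), ("added", added)):
        for code, detail in items:
            print(f"{tag:8}{code:4}{detail}")
```

Comparing on the full entry text means an entry that only changed position between scans, such as CountrySelection here, is not reported.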

Thank you for all of your help. I notice the lagging subsided some so that may have been my isp, but I still freeze when aol tries to detect my modem. I really don't use aol; I pay for it for my daughter, she seems to like it and it's new user friendly. I also like the parental controls for her. I appreciate you taking time to look through my logs, hopefully some fiddling will help me work out some of the bugs. I would like to make a clean backup without all of the scum ware. Should I buy eScan's mwav application? What about the things that it found? I may just reformat and go back to using ME but I'm still not totally sold on the idea.

forever inquisitive,

Jennie :D
