jennie171
Posted March 29, 2005

I tinkered a little too much three days ago and created havoc on my computer. So I overwrote the image of the drive from a ghost file, not realizing it was a backup full of spyware and crap. I've run NoAdware, AdAware SE, & Spysweeper. I have spywareguard and spyware blaster running in the background. I ran all of the scans in safe mode, including my antivirus, fully updated. My computer is still lagging and freezing. I am also having problems with shut down. When my AOL tries to recognize my modems it freezes.

Thanks in advance,
Jennie

Logfile of HijackThis v1.99.1
Scan saved at 6:36:18 PM, on 3/29/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
D:\DISKEEPER\DKSERVICE.EXE
D:\KERIO PERSONAL FIREWALL\PERSONAL FIREWALL 4\KPF4SS.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
D:\KERIO PERSONAL FIREWALL\PERSONAL FIREWALL 4\KPF4GUI.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\ptsnoop.exe
C:\PROGRAM FILES\LOGITECH\ITOUCH\ITOUCH.EXE
C:\PROGRAM FILES\LOGITECH\MOUSEWARE\SYSTEM\EM_EXEC.EXE
D:\LUKE FILEWALKER\AVGCTRL.EXE
D:\SPYWAREGUARD\SPYWAREGUARD\SGMAIN.EXE
C:\WINDOWS\SYSTEM\LEXBCES.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\LEXPPS.EXE
D:\MICROSOFT OFFICE INSTALLED\OFFICE\1033\MSOFFICE.EXE
D:\SPYWAREGUARD\SPYWAREGUARD\SGBHP.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
D:\HIJACKTHIS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\WINDOWS\SYSTEM\OOBE\BLANK.HTM
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\WINDOWS\SYSTEM\OOBE\BLANK.HTM
F1 - win.ini: run=hpfsched
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - (no file)
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - D:\SPYWAREGUARD\SPYWAREGUARD\DLPROTECT.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\PROGRAM FILES\AOL TOOLBAR\TOOLBAR.DLL
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [systemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
O4 - HKLM\..\Run: [PTSNOOP] ptsnoop.exe
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\LOGITECH\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [AVGCtrl] D:\LUKE FILEWALKER\AVGCTRL.EXE /min
O4 - HKLM\..\Run: [LexStart] Lexstart.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [schedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [DkService] D:\Diskeeper\DkService.exe
O4 - HKLM\..\RunServices: [KPF4] D:\Kerio Personal Firewall\Personal Firewall 4\kpf4ss.exe
O4 - Startup: Microsoft Office.lnk = D:\Microsoft office installed\Office\OSA9.EXE
O4 - Startup: SpywareGuard.lnk = D:\SpywareGuard\SpywareGuard\sgmain.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\PROGRAM FILES\AOL TOOLBAR\TOOLBAR.DLL/SEARCH.HTML
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\PROGRAM FILES\AOL TOOLBAR\TOOLBAR.DLL
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\PROGRAM FILES\AOL TOOLBAR\TOOLBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - D:\AOL INSTANT MESSENGER\AIM.EXE
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {01FE8D0A-51AD-459B-B62B-85E135128B32} (DD_v4.DDv4) - http://www.drivershq.com/cab/prod/DD_v4.CAB
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = aoldsl.net

Canoeingkidd
Posted March 30, 2005

Hello jennie,

First of all, I wouldn't trust NoAdware myself. Please see http://www.spywarewarrior.com/rogue_anti-s...re.htm#naw_note

Run HijackThis, do a scan, and place a check next to the following items to be fixed:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\WINDOWS\SYSTEM\OOBE\BLANK.HTM
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\WINDOWS\SYSTEM\OOBE\BLANK.HTM
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - (no file)

These are optional, they are not malware but removing them may improve the performance of your computer. These entries are just startups, the actual files will remain where they are if you fix them:

O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
Country selection for a PCtel HSP56 based modem. Often found in OEM (Dell, Compaq, HP etc) systems for their modems included on the motherboard or as a separate card. Once you've set the modem up to the chosen country it's not required.

O4 - Startup: Microsoft Office.lnk = D:\Microsoft office installed\Office\OSA9.EXE
Application which launches common MS Office components to help speed up the launch of Office programs. It's somewhat of a resource hog and some users claim there's no difference with or without it but it usually isn't required. Note: if you make use of the Microsoft Office Shortcut Bar outside an office program this application will need to be enabled for it to show.

Close all browsers and windows except HijackThis and click "Fix checked".

Reboot your computer at this point.

Click here to download eScan's mwav application. Double-click it to run it, select all local drives, scan all files, press 'scan' and when it is completed, anything found will be displayed in the lower pane. Highlight it, CTRL C and paste it in your next reply.

Also, post a new HijackThis log in a reply to this topic.

jennie171
Posted March 31, 2005

I actually did read the article you gave me about NoAdware a while back. Unfortunately it was a program I wound up buying before I knew better. I still run it in the gauntlet of regular spyware scans.

Thanks again,
jennie

eScan's results

File System Found infected by "180Solutions Spyware/Adware" Virus. Action Taken: No Action Taken.
File System Found infected by "VX2 Spyware/Adware" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\All Users\Application Data\AOL Downloads\setup90\comp01.000 tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File C:\WINDOWS\wt\wtupdates\webd\4.1.1\files\wtvh.dll infected by "not-a-virus:AdWare.WildTangent.b" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\wt\wtvh.dll infected by "not-a-virus:AdWare.WildTangent.b" Virus. Action Taken: No Action Taken.
File C:\Program Files\Common Files\aolback\comp01.000 tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File C:\Program Files\Online Services\AT&T\ATTSETUP.EXE tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File C:\Program Files\Broderbund\The Print Shop\Unlock\SSD\SS4DlxDl.EXE tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File D:\Downloaded Programs\mirc.exe tagged as not-a-virus:RiskWare.mIRC.6.16. No Action Taken.
File D:\AOL\America Online 9.0\Jiti\Jiti_mm.exe tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.

New HijackThis log

Logfile of HijackThis v1.99.1
Scan saved at 7:35:58 PM, on 3/30/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
D:\DISKEEPER\DKSERVICE.EXE
D:\KERIO PERSONAL FIREWALL\PERSONAL FIREWALL 4\KPF4SS.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
D:\KERIO PERSONAL FIREWALL\PERSONAL FIREWALL 4\KPF4GUI.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\ptsnoop.exe
C:\PROGRAM FILES\LOGITECH\ITOUCH\ITOUCH.EXE
C:\PROGRAM FILES\LOGITECH\MOUSEWARE\SYSTEM\EM_EXEC.EXE
D:\LUKE FILEWALKER\AVGCTRL.EXE
C:\WINDOWS\RUNDLL32.EXE
D:\SPYWAREGUARD\SPYWAREGUARD\SGMAIN.EXE
C:\WINDOWS\SYSTEM\LEXBCES.EXE
C:\WINDOWS\SYSTEM\LEXPPS.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
D:\MICROSOFT OFFICE INSTALLED\OFFICE\1033\MSOFFICE.EXE
D:\SPYWAREGUARD\SPYWAREGUARD\SGBHP.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
D:\HIJACKTHIS\HIJACKTHIS.EXE

F1 - win.ini: run=C:\WINDOWS\hpfsched.exe
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - D:\SPYWAREGUARD\SPYWAREGUARD\DLPROTECT.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\PROGRAM FILES\AOL TOOLBAR\TOOLBAR.DLL
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [systemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [PTSNOOP] ptsnoop.exe
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\LOGITECH\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [AVGCtrl] D:\LUKE FILEWALKER\AVGCTRL.EXE /min
O4 - HKLM\..\Run: [LexStart] Lexstart.exe
O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe C:\PROGRA~1\WILDTA~1\APPS\CDA\CDAENG~1.DLL,cdaEngineMain
O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [schedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [DkService] D:\Diskeeper\DkService.exe
O4 - HKLM\..\RunServices: [KPF4] D:\Kerio Personal Firewall\Personal Firewall 4\kpf4ss.exe
O4 - Startup: Microsoft Office.lnk = D:\Microsoft office installed\Office\OSA9.EXE
O4 - Startup: SpywareGuard.lnk = D:\SpywareGuard\SpywareGuard\sgmain.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\PROGRAM FILES\AOL TOOLBAR\TOOLBAR.DLL/SEARCH.HTML
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\PROGRAM FILES\AOL TOOLBAR\TOOLBAR.DLL
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\PROGRAM FILES\AOL TOOLBAR\TOOLBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - D:\AOL INSTANT MESSENGER\AIM.EXE
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {01FE8D0A-51AD-459B-B62B-85E135128B32} (DD_v4.DDv4) - http://www.drivershq.com/cab/prod/DD_v4.CAB
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = aoldsl.net

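
Added example (not part of any post in this thread): a short Python sketch that parses HijackThis entry lines, flags O2 entries reported as "(no file)", and diffs two scans, which is the comparison done by eye between the two logs above. The sample logs are a constructed subset of the entries posted in the thread, and the function names are assumptions of this example.

```python
import re

# Constructed sample input: a subset of the entries from the two logs in this
# thread, one entry per line as HijackThis writes them.
LOG_BEFORE = r"""Logfile of HijackThis v1.99.1
C:\WINDOWS\SYSTEM\KERNEL32.DLL
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\WINDOWS\SYSTEM\OOBE\BLANK.HTM
F1 - win.ini: run=hpfsched
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - (no file)
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - D:\SPYWAREGUARD\SPYWAREGUARD\DLPROTECT.DLL
O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
"""
LOG_AFTER = r"""Logfile of HijackThis v1.99.1
F1 - win.ini: run=C:\WINDOWS\hpfsched.exe
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - D:\SPYWAREGUARD\SPYWAREGUARD\DLPROTECT.DLL
O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe C:\PROGRA~1\WILDTA~1\APPS\CDA\CDAENG~1.DLL,cdaEngineMain
O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
"""

# Entry lines start with a section code (R0, F1, O2, O16, ...) and " - ".
ENTRY_RE = re.compile(r"^([RFNO]\d{1,2}) - (.+)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")

def parse_entries(log_text):
    """Return (section_code, body) per entry; header and process lines are skipped."""
    matches = (ENTRY_RE.match(line.strip()) for line in log_text.splitlines())
    return [(m.group(1), m.group(2)) for m in matches if m]

def orphaned_bhos(entries):
    """CLSIDs of O2 (BHO) entries whose file is missing, shown as '(no file)'."""
    found = []
    for code, body in entries:
        clsid = CLSID_RE.search(body)
        if code == "O2" and body.endswith("(no file)") and clsid:
            found.append(clsid.group(0))
    return found

def diff_logs(before, after):
    """Entries added and removed between two scans (case-insensitive compare)."""
    old = {(c, b.casefold()): (c, b) for c, b in parse_entries(before)}
    new = {(c, b.casefold()): (c, b) for c, b in parse_entries(after)}
    added = [new[k] for k in new if k not in old]
    removed = [old[k] for k in old if k not in new]
    return added, removed

if __name__ == "__main__":
    added, removed = diff_logs(LOG_BEFORE, LOG_AFTER)
    print("orphaned BHOs:", orphaned_bhos(parse_entries(LOG_BEFORE)))
    for code, body in added:
        print("+", code, "-", body)
    for code, body in removed:
        print("-", code, "-", body)
```
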
Canoeingkidd
Posted April 1, 2005

Only thing I notice here is you have Wildtangent on your system which some think is bad. Not serious, just borderline malware. It can be removed via Add/Remove Programs in the Control Panel.

I'm pretty sure that this problem isn't malware related. The problem could be almost anything considering you overwrote your hard drive from a backup. Something just went wrong somewhere I guess. The best suggestion I have is for you to backup any files you want to save, then do a reformat and reinstall. Sorry, I don't have any better ideas...

You need to prevent infection. I strongly recommend you take the following steps because infections are likely to reoccur unless you are protected (I post the same speech for everyone so you may have already taken some of these steps):

Disable then re-enable System Restore. This will delete your old restore points. Malware could get backed up in System Restore. To do so in Windows XP see this tutorial. To do so in Windows ME see this tutorial. (If you are using a different Operating System skip this step).

Keep up-to-date with the latest security patches from Microsoft. This step is VERY important. Please visit http://www.windowsupdate.com in Internet Explorer and if it asks to install software, let it. Start the scan for updates needed for your computer. Install all critical updates. When it prompts you to reboot, do so. Then repeat this process again until there are no more critical updates listed. You can also access the Windows Update site at any time by going to "Tools" > "Windows Update" in Internet Explorer. Please check for updates frequently.

Install Antivirus software. It is very important that your computer has an anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future. Two popular programs are AVG and Avast. Both have free versions for home users. Do not have more than one active antivirus at a time.

Install a Firewall. Without a firewall your computer is susceptible to being hacked and taken over. Simply using a Firewall in its default configuration can lower your risk greatly. Please see Understanding and Using Firewalls. Do not use more than one firewall. If you are using Windows XP SP2 the rather poor Windows Firewall is enabled by default and you will need to disable it before installing another one.

Install Ad-aware and Spybot-S&D and scan with them regularly. They will each catch items the other may miss and can clean some of the leftovers off since you have just been cleansed of an infection. Spybot-S&D also has some good prevention features. See these links:
Using Spybot - Search & Destroy to remove Spyware, Malware, and Hijackers
Using Ad-aware to remove Spyware, Malware, & Hijackers from Your Computer

Install SpywareBlaster. SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs. See the link below:
Using SpywareBlaster to protect your computer from Spyware and Malware

Install IE-SPYADS. This script will place an enormous number of web sites known to be abusive into Internet Explorer's "Restricted Zone". Any site in that list will be unable to run javascripts, java applets, set or read cookies or use ActiveX scripting. You still will be able to visit those sites but they will be very limited in what they can do. Download it from HERE. Read the "ReadMe.txt" included with the download for help installing it. You will need to download new versions occasionally and uninstall the old version.

Keep these programs updated. If you do not they will not help you very much.

Read the doxdesk prevention article at http://www.doxdesk.com/parasite/prevention.html for some more tips to prevent infection.

jennie171
Posted April 1, 2005

Thank you for all of your help. I notice the lagging subsided some so that may have been my ISP, but I still freeze when AOL tries to detect my modem. I really don't use AOL; I pay for it for my daughter, she seems to like it and it's new user friendly. I also like the parental controls for her. I appreciate you taking time to look through my logs, hopefully some fiddling will help me work out some of the bugs. I would like to make a clean backup without all of the scumware. Should I buy eScan's mwav application? What about the things that it found? I may just reformat and go back to using ME but I'm still not totally sold on the idea.

forever inquisitive,
Jennie

Canoeingkidd
Posted April 1, 2005

I wouldn't actually buy eScan...some of the things listed were actually false positives...

jennie171
Posted April 1, 2005

ok! phew..........I thought for a minute I was loaded with stuff. LOL

Thank you again for all of your help.
Jennie