My HJT log. Ready for help!!
Thread Solved
Join Date: Apr 2005
Posts: 19
Crunchie, or anyone else who can help,
Further to my earlier post, here is a copy of my scanlog from HJT. I am pretty sure that my machine is totally filled with s**t and I would like to remove as much of it as possible, but mainly this hotoffers lark. Trust you will tell me what to do from here. Cheers.
Logfile of HijackThis v1.99.1
Scan saved at 21:51:18, on 11/04/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\ACCSTAT.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\PTSNOOP.EXE
C:\WINDOWS\SYSTEM\MSOFFICE.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\STARTER.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\MYWEBSEARCH\BAR\1.BIN\MWSOEMON.EXE
C:\DRDWS.EXE
C:\PROGRAM FILES\180SOLUTIONS\SAIS.EXE
C:\WINDOWS\RunDLL.exe
C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
C:\WINDOWS\SYSTEM\STOADDR.EXE
C:\PROGRAM FILES\INTERNET\ICC\ICC2000.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\COMMON FILES\UKQQ\UKQQM.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\ISTSVC\ISTSVC.EXE
C:\WINDOWS\DESKTOP\WINZIP\WZQKPICK.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SU1111FKA.EXE
C:\WINDOWS\B218769200\BUILD2.EXE
C:\WINDOWS\SYSTEM\WINOA386.MOD
C:\WINDOWS\SYSTEM\PRIVATE-ZONE.EXE
C:\WINDOWS\SYSTEM\DLOAD.EXE
C:\PROGRAM FILES\HIJACKTHIS\HIJACKTHIS.EXE
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.vtmikuxkajyrkhcr.com/kD5c...UJFKrntDyD.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotoffers.info/271/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://search.usefulware.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.usefulware.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.ulead.com/register/reg.htm
R3 - URLSearchHook: (no name) - _{0428FFC7-1931-45b7-95CB-3CBB919777E1} - (no file)
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
R3 - URLSearchHook: (no name) - _{00D6A7E7-4A97-456f-848A-3B75BF7554D7} - (no file)
R3 - URLSearchHook: transURL Class - {C7EDAB2E-D7F9-11D8-BA48-C79B0C409D70} - C:\WINDOWS\SYSTEM32\SEARCH~1.DLL (file missing)
F1 - win.ini: load=PTSNOOP.EXE
F1 - win.ini: run=C:\WINDOWS\SYSTEM\msoffice.exe
O2 - BHO: NavErrRedir Class - {00D6A7E7-4A97-456f-848A-3B75BF7554D7} - (no file)
O2 - BHO: (no name) - {016235BE-59D4-4CEB-ADD5-E2378282A1D9} - C:\Program Files\CxtPls\plg0\cxtpls.dll
O2 - BHO: (no name) - {78B07F7C-A43E-B730-88CB-BF820E34BBC9} - C:\WINDOWS\APPLICATION DATA\WAYCAMPERROR\WAVEWIPE.EXE
O2 - BHO: IE Update Class - {5B4AB8E2-6DC5-477A-B637-BF3C1A2E5993} - C:\WINDOWS\isrvs\sysupd.dll (file missing)
O2 - BHO: CeresObj Class - {00000049-8F91-4D9C-9573-F016E7626484} - C:\WINDOWS\CERES.DLL (file missing)
O3 - Toolbar: &SearchBar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\PROGRAM FILES\MYWAY\MYBAR\1.BIN\MYBAR.DLL (file missing)
O3 - Toolbar: My &Web Search - {07B18EA9-A523-4961-B6BB-170DE4475CCA} - C:\PROGRAM FILES\MYWEBSEARCH\BAR\1.BIN\MWSBAR.DLL (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: YourSiteBar - {86227D9C-0EFE-4f8a-AA55-30386A3F5686} - C:\PROGRA~1\YOURSI~1\YSB.DLL
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Netline User] c:\windows\netchk.exe
O4 - HKLM\..\Run: [ATIGART] c:\ati\gart\atigart.exe
O4 - HKLM\..\Run: [AtiCwd32] Aticwd32.exe
O4 - HKLM\..\Run: [AtiQiPcl] AtiQiPcl.exe
O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
O4 - HKLM\..\Run: [Internet Registration] c:\program files\internet explorer\connection wizard\netcheck.exe
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [websx] C:\PROGRAM FILES\WEBSX\INT113777.EXE -auto
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [AutoUpdater] "c:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKLM\..\Run: [AutoLoaderosqJ1IKjNIXO] "C:\WINDOWS\SYSTEM\SRWPP.EXE"
O4 - HKLM\..\Run: [oF9f36X] SRWPP.EXE
O4 - HKLM\..\Run: [LinkDumbGreatManager] C:\WINDOWS\Application Data\axis bone link dumb\eachsixth.exe
O4 - HKLM\..\Run: [WebRun] C:\WINDOWS\SYSTEM\WEB.EXE
O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe
O4 - HKLM\..\Run: [ffis] C:\WINDOWS\isrvs\ffisearch.exe
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\BAR\1.BIN\MWSOEMON.EXE
O4 - HKLM\..\Run: [Error Nuker] C:\Program Files\Error Nuker\bin\ErrorNuker.exe autostart
O4 - HKLM\..\Run: [IST Service] \ISTsvc\istsvc.exe
O4 - HKLM\..\Run: [PmwsMhe4] C:\DRDWS.EXE
O4 - HKLM\..\Run: [sais] c:\program files\180solutions\sais.exe
O4 - HKLM\..\Run: [gzazinef] C:\WINDOWS\gzazinef.exe
O4 - HKLM\..\Run: [Power Scan] C:\PROGRAM FILES\POWER SCAN\POWERSCAN.EXE
O4 - HKLM\..\Run: [PmwsMh$vùõš/‚²‘ÆßfC:\Program Files\ISTsvc\istsvc.exe] C:\DRDWS.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - HKCU\..\Run: [MsnMsgr] "c:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ZoqpRWbpW] STOADDR.EXE
O4 - HKCU\..\Run: [ford lite] C:\WINDOWS\APPLIC~1\DVDLOCKS\Gram Once.exe
O4 - HKCU\..\Run: [WebRun] C:\WINDOWS\SYSTEM\WEB.EXE
O4 - HKCU\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\BAR\1.BIN\MWSOEMON.EXE
O4 - HKCU\..\Run: [ICC2000] C:\PROGRAM FILES\INTERNET\ICC\icc2000.exe
O4 - HKCU\..\Run: [UKQQ] C:\PROGRAM FILES\COMMON FILES\UKQQ\UKQQM.EXE
O4 - Startup: Watch.lnk = C:\WINDOWS\TWAIN_32\600CU\UNINST.EXE
O4 - Startup: WinZip Quick Pick.lnk = C:\WINDOWS\Desktop\WinZip\WZQKPICK.EXE
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: DLHelperEXE.exe
O4 - Startup: EPSON Status Monitor 3 Environment Check.lnk = C:\WINDOWS\SYSTEM\E_SRCV03.EXE
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZNxdm006
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Royal Vegas Poker - {FA4904B4-1FAF-4afd-886C-C19D2297BA62} - C:\Program Files\royalvegasMPP\MPPoker.exe
O9 - Extra button: River Belle Poker - {83F8B625-1B04-4c35-8BA1-6DB4D7EDBADF} - C:\Program Files\riverbelleMPP\MPPoker.exe
O9 - Extra button: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePoker.exe (file missing)
O9 - Extra 'Tools' menuitem: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePoker.exe (file missing)
O15 - Trusted Zone: *.iframe.biz
O15 - Trusted Zone: *.newiframe.biz
O15 - Trusted Zone: *.pizdato.biz
O15 - Trusted Zone: *.vse-moe.biz
O15 - Trusted Zone: *.sp2****ed.biz
O15 - Trusted Zone: *.sp2admin.biz
O15 - Trusted Zone: *.clickspring.net
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted Zone: *.slotch.com
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted Zone: *.c4tdownload.com
O15 - Trusted Zone: *.xxxtoolbar.com
O15 - Trusted Zone: *.ysbweb.com
O15 - Trusted Zone: *.overpro.com
O15 - Trusted Zone: *.megapornix.com
O15 - Trusted Zone: *.awmdabest.com
O15 - Trusted Zone: *.traffic2cash.biz
O15 - Trusted Zone: *.admin2cash.biz
O15 - Trusted Zone: *.private-iframe.biz
O15 - Trusted Zone: *.private-dialer.biz
O15 - Trusted Zone: *.bettersearch.biz
O15 - Trusted Zone: *.addictivetechnologies.com
O15 - Trusted Zone: *.addictivetechnologies.net
O15 - Trusted Zone: *.f1organizer.com
O15 - Trusted Zone: *.crazywinnings.com
O15 - Trusted Zone: *.topconverting.com
O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone
O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone (HKLM)
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache...tup1.0.0.8.cab
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540000} (CInstall Class) - http://www.spywarestormer.com/files2/Install.cab
O16 - DPF: {AED98630-0251-4E83-917D-43A23D66D507} (WebHandler Class) - http://activex.microgaming.com/DLhel...7/dlhelper.cab
O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} (FlashXControl Object) - https://register3.valueactive.com/mp...CX/FlashAX.cab
O16 - DPF: {15589FA1-C456-11CE-BF01-000000000000} - http://www.errornuker.com/products/e...rInstaller.exe
O16 - DPF: {FF3F0F03-0F01-131A-A3F9-08F02B23E0CC} - http://66.117.37.13/dbn1742.exe
O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - C:\WINDOWS\isrvs\mfiltis.dll
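As an added example that is not part of the original post and not code from HijackThis or any tool named in this thread, here is a small Python triage script that applies, over the log above, the checks the helpers here apply by eye: hijacked start/search pages, orphaned hooks and BHOs, autostarts from the isrvs folder or the drive root, sites pushed into IE's Trusted Zone, ActiveX download points that are a bare .exe or a raw IP, the text/html MIME filter, and the same Run value duplicated in HKLM and HKCU. The sample lines are copied from the log above plus two benign autostarts; the path patterns and reason strings are my own assumptions, not a definitive signature set.

```python
import re
from dataclasses import dataclass

# Constructed sample input: lines copied from the HijackThis log posted above,
# plus two benign autostarts (ScanRegistry, MsnMsgr) the filter should leave alone.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotoffers.info/271/
R3 - URLSearchHook: (no name) - _{0428FFC7-1931-45b7-95CB-3CBB919777E1} - (no file)
O2 - BHO: IE Update Class - {5B4AB8E2-6DC5-477A-B637-BF3C1A2E5993} - C:\WINDOWS\isrvs\sysupd.dll (file missing)
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe
O4 - HKLM\..\Run: [PmwsMhe4] C:\DRDWS.EXE
O4 - HKLM\..\Run: [WebRun] C:\WINDOWS\SYSTEM\WEB.EXE
O4 - HKCU\..\Run: [WebRun] C:\WINDOWS\SYSTEM\WEB.EXE
O4 - HKCU\..\Run: [MsnMsgr] "c:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O15 - Trusted Zone: *.iframe.biz
O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone
O16 - DPF: {FF3F0F03-0F01-131A-A3F9-08F02B23E0CC} - http://66.117.37.13/dbn1742.exe
O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - C:\WINDOWS\isrvs\mfiltis.dll
"""


@dataclass
class Finding:
    section: str   # HJT section tag, e.g. "O4"
    reason: str    # why a helper would want to look at it
    line: str      # the offending log line (or value name for cross-line findings)


# Assumed heuristics: autostart locations legitimate software rarely uses, i.e. the
# isrvs folder the Bube/Beavis dropper in this thread lives in, executables dropped
# in the drive root (C:\DRDWS.EXE), and anything hidden under Application Data.
SUSPICIOUS_PATH = re.compile(
    r"\\isrvs\\"
    r'|^"?[A-Za-z]:\\[^\\]+\.exe'
    r"|\\applic(ation data|~1)\\",
    re.IGNORECASE,
)
ORPHAN = re.compile(r"\((no file|file missing)\)", re.IGNORECASE)
BARE_IP_URL = re.compile(r"https?://\d{1,3}(\.\d{1,3}){3}\b")
HIJACK_KEYS = re.compile(r"(Start Page|Search Bar|SearchURL|CustomizeSearch) = ")


def classify(line: str):
    """Return a reason to review this HJT line, or None if it looks benign."""
    m = re.match(r"^(R\d|F\d|O\d+) - (.*)$", line.strip())
    if not m:
        return None
    sec, body = m.groups()
    if sec in ("R0", "R1") and HIJACK_KEYS.search(body):
        return "browser start/search page set to " + body.split(" = ", 1)[1]
    if sec == "R3" and ORPHAN.search(body):
        return "orphaned URLSearchHook (CLSID registered, no backing file)"
    if sec in ("O2", "O3"):
        if ORPHAN.search(body):
            return "BHO/toolbar registered but its file is missing"
        if SUSPICIOUS_PATH.search(body):
            return "BHO/toolbar loaded from an unusual path"
    if sec == "O4":
        target = body.split("] ", 1)[-1]
        if SUSPICIOUS_PATH.search(target):
            return "autostart from an unusual location: " + target
    if sec == "O15":
        if body.startswith("ProtocolDefaults"):
            return "http mapped to the Trusted Zone: IE zone restrictions bypassed for every site"
        return "site added to IE Trusted Zone: " + body.split(": ", 1)[1]
    if sec == "O16":
        url = body.rsplit(" - ", 1)[-1]
        if url.lower().endswith(".exe") or BARE_IP_URL.search(url):
            return "ActiveX download point is a bare .exe or raw IP: " + url
    if sec == "O18":
        return "MIME filter hijack on " + body.split(" - ", 1)[0].split(": ", 1)[1]
    return None


def triage(log_text: str):
    """Run classify() over every line, then add the cross-line persistence check."""
    findings, run_hives = [], {}
    for line in (raw.strip() for raw in log_text.splitlines() if raw.strip()):
        reason = classify(line)
        if reason:
            findings.append(Finding(line.split(" - ", 1)[0], reason, line))
        # The sandbox report later in the thread shows the dropper writing the same
        # "WebRun" value to both HKLM and HKCU Run; flag any value name doing that.
        m = re.match(r"^O4 - (HKLM|HKCU)\\\.\.\\Run: \[([^\]]+)\]", line)
        if m:
            run_hives.setdefault(m.group(2), set()).add(m.group(1))
    for name, hives in sorted(run_hives.items()):
        if hives == {"HKLM", "HKCU"}:
            findings.append(Finding("O4", "same autostart value in HKLM and HKCU Run (double persistence)", f"[{name}]"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:4} {f.reason}\n     {f.line}")
```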
Go here and get the Trojan-Hunter fully working trial, and run a full scan.
,,,,,,,,,,,,,,,,,,,,,
To remove trojans there is a tool which needs to be downloaded and run.
1. Please download Stinger and save it to your desktop
2. Double-click on the stinger.exe file and open the tool
3. Choose your entire hard drive to scan.
4. Choose Scan Now
5. Stinger will fix anything that it finds
6. Click the File menu and select Save report to file
7. Post the log file results here in this thread.
STINGER
,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
Reboot to SAFE mode to delete files
How to start computer in safe mode
Please delete your temporary files by deleting all files and folders that are in these folders (do not delete the temp folder itself), for example:
C:\WINDOWS\Temp\
C:\Temp\
C:\Documents and Settings\username\Local Settings\Temp\
Also delete your Temporary Internet Files; be sure to also select "delete all offline content".
Do a virus scan. Please do an online scan; two would be better:
Micro World http://www.mwti.net/antivirus/free_utilities.asp
Trend Micro http://housecall.trendmicro.com/hous...start_corp.asp
Make sure that you choose "fix" or "clean".
,,,,,,,,,,,,,,,,,,,,,,,,,,
Download, then unzip and run CWShredder to clean up, clicking "FIX" to have it remove all it finds.
CWShredder is available from these places:
http://www.aluriasoftware.com/tools/cwshredder.zip
Or this as a full download without any unzipping required
http://www.downloads.subratam.org/CWShredder.exe
http://www.spywareinfo.com/downloads...CWShredder.exe
We have found that some of the CWS infections can be removed better from safe mode, rather than normal mode.
To get to safe mode, use the F8 key while booting the machine. Detailed instructions from:
HERE
,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
Then please do this. Since it’s better to use automated tools to get rid of the bad stuff, use these 2 programs first before doing the final cleaning with HJT.
First use Spybot S&D. (Version 1.3)
Spybot
Unzip and update. Install the updates and run. Delete all that it marks in red.
Reboot
Then it’s time for Ad-Aware
Ad-Aware
Install and update by using the globe icon. Restart your computer and run Ad-Aware.
Press scan now and select drives and/or partitions to be scanned. When done select all and click next. Remove all checked items and then reboot your computer.
Please go to this page and read the instructions for how to configure Spybot S&D & Ad-Aware
How To Setup Spybot SD and Ad-Aware
,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
If needed!!!!!!
Reboot and post a new HijackThis log. You need an updated version of HijackThis, which you can get from HERE.
Then post a HJT log as a reply to this topic.
Linux boot cd http://www.knopper.net/knoppix/index-en.html
Yep, you got a lot of nasties there. The main one being (perhaps) the Bube infection.
Please go here for the instructions on how to remove the Bube.d (aka Win32.Beavis) Removal [isrvs] infection.
Once done, repost a new log here and we will finish off the clean up.
This, so far, is the only available fix.
Thanks again Crunchie, must admit, haven't a clue what a Bube infection is but I don't want one!! I'm at work again so I'll give it a go when I get home. I got as far as running and cleaning with Trojan Hunter last night, seemed to pick out and clean quite a lot of nasties so I'm gonna run TH again tonight to see what comes up and then try this Bube thingy. Should I post a HJT log after that??
Yes, you need to post another hijackthis log. Try to do as much of what Caperjack advised too.
Don't forget that you need to reboot, then scan with hijackthis.
Please go here and have this file scanned.
C:\WINDOWS\SYSTEM\msoffice.exe
Post the results back please.
Try Symantec's fix tool to remove the IST bar.
Should keep you busy :mrgreen:
PS. Oh, get service pack one for Internet Explorer too.
Guys, here's my log from Jotti's malware. I'm about to run the Bube remover so fingers crossed; after that it's back to Caperjack's extensive list lol. Any further suggestions? Dare I ask lol
------------------------------------------------------------------
Jotti's malware scan 2.99-TRANSITION_TO_3.00
File: msoffice.exe
Status: INFECTED/MALWARE
Packers detected: -
Scanner results
AntiVir Found W32/Bube.K
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found W32.Bube.K
Dr.Web Found Win32.Beavis.5632
F-Prot Antivirus Found nothing
Fortinet Found W32/Bube.K
Kaspersky Anti-Virus Found Virus.Win32.Bube.k
mks_vir Found nothing
NOD32 Found Win32/Bube.K
Norman Virus Control Found Sandbox: W32/Malware; [ General information ]
* Creating several executable files on hard-drive.
* File length: 5632 bytes.
[ Changes to filesystem ]
* Creates file C:\WINDOWS\SYSTEM\sample.exe.
* Creates file C:\WINDOWS\SYSTEM\msoffice.exe.
* Creates file .\commands.ini.
[ Changes to registry ]
* Creates value "WebRun"="C:\WINDOWS\SYSTEM\sample.exe" in key "HKCU\Software\Microsoft\Windows\CurrentVersion\Run".
* Creates value "WebRun"="C:\WINDOWS\SYSTEM\sample.exe" in key "HKLM\Software\Microsoft\Windows\CurrentVersion\Run".
* Modifies value "FirewallDisableNotify"="" in key "HKLM\Software\Microsoft\Security Center".
* Modifies value "UpdatesDisableNotify"="" in key "HKLM\Software\Microsoft\Security Center".
* Modifies value "AntiVirusDisableNotify"="" in key "HKLM\Software\Microsoft\Security Center".
* Sets value "Cartman"="1
VBA32 Found Unknown.Win32Virus (probable variant)
------------------------------------------------------------------
You should already have a hosts file by default on your pc. Is it asking you to back it up? The Hoster is a legit tool and should do no harm to your pc. I have it on mine. It may be asking to reset your hosts file which will simply restore it to the default. If you are using any form of 3rd party hosts list, you will need to re-input it/them after resetting with the Hoster.