About blank and fake security centre - nothing I try works.
Got a friend's PC to try and fix; the main problem was the "antivirus gold" malware. I used KillBox and HijackThis to remove it and I thought I was good to go. But the PC, or Explorer to be precise, is riddled with something that I can't work out. It's the "about:blank" hijacker along with some obnoxious tray and box popup that says something along the lines of "your antivirus has failed, spyware activity detected - press here to find out more..."
The OS is Windows 98SE with all relevant updates (bar DX9 and Media Player 9/10). I have used a boot CD scan of NAV2005; the PC has AVG as its antivirus program. Adaware SE and adware both failed to fix it. CWShredder didn't detect anything.
Can anyone advise? Thanks
Here is the HijackThis log -
Logfile of HijackThis v1.99.1
Scan saved at 11:48:32, on 08/07/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\MDM.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
c:\windows\SYSTEM\KB891711\KB891711.EXE
C:\PROGRAM FILES\EXECUTIVE SOFTWARE\DISKEEPER\DKSERVICE.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\NETROPA\MULTIMEDIA KEYBOARD\MMKEYBD.EXE
C:\PROGRAM FILES\NETROPA\ONSCREEN DISPLAY\OSD.EXE
C:\WINDOWS\SYSTEM\PRINTRAY.EXE
C:\WINDOWS\LOADQM.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\REAL\REALPLAYER\REALPLAY.EXE
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\WINDOWS\SYSTEM\CTFMON.EXE
C:\PROGRAM FILES\NETROPA\MULTIMEDIA KEYBOARD\MMUSBKB2.EXE
C:\PROGRAM FILES\CAERE\PAGEKEEPER30\SYSTEM\PKJOBS.EXE
C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\WORKS SHARED\WKCALREM.EXE
C:\OPLIMIT\OCRAWARE.EXE
C:\OPLIMIT\OCRAWR32.EXE
C:\PROGRAM FILES\SAMSUNG\DIGIMAX VIEWER 2.0\STIMGBROWSER.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\CAERE\PAGEKEEPER30\SYSTEM\PKSLAPI.EXE
C:\PROGRAM FILES\CAERE\PAGEKEEPER30\SYSTEM\PKTOPASS.EXE
C:\PROGRAM FILES\LAVASOFT\AD-AWARE SE PLUS\AD-WATCH.EXE
C:\WINDOWS\D3SH32.EXE
C:\WINDOWS\APIQA.EXE
C:\HIJACKTHIS\HIJACKTHIS.EXE
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system\zoewl.dll/sp.html#93256
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system\zoewl.dll/sp.html#93256
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {88C2CD25-74FA-F38B-0123-D36D8516B291} - C:\WINDOWS\SYSTEM\APPNE.DLL
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Multimedia Keyboard] C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [Onscreen Display] C:\Program Files\Netropa\Onscreen Display\OSD.exe
O4 - HKLM\..\Run: [LexmarkPrinTray] PrinTray.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [APIQA.EXE] C:\WINDOWS\APIQA.EXE
O4 - HKLM\..\Run: [CriticalUpdate] c:\windows\SYSTEM\wucrtupd.exe -startup
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [Machine Debug Manager] C:\WINDOWS\SYSTEM\MDM.EXE
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - HKLM\..\RunServices: [KB891711] c:\windows\SYSTEM\KB891711\KB891711.EXE
O4 - HKLM\..\RunServices: [D3SH32.EXE] C:\WINDOWS\D3SH32.EXE /s
O4 - HKLM\..\RunServices: [DkService] C:\Program Files\Executive Software\Diskeeper\DkService.exe
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [Oasis] regsvr32 /s "c:\Program Files\Oasis\oasis.dll"
O4 - HKCU\..\Run: [AWMON] "C:\PROGRAM FILES\LAVASOFT\AD-AWARE SE PLUS\AD-WATCH.EXE"
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Startup: PageKeeper Jobs.lnk = C:\Program Files\Caere\PageKeeper30\system\PKJobs.exe
O4 - Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
O4 - Startup: OCRAWARE.lnk = C:\OPLIMIT\OCRAWARE.EXE
O4 - Startup: Digimax Viewer 2.0.lnk = C:\Program Files\Samsung\Digimax Viewer 2.0\STImgBrowser.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://c:\PROGRA~1\MICROS~7\OFFICE10\EXCEL.EXE/3000
O9 - Extra button: RealGuide - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O9 - Extra button: Freeserve - {3EB817C0-3BF7-11D4-A398-80B5C4E47E31} - http://www.freeserve.net/packard-bell/ (file missing) (HKCU)
O9 - Extra button: PB Home - {3EB817C1-3BF7-11D4-A398-80B5C4E47E31} - http://www.packardbell-europe.com/ (file missing) (HKCU)
O12 - Plugin for .wav: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O16 - DPF: {C606BA60-AB76-48B6-96A7-2C4D5C386F70} (PreQualifier Class) - http://www.telewest.co.uk/motive/fil...ivePreQual.cab
O16 - DPF: {11010101-1001-1111-1000-110112345678} - ms-its:mhtml:file://c:\nosuch.mht!http://69.31.79.102/searchinfoxyz.ch...rchinfoxyz.exe
O16 - DPF: {FFFF0003-0001-101A-A3C9-08002B23E0CD} - http://direct.data-line.us/gbn278.exe
O16 - DPF: {F0BC061F-DAF9-4533-8011-53BCB4C10307} (Installations Assistent) - http://install.powerurl.de/InstallationsAssistent.ocx
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary...r.cab31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/ms...downloader.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
In addition to CWShredder, download and run these "about:blank"-related removal tools (read any instructions given before downloading):
about:buster
HSRemove
Se.html-Sp.dll Hijack Fix
Post a new HijackThis log once you've done the above; I think there will be more to remove.
"May the Wombat of Happiness snuffle through your underbrush."
- Ancient Aborigine blessing
Please do not contact me by email or PM for help. We're all volunteers here, and only have so much free time to dedicate to our efforts.
However, if I've been working on a thread with you already, and seem to have "forgotten" your thread, please do send me a message. I try not to let things slip through the cracks, but it does happen sometimes.
Thanks DMR,
I got that along with HSremove. I "think" I got it licked.
The problem was the 2 files "apiqa" and "d3sh32". When I uploaded them and got them scanned at an AV website (the one with the multiple AV engines), both had trojan.downloader variants. Weird that AVG and Norton Antivirus missed them.
Each was linked in a registry key that had a weird hex section in a subfolder.
I went into safe mode, deleted these files, ran CW, about:buster and HSRemove. Deleted all temp files (there were over a thousand small temp files in the Windows folder). Emptied the bin and rebooted.
I got a warning message from Ad-Aware's live monitor - that apiqa and d3sh32 were trying to do something again (though the files weren't there). So I went back into safe mode and deleted the registry keys that mentioned them. I also reran HijackThis and "fixed" all the sections that linked to web addresses.
Rebooted and no warning from Ad-Watch. Fired up Explorer and no bad things. Browsed for 20 minutes with no nonsense.
Ran a couple of scans (AV and spyware) with nothing showing.
I must say that this site and the people who post help are a godsend. I am actually an IT worker and I consider myself "capable" of maintaining a PC etc. - but the newer forms of spyware really do bring one down with a bump. I'm not decrying the makers of AV and antispy products - but these new forms are worse than virii in my book.
It was an eye opener for someone who has been lucky enough to avoid such problems - mainly because I have a hardware and software firewall and don't use explorer at all.
Once again, thanks to everyone at this site - my friend has his PC back, though how long it stays working once his kids get on it is another matter
mj
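The log in the first post and the cleanup described in this reply, worked through as an added example (Python; not code from the thread, from HijackThis, or from any of the tools named here): a small parser for HijackThis-style lines that applies a few constructed triage heuristics to the R1/O2/O4/O16 entries, and, given the files still present after a safe-mode deletion, reports the autostart values that now point at nothing, which is the state that made Ad-Watch fire again. The sample lines are a constructed subset of the posted log; the allowlist of Windows-root files and every heuristic are assumptions for illustration, not a signature set.

```python
"""HijackThis-style log triage: parse entries, apply constructed heuristics,
and list autostart values whose target file no longer exists.

Added example, not code from the thread or from HijackThis. The sample log,
the allowlist and every heuristic below are assumptions for illustration."""
import re
from dataclasses import dataclass

# Constructed subset of the log posted above, in HijackThis' own line format.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\D3SH32.EXE
C:\WINDOWS\APIQA.EXE
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system\zoewl.dll/sp.html#93256
O2 - BHO: Class - {88C2CD25-74FA-F38B-0123-D36D8516B291} - C:\WINDOWS\SYSTEM\APPNE.DLL
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [APIQA.EXE] C:\WINDOWS\APIQA.EXE
O4 - HKLM\..\RunServices: [D3SH32.EXE] C:\WINDOWS\D3SH32.EXE /s
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O16 - DPF: {FFFF0003-0001-101A-A3C9-08002B23E0CD} - http://direct.data-line.us/gbn278.exe
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
"""

@dataclass
class Entry:
    code: str          # HijackThis section code, e.g. "O4"
    raw: str           # text after the "O4 - " prefix
    name: str = ""     # registry value name or shortcut name (O4 only)
    target: str = ""   # file path or URL the entry points at, if extractable

ENTRY_RE = re.compile(r"^([RO]\d+) - (.*)$")
O4_RE = re.compile(r"^HK\w+\\\.\.\\Run\w*: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
# A bare executable directly in the Windows directory (no subdirectory).
WIN_ROOT_EXE = re.compile(r"^[a-z]:\\windows\\[^\\]+\.exe$")
# Assumption: Win9x files that legitimately live in C:\WINDOWS itself.
KNOWN_ROOT_FILES = {"explorer.exe", "taskmon.exe", "loadqm.exe", "scanregw.exe"}

def target_of(cmd: str) -> str:
    """First executable/library path in a Run command line, quotes stripped."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.find('"', 1)]
    m = re.match(r"(.*?\.(?:exe|dll|com|scr))(?:\s|$)", cmd, re.I)
    return m.group(1) if m else cmd.split()[0]

def parse_hjt(text: str):
    """Return (running_processes, entries) from HijackThis-style log text."""
    procs, entries, in_procs = [], [], False
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.lower().startswith("running processes"):
            in_procs = True
            continue
        m = ENTRY_RE.match(line)
        if not m:
            if in_procs:
                procs.append(line)
            continue
        in_procs = False          # first R/O line ends the process list
        code, body = m.groups()
        name = target = ""
        if code == "O4":
            m4 = O4_RE.match(body)
            if m4:
                name, target = m4["name"], target_of(m4["cmd"])
            elif body.startswith("Startup: ") and "=" in body:
                name, rest = body[len("Startup: "):].split("=", 1)
                name, target = name.strip(), target_of(rest)
        elif code in ("O2", "O16"):
            target = body.rsplit(" - ", 1)[-1].strip()
        elif code in ("R0", "R1") and "=" in body:
            target = body.split("=", 1)[1].strip()
        entries.append(Entry(code, body, name, target))
    return procs, entries

def suspicious(entries, procs):
    """Constructed triage heuristics (not a signature set): [(entry, reason)]."""
    running = {p.lower() for p in procs}
    hits = []
    for e in entries:
        t = e.target.lower()
        if e.code == "O4" and WIN_ROOT_EXE.match(t):
            base = t.rsplit("\\", 1)[-1]
            if base in KNOWN_ROOT_FILES:
                continue
            why = "autostart executable directly in the Windows directory"
            if e.name.lower() == base:
                why += "; value name is just the file name"
            if t in running:
                why += "; currently running"
            hits.append((e, why))
        elif e.code == "O16" and t.startswith("http") and t.endswith(".exe"):
            hits.append((e, "DPF entry that pulls a bare .exe instead of a .cab/.ocx package"))
        elif e.code in ("R0", "R1") and t.startswith("res://"):
            hits.append((e, "IE search/start page served from a local DLL resource"))
        elif e.code == "O2" and e.raw.startswith("BHO: Class -"):
            hits.append((e, "BHO registered under a generic class name"))
    return hits

def orphaned(entries, present_files):
    """O4 entries whose target file is gone but whose registry value remains,
    the state that made Ad-Watch fire after the files were deleted in safe mode.
    Comparison is by file name, since Run values may omit the directory."""
    present = {p.lower().rsplit("\\", 1)[-1] for p in present_files}
    return [e for e in entries
            if e.code == "O4" and e.target
            and e.target.lower().rsplit("\\", 1)[-1] not in present]

if __name__ == "__main__":
    procs, entries = parse_hjt(SAMPLE_LOG)
    for e, why in suspicious(entries, procs):
        print(f"{e.code}: {e.target}  <- {why}")
    # Files left after a hypothetical safe-mode deletion of the two downloaders.
    still_there = [r"C:\WINDOWS\scanregw.exe",
                   r"C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"]
    for e in orphaned(entries, still_there):
        print(f"dangling autostart value [{e.name}] -> {e.target}")
```

The point of `orphaned` is the second half of the cleanup: removing the file without removing the Run/RunServices value that references it leaves a value the loader still tries to execute at boot, so a clean-up is only finished when both the file and the entry that launches it are gone.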
BTW:
Can you please post another (and hopefully final) HJT log to review? I'd like to give it a review before marking this one as "Solved".
Thanks.
Hi DMR,
I will post a new HijackThis log in the next couple of days, as I have to go and set up his new mail accounts. Ideally I could have reinstalled the OS and started afresh, but alas his PC is an older P-Bell with an integrated board and he has no CDs around. So it would have been a driver hunt and a hunt for what might be considered "personal" files. At least 2000/XP make some attempt at steering users towards a structured storage model - but in a Win98 PC that's about 6 years old... let's just say that the root had about 50 folders, and ProgFiles (2 instances of) had about 100 each. Bit of a shambles really. I have advised him to move all his important stuff to a backup folder from which I will dump the contents to my portable and do a clean install in the next month or so. He just needed it back ASAP and the damage done by these new "spywares" really knocked me for six.
Once again, sincerest thanks and regards to you and the other members of the "league of spyware warriors" :lol:
mj
OK, post the log if and/or when you can.
I definitely understand what you're saying about the state of the machine and what a hassle it would be to do a fresh install. I've got quite a few clients who are still using old P-IIIs running 98, have no install/driver disks, and haven't done a backup in years. Rescuing/restoring those machines is always Big Fun. :eek:
When you do get around to rebuilding the machine, here are a couple of suggestions:
1. After verifying that the current drive is malware-free, buy a new drive, do a clean install to that drive, and install the existing drive as a slave drive. That way, you'll have all of the original data intact, and in the same locations that the person was used to having it in.
2. Secure the machine immediately after the install. Previous estimates were that an unpatched and unprotected computer could be infected within about 30 minutes of connecting to the Internet (which I've personally seen happen), but the massive increase in malware has brought that time down to less than 15 minutes according to more recent studies and surveys.
Here are some things you should do before "releasing the computer into the wild":
1. Enable the Windows Automatic Update function to keep your system as up-to-date as possible with the most current Microsoft security and bug fixes.
2. Stop using Internet Explorer as your web browser. Because IE is so closely tied into the Windows operating system itself and contains so many security flaws, switching to another browser such as Netscape, Firefox, or Opera will reduce the avenues through which spyware/adware/hijackers/etc. can infect your computer.
3. Install preventative utilities such as SpywareBlaster and SpywareGuard (links are in my sig below), especially if you absolutely have to continue using Internet Exploder. These utilities protect areas of your system known to be vulnerable to malicious attacks. IE-SPYAD is another helpful tool; it can be downloaded here:
https://netfiles.uiuc.edu/ehowes/www/resource.htm
4. Tighten up some of Internet Explorer's existing, default settings to make it more secure. Some info on that can be found here: http://tomcoyote.org/ieoe.php
5. Obviously, install a good anti-virus program and enable its "auto-protect" and email-scanning features.
6. Install a stand-alone firewall program such as Zone Alarm, Sygate Personal Firewall, or Kerio Personal Firewall, or purchase the "Internet Security" packages offered by Symantec and McAfee.
7. None of your utilities are of much good if you don't check for updates frequently; updates for anti-spyware/anti-virus programs can be released as often as every two or three days.
Just to be on the safe (paranoid?) side, aside from going online to get the most current Microsoft security patches and bug fixes, I would install all other preventative utilities offline. That is, keep the newly-rebuilt computer disconnected from the Internet, download any utilities you want onto a protected/patched machine, burn them to CD, and install them on the new machine that way.