Two red circles with X
Thread Solved
Join Date: May 2006
Posts: 17
Reputation:
Solved Threads: 0
Hello,
Browsing the net I received a present in a form of two red circles with X on my desktop shortcut bar down left (Win98SE). I found a post from 2005 about HijackThis installation and saving a copy of system scan log. I already marked the red X icons line and two lines with web.exe intruders, there might be other "extras" that I don't recognize. My Norton Anti Virus Ver.5 (daily updated) and Spyware Guard remained silent. This is how the system log looks like:
Logfile of HijackThis v1.99.1
Scan saved at 14:28:24, on 26.05.2006
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\IRMON.EXE
C:\PROGRAM FILES\COMPAQ\PROGRAMMABLE KEYS 95\CPQKL.EXE
C:\PROGRAM FILES\COMPAQ\PROGRAMMABLE KEYS 95\CPQKT.EXE
C:\WINDOWS\SYSTEM\ATICWD32.EXE
C:\WINDOWS\SYSTEM\ATITASK.EXE
C:\WINDOWS\SYSTEM\FPDISP3A.EXE
C:\PROGRAM FILES\ONSPEC\USB DISK\FLASHKSK.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\INTERNAT.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
C:\WINDOWS\SYSTEM\USBMONIT.EXE
C:\PROGRAM FILES\ADOBE\ACROBAT 4.0\DISTILLR\ACROTRAY.EXE
C:\PCSYNC\QDCTRAY.EXE
C:\PROGRAM FILES\PSION\PSIWIN\PSCONSV.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\NETGEAR\WG511V2\WLANCFG5.EXE
C:\PROGRAM FILES\PSION\PSIWIN\ELOGERR.EXE
C:\PROGRAM FILES\SPYWAREGUARD\SGMAIN.EXE
C:\PROGRAM FILES\SPYWAREGUARD\SGBHP.EXE
C:\PROGRAM FILES\SIOL\ADSL\APP\ENTERNET.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WEB.EXE
C:\WEB.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVW32.EXE
C:\BOSTJAN\SOFTWARE\HIJACKTHIS\HIJACKTHIS.EXE
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Encyclopćdia Britannica, Inc.
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\PROGRAM FILES\SPYWAREGUARD\DLPROTECT.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [IrMon] IrMon.exe
O4 - HKLM\..\Run: [Compaq PK Daemon] C:\Program Files\COMPAQ\Programmable Keys 95\CPQKL.EXE
O4 - HKLM\..\Run: [Compaq PK Tray Notification] C:\Program Files\COMPAQ\Programmable Keys 95\cpqkt.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [AtiCwd32] Aticwd32.exe
O4 - HKLM\..\Run: [AtiKey] Atitask.exe
O4 - HKLM\..\Run: [FinePrint Dispatcher] C:\WINDOWS\SYSTEM\fpdisp3a.exe
O4 - HKLM\..\Run: [USB Disk] C:\PROGRA~1\ONSPEC\USBDIS~1\FLashKsk.exe
O4 - HKLM\..\Run: [Necutray] LEXAREJ0.EXE
O4 - HKLM\..\Run: [internat.exe] internat.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~3\NAVAPW32.EXE /LOADQUIET
O4 - HKLM\..\Run: [Gene USB Monitor] C:\WINDOWS\SYSTEM\USBMonit.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] C:\WINDOWS\SYSTEM\mstask.exe
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 4.0\Distillr\AcroTray.exe
O4 - Startup: PC sync Quick Data Copy.lnk = C:\PCSYNC\QDCTRAY.EXE
O4 - Startup: PsiWin 2.3 Connection Server.lnk = C:\Program Files\Psion\PsiWin\Psconsv.exe
O4 - Startup: NETGEAR WG511v2 Wireless Assistant.lnk = C:\Program Files\NETGEAR\WG511v2\wlancfg5.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - http://download.zonelabs.com/bin/pro...anner37680.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 193.189.160.23,193.189.160.13
I'm sending a printscreen in attachment, please advise further actions. Thank you !
Kind regards
Bostjan Kravcar
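A triage pass over a HijackThis log like the one posted above, as an added example that is not part of the original thread or of HijackThis itself. The rule names and heuristics (executables sitting directly in a drive root, entries ending in "(no file)") are assumptions of this sketch, and the sample is a constructed excerpt built from lines of the posted log.

```python
import re

# Constructed excerpt in the HijackThis v1.99.1 layout, reusing lines from the posted log.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Platform: Windows 98 SE (Win9x 4.10.2222A)
Running processes:
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
C:\WEB.EXE
C:\WEB.EXE
C:\BOSTJAN\SOFTWARE\HIJACKTHIS\HIJACKTHIS.EXE
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~3\NAVAPW32.EXE /LOADQUIET
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 193.189.160.23,193.189.160.13
"""

# A coded entry looks like "O4 - <body>" (R0-R3, F0-F3, N1-N4, O1-O23).
ENTRY_RE = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")
# Executable placed directly in a drive root, e.g. C:\name.exe (no sub-folder).
ROOT_EXE_RE = re.compile(
    r"(?<![A-Za-z0-9])[A-Za-z]:\\[^\\]+\.(?:exe|com|bat|pif|scr)\b", re.I)
# Sections that list autostart locations: Run keys / Startup folder and INI autoloads.
AUTOSTART_SECTIONS = {"O4", "F0", "F1", "F2", "F3"}


def parse_hijackthis(text):
    """Return (running_processes, [(section_code, body), ...]) from a log."""
    processes, entries = [], []
    in_processes = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = ENTRY_RE.match(line)
        if m:
            in_processes = False  # the coded entries follow the process list
            entries.append((m.group(1), m.group(2)))
        elif line.lower().startswith("running processes"):
            in_processes = True
        elif in_processes:
            processes.append(line)
    return processes, entries


def triage(text):
    """Return (rule, section, detail) tuples for lines a helper would look at first."""
    processes, entries = parse_hijackthis(text)
    autostart = [b.upper() for c, b in entries if c in AUTOSTART_SECTIONS]
    findings = []
    # De-duplicate processes (the posted log lists C:\WEB.EXE twice).
    for path in dict.fromkeys(p.upper() for p in processes):
        if ROOT_EXE_RE.fullmatch(path):
            findings.append(("process-in-drive-root", "processes", path))
            name = path.rsplit("\\", 1)[1]
            # Running, yet no listed autostart names it: something else launches it.
            if not any(name in body for body in autostart):
                findings.append(("no-visible-autostart", "processes", path))
    for code, body in entries:
        if code in AUTOSTART_SECTIONS:
            for m in ROOT_EXE_RE.finditer(body):
                findings.append(("autostart-from-drive-root", code, m.group(0)))
        if body.rstrip().endswith("(no file)"):
            findings.append(("target-file-missing", code, body))
    return findings


if __name__ == "__main__":
    for rule, section, detail in triage(SAMPLE_LOG):
        print(f"{rule:28} {section:10} {detail}")
```

A hit is a prompt for a closer look, not a verdict: legitimate software occasionally installs to a drive root, and an entry marked "(no file)" can be a leftover from an uninstalled program.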
Join Date: May 2006
Posts: 55
Reputation:
Solved Threads: 4
Hello SebastianMWS, welcome to DaniWeb. My name is Justin and I will be helping you with your computer today. I will be helping clean all the malware and spyware problems associated with your computer. Throughout my fix if you have any questions on the programs I am having you use don't be afraid to ask me.
Welcome,
Please follow the instructions provided, you may want to print out these instructions and use them as a reference.
Please download ewido anti-malware it is a free version of the program.
- Install ewido anti-malware
- When installing, under "Additional Options" uncheck..
- Install background guard
- Install scan via context menu
- Launch ewido, there should be an icon on your desktop, double-click it.
- The program will now open to the main screen.
- When you run ewido for the first time, you may get a warning "Database could not be found!". Click OK. We will fix this in a moment.
- You will need to update ewido to the latest definition files.
- On the left hand side of the main screen click update.
- Then click on Start Update.
- The update will start and a progress bar will show the updates being installed.
(the status bar at the bottom will display "Update successful")
ewido manual updates
Once the updates are installed do the following:
- Click on scanner
- Click on Complete System Scan and the scan will begin.
- You will be prompted to clean the first infection.
- Select "Perform action on all infections", then proceed.
- Once the scan has completed, there will be a button located on the bottom of the screen named Save report
- Click Save report.
- Save the report .txt file to your desktop or a location where you can find it easily.
Join Date: May 2006
Posts: 17
Reputation:
Solved Threads: 0
Originally Posted by Burton1
Hello SebastianMWS, welcome to DaniWeb. My name is Justin and I will be helping you with your computer today. I will be helping clean all the malware and spyware problems associated with your computer. Throughout my fix if you have any questions on the programs I am having you use don't be afraid to ask me.
Welcome,
Please follow the instructions provided, you may want to print out these instructions and use them as a reference.
Please download ewido anti-malware it is a free version of the program. If you are having problems with the updater, you can use this link to manually update ewido.
- Install ewido anti-malware
- When installing, under "Additional Options" uncheck..
- Install background guard
- Install scan via context menu
- Launch ewido, there should be an icon on your desktop, double-click it.
- The program will now open to the main screen.
- When you run ewido for the first time, you may get a warning "Database could not be found!". Click OK. We will fix this in a moment.
- You will need to update ewido to the latest definition files.
- On the left hand side of the main screen click update.
- Then click on Start Update.
- The update will start and a progress bar will show the updates being installed.
(the status bar at the bottom will display "Update successful")
ewido manual updates
Once the updates are installed do the following:Close ewido anti-malware.
- Click on scanner
- Click on Complete System Scan and the scan will begin.
- You will be prompted to clean the first infection.
- Select "Perform action on all infections", then proceed.
- Once the scan has completed, there will be a button located on the bottom of the screen named Save report
- Click Save report.
- Save the report .txt file to your desktop or a location where you can find it easily.
Thanks for such a fast response. There's a small problem though, ewido is for Win2000 and XP only, at least that's what is stated on their web site/ewido download page.
Kind regards
Bostjan Kravcar
Join Date: May 2006
Posts: 17
Reputation:
Solved Threads: 0
A follow up, while humbly waiting for further instructions - like alternative Anti-Malware tool, equally efficient to Ewido and Win98SE compatible (Ewido is available for Win2000 and XP only):
- I ran a freshly updated Norton Anti-Virus in Safe-Mode, nothing found as expected (NAV didn't even twitch when I got those red circles)
- Restarted machine, tried and successfully deleted C:\web.exe, but failed to do the same with C:\winstall.exe, received a message.."cannot delete, Windows is using...", like expected
- I ran completely updated Lavasoft AdawareSE Personal, it found 37 objects, among them Files, one Folder, Registry Values, you name it. I proceeded to Quarantine and Delete step, AdAware stopped in the middle of deleting and halted (not frozen, I could exit by clicking X button).
- I ran AdAware once again (just in case..), it found 36! objects (apparently didn't do much of a job in a first attempt); 13 Registry Values, 22 files, 1 folder (I'm posting this log file in attachment).
- Restarted machine, looks clean now but I'm just not that naive.
I would appreciate further instructions as soon as possible, got piles of work waiting. Thanks in advance !
Oh, one more thing; I have a Spyware Guard from Javacool Software LCC (free download) installed on machine, that thing is supposed to be real-time spyware (does it differ from malware?) guard, it didn't detect one single intrusion since installation, while I had Lavasoft AdAwareSE (no real-time version for free) quite busy. Can anyone tell me if that SG is any good at all or I would be better without it, even more so because it's slowing down the machine.
Kind regards
Bostjan Kravcar
Join Date: May 2006
Posts: 55
Reputation:
Solved Threads: 4
Let's try this
Download smitRem.exe ©noahdfear, and save the file to your desktop.
Double click on the file to extract it to its own folder on the desktop.
Place a shortcut to Panda ActiveScan on your desktop (in Internet Explorer, right click on Panda ActiveScan link select "Copy Shortcut" then right click on your desktop and select "Paste Shortcut" or in FireFox right-click the link and select "Save Link As" and save it to your desktop).
If you have not already installed Ad-Aware SE 1.06, follow these download and setup instructions, otherwise, check for updates:
Ad-Aware SE Setup
Don't run it yet!
Next, please reboot your computer in SafeMode by doing the following:
- Restart your computer
- After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
- Instead of Windows loading as normal, a menu should appear
- Select the first option, to run Windows in Safe Mode.
===================================================
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
===================================================
Close HiJackThis.
Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen.
Wait for the tool to complete and disk cleanup to finish.
The tool will create a log named smitfiles.txt in the root of your drive, e.g. Local Disk C: or partition where your operating system is installed. Please post that log along with all others requested in your next reply.
Next go to Control Panel click Display > Desktop > Customize Desktop > Web > Uncheck "Security Info" if present.
Reboot back into Windows and click the Panda ActiveScan shortcut.
- Once you are on the Panda site click the Scan your PC button.
- A new window will open...click the Check Now button.
- Enter your Country
- Enter your State/Province
- Enter your e-mail address and click send
- Select either Home User or Company
- Click the big Scan Now button
- If it wants to install an ActiveX component allow it
- It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
- When the download is complete, click on My Computer to start the scan
- When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location.
Let us know if any problems persist.
Join Date: May 2006
Posts: 17
Reputation:
Solved Threads: 0
OK, here's how it went:
I followed the procedure, downloaded smitrem.exe, copied shortcut to desktop and did the same with Panda Active Scan link. Rebooted machine in Safe-Mode, ran HJT.
- After a thorough check I could not find...
o4 HKCU\..\Run ... C:\winstall
..anymore, apparently a former run of AdAware did some job after all.
I proceeded to smitrem Folder and ran RunThis.bat, got txt file in C:\ root.
There is no such thing as Security Check in CP/Desktop/Cust. desktop/Web check option on my machine, the only setting for security are in Internet options/Security and Privacy, where level of security can be set (Internet, Intranet, Trusted sites,Restricted Sites)
I rebooted machine again, while windows were starting, that Spyware Guard I mentioned in previous post finally woke up for the first time !!, can you imagine ? First there was an alert about IE settings being changed from..
http://home.microsoft/access/allinone.asp .. to
http://www.microsoft.com/isapi/redir...=iear=iesearch
I confirmed new setting and got another alert about IE Search bar being changed from..
"NONE" to http://search.msn.com/spbasic.htm
Confirmed the new setting again (what did I know, there was no instruction about that, I just had to turn left or right).
- Next: I started Panda Active Scan and went to bed to proceed next morning. When I checked the results, I noticed scan progress bar stopped in the middle, I could tell by number of files scanned that Panda finished with hard drive C:\ and I could see it moved to D: drive, which is CD drive.
All Panda buttons were frozen, I could not click anything or exit from Panda. Hit CTRL-ALT-DEL to see which process is not responding, it was Wlancfg5. I ended the process, but with no avail to Panda functioning, so I close it down and got "not responding" window in the process. Panda did find 29 Spyware files and 2 Hacking tools, but I could not process disinfection.
I started Panda once again to see where it stops - it scanned the entire hard drive again, found exactly the same number of Spyware, but then it moved again to drive D (CD) and stopped immediately with Error window "Mapisp32 performed illegal operation..". I chose CLOSE and got another window, this time Choose Profile of MS Outlook, which I don't have installed and use Outlook Express as a default e-mail. When I closed this window, got blank blue screen and PC froze, hitting CTRL-ALT-DEL revealed that no process has stopped responding.
I guess it's pointless to go any further without your smart instructions, I'm including 2/3 files requested, without Panda log, obviously.
I'm confident that the mess will be sorted out, thanks to beautiful people on this forum.
Awaiting further instructions..
Sebastian
Join Date: May 2006
Posts: 17
Reputation:
Solved Threads: 0
Nope, those are gone, but there's quite a lot of stuff that Active Scan found on the hard drive, so how am I gonna get rid of those if I can't make Active Scan to finish and clean the filth ?
- Any idea how to avoid Active scan trying to use MS Outlook ?
- Any other trick I could try ? I'm afraid that if I give up on Active scan and just run AdAware once again, it won't be the same. After all, AdAware failed to search and clean the most stubborn filth once already, why should I trust it will do the work this time ?
Any help for final touch in this cleaning session appreciated.
Kind regards
Sebastian
Join Date: May 2006
Posts: 17
Reputation:
Solved Threads: 0
Latest news:
- I ran Active Scan once again to see if I can choose some different settings to avoid automatic Outlook launch. This time instead of My computer I chose local disks to scan. The process ran smoothly and finished scanning the disk, Outlook profile window didn't open this time and I could save the log (in attachment).
- Last Active Scan session revealed even more spyware files, so I was curious if AdAware will find something this time...nothing at all.
- I ran HijackThis once again, there's still an empty button present...
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
I'd like to know what it is and if it needs to be deleted ?
- Maybe I should wait for a knowledgeable advice, but I searched for Cookies from Active Scan log and deleted them all. Furthermore, there was an iLookup item that I also decided to delete. At first it looked like a no can do job, since Delete command didn't react, but after a while, it was gone...at least I don't see it anymore in Explorer.
Is there any further action that needs to be done ?
Kind regards
Sebastian