
Browser Hijacked

Comments

74 comments

  • Support

    Ugh! That's the latest Alcra/Alcan worm which is a downloader of all the worst kinds of malware and the hardest to remove. Is your Norton a current version and up to date?

     

    I have fix tools for this but only for Win2k and XP. I can ask around what is being recommended for Win98. It's such an assortment of nasties that I'm not sure we can repair all the damage done. You do need to get this PC off the internet ASAP as it will continue to download more malware. My best recommendation at the moment is to backup all your important data and reformat/reinstall, if that is easy enough for you to do. It could take many days of cleaning and even then I can't assure you the damage can be repaired. I'll try though if you have no other option.

     

    For starters, be sure to uninstall NewdotNet through this procedure only:

    http://www.newdotnet.com/removal.html

     

    These two utilities may help:

     

    There is this free Utility from Dr. Web

    FREE Dr.Web CureIt! Curing Utility

    http://download.drweb.com/drweb+cureit/

    (follow the directions given on that page)

     

    And you probably need an AntiTrojan

    a-squared has a free edition and will run on Windows98

    http://www.emsisoft.com/en/software/free/

     

    Follow up with updating Ad-aware with today's latest update and a full system scan in SAFE MODE

  • Customer

    By the way, following is the original HijackThis Log before I deleted some obvious files:

     

    ----------------------

     

     

    Logfile of HijackThis v1.99.1

    Scan saved at 8:30:13 PM, on 06/14/2006

    Platform: Windows 98 SE (Win9x 4.10.2222A)

    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

     

    Running processes:

    C:\WINDOWS\SYSTEM\KERNEL32.DLL

    C:\WINDOWS\SYSTEM\MSGSRV32.EXE

    C:\WINDOWS\SYSTEM\SPOOL32.EXE

    C:\WINDOWS\SYSTEM\MPREXE.EXE

    C:\WINDOWS\SYSTEM\WINMODEM.101\wmexe.exe

    C:\WINDOWS\SYSTEM\MSTASK.EXE

    C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE

    C:\WINDOWS\SYSTEM\MDM.EXE

    C:\WINDOWS\SYSTEM\RPCSS.EXE

    C:\WINDOWS\SYSTEM\mmtask.tsk

    C:\WINDOWS\EXPLORER.EXE

    C:\WINDOWS\TASKMON.EXE

    C:\WINDOWS\SYSTEM\SYSTRAY.EXE

    C:\WINDOWS\SYSTEM\STIMON.EXE

    C:\WINDOWS\TPPALDR.EXE

    C:\WINDOWS\STARTER.EXE

    C:\PROGRAM FILES\MICROSOFT HARDWARE\MOUSE\POINT32.EXE

    C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE

    C:\DEFENDER26.EXE

    C:\WINDOWS\SYSTEM\DWDSREGT.EXE

    C:\WINDOWS\AWISAM.EXE

    C:\MY DOCUMENTS2\TSBO\MSHTA.EXE

    C:\PROGRAM FILES\DIWI\SJKVKIIH.EXE

    C:\WINDOWS\SYSTEM\OWINLQEZ.EXE

    C:\WINDOWS\SYSTEM\WMIEXE.EXE

    C:\WINDOWS\QHYXY.EXE

    C:\WINDOWS\QHYXY.EXE

    C:\WINDOWS\SYSTEM\PSTORES.EXE

    C:\WINDOWS\QHYXY.EXE

    C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE

    C:\WINDOWS\SYSTEM\TAPISRV.EXE

    C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE

    C:\WINDOWS\SYSTEM\DDHELP.EXE

    C:\MY DOCUMENTS\IOMEGAVAIOBACKUP\AMERICA ONLINE 4.0B\DOWNLOAD\HIJACKING\HIJACKTHIS LOG FILES\HIJACKTHIS.EXE

     

    R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - (no file)

    R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)

    O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX

    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll

    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll

    O4 - HKLM\..\Run: [scanRegistry] c:\windows\scanregw.exe /autorun

    O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe

    O4 - HKLM\..\Run: [systemTray] SysTray.Exe

    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme

    O4 - HKLM\..\Run: [storageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r

    O4 - HKLM\..\Run: [stillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE

    O4 - HKLM\..\Run: [TPP Auto Loader] C:\WINDOWS\TPPALDR.EXE

    O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe

    O4 - HKLM\..\Run: [POINTER] C:\Program Files\Microsoft Hardware\Mouse\point32.exe

    O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"

    O4 - HKLM\..\Run: [ccRegVfy] "c:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"

    O4 - HKLM\..\Run: [symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMON.EXE /Consumer

    O4 - HKLM\..\Run: [keyboard] C:\\KEYBOARD25.exe

    O4 - HKLM\..\Run: [defender] C:\\DEFENDER26.exe

    O4 - HKLM\..\Run: [newname] C:\\NEWNAME25.exe

    O4 - HKLM\..\Run: [{11-16-6F-F2-ZN}] C:\WINDOWS\SYSTEM\DWDSREGT.EXE GID003

    O4 - HKLM\..\Run: [surfSideKick 3] C:\PROGRAM FILES\SURFSIDEKICK 3\Ssk.exe

    O4 - HKLM\..\Run: [aomkyk] C:\WINDOWS\awisam.exe reg_run

    O4 - HKLM\..\Run: [browserUpdateSched] C:\WINDOWS\SYSTEM\OWINLQEZ.EXE GID003

    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme

    O4 - HKLM\..\RunServices: [winmodem] WINMODEM.101\wmexe.exe

    O4 - HKLM\..\RunServices: [schedulingAgent] mstask.exe

    O4 - HKLM\..\RunServices: [ccEvtMgr] "c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"

    O4 - HKLM\..\RunServices: [scriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg

    O4 - HKLM\..\RunServices: [Machine Debug Manager] C:\WINDOWS\SYSTEM\MDM.EXE

    O4 - HKCU\..\Run: [iscu] "C:\My Documents2\tsbo\mshta.exe" -vt yazr

    O4 - HKCU\..\Run: [surfSideKick 3] C:\PROGRAM FILES\SURFSIDEKICK 3\Ssk.exe

    O4 - HKCU\..\Run: [vltmb] C:\WINDOWS\awisam.exe reg_run

    O4 - HKCU\..\Run: [Gkvofej] C:\Program Files\Diwi\sjkvkiih.exe

    O4 - Startup: Status Monitor.lnk = C:\Program Files\XEROX_XD\ENGSS.EXE

    O4 - Startup: Controller.LNK = C:\Program Files\WinFax\WFXCTL32.EXE

    O4 - Startup: Z_Start.lnk = ?

    O4 - Startup: Zeno.lnk = C:\WINDOWS\SYSTEM\owinlqez.exe

    O4 - Startup: sfutg.exe

    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

    O8 - Extra context menu item: Advanced Email Extractor - res://C:\PROGRAM%20FILES\ADVANCED%20EMAIL%20EXTRACTOR%20PRO\AEEPMSIE.DLL/page.html

    O8 - Extra context menu item: Scan link with AEE - res://C:\PROGRAM%20FILES\ADVANCED%20EMAIL%20EXTRACTOR%20PRO\AEEPMSIE.DLL/link.html

    O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsearch.html

    O8 - Extra context menu item: &Translate English Word - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmwordtrans.html

    O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmcache.html

    O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsimilar.html

    O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmbacklinks.html

    O8 - Extra context menu item: Translate Page into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmtrans.html

    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll

    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRAM FILES\JAVA\JRE1.5.0_06\BIN\SSV.DLL

    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRAM FILES\JAVA\JRE1.5.0_06\BIN\SSV.DLL

    O9 - Extra button: Email Extractor - {AFA7DB99-3E4D-4396-94F8-B0B135BCB472} - res://C:\PROGRAM%20FILES\ADVANCED%20EMAIL%20EXTRACTOR%20PRO\AEEPMSIE.DLL/page.html (file missing) (HKCU)

    O9 - Extra 'Tools' menuitem: Advanced Email Extractor - {AFA7DB99-3E4D-4396-94F8-B0B135BCB472} - res://C:\PROGRAM%20FILES\ADVANCED%20EMAIL%20EXTRACTOR%20PRO\AEEPMSIE.DLL/page.html (file missing) (HKCU)

    O10 - Hijacked Internet access by New.Net

    O10 - Hijacked Internet access by New.Net

    O10 - Hijacked Internet access by New.Net

    O10 - Hijacked Internet access by New.Net

    O10 - Hijacked Internet access by New.Net

    O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll

  • Customer

    Thank you so much for your reply. I appreciate it very much!

     

    I immediately took my pc off the internet. Furthermore, I performed the following:

     

    - Uninstalled NewdotNet.

    - Ran Dr. Web CureIt but did not find anything.

    - Ran a-squared and deleted 5 Adwares

    - Ran a full system scan with Ad-Aware with yesterday's update (because my pc is off the internet) in Safe Mode.

    - Rebooted the system to normal mode and re-ran Ad-Aware (w/ yesterday's update) and found/deleted 1 file (Win32.Trojan.Downloader), which was located in C:\WINDOWS\bcgbkrm.exe

     

    However, whenever I open Windows Explorer, I get an ACCESS DENIED message from Norton Antivirus for the following two files:

     

    - C:\comscore.exe

    - C:\webnexmk.exe

     

    Also, while attempting to Delete a file named Startup: sfutg.exe through HijackThis I got a message stating "Unable to Delete" and to use a process killer like "ProcView" to shutdown the program and Run HijackThis again to delete the file. So far, I installed ProcView but I'm not sure if I should use it.

     

    Should I have connected to the internet and downloaded today's Ad-Aware updates? Would it have made a big difference? What about the vulnerability issue?

     

    Following is the latest HijackThis log:

     

    -------------------------------

     

     

    Logfile of HijackThis v1.99.1

    Scan saved at 7:42:40 PM, on 06/15/2006

    Platform: Windows 98 SE (Win9x 4.10.2222A)

    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

     

    Running processes:

    C:\WINDOWS\SYSTEM\KERNEL32.DLL

    C:\WINDOWS\SYSTEM\MSGSRV32.EXE

    C:\WINDOWS\SYSTEM\MPREXE.EXE

    C:\WINDOWS\SYSTEM\SPOOL32.EXE

    C:\WINDOWS\SYSTEM\WINMODEM.101\wmexe.exe

    C:\WINDOWS\SYSTEM\MSTASK.EXE

    C:\WINDOWS\SYSTEM\mmtask.tsk

    C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE

    C:\WINDOWS\SYSTEM\MDM.EXE

    C:\WINDOWS\SYSTEM\RPCSS.EXE

    C:\WINDOWS\EXPLORER.EXE

    C:\WINDOWS\TASKMON.EXE

    C:\WINDOWS\SYSTEM\SYSTRAY.EXE

    C:\WINDOWS\SYSTEM\STIMON.EXE

    C:\WINDOWS\TPPALDR.EXE

    C:\WINDOWS\STARTER.EXE

    C:\PROGRAM FILES\MICROSOFT HARDWARE\MOUSE\POINT32.EXE

    C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE

    C:\WINDOWS\AWISAM.EXE

    C:\PROGRAM FILES\WINFAX\WFXCTL32.EXE

    C:\WINDOWS\SYSTEM\WMIEXE.EXE

    C:\WINDOWS\QHYXY.EXE

    C:\WINDOWS\QHYXY.EXE

    C:\WINDOWS\QHYXY.EXE

    C:\WINDOWS\SYSTEM\TAPISRV.EXE

    C:\PROGRAM FILES\WINFAX\WFXMOD32.EXE

    C:\MY DOCUMENTS\IOMEGAVAIOBACKUP\AMERICA ONLINE 4.0B\DOWNLOAD\HIJACKING\HIJACKTHIS LOG FILES\HIJACKTHIS.EXE

     

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank

    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank

    R3 - Default URLSearchHook is missing

    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1.3\SDHELPER.DLL

    O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX

    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll

    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll

    O4 - HKLM\..\Run: [scanRegistry] c:\windows\scanregw.exe /autorun

    O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe

    O4 - HKLM\..\Run: [systemTray] SysTray.Exe

    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme

    O4 - HKLM\..\Run: [storageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r

    O4 - HKLM\..\Run: [stillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE

    O4 - HKLM\..\Run: [TPP Auto Loader] C:\WINDOWS\TPPALDR.EXE

    O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe

    O4 - HKLM\..\Run: [POINTER] C:\Program Files\Microsoft Hardware\Mouse\point32.exe

    O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"

    O4 - HKLM\..\Run: [ccRegVfy] "c:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"

    O4 - HKLM\..\Run: [symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMON.EXE /Consumer

    O4 - HKLM\..\Run: [keyboard] C:\\KEYBOARD25.exe

    O4 - HKLM\..\Run: [defender] C:\\DEFENDER26.exe

    O4 - HKLM\..\Run: [aomkyk] C:\WINDOWS\awisam.exe reg_run

    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme

    O4 - HKLM\..\RunServices: [winmodem] WINMODEM.101\wmexe.exe

    O4 - HKLM\..\RunServices: [schedulingAgent] mstask.exe

    O4 - HKLM\..\RunServices: [ccEvtMgr] "c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"

    O4 - HKLM\..\RunServices: [scriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg

    O4 - HKLM\..\RunServices: [Machine Debug Manager] C:\WINDOWS\SYSTEM\MDM.EXE

    O4 - HKCU\..\Run: [Gkvofej] C:\Program Files\Diwi\sjkvkiih.exe

    O4 - HKCU\..\Run: [WIMF] C:\PROGRAM FILES\COMMON FILES\WIMF\WIMFM.EXE

    O4 - HKCU\..\Run: [vltmb] C:\WINDOWS\awisam.exe reg_run

    O4 - Startup: Status Monitor.lnk = C:\Program Files\XEROX_XD\ENGSS.EXE

    O4 - Startup: Controller.LNK = C:\Program Files\WinFax\WFXCTL32.EXE

    O4 - Startup: sfutg.exe

    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

    O8 - Extra context menu item: Advanced Email Extractor - res://C:\PROGRAM%20FILES\ADVANCED%20EMAIL%20EXTRACTOR%20PRO\AEEPMSIE.DLL/page.html

    O8 - Extra context menu item: Scan link with AEE - res://C:\PROGRAM%20FILES\ADVANCED%20EMAIL%20EXTRACTOR%20PRO\AEEPMSIE.DLL/link.html

    O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsearch.html

    O8 - Extra context menu item: &Translate English Word - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmwordtrans.html

    O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmcache.html

    O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsimilar.html

    O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmbacklinks.html

    O8 - Extra context menu item: Translate Page into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmtrans.html

    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll

    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRAM FILES\JAVA\JRE1.5.0_06\BIN\SSV.DLL

    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRAM FILES\JAVA\JRE1.5.0_06\BIN\SSV.DLL

    O9 - Extra button: Email Extractor - {AFA7DB99-3E4D-4396-94F8-B0B135BCB472} - res://C:\PROGRAM%20FILES\ADVANCED%20EMAIL%20EXTRACTOR%20PRO\AEEPMSIE.DLL/page.html (file missing) (HKCU)

    O9 - Extra 'Tools' menuitem: Advanced Email Extractor - {AFA7DB99-3E4D-4396-94F8-B0B135BCB472} - res://C:\PROGRAM%20FILES\ADVANCED%20EMAIL%20EXTRACTOR%20PRO\AEEPMSIE.DLL/page.html (file missing) (HKCU)

    O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll

  • Support

    I'm not sure the latest updates for Adaware are going to make a big difference but you can download the updates manually. This is explained in the Help menu of Adaware SE under "Manual Updates".

    1. Close Ad-Aware

     

    2. Download the latest definition file in a ZIP file from Lavasoft's website*

    http://www.lavasoftusa.com/support/download/

    3. Save it to a temporary location (put a copy onto removable media and transfer to the affected computer)

     

    4. When complete, unzip the contents of the file, either through your favorite ZIP utility or through built-in support in Windows, to the installation directory of Ad-Aware, which is usually C:\Program Files\Lavasoft\Ad-Aware SE Personal\

     

     

    5. Open Ad-Aware

     

    You can then confirm the latest definition file is installed by looking at the Initialization Status on the main Status screen.

    .................................................................

    You need to run the full system scan in SAFE MODE:

     

    You can usually do this by restarting your computer and continually tapping F8 until a menu appears. Highlight Safe Mode and hit enter.

     

    How to start the computer in Safe mode

    http://service1.symantec.com/SUPPORT/tsgen...src=sec_doc_nam

    ...............................

    I need to know what version of Norton Antivirus you are running and the latest update you have for it. Your antivirus program is the other key to this infection.

  • Customer

    I am running Norton Antivirus 2003 with the latest updates, as of this past Wed.

     

    I ran it in safe mode and it found and deleted Win32.Trojan.Downloader. I then ran Ad-Aware (w/ the original updates) and found and deleted the following:

     

    - Win32.Trojan.Downloader in the C:\WINDOWS\qhyxy.exe

     

    - MRU list - winzip recently used archives - HKEY_USERS:.DEFAULT\SOFTWARE\Nico Mak Computing\winzip\filemenu\

     

    - MRU list - mrulist for items opened in start run - HKEY_USERS:.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\RUNMRU\

     

    -----------------

     

    Following is the latest HijackThis log:

     

    Logfile of HijackThis v1.99.1

    Scan saved at 9:49:35 AM, on 06/16/2006

    Platform: Windows 98 SE (Win9x 4.10.2222A)

    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

     

    Running processes:

    C:\WINDOWS\SYSTEM\KERNEL32.DLL

    C:\WINDOWS\SYSTEM\MSGSRV32.EXE

    C:\WINDOWS\SYSTEM\MPREXE.EXE

    C:\WINDOWS\EXPLORER.EXE

    C:\WINDOWS\SYSTEM\RPCSS.EXE

    C:\MY DOCUMENTS\IOMEGAVAIOBACKUP\AMERICA ONLINE 4.0B\DOWNLOAD\HIJACKING\HIJACKTHIS LOG FILES\HIJACKTHIS.EXE

     

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank

    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank

    R3 - Default URLSearchHook is missing

    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1.3\SDHELPER.DLL

    O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX

    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll

    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll

    O4 - HKLM\..\Run: [scanRegistry] c:\windows\scanregw.exe /autorun

    O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe

    O4 - HKLM\..\Run: [systemTray] SysTray.Exe

    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme

    O4 - HKLM\..\Run: [storageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r

    O4 - HKLM\..\Run: [stillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE

    O4 - HKLM\..\Run: [TPP Auto Loader] C:\WINDOWS\TPPALDR.EXE

    O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe

    O4 - HKLM\..\Run: [POINTER] C:\Program Files\Microsoft Hardware\Mouse\point32.exe

    O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"

    O4 - HKLM\..\Run: [ccRegVfy] "c:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"

    O4 - HKLM\..\Run: [symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMON.EXE /Consumer

    O4 - HKLM\..\Run: [keyboard] C:\\KEYBOARD25.exe

    O4 - HKLM\..\Run: [defender] C:\\DEFENDER26.exe

    O4 - HKLM\..\Run: [aomkyk] C:\WINDOWS\awisam.exe reg_run

    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme

    O4 - HKLM\..\RunServices: [winmodem] WINMODEM.101\wmexe.exe

    O4 - HKLM\..\RunServices: [schedulingAgent] mstask.exe

    O4 - HKLM\..\RunServices: [ccEvtMgr] "c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"

    O4 - HKLM\..\RunServices: [scriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg

    O4 - HKLM\..\RunServices: [Machine Debug Manager] C:\WINDOWS\SYSTEM\MDM.EXE

    O4 - HKCU\..\Run: [Gkvofej] C:\Program Files\Diwi\sjkvkiih.exe

    O4 - HKCU\..\Run: [WIMF] C:\PROGRAM FILES\COMMON FILES\WIMF\WIMFM.EXE

    O4 - HKCU\..\Run: [vltmb] C:\WINDOWS\awisam.exe reg_run

    O4 - Startup: Status Monitor.lnk = C:\Program Files\XEROX_XD\ENGSS.EXE

    O4 - Startup: Controller.LNK = C:\Program Files\WinFax\WFXCTL32.EXE

    O4 - Startup: sfutg.exe

    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

    O8 - Extra context menu item: Advanced Email Extractor - res://C:\PROGRAM%20FILES\ADVANCED%20EMAIL%20EXTRACTOR%20PRO\AEEPMSIE.DLL/page.html

    O8 - Extra context menu item: Scan link with AEE - res://C:\PROGRAM%20FILES\ADVANCED%20EMAIL%20EXTRACTOR%20PRO\AEEPMSIE.DLL/link.html

    O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsearch.html

    O8 - Extra context menu item: &Translate English Word - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmwordtrans.html

    O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmcache.html

    O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsimilar.html

    O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmbacklinks.html

    O8 - Extra context menu item: Translate Page into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmtrans.html

    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll

    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRAM FILES\JAVA\JRE1.5.0_06\BIN\SSV.DLL

    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRAM FILES\JAVA\JRE1.5.0_06\BIN\SSV.DLL

    O9 - Extra button: Email Extractor - {AFA7DB99-3E4D-4396-94F8-B0B135BCB472} - res://C:\PROGRAM%20FILES\ADVANCED%20EMAIL%20EXTRACTOR%20PRO\AEEPMSIE.DLL/page.html (file missing) (HKCU)

    O9 - Extra 'Tools' menuitem: Advanced Email Extractor - {AFA7DB99-3E4D-4396-94F8-B0B135BCB472} - res://C:\PROGRAM%20FILES\ADVANCED%20EMAIL%20EXTRACTOR%20PRO\AEEPMSIE.DLL/page.html (file missing) (HKCU)

    O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll

  • Customer

    Do you know if this type of malware infects data such as MS Office files (excel, word, etc.)? You had mentioned backing up important files. Would transferring them to another computer put the other computer at risk? Thanks.

  • Customer

    Should I install and scan Bit Defender in Safe Mode or Regular Mode? Thanks.

  • Support

    I need an additional report.

     

    Could you please Open HijackThis and instead of scan choose *Open Misc. Tools Section*

    Next choose *Open Uninstall Manager*

    It will make a list. When it finishes, press the *save list* button. Copy the results of that report back here please.

     

    ...........................

    Norton 2003 is a bit obsolete for today's malware.

     

    If your PC meets the system requirements, please download the free edition of BitDefender8

    Then get the updates for it and shuttle to the affected computer. Install the program and BOTH updates

    (cumulative and the daily). Links provided below:

     

    http://www.bitdefender.com/PRODUCT-14-en--...ee-Edition.html

     

    System requirements:

     

    * Pentium MMX 200 Mhz or higher processor

    * Minimum 64MB of RAM Memory (128MB recommended)

    * Minimum 40MB available hard disk space

     

     

    Operating platform: Windows 98/NT-SP6/Me/2000/XP IE 4.0(+)

     

    Download BitDefender8 and install

    http://www.bitdefender.com/site/Download/d...oadFile/340/EN/

    ....................................................

    Windows 98, Windows Millennium

     

    Follow these steps to update the virus definitions:

     

    1. Download the appropriate update (get both of these).

    ftp://80.86.106.20/pub/updates/bitdefender_v8/cumulative.zip

    ftp://80.86.106.20/pub/updates/bitdefender_v8/daily.zip

     

    Save the archive to the disk instead of opening it from the web.

     

    2. Extract the archive content.

     

    Start with cumulative.zip when both update archives are available. Extract the content in the folder

    C:\Program Files\Common Files\Softwin\BitDefender Scan Server\Plugins

    and accept overwriting existing files.

     

    3. Restart the computer.

     

    After installing and updating do a full system scan with Bit defender and let it remove or repair any infected files found. Please make a copy of the log at the end and post the results back here.

  • Customer

    I just sent you the HijackThis Uninstall Manager list in a PM as I would like to keep the data private. Thank you. I hope you don't mind. Thanks.

  • Support

    You can install and apply the updates in normal mode, but the scanning should be done in safe mode to give it the best chance of being able to delete any infected files found.

     

    And to the other question, yes Word documents, etc. can be infected but just transferring them to store on another computer won't infect it. However, you should scan all transferred data files to be sure none are infected before opening any of them. If infected, that could launch a malware.

  • Customer

    I tried to run BitDefender in safe mode and got the following error message:

     

    "Failed to start the virus shield. Please launch the program again. If the problem persists, contact the developer."

     

    However, when I installed it in normal mode, the program started scanning on its own.

     

    Any recommendations?

  • Support

    Don't mind at all.

     

    First, please go to your Control Panel and look in Add/Remove programs

     

    Highlight each of these and press *remove* one by one.

     

    (Those versions of Sun Java are out of date and a security vulnerability if left on your system).

    Snowball Wars is a PurityScan variant and best removed via Add/Remove Program in the control Panel

     

    Remove each of these:

     

    J2SE Runtime Environment 5.0 Update 6

     

    Java 2 Runtime Environment, SE v1.4.1

     

    Java Web Start

     

    Snowball Wars by OIN

     

    You can get the latest up-to-date version of Sun Java here to replace the old vulnerable ones:

    http://www.java.com/en/download/manual.jsp

     

    Here's why removing old versions of Sun Java is important:

    Potential Vulnerability with Sun Java auto update

    http://www.dslreports.com/forum/remark,14738046

     

    After removing those programs and running the BitDefender scan, once you are back in normal mode, please scan with HijackThis and post a fresh log. I need the HijackThis log from normal mode to see what is left.

  • Customer

    I couldn't remove the following through HijackThis:

     

    O4 - HKLM\..\Run: [aomkyk] C:\WINDOWS\awisam.exe reg_run

    O4 - HKCU\..\Run: [vltmb] C:\WINDOWS\awisam.exe reg_run

    O4 - Startup: sfutg.exe

     

     

    I, however, couldn't find the following:

     

    O4 - HKLM\..\Run: [defender] C:\\DEFENDER26.exe

     

     

    I did install both updates and currently running a complete scan through BitDefender in normal mode as follows:

     

    - Local Drives

    - Network Drives

    - Removable Drives

    - All Entries

     

    It seems to be taking some time to scan. Will you be responding to postings over the weekend? You've just been so great and I feel hopeful because of your kind help.

  • Support

    In normal mode, scan with HijackThis and checkmark these entries, then press the *fix checked* button:

     

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank

    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank

    R3 - Default URLSearchHook is missing

    O4 - HKLM\..\Run: [keyboard] C:\\KEYBOARD25.exe

    O4 - HKLM\..\Run: [defender] C:\\DEFENDER26.exe

    O4 - HKLM\..\Run: [aomkyk] C:\WINDOWS\awisam.exe reg_run

    O4 - HKCU\..\Run: [Gkvofej] C:\Program Files\Diwi\sjkvkiih.exe

    O4 - HKCU\..\Run: [WIMF] C:\PROGRAM FILES\COMMON FILES\WIMF\WIMFM.EXE

    O4 - HKCU\..\Run: [vltmb] C:\WINDOWS\awisam.exe reg_run

    O4 - Startup: sfutg.exe

     

    Delete these files (if found and if possible to delete)

    C:\\KEYBOARD25.exe

     

    C:\\DEFENDER26.exe

     

    C:\WINDOWS\awisam.exe

     

    C:\Program Files\Diwi\sjkvkiih.exe

     

    C:\PROGRAM FILES\COMMON FILES\WIMF\WIMFM.EXE

     

    sfutg.exe

     

    Close HijackThis

     

    Immediately, go ahead and run the full system scan with BitDefender in normal mode then

     

    You were able to install both updates to the program?

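As an added example (not from this thread, and not part of HijackThis or any other tool mentioned here), the following Python script parses the O4 and R-lines of two HijackThis logs, diffs them so you can see which autostart entries survived a cleaning pass, and flags the traits Support keys on above: search settings reset to about:blank, a missing URLSearchHook, executables dropped in the drive root, the same binary registered under both HKLM and HKCU, and Startup items with no resolvable target. The two log excerpts are constructed from the 06/14 and 06/15 logs posted in this thread, trimmed to a handful of lines.

```python
import re
from collections import defaultdict

# Constructed excerpts of the 06/14 (before cleaning) and 06/15 (after) logs
# posted in this thread; only O4 and R-lines are kept, real logs are longer.
LOG_0614 = r"""
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [keyboard] C:\\KEYBOARD25.exe
O4 - HKLM\..\Run: [defender] C:\\DEFENDER26.exe
O4 - HKLM\..\Run: [newname] C:\\NEWNAME25.exe
O4 - HKLM\..\Run: [surfSideKick 3] C:\PROGRAM FILES\SURFSIDEKICK 3\Ssk.exe
O4 - HKLM\..\Run: [aomkyk] C:\WINDOWS\awisam.exe reg_run
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKCU\..\Run: [iscu] "C:\My Documents2\tsbo\mshta.exe" -vt yazr
O4 - HKCU\..\Run: [vltmb] C:\WINDOWS\awisam.exe reg_run
O4 - HKCU\..\Run: [Gkvofej] C:\Program Files\Diwi\sjkvkiih.exe
O4 - Startup: Controller.LNK = C:\Program Files\WinFax\WFXCTL32.EXE
O4 - Startup: Zeno.lnk = C:\WINDOWS\SYSTEM\owinlqez.exe
O4 - Startup: sfutg.exe
"""

LOG_0615 = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [keyboard] C:\\KEYBOARD25.exe
O4 - HKLM\..\Run: [defender] C:\\DEFENDER26.exe
O4 - HKLM\..\Run: [aomkyk] C:\WINDOWS\awisam.exe reg_run
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKCU\..\Run: [Gkvofej] C:\Program Files\Diwi\sjkvkiih.exe
O4 - HKCU\..\Run: [WIMF] C:\PROGRAM FILES\COMMON FILES\WIMF\WIMFM.EXE
O4 - HKCU\..\Run: [vltmb] C:\WINDOWS\awisam.exe reg_run
O4 - Startup: Controller.LNK = C:\Program Files\WinFax\WFXCTL32.EXE
O4 - Startup: sfutg.exe
"""

# HijackThis line shapes: "O4 - HKLM\..\Run: [name] command", "O4 - Startup: x = y", "R1 - ..."
RUN_RE = re.compile(r'^O4 - (HKLM|HKCU)\\\.\.\\(Run|RunServices|RunOnce): \[([^\]]*)\] (.*)$')
STARTUP_RE = re.compile(r'^O4 - Startup: (.*?)(?: = (.*))?$')
R_RE = re.compile(r'^(R[0-3]) - (.*)$')
# Shortest prefix ending in an executable extension (handles quoted and unquoted paths).
EXE_RE = re.compile(r'^"?(.*?\.(?:exe|com|bat|scr|pif|tsk))', re.IGNORECASE)


def executable_of(cmd):
    """Lower-cased program path from a Run/Startup command line (arguments dropped)."""
    cmd = cmd.strip()
    m = EXE_RE.match(cmd)
    return (m.group(1) if m else cmd).lower()


def is_drive_root(path):
    # Files directly under a drive root, e.g. C:\\DEFENDER26.exe (HijackThis prints
    # the root with a doubled backslash) or C:\comscore.exe from the thread.
    return re.match(r'^[a-z]:\\+[^\\]+$', path) is not None


def parse(log):
    """Parse autostart (O4) and IE start/search (R0-R3) lines into dicts."""
    entries = []
    for line in log.splitlines():
        line = line.strip()
        m = RUN_RE.match(line)
        if m:
            hive, key, name, cmd = m.groups()
            entries.append({'kind': 'run', 'hive': hive, 'key': key, 'name': name,
                            'cmd': cmd, 'exe': executable_of(cmd), 'raw': line})
            continue
        m = STARTUP_RE.match(line)
        if m:
            name, target = m.group(1), m.group(2) or ''
            entries.append({'kind': 'startup', 'hive': None, 'key': 'Startup', 'name': name,
                            'cmd': target, 'exe': executable_of(target or name), 'raw': line})
            continue
        m = R_RE.match(line)
        if m:
            entries.append({'kind': 'r', 'hive': None, 'key': m.group(1), 'name': '',
                            'cmd': m.group(2), 'exe': '', 'raw': line})
    return entries


def diff_logs(before, after):
    """Which parsed lines disappeared, appeared, or survived between two scans."""
    b = {e['raw'] for e in parse(before)}
    a = {e['raw'] for e in parse(after)}
    return {'removed': sorted(b - a), 'added': sorted(a - b), 'persisting': sorted(a & b)}


def flag_entries(entries):
    """Map each suspicious raw line to the list of reasons it was flagged."""
    hives_by_exe = defaultdict(set)          # exe -> {HKLM, HKCU} it autostarts from
    for e in entries:
        if e['kind'] == 'run':
            hives_by_exe[e['exe']].add(e['hive'])
    findings = {}
    for e in entries:
        reasons = []
        if e['kind'] == 'r':
            if e['cmd'].lower().endswith('about:blank'):
                reasons.append('IE search/start setting reset to about:blank')
            if 'missing' in e['cmd'].lower():
                reasons.append('default URLSearchHook missing')
        else:
            if is_drive_root(e['exe']):
                reasons.append('executable sits in the drive root')
            if e['kind'] == 'startup' and not e['cmd']:
                reasons.append('Startup item with no resolvable target')
            if len(hives_by_exe.get(e['exe'], ())) > 1:
                reasons.append('same binary autostarts under both HKLM and HKCU')
        if reasons:
            findings[e['raw']] = reasons
    return findings


if __name__ == '__main__':
    delta = diff_logs(LOG_0614, LOG_0615)
    for bucket in ('removed', 'added', 'persisting'):
        print(f'{bucket} ({len(delta[bucket])}):')
        for line in delta[bucket]:
            print('   ', line)
    print('\nflagged in the 06/15 log:')
    for raw, reasons in flag_entries(parse(LOG_0615)).items():
        print('   ', raw, '->', '; '.join(reasons))
```

The heuristics are a triage aid, not a verdict: randomly named entries such as Gkvofej or WIMF pass all of them and still need a manual lookup, which is exactly why Support asks for a fresh log after every pass.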
  • Support

    I'll be here. Get a scan log from Bit Defender and post the results. After cleaning with Bit Defender, reboot your PC and scan again with Hijack and post a fresh log from it too please.

  • Customer

    I am experiencing some problems running BitDefender in normal mode. At 63% I received an Illegal Operation Message. Since then, the scan has stopped in its tracks. So far it found 12 identified viruses. I am in communication with BitDefender's tech support about trying to run it in Safe Mode instead. They sent me the following link but it seems a bit confusing to follow. I'm not able to find the command prompt as per their instructions. The instructions say to enter the Command Prompt by clicking:

     

    Start>All Programs>Accessories>Command Prompt.

     

    However, after I reach Accessories I cannot locate Command Prompt. I am using Win98 SE.

     

    In Safe Mode, they recommend to scan using the command prompt.

    More information about the scan commands is available in the article:

     

    http://kb.bitdefender.com/site/viewArticle...and_Prompt.html

     

     

    Also, have you heard of AVG? A friend recommended this program.

  • Support

    Oh, right. This worm damages certain processes and stops them from running, which may be the problem.

     

    Ok, let's try this fix, I think it works in Windows98.

     

    Download AlcanShorty from here.

    http://www.geekstogo.com/forum/index.php?a...details&f_id=13

     

    * Click the *download* button near the bottom and agree to download the fix.

    * Download Alcanshorty to your desktop.

    * DoubleClick alcanshorty_en.exe and click install

    * This will create a new folder on your desktop called alcanshorty_en

    * Open that folder and doubleclick Run.bat

    * Once the fix starts, your icons and desktop will disappear, this is normal.

     

    Make sure you have a working internet connection. In case your firewall gives an alert, don't block it,

    because alcanshorty needs to download some additional files to let the tool run properly.

     

    * Wait for the complete script execution box to popup and press OK.

    * Press exit to terminate the BFU program.

     

    Reboot your computer, then see if Bit Defender will run in normal mode.

    0
  • Customer

    I was able to perform a full scan of BitDefender in normal mode after all. I then rebooted in normal mode and ran HijackThis. Following are both logs. However, after the BitDefender scan I noticed 29 new files on my desktop. Do you know what they represent?

     

    1 File:

    x_dtrace.log

     

    28 Files:

    00F9D630_kds

    00F9D050_kds

    00F9D..._kds

    etc..

     

    --------------------

     

    BitDefender Log:

     

     

    //-----------------------------------------------------------------

    //

    // Product: BitDefender 8 Free Edition

    // Version: 8.0

    //

    // Created on: 17/06/2006 15:11:07

    //

    //-----------------------------------------------------------------

     

     

    Statistics

     

    Scan path : A:\

    C:\

    D:\

    Folders : 11544

    Files : 867595

    Archives : 133185

    Packed files : 108036

    Identified viruses : 11

    Infected files : 29

    Warnings : 0

    Suspect files : 0

    Disinfected files : 0

    Deleted files : 11

    Copied files : 0

    Moved files : 16

    Renamed files : 0

    I/O errors : 4

    Scan time : 07:33:08

    Scan speed (files/sec) : 31

     

    Virus definitions : 388423

    Scan plugins : 13

    Archive plugins : 38

    Unpack plugins : 5

    Mail plugins : 6

    System plugins : 1

     

    Scan options

     

    Detection

    [X] Scan boot sectors

    [X] Scan archives

    [X] Scan packed files

    [X] Scan email

     

    File mask

    [ ] Programs

    [X] All files

    [ ] User defined extensions:

    [ ] Exclude extensions: ;

     

    Action

     

    Infected objects

    [ ] Ignore

    [X] Disinfect

    [ ] Delete

    [ ] Copy to quarantine

    [ ] Move to quarantine

    [ ] Rename

    [ ] Prompt user

     

    Second action

    [ ] Ignore

    [ ] Delete

    [ ] Copy to quarantine

    [X] Move to quarantine

    [ ] Rename

    [ ] Prompt user

     

    Scan options

    [X] Enable warnings

    [X] Enable heuristics

    [ ] Show all files in log

    [X] Report file: vscan.log

    [ ] Append to existing report

     

    Summary:

     

    C:\WINDOWS\SYSTEM\dmonwv.dll Infected Trojan.Downloader.Qoologic.BC

    C:\WINDOWS\SYSTEM\dmonwv.dll Disinfection failed

    C:\WINDOWS\SYSTEM\dmonwv.dll Moved

    C:\WINDOWS\SYSTEM\pkdsregk.exe Infected Trojan.Downloader.Agent.KK

    C:\WINDOWS\SYSTEM\pkdsregk.exe Disinfection failed

    C:\WINDOWS\SYSTEM\pkdsregk.exe Moved

    C:\WINDOWS\bcgbkrm.exe Infected Trojan.Downloader.Qoologic.BC

    C:\WINDOWS\bcgbkrm.exe Disinfection failed

    C:\WINDOWS\bcgbkrm.exe Moved

    C:\WINDOWS\Application Data\Identities\{CDEE4B40-5890-11D7-B2C6-AA300FDD523B}\Microsoft\Outlook Express\A- Archive - Inbox.dbx=>(message 552)=>(base64) Infected Win32.Sober.Y@mm

    C:\WINDOWS\Application Data\Identities\{CDEE4B40-5890-11D7-B2C6-AA300FDD523B}\Microsoft\Outlook Express\A- Archive - Inbox.dbx=>(message 552)=>(base64) Disinfection failed

    C:\WINDOWS\Application Data\Identities\{CDEE4B40-5890-11D7-B2C6-AA300FDD523B}\Microsoft\Outlook Express\A- Archive - Inbox.dbx=>(message 552)=>(base64) Move failed

    C:\WINDOWS\Application Data\Identities\{CDEE4B40-5890-11D7-B2C6-AA300FDD523B}\Microsoft\Outlook Express\A- Archive - Inbox.dbx=>(message 10587)=>[subject: Delivery Status Notification (Failure)][Date: Wed, 3 Mar 2004 08:18:43 -0500]=>(MIME part)=>(message)=>[subject: Important notify about your e-mail acc][Date: Wed, 03 Mar 2004 08:15:14 -0500]=>(MIME part)=>Document.zip=>pucvwsoge.exe Infected Win32.Bagle.J@mm

    C:\WINDOWS\Application Data\Identities\{CDEE4B40-5890-11D7-B2C6-AA300FDD523B}\Microsoft\Outlook Express\A- Archive - Inbox.dbx=>(message 10587)=>[subject: Delivery Status Notification (Failure)][Date: Wed, 3 Mar 2004 08:18:43 -0500]=>(MIME part)=>(message)=>[subject: Important notify about your e-mail acc][Date: Wed, 03 Mar 2004 08:15:14 -0500]=>(MIME part)=>Document.zip=>pucvwsoge.exe Deleted

    C:\WINDOWS\Application Data\Identities\{CDEE4B40-5890-11D7-B2C6-AA300FDD523B}\Microsoft\Outlook Express\A- Archive - Inbox.dbx=>(message 10587)=>[subject: Delivery Status Notification (Failure)][Date: Wed, 3 Mar 2004 08:18:43 -0500]=>(MIME part)=>(message)=>[subject: Important notify about your e-mail acc][Date: Wed, 03 Mar 2004 08:15:14 -0500]=>(MIME part)=>Document.zip Update

    C:\WINDOWS\Application Data\Identities\{CDEE4B40-5890-11D7-B2C6-AA300FDD523B}\Microsoft\Outlook Express\A- Archive - Inbox.dbx=>(message 10587)=>[subject: Delivery Status Notification (Failure)][Date: Wed, 3 Mar 2004 08:18:43 -0500]=>(MIME part)=>(message)=>[subject: Important notify about your e-mail acc][Date: Wed, 03 Mar 2004 08:15:14 -0500]=>(MIME part) Update

    C:\WINDOWS\Application Data\Identities\{CDEE4B40-5890-11D7-B2C6-AA300FDD523B}\Microsoft\Outlook Express\A- Archive - Inbox.dbx=>(message 10587)=>[subject: Delivery Status Notification (Failure)][Date: Wed, 3 Mar 2004 08:18:43 -0500]=>(MIME part)=>(message) Update

    C:\WINDOWS\Application Data\Identities\{CDEE4B40-5890-11D7-B2C6-AA300FDD523B}\Microsoft\Outlook Express\A- Archive - Inbox.dbx=>(message 10587)=>[subject: Delivery Status Notification (Failure)][Date: Wed, 3 Mar 2004 08:18:43 -0500]=>(MIME part) Update

    C:\WINDOWS\Application Data\Identities\{CDEE4B40-5890-11D7-B2C6-AA300FDD523B}\Microsoft\Outlook Express\A- Archive - Inbox.dbx=>(message 10587) Update

    C:\WINDOWS\Application Data\Identities\{CDEE4B40-5890-11D7-B2C6-AA300FDD523B}\Microsoft\Outlook Express\A- Archive - Inbox.dbx Update failed

    C:\WINDOWS\Application Data\Identities\{CDEE4B40-5890-11D7-B2C6-AA300FDD523B}\Microsoft\Outlook Express\A- Archive - Inbox.dbx=>(message 10588)=>[subject: Important notify about your e-mail acc][Date: Wed, 03 Mar 2004 08:15:11 -0500]=>(MIME part)=>MoreInfo.zip=>pucvwsoge.exe Infected Win32.Bagle.J@mm

    C:\WINDOWS\Application Data\Identities\{CDEE4B40-5890-11D7-B2C6-AA300FDD523B}\Microsoft\Outlook Express\A- Archive - Inbox.dbx=>(message 10588)=>[subject: Important notify about your e-mail acc][Date: Wed, 03 Mar 2004 08:15:11 -0500]=>(MIME part)=>MoreInfo.zip=>pucvwsoge.exe Deleted

    C:\WINDOWS\Application Data\Identities\{CDEE4B40-5890-11D7-B2C6-AA300FDD523B}\Microsoft\Outlook Express\A- Archive - Inbox.dbx=>(message 10588)=>[subject: Important notify about your e-mail acc][Date: Wed, 03 Mar 2004 08:15:11 -0500]=>(MIME part)=>MoreInfo.zip Update

    C:\WINDOWS\Application Data\Identities\{CDEE4B40-5890-11D7-B2C6-AA300FDD523B}\Microsoft\Outlook Express\A- Archive - Inbox.dbx=>(message 10588)=>[subject: Important notify about your e-mail acc][Date: Wed, 03 Mar 2004 08:15:11 -0500]=>(MIME part) Update

    C:\WINDOWS\Application Data\Identities\{CDEE4B40-5890-11D7-B2C6-AA300FDD523B}\Microsoft\Outlook Express\A- Archive - Inbox.dbx=>(message 10588) Update

    C:\WINDOWS\Application Data\Identities\{CDEE4B40-5890-11D7-B2C6-AA300FDD523B}\Microsoft\Outlook Express\A- Archive - Inbox.dbx Update failed

    C:\WINDOWS\Application Data\Identities\{CDEE4B40-5890-11D7-B2C6-AA300FDD523B}\Microsoft\Outlook Express\A- Archive - Inbox.dbx=>(message 11732)=>[subject: Delivery Status Notification (Failure)][Date: Wed, 3 Mar 2004 08:18:43 -0500]=>(MIME part)=>(message)=>[subject: Important notify about your e-mail acc][Date: Wed, 03 Mar 2004 08:15:14 -0500]=>(MIME part)=>Document.zip=>pucvwsoge.exe Infected Win32.Bagle.J@mm

    C:\WINDOWS\Application Data\Identities\{CDEE4B40-5890-11D7-B2C6-AA300FDD523B}\Microsoft\Outlook Express\A- Archive - Inbox.dbx=>(message 11732)=>[subject: Delivery Status Notification (Failure)][Date: Wed, 3 Mar 2004 08:18:43 -0500]=>(MIME part)=>(message)=>[subject: Important notify about your e-mail acc][Date: Wed, 03 Mar 2004 08:15:14 -0500]=>(MIME part)=>Document.zip=>pucvwsoge.exe Deleted

    C:\WINDOWS\Application Data\Identities\{CDEE4B40-5890-11D7-B2C6-AA300FDD523B}\Microsoft\Outlook Express\A- Archive - Inbox.dbx=>(message 11732)=>[subject: Delivery Status Notification (Failure)][Date: Wed, 3 Mar 2004 08:18:43 -0500]=>(MIME part)=>(message)=>[subject: Important notify about your e-mail acc][Date: Wed, 03 Mar 2004 08:15:14 -0500]=>(MIME part)=>Document.zip Update

    C:\WINDOWS\Application Data\Identities\{CDEE4B40-5890-11D7-B2C6-AA300FDD523B}\Microsoft\Outlook Express\A- Archive - Inbox.dbx=>(message 11732)=>[subject: Delivery Status Notification (Failure)][Date: Wed, 3 Mar 2004 08:18:43 -0500]=>(MIME part)=>(message)=>[subject: Important notify about your e-mail acc][Date: Wed, 03 Mar 2004 08:15:14 -0500]=>(MIME part) Update

    C:\WINDOWS\Application Data\Identities\{CDEE4B40-5890-11D7-B2C6-AA300FDD523B}\Microsoft\Outlook Express\A- Archive - Inbox.dbx=>(message 11732)=>[subject: Delivery Status Notification (Failure)][Date: Wed, 3 Mar 2004 08:18:43 -0500]=>(MIME part)=>(message) Update

    C:\WINDOWS\Application Data\Identities\{CDEE4B40-5890-11D7-B2C6-AA300FDD523B}\Microsoft\Outlook Express\A- Archive - Inbox.dbx=>(message 11732)=>[subject: Delivery Status Notification (Failure)][Date: Wed, 3 Mar 2004 08:18:43 -0500]=>(MIME part) Update

    C:\WINDOWS\Application Data\Identities\{CDEE4B40-5890-11D7-B2C6-AA300FDD523B}\Microsoft\Outlook Express\A- Archive - Inbox.dbx=>(message 11732) Update

    C:\WINDOWS\Application Data\Identities\{CDEE4B40-5890-11D7-B2C6-AA300FDD523B}\Microsoft\Outlook Express\A- Archive - Inbox.dbx Update failed

    C:\WINDOWS\Application Data\Identities\{CDEE4B40-5890-11D7-B2C6-AA300FDD523B}\Microsoft\Outlook Express\A- Archive - Inbox.dbx=>(message 11733)=>[subject: Important notify about your e-mail acc][Date: Wed, 03 Mar 2004 08:15:11 -0500]=>(MIME part)=>MoreInfo.zip=>pucvwsoge.exe Infected Win32.Bagle.J@mm

    C:\WINDOWS\Application Data\Identities\{CDEE4B40-5890-11D7-B2C6-AA300FDD523B}\Microsoft\Outlook Express\A- Archive - Inbox.dbx=>(message 11733)=>[subject: Important notify about your e-mail acc][Date: Wed, 03 Mar 2004 08:15:11 -0500]=>(MIME part)=>MoreInfo.zip=>pucvwsoge.exe Deleted

    C:\WINDOWS\Application Data\Identities\{CDEE4B40-5890-11D7-B2C6-AA300FDD523B}\Microsoft\Outlook Express\A- Archive - Inbox.dbx=>(message 11733)=>[subject: Important notify about your e-mail acc][Date: Wed, 03 Mar 2004 08:15:11 -0500]=>(MIME part)=>MoreInfo.zip Update

    C:\WINDOWS\Application Data\Identities\{CDEE4B40-5890-11D7-B2C6-AA300FDD523B}\Microsoft\Outlook Express\A- Archive - Inbox.dbx=>(message 11733)=>[subject: Important notify about your e-mail acc][Date: Wed, 03 Mar 2004 08:15:11 -0500]=>(MIME part) Update

    C:\WINDOWS\Application Data\Identities\{CDEE4B40-5890-11D7-B2C6-AA300FDD523B}\Microsoft\Outlook Express\A- Archive - Inbox.dbx=>(message 11733) Update

    C:\WINDOWS\Application Data\Identities\{CDEE4B40-5890-11D7-B2C6-AA300FDD523B}\Microsoft\Outlook Express\A- Archive - Inbox.dbx Update failed

    C:\WINDOWS\Application Data\Identities\{66308FCE-0639-4DA7-AED3-9700A8CD8D92}\Microsoft\Outlook Express\Inbox.dbx=>(message 732)=>[subject: Delivery Status Notification (Failure)][Date: Wed, 3 Mar 2004 08:18:43 -0500]=>(MIME part)=>(message)=>[subject: Important notify about your e-mail acc][Date: Wed, 03 Mar 2004 08:15:14 -0500]=>(MIME part)=>Document.zip=>pucvwsoge.exe Infected Win32.Bagle.J@mm

    C:\WINDOWS\Application Data\Identities\{66308FCE-0639-4DA7-AED3-9700A8CD8D92}\Microsoft\Outlook Express\Inbox.dbx=>(message 732)=>[subject: Delivery Status Notification (Failure)][Date: Wed, 3 Mar 2004 08:18:43 -0500]=>(MIME part)=>(message)=>[subject: Important notify about your e-mail acc][Date: Wed, 03 Mar 2004 08:15:14 -0500]=>(MIME part)=>Document.zip=>pucvwsoge.exe Deleted

    C:\WINDOWS\Application Data\Identities\{66308FCE-0639-4DA7-AED3-9700A8CD8D92}\Microsoft\Outlook Express\Inbox.dbx=>(message 732)=>[subject: Delivery Status Notification (Failure)][Date: Wed, 3 Mar 2004 08:18:43 -0500]=>(MIME part)=>(message)=>[subject: Important notify about your e-mail acc][Date: Wed, 03 Mar 2004 08:15:14 -0500]=>(MIME part)=>Document.zip Update

    C:\WINDOWS\Application Data\Identities\{66308FCE-0639-4DA7-AED3-9700A8CD8D92}\Microsoft\Outlook Express\Inbox.dbx=>(message 732)=>[subject: Delivery Status Notification (Failure)][Date: Wed, 3 Mar 2004 08:18:43 -0500]=>(MIME part)=>(message)=>[subject: Important notify about your e-mail acc][Date: Wed, 03 Mar 2004 08:15:14 -0500]=>(MIME part) Update

    C:\WINDOWS\Application Data\Identities\{66308FCE-0639-4DA7-AED3-9700A8CD8D92}\Microsoft\Outlook Express\Inbox.dbx=>(message 732)=>[subject: Delivery Status Notification (Failure)][Date: Wed, 3 Mar 2004 08:18:43 -0500]=>(MIME part)=>(message) Update

    C:\WINDOWS\Application Data\Identities\{66308FCE-0639-4DA7-AED3-9700A8CD8D92}\Microsoft\Outlook Express\Inbox.dbx=>(message 732)=>[subject: Delivery Status Notification (Failure)][Date: Wed, 3 Mar 2004 08:18:43 -0500]=>(MIME part) Update

    C:\WINDOWS\Application Data\Identities\{66308FCE-0639-4DA7-AED3-9700A8CD8D92}\Microsoft\Outlook Express\Inbox.dbx=>(message 732) Update

    C:\WINDOWS\Application Data\Identities\{66308FCE-0639-4DA7-AED3-9700A8CD8D92}\Microsoft\Outlook Express\Inbox.dbx Update failed

    C:\WINDOWS\Application Data\Identities\{66308FCE-0639-4DA7-AED3-9700A8CD8D92}\Microsoft\Outlook Express\Inbox.dbx=>(message 733)=>[subject: Important notify about your e-mail acc][Date: Wed, 03 Mar 2004 08:15:11 -0500]=>(MIME part)=>MoreInfo.zip=>pucvwsoge.exe Infected Win32.Bagle.J@mm

    C:\WINDOWS\Application Data\Identities\{66308FCE-0639-4DA7-AED3-9700A8CD8D92}\Microsoft\Outlook Express\Inbox.dbx=>(message 733)=>[subject: Important notify about your e-mail acc][Date: Wed, 03 Mar 2004 08:15:11 -0500]=>(MIME part)=>MoreInfo.zip=>pucvwsoge.exe Deleted

    C:\WINDOWS\Application Data\Identities\{66308FCE-0639-4DA7-AED3-9700A8CD8D92}\Microsoft\Outlook Express\Inbox.dbx=>(message 733)=>[subject: Important notify about your e-mail acc][Date: Wed, 03 Mar 2004 08:15:11 -0500]=>(MIME part)=>MoreInfo.zip Update

    C:\WINDOWS\Application Data\Identities\{66308FCE-0639-4DA7-AED3-9700A8CD8D92}\Microsoft\Outlook Express\Inbox.dbx=>(message 733)=>[subject: Important notify about your e-mail acc][Date: Wed, 03 Mar 2004 08:15:11 -0500]=>(MIME part) Update

    C:\WINDOWS\Application Data\Identities\{66308FCE-0639-4DA7-AED3-9700A8CD8D92}\Microsoft\Outlook Express\Inbox.dbx=>(message 733) Update

    C:\WINDOWS\Application Data\Identities\{66308FCE-0639-4DA7-AED3-9700A8CD8D92}\Microsoft\Outlook Express\Inbox.dbx Update failed

    C:\WINDOWS\Start Menu\Programs\StartUp\sfutg.exe Infected Trojan.Downloader.Qoologic.BC

    C:\WINDOWS\Start Menu\Programs\StartUp\sfutg.exe Disinfection failed

    C:\WINDOWS\Start Menu\Programs\StartUp\sfutg.exe Moved

    C:\WINDOWS\Local Settings\Application Data\Microsoft\Outlook\archive.pst=>[subject: Information][From: Patrick Kariuki]=>(body)=>(Compressed Rtf)=>(Rtf2Html) Infected JS.Kak.Gen@mm

    C:\WINDOWS\Local Settings\Application Data\Microsoft\Outlook\archive.pst=>[subject: Information][From: Patrick Kariuki]=>(body)=>(Compressed Rtf)=>(Rtf2Html) Deleted

    C:\WINDOWS\Local Settings\Application Data\Microsoft\Outlook\archive.pst=>[subject: Information][From: Patrick Kariuki]=>(body)=>(Compressed Rtf) Update failed

    C:\WINDOWS\Local Settings\Application Data\Microsoft\Outlook\archive.pst=>[subject: Request][From: The Josephites Society, Iperu-Remo, Nigeria]=>(body)=>(Compressed Rtf)=>(Rtf2Html) Infected JS.Kak.Gen@mm

    C:\WINDOWS\Local Settings\Application Data\Microsoft\Outlook\archive.pst=>[subject: Request][From: The Josephites Society, Iperu-Remo, Nigeria]=>(body)=>(Compressed Rtf)=>(Rtf2Html) Deleted

    C:\WINDOWS\Local Settings\Application Data\Microsoft\Outlook\archive.pst=>[subject: Request][From: The Josephites Society, Iperu-Remo, Nigeria]=>(body)=>(Compressed Rtf) Update failed

    C:\WINDOWS\Local Settings\Application Data\Microsoft\Outlook\archive.pst=>[subject: Fw: status of agreement][From: USO Kuwait]=>(body)=>(Compressed Rtf)=>(JAVASCRIPT 1) Infected JS.Kak.G@mm

    C:\WINDOWS\Local Settings\Application Data\Microsoft\Outlook\archive.pst=>[subject: Fw: status of agreement][From: USO Kuwait]=>(body)=>(Compressed Rtf)=>(JAVASCRIPT 1) Deleted

    C:\WINDOWS\Local Settings\Application Data\Microsoft\Outlook\archive.pst=>[subject: Fw: status of agreement][From: USO Kuwait]=>(body)=>(Compressed Rtf) Update

    C:\WINDOWS\Local Settings\Application Data\Microsoft\Outlook\archive.pst=>[subject: Fw: status of agreement][From: USO Kuwait]=>(body) Update failed

    C:\WINDOWS\qhyxy.exe Infected Trojan.Downloader.Qoologic.BC

    C:\WINDOWS\qhyxy.exe Disinfection failed

    C:\WINDOWS\qhyxy.exe Moved

    C:\WINDOWS\awisam.exe Infected Trojan.Downloader.Qoologic.BC

    C:\WINDOWS\awisam.exe Disinfection failed

    C:\WINDOWS\awisam.exe Moved

    C:\WINDOWS\guwwl.dat Infected Trojan.Downloader.Qoologic.BC

    C:\WINDOWS\guwwl.dat Disinfection failed

    C:\WINDOWS\guwwl.dat Moved

    C:\WINDOWS\unwn.exe Infected Trojan.Downloader.Qoologic.BC

    C:\WINDOWS\unwn.exe Disinfection failed

    C:\WINDOWS\unwn.exe Moved

    C:\WINDOWS\geitqux.dll Infected Trojan.Downloader.Qoologic.BJ

    C:\WINDOWS\geitqux.dll Deleted

    C:\My Documents\IomegaVaioBackup\America Online 4.0b\download\Hijacking\HijackThis Log Files\backups\backup-20060615-183241-344-sfutg.exe Infected Trojan.Downloader.Qoologic.BC

    C:\My Documents\IomegaVaioBackup\America Online 4.0b\download\Hijacking\HijackThis Log Files\backups\backup-20060615-183241-344-sfutg.exe Disinfection failed

    C:\My Documents\IomegaVaioBackup\America Online 4.0b\download\Hijacking\HijackThis Log Files\backups\backup-20060615-183241-344-sfutg.exe Moved

    C:\My Documents\IomegaVaioBackup\America Online 4.0b\download\Hijacking\HijackThis Log Files\backups\backup-20060616-181426-388-sfutg.exe Infected Trojan.Downloader.Qoologic.BC

    C:\My Documents\IomegaVaioBackup\America Online 4.0b\download\Hijacking\HijackThis Log Files\backups\backup-20060616-181426-388-sfutg.exe Disinfection failed

    C:\My Documents\IomegaVaioBackup\America Online 4.0b\download\Hijacking\HijackThis Log Files\backups\backup-20060616-181426-388-sfutg.exe Moved

    C:\My Documents\IomegaVaioBackup\America Online 4.0b\download\Hijacking\HijackThis Log Files\backups\backup-20060616-181921-424-sfutg.exe Infected Trojan.Downloader.Qoologic.BC

    C:\My Documents\IomegaVaioBackup\America Online 4.0b\download\Hijacking\HijackThis Log Files\backups\backup-20060616-181921-424-sfutg.exe Disinfection failed

    C:\My Documents\IomegaVaioBackup\America Online 4.0b\download\Hijacking\HijackThis Log Files\backups\backup-20060616-181921-424-sfutg.exe Moved

    C:\Program Files\Outlook Express Backup Wizard\Backups\OEBackup03-24-2006.oeb=>{CDEE4B40-5890-11D7-B2C6-AA300FDD523B}/Inbox.dbx=>(message 2098)=>(base64) Infected Win32.Sober.Y@mm

    C:\Program Files\Outlook Express Backup Wizard\Backups\OEBackup03-24-2006.oeb=>{CDEE4B40-5890-11D7-B2C6-AA300FDD523B}/Inbox.dbx=>(message 2098)=>(base64) Disinfection failed

    C:\Program Files\Outlook Express Backup Wizard\Backups\OEBackup03-24-2006.oeb=>{CDEE4B40-5890-11D7-B2C6-AA300FDD523B}/Inbox.dbx=>(message 2098)=>(base64) Move failed

    C:\command.exe Infected Trojan.Dropper.Delf.EV

    C:\command.exe Disinfection failed

    C:\command.exe Moved

    C:\ZIGID003.exe Infected Trojan.Downloader.Agent.KK

    C:\ZIGID003.exe Disinfection failed

    C:\ZIGID003.exe Moved

    C:\visfx500.exe Infected MemScan:Trojan.Dropper.Agent.AIE

    C:\visfx500.exe Disinfection failed

    C:\visfx500.exe Moved

    C:\NNSCAA638.EXE Detected: Application.Adware.NewDotNet.B.Dropper

    C:\NNSCAA638.EXE Deleted

    C:\installerwnus.exe Infected Trojan.Downloader.Qoologic.BC

    C:\installerwnus.exe Disinfection failed

    C:\installerwnus.exe Moved

    C:\526_620.exe Infected Dropped:Trojan.Clicker.VB.BX

    C:\526_620.exe Disinfection failed

    C:\526_620.exe Moved

     

     

    ---------------------------------------------------------------------

    ---------------------------------------------------------------------

     

    Hijack This Log:

     

     

    Logfile of HijackThis v1.99.1

    Scan saved at 11:33:12 PM, on 06/17/2006

    Platform: Windows 98 SE (Win9x 4.10.2222A)

    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

     

    Running processes:

    C:\WINDOWS\SYSTEM\KERNEL32.DLL

    C:\WINDOWS\SYSTEM\MSGSRV32.EXE

    C:\WINDOWS\SYSTEM\SPOOL32.EXE

    C:\WINDOWS\SYSTEM\MPREXE.EXE

    C:\WINDOWS\SYSTEM\WINMODEM.101\wmexe.exe

    C:\WINDOWS\SYSTEM\MSTASK.EXE

    C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE

    C:\WINDOWS\SYSTEM\MDM.EXE

    C:\PROGRAM FILES\COMMON FILES\SOFTWIN\BITDEFENDER COMMUNICATOR\XCOMMSVR.EXE

    C:\PROGRAM FILES\COMMON FILES\SOFTWIN\BITDEFENDER SCAN SERVER\BDSS.EXE

    C:\WINDOWS\SYSTEM\RPCSS.EXE

    C:\WINDOWS\SYSTEM\mmtask.tsk

    C:\WINDOWS\EXPLORER.EXE

    C:\WINDOWS\TASKMON.EXE

    C:\WINDOWS\SYSTEM\SYSTRAY.EXE

    C:\PROGRAM FILES\VERITAS SOFTWARE\UPDATE MANAGER\SGTRAY.EXE

    C:\WINDOWS\SYSTEM\STIMON.EXE

    C:\WINDOWS\TPPALDR.EXE

    C:\WINDOWS\STARTER.EXE

    C:\PROGRAM FILES\MICROSOFT HARDWARE\MOUSE\POINT32.EXE

    C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE

    C:\PROGRAM FILES\SOFTWIN\BITDEFENDER8\BDMCON.EXE

    C:\PROGRAM FILES\SOFTWIN\BITDEFENDER8\BDNAGENT.EXE

    C:\WINDOWS\AWISAM.EXE

    C:\PROGRAM FILES\WINFAX\WFXCTL32.EXE

    C:\WINDOWS\QHYXY.EXE

    C:\WINDOWS\QHYXY.EXE

    C:\WINDOWS\QHYXY.EXE

    C:\WINDOWS\SYSTEM\WMIEXE.EXE

    C:\WINDOWS\SYSTEM\TAPISRV.EXE

    C:\PROGRAM FILES\WINFAX\WFXMOD32.EXE

    C:\PROGRAM FILES\SOFTWIN\BITDEFENDER8\BDNEWS.EXE

    C:\MY DOCUMENTS\IOMEGAVAIOBACKUP\AMERICA ONLINE 4.0B\DOWNLOAD\HIJACKING\HIJACKTHIS LOG FILES\HIJACKTHIS.EXE

     

    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1.3\SDHELPER.DLL

    O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX

    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll

    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll

    O4 - HKLM\..\Run: [scanRegistry] c:\windows\scanregw.exe /autorun

    O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe

    O4 - HKLM\..\Run: [systemTray] SysTray.Exe

    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme

    O4 - HKLM\..\Run: [storageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r

    O4 - HKLM\..\Run: [stillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE

    O4 - HKLM\..\Run: [TPP Auto Loader] C:\WINDOWS\TPPALDR.EXE

    O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe

    O4 - HKLM\..\Run: [POINTER] C:\Program Files\Microsoft Hardware\Mouse\point32.exe

    O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"

    O4 - HKLM\..\Run: [ccRegVfy] "c:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"

    O4 - HKLM\..\Run: [symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMON.EXE /Consumer

    O4 - HKLM\..\Run: [bDMCon] "C:\Program Files\Softwin\BitDefender8\bdmcon.exe"

    O4 - HKLM\..\Run: [bDNewsAgent] "C:\Program Files\Softwin\BitDefender8\bdnagent.exe"

    O4 - HKLM\..\Run: [aomkyk] C:\WINDOWS\awisam.exe reg_run

    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme

    O4 - HKLM\..\RunServices: [winmodem] WINMODEM.101\wmexe.exe

    O4 - HKLM\..\RunServices: [schedulingAgent] mstask.exe

    O4 - HKLM\..\RunServices: [ccEvtMgr] "c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"

    O4 - HKLM\..\RunServices: [scriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg

    O4 - HKLM\..\RunServices: [Machine Debug Manager] C:\WINDOWS\SYSTEM\MDM.EXE

    O4 - HKLM\..\RunServices: [bitDefender Communicator] "C:\Program Files\Common Files\Softwin\BitDefender Communicator\\xcommsvr.exe"

    O4 - HKLM\..\RunServices: [bitDefender Scan Server] "C:\Program Files\Common Files\Softwin\BitDefender Scan Server\\bdss.exe"

    O4 - HKLM\..\RunServices: [bitDefender Live! Init] "C:\Program Files\Softwin\BitDefender8\bdinit.exe"

    O4 - HKCU\..\Run: [vltmb] C:\WINDOWS\awisam.exe reg_run

    O4 - Startup: Status Monitor.lnk = C:\Program Files\XEROX_XD\ENGSS.EXE

    O4 - Startup: Controller.LNK = C:\Program Files\WinFax\WFXCTL32.EXE

    O4 - Startup: sfutg.exe

    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

    O8 - Extra context menu item: Advanced Email Extractor - res://C:\PROGRAM%20FILES\ADVANCED%20EMAIL%20EXTRACTOR%20PRO\AEEPMSIE.DLL/page.html

    O8 - Extra context menu item: Scan link with AEE - res://C:\PROGRAM%20FILES\ADVANCED%20EMAIL%20EXTRACTOR%20PRO\AEEPMSIE.DLL/link.html

    O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsearch.html

    O8 - Extra context menu item: &Translate English Word - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmwordtrans.html

    O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmcache.html

    O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsimilar.html

    O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmbacklinks.html

    O8 - Extra context menu item: Translate Page into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmtrans.html

    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll

    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)

    O9 - Extra button: Email Extractor - {AFA7DB99-3E4D-4396-94F8-B0B135BCB472} - res://C:\PROGRAM%20FILES\ADVANCED%20EMAIL%20EXTRACTOR%20PRO\AEEPMSIE.DLL/page.html (file missing) (HKCU)

    O9 - Extra 'Tools' menuitem: Advanced Email Extractor - {AFA7DB99-3E4D-4396-94F8-B0B135BCB472} - res://C:\PROGRAM%20FILES\ADVANCED%20EMAIL%20EXTRACTOR%20PRO\AEEPMSIE.DLL/page.html (file missing) (HKCU)

    O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll

    O16 - DPF: {CAFEEFAC-0014-0001-0000-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1) -

    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.4.1) -

    0
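    The two logs above answer different questions: the BitDefender summary says what was detected and whether each object was moved, deleted or left in place, while the HijackThis log shows which autostart entries and running processes still point at those files (awisam.exe is still in two Run keys and running, sfutg.exe is still in Startup). Below is an added Python example, not code from the thread, BitDefender or HijackThis, that parses a constructed excerpt of each log and cross-references them so the leftover persistence entries stand out. The outcome labels ("quarantined", "deleted", "still present") are this script's own naming, not BitDefender's.

```python
"""Cross-check a BitDefender 8 scan summary against a HijackThis 1.99 log.

Added example for this thread, not BitDefender's, HijackThis's or the forum's own
code. Both excerpts are constructed from the logs posted above; outcome labels are ours.
"""
import re

# Constructed excerpt of the BitDefender "Summary:" block (one status per line, paths as posted).
BD_SUMMARY = r"""
C:\WINDOWS\Start Menu\Programs\StartUp\sfutg.exe Infected Trojan.Downloader.Qoologic.BC
C:\WINDOWS\Start Menu\Programs\StartUp\sfutg.exe Disinfection failed
C:\WINDOWS\Start Menu\Programs\StartUp\sfutg.exe Moved
C:\WINDOWS\qhyxy.exe Infected Trojan.Downloader.Qoologic.BC
C:\WINDOWS\qhyxy.exe Disinfection failed
C:\WINDOWS\qhyxy.exe Moved
C:\WINDOWS\awisam.exe Infected Trojan.Downloader.Qoologic.BC
C:\WINDOWS\awisam.exe Disinfection failed
C:\WINDOWS\awisam.exe Moved
C:\WINDOWS\geitqux.dll Infected Trojan.Downloader.Qoologic.BJ
C:\WINDOWS\geitqux.dll Deleted
C:\NNSCAA638.EXE Detected: Application.Adware.NewDotNet.B.Dropper
C:\NNSCAA638.EXE Deleted
C:\Program Files\Outlook Express Backup Wizard\Backups\OEBackup03-24-2006.oeb=>{CDEE4B40-5890-11D7-B2C6-AA300FDD523B}/Inbox.dbx=>(message 2098)=>(base64) Infected Win32.Sober.Y@mm
C:\Program Files\Outlook Express Backup Wizard\Backups\OEBackup03-24-2006.oeb=>{CDEE4B40-5890-11D7-B2C6-AA300FDD523B}/Inbox.dbx=>(message 2098)=>(base64) Disinfection failed
C:\Program Files\Outlook Express Backup Wizard\Backups\OEBackup03-24-2006.oeb=>{CDEE4B40-5890-11D7-B2C6-AA300FDD523B}/Inbox.dbx=>(message 2098)=>(base64) Move failed
"""

# Constructed excerpt of the HijackThis log (running processes plus O4 autostart entries).
HJT_LOG = r"""
Running processes:
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\AWISAM.EXE
C:\WINDOWS\QHYXY.EXE
C:\WINDOWS\QHYXY.EXE

O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [aomkyk] C:\WINDOWS\awisam.exe reg_run
O4 - HKCU\..\Run: [vltmb] C:\WINDOWS\awisam.exe reg_run
O4 - Startup: sfutg.exe
O4 - Startup: Controller.LNK = C:\Program Files\WinFax\WFXCTL32.EXE
"""

# A summary line is "<object> <status>"; objects contain spaces, so anchor on the known statuses.
STATUS_RE = re.compile(
    r"^(?P<obj>.+?) (?P<status>Infected .+|Detected: .+|Disinfection failed|"
    r"Move failed|Update failed|Moved|Deleted|Update)$"
)


def parse_bd_summary(text):
    """Group summary lines by object: {object: {"name": detection name, "events": [...]}}."""
    objects = {}
    for line in text.strip().splitlines():
        m = STATUS_RE.match(line.strip())
        if not m:
            continue
        rec = objects.setdefault(m.group("obj"), {"name": None, "events": []})
        status = m.group("status")
        if status.startswith(("Infected ", "Detected: ")):
            rec["name"] = status.split(" ", 1)[1]
        else:
            rec["events"].append(status)
    return objects


def outcome(rec):
    """Collapse an object's event lines into one disposition (our own labels)."""
    ev = rec["events"]
    if "Moved" in ev:
        return "quarantined"
    if "Deleted" in ev:
        return "deleted"
    if "Move failed" in ev or "Disinfection failed" in ev:
        return "still present"
    return "unresolved"


def basename(obj):
    """File-system name of the outermost object (container chain after '=>' is dropped)."""
    return re.split(r"[\\/]", obj.split("=>")[0])[-1]


def parse_hjt(text):
    """Return (running process paths, O4 autostart lines) from a HijackThis log."""
    procs, autostarts, in_procs = [], [], False
    for line in text.strip().splitlines():
        line = line.strip()
        if line == "Running processes:":
            in_procs = True
        elif not line:
            in_procs = False          # blank line ends the process list
        elif in_procs:
            procs.append(line)
        elif line.startswith("O4 - "):
            autostarts.append(line)
    return procs, autostarts


def cross_reference(bd_text, hjt_text):
    """For every object BitDefender acted on, list HJT lines that still name its file."""
    procs, autostarts = parse_hjt(hjt_text)
    report = {}
    for obj, rec in parse_bd_summary(bd_text).items():
        base = basename(obj).lower()
        refs = [l for l in procs + autostarts if base in l.lower()]
        report[obj] = {"name": rec["name"], "outcome": outcome(rec), "refs": refs}
    return report


if __name__ == "__main__":
    for obj, info in cross_reference(BD_SUMMARY, HJT_LOG).items():
        print(f"{basename(obj)}: {info['name']} -> {info['outcome']}")
        for ref in info["refs"]:
            print(f"    still referenced: {ref}")
```

    On the constructed excerpt this reports awisam.exe as quarantined yet still referenced by two Run keys and a running process, qhyxy.exe as quarantined but running, sfutg.exe as quarantined but still listed under Startup, and the Sober sample inside the Outlook Express backup as still present because the move failed. Those are exactly the items a helper would want to revisit after a reboot, which is why the quarantine count in the statistics block alone is not enough.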
  • Support

    The 29 files on the desktop are probably something BitDefender did. I'll need to take a look at them.

     

    Please make a new folder on your desktop and name it BitDefenderFiles

    Drag and drop each of those 29 files into the folder.

    Put the folder into a zip file.

    Upload the zip folder here

    http://www.thespykiller.co.uk/forum/index.php?board=1.0

    Just press new topic (Make the subject: For CalamityJane from at LS ),

    fill in a short message & then press the browse button and then navigate to & select the file on your desktop named BitDefenderFiles.zip. Highlight it and press *open*. Then you will see the file name in the white box for attachments. Press the *post* button to upload the file and your message. I can get it from there.

     

    (Do not post HJT logs there as they will not get dealt with)

     

    You DO NOT need to be a member to upload, anybody can upload the files

     

    You will not see the files that have been uploaded as they only show to the authorized users who can download them

    ..........................................................

    Qoologic trojan is proving to be a problem, as I expected.

     

    Please do this next:

    Try the Kaspersky free online scanner.

    http://www.kaspersky.com/virusscanner

     

    Copy the report at the end and post the results back here.

    It will not remove anything found, but I just want to see the log results.

    0
  • Customer

    So I must connect to the internet in normal mode to perform the online Kaspersky scan. Should I be taking any precautionary measures to protect my system from further virus duplication? Also, is it safe to run an online scan? Would they have access to any of my files?

    0
  • Customer

    I just uploaded the 29 files (BitDefenderFiles) at the link you provided. I am in the process of installing and scanning MWAV.

    0
  • Support

    I really just need a log to see what is left. You can download this free tool as an alternative (it uses the kaspersky engine so should be close in results to KAV). It does not need any updates (already included)

     

    MicroWorld AntiVirus Toolkit Utility (MWAV)

    http://www.mwti.net/products/mwav/mwav.asp

    (Please note that the FREE version will only scan your computer and NOT clean any infection that it finds.) <---which is OK for now, I just want to see the log. It will be rather long and probably too big to post here.

    Upload a copy of the log here:

    Go here to upload the log as an attachment

    http://www.thespykiller.co.uk/forum/index.php?board=1.0

    Just press new topic (Make the subject: For CalamityJane from cwwllc at LS ),

    fill in a short message & then press the browse button and then navigate to & select the log file on your computer, press the *Post* button to upload the file. I can collect it from there.

     

    You DO NOT need to be a member to upload, anybody can upload the files

     

    You will not see the files that have been uploaded as they only show to the authorized users who can download them

    0
  • Support

    I got the files. All are 0 bytes and I haven't a clue why BitDefender put them on your desktop, but they don't look like anything you need to keep, so I would just delete that folder.

    0
  • Support

    Ok, I figured it was the Qoo infection.

     

    It's ok for this scan to do in normal mode only because I just need the log (and we aren't cleaning with that tool) But, I thought you said you couldn't get into safe mode? I guess you can now get into safe mode? Was the Bit Defender scan in safe mode?

    0
  • Customer

    MWAV is currently scanning, in normal mode (I forgot to use safe mode - I hope it won't make much of a difference). Thus far, it has found 21 critical objects of which the majority is TrojanDownloader.Win32.Qoologic.bj as follows:

     

    TrojanDownloader.Win32.Qoologic.bj

    Smitfraud Browser Hijacker

    Precision Popup Spyware/Adware

     

    I'll upload the log at the link you provided when it finishes.

    0
  • Customer

    I can get into Safe Mode fine. My problem was starting BitDefender in safe mode. Their support team told me that it must be started using the command prompt, which was confusing (see instructions link: http://kb.bitdefender.com/site/viewArticle...nd_Prompt.html). That is why I ran BitDefender in normal mode, the only mode I could get it to start in.

     

    The scan is still running.

    0
  • Support

    No, I can't tell from the logs we've seen.

    0
  • Customer

    So far, with all the logs that I've posted, do you think any of my MS Office files have been corrupted/compromised? Would opening any of them infect them or compromise them, etc.?

    0
  • Customer

    MWAV finished scanning. However, I am unable to open the log file. It is too large for Notepad and when it attempts to open it in WordPad it freezes. I'm not sure what to do next. If I click OK and close the program will it save a log onto the hard drive? I'm not sure if it does.

     

    It found the following:

     

    Ttl Critical Objects: 41

    Ttl Errors: 67

    0
  • Support

    Arrrgh, I wish I could remember with Windows98. Go ahead and click ok and see if a log was saved. If so, instead of opening try to upload to here:

    http://www.thespykiller.co.uk/forum/index.php?topic=1909.0

    (press reply and attach the log)

     

    I'm feeling awful at my ineptness with Windows98 and trying to help you. I'll try to find someone who is more up to speed on Win98 than I am to step in here.

    0