Hi everyone

My Internet access appears to have been restricted by some nasty viruses. My main worry is lack of access to Windows Update and Hotmail. Unfortunately I couldn't download Superantispyware or Adaware 2007 successfully.

Here is my Hijack log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:01:20, on 05/08/2007
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\PROGRAM FILES\COMMON FILES\EPSON\EBAPI\SAGENT2.EXE
C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
C:\PROGRAM FILES\KERIO\PERSONAL FIREWALL 4\KPF4SS.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\KB918547\KB918547.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\KERIO\PERSONAL FIREWALL 4\KPF4GUI.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\SYSTEM\WBEM\WINMGMT.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\IRMON.EXE
C:\WINDOWS\SYSTEM\ESB.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\PCTVOICE.EXE
C:\WINDOWS\SYSTEM\CHTVINIT.EXE
C:\PROGRAM FILES\TRUST\AMI MOUSE 300 CORDLESS DUAL SCROLL\AMOUMAIN.EXE
C:\PROGRAM FILES\THOMSON\SPEEDTOUCH USB\DRAGDIAG.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\MSN APPS\UPDATER\01.03.0000.1005\EN-US\MSNAPPAU.EXE
C:\PROGRAM FILES\FINEPIXVIEWER\QUICKDCF2.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\PROGRAM FILES\TREND MICRO\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://uk.weather.yahoo.com/UKXX/UKXX1159/index_c.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.wanadoo.co.uk
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Wanadoo
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\PROGRAM FILES\MSN APPS\MSN TOOLBAR\01.02.5000.1021\EN-US\MSNTB.DLL
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\PROGRAM FILES\MSN APPS\ST\01.03.0000.1005\EN-XU\STMAIN.DLL
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\PROGRAM FILES\MSN APPS\MSN TOOLBAR\01.02.5000.1021\EN-US\MSNTB.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [IrMon] irmon.exe
O4 - HKLM\..\Run: [ESB] C:\WINDOWS\SYSTEM\ESB.exe
O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [PCTVOICE] pctvoice.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ChrontelInitTV] CHTVINIT.EXE
O4 - HKLM\..\Run: [ActivSurf] C:\apps\ActivSurf\4448364\Program\backweb-4448364.exe
O4 - HKLM\..\Run: [WheelMouse] Amoumain.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.03.0000.1005\en-us\msnappau.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [SAgent2ExePath] C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
O4 - HKLM\..\RunServices: [KPF4] C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\RunServices: [KB918547] C:\WINDOWS\SYSTEM\KB918547\KB918547.EXE
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKUS\.DEFAULT\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe" (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background (User 'Default user')
O4 - .DEFAULT Startup: Testbase Key Stage 3 Science.lnk = C:\Program Files\Testbase32\Testbase32.exe (User 'Default user')
O4 - .DEFAULT Startup: Exif Launcher 2.lnk = C:\Program Files\FinePixViewer\QuickDCF2.exe (User 'Default user')
O4 - Startup: Testbase Key Stage 3 Science.lnk = C:\Program Files\Testbase32\Testbase32.exe
O4 - Startup: Exif Launcher 2.lnk = C:\Program Files\FinePixViewer\QuickDCF2.exe
O8 - Extra context menu item: Search with Wanadoo - res://C:\PROGRA~1\WANADOO\WSBAR\WSBAR.DLL/VSearch.htm
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O12 - Plugin for .pdb: C:\PROGRA~1\INTERN~1\PLUGINS\NPCHIME.DLL
O14 - IERESET.INF: START_PAGE_URL=http://www.wanadoo.co.uk
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by101fd.bay101.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_ansi.cab

--
End of file - 6145 bytes

Here is my Panda scan:

Incident Status Location

Adware:adware/windowenhancer Not disinfected c:\windows\system\SBUtils
Spyware:Cookie/Atlas DMT Not disinfected C:\WINDOWS\Cookies\kirsty@atdmt[2].txt
Spyware:Cookie/Yadro Not disinfected C:\WINDOWS\Cookies\kirsty@yadro[1].txt
Spyware:Cookie/Serving-sys Not disinfected C:\WINDOWS\Cookies\kirsty@serving-sys[1].txt
Spyware:Cookie/Serving-sys Not disinfected C:\WINDOWS\Cookies\kirsty@bs.serving-sys[2].txt
Spyware:Cookie/RealMedia Not disinfected C:\WINDOWS\Cookies\kirsty@realmedia[2].txt
Spyware:Cookie/QuestionMarket Not disinfected C:\WINDOWS\Cookies\kirsty@questionmarket[1].txt
Spyware:Cookie/Overture Not disinfected C:\WINDOWS\Cookies\kirsty@overture[1].txt
Spyware:Cookie/2o7 Not disinfected C:\WINDOWS\Cookies\kirsty@2o7[2].txt
Adware:Adware/CWS.Aboutblank Not disinfected C:\My Documents\Kirsty\AS\SFPU\backups\backup-20050309-175855-499.dll
Adware:Adware/CWS.Aboutblank Not disinfected C:\My Documents\Kirsty\AS\SFPU\backups\backup-20050311-175756-159.dll
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\Program Files\%systemdrive%\ComboFix\nircmd.exe
Spyware:Cookie/Serving-sys Not disinfected C:\FILE008B.CHK
Spyware:Cookie/Yadro Not disinfected C:\FILE008F.CHK
Spyware:Cookie/Ccbill Not disinfected C:\FILE00BE.CHK
Spyware:Cookie/cs.sexcounter Not disinfected C:\FILE00CA.CHK
Spyware:Cookie/Statcounter Not disinfected C:\FILE00DC.CHK
Here is my Kaspersky scan:

KASPERSKY ONLINE SCANNER REPORT
Sunday, August 05, 2007 12:15:25 PM
Operating System: Microsoft Windows Millennium Edition
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 5/08/2007
Kaspersky Anti-Virus database records: 373014


Scan Settings
Scan using the following antivirus database extended
Scan Archives true
Scan Mail Bases true

Scan Target My Computer
a:\
c:\
q:\

Scan Statistics
Total number of scanned objects 67761
Number of viruses found 5
Number of infected objects 11 / 0
Number of suspicious objects 2
Duration of the scan process 01:28:36

Infected Object Name Virus Name Last Action
c:\WINDOWS\SYSTEM\CatRoot\SYSMAST.cbd Object is locked skipped

c:\WINDOWS\SYSTEM\CatRoot\SYSMAST.cbk Object is locked skipped

c:\WINDOWS\SYSTEM\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\CATMAST.cbd Object is locked skipped

c:\WINDOWS\SYSTEM\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\CATMAST.cbk Object is locked skipped

c:\WINDOWS\WIN386.SWP Object is locked skipped

c:\WINDOWS\Application Data\Microsoft\Internet Explorer\MSIMGSIZ.DAT Object is locked skipped

c:\WINDOWS\Sti_Trace.log Object is locked skipped

c:\WINDOWS\Sti_Event.log Object is locked skipped

c:\WINDOWS\wiaservc.log Object is locked skipped

c:\WINDOWS\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

c:\WINDOWS\Temporary Internet Files\Content.IE5\8HIRGT6R\wbk31E3.TMP Infected: Trojan-Spy.HTML.Paylap.aa skipped

c:\WINDOWS\Cookies\index.dat Object is locked skipped

c:\WINDOWS\History\History.IE5\index.dat Object is locked skipped

c:\WINDOWS\History\History.IE5\MSHist012007080520070806\index.dat Object is locked skipped

c:\WINDOWS\All Users\Application Data\Spybot - Search & Destroy\Recovery\DivagoSurfairy1.zip/uninstall.exe Suspicious: Password-protected-EXE skipped

c:\WINDOWS\All Users\Application Data\Spybot - Search & Destroy\Recovery\DivagoSurfairy1.zip ZIP: suspicious - 1 skipped

c:\WINDOWS\UserData\index.dat Object is locked skipped

c:\Recycled\Q330995.exe Infected: Trojan-Downloader.Win32.Small.amb skipped

c:\_RESTORE\TEMP\REGSNAPSHOT.LOG Object is locked skipped

c:\_RESTORE\ARCHIVE\FS41.CAB/A0001478.CPY Infected: Trojan.Win32.StartPage.qr skipped

c:\_RESTORE\ARCHIVE\FS41.CAB CAB: infected - 1 skipped

c:\_RESTORE\ARCHIVE\FS1415.CAB/A0130040.CPY/data.rar/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped

c:\_RESTORE\ARCHIVE\FS1415.CAB/A0130040.CPY/data.rar Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped

c:\_RESTORE\ARCHIVE\FS1415.CAB/A0130040.CPY Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped

c:\_RESTORE\ARCHIVE\FS1415.CAB CAB: infected - 3 skipped

c:\_RESTORE\ARCHIVE\FS1416.CAB/A0130047.CPY Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped

c:\_RESTORE\ARCHIVE\FS1416.CAB CAB: infected - 1 skipped

c:\_RESTORE\LOGS\vxdsfp.log Object is locked skipped

c:\_RESTORE\LOGS\vxdalt1.log Object is locked skipped

c:\My Documents\Kirsty\AS\SFPU\backups\backup-20050311-175756-159.dll Infected: Trojan.Win32.StartPage.qr skipped

c:\Program Files\Kerio\Personal Firewall 4\logs\debug.log Object is locked skipped

c:\Program Files\Kerio\Personal Firewall 4\logs\debug.log.idx Object is locked skipped

c:\Program Files\Kerio\Personal Firewall 4\logs\error.log Object is locked skipped

c:\Program Files\Kerio\Personal Firewall 4\logs\error.log.idx Object is locked skipped

c:\Program Files\Kerio\Personal Firewall 4\logs\ids.log Object is locked skipped

c:\Program Files\Kerio\Personal Firewall 4\logs\ids.log.idx Object is locked skipped

c:\Program Files\Kerio\Personal Firewall 4\logs\network.log Object is locked skipped

c:\Program Files\Kerio\Personal Firewall 4\logs\network.log.idx Object is locked skipped

c:\Program Files\Kerio\Personal Firewall 4\logs\system.log Object is locked skipped

c:\Program Files\Kerio\Personal Firewall 4\logs\system.log.idx Object is locked skipped

c:\Program Files\Kerio\Personal Firewall 4\logs\warning.log Object is locked skipped

c:\Program Files\Kerio\Personal Firewall 4\logs\warning.log.idx Object is locked skipped

c:\Program Files\Kerio\Personal Firewall 4\logs\web.log Object is locked skipped

c:\Program Files\Kerio\Personal Firewall 4\logs\web.log.idx Object is locked skipped

Scan process completed.

Thanks for your help.

LPH

Hi leepeterhudson

And wellcome to icrontic.

Sorry delay :(

Download ATF-Cleaner (http://www.atribune.org/ccount/click.php?id=1) by Atribune to your desktop.

Run ATF Cleaner Under Main choose: Select All
Click the Empty Selected button.

If you use Firefox browser Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.



Please download AVG Anti-Spyware to your Desktop or to your usual Download Folder.
http://www.ewido.net/en/download/
Install AVG Anti-Spyware by double clicking the installer.
Follow the prompts. Make sure that Launch AVG Anti-Spyware is checked.
On the main screen under Your Computer's security.
Click on Change state next to Resident shield. It should now change to inactive.
Click on Change state next to Automatic updates. It should now change to inactive.
Next to Last Update, click on Update now. (You will need an active internet connection to perform this)
Wait until you see the Update succesfull message.
Right-click the AVG Anti-Spyware Tray Icon and uncheck Start with Windows.
Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
If you are having problems with the updater, you can use this link to manually update ewido.
AVG Anti-Spyware manual updates (http://www.ewido.net/en/download/updates/).
Download the Full database to your Desktop or to your usual Download Folder and install it by double clicking the file. Make sure that AVG Anti-Spyware is closed before installing the update.

Please clean your system restore, :

First turn system restore off

instructions (http://www.pchell.com/virus/systemrestore.shtml)

Reboot your computer in Safe Mode.
If the computer is running, shut down Windows, and then turn off the power.
Wait 30 seconds, and then turn the computer on.
Start tapping the F8 key. The Windows Advanced Options Menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
Ensure that the Safe Mode option is selected.
Press Enter. The computer then begins to start in Safe mode.
Login on your usual account.

Once in Safe Mode:

Then emptier that folder and all subfolders:

c:\_RESTORE\

(we make a new restore files to there later)

Close ALL open Windows / Programs / Folders. Please start AVG Anti-Spyware and run a full scan.
Click on Scanner on the toolbar.
Click on the Settings tab.
Under How to act?
Click on Recommended Action and choose Quarantine from the popup menu.
Under How to scan?
All checkboxes should be ticked.
Under Possibly unwanted software:
All checkboxes should be ticked.
Under Reports:
DEselect Automatically generate report after every scan and uncheck Only if threats were found.
Under What to scan?
Select Scan every file.
Click on the Scan tab.
Click on Complete System Scan to start the scan process.
Let the program scan the machine.
When the scan has finished, follow the instructions below.
IMPORTANT : Don't click on the "Save Scan Report" button before you did hit the "Apply all Actions" button.
Make sure that Set all elements to: shows Quarantine (1), if not click on the link and choose Quarantine from the popup menu. (2)
At the bottom of the window click on the Apply all Actions button. (3)
http://img509.imageshack.us/img509/4851/scanavgjk2.jpg
When done, click the Save Scan Report button. (4)
Click the Save Report as button.
Save the report to your Desktop.
Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
Reboot back into Normal Mode, and post a new HJT log, along with the AVG Anti-Spyware report.

Boot to normal mode and put system restore on and reboot .

Then send asked report and a fresh hijackthis log

Hi Nuppi

Thanks for your help.

I have run ATF cleaner, then I downloaded AVG Antispyware but when I tried to install it a message box came up telling me that I need Windows 2000 (at least) to run it. My system runs Windows ME, so I don't know why it shouldn't install.

Hope you can help with this. Thanks in advance.

Lee

Hi,

Please run Kaspersky online scan and send its result

Hi Nuppi

Thanks for your speedy response.

Unfortunately, my internet access hardly seems to work at all now. I can get onto the Google search engine, and thats about it (I am using another PC to contact this forum).

So I can't run an online scan. Any advice?

Thanks in advance

Lee

Hi,

Please download

Escan "Mvav.exe" (http://www.spywareinfo.dk/download/mwav.exe)
Update program to Escan "Mvav.bat" (http://koti.mbnet.fi/pattaya1/lataus/Mwav.bat)

Save both to the desktop

Run Mvav.exe first in this comp what use now. It'll instal program to

C:\Kaspersky

Run Mvav.bat, Allow to kavupd.exe to go internet.

It makes to directory

C:\Bases
C:\Downloads

When updating is ready opens Escan.

Now close Escan.

Copy next to infected comp :

Mvav.exe
C:\Kaspersky
C:\Bases
C:\Downloads

Assemble (run) Mvav.exe.

Paste those folders to infected comp

C:\Bases
C:\Downloads

And paste all files copied C:\Kaspersky to infected comps C:\Kaspersky

If appears question allow all

Now you have escan in infected comp.

Goto C:\Kaspersky and run there mwavscan.com or mwavscan.exe

Here is instructions with pictures eScan (http://koti.mbnet.fi/pattaya1/escanmwav.htm), unfortunately it's in finnish :D

When scanning is ready, copy lower boxes result and send those to reply.

Hi Nuppi

Thanks for your help so far. I successfully ran eScan on all Drives and all files, but I couldn't cut and paste the 4 viruses which showed up in the lower box. A file called mwXface.txt was saved in C:\Kaspersky so I have provided it below:

[0x00000c7c] 20/08/2007 20:16:41:140 :[msvLclnt.dll]ModuleName = C:\Kaspersky\mwavscan.com
[0x00000c7c] 20/08/2007 20:16:41:140 :[msvLclnt.dll]WARNING!!! "Autokey" Not Found
[0x00000c7c] 20/08/2007 20:16:43:031 :[msvLclnt.dll]Options Set by External applications mwavscan.com are 9896960 (0x970400):
[0x00000c7c] 20/08/2007 20:16:43:031 :[msvLclnt.dll]Mode :PACKED,ARCHIVED,CA,WARNINGS,MAILPLAIN
[0x00000c7c] 20/08/2007 20:16:43:031 :[msvLclnt.dll]TimeOut : ffffffff
[0x00000c7c] 20/08/2007 20:16:43:031 :[msvLclnt.dll]Priority : NORMAL
[0x00000c7c] 20/08/2007 20:16:43:437 :[msvLclnt.dll]VirusCount = 318294 Latest Date = 2007/05/13
[0xfad132a1] 20/08/2007 20:34:13:400 :[msvLclnt.dll]ModuleName = C:\KASPERSKY\MWAVSCAN.COM
[0xfad132a1] 20/08/2007 20:34:13:400 :[msvLclnt.dll]Registry Key Deleted Properly!!!
[0xfad132a1] 20/08/2007 20:34:16:810 :[msvLclnt.dll]Options Set by External applications MWAVSCAN.COM are 9896960 (0x970400):
[0xfad132a1] 20/08/2007 20:34:16:810 :[msvLclnt.dll]Mode :PACKED,ARCHIVED,CA,WARNINGS,MAILPLAIN
[0xfad132a1] 20/08/2007 20:34:16:810 :[msvLclnt.dll]TimeOut : ffffffff
[0xfad132a1] 20/08/2007 20:34:16:810 :[msvLclnt.dll]Priority : NORMAL
[0xfad132a1] 20/08/2007 20:34:17:960 :[msvLclnt.dll]VirusCount = 386220 Latest Date = 2007/08/20
[0xfad15581] 20/08/2007 21:31:14:930 :[msvLclnt.dll][00000001] File C:\Recycled\Q330995.exe infected by Trojan-Downloader.Win32.Small.amb
[0xfad15581] 20/08/2007 21:31:15:370 :[msvLclnt.dll][00000001] File C:\Recycled\Q330995.exe infected by Trojan-Downloader.Win32.Small.amb
[0xfad15581] 20/08/2007 21:31:21:080 :[msvLclnt.dll][00000001] File C:\_RESTORE\TEMP\A0002472.CPY infected by Trojan-Downloader.Win32.Small.amb
[0xfad15581] 20/08/2007 21:31:21:250 :[msvLclnt.dll][00000001] File C:\_RESTORE\TEMP\A0002472.CPY infected by Trojan-Downloader.Win32.Small.amb
[0xfad15581] 20/08/2007 21:53:15:060 :[msvLclnt.dll][00000001] File C:\My Documents\Kirsty\AS\SFPU\backups\backup-20050311-175756-159.dll infected by Trojan.Win32.StartPage.qr
[0xfad15581] 20/08/2007 21:53:15:450 :[msvLclnt.dll][00000001] File C:\My Documents\Kirsty\AS\SFPU\backups\backup-20050311-175756-159.dll infected by Trojan.Win32.StartPage.qr
[0xfad15581] 20/08/2007 23:00:01:440 :[msvLclnt.dll]VirusCount = 386220 Latest Date = 2007/08/20
[0xfad132a1] 21/08/2007 06:52:29:200 :[msvLclnt.dll]VirusCount = 386220 Latest Date = 2007/08/20

Hope this is useful. Thanks again.

Lee

Hi,

Please emty folder :

C:\Recycled\

Delete file :
C:\My Documents\Kirsty\AS\SFPU\backups\backup-20050311-175756-159.dll

Lets clean system restore: First disable system restore:
PC Hell: Disabling System Restore on Windows Me, Windows XP, and ... (http://www.pchell.com/virus/systemrestore.shtml)

Boot comp.

Delete file :
C:\_RESTORE\TEMP\A0002472.CPY

Please send a fresh Hijackthis log

Hi Nuppi

Thanks for your advice. I carried out your instructions, but under C:\_RESTORE there was no TEMP folder at all so I couldn't delete A0002472.CPY.

Here is my fresh Hijackthis log

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 19:26:33, on 21/08/2007
Platform: Windows ME (Win9x 4.90.3000)
Boot mode: Normal

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\PROGRAM FILES\COMMON FILES\EPSON\EBAPI\SAGENT2.EXE
C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
C:\PROGRAM FILES\KERIO\PERSONAL FIREWALL 4\KPF4SS.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\KB918547\KB918547.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\PROGRAM FILES\KERIO\PERSONAL FIREWALL 4\KPF4GUI.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\WBEM\WINMGMT.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\IRMON.EXE
C:\WINDOWS\SYSTEM\ESB.EXE
C:\WINDOWS\PCTVOICE.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\CHTVINIT.EXE
C:\PROGRAM FILES\THOMSON\SPEEDTOUCH USB\DRAGDIAG.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\MSN APPS\UPDATER\01.03.0000.1005\EN-US\MSNAPPAU.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\PROGRAM FILES\SUPERANTISPYWARE\SUPERANTISPYWARE.EXE
C:\PROGRAM FILES\FINEPIXVIEWER\QUICKDCF2.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\DESKTOP\SPYWARE\HIJACKTHIS_V2.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.wanadoo.co.uk
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Wanadoo
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;<local>
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\PROGRAM FILES\MSN APPS\MSN TOOLBAR\01.02.5000.1021\EN-US\MSNTB.DLL
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\PROGRAM FILES\MSN APPS\ST\01.03.0000.1005\EN-XU\STMAIN.DLL
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\PROGRAM FILES\MSN APPS\MSN TOOLBAR\01.02.5000.1021\EN-US\MSNTB.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [IrMon] irmon.exe
O4 - HKLM\..\Run: [ESB] C:\WINDOWS\SYSTEM\ESB.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [PCTVOICE] pctvoice.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ChrontelInitTV] CHTVINIT.EXE
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.03.0000.1005\en-us\msnappau.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [SAgent2ExePath] C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
O4 - HKLM\..\RunServices: [KPF4] C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\RunServices: [KB918547] C:\WINDOWS\SYSTEM\KB918547\KB918547.EXE
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\PROGRAM FILES\SUPERANTISPYWARE\SUPERANTISPYWARE.EXE
O4 - HKUS\.DEFAULT\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe" (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [SUPERAntiSpyware] C:\PROGRAM FILES\SUPERANTISPYWARE\SUPERANTISPYWARE.EXE (User 'Default user')
O4 - .DEFAULT Startup: Testbase Key Stage 3 Science.lnk = C:\Program Files\Testbase32\Testbase32.exe (User 'Default user')
O4 - .DEFAULT Startup: Exif Launcher 2.lnk = C:\Program Files\FinePixViewer\QuickDCF2.exe (User 'Default user')
O4 - Startup: Testbase Key Stage 3 Science.lnk = C:\Program Files\Testbase32\Testbase32.exe
O4 - Startup: Exif Launcher 2.lnk = C:\Program Files\FinePixViewer\QuickDCF2.exe
O8 - Extra context menu item: Search with Wanadoo - res://C:\PROGRA~1\WANADOO\WSBAR\WSBAR.DLL/VSearch.htm
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O12 - Plugin for .pdb: C:\PROGRA~1\INTERN~1\PLUGINS\NPCHIME.DLL
O14 - IERESET.INF: START_PAGE_URL=http://www.wanadoo.co.uk
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by101fd.bay101.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_ansi.cab
O20 - Winlogon Notify: !SASWinLogon - C:\PROGRAM FILES\SUPERANTISPYWARE\SASWINLO.DLL
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\SYSTEM\BROWSEUI.DLL
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\SYSTEM\BROWSEUI.DLL

--
End of file - 6405 bytes

Thanks in advance for your reply

Lee

Hi,

Put hidden files to visible How to Show System Files (http://www.xtra.co.nz/help/0,,4155-1916458,00.html).

Try then delete that file :D

Hi Nuppi

Thanks again.

The only hidden files under C:\_RESTORE\TEMP are:

A0000001.CPY
A0000002.CPY
A0000005.CPY
A0000008.CPY
A0000011.CPY
REGSNAPSHOT.LOG

Regards
Lee

Hi,

Ok,

How comp is working now?

Hi Nuppi

I'm still getting "page cannot be displayed" errors when I try and access Windows update and Windows Hotmail (and most other sites).

Thanks in advance
Lee

HI,


Please dowload HostsXpert (http://www.funkytoad.com/download/HostsXpert.zip)
Unzip hoster to an own folder, eg C:\HostsXpert
Start Hoster.exe,
Click "Make Hosts Writable?" in the upper right corner (If available).
Click Restore Original Hosts and then click OK.
Click the X to exit the program.
If you were using a custom Hosts file you will need to replace any of those entries yourself.

Hi Nuppi

Thanks for your help. I ran HostsXpert successfully, but I'm still getting page not displayed errors. Google maps works fine though!

Thanks
Lee

Hi

Check that:

Open IE, click tools, settings and go every page one by one. Check that there is cookies allowed :D

Hi Nuppi

I've allowed all cookies on IE, still no access to most websites.

Finland looks like a nice country, I'd like to go there sometime. :)

Thanks in advance
Lee

I'll need more information from you. Download Deckard's System Scanner (DSS) (http://www.techsupportforum.com/sectools/Deckard/dss.exe) to your Desktop.

What DSS will do:
* create a new System Restore point in Windows XP and Vista.
* clean your Temporary Files, Downloaded Program Files, and Internet Cache Files, and also empty the Recycle Bin on all drives.
* check some important areas of your system and produce a report for your analyst to review.
* DSS automatically runs HijackThis 1.99.1 for you, but it will also install and place a shortcut to HijackThis on your desktop if you do not already have HijackThis installed.

Note: You must be logged onto an account with administrator privileges.

1. Close all applications and windows.
2. Double-click on dss.exe to run it, and follow the prompts.
3. When the scan is complete, two text files will open - main.txt <- this one will be maximized and extra.txt <-this one will be minimized
4. Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of main.txt in your next reply.
5. Please attach extra.txt to your post.

Hi Nuppi

I downloaded DSS onto a flash drive, then tried to run it on the infected PC but it didn't run. No messages appeared, nothing.

Hope you can help, thanks.

Lee

Hi

Did you assemble Deckards first to comp before start ?

Hi Nuppi

I downloaded Deckards onto the uninfected PCs desktop. I didn't run it or anything (a green icon just appeared which I then copied to the flashdrive in order to move it over to my infected PC).

Hope you can set me straight.
Thanks
Lee

Hi,

Sorry i forget that Deckards do not work in ME :(

Can you try to reinstall windows without formatting ?

Hi Nuppi

I can't reinstall windows as I have no windows ME CD ROM to load it back onto the PC.

Thanks
Lee

Hi

I'm sorry, but I don't know to keys what helps in this situation :(

Glad we could be of assistance! The help you received here was free.

This topic is now closed. If you wish it reopened, please send a Private Message to Trogan (http://icrontic.com/forum/private.php?do=newpm&u=2703) with a link to your thread.

If you are not the user who started this thread, you must start your own Thread (http://icrontic.com/forum/newthread.php?do=newthread&f=57) instead :)
_______________________________

Have we helped you with any issues you have had with your PC's or other items? If so you can now help us by Joining Team 93 and fold for a cure.