
Please help....home search assistant, shopping wizard, search extender

I have not posted on here in a while, since you helped me before. I am trying to fix my sister-in-law's computer and am having no luck. Any chance you could offer some help? Here is an HJT logfile that I ran.
Many thanks in advance


7:47 PM 6/20/06

Logfile of HijackThis v1.99.1
Scan saved at 6:06:32 PM, on 6/20/06
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\ADDSL32.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCSETMGR.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\GWHOTKEY.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\STARTER.EXE
C:\PROGRAM FILES\COMMON FILES\SCM\ICONFIG.EXE
C:\PROGRAM FILES\ADAPTEC\EASY CD CREATOR 5\DIRECTCD\DIRECTCD.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\LOADQM.EXE
C:\WINDOWS\TEMP\2192.TMP.EXE
C:\WINDOWS\TEMP\2264.TMP.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCPD-LC\SYMLCSVC.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
C:\WINDOWS\ATLXC.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\FINDFAST.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OSA.EXE
C:\PROGRAM FILES\MICROSOFT HOME PUBLISHING\MHPRMIND.EXE
C:\WINDOWS\DESKTOP\NEW FOLDER\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\iwcvd.dll/sp.html#12047%resultposition.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\iwcvd.dll/sp.html#12047%resultposition.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\iwcvd.dll/sp.html#12047%resultposition.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\iwcvd.dll/sp.html#12047%resultposition.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\iwcvd.dll/sp.html#12047%resultposition.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\iwcvd.dll/sp.html#12047%resultposition.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\iwcvd.dll/sp.html#12047%resultposition.net
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {A013F86E-52B5-8D07-3F4C-C462AEAE9290} - C:\WINDOWS\APIIE32.DLL
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Multi-function Keyboard] GWHotKey.exe
O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
O4 - HKLM\..\Run: [ICONFIG] C:\PROGRA~1\COMMON~1\SCM\ICONFIG.EXE
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [CreateCD50] C:\PROGRA~1\COMMON~1\ADAPTE~1\CREATECD\CREATE~1.EXE -r
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [2192.TMP] C:\WINDOWS\TEMP\2192.TMP.exe
O4 - HKLM\..\Run: [2264.TMP] C:\WINDOWS\TEMP\2264.TMP.exe
O4 - HKLM\..\Run: [2192.TMP.EXE] C:\WINDOWS\TEMP\2192.TMP.EXE
O4 - HKLM\..\Run: [2264.TMP.EXE] C:\WINDOWS\TEMP\2264.TMP.EXE
O4 - HKLM\..\Run: [KodakCCS] C:\WINDOWS\System32\Drivers\KodakCCS.exe
O4 - HKLM\..\Run: [Symantec Core LC] C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe start
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NAV CfgWiz] C:\Program Files\Common Files\Symantec Shared\CfgWiz.exe /GUID NAV /CMDLINE "REBOOT"
O4 - HKLM\..\Run: [ATLXC.EXE] C:\WINDOWS\ATLXC.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [ADDSL32.EXE] C:\WINDOWS\SYSTEM\ADDSL32.EXE /s
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [ccEvtMgr] "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
O4 - HKLM\..\RunServices: [ccSetMgr] "C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Startup: EPSON Background Monitor.lnk = C:\ESM2\Stms.exe
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\FINDFAST.EXE
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\OSA.EXE
O4 - Startup: Microsoft Greetings Reminders.lnk = C:\Program Files\Microsoft Home Publishing\MHPRMIND.EXE
O4 - Startup: PowerReg SchedulerV2.exe
O4 - Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O12 - Plugin for .swf: C:\Program Files\Netscape\Communicator\Program\PLUGINS\npswf32.dll
O12 - Plugin for .php: C:\Program Files\Netscape\Communicator\Program\PLUGINS\nppdf32.dll

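The log above is read by eye later in the thread: search pages rewritten to a `res://` DLL, a missing URLSearchHook, a BHO called just "Class", autoruns launched from `C:\WINDOWS\TEMP`, and run entries named after their own executable. As an added example that is not part of the thread, of HijackThis, or of any tool named here, the script below applies those same indicators to HJT-style lines and collects the on-disk files they point at. The sample lines are constructed from the posted log, the regular expressions are my own reading of the HJT line format, and the "entry named after its own file" rule is a heuristic, not a rule from any tool.

```python
"""Triage a HijackThis-style log for the indicators the thread above acts on."""
import re

# Constructed sample: a few lines modelled on the log posted above (not the full log).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\iwcvd.dll/sp.html#12047%resultposition.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {A013F86E-52B5-8D07-3F4C-C462AEAE9290} - C:\WINDOWS\APIIE32.DLL
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [2192.TMP] C:\WINDOWS\TEMP\2192.TMP.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\RunServices: [ADDSL32.EXE] C:\WINDOWS\SYSTEM\ADDSL32.EXE /s
O2 - BHO: Class - {365181BC-9654-9CAA-449A-2C895371E7B6} - C:\WINDOWS\SYSTEM\IPEY.DLL (file missing)
""".strip()

# R0/R1: IE start/search pages. A res:// value points into a DLL on disk, which is
# how this hijacker serves its own search page.
RES_HIJACK = re.compile(r"^R[01] - .*= res://(?P<dll>[^/]+)/")
# O2: browser helper objects: name, CLSID, DLL path, optional "(file missing)" marker.
BHO = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{[0-9A-Fa-f-]+\} - (?P<path>.*?)(?P<missing> \(file missing\))?$")
# O4: Run/RunServices autoruns: hive, key, entry name, command line.
AUTORUN = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>Run|RunServices|RunOnce): \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
# First executable path in a command line, quoted or not, with or without arguments.
EXE_PATH = re.compile(r'^"?(?P<path>[^"]+?\.(?:exe|dll|tmp))"?(?=\s|$)', re.IGNORECASE)
GENERIC_BHO_NAMES = {"class", "(no name)"}


def triage(log_text):
    """Return (findings, paths): flagged lines with a reason, and the files they point at."""
    findings, paths = [], set()
    for line in log_text.splitlines():
        line = line.strip()
        m = RES_HIJACK.match(line)
        if m:
            findings.append((line, "IE search/start page redirected to a local DLL resource"))
            paths.add(m["dll"])
            continue
        if line.startswith("R3 - Default URLSearchHook is missing"):
            findings.append((line, "default URLSearchHook removed"))
            continue
        m = BHO.match(line)
        if m:
            if m["missing"]:
                findings.append((line, "BHO registered but its DLL is gone (orphaned entry)"))
            elif m["name"].strip().lower() in GENERIC_BHO_NAMES:
                findings.append((line, "BHO with a generic name and an unfamiliar DLL"))
                paths.add(m["path"])
            continue
        m = AUTORUN.match(line)
        if m:
            target = EXE_PATH.match(m["cmd"])
            path = target["path"] if target else m["cmd"]
            reasons = []
            if "\\TEMP\\" in path.upper():
                reasons.append("autorun launched from a TEMP directory")
            # Heuristic (my own, not an HJT rule): legitimate entries usually carry a
            # product name; the hijacker's entries are just the file name.
            if re.fullmatch(r".*\.(?:exe|tmp)", m["name"], re.IGNORECASE):
                reasons.append("autorun entry named after its own file (heuristic)")
            if reasons:
                findings.append((line, "; ".join(reasons)))
                paths.add(path)
    return findings, sorted(paths)


if __name__ == "__main__":
    found, files = triage(SAMPLE_LOG)
    for line, why in found:
        print(f"{why}\n    {line}")
    print("files referenced by flagged entries:", *files, sep="\n    ")
```

On the sample, the Norton BHO, the `ccApp` autorun and the `about:blank` entry pass untouched, while the six lines the thread fixes are reported; the orphaned `IPEY.DLL` entry is flagged but contributes no file, since there is nothing left on disk to delete.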
Comments

  • edited June 2006
    Hi exarmy1

    The Fix -

    (the reason Wordpad was chosen is that Notepad is often deleted by this variant)

    Please save these instructions to WordPad so that you have them accessible while following the steps. You also may want to print out these directions as the Internet will not be available. You must disconnect from the internet totally, as staying connected while fixing will prevent the fix from working. Also please keep Internet Explorer and Outlook Express closed throughout as opening them will reinstall the infection. Read through all the instructions so that you can ask any questions now, before you disconnect from the Internet.

    Close Outlook Express and Internet Explorer for the duration of this fix

    Please continue with the next steps and if you run into any problems with the current one, just keep going through the list step by step. Just be sure to let us know what the problem was when you finally reply.



    Step#1: Make Sure Hidden Files Are Visible
    • Please make sure you can view all Hidden Files by choosing the instructions for your Windows OS.


    Step#2: Download and Update CWShredder
    • Download CWShredder. Do Not Use It Yet
    • Save CWShredder.exe to a convenient location.
    • Make sure it is up to date.


    Step#3: Download DllCompare

    Step#4: Download About Buster
    • Please download About:Buster from here. Do Not Use It Yet
    • About Buster.
    • Extract it to c:\aboutbuster.
    • Update it to the latest definitions.



    Please disconnect from the Internet and unplug your modem for the duration of this fix



    Step#5: Reboot To Safe Mode

    Reboot your computer into Safe Mode by tapping F8 while booting up and continue for the rest of the fix in SAFE MODE



    Step#6: Use CWShredder
    • Open CWShredder.exe.
    • Click "Fix ->" and click "OK" at the prompt.
    • CWShredder will scan and clean your system of CWS files.
    • Click "Next->" and then "Exit".
    • REBOOT back into Safe Mode by tapping F8 while booting up.



    Step#7: Use DllCompare
    • Open DllCompare.exe to run the program.
    • Click "Run Locate.com" and it will scan your system for files.
    • Once the scan has finished click "Compare" to compare your files to valid Windows files.
      Files in the upper window have now been verified to "exist", Files in the lower window were not able to be accessed. Very few files should be listed in the lower window when the Compare scan is complete.
    • Once it has finished comparing click " Make a Log of what was found".
    • Click on each of the listed entries in the lower section to select them. Right-click on the file and use the option Rescan. This will cause Windows Find to see if the file does exist, and then it will be removed from the list (to reduce the number of identified files).
    • Click "Yes" at the ‘View Log file’ prompt to view the log.
    • Copy and paste the entire log into your next reply after completing all steps (saved as log.txt in the DllCompare folder).
    • Click "Exit".


    Step#8: Delete Infected Files

    Please boot into Safe Mode and delete the following files:
      C:\WINDOWS\TEMP\2192.TMP.EXE
      C:\WINDOWS\TEMP\2264.TMP.EXE
      C:\WINDOWS\ATLXC.EXE
      C:\WINDOWS\iwcvd.dll
      C:\WINDOWS\APIIE32.DLL
      C:\WINDOWS\SYSTEM\ADDSL32.EXE


    Step#9: Use HijackThis

    Then close all programs and windows and run HijackThis. Put a checkmark next to each of these entries and click the 'Fix checked' button when ready (some may be gone after uninstalling some programs):

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\iwcvd.dll/sp.html#12047%resultposition.net
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\iwcvd.dll/sp.html#12047%resultposition.net
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\iwcvd.dll/sp.html#12047%resultposition.net
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\iwcvd.dll/sp.html#12047%resultposition.net
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\iwcvd.dll/sp.html#12047%resultposition.net
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\iwcvd.dll/sp.html#12047%resultposition.net
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\iwcvd.dll/sp.html#12047%resultposition.net
    R3 - Default URLSearchHook is missing
    O2 - BHO: Class - {A013F86E-52B5-8D07-3F4C-C462AEAE9290} - C:\WINDOWS\APIIE32.DLL
    O4 - HKLM\..\Run: [2192.TMP] C:\WINDOWS\TEMP\2192.TMP.exe
    O4 - HKLM\..\Run: [2264.TMP] C:\WINDOWS\TEMP\2264.TMP.exe
    O4 - HKLM\..\Run: [2192.TMP.EXE] C:\WINDOWS\TEMP\2192.TMP.EXE
    O4 - HKLM\..\Run: [2264.TMP.EXE] C:\WINDOWS\TEMP\2264.TMP.EXE
    O4 - HKLM\..\Run: [ATLXC.EXE] C:\WINDOWS\ATLXC.EXE
    O4 - HKLM\..\RunServices: [ADDSL32.EXE] C:\WINDOWS\SYSTEM\ADDSL32.EXE /s



    Step#10: Use About Buster


    This is the step where we will use About:Buster that you had downloaded previously.
    • Navigate to the c:\aboutbuster directory and double-click on aboutbuster.exe
    • When the tool is open press the OK button, then the Start button, then the OK button, and then finally the Yes button.
    • It will start scanning your computer for files. If it asks if you would like to do a second pass, allow it to do so.
    • Post the log file in your next reply


    Step#11: Use Registry File
    • Copy the contents of the Quote Box below to Wordpad.
    • Name the file as fix.reg
    • Change the Save as Type to All Files
    • and Save it on the desktop
    REGEDIT4

    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\HSA]

    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SE]

    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SW]

    Note! Make sure that it's CurrentVersion! If you see any spaces, please correct it.
    • Then double-click on the fix.reg file, and when it prompts to merge say yes, and this will clear some registry entries left behind by the process.


    Reboot your computer back to normal mode



    Reconnect To The Internet



    Step#12: Use HijackThis and Post To Thread In Forum

    1. Scan again with HijackThis. We still have a few steps to complete but a log file at this time would be helpful.

    2. Post your logs from About Buster, DllCompare and your HijackThis log here in this thread with any questions or problems that you have run into. There are still some steps that are necessary to clear out all of the malware. There will be necessary files that it has deleted that will need to be replaced.

    Good Luck!
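Step#11 warns that a stray space in `CurrentVersion` (a common copy/paste casualty) silently breaks the merge, and a forgotten leading `-` would create the key instead of deleting it. As an added example that is not from the thread or from any tool it names, the script below generates that REGEDIT4 file from the three Uninstall subkey names and checks a pasted copy for exactly those mistakes before it is merged. The "broken" sample is constructed for illustration; the allowed key prefix is the one the fix uses.

```python
"""Generate and sanity-check a REGEDIT4 fix file of the kind posted in Step#11."""
import re

# This fix should contain only key deletions under the Uninstall branch; anything
# else (a missing '-', a value line, a key elsewhere) is reported instead of merged.
UNINSTALL = "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\"
KEY_LINE = re.compile(r"^\[(?P<minus>-?)(?P<path>[^\]]*)\]$")


def build_fix_reg(names):
    """Return REGEDIT4 text that deletes the given Uninstall subkeys (Win9x format)."""
    body = "\n\n".join(f"[-{UNINSTALL}{name}]" for name in names)
    return f"REGEDIT4\n\n{body}\n"


def check_fix_reg(text):
    """Return a list of problems; an empty list means the file does what the fix intends."""
    problems = []
    lines = text.splitlines()
    if not lines or lines[0].strip() != "REGEDIT4":
        problems.append("line 1: header must be REGEDIT4 (the Win9x registry-file format)")
    for n, raw in enumerate(lines[1:], start=2):
        line = raw.strip()  # forum copy/paste often adds indentation
        if not line:
            continue
        m = KEY_LINE.match(line)
        if not m:
            problems.append(f"line {n}: not a [key] line; this fix should contain only key deletions")
            continue
        if m["minus"] != "-":
            problems.append(f"line {n}: missing leading '-', key would be created rather than deleted")
        path = m["path"]
        if re.search(r"\s", path):
            problems.append(f"line {n}: whitespace inside the key path (check 'CurrentVersion')")
        if not path.startswith(UNINSTALL):
            problems.append(f"line {n}: key is not under {UNINSTALL}")
    return problems


# Constructed samples: the file as the thread gives it, and a mistyped variant.
GOOD_REG = build_fix_reg(["HSA", "SE", "SW"])
BROKEN_REG = (
    "REGEDIT4\n\n"
    "[-HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\Current Version\\Uninstall\\HSA]\n\n"
    "[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\SE]\n"
)

if __name__ == "__main__":
    for label, text in (("good", GOOD_REG), ("broken", BROKEN_REG)):
        print(label, check_fix_reg(text) or "ok")
```

The mistyped variant produces three reports: the space inside `Current Version` is caught twice (as whitespace and as a key outside the Uninstall branch), and the second key is caught for its missing `-`.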
  • edited June 2006
    Here is what I have so far....

    Logfile of HijackThis v1.99.1
    Scan saved at 8:07:09 PM, on 6/21/06
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
    C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCSETMGR.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\SYSTEM\RNAAPP.EXE
    C:\WINDOWS\SYSTEM\TAPISRV.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS\GWHOTKEY.EXE
    C:\WINDOWS\STARTER.EXE
    C:\PROGRAM FILES\COMMON FILES\SCM\ICONFIG.EXE
    C:\PROGRAM FILES\ADAPTEC\EASY CD CREATOR 5\DIRECTCD\DIRECTCD.EXE
    C:\WINDOWS\SYSTEM\STIMON.EXE
    C:\WINDOWS\LOADQM.EXE
    C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCPD-LC\SYMLCSVC.EXE
    C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
    C:\PROGRAM FILES\MICROSOFT OFFICE\FINDFAST.EXE
    C:\PROGRAM FILES\MICROSOFT OFFICE\OSA.EXE
    C:\PROGRAM FILES\MICROSOFT HOME PUBLISHING\MHPRMIND.EXE
    C:\PROGRAM FILES\KODAK\KODAK SOFTWARE UPDATER\7288971\PROGRAM\KODAK SOFTWARE UPDATER.EXE
    C:\PROGRAM FILES\KODAK\KODAK EASYSHARE SOFTWARE\BIN\EASYSHARE.EXE
    C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\WINDOWS\DESKTOP\HJT\HIJACKTHIS.EXE

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O2 - BHO: Class - {365181BC-9654-9CAA-449A-2C895371E7B6} - C:\WINDOWS\SYSTEM\IPEY.DLL (file missing)
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [Multi-function Keyboard] GWHotKey.exe
    O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
    O4 - HKLM\..\Run: [ICONFIG] C:\PROGRA~1\COMMON~1\SCM\ICONFIG.EXE
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
    O4 - HKLM\..\Run: [LoadQM] loadqm.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
    O4 - HKLM\..\Run: [Symantec Core LC] C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe start
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [NAV CfgWiz] C:\Program Files\Common Files\Symantec Shared\CfgWiz.exe /GUID NAV /CMDLINE "REBOOT"
    O4 - HKLM\..\Run: [KodakCCS] C:\Program Files\Common Files\KODAK\KODAK_DR\KodakCCS.exe --pdr: "C:\Program Files\Common Files\KODAK\KODAK_DR\dcmnter.pdr"
    O4 - HKLM\..\Run: [SYSNH32.EXE] C:\WINDOWS\SYSTEM\SYSNH32.EXE
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
    O4 - HKLM\..\RunServices: [ccEvtMgr] "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
    O4 - HKLM\..\RunServices: [ccSetMgr] "C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe"
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - Startup: EPSON Background Monitor.lnk = C:\ESM2\Stms.exe
    O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\FINDFAST.EXE
    O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\OSA.EXE
    O4 - Startup: Microsoft Greetings Reminders.lnk = C:\Program Files\Microsoft Home Publishing\MHPRMIND.EXE
    O4 - Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
    O4 - Startup: PowerReg SchedulerV2.exe
    O4 - Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
    O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
    O12 - Plugin for .swf: C:\Program Files\Netscape\Communicator\Program\PLUGINS\npswf32.dll
    O12 - Plugin for .php: C:\Program Files\Netscape\Communicator\Program\PLUGINS\nppdf32.dll


    * DLLCompare Log version(1.0.0.127)
    Files Found that Windows does not See or cannot Access
    *Not everything listed here means you are infected!
    ________________________________________________

    O^E says: "There were no files found :)"
    ________________________________________________

    747 items found: 747 files, 0 directories.
    Total of file sizes: 123,854,610 bytes 118.11 M

    End log

    AboutBuster 6.02
    Scan started on [6/21/06] at [7:19:33 PM]
    Internet Explorer Instances Terminated!
    HomeSearch Service stopped if present
    Streams(ADS) not scanned: System not NTFS
    Removed File! : C:\WINDOWS\etjmtp.dat
    Removed File! : C:\WINDOWS\winap32.dll
    Removed File! : C:\WINDOWS\uwwwpm.dat
    Removed File! : C:\WINDOWS\ncjjt.dat
    Removed File! : C:\WINDOWS\giyxt.dat
    Removed File! : C:\WINDOWS\mxgjjo.dat
    Removed File! : C:\WINDOWS\exzomy.dat
    Removed File! : C:\WINDOWS\ijvbhq.dat
    Removed File! : C:\WINDOWS\n_rgnppm.dat
    Removed File! : C:\WINDOWS\n_cabmum.dat
    Removed File! : C:\WINDOWS\n_fcedxm.txt
    Removed File! : C:\WINDOWS\n_aotfwh.txt
    Removed File! : C:\WINDOWS\n_zuriyh.dat
    Removed File! : C:\WINDOWS\n_ehjoyx.log
    Removed File! : C:\WINDOWS\n_kexsuo.log
    Removed File! : C:\WINDOWS\n_hgwrmy.txt
    Removed File! : C:\WINDOWS\n_kmmwpm.txt
    Removed File! : C:\WINDOWS\n_cafwvq.log
    Removed File! : C:\WINDOWS\n_ucqzlc.dat
    Removed File! : C:\WINDOWS\n_bfvzto.dat
    Removed File! : C:\WINDOWS\n_zlosml.txt
    Removed File! : C:\WINDOWS\SYSTEM\rarpe.log
    Removed File! : C:\WINDOWS\SYSTEM\addsl32.exe
    Removed Temp Files
    Internet Explorer Settings Reset!
    Scan was COMPLETED SUCCESSFULLY at 7:21:59 PM


    AboutBuster 6.02
    Scan started on [6/21/06] at [7:22:48 PM]
    Internet Explorer Instances Terminated!
    HomeSearch Service stopped if present
    Streams(ADS) not scanned: System not NTFS
    No Files Found!
    Scan was COMPLETED SUCCESSFULLY at 7:23:02 PM


    AboutBuster 6.02
    Scan started on [6/21/06] at [7:56:54 PM]
    Internet Explorer Instances Terminated!
    HomeSearch Service stopped if present
    Streams(ADS) not scanned: System not NTFS
    No Files Found!
    Scan was COMPLETED SUCCESSFULLY at 7:57:43 PM


    How does it look?
  • edited June 2006
    Looks a lot better :)

    Fix with HjT (do a system scan only, checkmark these and press fix checked):

    O2 - BHO: Class - {365181BC-9654-9CAA-449A-2C895371E7B6} - C:\WINDOWS\SYSTEM\IPEY.DLL (file missing)
    O4 - HKLM\..\Run: [SYSNH32.EXE] C:\WINDOWS\SYSTEM\SYSNH32.EXE


    If you are having any difficulty with Notepad, please go to Merijn's Files and choose 'Windows Files' from the menu on the left hand side of the page. Then choose 'Notepad' from the list and download it to C:\Windows and C:\Windows\System32

    Step#1: Check For Deleted Files

    Now we need to see if we need to restore some deleted files:
      Please check for the following files using the Windows Search Engine:
    • control.exe
    • rundll32.exe
    • wmplayer.exe
    • msconfig.exe
    • notepad.exe
    • shell.dll
    • SDHelper.dll
    If any are missing or not working properly then you can download new copies from
    Merijn's Files and follow the instructions at that site to have them where they belong for your OS.
    • Download the Hoster from here. Press "Restore Original Hosts" and press "OK". Exit Program. This will restore the original deleted Hosts file.
    • This infection often deletes some system files that need to be replaced. The most frequent one it deletes is shell.dll in Win2K or XP. In XP there are two copies of this file, one in Windows (WINNT) and one in Windows\System32. It does not delete the one in Windows\System so it does not affect Win9x/ME. If you find it missing, please copy the shell.dll from c:\windows\system32\dllcache into both \Windows (WINNT) and Windows\System32 .
    • The other system file which is most frequently deleted is control.exe. Please check to make sure that you have this file and it is the correct size. If not, please check for the existence of this file by going to Merijn's Files (sdhelper) and examine where the file should be for your operating system. If the file is missing then download the appropriate file and place it in the proper place according to the information at this website. The control.exe is more often deleted in Win9x/ME.
    • If you have Spybot S&D installed you will also need to replace one file. Go here: Merijn's Files (sdhelper) and download SDHelper.dll. Copy the file to the folder containing your Spybot S&D program (normally C:\Program Files\Spybot - Search & Destroy). Then click Start > Run > regsvr32 "C:\Program Files\Spybot - Search & Destroy\SDHelper.dll" and press the OK button.


    Step#2: Use Cleanmgr
    • go to Start > All Programs > Accessories > Cleanmgr
    • Select each Hard Drive in order and Click OK
    • Let it calculate the amount of space that it can clean
    • Make sure Temporary Internet Files, Temporary Files and Recycle Bin are selected
    • Click OK and allow it to Clean


    Step#3: Scan With Online AV Scanner

    Run an online antivirus scan at:

    Trend Micro Online AV

    Reboot


    Step#4: Scan With HijackThis and Post In Forum

    1. Scan again with HijackThis

    2. POST your log file to see if there is anything left to fix.
  • edited June 2006
    Here's my latest logfile after running the virus scan. How does it look?


    Logfile of HijackThis v1.99.1
    Scan saved at 9:48:46 PM, on 6/23/06
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
    C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCSETMGR.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS\GWHOTKEY.EXE
    C:\WINDOWS\STARTER.EXE
    C:\PROGRAM FILES\COMMON FILES\SCM\ICONFIG.EXE
    C:\PROGRAM FILES\ADAPTEC\EASY CD CREATOR 5\DIRECTCD\DIRECTCD.EXE
    C:\WINDOWS\SYSTEM\STIMON.EXE
    C:\WINDOWS\LOADQM.EXE
    C:\WINDOWS\SYSTEM\RNAAPP.EXE
    C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCPD-LC\SYMLCSVC.EXE
    C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
    C:\WINDOWS\SYSTEM\TAPISRV.EXE
    C:\PROGRAM FILES\MICROSOFT OFFICE\FINDFAST.EXE
    C:\PROGRAM FILES\MICROSOFT OFFICE\OSA.EXE
    C:\PROGRAM FILES\MICROSOFT HOME PUBLISHING\MHPRMIND.EXE
    C:\PROGRAM FILES\KODAK\KODAK SOFTWARE UPDATER\7288971\PROGRAM\KODAK SOFTWARE UPDATER.EXE
    C:\PROGRAM FILES\KODAK\KODAK EASYSHARE SOFTWARE\BIN\EASYSHARE.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\WINDOWS\DESKTOP\HJT\HIJACKTHIS.EXE

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [Multi-function Keyboard] GWHotKey.exe
    O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
    O4 - HKLM\..\Run: [ICONFIG] C:\PROGRA~1\COMMON~1\SCM\ICONFIG.EXE
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
    O4 - HKLM\..\Run: [LoadQM] loadqm.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
    O4 - HKLM\..\Run: [Symantec Core LC] C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe start
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [NAV CfgWiz] C:\Program Files\Common Files\Symantec Shared\CfgWiz.exe /GUID NAV /CMDLINE "REBOOT"
    O4 - HKLM\..\Run: [KodakCCS] C:\Program Files\Common Files\KODAK\KODAK_DR\KodakCCS.exe --pdr: "C:\Program Files\Common Files\KODAK\KODAK_DR\dcmnter.pdr"
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
    O4 - HKLM\..\RunServices: [ccEvtMgr] "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
    O4 - HKLM\..\RunServices: [ccSetMgr] "C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe"
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - Startup: EPSON Background Monitor.lnk = C:\ESM2\Stms.exe
    O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\FINDFAST.EXE
    O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\OSA.EXE
    O4 - Startup: Microsoft Greetings Reminders.lnk = C:\Program Files\Microsoft Home Publishing\MHPRMIND.EXE
    O4 - Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
    O4 - Startup: PowerReg SchedulerV2.exe
    O4 - Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
    O12 - Plugin for .swf: C:\Program Files\Netscape\Communicator\Program\PLUGINS\npswf32.dll
    O12 - Plugin for .php: C:\Program Files\Netscape\Communicator\Program\PLUGINS\nppdf32.dll
  • edited June 2006
    It looks good :) Do you still have any problems?
  • edited June 2006
    It doesn't seem like I am having any more problems now. Should I delete everything that I downloaded to fix this or leave it on the system? Thank you very much for all your help.
  • edited June 2006
    Yes, you can delete cwshredder, dllcompare, hoster and about:buster if you like.

    Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:
    • Make your Internet Explorer more secure - This can be done by following these simple instructions:
    • From within Internet Explorer click on the Tools menu and then click on Options.
    • Click once on the Security tab
    • Click once on the Internet icon so it becomes highlighted.
    • Click once on the Custom Level button.
    • Change the Download signed ActiveX controls to Prompt
    • Change the Download unsigned ActiveX controls to Disable
    • Change the Initialize and script ActiveX controls not marked as safe to Disable
    • Change the Installation of desktop items to Prompt
    • Change the Launching programs and files in an IFRAME to Prompt
    • Change the Navigate sub-frames across different domains to Prompt
    • When all these settings have been made, click on the OK button.
    • If it prompts you as to whether or not you want to save the settings, press the Yes button.
    • Next press the Apply button and then the OK to exit the Internet Properties page.
    • Use an AntiVirus Software - It is very important that your computer has an anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future.

    See this link for a listing of some online & their stand-alone antivirus programs:

    Virus, Spyware, and Malware Protection and Removal Resources

    • Update your AntiVirus Software - It is imperative that you update your Antivirus software at least once a week (even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.

    • Use a Firewall - I cannot stress how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a Firewall in its default configuration can lower your risk greatly.

      For a tutorial on Firewalls and a listing of some available ones see the link below:

      Understanding and Using Firewalls

    • Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer always has the latest security updates available installed. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

    • Install Ad-Aware - Install and download Ad-Aware. You should also scan your computer with this program on a regular basis, just as you would with antivirus software, in conjunction with Spybot.

      A tutorial on installing & using this product can be found here:

      Using Ad-aware to remove Spyware, Malware, & Hijackers from Your Computer

    • Install Spybot - Search and Destroy - Install and download Spybot - Search and Destroy with its TeaTimer option.

      This will provide real-time spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with this program on a regular basis, just as you would with antivirus software. A tutorial on installing & using this product can be found here:

      Instructions for - Spybot S & D and Ad-aware

    • Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.

      A tutorial on installing & using this product can be found here:

      Using SpywareBlaster to protect your computer from Spyware and Malware

    • Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
    Follow this list and your potential for being infected again will reduce dramatically.

    Here are some additional utilities that will enhance your safety
    • IE/Spyad <= IE/Spyad places over 4000 websites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.
    • MVPS Hosts file <= The MVPS Hosts file replaces your current HOSTS file with one containing well-known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer.
    • Google Toolbar <= Get the free google toolbar to help stop pop up windows.
    • Winpatrol <= Download and install the free version of Winpatrol. A tutorial for this product is located here:
      Using Winpatrol to protect your computer from malicious software

    Stand Up and Be Counted ---> Malware Complaints <--- where you can make difference!

    The site offers people who have been (or are) victims of malware the opportunity to document their story and, in that way, launch a complaint against the malware and the makers of the malware.

    Also, please read this great article by Tony Klein So How Did I Get Infected In First Place

    Happy surfing and stay clean!