Two red circles with X

Question

SebastianMWS 0 Newbie Poster

18 Years Ago

Hello,

Browsing the net I received a present in a form of two red circles with X on my desktop shortcut bar down left (Win98SE). I found a post from 2005 about HijackThis installation and saving a copy of system scan log. I already marked the red X icons line and two lines with web.exe intruders, there might be other "extras" that I don't recognize. My Norton Anti Virus Ver.5 (daily updated) and Spyware Guard remained silent. This is how the system log looks like:

Logfile of HijackThis v1.99.1
Scan saved at 14:28:24, on 26.05.2006
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\IRMON.EXE
C:\PROGRAM FILES\COMPAQ\PROGRAMMABLE KEYS 95\CPQKL.EXE
C:\PROGRAM FILES\COMPAQ\PROGRAMMABLE KEYS 95\CPQKT.EXE
C:\WINDOWS\SYSTEM\ATICWD32.EXE
C:\WINDOWS\SYSTEM\ATITASK.EXE
C:\WINDOWS\SYSTEM\FPDISP3A.EXE
C:\PROGRAM FILES\ONSPEC\USB DISK\FLASHKSK.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\INTERNAT.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
C:\WINDOWS\SYSTEM\USBMONIT.EXE
C:\PROGRAM FILES\ADOBE\ACROBAT 4.0\DISTILLR\ACROTRAY.EXE
C:\PCSYNC\QDCTRAY.EXE
C:\PROGRAM FILES\PSION\PSIWIN\PSCONSV.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\NETGEAR\WG511V2\WLANCFG5.EXE
C:\PROGRAM FILES\PSION\PSIWIN\ELOGERR.EXE
C:\PROGRAM FILES\SPYWAREGUARD\SGMAIN.EXE
C:\PROGRAM FILES\SPYWAREGUARD\SGBHP.EXE
C:\PROGRAM FILES\SIOL\ADSL\APP\ENTERNET.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WEB.EXE
C:\WEB.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVW32.EXE
C:\BOSTJAN\SOFTWARE\HIJACKTHIS\HIJACKTHIS.EXE
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Encyclopćdia Britannica, Inc.
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\PROGRAM FILES\SPYWAREGUARD\DLPROTECT.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [IrMon] IrMon.exe
O4 - HKLM\..\Run: [Compaq PK Daemon] C:\Program Files\COMPAQ\Programmable Keys 95\CPQKL.EXE
O4 - HKLM\..\Run: [Compaq PK Tray Notification] C:\Program Files\COMPAQ\Programmable Keys 95\cpqkt.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [AtiCwd32] Aticwd32.exe
O4 - HKLM\..\Run: [AtiKey] Atitask.exe
O4 - HKLM\..\Run: [FinePrint Dispatcher] C:\WINDOWS\SYSTEM\fpdisp3a.exe
O4 - HKLM\..\Run: [USB Disk] C:\PROGRA~1\ONSPEC\USBDIS~1\FLashKsk.exe
O4 - HKLM\..\Run: [Necutray] LEXAREJ0.EXE
O4 - HKLM\..\Run: [internat.exe] internat.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~3\NAVAPW32.EXE /LOADQUIET
O4 - HKLM\..\Run: [Gene USB Monitor] C:\WINDOWS\SYSTEM\USBMonit.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] C:\WINDOWS\SYSTEM\mstask.exe
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 4.0\Distillr\AcroTray.exe
O4 - Startup: PC sync Quick Data Copy.lnk = C:\PCSYNC\QDCTRAY.EXE
O4 - Startup: PsiWin 2.3 Connection Server.lnk = C:\Program Files\Psion\PsiWin\Psconsv.exe
O4 - Startup: NETGEAR WG511v2 Wireless Assistant.lnk = C:\Program Files\NETGEAR\WG511v2\wlancfg5.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - http://download.zonelabs.com/bin/promotions/spywaredetector/ICSScanner37680.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 193.189.160.23,193.189.160.13

I'm sending a printscreen in attachment, please advise further actions. Thank you !

Kind regards

Bostjan Kravcar

windows-virus

This attachment is potentially unsafe to open. It may be an executable that is capable of making changes to your file system, or it may require specific software to open. Use caution and only open this attachment if you are comfortable working with msword files.

RedX_Circles-Printscreen.doc (72.5 KB)

2 Contributors
14 Replies
283 Views
1 Week Discussion Span
Latest Post 18 Years Ago Latest Post by Burton1

Burton1 2 Junior Poster in Training

18 Years Ago

Hello SebastianMWS, welcome to DaniWeb. My name is Justin and I will be helping you with your computer today. I will be helping clean all the maleware and spyware problems associated with your computer. Throughout my fix if you have any questions on the programs I am having you use don't be afraid to ask me.

Welcome,
Please follow the instructions provided, you may want to print out these instructions and use them as a reference.

Please download ewido anti-malware it is a free version of the program.

Install ewido anti-malware
When installing, under "Additional Options" uncheck..
- Install background guard
- Install scan via context menu
Launch ewido, there should be an icon on your desktop, double-click it.
The program will now open to the main screen.
When you run ewido for the first time, you may get a warning "Database could not be found!". Click OK. We will fix this in a moment.
You will need to update ewido to the latest definition files.
- On the left hand side of the main screen click update.
- Then click on Start Update.
The update will start and a progress bar will show the updates being installed.
(the status bar at the bottom will display ("Update successful")

If you are having problems with the updater, you can use this link to manually update ewido.
ewido manual updates

Once the updates are installed do the following:

Click on scanner
Click on Complete System Scan and the scan will begin.
You will be prompted to clean the first infection.
Select "Perform action on all infections", then proceed.
Once the scan has completed, there will be a button located on the bottom of the screen named Save report
Click Save report.
Save the report .txt file to your desktop or a location where you can find it easily.

Close ewido anti-malware.

Burton1 2 Junior Poster in Training

18 Years Ago

Lets try this

Download smitRem.exe ©noahdfear, and save the file to your desktop.
Double click on the file to extract it to it's own folder on the desktop.
Place a shortcut to Panda ActiveScan on your desktop (in Internet Explorer, right click on Panda ActiveScan link select "Copy Shortcut" then right click on your desktop and select "Paste Shortcut" or in FireFox right-click the link and select "Save Link As" and save it to your desktop).

If you have not already installed Ad-Aware SE 1.06, follow these download and setup instructions, otherwise, check for updates:
Ad-Aware SE Setup
Don't run it yet!
Next, please reboot your computer in SafeMode by doing the following:

Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
Instead of Windows loading as normal, a menu should appear
Select the first option, to run Windows in Safe Mode.

Now scan with HJT and place a checkmark next to each of the following items and click FIX CHECKED:
===================================================
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe

===================================================
Close HiJackThis.
Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen.
Wait for the tool to complete and disk cleanup to finish.
The tool will create a log named smitfiles.txt in the root of your drive, eg; Local Disk C: or partition where your operating system is installed. Please post that log along with all others requested in your next reply.

Next go to Control Panel click Display > Desktop > Customize Desktop > Web > Uncheck "Security Info" if present.
Reboot back into Windows and click the Panda ActiveScan shortcut.

Once you are on the Panda site click the Scan your PC button.
A new window will open...click the Check Now button.
- Enter your Country
- Enter your State/Province
- Enter your e-mail address and click send
- Select either Home User or Company
- Click the big Scan Now button
If it wants to install an ActiveX component allow it
It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
When the download is complete, click on My Computer to start the scan
When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location.

Post the contents of the Panda scan report, along with a new HijackThis Log, the contents of smitfiles.txt by using Add Reply.
Let us know if any problems persist.

Burton1 2 Junior Poster in Training

18 Years Ago

Well Do you still have the X's on the Bottom right?

Burton1 2 Junior Poster in Training

18 Years Ago

Could you please save the log file and post it on here. I Want to take a look at the Active Scan. Just let it scan all the way through.

Reply to this topic

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.

SebastianMWS 0 Newbie Poster · Answer 1 · 2006-05-26T20:21:21+00:00

Hello SebastianMWS, welcome to DaniWeb. My name is Justin and I will be helping you with your computer today. I will be helping clean all the maleware and spyware problems associated with your computer. Throughout my fix if you have any questions on the programs I am having you use don't be afraid to ask me.
Welcome,
Please follow the instructions provided, you may want to print out these instructions and use them as a reference.
Please download ewido anti-malware it is a free version of the program.
Install ewido anti-malware

When installing, under "Additional Options" uncheck..
Install background guard

Install scan via context menu

Launch ewido, there should be an icon on your desktop, double-click it.

The program will now open to the main screen.

When you run ewido for the first time, you may get a warning "Database could not be found!". Click OK. We will fix this in a moment.

You will need to update ewido to the latest definition files.
On the left hand side of the main screen click update.

Then click on Start Update.

The update will start and a progress bar will show the updates being installed.
(the status bar at the bottom will display ("Update successful")

If you are having problems with the updater, you can use this link to manually update ewido.
ewido manual updates
Once the updates are installed do the following:
Click on scanner

Click on Complete System Scan and the scan will begin.

You will be prompted to clean the first infection.

Select "Perform action on all infections", then proceed.

Once the scan has completed, there will be a button located on the bottom of the screen named Save report

Click Save report.

Save the report .txt file to your desktop or a location where you can find it easily.

Close ewido anti-malware.

Hello Burton,

Thanks for such a fast response. There's a small problem though, Enwido is for Win2000 and XP only, at least that's what is stated on their web site/Enwido download page.

Kind regards

Bostjan Kravcar

SebastianMWS 0 Newbie Poster · Answer 2 · 2006-05-27T00:35:36+00:00

SebastianMWS 0 Newbie Poster

18 Years Ago

A follow up, while humbly waiting for further instructions - like alternative Anti-Malware tool, equally efficient to Ewido and Win98SE compatible (Ewido is available for Win2000 and XP only):

- I ran a freshly updated Norton Anti-Virus in Safe-Mode, nothing found as expected (NAV didn't even twitch when I got those red circles)
- Restarted machine, tried and successfully deleted C:\web.exe, but failed to do the same with C:\winstall.exe, received a message.."cannot delete, Windows is using...", like expected
- I ran completely updated Lavasoft AdawareSE Personal, it found 37 objects, among them Files, one Folder, Registry Values, you name it. I proceeded to Quarantine and Delete step, AdAware stopped in the middle of deleting and halted (not freezed, I could exit by clicking X button).
- I ran AdAware once again (just in case..), it found 36! objects (apparently didn't do much of a job in a first attempt); 13 Registry Values, 22 files, 1 folder (I'm posting this log file in attachment).
- Restarted machine, looks clean now but I'm just not that naive.

I would appreciate further instructions as soon as possible, got piles of work waiting. Thanks in advance !

Oh, one more thing; I have a Spyware Guard from Javacool Software LCC (free download) installed on machine, that thing is supposed to be real-time spyware (does it differ from malware?) guard, it didn't detect one single intrusion since installation, while I had Lavasoft AdAwareSE (no real-time version for free) quite busy. Can anyone tell me if that SG is any good at all or I would be better without it, even more so because it's slowing down the machine.

Kind regards

Bostjan Kravcar

AdAware_Scan_Log.txt (30.63 KB)

The attachment preview is chopped off after the first 10 KB. Please download the entire file.

d-Aware SE Build 1.06r1
Logfile Created on:26. maj 2006 19:15:16
Created with Ad-Aware SE Personal, free for private use.
Using definitions file:SE1R109 22.05.2006


References detected during the scan:

SpywareNo(TAC index:10):20 total references
Tracking Cookie(TAC index:3):16 total references


Ad-Aware SE Settings
===========================
Set : Search for negligible risk entries
Set : Safe mode (always request confirmation)
Set : Scan active processes
Set : Scan registry
Set : Deep-scan registry
Set : Scan my IE Favorites for banned URLs
Set : Scan my Hosts file

Extended Ad-Aware SE Settings
===========================
Set : Unload recognized processes & modules during scan
Set : Scan registry for all users instead of current user only
Set : Always try to unload modules before deletion
Set : Let Windows remove files in use at next reboot
Set : Delete quarantined objects after restoring
Set : Include basic Ad-Aware settings in log file
Set : Include additional Ad-Aware settings in log file
Set : Include reference summary in log file
Set : Include alternate data stream details in log file
Set : Play sound at scan completion if scan locates critical objects


26.05.2006 19:15:16 - Scan started. (Full System Scan)

Listing running processes


#:1 [KERNEL32.DLL]
    FilePath           : C:\WINDOWS\SYSTEM\
    ProcessID          : 4293878055
    Threads            : 4
    Priority           : High
    FileVersion        : 4.10.2222
    ProductVersion     : 4.10.2222
    ProductName        : Microsoft(R) Windows(R) Operating System
    CompanyName        : Microsoft Corporation
    FileDescription    : Win32 Kernel core component
    InternalName       : KERNEL32
    LegalCopyright     : Copyright (C) Microsoft Corp. 1991-1999
    OriginalFilename   : KERNEL32.DLL

#:2 [MSGSRV32.EXE]
    FilePath           : C:\WINDOWS\SYSTEM\
    ProcessID          : 4294948287
    Threads            : 1
    Priority           : Normal
    FileVersion        : 4.10.2222
    ProductVersion     : 4.10.2222
    ProductName        : Microsoft(R) Windows(R) Operating System
    CompanyName        : Microsoft Corporation
    FileDescription    : Windows 32-bit VxD Message Server
    InternalName       : MSGSRV32
    LegalCopyright     : Copyright (C) Microsoft Corp. 1992-1998
    OriginalFilename   : MSGSRV32.EXE

#:3 [MPREXE.EXE]
    FilePath           : C:\WINDOWS\SYSTEM\
    ProcessID          : 4294943311
    Threads            : 1
    Priority           : Normal
    FileVersion        : 4.10.1998
    ProductVersion     : 4.10.1998
    ProductName        : Microsoft(R) Windows(R) Operating System
    CompanyName        : Microsoft Corporation
    FileDescription    : WIN32 Network Interface Service Process
    InternalName       : MPREXE
    LegalCopyright     : Copyright (C) Microsoft Corp. 1993-1998
    OriginalFilename   : MPREXE.EXE

#:4 [mmtask.tsk]
    FilePath           : C:\WINDOWS\SYSTEM\
    ProcessID          : 4294935863
    Threads            : 1
    Priority           : Normal
    FileVersion        : 4.03.1998
    ProductVersion     : 4.03.1998
    ProductName        : Microsoft Windows
    CompanyName        : Microsoft Corporation
    FileDescription    : Multimedia background task support module
    InternalName       : mmtask.tsk
    LegalCopyright     : Copyright  Microsoft Corp. 1991-1998
    OriginalFilename   : mmtask.tsk

#:5 [MSTASK.EXE]
    FilePath           : C:\WINDOWS\SYSTEM\
    ProcessID          : 4294938483
    Threads            : 2
    Priority           : Normal
    FileVersion        : 4.71.1959.1
    ProductVersion     : 4.71.1959.1
    ProductName        : Microsoft Windows Task Scheduler
    CompanyName        : Microsoft Corporation
    FileDescription    : Task Scheduler Engine
    InternalName       : TaskScheduler
    LegalCopyright     : Copyright (C) Microsoft Corp. 1997
    OriginalFilename   : mstask.exe

#:6 [EXPLORER.EXE]
    FilePath           : C:\WINDOWS\
    ProcessID          : 4294838683
    Threads            : 25
    Priority           : Normal
    FileVersion        : 4.72.3110.1
    ProductVersion     : 4.72.3110.1
    ProductName        : Microsoft(R) Windows NT(R) Operating System
    CompanyName        : Microsoft Corporation
    FileDescription    : Windows Explorer
    InternalName       : explorer
    LegalCopyright     : Copyright (C) Microsoft Corp. 1981-1997
    OriginalFilename   : EXPLORER.EXE

#:7 [TASKMON.EXE]
    FilePath           : C:\WINDOWS\
    ProcessID          : 4294784035
    Threads            : 1
    Priority           : Normal
    FileVersion        : 4.10.1998
    ProductVersion     : 4.10.1998
    ProductName        : Microsoft(R) Windows(R) Operating System
    CompanyName        : Microsoft Corporation
    FileDescription    : Task Monitor
    InternalName       : TaskMon
    LegalCopyright     : Copyright (C) Microsoft Corp. 1998
    OriginalFilename   : TASKMON.EXE

#:8 [SYSTRAY.EXE]
    FilePath           : C:\WINDOWS\SYSTEM\
    ProcessID          : 4294781611
    Threads            : 2
    Priority           : Normal
    FileVersion        : 4.10.2222
    ProductVersion     : 4.10.2222
    ProductName        : Microsoft(R) Windows(R) Operating System
    CompanyName        : Microsoft Corporation
    FileDescription    : System Tray Applet
    InternalName       : SYSTRAY
    LegalCopyright     : Copyright (C) Microsoft Corp. 1993-1998
    OriginalFilename   : SYSTRAY.EXE

#:9 [IRMON.EXE]
    FilePath           : C:\WINDOWS\SYSTEM\
    ProcessID          : 4294795887
    Threads            : 1
    Priority           : Normal
    FileVersion        : 4.10.1998
    ProductVersion     : 4.10.1998
    ProductName        : Microsoft Infrared Support
    CompanyName        : Microsoft Corporation
    FileDescription    : Microsoft Infrared Control Panel
    InternalName       : Infrared
    LegalCopyright     :  1998 Microsoft. Portions  Hewlett-Packard 
    OriginalFilename   : irmon.exe

#:10 [CPQKL.EXE]
    FilePath           : C:\PROGRAM FILES\COMPAQ\PROGRAMMABLE KEYS 95\
    ProcessID          : 4294787887
    Threads            : 1
    Priority           : Normal
    FileVersion        : 1.10.A1
    ProductVersion     : 1.10.A1
    ProductName        : Compaq Programmable Keys
    CompanyName        : Compaq Computer Corporation
    FileDescription    : Compaq Programmable Keys Daemon Loader App
    InternalName       : cpqkl
    LegalCopyright     : Copyright  1995,1997 Compaq Computer Corporation
    OriginalFilename   : cpqkl.exe

#:11 [CPQKT.EXE]
    FilePath           : C:\PROGRAM FILES\COMPAQ\PROGRAMMABLE KEYS 95\
    ProcessID          : 4294818287
    Threads            : 1
    Priority           : Normal
    FileVersion        : 1.10.D1
    ProductVersion     : 1.10.D1
    ProductName        : Compaq Programmable Keys Taskbar Notification
    CompanyName        : Compaq Computer Corporation
    FileDescription    : Compaq Programmable Keys Taskbar Notification
    InternalName       : CPQKT
    LegalCopyright     : Copyright  1995,1998 Compaq Computer Corporation
    OriginalFilename   : cpqkt.exe
    Comments           : Compaq Programmable Keys Taskbar Notification

#:12 [ATICWD32.EXE]
    FilePath           : C:\WINDOWS\SYSTEM\
    ProcessID          : 4294779919
    Threads            : 2
    Priority           : Normal
    FileVersion        : 4.11.2559
    ProductVersion     : 4.11.2559
    ProductName        : ATI Technologies Inc.
    CompanyName        : ATI Technologies Inc.
    FileDescription    : ATI Common Windows Display Driver Extension
    InternalName       : ATICWD32
    LegalCopyright     : Copyright  ATI Technologies Inc., 1998
    OriginalFilename   : ATICWD32.EXE

#:13 [ATITASK.EXE]
    FilePath           : C:\WINDOWS\SYSTEM\
    ProcessID          : 4294813095
    Threads            : 1
    Priority           : Normal
    FileVersion        : 4.11.2315
    ProductVersion     : 4.11.2315
    ProductName        : ATI Technologies, Inc.
    CompanyName        : ATI Technologies, Inc.
    FileDescription    : ATI Task Application
    InternalName       : AtiTask
    LegalCopyright     : Copyright  ATI Technologies Inc. 1998
    OriginalFilename   : AtiTask

#:14 [FPDISP3A.EXE]
    FilePath           : C:\WINDOWS\SYSTEM\
    ProcessID          : 4294804403
    Threads            : 1
    Priority           : Normal
    FileVersion        : 3.60
    ProductVersion     : 3.60
    ProductName        : FinePrint
    CompanyName        : Single Track Software
    FileDescription    : FinePrint
    InternalName       : fpdisp3
    LegalCopyright     : Copyright (c) 1995-1999 Single Track Software0
    OriginalFilename   : fpdisp3.exe

#:15 [FLASHKSK.EXE]
    FilePath           : C:\PROGRAM FILES\ONSPEC\USB DISK\
    ProcessID          : 4294834127
    Threads            : 1
    Priority           : Normal
    FileVersion        : V1.05
    ProductVersion     : V1.05
    ProductName        : FlashKiosk Application
    CompanyName        : CompuApps, Inc.
    FileDescription    : FlashKiosk Application for the Flash Toaster
    InternalName       : FlashKiosk
    LegalCopyright     : Copyright (C) 2000 CompuApps, Inc
    OriginalFilename   : FlashKsk.EXE
    Comments           : FlashKiosk

#:16 [SPOOL32.EXE]
    FilePath           : C:\WINDOWS\SYSTEM\
    ProcessID          : 4294835695
    Threads            : 2
    Priority           : Normal
    FileVersion        : 4.10.1998
    ProductVersion     : 4.10.1998
    ProductName        : Microsoft(R) Windows(R) Operating System
    CompanyName        : Microsoft Corporation
    FileDescription    : Spooler Sub System Process
    InternalName       : spool32
    LegalCopyright     : Copyright (C) Microsoft Corp. 1994 - 1998
    OriginalFilename   : spool32.exe

#:

SebastianMWS 0 Newbie Poster · Answer 3 · 2006-05-27T16:57:04+00:00

OK, here's how it went:

I followed the procedure, downloaded smitrem.exe, copied shortcut to desktop and did the same with Panda Active Scan link. Rebooted machine in Safe-Mode, ran HJT.

- After a thorough check I could not find...

o4 HKCU\..\Run ... C:\winstall

..anymore, aparently a former run of AdAware did some job afterall.

I proceeded to smitrem Folder and ran RunThis.bat, got txt file in C:\ root.

There is no such thing as Security Check in CP/Desktop/Cust. desktop/Web check option on my machine, the only setting for security are in Internet options/Security and Privacy, where level of security can be set (Internet, Intranet, Trusted sites,Restricted Sites)

I rebooted machine again, while windows were starting, that Spyware Guard I mentioned in previous post finally woke up for the first time !!, can you imagine ? First there wa alert about IE settings being changed from..

http://home.microsoft/access/allinone.asp .. to

http://www.microsoft.com/isapi/redir.dll?prd=iear=iesearch

I confirmed new setting and got another alert about IE Search bar being change from..

"NONE" to http://search.msn.com/spbasic.htm

Confirmed the new setting again (what did I know, there was no instruction about that, I just had to turn left or right).

- Next: I started Panda Active Scan and went to bed to proceed next morning. When I checked the results, I noticed scan progress bar stopped in the middle, I could tell by number of files scanned that Panda finished with hard drive C:\ and I could see it moved to D: drive, which is CD drive.

All Panda buttons were freezed, I could not click anything or exit from Panda. Hit CTRL-ALT-DEL to see which process is not responding, it was Wlancfg5. I ended the process, but with no avail to Panda functioning, so I close it down and got "not responding" window in the process. Panda did find 29 Spyware files and 2 Hacking tools, but I could not process disinfection.

I started Panda once again to see where it stops - it scanned the entire hard drive again, found exactly the same number of Spyware, but then it moved again to drive D (CD) and stopped immediately with Error window "Mapisp32 performed illegal operation..". I chose CLOSE and got another window, this time Choose Profile of MS Outlook, which I don't have installed and use Outlook Express as a default e-mail. When I closed this window, got blank blue screen and PC freezed, hitting CTRL-ALT-DEL revealed that no process has stopped responding.

I guess it's pointless to go anyfurther without your smart instructions, I'm including 2/3 files requested, without Panda log, obviously.

I'm confident that the mess will be sorted out, thanks to beautiful people on this forum.

Awaiting further instructions..

Sebastian

SebastianMWS 0 Newbie Poster · Answer 4 · 2006-05-28T01:39:30+00:00

Nope, those are gone, but there's quite a lot of stuff that Active Scan found on the hard drive, so how am I gonna get rid of those if I can't make Active Scan to finish and clean the filth ?

- Any idea how to avoid Active scan trying to use MS Outlook ?
- Any other trick I could try ? I'm afraid that if I give up on Active scan and just run AdAware once again, it won't be the same. Afterall, AdAware failed to search and clean the most subborn filth once already, why should I trust it will do the work this time ?

Any help for final touch in this cleaning session appreciated.

Kind regards

Sebastian

SebastianMWS 0 Newbie Poster · Answer 5 · 2006-05-29T16:43:14+00:00

SebastianMWS 0 Newbie Poster

18 Years Ago

Latest news:

- I ran Active Scan once again to see if I can choose some different settings to avoid automatic Outlook launch. This time instead My computer I chose local disks to scan. The process ran smoothly and finished scanning the disk, Outlook profile window didn't open this time and I could save the log (in attachment).

- Last Active Scan session revealed even more spyware files, so I was curious if AdAware will something this time...nothing at all.

- I ran HijackThis once again, there's still an empty button present...

O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)

I'd like to know waht it is and if it needs to be deleted ?

- Maybe I should wait for a knowledgable advise, but I searched for Cookies from Active Scan log and deleted them all. Furthermore, there was an iLookup item that I also decided to delete. At first it looked like a no can do job, since Delete command didn't react, but after a while, it was gone...at least I don't see it anymore in Explorer.

Is there any further action that needs to be done ?

Kind regards

Sebastian

Activescan_27_05_06.txt (12.94 KB)

The attachment preview is chopped off after the first 10 KB. Please download the entire file.

Incident                                                                        Status                        Location                                                                                                                                                                                                                                                        

Potentially unwanted tool:Application/Processor                                 Not disinfected               C:\WINDOWS\Desktop\smitRem.exe[smitRem/Process.exe]                                                                                                                                                                                                             
Potentially unwanted tool:Application/Processor                                 Not disinfected               C:\WINDOWS\Desktop\smitRem\Process.exe                                                                                                                                                                                                                          
Spyware:Cookie/Preferences                                                      Not disinfected               C:\WINDOWS\Profiles\kravcar\Cookies\kravcar@preferences[2].txt                                                                                                                                                                                                  
Spyware:Cookie/Preferences                                                      Not disinfected               C:\WINDOWS\Profiles\kravcar\Cookies\kravcar@preferences[1].txt                                                                                                                                                                                                  
Spyware:Cookie/Preferences                                                      Not disinfected               C:\WINDOWS\Profiles\vagaja\Cookies\vagaja@preferences[2].txt                                                                                                                                                                                                    
Spyware:Cookie/Preferences                                                      Not disinfected               C:\WINDOWS\Profiles\vagajan\Cookies\vagajan@preferences[2].txt                                                                                                                                                                                                  
Spyware:Cookie/BurstNet                                                         Not disinfected               C:\WINDOWS\Profiles\vagajan\Cookies\anyuser@burstnet[2].txt                                                                                                                                                                                                     
Spyware:Cookie/Com.com                                                          Not disinfected               C:\WINDOWS\Profiles\vagajan\Cookies\anyuser@de.uol.com[1].txt                                                                                                                                                                                                   
Spyware:Cookie/Com.com                                                          Not disinfected               C:\WINDOWS\Profiles\vagajan\Cookies\anyuser@de.uol.com[2].txt                                                                                                                                                                                                   
Spyware:Cookie/Belnk                                                            Not disinfected               C:\WINDOWS\Profiles\vagajan\Cookies\anyuser@dist.belnk[2].txt                                                                                                                                                                                                   
Spyware:Cookie/Belnk                                                            Not disinfected               C:\WINDOWS\Profiles\vagajan\Cookies\anyuser@belnk[2].txt                                                                                                                                                                                                        
Spyware:Cookie/Xiti                                                             Not disinfected               C:\WINDOWS\Profiles\vagajan\Cookies\anyuser@xiti[1].txt                                                                                                                                                                                                         
Spyware:Cookie/fe.lea.lycos                                                     Not disinfected               C:\WINDOWS\Profiles\vagajan\Cookies\anyuser@fe.lea.lycos[1].txt                                                                                                                                                                                                 
Spyware:Cookie/Yadro                                                            Not disinfected               C:\WINDOWS\Profiles\vagajan\Cookies\anyuser@yadro[1].txt                                                                                                                                                                                                        
Spyware:Cookie/Advnt                                                            Not disinfected               C:\WINDOWS\Profiles\vagajan\Cookies\anyuser@www.advnt01[1].txt                                                                                                                                                                                                  
Spyware:Cookie/Hbmediapro                                                       Not disinfected               C:\WINDOWS\Profiles\vagajan\Cookies\anyuser@adopt.hbmediapro[2].txt                                                                                                                                                                                             
Spyware:Cookie/Com.com                                                          Not disinfected               C:\WINDOWS\Profiles\vagajan\Cookies\anyuser@uol.com[2].txt                                                                                                                                                                                                      
Spyware:Cookie/Go                                                               Not disinfected               C:\WINDOWS\Profiles\vagajan\Cookies\anyuser@go[2].txt                                                                                                                                                                                                           
Spyware:Cookie/Com.com                                                          Not disinfected               C:\WINDOWS\Profiles\vagajan\Cookies\anyuser@com[1].txt                                                                                                                                                                                                          
Spyware:Cookie/Com.com                                                          Not disinfected               C:\WINDOWS\Profiles\vagajan\Cookies\anyuser@terra.com[1].txt                                                                                                                                                                                                    
Spyware:Cookie/Atwola                                                           Not disinfected               C:\WINDOWS\Profiles\vagajan\Cookies\anyuser@atwola[1].txt                                                                                                                                                                                                       
Spyware:Cookie/Searchportal                                                     Not disinfected               C:\WINDOWS\Profiles\vagajan\Cookies\anyuser@searchportal.information[1].txt                                                                                                                                                                                     
Spyware:Cookie/YieldManager                                                     Not disinfected               C:\WINDOWS\Profiles\vagajan\Cookies\anyuser@ad.yieldmanager[1].txt                                                                                                                                                                                              
Spyware:Cookie/Com.com                                                          Not disinfected               C:\WINDOWS\Profiles\vagajan\Cookies\anyuser@uol.com[3].txt                                                                                                                                                                                                      
Spyware:Cookie/BurstNet                                                         Not disinfected               C:\WINDOWS\Profiles\vagajan\Cookies\anyuser@burstnet[3].txt                                                                                                                                                                                                     
Spyware:Cookie/adultfriendfinder                                                Not disinfected               C:\WINDOWS\Profiles\vagajan\Cookies\anyuser@adultfriendfinder[1].txt                                                                                                                                                                                            
Spyware:Cookie/Xiti                                                             Not disinfected               C:\WINDOWS\Profiles\vagajan\Cookies\anyuser@xiti[2].txt

hijackthis_29_05_06.txt (4 KB)

Logfile of HijackThis v1.99.1
Scan saved at 12:19:09, on 29.05.2006
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\IRMON.EXE
C:\PROGRAM FILES\COMPAQ\PROGRAMMABLE KEYS 95\CPQKL.EXE
C:\PROGRAM FILES\COMPAQ\PROGRAMMABLE KEYS 95\CPQKT.EXE
C:\WINDOWS\SYSTEM\ATICWD32.EXE
C:\WINDOWS\SYSTEM\ATITASK.EXE
C:\WINDOWS\SYSTEM\FPDISP3A.EXE
C:\PROGRAM FILES\ONSPEC\USB DISK\FLASHKSK.EXE
C:\WINDOWS\SYSTEM\INTERNAT.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
C:\WINDOWS\SYSTEM\USBMONIT.EXE
C:\PROGRAM FILES\ADOBE\ACROBAT 4.0\DISTILLR\ACROTRAY.EXE
C:\PCSYNC\QDCTRAY.EXE
C:\PROGRAM FILES\PSION\PSIWIN\PSCONSV.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\NETGEAR\WG511V2\WLANCFG5.EXE
C:\PROGRAM FILES\PSION\PSIWIN\ELOGERR.EXE
C:\PROGRAM FILES\SPYWAREGUARD\SGMAIN.EXE
C:\PROGRAM FILES\SPYWAREGUARD\SGBHP.EXE
C:\PROGRAM FILES\SIOL\ADSL\APP\ENTERNET.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\BOSTJAN\SOFTWARE\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Encyclopdia Britannica, Inc.
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\PROGRAM FILES\SPYWAREGUARD\DLPROTECT.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [IrMon] IrMon.exe
O4 - HKLM\..\Run: [Compaq PK Daemon] C:\Program Files\COMPAQ\Programmable Keys 95\CPQKL.EXE
O4 - HKLM\..\Run: [Compaq PK Tray Notification] C:\Program Files\COMPAQ\Programmable Keys 95\cpqkt.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [AtiCwd32] Aticwd32.exe
O4 - HKLM\..\Run: [AtiKey] Atitask.exe
O4 - HKLM\..\Run: [FinePrint Dispatcher] C:\WINDOWS\SYSTEM\fpdisp3a.exe
O4 - HKLM\..\Run: [USB Disk] C:\PROGRA~1\ONSPEC\USBDIS~1\FLashKsk.exe
O4 - HKLM\..\Run: [Necutray] LEXAREJ0.EXE
O4 - HKLM\..\Run: [internat.exe] internat.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~3\NAVAPW32.EXE /LOADQUIET
O4 - HKLM\..\Run: [Gene USB Monitor] C:\WINDOWS\SYSTEM\USBMonit.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] C:\WINDOWS\SYSTEM\mstask.exe
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 4.0\Distillr\AcroTray.exe
O4 - Startup: PC sync Quick Data Copy.lnk = C:\PCSYNC\QDCTRAY.EXE
O4 - Startup: PsiWin 2.3 Connection Server.lnk = C:\Program Files\Psion\PsiWin\Psconsv.exe
O4 - Startup: NETGEAR WG511v2 Wireless Assistant.lnk = C:\Program Files\NETGEAR\WG511v2\wlancfg5.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - http://download.zonelabs.com/bin/promotions/spywaredetector/ICSScanner37680.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 193.189.160.23,193.189.160.13

Burton1 2 Junior Poster in Training · Answer 6 · 2006-05-29T22:05:10+00:00

O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
IS apart of real player.

Please post a HijackThis log.

SebastianMWS 0 Newbie Poster · Answer 7 · 2006-05-29T22:37:48+00:00

It's in attachment of my previous post, but if you prefer to see it in the text, here it is:

Logfile of HijackThis v1.99.1
Scan saved at 12:19:09, on 29.05.2006
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\IRMON.EXE
C:\PROGRAM FILES\COMPAQ\PROGRAMMABLE KEYS 95\CPQKL.EXE
C:\PROGRAM FILES\COMPAQ\PROGRAMMABLE KEYS 95\CPQKT.EXE
C:\WINDOWS\SYSTEM\ATICWD32.EXE
C:\WINDOWS\SYSTEM\ATITASK.EXE
C:\WINDOWS\SYSTEM\FPDISP3A.EXE
C:\PROGRAM FILES\ONSPEC\USB DISK\FLASHKSK.EXE
C:\WINDOWS\SYSTEM\INTERNAT.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
C:\WINDOWS\SYSTEM\USBMONIT.EXE
C:\PROGRAM FILES\ADOBE\ACROBAT 4.0\DISTILLR\ACROTRAY.EXE
C:\PCSYNC\QDCTRAY.EXE
C:\PROGRAM FILES\PSION\PSIWIN\PSCONSV.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\NETGEAR\WG511V2\WLANCFG5.EXE
C:\PROGRAM FILES\PSION\PSIWIN\ELOGERR.EXE
C:\PROGRAM FILES\SPYWAREGUARD\SGMAIN.EXE
C:\PROGRAM FILES\SPYWAREGUARD\SGBHP.EXE
C:\PROGRAM FILES\SIOL\ADSL\APP\ENTERNET.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\BOSTJAN\SOFTWARE\HIJACKTHIS\HIJACKTHIS.EXE
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Encyclopćdia Britannica, Inc.
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\PROGRAM FILES\SPYWAREGUARD\DLPROTECT.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [IrMon] IrMon.exe
O4 - HKLM\..\Run: [Compaq PK Daemon] C:\Program Files\COMPAQ\Programmable Keys 95\CPQKL.EXE
O4 - HKLM\..\Run: [Compaq PK Tray Notification] C:\Program Files\COMPAQ\Programmable Keys 95\cpqkt.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [AtiCwd32] Aticwd32.exe
O4 - HKLM\..\Run: [AtiKey] Atitask.exe
O4 - HKLM\..\Run: [FinePrint Dispatcher] C:\WINDOWS\SYSTEM\fpdisp3a.exe
O4 - HKLM\..\Run: [USB Disk] C:\PROGRA~1\ONSPEC\USBDIS~1\FLashKsk.exe
O4 - HKLM\..\Run: [Necutray] LEXAREJ0.EXE
O4 - HKLM\..\Run: [internat.exe] internat.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~3\NAVAPW32.EXE /LOADQUIET
O4 - HKLM\..\Run: [Gene USB Monitor] C:\WINDOWS\SYSTEM\USBMonit.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] C:\WINDOWS\SYSTEM\mstask.exe
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 4.0\Distillr\AcroTray.exe
O4 - Startup: PC sync Quick Data Copy.lnk = C:\PCSYNC\QDCTRAY.EXE
O4 - Startup: PsiWin 2.3 Connection Server.lnk = C:\Program Files\Psion\PsiWin\Psconsv.exe
O4 - Startup: NETGEAR WG511v2 Wireless Assistant.lnk = C:\Program Files\NETGEAR\WG511v2\wlancfg5.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - http://download.zonelabs.com/bin/promotions/spywaredetector/ICSScanner37680.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer =

One more thing - I'd like to ask again if there's any good to keep the Spyware Guard on my machine ? Latest problems are telling me it's not doing anything useful, barr slowing down the computer.

Kind regards

Sebastian

Burton1 2 Junior Poster in Training · Answer 8 · 2006-05-30T18:33:59+00:00

You should try re-installing it. If it does not work try using SpyWare Blaster.

SebastianMWS 0 Newbie Poster · Answer 9 · 2006-06-04T16:01:13+00:00

SebastianMWS 0 Newbie Poster

18 Years Ago

I guess this particular post is calling for a closure, too many people in distress to spend more time that really needed just for one. I order to be forced to seek help from experts on Dani Web as few times as possible, I would be grateful for some advice on optimum protection possible and available for my computer specifically. If this forum is not the right place to to seek such advice, please re-direct me to right place:

- I run Win98SE on a Pentium II 633 with 192MB RAM
- Internet connection through ADSL AP (PPPoE through Enternet Client), Broadband 1Mbps, WLAN WIFI WEP protected connection to my laptop with Netgear PCMCIA, fixed two DNS servers and dynamic IP provided by ISP
- Licenced Norton Anti-virus 5.02.04, updated through Live-Update
- Lavasoft AdAwareSE Personal, free version - without AdWatch !
- I uninstalled SpywareGuard today, it's done nothing good for me so far
- I have just completed installation of all available up to date Critical Updates for Windows 98SE and IE6 from MS website.

What's missing ? A lot I guess. I'm unemployed for the moment, buying software is not an option, so best free tools will have to do for now, I will compensate for the effort of good souls offering these tools with donations once I get a new job.

Please give me some recommendations, it's no good that all available free tools are listed, since I don't believe picking up just any one from the list yields the same efficiency.

- SW Firewall ?
- Real-time anti spyware ?
- Real-time anti Trojan detection/removal ? NAV seemed to cope with them fine, but now I'm not sure about anything anymore.
- Real time anti malware ?
- Mail protection ?

- Other tools, those real time and others for periodical scans and cleaning ?

Essentially I'm asking for an optimized set, a toolbox if you want, of alert and regulary updated watchdogs to aid my apparently exhausted and outdated NAV. Yesterday was the worst nightmare (barr 2 red circles), with 82 intruders counted by AdAware. Before I ran it, the machine practically stopped to respond (see attachments).

Thank you in advance !

Kind regards

Sebastian

Activescan_04_06_06.txt (1.8 KB)

Incident                                                                        Status                        Location                                                                                                                                                                                                                                                        

Potentially unwanted tool:Application/Processor                                 Not disinfected               C:\WINDOWS\Desktop\smitRem.exe[smitRem/Process.exe]                                                                                                                                                                                                             
Potentially unwanted tool:Application/Processor                                 Not disinfected               C:\WINDOWS\Desktop\smitRem\Process.exe                                                                                                                                                                                                                          
Spyware:Cookie/myaffiliateprogram                                               Not disinfected               C:\WINDOWS\Profiles\vagajan\Cookies\anyuser@www.myaffiliateprogram[1].txt                                                                                                                                                                                       
Spyware:Cookie/Falkag                                                           Not disinfected               C:\WINDOWS\Profiles\vagajan\Cookies\anyuser@as-us.falkag[2].txt

AdAware_03_06_06.txt (51.55 KB)

The attachment preview is chopped off after the first 10 KB. Please download the entire file.

Ad-Aware SE Build 1.06r1
Logfile Created on:3. junij 2006 18:48:48
Created with Ad-Aware SE Personal, free for private use.
Using definitions file:SE1R110 31.05.2006


References detected during the scan:

MRU List(TAC index:0):12 total references
Tracking Cookie(TAC index:3):82 total references


Ad-Aware SE Settings
===========================
Set : Search for negligible risk entries
Set : Safe mode (always request confirmation)
Set : Scan active processes
Set : Scan registry
Set : Deep-scan registry
Set : Scan my IE Favorites for banned URLs
Set : Scan my Hosts file

Extended Ad-Aware SE Settings
===========================
Set : Unload recognized processes & modules during scan
Set : Scan registry for all users instead of current user only
Set : Always try to unload modules before deletion
Set : Let Windows remove files in use at next reboot
Set : Delete quarantined objects after restoring
Set : Include basic Ad-Aware settings in log file
Set : Include additional Ad-Aware settings in log file
Set : Include reference summary in log file
Set : Include alternate data stream details in log file
Set : Play sound at scan completion if scan locates critical objects


03.06.2006 18:48:48 - Scan started. (Full System Scan)

 MRU List Object Recognized!
    Location:          : .DEFAULT\software\adobe\acrobat reader\6.0\avgeneral\crecentfiles
    Description        : list of recently used files in adobe reader


 MRU List Object Recognized!
    Location:          : .DEFAULT\software\microsoft\clipart gallery\2.0\mrudescription
    Description        : most recently used description in microsoft clipart gallery


 MRU List Object Recognized!
    Location:          : software\microsoft\directdraw\mostrecentapplication
    Description        : most recent application to use microsoft directdraw


 MRU List Object Recognized!
    Location:          : .DEFAULT\software\microsoft\internet explorer
    Description        : last download directory used in microsoft internet explorer


 MRU List Object Recognized!
    Location:          : .DEFAULT\software\microsoft\internet explorer\main
    Description        : last save directory used in microsoft internet explorer


 MRU List Object Recognized!
    Location:          : .DEFAULT\software\microsoft\internet explorer\typedurls
    Description        : list of recently entered addresses in microsoft internet explorer


 MRU List Object Recognized!
    Location:          : .DEFAULT\software\microsoft\office\8.0\common\open find\microsoft word\settings\open\file name mru
    Description        : list of recent documents opened by microsoft word


 MRU List Object Recognized!
    Location:          : .DEFAULT\software\microsoft\office\8.0\common\open find\microsoft word\settings\save as\file name mru
    Description        : list of recent documents saved by microsoft word


 MRU List Object Recognized!
    Location:          : .DEFAULT\software\microsoft\office\8.0\excel\recent file list
    Description        : list of recent files used by microsoft excel


 MRU List Object Recognized!
    Location:          : .DEFAULT\software\microsoft\windows\currentversion\applets\wordpad\recent file list
    Description        : list of recent files opened using wordpad


 MRU List Object Recognized!
    Location:          : .DEFAULT\software\microsoft\windows\currentversion\explorer\doc find spec mru
    Description        : list of recently used search terms for locating files using the microsoft windows operating system


 MRU List Object Recognized!
    Location:          : .DEFAULT\software\microsoft\windows media\wmsdk\general
    Description        : windows media sdk 


Listing running processes


#:1 [KERNEL32.DLL]
    FilePath           : C:\WINDOWS\SYSTEM\
    ProcessID          : 4293856213
    Threads            : 4
    Priority           : High
    FileVersion        : 4.10.2222
    ProductVersion     : 4.10.2222
    ProductName        : Microsoft(R) Windows(R) Operating System
    CompanyName        : Microsoft Corporation
    FileDescription    : Win32 Kernel core component
    InternalName       : KERNEL32
    LegalCopyright     : Copyright (C) Microsoft Corp. 1991-1999
    OriginalFilename   : KERNEL32.DLL

#:2 [MSGSRV32.EXE]
    FilePath           : C:\WINDOWS\SYSTEM\
    ProcessID          : 4294958925
    Threads            : 1
    Priority           : Normal
    FileVersion        : 4.10.2222
    ProductVersion     : 4.10.2222
    ProductName        : Microsoft(R) Windows(R) Operating System
    CompanyName        : Microsoft Corporation
    FileDescription    : Windows 32-bit VxD Message Server
    InternalName       : MSGSRV32
    LegalCopyright     : Copyright (C) Microsoft Corp. 1992-1998
    OriginalFilename   : MSGSRV32.EXE

#:3 [MPREXE.EXE]
    FilePath           : C:\WINDOWS\SYSTEM\
    ProcessID          : 4294953149
    Threads            : 1
    Priority           : Normal
    FileVersion        : 4.10.1998
    ProductVersion     : 4.10.1998
    ProductName        : Microsoft(R) Windows(R) Operating System
    CompanyName        : Microsoft Corporation
    FileDescription    : WIN32 Network Interface Service Process
    InternalName       : MPREXE
    LegalCopyright     : Copyright (C) Microsoft Corp. 1993-1998
    OriginalFilename   : MPREXE.EXE

#:4 [mmtask.tsk]
    FilePath           : C:\WINDOWS\SYSTEM\
    ProcessID          : 4294963141
    Threads            : 1
    Priority           : Normal
    FileVersion        : 4.03.1998
    ProductVersion     : 4.03.1998
    ProductName        : Microsoft Windows
    CompanyName        : Microsoft Corporation
    FileDescription    : Multimedia background task support module
    InternalName       : mmtask.tsk
    LegalCopyright     : Copyright  Microsoft Corp. 1991-1998
    OriginalFilename   : mmtask.tsk

#:5 [MSTASK.EXE]
    FilePath           : C:\WINDOWS\SYSTEM\
    ProcessID          : 4294860441
    Threads            : 2
    Priority           : Normal
    FileVersion        : 4.71.1959.1
    ProductVersion     : 4.71.1959.1
    ProductName        : Microsoft Windows Task Scheduler
    CompanyName        : Microsoft Corporation
    FileDescription    : Task Scheduler Engine
    InternalName       : TaskScheduler
    LegalCopyright     : Copyright (C) Microsoft Corp. 1997
    OriginalFilename   : mstask.exe

#:6 [EXPLORER.EXE]
    FilePath           : C:\WINDOWS\
    ProcessID          : 4294941597
    Threads            : 43
    Priority           : Normal
    FileVersion        : 4.72.3110.1
    ProductVersion     : 4.72.3110.1
    ProductName        : Microsoft(R) Windows NT(R) Operating System
    CompanyName        : Microsoft Corporation
    FileDescription    : Windows Explorer
    InternalName       : explorer
    LegalCopyright     : Copyright (C) Microsoft Corp. 1981-1997
    OriginalFilename   : EXPLORER.EXE

#:7 [TASKMON.EXE]
    FilePath           : C:\WINDOWS\
    ProcessID          : 4294885481
    Threads            : 1
    Priority           : Normal
    FileVersion        : 4.10.1998
    ProductVersion     : 4.10.1998
    ProductName        : Microsoft(R) Windows(R) Operating System
    CompanyName        : Microsoft Corporation
    FileDescription    : Task Monitor
    InternalName       : TaskMon
    LegalCopyright     : Copyright (C) Microsoft Corp. 1998
    OriginalFilename   : TASKMON.EXE

#:8 [SYSTRAY.EXE]
    FilePath           : C:\WINDOWS\SYSTEM\
    ProcessID          : 4294901137
    Threads            : 2
    Priority           : Normal
    FileVersion        : 4.10.2222
    ProductVersion     : 4.10.2222
    ProductName        : Microsoft(R) Windows(R) Operating System
    CompanyName        : Microsoft Corporation
    FileDescription    : System Tray Applet
    InternalName       : SYSTRAY
    LegalCopyright     : Copyright (C) Microsoft Corp. 1993-1998
    OriginalFilename   : SYSTRAY.EXE

#:9 [IRMON.EXE]
    FilePath           : C:\WINDOWS\SYSTEM\
    ProcessID          : 4294884901
    Threads            : 1
    Priority           : Normal
    FileVersion        : 4.10.1998
    ProductVersion     : 4.10.1998
    ProductName        : Microsoft Infrared Support
    CompanyName        : Microsoft Corporation
    FileDescription    : Microsoft Infrared Control Panel
    InternalName       : Infrared
    LegalCopyright     :  1998 Microsoft. Portions  Hewlett-Packard 
    OriginalFilename   : irmon.exe

#:10 [CPQKL.EXE]
    FilePath           : C:\PROGRAM FILES\COMPAQ\PROGRAMMABLE KEYS 95\
    ProcessID          : 4294793645
    Threads            : 1
    Priority           : Normal
    FileVersion        : 1.10.A1
    ProductVersion     : 1.10.A1
    ProductName        : Compaq Programmable Keys
    CompanyName        : Compaq Computer Corporation
    FileDescription    : Compaq Programmable Keys Daemon Loader App
    InternalName       : cpqkl
    LegalCopyright     : Copyright  1995,1997 Compaq Computer Corporation
    OriginalFilename   : cpqkl.exe

#:11 [CPQKT.EXE]
    FilePath           : C:\PROGRAM FILES\COMPAQ\PROGRAMMABLE KEYS 95\
    ProcessID          : 4294789817
    Threads            : 1
    Priority           : Normal
    FileVersion        : 1.10.D1
    ProductVersion     : 1.10.D1
    ProductName        : Compaq Programmable Keys Taskbar Notification
    CompanyName        : Compaq Computer Corporation
    FileDescription    : Compaq Programmable Keys Taskbar Notification
    InternalName       : CPQKT
    LegalCopyright     : Copyright  1995,1998 Compaq Computer Corporation
    OriginalFilename   : cpqkt.exe
    Comments           : Compaq Programmable Keys Taskbar Notification

#:12 [ATICWD32.EXE]
    FilePath           : C:\WINDOWS\SYSTEM\
    ProcessID          : 4294798225
    Threads            : 2
    Priority           : Normal
    FileVersion        : 4

hijackthis_04_06_06.txt (4.18 KB)

Logfile of HijackThis v1.99.1
Scan saved at 00:20:55, on 04.06.2006
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\IRMON.EXE
C:\PROGRAM FILES\COMPAQ\PROGRAMMABLE KEYS 95\CPQKL.EXE
C:\PROGRAM FILES\COMPAQ\PROGRAMMABLE KEYS 95\CPQKT.EXE
C:\WINDOWS\SYSTEM\ATICWD32.EXE
C:\WINDOWS\SYSTEM\ATITASK.EXE
C:\WINDOWS\SYSTEM\FPDISP3A.EXE
C:\PROGRAM FILES\ONSPEC\USB DISK\FLASHKSK.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\INTERNAT.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
C:\WINDOWS\SYSTEM\USBMONIT.EXE
C:\PROGRAM FILES\ADOBE\ACROBAT 4.0\DISTILLR\ACROTRAY.EXE
C:\PCSYNC\QDCTRAY.EXE
C:\PROGRAM FILES\PSION\PSIWIN\PSCONSV.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\PSION\PSIWIN\ELOGERR.EXE
C:\PROGRAM FILES\NETGEAR\WG511V2\WLANCFG5.EXE
C:\PROGRAM FILES\SPYWAREGUARD\SGMAIN.EXE
C:\PROGRAM FILES\CLICKTOCONVERT\C2CMONITOR.EXE
C:\PROGRAM FILES\SPYWAREGUARD\SGBHP.EXE
C:\PROGRAM FILES\SIOL\ADSL\APP\ENTERNET.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\LAVASOFT\AD-AWARE SE PERSONAL\AD-AWARE.EXE
C:\BOSTJAN\SOFTWARE\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Encyclopdia Britannica, Inc.
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\PROGRAM FILES\SPYWAREGUARD\DLPROTECT.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [IrMon] IrMon.exe
O4 - HKLM\..\Run: [Compaq PK Daemon] C:\Program Files\COMPAQ\Programmable Keys 95\CPQKL.EXE
O4 - HKLM\..\Run: [Compaq PK Tray Notification] C:\Program Files\COMPAQ\Programmable Keys 95\cpqkt.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [AtiCwd32] Aticwd32.exe
O4 - HKLM\..\Run: [AtiKey] Atitask.exe
O4 - HKLM\..\Run: [FinePrint Dispatcher] C:\WINDOWS\SYSTEM\fpdisp3a.exe
O4 - HKLM\..\Run: [USB Disk] C:\PROGRA~1\ONSPEC\USBDIS~1\FLashKsk.exe
O4 - HKLM\..\Run: [Necutray] LEXAREJ0.EXE
O4 - HKLM\..\Run: [internat.exe] internat.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~3\NAVAPW32.EXE /LOADQUIET
O4 - HKLM\..\Run: [Gene USB Monitor] C:\WINDOWS\SYSTEM\USBMonit.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] C:\WINDOWS\SYSTEM\mstask.exe
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 4.0\Distillr\AcroTray.exe
O4 - Startup: PC sync Quick Data Copy.lnk = C:\PCSYNC\QDCTRAY.EXE
O4 - Startup: PsiWin 2.3 Connection Server.lnk = C:\Program Files\Psion\PsiWin\Psconsv.exe
O4 - Startup: NETGEAR WG511v2 Wireless Assistant.lnk = C:\Program Files\NETGEAR\WG511v2\wlancfg5.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Startup: C2CMonitor.lnk = C:\Program Files\ClickToConvert\C2CMonitor.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - http://download.zonelabs.com/bin/promotions/spywaredetector/ICSScanner37680.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 193.189.160.23,193.189.160.13

Burton1 2 Junior Poster in Training · Answer 10 · 2006-06-05T18:43:16+00:00

Well you are clean so i will post my speech.

Here are some tips, to reduce the potential for spyware infection in the future, I strongly recommend installing the following applications:

Detect and Remove Programs:

How to use Ad-Aware to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Ad-Aware.
How to use Spybot to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Spybot. Similar to Ad-Aware, I strongly recommend both to catch most spyware.

Prevention Programs:

Spywareblaster <= SpywareBlaster will prevent spyware from being installed.
Spywareguard <= SpywareGuard offers realtime protection from spyware installation attempts.
IE/Spyad <= IE/Spyad places over 4000 websites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.
MVPS Hosts file <= The MVPS Hosts file replaces your current HOSTS file with one containing well know ad sites etc. Basically, this prevents your coputer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer
Google Toolbar <= Get the free google toolbar to help stop pop up windows.

Other necessary Programs:

AntiVirus Program<= An AntiVirus program is a must! Whether it is a free version like AVG or Anti-Vir, or a shareware version like Norton or Kapersky, this is a must have.
Firewall<= A firewall is definatley a must have. Two good free versions are Kerio and ZoneLabs.
More Secure Browser<= Internet Explorer is not the most secure and best browser. There are safer and better alternatives available. I recommend Firefox, however Opera and SlimBrowsers are good as well.

And also see TonyKlein's good advice
So how did I get infected in the first place?