
possible bho

win98 se with all critical updates
ie 6 sp 1 with all critical updates
hijackthis 1.98.0002
cwshredder 1.13.3 [ run in normal & safe mode ]

spybot 1.3 with latest updates
ad-aware with latest updates

full [ paid for ] version of pest patrol installed today

popup windows keep appearing

scanned with sophos [ native ] & at panda

HJT log  
Logfile of HijackThis v1.98.0002
Scan saved at 9:38:49 PM, on 11/11/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\SOPHOS\REMOTE UPDATE\CACHEMGR.EXE
C:\WINDOWS\TEMP\ICSUPP95.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\STARTER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\LOGITECH\MOUSEWARE\SYSTEM\EM_EXEC.EXE
C:\PROGRAM FILES\REAL\REALPLAYER\REALPLAY.EXE
C:\PROGRAM FILES\SOPHOS SWEEP\ICMON.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\PROGRAM FILES\PESTPATROL\PPCONTROL.EXE
C:\PROGRAM FILES\PESTPATROL\PPMEMCHECK.EXE
C:\PROGRAM FILES\PESTPATROL\COOKIEPATROL.EXE
C:\PROGRAM FILES\AIM\AIM.EXE
C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
C:\PROGRAM FILES\SOPHOS\REMOTE UPDATE\IMONITOR.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\UTILITIES_ED\HIJACK_THIS\HIJACKTHIS.EXE

O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\PROGRA~1\AIMTOO~1\AIMBAR.DLL
O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\LOGITECH\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [InterCheckMonitor] "C:\PROGRAM FILES\SOPHOS SWEEP\ICMON.EXE" -minimised
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [PestPatrol Control Center] C:\PROGRA~1\PESTPA~1\PPControl.exe
O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [Sweep95] C:\Program Files\Sophos SWEEP\ICLOAD95.EXE
O4 - HKLM\..\RunServices: [CacheMgr] C:\PROGRAM FILES\SOPHOS\REMOTE UPDATE\CACHEMGR.EXE
O4 - HKCU\..\Run: [ATI Launchpad] "C:\PROGRAM FILES\ATI MULTIMEDIA\MAIN\LAUNCHPD.EXE"
O4 - HKCU\..\Run: [AIM] C:\PROGRAM FILES\AIM\aim.exe -cnetwait.odl
O4 - Startup: America Online 8.0 Tray Icon.lnk = C:\Program Files\America Online 8.0\aoltray.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O4 - Startup: EPSON Status Monitor 3 Environment Check.lnk = C:\WINDOWS\SYSTEM\E_SRCV03.EXE
O4 - Startup: Remote Update Monitor.lnk = C:\Program Files\Sophos\Remote Update\imonitor.exe
O8 - Extra context menu item: &AIM Search - res://C:\PROGRA~1\AIMTOO~1\AIMBAR.DLL/aimsearch.htm
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: WeatherBug (HKCU)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (Yahoo! Companion) - http://us.dl1.yimg.com/download.companion.yahoo.com/dl/toolbar/yiebio5_3_12_0.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?38115.3755671296
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {469C7080-8EC8-43A6-AD97-45848113743C} - http://akamai.downloadv3.com/binaries/IA/nethv32_EN.cab
O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = tc.phx.cox.net
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 68.2.16.30,68.2.16.245,150.135.231.1  

Thanks.  

Ed
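When reviewing a HijackThis log like the one above, the lines a responder checks first are the O4 autoruns, the O16 ActiveX download hosts and the O17 DNS settings. The following parser is an added example, not part of this thread or of HijackThis itself; the sample log is a constructed excerpt in the v1.98 line format shown in the post.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample: a few lines copied in the HijackThis v1.98 format used above.
SAMPLE_LOG = """
O4 - HKLM\\..\\Run: [TaskMonitor] C:\\WINDOWS\\taskmon.exe
O4 - HKCU\\..\\Run: [AIM] C:\\PROGRAM FILES\\AIM\\aim.exe -cnetwait.odl
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
O17 - HKLM\\System\\CCS\\Services\\VxD\\MSTCP: NameServer = 68.2.16.30,68.2.16.245,150.135.231.1
"""

LINE_RE = re.compile(r"^(O\d+) - (.*)$")
O4_RE = re.compile(r"^(?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O16_RE = re.compile(r"^DPF: (?P<id>\S+)(?: \((?P<name>[^)]*)\))? - (?P<url>\S+)$")
O17_RE = re.compile(r"^(?P<key>[^:]+): (?P<setting>\w+) = (?P<value>.*)$")

def parse_hjt(text):
    """Return one dict per O-line, with O4/O16/O17 fields split out."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # process list, headers, blank lines
        kind, body = m.groups()
        entry = {"kind": kind, "raw": body}
        if kind == "O4" and (m4 := O4_RE.match(body)):
            entry.update(m4.groupdict())
        elif kind == "O16" and (m16 := O16_RE.match(body)):
            entry.update(m16.groupdict())
            entry["host"] = urlparse(entry["url"]).hostname
        elif kind == "O17" and (m17 := O17_RE.match(body)):
            entry.update(m17.groupdict())
            entry["servers"] = [s.strip() for s in entry["value"].split(",")]
        entries.append(entry)
    return entries

def summarize(entries):
    """Group what a reviewer checks first: autorun commands, DPF hosts, DNS servers."""
    summary = {"autoruns": [], "dpf_hosts": defaultdict(list), "nameservers": []}
    for e in entries:
        if e["kind"] == "O4" and "cmd" in e:
            summary["autoruns"].append((e["hive"], e["key"], e["name"], e["cmd"]))
        elif e["kind"] == "O16" and "host" in e:
            summary["dpf_hosts"][e["host"]].append(e["url"])
        elif e["kind"] == "O17" and e.get("setting") == "NameServer":
            summary["nameservers"].extend(e["servers"])
    summary["dpf_hosts"] = dict(summary["dpf_hosts"])
    return summary
```

Feeding the full log from the post through `summarize(parse_hjt(...))` gives a compact view of every download host and resolver the machine trusts, which is easier to compare against known vendors than reading the raw lines.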


 
SheharyaarSaahilCommented:
Hello edx15 =)

>> popup windows keep appearing

Are they from a particular malware website or those random popups which everyone gets ??
I think you should consider getting a popup stopper tool to block these popups :)
like Google Toolbar has a popup blocker to block all such popups >> http://toolbar.google.com/
 
edx15Author Commented:
yahoo toolbar with popup blocker installed.  

The sites are similar to those listed in my other post.  No, they are not random.  

This PC is on the same home LAN as the PC in my other post.  Each machine was used by the same male teenager.  When his machine became problematic, he took his surfing habits to the PC of his mother.  

Ed
 
SheharyaarSaahilCommented:
then i will advise to use the same tool on this machine also as i suggested for the first machine and check what they report in this one ??
 
edx15Author Commented:

At http://forum.aumha.org/viewtopic.php?start=15&t=8730, I found this entry, which notes one of the addresses in the spontaneous window


http://69.20.56.3/normal/yyy12.html. No content in browser window except box about Active X.
 
edx15Author Commented:
sheharyaarSaahil

Why the ??

Ed
 
ZeropointNRGCommented:
Please copy this page to Notepad and save it to desktop so you can do the steps from safe mode.

Go to My Computer->Tools->Folder Options->View tab and make sure that Show hidden files and folders is enabled. Also make sure that the System Files and Folders are showing/visible also.

Reboot into Safe Mode.

Open HJT again and fix the following (make sure not to miss any):

O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\PROGRA~1\AIMTOO~1\AIMBAR.DLL

O4 - HKCU\..\Run: [AIM] C:\PROGRAM FILES\AIM\aim.exe -cnetwait.odl

O8 - Extra context menu item: &AIM Search - res://C:\PROGRA~1\AIMTOO~1\AIMBAR.DLL/aimsearch.htm

O9 - Extra button: AIM (HKLM)

Then delete the following Folder

C:\PROGRAM FILES\AIM\AIM.EXE

Then, you should empty your temp folder. Delete everything in these folders but not the folders themselves:

C:\Windows\Temp\
C:\Documents and Settings\Your Name\Local Settings\Temp\

Restart your computer back to normal mode, Do a complete virus scan of your computer.

Post a fresh log.

Good Luck.
 
ZeropointNRGCommented:
Sorry, thought you had XP...nevermind about cleaning this folder

C:\Documents and Settings\Your Name\Local Settings\Temp\

I don't think this exists on 98..

 
SheharyaarSaahilCommented:
>> Why the ??

edx....do you have any confusion here ??
 
edx15Author Commented:
CetusMOD:

Thanks.  

Ed
