Solved

Windows98 Hijackthis Log

Posted on 2006-04-28
Last Modified: 2013-11-12
Got a few spyware I CANNOT seem to ditch using Spybot and Adaware....
Please help.


Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\WINMODEM.101\wmexe.exe
C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
C:\PROGRAM FILES\WUSB11 WLAN MONITOR\WUSB11B.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\SYMTRAY.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCSETMGR.EXE
C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON UTILITIES\NPROTECT.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\STARTER.EXE
C:\PROGRAM FILES\VOYETRA\AUDIOSTATION2\VTRAY.EXE
C:\WINDOWS\GWHOTKEY.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\MHZOGFO.EXE
C:\WINDOWS\SYSTEM\MSWHEEL.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCPD-LC\SYMLCSVC.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
C:\PROGRAM FILES\MESSENGER\MSMSGS.EXE
C:\PROGRAM FILES\BRODERBUND\MAVIS BEACON TEACHES TYPING 12 STANDARD\MINIMAVIS.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\OSA.EXE
C:\WINDOWS\SYSTEM\CFGWIZ32.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS02
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ycomp_wave/defaults/sp/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/ymsgr/*http://www.yahoo.com/ext/search/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr/*http://www.yahoo.com
O2 - BHO: (no name) - {F5DE8ADB-4A69-4e56-96AB-823171C8E9D8} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O2 - BHO: CeresObj Class - {00000049-8F91-4D9C-9573-F016E7626484} - C:\WINDOWS\CERES.DLL
O3 - Toolbar: (no name) - {EA5A82FB-D6BE-44F9-9363-B1ABABC153C1} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: (no name) - {7FD44536-9DF0-4034-939F-5BD4D98E3187} - (no file)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [TIPS] C:\PROGRA~1\MICROS~1\tips\mouse\tips.exe
O4 - HKLM\..\Run: [POINTER] C:\PROGRA~1\MICROS~1\point32.exe
O4 - HKLM\..\Run: [VoyetraTray] C:\PROGRAM FILES\VOYETRA\AUDIOSTATION2\VTRAY.EXE /s
O4 - HKLM\..\Run: [Multi-function Keyboard] GWHotKey.exe
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [Dinst] C:\WINDOWS\dinst.exe
O4 - HKLM\..\Run: [mhzogfo] c:\windows\system\mhzogfo.exe
O4 - HKLM\..\Run: [Symantec Core LC] C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe start
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NPROTECT] C:\Program Files\Norton SystemWorks\Norton Utilities\Nprotect.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMON.EXE /Consumer
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [winmodem] WINMODEM.101\wmexe.exe
O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
O4 - HKLM\..\RunServices: [WUSB11B.exe] C:\Program Files\WUSB11 WLAN Monitor\WUSB11B.exe
O4 - HKLM\..\RunServices: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\SymTray.exe "Norton SystemWorks"
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [ccEvtMgr] "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
O4 - HKLM\..\RunServices: [ccSetMgr] "C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe"
O4 - HKLM\..\RunServices: [NPROTECT] C:\Program Files\Norton SystemWorks\Norton Utilities\Nprotect.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: MiniMavis.lnk = C:\Program Files\Broderbund\Mavis Beacon Teaches Typing 12 Standard\MiniMavis.exe
O4 - Startup: EPSON Background Monitor.lnk = C:\ESM2\Stms.exe
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL

Question by:mrchaos101

16 Comments
 
LVL 11

Assisted Solution

by:grsteed
grsteed earned 332 total points
ID: 16565300
Copy and paste the logfile from HiJackThis at this website to have it analyzed.

http://www.hijackthis.de/

The copy above is missing the first few lines about the HJT version.

Gary
0
 
LVL 29

Accepted Solution

by:
blue_zee earned 340 total points
ID: 16565984
These entries have been positively identified as malicious programs. In the HijackThis program, place a check mark next to the following entries.

O2 - BHO: (no name) - {F5DE8ADB-4A69-4e56-96AB-823171C8E9D8} - (no file)
(Description: A hidden or missing adware entry.)

O2 - BHO: CeresObj Class - {00000049-8F91-4D9C-9573-F016E7626484} - C:\WINDOWS\CERES.DLL
(Description: VX2 TROJAN variant)

O3 - Toolbar: (no name) - {EA5A82FB-D6BE-44F9-9363-B1ABABC153C1} - (no file)
(Description: A blank toolbar entry. Possibly an adware toolbar that was removed by an anti-virus or anti-spyware program.)

O3 - Toolbar: (no name) - {7FD44536-9DF0-4034-939F-5BD4D98E3187} - (no file)
(Description: A blank toolbar entry. Possibly an adware toolbar that was removed by an anti-virus or anti-spyware program.)

O4 - HKLM\..\Run: [Dinst] C:\WINDOWS\dinst.exe
(Description: Virus downloader)

The following are not necessarily spyware/malware, but we suggest you place a check mark next to the following entries, as these programs may be taking up system resources.

O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
(Description: Complete utter waste of space! Part of MS Office - searches disk drives for Office file types and creates an index to make opening them easier. Removing this entry will free up a significant amount of system resources. )

O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
(Description: Microsoft Office startup assistant. Not necessary. Removing this entry will free up a significant amount of system resources.)

Now:

1) Press the "Fix checked" button. Then close HijackThis.

2) Then reboot your computer into safe mode.

3) Delete the file C:\WINDOWS\ceres.dll

4) Delete the file C:\WINDOWS\dinst.exe

5) Empty your recycle bin.

6) Run Windows Update and install all critical updates.

7) Make sure your anti-virus program is up to date with the latest patches.

8) Reboot one last time.

Do a full system scan with at least 2 of these online scanners:

Panda ActiveScan
http://www.pandasoftware.com/activescan 

Bitdefender
http://www.bitdefender.com/scan/Msie/index.php 

McAfee FreeScan
http://us.mcafee.com/root/mfs/default.asp 

Symantec Security Check
http://security.symantec.com/sscv6/ 

Pc-Cillin (Trend Micro Housecall)
http://housecall.antivirus.com/housecall/start_pcc.asp 

PcPitstop
http://pcpitstop.com/antivirus/default.asp 

RAV
http://www.ravantivirus.com/scan/ 

Zee
0
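The analysis above works entry by entry: BHO and toolbar registrations that point at "(no file)" are dead leftovers, and autostart values whose file the analyst cannot account for are the ones to look at. The following Python script is an added example, not code from the thread and not part of HijackThis: it parses O2/O3/O4 lines in the layout HijackThis prints and sorts them into orphaned registrations, files on an analyst-supplied vetted list, and everything else left for review. The sample log lines are constructed from the entry shapes seen in this thread, and `VETTED_FILES` is a hypothetical allowlist the analyst fills in for the machine at hand.

```python
"""Triage helper for HijackThis-style log lines (O2 BHO, O3 Toolbar, O4 autostart).

Added example; not part of the original thread or of HijackThis itself.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Set

# Constructed sample in the layout HijackThis prints, modelled on the
# kinds of entries seen in the thread.
SAMPLE_LOG = """\
O2 - BHO: (no name) - {F5DE8ADB-4A69-4e56-96AB-823171C8E9D8} - (no file)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\\Program Files\\Norton SystemWorks\\Norton Antivirus\\NavShExt.dll
O2 - BHO: CeresObj Class - {00000049-8F91-4D9C-9573-F016E7626484} - C:\\WINDOWS\\CERES.DLL
O3 - Toolbar: (no name) - {EA5A82FB-D6BE-44F9-9363-B1ABABC153C1} - (no file)
O4 - HKLM\\..\\Run: [ScanRegistry] C:\\WINDOWS\\scanregw.exe /autorun
O4 - HKLM\\..\\Run: [VoyetraTray] C:\\PROGRAM FILES\\VOYETRA\\AUDIOSTATION2\\VTRAY.EXE /s
O4 - HKLM\\..\\Run: [Dinst] C:\\WINDOWS\\dinst.exe
O4 - HKLM\\..\\Run: [mhzogfo] c:\\windows\\system\\mhzogfo.exe
O4 - HKLM\\..\\RunServices: [SchedulingAgent] mstask.exe
O4 - Startup: Office Startup.lnk = C:\\Program Files\\Microsoft Office\\Office\\OSA.EXE
"""

# Hypothetical allowlist: file names the analyst has already identified as
# legitimate on this machine. Anything else is left for manual review.
VETTED_FILES: Set[str] = {"navshext.dll", "scanregw.exe", "vtray.exe", "mstask.exe", "osa.exe"}

BHO_TOOLBAR = re.compile(r"^(O[23]) - (?:BHO|Toolbar): (.*?) - \{([0-9A-Fa-f-]+)\} - (.*)$")
AUTORUN_KEY = re.compile(r"^(O4) - (HK\S*): \[(.*?)\] (.*)$")
AUTORUN_LNK = re.compile(r"^(O4) - Startup: (.*?) = (.*)$")
# Either a quoted path, or the shortest prefix of the command line that ends
# in an executable extension; arguments after it are ignored.
EXE_IN_CMD = re.compile(r'^(?:"([^"]+)"|(.+?\.(?:exe|dll|com|bat|scr|pif)))(?=\s|$)', re.I)


@dataclass
class Finding:
    section: str   # O2 / O3 / O4
    name: str      # BHO/toolbar name, or registry key plus value name
    clsid: str     # CLSID for O2/O3, empty for O4
    target: str    # file or command line the entry points at
    verdict: str   # "orphaned", "known" or "review"


def executable_name(command: str) -> str:
    """Return the lower-cased file name of the executable a command line starts with."""
    m = EXE_IN_CMD.match(command.strip())
    path = (m.group(1) or m.group(2)) if m else command.strip()
    return re.split(r"[\\/]", path)[-1].lower()


def parse_line(line: str) -> Optional[Finding]:
    """Parse one O2/O3/O4 log line; lines from other sections return None."""
    m = BHO_TOOLBAR.match(line)
    if m:
        return Finding(m.group(1), m.group(2), m.group(3), m.group(4), "")
    m = AUTORUN_KEY.match(line)
    if m:
        return Finding(m.group(1), f"{m.group(2)} [{m.group(3)}]", "", m.group(4), "")
    m = AUTORUN_LNK.match(line)
    if m:
        return Finding(m.group(1), f"Startup [{m.group(2)}]", "", m.group(3), "")
    return None


def triage(log_text: str, vetted: Set[str]) -> List[Finding]:
    """Classify every parseable entry in the log.

    orphaned: the registration points at "(no file)" (a dead CLSID left behind)
    known:    the target's file name is on the analyst's vetted list
    review:   anything else, i.e. an autostart the analyst has not accounted for
    """
    findings = []
    for raw in log_text.splitlines():
        f = parse_line(raw.strip())
        if f is None:
            continue
        if f.target.strip().lower() == "(no file)":
            f.verdict = "orphaned"
        elif executable_name(f.target) in vetted:
            f.verdict = "known"
        else:
            f.verdict = "review"
        findings.append(f)
    return findings


def report(findings: List[Finding]) -> str:
    """Group the findings by verdict, most urgent first."""
    out = []
    for verdict in ("review", "orphaned", "known"):
        out.append(f"== {verdict} ==")
        out.extend(f"{f.section} {f.name} -> {f.target}" + (f" [{f.clsid}]" if f.clsid else "")
                   for f in findings if f.verdict == verdict)
    return "\n".join(out)


if __name__ == "__main__":
    print(report(triage(SAMPLE_LOG, VETTED_FILES)))
```

A "review" verdict only means the entry is unaccounted for, not that it is malicious; the CLSID printed for O2/O3 entries is what one looks up before deciding. Lines of the form `Rundll32.exe somelib.dll,Entry` resolve to rundll32.exe, so the DLL named in the arguments still needs a manual look.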
 
LVL 29

Expert Comment

by:blue_zee
ID: 16566018

It may be useful running this tool:

http://www.downloads.subratam.org/VX2Finder9x.exe

And/or install Ad-Aware SE Personal:

http://www.lavasoftusa.com/software/adaware/

Install and update.

Download and install now the VX2 Cleaner:

http://www.lavasoftusa.com/software/addons/vx2cleaner.shtml

Use it as described on the a.m. website.

Good luck,

Zee
0
 
LVL 1

Author Comment

by:mrchaos101
ID: 16566140
Did what you said.


Still get a pop up from "THE BEST OFFERS"
=(
0
 
LVL 29

Expert Comment

by:blue_zee
ID: 16566248
Are you sure the HJT log posted above is complete?

It seems to me there are entries missing there...??

You can try this uninstall process, with due care (it's from the creators of the pest!):

http://www.bestoffersnetworks.com/uninstall/

Zee
0
 
LVL 47

Assisted Solution

by:rpggamergirl
rpggamergirl earned 332 total points
ID: 16566315
The VX2 cleaner that Blue_zee suggested should've taken care of the dinst.exe.

Fix these entries:
O2 - BHO: (no name) - {F5DE8ADB-4A69-4e56-96AB-823171C8E9D8} - (no file)
O2 - BHO: CeresObj Class - {00000049-8F91-4D9C-9573-F016E7626484} - C:\WINDOWS\CERES.DLL    
O3 - Toolbar: (no name) - {EA5A82FB-D6BE-44F9-9363-B1ABABC153C1} - (no file)  
O3 - Toolbar: (no name) - {7FD44536-9DF0-4034-939F-5BD4D98E3187} - (no file)
O4 - HKLM\..\Run: [Dinst] C:\WINDOWS\dinst.exe    
O4 - HKLM\..\Run: [mhzogfo] c:\windows\system\mhzogfo.exe  

Make sure these files are deleted (dsrfix takes care of dinst.exe):
c:\windows\system\mhzogfo.exe <-- make sure this one is deleted
C:\WINDOWS\CERES.DLL


1. Download DSRFIX onto your Desktop.
http://www.atribune.org/downloads/dsrfix.zip
Unzip and EXTRACT the files to your Desktop.
The program creates and names the new folder to house the files.
Do not run it yet.

2. Download Cleanup.
http://cleanup.stevengould.org/
On your Desktop, click on the Cleanup40.exe icon.
Then click RUN and place a checkmark beside "I Agree".
Then click NEXT followed by START and OK.
A window will appear with many choices, keep all the defaults as set when the Slide Bar to the left is set to Standard Quality.
Click OK
Do not run it yet.

Close Internet Explorer, if it is open
Open the folder "dsrfix"
Double click on the dsrfix batch file (the one with the little gear in it).
Once dsrfix has completed it will close on its own.

Then, run CleanUp.
0
 
LVL 44

Assisted Solution

by:scrathcyboy
scrathcyboy earned 332 total points
ID: 16567172
Perhaps you need to realize that ALL this adware/spyware can only do one thing, and one thing only -
insert some command in registry to run the program.  So all you have to do is this, follow to letter -
1. open regedit
2. search F3 for RunOnce
3. Just above that is "RUN"
4. look in run -- you will find that all entries are valid, so leave them alone, except 1 or 2 entries.
5.  These will soon become obvious by their names that they are spyware.  Write down their paths.
6. delete those entries from the "RUN" section of the registry.  Make note of their names and paths.
7.  Close regedit, and now go to those directories and wipe out everything in them of spyware nature.
8. Reboot. Now all is gone.

Keep in mind, simple and CAREFUL editing of the registry (only delete what you must) beats any spyware programs cold, because they seem to be unable to identify the problems in logical position, like RUN, and simply remove them.

And make a restore point before you edit the registry, in case you are not experienced enough yet to get it right first time.
0
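The manual method above relies on recognising the one or two foreign values among the legitimate ones in the Run key by eye. A way to make that less error-prone is to export the Run and RunServices keys with regedit while the machine is known clean and diff later exports against that baseline. The following Python script is an added example, not from the thread and not from any tool mentioned in it: it parses REGEDIT4-format exports (the format regedit on Windows 9x writes) and reports which autostart values appeared, disappeared or changed. Both exports are constructed for the example; the key paths are the standard HKLM Run and RunServices locations.

```python
"""Diff an exported Run/RunServices key against a known-good baseline export.

Added example, not part of the original thread. It reads REGEDIT4-format text
(what regedit.exe on Windows 9x writes when you export a key) and reports which
autostart values appeared, disappeared or changed since the baseline.
"""
import re
from typing import Dict, Tuple

RegTree = Dict[str, Dict[str, str]]   # key path -> {value name: value}

# Constructed baseline: the Run keys exported while the machine was known clean.
BASELINE = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
"TaskMonitor"="C:\\WINDOWS\\taskmon.exe"
"SystemTray"="SysTray.Exe"
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"SchedulingAgent"="mstask.exe"
"""

# Constructed current export: two values were added and one was redirected.
CURRENT = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
"TaskMonitor"="C:\\WINDOWS\\SYSTEM\\taskmon.exe"
"SystemTray"="SysTray.Exe"
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"Dinst"="C:\\WINDOWS\\dinst.exe"
"mhzogfo"="c:\\windows\\system\\mhzogfo.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"SchedulingAgent"="mstask.exe"
"""

AUTOSTART_KEYS = (
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices",
)

KEY_LINE = re.compile(r"^\[(.+)\]$")
# "name"=value or @=value; the name may contain escaped quotes and backslashes.
STRING_VALUE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')


def unescape(s: str) -> str:
    """Undo the .reg string escapes (backslash-backslash and backslash-quote)."""
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg(text: str) -> RegTree:
    """Parse a REGEDIT4 export into {key path: {value name: value}}.

    Only string values are decoded; other types (hex:, dword:) are kept as the
    raw right-hand side so they can still be compared between exports.
    """
    tree: RegTree = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "REGEDIT4":
            continue
        m = KEY_LINE.match(line)
        if m:
            current = m.group(1)
            tree.setdefault(current, {})
            continue
        m = STRING_VALUE.match(line)
        if m and current is not None:
            name = unescape(m.group(1)) if m.group(1) is not None else "(Default)"
            rhs = m.group(2)
            if rhs.startswith('"') and rhs.endswith('"'):
                rhs = unescape(rhs[1:-1])
            tree[current][name] = rhs
    return tree


def diff_autostarts(baseline: RegTree, current: RegTree, keys=AUTOSTART_KEYS):
    """Return (added, removed, changed), each keyed by 'keypath\\valuename'."""
    added: Dict[str, str] = {}
    removed: Dict[str, str] = {}
    changed: Dict[str, Tuple[str, str]] = {}
    for key in keys:
        before = baseline.get(key, {})
        after = current.get(key, {})
        for name, value in after.items():
            if name not in before:
                added[f"{key}\\{name}"] = value
            elif before[name] != value:
                changed[f"{key}\\{name}"] = (before[name], value)
        for name, value in before.items():
            if name not in after:
                removed[f"{key}\\{name}"] = value
    return added, removed, changed


if __name__ == "__main__":
    added, removed, changed = diff_autostarts(parse_reg(BASELINE), parse_reg(CURRENT))
    for label, entries in (("ADDED", added), ("REMOVED", removed), ("CHANGED", changed)):
        for entry, value in entries.items():
            print(f"{label:8} {entry} = {value}")
```

Value names are compared exactly here although the registry treats them case-insensitively, so a value whose name was only re-cased shows up as one removal plus one addition; a "changed" entry (same name, different command line) deserves the same attention as an added one, since it means an existing autostart was redirected.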
 
LVL 3

Assisted Solution

by:rairdonm
rairdonm earned 332 total points
ID: 16567236
Clearing Run & RunOnce by itself works less and less these days...the spyware is just too smart for that....it might work but if it doesn't.

 - You've tried lots of antispyware programs
 - you've tried manual registry edits
 - you've tried specific removal tools.

Now try spysweeper.  This is 70%+ of my income and spysweeper makes it easy.  Roots out the most complex spy/adware.

Just in case you have a virus too...go to antivirus.com and do a FREE online scan.  Trend Micro is better at detecting and cleaning up viruses than Norton.

0
 
LVL 17

Assisted Solution

by:Dushan De Silva
Dushan De Silva earned 332 total points
ID: 16576733
0
 
LVL 1

Author Comment

by:mrchaos101
ID: 16597209
bah

Reformat and install.   Older computer taking this much time.... seems faster just to reload it =(
0
 
LVL 44

Expert Comment

by:scrathcyboy
ID: 16597365
rairdonm -

It is interesting you say webroot spysweeper is 70% of your income.  I tried it yesterday for the first time, found it very invasive into a person's computing habits, slows system start to 3 minutes, can't even install/deinstall programs without this spysweeper pestering you.  So I asked the owner if they wanted it, they said NO, and I removed it.

Then I installed a simple version, Adware SE Pro, not invasive, sits in background.  Then I immediately did an adAware scan, and it found 15 critical files/keys that spysweeper had missed, just moments before.  This is a big surprise (although a happy one) to me, many people say that AdAware misses lots of spyware that these "more intrusive" programs like spysweeper catch -- yet here is exact proof of the exact opposite.

Can you explain please?
0
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 16602413
SpySweeper vs AdAware SE? well, I'd go for SpySweeper.
SpySweeper can remove Look2Me infection where AdAware can't, not even with its VX2 plugins.

>>I tried it yesterday for first time, found it very invasive into persons computing habits,<<
a lot of programs are invasive to your surfing habits, your own Windows .dat files keep track of your surfing habits, then there's the Realtek AC97 audio also spying on you, etc.

I've tried SpySweeper for a month and I like it, but now i just have AdAware SE because it's free, but if I have to pay for it then it will be SpySweeper.

Just my 2 cents.
0
 
LVL 44

Expert Comment

by:scrathcyboy
ID: 16602483
didn't ask for an opinion poll, asked rairdonm a question
0
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 16602529
I put in my 2 cents because I know that SpySweeper is a very good program.
I can't just not say anything when you rubbish an excellent program that you don't seem to know anything about.
0
 
LVL 1

Author Comment

by:mrchaos101
ID: 16605081
I was told that "no one program" can do it all.  Granted I had the original problem, but people I know in RL were helping too.

They suggested using Webroot as did this thread.  Then uninstall and use Adaware SE, then uninstall and use Spybot Search and Destroy 1.4.

Well even doing all 3 of these I could not wipe all of them out......  and thus the reformat and install... MUCH MUCH faster.

/shrug
0
