[solved]Having Spyware Infestation Problems on a Win-98 PC

Need some assistance.

Show all files.
Ran HiJack this in normal mode.

Thanks in advance.

Zonnie
=============================

Here is the log:

Logfile of HijackThis v1.98.0
Scan saved at 6:58:43 PM, on 7/4/04
Platform: Windows 98 SE (Win9x 4.10.2222B)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\MDM.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM32\DRIVERS\DCFSSVC.EXE
C:\PROGRAM FILES\SUPPORT.COM\BIN\TGCMD.EXE
C:\WINDOWS\SYSTEM\VETMSG9X.EXE
C:\PROGRAM FILES\CA\ETRUST EZ ARMOR\ETRUST EZ ANTIVIRUS\VETTRAY.EXE
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
C:\WINDOWS\SYSTEM\ATIPTAXX.EXE
C:\PROGRAM FILES\VOYETRA\AUDIOSTATION 32\VTRAY.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\BROADJUMP\CLIENT FOUNDATION\CFD.EXE
C:\WINDOWS\APPLICATION DATA\UIAS.EXE
C:\WINDOWS\SYSTEM\NDRV.EXE
C:\PROGRAM FILES\BELLSOUTH\CONNECTION MANAGER\CMANAGER.EXE
C:\WINDOWS\SYSTEM\MSWHEEL.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\BROADJUMP\CORRECTCONNECT ENGINE\CCD.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\DOWNLOADS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://hometab.bellsouth.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by BellSouth
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: Curl - {A78CC2FF-6E4E-4556-B27C-D7C3A70D7A50} - C:\WINDOWS\SYSTEM\NDRV.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Dcfssvc] c:\windows\System32\Drivers\dcfssvc.exe
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe" /server /nosystray
O4 - HKLM\..\Run: [mdac_runonce] C:\WINDOWS\SYSTEM\runonce.exe
O4 - HKLM\..\Run: [CriticalUpdate] c:\windows\SYSTEM\wucrtupd.exe -startup
O4 - HKLM\..\Run: [Vet Alert] C:\WINDOWS\System\VetMsg9x.exe
O4 - HKLM\..\Run: [VetTray] C:\PROGRA~1\CA\ETRUST~1\ETRUST~1\VETTRAY.EXE
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
O4 - HKLM\..\Run: [POINTER] C:\PROGRA~1\MSHARD~1\point32.exe
O4 - HKLM\..\Run: [VoyetraTray] C:\PROGRAM FILES\VOYETRA\AUDIOSTATION 32\VTRAY.EXE /s
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [Machine Debug Manager] C:\WINDOWS\SYSTEM\MDM.EXE
O4 - HKCU\..\Run: [Rrpm] C:\WINDOWS\Application Data\uias.exe
O4 - HKCU\..\Run: [NDrv] C:\WINDOWS\SYSTEM\NDrv.exe
O4 - Startup: Connection Manager.lnk = C:\Program Files\BellSouth\Connection Manager\CManager.exe
O4 - Startup: Event Planner Reminders Tray Icon.lnk = C:\WINDOWS\AU30TRAY.EXE
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsearch.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsimilar.html
O8 - Extra context menu item: Backward &Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmtrans.html
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Dell Home - {AA2666E0-285D-11D4-A16E-F04552C10000} - http://www.dellnet.com/ (file missing) (HKCU)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {2FF18E20-DE11-11D1-8161-00A0C90DD90C} (MSNBC News Menu Control 3.01) - http://www.msnbc.com/download/nm1228.cab
O16 - DPF: {0DD4833D-DFFA-11D3-94D7-0050DAC353B6} (DndCtrl Class) - http://www.ofoto.com/OfotoDND.cab
O16 - DPF: {23584D4F-E3F1-11D4-A0B6-0050DACFEC78} (VDLaunch Class) - http://www.catharon.com/download/plugins/ievdl.ocx
O16 - DPF: {9184D21C-9835-42C5-A883-EA8BE7FC048D} (Downloader Class) - http://www.shopintuit.com/Executables/IE/IDA.cab
O16 - DPF: {DF6A0F17-0B1E-11D4-829D-00C04F6843FE} (Microsoft Office Tools on the Web Control) - http://dgl.microsoft.com/downloads/outc.cab
O16 - DPF: {01118D00-3E00-11D2-8470-0060089874ED} (SupportSoft Password Reset Class) - http://support.fastaccess.com/sdccommon/download/tgctlpw.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/download/ipixx.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/common/groove/gx/GrooveAX25.cab
O18 - Protocol: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - C:\PROGRAM FILES\HP\HPCORETECH\COMP\HPUIPROT.DLL

 

Re: Having Spyware Infestation Problems on a Win-98 PC

Hi Zonnie

Download Ad-aware from here: http://www.computercops.biz/downloads-file-292.html
Install by double-clicking on the downloaded file.
After installing but before running, update Ad-aware by using its Globe icon.
After updating, shutdown and restart Ad-aware.
Ad-aware is ready to scan and clean your system following these steps:

Under Ad-aware 6 > Settings (Gear at the top) > Tweaks > Scanning Engine:
"Unload recognized processes during scanning."
Under Ad-aware 6 > Settings (Gear at the top) > Tweaks > Cleaning Engine:
"Let Windows remove files in use after reboot."
Press "Scan Now"
Check option "Use Custom scanning options"
Check option "Activate In-Depth Scan"
Press "Select drives\folders to scan"
Select the active partition which is usually C:
Press "Next" to let Ad-aware scan your drives...
If it finds "bad" files and registry keys, press "Next" again
Right-click in that pane and choose "select all"
Press "next"
When it asks to remove all checked items, Press "OK"
Close Ad-aware, reboot your system and go on to Step 2 below.


Spybot S&D
The download for Spybot S&D is available here: http://www.computercops.biz/downloads-file-108.html

Install by double-clicking on the downloaded file.
Run Spybot S&D from desktop icon or Start menu.
Press "Search for updates" button to get list of updates available.
Press "Download updates" button.
Close all IE windows and close & restart Spybot S&D.
Press "Check for problems" button.
Have SpyBot remove all it marks in red by pressing "Fix selected problems".

Close Spybot S&D, reboot your system .

Go for free online Virus scans here:

http://housecall.trendmicro.com/housecall/start_corp.asp
http://www.pandasoftware.com/activescan/

Be sure and put a check in the box by "Auto Clean" before you do the scan. If it finds anything that it cannot clean have it delete it or make a note of the file location so you can delete it yourself.

Now, empty your TEMP Folder / Temporary Internet Files Folder and then empty your "Recycle Bin" and reboot.

run Hijackthis again and pls. post a FRESH log. Thanks.

 

Re: Having Spyware Infestation Problems on a Win-98 PC

Ran the latest version of Ad-aware (build 6.181) Detected 115 spyware components.

Ran the latest version of Spybot-S&D (Version 1.2).

Ran Norton AV 2004 from the CD without installing. No viruses detected.

Deleted Temp Internet files and emptied Recycle bin.

Ran HiJackThis v1.98.0.

Log attached.

Thanks for your assistance again.

Zonnie
=============================================


Logfile of HijackThis v1.98.0
Scan saved at 2:20:31 PM, on 7/5/04
Platform: Windows 98 SE (Win9x 4.10.2222B)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\MDM.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM32\DRIVERS\DCFSSVC.EXE
C:\PROGRAM FILES\SUPPORT.COM\BIN\TGCMD.EXE
C:\WINDOWS\SYSTEM\VETMSG9X.EXE
C:\PROGRAM FILES\CA\ETRUST EZ ARMOR\ETRUST EZ ANTIVIRUS\VETTRAY.EXE
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
C:\WINDOWS\SYSTEM\ATIPTAXX.EXE
C:\PROGRAM FILES\VOYETRA\AUDIOSTATION 32\VTRAY.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\BROADJUMP\CLIENT FOUNDATION\CFD.EXE
C:\WINDOWS\APPLICATION DATA\UIAS.EXE
C:\WINDOWS\SYSTEM\NDRV.EXE
C:\PROGRAM FILES\CLEANMYPC\REGISTRY CLEANER\RCSCHEDULER.EXE
C:\WINDOWS\SYSTEM\MSWHEEL.EXE
C:\PROGRAM FILES\BELLSOUTH\CONNECTION MANAGER\CMANAGER.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\BROADJUMP\CORRECTCONNECT ENGINE\CCD.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\DOWNLOADS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://hometab.bellsouth.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by BellSouth
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: Curl - {A78CC2FF-6E4E-4556-B27C-D7C3A70D7A50} - C:\WINDOWS\SYSTEM\NDRV.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Dcfssvc] c:\windows\System32\Drivers\dcfssvc.exe
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe" /server /nosystray
O4 - HKLM\..\Run: [mdac_runonce] C:\WINDOWS\SYSTEM\runonce.exe
O4 - HKLM\..\Run: [CriticalUpdate] c:\windows\SYSTEM\wucrtupd.exe -startup
O4 - HKLM\..\Run: [Vet Alert] C:\WINDOWS\System\VetMsg9x.exe
O4 - HKLM\..\Run: [VetTray] C:\PROGRA~1\CA\ETRUST~1\ETRUST~1\VETTRAY.EXE
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
O4 - HKLM\..\Run: [POINTER] C:\PROGRA~1\MSHARD~1\point32.exe
O4 - HKLM\..\Run: [VoyetraTray] C:\PROGRAM FILES\VOYETRA\AUDIOSTATION 32\VTRAY.EXE /s
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [Machine Debug Manager] C:\WINDOWS\SYSTEM\MDM.EXE
O4 - HKLM\..\RunOnce: [%SP_SHORT_TITLE%] "C:\WINDOWS\INF\unregmp2.exe" /UpdateWMP
O4 - HKCU\..\Run: [Rrpm] C:\WINDOWS\Application Data\uias.exe
O4 - HKCU\..\Run: [NDrv] C:\WINDOWS\SYSTEM\NDrv.exe
O4 - HKCU\..\Run: [Registry Cleaner Scheduler] "C:\Program Files\CleanMyPC\Registry Cleaner\RCScheduler.exe" /startup
O4 - Startup: Connection Manager.lnk = C:\Program Files\BellSouth\Connection Manager\CManager.exe
O4 - Startup: Event Planner Reminders Tray Icon.lnk = C:\WINDOWS\AU30TRAY.EXE
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsearch.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsimilar.html
O8 - Extra context menu item: Backward &Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmtrans.html
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Dell Home - {AA2666E0-285D-11D4-A16E-F04552C10000} - http://www.dellnet.com/ (file missing) (HKCU)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {2FF18E20-DE11-11D1-8161-00A0C90DD90C} (MSNBC News Menu Control 3.01) - http://www.msnbc.com/download/nm1228.cab
O16 - DPF: {0DD4833D-DFFA-11D3-94D7-0050DAC353B6} (DndCtrl Class) - http://www.ofoto.com/OfotoDND.cab
O16 - DPF: {23584D4F-E3F1-11D4-A0B6-0050DACFEC78} (VDLaunch Class) - http://www.catharon.com/download/plugins/ievdl.ocx
O16 - DPF: {9184D21C-9835-42C5-A883-EA8BE7FC048D} (Downloader Class) - http://www.shopintuit.com/Executables/IE/IDA.cab
O16 - DPF: {DF6A0F17-0B1E-11D4-829D-00C04F6843FE} (Microsoft Office Tools on the Web Control) - http://dgl.microsoft.com/downloads/outc.cab
O16 - DPF: {01118D00-3E00-11D2-8470-0060089874ED} (SupportSoft Password Reset Class) - http://support.fastaccess.com/sdccommon/download/tgctlpw.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/download/ipixx.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/common/groove/gx/GrooveAX25.cab
O18 - Protocol: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - C:\PROGRAM FILES\HP\HPCORETECH\COMP\HPUIPROT.DLL

 

Re: Having Spyware Infestation Problems on a Win-98 PC

Hi Zonnie,

In the meantime the latest version is 1.3 !

Check the following items in HIjackThis - close ALL windows\browsers except HIjackThis and click "Fix checked":

O2 - BHO: Curl - {A78CC2FF-6E4E-4556-B27C-D7C3A70D7A50} - C:\WINDOWS\SYSTEM\NDRV.DLL

O4 - HKLM\..\Run: [mdac_runonce] C:\WINDOWS\SYSTEM\runonce.exe

O4 - HKLM\..\Run: [CriticalUpdate] c:\windows\SYSTEM\wucrtupd.exe -startup

O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe


O4 - HKCU\..\Run: [Rrpm] C:\WINDOWS\Application Data\uias.exe

O4 - HKCU\..\Run: [NDrv] C:\WINDOWS\SYSTEM\NDrv.exe

NOTE....even in safe mode you may have to open taskmanager and end task on some of them before you can delete them.


Make sure you can view hidden and system files: Instructions here

Then Boot to safe mode: Instructions here

Then delete the following files\folders IF still present:

c:\windows\SYSTEM\wucrtupd.exe -startup

C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\WINDOWS\Application Data\uias.exe
C:\WINDOWS\SYSTEM\NDrv.exe

Then reboot and use AdAware as described :
HERE

This looks like an unfinished install for Windows Media Player:
O4 - HKLM\..\RunOnce: [%SP_SHORT_TITLE%] "C:\WINDOWS\INF\unregmp2.exe" /UpdateWMP

Now, empty your TEMP Folder / Temporary Internet Files Folder and then empty your "Recycle Bin" and reboot.

Go for free online Virus scans here:

http://housecall.trendmicro.com/housecall/start_corp.asp
http://www.pandasoftware.com/activescan/

Be sure and put a check in the box by "Auto Clean" before you do the scan. If it finds anything that it cannot clean have it delete it or make a note of the file location so you can delete it yourself.


All problems gone?

 

Re: Having Spyware Infestation Problems on a Win-98 PC

I followed your instructions and the new log looks good to me.

Two notes of interest:
... I tried to update using the Spybot S&D software package (clicking on the links within); it said "no new update available". So my version remains at 1.2.

... Using MSCONFIG I disabled BROADJUMP\CLIENT FOUNDATION\CFD.EXE because I didn't recognize it. When I ran HJT, it was undetected, although I found the files in Search and deleted. Then I went back to MSCONFIG and reenabled Broadjump and ran HJT again; it was listed and I deleted.

The on-line scan was clean.

Thanks...a lot for your assistance.

Zonnie.
=======================
Logfile of HijackThis v1.98.0
Scan saved at 7:05:48 AM, on 7/6/04
Platform: Windows 98 SE (Win9x 4.10.2222B)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\WINDOWS\SYSTEM\MDM.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM32\DRIVERS\DCFSSVC.EXE
C:\PROGRAM FILES\SUPPORT.COM\BIN\TGCMD.EXE
C:\WINDOWS\SYSTEM\VETMSG9X.EXE
C:\PROGRAM FILES\CA\ETRUST EZ ARMOR\ETRUST EZ ANTIVIRUS\VETTRAY.EXE
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
C:\WINDOWS\SYSTEM\ATIPTAXX.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\MSWHEEL.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\WINWORD.EXE
C:\PROGRAM FILES\MICROSOFT WORKS\MSWORKS.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\DOWNLOADS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://hometab.bellsouth.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by BellSouth
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Dcfssvc] c:\windows\System32\Drivers\dcfssvc.exe
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe" /server /nosystray
O4 - HKLM\..\Run: [Vet Alert] C:\WINDOWS\System\VetMsg9x.exe
O4 - HKLM\..\Run: [VetTray] C:\PROGRA~1\CA\ETRUST~1\ETRUST~1\VETTRAY.EXE
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
O4 - HKLM\..\Run: [POINTER] C:\PROGRA~1\MSHARD~1\point32.exe
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - HKLM\..\RunServices: [Machine Debug Manager] C:\WINDOWS\SYSTEM\MDM.EXE
O4 - Startup: Connection Manager.lnk = C:\Program Files\BellSouth\Connection Manager\CManager.exe
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsearch.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsimilar.html
O8 - Extra context menu item: Backward &Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmtrans.html
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Dell Home - {AA2666E0-285D-11D4-A16E-F04552C10000} - http://www.dellnet.com/ (file missing) (HKCU)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {2FF18E20-DE11-11D1-8161-00A0C90DD90C} (MSNBC News Menu Control 3.01) - http://www.msnbc.com/download/nm1228.cab
O16 - DPF: {0DD4833D-DFFA-11D3-94D7-0050DAC353B6} (DndCtrl Class) - http://www.ofoto.com/OfotoDND.cab
O16 - DPF: {23584D4F-E3F1-11D4-A0B6-0050DACFEC78} (VDLaunch Class) - http://www.catharon.com/download/plugins/ievdl.ocx
O16 - DPF: {9184D21C-9835-42C5-A883-EA8BE7FC048D} (Downloader Class) - http://www.shopintuit.com/Executables/IE/IDA.cab
O16 - DPF: {DF6A0F17-0B1E-11D4-829D-00C04F6843FE} (Microsoft Office Tools on the Web Control) - http://dgl.microsoft.com/downloads/outc.cab
O16 - DPF: {01118D00-3E00-11D2-8470-0060089874ED} (SupportSoft Password Reset Class) - http://support.fastaccess.com/sdccommon/download/tgctlpw.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/download/ipixx.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/common/groove/gx/GrooveAX25.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O18 - Protocol: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - C:\PROGRAM FILES\HP\HPCORETECH\COMP\HPUIPROT.DLL

 

Re: Having Spyware Infestation Problems on a Win-98 PC

Hi Zonnie

Right - 1.2 will NOT update anymore ! You have to get the NEW Spybot1.3

Get it

HERE

Great job ! Your log looks clean to me !

Please follow the steps to avoid re-infection that was posted HERE

Happy Safe Computing !

 

Marianna,

Not solved yet....We thought it was over.

I tested the PC on-line again this afternoon. I also ran Ad-aware and Spybot. Unfortunately WhenU returned, according to Ad-aware, which detected 20+ files (mostly data miners). Details below.

What do I need to do to remove WhenU from the registry?

I have installed AV software, a firewall and taken all precautions over the course of the day.

Please advise:

Zonnie
=============================================
Adaware Log - Partial

ArchiveData(auto-quarantine- 06-07-2004 17-18-54.bckp)
======================================================

WHENU

¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
obj[0]=RegKey : WUSE.1
obj[1]=Folder : c:\program files\Save

CLICKSPRING

¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
obj[2]=RegKey : SOFTWARE\ClickSpring
obj[3]=RegKey : Context1.Curl
obj[4]=RegKey : Context1.Curl.1
obj[5]=RegKey : Interface\{20F13844-04BC-4987-9964-2502F0DA54D3}
obj[6]=RegKey : Interface\{3E43040C-73C1-4898-A4F8-E2C9428B1167}
obj[7]=RegKey : Interface\{3E4C3E0B-6BBE-4C94-86CA-6F055A989693}
obj[8]=RegKey : Interface\{81EB72D7-3949-450F-B035-DE599959814F}
obj[32]=File : c:\windows\system\mt-uninstaller.exe

TRACKING COOKIE

¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
obj[9]=File : c:\windows\cookies\default@tripod[1].txt
obj[10]=File : c:\windows\cookies\default@questionmarket[1].txt
obj[11]=File : c:\windows\cookies\default@2o7[1].txt
obj[12]=File : c:\windows\cookies\default@questionmarket[2].txt
obj[13]=File : c:\windows\cookies\default@2o7[3].txt
bj[14]=File : c:\windows\cookies\default@cgi-bin[4].txt

obj[15]=File : c:\windows\cookies\default@questionmarket[3].txt
obj[16]=File : c:\windows\cookies\default@questionmarket[4].txt
obj[17]=File : c:\windows\cookies\default@realmedia[1].txt
obj[18]=File : c:\windows\cookies\default@edge.ru4[1].txt
obj[19]=File : c:\windows\cookies\default@2o7[4].txt
obj[20]=File : c:\windows\cookies\default@06[1].txt
obj[21]=File : c:\windows\cookies\default@cgi-bin[2].txt
obj[22]=File : c:\windows\cookies\default@074[1].txt
obj[23]=File : c:\windows\cookies\default@maxserving[1].txt
obj[24]=File : c:\windows\cookies\default@edge.ru4[3].txt
obj[25]=File : c:\windows\cookies\default@2o7[5].txt
obj[26]=File : c:\windows\cookies\default@realmedia[3].txt
obj[27]=File : c:\windows\cookies\default@tripod[2].txt
obj[28]=File : c:\windows\cookies\default@revenue[1].txt
obj[29]=File : c:\windows\cookies\default@stats1.clicktracks[2].txt
obj[30]=File : c:\windows\cookies\default@cgi-bin[6].txt
obj[31]=File : c:\windows\cookies\default@questionmarket[6].txt

=============================
Here is my HJT log.
=============================
Logfile of HijackThis v1.98.0
Scan saved at 5:25:19 PM, on 7/6/04
Platform: Windows 98 SE (Win9x 4.10.2222B)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\WINDOWS\SYSTEM\MDM.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM32\DRIVERS\DCFSSVC.EXE
C:\PROGRAM FILES\SUPPORT.COM\BIN\TGCMD.EXE
C:\WINDOWS\SYSTEM\VETMSG9X.EXE
C:\PROGRAM FILES\CA\ETRUST EZ ARMOR\ETRUST EZ ANTIVIRUS\VETTRAY.EXE
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
C:\WINDOWS\SYSTEM\ATIPTAXX.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\MSWHEEL.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\RSRCMTR.EXE
C:\WINDOWS\SYSMON.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\DOWNLOADS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://hometab.bellsouth.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by BellSouth
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Dcfssvc] c:\windows\System32\Drivers\dcfssvc.exe
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe" /server /nosystray
O4 - HKLM\..\Run: [Vet Alert] C:\WINDOWS\System\VetMsg9x.exe
O4 - HKLM\..\Run: [VetTray] C:\PROGRA~1\CA\ETRUST~1\ETRUST~1\VETTRAY.EXE
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
O4 - HKLM\..\Run: [POINTER] C:\PROGRA~1\MSHARD~1\point32.exe
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - HKLM\..\RunServices: [Machine Debug Manager] C:\WINDOWS\SYSTEM\MDM.EXE
O4 - Startup: Connection Manager.lnk = C:\Program Files\BellSouth\Connection Manager\CManager.exe
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsearch.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsimilar.html
O8 - Extra context menu item: Backward &Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmtrans.html
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Dell Home - {AA2666E0-285D-11D4-A16E-F04552C10000} - http://www.dellnet.com/ (file missing) (HKCU)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {2FF18E20-DE11-11D1-8161-00A0C90DD90C} (MSNBC News Menu Control 3.01) - http://www.msnbc.com/download/nm1228.cab
O16 - DPF: {0DD4833D-DFFA-11D3-94D7-0050DAC353B6} (DndCtrl Class) - http://www.ofoto.com/OfotoDND.cab
O16 - DPF: {23584D4F-E3F1-11D4-A0B6-0050DACFEC78} (VDLaunch Class) - http://www.catharon.com/download/plugins/ievdl.ocx
O16 - DPF: {9184D21C-9835-42C5-A883-EA8BE7FC048D} (Downloader Class) - http://www.shopintuit.com/Executables/IE/IDA.cab
O16 - DPF: {DF6A0F17-0B1E-11D4-829D-00C04F6843FE} (Microsoft Office Tools on the Web Control) - http://dgl.microsoft.com/downloads/outc.cab
O16 - DPF: {01118D00-3E00-11D2-8470-0060089874ED} (SupportSoft Password Reset Class) - http://support.fastaccess.com/sdccommon/download/tgctlpw.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/download/ipixx.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/common/groove/gx/GrooveAX25.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O18 - Protocol: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - C:\PROGRAM FILES\HP\HPCORETECH\COMP\HPUIPROT.DLL

 

Hi Zonnie,

In HJT check:

O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Dell Home - {AA2666E0-285D-11D4-A16E-F04552C10000} - http://www.dellnet.com/ (file missing) (HKCU)

and click "Fix checked".

Reboot.

Maybe you have a look at this:
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe" /server /nosystray

WinTasks Process Library



tgcmd - tgcmd.exe - Process Information
Process File: tgcmd or tgcmd.exe
Process Name: Tgcmdprovidersbc
Description: Spyware from SupportSoft provided to manufacturers, such as Sony (Vaio Support Agent) and Toshiba (Virtual Tech), and ISPs, such as Comcast, Cox and Charter (Pipeline Support Agent), that allows them to offer on-line support. This part ensures that software is installed correctly. Regarded as spyware as it has the ability to retrieve user information.
Company: SupportSoft, Inc
......

I can't find anything about this:
O16 - DPF: {23584D4F-E3F1-11D4-A0B6-0050DACFEC78} (VDLaunch Class) - http://www.catharon.com/download/plugins/ievdl.ocx
any ida what this is??

If you do NOT need it - check it also in HJT

...............

Uninstalling Adware.WhenU
Do one of the following:
On the Windows 98 taskbar:
Click Start > Settings > Control Panel.
In the Control Panel window, double-click Add/Remove Programs.

Locate and click any of the following:
WhenUSearch
SaveNow, Save!
WhenUShop

Click Add/Remove, Change/Remove, or Remove (this varies with the operating system). Follow the prompts.

Problems gone?