You've got the new password stealer Trojan...I can see it in an entry and knew it instantly as I built my dropper file webpage today with new viruses/worms and your filename stuck in my mind. I'm swamped with other logs, and just glanced at yours (you have other problems...but we'll deal with them later).

Since you have Norton follow that link's instructions exactly and kill that worm, then post back a new log. Stay in this thread.

Texruss  

Hi Texruss,

I ran te Norton Antivirus but it didn't dtect any virus. I than ran Housecall by trendmicro and it detected two trojan virus files which I cleaned/deleted.

I have rerun the Hijackthis and attaching a fresh log below as suggested by you.

I appreciate your help.

Logfile of HijackThis v1.97.7
Scan saved at 11:23:36 PM, on 5/16/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\NORTON INTERNET SECURITY\NISSERV.EXE
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\NORTON INTERNET SECURITY\NISUM.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\ATI2CWXX.EXE
C:\WINDOWS\SYSTEM\ATI2PLAB.EXE
C:\WINDOWS\SYSTEM\ATIPTAAB.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
C:\PROGRAM FILES\NORTON INTERNET SECURITY\IAMAPP.EXE
C:\WINDOWS\LOADQM.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\PROGRAM FILES\AIM95\AIM.EXE
C:\PROGRAM FILES\HP OFFICEJET SERIES 600\BIN\HPOSTART.EXE
C:\PALM\HOTSYNC.EXE
C:\PROGRAM FILES\D-LINK AIRPLUS G\AIRPLUS.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\HP OFFICEJET SERIES 600\BIN\HPOJVDIX.EXE
C:\PROGRAM FILES\NORTON INTERNET SECURITY\SYMPROXYSVC.EXE
C:\WINDOWS\SYSTEM\HPOMLCH.EXE
C:\PROGRAM FILES\WINZIP\WINZIP32.EXE
C:\WINDOWS\TEMP\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://zoosecret.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://rd.yahoo.com/customize/ymsgr/defaults/su/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O3 - Toolbar: plus1ante - {9F517ED5-8BD4-4E57-C8E9-C79A4E59B35E} - C:\PROGRAM FILES\SOAP BAT\NURB NAME.DLL
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Ati2cwxx] Ati2cwxx.exe
O4 - HKLM\..\Run: [AtiGart] c:\Ati\Gart\AtiGart.exe
O4 - HKLM\..\Run: [ATIPOLAB] ati2plab.exe
O4 - HKLM\..\Run: [AtiPTA] Atiptaab.exe
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE
O4 - HKLM\..\Run: [RecoverFromReboot] C:\WINDOWS\TEMP\RECOVE~1.EXE
O4 - HKLM\..\Run: [Necutray] NECUTRAY.EXE
O4 - HKLM\..\Run: [iamapp] C:\Program Files\Norton Internet Security\IAMAPP.EXE
O4 - HKLM\..\Run: [CriticalUpdate] C:\WINDOWS\SYSTEM\wucrtupd.exe -startup
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [nisserv] C:\Program Files\Norton Internet Security\NISSERV.EXE
O4 - HKLM\..\RunServices: [Installer] C:\WINDOWS\SYSTEM\INSTALLER.EXE
O4 - HKCU\..\Run: [AIM] C:\PROGRAM FILES\AIM95\aim.exe -cnetwait.odl
O4 - Startup: HP OfficeJet Series 600 StartUp.lnk = C:\Program Files\HP OfficeJet Series 600\bin\HPOstart.exe
O4 - Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE
O4 - Startup: D-Link AirPlus G Configuration Utility.lnk = C:\Program Files\D-Link AirPlus G\AirPlus.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Open Picture in &Microsoft PhotoDraw - res://C:\PROGRA~1\MICROS~1\OFFICE\1033\PHDINTL.DLL/phdContext.htm
O8 - Extra context menu item: Coupons - file://C:\Program Files\websearch\System\Temp\couponsandoffers_script0.htm
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: TREND MICRO HouseCall (HKLM)
O15 - Trusted Zone: http://www.kazaa.com
O15 - Trusted Zone: http://ftp.newaol.com
O15 - Trusted Zone: http://www.ibsnetaccess.com
O15 - Trusted Zone: http://www.citicards.com
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (&Yahoo! Companion) - http://us.dl1.yimg.com/download.yahoo.com/dl/toolbar/my/yiebio5_0_2_1.cab
O16 - DPF: {528B6917-4DED-43F1-B56C-35A1519129CA} (MSIMMessageView Class) - http://activex.microsoft.com/activex/controls/exim/msimrt.cab
O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://office.microsoft.com/productupdates/content/opuc.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/essentials/ymmapi_0727.dll
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://128.54.188.201/activex/AxisCamControl.ocx
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/download/ipixx.cab
O16 - DPF: {768D513A-C75B-4FAA-8452-E906CDAB6545} (FVLiteLoad Class) - http://digitalflip.net/fvlite/fvliteY.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004033001/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {72D59B9C-1E59-4958-803A-ABDEE2D4CFA6} (DivX Player) - http://download.divx.com/player/DivXPlayerInstaller.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/125fa88aba58500b5906/netzip/RdxIE6.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37948.4450347222
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/swdir.cab
O16 - DPF: {E4DFABBD-F5F6-11D3-8421-0080C6F79C42} (SpeechControl Class) - http://www.directxtras.com/speaksforitself/download/speechplugin.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20030530/qtinstall.info.apple.com/bonnie/us/win/QuickTimeInstaller.exe
O16 - DPF: {7ED7005B-4AF6-4CFF-9AE0-F243C4B8260F} (HouseCallButton.setup) - http://de.trendmicro-europe.com/file_downloads/common/housecall/HouseCallButton.CAB
O16 - DPF: {02BED220-FBC7-4392-93A2-3A50B056F78E} - http://down.plaxo.com/down/release/instub.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwebproducts/SmileyCentralInitialSetup1.0.0.6.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {DDFFA75A-E81D-4454-89FC-B9FD0631E726} - http://www.bundleware.com/activeX/BM2/BM2.cab

 

 

Time to run spybot,cwshredder and spyblaster and then repost the log ;)

1a. Download spybot 1.3!!
http://kujoe.com/freeware/spybot.php
http://majorgeeks.com/download2471.html

1b.Download and run cwshredder
http://www.spywareinfo.com/~merijn/downloads.html

 
Tutorial to remove CoolWebSearch with CoolWeb Shredder
http://www.bleepingcomputer.com/forums/index.php?showtutorial=47

1c
 SpywareBlaster download it here http://www.javacoolsoftware.com/sbdownload.html

can help keep your system spyware-free and secure, without interfering with the "good side" of the web.
Spyware, adware, browser hijackers, and dialers are some of the fastest-growing threats on the Internet today.
By simply browsing to a web page, you could find your computer to be the brand-new host of one of these unwanted fiends!

 >ran the Norton Antivirus but it didn't detect any virus. I than ran Housecall by trendmicro and it detected two trojan virus files which I cleaned/deleted.

OK...I missed the boat anyway...it wasn't the Trojan I suspected on further reflection...wrong extension and wrong folder (hmmm...two mistakes...must be a sign of fatique *;-). But I'm glad you found some others and cleaned them with TrendMicro. I would keep a close look at this line entry...probably just messed up from the CWS stuff that Navin has you now correctly on the road to repair:

C:\WINDOWS\RUNDLL32.EXE  (this is the one I thought was the new Trojan, but it would have to be rundll32.dll and in the System subfolder on your 98 machine, System 32 in XP\W2K) 

This file is legit, but rarely appears persistently in the Windows startup list (which Hijackthis displays). When it does then you must eliminate any possibility of it being a virus overwritten file (it happens from several viruses). Running Norton full scan in Safe Mode would be the best way to assure that it is not hostile and just being buggy (maybe from the CWS hijacks).

Follow the cleanup instructions from Navin and post back a new log in this thread.

All the best,

Texruss

Texruss,

Thanks. Not a problem, you are always a big help. I understand what Fatigue can do.

I will follow further instructions from you and Navin and post the logs again.

 

Thanks and Regards.

Nand

Hi Navin,

Thanks for your suggestions.

I have downloaded and run Spybotsd1.3, CWShredder and also dowmloaded and run Spyblaster as suggested by you. I am attaching below the Hijackthis log after performing above three opeartions. I hope you can help.

 

Regards,

Nand

Logfile of HijackThis v1.97.7
Scan saved at 11:42:42 PM, on 5/17/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\NORTON INTERNET SECURITY\NISSERV.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\NORTON INTERNET SECURITY\NISUM.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\ATI2CWXX.EXE
C:\WINDOWS\SYSTEM\ATI2PLAB.EXE
C:\WINDOWS\SYSTEM\ATIPTAAB.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
C:\PROGRAM FILES\NORTON INTERNET SECURITY\IAMAPP.EXE
C:\WINDOWS\LOADQM.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\PROGRAM FILES\AIM95\AIM.EXE
C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
C:\PROGRAM FILES\HP OFFICEJET SERIES 600\BIN\HPOSTART.EXE
C:\PALM\HOTSYNC.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\D-LINK AIRPLUS G\AIRPLUS.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\HP OFFICEJET SERIES 600\BIN\HPOJVDIX.EXE
C:\WINDOWS\SYSTEM\HPOMLCH.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\PROGRAM FILES\WINZIP\WINZIP32.EXE
C:\WINDOWS\TEMP\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://zoosecret.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://rd.yahoo.com/customize/ymsgr/defaults/su/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: plus1ante - {9F517ED5-8BD4-4E57-C8E9-C79A4E59B35E} - C:\PROGRAM FILES\SOAP BAT\NURB NAME.DLL
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Ati2cwxx] Ati2cwxx.exe
O4 - HKLM\..\Run: [AtiGart] c:\Ati\Gart\AtiGart.exe
O4 - HKLM\..\Run: [ATIPOLAB] ati2plab.exe
O4 - HKLM\..\Run: [AtiPTA] Atiptaab.exe
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE
O4 - HKLM\..\Run: [RecoverFromReboot] C:\WINDOWS\TEMP\RECOVE~1.EXE
O4 - HKLM\..\Run: [Necutray] NECUTRAY.EXE
O4 - HKLM\..\Run: [iamapp] C:\Program Files\Norton Internet Security\IAMAPP.EXE
O4 - HKLM\..\Run: [CriticalUpdate] C:\WINDOWS\SYSTEM\wucrtupd.exe -startup
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [nisserv] C:\Program Files\Norton Internet Security\NISSERV.EXE
O4 - HKLM\..\RunServices: [Installer] C:\WINDOWS\SYSTEM\INSTALLER.EXE
O4 - HKCU\..\Run: [AIM] C:\PROGRAM FILES\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [msnmsgr] "C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE" /background
O4 - Startup: HP OfficeJet Series 600 StartUp.lnk = C:\Program Files\HP OfficeJet Series 600\bin\HPOstart.exe
O4 - Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE
O4 - Startup: D-Link AirPlus G Configuration Utility.lnk = C:\Program Files\D-Link AirPlus G\AirPlus.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Open Picture in &Microsoft PhotoDraw - res://C:\PROGRA~1\MICROS~1\OFFICE\1033\PHDINTL.DLL/phdContext.htm
O8 - Extra context menu item: Coupons - file://C:\Program Files\websearch\System\Temp\couponsandoffers_script0.htm
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: TREND MICRO HouseCall (HKLM)
O15 - Trusted Zone: http://www.kazaa.com
O15 - Trusted Zone: http://ftp.newaol.com
O15 - Trusted Zone: http://www.ibsnetaccess.com
O15 - Trusted Zone: http://www.citicards.com
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (&Yahoo! Companion) - http://us.dl1.yimg.com/download.yahoo.com/dl/toolbar/my/yiebio5_0_2_1.cab
O16 - DPF: {528B6917-4DED-43F1-B56C-35A1519129CA} (MSIMMessageView Class) - http://activex.microsoft.com/activex/controls/exim/msimrt.cab
O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://office.microsoft.com/productupdates/content/opuc.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/essentials/ymmapi_0727.dll
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://128.54.188.201/activex/AxisCamControl.ocx
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/download/ipixx.cab
O16 - DPF: {768D513A-C75B-4FAA-8452-E906CDAB6545} (FVLiteLoad Class) - http://digitalflip.net/fvlite/fvliteY.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004033001/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {72D59B9C-1E59-4958-803A-ABDEE2D4CFA6} (DivX Player) - http://download.divx.com/player/DivXPlayerInstaller.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/125fa88aba58500b5906/netzip/RdxIE6.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37948.4450347222
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/swdir.cab
O16 - DPF: {E4DFABBD-F5F6-11D3-8421-0080C6F79C42} (SpeechControl Class) - http://www.directxtras.com/speaksforitself/download/speechplugin.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20030530/qtinstall.info.apple.com/bonnie/us/win/QuickTimeInstaller.exe
O16 - DPF: {7ED7005B-4AF6-4CFF-9AE0-F243C4B8260F} (HouseCallButton.setup) - http://de.trendmicro-europe.com/file_downloads/common/housecall/HouseCallButton.CAB
O16 - DPF: {02BED220-FBC7-4392-93A2-3A50B056F78E} - http://down.plaxo.com/down/release/instub.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwebproducts/SmileyCentralInitialSetup1.0.0.6.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {DDFFA75A-E81D-4454-89FC-B9FD0631E726} - http://www.bundleware.com/activeX/BM2/BM2.cab

 

 

Check these in hijackthis, AND WITH ALL OTHER WINDOWS CLOSED, fix checked.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://zoosecret.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O8 - Extra context menu item: Coupons - file://C:\Program Files\websearch\System\Temp\couponsandoffers_script0.htm
These 015's unless set by you
O15 - Trusted Zone: http://www.kazaa.com
O15 - Trusted Zone: http://ftp.newaol.com
O15 - Trusted Zone: http://www.ibsnetaccess.com
O15 - Trusted Zone: http://www.citicards.com
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/125fa88aba58500b5906/netzip/RdxIE6.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwebproducts/SmileyCentralInitialSetup1.0.0.6.cab
O16 - DPF: {DDFFA75A-E81D-4454-89FC-B9FD0631E726} - http://www.bundleware.com/activeX/BM2/BM2.cab

The following have randomly named file names, and as such are normally malware, UNLESS you know what they are, and they are from a safe source, please check for removal.

O3 - Toolbar: plus1ante - {9F517ED5-8BD4-4E57-C8E9-C79A4E59B35E} - C:\PROGRAM FILES\SOAP BAT\NURB NAME.DLL
O4 - HKLM\..\RunServices: [Installer] C:\WINDOWS\SYSTEM\INSTALLER.EXE

The following activeX controls will reinstall when(and if) you revisit that website, UNLESS you know they are from a safe source, check to remove.

O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://128.54.188.201/activex/AxisCamControl.ocx
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/download/ipixx.cab
O16 - DPF: {768D513A-C75B-4FAA-8452-E906CDAB6545} (FVLiteLoad Class) - http://digitalflip.net/fvlite/fvliteY.cab
O16 - DPF: {72D59B9C-1E59-4958-803A-ABDEE2D4CFA6} (DivX Player) - http://download.divx.com/player/DivXPlayerInstaller.exe
O16 - DPF: {E4DFABBD-F5F6-11D3-8421-0080C6F79C42} (SpeechControl Class) - http://www.directxtras.com/speaksforitself/download/speechplugin.cab
O16 - DPF: {02BED220-FBC7-4392-93A2-3A50B056F78E} - http://down.plaxo.com/down/release/instub.cab

Then Reboot to safe mode (F8 on boot) and delete the following files/folders:-

File > > C:\WINDOWS\SYSTEM\INSTALLER.EXE

Then Reboot and post a fresh log for me to check.

Hi Chris,

Thanks for your help. I understand you are in U.K and will be patient to hear back from you.

I have done everything you suggested except when I booted up in the normal mode I didn't see any installer.exe file under windows/system directory. All I saw was installer.cfg under the windows/system directory, which I did not delete.

I have attached below a fresh log for your analysis and further asistance.

Regards,

Nand

Logfile of HijackThis v1.97.7
Scan saved at 11:59:37 AM, on 5/18/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\NORTON INTERNET SECURITY\NISSERV.EXE
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\NORTON INTERNET SECURITY\NISUM.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\PROGRAM FILES\NORTON INTERNET SECURITY\SYMPROXYSVC.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\ATI2CWXX.EXE
C:\WINDOWS\SYSTEM\ATI2PLAB.EXE
C:\WINDOWS\SYSTEM\ATIPTAAB.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
C:\PROGRAM FILES\NORTON INTERNET SECURITY\IAMAPP.EXE
C:\WINDOWS\LOADQM.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\PROGRAM FILES\AIM95\AIM.EXE
C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
C:\PROGRAM FILES\HP OFFICEJET SERIES 600\BIN\HPOSTART.EXE
C:\PALM\HOTSYNC.EXE
C:\PROGRAM FILES\D-LINK AIRPLUS G\AIRPLUS.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\HP OFFICEJET SERIES 600\BIN\HPOJVDIX.EXE
C:\WINDOWS\SYSTEM\HPOMLCH.EXE
C:\PROGRAM FILES\WINZIP\WINZIP32.EXE
C:\WINDOWS\TEMP\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://rd.yahoo.com/customize/ymsgr/defaults/su/*http://www.yahoo.com
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Ati2cwxx] Ati2cwxx.exe
O4 - HKLM\..\Run: [AtiGart] c:\Ati\Gart\AtiGart.exe
O4 - HKLM\..\Run: [ATIPOLAB] ati2plab.exe
O4 - HKLM\..\Run: [AtiPTA] Atiptaab.exe
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE
O4 - HKLM\..\Run: [RecoverFromReboot] C:\WINDOWS\TEMP\RECOVE~1.EXE
O4 - HKLM\..\Run: [Necutray] NECUTRAY.EXE
O4 - HKLM\..\Run: [iamapp] C:\Program Files\Norton Internet Security\IAMAPP.EXE
O4 - HKLM\..\Run: [CriticalUpdate] C:\WINDOWS\SYSTEM\wucrtupd.exe -startup
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [nisserv] C:\Program Files\Norton Internet Security\NISSERV.EXE
O4 - HKCU\..\Run: [AIM] C:\PROGRAM FILES\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [msnmsgr] "C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE" /background
O4 - Startup: HP OfficeJet Series 600 StartUp.lnk = C:\Program Files\HP OfficeJet Series 600\bin\HPOstart.exe
O4 - Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE
O4 - Startup: D-Link AirPlus G Configuration Utility.lnk = C:\Program Files\D-Link AirPlus G\AirPlus.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Open Picture in &Microsoft PhotoDraw - res://C:\PROGRA~1\MICROS~1\OFFICE\1033\PHDINTL.DLL/phdContext.htm
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: TREND MICRO HouseCall (HKLM)
O15 - Trusted Zone: http://www.ibsnetaccess.com
O15 - Trusted Zone: http://www.citicards.com
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (&Yahoo! Companion) - http://us.dl1.yimg.com/download.yahoo.com/dl/toolbar/my/yiebio5_0_2_1.cab
O16 - DPF: {528B6917-4DED-43F1-B56C-35A1519129CA} (MSIMMessageView Class) - http://activex.microsoft.com/activex/controls/exim/msimrt.cab
O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://office.microsoft.com/productupdates/content/opuc.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/essentials/ymmapi_0727.dll
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004033001/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37948.4450347222
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/swdir.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20030530/qtinstall.info.apple.com/bonnie/us/win/QuickTimeInstaller.exe
O16 - DPF: {7ED7005B-4AF6-4CFF-9AE0-F243C4B8260F} (HouseCallButton.setup) - http://de.trendmicro-europe.com/file_downloads/common/housecall/HouseCallButton.CAB
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab

 

This is my normal post for when you are clear - which you now are:-
------------------------
How on earth did I get infected with all that spyware in the first place? http://www.net-integration.net/cgi-bin/forum/ikonboard.cgi?;act=ST;f=38;t=3051
Also available from here :- http://www.computercops.biz/postlite7736-.html or http://boards.cexx.org/viewtopic.php?t=957
--------------
Look at the info on my website regarding malware (Link below). Some things you can do to stop getting infected again:-

Spybot S&D, Ad-aware Run weekly - or after a heavy internet session.
Spybot S&D v1.3 also have a run time module that runs in the background.

Spywareblaster & Spywareguard, first sets kill bits to stop known bad activeX controls installing, second acts like your AV to stop browser hijacks and installing of known badies.

Also ie-spyad (Link on my site), puts 4000 bad sites in your restricted (banned) sites list, to stop you accidentaly getting sent to a bad site, it has optional list of "bad" adult sites to install as well.

All those with links from my site. Do remember just like Anti-Virus they need to be updated regularly, I do mine weekly, Anti-Virus hourly.

Another good program winpatrol from here.

With these and a firewall in place I have to try various bad sites when checking peoples hijackthis logs looking to sort bad from good, and I have not yet been infected. Still time for it to happen LOL.

HI Chris,

Thanks for all your help.

I am still getting the same rundll32 error on boot up and if I close the error message the system freezes up. This was the same original complaint as stated in the subject box above.

If I leave the error message alone and run other applications, then within a short time the system freezes up and I have to do a hard boot again. Can you help me with this issue

Regards,

Nand

Your log is clean and has no entries that are calling on rundll32 to activate them.

Can you use start - run - sysedit.exe

That will bring up a window with smaller windows inside of the older running files that may be used at startup.

Look through those and see if any contain any commands using rundll32 - if so copy and paste that file here with a note of the files name.

Also - in hijackthis - config - misc tools - check the two boxes below and then run the startup log - that will be big, will take a few messages to post here.

Hi Chris,

I ran sysedit and didn't see any command with rundll32.

I have run the HijackThis again after checking the two boxes in - config - misc tools. The resulting log is rather large and is more than 20,000 characters(which is a limit for posting the info here) . It actually has 22437 characters. Can you please suggest how do I post the information here.

I am still experiencing the Rundll32 error on boot up and also frequent system freeze ups.

Thanks,

Nand

A startup list then - hijackthis - config - misc tools - check the two boxes below then click the strutup list button - the log will be large - please post as a reply here.

I talked with Chris and suggested we might have you replace your rundll32.exe file to see if that helps. Easy thing to try and it might help:

http://www.spywareinfo.com/~merijn/files/windows/rundll32_98.zip

Download, unzip and then copy to and overwrite the original file either in Safe Mode or in regular mode and stop the process (press Control-Alt-Delete and stop the file running). Location: C:\Windows\Rundll32.exe

Reboot and see if it improves.

Or you can extract the file from your Windows CDR:

from http://support.microsoft.com/default.aspx?scid=kb;en-us;q129605

KB 129605 How to Extract Original Compressed Windows Files in 98, ME, 95
Respectively:

Windows 98 and Windows 98 Second Edition

In Windows

To extract files in Windows 98 or Windows 98 Second Edition, use the System
File Checker tool. To do this, follow these steps:
  1.. Click Start, and then click Run.
  2.. Type sfc, and then press ENTER.
  3.. Click Extract one file from installation disk.
  4.. In the Specify the system file you would like to restore box, type
drive:\windows\path\file (where drive is the drive on which the Windows
folder is installed, generally drive C, path is the location in the Windows
folder is the destination of the file that you are extracting, and file is
the file that you want to extract). Note from Russell: path for your file is:

C:\Windows\Rundll32.exe

5.. Click Start. Next to the Restore from box, click Browse, and then
locate the Windows installation files. If you are using an OEM version of
Windows 98 or Windows 98 Second Edition, the installation files are on the
hard disk in C:\Cabs, by default. If you are using a retail full version or
upgrade version, you can also insert the Windows installation CD-ROM into
the CD-ROM drive or DVD-ROM drive, and then locate the Windows installation
files.  (Note from Russell...don't know where MS got their info...but the 9X CAB files inserted from main PC vendors in my experience are usually stored in C:\Windows\Options\Cabs).

6.. Click OK, and then follow the on-screen instructions.

HTH,

Texruss