Computer Hope

Software => Computer viruses and spyware => Topic started by: lovetodance on April 21, 2008, 02:04:45 PM

Title: Winoldap and random-number programs slow/stop computer
Post by: lovetodance on April 21, 2008, 02:04:45 PM
Older computer, 386 RAM, ME OPER. SYSTEM.  Only when I go online using dialup AOL as ISP, as I retrieve my email, programs start running that slow the system.  When I Ctrl/Alt/Del to check what is running, there are many "winoldap" programs, plus a program identified only by 9 numbers.  When I highlight the 9-number program and click "End Task", very shortly a different 9-number program comes on.  As I keep trying to end the programs by pressing Ctrl/Alt/Del and End Task, the programs start multiplying; more and more 9-digit and even 10-digit number programs show up, and sometimes a program called "lcf", and rarely, a program called <unknown>.
   All of these winoldap programs, and the 9-digit programs, and lcf, quickly use up so much operating memory that I get a warning window saying my system is dangerously low on resources, or doesn't have the resources to continue.  My only recourse is to restart the computer and start over.
   It's as if a hacker out there, or his/her computer slave, has malware that notifies them that I have just gotten online, and sends these harassing programs to use up my operating memory and shut me down.
   By the way, sometimes I access the internet through a high-speed connection using an external antenna and program, and it doesn't happen then.  Only when I go through my dialup AOL.
   I have run Spybot, which tells me I am clean.
   Anyone know of this problem, and how to cure it?
Title: Re: Winoldap and random-number programs slow/stop computer
Post by: Broni on April 21, 2008, 02:53:00 PM
Print these instructions out.

1. Download SUPERAntiSpyware Free for Home Users:
http://www.superantispyware.com/

    * Double-click SUPERAntiSpyware.exe and use the default settings for installation.
    * An icon will be created on your desktop. Double-click that icon to launch the program.
    * If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download and unzip them from here: http://www.superantispyware.com/definitions.html)
    * Close SUPERAntiSpyware.

Restart computer in Safe Mode.
To enter Safe Mode, restart computer, and keep tapping F8 key, until menu appears; select Safe Mode; you'll see "Safe Mode" in all four corners of your screen

    * Open SUPERAntiSpyware.
    * Under "Configuration and Preferences", click the Preferences button.
    * Click the Scanning Control tab.
    * Under Scanner Options make sure the following are checked (leave all others unchecked):
          o Close browsers before scanning.
          o Scan for tracking cookies.
          o Terminate memory threats before quarantining.
    * Click the "Close" button to leave the control center screen.
    * Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
    * On the left, make sure you check C:\Fixed Drive.
    * On the right, under "Complete Scan", choose Perform Complete Scan.
    * Click "Next" to start the scan. Please be patient while it scans your computer.
    * After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
    * Make sure everything has a checkmark next to it and click "Next".
    * A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
    * If asked if you want to reboot, click "Yes".
    * To retrieve the removal information after reboot, launch SUPERAntispyware again.
          o Click Preferences, then click the Statistics/Logs tab.
          o Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
          o If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
          o Please copy and paste the Scan Log results in your next reply.
    * Click Close to exit the program.
Post SUPERAntiSpyware log.

RESTART COMPUTER!

2. Download Malwarebytes' Anti-Malware: http://www.majorgeeks.com/Malwarebytes_Anti-Malware_d5756.html to your desktop.

    * Double-click mbam-setup.exe and follow the prompts to install the program.
    * At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
    * If an update is found, it will download and install the latest version.
    * Once the program has loaded, select Perform full scan, then click Scan.
    * When the scan is complete, click OK, then Show Results to view the results.
    * Be sure that everything is checked, and click Remove Selected.
    * When completed, a log will open in Notepad.
    * Post the log back here.

The log can also be found here:
C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
Or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt

RESTART COMPUTER!

3. Download HijackThis:
http://www.snapfiles.com/get/hijackthis.html
Post HijackThis log.
Title: Re: Winoldap and random-number programs slow/stop computer
Post by: lovetodance on April 27, 2008, 05:51:48 AM
Broni, thank you for your help.  Your reply recommended I download three programs.  After many tries for each, I was successful in downloading two of them: SUPERAntiSpyware and HijackThis.  Each time I tried to install Malwarebytes, I got an error window saying: "Mbam has caused an error in KERNEL32.DLL".  I couldn't get past that.
   You asked me to post the scan logs, so below are the scan logs for SUPERAntiSpyware and HijackThis.  I did fix the problems revealed in the SUPERAntiSpyware scan.  Thank you again.  I presume you will review this and give your expert opinion on further action, if any?
Lovetodance  -  a newbie

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:14:54 AM, on 4/26/2008
Platform: Windows ME (Win9x 4.90.3000A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\AVSYNMGR.EXE
C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
C:\PROGRAM FILES\COMPACT WIRELESS-G USB ADAPTER WIRELESS NETWORK MONITOR\WUSB54GC.EXE
C:\WINDOWS\SYSTEM\KB918547\KB918547.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\WINDOWS\SYSTEM\ICF.EXE
C:\PROGRAM FILES\SPYBOT - SEARCH & DESTROY\TEATIMER.EXE
C:\PROGRAM FILES\SUPERANTISPYWARE\SUPERANTISPYWARE.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\VSSTAT.EXE
C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\AVCONSOL.EXE
C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\WEBSCANX.EXE
C:\WINDOWS\WUAUCLT.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\TREND MICRO\HIJACKTHIS\HIJACKTHIS.EXE
C:\WINDOWS\SYSTEM\WBEM\WINMGMT.EXE
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.netcenter.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YT.DLL
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YT.DLL
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YT.DLL
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [QuickTime Task] C:\WINDOWS\SYSTEM\QTTASK.EXE
O4 - HKLM\..\Run: [icf] c:\windows\system\icf.exe
O4 - HKLM\..\RunServices: [McAfeeVirusScanService] C:\Program Files\McAfee\McAfee VirusScan\AVSYNMGR.EXE
O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
O4 - HKLM\..\RunServices: [WUSB54GC] C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WUSB54GC.exe
O4 - HKLM\..\RunServices: [KB918547] C:\WINDOWS\SYSTEM\KB918547\KB918547.EXE
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\PROGRAM FILES\SUPERANTISPYWARE\SUPERANTISPYWARE.EXE
O4 - HKUS\.DEFAULT\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [SUPERAntiSpyware] C:\PROGRAM FILES\SUPERANTISPYWARE\SUPERANTISPYWARE.EXE (User 'Default user')
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O12 - Plugin for .mov: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.e4me.com/start.html
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/2,0,0,4482/mcfscan.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
O16 - DPF: {8436FE12-31DB-48BF-83BF-FE682F9160B4} (NanoInstaller Class) - http://www.nanoscan.com/cabs/nanoinst.cab
O16 - DPF: {410A8B3C-7CCB-40E8-8B11-28B099E5C488} (Trend Micro Security Services Control) - http://tmss.trendmicro.com/Dashboard/controls/activex_10/TMSSReport.CAB
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = aoldsl.net
O20 - Winlogon Notify: !SASWinLogon - C:\PROGRAM FILES\SUPERANTISPYWARE\SASWINLO.DLL
--
End of file - 5328 bytes

SUPERAntiSpyware Scan Log
http://www.superantispyware.com
Generated 04/25/2008 at 05:45 PM
Application Version : 4.0.1154
Core Rules Database Version : 3412
Trace Rules Database Version: 1440
Scan type       : Complete Scan
Total Scan Time : 02:45:24
Memory items scanned      : 78
Memory threats detected   : 0
Registry items scanned    : 2788
Registry threats detected : 0
File items scanned        : 93083
File threats detected     : 318
Adware.Tracking Cookie
Trojan.Downloader-CounterMeasures
Title: Re: Winoldap and random-number programs slow/stop computer
Post by: Broni on April 27, 2008, 10:37:49 AM
*** You're not using any firewall, which is not good.
Download, and install Jetico Personal Firewall v.1 freeware: http://www.jetico.com/index.htm#/jpfirewall.htm

*** Disable TeaTimer, as it'll interfere with the cleaning process:
Right click Spybot's TeaTimer System Tray Icon.
Click Exit Spybot-S&D Resident.
TeaTimer closes.

1. Print this post out, since you won't have access to it at some point.

2. Close all windows, except for HijackThis.

3. Put a checkmark next to the following HijackThis entries (some entries will be checkmarked to disable unnecessary startups; in those cases (marked with *), no actual program will be removed):

- *O4 - HKLM\..\Run: [QuickTime Task] C:\WINDOWS\SYSTEM\QTTASK.EXE
- O4 - HKLM\..\Run: [icf] c:\windows\system\icf.exe
- *O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\PROGRAM FILES\SUPERANTISPYWARE\SUPERANTISPYWARE.EXE
- *O4 - HKUS\.DEFAULT\..\Run: [SUPERAntiSpyware] C:\PROGRAM FILES\SUPERANTISPYWARE\SUPERANTISPYWARE.EXE (User 'Default user')
- *O20 - Winlogon Notify: !SASWinLogon - C:\PROGRAM FILES\SUPERANTISPYWARE\SASWINLO.DLL

4. Click on Fix checked button.

5. Restart your computer in Safe Mode (keep tapping F8 key, when your computer starts, until menu appears)

6. Open Windows Explorer. Go Tools>Folder Options>View tab, put a checkmark next to Show hidden files, and folders.

7. Delete following files/folders (if present):

- icf.exe from c:\windows\system

8. Restart in Normal Mode.

9. Post new HijackThis log.
Title: Re: Winoldap and random-number programs slow/stop computer
Post by: lovetodance on April 29, 2008, 08:28:31 AM
I accomplished all of the above, BUT BIG PROBLEM.  Now I cannot get online with my AOL dialup.  It hangs up at step 5 - "Talking to Network" and almost everything freezes. Cursor moves, but nothing responds to clicks or keys.  When I hit "Control-Alt-Delete" even once, it immediately starts rebooting.  I have tried many times, cannot get past this.  (I am sending this from a friend's computer.)  Help!
Title: Re: Winoldap and random-number programs slow/stop computer
Post by: lovetodance on April 29, 2008, 05:53:01 PM
I am happy to report that I solved this problem.  I just uninstalled the Jetico Firewall, and everything seems to work fine now.  Whew!  ... Needless to say, I am not a fan of Jetico Firewall.
Title: Re: Winoldap and random-number programs slow/stop computer
Post by: Broni on April 29, 2008, 07:17:26 PM
That's the only free firewall available for ME. You can't be safe on the internet without a firewall.
I also need a fresh HJT log.
Title: Re: Winoldap and random-number programs slow/stop computer
Post by: lovetodance on April 30, 2008, 07:33:35 AM
Here's the fresh HJT log, hot out of the oven  (by the way, thanks for your time and expertise.  The other actions you recommended cured the other problem.)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:52:41 AM, on 4/29/2008
Platform: Windows ME (Win9x 4.90.3000A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\AVSYNMGR.EXE
C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
C:\PROGRAM FILES\COMPACT WIRELESS-G USB ADAPTER WIRELESS NETWORK MONITOR\WUSB54GC.EXE
C:\WINDOWS\SYSTEM\KB918547\KB918547.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\PROGRAM FILES\SPYBOT - SEARCH & DESTROY\TEATIMER.EXE
C:\PROGRAM FILES\SUPERANTISPYWARE\SUPERANTISPYWARE.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\VSSTAT.EXE
C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\AVCONSOL.EXE
C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\WEBSCANX.EXE
C:\WINDOWS\WUAUCLT.EXE
C:\PROGRAM FILES\TREND MICRO\HIJACKTHIS\HIJACKTHIS.EXE
C:\WINDOWS\SYSTEM\WBEM\WINMGMT.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.netcenter.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YT.DLL
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YT.DLL
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YT.DLL
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [QuickTime Task] C:\WINDOWS\SYSTEM\QTTASK.EXE
O4 - HKLM\..\RunServices: [McAfeeVirusScanService] C:\Program Files\McAfee\McAfee VirusScan\AVSYNMGR.EXE
O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
O4 - HKLM\..\RunServices: [WUSB54GC] C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WUSB54GC.exe
O4 - HKLM\..\RunServices: [KB918547] C:\WINDOWS\SYSTEM\KB918547\KB918547.EXE
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\PROGRAM FILES\SUPERANTISPYWARE\SUPERANTISPYWARE.EXE
O4 - HKUS\.DEFAULT\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [SUPERAntiSpyware] C:\PROGRAM FILES\SUPERANTISPYWARE\SUPERANTISPYWARE.EXE (User 'Default user')
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O12 - Plugin for .mov: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.e4me.com/start.html
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/2,0,0,4482/mcfscan.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
O16 - DPF: {8436FE12-31DB-48BF-83BF-FE682F9160B4} (NanoInstaller Class) - http://www.nanoscan.com/cabs/nanoinst.cab
O16 - DPF: {410A8B3C-7CCB-40E8-8B11-28B099E5C488} (Trend Micro Security Services Control) - http://tmss.trendmicro.com/Dashboard/controls/activex_10/TMSSReport.CAB
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = aoldsl.net
O20 - Winlogon Notify: !SASWinLogon - C:\PROGRAM FILES\SUPERANTISPYWARE\SASWINLO.DLL

--
End of file - 5171 bytes
Title: Re: Winoldap and random-number programs slow/stop computer
Post by: Broni on April 30, 2008, 06:40:20 PM
The log is clean, now.

Download, and install CCleaner: http://www.ccleaner.com/download/builds. Get "Slim" version.
Read CCleaner instruction here: http://www.jahewi.nl/ccleaner/ccleaner.html, and run CCleaner

Turn System Restore off: http://download.nai.com/products/mcafee-avert/SystemHelpDocs/DisableSysRestore.htm

Restart computer.

Turn System Restore on.

Try to install Jetico again.
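
Comparing the HijackThis log taken before a fix with the one taken after it shows which autostart entries and processes actually disappeared. The Python script below is an added example, not part of the original thread: the function names are hypothetical, and `BEFORE`, `AFTER` and `TARGETS` are abridged excerpts of the two logs and the fix list posted above.

```python
import re

# HijackThis entry lines start with a section code, e.g.
#   O4 - HKLM\..\Run: [icf] c:\windows\system\icf.exe
ENTRY_RE = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")


def parse_hjt(text):
    """Return (processes, entries) from a HijackThis log as two sets.

    Everything is lower-cased because the same path shows up in
    different casing in the process list and in the registry entries.
    """
    processes, entries = set(), set()
    in_processes = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.lower().startswith("running processes"):
            in_processes = True
            continue
        m = ENTRY_RE.match(line)
        if m:
            in_processes = False          # first entry ends the process list
            entries.add((m.group(1), m.group(2).lower()))
        elif in_processes:
            processes.add(line.lower())
        # header and trailer lines ("Boot mode", "--", "End of file") fall through
    return processes, entries


def diff_hjt(before, after):
    """Report what disappeared and what appeared between two logs."""
    bp, be = parse_hjt(before)
    ap, ae = parse_hjt(after)
    return {
        "processes_gone": sorted(bp - ap),
        "processes_new": sorted(ap - bp),
        "entries_gone": sorted(be - ae),
        "entries_new": sorted(ae - be),
    }


def still_listed(targets, after):
    """Return the targeted entry lines that the later log still contains."""
    _, after_entries = parse_hjt(after)
    found = []
    for target in targets:
        # Fix lists are often pasted with "- " or "*" in front of the entry.
        m = ENTRY_RE.match(target.lstrip("-* ").strip())
        if m and (m.group(1), m.group(2).lower()) in after_entries:
            found.append(target)
    return found


# Abridged excerpts of the logs posted in this thread (most lines omitted).
BEFORE = r"""Logfile of Trend Micro HijackThis v2.0.2
Boot mode: Normal
Running processes:
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\WINDOWS\SYSTEM\ICF.EXE
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [QuickTime Task] C:\WINDOWS\SYSTEM\QTTASK.EXE
O4 - HKLM\..\Run: [icf] c:\windows\system\icf.exe
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = aoldsl.net
--
"""

AFTER = r"""Logfile of Trend Micro HijackThis v2.0.2
Boot mode: Normal

Running processes:
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE

O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [QuickTime Task] C:\WINDOWS\SYSTEM\QTTASK.EXE
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = aoldsl.net

--
"""

# Two of the entries from the fix list, copied with their list markers.
TARGETS = [
    r"- *O4 - HKLM\..\Run: [QuickTime Task] C:\WINDOWS\SYSTEM\QTTASK.EXE",
    r"- O4 - HKLM\..\Run: [icf] c:\windows\system\icf.exe",
]

if __name__ == "__main__":
    for key, values in diff_hjt(BEFORE, AFTER).items():
        print(key, values)
    print("still listed:", still_listed(TARGETS, AFTER))
```
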
Title: Re: Winoldap and random-number programs slow/stop computer
Post by: lovetodance on July 24, 2008, 06:00:11 AM
I just wanted to thank Broni VERY much, who solved the problem with the advice in this topic.
Title: Re: Winoldap and random-number programs slow/stop computer
Post by: Broni on July 24, 2008, 08:49:00 PM
You're very welcome :)
Thank you for posting back.