
win98 start up problem

Discussion in 'Security and Privacy' started by mrs bossy, 2004/06/12.

Thread Status:
Not open for further replies.
  1. 2004/06/12
    mrs bossy

    mrs bossy Inactive Thread Starter

    Joined:
    2004/06/12
    Messages:
    5
    Likes Received:
    0
    Hi all,
    Can anyone help please with my start-up problem? I'm not really what you would call PC literate, but I try.
    The PC is an HP Pavilion running Windows 98. HP will not offer me any help; they don't support Win98 now.
    When I start the machine it works fine right up to the log-in box with user name and password. When entered, I get a blue screen and a flashing egg timer. It won't proceed past this stage unless I do the following: press Ctrl-Alt-Del and I get the End Program box. If it just has Explorer in it, I have to cancel and try until I get a code such as "m2xel orf5k4pr4, uib4n". If I highlight this code and end task, it lets me continue normally to my desktop.
    When I search for these files or codes, it tells me they are system application files; they are all 201 KB and it says they were modified before their creation date??? I have tried deleting them, but it seems to make it harder to get in.
    Recently I had trojan problems, but since installing a firewall and spyware protection I'm clean, I think!!
    I have no 98 disc to reinstall; HP never gave me one and can't supply me one now.
    Anyone help me please?
     
  2. 2004/06/12
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Welcome to WindowsBBS! :)

    Doesn't sound like you're clean. Scan with both RAV and Housecall. Check the box to autoclean. If anything is found and uncleanable, get a report, copy and paste it here along with a HijackThis log.
     

  4. 2004/06/12
    markp62

    markp62 Geek Member Alumni

    Joined:
    2002/05/01
    Messages:
    4,012
    Likes Received:
    16
    I moved this over to Security/Virus/Spyware; those file names definitely sound like a virus infection.
    You could check to see if you have the setup files for 98 copied onto your hard drive. Check this folder: C:\Windows\Options\Cabs. If you have files named Win98xxx and Driversxx, these are it. If you have a CD burner, it would be a good idea to burn this entire folder onto a CD.
    When you get the online scans done, please post the names of the trojans and/or viruses found; this info may help in getting rid of them.
     
  5. 2004/06/13
    Newt

    Newt Inactive

    Joined:
    2002/01/07
    Messages:
    10,974
    Likes Received:
    2
    And if the good suggestions by noahdfear & markp62 don't have enough detail for you to feel comfortable, just say so. Some folks do better with step-by-step directions but others get offended when you post that amount of detail.
     
    Newt,
    #4
  6. 2004/06/13
    mrs bossy

    mrs bossy Inactive Thread Starter

    Joined:
    2004/06/12
    Messages:
    5
    Likes Received:
    0
    Hi all, thanks for the help guys. As you can see I'm not as clean as I thought, so much for my anti-virus program. Right, I'm totally confused as to what to do next. Last time I dabbled in the reg it threw a fit and I had to use my system recovery disc to bring it back.
    Many thanks, esp. to noahdfear.
    Anyone tell me what I do next please?



    Scan started at 13/06/04 18:09:55

    Scanning memory...
    c:\dialler.exe->(UPXW) - Tool:pornDialer.gen! -> Suspicious
    c:\calsdr.exe - TrojanDropper:Win32/Small.FF -> Infected
    c:\WINDOWS\calsdr.exe - TrojanDropper:Win32/Small.FF -> Infected
    c:\WINDOWS\update12.js - Trojan:JS/Startpage.A* -> Infected
    c:\WINDOWS\restsrv32a.sys - Trojan:Win32/Delf.CF -> Infected
    c:\WINDOWS\SYSTEM\calsdr.dll - TrojanDownloader:Win32/Rameh.B -> Infected
    c:\WINDOWS\SYSTEM\f5k4pr4.exe - Trojan:Win32/Delf.CF -> Infected
    c:\WINDOWS\SYSTEM\tksrv98.exe - TrojanDownloader:Win32/Esepor.Q -> Infected
    c:\WINDOWS\SYSTEM\i66hkfb.exe - Trojan:Win32/Delf.CF -> Infected
    c:\WINDOWS\SYSTEM\tmksrvu.exe - TrojanDownloader:Win32/Esepor.Q -> Infected
    c:\WINDOWS\SYSTEM\xplugin.dll - TrojanDownloader:Win32/Esepor.Q -> Infected
    c:\WINDOWS\SYSTEM\fehnjcm.exe - Trojan:Win32/Delf.CF -> Infected
    c:\WINDOWS\SYSTEM\5m425u.exe - Trojan:Win32/Delf.CF -> Infected
    c:\WINDOWS\SYSTEM\dkin2r9.exe - Trojan:Win32/Delf.CF -> Infected
    c:\WINDOWS\SYSTEM\1dqrjh.exe - Trojan:Win32/Delf.CF -> Infected
    c:\WINDOWS\SYSTEM\iz0numl.exe - Trojan:Win32/Delf.CF -> Infected
    c:\WINDOWS\SYSTEM\8w9uze.exe - Trojan:Win32/Delf.CF -> Infected
    c:\WINDOWS\SYSTEM\ejc1nnm.exe - Trojan:Win32/Delf.CF -> Infected
    c:\WINDOWS\SYSTEM\biH.exe - PWS:Win32/Bispy -> Infected
    c:\WINDOWS\SYSTEM\1p0vin.exe - Trojan:Win32/Delf.CF -> Infected
    c:\WINDOWS\SYSTEM\restsrv32a.sys - Trojan:Win32/Delf.CF -> Infected
    c:\WINDOWS\SYSTEM\yme2qj.exe - Trojan:Win32/Delf.CF -> Infected
    c:\WINDOWS\SYSTEM\uccax.exe - Trojan:Win32/Delf.CF -> Infected
    c:\WINDOWS\SYSTEM\h39n0ff.exe - Trojan:Win32/Delf.CF -> Infected
    c:\WINDOWS\TEMP\restsrv32a.sys - Trojan:Win32/Delf.CF -> Infected
    c:\VCOM\MXCYCLE\00033021 - TrojanDownloader:Win32/Stubby.A -> Infected
    c:\VCOM\MXCYCLE\00033026 - Trojan:Win32/Spy.BiSpy.C -> Infected
    c:\VCOM\MXCYCLE\00033377 - Trojan:Win32/Delf.CF -> Infected

    Scanned
    ============================
    Objects: 33351
    Directories: 2711
    Archives: 1045
    Size(Kb): -108141
    Infected files: 27

    Found
    ============================
    Viruses found: 8
    Suspicious files: 1
    Disinfected files: 0
    Mail files: 826





    Logfile of HijackThis v1.97.7
    Scan saved at 19:35:57, on 13/06/04
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\SYSTEM\RNAAPP.EXE
    C:\WINDOWS\SYSTEM\TAPISRV.EXE
    C:\WINDOWS\RUNDLL32.EXE
    C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
    C:\PROGRAM FILES\VCOM\FIX-IT\MXTASK.EXE
    C:\PROGRAM FILES\EPSON\EPSON CARDMONITOR\EPSON CARDMONITOR1.2.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\WINDOWS\SYSTEM\REGSVRAC32.EXE
    C:\WINDOWS\SYSTEM\REGSVRAC32.EXE
    C:\WINDOWS\SYSTEM\REGSVRAC32.EXE
    C:\WINDOWS\SYSTEM\REGSVRAC32.EXE
    C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\WINWORD.EXE
    C:\WINDOWS\SYSTEM\REGSVRAC32.EXE
    C:\WINDOWS\SYSTEM\REGSVRAC32.EXE
    C:\WINDOWS\TEMP\~~PDTEMP\HIJACKTHIS.EXE

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.co.uk
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.co.uk
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by ManUFree.net
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - (no file)
    O2 - BHO: Clear Search - {00000000-0000-0000-0000-000000000221} - (no file)
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - (no file)
    O2 - BHO: (no name) - {D537A3D0-8C07-4D62-953F-162207F5090D} - C:\WINDOWS\SYSTEM\regsvrac32.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE c:\windows\SYSTEM\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE c:\windows\SYSTEM\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
    O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
    O4 - HKLM\..\RunOnce: [h39n0ff.exe] C:\WINDOWS\SYSTEM\h39n0ff.exe
    O4 - Startup: Fix-It.lnk = C:\Program Files\VCOM\Fix-It\mxtask.exe
    O4 - Startup: EPSON CardMonitor.lnk = C:\Program Files\EPSON\EPSON CardMonitor\EPSON CardMonitor1.2.exe
    O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
    O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O9 - Extra button: ICQ Pro (HKLM)
    O9 - Extra 'Tools' menuitem: ICQ (HKLM)
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.24.141/code/PWActiveXImgCtl.CAB
    O16 - DPF: {92CA8ACC-4E99-4A2A-93F1-B2C5CADC8613} (OPInstall Control) - http://a14.g.akamai.net/f/14/7141/1...com/opistat/activex/opinstall_en_4.1.0.18.cab
    O16 - DPF: {4E888414-DB8F-11D1-9CD9-00C04F98436A} - https://webresponse.one.microsoft.com/oas/ActiveX/winrep.cab
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0309.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37874.5391898148
    O16 - DPF: {083F2348-989A-4650-A541-6BB9CEE58E5E} (IEUpdateOSR2 Control with Key) - http://client.virgin.net/assets/update.cab
    O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/1,5,0,4321/mcfscan.cab
    O16 - DPF: {C56CE781-A6FC-4706-8B32-6EB4622155DF} (MediaConnect Control) - http://plugin.euro-infomedia.com/mpv0.cab
    O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
    O16 - DPF: {9A95FE4A-0CD3-4698-A0F4-D2264C6E7046} (HPActiveChat Class) - http://instantsupport.europe.hp.com/awebui/jsp/answerweb/applets/ISPEActiveChat.CAB
    O16 - DPF: {2359626E-7524-4F87-B04E-22CD38A0C88C} (ICSScannerLight Class) - http://download.zonelabs.com/bin/free/cm/ICSCM.cab
    O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
    O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab
    O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
     
  7. 2004/06/13
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Let's start with getting rid of the viruses.

    Download the current versions of Spybot V1.3 and Ad-aware build 6.181 from the links in my signature. Install and immediately update both. Run Spybot and delete everything it finds that is prechecked. Configure Ad-aware for a custom full scan, run and delete everything it finds.

    Reboot.

    Download and run Stinger, A² and SwatIt.

    You need to create a new folder outside of a temp folder to place HijackThis.exe in. So one in Local Disk C:, named HJT, would be good. This has to be done because I will have you empty the temp folder it's currently in later. :) Run another HijackThis scan and place a check next to the following remaining entries. Close ALL other windows and click fix. *Note that the previously done scans may have removed some of this already.


    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - (no file)
    O2 - BHO: Clear Search - {00000000-0000-0000-0000-000000000221} - (no file)
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - (no file)
    O2 - BHO: (no name) - {D537A3D0-8C07-4D62-953F-162207F5090D} - C:\WINDOWS\SYSTEM\regsvrac32.dll
    O4 - HKLM\..\RunOnce: [h39n0ff.exe] C:\WINDOWS\SYSTEM\h39n0ff.exe
    O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.24.141/code/PWActiveXImgCtl.CAB
    O16 - DPF: {92CA8ACC-4E99-4A2A-93F1-B2C5CADC8613} (OPInstall Control) - http://a14.g.akamai.net/f/14/7141/1...en_4.1.0.18.cab
    O16 - DPF: {083F2348-989A-4650-A541-6BB9CEE58E5E} (IEUpdateOSR2 Control with Key) - http://client.virgin.net/assets/update.cab


    Open C:\Windows\Applog, select all and delete. (may already be empty)
    Open My Computer, right click on Local Disk C: and choose properties, then disk cleanup. Check all boxes except compress old files and click OK.

    Reboot.

    Now scan again with RAV (I'm assuming that was a RAV report). Again, get a report if anything found. Post it along with a new HijackThis log and any comments.
     
  8. 2004/06/15
    mrs bossy

    mrs bossy Inactive Thread Starter

    Joined:
    2004/06/12
    Messages:
    5
    Likes Received:
    0
    Hi Dave,
    Below is another HijackThis log and RAV scan. As you can see they are still infected.
    Any more ideas?
    Andy



    Logfile of HijackThis v1.97.7
    Scan saved at 06:36:24, on 15/06/04
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\SYSTEM\RNAAPP.EXE
    C:\WINDOWS\SYSTEM\TAPISRV.EXE
    C:\WINDOWS\RUNDLL32.EXE
    C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
    C:\WINDOWS\SYSTEM\E_S4I0F2.EXE
    C:\PROGRAM FILES\A2\A2GUARD.EXE
    C:\PROGRAM FILES\VCOM\FIX-IT\MXTASK.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\PROGRAM FILES\EPSON\EPSON CARDMONITOR\EPSON CARDMONITOR1.2.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\WINDOWS\TEMP\~~PDTEMP\HIJACKTHIS.EXE

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.co.uk
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.co.uk
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by ManUFree.net
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    R3 - Default URLSearchHook is missing
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE c:\windows\SYSTEM\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE c:\windows\SYSTEM\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
    O4 - HKLM\..\Run: [EPSON Stylus Photo R300 Series] C:\WINDOWS\SYSTEM\E_S4I0F2.EXE /P30 "EPSON Stylus Photo R300 Series" /O7 "EPUSB1:" /M "Stylus Photo R300 "
    O4 - HKLM\..\Run: [EPSON Product Registration Reminder] C:\WINDOWS\Temp\RegModule.exe
    O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
    O4 - HKCU\..\Run: [a²] "C:\Program Files\a2\a2guard.exe "
    O4 - Startup: Fix-It.lnk = C:\Program Files\VCOM\Fix-It\mxtask.exe
    O4 - Startup: EPSON CardMonitor.lnk = C:\Program Files\EPSON\EPSON CardMonitor\EPSON CardMonitor1.2.exe
    O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
    O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O9 - Extra button: ICQ Pro (HKLM)
    O9 - Extra 'Tools' menuitem: ICQ (HKLM)
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {4E888414-DB8F-11D1-9CD9-00C04F98436A} - https://webresponse.one.microsoft.com/oas/ActiveX/winrep.cab
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0309.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37874.5391898148
    O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/1,5,0,4321/mcfscan.cab
    O16 - DPF: {C56CE781-A6FC-4706-8B32-6EB4622155DF} (MediaConnect Control) - http://plugin.euro-infomedia.com/mpv0.cab
    O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
    O16 - DPF: {2359626E-7524-4F87-B04E-22CD38A0C88C} (ICSScannerLight Class) - http://download.zonelabs.com/bin/free/cm/ICSCM.cab
    O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
    O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab
    O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab


    Rav scan

    Scan started at 15/06/04 06:01:40

    Scanning memory...
    c:\dialler.exe->(UPXW) - Tool:pornDialer.gen! -> Suspicious
    c:\calsdr.exe - TrojanDropper:Win32/Small.FF -> Infected
    c:\WINDOWS\calsdr.exe - TrojanDropper:Win32/Small.FF -> Infected
    c:\WINDOWS\update12.js - Trojan:JS/Startpage.A* -> Infected
    c:\WINDOWS\SYSTEM\calsdr.dll - TrojanDownloader:Win32/Rameh.B -> Infected
    c:\WINDOWS\SYSTEM\tksrv98.exe - TrojanDownloader:Win32/Esepor.Q -> Infected
    c:\WINDOWS\SYSTEM\tmksrvu.exe - TrojanDownloader:Win32/Esepor.Q -> Infected
    c:\WINDOWS\SYSTEM\xplugin.dll - TrojanDownloader:Win32/Esepor.Q -> Infected
    c:\WINDOWS\SYSTEM\restsrv32a.sys - Trojan:Win32/Delf.CF -> Infected
    c:\VCOM\MXCYCLE\00033377 - Trojan:Win32/Delf.CF -> Infected
    c:\VCOM\MXCYCLE\00037688->c:/windows/system/1jare6.exe - Trojan:Win32/Delf.CF -> Infected
    c:\VCOM\MXCYCLE\00037688->c:/windows/system/bih.exe - PWS:Win32/Bispy -> Infected
    c:\VCOM\MXCYCLE\00037691 - Trojan:Win32/Delf.CF -> Infected
    c:\VCOM\MXCYCLE\00037692 - Trojan:Win32/Delf.CF -> Infected
    c:\VCOM\MXCYCLE\00037693 - Trojan:Win32/Delf.CF -> Infected
    c:\VCOM\MXCYCLE\00037694 - Trojan:Win32/Delf.CF -> Infected
    c:\VCOM\MXCYCLE\00037695 - Trojan:Win32/Delf.CF -> Infected
    c:\VCOM\MXCYCLE\00037696 - Trojan:Win32/Delf.CF -> Infected
    c:\VCOM\MXCYCLE\00037697 - Trojan:Win32/Delf.CF -> Infected
    c:\VCOM\MXCYCLE\00037698 - Trojan:Win32/Delf.CF -> Infected
    c:\VCOM\MXCYCLE\00037699 - Trojan:Win32/Delf.CF -> Infected
    c:\VCOM\MXCYCLE\00037700 - PWS:Win32/Bispy -> Infected
    c:\VCOM\MXCYCLE\00037701 - Trojan:Win32/Delf.CF -> Infected
    c:\VCOM\MXCYCLE\00037702 - Trojan:Win32/Delf.CF -> Infected
    c:\VCOM\MXCYCLE\00037703 - Trojan:Win32/Delf.CF -> Infected
    c:\VCOM\MXCYCLE\00037704 - Trojan:Win32/Delf.CF -> Infected
    c:\VCOM\MXCYCLE\00037705 - Trojan:Win32/Delf.CF -> Infected
    c:\VCOM\MXCYCLE\00037706 - Trojan:Win32/Delf.CF -> Infected

    Scanned
    ============================
    Objects: 33898
    Directories: 2805
    Archives: 1054
    Size(Kb): 112525
    Infected files: 27

    Found
    ============================
    Viruses found: 6
    Suspicious files: 1
    Disinfected files: 0
    Mail files: 844
     
  9. 2004/06/15
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Most of what RAV found is in quarantine by VCOM. They can be deleted from within the program. Do a Ctrl+Alt+Del and verify none of the following are running.

    dialler.exe
    calsdr.exe
    calsdr.exe
    update12.js
    calsdr.dll
    tksrv98.exe
    tmksrvu.exe
    xplugin.dll
    restsrv32a.sys

    Then open C: and delete dialler.exe and calsdr.exe.
    Open C:\Windows and delete calsdr.exe and update12.js.
    Open C:\Windows\SYSTEM and delete calsdr.dll, tksrv98.exe, tmksrvu.exe, xplugin.dll and restsrv32a.sys.

    Make sure you can see hidden files.

    Empty the recycle bin.

    Fix the following with HJT.

    R3 - Default URLSearchHook is missing

    Reboot and scan again with RAV and HJT, then post the logs.
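    As an added example (not code from the thread or from the RAV, HijackThis or VCOM authors), here is a small Python triage script that reproduces the reasoning of posts #7 and #9 above: it parses RAV result lines, leaves out files already in the VCOM quarantine, groups the live ones by folder into the same deletion list given above, checks a task list for any that are still running, and picks HijackThis entries to fix under three of the rules applied above (a BHO with no file, an autostart launching a flagged file, a DPF control served from a bare IP). The sample lines are copied from the posted logs; the RUNNING_* task lists and the three HJT rules are this example's own assumptions.

```python
"""Triage of the RAV report and HijackThis log from this thread (posts #7 and #9).
Added example: not a forum tool and not code from RAV, HijackThis or VCOM."""
import ipaddress
from urllib.parse import urlparse
from collections import defaultdict

# Subset of the RAV report posted on 15/06/04 (sample, taken from the thread).
RAV_REPORT = r"""Scanning memory...
c:\dialler.exe->(UPXW) - Tool:pornDialer.gen! -> Suspicious
c:\calsdr.exe - TrojanDropper:Win32/Small.FF -> Infected
c:\WINDOWS\calsdr.exe - TrojanDropper:Win32/Small.FF -> Infected
c:\WINDOWS\update12.js - Trojan:JS/Startpage.A* -> Infected
c:\WINDOWS\SYSTEM\calsdr.dll - TrojanDownloader:Win32/Rameh.B -> Infected
c:\WINDOWS\SYSTEM\tksrv98.exe - TrojanDownloader:Win32/Esepor.Q -> Infected
c:\WINDOWS\SYSTEM\tmksrvu.exe - TrojanDownloader:Win32/Esepor.Q -> Infected
c:\WINDOWS\SYSTEM\xplugin.dll - TrojanDownloader:Win32/Esepor.Q -> Infected
c:\WINDOWS\SYSTEM\restsrv32a.sys - Trojan:Win32/Delf.CF -> Infected
c:\VCOM\MXCYCLE\00037688->c:/windows/system/bih.exe - PWS:Win32/Bispy -> Infected
Scanned
"""

# Subset of the HijackThis log posted on 13/06/04 (sample, taken from the thread).
HJT_LOG = r"""O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - (no file)
O2 - BHO: (no name) - {D537A3D0-8C07-4D62-953F-162207F5090D} - C:\WINDOWS\SYSTEM\regsvrac32.dll
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
O4 - HKLM\..\RunOnce: [h39n0ff.exe] C:\WINDOWS\SYSTEM\h39n0ff.exe
O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.24.141/code/PWActiveXImgCtl.CAB
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
"""

# Constructed task lists: the first is clean, the second has a flagged file live.
RUNNING_OK = [r"C:\WINDOWS\EXPLORER.EXE", r"C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE"]
RUNNING_BAD = RUNNING_OK + [r"C:\WINDOWS\SYSTEM\TKSRV98.EXE"]
QUARANTINE_PREFIX = "c:\\vcom\\mxcycle\\"   # VCOM Fix-It quarantine, per post #9

def parse_rav(report):
    """Return (path, detection name, verdict) for each RAV result line; skip headers."""
    hits = []
    for line in report.splitlines():
        line = line.strip()
        if " -> " not in line or " - " not in line:
            continue                       # "Scanning memory...", summary, blanks
        body, verdict = line.rsplit(" -> ", 1)
        path, name = body.rsplit(" - ", 1)
        path = path.split("->", 1)[0]      # drop packer tag or archive-member suffix
        hits.append((path, name, verdict))
    return hits

def deletion_checklist(hits):
    """Group live detections by folder, skipping files already in quarantine."""
    by_dir = defaultdict(list)
    for path, _name, _verdict in hits:
        if path.lower().startswith(QUARANTINE_PREFIX):
            continue                       # delete these from inside VCOM instead
        folder, _, fname = path.rpartition("\\")
        by_dir[folder.upper() + "\\"].append(fname)
    return dict(by_dir)

def still_running(hits, running_processes):
    """Detected file names that are also in the task list (end them before deleting)."""
    running = {p.rsplit("\\", 1)[-1].lower() for p in running_processes}
    names = {path.rsplit("\\", 1)[-1] for path, _name, _verdict in hits}
    return sorted(n for n in names if n.lower() in running)

def hjt_entries_to_fix(log, flagged_names):
    """HJT lines to fix: BHO with no file, autostart of a flagged file,
    or a DPF control downloaded from a bare IP address (rules assumed here)."""
    flagged = {n.lower() for n in flagged_names}
    to_fix = []
    for line in log.splitlines():
        if line.startswith("O2 - ") and line.endswith("(no file)"):
            to_fix.append(line)            # BHO registered but its DLL is gone
        elif line.startswith("O4 - "):
            target = line.split("] ", 1)[-1].lower()
            if any(name in target for name in flagged):
                to_fix.append(line)        # autostart for a file the scanner flagged
        elif line.startswith("O16 - DPF:"):
            host = urlparse(line.rsplit(" - ", 1)[-1]).hostname or ""
            try:
                ipaddress.ip_address(host)
                to_fix.append(line)        # control served from a raw IP, not a vendor host
            except ValueError:
                pass                       # normal hostname, leave it alone
    return to_fix
```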
     
  10. 2004/06/15
    mrs bossy

    mrs bossy Inactive Thread Starter

    Joined:
    2004/06/12
    Messages:
    5
    Likes Received:
    0
    Dave,
    I did as instructed and these are the results. RAV found no virus this time and the PC starts fine now. The only problem I have is that when I start I get the option of Safe Mode or Normal; how do I remove this option so I get a normal start-up? Also my user name is there but the password section is shaded, so anyone can log on to my user name.
    Can I ask how to prevent getting in this mess again? I have VCOM anti-virus (which told me my PC was clean when obviously it wasn't) and also I have ZoneAlarm Pro security system running all the time.
    I would just like to say many thanks for your advice and help; it's greatly appreciated. I'm amazed how you know all this stuff.
    Once again many thanks,
    Fiona + Andy



    Logfile of HijackThis v1.97.7
    Scan saved at 21:51:00, on 15/06/04
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\SYSTEM\TAPISRV.EXE
    C:\WINDOWS\RUNDLL32.EXE
    C:\WINDOWS\SYSTEM\E_S4I0F2.EXE
    C:\PROGRAM FILES\A2\A2GUARD.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\PROGRAM FILES\VCOM\FIX-IT\MXTASK.EXE
    C:\PROGRAM FILES\EPSON\EPSON CARDMONITOR\EPSON CARDMONITOR1.2.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
    C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
    C:\WINDOWS\SYSTEM\RNAAPP.EXE
    C:\PROGRAM FILES\VCOM\POWERDESK\PDEXPLO.EXE
    C:\WINDOWS\TEMP\~~PDTEMP\HIJACKTHIS.EXE

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.co.uk
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.co.uk
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by ManUFree.net
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE c:\windows\SYSTEM\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE c:\windows\SYSTEM\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
    O4 - HKLM\..\Run: [EPSON Stylus Photo R300 Series] C:\WINDOWS\SYSTEM\E_S4I0F2.EXE /P30 "EPSON Stylus Photo R300 Series" /O7 "EPUSB1:" /M "Stylus Photo R300 "
    O4 - HKLM\..\Run: [EPSON Product Registration Reminder] C:\WINDOWS\Temp\RegModule.exe
    O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
    O4 - HKCU\..\Run: [a²] "C:\Program Files\a2\a2guard.exe "
    O4 - Startup: Fix-It.lnk = C:\Program Files\VCOM\Fix-It\mxtask.exe
    O4 - Startup: EPSON CardMonitor.lnk = C:\Program Files\EPSON\EPSON CardMonitor\EPSON CardMonitor1.2.exe
    O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
    O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O9 - Extra button: ICQ Pro (HKLM)
    O9 - Extra 'Tools' menuitem: ICQ (HKLM)
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {4E888414-DB8F-11D1-9CD9-00C04F98436A} - https://webresponse.one.microsoft.com/oas/ActiveX/winrep.cab
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0309.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37874.5391898148
    O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/1,5,0,4321/mcfscan.cab
    O16 - DPF: {C56CE781-A6FC-4706-8B32-6EB4622155DF} (MediaConnect Control) - http://plugin.euro-infomedia.com/mpv0.cab
    O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
    O16 - DPF: {2359626E-7524-4F87-B04E-22CD38A0C88C} (ICSScannerLight Class) - http://download.zonelabs.com/bin/free/cm/ICSCM.cab
    O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
    O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab
    O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab




    Scan started at 15/06/04 21:16:55

    Scanning memory...

    Scanned
    ============================
    Objects: 31200
    Directories: 2804
    Archives: 1037
    Size(Kb): -10331
    Infected files: 0

    Found
    ============================
    Viruses found: 0
    Suspicious files: 0
    Disinfected files: 0
    Mail files: 830
     
  11. 2004/06/15
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Virus free. Great! Good work!! :)

    For the safe mode startup, go to start>run, msconfig. On the General tab click advanced button and clear the box 'enable start menu', OK out.

    Password.....start>find>files, search for *.pwl and delete the one for your username. Log off and you should now be able to type a password. Know this though. It doesn't really matter. Win 98 wasn't much on security. Even with a password set, all one need do is click cancel and they're on.

    Must say, I'm not familiar with Vcom AV, and without some research, can't say how good it is or even where it rates among others. I use eTrust, which still has a 1 year free trial on the EZ Armor package, which is AV/firewall. Renewal is about $30. I've never gotten a virus while using it. Doesn't mean I never will, since they're being written everyday and someone has to get it so the AV companies can get the submissions, break it down and issue protection/removal updates. Anyway, here's the link to it. Many folks on this board use and recommend AVG, which is free (they have a paid version too) and NOD32, which I don't know about price.

    To further protect against spyware/adware/malware, I'll paste my standard instructions below. :)
    If you have anything else to add/ask, feel free.
     
    Last edited: 2004/06/15