
Ceres problem; helping my dad [hijack included]

Discussion in 'Malware and Virus Removal Archive' started by noprotein, 2005/06/05.

Thread Status:
Not open for further replies.
  1. 2005/06/05
    noprotein

    noprotein Inactive Thread Starter

    Joined:
    2005/06/05
    Messages:
    3
    Likes Received:
    0
    Hi, love the site. I've gotten some very helpful information so far and think it's growing well. I really appreciate what you folks do. Frankly, it's remarkable the time, energy and PATIENCE you have for people. It's astounding. Anyway, just recently my dad's computer has been having some terrible pop-up problems. I put in Google Toolbar and then switched him to Firefox, but now we still have this Ceres problem and I thought he had trojans. Turns out I was right. Any help would be GREATLY appreciated, especially considering he can't quite fix it himself.

    Pretty experienced computer user. I went through Control Panel first, then Spybot, then Ad-Aware, then manually again, then RAV, then HijackThis. First my RAV log.

    ~~~~~~~~~~~
    Scan started at 6/4/05 9:44:41 PM

    Scanning memory...
    C:\WINDOWS\FARMMEXT.EXE - TrojanDownloader:Win32/Stubby.C -> Infected
    C:\WINDOWS\questmod.dll - Trojan:Win32/Dialer.BI -> Infected
    C:\WINDOWS\TEMP\sa32D5.TMP.exe->(UPXW) - TrojanDownloader:Win32/Small.JZ -> Suspicious
    C:\WINDOWS\TEMP\sa12E5.TMP.exe->(UPXW) - TrojanDownloader:Win32/Small.JZ -> Suspicious
    C:\WINDOWS\TEMP\sa2183.TMP.exe->(UPXW) - TrojanDownloader:Win32/Small.JZ -> Suspicious
    C:\WINDOWS\TEMP\sa5251.TMP.exe->(UPXW) - TrojanDownloader:Win32/Small.JZ -> Suspicious
    C:\WINDOWS\TEMP\sa314.TMP.exe->(UPXW) - TrojanDownloader:Win32/Small.JZ -> Suspicious
    C:\WINDOWS\TEMP\sa1351.TMP.exe->(UPXW) - TrojanDownloader:Win32/Small.JZ -> Suspicious
    C:\WINDOWS\TEMP\saF092.TMP.exe->(UPXW) - TrojanDownloader:Win32/Small.JZ -> Suspicious
    C:\WINDOWS\TEMP\sa52A4.TMP.exe->(UPXW) - TrojanDownloader:Win32/Small.JZ -> Suspicious
    C:\WINDOWS\TEMP\sa6185.TMP.exe->(UPXW) - TrojanDownloader:Win32/Small.JZ -> Suspicious
    C:\WINDOWS\TEMP\sa91F4.TMP.exe->(UPXW) - TrojanDownloader:Win32/Small.JZ -> Suspicious
    C:\WINDOWS\TEMP\sa21A4.TMP.exe->(UPXW) - TrojanDownloader:Win32/Small.JZ -> Suspicious
    C:\WINDOWS\TEMP\sa71B2.TMP.exe->(UPXW) - TrojanDownloader:Win32/Small.JZ -> Suspicious
    C:\WINDOWS\TEMP\saA1E3.TMP.exe->(UPXW) - TrojanDownloader:Win32/Small.JZ -> Suspicious
    C:\WINDOWS\TEMP\sa71C2.TMP.exe->(UPXW) - TrojanDownloader:Win32/Small.JZ -> Suspicious
    C:\WINDOWS\TEMP\saA373.TMP.exe->(UPXW) - TrojanDownloader:Win32/Small.JZ -> Suspicious
    C:\WINDOWS\TEMP\sa70C0.TMP.exe->(UPXW) - TrojanDownloader:Win32/Small.JZ -> Suspicious
    C:\WINDOWS\TEMP\saC322.TMP.exe->(UPXW) - TrojanDownloader:Win32/Small.JZ -> Suspicious
    C:\WINDOWS\TEMP\saE264.TMP.exe->(UPXW) - TrojanDownloader:Win32/Small.JZ -> Suspicious
    C:\WINDOWS\TEMP\saC1A0.TMP.exe->(UPXW) - TrojanDownloader:Win32/Small.JZ -> Suspicious
    C:\WINDOWS\TEMP\sa31F1.TMP.exe->(UPXW) - TrojanDownloader:Win32/Small.JZ -> Suspicious
    C:\WINDOWS\TEMP\saE045.TMP.exe->(UPXW) - TrojanDownloader:Win32/Small.JZ -> Suspicious
    C:\WINDOWS\TEMP\sa1161.TMP.exe->(UPXW) - TrojanDownloader:Win32/Small.JZ -> Suspicious
    C:\WINDOWS\TEMP\saA044.TMP.exe->(UPXW) - TrojanDownloader:Win32/Small.JZ -> Suspicious
    C:\WINDOWS\TEMP\sa4191.TMP.exe->(UPXW) - TrojanDownloader:Win32/Small.JZ -> Suspicious
    C:\WINDOWS\TEMP\sa80F0.TMP.exe->(UPXW) - TrojanDownloader:Win32/Small.JZ -> Suspicious
    C:\WINDOWS\TEMP\saE321.TMP.exe->(UPXW) - TrojanDownloader:Win32/Small.JZ -> Suspicious
    C:\WINDOWS\TEMP\saE004.TMP.exe->(UPXW) - TrojanDownloader:Win32/Small.JZ -> Suspicious
    C:\WINDOWS\TEMP\saC1A3.TMP.exe->(UPXW) - TrojanDownloader:Win32/Small.JZ -> Suspicious
    C:\WINDOWS\TEMP\sa9200.TMP.exe->(UPXW) - TrojanDownloader:Win32/Small.JZ -> Suspicious
    C:\WINDOWS\TEMP\saB236.TMP.exe->(UPXW) - TrojanDownloader:Win32/Small.JZ -> Suspicious
    C:\WINDOWS\TEMP\sa30F4.TMP.exe->(UPXW) - TrojanDownloader:Win32/Small.JZ -> Suspicious
    C:\WINDOWS\TEMP\sa3300.TMP.exe->(UPXW) - TrojanDownloader:Win32/Small.JZ -> Suspicious
    C:\WINDOWS\TEMP\saC244.TMP.exe->(UPXW) - TrojanDownloader:Win32/Small.JZ -> Suspicious
    C:\WINDOWS\TEMP\saB042.TMP.exe->(UPXW) - TrojanDownloader:Win32/Small.JZ -> Suspicious
    C:\WINDOWS\TEMP\saB181.TMP.exe->(UPXW) - TrojanDownloader:Win32/Small.JZ -> Suspicious
    C:\WINDOWS\TEMP\saA111.TMP.exe->(UPXW) - TrojanDownloader:Win32/Small.JZ -> Suspicious
    C:\WINDOWS\TEMP\sa7392.TMP.exe->(UPXW) - TrojanDownloader:Win32/Small.JZ -> Suspicious
    C:\WINDOWS\TEMP\saF103.TMP.exe->(UPXW) - TrojanDownloader:Win32/Small.JZ -> Suspicious
    C:\WINDOWS\TEMP\sa9294.TMP.exe->(UPXW) - TrojanDownloader:Win32/Small.JZ -> Suspicious
    C:\WINDOWS\TEMP\DrTemp\ceres.cab->spike.exe - Trojan:Win32/Agent.BZ -> Infected
    C:\WINDOWS\SYSTEM\rfmijifa.exe - Trojan:Win32/Agent.BS -> Infected
    C:\WINDOWS\Application Data\taoa.exe - TrojanDownloader:Win32/PurityScan.O -> Infected
    C:\WINDOWS\Application Data\Microsoft\Outlook Express\Mail\Inbox.mbx->[From: Mail Delivery Subsystem <MAILER-DAEMON@earthlink.net>] [ "Subject: Returned mail: Cannot send message within 3 days"] [ "Date: Tue, 19 Jun 2001 22:33:12 -0700 (PDT)"]->(part0003: )->... - Win32/Magistr.A@mm -> Infected
    C:\WINDOWS\Application Data\Microsoft\Outlook Express\Mail\Inbox.mbx->[From: Mail Delivery Subsystem <MAILER-DAEMON@earthlink.net>] [ "Subject: Returned mail: Cannot send message within 3 days"] [ "Date: Wed, 20 Jun 2001 04:25:08 -0700 (PDT)"]->(part0003: )->... - Win32/Magistr.A@mm -> Infected
    C:\WINDOWS\Application Data\Microsoft\Outlook Express\Mail\Inbox.mbx->[From: Mail Delivery Subsystem <MAILER-DAEMON@earthlink.net>] [ "Subject: Returned mail: Cannot send message within 3 days"] [ "Date: Thu, 21 Jun 2001 00:52:13 -0700 (PDT)"]->(part0003: )->... - Win32/Magistr.A@mm -> Infected
    C:\WINDOWS\Application Data\Microsoft\Outlook Express\Mail\Deleted Items.mbx->[From: Mail Delivery Subsystem <MAILER-DAEMON@earthlink.net>] [ "Subject: Returned mail: Cannot send message within 3 days"] [ "Date: Tue, 19 Jun 2001 22:33:12 -0700 (PDT)"]->(part... - Win32/Magistr.A@mm -> Infected
    C:\WINDOWS\Application Data\Microsoft\Outlook Express\Mail\Deleted Items.mbx->[From: Mail Delivery Subsystem <MAILER-DAEMON@earthlink.net>] [ "Subject: Returned mail: Cannot send message within 3 days"] [ "Date: Wed, 20 Jun 2001 04:25:08 -0700 (PDT)"]->(part... - Win32/Magistr.A@mm -> Infected
    C:\WINDOWS\Application Data\Microsoft\Outlook Express\Mail\Deleted Items.mbx->[From: Mail Delivery Subsystem <MAILER-DAEMON@earthlink.net>] [ "Subject: Returned mail: Cannot send message within 3 days"] [ "Date: Thu, 21 Jun 2001 00:52:13 -0700 (PDT)"]->(part... - Win32/Magistr.A@mm -> Infected
    C:\WINDOWS\Downloaded Program Files\QDow_AS2.dll - TrojanDownloader:Win32/Qdown.L -> Infected
    C:\WINDOWS\Temporary Internet Files\Content.IE5\BKQJHLT1\ceres[1].cab->spike.exe - Trojan:Win32/Agent.BZ -> Infected

    Scanned
    ============================
    Objects: 15440
    Directories: 873
    Archives: 640
    Size(Kb): 1100276
    Infected files: 13

    Found
    ============================
    Viruses found: 7
    Suspicious files: 39
    Disinfected files: 0
    Mail files: 572

    ~~~~~~~~~~~~~~~~~~~


    Then my HiJackThis:

    ~~~~~~~~~~~~~~~~~

    Logfile of HijackThis v1.99.1
    Scan saved at 10:15:11 PM, on 6/4/05
    Platform: Windows 98 Gold (Win9x 4.10.1998)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\WINMODEM.101\wmexe.exe
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS\SYSTEM\MSWHEEL.EXE
    C:\WINDOWS\LOADQM.EXE
    C:\WINDOWS\SYSTEM\RFMIJIFA.EXE
    C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\WINDOWS\PACKAGER.EXE
    C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
    C:\WINDOWS\SYSTEM\MCALCIZH.EXE
    C:\WINDOWS\SYSTEM\PSTORES.EXE
    C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
    C:\MY DOWNLOADS\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://phoenix.cox.net/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O2 - BHO: EarthLink Popup Blocker - {4B5F2E08-6F39-479a-B547-B2026E4C7EDF} - C:\Program Files\EarthLink TotalAccess\PnEL.dll (file missing)
    O2 - BHO: (no name) - {6CD7125C-E61E-1CBF-8753-60550DF12917} - C:\WINDOWS\SYSTEM\GRA.DLL (file missing)
    O2 - BHO: (no name) - {BACB78B4-C150-FEF0-2734-CCA9389F5B96} - C:\WINDOWS\SYSTEM\OAJM.DLL
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll
    O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\SYSTB.DLL
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O2 - BHO: CeresObj Class - {00000049-8F91-4D9C-9573-F016E7626484} - C:\WINDOWS\CERES.DLL
    O3 - Toolbar: Pop-Up Blocker - {D7F30B62-8269-41AF-9539-B2697FA7D77E} - C:\Program Files\EarthLink TotalAccess\PnEL.dll (file missing)
    O3 - Toolbar: (no name) - {12EE7A5E-0674-42f9-A76B-000000004D00} - (no file)
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [POINTER] C:\MOUSE\point32.exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [SCANREGV] C:\WINDOWS\SCANREGV.EXE
    O4 - HKLM\..\Run: [LoadQM] loadqm.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
    O4 - HKLM\..\Run: [rfmijifa] c:\windows\system\rfmijifa.exe
    O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe "
    O4 - HKLM\..\Run: [ccRegVfy] "c:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe "
    O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMON.EXE /Consumer
    O4 - HKLM\..\Run: [Win Server Updt] C:\WINDOWS\wupdt.exe
    O4 - HKLM\..\Run: [FARMMEXT] C:\WINDOWS\FARMMEXT.exe
    O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
    O4 - HKLM\..\RunServices: [winmodem] WINMODEM.101\wmexe.exe
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [ccEvtMgr] "c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe "
    O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsearch.html
    O8 - Extra context menu item: &Translate English Word - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmwordtrans.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmcache.html
    O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsimilar.html
    O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmbacklinks.html
    O8 - Extra context menu item: Translate Page into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmtrans.html
    O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YPAGER.EXE (file missing)
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YPAGER.EXE (file missing)
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O15 - Trusted Zone: *.windupdates.com
    O15 - Trusted Zone: *.searchmiracle.com
    O15 - Trusted Zone: *.searchbarcash.com
    O15 - Trusted Zone: *.skoobidoo.com
    O15 - Trusted Zone: *.my-internet.info
    O15 - Trusted Zone: *.slotch.com
    O15 - Trusted Zone: *.flingstone.com
    O15 - Trusted Zone: *.mt-download.com
    O15 - Trusted Zone: *.blazefind.com
    O15 - Trusted Zone: *.clickspring.net
    O15 - Trusted Zone: *.windupdates.com (HKLM)
    O15 - Trusted Zone: *.searchbarcash.com (HKLM)
    O15 - Trusted Zone: *.searchmiracle.com (HKLM)
    O15 - Trusted Zone: *.skoobidoo.com (HKLM)
    O15 - Trusted Zone: *.my-internet.info (HKLM)
    O15 - Trusted Zone: *.xxxtoolbar.com (HKLM)
    O15 - Trusted Zone: *.slotch.com (HKLM)
    O15 - Trusted Zone: *.flingstone.com (HKLM)
    O15 - Trusted Zone: *.mt-download.com (HKLM)
    O15 - Trusted Zone: *.blazefind.com (HKLM)
    O15 - Trusted Zone: *.clickspring.net (HKLM)
    O15 - Trusted IP range: 213.159.117.133
    O15 - Trusted IP range: 213.159.117.133 (HKLM)
    O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone
    O16 - DPF: {FDDBE2B8-6602-4AD8-946D-94C5A32FA6C1} (GameDesire Pool 8) - http://67.15.101.3/g_bin/eng/billard8_2_0_0_21.cab
    O16 - DPF: {BAB3E70B-A847-4A88-ACFC-778FCCC00287} (CActSetupObj Object) - http://www.odysseusmarketing.com/actsetup.cab
    O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab

    Again, thanks in advance. I only have a day, so I hope I can get back to you and sort it soon. I see most responses are dealt with very quickly.

    ~phil ;)
     
  2. 2005/06/05
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Welcome to WindowsBBS noprotein :)

    You should print this out and/or save it to text where you can access it in safe mode.

    Download the stand-alone CWShredder 2.15 from here. Save it to the desktop.

    Download the DelDomains.inf file to your desktop.

    Scan again with HijackThis and place a check next to the following entries. Close ALL other windows and click fix.

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://phoenix.cox.net/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
    O2 - BHO: (no name) - {6CD7125C-E61E-1CBF-8753-60550DF12917} - C:\WINDOWS\SYSTEM\GRA.DLL (file missing)
    O2 - BHO: (no name) - {BACB78B4-C150-FEF0-2734-CCA9389F5B96} - C:\WINDOWS\SYSTEM\OAJM.DLL
    O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\SYSTB.DLL
    O2 - BHO: CeresObj Class - {00000049-8F91-4D9C-9573-F016E7626484} - C:\WINDOWS\CERES.DLL
    O3 - Toolbar: (no name) - {12EE7A5E-0674-42f9-A76B-000000004D00} - (no file)
    O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
    O4 - HKLM\..\Run: [rfmijifa] c:\windows\system\rfmijifa.exe
    O4 - HKLM\..\Run: [Win Server Updt] C:\WINDOWS\wupdt.exe
    O4 - HKLM\..\Run: [FARMMEXT] C:\WINDOWS\FARMMEXT.exe
    O15 - Trusted IP range: 213.159.117.133
    O15 - Trusted IP range: 213.159.117.133 (HKLM)
    O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone
    O16 - DPF: {BAB3E70B-A847-4A88-ACFC-778FCCC00287} (CActSetupObj Object) - http://www.odysseusmarketing.com/actsetup.cab


    Delete the infected [ "Subject: Returned mail: Cannot send message within 3 days"] emails in Outlook Express inbox. Then empty the deleted items folder.


    Download Pocket Killbox from here: http://www.downloads.subratam.org/KillBox.zip

    Extract the file to a folder, then open and double-click on Killbox.exe to run it. In the "Paste Full Path of File to Delete" box, copy and paste the following:

    c:\windows\system\rfmijifa.exe

    Check the box to delete on reboot and click the red X to the right. Click Yes, then NO to the reboot now prompt. Copy the next filepath, paste it in the box, and repeat the above steps. Close when done.

    C:\WINDOWS\wupdt.exe
    C:\WINDOWS\FARMMEXT.exe
    C:\WINDOWS\Application Data\taoa.exe

    Reboot to safe mode.

    Right-click on the deldomains.inf file and select Install.

    You will need to show hidden files and folders.

    Open CWShredder and click fix.

    Open C:\Temp (if present), select all and delete.
    Open C:\Windows\Temp, select all and delete.
    Open C:\Windows\Applog, select all and delete.
    Open the control panel, then internet options and delete the temporary internet files, checking the box for offline content.
    Open My Computer and right click Local Disk C:, then choose disk cleanup. Check all boxes and click OK. Allow it to complete.

    Reboot back into Windows and do another scan with RAV. If any files are infected, click the report button then copy and paste it here.

    Run another HijackThis scan and post the log.
     


  4. 2005/06/05
    noprotein

    noprotein Inactive Thread Starter

    Joined:
    2005/06/05
    Messages:
    3
    Likes Received:
    0
    Alright, crazy day here so I couldn't get back in time, and since this is an old system, the scans take FOREVER!

    Anyway, I did all as instructed except the Outlook. I had my dad log in and check but couldn't find any of those files in his inbox; it's actually quite empty. I'm checking now to see if he perhaps used a different account then. All others were completed. Here's the new RAV log and it seems I still have some others hiding.
    ~~~~~~~~~~~~~~~~~~~~~~~~~~

    Scan started at 6/5/05 4:41:40 PM

    Scanning memory...
    c:\WINDOWS\questmod.dll - Trojan:Win32/Dialer.BI -> Infected
    c:\WINDOWS\Application Data\Microsoft\Outlook Express\Mail\Inbox.mbx->[From: Mail Delivery Subsystem <MAILER-DAEMON@earthlink.net>] [ "Subject: Returned mail: Cannot send message within 3 days"] [ "Date: Tue, 19 Jun 2001 22:33:12 -0700 (PDT)"]->(part0003:)->... - Win32/Magistr.A@mm -> Infected
    c:\WINDOWS\Application Data\Microsoft\Outlook Express\Mail\Inbox.mbx->[From: Mail Delivery Subsystem <MAILER-DAEMON@earthlink.net>] [ "Subject: Returned mail: Cannot send message within 3 days"] [ "Date: Wed, 20 Jun 2001 04:25:08 -0700 (PDT)"]->(part0003:)->... - Win32/Magistr.A@mm -> Infected
    c:\WINDOWS\Application Data\Microsoft\Outlook Express\Mail\Inbox.mbx->[From: Mail Delivery Subsystem <MAILER-DAEMON@earthlink.net>] [ "Subject: Returned mail: Cannot send message within 3 days"] [ "Date: Thu, 21 Jun 2001 00:52:13 -0700 (PDT)"]->(part0003:)->... - Win32/Magistr.A@mm -> Infected
    c:\WINDOWS\Application Data\Microsoft\Outlook Express\Mail\Deleted Items.mbx->[From: Mail Delivery Subsystem <MAILER-DAEMON@earthlink.net>] [ "Subject: Returned mail: Cannot send message within 3 days"] [ "Date: Tue, 19 Jun 2001 22:33:12 -0700 (PDT)"]->(part... - Win32/Magistr.A@mm -> Infected
    c:\WINDOWS\Application Data\Microsoft\Outlook Express\Mail\Deleted Items.mbx->[From: Mail Delivery Subsystem <MAILER-DAEMON@earthlink.net>] [ "Subject: Returned mail: Cannot send message within 3 days"] [ "Date: Wed, 20 Jun 2001 04:25:08 -0700 (PDT)"]->(part... - Win32/Magistr.A@mm -> Infected
    c:\WINDOWS\Application Data\Microsoft\Outlook Express\Mail\Deleted Items.mbx->[From: Mail Delivery Subsystem <MAILER-DAEMON@earthlink.net>] [ "Subject: Returned mail: Cannot send message within 3 days"] [ "Date: Thu, 21 Jun 2001 00:52:13 -0700 (PDT)"]->(part... - Win32/Magistr.A@mm -> Infected
    c:\WINDOWS\Downloaded Program Files\QDow_AS2.dll - TrojanDownloader:Win32/Qdown.L -> Infected
    c:\SIERRA\POWCHESS\SIERRA.INF - IRC/Generic* -> Suspicious

    Scanned
    ============================
    Objects: 20830
    Directories: 2371
    Archives: 828
    Size(Kb): -678299
    Infected files: 8

    Found
    ============================
    Viruses found: 3
    Suspicious files: 1
    Disinfected files: 0
    Mail files: 594

    ~~~~~~~~~~~~~~~~~~~

    HijackThis


    ~~~~~~~~~~~~~~~~~~~

    Logfile of HijackThis v1.99.1
    Scan saved at 7:59:38 PM, on 6/5/05
    Platform: Windows 98 Gold (Win9x 4.10.1998)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\WINMODEM.101\wmexe.exe
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS\LOADQM.EXE
    C:\WINDOWS\SYSTEM\MSWHEEL.EXE
    C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
    C:\PROGRAM FILES\WINAMP\WINAMPA.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
    C:\PROGRAM FILES\WINAMP\WINAMP.EXE
    C:\HJT\HIJACKTHIS.EXE

    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O2 - BHO: EarthLink Popup Blocker - {4B5F2E08-6F39-479a-B547-B2026E4C7EDF} - C:\Program Files\EarthLink TotalAccess\PnEL.dll (file missing)
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O2 - BHO: CeresObj Class - {00000049-8F91-4D9C-9573-F016E7626484} - C:\WINDOWS\CERES.DLL
    O2 - BHO: (no name) - {FB153DCE-822E-47ec-8D00-2706E7864B37} - C:\WINDOWS\KB290333.DLL
    O3 - Toolbar: Pop-Up Blocker - {D7F30B62-8269-41AF-9539-B2697FA7D77E} - C:\Program Files\EarthLink TotalAccess\PnEL.dll (file missing)
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [POINTER] C:\MOUSE\point32.exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [SCANREGV] C:\WINDOWS\SCANREGV.EXE
    O4 - HKLM\..\Run: [LoadQM] loadqm.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
    O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe "
    O4 - HKLM\..\Run: [ccRegVfy] "c:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe "
    O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMON.EXE /Consumer
    O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
    O4 - HKLM\..\Run: [rfmijifa] c:\windows\system\rfmijifa.exe
    O4 - HKLM\..\RunServices: [winmodem] WINMODEM.101\wmexe.exe
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [ccEvtMgr] "c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe "
    O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsearch.html
    O8 - Extra context menu item: &Translate English Word - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmwordtrans.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmcache.html
    O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsimilar.html
    O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmbacklinks.html
    O8 - Extra context menu item: Translate Page into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmtrans.html
    O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YPAGER.EXE (file missing)
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YPAGER.EXE (file missing)
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O16 - DPF: {FDDBE2B8-6602-4AD8-946D-94C5A32FA6C1} (GameDesire Pool 8) - http://67.15.101.3/g_bin/eng/billard8_2_0_0_21.cab
    O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
    ~~~~~~~~~~~~~~~~~~

    Again, any help is appreciated. Thanks.
     
  5. 2005/06/05
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Use the Killbox to delete this file.

    c:\WINDOWS\Downloaded Program Files\QDow_AS2.dll


    Fix this entry in HijackThis.

    O4 - HKLM\..\Run: [rfmijifa] c:\windows\system\rfmijifa.exe

    The mbx file extension is for Outlook Express 4. I'm guessing since the computer has SP1, it's now using Outlook Express 6, which uses the dbx extension and those are leftovers. Just in case, make sure there is nothing in the Outlook Express inbox you want to keep (move to another folder if there is) and delete the inbox.mbx and deleted items.mbx files.

    c:\WINDOWS\Application Data\Microsoft\Outlook Express\Mail\Inbox.mbx
    c:\WINDOWS\Application Data\Microsoft\Outlook Express\Mail\Deleted Items.mbx

    They will be recreated if needed.

    When done, I also recommend you download Spybot Version 1.4 from my signature, install and update (uninstall the old version). Allow it to load SD Helper. Search for and Download all available updates. Open it up and click immunize in the left pane, then immunize again, this time from above with the green + beside it (always recheck this setting after downloading updates). Then click tools button, then IE tweaks and at least lock the HOSTS file.

    Download and install SpywareBlaster. Enable all protections, check for updates and enable them too. Then download IESpyad.exe, double click to extract (it extracts to C:\IESpyad by default), open the folder, double click the ie-ads.reg file and allow it to merge into the registry.

    That will give you some added layers of protection against unwanted parasites.
     
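    A quick way to check whether a HijackThis fix actually took is to compare the fix list against the follow-up log. The script below is an added example for this thread (not HijackThis code and not the helper's own tooling): it parses the `O4 - HKLM\..\Run: [name] path` style lines seen in the logs above, reports fix-list entries that survive into the second log, diffs two scans of the same machine, and lists O15 Trusted Zone entries. The sample lines are constructed excerpts copied from this thread's two logs and the fix list.

```python
r"""Diff two HijackThis logs and check a fix list against the follow-up log.

Added example for this thread; it is not HijackThis code and not the helper's
own tooling. The line format ("O4 - HKLM\..\Run: [name] path" etc.) is the one
seen in the logs above, and every sample line below is copied from them.
"""
import re

# Every HijackThis finding is "<tag> - <body>"; the tag names the category:
# R0/R1 IE start/search URLs, O2 BHOs, O3 toolbars, O4 autostarts,
# O15 trusted zone / trusted IPs, O16 ActiveX (DPF) downloads.
_LINE_RE = re.compile(r"^(?P<tag>[RO]\d+) - (?P<body>.+)$")


def parse_log(text):
    r"""Return {tag: set(body)}; headers, separators and the process list are skipped.

    Bodies are lower-cased because Win9x paths show up in mixed case across
    scans of the same machine (C:\WINDOWS vs c:\windows in the logs above).
    """
    entries = {}
    for raw in text.splitlines():
        m = _LINE_RE.match(raw.strip())
        if m:
            entries.setdefault(m["tag"], set()).add(m["body"].strip().lower())
    return entries


def _flatten(entries):
    """Turn {tag: {body}} back into comparable 'tag - body' strings."""
    return {f"{tag} - {body}" for tag, bodies in entries.items() for body in bodies}


def persisted(fix_list, new_log):
    """Fix-list entries still present in the follow-up log: the fix did not take."""
    return sorted(_flatten(parse_log(fix_list)) & _flatten(parse_log(new_log)))


def diff_logs(old_log, new_log):
    """(added, removed) entries between two scans of the same machine."""
    old, new = _flatten(parse_log(old_log)), _flatten(parse_log(new_log))
    return sorted(new - old), sorted(old - new)


def trusted_zone_entries(log):
    """O15 lines deserve a look on any home machine: legitimate software almost
    never adds hosts or IP ranges to IE's Trusted Zone, and a ProtocolDefaults
    line moving 'http' into it drops the Internet Zone restrictions wholesale."""
    return sorted(parse_log(log).get("O15", set()))


# Constructed test data: excerpts (not the full logs) copied from the first
# log, the helper's fix list and the follow-up log posted in this thread.
OLD_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: CeresObj Class - {00000049-8F91-4D9C-9573-F016E7626484} - C:\WINDOWS\CERES.DLL
O4 - HKLM\..\Run: [rfmijifa] c:\windows\system\rfmijifa.exe
O4 - HKLM\..\Run: [FARMMEXT] C:\WINDOWS\FARMMEXT.exe
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted IP range: 213.159.117.133
O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone
"""

FIX_LIST = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
O2 - BHO: CeresObj Class - {00000049-8F91-4D9C-9573-F016E7626484} - C:\WINDOWS\CERES.DLL
O4 - HKLM\..\Run: [rfmijifa] c:\windows\system\rfmijifa.exe
O4 - HKLM\..\Run: [FARMMEXT] C:\WINDOWS\FARMMEXT.exe
O15 - Trusted IP range: 213.159.117.133
O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone
"""

NEW_LOG = r"""
Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\EXPLORER.EXE
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: CeresObj Class - {00000049-8F91-4D9C-9573-F016E7626484} - C:\WINDOWS\CERES.DLL
O2 - BHO: (no name) - {FB153DCE-822E-47ec-8D00-2706E7864B37} - C:\WINDOWS\KB290333.DLL
O4 - HKLM\..\Run: [rfmijifa] c:\windows\system\rfmijifa.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
"""

if __name__ == "__main__":
    for line in persisted(FIX_LIST, NEW_LOG):
        print("STILL PRESENT:", line)       # CERES.DLL BHO and the rfmijifa Run entry
    new_entries, gone = diff_logs(OLD_LOG, NEW_LOG)
    for line in new_entries:
        print("NEW SINCE LAST SCAN:", line)  # KB290333.DLL BHO, WGA ActiveX control
    print(f"{len(gone)} entries gone; O15 entries now: {trusted_zone_entries(NEW_LOG)}")
```

Run it on two full logs by reading them from files instead of the embedded excerpts; anything reported as still present is what to re-fix, as the helper does for rfmijifa in the reply above.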
  6. 2005/06/06
    noprotein

    noprotein Inactive Thread Starter

    Joined:
    2005/06/05
    Messages:
    3
    Likes Received:
    0
    Wow, thanks a lot man. Could you recommend any good virus/firewall software that is unintrusive and runs in the background (preferably low RAM usage)? He's determined to keep this 98 P2 machine for a while, so until he gets a new comp this is all he's going to be using. Like, I obviously can't throw on my Kaspersky ;)

    Again though, thank you for everything. Seems all better now and he's much safer again. He's not afraid of using the internet now lol.
     
  7. 2005/06/06
    markp62

    markp62 Geek Member Alumni

    Joined:
    2002/05/01
    Messages:
    4,012
    Likes Received:
    16
    AVG AV for free.
    There are free firewalls available at the Quicklinks page. However, they no longer fit your criteria; they have added a few things to them. I have an older free version of Kerio 2.1.5 you might like; send me an email and I will send it as an attachment (2.12 MB setup file).
     