black screen takes over desktop

Hello. One of my computers at work is being taken over by some sort of virus. The desktop turns black and in the center of the screen is "Warning! Your computer is infected! ". I have run many many anti-virus checkers: hijackthis, adaware, spybot, cwshredder. This is a Dell computer with windows 98. I keep getting MediaAcck.exe on the system and after I try deleting it. . it comes right back. Could this be the problem? Here is hijackthis log:

Logfile of HijackThis v1.99.1
Scan saved at 2:23:58 PM, on 6/2/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\SPYCATCHER\DELETESATELLITE.EXE
C:\PROGRAM FILES\SUPERADBLOCKER.COM\SUPER AD BLOCKER\SADBLOCK.EXE
C:\PROGRAM FILES\SPYCATCHER\SCHEDULER DAEMON.EXE
C:\PROGRAM FILES\INTERMUTE\SPYSUBTRACT\SPYSUB.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\UNZIPPED\HIJACKTHIS[1]\HIJACKTHIS.EXE

O2 - BHO: SuperAdBlockerBHO Class - {00000000-6C30-11D8-9363-000AE6309654} - C:\PROGRAM FILES\SUPERADBLOCKER.COM\SUPER AD BLOCKER\SABBHO.DLL
O3 - Toolbar: Super Ad Blocker Toolbar - {B4B3001E-0F56-4E51-8250-BDE11547EC55} - C:\PROGRAM FILES\SUPERADBLOCKER.COM\SUPER AD BLOCKER\SABTB.DLL
O4 - HKLM\..\Run: [GhostSurfDelSatellite] "C:\PROGRAM FILES\SPYCATCHER\DeleteSatellite.exe "
O4 - HKLM\..\RunOnce: [GhostSurfDelSatellite] "C:\PROGRAM FILES\SPYCATCHER\DeleteSatellite.exe" nowait
O4 - HKCU\..\Run: [SuperAdBlocker] C:\PROGRAM FILES\SUPERADBLOCKER.COM\SUPER AD BLOCKER\SADBLOCK.EXE
O4 - Startup: Scheduler.lnk = C:\Program Files\SpyCatcher\Scheduler daemon.exe
O4 - Startup: SpySubtract.lnk = C:\Program Files\interMute\SpySubtract\SpySub.exe

 

I just realized that in the log I just posted that the mediaacck.exe file is no longer there. There doesn't seem to be anything wrong in the log. Advise would be appreciated.

thanks.

 

My scanner seems to longer work also. It keeps saying another application is currently running on the scanner and that I need to end it before continuing. Could this have something to do with the virus? I was scanning when I got the virus.

Thanks.

 

Another update. I have the scanner working now. The desktop no longer turns black, but when everything is loading the "warning your computer is infected" sign pops up in the beginning, but then is gone. What kind of problem could there still be? I am posting a new log of hijack this:

Logfile of HijackThis v1.99.1
Scan saved at 9:03:02 PM, on 6/2/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\SPYCATCHER\DELETESATELLITE.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\SPYCATCHER\SCHEDULER DAEMON.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\MSPUB.EXE
C:\WINDOWS\Twunk_16.exe
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\HPPADT40.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\UNZIPPED\HIJACKTHIS[1]\HIJACKTHIS.EXE

O2 - BHO: SuperAdBlockerBHO Class - {00000000-6C30-11D8-9363-000AE6309654} - C:\PROGRAM FILES\SUPERADBLOCKER.COM\SUPER AD BLOCKER\SABBHO.DLL (file missing)
O4 - HKLM\..\Run: [GhostSurfDelSatellite] "C:\PROGRAM FILES\SPYCATCHER\DeleteSatellite.exe "
O4 - HKLM\..\Run: [HP Lamp] C:\Program Files\Hewlett-Packard\HP PrecisionScan\PrecisionScan\HPLamp.exe
O4 - HKLM\..\RunOnce: [GhostSurfDelSatellite] "C:\PROGRAM FILES\SPYCATCHER\DeleteSatellite.exe" nowait
O4 - Startup: Stimon.exe.lnk = C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - Startup: Scheduler.lnk = C:\Program Files\SpyCatcher\Scheduler daemon.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab


Any info on this would be greatly appreciated. I'm assuming since the warning still shows when the computer is first booting up there is still a problem. It seems to be running fine other than that. Thanks for your help.

 

Hi rrb9hi! Sorry for the delay.

Nothing bad showing in your log, but there are some missing startups that need to be there. We'll address those later. Not sure what we're dealing with here, so we need to do some fishing.

Please click this link to download
SilentRunners

* Save it to the desktop.
* Run Silent Runner's by doubleclicking the "Silent Runners" icon on your desktop.
* You will see a text file appear on the desktop - it's not done yet, just let it run (it won't appear to be doing anything!)
* Once you receive the prompt "All Done! ", double-click on the new text file on the desktop and copy that entire log and paste it here.

*NOTE* If you receive any warning message about scripts, please choose to allow the script to run.

Scan your PC with RAV. If any files are infected, click the report button then copy and paste it here.

 

Thank you for getting back to me. Missing things in the startup is probably my fault. The Hijackthis log I posted is of course not the very first one. I went in and deleted stuff when I first started working on this problem before I posted here. Hopefully I didn't do too much harm.

The silentrunner log is:

"Silent Runners.vbs ", revision 37, http://www.silentrunners.org/
Operating System: Windows 98
Output limited to non-default values, except where indicated by "{++} "


Startup items buried in registry:
---------------------------------

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"GhostSurfDelSatellite" = " "C:\PROGRAM FILES\SPYCATCHER\DeleteSatellite.exe" " [ "Tenebril Incorporated"]
"HP Lamp" = "C:\Program Files\Hewlett-Packard\HP PrecisionScan\PrecisionScan\HPLamp.exe" [null data]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ {++}
"GhostSurfDelSatellite" = " "C:\PROGRAM FILES\SPYCATCHER\DeleteSatellite.exe" nowait" [ "Tenebril Incorporated"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{00000000-6C30-11D8-9363-000AE6309654}\(Default) = "SuperAdBlockerBHO Class "
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRAM FILES\SUPERADBLOCKER.COM\SUPER AD BLOCKER\SABBHO.DLL" [file not found]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{2E9D3540-211C-11d0-A5F2-00A0248C37BE}" = "Nero Shell Extension Property Sheet "
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Ahead\Nero\neroshx.dll" [ "ahead software gmbh im stoeckmaedle 6 76307 karlsbad, germany Fax: ++49-7248-911-888 e-mail: info@ahead.de"]


Enabled Active Desktop and Wallpaper:
-------------------------------------

Active Desktop is enabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState


Startup items in "Startup" & "All Users...Startup" folders:
-----------------------------------------------------------

C:\WINDOWS\Start Menu\Programs\StartUp
"Stimon.exe" -> shortcut to: "C:\WINDOWS\SYSTEM\STIMON.EXE" [MS]
"Scheduler" -> shortcut to: "C:\Program Files\SpyCatcher\Scheduler daemon.exe" [ "Tenebril Incorporated"]


Enabled Scheduled Tasks:
------------------------

"Tune-up Application Start" -> launches: "walign" [MS]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "C:\WINDOWS\SYSTEM\rnr20.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
00000000000#\PackedCatalogItem (contains) DLL [Company Name], (at) # range:
C:\WINDOWS\SYSTEM\mswsosp.dll [MS], 1
C:\WINDOWS\SYSTEM\msafd.dll [MS], 2 - 4
C:\WINDOWS\SYSTEM\rsvpsp.dll [MS], 5 - 6


----------
This report excludes default entries except where indicated.
To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
----------

 

I cannot get RAV to work. It starts out downloading an upgrade and takes quite some time. Then, it says the upgrade failed. . undefined. . and then it just starts acting like it is downloading again, but it doesn't do anything. I tried it several times.

I ran Spybot Search and Destroy again. . I can't copy the messages but I get an error during the check. "Xuron55 (Datei c:\windows\windows\win.ini kann nicht) . . . .

Then I have:

Admilli Service

n-case

I hope this might help. Is there another software I could possibly try other than RAV?

thanks again.

 

Please download MWAV. Save it to your desktop and double click to open. Check the boxes for Memory, Registry, Startup Folders, System Folders, Services, Drive, All Local Drives and Scan All Files, then click scan. When it completes, copy the lower window labled Virus Log Information and post it here. This scanner sometimes takes a very long time to run. Please be patient and allow it to complete!

Please open HijackThis and click 'View the list of backups'. Check everything in the list and click restore. Click the back button, then scan. If everything is back, save the log and post it please. If not, create a new folder on the desktop named HJT. Move HijackThis.exe and the 'backups' folder it created on the desktop to the new folder and try restoring again.

 

Virus Count: 132253

Edit: Whoa! You generated a virus list, which is just a list of the detection databse in the scanner. I needed the results of the scan.

noahdfear

 

continuation of viruslog:


Removed

noahdfear

 

before I continue. . .is this the correct information that you want? The virus list is very, very long! I'm not sure if I am looking at what you want me to look at? If so I can continue list after you post again. . .

thanks.

 

See post #9 You should be able to click 'View Log' in the Log section and scroll down to almost the bottom where you will find Viruses found information. Please copy and post just that part for now.

 

I did the restore to hijackthis and here is the current log:

Logfile of HijackThis v1.99.1
Scan saved at 4:10:06 PM, on 6/3/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\SPYCATCHER\DELETESATELLITE.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\HP PRECISIONSCAN\PRECISIONSCAN\HPLAMP.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\SPYCATCHER\SCHEDULER DAEMON.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\UNZIPPED\HIJACKTHIS[1]\HIJACKTHIS.EXE
C:\WINDOWS\REGEDIT.EXE
C:\WINDOWS\REGEDIT.EXE
C:\WINDOWS\REGEDIT.EXE
C:\WINDOWS\REGEDIT.EXE
C:\WINDOWS\REGEDIT.EXE
C:\WINDOWS\REGEDIT.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://win-eto.com/sp.htm?id=31130123321003
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://win-eto.com/sp.htm?id=31130123321003
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://win-eto.com/sp.htm?id=31130123321003
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://win-eto.com/hp.htm?id=31130123321003
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://win-eto.com/sp.htm?id=31130123321003
O2 - BHO: SuperAdBlockerBHO Class - {00000000-6C30-11D8-9363-000AE6309654} - C:\PROGRAM FILES\SUPERADBLOCKER.COM\SUPER AD BLOCKER\SABBHO.DLL (file missing)
O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINDOWS\SYSTEM\WFUHCT~1.DLL (file missing)
O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\PROGRAM FILES\VIEWPOINT\VIEWPOINT TOOLBAR\VIEWBAR.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [GhostSurfDelSatellite] "C:\PROGRAM FILES\SPYCATCHER\DeleteSatellite.exe "
O4 - HKLM\..\Run: [HP Lamp] C:\Program Files\Hewlett-Packard\HP PrecisionScan\PrecisionScan\HPLamp.exe
O4 - HKLM\..\Run: [Media Access] C:\PROGRAM FILES\MEDIA ACCESS\MediaAccK.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [pqlsn] C:\WINDOWS\pqlsn.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\SYSTEM\hpztsb06.exe
O4 - HKLM\..\Run: [Control handler] C:\WINDOWS\SYSTEM\EG95YJFY67P0THD.EXE
O4 - HKLM\..\Run: [HPSCANMonitor] C:\WINDOWS\SYSTEM\hpsjvxd.exe
O4 - HKLM\..\Run: [WindowsFZ] C:\WINDOWS\ZLOADER3.EXE
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunOnce: [GhostSurfDelSatellite] "C:\PROGRAM FILES\SPYCATCHER\DeleteSatellite.exe" nowait
O4 - Startup: Stimon.exe.lnk = C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - Startup: Scheduler.lnk = C:\Program Files\SpyCatcher\Scheduler daemon.exe
O4 - Startup: Microsoft Office.lnk = C:\WINDOWS\Application Data\Microsoft\Installer\{00010409-78E1-11D2-B60F-006097C998E7}\misc.exe
O8 - Extra context menu item: &Viewpoint Search - res://C:\PROGRAM FILES\VIEWPOINT\VIEWPOINT TOOLBAR\VIEWBAR.DLL/CXTSEARCH.HTML
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab

 

Ahhhhh.. . .now that I have done the restore the virus is back! the desktop is black again and my homepage is being taken over by a virus. You will make this go away again won't you??

thanks.

 

Ok. sorry for the virus list. I thought that was wrong. When I open up the view log. . .it goes on forever. . .tells me this at end:

Fri Jun 03 15:08:05 2005 => ***** Scanning complete. *****

Fri Jun 03 15:08:05 2005 => Total Objects Scanned: 85453
Fri Jun 03 15:08:05 2005 => Total Virus(es) Found: 17
Fri Jun 03 15:08:05 2005 => Total Disinfected Files: 0
Fri Jun 03 15:08:05 2005 => Total Files Renamed: 0
Fri Jun 03 15:08:05 2005 => Total Deleted Objects: 0
Fri Jun 03 15:08:05 2005 => Total Errors: 86
Fri Jun 03 15:08:05 2005 => Time Elapsed: 00:47:11
Fri Jun 03 15:08:05 2005 => Virus Database Date: 2005/05/29
Fri Jun 03 15:08:05 2005 => Virus Database Count: 132253

but it does not list which viruses. . .it just lists all my files that it checked. this isn't very helpful?? is it?? sorry for not knowing more about this. If I have to. . I will redo tomorrow when I come back to work and try again.

 

This is the very last part of the log:

Fri Jun 03 16:15:04 2005 => **********************************************************
Fri Jun 03 16:15:04 2005 => MicroWorld AntiVirus & Spyware Toolkit Utility.
Fri Jun 03 16:15:04 2005 => Copyright © 2003-2005, MicroWorld Technologies Inc.
Fri Jun 03 16:15:04 2005 => **********************************************************
Fri Jun 03 16:15:04 2005 => Version 6.2.9 (C:\WINDOWS\TEMP\MWAVSCAN.COM)
Fri Jun 03 16:15:04 2005 => Log File: C:\WINDOWS\TEMP\MWAV.LOG
Fri Jun 03 16:15:04 2005 => Last Scan Date and Time: 03.06.2005 14:18:35
Fri Jun 03 16:15:04 2005 => MWAV Registered: FALSE.
Fri Jun 03 16:15:04 2005 => MWAV Mode: Only Scan files.
Fri Jun 03 16:15:04 2005 => Latest Date of files inside MWAV: 29 May 2005 13:10:21.
Fri Jun 03 16:15:06 2005 => AV Library Loaded...
Fri Jun 03 16:15:06 2005 => MWAV doing self scanning...
Fri Jun 03 16:15:06 2005 => Scanning File C:\WINDOWS\TEMP\kavss.exe
Fri Jun 03 16:15:06 2005 => Scanning File C:\WINDOWS\TEMP\Getvlist.exe
Fri Jun 03 16:15:07 2005 => Scanning File C:\WINDOWS\TEMP\kavss.dll
Fri Jun 03 16:15:07 2005 => Scanning File C:\WINDOWS\TEMP\kavssdi.dll
Fri Jun 03 16:15:07 2005 => Scanning File C:\WINDOWS\TEMP\kavssi.dll
Fri Jun 03 16:15:07 2005 => Scanning File C:\WINDOWS\TEMP\kavvlg.dll
Fri Jun 03 16:15:07 2005 => Scanning File C:\WINDOWS\TEMP\msvlclnt.dll
Fri Jun 03 16:15:07 2005 => Scanning File C:\WINDOWS\TEMP\ipc.dll
Fri Jun 03 16:15:07 2005 => Scanning File C:\WINDOWS\TEMP\main.avi
Fri Jun 03 16:15:07 2005 => Scanning File C:\WINDOWS\TEMP\virus.avi
Fri Jun 03 16:15:07 2005 => MWAV files are clean.
Fri Jun 03 16:15:09 2005 => Virus Database Date: 2005/05/29
Fri Jun 03 16:15:09 2005 => Virus Database Count: 132253

 

Much better HJT log. Did you have the registry open when you created that log?

 

Wrong section of the MWAV log. It will be similar to below.


Thu May 19 00:15:55 2005 => ***** Scanning complete. *****

Thu May 19 00:15:55 2005 => Total Objects Scanned: 3161
Thu May 19 00:15:55 2005 => Total Virus(es) Found: 12
Thu May 19 00:15:55 2005 => Total Disinfected Files: 0
Thu May 19 00:15:55 2005 => Total Files Renamed: 0
Thu May 19 00:15:55 2005 => Total Deleted Objects: 0
Thu May 19 00:15:55 2005 => Total Errors: 5
Thu May 19 00:15:55 2005 => Time Elapsed: 00:21:37
Thu May 19 00:15:55 2005 => Virus Database Date: 2005/04/13
Thu May 19 00:15:55 2005 => Virus Database Count: 125667

Thu May 19 00:15:55 2005 => Scan Completed.

 

See #15 for the post like this. . .I think I gave you the right section. I'm not sure what you mean by the registry being open when I ran hijackthis log? I'm glad it looks better, but I don't like having all the errors back! Help!

 

I was looking for the section between these two lines.


Thu May 19 00:15:55 2005 => ***** Scanning complete. *****

>>>>>>>>>>>>>>>> information here >>>>>>>>>>>>>>>>>>>>

Thu May 19 00:15:55 2005 => Scan Completed.


I'm working up a proposed fix now. Hang in there!