
Daughter reports trojan warning with all incoming emails

Discussion in 'Malware and Virus Removal Archive' started by pippopottomus, 2007/03/04.

Thread Status:
Not open for further replies.
  1. 2007/03/04
    pippopottomus

    pippopottomus Inactive Thread Starter

    Joined:
    2002/02/04
    Messages:
    125
    Likes Received:
    0
    She's on HotMail and I use Yahoo's WebMail. Each time I try to email her she reports that her AV shows a "trojan warning" on the receipt....

    Did a full update and scan with Ad-Aware, SpyBot, Spyware Blaster and Grisoft AV (PE all) and ran a HijackThis log.

    Not smart enough to know if any of these show anything, but here it be....

    Opinions?

    Logfile of HijackThis v1.99.1
    Scan saved at 7:22:35 AM, on 3/4/07
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\PROGRAM FILES\R-RAM\RRAM.EXE
    C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
    C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE
    C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
    C:\PROGRAM FILES\SPYBOT - SEARCH & DESTROY\TEATIMER.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\PROGRAM FILES\MOZILLA FIREFOX\FIREFOX.EXE
    C:\EMERGENCY\HIJACKTHIS\HIJACKTHIS.EXE

    N3 - Netscape 7: user_pref( "browser.startup.homepage ", "http://www.google.com "); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\3do2clzn.slt\prefs.js)
    N3 - Netscape 7: user_pref( "browser.search.defaultengine ", "engine://C%3A%5CPROGRAM%20FILES%5CNETSCAPE%5CNETSCAPE%5Csearchplugins%5CSBWeb_01.src "); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\3do2clzn.slt\prefs.js)
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
    O4 - HKLM\..\Run: [ReleaseRAM] C:\PROGRAM FILES\R-RAM\RRAM.exe
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
    O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
    O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
    O4 - HKLM\..\Run: [CICache] CICache.exe
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakLogon
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - Startup: Microsoft Office.lnk = C:\WINDOWS\Application Data\Microsoft\Installer\{00120409-78E1-11D2-B60F-006097C998E7}\misc.exe
    O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsearch.html
    O8 - Extra context menu item: &Translate English Word - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmwordtrans.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmcache.html
    O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsimilar.html
    O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmbacklinks.html
    O8 - Extra context menu item: Translate Page into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmtrans.html
    O8 - Extra context menu item: Download using FlashGet - C:\PROGRAM FILES\FLASHGET\jc_link.htm
    O8 - Extra context menu item: Download All by FlashGet - C:\PROGRAM FILES\FLASHGET\jc_all.htm
    O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YPAGER.EXE
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YPAGER.EXE
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRAM FILES\JAVA\JRE1.5.0_06\BIN\SSV.DLL
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRAM FILES\JAVA\JRE1.5.0_06\BIN\SSV.DLL
    O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRAM FILES\FLASHGET\FLASHGET.EXE
    O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRAM FILES\FLASHGET\FLASHGET.EXE
    O12 - Plugin for .com/app-bin/crr/servlets/StoryServlet?story_id=34117957&app_code=access&user_type=P&format=pdf: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
    O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/hpdj/en/check/qdiagh.cab?326
    O16 - DPF: {72770C4F-967D-4517-982B-92D6B9015649} (DigWebHelper Class) - http://photos.msn.com/resources/neutral/controls/DigWebX.cab?9,0,712,0

    Thanks
    Vince in Philly
     
    Last edited: 2007/03/04
  2. 2007/03/04
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Joined:
    2003/03/02
    Messages:
    4,580
    Likes Received:
    7
    Hi pippopottomus

    I don't see anything in your log.

    It is highly recommended that you upgrade; Windows 98 is unsupported by Microsoft and you WILL end up with problems and be open to attacks.

    That said, let's get an on-line scan.

    Please exit AVG and stop TeaTimer to do the on-line scan.
    DO NOT surf the web until you re-enable these two programs.

    • Open Spybot Search & Destroy.
    • In the Mode menu click "Advanced mode" if not already selected.
    • Choose "Yes" at the Warning prompt.
    • Expand the "Tools" menu.
    • Click "Resident".
    • Uncheck the "Resident "TeaTimer" (Protection of overall system settings) active." box.
    • In the File menu click "Exit" to exit Spybot Search & Destroy.

    After the on-line scan do the above again and recheck the "Resident "TeaTimer" (Protection of overall system settings) active." box.
    and restart AVG.


    Please do an online scan with Kaspersky WebScanner

    Click on Kaspersky Online Scanner

    You will be prompted to install an ActiveX component from Kaspersky; click Yes.
    • The program will launch and then begin downloading the latest definition files:
    • Once the files have been downloaded click on NEXT
    • Now click on Scan Settings
    • In the scan settings make sure that the following are selected:
      • Scan using the following Anti-Virus database:
      • Extended (if available otherwise Standard)
      • Scan Options:
      • Scan Archives
        Scan Mail Bases
    • Click OK
    • Now under select a target to scan:
      • Select My Computer
    • The program will start and scan your system.
    • The scan will take a while so be patient and let it run.
    • Once the scan is complete it will display if your system has been infected.
      • Now click on the Save as Text button:
    • Save the file to your desktop.
    • Copy and paste that information in your next post.

    Geri
     
    Geri,
    #2
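Geri reads the HijackThis log above by eye. As an added example (not code from this thread, from HijackThis or from WindowsBBS), here is a small Python parser for the O4 autorun lines of a HijackThis v1.99.1 log that applies the kind of first-pass checks a reviewer makes before deciding an entry needs a closer look. The sample input is assembled from the log posted above; the flags are heuristics meaning "verify this one", not verdicts, and the thread's conclusion that the log is clean stands.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: O4 (autorun) lines copied from the HijackThis v1.99.1
# log posted above, plus one O2 line that the parser must ignore.
SAMPLE_HJT = r"""
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [CICache] CICache.exe
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: Microsoft Office.lnk = C:\WINDOWS\Application Data\Microsoft\Installer\{00120409-78E1-11D2-B60F-006097C998E7}\misc.exe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
"""

# Registry autoruns: "O4 - HKLM\..\Run: [Name] command"
REG_RE = re.compile(
    r"^O4 - (?P<loc>HK(?:LM|CU)\\\.\.\\Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$"
)
# Startup-folder autoruns: "O4 - Startup: Name.lnk = target"
STARTUP_RE = re.compile(r"^O4 - (?P<loc>(?:Global )?Startup): (?P<name>.+?) = (?P<cmd>.*)$")
# First executable in a command line, tolerating spaces in paths and an optional leading quote.
EXE_RE = re.compile(
    r'^"?(?P<exe>.+?\.(?:exe|com|dll|cpl|scr|bat|pif|vbs|js))(?=["\s,]|$)', re.I
)


@dataclass
class AutorunEntry:
    location: str   # HKLM\..\Run, HKCU\..\Run, Startup, ...
    name: str       # registry value name or shortcut name
    command: str    # full command line as logged
    exe: str        # executable portion of the command
    flags: list = field(default_factory=list)


def extract_exe(command: str) -> str:
    """Return the program that actually launches, or the first token as a fallback."""
    m = EXE_RE.match(command.strip())
    return m["exe"] if m else command.strip().split()[0]


def triage_flags(entry: AutorunEntry) -> list:
    """Heuristic reasons to verify an entry by hand. Empty list == nothing unusual."""
    flags = []
    exe = entry.exe
    if "\\" not in exe and "/" not in exe:
        flags.append("bare filename: resolved via the search path, verify which file actually runs")
    if exe.lower().endswith("rundll32.exe"):
        flags.append("rundll32 host: the code that runs is the argument, not rundll32 itself")
    low = exe.lower()
    if "\\application data\\" in low or "\\temp\\" in low:
        flags.append("runs from a profile/temp directory: confirm the file's publisher")
    return flags


def parse_o4(text: str) -> list:
    """Parse O4 lines only; every other HijackThis section is ignored."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        m = REG_RE.match(line) or STARTUP_RE.match(line)
        if not m:
            continue
        entry = AutorunEntry(m["loc"], m["name"], m["cmd"], extract_exe(m["cmd"]))
        entry.flags = triage_flags(entry)
        entries.append(entry)
    return entries


def triage_report(text: str) -> dict:
    """Map each autorun name to its list of review flags."""
    return {e.name: e.flags for e in parse_o4(text)}


if __name__ == "__main__":
    for e in parse_o4(SAMPLE_HJT):
        status = "; ".join(e.flags) if e.flags else "nothing unusual"
        print(f"{e.location:<22} {e.name:<22} {e.exe:<60} {status}")
```

A bare filename such as `SysTray.Exe` or `CICache.exe` is only a reason to confirm which file on disk is being launched; on this log Geri found nothing wrong with any of them, and the script agrees that the entries with full paths to known products raise no flag at all.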


  4. 2007/03/04
    pippopottomus

    pippopottomus Inactive Thread Starter

    Joined:
    2002/02/04
    Messages:
    125
    Likes Received:
    0
    Well, six hours more or less and two restarts later we finally got through the KasperScan.... lost power at about 36% on the second one.... but it got done...

    So:

    Sunday, March 04, 2007 10:21:21 PM
    Operating System: Microsoft Windows 98 SE
    Kaspersky Online Scanner version: 5.0.83.0
    Kaspersky Anti-Virus database last update: 4/03/2007
    Kaspersky Anti-Virus database records: 275810


    Scan Settings
    Scan using the following antivirus database extended
    Scan Archives true
    Scan Mail Bases true

    Scan Target My Computer
    a:\
    c:\
    d:\
    e:\
    f:\
    g:\
    h:\

    Scan Statistics
    Total number of scanned objects 120989
    Number of viruses found 2
    Number of infected objects 3 / 0
    Number of suspicious objects 0
    Duration of the scan process 04:21:40

    Infected Object Name Virus Name Last Action
    c:\WINDOWS\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped

    c:\WINDOWS\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped

    c:\WINDOWS\TEMP\~DFCBA7.TMP Object is locked skipped

    c:\WINDOWS\WIN386.SWP Object is locked skipped

    c:\WINDOWS\Application Data\Mozilla\Firefox\Profiles\zcuuipnx.default\history.dat Object is locked skipped

    c:\WINDOWS\Application Data\Mozilla\Firefox\Profiles\zcuuipnx.default\Cache\_CACHE_MAP_ Object is locked skipped

    c:\WINDOWS\Application Data\Mozilla\Firefox\Profiles\zcuuipnx.default\Cache\_CACHE_001_ Object is locked skipped

    c:\WINDOWS\Application Data\Mozilla\Firefox\Profiles\zcuuipnx.default\Cache\_CACHE_002_ Object is locked skipped

    c:\WINDOWS\Application Data\Mozilla\Firefox\Profiles\zcuuipnx.default\Cache\_CACHE_003_ Object is locked skipped

    c:\WINDOWS\Application Data\Mozilla\Firefox\Profiles\zcuuipnx.default\cert8.db Object is locked skipped

    c:\WINDOWS\Application Data\Mozilla\Firefox\Profiles\zcuuipnx.default\key3.db Object is locked skipped

    c:\WINDOWS\Application Data\Mozilla\Firefox\Profiles\zcuuipnx.default\parent.lock Object is locked skipped

    c:\WINDOWS\Application Data\AVG7\Log\emc.log Object is locked skipped

    c:\WINDOWS\SchedLog.Txt Object is locked skipped

    c:\WINDOWS\Cookies\index.dat Object is locked skipped

    c:\WINDOWS\History\History.IE5\index.dat Object is locked skipped

    c:\WINDOWS\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

    c:\WINDOWS\Local Settings\Application Data\Microsoft\Internet Explorer\MSIMGSIZ.DAT Object is locked skipped

    c:\EMERGENCY\HijackTHIS\backups\backup-20070120-145412-738-winupdate.exe Infected: Net-Worm.Win32.Protoride.n skipped

    d:\POWERSPEC\POWERSPEC Startups 8-20-04\installers\GetRight v4.5 (Final)\getrt450.exe/WISE0087.BIN Infected: not-a-virus:AdWare.Win32.Gator.1050 skipped

    d:\POWERSPEC\POWERSPEC Startups 8-20-04\installers\GetRight v4.5 (Final)\getrt450.exe WiseSFX: infected - 1 skipped

    Scan process completed



    So, who do I have to shoot and how do I shoot 'em?


    AVG is turned back on (and updated) and I re-established the resident tea-timer.

    Vince
     
  5. 2007/03/04
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Joined:
    2003/03/02
    Messages:
    4,580
    Likes Received:
    7
    Hi

    Well, there is really nothing showing in that either.

    c:\EMERGENCY\HijackTHIS\backups\backup-20070120-145412-738-winupdate.exe Infected: Net-Worm.Win32.Protoride.n skipped <<<This is in a HJT back up and not a threat.

    d:\POWERSPEC\POWERSPEC Startups 8-20-04\installers\GetRight v4.5 (Final)\getrt450.exe/WISE0087.BIN Infected: not-a-virus:AdWare.Win32.Gator.1050 skipped

    d:\POWERSPEC\POWERSPEC Startups 8-20-04\installers\GetRight v4.5 (Final)\getrt450.exe WiseSFX: infected - 1 skipped <<< GetRight seems to be a legit program.

    The only thing I see is Gator, and that is not a trojan and may have been bundled with GetRight.

    Open your Add/Remove Programs and remove anything that has to do with Gator or Gain.

    I see no trojans in your HJT log or the Kaspersky log.

    Geri
     
    Geri,
    #4
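The Kaspersky Online Scanner report in post 4 and Geri's reading of it in post 5 show the triage steps in words: locked files were never scanned, an item inside the HijackThis backups folder is not active, a "not-a-virus:" prefix means adware or riskware rather than a trojan, and a "WiseSFX: infected - 1" line is only the container verdict for the member already listed. As an added example that is not code from the thread or from Kaspersky, the Python below parses result lines in that format and sorts them into those buckets. The sample input is taken from the report above, with one extra line carrying an obviously constructed placeholder path and detection name so that the "actionable" bucket is exercised.

```python
import re
from collections import defaultdict

# Constructed sample: lines from the Kaspersky Online Scanner 5.0.83.0 report
# posted above, plus one PLACEHOLDER line (not from the report) to show the
# actionable case. "Scan process completed" is a trailer the parser must skip.
SAMPLE_SCAN = r"""
c:\WINDOWS\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped
c:\WINDOWS\TEMP\~DFCBA7.TMP Object is locked skipped
c:\WINDOWS\WIN386.SWP Object is locked skipped
c:\WINDOWS\Application Data\Mozilla\Firefox\Profiles\zcuuipnx.default\key3.db Object is locked skipped
c:\WINDOWS\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
c:\EMERGENCY\HijackTHIS\backups\backup-20070120-145412-738-winupdate.exe Infected: Net-Worm.Win32.Protoride.n skipped
d:\POWERSPEC\POWERSPEC Startups 8-20-04\installers\GetRight v4.5 (Final)\getrt450.exe/WISE0087.BIN Infected: not-a-virus:AdWare.Win32.Gator.1050 skipped
d:\POWERSPEC\POWERSPEC Startups 8-20-04\installers\GetRight v4.5 (Final)\getrt450.exe WiseSFX: infected - 1 skipped
c:\WINDOWS\TEMP\PLACEHOLDER-sample.exe Infected: EXAMPLE.Placeholder.Detection skipped
Scan process completed
"""

# One result line: <path with spaces> <status> <last action>
LINE_RE = re.compile(
    r"^(?P<path>.+?)\s+"
    r"(?:(?P<locked>Object is locked)"
    r"|Infected: (?P<name>\S+)"
    r"|Suspicious: (?P<susp>\S+)"
    r"|(?P<container>\S+): infected - (?P<count>\d+))"
    r"\s+(?P<action>\w+)\s*$"
)


def parse_scan_lines(text: str) -> list:
    """Return one dict of regex groups per recognised result line."""
    records = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            records.append(m.groupdict())
    return records


def classify(rec: dict) -> str:
    """Bucket a result the way a reviewer reads it."""
    path = rec["path"].lower()
    if rec["locked"]:
        return "locked_not_scanned"       # in use during the scan, so no verdict exists yet
    if rec["container"]:
        return "container_summary"        # archive verdict; the member is listed separately
    if "\\hijackthis\\backups\\" in path:
        return "hjt_backup"               # copy of an item HijackThis already removed
    name = rec["name"] or rec["susp"] or ""
    if name.lower().startswith("not-a-virus:"):
        return "riskware"                 # adware/riskware class, not a trojan
    return "actionable"                   # a live detection that needs follow-up


def triage(text: str) -> dict:
    """Group (path, detection) pairs by bucket."""
    buckets = defaultdict(list)
    for rec in parse_scan_lines(text):
        label = rec["name"] or rec["susp"] or rec["container"] or "locked"
        buckets[classify(rec)].append((rec["path"], label))
    return dict(buckets)


def counts(buckets: dict) -> dict:
    """Bucket name -> number of entries, for a one-line summary."""
    return {k: len(v) for k, v in buckets.items()}


if __name__ == "__main__":
    b = triage(SAMPLE_SCAN)
    print(counts(b))
    for path, label in b.get("actionable", []):
        print("follow up:", path, label)
```

Run against the report as actually posted (without the placeholder line) the "actionable" bucket is empty, which is the conclusion reached in the thread; the locked-file bucket is a reminder that those objects still have no verdict and would need an offline or boot-time scan if there were reason to doubt them.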
  6. 2007/03/04
    pippopottomus

    pippopottomus Inactive Thread Starter

    Joined:
    2002/02/04
    Messages:
    125
    Likes Received:
    0
    Sure, and I murtherd GetRite (JIC) as it's a download manager I never use anymore... It's a pretty good manager program but the one in Firefox meets all my present needs.

    Nothing in "Add-Remove" showing either "Gain" or "Gator".


    So... what could be causing her AV to freak out? It's a puzzlement to me.
     
  7. 2007/03/04
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Joined:
    2003/03/02
    Messages:
    4,580
    Likes Received:
    7
    Hi
    I would have your daughter have her system checked; could it be HotMail and their email scanner?

    I will also have TeMerc look here just to make sure I'm not missing something, but I believe you are OK. Check back in a day or so and I'll let you know what he said.

    Geri
     
    Geri,
    #6
  8. 2007/03/04
    pippopottomus

    pippopottomus Inactive Thread Starter

    Joined:
    2002/02/04
    Messages:
    125
    Likes Received:
    0
    I have a little graphic I usually post for an excellent job: "Bravo Zulu" is the Navy flaghoist for "Well Done".

    Consider it hoisted, indeed, consider it two-blocked.:D :D :D

    Thank you and I shall check back in on Thursday (eye surgery tomorrow and two days recovery).
     
  9. 2007/03/05
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Joined:
    2003/03/02
    Messages:
    4,580
    Likes Received:
    7
    Hi pippopottomus

    TeMerc also said everything is OK.

    Thanks and you're welcome.

    Geri
     
    Geri,
    #8
  10. 2007/03/05
    pippopottomus

    pippopottomus Inactive Thread Starter

    Joined:
    2002/02/04
    Messages:
    125
    Likes Received:
    0
    Thanks again to all.... Pete, lock 'er up.
     
  11. 2007/03/05
    TeMerc

    TeMerc Inactive Alumni

    Joined:
    2006/05/13
    Messages:
    3,226
    Likes Received:
    4
    Due to resolution this topic is closed.

    If you need this topic reopened, please request this by sending the moderating team a PM with the address of the thread. This applies only to the original topic starter.
     