
HJT file attached; Am I in the right place for a virus?

Discussion in 'Malware and Virus Removal Archive' started by frayedknotarts, 2007/01/20.

Thread Status:
Not open for further replies.
  1. 2007/01/20
    frayedknotarts (Thread Starter)
    Quick precis:
    Win98SE on Verizon DSL via Westell modem; generic computer w/ 2.4mhz Intel P-IV chip, unknown MoBo
    Internet through Linksys BEFSX41 4-port router

    Sometime this morning I found the lights on the router and the DSL modem going insane, indicating that the computer was accessing, or attempting to access, the internet constantly. I was unable to get online at that time and was (and still) am unable to do a standard shutdown.
    Ran msconfig to see if any unusual programs had crept in, but could find nothing new or odd.
    After much futzing about I managed to get back online, but at a speed that would embarrass a 9600 baud modem... the HDD is still trying to access the internet (or at least that's how I'm interpreting it) with constant activity on the modem and router lights. Whatever it is is also using almost 100% of CPU capacity and making it very hard to do anything.... getting the following HJT file took nearly an hour and six tries.

    What information do you need/can I include here? Suspect a virus or something of the sort.

    Logfile of HijackThis v1.99.1
    Scan saved at 8:46:59 PM, on 1/20/07
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
    C:\PROGRAM FILES\VERIZON ONLINE\SUPPORTCENTER\BIN\MAD.EXE
    C:\PROGRAM FILES\MOTIVE\ASSTCOMMON\MOTIVEDIRECTORY.EXE
    C:\PROGRAM FILES\VERIZON ONLINE\SUPPORTCENTER\BIN\MPBTN.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\SYSTEM\RNAAPP.EXE
    C:\WINDOWS\SYSTEM\TAPISRV.EXE
    C:\PROGRAM FILES\VERIZON ONLINE\SUPPORTCENTER\SMARTBRIDGE\MOTIVESB.EXE
    C:\USBSTORAGE\USBDETECTOR.EXE
    C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
    C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
    C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE
    C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
    C:\WINDOWS\START MENU\PROGRAMS\STARTUP\WINUPDATE.EXE
    C:\WINDOWS\START MENU\PROGRAMS\STARTUP\WINUPDATE.EXE
    C:\WINDOWS\START MENU\PROGRAMS\STARTUP\WINUPDATE.EXE
    C:\PROGRAM FILES\VERIZON ONLINE\WINPOET\WINPPPOVERETHERNET.EXE
    C:\PROGRAM FILES\MOZILLA FIREFOX\FIREFOX.EXE
    C:\INCOMING\HIJACKTHIS\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Verizon Online
    R3 - Default URLSearchHook is missing
    O2 - BHO: WaveHelper Class - {EA7F9A52-0A05-11D2-98C5-00104B7229C2} - C:\PROGRAM FILES\WAVETOP\BIN\WAVEIE.DLL
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\SPYBOT~1.1\SDHELPER.DLL
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\windows\googletoolbar2.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\googletoolbar2.dll
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\VERIZO~1\SUPPOR~1\SMARTB~1\MotiveSB.exe
    O4 - HKLM\..\Run: [IPInSightLAN 01] "C:\PROGRAM FILES\VERIZON ONLINE\VISUALIPINSIGHT\IPClient.exe" -l
    O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\PROGRAM FILES\VERIZON ONLINE\VISUALIPINSIGHT\IPMon32.exe "
    O4 - HKLM\..\Run: [USBDetector] C:\USBStorage\USBDetector.exe
    O4 - HKLM\..\Run: [NvColorInit] RUNDLL32.EXE NVQTWK.DLL,NvColorInit
    O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
    O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
    O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
    O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
    O4 - HKLM\..\RunServices: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakLogon
    O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
    O4 - Startup: winupdate.exe
    O4 - Global Startup: Verizon Online.lnk = C:\Program Files\Verizon Online\VOLSW\Verizon Online.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: &Google Search - res://C:\WINDOWS\GOOGLETOOLBAR2.DLL/cmsearch.html
    O8 - Extra context menu item: &Translate English Word - res://C:\WINDOWS\GOOGLETOOLBAR2.DLL/cmwordtrans.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://C:\WINDOWS\GOOGLETOOLBAR2.DLL/cmcache.html
    O8 - Extra context menu item: Similar Pages - res://C:\WINDOWS\GOOGLETOOLBAR2.DLL/cmsimilar.html
    O8 - Extra context menu item: Backward Links - res://C:\WINDOWS\GOOGLETOOLBAR2.DLL/cmbacklinks.html
    O8 - Extra context menu item: Translate Page into English - res://C:\WINDOWS\GOOGLETOOLBAR2.DLL/cmtrans.html
    O9 - Extra button: Control Pad - {28D44DAC-D1FC-4d4f-BB1B-ADF037C8DDBC} - C:\PROGRAM FILES\VERIZON ONLINE\CONTROLPAD\Misc\a_menu.exe
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003050501/housecall.antivirus.com/housecall/xscan53.cab
    O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {29B2C103-AB53-4971-B765-FC1CE5D8B2D1} - http://www.silvercrk.com/php/1freemine_scecab_151.197.56.80.57010553821077266_887683.cab
    O16 - DPF: {0FC6BF2B-E16A-11CF-AB2E-0080AD08A326} - http://activex.liveupdate.com/controls/cres.cab
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...pple.com/bonnie/us/win/QuickTimeInstaller.exe
    O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamespyarcade.com/software/launch/alaunch.cab
    O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-0-3-0.cab
    O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/software/win/ActiveXPlugin.cab
    O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/hpdj/en/check/qdiagh.cab?323
    O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 151.197.0.39,151.197.0.38,192.168.1.1

    Help?
     
  2. 2007/01/21
    TeMerc
    Hello and welcome to WindowsBBS Forums.

    Yeah, I'm seeing an infection here for sure; those WinUpdate entries should not be there at all.

    First off though, let's download Process Explorer. Install it and you may find that there are some 'hidden' IE windows up and running, calling out for more nasties.

    Let's attack what's there for now, which appears to be easy. This could be a case of running W9x actually saving you some, because most code these days is written for NT and up systems, and W9x boxes don't get hit as hard.


    Please hit the 'Ctrl' key + 'Alt' key + 'Delete' key to bring up the Task Manager and select the 'Processes' tab. Then find, highlight and select 'End Task' on the following process(es) if present:
    C:\WINDOWS\START MENU\PROGRAMS\STARTUP\WINUPDATE.EXE (all instances)

    Enable the 'Show Hidden Folders' option, like this:
    Open My Computer.
    Select the View menu and click Folder Options.
    Select the View Tab.
    In the Hidden files section select Show all files.
    Click OK.

    And search for, then delete, if found, (some may not be present after previous steps) the following files/folders:
    WINUPDATE.EXE<<<---this file


    Open Hijackthis, select the [Do a system scan only] button and look over the following entries I have listed, check the boxes [] next to them and press the [Fix Checked] button. When you are doing this, make sure you have No IE windows, nor any other browsers open, including this one. Reboot if I have specified below, and post a fresh HijackThis log.

    Default URLSearchHook is missing



    O16 - DPF: {29B2C103-AB53-4971-B765-FC1CE5D8B2D1} - http://www.silvercrk.com/php/1freemi...6_8 87683.cab

    O16 - DPF: {0FC6BF2B-E16A-11CF-AB2E-0080AD08A326} - http://activex.liveupdate.com/controls/cres.cab

    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/...eInstaller.exe



    Reboot, then post a new HJT log back into this thread please.

    I'd also like to get an uninstall list too:
    Start HijackThis

    • Open HJT, click the [None of the above, just start the program] button.
    • Click on the [Config] button
    • Click on the [Misc Tools] button
    • Click on the [Open Uninstall Manager] button
    • Then click on the [Save list] button and specify where you would like to save this file.
    • When you press [Save list] button a notepad will open with the contents of that file.
    • Copy and paste the contents of that notepad back into this thread for me to view.
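A small triage script, added here as an example (it is not part of the thread and not a HijackThis feature), that parses a log in the format posted above and flags the same patterns TeMerc acted on: the same executable running several times out of the Startup folder, an `O4 - Startup:` item, the missing URLSearchHook, and `O16` ActiveX downloads that carry no friendly class name. The sample log is a constructed subset of the first post's log; the rules are heuristics for review, not verdicts.

```python
import re
from collections import Counter, namedtuple

Finding = namedtuple("Finding", "rule detail")

# Constructed sample: a subset of the HijackThis v1.99.1 log posted in the thread.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
Platform: Windows 98 SE (Win9x 4.10.2222A)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\START MENU\PROGRAMS\STARTUP\WINUPDATE.EXE
C:\WINDOWS\START MENU\PROGRAMS\STARTUP\WINUPDATE.EXE
C:\WINDOWS\START MENU\PROGRAMS\STARTUP\WINUPDATE.EXE
C:\PROGRAM FILES\MOZILLA FIREFOX\FIREFOX.EXE

R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - Startup: winupdate.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003050501/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {29B2C103-AB53-4971-B765-FC1CE5D8B2D1} - http://www.silvercrk.com/php/1freemine_scecab_151.197.56.80.57010553821077266_887683.cab
O16 - DPF: {0FC6BF2B-E16A-11CF-AB2E-0080AD08A326} - http://activex.liveupdate.com/controls/cres.cab
"""

# Tagged entry lines look like "O4 - ...", "R3 - ...", "O16 - DPF: ...".
ENTRY_RE = re.compile(r"^(?P<section>[RFO]\d+) - (?P<body>.*)$")
# O16 body: "{CLSID} (Friendly Name) - URL"; the friendly name is optional.
O16_RE = re.compile(
    r"^DPF: (?P<clsid>\{[0-9A-Fa-f-]+\})(?: \((?P<name>[^)]*)\))? - (?P<url>\S+)$"
)


def parse_hjt(text):
    """Split a HijackThis log into the running-process list and the tagged entries."""
    processes, entries = [], []
    in_processes = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            in_processes = False  # a blank line ends the process list
            continue
        if line.lower() == "running processes:":
            in_processes = True
            continue
        m = ENTRY_RE.match(line)
        if m:
            in_processes = False
            entries.append((m.group("section"), m.group("body")))
        elif in_processes:
            processes.append(line)
    return processes, entries


def triage(text):
    """Return the list of Findings the heuristic rules raise for one log."""
    processes, entries = parse_hjt(text)
    findings = []
    upper = [p.upper() for p in processes]
    # Rule 1: the same executable path running more than once (15 copies in the thread).
    for path, n in Counter(upper).items():
        if n > 1:
            findings.append(Finding("duplicate-process", f"{path} running {n} times"))
    # Rule 2: an .EXE executing straight out of the Startup folder, not a program directory.
    for path in sorted(set(upper)):
        if "\\STARTUP\\" in path and path.endswith(".EXE"):
            findings.append(Finding("exe-in-startup-folder", path))
    for section, body in entries:
        if section == "R3" and "URLSearchHook is missing" in body:
            findings.append(Finding("missing-urlsearchhook", body))
        elif section == "O4" and body.startswith("Startup:"):
            findings.append(Finding("o4-startup-folder-item", body))
        elif section == "O16":
            m = O16_RE.match(body)
            # Rule 3: a downloaded ActiveX control with no registered friendly name.
            if m and not m.group("name"):
                findings.append(Finding("unnamed-o16-dpf", m.group("url")))
    return findings


def rule_counts(findings):
    """Count findings per rule, handy for a quick summary or for tests."""
    return Counter(f.rule for f in findings)


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.rule}] {f.detail}")
```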
     


  4. 2007/01/22
    frayedknotarts (Thread Starter)
    Just in case this doesn't work, first let me thank you for your help so far... took almost a full day to finally d/l Process Explorer (during which I had to clean the 'C' drive several times);

    guilty party seems to be "protoType c2.3.0 by BeyonD aDvanceD TechNoloGies v2.3.0 build 500 "

    Process Explorer (caps key is intermittent on this keyboard... sorry) shewed about 15 instances of WinUpdate running and I managed to kill them all:

    Ctrl-Alt-Del in Win98 brings up the "Close Program" splash, but Winupdate wasn't shewing.

    Went to start menu and managed to delete winupdate per instructions.

    In the process of the above, all my shortcuts seem to have been invalidated, so I decided to give you an interim report; am now going to do the registry portion of the instructions and will take a new HJT log and a copy of the uninstall list ASAP.

    Again...thanks for the life-preserver! Even if it DiDn'T work (and i hope it has!) it sure buoyed up my spirits!
     
  5. 2007/01/22
    frayedknotarts (Thread Starter)
    more problems

    Dunno if this will sort itself out on a restart, but I seem to have lost a connexion to "Start.exe": I went to start another Firefox window and this brings up a splash that tells me that Windows cannot find "Start.exe" and invites me to search for it.

    Where would i find this or will it "sort itself" on restart?

    Don't want to disable things so will wait to hear from you on this before proceeding with the rest of the instructions, which would require a reboot.

    Again, much appreciation for the help!
     
  6. 2007/01/22
    TeMerc
    This is most likely part of the infection you had.

    Let's run a couple of anti-spyware tools to clean up whatever remnants may be present. I do this mostly because the vast majority of our other file searching tools don't work on 9x machines.

    You can safely let both of the following apps remove\quarantine whatever each finds. Both have a 'restore' feature which we can utilize if needed, in the unlikely event that they break some other legit software on your machine.


    Spybot Search & Destroy v.1.4
    AdAware SE Free v1.06r


    Run one, then reboot and run the other.
     
  7. 2007/01/22
    frayedknotarts (Thread Starter)
    Have both on the computer already, but am unable to start any applications....

    Advise?
     
  8. 2007/01/22
    frayedknotarts (Thread Starter)
    Downloaded both but am unable to start them.

    Cannot start any applications... I fear I (messed) things up somehow (not a new experience for me, unfortunately). When I try to start any application, I get what appears to be a momentary flash of a DOS box and no other result. This includes HJT as well as any application I try.
     
  9. 2007/01/22
    TeMerc
    Ok, first you say you had both, then you say you downloaded them and nothing will run. Which is it?

    And when did this problem of being unable to open apps begin? Try to backtrack what steps you did, based on the instructions I gave.

    Also, do you have the OEM Windows install CD that came with the PC?
     
  10. 2007/01/22
    frayedknotarts (Thread Starter)
    Solved the "unable to run" problem.... found an old proggie on the HD which automatically restores the association to START.EXE (EXEfix08.com), which did the trick. The problem started immediately after running Process Explorer and deleting all instances of the WinUpdate problem, but the .com file fixed it. I did have both AdAware and Spybot already on the computer but have d/l'd anew; should I just update the existing ones and run them?

    Here's the new HijackThis log and uninstall log after completing the steps in your first reply. I will run AdAware and Spybot and let you know the results.

    Logfile of HijackThis v1.99.1
    Scan saved at 10:02:25 PM, on 1/22/07
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\PROGRAM FILES\VERIZON ONLINE\SUPPORTCENTER\SMARTBRIDGE\MOTIVESB.EXE
    C:\USBSTORAGE\USBDETECTOR.EXE
    C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
    C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
    C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE
    C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
    C:\WINDOWS\SYSTEM\RNAAPP.EXE
    C:\WINDOWS\SYSTEM\TAPISRV.EXE
    C:\PROGRAM FILES\VERIZON ONLINE\WINPOET\WINPPPOVERETHERNET.EXE
    C:\INCOMING\HIJACKTHIS\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Verizon Online
    R3 - Default URLSearchHook is missing
    O2 - BHO: WaveHelper Class - {EA7F9A52-0A05-11D2-98C5-00104B7229C2} - C:\PROGRAM FILES\WAVETOP\BIN\WAVEIE.DLL
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\SPYBOT~1.1\SDHELPER.DLL
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\windows\googletoolbar2.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\googletoolbar2.dll
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\VERIZO~1\SUPPOR~1\SMARTB~1\MotiveSB.exe
    O4 - HKLM\..\Run: [IPInSightLAN 01] "C:\PROGRAM FILES\VERIZON ONLINE\VISUALIPINSIGHT\IPClient.exe" -l
    O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\PROGRAM FILES\VERIZON ONLINE\VISUALIPINSIGHT\IPMon32.exe "
    O4 - HKLM\..\Run: [USBDetector] C:\USBStorage\USBDetector.exe
    O4 - HKLM\..\Run: [NvColorInit] RUNDLL32.EXE NVQTWK.DLL,NvColorInit
    O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
    O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
    O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
    O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
    O4 - HKLM\..\RunServices: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakLogon
    O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
    O4 - Global Startup: Verizon Online.lnk = C:\Program Files\Verizon Online\VOLSW\Verizon Online.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: &Google Search - res://C:\WINDOWS\GOOGLETOOLBAR2.DLL/cmsearch.html
    O8 - Extra context menu item: &Translate English Word - res://C:\WINDOWS\GOOGLETOOLBAR2.DLL/cmwordtrans.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://C:\WINDOWS\GOOGLETOOLBAR2.DLL/cmcache.html
    O8 - Extra context menu item: Similar Pages - res://C:\WINDOWS\GOOGLETOOLBAR2.DLL/cmsimilar.html
    O8 - Extra context menu item: Backward Links - res://C:\WINDOWS\GOOGLETOOLBAR2.DLL/cmbacklinks.html
    O8 - Extra context menu item: Translate Page into English - res://C:\WINDOWS\GOOGLETOOLBAR2.DLL/cmtrans.html
    O9 - Extra button: Control Pad - {28D44DAC-D1FC-4d4f-BB1B-ADF037C8DDBC} - C:\PROGRAM FILES\VERIZON ONLINE\CONTROLPAD\Misc\a_menu.exe
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003050501/housecall.antivirus.com/housecall/xscan53.cab
    O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-0-3-0.cab
    O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/software/win/ActiveXPlugin.cab
    O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/hpdj/en/check/qdiagh.cab?323
    O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 151.197.0.39,151.197.0.38,192.168.1.1





    UNINSTALL LOG

    abc2nwc
    Absolute Accessories
    ACT!
    Active Disk
    Ad-aware 6 Plus
    Ad-Aware SE Personal
    Adobe Acrobat 5.0
    Adobe Download Manager (Remove Only)
    Adobe Illustrator 10
    Adobe Photoshop 7.0
    Adobe SVG Viewer 3.0
    Adobe Type Manager Deluxe 4.1
    AVG Free Edition
    AZZ Cardfile
    Business Card Designer Plus 7.1.1.0
    Carbon Utilities
    ClarisWorks 4.0
    CloneCD
    C-Media 3D Audio
    Control Pad
    Conversions Plus 6.05
    Defragmenter Pro Plus
    Direct Connect 1.0 Preview Build 9
    DivX Codec
    DivX Player
    Dolet Light for Finale
    Drive Rescue 1.9
    Easy CD Creator 5 Platinum
    EPSON Printer Software
    Finale 2003
    Forté Agent
    Four Winds
    GetRight
    GoldWave v4.26
    Google Toolbar for Internet Explorer
    GSview 4.6
    GVOX Encore 32 v4.5
    HijackThis 1.99.1
    hp deskjet 930c series (Remove only)
    IomegaWare 4.0.2
    IrfanView (remove only)
    J2SE Runtime Environment 5.0 Update 2
    Java 2 Runtime Environment, SE v1.4.2_06
    Kazaa Lite v2.1.0 [K++ Edition] [build 3]
    LiveReg (Symantec Corporation)
    LiveUpdate 2.6 (Symantec Corporation)
    Logitech MouseWare 9.70
    Logitech Resource Center
    Macromedia Dreamweaver 4
    Macromedia Extension Manager
    MailWasher Pro
    Microsoft Internet Explorer 6 SP1 and Internet Tools
    Microsoft Office 2000 Professional
    Microsoft Outlook Express 6
    Microsoft Web Publishing Wizard 1.6
    Monitor Calibration Wizard 1.0
    Mozilla Firefox (2.0.0.1)
    MyDVD
    Nero - Burning ROM
    NfoDiz 5.0
    Notespad
    NoteWorthy Composer
    NVIDIA Windows 95/98/ME Display Drivers
    PDF reDirect (remove only)
    Pdf995
    Pegasus Mail
    PowerQuest PartitionMagic Pro 7.0
    Release RAM Professional
    Serials 2000
    Shareaza version 2.1.0.0
    Shockwave
    Sibelius 2
    SiSoftware Sandra Professional 2004.SP2b (Win32 x86)
    SmartFTP
    SmartFTP Client 2.0
    SmartFTP Client 2.0 Setup Files (remove only)
    SpyBot - Search & Destroy 1.1
    Symantec Ghost
    TablEdit 2.62
    The LangaList Complete Archives 2006.03
    Touch Manager (PS/2 Compact Ergonomic Keyboard)
    Tweak UI
    UltraPlayer
    Uninstall
    USB2IDE_CF_SSFDC USB Device Driver 2.6
    Verizon Online DSL
    Verizon Online Support Center
    Virtual Pool 3
    Visual IP InSight(Verizon Online)
    VuePrint
    Wacom Tablet Driver
    Wacom Tablet Windows 95 Drivers
    Winamp (remove only)
    WinRAR archiver
    WinZip
    XVid;-)
    Yahoo! Address AutoComplete
    Yahoo! Internet Mail
    Yahoo! SiteBuilder
    ZoneAlarm



     
  11. 2007/01/22
    frayedknotarts (Thread Starter)
    Looking good! Spybot and AdAware found a very few red entries... deleted them and re-scanned with no more results, updated AVG and scanned, and it all seems to be back to normal. Checked ZoneAlarm for anything and reset all programs to ask for access...

    Went downstairs and did all the above to the remote computer (same thing happened with START.EXE.... must be one last little malicious spike from the makers of the virus) and hooked it back up.... both are accessing the internet at good speed with no apparent problems.

    Interesting thing; I noted the date on WinUpdate.exe before deleting and saw it was 12/08/06... must have been d/l'd then and sat quiescent over a month before kicking in?


    Well, it looks good.... I await your imprimatur of serviceability. Incidentally, if you'd like a copy of EXEfix08.com, you can d/l it at the Reticulated Toys homepage.

    Again, vociferous and strident thanks for your help in this.... I could not have fixed the problem without your help and WindowsBBS's existence. I truly appreciate you guys!
     
    Last edited: 2007/01/22
  12. 2007/01/23
    TeMerc
    Ok, everything looks good and I'm glad you have gotten things back to normal.

    It's not unusual for infections to lie on a machine unnoticed, just glad we were able to get it removed. And that could also have been a ploy by the malware writers to fool you, it's common.

    Out of all the items on your uninstall list, the following need to go:
    Ad-aware 6 Plus<<<--old version

    Kazaa Lite v2.1.0 [K++ Edition] [build 3] <<<--P2P file sharing............B-A-D

    Shareaza version 2.1.0.0 <<<--See Kazaa

    SpyBot - Search & Destroy 1.1<<<<---See Ad-aware 6

    We have one minor item for fixing with HJT:
    R3 - Default URLSearchHook is missing

    Reboot after fix, if no longer present, no need for new log.


    We have 3 more things to do, mostly maintenance and then our recommendations:

    Empty the TIF (Temporary Internet Files)
    Delete all the files in (and any subfolders of) the C:\Windows\Temp folder
    The app below will help with temp files.
    Index.dat Suite

    Also, delete all your cookies, and empty your recycle bin. But remember, by deleting your cookies, you will have to re-enter any passwords and log-in info for any sites you are usually required to do so with.

    To further prevent the installation of ad/mal/spyware, DL the apps below, which are just as good in the fight against ad/mal/spyware as AdAware & Spybot S&D:

    SpywareBlaster
    With SpywareBlaster v3.5.1, just DL, install and check for updates, enable Internet Explorer protection, and you're done! I don't recommend using IE restricted sites protection as it's not a very large database. Use IE-SPYADs below.

    To avoid known malware infested sites from loading in IE install IESPY ADS.
    And MVPS Hosts File will accomplish a similar tactic and provide another layer of protection.

    And to prevent unknown applications from being inserted to start up on your machine install WinPatrol v10.0.5.

    Another thing I would suggest, is to install SiteAdvisor. It gives sites a few different 'ratings' and while not fool proof, a good additional layer of information about many sites.

    Links for tutorials for all the apps I mentioned can be found on my site as well.

    Confused about which apps are good or not? Read about Rogue/Approved Anti Security apps

    And just because you have security apps installed, they are useless unless updated regularly. Keep track of updates for ALL your security needs here:
    Calendar of Updates

    Subscribe to update alerts for all the above security apps here.

    You can also see my own ongoing security testing with all the above apps, proving how secure you can be with them installed.
    TeMerc Test Box Forum

    Happy surfing!!
    Tom :D
     
  13. 2007/01/23
    frayedknotarts (Thread Starter)
    right, then.... done and done.

    Again, thanks for the help!
     
  14. 2007/01/23
    TeMerc
    Glad we could be of assistance.

    Due to resolution this topic is closed.

    If you need this topic reopened, please request this by sending the moderating team a PM with the address of the thread. This applies only to the original topic starter.
     