Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Hercules: HiJackThis Log after possible password compromise

Post by KevinR » February 11th, 2009, 11:09 pm

My Machine: Hercules

We've experienced a dodgy change of a VerifiedByVisa password. Eeek!
With several machines in the house I'm trying to prove each is clean and that it wasn't compromised here.

Scanned with:
AVIRA. Clean now (but hated old analogx/proxy - unused for years anyway).
(claimed we had suela-1042 in swapfile - common false positive)
(disliked cgmopenbho.dll - removed)
SuperAntiSpyware. Clean now (Lots of cookies of course. Dodgy Netstat/Killtask.)

Checked large chunks with Dr.Web LiveCD but it crashed before end.
Thanks

So here's the HiJackThis Log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 03:07:08, on 12/02/09
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WIN98SE\SYSTEM\KERNEL32.DLL
C:\WIN98SE\SYSTEM\MSGSRV32.EXE
C:\WIN98SE\SYSTEM\SPOOL32.EXE
C:\WIN98SE\SYSTEM\MPREXE.EXE
C:\PROGRAM FILES\SYGATE\SPF\SMC.EXE
C:\PROGRAM FILES\COMMON FILES\EPSON\EBAPI\SAGENT4.EXE
C:\WIN98SE\SYSTEM\NTPTIME.EXE
C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHSERV.EXE
C:\WIN98SE\SYSTEM\mmtask.tsk
C:\WIN98SE\EXPLORER.EXE
C:\WIN98SE\SYSTEM\RPCSS.EXE
C:\WIN98SE\TASKMON.EXE
C:\WIN98SE\SYSTEM\SYSTRAY.EXE
C:\WIN98SE\SYSTEM\PDESK.EXE
C:\WIN98SE\SOUNDMAN.EXE
C:\PROGRAM FILES\RF WIRELESS MOUSE\CM98.EXE
C:\PROGRAM FILES\MICROSOFT HARDWARE\KEYBOARD\TYPE32.EXE
C:\WIN98SE\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHWEBSV.EXE
C:\WIN98SE\RunDLL.exe
F:\PROGRAMS\MOZILLA.ORG\SEAMONKEY\SEAMONKEY.EXE
C:\PROGRAM FILES\MSI\PC ALERT 4\PCALERT4.EXE
C:\PROGRAM FILES\EPSON\EPSON CARDMONITOR\EPSON CARDMONITOR1.2.EXE
F:\PROGRAMS\SAAB\EPC\TOOLBAR\EPSIBAR.EXE
I:\_MAIL_HUB\MERCURY\MERCURY.EXE
C:\WIN98SE\SYSTEM\DDHELP.EXE
C:\WIN98SE\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\LOGITECH\WINGMAN SOFTWARE\LWEMON.EXE
C:\WIN98SE\SYSTEM\GRVSA.EXE
C:\WIN98SE\SYSTEM\INTERNAT.EXE
C:\PROGRAM FILES\SUPERANTISPYWARE\SUPERANTISPYWARE.EXE
C:\PROGRAM FILES\TREND MICRO\HIJACKTHIS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: (no name) - {FFFFFEF0-5B30-21D4-945D-000000000000} - F:\PROGRAMS\STARDO~1\SDIEINT.DLL
O2 - BHO: (no name) - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - (no file)
O2 - BHO: (no name) - {F156768E-81EF-470C-9057-481BA8380DBA} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WIN98SE\SYSTEM\MSDXM.OCX
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O4 - HKLM\..\Run: [ScanRegistry] C:\WIN98SE\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WIN98SE\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Matrox Powerdesk] C:\WIN98SE\SYSTEM\PDesk.exe /Autolaunch
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Start RF Wireless Mouse] C:\Program Files\RF Wireless Mouse\cm98.exe
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [StillImageMonitor] C:\WIN98SE\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [avast! Web Scanner] C:\PROGRA~1\ALWILS~1\AVAST4\ASHWEBSV.EXE
O4 - HKLM\..\RunServices: [SmcService] C:\PROGRAM FILES\SYGATE\SPF\SMC.EXE
O4 - HKLM\..\RunServices: [Path] C:\Program Files\Common Files\EPSON\EBAPI\SAgent4.exe
O4 - HKLM\..\RunServices: [NTPTime] ntptime.exe
O4 - HKLM\..\RunServices: [avast!] C:\Program Files\Alwil Software\Avast4\ashServ.exe
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - HKCU\..\Run: [SeaMonkey Quick Launch] "F:\Programs\MOZILLA.ORG\SEAMONKEY\SeaMonkey.exe" -turbo
O4 - HKCU\..\Run: [Start WingMan Profiler] "C:\Program Files\Logitech\WingMan Software\lwtest.exe" /detect /quiet /launch "C:\Program Files\Logitech\WingMan Software\lwemon.exe /noui"
O4 - HKUS\.DEFAULT\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [SeaMonkey Quick Launch] "F:\Programs\MOZILLA.ORG\SEAMONKEY\SeaMonkey.exe" -turbo (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [Start WingMan Profiler] "C:\Program Files\Logitech\WingMan Software\lwtest.exe" /detect /quiet /launch "C:\Program Files\Logitech\WingMan Software\lwemon.exe /noui" (User 'Default user')
O4 - .DEFAULT Startup: PC Alert 4.lnk = C:\Program Files\MSI\PC Alert 4\PCAlert4.exe (User 'Default user')
O4 - .DEFAULT Startup: EPSON CardMonitor.lnk = C:\Program Files\EPSON\EPSON CardMonitor\EPSON CardMonitor1.2.exe (User 'Default user')
O4 - .DEFAULT Startup: EPSI ToolBar.lnk = F:\Programs\SAAB\EPC\TOOLBAR\EPSIBAR.EXE (User 'Default user')
O4 - .DEFAULT Startup: Mercury Mail Hub.lnk = I:\_MAIL_HUB\MERCURY\mercury.exe (User 'Default user')
O4 - .DEFAULT Startup: Sygate Security.lnk = C:\Program Files\Sygate\SPF\Smc.exe (User 'Default user')
O4 - Startup: PC Alert 4.lnk = C:\Program Files\MSI\PC Alert 4\PCAlert4.exe
O4 - Startup: EPSON CardMonitor.lnk = C:\Program Files\EPSON\EPSON CardMonitor\EPSON CardMonitor1.2.exe
O4 - Startup: EPSI ToolBar.lnk = F:\Programs\SAAB\EPC\TOOLBAR\EPSIBAR.EXE
O4 - Startup: Mercury Mail Hub.lnk = I:\_MAIL_HUB\MERCURY\mercury.exe
O4 - Startup: Sygate Security.lnk = C:\Program Files\Sygate\SPF\Smc.exe
O8 - Extra context menu item: Download with Star Downloader - F:\PROGRAMS\STAR DOWNLOADER\sdie.htm
O8 - Extra context menu item: Download using FlashGet - D:\TEST_INSTALL\FLASHGET\jc_link.htm
O8 - Extra context menu item: Download All by FlashGet - D:\TEST_INSTALL\FLASHGET\jc_all.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WIN98SE\SYSTEM\MSJAVA.DLL
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WIN98SE\SYSTEM\MSJAVA.DLL
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - D:\TEST_INSTALL\FLASHGET\FLASHGET.EXE (file missing)
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - D:\TEST_INSTALL\FLASHGET\FLASHGET.EXE (file missing)
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WIN98SE\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WIN98SE\bdoscandel.exe
O16 - DPF: {4E330863-6A11-11D0-BFD8-006097237877} (InstallFromTheWeb ActiveX Control) - http://tw.msi.com.tw/autobios/client/iftwclix.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me ... b31267.cab
O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - http://download.zonelabs.com/bin/promot ... 371110.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan ... asinst.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/Shar ... /cabsa.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/Shar ... vSniff.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resourc ... oscan8.cab
O20 - Winlogon Notify: !SASWinLogon - C:\PROGRAM FILES\SUPERANTISPYWARE\SASWINLO.DLL

--
End of file - 6804 bytes
KevinR
Active Member
 
Posts: 4
Joined: February 11th, 2009, 10:50 pm
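The log above contains the three classes of line a helper scans for first: registry entries whose file is gone ("(no file)", "(file missing)"), O4 autorun commands given without a drive or directory (so Windows resolves them through PATH and the file that actually runs has to be located by hand), and O16 entries that fetch ActiveX code from a remote host. As an added example that is not a MalwareRemoval.com tool and not part of HijackThis, the Python script below parses a subset of the posted log and reports those three classes; the triage rules and the `Finding` kinds are the script's own assumptions.

```python
"""Triage helper for a HijackThis log (added example; the rules below are
assumptions, not HijackThis or MalwareRemoval.com logic)."""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Tuple
from urllib.parse import urlparse

# Sample input: a subset of the lines from the log posted in the thread.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: (no name) - {FFFFFEF0-5B30-21D4-945D-000000000000} - F:\PROGRAMS\STARDO~1\SDIEINT.DLL
O2 - BHO: (no name) - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - (no file)
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [TaskMonitor] C:\WIN98SE\taskmon.exe
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\RunServices: [NTPTime] ntptime.exe
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - D:\TEST_INSTALL\FLASHGET\FLASHGET.EXE (file missing)
O16 - DPF: {4E330863-6A11-11D0-BFD8-006097237877} (InstallFromTheWeb ActiveX Control) - http://tw.msi.com.tw/autobios/client/iftwclix.cab
O20 - Winlogon Notify: !SASWinLogon - C:\PROGRAM FILES\SUPERANTISPYWARE\SASWINLO.DLL
"""

# Every entry line starts with a section tag such as R0, O2, O16.
ENTRY_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.+)$")
# O4 bodies look like:  HKLM\..\Run: [Name] command line
O4_RE = re.compile(r"^(?P<hive>[^:\[]+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")


@dataclass(frozen=True)
class Finding:
    section: str
    kind: str      # "orphaned", "unqualified_autorun" or "remote_code" (assumed names)
    detail: str


def parse_entries(text: str) -> List[Tuple[str, str]]:
    """Return (section, body) for every 'Oxx - ...' / 'Rx - ...' line."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("section"), m.group("body")))
    return entries


def first_token(cmd: str) -> str:
    """Executable part of an autorun command line; honours a leading quoted path."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0]


def triage(text: str) -> List[Finding]:
    findings: List[Finding] = []
    for section, body in parse_entries(text):
        # Registry entries whose file is gone: leftovers to clean, not an active threat.
        if "(no file)" in body or "(file missing)" in body:
            findings.append(Finding(section, "orphaned", body))
            continue
        if section == "O4":
            m = O4_RE.match(body)
            if m:
                exe = first_token(m.group("cmd"))
                # No drive or directory: resolved via PATH, so the file that really
                # runs must be located and checked by hand.
                if "\\" not in exe and ":" not in exe:
                    findings.append(Finding(section, "unqualified_autorun",
                                            f"[{m.group('name')}] {exe}"))
        elif section == "O16":
            # Downloaded Program Files: ActiveX code fetched from the listed host.
            url = body.rsplit(" - ", 1)[-1].strip()
            host = urlparse(url).hostname or url
            findings.append(Finding(section, "remote_code", host))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per kind, e.g. {'orphaned': 3, ...}."""
    return dict(Counter(f.kind for f in findings))


if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for f in results:
        print(f"{f.section:4} {f.kind:20} {f.detail}")
    print(summarize(results))
```

Running it on the sample prints three orphaned entries (the two BHO/toolbar CLSIDs with no file and the missing FlashGet button), two PATH-resolved autoruns (SysTray.Exe and ntptime.exe) and one remote host for the O16 control. None of these is by itself evidence of the password compromise the poster describes; the script only narrows the log to the lines worth checking by hand.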

Re: Hercules: HiJackThis Log after possible password compromise

Post by Carolyn » February 23rd, 2009, 11:56 am

Hello and Welcome to the forums!

My name is Carolyn and I'll be glad to help you with your computer problems. HijackThis logs can take some time to research, so please be patient with me. I know that you need your computer working as quickly as possible, and I will work hard to help see that it happens.

Please do not run any other tool until instructed to do so!
Please reply to this thread, do not start another!
Please tell me about any problems that have occurred during the fix.
Please tell me of any other symptoms you may be having as these can help also.
Please try as much as possible not to run anything while executing a fix.


If you follow these instructions, everything should go smoothly.

I am currently looking at your log now and will be back as soon as possible with your instructions.
Carolyn
MRU Emeritus
 
Posts: 4701
Joined: April 18th, 2007, 9:36 am
Location: Maine

Re: Hercules: HiJackThis Log after possible password compromise

Post by Carolyn » February 23rd, 2009, 12:45 pm

Hello,

Run SuperAntiSpyware
  • Launch SuperAntiSpyware
  • Click Check for Updates and update to the latest definitions.
  • Click Scan your Computer
    • Check all boxes in the Scan Location box.
    • Check the Complete Scan radio button.
    • Click Scanning Preferences/Control Centre button.
      • Uncheck Ignore files larger than 4MB (recommended)
      • Check Scan Alternate Data Streams.
      • Click Close.
    • Click Next
  • SuperAntiSpyware will now scan your computer for infection. (This could take in excess of an hour depending on the number of files scanned)
  • When finished it will present you with a summary of its findings.
  • Click OK.
  • The Removal Screen will open.
    • Check the items in the list to mark them for Quarantine.
    • Click Next and SAS will Quarantine them.
Please send me the log.
  • Click the Preferences button.
    • Click the Statistics/Logs tab.
      • Logs are listed by date and time, click on the latest one to highlight it (at the top).
      • Click View log.
    • This will open a log page.
    • Copy/Paste the contents in your next post please.
CAUTION: SuperAntiSpyware comes with a programme called Bootsafe, do not for any reason use this programme, if used on an infected computer it could render it UNBOOTABLE.

========================

Make an uninstall list using HijackThis
To access the Uninstall Manager you would do the following:

1. Start HijackThis
2. Click on the Config button
3. Click on the Misc Tools button
4. Click on the Open Uninstall Manager button.
5. Click on the Save list... button and specify where you would like to save this file. When you press Save button a notepad will open with the contents of that file. Simply copy and paste the contents of that notepad here in your next reply.

========================

Please post the SuperAntiSpyware log, the Uninstall List and a fresh HijackThis log in your next reply.
Carolyn
MRU Emeritus
 
Posts: 4701
Joined: April 18th, 2007, 9:36 am
Location: Maine

Re: Hercules: HiJackThis Log after possible password compromise

Post by NonSuch » February 28th, 2009, 4:03 am

Due to a lack of response, this topic is now closed.

If you still require help, please open a new thread in the Infected? Virus, malware, adware, ransomware, oh my! forum, include a fresh FRST log, and wait for a new helper.
NonSuch
Administrator
 
Posts: 28747
Joined: February 23rd, 2005, 7:08 am
Location: California