We've experienced a dodgy change of a VerifiedByVisa password. Eeek!
With several machines in the house I'm trying to prove each is clean and that it wasn't compromised here.
Scanned with:
AVIRA. Clean now (but hated old analogx/proxy - unused for years anyway).
(claimed we had suela-1042 in swapfile - common false positive)
(disliked cgmopenbho.dll - removed)
SuperAntiSpyware. Clean now (lots of cookies of course. Dodgy Netstat/Killtask.)
Checked large chunks with Dr.Web LiveCD but it crashed before end.
Thanks
So here's the HijackThis log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 03:07:08, on 12/02/09
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal
Running processes:
C:\WIN98SE\SYSTEM\KERNEL32.DLL
C:\WIN98SE\SYSTEM\MSGSRV32.EXE
C:\WIN98SE\SYSTEM\SPOOL32.EXE
C:\WIN98SE\SYSTEM\MPREXE.EXE
C:\PROGRAM FILES\SYGATE\SPF\SMC.EXE
C:\PROGRAM FILES\COMMON FILES\EPSON\EBAPI\SAGENT4.EXE
C:\WIN98SE\SYSTEM\NTPTIME.EXE
C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHSERV.EXE
C:\WIN98SE\SYSTEM\mmtask.tsk
C:\WIN98SE\EXPLORER.EXE
C:\WIN98SE\SYSTEM\RPCSS.EXE
C:\WIN98SE\TASKMON.EXE
C:\WIN98SE\SYSTEM\SYSTRAY.EXE
C:\WIN98SE\SYSTEM\PDESK.EXE
C:\WIN98SE\SOUNDMAN.EXE
C:\PROGRAM FILES\RF WIRELESS MOUSE\CM98.EXE
C:\PROGRAM FILES\MICROSOFT HARDWARE\KEYBOARD\TYPE32.EXE
C:\WIN98SE\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHWEBSV.EXE
C:\WIN98SE\RunDLL.exe
F:\PROGRAMS\MOZILLA.ORG\SEAMONKEY\SEAMONKEY.EXE
C:\PROGRAM FILES\MSI\PC ALERT 4\PCALERT4.EXE
C:\PROGRAM FILES\EPSON\EPSON CARDMONITOR\EPSON CARDMONITOR1.2.EXE
F:\PROGRAMS\SAAB\EPC\TOOLBAR\EPSIBAR.EXE
I:\_MAIL_HUB\MERCURY\MERCURY.EXE
C:\WIN98SE\SYSTEM\DDHELP.EXE
C:\WIN98SE\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\LOGITECH\WINGMAN SOFTWARE\LWEMON.EXE
C:\WIN98SE\SYSTEM\GRVSA.EXE
C:\WIN98SE\SYSTEM\INTERNAT.EXE
C:\PROGRAM FILES\SUPERANTISPYWARE\SUPERANTISPYWARE.EXE
C:\PROGRAM FILES\TREND MICRO\HIJACKTHIS\HIJACKTHIS.EXE
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: (no name) - {FFFFFEF0-5B30-21D4-945D-000000000000} - F:\PROGRAMS\STARDO~1\SDIEINT.DLL
O2 - BHO: (no name) - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - (no file)
O2 - BHO: (no name) - {F156768E-81EF-470C-9057-481BA8380DBA} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WIN98SE\SYSTEM\MSDXM.OCX
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O4 - HKLM\..\Run: [ScanRegistry] C:\WIN98SE\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WIN98SE\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Matrox Powerdesk] C:\WIN98SE\SYSTEM\PDesk.exe /Autolaunch
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Start RF Wireless Mouse] C:\Program Files\RF Wireless Mouse\cm98.exe
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [StillImageMonitor] C:\WIN98SE\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [avast! Web Scanner] C:\PROGRA~1\ALWILS~1\AVAST4\ASHWEBSV.EXE
O4 - HKLM\..\RunServices: [SmcService] C:\PROGRAM FILES\SYGATE\SPF\SMC.EXE
O4 - HKLM\..\RunServices: [Path] C:\Program Files\Common Files\EPSON\EBAPI\SAgent4.exe
O4 - HKLM\..\RunServices: [NTPTime] ntptime.exe
O4 - HKLM\..\RunServices: [avast!] C:\Program Files\Alwil Software\Avast4\ashServ.exe
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - HKCU\..\Run: [SeaMonkey Quick Launch] "F:\Programs\MOZILLA.ORG\SEAMONKEY\SeaMonkey.exe" -turbo
O4 - HKCU\..\Run: [Start WingMan Profiler] "C:\Program Files\Logitech\WingMan Software\lwtest.exe" /detect /quiet /launch "C:\Program Files\Logitech\WingMan Software\lwemon.exe /noui"
O4 - HKUS\.DEFAULT\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [SeaMonkey Quick Launch] "F:\Programs\MOZILLA.ORG\SEAMONKEY\SeaMonkey.exe" -turbo (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [Start WingMan Profiler] "C:\Program Files\Logitech\WingMan Software\lwtest.exe" /detect /quiet /launch "C:\Program Files\Logitech\WingMan Software\lwemon.exe /noui" (User 'Default user')
O4 - .DEFAULT Startup: PC Alert 4.lnk = C:\Program Files\MSI\PC Alert 4\PCAlert4.exe (User 'Default user')
O4 - .DEFAULT Startup: EPSON CardMonitor.lnk = C:\Program Files\EPSON\EPSON CardMonitor\EPSON CardMonitor1.2.exe (User 'Default user')
O4 - .DEFAULT Startup: EPSI ToolBar.lnk = F:\Programs\SAAB\EPC\TOOLBAR\EPSIBAR.EXE (User 'Default user')
O4 - .DEFAULT Startup: Mercury Mail Hub.lnk = I:\_MAIL_HUB\MERCURY\mercury.exe (User 'Default user')
O4 - .DEFAULT Startup: Sygate Security.lnk = C:\Program Files\Sygate\SPF\Smc.exe (User 'Default user')
O4 - Startup: PC Alert 4.lnk = C:\Program Files\MSI\PC Alert 4\PCAlert4.exe
O4 - Startup: EPSON CardMonitor.lnk = C:\Program Files\EPSON\EPSON CardMonitor\EPSON CardMonitor1.2.exe
O4 - Startup: EPSI ToolBar.lnk = F:\Programs\SAAB\EPC\TOOLBAR\EPSIBAR.EXE
O4 - Startup: Mercury Mail Hub.lnk = I:\_MAIL_HUB\MERCURY\mercury.exe
O4 - Startup: Sygate Security.lnk = C:\Program Files\Sygate\SPF\Smc.exe
O8 - Extra context menu item: Download with Star Downloader - F:\PROGRAMS\STAR DOWNLOADER\sdie.htm
O8 - Extra context menu item: Download using FlashGet - D:\TEST_INSTALL\FLASHGET\jc_link.htm
O8 - Extra context menu item: Download All by FlashGet - D:\TEST_INSTALL\FLASHGET\jc_all.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WIN98SE\SYSTEM\MSJAVA.DLL
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WIN98SE\SYSTEM\MSJAVA.DLL
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - D:\TEST_INSTALL\FLASHGET\FLASHGET.EXE (file missing)
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - D:\TEST_INSTALL\FLASHGET\FLASHGET.EXE (file missing)
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WIN98SE\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WIN98SE\bdoscandel.exe
O16 - DPF: {4E330863-6A11-11D0-BFD8-006097237877} (InstallFromTheWeb ActiveX Control) - http://tw.msi.com.tw/autobios/client/iftwclix.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me ... b31267.cab
O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - http://download.zonelabs.com/bin/promot ... 371110.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan ... asinst.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/Shar ... /cabsa.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/Shar ... vSniff.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resourc ... oscan8.cab
O20 - Winlogon Notify: !SASWinLogon - C:\PROGRAM FILES\SUPERANTISPYWARE\SASWINLO.DLL
--
End of file - 6804 bytes