#1
Help!!!
Greetings. I am hoping someone can help me, because up to this point, I haven't found anyone who could elsewhere.
About two weeks ago, when I logged onto the internet, something strange started happening. I would be online for about 30 minutes or so, and graphics would start to not load. Then after a short while, no graphics at all. A few more minutes after that, the webpages would stop loading and I would have to completely reboot my system and start over again. Then, the same thing would happen all over again. So, to try to fix this problem, I first upgraded my browser to IE 6.0. No effect on my problem. I cleared my cache of everything, thinking this might be the problem. I have it set to 15 MB and to "Automatically" check. Still no effect on my problem. It had been a while since I ran Scandisk and Defragged my system, so I did both of them as well a few days ago. Something stranger happened. Now, when I log online, it loads my start page, with no graphics, but if I try to do anything else or go anywhere, the webpages won't load. So, then I thought maybe I have some weird virus or something, so I went and bought a new virus scanning program. Just got done running it a little while ago, and it did find viruses on my system, so I took care of them. Actually, I was happy to find the viruses, thinking that I finally kicked the problem. No dice. Still doing the same thing when I log on. This is extremely frustrating, as I do a lot of stuff online. I'm at a loss and don't know what to do. I have talked with a few "tech experts" at my ISP, and they pretty much told me the stuff I already did, so they weren't any help. Now, I'm hoping someone here will hopefully know what to do, so I don't have to use my 7-year-old Compaq for very long to get online. I have an HP Celeron 500 MHz computer with 191 MB of RAM and a 20 GB HD. Everything is standard stuff that came with the computer, like the modem and graphics card and such. Like I said, it just started about two weeks ago with no warning.
I didn't do anything or go anywhere online that I don't go every day, so nothing out of the ordinary happened to cause this problem. I'm lost horribly and don't know what to do. HELP!!!! Any help or guidance you can provide would be greatly appreciated. Thank you.
Mage
#2
Hi Magestrike, Welcome to CTH!
Let's see if there is anything left of the virus or any other malware that may be involved. Go here and download, unzip and run StartupList. It will create a log file, copy the log and paste it in a reply.
http://www.lurkhere.com/~nicefiles/index.html
#3
Ok..
Man, that was difficult. I had to keep going between the two computers, because I have no ability to do anything online with the HP...lol. OK...here it is (it is kinda long, hope you wanted it all):
StartupList report, 3/6/03, 7:59:07 AM StartupList version: 1.52 Started from : A:\STARTUPLIST.EXE Detected: Windows 98 SE (Win9x 4.10.2222A) Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106) * Using default options ================================================== Running processes: C:\WINDOWS\SYSTEM\KERNEL32.DLL C:\WINDOWS\SYSTEM\MSGSRV32.EXE C:\WINDOWS\SYSTEM\MPREXE.EXE C:\PROGRAM FILES\EASY INTERNET\ENCMONTR.EXE C:\WINDOWS\SYSTEM\MSGLOOP.EXE C:\WINDOWS\SYSTEM\MSTASK.EXE C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\AVSYNMGR.EXE C:\WINDOWS\SYSTEM\MSG32.EXE C:\WINDOWS\SYSTEM\mmtask.tsk C:\WINDOWS\SYSTEM\HIDSERV.EXE C:\WINDOWS\EXPLORER.EXE C:\WINDOWS\SYSTEM\SYSTRAY.EXE C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMKEYBD.EXE C:\WINDOWS\SYSTEM\HPSYSDRV.EXE C:\WINDOWS\SYSTEM\USBMMKBD.EXE C:\WINDOWS\SYSTEM\STIMON.EXE C:\WINDOWS\SYSTEM\QTTASK.EXE C:\PROGRAM FILES\TIMESINK\ADGATEWAY\TSADBOT.EXE C:\WINDOWS\AUSVC.EXE C:\WINDOWS\BVT.EXE C:\WINDOWS\ABSR.EXE C:\PROGRAM FILES\MCAFEE\MCAFEE SHARED COMPONENTS\GUARDIAN\CMGRDIAN.EXE C:\WINDOWS\RunDLL.exe C:\PROGRAM FILES\MCAFEE\MCAFEE SHARED COMPONENTS\INSTANT UPDATER\RULAUNCH.EXE C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\KEYBDMGR.EXE C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\WORKS SHARED\WKCALREM.EXE C:\COREL\OFFICE7\SHARED\PFIT7\PFPPOP70.EXE C:\PROGRAM FILES\CALLWAVE\IAM.EXE C:\PROGRAM FILES\NETROPA\ONSCREEN DISPLAY\OSD.EXE C:\WINDOWS\SYSTEM\RNAAPP.EXE C:\WINDOWS\SYSTEM\WMIEXE.EXE C:\WINDOWS\SYSTEM\TAPISRV.EXE C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\VSSTAT.EXE C:\WINDOWS\SYSTEM\SPOOL32.EXE C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMUSBKB2.EXE C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\VSHWIN32.EXE C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\AVCONSOL.EXE A:\STARTUPLIST.EXE -------------------------------------------------- Listing of startup folders: Shell folders Startup: [C:\WINDOWS\Start Menu\Programs\StartUp] Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common 
Files\Microsoft Shared\Works Shared\wkcalrem.exe PerfectPrint.LNK = C:\Corel\Office7\Shared\PFit7\PFPPOP70.EXE Internet Answering Machine.lnk = C:\Program Files\CallWave\IAM.EXE Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE PowerReg Scheduler.exe -------------------------------------------------- Autorun entries from Registry: HKLM\Software\Microsoft\Windows\CurrentVersion\Run ScanRegistry = c:\windows\scanregw.exe /autorun SystemTray = SysTray.Exe LoadPowerProfile = Rundll32.exe powrprof.dll,LoadCurrentPwrScheme Keyboard Manager = C:\Program Files\Netropa\One-touch Multimedia Keyboard\MMKeybd.exe hpsysdrv = c:\windows\system\hpsysdrv.exe USBMMKBD = usbmmkbd.exe StillImageMonitor = C:\WINDOWS\SYSTEM\STIMON.EXE CriticalUpdate = c:\windows\SYSTEM\wucrtupd.exe -startup McAfeeWebScanX = C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\WebScanX.exe QuickTime Task = C:\WINDOWS\SYSTEM\QTTASK.EXE TimeSink Ad Client = "C:\Program Files\TimeSink\AdGateway\TSADBOT.EXE" ausvc = C:\WINDOWS\ausvc.exe SysScan = C:\WINDOWS\bvt.exe ABsr = C:\WINDOWS\absr.exe McAfee Guardian = "c:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe" /SU -------------------------------------------------- Autorun entries from Registry: HKLM\Software\Microsoft\Windows\CurrentVersion\Run Services LoadPowerProfile = Rundll32.exe powrprof.dll,LoadCurrentPwrScheme Encompass_ENCMONTR = C:\Program Files\Easy Internet\ENCMONTR.EXE Hidserv = Hidserv.exe run SchedulingAgent = mstask.exe McAfeeVirusScanService = c:\Program Files\McAfee\McAfee VirusScan\AVSYNMGR.EXE -------------------------------------------------- Autorun entries from Registry: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Taskbar Display Controls = RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY McAfee.InstantUpdate.Monitor = "c:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe" /STARTMONITOR -------------------------------------------------- Load/Run keys from 
C:\WINDOWS\WIN.INI: load= run=hpfsched -------------------------------------------------- Shell & screensaver key from C:\WINDOWS\SYSTEM.INI: Shell=Explorer.exe SCRNSAVE.EXE= drivers=mmsystem.dll power.drv -------------------------------------------------- C:\WINDOWS\WININIT.BAK listing: (Created 6/3/2003, 1:58:36) [rename] NUL=C:\WINDOWS\DELETE.EXE -------------------------------------------------- C:\AUTOEXEC.BAT listing: SET CLASSPATH=C:\Program Files\PhotoDeluxe 2.0\AdobeConnectables;c:\COREL\OFFICE7\SHARED\BARI STA;.;c:\COREL\OFFICE7\SHARED\TRUEDOC path C:\WINDOWS;C:\WINDOWS\COMMAND c:\windows\system\setpower.exe SET LD_LIBRARY_PATH=c:\COREL\OFFICE7\SHARED\TRUEDOC\BI N SET PATH=%PATH%;c:\COREL\OFFICE7\SHARED\TRUEDOC\BIN c:\PROGRA~1\COMMON~1\NETWOR~1\VIRUSS~1\40~1.XX\sca npm.exe c:\ IF ERRORLEVEL 1 PAUSE -------------------------------------------------- Enumerating Browser Helper Objects: (no name) - (no file) - {CD4C3CF0-4B15-11D1-ABED-709549C10000} (no name) - C:\WINDOWS\SYSTEM\AMCIS.DLL - {EBBFE27C-BDF0-11D2-BBE5-00609419F467} -------------------------------------------------- Enumerating Task Scheduler jobs: Tune-up Application Start.job Windows Critical Update Notification.job -------------------------------------------------- Enumerating Download Program Files: [ScanCtl Class] InProcServer32 = C:\WINDOWS\DOWNLO~1\UZDETECT.OCX CODEBASE = http://outpost.zdnet.com/updates/resources/updates.cab [CV3 Class] InProcServer32 = C:\WINDOWS\SYSTEM\WUV3IS.DLL CODEBASE = http://windowsupdate.microsoft.com/R...n/actsetup.cab [Shockwave Flash Object] InProcServer32 = C:\WINDOWS\SYSTEM\MACROMED\FLASH\FLASH.OCX CODEBASE = https://download.macromedia.com/pub/...sh/swflash.cab [VivoActive Control] InProcServer32 = C:\WINDOWS\DOWNLO~1\VVWEB.OCX CODEBASE = http://player.vivo.com/ie/vvweb.cab [Yahoo! 
Audio Conferencing] InProcServer32 = C:\PROGRAM FILES\YAHOO!\MESSENGER\YACSCOM.DLL CODEBASE = http://cs6.chat.yahoo.com/v/yacscom.cab [iWon Slot Machine] InProcServer32 = C:\PROGRAM FILES\IWON\IWONSLOT\4.BIN\IWONSLOT.DLL CODEBASE = http://www.iwon.com/ct/in_wn/iwonslot1,0,1,5.cab [FileAccess Control] InProcServer32 = C:\WINDOWS\DOWNLO~1\FILEAC~1.OCX CODEBASE = http://ifilm.digitalmercury.com/wm/FileAccess.OCX [Mbayactx Control] InProcServer32 = C:\WINDOWS\DOWNLO~1\MBAYACTX.OCX CODEBASE = http://ez.messagebay.com/code1/mbayactx.cab [sys Class] InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\PCPITSTOP.DLL CODEBASE = http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB [WONWebLauncher Class] InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\WONWEBLAUNCHERCONTROL.OCX CODEBASE = http://128.11.20.135/tools/WONWebLauncherControl.cab [Shockwave ActiveX Control] InProcServer32 = C:\WINDOWS\SYSTEM\MACROMED\DIRECTOR\SWDIR.DLL CODEBASE = http://download.macromedia.com/pub/s...swdir8d204.cab [HeartbeatCtl Class] InProcServer32 = C:\WINDOWS\DOWNLO~1\HRTBEAT.OCX CODEBASE = http://fdl.msn.com/zone/Z4/heartbeat.cab [iWon Progressive Counter] InProcServer32 = C:\PROGRAM FILES\IWON\IWONSLOT\5.BIN\IWONSLOT.DLL CODEBASE = http://download.iwon.com/ct/pm2/iWonPMSetup1,0,2,3.exe [AV Class] InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\PAV.DLL CODEBASE = http://www.pcpitstop.com/antivirus/PCPAV.CAB [Pinger Class] InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\PING.OCX CODEBASE = http://www.pcpitstop.com/internet/Ping.cab [Live365Player Class] InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\PLAY365.DLL CODEBASE = http://www.live365.com/players/play365.cab [QuickTime Object] InProcServer32 = C:\WINDOWS\SYSTEM\QTPLUGIN.OCX CODEBASE = http://www.apple.com/qtactivex/qtplugin.cab [{41F17733-B041-4099-A042-B518BB6A408C}] CODEBASE = http://a1540.g.akamai.net/7/1540/52/...eInstaller.exe [{11111111-1111-1111-1111-111111111111}] CODEBASE = file://c:\windows\calc.exe [IO Class] 
InProcServer32 = C:\WINDOWS\DOWNLO~1\COOLST~1.OCX CODEBASE = http://www.online1net.com/kool/coolstuff4.cab [Brxpdf5 Control] InProcServer32 = C:\WINDOWS\SYSTEM\BRXPDF5.OCX CODEBASE = http://a19.g.akamai.net/7/19/7125/12...om/brxpdf5.cab [Update Class] InProcServer32 = C:\WINDOWS\SYSTEM\IUCTL.DLL CODEBASE = http://v4.windowsupdate.microsoft.co...681.9069791667 -------------------------------------------------- Enumerating ShellServiceObjectDelayLoad items: WebCheck: C:\WINDOWS\SYSTEM\WEBCHECK.DLL -------------------------------------------------- End of report, 9,518 bytes Report generated in 0.655 seconds Command line options: /verbose - to add additional info on each section /complete - to include empty sections and unsuspicious data /full - to include several rarely-important sections /force9x - to include Win9x-only startups even if running on WinNT /forcent - to include WinNT-only startups even if running on Win9x /forceall - to include all Win9x and WinNT startups, regardless of platform /history - to list version history only |
#4
Hi Madge, You are still showing a Backdoor.Autoupder infection:
C:\WINDOWS\AUSVC.EXE
C:\WINDOWS\BVT.EXE
C:\WINDOWS\ABSR.EXE
Go here and download the removal tool to a floppy disk. Write protect the floppy and then insert it in your infected machine and run.
http://securityresponse.symantec.com...oval.tool.html
**To make sure you haven't infected your other machine when you transferred StartupList, run the removal tool on both. Once clean, run StartupList again and post the results; there is also some spyware that you need to remove.
Last edited by tb525; March 6th, 2003 at 01:41 PM.
#5
Ok....done
Did what you said and here is what you requested. Dang...that sounded like the subject line of a spam email message...lol.
StartupList report, 3/6/03, 4:01:21 PM StartupList version: 1.52 Started from : A:\STARTUPLIST.EXE Detected: Windows 98 SE (Win9x 4.10.2222A) Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106) * Using default options ================================================== Running processes: C:\WINDOWS\SYSTEM\KERNEL32.DLL C:\WINDOWS\SYSTEM\MSGSRV32.EXE C:\WINDOWS\SYSTEM\MPREXE.EXE C:\PROGRAM FILES\EASY INTERNET\ENCMONTR.EXE C:\WINDOWS\SYSTEM\MSTASK.EXE C:\WINDOWS\SYSTEM\MSGLOOP.EXE C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\AVSYNMGR.EXE C:\WINDOWS\SYSTEM\MSG32.EXE C:\WINDOWS\SYSTEM\mmtask.tsk C:\WINDOWS\SYSTEM\HIDSERV.EXE C:\WINDOWS\EXPLORER.EXE C:\WINDOWS\SYSTEM\SYSTRAY.EXE C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMKEYBD.EXE C:\WINDOWS\SYSTEM\HPSYSDRV.EXE C:\WINDOWS\SYSTEM\USBMMKBD.EXE C:\WINDOWS\SYSTEM\STIMON.EXE C:\WINDOWS\SYSTEM\QTTASK.EXE C:\PROGRAM FILES\TIMESINK\ADGATEWAY\TSADBOT.EXE C:\PROGRAM FILES\MCAFEE\MCAFEE SHARED COMPONENTS\GUARDIAN\CMGRDIAN.EXE C:\WINDOWS\RunDLL.exe C:\PROGRAM FILES\MCAFEE\MCAFEE SHARED COMPONENTS\INSTANT UPDATER\RULAUNCH.EXE C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\WORKS SHARED\WKCALREM.EXE C:\COREL\OFFICE7\SHARED\PFIT7\PFPPOP70.EXE C:\PROGRAM FILES\CALLWAVE\IAM.EXE C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\KEYBDMGR.EXE C:\PROGRAM FILES\NETROPA\ONSCREEN DISPLAY\OSD.EXE C:\WINDOWS\SYSTEM\SPOOL32.EXE C:\WINDOWS\SYSTEM\WMIEXE.EXE C:\WINDOWS\SYSTEM\TAPISRV.EXE C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\VSSTAT.EXE C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMUSBKB2.EXE C:\WINDOWS\SYSTEM\RNAAPP.EXE C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\VSHWIN32.EXE C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\AVCONSOL.EXE A:\STARTUPLIST.EXE -------------------------------------------------- Listing of startup folders: Shell folders Startup: [C:\WINDOWS\Start Menu\Programs\StartUp] Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe PerfectPrint.LNK = 
C:\Corel\Office7\Shared\PFit7\PFPPOP70.EXE Internet Answering Machine.lnk = C:\Program Files\CallWave\IAM.EXE Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE PowerReg Scheduler.exe -------------------------------------------------- Autorun entries from Registry: HKLM\Software\Microsoft\Windows\CurrentVersion\Run ScanRegistry = c:\windows\scanregw.exe /autorun SystemTray = SysTray.Exe LoadPowerProfile = Rundll32.exe powrprof.dll,LoadCurrentPwrScheme Keyboard Manager = C:\Program Files\Netropa\One-touch Multimedia Keyboard\MMKeybd.exe hpsysdrv = c:\windows\system\hpsysdrv.exe USBMMKBD = usbmmkbd.exe StillImageMonitor = C:\WINDOWS\SYSTEM\STIMON.EXE CriticalUpdate = c:\windows\SYSTEM\wucrtupd.exe -startup McAfeeWebScanX = C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\WebScanX.exe QuickTime Task = C:\WINDOWS\SYSTEM\QTTASK.EXE TimeSink Ad Client = "C:\Program Files\TimeSink\AdGateway\TSADBOT.EXE" McAfee Guardian = "c:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe" /SU -------------------------------------------------- Autorun entries from Registry: HKLM\Software\Microsoft\Windows\CurrentVersion\Run Services LoadPowerProfile = Rundll32.exe powrprof.dll,LoadCurrentPwrScheme Encompass_ENCMONTR = C:\Program Files\Easy Internet\ENCMONTR.EXE Hidserv = Hidserv.exe run SchedulingAgent = mstask.exe McAfeeVirusScanService = c:\Program Files\McAfee\McAfee VirusScan\AVSYNMGR.EXE -------------------------------------------------- Autorun entries from Registry: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Taskbar Display Controls = RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY McAfee.InstantUpdate.Monitor = "c:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe" /STARTMONITOR -------------------------------------------------- Load/Run keys from C:\WINDOWS\WIN.INI: load= run=hpfsched -------------------------------------------------- Shell & screensaver key from C:\WINDOWS\SYSTEM.INI: Shell=Explorer.exe 
SCRNSAVE.EXE= drivers=mmsystem.dll power.drv -------------------------------------------------- C:\WINDOWS\WININIT.BAK listing: (Created 6/3/2003, 1:58:36) [rename] NUL=C:\WINDOWS\DELETE.EXE -------------------------------------------------- C:\AUTOEXEC.BAT listing: SET CLASSPATH=C:\Program Files\PhotoDeluxe 2.0\AdobeConnectables;c:\COREL\OFFICE7\SHARED\BARI STA;.;c:\COREL\OFFICE7\SHARED\TRUEDOC path C:\WINDOWS;C:\WINDOWS\COMMAND c:\windows\system\setpower.exe SET LD_LIBRARY_PATH=c:\COREL\OFFICE7\SHARED\TRUEDOC\BI N SET PATH=%PATH%;c:\COREL\OFFICE7\SHARED\TRUEDOC\BIN c:\PROGRA~1\COMMON~1\NETWOR~1\VIRUSS~1\40~1.XX\sca npm.exe c:\ IF ERRORLEVEL 1 PAUSE -------------------------------------------------- Enumerating Browser Helper Objects: (no name) - (no file) - {CD4C3CF0-4B15-11D1-ABED-709549C10000} (no name) - C:\WINDOWS\SYSTEM\AMCIS.DLL - {EBBFE27C-BDF0-11D2-BBE5-00609419F467} -------------------------------------------------- Enumerating Task Scheduler jobs: Tune-up Application Start.job Windows Critical Update Notification.job -------------------------------------------------- Enumerating Download Program Files: [ScanCtl Class] InProcServer32 = C:\WINDOWS\DOWNLO~1\UZDETECT.OCX CODEBASE = http://outpost.zdnet.com/updates/resources/updates.cab [CV3 Class] InProcServer32 = C:\WINDOWS\SYSTEM\WUV3IS.DLL CODEBASE = http://windowsupdate.microsoft.com/R...n/actsetup.cab [Shockwave Flash Object] InProcServer32 = C:\WINDOWS\SYSTEM\MACROMED\FLASH\FLASH.OCX CODEBASE = https://download.macromedia.com/pub/...sh/swflash.cab [VivoActive Control] InProcServer32 = C:\WINDOWS\DOWNLO~1\VVWEB.OCX CODEBASE = http://player.vivo.com/ie/vvweb.cab [Yahoo! 
Audio Conferencing] InProcServer32 = C:\PROGRAM FILES\YAHOO!\MESSENGER\YACSCOM.DLL CODEBASE = http://cs6.chat.yahoo.com/v/yacscom.cab [iWon Slot Machine] InProcServer32 = C:\PROGRAM FILES\IWON\IWONSLOT\4.BIN\IWONSLOT.DLL CODEBASE = http://www.iwon.com/ct/in_wn/iwonslot1,0,1,5.cab [FileAccess Control] InProcServer32 = C:\WINDOWS\DOWNLO~1\FILEAC~1.OCX CODEBASE = http://ifilm.digitalmercury.com/wm/FileAccess.OCX [Mbayactx Control] InProcServer32 = C:\WINDOWS\DOWNLO~1\MBAYACTX.OCX CODEBASE = http://ez.messagebay.com/code1/mbayactx.cab [sys Class] InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\PCPITSTOP.DLL CODEBASE = http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB [WONWebLauncher Class] InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\WONWEBLAUNCHERCONTROL.OCX CODEBASE = http://128.11.20.135/tools/WONWebLauncherControl.cab [Shockwave ActiveX Control] InProcServer32 = C:\WINDOWS\SYSTEM\MACROMED\DIRECTOR\SWDIR.DLL CODEBASE = http://download.macromedia.com/pub/s...swdir8d204.cab [HeartbeatCtl Class] InProcServer32 = C:\WINDOWS\DOWNLO~1\HRTBEAT.OCX CODEBASE = http://fdl.msn.com/zone/Z4/heartbeat.cab [iWon Progressive Counter] InProcServer32 = C:\PROGRAM FILES\IWON\IWONSLOT\5.BIN\IWONSLOT.DLL CODEBASE = http://download.iwon.com/ct/pm2/iWonPMSetup1,0,2,3.exe [AV Class] InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\PAV.DLL CODEBASE = http://www.pcpitstop.com/antivirus/PCPAV.CAB [Pinger Class] InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\PING.OCX CODEBASE = http://www.pcpitstop.com/internet/Ping.cab [Live365Player Class] InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\PLAY365.DLL CODEBASE = http://www.live365.com/players/play365.cab [QuickTime Object] InProcServer32 = C:\WINDOWS\SYSTEM\QTPLUGIN.OCX CODEBASE = http://www.apple.com/qtactivex/qtplugin.cab [{41F17733-B041-4099-A042-B518BB6A408C}] CODEBASE = http://a1540.g.akamai.net/7/1540/52/...eInstaller.exe [{11111111-1111-1111-1111-111111111111}] CODEBASE = file://c:\windows\calc.exe 
[{BAE85C97-2CD4-45C3-A1ED-E4CEF7C6AA52}] CODEBASE = http://www.online1net.com/kool/coolstuff4.cab [Brxpdf5 Control] InProcServer32 = C:\WINDOWS\SYSTEM\BRXPDF5.OCX CODEBASE = http://a19.g.akamai.net/7/19/7125/12...om/brxpdf5.cab [Update Class] InProcServer32 = C:\WINDOWS\SYSTEM\IUCTL.DLL CODEBASE = http://v4.windowsupdate.microsoft.co...681.9069791667 -------------------------------------------------- Enumerating ShellServiceObjectDelayLoad items: WebCheck: C:\WINDOWS\SYSTEM\WEBCHECK.DLL -------------------------------------------------- End of report, 9,346 bytes Report generated in 0.644 seconds Command line options: /verbose - to add additional info on each section /complete - to include empty sections and unsuspicious data /full - to include several rarely-important sections /force9x - to include Win9x-only startups even if running on WinNT /forcent - to include WinNT-only startups even if running on Win9x /forceall - to include all Win9x and WinNT startups, regardless of platform /history - to list version history only |
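Post #4 asks for a second StartupList run once the removal tool has finished. As an added example (not part of the thread and not StartupList's own code), the Python below diffs two reports to confirm that the flagged processes and their Run-key entries are gone; the function names and the abridged sample text are constructed for illustration, and it assumes the report's one-entry-per-line layout rather than the flattened form shown above.

```python
import re

# Constructed, abridged sample in StartupList's line-per-entry layout. The
# entries are copied from the first report in this thread; most are omitted.
BEFORE = r"""
StartupList report, 3/6/03, 7:59:07 AM
==================================================
Running processes:

C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\TIMESINK\ADGATEWAY\TSADBOT.EXE
C:\WINDOWS\AUSVC.EXE
C:\WINDOWS\BVT.EXE
C:\WINDOWS\ABSR.EXE
--------------------------------------------------
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

SystemTray = SysTray.Exe
TimeSink Ad Client = "C:\Program Files\TimeSink\AdGateway\TSADBOT.EXE"
ausvc = C:\WINDOWS\ausvc.exe
SysScan = C:\WINDOWS\bvt.exe
ABsr = C:\WINDOWS\absr.exe
--------------------------------------------------
"""

# Constructed stand-in for the second report: the same text with the three
# flagged files dropped, which is how the thread's second report differs.
AFTER = "\n".join(
    ln for ln in BEFORE.splitlines()
    if not re.search(r"\\(ausvc|bvt|absr)\.exe", ln, re.I)
)

FLAGGED = ("AUSVC.EXE", "BVT.EXE", "ABSR.EXE")  # files named in post #4
RULE = re.compile(r"^[-=]{10,}[ \t]*$", re.M)   # section separator lines


def parse_report(text):
    """Return (running_processes, autoruns) parsed from a report."""
    processes, autoruns = set(), {}
    for block in RULE.split(text):
        lines = [ln.strip() for ln in block.splitlines() if ln.strip()]
        if not lines:
            continue
        title, body = lines[0], lines[1:]
        if title == "Running processes:":
            # Windows paths are case-insensitive, so compare in upper case.
            processes.update(p.upper() for p in body)
        elif title == "Autorun entries from Registry:" and body:
            key = body[0]  # first line of the section names the registry key
            for entry in body[1:]:
                name, sep, command = entry.partition(" = ")
                if sep:
                    autoruns[(key, name)] = command
    return processes, autoruns


def diff_reports(before, after):
    """Summarise what appeared or disappeared between two reports."""
    p0, a0 = parse_report(before)
    p1, a1 = parse_report(after)
    return {
        "processes_gone": sorted(p0 - p1),
        "processes_new": sorted(p1 - p0),
        "autoruns_gone": sorted(n for _, n in a0.keys() - a1.keys()),
        "autoruns_new": sorted(n for _, n in a1.keys() - a0.keys()),
    }


def still_present(report, flagged=FLAGGED):
    """List flagged file names still running or still set to autorun."""
    processes, autoruns = parse_report(report)
    haystack = list(processes) + [c.upper() for c in autoruns.values()]
    hits = []
    for name in flagged:
        # Match the file name at a path boundary, ignoring quotes and args.
        pattern = r"(^|[\\\"])" + re.escape(name) + r"([\"\s]|$)"
        if any(re.search(pattern, h) for h in haystack):
            hits.append(name)
    return sorted(hits)


if __name__ == "__main__":
    print(diff_reports(BEFORE, AFTER))
    print("still present:", still_present(AFTER))
```

Anything reported under `processes_new` or `autoruns_new` deserves a look before declaring the machine clean; unchanged entries such as the TimeSink Ad Client do not show up in the diff and still need the separate cleanup handled later in the thread.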
#6
Hi Madge, Have you tried connecting to the internet now that the virus has been removed? Does the problem still occur?
If you can connect, go here and download Spybot-S&D:
Download Spybot - Search & Destroy
http://beam.to/spybotsd
After installing, go to the Online tab, and search for and install all updates.
Next, go to the Settings tab > File Sets, and uncheck System Internals, Usage Tracking and Tracks.uti. These settings are not needed at the moment and you can always consult the "Help" files if you want to experiment later on.
Finally, after closing down Internet Explorer, hit 'Check for Problems', and have SpyBot remove all it finds. (If the scan has found something, the list will show it.)
There are three basic kinds of results:
Red entries indicate spyware problems that should be fixed to avoid security and/or privacy problems. This is the only kind of problem that is preselected to be fixed.
Black entries are system internals. If you do not know what they mean, I would suggest that you leave these alone and visit the support forum for more information.
Green entries indicate usage tracks. It can do no harm to remove these.
NOTE: SSD will sometimes not be able to remove all active components in the first 'run'. In that case you will get a dialog asking you to run SSD at next start. Click yes and reboot. SSD will activate before the system puts these components 'in use', and it will then be able to 'fix' the rest.
Also navigate to C:\Windows\Download Program Files and right click on each item in turn and choose 'properties'. If the copyright info doesn't list either Microsoft, Macromedia, Apple, Yahoo or Vivo then delete it.
#7
Yup
I just went and tried to log online. Everything ran fine as always until I actually made it online, then I get the "Web Page Not Found" screen. I tried a few more, getting the same thing each time. So basically no progress yet. I am unable to download the program you posted to the "problem computer", due to ...well, the problem...lol. Would it work if I downloaded it with the old computer and saved it on a couple of floppies? Sadly, the other computer is a very slow and outdated computer, so I couldn't burn it to a CD. Any other help you can provide is greatly appreciated. Thanks.
#8
Hi Magestrike - we may be able to do this manually. Press CTRL-ALT-DEL once to bring up the End Task dialogue. Look for TimeSink Ad Client and End Task it. Now run a search on your PC for these files (they might not all be present):
tsad.dll
FlexActv.dll
vcpdll.dll
Addon2VB.dll
(if found) and delete them. If you get an error message about the files being in use, we will have to do this from DOS but we will cross that bridge if we have to.
Now go to C:\PROGRAM FILES\ and delete the TIMESINK directory and all its contents.
Finally, here is a small proggie that you can download to floppy BHO Demon and run it on your other PC. Use it to disable the Aureate BHO attached to your browser. See below:
(no name) - C:\WINDOWS\SYSTEM\AMCIS.DLL - {EBBFE27C-BDF0-11D2-BBE5-00609419F467}
Let us know if this helped.
#9
OK
TimeSink Ad Client and End Task it ..... didn't see it running
tsad.dll .... was currently running, couldn't delete
FlexActv.dll .... didn't find
vcpdll.dll .... found and deleted
Addon2VB.dll (if found) ..... found and deleted
Now go to C:\PROGRAM FILES\ and delete the TIMESINK directory and all its contents. ... did this successfully
(no name) - C:\WINDOWS\SYSTEM\AMCIS.DLL - {EBBFE27C-BDF0-11D2-BBE5-00609419F467} did this also successfully
Well, that's where I am on this. As you can see, I couldn't eliminate tsad.dll, because it was being used. Guess we have to do that DOS thing. I tried to log online after I did all of this and still dice. Still does the same thing. Thanks.
#10
Hi Mage,
Quote:
#11
I'm ashamed.... :(
Here is the list of things McAfee found that I had to either quarantine or delete. I know...it's a long list. I'll never go that long again and not have updated virus protection.
mnsvc.exe win9x[1].htm nitrous.exitfuel[4].htm exitpoplight[1].htm exitpoplight[2].htm exitpoplight[1].htm exitpoplight[1].htm nitrous.exitfuel[8].htm nitrous.exitfuel[7].htm js4[1].htm nitrous.exitfuel[4].htm nitrous.exitfuel[4].htm nitrous.exitfuel[4].htm nitrous.exitfuel[2].htm exitpoplight[2].htm exitpoplight[1].htm nitrous.exitfuel[6].htm nitrous.exitfuel[5].htm nitrous.exitfuel[8].htm nitrous.exitfuel[2].htm exitpoplight[2].htm exitpoplight[1].htm nitrous.exitfuel[5].htm nitrous.exitfuel[4].htm nitrous.exitfuel[8].htm nitrous.exitfuel[7].htm nitrous.exitfuel[9].htm exitpoplight[3].htm exitpoplight[1].htm exitpoplight[2].htm nitrous.exitfuel[1].htm nitrous.exitfuel[1].htm nitrous.exitfuel[4].htm exitpoplight[2].htm nitrous.exitfuel[1].htm exitpoplight[2].htm exitpoplight[1].htm nitrous.exitfuel[2].htm nitrous.exitfuel[4].htm js[1].js
also: auupg.exe CoolStuff.ocx exitpop[1].htm ausvc.exe absr.exe
Now I'm really embarrassed. Man that is a long list.
I just checked again to make sure the problem was still there, and it is. I log online, and before the first page can load, I get the "web page not found" page, and nothing will load.
Mage
#12
Hi Mage, Most of that appears to be one of the JS Exploits. Try this.
Click Start > Shutdown > Restart in MS-DOS mode and click OK.
At the C:\Windows> prompt type the following commands and hit [Enter] after each.
smartdrv
deltree /y tempor~1
deltree /y cookies
exit
Once the machine reboots to Windows, click Start > Settings > Control Panel > Internet Options > Programs tab. Click the 'Reset Web Settings' button.
Try...
#13
Don't leave me hanging
Try what? Try sliced bread? Try throwing the computer at the wall? Try what?
Mage
#14
Sorry... try getting online.
#15
:(
OK. I did what you said to do. Then I tried to get online. I can still get online, but as soon as the first page tries to load, I get the "webpage not found" screen. I try a few more, and still no dice.
Mage