[matt52730]

Hello. This may be as hard to understand as it is to explain, so bear with me. My mom has a Dell, 450 mhz running Windows 98 se. She told me she was having problems, & I discovered that she has been running without virus protection for awhile. I installed Norton AV 2002 for her, updated her virus deffinitions and ran a full scan and found the backdoor.berbew trojan. I deleted it and thought that would solve the problem, but now the email scanner keeps popping up (every 10 secs) saying it's sending somthing (what I don't know) and the computer is responding really slow. She uses a constant cable internet connection, and It's usually really fast, and now it is slow or not loading pages at all. I went ahead and installed zonealarm firewall for her, and the firewall is blocking the same IP address over and over and over again. I can usually figure these things out & I'm baffled. I have done a full scan with updated deffinitions a couple of more times & it says there aren't any viruses on the machine. Anyone heard of this? I'm really struggling here. I have found a few things on the symantec site that I might try, but any help here will be appriciated. Thanks!!

 

[matt52730]

Here's the hijackthis log:

Logfile of HijackThis v1.97.7
Scan saved at 1:26:50 PM, on 3/21/04
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\DLLA32.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\VOYETRA\TBS MONTEGO\VTRAY.EXE
C:\PROGRAM FILES\MICROSOFT HARDWARE\KEYBOARD\TYPE32.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\PROGRAM FILES\HP PHOTOSMART\PHOTO FINISHING SOFTWARE\HPI_MON.EXE
E:\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://209.25.177.187/top/out.cgi?search
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchscavenger.com/bar.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ebay.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchscavenger.com/bar.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://209.25.177.187/top/out.cgi?search
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.1stpagehere.com/s.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.mchsi.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Mediacom Online
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - Default URLSearchHook is missing
F0 - system.ini: Shell=explorer.exe C:\WINDOWS\SYSTEM\dlla32.exe
O1 - Hosts: 207.44.240.65 rad.msn.com
O1 - Hosts: 216.93.174.28 view.atdmt.com
O1 - Hosts: 216.93.174.28 ad.doubleclick.net
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [ZZZ_HPI_Boot] C:\Program Files\HP PhotoSmart\Photo Finishing Software\HPI_Boot.EXE
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [ATTRedUpate] C:\PROGRAM FILES\COMMON FILES\MEDIACOM\MIGCFG\PROGRAMS\AutoUpdate.exe
O4 - HKLM\..\Run: [VoyetraTray] C:\PROGRAM FILES\VOYETRA\TBS MONTEGO\VTRAY.EXE /s
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [load32] C:\WINDOWS\SYSTEM\dllx32.exe
O4 - HKLM\..\Run: [Winsdllv32 driver] WINSDRV32.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - Startup: dllw32.exe
O12 - Plugin for .mts: C:\Program Files\MetaCreations\MetaStream\npmetastream.dll
O12 - Plugin for .mov: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .mid: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .wav: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.mchsi.com
O16 - DPF: Talk City EZTalk 3.0 - http://chat.talkcity.com/java/ezmed/ezmed.cab
O16 - DPF: {7AEB674E-4089-11D1-93F0-00A0241763CD} (CouponDown Class) - http://www102.coolsavings.com/download/CouponX.cab
O16 - DPF: {1FA643B0-F90E-11D3-BA0B-00C04F384A92} (HomeTsrCtrl Class) - http://image.excite.com/sputnik/dyn...ationchange.dll
O16 - DPF: {0FC6BF2B-E16A-11CF-AB2E-0080AD08A326} (LiveUpdate Crescendo) - http://www.liveupdate.com/controls/getcab2.dll
O16 - DPF: Yahoo! Blackjack - http://download.games.yahoo.com/gam...nts/y/jt0_x.cab
O16 - DPF: Yahoo! Towers 2.0 - http://yog18.yahoo.com/yog/y/ywq0_x.cab
O16 - DPF: Yahoo! Go Fish - http://yog1.yahoo.com/yog/y/zp4_x.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/...ash/swflash.cab
O16 - DPF: {A031D222-B496-11D2-9CC8-00105A10AAF6} (WONWebLauncher Class) - http://128.167.56.50/tools/WONWebLauncherControl.cab
O16 - DPF: Yahoo! Spades - http://yog31.yahoo.com/yog/y/sq1_x.cab
O16 - DPF: Yahoo! Pyramids - http://download.games.yahoo.com/gam...ts/y/pyt1_x.cab
O16 - DPF: Tornado 21 - http://download.games.yahoo.com/gam...s/y/t21t0_x.cab
O16 - DPF: JT's Blocks - http://download.games.yahoo.com/gam...ts/y/blt1_x.cab
O16 - DPF: Yahoo! Dice - http://download.yahoo.com/games/clients/y/dcs0_x.cab
O16 - DPF: Yahoo! Klondike Solitaire - http://yog55.games.scd.yahoo.com/yog/y/ks11_x.cab
O16 - DPF: Yahoo! MahJong - http://download.yahoo.com/games/clients/y/os0_x.cab
O16 - DPF: Yahoo! Dominoes - http://yog30.yahoo.com/yog/y/dop2_x.cab
O16 - DPF: Yahoo! Dots - http://yog2.yahoo.com/yog/y/dtp2_x.cab
O16 - DPF: Yahoo! Literati - http://download.games.yahoo.com/gam...nts/y/tt0_x.cab
O16 - DPF: Yahoo! Freecell Solitaire - http://yog2.games.snv.yahoo.com/yog/y/fs9_x.cab
O16 - DPF: Yahoo! Reversi - http://yog21.yahoo.com/yog/y/rp0_x.cab
O16 - DPF: Yahoo! MahJong Solitaire - http://download.games.yahoo.com/gam...s/y/mjst3_x.cab
O16 - DPF: Yahoo! Bingo - http://yog3.yahoo.com/yog/y/xp0_x.cab
O16 - DPF: Yahoo! Word Racer - http://download.yahoo.com/games/clients/y/ws1_x.cab
O16 - DPF: Yahoo! Sheepshead - http://us.games2.yimg.com/f/10/31/7...nts/y/dq0_x.cab
O16 - DPF: Word Guess - http://yog22.yahoo.com/yog/y/wgq7_x.cab
O16 - DPF: Yahoo! Pool - http://yog7.yahoo.com/yog/y/plq12_x.cab
O16 - DPF: Spelldown - http://yog9.yahoo.com/yog/y/wgq12_x.cab
O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.25.152/code/PWActiveXImgCtl.CAB
O16 - DPF: {00CB77FC-0F09-458A-8BE8-9176423305EB} (Loader Control) - https://bigflash.microgaming.com/bigflash/loader.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/...director/sw.cab
O16 - DPF: {1B77F337-2C1E-4D52-88F7-AAEE5BFB6F5B} - http://www.netbroadcaster.com/player/MovieNetworks1.exe
O16 - DPF: Video Poker - http://download.games.yahoo.com/gam...ts/y/vpt0_x.cab
O16 - DPF: Akamai Test - http://download.yahoo.com/games/cli...mai_test0_x.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.co...v45/yacscom.cab
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.co...t/c381/chat.cab
O16 - DPF: Yahoo! Graffiti - http://download.yahoo.com/games/clients/y/grrq_x.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: Yahoo! Go - http://download.yahoo.com/games/clients/y/gs0_x.cab
O16 - DPF: Yahoo! Trivia - http://download.games.yahoo.com/gam...ts/y/tvt0_x.cab
O16 - DPF: {6F6DBC29-7A0C-4AC0-A42D-10EC70678526} (Word Cubes Control) - http://mirror.worldwinner.com/games...be/wordcube.cab
O16 - DPF: {9903F4ED-B673-456A-A15F-ED90C7DE9EF5} (Sol Control) - http://mirror.worldwinner.com/games/v41/sol/sol.cab
O16 - DPF: {BA94245D-2AA0-4953-9D9F-B0EE4CC02C43} (Tilecity Control) - http://mirror.worldwinner.com/games...ty/tilecity.cab
O16 - DPF: {5EE92643-21CE-4949-903F-39439DCC3944} (Shapetris Control) - http://mirror.worldwinner.com/games/v42/shape/shape.cab
O16 - DPF: {40689DFB-7484-4D82-BCDD-DE2B39F74FD3} (Ttt Control) - http://mirror.worldwinner.com//games/v40/ttt/ttt.cab
O16 - DPF: {2C153C75-8476-434B-B3C3-57B63A3D1939} (Brickout Control) - http://mirror.worldwinner.com/games...ut/brickout.cab
O16 - DPF: {41D1977F-4161-4720-800F-EA4903983A38} (Puzzle Control) - http://mirror.worldwinner.com/games...gsaw/jigsaw.cab
O16 - DPF: {6BB594E2-6E4D-4CC9-98B0-931C323F9165} (DepHlp Control) - http://mirror.worldwinner.com/games/shared/dephlp.cab
O16 - DPF: {90B7E2B3-2E56-4571-9E54-823E33C4B4B4} (TracMan Control) - http://mirror.worldwinner.com/games...man/tracman.cab
O16 - DPF: {E5EF1E59-8AFD-425A-9F30-817FD6507215} (Darts Control) - http://mirror.worldwinner.com/games/v40/darts/darts.cab
O16 - DPF: {01645AFE-97C0-4D3D-8754-A1FDF8C5FFB5} (Bash Control) - http://mirror.worldwinner.com/games/v40/bash/bash.cab
O16 - DPF: {A7EA8AD2-287F-11D3-B120-006008C39542} (CBSTIEPrint Class) - http://offers.brightstreet.com/cif/...bin/actxcab.cab
O16 - DPF: Yahoo! Toki Toki Boom - http://download.games.yahoo.com/gam...nts/y/vth_x.cab
O16 - DPF: Yahoo! Fleet - http://download.games.yahoo.com/gam...s/y/fltt0_x.cab
O16 - DPF: {B06CE1BC-5D9D-4676-BD28-1752DBF394E0} (Hangman Control) - http://mirror.worldwinner.com/games...man/hangman.cab
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/gam...ts/y/potb_x.cab
O16 - DPF: Yahoo! Spelldown - http://download.games.yahoo.com/gam...ts/y/sdt1_x.cab
O16 - DPF: Yahoo! Poker - http://download.games.yahoo.com/gam...nts/y/pt0_x.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab
O16 - DPF: {6C6FE41A-0DA6-42A1-9AD8-792026B2B2A7} (FreeCell Control) - http://mirror.worldwinner.com/games...ll/freecell.cab
O16 - DPF: {E12EB891-D000-421B-A8ED-EDE1BDCA14A0} (GolfSol Control) - http://mirror.worldwinner.com/games...sol/golfsol.cab
O16 - DPF: {4F5E4276-C120-11D6-A1FD-00508B9D48EA} (dldisplay Class) - http://www.gamehouse.com/ghdlctl.cab
O16 - DPF: {90A29DA5-D020-4B18-8660-6689520C7CD7} (DmiReader Class) - http://support.dell.com/us/en/syste.../SysProfLCD.CAB
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/downl...922/wmv9VCM.CAB
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://imgfarm.com/images/nocache/f...etup1.0.0.6.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yah...s/yinst0401.cab
O16 - DPF: {AC2881FD-5760-46DB-83AE-20A5C6432A7E} (SwapIt Control) - http://mirror.worldwinner.com/games...apit/swapit.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/active...ol_v1-0-3-0.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.c...8060.3071064815
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://antu.popcap.com/games/popcaploader_v5.cab

 

[raybro]

There is a lot going on there. You appear to still have some virus activity or perhaps remnants. There is also indication of spyware. Here is what I recommend.

Run an online virus scan. Go Here and do an online virus scan:

Be sure and put a check in the box by "Auto Clean" before you do the scan. If it finds anything that it cannot clean have it delete it or make a note of the file location so you can delete it yourself.

Reboot your computer

Now download CWShredder. Unzip it. Close all windows, including browser. Launch CWShredder and click the Fix button (NOT Scan). Let it do it's thing.

Reboot your computer

Next, download Spybot S&D. Install Spybot, open it and click the Search for Updates button. When updates are found, put a check mark next to all and click the Download Updates button. Now click the Search & Destroy icon in the left pane, then the Check for problems button at the bottom of the window. When the scan completes, check all the items in RED, then click the Fix Selected Problems button.

Reboot your computer

Next, download AdAware. Install the program and launch it.

First in the main window look in the bottom right corner and click on Check for updates now and download the latest reference files.

Make sure the following settings are made and on -------ON=GREEN

From main window :Click Start then Activate in-depth scan (recommended)

Click Use custom scanning options then click Customize and have these options selected: Under Drives and Folders put a check by Scan within archives and below that under Memory and Registry put a check by all the options there.

Now click on the Tweak button in that same window. Under Scanning Engine select Unload recognized processes during scanning and under Cleaning Engine select Let windows remove files in use at next reboot

Click Proceed to save your settings.

Now to scan just click the Next button.

When the scan is finished mark everything for removal and get rid of it.(Right-click the window and choose Select All from the drop down menu and click Next)

Reboot your computer.

A preparatory step you should do before using HJT to fix anything, is create a permanent folder for the HJT executable file and move it into that folder. This is where your HJT log files and backups will be stored.

Post a new HJT scan

 

[iaavagent]

Matt52730,??????
How goes it? Did you follow Raybro's instructions?
Please let him know so he will know if problem is solved!
Thanks.