98 - changed icons and programs mess

starrekin61 · Nov 3, 2006

Hi. Any help on this would be much appreciated. Somehow, my icons for zip and rar files have been messed up. zip files now "open" with ie and rar files with Dr. Watson. A lot of people are on this computer and i'm not really sure what happened. haven't checked the rest of my desktop icons yet, either.
Could this be a virus, or spyware?
Anyone know a fix?
Thanx.
PS. what are the best free programs to run to check this out with?

TimW · Nov 3, 2006

Suggest two things ...system restore ....and then an online scan with bit defender:
Bitdefender agree to the license and then select Scan. DO NOT CHANGE THE OPTIONS TO SHOW ALL FILES SCANNED. That will make your logs huge and we don't need to see clean files. Once Bitdefender completes the scan:

Click-on the Detected Problems tab. Then select Click here to export the scan report

When the window comes up to save the report, change the Save as type: box to Text (Tab Delimited) (*.txt) and then in the File name box enter change to bdscan then click save. This will save a file named bdscan.txt in whatever folder you are currently in when you save the file (take notice of where you are at so you can find it later). This bdcan.txt file will actually contain HTML code that we can easily view later while reviewing your log. All we have to do is rename the file to bdscan.html.

http://www.bitdefender.com/scan8/ie.html

starrekin61 · Nov 3, 2006

Thank you. Will do.
Question: how do I do system restore?

Here is a Hijack This log. Don't know if it will help figure out the mess.

Logfile of HijackThis v1.99.1
Scan saved at 11:41:04 AM, on 11/3/06
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\PROGRAM FILES\ANTIVIR PERSONALEDITION CLASSIC\SCHEDM.EXE
C:\WINDOWS\SYSTEM\TELEPATH.101\telepath.exe
C:\PROGRAM FILES\EXECUTIVE SOFTWARE\DISKEEPERLITE\DKSERVICE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\ANTIVIR PERSONALEDITION CLASSIC\AVGCTRL.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\LOGITECH\MOUSEWARE\SYSTEM\EM_EXEC.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\MOZILLA FIREFOX\FIREFOX.EXE
C:\PROGRAM FILES\HIJACKTHIS\HIJACKTHIS.EXE

R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\PROGRAM FILES\AOL\AOL TOOLBAR 2.0\AOLTB.DLL
N4 - Mozilla: user_pref("browser.search.defaultengine", "engine://C%3A%5CPROGRAM%20FILES%5CMOZILLA.ORG%5CMOZILLA%5Csearchplugins%5Cgoogle.src"); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\1jie3dcy.slt\prefs.js)
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YT.DLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\PROGRAM FILES\AOL\AOL TOOLBAR 2.0\AOLTB.DLL
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YT.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\PROGRAM FILES\AOL\AOL TOOLBAR 2.0\AOLTB.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\SYSTEM\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Logitech Utility] LOGI_MWX.EXE
O4 - HKLM\..\Run: [avgctrl] "C:\Program Files\AntiVir PersonalEdition Classic\avgctrl.exe" /min
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [schedm] "C:\Program Files\AntiVir PersonalEdition Classic\schedm.exe"
O4 - HKLM\..\RunServices: [TelePath] C:\WINDOWS\SYSTEM\TELEPATH.101\telepath.exe
O4 - HKLM\..\RunServices: [DkService] C:\Program Files\Executive Software\DiskeeperLite\DkService.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] C:\WINDOWS\SYSTEM\mstask.exe
O4 - HKCU\..\Run: [BitTorrent] "C:\PROGRAM FILES\BITTORRENT\BITTORRENT.EXE" --force_start_minimized
O4 - HKCU\..\Run: [Ctrl-Alt-Launch] C:\PROGRAM FILES\CTRL+ALT+LAUNCH\ctrl-alt-launch.exe -hidden
O4 - Startup: HP OfficeJet Series 700 StartUp.lnk = C:\Program Files\HP OfficeJet Series 700\bin\HPOstr03.exe
O4 - Startup: Microsoft Office Fast Start.lnk = C:\MSOffice\Office\FASTBOOT.EXE
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmwordtrans.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsimilar.html
O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate Page into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmtrans.html
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-US\local\search.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\PROGRAM FILES\AOL\AOL TOOLBAR 2.0\AOLTB.DLL
O16 - DPF: Win32 Classes - file://C:\WINDOWS\Java\classes\win32ie4.cab

Thanks for all the help.

Matacumbie · Nov 3, 2006

This is about the only thing you can try with W98.

1. Boot while holding the CTRL key to enter the boot menu.

2. Select the COMMAND PROMPT ONLY option and press enter.

3. From the C:\> prompt, type SCANREG /RESTORE and press enter.

4. When the restore screen appears, select a backup dated before this problem occurred and then restart the system. (A properly working registry has the word 'Started' next to the date).

Steve

TimW · Nov 3, 2006

http://support.microsoft.com/kb/187526/

This is assuming you have done a backup at some point ...

Don't know the ins and outs of Hijack this ...but see you have bittorrent ...p2p software? ....never a good sign...

Did you run a bitscan?

starrekin61 · Nov 3, 2006

not yet. will try to back up system. will let u know. thanx.
ps - i have deleted bit torrent - why is it still showing up?

starrekin61 · Nov 3, 2006

have deleted only the bittorrent entry using hijack this. will reboot and see what happens.

theefool · Nov 3, 2006

What the heck is this:

O4 - HKCU\..\Run: [Ctrl-Alt-Launch] C:\PROGRAM FILES\CTRL+ALT+LAUNCH\ctrl-alt-launch.exe -hidden
Click to expand...

In addition, have you tried uninstalling your unzipping (rar) program, and reinstalling it?

TimW · Nov 3, 2006

theefool said:

What the heck is this:

In addition, have you tried uninstalling your unzipping (rar) program, and reinstalling it?
Click to expand...

Caught my eye too .....wish I knew more about the program and its findings ...

Would like to see a bitscan result ....

TimW · Nov 3, 2006

O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)

Would delete this also .....(again, thanks Theefool!!)

starrekin61 · Nov 3, 2006

Hi guys. OK, to date so far: removed bit torrent using Hijack this. no help.
Did a system reg scan and restore. no help.
ran bit scan on line - it found a trojan - pws.ras.a and removed it.
The what the heck is this was a shortcut key program. it was also removed, but not entirely, it seems.
Will try your suggestions and let you know what happens.

here is the scan log from the online scan:

<HTML>
<HEAD>
<TITLE>BitDefender Online Scanner -Scan Report</TITLE>
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=iso-8859-1">
<meta name="generator" content="Namo WebEditor v5.0(Trial)">
</HEAD>
<BODY BGCOLOR=#FFFFFF leftmargin="10" marginwidth="0" topmargin="20" marginheight="0" >

<table align="center" border="0" cellpadding="0" cellspacing="0" width="90%">
<tr>
<td width="458">
BitDefender
Online Scanner
</td>
<td width="40%">
 
</td>
<td width="10%">
 
</td>
</tr>
<tr>
<td colspan="3" width="912">
Scan report generated
at: Fri, Nov 03, 2006 - 13:29:29
</td>
</tr>

<tr>
<td width="458">
 
</td>
<td width="40%">
 
</td>
<td width="10%">
 
</td>
</tr>

<tr>
<td width="458">
Scan
path: A:\;C:\;D:\;E:\;
</td>
<td width="40%">
 
</td>
<td width="10%">
 
</td>
</tr>

<tr>
<td width="458">
 
</td>
<td width="40%">
 
</td>
<td width="10%">
 
</td>
</tr>

<tr>
<td width="458">
<table border="1" cellspacing="0" bordercolordark="white" bordercolorlight="black" width="100%">
<tr>
<td width="451" colspan="2" bgcolor="#CCCCCC">
Statistics
</td>
</tr>
<tr>
<td width="57%">
Time
</td>
<td width="43%" align="right">
01:11:59
</td>
</tr>
<tr>
<td width="57%">
Files
</td>
<td width="43%" align="right">
227426
</td>
</tr>
<tr>
<td width="57%">
Folders
</td>
<td width="43%" align="right">
2599
</td>
</tr>
<tr>
<td width="57%">
Boot Sectors
</td>
<td width="43%" align="right">
5
</td>
</tr>
<tr>
<td width="57%">
Archives
</td>
<td width="43%" align="right">
6693
</td>
</tr>
<tr>
<td width="57%">
Packed Files
</td>
<td width="43%" align="right">
9271
</td>
</tr>
</table>
</td>
<td width="40%">
 
</td>
<td width="10%">
 
</td>
</tr>

<tr>
<td width="458">
<table border="1" cellspacing="0" bordercolordark="white" bordercolorlight="black" width="100%">
<tr>
<td width="451" colspan="2" bgcolor="#CCCCCC">
Results
</td>
</tr>
<tr>
<td width="57%">
Identified Viruses 
</td>
<td width="43%" align="right">
1
</td>
</tr>
<tr>
<td width="57%">
Infected Files 
</td>
<td width="43%" align="right">
1
</td>
</tr>
<tr>
<td width="57%">
Suspect Files 
</td>
<td width="43%" align="right">
0
</td>
</tr>
<tr>
<td width="57%">
Warnings
</td>
<td width="43%" align="right">
0
</td>
</tr>
<tr>
<td width="57%">
Disinfected
</td>
<td width="43%" align="right">
0
</td>
</tr>
<tr>
<td width="57%">
Deleted Files
</td>
<td width="43%" align="right">
1
</td>
</tr>
</table>
</td>
<td width="40%">
 
</td>
<td width="10%">
 
</td>
</tr>

<tr>
<td width="458">
<table border="1" cellspacing="0" bordercolordark="white" bordercolorlight="black" width="100%">
<tr>
<td width="451" colspan="2" bgcolor="#CCCCCC">
Engines Info
</td>
</tr>
<tr>
<td width="57%">
Virus Definitions
</td>
<td width="43%" align="right">
312404
</td>
</tr>
<tr>
<td width="57%">
Engine build
</td>
<td width="43%" align="right">
AVCORE v1.0 (build 2310) (i386) (Apr 17 2006 16:24:38)
</td>
</tr>
<tr>
<td width="57%">
Scan plugins
</td>
<td width="43%" align="right">
13
</td>
</tr>
<tr>
<td width="57%">
Archive plugins
</td>
<td width="43%" align="right">
38
</td>
</tr>
<tr>
<td width="57%">
Unpack plugins
</td>
<td width="43%" align="right">
5
</td>
</tr>
<tr>
<td width="57%">
E-mail plugins
</td>
<td width="43%" align="right">
6
</td>
</tr>
<tr>
<td width="57%">
System plugins
</td>
<td width="43%" align="right">
1
</td>
</tr>
</table>
</td>
<td width="40%">
 
</td>
<td width="10%">
 
</td>
</tr>

<tr>
<td width="458">
<table border="1" cellspacing="0" bordercolordark="white" bordercolorlight="black" width="100%">
<tr>
<td width="451" colspan="2" bgcolor="#CCCCCC">
Scan Settings
</td>
</tr>
<tr>
<td width="57%">
First Action
</td>
<td width="43%" align="right">
Disinfect
</td>
</tr>
<tr>
<td width="57%">
Second Action
</td>
<td width="43%" align="right">
Delete
</td>
</tr>
<tr>
<td width="57%">
Heuristics
</td>
<td width="43%" align="right">
Yes
</td>
</tr>
<tr>
<td width="57%">
Enable Warnings
</td>
<td width="43%" align="right">
Yes
</td>
</tr>
<tr>
<td width="57%">
Scanned Extensions
</td>
<td width="43%" align="right">
*;
</td>
</tr>

<tr>
<td width="57%">
Exclude Extensions
</td>
<td width="43%" align="right">
 
</td>
</tr>
<tr>
<td width="57%">
Scan Emails
</td>
<td width="43%" align="right">
Yes
</td>
</tr>
<tr>
<td width="57%">
Scan Archives
</td>
<td width="43%" align="right">
Yes
</td>
</tr>
<tr>
<td width="57%">
Scan Packed
</td>
<td width="43%" align="right">
Yes
</td>
</tr>
<tr>
<td width="57%">
Scan Files
</td>
<td width="43%" align="right">
Yes
</td>
</tr>
<tr>
<td width="57%">
Scan Boot
</td>
<td width="43%" align="right">
Yes
</td>
</tr>
</table>
</td>
<td width="40%">
 
</td>
<td width="10%">
 
</td>
</tr>

<tr>
<td colspan=2>  
<table border="1" cellspacing="0" bordercolordark="white" bordercolorlight="black" width="100%">
<tr>
<td width="252" bgcolor="#CCCCCC">
Scanned File
</td>
<td width="195" bgcolor="#CCCCCC" align="right">
 Status
</td>
</tr>
<tr>
<td width="57%">
C:\WINDOWS\Desktop\stups\sept\kf151.zip=>keyfinder.exe
</td>
<td width="43%" align="left">
Infected with: Trojan.PWS.Ras.A
</td>
</tr><tr>
<td width="57%">
C:\WINDOWS\Desktop\stups\sept\kf151.zip=>keyfinder.exe
</td>
<td width="43%" align="left">
Disinfection failed
</td>
</tr><tr>
<td width="57%">
C:\WINDOWS\Desktop\stups\sept\kf151.zip=>keyfinder.exe
</td>
<td width="43%" align="left">
Deleted
</td>
</tr><tr>
<td width="57%">
C:\WINDOWS\Desktop\stups\sept\kf151.zip
</td>
<td width="43%" align="left">
Updated
</td>
</tr>
</table>
</td>

<td width="10%">
 
</td>
</tr>

<tr>
<td width="458">
 
</td>
<td width="40%">
 
</td>
<td width="10%">
 
</td>
</tr>

<tr>
<td width="458">
 
</td>
<td width="40%">
 
</td>
<td width="10%">
 
</td>
</tr>

</table>
 

</body>
</html>

Thanx for all the help. I'll be back in a while and let you know what happens.

starrekin61 · Nov 3, 2006

OK - system restarted - no change. have deleted wierd entries found and mentioned in hjt log. no change. will try next uninstalling and reinstalling zip and rar utilities as suggested. will let you know what happens. also, i will try to use tweak ui to rebuild my icons. thanx.

Log in or Sign up

98 - changed icons and programs mess

starrekin61 Private E-2

TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

starrekin61 Private E-2

Matacumbie Rocky Top

TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

starrekin61 Private E-2

starrekin61 Private E-2

theefool Geekified

TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

starrekin61 Private E-2

starrekin61 Private E-2