Need help. Computer may have spy-, malware

DavO123 · Aug 29, 2005

I have a problem with our computer and I need help I’m running Win98 SE. I run Mcafee 2005 and Spyware Doctor regularly. We have DSL service.

Symptoms:
1. I, at one point had lexplore (“L” explore) running in TaskManager. It’s not there now, however, I’m not sure if this was taken care of when I ran Spybot. (the wife uses MSN Messenger a lot – the computer may have become infected while she was using Messenger.)
2. While the computer is booting, right at the point where the desktop and icons are visible, a small “Cancel” button flashes momentarily in the upper left-hand of the screen. I know this is not normal.
3. Spyware Doctor won’t boot all the way.
4. Computer resources are very low. At times, I’m having problems logging onto the Internet. Mcafee Privacy Service doesn’t load all the way. I need to log onto this before I can access the Internet.

In the registry, I noticed there is an entry that reads C:\WINDOWS\APPLICATION DATA\CAMP WAIT\FILMEGGS.EXE (file missing). File and folder are not seen in the APPLICATION DATA folder.

I ran the following as indicated. All check out OK except Spybot. Spybot found and fixed various threats.
Ad-Aware SE.
Ad-Aware VX2 Cleaner Plug-In
CCleaner
Spybot
SpywareBlaster
McAfee AVERT Stinger
CWShredder
Kill2me
Bitdefender Online Scan
RavAntivirus Online Scan
Spyware Doctor
Macfaee Online Scan

chaslang · Aug 29, 2005

Please follow the below steps exactly:

- Download HijackThis 1.99.1

- Unzip the hijackthis.exe file to a folder you create named C:\Program Files\HJT

- Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file.

- Before running HijackThis: You must close each of the following:your web browser, e-mail client, instant messenger, and programs like notepad, wordpad, MS Word etc. And any other unnecessary running programs.

- Run HijackThis and save your log file.

- Post your log as an ATTACHMENT to your next message. (Do NOT copy/paste the log into your post).

DavO123 · Aug 30, 2005

I have attached the HJT log file. I noticed within the TaskManager box, at the very bottom of the listed running programs, there is an empty space as if there is a running program. This does not appear at first boot, however, it does appear as time goes on. Thank you for your help.

chaslang · Aug 30, 2005

Did you have MS Word running when you did your HJT scan? Why?
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\WINWORD.EXE

Make sure viewing of hidden files is enabled (per the tutorial).

Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
O2 - BHO: (no name) - {D5EF3A9C-15CF-55CA-3542-4C52A0092912} - C:\WINDOWS\APPLICATION DATA\CAMP WAIT\FILMEGGS.EXE (file missing)
O4 - HKLM\..\Run: [Rdr Global Mode Upload] C:\WINDOWS\Application Data\amen city rdr global\trustidle.exe
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZBxdm197YYUS
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)

After clicking Fix, exit HJT.

Boot into safe mode and use Windows Explorer to delete (if found):
C:\WINDOWS\APPLICATION DATA\CAMP WAIT <--- the whole folder
C:\WINDOWS\Application Data\amen city rdr global <--- the whole folder

If you get an error when deleting a file. Right click on the file and check to see if the read only attribute is checked. If it is, uncheck it and try again. Other wise open Task Manager and kill the process if running then delete the file.

Now run Ccleaner (installed while running the READ ME FIRST).

Now reboot in normal mode and post a new HJT log. And tell us how things are working.

DavO123 · Sep 1, 2005

Here is the lastest log file. McAfee Privacy Service was again slow to launch. Within Task Manager there was a program running: wmiexe. Once again there is a blank space in Task Manager.

What is:
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE

chaslang · Sep 1, 2005

C:\WINDOWS\SYSTEM\PSTORES.EXE - Valid Windows process -
See: http://www.liutilities.com/products/wintaskspro/processlibrary/pstores/

C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE - Valid Windows process -
See: http://www.liutilities.com/products/wintaskspro/processlibrary/KB891711/

Can you take a snap shot of Task Manager?

Please realize though that Windows Task Manager has always been rather poor at showing everything that is running. A much better choice is: Process Explorer

Even the Process Manager inside HijackThis is better that Task Manager. As you can see from you log, it even gives the full path the executable file that is running.

I would fix the below O16 line but other than this your log is clean:

O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.real.com/085cc26c8287f7317902/netzip/RdxIE601.cab

Are you having any malware problems?

DavO123 · Sep 1, 2005

Attached is the Task Manager image. Sometimes the computer runs out of resources in which I need to reboot, even though I haven't opened any programs.

chaslang · Sep 2, 2005

How much memory in this PC?
You may be just trying to run too much stuff for a Win98 system. Look at all the stuff from McAfee. Both McAfee and Norton are notorious system resource hogs. And you also have Pest Patrol a Spyware Doctor.

You do not need the below item to always load at startup either:
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE

Just in case your not sure what I mean about McAfee, here is a list of what they are loading and running:
C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSESCN.EXE
C:\PROGRAM FILES\MCAFEE\SPAMKILLER\MSKSRVR.EXE
C:\PROGRAM FILES\MCAFEE.COM\PERSONAL FIREWALL\MPFAGENT.EXE
O2 - BHO: McAfee PopupKiller - {3EC8255F-E043-4cae-8B3B-B191550C2A22} - C:\PROGRAM FILES\MCAFEE.COM\MPS\POPUPKILLER.DLL
O2 - BHO: McBrwHelper Class - {227B8AA8-DAF2-4892-BD1D-73F568BCB24E} - C:\PROGRAM FILES\MCAFEE.COM\MPS\MCBRHLPR.DLL
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSSHL.DLL
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\MCAFEE.COM\VSO\MCMNHDLR.EXE" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "C:\PROGRA~1\MCAFEE.COM\VSO\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] C:\PROGRA~1\MCAFEE.COM\AGENT\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\MCAFEE.COM\AGENT\MCUPDATE.EXE
O4 - HKLM\..\Run: [MPSExe] C:\PROGRA~1\MCAFEE.COM\MPS\mscifapp.exe /embedding
O4 - HKLM\..\Run: [MSKServerExe] C:\Program Files\McAfee\SpamKiller\MSKSrvr.exe
O4 - HKLM\..\Run: [MSKAGENTEXE] C:\PROGRA~1\MCAFEE\SPAMKI~1\MSKAGENT.EXE
O4 - HKLM\..\Run: [MSKDetectorExe] C:\PROGRA~1\MCAFEE\SPAMKI~1\MSKDETCT.EXE /startup
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFTRAY.EXE
O4 - HKLM\..\Run: [CleanUp] C:\PROGRA~1\MCAFEE.COM\SHARED\MCAPPINS.EXE /v=3 /cleanup
O4 - HKLM\..\RunServices: [McVsRte] C:\PROGRA~1\MCAFEE.COM\VSO\mcvsrte.exe /embedding
O4 - HKCU\..\Run: [MSKAGENTEXE] C:\PROGRA~1\MCAFEE\SPAMKI~1\MSKAGENT.EXE

Now as far as the space at the last line of Task Manager, I have never seen this before. If you actually ran another process would it show after the space or does the space always show on the bottom of the task list?

Since your HJT log show you to be clean, let's try the below:

Generate a StartupList log using HijackThis.
Run HJT and on the first screen, click the button that says "Open the Misc Tools section". In the next window first select "List also minor sections (full)" and then click the button that says "Generate StartupList log". CLick Yes to the Do you want to continue prompt. Now a notepad window will come up with the Startuplist.txt file. It is already saved in the the directory HJT is running from. So just come back here and upload the file as an attachment to your next message.

DavO123 · Sep 8, 2005

If I start a new process, the empty space will alway list at the bottom. Here is the log file you asked for. I uninstalled PestControl. I have 128 MB RAM.

chaslang · Sep 8, 2005

I see no problems in that StartupList either. I would not worry about the space unless your PC is having malware problems and I don't believe you have any (are you?).

DavO123 · Sep 9, 2005

I don't think I do. Computer sometimes freezes which causes me to reboot. I uninstalled Realplayer, see if that helps free up some memory.

chaslang · Sep 9, 2005

Memory problems are always issues with Win9x platforms. Even if you install more memory you will still have problems. Win9x only has a 64k space for user resources. This gets used up real fast as more applications are open and running. Your biggest hog is ,as I pointed out before, McAfee.

Log in or Sign up

Need help. Computer may have spy-, malware

DavO123 Private E-2

chaslang MajorGeeks Admin - Master Malware Expert Staff Member

DavO123 Private E-2

Attached Files:

hijackthis.log

chaslang MajorGeeks Admin - Master Malware Expert Staff Member

DavO123 Private E-2

Attached Files:

hijackthis.log

chaslang MajorGeeks Admin - Master Malware Expert Staff Member

DavO123 Private E-2

Attached Files:

Task manager.bmp

chaslang MajorGeeks Admin - Master Malware Expert Staff Member

DavO123 Private E-2

Attached Files:

startuplist.txt

chaslang MajorGeeks Admin - Master Malware Expert Staff Member

DavO123 Private E-2

chaslang MajorGeeks Admin - Master Malware Expert Staff Member