Read & Run Me Complete - Hijack This Log Ready

Discussion in 'Malware Help (A Specialist Will Reply)' started by Journeyer, Nov 27, 2005.

  1. Journeyer

    Journeyer Private E-2

    I'm working on a fairly well infected notebook running Windows 98 SE on a dial-up connection. Here are the results from the recommended steps prior to posting a Hijack This log.

    AVG Free
    Found and deleted
    Trojan horse Startpage.13.L in c:\windows\load.exe
    Trojan horse Clicker.4.B in c:\windows\system\trkfig.exe
    Trojan horse Dropper.Small.12.S in c:\windows\NcasePackage.exe

    SpyBot S&D
    Found and deleted 143 items

    CCleaner
    Ran ok. Cleaned about 12MB of files.

    AD-Aware SE
    Found and deleted 47 objects

    Stinger
    Found nothing

    CWShredder
    Found nothing

    Trend Micro Housecall - Online
    Found and deleted
    Troj.Haring.Gen in c:\windows\load.exe
    Troj.Haring.Gen in c:\windows\loadnew.exe

    Bitdefender - Online
    Found several items in c:\temp
    This folder has been deleted in safe mode

    Scans by spybot and Ad-Aware and AVG Free in safe mode are now clean.

    This system uses the Juno e-mail program and a Juno subscription for Internet access. The Juno software launches, but when the E-Mail or Web button is clicked (to initiate Internet dial-up) the Windows Illegal Operation dialog box pops up and the program is shut down. I have not tried to reinstall until the Hijack This log shows the system is in pretty good shape.

    I would appreciate the opportunity to post a Hijack This log for review. There's probably some lingering stuff to clean up. I'm concerned that c:\windows\load.exe and c:\windows\loadnew.exe are around. I can't find them in Safe Mode with show all files active.

    With your ok, I have a log using HijackThis 1.99.1 ready to attach and upload.
     
  2. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Post a HijackThis log as an ATTACHMENT.
     
  3. Journeyer

    Journeyer Private E-2

    Attached as requested. Thanks.
     

    Attached Files:

  4. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Scan with HijackThis and fix the following:
    Please run Panda Online Scan. After the scan attach the log to your next post. Also please follow the below:

    1 - Please EXTRACT all files from Qoologic Tool to its own folder - C:\Program Files\QoologicFinder . Then, DoubleClick Find-Qoologic.bat to run the tool. It should produce a log - Please attach that with your next post!

    2 - Please EXTRACT all the files from RKFiles Tool to its own folder named C:\Program Files\RKTOOL. Then, please boot to SAFE MODE and DoubleClick rkfiles.bat to run the tool. Let it run and then, when it finishes, look for a log at C:\Log.txt and please attach that log.

    Now come back here and post all three logs as attachments
     
  5. Journeyer

    Journeyer Private E-2

    Ok ... here we go. A new hijack this log and the Panda Activescan log are attached.
     

    Attached Files:

  6. Journeyer

    Journeyer Private E-2

    And here's the Qoologic Log and the RKFiles Log.

    Thanks.
     

    Attached Files:

  7. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Download
    - Pocket Killbox

    Now run Pocket Killbox:

    Choose Tools -> Delete Temp Files and click OK.

    Run Killbox.exe. Paste the below filenames into KILL BOX one at a time. Check mark the box that says "Delete on Reboot" and checkmark the box "Unregister DLL" (If available) Click the RED X and it will ask you to confirm the file for deletion…say YES and when the next box opens prompting you to reboot now...click NO...and proceed with the next file. Once you get to the last one click YES and it will reboot. Note many of the file list below may not exist but we need to check for them anyway.
    If Killbox does not reboot or you get a Pending Operations type error message just reboot your PC yourself.

    Now boot into SAFE MODE

    Open Windows Explorer navigate to and DELETE the following: (Some of these may have already been deleted by Pocket Killbox)
    Now run CCleaner.

    REBOOT to Normal Mode.

    Download WinPFind

    Extract it to the root folder of drive C ( C:\ ). This will create a folder called WinPFind in the C:\ folder. Inside C:\WinPFind is a file called WinPFind.exe. Double-click on this file to launch the program. Once it is launched, click on the Start Scan button and wait for it to finish. This program will scan large numbers of files on your computer for known patterns, so please be patient while it works, as it can take a while, upwards of 30 minutes or more.

    When it is done, it will show the results of the scan. Click on the Copy to Clipboard button and then paste the contents of the log in your clipboard. Then save it to a file using notepad and upload the text file here as an attachment.

     
  8. Journeyer

    Journeyer Private E-2

    Ok ... got it.

    Pocket Killbox
    There was no confirmation for deletion request on any of the listed files. I assume that means none are present.

    Safe Mode Delete
    The only items found were Windows TaskAD and SearchRelevant in C:\Program Files. These were both empty folders.

    WinPFind
    Ran fine. The log is attached along with a fresh Hijack This log.

    Thanks very much ... you're really helping me dig.
     

    Attached Files:

  9. Journeyer

    Journeyer Private E-2

    Add-on to the previous post. The CCleaner run deleted about 10.9MB. Forgot to mention that in the update message.
     
  10. Journeyer

    Journeyer Private E-2

    Recent scans with AVG Free, Spybot S&D, Ad-Aware, and CWShredder are clean. Are there any additional clean-up steps indicated in the previously posted logs? A current Hijack This log is attached.

    Thanks very much.
     

    Attached Files:

  11. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Run REGEDIT, navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run- and DELETE it; that is not a legitimate Windows registry key and is used by viruses. Be careful here: DO NOT delete HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, as this is a valid Windows registry key.

    Reboot to Safe Mode.

    Open Windows Explorer navigate to and delete the following:
    Your HijackThis log is clean.

    Reboot to Normal Mode. How is your computer running?
     
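The Run- key the reply above tells the user to delete is a look-alike of the genuine Run key: it sits beside the real autostart keys under CurrentVersion so it is easy to miss on a manual check. As an added example, not code from this thread or from MajorGeeks, the Python script below parses a registry export (.reg text, such as REGEDIT's File > Export produces) and flags any subkey under ...\Windows\CurrentVersion whose name begins with "Run" but is not one of the genuine autostart keys. The sample export is constructed for the example, and the list of genuine keys (Run, RunOnce, RunOnceEx, RunServices, RunServicesOnce) is my assumption about the Windows 9x/NT autostart locations, not something the thread states.

```python
"""Flag look-alike autostart keys in a Windows registry export (.reg).

Added example, not from the thread. The set of genuine keys below is an
assumption about Windows 9x/NT autostart locations, not a claim the page makes.
"""
import re

# Assumed genuine autostart subkeys under ...\Microsoft\Windows\CurrentVersion.
LEGIT_RUN_KEYS = {"Run", "RunOnce", "RunOnceEx", "RunServices", "RunServicesOnce"}
_LEGIT_LOWER = {k.lower() for k in LEGIT_RUN_KEYS}

# Registry key names are case-insensitive, so all path comparisons are lowercased.
CURRENT_VERSION_SUFFIX = r"\software\microsoft\windows\currentversion"

# Constructed sample export: two genuine Run keys, an empty RunOnce, and a
# look-alike "Run-" key carrying a value that points at a loader executable.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
"SystemTray"="SysTray.Exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run-]
"load"="C:\\WINDOWS\\load.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Example"="C:\\Example\\example.exe"
"""

KEY_RE = re.compile(r"^\[(?P<path>[^\]]+)\]\s*$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<data>.*)$')


def parse_reg(text):
    """Return {key_path: {value_name: raw_data}} from .reg export text.

    Only string-style "name"=data lines are captured; hex continuation lines
    (trailing backslash) are ignored, which is enough for autostart values.
    """
    keys = {}
    current = None
    for line in text.splitlines():
        m = KEY_RE.match(line)
        if m:
            current = m.group("path")
            keys[current] = {}
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            keys[current][m.group("name")] = m.group("data")
    return keys


def find_lookalike_run_keys(keys):
    """Return [(key_path, values)] for Run* subkeys of CurrentVersion that are not genuine.

    A key is suspicious when its parent is ...\Windows\CurrentVersion (any hive),
    its leaf name starts with "run" (case-insensitive) and the leaf is not one
    of LEGIT_RUN_KEYS. This catches "Run-", "Run " and similar decoys.
    """
    suspicious = []
    for path, values in keys.items():
        parent, _, leaf = path.rpartition("\\")
        if not parent.lower().endswith(CURRENT_VERSION_SUFFIX):
            continue
        if leaf.lower().startswith("run") and leaf.lower() not in _LEGIT_LOWER:
            suspicious.append((path, values))
    return suspicious


if __name__ == "__main__":
    for path, values in find_lookalike_run_keys(parse_reg(SAMPLE_REG)):
        print("Suspicious autostart key:", path)
        for name, data in values.items():
            print("   ", name, "=", data)
```

Run it against an export of the whole HKLM\SOFTWARE and HKCU\Software trees rather than just the Run key; the point of the check is that it compares the leaf name against a fixed allow-list instead of trusting whatever REGEDIT shows next to the real Run key.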
  12. Journeyer

    Journeyer Private E-2

    The registry item was removed ok.

    In Safe Mode, I did not find these two items by searching manually or by doing a Start > Find search.

    C:\Program Files\DownloadWare
    C:\WINDOWS\FVProtect.exe

    The system seems to be running fine. A current hijack this log is attached for a final check. I really appreciate your help in this clean-up operation. :)
     

    Attached Files:

  13. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Your log is clean.
     
  14. Journeyer

    Journeyer Private E-2

    Great! Thanks again. :)
     
