Microsoft Critical Update


10 replies to this topic

#1 Vickie (Full Member, 7 posts)

Posted 27 July 2004 - 08:43 AM

Yesterday, first thing after powering up my PC, I received what I call a "dialogue box" from Microsoft informing me that there was a new critical update. -- Mind you, I'm on my desktop. I've not yet clicked on Internet Explorer or AOL. I am connected to the Internet via a T-1 line, but I had not actually clicked on a browser yet.

Being a typical Monday morning, like a ditz, I clicked on the box to accept the update. Nothing actually happened, the dialog box went away, and I thought nothing more about it.

Small, subtle things begin to happen, and I finally got the hint I was screwed -- While working in a Word document, I needed to access an Excel file at the same time. The Excel file loaded but then froze. I tried to toggle back to Word. Nothing.

I hit "control-alt-delete" ONE time to "end task." Clicked on "end task" and my computer shut down.

grrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrr

Anyway, on Friday afternoon, I had updated and scanned my computer with SpyBot - S&D, Ad-Aware, Spyware Blaster and Norton. All my protections were up-to-date Friday when I left for the weekend.

I spent 2-2 1/2 hours on the phone yesterday with Microsoft techies who proved quite helpful. We had to deal with a power outage at my end, new updates, rescanning, etc., but things were finally on an upswing. They instructed me to go to housecall.trendmicro.com and use their PC Scan feature. That scan found the following:

VBS PSYME.B
TROJ ONECLICK.A

I opted to delete them. Supposedly that's all that's needed at that site. Poof, everything SHOULD be fine.

Everything's not.

I'm running EXTREMELY slow, program boxes are remaining on my bottom toolbar, etc.

Before I went home last night, I did yet another update of my four protections, and rescanned. Absolutely NOTHING was detected.

Can someone please help?

I'm losing my freakin' mind!

~Vickie

:scratchhead:

*Edited to add my apologies to the admin if I've posted in the wrong forum.*

Edited by Vickie, 27 July 2004 - 08:48 AM.


#2 Vickie (Full Member, 7 posts)

Posted 27 July 2004 - 08:52 AM

I want to add that Microsoft said they NEVER, EVER do anything via "pop-ups" which is what they say I elected. They only communicate via a small bubble box near the bottom right corner of your screen, and then, ONLY if you've elected for them to communicate with you in that manner.

Otherwise, you have to go to their site to get their updates.

<slaps self in head>

:rofl:

#3 PGPhantom (Superman of SWI, Emeritus, 3,494 posts)

Posted 27 July 2004 - 09:19 AM

Can you please download HijackThis from this link, install it into C:\HJT. Run it, click on scan, save log and please post your entire log here for analysis.

Thank you.

p.s. Message moved to malware forum.

#4 Vickie (Full Member, 7 posts)

Posted 27 July 2004 - 09:47 AM

Here's the log:

----------------------------------------------------------------------------------------------

Logfile of HijackThis v1.98.0
Scan saved at 10:46:34 AM, on 7/27/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\MDM.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\PTSNOOP.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\HPZTSB04.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\REAL\REALPLAYER\REALPLAY.EXE
C:\PROGRAM FILES\KODAK\KODAK EASYSHARE SOFTWARE\BIN\EASYSHARE.EXE
C:\PROGRAM FILES\KODAK\KODAK SOFTWARE UPDATER\7288971\PROGRAM\KODAK SOFTWARE UPDATER.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\1033\MSOFFICE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\HPZSTATX.EXE
C:\UNZIPPED\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS10
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://p083.ezboard....sageboardfrm189
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com
F1 - win.ini: load=ptsnoop.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\SYSTEM\hpztsb04.exe
O4 - HKLM\..\Run: [NAV DefAlert] C:\PROGRA~1\NORTON~1\DEFALERT.EXE
O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [CriticalUpdate] C:\WINDOWS\SYSTEM\wucrtupd.exe -startup
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [Machine Debug Manager] C:\WINDOWS\SYSTEM\MDM.EXE
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: America Online Tray Icon.lnk = C:\Program Files\America Online 7.0\aoltray.exe
O4 - Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: DigiChat Applet - http://host6.digicha...s/Client_IE.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} - http://us.chat1.yimg...v45/yacscom.cab
O16 - DPF: ChatSpace Full Java Client 4.0.0.301 - http://63.102.226.24...va/cfs40301.cab
O16 - DPF: ChatSpace Full Java Client 4.0.0.300 - http://about.chatspa...va/cfs40300.cab
O16 - DPF: {FF65677A-8977-48CA-916A-DFF81B037DF3} - http://download.over...com/WildApp.cab
O16 - DPF: {2C8EEB84-6D60-11D4-BD64-0050048A82BF} (eshare communications NetAgent Customer ActiveX Control version 2) - http://billing-a.mhi...s/custappx2.CAB
O16 - DPF: {10ABC6DB-E091-4EAE-98DD-21B5A2460714} (DetInstaller Class) - http://www.pandasoft...s/AvDetInst.cab
O16 - DPF: ppctlcab - http://www.pestscan....er/ppctlcab.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 209.253.113.2,209.253.113.18

#5 PGPhantom (Superman of SWI, Emeritus, 3,494 posts)

Posted 27 July 2004 - 10:19 AM

  • Double click on "My Computer" to open it. Double click on the local "C-Drive" to open it. Click on "File" => "New Folder" and name it HJT. i.e. The folder will be C:\HJT. Please download HijackThis from this link, install it into C:\HJT. Only run HijackThis from C:\HJT\HijackThis.exe. That way we can ensure that we have the backup files available in the event that they are needed.
  • Run HijackThis (This should, typically, be run from C:\HJT\HijackThis.exe), click on "Scan" and then place a check mark in the following boxes (If they still exist), And click on "Fix Checked":
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://p083.ezboard....sageboardfrm189
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com
    O16 - DPF: {FF65677A-8977-48CA-916A-DFF81B037DF3} - http://download.over...com/WildApp.cab
  • Please reboot into safe mode - How do I boot into "Safe" mode?
  • The following DIRECTORY CONTENTS (But not the directory), DIRECTORIES and FILES, need to be deleted while in safe mode. Make sure your settings allow you to view "Hidden files". Open up any explorer window and click on "Tools" => "Folder Options" => "View" and be sure to check off "Show Hidden Files and Folders". If the files etc listed are not present - Do not worry, just delete those that you can find. If no path is listed, you may need to search for the file(s) - To search, click on "Start" => "Search" => "For Files and Folders" => "All Files and Folders" and type in the file name. You can delete it right from the search results window.
    • DIRECTORY CONTENTS (But not the directory)
      • %windir%\Temp\
      • %temp%\
      • %userprofile%\Local Settings\Temp\
      • C:\Documents and Settings\<Any other users Profile>\Local Settings\Temporary Internet Files\
      • C:\Documents and Settings\<Any other users Profile>\Local Settings\Temp\
      • Click on "Start" => "Settings" => "Control Panel" => "Internet Options". Click on "Delete Files", select "Delete All Offline Content" and click on "OK". <=This will delete all your cached internet content including cookies. This is recommended and strongly suggested. Click on "OK" once more to close the options panel.
      • Right click on "Recycle Bin" and select "Empty Recycle Bin" and respond "Yes" when prompted.
    • DIRECTORIES
      • Nothing to Delete
    • FILES
      • Nothing to Delete
  • Download, install and run Trojan Hunter (Trial)
  • Reboot again and log in normally, repost a new HijackThis log into this message for further review.

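The triage PGPhantom did by eye on the log above (pick out the R0/R1 browser settings and O16 ActiveX downloads pointing at hosts he did not recognise, note the F1 win.ini loader and the O17 nameservers) can be scripted. The block below is an added example and is not code from the thread, from HijackThis, or from SpywareInfo. It parses the section prefixes HijackThis prints, and the sample log is constructed from the lines posted above, including the "..." that the forum software inserts when it truncates long URLs. The allowlist of trusted hosts is a hypothetical analyst-supplied one; it is an assumption of the example, not a verdict on any host in the log. Entries whose host cannot be read because the URL was truncated are reported as unverified rather than silently passed, since a truncated log line is not evidence either way.

```python
"""Triage helper for HijackThis-style log lines (added example, not the tool's own code).

Rules, mirroring what a forum helper does by hand:
  - R0/R1 (IE start page / search settings): flag when the URL host is not
    on the analyst's allowlist, or cannot be read because of truncation.
  - O16 (DPF: ActiveX controls downloaded by IE): same rule.
  - O17 (TCP/IP nameserver overrides): always report for a manual check.
  - F1 (win.ini load=/run= entries): always report for a manual check.
"""
import re
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlparse

LINE_RE = re.compile(r"^(?P<section>[RFO]\d+) - (?P<body>.*)$")
URL_RE = re.compile(r"https?://\S+")

# Hypothetical allowlist supplied by the analyst (an assumption of this example).
ANALYST_ALLOWLIST = {"msn.com", "microsoft.com", "windowsupdate.com"}

# Constructed sample: a subset of the log posted above, forum truncation ("...") included.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.98.0
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS10
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://p083.ezboard....sageboardfrm189
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com
F1 - win.ini: load=ptsnoop.exe
O4 - HKLM\..\Run: [CriticalUpdate] C:\WINDOWS\SYSTEM\wucrtupd.exe -startup
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {FF65677A-8977-48CA-916A-DFF81B037DF3} - http://download.over...com/WildApp.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 209.253.113.2,209.253.113.18
"""


@dataclass
class Entry:
    section: str          # e.g. "R0", "O16"
    body: str             # everything after "Rn - "
    url: Optional[str]    # first http(s) URL in the body, if any


def parse_log(text: str) -> list:
    """Keep only the 'Xn - ...' entry lines; headers and the process list are skipped."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        body = m.group("body")
        u = URL_RE.search(body)
        entries.append(Entry(m.group("section"), body, u.group(0) if u else None))
    return entries


def host_of(url: str) -> Optional[str]:
    """Host part of the URL, or None when the forum's '...' truncation cut into it."""
    netloc = urlparse(url).netloc
    if not netloc or "..." in netloc:
        return None
    return netloc.lower()


def host_allowed(host: str, allowlist: set) -> bool:
    """Exact match or subdomain of an allowlisted host."""
    return any(host == a or host.endswith("." + a) for a in allowlist)


def triage(entries: list, allowlist: set) -> list:
    """Return (kind, entry) pairs the analyst should look at."""
    findings = []
    for e in entries:
        if e.section in ("R0", "R1", "O16"):
            kind = "browser-setting" if e.section != "O16" else "activex-download"
            host = host_of(e.url) if e.url else None
            if host is None:
                findings.append(("unverified-url", e))     # truncated or no URL: cannot judge
            elif not host_allowed(host, allowlist):
                findings.append((kind, e))
        elif e.section == "O17":
            findings.append(("nameserver", e))
        elif e.section == "F1":
            findings.append(("win.ini-load", e))
    return findings


def summarize(findings: list) -> dict:
    """Counts per finding kind, for a quick overview."""
    counts = {}
    for kind, _ in findings:
        counts[kind] = counts.get(kind, 0) + 1
    return counts


if __name__ == "__main__":
    for kind, e in triage(parse_log(SAMPLE_LOG), ANALYST_ALLOWLIST):
        print(f"{kind:16} {e.section:4} {e.body}")
```

On the sample, the msn.com search bar is allowlisted and not reported, the four truncated URLs come back as unverified, and the win.ini loader and nameserver entries are listed for a manual look. The real check for the unverified entries is the full value in the registry on the machine, which the forum copy of the log cannot give you.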

#6 Vickie (Full Member, 7 posts)

Posted 27 July 2004 - 01:27 PM

grrrrrrrrrrrrrrrrrrrrrrrrrr

things are slowly getting worse, screens are over-lapping, and taking a very long time to close out -- all since running Trojan Hunter.

Trojan Hunter found one trojan . . . TrojanDropper.Lst.100 and I told it to clean it. I ran Trojan Hunter a second time and it did not locate it. For the record, I was not able to "update" on Trojan Hunter. They required money to update it.

Here is the HijackThis log, per your instructions:

-----------------------------------------------------------------------------------

Logfile of HijackThis v1.97.7
Scan saved at 2:23:30 PM, on 7/27/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\MDM.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\PTSNOOP.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\HPZTSB04.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\REAL\REALPLAYER\REALPLAY.EXE
C:\HJT\TROJANHUNTER 3.9\THGUARD.EXE
C:\PROGRAM FILES\KODAK\KODAK EASYSHARE SOFTWARE\BIN\EASYSHARE.EXE
C:\PROGRAM FILES\KODAK\KODAK SOFTWARE UPDATER\7288971\PROGRAM\KODAK SOFTWARE UPDATER.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\1033\MSOFFICE.EXE
C:\HJT\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS10
F1 - win.ini: load=ptsnoop.exe
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\SYSTEM\hpztsb04.exe
O4 - HKLM\..\Run: [NAV DefAlert] C:\PROGRA~1\NORTON~1\DEFALERT.EXE
O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [CriticalUpdate] C:\WINDOWS\SYSTEM\wucrtupd.exe -startup
O4 - HKLM\..\Run: [THGuard] "C:\HJT\TROJANHUNTER 3.9\THGUARD.EXE"
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [Machine Debug Manager] C:\WINDOWS\SYSTEM\MDM.EXE
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: America Online Tray Icon.lnk = C:\Program Files\America Online 7.0\aoltray.exe
O4 - Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O9 - Extra button: Real.com (HKLM)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: DigiChat Applet - http://host6.digicha...s/Client_IE.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yaho...s/yinst0401.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: ChatSpace Full Java Client 4.0.0.301 - http://63.102.226.24...va/cfs40301.cab
O16 - DPF: ChatSpace Full Java Client 4.0.0.300 - http://about.chatspa...va/cfs40300.cab
O16 - DPF: {2C8EEB84-6D60-11D4-BD64-0050048A82BF} (eshare communications NetAgent Customer ActiveX Control version 2) - http://billing-a.mhi...s/custappx2.CAB
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...CAB?38131.50625
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.micr...922/wmv9VCM.CAB
O16 - DPF: {10ABC6DB-E091-4EAE-98DD-21B5A2460714} (DetInstaller Class) - http://www.pandasoft...s/AvDetInst.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 209.253.113.2,209.253.113.18

#7 PGPhantom (Superman of SWI, Emeritus, 3,494 posts)

Posted 27 July 2004 - 01:37 PM

Your log does not show any sign of infection - Can you follow the steps below and set EACH ONE of the suggestions up - Reboot and let me know if it is okay.

Here are some tips, to reduce the potential for spyware infection in the future, I strongly recommend installing the following applications:
  • Spywareblaster <= SpywareBlaster will prevent spyware from being installed.
  • Spywareguard <= SpywareGuard offers realtime protection from spyware installation attempts.
  • How to use Ad-Aware to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Ad-Aware.
  • How to use Spybot to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Spybot. Similar to Ad-Aware, I strongly recommend both to catch most spyware.
To protect yourself further:
  • IE/Spyad <= IE/Spyad places over 4000 websites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.
  • MVPS Hosts file <= The MVPS Hosts file replaces your current HOSTS file with one containing well-known ad sites, etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer.
  • Google Toolbar <= Get the free google toolbar to help stop pop up windows.
I also suggest that you delete any files from "temp", "tmp" folders. In Internet Explorer, click on "Tools" => "Internet Options" => "Delete Files" and select the box that says "Delete All Offline Content" and click on "OK" twice. Also, empty the recycle bin by right clicking on it and selecting "Empty Recycle Bin". These steps should be done on a regular basis.

#8 Vickie (Full Member, 7 posts)

Posted 27 July 2004 - 02:09 PM

Thank you for all of your help! I will download the items you suggested that I don't already use.

You've been a lifesaver!

#9 Vickie (Full Member, 7 posts)

Posted 29 July 2004 - 08:46 AM

Here is a list of items in my temporary directory that cannot be deleted. They showed up at the same time I started having problems resulting from the Trojan. Can you assist me in getting rid of them? Are they associated with a problem I still might have?

Thank you in advance for your help!

~Vickie

~DF2487.TMP
~DFBF44.TMP
2yvuaenoyi.ABI
ladHide5.dll
me_fH6SP93tEGaroib
me_hGQnr0Lz5usP8
me_oMLF6ecgPHAWjjk
me_ROuGSnFFo9jzHvq
me_tvtmZ6aRaHxiKFd
me_UwFvqfJGyKbQFfn
me_w5FdUSdJAPuay8V

#10 Vickie (Full Member, 7 posts)

Posted 29 July 2004 - 10:07 AM

Hello? Anyone out there?

#11 PGPhantom (Superman of SWI, Emeritus, 3,494 posts)

Posted 29 July 2004 - 03:17 PM

Don't be so impatient... Less than 1 1/2 hours had passed and I am not on-line 24x7.

The ~*.TMP are fine - No worry there. The others need to be deleted. If you select each one individually, are you able to delete? If not, what is the error that you get?
