Warning

 

Close

Confirm Action

Are you sure you wish to do this?

Confirm Cancel
Member Login
Site Notices
Posted: 9/23/2004 10:01:41 AM EST
[Last Edit: 9/23/2004 10:32:13 AM EST by MrsGungho]
Well obviously not mine, but our daughters has been. She was on line yesterday morning and things were fine. After she returned from school, she couldn't log on to anything. Also had a wide array of windows pop up telling her this or that is missing. The main problem I have been able to figure out is Idctup20 was installed on her computer at 6:33am yesterday. My search of this file has led me to believe this is way over my head on fixing it. Has anyone had any experience in solving this and can a novice fix it or should said novice take it out somewhere.?
Her system is running windows 98 and we do NOT have a back up disc for W98. It was destroyed by a small child named lilgungho.

Logfile of HijackThis v1.97.7
Scan saved at 2:26:31 PM, on 9/23/04
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\SA3DSRV.EXE
C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\VSHWIN32.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\WEBSCANX.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\VSSTAT.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\MOUSE\SYSTEM\EM_EXEC.EXE
C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\CPQEADM.EXE
C:\COMPAQ\INTERNET\CISRVR.EXE
C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\AVCONSOL.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\LOADQM.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\BTTNSERV.EXE
C:\PROGRAM FILES\COMPAQ\ON-SCREEN DISPLAY\OSD.EXE
C:\WINDOWS\EXPLORER.EXE
E:\HIJACKTHIS.EXE
C:\WINDOWS\SYSTEM\TAFQX5MO.EXE
C:\WINDOWS\SYSTEM\YWBV.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.presario.net/scripts/redirectors/presario/srchredir.dll?c=2c99&lc=0409&s=search&i=enu
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.presario.net/scripts/redirectors/presario/srchredir.dll?c=2c99&lc=0409&s=search&i=enu
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.presario.net/scripts/redirectors/presario/srchredir.dll?c=2c99&lc=0409&s=search&i=enu
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
N1 - Netscape 4: user_pref("browser.startup.homepage", "http://presario.my.yahoo.com/"); (C:\Program Files\Netscape\Users\default\prefs.js)
O2 - BHO: (no name) - {A3FDD654-A057-4971-9844-4ED8E67DBBB8} - C:\PROGRAM FILES\SIDEFIND\SFBHO.DLL
O2 - BHO: (no name) - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - C:\PROGRAM FILES\SEP\SEP.DLL
O2 - BHO: (no name) - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - C:\WINDOWS\SYSTEM\MSBE.DLL
O2 - BHO: (no name) - {AEECBFDA-12FA-4881-BDCE-8C3E1CE4B344} - C:\WINDOWS\SYSTEM\NVMS.DLL
O2 - BHO: (no name) - {CE188402-6EE7-4022-8868-AB25173A3E14} - C:\WINDOWS\SYSTEM\MSCB.DLL
O2 - BHO: (no name) - SOFTWARE - (no file)
O2 - BHO: (no name) - {87E4D460-0C09-11D9-BD2E-00045A6A3C8E} - C:\WINDOWS\SYSTEM\NNHTU.DLL
O2 - BHO: (no name) - {002EB272-2590-4693-B166-FBD5D9B6FEA6} - C:\WINDOWS\MULTIMPP.DLL
O2 - BHO: (no name) - {0019C3E2-DD48-4A6D-ABCD-8D32436323D9} - C:\WINDOWS\BXXS5.DLL
O2 - BHO: ohb - {4D568F0F-8AC9-40AB-88B7-415134C78777} - C:\WINDOWS\SYSTEM\WINB2S32.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: Begin2Search.com Bar - {52FE5233-367C-4EFB-BDD7-0BE4D212C107} - C:\WINDOWS\SYSTEM\WINB2S32.DLL
O3 - Toolbar: Band Class - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - C:\PROGRAM FILES\SEP\SEP.DLL
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [EM_EXEC] c:\mouse\system\em_exec.exe
O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\Compaq\Easy Access Button Support\cpqeadm.exe
O4 - HKLM\..\Run: [EACLEAN] C:\Program Files\Compaq\Easy Access Button Support\eaclean.exe
O4 - HKLM\..\Run: [Aureal A3D Interactive Audio Init] A3dInit.exe
O4 - HKLM\..\Run: [Compaq Internet Setup] C:\Compaq\Internet\InetWizard.exe /RUN
O4 - HKLM\..\Run: [CISrvr Program] C:\COMPAQ\INTERNET\CISRVR.EXE
O4 - HKLM\..\Run: [AvconsoleEXE] C:\Program Files\Network Associates\McAfee VirusScan\avconsol.exe /minimize
O4 - HKLM\..\Run: [VsecomrEXE] C:\Program Files\Network Associates\McAfee VirusScan\VSECOMR.EXE
O4 - HKLM\..\Run: [Vshwin32EXE] C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\VSHWIN32.EXE
O4 - HKLM\..\Run: [VsStatEXE] C:\Program Files\Network Associates\McAfee VirusScan\VSSTAT.EXE /SHOWWARNING
O4 - HKLM\..\Run: [Service Connection] c:\cpqs\bwtools\bwtray.exe
O4 - HKLM\..\Run: [ICSDCLT] c:\windows\rundll32.exe c:\windows\SYSTEM\icsdclt.dll,ICSClient
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [CompaqSysTray] cpqpscp.exe
O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe C:\PROGRA~1\WILDTA~1\APPS\CDA\CDAENG~1.DLL,cdaEngineMain
O4 - HKLM\..\Run: [McAfeeWebScanX] C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\WebScanX.Exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [9l3] C:\WINDOWS\TEMP\9L3.EXE
O4 - HKLM\..\Run: [bxxs5] RunDLL32.EXE C:\WINDOWS\BXXS5.DLL,DllRun
O4 - HKLM\..\Run: [mmmdsjjmwzeho] C:\WINDOWS\SYSTEM\fomlrz.exe
O4 - HKLM\..\Run: [56QNF6M4W47LZL] C:\WINDOWS\SYSTEM\YwbV.exe
O4 - HKLM\..\Run: [NaviSearch] C:\Program Files\NaviSearch\bin\nls.exe
O4 - HKLM\..\Run: [WebRebates0] "C:\PROGRAM FILES\WEB_REBATES\WebRebates0.exe"
O4 - HKLM\..\Run: [nnhtuc] C:\WINDOWS\SYSTEM\nnhtuc.exe
O4 - HKLM\..\Run: [intdctrr] C:\WINDOWS\SYSTEM\idctup20.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [Aureal A3D Interactive Audio] sa3dsrv.exe
O4 - HKLM\..\RunServices: [ConfigServices] C:\CPQS\TOOLS\CONFIG.EXE
O4 - HKLM\..\RunServices: [Vshwin32EXE] C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\VSHWIN32.EXE
O4 - HKLM\..\RunServices: [HC Reminder] hc.exe
O4 - HKLM\..\RunServices: [SSDPSRV] c:\windows\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [McAfeeWebScanX] C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\WebScanX.Exe /RUNSERVICES
O4 - HKCU\..\Run: [Weather] C:\PROGRAM FILES\AWS\WEATHERBUG\WEATHER.EXE 1
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - Startup: Download Plus.lnk = C:\WINDOWS\Application Data\DownloadPlus.exe
O8 - Extra context menu item: AltaVista Home - http://jump.altavista.com/avie5/home
O8 - Extra context menu item: AV Search This Term - http://jump.altavista.com/avie5/search
O8 - Extra context menu item: AV Translate this Web Page - http://jump.altavista.com/avie5/babelfish
O8 - Extra context menu item: AV Translate Selection - http://jump.altavista.com/avie5/babelfish
O8 - Extra context menu item: Web Rebates - file://C:\PROGRAM FILES\WEB_REBATES\Sy1150\Tp1150\scri1150a.htm
O9 - Extra 'Tools' menuitem: &AltaVista Home (HKLM)
O9 - Extra button: Translate (HKLM)
O9 - Extra 'Tools' menuitem: AV &Translate (HKLM)
O9 - Extra 'Tools' menuitem: &Find Pages Linking to this URL (HKLM)
O9 - Extra 'Tools' menuitem: Find Other Pages on this &Host (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: SideFind (HKLM)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {9DBAFCCF-592F-FFFF-FFFF-00608CEC297C} - http://download.weatherbug.com/minibug/tricklers/AWS/minibuginstaller.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {7A32634B-029C-4836-A023-528983982A49} (MSN Chat Control 4.2) - http://fdl.msn.com/public/chat/msnchat42.cab
O16 - DPF: {BE5431D2-0F30-11D4-89D9-00C04F509C0A} (SDCInstaller Class) - http://www.stamps.com/download/us/cab/stamps/stamps.cab?r=0.4866943359375&file=stamps.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - http://us.dl1.yimg.com/download.yahoo.com/dl/toolbar/my/yiebio5_0_2_1.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37620.808912037
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab

Link Posted: 9/23/2004 10:05:00 AM EST
Google Idctup20.
You will more than likely need a WIN 98 disk to fix your problem.
Link Posted: 9/23/2004 10:09:49 AM EST
[Last Edit: 9/23/2004 10:10:08 AM EST by ColonelKlink]
Link Posted: 9/23/2004 10:20:30 AM EST
If you are all on a wireless network in the house or on a hub together, you really need to unplug her from your network. You should unplug her from the internet anyway because the machine is basically "owned" by someone else now and who knows what they are using it for.

One or both of two things happened - either someone clicked on a popup or e-mail spam that installed MalWare or you installed things like Kazaa (Gator, GAIN) or other shitware; they contain licensing agreements that allow them to install anything they want, whenever they want, without your knowledge.

You'll probably wind up reinstalling the machine - a "repair" install or full operating system upgrade would be best to save any data on the machine. If there is no data you're worried about, like documents or pictures or old e-mails, then do a full reinstall, including a re-format of the drive.

If you can, pull down service packs and patches from the web on a different machine and burn them to CD, then put them on your child's PC. Install anti-virus, SpyBot, AdAware and a firewall like ZoneAlarm the same way. Then, and only then, connect to the machine to the internet.
Link Posted: 9/23/2004 10:35:36 AM EST

Originally Posted By BayEagle:
If you are all on a wireless network in the house or on a hub together, you really need to unplug her from your network. You should unplug her from the internet anyway because the machine is basically "owned" by someone else now and who knows what they are using it for.

One or both of two things happened - either someone clicked on a popup or e-mail spam that installed MalWare or you installed things like Kazaa (Gator, GAIN) or other shitware; they contain licensing agreements that allow them to install anything they want, whenever they want, without your knowledge.

You'll probably wind up reinstalling the machine - a "repair" install or full operating system upgrade would be best to save any data on the machine. If there is no data you're worried about, like documents or pictures or old e-mails, then do a full reinstall, including a re-format of the drive.

If you can, pull down service packs and patches from the web on a different machine and burn them to CD, then put them on your child's PC. Install anti-virus, SpyBot, AdAware and a firewall like ZoneAlarm the same way. Then, and only then, connect to the machine to the internet.



It is on a hub, it was unplugged yesterday when we realized the error. We've had no problems with our pc.
We have adaware and spybot search and destroy on her machine now, adaware runs, deletes stuff but still no worky pc. Spybot is missing something for it to run. My guess is the little trojan at work there since it worked before.
No data on the machine that we are worried about. We just don't have a disc to reinstall from.
Link Posted: 9/23/2004 11:05:54 AM EST
Link Posted: 9/23/2004 11:13:46 AM EST
Link Posted: 9/23/2004 11:23:37 AM EST
Link Posted: 9/23/2004 12:06:34 PM EST

Originally Posted By JarheadChiro:
This really helped me.
forums.majorgeeks.com/showthread.php?t=35407



tagged for review later
Top Top