

can i delete this file????


Original Message
Name: cheryl
Date: August 9, 2003 at 01:42:50 Pacific
Subject: can i delete this file????
OS: windows 98
CPU/Ram: will check
Comment:

Hi

I'm at my in-laws'; they don't have an antivirus (eek!!), so I did an online scan and it tells me they have Troj AOL PSW.MR in C:\windows\windrive.exe. I've tried cleaning it with a number of online programs but no luck, and as they don't speak English and we'll be gone in a week, I don't really want to use a "30-day free trial" because they won't know how to decline!! My question is, can I delete windrive.exe without causing any problems? (Windows 98 was preinstalled on their computer, so I can't even use the recovery disk.)

Thanks a lot for your help.





Response Number 1
Name: Tom41
Date: August 9, 2003 at 01:52:27 Pacific
Reply:

Hi cheryl, there will be one or more registry entries that need to be removed before you can delete the file.

Download 'HijackThis!'. Unzip it, double-click HijackThis.exe, and hit "Scan".
When the scan is finished, click "Save Log", and copy and paste it in a reply.

HijackThis!



Response Number 2
Name: Tom41
Date: August 9, 2003 at 02:18:05 Pacific
Reply:

There's just one registry entry...
Click Start > Run > type msconfig and click OK.
Click the Startup tab and uncheck the entry for C:\Windows\windrive.exe. Click Apply/OK and reboot.

Delete windrive.exe.

**This is a password stealing trojan, so change all passwords.



Response Number 3
Name: michael2
Date: August 9, 2003 at 03:47:32 Pacific
Reply:

Adding to what Tom41 says...
Get a free anti-virus program.
AVG 6 is free from www.grisoft.com; I think version 7 is a paid-for version.
Update the definitions and show your parents how to set a scan. You can set it to scan and update automatically, but I don't like this as it may kick in when you are installing a program or something.



Response Number 4
Name: cheryl
Date: August 10, 2003 at 01:49:51 Pacific
Reply:

Thanks a million - I just did the HijackThis scan and here's the log...

Logfile of HijackThis v1.96.0
Scan saved at 10:47:10, on 10/08/03
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v5.50 (5.50.4134.0600)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\ATWMODEM.101\atwmodem.exe
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\PNPCHK.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\WINDRIVE.EXE
C:\PROGRAM FILES\REAL\REALPLAYER\REALPLAY.EXE
C:\WINDOWS\SYSTEM\LVCOMS.EXE
C:\PROGRAM FILES\LOGITECH\IMAGESTUDIO\LOGITRAY.EXE
C:\PROGRAM FILES\MICROSOFT MONEY\SYSTEM\REMINDER.EXE
C:\AOL 6.0\AOLTRAY.EXE
C:\PROGRAM FILES\WINDOWS MEDIA COMPONENTS\ENCODER\WMENCAGT.EXE
C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
C:\PROGRAM FILES\SONY CORPORATION\IMAGE TRANSFER\SONYTRAY.EXE
C:\AOL 6.0\WAOL.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\BUREAU\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://rd.companion.yahoo.com/slv/ycheck/as/*http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://rd.yahoo.com/customize/ymsgr/defaults/sp/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://rd.yahoo.com/customize/ymsgr/defaults/*http://my.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://rd.yahoo.com/customize/ymsgr/defaults/*http://my.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://rd.yahoo.com/customize/ymsgr/defaults/sb/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://rd.yahoo.com/customize/ymsgr/defaults/sp/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://rd.yahoo.com/customize/ymsgr/defaults/*http://my.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://rd.yahoo.com/customize/ymsgr/defaults/su/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer fourni par AOL
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://rd.yahoo.com/customize/ymsgr/defaults/su/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://proxycfg.marketscore.com/gencfg.asp?id1=xknnMYGXNh5&id2=U170btwUq5f&lp=1&nsv=5.0.0.7
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\windows\SYSTEM\blank.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: Yahoo! Companion BHO - {13F537F0-AF09-11d6-9029-0002B31F9E59} - C:\PROGRAM FILES\YAHOO!\COMMON\YCOMP5,0,2,0.DLL (file missing)
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMMON\YCOMP5,0,2,0.DLL (file missing)
O3 - Toolbar: @msdxmLC.dll,-1@1036,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [PNPCHK] PNPCHK.EXE
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [Drivers] C:\WINDOWS\WinDrive.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [LVComs] c:\windows\SYSTEM\LVComS.exe
O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Program Files\Logitech\ImageStudio\ISStart.exe
O4 - HKLM\..\Run: [LogitechImageStudioTray] C:\Program Files\Logitech\ImageStudio\LogiTray.exe
O4 - HKLM\..\RunServices: [Winmodem] C:\WINDOWS\SYSTEM\ATWMODEM.101\atwmodem.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKCU\..\Run: [Reminder] C:\Program Files\Microsoft Money\System\reminder.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [LDM] \Program\BackWeb-8876480.exe
O4 - Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Startup: Icône AOL.lnk = C:\AOL 6.0\aoltray.exe
O4 - Startup: Pense-bête.lnk = C:\Program Files\Mindscape\PrintMaster\PMREMIND.EXE
O4 - Startup: Encoder Agent.lnk = C:\Program Files\Windows Media Components\Encoder\WMENCAGT.EXE
O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O4 - Startup: Image Transfer.lnk = C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe
O8 - Extra context menu item: Envoyer l'image vers la bibliothèque - file://C:\WINDOWS\Application Data\MGI\PhotoSuite4\Temp\MGI00000.html
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Real.com (HKLM)
O10 - Broken Internet access because of LSP provider 'csloa.dll' missing
O11 - Options group: [Accessibilité] Accessibilité
O12 - Plugin for .mov: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .mid: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.aol.fr
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003080601/housecall.antivirus.com/housecall/xscan53.cab

I can delete all the Yahoo stuff because the Yahoo Messenger that was installed has long since been deleted. OK, I'm off to play with the registry and download a freebie AV.

Thanks again,
Cheryl



Response Number 5
Name: Setter
Date: August 12, 2003 at 12:24:11 Pacific
Reply:

Hi Cheryl,

Run an updated Spybot Search and Destroy ( http://security.kolla.de/ ), fix all items in RED and reboot. Then, after closing all browser windows, fix the remaining items listed below using HijackThis and reboot again.

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://proxycfg.marketscore.com/gencfg.asp?id1=xknnMYGXNh5&id2=U170btwUq5f&lp=1&nsv=5.0.0.7

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens

O2 - BHO: Yahoo! Companion BHO - {13F537F0-AF09-11d6-9029-0002B31F9E59} - C:\PROGRAM FILES\YAHOO!\COMMON\YCOMP5,0,2,0.DLL (file missing)

O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMMON\YCOMP5,0,2,0.DLL (file missing)

O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst.cab

----------------

Tom41 wrote:

There's just 1 registry entry...
Click Start > Run > type msconfig and click OK.
Click the startup tab and uncheck the entry for C:\Windows\windrive.exe. Click apply/ok and reboot.
Delete windrive.exe.
**This is a password stealing trojan, so change all passwords.

Did you do what Tom suggested? You still have the entry
O4 - HKLM\..\Run: [Drivers] C:\WINDOWS\WinDrive.exe
Trojan "Backdoor.Nibu"; see http://www.symantec.com/avcenter/venc/data/backdoor.nibu.html

After following Tom's instructions, you could also remove the remaining files by using Symantec's removal instructions.

In addition:
You could also try to remove it using an anti-trojan program (since you're worried about 30-day programs, remove it after you're done). I recommend either TrojanHunter or TDS-3 (both have thirty-day trials). Generally, anti-virus programs do have some trojan detection/removal, but they are not in the anti-trojan business, so it is a good idea to use an anti-trojan program.

You really should install an anti-virus program. Since you don't have one, you could also use the following online AV scanners (in addition to the one you already used):
- Panda ActiveScan http://www.pandasoftware.es/activescan/activescan-com.asp
- Trend Micro Housecall http://housecall.antivirus.com/
I recommend Panda ActiveScan first and Trend HouseCall second, as the two best online scans.

----------------------

Do not fix this with HijackThis; you may lose your internet connection.

O10 - Broken Internet access because of LSP provider 'csloa.dll' missing
'csloa.dll' was a file that was installed with Marketscore. The 'csloa.dll' file is loaded by NSCHECK.exe, but since NSCHECK.exe loads from the startup group and is not in your HijackThis logfile, it must have already been removed.

If Spybot S&D did not correct this entry (Spybot S&D does remove Marketscore), what I'd do is download and run LSP-Fix, available from http://www.cexx.org/lspfix.htm; it does a good job of fixing corrupted LSP stacks.

---------------------
Now back to spyware. For the future, see "So how did I get infected in the first place?" http://www.net-integration.net/cgi-bin/forum/ikonboard.cgi?;act=ST;f=38;t=3051

Four of the most recommended anti-spyware programs are SpywareBlaster, SpywareGuard, Spybot S&D and Ad-aware. If you install all four programs, keep them updated, and scan with Spybot S&D and Ad-aware periodically, you will be fairly well protected from spyware.

Thought I would mention that SpywareGuard includes a browser hijack stopper (Javacool calls it Browser Hijack Blaster) that protects your system from browser hijackers and spyware that alters your Internet Explorer settings.

Good Luck!



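Editor's note: the checks the replies above walk through by hand (Tom41's HKLM\..\Run value pointing at an unfamiliar executable in the Windows folder, Setter's AutoConfigURL pointing at a third-party proxy script, and the O10 entry that must be repaired rather than deleted) can be scripted. The Python below is an added example for this thread; it is not HijackThis code and not something any of the posters wrote. It parses a few constructed lines in the same format as Cheryl's log, flags them, and writes a REGEDIT4 file that `regedit /s` on Windows 9x can apply to delete the flagged values, which is the scripted equivalent of the msconfig/HijackThis "fix" step. The allowlist of stock Windows 98 programs that start from C:\WINDOWS, the known-bad name list and the install path are assumptions drawn only from this thread.

```python
"""Triage a HijackThis-style log and emit a REGEDIT4 file that deletes the
flagged autostart values.  Added example for this thread; not HijackThis code.
Run it as-is to see the output for the constructed sample log below."""
import re

# Constructed sample in the same shape as the log posted above (not the full log).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://proxycfg.marketscore.com/gencfg.asp?id1=x&lp=1
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [Drivers] C:\WINDOWS\WinDrive.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKCU\..\Run: [LDM] \Program\BackWeb-8876480.exe
O10 - Broken Internet access because of LSP provider 'csloa.dll' missing
"""

# HijackThis abbreviates the autostart keys as HKLM\..\Run; regedit needs the full path.
HIVES = {"HKLM": "HKEY_LOCAL_MACHINE", "HKCU": "HKEY_CURRENT_USER"}
RUN_BASE = r"Software\Microsoft\Windows\CurrentVersion"

# Assumptions for this example: stock Windows 98 programs that legitimately start
# from the Windows folder itself, and the binary this thread identified as the stealer.
WIN98_ROOT_OK = {"scanregw.exe", "taskmon.exe", "explorer.exe"}
KNOWN_BAD = {"windrive.exe"}
WINDOWS_DIR = r"c:\windows"  # install path shown in the posted log (assumed)

O4_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\(Run|RunServices|RunOnce): \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
R_RE = re.compile(r"^R[01] - (HKLM|HKCU)\\(?P<key>[^,]+),(?P<value>[^=]+?) = (?P<data>.*)$")


def classify_o4(cmd):
    """Return (severity, reason) for an O4 command line, or (None, None) if it looks normal."""
    m = re.match(r"(.*?\.exe)", cmd, re.I)  # path may contain spaces; stop at the first .exe
    exe = m.group(1).strip('"') if m else (cmd.split() or [""])[0]
    folder, _, base = exe.rpartition("\\")  # bare names (SysTray.Exe) give an empty folder
    folder, base = folder.lower(), base.lower()
    if base in KNOWN_BAD:
        return "HIGH", "known password-stealing trojan binary"
    if folder == WINDOWS_DIR and base not in WIN98_ROOT_OK:
        return "MEDIUM", "unfamiliar program started from the Windows folder"
    return None, None


def triage(log_text):
    """Scan the log; each finding carries 'key'/'value' when a registry value should be deleted."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        m = O4_RE.match(line)
        if m:
            sev, why = classify_o4(m.group("cmd"))
            if sev:
                findings.append({"severity": sev, "line": line, "reason": why,
                                 "key": f"{HIVES[m.group(1)]}\\{RUN_BASE}\\{m.group(2)}",
                                 "value": m.group("name")})
            continue
        m = R_RE.match(line)
        if m and m.group("value").strip() == "AutoConfigURL":
            host = re.sub(r"^https?://", "", m.group("data")).split("/")[0]
            findings.append({"severity": "HIGH", "line": line,
                             "reason": f"proxy auto-config fetched from {host}: a third party can route every web request",
                             "key": f"{HIVES[m.group(1)]}\\{m.group('key')}",
                             "value": "AutoConfigURL"})
            continue
        if line.startswith("O10 - "):
            # A missing LSP DLL leaves a hole in the Winsock chain; deleting the entry
            # outright is what breaks connectivity, so the chain must be repaired instead.
            findings.append({"severity": "INFO", "line": line, "key": None, "value": None,
                             "reason": "broken Winsock LSP chain: repair with an LSP tool, do not just delete"})
    return findings


def removal_reg(findings):
    """Build a REGEDIT4 file; a "name"=- line deletes that value when applied with regedit /s."""
    out = ["REGEDIT4", ""]
    for f in findings:
        if f["key"] is None:
            continue
        out += [f"; {f['severity']}: {f['reason']}", f"[{f['key']}]", f'"{f["value"]}"=-', ""]
    return "\n".join(out)


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for f in found:
        print(f"{f['severity']:<6} {f['reason']}\n       {f['line']}")
    print()
    print(removal_reg(found))
```

To use it on a real log, paste the log into SAMPLE_LOG and save the printed REGEDIT4 text as a .reg file. The order Tom41 gives still applies: apply the .reg (or uncheck the entry in msconfig), reboot so the process is no longer running, then delete the file, then change the passwords. Entries marked "(file missing)" in the log are leftovers of uninstalled software, not signs of infection.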






