Full Version: Multiple infections
Gladiator Security Forum > Malware Help Forum > HELP! Think you are Infected?
henna_hannah
Have been running multiple antispyware programs. One hurried misclick landed me on a site which seemed to instantly load a ratsnest of serious spyware, including possibly CoolWebSearch.

Now "about:blank" is the default browser page. The Start button menu has minimized itself to a useless vertical blue bar with "Windows 98".

When searching with my Google toolbar, I get a message that the program has performed an illegal operation and will be shut down. Then IE locks up. If I re-open IE and enter an address, I can go to the site I want.

Spybot S&D tried to protect against changes to registry, but was not completely effective.

Have made a HijackThis log and saved it to a folder on the hard drive, but am unable to open the HJT log.

When I try to open it from grey File Download prompt card, it gives another prompt card until I click Save or Cancel. Is this an indicator of my limited skills (probably) or spyware protecting itself?

Appreciative for any help you can give,

henna_hannah
$teve
Hi................ Find the log that HijackThis made, right click it and choose "Copy".
Then right click the desktop and choose "Paste".
Now double click the desktop copy you just made. If the log opens OK, right click the page and choose "Select all". Right click again, choose "Copy", and paste the log in your next reply here.

;)
henna_hannah
Thanks $teve!

The actual log that HJT created does not respond to a right click anywhere except the title bar, which does not offer copy or paste.

I located the file stored on my C drive, then copied and pasted it to my Desktop.

When I double click on the Desktop icon for hijackthis.log, I get the grey File Download message to Open, Save or Cancel. Same for a right click and Open. Either approach starts the circular pattern described in the original post: one grey File Download card after another when I click Open until I finally hit Cancel.

As an experiment, I tried copying and pasting from the Desktop icon to a new email and to a new WordPad document.

Nothing showed on the email. In WordPad, the icon pasted but no copy will come up.

Is there anything else I can try?

Thanks,
henna_hannah
Mosaic1
Go to your C:\windows folder.

Find notepad.exe
Right click on notepad.exe and click on copy

Open your C:\windows\system32 folder.

Right click on an empty space in the system32 folder and choose Paste from the menu. If asked if you want to replace or overwrite the current files, say yes.

Now you should have a legitimate Notepad.exe in the System32 folder.

Go back and see if the log will now open.

If not, run hijackthis again. Save the log but do not close it. Copy and paste the contents into your next reply here.
henna_hannah
Thanks for the help!

Followed instructions (i.e. Notepad and System32 folder) - log will still not open from desktop. (Notepad is now showing in the System32 folder.)

Ran "Hijack This" again - it will not let me select so I can copy - only select one line item at a time.

When I click on "info", I do get other information, which I can select and paste.
Will this help?

henna_hannah
Mosaic1
Let's check a few things. Right click on the log and select open with. Open it with notepad. Does that work?

Are you able to run Hijackthis now and get it to show you a new log? If so, that would be good.
Hunter
As Mosaic says, try to open it with the right click..but if you do not see the "open with" ability there...first left click on the note pad once so that it is highlighted..then hold down your shift key and at the same time do a right click..you will then be able to see the "open with".

You can also try to do it all in the safe mode..and your note pad might work.
Mosaic1
Hi Hunter,

Good catch. Windows 98 was mentioned. I missed that. That copy of notepad in system32 is not going to do much. It's a backup. As I remember, log doesn't have an automatic file association and so you need to create it. Then the log should open.


Mo
Hunter
As I remember, log doesn't have an automatic file association and so you need to create it. Then the log should open

Yes.. :thumb:


I was also wondering if he could do Start > Run, then type in msconfig, then the Startup tab..and tell us what things have a check mark in it..and/or do Ctrl+Alt+Del..and then end task on all processes from running except explorer and systray to find out if that would help him..sounds like he has one of those CWS thingies that also steals or gives him one of those fake notepads that is really part of an exploit...that loads more junk from the net when he tries to use it.
Hunter
Since your start menu seems to be that useless bar just displaying the Windows 98 vertical thingie :( ..I wonder if you can get that PC into safe mode and then you can see the stuff that is usually there..

These are some of the ways to get into safe mode with win 98..


http://forum.gladiator-antivirus.com/index...t=0&#entry92346

Also I am assuming that the only way you have been shutting down is hitting that old off button..is that right?
henna_hannah
You guys are great!!

Following Hunter's suggestion of clicking left, then holding down the Shift key while clicking right, I'm able to show you the HJT and Ad-Aware SE logs:

Logfile of HijackThis v1.99.1
Scan saved at 1:28:14 AM, on 4/18/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
C:\WINDOWS\IENN32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\GIANT COMPANY SOFTWARE\GIANT ANTISPYWARE\GCASSERV.EXE
C:\PROGRAM FILES\SUNBELT SOFTWARE\COUNTERSPY CLIENT\SUNASDTSERV.EXE
C:\PROGRAM FILES\SUNBELT SOFTWARE\COUNTERSPY CLIENT\SUNASSERV.EXE
C:\WINDOWS\SYSTEM\ATLVA32.EXE
C:\PROGRAM FILES\SPYBOT - SEARCH & DESTROY\TEATIMER.EXE
C:\PROGRAM FILES\HP OFFICEJET SERIES 600\BIN\HPOSTART.EXE
C:\PROGRAM FILES\ALURIA SOFTWARE\ASE\ASESCH~1.EXE
C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\HP OFFICEJET SERIES 600\BIN\HPOJVDIX.EXE
C:\WINDOWS\SYSTEM\HPOMLCH.EXE
C:\PROGRAM FILES\GIANT COMPANY SOFTWARE\GIANT ANTISPYWARE\GCASDTSERV.EXE
C:\PROGRAM FILES\ALURIA SECURITY CENTER\SECURITYCENTER.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system\quyqy.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system\quyqy.dll/sp.html#28129
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.airmail.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system\quyqy.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system\quyqy.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = www.google.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system\quyqy.dll/sp.html#28129
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Class - {04E055AE-D319-DC99-2F97-5098BC94CC0B} - C:\WINDOWS\SYSTEM\APPBM32.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\GIANT Company Software\GIANT AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [SUNASDTSERV] C:\PROGRAM FILES\SUNBELT SOFTWARE\COUNTERSPY CLIENT\SUNASDTSERV.exe
O4 - HKLM\..\Run: [sunasServ] C:\Program Files\Sunbelt Software\CounterSpy Client\sunasServ.exe
O4 - HKLM\..\Run: [ATLVA32.EXE] C:\WINDOWS\SYSTEM\ATLVA32.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
O4 - HKLM\..\RunServices: [IENN32.EXE] C:\WINDOWS\IENN32.EXE /s
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: HP OfficeJet Series 600 StartUp.lnk = C:\Program Files\HP OfficeJet Series 600\bin\HPOstart.exe
O4 - Startup: ASE Scheduler.lnk = C:\Program Files\Aluria Software\ASE\ASESCH~1.EXE
O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsearch.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsimilar.html
O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmtrans.html
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O15 - Trusted Zone: *.doxdesk.com
O15 - Trusted Zone: www.dbti.com
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {4FAE30E1-EE9C-477D-8D06-BF8D3429B60F} -
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = swbell.com
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 151.164.1.8,151.164.1.7



Ad-Aware SE Build 1.05
Logfile Created on:Monday, April 18, 2005 2:06:06 AM
Created with Ad-Aware SE Personal, free for private use.
Using definitions file:SE1R38 11.04.2005
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

References detected during the scan:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
CoolWebSearch(TAC index:10):21 total references
MRU List(TAC index:0):13 total references
Possible Browser Hijack attempt(TAC index:3):3 total references
Tracking Cookie(TAC index:3):11 total references
VX2(TAC index:10):3 total references
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Ad-Aware SE Settings
===========================
Set : Search for negligible risk entries
Set : Safe mode (always request confirmation)
Set : Scan active processes
Set : Scan registry
Set : Deep-scan registry
Set : Scan my IE Favorites for banned URLs
Set : Scan my Hosts file

Extended Ad-Aware SE Settings
===========================
Set : Unload recognized processes & modules during scan
Set : Scan registry for all users instead of current user only
Set : Always try to unload modules before deletion
Set : Let Windows remove files in use at next reboot
Set : Delete quarantined objects after restoring
Set : Include basic Ad-Aware settings in log file
Set : Include additional Ad-Aware settings in log file
Set : Include reference summary in log file
Set : Include alternate data stream details in log file
Set : Play sound at scan completion if scan locates critical objects


4-18-05 2:06:06 AM - Scan started. (Full System Scan)

MRU List Object Recognized!
Location: : .DEFAULT\software\nico mak computing\winzip\filemenu
Description : winzip recently used archives


MRU List Object Recognized!
Location: : .DEFAULT\software\microsoft\windows\currentversion\applets\wordpad\recent file list
Description : list of recent files opened using wordpad


MRU List Object Recognized!
Location: : .DEFAULT\software\microsoft\windows\currentversion\explorer\runmru
Description : mru list for items opened in start | run


MRU List Object Recognized!
Location: : .DEFAULT\software\microsoft\mediaplayer\player\recentfilelist
Description : list of recently used files in microsoft windows media player


MRU List Object Recognized!
Location: : .DEFAULT\software\microsoft\internet explorer
Description : last download directory used in microsoft internet explorer


MRU List Object Recognized!
Location: : software\microsoft\directdraw\mostrecentapplication
Description : most recent application to use microsoft directdraw


MRU List Object Recognized!
Location: : .DEFAULT\software\ahead\nero - burning rom\recent file list
Description : list of recently used files in nero burning rom


MRU List Object Recognized!
Location: : .DEFAULT\software\google\navclient\1.1\history
Description : list of recently used search terms in the google toolbar


MRU List Object Recognized!
Location: : .DEFAULT\software\microsoft\internet explorer\typedurls
Description : list of recently entered addresses in microsoft internet explorer


MRU List Object Recognized!
Location: : .DEFAULT\software\adobe\acrobat reader\5.0\avgeneral\crecentfiles
Description : list of recently used files in adobe reader


MRU List Object Recognized!
Location: : .DEFAULT\software\microsoft\mediaplayer\preferences
Description : last playlist loaded in microsoft windows media player


MRU List Object Recognized!
Location: : .DEFAULT\software\microsoft\windows\currentversion\explorer\doc find spec mru
Description : list of recently used search terms for locating files using the microsoft windows operating system


MRU List Object Recognized!
Location: : .DEFAULT\software\microsoft\windows media\wmsdk\general
Description : windows media sdk


Listing running processes
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

#:1 [KERNEL32.DLL]
FilePath : C:\WINDOWS\SYSTEM\
ProcessID : 4279227827
Threads : 4
Priority : High
FileVersion : 4.10.2222
ProductVersion : 4.10.2222
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Win32 Kernel core component
InternalName : KERNEL32
LegalCopyright : Copyright © Microsoft Corp. 1991-1999
OriginalFilename : KERNEL32.DLL

#:2 [MSGSRV32.EXE]
FilePath : C:\WINDOWS\SYSTEM\
ProcessID : 4294934799
Threads : 1
Priority : Normal
FileVersion : 4.10.2222
ProductVersion : 4.10.2222
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Windows 32-bit VxD Message Server
InternalName : MSGSRV32
LegalCopyright : Copyright © Microsoft Corp. 1992-1998
OriginalFilename : MSGSRV32.EXE

#:3 [SPOOL32.EXE]
FilePath : C:\WINDOWS\SYSTEM\
ProcessID : 4294936887
Threads : 2
Priority : Normal
FileVersion : 4.10.1998
ProductVersion : 4.10.1998
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Spooler Sub System Process
InternalName : spool32
LegalCopyright : Copyright © Microsoft Corp. 1994 - 1998
OriginalFilename : spool32.exe

#:4 [MPREXE.EXE]
FilePath : C:\WINDOWS\SYSTEM\
ProcessID : 4294864779
Threads : 1
Priority : Normal
FileVersion : 4.10.1998
ProductVersion : 4.10.1998
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : WIN32 Network Interface Service Process
InternalName : MPREXE
LegalCopyright : Copyright © Microsoft Corp. 1993-1998
OriginalFilename : MPREXE.EXE

#:5 [MSTASK.EXE]
FilePath : C:\WINDOWS\SYSTEM\
ProcessID : 4294844363
Threads : 2
Priority : Normal
FileVersion : 4.71.1972.1
ProductVersion : 4.71.1972.1
ProductName : Microsoft® Windows® Task Scheduler
CompanyName : Microsoft Corporation
FileDescription : Task Scheduler Engine
InternalName : TaskScheduler
LegalCopyright : Copyright © Microsoft Corp. 2000
OriginalFilename : mstask.exe

#:6 [KB891711.EXE]
FilePath : C:\WINDOWS\SYSTEM\KB891711\
ProcessID : 4294896707
Threads : 1
Priority : Normal
FileVersion : 4.10.2222
ProductVersion : 4.10.2222
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Windows KB891711 component
InternalName : KB891711
LegalCopyright : Copyright © Microsoft Corp. 1991-2005
OriginalFilename : KB891711.EXE

#:7 [mmtask.tsk]
FilePath : C:\WINDOWS\SYSTEM\
ProcessID : 4294842339
Threads : 1
Priority : Normal
FileVersion : 4.03.1998
ProductVersion : 4.03.1998
ProductName : Microsoft Windows
CompanyName : Microsoft Corporation
FileDescription : Multimedia background task support module
InternalName : mmtask.tsk
LegalCopyright : Copyright © Microsoft Corp. 1991-1998
OriginalFilename : mmtask.tsk

#:8 [EXPLORER.EXE]
FilePath : C:\WINDOWS\
ProcessID : 4294799467
Threads : 17
Priority : Normal
FileVersion : 4.72.3110.1
ProductVersion : 4.72.3110.1
ProductName : Microsoft® Windows NT® Operating System
CompanyName : Microsoft Corporation
FileDescription : Windows Explorer
InternalName : explorer
LegalCopyright : Copyright © Microsoft Corp. 1981-1997
OriginalFilename : EXPLORER.EXE

#:9 [SYSTRAY.EXE]
FilePath : C:\WINDOWS\SYSTEM\
ProcessID : 4294829251
Threads : 2
Priority : Normal
FileVersion : 4.10.2222
ProductVersion : 4.10.2222
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : System Tray Applet
InternalName : SYSTRAY
LegalCopyright : Copyright © Microsoft Corp. 1993-1998
OriginalFilename : SYSTRAY.EXE

#:10 [GCASSERV.EXE]
FilePath : C:\PROGRAM FILES\GIANT COMPANY SOFTWARE\GIANT ANTISPYWARE\
ProcessID : 4294824459
Threads : 5
Priority : Idle
FileVersion : 1.00.0349
ProductVersion : 1.00.0349
ProductName : GIANT AntiSpyware Service
CompanyName : GIANT Company Software inc.
FileDescription : GIANT AntiSpyware Service
InternalName : gcasServ
LegalCopyright : Copyright © 2001-2004, GIANT Company Software Inc. All rights reserved.
LegalTrademarks : GIANT Company, GIANT Company Software, GIANT AntiSpyware, SpyNet are trademarks of GIANT Company Software inc.
OriginalFilename : gcasServ.exe
Comments : GIANT AntiSpyware created by GIANT Company Software inc.

#:11 [SUNASDTSERV.EXE]
FilePath : C:\PROGRAM FILES\SUNBELT SOFTWARE\COUNTERSPY CLIENT\
ProcessID : 4294817487
Threads : 7
Priority : Normal
FileVersion : 1.00.0121
ProductVersion : 1.00.0121
ProductName : CounterSpy
CompanyName : Sunbelt Software Inc.
FileDescription : CounterSpy Data Service
InternalName : sunasDtServ
LegalCopyright : Copyright © 2004, Sunbelt Software Inc. All rights reserved.
OriginalFilename : sunasDtServ.exe

#:12 [SUNASSERV.EXE]
FilePath : C:\PROGRAM FILES\SUNBELT SOFTWARE\COUNTERSPY CLIENT\
ProcessID : 4294812251
Threads : 5
Priority : Idle
FileVersion : 1.00.0054
ProductVersion : 1.00.0054
ProductName : CounterSpy
CompanyName : Sunbelt Software Inc.
FileDescription : CounterSpy AntiSpyware Service
InternalName : sunasServ
LegalCopyright : Copyright © 2004, Sunbelt Software Inc. All rights reserved.
OriginalFilename : sunasServ.exe

#:13 [TEATIMER.EXE]
FilePath : C:\PROGRAM FILES\SPYBOT - SEARCH & DESTROY\
ProcessID : 4294808399
Threads : 3
Priority : Idle
FileVersion : 1, 3, 0, 12
ProductVersion : 1, 3, 0, 12
ProductName : Spybot - Search & Destroy
CompanyName : Safer Networking Limited
FileDescription : System settings protector
InternalName : TeaTimer
LegalCopyright : © 2000-2004 Patrick M. Kolla / Safer Networking Limited. Alle Rechte vorbehalten.
LegalTrademarks : "Spybot" und "Spybot - Search & Destroy" sind registrierte Warenzeichen.
OriginalFilename : TeaTimer.exe
Comments : Schützt Systemeinstellungen vor ungewollten Änderungen.

#:14 [HPOSTART.EXE]
FilePath : C:\PROGRAM FILES\HP OFFICEJET SERIES 600\BIN\
ProcessID : 4294723215
Threads : 1
Priority : Normal
FileVersion : 01.00.00
ProductVersion : A.04.00.07
ProductName : HP OfficeJet Series 600
CompanyName : Hewlett-Packard Co.
FileDescription : HP OfficeJet Series 600 Main Executable
InternalName : HPOSTART
LegalCopyright : Copyright © Hewlett-Packard Co. 1997
OriginalFilename : HPOSTART.EXE
Comments : Main executable to load HP OfficeJet Series 600 software.

#:15 [ASESCH~1.EXE]
FilePath : C:\PROGRAM FILES\ALURIA SOFTWARE\ASE\
ProcessID : 4294722999
Threads : 3
Priority : Normal
FileVersion : 3.00.0029
ProductVersion : 3.00.0029
ProductName : Aluria's Scheduler
CompanyName : Aluria Software, LLC
FileDescription : Aluria's Scheduler
InternalName : ASE Scheduler
LegalCopyright : Aluria Software, LLC
LegalTrademarks : Aluria Software, LLC
OriginalFilename : ASE Scheduler.exe
Comments : Aluria Software, LLC

#:16 [WZQKPICK.EXE]
FilePath : C:\PROGRAM FILES\WINZIP\
ProcessID : 4294726903
Threads : 1
Priority : Normal
FileVersion : 1.0 (32-bit)
ProductVersion : 8.1 (4319)
ProductName : WinZip
CompanyName : WinZip Computing, Inc.
FileDescription : WinZip Executable
InternalName : WZQKPICK.EXE
LegalCopyright : Copyright © WinZip Computing, Inc. 1991-2001 - All Rights Reserved
LegalTrademarks : WinZip is a registered trademark of WinZip Computing, Inc
OriginalFilename : WZQKPICK.EXE
Comments : StringFileInfo: U.S. English

#:17 [WMIEXE.EXE]
FilePath : C:\WINDOWS\SYSTEM\
ProcessID : 4294698183
Threads : 3
Priority : Normal
FileVersion : 5.00.1755.1
ProductVersion : 5.00.1755.1
ProductName : Microsoft® Windows NT® Operating System
CompanyName : Microsoft Corporation
FileDescription : WMI service exe housing
InternalName : wmiexe
LegalCopyright : Copyright © Microsoft Corp. 1981-1998
OriginalFilename : wmiexe.exe

#:18 [HPOJVDIX.EXE]
FilePath : C:\PROGRAM FILES\HP OFFICEJET SERIES 600\BIN\
ProcessID : 4294600363
Threads : 1
Priority : Normal
FileVersion : 01.04.23
ProductVersion : A.04.00.07
ProductName : HP OfficeJet Series 600
CompanyName : Hewlett-Packard Co.
FileDescription : OfficeJet Series 600 VDI Manager
InternalName : HPOJVDIX
LegalCopyright : Copyright © Hewlett-Packard Co. 1997
OriginalFilename : HPOJVDIX.EXE

#:19 [HPOMLCH.EXE]
FilePath : C:\WINDOWS\SYSTEM\
ProcessID : 4294890827
Threads : 1
Priority : Normal
FileVersion : 3.00.12
ProductVersion : A.04.00.07
ProductName : HP OfficeJet Series 600
CompanyName : Hewlett-Packard Co.
FileDescription : OfficeJet Series 500 MLC/PML Control Application
InternalName : HPOMLCH
LegalCopyright : Copyright © Hewlett-Packard Co. 1997
OriginalFilename : HPOMLCH.EXE
Comments : MLC/PML Control Application

#:20 [SECURITYCENTER.EXE]
FilePath : C:\PROGRAM FILES\ALURIA SECURITY CENTER\
ProcessID : 4294688795
Threads : 2
Priority : Normal
FileVersion : 1.00.0016
ProductVersion : 1.00.0016
ProductName : SecurityCenter
CompanyName : Aluria
InternalName : SecurityCenter 016
OriginalFilename : SecurityCenter 016.exe

#:21 [NOTEPAD.EXE]
FilePath : C:\WINDOWS\
ProcessID : 4294203235
Threads : 1
Priority : Normal
FileVersion : 4.10.1998
ProductVersion : 4.10.1998
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Windows Notepad application file
InternalName : Notepad
LegalCopyright : Copyright © Microsoft Corp. 1991-1998
OriginalFilename : NOTEPAD.EXE

#:22 [PSTORES.EXE]
FilePath : C:\WINDOWS\SYSTEM\
ProcessID : 4294433947
Threads : 4
Priority : Normal
FileVersion : 5.00.1877.3
ProductVersion : 5.00.1877.3
ProductName : Microsoft® Windows NT® Operating System
CompanyName : Microsoft Corporation
FileDescription : Protected storage server
InternalName : Protected storage server
LegalCopyright : Copyright © Microsoft Corp. 1981-1998
OriginalFilename : Protected storage server

#:23 [MSIMN.EXE]
FilePath : C:\PROGRAM FILES\OUTLOOK EXPRESS\
ProcessID : 4294280635
Threads : 7
Priority : Normal
FileVersion : 6.00.2800.1123
ProductVersion : 6.00.2800.1123
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Outlook Express
InternalName : MSIMN
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : MSIMN.EXE

#:24 [RNAAPP.EXE]
FilePath : C:\WINDOWS\SYSTEM\
ProcessID : 4294874863
Threads : 3
Priority : Normal
FileVersion : 4.10.2222
ProductVersion : 4.10.2222
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Dial-Up Networking Application
InternalName : RNAAPP
LegalCopyright : Copyright © Microsoft Corp. 1992-1996
OriginalFilename : RNAAPP.EXE

#:25 [TAPISRV.EXE]
FilePath : C:\WINDOWS\SYSTEM\
ProcessID : 4294190775
Threads : 6
Priority : Normal
FileVersion : 4.10.2222
ProductVersion : 4.10.2222
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Microsoft® Windows™ Telephony Server
InternalName : Telephony Service
LegalCopyright : Copyright © Microsoft Corp. 1994-1998
OriginalFilename : TAPISRV.EXE

#:26 [IEXPLORE.EXE]
FilePath : C:\PROGRAM FILES\INTERNET EXPLORER\
ProcessID : 4294233747
Threads : 6
Priority : Normal
FileVersion : 6.00.2800.1106
ProductVersion : 6.00.2800.1106
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Internet Explorer
InternalName : iexplore
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : IEXPLORE.EXE

#:27 [IENN32.EXE]
FilePath : C:\WINDOWS\
ProcessID : 4294138023
Threads : 1
Priority : Normal


VX2 Object Recognized!
Type : Process
Data : IENN32.EXE
Category : Malware
Comment : (CSI MATCH)
Object : C:\WINDOWS\


Warning! VX2 Object found in memory(C:\WINDOWS\IENN32.EXE)

"C:\WINDOWS\IENN32.EXE"Process terminated successfully

#:28 [ATLVA32.EXE]
FilePath : C:\WINDOWS\SYSTEM\
ProcessID : 4294137643
Threads : 4
Priority : Normal


#:29 [GIANTANTISPYWAREMAIN.EXE]
FilePath : C:\PROGRAM FILES\GIANT COMPANY SOFTWARE\GIANT ANTISPYWARE\
ProcessID : 4294075459
Threads : 5
Priority : Idle
FileVersion : 1.00.0301
ProductVersion : 1.00.0301
ProductName : GIANT AntiSpyware
CompanyName : GIANT Company Software, inc.
FileDescription : GIANT AntiSpyware
InternalName : GIANTAntiSpywareMain
LegalCopyright : Copyright © 2001-2004, GIANT Company Software Inc. All rights reserved.
LegalTrademarks : GIANT Company, GIANT Company Software, GIANT AntiSpyware, SpyNet are trademarks of GIANT Company Software inc. All rights reserved.
OriginalFilename : GIANTAntiSpywareMain.exe
Comments : GIANT AntiSpyware created by GIANT Company Software inc.

#:30 [GCASDTSERV.EXE]
FilePath : C:\PROGRAM FILES\GIANT COMPANY SOFTWARE\GIANT ANTISPYWARE\
ProcessID : 4294547179
Threads : 6
Priority : Idle
FileVersion : 1.00.0411
ProductVersion : 1.00.0411
ProductName : GIANT AntiSpyware
CompanyName : GIANT Company Software inc.
FileDescription : GIANT AntiSpyware Data Service
InternalName : gcasDtServ
LegalCopyright : Copyright © 2001-2004, GIANT Company Software Inc. All rights reserved.
LegalTrademarks : GIANT Company, GIANT Company Software, GIANT AntiSpyware, SpyNet are trademarks of GIANT Company Software inc.
OriginalFilename : gcasDtServ.exe
Comments : GIANT AntiSpyware created by GIANT Company Software inc.

#:31 [AD-AWARE.EXE]
FilePath : C:\PROGRAM FILES\LAVASOFT\AD-AWARE SE PERSONAL\
ProcessID : 4294403855
Threads : 2
Priority : Normal
FileVersion : 6.2.0.206
ProductVersion : VI.Second Edition
ProductName : Lavasoft Ad-Aware SE
CompanyName : Lavasoft Sweden
FileDescription : Ad-Aware SE Core application
InternalName : Ad-Aware.exe
LegalCopyright : Copyright © Lavasoft Sweden
OriginalFilename : Ad-Aware.exe
Comments : All Rights Reserved

Memory scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 1
Objects found so far: 14


Started registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Registry Scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 14


Started deep registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Deep registry scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 14


Started Tracking Cookie scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»


Tracking Cookie Object Recognized!
Type : IECache Entry
Data : a@tribalfusion[2].txt
Category : Data Miner
Comment : Hits:2
Value : Cookie:a@tribalfusion.com/
Expires : 12-31-37 7:00:00 PM
LastSync : Hits:2
UseCount : 0
Hits : 2

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : a@bluestreak[2].txt
Category : Data Miner
Comment : Hits:2
Value : Cookie:a@bluestreak.com/
Expires : 4-15-15 12:42:00 PM
LastSync : Hits:2
UseCount : 0
Hits : 2

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : a@casalemedia[1].txt
Category : Data Miner
Comment : Hits:3
Value : Cookie:a@casalemedia.com/
Expires : 4-5-06 4:57:52 PM
LastSync : Hits:3
UseCount : 0
Hits : 3

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : a@ads.pointroll[2].txt
Category : Data Miner
Comment : Hits:4
Value : Cookie:a@ads.pointroll.com/
Expires : 12-31-09 7:00:00 PM
LastSync : Hits:4
UseCount : 0
Hits : 4

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : a@edge.ru4[1].txt
Category : Data Miner
Comment : Hits:3
Value : Cookie:a@edge.ru4.com/
Expires : 4-8-35 12:37:26 AM
LastSync : Hits:3
UseCount : 0
Hits : 3

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : a@findwhat[1].txt
Category : Data Miner
Comment : Hits:3
Value : Cookie:a@findwhat.com/
Expires : 12-31-19 7:00:00 PM
LastSync : Hits:3
UseCount : 0
Hits : 3

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : a@z1.adserver[1].txt
Category : Data Miner
Comment : Hits:3
Value : Cookie:a@z1.adserver.com/
Expires : 4-15-06 6:40:46 AM
LastSync : Hits:3
UseCount : 0
Hits : 3

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : a@serving-sys[2].txt
Category : Data Miner
Comment : Hits:8
Value : Cookie:a@serving-sys.com/
Expires : 1-1-38 3:00:00 AM
LastSync : Hits:8
UseCount : 0
Hits : 8

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : a@247realmedia[2].txt
Category : Data Miner
Comment : Hits:14
Value : Cookie:a@247realmedia.com/
Expires : 4-15-06 12:38:12 AM
LastSync : Hits:14
UseCount : 0
Hits : 14

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : a@bs.serving-sys[1].txt
Category : Data Miner
Comment : Hits:1
Value : Cookie:a@bs.serving-sys.com/
Expires : 1-1-38 3:00:00 AM
LastSync : Hits:1
UseCount : 0
Hits : 1

Tracking cookie scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 10
Objects found so far: 24



Deep scanning and examining files (c:)
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : a@findwhat[1].txt
Category : Data Miner
Comment :
Value : c:\WINDOWS\Cookies\a@findwhat[1].txt

CoolWebSearch Object Recognized!
Type : File
Data : prpzi.txt
Category : Malware
Comment :
Object : c:\WINDOWS\



CoolWebSearch Object Recognized!
Type : File
Data : dtggcz.txt
Category : Malware
Comment :
Object : c:\WINDOWS\



Disk Scan Result for c:\
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 27


Deep scanning and examining files (d:)
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Disk Scan Result for d:\
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 27

Possible Browser Hijack attempt Object Recognized!
Type : File
Data : Search the web.url
Category : Misc
Comment : Problematic URL discovered: http://www.lookfor.cc/
Object : C:\WINDOWS\Favorites\



Possible Browser Hijack attempt Object Recognized!
Type : File
Data : Only -- The nicest hobby on Earth ;) -- website.url
Category : Misc
Comment : Problematic URL discovered: http://www.only-- The nicest hobby on Earth ;) --.ws/
Object : C:\WINDOWS\Favorites\



Possible Browser Hijack attempt Object Recognized!
Type : File
Data : Seven days of free porn.url
Category : Misc
Comment : Problematic URL discovered: http://www.7days.ws/
Object : C:\WINDOWS\Favorites\




Performing conditional scans...
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

VX2 Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_CURRENT_USER
Object : software\microsoft\internet explorer\toolbar\webbrowser
Value : {0E5CBF21-D15F-11D0-8301-00AA005B4383}

VX2 Object Recognized!
Type : File
Data : WININIT.INI
Category : Malware
Comment :
Object : C:\WINDOWS\



CoolWebSearch Object Recognized!
Type : Regkey
Data :
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\windows\currentversion\uninstall\sw

CoolWebSearch Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\windows\currentversion\uninstall\sw
Value : DisplayName

CoolWebSearch Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\windows\currentversion\uninstall\sw
Value : UninstallString

CoolWebSearch Object Recognized!
Type : Regkey
Data :
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\windows\currentversion\uninstall\se

CoolWebSearch Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\windows\currentversion\uninstall\se
Value : DisplayName

CoolWebSearch Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\windows\currentversion\uninstall\se
Value : UninstallString

CoolWebSearch Object Recognized!
Type : Regkey
Data :
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\windows\currentversion\uninstall\hsa

CoolWebSearch Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\windows\currentversion\uninstall\hsa
Value : DisplayName

CoolWebSearch Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\windows\currentversion\uninstall\hsa
Value : UninstallString

CoolWebSearch Object Recognized!
Type : Regkey
Data :
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\internet explorer\urlsearchhooks

CoolWebSearch Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\internet explorer\urlsearchhooks
Value : {04E055AE-D319-DC99-2F97-5098BC94CC0B}

CoolWebSearch Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_CURRENT_USER
Object : software\microsoft\internet explorer\search
Value : SearchAssistant

CoolWebSearch Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_CURRENT_USER
Object : software\microsoft\internet explorer\main
Value : Search Bar

CoolWebSearch Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\internet explorer\main
Value : Use Custom Search URL

CoolWebSearch Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\internet explorer\main
Value : Use Search Asst

CoolWebSearch Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft
Value : set

CoolWebSearch Object Recognized!
Type : RegData
Data : no
Category : Malware
Comment :
Rootkey : HKEY_CURRENT_USER
Object : software\microsoft\internet explorer\main
Value : Use Search Asst
Data : no

CoolWebSearch Object Recognized!
Type : RegData
Data : no
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\internet explorer\main
Value : Use Search Asst
Data : no

CoolWebSearch Object Recognized!
Type : RegData
Data : about:blank
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\internet explorer\main
Value : Start Page
Data : about:blank

Conditional scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 21
Objects found so far: 51

2:36:17 AM Scan Complete

Summary Of This Scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Total scanning time:00:30:10.620
Objects scanned:81679
Objects identified:38
Objects ignored:0
New critical objects:38


A Giant scan showed I have: ()
I say to remove it, but it is ignored.

Aluria shows:

008 remote keylogger
I suspect it is Desaware's Spyworks 6 Windows Hook Control
DWSHK36.OCX
version 7.0.0.1
I've got CLSID info on this too

Comet Cursor
I've been trying to get rid of this for awhile.


You're right about the useless blue vertical bar above the Start button! For a time I had to just push the Big Button to shut down. That improved and the menu returned.

Yesterday, it got worse again: Pushing the Big Button didn't work. Windows tried to shut down all night, but was still trying when I woke up, so I had to just yank the plug out of the wall!

Now that's better. There's a normal Start menu and rebooting (while frequent) is more routine.

Looking forward to your recommendations,
Appreciatively,

henna_hannah
Mosaic1
Hi,

We haven't forgotten about you. I have done many of these, but it's been a while since I did one on Windows 98. It is a little different. Let me go over to another forum and review the procedure and then I'll be back later with some help for you.

If you have restarted the computer in the meantime, please post a new HijackThis log and keep Windows running until you hear back. A reboot can change the filenames this thing uses.

Mo
Mosaic1
Let's get you started with the downloads you'll need. Once you have installed and updated the tools, do a restart if they require it and then run hijackthis. Post the new log.

You will be restarting into Safe mode later.
Go here for directions if you need help:

http://service1.symantec.com/SUPPORT/tsgen...001052409420406
---------
Download CWShredder from this page:
http://www.intermute.com/spysubtract/cwshr...r_download.html

Don't run it yet.
-------

Download AboutBuster created by Rubber Ducky.

http://www.downloads.subratam.org/AboutBuster.zip

Unzip AboutBuster to the Desktop then click the "Update Button" then click "Check for Update" and download the updates and then click "Exit". We don't want you to run it yet. Only get the updates so it is ready to run later in safe mode.
-----------------------------------------


Be sure you check for an update to your AD-Aware.
------------------


Copy the contents of the Quote Box to Notepad.

Name the file as fix.reg
Save as Type: All Files
****Save on the desktop

QUOTE
REGEDIT4


[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\HSA]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SE]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SW]
Mosaic1
I got a Message from henna_hannah earlier that she will be away for a few days. She'll be back after a vacation and will continue. In the meantime the computer is off and the Modem unplugged.


We'll be here when you get back. Have a good vacation.
henna_hannah
Back from my trip and ready to get to work!

I've downloaded CW Shredder and AboutBuster. AboutBuster is also updated.

Ad-Aware is updated and the contents of the Quote Box have been copied to Notepad and saved on the Desktop.

Registry Editor asked if I wanted to add the information in C:\windows\desktop\fix.reg to the registry . Always cautious about anything related to the registry, I said "no".

Here is the latest HiJack This log:




Logfile of HijackThis v1.99.1
Scan saved at 11:39:33 PM, on 4/24/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\GIANT COMPANY SOFTWARE\GIANT ANTISPYWARE\GCASSERV.EXE
C:\PROGRAM FILES\SUNBELT SOFTWARE\COUNTERSPY CLIENT\SUNASSERV.EXE
C:\PROGRAM FILES\SPYBOT - SEARCH & DESTROY\TEATIMER.EXE
C:\PROGRAM FILES\ALURIA SOFTWARE\ASE\ASESCH~1.EXE
C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
C:\WINDOWS\SYSTEM\SYSBW32.EXE
C:\WINDOWS\NETUG32.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\OUTLOOK EXPRESS\MSIMN.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\PROGRAM FILES\SUNBELT SOFTWARE\COUNTERSPY CLIENT\SUNASDTSERV.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\SYSBW32.EXE
C:\WINDOWS\SDKRL.EXE
C:\WINDOWS\SDKRL.EXE
C:\WINDOWS\SYSTEM\IEYW.EXE
C:\PROGRAM FILES\GIANT COMPANY SOFTWARE\GIANT ANTISPYWARE\GCASDTSERV.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM32\NOTEPAD.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system\lrgpg.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system\lrgpg.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system\lrgpg.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system\lrgpg.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = www.google.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system\lrgpg.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system\lrgpg.dll/sp.html#28129
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Class - {83ADA2D7-30D9-F180-8B07-61C750D80457} - C:\WINDOWS\ATLPR.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\GIANT Company Software\GIANT AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [SUNASDTSERV] C:\PROGRAM FILES\SUNBELT SOFTWARE\COUNTERSPY CLIENT\SUNASDTSERV.exe
O4 - HKLM\..\Run: [sunasServ] C:\Program Files\Sunbelt Software\CounterSpy Client\sunasServ.exe
O4 - HKLM\..\Run: [ATLVA32.EXE] C:\WINDOWS\SYSTEM\ATLVA32.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
O4 - HKLM\..\RunServices: [IENN32.EXE] C:\WINDOWS\IENN32.EXE /s
O4 - HKLM\..\RunServices: [NETUG32.EXE] C:\WINDOWS\NETUG32.EXE /s
O4 - HKLM\..\RunServices: [SYSBW32.EXE] C:\WINDOWS\SYSTEM\SYSBW32.EXE /s
O4 - HKLM\..\RunServices: [IEYW.EXE] C:\WINDOWS\SYSTEM\IEYW.EXE /s
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: HP OfficeJet Series 600 StartUp.lnk = C:\Program Files\HP OfficeJet Series 600\bin\HPOstart.exe
O4 - Startup: ASE Scheduler.lnk = C:\Program Files\Aluria Software\ASE\ASESCH~1.EXE
O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O4 - Startup: SpySubtract.lnk = C:\Program Files\interMute\SpySubtract\SpySub.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsearch.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsimilar.html
O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmtrans.html
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O15 - Trusted Zone: *.doxdesk.com
O15 - Trusted Zone: www.dbti.com
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {4FAE30E1-EE9C-477D-8D06-BF8D3429B60F} -
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = swbell.com
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 151.164.1.8,151.164.1.7


Standing by ...<grin>

henna_hannah
Mosaic1
You have several anti-spyware scanners running in the background. They can conflict with each other and cause a resource drain as well. Please disable all of them during this removal. They may interfere with the changes otherwise. Afterwards, make a decision on which one you want to run in the background. The rule is one AV, one anti-spyware and one firewall at a time.

----------------
Restart into Safe Mode.

On the desktop, double click on fix.reg to run it.
---------------------

Go to Start>Run and type Hijackthis. Press enter to start HijackThis. DO NOT OPEN ANYTHING ELSE!

Select these items and press the fix checked button:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system\lrgpg.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system\lrgpg.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system\lrgpg.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system\lrgpg.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = www.google.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system\lrgpg.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system\lrgpg.dll/sp.html#28129
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - (no file)

O4 - HKLM\..\Run: [ATLVA32.EXE] C:\WINDOWS\SYSTEM\ATLVA32.EXE

O4 - HKLM\..\RunServices: [IENN32.EXE] C:\WINDOWS\IENN32.EXE /s
O4 - HKLM\..\RunServices: [NETUG32.EXE] C:\WINDOWS\NETUG32.EXE /s
O4 - HKLM\..\RunServices: [SYSBW32.EXE] C:\WINDOWS\SYSTEM\SYSBW32.EXE /s
O4 - HKLM\..\RunServices: [IEYW.EXE] C:\WINDOWS\SYSTEM\IEYW.EXE /s
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O15 - Trusted Zone: *.doxdesk.com
O15 - Trusted Zone: www.dbti.com


** Also look for any RunOnce, Run or RunServices entries this may have added and fix those. These are the O4's. This can add things after you restart. Keep this log and compare. Anything added is suspect.

-------------------------
Delete these files:
C:\WINDOWS\IENN32.EXE
C:\WINDOWS\NETUG32.EXE
C:\WINDOWS\SYSTEM\SYSBW32.EXE
C:\WINDOWS\SYSTEM\IEYW.EXE
C:\WINDOWS\system\lrgpg.dll
C:\WINDOWS\SDKRL.EXE
-------------------------



Run About Buster.

Run Cwshredder and click the fix button to clean.

Empty your Temporary Internet Files and history in Internet Options.

It's a good idea to do that regularly.


Go to Internet Options>Programs
Click the reset Web Settings Button to reset your home and search pages.


Restart into Regular Windows.


-------------------------

Go to this link and run the free AV scan to clean up the residual files:

http://housecall.trendmicro.com/housecall/start_corp.asp
-------------------


If you were using a Hosts File it was deleted.

Download the Hoster from the link below. Click Restore Original Hosts. Click OK.
www.funkytoad.com/download/hoster.zip

--------
control.exe may have been deleted.
Follow instructions here to replace it: http://www.spywareinfo.com/~merijn/winfiles.html#control
----

Check C:\windows\System to be sure you have a file named Shell.dll



------

Go here and follow the directions to reset your ActiveX
http://www.computercops.biz/postt7736.html


Run HijackThis again and post the new log in your next reply in this same topic.

Also, post the log About Buster creates.
Let me know how you did.
henna_hannah
Started in Safe Mode and double clicked on fix.reg.

It asked me if I was sure I wanted to add the information in C:\Windows\Desktop\fix.reg to the registry.

I clicked "Yes".

Then it confirmed that the info was added to the registry.


Is this what I should expect when running fix.reg?

No other fix items attempted thus far.


Many thanks,

henna_hannah
Mosaic1
Yes. But now we have to start all over again. You MUST do everything all at once or this will not work. You have to disconnect and reboot to Safe Mode and follow all instructions.

Post a new Hijackthis log and I'll redo your directions.
henna_hannah
Had a feeling that would be the case, but hated to go through the whole process if the fix.reg wasn't responding correctly.

Here's the latest log. You'll see some new items have added themselves since the previous log:





Logfile of HijackThis v1.99.1
Scan saved at 4:10:57 PM, on 4/26/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\GIANT COMPANY SOFTWARE\GIANT ANTISPYWARE\GCASSERV.EXE
C:\PROGRAM FILES\SUNBELT SOFTWARE\COUNTERSPY CLIENT\SUNASDTSERV.EXE
C:\PROGRAM FILES\SUNBELT SOFTWARE\COUNTERSPY CLIENT\SUNASSERV.EXE
C:\PROGRAM FILES\SPYBOT - SEARCH & DESTROY\TEATIMER.EXE
C:\PROGRAM FILES\HP OFFICEJET SERIES 600\BIN\HPOSTART.EXE
C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
C:\WINDOWS\WINFA32.EXE
C:\WINDOWS\SYSTEM\SYSBW32.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\HP OFFICEJET SERIES 600\BIN\HPOJVDIX.EXE
C:\PROGRAM FILES\GIANT COMPANY SOFTWARE\GIANT ANTISPYWARE\GCASDTSERV.EXE
C:\WINDOWS\SYSTEM\HPOMLCH.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\PROGRAM FILES\OUTLOOK EXPRESS\MSIMN.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\SYSTEM\SYSBW32.EXE
C:\WINDOWS\SYSTEM\ATLNK32.EXE
C:\WINDOWS\WINFA32.EXE
C:\WINDOWS\WINFA32.EXE
C:\WINDOWS\SYSTEM\SYSBW32.EXE
C:\WINDOWS\ATLKV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\WINFA32.EXE
C:\WINDOWS\SYSTEM\SYSBW32.EXE
C:\WINDOWS\WINFA32.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\WINFA32.EXE
C:\WINDOWS\WINFA32.EXE
C:\WINDOWS\SYSTEM\IEQH.EXE
C:\WINDOWS\SYSTEM\IEQH.EXE
C:\WINDOWS\SYSTEM\SYSBW32.EXE
C:\WINDOWS\SYSTEM\IEQH.EXE
C:\WINDOWS\SYSTEM\IEQH.EXE
C:\WINDOWS\SYSME.EXE
C:\WINDOWS\WINFA32.EXE
C:\WINDOWS\SYSTEM\SYSBW32.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\spchs.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system\lrgpg.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system\lrgpg.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = www.google.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\spchs.dll/sp.html#28129
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Class - {60FEB1AE-2DB3-705C-B291-2477388C9629} - C:\WINDOWS\ADDYV32.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\GIANT Company Software\GIANT AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [SUNASDTSERV] C:\PROGRAM FILES\SUNBELT SOFTWARE\COUNTERSPY CLIENT\SUNASDTSERV.exe
O4 - HKLM\..\Run: [sunasServ] C:\Program Files\Sunbelt Software\CounterSpy Client\sunasServ.exe
O4 - HKLM\..\Run: [ATLVA32.EXE] C:\WINDOWS\SYSTEM\ATLVA32.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
O4 - HKLM\..\RunServices: [IENN32.EXE] C:\WINDOWS\IENN32.EXE /s
O4 - HKLM\..\RunServices: [NETUG32.EXE] C:\WINDOWS\NETUG32.EXE /s
O4 - HKLM\..\RunServices: [SYSBW32.EXE] C:\WINDOWS\SYSTEM\SYSBW32.EXE /s
O4 - HKLM\..\RunServices: [IEYW.EXE] C:\WINDOWS\SYSTEM\IEYW.EXE /s
O4 - HKLM\..\RunServices: [MFCHN.EXE] C:\WINDOWS\MFCHN.EXE /s
O4 - HKLM\..\RunServices: [IERM32.EXE] C:\WINDOWS\IERM32.EXE /s
O4 - HKLM\..\RunServices: [JAVAQI32.EXE] C:\WINDOWS\JAVAQI32.EXE /s
O4 - HKLM\..\RunServices: [JAVAEX32.EXE] C:\WINDOWS\SYSTEM\JAVAEX32.EXE /s
O4 - HKLM\..\RunServices: [WINFA32.EXE] C:\WINDOWS\WINFA32.EXE /s
O4 - HKLM\..\RunServices: [IEQH.EXE] C:\WINDOWS\SYSTEM\IEQH.EXE /s
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: HP OfficeJet Series 600 StartUp.lnk = C:\Program Files\HP OfficeJet Series 600\bin\HPOstart.exe
O4 - Startup: ASE Scheduler.lnk = C:\Program Files\Aluria Software\ASE\ASESCH~1.EXE
O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O4 - Startup: SpySubtract.lnk = C:\Program Files\interMute\SpySubtract\SpySub.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsearch.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsimilar.html
O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmtrans.html
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O15 - Trusted Zone: *.doxdesk.com
O15 - Trusted Zone: www.dbti.com
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {4FAE30E1-EE9C-477D-8D06-BF8D3429B60F} -
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = swbell.com
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 151.164.1.8,151.164.1.7


With many thanks,

henna_hannah
Mosaic1
Please follow all of these instructions. Each time you restart, more entries will be added and the log will get longer and longer if this is not cleaned up.

You have several anti-spyware scanners running in the background. They can conflict with each other and cause a resource drain as well. Please disable all of them during this removal. They may interfere with the changes otherwise. Afterwards, make a decision on which one you want to run in the background. The rule is one AV, one anti-spyware and one firewall at a time.

----------------
Restart into Safe Mode.

On the desktop, double click on fix.reg and say yes to the prompt to enter into the registry.
---------------------

Go to Start>Run and type Hijackthis. Press enter to start HijackThis. DO NOT OPEN ANYTHING ELSE!

Select these items and press the fix checked button:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\spchs.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system\lrgpg.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system\lrgpg.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\spchs.dll/sp.html#28129
R3 - Default URLSearchHook is missing

O2 - BHO: Class - {60FEB1AE-2DB3-705C-B291-2477388C9629} - C:\WINDOWS\ADDYV32.DLL
O4 - HKLM\..\Run: [ATLVA32.EXE] C:\WINDOWS\SYSTEM\ATLVA32.EXE

O4 - HKLM\..\RunServices: [IENN32.EXE] C:\WINDOWS\IENN32.EXE /s
O4 - HKLM\..\RunServices: [NETUG32.EXE] C:\WINDOWS\NETUG32.EXE /s
O4 - HKLM\..\RunServices: [SYSBW32.EXE] C:\WINDOWS\SYSTEM\SYSBW32.EXE /s
O4 - HKLM\..\RunServices: [IEYW.EXE] C:\WINDOWS\SYSTEM\IEYW.EXE /s
O4 - HKLM\..\RunServices: [MFCHN.EXE] C:\WINDOWS\MFCHN.EXE /s
O4 - HKLM\..\RunServices: [IERM32.EXE] C:\WINDOWS\IERM32.EXE /s
O4 - HKLM\..\RunServices: [JAVAQI32.EXE] C:\WINDOWS\JAVAQI32.EXE /s
O4 - HKLM\..\RunServices: [JAVAEX32.EXE] C:\WINDOWS\SYSTEM\JAVAEX32.EXE /s
O4 - HKLM\..\RunServices: [WINFA32.EXE] C:\WINDOWS\WINFA32.EXE /s
O4 - HKLM\..\RunServices: [IEQH.EXE] C:\WINDOWS\SYSTEM\IEQH.EXE /s
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O15 - Trusted Zone: *.doxdesk.com
O15 - Trusted Zone: www.dbti.com


** Also look for any RunOnce, Run or RunServices entries this may have added and fix those. These are the O4's. This can add things after you restart. Keep this log and compare. Anything added is suspect.

-------------------------
Delete these files:
C:\WINDOWS\IENN32.EXE
C:\WINDOWS\NETUG32.EXE
C:\WINDOWS\SYSTEM\SYSBW32.EXE
C:\WINDOWS\SYSTEM\IEYW.EXE
C:\WINDOWS\system\lrgpg.dll
C:\WINDOWS\SDKRL.EXE
C:\WINDOWS\spchs.dll
C:\WINDOWS\MFCHN.EXE
C:\WINDOWS\IERM32.EXE
C:\WINDOWS\JAVAQI32.EXE
C:\WINDOWS\SYSTEM\JAVAEX32.EXE
C:\WINDOWS\WINFA32.EXE
C:\WINDOWS\SYSTEM\IEQH.EXE
-------------------------



Run About Buster

Run Cwshredder and click the fix button to clean.

Empty your Temporary Internet Files and history in Internet Options.

It's a good idea to do that regularly.


Go to Internet Options>Programs
Click the reset Web Settings Button to reset your home and search pages.


Restart into Regular Windows.


-------------------------

Go to this link and run the free AV scan to clean up the residual files:

http://housecall.trendmicro.com/housecall/start_corp.asp
-------------------


If you were using a Hosts File it was deleted.

Download the Hoster from the link below. Click Restore Original Hosts. Click OK.
www.funkytoad.com/download/hoster.zip

--------
control.exe may have been deleted.
Follow instructions here to replace it: http://www.spywareinfo.com/~merijn/winfiles.html#control
----

Check C:\windows\System to be sure you have a file named Shell.dll



------

Go here and follow the directions to reset your ActiveX
http://www.computercops.biz/postt7736.html


Run HijackThis again and post the new log in your next reply in this same topic.

Also, post the log About Buster creates.
Let me know how you did.
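Both of Mosaic1's instruction posts (this one and the earlier one) ask for the same two manual checks: compare the new HijackThis log against the previous one and treat anything added as suspect, and pick out the R and O4 entries that carry the hijack. As an added example that is not part of the thread, of HijackThis or of AboutBuster, here is a small Python script that does both checks. The two log excerpts embedded in it are trimmed from the 4/24/05 and 4/26/05 logs posted above; the flagging rules (a search or start page pointing at res://...dll, a missing URLSearchHook, a BHO with no file, RunServices entries ending in /s) are this example's own heuristics drawn from those logs, not HijackThis logic.

```python
"""Triage HijackThis logs the way the thread does by hand: diff two logs
to find entries that came back after a reboot, and flag the lines that
carry the CWS about:blank markers seen in the posted logs (IE search and
start pages redirected to res://...dll/sp.html, RunServices EXEs started
with /s, a BHO whose DLL is gone).

Added example; not part of the thread, of HijackThis or of AboutBuster.
The flagging rules are this example's own heuristics. The two sample
logs are trimmed excerpts of the 4/24/05 and 4/26/05 logs from the thread.
"""
import re

LOG_BEFORE = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system\lrgpg.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - (no file)
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [IENN32.EXE] C:\WINDOWS\IENN32.EXE /s
O4 - HKLM\..\RunServices: [SYSBW32.EXE] C:\WINDOWS\SYSTEM\SYSBW32.EXE /s
"""

LOG_AFTER = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\spchs.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - (no file)
O2 - BHO: Class - {60FEB1AE-2DB3-705C-B291-2477388C9629} - C:\WINDOWS\ADDYV32.DLL
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [IENN32.EXE] C:\WINDOWS\IENN32.EXE /s
O4 - HKLM\..\RunServices: [SYSBW32.EXE] C:\WINDOWS\SYSTEM\SYSBW32.EXE /s
O4 - HKLM\..\RunServices: [WINFA32.EXE] C:\WINDOWS\WINFA32.EXE /s
"""

# Every HijackThis finding is "<code> - <body>", e.g. "O4 - HKLM\..\Run: [...] ...".
ENTRY_RE = re.compile(r"^(R\d|O\d+) - (.*)$")
# res://<path>.dll/... : IE renders the page from a resource inside a local DLL.
RES_DLL_RE = re.compile(r"res://\S+\.dll", re.IGNORECASE)


def parse_hjt(text):
    """Return the (code, body) pairs of a log; process lists and headers are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2).rstrip()))
    return entries


def added_entries(before, after):
    """Entries present in `after` but not in `before`: the 'keep this log and
    compare, anything added is suspect' step."""
    seen = set(parse_hjt(before))
    return [e for e in parse_hjt(after) if e not in seen]


def flag_entry(code, body):
    """Reason string if the entry matches one of the about:blank markers, else None.
    Heuristics of this example, not HijackThis rules."""
    if code.startswith("R") and RES_DLL_RE.search(body):
        return "IE search/start page redirected into a resource of a local DLL"
    if code == "R3" and "URLSearchHook is missing" in body:
        return "default URLSearchHook removed"
    if code == "O2" and body.endswith("(no file)"):
        return "BHO CLSID registered but its DLL is missing"
    if code == "O4" and "RunServices:" in body and body.endswith(" /s"):
        return "RunServices autostart launched with /s, like every hijacker EXE in the logs"
    return None


def triage(before, after):
    """Flagged entries of `after`, tagged NEW if absent from `before`, else OLD.
    Returns a list of (status, code, body, reason)."""
    seen = set(parse_hjt(before))
    rows = []
    for code, body in parse_hjt(after):
        reason = flag_entry(code, body)
        if reason:
            status = "OLD" if (code, body) in seen else "NEW"
            rows.append((status, code, body, reason))
    return rows


if __name__ == "__main__":
    for status, code, body, reason in triage(LOG_BEFORE, LOG_AFTER):
        print(f"{status} {code}: {reason}\n    {body}")
```

Run as-is, the two entries that appeared between the two logs (the spchs.dll search page and WINFA32.EXE) come out tagged NEW and the survivors tagged OLD; against real logs you would read the two saved hijackthis.log files into the two strings instead of the embedded excerpts. Entries the script leaves unflagged, such as the ADDYV32.DLL BHO, still show up in added_entries, which is why the helper's advice to compare whole logs matters more than any one pattern.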
henna_hannah
Hey Mosaic1-

More than ever, I'm certain you're a genius!

The latest Hijack This log is below, as is the About Buster CW Shredder report.

Housecall found and deleted 50 items, mostly TROJ_DLOADER.GE, TROJ_WINSHOW.T, and TROJ_MITGLIDER.K.

On latest reboot, Spybot showed Sysme.exe was trying to attach itself. That may or may not be anything valid.

Also, in Favorites, I notice the porn links established by CWS (or whichever) are still showing. Can they be deleted now?


Your excellent instructions made the process very do-able.




Logfile of HijackThis v1.99.1
Scan saved at 12:36:00 AM, on 4/27/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\SUNBELT SOFTWARE\COUNTERSPY CLIENT\SUNASDTSERV.EXE
C:\PROGRAM FILES\SPYBOT - SEARCH & DESTROY\TEATIMER.EXE
C:\PROGRAM FILES\HP OFFICEJET SERIES 600\BIN\HPOSTART.EXE
C:\PROGRAM FILES\ALURIA SOFTWARE\ASE\ASESCH~1.EXE
C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\HP OFFICEJET SERIES 600\BIN\HPOJVDIX.EXE
C:\WINDOWS\SYSTEM\HPOMLCH.EXE
C:\PROGRAM FILES\GIANT COMPANY SOFTWARE\GIANT ANTISPYWARE\GCASDTSERV.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\OUTLOOK EXPRESS\MSIMN.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\GIANT Company Software\GIANT AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [SUNASDTSERV] C:\PROGRAM FILES\SUNBELT SOFTWARE\COUNTERSPY CLIENT\SUNASDTSERV.exe
O4 - HKLM\..\Run: [sunasServ] C:\Program Files\Sunbelt Software\CounterSpy Client\sunasServ.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
O4 - HKLM\..\RunServices: [SYSME.EXE] C:\WINDOWS\SYSME.EXE /s
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: HP OfficeJet Series 600 StartUp.lnk = C:\Program Files\HP OfficeJet Series 600\bin\HPOstart.exe
O4 - Startup: ASE Scheduler.lnk = C:\Program Files\Aluria Software\ASE\ASESCH~1.EXE
O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O4 - Startup: SpySubtract.lnk = C:\Program Files\interMute\SpySubtract\SpySub.exe
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsearch.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsimilar.html
O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmtrans.html
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {4FAE30E1-EE9C-477D-8D06-BF8D3429B60F} -
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = swbell.com
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 151.164.1.8,151.164.1.7

About Buster CW Shredder report:

*** Run Keys ****

RUN: [SystemTray] SysTray.Exe
RUN: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
RUN: [gcasServ] "C:\Program Files\GIANT Company Software\GIANT AntiSpyware\gcasServ.exe"
RUN: [SUNASDTSERV] C:\PROGRAM FILES\SUNBELT SOFTWARE\COUNTERSPY CLIENT\SUNASDTSERV.exe
RUN: [sunasServ] C:\Program Files\Sunbelt Software\CounterSpy Client\sunasServ.exe
RUN: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe


**** Browser Helper Objects ****

BHO: []
BHO: [Google Toolbar Helper] c:\program files\google\googletoolbar2.dll
BHO: [c:\program files\google\googletoolbar2.dll] c:\program files\google\googletoolbar2.dll


**** IE Toolbars ****

TOOLBAR: [&Google] c:\program files\google\googletoolbar2.dll
TOOLBAR: [&Radio] C:\WINDOWS\SYSTEM\MSDXM.OCX


**** IE Extensions ****

IEExt: []


**** Hosts File Entries ****



**** IE Settings ****

Default Page: about:blank
Default Search: http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
Local Page: C:\WINDOWS\SYSTEM\blank.htm
Search Bar: http://www.google.com/ie
Search Page: http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch


**** IE Context Menu (Right click) ****

IEContext: [&Google Search] res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsearch.html
IEContext: [Cached Snapshot of Page] res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmcache.html
IEContext: [Similar Pages] res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsimilar.html
IEContext: [Backward Links] res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmbacklinks.html
IEContext: [Translate into English] res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmtrans.html
IEContext: [Cac&hed Snapshot of Page]
IEContext: [Si&milar Pages]
IEContext: [Backward &Links]


**** Layered Service Providers ****

LSP: MS.w95.spi.tcp
LSP: MS.w95.spi.udp
LSP: MS.w95.spi.rsvptcp
LSP: MS.w95.spi.rsvpudp


**** Blocked Control Panel Items ****

BLOCKED: []


**** Downloaded Program Files ****

Microsoft XML Parser for Java [file://C:\WINDOWS\Java\classes\xmldso4.cab]
DirectAnimation Java Classes [file://C:\WINDOWS\SYSTEM\dajava.cab]
Internet Explorer Classes for Java [file://C:\WINDOWS\SYSTEM\iejava.cab]
Internet Explorer Classes for Java [file://C:\WINDOWS\SYSTEM\iejava.cab]
Internet Explorer Classes for Java [file://C:\WINDOWS\SYSTEM\iejava.cab]
Internet Explorer Classes for Java [file://C:\WINDOWS\SYSTEM\iejava.cab]
Internet Explorer Classes for Java [file://C:\WINDOWS\SYSTEM\iejava.cab]
Internet Explorer Classes for Java [file://C:\WINDOWS\SYSTEM\iejava.cab]
Internet Explorer Classes for Java [file://C:\WINDOWS\SYSTEM\iejava.cab]
Internet Explorer Classes for Java [file://C:\WINDOWS\SYSTEM\iejava.cab]
Internet Explorer Classes for Java [file://C:\WINDOWS\SYSTEM\iejava.cab]
Internet Explorer Classes for Java [file://C:\WINDOWS\SYSTEM\iejava.cab]


**** Custom IE Search Items ****

SEARCH: [SearchAssistant] http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm
SEARCH: [CustomizeSearch] http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm


Please let me know if there is anything else I should do.

Thanks again,

henna_hannah
(who is busy clearing out extraneous anti-spyware software)
Mosaic1
Thanks for the compliment. This fix was developed by many people who installed and tested it on their systems.

You are running multiple Anti Spyware programs.

Counter Spy
Aluria
Giant
Tea Timer

Doing that is a drain on resources, especially on 98. Plus they interfere with each other and can interfere with cleanup efforts and changes you make in this process. One of them just did protect you though.

Run 1 AV
1 firewall
1 Anti Spyware program.

Fix these and if they cannot be fixed in regular mode, try it in Safe Mode.
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - (no file)
O4 - HKLM\..\RunServices: [SYSME.EXE] C:\WINDOWS\SYSME.EXE /s

Delete C:\WINDOWS\SYSME.EXE


Restart.

Run hijackthis and post the new log.


Sure, delete the favorites you found.
henna_hannah
I appreciate the help from everyone who developed this fix.

Here's the latest HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 12:56:40 PM, on 4/27/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\SUNBELT SOFTWARE\COUNTERSPY CLIENT\SUNASDTSERV.EXE
C:\PROGRAM FILES\SUNBELT SOFTWARE\COUNTERSPY CLIENT\SUNASSERV.EXE
C:\PROGRAM FILES\SPYBOT - SEARCH & DESTROY\TEATIMER.EXE
C:\PROGRAM FILES\HP OFFICEJET SERIES 600\BIN\HPOSTART.EXE
C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
C:\PROGRAM FILES\HP OFFICEJET SERIES 600\BIN\HPOJVDIX.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\HPOMLCH.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [SUNASDTSERV] C:\PROGRAM FILES\SUNBELT SOFTWARE\COUNTERSPY CLIENT\SUNASDTSERV.exe
O4 - HKLM\..\Run: [sunasServ] C:\Program Files\Sunbelt Software\CounterSpy Client\sunasServ.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: HP OfficeJet Series 600 StartUp.lnk = C:\Program Files\HP OfficeJet Series 600\bin\HPOstart.exe
O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsearch.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsimilar.html
O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmtrans.html
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {4FAE30E1-EE9C-477D-8D06-BF8D3429B60F} -
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = swbell.com
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 151.164.1.8,151.164.1.7


The offensive favorites were deleted by the cleaning process.


As you can see, I removed several Anti Spyware programs. I plan to keep just one, as you suggested. I'll also install a firewall and an AV. (Had Norton, then McAfee previously. Hated them both and ripped them out.)



Let me know if this looks clean to you.

Appreciatively,

henna_hannah
Mosaic1
You can keep as many anti spyware programs as you like, but run only one at a time in the background. And when you perform a scan, be sure to disable the other.

One thing I do not see in your startups is scanregw and that is a serious omission.
On the first successful start of each day, it creates a backup of your registry. It stores 5 days worth of backups and if you are ever stuck it is possible to restore a previous registry. It also checks your registry to be sure it is ok.

Have a look in msconfig startup tab and see if it has been unchecked.



Zone Alarm offers a free firewall and AVG offers free Anti Virus.

http://free.grisoft.com/doc/Get+AVG+FREE/lng/us/tpl/v5

http://www.zonelabs.com/store/content/comp...reeDownload.jsp


These two can be fixed. Other than that, the log looks great.

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - (no file)




Also here is an excellent source for tips to tighten security. Follow the advice and get the free downloads to help avoid some of these problems in the future.
http://www.computercops.biz/postt7736.html
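A small triage script for the kind of HijackThis log posted in this thread, added here as an example; it is not HijackThis code and not part of the fix the helper posted. It assumes the v1.99 line layout shown in the logs above and works on two constructed logs assembled from lines quoted in the thread, flagging the same things the helper asked to be fixed (objects with "(no file)", a blank or about:blank page, a RunServices entry loading straight out of C:\WINDOWS, and a missing ScanRegistry autorun) and diffing a before and after log.

```python
"""Triage helper for HijackThis v1.99 logs (added example, not HijackThis code).

Parses the R/O-numbered lines of a log and flags what the helper in this
thread asked to be fixed: objects registered with "(no file)", a blank or
about:blank page setting, a RunServices entry loading an executable straight
out of C:\\WINDOWS (SYSME.EXE above), and a missing ScanRegistry autorun.
Both sample logs are constructed from lines quoted in the thread.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed "before" log, assembled from the first HJT log in the thread.
BEFORE_LOG = r"""Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
O4 - HKLM\..\RunServices: [SYSME.EXE] C:\WINDOWS\SYSME.EXE /s
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 151.164.1.8,151.164.1.7
"""

# Constructed "after" log: the flagged lines fixed and the scanregw autorun
# from the posted scanreg.reg in place.
AFTER_LOG = r"""O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 151.164.1.8,151.164.1.7
"""

# "O4 - HKLM\..\Run: ..." -> section code, " - ", body. Header lines don't match.
ENTRY_RE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.*)$")
# An executable sitting directly in C:\WINDOWS rather than in a subfolder.
WINDOWS_ROOT_EXE = re.compile(r"^c:\\windows\\[^\\]+\.exe\b", re.IGNORECASE)


@dataclass(frozen=True)
class Entry:
    section: str  # e.g. "O4"
    body: str     # everything after "O4 - "


def parse(log: str) -> list[Entry]:
    """Return the R/O entries of a log; header and process lines are skipped."""
    entries = []
    for line in log.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(Entry(m.group("sec"), m.group("body")))
    return entries


def flag_entries(entries: list[Entry]) -> list[tuple[str, str]]:
    """Return (finding, detail) pairs a helper would want to look at."""
    findings = []
    has_scanreg = False
    for e in entries:
        low = e.body.lower()
        # O2 BHOs and O9 buttons still registered but pointing at no file:
        # leftovers of a removed object, which HJT can simply fix.
        if e.section in ("O2", "O9") and "(no file)" in e.body:
            findings.append(("orphaned-object", e.body))
        # R0/R1 page settings left empty or at about:blank by the hijack.
        if e.section in ("R0", "R1"):
            value = e.body.split("=", 1)[1].strip() if "=" in e.body else ""
            if value in ("", "about:blank"):
                findings.append(("blank-or-hijacked-page", e.body))
        if e.section == "O4":
            if low.startswith("hklm\\..\\runservices:"):
                command = e.body.split("] ", 1)[1] if "] " in e.body else ""
                if WINDOWS_ROOT_EXE.match(command):
                    findings.append(("runservices-exe-in-windows-root", e.body))
            if "[scanregistry]" in low and "scanregw.exe" in low:
                has_scanreg = True
    if not has_scanreg:  # Win98 keeps no daily registry backups without it
        findings.append(("missing-scanregw-autorun",
                         "no O4 [ScanRegistry] scanregw.exe /autorun entry"))
    return findings


def diff_logs(before: str, after: str) -> tuple[set[Entry], set[Entry]]:
    """(entries removed, entries added) between two logs of the same machine."""
    old, new = set(parse(before)), set(parse(after))
    return old - new, new - old
```

Running `flag_entries(parse(BEFORE_LOG))` lists the SYSME.EXE RunServices line, the two "(no file)" objects, both page settings and the missing scanregw autorun; `diff_logs` shows which lines a follow-up log has lost or gained.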
henna_hannah
Checking the msconfig startup tab, all the available options were checked. Scanregw was not listed as an option. Characteristic of (the dinosaur) Win98?

Thanks for the suggestions of AVG and Zone Alarm. As you will see in the following HJT log, I have added them. The 2 items you recommended removing seem to be gone.

OK to remove Symantec items shown as 016 in HJT log?

Couldn't choose between Spybot and CounterSpy, but now run them one at a time.

re: AVG
After the initial AVG scan and deletion of 58 items (mostly Trojanhorse Dropper.Small.17.BV), Spybot showed System Startup User Entry, Value Deleted for AVG7_Run. Is this problematic?


Logfile of HijackThis v1.99.1
Scan saved at 11:20:16 AM, on 4/28/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
C:\PROGRAM FILES\GRISOFT\AVG7\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG7\AVGEMC.EXE
C:\PROGRAM FILES\GRISOFT\AVG7\AVGAMSVR.EXE
C:\PROGRAM FILES\SPYBOT - SEARCH & DESTROY\TEATIMER.EXE
C:\PROGRAM FILES\HP OFFICEJET SERIES 600\BIN\HPOSTART.EXE
C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\HP OFFICEJET SERIES 600\BIN\HPOJVDIX.EXE
C:\WINDOWS\SYSTEM\HPOMLCH.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [SUNASDTSERV] C:\PROGRAM FILES\SUNBELT SOFTWARE\COUNTERSPY CLIENT\SUNASDTSERV.exe
O4 - HKLM\..\Run: [sunasServ] C:\Program Files\Sunbelt Software\CounterSpy Client\sunasServ.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVG7\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVG7\AVGEMC.EXE
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVG7\AVGAMSVR.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: HP OfficeJet Series 600 StartUp.lnk = C:\Program Files\HP OfficeJet Series 600\bin\HPOstart.exe
O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsearch.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsimilar.html
O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmtrans.html
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {4FAE30E1-EE9C-477D-8D06-BF8D3429B60F} -
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = swbell.com
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 151.164.1.8,151.164.1.7


Many many thanks for your help,

henna_hannah
Mosaic1
The first priority is to get scanreg back into your startups.

Copy the contents of the quote box to notepad.
Name the file scanreg.reg
Save as Type : All files

Double click on scanreg.reg and say yes to the prompt to enter into the registry.

QUOTE
REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"ScanRegistry"="c:\\windows\\scanregw.exe /autorun"


Let's get you a backup.

go to start >Run and type scanreg
Press enter
This will create a registry backup for today.


You have AVG showing as running. I run AVG and have no entry for the Current User. But that's on XP. I do see you have the entries to start it on Local Machine like I do. I am not sure if there should be runservices entries there. If in doubt, you can reinstall if you like and then update the program. That may be overkill. Have you restarted since running to see if everything is in good shape?

You still show these startups for CounterSpy but it isn't running.

O4 - HKLM\..\Run: [SUNASDTSERV] C:\PROGRAM FILES\SUNBELT SOFTWARE\COUNTERSPY CLIENT\SUNASDTSERV.exe
O4 - HKLM\..\Run: [sunasServ] C:\Program Files\Sunbelt Software\CounterSpy Client\sunasServ.exe

------------


Yes. These can be fixed too:
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {4FAE30E1-EE9C-477D-8D06-BF8D3429B60F} -
henna_hannah
Scanreg.reg seems to be in place now.


re: AVG

I have restarted a time or two and things seem to be OK.

Installing it originally was a bit rocky. It shut down everything and opened in a weird Safe Mode, but since restarting from that, everything seems smooth and operating. The HJT log you saw on my previous post was long after the weird stuff.

Perhaps that weird install episode is grounds for re-installation and watching for the runservices entries?

I created AVG rescue disks as directed. Do I need to make a new set now that scanreg.reg is in place?

CounterSpy is disabled while I let SpyBot run.

You'll see the 016's you mentioned are now cleared out.



2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [SUNASDTSERV] C:\PROGRAM FILES\SUNBELT SOFTWARE\COUNTERSPY CLIENT\SUNASDTSERV.exe
O4 - HKLM\..\Run: [sunasServ] C:\Program Files\Sunbelt Software\CounterSpy Client\sunasServ.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVG7\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVG7\AVGEMC.EXE
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVG7\AVGAMSVR.EXE
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: HP OfficeJet Series 600 StartUp.lnk = C:\Program Files\HP OfficeJet Series 600\bin\HPOstart.exe
O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsearch.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsimilar.html
O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmtrans.html
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = swbell.com
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 151.164.1.8,151.164.1.7

More thanks-

henna_hannah
Mosaic1
I wonder what happened after that install. I can't tell from your description. Did it restart windows?
Mosaic1
I need to see an entire log including the Running Processes.

I went to have a look at other logs with AVG using Google and found that there is an entry in runservices:

O4 - HKLM\..\RunServices: [avgamsvr.exe] C:\PROGRA~1\GRISOFT\AVG7\AVGAMSVR.EXE


Although you also have this file in your Run key and it shows as running, I would like to be certain AVG is installed correctly.


It's your choice. We could add the runservices key. Or you might download AVG again in the event you had a bad download.

Then sign off, Uninstall old AVG.

Restart and install the new copy.

Let me know. I tend to err on the side of caution.
henna_hannah
Sorry for the garbled account...

As AVG was installing, things seemed to become unstable. Everything shut down by itself; "no synch" showed on my screen.

I restarted and instead of getting regular Windows, the startup went to SafeMode all by itself.

The SafeMode it went to was different than I am used to: it wanted me to choose whether I wanted 16 colors in my monitor display. I could also select other monitor settings.

I opted for 16 colors. After a cautionary notice about display settings to be displayed in regular Windows, it went to a more normal SafeMode. That's when I opted for Restart.

Restart went normally and I was able to load AVG.

Although I've taken lots of notes during the cleaning process, I confess I didn't take notes while this was happening, so I could've forgotten something that occurred.

Hope this description is more useful.

Your idea to reinstall AVG sounds like a good one. I should be able to do that Friday night and then send you another log.

For now, my system seems to be running in blissful harmony after the pernicious decay and drama of the last month. Many thanks!

Another log coming soon-

henna_hannah
Mosaic1
That sounds like a plan. I'll hear from you later. Something seems to have gone wrong with possibly your video. If this happens again, you may need to reinstall or upgrade your drivers if there is one available. Often, with these older machines, they have stopped writing new Device drivers.
henna_hannah
AVG has been re-installed. Perhaps installed is more accurate: before I had installed AVG Pro (trial version). What you'll see below is the AVG Free you originally recommended.

AVG Pro seems to show up as AVG7 while AVG Free shows as AVG Fre.

Interestingly, on installation of the AVG Free and the immediate reboot, there were no viruses found on the Bootup Scan, but after that display, the screen went black and everything shut down all by itself, as it did in the episode described previously.

There was no automatic restart.

After pushing the button to start it, it went to SafeMode on its own, asking me to make selections about Display Properties (as before). Selected 16 colors again and again got a color announcement about the display settings.

I must restart before new settings will take effect. Did I want to restart? Yes.

On Reboot: initialized AVG Bootup Scanner. No viruses.

Normal start after that, except settings now look like SafeMode while in regular Windows. While opting for the 16 color display, I deliberately neglected the other display options, knowing I could change them later.

(Never having spent this much time in what looks like SafeMode, the prescription on these glasses feels like it needs an update!)


An AVG virus scan (Complete Test) was clear. In the report after the scan, AVG referred to my system as Windows NT rather than 98. Does that matter?

Could be useful: After installing AVG Free, SpyBot was showing the changes made from the old AVG to AVG Free.

All seemed in order except for one notice: the System Startup User Entry for AVG7_Run was shown as a Value Deleted.

It showed the old as C:\Progra~1\GRISOFT\AVGFRE~1\AVGW

Perhaps this is normal, but I denied the change/deletion.



Here's the latest HJT log:



Logfile of HijackThis v1.99.1
Scan saved at 11:48:35 PM, on 4/29/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\SUNBELT SOFTWARE\COUNTERSPY CLIENT\SUNASDTSERV.EXE
C:\PROGRAM FILES\SUNBELT SOFTWARE\COUNTERSPY CLIENT\SUNASSERV.EXE
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\PROGRAM FILES\SPYBOT - SEARCH & DESTROY\TEATIMER.EXE
C:\PROGRAM FILES\HP OFFICEJET SERIES 600\BIN\HPOSTART.EXE
C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\HP OFFICEJET SERIES 600\BIN\HPOJVDIX.EXE
C:\WINDOWS\SYSTEM\HPOMLCH.EXE
C:\PROGRAM FILES\OUTLOOK EXPRESS\MSIMN.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [SUNASDTSERV] C:\PROGRAM FILES\SUNBELT SOFTWARE\COUNTERSPY CLIENT\SUNASDTSERV.exe
O4 - HKLM\..\Run: [sunasServ] C:\Program Files\Sunbelt Software\CounterSpy Client\sunasServ.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [AVG7_Run] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGW.EXE /RUNONCE
O4 - Startup: HP OfficeJet Series 600 StartUp.lnk = C:\Program Files\HP OfficeJet Series 600\bin\HPOstart.exe
O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsearch.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsimilar.html
O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmtrans.html
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = swbell.com
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 151.164.1.8,151.164.1.7


Thanks,

henna_hannah
Mosaic1
There is only one download for AVG so far as I know. I don't like this. I haven't used 98 in a while and still haven't upgraded AVG over there so can't compare.


Video. It sounds like the install has caused a video driver problem. When there is a problem like that, windows often boots right to safe mode.

It looks like VGA? (safe mode video) Right click on the desktop and then click properties on the menu. Again, I have been away from 98 a long time. But I think you then click the settings tab.

You'll see the adjustment for color and screen resolution.

Is the slider set to the lowest Screen resolution? Are you able to move it up to 600 x 800?

Or are you really using the vga drivers? If there is no way to reset, then we'll have to reinstall them.


I am not sure about your AVG install. They do have a help forum, but you have to register your AVG to ask questions there.
henna_hannah
I was able to reset the display settings from VGA by using Control Panel/Display/Settings.

Now I have 256 colors and 1024 x 768 pixels. Things seem stable and consistent through multiple shutdowns and reboots.

AVG, CounterSpy and SpyBot scans have been clean.

As for the different version of AVG initially downloaded, it comes from here:

http://www.grisoft.com/doc/38/lng/ww

The link you provided to AVG has boldface near the bottom of the page that says "Trial Version". It goes to this page. Seems I was stumbling around a bit at that point and fell into an alternate offer.

Here's the latest HJT log:


Logfile of HijackThis v1.99.1
Scan saved at 12:15:19 PM, on 5/3/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\PROGRAM FILES\SPYBOT - SEARCH & DESTROY\TEATIMER.EXE
C:\PROGRAM FILES\HP OFFICEJET SERIES 600\BIN\HPOSTART.EXE
C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\HP OFFICEJET SERIES 600\BIN\HPOJVDIX.EXE
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\HPOMLCH.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\PROGRAM FILES\SUNBELT SOFTWARE\COUNTERSPY CLIENT\SUNASDTSERV.EXE
C:\PROGRAM FILES\SUNBELT SOFTWARE\COUNTERSPY CLIENT\SUNASSERV.EXE

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [SUNASDTSERV] C:\PROGRAM FILES\SUNBELT SOFTWARE\COUNTERSPY CLIENT\SUNASDTSERV.exe
O4 - HKLM\..\Run: [sunasServ] C:\Program Files\Sunbelt Software\CounterSpy Client\sunasServ.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: HP OfficeJet Series 600 StartUp.lnk = C:\Program Files\HP OfficeJet Series 600\bin\HPOstart.exe
O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsearch.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsimilar.html
O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmtrans.html
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = swbell.com
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 151.164.1.8,151.164.1.7



So far it seems you've done a great job restoring my system for me. :applause:

Does this log resemble a fairly normal setup to you?


Appreciatively,

henna_hannah
Mosaic1
Your log does look good. But I still am not happy about the AVG.

This is the correct link to download Free AVG: (it was a bit further down the original page)

http://free.grisoft.com/softw/70free/setup...ree_308a468.exe

I would uninstall the other and try this one.
henna_hannah
AVG has been uninstalled and reinstalled from the link in your last post.

Obtaining Updates and creating Rescue Disks went smoothly. A virus scan was negative.

The system seems to be running better. Before this installation of AVG, the system seemed "undecided" about whether to go to VGA display settings or not. Even in regular Windows, the cursor would flicker back and forth from VGA to current settings while displaying the hourglass. That has now stopped.


Here's the latest log:

Logfile of HijackThis v1.99.1
Scan saved at 10:39:35 PM, on 5/5/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\SUNBELT SOFTWARE\COUNTERSPY CLIENT\SUNASDTSERV.EXE
C:\PROGRAM FILES\SUNBELT SOFTWARE\COUNTERSPY CLIENT\SUNASSERV.EXE
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\PROGRAM FILES\SPYBOT - SEARCH & DESTROY\TEATIMER.EXE
C:\PROGRAM FILES\HP OFFICEJET SERIES 600\BIN\HPOSTART.EXE
C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\HP OFFICEJET SERIES 600\BIN\HPOJVDIX.EXE
C:\WINDOWS\SYSTEM\HPOMLCH.EXE
C:\PROGRAM FILES\OUTLOOK EXPRESS\MSIMN.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [SUNASDTSERV] C:\PROGRAM FILES\SUNBELT SOFTWARE\COUNTERSPY CLIENT\SUNASDTSERV.exe
O4 - HKLM\..\Run: [sunasServ] C:\Program Files\Sunbelt Software\CounterSpy Client\sunasServ.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: HP OfficeJet Series 600 StartUp.lnk = C:\Program Files\HP OfficeJet Series 600\bin\HPOstart.exe
O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsearch.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsimilar.html
O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmtrans.html
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = swbell.com
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 151.164.1.8,151.164.1.7

Thanks for suggesting the reinstall of AVG Free. It seems to be helping.

Let me know if there's anything else you think I should do.

henna_hannah
Mosaic1
That's great! The AVG / video problem is definitely not something you wanted to leave unresolved. Your log looks good now.

I do have one observation.
From CounterSpy
QUOTE
CounterSpy detects, deletes and protects!
What is Active Protection? Dozens of "checkpoints" that are monitored in real-time for attempts to install spyware. A very high percentage will be blocked by CounterSpy. Apart from the PC World BEST BUY Award, the World's largest PC Manufacturer has also decided for CounterSpy. Read this: "Dell has tested and recommends CounterSpy by Sunbelt Software. CounterSpy can identify third-party software that has been downloaded on your system and allows you to choose which applications you want to keep."



You are running Spybot's Tea Timer as well. This could cause a hit on your resources and cause conflicts between the two utilities. I would run only one of these in the background.


Also here is an excellent source for tips to tighten security. Follow the advice and get the free downloads to help avoid some of these problems in the future.
http://www.computercops.biz/postt7736.html
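The review above is done by eye: look for start-page hijacks, entries whose target file is gone, and DNS servers that do not belong to the ISP. As an added example (not code from this thread, from HijackThis or from any of the tools named here), the script below parses the item lines of a HijackThis log, raises those same three notes, and diffs an earlier log against a later one so a cleanup can be confirmed. The sample AFTER_LOG is a few lines copied from the log posted above; BEFORE_LOG adds one constructed R1 line showing an about:blank start page, which is an assumption for illustration. The set of expected name servers is simply the pair the O17 line already shows, treated here as the ISP's.

```python
import re
from typing import Dict, List, Set, Tuple

# A HijackThis item line: section code (R0, O4, O17 ...), " - ", then the body.
# Header lines and the "Running processes" list do not match and are skipped.
ITEM_RE = re.compile(r"^(?P<section>[RFNO]\d{1,2}) - (?P<body>.*)$")

# Assumption: the two servers in the posted O17 line are the ISP's own resolvers.
# Any other address in an O17 NameServer entry gets flagged for manual checking.
EXPECTED_NAMESERVERS: Set[str] = {"151.164.1.8", "151.164.1.7"}

# Constructed sample: lines copied from the log posted above.
AFTER_LOG = r"""Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\EXPLORER.EXE

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = swbell.com
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 151.164.1.8,151.164.1.7
"""

# Constructed "before" log: the same entries plus a hypothetical R1 line of the
# kind a start-page hijack leaves behind (an assumption, not from the thread).
BEFORE_LOG = (
    r"R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank"
    + "\n" + AFTER_LOG
)


def parse_hjt(text: str) -> Dict[str, List[str]]:
    """Group item bodies by section code, preserving the order they appear in."""
    items: Dict[str, List[str]] = {}
    for line in text.splitlines():
        m = ITEM_RE.match(line.strip())
        if m:
            items.setdefault(m.group("section"), []).append(m.group("body"))
    return items


def triage(text: str) -> List[str]:
    """Return the plain-English notes a log reviewer would raise for this log."""
    notes: List[str] = []
    for section, bodies in parse_hjt(text).items():
        for body in bodies:
            # R0/R1: Internet Explorer start and search page values.
            if section in ("R0", "R1") and "about:blank" in body.lower():
                notes.append(f"{section}: start/search page set to about:blank -> {body}")
            # Any section: registry entry whose target file no longer exists.
            if "(no file)" in body:
                notes.append(f"{section}: orphaned entry, target file missing -> {body}")
            # O17: Win9x TCP/IP DNS settings; compare against the ISP's servers.
            if section == "O17":
                m = re.search(r"NameServer = ([\d.,]+)", body)
                if m:
                    unknown = set(m.group(1).split(",")) - EXPECTED_NAMESERVERS
                    if unknown:
                        notes.append(f"O17: unexpected DNS server(s) {sorted(unknown)} -> {body}")
    return notes


def diff_logs(before: str, after: str) -> Tuple[List[str], List[str]]:
    """Entries that disappeared between two logs, and entries that newly appeared."""
    def flat(text: str) -> Set[str]:
        return {f"{s} - {b}" for s, bodies in parse_hjt(text).items() for b in bodies}
    b, a = flat(before), flat(after)
    return sorted(b - a), sorted(a - b)


if __name__ == "__main__":
    for note in triage(BEFORE_LOG):
        print("before:", note)
    for note in triage(AFTER_LOG):
        print("after: ", note)
    removed, added = diff_logs(BEFORE_LOG, AFTER_LOG)
    print("removed since earlier log:", removed)
    print("added since earlier log:  ", added)
```

Run it on the AFTER_LOG sample and the only note left is the O9 "(no file)" button, which matches the verdict that the log looks good; the diff shows the constructed R1 start-page entry as the one thing removed. Real logs are pasted into `triage()` and `diff_logs()` the same way.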
henna_hannah
Thanks for that reminder. For the future, I'll run only one at a time. (Had the impression they both needed to be running for you to see them in the log.)

Looking at the ComputerCops site, I took the Browser Security Test and made changes as recommended.

Your patient guidance has been the best! :applause:

Is there any way I can show my appreciation by making a donation to the cause?

With many thanks,


henna_hannah
Mosaic1
henna_hannah,

Thank you for the compliment.

You're very welcome. It's always nice to see a problem repaired. Your offer of a donation is very much appreciated. At this time, however, Gladiator doesn't accept donations. So I have to decline.


Enjoy the internet and be careful. There are a lot of Predators out there.


I'll close this topic now. If you need it re-opened in the near future, PM an Admin or Moderator to help you.


Anyone else, please start your own topic and someone will help.

Mosaic1