CWS Please Help

36 replies to this topic

#1 Reg

    Member

  • Full Member
  • 30 posts

Posted 27 June 2004 - 12:58 PM

CWS and SaveNow on my machine can be found but not removed by CWShredder, Ad-aware, Spybot, and Xoft.


Logfile of HijackThis v1.97.7
Scan saved at 3:37:21 AM, on 6/27/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v5.00 SP2 (5.00.3314.2100)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\EXPLORER.EXE
C:\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\TEMP\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\WINDOWS\TEMP\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\WINDOWS\TEMP\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\TEMP\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\WINDOWS\TEMP\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\WINDOWS\TEMP\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = sas.r5.attbi.com:8000
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.r5.attbi.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
N1 - Netscape 4: user_pref("browser.startup.homepage", "http://www.altavista.com"); (C:\Program Files\Netscape\Users\netscape_profile\prefs.js)
O1 - Hosts: 204.46.198.11 r5imbnt1.r05res.epa.gov r5imbnt1 r5dev1
O1 - Hosts: 204.46.198.12 r5imbnt2.r05res.epa.gov r5imbnt2 r5dev2
O1 - Hosts: 204.46.177.44 r5notes2.r05tok.epa.gov r5notes2
O1 - Hosts: 204.46.180.38 r5imbnt3.r5gware.epa.gov r5imbnt3 r5notes3_nt
O1 - Hosts: 204.46.180.40 r5imbnt4.r5gware.epa.gov r5imbnt4 r5notes4_nt
O1 - Hosts: 204.46.177.72 r5imbnt5.r05tok.epa.gov r5imbnt5 r5notes5_nt
O1 - Hosts: 204.46.180.46 r5imbnt9.r5gware.epa.gov r5imbnt9 r5notes9
O1 - Hosts: 204.46.189.72 r5nt6.r5oig.epa.gov r5nt6 r5notes6_nt
O1 - Hosts: 204.46.177.57 r5nt6a.r05tok.epa.gov r5nt6a
O1 - Hosts: 204.46.180.37 r5nt6b.r05.epa.gov r5nt6b
O1 - Hosts: 204.46.189.71 r5ntdomfax1.r5oig.epa.gov r5ntdomfax1 r5notes7_fax
O1 - Hosts: 204.46.181.31 r5edont1.r5edo.epa.gov r5edont1 r5notes8_oh
O1 - Hosts: 204.46.189.70 r5ntbkup.r5oig.epa.gov r5ntbkup
O1 - Hosts: 204.46.180.39 r5imbnt3a.r5gware.epa.gov r5imbnt3a
O1 - Hosts: 204.46.198.85 r5ntora.r05res.epa.gov r5ntora
O1 - Hosts: 204.46.177.35 r5leg1.r05tok.epa.gov r5leg1
O1 - Hosts: 204.46.177.37 r5cubix1.r05tok.epa.gov r5cubix1
O1 - Hosts: 204.46.177.38 r5cubix2.r05tok.epa.gov r5cubix2
O1 - Hosts: 204.46.185.12 pm1.r5pmd.epa.gov pm1
O1 - Hosts: 204.46.185.13 pm2.r5pmd.epa.gov pm2
O1 - Hosts: 204.46.185.14 pm3.r5pmd.epa.gov pm3
O1 - Hosts: 204.46.185.15 pm4.r5pmd.epa.gov pm4
O1 - Hosts: 204.46.185.16 pm5.r5pmd.epa.gov pm5
O1 - Hosts: 204.46.185.17 pm6.r5pmd.epa.gov pm6
O1 - Hosts: 204.46.185.18 pm7.r5pmd.epa.gov pm7
O1 - Hosts: 204.46.185.11 r5pmd-ur.r5pmd.epa.gov r5pmd-ur
O1 - Hosts: 204.46.177.23 r5pmd-tbb.r05tok.epa.gov r5pmd-tbb
O1 - Hosts: 204.46.186.12 fm1.r5fms1.epa.gov fm1
O1 - Hosts: 204.46.186.13 fm2.r5fms1.epa.gov fm2
O1 - Hosts: 204.46.186.14 fm3.r5fms1.epa.gov fm3
O1 - Hosts: 204.46.186.15 fm4.r5fms1.epa.gov fm4
O1 - Hosts: 204.46.186.16 fm5.r5fms1.epa.gov fm5
O1 - Hosts: 204.46.186.17 fm6.r5fms1.epa.gov fm6
O1 - Hosts: 204.46.186.11 r5fms1-ur.r5fms1.epa.gov r5fms1-ur
O1 - Hosts: 204.46.177.24 r5fms1-tbb.r05tok.epa.gov r5fms1-tbb
O1 - Hosts: 204.46.187.12 rc1.r5rcra.epa.gov rc1
O1 - Hosts: 204.46.187.13 rc2.r5rcra.epa.gov rc2
O1 - Hosts: 204.46.187.14 rc3.r5rcra.epa.gov rc3
O1 - Hosts: 204.46.187.15 rc4.r5rcra.epa.gov rc4
O1 - Hosts: 204.46.187.16 rc5.r5rcra.epa.gov rc5
O1 - Hosts: 204.46.187.17 rc6.r5rcra.epa.gov rc6
O1 - Hosts: 204.46.187.18 rc7.r5rcra.epa.gov rc7
O1 - Hosts: 204.46.187.19 rc8.r5rcra.epa.gov rc8
O1 - Hosts: 204.46.187.20 rc9.r5rcra.epa.gov rc9
O1 - Hosts: 204.46.187.21 rc10.r5rcra.epa.gov rc10
O1 - Hosts: 204.46.187.22 rc11.r5rcra.epa.gov rc11
O1 - Hosts: 204.46.187.23 rc12.r5rcra.epa.gov rc12
O1 - Hosts: 204.46.190.24 rc13.r5rcra.epa.gov rc13
O1 - Hosts: 204.46.190.25 rc14.r5rcra.epa.gov rc14
O1 - Hosts: 204.46.187.11 r5rcra-ur.r5rcra.epa.gov r5rcra-ur
O1 - Hosts: 204.46.177.25 r5rcra-tbb.r05tok.epa.gov r5rcra-tbb
O1 - Hosts: 204.46.188.12 ar1.r5ard.epa.gov ar1
O1 - Hosts: 204.46.188.13 ar2.r5ard.epa.gov ar2
O1 - Hosts: 204.46.188.14 ar3.r5ard.epa.gov ar3
O1 - Hosts: 204.46.188.15 ar4.r5ard.epa.gov ar4
O1 - Hosts: 204.46.188.16 ar5.r5ard.epa.gov ar5
O1 - Hosts: 204.46.188.17 ar6.r5ard.epa.gov ar6
O1 - Hosts: 204.46.188.18 ar7.r5ard.epa.gov ar7
O1 - Hosts: 204.46.188.19 ar8.r5ard.epa.gov ar8
O1 - Hosts: 204.46.188.20 ar9.r5ard.epa.gov ar9
O1 - Hosts: 204.46.188.21 ar10.r5ard.epa.gov ar10
O1 - Hosts: 204.46.188.22 ar11.r5ard.epa.gov ar11
O1 - Hosts: 204.46.188.23 ar12.r5ard.epa.gov ar12
O1 - Hosts: 204.46.188.24 ar13.r5ard.epa.gov ar13
O1 - Hosts: 204.46.188.25 ar14.r5ard.epa.gov ar14
O1 - Hosts: 204.46.188.26 ar15.r5ard.epa.gov ar15
O1 - Hosts: 204.46.188.27 ar16.r5ard.epa.gov ar16
O1 - Hosts: 204.46.188.28 ar17.r5ard.epa.gov ar17
O1 - Hosts: 204.46.188.29 ar18.r5ard.epa.gov ar18
O1 - Hosts: 204.46.188.30 ar19.r5ard.epa.gov ar19
O1 - Hosts: 204.46.188.31 ar20.r5ard.epa.gov ar20
O1 - Hosts: 204.46.188.32 ar21.r5ard.epa.gov ar21
O1 - Hosts: 204.46.188.33 ar22.r5ard.epa.gov ar22
O1 - Hosts: 204.46.188.34 ar23.r5ard.epa.gov ar23
O1 - Hosts: 204.46.188.35 ar24.r5ard.epa.gov ar24
O1 - Hosts: 204.46.188.36 ar25.r5ard.epa.gov ar25
O1 - Hosts: 204.46.188.37 ar26.r5ard.epa.gov ar26
O1 - Hosts: 204.46.188.38 ar27.r5ard.epa.gov ar27
O1 - Hosts: 204.46.188.39 ar28.r5ard.epa.gov ar28
O1 - Hosts: 204.46.188.40 ar29.r5ard.epa.gov ar29
O1 - Hosts: 204.46.188.41 ar30.r5ard.epa.gov ar30
O1 - Hosts: 204.46.188.42 ar31.r5ard.epa.gov ar31
O1 - Hosts: 204.46.188.43 ar32.r5ard.epa.gov ar32
O1 - Hosts: 204.46.188.44 ar33.r5arb.epa.gov ar33
O1 - Hosts: 204.46.188.45 ar34.r5arb.epa.gov ar34
O1 - Hosts: 204.46.188.46 ar35.r5arb.epa.gov ar35
O1 - Hosts: 204.46.188.47 ar36.r5arb.epa.gov ar36
O1 - Hosts: 204.46.188.48 ar37.r5arb.epa.gov ar37
O1 - Hosts: 204.46.188.49 ar38.r5arb.epa.gov ar38
O1 - Hosts: 204.46.188.50 ar39.r5arb.epa.gov ar39
O1 - Hosts: 204.46.188.51 ar40.r5arb.epa.gov ar40
O1 - Hosts: 204.46.188.52 ar41.r5arb.epa.gov ar41
O1 - Hosts: 204.46.188.53 ar42.r5ard.epa.gov ar42
O1 - Hosts: 204.46.188.54 ar43.r5ard.epa.gov ar43
O1 - Hosts: 204.46.188.55 ar44.r5ard.epa.gov ar44
O1 - Hosts: 204.46.188.56 ar45.r5ard.epa.gov ar45
O1 - Hosts: 204.46.188.11 r5ard-ur.r5ard.epa.gov r5ard-ur
O1 - Hosts: 204.46.177.26 r5ard-tbb.r05tok.epa.gov r5ard-tbb
O1 - Hosts: 204.46.189.12 oi1.r5oig.epa.gov oi1
O1 - Hosts: 204.46.189.13 oi2.r5oig.epa.gov oi2
O1 - Hosts: 204.46.189.11 r5oig-ur.r5oig.epa.gov r5oig-ur
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - (no file)
O2 - BHO: (no name) - {275636E4-A535-4668-9FF1-86DC0C62D446} - C:\WINDOWS\MADOPEW.DLL
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: (no name) - {82599E0A-8C81-11d7-9F97-0050FC5441CB} - C:\WINDOWS\SYSTEM\shdocvw.dll
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [PTSNOOP] ptsnoop.exe
O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: MSN Messenger Service (HKLM)
O9 - Extra button: Translate (HKLM)
O9 - Extra 'Tools' menuitem: AV &Translate (HKLM)
O9 - Extra 'Tools' menuitem: &Find Pages Linking to this URL (HKLM)
O9 - Extra 'Tools' menuitem: Find Other Pages on this &Host (HKLM)
O9 - Extra 'Tools' menuitem: AV Home (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: MSN (HKCU)
O12 - Plugin for .gov/FOTW23WebApp/servlet/StudentAccessServlet?dowhat=printsumpdf&phase=10&state=11&historyid=2&pageid=175&mode=0: C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\PLUGINS\nppdf32.dll
O12 - Plugin for .swf: C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\PLUGINS\npswf32.dll
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O12 - Plugin for .MPG: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin3.dll
O15 - Trusted Zone: www.mt-download.com
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...ector/swdir.cab

#2 Reg

    Member

  • Full Member
  • 30 posts

Posted 27 June 2004 - 07:13 PM

I tweaked Ad-aware as per instructions to Sherre in a post here and found some 70 problems, including several registry entries for CWS. Here is the new HijackThis log:
Logfile of HijackThis v1.97.7
Scan saved at 7:09:46 PM, on 6/27/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v5.00 SP2 (5.00.3314.2100)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\MICROSOFT HARDWARE\MOUSE\POINT32.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\ptsnoop.exe
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\NETSCAPE.EXE
C:\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://c:\windows\TEMP\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://c:\windows\TEMP\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://c:\windows\TEMP\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://c:\windows\TEMP\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://c:\windows\TEMP\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://c:\windows\TEMP\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = sas.r5.attbi.com:8000
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.r5.attbi.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
N1 - Netscape 4: user_pref("browser.startup.homepage", "http://www.altavista.com"); (C:\Program Files\Netscape\Users\netscape_profile\prefs.js)
O1 - Hosts: 204.46.198.11 r5imbnt1.r05res.epa.gov r5imbnt1 r5dev1
O1 - Hosts: 204.46.198.12 r5imbnt2.r05res.epa.gov r5imbnt2 r5dev2
O1 - Hosts: 204.46.177.44 r5notes2.r05tok.epa.gov r5notes2
O1 - Hosts: 204.46.180.38 r5imbnt3.r5gware.epa.gov r5imbnt3 r5notes3_nt
O1 - Hosts: 204.46.180.40 r5imbnt4.r5gware.epa.gov r5imbnt4 r5notes4_nt
O1 - Hosts: 204.46.177.72 r5imbnt5.r05tok.epa.gov r5imbnt5 r5notes5_nt
O1 - Hosts: 204.46.180.46 r5imbnt9.r5gware.epa.gov r5imbnt9 r5notes9
O1 - Hosts: 204.46.189.72 r5nt6.r5oig.epa.gov r5nt6 r5notes6_nt
O1 - Hosts: 204.46.177.57 r5nt6a.r05tok.epa.gov r5nt6a
O1 - Hosts: 204.46.180.37 r5nt6b.r05.epa.gov r5nt6b
O1 - Hosts: 204.46.189.71 r5ntdomfax1.r5oig.epa.gov r5ntdomfax1 r5notes7_fax
O1 - Hosts: 204.46.181.31 r5edont1.r5edo.epa.gov r5edont1 r5notes8_oh
O1 - Hosts: 204.46.189.70 r5ntbkup.r5oig.epa.gov r5ntbkup
O1 - Hosts: 204.46.180.39 r5imbnt3a.r5gware.epa.gov r5imbnt3a
O1 - Hosts: 204.46.198.85 r5ntora.r05res.epa.gov r5ntora
O1 - Hosts: 204.46.177.35 r5leg1.r05tok.epa.gov r5leg1
O1 - Hosts: 204.46.177.37 r5cubix1.r05tok.epa.gov r5cubix1
O1 - Hosts: 204.46.177.38 r5cubix2.r05tok.epa.gov r5cubix2
O1 - Hosts: 204.46.185.12 pm1.r5pmd.epa.gov pm1
O1 - Hosts: 204.46.185.13 pm2.r5pmd.epa.gov pm2
O1 - Hosts: 204.46.185.14 pm3.r5pmd.epa.gov pm3
O1 - Hosts: 204.46.185.15 pm4.r5pmd.epa.gov pm4
O1 - Hosts: 204.46.185.16 pm5.r5pmd.epa.gov pm5
O1 - Hosts: 204.46.185.17 pm6.r5pmd.epa.gov pm6
O1 - Hosts: 204.46.185.18 pm7.r5pmd.epa.gov pm7
O1 - Hosts: 204.46.185.11 r5pmd-ur.r5pmd.epa.gov r5pmd-ur
O1 - Hosts: 204.46.177.23 r5pmd-tbb.r05tok.epa.gov r5pmd-tbb
O1 - Hosts: 204.46.186.12 fm1.r5fms1.epa.gov fm1
O1 - Hosts: 204.46.186.13 fm2.r5fms1.epa.gov fm2
O1 - Hosts: 204.46.186.14 fm3.r5fms1.epa.gov fm3
O1 - Hosts: 204.46.186.15 fm4.r5fms1.epa.gov fm4
O1 - Hosts: 204.46.186.16 fm5.r5fms1.epa.gov fm5
O1 - Hosts: 204.46.186.17 fm6.r5fms1.epa.gov fm6
O1 - Hosts: 204.46.186.11 r5fms1-ur.r5fms1.epa.gov r5fms1-ur
O1 - Hosts: 204.46.177.24 r5fms1-tbb.r05tok.epa.gov r5fms1-tbb
O1 - Hosts: 204.46.187.12 rc1.r5rcra.epa.gov rc1
O1 - Hosts: 204.46.187.13 rc2.r5rcra.epa.gov rc2
O1 - Hosts: 204.46.187.14 rc3.r5rcra.epa.gov rc3
O1 - Hosts: 204.46.187.15 rc4.r5rcra.epa.gov rc4
O1 - Hosts: 204.46.187.16 rc5.r5rcra.epa.gov rc5
O1 - Hosts: 204.46.187.17 rc6.r5rcra.epa.gov rc6
O1 - Hosts: 204.46.187.18 rc7.r5rcra.epa.gov rc7
O1 - Hosts: 204.46.187.19 rc8.r5rcra.epa.gov rc8
O1 - Hosts: 204.46.187.20 rc9.r5rcra.epa.gov rc9
O1 - Hosts: 204.46.187.21 rc10.r5rcra.epa.gov rc10
O1 - Hosts: 204.46.187.22 rc11.r5rcra.epa.gov rc11
O1 - Hosts: 204.46.187.23 rc12.r5rcra.epa.gov rc12
O1 - Hosts: 204.46.190.24 rc13.r5rcra.epa.gov rc13
O1 - Hosts: 204.46.190.25 rc14.r5rcra.epa.gov rc14
O1 - Hosts: 204.46.187.11 r5rcra-ur.r5rcra.epa.gov r5rcra-ur
O1 - Hosts: 204.46.177.25 r5rcra-tbb.r05tok.epa.gov r5rcra-tbb
O1 - Hosts: 204.46.188.12 ar1.r5ard.epa.gov ar1
O1 - Hosts: 204.46.188.13 ar2.r5ard.epa.gov ar2
O1 - Hosts: 204.46.188.14 ar3.r5ard.epa.gov ar3
O1 - Hosts: 204.46.188.15 ar4.r5ard.epa.gov ar4
O1 - Hosts: 204.46.188.16 ar5.r5ard.epa.gov ar5
O1 - Hosts: 204.46.188.17 ar6.r5ard.epa.gov ar6
O1 - Hosts: 204.46.188.18 ar7.r5ard.epa.gov ar7
O1 - Hosts: 204.46.188.19 ar8.r5ard.epa.gov ar8
O1 - Hosts: 204.46.188.20 ar9.r5ard.epa.gov ar9
O1 - Hosts: 204.46.188.21 ar10.r5ard.epa.gov ar10
O1 - Hosts: 204.46.188.22 ar11.r5ard.epa.gov ar11
O1 - Hosts: 204.46.188.23 ar12.r5ard.epa.gov ar12
O1 - Hosts: 204.46.188.24 ar13.r5ard.epa.gov ar13
O1 - Hosts: 204.46.188.25 ar14.r5ard.epa.gov ar14
O1 - Hosts: 204.46.188.26 ar15.r5ard.epa.gov ar15
O1 - Hosts: 204.46.188.27 ar16.r5ard.epa.gov ar16
O1 - Hosts: 204.46.188.28 ar17.r5ard.epa.gov ar17
O1 - Hosts: 204.46.188.29 ar18.r5ard.epa.gov ar18
O1 - Hosts: 204.46.188.30 ar19.r5ard.epa.gov ar19
O1 - Hosts: 204.46.188.31 ar20.r5ard.epa.gov ar20
O1 - Hosts: 204.46.188.32 ar21.r5ard.epa.gov ar21
O1 - Hosts: 204.46.188.33 ar22.r5ard.epa.gov ar22
O1 - Hosts: 204.46.188.34 ar23.r5ard.epa.gov ar23
O1 - Hosts: 204.46.188.35 ar24.r5ard.epa.gov ar24
O1 - Hosts: 204.46.188.36 ar25.r5ard.epa.gov ar25
O1 - Hosts: 204.46.188.37 ar26.r5ard.epa.gov ar26
O1 - Hosts: 204.46.188.38 ar27.r5ard.epa.gov ar27
O1 - Hosts: 204.46.188.39 ar28.r5ard.epa.gov ar28
O1 - Hosts: 204.46.188.40 ar29.r5ard.epa.gov ar29
O1 - Hosts: 204.46.188.41 ar30.r5ard.epa.gov ar30
O1 - Hosts: 204.46.188.42 ar31.r5ard.epa.gov ar31
O1 - Hosts: 204.46.188.43 ar32.r5ard.epa.gov ar32
O1 - Hosts: 204.46.188.44 ar33.r5arb.epa.gov ar33
O1 - Hosts: 204.46.188.45 ar34.r5arb.epa.gov ar34
O1 - Hosts: 204.46.188.46 ar35.r5arb.epa.gov ar35
O1 - Hosts: 204.46.188.47 ar36.r5arb.epa.gov ar36
O1 - Hosts: 204.46.188.48 ar37.r5arb.epa.gov ar37
O1 - Hosts: 204.46.188.49 ar38.r5arb.epa.gov ar38
O1 - Hosts: 204.46.188.50 ar39.r5arb.epa.gov ar39
O1 - Hosts: 204.46.188.51 ar40.r5arb.epa.gov ar40
O1 - Hosts: 204.46.188.52 ar41.r5arb.epa.gov ar41
O1 - Hosts: 204.46.188.53 ar42.r5ard.epa.gov ar42
O1 - Hosts: 204.46.188.54 ar43.r5ard.epa.gov ar43
O1 - Hosts: 204.46.188.55 ar44.r5ard.epa.gov ar44
O1 - Hosts: 204.46.188.56 ar45.r5ard.epa.gov ar45
O1 - Hosts: 204.46.188.11 r5ard-ur.r5ard.epa.gov r5ard-ur
O1 - Hosts: 204.46.177.26 r5ard-tbb.r05tok.epa.gov r5ard-tbb
O1 - Hosts: 204.46.189.12 oi1.r5oig.epa.gov oi1
O1 - Hosts: 204.46.189.13 oi2.r5oig.epa.gov oi2
O1 - Hosts: 204.46.189.11 r5oig-ur.r5oig.epa.gov r5oig-ur
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - (no file)
O2 - BHO: (no name) - {275636E4-A535-4668-9FF1-86DC0C62D446} - C:\WINDOWS\MADOPEW.DLL
O2 - BHO: (no name) - {3D9FC8C2-C86A-11D8-A1EC-001086B98B0B} - C:\WINDOWS\SYSTEM\BBLPGAA.DLL (file missing)
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: (no name) - {82599E0A-8C81-11d7-9F97-0050FC5441CB} - C:\WINDOWS\SYSTEM\shdocvw.dll
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [PTSNOOP] ptsnoop.exe
O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: MSN Messenger Service (HKLM)
O9 - Extra button: Translate (HKLM)
O9 - Extra 'Tools' menuitem: AV &Translate (HKLM)
O9 - Extra 'Tools' menuitem: &Find Pages Linking to this URL (HKLM)
O9 - Extra 'Tools' menuitem: Find Other Pages on this &Host (HKLM)
O9 - Extra 'Tools' menuitem: AV Home (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: MSN (HKCU)
O12 - Plugin for .gov/FOTW23WebApp/servlet/StudentAccessServlet?dowhat=printsumpdf&phase=10&state=11&historyid=2&pageid=175&mode=0: C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\PLUGINS\nppdf32.dll
O12 - Plugin for .swf: C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\PLUGINS\npswf32.dll
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O12 - Plugin for .MPG: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin3.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...ector/swdir.cab

Thanks for any assistance.

#3 LoPhatPhuud

    Master of Disaster Recovery

  • Emeritus
  • 432 posts

Posted 29 June 2004 - 09:53 PM

This is the last log, posted in the wrong thread:

I posted my first HJT log on 6-25 re CWS. Since then I believe that I have 95% eliminated the thing with the BobO method. However, I would really like to have someone take a quick look at my post-clean-up log, particularly suspicious entries R1 HomeOldSP, the O2s, and O3 shdocvw.dll (that I think is Tiny Bar; if so, how do I deal with that?). I don't mean to complain about waiting, but I feel that I am close to a solution and just need a couple of minutes. This is a terrific board. Thanks for the help.

Logfile of HijackThis v1.97.7
Scan saved at 8:27:27 PM, on 6/29/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v5.00 SP2 (5.00.3314.2100)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\MICROSOFT HARDWARE\MOUSE\POINT32.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\ptsnoop.exe
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\NETSCAPE.EXE
C:\HIJACKTHIS.EXE

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = sas.r5.attbi.com:8000
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.r5.attbi.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
N1 - Netscape 4: user_pref("browser.startup.homepage", "http://www.altavista.com"); (C:\Program Files\Netscape\Users\netscape_profile\prefs.js)
O1 - Hosts: 204.46.198.11 r5imbnt1.r05res.epa.gov r5imbnt1 r5dev1
O1 - Hosts: 204.46.198.12 r5imbnt2.r05res.epa.gov r5imbnt2 r5dev2
O1 - Hosts: 204.46.177.44 r5notes2.r05tok.epa.gov r5notes2
O1 - Hosts: 204.46.180.38 r5imbnt3.r5gware.epa.gov r5imbnt3 r5notes3_nt
O1 - Hosts: 204.46.180.40 r5imbnt4.r5gware.epa.gov r5imbnt4 r5notes4_nt
O1 - Hosts: 204.46.177.72 r5imbnt5.r05tok.epa.gov r5imbnt5 r5notes5_nt
O1 - Hosts: 204.46.180.46 r5imbnt9.r5gware.epa.gov r5imbnt9 r5notes9
O1 - Hosts: 204.46.189.72 r5nt6.r5oig.epa.gov r5nt6 r5notes6_nt
O1 - Hosts: 204.46.177.57 r5nt6a.r05tok.epa.gov r5nt6a
O1 - Hosts: 204.46.180.37 r5nt6b.r05.epa.gov r5nt6b
O1 - Hosts: 204.46.189.71 r5ntdomfax1.r5oig.epa.gov r5ntdomfax1 r5notes7_fax
O1 - Hosts: 204.46.181.31 r5edont1.r5edo.epa.gov r5edont1 r5notes8_oh
O1 - Hosts: 204.46.189.70 r5ntbkup.r5oig.epa.gov r5ntbkup
O1 - Hosts: 204.46.180.39 r5imbnt3a.r5gware.epa.gov r5imbnt3a
O1 - Hosts: 204.46.198.85 r5ntora.r05res.epa.gov r5ntora
O1 - Hosts: 204.46.177.35 r5leg1.r05tok.epa.gov r5leg1
O1 - Hosts: 204.46.177.37 r5cubix1.r05tok.epa.gov r5cubix1
O1 - Hosts: 204.46.177.38 r5cubix2.r05tok.epa.gov r5cubix2
O1 - Hosts: 204.46.185.12 pm1.r5pmd.epa.gov pm1
O1 - Hosts: 204.46.185.13 pm2.r5pmd.epa.gov pm2
O1 - Hosts: 204.46.185.14 pm3.r5pmd.epa.gov pm3
O1 - Hosts: 204.46.185.15 pm4.r5pmd.epa.gov pm4
O1 - Hosts: 204.46.185.16 pm5.r5pmd.epa.gov pm5
O1 - Hosts: 204.46.185.17 pm6.r5pmd.epa.gov pm6
O1 - Hosts: 204.46.185.18 pm7.r5pmd.epa.gov pm7
O1 - Hosts: 204.46.185.11 r5pmd-ur.r5pmd.epa.gov r5pmd-ur
O1 - Hosts: 204.46.177.23 r5pmd-tbb.r05tok.epa.gov r5pmd-tbb
O1 - Hosts: 204.46.186.12 fm1.r5fms1.epa.gov fm1
O1 - Hosts: 204.46.186.13 fm2.r5fms1.epa.gov fm2
O1 - Hosts: 204.46.186.14 fm3.r5fms1.epa.gov fm3
O1 - Hosts: 204.46.186.15 fm4.r5fms1.epa.gov fm4
O1 - Hosts: 204.46.186.16 fm5.r5fms1.epa.gov fm5
O1 - Hosts: 204.46.186.17 fm6.r5fms1.epa.gov fm6
O1 - Hosts: 204.46.186.11 r5fms1-ur.r5fms1.epa.gov r5fms1-ur
O1 - Hosts: 204.46.177.24 r5fms1-tbb.r05tok.epa.gov r5fms1-tbb
O1 - Hosts: 204.46.187.12 rc1.r5rcra.epa.gov rc1
O1 - Hosts: 204.46.187.13 rc2.r5rcra.epa.gov rc2
O1 - Hosts: 204.46.187.14 rc3.r5rcra.epa.gov rc3
O1 - Hosts: 204.46.187.15 rc4.r5rcra.epa.gov rc4
O1 - Hosts: 204.46.187.16 rc5.r5rcra.epa.gov rc5
O1 - Hosts: 204.46.187.17 rc6.r5rcra.epa.gov rc6
O1 - Hosts: 204.46.187.18 rc7.r5rcra.epa.gov rc7
O1 - Hosts: 204.46.187.19 rc8.r5rcra.epa.gov rc8
O1 - Hosts: 204.46.187.20 rc9.r5rcra.epa.gov rc9
O1 - Hosts: 204.46.187.21 rc10.r5rcra.epa.gov rc10
O1 - Hosts: 204.46.187.22 rc11.r5rcra.epa.gov rc11
O1 - Hosts: 204.46.187.23 rc12.r5rcra.epa.gov rc12
O1 - Hosts: 204.46.190.24 rc13.r5rcra.epa.gov rc13
O1 - Hosts: 204.46.190.25 rc14.r5rcra.epa.gov rc14
O1 - Hosts: 204.46.187.11 r5rcra-ur.r5rcra.epa.gov r5rcra-ur
O1 - Hosts: 204.46.177.25 r5rcra-tbb.r05tok.epa.gov r5rcra-tbb
O1 - Hosts: 204.46.188.12 ar1.r5ard.epa.gov ar1
O1 - Hosts: 204.46.188.13 ar2.r5ard.epa.gov ar2
O1 - Hosts: 204.46.188.14 ar3.r5ard.epa.gov ar3
O1 - Hosts: 204.46.188.15 ar4.r5ard.epa.gov ar4
O1 - Hosts: 204.46.188.16 ar5.r5ard.epa.gov ar5
O1 - Hosts: 204.46.188.17 ar6.r5ard.epa.gov ar6
O1 - Hosts: 204.46.188.18 ar7.r5ard.epa.gov ar7
O1 - Hosts: 204.46.188.19 ar8.r5ard.epa.gov ar8
O1 - Hosts: 204.46.188.20 ar9.r5ard.epa.gov ar9
O1 - Hosts: 204.46.188.21 ar10.r5ard.epa.gov ar10
O1 - Hosts: 204.46.188.22 ar11.r5ard.epa.gov ar11
O1 - Hosts: 204.46.188.23 ar12.r5ard.epa.gov ar12
O1 - Hosts: 204.46.188.24 ar13.r5ard.epa.gov ar13
O1 - Hosts: 204.46.188.25 ar14.r5ard.epa.gov ar14
O1 - Hosts: 204.46.188.26 ar15.r5ard.epa.gov ar15
O1 - Hosts: 204.46.188.27 ar16.r5ard.epa.gov ar16
O1 - Hosts: 204.46.188.28 ar17.r5ard.epa.gov ar17
O1 - Hosts: 204.46.188.29 ar18.r5ard.epa.gov ar18
O1 - Hosts: 204.46.188.30 ar19.r5ard.epa.gov ar19
O1 - Hosts: 204.46.188.31 ar20.r5ard.epa.gov ar20
O1 - Hosts: 204.46.188.32 ar21.r5ard.epa.gov ar21
O1 - Hosts: 204.46.188.33 ar22.r5ard.epa.gov ar22
O1 - Hosts: 204.46.188.34 ar23.r5ard.epa.gov ar23
O1 - Hosts: 204.46.188.35 ar24.r5ard.epa.gov ar24
O1 - Hosts: 204.46.188.36 ar25.r5ard.epa.gov ar25
O1 - Hosts: 204.46.188.37 ar26.r5ard.epa.gov ar26
O1 - Hosts: 204.46.188.38 ar27.r5ard.epa.gov ar27
O1 - Hosts: 204.46.188.39 ar28.r5ard.epa.gov ar28
O1 - Hosts: 204.46.188.40 ar29.r5ard.epa.gov ar29
O1 - Hosts: 204.46.188.41 ar30.r5ard.epa.gov ar30
O1 - Hosts: 204.46.188.42 ar31.r5ard.epa.gov ar31
O1 - Hosts: 204.46.188.43 ar32.r5ard.epa.gov ar32
O1 - Hosts: 204.46.188.44 ar33.r5arb.epa.gov ar33
O1 - Hosts: 204.46.188.45 ar34.r5arb.epa.gov ar34
O1 - Hosts: 204.46.188.46 ar35.r5arb.epa.gov ar35
O1 - Hosts: 204.46.188.47 ar36.r5arb.epa.gov ar36
O1 - Hosts: 204.46.188.48 ar37.r5arb.epa.gov ar37
O1 - Hosts: 204.46.188.49 ar38.r5arb.epa.gov ar38
O1 - Hosts: 204.46.188.50 ar39.r5arb.epa.gov ar39
O1 - Hosts: 204.46.188.51 ar40.r5arb.epa.gov ar40
O1 - Hosts: 204.46.188.52 ar41.r5arb.epa.gov ar41
O1 - Hosts: 204.46.188.53 ar42.r5ard.epa.gov ar42
O1 - Hosts: 204.46.188.54 ar43.r5ard.epa.gov ar43
O1 - Hosts: 204.46.188.55 ar44.r5ard.epa.gov ar44
O1 - Hosts: 204.46.188.56 ar45.r5ard.epa.gov ar45
O1 - Hosts: 204.46.188.11 r5ard-ur.r5ard.epa.gov r5ard-ur
O1 - Hosts: 204.46.177.26 r5ard-tbb.r05tok.epa.gov r5ard-tbb
O1 - Hosts: 204.46.189.12 oi1.r5oig.epa.gov oi1
O1 - Hosts: 204.46.189.13 oi2.r5oig.epa.gov oi2
O1 - Hosts: 204.46.189.11 r5oig-ur.r5oig.epa.gov r5oig-ur
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - (no file)
O2 - BHO: (no name) - {275636E4-A535-4668-9FF1-86DC0C62D446} - C:\WINDOWS\MADOPEW.DLL
O2 - BHO: (no name) - {81078902-C8FF-11D8-A1EC-0010B8E6A557} - C:\WINDOWS\SYSTEM\BPEAAEA.DLL (file missing)
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: (no name) - {82599E0A-8C81-11d7-9F97-0050FC5441CB} - C:\WINDOWS\SYSTEM\shdocvw.dll
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [PTSNOOP] ptsnoop.exe
O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: MSN Messenger Service (HKLM)
O9 - Extra button: Translate (HKLM)
O9 - Extra 'Tools' menuitem: AV &Translate (HKLM)
O9 - Extra 'Tools' menuitem: &Find Pages Linking to this URL (HKLM)
O9 - Extra 'Tools' menuitem: Find Other Pages on this &Host (HKLM)
O9 - Extra 'Tools' menuitem: AV Home (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: MSN (HKCU)
O12 - Plugin for .gov/FOTW23WebApp/servlet/StudentAccessServlet?dowhat=printsumpdf&phase=10&state=11&historyid=2&pageid=175&mode=0: C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\PLUGINS\nppdf32.dll
O12 - Plugin for .swf: C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\PLUGINS\npswf32.dll
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O12 - Plugin for .MPG: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin3.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...ector/swdir.cab
Microsoft MVP Windows-Security 2005

When angry count four; when very angry, swear
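
The three logs in posts #1 to #3 differ in only a handful of lines, and the whole thread turns on reading those lines correctly. What follows is an added example, not code from this thread, from the poster, or from HijackThis: it parses HijackThis 1.9x entry lines, flags the entry types discussed here (R0/R1 search and start pages redirected to a file in TEMP, the HomeOldSP value, BHOs whose DLL is missing or sits unnamed in the Windows directory, unnamed toolbars, O15 Trusted Zone additions), and diffs the post #1 scan against the post #3 scan so that both the effect of the cleanup and the BHO that appeared afterwards are visible. The two log excerpts are trimmed copies of the logs posted above; the suspicion rules and the hosts-file watch-list are this example's own assumptions, not HijackThis's classification, and the EPA hosts entries are deliberately left unflagged because a corporate hosts file is not a hijack.

```python
"""Added example; not from the original thread and not HijackThis code.
Parses HijackThis 1.9x entry lines, flags the entry types this thread
turned on, and diffs a pre-cleanup scan against a post-cleanup one.  The
two excerpts below are trimmed copies of the logs in posts #1 and #3; the
suspicion rules are this example's own heuristics."""
import re
from typing import Dict, List, Tuple

Entry = Tuple[str, str]  # ("O2", "BHO: (no name) - {CLSID} - path")

# One HijackThis entry: section code, " - ", rest of the line.
HJT_LINE = re.compile(r"^(?P<sec>[RNOF]\d+) - (?P<body>.+)$")
# DLL sitting directly in C:\WINDOWS or C:\WINDOWS\SYSTEM (path already lower-cased).
BARE_WINDIR_DLL = re.compile(r"c:\\windows\\(?:system\\)?[a-z0-9_]+\.dll$")
# Constructed watch-list for O1 hosts overrides. None of the EPA intranet
# names in this thread match, which is the point: not every O1 is hostile.
HOSTS_WATCHLIST = ("google.", "microsoft.", "windowsupdate.", "symantec.", "mcafee.")


def parse_log(text: str) -> List[Entry]:
    """Keep only the R/N/O/F entry lines; header and process list are dropped."""
    entries = []
    for line in text.splitlines():
        m = HJT_LINE.match(line.strip())
        if m:
            entries.append((m.group("sec"), m.group("body")))
    return entries


def triage(entries: List[Entry]) -> List[Tuple[str, str]]:
    """Return (reason, body) for every entry that deserves a second look."""
    hits = []
    for sec, body in entries:
        low = body.lower()
        if sec in ("R0", "R1") and "file://" in low and "\\temp\\" in low:
            hits.append(("IE search/start page redirected to a local file in TEMP", body))
        elif sec == "R1" and "homeoldsp" in low:
            hits.append(("HomeOldSP is not a value stock IE writes; hijackers leave it behind", body))
        elif sec == "R1" and "proxyserver" in low:
            hits.append(("proxy configured; confirm you set this host yourself", body))
        elif sec == "O1" and any(d in low for d in HOSTS_WATCHLIST):
            hits.append(("hosts-file override of a commonly hijacked domain", body))
        elif sec == "O2" and ("(no file)" in low or "(file missing)" in low):
            hits.append(("BHO CLSID registered but DLL absent: stale hook or hidden/regenerating DLL", body))
        elif sec == "O2" and "(no name)" in low and BARE_WINDIR_DLL.search(low):
            hits.append(("unnamed BHO loading a DLL dropped into the Windows directory", body))
        elif sec == "O3" and "(no name)" in low:
            hits.append(("unnamed IE toolbar; verify the CLSID before keeping it", body))
        elif sec == "O15":
            hits.append(("host added to the IE Trusted Zone, which relaxes IE security for it", body))
    return hits


def diff_logs(before: List[Entry], after: List[Entry]) -> Dict[str, List[Entry]]:
    """Entries a cleanup removed, and entries that appeared after it."""
    b, a = set(before), set(after)
    return {"removed": sorted(b - a), "added": sorted(a - b)}


def reappeared_hooks(before: List[Entry], after: List[Entry]) -> List[Entry]:
    """O2/O3 entries new in the later scan. A hijacker that re-registers under
    a fresh CLSID and random DLL name after each fix shows up exactly here."""
    return [e for e in diff_logs(before, after)["added"] if e[0] in ("O2", "O3")]


# Trimmed from post #1 (before the user's cleanup). Raw strings keep the backslashes.
LOG_BEFORE = r"""Logfile of HijackThis v1.97.7
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\TEMP\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\WINDOWS\TEMP\sp.html
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = sas.r5.attbi.com:8000
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O1 - Hosts: 204.46.198.11 r5imbnt1.r05res.epa.gov r5imbnt1 r5dev1
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - (no file)
O2 - BHO: (no name) - {275636E4-A535-4668-9FF1-86DC0C62D446} - C:\WINDOWS\MADOPEW.DLL
O3 - Toolbar: (no name) - {82599E0A-8C81-11d7-9F97-0050FC5441CB} - C:\WINDOWS\SYSTEM\shdocvw.dll
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O15 - Trusted Zone: www.mt-download.com
"""

# Trimmed from post #3 (after the cleanup): sp.html and the O15 entry are gone,
# a new "(file missing)" BHO has appeared.
LOG_AFTER = r"""R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = sas.r5.attbi.com:8000
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O1 - Hosts: 204.46.198.11 r5imbnt1.r05res.epa.gov r5imbnt1 r5dev1
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - (no file)
O2 - BHO: (no name) - {275636E4-A535-4668-9FF1-86DC0C62D446} - C:\WINDOWS\MADOPEW.DLL
O2 - BHO: (no name) - {81078902-C8FF-11D8-A1EC-0010B8E6A557} - C:\WINDOWS\SYSTEM\BPEAAEA.DLL (file missing)
O3 - Toolbar: (no name) - {82599E0A-8C81-11d7-9F97-0050FC5441CB} - C:\WINDOWS\SYSTEM\shdocvw.dll
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
"""

if __name__ == "__main__":
    before, after = parse_log(LOG_BEFORE), parse_log(LOG_AFTER)
    for reason, body in triage(before):
        print(f"[{reason}] {body}")
    d = diff_logs(before, after)
    print(f"\ncleanup removed {len(d['removed'])} entries, {len(d['added'])} appeared")
    for e in reappeared_hooks(before, after):
        print("re-registered hook:", e[1])
```

Run against the full logs, the diff is the useful part: a fix that removes the visible entries while a fresh unnamed BHO with a different CLSID and a different random DLL name shows up on the next scan means the loader that writes those entries is still present, which is why the helper in this thread goes looking for a hidden DLL rather than just fixing the lines again.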

#4 LoPhatPhuud

    Master of Disaster Recovery

  • Emeritus
  • 432 posts

Posted 29 June 2004 - 09:57 PM

Download FindnFix.exe from here:
http://freeatlast100....com/index.html or
http://downloads.sub...rg/FINDnFIX.exe

Double Click on the FindnFix.exe and it will install the batch file in its own folder.

Open the FindnFix folder and double click on !LOG!.bat
IMPORTANT! Before you run this tool please close ALL running programs and ALL open windows except for the FindnFix folder.

Relax, sit back and wait a few minutes while the program collects the necessary information.

*NOTE:If your AntiVirus is running a scriptblocker, when you run this tool, you will probably receive an alert warning you that the script is running. "Allow" the script to run.


When the program is finished:

Open the FindnFix folder.
1. Post the contents of Log.txt in this thread.
2. Attach file Win.txt to the same post. (Please attach, do not post)
(If this board does not provide the ability to attach documents to your post, then please post the Win.txt file in this thread)

#5 Reg

    Member

  • Full Member
  • 30 posts

Posted 29 June 2004 - 10:11 PM

Thank you so much for responding. FindnFix is asking to add items to my registry. Should I do that? My OS is Win 98.

#6 LoPhatPhuud

    Master of Disaster Recovery

  • Emeritus
  • 432 posts

Posted 29 June 2004 - 10:22 PM

No, and my apologies. FindnFix is for Win 2K and XP, not 98.

Delete the FindnFix folder from your computer.

Then....

Download: "StartDreck", from here:
http://members.black.../startdreck.htm
http://www.niksoft.a.../startdreck.htm

Unzip to its own folder and start the program,

Press 'Config'
Press 'Unmark All'

Check the following boxes only:
Registry -> Run Keys
System/drivers> Running processes
Press 'Ok'

Press 'Save' and select the location to save the log file
(default is the same folder as the application)

Post the log in this thread.

#7 Reg

    Member

  • Full Member
  • 30 posts

Posted 29 June 2004 - 10:41 PM

StartDreck (build 2.1.5 public BETA) - 2004-06-29 @ 22:38:47
Platform: Windows 98 SE (Win 4.10.2222 A)

»Registry
»Run Keys
»Current User
»Run
»RunOnce
*QRIA=
»Default User
»Run
»RunOnce
*QRIA=
»Local Machine
»Run
*ScanRegistry=c:\windows\scanregw.exe /autorun
*LoadPowerProfile=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
*POINTER=point32.exe
*SystemTray=SysTray.Exe
*PTSNOOP=ptsnoop.exe
*CountrySelection=pctptt.exe
*Installed=1
*NoChange=1
*Installed=1
*Installed=1
»RunOnce
»RunServices
*LoadPowerProfile=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
»RunServicesOnce
»RunOnceEx
»RunServicesOnceEx
»Files
»System/Drivers
»Running Processes
*FFCF26F7=C:\WINDOWS\SYSTEM\KERNEL32.DLL
*FFFFD15B=C:\WINDOWS\SYSTEM\MSGSRV32.EXE
*FFFFE62B=C:\WINDOWS\SYSTEM\MPREXE.EXE
*FFFE6733=C:\WINDOWS\SYSTEM\mmtask.tsk
*FFFE0D53=C:\WINDOWS\EXPLORER.EXE
*FFFD05F3=C:\PROGRAM FILES\MICROSOFT HARDWARE\MOUSE\POINT32.EXE
*FFFD6203=C:\WINDOWS\SYSTEM\SYSTRAY.EXE
*FFFD38F7=C:\WINDOWS\ptsnoop.exe
*FFFDCFDF=C:\WINDOWS\SYSTEM\WMIEXE.EXE
*FFFB6D33=C:\WINDOWS\SYSTEM\DDHELP.EXE
*FFFB3D07=C:\WINDOWS\SYSTEM\SPOOL32.EXE
*FFFC227B=C:\WINDOWS\SYSTEM\HPHIPM11.EXE
*FFFA7FF7=C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
*FFFC185B=C:\UNZIPPED\STARTDRECK\STARTDRECK.EXE
»Application specific

#8 LoPhatPhuud (Master of Disaster Recovery, Emeritus, 432 posts)

Posted 29 June 2004 - 11:11 PM

Thanks, the scan was negative for the hidden DLL. Must have been leftover entries.


Check the following items in HiJackThis:
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

O2 - BHO: (no name) - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - (no file)
O2 - BHO: (no name) - {275636E4-A535-4668-9FF1-86DC0C62D446} - C:\WINDOWS\MADOPEW.DLL
O2 - BHO: (no name) - {81078902-C8FF-11D8-A1EC-0010B8E6A557} - C:\WINDOWS\SYSTEM\BPEAAEA.DLL


Close all browser and explorer windows and press 'Fix Checked'


Post another HiJackThis log in this thread for final review.

#9 Reg (Member, Full Member, 30 posts)

Posted 29 June 2004 - 11:21 PM

Logfile of HijackThis v1.97.7
Scan saved at 11:20:20 PM, on 6/29/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v5.00 SP2 (5.00.3314.2100)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\MICROSOFT HARDWARE\MOUSE\POINT32.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\ptsnoop.exe
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\HPHIPM11.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = sas.r5.attbi.com:8000
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.r5.attbi.com
N1 - Netscape 4: user_pref("browser.startup.homepage", "http://www.altavista.com"); (C:\Program Files\Netscape\Users\netscape_profile\prefs.js)
O1 - Hosts: 204.46.198.11 r5imbnt1.r05res.epa.gov r5imbnt1 r5dev1
O1 - Hosts: 204.46.198.12 r5imbnt2.r05res.epa.gov r5imbnt2 r5dev2
O1 - Hosts: 204.46.177.44 r5notes2.r05tok.epa.gov r5notes2
O1 - Hosts: 204.46.180.38 r5imbnt3.r5gware.epa.gov r5imbnt3 r5notes3_nt
O1 - Hosts: 204.46.180.40 r5imbnt4.r5gware.epa.gov r5imbnt4 r5notes4_nt
O1 - Hosts: 204.46.177.72 r5imbnt5.r05tok.epa.gov r5imbnt5 r5notes5_nt
O1 - Hosts: 204.46.180.46 r5imbnt9.r5gware.epa.gov r5imbnt9 r5notes9
O1 - Hosts: 204.46.189.72 r5nt6.r5oig.epa.gov r5nt6 r5notes6_nt
O1 - Hosts: 204.46.177.57 r5nt6a.r05tok.epa.gov r5nt6a
O1 - Hosts: 204.46.180.37 r5nt6b.r05.epa.gov r5nt6b
O1 - Hosts: 204.46.189.71 r5ntdomfax1.r5oig.epa.gov r5ntdomfax1 r5notes7_fax
O1 - Hosts: 204.46.181.31 r5edont1.r5edo.epa.gov r5edont1 r5notes8_oh
O1 - Hosts: 204.46.189.70 r5ntbkup.r5oig.epa.gov r5ntbkup
O1 - Hosts: 204.46.180.39 r5imbnt3a.r5gware.epa.gov r5imbnt3a
O1 - Hosts: 204.46.198.85 r5ntora.r05res.epa.gov r5ntora
O1 - Hosts: 204.46.177.35 r5leg1.r05tok.epa.gov r5leg1
O1 - Hosts: 204.46.177.37 r5cubix1.r05tok.epa.gov r5cubix1
O1 - Hosts: 204.46.177.38 r5cubix2.r05tok.epa.gov r5cubix2
O1 - Hosts: 204.46.185.12 pm1.r5pmd.epa.gov pm1
O1 - Hosts: 204.46.185.13 pm2.r5pmd.epa.gov pm2
O1 - Hosts: 204.46.185.14 pm3.r5pmd.epa.gov pm3
O1 - Hosts: 204.46.185.15 pm4.r5pmd.epa.gov pm4
O1 - Hosts: 204.46.185.16 pm5.r5pmd.epa.gov pm5
O1 - Hosts: 204.46.185.17 pm6.r5pmd.epa.gov pm6
O1 - Hosts: 204.46.185.18 pm7.r5pmd.epa.gov pm7
O1 - Hosts: 204.46.185.11 r5pmd-ur.r5pmd.epa.gov r5pmd-ur
O1 - Hosts: 204.46.177.23 r5pmd-tbb.r05tok.epa.gov r5pmd-tbb
O1 - Hosts: 204.46.186.12 fm1.r5fms1.epa.gov fm1
O1 - Hosts: 204.46.186.13 fm2.r5fms1.epa.gov fm2
O1 - Hosts: 204.46.186.14 fm3.r5fms1.epa.gov fm3
O1 - Hosts: 204.46.186.15 fm4.r5fms1.epa.gov fm4
O1 - Hosts: 204.46.186.16 fm5.r5fms1.epa.gov fm5
O1 - Hosts: 204.46.186.17 fm6.r5fms1.epa.gov fm6
O1 - Hosts: 204.46.186.11 r5fms1-ur.r5fms1.epa.gov r5fms1-ur
O1 - Hosts: 204.46.177.24 r5fms1-tbb.r05tok.epa.gov r5fms1-tbb
O1 - Hosts: 204.46.187.12 rc1.r5rcra.epa.gov rc1
O1 - Hosts: 204.46.187.13 rc2.r5rcra.epa.gov rc2
O1 - Hosts: 204.46.187.14 rc3.r5rcra.epa.gov rc3
O1 - Hosts: 204.46.187.15 rc4.r5rcra.epa.gov rc4
O1 - Hosts: 204.46.187.16 rc5.r5rcra.epa.gov rc5
O1 - Hosts: 204.46.187.17 rc6.r5rcra.epa.gov rc6
O1 - Hosts: 204.46.187.18 rc7.r5rcra.epa.gov rc7
O1 - Hosts: 204.46.187.19 rc8.r5rcra.epa.gov rc8
O1 - Hosts: 204.46.187.20 rc9.r5rcra.epa.gov rc9
O1 - Hosts: 204.46.187.21 rc10.r5rcra.epa.gov rc10
O1 - Hosts: 204.46.187.22 rc11.r5rcra.epa.gov rc11
O1 - Hosts: 204.46.187.23 rc12.r5rcra.epa.gov rc12
O1 - Hosts: 204.46.190.24 rc13.r5rcra.epa.gov rc13
O1 - Hosts: 204.46.190.25 rc14.r5rcra.epa.gov rc14
O1 - Hosts: 204.46.187.11 r5rcra-ur.r5rcra.epa.gov r5rcra-ur
O1 - Hosts: 204.46.177.25 r5rcra-tbb.r05tok.epa.gov r5rcra-tbb
O1 - Hosts: 204.46.188.12 ar1.r5ard.epa.gov ar1
O1 - Hosts: 204.46.188.13 ar2.r5ard.epa.gov ar2
O1 - Hosts: 204.46.188.14 ar3.r5ard.epa.gov ar3
O1 - Hosts: 204.46.188.15 ar4.r5ard.epa.gov ar4
O1 - Hosts: 204.46.188.16 ar5.r5ard.epa.gov ar5
O1 - Hosts: 204.46.188.17 ar6.r5ard.epa.gov ar6
O1 - Hosts: 204.46.188.18 ar7.r5ard.epa.gov ar7
O1 - Hosts: 204.46.188.19 ar8.r5ard.epa.gov ar8
O1 - Hosts: 204.46.188.20 ar9.r5ard.epa.gov ar9
O1 - Hosts: 204.46.188.21 ar10.r5ard.epa.gov ar10
O1 - Hosts: 204.46.188.22 ar11.r5ard.epa.gov ar11
O1 - Hosts: 204.46.188.23 ar12.r5ard.epa.gov ar12
O1 - Hosts: 204.46.188.24 ar13.r5ard.epa.gov ar13
O1 - Hosts: 204.46.188.25 ar14.r5ard.epa.gov ar14
O1 - Hosts: 204.46.188.26 ar15.r5ard.epa.gov ar15
O1 - Hosts: 204.46.188.27 ar16.r5ard.epa.gov ar16
O1 - Hosts: 204.46.188.28 ar17.r5ard.epa.gov ar17
O1 - Hosts: 204.46.188.29 ar18.r5ard.epa.gov ar18
O1 - Hosts: 204.46.188.30 ar19.r5ard.epa.gov ar19
O1 - Hosts: 204.46.188.31 ar20.r5ard.epa.gov ar20
O1 - Hosts: 204.46.188.32 ar21.r5ard.epa.gov ar21
O1 - Hosts: 204.46.188.33 ar22.r5ard.epa.gov ar22
O1 - Hosts: 204.46.188.34 ar23.r5ard.epa.gov ar23
O1 - Hosts: 204.46.188.35 ar24.r5ard.epa.gov ar24
O1 - Hosts: 204.46.188.36 ar25.r5ard.epa.gov ar25
O1 - Hosts: 204.46.188.37 ar26.r5ard.epa.gov ar26
O1 - Hosts: 204.46.188.38 ar27.r5ard.epa.gov ar27
O1 - Hosts: 204.46.188.39 ar28.r5ard.epa.gov ar28
O1 - Hosts: 204.46.188.40 ar29.r5ard.epa.gov ar29
O1 - Hosts: 204.46.188.41 ar30.r5ard.epa.gov ar30
O1 - Hosts: 204.46.188.42 ar31.r5ard.epa.gov ar31
O1 - Hosts: 204.46.188.43 ar32.r5ard.epa.gov ar32
O1 - Hosts: 204.46.188.44 ar33.r5arb.epa.gov ar33
O1 - Hosts: 204.46.188.45 ar34.r5arb.epa.gov ar34
O1 - Hosts: 204.46.188.46 ar35.r5arb.epa.gov ar35
O1 - Hosts: 204.46.188.47 ar36.r5arb.epa.gov ar36
O1 - Hosts: 204.46.188.48 ar37.r5arb.epa.gov ar37
O1 - Hosts: 204.46.188.49 ar38.r5arb.epa.gov ar38
O1 - Hosts: 204.46.188.50 ar39.r5arb.epa.gov ar39
O1 - Hosts: 204.46.188.51 ar40.r5arb.epa.gov ar40
O1 - Hosts: 204.46.188.52 ar41.r5arb.epa.gov ar41
O1 - Hosts: 204.46.188.53 ar42.r5ard.epa.gov ar42
O1 - Hosts: 204.46.188.54 ar43.r5ard.epa.gov ar43
O1 - Hosts: 204.46.188.55 ar44.r5ard.epa.gov ar44
O1 - Hosts: 204.46.188.56 ar45.r5ard.epa.gov ar45
O1 - Hosts: 204.46.188.11 r5ard-ur.r5ard.epa.gov r5ard-ur
O1 - Hosts: 204.46.177.26 r5ard-tbb.r05tok.epa.gov r5ard-tbb
O1 - Hosts: 204.46.189.12 oi1.r5oig.epa.gov oi1
O1 - Hosts: 204.46.189.13 oi2.r5oig.epa.gov oi2
O1 - Hosts: 204.46.189.11 r5oig-ur.r5oig.epa.gov r5oig-ur
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: (no name) - {82599E0A-8C81-11d7-9F97-0050FC5441CB} - C:\WINDOWS\SYSTEM\shdocvw.dll
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [PTSNOOP] ptsnoop.exe
O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: MSN Messenger Service (HKLM)
O9 - Extra button: Translate (HKLM)
O9 - Extra 'Tools' menuitem: AV &Translate (HKLM)
O9 - Extra 'Tools' menuitem: &Find Pages Linking to this URL (HKLM)
O9 - Extra 'Tools' menuitem: Find Other Pages on this &Host (HKLM)
O9 - Extra 'Tools' menuitem: AV Home (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: MSN (HKCU)
O12 - Plugin for .gov/FOTW23WebApp/servlet/StudentAccessServlet?dowhat=printsumpdf&phase=10&state=11&historyid=2&pageid=175&mode=0: C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\PLUGINS\nppdf32.dll
O12 - Plugin for .swf: C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\PLUGINS\npswf32.dll
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O12 - Plugin for .MPG: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin3.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...ector/swdir.cab

#10 Reg (Member, Full Member, 30 posts)

Posted 30 June 2004 - 12:01 AM

Any downside to killing the O1 Hosts?

#11 LoPhatPhuud (Master of Disaster Recovery, Emeritus, 432 posts)

Posted 30 June 2004 - 12:13 AM

Unless you need them, none whatsoever. They were all for the EPA and I assumed you put them there.

#12 Reg (Member, Full Member, 30 posts)

Posted 30 June 2004 - 12:19 AM

OK. Am I clean? What about the O3 shdocvw.dll? I read somewhere that it is a parasite. And, I cannot tell you how much I appreciate your help.

#13 Reg (Member, Full Member, 30 posts)

Posted 30 June 2004 - 10:04 AM

I removed most of the Hosts. I think I have a Notes program that is automatically adding them. Latest HJT log attached. Thank you again.
Logfile of HijackThis v1.97.7
Scan saved at 10:00:05 AM, on 6/30/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v5.00 SP2 (5.00.3314.2100)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\MICROSOFT HARDWARE\MOUSE\POINT32.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\ptsnoop.exe
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\HPHIPM11.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = sas.r5.attbi.com:8000
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.r5.attbi.com
N1 - Netscape 4: user_pref("browser.startup.homepage", "http://www.altavista.com"); (C:\Program Files\Netscape\Users\netscape_profile\prefs.js)
O1 - Hosts: 161.80.11.133 admin_lan
O1 - Hosts: 134.67.208.97 epahubx
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: (no name) - {82599E0A-8C81-11d7-9F97-0050FC5441CB} - C:\WINDOWS\SYSTEM\shdocvw.dll
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [PTSNOOP] ptsnoop.exe
O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: MSN Messenger Service (HKLM)
O9 - Extra button: Translate (HKLM)
O9 - Extra 'Tools' menuitem: AV &Translate (HKLM)
O9 - Extra 'Tools' menuitem: &Find Pages Linking to this URL (HKLM)
O9 - Extra 'Tools' menuitem: Find Other Pages on this &Host (HKLM)
O9 - Extra 'Tools' menuitem: AV Home (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: MSN (HKCU)
O12 - Plugin for .gov/FOTW23WebApp/servlet/StudentAccessServlet?dowhat=printsumpdf&phase=10&state=11&historyid=2&pageid=175&mode=0: C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\PLUGINS\nppdf32.dll
O12 - Plugin for .swf: C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\PLUGINS\npswf32.dll
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O12 - Plugin for .MPG: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin3.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...ector/swdir.cab

#14 LoPhatPhuud (Master of Disaster Recovery, Emeritus, 432 posts)

Posted 30 June 2004 - 11:31 PM

At last, your system is clean and free of spyware! Want to keep it that way?

Here are some simple steps you can take to reduce the chance of infection in the future.

1. Visit Windows Update: <-- YOU NEED TO DO THIS!!
Make sure that you have all the Critical Updates recommended for your operating system and IE. The first defense against infection is a properly patched OS.
a. Windows Update: http://v4.windowsupd.../en/default.asp

2. Adjust your security settings for ActiveX:
Go to Internet Options/Security/Internet, press 'Default Level', then OK.
Now press 'Custom Level'.
In the ActiveX section, set the first option, 'Download signed controls', to 'Prompt'; set the second option, 'Download unsigned controls', to 'Disable'; and finally, set 'Initialize and Script ActiveX controls not marked as safe' to 'Disable'.

3. Download and install the following free programs:
a. SpywareBlaster: http://www.javacools...areblaster.html
b. SpywareGuard: http://www.wildersse...ywareguard.html
c. IE/Spyad: https://netfiles.uiu...ww/resource.htm

4. Install Spyware Detection and Removal Programs:
You may also want to consider installing either or both of AdAware (free version) and Spybot S&D (freeware). Use these programs to regularly scan your system for and remove many forms of spyware/malware.
a. AdAware: http://www.lavasoft.de/
b. Spybot S&D: http://security.koll...n&page=download


For more information about Spyware, the tools available, and other informative material, including information on how you may have been infected in the first place, please check out this link: http://forum.gladiat...?showtopic=9857
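The three ActiveX choices in the Internet Options step above are stored by IE as numbered DWORD values under the Internet zone key (zone 3) in the registry: 1001 is "Download signed ActiveX controls", 1004 is "Download unsigned ActiveX controls", 1201 is "Initialize and script ActiveX controls not marked as safe", with data 0 = Enable, 1 = Prompt, 3 = Disable. The script below is an added example, not part of this post or of any tool the post names: it audits a regedit export of that key against the recommended levels and emits the .reg text that applies them, so the setting can be checked or re-applied without clicking through the dialog. The embedded export is a constructed weakened zone, not taken from the thread; the HKCU path is assumed (the same values also exist under HKLM for machine-wide policy), and the REGEDIT4 header is the format Windows 98 regedit writes.

```python
"""Audit and harden the ActiveX settings of the IE Internet zone from a .reg export.

Added example for this thread; not code from the post, from HijackThis or from Microsoft.
"""
import re

ZONES_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones"
INTERNET_ZONE = 3  # 0 = My Computer, 1 = Local intranet, 2 = Trusted, 3 = Internet, 4 = Restricted

# Policy value names for IE security zones; data: 0 = Enable, 1 = Prompt, 3 = Disable.
ACTIVEX_POLICY = {
    "1001": ("Download signed ActiveX controls", 1),
    "1004": ("Download unsigned ActiveX controls", 3),
    "1201": ("Initialize and script ActiveX controls not marked as safe", 3),
}
LEVEL_NAME = {0: "Enable", 1: "Prompt", 3: "Disable"}

# Constructed regedit export of a weakened Internet zone (not taken from the thread).
WEAK_EXPORT = r"""REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"DisplayName"="Internet"
"1001"=dword:00000000
"1004"=dword:00000001
"1200"=dword:00000000
"1201"=dword:00000000
"""

_SECTION = re.compile(r"^\[(.+)\]$")
_DWORD = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{8})$')
_STRING = re.compile(r'^"([^"]+)"="(.*)"$')


def zone_path(zone):
    return ZONES_KEY + "\\" + str(zone)


def parse_reg(text):
    """Return {key_path: {value_name: int | str}} for a REGEDIT4 / 5.00 export."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = _SECTION.match(line)
        if m:
            current = keys.setdefault(m.group(1), {})
            continue
        if current is None or not line:
            continue
        m = _DWORD.match(line)
        if m:
            current[m.group(1)] = int(m.group(2), 16)
            continue
        m = _STRING.match(line)
        if m:
            current[m.group(1)] = m.group(2)
    return keys


def audit_activex(export_text, zone=INTERNET_ZONE):
    """Compare the zone's ActiveX values in an export with the recommended levels."""
    values = parse_reg(export_text).get(zone_path(zone), {})
    rows = []
    for name, (setting, wanted) in ACTIVEX_POLICY.items():
        have = values.get(name)
        current = "not set" if have is None else LEVEL_NAME.get(have, "unknown (%d)" % have)
        rows.append({
            "value": name,
            "setting": setting,
            "current": current,
            "recommended": LEVEL_NAME[wanted],
            "ok": have == wanted,
        })
    return rows


def hardening_reg(zone=INTERNET_ZONE):
    """Return .reg text that applies the recommended levels (import with regedit)."""
    lines = ["REGEDIT4", "", "[" + zone_path(zone) + "]"]
    for name, (_, wanted) in ACTIVEX_POLICY.items():
        lines.append('"%s"=dword:%08x' % (name, wanted))
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    for row in audit_activex(WEAK_EXPORT):
        flag = "ok " if row["ok"] else "FIX"
        print("%s %s %s: %s (want %s)" % (flag, row["value"], row["setting"],
                                          row["current"], row["recommended"]))
    print(hardening_reg())
```

Export the zone key with regedit (File > Export, or `regedit /e zone3.reg "HKEY_CURRENT_USER\...\Zones\3"`), run the audit on the file, and import the emitted .reg to apply the levels; the dialog in the post does the same writes.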

#15 Reg (Member, Full Member, 30 posts)

Posted 30 June 2004 - 11:51 PM

Thank you so much. I will follow your advice above. Two quick questions. What about the O3 shdocvw.dll in my HJT log? I read somewhere that it is a parasite. Any thoughts about Norton anti-virus instead of or in addition to the programs you recommend?

#16 LoPhatPhuud (Master of Disaster Recovery, Emeritus, 432 posts)

Posted 01 July 2004 - 12:22 AM

Ah, the backyard geniuses that want you to delete shdocvw.dll. Ask them to delete their copy first. Google will give you a lot of info about it. In simple terms, do not delete it; MS depends upon it!!

An AV is mandatory if you surf the net, and even if you don't!!! Norton is good, as are several others. Somebody will always tell you your AV is no good. For me, it is a matter of personal choice.

#17 Reg (Member, Full Member, 30 posts)

Posted 01 July 2004 - 12:47 AM

I should have googled first. Thank you so much for your help. You all are just amazing to offer your time and expertise. I am encouraged that there are folks like you to keep the jerks that propagate this stuff at bay. Peace.

#18 zachism (Member, Full Member, 10 posts)

Posted 01 July 2004 - 12:59 AM

I think Norton is basically useless with some of this stuff. They are aimed more at hard core viruses. I believe if you are unsure about a .dll or .exe, you can use Google to search it; you should be able to tell if it's a random and/or bad name. Personally I would search your processes and stuff that end with 32 and/or have "add" anywhere in the name. When my comp was hijacked, most of the random files had 32, add, or looked a LOT like regular Windows files.

#19 Reg (Member, Full Member, 30 posts)

Posted 02 July 2004 - 12:05 AM

I am back and in some pain. IE will not download. Downloaded IE6 and ZoneAlarm via Netscape. ZoneAlarm found and supposedly eliminated a new virus, including Bagel. IE 6 still will not download and Netscape is real shaky with ZoneAlarm on. HJT showed O10 - Broken Internet access because of LSP provider 'imslsp.dll' missing. Ran LSPFix from cexx.org and the O10 is gone, but IE still will not download. Here is the latest HJT log. Any ideas? Thanks.
Logfile of HijackThis v1.97.7
Scan saved at 11:38:39 PM, on 7/1/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\ZONELABS\ISAFE.EXE
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\MICROSOFT HARDWARE\MOUSE\POINT32.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\ptsnoop.exe
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = sas.r5.attbi.com:8000
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.r5.attbi.com
N1 - Netscape 4: user_pref("browser.startup.homepage", "http://home.netscape.com/"); (C:\Program Files\Netscape\Users\netscape_profile\prefs.js)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O3 - Toolbar: (no name) - {82599E0A-8C81-11d7-9F97-0050FC5441CB} - C:\WINDOWS\SYSTEM\shdocvw.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [PTSNOOP] ptsnoop.exe
O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: MSN Messenger Service (HKLM)
O9 - Extra button: Translate (HKLM)
O9 - Extra 'Tools' menuitem: AV &Translate (HKLM)
O9 - Extra 'Tools' menuitem: &Find Pages Linking to this URL (HKLM)
O9 - Extra 'Tools' menuitem: Find Other Pages on this &Host (HKLM)
O9 - Extra 'Tools' menuitem: AV Home (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: MSN (HKCU)
O12 - Plugin for .gov/FOTW23WebApp/servlet/StudentAccessServlet?dowhat=printsumpdf&phase=10&state=11&historyid=2&pageid=175&mode=0: C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\PLUGINS\nppdf32.dll
O12 - Plugin for .swf: C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\PLUGINS\npswf32.dll
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O12 - Plugin for .MPG: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin3.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...ector/swdir.cab

#20 LoPhatPhuud (Master of Disaster Recovery, Emeritus, 432 posts)

Posted 02 July 2004 - 12:16 AM

Reg,

Lesson #1 in spyware removal: just because it's listed by HijackThis does not mean it's bad.

This file, imslsp.dll, belongs to ZoneAlarm, and guess what? You just broke it by removing that file with LSPFix.

Now, if you want me to continue working on your log, you do not remove anything without my permission first. I cannot work on a log when you are busy making changes.

Good luck fixing ZA!

#21 Reg (Member, Full Member, 30 posts)

Posted 02 July 2004 - 12:49 AM

OK. I will absolutely wait for you. I had to reboot because the machine froze. Here is a new log. I would be most pleased if you could take a look, and I will not touch a thing until I hear from you.
Logfile of HijackThis v1.97.7
Scan saved at 12:47:40 AM, on 7/2/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\MICROSOFT HARDWARE\MOUSE\POINT32.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\ptsnoop.exe
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\NETSCAPE.EXE
C:\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = sas.r5.attbi.com:8000
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.r5.attbi.com
N1 - Netscape 4: user_pref("browser.startup.homepage", "http://home.netscape.com/"); (C:\Program Files\Netscape\Users\netscape_profile\prefs.js)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O3 - Toolbar: (no name) - {82599E0A-8C81-11d7-9F97-0050FC5441CB} - C:\WINDOWS\SYSTEM\shdocvw.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [PTSNOOP] ptsnoop.exe
O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: MSN Messenger Service (HKLM)
O9 - Extra button: Translate (HKLM)
O9 - Extra 'Tools' menuitem: AV &Translate (HKLM)
O9 - Extra 'Tools' menuitem: &Find Pages Linking to this URL (HKLM)
O9 - Extra 'Tools' menuitem: Find Other Pages on this &Host (HKLM)
O9 - Extra 'Tools' menuitem: AV Home (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: MSN (HKCU)
O12 - Plugin for .gov/FOTW23WebApp/servlet/StudentAccessServlet?dowhat=printsumpdf&phase=10&state=11&historyid=2&pageid=175&mode=0: C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\PLUGINS\nppdf32.dll
O12 - Plugin for .swf: C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\PLUGINS\npswf32.dll
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O12 - Plugin for .MPG: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin3.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...ector/swdir.cab

#22 LoPhatPhuud (Master of Disaster Recovery, Emeritus, 432 posts)

Posted 02 July 2004 - 01:03 AM

OK, first order of business for you is to uninstall ZoneAlarm, delete any leftovers, reboot and then install it again. Right now you have no firewall.

Then download HijackThis again; there is a new version out (1.98.0). Run it and post the log in this thread. It has some additional detections.

Right now, your log is clean.

#23 Reg (Member, Full Member, 30 posts)

Posted 02 July 2004 - 01:35 AM

Done on ZA, but I had to close it to get Netscape to run. New HJT 1.98.0 log attached.
Logfile of HijackThis v1.98.0
Scan saved at 1:29:31 AM, on 7/2/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\MICROSOFT HARDWARE\MOUSE\POINT32.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\ptsnoop.exe
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\NETSCAPE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\HIJACKTHIS 2.EXE

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = sas.r5.attbi.com:8000
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.r5.attbi.com
N1 - Netscape 4: user_pref("browser.startup.homepage", "http://home.netscape.com/"); (C:\Program Files\Netscape\Users\netscape_profile\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O3 - Toolbar: (no name) - {82599E0A-8C81-11d7-9F97-0050FC5441CB} - C:\WINDOWS\SYSTEM\shdocvw.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [PTSNOOP] ptsnoop.exe
O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - HKCU\..\RunServicesOnce: [washindex] C:\Program Files\Washer\washidx.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: Translate - {06FE5D05-8F11-11d2-804F-00105A133818} - http://search.presar...&c=2c00&LC=0409 (file missing)
O9 - Extra 'Tools' menuitem: AV &Translate - {06FE5D05-8F11-11d2-804F-00105A133818} - http://search.presar...&c=2c00&LC=0409 (file missing)
O9 - Extra button: (no name) - {06FE5D02-8F11-11d2-804F-00105A133818} - http://search.presar...&c=2c00&LC=0409 (file missing)
O9 - Extra 'Tools' menuitem: &Find Pages Linking to this URL - {06FE5D02-8F11-11d2-804F-00105A133818} - http://search.presar...&c=2c00&LC=0409 (file missing)
O9 - Extra button: (no name) - {06FE5D03-8F11-11d2-804F-00105A133818} - http://search.presar...&c=2c00&LC=0409 (file missing)
O9 - Extra 'Tools' menuitem: Find Other Pages on this &Host - {06FE5D03-8F11-11d2-804F-00105A133818} - http://search.presar...&c=2c00&LC=0409 (file missing)
O9 - Extra button: (no name) - {06FE5D04-8F11-11d2-804F-00105A133818} - http://jump.altavista.com/avie5/home (file missing)
O9 - Extra 'Tools' menuitem: AV Home - {06FE5D04-8F11-11d2-804F-00105A133818} - http://jump.altavista.com/avie5/home (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\AIM\AIM.EXE
O9 - Extra button: MSN - {E19D474D-B5FD-11D2-AE0E-00C04FAEA83F} - (no file) (HKCU)
O12 - Plugin for .gov/FOTW23WebApp/servlet/StudentAccessServlet?dowhat=printsumpdf&phase=10&state=11&historyid=2&pageid=175&mode=0: C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\PLUGINS\nppdf32.dll
O12 - Plugin for .swf: C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\PLUGINS\npswf32.dll
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O12 - Plugin for .MPG: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin3.dll

#24 LoPhatPhuud (Master of Disaster Recovery, Emeritus, 432 posts)

Posted 02 July 2004 - 04:51 PM

This is the bad entry that is causing all the problems: O3 - Toolbar: (no name) - {82599E0A-8C81-11d7-9F97-0050FC5441CB} - C:\WINDOWS\SYSTEM\shdocvw.dll, but we cannot use HijackThis to remove it since shdocvw.dll is a needed system file.

We will take it out using Regedit.

Start --> Run --> regedit


Navigate to:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar

Then find and delete this subkey:
{82599E0A-8C81-11d7-9F97-0050FC5441CB}

Close regedit, reboot, run HiJackThis again and post a new log.
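The triage LoPhatPhuud does by eye in posts #8, #20 and #24 (fix the search pages pointing at a local sp.html and the orphaned or unnamed BHOs, leave an O10 LSP entry alone until you know whose it is, and remove a toolbar CLSID from the registry rather than the system DLL it is registered against) can be written down as rules over the HijackThis line format. The script below is an added example, not part of this thread and not code from HijackThis or from the posters. The sample log is a constructed excerpt modelled on the lines posted above; the allowlists, the FIX/VERIFY/OK verdicts and the reasons are this example's own heuristics and err toward VERIFY, which is the thread's point: a listed entry is not automatically a bad one.

```python
"""Rule-based triage of HijackThis 1.9x log lines.

Added example for this thread; not code from HijackThis or from the posters.
The verdict rules and allowlists are this example's own assumptions.
"""
import re
from collections import Counter
from dataclasses import dataclass

HJT_LINE = re.compile(r"^(?P<kind>[RNOF]\d{1,2}) - (?P<body>.*)$")

# Assumed allowlist: Run entries Windows 98 itself creates.
KNOWN_RUN = {"ScanRegistry", "LoadPowerProfile", "SystemTray"}
# Genuine IE/shell DLLs that a hijacker registers a bogus toolbar CLSID against.
SYSTEM_DLLS = {"shdocvw.dll", "browseui.dll", "shell32.dll"}
WINDOWS_DIRS = {r"C:\WINDOWS", r"C:\WINDOWS\SYSTEM"}

# Constructed excerpt modelled on the logs posted in this thread.
SAMPLE_LOG = r"""Logfile of HijackThis v1.97.7
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\WINDOWS\TEMP\sp.html
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = sas.r5.attbi.com:8000
O1 - Hosts: 204.46.198.11 r5imbnt1.r05res.epa.gov r5imbnt1 r5dev1
O2 - BHO: (no name) - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - (no file)
O2 - BHO: (no name) - {275636E4-A535-4668-9FF1-86DC0C62D446} - C:\WINDOWS\MADOPEW.DLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O3 - Toolbar: (no name) - {82599E0A-8C81-11d7-9F97-0050FC5441CB} - C:\WINDOWS\SYSTEM\shdocvw.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O10 - Broken Internet access because of LSP provider 'imslsp.dll' missing
"""


@dataclass
class Finding:
    kind: str
    verdict: str  # FIX, VERIFY or OK
    reason: str
    line: str


def _name_and_path(rest):
    """'<name> - {CLSID} - <path>' -> (name, path); a missing path becomes ''."""
    parts = rest.split(" - ", 2)
    return parts[0], (parts[2] if len(parts) == 3 else "")


def _in_windows_dir(path):
    return path.rsplit("\\", 1)[0].upper() in WINDOWS_DIRS


def rate(kind, body):
    """Return (verdict, reason) for one HijackThis entry of the given kind."""
    if kind in ("R0", "R1"):
        key, _, value = body.partition(" = ")
        if "Internet Explorer" in key and value.strip().lower().startswith("file://"):
            return "FIX", "IE search/start page redirected to a local HTML file (CoolWebSearch pattern)"
        if key.endswith("ProxyServer") and value.strip():
            return "VERIFY", "proxy configured; legitimate for an ISP/corporate proxy, also a hijack technique"
        return "OK", "ordinary IE setting"
    if kind == "O1":
        return "VERIFY", "hosts-file override; keep only entries you put there yourself"
    if kind == "O2":
        name, path = _name_and_path(body[len("BHO: "):])
        if path == "(no file)":
            return "FIX", "BHO registered but its DLL is gone (orphaned entry)"
        if name == "(no name)" and _in_windows_dir(path):
            return "FIX", "unnamed BHO dropped straight into the Windows directory"
        return ("VERIFY" if _in_windows_dir(path) else "OK"), "named BHO; confirm it belongs to installed software"
    if kind == "O3":
        name, path = _name_and_path(body[len("Toolbar: "):])
        if name == "(no name)" and path.rsplit("\\", 1)[-1].lower() in SYSTEM_DLLS:
            return "FIX", ("toolbar CLSID registered against a genuine system DLL: delete the CLSID "
                           "under HKLM\\SOFTWARE\\Microsoft\\Internet Explorer\\Toolbar, never the DLL")
        return ("VERIFY" if name == "(no name)" else "OK"), "toolbar registration"
    if kind == "O4":
        m = re.search(r"\[([^\]]+)\]", body)
        entry = m.group(1) if m else ""
        return ("OK" if entry in KNOWN_RUN else "VERIFY"), "autostart entry [%s]" % entry
    if kind == "O10":
        return "VERIFY", ("Winsock LSP; firewalls and AV install these too (ZoneAlarm's imslsp.dll), "
                          "identify the vendor before running LSPFix")
    return "VERIFY", "not classified by this example; look the entry up before fixing"


def triage(log_text):
    """Parse every 'Xn - ...' line of a log and attach a verdict; other lines are skipped."""
    findings = []
    for line in log_text.splitlines():
        m = HJT_LINE.match(line.strip())
        if m:
            verdict, reason = rate(m.group("kind"), m.group("body"))
            findings.append(Finding(m.group("kind"), verdict, reason, line.strip()))
    return findings


def summarize(findings):
    return dict(Counter(f.verdict for f in findings))


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print("%-6s %-3s %s" % (f.verdict, f.kind, f.reason))
    print(summarize(triage(SAMPLE_LOG)))
```

The FIX verdict on the O3 line is deliberately a registry fix, not a file deletion: the CLSID is the foreign object, shdocvw.dll is the host it was pointed at, which is exactly why post #24 goes through regedit instead of 'Fix Checked'.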

#25 Reg (Member, Full Member, 30 posts)

Posted 05 July 2004 - 02:27 AM

LoPhat, I have been away from my machine for a couple of days. I have followed your directions re regedit and a new HJT log is attached. When I tried to upload this with IE, I got an illegal op message and everything shut down. Also, I still have to close ZA to get Netscape to load. Does Rubber Ducky have a fix above? I await your instructions.

Logfile of HijackThis v1.98.0
Scan saved at 2:19:34 AM, on 7/5/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\ZONELABS\ISAFE.EXE
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\MICROSOFT HARDWARE\MOUSE\POINT32.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\ptsnoop.exe
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\HIJACKTHIS 2.EXE

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = sas.r5.attbi.com:8000
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.r5.attbi.com
N1 - Netscape 4: user_pref("browser.startup.homepage", "http://home.netscape.com/"); (C:\Program Files\Netscape\Users\netscape_profile\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [PTSNOOP] ptsnoop.exe
O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - HKCU\..\RunServicesOnce: [washindex] C:\Program Files\Washer\washidx.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: Translate - {06FE5D05-8F11-11d2-804F-00105A133818} - http://search.presar...&c=2c00&LC=0409 (file missing)
O9 - Extra 'Tools' menuitem: AV &Translate - {06FE5D05-8F11-11d2-804F-00105A133818} - http://search.presar...&c=2c00&LC=0409 (file missing)
O9 - Extra button: (no name) - {06FE5D02-8F11-11d2-804F-00105A133818} - http://search.presar...&c=2c00&LC=0409 (file missing)
O9 - Extra 'Tools' menuitem: &Find Pages Linking to this URL - {06FE5D02-8F11-11d2-804F-00105A133818} - http://search.presar...&c=2c00&LC=0409 (file missing)
O9 - Extra button: (no name) - {06FE5D03-8F11-11d2-804F-00105A133818} - http://search.presar...&c=2c00&LC=0409 (file missing)
O9 - Extra 'Tools' menuitem: Find Other Pages on this &Host - {06FE5D03-8F11-11d2-804F-00105A133818} - http://search.presar...&c=2c00&LC=0409 (file missing)
O9 - Extra button: (no name) - {06FE5D04-8F11-11d2-804F-00105A133818} - http://jump.altavista.com/avie5/home (file missing)
O9 - Extra 'Tools' menuitem: AV Home - {06FE5D04-8F11-11d2-804F-00105A133818} - http://jump.altavista.com/avie5/home (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\AIM\AIM.EXE
O9 - Extra button: MSN - {E19D474D-B5FD-11D2-AE0E-00C04FAEA83F} - (no file) (HKCU)
O12 - Plugin for .gov/FOTW23WebApp/servlet/StudentAccessServlet?dowhat=printsumpdf&phase=10&state=11&historyid=2&pageid=175&mode=0: C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\PLUGINS\nppdf32.dll
O12 - Plugin for .swf: C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\PLUGINS\npswf32.dll
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O12 - Plugin for .MPG: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin3.dll

#26 LoPhatPhuud

Posted 05 July 2004 - 02:01 PM

Nothing in your log but the one R1 entry came back.

Check the following in HiJackThis:
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

Close all windows except HiJackThis and press 'Fix Checked'


It certainly can't hurt to try Rubber Ducky's fix. Run it twice!!

Please download About:Buster from one of the following locations:
http://www.atribune....AboutBuster.zip or
http://tools.zerosre...AboutBuster.zip

Unzip about:buster to its own folder.


=== Run About:Buster ===
Close all open windows.

Open the about:buster folder.
Double click on the program.

Next click 'OK' and allow the program to run. (It may take a few minutes.)

Make a copy of the log it creates for posting later.

Then run the About:Buster a second time just to be sure it got everything.

Make a copy of the log it creates again.

Reboot.

Post both of the about:buster logs in this thread.

Run HiJackThis again, and post the log in this thread.

#27 Reg

Posted 05 July 2004 - 02:29 PM

Both Buster logs:
About Buster Version 1.24
Attempted Clean of Temp Folder
Pages Reset ... Done

latest HJT log
Logfile of HijackThis v1.98.0
Scan saved at 2:21:16 PM, on 7/5/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\ZONELABS\ISAFE.EXE
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\MICROSOFT HARDWARE\MOUSE\POINT32.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\ptsnoop.exe
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\HIJACKTHIS 2.EXE

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = sas.r5.attbi.com:8000
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.r5.attbi.com
N1 - Netscape 4: user_pref("browser.startup.homepage", "http://home.netscape.com/"); (C:\Program Files\Netscape\Users\netscape_profile\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [PTSNOOP] ptsnoop.exe
O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - HKCU\..\RunServicesOnce: [washindex] C:\Program Files\Washer\washidx.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: Translate - {06FE5D05-8F11-11d2-804F-00105A133818} - http://search.presar...&c=2c00&LC=0409 (file missing)
O9 - Extra 'Tools' menuitem: AV &Translate - {06FE5D05-8F11-11d2-804F-00105A133818} - http://search.presar...&c=2c00&LC=0409 (file missing)
O9 - Extra button: (no name) - {06FE5D02-8F11-11d2-804F-00105A133818} - http://search.presar...&c=2c00&LC=0409 (file missing)
O9 - Extra 'Tools' menuitem: &Find Pages Linking to this URL - {06FE5D02-8F11-11d2-804F-00105A133818} - http://search.presar...&c=2c00&LC=0409 (file missing)
O9 - Extra button: (no name) - {06FE5D03-8F11-11d2-804F-00105A133818} - http://search.presar...&c=2c00&LC=0409 (file missing)
O9 - Extra 'Tools' menuitem: Find Other Pages on this &Host - {06FE5D03-8F11-11d2-804F-00105A133818} - http://search.presar...&c=2c00&LC=0409 (file missing)
O9 - Extra button: (no name) - {06FE5D04-8F11-11d2-804F-00105A133818} - http://jump.altavista.com/avie5/home (file missing)
O9 - Extra 'Tools' menuitem: AV Home - {06FE5D04-8F11-11d2-804F-00105A133818} - http://jump.altavista.com/avie5/home (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\AIM\AIM.EXE
O9 - Extra button: MSN - {E19D474D-B5FD-11D2-AE0E-00C04FAEA83F} - (no file) (HKCU)
O12 - Plugin for .gov/FOTW23WebApp/servlet/StudentAccessServlet?dowhat=printsumpdf&phase=10&state=11&historyid=2&pageid=175&mode=0: C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\PLUGINS\nppdf32.dll
O12 - Plugin for .swf: C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\PLUGINS\npswf32.dll
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O12 - Plugin for .MPG: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin3.dll

#28 LoPhatPhuud

Posted 05 July 2004 - 02:51 PM

OK, let's wait and see if anything comes back.

I am not sure about the IE issue. Removing that toolbar entry should not cause IE to crash on upload. Reboot and try again. If it still crashes you may need to do a repair installation of IE.
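The "wait and see if anything comes back" step is a diff between two HijackThis logs. The helper below does that comparison mechanically and also flags the about:blank start-page pattern the thread is chasing. It is an added illustration, not part of this thread or of HijackThis; the two sample logs are constructed excerpts of the 2:19 AM and 4:27 PM scans posted above, not complete copies.

```python
"""Parse HijackThis-style logs and diff two scans: the comparison the thread
makes by eye each time a new log is posted. Added illustration, not part of
this thread or of HijackThis; the sample logs are constructed excerpts."""
import re
from dataclasses import dataclass, field
# A HijackThis entry: a type code (R1, O4, N1, ...), " - ", then the body.
ENTRY_RE = re.compile(r"^([RONF]\d+)\s+-\s+(.*)$")
# Start/search-page values the about:blank hijack plants: a blank page or a
# local file:// URL where a normal http:// address belongs.
HIJACK_VALUE_RE = re.compile(r"=\s*(about:blank|file://)", re.IGNORECASE)

@dataclass
class HjtLog:
    version: str = ""
    processes: set = field(default_factory=set)   # lower-cased paths
    entries: set = field(default_factory=set)     # (code, body) tuples

def parse_hjt(text: str) -> HjtLog:
    """Split a log into its version, running-process list and entries."""
    log, in_processes = HjtLog(), False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            in_processes = False          # a blank line ends the process list
        elif line.startswith("Logfile of HijackThis"):
            log.version = line.split("HijackThis", 1)[1].strip()
        elif line == "Running processes:":
            in_processes = True
        elif (m := ENTRY_RE.match(line)):
            in_processes = False
            log.entries.add((m.group(1), m.group(2)))
        elif in_processes:
            log.processes.add(line.lower())
    return log

def diff_logs(before: HjtLog, after: HjtLog) -> dict:
    """What disappeared and what came back between two scans."""
    return {
        "entries_removed": sorted(before.entries - after.entries),
        "entries_added": sorted(after.entries - before.entries),
        "processes_gone": sorted(before.processes - after.processes),
        "processes_new": sorted(after.processes - before.processes),
    }

def flag_hijack_signs(log: HjtLog) -> list:
    """R0/R1 entries whose value matches the about:blank hijack pattern."""
    return sorted(body for code, body in log.entries
                  if code.startswith("R") and HIJACK_VALUE_RE.search(body))

# Constructed excerpt of the 2:19 AM scan: ZoneAlarm running, hijack entry present.
LOG_BEFORE = r"""Logfile of HijackThis v1.98.0

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = sas.r5.attbi.com:8000
"""
# Constructed excerpt of the 4:27 PM scan: ZoneAlarm closed, entry fixed.
LOG_AFTER = r"""Logfile of HijackThis v1.98.0

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = sas.r5.attbi.com:8000
"""

if __name__ == "__main__":
    before, after = parse_hjt(LOG_BEFORE), parse_hjt(LOG_AFTER)
    print(diff_logs(before, after))
    print("hijack signs still present:", flag_hijack_signs(after))
```

Feeding it the real logs in sequence shows the same thing the helper points out: the HomeOldSP entry goes away after 'Fix Checked', and the 4:27 PM scan is the one where the ZoneAlarm processes are absent.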

#29 Reg

Posted 05 July 2004 - 04:31 PM

OK. I ran Ad-aware, Spybot, Buster, and CWShredder again. Pretty much negative (Ad-aware found Alexa), but when I opened the Shredder, it said that I have a variant of Cool Web Search "CWS.Smartsearch.2" that was trying to prevent the Shredder from opening. It therefore went to a random string and ran anyway, but found nothing. IE is working some but will not load certain sites (spywareinfo.com, for example), and when I try to download critical windows updates IE shuts down. Netscape has been stuck on an alta-vista homepage (despite what it says in HJT) and will not change. IE homepage changed to Google, I think after I ran the buster. I could remove IE6 and revert to IE4, but I had the same problems with IE4. Oh, I still have to close ZA to get Netscape to load anything. Any other ideas? I do appreciate your help. Latest HJT log attached.

Logfile of HijackThis v1.98.0
Scan saved at 4:27:22 PM, on 7/5/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\MICROSOFT HARDWARE\MOUSE\POINT32.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\ptsnoop.exe
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\WINOA386.MOD
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\NETSCAPE.EXE
C:\HIJACKTHIS 2.EXE

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = sas.r5.attbi.com:8000
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.r5.attbi.com
N1 - Netscape 4: user_pref("browser.startup.homepage", "http://home.netscape.com/"); (C:\Program Files\Netscape\Users\netscape_profile\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [PTSNOOP] ptsnoop.exe
O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - HKCU\..\RunServicesOnce: [washindex] C:\Program Files\Washer\washidx.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: Translate - {06FE5D05-8F11-11d2-804F-00105A133818} - http://search.presar...&c=2c00&LC=0409 (file missing)
O9 - Extra 'Tools' menuitem: AV &Translate - {06FE5D05-8F11-11d2-804F-00105A133818} - http://search.presar...&c=2c00&LC=0409 (file missing)
O9 - Extra button: (no name) - {06FE5D02-8F11-11d2-804F-00105A133818} - http://search.presar...&c=2c00&LC=0409 (file missing)
O9 - Extra 'Tools' menuitem: &Find Pages Linking to this URL - {06FE5D02-8F11-11d2-804F-00105A133818} - http://search.presar...&c=2c00&LC=0409 (file missing)
O9 - Extra button: (no name) - {06FE5D03-8F11-11d2-804F-00105A133818} - http://search.presar...&c=2c00&LC=0409 (file missing)
O9 - Extra 'Tools' menuitem: Find Other Pages on this &Host - {06FE5D03-8F11-11d2-804F-00105A133818} - http://search.presar...&c=2c00&LC=0409 (file missing)
O9 - Extra button: (no name) - {06FE5D04-8F11-11d2-804F-00105A133818} - http://jump.altavista.com/avie5/home (file missing)
O9 - Extra 'Tools' menuitem: AV Home - {06FE5D04-8F11-11d2-804F-00105A133818} - http://jump.altavista.com/avie5/home (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\AIM\AIM.EXE
O9 - Extra button: MSN - {E19D474D-B5FD-11D2-AE0E-00C04FAEA83F} - (no file) (HKCU)
O12 - Plugin for .gov/FOTW23WebApp/servlet/StudentAccessServlet?dowhat=printsumpdf&phase=10&state=11&historyid=2&pageid=175&mode=0: C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\PLUGINS\nppdf32.dll
O12 - Plugin for .swf: C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\PLUGINS\npswf32.dll
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O12 - Plugin for .MPG: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin3.dll

#30 LoPhatPhuud

Posted 05 July 2004 - 04:37 PM

The log looks good. Try resetting your Hosts file and see if that makes any difference.

=== Begin Hosts File Reset ===
1.Download the Hoster from here:
http://members.aol.c...dbee/hoster.zip
2. Install the program and run it.
3. Press 'Restore Original Hosts' and press 'OK'
4. Exit Program.

Note: This program also has a Hosts file backup facility that you may want to use if you have added custom entries to the Hosts file.

#31 Reg

Posted 05 July 2004 - 04:57 PM

Did the Hoster. No change in anything. Oh, I was able to get to the board (slowly) via IE, but as soon as I tried to Add Reply, IE closed.

#32 Reg

Posted 05 July 2004 - 05:17 PM

Hey, LoPhat, this looks similar to my problem??
http://www.spywarein...topic=6618&st=0

#33 Reg

Posted 07 July 2004 - 01:32 AM

It's back. Gave up on IE and removed Netscape. Downloaded Mozilla Firefox which is great. Anyway, I ran Ad-Aware tonight and CWS came up all over. Ad-aware supposedly removed it. CWShredder said I was clean afterward. Buster was clean. Here is the latest HJT log. This is depressing. Thanks again for the help.

Logfile of HijackThis v1.98.0
Scan saved at 1:25:43 AM, on 7/7/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\MICROSOFT HARDWARE\MOUSE\POINT32.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\ptsnoop.exe
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\ZONELABS\ISAFE.EXE
C:\PROGRAM FILES\MOZILLA FIREFOX\FIREFOX.EXE
C:\HIJACKTHIS 2.EXE

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = sas.r5.attbi.com:8000
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.r5.attbi.com
N1 - Netscape 4: user_pref("browser.startup.homepage", "http://www.altavista.com"); (C:\Program Files\Netscape\Users\netscape_profile\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [PTSNOOP] ptsnoop.exe
O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - HKCU\..\RunServicesOnce: [washindex] C:\Program Files\Washer\washidx.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: Translate - {06FE5D05-8F11-11d2-804F-00105A133818} - http://search.presar...&c=2c00&LC=0409 (file missing)
O9 - Extra 'Tools' menuitem: AV &Translate - {06FE5D05-8F11-11d2-804F-00105A133818} - http://search.presar...&c=2c00&LC=0409 (file missing)
O9 - Extra button: (no name) - {06FE5D02-8F11-11d2-804F-00105A133818} - http://search.presar...&c=2c00&LC=0409 (file missing)
O9 - Extra 'Tools' menuitem: &Find Pages Linking to this URL - {06FE5D02-8F11-11d2-804F-00105A133818} - http://search.presar...&c=2c00&LC=0409 (file missing)
O9 - Extra button: (no name) - {06FE5D03-8F11-11d2-804F-00105A133818} - http://search.presar...&c=2c00&LC=0409 (file missing)
O9 - Extra 'Tools' menuitem: Find Other Pages on this &Host - {06FE5D03-8F11-11d2-804F-00105A133818} - http://search.presar...&c=2c00&LC=0409 (file missing)
O9 - Extra button: (no name) - {06FE5D04-8F11-11d2-804F-00105A133818} - http://jump.altavista.com/avie5/home (file missing)
O9 - Extra 'Tools' menuitem: AV Home - {06FE5D04-8F11-11d2-804F-00105A133818} - http://jump.altavista.com/avie5/home (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\AIM\AIM.EXE (file missing)
O9 - Extra button: MSN - {E19D474D-B5FD-11D2-AE0E-00C04FAEA83F} - (no file) (HKCU)
O12 - Plugin for .gov/FOTW23WebApp/servlet/StudentAccessServlet?dowhat=printsumpdf&phase=10&state=11&historyid=2&pageid=175&mode=0: C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\PLUGINS\nppdf32.dll
O12 - Plugin for .swf: C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\PLUGINS\npswf32.dll
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O12 - Plugin for .MPG: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin3.dll

#34 LoPhatPhuud

Posted 07 July 2004 - 12:15 PM

You are clean again. I see your firewall but no Anti Virus. An AV is mandatory if you are on the 'net. Try AVG, it's free, and so is AVAST. Google will give you the websites.

At last, your system is clean and free of spyware! Want to keep it that way?

Here are some simple steps you can take to reduce the chance of infection in the future.

1. Visit Windows Update: <-- YOU NEED TO DO THIS!!
Make sure that you have all the Critical Updates recommended for your operating system and IE. The first defense against infection is a properly patched OS.
a. Windows Update: http://v4.windowsupd.../en/default.asp

2. Adjust your security settings for ActiveX:
Go to Internet Options/Security/Internet, press 'default level', then OK.
Now press "Custom Level."
In the ActiveX section, set the first option, 'Download signed controls', to 'Prompt'; set the second option, 'Download unsigned controls', to 'Disable'; and finally, set 'Initialize and Script ActiveX controls not marked as safe' to 'Disable'.

3. Download and install the following free programs:
a. SpywareBlaster: http://www.javacools...areblaster.html
b. SpywareGuard: http://www.wildersse...ywareguard.html
c. IE/Spyad: https://netfiles.uiu...ww/resource.htm

4. Install Spyware Detection and Removal Programs:
You may also want to consider installing either or both of AdAware (free version) and Spybot S&D (freeware). Use these programs to regularly scan your system for and remove many forms of spyware/malware.
a. AdAware: http://www.lavasoft.de/
b. Spybot S&D: http://security.koll...n&page=download


For more information about Spyware, the tools available, and other informative material, including information on how you may have been infected in the first place, please check out this link: http://forum.gladiat...?showtopic=9857


Good luck, and thanks for coming to our forums for help with your security and malware issues.

#35 Reg

Posted 07 July 2004 - 02:26 PM

LoPhat,
Thank you for your reply. I thought I was running an introductory ZA Suite with a firewall and AV, but I will check. I will try AVG. I have already adjusted my IE security settings, and I will download and install SpywareBlaster and Guard and IE/Spyad. IE still will not download; specifically, at Windows Update, it will scan and locate critical updates, but it freezes when I try to download them. Windows Update will not run on Mozilla. I downloaded a couple of updates from the MS download center via Mozilla, but it is awkward to locate them all there. Am I missing something about the updates? Also, any idea why Ad-aware identified and, I guess, removed CWS again last night? Finally, assuming that I can get the OS updated, can I just forget IE and use Mozilla? Thank you again so much for your interest and assistance. You and this board are great.

#36 LoPhatPhuud

Posted 07 July 2004 - 02:50 PM

You can use Firefox or Opera, instead of Internet Explorer, but keep IE updated. You will still need it to use Windows Updates.

After finding a few extensions that make posting on boards easier, I have Firefox as my default browser.

#37 Reg

Posted 07 July 2004 - 02:56 PM

OK. I will use Firefox as my default. My remaining problem, though, is that IE will NOT download critical windows updates. Any suggestions?
