
help with wtoolsa and wsup


14 replies to this topic

#1 Yackal (Full Member, 8 posts)

Posted 11 June 2004 - 06:16 PM

I have read your FAQ and have followed your instructions. I have run Ad-aware and Spybot. Here is an updated HijackThis log. Your help with this is GREATLY appreciated. Thanks a lot, Dave

Logfile of HijackThis v1.97.7
Scan saved at 6:00:38 PM, on 6/11/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v5.50 (5.50.4134.0600)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\PROGRAM FILES\COMMON FILES\WINTOOLS\WTOOLSA.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\PROGRAM FILES\COMMON FILES\WINTOOLS\WSUP.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\ENUEN.EXE
C:\WINDOWS\SYSTEM\QNH01TMS.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://aifind.info/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = C:\WINDOWS\system32\searchbar.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.websearch...spx?tb_id=50093
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\SYSTEM\CBJCBAA.DLL/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://nkvd.us (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://homepage.com...nder.cc/search/ (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\SYSTEM\CBJCBAA.DLL/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://homepage.com...nder.cc/search/ (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\SYSTEM\CBJCBAA.DLL/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\SYSTEM\CBJCBAA.DLL/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://home.excite.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://homepage.com...nder.cc/search/ (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.websearch...spx?tb_id=50093
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://homepage.com...nder.cc/search/ (obfuscated)
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy:8080
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://nkvd.us (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://nkvd.us (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = C:\WINDOWS\system32\searchbar.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch...spx?tb_id=50093
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = http://homepage.com...nder.cc/search/ (obfuscated)
R3 - URLSearchHook: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WINTOOLS\WTOOLSB.DLL
O2 - BHO: (no name) - {834261E1-DD97-4177-853B-C907E5D5BD6E} - C:\DPE.DLL
O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - (no file)
O2 - BHO: (no name) - {E6151084-B889-11D8-B25A-00D08EAE10FF} - C:\WINDOWS\SYSTEM\CBJCBAA.DLL
O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WINTOOLS\WTOOLSB.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [4GL56SE4F6N3PR] C:\WINDOWS\SYSTEM\YjuHP.exe
O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common files\WinTools\WToolsA.exe
O4 - HKLM\..\RunServices: [WinTools] C:\Program Files\Common files\WinTools\WToolsA.exe
O9 - Extra button: ATI TV (HKLM)
O9 - Extra 'Tools' menuitem: MaxSpeed (HKLM)
O9 - Extra button: ComcastHSI (HKCU)
O9 - Extra button: Help (HKCU)
O9 - Extra button: Support (HKCU)
O9 - Extra button: @Home (HKCU)
O12 - Plugin for .wav: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O13 - Home Prefix: http://%6E%6B%76%64%2E%75%73/
O13 - Mosaic Prefix: http://%6E%6B%76%64%2E%75%73/
O14 - IERESET.INF: START_PAGE_URL=http://home.excite.com/
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
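As an added example (not part of this thread, and not HijackThis' own code), here is a Python script that applies the triage a helper does by eye on a log like the one above: it flags R0/R1 search pages served from a local DLL resource, decodes percent-encoded O13 prefixes, and picks out orphaned or unnamed browser extensions and random-looking Run key names. The sample lines are copied from the log above; the rules are this script's own heuristics, and the "random-looking name" test in particular is an assumption, not something HijackThis itself does.

```python
"""Triage a HijackThis v1.97 log for the hijack patterns seen in this thread.
Added example; the rules are this script's own heuristics, not HijackThis logic."""
import re
from urllib.parse import unquote

# Constructed sample: a subset of the log posted in post #1 of the thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\SYSTEM\CBJCBAA.DLL/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://home.excite.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R3 - URLSearchHook: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WINTOOLS\WTOOLSB.DLL
O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - (no file)
O2 - BHO: (no name) - {E6151084-B889-11D8-B25A-00D08EAE10FF} - C:\WINDOWS\SYSTEM\CBJCBAA.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O4 - HKLM\..\Run: [4GL56SE4F6N3PR] C:\WINDOWS\SYSTEM\YjuHP.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O13 - Home Prefix: http://%6E%6B%76%64%2E%75%73/
O14 - IERESET.INF: START_PAGE_URL=http://home.excite.com/
"""

ENTRY_RE = re.compile(r"^(?P<code>[RO]\d+) - (?P<body>.*)$")
PCT_RE = re.compile(r"%[0-9A-Fa-f]{2}")
SYSTEM_DIR_RE = re.compile(r"^C:\\WINDOWS\\SYSTEM(32)?\\", re.IGNORECASE)
RUN_RE = re.compile(r"\[(?P<name>[^\]]+)\]\s*(?P<cmd>.*)")


def decode_url(url):
    """Undo percent-encoding so an encoded hostname reads as plain text."""
    return unquote(url)


def looks_random(name):
    """Assumed heuristic: an all-caps alphanumeric Run key name with several digits."""
    return bool(re.fullmatch(r"[A-Z0-9]{8,}", name)) and sum(c.isdigit() for c in name) >= 3


def triage(log_text):
    """Return (code, reason, detail) for each entry that matches a hijack pattern."""
    findings = []
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue
        code, body = m.group("code"), m.group("body")
        if code in ("R0", "R1"):
            # Start/search page values; HijackThis appends "(obfuscated)" when it decoded them.
            _, _, value = body.partition(" = ")
            value = value.replace(" (obfuscated)", "").strip()
            if value.lower().startswith("res://"):
                findings.append((code, "search/start page served from a local DLL resource", value))
            elif PCT_RE.search(value):
                findings.append((code, "percent-encoded URL, decodes to " + decode_url(value), value))
        elif code in ("O2", "R3"):
            # Browser helper objects and URL search hooks: "GUID - path" ends the line.
            path = body.rsplit(" - ", 1)[-1]
            if path == "(no file)":
                findings.append((code, "orphaned registration, file is missing", path))
            elif "(no name)" in body and SYSTEM_DIR_RE.match(path):
                findings.append((code, "unnamed browser extension loaded from the Windows system directory", path))
        elif code == "O4":
            run = RUN_RE.search(body)
            if run and looks_random(run["name"]):
                findings.append((code, "random-looking Run key name " + run["name"], run["cmd"]))
        elif code == "O13":
            # URL prefixes: IE prepends these to anything typed without a scheme.
            _, _, value = body.partition(": ")
            if PCT_RE.search(value):
                findings.append((code, "percent-encoded URL prefix, decodes to " + decode_url(value), value))
    return findings


if __name__ == "__main__":
    for code, reason, detail in triage(SAMPLE_LOG):
        print(f"{code}: {reason}\n    {detail}")
```

Run against the sample it reports five entries; the Spybot helper (SDHELPER.DLL under Program Files) and the excite.com start page are left alone, while the O13 prefix decodes to the same nkvd.us host that appears elsewhere in the log.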

#2 arayh (Full Member, 6 posts)

Posted 11 June 2004 - 06:43 PM

I've had the same problem before. You can't use Task Manager to "end task" for wtoolsa.exe, and it remains in the registry startup. The trick is to delete the files in safe mode.

Here's a link with the fix, I think: http://www.computerc...postt43453.html

#3 Scoff (SWI Junkie, Retired Staff, 294 posts)

Posted 13 June 2004 - 01:43 AM

Arayh and Yackal, please see http://www.spywarein...p?showtopic=148

Yackal, you have more problems than WinTools: a CoolWebSearch hidden variant has you as well. This needs to be dealt with first.

Download this zip.

http://tools.zerosrealm.com/pv.zip
Please unzip it to the desktop. It will not work if you run it from inside the zip.

After unzipping, go to the desktop. Open the pv folder. Double click on runme9x.bat.

A DOS window will open. Please select option 1 for Explorer DLLs by typing 1 and then pressing Enter.

Notepad will open with a log in it. Please copy and paste the log into this post.

Edited by Scoff, 13 June 2004 - 10:46 AM.

Regards
Scoff

We've heard that a million monkeys at a million keyboards could produce the complete works of Shakespeare; now, thanks to the Internet, we know that is not true. - Robert Wilensky

#4 Yackal (Full Member, 8 posts)

Posted 14 June 2004 - 01:19 PM

Module information for 'EXPLORER.EXE'
MODULE BASE SIZE PATH
WEBVW.DLL 76320000 245760 C:\WINDOWS\SYSTEM\WEBVW.DLL 5.00.0312.0 Shell WebView Content & Control Library
JAVACYPT.DLL 7c480000 192512 C:\WINDOWS\SYSTEM\JAVACYPT.DLL 5.00.3805 MS Crypt Dll for Java
MSJAVA.DLL 7c000000 958464 C:\WINDOWS\SYSTEM\MSJAVA.DLL 5.00.3805 Microsoft® VM
VMHELPER.DLL 7c520000 294912 C:\WINDOWS\SYSTEM\VMHELPER.DLL 5.00.3805 Microsoft® VM Helper Library
RSABASE.DLL 7ca00000 110592 C:\WINDOWS\SYSTEM\RSABASE.DLL 5.00.1877.7 Microsoft Base Cryptographic Provider (Export Version)
SOFTPUB.DLL 77ac0000 69632 C:\WINDOWS\SYSTEM\SOFTPUB.DLL 5.131.1877.4 Microsoft Trust Policy Providers
CORPOL.DLL 7edd0000 32768 C:\WINDOWS\SYSTEM\CORPOL.DLL 1998.03.6074.0 Microsoft COM Runtime Execution Engine
CFGMGR32.DLL 7f810000 45056 C:\WINDOWS\SYSTEM\CFGMGR32.DLL 4.10.1998 Configuration Manager Win32 Interface
WINTRUST.DLL 71570000 57344 C:\WINDOWS\SYSTEM\WINTRUST.DLL 5.131.1877.5 Microsoft Trust Verification APIs
CRYPT32.DLL 713d0000 385024 C:\WINDOWS\SYSTEM\CRYPT32.DLL 5.131.1877.5 Crypto API32
MSOSS.DLL 79e00000 151552 C:\WINDOWS\SYSTEM\MSOSS.DLL 5.131.1877.3 Microsoft Trust ASN APIs
IMGUTIL.DLL 704f0000 40960 C:\WINDOWS\SYSTEM\IMGUTIL.DLL 5.50.4134.600 IE plugin image decoder support DLL
UMODEXTRACTORCM.DLL 3a60000 348160 C:\WINDOWS\UMODEXTRACTORCM.DLL 1.0.0.0 UMOD Extract Shell Extension
PLUGIN.OCX 4430000 98304 C:\WINDOWS\SYSTEM\PLUGIN.OCX 5.50.4134.600 ActiveX Plugin OCX
DDRAWEX.DLL 65000000 36864 C:\WINDOWS\SYSTEM\DDRAWEX.DLL 4.87.00.0700 Microsoft DirectDrawEx
DDRAW.DLL baaa0000 413696 C:\WINDOWS\SYSTEM\DDRAW.DLL 4.09.00.0900 Microsoft DirectDraw
NTDLL.DLL bfee0000 20480 C:\WINDOWS\SYSTEM\NTDLL.DLL 4.10.1998 Win32 NTDLL core component
FLASH.OCX 3c30000 1732608 C:\WINDOWS\SYSTEM\MACROMED\FLASH\FLASH.OCX 7,0,19,0 Macromedia Flash Player 7.0 r19
COMDLG32.DLL 7fe10000 184320 C:\WINDOWS\SYSTEM\COMDLG32.DLL 4.72.3510.2300 Common Dialogs DLL
WINMM.DLL bfdf0000 65536 C:\WINDOWS\SYSTEM\WINMM.DLL 4.03.1998 System APIs for Multimedia
VBSCRIPT.DLL 6b600000 462848 C:\WINDOWS\SYSTEM\VBSCRIPT.DLL 5.6.0.7426 Microsoft ® VBScript
DISPEX.DLL 3a50000 45056 C:\WINDOWS\SYSTEM\DISPEX.DLL 5.1.0.4615 Microsoft ® DispEx
MSHTMLED.DLL 70f10000 417792 C:\WINDOWS\SYSTEM\MSHTMLED.DLL 5.50.4134.600 Microsoft ® HTML Editing Component
MSLS31.DLL 7a410000 163840 C:\WINDOWS\SYSTEM\MSLS31.DLL 3.10.337.0 Microsoft Line Services library file
IEPEERS.DLL 70f90000 245760 C:\WINDOWS\SYSTEM\IEPEERS.DLL 5.50.4134.600 Internet Explorer Peer Objects
WINSPOOL.DRV 7fe40000 36864 C:\WINDOWS\SYSTEM\WINSPOOL.DRV 4.10.1998 Win32 WINSPOOL core component
JSCRIPT.DLL 712b0000 552960 C:\WINDOWS\SYSTEM\JSCRIPT.DLL 5.5.0.5207 Microsoft ® JScript
IMM32.DLL bfe20000 16384 C:\WINDOWS\SYSTEM\IMM32.DLL 4.10.1998 Win32 IMM32 core component
MSHTML.DLL 70c30000 2756608 C:\WINDOWS\SYSTEM\MSHTML.DLL 5.50.4134.600 Microsoft ® HTML Viewer
RNR20.DLL 783c0000 61440 C:\WINDOWS\SYSTEM\RNR20.DLL 4.10.2222 Windows Socket2 NameSpace DLL
MLANG.DLL 70440000 585728 C:\WINDOWS\SYSTEM\MLANG.DLL 6.00.2600.0000 Multi Language Support DLL
ACTXPRXY.DLL 703b0000 94208 C:\WINDOWS\SYSTEM\ACTXPRXY.DLL 5.50.4134.600 ActiveX Interface Marshaling Library
SDHELPER.DLL 1f90000 733184 C:\PROGRAM FILES\SPYBOT - SEARCH & DESTROY\SDHELPER.DLL
OLEPRO32.DLL 5f300000 167936 C:\WINDOWS\SYSTEM\OLEPRO32.DLL 5.0.4518
WTOOLSB.DLL 1d50000 204800 C:\PROGRAM FILES\COMMON FILES\WINTOOLS\WTOOLSB.DLL
CBJCBAA.DLL 10000000 45056 C:\WINDOWS\SYSTEM\CBJCBAA.DLL
SENSAPI.DLL 60000000 20480 C:\WINDOWS\SYSTEM\SENSAPI.DLL 5.50.4134.600 SENS Connectivity API DLL
BROWSELC.DLL 718a0000 45056 C:\WINDOWS\SYSTEM\BROWSELC.DLL 5.50.4134.600 Shell Browser UI Library
SHDOCLC.DLL 71820000 401408 C:\WINDOWS\SYSTEM\SHDOCLC.DLL 5.50.4134.600 Shell Doc Object and Control Library
ES.DLL 71720000 114688 C:\WINDOWS\SYSTEM\ES.DLL 1998.09.1003.0 COM+ EventSystem Library
SENS.DLL 60100000 90112 C:\WINDOWS\SYSTEM\SENS.DLL 5.50.4134.600 System Event Notification Service (SENS)
ESTIER2.DLL 71770000 61440 C:\WINDOWS\SYSTEM\ESTIER2.DLL 1998.09.1003.0 COM+ EventSystem Service Library
ESSHARED.DLL 71750000 65536 C:\WINDOWS\SYSTEM\ESSHARED.DLL 1998.09.1003.0 COM+ EventSystem Shared Utilities
WEBCHECK.DLL 70320000 270336 C:\WINDOWS\SYSTEM\WEBCHECK.DLL 5.50.4134.600 Web Site Monitor
RASAPI32.DLL 7f880000 217088 C:\WINDOWS\SYSTEM\RASAPI32.DLL 4.10.2222 Dial-Up Networking Dynamic Linked Library
SECUR32.DLL 7f870000 40960 C:\WINDOWS\SYSTEM\SECUR32.DLL 4.10.2222 Microsoft Win32 Security Services
MSVCRT20.DLL 7fc30000 282624 C:\WINDOWS\SYSTEM\MSVCRT20.DLL 2.11.000 Microsoft® C Runtime Library
SVRAPI.DLL 7f950000 32768 C:\WINDOWS\SYSTEM\SVRAPI.DLL 4.10.1998 32-bit common Server API library
MSPWL32.DLL 7fb40000 40960 C:\WINDOWS\SYSTEM\MSPWL32.DLL 4.10.1998 Password list management library
NETAPI32.DLL 7f990000 20480 C:\WINDOWS\SYSTEM\NETAPI32.DLL 4.10.1998 32-bit network API DLL
NETBIOS.DLL 7f840000 32768 C:\WINDOWS\SYSTEM\NETBIOS.DLL
URLMON.DLL 70290000 471040 C:\WINDOWS\SYSTEM\URLMON.DLL 5.50.4134.600 OLE32 Extensions for Win32
SHD401LC.DLL f20000 61440 C:\WINDOWS\SYSTEM\SHD401LC.DLL 5.50.4134.600 Shell Doc Object and Control Library - IE 4.01 compat
LINKINFO.DLL 7fb80000 36864 C:\WINDOWS\SYSTEM\LINKINFO.DLL 4.10.1998 Windows Volume Tracking
MPR.DLL 7fbf0000 57344 C:\WINDOWS\SYSTEM\MPR.DLL 4.10.1998 WIN32 Network Interface DLL
MYDOCS.DLL 792f0000 69632 C:\WINDOWS\SYSTEM\MYDOCS.DLL 4.72.3510.2300 My Documents Folder UI
SHFOLDER.DLL 719a0000 32768 C:\WINDOWS\SYSTEM\SHFOLDER.DLL 6.00.2600.0000 Shell Folder Service
MSI.DLL f30000 2015232 C:\WINDOWS\SYSTEM\MSI.DLL 2.0.2600.2 Windows Installer
MSONSEXT.DLL 379b0000 544768 C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\WEB FOLDERS\MSONSEXT.DLL
VERSION.DLL bfe70000 24576 C:\WINDOWS\SYSTEM\VERSION.DLL 4.10.1998 Win32 VERSION core component
OLEAUT32.DLL 65340000 634880 C:\WINDOWS\SYSTEM\OLEAUT32.DLL 2.40.4518
BROWSEUI.DLL 71110000 823296 C:\WINDOWS\SYSTEM\BROWSEUI.DLL 5.50.4134.600 Shell Browser UI Library
SQLCN.DLL 2ae60000 131072 C:\WINDOWS\SYSTEM\SQLCN.DLL
IPHLPAPI.DLL 7c8e0000 32768 C:\WINDOWS\SYSTEM\IPHLPAPI.DLL 5.00.1717.2 IP Helper API
MSAFD.DLL 7b410000 45056 C:\WINDOWS\SYSTEM\MSAFD.DLL 4.10.1998 Microsoft Windows Sockets 2.0 Service Provider
IPCFGDLL.DLL 7c900000 28672 C:\WINDOWS\SYSTEM\IPCFGDLL.DLL 5.00.1717.2 Ipconfig API DLL
DHCPCSVC.DLL 7dd90000 28672 C:\WINDOWS\SYSTEM\DHCPCSVC.DLL
ICMP.DLL 7ce10000 24576 C:\WINDOWS\SYSTEM\ICMP.DLL 5.00.1454.1 ICMP DLL
WSOCK32.DLL 75fa0000 40960 C:\WINDOWS\SYSTEM\WSOCK32.DLL 4.10.1998 BSD Socket API for Windows
MSWSOCK.DLL 794d0000 86016 C:\WINDOWS\SYSTEM\MSWSOCK.DLL 4.10.2222 Microsoft WinSock Extension APIs
WS2_32.DLL 76000000 73728 C:\WINDOWS\SYSTEM\WS2_32.DLL 4.10.2222 Windows Socket 2.0 32-Bit DLL
WININET.DLL 70200000 487424 C:\WINDOWS\SYSTEM\WININET.DLL 5.50.4134.600 Internet Extensions for Win32
TAPI32.DLL 7f960000 122880 C:\WINDOWS\SYSTEM\TAPI32.DLL 4.10.2222 Microsoft® Windows™ Telephony API Client DLL
RPCRT4.DLL 70100000 335872 C:\WINDOWS\SYSTEM\RPCRT4.DLL 4.71.2900 Remote Procedure Call DLL
WS2HELP.DLL 75fe0000 24576 C:\WINDOWS\SYSTEM\WS2HELP.DLL 4.10.1998 Windows Socket 2.0 Helper for Windows 98
SHDOC401.DLL 50000000 507904 C:\WINDOWS\SYSTEM\SHDOC401.DLL 5.50.4134.600 Shell Doc Object and Control Library - IE 4.01 compat
OLE32.DLL 65f00000 790528 C:\WINDOWS\SYSTEM\OLE32.DLL 4.71.2900 Microsoft OLE for Windows and Windows NT
SHDOCVW.DLL 70fe0000 1159168 C:\WINDOWS\SYSTEM\SHDOCVW.DLL 5.50.4134.600 Shell Doc Object and Control Library
MSVCRT.DLL 78000000 286720 C:\WINDOWS\SYSTEM\MSVCRT.DLL 6.10.8637.0 Microsoft ® C Runtime Library
SHELL32.DLL 66800000 1396736 C:\WINDOWS\SYSTEM\SHELL32.DLL 4.72.3812.600 Windows Shell Common Dll
EXPLORER.EXE 400000 180224 C:\WINDOWS\EXPLORER.EXE 4.72.3110.1 Windows Explorer
COMCTL32.DLL bfb70000 581632 C:\WINDOWS\SYSTEM\COMCTL32.DLL 5.81 Common Controls Library
SHLWAPI.DLL 70bd0000 311296 C:\WINDOWS\SYSTEM\SHLWAPI.DLL 5.50.4134.600 Shell Light-weight Utility Library
USER32.DLL bfc00000 69632 C:\WINDOWS\SYSTEM\USER32.DLL 4.10.2227 Win32 USER32 core component
GDI32.DLL bff20000 155648 C:\WINDOWS\SYSTEM\GDI32.DLL 4.10.1998 Win32 GDI core component
ADVAPI32.DLL bfe80000 65536 C:\WINDOWS\SYSTEM\ADVAPI32.DLL 4.80.1675 Win32 ADVAPI32 core component
KERNEL32.DLL bff70000 471040 C:\WINDOWS\SYSTEM\KERNEL32.DLL 4.10.2222 Win32 Kernel core component

#5 Scoff (SWI Junkie, Retired Staff, 294 posts)

Posted 14 June 2004 - 10:31 PM

Download: "StartDreck", from here:
http://members.black.../startdreck.htm

Unzip to its own folder and start the program,

Press 'Config'
Press 'Unmark All'

Check the following boxes only:
Registry -> Run Keys
System/Drivers -> Running Processes
Press 'Ok'

Press 'Save' and select the location to save the log file
(default is the same folder as the application)

Post the log in this thread.
Regards
Scoff

#6 Yackal (Full Member, 8 posts)

Posted 15 June 2004 - 02:20 PM

Scoff, I think this is what you needed. Let me know if anything is missing. Thanks again for staying on top of this. Dave

StartDreck (build 2.1.5 public BETA) - 2004-06-15 @ 14:19:37
Platform: Windows 98 SE (Win 4.10.2222 A)

»Registry
»Run Keys
»Current User
»Run
»RunOnce
»Default User
»Run
»RunOnce
»Local Machine
»Run
*SystemTray=SysTray.Exe
*4GL56SE4F6N3PR=C:\WINDOWS\SYSTEM\OKRN0Z44.exe
*WinTools=C:\Program Files\Common files\WinTools\WToolsA.exe
»RunOnce
»RunServices
*WinTools=C:\Program Files\Common files\WinTools\WToolsA.exe
»RunServicesOnce
**rhgr=rundll32 C:\WINDOWS\SYSTEM\SQLCN.DLL,StreamingDeviceSetup
»RunOnceEx
»RunServicesOnceEx
»File Associations (CR)
*.bat
*batfile="%1" %*
*.com
*comfile="%1" %*
*.disabled
*SpybotSD.DisabledFile="C:\PROGRAM FILES\SPYBOT - SEARCH & DESTROY\blindman.exe" %1
*.exe
*exefile="%1" %*
*.hta
*htafile=C:\WINDOWS\SYSTEM\MSHTA.EXE "%1" %*
*.htm
*htmlfile="C:\PROGRA~1\INTERN~1\iexplore.exe" -nohome
*.html
*htmlfile="C:\PROGRA~1\INTERN~1\iexplore.exe" -nohome
*.js
*JSFile=C:\WINDOWS\WScript.exe "%1" %*
*.jse
*JSEFile=C:\WINDOWS\WScript.exe "%1" %*
*.pif
*piffile="%1" %*
*.scr
*scrfile="%1" /S
*.txt
*txtfile=C:\WINDOWS\NOTEPAD.EXE %1
*.vbs
*VBSFile=C:\WINDOWS\WScript.exe "%1" %*
*.vbe
*VBEFile=C:\WINDOWS\WScript.exe "%1" %*
*.wsh
*WSHFile=C:\WINDOWS\WScript.exe "%1" %*
*.wsf
*WSFFile=C:\WINDOWS\WScript.exe "%1" %*
*.lnk
`lnkfile= [key or value does not exist]
»Browser Helper Objects (LM)
*AnalyzeIE.DOMPeek.1/{834261E1-DD97-4177-853B-C907E5D5BD6E}
`InprocServer32=C:\DPE.DLL
*{000020DD-C72E-4113-AF77-DD56626C6C42}
`InprocServer32=
*{87766247-311C-43B4-8499-3D5FEC94A183}
`InprocServer32=C:\PROGRA~1\COMMON~1\WINTOOLS\WTOOLSB.DLL
*{53707962-6F74-2D53-2644-206D7942484F}
`InprocServer32=C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
*{43EB5921-BECD-11D8-B25A-00D048C8F1DC}
`InprocServer32=C:\WINDOWS\SYSTEM\EBLHB.DLL
»Files
»Autostart Folders
»Current User
»Default User
»Local Machine
»INI-Files
»WIN.INI\[windows]
*LOAD=
*RUN=
»SYSTEM.INI\[boot]
*SHELL=Explorer.exe
»Text Files
*C:\msdos.sys
*C:\config.sys
*C:\autoexec.bat
*C:\WINDOWS\dosstart.bat
*C:\WINDOWS\wininit.ini
*C:\WINDOWS\wininit.bak
»System/Drivers
»Running Processes
*FFCF1DBB=C:\WINDOWS\SYSTEM\KERNEL32.DLL
*FFFF4A0F=C:\WINDOWS\SYSTEM\MSGSRV32.EXE
*FFFF5C9F=C:\WINDOWS\SYSTEM\MPREXE.EXE
*FFFE7877=C:\WINDOWS\RUNDLL32.EXE
*FFFE1FE7=C:\WINDOWS\SYSTEM\mmtask.tsk
*FFFEE0F3=C:\WINDOWS\EXPLORER.EXE
*FFFD4637=C:\WINDOWS\SYSTEM\SYSTRAY.EXE
*FFFDFB5F=C:\WINDOWS\SYSTEM\WMIEXE.EXE
*FFFC3253=C:\PROGRAM FILES\COMMON FILES\WINTOOLS\WSUP.EXE
*FFFDB1BB=C:\PROGRAM FILES\COMMON FILES\WINTOOLS\WTOOLSA.EXE
*FFFB56FB=C:\WINDOWS\SYSTEM\DDHELP.EXE
*FFFDDE97=C:\WINDOWS\SYSTEM\PSTORES.EXE
*FFFA319B=C:\PROGRAM FILES\PKWARE\PKZIPW\PKZIPW.EXE
*FFFBE4E7=C:\WINDOWS\DESKTOP\PKTMP000.EXE
*FFFA723B=C:\WINDOWS\DESKTOP\STARTDRECK.EXE
»NT Services
»Application specific
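The pv module listing in post #4 and the StartDreck run-key dump above are the two artifacts that expose the hidden CoolWebSearch component HijackThis did not show: a DLL loaded inside EXPLORER.EXE with no version information, and a RunServicesOnce entry that starts it through rundll32. As an added example (not part of this thread and not code from either tool), the Python script below parses both outputs and ranks the loaded modules by how many of those traits they share. The sample lines are copied from the two logs; the scoring rules are this script's own heuristics, and the "linker default base 0x10000000" check is an assumption that shipped system DLLs are rebased away from that address.

```python
"""Correlate the pv module listing of EXPLORER.EXE (post #4) with the StartDreck
run-key dump (post #6) to rank unidentified DLLs. Added example; the scoring
rules are this script's own heuristics, not part of either tool."""
import re

# Constructed sample: a subset of the pv "Module information" output in post #4.
PV_SAMPLE = r"""
WEBVW.DLL 76320000 245760 C:\WINDOWS\SYSTEM\WEBVW.DLL 5.00.0312.0 Shell WebView Content & Control Library
SDHELPER.DLL 1f90000 733184 C:\PROGRAM FILES\SPYBOT - SEARCH & DESTROY\SDHELPER.DLL
WTOOLSB.DLL 1d50000 204800 C:\PROGRAM FILES\COMMON FILES\WINTOOLS\WTOOLSB.DLL
CBJCBAA.DLL 10000000 45056 C:\WINDOWS\SYSTEM\CBJCBAA.DLL
SQLCN.DLL 2ae60000 131072 C:\WINDOWS\SYSTEM\SQLCN.DLL
NETBIOS.DLL 7f840000 32768 C:\WINDOWS\SYSTEM\NETBIOS.DLL
KERNEL32.DLL bff70000 471040 C:\WINDOWS\SYSTEM\KERNEL32.DLL 4.10.2222 Win32 Kernel core component
"""

# Constructed sample: the Local Machine run keys from the StartDreck log in post #6.
STARTDRECK_SAMPLE = r"""
»Local Machine
»Run
*SystemTray=SysTray.Exe
*4GL56SE4F6N3PR=C:\WINDOWS\SYSTEM\OKRN0Z44.exe
*WinTools=C:\Program Files\Common files\WinTools\WToolsA.exe
»RunOnce
»RunServices
*WinTools=C:\Program Files\Common files\WinTools\WToolsA.exe
»RunServicesOnce
**rhgr=rundll32 C:\WINDOWS\SYSTEM\SQLCN.DLL,StreamingDeviceSetup
»RunOnceEx
"""

RUNDLL_RE = re.compile(r"rundll32(?:\.exe)?\s+(?P<dll>[^,\s]+),(?P<export>\S+)", re.IGNORECASE)
# Assumed heuristic: the linker's default DLL image base; shipped system DLLs are rebased elsewhere.
DEFAULT_DLL_BASE = 0x10000000


def parse_pv(text):
    """Return {MODULE: (base, path, version)}; version is '' when pv printed none."""
    modules = {}
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) < 4:
            continue
        name, base = tokens[0], int(tokens[1], 16)
        # The path may contain spaces: it runs up to the token that ends with the module name.
        end = next(i for i, t in enumerate(tokens) if i >= 3 and t.upper().endswith(name.upper()))
        path = " ".join(tokens[3:end + 1])
        version = tokens[end + 1] if len(tokens) > end + 1 else ""
        modules[name.upper()] = (base, path, version)
    return modules


def parse_run_keys(text):
    """Return [(key, entry name, command)] for each *name=command line under a » key."""
    entries, key = [], None
    for line in text.splitlines():
        if line.startswith("»"):
            key = line[1:]
        elif line.startswith("*") and key:
            name, _, command = line.lstrip("*").partition("=")
            entries.append((key, name, command))
    return entries


def triage(pv_text, startdreck_text):
    """Rank loaded modules by the number of suspicious traits; returns (name, path, reasons)."""
    autostart = {}
    for key, entry, command in parse_run_keys(startdreck_text):
        m = RUNDLL_RE.search(command)
        if m:
            dll_name = m["dll"].rsplit("\\", 1)[-1].upper()
            autostart[dll_name] = (key, entry, m["export"])
    findings = []
    for name, (base, path, version) in parse_pv(pv_text).items():
        reasons = []
        if not version:
            reasons.append("no version resource")
        if base == DEFAULT_DLL_BASE:
            reasons.append("mapped at the linker default base 0x10000000")
        if name in autostart:
            key, entry, export = autostart[name]
            reasons.append(f"autostarted by rundll32 from {key} ({entry} -> {export})")
        if reasons:
            findings.append((name, path, reasons))
    findings.sort(key=lambda f: -len(f[2]))
    return findings


if __name__ == "__main__":
    for name, path, reasons in triage(PV_SAMPLE, STARTDRECK_SAMPLE):
        print(f"{name} ({path}): " + "; ".join(reasons))
```

On the sample, CBJCBAA.DLL and SQLCN.DLL come out on top with two traits each, which matches the two files Scoff singles out in this thread; SDHELPER.DLL, WTOOLSB.DLL and NETBIOS.DLL score only for the missing version resource, so a listing like this is a prioritised worklist, not a verdict.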

#7 Yackal (Full Member, 8 posts)

Posted 15 June 2004 - 02:23 PM

By the way, your link for StartDreck is no longer any good. I found it at:
http://www.niksoft.a.../startdreck.htm

#8 Scoff (SWI Junkie, Retired Staff, 294 posts)

Posted 16 June 2004 - 02:29 AM

Download: "Win98Fix.zip" from here:
http://www10.brinkst...last/pvtool.htm

Unzip to its own folder.

Open Folder and double click on RunFix.reg file.
Hit 'Yes' to merge it into your registry.
Restart your computer.

The bad file should now be visible so you can delete it.
Browse to C:\WINDOWS\SYSTEM\SQLCN.DLL
Right click select 'Properties' and remove any 'Read only' protection.
Right click again and select 'Delete'.

(If you cannot find the file, run the 'Who.bat' file in the folder.
The file will be found and listed.)

Download CWShredder from here, run the program, select 'fix' (not scan only) and let it fix everything that it finds.

Ad-aware has had updates recently, please update it and make sure it is configured to scan as follows. Screenshot instructions for setup are here if needed.

First in the main window look in the bottom right corner and click on Check for updates now and download the latest reference files.

Make sure the following settings are made and on ------- ON = GREEN

From main window : Click Start then Activate in-depth scan (recommended)

Click Use custom scanning options then click Customize and have these options selected: Under Drives and Folders put a check by Scan within archives and below that under Memory and Registry put a check by all the options there.

Now click on the Tweak button in that same window. Under Scanning Engine select Unload recognized processes during scanning and under Cleaning Engine select Let windows remove files in use at next reboot.

Click Proceed to save your settings. Now to scan just click the Next button.

When the scan is finished mark everything for removal and get rid of it. (Right-click the window and choose Select All from the drop down menu and click Next).

Reboot your computer.

You already have Spybot. If you do not have version 1.3 installed, uninstall version 1.2 with the provided uninstaller. Download Spybot 1.3 from http://www.safer-net...p?page=download, install it, open it and click the Search for Updates button. When updates are found, put a check mark next to all and click the Download Updates button. Now click the Search & Destroy icon in the left pane, then the Check for problems button at the bottom of the window. When the scan completes, make sure all the items in RED are ticked, then click the Fix Selected Problems button. Screenshot instructions for installation and setup are here http://www.bleepingc...showtutorial=43 if needed.

Reboot and post a fresh log, there is more to clean up!
Regards
Scoff

#9 Yackal (Full Member, 8 posts)

Posted 18 June 2004 - 04:51 PM

Scoff, I did all you instructed. Here is the StartDreck log file; I think it is the one you wanted. Looking forward to more... Thanks, Dave

StartDreck (build 2.1.5 public BETA) - 2004-06-18 @ 16:48:03
Platform: Windows 98 SE (Win 4.10.2222 A)

»Registry
»Run Keys
»Current User
»Run
»RunOnce
»Default User
»Run
»RunOnce
»Local Machine
»Run
*SystemTray=SysTray.Exe
*WinTools=C:\Program Files\Common files\WinTools\WToolsA.exe
»RunOnce
»RunServices
*WinTools=C:\Program Files\Common files\WinTools\WToolsA.exe
»RunServicesOnce
»RunOnceEx
»RunServicesOnceEx
»Files
»System/Drivers
»Running Processes
*FFCF0217=C:\WINDOWS\SYSTEM\KERNEL32.DLL
*FFFF55A3=C:\WINDOWS\SYSTEM\MSGSRV32.EXE
*FFFF4333=C:\WINDOWS\SYSTEM\MPREXE.EXE
*FFFF92F7=C:\PROGRAM FILES\COMMON FILES\WINTOOLS\WTOOLSA.EXE
*FFFFC403=C:\WINDOWS\SYSTEM\mmtask.tsk
*FFFFC983=C:\PROGRAM FILES\COMMON FILES\WINTOOLS\WSUP.EXE
*FFFE040B=C:\WINDOWS\EXPLORER.EXE
*FFFEFCC7=C:\WINDOWS\SYSTEM\SYSTRAY.EXE
*FFFD004F=C:\WINDOWS\SYSTEM\WMIEXE.EXE
*FFFB49FB=C:\PROGRAM FILES\PKWARE\PKZIPW\PKZIPW.EXE
*FFFCF7FF=C:\PKTMP000.EXE
*FFFCBEAF=C:\STARTDRECK.EXE
»Application specific

#10 Scoff (SWI Junkie, Retired Staff, 294 posts)

Posted 18 June 2004 - 06:30 PM

Can you post a new HijackThis log as well, and we'll see what's left to get rid of.

You are running HijackThis from your desktop; this is not a good idea, because when we do a fix HijackThis will create backups and they will be spread all over your desktop. Can you please create a folder in My Documents and call it HijackThis or HJT or similar. Then extract HijackThis into the folder you have created and run it from there. When you have done that, delete the copy of HijackThis that you have on your desktop.
Regards
Scoff

#11 Yackal (Full Member, 8 posts)

Posted 21 June 2004 - 01:28 PM

O.K., I moved HijackThis to My Documents. Here is the new log. Thanks, Scoff

Logfile of HijackThis v1.97.7
Scan saved at 1:24:46 PM, on 6/21/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v5.50 (5.50.4134.0600)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\PROGRAM FILES\COMMON FILES\WINTOOLS\WTOOLSA.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\PROGRAM FILES\COMMON FILES\WINTOOLS\WSUP.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\MY DOCUMENTS\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.websearch...spx?tb_id=50093
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.websearch...spx?tb_id=50093
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy:8080
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch...spx?tb_id=50093
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WINTOOLS\WTOOLSB.DLL
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common files\WinTools\WToolsA.exe
O4 - HKLM\..\RunServices: [WinTools] C:\Program Files\Common files\WinTools\WToolsA.exe
O9 - Extra button: ATI TV (HKLM)
O9 - Extra 'Tools' menuitem: MaxSpeed (HKLM)
O9 - Extra button: ComcastHSI (HKCU)
O9 - Extra button: Help (HKCU)
O9 - Extra button: Support (HKCU)
O9 - Extra button: @Home (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://home.excite.com/

#12 Scoff (SWI Junkie, Retired Staff, 294 posts)

Posted 21 June 2004 - 10:08 PM

You had a Peper infection. Ad-aware seems to have removed it, but I'd like to make sure: click here to download the PeperFix tool, save it to your desktop, double-click on it, click 'Find and Fix' and reboot if prompted. Run it again to make sure.

Press Ctrl+Alt+Delete to bring up the Task Manager and end any process running for WinTools.

WinTools may have an entry in the Add/Remove Programs Control Panel. If so, it may be easy to get rid of. In Start > Control Panel > Add or Remove Programs, make sure you have Change or Remove Programs selected in the sidebar, then highlight the following programs and uninstall them.

Wintools

Close all other windows except for HijackThis, put a check against the following items and click 'Fix checked'.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.websearch...spx?tb_id=50093
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.websearch...spx?tb_id=50093
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch...spx?tb_id=50093

O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WINTOOLS\WTOOLSB.DLL

O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common files\WinTools\WToolsA.exe
O4 - HKLM\..\RunServices: [WinTools] C:\Program Files\Common files\WinTools\WToolsA.exe


If this is not the supplier of your PC or ISP, then fix this also:

O14 - IERESET.INF: START_PAGE_URL=http://home.excite.com/

Now reboot your computer and start in safe mode. To do this, press the F8 key repeatedly as the computer starts up until you see a menu screen (if Windows starts normally, restart it again). Use the arrow keys to highlight "Safe Mode" and press Enter. For further information on safe mode click here.

Make sure you have all hidden files shown.

Delete the following entry if it still exists:
Folder
C:\PROGRAM FILES\COMMON FILES\WINTOOLS

Reboot and post a fresh log so we can check that everything has been cleaned. This was a pretty serious infestation: you had 3 separate browser hijackers and websearch hijackers, a nasty virus, some unidentified program files (probably viruses) and an unwanted toolbar. Your protection against attacks could do with being beefed up, but you can stop this happening again. Here are some tips to reduce the potential for spyware infection in the future. I strongly recommend installing the following applications; everything listed below is also free:
  • Spywareblaster <= SpywareBlaster will prevent spyware from being installed.
  • Spywareguard <= SpywareGuard offers realtime protection from spyware installation attempts.
  • IE/Spyad <= IE/Spyad places over 4000 websites and domains in the IE Restricted list, which will severely impair attempts to infect your system. It basically prevents any downloads (cookies etc.) from the sites listed, although you will still be able to connect to the sites.
  • MVPS Hosts file <= The MVPS Hosts file replaces your current HOSTS file with one containing well-known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer. In Windows Explorer go to C:\WINDOWS\System32\Drivers\Etc, locate the file called hosts (no file extension) and rename it to hosts.old. Then download the MVPS hosts file and extract it to the exact same location.
  • Google Toolbar <= Get the free google toolbar to help stop pop up windows.
  • To protect yourself further:
  • It would be worth reading How did I get infected in the first place?
  • Your operating system/Internet Explorer is badly out of date. It is very important to go to the Windows Update page to check for all updates, then download and install all marked "critical".
  • Microsoft no longer supports its Java Virtual Machine. This is constantly targeted by spyware because of its security weaknesses. Uninstall Microsoft Java VM and replace it with Sun Java. This will protect you against CoolWebSearch, currently the most common and probably nastiest parasite right now (and responsible for 2 infections for you). Instructions on how to do this are here.
  • I also suggest that you delete any files from "temp" and "tmp" folders. In Internet Explorer, click on "Tools" => "Internet Options" => "Delete Files", select the box that says "Delete All Offline Content" and click on "OK" twice. Also, empty the recycle bin by right-clicking on it and selecting "Empty Recycle Bin". These steps should be done on a regular basis.
  • Update your antivirus program regularly. If your subscription has expired try AVG Free Edition.

Edited by Scoff, 21 June 2004 - 10:11 PM.

Regards
Scoff

#13 Yackal (Full Member, 8 posts)

Posted 22 June 2004 - 11:37 AM

Ran PeperFix, was OK on that. Followed all your instructions; wtoolsa and wsup are no longer running. Unreal. Got rid of Java VM, got the updated one. Am waiting to install all the free stuff, but it looks great. Do you guys get paid? This is a really awesome forum. You were great. I can not tell you how much I appreciate your help, AND I learned a lot. Here is the fresh log. Dave


Logfile of HijackThis v1.97.7
Scan saved at 11:30:16 AM, on 6/22/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\MY DOCUMENTS\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by @Home
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy:8080
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [CriticalUpdate] C:\WINDOWS\SYSTEM\wucrtupd.exe -startup
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O9 - Extra button: ATI TV (HKLM)
O9 - Extra 'Tools' menuitem: MaxSpeed (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: ComcastHSI (HKCU)
O9 - Extra button: Help (HKCU)
O9 - Extra button: Support (HKCU)
O9 - Extra button: @Home (HKCU)
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...8160.3524074074

#14 Scoff (SWI Junkie, Retired Staff, 294 posts)

Posted 23 June 2004 - 02:32 AM

Looks like you're good to go.

All volunteers here! http://www.spywareinfo.com/support.php

If you want to know a bit more, keep reading the site and think about the boot camp.

Happy surfing!
Regards
Scoff

#15 Yackal (Full Member, 8 posts)

Posted 24 June 2004 - 04:07 PM

Great! Thanks! All the best to you and yours, Scoff.

Take care, Dave



