Yackal

help with wtoolsa and wsup


I have read your FAQ and have followed your instructions. I have run Ad-aware and Spybot. Here is an updated HijackThis log. Your help with this is GREATLY appreciated. Thanks a lot, Dave

 

Logfile of HijackThis v1.97.7

Scan saved at 6:00:38 PM, on 6/11/04

Platform: Windows 98 SE (Win9x 4.10.2222A)

MSIE: Internet Explorer v5.50 (5.50.4134.0600)

 

Running processes:

C:\WINDOWS\SYSTEM\KERNEL32.DLL

C:\WINDOWS\SYSTEM\MSGSRV32.EXE

C:\WINDOWS\SYSTEM\MPREXE.EXE

C:\PROGRAM FILES\COMMON FILES\WINTOOLS\WTOOLSA.EXE

C:\WINDOWS\SYSTEM\mmtask.tsk

C:\PROGRAM FILES\COMMON FILES\WINTOOLS\WSUP.EXE

C:\WINDOWS\EXPLORER.EXE

C:\WINDOWS\SYSTEM\SYSTRAY.EXE

C:\WINDOWS\SYSTEM\WMIEXE.EXE

C:\WINDOWS\SYSTEM\ENUEN.EXE

C:\WINDOWS\SYSTEM\QNH01TMS.EXE

C:\WINDOWS\SYSTEM\SPOOL32.EXE

C:\WINDOWS\SYSTEM\PSTORES.EXE

C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE

C:\WINDOWS\SYSTEM\DDHELP.EXE

C:\WINDOWS\DESKTOP\HIJACKTHIS\HIJACKTHIS.EXE

 

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://aifind.info/

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = C:\WINDOWS\system32\searchbar.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.websearch.com/ie.aspx?tb_id=50093

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\SYSTEM\CBJCBAA.DLL/sp.html (obfuscated)

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://nkvd.us (obfuscated)

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://homepage.com%00@www.e-finder.cc/search/ (obfuscated)

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\SYSTEM\CBJCBAA.DLL/sp.html (obfuscated)

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://homepage.com%00@www.e-finder.cc/search/ (obfuscated)

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\SYSTEM\CBJCBAA.DLL/sp.html (obfuscated)

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\SYSTEM\CBJCBAA.DLL/sp.html (obfuscated)

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://home.excite.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://homepage.com%00@www.e-finder.cc/search/ (obfuscated)

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50093

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://homepage.com%00@www.e-finder.cc/search/ (obfuscated)

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy:8080

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://nkvd.us (obfuscated)

R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://nkvd.us (obfuscated)

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = C:\WINDOWS\system32\searchbar.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50093

R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = http://homepage.com%00@www.e-finder.cc/search/ (obfuscated)

R3 - URLSearchHook: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WINTOOLS\WTOOLSB.DLL

O2 - BHO: (no name) - {834261E1-DD97-4177-853B-C907E5D5BD6E} - C:\DPE.DLL

O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - (no file)

O2 - BHO: (no name) - {E6151084-B889-11D8-B25A-00D08EAE10FF} - C:\WINDOWS\SYSTEM\CBJCBAA.DLL

O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WINTOOLS\WTOOLSB.DLL

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL

O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX

O4 - HKLM\..\Run: [systemTray] SysTray.Exe

O4 - HKLM\..\Run: [4GL56SE4F6N3PR] C:\WINDOWS\SYSTEM\YjuHP.exe

O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common files\WinTools\WToolsA.exe

O4 - HKLM\..\RunServices: [WinTools] C:\Program Files\Common files\WinTools\WToolsA.exe

O9 - Extra button: ATI TV (HKLM)

O9 - Extra 'Tools' menuitem: MaxSpeed (HKLM)

O9 - Extra button: ComcastHSI (HKCU)

O9 - Extra button: Help (HKCU)

O9 - Extra button: Support (HKCU)

O9 - Extra button: @Home (HKCU)

O12 - Plugin for .wav: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll

O13 - Home Prefix: http://%6E%6B%76%64%2E%75%73/

O13 - Mosaic Prefix: http://%6E%6B%76%64%2E%75%73/

O14 - IERESET.INF: START_PAGE_URL=http://home.excite.com/

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab
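Several values in the log above carry HijackThis' "(obfuscated)" marker, and the O13 prefix is a hex-encoded host. As an added example (not part of this thread, and not HijackThis code), here is a small Python parser for R/O lines in this format that explains why such values deserve a second look: it percent-decodes the O13 prefix, spots the `user%00@host` form that hides the real host behind fake userinfo, flags `res://` search pages served out of a local DLL, and notes nameless BHOs and RunServices autostarts. The sample lines are constructed to match the log's format; the finding texts and the helper names are my own.

```python
import re
from urllib.parse import unquote, urlsplit

# Constructed sample in the format of a HijackThis v1.97 log (a subset, not the thread's full log).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\SYSTEM\CBJCBAA.DLL/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://homepage.com%00@www.e-finder.cc/search/ (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://home.excite.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O2 - BHO: (no name) - {E6151084-B889-11D8-B25A-00D08EAE10FF} - C:\WINDOWS\SYSTEM\CBJCBAA.DLL
O4 - HKLM\..\RunServices: [WinTools] C:\Program Files\Common files\WinTools\WToolsA.exe
O13 - Home Prefix: http://%6E%6B%76%64%2E%75%73/
"""

OBFUSCATED = "(obfuscated)"                       # HijackThis' own marker on the line
R_LINE = re.compile(r"^(R\d) - (.+?),(.*?)\s*=\s*(.*)$")
O_LINE = re.compile(r"^(O\d+) - (.*)$")


def strip_marker(value):
    """Remove a trailing '(obfuscated)' marker; return (url, was_marked)."""
    marked = value.endswith(OBFUSCATED)
    if marked:
        value = value[: -len(OBFUSCATED)].rstrip()
    return value, marked


def decode_url(raw):
    """Percent-decode so a hex-encoded host such as %6E%6B... becomes readable."""
    return unquote(raw)


def url_findings(raw):
    """Return human-readable reasons a registry URL value looks hijacked."""
    url, marked = strip_marker(raw)
    findings = ["marked (obfuscated) by HijackThis"] if marked else []
    if not url:
        return findings
    if url.lower().startswith("res://"):
        # res:// serves an HTML resource out of a local binary; a search page
        # coming from a DLL in C:\WINDOWS\SYSTEM is not a normal IE setting.
        findings.append("res:// page served from local binary " + url[6:].split("/")[0])
        return findings
    parts = urlsplit(url)
    if "%00" in url:
        findings.append("embedded NUL (%00) in URL")
    if "@" in parts.netloc:
        # Everything before '@' is userinfo; the browser connects to the host after it.
        findings.append("text before '@' is userinfo, real host is " + parts.hostname)
    elif "%" in parts.netloc:
        findings.append("percent-encoded host, decodes to " + urlsplit(decode_url(url)).netloc)
    return findings


def parse_hjt(text):
    """Parse R*/O* lines into dicts, each with a 'flags' list of findings."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        m = R_LINE.match(line)
        if m:
            section, key, name, value = m.groups()
            url, _ = strip_marker(value)
            entries.append({"section": section, "key": key + "," + name,
                            "value": url, "flags": url_findings(value)})
            continue
        m = O_LINE.match(line)
        if m:
            section, rest = m.groups()
            flags = []
            if section == "O13":
                # the prefix IE adds to addresses typed without a protocol
                flags = url_findings(rest.partition(": ")[2])
            elif section == "O2" and "(no name)" in rest:
                flags.append("browser helper object without a name")
            elif section == "O4" and "RunServices" in rest:
                flags.append("RunServices autostart (runs before logon on Windows 9x)")
            entries.append({"section": section, "key": rest, "value": "", "flags": flags})
    return entries


def suspicious(entries):
    """Only the entries that produced at least one finding."""
    return [e for e in entries if e["flags"]]


if __name__ == "__main__":
    for e in suspicious(parse_hjt(SAMPLE_LOG)):
        print(e["section"], e["key"], "->", "; ".join(e["flags"]))
```

Run against the sample, five of the seven lines come back flagged; the two clean ones are the excite.com default page and the empty CustomizeSearch value. The findings are prompts for a human reviewer, not a verdict: a legitimate entry can use percent-encoding, and an empty value is often just the residue of a cleanup.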


Arayh and Yackal, please see http://www.spywareinfoforum.com/index.php?showtopic=148

 

Yackal, you have more problems than WinTools; a CoolWebSearch hidden variant has you as well. This needs to be dealt with first.

 

Download this zip.

 

http://tools.zerosrealm.com/pv.zip

Please unzip it to the desktop. It will not work if you run it from inside the zip.

 

After unzipping, go to the desktop. Open the pv folder. Double-click on runme9x.bat.

 

A DOS window will open. Please select option 1 for Explorer DLLs by typing 1 and then pressing Enter.

 

Notepad will open with a log in it. Please copy and paste the log into this post.

Edited by Scoff


Module information for 'EXPLORER.EXE'

MODULE BASE SIZE PATH

WEBVW.DLL 76320000 245760 C:\WINDOWS\SYSTEM\WEBVW.DLL 5.00.0312.0 Shell WebView Content & Control Library

JAVACYPT.DLL 7c480000 192512 C:\WINDOWS\SYSTEM\JAVACYPT.DLL 5.00.3805 MS Crypt Dll for Java

MSJAVA.DLL 7c000000 958464 C:\WINDOWS\SYSTEM\MSJAVA.DLL 5.00.3805 Microsoft® VM

VMHELPER.DLL 7c520000 294912 C:\WINDOWS\SYSTEM\VMHELPER.DLL 5.00.3805 Microsoft® VM Helper Library

RSABASE.DLL 7ca00000 110592 C:\WINDOWS\SYSTEM\RSABASE.DLL 5.00.1877.7 Microsoft Base Cryptographic Provider (Export Version)

SOFTPUB.DLL 77ac0000 69632 C:\WINDOWS\SYSTEM\SOFTPUB.DLL 5.131.1877.4 Microsoft Trust Policy Providers

CORPOL.DLL 7edd0000 32768 C:\WINDOWS\SYSTEM\CORPOL.DLL 1998.03.6074.0 Microsoft COM Runtime Execution Engine

CFGMGR32.DLL 7f810000 45056 C:\WINDOWS\SYSTEM\CFGMGR32.DLL 4.10.1998 Configuration Manager Win32 Interface

WINTRUST.DLL 71570000 57344 C:\WINDOWS\SYSTEM\WINTRUST.DLL 5.131.1877.5 Microsoft Trust Verification APIs

CRYPT32.DLL 713d0000 385024 C:\WINDOWS\SYSTEM\CRYPT32.DLL 5.131.1877.5 Crypto API32

MSOSS.DLL 79e00000 151552 C:\WINDOWS\SYSTEM\MSOSS.DLL 5.131.1877.3 Microsoft Trust ASN APIs

IMGUTIL.DLL 704f0000 40960 C:\WINDOWS\SYSTEM\IMGUTIL.DLL 5.50.4134.600 IE plugin image decoder support DLL

UMODEXTRACTORCM.DLL 3a60000 348160 C:\WINDOWS\UMODEXTRACTORCM.DLL 1.0.0.0 UMOD Extract Shell Extension

PLUGIN.OCX 4430000 98304 C:\WINDOWS\SYSTEM\PLUGIN.OCX 5.50.4134.600 ActiveX Plugin OCX

DDRAWEX.DLL 65000000 36864 C:\WINDOWS\SYSTEM\DDRAWEX.DLL 4.87.00.0700 Microsoft DirectDrawEx

DDRAW.DLL baaa0000 413696 C:\WINDOWS\SYSTEM\DDRAW.DLL 4.09.00.0900 Microsoft DirectDraw

NTDLL.DLL bfee0000 20480 C:\WINDOWS\SYSTEM\NTDLL.DLL 4.10.1998 Win32 NTDLL core component

FLASH.OCX 3c30000 1732608 C:\WINDOWS\SYSTEM\MACROMED\FLASH\FLASH.OCX 7,0,19,0 Macromedia Flash Player 7.0 r19

COMDLG32.DLL 7fe10000 184320 C:\WINDOWS\SYSTEM\COMDLG32.DLL 4.72.3510.2300 Common Dialogs DLL

WINMM.DLL bfdf0000 65536 C:\WINDOWS\SYSTEM\WINMM.DLL 4.03.1998 System APIs for Multimedia

VBSCRIPT.DLL 6b600000 462848 C:\WINDOWS\SYSTEM\VBSCRIPT.DLL 5.6.0.7426 Microsoft ® VBScript

DISPEX.DLL 3a50000 45056 C:\WINDOWS\SYSTEM\DISPEX.DLL 5.1.0.4615 Microsoft ® DispEx

MSHTMLED.DLL 70f10000 417792 C:\WINDOWS\SYSTEM\MSHTMLED.DLL 5.50.4134.600 Microsoft ® HTML Editing Component

MSLS31.DLL 7a410000 163840 C:\WINDOWS\SYSTEM\MSLS31.DLL 3.10.337.0 Microsoft Line Services library file

IEPEERS.DLL 70f90000 245760 C:\WINDOWS\SYSTEM\IEPEERS.DLL 5.50.4134.600 Internet Explorer Peer Objects

WINSPOOL.DRV 7fe40000 36864 C:\WINDOWS\SYSTEM\WINSPOOL.DRV 4.10.1998 Win32 WINSPOOL core component

JSCRIPT.DLL 712b0000 552960 C:\WINDOWS\SYSTEM\JSCRIPT.DLL 5.5.0.5207 Microsoft ® JScript

IMM32.DLL bfe20000 16384 C:\WINDOWS\SYSTEM\IMM32.DLL 4.10.1998 Win32 IMM32 core component

MSHTML.DLL 70c30000 2756608 C:\WINDOWS\SYSTEM\MSHTML.DLL 5.50.4134.600 Microsoft ® HTML Viewer

RNR20.DLL 783c0000 61440 C:\WINDOWS\SYSTEM\RNR20.DLL 4.10.2222 Windows Socket2 NameSpace DLL

MLANG.DLL 70440000 585728 C:\WINDOWS\SYSTEM\MLANG.DLL 6.00.2600.0000 Multi Language Support DLL

ACTXPRXY.DLL 703b0000 94208 C:\WINDOWS\SYSTEM\ACTXPRXY.DLL 5.50.4134.600 ActiveX Interface Marshaling Library

SDHELPER.DLL 1f90000 733184 C:\PROGRAM FILES\SPYBOT - SEARCH & DESTROY\SDHELPER.DLL

OLEPRO32.DLL 5f300000 167936 C:\WINDOWS\SYSTEM\OLEPRO32.DLL 5.0.4518

WTOOLSB.DLL 1d50000 204800 C:\PROGRAM FILES\COMMON FILES\WINTOOLS\WTOOLSB.DLL

CBJCBAA.DLL 10000000 45056 C:\WINDOWS\SYSTEM\CBJCBAA.DLL

SENSAPI.DLL 60000000 20480 C:\WINDOWS\SYSTEM\SENSAPI.DLL 5.50.4134.600 SENS Connectivity API DLL

BROWSELC.DLL 718a0000 45056 C:\WINDOWS\SYSTEM\BROWSELC.DLL 5.50.4134.600 Shell Browser UI Library

SHDOCLC.DLL 71820000 401408 C:\WINDOWS\SYSTEM\SHDOCLC.DLL 5.50.4134.600 Shell Doc Object and Control Library

ES.DLL 71720000 114688 C:\WINDOWS\SYSTEM\ES.DLL 1998.09.1003.0 COM+ EventSystem Library

SENS.DLL 60100000 90112 C:\WINDOWS\SYSTEM\SENS.DLL 5.50.4134.600 System Event Notification Service (SENS)

ESTIER2.DLL 71770000 61440 C:\WINDOWS\SYSTEM\ESTIER2.DLL 1998.09.1003.0 COM+ EventSystem Service Library

ESSHARED.DLL 71750000 65536 C:\WINDOWS\SYSTEM\ESSHARED.DLL 1998.09.1003.0 COM+ EventSystem Shared Utilities

WEBCHECK.DLL 70320000 270336 C:\WINDOWS\SYSTEM\WEBCHECK.DLL 5.50.4134.600 Web Site Monitor

RASAPI32.DLL 7f880000 217088 C:\WINDOWS\SYSTEM\RASAPI32.DLL 4.10.2222 Dial-Up Networking Dynamic Linked Library

SECUR32.DLL 7f870000 40960 C:\WINDOWS\SYSTEM\SECUR32.DLL 4.10.2222 Microsoft Win32 Security Services

MSVCRT20.DLL 7fc30000 282624 C:\WINDOWS\SYSTEM\MSVCRT20.DLL 2.11.000 Microsoft® C Runtime Library

SVRAPI.DLL 7f950000 32768 C:\WINDOWS\SYSTEM\SVRAPI.DLL 4.10.1998 32-bit common Server API library

MSPWL32.DLL 7fb40000 40960 C:\WINDOWS\SYSTEM\MSPWL32.DLL 4.10.1998 Password list management library

NETAPI32.DLL 7f990000 20480 C:\WINDOWS\SYSTEM\NETAPI32.DLL 4.10.1998 32-bit network API DLL

NETBIOS.DLL 7f840000 32768 C:\WINDOWS\SYSTEM\NETBIOS.DLL

URLMON.DLL 70290000 471040 C:\WINDOWS\SYSTEM\URLMON.DLL 5.50.4134.600 OLE32 Extensions for Win32

SHD401LC.DLL f20000 61440 C:\WINDOWS\SYSTEM\SHD401LC.DLL 5.50.4134.600 Shell Doc Object and Control Library - IE 4.01 compat

LINKINFO.DLL 7fb80000 36864 C:\WINDOWS\SYSTEM\LINKINFO.DLL 4.10.1998 Windows Volume Tracking

MPR.DLL 7fbf0000 57344 C:\WINDOWS\SYSTEM\MPR.DLL 4.10.1998 WIN32 Network Interface DLL

MYDOCS.DLL 792f0000 69632 C:\WINDOWS\SYSTEM\MYDOCS.DLL 4.72.3510.2300 My Documents Folder UI

SHFOLDER.DLL 719a0000 32768 C:\WINDOWS\SYSTEM\SHFOLDER.DLL 6.00.2600.0000 Shell Folder Service

MSI.DLL f30000 2015232 C:\WINDOWS\SYSTEM\MSI.DLL 2.0.2600.2 Windows Installer

MSONSEXT.DLL 379b0000 544768 C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\WEB FOLDERS\MSONSEXT.DLL

VERSION.DLL bfe70000 24576 C:\WINDOWS\SYSTEM\VERSION.DLL 4.10.1998 Win32 VERSION core component

OLEAUT32.DLL 65340000 634880 C:\WINDOWS\SYSTEM\OLEAUT32.DLL 2.40.4518

BROWSEUI.DLL 71110000 823296 C:\WINDOWS\SYSTEM\BROWSEUI.DLL 5.50.4134.600 Shell Browser UI Library

SQLCN.DLL 2ae60000 131072 C:\WINDOWS\SYSTEM\SQLCN.DLL

IPHLPAPI.DLL 7c8e0000 32768 C:\WINDOWS\SYSTEM\IPHLPAPI.DLL 5.00.1717.2 IP Helper API

MSAFD.DLL 7b410000 45056 C:\WINDOWS\SYSTEM\MSAFD.DLL 4.10.1998 Microsoft Windows Sockets 2.0 Service Provider

IPCFGDLL.DLL 7c900000 28672 C:\WINDOWS\SYSTEM\IPCFGDLL.DLL 5.00.1717.2 Ipconfig API DLL

DHCPCSVC.DLL 7dd90000 28672 C:\WINDOWS\SYSTEM\DHCPCSVC.DLL

ICMP.DLL 7ce10000 24576 C:\WINDOWS\SYSTEM\ICMP.DLL 5.00.1454.1 ICMP DLL

WSOCK32.DLL 75fa0000 40960 C:\WINDOWS\SYSTEM\WSOCK32.DLL 4.10.1998 BSD Socket API for Windows

MSWSOCK.DLL 794d0000 86016 C:\WINDOWS\SYSTEM\MSWSOCK.DLL 4.10.2222 Microsoft WinSock Extension APIs

WS2_32.DLL 76000000 73728 C:\WINDOWS\SYSTEM\WS2_32.DLL 4.10.2222 Windows Socket 2.0 32-Bit DLL

WININET.DLL 70200000 487424 C:\WINDOWS\SYSTEM\WININET.DLL 5.50.4134.600 Internet Extensions for Win32

TAPI32.DLL 7f960000 122880 C:\WINDOWS\SYSTEM\TAPI32.DLL 4.10.2222 Microsoft® Windows Telephony API Client DLL

RPCRT4.DLL 70100000 335872 C:\WINDOWS\SYSTEM\RPCRT4.DLL 4.71.2900 Remote Procedure Call DLL

WS2HELP.DLL 75fe0000 24576 C:\WINDOWS\SYSTEM\WS2HELP.DLL 4.10.1998 Windows Socket 2.0 Helper for Windows 98

SHDOC401.DLL 50000000 507904 C:\WINDOWS\SYSTEM\SHDOC401.DLL 5.50.4134.600 Shell Doc Object and Control Library - IE 4.01 compat

OLE32.DLL 65f00000 790528 C:\WINDOWS\SYSTEM\OLE32.DLL 4.71.2900 Microsoft OLE for Windows and Windows NT

SHDOCVW.DLL 70fe0000 1159168 C:\WINDOWS\SYSTEM\SHDOCVW.DLL 5.50.4134.600 Shell Doc Object and Control Library

MSVCRT.DLL 78000000 286720 C:\WINDOWS\SYSTEM\MSVCRT.DLL 6.10.8637.0 Microsoft ® C Runtime Library

SHELL32.DLL 66800000 1396736 C:\WINDOWS\SYSTEM\SHELL32.DLL 4.72.3812.600 Windows Shell Common Dll

EXPLORER.EXE 400000 180224 C:\WINDOWS\EXPLORER.EXE 4.72.3110.1 Windows Explorer

COMCTL32.DLL bfb70000 581632 C:\WINDOWS\SYSTEM\COMCTL32.DLL 5.81 Common Controls Library

SHLWAPI.DLL 70bd0000 311296 C:\WINDOWS\SYSTEM\SHLWAPI.DLL 5.50.4134.600 Shell Light-weight Utility Library

USER32.DLL bfc00000 69632 C:\WINDOWS\SYSTEM\USER32.DLL 4.10.2227 Win32 USER32 core component

GDI32.DLL bff20000 155648 C:\WINDOWS\SYSTEM\GDI32.DLL 4.10.1998 Win32 GDI core component

ADVAPI32.DLL bfe80000 65536 C:\WINDOWS\SYSTEM\ADVAPI32.DLL 4.80.1675 Win32 ADVAPI32 core component

KERNEL32.DLL bff70000 471040 C:\WINDOWS\SYSTEM\KERNEL32.DLL 4.10.2222 Win32 Kernel core component
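Reading a pv listing like the one above by hand is tedious. As an added example (not part of this thread, and not pv's own code), here is a Python parser for rows in this "MODULE BASE SIZE PATH [VERSION [DESCRIPTION]]" format, with a triage heuristic that is my assumption rather than anything the thread states: modules for which pv printed no version string and no description, or that were loaded from outside C:\WINDOWS\SYSTEM, are the rows to look at first. In the listing above that picks out WTOOLSB.DLL, CBJCBAA.DLL and SQLCN.DLL, but also legitimate files such as Spybot's SDHELPER.DLL, so the output is a reading order, not a verdict. The sample rows are constructed from the listing's format.

```python
import re

# Constructed sample rows in the format of pv's 'Module information' listing
# (a subset; the addresses and sizes are as such a tool prints them).
SAMPLE_MODULES = r"""
MODULE BASE SIZE PATH
MSJAVA.DLL 7c000000 958464 C:\WINDOWS\SYSTEM\MSJAVA.DLL 5.00.3805 Microsoft® VM
FLASH.OCX 3c30000 1732608 C:\WINDOWS\SYSTEM\MACROMED\FLASH\FLASH.OCX 7,0,19,0 Macromedia Flash Player 7.0 r19
SDHELPER.DLL 1f90000 733184 C:\PROGRAM FILES\SPYBOT - SEARCH & DESTROY\SDHELPER.DLL
WTOOLSB.DLL 1d50000 204800 C:\PROGRAM FILES\COMMON FILES\WINTOOLS\WTOOLSB.DLL
CBJCBAA.DLL 10000000 45056 C:\WINDOWS\SYSTEM\CBJCBAA.DLL
SQLCN.DLL 2ae60000 131072 C:\WINDOWS\SYSTEM\SQLCN.DLL
KERNEL32.DLL bff70000 471040 C:\WINDOWS\SYSTEM\KERNEL32.DLL 4.10.2222 Win32 Kernel core component
"""

# The path may contain spaces, so it is matched up to its file extension;
# whatever follows is the optional version string and description.
ROW = re.compile(
    r"^(?P<name>\S+)\s+(?P<base>[0-9a-f]+)\s+(?P<size>\d+)\s+"
    r"(?P<path>.+?\.(?:dll|ocx|exe|drv|tsk))"
    r"(?:\s+(?P<version>\S+)(?:\s+(?P<desc>.*))?)?$",
    re.IGNORECASE,
)
SYSTEM_DIR = "C:\\WINDOWS\\SYSTEM\\"   # assumed location of the Windows 98 system directory


def parse_modules(text):
    """Parse listing rows into dicts; the header and unparseable rows are skipped."""
    mods = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        d["base"] = int(d["base"], 16)
        d["size"] = int(d["size"])
        mods.append(d)
    return mods


def review(mods):
    """Return {MODULE NAME: [reasons]} for the rows a helper would read first."""
    notes = {}
    for d in mods:
        reasons = []
        if not d["version"]:
            reasons.append("pv printed no version information or description")
        if not d["path"].upper().startswith(SYSTEM_DIR):
            reasons.append("loaded from outside " + SYSTEM_DIR)
        if reasons:
            notes[d["name"].upper()] = reasons
    return notes


if __name__ == "__main__":
    for name, reasons in review(parse_modules(SAMPLE_MODULES)).items():
        print(name, "->", "; ".join(reasons))
```

Against the sample this lists SDHELPER.DLL and WTOOLSB.DLL with two reasons each and CBJCBAA.DLL and SQLCN.DLL with one, while MSJAVA.DLL, FLASH.OCX and KERNEL32.DLL pass. The parsed `base` and `size` are kept as integers so a fuller version could also sort by load address or cross-check paths against the HijackThis O2 entries.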


Download: "StartDreck", from here:

http://members.blackbox.net/hp_links/21/ni.../startdreck.htm

 

Unzip to its own folder and start the program.

 

Press 'Config'

Press 'Unmark All'

 

Check the following boxes only:

Registry -> Run Keys

System/Drivers -> Running Processes

Press 'Ok'

 

Press 'Save' and select the location to save the log file

(default is the same folder as the application)

 

Post the log in this thread.


Scoff, I think this is what you needed. Let me know if anything is missing. Thanks again for staying on top of this. Dave

 

StartDreck (build 2.1.5 public BETA) - 2004-06-15 @ 14:19:37

Platform: Windows 98 SE (Win 4.10.2222 A)

 

»Registry

»Run Keys

»Current User

»Run

»RunOnce

»Default User

»Run

»RunOnce

»Local Machine

»Run

*SystemTray=SysTray.Exe

*4GL56SE4F6N3PR=C:\WINDOWS\SYSTEM\OKRN0Z44.exe

*WinTools=C:\Program Files\Common files\WinTools\WToolsA.exe

»RunOnce

»RunServices

*WinTools=C:\Program Files\Common files\WinTools\WToolsA.exe

»RunServicesOnce

**rhgr=rundll32 C:\WINDOWS\SYSTEM\SQLCN.DLL,StreamingDeviceSetup

»RunOnceEx

»RunServicesOnceEx

»File Associations (CR)

*.bat

*batfile="%1" %*

*.com

*comfile="%1" %*

*.disabled

*SpybotSD.DisabledFile="C:\PROGRAM FILES\SPYBOT - SEARCH & DESTROY\blindman.exe" %1

*.exe

*exefile="%1" %*

*.hta

*htafile=C:\WINDOWS\SYSTEM\MSHTA.EXE "%1" %*

*.htm

*htmlfile="C:\PROGRA~1\INTERN~1\iexplore.exe" -nohome

*.html

*htmlfile="C:\PROGRA~1\INTERN~1\iexplore.exe" -nohome

*.js

*JSFile=C:\WINDOWS\WScript.exe "%1" %*

*.jse

*JSEFile=C:\WINDOWS\WScript.exe "%1" %*

*.pif

*piffile="%1" %*

*.scr

*scrfile="%1" /S

*.txt

*txtfile=C:\WINDOWS\NOTEPAD.EXE %1

*.vbs

*VBSFile=C:\WINDOWS\WScript.exe "%1" %*

*.vbe

*VBEFile=C:\WINDOWS\WScript.exe "%1" %*

*.wsh

*WSHFile=C:\WINDOWS\WScript.exe "%1" %*

*.wsf

*WSFFile=C:\WINDOWS\WScript.exe "%1" %*

*.lnk

`lnkfile= [key or value does not exist]

»Browser Helper Objects (LM)

*AnalyzeIE.DOMPeek.1/{834261E1-DD97-4177-853B-C907E5D5BD6E}

`InprocServer32=C:\DPE.DLL

*{000020DD-C72E-4113-AF77-DD56626C6C42}

`InprocServer32=

*{87766247-311C-43B4-8499-3D5FEC94A183}

`InprocServer32=C:\PROGRA~1\COMMON~1\WINTOOLS\WTOOLSB.DLL

*{53707962-6F74-2D53-2644-206D7942484F}

`InprocServer32=C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL

*{43EB5921-BECD-11D8-B25A-00D048C8F1DC}

`InprocServer32=C:\WINDOWS\SYSTEM\EBLHB.DLL

»Files

»Autostart Folders

»Current User

»Default User

»Local Machine

»INI-Files

»WIN.INI\[windows]

*LOAD=

*RUN=

»SYSTEM.INI\[boot]

*SHELL=Explorer.exe

»Text Files

*C:\msdos.sys

*C:\config.sys

*C:\autoexec.bat

*C:\WINDOWS\dosstart.bat

*C:\WINDOWS\wininit.ini

*C:\WINDOWS\wininit.bak

»System/Drivers

»Running Processes

*FFCF1DBB=C:\WINDOWS\SYSTEM\KERNEL32.DLL

*FFFF4A0F=C:\WINDOWS\SYSTEM\MSGSRV32.EXE

*FFFF5C9F=C:\WINDOWS\SYSTEM\MPREXE.EXE

*FFFE7877=C:\WINDOWS\RUNDLL32.EXE

*FFFE1FE7=C:\WINDOWS\SYSTEM\mmtask.tsk

*FFFEE0F3=C:\WINDOWS\EXPLORER.EXE

*FFFD4637=C:\WINDOWS\SYSTEM\SYSTRAY.EXE

*FFFDFB5F=C:\WINDOWS\SYSTEM\WMIEXE.EXE

*FFFC3253=C:\PROGRAM FILES\COMMON FILES\WINTOOLS\WSUP.EXE

*FFFDB1BB=C:\PROGRAM FILES\COMMON FILES\WINTOOLS\WTOOLSA.EXE

*FFFB56FB=C:\WINDOWS\SYSTEM\DDHELP.EXE

*FFFDDE97=C:\WINDOWS\SYSTEM\PSTORES.EXE

*FFFA319B=C:\PROGRAM FILES\PKWARE\PKZIPW\PKZIPW.EXE

*FFFBE4E7=C:\WINDOWS\DESKTOP\PKTMP000.EXE

*FFFA723B=C:\WINDOWS\DESKTOP\STARTDRECK.EXE

»NT Services

»Application specific


Download: "Win98Fix.zip" from here:

http://www10.brinkster.com/expl0iter/freeatlast/pvtool.htm

 

Unzip to its own folder.

 

Open the folder and double-click on the RunFix.reg file.

Hit 'Yes' to merge it into your registry.

Restart your computer.

 

The bad file should now be visible so you can delete it.

Browse to C:\WINDOWS\SYSTEM\SQLCN.DLL

Right click select 'Properties' and remove any 'Read only' protection.

Right click again and select 'Delete'.

 

(If you cannot find the file, run the 'Who.bat' file in the folder.

The file will be found and listed.)

 

Download CWShredder from here, run the program, select 'fix' (not scan only) and let it fix everything that it finds.

 

Ad-aware has had updates recently, please update it and make sure it is configured to scan as follows. Screenshot instructions for setup are here if needed.

 

First, in the main window, look in the bottom right corner, click on Check for updates now and download the latest reference files.

 

Make sure the following settings are made and on ------- ON = GREEN

 

From main window : Click Start then Activate in-depth scan (recommended)

 

Click Use custom scanning options, then click Customize and have these options selected: under Drives and Folders put a check by Scan within archives, and below that, under Memory and Registry, put a check by all the options there.

 

Now click on the Tweak button in that same window. Under Scanning Engine select Unload recognized processes during scanning, and under Cleaning Engine select Let Windows remove files in use at next reboot.

 

Click Proceed to save your settings. Now to scan just click the Next button.

 

When the scan is finished, mark everything for removal and get rid of it. (Right-click the window, choose Select All from the drop-down menu and click Next.)

 

Reboot your computer.

 

You already have Spybot; if you do not have version 1.3 installed, uninstall version 1.2 with the provided uninstaller. Download Spybot 1.3 from http://www.safer-networking.org/index.php?page=download, install it, open it and click the Search for Updates button. When updates are found, put a check mark next to all and click the Download Updates button. Now click the Search & Destroy icon in the left pane, then the Check for problems button at the bottom of the window. When the scan completes, make sure all the items in RED are ticked, then click the Fix Selected Problems button. Screenshot instructions for installation and setup are here http://www.bleepingcomputer.com/forums/ind...showtutorial=43 if needed.

 

Reboot and post a fresh log, there is more to clean up!


Scoff, did all you instructed. Here is the StartDreck log file; I think it is the one you wanted. Looking forward to more...... Thanks, Dave

 

StartDreck (build 2.1.5 public BETA) - 2004-06-18 @ 16:48:03

Platform: Windows 98 SE (Win 4.10.2222 A)

 

»Registry

»Run Keys

»Current User

»Run

»RunOnce

»Default User

»Run

»RunOnce

»Local Machine

»Run

*SystemTray=SysTray.Exe

*WinTools=C:\Program Files\Common files\WinTools\WToolsA.exe

»RunOnce

»RunServices

*WinTools=C:\Program Files\Common files\WinTools\WToolsA.exe

»RunServicesOnce

»RunOnceEx

»RunServicesOnceEx

»Files

»System/Drivers

»Running Processes

*FFCF0217=C:\WINDOWS\SYSTEM\KERNEL32.DLL

*FFFF55A3=C:\WINDOWS\SYSTEM\MSGSRV32.EXE

*FFFF4333=C:\WINDOWS\SYSTEM\MPREXE.EXE

*FFFF92F7=C:\PROGRAM FILES\COMMON FILES\WINTOOLS\WTOOLSA.EXE

*FFFFC403=C:\WINDOWS\SYSTEM\mmtask.tsk

*FFFFC983=C:\PROGRAM FILES\COMMON FILES\WINTOOLS\WSUP.EXE

*FFFE040B=C:\WINDOWS\EXPLORER.EXE

*FFFEFCC7=C:\WINDOWS\SYSTEM\SYSTRAY.EXE

*FFFD004F=C:\WINDOWS\SYSTEM\WMIEXE.EXE

*FFFB49FB=C:\PROGRAM FILES\PKWARE\PKZIPW\PKZIPW.EXE

*FFFCF7FF=C:\PKTMP000.EXE

*FFFCBEAF=C:\STARTDRECK.EXE

»Application specific


Can you post a new HijackThis log as well, and we'll see what's left to get rid of.

 

You are running HijackThis from your desktop. This is not a good idea, because when we do a fix HijackThis will create backups and they will be spread all over your desktop. Can you please create a folder in My Documents and call it HijackThis or HJT or similar. Then extract HijackThis into the folder you have created and run it from there. When you have done that, delete the copy of HijackThis that you have on your desktop.


O.K., moved HijackThis to My Documents. Here is the new log. Thanks, Scoff

 

Logfile of HijackThis v1.97.7

Scan saved at 1:24:46 PM, on 6/21/04

Platform: Windows 98 SE (Win9x 4.10.2222A)

MSIE: Internet Explorer v5.50 (5.50.4134.0600)

 

Running processes:

C:\WINDOWS\SYSTEM\KERNEL32.DLL

C:\WINDOWS\SYSTEM\MSGSRV32.EXE

C:\WINDOWS\SYSTEM\MPREXE.EXE

C:\PROGRAM FILES\COMMON FILES\WINTOOLS\WTOOLSA.EXE

C:\WINDOWS\SYSTEM\mmtask.tsk

C:\PROGRAM FILES\COMMON FILES\WINTOOLS\WSUP.EXE

C:\WINDOWS\EXPLORER.EXE

C:\WINDOWS\SYSTEM\SYSTRAY.EXE

C:\WINDOWS\SYSTEM\WMIEXE.EXE

C:\WINDOWS\SYSTEM\DDHELP.EXE

C:\WINDOWS\SYSTEM\PSTORES.EXE

C:\MY DOCUMENTS\HIJACKTHIS\HIJACKTHIS.EXE

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.websearch.com/ie.aspx?tb_id=50093

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50093

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy:8080

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50093

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL

O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WINTOOLS\WTOOLSB.DLL

O4 - HKLM\..\Run: [systemTray] SysTray.Exe

O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common files\WinTools\WToolsA.exe

O4 - HKLM\..\RunServices: [WinTools] C:\Program Files\Common files\WinTools\WToolsA.exe

O9 - Extra button: ATI TV (HKLM)

O9 - Extra 'Tools' menuitem: MaxSpeed (HKLM)

O9 - Extra button: ComcastHSI (HKCU)

O9 - Extra button: Help (HKCU)

O9 - Extra button: Support (HKCU)

O9 - Extra button: @Home (HKCU)

O14 - IERESET.INF: START_PAGE_URL=http://home.excite.com/


You had a Peper infection. Ad-aware seems to have removed it, but I'd like to make sure: click here to download the PeperFix tool, save it to your desktop, double-click on it, click 'Find and Fix' and reboot if prompted. Run it again to make sure.

 

Press Ctrl+Alt+Delete to bring up the Task Manager and end any process running for WinTools.

 

WinTools may have an entry in the Add/Remove Programs Control Panel. If so, it may be easy to get rid of. In Start > Control Panel > Add or Remove Programs, make sure you have Change or Remove Programs selected in the sidebar, then highlight the following programs and uninstall them.

 

Wintools

 

Close all other windows, except for hijackthis and put a check against the following items and click 'fix checked'.

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.websearch.com/ie.aspx?tb_id=50093

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50093

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50093

 

O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WINTOOLS\WTOOLSB.DLL

 

O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common files\WinTools\WToolsA.exe

O4 - HKLM\..\RunServices: [WinTools] C:\Program Files\Common files\WinTools\WToolsA.exe

 

If this is not the supplier of your PC or ISP, then fix this also:

 

O14 - IERESET.INF: START_PAGE_URL=http://home.excite.com/

 

Now reboot your computer and start in safe mode. To do this, press the F8 key repeatedly as the computer starts up until you see a menu screen (if Windows starts normally, restart it again). Use the arrow keys to highlight "Safe Mode" and press Enter. For further information on safe mode click here.

 

Make sure you have all hidden files shown.

 

Delete the following entry if it still exists:

Folder

C:\PROGRAM FILES\COMMON FILES\WINTOOLS

 

Reboot and post a fresh log so we can check that everything has been cleaned. This was a pretty serious infestation: you had 3 separate browser hijackers and websearch hijackers, a nasty virus, some unidentified program files (probably viruses) and an unwanted toolbar. Your protection against attacks could do with being beefed up, but you can stop this happening again. Here are some tips to reduce the potential for spyware infection in the future. I strongly recommend installing the following applications; everything listed below is also free:

  • Spywareblaster <= SpywareBlaster will prevent spyware from being installed.
  • Spywareguard <= SpywareGuard offers realtime protection from spyware installation attempts.
  • IE/Spyad <= IE/Spyad places over 4000 websites and domains in the IE Restricted list, which will severely impair attempts to infect your system. It basically prevents any downloads (cookies etc.) from the sites listed, although you will still be able to connect to the sites.
  • MVPS Hosts file <= The MVPS Hosts file replaces your current HOSTS file with one containing well-known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer. In Windows Explorer go to C:\WINDOWS\System32\Drivers\Etc, locate the file called hosts (no file extension) and rename it to hosts.old. Then download the MVPS hosts file and extract it to the exact same location.
  • Google Toolbar <= Get the free Google Toolbar to help stop pop-up windows.

  • To protect yourself further:
  • It would be worth reading How did I get infected in the first place?
  • Your operating system/Internet Explorer is badly out of date. It is very important to go to the Windows Update page to check for all updates, and download and install all marked "critical".
  • Microsoft no longer supports its Java Virtual Machine. This is constantly targeted by spyware because of its security weaknesses. Uninstall Microsoft Java VM and replace it with Sun Java. This will protect you against CoolWebSearch, currently the most common and probably nastiest parasite right now (and responsible for 2 infections for you). Instructions on how to do this are here.
  • I also suggest that you delete any files from "temp" and "tmp" folders. In Internet Explorer, click on "Tools" => "Internet Options" => "Delete Files", select the box that says "Delete All Offline Content" and click on "OK" twice. Also, empty the Recycle Bin by right-clicking on it and selecting "Empty Recycle Bin". These steps should be done on a regular basis.
  • Update your antivirus program regularly. If your subscription has expired try AVG Free Edition.

Edited by Scoff


Ran PeperFix, was OK on that. Followed all your instructions; wtoolsa and wsup are no longer running. Unreal. Got rid of Java VM, got the updated one. Am waiting to install all the free stuff, but it looks great. Do you guys get paid? This is a really awesome forum. You were great. I cannot tell you how much I appreciate your help, AND I learned a lot. Here is the fresh log. Dave

 

 

Logfile of HijackThis v1.97.7

Scan saved at 11:30:16 AM, on 6/22/04

Platform: Windows 98 SE (Win9x 4.10.2222A)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\SYSTEM\KERNEL32.DLL

C:\WINDOWS\SYSTEM\MSGSRV32.EXE

C:\WINDOWS\SYSTEM\MPREXE.EXE

C:\WINDOWS\SYSTEM\MSTASK.EXE

C:\WINDOWS\SYSTEM\mmtask.tsk

C:\WINDOWS\EXPLORER.EXE

C:\WINDOWS\SYSTEM\SYSTRAY.EXE

C:\WINDOWS\SYSTEM\WMIEXE.EXE

C:\WINDOWS\SYSTEM\DDHELP.EXE

C:\MY DOCUMENTS\HIJACKTHIS\HIJACKTHIS.EXE

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by @Home

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy:8080

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX

O4 - HKLM\..\Run: [systemTray] SysTray.Exe

O4 - HKLM\..\Run: [CriticalUpdate] C:\WINDOWS\SYSTEM\wucrtupd.exe -startup

O4 - HKLM\..\RunServices: [schedulingAgent] mstask.exe

O9 - Extra button: ATI TV (HKLM)

O9 - Extra 'Tools' menuitem: MaxSpeed (HKLM)

O9 - Extra button: Related (HKLM)

O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)

O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)

O9 - Extra button: ComcastHSI (HKCU)

O9 - Extra button: Help (HKCU)

O9 - Extra button: Support (HKCU)

O9 - Extra button: @Home (HKCU)

O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...8160.3524074074
