
Yet another about\blank assault..Hijack this log


  • This topic is locked
25 replies to this topic

#1 crunchy

crunchy

  • Members
  • 19 posts
  • OFFLINE
  •  
  • Local time:05:59 PM

Posted 06 June 2004 - 07:33 PM

Thanks in advance for any help rendered. I don't have a lot of experience in computers, I am a machinist by trade. If you want mill work, lathe or grinding work, I'm your man, but I will need a lot of hand holding fixing this. I have the cool web search Trojan, the real yellow pages version that cws shredder can't eliminate. I have made a hijack this log and I will try to attach it to this listing. Again, thanks for your help.

Logfile of HijackThis v1.97.7
Scan saved at 8:08:45 PM, on 6/6/04
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\MSGLOOP.EXE
C:\WINDOWS\SYSTEM\MSG32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMKEYBD.EXE
C:\WINDOWS\SYSTEM\PELMICED.EXE
C:\WINDOWS\TASKMON.EXE
C:\PROGRAM FILES\AHEAD\INCD\INCD.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\PROGRAM FILES\VCOM\SYSTEMSUITE\MXTASK.EXE
C:\PROGRAM FILES\SPYWAREGUARD\SGMAIN.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\KEYBDMGR.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMUSBKB2.EXE
C:\PROGRAM FILES\SPYWAREGUARD\SGBHP.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\RNATHCHK.EXE
C:\HIJACKTHIS.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://multimedia.lycos.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - (no file)
O4 - HKLM\..\Run: [Keyboard Manager] C:\Program Files\Netropa\One-touch Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] PELMICED.EXE
O4 - HKLM\..\Run: [RCScheduleCheck] C:\PROGRAM FILES\VCOM\RECOVERY COMMANDER\RCSCHED.EXE -CHECK
O4 - HKLM\..\Run: [Fix-It AV] C:\PROGRA~1\VCOM\SYSTEM~1\MEMCHECK.EXE
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [3dfx Tools] rundll32.exe 3dfxCmn.dll,CMNUpdateOnBoot
O4 - HKLM\..\Run: [TimeSink Ad Client] "C:\Program Files\TimeSink\AdGateway\TSADBOT.EXE"
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [DSS] C:\WINDOWS\BBSTORE\DSS\DSSAGENT.EXE
O4 - HKLM\..\Run: [DXM6Patch_981116] C:\WINDOWS\p_981116.exe /Q:A
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] C:\WINDOWS\SYSTEM\mstask.exe
O4 - Startup: SystemSuite.lnk = C:\Program Files\VCOM\SystemSuite\MXTask.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Startup: Office Startup.lnk = C:\Program Files\Windows Messaging\NEWPROF.EXE
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Windows Messaging\NEWPROF.EXE
O4 - Startup: PowerReg Scheduler.exe
O4 - User Startup: SystemSuite.lnk = C:\Program Files\VCOM\SystemSuite\MXTask.exe
O4 - User Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - User Startup: Office Startup.lnk = C:\Program Files\Windows Messaging\NEWPROF.EXE
O4 - User Startup: Microsoft Find Fast.lnk = C:\Program Files\Windows Messaging\NEWPROF.EXE
O4 - User Startup: PowerReg Scheduler.exe
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://active.macromedia.com/flash2/cabs/swflash.cab
O16 - DPF: {CA034DCC-A580-4333-B52F-15F98C42E04C} (Downloader Class) - http://www.stopzilla.com/_download/Auto_Installer/dwnldr.cab



#2 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,639 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:05:59 PM

Posted 06 June 2004 - 10:50 PM

I want you to fix some of those entries. Please do the following:

Please make sure that you can view all hidden files. Instructions on how to do this can be found here:

How to see hidden files in Windows

Please put a checkmark in the box for each of these entries, close all other windows, and click the fix button:


R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O4 - HKLM\..\Run: [TimeSink Ad Client] "C:\Program Files\TimeSink\AdGateway\TSADBOT.EXE"
O4 - HKLM\..\Run: [DSS] C:\WINDOWS\BBSTORE\DSS\DSSAGENT.EXE
O4 - HKLM\..\Run: [DXM6Patch_981116] C:\WINDOWS\p_981116.exe /Q:A


Reboot your computer into Safe Mode.

Then delete these files or directories
C:\WINDOWS\BBSTORE\DSS\DSSAGENT.EXE
C:\Program Files\TimeSink\
C:\WINDOWS\p_981116.exe

Reboot your computer to go back to normal mode and post a new log.

As for your friend's computer, see if you can download cwshredder and burn it onto a cd and see if that makes it so he can run ad-aware. Best bet is if you can download mozilla firefox onto a cd and then have him install it and post a log here.

#3 crunchy


Posted 07 June 2004 - 08:25 PM

I have to give it to you grinler, you know your stuff. I think it's dead dead dead. I have been fighting cws for about six weeks and this is the most success so far. I have had no return of cws since killing those files. All of the things that you asked me to delete I had found suspicious but I followed the advice given here and asked before acting. If I had acted alone I would have deleted several other things as well. Thank you for your help. Here is my log.



Logfile of HijackThis v1.97.7
Scan saved at 2:51:28 PM, on 6/7/04
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\MSGLOOP.EXE
C:\WINDOWS\SYSTEM\MSG32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMKEYBD.EXE
C:\WINDOWS\SYSTEM\PELMICED.EXE
C:\WINDOWS\TASKMON.EXE
C:\PROGRAM FILES\AHEAD\INCD\INCD.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\PROGRAM FILES\VCOM\SYSTEMSUITE\MXTASK.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\KEYBDMGR.EXE
C:\PROGRAM FILES\SPYWAREGUARD\SGMAIN.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMUSBKB2.EXE
C:\PROGRAM FILES\SPYWAREGUARD\SGBHP.EXE
C:\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://multimedia.lycos.com/
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - (no file)
O4 - HKLM\..\Run: [Keyboard Manager] C:\Program Files\Netropa\One-touch Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] PELMICED.EXE
O4 - HKLM\..\Run: [RCScheduleCheck] C:\PROGRAM FILES\VCOM\RECOVERY COMMANDER\RCSCHED.EXE -CHECK
O4 - HKLM\..\Run: [Fix-It AV] C:\PROGRA~1\VCOM\SYSTEM~1\MEMCHECK.EXE
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [3dfx Tools] rundll32.exe 3dfxCmn.dll,CMNUpdateOnBoot
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] C:\WINDOWS\SYSTEM\mstask.exe
O4 - Startup: SystemSuite.lnk = C:\Program Files\VCOM\SystemSuite\MXTask.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Startup: Office Startup.lnk = C:\Program Files\Windows Messaging\NEWPROF.EXE
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Windows Messaging\NEWPROF.EXE
O4 - Startup: PowerReg Scheduler.exe
O4 - User Startup: SystemSuite.lnk = C:\Program Files\VCOM\SystemSuite\MXTask.exe
O4 - User Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - User Startup: Office Startup.lnk = C:\Program Files\Windows Messaging\NEWPROF.EXE
O4 - User Startup: Microsoft Find Fast.lnk = C:\Program Files\Windows Messaging\NEWPROF.EXE
O4 - User Startup: PowerReg Scheduler.exe
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://active.macromedia.com/flash2/cabs/swflash.cab
O16 - DPF: {CA034DCC-A580-4333-B52F-15F98C42E04C} (Downloader Class) - http://www.stopzilla.com/_download/Auto_Installer/dwnldr.cab


I'm glad I'm a dos man from way back, some of those files would not appear in windows even with show hidden files turned on. I went into dos and killed them the old school way. I hope everything looks ok, let me know. Thanks Crunchy

#4 Grinler


Posted 07 June 2004 - 09:58 PM

No malware or spyware anywhere in that log!! Good job

#5 crunchy


Posted 10 June 2004 - 04:38 PM

aaaaahhhhhhh aaaaaaaaahhhhhhhhhhhh AAAAAAAAAAAAHHHHHHHHHHHHHHH
It's back, I have been to the Merijn page and he says this version may not be visible to hijack this. I will post my log but I don't see anything that looks wrong. It may be time to use dll.fix.

Logfile of HijackThis v1.97.7
Scan saved at 5:36:06 PM, on 6/10/04
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSGLOOP.EXE
C:\WINDOWS\SYSTEM\MSG32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMKEYBD.EXE
C:\WINDOWS\SYSTEM\PELMICED.EXE
C:\WINDOWS\TASKMON.EXE
C:\PROGRAM FILES\AHEAD\INCD\INCD.EXE
C:\PROGRAM FILES\CASINOONLINE\CSREMND.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\KEYBDMGR.EXE
C:\PROGRAM FILES\VCOM\SYSTEMSUITE\MXTASK.EXE
C:\PROGRAM FILES\SPYWAREGUARD\SGMAIN.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMUSBKB2.EXE
C:\PROGRAM FILES\SPYWAREGUARD\SGBHP.EXE
C:\PROGRAM FILES\JUNO2\BIN\JUNO.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://multimedia.lycos.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - (no file)
O4 - HKLM\..\Run: [Keyboard Manager] C:\Program Files\Netropa\One-touch Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] PELMICED.EXE
O4 - HKLM\..\Run: [RCScheduleCheck] C:\PROGRAM FILES\VCOM\RECOVERY COMMANDER\RCSCHED.EXE -CHECK
O4 - HKLM\..\Run: [Fix-It AV] C:\PROGRA~1\VCOM\SYSTEM~1\MEMCHECK.EXE
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [3dfx Tools] rundll32.exe 3dfxCmn.dll,CMNUpdateOnBoot
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [Remndr] "C:\PROGRAM FILES\CASINOONLINE\CSREMND.EXE"
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - Startup: SystemSuite.lnk = C:\Program Files\VCOM\SystemSuite\MXTask.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Startup: Office Startup.lnk = C:\Program Files\Windows Messaging\NEWPROF.EXE
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Windows Messaging\NEWPROF.EXE
O4 - Startup: PowerReg Scheduler.exe
O4 - User Startup: SystemSuite.lnk = C:\Program Files\VCOM\SystemSuite\MXTask.exe
O4 - User Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - User Startup: Office Startup.lnk = C:\Program Files\Windows Messaging\NEWPROF.EXE
O4 - User Startup: Microsoft Find Fast.lnk = C:\Program Files\Windows Messaging\NEWPROF.EXE
O4 - User Startup: PowerReg Scheduler.exe
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://active.macromedia.com/flash2/cabs/swflash.cab
O16 - DPF: {CA034DCC-A580-4333-B52F-15F98C42E04C} (Downloader Class) - http://www.stopzilla.com/_download/Auto_Installer/dwnldr.cab

Thanks for the help

Crunchy
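Comparing this log with the clean one from 7 June shows what changed between the two scans. The following is an added example, not part of the original posts: the two embedded logs are trimmed excerpts of the logs in this thread, and the function and variable names are illustrative.

```python
import re

# Entry lines look like "O4 - HKLM\..\Run: [Name] command". The code before
# " - " is the HijackThis section (R0/R1 = IE pages, O2 = BHO, O4 = autostart).
ENTRY_RE = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")

# Trimmed excerpt of the 6/7/04 log (the one judged clean in the thread).
LOG_JUN7 = r'''
Logfile of HijackThis v1.97.7
Scan saved at 2:51:28 PM, on 6/7/04

Running processes:
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\SPYWAREGUARD\SGMAIN.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://multimedia.lycos.com/
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\RunServices: [SchedulingAgent] C:\WINDOWS\SYSTEM\mstask.exe
'''

# Trimmed excerpt of the 6/10/04 log (after the hijack returned).
LOG_JUN10 = r'''
Logfile of HijackThis v1.97.7
Scan saved at 5:36:06 PM, on 6/10/04

Running processes:
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\CASINOONLINE\CSREMND.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\SPYWAREGUARD\SGMAIN.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://multimedia.lycos.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [Remndr] "C:\PROGRAM FILES\CASINOONLINE\CSREMND.EXE"
'''


def parse_log(text):
    """Return (processes, entries) from a HijackThis log as two sets."""
    processes, entries, in_procs = set(), set(), False
    for raw in text.splitlines():
        line = raw.strip()
        if line.lower().startswith("running processes"):
            in_procs = True
            continue
        match = ENTRY_RE.match(line)
        if match:
            # The first R/O/F/N entry ends the process list.
            in_procs = False
            entries.add((match.group(1), match.group(2)))
        elif in_procs and line:
            # Win9x logs mix upper and lower case paths; normalise them.
            processes.add(line.upper())
    return processes, entries


def diff_logs(before, after):
    """Report processes and entries that appeared or vanished between scans."""
    procs_before, entries_before = parse_log(before)
    procs_after, entries_after = parse_log(after)
    return {
        "new_processes": sorted(procs_after - procs_before),
        "gone_processes": sorted(procs_before - procs_after),
        "new_entries": sorted(entries_after - entries_before),
        "gone_entries": sorted(entries_before - entries_after),
    }


if __name__ == "__main__":
    for kind, items in diff_logs(LOG_JUN7, LOG_JUN10).items():
        print(kind)
        for item in items:
            print("   ", item)
```

On these excerpts the diff reports the new CSREMND.EXE process and its `Remndr` Run entry, the returned `HomeOldSP = about:blank` value, and the `SchedulingAgent` RunServices entry that is no longer listed.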

#6 Grinler


Posted 10 June 2004 - 06:47 PM

Fix this last entry:

O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - (no file)


Now let's do dllfix (I see you have been reading the posts):

Step 1. Download DLLFix from:

http://downloads.subratam.org/dllfix.exe

or

http://tools.zerosrealm.com/dllfix.exe

Step 2. After it has completed downloading, navigate to the folder you saved it in and double-click on dllfix.exe.

Step 3. It will prompt you to extract the files somewhere. Type in c:\dllfix and press install.

Step 4. Navigate to c:\dllfix and double-click on start.bat

Step 5. Run Option 1 by pressing 1. The program will now start searching.

Step 6. Once the search is complete a notepad will open called output.txt. Post the contents as a reply to this post.

#7 crunchy


Posted 10 June 2004 - 09:18 PM

If I double post I'm sorry, I locked up and was not sure if my last post got thru.

To Quote myself AAAAAAAAAAAHHHHHHHHHHHHHHHHHHH!!!!!!!!!!!!!!!!!!!!!!!!
IT's Back!

I think I have the variety of cws that is mixed with realyellowpages because cws shredder can't seem to remove it. It might be time for dll fix


Logfile of HijackThis v1.97.7
Scan saved at 5:36:06 PM, on 6/10/04
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSGLOOP.EXE
C:\WINDOWS\SYSTEM\MSG32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMKEYBD.EXE
C:\WINDOWS\SYSTEM\PELMICED.EXE
C:\WINDOWS\TASKMON.EXE
C:\PROGRAM FILES\AHEAD\INCD\INCD.EXE
C:\PROGRAM FILES\CASINOONLINE\CSREMND.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\KEYBDMGR.EXE
C:\PROGRAM FILES\VCOM\SYSTEMSUITE\MXTASK.EXE
C:\PROGRAM FILES\SPYWAREGUARD\SGMAIN.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMUSBKB2.EXE
C:\PROGRAM FILES\SPYWAREGUARD\SGBHP.EXE
C:\PROGRAM FILES\JUNO2\BIN\JUNO.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://multimedia.lycos.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - (no file)
O4 - HKLM\..\Run: [Keyboard Manager] C:\Program Files\Netropa\One-touch Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] PELMICED.EXE
O4 - HKLM\..\Run: [RCScheduleCheck] C:\PROGRAM FILES\VCOM\RECOVERY COMMANDER\RCSCHED.EXE -CHECK
O4 - HKLM\..\Run: [Fix-It AV] C:\PROGRA~1\VCOM\SYSTEM~1\MEMCHECK.EXE
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [3dfx Tools] rundll32.exe 3dfxCmn.dll,CMNUpdateOnBoot
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [Remndr] "C:\PROGRAM FILES\CASINOONLINE\CSREMND.EXE"
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - Startup: SystemSuite.lnk = C:\Program Files\VCOM\SystemSuite\MXTask.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Startup: Office Startup.lnk = C:\Program Files\Windows Messaging\NEWPROF.EXE
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Windows Messaging\NEWPROF.EXE
O4 - Startup: PowerReg Scheduler.exe
O4 - User Startup: SystemSuite.lnk = C:\Program Files\VCOM\SystemSuite\MXTask.exe
O4 - User Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - User Startup: Office Startup.lnk = C:\Program Files\Windows Messaging\NEWPROF.EXE
O4 - User Startup: Microsoft Find Fast.lnk = C:\Program Files\Windows Messaging\NEWPROF.EXE
O4 - User Startup: PowerReg Scheduler.exe
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://active.macromedia.com/flash2/cabs/swflash.cab
O16 - DPF: {CA034DCC-A580-4333-B52F-15F98C42E04C} (Downloader Class) - http://www.stopzilla.com/_download/Auto_Installer/dwnldr.cab

I'm thinking of looking up a cheap airfare and flying to Russia to the cws home office and committing homicide.

#8 crunchy


Posted 10 June 2004 - 09:35 PM

I downloaded dll.fix from the first listing on your reply and tried to run it. It gave a message that it's for win 2000 or xp only. I'm running win 98. Yes yes, I know I'm in the dark ages but I still like win98, go ahead, lash me with a wet noodle. I'm gonna try the second listing but I think I'm licked.

#9 Grinler


Posted 10 June 2004 - 10:57 PM

My apologies for not noticing that. Follow these directions instead:

Please follow these steps:

Step 1:

1. Click on Start, then Run and type msinfo32 and press the OK button.
2. Expand the Software Environment section.
3. Expand the System Hooks Section.
4. Look for the which may be listed As:

-Hook type: Window Procedure
-Hooked by: XXXXX.dll
-Application: RUNDLL32.EXE
-Dll path: C:\WINDOWS\SYSTEM\XXXXX.dll
-Application path: C:\WINDOWS\RUNDLL32.EXE

Where XXXXX.dll is the file name.

If you find that file, highlight it with your mouse and click on edit then copy to copy the filename.

Then post that filename with the information in the next step in a reply to this post.

5. Continue to Step 2.

Step 2:

1. Download: "StartDreck" from:

http://www.niksoft.at/download/startdreck.htm

2. Extract the file into c:\startdreck.

3. Navigate to c:\startdreck and double-click on Startdreck.exe

4. When the program opens click on the Config button.

5. Then click on the unmark all button.

6. Then put checkmarks in the following checkboxes:

Under Registry put a checkmark in the Run Keys checkbox.

Under System/Drivers put a check in the Running Process checkbox.

7. Press the OK button.

8. Press the Save button. Type in the location you want to save the log to, or use the defaults which will save the log into the directory you are running the program from. If you choose the defaults the filename for the log will be StartDreck.log.

9. Post a copy of the log as a reply to this post.

#10 crunchy


Posted 12 June 2004 - 01:00 PM

The water's gettin deep and my waders are lookin short.

StartDreck (build 2.1.5 public BETA) - 2004-06-12 @ 13:52:13
Platform: Windows 98 (Win 4.10.1998 )

Registry
Run Keys
Current User
Run
RunOnce
Default User
Run
RunOnce
Local Machine
Run
*Keyboard Manager=C:\Program Files\Netropa\One-touch Multimedia Keyboard\MMKeybd.exe
*Mouse Suite 98 Daemon=PELMICED.EXE
*RCScheduleCheck=C:\PROGRAM FILES\VCOM\RECOVERY COMMANDER\RCSCHED.EXE -CHECK
*Fix-It AV=C:\PROGRA~1\VCOM\SYSTEM~1\MEMCHECK.EXE
*ScanRegistry=C:\WINDOWS\scanregw.exe /autorun
*TaskMonitor=C:\WINDOWS\taskmon.exe
*3dfx Tools=rundll32.exe 3dfxCmn.dll,CMNUpdateOnBoot
*InCD=C:\Program Files\Ahead\InCD\InCD.exe
*QuickTime Task="C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
*Remndr="C:\PROGRAM FILES\CASINOONLINE\CSREMND.EXE"
RunOnce
RunServices
*LoadPowerProfile=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
RunServicesOnce
RunOnceEx
RunServicesOnceEx
Files
System/Drivers
Running Processes
*FF0F1647=C:\WINDOWS\SYSTEM\KERNEL32.DLL
*FFFF42D7=C:\WINDOWS\SYSTEM\MSGSRV32.EXE
*FFFF5567=C:\WINDOWS\SYSTEM\MPREXE.EXE
*FFFF6A13=C:\WINDOWS\SYSTEM\MSGLOOP.EXE
*FFFE8C57=C:\WINDOWS\SYSTEM\MSG32.EXE
*FFFE8D6B=C:\WINDOWS\SYSTEM\mmtask.tsk
*FFFE3F1B=C:\WINDOWS\EXPLORER.EXE
*FFFD19AB=C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMKEYBD.EXE
*FFFD4B93=C:\WINDOWS\SYSTEM\PELMICED.EXE
*FFFC0AE7=C:\WINDOWS\TASKMON.EXE
*FFFCD943=C:\WINDOWS\SYSTEM\MSTASK.EXE
*FFFC225B=C:\PROGRAM FILES\AHEAD\INCD\INCD.EXE
*FFFC7E9F=C:\PROGRAM FILES\CASINOONLINE\CSREMND.EXE
*FFFAE0BF=C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\KEYBDMGR.EXE
*FFFA077F=C:\PROGRAM FILES\VCOM\SYSTEMSUITE\MXTASK.EXE
*FFF900D3=C:\PROGRAM FILES\SPYWAREGUARD\SGMAIN.EXE
*FFFC9F1B=C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMUSBKB2.EXE
*FFFA5453=C:\PROGRAM FILES\SPYWAREGUARD\SGBHP.EXE
*FFFA398B=C:\PROGRAM FILES\JUNO2\BIN\JUNO.EXE
*FFF8E227=C:\WINDOWS\SYSTEM\TAPISRV.EXE
*FFF8604F=C:\WINDOWS\SYSTEM\RNAAPP.EXE
*FFF76547=C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
*FFF73993=C:\WINDOWS\SYSTEM\PSTORES.EXE
*FFF6178B=C:\WINDOWS\SYSTEM\SPOOL32.EXE
*FFF4A687=C:\PROGRAM FILES\VCOM\POWERDESK\PDEXPLO.EXE
*FFF54963=C:\WINDOWS\TEMP\~~PDTEMP\STARTDRECK.EXE
Application specific

Window Procedure Ms.dll RUNDLL32.EXE C:\WINDOWS\SYSTEM\Ms.dll C:\WINDOWS\RUNDLL32.EXE

Sorry, I guess that's backwards but I seem to do everything backwards

Thanks Crunchy

#11 Grinler


Posted 12 June 2004 - 01:51 PM

I do not see anything here.

What web pages are you redirecting to?

#12 crunchy


Posted 13 June 2004 - 07:32 AM

I can't seem to get the log from spyware guard to paste so I will manually type in what I think are the important parts.

Start page About Blank

search bar //c:windows\temp\sp.html

Search page//c:\windows\temp\sp.html

bho:{28eb5c44-bd0c-11d8-988f-00000a579b86}

I had spyware guard remove each or returned to original value.

Does this help at all?

Thanks

Crunchy.

Hey, I have to thank you again for taking way too much of your valuable time, I want you to know that it is appreciated.

#13 Grinler


Posted 13 June 2004 - 12:41 PM

1. Go to the site: http://www10.brinkster.com/expl0iter/freeatlast/pvtool.htm

2. Download Win98Fix.zip and extract it into c:\win98fix.

3. Navigate to the c:\win98fix folder and double-click on the RunFix.reg. If it prompts you to allow it to run, say Yes.

4. When that is done reboot your computer.

5. Now find c:\windows\system32\ms.dll which should be visible now and delete the file.

6. Post a new hijackthis log.

#14 crunchy


Posted 20 June 2004 - 02:50 PM

I have had a super busy week and have been unable to reply. I followed the directions and I have not had a cws pop up since. But I am not able to find the file that you said to delete. The folder shows as empty. Am I missing something?




Logfile of HijackThis v1.97.7
Scan saved at 3:54:10 PM, on 6/20/04
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSGLOOP.EXE
C:\WINDOWS\SYSTEM\MSG32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMKEYBD.EXE
C:\WINDOWS\SYSTEM\PELMICED.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\KEYBDMGR.EXE
C:\WINDOWS\TASKMON.EXE
C:\PROGRAM FILES\AHEAD\INCD\INCD.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\PROGRAM FILES\VCOM\SYSTEMSUITE\MXTASK.EXE
C:\PROGRAM FILES\SPYWAREGUARD\SGMAIN.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\RNATHCHK.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMUSBKB2.EXE
C:\PROGRAM FILES\SPYWAREGUARD\SGBHP.EXE
C:\PROGRAM FILES\JUNO2\BIN\JUNO.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://multimedia.lycos.com/
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - (no file)
O4 - HKLM\..\Run: [Keyboard Manager] C:\Program Files\Netropa\One-touch Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] PELMICED.EXE
O4 - HKLM\..\Run: [RCScheduleCheck] C:\PROGRAM FILES\VCOM\RECOVERY COMMANDER\RCSCHED.EXE -CHECK
O4 - HKLM\..\Run: [Fix-It AV] C:\PROGRA~1\VCOM\SYSTEM~1\MEMCHECK.EXE
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [3dfx Tools] rundll32.exe 3dfxCmn.dll,CMNUpdateOnBoot
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - Startup: SystemSuite.lnk = C:\Program Files\VCOM\SystemSuite\MXTask.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Startup: Office Startup.lnk = C:\Program Files\Windows Messaging\NEWPROF.EXE
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Windows Messaging\NEWPROF.EXE
O4 - Startup: PowerReg Scheduler.exe
O4 - User Startup: SystemSuite.lnk = C:\Program Files\VCOM\SystemSuite\MXTask.exe
O4 - User Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - User Startup: Office Startup.lnk = C:\Program Files\Windows Messaging\NEWPROF.EXE
O4 - User Startup: Microsoft Find Fast.lnk = C:\Program Files\Windows Messaging\NEWPROF.EXE
O4 - User Startup: PowerReg Scheduler.exe
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://active.macromedia.com/flash2/cabs/swflash.cab
O16 - DPF: {CA034DCC-A580-4333-B52F-15F98C42E04C} (Downloader Class) - http://www.stopzilla.com/_download/Auto_Installer/dwnldr.cab
O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab

#15 Grinler


Posted 20 June 2004 - 08:31 PM

Looks good. You should reinstall Spywareguard or download and install the latest spybot. Tutorials for both programs can be found in the Tutorial section.



