re: winsysmngr
Wednesday, September 8, 2004 at 1:08 pm Windows 98 Annoyances Discussion Forum
Posted by Ms. Eagle
(33640 messages posted)
Hi Debra,
You have quite a number of problems, so let's eliminate some of them. I know it will
take more than one HJT run to clean it all up. Perhaps a referral to a malware support
forum for one of your problems.
First thing, move Hijack This into its own folder before fixing entries. It creates
backups, which are auto saved in the same folder. Ex: C:\HJT\HIJACKTHIS.EXE
You've a Keylogger installed, and a backdoor trojan on your system: Backdoor Troj/Winload
and PERFECT KEYLOGGER LITE. Those, along with a couple of CWS variants, and more. First,
check in Add/Remove programs for anything suspicious installed. If that Keylogger
is listed, highlight it and remove it.
Reboot into Safe Mode to run Hijack This and fix these entries and delete the folders.
Once in Safe mode, with no other windows open, run HJT. Select these items. Fix Checked.
Delete folders indicated below and reboot into normal mode. (first two items may
not show up)
C:\PROGRAM FILES\PERFECT KEYLOGGER LITE\BPK.EXE
C:\WINDOWS\SYSTEM\EXPLORER32\WINSYSMNGR.EXE
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ms101.mysearch.com/sa/srchlft.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wideopenwest.com/portal/michigan/index.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = res://D:\PROGRA~1\TOOLBAR\TOOLBAR.DLL/sa
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ms101.mysearch.com/sa/srchlft.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://ms101.mysearch.com/sa/srchlft.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = res://D:\PROGRA~1\TOOLBAR\TOOLBAR.DLL/sa
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - (no file)
O2 - BHO: (no name) - {4401FDC3-7996-4774-8D2B-C1AE9CD6CC25} - (no file)
O2 - BHO: QuickSearch Search Bar - {82315A18-6CFB-44a7-BDFD-90E36537C252} - C:\Program Files\QuickSearch\QuickSearchBar1_27.dll (file missing)
O2 - BHO: My Search BHO - {014DA6C1-189F-421a-88CD-07CFE51CFF10} - C:\PROGRAM FILES\MYSEARCH\BAR\1.BIN\S4BAR.DLL
O3 - Toolbar: PowerSearch - {4E7BD74F-2B8D-469E-A08E-8E1CA787AD2D} - (no file)
O3 - Toolbar: (no name) - {339BB23F-A864-48C0-A59F-29EA915965EC} - (no file)
O3 - Toolbar: QuickSearch Search Bar - {82315A18-6CFB-44a7-BDFD-90E36537C252} - C:\Program Files\QuickSearch\QuickSearchBar1_27.dll (file missing)
O3 - Toolbar: My &Search Bar - {014DA6C9-189F-421a-88CD-07CFE51CFF10} - C:\PROGRAM FILES\MYSEARCH\BAR\1.BIN\S4BAR.DLL
O4 - HKLM\..\Run: [WinLoad] C:\WINDOWS\SYSTEM\EXPLORER32\Winload.exe
O4 - HKCU\..\Run: [BPK] C:\PROGRAM FILES\PERFECT KEYLOGGER LITE\BPK.EXE
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - User Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
NOTE: O8 items - fix any O8 entries you no longer use or want.
O9 - Extra button: Wallpaper - {c23dd370-cb79-11d2-898a-00c04f80a47f} - C:\PROGRA~1\INTERN~1\Toolbar\toolbar.hta
O9 - Extra 'Tools' menuitem: &Toolbar Wallpaper - {c23dd370-cb79-11d2-898a-00c04f80a47f} - C:\PROGRA~1\INTERN~1\Toolbar\toolbar.hta
O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://204.168.68.163/pfr/tdserver.cab
O16 - DPF: {5D9E4B6D-CD17-4D85-99D4-6A52B394EC3B} (WSDownloader Control) - http://www.webshots.com/samplers/WSDownloader.ocx
O16 - DPF: {33288993-5664-11D4-8B5B-00D0B73B3518} (ell Class) - http://www.easports.com/downloads/games/common/ieell.cab
O16 - DPF: Arcsoft Web Uploader - http://www.hpphoto.com/downloads/ReadFileApplet.cab
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} (Toolbar Reg Sniff Activate) - http://toolbar.google.com/data/GoogleActivate.cab
O16 - DPF: {B160422D-0A48-11D4-BD9B-00A0C9B0AB7B} (Download Class) - http://expressit.broderbund.com/plugin/Download.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} - http://www.nick.com/common/groove/gx/GrooveAX27.cab
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai.net/7/19/7125/4045/ftp.coupons.com/v3123/cpbrkpie.cab
Note: spyware installed with Webshots, removing will not affect the function of
Webshots Desktop:
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://wdownload.weatherbug.com/minibug/tricklers/AWS/MiniBugTransporter.cab?
Make sure you've selected to show "hidden files" in Folder options. Delete the folders
indicated in bold:
C:\PROGRAM FILES\PERFECT KEYLOGGER LITE\
C:\PROGRAM FILES\MYSEARCH\BAR\
C:\Program Files\QuickSearch\
C:\PROGRA~1\INTERN~1\ <<--(I forget the full name, if you're unsure when you
check, wait on that. I'll check into it)
Clear out ALL temp folders, while still in safe mode:
Go into Internet Options - delete TIF and choose 'delete all Offline content'. Settings
- set the size of your TIF folder between 5 - 10 MB. Empty C:\Windows\temp folder
and C:\temp folder, if you have one. Empty Recycle bin.
It was likely missed that you'd run Spybot initially, but make sure you have the
latest version and updates installed, and as was mentioned, run the CWShredder. Once
you've done that, run HijackThis and post the new log here. As an aside, you don't
have anything installed to prevent/protect your system from malware infections. We'll
get to that too.
- Written in response to:
- re: winsysmngr (Debra: Tuesday, September 7, 2004 at 2:26 pm)
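The reply above works through the log by hand: orphaned "(no file)" / "(file missing)" entries, a missing default URLSearchHook, Run keys pointing into the keylogger and EXPLORER32 folders, and browser settings redirected to mysearch.com. The following script is an added example, not Ms. Eagle's or HijackThis's own code; it parses a constructed subset of the log lines quoted in the post and applies those same indicators automatically so the entries worth reviewing stand out from the benign ones (the Office startup link, the Webshots control). The folder fragments and the host list are taken from what the reply names and are assumed to be compared case-insensitively.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed sample: a subset of the HijackThis entries quoted in the post above.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ms101.mysearch.com/sa/srchlft.html
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - (no file)
O2 - BHO: My Search BHO - {014DA6C1-189F-421a-88CD-07CFE51CFF10} - C:\PROGRAM FILES\MYSEARCH\BAR\1.BIN\S4BAR.DLL
O3 - Toolbar: QuickSearch Search Bar - {82315A18-6CFB-44a7-BDFD-90E36537C252} - C:\Program Files\QuickSearch\QuickSearchBar1_27.dll (file missing)
O4 - HKLM\..\Run: [WinLoad] C:\WINDOWS\SYSTEM\EXPLORER32\Winload.exe
O4 - HKCU\..\Run: [BPK] C:\PROGRAM FILES\PERFECT KEYLOGGER LITE\BPK.EXE
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O16 - DPF: {5D9E4B6D-CD17-4D85-99D4-6A52B394EC3B} (WSDownloader Control) - http://www.webshots.com/samplers/WSDownloader.ocx
"""

# Folder fragments the reply tells the poster to delete (assumption: matched case-insensitively).
SUSPECT_PATH_FRAGMENTS = [
    "\\PERFECT KEYLOGGER LITE\\",
    "\\MYSEARCH\\BAR\\",
    "\\QUICKSEARCH\\",
    "\\EXPLORER32\\",
]
# Host the hijacked search settings in the log point at.
SUSPECT_HOSTS = ["ms101.mysearch.com"]

# Every HJT entry starts with a section tag such as R1, O2, O16, then " - ".
ENTRY_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.+)$")


@dataclass
class Finding:
    section: str
    body: str
    reasons: List[str] = field(default_factory=list)


def classify(section: str, body: str) -> List[str]:
    """Return the reasons an entry deserves attention; an empty list means it looks benign."""
    reasons: List[str] = []
    upper = body.upper()
    if "(no file)" in body or "(file missing)" in body:
        reasons.append("orphaned entry: registry points at a file that no longer exists")
    if section == "R3" and "is missing" in body:
        reasons.append("default URLSearchHook removed (typical of search hijackers)")
    for frag in SUSPECT_PATH_FRAGMENTS:
        if frag in upper:
            label = frag.strip("\\")
            reasons.append("binary lives under a folder marked for deletion (" + label + ")")
    for host in SUSPECT_HOSTS:
        if host in body.lower():
            reasons.append("browser setting redirected to " + host)
    return reasons


def triage(log_text: str) -> List[Finding]:
    """Parse a HijackThis log and keep only the entries that match an indicator."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue  # blank line or text that is not an HJT entry
        reasons = classify(m["section"], m["body"])
        if reasons:
            findings.append(Finding(m["section"], m["body"], reasons))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count flagged entries per HJT section, e.g. {'O4': 2, ...}."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.section] = counts.get(f.section, 0) + 1
    return counts


if __name__ == "__main__":
    flagged = triage(SAMPLE_LOG)
    for f in flagged:
        print(f.section, f.body)
        for r in f.reasons:
            print("    ->", r)
    print(summarize(flagged))
```

Run against the sample, seven of the nine entries are flagged and the two legitimate ones drop out; the O3 QuickSearch toolbar collects two reasons (missing file and a folder slated for deletion), which is the kind of entry the reply tells the poster to fix in HJT and then remove from disk. Indicator lists like these are only as good as the log they were built from, so a fresh log after cleanup should be re-run rather than assumed clean.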