Annoyances.org
re: winsysmngr
Thursday, September 9, 2004 at 4:44 am
Windows 98 Annoyances Discussion Forum
Posted by Debra (39 messages posted)


I never realized the problems that I had on my computer. I did all the things that you both mentioned. After all that, it did get WINSYSMNGER off my computer. I am still not sure how it got there.

Here is a copy of my new HJT log:
Logfile of HijackThis v1.98.2
Scan saved at 6:55:29 AM, on 9/9/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\PROFILES\MOM\DESKTOP\NEW FOLDER\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.searchnugget.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://www.wideopenwest.com/portal/michigan/index.html"); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\92pjzkqc.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CPROGRAM%20FILES%5CNETSCAPE%5CNETSCAPE%5Csearchplugins%5CSBWeb_01.src"); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\92pjzkqc.slt\prefs.js)
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\WINDOWS\DOWNLOADED PROGRAM FILES\YCOMP5_3_16_0.DLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: ALTAVISTA - {4E7BD74F-2B8D-469E-92EA-EC65A294AE31} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: IBBHO - {12BA043E-293E-4CE4-A8C7-8460934FE801} - C:\PROGRAM FILES\INCREDIBAR\BIN\IBBHO.DLL
O3 - Toolbar: ALTAVISTA - {4E7BD74F-2B8D-469E-92EA-EC65A294AE31} - (no file)
O3 - Toolbar: IncrediBar - {D8073790-84C7-4602-BF77-C6ACBF1612E4} - C:\PROGRAM FILES\INCREDIBAR\BIN\IBTBAR.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\WINDOWS\DOWNLOADED PROGRAM FILES\YCOMP5_3_16_0.DLL
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\GRISOFT\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [Zone Labs Client] "C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE"
O4 - HKLM\..\RunServices: [Avgserv9.exe] C:\PROGRA~1\GRISOFT\AVG6\Avgserv9.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - HKCU\..\Run: [Weather] C:\PROGRAM FILES\AWS\WEATHERBUG\WEATHER.EXE 1
O4 - Startup: ePrompter.lnk = C:\Program Files\ePrompter\ePrompter.exe
O4 - Startup: Shortcut to zonealarm.lnk = C:\WINDOWS\Start Menu\System Tools\ZoneAlarm\zonealarm.exe
O8 - Extra context menu item: AltaVista Search - file://C:\Program Files\Dynamic Toolbar\ALTAVISTA\Cache\SelectedContextSearch.htm
O8 - Extra context menu item: Translate - file://C:\Program Files\Dynamic Toolbar\ALTAVISTA\Cache\SelectedContextTranslation.htm
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - res://D:\PROGRAM FILES\IESPELL\IESPELL.DLL/SPELLCHECK.HTM (file missing)
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - res://D:\PROGRAM FILES\IESPELL\IESPELL.DLL/SPELLCHECK.HTM (file missing)
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - res://D:\PROGRAM FILES\IESPELL\IESPELL.DLL/SPELLOPTION.HTM (file missing)
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - res://D:\PROGRAM FILES\IESPELL\IESPELL.DLL/SPELLOPTION.HTM (file missing)
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O9 - Extra button: IncrediBar - {023FA804-DCE1-4817-94ED-6BA4200F9AF2} - C:\PROGRAM FILES\INCREDIBAR\BIN\IBTBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIMGAMES\AIM95\AIM.EXE
O9 - Extra button: eBay - Homepage - {EF79EAC5-3452-4E02-B8BD-BA4C89F1AC7A} - D:\Program Files\IrfanView\Ebay\Ebay.htm
O12 - Plugin for .bcf: C:\PROGRA~1\INTERN~1\Plugins\NPBelv32.dll
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IMDownloader Class) - http://www2.incredimail.com/contents/setup/downloader/imloader.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {1842B0EE-B597-11D4-8997-00104BD12D94} (iCC Class) - http://www.pcpitstop.com/internet/pcpConnCheck.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX22/download/kdx.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O16 - DPF: {2359626E-7524-4F87-B04E-22CD38A0C88C} (ICSScannerLight Class) - http://download.zonelabs.com/bin/free/cm/ICSCM.cab
O16 - DPF: {861DB4B6-3838-11D2-8E50-002018200E57} (MrSIDI Control) - http://images.myfamily.net/isfiles/downloads/MrSIDI.cab
O16 - DPF: {435583D3-F647-4943-BB40-B0D64CB02718} (Snapfish File Upload ActiveX Control) - http://www.snapfish.com/SnapfishUpload.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (Yahoo! Toolbar) - http://us.dl1.yimg.com/download.companion.yahoo.com/dl/toolbar/yiebio5_3_16_0.cab
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab

On Wednesday, September 8, 2004 at 1:08 pm, Carol J wrote:
>Hi Debra, You have quite a number of problems, so let's eliminate some of it. I know it will take more than one HJT run to clean it all up. Perhaps a referral to a malware support forum for one of your problems.
>
>First thing, move Hijack This into its own folder before fixing entries. It creates backups, which are auto saved in the same folder. Ex: C:\HJT\HIJACKTHIS.EXE
>
>You've a Keylogger installed, and a backdoor trojan on your system: Backdoor Troj/Winload and PERFECT KEYLOGGER LITE. Those, along with a couple CWS variants, and more. First, check in Add/Remove programs for anything suspicious installed. If that Keylogger is listed, highlight it and remove it.
>
>Reboot into Safe Mode to run Hijack This and fix these entries and delete the folders. Once in Safe mode, with no other windows open, run HJT. Select these items. Fix Checked. Delete folders indicated below and reboot into normal mode. (first two items may not show up)
>
>C:\PROGRAM FILES\PERFECT KEYLOGGER LITE\BPK.EXE
>C:\WINDOWS\SYSTEM\EXPLORER32\WINSYSMNGR.EXE
>R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ms101.mysearch.com/sa/srchlft.html
>R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wideopenwest.com/portal/michigan/index.html
>R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
>R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = res://D:\PROGRA~1\TOOLBAR\TOOLBAR.DLL/sa
>R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ms101.mysearch.com/sa/srchlft.html
>R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://ms101.mysearch.com/sa/srchlft.html
>R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = res://D:\PROGRA~1\TOOLBAR\TOOLBAR.DLL/sa
>R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
>R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
>R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
>R3 - Default URLSearchHook is missing
>O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - (no file)
>O2 - BHO: (no name) - {4401FDC3-7996-4774-8D2B-C1AE9CD6CC25} - (no file)
>O2 - BHO: QuickSearch Search Bar - {82315A18-6CFB-44a7-BDFD-90E36537C252} - C:\Program Files\QuickSearch\QuickSearchBar1_27.dll (file missing)
>O2 - BHO: My Search BHO - {014DA6C1-189F-421a-88CD-07CFE51CFF10} - C:\PROGRAM FILES\MYSEARCH\BAR\1.BIN\S4BAR.DLL
>O3 - Toolbar: PowerSearch - {4E7BD74F-2B8D-469E-A08E-8E1CA787AD2D} - (no file)
>O3 - Toolbar: (no name) - {339BB23F-A864-48C0-A59F-29EA915965EC} - (no file)
>O3 - Toolbar: QuickSearch Search Bar - {82315A18-6CFB-44a7-BDFD-90E36537C252} - C:\Program Files\QuickSearch\QuickSearchBar1_27.dll (file missing)
>O3 - Toolbar: My &Search Bar - {014DA6C9-189F-421a-88CD-07CFE51CFF10} - C:\PROGRAM FILES\MYSEARCH\BAR\1.BIN\S4BAR.DLL
>O4 - HKLM\..\Run: [WinLoad] C:\WINDOWS\SYSTEM\EXPLORER32\Winload.exe
>O4 - HKCU\..\Run: [BPK] C:\PROGRAM FILES\PERFECT KEYLOGGER LITE\BPK.EXE
>O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
>O4 - User Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
>
>NOTE: O8 items - fix any O8 entries you no longer use or want.
>
>O9 - Extra button: Wallpaper - {c23dd370-cb79-11d2-898a-00c04f80a47f} - C:\PROGRA~1\INTERN~1\Toolbar\toolbar.hta
>O9 - Extra 'Tools' menuitem: &Toolbar Wallpaper - {c23dd370-cb79-11d2-898a-00c04f80a47f} - C:\PROGRA~1\INTERN~1\Toolbar\toolbar.hta
>O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://204.168.68.163/pfr/tdserver.cab
>O16 - DPF: {5D9E4B6D-CD17-4D85-99D4-6A52B394EC3B} (WSDownloader Control) - http://www.webshots.com/samplers/WSDownloader.ocx
>O16 - DPF: {33288993-5664-11D4-8B5B-00D0B73B3518} (ell Class) - http://www.easports.com/downloads/games/common/ieell.cab
>O16 - DPF: Arcsoft Web Uploader - http://www.hpphoto.com/downloads/ReadFileApplet.cab
>O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} (Toolbar Reg Sniff Activate) - http://toolbar.google.com/data/GoogleActivate.cab
>O16 - DPF: {B160422D-0A48-11D4-BD9B-00A0C9B0AB7B} (Download Class) - http://expressit.broderbund.com/plugin/Download.cab
>O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} - http://www.nick.com/common/groove/gx/GrooveAX27.cab
>O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai.net/7/19/7125/4045/ftp.coupons.com/v3123/cpbrkpie.cab
>
>Note: spyware installed with Webshots, removing will not affect the function of Webshots Desktop:
>O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://wdownload.weatherbug.com/minibug/tricklers/AWS/MiniBugTransporter.cab?
>
>Make sure you've selected to show "hidden files" in Folder options. Delete the folders indicated in bold:
>C:\PROGRAM FILES\PERFECT KEYLOGGER LITE\
>C:\PROGRAM FILES\MYSEARCH\BAR\
>C:\Program Files\QuickSearch\
>C:\PROGRA~1\INTERN~1\ <<--(I forget the full name, if you're unsure when you check, wait on that. I'll check into it)
>
>Clear out ALL temp folders, while still in safe mode: Go into Internet Options - delete TIF and choose 'delete all Offline content'. Settings - set the size of your TIF folder between 5 - 10 MB. Empty C:\Windows\temp folder and C:\temp folder, if you have one. Empty Recycle bin.
>
>It was likely missed, that you'd run Spybot initially, but make sure you have the latest version and updates installed, and as was mentioned, run the CWShredder. Once you've done that, run HijackThis and post the New log here. As an aside, you don't have anything installed to prevent/protect your system from malware infections. We'll get to that too.
>
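The cleanup advice above works through a HijackThis log section by section (orphaned R/O2/O3 references, O4 autostarts, O16 ActiveX downloads, hijacked start pages). As an added example that is not part of this thread or of HijackThis itself, here is a small Python triage helper that parses lines in the HJT v1.98 log format and groups those same entry types for review; the sample log lines are constructed from entries quoted in this thread, not a real complete log.

```python
import re
from urllib.parse import urlparse

# Constructed sample in HijackThis v1.98 log format, modelled on entries quoted
# in this thread; it is not a real, complete log.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.98.2
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.searchnugget.com/
O2 - BHO: ALTAVISTA - {4E7BD74F-2B8D-469E-92EA-EC65A294AE31} - (no file)
O4 - HKLM\..\Run: [WinLoad] C:\WINDOWS\SYSTEM\EXPLORER32\Winload.exe
O4 - HKCU\..\Run: [BPK] C:\PROGRAM FILES\PERFECT KEYLOGGER LITE\BPK.EXE
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - res://D:\PROGRAM FILES\IESPELL\IESPELL.DLL/SPELLCHECK.HTM (file missing)
O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://204.168.68.163/pfr/tdserver.cab
"""

ENTRY_RE = re.compile(r"^([RNOF]\d+) - (.*)$")          # "O4 - <body>"
RUN_RE = re.compile(r"^(HK\w+\\\.\.\\Run\w*): \[([^\]]*)\] (.*)$")  # HKLM\..\Run: [name] cmd
IPV4_RE = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")

def parse_hjt(text):
    """Return (section_code, body) for each entry, skipping header lines."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries

def triage(text):
    """Group the entries a reviewer checks first."""
    report = {"orphans": [], "autostarts": [], "dpf_hosts": [],
              "ip_hosts": [], "start_pages": []}
    for code, body in parse_hjt(text):
        # References whose file is gone are leftovers that can simply be fixed.
        if "(no file)" in body or "(file missing)" in body:
            report["orphans"].append(f"{code} - {body}")
        if code == "O4":
            m = RUN_RE.match(body)  # Startup-folder O4 lines have another shape
            if m:
                report["autostarts"].append((m.group(1), m.group(2), m.group(3)))
        elif code == "O16":
            host = urlparse(body.rsplit(" - ", 1)[-1]).hostname or ""
            report["dpf_hosts"].append(host)
            if IPV4_RE.match(host):  # a control served from a bare IP deserves a look
                report["ip_hosts"].append(host)
        elif code in ("R0", "R1") and "Start Page" in body:
            report["start_pages"].append(body.partition(" = ")[2])
    return report
```

Feed `triage()` the text of a saved log; each autostart tuple gives the registry key, value name and command line, so the listed path can be checked against the reply above before fixing.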




Written in response to:
re: winsysmngr (Ms. Eagle: Wednesday, September 8, 2004 at 1:08 pm)
