spyware
Showing all messages in thread #1094477832 Windows 98 Annoyances Discussion Forum
The following are all of the messages in this thread (16 in all), shown in chronological order.
spyware
Monday, September 6, 2004 at 6:37 am Posted by melissa
(58 messages posted)
A few days ago I did an Ad-Aware scan. I found 171 things; when I tried to delete them
it kept telling me that my hard drive was full, then did nothing .. so I downloaded
HijackThis - I was wondering if someone could tell me what's safe to delete and what
isn't - I have the HijackThis log ... Running Win98 SE ... thanks!
re: spyware
Monday, September 6, 2004 at 7:25 am Posted by Helen~
(2626 messages posted)
Hi Melissa,
While you're waiting for someone able to help with Hijack This log, you could do
a little disk maintenance using Carol's Disk Maintenance. Then
download Spybot S&D from Major Geeks and run it. After that run AdAware again possibly
in Safe Mode. Next run Hijack this again. The purpose of all this is to clean up
so that there isn't so much to look over in the HJT log. Good luck, :o)
On Monday, September 6, 2004 at 6:37 am, melissa wrote:
>A few days ago I did an Ad-Aware scan. I found 171 things; when I tried to delete them
>it kept telling me that my hard drive was full, then did nothing .. so I downloaded
>HijackThis - I was wondering if someone could tell me what's safe to delete and what
>isn't - I have the HijackThis log ... Running Win98 SE ... thanks!
re: spyware
Monday, September 6, 2004 at 8:17 am Posted by James
(782 messages posted)
Melissa, Post your HiJackThis Log.

On Monday, September 6, 2004 at 6:37 am, melissa wrote:
>A few days ago I did an Ad-Aware scan. I found 171 things; when I tried to delete them
>it kept telling me that my hard drive was full, then did nothing .. so I downloaded
>HijackThis - I was wondering if someone could tell me what's safe to delete and what
>isn't - I have the HijackThis log ... Running Win98 SE ... thanks!
re: spyware
Monday, September 6, 2004 at 9:14 am Posted by melissa
(58 messages posted)
Logfile of HijackThis v1.98.2
Scan saved at 9:22:06 AM, on 9/6/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.superwebsearch.com/ie/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.websearch.com/ie.aspx?tb_id=50171
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/ymsgr6/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.earthlink.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://red.clientapps.yahoo.com/customize/ie/defaults/stp/ymsgr*http://my.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr6/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50171
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = res://C:\PROGRA~1\TOOLBAR\TOOLBAR.DLL/sa
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/ymsgr6/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/ymsgr6/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.earthlink.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://crackspider.net/ie/assist.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50171
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = res://C:\PROGRA~1\TOOLBAR\TOOLBAR.DLL/sa
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr6/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride
= localhost
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {20EC3D2D-33C1-4C9D-BC37-C2D500688DA2} - C:\TV MEDIA\TVMBHO.DLL
O1 - Hosts: 216.93.168.167 auto.search.msn.com
O1 - Hosts: 216.93.168.167 sitefinder.verisign.com
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRAM
FILES\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_3_12_0.DLL
O2 - BHO: PnIEBrowserHelperObj Class - {4B5F2E08-6F39-479a-B547-B2026E4C7EDF} - C:\Program
Files\EarthLink TotalAccess\PnEL.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM
FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: (no name) - {58359010-BF36-11D3-99A2-0050DA2EE1BE} - (no file)
O2 - BHO: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - C:\PROGRA~1\TOOLBAR\TOOLBAR.DLL
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM
FILES\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_3_12_0.DLL
O3 - Toolbar: Pop-Up Blocker - {D7F30B62-8269-41AF-9539-B2697FA7D77E} - C:\Program
Files\EarthLink TotalAccess\PnEL.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: &Search Toolbar - {339BB23F-A864-48C0-A59F-29EA915965EC} - C:\PROGRA~1\TOOLBAR\TOOLBAR.DLL
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [CriticalUpdate] C:\WINDOWS\SYSTEM\wucrtupd.exe -startup
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [Lexmark X74-X75] "C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe"
O4 - HKLM\..\Run: [LexStart] lexstart.exe
O4 - HKLM\..\Run: [DM_Server] C:\PROGRA~1\COMETS~1\DM\BIN\DMSERVER.EXE /onreboot
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [Tau Monitor] C:\PROGRAM FILES\AGNITUM\TAUSCAN 1.6\TAUMON.EXE
O4 - HKLM\..\Run: [49J#8D#2G2MPRR] C:\WINDOWS\SYSTEM\Wdj7.exe
O4 - HKLM\..\Run: [t46h36Q] IPRBUTIL.EXE
O4 - HKLM\..\Run: [AutoUpdater] "c:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKLM\..\Run: [Dpi] C:\PROGRAM FILES\COMMON FILES\DPI\DPI.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\EarthLink TotalAccess\Spyware Blocker\SPYWAREBLOCKER.EXE"
/0
O4 - HKCU\..\Run: [c3pnRWcnO] ITILL32.EXE
O4 - HKCU\..\Run: [E6TaskPanel] "C:\PROGRAM FILES\EARTHLINK TOTALACCESS\TASKPANL.EXE"
-winstart
O4 - HKCU\..\Run: [TV Media] C:\TV MEDIA\Tvm.exe
O4 - Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop
Messenger\8876480\Program\LDMConf.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM
FILES\YAHOO!\MESSENGER\YHEXBMES0521.DLL
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD}
- C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES0521.DLL
O9 - Extra button: Search cracks at CrackSpider.NET - {10954C80-4F0F-11d3-B17C-00C0DFE39736}
- http://crackspider.net/ie/btn.php (file missing) (HKCU)
O9 - Extra 'Tools' menuitem: Search cracks at CrackSpider.NET - {10954C80-4F0F-11d3-B17C-00C0DFE39736}
- http://crackspider.net/ie/btn.php (file missing) (HKCU)
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yse/ymmapi_416.dll
O16 - DPF: Yahoo! Literati - http://download.games.yahoo.com/games/clients/y/tt2_x.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/autocomplete.cab
O16 - DPF: {10954C80-4F0F-11D3-B17C-00C0DFE39736} - http://hot.thebugs.ws/fav.exe
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/pote_x.cab
O16 - DPF: {FF65677A-8977-48CA-916A-DFF81B037DF3} (WMService Class) - http://download.overpro.com/WildApp.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O18 - Protocol: tpro - {FF76A5DA-6158-4439-99FF-EDC1B3FE100C} - C:\PROGRA~1\TOOLBAR\TOOLBAR.DLL
O21 - SSODL: SARU - {FF5D8CC8-DE01-4964-89F1-648E43271415} - C:\WINDOWS\SYSTEM\MSSARU.DLL
On Monday, September 6, 2004 at 8:17 am, James wrote:
>Melissa, Post your HiJackThis Log.
re: spyware
Monday, September 6, 2004 at 12:26 pm Posted by Ms. Eagle
(33640 messages posted)
"Melissa, Post your HiJackThis Log."
James, spyware cleaners must be run first. Helen had that covered.
Secondly, since you're not experienced in advising on HJT logs, you shouldn't request
they be posted. Period. Advising on those logs is a serious thing. On most security
forums, not just anyone is allowed to deal with them.
re: spyware
Monday, September 6, 2004 at 12:33 pm Posted by Ms. Eagle
(33640 messages posted)
Melissa, did you run a spyware scan first as Helen suggested? If so, do you have
the latest versions and updates installed? The poster that told you to post your log
had no business doing so. He's not experienced in advising on those logs, anyway.
First, run the CWShredder tool to scan for CWSearch variants: CWShredder
Close all browser windows and press FIX to Scan and Clean. Reboot. Run it again.
Install either AW or SpyBot S&D, which are the two main programs used and recommended
for malware removal. Ad-Aware is easier for inexperienced users:
Ad-Aware SE Personal. Also, download the 'Ad-aware SE referencefile'
update and the "Ad-Aware VX2 Cleaner Plug-In". Follow these instructions and run
a full system scan.
Note: Run either scan in Safe mode for best cleaning results. Reboot and press and
hold the Ctrl key and choose Safe mode.
Reconfigure Ad-Aware for Full Scan
SpyBot Search & Destroy v1.3: After installing and rebooting, check for
and download the updates. Log off the net, close browser windows, run the "Default
mode" scan. 'Check All', and fix everything labeled in RED. Reboot.
Clear out all your temp folders: Internet Options - General tab. Delete temporary
internet files - choose 'delete all Offline content'. Settings - set the size of
your TIF folder between 5 - 10 MB. Empty C:\Windows\temp folder and C:\temp folder,
if you have one. Note: Some temp files may currently be in use, until the next reboot.
Empty Recycle bin.
After doing those things, move Hijack This into a new folder. It creates backups.
Ex: put in C:\HJT\HijackThis.exe. Before posting the log, choose the posting option
below, so the message will be properly formatted. First, close ALL open windows.
Then choose Scan. Most of the entries listed are legitimate or required entries.
Don't fix anything, until you know which items to fix. For a description of the entries:
Help2go: HJT tutorial
After the scan is finished, the Scan button will turn into Save Log. Press that and
paste the contents here. Before posting your message, choose this posting Option
below, so your message will be properly formatted: Check this box to preserve
your spacing, etc....
Install SpywareBlaster to help prevent future malware infections. Check for
and download updates after installing it. Enable protection. SpywareGuard can be
used, in addition, for real time protection. Check for updates often:
JavaCoolSoftware.com
Addendum
Monday, September 6, 2004 at 1:24 pm Posted by Ms. Eagle
(33640 messages posted)
I'm sorry, Melissa. I should learn how to read, missed your note about "trying" to
run Ad-aware.
It should work successfully in Safe Mode, and clear out all your temp folders first.
Be sure AW is up to date. It's very important to have the newest version and latest
updates installed. I skimmed through your log and you do have a lot of malware infections
and hijackers.
Considering the mess you have, running another online virus scan would be a good
idea. I see you've run Housecall, but I don't know how recently. Choose to auto clean.
Run it after the spyware scans.
Panda Active Scan or Bitdefender
re: spyware
Monday, September 6, 2004 at 3:54 pm Posted by James
(11 messages posted)
Carol,
I realize you should run Spyware Programs before using HJT and Posting the HJT Log.
My post followed the Post by Helen, whereby, she referred to the use of Spyware Programs.
Why should I repeat what she had posted? I am sure that anyone with common sense
would understand the order of such Posting. Your statement about leaving "Posting
to those experienced in advising on HJT logs" is a true statement. However, your
being the number one poster here via the Win98 Forum doesn't qualify you to be the
judge of my knowledge. My Education, Degree, Experience and Daily Work is my qualifier.
Should you desire to Post your College Diploma, Microsoft Degree and Resume, I will
gladly post the same, thus showing which of us is truly qualified. When my Friends
and Family who are far away need help with PC problems, due to my lack of time to
spend explaining the steps of needed repair, I often give them reference to your
various Posts here at annoyances.org. I greatly respect your knowledge far more
than your attitude. Attitudes are like the thine own true self allowing all to see
the depths therein. Thus all being said keep up the fine and quality post that you
are known for.
James
On Monday, September 6, 2004 at 12:26 pm, Carol J wrote:
>"Melissa, Post your HiJackThis Log."
>James, spyware cleaners must be run first. Helen had that covered.
>Secondly, since you're not experienced in advising on HJT logs, you shouldn't request
>they be posted. Period. Advising on those logs is a serious thing. On most security
>forums, not just anyone is allowed to deal with them.
re: spyware
Monday, September 6, 2004 at 5:05 pm Posted by Ms. Eagle
(33640 messages posted)
Then we need to wait to hear back from the poster, when the scans have been done.
When you requested simply, "post the log", what was she s'posed to think she should
do, James?
Your reference to diplomas and degrees is a bit ridiculous and hasn't one thing to
do with it. It has nothing to do with your education, but have you had training on
helping with these? People have had their systems ruined, because well meaning "helpers"
advised them. Often, and it may be the case here, I refer them to a malware support
forum for help.
This has nothing to do with attitude. I'm being straight-forward and telling it like
it is. I realize that doesn't do much for my popularity sometimes, but that's tough.
Someone needs to look out for people and make sure they don't get bad advice on those
logs. I'm sorry, if I offended you, which isn't my intention. Please don't take it
personally. Thanks for the compliment.
re: spyware
Monday, September 6, 2004 at 5:42 pm Posted by James
(782 messages posted)
Carol,
I do take it personally when someone broadcasts to the world that I am not qualified
etc. As to your question, yes, I have had training and obtain the knowledge of
such. You are right, I should have stated, use Spyware Programs first.
James
On Monday, September 6, 2004 at 5:05 pm, Carol J wrote:
>Then we need to wait to hear back from the poster, when the scans have been done.
>When you requested simply, "post the log", what was she s'posed to think she should
>do, James?
>Your reference to diplomas and degrees is a bit ridiculous and hasn't one thing to
>do with it. It has nothing to do with your education, but have you had training on
>helping with these? People have had their systems ruined, because well meaning "helpers"
>advised them. Often, and it may be the case here, I refer them to a malware support
>forum for help.
>This has nothing to do with attitude. I'm being straight-forward and telling it like
>it is. I realize that doesn't do much for my popularity sometimes, but that's tough.
>Someone needs to look out for people and make sure they don't get bad advice on those
>logs. I'm sorry, if I offended you, which isn't my intention. Please don't take it
>personally. Thanks for the compliment.
re: spyware
Monday, September 6, 2004 at 6:37 pm Posted by Ms. Eagle
(33640 messages posted)
True, and I apologize. Although, I also take it personally, when people refer to
my so-called attitude. I don't have an attitude problem.
re: spyware
Tuesday, September 7, 2004 at 8:27 am Posted by Cyber Cowboy 009
(104 messages posted)
Hello Melissa, hope this link helps: Dealing with Unwanted Spyware and Parasites
On Monday, September 6, 2004 at 6:37 am, melissa wrote:
>A few days ago I did an Ad-Aware scan. I found 171 things; when I tried to delete them
>it kept telling me that my hard drive was full, then did nothing .. so I downloaded
>HijackThis - I was wondering if someone could tell me what's safe to delete and what
>isn't - I have the HijackThis log ... Running Win98 SE ... thanks!
re: spyware
Tuesday, September 7, 2004 at 8:58 am Posted by James
(782 messages posted)
Melissa,
The correct method, which allows for a cleaner HJT Log, is to first clean-up the
system with Spyware Programs etc., then Post the clean HJT Log. However, since you
already had problems running Spyware Programs, I wanted to view your HJT Log. I wanted
to check to see if anything was Obfuscated and converting the Hexadecimal values.
Also, my desire was to check the CLSID number values, to see if any ended with an
underscore of { _ }.
I cannot find where any harm has been created due to my suggestion. Follow the advice
of Helen and Carol. Carol is one of the best at helping with HJT Logs. Since statements
were made against my knowledge, therefore, I assume it would be difficult for you or
anyone to trust my judgement and/or advice, hence, I withdraw my support from this
post.
..........................................
Carol, with all respect and regards, I accept your apology. If I have in any manner
misspoke or caused offense I also offer my apology.
James
On Monday, September 6, 2004 at 6:37 am, melissa wrote:
>A few days ago I did an Ad-Aware scan. I found 171 things; when I tried to delete them
>it kept telling me that my hard drive was full, then did nothing .. so I downloaded
>HijackThis - I was wondering if someone could tell me what's safe to delete and what
>isn't - I have the HijackThis log ... Running Win98 SE ... thanks!
re: spyware
Wednesday, September 8, 2004 at 12:38 pm Posted by Ms. Eagle
(33640 messages posted)
Hi Melissa,
I'm sorry about the interruptions. Have you run those scans I suggested, to clean
up as much as possible? Your log shows a tremendous amount of problems, but I know
there will still be things to fix with HJT.
Please feel free to post the log, when you're ready. Any questions, just ask.
re: spyware
Friday, September 10, 2004 at 5:32 pm Posted by melissa
(58 messages posted)
Hi Carol ... Sorry it took so long to post this but here it is ... Also please excuse
this mess if I didn't do it right, not all that computer smart .......
Logfile of HijackThis v1.98.2
Scan saved at 8:25:23 PM, on 9/10/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\LEXMARK X74-X75\LXBBBMGR.EXE
C:\PROGRAM FILES\LOGITECH\ITOUCH\ITOUCH.EXE
C:\PROGRAM FILES\LEXMARK X74-X75\LXBBBMON.EXE
C:\PROGRAM FILES\LOGITECH\DESKTOP MESSENGER\8876480\PROGRAM\BACKWEB-8876480.EXE
C:\PROGRAM FILES\EARTHLINK TOTALACCESS\SPYWARE BLOCKER\SPYWAREBLOCKER.EXE
C:\PROGRAM FILES\EARTHLINK TOTALACCESS\TASKPANL.EXE
C:\WINDOWS\SYSTEM\LEXBCES.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\SYSTEM\LEXPPS.EXE
C:\WINDOWS\SYSTEM\GIP49XK.EXE
C:\WINDOWS\SYSTEM\TEQXGRB.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.superwebsearch.com/ie/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/ymsgr6/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.earthlink.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://red.clientapps.yahoo.com/customize/ie/defaults/stp/ymsgr*http://my.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr6/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = res://C:\PROGRA~1\TOOLBAR\TOOLBAR.DLL/sa
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/ymsgr6/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/ymsgr6/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.earthlink.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = res://C:\PROGRA~1\TOOLBAR\TOOLBAR.DLL/sa
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr6/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride
= localhost
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {20EC3D2D-33C1-4C9D-BC37-C2D500688DA2} - C:\TV MEDIA\TVMBHO.DLL
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRAM
FILES\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_3_12_0.DLL
O2 - BHO: PnIEBrowserHelperObj Class - {4B5F2E08-6F39-479a-B547-B2026E4C7EDF} - C:\Program
Files\EarthLink TotalAccess\PnEL.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM
FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: (no name) - {58359010-BF36-11D3-99A2-0050DA2EE1BE} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM
FILES\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_3_12_0.DLL
O3 - Toolbar: Pop-Up Blocker - {D7F30B62-8269-41AF-9539-B2697FA7D77E} - C:\Program
Files\EarthLink TotalAccess\PnEL.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: (no name) - {339BB23F-A864-48C0-A59F-29EA915965EC} - (no file)
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [CriticalUpdate] C:\WINDOWS\SYSTEM\wucrtupd.exe -startup
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [Lexmark X74-X75] "C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe"
O4 - HKLM\..\Run: [LexStart] lexstart.exe
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [Tau Monitor] C:\PROGRAM FILES\AGNITUM\TAUSCAN 1.6\TAUMON.EXE
O4 - HKLM\..\Run: [49J#8D#2G2MPRR] C:\WINDOWS\SYSTEM\Xzm0J.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\EarthLink TotalAccess\Spyware Blocker\SPYWAREBLOCKER.EXE"
/0
O4 - HKCU\..\Run: [E6TaskPanel] "C:\PROGRAM FILES\EARTHLINK TOTALACCESS\TASKPANL.EXE"
-winstart
O4 - Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop
Messenger\8876480\Program\LDMConf.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM
FILES\YAHOO!\MESSENGER\YHEXBMES0521.DLL
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD}
- C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES0521.DLL
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yse/ymmapi_416.dll
O16 - DPF: Yahoo! Literati - http://download.games.yahoo.com/games/clients/y/tt2_x.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/autocomplete.cab
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/pote_x.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
O21 - SSODL: SARU - {FF5D8CC8-DE01-4964-89F1-648E43271415} - C:\WINDOWS\SYSTEM\MSSARU.DLL
On Wednesday, September 8, 2004 at 12:38 pm, Carol J wrote:
>Hi Melissa,
>I'm sorry about the interruptions. Have you run those scans I suggested, to clean
>up as much as possible? Your log shows a tremendous amount of problems, but I know
>there will still be things to fix with HJT.
>Please feel free to post the log, when you're ready. Any questions, just ask.
re: spyware
Friday, September 10, 2004 at 10:49 pm Posted by Ms. Eagle
(33640 messages posted)
Melissa, it wasn't that long, before you got back to us. It takes time to do those
things, too. Just wanted to be sure you were still with us.
The log shows up properly formatted in the reply window. I must need to redo my instructions,
because a lot of people miss this: Before posting your message, choose this posting
Option below, so your message will be properly formatted: Check this box to preserve
your spacing, etc.... You need to tick where it says that before you post. You'll
see that below the posting window.
The log sure looks better than it did. There are still hijacking entries to clear,
a strange executable, and that TV Media program. It may take another step to get
rid of that one. Go into Add/Remove Programs, scroll down and highlight TV Media - choose remove.
Look for a Backweb entry and remove any/all that are listed. It's considered spyware
and is installed with a lot of applications.
Uninstall "Windows Update Critical Update Notification" in Add/Remove. Check for
updates manually every few months or so, for IE security updates mainly.
You need to create a special folder for HJT, because it creates backups of everything
fixed. They auto save in the same folder. Ex: C:\HJT\HIJACKTHIS.EXE. Close all open
windows. Run HJT and select these entries. Fix checked. Reboot into Safe Mode to
delete the files and folders, indicated below.
C:\WINDOWS\SYSTEM\GIP49XK.EXE
C:\WINDOWS\SYSTEM\TEQXGRB.EXE
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.superwebsearch.com/ie/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/ymsgr6/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://red.clientapps.yahoo.com/customize/ie/defaults/stp/ymsgr*http://my.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr6/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = res://C:\PROGRA~1\TOOLBAR\TOOLBAR.DLL/sa
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/ymsgr6/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/ymsgr6/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = res://C:\PROGRA~1\TOOLBAR\TOOLBAR.DLL/sa
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr6/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {20EC3D2D-33C1-4C9D-BC37-C2D500688DA2} - C:\TV MEDIA\TVMBHO.DLL
O2 - BHO: (no name) - {58359010-BF36-11D3-99A2-0050DA2EE1BE} - (no file)
O3 - Toolbar: (no name) - {339BB23F-A864-48C0-A59F-29EA915965EC} - (no file)
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [CriticalUpdate] C:\WINDOWS\SYSTEM\wucrtupd.exe -startup
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [49J#8D#2G2MPRR] C:\WINDOWS\SYSTEM\Xzm0J.exe
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
O4 - Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop
Messenger\8876480\Program\LDMConf.exe
O21 - SSODL: SARU - {FF5D8CC8-DE01-4964-89F1-648E43271415} - C:\WINDOWS\SYSTEM\MSSARU.DLL
(In Safe mode) Make sure "show hidden files" is selected in Folder Options. If unsure,
check:
How to Show System Files
Delete TV Media folder in: C:\TV MEDIA\
Note: Careful in the system folder and delete only these two files, if found:
C:\WINDOWS\SYSTEM\Xzm0J.exe <<- delete .exe file
C:\WINDOWS\SYSTEM\MSSARU.DLL <<- delete .DLL file
Before rebooting, clear out all those temp folders again. Then reboot into normal
mode, run HJT again and post the New log. Any questions or problems with any of the
instructions, let me know.
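
Added example (not part of any post in this thread, and not HijackThis code): a small script that rejoins the wrapped lines of two pasted HijackThis logs and diffs the scans by CLSID or registry value name, so an entry that kept its name but now points at a different file shows up as changed. The function names are hypothetical; the sample input is a short excerpt of lines from the two logs posted above, wrapped the way they appear in the posts.

```python
import re

ENTRY = re.compile(r"^([RO]\d{1,2}) - (.*)$")    # section codes: R0, R1, R3, O1 ... O21
CLSID = re.compile(r"\{[0-9A-Fa-f-]{36}\}")
RUN_VALUE = re.compile(r"^(.*?: \[[^\]]+\])")     # e.g. HKLM\..\Run: [ValueName]


def parse_hjt(text):
    """Return (code, body) pairs from a pasted HijackThis log.

    A line that does not start with a section code is treated as the wrapped
    tail of the previous entry. The header and the 'Running processes' list
    come before the first entry and are skipped.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = ENTRY.match(line)
        if m:
            entries.append([m.group(1), m.group(2)])
        elif entries:
            entries[-1][1] += " " + line
    return [tuple(e) for e in entries]


def entry_key(code, body):
    """Identity of an entry that survives a change of its target file or label."""
    kind = body.split(":", 1)[0].lower()          # 'bho', 'toolbar', 'extra button', ...
    m = CLSID.search(body)
    if m:
        return (code, kind, m.group(0).upper())
    m = RUN_VALUE.match(body)                     # O4 autostart: hive plus value name
    if m:
        return (code, m.group(1).lower())
    return (code, body.split(" = ", 1)[0].lower())  # R entries: registry value name


def squash(s):
    """Case- and whitespace-insensitive form for comparing Win9x paths."""
    return " ".join(s.split()).lower()


def diff_scans(before, after):
    """Classify entries as removed, changed, unchanged or added between two scans."""
    old = {entry_key(c, b): (c, b) for c, b in parse_hjt(before)}
    new = {entry_key(c, b): (c, b) for c, b in parse_hjt(after)}
    out = {"removed": [], "changed": [], "unchanged": [], "added": []}
    for key, (code, body) in old.items():
        if key not in new:
            out["removed"].append((code, body))
        elif squash(new[key][1]) != squash(body):
            out["changed"].append((code, body, new[key][1]))
        else:
            out["unchanged"].append((code, body))
    out["added"] = [new[k] for k in new if k not in old]
    return out


# Excerpt of the log posted on September 6 (lines copied from the thread).
SCAN_SEP_6 = r"""Logfile of HijackThis v1.98.2
Running processes:
C:\WINDOWS\EXPLORER.EXE
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.superwebsearch.com/ie/
O3 - Toolbar: &Search Toolbar - {339BB23F-A864-48C0-A59F-29EA915965EC} - C:\PROGRA~1\TOOLBAR\TOOLBAR.DLL
O4 - HKLM\..\Run: [49J#8D#2G2MPRR] C:\WINDOWS\SYSTEM\Wdj7.exe
O4 - HKLM\..\Run: [t46h36Q] IPRBUTIL.EXE
O4 - HKCU\..\Run: [TV Media] C:\TV MEDIA\Tvm.exe
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM
FILES\YAHOO!\MESSENGER\YHEXBMES0521.DLL
"""

# Excerpt of the log posted on September 10 (lines copied from the thread).
SCAN_SEP_10 = r"""Logfile of HijackThis v1.98.2
Running processes:
C:\WINDOWS\EXPLORER.EXE
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.superwebsearch.com/ie/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: (no name) - {339BB23F-A864-48C0-A59F-29EA915965EC} - (no file)
O4 - HKLM\..\Run: [49J#8D#2G2MPRR] C:\WINDOWS\SYSTEM\Xzm0J.exe
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM
FILES\YAHOO!\MESSENGER\YHEXBMES0521.DLL
"""

if __name__ == "__main__":
    for status, items in diff_scans(SCAN_SEP_6, SCAN_SEP_10).items():
        for item in items:
            print(status.upper(), *item, sep=" | ")
```

The diff only reports what differs between the scans; deciding which entries to fix still belongs to whoever is reviewing the log.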