I'm begging PLESE HELP??!!!!! (merged)

I'm begging PLESE HELP??!!!!!

My PC was completely hijacked a few weeks back, and I posted my hijackthis log
and was given instructions and followed them. It worked on those problems, but
the HJing was so far advanced, I couldn't get back here for more help. (BTW is
Netintergrations and this forumn the same? I can't get to NI now and was
wondering.)And not long after (a few hours) My PC crashed.
After a lot of work I got it back up with what I thought was suppose to be
a clean reinstall (Windows 98 OS). I never even got back on line and was being
overrun again. I had popups talking to one another! Well since then I
reinstalled (FDISK: deleting all DOS extensions and recreating) about 3 times
(I'm serious that it could be more. Then I had one helluva time reinstalling
drivers to devices. I have all my drivers on disk but couldn't install. Took a
lot more work but at least got my modem, display and sound cards working. I
still have an issue with my printer installation. Says my CPU is at level 5 and
needs to be at level 6. No changes have been made on my PC except added memory
a few yrs back. I have no idea what this is, or how to fix it. Yet. I have
three notebooks full of notes. I have taken every iota of info (chips etc...)
off of my mother board (M5CNB), but have NEVER found ANY info on my PC (INTEVA)
except the name.
Right now I can't get updates. Windows update scan gives and error code that
I've sent to MS several times, but have yet to get any feedback. I did do MS
Search "Win 98 drives" and found quite a few updates (some critical).
I couldn't download Hijack this (had it a few days back but it and SpyWare
Blaster were destroyed by what ever is in my PC), or get to some help sites at
all. When I do, and try and download, I'm always interrupted, or a big blue
screen comes up and says "FATAL ERROR BLA, BLA, BLA". Idid have a friend
download Hijackthis, CWShredder, SpywareBlaster (but can't get updates),
BHOlist.zip (but can't run) on a floppy, and so I do have a HJthis log to
display.
NOTE: Before all this occurred, I only used my PC as an apparatus to get on
line. It's been a crash course to say the VERY least, and I've come a long way
from nowhere, and am determined. I saw a topic about an incidious creature
involving a DOS command "cd C:windowssystemf0r0r" and deletion, and am
interested but not sure how exactly. I get Windows and DOS command formats
confused, but after some study in help files can do basic stuff. Wouldn't know
where to start in deleting a DOS file, or a file in DOS (you can tell I'm
green).
Another poster SUZE(?) I believe, posted some similar happenings on her(?)
PC, but I can't identify the files like she did.

I know this is long, and a lot to ask, but I'm frustrated as hell, and scared
I won't get back in "time".
I'm desperate and begging. Please help?!!!

Here's my Hijackthis log: (I was able to clean some things up with SpyBot
S&D, and CWS fixed some IE problems, and out of desperation I checked the
About:Blank list on hijackthis scan and shredded it)...............



Logfile of HijackThis v1.97.7
Scan saved at 3:16:16 PM, on 5/22/14
Platform: Windows 98 Gold (Win9x 4.10.199
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\SYMANTEC_CLIENT_SECURITY\SYMANTEC ANTIVIRUS\RTVSCN95.EXE
C:\PROGRAM FILES\SYMANTEC_CLIENT_SECURITY\SYMANTEC ANTIVIRUS\DEFWATCH.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\SYMANTEC_CLIENT_SECURITY\SYMANTEC ANTIVIRUS\VPTRAY.EXE
C:\PROGRAM FILES\PROPEL ACCELERATOR\PROPELAC.EXE
C:\PROGRAM FILES\MICROSOFT MONEY\SYSTEM\REMINDER.EXE
C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
C:\UNZIPPED\HIJACKTHIS1977\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = msn.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = msn.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = msn.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = msn.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = msn.com
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM
FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {656EC4B7-072B-4698-B504-2A414C1F0037} - C:\PROGRAM
FILES\PROPEL ACCELERATOR\PRPL_IEPOPUPBLOCKER.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} -
C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe
powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [Propel Accelerator] C:\PROGRAM FILES\PROPEL
ACCELERATOR\PROPELAC.EXE
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe
powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [rtvscn95] C:\PROGRA~1\SYMANT~1\SYMANT~1\rtvscn95.exe
O4 - HKLM\..\RunServices: [defwatch] C:\PROGRA~1\SYMANT~1\SYMANT~1\defwatch.exe
O4 - HKCU\..\Run: [Reminder] C:\Program Files\Microsoft
Money\System\reminder.exe
O4 - Startup: MSN Quick View.lnk = C:\Program Files\ONMSN\MSNDC.EXE
O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {8F0F5093-0A70-11D0-BCA9-00C04FD85AA6} (MSN Setup BBS Object) -
http://fdl.msn.com/public/msnqfe/oc/setupbbs.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) -
http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) -
http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?38124.8584259259
O16 - DPF: {2359626E-7524-4F87-B04E-22CD38A0C88C} (ICSScannerLight Class) -
http://download.zonelabs.com/bin/free/cm/ICSCM.cab

-------------------------------------------------------------------------------

I couldn't post the above post when I wrote it, so I tried to clean up some more and am now back with a more current log.

Again, Please HELP?!!!


Logfile of HijackThis v1.97.7
Scan saved at 3:16:16 PM, on 5/22/14
Platform: Windows 98 Gold (Win9x 4.10.199
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\SYMANTEC_CLIENT_SECURITY\SYMANTEC ANTIVIRUS\RTVSCN95.EXE
C:\PROGRAM FILES\SYMANTEC_CLIENT_SECURITY\SYMANTEC ANTIVIRUS\DEFWATCH.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\SYMANTEC_CLIENT_SECURITY\SYMANTEC ANTIVIRUS\VPTRAY.EXE
C:\PROGRAM FILES\PROPEL ACCELERATOR\PROPELAC.EXE
C:\PROGRAM FILES\MICROSOFT MONEY\SYSTEM\REMINDER.EXE
C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
C:\UNZIPPED\HIJACKTHIS1977\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = msn.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = msn.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = msn.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = msn.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = msn.com
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {656EC4B7-072B-4698-B504-2A414C1F0037} - C:\PROGRAM FILES\PROPEL ACCELERATOR\PRPL_IEPOPUPBLOCKER.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [Propel Accelerator] C:\PROGRAM FILES\PROPEL ACCELERATOR\PROPELAC.EXE
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [rtvscn95] C:\PROGRA~1\SYMANT~1\SYMANT~1\rtvscn95.exe
O4 - HKLM\..\RunServices: [defwatch] C:\PROGRA~1\SYMANT~1\SYMANT~1\defwatch.exe
O4 - HKCU\..\Run: [Reminder] C:\Program Files\Microsoft Money\System\reminder.exe
O4 - Startup: MSN Quick View.lnk = C:\Program Files\ONMSN\MSNDC.EXE
O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {8F0F5093-0A70-11D0-BCA9-00C04FD85AA6} (MSN Setup BBS Object) - http://fdl.msn.com/public/msnqfe/oc/setupbbs.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?38124.8584259259
O16 - DPF: {2359626E-7524-4F87-B04E-22CD38A0C88C} (ICSScannerLight Class) - http://download.zonelabs.com/bin/free/cm/ICSCM.cab

 

Re: I'm begging PLESE HELP??!!!!!

Hi kdavis,

Can you find this file c:\windows\hosts and rename it to hosts.bak ?
Let me know if you can reach N-I (which is not the same but similar to this board) now.

Regards,

Pieter

 

Re: I'm begging PLESE HELP??!!!!!

I did Peter. Haven't tried to go to NI yet. Will shortly.
Anyway, there was also another C:\windows\host file found "Lmhost", do I rename it also?

 

Re: I'm begging PLESE HELP??!!!!!

current Hijackthis log.

Logfile of HijackThis v1.97.7
Scan saved at 7:46:00 AM, on 5/24/14
Platform: Windows 98 Gold (Win9x 4.10.199
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\SYMANTEC_CLIENT_SECURITY\SYMANTEC ANTIVIRUS\RTVSCN95.EXE
C:\PROGRAM FILES\SYMANTEC_CLIENT_SECURITY\SYMANTEC ANTIVIRUS\DEFWATCH.EXE
C:\PROGRAM FILES\SYMANTEC\LIVEUPDATE\LUCOMSERVER.EXE
C:\PROGRAM FILES\SYMANTEC\LIVEUPDATE\LUALL.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\SYMANTEC_CLIENT_SECURITY\SYMANTEC ANTIVIRUS\VPTRAY.EXE
C:\PROGRAM FILES\PROPEL ACCELERATOR\PROPELAC.EXE
C:\PROGRAM FILES\MICROSOFT MONEY\SYSTEM\REMINDER.EXE
C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
C:\UNZIPPED\HIJACKTHIS1977\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\SYSTEM\BKOM.DLL/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\SYSTEM\BKOM.DLL/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\SYSTEM\BKOM.DLL/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\SYSTEM\BKOM.DLL/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\SYSTEM\BKOM.DLL/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = msn.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\SYSTEM\BKOM.DLL/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = msn.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:8080
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {656EC4B7-072B-4698-B504-2A414C1F0037} - C:\PROGRAM FILES\PROPEL ACCELERATOR\PRPL_IEPOPUPBLOCKER.DLL
O2 - BHO: (no name) - {39DE70A7-DA4A-4E28-8F04-870CAEA59F53} - C:\WINDOWS\SYSTEM\BKOM.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [Propel Accelerator] C:\PROGRAM FILES\PROPEL ACCELERATOR\PROPELAC.EXE
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [rtvscn95] C:\PROGRA~1\SYMANT~1\SYMANT~1\rtvscn95.exe
O4 - HKLM\..\RunServices: [defwatch] C:\PROGRA~1\SYMANT~1\SYMANT~1\defwatch.exe
O4 - HKCU\..\Run: [Reminder] C:\Program Files\Microsoft Money\System\reminder.exe
O4 - Startup: MSN Quick View.lnk = C:\Program Files\ONMSN\MSNDC.EXE
O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: Refresh Pa&ge with Full Quality - C:\Program Files\Propel Accelerator\pac-page.html
O8 - Extra context menu item: Allow pop-ups from this site - C:\Program Files\Propel Accelerator\pac-addwl.html
O8 - Extra context menu item: Refresh Pi&cture with Full Quality - C:\Program Files\Propel Accelerator\pac-image.html
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {8F0F5093-0A70-11D0-BCA9-00C04FD85AA6} (MSN Setup BBS Object) - http://fdl.msn.com/public/msnqfe/oc/setupbbs.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?38124.8584259259
O16 - DPF: {2359626E-7524-4F87-B04E-22CD38A0C88C} (ICSScannerLight Class) - http://download.zonelabs.com/bin/free/cm/ICSCM.cab

 

Re: I'm begging PLESE HELP??!!!!!

For what it's worth I ran the PV program (as many options as I could) and here they are. If they need to be moved (or irrelevant), tell me where as it would be more sure to copy from this post at this time.

--------------------------------------------------------------------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{656EC4B7-072B-4698-B504-2A414C1F0037}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{39DE70A7-DA4A-4E28-8F04-870CAEA59F53}]

------------------------------------------------------------------------


REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{c95fe080-8f5d-11d2-a20b-00aa003c157a}]
"MenuText"="@shdoclc.dll,-864"
"MenuStatusBar"="@shdoclc.dll,-865"
"Script"=hex(2):43,3a,5c,57,49,4e,44,4f,57,53,5c,77,65,62,5c,72,65,6c,61,74,65,\
64,2e,68,74,6d,00
"clsid"="{1FBA04EE-3024-11D2-8F1F-0000F87ABD16}"
"Icon"=",4"
"HotIcon"=",4"
"ButtonText"="@shdoclc.dll,-866"

-------------------------------------------------------------------------


Module information for 'RUNDLL32.EXE'
MODULE BASE SIZE PATH
SQLPB.DLL 2ae60000 131072 C:\WINDOWS\SYSTEM\SQLPB.DLL
IPHLPAPI.DLL 7d4a0000 32768 C:\WINDOWS\SYSTEM\IPHLPAPI.DLL
MSAFD.DLL 7c110000 45056 C:\WINDOWS\SYSTEM\MSAFD.DLL
IPCFGDLL.DLL 7d4c0000 28672 C:\WINDOWS\SYSTEM\IPCFGDLL.DLL
DHCPCSVC.DLL 7e2d0000 20480 C:\WINDOWS\SYSTEM\DHCPCSVC.DLL
ICMP.DLL 7d960000 24576 C:\WINDOWS\SYSTEM\ICMP.DLL
WSOCK32.DLL 78810000 40960 C:\WINDOWS\SYSTEM\WSOCK32.DLL
MSWSOCK.DLL 7b120000 86016 C:\WINDOWS\SYSTEM\MSWSOCK.DLL
WS2_32.DLL 78860000 73728 C:\WINDOWS\SYSTEM\WS2_32.DLL
WININET.DLL 70200000 610304 C:\WINDOWS\SYSTEM\WININET.DLL
OLEAUT32.DLL 65340000 634880 C:\WINDOWS\SYSTEM\OLEAUT32.DLL
OLE32.DLL 65f00000 794624 C:\WINDOWS\SYSTEM\OLE32.DLL
CRYPT32.DLL 5cf00000 385024 C:\WINDOWS\SYSTEM\CRYPT32.DLL
RPCRT4.DLL 70100000 339968 C:\WINDOWS\SYSTEM\RPCRT4.DLL
MSOSS.DLL 5e380000 151552 C:\WINDOWS\SYSTEM\MSOSS.DLL
WS2HELP.DLL 78850000 24576 C:\WINDOWS\SYSTEM\WS2HELP.DLL
RUNDLL32.EXE 400000 24576 C:\WINDOWS\RUNDLL32.EXE
SHELL32.DLL 66800000 1396736 C:\WINDOWS\SYSTEM\SHELL32.DLL
COMCTL32.DLL bfb70000 557056 C:\WINDOWS\SYSTEM\COMCTL32.DLL
SHLWAPI.DLL 70bd0000 413696 C:\WINDOWS\SYSTEM\SHLWAPI.DLL
MSVCRT.DLL 78000000 278528 C:\WINDOWS\SYSTEM\MSVCRT.DLL
USER32.DLL bff50000 69632 C:\WINDOWS\SYSTEM\USER32.DLL
GDI32.DLL bff20000 155648 C:\WINDOWS\SYSTEM\GDI32.DLL
ADVAPI32.DLL bfea0000 65536 C:\WINDOWS\SYSTEM\ADVAPI32.DLL
KERNEL32.DLL bff70000 471040 C:\WINDOWS\SYSTEM\KERNEL32.DLL

-------------------------------------------------------------------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
"TaskMonitor"="C:\\WINDOWS\\taskmon.exe"
"SystemTray"="SysTray.Exe"
"LoadPowerProfile"="Rundll32.exe powrprof.dll,LoadCurrentPwrScheme"
"vptray"="C:\\PROGRA~1\\SYMANT~1\\SYMANT~1\\vptray.exe"
"Propel Accelerator"="C:\\PROGRAM FILES\\PROPEL ACCELERATOR\\PROPELAC.EXE"
"Tweak UI"="RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp"

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Reminder"="C:\\Program Files\\Microsoft Money\\System\\reminder.exe"

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Runonce]

REGEDIT4


--------------------------------------------------------------------------

 

Re: I'm begging PLESE HELP??!!!!!

OK. You completely and totally lost me, so I'll just start fresh.

Download and unzip: http://members.blackbox.net/hp_links/21/nikolaus.rameis/download/startdreck.htm
DoubleClick: 'StartDreck.exe'
Hit: config
hit: Unmark all
Check these boxes only:
Registry->run keys
System/drivers> Running processes
hit >ok.

Then post the log and give us a chance to respond. As you may have noticed it's a bit busy in here and we all have to do this in our spare time.

Regards,

Pieter

 

Re: I'm begging PLESE HELP??!!!!!

Pieter, I apologise for sounding pushy. That was not my intention when posting all the info. Please forgive me?
I'm a bit nervous every time I get the chance to post that it might be my last for awhile. This has been a long fight and I've taken a beating. I've become quite paranoid of help sites and downloads. I keep getting attacks and I don't know where they're coming from. Right now, I only have a few more "clicks" and I'm shut down for a few hours, where after a lot of scans and disk-cleaning; browser page resets I can get just enough time to post (not always).

Thanks for even trying to help, and please try and over look my being a bit freaked. I've put my PC in the shop (was suppose to be fixed), but it's become "if you gonna do it right, you have to do it yourself" project. Needless to say i had no idea what I was getting into, but on the positive side, I've learned a helluva lot in the process.

Here's my log:

StartDreck (build 2.1.5 public BETA) - 2014-05-24 @ 18:20:43
Platform: Windows 98 (Win 4.10.1998 )

»Registry
»Run Keys
»Current User
»Run
*Reminder=C:\Program Files\Microsoft Money\System\reminder.exe
»RunOnce
»Default User
»Run
*Reminder=C:\Program Files\Microsoft Money\System\reminder.exe
»RunOnce
»Local Machine
»Run
*ScanRegistry=C:\WINDOWS\scanregw.exe /autorun
*TaskMonitor=C:\WINDOWS\taskmon.exe
*SystemTray=SysTray.Exe
*LoadPowerProfile=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
*vptray=C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
*Propel Accelerator=C:\PROGRAM FILES\PROPEL ACCELERATOR\PROPELAC.EXE
*Tweak UI=RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
»RunOnce
»RunServices
*LoadPowerProfile=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
*SchedulingAgent=mstask.exe
*rtvscn95=C:\PROGRA~1\SYMANT~1\SYMANT~1\rtvscn95.exe
*defwatch=C:\PROGRA~1\SYMANT~1\SYMANT~1\defwatch.exe
»RunServicesOnce
**kyt=rundll32 C:\WINDOWS\SYSTEM\SQLPB.DLL,StreamingDeviceSetup
»RunOnceEx
»RunServicesOnceEx
»Files
»System/Drivers
»Running Processes
*FFEF2543=C:\WINDOWS\SYSTEM\KERNEL32.DLL
*FFFF1FF7=C:\WINDOWS\SYSTEM\MSGSRV32.EXE
*FFFF6167=C:\WINDOWS\SYSTEM\MPREXE.EXE
*FFFF8ABF=C:\WINDOWS\SYSTEM\mmtask.tsk
*FFFF4E13=C:\WINDOWS\SYSTEM\MSTASK.EXE
*FFFFEF13=C:\PROGRAM FILES\SYMANTEC_CLIENT_SECURITY\SYMANTEC ANTIVIRUS\RTVSCN95.EXE
*FFFE2ECF=C:\PROGRAM FILES\SYMANTEC_CLIENT_SECURITY\SYMANTEC ANTIVIRUS\DEFWATCH.EXE
*FFFE10FF=C:\WINDOWS\RUNDLL32.EXE
*FFFD3767=C:\WINDOWS\EXPLORER.EXE
*FFFDEB53=C:\WINDOWS\SYSTEM\RNAAPP.EXE
*FFFC01AF=C:\WINDOWS\SYSTEM\TAPISRV.EXE
*FFFC4D3B=C:\WINDOWS\TASKMON.EXE
*FFFC536F=C:\WINDOWS\SYSTEM\SYSTRAY.EXE
*FFFCB713=C:\PROGRAM FILES\SYMANTEC_CLIENT_SECURITY\SYMANTEC ANTIVIRUS\VPTRAY.EXE
*FFFCE7F3=C:\PROGRAM FILES\PROPEL ACCELERATOR\PROPELAC.EXE
*FFFBF3A3=C:\PROGRAM FILES\MICROSOFT MONEY\SYSTEM\REMINDER.EXE
*FFFA34F7=C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
*FFFBE813=C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
*FFF9D9AB=C:\PROGRAM FILES\WINZIP\WINZIP32.EXE
*FFFABB8B=C:\UNZIPPED\STARTDRECK[1]\STARTDRECK.EXE
»Application specific

 

Re: I'm begging PLESE HELP??!!!!!

Hi kdavis,

No problem. I can understand how frustrating it is.

Please boot to DOS and remove this file:
C:\WINDOWS\SYSTEM\SQLPB.DLL

Then boot normally and scan your computer using AdAware as described here:
https://www.wilderssecurity.com/showthread.php?t=15913

Regards,

Pieter

 

Re: I'm begging PLESE HELP??!!!!!

2 things:


1) I'm not familiar with how to remove a file in DOS. Could you please give me a step-by-step directional?

2) I not long ago ran CWShredder, and before it ran, it said I had a CW variant "Smartsearch2". But when it ran, all fields were said to be not infected. Is this related to the DOS file you want me to delete, and if not , could you please help me with how to remove it as well?

Thanks again!!!!

 

Re: I'm begging PLESE HELP??!!!!!

Real easy actually.

In DOS from the C: prompt type these commands, hit ENTER after each line

cd Windows
cd System
del SQLPB.DLL

AdAware or CWShredder will be able to get rid of all the CWS files after the reinfecting dll is gone.

Regards,

Pieter

 

RE: I'm Begging Please Help?!!

Per order of Pieter Arnz I deleted (I think) a file in DOS "C:\WINDOWS\SYSTEM\SQLPB.DLL" like so--C:cd windows, it then gave me the promt C:\WINDOWS>. I then typed cd systems after the latter prompt, and the next promt was C:\WINDOWS\SYSTEM>, which I followed with del SQLPB.DLL, and the next prompt was C:\WINDOWS>; all in this order.
I then rebooted with Cntrl-Alt-Del and an error message was to the affect that "could find SQLPB.DLL". I clicked "OK". I ran Adaware 6 as presribed, and then ran Spybot S&D, and checked and removed all red, coded, threats. I then scanned with Hijackthis, and without checking back with Pieter, I checked and fixed a recurring browser hijack named "v/4 windows update" or close to this. I may have done wrong, but it was out of frustration. I the rescanned Hijackthis and my log is below. Before I came in here to post my log, About:Blank was back on my home page.

I know it's tough to get to everyone timely but please, if someone could, help me to continue this?


Logfile of HijackThis v1.97.7
Scan saved at 7:45:08 PM, on 5/25/04
Platform: Windows 98 Gold (Win9x 4.10.199
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\SYMANTEC_CLIENT_SECURITY\SYMANTEC ANTIVIRUS\RTVSCN95.EXE
C:\PROGRAM FILES\SYMANTEC_CLIENT_SECURITY\SYMANTEC ANTIVIRUS\DEFWATCH.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\SYMANTEC_CLIENT_SECURITY\SYMANTEC ANTIVIRUS\VPTRAY.EXE
C:\PROGRAM FILES\PROPEL ACCELERATOR\PROPELAC.EXE
C:\UNZIPPED\HIJACKTHIS1977\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:8080
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [Propel Accelerator] C:\PROGRAM FILES\PROPEL ACCELERATOR\PROPELAC.EXE
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [rtvscn95] C:\PROGRA~1\SYMANT~1\SYMANT~1\rtvscn95.exe
O4 - HKLM\..\RunServices: [defwatch] C:\PROGRA~1\SYMANT~1\SYMANT~1\defwatch.exe
O4 - HKLM\..\RunServices: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakLogon
O8 - Extra context menu item: Refresh Pa&ge with Full Quality - C:\Program Files\Propel Accelerator\pac-page.html
O8 - Extra context menu item: Allow pop-ups from this site - C:\Program Files\Propel Accelerator\pac-addwl.html
O8 - Extra context menu item: Refresh Pi&cture with Full Quality - C:\Program Files\Propel Accelerator\pac-image.html
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {8F0F5093-0A70-11D0-BCA9-00C04FD85AA6} (MSN Setup BBS Object) - http://fdl.msn.com/public/msnqfe/oc/setupbbs.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

 

Hi kdavis,

I have merged your 2 threads together. Please stay in one thread (this one) until the problems are fixed. If you are having trouble locating your thread, you can click on your name and then click on the "Find all posts by kdavis" to locate your original thread.

Thank you,

snap

 

Shoot! I really don't know what to say. Per Pieter's instructions I tried (at least to delete the "file", and then he said to follow the link would have instructions to clean the rest. I did, and in that instructional it posted a link "post Hijackthis log here".
I knew it wasn't back in this thread, so I believed I was intentionally being redirected to a specific site where HJT logs are interpreted.



-----------------------------------------------------------------------

Please Help if possible?

 

Hi kdavis,

Your log is clean now. Could you try and explain what the problem is?
If about:blank is your homepage, is it still that ugly search page or is it blank as it should be now?

Regards,

Pieter

 

Well, not a whole lot has changed as far as performance. about:blank is gone I think, but when I run CWShredder I get a header message OaLSH_J`.X1<9TWNg40B where "CWSHREDDER" is suppose to be and the message is that I have a CoolWWWSearch trojan variant. when I scan without fix there are some named CWWWS in that log that I can't find in my files. I get about 9 to 13 problems to fix everytime I run SpybotS&D. I did find a couple of Alexarelated1 and 2 files and quite a few other suspicious files. I drug the Alexa related issues to SPybotS&D shredder and kicked it up to "20" times.


Here are some of the wierd files (and they may be fine, just strange to me, and also a lot of recently modified files as recent as hours ago that I have not opened or used.

ALEXAR~1 and ~2.ZIP
OWINDO~2XML
OWINDO~1XML
IEUSER~1.INI
DXM_RU~1.INI and DAT
GLC1382.TMP
{C95fe080-8f5d-IId2-a206-00aa003c157a}


Stuff (curious) like WindowsExplorer125, 71, and 159

{SUB_RFC1766}
IEPEERS.DLL (he he. I am a bit paranoid)
IEMIGRAT.DLL
Cool.Type (a lot of other strange things in Acrobat Reader 5)
Cool.DLL
1zzp3dzz.dat
WIZPLUGIN with related file extensions "1pv spop"

Please be patient as I'm just hoping anything would give you a tip.

There are some funny looking WinZip files, as well as AINF0000, LGC, and PNF files

My cursor is extremely irratic.

I also would appreciate a web link or book referrence where I could find and compare files and extensions (is there such a thing?). And other places where I can learn for myself. I did enjoy that Hijackthis log tutorial, and I'm not afraid of any mistakes as it would take me FAR less time to FDISK and reboot than what I'm going through now. Thing is I don't want to give up. I have aleady made a few mistakes and most were easily repaired.


Please don't get upset with all this rambling, and I don't want to take too much of your time. Any educational sites or ideas is just as good (to me) as helpful directions. REALLY! It's taking me way too long to get back and forth from here. Not anyones fault here.

I'm not gonna be satisfied anyway until I learn this for my self. It's what we all need to do really.


AGAIN!!!! any help is always appreciated. Thanks.



The CWShredder fix scan came up clean, but here is the scan only record.

CWShredder v1.57.0 scan only report
Please understand that a CWShredder 'Scan only' report
might not be sufficient to troubleshoot an infected system.
You can use HijackThis for that:
http://www.merijn.org/files/hijackthis.zip
http://www.spywareinfoforum.com/~merijn/files/hijackthis.zip

Windows 98 (4.10.1998 )
Windows dir: C:\WINDOWS
Windows system dir: C:\WINDOWS\system
AppData folder: C:\WINDOWS\Application Data
Username: Keith Davis

Hosts file not present
Found CWS.Control (if filesize is over 50k) file: C:\WINDOWS\control.exe (2112 bytes, A)
CWS.Oslogo (if value is 2) Registry value: Domains: *.coolwebsearch.com [*] dword:4
CWS.Oslogo (if value is 2) Registry value: Domains: *.coolwwwsearch.com [*] dword:4
CWS.Googlems.2 (if value is 2) Registry value: Domains: *.xxxtoolbar.com [*] dword:4
CWS.Googlems.4 (if value is 2) Registry value: Domains: *.teensguru.com [*] dword:4
Registry value: DefaultPrefix (should be http://) [] http://
Registry value: WWW Prefix (should be http://) [www] http://
Registry value: Mosaic Prefix (should be http://) [mosaic] http://
Registry value: Home Prefix (should be http://) [home] http://
Found Win.ini file: C:\WINDOWS\win.ini (7485 bytes, A)
Found line in Win.ini: load=
Found line in Win.ini: run=
Found System.ini file: C:\WINDOWS\system.ini (2181 bytes, A)
Found line in System.ini: shell=Explorer.exe

- END OF REPORT -

Hijackthis log

Logfile of HijackThis v1.97.7
Scan saved at 5:17:53 PM, on 5/26/04
Platform: Windows 98 Gold (Win9x 4.10.199
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\SYMANTEC_CLIENT_SECURITY\SYMANTEC ANTIVIRUS\RTVSCN95.EXE
C:\PROGRAM FILES\SYMANTEC_CLIENT_SECURITY\SYMANTEC ANTIVIRUS\DEFWATCH.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\SYMANTEC_CLIENT_SECURITY\SYMANTEC ANTIVIRUS\VPTRAY.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\UNZIPPED\HIJACKTHIS1977\HIJACKTHIS.EXE
C:\WINDOWS\NOTEPAD.EXE
C:\UNZIPPED\HIJACKTHIS1977\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://msn.com/
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [rtvscn95] C:\PROGRA~1\SYMANT~1\SYMANT~1\rtvscn95.exe
O4 - HKLM\..\RunServices: [defwatch] C:\PROGRA~1\SYMANT~1\SYMANT~1\defwatch.exe
O4 - HKLM\..\RunServices: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakLogon
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

 

Hi kdavis,

There is one other hijacker that is invisible to HijackThis. to see if you have it: download VX2Finder from this link:
http://www.downloads.subratam.org/VX2Finder9x.exe

Run Vx2Finder click on the *click to find VX2.BetterInternet* button. Then click *make log*.

Copy and paste the contents of the log into your next reply here.

Regards,

Pieter