I'm begging PLESE HELP??!!!!! (merged)

Discussion in 'adware, spyware & hijack cleaning' started by kdavis, May 22, 2004.

  1. kdavis

    kdavis Registered Member

    Joined:
    May 4, 2004
    Posts:
    9
    I'm begging PLESE HELP??!!!!!

    My PC was completely hijacked a few weeks back, and I posted my hijackthis log
    and was given instructions and followed them. It worked on those problems, but
    the HJing was so far advanced, I couldn't get back here for more help. (BTW is
    Netintergrations and this forum the same? I can't get to NI now and was
    wondering.) And not long after (a few hours) my PC crashed.
    After a lot of work I got it back up with what I thought was supposed to be
    a clean reinstall (Windows 98 OS). I never even got back on line and was being
    overrun again. I had popups talking to one another! Well since then I
    reinstalled (FDISK: deleting all DOS extensions and recreating) about 3 times
    (I'm serious that it could be more). Then I had one helluva time reinstalling
    drivers to devices. I have all my drivers on disk but couldn't install. Took a
    lot more work but at least got my modem, display and sound cards working. I
    still have an issue with my printer installation. Says my CPU is at level 5 and
    needs to be at level 6. No changes have been made on my PC except added memory
    a few yrs back. I have no idea what this is, or how to fix it. Yet. I have
    three notebooks full of notes. I have taken every iota of info (chips etc...)
    off of my mother board (M5CNB), but have NEVER found ANY info on my PC (INTEVA)
    except the name.
    Right now I can't get updates. Windows update scan gives an error code that
    I've sent to MS several times, but have yet to get any feedback. I did do MS
    Search "Win 98 drives" and found quite a few updates (some critical).
    I couldn't download Hijack this (had it a few days back but it and SpyWare
    Blaster were destroyed by whatever is in my PC), or get to some help sites at
    all. When I do, and try and download, I'm always interrupted, or a big blue
    screen comes up and says "FATAL ERROR BLA, BLA, BLA". I did have a friend
    download Hijackthis, CWShredder, SpywareBlaster (but can't get updates),
    BHOlist.zip (but can't run) on a floppy, and so I do have a HJthis log to
    display.
    NOTE: Before all this occurred, I only used my PC as an apparatus to get on
    line. It's been a crash course to say the VERY least, and I've come a long way
    from nowhere, and am determined. I saw a topic about an insidious creature
    involving a DOS command "cd C:windowssystemf0r0r" and deletion, and am
    interested but not sure how exactly. I get Windows and DOS command formats
    confused, but after some study in help files can do basic stuff. Wouldn't know
    where to start in deleting a DOS file, or a file in DOS (you can tell I'm
    green).
    Another poster SUZE(?) I believe, posted some similar happenings on her(?)
    PC, but I can't identify the files like she did.

    I know this is long, and a lot to ask, but I'm frustrated as hell, and scared
    I won't get back in "time".
    I'm desperate and begging. Please help?!!!

    Here's my Hijackthis log: (I was able to clean some things up with SpyBot
    S&D, and CWS fixed some IE problems, and out of desperation I checked the
    About:Blank list on hijackthis scan and shredded it)...............



    Logfile of HijackThis v1.97.7
    Scan saved at 3:16:16 PM, on 5/22/14
    Platform: Windows 98 Gold (Win9x 4.10.1998)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\PROGRAM FILES\SYMANTEC_CLIENT_SECURITY\SYMANTEC ANTIVIRUS\RTVSCN95.EXE
    C:\PROGRAM FILES\SYMANTEC_CLIENT_SECURITY\SYMANTEC ANTIVIRUS\DEFWATCH.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\SYSTEM\RNAAPP.EXE
    C:\WINDOWS\SYSTEM\TAPISRV.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\PROGRAM FILES\SYMANTEC_CLIENT_SECURITY\SYMANTEC ANTIVIRUS\VPTRAY.EXE
    C:\PROGRAM FILES\PROPEL ACCELERATOR\PROPELAC.EXE
    C:\PROGRAM FILES\MICROSOFT MONEY\SYSTEM\REMINDER.EXE
    C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
    C:\UNZIPPED\HIJACKTHIS1977\HIJACKTHIS.EXE

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = msn.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = msn.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = msn.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = msn.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = msn.com
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
    O2 - BHO: (no name) - {656EC4B7-072B-4698-B504-2A414C1F0037} - C:\PROGRAM FILES\PROPEL ACCELERATOR\PRPL_IEPOPUPBLOCKER.DLL
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
    O4 - HKLM\..\Run: [Propel Accelerator] C:\PROGRAM FILES\PROPEL ACCELERATOR\PROPELAC.EXE
    O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [rtvscn95] C:\PROGRA~1\SYMANT~1\SYMANT~1\rtvscn95.exe
    O4 - HKLM\..\RunServices: [defwatch] C:\PROGRA~1\SYMANT~1\SYMANT~1\defwatch.exe
    O4 - HKCU\..\Run: [Reminder] C:\Program Files\Microsoft Money\System\reminder.exe
    O4 - Startup: MSN Quick View.lnk = C:\Program Files\ONMSN\MSNDC.EXE
    O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
    O16 - DPF: {8F0F5093-0A70-11D0-BCA9-00C04FD85AA6} (MSN Setup BBS Object) - http://fdl.msn.com/public/msnqfe/oc/setupbbs.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?38124.8584259259
    O16 - DPF: {2359626E-7524-4F87-B04E-22CD38A0C88C} (ICSScannerLight Class) - http://download.zonelabs.com/bin/free/cm/ICSCM.cab

    -------------------------------------------------------------------------------

    I couldn't post the above post when I wrote it, so I tried to clean up some more and am now back with a more current log.

    Again, Please HELP?!!!


    Logfile of HijackThis v1.97.7
    Scan saved at 3:16:16 PM, on 5/22/14
    Platform: Windows 98 Gold (Win9x 4.10.1998)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\PROGRAM FILES\SYMANTEC_CLIENT_SECURITY\SYMANTEC ANTIVIRUS\RTVSCN95.EXE
    C:\PROGRAM FILES\SYMANTEC_CLIENT_SECURITY\SYMANTEC ANTIVIRUS\DEFWATCH.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\SYSTEM\RNAAPP.EXE
    C:\WINDOWS\SYSTEM\TAPISRV.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\PROGRAM FILES\SYMANTEC_CLIENT_SECURITY\SYMANTEC ANTIVIRUS\VPTRAY.EXE
    C:\PROGRAM FILES\PROPEL ACCELERATOR\PROPELAC.EXE
    C:\PROGRAM FILES\MICROSOFT MONEY\SYSTEM\REMINDER.EXE
    C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
    C:\UNZIPPED\HIJACKTHIS1977\HIJACKTHIS.EXE

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = msn.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = msn.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = msn.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = msn.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = msn.com
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
    O2 - BHO: (no name) - {656EC4B7-072B-4698-B504-2A414C1F0037} - C:\PROGRAM FILES\PROPEL ACCELERATOR\PRPL_IEPOPUPBLOCKER.DLL
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
    O4 - HKLM\..\Run: [Propel Accelerator] C:\PROGRAM FILES\PROPEL ACCELERATOR\PROPELAC.EXE
    O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [rtvscn95] C:\PROGRA~1\SYMANT~1\SYMANT~1\rtvscn95.exe
    O4 - HKLM\..\RunServices: [defwatch] C:\PROGRA~1\SYMANT~1\SYMANT~1\defwatch.exe
    O4 - HKCU\..\Run: [Reminder] C:\Program Files\Microsoft Money\System\reminder.exe
    O4 - Startup: MSN Quick View.lnk = C:\Program Files\ONMSN\MSNDC.EXE
    O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
    O16 - DPF: {8F0F5093-0A70-11D0-BCA9-00C04FD85AA6} (MSN Setup BBS Object) - http://fdl.msn.com/public/msnqfe/oc/setupbbs.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?38124.8584259259
    O16 - DPF: {2359626E-7524-4F87-B04E-22CD38A0C88C} (ICSScannerLight Class) - http://download.zonelabs.com/bin/free/cm/ICSCM.cab
     
  2. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,330
    Location:
    Netherlands
    Re: I'm begging PLESE HELP??!!!!!

    Hi kdavis,

    Can you find this file c:\windows\hosts and rename it to hosts.bak ?
    Let me know if you can reach N-I (which is not the same but similar to this board) now.

    Regards,

    Pieter
     
  3. kdavis

    kdavis Registered Member

    Joined:
    May 4, 2004
    Posts:
    9
    Re: I'm begging PLESE HELP??!!!!!

    I did, Pieter. Haven't tried to go to NI yet. Will shortly.
    Anyway, there was also another C:\windows\host file found "Lmhost", do I rename it also?
     
  4. kdavis

    kdavis Registered Member

    Joined:
    May 4, 2004
    Posts:
    9
    Re: I'm begging PLESE HELP??!!!!!

    current Hijackthis log.

    Logfile of HijackThis v1.97.7
    Scan saved at 7:46:00 AM, on 5/24/14
    Platform: Windows 98 Gold (Win9x 4.10.1998)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\PROGRAM FILES\SYMANTEC_CLIENT_SECURITY\SYMANTEC ANTIVIRUS\RTVSCN95.EXE
    C:\PROGRAM FILES\SYMANTEC_CLIENT_SECURITY\SYMANTEC ANTIVIRUS\DEFWATCH.EXE
    C:\PROGRAM FILES\SYMANTEC\LIVEUPDATE\LUCOMSERVER.EXE
    C:\PROGRAM FILES\SYMANTEC\LIVEUPDATE\LUALL.EXE
    C:\WINDOWS\SYSTEM\RNAAPP.EXE
    C:\WINDOWS\SYSTEM\TAPISRV.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\PROGRAM FILES\SYMANTEC_CLIENT_SECURITY\SYMANTEC ANTIVIRUS\VPTRAY.EXE
    C:\PROGRAM FILES\PROPEL ACCELERATOR\PROPELAC.EXE
    C:\PROGRAM FILES\MICROSOFT MONEY\SYSTEM\REMINDER.EXE
    C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
    C:\UNZIPPED\HIJACKTHIS1977\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\SYSTEM\BKOM.DLL/sp.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\SYSTEM\BKOM.DLL/sp.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\SYSTEM\BKOM.DLL/sp.html (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\SYSTEM\BKOM.DLL/sp.html (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\SYSTEM\BKOM.DLL/sp.html (obfuscated)
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = msn.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\SYSTEM\BKOM.DLL/sp.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = msn.com
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:8080
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
    O2 - BHO: (no name) - {656EC4B7-072B-4698-B504-2A414C1F0037} - C:\PROGRAM FILES\PROPEL ACCELERATOR\PRPL_IEPOPUPBLOCKER.DLL
    O2 - BHO: (no name) - {39DE70A7-DA4A-4E28-8F04-870CAEA59F53} - C:\WINDOWS\SYSTEM\BKOM.DLL
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
    O4 - HKLM\..\Run: [Propel Accelerator] C:\PROGRAM FILES\PROPEL ACCELERATOR\PROPELAC.EXE
    O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [rtvscn95] C:\PROGRA~1\SYMANT~1\SYMANT~1\rtvscn95.exe
    O4 - HKLM\..\RunServices: [defwatch] C:\PROGRA~1\SYMANT~1\SYMANT~1\defwatch.exe
    O4 - HKCU\..\Run: [Reminder] C:\Program Files\Microsoft Money\System\reminder.exe
    O4 - Startup: MSN Quick View.lnk = C:\Program Files\ONMSN\MSNDC.EXE
    O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O8 - Extra context menu item: Refresh Pa&ge with Full Quality - C:\Program Files\Propel Accelerator\pac-page.html
    O8 - Extra context menu item: Allow pop-ups from this site - C:\Program Files\Propel Accelerator\pac-addwl.html
    O8 - Extra context menu item: Refresh Pi&cture with Full Quality - C:\Program Files\Propel Accelerator\pac-image.html
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
    O16 - DPF: {8F0F5093-0A70-11D0-BCA9-00C04FD85AA6} (MSN Setup BBS Object) - http://fdl.msn.com/public/msnqfe/oc/setupbbs.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?38124.8584259259
    O16 - DPF: {2359626E-7524-4F87-B04E-22CD38A0C88C} (ICSScannerLight Class) - http://download.zonelabs.com/bin/free/cm/ICSCM.cab
     
  5. kdavis

    kdavis Registered Member

    Joined:
    May 4, 2004
    Posts:
    9
    Re: I'm begging PLESE HELP??!!!!!

    For what it's worth I ran the PV program (as many options as I could) and here they are. If they need to be moved (or irrelevant), tell me where as it would be more sure to copy from this post at this time.

    --------------------------------------------------------------------------

    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{656EC4B7-072B-4698-B504-2A414C1F0037}]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{39DE70A7-DA4A-4E28-8F04-870CAEA59F53}]

    ------------------------------------------------------------------------


    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{c95fe080-8f5d-11d2-a20b-00aa003c157a}]
    "MenuText"="@shdoclc.dll,-864"
    "MenuStatusBar"="@shdoclc.dll,-865"
    "Script"=hex(2):43,3a,5c,57,49,4e,44,4f,57,53,5c,77,65,62,5c,72,65,6c,61,74,65,\
    64,2e,68,74,6d,00
    "clsid"="{1FBA04EE-3024-11D2-8F1F-0000F87ABD16}"
    "Icon"=",4"
    "HotIcon"=",4"
    "ButtonText"="@shdoclc.dll,-866"

    -------------------------------------------------------------------------


    Module information for 'RUNDLL32.EXE'
    MODULE BASE SIZE PATH
    SQLPB.DLL 2ae60000 131072 C:\WINDOWS\SYSTEM\SQLPB.DLL
    IPHLPAPI.DLL 7d4a0000 32768 C:\WINDOWS\SYSTEM\IPHLPAPI.DLL
    MSAFD.DLL 7c110000 45056 C:\WINDOWS\SYSTEM\MSAFD.DLL
    IPCFGDLL.DLL 7d4c0000 28672 C:\WINDOWS\SYSTEM\IPCFGDLL.DLL
    DHCPCSVC.DLL 7e2d0000 20480 C:\WINDOWS\SYSTEM\DHCPCSVC.DLL
    ICMP.DLL 7d960000 24576 C:\WINDOWS\SYSTEM\ICMP.DLL
    WSOCK32.DLL 78810000 40960 C:\WINDOWS\SYSTEM\WSOCK32.DLL
    MSWSOCK.DLL 7b120000 86016 C:\WINDOWS\SYSTEM\MSWSOCK.DLL
    WS2_32.DLL 78860000 73728 C:\WINDOWS\SYSTEM\WS2_32.DLL
    WININET.DLL 70200000 610304 C:\WINDOWS\SYSTEM\WININET.DLL
    OLEAUT32.DLL 65340000 634880 C:\WINDOWS\SYSTEM\OLEAUT32.DLL
    OLE32.DLL 65f00000 794624 C:\WINDOWS\SYSTEM\OLE32.DLL
    CRYPT32.DLL 5cf00000 385024 C:\WINDOWS\SYSTEM\CRYPT32.DLL
    RPCRT4.DLL 70100000 339968 C:\WINDOWS\SYSTEM\RPCRT4.DLL
    MSOSS.DLL 5e380000 151552 C:\WINDOWS\SYSTEM\MSOSS.DLL
    WS2HELP.DLL 78850000 24576 C:\WINDOWS\SYSTEM\WS2HELP.DLL
    RUNDLL32.EXE 400000 24576 C:\WINDOWS\RUNDLL32.EXE
    SHELL32.DLL 66800000 1396736 C:\WINDOWS\SYSTEM\SHELL32.DLL
    COMCTL32.DLL bfb70000 557056 C:\WINDOWS\SYSTEM\COMCTL32.DLL
    SHLWAPI.DLL 70bd0000 413696 C:\WINDOWS\SYSTEM\SHLWAPI.DLL
    MSVCRT.DLL 78000000 278528 C:\WINDOWS\SYSTEM\MSVCRT.DLL
    USER32.DLL bff50000 69632 C:\WINDOWS\SYSTEM\USER32.DLL
    GDI32.DLL bff20000 155648 C:\WINDOWS\SYSTEM\GDI32.DLL
    ADVAPI32.DLL bfea0000 65536 C:\WINDOWS\SYSTEM\ADVAPI32.DLL
    KERNEL32.DLL bff70000 471040 C:\WINDOWS\SYSTEM\KERNEL32.DLL

    -------------------------------------------------------------------------

    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
    "TaskMonitor"="C:\\WINDOWS\\taskmon.exe"
    "SystemTray"="SysTray.Exe"
    "LoadPowerProfile"="Rundll32.exe powrprof.dll,LoadCurrentPwrScheme"
    "vptray"="C:\\PROGRA~1\\SYMANT~1\\SYMANT~1\\vptray.exe"
    "Propel Accelerator"="C:\\PROGRAM FILES\\PROPEL ACCELERATOR\\PROPELAC.EXE"
    "Tweak UI"="RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp"

    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Reminder"="C:\\Program Files\\Microsoft Money\\System\\reminder.exe"

    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Runonce]

    REGEDIT4


    --------------------------------------------------------------------------
     
  6. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,330
    Location:
    Netherlands
    Re: I'm begging PLESE HELP??!!!!!

    OK. You completely and totally lost me, so I'll just start fresh.

    Download and unzip: http://members.blackbox.net/hp_links/21/nikolaus.rameis/download/startdreck.htm
    DoubleClick: 'StartDreck.exe'
    Hit: config
    hit: Unmark all
    Check these boxes only:
    Registry->run keys
    System/drivers> Running processes
    hit >ok.

    Then post the log and give us a chance to respond. As you may have noticed it's a bit busy in here and we all have to do this in our spare time.

    Regards,

    Pieter
     
  7. kdavis

    kdavis Registered Member

    Joined:
    May 4, 2004
    Posts:
    9
    Re: I'm begging PLESE HELP??!!!!!

    Pieter, I apologise for sounding pushy. That was not my intention when posting all the info. Please forgive me?
    I'm a bit nervous every time I get the chance to post that it might be my last for awhile. This has been a long fight and I've taken a beating. I've become quite paranoid of help sites and downloads. I keep getting attacks and I don't know where they're coming from. Right now, I only have a few more "clicks" and I'm shut down for a few hours, where after a lot of scans and disk-cleaning; browser page resets I can get just enough time to post (not always).

    Thanks for even trying to help, and please try and overlook my being a bit freaked. I've put my PC in the shop (was supposed to be fixed), but it's become "if you gonna do it right, you have to do it yourself" project. Needless to say I had no idea what I was getting into, but on the positive side, I've learned a helluva lot in the process.

    Here's my log:

    StartDreck (build 2.1.5 public BETA) - 2014-05-24 @ 18:20:43
    Platform: Windows 98 (Win 4.10.1998 )

    »Registry
    »Run Keys
    »Current User
    »Run
    *Reminder=C:\Program Files\Microsoft Money\System\reminder.exe
    »RunOnce
    »Default User
    »Run
    *Reminder=C:\Program Files\Microsoft Money\System\reminder.exe
    »RunOnce
    »Local Machine
    »Run
    *ScanRegistry=C:\WINDOWS\scanregw.exe /autorun
    *TaskMonitor=C:\WINDOWS\taskmon.exe
    *SystemTray=SysTray.Exe
    *LoadPowerProfile=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    *vptray=C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
    *Propel Accelerator=C:\PROGRAM FILES\PROPEL ACCELERATOR\PROPELAC.EXE
    *Tweak UI=RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
    »RunOnce
    »RunServices
    *LoadPowerProfile=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    *SchedulingAgent=mstask.exe
    *rtvscn95=C:\PROGRA~1\SYMANT~1\SYMANT~1\rtvscn95.exe
    *defwatch=C:\PROGRA~1\SYMANT~1\SYMANT~1\defwatch.exe
    »RunServicesOnce
    **kyt=rundll32 C:\WINDOWS\SYSTEM\SQLPB.DLL,StreamingDeviceSetup
    »RunOnceEx
    »RunServicesOnceEx
    »Files
    »System/Drivers
    »Running Processes
    *FFEF2543=C:\WINDOWS\SYSTEM\KERNEL32.DLL
    *FFFF1FF7=C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    *FFFF6167=C:\WINDOWS\SYSTEM\MPREXE.EXE
    *FFFF8ABF=C:\WINDOWS\SYSTEM\mmtask.tsk
    *FFFF4E13=C:\WINDOWS\SYSTEM\MSTASK.EXE
    *FFFFEF13=C:\PROGRAM FILES\SYMANTEC_CLIENT_SECURITY\SYMANTEC ANTIVIRUS\RTVSCN95.EXE
    *FFFE2ECF=C:\PROGRAM FILES\SYMANTEC_CLIENT_SECURITY\SYMANTEC ANTIVIRUS\DEFWATCH.EXE
    *FFFE10FF=C:\WINDOWS\RUNDLL32.EXE
    *FFFD3767=C:\WINDOWS\EXPLORER.EXE
    *FFFDEB53=C:\WINDOWS\SYSTEM\RNAAPP.EXE
    *FFFC01AF=C:\WINDOWS\SYSTEM\TAPISRV.EXE
    *FFFC4D3B=C:\WINDOWS\TASKMON.EXE
    *FFFC536F=C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    *FFFCB713=C:\PROGRAM FILES\SYMANTEC_CLIENT_SECURITY\SYMANTEC ANTIVIRUS\VPTRAY.EXE
    *FFFCE7F3=C:\PROGRAM FILES\PROPEL ACCELERATOR\PROPELAC.EXE
    *FFFBF3A3=C:\PROGRAM FILES\MICROSOFT MONEY\SYSTEM\REMINDER.EXE
    *FFFA34F7=C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
    *FFFBE813=C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
    *FFF9D9AB=C:\PROGRAM FILES\WINZIP\WINZIP32.EXE
    *FFFABB8B=C:\UNZIPPED\STARTDRECK[1]\STARTDRECK.EXE
    »Application specific
     
  8. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,330
    Location:
    Netherlands
    Re: I'm begging PLESE HELP??!!!!!

    Hi kdavis,

    No problem. I can understand how frustrating it is.

    Please boot to DOS and remove this file:
    C:\WINDOWS\SYSTEM\SQLPB.DLL

    Then boot normally and scan your computer using AdAware as described here:
    https://www.wilderssecurity.com/showthread.php?t=15913

    Regards,

    Pieter
     
  9. kdavis

    kdavis Registered Member

    Joined:
    May 4, 2004
    Posts:
    9
    Re: I'm begging PLESE HELP??!!!!!

    2 things:


    1) I'm not familiar with how to remove a file in DOS. Could you please give me a step-by-step directional?

    2) I not long ago ran CWShredder, and before it ran, it said I had a CW variant "Smartsearch2". But when it ran, all fields were said to be not infected. Is this related to the DOS file you want me to delete, and if not, could you please help me with how to remove it as well?

    Thanks again!!!!
     
  10. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,330
    Location:
    Netherlands
    Re: I'm begging PLESE HELP??!!!!!

    Real easy actually.

    In DOS from the C: prompt type these commands, hit ENTER after each line

    cd Windows
    cd System
    del SQLPB.DLL

    AdAware or CWShredder will be able to get rid of all the CWS files after the reinfecting dll is gone.

    Regards,

    Pieter
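
The triage that runs through the posts above (compare two HijackThis logs, see which file the new entries point at, then check the run keys for whatever reloads it), as an added example that is not part of the original thread. The log excerpts are copied from the posts above; the function names and the rule of flagging `rundll32` values under one-shot `*Once` keys are assumptions made for this illustration.

```python
import re

# Excerpts copied from the logs posted in this thread (not the complete logs).
HJT_BEFORE = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = msn.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = msn.com
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
"""
HJT_AFTER = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\SYSTEM\BKOM.DLL/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\SYSTEM\BKOM.DLL/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = msn.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:8080
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {39DE70A7-DA4A-4E28-8F04-870CAEA59F53} - C:\WINDOWS\SYSTEM\BKOM.DLL
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
"""
STARTDRECK = r"""
»Local Machine
»Run
*LoadPowerProfile=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
*Tweak UI=RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
»RunServices
*SchedulingAgent=mstask.exe
»RunServicesOnce
**kyt=rundll32 C:\WINDOWS\SYSTEM\SQLPB.DLL,StreamingDeviceSetup
»RunOnceEx
"""

ENTRY_RE = re.compile(r"^([RO]\d+) - (.*)$")
DLL_RE = re.compile(r'[A-Za-z]:\\[^/,*?"<>|]*?\.dll', re.IGNORECASE)
RUNDLL_RE = re.compile(r"rundll32(?:\.exe)?\s+(.+?),(\w+)\s*$", re.IGNORECASE)


def parse_hjt(log):
    """Return the HijackThis entries of a log as (section, text) tuples."""
    entries = []
    for line in log.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def new_entries(before, after):
    """Entries present in the later log but not in the earlier one."""
    seen = set(parse_hjt(before))
    return [e for e in parse_hjt(after) if e not in seen]


def dlls_by_section(entries):
    """Map each full-path DLL to the HijackThis sections that reference it."""
    refs = {}
    for section, text in entries:
        for path in DLL_RE.findall(text):
            sections = refs.setdefault(path.upper(), [])
            if section not in sections:
                sections.append(section)
    return refs


def rundll32_autoruns(log):
    """Return (key, value name, target, export) for rundll32 autorun values
    in a StartDreck log; lines starting with » are section headers."""
    key, found = None, []
    for line in log.splitlines():
        line = line.strip()
        if line.startswith("»"):
            key = line[1:]
        elif line.startswith("*"):
            name, _, command = line.lstrip("*").partition("=")
            m = RUNDLL_RE.match(command)
            if m:
                found.append((key, name, m.group(1).upper(), m.group(2)))
    return found


def once_key_loaders(log):
    """Assumed heuristic: a rundll32 value under a *Once key deserves a look,
    because Windows deletes such values after running them, so one that is
    present in a later scan has been written again by something else."""
    return [a for a in rundll32_autoruns(log) if "once" in a[0].lower()]


if __name__ == "__main__":
    for section, text in new_entries(HJT_BEFORE, HJT_AFTER):
        print("new:", section, text)
    print(dlls_by_section(new_entries(HJT_BEFORE, HJT_AFTER)))
    print(once_key_loaders(STARTDRECK))
```
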
     
  11. kdavis

    kdavis Registered Member

    Joined:
    May 4, 2004
    Posts:
    9
    RE: I'm Begging Please Help?!!

    Per order of Pieter Arntz I deleted (I think) a file in DOS "C:\WINDOWS\SYSTEM\SQLPB.DLL" like so--C:cd windows, it then gave me the prompt C:\WINDOWS>. I then typed cd systems after the latter prompt, and the next prompt was C:\WINDOWS\SYSTEM>, which I followed with del SQLPB.DLL, and the next prompt was C:\WINDOWS>; all in this order.
    I then rebooted with Ctrl-Alt-Del and an error message was to the effect that "could find SQLPB.DLL". I clicked "OK". I ran Adaware 6 as prescribed, and then ran Spybot S&D, and checked and removed all red, coded, threats. I then scanned with Hijackthis, and without checking back with Pieter, I checked and fixed a recurring browser hijack named "v/4 windows update" or close to this. I may have done wrong, but it was out of frustration. I then rescanned Hijackthis and my log is below. Before I came in here to post my log, About:Blank was back on my home page.

    I know it's tough to get to everyone timely but please, if someone could, help me to continue this?


    Logfile of HijackThis v1.97.7
    Scan saved at 7:45:08 PM, on 5/25/04
    Platform: Windows 98 Gold (Win9x 4.10.1998)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\PROGRAM FILES\SYMANTEC_CLIENT_SECURITY\SYMANTEC ANTIVIRUS\RTVSCN95.EXE
    C:\PROGRAM FILES\SYMANTEC_CLIENT_SECURITY\SYMANTEC ANTIVIRUS\DEFWATCH.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\SYSTEM\RNAAPP.EXE
    C:\WINDOWS\SYSTEM\TAPISRV.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\PROGRAM FILES\SYMANTEC_CLIENT_SECURITY\SYMANTEC ANTIVIRUS\VPTRAY.EXE
    C:\PROGRAM FILES\PROPEL ACCELERATOR\PROPELAC.EXE
    C:\UNZIPPED\HIJACKTHIS1977\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:8080
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
    O4 - HKLM\..\Run: [Propel Accelerator] C:\PROGRAM FILES\PROPEL ACCELERATOR\PROPELAC.EXE
    O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [rtvscn95] C:\PROGRA~1\SYMANT~1\SYMANT~1\rtvscn95.exe
    O4 - HKLM\..\RunServices: [defwatch] C:\PROGRA~1\SYMANT~1\SYMANT~1\defwatch.exe
    O4 - HKLM\..\RunServices: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakLogon
    O8 - Extra context menu item: Refresh Pa&ge with Full Quality - C:\Program Files\Propel Accelerator\pac-page.html
    O8 - Extra context menu item: Allow pop-ups from this site - C:\Program Files\Propel Accelerator\pac-addwl.html
    O8 - Extra context menu item: Refresh Pi&cture with Full Quality - C:\Program Files\Propel Accelerator\pac-image.html
    O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
    O16 - DPF: {8F0F5093-0A70-11D0-BCA9-00C04FD85AA6} (MSN Setup BBS Object) - http://fdl.msn.com/public/msnqfe/oc/setupbbs.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
     
  12. snapdragin

    snapdragin Administrator

    Joined:
    Feb 16, 2002
    Posts:
    8,415
    Location:
    Southern Ont., Canada
    Hi kdavis,

    I have merged your 2 threads together. Please stay in one thread (this one) until the problems are fixed. If you are having trouble locating your thread, you can click on your name and then click on the "Find all posts by kdavis" to locate your original thread. :)

    Thank you,

    snap
     
  13. kdavis

    kdavis Registered Member

    Joined:
    May 4, 2004
    Posts:
    9
    Shoot! I really don't know what to say. Per Pieter's instructions I tried (at least) to delete the "file", and then he said to follow the link would have instructions to clean the rest. I did, and in that instructional it posted a link "post Hijackthis log here".
    I knew it wasn't back in this thread, so I believed I was intentionally being redirected to a specific site where HJT logs are interpreted.



    -----------------------------------------------------------------------

    Please Help if possible?
     
  14. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,330
    Location:
    Netherlands
    Hi kdavis,

    Your log is clean now. Could you try and explain what the problem is?
    If about:blank is your homepage, is it still that ugly search page or is it blank as it should be now?

    Regards,

    Pieter
     
  15. kdavis

    kdavis Registered Member

    Joined:
    May 4, 2004
    Posts:
    9
    Well, not a whole lot has changed as far as performance. about:blank is gone I think, but when I run CWShredder I get a header message OaLSH_J`.X1<9TWNg40B where "CWSHREDDER" is supposed to be and the message is that I have a CoolWWWSearch trojan variant. When I scan without fix there are some named CWWWS in that log that I can't find in my files. I get about 9 to 13 problems to fix every time I run SpybotS&D. I did find a couple of Alexarelated1 and 2 files and quite a few other suspicious files. I drug the Alexa related issues to SpybotS&D shredder and kicked it up to "20" times.


    Here are some of the weird files (and they may be fine, just strange to me, and also a lot of recently modified files as recent as hours ago that I have not opened or used).

    ALEXAR~1 and ~2.ZIP
    OWINDO~2XML
    OWINDO~1XML
    IEUSER~1.INI
    DXM_RU~1.INI and DAT
    GLC1382.TMP
    {C95fe080-8f5d-IId2-a206-00aa003c157a}


    Stuff (curious) like WindowsExplorer125, 71, and 159

    {SUB_RFC1766}
    IEPEERS.DLL (he he. I am a bit paranoid)
    IEMIGRAT.DLL
    Cool.Type (a lot of other strange things in Acrobat Reader 5)
    Cool.DLL
    1zzp3dzz.dat
    WIZPLUGIN with related file extensions "1pv spop"

    Please be patient as I'm just hoping anything would give you a tip.

    There are some funny looking WinZip files, as well as AINF0000, LGC, and PNF files

    My cursor is extremely erratic.

    I also would appreciate a web link or book reference where I could find and compare files and extensions (is there such a thing?). And other places where I can learn for myself. I did enjoy that Hijackthis log tutorial, and I'm not afraid of any mistakes as it would take me FAR less time to FDISK and reboot than what I'm going through now. Thing is I don't want to give up. I have already made a few mistakes and most were easily repaired.


    Please don't get upset with all this rambling, and I don't want to take too much of your time. Any educational sites or ideas are just as good (to me) as helpful directions. REALLY! It's taking me way too long to get back and forth from here. Not anyone's fault here.

    I'm not gonna be satisfied anyway until I learn this for myself. It's what we all need to do really.


    AGAIN!!!! any help is always appreciated. Thanks.



    The CWShredder fix scan came up clean, but here is the scan only record.

    CWShredder v1.57.0 scan only report
    Please understand that a CWShredder 'Scan only' report
    might not be sufficient to troubleshoot an infected system.
    You can use HijackThis for that:
    http://www.merijn.org/files/hijackthis.zip
    http://www.spywareinfoforum.com/~merijn/files/hijackthis.zip

    Windows 98 (4.10.1998 )
    Windows dir: C:\WINDOWS
    Windows system dir: C:\WINDOWS\system
    AppData folder: C:\WINDOWS\Application Data
    Username: Keith Davis

    Hosts file not present
    Found CWS.Control (if filesize is over 50k) file: C:\WINDOWS\control.exe (2112 bytes, A)
    CWS.Oslogo (if value is 2) Registry value: Domains: *.coolwebsearch.com [*] dword:4
    CWS.Oslogo (if value is 2) Registry value: Domains: *.coolwwwsearch.com [*] dword:4
    CWS.Googlems.2 (if value is 2) Registry value: Domains: *.xxxtoolbar.com [*] dword:4
    CWS.Googlems.4 (if value is 2) Registry value: Domains: *.teensguru.com [*] dword:4
    Registry value: DefaultPrefix (should be http://) [] http://
    Registry value: WWW Prefix (should be http://) [www] http://
    Registry value: Mosaic Prefix (should be http://) [mosaic] http://
    Registry value: Home Prefix (should be http://) [home] http://
    Found Win.ini file: C:\WINDOWS\win.ini (7485 bytes, A)
    Found line in Win.ini: load=
    Found line in Win.ini: run=
    Found System.ini file: C:\WINDOWS\system.ini (2181 bytes, A)
    Found line in System.ini: shell=Explorer.exe

    - END OF REPORT -

    Hijackthis log

    Logfile of HijackThis v1.97.7
    Scan saved at 5:17:53 PM, on 5/26/04
    Platform: Windows 98 Gold (Win9x 4.10.1998)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\PROGRAM FILES\SYMANTEC_CLIENT_SECURITY\SYMANTEC ANTIVIRUS\RTVSCN95.EXE
    C:\PROGRAM FILES\SYMANTEC_CLIENT_SECURITY\SYMANTEC ANTIVIRUS\DEFWATCH.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\SYSTEM\RNAAPP.EXE
    C:\WINDOWS\SYSTEM\TAPISRV.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\PROGRAM FILES\SYMANTEC_CLIENT_SECURITY\SYMANTEC ANTIVIRUS\VPTRAY.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\UNZIPPED\HIJACKTHIS1977\HIJACKTHIS.EXE
    C:\WINDOWS\NOTEPAD.EXE
    C:\UNZIPPED\HIJACKTHIS1977\HIJACKTHIS.EXE

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://msn.com/
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
    O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [rtvscn95] C:\PROGRA~1\SYMANT~1\SYMANT~1\rtvscn95.exe
    O4 - HKLM\..\RunServices: [defwatch] C:\PROGRA~1\SYMANT~1\SYMANT~1\defwatch.exe
    O4 - HKLM\..\RunServices: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakLogon
    O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
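
An added example, not part of the original posts and not CWShredder's own code: the scan-only report in post 15 states each check's condition inline ("if value is 2", "if filesize is over 50k", "should be http://"), so a short Python script can evaluate those conditions against the values the report lists. The regular expressions and the reading of "50k" as 50 * 1024 bytes are assumptions.

```python
import re

# Lines copied from the CWShredder v1.57.0 scan-only report in post 15.
REPORT = r"""
Found CWS.Control (if filesize is over 50k) file: C:\WINDOWS\control.exe (2112 bytes, A)
CWS.Oslogo (if value is 2) Registry value: Domains: *.coolwebsearch.com [*] dword:4
CWS.Oslogo (if value is 2) Registry value: Domains: *.coolwwwsearch.com [*] dword:4
CWS.Googlems.2 (if value is 2) Registry value: Domains: *.xxxtoolbar.com [*] dword:4
CWS.Googlems.4 (if value is 2) Registry value: Domains: *.teensguru.com [*] dword:4
Registry value: DefaultPrefix (should be http://) [] http://
Registry value: WWW Prefix (should be http://) [www] http://
Registry value: Mosaic Prefix (should be http://) [mosaic] http://
Registry value: Home Prefix (should be http://) [home] http://
"""

# Assumed patterns for the three kinds of conditional line in that report.
SIZE = re.compile(r"(CWS\.[\w.]+) \(if filesize is over (\d+)k\) file: (.+) \((\d+) bytes")
ZONE = re.compile(r"(CWS\.[\w.]+) \(if value is (\d+)\) Registry value: Domains: (\S+) \[\*\] dword:(\d+)")
PREFIX = re.compile(r"Registry value: (.+?) \(should be (\S+)\) \[.*?\] (\S+)")

def evaluate(report):
    """Return (item, condition_met, detail) for every conditional report line."""
    results = []
    for line in map(str.strip, report.splitlines()):
        if m := SIZE.search(line):
            name, limit_k, path, size = m.groups()
            # Assumption: "50k" in the report means 50 * 1024 bytes.
            met = int(size) > int(limit_k) * 1024
            results.append((f"{name} {path}", met, f"{size} bytes, flagged above {limit_k}k"))
        elif m := ZONE.search(line):
            name, bad, domain, actual = m.groups()
            results.append((f"{name} {domain}", int(actual) == int(bad), f"value {actual}, flagged if {bad}"))
        elif m := PREFIX.search(line):
            key, expected, actual = m.groups()
            results.append((key, actual != expected, f"{actual}, expected {expected}"))
    return results

def flagged(report):
    """Items whose stated condition is actually met by the reported value."""
    return [item for item, met, _ in evaluate(report) if met]

if __name__ == "__main__":
    for item, met, detail in evaluate(REPORT):
        print(("MATCH " if met else "ok    ") + item + ": " + detail)
```

Run against the report as posted, none of the nine conditional lines meets its own stated condition; a line is only listed by `flagged()` when the reported value does.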
     
  16. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,330
    Location:
    Netherlands
    Hi kdavis,

    There is one other hijacker that is invisible to HijackThis. To see if you have it, download VX2Finder from this link:
    http://www.downloads.subratam.org/VX2Finder9x.exe

    Run Vx2Finder and click on the *click to find VX2.BetterInternet* button. Then click *make log*.

    Copy and paste the contents of the log into your next reply here.

    Regards,

    Pieter
     