TheTechGuide Forum
General Category => Tech Clinic => Topic started by: jack1 on March 08, 2005, 10:51:46 AM
-
I am having a couple of problems with my computer; I believe it is infected. Every time I open my Internet Explorer I get a page entitled "about.blank". When I try to open my "control panel" it takes as long as "60 seconds" and when I change my home page back to its original setting under "internet options" it will only work once when "about.blank" reappears. I have read some of your postings and see that you usually start the remedy process by viewing a hijackthis log file. I have downloaded this program and my log file follows:
Logfile of HijackThis v1.99.1
Scan saved at 10:53:44 AM, on 03/08/2005
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\ABCD.EXE
C:\WINDOWS\ADDTQ32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\APIBC.EXE
C:\PROGRAM FILES\KODAK\KODAK EASYSHARE SOFTWARE\BIN\EASYSHARE.EXE
C:\VSTASCAN\VSACCESS.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\PROGRAM FILES\HIJACKTHIS\HIJACKTHIS.EXE
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system\natqc.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system\natqc.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system\natqc.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system\natqc.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system\natqc.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system\natqc.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system\natqc.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: Class - {708855B6-7B1A-0E07-E911-ABFC91C434AC} - C:\WINDOWS\SYSTEM\APPJM.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [APIBC.EXE] C:\WINDOWS\APIBC.EXE
O4 - HKLM\..\RunServices: [ADDTQ32.EXE] C:\WINDOWS\ADDTQ32.EXE
O4 - Startup: Kodak EasyShare software.lnk = C:\Program Files\KODAK\Kodak EasyShare software\bin\EasyShare.exe
O4 - Startup: UMAX VistaAccess.lnk = C:\VSTASCAN\vsaccess.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O12 - Plugin for .pdf: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
O16 - DPF: Serome Web2Phone - http://www.dialpad.com/applet/vscp.cab
O16 - DPF: {AED98630-0251-4E83-917D-43A23D66D507} (WebHandler Class) - http://activex.microgaming.com/DLhelper/ve...n7/dlhelper.cab (http://activex.microgaming.com/DLhelper/version7/dlhelper.cab)
Can you help me with this problem?
-
I'd just get AdAware (http://www.lavasoft.de), update it, run it and remove what it finds.
Or get the new Microsoft spyware removal tool. I've heard from several people that it's quite good.
-
Hi Heddalora,
I did what you suggested, I downloaded Ad-Aware and ran it on my computer. On the first scan it identified 290 objects. I went through the removal process and Ad-Aware performed a quarantine of the objects then proceeded to delete them. The deletion process seemed to freeze before completing and the deletion process bar remained on my screen until I closed the application. I decided to re-scan and found that the objects I thought were deleted were detected once again. Again I ran the deletion and again it seemed to freeze before completing. A third scan produced the same results. Can you suggest what could be going wrong? Thanks for your help.
-
Can you please try this Jack
Open Ad-Aware, ensure to click the check for updates now link and Connect to download the latest updates
Next:
You may want to print out these instructions to make it easier to follow
RESTART your computer into SAFE MODE (http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001060608000039?OpenDocument&ExpandSection=2#_Section2)
Open Ad-Aware
Perform a Full system scan--"Uncheck Search for Negligible Risk Entries" before scanning
When it's finished scanning
At this point you should either right click on the screen and choose the "Select All" Objects option or individually put a checkmark in each object's checkbox
Click on the Next button. Ad-Aware SE will now present you with a confirmation box as to whether or not you would like to remove the objects you have just selected. Press the "OK" button
RESTART your computer back to Normal mode to finish the cleaning process
Come back here and post a fresh hijackthis log afterwards
-
guestolo,
Here is my hijackthis log. Running Ad-Aware in safe mode seems to work. There is no longer a long delay when opening my control panel. However about.blank is still a problem.
Logfile of HijackThis v1.99.1
Scan saved at 8:16:50 AM, on 03/09/2005
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\ABCD.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\ADDTQ32.EXE
C:\WINDOWS\SYSTEM\ADDNL32.EXE
C:\WINDOWS\SYSTEM\MSKV.EXE
C:\WINDOWS\SYSTEM\SDKBF32.EXE
C:\WINDOWS\SYSTEM\D3BJ32.EXE
C:\WINDOWS\SYSTEM\SYSOE.EXE
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\KODAK\KODAK EASYSHARE SOFTWARE\BIN\EASYSHARE.EXE
C:\VSTASCAN\VSACCESS.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\SYSOE.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\SYSOE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\SYSTEM\SYSOE.EXE
C:\WINDOWS\ADDZT32.EXE
C:\WINDOWS\CRFN32.EXE
C:\PROGRAM FILES\HIJACKTHIS\HIJACKTHIS.EXE
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system\kylww.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system\kylww.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system\kylww.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system\kylww.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system\kylww.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system\kylww.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system\kylww.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: Class - {7FD318B9-600D-989C-1DCA-4BF6B4D6258D} - C:\WINDOWS\NETAD.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\RunServices: [ADDTQ32.EXE] C:\WINDOWS\ADDTQ32.EXE
O4 - HKLM\..\RunServices: [SYSOE.EXE] C:\WINDOWS\SYSTEM\SYSOE.EXE
O4 - HKLM\..\RunServices: [ADDNL32.EXE] C:\WINDOWS\SYSTEM\ADDNL32.EXE
O4 - HKLM\..\RunServices: [SDKBF32.EXE] C:\WINDOWS\SYSTEM\SDKBF32.EXE
O4 - HKLM\..\RunServices: [D3BJ32.EXE] C:\WINDOWS\SYSTEM\D3BJ32.EXE
O4 - HKLM\..\RunServices: [MSKV.EXE] C:\WINDOWS\SYSTEM\MSKV.EXE
O4 - HKLM\..\RunServices: [ADDZT32.EXE] C:\WINDOWS\ADDZT32.EXE
O4 - Startup: Kodak EasyShare software.lnk = C:\Program Files\KODAK\Kodak EasyShare software\bin\EasyShare.exe
O4 - Startup: UMAX VistaAccess.lnk = C:\VSTASCAN\vsaccess.exe
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O12 - Plugin for .pdf: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
O16 - DPF: Serome Web2Phone - http://www.dialpad.com/applet/vscp.cab
O16 - DPF: {AED98630-0251-4E83-917D-43A23D66D507} (WebHandler Class) - http://activex.microgaming.com/DLhelper/ve...n7/dlhelper.cab (http://activex.microgaming.com/DLhelper/version7/dlhelper.cab)
Thanks for your help!
-
Let's try some more cleanup
Download to desktop About:Buster.zip (http://www.malwarebytes.biz/AboutBuster.zip)
by RubbeR Ducky
UNZIP the contents to desktop
Open the AboutBuster folder and run About:Buster.exe
Check for updates and update it
Close it out after you update, we'll run this later
Download and save to desktop the Standalone version of CWShredder.exe (http://cwshredder.net/bin/CWShredder.exe)
Don't run it yet
Download The Hoster (http://members.aol.com/toadbee/hoster.zip)
Unzip it to a folder
We'll need this later
Print out the rest of these instructions or save to a Notepad file on the desktop
RESTART again back to Safe mode
Bring up your Task Manager (Ctrl+Alt+Del) and end Task on these if still running
ADDTQ32.EXE
ADDNL32.EXE
MSKV.EXE
SDKBF32.EXE
D3BJ32.EXE
CRFN32.EXE
SYSOE.EXE <--all instances
Find and delete these files or folders if they exist
C:\WINDOWS\system\kylww.dll <--file
C:\WINDOWS\NETAD.DLL
C:\WINDOWS\ADDTQ32.EXE
C:\WINDOWS\SYSTEM\SYSOE.EXE
C:\WINDOWS\SYSTEM\ADDNL32.EXE
C:\WINDOWS\SYSTEM\SDKBF32.EXE
C:\WINDOWS\SYSTEM\D3BJ32.EXE
C:\WINDOWS\SYSTEM\MSKV.EXE
Stay in safe mode
Do another scan with Hijackthis and put a check next to these entries:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system\kylww.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system\kylww.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system\kylww.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system\kylww.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system\kylww.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system\kylww.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system\kylww.dll/sp.html#28129
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {7FD318B9-600D-989C-1DCA-4BF6B4D6258D} - C:\WINDOWS\NETAD.DLL
O4 - HKLM\..\RunServices: [ADDTQ32.EXE] C:\WINDOWS\ADDTQ32.EXE
O4 - HKLM\..\RunServices: [SYSOE.EXE] C:\WINDOWS\SYSTEM\SYSOE.EXE
O4 - HKLM\..\RunServices: [ADDNL32.EXE] C:\WINDOWS\SYSTEM\ADDNL32.EXE
O4 - HKLM\..\RunServices: [SDKBF32.EXE] C:\WINDOWS\SYSTEM\SDKBF32.EXE
O4 - HKLM\..\RunServices: [D3BJ32.EXE] C:\WINDOWS\SYSTEM\D3BJ32.EXE
O4 - HKLM\..\RunServices: [MSKV.EXE] C:\WINDOWS\SYSTEM\MSKV.EXE
O4 - HKLM\..\RunServices: [ADDZT32.EXE] C:\WINDOWS\ADDZT32.EXE
After you have ticked the above entries, close All other open windows, including this one
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis
Again, in safe mode
Open AboutBuster.exe
Hit Ok. Now for the scanning part. Hit Start and then Ok. The program should start scanning. Scan a second time. SAVE the logs >>> Then hit exit
Run CWShredder and Click ONLY the FIX button
Let it clean what it can
When it's done Restart back to Normal mode
Run a scan with About:Buster again, save the log
Don't open a Browser yet
Open HOSTER and "RESTORE ORIGINAL HOSTS"
Access Internet Options via Control Panel
Under the Programs tab "Reset Web Settings"
Under the General tab---Delete files + offline content---Also Reset home page
This is important
Look in your C:\Windows\System folder
For this file name
Shell.dll
If it's not there
Download and Save to desktop Shell_98.zip (http://www.spywareinfo.com/~merijn/files/windows/shell_98.zip)
UNZIP the contents to your
C:\Windows\System folder
That should replace the missing file
Afterwards, you don't appear to be running any Anti-Virus software
Not very safe
If you have your own, Install it now and update it and run a Full System Scan
If you don't have your own
I very much recommend that you download and Install
AVG7 free
From this link
http://free.grisoft.com/doc/2/lng/us/tpl/v5
Give the link time to load if it's busy
Scroll down until you see
avg70free_308a468.exe or similar
Save the Installer, Double click to Install
After installation ensure you Check for updates and run a Full system Scan
Once the above is done
Post back with a fresh Hijackthis log
Also post the About:Buster logs from SAFE mode and Normal Mode
-
guestolo,
I started to carry out the instructions you sent me and ran into some problems. I downloaded the software and restarted in safe mode. I went to the task manager to look for the programs you listed but none of those were running. I then found all the dll and exe files you listed and deleted them. I did another scan with hijackthis and found that all the R0 items had a file jpwmo.dll instead of the kylww.dll listed in the previous log and so I did not "fix check" them but did "fix check" the remaining ones. Still in safe mode I ran "about:buster", saved the log and exited.
I ran CWShredder and used the fix button.
Then I rebooted in normal mode and in the process received an error "While initializing device IOS" "error:real mode memory allocation failed". I had that happen to me one time in the past and the manufacturer directed me to do a "system files restore", which cleared the error. I repeated this restore operation, and the error cleared and I was able to restart in normal mode.
Once rebooted I ran another about:buster log.
I ran Hoster and restored the original hosts.
I reset the web settings as you directed.
I found the shell.dll file it was in my system folder.
When I shut down and restarted my computer, I was unable to access the internet. So I decided to re-install my PCI card and dsl modem, but this has not resolved my problem. I am posting to you from another computer which has internet access. Another problem also developed in that when I do a normal shut down, the shut down starts normally but then freezes when it gets to the windows "shutting down screen" and then the only way I could finish the shut down process is to hold the power button in for 5 seconds.
Here is latest hijackthis log and the safe mode and normal mode about:buster logs:
Logfile of HijackThis v1.99.1
Scan saved at 3:49:16 PM, on 03/11/2005
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\ABCD.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM32\DRIVERS\KODAKCCS.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\KODAK\KODAK EASYSHARE SOFTWARE\BIN\EASYSHARE.EXE
C:\VSTASCAN\VSACCESS.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\HIJACKTHIS\HIJACKTHIS.EXE
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system\jpwmo.dll/sp.html#28129
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http:/www2.enter.net
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: {0000031A-0000-0000-C000-000000000046} - - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Dcfssvc] C:\Program Files\Common Files\KODAK\HYDRA_DR\dcfssvc.exe --pdr: "C:\Program Files\Common Files\KODAK\HYDRA_DR\dcmnter.pdr"
O4 - HKLM\..\Run: [KodakCCS] C:\WINDOWS\System32\Drivers\KodakCCS.exe
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [ADDZT32.EXE] C:\WINDOWS\ADDZT32.EXE
O4 - HKLM\..\RunServices: [MSKV.EXE] C:\WINDOWS\SYSTEM\MSKV.EXE
O4 - HKLM\..\RunServices: [D3BJ32.EXE] C:\WINDOWS\SYSTEM\D3BJ32.EXE
O4 - HKLM\..\RunServices: [SDKBF32.EXE] C:\WINDOWS\SYSTEM\SDKBF32.EXE
O4 - HKLM\..\RunServices: [ADDNL32.EXE] C:\WINDOWS\SYSTEM\ADDNL32.EXE
O4 - HKLM\..\RunServices: [SYSOE.EXE] C:\WINDOWS\SYSTEM\SYSOE.EXE
O4 - HKLM\..\RunServices: [ADDTQ32.EXE] C:\WINDOWS\ADDTQ32.EXE
O4 - Startup: Kodak EasyShare software.lnk = C:\Program Files\KODAK\Kodak EasyShare software\bin\EasyShare.exe
O4 - Startup: UMAX VistaAccess.lnk = C:\VSTASCAN\vsaccess.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O12 - Plugin for .pdf: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
O16 - DPF: Serome Web2Phone - http://www.dialpad.com/applet/vscp.cab
O16 - DPF: {AED98630-0251-4E83-917D-43A23D66D507} (WebHandler Class) - http://activex.microgaming.com/DLhelper/ve...n7/dlhelper.cab (http://activex.microgaming.com/DLhelper/version7/dlhelper.cab)
Scanned at: 2:55:48 PM on: 03/10/2005
-- Scan 1 ---------------------------
About:Buster Version 4.0
Reference List : 25
ADS not scanned System(FAT)
Removed! : C:\WINDOWS\addzt32.exe
Removed! : C:\WINDOWS\addna32.exe
Removed! : C:\WINDOWS\d3lj32.exe
Removed! : C:\WINDOWS\crtu.exe
Removed! : C:\WINDOWS\d3dm32.exe
Removed! : C:\WINDOWS\ieze32.exe
Removed! : C:\WINDOWS\d3rk.exe
Removed! : C:\WINDOWS\netwm32.exe
Removed! : C:\WINDOWS\SYSTEM\d3su.exe
Removed! : C:\WINDOWS\SYSTEM\addwg32.exe
Removed! : C:\WINDOWS\SYSTEM\atltk.exe
Removed! : C:\WINDOWS\SYSTEM\addil.exe
Removed! : C:\WINDOWS\SYSTEM\javaml.exe
Attempted Clean Of Temp folder.
Removed Uninstall Key (HSA)
Removed Uninstall Key (SE)
Removed Uninstall Key (SW)
Pages Reset... Done!
-- Scan 2 ---------------------------
About:Buster Version 4.0
Reference List : 25
ADS not scanned System(FAT)
Attempted Clean Of Temp folder.
Pages Reset... Done!
Scanned at: 3:22:57 PM on: 03/10/2005
-- Scan 1 ---------------------------
About:Buster Version 4.0
Reference List : 25
ADS not scanned System(FAT)
Attempted Clean Of Temp folder.
Pages Reset... Done!
-- Scan 2 ---------------------------
About:Buster Version 4.0
Reference List : 25
ADS not scanned System(FAT)
Attempted Clean Of Temp folder.
Pages Reset... Done!
Once again thanks for your help. Can you help me resolve these newest problems?
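The mismatch described in the post above (the fix list names kylww.dll, the new scan shows jpwmo.dll in the same registry value) is easy to miss when comparing log lines by eye. The sketch below is an added example, not part of the original thread and not HijackThis code: it compares entries by where they live rather than by exact text. The function names are invented for illustration; the sample lines are copied from the logs posted in this thread.

```python
import re

# Entries copied from this thread (abridged): part of the fix list posted for
# the 03/09 log, and part of the scan saved on 03/11.
FIX_LIST = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system\kylww.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
O2 - BHO: Class - {7FD318B9-600D-989C-1DCA-4BF6B4D6258D} - C:\WINDOWS\NETAD.DLL
O4 - HKLM\..\RunServices: [SYSOE.EXE] C:\WINDOWS\SYSTEM\SYSOE.EXE
O4 - HKLM\..\RunServices: [MSKV.EXE] C:\WINDOWS\SYSTEM\MSKV.EXE
"""
FRESH_SCAN = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system\jpwmo.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\RunServices: [SYSOE.EXE] C:\WINDOWS\SYSTEM\SYSOE.EXE
O4 - HKLM\..\RunServices: [MSKV.EXE] C:\WINDOWS\SYSTEM\MSKV.EXE
"""

ENTRY = re.compile(r"^(?P<code>[RO]\d{1,2}) - (?P<body>.+)$")
RES_DLL = re.compile(r"res://.*\\([^\\/]+\.dll)/", re.I)


def parse(log):
    """Yield (code, body) for every 'R1 - ...' / 'O4 - ...' style line."""
    for line in log.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            yield m["code"], m["body"]


def split_entry(code, body):
    """Split an entry into (slot, value): the slot is where the entry lives
    (registry value, autorun name, BHO CLSID), the value is what it points at."""
    if code.startswith("R") and " = " in body:
        slot, value = body.split(" = ", 1)
    elif code == "O4" and "] " in body:
        slot, value = body.split("] ", 1)
        slot += "]"
    elif code in ("O2", "O3") and " - " in body:
        slot, value = body.rsplit(" - ", 1)
    else:
        slot, value = body, ""
    return slot, value


def res_dll(value):
    """Return the DLL named in a res://<path>.dll/... URL, or None."""
    m = RES_DLL.search(value)
    return m.group(1) if m else None


def triage(fix_list, fresh_scan):
    """Sort fresh-scan entries into: exact match with the fix list, same slot
    with a changed value (the fix list is stale), or not on the fix list."""
    wanted = {}
    for code, body in parse(fix_list):
        slot, value = split_entry(code, body)
        wanted[(code, slot.casefold())] = value
    report = {"exact": [], "changed": [], "unlisted": []}
    for code, body in parse(fresh_scan):
        slot, value = split_entry(code, body)
        key = (code, slot.casefold())
        if key not in wanted:
            report["unlisted"].append(body)
        elif wanted[key].casefold() == value.casefold():
            report["exact"].append(body)
        else:
            report["changed"].append((slot, wanted[key], value))
    return report


if __name__ == "__main__":
    result = triage(FIX_LIST, FRESH_SCAN)
    for slot, old, new in result["changed"]:
        print("STALE FIX ENTRY:", slot)
        print("   fix list:", res_dll(old) or old)
        print("   scan now:", res_dll(new) or new)
    print(len(result["exact"]), "entries match the fix list exactly")
    print(len(result["unlisted"]), "entries are not on the fix list")
```

An entry reported as changed means the same registry value is still hijacked but points at a differently named file, so the helper needs the fresh log before anything is ticked.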
-
Let's try this again
Do another scan with Hijackthis and put a check next to these entries:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system\jpwmo.dll/sp.html#28129
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http:/www2.enter.net
R3 - URLSearchHook: {0000031A-0000-0000-C000-000000000046} - - (no file)
O4 - HKLM\..\RunServices: [ADDZT32.EXE] C:\WINDOWS\ADDZT32.EXE
O4 - HKLM\..\RunServices: [MSKV.EXE] C:\WINDOWS\SYSTEM\MSKV.EXE
O4 - HKLM\..\RunServices: [D3BJ32.EXE] C:\WINDOWS\SYSTEM\D3BJ32.EXE
O4 - HKLM\..\RunServices: [SDKBF32.EXE] C:\WINDOWS\SYSTEM\SDKBF32.EXE
O4 - HKLM\..\RunServices: [ADDNL32.EXE] C:\WINDOWS\SYSTEM\ADDNL32.EXE
O4 - HKLM\..\RunServices: [SYSOE.EXE] C:\WINDOWS\SYSTEM\SYSOE.EXE
O4 - HKLM\..\RunServices: [ADDTQ32.EXE] C:\WINDOWS\ADDTQ32.EXE
After you have ticked the above entries, close All other open windows, including this one
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis
Restart your computer afterwards
Run About:Buster again
I hope you don't think I was kidding about Installing AVG free Edition
Do it now and update it and run a full system scan
A good AV is like running any other Virus or Spyware removal tool
Post back with a fresh Hijackthis log afterwards
Please Install and run the free AV on your system
-
guestolo,
I followed your last instructions.
I am still not able to get on the internet with the computer we are troubleshooting. I get a "cannot find server" error whenever I try to open my internet explorer. I have reinstalled my ethernet PCI card and the device manager says it's installed and working. When I check my network configuration, tcp/ip>netgear pci adapter is shown. When I check my IP configuration it shows an ip address for my PCI adapter of 169.254.54.213. I don't believe this address is correct. I have a DSL connection with a Zoom modem and a Linksys wireless router. I am direct wired from the router to the computer I am having trouble with. I have two other computers, a notebook and another desktop, with wireless connections to the router; both of the other computers can access the internet through the wireless router.
I still cannot shut down or restart my computer normally, it stalls and has to be shut down using the power button.
I plan on installing the AVG program you suggested as soon as I can get back on to the internet.
Buster came up clean and here is the most recent hijackthis log:
Logfile of HijackThis v1.99.1
Scan saved at 9:16:13 AM, on 03/12/2005
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\ABCD.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM32\DRIVERS\KODAKCCS.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\KODAK\KODAK EASYSHARE SOFTWARE\BIN\EASYSHARE.EXE
C:\VSTASCAN\VSACCESS.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\HIJACKTHIS\HIJACKTHIS.EXE
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Dcfssvc] C:\Program Files\Common Files\KODAK\HYDRA_DR\dcfssvc.exe --pdr: "C:\Program Files\Common Files\KODAK\HYDRA_DR\dcmnter.pdr"
O4 - HKLM\..\Run: [KodakCCS] C:\WINDOWS\System32\Drivers\KodakCCS.exe
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - Startup: Kodak EasyShare software.lnk = C:\Program Files\KODAK\Kodak EasyShare software\bin\EasyShare.exe
O4 - Startup: UMAX VistaAccess.lnk = C:\VSTASCAN\vsaccess.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O12 - Plugin for .pdf: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
O16 - DPF: Serome Web2Phone - http://www.dialpad.com/applet/vscp.cab
O16 - DPF: {AED98630-0251-4E83-917D-43A23D66D507} (WebHandler Class) - http://activex.microgaming.com/DLhelper/ve...n7/dlhelper.cab (http://activex.microgaming.com/DLhelper/version7/dlhelper.cab)
Again thanks for your help.
-
I don't understand the loss of Internet connection
We could try
Winsock2 fix from here
http://www.bu.edu/pcsc/internetaccess/winsock2fix.html
I would like to see a list of your programs first in Add/Remove programs
Can you open Hijackthis>>Open Misc Tools Section>>Open the Uninstall Manager
Click the Save List button
Save the list and post it back here, thanks
Could you also navigate to this file please
C:\WINDOWS\SYSTEM\ABCD.EXE <--file
Right click on it and left click properties
Do you know what it's related to?
What was the date created?
-
Guestolo,
I got to the bottom of my problem; evidently my computer does not like to have both a "dial-up" card and an "ethernet" card installed at the same time. I did another restore with only my "dial-up" card installed. Then I removed the "dial-up" in the device manager, shut down the computer and removed the "dial-up" card and installed the "ethernet" card. After that both my internet and shut down problems went away.
:D
About.blank has also disappeared and my computer speed has increased.
I downloaded and installed the "AVG" you suggested.
Again thanks for your expert help.
-
Good to hear, I was hoping you would post back
I know that there has been an issue with Ad-Aware and TIBS Browser object
Removal caused loss of Internet connection
But I didn't see it in your log
Do you know what this file is related to?
It may be legit I just want to make sure
C:\WINDOWS\SYSTEM\ABCD.EXE <--this file
Did AVG find anything?
-
Guestolo,
Sorry I have no idea what ABCD.EXE file is for.
I ran AVG and it found and removed another 296 objects.
I installed AVG in the two other personal computers I have here.
AVG looks great.
-
Can you find ABCD.exe on your hard drive
Run it through this online malware scan
Give this site time to load
Jotti's Online Malware scan (http://virusscan.jotti.org/)
Use the browse button and navigate to this file
C:\WINDOWS\SYSTEM\ABCD.EXE<--this file
Right click on the file and choose Select
Then use the Submit button
Let it finish scanning
Could you post back the results of the scan back here please, just the scanner results
I thought it was related to a spell checker, but I'm not sure
-
Guestolo,
Just ran Jotti's Online Malware scan, here's the results:
Service load: 0% 100%
File: abCD.exe
Status: MIGHT BE INFECTED/MALWARE (Sandbox emulation took a long time and/or runtime packers were found, this is suspicious. Normally programs aren't packed and don't force the sandbox into lengthy emulation. Do realize no scanner issued any warning, the file can very well be harmless. Caution is advised, however.)
Packers detected: -
AntiVir No viruses found (0.43 seconds taken)
Avast No viruses found (1.53 seconds taken)
AVG Antivirus No viruses found (0.54 seconds taken)
BitDefender No viruses found (0.53 seconds taken)
ClamAV No viruses found (0.63 seconds taken)
Dr.Web No viruses found (0.92 seconds taken)
F-Prot Antivirus No viruses found (0.09 seconds taken)
Fortinet No viruses found (0.44 seconds taken)
Kaspersky Anti-Virus No viruses found (1.01 seconds taken)
mks_vir No viruses found (0.24 seconds taken)
NOD32 No viruses found (0.49 seconds taken)
Norman Virus Control No viruses found (0.80 seconds taken)
-
When you navigated to the file and right clicked on the file
What was the creation date of it
You may want to right click on it and rename it to
ABCD.EX_
You will have to shut it down in the task manager first
or Use Hijackthis>>Open Misc Tools section>>
Open Process manager and kill that process beforehand
That way it should do no harm if it is malicious
Just leave it renamed for the time being, if you find no problems with it being renamed
Then you can delete it after a couple of weeks
I have a couple other programs you may be interested in
To set up protection against future attacks
SpywareBlaster by JavaCool---will block bad ActiveX and malevolent cookies
Install---Check for Updates---Enable all protection
http://www.javacoolsoftware.com/spywareblaster.html
IE-Spyad---IE-SPYAD puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
Here is a tutorial and download link
TUTORIAL==Link to Tutorial (http://www.bleepingcomputer.com/forums/index.php?showtutorial=53)
Download link (https://netfiles.uiuc.edu/ehowes/www/resource.htm#IESPYAD)
With both, Check for updates every couple of weeks
Keep the link to IE-Spyad bookmarked so you can check for updates
SpywareBlaster, after every update just simply enable all protection
If you find it difficult to run a Hijackthis scan after installing IE-Spyad with Windows 98
That is because IE-spyad adds that long list to your registry and Hijackthis checks that area of your registry for Hijackers
It's a very good and small program that is effective in preventing hijacking on your machine
Both Spywareblaster and IE-Spyad don't run in the background
Stay safe
:D
-
You keep finding so much stuff on your computer after repeated scannings -- do you have some firewall software in place?