TheTechGuide Forum
General Category => Tech Clinic => Topic started by: chels82 on April 02, 2005, 06:56:24 PM
-
I can't use my IE at all, it's very frustrating. I've tried Spybot and of course, that didn't get rid of it.
Logfile of HijackThis v1.99.1
Scan saved at 3:17:11 PM, on 4/2/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\COMMON FILES\AOL\ACS\AOLACSD.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPLPR.EXE
C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPENH.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\LOADQM.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\PROGRAM FILES\COMMON FILES\AOL\ACS\AOLDIAL.EXE
D:\AMERICA ONLINE 9.0\DOWNLOAD\AOL SPYWARE PROTECTION\AOLSP SCHEDULER.EXE
D:\PROGRAM FILES\AIM\AIM.EXE
D:\AMERICA ONLINE 9.0\AOLTRAY.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\RUNDLL32.EXE
D:\AMERICA ONLINE 9.0\WEmail RemovedEXE
D:\AMERICA ONLINE 9.0\SHELLMON.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\COMMON FILES\AOL\AOLTPSPD.EXE
D:\PROGRAM FILES\HIJACKTHIS.EXE
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://c:\windows\TEMP\se.dll/spage.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://c:\windows\TEMP\se.dll/spage.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by America Online
F1 - win.ini: run=c:\DELL\WINBATCH.EXE
O2 - BHO: Cls - {CF021F40-3E14-23A5-CBA2-717765728274} - C:\WINDOWS\SYSTEM\WER8274.DLL
O2 - BHO: (no name) - {75D16F01-9EB1-11D9-AB5E-4445A30A93E7} - C:\WINDOWS\SYSTEM\PJDI.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe /q
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [AOL Spyware Protection] "D:\AMERIC~1.0\DOWNLOAD\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [sp] rundll32 C:\WINDOWS\TEMP\SE.DLL,DllInstall
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [AolAcsDaemon1] "C:\PROGRAM FILES\COMMON FILES\AOL\ACS\AOLACSD.EXE"
O4 - HKCU\..\Run: [MoneyAgent] "c:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [AIM] D:\PROGRAM FILES\AIM\aim.exe -cnetwait.odl
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: Crystal 3D Audio Control.lnk = C:\WINDOWS\CWB3DSND.EXE
O4 - Startup: America Online 9.0 Tray Icon.lnk = D:\America Online 9.0\aoltray.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &AOL Toolbar search - res://C:\PROGRAM FILES\AOL TOOLBAR\TOOLBAR.DLL/SEARCH.HTML
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - D:\PROGRAM FILES\AIM\AIM.EXE
O13 - WWW. Prefix: http://
O16 - DPF: {8F0F5093-0A70-11D0-BCA9-00C04FD85AA6} - http://fdl.msn.com/public/oc/setupbbs.ocx
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.av.Email Removed/molbin/shared/m...83/mcinsctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.av.Email Removed/molbin/shared/m...,20/mcgdmgr.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.Email Removed/computercheckup/qdiagcc.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = aoldsl.net
O18 - Filter: text/html - {75D16F00-9EB1-11D9-AB5E-4445CC46367C} - C:\WINDOWS\SYSTEM\PJDI.DLL
O18 - Filter: text/plain - {75D16F00-9EB1-11D9-AB5E-4445CC46367C} - C:\WINDOWS\SYSTEM\PJDI.DLL
I apologize for not reading the rules before, I hope you will still be willing to help me.
-
Thank you for Registering
I'm just stepping out the door for a few hours
But could you in the meantime
Download Startdreck.zip
Unzip it to its own folder
[attachment=105:attachment]
run StartDreck.exe:
Hit: -config
hit: -Unmark all
Check these boxes only:
*Registry->run keys
*Registry->Browser helper objects
*System/drivers> Running processes
hit >ok.
Use the "save" tab, to save, name and post this log
Also
Download DLLCompare: http://downloads.subratam.org/DllCompare.exe
Start the Program and click the Run Locate.com
Let it complete the SCAN, which won't take long
Click the Compare button to start the next process. This will take a bit longer.
The results appear in two panes - files in the upper pane have been verified to 'exist'.
Files in the lower pane were 'not able to be accessed'.
Very few files should be listed in the lower pane, if any, when the Compare scan is complete.
Click on each of the listed entries in the lower pane to select them. Right-click on the file and use the option Rescan. This will cause Windows Find to see if the file does exist, and then if so it will be removed from the list to reduce the number of identified files.
Click the Make a Log of what was found button and post it back here
Also post a fresh Hijackthis log
-
StartDreck results
StartDreck (build 2.1.7 public stable) - 2005-04-02 @ 16:28:25 (GMT -08:00)
Platform: Windows 98 SE (Win 4.10.2222 A)
Internet Explorer: 6.0.2600.0000
Logged in as Chelsea at DELL INSPIRON
»Registry
»Run Keys
»Current User
»Run
*MoneyAgent="c:\Program Files\Microsoft Money\System\mnyexpr.exe"
*AIM=D:\PROGRAM FILES\AIM\aim.exe -cnetwait.odl
»RunOnce
»Default User
»Run
*MoneyAgent="c:\Program Files\Microsoft Money\System\mnyexpr.exe"
*AIM=D:\PROGRAM FILES\AIM\aim.exe -cnetwait.odl
»RunOnce
»Local Machine
»Run
*SystemTray=SysTray.Exe
*SynTPLpr=C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
*SynTPEnh=C:\Program Files\Synaptics\SynTP\SynTPEnh.exe /q
*ScanRegistry=c:\windows\scanregw.exe /autorun
*TaskMonitor=c:\windows\taskmon.exe
*LoadPowerProfile=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
*LoadQM=loadqm.exe
*QuickTime Task="C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
*AOLDialer=C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
*AOL Spyware Protection="D:\AMERIC~1.0\DOWNLOAD\AOLSPY~1\AOLSP Scheduler.exe"
*sp=rundll32 C:\WINDOWS\TEMP\SE.DLL,DllInstall
+OptionalComponents
+MSFS
*Installed=1
+MAPI
*Installed=1
*NoChange=1
+MAPI
*Installed=1
*NoChange=1
»RunOnce
»RunServices
*LoadPowerProfile=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
*SchedulingAgent=mstask.exe
*AolAcsDaemon1="C:\PROGRAM FILES\COMMON FILES\AOL\ACS\AOLACSD.EXE"
»RunServicesOnce
»RunOnceEx
»RunServicesOnceEx
»Browser Helper Objects (LM)
*WER8274.WER8274.1/{CF021F40-3E14-23A5-CBA2-717765728274}
`InprocServer32=C:\WINDOWS\SYSTEM\WER8274.DLL
*{75D16F01-9EB1-11D9-AB5E-4445A30A93E7}
`InprocServer32=C:\WINDOWS\SYSTEM\PJDI.DLL
*{53707962-6F74-2D53-2644-206D7942484F}
`InprocServer32=D:\Program Files\Spybot - Search & Destroy\SDHelper.dll
»Files
»System/Drivers
»Running Processes
+FFEFC2DF=C:\WINDOWS\SYSTEM\KERNEL32.DLL
+FFFF95BB=C:\WINDOWS\SYSTEM\MSGSRV32.EXE
+FFFF820B=C:\WINDOWS\SYSTEM\MPREXE.EXE
+FFFE78C3=C:\WINDOWS\SYSTEM\mmtask.tsk
+FFFE106B=C:\WINDOWS\SYSTEM\MSTASK.EXE
+FFFE1CD7=C:\PROGRAM FILES\COMMON FILES\AOL\ACS\AOLACSD.EXE
+FFFEC893=C:\WINDOWS\EXPLORER.EXE
+FFFD229F=C:\WINDOWS\SYSTEM\SYSTRAY.EXE
+FFFD9B57=C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPLPR.EXE
+FFFD898F=C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPENH.EXE
+FFFC6F73=C:\WINDOWS\TASKMON.EXE
+FFFC48A3=C:\WINDOWS\LOADQM.EXE
+FFFC39C7=C:\WINDOWS\SYSTEM\QTTASK.EXE
+FFFC29A3=C:\PROGRAM FILES\COMMON FILES\AOL\ACS\AOLDIAL.EXE
+FFFC284B=D:\AMERICA ONLINE 9.0\DOWNLOAD\AOL SPYWARE PROTECTION\AOLSP SCHEDULER.EXE
+FFFCE52B=D:\PROGRAM FILES\AIM\AIM.EXE
+FFFB24E7=D:\AMERICA ONLINE 9.0\AOLTRAY.EXE
+FFFB7577=C:\WINDOWS\SYSTEM\DDHELP.EXE
+FFFA0DB7=C:\WINDOWS\SYSTEM\WMIEXE.EXE
+FFF8A53F=C:\WINDOWS\SYSTEM\RNAAPP.EXE
+FFF8BE57=C:\WINDOWS\SYSTEM\TAPISRV.EXE
+FFF82DB3=C:\WINDOWS\RUNDLL32.EXE
+FFF83093=D:\AMERICA ONLINE 9.0\WEmail RemovedEXE
+FFF62747=D:\AMERICA ONLINE 9.0\SHELLMON.EXE
+FFF673DB=C:\WINDOWS\SYSTEM\SPOOL32.EXE
+FFF4887F=C:\PROGRAM FILES\COMMON FILES\AOL\AOLTPSPD.EXE
+FFF32783=C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
+FFF37D63=D:\PROGRAM FILES\STARTD\STARTDRECK.EXE
»Application specific
* DLLCompare Log version()
Files Found that Windows does not See or cannot Access
*Not everything listed here means you are infected!
________________________________________________
O^E says: "There were no files found :)"
________________________________________________
863 items found: 863 files, 0 directories.
Total of file sizes: 141,430,308 bytes 134.88 M
--------------------End log---------------------
Logfile of HijackThis v1.99.1
Scan saved at 4:40:30 PM, on 4/2/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\COMMON FILES\AOL\ACS\AOLACSD.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPLPR.EXE
C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPENH.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\LOADQM.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\PROGRAM FILES\COMMON FILES\AOL\ACS\AOLDIAL.EXE
D:\AMERICA ONLINE 9.0\DOWNLOAD\AOL SPYWARE PROTECTION\AOLSP SCHEDULER.EXE
D:\PROGRAM FILES\AIM\AIM.EXE
D:\AMERICA ONLINE 9.0\AOLTRAY.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\RUNDLL32.EXE
D:\AMERICA ONLINE 9.0\WEmail RemovedEXE
D:\AMERICA ONLINE 9.0\SHELLMON.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\COMMON FILES\AOL\AOLTPSPD.EXE
D:\PROGRAM FILES\HIJACKTHIS\HIJACKTHIS.EXE
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://c:\windows\TEMP\se.dll/spage.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://c:\windows\TEMP\se.dll/spage.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by America Online
F1 - win.ini: run=c:\DELL\WINBATCH.EXE
O2 - BHO: Cls - {CF021F40-3E14-23A5-CBA2-717765728274} - C:\WINDOWS\SYSTEM\WER8274.DLL
O2 - BHO: (no name) - {75D16F01-9EB1-11D9-AB5E-4445A30A93E7} - C:\WINDOWS\SYSTEM\PJDI.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe /q
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [AOL Spyware Protection] "D:\AMERIC~1.0\DOWNLOAD\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [sp] rundll32 C:\WINDOWS\TEMP\SE.DLL,DllInstall
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [AolAcsDaemon1] "C:\PROGRAM FILES\COMMON FILES\AOL\ACS\AOLACSD.EXE"
O4 - HKCU\..\Run: [MoneyAgent] "c:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [AIM] D:\PROGRAM FILES\AIM\aim.exe -cnetwait.odl
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: Crystal 3D Audio Control.lnk = C:\WINDOWS\CWB3DSND.EXE
O4 - Startup: America Online 9.0 Tray Icon.lnk = D:\America Online 9.0\aoltray.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &AOL Toolbar search - res://C:\PROGRAM FILES\AOL TOOLBAR\TOOLBAR.DLL/SEARCH.HTML
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - D:\PROGRAM FILES\AIM\AIM.EXE
O13 - WWW. Prefix: http://
O16 - DPF: {8F0F5093-0A70-11D0-BCA9-00C04FD85AA6} - http://fdl.msn.com/public/oc/setupbbs.ocx
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.av.Email Removed/molbin/shared/m...83/mcinsctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.av.Email Removed/molbin/shared/m...,20/mcgdmgr.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.Email Removed/computercheckup/qdiagcc.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = aoldsl.net
O18 - Filter: text/html - {75D16F00-9EB1-11D9-AB5E-4445CC46367C} - C:\WINDOWS\SYSTEM\PJDI.DLL
O18 - Filter: text/plain - {75D16F00-9EB1-11D9-AB5E-4445CC46367C} - C:\WINDOWS\SYSTEM\PJDI.DLL
-
===Download and Install this small program
to help clean your temp folders, cookies, recycle bin
Windows Cleanup: http://www.antispyware.nextdesigns.net/installs/cleanup.php?type=exe
Install for now, don't run a scan yet
===Download CWShredder.exe from my signature below and save it to desktop
===Download and Save Remove.zip and UNZIP the contents to desktop so you now have Remove.reg on the desktop
[attachment=107:attachment]
===Download the Pocket Killbox: http://www.downloads.subratam.org/KillBox.zip
UNZIP it to a folder of your choice
Save these instructions to a Notepad file on your desktop
Disconnect from the Internet (Close down all browser windows) and all unnecessary programs running in the background
Run Pocket KillBox>>Now you have Killbox and this notepad file open
click on Tools --> Select Delete Temp Files. Click OK.
In the Full Path of File to Delete box, copy and paste the entire line directly below in bold
C:\WINDOWS\SYSTEM\WER8274.DLL
Select the radio button to
Delete on Reboot
Click The Red circle and a white X
When prompted to Delete on Reboot, click YES
If prompted to Reboot Now, Click NO
Do the same for this file
C:\WINDOWS\SYSTEM\PJDI.DLL
and this one
C:\WINDOWS\TEMP\SE.DLL
But this time allow the computer to Reboot
or reboot anyways
Back in Windows, stay disconnected from the Internet
Open Windows CleanUp!>>START>>All programs>>Cleanup!
Click on the CleanUp button, let it finish scanning for files, when it's done
DON'T log off or restart yet
Instead,
Do another scan with Hijackthis and put a check next to these entries:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://c:\windows\TEMP\se.dll/spage.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://c:\windows\TEMP\se.dll/spage.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: Cls - {CF021F40-3E14-23A5-CBA2-717765728274} - C:\WINDOWS\SYSTEM\WER8274.DLL
O2 - BHO: (no name) - {75D16F01-9EB1-11D9-AB5E-4445A30A93E7} - C:\WINDOWS\SYSTEM\PJDI.DLL
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [sp] rundll32 C:\WINDOWS\TEMP\SE.DLL,DllInstall
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O13 - WWW. Prefix: http://
O18 - Filter: text/html - {75D16F00-9EB1-11D9-AB5E-4445CC46367C} - C:\WINDOWS\SYSTEM\PJDI.DLL
O18 - Filter: text/plain - {75D16F00-9EB1-11D9-AB5E-4445CC46367C} - C:\WINDOWS\SYSTEM\PJDI.DLL
After you have ticked the above entries, close All other open windows, including this one
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis
Double click on Remove.reg and allow to merge to the registry
Open just CWShredder, click only the FIX button, let it fix what it finds
Restart your computer and post back a fresh Hijackthis log
and a new Startdreck log
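A small triage script for the kind of HijackThis entries ticked in the post above, added here as an example (it is not the forum's, the helper's or HijackThis's own code). The sample entries are copied from the first log in this thread; the flagging rules are my own heuristics for this infection pattern (about:blank start pages, a res:// page served from a DLL in TEMP, BHOs and text/html filters registered from the Windows directory), and the DLL list it derives matches the three files the post tells the user to delete on reboot.

```python
import re

# Constructed sample: entry lines copied from the first HijackThis log in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://c:\windows\TEMP\se.dll/spage.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://c:\windows\TEMP\se.dll/spage.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by America Online
O2 - BHO: Cls - {CF021F40-3E14-23A5-CBA2-717765728274} - C:\WINDOWS\SYSTEM\WER8274.DLL
O2 - BHO: (no name) - {75D16F01-9EB1-11D9-AB5E-4445A30A93E7} - C:\WINDOWS\SYSTEM\PJDI.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [sp] rundll32 C:\WINDOWS\TEMP\SE.DLL,DllInstall
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O13 - WWW. Prefix: http://
O18 - Filter: text/html - {75D16F00-9EB1-11D9-AB5E-4445CC46367C} - C:\WINDOWS\SYSTEM\PJDI.DLL
O18 - Filter: text/plain - {75D16F00-9EB1-11D9-AB5E-4445CC46367C} - C:\WINDOWS\SYSTEM\PJDI.DLL
"""

ENTRY_RE = re.compile(r"^(?P<code>[RFO]\d+) - (?P<body>.+)$")        # "O18 - Filter: ..."
GUID_PATH_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\} - (?P<path>.+)$")    # path after a CLSID (O2/O18)
DLL_PATH_RE = re.compile(r'[A-Za-z]:\\[^\s,"]+?\.dll', re.IGNORECASE)  # DLL inside res:// or rundll32 args
WINDIR_RE = re.compile(r"^[a-z]:\\(windows|winnt)\\")


def parse_entries(text):
    """Return [(code, body)] for every 'Xn - ...' line; header and process lines are ignored."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("code"), m.group("body")))
    return entries


def reason_to_flag(code, body):
    """Return a short reason if the entry matches a hijack pattern, else None (heuristics only)."""
    low = body.lower()
    if code in ("R0", "R1"):
        value = low.split(" = ", 1)[-1]
        if value == "about:blank":
            return "start/search page blanked out"
        if value.startswith("res://") and "\\temp\\" in value:
            return "search page served from a DLL in the TEMP folder"
    elif code == "O2":
        m = GUID_PATH_RE.search(body)
        # Legitimate BHOs (SDHelper.dll here) live under Program Files, not the Windows directory.
        if m and WINDIR_RE.match(m.group("path").lower()):
            return "BHO loaded from the Windows directory"
    elif code == "O4" and "rundll32" in low and "\\temp\\" in low:
        return "startup entry loads a DLL from the TEMP folder"
    elif code == "O6":
        return "Internet Explorer Control Panel policy restriction present"
    elif code == "O13":
        return "URL prefix changed from the default"
    elif code == "O18" and low.startswith(("filter: text/html", "filter: text/plain")):
        return "MIME filter intercepts every HTML or plain-text page"
    return None


def flag_entries(text):
    """Return [(code, body, reason)] for the entries worth reviewing in HijackThis."""
    flagged = []
    for code, body in parse_entries(text):
        reason = reason_to_flag(code, body)
        if reason:
            flagged.append((code, body, reason))
    return flagged


def referenced_dlls(flagged):
    """Lower-cased paths of the DLLs that flagged entries load: candidates for delete-on-reboot."""
    paths = set()
    for _code, body, _reason in flagged:
        m = GUID_PATH_RE.search(body)
        found = [m.group("path")] if m else DLL_PATH_RE.findall(body)
        paths.update(p.lower() for p in found if p.lower().endswith(".dll"))
    return paths


if __name__ == "__main__":
    hits = flag_entries(SAMPLE_LOG)
    for code, body, reason in hits:
        print(f"{code:<4} {reason}: {body}")
    print("DLLs to remove on reboot:", sorted(referenced_dlls(hits)))
```

The LoadQM entry is deliberately left unflagged: it is harmless Microsoft software that the helper removed only as clean-up, not as an indicator.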
-
Logfile of HijackThis v1.99.1
Scan saved at 8:18:35 PM, on 4/2/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\COMMON FILES\AOL\ACS\AOLACSD.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPLPR.EXE
C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPENH.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\PROGRAM FILES\COMMON FILES\AOL\ACS\AOLDIAL.EXE
D:\AMERICA ONLINE 9.0\DOWNLOAD\AOL SPYWARE PROTECTION\AOLSP SCHEDULER.EXE
D:\PROGRAM FILES\AIM\AIM.EXE
C:\WINDOWS\CWB3DSND.EXE
D:\AMERICA ONLINE 9.0\AOLTRAY.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
D:\PROGRAM FILES\HIJACKTHIS\HIJACKTHIS.EXE
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by America Online
F1 - win.ini: run=c:\DELL\WINBATCH.EXE
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe /q
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [AOL Spyware Protection] "D:\AMERIC~1.0\DOWNLOAD\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [AolAcsDaemon1] "C:\PROGRAM FILES\COMMON FILES\AOL\ACS\AOLACSD.EXE"
O4 - HKCU\..\Run: [MoneyAgent] "c:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [AIM] D:\PROGRAM FILES\AIM\aim.exe -cnetwait.odl
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: Crystal 3D Audio Control.lnk = C:\WINDOWS\CWB3DSND.EXE
O4 - Startup: America Online 9.0 Tray Icon.lnk = D:\America Online 9.0\aoltray.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\PROGRAM FILES\AOL TOOLBAR\TOOLBAR.DLL/SEARCH.HTML
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - D:\PROGRAM FILES\AIM\AIM.EXE
O16 - DPF: {8F0F5093-0A70-11D0-BCA9-00C04FD85AA6} - http://fdl.msn.com/public/oc/setupbbs.ocx
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.av.Email Removed/molbin/shared/m...83/mcinsctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.av.Email Removed/molbin/shared/m...,20/mcgdmgr.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.Email Removed/computercheckup/qdiagcc.cab
StartDreck (build 2.1.7 public stable) - 2005-04-02 @ 20:19:19 (GMT -08:00)
Platform: Windows 98 SE (Win 4.10.2222 A)
Internet Explorer: 6.0.2600.0000
Logged in as Chelsea at DELL INSPIRON
»Registry
»Run Keys
»Current User
»Run
*MoneyAgent="c:\Program Files\Microsoft Money\System\mnyexpr.exe"
*AIM=D:\PROGRAM FILES\AIM\aim.exe -cnetwait.odl
»RunOnce
»Default User
»Run
*MoneyAgent="c:\Program Files\Microsoft Money\System\mnyexpr.exe"
*AIM=D:\PROGRAM FILES\AIM\aim.exe -cnetwait.odl
»RunOnce
»Local Machine
»Run
*SystemTray=SysTray.Exe
*SynTPLpr=C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
*SynTPEnh=C:\Program Files\Synaptics\SynTP\SynTPEnh.exe /q
*ScanRegistry=c:\windows\scanregw.exe /autorun
*TaskMonitor=c:\windows\taskmon.exe
*LoadPowerProfile=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
*QuickTime Task="C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
*AOLDialer=C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
*AOL Spyware Protection="D:\AMERIC~1.0\DOWNLOAD\AOLSPY~1\AOLSP Scheduler.exe"
+OptionalComponents
+MSFS
*Installed=1
+MAPI
*Installed=1
*NoChange=1
+MAPI
*Installed=1
*NoChange=1
»RunOnce
»RunServices
*LoadPowerProfile=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
*SchedulingAgent=mstask.exe
*AolAcsDaemon1="C:\PROGRAM FILES\COMMON FILES\AOL\ACS\AOLACSD.EXE"
»RunServicesOnce
»RunOnceEx
»RunServicesOnceEx
»File Associations (CR)
+.bat
*batfile="%1" %*
+.com
*comfile="%1" %*
+.disabled
*SpybotSD.DisabledFile="D:\PROGRAM FILES\SPYBOT - SEARCH & DESTROY\blindman.exe" "%1"
+.exe
*exefile="%1" %*
+.hta
*htafile=C:\WINDOWS\SYSTEM\MSHTA.EXE "%1" %*
+.htm
*htmlfile="C:\PROGRA~1\INTERN~1\iexplore.exe" -nohome
+.html
*htmlfile="C:\PROGRA~1\INTERN~1\iexplore.exe" -nohome
+.js
*JSFile=c:\windows\WScript.exe "%1" %*
+.jse
*JSEFile=c:\windows\WScript.exe "%1" %*
+.pif
*piffile="%1" %*
+.reg
*regfile=regedit.exe "%1"
+.scr
*scrfile="%1" /S
+.txt
*txtfile=c:\windows\NOTEPAD.EXE %1
+.vbs
*VBSFile=c:\windows\WScript.exe "%1" %*
+.vbe
*VBEFile=c:\windows\WScript.exe "%1" %*
+.wsh
*WSHFile=c:\windows\WScript.exe "%1" %*
+.wsf
*WSFFile=c:\windows\WScript.exe "%1" %*
+.lnk
`lnkfile= [key or value does not exist]
»Browser Helper Objects (LM)
*{53707962-6F74-2D53-2644-206D7942484F}
`InprocServer32=D:\Program Files\Spybot - Search & Destroy\SDHelper.dll
»Files
»Autostart Folders
»Current User
*C:\WINDOWS\Start Menu\Programs\StartUp\Microsoft Office.lnk
*C:\WINDOWS\Start Menu\Programs\StartUp\Crystal 3D Audio Control.lnk
*C:\WINDOWS\Start Menu\Programs\StartUp\America Online 9.0 Tray Icon.lnk
»Default User
*C:\WINDOWS\Start Menu\Programs\StartUp\Microsoft Office.lnk
*C:\WINDOWS\Start Menu\Programs\StartUp\Crystal 3D Audio Control.lnk
*C:\WINDOWS\Start Menu\Programs\StartUp\America Online 9.0 Tray Icon.lnk
»Local Machine
»INI-Files
»WIN.INI\[windows]
*LOAD=
*RUN=c:\DELL\WINBATCH.EXE
»SYSTEM.INI\[boot]
*SHELL=Explorer.exe
»Text Files
*C:\WINDOWS\msdos.sys
*C:\msdos.sys
*C:\config.sys
*C:\autoexec.bat
*C:\WINDOWS\SYSTEM\autoexec.nt
*C:\WINDOWS\wininit.bak
*C:\WINDOWS\dosstart.bat
»System/Drivers
»Running Processes
+FFEFEE5F=C:\WINDOWS\SYSTEM\KERNEL32.DLL
+FFFFB93B=C:\WINDOWS\SYSTEM\MSGSRV32.EXE
+FFFFAE8B=C:\WINDOWS\SYSTEM\MPREXE.EXE
+FFFE5443=C:\WINDOWS\SYSTEM\mmtask.tsk
+FFFE3CEB=C:\WINDOWS\SYSTEM\MSTASK.EXE
+FFFE37AB=C:\PROGRAM FILES\COMMON FILES\AOL\ACS\AOLACSD.EXE
+FFFEE32B=C:\WINDOWS\EXPLORER.EXE
+FFFDE507=C:\WINDOWS\SYSTEM\SYSTRAY.EXE
+FFFD0E6B=C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPLPR.EXE
+FFFDA8A7=C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPENH.EXE
+FFFC4A3B=C:\WINDOWS\TASKMON.EXE
+FFFC6E6F=C:\WINDOWS\SYSTEM\QTTASK.EXE
+FFFC1A2F=C:\PROGRAM FILES\COMMON FILES\AOL\ACS\AOLDIAL.EXE
+FFFC008F=D:\AMERICA ONLINE 9.0\DOWNLOAD\AOL SPYWARE PROTECTION\AOLSP SCHEDULER.EXE
+FFFCDC13=D:\PROGRAM FILES\AIM\AIM.EXE
+FFFC8233=C:\WINDOWS\CWB3DSND.EXE
+FFFB593F=D:\AMERICA ONLINE 9.0\AOLTRAY.EXE
+FFFBFE0B=C:\WINDOWS\SYSTEM\WMIEXE.EXE
+FFFBE4FB=C:\WINDOWS\SYSTEM\DDHELP.EXE
+FFF98377=C:\WINDOWS\SYSTEM\RNAAPP.EXE
+FFF88D63=C:\WINDOWS\SYSTEM\TAPISRV.EXE
+FFFB5677=D:\PROGRAM FILES\STARTD\STARTDRECK.EXE
»NT Services
»Application specific
-
That's looking better
How is everything???
Ensure you clean out your Temp Internet files
Access Internet Options via Control Panel
Under the Programs tab "Reset Web Settings"
Under the General tab---Delete files + offline content
You should set up protection against future attacks
SpywareBlaster by JavaCool---will block bad ActiveX and malevolent cookies
Install---Check for Updates---Enable all protection
http://www.javacoolsoftware.com/spywareblaster.html
IE-Spyad---IE-SPYAD puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
Here is a tutorial and download link
TUTORIAL==Link to Tutorial: http://www.bleepingcomputer.com/forums/index.php?showtutorial=53
Download link: https://netfiles.uiuc.edu/ehowes/www/resource.htm#IESPYAD
With both, Check for updates every couple of weeks
Keep the link to IE-Spyad bookmarked so you can check for updates
SpywareBlaster, after every update just simply enable all protection
You're way behind on Windows Updates, you should visit Windows Update
Install ALL Latest Critical updates and service packs
Restart when prompted
Revisit Windows Updates until you have all Critical updates installed
Don't install the Recommended updates unless they are something you prefer