Author Topic: hidden cws (Read 1509 times)

Guest_Terry_* · « **on:** March 21, 2005, 07:08:22 PM »

Hello:

Been having trouble with CWS. I've ran Cwshredder, hijack this, trojan hunter and a couple others, but it keeps returning. I use adaware and spybot. I know it's in pretty deep and will probably be pretty involved to get rid of. I'm using Mozilla now, but since it's still there it "messes" me up when I open folders and files, etc.

downloaded startdreck, but couldn't get it to unzip - it said i needed an additional file? tried this a couple times and same thing.

Here's my hijack this log

Logfile of HijackThis v1.99.1
Scan saved at 9:28:49 AM, on 3/21/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\PROGRAM FILES\SPYBOT - SEARCH & DESTROY\TEATIMER.EXE
C:\PROGRAM FILES\PROPEL ACCELERATOR\PROPELAC.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\MOZILLA FIREFOX\FIREFOX.EXE
C:\PROGRAM FILES\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:8080
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Ipswitch.WsftpBrowserHelper - {601ED020-FB6C-11D3-87D8-0050DA59922B} - C:\PROGRAM FILES\IPSWITCH\WS_FTP PRO\WSBHO2K0.DLL
O2 - BHO: (no name) - {027C4097-9949-11D9-8504-00A0DFA7EB35} - C:\WINDOWS\SYSTEM\ABJK.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [Propel Accelerator] "C:\Program Files\Propel Accelerator\trayctl.exe" /STARTUPLAUNCH
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\PROGRAM FILES\SPYBOT - SEARCH & DESTROY\TeaTimer.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsearch.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsimilar.html
O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmtrans.html
O8 - Extra context menu item: Refresh Pa&ge with Full Quality - C:\Program Files\Propel Accelerator\pac-page.html
O8 - Extra context menu item: Allow pop-ups from this site - C:\Program Files\Propel Accelerator\pac-addwl.html
O8 - Extra context menu item: Refresh Pi&cture with Full Quality - C:\Program Files\Propel Accelerator\pac-image.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O12 - Plugin for .com/individualapp/app?screenIdTextField=PageFramework&actionTextField=displayPrintable&FORM_ID=IN&APPLICATION_ID=1000065151: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
O18 - Filter: text/html - {027C4096-9949-11D9-8504-00A0B0EB4EAE} - C:\WINDOWS\SYSTEM\ABJK.DLL
O18 - Filter: text/plain - {027C4096-9949-11D9-8504-00A0B0EB4EAE} - C:\WINDOWS\SYSTEM\ABJK.DLL

Thanks
Terry

guestolo · « **Reply #1 on:** March 22, 2005, 02:00:52 AM »

Sorry for the delay

Can you please register to the forum and post your log again

Also, to unzip Startdreck you will need an Unzipping utility
Most use the Evaluation version of Winzip<<Don't worry about the 21 day warning
http://www.winzip.com/downwzeval.htm

There is also others out there that are not evaluation versions
Such as
IZArc
http://www.tucows.com/preview/335168.html

You only need one or the other

If you don't have an unzipping utility you should get one, you will need it now and for other future downloads
Even after we're done here, it's something to hold onto

iago · « **Reply #2 on:** March 22, 2005, 11:25:24 AM »

Hi! Thanks for replying so quickly. I registered (sorry I didn't before) and here's my hjt log. also I was able to unzip stardreck and I've added that log.

Thanks

Terry

Logfile of HijackThis v1.99.1
Scan saved at 9:28:49 AM, on 3/21/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\PROGRAM FILES\SPYBOT - SEARCH & DESTROY\TEATIMER.EXE
C:\PROGRAM FILES\PROPEL ACCELERATOR\PROPELAC.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\MOZILLA FIREFOX\FIREFOX.EXE
C:\PROGRAM FILES\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:8080
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Ipswitch.WsftpBrowserHelper - {601ED020-FB6C-11D3-87D8-0050DA59922B} - C:\PROGRAM FILES\IPSWITCH\WS_FTP PRO\WSBHO2K0.DLL
O2 - BHO: (no name) - {027C4097-9949-11D9-8504-00A0DFA7EB35} - C:\WINDOWS\SYSTEM\ABJK.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [Propel Accelerator] "C:\Program Files\Propel Accelerator\trayctl.exe" /STARTUPLAUNCH
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\PROGRAM FILES\SPYBOT - SEARCH & DESTROY\TeaTimer.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsearch.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsimilar.html
O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmtrans.html
O8 - Extra context menu item: Refresh Pa&ge with Full Quality - C:\Program Files\Propel Accelerator\pac-page.html
O8 - Extra context menu item: Allow pop-ups from this site - C:\Program Files\Propel Accelerator\pac-addwl.html
O8 - Extra context menu item: Refresh Pi&cture with Full Quality - C:\Program Files\Propel Accelerator\pac-image.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O12 - Plugin for .com/individualapp/app?screenIdTextField=PageFramework&actionTextField=displayPrintable&FORM_ID=IN&APPLICATION_ID=1000065151: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
O18 - Filter: text/html - {027C4096-9949-11D9-8504-00A0B0EB4EAE} - C:\WINDOWS\SYSTEM\ABJK.DLL
O18 - Filter: text/plain - {027C4096-9949-11D9-8504-00A0B0EB4EAE} - C:\WINDOWS\SYSTEM\ABJK.DLL

stardrecklog

StartDreck (build 2.1.7 public stable) - 2005-03-21 @ 20:32:38 (GMT -05:00)
Platform: Windows 98 SE (Win 4.10.2222 A)
Internet Explorer: 6.0.2800.1106
Logged in as Terry Wise at F8U9F1

»Registry
»Run Keys
»Current User
»Run
*SpybotSD TeaTimer=C:\PROGRAM FILES\SPYBOT - SEARCH & DESTROY\TeaTimer.exe
»RunOnce
»Default User
»Run
*SpybotSD TeaTimer=C:\PROGRAM FILES\SPYBOT - SEARCH & DESTROY\TeaTimer.exe
»RunOnce
»Local Machine
»Run
*ScanRegistry=C:\WINDOWS\scanregw.exe /autorun
*Propel Accelerator="C:\Program Files\Propel Accelerator\trayctl.exe" /STARTUPLAUNCH
*AVG7_CC=C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
*AVG7_EMC=C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
*AVG7_AMSVR=C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
+OptionalComponents
+IMAIL
*Installed=1
+MAPI
*NoChange=1
*Installed=1
+MAPI
*NoChange=1
*Installed=1
»RunOnce
»RunServices
»RunServicesOnce
**wlcu=rundll32 C:\WINDOWS\YAPS.LOG,DllGetClassObject
»RunOnceEx
»RunServicesOnceEx
»File Associations (CR)
+.bat
*batfile="%1" %*
+.com
*comfile="%1" %*
+.disabled
*SpybotSD.DisabledFile="C:\PROGRAM FILES\SPYBOT - SEARCH & DESTROY\blindman.exe" "%1"
+.exe
*exefile="%1" %*
+.hta
*htafile=C:\WINDOWS\SYSTEM\MSHTA.EXE "%1" %*
+.htm
*FirefoxHTML=C:\PROGRA~1\MOZILL~1\FIREFOX.EXE -url "%1"
+.html
*FirefoxHTML=C:\PROGRA~1\MOZILL~1\FIREFOX.EXE -url "%1"
+.js
*JSFile=C:\WINDOWS\WScript.exe "%1" %*
+.jse
*JSEFile=C:\WINDOWS\WScript.exe "%1" %*
+.pif
*piffile="%1" %*
+.reg
*regfile=regedit.exe "%1"
+.scr
*scrfile="%1" /S
+.txt
*txtfile=C:\WINDOWS\NOTEPAD.EXE %1
+.vbs
*VBSFile=C:\WINDOWS\WScript.exe "%1" %*
+.vbe
*VBEFile=C:\WINDOWS\WScript.exe "%1" %*
+.wsh
*WSHFile=C:\WINDOWS\WScript.exe "%1" %*
+.wsf
*WSFFile=C:\WINDOWS\WScript.exe "%1" %*
+.lnk
`lnkfile= [key or value does not exist]
»Browser Helper Objects (LM)
*AcroIEHelper.AcroIEHlprObj.1/{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
`InprocServer32=C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
*Google Toolbar Helper/{AA58ED58-01DD-4d91-8333-CF10577473F7}
`InprocServer32=c:\program files\google\googletoolbar1.dll
*Ipswitch.WsftpBrowserHelper.1/{601ED020-FB6C-11D3-87D8-0050DA59922B}
`InprocServer32=C:\PROGRAM FILES\IPSWITCH\WS_FTP PRO\WSBHO2K0.DLL
*{FE96DAAD-99E5-11D9-8504-00A09F8FAD5D}
`InprocServer32=C:\WINDOWS\SYSTEM\ABJK.DLL
»Files
»Autostart Folders
»Current User
*C:\WINDOWS\Start Menu\Programs\StartUp\Microsoft Office.lnk
»Default User
*C:\WINDOWS\Start Menu\Programs\StartUp\Microsoft Office.lnk
»Local Machine
»INI-Files
»WIN.INI\[windows]
*LOAD=
*RUN=
»SYSTEM.INI\[boot]
*SHELL=Explorer.exe
»Text Files
*C:\msdos.sys
*C:\config.sys
*C:\autoexec.bat
*C:\WINDOWS\SYSTEM\autoexec.nt
*C:\WINDOWS\wininit.ini
*C:\WINDOWS\wininit.bak
»System/Drivers
»Running Processes
+FFEF6551=C:\WINDOWS\SYSTEM\KERNEL32.DLL
+FFFF11C9=C:\WINDOWS\SYSTEM\MSGSRV32.EXE
+FFFF2639=C:\WINDOWS\SYSTEM\MPREXE.EXE
+FFFF3371=C:\WINDOWS\SYSTEM\mmtask.tsk
+FFFE97BD=C:\WINDOWS\RUNDLL32.EXE
+FFFEDF55=C:\WINDOWS\EXPLORER.EXE
+FFFD810D=C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
+FFFD6B35=C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE
+FFFD6A5D=C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
+FFFD1325=C:\PROGRAM FILES\SPYBOT - SEARCH & DESTROY\TEATIMER.EXE
+FFFC2009=C:\PROGRAM FILES\PROPEL ACCELERATOR\PROPELAC.EXE
+FFFBA761=C:\WINDOWS\SYSTEM\RNAAPP.EXE
+FFFB6DF9=C:\WINDOWS\SYSTEM\TAPISRV.EXE
+FFF9B8A9=C:\WINDOWS\SYSTEM\DDHELP.EXE
+FFF8385D=C:\WINDOWS\SYSTEM\SPOOL32.EXE
+FFF8BBA9=C:\PROGRAM FILES\MOZILLA FIREFOX\FIREFOX.EXE
+FFF724A5=C:\PROGRAM FILES\OUTLOOK EXPRESS\MSIMN.EXE
+FFF8F061=C:\WINDOWS\SYSTEM\PSTORES.EXE
+FFF1A56D=C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
+FFF21A65=C:\PROGRAM FILES\STARTDRECK.EXE
+FFF1D361=C:\WINDOWS\TEMP\STARTDRECK.EXE
»NT Services
»Application specific

guestolo · « **Reply #3 on:** March 23, 2005, 12:52:22 AM »

I see the hidden installer, we can remove it through a Dos prompt, but can I get you to try this beta tool please

Download and save to Desktop SpSeHjFix_Beta8.zip
[attachment=82:attachment]
UNZIP the folder within, to your desktop
So you will now have SpSeHjFix_Beta8.exe on your desktop

I need you to disable Spybot's Tea Timer so it won't interfere with any fixes we try
Start Spybot>>Click Mode>>advanced Mode>>Ok it
Tools>>Resident>>Uncheck Resident Tea Timer>>Accept the change

Please Print this out or save these instructions to a Notepad file and save it to your Desktop
RESTART your Computer in SAFE MODE

The tool will remove these files, but if you find them delete them now
Find and delete these files if found
C:\WINDOWS\SYSTEM\ABJK.DLL <-file
C:\WINDOWS\YAPS.LOG <-file

Navigate to, and delete the contents of your temp folders, or whatever you can
C:\WINDOWS\Temp <-delete contents
C:\WINDOWS\Temporary Internet Files <-delete contents

Stay in safe mode
Do another scan with Hijackthis and put a check next to these entries:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

O2 - BHO: (no name) - {027C4097-9949-11D9-8504-00A0DFA7EB35} - C:\WINDOWS\SYSTEM\ABJK.DLL

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O18 - Filter: text/html - {027C4096-9949-11D9-8504-00A0B0EB4EAE} - C:\WINDOWS\SYSTEM\ABJK.DLL
O18 - Filter: text/plain - {027C4096-9949-11D9-8504-00A0B0EB4EAE} - C:\WINDOWS\SYSTEM\ABJK.DLL

After you have ticked the above entries, close All other open windows, including this one
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis

Ensure you unzipped SpSeHjFix_Beta8.exe
Double click to open it and click the
Start Disinfection

It should restart your computer when done, if not restart anyways back to Normal mode

Back in Windows
Don't open a browser yet, instead access Internet Options via Control Panel
Under the Programs tab "Reset Web Settings"
Under the General tab---Reset home page

Post back a fresh Hijackthis log and a New Startdreck log
Also post the log from SpSeHjFix_Beta8.exe

If some entries return, we should get them on the next round

http://images.thetechguide.com/forum/public/style_emoticons/<#EMO_DIR#>/biggrin.gif\' class=\'bbc_emoticon\' alt=\'

\' />

iago · « **Reply #4 on:** March 23, 2005, 09:36:39 PM »

Hi

http://images.thetechguide.com/forum/public/style_emoticons/<#EMO_DIR#>/biggrin.gif\' class=\'bbc_emoticon\' alt=\'

\' />

You're impressin' me here!

Followed your instructions and here are the new logs:

Logfile of HijackThis v1.99.1
Scan saved at 9:24:09 PM, on 3/23/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\PROGRAM FILES\PROPEL ACCELERATOR\PROPELAC.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\PROGRAM FILES\MOZILLA FIREFOX\FIREFOX.EXE
C:\PROGRAM FILES\OUTLOOK EXPRESS\MSIMN.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\PROGRAM FILES\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:8080
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Ipswitch.WsftpBrowserHelper - {601ED020-FB6C-11D3-87D8-0050DA59922B} - C:\PROGRAM FILES\IPSWITCH\WS_FTP PRO\WSBHO2K0.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [Propel Accelerator] "C:\Program Files\Propel Accelerator\trayctl.exe" /STARTUPLAUNCH
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsearch.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsimilar.html
O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmtrans.html
O8 - Extra context menu item: Refresh Pa&ge with Full Quality - C:\Program Files\Propel Accelerator\pac-page.html
O8 - Extra context menu item: Allow pop-ups from this site - C:\Program Files\Propel Accelerator\pac-addwl.html
O8 - Extra context menu item: Refresh Pi&cture with Full Quality - C:\Program Files\Propel Accelerator\pac-image.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O12 - Plugin for .com/individualapp/app?screenIdTextField=PageFramework&actionTextField=displayPrintable&FORM_ID=IN&APPLICATION_ID=1000065151: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll

StartDreck (build 2.1.7 public stable) - 2005-03-23 @ 21:29:59 (GMT -05:00)
Platform: Windows 98 SE (Win 4.10.2222 A)
Internet Explorer: 6.0.2800.1106
Logged in as Terry Wise at F8U9F1

»Registry
»Run Keys
»Current User
»Run
»RunOnce
»Default User
»Run
»RunOnce
»Local Machine
»Run
*ScanRegistry=C:\WINDOWS\scanregw.exe /autorun
*Propel Accelerator="C:\Program Files\Propel Accelerator\trayctl.exe" /STARTUPLAUNCH
*AVG7_CC=C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
*AVG7_EMC=C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
*AVG7_AMSVR=C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
+OptionalComponents
+IMAIL
*Installed=1
+MAPI
*NoChange=1
*Installed=1
+MAPI
*NoChange=1
*Installed=1
»RunOnce
»RunServices
»RunServicesOnce
**izr=rundll32 C:\WINDOWS\YAPS.LOG,DllGetClassObject
»RunOnceEx
»RunServicesOnceEx
»File Associations (CR)
+.bat
*batfile="%1" %*
+.com
*comfile="%1" %*
+.disabled
*SpybotSD.DisabledFile="C:\PROGRAM FILES\SPYBOT - SEARCH & DESTROY\blindman.exe" "%1"
+.exe
*exefile="%1" %*
+.hta
*htafile=C:\WINDOWS\SYSTEM\MSHTA.EXE "%1" %*
+.htm
*FirefoxHTML=C:\PROGRA~1\MOZILL~1\FIREFOX.EXE -url "%1"
+.html
*FirefoxHTML=C:\PROGRA~1\MOZILL~1\FIREFOX.EXE -url "%1"
+.js
*JSFile=C:\WINDOWS\WScript.exe "%1" %*
+.jse
*JSEFile=C:\WINDOWS\WScript.exe "%1" %*
+.pif
*piffile="%1" %*
+.reg
*regfile=regedit.exe "%1"
+.scr
*scrfile="%1" /S
+.txt
*txtfile=C:\WINDOWS\NOTEPAD.EXE %1
+.vbs
*VBSFile=C:\WINDOWS\WScript.exe "%1" %*
+.vbe
*VBEFile=C:\WINDOWS\WScript.exe "%1" %*
+.wsh
*WSHFile=C:\WINDOWS\WScript.exe "%1" %*
+.wsf
*WSFFile=C:\WINDOWS\WScript.exe "%1" %*
+.lnk
`lnkfile= [key or value does not exist]
»Browser Helper Objects (LM)
*AcroIEHelper.AcroIEHlprObj.1/{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
`InprocServer32=C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
*Google Toolbar Helper/{AA58ED58-01DD-4d91-8333-CF10577473F7}
`InprocServer32=c:\program files\google\googletoolbar1.dll
*Ipswitch.WsftpBrowserHelper.1/{601ED020-FB6C-11D3-87D8-0050DA59922B}
`InprocServer32=C:\PROGRAM FILES\IPSWITCH\WS_FTP PRO\WSBHO2K0.DLL
»Files
»Autostart Folders
»Current User
*C:\WINDOWS\Start Menu\Programs\StartUp\Microsoft Office.lnk
»Default User
*C:\WINDOWS\Start Menu\Programs\StartUp\Microsoft Office.lnk
»Local Machine
»INI-Files
»WIN.INI\[windows]
*LOAD=
*RUN=
»SYSTEM.INI\[boot]
*SHELL=Explorer.exe
»Text Files
*C:\msdos.sys
*C:\config.sys
*C:\autoexec.bat
*C:\WINDOWS\SYSTEM\autoexec.nt
*C:\WINDOWS\wininit.bak
»System/Drivers
»Running Processes
+FFEF6E09=C:\WINDOWS\SYSTEM\KERNEL32.DLL
+FFFF1A91=C:\WINDOWS\SYSTEM\MSGSRV32.EXE
+FFFF2D61=C:\WINDOWS\SYSTEM\MPREXE.EXE
+FFFF3829=C:\WINDOWS\SYSTEM\mmtask.tsk
+FFFE9CE5=C:\WINDOWS\RUNDLL32.EXE
+FFFEDAE9=C:\WINDOWS\EXPLORER.EXE
+FFFDE4A1=C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
+FFFD4F19=C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE
+FFFD4FD1=C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
+FFFBC66D=C:\PROGRAM FILES\PROPEL ACCELERATOR\PROPELAC.EXE
+FFFA5809=C:\WINDOWS\SYSTEM\RNAAPP.EXE
+FFFA1E51=C:\WINDOWS\SYSTEM\TAPISRV.EXE
+FFFBB6C9=C:\PROGRAM FILES\MOZILLA FIREFOX\FIREFOX.EXE
+FFF9CA1D=C:\PROGRAM FILES\OUTLOOK EXPRESS\MSIMN.EXE
+FFF90A75=C:\WINDOWS\SYSTEM\PSTORES.EXE
+FFF83A89=C:\PROGRAM FILES\STARTDRECK.EXE
+FFF83619=C:\WINDOWS\PROGRAMFILES\STARTDRECK.EXE
»NT Services
»Application specific

3/23/05 9:12:04 PM SPSeHjFix started v1.08
3/23/05 9:12:04 PM OS: Win98SE A (4.10.67766446)
3/23/05 9:12:04 PM Bad-Dll(IEP): (not found)
3/23/05 9:12:04 PM BHO-DLL: (not found)
3/23/05 9:12:04 PM Searchassistant Unintaller found
3/23/05 9:12:04 PM Searchassistant Unintaller - Keys Deleted
3/23/05 9:12:04 PM UBF: 4
3/23/05 9:12:04 PM UBB: 2
3/23/05 9:12:04 PM UBR: 5
3/23/05 9:12:04 PM Bad IE-pages:
3/23/05 9:12:04 PM Stealth-String found: C:\WINDOWS\YAPS.LOG
3/23/05 9:12:04 PM File added to delete: c:\windows\system\abjk.dll
3/23/05 9:12:04 PM File added to delete: c:\hjruon.txt
3/23/05 9:12:04 PM File added to delete: c:\windows\yaps.log
3/23/05 9:12:04 PM Reboot
3/23/05 9:14:24 PM SPSeHjFix 2nd Step
3/23/05 9:14:25 PM RunServicesOnce-Key: (alex)
3/23/05 9:14:34 PM Cleaned

Is it fixed?

Appreciate your help.

Iago

guestolo · « **Reply #5 on:** March 23, 2005, 11:04:00 PM »

Still some work to do
Seems like the Beta fix didn't get rid of the Hidden infection
We have to get rid of this bad guy identified in the startdreck log

Code: [Select]

»RunServicesOnce
**izr=rundll32 C:\WINDOWS\YAPS.LOG,DllGetClassObject

Download and save to Desktop Remove.zip
[attachment=83:attachment]
Unzip the contents so you now have Remove.reg on the desktop

Please Print the rest of this out or write it down

I need you to Restart your computer into MS-Dos Mode
START>>Shutdown>>select Restart in MS-DOS mode
OK

At restart you should be at this prompt

C:\WINDOWS>

Type in the below excluding the (Enter), that indicates hitting Enter on your Keyboard>>>Take note of all the spaces too

attrib -r -s -h C:\WINDOWS\YAPS.LOG (Enter)
del YAPS.LOG (Enter)

If you want a rundown of what that should all look like with all the spaces, I've included below the same commands with = signs indicating where there should be a single space, you will not input the = sign, just the space
======================================================
attrib=-r=-s=-h=C:\WINDOWS\YAPS.LOG
del YAPS.LOG
======================================================

Use CTRL+ALT+DEL to Restart your computer back to Normal mode

This should restart the computer back in Normal mode
Double click on Remove.reg and allow to merge to the registry

Restart your computer again

Post back a fresh hijackthis log and a Fresh Startdreck log

iago · « **Reply #6 on:** March 24, 2005, 03:25:40 PM »

Okay. Here Goes

http://images.thetechguide.com/forum/public/style_emoticons/<#EMO_DIR#>/smile.gif\' class=\'bbc_emoticon\' alt=\'

\' />

Thanks, again for your time!

Logfile of HijackThis v1.99.1
Scan saved at 3:10:41 PM, on 3/24/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\PROGRAM FILES\PROPEL ACCELERATOR\PROPELAC.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\PROGRAM FILES\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:8080
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Ipswitch.WsftpBrowserHelper - {601ED020-FB6C-11D3-87D8-0050DA59922B} - C:\PROGRAM FILES\IPSWITCH\WS_FTP PRO\WSBHO2K0.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [Propel Accelerator] "C:\Program Files\Propel Accelerator\trayctl.exe" /STARTUPLAUNCH
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsearch.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsimilar.html
O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmtrans.html
O8 - Extra context menu item: Refresh Pa&ge with Full Quality - C:\Program Files\Propel Accelerator\pac-page.html
O8 - Extra context menu item: Allow pop-ups from this site - C:\Program Files\Propel Accelerator\pac-addwl.html
O8 - Extra context menu item: Refresh Pi&cture with Full Quality - C:\Program Files\Propel Accelerator\pac-image.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O12 - Plugin for .com/individualapp/app?screenIdTextField=PageFramework&actionTextField=displayPrintable&FORM_ID=IN&APPLICATION_ID=1000065151: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll

StartDreck (build 2.1.7 public stable) - 2005-03-24 @ 15:13:24 (GMT -05:00)
Platform: Windows 98 SE (Win 4.10.2222 A)
Internet Explorer: 6.0.2800.1106
Logged in as Terry Wise at F8U9F1

»Registry
»Run Keys
»Current User
»Run
»RunOnce
»Default User
»Run
»RunOnce
»Local Machine
»Run
*ScanRegistry=C:\WINDOWS\scanregw.exe /autorun
*Propel Accelerator="C:\Program Files\Propel Accelerator\trayctl.exe" /STARTUPLAUNCH
*AVG7_CC=C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
*AVG7_EMC=C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
*AVG7_AMSVR=C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
+OptionalComponents
+IMAIL
*Installed=1
+MAPI
*NoChange=1
*Installed=1
+MAPI
*NoChange=1
*Installed=1
»RunOnce
»RunServices
»RunServicesOnce
»RunOnceEx
»RunServicesOnceEx
»File Associations (CR)
+.bat
*batfile="%1" %*
+.com
*comfile="%1" %*
+.disabled
*SpybotSD.DisabledFile="C:\PROGRAM FILES\SPYBOT - SEARCH & DESTROY\blindman.exe" "%1"
+.exe
*exefile="%1" %*
+.hta
*htafile=C:\WINDOWS\SYSTEM\MSHTA.EXE "%1" %*
+.htm
*FirefoxHTML=C:\PROGRA~1\MOZILL~1\FIREFOX.EXE -url "%1"
+.html
*FirefoxHTML=C:\PROGRA~1\MOZILL~1\FIREFOX.EXE -url "%1"
+.js
*JSFile=C:\WINDOWS\WScript.exe "%1" %*
+.jse
*JSEFile=C:\WINDOWS\WScript.exe "%1" %*
+.pif
*piffile="%1" %*
+.reg
*regfile=regedit.exe "%1"
+.scr
*scrfile="%1" /S
+.txt
*txtfile=C:\WINDOWS\NOTEPAD.EXE %1
+.vbs
*VBSFile=C:\WINDOWS\WScript.exe "%1" %*
+.vbe
*VBEFile=C:\WINDOWS\WScript.exe "%1" %*
+.wsh
*WSHFile=C:\WINDOWS\WScript.exe "%1" %*
+.wsf
*WSFFile=C:\WINDOWS\WScript.exe "%1" %*
+.lnk
`lnkfile= [key or value does not exist]
»Browser Helper Objects (LM)
*AcroIEHelper.AcroIEHlprObj.1/{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
`InprocServer32=C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
*Google Toolbar Helper/{AA58ED58-01DD-4d91-8333-CF10577473F7}
`InprocServer32=c:\program files\google\googletoolbar1.dll
*Ipswitch.WsftpBrowserHelper.1/{601ED020-FB6C-11D3-87D8-0050DA59922B}
`InprocServer32=C:\PROGRAM FILES\IPSWITCH\WS_FTP PRO\WSBHO2K0.DLL
»Files
»Autostart Folders
»Current User
*C:\WINDOWS\Start Menu\Programs\StartUp\Microsoft Office.lnk
»Default User
*C:\WINDOWS\Start Menu\Programs\StartUp\Microsoft Office.lnk
»Local Machine
»INI-Files
»WIN.INI\[windows]
*LOAD=
*RUN=
»SYSTEM.INI\[boot]
*SHELL=Explorer.exe
»Text Files
*C:\msdos.sys
*C:\config.sys
*C:\autoexec.bat
*C:\WINDOWS\SYSTEM\autoexec.nt
*C:\WINDOWS\wininit.bak
»System/Drivers
»Running Processes
+FFEF6E1B=C:\WINDOWS\SYSTEM\KERNEL32.DLL
+FFFF1A83=C:\WINDOWS\SYSTEM\MSGSRV32.EXE
+FFFF2D73=C:\WINDOWS\SYSTEM\MPREXE.EXE
+FFFF383B=C:\WINDOWS\SYSTEM\mmtask.tsk
+FFFEDEFB=C:\WINDOWS\EXPLORER.EXE
+FFFDD82F=C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
+FFFDA8C3=C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE
+FFFDB7A3=C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
+FFFCDB97=C:\PROGRAM FILES\PROPEL ACCELERATOR\PROPELAC.EXE
+FFFC258F=C:\WINDOWS\SYSTEM\RNAAPP.EXE
+FFFBE967=C:\WINDOWS\SYSTEM\TAPISRV.EXE
+FFFB3E23=C:\WINDOWS\DESKTOP\STARTDRECK.EXE
»NT Services
»Application specific

guestolo · « **Reply #7 on:** March 24, 2005, 08:49:23 PM »

Looks good, how's everything?

You should set up protection against future attacks

SpywareBlaster by JavaCool---will block bad ActiveX and malevolent cookies
Install---Check for Updates---Enable all protection
http://www.javacoolsoftware.com/spywareblaster.html

IE-Spyad---IE-SPYAD puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
Here is a tutorial and download link
TUTORIAL==Link to Tutorial
Download link

With both, Check for updates every couple of weeks
Keep the link to IE-Spyad bookmarked so you can check for updates
SpywareBlaster, after every update just simply enable all protection

Guest · « **Reply #8 on:** March 25, 2005, 12:53:04 PM »

http://images.thetechguide.com/forum/public/style_emoticons/<#EMO_DIR#>/smile.gif\' class=\'bbc_emoticon\' alt=\'

\' />

http://images.thetechguide.com/forum/public/style_emoticons/<#EMO_DIR#>/smile.gif\' class=\'bbc_emoticon\' alt=\'

\' />

http://images.thetechguide.com/forum/public/style_emoticons/<#EMO_DIR#>/smile.gif\' class=\'bbc_emoticon\' alt=\'

\' />

Seems to be okay!

I switched to Mozilla, but will check out the links you have listed, just in case I have to use IE.

Thanks!!!!

Terry

guestolo · « **Reply #9 on:** March 25, 2005, 09:49:38 PM »

I'll lock this topic as your problems appear resolved
If you need it reopened please PM a Mod or the site Admin and supply a link to this thread

I use Mozilla Firefox all the time, very rarely even open IE
But I still have IE-Spyad installed just in case
Internet Explorer is so integrated into Windows it is just safer to have IE-Spyad installed

SpywareBlaster also has protection for Mozilla Browsers, so you should defintely install it

Take Care

http://images.thetechguide.com/forum/public/style_emoticons/<#EMO_DIR#>/biggrin.gif\' class=\'bbc_emoticon\' alt=\'

\' />

TheTechGuide Forum

News:

Author Topic: hidden cws (Read 1509 times)

Guest_Terry_*

hidden cws

guestolo

hidden cws

iago

hidden cws

guestolo

hidden cws

iago

hidden cws

guestolo

hidden cws

iago

hidden cws

guestolo

hidden cws

Guest

hidden cws

guestolo

hidden cws