Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

startpage - about blank virus [Resolved]


  • This topic is locked This topic is locked

#1
rjs

rjs

    Member

  • Member
  • PipPip
  • 22 posts
I have followed all the instructions given to others 4 times now and thought I had won. System appeard clean for local use. Fo the first time I Opened Internet explorer and as soon as I recieved my home page (google) I had a unusual warning saying that my PC was infected and I needed to download a new scanner. Also my spygaurd sftware issed a warning that something was trying to install a BHO - I have left these warnings on screen and immediatly re run hijack this and posted the log below.

Can any one help - In summary i have tried the following previously

In safe mode
run Adware with all suggested settings
Run spybot
run aboutbuster twice
deleted se.dll from temp
Run CWShredder
Run cleaup
Run cwservicemove
Run hijack this and fixed all odd looking entries
Added TDS virous checker
Run Housecall which crashed PC halfway through
Run Pandasoftware which showed up more files and deleted all these
run adware again now clean

I tought that was it but NO so here is hijack this file - I must have missed something ??????

Logfile of HijackThis v1.99.1
Scan saved at 11:37:14, on 12/03/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\GRISOFT\AVG TCP SERVER\AVGTCPSV.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\STARTER.EXE
C:\PROGRAM FILES\REAL\REALPLAYER\REALPLAY.EXE
C:\WINDOWS\SYSTEM\INTERNAT.EXE
C:\WINDOWS\TPPALDR.EXE
C:\WINDOWS\SYSTEM\ATIPTAXX.EXE
C:\WINDOWS\RunDLL.exe
C:\PROGRAM FILES\ADSUBTRACT\ADSUB.EXE
C:\Program Files\HP DeskJet 690C Series\HPFfbt16.exe
C:\PROGRAM FILES\ZYKON\TWISTER GAMEPAD\ACTIVE.EXE
C:\PROGRAM FILES\SPYWAREGUARD\SGMAIN.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\SPYWAREGUARD\SGBHP.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\POWERPNT.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\HIJACK THIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=AdSubtract:4444
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
F1 - win.ini: run=hpfsched
O2 - BHO: (no name) - {0EA1F6E3-92E2-11D9-83E1-00308A2F2F66} - C:\WINDOWS\SYSTEM\PLAEF.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
O4 - HKLM\..\Run: [Voodoo2] rundll32.exe 3dfxv2ps.dll,UpdateRegSettings
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [internat.exe] internat.exe
O4 - HKLM\..\Run: [RegShave] C:\Progra~1\REGSHAVE\REGSHAVE.EXE /autorun
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [TPP Auto Loader] C:\WINDOWS\TPPALDR.EXE
O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
O4 - HKLM\..\Run: [sp] rundll32 C:\WINDOWS\TEMP\SE.DLL,DllInstall
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [avgtcpsv.exe] C:\PROGRA~1\GRISOFT\AVGTCP~1\AVGTCPSV.EXE
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - Startup: Microsoft Office.lnk = C:\WINDOWS\Application Data\Microsoft\Installer\{00000409-78E1-11D2-B60F-006097C998E7}\misc.exe
O4 - Startup: AdSubtract.lnk = C:\Program Files\AdSubtract\adsub.exe
O4 - Startup: Twister Gamepad Activator.lnk = C:\Program Files\Zykon\Twister Gamepad\Active.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsearch.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsimilar.html
O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmtrans.html
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O12 - Plugin for .mov: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .wav: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .mid: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .aiff: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall-bet...all/xscan60.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 192.168.2.1,38.9.211.2
O18 - Filter: text/html - {0EA1F6E2-92E2-11D9-83E1-0030E5638AFD} - C:\WINDOWS\SYSTEM\PLAEF.DLL
O18 - Filter: text/plain - {0EA1F6E2-92E2-11D9-83E1-0030E5638AFD} - C:\WINDOWS\SYSTEM\PLAEF.DLL
  • 0

Advertisements


#2
don77

don77

    Malware Expert

  • Retired Staff
  • 18,526 posts
Hi rjs and welcome,
I see you have a number of post in regards to trying to resolve this issue, Please post back to this thread with necessary logs and replies please,

I know you have most of these tools but I will list what will hopefully be the steps to clean this up for you,

First:
Download AboutBuster
Then Unzip it to your desktop.. “Don’t run it yet”
Check it for updates if any are found please download them then close out the program

Download and install Cleanup

Also
Dowload the following program
CWShredder
It should be the current version, but check for updates
“Don’t run it yet”

Please download and install Ad-aware.
Setting up Ad-aware- please make sure you update it first



Next,. Reboot into SAFE MODE
Please restart HJT put a check next to the following if they still exist, close all open windows and click “fix.checked”

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {0EA1F6E3-92E2-11D9-83E1-00308A2F2F66} - C:\WINDOWS\SYSTEM\PLAEF.DLL
O4 - HKLM\..\Run: [sp] rundll32 C:\WINDOWS\TEMP\SE.DLL,DllInstall
O18 - Filter: text/html - {0EA1F6E2-92E2-11D9-83E1-0030E5638AFD} - C:\WINDOWS\SYSTEM\PLAEF.DLL
O18 - Filter: text/plain - {0EA1F6E2-92E2-11D9-83E1-0030E5638AFD} - C:\WINDOWS\SYSTEM\PLAEF.DLL

make sure you can view all View all Hidden Files/Folders search for and delete the following in BOLD if still present

C:\WINDOWS\TEMP\SE.DLL
C:\WINDOWS\SYSTEM\PLAEF.DLL

Next:
Run About Buster twice in safe Mode Save the logs it generates,

Next,
Run Program cwshredder and have it fix anything it finds.
Make sure you click the “Fix” button


Next,
Open Cleanup! Click on clean up now and let it run,
When it has finished click NO to reboot now.

Next,
Scan with AdAware have it remove what it finds

Restart your computer,

Run About Buster twice again please, Again save the log from it and post back all the logs from AboutBuster and a fresh HJT log please.

Edited by don77, 15 March 2005 - 06:29 AM.

  • 0

#3
rjs

rjs

    Member

  • Topic Starter
  • Member
  • PipPip
  • 22 posts
Thanks very much - Although I have tried all this before have done it again and seems to be holding- Please leave open for a few days to ensure resolution
  • 0

#4
don77

don77

    Malware Expert

  • Retired Staff
  • 18,526 posts
Will do,
Could you post back a fresh log please
  • 0

#5
rjs

rjs

    Member

  • Topic Starter
  • Member
  • PipPip
  • 22 posts
NO its not Its back again trying to insert objects into my broswer
log below. I really have no idea

Logfile of HijackThis v1.99.1
Scan saved at 21:50:13, on 17/03/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\GRISOFT\AVG TCP SERVER\AVGTCPSV.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\STARTER.EXE
C:\PROGRAM FILES\REAL\REALPLAYER\REALPLAY.EXE
C:\WINDOWS\SYSTEM\INTERNAT.EXE
C:\WINDOWS\TPPALDR.EXE
C:\WINDOWS\SYSTEM\ATIPTAXX.EXE
C:\WINDOWS\RunDLL.exe
C:\PROGRAM FILES\ADSUBTRACT\ADSUB.EXE
C:\PROGRAM FILES\ZYKON\TWISTER GAMEPAD\ACTIVE.EXE
C:\PROGRAM FILES\SPYWAREGUARD\SGMAIN.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\SPYWAREGUARD\SGBHP.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\HIJACK THIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=AdSubtract:4444
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
F1 - win.ini: run=hpfsched
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
O4 - HKLM\..\Run: [Voodoo2] rundll32.exe 3dfxv2ps.dll,UpdateRegSettings
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [internat.exe] internat.exe
O4 - HKLM\..\Run: [RegShave] C:\Progra~1\REGSHAVE\REGSHAVE.EXE /autorun
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [TPP Auto Loader] C:\WINDOWS\TPPALDR.EXE
O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
O4 - HKLM\..\Run: [sp] rundll32 C:\WINDOWS\TEMP\SE.DLL,DllInstall
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [avgtcpsv.exe] C:\PROGRA~1\GRISOFT\AVGTCP~1\AVGTCPSV.EXE
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - Startup: Microsoft Office.lnk = C:\WINDOWS\Application Data\Microsoft\Installer\{00000409-78E1-11D2-B60F-006097C998E7}\misc.exe
O4 - Startup: AdSubtract.lnk = C:\Program Files\AdSubtract\adsub.exe
O4 - Startup: Twister Gamepad Activator.lnk = C:\Program Files\Zykon\Twister Gamepad\Active.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsearch.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsimilar.html
O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmtrans.html
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O12 - Plugin for .mov: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .wav: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .mid: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .aiff: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall-bet...all/xscan60.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 192.168.2.1,38.9.211.2
O18 - Filter: text/html - {4FA14882-972E-11D9-83E1-0030F330FD6E} - C:\WINDOWS\SYSTEM\IJMKF.DLL
O18 - Filter: text/plain - {4FA14882-972E-11D9-83E1-0030F330FD6E} - C:\WINDOWS\SYSTEM\IJMKF.DLL

As I said have trye all of the noted clearers. Remember this is a 98 se pc - is that the problem. I have a firewalled broardband router and am running antivirus TDG but that inot picking up anything
  • 0

#6
don77

don77

    Malware Expert

  • Retired Staff
  • 18,526 posts
Hi again ris,
this bug hides deep on us, please do the following please,

Download: "StartDreck",
Here

Unzip to its own folder and start the program,

Press 'Config'
Press 'Unmark All'

Check the following boxes only:
Registry -> Run Keys
System/drivers> Running processes
Press 'Ok'

Press 'Save' and select hte location to save the log file
(default is the same folder as the application)

Post the log in this thread.

Edited by don77, 17 March 2005 - 09:44 PM.

  • 0

#7
rjs

rjs

    Member

  • Topic Starter
  • Member
  • PipPip
  • 22 posts
OK have run start derec and attached log below

tartDreck (build 2.1.7 public stable) - 2005-03-18 @ 22:21:01 (GMT +00:00)
Platform: Windows 98 SE (Win 4.10.2222 A)
Internet Explorer: 6.0.2800.1106
Logged in as rsollitt at FAMILY PC

»Registry
»Run Keys
»Current User
»Run
*Taskbar Display Controls=RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
»RunOnce
»Default User
»Run
*Taskbar Display Controls=RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
»RunOnce
»Local Machine
»Run
*ScanRegistry=C:\WINDOWS\scanregw.exe /autorun
*TaskMonitor=C:\WINDOWS\taskmon.exe
*SystemTray=SysTray.Exe
*EnsoniqMixer=starter.exe
*Voodoo2=rundll32.exe 3dfxv2ps.dll,UpdateRegSettings
*RealTray=C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
*internat.exe=internat.exe
*RegShave=C:\Progra~1\REGSHAVE\REGSHAVE.EXE /autorun
*LoadPowerProfile=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
*TPP Auto Loader=C:\WINDOWS\TPPALDR.EXE
*AtiPTA=Atiptaxx.exe
*sp=rundll32 C:\WINDOWS\TEMP\SE.DLL,DllInstall
+OptionalComponents
+IMAIL
*Installed=1
+MAPI
*NoChange=1
*Installed=1
+MAPI
*NoChange=1
*Installed=1
»RunOnce
»RunServices
*LoadPowerProfile=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
*SchedulingAgent=mstask.exe
*avgtcpsv.exe=C:\PROGRA~1\GRISOFT\AVGTCP~1\AVGTCPSV.EXE
»RunServicesOnce
**bu=rundll32 C:\WINDOWS\BACKGRGD.GIF,DllGetClassObject
»RunOnceEx
»RunServicesOnceEx
»Files
»System/Drivers
»Running Processes
+FF0FFE61=C:\WINDOWS\SYSTEM\KERNEL32.DLL
+FFFE3E59=C:\WINDOWS\SYSTEM\MSGSRV32.EXE
+FFFE3621=C:\WINDOWS\SYSTEM\SPOOL32.EXE
+FFFE14C5=C:\WINDOWS\SYSTEM\MPREXE.EXE
+FFFE9289=C:\WINDOWS\SYSTEM\MSTASK.EXE
+FFFEE0CD=C:\PROGRAM FILES\GRISOFT\AVG TCP SERVER\AVGTCPSV.EXE
+FFFD1951=C:\WINDOWS\RUNDLL32.EXE
+FFFD9479=C:\WINDOWS\SYSTEM\mmtask.tsk
+FFFDF89D=C:\WINDOWS\EXPLORER.EXE
+FFFC457D=C:\WINDOWS\TASKMON.EXE
+FFFC5FC5=C:\WINDOWS\SYSTEM\SYSTRAY.EXE
+FFFC8CE9=C:\WINDOWS\STARTER.EXE
+FFFCE599=C:\PROGRAM FILES\REAL\REALPLAYER\REALPLAY.EXE
+FFFCE9C1=C:\WINDOWS\SYSTEM\INTERNAT.EXE
+FFFB1D61=C:\WINDOWS\TPPALDR.EXE
+FFFB3ACD=C:\WINDOWS\SYSTEM\ATIPTAXX.EXE
+FFFCFC7D=C:\WINDOWS\RUNDLL32.EXE
+FFFB7631=C:\WINDOWS\RunDLL.exe
+FFFBFBED=C:\PROGRAM FILES\ADSUBTRACT\ADSUB.EXE
+FFFBE7D5=C:\PROGRAM FILES\ZYKON\TWISTER GAMEPAD\ACTIVE.EXE
+FFFB52D1=C:\PROGRAM FILES\SPYWAREGUARD\SGMAIN.EXE
+FFFC944D=C:\WINDOWS\SYSTEM\WMIEXE.EXE
+FFFACC5D=C:\PROGRAM FILES\SPYWAREGUARD\SGBHP.EXE
+FFFA7A1D=C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
+FFF834BD=C:\STARTDREK\STARTDRECK.EXE
»Application specific
  • 0

#8
don77

don77

    Malware Expert

  • Retired Staff
  • 18,526 posts
Win98.fix

Unzip Win98fix.zip to your desktop.

DoubleClick on: Win98fix.reg file, hit 'yes'
on the prompt!
-Restart computer!
-File should be visible!
-Do 'find files' for and delete. C:\WINDOWS\SYSTEM\BACKGRGD.GIF


Dowload the latest version of Spybot 1.3. Please check it for updates, Run the program and have it fix anything it finds in Red.
Restart your computer,

Run another scan with CWShredder be sure and click on the "Fix" button, Restart your computer,


Please restart HJT put a check next to the following, close all open windows and click “Fix Checked”

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O4 - HKLM\..\Run: [sp] rundll32 C:\WINDOWS\TEMP\SE.DLL,DllInstall
O18 - Filter: text/html - {4FA14882-972E-11D9-83E1-0030F330FD6E} - C:\WINDOWS\SYSTEM\IJMKF.DLL
O18 - Filter: text/plain - {4FA14882-972E-11D9-83E1-0030F330FD6E} - C:\WINDOWS\SYSTEM\IJMKF.DLL

Next Reboot into SAFE MODE Make sure you can view all Hidden Files/Folders search for and delete the files highlighted in BOLD

C:\WINDOWS\TEMP\SE.DLL
C:\WINDOWS\SYSTEM\IJMKF.DLL


Restart your computer, Post back a fresh log please
  • 0

#9
rjs

rjs

    Member

  • Topic Starter
  • Member
  • PipPip
  • 22 posts
On the win98fix.zip link - it says i am not authorised to access the web site?

Do I need some sort of permission.
  • 0

#10
rjs

rjs

    Member

  • Topic Starter
  • Member
  • PipPip
  • 22 posts
OK got over this managed to find a link ton tech guys site to win98fix.zip. I hope it is the same thing ?

Followed your instructions. only there was no file called c:\windows\system\backgrgd.gif but there was one C:\windows\backgrgd.gif so moved this to my desktop forand renamed it for safe keeping and deleted it.

also at the end of your instructiond there was no file called
IJMKF.dll anywhere on my c drive so could not delete .

rebooted and rundll process reported an error that it counld not find
C;windows\temp\se.dll which I Ok'ed.

Immediatly my spygaurd software warned we that a BHO where tying to chanfge my serch page and other things to about blank and other refs, but I have the option to restore original value which i did.

I then went to the internet to post this reply and it came up with google my correct home page.

Below is a hijack this log and a stardrek log taken at boot up. its still not right as even moving my mouse around the screen is stuttered as though something is still taking lots of CPU cycles.

Thanks so far and please don't give up !

Logfile of HijackThis v1.99.1
Scan saved at 00:43:45, on 23/03/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\GRISOFT\AVG TCP SERVER\AVGTCPSV.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\STARTER.EXE
C:\PROGRAM FILES\REAL\REALPLAYER\REALPLAY.EXE
C:\WINDOWS\SYSTEM\INTERNAT.EXE
C:\WINDOWS\TPPALDR.EXE
C:\WINDOWS\SYSTEM\ATIPTAXX.EXE
C:\WINDOWS\RunDLL.exe
C:\PROGRAM FILES\ADSUBTRACT\ADSUB.EXE
C:\PROGRAM FILES\ZYKON\TWISTER GAMEPAD\ACTIVE.EXE
C:\PROGRAM FILES\SPYWAREGUARD\SGMAIN.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\SPYWAREGUARD\SGBHP.EXE
C:\HIJACK THIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=AdSubtract:4444
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
F1 - win.ini: run=hpfsched
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
O4 - HKLM\..\Run: [Voodoo2] rundll32.exe 3dfxv2ps.dll,UpdateRegSettings
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [internat.exe] internat.exe
O4 - HKLM\..\Run: [RegShave] C:\Progra~1\REGSHAVE\REGSHAVE.EXE /autorun
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [TPP Auto Loader] C:\WINDOWS\TPPALDR.EXE
O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
O4 - HKLM\..\Run: [sp] rundll32 C:\WINDOWS\TEMP\SE.DLL,DllInstall
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [avgtcpsv.exe] C:\PROGRA~1\GRISOFT\AVGTCP~1\AVGTCPSV.EXE
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - Startup: Microsoft Office.lnk = C:\WINDOWS\Application Data\Microsoft\Installer\{00000409-78E1-11D2-B60F-006097C998E7}\misc.exe
O4 - Startup: AdSubtract.lnk = C:\Program Files\AdSubtract\adsub.exe
O4 - Startup: Twister Gamepad Activator.lnk = C:\Program Files\Zykon\Twister Gamepad\Active.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsearch.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsimilar.html
O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmtrans.html
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O12 - Plugin for .mov: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .wav: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .mid: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .aiff: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall-bet...all/xscan60.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 192.168.2.1,38.9.211.2

_______________________

StartDreck (build 2.1.7 public stable) - 2005-03-23 @ 00:46:50 (GMT +00:00)
Platform: Windows 98 SE (Win 4.10.2222 A)
Internet Explorer: 6.0.2800.1106
Logged in as rsollitt at FAMILY PC

»Registry
»Run Keys
»Current User
»Run
*Taskbar Display Controls=RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
»RunOnce
»Default User
»Run
*Taskbar Display Controls=RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
»RunOnce
»Local Machine
»Run
*ScanRegistry=C:\WINDOWS\scanregw.exe /autorun
*TaskMonitor=C:\WINDOWS\taskmon.exe
*SystemTray=SysTray.Exe
*EnsoniqMixer=starter.exe
*Voodoo2=rundll32.exe 3dfxv2ps.dll,UpdateRegSettings
*RealTray=C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
*internat.exe=internat.exe
*RegShave=C:\Progra~1\REGSHAVE\REGSHAVE.EXE /autorun
*LoadPowerProfile=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
*TPP Auto Loader=C:\WINDOWS\TPPALDR.EXE
*AtiPTA=Atiptaxx.exe
*sp=rundll32 C:\WINDOWS\TEMP\SE.DLL,DllInstall
+OptionalComponents
+IMAIL
*Installed=1
+MAPI
*NoChange=1
*Installed=1
+MAPI
*NoChange=1
*Installed=1
»RunOnce
»RunServices
*LoadPowerProfile=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
*SchedulingAgent=mstask.exe
*avgtcpsv.exe=C:\PROGRA~1\GRISOFT\AVGTCP~1\AVGTCPSV.EXE
»RunServicesOnce
**h=rundll32 C:\WINDOWS\BACKGRGD.GIF,DllGetClassObject
»RunOnceEx
»RunServicesOnceEx
»File Associations (CR)
+.bat
*batfile="%1" %*
+.com
*comfile="%1" %*
+.disabled
*SpybotSD.DisabledFile="C:\PROGRAM FILES\SPYBOT - SEARCH & DESTROY\blindman.exe" "%1"
+.exe
*exefile="%1" %*
+.hta
*htafile=C:\WINDOWS\SYSTEM\MSHTA.EXE "%1" %*
+.htm
*htmlfile="C:\PROGRA~1\INTERN~1\iexplore.exe" -nohome
+.html
*htmlfile="C:\PROGRA~1\INTERN~1\iexplore.exe" -nohome
+.js
*JSFile=C:\WINDOWS\WScript.exe "%1" %*
+.jse
*JSEFile=C:\WINDOWS\WScript.exe "%1" %*
+.pif
*piffile="%1" %*
+.reg
*regfile=regedit.exe "%1"
+.scr
*scrfile="%1" /S
+.txt
*txtfile=C:\WINDOWS\NOTEPAD.EXE %1
+.vbs
*VBSFile=C:\WINDOWS\WScript.exe "%1" %*
+.vbe
*VBEFile=C:\WINDOWS\WScript.exe "%1" %*
+.wsh
*WSHFile=C:\WINDOWS\WScript.exe "%1" %*
+.wsf
*WSFFile=C:\WINDOWS\WScript.exe "%1" %*
+.lnk
`lnkfile= [key or value does not exist]
»Browser Helper Objects (LM)
»Files
»Autostart Folders
»Current User
*C:\WINDOWS\Start Menu\Programs\StartUp\Microsoft Office.lnk
*C:\WINDOWS\Start Menu\Programs\StartUp\AdSubtract.lnk
*C:\WINDOWS\Start Menu\Programs\StartUp\Twister Gamepad Activator.lnk
*C:\WINDOWS\Start Menu\Programs\StartUp\SpywareGuard.lnk
»Default User
*C:\WINDOWS\Start Menu\Programs\StartUp\Microsoft Office.lnk
*C:\WINDOWS\Start Menu\Programs\StartUp\AdSubtract.lnk
*C:\WINDOWS\Start Menu\Programs\StartUp\Twister Gamepad Activator.lnk
*C:\WINDOWS\Start Menu\Programs\StartUp\SpywareGuard.lnk
»Local Machine
»INI-Files
»WIN.INI\[windows]
*LOAD=
*RUN=hpfsched
»SYSTEM.INI\[boot]
*SHELL=Explorer.exe
»Text Files
*C:\msdos.sys
*C:\config.sys
*C:\autoexec.bat
*C:\WINDOWS\wininit.bak
*C:\WINDOWS\hosts
»System/Drivers
»Running Processes
+FF0FE26F=C:\WINDOWS\SYSTEM\KERNEL32.DLL
+FFFE2257=C:\WINDOWS\SYSTEM\MSGSRV32.EXE
+FFFE2FC7=C:\WINDOWS\SYSTEM\MPREXE.EXE
+FFFEA93F=C:\WINDOWS\SYSTEM\MSTASK.EXE
+FFFE948F=C:\PROGRAM FILES\GRISOFT\AVG TCP SERVER\AVGTCPSV.EXE
+FFFD36E3=C:\WINDOWS\RUNDLL32.EXE
+FFFDA52F=C:\WINDOWS\SYSTEM\SPOOL32.EXE
+FFFD9C6F=C:\WINDOWS\SYSTEM\mmtask.tsk
+FFFC3383=C:\WINDOWS\EXPLORER.EXE
+FFFCB667=C:\WINDOWS\TASKMON.EXE
+FFFCA017=C:\WINDOWS\SYSTEM\SYSTRAY.EXE
+FFFC8B3F=C:\WINDOWS\STARTER.EXE
+FFFCCE47=C:\PROGRAM FILES\REAL\REALPLAYER\REALPLAY.EXE
+FFFCEA77=C:\WINDOWS\SYSTEM\INTERNAT.EXE
+FFFB61A7=C:\WINDOWS\TPPALDR.EXE
+FFFCB237=C:\WINDOWS\SYSTEM\ATIPTAXX.EXE
+FFFE321B=C:\WINDOWS\RunDLL.exe
+FFFCD38F=C:\PROGRAM FILES\ADSUBTRACT\ADSUB.EXE
+FFFB7C33=C:\PROGRAM FILES\ZYKON\TWISTER GAMEPAD\ACTIVE.EXE
+FFFA311F=C:\PROGRAM FILES\SPYWAREGUARD\SGMAIN.EXE
+FFFB060F=C:\WINDOWS\SYSTEM\WMIEXE.EXE
+FFFAE43F=C:\PROGRAM FILES\SPYWAREGUARD\SGBHP.EXE
+FFF96857=C:\HIJACK THIS\HIJACKTHIS.EXE
+FFF9AA67=C:\WINDOWS\NOTEPAD.EXE
+FFF99DAF=C:\STARTDREK\STARTDRECK.EXE
»NT Services
»Application specific
  • 0

Advertisements


#11
don77

don77

    Malware Expert

  • Retired Staff
  • 18,526 posts
Not giving up on you, Just been away for the past few days,
Lets see if we can;t get this bug now ,

Please go Here
Download Reglite, Open Reistrar Lite,
In the Address bar on top copy and paste the following into it please,
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

When the window opens with the process running look for the following and delete,
Win Server
Win Server Updt
Win Server Updt [C:\WINDOWS\wupdt.exe]
conscorr

Reboot your computer,

Next,
Check Ad-aware and XWS for updates please don't run them yet,

Next, Reboot into SAFE MODE
Please restart HJT put a check next to the following if they still exist, close all open windows and click “fix.checked”

O4 - HKLM\..\Run: [sp] rundll32 C:\WINDOWS\TEMP\SE.DLL,DllInstall

make sure you can view all View all Hidden Files/Folders search for and delete the following in BOLD if still present

ieplugin.dll
se.dll
systb.dll
winobject.dll


It is likely you may find any of the above in more than 1 place it is necessary to delete all of them,


Next,
Run Program cwshredder and have it fix anything it finds.
Make sure you click the “Fix” button


Next,
Open Cleanup! Click on clean up now and let it run,
When it has finished click NO to reboot now.

Next,
Scan with AdAware have it remove what it finds

Restart your computer, Post back a fresh log please
  • 0

#12
iddqd

iddqd

    New Member

  • Member
  • Pip
  • 1 posts
Please refrain from giving help until you have been trained at GeekU.

- Matt :tazz:
  • 0

#13
rjs

rjs

    Member

  • Topic Starter
  • Member
  • PipPip
  • 22 posts
Right -

I followed myour instructions however

no ref to
Win server
Win server updt
Win server upst
or Conscorr

Although there was a ref to SP with a path name of windows/temp/se.dll

I attempted to delete this which it did but it would come back immediatly.

ran hijackthis and fixed your 04 entry plus all the entries to about balnk and 2 other unknown dll files.

Checked all hiddrn files could be seen. Then serched for all drives for se.dll and deleted out the temp file (only ref) all the others you suggested did not exist.

so moved to safe mode
ran winfix98
ran CWshredder ( nothing found)
ran spybot
ran cleanup
ran adware ( found no critical objects)


Rebooted - Had trouble PC hung 3 times on startup but booted eventually

Mouse still very stuttered every 10 secs and any sounds stutter every 10 secs something is stealling cpu cycles every 10 secs. This does not happenin safe mode mouse is tottally smooth.

My spygaurd has warned me a BHO is has changed my start up page and others things , so I have hit restore on these. Then run the following logs.

No pop ups have occurred since the reboot, but things still don't look right


Scan saved at 00:30:25, on 25/03/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\GRISOFT\AVG TCP SERVER\AVGTCPSV.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\STARTER.EXE
C:\PROGRAM FILES\REAL\REALPLAYER\REALPLAY.EXE
C:\WINDOWS\SYSTEM\INTERNAT.EXE
C:\WINDOWS\TPPALDR.EXE
C:\WINDOWS\SYSTEM\ATIPTAXX.EXE
C:\WINDOWS\RunDLL.exe
C:\PROGRAM FILES\ADSUBTRACT\ADSUB.EXE
C:\PROGRAM FILES\ZYKON\TWISTER GAMEPAD\ACTIVE.EXE
C:\PROGRAM FILES\SPYWAREGUARD\SGMAIN.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\SPYWAREGUARD\SGBHP.EXE
C:\HIJACK THIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=AdSubtract:4444
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
F1 - win.ini: run=hpfsched
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
O4 - HKLM\..\Run: [Voodoo2] rundll32.exe 3dfxv2ps.dll,UpdateRegSettings
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [internat.exe] internat.exe
O4 - HKLM\..\Run: [RegShave] C:\Progra~1\REGSHAVE\REGSHAVE.EXE /autorun
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [TPP Auto Loader] C:\WINDOWS\TPPALDR.EXE
O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [avgtcpsv.exe] C:\PROGRA~1\GRISOFT\AVGTCP~1\AVGTCPSV.EXE
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - Startup: Microsoft Office.lnk = C:\WINDOWS\Application Data\Microsoft\Installer\{00000409-78E1-11D2-B60F-006097C998E7}\misc.exe
O4 - Startup: AdSubtract.lnk = C:\Program Files\AdSubtract\adsub.exe
O4 - Startup: Twister Gamepad Activator.lnk = C:\Program Files\Zykon\Twister Gamepad\Active.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsearch.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsimilar.html
O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmtrans.html
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O12 - Plugin for .mov: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .wav: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .mid: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .aiff: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall-bet...all/xscan60.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 192.168.2.1,38.9.211.2


StartDreck (build 2.1.7 public stable) - 2005-03-25 @ 00:52:26 (GMT +00:00)
Platform: Windows 98 SE (Win 4.10.2222 A)
Internet Explorer: 6.0.2800.1106
Logged in as rsollitt at FAMILY PC

»Registry
»Run Keys
»Current User
»Run
*Taskbar Display Controls=RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
»RunOnce
»Default User
»Run
*Taskbar Display Controls=RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
»RunOnce
»Local Machine
»Run
*ScanRegistry=C:\WINDOWS\scanregw.exe /autorun
*TaskMonitor=C:\WINDOWS\taskmon.exe
*SystemTray=SysTray.Exe
*EnsoniqMixer=starter.exe
*Voodoo2=rundll32.exe 3dfxv2ps.dll,UpdateRegSettings
*RealTray=C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
*internat.exe=internat.exe
*RegShave=C:\Progra~1\REGSHAVE\REGSHAVE.EXE /autorun
*LoadPowerProfile=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
*TPP Auto Loader=C:\WINDOWS\TPPALDR.EXE
*AtiPTA=Atiptaxx.exe
+OptionalComponents
+IMAIL
*Installed=1
+MAPI
*NoChange=1
*Installed=1
+MAPI
*NoChange=1
*Installed=1
»RunOnce
»RunServices
*LoadPowerProfile=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
*SchedulingAgent=mstask.exe
*avgtcpsv.exe=C:\PROGRA~1\GRISOFT\AVGTCP~1\AVGTCPSV.EXE
»RunServicesOnce
**tmor=rundll32 C:\WINDOWS\BACKGRGD.GIF,DllGetClassObject
»RunOnceEx
»RunServicesOnceEx
»File Associations (CR)
+.bat
*batfile="%1" %*
+.com
*comfile="%1" %*
+.disabled
*SpybotSD.DisabledFile="C:\PROGRAM FILES\SPYBOT - SEARCH & DESTROY\blindman.exe" "%1"
+.exe
*exefile="%1" %*
+.hta
*htafile=C:\WINDOWS\SYSTEM\MSHTA.EXE "%1" %*
+.htm
*htmlfile="C:\PROGRA~1\INTERN~1\iexplore.exe" -nohome
+.html
*htmlfile="C:\PROGRA~1\INTERN~1\iexplore.exe" -nohome
+.js
*JSFile=C:\WINDOWS\WScript.exe "%1" %*
+.jse
*JSEFile=C:\WINDOWS\WScript.exe "%1" %*
+.pif
*piffile="%1" %*
+.reg
*regfile=regedit.exe "%1"
+.scr
*scrfile="%1" /S
+.txt
*txtfile=C:\WINDOWS\NOTEPAD.EXE %1
+.vbs
*VBSFile=C:\WINDOWS\WScript.exe "%1" %*
+.vbe
*VBEFile=C:\WINDOWS\WScript.exe "%1" %*
+.wsh
*WSHFile=C:\WINDOWS\WScript.exe "%1" %*
+.wsf
*WSFFile=C:\WINDOWS\WScript.exe "%1" %*
+.lnk
`lnkfile= [key or value does not exist]
»Browser Helper Objects (LM)
»Files
»Autostart Folders
»Current User
*C:\WINDOWS\Start Menu\Programs\StartUp\Microsoft Office.lnk
*C:\WINDOWS\Start Menu\Programs\StartUp\AdSubtract.lnk
*C:\WINDOWS\Start Menu\Programs\StartUp\Twister Gamepad Activator.lnk
*C:\WINDOWS\Start Menu\Programs\StartUp\SpywareGuard.lnk
»Default User
*C:\WINDOWS\Start Menu\Programs\StartUp\Microsoft Office.lnk
*C:\WINDOWS\Start Menu\Programs\StartUp\AdSubtract.lnk
*C:\WINDOWS\Start Menu\Programs\StartUp\Twister Gamepad Activator.lnk
*C:\WINDOWS\Start Menu\Programs\StartUp\SpywareGuard.lnk
»Local Machine
»INI-Files
»WIN.INI\[windows]
*LOAD=
*RUN=hpfsched
»SYSTEM.INI\[boot]
*SHELL=Explorer.exe
»Text Files
*C:\msdos.sys
*C:\config.sys
*C:\autoexec.bat
*C:\WINDOWS\wininit.bak
*C:\WINDOWS\hosts
»System/Drivers
»Running Processes
+FF0FFBDD=C:\WINDOWS\SYSTEM\KERNEL32.DLL
+FFFE3BE5=C:\WINDOWS\SYSTEM\MSGSRV32.EXE
+FFFE0C49=C:\WINDOWS\SYSTEM\MPREXE.EXE
+FFFEB3CD=C:\WINDOWS\SYSTEM\MSTASK.EXE
+FFFE8C01=C:\PROGRAM FILES\GRISOFT\AVG TCP SERVER\AVGTCPSV.EXE
+FFFD3271=C:\WINDOWS\RUNDLL32.EXE
+FFFD4811=C:\WINDOWS\SYSTEM\SPOOL32.EXE
+FFFD5671=C:\WINDOWS\SYSTEM\mmtask.tsk
+FFFDE19D=C:\WINDOWS\EXPLORER.EXE
+FFFC62C1=C:\WINDOWS\TASKMON.EXE
+FFFC6399=C:\WINDOWS\SYSTEM\SYSTRAY.EXE
+FFFC55DD=C:\WINDOWS\STARTER.EXE
+FFFC892D=C:\PROGRAM FILES\REAL\REALPLAYER\REALPLAY.EXE
+FFFCE8E9=C:\WINDOWS\SYSTEM\INTERNAT.EXE
+FFFC1345=C:\WINDOWS\TPPALDR.EXE
+FFFB2A2D=C:\WINDOWS\SYSTEM\ATIPTAXX.EXE
+FFFB7835=C:\WINDOWS\RunDLL.exe
+FFFE2A79=C:\PROGRAM FILES\ADSUBTRACT\ADSUB.EXE
+FFFB5C1D=C:\PROGRAM FILES\ZYKON\TWISTER GAMEPAD\ACTIVE.EXE
+FFFB6385=C:\PROGRAM FILES\SPYWAREGUARD\SGMAIN.EXE
+FFFB5669=C:\WINDOWS\SYSTEM\WMIEXE.EXE
+FFFA3195=C:\PROGRAM FILES\SPYWAREGUARD\SGBHP.EXE
+FFF98565=C:\WINDOWS\NOTEPAD.EXE
+FFF9186D=C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
+FFF8581D=C:\STARTDREK\STARTDRECK.EXE
»NT Services
»Application specific


What next any ideas
  • 0

#14
don77

don77

    Malware Expert

  • Retired Staff
  • 18,526 posts
Lets see what this turns up please,
Please run these two online scans. Make sure they are set to clean automatically:

TrendMicro's HouseCall
ActiveScan

You should try to delete any files that these scanners are unable to clean. Then let us know if its working better and what the scans found.

Then scan again with HijackThis and post another log.
  • 0

#15
rjs

rjs

    Member

  • Topic Starter
  • Member
  • PipPip
  • 22 posts
All about balnks files are back. Tryed House call just this only showed up the new named bollda.dll file in the system directory which is the same file that we keep deleting but always returns with a new name. It couldnt delete it becouse its in use.

Tried to run activescan from panda but every time i clicked on scan now it diverted me to the about blank search page so I could not run it.

I could delete all the same files again but I have done this several times, and unless i do something different Iam sure it will return.

Any idea about the mouse stopping every 10 secs for 2 secs ie something hogging the CPU every 10 secounds ? is this all related ? as this does not happen in safe mode

new hijack log below

Logfile of HijackThis v1.99.1
Scan saved at 13:57:02, on 28/03/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\GRISOFT\AVG TCP SERVER\AVGTCPSV.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\STARTER.EXE
C:\PROGRAM FILES\REAL\REALPLAYER\REALPLAY.EXE
C:\WINDOWS\SYSTEM\INTERNAT.EXE
C:\WINDOWS\TPPALDR.EXE
C:\WINDOWS\SYSTEM\ATIPTAXX.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\RunDLL.exe
C:\PROGRAM FILES\ADSUBTRACT\ADSUB.EXE
C:\PROGRAM FILES\ZYKON\TWISTER GAMEPAD\ACTIVE.EXE
C:\PROGRAM FILES\SPYWAREGUARD\SGMAIN.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\SPYWAREGUARD\SGBHP.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\HIJACK THIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=AdSubtract:4444
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
F1 - win.ini: run=hpfsched
O2 - BHO: (no name) - {8778C4E3-9F71-11D9-83E1-0030121D03BF} - C:\WINDOWS\SYSTEM\BOLLDA.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
O4 - HKLM\..\Run: [Voodoo2] rundll32.exe 3dfxv2ps.dll,UpdateRegSettings
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [internat.exe] internat.exe
O4 - HKLM\..\Run: [RegShave] C:\Progra~1\REGSHAVE\REGSHAVE.EXE /autorun
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [TPP Auto Loader] C:\WINDOWS\TPPALDR.EXE
O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
O4 - HKLM\..\Run: [sp] rundll32 C:\WINDOWS\TEMP\SE.DLL,DllInstall
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [avgtcpsv.exe] C:\PROGRA~1\GRISOFT\AVGTCP~1\AVGTCPSV.EXE
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - Startup: Microsoft Office.lnk = C:\WINDOWS\Application Data\Microsoft\Installer\{00000409-78E1-11D2-B60F-006097C998E7}\misc.exe
O4 - Startup: AdSubtract.lnk = C:\Program Files\AdSubtract\adsub.exe
O4 - Startup: Twister Gamepad Activator.lnk = C:\Program Files\Zykon\Twister Gamepad\Active.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsearch.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsimilar.html
O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmtrans.html
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O12 - Plugin for .mov: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .wav: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .mid: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .aiff: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall-bet...all/xscan60.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 192.168.2.1,38.9.211.2
O18 - Filter: text/html - {8778C4E2-9F71-11D9-83E1-00307D51A624} - C:\WINDOWS\SYSTEM\BOLLDA.DLL
O18 - Filter: text/plain - {8778C4E2-9F71-11D9-83E1-00307D51A624} - C:\WINDOWS\SYSTEM\BOLLDA.DLL
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP