[don77]

There is a new fix out lets see if we can get it to work for you,

Download SpSeHjfix into a folder. Disconnect from the net and Close ALL OPEN PROGRAMS. Run 'SpSeHjfix' and click on "Start Disinfection". When it's finished it will reboot your machine to finish the cleaning process. The tool creates a log of the fix which will appear in the folder.

Reboot and post a fresh HJT log and the log that was created by 'SpSeHjfix'.

[Advertisements]

Please refrain from giving help until you have been trained at GeekU.

Thanks
Don

Edited by don77, 29 March 2005 - 03:51 PM.

[raybee]

Please refrain from giving help until you have been trained at GeekU.

Thanks
Don

Edited by don77, 29 March 2005 - 03:51 PM.

[rjs]

OK one thing at a time lets try don77 new sespfix first.

Have run all the normal things again in safe mode

Housecall
Spybot
adware
cwshredder
about buster
cleanup
registerlite and deleted sp entry
then fixed remaining items in hijackthis

then ran spsefix

and rebooted a couple of times here is hijack log now as it seems after a few minutes to be holding up - ie no popups yet. I will use for a day and report back with another log if things go wrong

or shall I try the other suggestion about a fake se.dll file ?

Still got the odd mouse movement /cpu problem any ideas as this is very frustrating ?

Logfile of HijackThis v1.99.1
Scan saved at 22:17:36, on 29/03/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\GRISOFT\AVG TCP SERVER\AVGTCPSV.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\STARTER.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\REAL\REALPLAYER\REALPLAY.EXE
C:\WINDOWS\SYSTEM\INTERNAT.EXE
C:\WINDOWS\TPPALDR.EXE
C:\WINDOWS\SYSTEM\ATIPTAXX.EXE
C:\WINDOWS\RunDLL.exe
C:\PROGRAM FILES\ADSUBTRACT\ADSUB.EXE
C:\PROGRAM FILES\ZYKON\TWISTER GAMEPAD\ACTIVE.EXE
C:\PROGRAM FILES\SPYWAREGUARD\SGMAIN.EXE
C:\PROGRAM FILES\SPYWAREGUARD\SGBHP.EXE
C:\HIJACK THIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=AdSubtract:4444
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
F1 - win.ini: run=hpfsched
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
O4 - HKLM\..\Run: [Voodoo2] rundll32.exe 3dfxv2ps.dll,UpdateRegSettings
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [internat.exe] internat.exe
O4 - HKLM\..\Run: [RegShave] C:\Progra~1\REGSHAVE\REGSHAVE.EXE /autorun
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [TPP Auto Loader] C:\WINDOWS\TPPALDR.EXE
O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [avgtcpsv.exe] C:\PROGRA~1\GRISOFT\AVGTCP~1\AVGTCPSV.EXE
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - Startup: Microsoft Office.lnk = C:\WINDOWS\Application Data\Microsoft\Installer\{00000409-78E1-11D2-B60F-006097C998E7}\misc.exe
O4 - Startup: AdSubtract.lnk = C:\Program Files\AdSubtract\adsub.exe
O4 - Startup: Twister Gamepad Activator.lnk = C:\Program Files\Zykon\Twister Gamepad\Active.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsearch.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsimilar.html
O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmtrans.html
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O12 - Plugin for .mov: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .wav: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .mid: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .aiff: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall-bet...all/xscan60.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 192.168.2.1,38.9.211.2

log of spsefix



(3/29/05 22:05:35) SPSeHjFix started v1.1.0
(3/29/05 22:05:35) OS: Win98SE A (4.10.2222)
(3/29/05 22:05:35) Language: english
(3/29/05 22:05:44) Disinfect started
(3/29/05 22:05:44) Bad-Dll(IEP): (not found)
(3/29/05 22:05:44) Bad-Dll(IEP) in BHO: (not found)
(3/29/05 22:05:44) UBF: 4
(3/29/05 22:05:44) UBB: 0
(3/29/05 22:05:44) UBR: 14
(3/29/05 22:05:44) Bad IE-pages:
(3/29/05 22:05:44) Stealth-String found: C:\WINDOWS\BACKGRGD.GIF
(3/29/05 22:05:44) Temp-Files delete on Reboot
(3/29/05 22:05:44) File added to delete: c:\windows\backgrgd.gif
(3/29/05 22:05:44) File added to delete: c:\windows\temp\fb_-65759.lck
(3/29/05 22:05:44) File added to delete: c:\windows\temp\~df85f3.tmp
(3/29/05 22:05:44) File added to delete: c:\windows\temp\~df88d3.tmp
(3/29/05 22:05:44) File added to delete: c:\windows\temp\~dfc8da.tmp
(3/29/05 22:05:44) File added to delete: c:\windows\temp\~dfc88e.tmp
(3/29/05 22:05:44) Reboot
(3/29/05 22:08:21) SPSeHjFix 2nd Step
(3/29/05 22:08:21) Stealth-String not present. Disinfection succesfully
(3/29/05 22:09:02) Cleaned

[raybee]

Hi,

If don777's fix works then that would be a better solution. I will try it as well when the next opportunity arises.

I would class my suggestion as a work-around not a fix. It renders the hijacker useless but doesn't remove it.

From what I can gather this hijacker changes constantly to avoid removal. Hopefully this tool is the answer.

Good Luck
Raybee

[rjs]

Well guys after 2 days fix appears to be DON77 fix seems to be holding no reoccurances as yet.

Can't be sure it was just the fix or th combination of all the other clearners and then the fix. Anyway great news for me and hopefully for others.

Thanks alot Don for your help.

I suggest we leave this topic open for a week to prove all is well.

RE my PC slowing down (mouse pointer freezing, or sound output freezing)for 2 seconds every 10 secounds, do you have an idea where i can start looking ? Is there a process manager on win 98 like on XP so I can see what process is hogging the CPU ? or do I need to start a ne topic ?

[don77]

Great news rjs !!!

The mouse and sound may be a hardware issue,
do you have another mouse you could try ?

You may want to post a new topic in the hardware section

[rjs]

just for complteness - Pc now seems fine, and have solved stuttering problem it was the twister games console not fully plugged in and must have been causing some sort of interupts. Anyway screwing in the plug has fixed it.

Thanks again for your persistance

[don77]

Great news rjs thanks for the update,
As this topic is resolved I m closing it,
Should have any further problems or need it reopened for any reason you can pm me or any of the other Trusted Helpers or a Mod


Thanks
Don