Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

Extra Buttom Spyware


  • Please log in to reply

#1
ALONGTHEWAY

ALONGTHEWAY

    Member

  • Member
  • PipPip
  • 52 posts
Hello, my name is Steve and I'm 21 years old... just a very breif background.

Well my computer was infected with spyware. And I have done everything I know to get rid of it. SpyDot search and destroy 1.3, Hijack this and various reistry cleaners.

I got rid of A LOT of stuff, but I'm left with just one things that's freaking me out. Here is my Hi-Jack this log file:

Logfile of HijackThis v1.99.1
Scan saved at 10:34:22 AM, on 5/12/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v5.00 (5.00.2614.3500)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\PROGRAM FILES\AIM\WXBUG.EXE
C:\PROGRAM FILES\AIM\MINIBUGTRANSPORTER.EXE
C:\PROGRAM FILES\AIM\AIM.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ebay.com/
O4 - HKLM\..\Run: [sp] rundll32 C:\WINDOWS\TEMP\SE.DLL,DllInstall
O4 - HKCU\..\Run: [AIM] C:\PROGRAM FILES\AIM\aim.exe -cnetwait.odl
O9 - Extra button: Your PC is infected with Spyware - click here to fix your PC - {FB74C951-ACA1-4e33-A94C-A9261EB2CCB7} - https://www.spydelet...2.php?KBID=1063 (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM\AIM.EXE

It's pretty short and very less infected than most of the files I've searched...

My problem is this right?

O9 - Extra button: Your PC is infected with Spyware - click here to fix your PC - {FB74C951-ACA1-4e33-A94C-A9261EB2CCB7} - https://www.spydelet...2.php?KBID=1063 (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM\AIM.EXE


HiJack this will not fix the problem, so I am led to believe it's in my reistry.

Any help on removing this would be great.

And I'm looking forward to sharing my knowledge with all of you aswell..

Thanks

Steve
  • 0

Advertisements


#2
Metallica

Metallica

    Spyware Veteran

  • GeekU Moderator
  • 31,676 posts
Your problem are these:

O4 - HKLM\..\Run: [sp] rundll32 C:\WINDOWS\TEMP\SE.DLL,DllInstall

O9 - Extra button: Your PC is infected with Spyware - click here to fix your PC - {FB74C951-ACA1-4e33-A94C-A9261EB2CCB7} - https://www.spydelet...2.php?KBID=1063 (file missing)

Please download CW-Shredder at the link below:
http://cwshredder.ne.../CWShredder.exe

Download 'SpSeHjfix'. to the desktop and then
right click a blank part of desktop & select new folder, call it spfix
unzip the file into that folder

Disconnect from the net and Close ALL OPEN PROGRAMS.
Run 'SpSeHjfix'. and click on "Start Disinfection".
When it's finished it will reboot your machine to finish the cleaning process.
The tool creates a log of the fix which will appear in the folder.

If it doesn't find any of the SE files or any hidden reinstallers it will say system clean and not go on to next stage

Now run the Shredder - Hit The FIX button!

Reboot and post a fresh HJT log and the log that was created by 'SpSeHjfix'.

Warning Note: On a few occasions it has been reported that after using the SPSEHjfix you cannot open Internet Explorer. To fix this, go into Control Panel >Internet Options >Programs & press reset web settings, then you can set your home page to what you want on the general tab.

Regards,
  • 0

#3
ALONGTHEWAY

ALONGTHEWAY

    Member

  • Topic Starter
  • Member
  • PipPip
  • 52 posts
Still there. Even tried running everything in SafeMode...

Although I'm not quite sure how the shredder program works... but I did everything you asked for the spfix program... I tried to run spfix in safemode and it didn't do anything...should I wait a few minutes?

I believe I did everything correctly... Here is my current HiJackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 11:42:46 AM, on 5/12/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v5.00 (5.00.2614.3500)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\AIM\AIM.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ebay.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
O4 - HKCU\..\Run: [AIM] C:\PROGRAM FILES\AIM\aim.exe -cnetwait.odl
O9 - Extra button: Your PC is infected with Spyware - click here to fix your PC - {FB74C951-ACA1-4e33-A94C-A9261EB2CCB7} - https://www.spydelet...2.php?KBID=1063 (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM\AIM.EXE


Any more advice?

Thanks

Steve
  • 0

#4
Metallica

Metallica

    Spyware Veteran

  • GeekU Moderator
  • 31,676 posts
It did manage to get rid of the Sp startup, so we did make some progress.
  • Download the Registry Search Tool.
  • Unzip the contents of RegSrch.zip to a convenient location.
  • Double-click on RegSrch.vbs.
  • If you have an anti-virus installed it might prompt you about a running script. Please ignore this warning and allow the script to run.
  • In the "Enter search string (case insensitive) and click OK..." box paste this string:
    • {FB74C951-ACA1-4e33-A94C-A9261EB2CCB7}
  • Click "OK" to search the registry for that string.
  • Wait for a few minutes while it completes the search.
  • Click "OK" to open the results in WordPad.
  • Copy and paste the entire results into your next post.
Regards,
  • 0

#5
ALONGTHEWAY

ALONGTHEWAY

    Member

  • Topic Starter
  • Member
  • PipPip
  • 52 posts
Here are my results:

REGEDIT4
; RegSrch.vbs © Bill James

; Registry search results for string "FB74C951-ACA1-4e33-A94C-A9261EB2CCB7" 5/12/05 5:39:16 PM

; NOTE: This file will be deleted when you close WordPad.
; You must manually save this file to a new location if you want to refer to it again later.
; (If you save the file with a .reg extension, you can use it to restore any Registry changes you make to these values.)


[HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Extensions\{FB74C951-ACA1-4e33-A94C-A9261EB2CCB7}]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Extensions\CmdMapping]
"{FB74C951-ACA1-4e33-A94C-A9261EB2CCB7}"=dword:00002004
  • 0

#6
Metallica

Metallica

    Spyware Veteran

  • GeekU Moderator
  • 31,676 posts
Good job. :tazz:

Copy the part in bold below to Notepad, and save as Remclsid.reg (save as type: 'all files' )
Doubleclick Remclsid.reg, and answer yes when asked if you want to merge it with the Registry.

REGEDIT4

[-HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Extensions\{FB74C951-ACA1-4e33-A94C-A9261EB2CCB7}]

[-HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Extensions\CmdMapping]
"{FB74C951-ACA1-4e33-A94C-A9261EB2CCB7}"=-



Reboot and post a new log.

Regards,
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP