Error#317 [RESOLVED]

This topic is locked.
#1 lawree
Hi,
Hope someone can help. Something got installed on my computer.
I keep getting
Error #317 Microsoft Windows Security Warning
-8080
-3128
......install AntiSPY

I also have an icon in my taskbar. Its a circle with a cross in it. When I click on this (both right and left click) it opens hottopics web pages. This also opens when I'm not online and when I am, it keeps taking me to these pages.
I saw others with this same problem. They also posted a hijack log. I downloaded hijackthis also.
Here is my hijack log.
I hope someone can help.
:-) Thanks for your time.

hijack log:

Logfile of HijackThis v1.99.1
Scan saved at 7:31:32 PM, on 5/13/05
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
c:\windows\SYSTEM\KB891711\KB891711.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\STARTER.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM32\DRIVERS\DCFSSVC.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\PNY ATTACHé\SHWICON.EXE
C:\PROGRAM FILES\HP\HP SOFTWARE UPDATE\HPWUSCHD2.EXE
C:\PROGRAM FILES\HP\HPCORETECH\HPCMPMGR.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V1.1.4322\NETFXUPDATE.EXE
C:\UNZIPPED\HIJACKTHIS\HIJACKTHIS.EXE
C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V1.1.4322\NGEN.EXE
C:\WINDOWS\SYSTEM\WINOA386.MOD

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.traffer.ru
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://start.traffer.ru
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotoffers.info/ad0244/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by America Online
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: (no name) - {69555BE2-9A78-11d2-BA91-00600827878D} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [a-winpoet-service] "C:\Program Files\WinPoET Broadband Connection\winpppoverethernet.exe"
O4 - HKLM\..\Run: [Dcfssvc] c:\windows\System32\Drivers\dcfssvc.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [ShowIcon_PNY_PNY Attaché] "C:\Program Files\PNY Attaché\shwicon.exe" -t"PNY\PNY Attaché"
O4 - HKLM\..\Run: [mdac_runonce] C:\WINDOWS\SYSTEM\runonce.exe
O4 - HKLM\..\Run: [HP Software Update] "c:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\PROGRAM FILES\HP\HPCORETECH\HPCMPMGR.EXE"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\RunServices: [KB891711] c:\windows\SYSTEM\KB891711\KB891711.EXE
O4 - HKLM\..\RunOnce: [NetFxUpdate_v1.1.4322] "C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V1.1.4322\NETFXUPDATE.EXE" 0 v1.1.4322 GAC + NI NID
O4 - HKCU\..\Run: [CSIM] C:\PROGRAM FILES\CSIM\aim.exe -cnetwait.odl
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: Net2Phone - {4B30061A-5B39-11D3-80F8-0090276F843F} - http://www.net2phone.com/ (file missing)
O9 - Extra 'Tools' menuitem: Net2Phone - {4B30061A-5B39-11D3-80F8-0090276F843F} - http://www.net2phone.com/ (file missing)
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM95\AIM.EXE
O9 - Extra button: WorldShare - {0C31B6C0-0697-11D4-B0B4-E65F0988FD37} - http://www.worldshare.net (file missing) (HKCU)
O12 - Plugin for .mp3: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin3.dll
O12 - Plugin for .mpeg: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin3.dll
O16 - DPF: {9B17FE0E-51F2-4692-8B32-8EFB805FC0E7} (HPObjectInstaller Class) - http://h30155.www3.h...edsolutions.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O18 - Protocol: wavetop - (no CLSID) - (no file)


Wow. If anyone can help and understand all this... Thanks!!

#2 Guest_thatman_* (Guest)
Hi lawree

Please read through the instructions before you start (you may want to print this out).

Please download, install and run this disk cleanup utility called Cleanup version 4.0!
http://downloads.ste...p/CleanUp40.exe
It will get rid of any malware which may be hiding in your temp folders ( a common hiding place). You will also regain a massive amount of disk space. Here is a tutorial which describes its usage:
http://www.bleepingc...tutorial93.html
Check the custom settings to your liking under options, but be sure to delete temporary files and temporary internet files for all user profiles. Also, cleanout the prefetch folder and the recycle bin.
Reboot when prompted to let it clean out the remaining files.

Download CWShredder (there is a link in my signature), unzip it, and save it on the Desktop.
Run CWShredder to fix your CWS problem.

Please set your system to show all files; please see here if you're unsure how to do this.

Please go offline, close all browsers and any open Windows, making sure that only HijackThis is open. Scan and when it finishes, put an X in the boxes, only next to these following items:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.traffer.ru
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://start.traffer.ru
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotoffers.info/ad0244/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
O3 - Toolbar: (no name) - {69555BE2-9A78-11d2-BA91-00600827878D} - (no file)
O9 - Extra button: Net2Phone - {4B30061A-5B39-11D3-80F8-0090276F843F} - http://www.net2phone.com/ (file missing)
O9 - Extra 'Tools' menuitem: Net2Phone - {4B30061A-5B39-11D3-80F8-0090276F843F} - http://www.net2phone.com/ (file missing)
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: WorldShare - {0C31B6C0-0697-11D4-B0B4-E65F0988FD37} - http://www.worldshare.net (file missing) (HKCU)
O18 - Protocol: wavetop - (no CLSID) - (no file)

Click on Fix Checked when finished and exit HijackThis.

Reboot into Safe Mode: please see here if you are not sure how to do this.

Using Windows Explorer, locate the following files/folders, and delete them:
C:\WINDOWS\web\related.htm

Exit Explorer. Reboot as normal.

Please run the following free, online virus scans.
http://www.pandasoft...n_principal.htm
http://housecall.tre.../start_corp.asp
Please post the logs from the Panda virus scan and the HJT log. We will need them to remove previous infections that have left files on your system.

Kc :tazz:
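Added example, not part of the thread: the fix list thatman posted above is a pattern match over the log, and the same reading can be written down as a small Python script. It runs over a handful of lines copied from lawree's log (plus two benign entries) and flags the same classes of entry: R0/R1 browser settings that point at a host not on a reviewer-supplied allowlist (the allowlist here is an assumption), Search entries cleared to about:blank, and any O3/O9/O18 entry whose target HijackThis reports as missing. O16 ActiveX downloads are listed for review rather than condemned, since the ones in this log are vendor and scanner controls. It is a heuristic, not a verdict: the related.htm entries thatman also removed are not caught by it, because they point at a file that exists.

```python
import re
from urllib.parse import urlparse

# Constructed sample: lines copied from the HijackThis log posted in this
# thread, plus a couple of benign entries, so the script runs offline.
SAMPLE_LOG = [
    r"R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.traffer.ru",
    r"R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotoffers.info/ad0244/",
    r"R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank",
    r"R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by America Online",
    r"O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL",
    r"O3 - Toolbar: (no name) - {69555BE2-9A78-11d2-BA91-00600827878D} - (no file)",
    r"O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP",
    r"O9 - Extra button: Net2Phone - {4B30061A-5B39-11D3-80F8-0090276F843F} - http://www.net2phone.com/ (file missing)",
    r"O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab",
    r"O18 - Protocol: wavetop - (no CLSID) - (no file)",
]

# Assumption: the reviewer's allowlist of acceptable start/search hosts.
# Any other host in an R0/R1 entry is flagged, as the traffer.ru and
# hotoffers.info lines were in the thread.
TRUSTED_HOSTS = {"www.msn.com", "www.google.com", "google.com", "www.aol.com"}

# HijackThis marks broken references with these literal placeholders.
PLACEHOLDERS = ("(no file)", "(file missing)", "(no CLSID)")

ENTRY_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.+)$")


def triage(lines, trusted_hosts=TRUSTED_HOSTS):
    """Return {'section', 'reason', 'line'} dicts for entries that deserve a
    second look. Heuristic only: O16 entries are listed so the reviewer can
    check where each downloaded ActiveX control came from."""
    findings = []
    for raw in lines:
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue  # header, process list or blank line
        section, body = m.group("section"), m.group("body")
        reason = None
        if section in ("R0", "R1"):
            key, _, value = body.partition(" = ")
            value = value.strip()
            if value.lower().startswith(("http://", "https://")):
                host = urlparse(value).hostname or ""
                if host not in trusted_hosts:
                    reason = f"browser start/search setting points at unlisted host {host}"
            elif value.lower() == "about:blank" and "Search" in key:
                reason = "search setting cleared to about:blank (common hijacker residue)"
        elif any(p in body for p in PLACEHOLDERS):
            reason = "orphaned entry: references a file or CLSID that no longer exists"
        elif section == "O16":
            reason = "downloaded ActiveX control; confirm the source URL is one you trust"
        if reason:
            findings.append({"section": section, "reason": reason, "line": raw})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['section']:<4} {f['reason']}\n     {f['line']}")
```

Run against a full log, the process list and the unflagged O2/O4 lines pass straight through; the output is the candidate list a helper would then confirm by hand before anyone clicks Fix Checked.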

#3 lawree (Topic Starter)
Hi,
Thanks for the help.
It didn't work though.
When I downloaded the CleanUp, I could not select/check the 'prefetch' utility. It was faded out and the different options settings wouldn't let me either.
When I ran it, a 'Cannot Delete' popup came up for DBZ-HA~_: it could not find the file / check path and file name.
When rebooting after this the computer froze while trying to load Windows.
Had to reboot a couple of times to get back on.
With the CWS download, after running there was a popup for C:\windows\HCW Clear.exe that said it 'could' be part of CWS Control 3.
Checked/fixed the selected HijackThis log items, and deleted "related.htm" in safe mode.
The next part with the online Panda and Housecall scans took forever. I kept getting those popups and the pages kept getting hijacked while trying to start them
(AntiSPY and hottopics), and I kept having to go back to the page I was on, which made me start all over again.
When trying to run the Trend/Housecall site, a 'Microsoft Internet Explorer' popup came up a few times saying that it encountered a problem and had to shut down.
Trend/Housecall found: Joke SOJFUSE.A in C:\unzipped\ereator_bot\Occy....
I deleted that?

Still have tons of the popups and the hottopics hijack pages, and the icon (circle with a cross through it) is still in the system/task bar and cannot be closed or right-clicked.

The Panda scan results and new HijackThis log:

Panda Scan:

Incident                   Status           Location
Adware:Adware/Hotoffers    No disinfected   C:\WINDOWS\SYSTEM32\PARAM32.DLL
Spyware:Spyware/New.net    No disinfected   C:\Program Files\NewDotNet
Adware:Adware/SaveNow      No disinfected   C:\PROGRAM FILES\BEARSHARE\RUNMSC.DLL
Adware:Adware/Gator        No disinfected   C:\WINDOWS\gator*.log
Adware:Adware/Hotoffers    No disinfected   Windows Registry
Adware:Adware/Hotoffers    No disinfected   C:\WINDOWS\SYSTEM32\param32.dll
Adware:Adware/Hotoffers    No disinfected   C:\WINDOWS\Downloaded Program Files\dropper.exe
Adware:Adware/Gator        No disinfected   C:\WINDOWS\GatorSilentSetup.log
Adware:Adware/Gator        No disinfected   C:\WINDOWS\GatorFileDrop.log
Spyware:Spyware/New.net    No disinfected   C:\WINDOWS\newdotnet3_36.dll

The New HijackThis Log:

Logfile of HijackThis v1.99.1
Scan saved at 6:49:14 AM, on 5/18/05
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
c:\windows\SYSTEM\KB891711\KB891711.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\STARTER.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM32\DRIVERS\DCFSSVC.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\PNY ATTACHé\SHWICON.EXE
C:\PROGRAM FILES\HP\HP SOFTWARE UPDATE\HPWUSCHD2.EXE
C:\PROGRAM FILES\HP\HPCORETECH\HPCMPMGR.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\UNZIPPED\HIJACKTHIS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotoffers.info/ad0244/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by America Online
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [a-winpoet-service] "C:\Program Files\WinPoET Broadband Connection\winpppoverethernet.exe"
O4 - HKLM\..\Run: [Dcfssvc] c:\windows\System32\Drivers\dcfssvc.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [ShowIcon_PNY_PNY Attaché] "C:\Program Files\PNY Attaché\shwicon.exe" -t"PNY\PNY Attaché"
O4 - HKLM\..\Run: [mdac_runonce] C:\WINDOWS\SYSTEM\runonce.exe
O4 - HKLM\..\Run: [HP Software Update] "c:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\PROGRAM FILES\HP\HPCORETECH\HPCMPMGR.EXE"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\RunServices: [KB891711] c:\windows\SYSTEM\KB891711\KB891711.EXE
O4 - HKCU\..\Run: [CSIM] C:\PROGRAM FILES\CSIM\aim.exe -cnetwait.odl
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM95\AIM.EXE
O12 - Plugin for .mp3: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin3.dll
O12 - Plugin for .mpeg: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin3.dll
O16 - DPF: {9B17FE0E-51F2-4692-8B32-8EFB805FC0E7} (HPObjectInstaller Class) - http://h30155.www3.h...edsolutions.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O18 - Protocol: wavetop - (no CLSID) - (no file)

ThankYou for your time in trying to help. I hope you still can.
Lawree.

#4 Guest_thatman_* (Guest)
Hi lawree

Please read through the instructions before you start (you may want to print this out).

Please go offline, close all browsers and any open Windows, making sure that only HijackThis is open. Scan and when it finishes, put an X in the boxes, only next to these following items:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotoffers.info/ad0244/
Click on Fix Checked when finished and exit HijackThis.

C:\Program Files\NewDotNet <-- Delete the whole folder
C:\PROGRAM FILES\BEARSHARE <-- Delete the whole folder
C:\WINDOWS\gator*.log <-- Delete this file
C:\WINDOWS\Downloaded Program Files\dropper.exe <-- Delete this file
C:\WINDOWS\GatorSilentSetup.log <-- Delete this file
C:\WINDOWS\GatorFileDrop.log <-- Delete this file
C:\WINDOWS\SYSTEM32\PARAM32.DLL <-- Delete this file

Please run the following free, online virus scans.
http://www.pandasoft...n_principal.htm
Please post the logs from the Panda virus scan and the HJT log. We will need them to remove previous infections that have left files on your system.

Kc :tazz:

#5 lawree (Topic Starter)
Hi,
Thank you so much for replying and helping me out with this.
But, I can't figure some of the last out. Sorry!!
First, I have dsl always-on internet. I can't figure out how to close it.
I unhooked the dsl cable, but the pop ups still try to open. <there's gotta be something easy and simple to close the internet right?
ok,
I ran the hijack again and 'fixed' the R0 - HKCU.....

I deleted:
NewDotNet, (folder)
BEARSHARE, (folder)
*these next two are all I could find in the windows folder. (it is setup to show all files) I deleted these two.
GatorSilentSetup 'log' file.
GatorFileDrop 'log' file *but it didn't have the extra "&nb sp;"

When I used file find for C:\Windows\gator*.log &nbs p; it found over 4000 files...including the above two files I then deleted. I didn't see anything else that had 'gator' in it.

For C:\Wndows\Downloaded Program Files\dropper.exe &n bsp;
There wasn't any listed (though, there were 3 files with just a bunch of long numbers) and I couldn't file find it....

When I used file find for C:\Windows\dropper.exe &n bsp; it found 3 text documents in 'C:\Windows\Profiles....' I didn't do anything to those.

When I tried to delete PARAM32.DLL it wouldn't let me. It said that the file is being used by windows.

Sorry for not being able to figure this out.
Thanks again for your help and patience.
Lawree

Oh, can I just go to (in open web window) File>Work Offline? Would that work in closing the internet?

#6 Guest_thatman_* (Guest)
Hi lawree

Please run the Panda online scan save the scan.log
Then run HijackThis save the log.

Post the panda scan.log with a HJT.log

Thanks

Kc :tazz:

#7 lawree (Topic Starter)
Hi Thatman.
Here is the Panda scan report:

Incident                   Status           Location
Adware:Adware/Hotoffers    No disinfected   C:\WINDOWS\SYSTEM32\PARAM32.DLL
Spyware:Spyware/New.net    No disinfected   C:\WINDOWS\newdotnet*.dll
Adware:Adware/SaveNow      No disinfected   Windows Registry
Adware:Adware/Hotoffers    No disinfected   C:\WINDOWS\SYSTEM32\param32.dll
Adware:Adware/Hotoffers    No disinfected
Spyware:Spyware/New.net    No disinfected   C:\WINDOWS\newdotnet3_36.dll
I tried using 'work offline' and to delete the last reply.
On this one.
I cannot delete C:\WINDOWS\SYSTEM32\PARAM32.DLL ..it was being used by Windows.
I deleted C:\WINDOWS\newdotnet*.dll

I can not find these files also used 'file-find' It is checked to 'show all files' in the hidden section.
C:\WINDOWS\Downloaded Program Files\dropper.exe
C:\WINDOWS\newdotnet3_36.dll

Is there some other way to look for these files?
Is there any way to stop windows from using that param32?

These all say 'no disinfect'. That was checked when scanning.

Hope you can help with this.
Laurie

#8 Guest_thatman_* (Guest)
Hi lawree

Try this one: Killbox

Download Pocket Killbox and unzip it; save it to your Desktop.
Run killbox and click the radio button that says Delete a file on reboot.
Copy and Paste them one at a time into the full path of file to delete box and click the red circle with a white cross in it.
The program will ask you if you want to reboot; say No each time until the last one has been pasted in where upon you should answer Yes.
Let the system reboot.
C:\WINDOWS\SYSTEM32\PARAM32.DLL

Now we get the big gun out

Post a Hjt.log and any information.

Kc :tazz:
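Added example, not Killbox's own code: what "Delete a file on reboot" does underneath, and why it succeeds where Explorer refused to delete PARAM32.DLL. The DLL is loaded into a running process, so a normal delete fails with "being used by Windows"; queuing the deletion makes the operating system remove the file early in the next boot, before anything has loaded it. On Windows 9x (lawree's machine) the queue is the [rename] section of C:\WINDOWS\WININIT.INI, with NUL as the destination; on the NT family it is MoveFileEx with MOVEFILE_DELAY_UNTIL_REBOOT, which records source/destination pairs in the registry value PendingFileRenameOperations. The Python below builds the Win9x section (rejecting long file names, which WININIT.INI does not accept) and decodes an NT pending-operations list. All sample values are constructed; update.tmp and helper.dll are hypothetical names.

```python
import re

# Windows 9x: WININIT.EXE processes WININIT.INI early in the next boot,
# before long-filename support is available, so every path in the [rename]
# section must be an 8.3 short name (C:\PROGRA~1\..., not C:\Program Files\...).
_SHORT_COMPONENT = re.compile(r"^[A-Z0-9_~$!#%&@^'-]{1,8}(\.[A-Z0-9_~$!#%&@^'-]{1,3})?$")


def is_short_path(path):
    """True if every component of a drive-letter path is a valid 8.3 name."""
    drive, sep, rest = path.partition(":\\")
    if not sep or len(drive) != 1 or not drive.isalpha():
        return False
    return all(_SHORT_COMPONENT.match(part.upper()) for part in rest.split("\\") if part)


def wininit_delete_section(paths):
    """Build the [rename] section that makes Win9x delete files at the next
    boot: a destination of NUL means 'delete'. Long paths are refused
    because WININIT.INI does not accept long file names."""
    bad = [p for p in paths if not is_short_path(p)]
    if bad:
        raise ValueError("not 8.3 short paths: " + ", ".join(bad))
    return "[rename]\n" + "".join("NUL=%s\n" % p for p in paths)


# Windows NT family: MoveFileEx(src, dst, MOVEFILE_DELAY_UNTIL_REBOOT) queues
# the operation in the REG_MULTI_SZ value PendingFileRenameOperations under
# HKLM\SYSTEM\CurrentControlSet\Control\Session Manager. Entries come in
# pairs (source, destination); an empty destination means delete, and a
# destination starting with '!' means replace an existing file.
NT_PREFIX = "\\??\\"


def _strip_nt(path):
    return path[len(NT_PREFIX):] if path.startswith(NT_PREFIX) else path


def parse_pending_renames(multi_sz):
    """Decode PendingFileRenameOperations into (op, source, destination)
    tuples, op being 'delete', 'rename' or 'replace'."""
    ops = []
    for src, dst in zip(multi_sz[0::2], multi_sz[1::2]):
        src = _strip_nt(src)
        if dst == "":
            ops.append(("delete", src, None))
        elif dst.startswith("!"):
            ops.append(("replace", src, _strip_nt(dst[1:])))
        else:
            ops.append(("rename", src, _strip_nt(dst)))
    return ops


# Constructed sample: a queued delete of the DLL from this thread as it would
# appear on an NT-family system, plus one hypothetical replace-existing entry.
SAMPLE_PENDING = [
    "\\??\\C:\\WINDOWS\\SYSTEM32\\PARAM32.DLL", "",
    "\\??\\C:\\WINDOWS\\TEMP\\update.tmp", "!\\??\\C:\\WINDOWS\\SYSTEM32\\helper.dll",
]

if __name__ == "__main__":
    print(wininit_delete_section(["C:\\WINDOWS\\SYSTEM32\\PARAM32.DLL"]))
    for op in parse_pending_renames(SAMPLE_PENDING):
        print(op)
```

The same two locations are worth reading during incident response, not just writing during cleanup: anything able to write them can arrange for a file to vanish or be swapped before the system is fully up, so a pending entry you did not queue yourself deserves an explanation.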

#9 lawree (Topic Starter)
Hi Thatman!!
Hey! I think it worked!!! :-D
I'm not getting any popups and that circle with the cross through it is no longer on my system/task bar!!!!
ThankYou Sooo much !!!!!!
You have been a Real big help!!!!! ThankYou!!!!
Here is the new hijack log: I hope it all looks good.

Logfile of HijackThis v1.99.1
Scan saved at 6:29:52 PM, on 5/19/05
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
c:\windows\SYSTEM\KB891711\KB891711.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\STARTER.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM32\DRIVERS\DCFSSVC.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\PNY ATTACHé\SHWICON.EXE
C:\PROGRAM FILES\HP\HP SOFTWARE UPDATE\HPWUSCHD2.EXE
C:\PROGRAM FILES\HP\HPCORETECH\HPCMPMGR.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\UNZIPPED\HIJACKTHIS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by America Online
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [a-winpoet-service] "C:\Program Files\WinPoET Broadband Connection\winpppoverethernet.exe"
O4 - HKLM\..\Run: [Dcfssvc] c:\windows\System32\Drivers\dcfssvc.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [ShowIcon_PNY_PNY Attaché] "C:\Program Files\PNY Attaché\shwicon.exe" -t"PNY\PNY Attaché"
O4 - HKLM\..\Run: [mdac_runonce] C:\WINDOWS\SYSTEM\runonce.exe
O4 - HKLM\..\Run: [HP Software Update] "c:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\PROGRAM FILES\HP\HPCORETECH\HPCMPMGR.EXE"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\RunServices: [KB891711] c:\windows\SYSTEM\KB891711\KB891711.EXE
O4 - HKCU\..\Run: [CSIM] C:\PROGRAM FILES\CSIM\aim.exe -cnetwait.odl
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM95\AIM.EXE
O12 - Plugin for .mp3: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin3.dll
O12 - Plugin for .mpeg: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin3.dll
O16 - DPF: {9B17FE0E-51F2-4692-8B32-8EFB805FC0E7} (HPObjectInstaller Class) - http://h30155.www3.h...edsolutions.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O18 - Protocol: wavetop - (no CLSID) - (no file)


Oh. If my system really is ok now, would this be a good time to do one of those backups? Will that save and get rid of anything if something else happens?
And on Windows 98 is all I would have to do (if it would be a good idea) is go to Start>Programs>Accessories>System Tools>Backup> and then check 'create new back up job'?

Again, Thank You So Much for your time and your help.
Laurie

ThankYou.

#10 Guest_thatman_* (Guest)
Hi lawree

Congratulations! Your system is CLEAN ;)

Microsoft® Windows AntiSpyware (Beta) 2000 and XP ONLY.
SpyBot Search & Destroy v1.3
Spybot Tutorial
Disable Spybot Tutorial

Winpatrol Free

Ad-Aware SE Personal Edition Free
AdAware Tutorial

Turn off system restore
Disabling or enabling Windows XP System Restore
Windows ME
Defrag your hard drive. Turn system restore back on and create a new restore point.

Tony Klien: So how did I get infected in the first place?

How do you prevent spyware from being installed again? We strongly recommend installing SpywareBlaster (it's free for personal use). Click Here
QUOTE
Prevent the installation of ActiveX-based spyware, adware, browser hijackers, dialers, and other potentially unwanted pests.
Block spyware/tracking cookies in Internet Explorer and Mozilla/Firefox.
Restrict the actions of potentially dangerous sites in Internet Explorer.
Consumes no system resources.

Download, run, check for updates, download updates, select all, protect against checked. All done. Check for updates every couple of weeks. If you have any errors running the program like a missing file see the link at the bottom of the javacool page.

It's also very important to keep your system up to date to avoid unnecessary security risks. Click Here to make sure that you have the latest patches for Windows.

These next two steps are optional, but will provide the greatest protection.
1. Use ANY browser besides Internet Explorer; almost every exploit is crafted to take advantage of an IE weakness. We usually recommend Firefox.
http://www.mozilla.o...oducts/firefox/
2. Install Sun's Java. It's much more secure than Microsoft's Java Virtual Machine .
You can download Sun's newer JVM for Windows at http://java.sun.com/getjava/index.html.
http://www.java.com/...load/manual.jsp Windows (Offline Installation)

After doing all these, your system will be thoroughly protected from future threats.

Kc :tazz:

#11 Guest_thatman_* (Guest)
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :tazz:

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.





