Metallica,
As you requested, ran SpSeHjfix and HiJackThis (log below).
I also ran Spyware Doctor, and the log below shows 16 infections. Should I be concerned?
Finally, my PC is still slow as [bleep].
Any advice?
Regards,
megade3
Logfile of HijackThis v1.99.1
Scan saved at 08:10:44, on 05-06-03
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v5.50 SP1 (5.50.4522.1800)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\HIJACKTHIS\HIJACKTHIS.EXE
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.sympatico.ca/homepage.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Sympatico
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;<local>
F1 - win.ini: run=hpfsched
N1 - Netscape 4: user_pref("browser.startup.homepage", "http://www.yahoo.com"); (C:\Program Files\Netscape\Users\User00\prefs.js)
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\WINDOWS\DOWNLOADED PROGRAM FILES\YCOMP5_1_6_0.DLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: Yahoo! Compagnon - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\WINDOWS\DOWNLOADED PROGRAM FILES\YCOMP5_1_6_0.DLL
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [SM56ACL] sm56hlpr.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [QuickTime Task] C:\WINDOWS\SYSTEM\QTTASK.EXE
O4 - HKLM\..\Run: [Pop-Up Stopper] "C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER\DPPS2.EXE"
O4 - HKLM\..\Run: [ConMgr.exe] "C:\PROGRAM FILES\EARTHLINK 5.0\CONMGR.EXE"
O4 - HKLM\..\Run: [Lexmark X74-X75] "C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe"
O4 - HKLM\..\Run: [LexStart] lexstart.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunOnce: [sphjfix] C:\DENIS\SPSEHJ~1\SPSEHJ~1.EXE
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Denis\Spyware Doctor\swdoctor.exe" /Q
O4 - Startup: AOL 7.0 Tray Icon.lnk = C:\Program Files\AOL 7.0\aoltray.exe
O4 - Startup: SpySubtract.lnk = C:\Program Files\interMute\SpySubtract\SpySub.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O9 - Extra button: AOL Instant Messenger (SM) - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM95\AIM.EXE
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YPAGER.EXE
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YPAGER.EXE
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O12 - Plugin for .pdf: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.sympatico.ca/homepage.html
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (Yahoo! Compagnon) - http://us.dl1.yimg.c...ebio5_1_6_0.cab

05-06-03 08:24:48 05-05-20 12:14:48
DelfinProject Registry HKLM\SOFTWARE\DelFin Elevated DelfinProject uses pcsvc.exe, a media viewer to monitor user browsing habits and then sends the data back to the author's server for analysis. regscanner.dll
DelfinProject Registry HKLM\SOFTWARE\DelFin## Elevated DelfinProject uses pcsvc.exe, a media viewer to monitor user browsing habits and then sends the data back to the author's server for analysis. regscanner.dll
DelfinProject Registry HKLM\SOFTWARE\DelFin\PromulGate Elevated DelfinProject uses pcsvc.exe, a media viewer to monitor user browsing habits and then sends the data back to the author's server for analysis. regscanner.dll
DelfinProject Registry HKLM\SOFTWARE\DelFin\PromulGate## Elevated DelfinProject uses pcsvc.exe, a media viewer to monitor user browsing habits and then sends the data back to the author's server for analysis. regscanner.dll
DelfinProject Registry HKLM\SOFTWARE\DelFin\PromulGate##Version Elevated DelfinProject uses pcsvc.exe, a media viewer to monitor user browsing habits and then sends the data back to the author's server for analysis. regscanner.dll
DelfinProject Registry HKLM\SOFTWARE\DelFin\PromulGate##serial Elevated DelfinProject uses pcsvc.exe, a media viewer to monitor user browsing habits and then sends the data back to the author's server for analysis. regscanner.dll
DelfinProject Registry HKLM\SOFTWARE\DelFin\PromulGate##Install Elevated DelfinProject uses pcsvc.exe, a media viewer to monitor user browsing habits and then sends the data back to the author's server for analysis. regscanner.dll
DelfinProject Registry HKLM\SOFTWARE\DelFin\PromulGate##Data Elevated DelfinProject uses pcsvc.exe, a media viewer to monitor user browsing habits and then sends the data back to the author's server for analysis. regscanner.dll
DelfinProject Registry HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DelFin Media Viewer Elevated DelfinProject uses pcsvc.exe, a media viewer to monitor user browsing habits and then sends the data back to the author's server for analysis. regscanner.dll
DelfinProject Registry HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DelFin Media Viewer## Elevated DelfinProject uses pcsvc.exe, a media viewer to monitor user browsing habits and then sends the data back to the author's server for analysis. regscanner.dll
DelfinProject Registry HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DelFin Media Viewer##DisplayName Elevated DelfinProject uses pcsvc.exe, a media viewer to monitor user browsing habits and then sends the data back to the author's server for analysis. regscanner.dll
DelfinProject Registry HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DelFin Media Viewer##UninstallString Elevated DelfinProject uses pcsvc.exe, a media viewer to monitor user browsing habits and then sends the data back to the author's server for analysis. regscanner.dll
DelfinProject Files C:\Program Files\DelFin Elevated DelfinProject uses pcsvc.exe, a media viewer to monitor user browsing habits and then sends the data back to the author's server for analysis. diskscanner.dll
WhenU.SaveNow Files C:\Program Files\Save Medium A single process run at startup which monitors open IE windows and opens adverts when it sees targeted URLs and terms entered into forms. When consumers download the popular music-swapping software BearShare, they are also downloading SaveNow, which comes bundled with it. SaveNow is either a comparison-shopping service or a form of adware, depending on who is describing it. diskscanner.dll
NewDotNet Files C:\WINDOWS\NDNuninstall4_80.exe Info NewDotNet is a legit plugin for Windows that makes subdomains of new.net act as new top-level domains without changing the normal domain name servers. It comprises a Winsock2 Layered Service Provider (LSP) that makes the extra top-level domains visible, and it installs a Browser Helper Object that redirects browser search pages to NewDotNet’s search engine. It can however come bundled with Kazaa and AudioGalaxy without the user’s knowledge, therefore if it was installed legitimately then please add it to the ignore list. diskscanner.dll
Cydoor Files C:\WINDOWS\SYSTEM\cd_clint.dll Medium As at April 2005, Cydoor files are no longer downloaded to a client PC. Applications such as iMesh retrieve ads from the Cydoor server so Cydoor software no longer directly displays ads. Prior to version 3.2.0.9, Cydoor s is a Browser Helper Object that can redirect your Browser to an Adware site. Spyware Doctor is only detecting the previous version of Cydoor which is still malicious.. diskscanner.dll
05-06-03 08:31:53 55891 16 0 General Scanner, Process Scanner, Hosts scanner, LSP Scanner, Registry Scanner, Cookie Scanner, Browser Defaults, Favorites and ZoneMap Scanner, Browser Scanner, Disk Scanner
05-06-03 08:21:49 - Spyware Doctor started 3.2.1.359 3.02220 05-05-20 28530 never 0 ON Startup Guard, Browser Guard, Immunizer, Keylogger Guard, Popup Blocker, Process Guard, Scheduler, Site Guard C:\DENIS\SPYWARE DOCTOR\ English Yes Yes Yes No Yes 20 Yes no action No No Yes Yes