Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

Trojan horse startpage 19.j


  • Please log in to reply

#1
megade3

megade3

    New Member

  • Member
  • Pip
  • 9 posts
Sir /* Madam,

Here is the log from startdreck.

Thanks,


megade3


StartDreck (build 2.1.7 public stable) - 2005-05-31 @ 14:49:27 (GMT -04:00)
Platform: Windows 98 SE (Win 4.10.2222 A)
Internet Explorer: 5.50.4522.1800
Logged in as at NA

»Registry
»Run Keys
»Current User
»Run
*Taskbar Display Controls=RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
*MSMSGS="C:\Program Files\Messenger\msmsgs.exe" /background
*Spyware Doctor="C:\Denis\Spyware Doctor\swdoctor.exe" /Q
»RunOnce
»Default User
»Run
*Taskbar Display Controls=RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
*MSMSGS="C:\Program Files\Messenger\msmsgs.exe" /background
*Spyware Doctor="C:\Denis\Spyware Doctor\swdoctor.exe" /Q
»RunOnce
»Local Machine
»Run
*ScanRegistry=C:\WINDOWS\scanregw.exe /autorun
*TaskMonitor=C:\WINDOWS\taskmon.exe
*SystemTray=SysTray.Exe
*LoadPowerProfile=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
*SM56ACL=sm56hlpr.exe
*LoadQM=loadqm.exe
*QuickTime Task=C:\WINDOWS\SYSTEM\QTTASK.EXE
*Pop-Up Stopper="C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER\DPPS2.EXE"
*ConMgr.exe="C:\PROGRAM FILES\EARTHLINK 5.0\CONMGR.EXE"
*KAZAA=C:\PROGRAM FILES\KAZAA\KAZAA.EXE /SYSTRAY
*Lexmark X74-X75="C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe"
*LexStart=lexstart.exe
*AVG7_CC=C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
*AVG7_EMC=C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
*AVG7_AMSVR=C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
»RunOnce
»RunServices
*LoadPowerProfile=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
*SchedulingAgent=mstask.exe
»RunServicesOnce
**suwz=rundll32 C:\WINDOWS\DENISAB.PWL,DllGetClassObject
»RunOnceEx
»RunServicesOnceEx
»Files
»System/Drivers
»Running Processes
+FFEF7333=C:\WINDOWS\SYSTEM\KERNEL32.DLL
+FFFF47AB=C:\WINDOWS\SYSTEM\MSGSRV32.EXE
+FFFF4FB3=C:\WINDOWS\SYSTEM\SPOOL32.EXE
+FFFFA72B=C:\WINDOWS\SYSTEM\MPREXE.EXE
+FFFE12DB=C:\WINDOWS\SYSTEM\MSTASK.EXE
+FFFE6E4B=C:\WINDOWS\RUNDLL32.EXE
+FFFE07FB=C:\WINDOWS\SYSTEM\LEXBCES.EXE
+FFFE4DCB=C:\WINDOWS\SYSTEM\RPCSS.EXE
+FFFD3BE7=C:\WINDOWS\SYSTEM\LEXPPS.EXE
+FFFD9E6F=C:\WINDOWS\SYSTEM\mmtask.tsk
+FFFD8EDF=C:\WINDOWS\EXPLORER.EXE
+FFFCB34B=C:\WINDOWS\TASKMON.EXE
+FFFCBDDF=C:\WINDOWS\SYSTEM\SYSTRAY.EXE
+FFFCE18B=C:\WINDOWS\SM56HLPR.EXE
+FFFC46FF=C:\WINDOWS\LOADQM.EXE
+FFFCD57F=C:\WINDOWS\SYSTEM\QTTASK.EXE
+FFFB6A7F=C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER\DPPS2.EXE
+FFFB7ACF=C:\PROGRAM FILES\LEXMARK X74-X75\LXBBBMGR.EXE
+FFFB61EF=C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
+FFFDC15F=C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE
+FFFB9433=C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
+FFFBEF67=C:\PROGRAM FILES\LEXMARK X74-X75\LXBBBMON.EXE
+FFFBE257=C:\WINDOWS\RunDLL.exe
+FFFA2C9B=C:\PROGRAM FILES\MESSENGER\MSMSGS.EXE
+FFFA07BB=C:\WINDOWS\SYSTEM\DDHELP.EXE
+FFFBCCE7=C:\PROGRAM FILES\INTERMUTE\SPYSUBTRACT\SPYSUB.EXE
+FFFB3D13=C:\WINDOWS\SYSTEM\WMIEXE.EXE
+FFF8D297=C:\PROGRAM FILES\AOL 7.0\WAOL.EXE
+FFF5B877=C:\WINDOWS\NOTEPAD.EXE
+FFF63B6B=C:\WINDOWS\SYSTEM\TAPISRV.EXE
+FFF594B7=C:\WINDOWS\SYSTEM\RNAAPP.EXE
+FFF39DDF=C:\PROGRAM FILES\WINZIP\WINZIP32.EXE
+FFF3A1B7=C:\UNZIPPED\STARTDRECK\STARTDRECK.EXE
»Application specific
  • 0

Advertisements


#2
Metallica

Metallica

    Spyware Veteran

  • GeekU Moderator
  • 33,101 posts
Download, unzip and run: http://www.derbilk.de/SpSeHjfix112.zip

Post the log it makes and a HijackThislog when you are done.

Regards,
  • 0

#3
megade3

megade3

    New Member

  • Topic Starter
  • Member
  • Pip
  • 9 posts
Sir / Madam,

Here are the two logs you requested.

Regards,


megade3




(5-31-05 15:08:34) SPSeHjFix started v1.1.2
(5-31-05 15:08:34) OS: Win98SE A (4.10.2222)
(5-31-05 15:08:34) Language: français
(5-31-05 15:08:34) Win-Path: C:\WINDOWS
(5-31-05 15:08:34) System-Path: C:\WINDOWS\SYSTEM
(5-31-05 15:08:34) Temp-Path: C:\WINDOWS\TEMP\
(5-31-05 15:08:37) Disinfection started
(5-31-05 15:08:37) Bad-Dll(IEP): c:\windows\temp\se.dll
(5-31-05 15:08:37) Searchassistant Uninstaller found: regsvr32 /s /u C:\WINDOWS\SYSTEM\LCGI.DLL
(5-31-05 15:08:37) Searchassistant Uninstaller - Keys Deleted
(5-31-05 15:08:37) UBF: 6 - UBB: 3 - UBR: 19
(5-31-05 15:08:37) FilterKey: HKCR\text/html (deleted)
(5-31-05 15:08:37) FilterKey: HKCR\CLSID\{AE20D70A-D1D4-11D9-899E-C45800A7CCF3} (deleted)
(5-31-05 15:08:37) FilterKey: HKLM\SOFTWARE\Classes\text/html (error while deleting)
(5-31-05 15:08:37) FilterKey: HKCR\text/plain (deleted)
(5-31-05 15:08:37) FilterKey: HKCR\CLSID\{AE20D70A-D1D4-11D9-899E-C45800A7CCF3} (error while deleting)
(5-31-05 15:08:37) FilterKey: HKLM\SOFTWARE\Classes\text/plain (error while deleting)
(5-31-05 15:08:37) BHO-Key: HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AE20D70B-D1D4-11D9-899E-C4586FEB6968} (deleted)
(5-31-05 15:08:37) BHO-Key: HKCR\CLSID\{AE20D70B-D1D4-11D9-899E-C4586FEB6968} (deleted)
(5-31-05 15:08:37) UBF: 4 - UBB: 2 - UBR: 19
(5-31-05 15:08:37) Bad IE-pages:
deleted: HKCU\Software\Microsoft\Internet Explorer\Main, Search Bar: res://c:\windows\temp\se.dll/spage.html
deleted: HKCU\Software\Microsoft\Internet Explorer\Main, Search Page: about:blank
deleted: HKCU\Software\Microsoft\Internet Explorer\Main, Start Page: about:blank
deleted: HKCU\Software\Microsoft\Internet Explorer\Main, HomeOldSP: about:blank
deleted: HKCU\Software\Microsoft\Internet Explorer\Search, SearchAssistant: about:blank
deleted: HKLM\Software\Microsoft\Internet Explorer\Main, Search Bar: res://c:\windows\temp\se.dll/spage.html
deleted: HKLM\Software\Microsoft\Internet Explorer\Main, Search Page: about:blank
deleted: HKLM\Software\Microsoft\Internet Explorer\Main, Start Page: about:blank
deleted: HKLM\Software\Microsoft\Internet Explorer\Main, HomeOldSP: about:blank
deleted: HKLM\Software\Microsoft\Internet Explorer\Search, SearchAssistant: about:blank
(5-31-05 15:08:38) Stealth-String found: C:\WINDOWS\DENISAB.PWL
(5-31-05 15:08:38) File added to delete: c:\windows\system\lcgi.dll
(5-31-05 15:08:38) File added to delete: c:\windows\denisab.pwl
(5-31-05 15:08:38) Reboot
(5-31-05 15:10:36) SPSeHjFix 2nd Step
(5-31-05 15:10:37) Stealth-String not present. Disinfection succesfully
(5-31-05 15:10:41) Cleaned





from Hijackthis:




Logfile of HijackThis v1.99.1
Scan saved at 15:26:57, on 05-05-31
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v5.50 SP1 (5.50.4522.1800)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SM56HLPR.EXE
C:\WINDOWS\LOADQM.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER\DPPS2.EXE
C:\PROGRAM FILES\LEXMARK X74-X75\LXBBBMGR.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\PROGRAM FILES\LEXMARK X74-X75\LXBBBMON.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\WINDOWS\RunDLL.exe
C:\PROGRAM FILES\MESSENGER\MSMSGS.EXE
C:\PROGRAM FILES\INTERMUTE\SPYSUBTRACT\SPYSUB.EXE
C:\WINDOWS\SYSTEM\LEXBCES.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\LEXPPS.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\PROGRAM FILES\AOL 7.0\WAOL.EXE
C:\PROGRAM FILES\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/spage.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.sympatico.ca/homepage.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/spage.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Sympatico
F1 - win.ini: run=hpfsched
N1 - Netscape 4: user_pref("browser.startup.homepage", "http://www.yahoo.com"); (C:\Program Files\Netscape\Users\User00\prefs.js)
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\WINDOWS\DOWNLOADED PROGRAM FILES\YCOMP5_1_6_0.DLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {8FF6CF16-D1DB-11D9-899E-F43BA05FB3FB} - C:\WINDOWS\SYSTEM\LCGI.DLL (file missing)
O3 - Toolbar: Yahoo! Compagnon - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\WINDOWS\DOWNLOADED PROGRAM FILES\YCOMP5_1_6_0.DLL
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [SM56ACL] sm56hlpr.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [QuickTime Task] C:\WINDOWS\SYSTEM\QTTASK.EXE
O4 - HKLM\..\Run: [Pop-Up Stopper] "C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER\DPPS2.EXE"
O4 - HKLM\..\Run: [ConMgr.exe] "C:\PROGRAM FILES\EARTHLINK 5.0\CONMGR.EXE"
O4 - HKLM\..\Run: [KAZAA] C:\PROGRAM FILES\KAZAA\KAZAA.EXE /SYSTRAY
O4 - HKLM\..\Run: [Lexmark X74-X75] "C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe"
O4 - HKLM\..\Run: [LexStart] lexstart.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Denis\Spyware Doctor\swdoctor.exe" /Q
O4 - Startup: AOL 7.0 Tray Icon.lnk = C:\Program Files\AOL 7.0\aoltray.exe
O4 - Startup: PowerReg Scheduler.exe
O4 - Startup: SpySubtract.lnk = C:\Program Files\interMute\SpySubtract\SpySub.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O9 - Extra button: AOL Instant Messenger (SM) - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM95\AIM.EXE
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YPAGER.EXE
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YPAGER.EXE
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O12 - Plugin for .pdf: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.sympatico.ca/homepage.html
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (Yahoo! Compagnon) - http://us.dl1.yimg.c...ebio5_1_6_0.cab
O18 - Filter: text/html - {8FF6CF15-D1DB-11D9-899E-F43B508D2D8C} - C:\WINDOWS\SYSTEM\LCGI.DLL
O18 - Filter: text/plain - {8FF6CF15-D1DB-11D9-899E-F43B508D2D8C} - C:\WINDOWS\SYSTEM\LCGI.DLL
  • 0

#4
Metallica

Metallica

    Spyware Veteran

  • GeekU Moderator
  • 33,101 posts
Excellent job. :tazz:

Check the following items in HijackThis.
Close all windows except HijackThis and click Fix checked:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/spage.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/spage.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

O2 - BHO: (no name) - {8FF6CF16-D1DB-11D9-899E-F43BA05FB3FB} - C:\WINDOWS\SYSTEM\LCGI.DLL (file missing)

O4 - HKLM\..\Run: [KAZAA] C:\PROGRAM FILES\KAZAA\KAZAA.EXE /SYSTRAY

O4 - Startup: PowerReg Scheduler.exe

O18 - Filter: text/html - {8FF6CF15-D1DB-11D9-899E-F43B508D2D8C} - C:\WINDOWS\SYSTEM\LCGI.DLL
O18 - Filter: text/plain - {8FF6CF15-D1DB-11D9-899E-F43B508D2D8C} - C:\WINDOWS\SYSTEM\LCGI.DLL

Then reboot and you should be fine.

Post a new HijackThis log so we can check.

Regards,
  • 0

#5
megade3

megade3

    New Member

  • Topic Starter
  • Member
  • Pip
  • 9 posts
Sir,

Here is the log.

Two things:

1) I don't get the AVG "VIRUS DETECTED" window anymore (great !)

2) however, my PC is still EXTREMELY slow (ran system tests, and the speed test results were the same as when I had the startpage virus)

Any pointers on the second topic ?

Regards,

megade3







Logfile of HijackThis v1.99.1
Scan saved at 15:26:57, on 05-05-31
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v5.50 SP1 (5.50.4522.1800)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SM56HLPR.EXE
C:\WINDOWS\LOADQM.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER\DPPS2.EXE
C:\PROGRAM FILES\LEXMARK X74-X75\LXBBBMGR.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\PROGRAM FILES\LEXMARK X74-X75\LXBBBMON.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\WINDOWS\RunDLL.exe
C:\PROGRAM FILES\MESSENGER\MSMSGS.EXE
C:\PROGRAM FILES\INTERMUTE\SPYSUBTRACT\SPYSUB.EXE
C:\WINDOWS\SYSTEM\LEXBCES.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\LEXPPS.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\PROGRAM FILES\AOL 7.0\WAOL.EXE
C:\PROGRAM FILES\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/spage.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.sympatico.ca/homepage.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/spage.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Sympatico
F1 - win.ini: run=hpfsched
N1 - Netscape 4: user_pref("browser.startup.homepage", "http://www.yahoo.com"); (C:\Program Files\Netscape\Users\User00\prefs.js)
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\WINDOWS\DOWNLOADED PROGRAM FILES\YCOMP5_1_6_0.DLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {8FF6CF16-D1DB-11D9-899E-F43BA05FB3FB} - C:\WINDOWS\SYSTEM\LCGI.DLL (file missing)
O3 - Toolbar: Yahoo! Compagnon - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\WINDOWS\DOWNLOADED PROGRAM FILES\YCOMP5_1_6_0.DLL
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [SM56ACL] sm56hlpr.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [QuickTime Task] C:\WINDOWS\SYSTEM\QTTASK.EXE
O4 - HKLM\..\Run: [Pop-Up Stopper] "C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER\DPPS2.EXE"
O4 - HKLM\..\Run: [ConMgr.exe] "C:\PROGRAM FILES\EARTHLINK 5.0\CONMGR.EXE"
O4 - HKLM\..\Run: [KAZAA] C:\PROGRAM FILES\KAZAA\KAZAA.EXE /SYSTRAY
O4 - HKLM\..\Run: [Lexmark X74-X75] "C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe"
O4 - HKLM\..\Run: [LexStart] lexstart.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Denis\Spyware Doctor\swdoctor.exe" /Q
O4 - Startup: AOL 7.0 Tray Icon.lnk = C:\Program Files\AOL 7.0\aoltray.exe
O4 - Startup: PowerReg Scheduler.exe
O4 - Startup: SpySubtract.lnk = C:\Program Files\interMute\SpySubtract\SpySub.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O9 - Extra button: AOL Instant Messenger (SM) - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM95\AIM.EXE
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YPAGER.EXE
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YPAGER.EXE
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O12 - Plugin for .pdf: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.sympatico.ca/homepage.html
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (Yahoo! Compagnon) - http://us.dl1.yimg.c...ebio5_1_6_0.cab
O18 - Filter: text/html - {8FF6CF15-D1DB-11D9-899E-F43B508D2D8C} - C:\WINDOWS\SYSTEM\LCGI.DLL
O18 - Filter: text/plain - {8FF6CF15-D1DB-11D9-899E-F43B508D2D8C} - C:\WINDOWS\SYSTEM\LCGI.DLL
  • 0

#6
Metallica

Metallica

    Spyware Veteran

  • GeekU Moderator
  • 33,101 posts
Can you post a new log?

You scared me with the old one. :tazz:

Regards,
  • 0

#7
megade3

megade3

    New Member

  • Topic Starter
  • Member
  • Pip
  • 9 posts
Sir,

Here is the log from today.


Regards,


megade3




Logfile of HijackThis v1.99.1
Scan saved at 08:42:17, on 05-06-01
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v5.50 SP1 (5.50.4522.1800)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.sympatico.ca/homepage.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/spage.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Sympatico
F1 - win.ini: run=hpfsched
N1 - Netscape 4: user_pref("browser.startup.homepage", "http://www.yahoo.com"); (C:\Program Files\Netscape\Users\User00\prefs.js)
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\WINDOWS\DOWNLOADED PROGRAM FILES\YCOMP5_1_6_0.DLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: Yahoo! Compagnon - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\WINDOWS\DOWNLOADED PROGRAM FILES\YCOMP5_1_6_0.DLL
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [SM56ACL] sm56hlpr.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [QuickTime Task] C:\WINDOWS\SYSTEM\QTTASK.EXE
O4 - HKLM\..\Run: [Pop-Up Stopper] "C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER\DPPS2.EXE"
O4 - HKLM\..\Run: [ConMgr.exe] "C:\PROGRAM FILES\EARTHLINK 5.0\CONMGR.EXE"
O4 - HKLM\..\Run: [Lexmark X74-X75] "C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe"
O4 - HKLM\..\Run: [LexStart] lexstart.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Denis\Spyware Doctor\swdoctor.exe" /Q
O4 - Startup: AOL 7.0 Tray Icon.lnk = C:\Program Files\AOL 7.0\aoltray.exe
O4 - Startup: SpySubtract.lnk = C:\Program Files\interMute\SpySubtract\SpySub.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O9 - Extra button: AOL Instant Messenger (SM) - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM95\AIM.EXE
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YPAGER.EXE
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YPAGER.EXE
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O12 - Plugin for .pdf: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.sympatico.ca/homepage.html
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (Yahoo! Compagnon) - http://us.dl1.yimg.c...ebio5_1_6_0.cab
  • 0

#8
Metallica

Metallica

    Spyware Veteran

  • GeekU Moderator
  • 33,101 posts
Check the items listed below in HijackThis, close all windows except HijackThis and click Fix checked:

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/spage.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank

That should do it.

Please have a look at my site for some tips on how to remove and prevent spyware.

Regards,
  • 0

#9
megade3

megade3

    New Member

  • Topic Starter
  • Member
  • Pip
  • 9 posts
Metallica,

I have checked the previous, as you suggested. PC is still SLOWWWWWW !! :tazz:

Furthermore, I have a new virus, "Trojan horse StartPage 19.AN", (window states that "WHILE OPENING: .....\CCHDHA.DLL") according to the AVG window that pops up once I invoke the AOL startpage.

I thank you for your help so far, and would appreciate any type of advice to solve my problems.

Kindest regards,

megade3
  • 0

#10
Metallica

Metallica

    Spyware Veteran

  • GeekU Moderator
  • 33,101 posts
Download and Unzip About:Buster from:
http://www.geekstogo...=download&id=25
Reboot into safe mode and run it.
It usually takes two runs to get cleaned.

This is a new version, so download it instead of running any older versions.
Post a new HijackThis log when you are done.

Regards,
  • 0

Advertisements


#11
megade3

megade3

    New Member

  • Topic Starter
  • Member
  • Pip
  • 9 posts
Metallica,

Here is the latest HiJackthis log. I have run AB.

Regards,


megade3



Logfile of HijackThis v1.99.1
Scan saved at 08:48:15, on 05-06-02
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v5.50 SP1 (5.50.4522.1800)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.sympatico.ca/homepage.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/spage.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Sympatico
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;<local>
F1 - win.ini: run=hpfsched
N1 - Netscape 4: user_pref("browser.startup.homepage", "http://www.yahoo.com"); (C:\Program Files\Netscape\Users\User00\prefs.js)
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\WINDOWS\DOWNLOADED PROGRAM FILES\YCOMP5_1_6_0.DLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: Yahoo! Compagnon - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\WINDOWS\DOWNLOADED PROGRAM FILES\YCOMP5_1_6_0.DLL
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [SM56ACL] sm56hlpr.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [QuickTime Task] C:\WINDOWS\SYSTEM\QTTASK.EXE
O4 - HKLM\..\Run: [Pop-Up Stopper] "C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER\DPPS2.EXE"
O4 - HKLM\..\Run: [ConMgr.exe] "C:\PROGRAM FILES\EARTHLINK 5.0\CONMGR.EXE"
O4 - HKLM\..\Run: [Lexmark X74-X75] "C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe"
O4 - HKLM\..\Run: [LexStart] lexstart.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Denis\Spyware Doctor\swdoctor.exe" /Q
O4 - Startup: AOL 7.0 Tray Icon.lnk = C:\Program Files\AOL 7.0\aoltray.exe
O4 - Startup: SpySubtract.lnk = C:\Program Files\interMute\SpySubtract\SpySub.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O9 - Extra button: AOL Instant Messenger (SM) - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM95\AIM.EXE
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YPAGER.EXE
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YPAGER.EXE
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O12 - Plugin for .pdf: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.sympatico.ca/homepage.html
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (Yahoo! Compagnon) - http://us.dl1.yimg.c...ebio5_1_6_0.cab
  • 0

#12
Metallica

Metallica

    Spyware Veteran

  • GeekU Moderator
  • 33,101 posts
Run the SpSeHjfix once more please.

Check the items listed below in HijackThis, close all windows except HijackThis and click Fix checked:

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/spage.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

Then reboot and post a new log.

Regards,
  • 0

#13
megade3

megade3

    New Member

  • Topic Starter
  • Member
  • Pip
  • 9 posts
Metallica,

As you requested, ran SpSeHjfix and HiJackThis (log below).

I also ran SpyWare Doctor, and the log below shows 16 infections. Should I be concerned.

Finaaly, my PC is still slow as [bleep].

Any advice ?

Regards,

megade3




Logfile of HijackThis v1.99.1
Scan saved at 08:10:44, on 05-06-03
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v5.50 SP1 (5.50.4522.1800)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.sympatico.ca/homepage.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Sympatico
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;<local>
F1 - win.ini: run=hpfsched
N1 - Netscape 4: user_pref("browser.startup.homepage", "http://www.yahoo.com"); (C:\Program Files\Netscape\Users\User00\prefs.js)
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\WINDOWS\DOWNLOADED PROGRAM FILES\YCOMP5_1_6_0.DLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: Yahoo! Compagnon - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\WINDOWS\DOWNLOADED PROGRAM FILES\YCOMP5_1_6_0.DLL
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [SM56ACL] sm56hlpr.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [QuickTime Task] C:\WINDOWS\SYSTEM\QTTASK.EXE
O4 - HKLM\..\Run: [Pop-Up Stopper] "C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER\DPPS2.EXE"
O4 - HKLM\..\Run: [ConMgr.exe] "C:\PROGRAM FILES\EARTHLINK 5.0\CONMGR.EXE"
O4 - HKLM\..\Run: [Lexmark X74-X75] "C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe"
O4 - HKLM\..\Run: [LexStart] lexstart.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunOnce: [sphjfix] C:\DENIS\SPSEHJ~1\SPSEHJ~1.EXE
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Denis\Spyware Doctor\swdoctor.exe" /Q
O4 - Startup: AOL 7.0 Tray Icon.lnk = C:\Program Files\AOL 7.0\aoltray.exe
O4 - Startup: SpySubtract.lnk = C:\Program Files\interMute\SpySubtract\SpySub.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O9 - Extra button: AOL Instant Messenger (SM) - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM95\AIM.EXE
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YPAGER.EXE
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YPAGER.EXE
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O12 - Plugin for .pdf: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.sympatico.ca/homepage.html
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (Yahoo! Compagnon) - http://us.dl1.yimg.c...ebio5_1_6_0.cab





05-06-03 08:24:48 05-05-20 12:14:48 DelfinProject Registry HKLM\SOFTWARE\DelFin
Elevated DelfinProject uses pcsvc.exe, a media viewer to monitor user browsing
habits and then sends the data back to the author's server for analysis.
regscanner.dll DelfinProject Registry HKLM\SOFTWARE\DelFin## Elevated
DelfinProject uses pcsvc.exe, a media viewer to monitor user browsing habits and
then sends the data back to the author's server for analysis. regscanner.dll
DelfinProject Registry HKLM\SOFTWARE\DelFin\PromulGate Elevated DelfinProject
uses pcsvc.exe, a media viewer to monitor user browsing habits and then sends
the data back to the author's server for analysis. regscanner.dll DelfinProject
Registry HKLM\SOFTWARE\DelFin\PromulGate## Elevated DelfinProject uses
pcsvc.exe, a media viewer to monitor user browsing habits and then sends the
data back to the author's server for analysis. regscanner.dll DelfinProject
Registry HKLM\SOFTWARE\DelFin\PromulGate##Version Elevated DelfinProject uses
pcsvc.exe, a media viewer to monitor user browsing habits and then sends the
data back to the author's server for analysis. regscanner.dll DelfinProject
Registry HKLM\SOFTWARE\DelFin\PromulGate##serial Elevated DelfinProject uses
pcsvc.exe, a media viewer to monitor user browsing habits and then sends the
data back to the author's server for analysis. regscanner.dll DelfinProject
Registry HKLM\SOFTWARE\DelFin\PromulGate##Install Elevated DelfinProject uses
pcsvc.exe, a media viewer to monitor user browsing habits and then sends the
data back to the author's server for analysis. regscanner.dll DelfinProject
Registry HKLM\SOFTWARE\DelFin\PromulGate##Data Elevated DelfinProject uses
pcsvc.exe, a media viewer to monitor user browsing habits and then sends the
data back to the author's server for analysis. regscanner.dll DelfinProject
Registry HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DelFin Media
Viewer Elevated DelfinProject uses pcsvc.exe, a media viewer to monitor user
browsing habits and then sends the data back to the author's server for
analysis. regscanner.dll DelfinProject Registry
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DelFin Media Viewer##
Elevated DelfinProject uses pcsvc.exe, a media viewer to monitor user browsing
habits and then sends the data back to the author's server for analysis.
regscanner.dll DelfinProject Registry
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DelFin Media
Viewer##DisplayName Elevated DelfinProject uses pcsvc.exe, a media viewer to
monitor user browsing habits and then sends the data back to the author's server
for analysis. regscanner.dll DelfinProject Registry
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DelFin Media
Viewer##UninstallString Elevated DelfinProject uses pcsvc.exe, a media viewer to
monitor user browsing habits and then sends the data back to the author's server
for analysis. regscanner.dll DelfinProject Files C:\Program Files\DelFin
Elevated DelfinProject uses pcsvc.exe, a media viewer to monitor user browsing
habits and then sends the data back to the author's server for analysis.
diskscanner.dll WhenU.SaveNow Files C:\Program Files\Save Medium A single
process run at startup which monitors open IE windows and opens adverts when it
sees targeted URLs and terms entered into forms. When consumers download the
popular music-swapping software BearShare, they are also downloading SaveNow,
which comes bundled with it. SaveNow is either a comparison-shopping service or
a form of adware, depending on who is describing it. diskscanner.dll NewDotNet
Files C:\WINDOWS\NDNuninstall4_80.exe Info NewDotNet is a legit plugin for
Windows that makes subdomains of new.net act as new top-level domains without
changing the normal domain name servers. It comprises a Winsock2 Layered Service
Provider (LSP) that makes the extra top-level domains visible, and it installs a
Browser Helper Object that redirects browser search pages to NewDotNet’s search
engine. It can however come bundled with Kazaa and AudioGalaxy without the
user’s knowledge, therefore if it was installed legitimately then please add it
to the ignore list. diskscanner.dll Cydoor Files C:\WINDOWS\SYSTEM\cd_clint.dll
Medium As at April 2005, Cydoor files are no longer downloaded to a client PC.
Applications such as iMesh retrieve ads from the Cydoor server so Cydoor
software no longer directly displays ads. Prior to version 3.2.0.9, Cydoor s is
a Browser Helper Object that can redirect your Browser to an Adware site.
Spyware Doctor is only detecting the previous version of Cydoor which is still
malicious.. diskscanner.dll 05-06-03 08:31:53 55891 16 0 General Scanner,
Process Scanner, Hosts scanner, LSP Scanner, Registry Scanner, Cookie Scanner,
Browser Defaults, Favorites and ZoneMap Scanner, Browser Scanner, Disk Scanner
05-06-03 08:21:49 - Spyware Doctor started 3.2.1.359 3.02220 05-05-20 28530
never 0 ON Startup Guard, Browser Guard, Immunizer, Keylogger Guard, Popup
Blocker, Process Guard, Scheduler, Site Guard C:\DENIS\SPYWARE DOCTOR\ English
Yes Yes Yes No Yes 20 Yes no action No No Yes Yes
  • 0

#14
Metallica

Metallica

    Spyware Veteran

  • GeekU Moderator
  • 33,101 posts
Let SpywareDoctor clean what it found and reboot before posting a new log.

Regards,
  • 0

#15
megade3

megade3

    New Member

  • Topic Starter
  • Member
  • Pip
  • 9 posts
Metallica,

Hello again !!

Should I seriously consider trashing my PC ?

Your help was greatly appreciated re: the about:blank/se.dll business.

However, I keep getting Windows "Illegal Operation" (I would estimate between 33 - 50 % of the time) when I am navigating in AOL.

Furthermore, my PC seems to be getting slower every day.

Also, an IE window occasionally pops up with offers:intermute as the entry page (I do not use IE; I use the default AOL browser).

Any advice ?????????

Regards,

megade3
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP