Brian 0 Newbie Poster

Thanks for your suggestion. Have just come back from holiday, and before leaving arranged for exactly what you suggested. Thanks again.


Brian

Brian 0 Newbie Poster

I am running Windows 98, and was infected with kernels32.exe. I believe that this has been successfully removed. However, when I switch on my computer, the computer tries to log on to Freeserve, a message pops up, "program already installed", and I lost my Freeserve Desktop Icon, but have replaced it. ZoneAlarm shows "Systempe" is trying to access the internet when I log on. I have run Bug Doctor, Mighty Max, Adaware, Spybot, CWS Shredder and AVG scan. They all show the system as being free of viruses/errors. Any ideas on what the fault is and how to fix it? I am not very computer literate, and would appreciate any help being given in fairly basic steps. I originally posted this in the Windows ME9x forum in error.

Thanks

Brian

Brian 0 Newbie Poster

I am running Windows 98, and was infected with kernels32.exe. I believe that this has been successfully removed. However, when I switch on my computer, the computer tries to log on to Freeserve, a message pops up, "program already installed", and I have lost my Freeserve Desktop Icon. I have run Bug Doctor, Mighty Max, Adaware, Spybot, CWS Shredder and AVG scan. They all show the system as being free of viruses/errors. Any ideas on what the fault is and how to fix it? I am not very computer literate, and would appreciate any help being given in fairly basic steps.

Thanks

Brian

Brian 0 Newbie Poster

Thanks for your reply. Sorry but I am not very computer literate. How do I find the executable file?

Thanks

Brian

Brian 0 Newbie Poster

I have a dialler, I believe. Every time I turn on my computer it tries to access the internet. I have attached a HJT log. Can anyone help?

Logfile of HijackThis v1.99.0
Scan saved at 21:38:53, on 21/09/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\MDM.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\WINDOWS\SYSTEM\KERNELS32.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\KHOOKER.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\ADAPTEC\EASY CD CREATOR 5\DIRECTCD\DIRECTCD.EXE
C:\PROGRAM FILES\COMMON FILES\ADAPTEC SHARED\CREATECD\CREATECD50.EXE
C:\WINDOWS\MHOTKEY.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\WINDOWS\SYSTEM\SISTRAY.EXE
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
C:\WINDOWS\SYSTEM32\DRIVERS\KODAKCCS.EXE
C:\WINDOWS\SYSTEM\E_S4I0S2.EXE
C:\WINDOWS\SYSTEM\KERNELS32.EXE
C:\PROGRAM FILES\KODAK\KODAK EASYSHARE SOFTWARE\BIN\EASYSHARE.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\FINEPIXVIEWER\QUICKDCF.EXE
C:\WINDOWS\SYSTEM\SYSTEMP.EXE
C:\MY DOCUMENTS\HIJACKTHIS.EXE
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_5_7_1.DLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\PROGRAM FILES\EPSON\EPSON WEB-TO-PAGE\EPSON WEB-TO-PAGE.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_5_7_1.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - …

Brian 0 Newbie Poster

Hi, you are way behind on your version of HijackThis; time to update it!
Please be sure to close all browsers and open windows when running HijackThis.
Please do this.
Download 'Hijack This!'. http://www.spywareinfo.com/~merijn/files/HijackThis.exe
Save it in a convenient permanent folder such as C:\HJT\, double click HijackThis.exe, and hit "Scan".

Your copy of HijackThis needs to be in a folder of its own. When HJT fixes anything, it makes backups of the original files in the folder it is in. Since Temporary folders are emptied now and then (the files are DELETED), it would not be a good idea to have your backups there. Those backups would be VITAL to restoring your system if something went wrong in the FIX process!

1. Please go to your 'My Documents' folder, right-click and select 'New > Folder' then name the folder 'HJT'.

2. Copy and paste HijackThis.exe to the new folder.

3. Close ALL windows except HJT

4. SCAN with HJT

5. POST the new log in this thread using 'Add Reply'

DO NOT MAKE ANY CHANGES OR CLICK "FIX CHECKED" UNTIL WE CHECK THE LOG, AS SOME OF THE FILES ARE LEGIT AND VITAL TO YOUR COMPUTER'S HEALTH

Thanks for that. I have downloaded the new version, and the log is below:

Logfile of HijackThis v1.99.0
Scan saved at 15:23:26, on 26/12/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:

Brian 0 Newbie Poster

Deleting unknown entries will get you into trouble; just because they are marked unknown doesn't mean they are bad, just that their database doesn't know what they are!!

Thanks for the advice. I am a little afraid of using HijackThis, as the last time I used it and followed advice, my PC developed a fatal exception error, and I had to format the hard drive and re-install Windows. However, I have run another HJT log and it is below. Can anyone advise me as to whether all entries are OK, and what I can safely delete?

Thanks

Brian
Logfile of HijackThis v1.97.7
Scan saved at 20:47:58, on 25/12/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\MDM.EXE
C:\PROGRAM FILES\COMMON FILES\EPSON\EBAPI\SAGENT2.EXE
C:\PROGRAM FILES\GRISOFT\AVG6\AVGSERV9.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\KHOOKER.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\ADAPTEC\EASY CD CREATOR 5\DIRECTCD\DIRECTCD.EXE
C:\PROGRAM FILES\COMMON FILES\ADAPTEC SHARED\CREATECD\CREATECD50.EXE
C:\PROGRAM FILES\GRISOFT\AVG6\AVGCC32.EXE
C:\WINDOWS\MHOTKEY.EXE
C:\WINDOWS\SYSTEM32\DRIVERS\KODAKCCS.EXE
C:\WINDOWS\SYSTEM\USBMONIT.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
C:\PROGRAM FILES\KODAK\KODAK EASYSHARE SOFTWARE\BIN\EASYSHARE.EXE
C:\PROGRAM FILES\KODAK\KODAK SOFTWARE UPDATER\7288971\PROGRAM\BACKWEB-7288971.EXE
C:\PROGRAM FILES\FINEPIXVIEWER\QUICKDCF.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\SYSTEMP.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\WINZIP\WINZIP32.EXE
C:\MY DOCUMENTS\HIJACKTHIS.EXE
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O2 - BHO: …

Brian 0 Newbie Poster

I was reading in the press about a new freeware clean-up tool, X-RAYPC. I ran it and deleted a "bad" entry. There are several other entries marked as "unknown". I want to clean up my computer, as it doesn't always close down properly, and I do not know what I can safely delete. Can someone out there look at the log below, and let me know what is bad and should be deleted?

Thanks

Brian:cry:


Registry Settings:
IE Start Page (User) : http://www.google.com/
IE Start Page (Global) : about:blank
IE Blank Page : C:\WINDOWS\SYSTEM\blank.htm
IE Default Page :
IE Search Page (User) :
IE Search Page (Global) :
IE Default Search :
IE Search Bar :

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL (471040 375b0813980ae17dcc689e913ab9dd7b)
C:\WINDOWS\SYSTEM\MSGSRV32.EXE (11920 15020a139f22cdbf9c70aa8d80f6ae0e)
C:\WINDOWS\SYSTEM\MPREXE.EXE (28672 562d04789250a81ce629d60646a0d191)
C:\WINDOWS\SYSTEM\mmtask.tsk (1184 38bae36e67c8b1ae3abc077837953b89)
C:\WINDOWS\SYSTEM\MSTASK.EXE (111888 39d6b416d9c73a7729cdaed247430d21)
C:\WINDOWS\SYSTEM\MDM.EXE (119400 95d85d69ffc099c516d99cb9581e3fe2)
C:\PROGRAM FILES\COMMON FILES\EPSON\EBAPI\SAGENT2.EXE (115200 6ead5b8c2c469aa993c32b8ac2d46806)
C:\PROGRAM FILES\GRISOFT\AVG6\AVGSERV9.EXE (20480 cf63aae9020129b18d452870ec6cbe7b)
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE (1213720 b0dc29a8390d82110fb1a0312fcc48b1)
C:\WINDOWS\EXPLORER.EXE (180224 b22b28f61b1bb06723019307f0faacfc)
C:\WINDOWS\SYSTEM\RPCSS.EXE (20480 ce9c4007585f538f769cc80f01d09d33)
C:\WINDOWS\TASKMON.EXE (28672 f795110611101279aa15997801abaca0)
C:\WINDOWS\SYSTEM\SYSTRAY.EXE (32768 73681085dcd0997e531240100ca12b28)
C:\WINDOWS\SYSTEM\KHOOKER.EXE (307200 3249f275334e9becfc28288f69d2bbc8)
C:\WINDOWS\RUNDLL32.EXE (24576 3857d93aa630abbd63467db4aeffce2c)
C:\WINDOWS\SYSTEM\DDHELP.EXE (31744 f62f3495c1e013a63698d556c80e1b62)
C:\PROGRAM FILES\ADAPTEC\EASY CD CREATOR 5\DIRECTCD\DIRECTCD.EXE (684032 3f7be7864b7fa4071b773f2caad8fd5d)
C:\PROGRAM FILES\COMMON FILES\ADAPTEC SHARED\CREATECD\CREATECD50.EXE (131157 f961c28664381d89ac8a8fc425a096b3)
C:\PROGRAM FILES\GRISOFT\AVG6\AVGCC32.EXE (369209 1113c60b056a07e76c03cdcbeb9c5a0e)
C:\WINDOWS\MHOTKEY.EXE (491008 048491e13d708285a0dd3a73a3ccfd53)
C:\WINDOWS\SYSTEM32\DRIVERS\KODAKCCS.EXE (294972 a97812a623d23727e50f501f95719b23)
C:\WINDOWS\SYSTEM\USBMONIT.EXE (40960 57a33a66d43084485e3a93ee0194fe6b)
C:\WINDOWS\SYSTEM\STIMON.EXE (114688 3a395315c2d9e63c0ce4704afa404ffa)
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE (902432 5accd5a8cb0b40c4516d7a8a5ea0424e)
C:\PROGRAM FILES\KODAK\KODAK EASYSHARE …

Brian 0 Newbie Poster

MM

I followed everything that you suggested, however on re-boot, the computer stated that I had a fatal exception error, and I could do nothing further. I then tried re-installing Windows 98; it loaded, but with 13 mins left (I don't know whether that is significant) it stopped due to another fatal exception error. I tried several times, but each time it stopped re-installing at that point. I have now arranged to have the hard disk formatted and to re-install from scratch.

Brian

Brian 0 Newbie Poster

Thank you MM. I have done everything that you suggested and the latest HJT log is shown below. I have not deleted the sites that you suggested yet, as I thought it best to await your further instructions.

Thanks for your help

Brian
Logfile of HijackThis v1.97.7
Scan saved at 19:48:16, on 01/07/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\COMMON FILES\EPSON\EBAPI\SAGENT2.EXE
C:\PROGRAM FILES\GRISOFT\AVG6\AVGSERV9.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\PROGRAM FILES\ADAPTEC\EASY CD CREATOR 5\DIRECTCD\DIRECTCD.EXE
C:\PROGRAM FILES\COMMON FILES\ADAPTEC SHARED\CREATECD\CREATECD50.EXE
C:\WINDOWS\SYSTEM32\DRIVERS\KODAKCCS.EXE
C:\WINDOWS\SYSTEM\USBMONIT.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\MHOTKEY.EXE
C:\PROGRAM FILES\GRISOFT\AVG6\AVGCC32.EXE
C:\PROGRAM FILES\DAP\DAP.EXE
C:\WINDOWS\SYSTEM\MMGR.EXE
C:\WINDOWS\SYSTEM\WYREG.EXE
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\KODAK\KODAK EASYSHARE SOFTWARE\BIN\EASYSHARE.EXE
C:\PROGRAM FILES\KODAK\KODAK SOFTWARE UPDATER\7288971\PROGRAM\BACKWEB-7288971.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\PROGRAM FILES\WINZIP\WINZIP32.EXE
C:\WINDOWS\TEMP\HIJACKTHIS.EXE
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: (no name) - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 …

Brian 0 Newbie Poster

I have a problem with, I believe, a dialler. When I am working off-line, after about 20-30 mins the PC dials the internet. I have run the latest editions of CWS and ADAWARE, and both say that the system is clean. It clearly isn't. I am on pay as you go and am afraid of a large phone bill. I have run HijackThis and the log is below. Can anyone help me with this?

Thanks

Logfile of HijackThis v1.97.7
Scan saved at 21:10:21, on 30/06/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\COMMON FILES\EPSON\EBAPI\SAGENT2.EXE
C:\PROGRAM FILES\GRISOFT\AVG6\AVGSERV9.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\PROGRAM FILES\ADAPTEC\EASY CD CREATOR 5\DIRECTCD\DIRECTCD.EXE
C:\PROGRAM FILES\COMMON FILES\ADAPTEC SHARED\CREATECD\CREATECD50.EXE
C:\WINDOWS\SYSTEM32\DRIVERS\KODAKCCS.EXE
C:\WINDOWS\SYSTEM\USBMONIT.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\MHOTKEY.EXE
C:\PROGRAM FILES\GRISOFT\AVG6\AVGCC32.EXE
C:\PROGRAM FILES\DAP\DAP.EXE
C:\WINDOWS\SYSTEM\MMGR.EXE
C:\WINDOWS\SYSTEM\WYREG.EXE
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
C:\PROGRAM FILES\KODAK\KODAK EASYSHARE SOFTWARE\BIN\EASYSHARE.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\KODAK\KODAK SOFTWARE UPDATER\7288971\PROGRAM\BACKWEB-7288971.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\PROGRAM FILES\OUTLOOK EXPRESS\MSIMN.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\WINZIP\WINZIP32.EXE
C:\WINDOWS\TEMP\HIJACKTHIS.EXE
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {0000CC75-ACF3-4cac-A0A9-DD3868E06852} - C:\PROGRAM FILES\DAP\DAPBHO.DLL
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: …

Brian 0 Newbie Poster

Sorry, I didn't spell check this message. I have now corrected it and it should make more sense!!

I have now fixed the problem. I was unable to delete the "O4 - HKLM\..\Run: [does safe] C:\PROGRA~1\BROWSE~1\Vc curb close.exe" file from the Browse folder as the message came up that it was a protected file. There was nothing else in the Browse folder, so I closed it, right-clicked on the folder, selected delete, and the folder and its contents were able to be deleted. I then ran "Hijackthis", and deleted the two items

Brian 0 Newbie Poster

:lol:


I have now fixed the problem. I was unable to delete the "O4 - HKLM\..\Run: [does safe] C:\PROGRA~1\BROWSE~1\Vc curb close.exe" file from the Browse folder as the message came up that it was a protected file. There was nothing else in the Browse folder, so I closed it, right-clicked on the folder, selected delete, and the folder and its contents were able to be deleted. I then ran "Hijackthis", and deleted the two items:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost

I then re-booted and bingo!! problem gone.

Thanks very much for all of your help. I will post a donation to your site.


Brian

Brian 0 Newbie Poster

Thanks for that. I did as you suggested only to find that on rebooting, prosearching returned, together with 04-HKLM\..Run: (does safe) c:\progra~1\browsestore\Vccurb close.exe. I ran "HIJACKTHIS" again, and the results are below. I clicked on the properties of "Vc curb" and it said that it reattaches the hijack on re-boot. I then went to "Browse" and found the "Vc curb" program. I right-clicked and tried to delete it but I couldn't as it said that the file was protected. I assume that this is the program that I must remove. Any ideas on how it can be done? The results of the latest "Hijack this" are below.

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\COMMON FILES\EPSON\EBAPI\SAGENT2.EXE
C:\PROGRAM FILES\GRISOFT\AVG6\AVGSERV9.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\PROGRAM FILES\ADAPTEC\EASY CD CREATOR 5\DIRECTCD\DIRECTCD.EXE
C:\PROGRAM FILES\COMMON FILES\ADAPTEC SHARED\CREATECD\CREATECD50.EXE
C:\WINDOWS\SYSTEM32\DRIVERS\KODAKCCS.EXE
C:\WINDOWS\SYSTEM\USBMONIT.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\MHOTKEY.EXE
C:\PROGRAM FILES\GRISOFT\AVG6\AVGCC32.EXE
C:\PROGRAM FILES\BROWSE STORE\VC CURB CLOSE.EXE
C:\PROGRAM FILES\KODAK\KODAK EASYSHARE SOFTWARE\BIN\EASYSHARE.EXE
C:\PROGRAM FILES\KODAK\KODAK SOFTWARE UPDATER\7288971\PROGRAM\BACKWEB-7288971.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\WINZIP\WINZIP32.EXE
C:\WINDOWS\TEMP\HIJACKTHIS.EXE
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://prosearching.com/passthrough/index.html?http://google.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - …

Brian 0 Newbie Poster

I have been hijacked!! I have run Adaware, HijackThis, CoolWeb Shredder, but every time I reboot the same thing returns. Nothing seems to get rid of it. The result of the HijackThis scan is below. Does anyone know how to remove it? I am not very computer literate so please make it easy!!

Logfile of HijackThis v1.97.7
Scan saved at 19:41:15, on 23/03/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\MDM.EXE
C:\PROGRAM FILES\COMMON FILES\EPSON\EBAPI\SAGENT2.EXE
C:\PROGRAM FILES\GRISOFT\AVG6\AVGSERV9.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\KHOOKER.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\ADAPTEC\EASY CD CREATOR 5\DIRECTCD\DIRECTCD.EXE
C:\PROGRAM FILES\COMMON FILES\ADAPTEC SHARED\CREATECD\CREATECD50.EXE
C:\WINDOWS\SYSTEM32\DRIVERS\KODAKCCS.EXE
C:\WINDOWS\SYSTEM\USBMONIT.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\MHOTKEY.EXE
C:\PROGRAM FILES\GRISOFT\AVG6\AVGCC32.EXE
C:\PROGRAM FILES\BROWSE STORE\VC CURB CLOSE.EXE
C:\PROGRAM FILES\KODAK\KODAK EASYSHARE SOFTWARE\BIN\EASYSHARE.EXE
C:\PROGRAM FILES\KODAK\KODAK SOFTWARE UPDATER\7288971\PROGRAM\BACKWEB-7288971.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\PROGRAM FILES\WINZIP\WINZIP32.EXE
C:\WINDOWS\TEMP\HIJACKTHIS.EXE
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://prosearching.com/passthrough/index.html?http://www.google.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://prosearching.com/searchbar.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = C:\WINDOWS\secure.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://prosearching.com/searchbar.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://prosearching.com/searchbar.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = C:\WINDOWS\secure.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://prosearching.com/searchbar.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\secure.html
R3 …