Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

Win98, redirection, popups, Trojans

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

Win98, redirection, popups, Trojans

Unread postby Sean_Claude » June 15th, 2005, 4:20 pm

On Windows 98, (this is a different computer than my other problem)
Get redirection, popups, and wall paper changed to saying
contaminated by Trojan-Spy.HTML.smitfraud.c

Run Spyware S&D, and
Trojan Hunter, many Trojans removed.
Removed some files via SpywareInfo. Forum advice
but they came back in log. Thanks for any help, here is
my log=

Logfile of HijackThis v1.99.1
Scan saved at 1:06:49 PM, on 6/15/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v5.00 (5.00.2614.3500)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\ATICWD32.EXE
C:\WINDOWS\SYSTEM\ATITASK.EXE
C:\PROGRAM FILES\EASY KEYBOARD\EASYKEY.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\SEEVE.EXE
C:\WINDOWS\SYSTEM\NSVSVC\NSVSVC.EXE
C:\WINDOWS\SYSTEM\VIDCTRL\VIDCTRL.EXE
C:\PROGRAM FILES\TROJANHUNTER 4.2\THGUARD.EXE
C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\CRAZY BROWSER\CRAZY BROWSER.EXE
C:\PROGRAM FILES\CRAZY BROWSER\CRAZY BROWSER.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://c:\windows\TEMP\se.dll/sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.e4me.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://c:\windows\TEMP\se.dll/sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {EFAA44EA-D9BD-11D9-9956-000434D7C73D} - C:\WINDOWS\SYSTEM\KKOMODA.DLL
O2 - BHO: CeresObj Class - {00000049-8F91-4D9C-9573-F016E7626484} - C:\WINDOWS\CERES.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] systray.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [AtiCwd32] Aticwd32.exe
O4 - HKLM\..\Run: [AtiKey] Atitask.exe
O4 - HKLM\..\Run: [Easykey] C:\Program Files\Easy Keyboard\Easykey.exe
O4 - HKLM\..\Run: [SBWatchDog.EXE] C:\WINDOWS\SYSTEM\SBUtils\SBWatchDog.EXE /l
O4 - HKLM\..\Run: [SoundFusion] RunDll32 cwcprops.cpl,CrystalControlWnd
O4 - HKLM\..\Run: [sp] rundll32 C:\WINDOWS\TEMP\SE.DLL,DllInstall
O4 - HKLM\..\Run: [seeve] C:\WINDOWS\SEEVE.exe
O4 - HKLM\..\Run: [Nsv] C:\WINDOWS\SYSTEM\nsvsvc\nsvsvc.exe
O4 - HKLM\..\Run: [vidctrl] C:\WINDOWS\SYSTEM\VIDCTRL\VIDCTRL.EXE
O4 - HKLM\..\Run: [brvzbab] c:\windows\system\brvzbab.exe
O4 - HKLM\..\Run: [THGuard] "C:\PROGRAM FILES\TROJANHUNTER 4.2\THGUARD.EXE"
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] c:\windows\SYSTEM\mstask.exe
O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O14 - IERESET.INF: START_PAGE_URL=www.e4me.com
O15 - Trusted Zone: *.media-motor.net
O15 - Trusted Zone: *.popuppers.com
O16 - DPF: {7149E79C-DC19-4C5E-A53C-A54DDF75EEE9} (IObjSafety.DemoCtl) - http://cabs.media-motor.net/cabs/diamond.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O18 - Filter: text/html - {EFAA44E9-D9BD-11D9-9956-0004C405594A} - C:\WINDOWS\SYSTEM\KKOMODA.DLL
O18 - Filter: text/plain - {EFAA44E9-D9BD-11D9-9956-0004C405594A} - C:\WINDOWS\SYSTEM\KKOMODA.DLL
Sean_Claude
Regular Member
 
Posts: 33
Joined: June 13th, 2005, 4:37 pm
Advertisement
Register to Remove

Unread postby Nick-YF19 » June 16th, 2005, 1:33 am

I'm looking at your log now and will reply later with a fix.

I noticed that you have aold version of Internet Explorer. You should at the very least have IE 5.5 Service Pack 2 or preferably IE 6 SP1. Is there a reason you haven't updated it? Your computer stands a high chance of being reinfected with such an old version of IE.
User avatar
Nick-YF19
Admin/Teacher Emeritus
 
Posts: 4036
Joined: May 17th, 2005, 12:42 am
Location: California

Unread postby Nick-YF19 » June 16th, 2005, 4:29 am

Please follow these steps:

Step 1:

1. Click on Start, then Run and type msinfo32 and press the OK button.
2. Expand the Software Environment section.
3. Expand the System Hooks Section.
4. Look for the which may be listed As:

-Hook type: Window Procedure
-Hooked by: XXXXX.dll
-Application: RUNDLL32.EXE
-Dll path: C:\WINDOWS\SYSTEM\XXXXX.dll
-Application path: C:\WINDOWS\RUNDLL32.EXE

Where XXXXX..dll is the file name.

If you find that file, highlight it with your mouse and click on edit then copy to copy the filename.

Then post that filename with the information in the next step in a reply to this post.

5. Continue to Step 2.

Step 2:

1. Download: "StartDreck" from:

http://www.niksoft.at/download/startdreck.htm

2. Extract the file into c:\startdreck.

3. Navigate to c:\startdreck and double-click on Startdreck.exe

4. When the program opens click on the Config button.

5. Then click on the unmark all button.

6. Then put checkmarks in the following checkboxes:

Under Registry put a checkmark in the Run Keys checkbox.

Under System/Drivers put a check in the Running Proccess checkbox.

7. Press the OK button.

8. Press the Save button. Type in the location you want to save the log to, or use the defaults which will save the log into the directory you are running the program from. If you choose the defaults the filename for the log will be StartDreck.log.

9. Post a copy of the log as a reply to this post.
User avatar
Nick-YF19
Admin/Teacher Emeritus
 
Posts: 4036
Joined: May 17th, 2005, 12:42 am
Location: California

Response 1

Unread postby Sean_Claude » June 17th, 2005, 1:48 am

Hi Nick,
I haven't updated browser, because I been using
Crazy Brower instead and usually did not have
enough free space to download new stuff. I guess.

Here is what I found under step one=
Hook type: Window Procedure
-Hooked by: Hlpbewl.gif
-Application: RUNDLL32.EXE
-Dll path: C:\WINDOWS\SYSTEM\Hlpbewl.gif
-Application path: C:\WINDOWS\RUNDLL32.EXE

Where Hlpbewl.gif is the file name.

Step two =
StartDreck (build 2.1.7 public stable) - 2005-06-16 @ 18:53:20 (GMT -07:00)
Platform: Windows 98 SE (Win 4.10.2222 A)
Internet Explorer: 5.00.2614.3500
Logged in as Default at OEMCOMPUTER

»Registry
»Run Keys
»Current User
»Run
»RunOnce
»Default User
»Run
»RunOnce
»Local Machine
»Run
*ScanRegistry=c:\windows\scanregw.exe /autorun
*TaskMonitor=c:\windows\taskmon.exe
*SystemTray=systray.exe
*LoadPowerProfile=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
*AtiCwd32=Aticwd32.exe
*AtiKey=Atitask.exe
*Easykey=C:\Program Files\Easy Keyboard\Easykey.exe
*SBWatchDog.EXE=C:\WINDOWS\SYSTEM\SBUtils\SBWatchDog.EXE /l
*SoundFusion=RunDll32 cwcprops.cpl,CrystalControlWnd
*sp=rundll32 C:\WINDOWS\TEMP\SE.DLL,DllInstall
*seeve=C:\WINDOWS\SEEVE.exe
*Nsv=C:\WINDOWS\SYSTEM\nsvsvc\nsvsvc.exe
*vidctrl=C:\WINDOWS\SYSTEM\VIDCTRL\VIDCTRL.EXE
*brvzbab=c:\windows\system\brvzbab.exe
*THGuard="C:\PROGRAM FILES\TROJANHUNTER 4.2\THGUARD.EXE"
»RunOnce
»RunServices
*LoadPowerProfile=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
*SchedulingAgent=c:\windows\SYSTEM\mstask.exe
»RunServicesOnce
**ytf=rundll32 C:\WINDOWS\HLPBEWL.GIF,DllGetClassObject
»RunOnceEx
»RunServicesOnceEx
»Files
»System/Drivers
»Running Processes
+FFCFBDD3=C:\WINDOWS\SYSTEM\KERNEL32.DLL
+FFFE40E7=C:\WINDOWS\SYSTEM\MSGSRV32.EXE
+FFFE78FF=C:\WINDOWS\SYSTEM\SPOOL32.EXE
+FFFE6607=C:\WINDOWS\SYSTEM\MPREXE.EXE
+FFFEED2B=C:\WINDOWS\SYSTEM\MSTASK.EXE
+FFFEBA23=C:\WINDOWS\RUNDLL32.EXE
+FFFEF48B=C:\WINDOWS\SYSTEM\mmtask.tsk
+FFFE9AA3=C:\WINDOWS\EXPLORER.EXE
+FFFDC6F3=C:\WINDOWS\RUNDLL32.EXE
+FFFD83DF=C:\WINDOWS\TASKMON.EXE
+FFFD8317=C:\WINDOWS\SYSTEM\SYSTRAY.EXE
+FFFC002B=C:\WINDOWS\SYSTEM\ATICWD32.EXE
+FFFC0917=C:\WINDOWS\SYSTEM\ATITASK.EXE
+FFFC21DB=C:\PROGRAM FILES\EASY KEYBOARD\EASYKEY.EXE
+FFFCC2F7=C:\WINDOWS\RUNDLL32.EXE
+FFFCE473=C:\WINDOWS\SEEVE.EXE
+FFFC8697=C:\WINDOWS\SYSTEM\NSVSVC\NSVSVC.EXE
+FFFB6E07=C:\WINDOWS\SYSTEM\VIDCTRL\VIDCTRL.EXE
+FFFB4FAF=C:\PROGRAM FILES\TROJANHUNTER 4.2\THGUARD.EXE
+FFFCC95F=C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
+FFFBE25B=C:\WINDOWS\SYSTEM\WMIEXE.EXE
+FFF8893B=C:\PROGRAM FILES\CRAZY BROWSER\CRAZY BROWSER.EXE
+FFF9869F=C:\WINDOWS\SYSTEM\DDHELP.EXE
+FFC789E3=C:\WINDOWS\DESKTOP\STARDRECK FOLDER\STARTDRECK.EXE
»Application specific

Thanks for any help, Claude
Sean_Claude
Regular Member
 
Posts: 33
Joined: June 13th, 2005, 4:37 pm

Unread postby Nick-YF19 » June 17th, 2005, 4:36 am

1. Goto the site : http://www10.brinkster.com/expl0iter/fr ... pvtool.htm

2. Download Win98Fix.zip and extract it into c:\win98fix.

3. Navigate to the c:\win98fix folder and double-click on the RunFix.reg. If it prompts you to allow it run, say Yes.

4. When that is done reboot your computer.

5. Enable hidden files by doing this:

* Double-click My Computer.
* Click the Tools menu, and then click Folder Options.
* Click the View tab.
* Clear "Hide file extensions for known file types."
* Under the "Hidden files" folder, select "Show hidden files and folders."
* Clear "Hide protected operating system files."
* Click Apply, and then click OK.

Now find C:\WINDOWS\HLPBEWL.GIF which should be visible now and delete the file.

6. Post a new hijackthis log.

There will be other things to fix, but I want to fix the main infection before moving on.
User avatar
Nick-YF19
Admin/Teacher Emeritus
 
Posts: 4036
Joined: May 17th, 2005, 12:42 am
Location: California

Unread postby Sean_Claude » June 17th, 2005, 7:56 pm

Hi Nick,
Will not let me download here=
1. Goto the site : http://www10.brinkster.com/expl0iter/fr ... pvtool.htm

2. Download Win98Fix.zip and extract it into c:\win98fix.
Anywhere else to download?

Claude
Sean_Claude
Regular Member
 
Posts: 33
Joined: June 13th, 2005, 4:37 pm

Unread postby Nick-YF19 » June 18th, 2005, 2:37 am

Use this link, I tested and it works

http://www10.brinkster.com/expl0iter/fr ... n98Fix.zip
User avatar
Nick-YF19
Admin/Teacher Emeritus
 
Posts: 4036
Joined: May 17th, 2005, 12:42 am
Location: California

Unread postby Sean_Claude » June 18th, 2005, 2:01 pm

Hi Nick,
So far I have not been able to download that zip file yet.

Also I have to be out of town & away from this computer
from the 19th to the 24th. Just so you know, that I will
not beable to respond until after the 24th :(
Thanks for all the help so far. Claude
Sean_Claude
Regular Member
 
Posts: 33
Joined: June 13th, 2005, 4:37 pm

Unread postby Nick-YF19 » June 19th, 2005, 1:39 am

OK, thanks for letting me know. When you do come back, post here and post a fresh hijackthis log.
User avatar
Nick-YF19
Admin/Teacher Emeritus
 
Posts: 4036
Joined: May 17th, 2005, 12:42 am
Location: California

Unread postby Sean_Claude » June 24th, 2005, 2:08 pm

Hi Nick,
Hope your having a good day. I am back, still
have not been able to download that file, also
tried a different computer to download with no luck.
Claude
Here is my latest hijack Log=

lLogfile of HijackThis v1.99.1
Scan saved at 11:01:03 AM, on 6/24/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v5.00 (5.00.2614.3500)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\ATICWD32.EXE
C:\WINDOWS\SYSTEM\ATITASK.EXE
C:\PROGRAM FILES\EASY KEYBOARD\EASYKEY.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\SEEVE.EXE
C:\WINDOWS\SYSTEM\NSVSVC\NSVSVC.EXE
C:\WINDOWS\SYSTEM\VIDCTRL\VIDCTRL.EXE
C:\PROGRAM FILES\TROJANHUNTER 4.2\THGUARD.EXE
C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://c:\windows\TEMP\se.dll/sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.e4me.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://c:\windows\TEMP\se.dll/sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {EFAA44EA-D9BD-11D9-9956-000434D7C73D} - C:\WINDOWS\SYSTEM\KKOMODA.DLL
O2 - BHO: CeresObj Class - {00000049-8F91-4D9C-9573-F016E7626484} - C:\WINDOWS\CERES.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] systray.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [AtiCwd32] Aticwd32.exe
O4 - HKLM\..\Run: [AtiKey] Atitask.exe
O4 - HKLM\..\Run: [Easykey] C:\Program Files\Easy Keyboard\Easykey.exe
O4 - HKLM\..\Run: [SBWatchDog.EXE] C:\WINDOWS\SYSTEM\SBUtils\SBWatchDog.EXE /l
O4 - HKLM\..\Run: [SoundFusion] RunDll32 cwcprops.cpl,CrystalControlWnd
O4 - HKLM\..\Run: [sp] rundll32 C:\WINDOWS\TEMP\SE.DLL,DllInstall
O4 - HKLM\..\Run: [seeve] C:\WINDOWS\SEEVE.exe
O4 - HKLM\..\Run: [Nsv] C:\WINDOWS\SYSTEM\nsvsvc\nsvsvc.exe
O4 - HKLM\..\Run: [vidctrl] C:\WINDOWS\SYSTEM\VIDCTRL\VIDCTRL.EXE
O4 - HKLM\..\Run: [brvzbab] c:\windows\system\brvzbab.exe
O4 - HKLM\..\Run: [THGuard] "C:\PROGRAM FILES\TROJANHUNTER 4.2\THGUARD.EXE"
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] c:\windows\SYSTEM\mstask.exe
O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O14 - IERESET.INF: START_PAGE_URL=www.e4me.com
O15 - Trusted Zone: *.media-motor.net
O15 - Trusted Zone: *.popuppers.com
O16 - DPF: {7149E79C-DC19-4C5E-A53C-A54DDF75EEE9} (IObjSafety.DemoCtl) - http://cabs.media-motor.net/cabs/diamond.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O16 - DPF: {4208FB4D-4E53-4F5A-BF7A-3E047DDB5281} (ActiveX Control) - http://www.icannnews.com/app/ST/ActiveX.ocx
O18 - Filter: text/html - {EFAA44E9-D9BD-11D9-9956-0004C405594A} - C:\WINDOWS\SYSTEM\KKOMODA.DLL
O18 - Filter: text/plain - {EFAA44E9-D9BD-11D9-9956-0004C405594A} - C:\WINDOWS\SYSTEM\KKOMODA.DLL
Sean_Claude
Regular Member
 
Posts: 33
Joined: June 13th, 2005, 4:37 pm

Unread postby Nick-YF19 » June 25th, 2005, 8:14 am

When you say you can't download the file, what so you mean? The last link for the 98fix is a direct and should bring up a dialog box for downloading the file. Does that not happen? What does happen when you click on the link?



Press ctrl and alt and delete at the same time to bring up the task manager and find these and end task them.

C:\WINDOWS\SYSTEM\NSVSVC\NSVSVC.EXE
C:\WINDOWS\SYSTEM\VIDCTRL\VIDCTRL.EXE


Open the add/delete programs in the control panel and look for DelFin and uninstall it.

Scan with Hijackthis and Check the boxes next to all these,

O2 - BHO: CeresObj Class - {00000049-8F91-4D9C-9573-F016E7626484} - C:\WINDOWS\CERES.DLL
O4 - HKLM\..\Run: [seeve] C:\WINDOWS\SEEVE.exe
O4 - HKLM\..\Run: [Nsv] C:\WINDOWS\SYSTEM\nsvsvc\nsvsvc.exe
O4 - HKLM\..\Run: [vidctrl] C:\WINDOWS\SYSTEM\VIDCTRL\VIDCTRL.EXE
O4 - HKLM\..\Run: [brvzbab] c:\windows\system\brvzbab.exe
O15 - Trusted Zone: *.media-motor.net
O15 - Trusted Zone: *.popuppers.com
O16 - DPF: {7149E79C-DC19-4C5E-A53C-A54DDF75EEE9} (IObjSafety.DemoCtl) - http://cabs.media-motor.net/cabs/diamond.cab
O16 - DPF: {4208FB4D-4E53-4F5A-BF7A-3E047DDB5281} (ActiveX Control) - http://www.icannnews.com/app/ST/ActiveX.ocx


Now close all other windows, then click Fix Checked.

After that, restart the computer in Safe mode. When the computer is starting, begin tapping the F8 key on your keyboard. Continue to do so until the Windows Advanced Options menu appears. Using the arrow keys on the keyboard, scroll to and select the Safe mode menu item, and then press Enter.

Enable hidden files by doing this:

* Double-click My Computer.
* Click the Tools menu, and then click Folder Options.
* Click the View tab.
* Clear "Hide file extensions for known file types."
* Under the "Hidden files" folder, select "Show hidden files and folders."
* Clear "Hide protected operating system files."
* Click Apply, and then click OK.

Then find and delete these files:

C:\WINDOWS\CERES.DLL
C:\WINDOWS\SEEVE.exe
C:\WINDOWS\SYSTEM\VIDCTRL\VIDCTRL.EXE <-=-folder
c:\windows\system\brvzbab.exe


Reboot normally and do the same steps from the begining of this topic. I want to check to see if the file I scanned for before is the same or has changed.

Step 1:

1. Click on Start, then Run and type msinfo32 and press the OK button.
2. Expand the Software Environment section.
3. Expand the System Hooks Section.
4. Look for the which may be listed As:

-Hook type: Window Procedure
-Hooked by: XXXXX.dll
-Application: RUNDLL32.EXE
-Dll path: C:\WINDOWS\SYSTEM\XXXXX.dll
-Application path: C:\WINDOWS\RUNDLL32.EXE

Where XXXXX..dll is the file name.

If you find that file, highlight it with your mouse and click on edit then copy to copy the filename.

Then post that filename with the information in the next step in a reply to this post.

5. Continue to Step 2.

Step 2:

1. Download: "StartDreck" from:

http://www.niksoft.at/download/startdreck.htm

2. Extract the file into c:\startdreck.

3. Navigate to c:\startdreck and double-click on Startdreck.exe

4. When the program opens click on the Config button.

5. Then click on the unmark all button.

6. Then put checkmarks in the following checkboxes:

Under Registry put a checkmark in the Run Keys checkbox.

Under System/Drivers put a check in the Running Proccess checkbox.

7. Press the OK button.

8. Press the Save button. Type in the location you want to save the log to, or use the defaults which will save the log into the directory you are running the program from. If you choose the defaults the filename for the log will be StartDreck.log.

9. Post a copy of the log as a reply to this post.


Then post a new HJT log after doing everything.
User avatar
Nick-YF19
Admin/Teacher Emeritus
 
Posts: 4036
Joined: May 17th, 2005, 12:42 am
Location: California

Unread postby Sean_Claude » June 25th, 2005, 12:37 pm

When you say you can't download the file, what so you mean? The last link for the 98fix is a direct and should bring up a dialog box for downloading the file. Does that not happen? What does happen when you click on the link?

*I get http 403 page Forbidden
Sean_Claude
Regular Member
 
Posts: 33
Joined: June 13th, 2005, 4:37 pm

Unread postby Sean_Claude » June 25th, 2005, 3:21 pm

Hi Nick,
I did what you said twice.

[C:\WINDOWS\SYSTEM\NSVSVC\NSVSVC.EXE
C:\WINDOWS\SYSTEM\VIDCTRL\VIDCTRL.EXE
Open the add/delete programs in the control panel and look for DelFin and uninstall it.]
*I couldn't find any of these 3 files or programs.

Then find and delete these files:
C:\WINDOWS\CERES.DLL = could not find
C:\WINDOWS\SEEVE.exe = could not find
C:\WINDOWS\SYSTEM\VIDCTRL\VIDCTRL.EXE <-=-folder = Deleted
c:\windows\system\brvzbab.exe = Deleted

On the Hijack Log deleted the 9 you indicated, looks like
they did not come back. Here is my current log=
Claude

Logfile of HijackThis v1.99.1
Scan saved at 12:09:15 PM, on 6/25/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v5.00 (5.00.2614.3500)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\ATICWD32.EXE
C:\WINDOWS\SYSTEM\ATITASK.EXE
C:\PROGRAM FILES\EASY KEYBOARD\EASYKEY.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\PROGRAM FILES\TROJANHUNTER 4.2\THGUARD.EXE
C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\CRAZY BROWSER\CRAZY BROWSER.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://c:\windows\TEMP\se.dll/sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.e4me.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://c:\windows\TEMP\se.dll/sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {EFAA44EA-D9BD-11D9-9956-000434D7C73D} - C:\WINDOWS\SYSTEM\KKOMODA.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] systray.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [AtiCwd32] Aticwd32.exe
O4 - HKLM\..\Run: [AtiKey] Atitask.exe
O4 - HKLM\..\Run: [Easykey] C:\Program Files\Easy Keyboard\Easykey.exe
O4 - HKLM\..\Run: [SBWatchDog.EXE] C:\WINDOWS\SYSTEM\SBUtils\SBWatchDog.EXE /l
O4 - HKLM\..\Run: [SoundFusion] RunDll32 cwcprops.cpl,CrystalControlWnd
O4 - HKLM\..\Run: [sp] rundll32 C:\WINDOWS\TEMP\SE.DLL,DllInstall
O4 - HKLM\..\Run: [THGuard] "C:\PROGRAM FILES\TROJANHUNTER 4.2\THGUARD.EXE"
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] c:\windows\SYSTEM\mstask.exe
O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O14 - IERESET.INF: START_PAGE_URL=www.e4me.com
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O18 - Filter: text/html - {EFAA44E9-D9BD-11D9-9956-0004C405594A} - C:\WINDOWS\SYSTEM\KKOMODA.DLL
O18 - Filter: text/plain - {EFAA44E9-D9BD-11D9-9956-0004C405594A} - C:\WINDOWS\SYSTEM\KKOMODA.DLL
Sean_Claude
Regular Member
 
Posts: 33
Joined: June 13th, 2005, 4:37 pm

Unread postby Nick-YF19 » June 25th, 2005, 8:54 pm

Please run startdrek again with the settings from my previous post. I want to see if anything has changed. I'm looking for another place to download that file, too.
User avatar
Nick-YF19
Admin/Teacher Emeritus
 
Posts: 4036
Joined: May 17th, 2005, 12:42 am
Location: California

Unread postby Nick-YF19 » June 26th, 2005, 1:05 am

Don't worry about startdrek now, I have a newer fix that will clean up the problem. Do this instead.

Download CW-Shredder at the link below: (don't run it yet)
http://cwshredder.net/bin/CWShredder.exe


Download http://www.derbilk.de/SpSeHjfix109.zip into a folder.
Unzip SpSeHjfix109.zip. (don't run it yet)


1. Open My Computer
2. Right click on your hard drive that you wish to clean (C drive, for example)
3. In the context menu that opens, select properties
4. Under the general tab you should select Disk Cleanup
5. Windows will scan your drive which will take a few seconds/minutes
6. A box will display the various files you can remove.
Check all boxes except compress old files (If listed)
7. Click OK and windows will comply.



Make sure you know how to boot into - SafeMode

Reboot into safe mode. When the computer is starting, begin tapping the F8 key on your keyboard. Continue to do so until the Windows Advanced Options menu appears. Using the arrow keys on the keyboard, scroll to and select the Safe mode menu item, and then press Enter.

Disconnect from the net and Close ALL OPEN PROGRAMS.
Run 'SpSeHjfix'. and click on "Start Disinfection".
When it's finished it will reboot your machine to finish the cleaning process.
The tool creates a log of the fix which will appear in the folder.

Now run the Shredder - Hit The FIX button!

Reboot and repeat the process above.

Reboot and post a fresh HJT log and the log that was created by 'SpSeHjfix'.




run it in safe mode and run it twice
User avatar
Nick-YF19
Admin/Teacher Emeritus
 
Posts: 4036
Joined: May 17th, 2005, 12:42 am
Location: California
Advertisement
Register to Remove

Next

  • Similar Topics
    Replies
    Views
    Last post

Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: No registered users and 41 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware