JJCrump
2008-03-04, 22:51
Hi..
I have a win98SE laptop PII-300, dial-up, 256Mram, full updates, incl the unofficial service pack, AVG7.5 S&D1.5 and run a manually update Adaware SE occasionally..
Recently I noticed that my NETSTAT -a 30 command was showing a pair of established links to 007guard.com every time I opened a browser link (IE or KMELEON) or retrieved my email (foxmail 5)
A pair of connections to 007guard.com at random ports, or to ONE random port plus pop3 with email.
Ok.. I checked my hosts file, 007guard.com is re-routed with the S&D host file, to 127.0.0.1 so HOPEFULLY nothing is getting through (???)
So time to clean house..
HJT showed nothing particular
Fxit 3 showed nothing particular
AVG, S&D, AAWareSE nadda...
Still there... wait.. now I dont get it when
only using IE 6 (sp1)
It shows up with foxmail and kmeleon..
Hmmph..
Went through the registry looking for stuff that shouldnt be there with Foxmail.. nadda. With FOXHOT (the hotmail proxy) nadda
Went to Kaspersky, Norton etc pages, looked up 007guard.com , searched manually for the usual files associated with it... NOpe..
Removed dial-upnetwork stack, re-installed it.. nope..
Used the cexx(?) network remover, re-installed
dial-up networking.. Still there..
Got a host file editor or 2, added some more 127.0.0.1
entries ENSURED THEY WERE ALL 127.0.0.1 entries, removed ###COMMENTS...
Now 007guard.com is gone and I get localhost connections, in pairs at random ports. Its the same problem because I get the pop3 localhost connections too..
I am stumped! There are not too many programs I can scan with with a WIN98SE system.. (oh! - add clamwin and SPYWARE TERMINATOR, and all the others in SAFE MODE.. I even removed the 2 Microsoft funny long number hotfixes.. no help..)
I am worried that before I removed the #comments from the host files, stuff WAS GETTING THROUGH to 007guard.com
HOLY KEYLOGGER BATMAN!
Obviously some dirtbag at 007guard.com has updated their little nasty thing..
I can think of a proper way to remove 007guard.com for good, and it would start at someone's kneecaps...
Hmmmmmmm.... until then...
Please.. Any news on NEW VARIANTS.. suggestions, and some reassurances that the S&D host file entries originally installed WERE routing the 007guard.com back to 127.0.0.1, even though netstat was showing ESTABLISHEDD connections on all kinds of random ports before I removed all ###comments## ???????
Well, I have to thank the Spybot S&D team for a progie that still works on WIN98SE...
Some of us cant give it up yet..
Any trolls who say Linux or XP can buy me a laptop that will handle those..
So thanks for still keeping 98SE going...
I thought it was too simple to get picked on..
Hmmmph!
Oh here is my HJT log, from 2 mins ago:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:21:25 PM, on 3/4/08
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\GRISOFT\AVG7\AVGAMSVR.EXE
C:\WINDOWS\SYSTEM\USBMONIT.EXE
C:\PROGRAM FILES\GRISOFT\AVG7\AVGCC.EXE
C:\WINDOWS\RunDLL.exe
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\3WEB\3WEB.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\SYSTEM\INTERNAT.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\K-MELEON\K-MELEON.EXE
C:\WINDOWS\NETSTAT.EXE
C:\WINDOWS\SYSTEM\WINOA386.MOD
C:\PROGRAM FILES\ANALOGX\MAXMEM\MAXMEM.EXE
C:\PROGRAM FILES\FOXMAIL\FOXMAIL.EXE
C:\HIJACKTHIS\HIJACKTHIS.EXE
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mobile.wunderground.com/auto/mobile/-edited out-.html?feature=animatedzoomradar
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\ACROBAT\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVG7\AVGAMSVR.EXE
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Gene USB Monitor] C:\WINDOWS\SYSTEM\USBMonit.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVG7\AVGCC.EXE /STARTUP
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - HKUS\.DEFAULT\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY (User 'Default user')
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
--
End of file - 2602 bytes
I have a win98SE laptop PII-300, dial-up, 256Mram, full updates, incl the unofficial service pack, AVG7.5 S&D1.5 and run a manually update Adaware SE occasionally..
Recently I noticed that my NETSTAT -a 30 command was showing a pair of established links to 007guard.com every time I opened a browser link (IE or KMELEON) or retrieved my email (foxmail 5)
A pair of connections to 007guard.com at random ports, or to ONE random port plus pop3 with email.
Ok.. I checked my hosts file, 007guard.com is re-routed with the S&D host file, to 127.0.0.1 so HOPEFULLY nothing is getting through (???)
So time to clean house..
HJT showed nothing particular
Fxit 3 showed nothing particular
AVG, S&D, AAWareSE nadda...
Still there... wait.. now I dont get it when
only using IE 6 (sp1)
It shows up with foxmail and kmeleon..
Hmmph..
Went through the registry looking for stuff that shouldnt be there with Foxmail.. nadda. With FOXHOT (the hotmail proxy) nadda
Went to Kaspersky, Norton etc pages, looked up 007guard.com , searched manually for the usual files associated with it... NOpe..
Removed dial-upnetwork stack, re-installed it.. nope..
Used the cexx(?) network remover, re-installed
dial-up networking.. Still there..
Got a host file editor or 2, added some more 127.0.0.1
entries ENSURED THEY WERE ALL 127.0.0.1 entries, removed ###COMMENTS...
Now 007guard.com is gone and I get localhost connections, in pairs at random ports. Its the same problem because I get the pop3 localhost connections too..
I am stumped! There are not too many programs I can scan with with a WIN98SE system.. (oh! - add clamwin and SPYWARE TERMINATOR, and all the others in SAFE MODE.. I even removed the 2 Microsoft funny long number hotfixes.. no help..)
I am worried that before I removed the #comments from the host files, stuff WAS GETTING THROUGH to 007guard.com
HOLY KEYLOGGER BATMAN!
Obviously some dirtbag at 007guard.com has updated their little nasty thing..
I can think of a proper way to remove 007guard.com for good, and it would start at someone's kneecaps...
Hmmmmmmm.... until then...
Please.. Any news on NEW VARIANTS.. suggestions, and some reassurances that the S&D host file entries originally installed WERE routing the 007guard.com back to 127.0.0.1, even though netstat was showing ESTABLISHEDD connections on all kinds of random ports before I removed all ###comments## ???????
Well, I have to thank the Spybot S&D team for a progie that still works on WIN98SE...
Some of us cant give it up yet..
Any trolls who say Linux or XP can buy me a laptop that will handle those..
So thanks for still keeping 98SE going...
I thought it was too simple to get picked on..
Hmmmph!
Oh here is my HJT log, from 2 mins ago:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:21:25 PM, on 3/4/08
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\GRISOFT\AVG7\AVGAMSVR.EXE
C:\WINDOWS\SYSTEM\USBMONIT.EXE
C:\PROGRAM FILES\GRISOFT\AVG7\AVGCC.EXE
C:\WINDOWS\RunDLL.exe
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\3WEB\3WEB.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\SYSTEM\INTERNAT.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\K-MELEON\K-MELEON.EXE
C:\WINDOWS\NETSTAT.EXE
C:\WINDOWS\SYSTEM\WINOA386.MOD
C:\PROGRAM FILES\ANALOGX\MAXMEM\MAXMEM.EXE
C:\PROGRAM FILES\FOXMAIL\FOXMAIL.EXE
C:\HIJACKTHIS\HIJACKTHIS.EXE
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mobile.wunderground.com/auto/mobile/-edited out-.html?feature=animatedzoomradar
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\ACROBAT\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVG7\AVGAMSVR.EXE
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Gene USB Monitor] C:\WINDOWS\SYSTEM\USBMonit.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVG7\AVGCC.EXE /STARTUP
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - HKUS\.DEFAULT\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY (User 'Default user')
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
--
End of file - 2602 bytes