Are all the Red results bad spyware?



AdanVdo
2008-06-06, 16:16
I am trying really hard to understand all that I've read, but it just isn't 'jelling' for me. Basically, I've been fighting with this computer for five days now, and am exhausted. :mad: Might someone please tell me if all of the following red results are baddies? Do I have a virus or malware?



WonWebLauncherControl: [SBI $26E3C4F6] Root class (Registry key, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WONWebLauncherControl.WONWebLauncher

WonWebLauncherControl: [SBI $26E3C4F6] Root class (Registry key, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WONWebLauncherControl.WONWebLauncher.1

WonWebLauncherControl: [SBI $26E3C4F6] Class ID (Registry key, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A031D222-B496-11D2-9CC8-00105A10AAF6}

RealDownloadExpress: [SBI $1EDE24BC] Root class (Registry key, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\RealDownloadExpress.IE

RealDownloadExpress: [SBI $1EDE24BC] Root class (Registry key, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\RealDownloadExpress.IE.1

RealDownloadExpress: [SBI $1EDE24BC] Class ID (Registry key, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{56336BCB-3D8A-11d6-A00B-0050DA18DE71}

RealDownloadExpress: [SBI $3BB925FD] Class ID (Registry key, nothing done)
HKEY_CLASSES_ROOT\TypeLib\{FDF5CDE5-17A6-40B3-A544-A8527AE8B243}

--- Spybot - Search & Destroy version: 1.5.2 (build: 20080128) ---

2008-06-02 unins000.exe (51.49.0.0)
2008-01-28 blindman.exe (1.0.0.7)
2008-01-28 SDMain.exe (1.0.0.5)
2008-01-28 SDUpdate.exe (1.0.8.8)
2008-01-28 SDWinSec.exe (1.0.0.11)
2007-10-07 SDShred.exe (1.0.1.2)
2008-01-28 SDDelFile.exe (1.0.2.4)
2008-01-28 SpybotSD.exe (1.5.2.20)
2008-01-28 TeaTimer.exe (1.5.2.16)
2008-01-28 Update.exe (1.4.0.6)
2008-01-28 advcheck.dll (1.5.4.5)
2007-04-02 aports.dll (2.1.0.0)
2008-01-28 SDFiles.dll (1.5.1.19)
2007-11-17 DelZip179.dll (1.79.7.4)
2008-01-28 SDHelper.dll (1.5.0.11)
2008-01-28 Tools.dll (2.1.3.3)
2007-12-26 Includes\Dialer.sbi (*)
2008-05-28 Includes\Cookies.sbi (*)
2008-05-28 Includes\Revision.sbi (*)
2008-05-28 Includes\Hijackers.sbi (*)
2008-05-28 Includes\Malware.sbi (*)
2008-04-30 Includes\Keyloggers.sbi (*)
2008-03-26 Includes\PUPS.sbi (*)
2008-01-09 Includes\Security.sbi (*)
2008-04-16 Includes\Spybots.sbi (*)
2008-04-16 Includes\Spyware.sbi (*)
2008-04-16 Includes\Adware.sbi (*)
2008-05-28 Includes\Trojans.sbi (*)
2007-11-06 Includes\Tracks.uti
2008-05-28 Includes\TrojansC.sbi (*)
2008-05-28 Includes\SpybotsC.sbi (*)
2008-05-28 Includes\SecurityC.sbi (*)
2008-05-28 Includes\PUPSC.sbi (*)
2008-05-28 Includes\MalwareC.sbi (*)
2008-05-28 Includes\KeyloggersC.sbi (*)
2008-05-28 Includes\HijackersC.sbi (*)
2008-05-28 Includes\DialerC.sbi (*)
2008-05-28 Includes\HeavyDuty.sbi (*)
2008-05-28 Includes\AdwareC.sbi (*)
2008-05-28 Includes\SpywareC.sbi (*)
2008-03-04 Plugins\Chai.dll
2007-12-24 Plugins\TCPIPAddress.dll
2008-03-05 Plugins\Fennel.dll
2008-02-26 Plugins\Mate.dll

pskelley
2008-06-07, 15:10
Welcome to Safer Networking, I wish to be sure you have viewed and understand this information.
"BEFORE you POST" (READ this Procedure before Requesting Assistance)
http://forums.spybot.info/showthread.php?t=288
All advice given is taken at your own risk.
Please make sure you have read this information so we are on the same page.

I understand it can be confusing at times, let me see if I can help a little. This is the malware removal forum and for us to help we need information, I have posted a link to that information above and it is also pinned (sticky) to the top of the forum.

http://forums.spybot.info/forumdisplay.php?f=4 <<< this is where the Spybot S&D experts reside, they work with this tool and the results of Spybot scans all of the time and we work with general malware removal. What you have posted are items Spybot is finding in the registry and if Spybot says they are bad, you can remove them to "Recovery" (like quarantine but you can recover what you move there in an emergency).
If you open your Spybot S&D program and click "Help" at the top then Tutorial you will get information you should review to help you understand how Spybot S&D works. If you have Spybot S&D issues you cannot resolve, then post your query for the experts in the link I provided.

If you have malware issues, then read and follow the instructions in "Before you Post".

Thanks...Phil

AdanVdo
2008-06-14, 06:36
http://forums.spybot.info/forumdisplay.php?f=4 <<< this is where the Spybot S&D experts reside, they work with this tool and the results of Spybot scans all of the time and we work with general malware removal.

Thanks for answering my request for help, Phil. I've been checking the other Forum http://forums.spybot.info/forumdisplay.php?f=17 for an answer, but forgot to look here, until tonight. I truly appreciate your response.

I had read all those instructions earlier, but got confused by some of the terms (like, what is a "HJT log") - so, I just kind of gave up trying to understand, and took the plunge to post here. But before I posted my request for help here, I did go to the Kaspersky website, tried to download all the prerequisites, then realized it wouldn't work on my old OS & old computer!
:sad:


If you open your Spybot S&D program and click "Help" at the top then Tutorial you will get information you should review to help you understand how Spybot S&D works. If you have Spybot S&D issues you cannot resolve, then post your query for the experts in the link I provided.

Actually, I've read the "Help" section several times, but it's written for someone with more computer knowledge than I have. If I understand your reply correctly, this is NOT a Malware issue; and I should endeavor to try again in the other Forum after downloading the HJTInstall.exe

Thanks again for being so nice & patient with me.:heart:

I was afraid to get rid of the things I thought were Registry Keys (whatever they are!?) because I've read they are critically important, but one of the links you provided helped me understand that action can be recovered. (But what if I can't get back online after fixing those registry keys?...do they impact me getting back online?:oops:)

AdanVdo

pskelley
2008-06-14, 14:23
Good morning, if you are asking about fixing stuff that Spybot finds, I can say that I have been using Spybot S&D for ten years and it has never removed anything that caused me a problem and I can also say that anything it removes is placed in a folder called (Recovery), kind of Spybot's answer to quarantine, and all items can be recovered from there. Here is a little information:
How to
http://ict.cas.psu.edu/training/howto/util/removespybot.htm
Recovery
http://ict.cas.psu.edu/training/howto/util/removespybot.htm#1

I am not sure if I can help you at all, start with a HijackThis log. Follow these instructions:

Download Trend Micro Hijack This™ to your Desktop
http://download.bleepingcomputer.com/hijackthis/HJTInstall.exe
Double-click the HJTInstall.exe to start it.
By default it will install HijackThis in the Program Files\Trendmicro folder and create a desktop shortcut.
HijackThis will open after install. Press the Scan button below.
This will start the scan and open a log.
Copy and paste the contents of the log in your next reply.

http://www.webmasternow.com/copyandpaste.html

Thanks...Phil

AdanVdo
2008-06-15, 00:28
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:03:47 AM, on 6/14/08
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\PROGRAM FILES\TINY PERSONAL FIREWALL\PERSFW.EXE
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\GRISOFT\AVG7\AVGAMSVR.EXE
C:\WINDOWS\SYSTEM\E_S6I2C1.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\TOAST.NET ACCELERATOR\TOASTCORE.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\LTDAEMON.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\RunDLL.exe
C:\WINDOWS\DESKTOP\PROGS\SPYWARE CHECKERS\SPYBOT - SEARCH & DESTROY\SPYBOT - SEARCH & DESTROY\TEATIMER.EXE
C:\PROGRAM FILES\TOAST.NET ACCELERATOR\TOASTGUI.EXE
C:\WINDOWS\SYSTEM\LEXBCES.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\LEXPPS.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE
C:\WINDOWS\SYSTEM\WBEM\WINMGMT.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.toast.net/start/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ycomp_adbe/defaults/sb/*http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ycomp_adbe/defaults/sp/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.toast.net/start/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.toast.net/start/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.yahoo.com/ext/hp/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.toast.net/start/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
N1 - Netscape 4: user_pref("browser.startup.homepage", "http://www.toast.net/start/"); (C:\Program Files\Netscape\Users\fake_alias\prefs.js)
O2 - BHO: BrowserHelper Class - {EBCDDA60-2A68-11D3-8A43-0060083CFB9C} - C:\WINDOWS\SYSTEM\NZDD.DLL
O2 - BHO: (no name) - {863F4140-1812-11D8-9F06-444553540000} - (no file)
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\PROGRAM FILES\MSN APPS\MSN TOOLBAR\01.02.5000.1021\EN-US\MSNTB.DLL
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\PROGRAM FILES\MSN APPS\ST\01.03.0000.1005\EN-XU\STMAIN.DLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: NOW!Imaging - {9AA2F14F-E956-44B8-8694-A5B615CDF341} - C:\PROGRAM FILES\TOAST.NET ACCELERATOR\COMPONENTS\NOWIMAGING.DLL
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\WINDOWS\DESKTOP\PROGS\SPYWAR~1\PCTOOL~1\SPYWAR~1\TOOLS\IESDPB.DLL
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\WINDOWS\DESKTOP\PROGS\SPYWAR~1\PCTOOL~1\SPYWAR~1\TOOLS\IESDSG.DLL
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\PROGRAM FILES\MSN APPS\MSN TOOLBAR\01.02.5000.1021\EN-US\MSNTB.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: TOAST.net Accelerator - {8B79EE88-E62D-4AA8-B530-CC357BA112B7} - C:\PROGRAM FILES\TOAST.NET ACCELERATOR\TOOLBAND.DLL
O4 - HKLM\..\Run: [BIDTech StrtMenu] C:\WINDOWS\DESKTOP\PROGS\STRTMENU\STRTMENU.EXE /auto
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVG7\AVGAMSVR.EXE
O4 - HKLM\..\Run: [EPSON Stylus CX3800 Series] C:\WINDOWS\SYSTEM\E_S6I2C1.EXE /P26 "EPSON Stylus CX3800 Series" /O7 "EPUSB1:" /M "Stylus CX3800"
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [SlipStream] "C:\Program Files\TOAST.net Accelerator\toastcore.exe"
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LT DAEMON] C:\WINDOWS\SYSTEM\ltdaemon.exe
O4 - HKLM\..\RunServices: [PersFw] C:\Program Files\Tiny Personal Firewall\persfw.exe
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - HKCU\..\Run: [EPSON Stylus Photo 820 Series] C:\WINDOWS\SYSTEM\E_S10IC2.EXE /A "C:\WINDOWS\SYSTEM\E_S9094.TMP"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\WINDOWS\Desktop\Progs\Spyware checkers\Spybot - Search & Destroy\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\.DEFAULT\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [EPSON Stylus Photo 820 Series] C:\WINDOWS\SYSTEM\E_S10IC2.EXE /A "C:\WINDOWS\SYSTEM\E_S9094.TMP" (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [SpybotSD TeaTimer] C:\WINDOWS\Desktop\Progs\Spyware checkers\Spybot - Search & Destroy\Spybot - Search & Destroy\TeaTimer.exe (User 'Default user')
O4 - .DEFAULT Startup: PowerReg SchedulerV2.exe (User 'Default user')
O4 - .DEFAULT Startup: TOAST.net Accelerator.lnk = C:\Program Files\TOAST.net Accelerator\toastgui.exe (User 'Default user')
O4 - Startup: PowerReg SchedulerV2.exe
O4 - Startup: TOAST.net Accelerator.lnk = C:\Program Files\TOAST.net Accelerator\toastgui.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: Add to filterlist (WebWasher) - http://-Web.Washer-/ie_add
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O14 - IERESET.INF: START_PAGE_URL=http://home.bellsouth.net
O16 - DPF: Tarantella Framework Java Archive - http://www.runaware.com/tarantella/java/asad-du.cab
O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {7CF052DE-C74F-421B-B04A-3B3037EF5887} (CCMPGui Class) - http://64.124.45.181/chaincast/proxy/CCMP.cab
O16 - DPF: HushEncryptionEngine - https://mailserver2.hushmail.com/hushmail/HushEncryptionEngine.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003120501/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (sys Class) - http://pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: ChatSpace Java Client 2.1.0.91L - http://65.106.39.246:8001/Java/cs4msl091.cab
O16 - DPF: {1DEFB8C0-22A7-4E58-B735-43A169CDA2AB} (CWDL_DownLoadControl Class) - http://www.callwave.com/include/cab/CWDL_DownLoad.CAB
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v43/yacscom.cab
O16 - DPF: {47F591A2-8783-11D2-8343-00A0C945A819} (RFXPlayer Class) - http://download.richfx.com/player/mediaversion/005/latest/twophase.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/potc_x.cab
O16 - DPF: ConferenceRoom Java Client - http://mail.igl.net:8000/java/cr.cab
O16 - DPF: {09C6CAC0-936E-40A0-BC26-707480103DC3} - http://www.uproar.com/applets/activex/shizmoo/flipside_web18.cab
O16 - DPF: Yahoo! Spelldown - http://download.games.yahoo.com/games/clients/y/sdt1_x.cab
O16 - DPF: Dice Derby by pogo.com - http://checkeredflag.pogo.com/applet/checkeredflag/checkeredflag-ob-assets.cab
O16 - DPF: Hammerhead Pool by pogo.com - http://pool23.pogo.com/applet/pool/pool-ob-assets.cab
O16 - DPF: Payday FreeCell by pogo.com - http://freecell.pogo.com/applet/freecell/freecell-ob-assets.cab
O16 - DPF: Poppit! TM by pogo.com - http://poppit24.pogo.com/applet/poppit/poppit-ob-assets.cab
O16 - DPF: Turbo 21 TM by pogo.com - http://turbo06.pogo.com/applet/turbo21/turbo21-ob-assets.cab
O16 - DPF: Yahoo! Spades - http://download.games.yahoo.com/games/clients/y/st2_x.cab
O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real.com/gameconsole/Bundler/CAB/RealArcadeRdxIE.cab
O16 - DPF: {A7EA8AD2-287F-11D3-B120-006008C39542} (CBSTIEPrint Class) - http://offers.brightstreet.com/cif/download/bin/actxcab.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O16 - DPF: {F5820AD3-9B20-423E-B2AA-7AF2B4055746} (CRegistryDownload Class) - http://download.paltalk.com/download/0.x/regdload.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab
O16 - DPF: {9AA73F41-EC64-489E-9A73-9CD52E528BC4} (ZoneAxRcMgr Class) - http://zone.msn.com/binGame/ZAxRcMgr.cab
O16 - DPF: {01CA75F1-054B-4A63-9221-C6926369EC52} (HS_live Control) - http://install.homestead.com/~site/InstallFiles/SIFiles/lpxlive/HS_live.cab
O16 - DPF: {38911EED-5726-41B4-9612-265534EC7A13} (Address Magic Web Edition Download Stub) - http://www.returnpath.net/registration/WebEdition.cab
O16 - DPF: {4F5E4276-C120-11D6-A1FD-00508B9D48EA} (dldisplay Class) - http://www.gamehouse.com/ghdlctl.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab27513.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by24fd.bay24.hotmail.msn.com/activex/HMAtchmt.ocx

--
End of file - 10339 bytes

---------------------------My Comments/questions---------------------
It all looks harmless to me:angel:
I'm wondering how to clean up all those remnants of games I once looked at, but thought I deleted? Also, I use Firefox as my browser. Do I need to be concerned about what is done to Internet Explorer?

pskelley
2008-06-15, 01:11
Thanks for posting the HJT log, now that I see your Operating System I can tell you that I also have an old Compaq that runs like a new computer, but since it is no longer supported by Microsoft (see the information in the links) I rarely take it out of the garage anymore, and then only to quickly update a few programs. Without security support I would never think of surfing or doing most anything online, as dangerous as the internet is anymore.
http://www.microsoft.com/windows/support/endofsupport.mspx
End of support for Windows 98, Windows Me, and Windows XP Service Pack 1


I'm wondering how to clean up all those remnants of games I once looked at, but thought I deleted? Also, I use Firefox as my browser. Do I need to be concerned about what is done to Internet Explorer?

I will do what I can. Firefox is considered safer, but in my opinion that is only because hackers go after numbers and that is Internet Explorer. In your case, without security updates, if you spend any time online, no matter what browser you use, you will get infected.

C:\PROGRAM FILES\GRISOFT\AVG7\AVGAMSVR.EXE <<< to my knowledge, AVG7 (free) expired 5/31/2008. I am not 100% positive this applies to Windows 98 but I sure believe so. You should have been getting prompts from AVG to update for a while now...let me know if this is the case.

I'll clean what I see and you can let me know what else you wish to get rid of.

1) We need first to disable TeaTimer so that it doesn't interfere with fixes. You can re-enable it when you're clean again:
* Run Spybot-S&D in Advanced Mode.
* If it is not already set to do this, go to the Mode menu and select "Advanced Mode"
* On the left hand side, Click on Tools
* Then click on the Resident Icon in the List
* Uncheck "Resident TeaTimer" and OK any prompts.
* Restart your computer.

2) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/cust.../www.yahoo.com
O2 - BHO: BrowserHelper Class - {EBCDDA60-2A68-11D3-8A43-0060083CFB9C} - C:\WINDOWS\SYSTEM\NZDD.DLL
O2 - BHO: (no name) - {863F4140-1812-11D8-9F06-444553540000} - (no file)
O4 - .DEFAULT Startup: PowerReg SchedulerV2.exe (User 'Default user')
O4 - Startup: PowerReg SchedulerV2.exe

(the next 8 you may keep any you use)

O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/game...s/y/potc_x.cab
O16 - DPF: Yahoo! Spelldown - http://download.games.yahoo.com/game...s/y/sdt1_x.cab
O16 - DPF: Dice Derby by pogo.com - http://checkeredflag.pogo.com/applet...-ob-assets.cab
O16 - DPF: Hammerhead Pool by pogo.com - http://pool23.pogo.com/applet/pool/pool-ob-assets.cab
O16 - DPF: Payday FreeCell by pogo.com - http://freecell.pogo.com/applet/free...-ob-assets.cab
O16 - DPF: Poppit! TM by pogo.com - http://poppit24.pogo.com/applet/popp...-ob-assets.cab
O16 - DPF: Turbo 21 TM by pogo.com - http://turbo06.pogo.com/applet/turbo...-ob-assets.cab
O16 - DPF: Yahoo! Spades - http://download.games.yahoo.com/game...ts/y/st2_x.cab

(make sure to delete the next two...adware)

O16 - DPF: {A7EA8AD2-287F-11D3-B120-006008C39542} (CBSTIEPrint Class) - http://offers.brightstreet.com/cif/d...in/actxcab.cab
O16 - DPF: {F5820AD3-9B20-423E-B2AA-7AF2B4055746} (CRegistryDownload Class) - http://download.paltalk.com/download/0.x/regdload.cab

Close all programs but HJT and all browser windows, then click on "Fix Checked"

Run Clean Manager
http://spyware-free.us/tutorials/cleanmgr/

Restart and post a new HJT log, tell me how the computer is running.

Thanks
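
The triage Phil walks through above (an orphaned BHO with "(no file)", ActiveX controls from adware hosts, game controls you may keep) can be applied mechanically to HijackThis lines. This is an added example, not code from the thread, Spybot or HijackThis; the host and startup lists are assumptions drawn only from this post, and anything they do not match is left as "review" for a human.

```python
import re
from urllib.parse import urlsplit

# Constructed sample: eight lines in the shape HijackThis 2.0.2 writes them
# (R1 = IE registry setting, O2 = browser helper object, O4 = autostart
# entry, O16 = downloaded ActiveX "DPF" control).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
O2 - BHO: BrowserHelper Class - {EBCDDA60-2A68-11D3-8A43-0060083CFB9C} - C:\WINDOWS\SYSTEM\NZDD.DLL
O2 - BHO: (no name) - {863F4140-1812-11D8-9F06-444553540000} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O4 - Startup: PowerReg SchedulerV2.exe
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/potc_x.cab
O16 - DPF: {A7EA8AD2-287F-11D3-B120-006008C39542} (CBSTIEPrint Class) - http://offers.brightstreet.com/cif/download/bin/actxcab.cab
O16 - DPF: {F5820AD3-9B20-423E-B2AA-7AF2B4055746} (CRegistryDownload Class) - http://download.paltalk.com/download/0.x/regdload.cab
"""

# Assumed lists, built only from what this thread says: hosts it calls
# adware, hosts that serve browser games (keep if still used), and the
# autostart entry it tells the user to fix.
ADWARE_HOSTS = {"offers.brightstreet.com", "download.paltalk.com"}
GAME_HOST_SUFFIXES = ("games.yahoo.com", "pogo.com")
JUNK_STARTUP = {"PowerReg SchedulerV2.exe"}

ENTRY_RE = re.compile(r"^(?P<code>[RNOF]\d+) - (?P<body>.+)$")
FIELD_RES = {
    "O2": re.compile(r"^BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.*)$"),
    "O16": re.compile(r"^DPF: (?P<name>.*?) - (?P<url>https?://\S+)$"),
    "O4": re.compile(r"^(?P<where>.*?): (?P<what>.*)$"),
}


def parse_entry(line):
    """Split one HJT line into (code, fields); None if it is not an entry."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    code, body = m.group("code"), m.group("body")
    rx = FIELD_RES.get(code)
    sub = rx.match(body) if rx else None
    return code, (sub.groupdict() if sub else {"raw": body})


def triage_entry(code, f):
    """Verdict for one parsed entry: 'fix', 'optional' or 'review'."""
    if code == "O2" and "path" in f:
        if f["path"] == "(no file)":
            # CLSID still registered but the DLL is gone: dead entry, safe to fix.
            return "fix: orphaned BHO " + f["clsid"]
        return "review: BHO loads " + f["path"]
    if code == "O16" and "url" in f:
        host = urlsplit(f["url"]).hostname or ""
        if host in ADWARE_HOSTS:
            return "fix: ActiveX control from adware host " + host
        if host.endswith(GAME_HOST_SUFFIXES):
            return "optional: browser-game control from " + host
        return "review: ActiveX control from " + host
    if code == "O4" and "what" in f:
        if f["what"] in JUNK_STARTUP:
            return "fix: autostart " + f["what"]
        return "review: autostart " + f["what"]
    return "review: " + f.get("raw", "")


def triage_log(text):
    """Map every entry line of a log to its verdict; other lines are skipped."""
    results = {}
    for line in text.splitlines():
        parsed = parse_entry(line)
        if parsed:
            results[line.strip()] = triage_entry(*parsed)
    return results


if __name__ == "__main__":
    for line, verdict in triage_log(SAMPLE_LOG).items():
        print(f"{verdict:<55} <- {line[:60]}")
```

Running it prints one verdict per log line; the NZDD.DLL BHO Phil also removes stays at "review" because nothing in the lists above covers it, which is the point: the script sorts the obvious cases and leaves judgement calls to the helper.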

AdanVdo
2008-06-15, 19:58
Thanks again Phil,

It's comforting to know you haven't given up on this old machine. I'll get on the Fixes you've given me asap. But meanwhile, I have more questions of a more general nature.

I know that Trojans can install their own nasty little programs. But, if Spybot gets rid of the Trojan, can their 'stuff' still be on my system? I'm asking this because when I did the initial Spybot scan that started this thread, I DID get rid of some Red things.

Those were items that Spybot said were left behind by Trojans and not needed or useful for me.

So, now the Trojans are gone? .....and the 'poop' they generated were found by Spybot....and now are gone too because I let Spybot clean it up? Is that how this works?

pskelley
2008-06-15, 20:23
I will post here instead of in PM, first you need to read the link from Microsoft I posted especially this:

Microsoft is retiring support for these products because they are outdated and can expose customers to security risks. We recommend that customers who are still running Windows 98 or Windows Me upgrade to a newer, more secure Microsoft operating system, such as Windows XP, as soon as possible.

You will be the first case of Grisoft extending support to AVG 7 that I have ever heard of. I do have free antivirus programs that will run on Windows 98.

Having said that, because of what even Microsoft has to say, I personally would never use the Operating System online for anything that requires security.

When you talk about trojans, that can mean a lot of malware, have a look at this generic information:
http://www.symantec.com/security_response/writeup.jsp?docid=2001-062614-1754-99

When any member who posts here has one of these backdoor trojans in their HJT log, I give them this information right away:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
http://www.dslreports.com/faq/10451
When Should I Format, How Should I Reinstall
http://www.dslreports.com/faq/10063
My advice to you would have to be, if you need to do anything online, bill paying, banking, online shopping (that requires use of Credit Card numbers) or anything else of a secure nature, I would NOT do it on a computer running Windows 98.
http://www.google.com/search?hl=en&q=Windows+98+and+security&btnG=Search

Thanks

AdanVdo
2008-06-20, 19:43
Sorry it took so long to do what you directed. I had to go online to download HijackThis several times because it wouldn't work, at first.

My friend is hopefully bringing her computer to me this Saturday. So, meanwhile I'm trying to stay off the Net (I've read all the material in the links - and more). I understand better, now, that this computer isn't safe to use for my usual activities. I know where one of the trojans came from, and that it was introduced through Paltalk.

Would you, please, glance at two reports from HJT and tell me if I can safely delete a few more Registry entries the same way as you instructed before? The "HJTlog" done after the fix, and the "HJT Startup List Log".

pskelley
2008-06-24, 17:26
Would you, please, glance at two reports from HJT and tell me if I can safely delete a few more Registry entries the same way as you instructed before? The "HJTlog" done after the fix, and the "HJT Startup List Log".

I am not really sure what you are asking, and no reports were posted. This is not really what I do. Here are some resources that might help:

http://www.bleepingcomputer.com/startups/
http://netsquirrel.com/msconfig/
http://www.pacs-portal.co.uk/startup_index.htm
http://computercops.biz/StartupList.html
http://www.sysinfo.org/startuplist.php

Thanks

pskelley
2008-06-26, 23:59
Some good information for you:
http://users.telenet.be/bluepatchy/miekiemoes/slowcomputer.html
http://www.microsoft.com/windowsxp/using/helpandsupport/learnmore/tips/mcgill1.mspx

Here is some great information from experts in this field that will help you stay clean and safe online.
http://users.telenet.be/bluepatchy/miekiemoes/prevention.html
http://forums.spybot.info/showthread.php?t=279
http://russelltexas.com/malware/allclear.htm
http://forum.malwareremoval.com/viewtopic.php?t=14
http://www.bleepingcomputer.com/forums/topict2520.html
http://cybercoyote.org/security/not-admin.shtml

http://www.malwarecomplaints.info/

Thanks...pskelley
Safer Networking Forums
http://www.spybot.info/en/donate/index.html
If you are reading this information...thank a teacher,
If you are reading it in English...thank a soldier.