
help on spyware win98

Discussion in 'Malware and Virus Removal Archive' started by johngkerr, 2007/12/27.

  1. 2007/12/27
    johngkerr

    johngkerr Inactive Thread Starter

    Joined:
    2002/10/22
    Messages:
    193
    Likes Received:
    0
    I have a friend who has a computer with Win98. He has some spyware that put an icon of a red circle with a red X over it on his toolbar. This program runs in safe mode.
    Spybot and adware don't find it. Also, when I try to run regedit, a popup window comes up saying regedit has been blocked by your administrator??????
    The spyware runs popups that say your computer has a virus and you need to run guard scanner.
    If you click OK in this box it runs Internet Explorer to a web site that tries to sell you a scan program for money.
    It will not let you close Internet Explorer; the only way out of the loop is to shut down your computer??????
    Help:confused::mad:
     
  2. 2007/12/27
    mailman Lifetime Subscription

    mailman Geek Member

    Joined:
    2004/01/17
    Messages:
    1,901
    Likes Received:
    11
    Hi, johngkerr. :)

    Please carefully follow the instructions in this link and paste the HijackThis v2.0.2 log here in this thread.


    NOTE: The Deckard's System Scanner will not run on Windows 98 so you can skip downloading that application.
     


  4. 2008/01/05
    johngkerr

    johngkerr Inactive Thread Starter

    Joined:
    2002/10/22
    Messages:
    193
    Likes Received:
    0
    hijackthis log

    This is the log from my friend's computer:


    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 6:28:09 PM, on 1/4/08
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\WINDOWS\SYSTEM\AOLFIX.EXE
    C:\WINDOWS\SYSTEM\MSGLOOP.EXE
    c:\windows\SYSTEM\KB891711\KB891711.EXE
    C:\WINDOWS\SYSTEM\MSG32.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\KB918547\KB918547.EXE
    C:\WINDOWS\SYSTEM\HIDSERV.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\SYSTEM\RNAAPP.EXE
    C:\WINDOWS\SYSTEM\TAPISRV.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS\SYSTEM\HPSYSDRV.EXE
    C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMKEYBD.EXE
    C:\WINDOWS\SYSTEM\USBMMKBD.EXE
    C:\WINDOWS\SYSTEM\STIMON.EXE
    C:\WINDOWS\RunDLL.exe
    C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\WORKS SHARED\WKCALREM.EXE
    C:\WINDOWS\DESKTOP\MY SOFTWARE\MOUSEWARE\SYSTEM\EM_EXEC.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\KEYBDMGR.EXE
    C:\PROGRAM FILES\NETROPA\ONSCREEN DISPLAY\OSD.EXE
    C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMUSBKB2.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\PROGRAM FILES\TREND MICRO\HIJACKTHIS\HIJACKTHIS.EXE
    C:\WINDOWS\SYSTEM\WBEM\WINMGMT.EXE

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.yahoo.com/p/hp/us/?http://hp.yahoo.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = www.yahoo.com
    O2 - BHO: H - {CC9BC69C-F035-46bc-A67B-353B8BAE61CD} - qwww1m.dll (file missing)
    O2 - BHO: WindowsUpdate Class - {B3B010A1-A877-4CD7-BAB5-9EE8F9965E20} - C:\WINDOWS\TEMP\IEOBJ.DLL
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
    O4 - HKLM\..\Run: [TCASUTIEXE] TCAUDIAG.EXE -off
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [AtiKey] Atitask.exe
    O4 - HKLM\..\Run: [InstallAurealDemos] C:\windows\temp\InstallAurealDemos.js //b
    O4 - HKLM\..\Run: [HPScanPatch] C:\WINDOWS\SYSTEM\HPScanFix.exe
    O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
    O4 - HKLM\..\Run: [Keyboard Manager] C:\Program Files\Netropa\One-touch Multimedia Keyboard\MMKeybd.exe
    O4 - HKLM\..\Run: [USBMMKBD] usbmmkbd.exe
    O4 - HKLM\..\Run: [System Helper] syshlp.exe
    O4 - HKLM\..\Run: [AtiCwd32] Aticwd32.exe
    O4 - HKLM\..\Run: [Logitech Utility] LOGI_MWX.EXE
    O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [Hidserv] Hidserv.exe run
    O4 - HKLM\..\RunServices: [AolFix] C:\windows\system\AolFix.exe
    O4 - HKLM\..\RunServices: [KB891711] c:\windows\SYSTEM\KB891711\KB891711.EXE
    O4 - HKLM\..\RunServices: [KB918547] C:\WINDOWS\SYSTEM\KB918547\KB918547.EXE
    O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
    O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
    O4 - HKUS\.DEFAULT\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe" (User 'Default user')
    O4 - HKUS\.DEFAULT\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY (User 'Default user')
    O4 - .DEFAULT Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe (User 'Default user')
    O4 - .DEFAULT Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE (User 'Default user')
    O4 - Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
    O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
    O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
    O9 - Extra button: RealGuide - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
    O12 - Plugin for .pdf: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
    O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
    O22 - SharedTaskScheduler: Windows Installer Class - {24E31EA9-FCE2-404F-BD80-20543565D946} - C:\windows\TEMP\~~install.dll

    --
    End of file - 4763 bytes

    Please help :confused:
     
  5. 2008/01/06
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Joined:
    2003/03/02
    Messages:
    4,580
    Likes Received:
    7
    Hi johngkerr
    Sorry for the late reply, kind of busy here. :rolleyes:

    Please go to Control Panel > Add/Remove Programs and remove the following (if present):

    System Helper

    Please note any other programs that you don't recognize in that list and post them in your next response.


    Please re-open HiJackThis and scan only. Check the boxes next to all the entries listed below.

    O2 - BHO: H - {CC9BC69C-F035-46bc-A67B-353B8BAE61CD} - qwww1m.dll (file missing)
    O2 - BHO: WindowsUpdate Class - {B3B010A1-A877-4CD7-BAB5-9EE8F9965E20} - C:\WINDOWS\TEMP\IEOBJ.DLL
    O4 - HKLM\..\Run: [System Helper] syshlp.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present << Fix if they did not set restrictions themselves
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present << Fix also as above.
    O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
    O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1


    Using Windows Explorer (to get there right-click your Start button and go to "Explore"), please delete these files (if present):
    Please look in these locations for this file; I am not sure exactly which one it would be located in.

    C:\WINDOWS\SYSTEM\SYSHLP.EXE
    C:\Windows\SYSTEM32\NPP\syshlp.exe
    C:\Windows\SYSTEM32\syshlp.exe


    After that, Reboot.

    Please post a New HJT Log into this Thread.
    Let me know how things are.

    Thanks
    Geri
     
    Geri,
    #4
  6. 2008/01/06
    johngkerr

    johngkerr Inactive Thread Starter

    Joined:
    2002/10/22
    Messages:
    193
    Likes Received:
    0
    still have problem

    I ran HijackThis and fixed what you said but it did not fix the problem. I still cannot run regedit. I also ran ATF and regclean. This is the log from HijackThis:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 3:15:54 PM, on 1/6/08
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\WINDOWS\SYSTEM\AOLFIX.EXE
    c:\windows\SYSTEM\KB891711\KB891711.EXE
    C:\WINDOWS\SYSTEM\KB918547\KB918547.EXE
    C:\WINDOWS\SYSTEM\HIDSERV.EXE
    C:\WINDOWS\SYSTEM\MSGLOOP.EXE
    C:\WINDOWS\SYSTEM\MSG32.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\SYSTEM\RNAAPP.EXE
    C:\WINDOWS\SYSTEM\TAPISRV.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS\SYSTEM\HPSYSDRV.EXE
    C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMKEYBD.EXE
    C:\WINDOWS\SYSTEM\USBMMKBD.EXE
    C:\WINDOWS\SYSTEM\STIMON.EXE
    C:\WINDOWS\RunDLL.exe
    C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\WORKS SHARED\WKCALREM.EXE
    C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\KEYBDMGR.EXE
    C:\WINDOWS\DESKTOP\MY SOFTWARE\MOUSEWARE\SYSTEM\EM_EXEC.EXE
    C:\PROGRAM FILES\NETROPA\ONSCREEN DISPLAY\OSD.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMUSBKB2.EXE
    C:\PROGRAM FILES\TREND MICRO\HIJACKTHIS\HIJACKTHIS.EXE
    C:\WINDOWS\SYSTEM\WBEM\WINMGMT.EXE

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.yahoo.com/p/hp/us/?http://hp.yahoo.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = www.yahoo.com
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
    O4 - HKLM\..\Run: [TCASUTIEXE] TCAUDIAG.EXE -off
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [AtiKey] Atitask.exe
    O4 - HKLM\..\Run: [InstallAurealDemos] C:\windows\temp\InstallAurealDemos.js //b
    O4 - HKLM\..\Run: [HPScanPatch] C:\WINDOWS\SYSTEM\HPScanFix.exe
    O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
    O4 - HKLM\..\Run: [Keyboard Manager] C:\Program Files\Netropa\One-touch Multimedia Keyboard\MMKeybd.exe
    O4 - HKLM\..\Run: [USBMMKBD] usbmmkbd.exe
    O4 - HKLM\..\Run: [AtiCwd32] Aticwd32.exe
    O4 - HKLM\..\Run: [Logitech Utility] LOGI_MWX.EXE
    O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [Hidserv] Hidserv.exe run
    O4 - HKLM\..\RunServices: [AolFix] C:\windows\system\AolFix.exe
    O4 - HKLM\..\RunServices: [KB891711] c:\windows\SYSTEM\KB891711\KB891711.EXE
    O4 - HKLM\..\RunServices: [KB918547] C:\WINDOWS\SYSTEM\KB918547\KB918547.EXE
    O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
    O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
    O4 - HKUS\.DEFAULT\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe" (User 'Default user')
    O4 - HKUS\.DEFAULT\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY (User 'Default user')
    O4 - .DEFAULT Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe (User 'Default user')
    O4 - .DEFAULT Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE (User 'Default user')
    O4 - Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
    O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
    O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
    O9 - Extra button: RealGuide - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
    O12 - Plugin for .pdf: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
    O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
    O22 - SharedTaskScheduler: Windows Installer Class - {24E31EA9-FCE2-404F-BD80-20543565D946} - C:\windows\TEMP\~~install.dll

    --
    End of file - 4379 bytes


    Also, this is the web page that this spyware takes you to:

     
  7. 2008/01/06
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Joined:
    2003/03/02
    Messages:
    4,580
    Likes Received:
    7
    Hi johngkerr

    Please click on Start > Run then copy and paste the contents of the code box below into the run box and click OK.
    A txt file will be placed on your desktop named HKLMSTS.txt

    Please post the contents of that here.

    Code:
    regedit /e "%userprofile%\desktop\HKLMSTS.txt" "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler"
    Thanks
    Geri
     
    Geri,
    #6
  8. 2008/01/06
    johngkerr

    johngkerr Inactive Thread Starter

    Joined:
    2002/10/22
    Messages:
    193
    Likes Received:
    0
    also

    Also, on bootup it reported an error in the config.sys file: cdrom driver not found. The file was changed to look for the driver in a dir that did not exist, "c:\cdrom\". I found the driver in c:\windows\command\, I changed the config.sys file and it found the driver on bootup OK. I will have to go back to my friend's house sometime next week, run that file and post the contents.

    thank you:)
     
  9. 2008/01/07
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Joined:
    2003/03/02
    Messages:
    4,580
    Likes Received:
    7
    Hi
    OK let me know.

    Geri
     
    Geri,
    #8
  10. 2008/01/07
    johngkerr

    johngkerr Inactive Thread Starter

    Joined:
    2002/10/22
    Messages:
    193
    Likes Received:
    0
    regedit

    did you see that
    O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
    came back after hijackthis fixed it ???
    do you think that this site can help
    http://www.2-spyware.com/remove-spysnipe.html
    also do you think this will fix regedit problem


    REGEDIT4

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
    "DisableRegedit"="0"

    thanks
     
  11. 2008/01/07
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Joined:
    2003/03/02
    Messages:
    4,580
    Likes Received:
    7
    Hi johngkerr
    did you see that
    Yes, I saw that.

    No that is not the correct regfix, the DWORD is wrong.

    I don't see SpySnipe in the HJT log; just as long as he didn't download it from the web page it should not be on the system.

    Please re-open HiJackThis and scan only. Check the boxes next to all the entries listed below.

    O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
    O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1


    Now close all windows other than HiJackThis, then click Fix Checked.

    Close HJT.

    Now run this, DO NOT restart the computer before doing this.

    Please click on Start > Run then copy and paste the contents of the code box below into the run box and click OK.
    A txt file will be placed on your desktop named HKLMSTS.txt

    Please post the contents of that here.

    Code:
    regedit /e "%userprofile%\desktop\HKLMSTS.txt" "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler"
    Thanks
    Geri
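
One way to check whether a HijackThis fix actually held, which is the question raised above when the O7 DisableRegedit entries returned: the following Python sketch is an added example (not part of the thread and not HijackThis's own logic) that diffs excerpts of the two logs posted earlier and reports flagged entries that survived the fix. The flagging rules and the names `parse`, `reasons` and `compare` are assumptions chosen for illustration.

```python
import re

# Excerpts copied from the two HijackThis logs posted in this thread
# (scan of 1/4/08, then scan of 1/6/08 after "Fix Checked").
LOG_BEFORE = r"""
O2 - BHO: H - {CC9BC69C-F035-46bc-A67B-353B8BAE61CD} - qwww1m.dll (file missing)
O2 - BHO: WindowsUpdate Class - {B3B010A1-A877-4CD7-BAB5-9EE8F9965E20} - C:\WINDOWS\TEMP\IEOBJ.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [System Helper] syshlp.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O22 - SharedTaskScheduler: Windows Installer Class - {24E31EA9-FCE2-404F-BD80-20543565D946} - C:\windows\TEMP\~~install.dll
"""

LOG_AFTER = r"""
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O22 - SharedTaskScheduler: Windows Installer Class - {24E31EA9-FCE2-404F-BD80-20543565D946} - C:\windows\TEMP\~~install.dll
"""

# A log entry is "<section> - <detail>", e.g. "O7 - HKCU\..., DisableRegedit=1".
ENTRY_RE = re.compile(r"^([RFNO]\d{1,2}) - (.+)$")

# Sections whose entries name a DLL that the browser or shell loads
# (assumption for this example: BHOs, toolbars, SharedTaskScheduler).
LOADER_SECTIONS = {"O2", "O3", "O22"}


def parse(log):
    """Return the set of (section, detail) entries found in a log."""
    entries = set()
    for line in log.splitlines():
        match = ENTRY_RE.match(line.strip())
        if match:
            entries.add((match.group(1), match.group(2)))
    return entries


def reasons(section, detail):
    """Return the triage reasons (possibly none) for one entry."""
    found = []
    low = detail.lower()
    if section == "O7" and "disableregedit=1" in low:
        found.append("policy value blocks regedit")
    if section in LOADER_SECTIONS and "\\temp\\" in low:
        found.append("component loaded from a temp directory")
    if low.endswith("(file missing)"):
        found.append("entry points at a missing file")
    if section == "O6":
        found.append("IE restrictions set by policy; confirm the owner set them")
    return found


def compare(before, after):
    """Diff two logs: what the fix removed, what flagged entries survived."""
    old, new = parse(before), parse(after)

    def flagged(entries):
        return sorted(e for e in entries if reasons(*e))

    return {
        "removed": sorted(old - new),
        "persisting": flagged(old & new),  # something is re-creating these
        "new": flagged(new - old),
    }


if __name__ == "__main__":
    result = compare(LOG_BEFORE, LOG_AFTER)
    for status in ("removed", "persisting", "new"):
        for section, detail in result[status]:
            why = "; ".join(reasons(section, detail)) or "no rule matched"
            print(f"{status:10} {section:4} {detail}\n{'':15} -> {why}")
```

Flagged entries reported as persisting are the ones to investigate further, since something still running is restoring them after each fix.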
     
  12. 2008/01/08
    johngkerr

    johngkerr Inactive Thread Starter

    Joined:
    2002/10/22
    Messages:
    193
    Likes Received:
    0
    ?

    Could Spybot have locked me out of regedit ?:confused:
     
  13. 2008/01/08
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Joined:
    2003/03/02
    Messages:
    4,580
    Likes Received:
    7
    Hi
    No, The infection on the machine is locking you out.

    Until we can get rid of it you can't use regedit.

    Please do as I asked.

    Geri
     
  14. 2008/01/11
    johngkerr

    johngkerr Inactive Thread Starter

    Joined:
    2002/10/22
    Messages:
    193
    Likes Received:
    0
    did not work

    I copied and pasted this
    regedit /e "%userprofile%\desktop\HKLMSTS.txt"
    "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler"

    to the run box and it did not put this file HKLMSTS.txt anywhere on my friend's computer. Help:confused:
     
  15. 2008/01/11
    johngkerr

    johngkerr Inactive Thread Starter

    Joined:
    2002/10/22
    Messages:
    193
    Likes Received:
    0
    ??

    Do you think that sysnipspsetup.exe will remove spysnipe or is it just more spyware????????
     
  16. 2008/01/11
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Joined:
    2003/03/02
    Messages:
    4,580
    Likes Received:
    7
    Hi johngkerr
    OK, I was hoping we could get it when fixing with HJT first.

    I have never used it and for the time being, I would like to stick with known tools. Let's see if SuperAntiSpyware will kill it.

    Download and Install SuperAntiSpyware Free Version Home Users
    • Launch SuperAntiSpyware
    • Click Check for Updates and update to the latest definitions.
    • Click Scan your Computer
      • Check all boxes in the Scan Location box.
      • Check the Complete Scan radio button.
      • Click Scanning Preferences/Control Centre button.
        • Uncheck Ignore files larger than 4MB (recommended)
        • Check Scan Alternate Data Streams.
        • Click Close.
      • Click Next
    • SuperAntiSpyware will now scan your computer for infection. (This could take in excess of an hour depending on the number of files scanned)
    • When finished it will present you with a summary of its findings.
    • Click OK.
    • The Removal Screen will open.
      • Check the items in the list to mark them for Quarantine.
      • Click Next and SAS will Quarantine them.
    Please send me the log.
    • Click the Preferences button.
      • Click the Statistics/Logs tab.
        • Logs are listed by date and time, click on the latest one to highlight it (at the top).
        • Click View log.
      • This will open a log page.
      • Copy/Paste the contents in your next post please.
    CAUTION: SuperAntiSpyware comes with a programme called Bootsafe, do not for any reason use this programme, if used on an infected computer it could render it UNBOOTABLE.

    Please post the log.

    Thanks
    Geri
     
  17. 2008/01/13
    johngkerr

    johngkerr Inactive Thread Starter

    Joined:
    2002/10/22
    Messages:
    193
    Likes Received:
    0
    SUPERAntiSpyware Scan Log

    this is the log what next??????:confused::cool::rolleyes:



    SUPERAntiSpyware Scan Log
    http://www.superantispyware.com

    Generated 01/13/2008 at 02:03 PM

    Application Version : 3.9.1008

    Core Rules Database Version : 3379
    Trace Rules Database Version: 1373

    Scan type : Custom Scan
    Total Scan Time : 00:36:23

    Memory items scanned : 158
    Memory threats detected : 0
    Registry items scanned : 2374
    Registry threats detected : 0
    File items scanned : 15924
    File threats detected : 32

    Adware.Tracking Cookie
    C:\WINDOWS\Cookies\hp authorized customer@1071712319[2].txt
    C:\WINDOWS\Cookies\hp authorized customer@cpocommerceinc.112.2o7[1].txt
    C:\WINDOWS\Cookies\hp authorized customer@bs.serving-sys[1].txt
    C:\WINDOWS\Cookies\hp authorized customer@tacoda[2].txt
    C:\WINDOWS\Cookies\hp authorized customer@1064461693[1].txt
    C:\WINDOWS\Cookies\hp authorized customer@serving-sys[2].txt
    C:\WINDOWS\Cookies\hp authorized customer@ad.yieldmanager[2].txt
    C:\WINDOWS\Cookies\hp authorized customer@tribalfusion[1].txt
    C:\WINDOWS\Cookies\hp authorized customer@specificclick[1].txt
    C:\WINDOWS\Cookies\hp authorized customer@adserver[1].txt
    C:\WINDOWS\Cookies\hp authorized customer@questionmarket[2].txt
    C:\WINDOWS\Cookies\hp authorized customer@anad.tacoda[2].txt
    C:\WINDOWS\Cookies\hp authorized customer@revsci[2].txt
    C:\WINDOWS\Cookies\hp authorized customer@msnportal.112.2o7[1].txt
    c:\WINDOWS\Cookies\hp authorized customer@windowsmedia[2].txt
    c:\WINDOWS\Cookies\hp authorized customer@primedia.us.intellitxt[1].txt
    c:\WINDOWS\Cookies\hp authorized customer@www.windowsmedia[2].txt
    c:\WINDOWS\Cookies\hp authorized customer@track.bestbuy[2].txt

    Dialer.Dial/Gen Variant
    C:\WINDOWS\TEMP\JGFJIPMD.EXE
    C:\WINDOWS\TEMP\JBLGHOMD.EXE
    C:\WINDOWS\TEMP\POAELPMD.EXE
    C:\WINDOWS\TEMP\FKGOIPMD.EXE
    C:\WINDOWS\TEMP\HFLNIPMD.EXE
    C:\WINDOWS\TEMP\AIHBJPMD.EXE

    Adware.ClickSpring/PuritySCAN
    C:\WINDOWS\TEMP\PS_INSTALL_TBC_0715.EXE

    Trojan.Downloader-Gen/Suspicious
    C:\WINDOWS\SYSTEM\HOT SEX SOFTWARE-UNINSTALL.EXE
    C:\WINDOWS\SYSTEM\SYSTEMIE.EXE
    C:\WINDOWS\SYSTEM\SIEF.DAT
    C:\NNCTL.EXE

    Spyware.Melkosoft (CoolWebSearch Variant)
    C:\WINDOWS\ITSHTA.EXE

    Unclassified.SpywareBot (Not A Threat)
    C:\RECYCLED\DC2\SETUP.EXE
    C:\JOHN FOLDER\SETUP.EXE
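
An added example, not part of the original posts and not SUPERAntiSpyware's own code: a small parser for a scan log in the layout shown above. It groups detected paths by family heading, separates tracking cookies and "(Not A Threat)" entries from the files that need a helper's attention, and checks that the number of listed paths matches the declared "File threats detected" count. The sample log is constructed, and the function names are hypothetical.

```python
import re

# Constructed sample in the same layout as the log above; all names are placeholders.
SAMPLE_LOG = r"""SUPERAntiSpyware Scan Log
Memory threats detected : 0
File threats detected : 5

Adware.Tracking Cookie
C:\WINDOWS\Cookies\user@example-ads[1].txt

Dialer.Example/Gen Variant
C:\WINDOWS\TEMP\SAMPLE01.EXE

Trojan.Example-Gen/Suspicious
C:\WINDOWS\SYSTEM\SAMPLE02.EXE
C:\SAMPLE03.EXE

Unclassified.Example (Not A Threat)
C:\SAMPLE04.EXE
"""

PATH_RE = re.compile(r"^[A-Za-z]:\\")
COUNT_RE = re.compile(r"^(Memory|Registry|File) threats detected\s*:\s*(\d+)$")

def parse_sas_log(text):
    """Return (declared counts, {family heading: [paths]})."""
    counts, families, heading = {}, {}, ""
    for line in (raw.strip() for raw in text.splitlines()):
        m = COUNT_RE.match(line)
        if m:
            counts[m.group(1).lower()] = int(m.group(2))
        elif PATH_RE.match(line):
            families.setdefault(heading, []).append(line)
        elif line:
            heading = line  # nearest non-path line above a path is its family
    return counts, families

def triage(families):
    """Split paths into cookies, informational entries and files to review."""
    buckets = {"cookies": [], "informational": [], "review": []}
    for family, paths in families.items():
        low = family.lower()
        key = ("cookies" if "cookie" in low else
               "informational" if "(not a threat)" in low else "review")
        buckets[key].extend(paths)
    return buckets

def listed_matches_declared(counts, families):
    """True when the listed paths add up to the declared file-threat count."""
    return sum(len(p) for p in families.values()) == counts.get("file")
```

A mismatch between the listed paths and the declared count usually means the log was truncated when it was pasted.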
     
  18. 2008/01/13
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Joined:
    2003/03/02
    Messages:
    4,580
    Likes Received:
    7
    Hi
    OK, let's see if we can get the file now.

    Please re-open HiJackThis and scan only. Check the boxes next to all the entries listed below.

    O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
    O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1

    Now close all windows other than HiJackThis, then click Fix Checked.

    Close HJT.

    Please click on Start > Run then copy and paste the contents of the code box below into the run box and click OK.
    A txt file will be placed on your desktop named HKLMSTS.txt

    Please post the contents of that here.

    Code:
    regedit /e "%userprofile%\desktop\HKLMSTS.txt" "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler"
    Please post a new HJT log.

    Thanks
    Geri
     
  19. 2008/01/14
    johngkerr

    johngkerr Inactive Thread Starter

    Joined:
    2002/10/22
    Messages:
    193
    Likes Received:
    0
    hijackthis

    HijackThis does not fix:
    O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
    O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1

    ????
     
  20. 2008/01/14
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Joined:
    2003/03/02
    Messages:
    4,580
    Likes Received:
    7
    Hi
    OK please post a new HJT log.

    Thanks
    Geri
     
  21. 2008/01/14
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Joined:
    2003/03/02
    Messages:
    4,580
    Likes Received:
    7
    Hi
    OK, before posting the HJT log please do this:

    Let's see if we can locate the registry hive files and get copies of them from command-prompt-only mode.

    Please paste this text in a command window.

    dir C:\system.dat /a:h /s >C:\hives.txt
    dir C:\user.dat /a:h /s >>C:\hives.txt
    echo.>>C:\hives.txt
    if exist C:\Windows\Profiles dir C:\Windows\Profiles>>C:\hives.txt
    exit
    cls



    Please post the contents of C:\hives.txt

    Thanks
    Geri
     
