help on spyware win98

did some good

removing the files in the temp dir did alot.
it stopped the popups and the red X in toolbar
but i sill can not run regedit
also i try to remove beem.ddl for the startup using msconfig
and a this popup came up [Spybot-SD Resident 1172 Processes Blacklisted]
there is a icon on the toolbar that the popup came from.
can spybot be running and stopping changes to the reg
was also able the run dr web but was taking to long i had to go so i will get
the log later. i will email the system.dat and user.dat

 

Run HijackThis again and fix the following entries.

O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1


See if the registry editor will open then.

 

can't change registry

I think this is the problem with the locked registry. See link below

http://forums.spybot.info/showthread.php?t=44

this is a old thread but i bet the tea timer popup is bad. He has a old copy of
spybot.
It will be friday before I can is if this is the problem

 

Not one of the logs you posted showed TeaTimer as an active process. Did you enable it? If not active, it can't interfere. In any event, TeaTimer does not disable editing the registry ....... the infection present does.

You mentioned beem.dll ....... where is it located? You said you tried removing it from the startup using msconfig, but I don't see it in the HijackThis log either. Is this a new entry, or one that HijackThis just didn't show? Is there a location of that file given?

 

beem.dll

beem.dll has been removed by spyware programs but there is call for it in startup. I was unchecking it in msconfig startup to stop error message at startup. and spybot did stop me but the popup you can not read like in the thread. I do not think that spybot is the reason i can not run regedit. when i get back over there i will stop tea timer and see if it helps.

by the way the person that owns the computer dosen't know anything about
computers and likes to play.

 

Good News

I things are better know. I turned off tea timer and unistalled old ver spybot.
This let me remove thinks from startup using msconfig also let hijackthis fix that regedit problem, i can run regedit now.

this is the last hijackthis scan log
I know there is more to fix but my freinds computer is get over it's sickness
Let me know what i should fix on the scan, Thanks you all for your help

C:\WINDOWS\SYSTEM\USBMMKBD.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\RunDLL.exe
C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\WORKS SHARED\WKCALREM.EXE
C:\WINDOWS\DESKTOP\MY SOFTWARE\MOUSEWARE\SYSTEM\EM_EXEC.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\KEYBDMGR.EXE
C:\PROGRAM FILES\NETROPA\ONSCREEN DISPLAY\OSD.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMUSBKB2.EXE
C:\PROGRAM FILES\TREND MICRO\HIJACKTHIS\HIJACKTHIS.EXE
C:\WINDOWS\SYSTEM\WBEM\WINMGMT.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.yahoo.com/p/hp/us/?http://hp.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = www.yahoo.com
O2 - BHO: (no name) - {CC9BC69C-F035-46bc-A67B-353B8BAE61CD} - (no file)
O2 - BHO: (no name) - {B3B010A1-A877-4CD7-BAB5-9EE8F9965E20} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [TCASUTIEXE] TCAUDIAG.EXE -off
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [AtiKey] Atitask.exe
O4 - HKLM\..\Run: [InstallAurealDemos] C:\windows\temp\InstallAurealDemos.js //b
O4 - HKLM\..\Run: [HPScanPatch] C:\WINDOWS\SYSTEM\HPScanFix.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [Keyboard Manager] C:\Program Files\Netropa\One-touch Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [USBMMKBD] usbmmkbd.exe
O4 - HKLM\..\Run: [AtiCwd32] Aticwd32.exe
O4 - HKLM\..\Run: [Logitech Utility] LOGI_MWX.EXE
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [System Helper] syshlp.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [Hidserv] Hidserv.exe run
O4 - HKLM\..\RunServices: [AolFix] C:\windows\system\AolFix.exe
O4 - HKLM\..\RunServices: [KB891711] c:\windows\SYSTEM\KB891711\KB891711.EXE
O4 - HKLM\..\RunServices: [KB918547] C:\WINDOWS\SYSTEM\KB918547\KB918547.EXE
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe "
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\PROGRAM FILES\SUPERANTISPYWARE\SUPERANTISPYWARE.EXE
O4 - HKUS\.DEFAULT\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe" (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [SUPERAntiSpyware] C:\PROGRAM FILES\SUPERANTISPYWARE\SUPERANTISPYWARE.EXE (User 'Default user')
O4 - .DEFAULT Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe (User 'Default user')
O4 - .DEFAULT Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE (User 'Default user')
O4 - Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: RealGuide - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O12 - Plugin for .pdf: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) -
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O20 - Winlogon Notify: !SASWinLogon - C:\WINDOWS\
O22 - SharedTaskScheduler: Windows Installer Class - {24E31EA9-FCE2-404F-BD80-20543565D946} - (no file)

--
End of file - 4967 bytes

 

Fix the following with HijackThis, then post a new log.

O2 - BHO: (no name) - {CC9BC69C-F035-46bc-A67B-353B8BAE61CD} - (no file)
O2 - BHO: (no name) - {B3B010A1-A877-4CD7-BAB5-9EE8F9965E20} - (no file)
O4 - HKLM\..\Run: [InstallAurealDemos] C:\windows\temp\InstallAurealDemos.js //b
O4 - HKLM\..\Run: [System Helper] syshlp.exe
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) -
O22 - SharedTaskScheduler: Windows Installer Class - {24E31EA9-FCE2-404F-BD80-20543565D946} - (no file)

 

ok to fix

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = www.yahoo.com
is it ok to fix this so main window will say the page you are at. fixing with hijackthis will that make it defalt?

 

Fixing that entry should reset the window title to 'Microsoft Internet Explorer'.

How's the computer doing now?