spam - scam-----------BAM:- I think they got me
Vic 970
08-10-2005, 05:47 PM
Background: I have a personal url which 'masks' another from a free ISP.
Yesterday I got 2 emails "returned by mailer", purporting to be one from me @personal url to 'peter@my free url' or similar,
subject being something like "you have sent out huge amounts of spam".
After studying them at some length I could not make them out, so deleted them whilst still in 'mailwasher' (I did not blacklist or bounce them). Today I received 46 similar emails, with varying names and subjects.
er.............help ?
Steve
08-10-2005, 06:30 PM
I guess it's time for another HJT log. I'd like to see the HJT log before you run any cleaning software, just to see what shows up.
That will get the ball rolling... :)
Vic 970
08-11-2005, 02:16 PM
hi steve..
Logfile of HijackThis v1.99.1
Scan saved at 18:08:54, on 11/08/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\PROGRAM FILES\CARD READER\SHWICON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\AHEAD\INCD\INCD.EXE
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\TEXTBRIDGE CLASSIC 2.0\BIN\INSTANTACCESS.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\UNZIPPED\HIJACKTHIS\HIJACKTHIS.EXE
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.co.uk/0SEENGB/SAOS01
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wanadoo.co.uk/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Freeserve
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_3_12_0.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\PROGRAM FILES\MSN TOOLBAR\01.01.1629.0\EN-GB\MSNTB.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_3_12_0.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [ShowIcon_The Company_USB Storage Device Ver. 1.3] "C:\Program Files\Card Reader\shwicon.exe" -t"The Company\USB Storage Device Ver. 1.3"
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\BIN\REGIST~1.EXE
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [InstantAccess] C:\PROGRA~1\TEXTBR~1.0\BIN\INSTAN~1.EXE /h
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\BIN\REGIST~1.EXE
O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
O4 - HKLM\..\RunOnce: [MRUBlaster] C:\PROGRAM FILES\MRU-BLASTER\indexcleaner.exe -CC
O4 - HKCU\..\Run: [TClockEx] C:\PROGRAM FILES\TCLOCKEX\TCLOCKEX.EXE
O4 - Startup: MRU-Blaster.lnk = C:\Program Files\MRU-Blaster\mrublaster.exe
O8 - Extra context menu item: Download using Download &Express - file://C:\WINDOWS\SYSTEM\MetaProducts\Add_Url.htm
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR3.DLL/cmsearch.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR3.DLL/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR3.DLL/cmsimilar.html
O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR3.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR3.DLL/cmtrans.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: PRDIE - {CD996360-E11A-11D7-AFC5-444553540000} - C:\PROGRAM FILES\PRIVACY DEFENDER\PRD.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES0527.DLL
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES0527.DLL
O12 - Plugin for .bcf: C:\PROGRA~1\INTERN~1\Plugins\NPBelv32.dll
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {EC5A4E7B-02EB-451D-B310-D5F2E0A4D8C3} (webhelper Class) - http://register.btinternet.com/templates/btwebcontrol023.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-0-3-0.cab
O16 - DPF: {78960E0E-0B0C-11D4-8997-00104BD12D94} (AV Class) - http://www.pcpitstop.com/antivirus/PCPAV.CAB
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003120501/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {01FE8D0A-51AD-459B-B62B-85E135128B32} (DD_v4.DDv4) - http://www.drivershq.com/DD_v4.CAB
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmessengersetupdownloader.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/detection/ITDetector.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by15fd.bay15.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/autocomplete.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
Steve
08-11-2005, 06:11 PM
Vic, your log looks clean. Are you getting anymore of the return emails? It could be that your email address has been spoofed. Nothing on your computer but your address being used.
Budfred
08-11-2005, 08:00 PM
This is actually from a trojan that can allow your computer to be controlled from elsewhere... Please use HJT to fix it:
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
Then it would be a good idea to run Ewido... Please download, install, and update the NEW free version of Ewido trojan scanner (http://www.ewido.net/en/download/):
When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
When you run ewido for the first time, you may get a warning "Database could not be found!". Click OK. We will fix this in a moment.
From the main ewido screen, click on update in the left menu, then click the Start update button.
After the update finishes (the status bar at the bottom will display "Update successful")
Click on the Scanner button in the left menu, then click on Complete System Scan. This scan can take quite a while to run.
If ewido finds anything, it will pop up a notification. We have been finding some cases of false positives with the new version of Ewido, so we need to step through the fixes one-by-one. If Ewido finds something that you KNOW is legitimate (for example, parts of AVG Antivirus, pcAnywhere and the game "Risk" have been flagged), select "none" as the action. DO NOT check "Perform action with all infections". If you are unsure of an entry, select "none" for the time being. I'll see that in the log you will post later and let you know if ewido needs to be run again.
When the scan finishes, click on "Save Report". This will create a text file. Make sure you know where to find this file again.
Also, try running an MWavScan... It will produce a log in the lower window that has the bad list and you will need to use Ctrl-C to copy it and then paste it here for review.... If the list is extremely long, you can just paste the lines that begin with the word "File" since those are the ones we need to be most concerned about...
http://www.mwti.net/antivirus/free_utilities.asp
It will suggest that you buy the product to fix what it finds, but that is not necessary... Just post the bad part of the scan and we will deal with it...
Steve
08-12-2005, 12:13 AM
Bud', where are you getting the info on that O4 entry? My info shows it as legitimate. rundll32.exe tweakui.cpl, tweakmeup seems to be legit while RunDLL32 tweakUI.DLL, TWEAKUI /tweakmeup would be a problem. tweakui.cpl versus tweakui.dll?
Budfred
08-12-2005, 12:56 AM
Steve,
I think I misread that one and you are right... :o
Vic 970,
I suggest going ahead with the other scans to make sure there isn't anything lurking... More and more of this garbage isn't showing up in HJT logs lately...
Steve
08-12-2005, 10:39 AM
The ewido scan is a good idea. Also, you might check your e-mail client and see if there is any record of you mailing things out. Another idea would be to check your zone alarm logs and see if anything is accessing the internet that you don't know about. If you remove all permissions for programs getting out to the 'net, you might catch something adding a permission without your permission...if you know what I mean... ;)
classicsoftware
08-12-2005, 10:45 AM
I hate to rain on your parade. Nor is it polite to point when the masters are tired and overworked, seeing as I'm sitting by the lake relaxing.
BUT, doesn't his log show Windows 98? To the best of my knowledge, Ewido requires Win2K or XP?
Maybe an MWAV (http://www.mwti.net/antivirus/mwav.asp) scan should be next?
PrntRhd
08-12-2005, 10:50 AM
Trojan Hunter (free trial) is good when using 98/ME.
http://www.misec.net/
Steve
08-12-2005, 11:32 AM
Heh heh, thanks CS. ;)
Vic 970
08-12-2005, 03:35 PM
Hi folks, MWAV scan results..
Fri Aug 12 19:24:04 2005 => Total Objects Scanned: 8986
Fri Aug 12 19:24:04 2005 => Total Virus(es) Found: 2
Fri Aug 12 19:24:04 2005 => Total Disinfected Files: 0
Fri Aug 12 19:24:04 2005 => Total Files Renamed: 0
Fri Aug 12 19:24:04 2005 => Total Deleted Objects: 0
Fri Aug 12 19:24:04 2005 => Total Errors: 19
Fri Aug 12 19:24:04 2005 => Time Elapsed: 00:04:22
Fri Aug 12 19:24:04 2005 => Virus Database Date: 2005/08/09
Fri Aug 12 19:24:04 2005 => Virus Database Count: 142843
Fri Aug 12 19:24:04 2005 => Scan Completed.
and the naughty bits......
Object "AltNet Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "iSearch Spyware/Adware" found in File System! Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\ModuleUsage" refers to invalid object "C:\WINDOWS\Downloaded Program Files\MSNChat45.ocx". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\ModuleUsage" refers to invalid object "C:\WINDOWS\Downloaded Program Files\MediaAccX.dll". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\ModuleUsage" refers to invalid object "C:\WINDOWS\Downloaded Program Files\cssweb.dll". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\ModuleUsage" refers to invalid object "C:\WINDOWS\Downloaded Program Files\YSBactivex.dll". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "H:\Program Files\SiS_Compatible_VGA_V2.12\utility\LoadZoom.exe". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "H:\Program Files\SiS_Compatible_VGA_V2.12\utility\hookproc.dll". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "H:\Program Files\SiS_Compatible_VGA_V2.12\utility\hkdef.dll". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "H:\Program Files\SiS_Compatible_VGA_V2.12\utility\sisufile.dll". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "H:\Program Files\SiS_Compatible_VGA_V2.12\utility\sisuinfo.dll". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "H:\Program Files\SiS_Compatible_VGA_V2.12\utility\3d\d3dpvw.exe". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "H:\Program Files\SiS_Compatible_VGA_V2.12\utility\sisut3d.dll". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "H:\Program Files\SiS_Compatible_VGA_V2.12\utility\sisvideo.dll". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "H:\Program Files\SiS_Compatible_VGA_V2.12\utility\lcdtv.dll". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "H:\Program Files\SiS_Compatible_VGA_V2.12\utility\sistv.dll". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "H:\Program Files\SiS_Compatible_VGA_V2.12\utility\sisudisp.dll". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "H:\Program Files\IsoView\IsoViewX.ocx". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "H:\WINDOWS\SYSTEM\TABCTL32.OCX". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "H:\WINDOWS\SYSTEM\comctl32.ocx". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\WINDOWS\Downloaded Program Files\YSBactivex.dll". Action Taken: No Action Taken.
I am holding off fixing anything in hjt yet.
Budfred
08-12-2005, 08:28 PM
Okay, I was suffering from major brain farts... I apologize... :o
I don't see that you need to fix anything in HJT since I was mistaken about that other item and the MWavScan looks okay... We can try a Silent Runners log to see if we are missing anything:
Please download SilentRunners from here:
http://www.silentrunners.org/Silent%20Runners.zip
Unzip it to the desktop and double-click on it. If you get any kind of warning message about scripts, please choose to allow the script to run. When the scan is finished, it will create a logfile on the desktop. Please post the entire contents of this logfile for me to see.
Hopefully this works on Win98.... ???
Vic 970
08-13-2005, 05:56 AM
Budfred,
I am confused, you say that MWAV looks ok? How can 2 viruses & 19 errors be ok?
Before running MWAV the problem had increased (86 rtn paths.) & I have since done a clean up, with 'the usuals'. Today there were none, just 1 spam & 1 note from pc guide. I ain't never had so few.
Meanwhile, I will d/l & run 'silent runners'.
Vic 970
08-13-2005, 06:31 AM
silentrunners scan.
"Silent Runners.vbs", revision 39, http://www.silentrunners.org/
Operating System: Windows 98
Output limited to non-default values, except where indicated by "{++}"
Startup items buried in registry:
---------------------------------
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"TClockEx" = "C:\PROGRAM FILES\TCLOCKEX\TCLOCKEX.EXE" ["Dale Nurden"]
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"ScanRegistry" = "C:\WINDOWS\scanregw.exe /autorun" [MS]
"ShowIcon_The Company_USB Storage Device Ver. 1.3" = ""C:\Program Files\Card Reader\shwicon.exe" -t"The Company\USB Storage Device Ver. 1.3"" ["MyComp"]
"SystemTray" = "SysTray.Exe" [MS]
"InCD" = "C:\Program Files\Ahead\InCD\InCD.exe" ["Copyright (C) ahead software gmbh and its licensors"]
"Zone Labs Client" = "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" ["Zone Labs, LLC"]
"LoadPowerProfile" = "Rundll32.exe powrprof.dll,LoadCurrentPwrScheme" [MS]
"RegisterDropHandler" = "C:\PROGRA~1\TEXTBR~1.0\BIN\REGIST~1.EXE" ["8"]
"StillImageMonitor" = "C:\WINDOWS\SYSTEM\STIMON.EXE" [MS]
"Tweak UI" = "RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp" [MS]
"InstantAccess" = "C:\PROGRA~1\TEXTBR~1.0\BIN\INSTAN~1.EXE /h" [null data]
"AVG7_CC" = "C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP" ["GRISOFT, s.r.o."]
"AVG7_AMSVR" = "C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE" ["GRISOFT, s.r.o."]
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ {++}
"MRUBlaster" = "C:\PROGRAM FILES\MRU-BLASTER\indexcleaner.exe -CC" [null data]
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\ {++}
"TrueVector" = "C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service" ["Zone Labs, LLC"]
"LoadPowerProfile" = "Rundll32.exe powrprof.dll,LoadCurrentPwrScheme" [MS]
"SchedulingAgent" = "mstask.exe" [MS]
"RegisterDropHandler" = "C:\PROGRA~1\TEXTBR~1.0\BIN\REGIST~1.EXE" ["8"]
"KB891711" = "C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE" [MS]
HKLM\Software\Microsoft\Active Setup\Installed Components\
{6BF52A52-394A-11d3-B153-00C04F79FAA6}\(Default) = "Microsoft Windows Media Player"
\StubPath = "rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\wmp.inf,PerUserRemove" [MS]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{02478D38-C3F9-4efb-9B51-7695ECA05670}\(Default) = "Yahoo! Companion BHO" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_3_12_0.DLL" ["Yahoo! Inc."]
{AA58ED58-01DD-4d91-8333-CF10577473F7}\(Default) = "Google Toolbar Helper" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "c:\program files\google\googletoolbar3.dll" ["Google Inc."]
HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{2E9D3540-211C-11d0-A5F2-00A0248C37BE}" = "Nero Shell Extension Property Sheet"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Ahead\Nero\neroshx.dll" ["ahead software gmbh im stoeckmaedle 6 76307 karlsbad, germany Fax: ++49-7248-911-888 e-mail: info@ahead.de"]
"{eb9ebda0-b3e7-11cf-81c9-0000c0aa665f}" = "FTP Explorer Shell Extension"
-> {CLSID}\InProcServer32\(Default) = "ftpxext.dll" ["FTPx Corp."]
"{7850a720-705f-11d0-a9eb-0080488625e5}" = "BestCrypt Shell Extension"
-> {CLSID}\InProcServer32\(Default) = "BCShExt.dll" ["Jetico, Inc."]
"{00020D75-0000-0000-C000-000000000046}" = "Microsoft Exchange"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~1\OFFICE\MLSHEXT.DLL" [MS]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Outlook Custom Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~1\OFFICE\OLKFSTUB.DLL" [MS]
"{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Shell Extension"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]
"{9F97547E-460A-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Find Extension"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]
"{5464D816-CF16-4784-B9F3-75C0DB52B499}" = "Yahoo! Mail"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRAM FILES\YAHOO!\COMMON\YMMAPI.DLL" ["Yahoo! Inc."]
HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
UltimateZip\(Default) = "{2F860D81-AF3C-11D4-BDB3-00E0987D8540}"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\ULTIMA~1.7\UZSHLEX.DLL" [null data]
BCShellMenu\(Default) = "{7850a720-705f-11d0-a9eb-0080488625e5}"
-> {CLSID}\InProcServer32\(Default) = "BCShExt.dll" ["Jetico, Inc."]
AVG7 Shell Extension\(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]
Yahoo! Mail\(Default) = "{5464D816-CF16-4784-B9F3-75C0DB52B499}"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRAM FILES\YAHOO!\COMMON\YMMAPI.DLL" ["Yahoo! Inc."]
HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
UltimateZip\(Default) = "{2F860D81-AF3C-11D4-BDB3-00E0987D8540}"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\ULTIMA~1.7\UZSHLEX.DLL" [null data]
BCShellMenu\(Default) = "{7850a720-705f-11d0-a9eb-0080488625e5}"
-> {CLSID}\InProcServer32\(Default) = "BCShExt.dll" ["Jetico, Inc."]
AVG7 Shell Extension\(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]
Active Desktop and Wallpaper:
-----------------------------
Active Desktop is enabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "C:\WINDOWS\Paradise.jpg"
Startup items in "Startup" & "All Users...Startup" folders:
-----------------------------------------------------------
C:\WINDOWS\Start Menu\Programs\StartUp
"MRU-Blaster" -> shortcut to: "C:\Program Files\MRU-Blaster\mrublaster.exe " [null data]
Winsock2 Service Provider DLLs:
-------------------------------
Namespace Service Providers
HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "C:\WINDOWS\SYSTEM\rnr20.dll" [MS]
Transport Service Providers
HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
imslsp.dll ["Zone Labs, Inc."], 01 - 03, 10
C:\WINDOWS\SYSTEM\mswsosp.dll [MS], 04
C:\WINDOWS\SYSTEM\msafd.dll [MS], 05 - 07
C:\WINDOWS\SYSTEM\rsvpsp.dll [MS], 08 - 09
Toolbars, Explorer Bars, Extensions:
------------------------------------
Toolbars
HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}" = "&Google" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "c:\program files\google\googletoolbar3.dll" ["Google Inc."]
"{BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0}" = "MSN Toolbar" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRAM FILES\MSN TOOLBAR\01.01.1629.0\EN-GB\MSNTB.DLL" [MS]
"{EF99BD32-C1FB-11D2-892F-0090271D4F88}" = "&Yahoo! Companion" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_3_12_0.DLL" ["Yahoo! Inc."]
HKLM\Software\Microsoft\Internet Explorer\Toolbar\
"{BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0}" = "0"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRAM FILES\MSN TOOLBAR\01.01.1629.0\EN-GB\MSNTB.DLL" [MS]
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}" = "&Google" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "c:\program files\google\googletoolbar3.dll" ["Google Inc."]
"{EF99BD32-C1FB-11D2-892F-0090271D4F88}" = "&Yahoo! Companion" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_3_12_0.DLL" ["Yahoo! Inc."]
Explorer Bars
HKCU\Software\Microsoft\Internet Explorer\Explorer Bars\
{4528BBE0-4E08-11D5-AD55-00010333D0AD}\ = "&Yahoo! Messenger" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES0527.DLL" ["Yahoo! Inc."]
HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\
{4528BBE0-4E08-11D5-AD55-00010333D0AD}\ = "&Yahoo! Messenger" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES0527.DLL" ["Yahoo! Inc."]
Extensions (Tools menu items, main toolbar menu buttons)
HKLM\Software\Microsoft\Internet Explorer\Extensions\
{CD996360-E11A-11D7-AFC5-444553540000}\
"ButtonText" = "PRDIE"
"Exec" = "C:\PROGRAM FILES\PRIVACY DEFENDER\PRD.EXE" ["SynergeticSoft"]
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Sun Java Console"
"CLSIDExtension" = "{CAFEEFAC-0015-0000-0002-ABCDEFFEDCBC}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll" ["Sun Microsystems, Inc."]
{4528BBE0-4E08-11D5-AD55-00010333D0AD}\
"ButtonText" = "Messenger"
"MenuText" = "Yahoo! Messenger"
"CLSIDExtension" = "{4C171D40-8277-11D5-AD55-00010333D0AD}"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES0527.DLL" ["Yahoo! Inc."]
Vic 970
08-13-2005, 06:32 AM
----------
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI
DLL launch points and all Registry CLSIDs for dormant Explorer Bars,
use the -supp parameter or answer "Yes" at the first message box.
---------- (total run time: 30 seconds, including 8 seconds for message boxes)
Budfred
08-13-2005, 09:28 AM
Budfred,
I am confused, you say that MWAV looks ok? How can 2 viruses & 19 errors be ok?
Before running MWAV the problem had increased (86 rtn paths.) & I have since done a clean up, with 'the usuals'. Today there were none, just 1 spam & 1 note from pc guide. I ain't never had so few.
Meanwhile, I will d/l & run 'silent runners'.
Those are just orphaned Registry entries and traces of malware that MWav picks up on... I believe I have seen the Altnet one in every log run and the iSearch is pretty common too, so I suspect it may even be a problem with MWav...
The only thing I see in the Silent Runners is this:
C:\PROGRAM FILES\PRIVACY DEFENDER\PRD.EXE
This is on the list of rogue anti-spyware programs.... That means you may have been ripped off, but it is unlikely that it is causing the problems you see... Read about it here:
http://www.spywarewarrior.com/rogue_anti-spyware.htm
I would uninstall that one, but I don't see anything else that looks bad....
The only other thing we can do is run a rootkit scan or two, but I am not sure if they even run on Win98... Here are two if you want to try:
http://www.f-secure.com/blacklight/
Please download RootkitRevealer.exe and unzip it into a folder. Run a scan and produce a log...
http://www.sysinternals.com/ntw2k/freeware/rootkitreveal.shtml
When it is done, go to File and select Save...
Include the log in your next reply.
Do not worry if there are a large number of items, this is normal.
It is a deep scan which will take a considerable amount of time, I suggest you disconnect from the internet and leave the PC alone until its finished.
To reduce the size of the log posted here, please edit out items that appear in these folders if there are some:
C:\RECYCLER\NPROTECT
C:\System Volume Information
before you post the log....
Vic 970
08-13-2005, 12:00 PM
Blacklight wouldn't run because
"a required file USERENV was not found."
& RootkitRevealer is NT4 & later.
However, AVG popped up with BYTEVERIFY & BYTEVER whilst AdAware was scanning; these are in file Windows/AAWtemp.
Deleting these does no good as they come back, but is AAWtemp a file produced by AdAware whilst it is scanning?
I had this before & it was a while before I got rid of it, but I now cannot remember how I did.
Budfred
08-13-2005, 12:27 PM
Make sure you have the latest versions and updates for AVG and Ad-Aware SE... I believe that is a glitch in AVG that was corrected a while ago...
You can try an RKFiles scan for root kit stuff... It is more of a hassle, but I think it works on Win98...
http://skads.org/special/rkfiles.zip
Steve
08-14-2005, 01:53 PM
AVG often pops up with this while adaware scans. I'd shut down avg while adaware is scanning. When you're done with adaware then run your avg scan and maybe a trend micro housecall scan. If they find evidence of BYTEVERIFY, you will have a path to the file, which can probably be deleted in safemode.
I'm thinking your email address was spoofed for a while or that your problem was in your temp files and you killed it during your cleanup.
Vic 970
08-14-2005, 05:00 PM
Hi Steve,
Well, running AVG came up with 'no virus found'; online scans didn't complete (I tried several). Then I remembered, it was the windows/sun folder that I deleted the last time which cured the problem. So that I did, ran AdAware again, but still the virus report, so I simply did a 'find' for "sun" and there was one in windows/application data. I deleted that and rechecked = problem gone.
For now anyway.
As always, thanks all for your help, time & patience.
Now, has anyone any ideas/suggestions on filters to use in mailwasher? What was my 'main' account is now bombarded; I have set another now as my 'main' account, but am reluctant to just close/ignore this one.
Vic 970
08-22-2005, 02:01 PM
Well, the mailer daemon thing is back; it would appear to be a virus similar to the one here:
http://support.onetel.co.uk/index.php?page=231
in so much as it starts
"Dear user vic,
You have successfully updated the password of your (*my account name*) account.
If you did not authorize this change or if you need assistance with your account, please contact support (*my account name*)
Thank you for using (*my account name*) the (*my account name*) team
--------------------------------------
Subject: You have successfully updated your password
--------------------------------------
filename="password.zip"
.....................................
NOTE:- my account name, shown in bold above represents my actual account name.
I have deleted all the emails in mailwasher, done virus checks but nothing so far.
Steve
08-22-2005, 05:47 PM
Hi Vic, you know, this sounds like a new problem to me. I'd get in touch with (*my account name*) to see if they are having the same problem as Onetel. The problem may very well be there, not on your computer.
Budfred
08-22-2005, 08:16 PM
I am not sure what you mean by "my account name", but the fact that it recurs so often in that brief message suggests that it may be using a wildcard to spoof coming from someone you might trust... Have you contacted your ISP to check out whether it is legit??
Vic 970
08-23-2005, 01:42 PM
The account name is my account name, eg: vic@free.isp.co.uk, which is masked by my bought/registered address, example:
I bought an address like vic@payedfor.co.uk; this address masks my free isp address, for example vic@notpayedfor.freeisp.co.uk.
The emails are from :-vic@payedfor.co.uk to vic@notpayedfor.freeisp.co.uk (or vice versa), so the emails are supposedly from me at one address to me at another address, which is actually the same address. But as the emails multiply, the first names change, example fred@ mary@ support@ reply@ etc. but all with my isp addy.
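One way to triage a bounce flood like the one Vic describes, as an added example that is not part of this thread: it parses each "returned by mailer" message, scrapes the quoted original From/To out of the bounce text, and groups the bounces by domain pair. A pile of bounces for "originals" that run between the user's own two domains with the local part changing (fred@, mary@, support@) is the fingerprint of a forged sender, which supports Steve's spoofing theory without anything having to be on the PC. The domains are the placeholders Vic used (payedfor.co.uk, notpayedfor.freeisp.co.uk) and the sample bounces are constructed.

```python
"""Triage of a 'returned by mailer' flood of the kind Vic describes.

Added example, not code from the thread. The two domains are the
placeholders Vic used (payedfor.co.uk and notpayedfor.freeisp.co.uk);
the bounce messages below are constructed for the demo.
"""
import re
from collections import defaultdict
from email import message_from_string
from email.utils import parseaddr

MY_DOMAINS = {"payedfor.co.uk", "notpayedfor.freeisp.co.uk"}

# Subjects a mail server uses for a delivery failure report (DSN).
BOUNCE_SUBJECT = re.compile(
    r"returned mail|undeliver|delivery (status )?notification|"
    r"mail delivery failed|failure notice|returned by mailer", re.I)
# Wording from Vic's first post: the "bounce" is really an accusation.
SPAM_ACCUSATION = re.compile(r"huge amounts of spam|sent (out )?spam", re.I)
# 'From:' / 'To:' header lines of the original, quoted back in the DSN body.
QUOTED_HDR = re.compile(r"^(From|To):\s*(.+?)\s*$", re.I | re.M)


def is_bounce(msg):
    """A DSN carries the null sender (Return-Path <>) or comes from
    MAILER-DAEMON/postmaster; a bounce-style Subject also counts."""
    return_path = msg.get("Return-Path")
    sender = parseaddr(msg.get("From", ""))[1].lower()
    return ((return_path is not None and return_path.strip() == "<>")
            or sender.split("@")[0] in ("mailer-daemon", "postmaster")
            or bool(BOUNCE_SUBJECT.search(msg.get("Subject", ""))))


def original_addresses(msg):
    """Scrape the From/To of the bounced original out of the DSN text."""
    texts = []
    for part in msg.walk():
        if part.get_content_maintype() == "text" and not part.is_multipart():
            payload = part.get_payload(decode=True)
            if payload:
                texts.append(payload.decode("utf-8", "replace"))
    found = {"from": "", "to": ""}
    for m in QUOTED_HDR.finditer("\n".join(texts)):
        key = m.group(1).lower()
        if not found[key]:  # first quoted header wins
            found[key] = parseaddr(m.group(2))[1].lower()
    return found["from"], found["to"]


def triage(raw_messages, my_domains=MY_DOMAINS):
    """Group bounces by (original From domain, original To domain).

    Many bounces whose 'original' ran between the user's own two domains,
    with varying local parts, point to a forged sender (backscatter)
    rather than to mail the user's machine actually sent.
    """
    pairs = defaultdict(set)
    bounces = accusations = 0
    for raw in raw_messages:
        msg = message_from_string(raw)
        if not is_bounce(msg):
            continue
        bounces += 1
        if SPAM_ACCUSATION.search(msg.get("Subject", "")):
            accusations += 1
        o_from, o_to = original_addresses(msg)
        f_local, _, f_dom = o_from.rpartition("@")
        t_local, _, t_dom = o_to.rpartition("@")
        if f_dom in my_domains and t_dom in my_domains:
            pairs[(f_dom, t_dom)].add((f_local, t_local))
    # distinct local-part combinations seen on own-domain-to-own-domain "mail"
    varying = sum(len(v) for v in pairs.values())
    return {
        "bounces": bounces,
        "spam_accusations": accusations,
        "own_domain_pairs": {f"{a} -> {b}": len(v) for (a, b), v in pairs.items()},
        "verdict": ("likely forged sender (backscatter)" if varying >= 3
                    else "inconclusive"),
    }


def bounce(orig_from, orig_to, subject="Returned mail: User unknown"):
    """Build one constructed DSN that quotes the original's headers."""
    return (f"Return-Path: <>\nFrom: MAILER-DAEMON@freeisp.co.uk\n"
            f"To: {orig_from}\nSubject: {subject}\n\n"
            "The original message was received and could not be delivered.\n"
            "----- Original message -----\n"
            f"From: {orig_from}\nTo: {orig_to}\nSubject: hello\n")


SAMPLE_MAILBOX = [  # constructed
    bounce("vic@payedfor.co.uk", "peter@notpayedfor.freeisp.co.uk",
           "You have sent out huge amounts of spam"),
    bounce("vic@payedfor.co.uk", "fred@notpayedfor.freeisp.co.uk"),
    bounce("mary@payedfor.co.uk", "vic@notpayedfor.freeisp.co.uk"),
    bounce("support@notpayedfor.freeisp.co.uk", "vic@payedfor.co.uk"),
    # a genuine bounce for mail really sent to an outside address
    bounce("vic@payedfor.co.uk", "friend@example.org"),
    # an ordinary message: no null sender, no bounce wording
    "From: steve@example.net\nTo: vic@payedfor.co.uk\nSubject: HJT log\n\nhi\n",
]

if __name__ == "__main__":
    print(triage(SAMPLE_MAILBOX))
```

A bounce for a message you never sent can simply be discarded; replying to it or "bouncing" it back, as Vic avoided doing, only adds more noise to the flood.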
Steve
08-23-2005, 06:29 PM
I understood what you meant. ;) But have you asked your isp (my account name) if they know of any problems? That would be my next step.
Unfortunately, even though the scans come up clean, you could still have a problem on your machine. New types of malware take some time before they are noticed and even more time before there is a fix.
See what your isp has to say about it. It really seems to be the same problem Onetel is having.