#1
Startup
I have recently noticed the following in my Windows 98SE startup with checkmarks: CRCM.EXE and Microsoft Works Update Detection. Are these spyware? What is the best course of action? I am not sure how either one was added to my Selective Startup.
#2
CRCM.EXE most likely is, yes.

Dealing with Trojans & Hijackware

A. Removing Trojans and Trojanware with Sysclean

Create a new folder named Sysclean (e.g., C:\Program files\Sysclean or just a desktop folder). Download 'Sysclean.com' from http://www.trendmicro.com/download/dcs.asp to this folder. Download the latest 'Trend Pattern File' zip (e.g., lpt123.zip) from http://www.trendmicro.com/download/pattern.asp and extract its contents to the same folder; see the Readme text file for instructions.

Delete Temporary Internet Files (IE Tools > Internet Options > General), accepting the option to delete all offline content. Reboot and delete the contents of TEMP folders and the Recycle Bin.

Close all running programs including your anti-virus application, go offline, and run Sysclean. For best results, do nothing with the machine until the scan completes.

If the scan shows any infections in System Restore files:
(1) create a new Restore Point (Start > Programs > Accessories > System Tools > System Restore), then
(2) delete all but the most recent Restore Point (Start > Programs > Accessories > System Tools > Disk Cleanup > More Options [tab]).

Afterwards, update your own anti-virus application and perform another full system scan.

B. Hijackware

Help with Hijackware (all are MS MVP sites)
http://aumha.org/a/parasite.htm
http://aumha.org/a/quickfix.htm
http://mvps.org/winhelp2002/unwanted.htm
http://inetexplorer.mvps.org/Darnit.htm
http://www.mvps.org/sramesh2k/Malware_Defence.htm

Run the following tools in this order with nothing else running in the background:

1. CWShredder v2.0 (no updates available currently; choose Fix, not Scan)
2. Ad-Aware SE (reconfigure per http://aumha.org/forum/viewtopic.php?t=5877; Fix all found)
3. Spybot (RTFM; Immunize first and then scan; generally, fix everything in red)

Important: You must seek updates for Ad-Aware, Spybot, etc., before each and every use, even "right out of the box". But even they can't catch everything, 24/7.

When all else fails, HijackThis (http://forum.aumha.org/downloads/hijackthis.zip) is the preferred tool to use. It will help you to both identify and remove any hijackware/spyware. **Post your files to http://forums.spywareinfo.com/, http://castlecops.com/forum67.html or http://forum.aumha.org/viewforum.php?f=30 for expert analysis, not here.**

[Alternate download pages for many of the above tools may be found at http://aumha.org/a/parasite.htm.]

So How Did I Get Infected Anyway?
http://boards.cexx.org/viewtopic.php?t=957

--
~Robear Dyer (PA Bear)
MS MVP-Windows (IE/OE)

Joni wrote:
I have recently noticed the following in my Windows 98SE startup with checkmarks: CRCM.EXE and Microsoft Works Update Detection. Are these spyware?
#3
"PA Bear" wrote:
CRCM.EXE most likely is, yes.
#4
Thank you. Do you have any comment on the second item, Microsoft Works Update Detection? It seems that soon before I noticed this in my Selective Startup I got a message from Zone Alarm (free version). I thought it was Microsoft Word that was asking for access to the Internet and I denied it; however, after reading a comment I located on Google, it seems someone else denied a similar zone item, and now I believe it was actually Microsoft Works that may have asked permission. I read something else on Google and it sounded as if this was spyware, and still another item made it sound like this was a perfectly normal request for access. I'm still not sure how it got into my Selective Startup.

"PA Bear" wrote:
CRCM.EXE most likely is, yes.
#5
Many programs have automatic update functions. In most cases it's an option, in others it's built in. Whether or not they classify as spyware is debatable. In the best cases, when the app launches and its internal scheduler calls for a check for updates (could be on a schedule, could be every time you run it), it checks to see if there is a live internet connection, and if there is, it checks its profile against a catalog at its home site. If there is an update available that you don't have, it asks you if you'd like to download and install it. And that's all it does.

In less ideal cases, it forces a dial-up prompt whether one is active or not, or pops up an error warning that it couldn't find the site. If it does find the site, it downloads and installs without prompting (all of this not being optional). I suppose it might also check to see if you have a legal copy of the software, and perhaps even catalog your visit to the site.

In some cases, the app might be considered adware--every time you use it, it pops up ads. However, I seriously doubt that any reputable software vendor does much more than that. If it was actually transmitting personal data to the mothership, it wouldn't take long for users to discover this breach of trust and raise holy hell. Such adware and/or spyware apps might disguise themselves as Automatic Updaters, but any decent adware/spyware scanner would presumably include such apps in their databases.

In your particular case, you probably have an Option or Preference that enables/disables the automatic updater and/or modifies its behavior. Note that if you have it disabled in MSCONFIG when you change the Option or Preference, the change may not stick. Always enable such items in MSCONFIG, click OK, but don't restart when prompted. Then change the Option or Preference appropriately.

--
Gary S. Terhune
MS MVP Shell/User

"xxx" wrote in message ...
Thank you. Do you have any comment on the second item, Microsoft Works Update Detection?
#6
Looks legit:

wkdetect.exe
http://startup.iamnotageek.com/srch-wkdetect.exe.html
http://sysinfo.org/startuplist.php?filter=wkdetect.exe

WkUFind.exe
http://sysinfo.org/startuplist.php?l...0&offset=650

--
~Robear Dyer (PA Bear)
MS MVP-Windows (IE/OE)

xxx wrote:
Thank you. Do you have any comment on the second item, Microsoft Works Update Detection?
#7
Thank you. I followed some of your advice and incorporated it with advice from Aumha, and finally ended up posting my HijackThis log to Aumha. I had many questions along the way. I include a copy of my post and would appreciate any answers you can supply, since I am afraid all my questions may not be addressed by Aumha. Any additional comments are welcome.

My Post:

I would appreciate very much receiving answers to my questions in addition to instructions on what to remove from the log. Thank you.

I am posting my log here. The reason I am doing this is because I had CRCM.EXE listed in my Selective Startup and I did not put it there. I was advised by a post at a Microsoft forum that it is most likely spyware and it was suggested that I do the following: I also questioned Aumha about this and it was suggested that I do a thorough virus cleaning and parasite screen-and-clean of my computer.

First I followed the MS instructions and I ran Sysclean.com from trendmicro.com
http://www.trendmicro.com/download/dcs.asp
http://www.trendmicro.com/download/pattern.asp
Several errors occurred during the scan and they were marked access denied. The scan did not find anything.

I updated my Norton Anti-virus 2004 and ran it. It found inst2.dll (filename), Adware Iefeats (threat name). The delete failed. I then downloaded a fixit tool (fixlefts) and ran it, and I then got a message via Notepad that Adware Iefeats was not found on my computer. I assume it was removed (?)

If I look in Norton it says: 1/13/05, Virus scanner (feature), threat name Adware Iefeats, Action taken: Delete failed. If I try to copy and paste this line into this document, I get:
Threat category: Adware, Source: C:\WINDOWS\Downloaded Program Files\inst2.dll, Description: The file C:\WINDOWS\Downloaded Program Files\inst2.dll is a Adware threat.
If I do Find, it tells me it does not exist. I have now discovered that when I look in the Norton Reports Activity Log it tells me that on 1-13-05 Delete failed.

If I look in the Norton Activity Log Quarantine, under backup items, it lists crcm.exe (file name), Adware Iefeats (threat name) and says it is a backup of a deleted item. Note last week when I ran Norton, it also found Adware Iefeats and they were deleted. Now we know what crcm.exe is. Norton gives an explanation at http://securityresponse.symantec.com...e.iefeats.html (modifies the start page of the web browser without permission).

I do wonder: if I had run my spyware programs first, would they have found and gotten rid of this item?

The additional instructions from the MS forum were similar to the Quick Fix Protocol, so I followed it before posting this log. I have questions concerning these instructions.

1. Show It All. Why is it important to show hidden files? Do they not get checked otherwise? I ran my scans with show hidden files selected. There were many WRL files on the desktop, but if I looked in My Documents, many more were listed. Does each one listed on the desktop represent a series of files? There were also several files now showing that I recognize as my own WORD documents, but they show with an ~$ or ~$k preceding the document name. I have no idea why they show up like this. These $ signs really puzzle me (I think they show in some Winzip files also).

2. Housecleaning. I emptied temp Internet files and cookies. I recently ran CleanALL.BAT to clean out the temp files. It is my understanding that needed files will not get deleted this way – for example Zone Alarm. I then remember closing ZA, SG and Norton. I probably just deleted the temp Internet files after that. I do not think I actually deleted the temp files using Ctrl+A. So I must have tried deleting the temp files according to your directions, although I know that every time I reboot, these programs open automatically.

3. Quick Check finds nothing. I updated my spyware programs and ran them. I have CWShredder, Ad-Aware SE (free) and Spybot. I also updated SpywareGuard, SpywareBlaster and IE-SPYAD.

Note: When I ran CWS it restored 2 Internet Explorer pages and SpywareGuard popped up telling me about browser helpers - changes. I restored the old one but ran CWS several times and the same thing happened. These are the most recent reports in SG:

BROWSER HIJACK ALERT - BROWSER PAGE CHANGED
On 01:01:28 01/14/2005 a browser page change was detected.
Registry Location: HKCU\Software\Microsoft\Internet Explorer\Main\
Value Name: Search Bar
Old Value: res://C:\WINDOWS\vgcms.dll/sp.html#44768
New Value:
User Action Taken: RESTORE OLD VALUE
--------------------------------------------------------------------------------
BROWSER HIJACK ALERT - BROWSER PAGE CHANGED
On 01:04:43 01/14/2005 a browser page change was detected.
Registry Location: HKLM\Software\Microsoft\Internet Explorer\Main\
Value Name: Search Page
Old Value: res://C:\WINDOWS\vgcms.dll/sp.html#44768
New Value:
User Action Taken: RESTORE OLD VALUE
--------------------------------------------------------------------------------
BROWSER HIJACK ALERT - BROWSER PAGE CHANGED
On 01:08:14 01/14/2005 a browser page change was detected.
Registry Location: HKCU\Software\Microsoft\Internet Explorer\Main\
Value Name: Search Bar
Old Value: res://C:\WINDOWS\vgcms.dll/sp.html#44768
New Value:
User Action Taken: RESTORE OLD VALUE
--------------------------------------------------------------------------------
BROWSER HIJACK ALERT - BROWSER PAGE CHANGED
On 01:08:18 01/14/2005 a browser page change was detected.
Registry Location: HKLM\Software\Microsoft\Internet Explorer\Main\
Value Name: Search Page
Old Value: res://C:\WINDOWS\vgcms.dll/sp.html#44768
New Value:
User Action Taken: RESTORE OLD VALUE
--------------------------------------------------------------------------------
BROWSER HIJACK ALERT - BROWSER PAGE CHANGED
On 01:09:10 01/14/2005 a browser page change was detected.
Registry Location: HKCU\Software\Microsoft\Internet Explorer\Main\
Value Name: Search Bar
Old Value: res://C:\WINDOWS\vgcms.dll/sp.html#44768
New Value:
User Action Taken: RESTORE OLD VALUE
--------------------------------------------------------------------------------
BROWSER HIJACK ALERT - BROWSER PAGE CHANGED
On 01:09:14 01/14/2005 a browser page change was detected.
Registry Location: HKLM\Software\Microsoft\Internet Explorer\Main\
Value Name: Search Page
Old Value: res://C:\WINDOWS\vgcms.dll/sp.html#44768
New Value:
User Action Taken: RESTORE OLD VALUE
--------------------------------------------------------------------------------
BROWSER HIJACK ALERT - BROWSER PAGE CHANGED
On 01:12:24 01/14/2005 a browser page change was detected.
Registry Location: HKCU\Software\Microsoft\Internet Explorer\Main\
Value Name: Search Bar
Old Value: res://C:\WINDOWS\vgcms.dll/sp.html#44768
New Value:
User Action Taken: RESTORE OLD VALUE
--------------------------------------------------------------------------------
BROWSER HIJACK ALERT - BROWSER PAGE CHANGED
On 01:12:28 01/14/2005 a browser page change was detected.
Registry Location: HKLM\Software\Microsoft\Internet Explorer\Main\
Value Name: Search Page
Old Value: res://C:\WINDOWS\vgcms.dll/sp.html#44768
New Value:
User Action Taken: RESTORE OLD VALUE

In checking over my SG log, it seems this was not the first time I got these messages. Also see these items in the HijackThis log below. This leads me to believe that I will continue to get these changes unless fixed via HijackThis instructions.

I ran an Ad-Aware SE (free) full scan and it found 17 negligible items and I removed them. I ran the scan again and 4 more were found. I also removed them. After reading something from an Aumha page, it seems that Spybot in some form also removes these MRUs (negligible items), and it sounds to me like that is not such a good idea. Any comment?

I ran Spybot. (Please note: In the instructions I received from the MS forum it said immunize first and then scan. When I originally used Spybot I immunized. I did it again before running the scan. Seems it immunized additional items. Now I am wondering if you should immunize each time before you run the scan? When I immunized I got this menu: See Permanently running bad download blocker for IE. Browser Helper to block bad downloads NOT installed. Enable permanent blocking of bad addresses in IE. Can't do anything here. Is this something I should have installed? Note I do not use TeaTimer since I use SpywareGuard. I wonder if I would be better off with TeaTimer, and if so, would I have to uninstall Spybot and reinstall? SG uses a lot of resources. I am not sure if TeaTimer has anything to do with this.) I ran Spybot and all it found was the DSO Exploit (the bug in the program) that keeps coming back each time I run Spybot. I understand that you can get rid of this if you use the Advanced mode. I am not sure if I'm ready for the Advanced mode.

Please note this all started because I saw CRCM.EXE in my Startup group. Even though it seems that Norton has deleted and backed it up, it still appears in Selective Startup. Weatherbug at one time was downloaded and I removed it in Add/Remove; however, it still appears in Selective Startup. There is also a blank box with no description that appears in Selective Startup. I believe I once used a registry cleaner but it didn't remove these items. I do not feel comfortable editing the registry manually.

Also note I have a folder on my C drive called My Search. There is nothing in Add/Remove relating to this. I believe the MS forum told me I could delete it if still there after all these scans. Please comment. The reason I happened to find this is that I ran a Pest Patrol scan and it found My Search – Toolbar C:\Program Files\my search.

Please note I once remember something being placed in my Trusted Zone that I did not put there (I believe something from AOL). I decided to check my Trusted Sites list and this is what I found. I tried to remove it but it would not remove even after a reboot. Therefore, and since I do not keep anything in my trusted zone, I moved the slider from low to high, and I went to restricted sites and typed in *.frame.crazywinnings.com. What does the * mean? I now have this item in both trusted and restricted so I don't know what will happen, but now it is listed in the HijackThis log below. Please comment. A lot of items in my restricted zone were placed there via IE-SPYAD. I am wondering if this one could have been a misplacement in trusted?

Note: Other times when I ran HijackThis, I was not told "if I had anything disabled by MSConfig or any other startup manager, please re-enable it before scanning to post". I did not do this this time either because I am not too clear on the matter. Would I have to use Normal startup, and would I have to do Start – Programs – Disabled Startup Items and open all of them? If this is absolutely necessary, please explain if I can just do it, then run HijackThis again and post?

Logfile of HijackThis v1.99.0
Scan saved at 4:19:39 AM, on 1/14/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCSETMGR.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCPD-LC\SYMLCSVC.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
C:\PROGRAM FILES\MICROSOFT HARDWARE\KEYBOARD\TYPE32.EXE
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\SPYWAREGUARD\SGMAIN.EXE
C:\PROGRAM FILES\LOGITECH\MOUSEWARE\SYSTEM\EM_EXEC.EXE
C:\PROGRAM FILES\SPYWAREGUARD\SGBHP.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\HIJACK THIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\vgcms.dll/sp.html#44768
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://cgi.verizon.net/bookmarks/bmr...1.5&bm=ho_home
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\vgcms.dll/sp.html#44768
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Verizon Online
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - Default URLSearchHook is missing
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: Class - {13F30093-3988-8533-C5DC-3E8EE66F3EDF} - C:\WINDOWS\SYSTEM\IPYK.DLL (file missing)
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Symantec Core LC] C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe start
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [Logitech Utility] LOGI_MWX.EXE
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [ccEvtMgr] "c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
O4 - HKLM\..\RunServices: [ccSetMgr] "c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe"
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O12 - Plugin for .mpeg: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin3.dll
O12 - Plugin for .mpg: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin3.dll
O13 - DefaultPrefix:
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O15 - Trusted IP range: (HKLM)
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/tech...ActiveData.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/tech...a/SymAData.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {963BE66B-121D-4E6C-BF9F-1A774D9A2E41} (MSN Money Charting) - http://moneycentral.msn.com/cabs/pmupdate.exe
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O16 - DPF: {D06A22B4-6087-4D3D-B7AF-82B113E9ABD4} (CPostLaunch Object) - http://www2.verizon.net/update/msnwe...s/vzWebIns.CAB
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O16 - DPF: {E04EAE82-14AD-41CB-BF5A-45556ABB8347} (WebCoachDownload Class) - http://esupport.aol.com/help/engine/aolcinst.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10...o.cab32846.cab
O16 - DPF: {78FAE917-35E2-4A6B-9B40-000AD226482B} (MSN Money Ticker) - http://moneycentral.msn.com/cabs/ticker.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/...eInstaller.exe
O16 - DPF: {99B6E512-3893-4155-9964-8EB8E06099CB} (WebSpyWareKiller Class) - http://download.zonelabs.com/bin/pro...tor/WebSWK.cab
O16 - DPF: {22A88341-AFCB-45F0-A856-C2BAE74F878E} (InstallX Class) - http://www.t058.com/inst/enter.cab

PS After posting this log, Norton ran as scheduled and once again found Adware Iefeats, Delete failed, and the fix tool ran and left the message "Adware Iefeats has not been found on your computer." Is this because they previously backed it up and I suppose automatically quarantined it? Seems like Norton finds it all the time now. This I do not understand. I suppose each time I run CWShredder I'll keep getting BHO messages until Aumha advises me to remove certain items in the scan/post.

"xxx" wrote:
"PA Bear" wrote:
CRCM.EXE most likely is, yes.
Hijackware Help with Hijackware (all are MS MVP sites) http://aumha.org/a/parasite.htm http://aumha.org/a/quickfix.htm http://mvps.org/winhelp2002/unwanted.htm http://inetexplorer.mvps.org/Darnit.htm http://www.mvps.org/sramesh2k/Malware_Defence.htm Run the following tools in this order with nothing else running in background: 1. CWShredder v2.0 (no updates available currently; choose Fix, not Scan) 2. Ad-Aware SE (Reconfigure per http://aumha.org/forum/viewtopic.php?t=5877; Fix all found) 3. Spybot (RTFM; Immunize first and then scan; Generally, fix everything in red) Important: You must seek updates for Ad-Aware, Spybot, etc., before each and every use, even "right out of the box". But even they can't catch everything, 24/7. When all else fails, HijackThis (http://forum.aumha.org/downloads/hijackthis.zip) is the preferred tool to use. It will help you to both identify and remove any hijackware/spyware. **Post your files to http://forums.spywareinfo.com/, http://castlecops.com/forum67.html or http://forum.aumha.org/viewforum.php?f=30 for expert analysis, not here.** [Alternate download pages for many of the above tools may be found at http://aumha.org/a/parasite.htm.] So How Did I Get Infected Anyway? http://boards.cexx.org/viewtopic.php?t=957 -- ~Robear Dyer (PA Bear) MS MVP-Windows (IE/OE) Joni wrote: I have recently noticed the following in my Windows 98SE startup with checkmarks CRCM.EXE and Microsoft Works Update Detection Are these spyware? What is the best course of action? I am not sure how either one was added to my Selective Startup. |
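The HijackThis log posted above is plain text with a fixed line shape (entry code, a dash, a kind, a colon, then the details), so a first pass over it can be scripted rather than read entry by entry. What follows is an added example written for this page; it is not code from the thread, from HijackThis or from any of the tools PA Bear lists. It parses O4 (autostart), O15 (Trusted Zone) and O16 (ActiveX download) lines and produces a triage list: every site added to IE's Trusted Zone (IE applies relaxed security settings there, so each addition should have been made on purpose), every O16 control downloaded from a host outside an analyst-kept allowlist, and every autostart whose command is a bare file name with no path. The six sample lines are copied from the log above; the allowlist KNOWN_DPF_HOSTS is an assumed example value. A flag means "look at this", not "this is malicious".

```python
import re
from urllib.parse import urlparse

# Constructed sample input: six HijackThis-style lines of the entry types
# discussed here (O4, O15, O16), copied from the log posted in the thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {22A88341-AFCB-45F0-A856-C2BAE74F878E} (InstallX Class) - http://www.t058.com/inst/enter.cab
"""

# Assumed allowlist of hosts the analyst already accepts as sources of ActiveX
# (O16) downloads. Example value for this demonstration, not from the thread.
KNOWN_DPF_HOSTS = {"www.pandasoftware.com", "www-secure.symantec.com",
                   "download.zonelabs.com"}

# "O4 - HKLM\..\Run: [name] command"  ->  code / kind / body
ENTRY_RE = re.compile(r"^(?P<code>O\d+)\s+-\s+(?P<kind>[^:]+):\s*(?P<body>.*)$")
O4_RE = re.compile(r"^\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
# "{CLSID} (description) - URL"; the description is optional in real logs
O16_RE = re.compile(
    r"^(?P<clsid>\{[0-9A-Fa-f-]+\})\s*(?:\((?P<desc>[^)]*)\)\s*)?-\s*(?P<url>\S+)")


def executable_of(command):
    """Return the program part of an O4 command line (quoted path or first token)."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split()[0] if command else ""


def parse_line(line):
    """Parse one HijackThis log line into a dict; None if it is not an entry."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    entry = {"code": m["code"], "kind": m["kind"].strip(), "body": m["body"].strip()}
    if entry["code"] == "O4":
        m4 = O4_RE.match(entry["body"])
        if m4:
            entry["name"] = m4["name"]
            entry["command"] = m4["cmd"]
            entry["exe"] = executable_of(m4["cmd"])
    elif entry["code"] == "O16":
        m16 = O16_RE.match(entry["body"])
        if m16:
            entry["clsid"] = m16["clsid"]
            entry["desc"] = m16["desc"] or ""
            entry["url"] = m16["url"]
            entry["host"] = (urlparse(m16["url"]).hostname or "").lower()
    return entry


def parse_log(text):
    """Parse a whole log, skipping blank lines and non-entry text (e.g. the PS)."""
    return [e for e in (parse_line(line) for line in text.splitlines()) if e]


def review(entries, known_hosts=KNOWN_DPF_HOSTS):
    """Return (entry, reason) pairs an analyst should look at before fixing anything."""
    findings = []
    for e in entries:
        if e["code"] == "O15" and e["kind"] == "Trusted Zone":
            findings.append((e, "site placed in IE's Trusted Zone: relaxed security "
                                "settings apply to it; confirm it was added deliberately"))
        elif e["code"] == "O16" and e.get("host") and e["host"] not in known_hosts:
            findings.append((e, "ActiveX control downloaded from a host not on the allowlist"))
        elif e["code"] == "O4" and e.get("exe") and "\\" not in e["exe"]:
            findings.append((e, "autostart gives a bare file name, so which file runs "
                                "depends on the search path; locate it and check it"))
    return findings


if __name__ == "__main__":
    for entry, reason in review(parse_log(SAMPLE_LOG)):
        print(f"{entry['code']:<4}{entry['body']}\n     -> {reason}")
```

Run on the sample, this reports the bare SysTray.Exe autostart, both Trusted Zone lines for *.frame.crazywinnings.com, and the InstallX control from www.t058.com; the Panda ActiveScan control is on the allowlist and the fully pathed ZoneAlarm autostart is not flagged. The allowlist is where the analyst's judgement lives: the script narrows the log to the entries worth a closer look, which is the same job the forum helpers do by eye before telling a poster which items to fix.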