A Windows 98 & ME forum. Win98banter

Startup
  #1  
Old January 12th 05, 05:59 AM
Joni

I have recently noticed the following in my Windows 98SE startup with
checkmarks

CRCM.EXE
and
Microsoft Works Update Detection

Are these spyware? What is the best course of action?

I am not sure how either one was added to my Selective Startup.

  #2  
Old January 12th 05, 06:07 AM
PA Bear

CRCM.EXE most likely is, yes.

Dealing with Trojans & Hijackware

A. Removing Trojans and Trojanware with Sysclean

Create a new folder named Sysclean (e.g., C:\Program files\Sysclean or just
a desktop folder). Download 'Sysclean.com' from
http://www.trendmicro.com/download/dcs.asp to this folder. Download the
latest 'Trend Pattern File' zip (e.g., lpt123.zip) from
http://www.trendmicro.com/download/pattern.asp and extract its contents to
the same folder; see the Readme text file for instructions.

Delete Temporary Internet Files (IE Tools > Internet Options > General)
accepting the option to delete all offline content. Reboot and delete
contents of TEMP folders and Recycle Bin.

Close all running programs including your anti-virus application, go
offline, and run Sysclean. For best results, do nothing with the machine
until the scan completes.

If the scan shows any infections in System Restore files:

(1) create a new Restore Point (Start > Programs > Accessories > System
Tools > System Restore), then

(2) delete all but the most recent Restore Point
(Start > Programs > Accessories > System Tools > Disk Cleanup > More options [tab]).

Afterwards, update your own anti-virus application and perform another full
system scan.

B. Hijackware

Help with Hijackware (all are MS MVP sites)
http://aumha.org/a/parasite.htm
http://aumha.org/a/quickfix.htm
http://mvps.org/winhelp2002/unwanted.htm
http://inetexplorer.mvps.org/Darnit.htm
http://www.mvps.org/sramesh2k/Malware_Defence.htm

Run the following tools in this order with nothing else running in
background:

1. CWShredder v2.0 (no updates available currently; choose Fix, not Scan)

2. Ad-Aware SE (Reconfigure per http://aumha.org/forum/viewtopic.php?t=5877;
Fix all found)

3. Spybot (RTFM; Immunize first and then scan; Generally, fix everything in
red)

Important: You must seek updates for Ad-Aware, Spybot, etc., before each and
every use, even "right out of the box". But even they can't catch
everything, 24/7.

When all else fails, HijackThis
(http://forum.aumha.org/downloads/hijackthis.zip) is the preferred tool to
use. It will help you to both identify and remove any hijackware/spyware.
**Post your files to http://forums.spywareinfo.com/,
http://castlecops.com/forum67.html or
http://forum.aumha.org/viewforum.php?f=30 for expert analysis, not here.**

[Alternate download pages for many of the above tools may be found at
http://aumha.org/a/parasite.htm.]

So How Did I Get Infected Anyway?
http://boards.cexx.org/viewtopic.php?t=957

--
~Robear Dyer (PA Bear)
MS MVP-Windows (IE/OE)



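Post #2 ends by pointing at HijackThis and at forums that read its logs. The script below is an added example written for this page, not code from the thread or from the HijackThis or SpywareGuard authors: it parses HijackThis entry lines (R0/R1/R3/O2/O4) and SpywareGuard BROWSER HIJACK ALERT blocks of the shape xxx posts later in this thread, and flags the patterns a log reader acts on: an IE start or search page set to a res:// URL inside a local DLL, a BHO whose DLL is missing, a startup image not on an allowlist, and a SpywareGuard "RESTORE OLD VALUE" whose old value is itself the hijack. SAMPLE_HJT and SAMPLE_SG are constructed for the example (the CRCM.EXE Run entry and the start-page URL in them are made up), and KNOWN_GOOD_IMAGES is an assumed per-machine allowlist, not an authoritative startup database.

```python
"""Triage HijackThis entry lines and SpywareGuard hijack alerts (added example;
not code from this thread, HijackThis or SpywareGuard). SAMPLE_HJT/SAMPLE_SG
are constructed from the kinds of lines posted here; KNOWN_GOOD_IMAGES is an
assumed allowlist for one machine, not a real startup database."""
import re
from collections import Counter

# Assumed allowlist of Run/RunServices image basenames (rundll32.exe is only
# as trustworthy as the DLL it is told to load).
KNOWN_GOOD_IMAGES = {
    "systray.exe", "symlcsvc.exe", "ccapp.exe", "type32.exe", "logi_mwx.exe",
    "zlclient.exe", "rundll32.exe", "realsched.exe", "mstask.exe", "sbserv.exe",
}
HJT_ENTRY = re.compile(r"^(?P<kind>[RO]\d) - (?P<body>.+)$")
O4_IMAGE = re.compile(r'\]\s+"?(?P<path>[^"]+?\.exe)"?', re.IGNORECASE)
SG_FIELD = re.compile(r"^(Registry Location|Value Name|Old Value|New Value|"
                      r"User Action Taken):\s*(.*)$")

# Constructed sample: the thread's R1/R3/O2 lines plus CRCM.EXE as a Run entry.
SAMPLE_HJT = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\vgcms.dll/sp.html#44768
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.example.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\vgcms.dll/sp.html#44768
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {13F30093-3988-8533-C5DC-3E8EE66F3EDF} - C:\WINDOWS\SYSTEM\IPYK.DLL (file missing)
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [crcm] C:\WINDOWS\CRCM.EXE
"""
# Constructed sample: two SpywareGuard alerts of the shape posted in this thread.
SAMPLE_SG = r"""
BROWSER HIJACK ALERT - BROWSER PAGE CHANGED
On 01:01:28 01/14/2005 a browser page change was detected.
Registry Location: HKCU\Software\Microsoft\Internet Explorer\Main\
Value Name: Search Bar
Old Value: res://C:\WINDOWS\vgcms.dll/sp.html#44768
New Value:
User Action Taken: RESTORE OLD VALUE
BROWSER HIJACK ALERT - BROWSER PAGE CHANGED
On 01:08:14 01/14/2005 a browser page change was detected.
Registry Location: HKCU\Software\Microsoft\Internet Explorer\Main\
Value Name: Search Bar
Old Value: res://C:\WINDOWS\vgcms.dll/sp.html#44768
New Value:
User Action Taken: RESTORE OLD VALUE
"""


def parse_hjt(text):
    """Return (kind, body) for every HijackThis entry line."""
    matches = [HJT_ENTRY.match(ln.strip()) for ln in text.splitlines()]
    return [(m.group("kind"), m.group("body")) for m in matches if m]


def triage_hjt(entries):
    """Flag the entries a log reader would act on; returns (kind, reason, body)."""
    findings = []
    for kind, body in entries:
        if kind in ("R0", "R1") and "res://" in body:
            reason = "IE page points at a res:// resource inside a local DLL: hijack"
        elif kind == "R3" and "missing" in body:
            reason = "default URLSearchHook removed, typical hijacker residue"
        elif kind == "O2" and re.search(r"\((file missing|no file)\)", body):
            reason = "BHO registered but its DLL is gone: orphan entry"
        elif kind == "O4":
            m = O4_IMAGE.search(body)
            image = m.group("path").replace("/", "\\").rsplit("\\", 1)[-1].lower() if m else None
            if image in KNOWN_GOOD_IMAGES:
                continue
            reason = f"startup image not on allowlist: {image}"
        else:
            continue
        findings.append((kind, reason, body))
    return findings


def parse_sg_alerts(text):
    """Split a SpywareGuard log into one dict per BROWSER HIJACK ALERT block."""
    alerts, cur = [], None
    for line in (ln.strip() for ln in text.splitlines()):
        if line.startswith("BROWSER HIJACK ALERT"):
            cur = {}
            alerts.append(cur)
        elif cur is not None and line.startswith("On ") and " a browser" in line:
            cur["time"] = line[3:].split(" a browser")[0]
        elif cur is not None and (m := SG_FIELD.match(line)):
            cur[m.group(1)] = m.group(2)
    return alerts


def triage_sg(alerts):
    """Count 'RESTORE OLD VALUE' actions whose old value is itself a res:// hijack:
    each one re-applies the hijacked page after a cleanup tool blanked it."""
    hits = Counter()
    for a in alerts:
        old = a.get("Old Value", "")
        if old.lower().startswith("res://") and a.get("User Action Taken") == "RESTORE OLD VALUE":
            hits[(a.get("Registry Location", ""), a.get("Value Name", ""), old)] += 1
    return [{"location": loc, "value": name, "hijack": old, "restores": n}
            for (loc, name, old), n in sorted(hits.items())]


if __name__ == "__main__":
    for kind, reason, body in triage_hjt(parse_hjt(SAMPLE_HJT)):
        print(f"[{kind}] {reason}\n     {body}")
    for hit in triage_sg(parse_sg_alerts(SAMPLE_SG)):
        print(f"[SG] {hit['value']} restored to {hit['hijack']} {hit['restores']}x")
```

Run it as a script to print the findings. The SpywareGuard check is the one worth keeping in mind when reading the alert log xxx posts: an alert whose "Old Value" is a res:// path and whose "New Value" is blank records a cleanup tool emptying the hijacked value, so answering RESTORE OLD VALUE puts the hijack back; the R1 lines and the DLL they name have to be removed for the change to stick.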
  #4  
Old January 12th 05, 06:45 AM
xxx

Thank you. Do you have any comment on the second item, Microsoft Works
Update Detection? It seems that soon before I noticed this in my Selective
Startup I got a message from Zone Alarm (free version). I thought it was
Microsoft Word that was asking for access to the Internet and I denied it;
however, after reading a comment I located on Google, it seems someone else
denied a similar zone item and now I believe it was actually Microsoft Works
that may have asked permission. I read something else on Google and it
sounded as if this was spyware and still another item made it sound like this
was a perfectly normal request for access. I'm still not sure how it got
into my Selective Startup.

"PA Bear" wrote:

CRCM.EXE most likely is, yes.

Dealing with Trojans & Hijackware

A. Removing Trojans and Trojanware with Sysclean

Create a new folder named Sysclean (e.g., C:\Program files\Sysclean or just
a desktop folder). Download 'Sysclean.com' from
http://www.trendmicro.com/download/dcs.asp to this folder. Download the
latest 'Trend Pattern File' zip (e.g., lpt123.zip) from
http://www.trendmicro.com/download/pattern.asp and extract its contents to
the same folder; see the Readme text file for instructions.

Delete Temporary Internet Files (IE ToolsInternet OptionsGeneral)
accepting the option to delete all offline content. Reboot and delete
contents of TEMP folders and Recycle Bin.

Close all running programs including your anti-virus application, go
offline, and run Sysclean. For best results, do nothing with the machine
until the scan completes.

If the scan shows any infections in System Restore files:

(1) create a new Restore Point (StartProgramsAccessoriesSystem
ToolsSystem Restore), then

(2) delete all but the most recent Restore Point
(StartProgramsAccessoriesSystem ToolsDisk CleanupMore options [tab]).

Afterwards, update your own anti-virus application and perform another full
system scan.

B. Hijackware

Help with Hijackware (all are MS MVP sites)
http://aumha.org/a/parasite.htm
http://aumha.org/a/quickfix.htm
http://mvps.org/winhelp2002/unwanted.htm
http://inetexplorer.mvps.org/Darnit.htm
http://www.mvps.org/sramesh2k/Malware_Defence.htm

Run the following tools in this order with nothing else running in
background:

1. CWShredder v2.0 (no updates available currently; choose Fix, not Scan)

2. Ad-Aware SE (Reconfigure per http://aumha.org/forum/viewtopic.php?t=5877;
Fix all found)

3. Spybot (RTFM; Immunize first and then scan; Generally, fix everything in
red)

Important: You must seek updates for Ad-Aware, Spybot, etc., before each and
every use, even "right out of the box". But even they can't catch
everything, 24/7.

When all else fails, HijackThis
(http://forum.aumha.org/downloads/hijackthis.zip) is the preferred tool to
use. It will help you to both identify and remove any hijackware/spyware.
**Post your files to http://forums.spywareinfo.com/,
http://castlecops.com/forum67.html or
http://forum.aumha.org/viewforum.php?f=30 for expert analysis, not here.**

[Alternate download pages for many of the above tools may be found at
http://aumha.org/a/parasite.htm.]

So How Did I Get Infected Anyway?
http://boards.cexx.org/viewtopic.php?t=957

--
~Robear Dyer (PA Bear)
MS MVP-Windows (IE/OE)


Joni wrote:
I have recently noticed the following in my Windows 98SE startup with
checkmarks

CRCM.EXE
and
Microsoft Works Update Detection

Are these spyware? What is the best course of action?

I am not sure how either one was added to my Selective Startup.



  #5  
Old January 12th 05, 11:12 AM
Gary S. Terhune

Many programs have automatic update functions. In most cases it's an
option, in others it's built in. Whether or not they classify as spyware
is debatable. In the best cases, when the app launches and its internal
scheduler calls for a check for updates (could be on a schedule, could
be every time you run it), it checks to see if there is a live internet
connection, and if there is, it checks its profile against a catalog at
its home site. If there is an update available that you don't have, it
asks you if you'd like to download and install it. And that's all it
does.

In less ideal cases, it forces a dial-up prompt whether one is active or
not, or pops up an error warning that it couldn't find the site. If it
does find the site, it downloads and installs without prompting (all of
this not being optional). I suppose it might also check to see if you
have a legal copy of the software, and perhaps even catalog your visit
to the site.

In some cases, the app might be considered adware--every time you use
it, it pops up ads. However, I seriously doubt that any reputable
software vendor does much more than that. If it was actually
transmitting personal data to the mothership, it wouldn't take long for
users to discover this breach of trust and raise holy hell. Such adware
and/or spyware apps might disguise themselves as Automatic Updaters, but
any decent adware/spyware scanner would presumably include such apps in
their databases.

In your particular case, you probably have an Option or Preference that
enables/disables the automatic updater and/or modifies its behavior.
Note that if you have it disabled in MSCONFIG when you change the Option
or Preference, the change may not stick. Always enable such items in
MSCONFIG, click OK, but don't restart when prompted. Then change the
Option or Preference appropriately.

--
Gary S. Terhune
MS MVP Shell/User
"xxx" wrote in message =
...
Thank you. Do you have any comment on the second item, Microsoft =

Works=20
Update Detection. It seems that soon before I noticed this in my =

Selective=20
Startup I got a message from Zone Alarm (free version). I thought it =

was=20
Microsoft Word that was asking for access to the Internet and I denied =

it;=20
however after reading a comment I located on Google, it seems someone =

else=20
denied a similar zone item and now I believe it was actually Microsoft =

Works=20
that may have asked permission. I read something else on Google and =

it=20
sounded as if this was spyware and still another item made it sound =

like this=20
was a perfectly normal request for access. I'm still not sure how it =

got=20
into my selective startup.
=20
"PA Bear" wrote:
=20
CRCM.EXE most likely is, yes.
=20
Dealing with Trojans & Hijackware
=20
A. Removing Trojans and Trojanware with Sysclean
=20
Create a new folder named Sysclean (e.g., C:\Program files\Sysclean =

or just=20
a desktop folder). Download 'Sysclean.com' from=20
http://www.trendmicro.com/download/dcs.asp to this folder. Download =

the=20
latest 'Trend Pattern File' zip (e.g., lpt123.zip) from=20
http://www.trendmicro.com/download/pattern.asp and extract its =

contents to=20
the same folder; see the Readme text file for instructions.
=20
Delete Temporary Internet Files (IE ToolsInternet OptionsGeneral)=20
accepting the option to delete all offline content. Reboot and =

delete=20
contents of TEMP folders and Recycle Bin.
=20
Close all running programs including your anti-virus application, go =


offline, and run Sysclean. For best results, do nothing with the =

machine=20
until the scan completes.
=20
If the scan shows any infections in System Restore files:
=20
(1) create a new Restore Point (StartProgramsAccessoriesSystem =


ToolsSystem Restore), then
=20
(2) delete all but the most recent Restore Point=20
(StartProgramsAccessoriesSystem ToolsDisk CleanupMore options =

[tab]).
=20
Afterwards, update your own anti-virus application and perform =

another full=20
system scan.
=20
B. Hijackware
=20
Help with Hijackware (all are MS MVP sites)
http://aumha.org/a/parasite.htm
http://aumha.org/a/quickfix.htm
http://mvps.org/winhelp2002/unwanted.htm
http://inetexplorer.mvps.org/Darnit.htm
http://www.mvps.org/sramesh2k/Malware_Defence.htm
=20
Run the following tools in this order with nothing else running in=20
background:
=20
1. CWShredder v2.0 (no updates available currently; choose Fix, not =

Scan)
=20
2. Ad-Aware SE (Reconfigure per =

http://aumha.org/forum/viewtopic.php?t=3D5877;=20
Fix all found)
=20
3. Spybot (RTFM; Immunize first and then scan; Generally, fix =

everything in=20
red)
=20
Important: You must seek updates for Ad-Aware, Spybot, etc., before =

each and=20
every use, even "right out of the box". But even they can't catch=20
everything, 24/7.
=20
When all else fails, HijackThis
(http://forum.aumha.org/downloads/hijackthis.zip) is the preferred =

tool to=20
use. It will help you to both identify and remove any =

hijackware/spyware.=20
**Post your files to http://forums.spywareinfo.com/,=20
http://castlecops.com/forum67.html or=20
http://forum.aumha.org/viewforum.php?f=3D30 for expert analysis, not =

here.**
=20
[Alternate download pages for many of the above tools may be found =

at=20
http://aumha.org/a/parasite.htm.]
=20
So How Did I Get Infected Anyway?
http://boards.cexx.org/viewtopic.php?t=3D957
=20
--=20
~Robear Dyer (PA Bear)
MS MVP-Windows (IE/OE)
=20
=20
Joni wrote:
I have recently noticed the following in my Windows 98SE startup =

with
checkmarks

CRCM.EXE
and
Microsoft Works Update Detection

Are these spyware? What is the best course of action?

I am not sure how either one was added to my Selective Startup.=20

=20

  #6  
Old January 13th 05, 10:42 PM
PA Bear

Looks legit:

wkdetect.exe
http://startup.iamnotageek.com/srch-wkdetect.exe.html
http://sysinfo.org/startuplist.php?filter=wkdetect.exe

WkUFind.exe
http://sysinfo.org/startuplist.php?l...0&offset=6 50
--
~Robear Dyer (PA Bear)
MS MVP-Windows (IE/OE)



  #7  
Old January 15th 05, 02:35 AM
xxx

Thank you. I followed some of your advice and incorporated it with advice
from AumHa and finally ended up posting my HijackThis log to AumHa. I had
many questions along the way. I include a copy of my post and would
appreciate any answers you can supply since I am afraid all my questions may
not be addressed by AumHa. Any additional comments are welcome.

My Post:

I would appreciate very much receiving answers to my questions in addition
to instructions on what to remove from log. Thank you.

I am posting my log here. The reason I am doing this is because I had
CRCM.EXE listed in my Selective Startup and I did not put it there. I was
advised by a post at a Microsoft forum that it is most likely spyware and it
was suggested that I do the following:

I also questioned AumHa about this and it was suggested that I do a thorough
virus cleaning and parasite screen-and-clean of my computer.

First I followed the MS instructions and I ran Sysclean.com from
trendmicro.com
http://www.trendmicro.com/download/dcs.asp
http://www.trendmicro.com/download/pattern.asp
Several errors occurred during the scan and they were marked access denied.
The scan did not find anything. I updated my Norton Anti-virus 2004 and ran
it. It found inst2.dll (filename), Adware.Iefeats (threat name). The delete
failed. I then downloaded a fixit tool (fixlefts) and ran it and I then got a
message via Notepad that Adware.Iefeats was not found on my computer. I
assume it was removed (?) If I look in Norton it says:
1/13/05 Virus scanner (feature), threat name Adware.Iefeats, Action taken
Delete failed.
If I try to copy and paste this line into this document, I get:
Threat category: Adware; Source: C:\WINDOWS\Downloaded Program
Files\inst2.dll; Description: The file C:\WINDOWS\Downloaded Program
Files\inst2.dll is an Adware threat.
If I do a Find, it tells me it does not exist.

I have now discovered that when I look in the Norton Reports Activity Log
it tells me that on 1-13-05 Delete failed. If I look in the Norton Activity
Log Quarantine, under backup items, it lists crcm.exe (file name), Adware.Iefeats
(threat name) and says it is a backup of a deleted item. Note last week
when I ran Norton, it also found Adware.Iefeats and they were deleted. Now we
know what crcm.exe is. Norton gives an explanation at
http://securityresponse.symantec.com...e.iefeats.html
(modifies the start page of the web browser without permission)
I do wonder if, had I run my spyware programs first, they would have
found and gotten rid of this item. The additional instructions from the MS forum
were similar to the Quick Fix Protocol so I followed it before posting this
log.

I have questions concerning these instructions. 1. Show It All. Why is it
important to show hidden files? Do they not get checked otherwise? I ran my
scans with show hidden files selected. There were many WRL files on the
desktop but if I looked in My Documents, many more were listed. Does each
one listed on the desktop represent a series of files? There were also
several files now showing that I recognize as my own Word documents but they
show with an ~$ or ~$k preceding the document name. I have no idea why they
show up like this. These $ signs really puzzle me (I think they show in some
WinZip files also).

2. Housecleaning. I emptied temp Internet files and cookies. I recently
ran CleanALL.BAT to clean out the temp files. It is my understanding that
needed files will not get deleted this way, for example Zone Alarm. I then
remember closing ZA, SG and Norton. I probably just deleted the temp
Internet files after that. I do not think I actually deleted the temp files
using Ctrl+A.
So I must have tried deleting the temp files according to your directions
although I know that every time I reboot, these programs open automatically.

3. Quick Check finds nothing.

I updated my spyware programs and ran them. I have CWShredder, Ad-Aware SE
(free) and Spybot. I also updated SpywareGuard, SpywareBlaster and IE-SPYAD.

Note: When I ran CWS it restored 2 Internet Explorer pages and SpywareGuard
popped up telling me about browser helpers - changes. I restored old one but
ran CWS several times and the same thing happened.

These are the most recent reports in SG
BROWSER HIJACK ALERT - BROWSER PAGE CHANGED
On 01:01:28 01/14/2005 a browser page change was detected.
Registry Location: HKCU\Software\Microsoft\Internet Explorer\Main\
Value Name: Search Bar
Old Value: res://C:\WINDOWS\vgcms.dll/sp.html#44768
New Value:
User Action Taken: RESTORE OLD VALUE

--------------------------------------------------------------------------------
BROWSER HIJACK ALERT - BROWSER PAGE CHANGED
On 01:04:43 01/14/2005 a browser page change was detected.
Registry Location: HKLM\Software\Microsoft\Internet Explorer\Main\
Value Name: Search Page
Old Value: res://C:\WINDOWS\vgcms.dll/sp.html#44768
New Value:
User Action Taken: RESTORE OLD VALUE

--------------------------------------------------------------------------------
BROWSER HIJACK ALERT - BROWSER PAGE CHANGED
On 01:08:14 01/14/2005 a browser page change was detected.
Registry Location: HKCU\Software\Microsoft\Internet Explorer\Main\
Value Name: Search Bar
Old Value: res://C:\WINDOWS\vgcms.dll/sp.html#44768
New Value:
User Action Taken: RESTORE OLD VALUE

--------------------------------------------------------------------------------
BROWSER HIJACK ALERT - BROWSER PAGE CHANGED
On 01:08:18 01/14/2005 a browser page change was detected.
Registry Location: HKLM\Software\Microsoft\Internet Explorer\Main\
Value Name: Search Page
Old Value: res://C:\WINDOWS\vgcms.dll/sp.html#44768
New Value:
User Action Taken: RESTORE OLD VALUE

--------------------------------------------------------------------------------
BROWSER HIJACK ALERT - BROWSER PAGE CHANGED
On 01:09:10 01/14/2005 a browser page change was detected.
Registry Location: HKCU\Software\Microsoft\Internet Explorer\Main\
Value Name: Search Bar
Old Value: res://C:\WINDOWS\vgcms.dll/sp.html#44768
New Value:
User Action Taken: RESTORE OLD VALUE

--------------------------------------------------------------------------------
BROWSER HIJACK ALERT - BROWSER PAGE CHANGED
On 01:09:14 01/14/2005 a browser page change was detected.
Registry Location: HKLM\Software\Microsoft\Internet Explorer\Main\
Value Name: Search Page
Old Value: res://C:\WINDOWS\vgcms.dll/sp.html#44768
New Value:
User Action Taken: RESTORE OLD VALUE

--------------------------------------------------------------------------------
BROWSER HIJACK ALERT - BROWSER PAGE CHANGED
On 01:12:24 01/14/2005 a browser page change was detected.
Registry Location: HKCU\Software\Microsoft\Internet Explorer\Main\
Value Name: Search Bar
Old Value: res://C:\WINDOWS\vgcms.dll/sp.html#44768
New Value:
User Action Taken: RESTORE OLD VALUE

--------------------------------------------------------------------------------
BROWSER HIJACK ALERT - BROWSER PAGE CHANGED
On 01:12:28 01/14/2005 a browser page change was detected.
Registry Location: HKLM\Software\Microsoft\Internet Explorer\Main\
Value Name: Search Page
Old Value: res://C:\WINDOWS\vgcms.dll/sp.html#44768
New Value:
User Action Taken: RESTORE OLD VALUE

In checking over my SG log, it seems this was not the first time I got these
messages. Also see these items in the HijackThis log below. This leads me to
believe that I will continue to get these changes unless fixed via HijackThis
instructions.

I ran Ad-Aware SE (free) full scan and it found 17 negligible items and I
removed them. I ran the scan again and 4 more were found. I also removed
them. After reading something from an AumHa page, it seems that Spybot in
some form also removes these MRUs (negligible items) and it sounds to me
like that is not such a good idea. Any comment?

I ran Spybot. (Please note: in the instructions I received from the MS
forum it said immunize first and then scan. When I originally used Spybot I
immunized. I did it again before running the scan. Seems it immunized
additional items. Now I am wondering if you should immunize each time before
you run the scan?) When I immunized I got this menu:

See Permanently running bad download blocker for IE
Browser Helper to block bad downloads NOT installed.
Enable permanent blocking of bad addresses in IE. Can't do anything here.
Is this something I should have installed? Note I do not use TeaTimer since I
use SpywareGuard. I wonder if I would be better off with TeaTimer and if so
would I have to uninstall Spybot and reinstall? SG uses a lot of resources.
I am not sure if TeaTimer has anything to do with this.

I ran Spybot and all it found was the DSO Exploit (the bug in program) that
keeps coming back each time I run Spybot. I understand that you can get rid
of this if you use the Advanced mode. I am not sure if I’m ready for the
advanced mode.

Please note this all started because I saw CRCM.EXE in my Startup group.
Even though it seems that Norton has deleted and backed it up, it still
appears in Selective Startup. WeatherBug at one time was downloaded and I
removed it in Add/Remove; however, it still appears in Selective Startup.
There is also a blank box with no description that appears in Selective
Startup. I believe I once used a registry cleaner but it didn't remove these
items. I do not feel comfortable editing the registry manually.

Also note I have a folder on my C drive called My Search. There is nothing
in Add/Remove relating to this. I believe the MS forum told me I could delete it
if still there after all these scans. Please comment. The reason I happened
to find this is that I ran a Pest Patrol scan and it found My Search
Toolbar, C:\Program Files\my search.

Please note I once remember something being placed in my Trusted Zone that I
did not put there (I believe something from AOL). I decided to check my
Trusted Sites list and this is what I found.

I tried to remove it but it would not remove even after a reboot. Therefore,
and since I do not keep anything in my trusted zone, I moved the slider from
low to high and I went to Restricted Sites and typed in
*.frame.crazywinnings.com. What does the * mean? I now have this item in
both Trusted and Restricted so I don't know what will happen, but now it is
listed in the HijackThis log below. Please comment. A lot of items in my
Restricted zone were placed there via IE-SPYAD. I am wondering if this one
could have been a misplacement in Trusted?

Note: other times when I ran HijackThis, I was not told "if I had anything
disabled by MSConfig or any other startup manager, please re-enable it before
scanning to post." I did not do this this time either because I am not too
clear on the matter. Would I have to use Normal Startup and would I have to
do Start – Programs – Disabled Startup Items and open all of them? If this
is absolutely necessary, please explain if I can just do it then run
HijackThis again and post?

Logfile of HijackThis v1.99.0
Scan saved at 4:19:39 AM, on 1/14/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCSETMGR.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCPD-LC\SYMLCSVC.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
C:\PROGRAM FILES\MICROSOFT HARDWARE\KEYBOARD\TYPE32.EXE
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\SPYWAREGUARD\SGMAIN.EXE
C:\PROGRAM FILES\LOGITECH\MOUSEWARE\SYSTEM\EM_EXEC.EXE
C:\PROGRAM FILES\SPYWAREGUARD\SGBHP.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\HIJACK THIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar =
res://C:\WINDOWS\vgcms.dll/sp.html#44768
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
http://cgi.verizon.net/bookmarks/bmr...1.5&bm=ho_home
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page =
res://C:\WINDOWS\vgcms.dll/sp.html#44768
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak =
about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft
Internet Explorer provided by Verizon Online
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet
Settings,ProxyOverride = localhost
R3 - Default URLSearchHook is missing
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program
Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: Class - {13F30093-3988-8533-C5DC-3E8EE66F3EDF} -
C:\WINDOWS\SYSTEM\IPYK.DLL (file missing)
O2 - BHO: SpywareGuard Download Protection -
{4A368E80-174F-4872-96B5-0B27DDD11DB2} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} -
C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} -
c:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Symantec Core LC] C:\Program Files\Common Files\Symantec
Shared\CCPD-LC\symlcsvc.exe start
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec
Shared\ccApp.exe"
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft
Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [Logitech Utility] LOGI_MWX.EXE
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone
Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe
powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common
Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common
Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [ccEvtMgr] "c:\Program Files\Common Files\Symantec
Shared\ccEvtMgr.exe"
O4 - HKLM\..\RunServices: [ccSetMgr] "c:\Program Files\Common Files\Symantec
Shared\ccSetMgr.exe"
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
-service
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe
powrprof.dll,LoadCurrentPwrScheme
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} -
C:\WINDOWS\SYSTEM\Shdocvw.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} -
C:\WINDOWS\SYSTEM\MSJAVA.DLL
O9 - Extra 'Tools' menuitem: Sun Java Console -
{08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O12 - Plugin for .mpeg: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin3.dll
O12 - Plugin for .mpg: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin3.dll
O13 - DefaultPrefix:
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O15 - Trusted IP range: (HKLM)
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) -
https://www-secure.symantec.com/tech...ActiveData.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) -
https://www-secure.symantec.com/tech...a/SymAData.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer
Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {963BE66B-121D-4E6C-BF9F-1A774D9A2E41} (MSN Money Charting) -
http://moneycentral.msn.com/cabs/pmupdate.exe
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) -
http://www.ravantivirus.com/scan/ravonline.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) -
http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O16 - DPF: {D06A22B4-6087-4D3D-B7AF-82B113E9ABD4} (CPostLaunch Object) -
http://www2.verizon.net/update/msnwe...s/vzWebIns.CAB
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj
Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O16 - DPF: {E04EAE82-14AD-41CB-BF5A-45556ABB8347} (WebCoachDownload Class) -
http://esupport.aol.com/help/engine/aolcinst.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) -
http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13}
(PPSDKActiveXScanner.MainScreen) -
http://www.pestscan.com/scanner/axscanner.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) -
http://zone.msn.com/binFramework/v10...o.cab32846.cab
O16 - DPF: {78FAE917-35E2-4A6B-9B40-000AD226482B} (MSN Money Ticker) -
http://moneycentral.msn.com/cabs/ticker.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} -
http://a1540.g.akamai.net/7/1540/52/...eInstaller.exe
O16 - DPF: {99B6E512-3893-4155-9964-8EB8E06099CB} (WebSpyWareKiller Class) -
http://download.zonelabs.com/bin/pro...tor/WebSWK.cab
O16 - DPF: {22A88341-AFCB-45F0-A856-C2BAE74F878E} (InstallX Class) -
http://www.t058.com/inst/enter.cab

PS After posting this log, Norton ran as scheduled and once again found
Ad.lefets ("Delete failed"), and the fix tool ran and left the message "Ad-ware
lefeats has not been found on your computer." Is this because they previously
backed it up and, I suppose, automatically quarantined it? Seems like Norton
finds it all the time now. This I do not understand.

I suppose each time I run CWShredder I'll keep getting BHO messages until
Auhuma advised me to remove certain items in the scan/post.




"xxx" wrote:



"PA Bear" wrote:

CRCM.EXE most likely is, yes.

Dealing with Trojans & Hijackware

A. Removing Trojans and Trojanware with Sysclean

Create a new folder named Sysclean (e.g., C:\Program files\Sysclean or just
a desktop folder). Download 'Sysclean.com' from
http://www.trendmicro.com/download/dcs.asp to this folder. Download the
latest 'Trend Pattern File' zip (e.g., lpt123.zip) from
http://www.trendmicro.com/download/pattern.asp and extract its contents to
the same folder; see the Readme text file for instructions.

Delete Temporary Internet Files (IE Tools > Internet Options > General)
accepting the option to delete all offline content. Reboot and delete
contents of TEMP folders and Recycle Bin.

Close all running programs including your anti-virus application, go
offline, and run Sysclean. For best results, do nothing with the machine
until the scan completes.

If the scan shows any infections in System Restore files:

(1) create a new Restore Point (Start > Programs > Accessories > System
Tools > System Restore), then

(2) delete all but the most recent Restore Point
(Start > Programs > Accessories > System Tools > Disk Cleanup > More options [tab]).

Afterwards, update your own anti-virus application and perform another full
system scan.

B. Hijackware

Help with Hijackware (all are MS MVP sites)
http://aumha.org/a/parasite.htm
http://aumha.org/a/quickfix.htm
http://mvps.org/winhelp2002/unwanted.htm
http://inetexplorer.mvps.org/Darnit.htm
http://www.mvps.org/sramesh2k/Malware_Defence.htm

Run the following tools in this order with nothing else running in
background:

1. CWShredder v2.0 (no updates available currently; choose Fix, not Scan)

2. Ad-Aware SE (Reconfigure per http://aumha.org/forum/viewtopic.php?t=5877;
Fix all found)

3. Spybot (RTFM; Immunize first and then scan; Generally, fix everything in
red)

Important: You must seek updates for Ad-Aware, Spybot, etc., before each and
every use, even "right out of the box". But even they can't catch
everything, 24/7.

When all else fails, HijackThis
(http://forum.aumha.org/downloads/hijackthis.zip) is the preferred tool to
use. It will help you to both identify and remove any hijackware/spyware.
**Post your files to http://forums.spywareinfo.com/,
http://castlecops.com/forum67.html or
http://forum.aumha.org/viewforum.php?f=30 for expert analysis, not here.**

[Alternate download pages for many of the above tools may be found at
http://aumha.org/a/parasite.htm.]

So How Did I Get Infected Anyway?
http://boards.cexx.org/viewtopic.php?t=957

--
~Robear Dyer (PA Bear)
MS MVP-Windows (IE/OE)


Joni wrote:
I have recently noticed the following in my Windows 98SE startup with
checkmarks

CRCM.EXE
and
Microsoft Works Update Detection

Are these spyware? What is the best course of action?

I am not sure how either one was added to my Selective Startup.
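A triage pass over lines in this HijackThis format, added here as an example (not the poster's log or any tool mentioned in the thread): it flags R0/R1 entries redirected into a local DLL resource, orphaned O2 BHOs, O15 Trusted Zone entries (spelling out that a leading `*.` is a wildcard covering every subdomain of that name), and O16 ActiveX downloads from hosts outside an allowlist. The sample lines are constructed from entries in the log above, and the `KNOWN_DPF_HOSTS` allowlist is an assumption the owner would maintain.

```python
import re
from urllib.parse import urlparse

# Constructed sample in HijackThis v1.99 line format, modelled on entries
# from the log in this thread (not the poster's complete log).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\vgcms.dll/sp.html#44768
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://cgi.verizon.net/bookmarks/
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: Class - {13F30093-3988-8533-C5DC-3E8EE66F3EDF} - C:\WINDOWS\SYSTEM\IPYK.DLL (file missing)
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O15 - Trusted IP range: (HKLM)
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {22A88341-AFCB-45F0-A856-C2BAE74F878E} (InstallX Class) - http://www.t058.com/inst/enter.cab
"""

# Assumed allowlist of hosts the owner has knowingly installed ActiveX
# scanners from; anything else is surfaced for review.
KNOWN_DPF_HOSTS = {"www.pandasoftware.com", "moneycentral.msn.com"}

ENTRY_RE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.+)$")
def triage(log_text, known_hosts=KNOWN_DPF_HOSTS):
    """Return (section, reason, line) triples for entries worth a closer look."""
    findings = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        sec, body = m.group("sec"), m.group("body")
        if sec in ("R0", "R1") and "= res://" in body:
            # Search/start page pointed at a resource inside a local DLL: the search-page hijack pattern.
            findings.append((sec, "IE page setting redirected into a local DLL resource", line))
        elif sec == "O2" and ("(file missing)" in body or "(no file)" in body):
            findings.append((sec, "BHO registered but its DLL is absent (orphaned entry)", line))
        elif sec == "O15" and "Trusted Zone:" in body:
            host = body.split("Trusted Zone:", 1)[1].split()[0]
            # A leading "*." is a wildcard: every subdomain of that name is trusted.
            scope = "all subdomains of " + host[2:] if host.startswith("*.") else host
            findings.append((sec, f"site in IE Trusted Zone (covers {scope})", line))
        elif sec == "O16":
            host = urlparse(body.rsplit(" - ", 1)[-1]).hostname or ""
            if host not in known_hosts:
                findings.append((sec, f"ActiveX control downloaded from unlisted host {host}", line))
    return findings

if __name__ == "__main__":
    for sec, reason, line in triage(SAMPLE_LOG):
        print(f"[{sec}] {reason}\n    {line.strip()}")
```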



Powered by vBulletin® Version 3.6.4
Copyright ©2000 - 2024, Jelsoft Enterprises Ltd.
Copyright ©2004-2024 Win98banter.
The comments are property of their posters.