specific hidden files?

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by tamar, Dec 18, 2005.

  1. tamar

    tamar Private First Class

    I have read and carried out instructions on READ & RUN ME FIRST, and HIJACK THIS. Also for PSGuard removal (no traces so didn't run Panda online).

    Attempted quick background - somewhere between Spyware Doctor and Windows Updates a few weeks ago some problems emerged related to MyTob.worm (Spyware Doctor detection). Deleted requested files, later SD admitted it was a bug and a false positive in their system. Around same time both Win and Firefox issued security updates.

    In between some strange things were happening, like unexpected downloading. So partly I'm trying to trace the source for this.

    More importantly, SD while scanning paused for up to a minute on certain files. Some came up every scan. PSGuard was one, Spytech Software another. This latter I am most concerned about and would like help on, being the only user of my computer, and theoretically the only one with access to it. Possibly it's "benign" but equally possible extremely not. I can explain further in a private email if necessary.

    I'm aware that SD's bugs and false positives may be responsible, but can't take the risk! After applying the SD update the above files were no longer paused on.

    I also have some (new) problems on shutdown - originally, most times, SD "not responding", so have uninstalled it. Since that sometimes, FrmHidden "not responding".

    If I can be helped with these two things I'd appreciate it. I feel I've got as far as I can.

    Have attached most recent HJT log (some O2/O8/O9 things didn't delete, not feeling certain one way or other).

    Adaware scans revealed 9 negligible objects - checks on recently opened files. Attempted removal of 4 RealPlayer ones, but they were there again on re-scan.

    Spysweeper originally found CWS Aboutblank and removed. All scans have shown c:\windows\win386.swp unscanned because the file was in use by another process - this is expected?

    Sorry not very short intro.

    Thanks in advance


    tamar
     

    Attached Files:

  2. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Welcome to MajorGeeks.com!

    Please follow forum guidelines and perform cleaning steps in the sticky thread before posting HijackThis logs.

    • Run ALL the steps in this Sticky thread READ & RUN ME FIRST Before Asking for Support
    • Make sure you check version numbers and get all updates.
     
  3. tamar

    tamar Private First Class

    Sorry, I was trying to keep that mail brief! I have been through the process several times but will report all download/scan situations from the beginning. If I have missed something else please tell me.

    Running win98se (not updated to its most recent because of the 'extra' download wextract_cleanup0, now picked up by Spysweeper) on dialup.

    Hidden files are enabled... but I can't find certain files through Find or physical search.

    Only F-Prot av on my system.

    Downloaded ad-aware, crapcleaner, spysweeper and spybot [Running spysweeper link on http://forums.majorgeeks.com/showthread.php?t=35407 doesn't go to that page, but I found it by chance later and printed out before scanning.] All appeared to download, instal and update OK, though it seemed TeaTimer chose to download itself. (Ccleaner didn't do as it wasn't asked for).

    Downloaded HJT. Looked at MSconfig via start run... I can't remember now what I did [but have looked since original post: there is a 'config.sys' tab but it's empty other than... an empty highlightable one-character size box. The general tab has normal, selective and diagnostic startup options, diagnostic was ticked, have now switched to normal.]


    Online scans:

    Bitdefender (normal mode) - first scan before scanning window came up, the system froze but Zone Alarm showed continued web activity. I disconnected and tried again - found and deleted dialer T trojan.

    Trend Micro (normal mode) - constant firewall activity (blocked hacks every few secs). Twice got disconnected. 3rd try system froze while download occurred. Shut down tried again, loaded fine (but I can't see it in HJT logs) but took about an hour. Which is why I stopped after two online scans! I will do more if necessary.

    TM required me to download SunJava systems first and scan through that kernel.

    In early part of TM scan, the 'address bar' in TM showed "permission denied", but later in scan at various times "Done" or was running through my file names or known file names as would be expected.

    [Reminds me that when running Spyware Doctor (SD) when 'problem' had started, that it covered the first 11% of scan almost immediately, and the first approx 50% within a minute compared to the final 50%]

    TM found bhjk_se.55151, trojan SE61618, and cookies SE.5284, SE.49712 - and deleted them. Not found on rerun.

    This (from memory) is when SD began freezing on shutdown - a 'programme not responding' small window, with the desktop 'dulled out'. Changed settings in SD so it didn't run at start and shutdown OK. Soon after uninstalled it completely.

    Into safe mode:
    ran ccleaner
    ran adaware – found 1 critical with 2 traces (deleted) and recognised 6 negligible risks - MRU objects.
    ran spybot – sorry I wrote nothing down and can’t find a log. So I guess there was nothing but possibly a cookie or similar. Immunized 6 files (I remember).
    ran spysweeper – it asked: diagnostic or (?) normal? I chose diagnostic but it detected an authentication error during installation and asked for a re-instal. I got a close program window with 4 progs showing: SpySweeper (blued out), explorer, Wrsssdk, Rnaapp.



    uninstalled and reinstalled SS but without redownloading.

    during this time shutdown hampered by ‘FrmHidden’ not responding, but system not hung, allowed me to return to windows and shutdown normally.


    back into safe mode, ran Ccleaner again
    ran SS – found and deleted cws-aboutblank. File 051217 attached – shows 2 scans (plus partial scan). Second scan clear of cws but shows c:\windows\win386.swp as inaccessible, plus many SS files. Also shows an ‘invalid stream’ [whatever!]

    back into normal mode and ran HJT (MSconfig not disabled) – attached file 051217
    but didn’t do anything more there.


    Took a break...

    updated virusscan and ran – clear.

    downloaded CWShredder

    Trend Micro - updated signatures – Firewall (ZA) asked for IE to act as server, said yes, then TM main screen blanked out other than top and bottom bars but address bar says opening a TM window and download activity going on (via ZA). ‘Stopped’ it, went back to previous page and began again. All happened as expected.

    Ran TM – found cookie SE.5284 (as before), deleted. Ran again, cookie was back.

    Pointer hung (with fixed hourglass); shut down via Ctrl-Alt-Delete.

    Re-opened – system configuration files being updated.

    shut down and re-opened in safe mode.

    ran CCleaner
    adaware – 6 negligible (file saved in word)
    spybot – nothing but immunised 6
    spysweeper – ran in not-diagnostic mode – nothing found but same files being unswept
    cwshredder – nothing
    re-ran adaware – 7 moderate (opening word was probably a mistake?) – saved file.

    followed instructions for PSGuard on http://forums.majorgeeks.com/showthread.php?t=74265
    no named files showing in HJT, so didn’t run smitREM or Panda (couldn’t face another long download!)

    [was checking for PSGuard because had spotted its name when Spyware Doctor paused]


    Took a break... began again today

    opening and running programmes is getting slow.

    updated file signatures (adaware, spybot)
    shutdown, reboot, forgot safe mode and got a message again about updating configurations
    screen froze on shutdown again with FrmHidden – returned to windows and shut down

    into safemode
    ran Ccleaner
    adaware – 9 negligible objects – tried deleting 4 realplayer ones but they came back on re-scan
    spybot – clear but immunised 17 extra
    spysweeper – clear except for unswept files as before

    system slow on shutdown

    rebooted to normal
    ran HJT file and went through list deleting two O4 Quicktime task, and O4 Startup: Microsoft Office.lnk

    Identified others that maybe should be deleted, but got confused because the source name seems right or it wasn’t listed in any way (that I could find). So thought not-deleting but asking might be better.

    So I posted to forum attaching that last HJT log (I thought).
    (I am running HJT from explorer folder not via start-programmes-HJT because there is no folder there – does this matter?)


    *****

    since posting I thought about a windows update, and tried the ActiveX one but as already mentioned the file wextract_cleanup0 came up – spysweeper attributed no manufacturer etc to it, so I cut the download.

    I disabled (I think) MSconfig – 2 new files appeared in HJT
    O4 - Startup: Microsoft Find Fast.lnk = D:\Program Files\Microsoft Office\Office\MSQRY32.EXE
    O4 - Global Startup: ZoneAlarm.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe

    on reboot an error message shows MSO97.dll missing. click OK and everything seems OK

    screensaver changed itself to jungle scene. Is it trying to tell me something? It certainly spooked me!

    *******
    system slows up quite easily. I downloaded aida32 so can attach system details - don’t know how explicit they need to be.

    sorry so long and convoluted. Hope you can help.

    I won’t do anything more until hearing so to do.
     

    Attached Files:

  4. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    There is nothing in your log to indicate that there is any malware.

    Please run the Panda ActiveScan and post the log once it is finished.
     
  5. tamar

    tamar Private First Class

    Thanks!

    Panda Activescan downloaded/ran smoothly.

    Main scan found nothing
    email scan found nothing
    local disks found 3 viruses/1 disinfected - file attached
    re-run found 2 viruses (undisinfected 2)
    my docs found nothing
    my comp found 2 spyware (adware) and 2 viruses (undisinfected 2) - file attached.

    The Eicar.mod virus was picked up earlier in the year by ActiveScan. I queried it then with Frisk F-Prot who explained it is a generic file for testing av software is working OK (or something like that), and were surprised that Panda AS had picked it up. I'll take your advice on it now!

    Tried checking email before disconnecting, but unable. Disconnected and tried again but strange ring tones. On reboot dialled normally, but programme loading and running is slow.

    Since my post yesterday PC Tools/Spyware Doctor have replied indicating there was only one false-positive, the MyTob. I specifically queried the pausing and file names seen, and they indicated again there was only one false positive.

    Many thanks again for your help. Will wait to hear before doing anything (but have updated and run av sig files).
     

    Attached Files:

  6. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Eicar.mod is not a Virus. It is a test file to show that Antivirus scanners are working.

    C:\WINDOWS\Favorites\Health <<----- Delete the Folder

    Follow the directions for Running Spy Sweeper that should remove all traces of Gater/GAIN/Claria from the system.

    After doing the above your system should be clean.
     
  7. tamar

    tamar Private First Class

    thanks...

    deleted the folder and ran spysweeper as instructions. Unfortunately it didn't pick gator up - file attached.

    Ran Panda again, it's still there - file attached, but the folder one gone.

    I really appreciate your help on this.

    (the SS is saved as a txt file via the software process - didn't read the copy/paste until after)
     

    Attached Files:

  8. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Update the definitions to Spybot S&D.

    Reboot to Safe Mode.

    Run Spybot S&D.
    • Fixing SpyBot's Ignore Products Bug: Please run SpyBot and get into the Advanced mode by selecting Mode and then Advanced mode. Then select Settings and then in the left column select Ignore Products. In the right window pane make sure the All products tab is selected. Then in that window, right click your mouse and choose "Deselect all".
    Reboot and run Panda ActiveScan again.
     
  9. tamar

    tamar Private First Class

    thanks.

    No joy with Spybot either. I already had the advanced mode bug fixed but checked again in safe mode.

    No change on Panda either - saved a file but unable to upload as it's the same.

    ?
     
  10. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Download
    - Registry Search Tool

    Unzip to your Desktop and double click on regsrch.vbs
    (if you have script protection, please allow this to run)

    In the dialog that opens enter the following:

    Press 'OK'

    The search will run for a while then alert you when it is finished.

    Press 'OK' and copy the contents of the WordPad window and post in this thread
     
  11. tamar

    tamar Private First Class

    thanks, have attached files for both...
     

    Attached Files:

  12. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Copy the contents of the below quote box to notepad and save as FixReg.reg to your Desktop.
    Locate FixReg.reg on the Desktop and double-click, answer Yes, when asked if you want to merge with the registry.

    REBOOT.

    How is your computer running?
     
  13. tamar

    tamar Private First Class

    Unfortunately still there when running Panda Activescan. Tried twice.

    The first time after saving the file (or maybe after your email had downloaded), I was disconnected. Though may have been because of a large file also starting to download.
     
  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    These are valid registry entries that do not need to be fixed. They are entries to block bad sites. Programs like Spybot and SpywareBlaster (and others) add these. If you look under the following key:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History

    You will see lots of bad things listed. And in this case and also in the case of the Domains registry key, they are valid entries as long as what is under them is correctly entered. For example, changing a value could move an item in the Domains key from the Restricted Zone into the Trusted Zone. If it were in the TZ, it would be bad.
     
  15. tamar

    tamar Private First Class

    Well that's good then! Thanks for sorting all that out SPD and chaslang, though I am a bit lost with your explanation (spybot bad?) but perhaps that's safer if I've reached depths I don't understand!

    I was thinking after last post how much faster the system is running, but was gutted to find the adware still in Panda.

    I also asked originally about Spytech Spyagent which was originally "detected" by spyware doctor. I noticed in Spybot Advanced Mode that Spyagent was 'traceable' yet hasn't been found. Would the other searches I've been doing with your guidance show it if it really is here? If not, can you help on this too?

    Thanks in advance.
     
  16. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    This scan will show stuff if it is there.

    Run CCleaner before doing the below.

    Download WinPFind

    Extract it to the root folder of drive C ( C:\ ). This will create a folder called WinPFind in the C:\ folder. Inside C:\WinPFind is a file called WinPFind.exe. Double-click on this file to launch the program. Once it is launched, click on the Start Scan button and wait for it to finish. This program will scan large amounts of files on your computer for known patterns so please be patient while it works as it can take a while, upwards of 30 minutes or more.

    When it is done, it will show the results of the scan. Click on the Copy to Clipboard button and then paste the contents of the log in your clipboard. Then save it to a file using notepad and upload the text file here as an attachment.
     
  17. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    No Spybot is not bad! The entries that you are questioning in the registry can be either good or bad based upon values for the specific registry key. The names of the keys (like .gator.com) are not bad just because they are in the registry. They would only be bad if values found within the registry key were not the correct values. As I implied in my last message a value can be the difference between an entry being in your Trusted Zone (meaning it is allowed full access to/from your PC) or in your Restricted Zone (meaning no access to/from your PC).
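As an added illustration of the point chaslang makes in this and his earlier post (this is not code from the thread, nor from Spybot, SpywareBlaster or any other tool named in it), the following Python script parses a registry export and reports which Internet Explorer security zone each entry under the ZoneMap Domains key assigns a host to. The zone numbers are IE's well-known ZoneMap values (4 = Restricted sites, 2 = Trusted sites). The .reg fragment, the host names in it and the blocklist passed to find_misplaced are all constructed for the example; the check flags a blocklisted host whose zone value has been changed to one IE trusts, which is exactly the "wrong value" case described above.

```python
import re

# Internet Explorer ZoneMap zone numbers (well-known values, not from the thread).
ZONE_NAMES = {
    0: "My Computer",
    1: "Local intranet",
    2: "Trusted sites",
    3: "Internet",
    4: "Restricted sites",
}

# Case-insensitive marker for the per-domain zone assignments under Internet Settings.
DOMAINS_MARKER = "\\zonemap\\domains\\"

KEY_RE = re.compile(r"^\[(.+)\]\s*$")
DWORD_RE = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{8})\s*$')

# Constructed sample export (REGEDIT4 format, as Windows 98 regedit writes it).
# The first two hosts sit in the Restricted zone (4), as a blocklist tool would
# write them; the third has been altered to Trusted (2), the "bad value" case.
SAMPLE_REG = r"""REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\gator.com]
"*"=dword:00000004

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\example-adware.test\www]
"http"=dword:00000004
"https"=dword:00000004

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\example-tampered.test]
"*"=dword:00000002
"""


def parse_zonemap(reg_text):
    """Return (host, scheme, zone) for every ZoneMap\\Domains value in a .reg export."""
    entries = []
    current_host = None
    for line in reg_text.splitlines():
        key_match = KEY_RE.match(line)
        if key_match:
            key = key_match.group(1)
            idx = key.lower().find(DOMAINS_MARKER)
            if idx == -1:
                current_host = None  # some other key; ignore its values
                continue
            # Domains\<domain>\<subdomain> is stored as a nested key; rebuild the host name.
            parts = key[idx + len(DOMAINS_MARKER):].split("\\")
            current_host = ".".join(reversed(parts))
            continue
        value_match = DWORD_RE.match(line)
        if value_match and current_host is not None:
            scheme, hex_value = value_match.groups()
            entries.append((current_host, scheme, int(hex_value, 16)))
    return entries


def find_misplaced(entries, expected_restricted):
    """Entries for blocklisted hosts that sit in a zone IE trusts more than Internet."""
    misplaced = []
    for host, scheme, zone in entries:
        blocklisted = any(host == d or host.endswith("." + d) for d in expected_restricted)
        if blocklisted and zone in (0, 1, 2):
            misplaced.append((host, scheme, zone))
    return misplaced


def describe(entries):
    """Human-readable lines, one per entry."""
    return ["%s [%s] -> %s" % (host, scheme, ZONE_NAMES.get(zone, "unknown zone %d" % zone))
            for host, scheme, zone in entries]


if __name__ == "__main__":
    found = parse_zonemap(SAMPLE_REG)
    for text in describe(found):
        print(text)
    # Hypothetical blocklist: the hosts a tool like Spybot is expected to have restricted.
    blocklist = {"gator.com", "example-adware.test", "example-tampered.test"}
    for host, scheme, zone in find_misplaced(found, blocklist):
        print("WARNING: %s (%s) is in %s, expected Restricted sites" % (host, scheme, ZONE_NAMES[zone]))
```

To use it on a real machine, export the Domains key with regedit to a .reg file and pass the file's text to parse_zonemap; an entry that a blocklisting tool wrote is only worth acting on if its zone value is no longer 4.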
     
  18. tamar

    tamar Private First Class

    Thanks...

    Have downloaded and run WinPFind and file attached. It ran for only two minutes though - I tried twice. Also there is no 'Copy to Clipboard' button, only two: Start Scan and Configure Scan Options. In Configure, everything under Folder Options and Registry Key Options is ticked, as is Run Add-ons box on the right - but none of those listed beneath (Monitor defs, Open Command defs etc) are. Is this right?

    Also updated F-Prot sigs - and thought to look at options before running. Found that 'compressed archives' weren't being checked so scanned with it. Coincidentally it picked up on Spybot's Spycleaner file as a suspicious one - can send a report if you think necessary. Thought your spybot comment might have been hinting at this, chaslang!

    In case it makes any difference, when the problems started I set up a windows login and all scans/searches etc have been done under that. I've now/currently reverted to no login.

    Thanks again for all your help
     

    Attached Files:

  19. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Your log is fine.

    Virus scanners sometimes identify the signature files of other applications as being infected. This is a known problem and if enough people make it known to the software manufacturer they will fix the issue.

    Your OS may have some corrupt files, running sfc /scannow from the command prompt will replace any missing or corrupt files.
     
  20. tamar

    tamar Private First Class

    Thanks.

    I'm not brilliant when it comes to command prompt so sorry for asking maybe a stupid question. Do I boot into DOS and literally type "sfc /scannow" in and that is all?

    I checked (without fixing) in sfc in normal mode and it suggested only an F-Prot file FPATCL.dll is corrupt. Though there have been numerous updates and deletions - I didn't know about this tool and guess I should have been running it regularly.
     
  21. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Open a command prompt DOS box, you don't have to boot to DOS mode, enter sfc /scannow at the prompt; you will need your Windows CD.
     
  22. tamar

    tamar Private First Class

    thanks... another tool I didn't know about.

    I'm getting "bad command or file name" though
     
  23. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Do this Start -> Run

    type sfc /scannow

    This command works on Windows 98
     
  24. tamar

    tamar Private First Class

    I promise I am! Can I send you a screengrab?
     
  25. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Yes please
     
  26. tamar

    tamar Private First Class

    bit pixelated, can crop and make larger file size if necessary.
     

    Attached Files:

  27. tamar

    tamar Private First Class

    Shall I hang around for a while or can I come back to it tomorrow (it's late here)?

    I've done some searching on the file names associated with the spytech folders I 'spotted'. They seem to be associated with worms:

    suchost.exe
    deploy.exe

    also but not associated winde.exe

    All others it paused on were legit files although some are also associated with malware.

    Sorry probably should have done that sooner, but was more focused on the spy aspect.

    Thanks for all your help.
     
  28. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Post a fresh HijackThis log.
     
  29. tamar

    tamar Private First Class

    I can see some new things...
     

    Attached Files:

  30. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Your log shows no signs of malware.

    Can you post a list of all the files in the spytech folders.
     
  31. tamar

    tamar Private First Class

    There were only those two file names associated with spytech:

    Program Files/Spytech Software/Spy Agent/suchost.exe
    Program Files/Spytech Software/Spy Agent/deploy.exe

    I never saw more than one of them during each scan, but did see one on every scan at that time, until PCTools false-positive update. Possibly sometimes the /Spy Agent/ was /Spytech [otherword]/

    Other files noted down as paused on sometimes, but not every time

    under /Program Files/

    WatchDog/wdserver.exe
    PSGuard/wndlayer.dll
    Comet Systems/....
    Comet Systems/Platform/Bin/cscore.dll
    Comet Systems/Platform/Bin/comutil.dll


    under /System/

    winde.exe
    msudp.dll
    nfomon/nfom.dll
    kehide.dll
    *.dll
    ahtun.exe
    systemout.exe


    under /Windows/

    svchost.exe
    yahoodll.dll


    others noted down but without location

    setup-mdart.dll
    GDSys/GDH.dll (I think System)
    csrss.exe (I think System)
    GogoTools/Search Gogo/
    FWBarTemp/searchbar.exe
    COMET/BIN/autosearch.dll
    Internetlogs/tvdebug.log



    ------------

    Yesterday the system didn't hang at all, but today it did again on shutdown, in the same way with 'FrmHidden'. Cancelling it, brought up an extra window indicating that Spysweeper had been terminated and would close down and restart (or similar). There was a spell of this happening and then it was fine again. Was just dropping off to sleep when I realised the previous hanging was Spyware Doctor related... don't know if this means anything.

    I've always had difficulty rebooting directly into DOS but shutting down first and opening via F8 has never been a problem. The same error message came in main DOS.

    Also, when I ran SFC in normal mode, loads of files were coming up as deleted or updated - I followed Windows logic for a few (agreeing or restoring from CD), then realised there were too many I didn't have a clue what they were about and so 'ignored' some more before stopping and looking at the available tools and turning those two options off.

    I hope I haven't created a block to that DOS command. Sorry if so.

    Thanks again for all your help.
     
  32. tamar

    tamar Private First Class

    I wrote down a list of the SFC files I looked at if nec.
     
  33. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

  34. tamar

    tamar Private First Class

    Will do, though I tried before my original post, and none of the lines showed so didn't see the process through.

    The last post of yours and post no 23 didn't arrive as emails, though the others have.
     
  35. tamar

    tamar Private First Class

    Ran HijackThis but none of the listed files found. Hit 'fix' anyway.

    Ran the smitREm tool and followed instructions - nothing found but log attached.

    opened Control Panel, 'Display' icon - only 4 tabs showing (2 missing): background/screensaver/appearance/settings. None fitted the description in the procedure (ie "Desktop"), so looked under the 'View' menu in Control Panel, and in folder options there's a Web interface option. But no sign of the 4 things ("security options" etc) so returned to classic interface.

    Rebooted to normal - desktop background is now royal blue! [later - can't get the blue-green back, and changing to a wallpaper produces just a small square of it in the middle of the screen]

    Panda Activescan is no change - will attempt to attach in case there's a subtle change. [instructions suggest to tick/check the 'autoclean' box, but I couldn't see one]

    Looking in Control Panel>Display the six tabs are back with Effects and Web there. Web has an option to view the desktop as web page, but seems to have no effect - if that is what was being asked for.

    ---------

    While looking for the smitfiles.txt I also looked in the scandisk log which has run itself several times this month. I've attached it in case it indicates anything helpful. Many lost clusters recently.

    Also a screengrab of files in the C drive - some strange extensions: .~!~, .1st, .--- .

    Thanks again...
     

    Attached Files:

  36. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Look in Add or Remove Programs and Uninstall the following if present:
    Reboot to Safe Mode.

    Open Windows Explorer and Delete the Following:
    Search for the following, and tell me exactly where they are located:
    Reboot to Normal Mode.
     
  37. tamar

    tamar Private First Class

    Thanks...

    Nothing in Add or Remove Programmes that I wouldn't expect, though unsure if DialUp Networking 1.4 Update for Windows 98SE is right if Microsoft Windows Critical Update Notification is also there.

    In safe mode

    None of those folders/files were listed in those specific locations.

    Using Find, none that you asked to be located could be found, but the tool was hardly looking. Except on 'COMET' (single word) when it found 2 files in Fireworks and in Corel (which seem right). Tested with a known file name/location and it worked properly. I had been having the same problem in normal mode but hadn't clicked!

    Tested the Find modified files etc tool - it was obviously 'disabled' or malfunctioning. "Nothing" has been modified or saved in the last 3 months!

    Will go back now and do a manual search through the C drive and will report back (but will hang around 5-10 mins first in case you suggest anything else first).
     
  38. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    If you can't find any of those files, then the Malware should be gone. You are experiencing problems with the OS and you should post in the Software forum. If you have any more problems that are Malware in nature, then post back here in this thread.
     
  39. tamar

    tamar Private First Class

    Can't locate any of them except C/Windows/Internet Logs/tvdebug.log

    So if they've all gone that's good, and thanks for all your help in getting rid of the malware and teaching me a bit more about the workings of my computer.

    I will go to the software forum for help on the OS.

    Thanks again, and happy holidays.
     
  40. tamar

    tamar Private First Class

    Thanks, have followed instructions on the software forum this seemed to reload the OS rather than just critical files but I may be wrong or missed something.

    Still had the blue desktop even though the setting is on default, which also changed itself to the win98 desktop. Since found the manual colour change setting and returned it to default blue-green.

    Just once, a transparent green "film" began spreading across the screen from the bottom right corner, and then disappeared. I was online at the time.

    sfc /scannow in DOS still doesn't work.

    I ran sfc in normal mode and it picked up a faulty SYSTEM/setupx.dll file and I reinstalled via the CD (again in normal).

    Before that I ran scandisk (in normal) a few times. It repeatedly started itself again saying another programme was writing to disk. Tried again with all taskbar icons switched off/disabled and it ran OK and all was clear (other than some filenames being too long to scan in DOS mode)

    I have updated Win98 criticals. Three of the four downloaded files were picked up by spysweeper as having no named manufacturer etc:

    RegTLib
    c:/windows/regtlib.exe
    c:/windows/system/stdole2.tlb
    Registry or Startup folder: HKLM; run once


    RunOnceEx
    rundll32.exe
    c:/windows/system/iernonce.dll,runonceexprocess
    Registry or startup folder: HKLM: Runonce

    wextract_cleanup0
    rundll32.exe
    c:/windows/system/advpack.dll, delnoderundll32
    c:/windows/temp/ixp000.tmp/
    Registry or startup folder: HKLM: Run once

    the last installed itself, the other two I think are waiting for me to allow them or not.

    Most importantly, perhaps, the F-Prot av file error is corrected. F-Prot picked up SpywareCleaner zip with a same name .exe inside in C:\WINDOWS\Application Data\Spybot - Search & Destroy\Recovery
    but was unable to disinfect in normal or through its DOS scanner (the DOS scanner didn't detect it).

    How should I get rid of this? Delete, or through Add/Remove Programmes?
    The file is a 552KB winzip installed on 16/12/05 - can attach a screengrab if nec.

    One other thing happening since repairing the OS is a change in [don't know how to call it] the code used during setup.

    The last thing used to be a fifth

    C:\ Set TVdumpflags=8 [though the previous 4 had =10]

    I now also have


    C:\> mode con codepage prepare =((850) C:\ WINDOWS\COMMAND\ega/cpi)

    MODE prepare code page function completed

    C:\> mode con codepage select=850

    MODE select code page function completed

    C:\> keyb uk,, C\:WINDOWS\COMMAND\keyboard.sys



    Maybe this is still a software forum question but thought I'd ask first.

    Many thanks for any help. I really thought my system was clear.
     
  41. tamar

    tamar Private First Class

    quick update to previous mail:

    updated panda and ran - no change
    updated spysweeper signatures - tried to run but the program hung. Closed it by Ctrl-alt-del. Opened again - slow - but it ran and found nothing. Before closing, momentarily there were 2 icons on taskbar. I'm presuming it's now corrupted.

    tried running sfc in safe mode. under 'criteria' tab found several folders' subfolders were marked not to be checked. I set all to be checked but the scan still found nothing.

    On rebooting came back into the room and found a blank screen with 'windows protection error - you must restart your computer'. So I did, and it booted to the normal/safe/Dos 1-6 option page but seems to be working normally again now, despite programs being slow to start.

    Won't be doing anything more until advised...

    Thanks in advance.
     
  42. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Anything in C:\WINDOWS\Application Data\Spybot - Search & Destroy\Recovery can be deleted if your system appears to be running OK. Spybot creates backups before fixing anything so you can recover if there is a problem with a fix.

    Uninstall Spy Sweeper it is going to be of much use to you now, unless you have purchased the program. Then uninstall and reinstall.

    If you are running Windows Update and Updating 98, then ignore Spy Sweeper and allow the fixes.
     
  43. tamar

    tamar Private First Class

    Thanks again for all your advice...

    Deleted the dodgy zip file in Spybot. And then uninstalled Spybot - will reinstall... Sorry, not quite what you said I know. After rebooting many folders and files remained, although not exe's. So have deleted all.

    Rebooted again, "Start" was hung although other programs were still opening, albeit still slowly. Cntrl-alt-del showed Explorer to be the problem. Shut down and rebooted.

    Uninstalled Spysweeper - all folder/file traces gone except in Program files/Webroot/Windows Update Setup Files which i've manually deleted. Rebooted, the system seems to be running faster but programmes still opening slowly.

    I would also like to uninstall BDOScan - folders are in WINDOWS/Application Data/ but it's not in Program Files Add/Remove Programs. Can I just delete it? I'd prefer to do that before reinstalling Spybot. I already removed the two (file missing) entries via HJT.

    Do you think it's an idea to uninstall all the spyware programmes and reinstall them?

    I have a paid-for version of Spyware doctor (currently uninstalled). Shall I re-install?

    All the 'mode con code page' blurb is still there at startup.
     
  44. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    That's fine, you can reinstall later.
    Maybe a system resource issue. Look at what you have running at system start and decide what you need and don't need.
    That's fine.
    Look in the folder for an uninstaller before you delete the folder.
    You can do that; it may correct any issue with one of the programs that may be causing problems.
    If you bought it, use it. Unless of course you don't like the program.
    {EDIT} Had to review the thread and your other one. What is the exact error message, word for word?
     
    Last edited: Dec 24, 2005
  45. tamar

    tamar Private First Class

    Sent a reply up yesterday, but it seems to have disappeared. Will try again.
     
  46. tamar

    tamar Private First Class

    Sorry, didn't think.

    This is happening on startup in both normal and safe modes. The first line occurs four times and they have been there most of this year (F-Prot related I understand); the fifth arrived with a recent F-Prot engine update. ("tvdumpflags" is two words but I can't remember where the space is.)

    C:\ Set tvdumpflags=10

    C:\ Set tvdumpflags=8

    [followed by, new since OS reinstall/repair]

    C:\> mode con codepage prepare =((850) C:\ WINDOWS\COMMAND\ega/cpi)

    MODE prepare code page function completed

    C:\> mode con codepage select=850

    MODE select code page function completed

    C:\> keyb uk,, C\:WINDOWS\COMMAND\keyboard.sys

    C:\

    Then, if configuration files are being updated, they happen here.

    Some more info on this in a mo, just testing it still arrives.
     
  47. tamar

    tamar Private First Class

    In C:\WINDOWS\COMMAND\ there is

    EGA.CPI, EGA2.CPI, EGA3.CPI - all 58kb

    KEYBOARD.SYS, KEYBRD2.SYS, KEYBRD3.SYS, KEYBRD4.SYS at 34,32,31,13KB respectively.

    No other file seems to have repeats. Every file in that folder is dated 23/04/99 except a further EBD folder 13/06/02. Inside that everything is also 23/04/99 except config.sys 1kb dated 22/12/05. If any of that is relevant to the mystery startup code.

    * * *

    Couldn't find a BDOscanner uninstall so just deleted the folders. Since found the scanner's main exe and another in the main C drive so deleted those too.
    Since then I've been finding remnant files in other places, so I guess eventually I'll remove all of them.

    Rebooted after deleting the scanner, config files being updated - again - on startup.

    Rundll32 caused an invalid page fault (in module Rydial.dll) - this happens from time to time and I've always before ignored it as nothing seemed to be affected.

    Downloaded Spybot S&D1.4. Checked in 'ignore products list' at first nothing was listed. That may be something I did, but later they were there with pos 'Sidestep'/PUP already ticked - now unticked and all are clear. The Spybot recovery folder was empty too, but now has Overview.ini at 0kb. I'll try a re-download tomorrow after deleting all the others and see if same happens.

    I looked in its other advanced mode folders. On 'systems internal page' excluded by "me" are the following:

    %JavaDir%\QTJava.zip [missing shared dll] [no location through Start\Find]
    Install.exe [wrong app path] [C:\Program Files\C-Media\DOS - only one found]
    MsoHtmEd.exe [wrong app path] [D\:program Files\Microsoft Office\Office ]
    winnt32.exe [wrong app path] [no location through Start\Find]

    Do these mean anything? I did delete QuickTime from the startup via HJT but well before downloading Spybot.

    Just when I think I'm getting somewhere... more strange things pop out of the digital woodwork!

    Many thanks again for your help
     
  48. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Rydial.dll is part of NTL Freedom ISP software.

    The rest is OS/Software issues. You may have to uninstall and reinstall several items of software. F-Prot should be uninstalled and reinstalled.
     
  49. tamar

    tamar Private First Class

    I think I'm at the stage of getting bleach and a scrubbing brush to the hard disc then reinstalling everything! I bought a WinXP upgrade a few days ago feeling this moment imminent.

    I am presuming that wiping the disc should remove whatever is lingering there? I ask only because I'm suspicious that uninstalling isn't doing a proper job:

    On reinstalling Spyware Doctor it didn't ask me for my user ID/account details, whatever. When it came to update signatures, the system hung. Rebooted to safe and ran SD anyway (on sigs dated 20 or 21/12/05). Picked up Trojan Qhosts in two IE Favorites and quarantined/removed. Rebooted to normal and updates worked OK, re-ran scan in normal and nothing more found (unsure if I ran it again in safe).

    What's *worse*, more 'specific hidden files' are showing in the disc scan. One at least is a different 'legit' spy programme, the COMET folders are showing again, and some others like svchost.exe.

    I think I have to have this out with PCTools - either their software's making a mistake or they must find the files on my system... shall I let you know what happens?

    Are you suggesting an F-Prot reinstall because the 5th tvdumpflag line is =8 or to get rid of those lines at startup? If the latter, it won't happen!

    Many thanks again for your advice and time.
     
  50. tamar

    tamar Private First Class

    After I click 'send' for a reply I am asked again for my login etc, and then 'you will be redirected' page, and then "Invalid Thread specified. If you followed a valid link, please notify the administrator"

    If I backtrack and send my message again, I'm informed it's a copy of the one I just sent.

    I looked on the page the 'administrator' link went to, but found no one listed with that title.

    This has happened about 6-7 times. Perhaps it just times out because I take too long typing?
     