Looking for the knight to kill the specific911 dragon again!!!

[stretched]

Hey, I really trust you guys since yours is the only forum that had tackled this beast before when I first posted.

I had written on some other similar forums writing about this problem and the way I got it, at the time, there were few forums which I found that had any posts.

I tried to also warn everyone about it...now if I do a google or the like for specific911, I see many many more people got struck by it since I started trying to warn about it.

I am going to post here a message I wrote on another forum which was ignored, (as was the case with many of them) listing some of the addresses which users should beware of because they are merely places of attack for specific911....if the message should be put somewhere else please let me know...anyway, I had some questions about your last instructions in my last post....

[stretched]

I posted the lengthy information about it under the news section, if something I have written should be removed or, moved, there is no need to explain....and I apologize if that is so...

[MicroBell]

Yes....DOS=Command Prompt.

Yes..Check those keys in regedit.

Scanreg.exe <--try to type that in when you make a new task. If it won't run..locate the whole path to the file and type it in. My last post about the registry keys....we are looking to see if those values are present.

Your EXE file associations I think are screwed up...so we need to set them back to there default entrys. Your EXE's for these programs are now being associated with IE...hence it opens IE when clicked.

[stretched]

Scanreg.exe under dos said good registry, and your registry was backed up

!!!!

here are the dates of the backups:

8/25
8/24
8/23
8/22

Now I think I got wacked on 8/25, should I restore 8/22???

Regarding the other stuff, a bit of confusion about the paths.

I dont see HKEY_CLASSES_ROOT\exefile\shell\open\command

I have HKEY_CLASSES_ROOT\*\Shell\open\command

its has the ab image; then (default), and under "data" it says: "notepad.exe %1"
It looks like a space between "exe" and "%1"

I also have HKEY_CLASSES_ROOT\.exe

it has the following three items:

ab image; then (default), and "exefile"
ab image; then Content Type, and "application/x-msdownload"
ab image; then ZAMailSafeExt, and "zl9"

This is a list of the only "e" folders under HKEY_CLASSES_ROOT\ :

.emf
.eml
.eps
.exc
.exe

the last of which I provided....

it looks like something's wrong...

[MicroBell]

Ok..go ahead and restore the registy to 8/22. Your only issue would be you may have to reinstall any programs that you installed since then..as the restore will remove the programs registry entrys.

Those settings you listed...are correct. The paths may be off...as you have Windows98 and I can't remember what there correct paths were..

[stretched]

"Microbell is the winner of the 'I cured specific911 and its resulting ailments in Windows 98' award."

(a rare title at this time, a pioneer in his field)

I have given you an award, since I can not thank you enough, I will add a message to the news I posted since it is clear to me now, that the key to most of the troubles I experienced for the past month are due to what it did to the registry.

Now I need advice, I downloaded so many programs, I will try to explore around and see remnants are there from them which I have to remove and reinstall.

Are there any important matters I need to beware when doing that, and what steps should I take now, knowing that I have to go through that?

[MicroBell]

stretched,

While we are close.....I don't want to consider this solved just yet. I'll address how to prevent this from happening again..when we are done...but please post another hijackthis log so I can see if we got anything lingering around since we restored the registry to an earlier date.

[stretched]

crap
I already started getting the other programs and went to panda...I have to reget highjack this...

[stretched]

alright heres the HJT log and I put the panda results after it here - from before the HJT scan:

(I'll wait this time before doing anything else)

Logfile of HijackThis v1.99.1
Scan saved at 04:23:39 م, on 27/09/05
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\IOMEGA\AUTODISK\ADSERVICE.EXE
C:\WINDOWS\SYSTEM\WINMODEM.101\wmexe.exe
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\INTERNAT.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\TASKMON.EXE
C:\PROGRAM FILES\CREATIVE\SHAREDLL\CTNOTIFY.EXE
C:\PROGRAM FILES\IOMEGA\AUTODISK\ADUSERMON.EXE
C:\PROGRAM FILES\IOMEGA\DRIVEICONS\IMGICON.EXE
C:\WINDOWS\SM56HLPR.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\SMC\SMC.EXE
C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHMAISV.EXE
C:\WINDOWS\LOADQM.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
C:\PROGRAM FILES\WEBROOT\SPY SWEEPER\SPYSWEEPER.EXE
C:\PROGRAM FILES\CREATIVE\SHAREDLL\MEDIADET.EXE
C:\PROGRAM FILES\SPYWARE DOCTOR\SWDOCTOR.EXE
C:\PROGRAM FILES\SPYBOT - SEARCH & DESTROY\TEATIMER.EXE
C:\PROGRAM FILES\GETRIGHT\GETRIGHT.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = www.msn.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = NOT USED (OK)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by America Online
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;localhost;<local>
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {51641EF3-8A7A-4D84-8659-B0911E947CC8} - (no file)
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~2\TOOLS\IESDPB.DLL
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~2\TOOLS\IESDSG.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [internat.exe] internat.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.ExE
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [ATIGART] c:\ati\gart\atigart.exe
O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
O4 - HKLM\..\Run: [ADUserMon] C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
O4 - HKLM\..\Run: [Deskup] C:\Program Files\Iomega\DriveIcons\deskup.exe /IMGSTART
O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [winmain] winmain.exe
O4 - HKLM\..\Run: [zSPGuard] c:\program files\pjw\spguard\spguard.exe /s /r
O4 - HKLM\..\Run: [SMC] C:\SMC\SMC.exe
O4 - HKLM\..\Run: [JeticoPFStartup] "C:\Program Files\Jetico\Jetico Personal Firewall\fwsrv.exe"
O4 - HKLM\..\Run: [McAfeeWebScanX] C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\WebScanX.exe
O4 - HKLM\..\Run: [ashMaiSv] C:\PROGRA~1\ALWILS~1\AVAST4\ashmaisv.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [ADService] C:\Program Files\Iomega\AutoDisk\ADService.exe
O4 - HKLM\..\RunServices: [winmodem] WINMODEM.101\wmexe.exe
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
O4 - HKCU\..\Run: [Spyware Doctor] "C:\PROGRAM FILES\SPYWARE DOCTOR\SWDOCTOR.EXE" /Q
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\RunServices: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
O4 - HKCU\..\RunServices: [Spyware Doctor] "C:\PROGRAM FILES\SPYWARE DOCTOR\SWDOCTOR.EXE" /Q
O4 - HKCU\..\RunServices: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: SpySubtract.lnk = C:\WINDOWS\Desktop\SpySub.exe
O4 - Startup: GetRight Monitor.lnk = C:\Program Files\GetRight\getright.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~2\TOOLS\IESDPB.DLL
O16 - DPF: ConferenceRoom Java Client - http://chat.privatefeeds.com:8000/java/cr.cab
O16 - DPF: {F72BC3F0-6C20-4793-9DDA-258589D8A907} - http://akamai.downloadv3.com/binarie...etslv32_EN.cab
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/Me...bridge-c15.cab
O16 - DPF: {3D061514-8D58-40D8-BB88-2BA6DCA9E5DE} - http://www.qurancomplex.org/Download...dQuranFont.cab
O16 - DPF: {B0067CA5-2C37-4C6B-AAEC-5E2CE8635060} - http://www.qurancomplex.org/Download...Smooth_New.cab
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} - http://wdownload.weatherbug.com/mini...ansporter.cab?
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/actives...ree/asinst.cab



Here's panda


Incident Status Location

Adware:adware/wupd No disinfected Windows Registry
Dialer:dialer.b No disinfected HKEY_CURRENT_USER\SOFTWARE\RUBOSKIZO
Dialer:dialer.ce No disinfected HKEY_CLASSES_ROOT\CLSID\{F72BC3F0-6C20-4793-9DDA-258589D8A907}
Adware:adware/adshooter No disinfected Windows Registry

I did some cleaning before that with some of the other programs....

[MicroBell]

Excellent. Nothing major returned...

Delete these registry keys.....

HKEY_CURRENT_USER\SOFTWARE\RUBOSKIZO

HKEY_CLASSES_ROOT\CLSID\{F72BC3F0-6C20-4793-9DDA-258589D8A907}

Other then that Your logs are clean. Any more issues? If not you should be good to go. We still have a few more items to address so please follow the instructions below.


Reset hidden/system files and folders

Windows XP
===============

• Click Start.
• Open My Computer.
• Select the Tools menu and click Folder Options.
• Select the View tab.
• Deselect the Show hidden files and folders option.
• Select the Hide file extensions for known types option.
• Select the Hide protected operating system files option.
• Click Yes to confirm.
• Click OK.

Windows 2000
===============

• Open My Computer.
• Select the Tools menu and click Folder Options.
• Select the View tab.
• Select the Advanced settings box option.
• Select the Hidden files Folders.
• Deselect the Show all files option.
• Click Yes to confirm.
• Click OK.

Windows ME
===============

• Open My Computer.
• Select the Tools menu and click Folder Options.
• Select the View tab.
• Deselect the Show hidden files and folders option.
• Select the Hide protected operating system files option.
• Click Yes to confirm.
• Click OK.

Windows 95/98/98SE
===============

• Open My Computer.
• Select the View
• Select the Folder Options option.
• Select the View tab. option.
• Select the Advance Advanced settings box option.
• Select the Hidden files folder.
• Deselect the Show all files option
• Click Apply to confirm.
• Click OK.

Create a new System Restore point

Windows XP
===============

• Click Start >> Run - type SYSDM.CPL & press Enter
• Select the System Restore Tab
• Tick on the checkbox - "Turn off System Restore on all drives"
• Click Apply
• Then untick the same checkbox & click OK
• This deletes ALL restore points that had the infection and creates a clean one

Windows ME
===============

• Click the Start tab.
• Select the Settings option.
• Select the Control Panel option.
• Double Click the System icon Performance tab option.
• Select File System
• Select the Troubleshooting tab
• Check the Disable System Restore box
• Click Apply to confirm.
• Click OK.

Reboot the PC and repeat the above procedure again
When you get to this option

• Uncheck the Disable System Restore box

For Windows ME..we MUST create a new restore point now as Windows ME will not create one automatically until the computer has been on for 10 hours or 24 hours has passed. To create a new restore point follow the procedure below.

• Click the Start button.
• Point to Programs, point to Accessories, point to System Tools, and then click System Restore.
• Choose Create a restore point, and then click Next.
• In the Restore point description box, type a name for your restore point, and then click Next.
  Click OK

Enable Windows Auto Update

• Go to Start>Run - type wuaucpl.cpl
• Tick on the checkbox - "Keep my computer up to date"
• Under settings, choose "Automatically download the updates, and install them on the schedule that I specify".
• Click on "OK".

Please visit Microsoft's Window's Update Page and install the latest service packs, patch’s and security updates for your system.


Recommended Protection Programs

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programs:

• SpywareBlaster to help prevent spyware from installing in the first place.
• SpywareGuard to catch and block spyware before it can execute.
• IESpy-Ad to block access to malicious websites so you cannot be redirected to them from an infected site or email.
• WinPatrol to monitor any changes that programs make to the registry.

If you do not have a firewall, here are 4 free ones available for personal use:

• ZoneAlarm
• Sygate Personal Firewall
• Kerio Personal Firewall
• OutPost Firewall

In today’s world you MUST have an Antivirus program. If you do not have one, here are 3 FREE ones available for personal use:

• Grisoft AVG Anti-Virus System
• Alwil Avast 4 Home Edition
• Softwin BitDefender Free Edition Version 7

In light of your recent issue, I'm sure you'll like to avoid any future infections. Please take a look at these well written articles

• HOW DID I GET INFECTED IN THE FIRST PLACE?
• THE ANTI-SPYWARE TUTORIAL
• MAKING INTERNET EXPLORER SAFER

Please stay safe out there and take the helpful advice that’s been given. The goal here is to prevent the adware/spyware/virus/worms from getting on the system in the first place.

Please respond to this thread one more time so we can mark this thread as resolved.

[stretched]

Ok I removed those from the registry, and as much of the other things that I can do with Windows 98 Arabic Enabled, (since the updates at windows do not support it anymore) and the update selection under start/settings/windows update takes me to a page that Microsoft says no longer exists....

For
"Create a new System Restore point"
You did not mention where I look to do this in this system (win98)

I have some of each area of those recommended I am check avast since I probably have to remove it and download it again....otherwise, so far eveything looks good now...

[tetonbob]

Hi stretched -

Windows98 has no System Restore, so ignore that portion of the final instructions. DO follow up on the rest of MB's advice. Click this link to take you to the Update Page, it was embedded in MB's reply. I've pulled it out in the clear for you:

http://v4.windowsupdate.microsoft.com/en/default.asp

If that fails, you can go to the Windows Update Catalog page

http://v4.windowsupdate.microsoft.co...en/default.asp

From there, you should be able to select your OS and Language preferences and get all critical updates in download form...I found 53 critical updates available for download there. There are quite a few hoops to jump through to download and install patches this way, but I believe you can get it done.


There's an interesting third party application called ConfigSafe which will work with 95 and 98. I've added this statement as information only, not recommendation.

As another side note, you may want to consider updating your OS, as support for 98 by MS is beginning to fade, which you've already seen.

Good work! I hope this helps clear things up for you.

Safe and happy surfing! Be careful what you click on.

[stretched]

Hey TB, this is the thing, I think you told me to go to those update pages before, and there it recognizes the system first, then gives me a page that says this:

"The Windows Update Web site no longer supports the following operating system locales:
Arabic (Enabled)
Greek OEM codepage 869
Hebrew (Enabled)
Slovak
Slovenian
Thai (Enabled)
Updates that currently appear on the Windows Update site remain available for download. For continued access to new updates for your operating system, visit one of the following Web sites:
If you are using Windows Millennium Edition (Windows Me), visit the Microsoft Download Center Web site.
If you are using Windows 98, visit the Windows 98 Downloads Web site. "

And I am using
Arabic (Enabled)

So I am scared to just download any of those things that are for Win98 after they informed of this. So this is the question, are there certain categories of things they would have for regular 98 which I should try to download.

For example, the Arabic bit allows me to see the arabic text on sites if any, and it also allows Word and other text files to use it, and it also allows files to be named with it, etc. But I assume that there must be some of those patches and internet related things that would be compatable in either case, but I am afraid to act on that assumption, not knowing what would happen if I instal a fix or patch or upgrade for regular 98 if it will corrupt something else related to 98 arabic enabled....

This is the problem, I will check out that other program you mentioned and see how it looks, thanks for the heads up and please let me know your opinions about this other matter, in either case, if you want to move this to a proper thread go ahead, perhaps now we are dealing with issues that should be discussed somewhere else...

[MicroBell]

I would move your question back to the 98 forum...or an Arabic forum. MS is cutting off support for Windows 98...so updateing won't matter. Anyway..I'm going to move this to resolved.