Unknown software (New)

anne101's Avatar
Junior Member with 23 posts.
 
Join Date: Dec 2003
04-Jan-2004, 10:44 AM #1
Unknown software
Hello.....the past week and a half, my history folder is showing that I visited a site called *raph.us*........After seeing this appear numerous times......I clicked on it in my history and went to see what it was. It says it's as follows:

http://raph.us/.................raph.us-3dartist and 3d artworks

Several times, while I'm emailing or playing games or working I'll get a *box* that comes up wanting me to install this raph.us on my computer........I always hit cancel or decline but it keeps coming up and I have to restart my computer. I haven't installed any new software in months. I keep up on the cleaning of my computer and always notice if something is different.....How do I get rid of this raph.us or stop it from popping up again?......I appreciate your help....as you can probably tell.......I'm the one they wrote *computers for dummies* for
RSM123's Avatar
Distinguished Member with 5,841 posts.
 
Join Date: Aug 2002
Location: London
04-Jan-2004, 11:38 AM #2
Greetings,

Go to the link below and download Spybot Search & Destroy.
Once installed > Run > click Online > Search for Updates and get them. Close Internet Explorer. In Spybot click Search for problems > let it scan > click Fix all checked. Done

http://security.kolla.de/

I would though point out that you should keep updating Spybot with the Online feature to retain its effectiveness.

Next go to this link and download Hijack This. Once you run it - Hit 'Scan' > once the scan is complete the scan button changes to 'Savelog' > save the logfile > then Copy / Paste it in another post in this thread. Do not delete / change anything yourself at this stage, someone else will go through it and advise you what needs to be removed.

http://www.tomcoyote.org/hjt/

Lastly - hit 'Report' at the top of this thread and ask for the thread to be moved to the Security Forum.


Good Luck.

Last edited by RSM123 : 04-Jan-2004 11:44 AM.
anne101's Avatar
Junior Member with 23 posts.
 
Join Date: Dec 2003
05-Jan-2004, 12:24 AM #3
Hijackthis difficulty
Thank-You RSM123......I downloaded spybot s&d.....I tried to download Hijackthis.......however, when I did this, it opened to wordpad with writing that I couldn't read. I'm not sure what to do now........I've looked in my settings, programs, everywhere I can think of but I can't find this raph.us........but it appears in my histories and pops up.
RSM123's Avatar
Distinguished Member with 5,841 posts.
 
Join Date: Aug 2002
Location: London
05-Jan-2004, 12:28 AM #4
Hi,

What may be useful is if you could redo the Hijack This Scan. Save the log - then copy / paste here for someone to check.

Then hit Report - top of your post and ask that the thread be moved to Security Forum.
anne101's Avatar
Junior Member with 23 posts.
 
Join Date: Dec 2003
05-Jan-2004, 12:33 AM #5
Hello.....*S*.....I've just tried to download hijackthis again.....The dialog box shows it being downloaded.....immediately after it goes into wordpad.....I don't have an option to scan so I can save it for you.
RSM123's Avatar
Distinguished Member with 5,841 posts.
 
Join Date: Aug 2002
Location: London
05-Jan-2004, 12:35 AM #6
Not sure what prob. you're having .... like everything else 'it's always easy if you know how.'

Ask for thread to be moved then perhaps a Moderator can see a way to post your log.
Miz's Avatar
Distinguished Member with 2,148 posts.
 
Join Date: Jul 2002
Location: Kansas
05-Jan-2004, 12:38 AM #7
It sounds like you don't have an unzipping utility installed. The HijackThis! file is a zipped file.

When you download, are you getting a window asking if you want to save or open the file? If so, tell it to Save, then remember where you saved it to. If not, in Internet Explorer, go to Tools>Internet Options>Advanced tab, scroll down to and check "Notify when downloads complete," click OK. That should give you the message window with the option to save the file.

You can download a free, 30-day trial of Winzip from http://download.com.com/3000-2250-10161502.html. Install it then open the HijackThis! file you downloaded...it will automatically open in Winzip which will then unzip the file to the folder of your choice.
anne101's Avatar
Junior Member with 23 posts.
 
Join Date: Dec 2003
05-Jan-2004, 12:58 AM #8
hijack this--unzipped
Thank-you, I needed to install winzip....I've scanned this with hijack this ......I saved the log.....here's the log
Logfile of HijackThis v1.97.7
Scan saved at 12:50:30 AM, on 1/5/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\PROGRAM FILES\EASY INTERNET\ENCMONTR.EXE
C:\PROGRAM FILES\GRISOFT\AVG6\AVGSERV9.EXE
C:\WINDOWS\SYSTEM\HIDSERV.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMKEYBD.EXE
C:\WINDOWS\SYSTEM\HPSYSDRV.EXE
C:\WINDOWS\SYSTEM\USBMMKBD.EXE
C:\PROGRAM FILES\GRISOFT\AVG6\AVGCC32.EXE
C:\WINDOWS\LOADQM.EXE
C:\WINDOWS\SYSTEM\FHCHOOK.EXE
C:\WINDOWS\RunDLL.exe
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\KEYBDMGR.EXE
C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\WORKS SHARED\WKCALREM.EXE
C:\WINDOWS\SYSTEM\SYSTEMIE.EXE
C:\PROGRAM FILES\NETROPA\ONSCREEN DISPLAY\OSD.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\SRECR40M.EXE
C:\PROGRAM FILES\SYSTEM & INTERNET WASHER\CSERASER.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMUSBKB2.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
C:\UNZIPPED\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.yahoo.com/ext/hp/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.yahoo.com/p/hp/?http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.yahoo.com/ext/hp/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\WINDOWS\SYSTEM\YCOMP5_1_5_0.DLL
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
O2 - BHO: SysShield IE Popup Blocker - {9A23B8A4-C6C9-4A68-8FA6-5F905DC8FF80} - C:\PROGRAM FILES\SYSTEM & INTERNET WASHER\PKEXT.DLL
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\WINDOWS\SYSTEM\YCOMP5_1_5_0.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Keyboard Manager] C:\Program Files\Netropa\One-touch Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [HPScanPatch] C:\WINDOWS\SYSTEM\HPScanFix.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [USBMMKBD] usbmmkbd.exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\GRISOFT\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [fhchook] C:\WINDOWS\SYSTEM\FHCHOOK.exe
O4 - HKLM\..\Run: [SRECR40M] C:\WINDOWS\SYSTEM\SRECR40M.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [Encompass_ENCMONTR] C:\Program Files\Easy Internet\ENCMONTR.EXE
O4 - HKLM\..\RunServices: [Hidserv] Hidserv.exe run
O4 - HKLM\..\RunServices: [Avgserv9.exe] C:\PROGRA~1\GRISOFT\AVG6\Avgserv9.exe
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
O4 - Startup: HP Internet Center.lnk = C:\HP Internet\Surfboard\Surfbrd.exe
O4 - Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
O4 - Startup: Updates from HP.lnk = C:\Program Files\BackWeb\BackWeb\Program\backweb.exe
O4 - Startup: America Online 5.0 Tray Icon.lnk = C:\America Online 5.0a\aoltray.exe
O4 - Startup: System & Internet Washer.lnk = C:\Program Files\System & Internet Washer\cseraser.exe
O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: Fill Forms &] - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: Save Forms &[ - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O8 - Extra context menu item: Customize Menu &4 - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O9 - Extra button: RealGuide (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: ICQ Pro (HKLM)
O9 - Extra 'Tools' menuitem: ICQ (HKLM)
O9 - Extra button: RoboForm (HKLM)
O9 - Extra 'Tools' menuitem: RF Toolbar &2 (HKLM)
O9 - Extra button: Fill Forms (HKLM)
O9 - Extra 'Tools' menuitem: Fill Forms &] (HKLM)
O9 - Extra button: Save (HKLM)
O9 - Extra 'Tools' menuitem: Save Forms &[ (HKLM)
O9 - Extra button: System & Internet Washer (HKCU)
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (Yahoo! Companion) - http://us.dl1.yimg.com/download.yaho...bio5_1_5_0.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinstc.cab
O16 - DPF: {2A9146F3-E5DE-48D8-8B53-E1214450B778} (Generator Class) - http://users.rcn.com/hornms/MachineID.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/s...sh/swflash.cab
O16 - DPF: {5D69BE0A-23A3-4907-BCC4-D7AFCA5AE486} (Token Class) - http://users.rcn.com/hornms/SiteToken.CAB
O16 - DPF: {01111F00-3E00-11D2-8470-0060089874ED} (Support.com Installer) - http://supportsoft.adelphia.net/sdcc...d/tgctlins.cab
O16 - DPF: Yahoo! Euchre - http://download.games.yahoo.com/game...ts/y/et1_x.cab
O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
O16 - DPF: {0000000A-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/downlo...367/wmavax.CAB
O16 - DPF: Yahoo! Dice - http://download.games.yahoo.com/game...s/y/dct2_x.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/downlo...22/wmv9VCM.CAB

RSM123's Avatar
Distinguished Member with 5,841 posts.
 
Join Date: Aug 2002
Location: London
05-Jan-2004, 01:08 AM #9
Hi,

You might want to read this about BACKWEB.EXE which is in your log :

http://www.pestpatrol.com/PestInfo/B/Backweb.asp

Not sure whether it's something preinstalled by your PC Dealer but hopefully someone can tell you if it's safe to delete. I don't want to cause you more grief than you've already had.
~Candy~'s Avatar
Former Administrator with 104,744 posts.
 
Join Date: Jan 2001
Experience: Advanced
05-Jan-2004, 08:55 AM #10
O4 - HKLM\..\Run: [fhchook] C:\WINDOWS\SYSTEM\FHCHOOK.exe
O4 - HKLM\..\Run: [SRECR40M] C:\WINDOWS\SYSTEM\SRECR40M.exe

Do you have any idea what those are?
IMM's Avatar
IMM IMM is offline IMM is authorized to help remove malware.
Distinguished Member with 3,230 posts.
 
Join Date: Feb 2002
05-Jan-2004, 11:23 AM #11
The other thing I notice is that systemie is a running process
You might want to see
http://www.computing.net/security/ww...orum/8431.html
anne101's Avatar
Junior Member with 23 posts.
 
Join Date: Dec 2003
05-Jan-2004, 05:54 PM #12
Hello....*S*...ACA Candy and IMM......Actually I don't have any idea what most of these things are......I just know that HijackThis found them and I have them saved. I don't know what to let HijackThis take care of and what to leave alone..........but raph.us is still coming up daily in my history.
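
An added example, not part of any post in this thread: a small Python parser for the HijackThis log format shown in post #8 that groups entries by section code and lists running processes with no matching O4 (autostart) entry, as a first list of names to look up. The sample is a shortened excerpt of that log and the function names are hypothetical; a process listed here is not necessarily unwanted, since on Windows 98 many system processes start by other means.

```python
import re
from collections import defaultdict

# Shortened excerpt of the HijackThis v1.97.7 log posted in this thread.
SAMPLE_LOG = r"""Logfile of HijackThis v1.97.7

Running processes:
C:\WINDOWS\SYSTEM\FHCHOOK.EXE
C:\WINDOWS\SYSTEM\SYSTEMIE.EXE
C:\WINDOWS\SYSTEM\SRECR40M.EXE
C:\PROGRAM FILES\GRISOFT\AVG6\AVGCC32.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\GRISOFT\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [fhchook] C:\WINDOWS\SYSTEM\FHCHOOK.exe
O4 - HKLM\..\Run: [SRECR40M] C:\WINDOWS\SYSTEM\SRECR40M.exe
O4 - Startup: Updates from HP.lnk = C:\Program Files\BackWeb\BackWeb\Program\backweb.exe
"""

ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")  # e.g. "O4 - HKLM\..\Run: ..."

def parse_hjt(text):
    """Return (running_processes, {section_code: [entry_text, ...]})."""
    processes, entries, in_procs = [], defaultdict(list), False
    for line in text.splitlines():
        line = line.strip()
        m = ENTRY.match(line)
        if m:                                   # first entry ends the process list
            in_procs = False
            entries[m.group(1)].append(m.group(2))
        elif line == "Running processes:":
            in_procs = True
        elif in_procs and line:
            processes.append(line)
    return processes, dict(entries)

def running_without_autostart(processes, entries):
    """Running processes whose file name appears in no O4 (autostart) entry."""
    o4 = [e.lower() for e in entries.get("O4", [])]
    unmatched = []
    for path in processes:
        name = path.rsplit("\\", 1)[-1].lower()  # compare on file name, case-insensitively
        pat = re.compile(r'(?:^|[\\\s"])' + re.escape(name) + r'(?:$|[\s"])')
        if not any(pat.search(e) for e in o4):
            unmatched.append(path)
    return unmatched

if __name__ == "__main__":
    procs, ents = parse_hjt(SAMPLE_LOG)
    print(running_without_autostart(procs, ents))
```
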