Plse help with Hijack This log


Original Message
Name: Derek
Date: January 7, 2004 at 16:26:51 Pacific
Subject: Plse help with Hijack This log
OS: N/A
CPU/Ram: N/A
Comment:

Can one of you kind helpers have a look at the Hijack This log on this W9x forum post, response #5?

I'm helping in a general way with this post but I know that you experts would be far better placed to advise on the log.

Thanks

Derek




Response Number 1
Name: Derek
Date: January 7, 2004 at 16:29:29 Pacific
Reply:

Ooooops. Might have just helped a tad if I'd actually posted the link LOL

http://computing.net/windows95/wwwboard/forum/153782.html

Apologies

Derek



Response Number 2
Name: Geoffrey I.
Date: January 7, 2004 at 21:39:13 Pacific
Reply:

Hi, and PLEASE help me get rid of this nightmare! I am getting hammered by porn pop-ups and this start-space.com garbage. PLEASE HELP!!!!

Here's the HijackThis log...

Logfile of HijackThis v1.97.7
Scan saved at 6:25:15 PM, on 1/7/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\WINMODEM.101\wmexe.exe
C:\PROGRAM FILES\COMMON FILES\SYSTEM\MOSEARCH\BIN\MOSEARCH.EXE
C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\VS7DEBUG\MDM.EXE
C:\PROGRAM FILES\SYGATE\SPF\SMC.EXE
C:\WINDOWS\SYSTEM\HIDSERV.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\STARTER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\ATIPTAAA.EXE
C:\PROGRAM FILES\DIRECTCD\DIRECTCD.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
C:\WINDOWS\SYSTEM\MSWHEEL.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\PROGRAM FILES\ISTSVC\ISTSVC.EXE
C:\WINDOWS\SYSTEM\WIN32US.EXE
C:\WINDOWS\SYSTEM\MSREXE.EXE
C:\WINDOWS\RunDLL.exe
C:\PROGRAM FILES\MICROSOFT MONEY\SYSTEM\REMINDER.EXE
C:\WINDOWS\SYSTEM\CTFMON.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OSA.EXE
C:\HPDESK\HPPDDIR.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\OUTLOOK EXPRESS\MSIMN.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\UNZIPPED\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.jethomepage.com/ie/
R1 - HKCU\Software\Microsoft\Internet Explorer,Default_Search_URL = http://www.searchnow.ws/search/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = http://www.jethomepage.com/ie/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.jethomepage.com/ie/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.jethomepage.com/ie/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://search.bisextop.com/index1.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.jethomepage.com/ie/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.jethomepage.com/ie/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://coolsearcher.info/sp.htm
R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://www.mature50.com/search/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.search-space.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://coolsearcher.info/sp.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://coolsearcher.info/sp.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.comcast.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://coolsearcher.info/sp.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.terra.es/personal7/korona01/r.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.jethomepage.com/ie/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast High-Speed Internet
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = http://www.search-space.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = http://www.martfinder.com/spindex.html
R3 - URLSearchHook: XTSearchHook Class - {6E6DD93E-1FC3-4F43-8AFB-1B7B90C9D3EB} - C:\PROGRAM FILES\XUPITER\XTSEARCH.DLL (file missing)
R3 - URLSearchHook: MailTo Class - {01A9EB7D-69BC-11D2-AB2F-204C4F4F5020} - C:\WINDOWS\SYSTEM\ASTCTL32.OCX
N1 - Netscape 4: user_pref("browser.startup.homepage", "WWW.YAHOO.COM"); (C:\Program Files\Netscape\Users\jrcasey\prefs.js)
O1 - Hosts: 216.65.3.76 auto.search.msn.com
O1 - Hosts: 216.65.115.193 members.tripod.com
O1 - Hosts: 216.65.115.193 www.geocities.com
O1 - Hosts: 216.65.115.193 angelfire.com
O1 - Hosts: 216.65.115.193 www.angelfire.com
O1 - Hosts: 216.65.115.193 www.fortunecity.com
O1 - Hosts: 216.65.115.193 smutserver.com
O1 - Hosts: 216.65.115.193 www.smutserver.com
O1 - Hosts: 216.65.115.193 www1.smutserver.com
O1 - Hosts: 216.65.115.193 www2.smutserver.com
O1 - Hosts: 216.65.115.193 www3.smutserver.com
O1 - Hosts: 216.65.115.193 www4.smutserver.com
O1 - Hosts: 216.65.115.193 www5.smutserver.com
O1 - Hosts: 216.65.115.193 www6.smutserver.com
O1 - Hosts: 216.65.115.193 www7.smutserver.com
O1 - Hosts: 216.65.115.193 www8.smutserver.com
O1 - Hosts: 216.65.115.193 www9.smutserver.com
O1 - Hosts: 216.65.115.193 www10.smutserver.com
O1 - Hosts: 216.65.115.193 www11.smutserver.com
O1 - Hosts: 216.65.115.193 www12.smutserver.com
O1 - Hosts: 216.65.115.193 www13.smutserver.com
O1 - Hosts: 216.65.115.193 www14.smutserver.com
O1 - Hosts: 216.65.115.193 www15.smutserver.com
O1 - Hosts: 216.65.115.193 www16.smutserver.com
O1 - Hosts: 216.65.115.193 www17.smutserver.com
O1 - Hosts: 216.65.115.193 www18.smutserver.com
O1 - Hosts: 216.65.115.193 www19.smutserver.com
O1 - Hosts: 216.65.115.193 www20.smutserver.com
O1 - Hosts: 216.65.115.193 tgpfriendly.com
O1 - Hosts: 216.65.115.193 www.tgpfriendly.com
O2 - BHO: (no name) - {00000000-d9e3-4bc6-a0bd-3d0ca4be5271} - C:\WINDOWS\FHFMM.DLL
O2 - BHO: (no name) - {2662BDD7-05D6-408F-B241-FF98FACE6054} - C:\PROGRAM FILES\XUPITER\XTUPDATE.DLL (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: Xupiter - {57E69D5A-6539-4d7d-9637-775DE8A385B4} - C:\PROGRAM FILES\XUPITER\XUPITERTOOLBAR.DLL (file missing)
O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [ATIGART] c:\ati\gart\atigart.exe
O4 - HKLM\..\Run: [AtiPTA] Atiptaaa.exe
O4 - HKLM\..\Run: [POINTER] C:\PROGRA~1\MICROS~1\point32.exe
O4 - HKLM\..\Run: [Adaptec DirectCD] C:\Program Files\DirectCD\DIRECTCD.EXE
O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET
O4 - HKLM\..\Run: [AtiCwd32] Aticwd32.exe
O4 - HKLM\..\Run: [AtiQiPcl] AtiQiPcl.exe
O4 - HKLM\..\Run: [TIPS] C:\PROGRA~1\MICROS~1\tips\mouse\tips.exe
O4 - HKLM\..\Run: [spp] regedit -s C:\WINDOWS\sp.dll
O4 - HKLM\..\Run: [FireTalk Internet Detector] C:\PROGRAM FILES\MULTITUDE\FIRETALK\InternetDetector.EXE -noprompt
O4 - HKLM\..\Run: [XupiterStartup] C:\Program Files\Xupiter\XupiterStartup2003.exe
O4 - HKLM\..\Run: [XupiterCfgLoader] C:\Program Files\Xupiter\XTCfgLoader.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Hot_Party15] c:\program files\dialers\hot_party15\hot_party15.exe /noconnect
O4 - HKLM\..\Run: [Connect2Party] c:\program files\dialers\connect2party\connect2party.exe /noconnect
O4 - HKLM\..\Run: [MD IE Plugin] C:\PROGRAM FILES\MD\MD
O4 - HKLM\..\Run: [keymgrldr] rundll32 setupapi,InstallHinfSection Oemkeymgr9x 128 keymgr3.inf
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKLM\..\Run: [win32us] c:\windows\system\win32us.exe /noconnect
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\SYGATE\SPF\SMC.EXE -startgui
O4 - HKLM\..\Run: [System Service] C:\WINDOWS\SYSTEM\MSREXE.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [winmodem] WINMODEM.101\wmexe.exe
O4 - HKLM\..\RunServices: [MOSearch] c:\PROGRA~1\COMMON~1\SYSTEM\MOSEARCH\BIN\MOSEARCH.EXE
O4 - HKLM\..\RunServices: [MDM7] "C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\VS7DEBUG\MDM.EXE"
O4 - HKLM\..\RunServices: [Hidserv] Hidserv.exe run
O4 - HKLM\..\RunServices: [SmcService] C:\PROGRAM FILES\SYGATE\SPF\SMC.EXE
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - HKCU\..\Run: [Reminder] C:\Program Files\Microsoft Money\System\reminder.exe
O4 - HKCU\..\Run: [Washerns] C:\Program Files\Washer-NS\washerns.exe /1
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [5-2-125-1] c:\windows\5-2-125-1.exe -m
O4 - HKCU\..\Run: [5-2-104-8] c:\windows\5-2-104-8.exe -m
O4 - HKCU\..\Run: [5-2-125-6] c:\program files\Webdialer\5-2-125-6.exe -m
O4 - HKCU\..\Run: [5-4-49-3] c:\program files\Webdialer\5-4-49-3.exe -m
O4 - HKCU\..\Run: [5-1-70-10] c:\program files\Webdialer\5-1-70-10.exe -m
O4 - HKCU\..\Run: [od-stnd59] c:\program files\Webdialer\od-stnd59.exe -m
O4 - HKCU\..\Run: [Weather] C:\PROGRAM FILES\AWS\WEATHERBUG\WEATHER.EXE 1
O4 - HKCU\..\Run: [QuickTime Task] c:\windows\qttasks.exe
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\OSA.EXE
O4 - Startup: Document Assistant.lnk = C:\HPDESK\hppddir.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Office10\OSA.EXE
O9 - Extra button: WeatherBug (HKCU)
O12 - Plugin for .viv: C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\PLUGINS\npviv32.dll
O12 - Plugin for .mp3: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin4.dll
O12 - Plugin for .avi: C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\PLUGINS\npavi32.dll
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O12 - Plugin for .txt: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin2.dll
O12 - Plugin for .EXE: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin2.dll
O12 - Plugin for .mpg: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin3.dll
O12 - Plugin for .pdf: C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\PLUGINS\nppdf32.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.comcast.net
O16 - DPF: {00000012-890E-4AAC-AFD9-EFF6954A34DD} -
O16 - DPF: {00000000-8c7d-4ea8-b113-9163c935d38e} -
O16 - DPF: {00000000-d9e3-4bc6-a0bd-3d0ca4be5271} (FHFMMObj Class) -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://active.macromedia.com/flash2/cabs/swflash.cab

Thanks for your help!



Response Number 3
Name: Abnormal
Date: January 8, 2004 at 00:51:29 Pacific
Reply:

Dude you have a mess, download and run
cwshredder;
cwshredder.zip

cwshredder.exe

Download Ad-Aware and update it.
http://www.lavasoftusa.com/support/download/

From the Lavasoft FAQs:
Use the Custom Scan with Memory and Both registry scans ON for your first scan.
I keep it at that setting.

Also.... make sure that you activate IN-DEPTH scanning before you proceed.
Actually you should always use IN-DEPTH scanning whichever mode you choose.
This will be made a default setting in Ad-aware 6.2 when released.

Under Ad-aware 6 > Settings (Gear at the top) > Tweaks > Scanning Engine:
"Unload recognized processes during scanning."
Under Ad-aware 6 > Settings (Gear at the top) > Tweaks > Cleaning Engine:
"Let Windows remove files in use after reboot."
Next...
Run Ad-aware 6.

Online scan, remove what it finds.
http://www.ravantivirus.com/scan/


Post another log after you're done.
Late night here, will check on you tomorrow.




Response Number 5
Name: Abnormal
Date: January 8, 2004 at 09:40:25 Pacific
Reply:

Derek, as you can see, this is starting to stress me out. For the post in question.

"I do like Kazaa and Incredimail so if I can help it I don't want anything to happen to them but otherwise there's nothing I can think of."

His problems are not hijack related, at least not yet.




Response Number 6
Name: Derek
Date: January 8, 2004 at 14:32:28 Pacific
Reply:

Thx abnormal, I'll pass on your comments.

D



Response Number 7
Name: Derek
Date: January 8, 2004 at 15:07:56 Pacific
Reply:

Right. I rather thought the S&V forum would reply directly on this link but I did get one response on what I posted there (#5), see this:
http://computing.net/security/wwwboard/forum/8622.html

The post got confused by someone else stupidly posting their "Hijack This" log on the same thread. It seems like it is suggesting that your "Hijack This" log was fine so maybe our assumption that this was spyware/malware based is incorrect.

Despite this I still feel there is nothing lost in doing what I suggested, downloading at least the ones I gave in #3. Even if they don't help this time they are likely to help in the future. The same applies to SpywareBlaster (afterwards) because this is an excellent free preventer. None of these use resources in the background.

Did you try beansoup's item 2 in #4?

I think we'll leave the Help file problem for a bit - two things at a time LOL.

As for your doubled control panel entries it goes like this. All of these are files that end with the extension .cpl and are normally located in c:\windows\system. The only exceptions may be the odd one in c:\windows\sysbackup.

Windows will not allow two files of the same name in the same folder so the incorrect ones must either have a wrong name or be located elsewhere.

Sorry if it's a bit long winded but I think the only safe way forward is as follows:

1. Indicate which CP icons are duplicated.

2. List out "all" the icon names in CP.

3. Type *.cpl in the Run box. This will list all of the .cpl files. Let me know what all of them are called and where they are located.

Hopefully I can then suggest which ones you could try saving somewhere (for safety) then deleting. You can double click any .cpl yourself of course. This will bring up the CP item which may be a help to you.

Moving on, I think it might be worth trying a couple of harmless aspirins (LOL) that are harmless but have been known to fix many general problems:

1. Go to Control Panel/Add-Remove and double click the Microsoft IE & Tools entry. If this gives a repair option go for it.

2. "Shut down" to MS-DOS and type scanreg /fix (followed by Return key). This will rebuild your current registry which might help if it has got a little corrupted. Type exit (Return) to restart Windows.

I think it would be worthwhile doing the latter 1 & 2 so that they are out of the way. Best to save thrashing around if the boring old fixes happen to help.

Derek



Response Number 8
Name: Derek
Date: January 8, 2004 at 15:09:51 Pacific
Reply:

IGNORE POST #7 I POSTED IT ON THE WRONG THREAD.

Sorry

Derek



Response Number 9
Name: Geoffrey I.
Date: January 8, 2004 at 21:18:07 Pacific
Reply:

Dear Abnormal,

Thanks for your help! I downloaded and ran cwshredder, updated Ad-Aware to 6 and ran that as well. I also ran the scan, the log of which I've included below, but when I look for the files, they're not there. At least when I run a "find", I'm told they don't exist and when I look for them manually in their folders, I can't find them. I've altered the properties to show the hidden files but no luck... Damn, I hate being only semi-computer literate! LOL

I'll post the Hijack this log after the scan log...

THANKS VERY MUCH for your help!!!!! I appreciate it more than I can say!

Scan started at 1/8/04 10:27:17 PM

Scanning memory...
c:\link.exe - Backdoor:IRC/K-Ident.2_0 -> Suspicious
c:\i.exe - TrojanDropper:Win32/Small.gen -> Infected
c:\WINDOWS\sp.dll - WinREG/StartPage* -> Infected
c:\WINDOWS\Downloaded Program Files\014018.exe->(UPXW) - Tool:PornDialer.gen! -> Infected
c:\WINDOWS\Downloaded Program Files\006139.exe->(UPXW) - Tool:PornDialer.gen! -> Infected
c:\WINDOWS\Downloaded Program Files\014582.exe->(UPXW) - Tool:PornDialer.gen! -> Infected
c:\WINDOWS\Downloaded Program Files\014334.exe->(UPXW) - Tool:PornDialer.gen! -> Suspicious
c:\WINDOWS\Downloaded Program Files\lwsetup.exe->(UPXW) - Backdoor:Win32/WbeCheck.D -> Infected
c:\WINDOWS\Downloaded Program Files\CONFLICT.1\014334.exe->(UPXW) - Tool:PornDialer.gen! -> Suspicious
c:\WINDOWS\Downloaded Program Files\CONFLICT.2\014334.exe->(UPXW) - Tool:PornDialer.gen! -> Suspicious
c:\WINDOWS\Downloaded Program Files\CONFLICT.2\free_sex_viewer.exe - Trojan:Win32/Tumbo.A -> Infected
c:\Program Files\Netscape\Users\jrcasey\Mail\INBOX->(Invalid#1*) - MIME/Invalid#1 -> Suspicious
c:\Program Files\Netscape\Users\jrcasey\Mail\Sent.snm->(Invalid#1*) - MIME/Invalid#1 -> Suspicious
c:\Program Files\Netscape\Netscape 6\word perfect->(CABSfx)->\intro.exe - Trojan:Win32/RC5_Dropper.E -> Infected
c:\Program Files\ISTsvc\istsvc.exe - TrojanDownloader:Win32/IstBar.B -> Infected
c:\Program Files\WordPerfect Office 2002 Trial\intro.exe - Trojan:Win32/RC5_Dropper.E -> Infected

Scanned
============================
Objects: 42843
Directories: 3639
Archives: 648
Size(Kb): -826926
Infected files: 10

Found
============================
Viruses found: 7
Suspicious files: 6
Disinfected files: 0
Mail files: 2508


Hijack this log....

Logfile of HijackThis v1.97.7
Scan saved at 12:16:11 AM, on 1/9/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\WINMODEM.101\wmexe.exe
C:\PROGRAM FILES\COMMON FILES\SYSTEM\MOSEARCH\BIN\MOSEARCH.EXE
C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\VS7DEBUG\MDM.EXE
C:\PROGRAM FILES\SYGATE\SPF\SMC.EXE
C:\WINDOWS\SYSTEM\HIDSERV.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\STARTER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\ATIPTAAA.EXE
C:\PROGRAM FILES\DIRECTCD\DIRECTCD.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
C:\WINDOWS\SYSTEM\MSWHEEL.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\WINDOWS\SYSTEM\MSREXE.EXE
C:\WINDOWS\RunDLL.exe
C:\PROGRAM FILES\MICROSOFT MONEY\SYSTEM\REMINDER.EXE
C:\WINDOWS\SYSTEM\CTFMON.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OSA.EXE
C:\HPDESK\HPPDDIR.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\OUTLOOK EXPRESS\MSIMN.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\UNZIPPED\HIJACKTHIS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.comcast.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast High-Speed Internet
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://home.microsoft.com/access/autosearch.asp?p=%s
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.yahoo.com/
N1 - Netscape 4: user_pref("browser.startup.homepage", "WWW.YAHOO.COM"); (C:\Program Files\Netscape\Users\jrcasey\prefs.js)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [ATIGART] c:\ati\gart\atigart.exe
O4 - HKLM\..\Run: [AtiPTA] Atiptaaa.exe
O4 - HKLM\..\Run: [POINTER] C:\PROGRA~1\MICROS~1\point32.exe
O4 - HKLM\..\Run: [Adaptec DirectCD] C:\Program Files\DirectCD\DIRECTCD.EXE
O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET
O4 - HKLM\..\Run: [AtiCwd32] Aticwd32.exe
O4 - HKLM\..\Run: [AtiQiPcl] AtiQiPcl.exe
O4 - HKLM\..\Run: [TIPS] C:\PROGRA~1\MICROS~1\tips\mouse\tips.exe
O4 - HKLM\..\Run: [FireTalk Internet Detector] C:\PROGRAM FILES\MULTITUDE\FIRETALK\InternetDetector.EXE -noprompt
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Hot_Party15] c:\program files\dialers\hot_party15\hot_party15.exe /noconnect
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\SYGATE\SPF\SMC.EXE -startgui
O4 - HKLM\..\Run: [System Service] C:\WINDOWS\SYSTEM\MSREXE.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [winmodem] WINMODEM.101\wmexe.exe
O4 - HKLM\..\RunServices: [MOSearch] c:\PROGRA~1\COMMON~1\SYSTEM\MOSEARCH\BIN\MOSEARCH.EXE
O4 - HKLM\..\RunServices: [MDM7] "C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\VS7DEBUG\MDM.EXE"
O4 - HKLM\..\RunServices: [Hidserv] Hidserv.exe run
O4 - HKLM\..\RunServices: [SmcService] C:\PROGRAM FILES\SYGATE\SPF\SMC.EXE
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - HKCU\..\Run: [Reminder] C:\Program Files\Microsoft Money\System\reminder.exe
O4 - HKCU\..\Run: [Washerns] C:\Program Files\Washer-NS\washerns.exe /1
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [5-2-125-1] c:\windows\5-2-125-1.exe -m
O4 - HKCU\..\Run: [5-2-104-8] c:\windows\5-2-104-8.exe -m
O4 - HKCU\..\Run: [5-2-125-6] c:\program files\Webdialer\5-2-125-6.exe -m
O4 - HKCU\..\Run: [5-4-49-3] c:\program files\Webdialer\5-4-49-3.exe -m
O4 - HKCU\..\Run: [5-1-70-10] c:\program files\Webdialer\5-1-70-10.exe -m
O4 - HKCU\..\Run: [Weather] C:\PROGRAM FILES\AWS\WEATHERBUG\WEATHER.EXE 1
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\OSA.EXE
O4 - Startup: Document Assistant.lnk = C:\HPDESK\hppddir.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Office10\OSA.EXE
O9 - Extra button: WeatherBug (HKCU)
O12 - Plugin for .viv: C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\PLUGINS\npviv32.dll
O12 - Plugin for .mp3: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin4.dll
O12 - Plugin for .avi: C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\PLUGINS\npavi32.dll
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O12 - Plugin for .txt: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin2.dll
O12 - Plugin for .EXE: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin2.dll
O12 - Plugin for .mpg: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin3.dll
O12 - Plugin for .pdf: C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\PLUGINS\nppdf32.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.comcast.net
O16 - DPF: {00000000-8c7d-4ea8-b113-9163c935d38e} -
O16 - DPF: {00000000-d9e3-4bc6-a0bd-3d0ca4be5271} -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://active.macromedia.com/flash2/cabs/swflash.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab

Thanks, Abnormal...!

Regards,
Geoffrey I.



Response Number 10
Name: Geoffrey I.
Date: January 8, 2004 at 21:18:53 Pacific
Reply:

Dear Abnormal,

Thanks for your help! I downloaded and ran cwshredder, updated Ad-Aware to 6 and ran that as well. I also ran the scan, the log of which I've included below, but when I look for the files, they're not there. At least when I run a "find", I'm told they don't exist and when I look for them manually in their folders, I can't find them. I've altered the properties to show the hidden files but no luck... Damn, I hate being only semi-computer literate! LOL

I'll post the Hijack this log after the scan log...

THANKS VERY MUCH for your help!!!!! I appreciate it more than I can say!

Scan started at 1/8/04 10:27:17 PM

Scanning memory...
c:\link.exe - Backdoor:IRC/K-Ident.2_0 -> Suspicious
c:\i.exe - TrojanDropper:Win32/Small.gen -> Infected
c:\WINDOWS\sp.dll - WinREG/StartPage* -> Infected
c:\WINDOWS\Downloaded Program Files\014018.exe->(UPXW) - Tool:PornDialer.gen! -> Infected
c:\WINDOWS\Downloaded Program Files\006139.exe->(UPXW) - Tool:PornDialer.gen! -> Infected
c:\WINDOWS\Downloaded Program Files\014582.exe->(UPXW) - Tool:PornDialer.gen! -> Infected
c:\WINDOWS\Downloaded Program Files\014334.exe->(UPXW) - Tool:PornDialer.gen! -> Suspicious
c:\WINDOWS\Downloaded Program Files\lwsetup.exe->(UPXW) - Backdoor:Win32/WbeCheck.D -> Infected
c:\WINDOWS\Downloaded Program Files\CONFLICT.1\014334.exe->(UPXW) - Tool:PornDialer.gen! -> Suspicious
c:\WINDOWS\Downloaded Program Files\CONFLICT.2\014334.exe->(UPXW) - Tool:PornDialer.gen! -> Suspicious
c:\WINDOWS\Downloaded Program Files\CONFLICT.2\free_sex_viewer.exe - Trojan:Win32/Tumbo.A -> Infected
c:\Program Files\Netscape\Users\jrcasey\Mail\INBOX->(Invalid#1*) - MIME/Invalid#1 -> Suspicious
c:\Program Files\Netscape\Users\jrcasey\Mail\Sent.snm->(Invalid#1*) - MIME/Invalid#1 -> Suspicious
c:\Program Files\Netscape\Netscape 6\word perfect->(CABSfx)->\intro.exe - Trojan:Win32/RC5_Dropper.E -> Infected
c:\Program Files\ISTsvc\istsvc.exe - TrojanDownloader:Win32/IstBar.B -> Infected
c:\Program Files\WordPerfect Office 2002 Trial\intro.exe - Trojan:Win32/RC5_Dropper.E -> Infected

Scanned
============================
Objects: 42843
Directories: 3639
Archives: 648
Size(Kb): -826926
Infected files: 10

Found
============================
Viruses found: 7
Suspicious files: 6
Disinfected files: 0
Mail files: 2508


Hijack this log....

Logfile of HijackThis v1.97.7
Scan saved at 12:16:11 AM, on 1/9/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\WINMODEM.101\wmexe.exe
C:\PROGRAM FILES\COMMON FILES\SYSTEM\MOSEARCH\BIN\MOSEARCH.EXE
C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\VS7DEBUG\MDM.EXE
C:\PROGRAM FILES\SYGATE\SPF\SMC.EXE
C:\WINDOWS\SYSTEM\HIDSERV.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\STARTER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\ATIPTAAA.EXE
C:\PROGRAM FILES\DIRECTCD\DIRECTCD.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
C:\WINDOWS\SYSTEM\MSWHEEL.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\WINDOWS\SYSTEM\MSREXE.EXE
C:\WINDOWS\RunDLL.exe
C:\PROGRAM FILES\MICROSOFT MONEY\SYSTEM\REMINDER.EXE
C:\WINDOWS\SYSTEM\CTFMON.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OSA.EXE
C:\HPDESK\HPPDDIR.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\OUTLOOK EXPRESS\MSIMN.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\UNZIPPED\HIJACKTHIS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.comcast.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast High-Speed Internet
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://home.microsoft.com/access/autosearch.asp?p=%s
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.yahoo.com/
N1 - Netscape 4: user_pref("browser.startup.homepage", "WWW.YAHOO.COM"); (C:\Program Files\Netscape\Users\jrcasey\prefs.js)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [ATIGART] c:\ati\gart\atigart.exe
O4 - HKLM\..\Run: [AtiPTA] Atiptaaa.exe
O4 - HKLM\..\Run: [POINTER] C:\PROGRA~1\MICROS~1\point32.exe
O4 - HKLM\..\Run: [Adaptec DirectCD] C:\Program Files\DirectCD\DIRECTCD.EXE
O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET
O4 - HKLM\..\Run: [AtiCwd32] Aticwd32.exe
O4 - HKLM\..\Run: [AtiQiPcl] AtiQiPcl.exe
O4 - HKLM\..\Run: [TIPS] C:\PROGRA~1\MICROS~1\tips\mouse\tips.exe
O4 - HKLM\..\Run: [FireTalk Internet Detector] C:\PROGRAM FILES\MULTITUDE\FIRETALK\InternetDetector.EXE -noprompt
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Hot_Party15] c:\program files\dialers\hot_party15\hot_party15.exe /noconnect
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\SYGATE\SPF\SMC.EXE -startgui
O4 - HKLM\..\Run: [System Service] C:\WINDOWS\SYSTEM\MSREXE.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [winmodem] WINMODEM.101\wmexe.exe
O4 - HKLM\..\RunServices: [MOSearch] c:\PROGRA~1\COMMON~1\SYSTEM\MOSEARCH\BIN\MOSEARCH.EXE
O4 - HKLM\..\RunServices: [MDM7] "C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\VS7DEBUG\MDM.EXE"
O4 - HKLM\..\RunServices: [Hidserv] Hidserv.exe run
O4 - HKLM\..\RunServices: [SmcService] C:\PROGRAM FILES\SYGATE\SPF\SMC.EXE
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - HKCU\..\Run: [Reminder] C:\Program Files\Microsoft Money\System\reminder.exe
O4 - HKCU\..\Run: [Washerns] C:\Program Files\Washer-NS\washerns.exe /1
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [5-2-125-1] c:\windows\5-2-125-1.exe -m
O4 - HKCU\..\Run: [5-2-104-8] c:\windows\5-2-104-8.exe -m
O4 - HKCU\..\Run: [5-2-125-6] c:\program files\Webdialer\5-2-125-6.exe -m
O4 - HKCU\..\Run: [5-4-49-3] c:\program files\Webdialer\5-4-49-3.exe -m
O4 - HKCU\..\Run: [5-1-70-10] c:\program files\Webdialer\5-1-70-10.exe -m
O4 - HKCU\..\Run: [Weather] C:\PROGRAM FILES\AWS\WEATHERBUG\WEATHER.EXE 1
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\OSA.EXE
O4 - Startup: Document Assistant.lnk = C:\HPDESK\hppddir.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Office10\OSA.EXE
O9 - Extra button: WeatherBug (HKCU)
O12 - Plugin for .viv: C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\PLUGINS\npviv32.dll
O12 - Plugin for .mp3: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin4.dll
O12 - Plugin for .avi: C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\PLUGINS\npavi32.dll
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O12 - Plugin for .txt: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin2.dll
O12 - Plugin for .EXE: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin2.dll
O12 - Plugin for .mpg: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin3.dll
O12 - Plugin for .pdf: C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\PLUGINS\nppdf32.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.comcast.net
O16 - DPF: {00000000-8c7d-4ea8-b113-9163c935d38e} -
O16 - DPF: {00000000-d9e3-4bc6-a0bd-3d0ca4be5271} -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://active.macromedia.com/flash2/cabs/swflash.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab

Thanks, Abnormal...!

Regards,
Geoffrey I.



Response Number 11
Name: Abnormal
Date: January 8, 2004 at 22:15:19 Pacific
Reply:

Put a check mark next to these, click fix.

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Hot_Party15] c:\program files\dialers\hot_party15\hot_party15.exe /noconnect
O4 - HKLM\..\Run: [System Service] C:\WINDOWS\SYSTEM\MSREXE.EXE
O4 - HKLM\..\RunServices: [MOSearch] c:\PROGRA~1\COMMON~1\SYSTEM\MOSEARCH\BIN\MOSEARCH.EXE
O4 - HKCU\..\Run: [5-2-125-1] c:\windows\5-2-125-1.exe -m
O4 - HKCU\..\Run: [5-2-104-8] c:\windows\5-2-104-8.exe -m
O4 - HKCU\..\Run: [5-2-125-6] c:\program files\Webdialer\5-2-125-6.exe -m
O4 - HKCU\..\Run: [5-4-49-3] c:\program files\Webdialer\5-4-49-3.exe -m
O4 - HKCU\..\Run: [5-1-70-10] c:\program files\Webdialer\5-1-70-10.exe -m
O4 - HKCU\..\Run: [Weather] C:\PROGRAM FILES\AWS\WEATHERBUG\WEATHER.EXE 1
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\OSA.EXE
O9 - Extra button: WeatherBug (HKCU)
O16 - DPF: {00000000-8c7d-4ea8-b113-9163c935d38e} -
O16 - DPF: {00000000-d9e3-4bc6-a0bd-3d0ca4be5271} -
O16 - DPF: {00000000-d9e3-4bc6-a0bd-3d0ca4be5271} -

Reboot and delete:

C:\WINDOWS\System32\msrexe.exe

Go to Windows Update and get all critical updates.
Good luck



abnormal
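
A cross-check that can be run before ticking boxes, as an added example (not part of this thread and not HijackThis code): it parses O4 autostart lines, confirms that each line in a fix list really appears in the scan, and lists the files those entries point to, since fixing an O4 entry removes the autostart reference but leaves the file on disk. The sample log, entry names and function names are constructed for illustration.

```python
import re

# O4 line shapes: "O4 - HKLM\..\Run: [Name] command" and "O4 - Startup: X.lnk = target"
REG_RE = re.compile(r'^O4 - (HKLM|HKCU)\\\.\.\\(\w+): \[([^\]]*)\] (.+)$')
LNK_RE = re.compile(r'^O4 - (?:Global )?Startup: (.+?) = (.+)$')
EXE_RE = re.compile(r'^"([^"]+)"|^(.+?\.(?:exe|com|bat))(?=\s|$)', re.I)

# Constructed sample data (hypothetical names, not taken from the thread).
LOG = r"""
O4 - HKLM\..\Run: [ExampleUpdater] "C:\Program Files\Example\updater.exe" -boot
O4 - HKCU\..\Run: [Sample] c:\program files\sample app\sample.exe -m
O4 - Startup: Example.lnk = C:\Program Files\Example\start.exe
O9 - Extra button: Example (HKCU)
"""
FIX = r"""
O4 - HKCU\..\Run: [Sample] c:\program files\sample app\sample.exe -m
O9 - Extra button: Example (HKCU)
O4 - HKCU\..\Run: [Typo] c:\windows\typo.exe
"""

def parse_o4(line):
    """Return a dict for an O4 autostart line, or None for any other line."""
    line = line.strip()
    m = REG_RE.match(line)
    if m:
        return {"where": m[1] + "\\" + m[2], "name": m[3], "command": m[4]}
    m = LNK_RE.match(line)
    return {"where": "Startup", "name": m[1], "command": m[2]} if m else None

def image_path(command):
    """Executable part of a command line: quoted path, or text up to .exe/.com/.bat."""
    m = EXE_RE.match(command)
    return (m.group(1) or m.group(2)) if m else command.split()[0]

def norm(line):
    """Collapse whitespace and case so copy/paste differences do not matter."""
    return " ".join(line.split()).lower()

def check_fix_list(log_text, fix_text):
    """Split the fix list into lines present in the scan and lines that are not."""
    scanned = {norm(ln) for ln in log_text.splitlines()}
    found, missing = [], []
    for ln in filter(None, map(str.strip, fix_text.splitlines())):
        (found if norm(ln) in scanned else missing).append(ln)
    return found, missing

def files_left_on_disk(fix_lines):
    """Lower-cased image paths named by the O4 lines selected for fixing."""
    recs = filter(None, map(parse_o4, fix_lines))
    return sorted({image_path(r["command"]).lower() for r in recs})
```

A line that lands in the "missing" list was mistyped or came from a different scan, so it should be re-checked against a fresh log rather than acted on.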



Response Number 12
Name: Geoffrey I.
Date: January 9, 2004 at 18:59:46 Pacific
Reply:

Dear Abnormal,

THANKS! It's working SO much better.... I can't tell you how much it means to folks like me that only know enough about computers to be dangerous! I appreciate your help!

Regards,
Geoffrey I.



Response Number 13
Name: Derek
Date: January 9, 2004 at 19:03:38 Pacific
Reply:

Abnormal. Belated thanks for helping on that link (my #5). Even a nil return is much appreciated - we can then focus on other things.

Derek



Response Number 14
Name: Abnormal
Date: January 9, 2004 at 20:31:19 Pacific
Reply:

Derek, sorry about not answering the post. He wants to keep Kazaa; it will only take one click for new problems fast.

Geoffrey,
Follow the tips under my name, staying safe is all I ask for my help.

