Spyware/Virus keeps replicating

Computing.Net > Forums > Security and Virus > Spyware/Virus keeps replicating

Computer Problems? Computing.Net has over 1,000,000 posts about all things technology related! Over 90% answered within 24 hours! Click here to start participating now! Also, be sure to check out the New User Guide.

Spyware/Virus keeps replicating

Name: ngoodwin
Date: November 27, 2003 at 19:24:59 Pacific
OS: Win2k
CPU/Ram: P3/256MB

Comment:

I started getting a lot of pop-up ads lately and found that I had a lot of weird processes running and all kinds of spyware had been installed. When I try to end one of the processes using Task Manager, a new one (randomly named) appears in its place. I've found and tried deleting the process' .exe files from the System32 directory, but new files immediately replace them there, too. I've also found an associated Registry Key:
HKLM\Software\Microsoft\Windows\Current Version\RUN : [4HM966N3EDDADX] C:\WINDOWS\system32\Gbi1r6.exe
I've run VirusScan, Spybot S&D, Ad Aware, and TDS-3. I think that I've gotten the pop-ups under control, but I can't get rid of those replicating .exe files. When I look at the version tab of the properties for these replicated files, they either say their original filename was wowex32.exe or kern32.exe. I've scanned and have no files by either name.
Can someone please take a look at my Hijack This log? The replicating processes shown in it are Yyd74.exe and ZifU.exe. I would really appreciate any suggestions.
Logfile of HijackThis v1.97.7
Scan saved at 7:29:07 PM, on 11/27/2003
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\GEARSEC.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\regsvc.exe
C:\WINDOWS\System32\WBEM\WinMgmt.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\McAfee\McAfee VirusScan\VsStat.exe
C:\Program Files\McAfee\McAfee VirusScan\Vshwin32.exe
C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
C:\Program Files\McAfee\McAfee VirusScan\Avconsol.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe
C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe
C:\WINDOWS\system32\Yyd74.exe
C:\WINDOWS\system32\ZifU.exe
C:\Documents and Settings\Administrator\Desktop\hijackthis\HijackThis.exe
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
O1 - Hosts: 203.161.127.141 www.dcsresearch.com
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {782E4F7A-CB73-4E01-A1B6-2EC49DE390DB} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: McAfee VirusScan - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - C:\Program Files\McAfee\McAfee VirusScan\VSCShellExtension.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [McAfee Guardian] "C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe" /SU
O4 - HKLM\..\Run: [Ad-aware] "C:\Program Files\Lavasoft\Ad-aware 6\Ad-aware.exe" +c
O4 - HKLM\..\Run: [4HM966N3EDDADX] C:\WINDOWS\system32\Gbi1r6.exe
O4 - HKCU\..\Run: [McAfee.InstantUpdate.Monitor] "C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe" /STARTMONITOR
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - Global Startup: Microsoft Broadband Networking.lnk = C:\Program Files\Microsoft Broadband Networking\MSBNTray.exe
O9 - Extra button: AIM (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

Sponsored Link

Ads by Google

Response Number 1

Name: dw226
Date: November 27, 2003 at 19:33:50 Pacific

Reply:

Have you tried deleting the files in safe mode? You sometimes have to be very forceful with spyware. The whole replicating thing reminds me of my horrible experience with Gator. Very bad to have.

Response Number 2

Name: Abnormal
Date: November 27, 2003 at 20:03:24 Pacific

Reply:

You have the peper trojan, Tom41 can
walk you through this one.

Response Number 3

Name: Abnormal
Date: November 27, 2003 at 21:49:48 Pacific

Reply:

Looks like you know what your doing, hope
this helps.
Please follow these steps, in exactly that order:
Run this uninstaller:
http://home01.wxs.nl/~kleyn080/uninst.exe
When done, use the following tool to delete the files themselves:
Download Drpepertobackup.exe, save to disk, and doubleclick the file; it will self extract to c:\.
Find the "C:\drpeper\Find backup and Delete Peper files.vbs" file and double click it.
http://www.mjc1.com/files/mo/drpepertobackup.exe
On the first prompt, copy and paste: Yyd74.exe .... and hit ok.
On the second, paste: ZifU.exe and hit ok again.
It will find all the files, delete them and will make backups in the same folder.
It'll open a text file (Peper.txt) with the list of all files deleted.
Post another log when done.
Good luck
Abnormal

Response Number 4

Name: ngoodwin
Date: November 28, 2003 at 13:29:53 Pacific

Reply:

Thanks for the help Abnormal. I definitely had the Peper Trojan and I've gotten rid of all those replicating files by following your directions. Here's my new log:
Logfile of HijackThis v1.97.7
Scan saved at 2:16:42 PM, on 11/28/2003
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\GEARSEC.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\regsvc.exe
C:\WINDOWS\System32\WBEM\WinMgmt.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\McAfee\McAfee VirusScan\VsStat.exe
C:\Program Files\McAfee\McAfee VirusScan\Vshwin32.exe
C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
C:\Program Files\McAfee\McAfee VirusScan\Avconsol.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe
C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe
C:\Documents and Settings\Administrator\Desktop\hijackthis\HijackThis.exe
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
O1 - Hosts: 203.161.127.141 www.dcsresearch.com
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {782E4F7A-CB73-4E01-A1B6-2EC49DE390DB} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: McAfee VirusScan - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - C:\Program Files\McAfee\McAfee VirusScan\VSCShellExtension.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [McAfee Guardian] "C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe" /SU
O4 - HKLM\..\Run: [Ad-aware] "C:\Program Files\Lavasoft\Ad-aware 6\Ad-aware.exe" +c
O4 - HKCU\..\Run: [McAfee.InstantUpdate.Monitor] "C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe" /STARTMONITOR
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - Global Startup: Microsoft Broadband Networking.lnk = C:\Program Files\Microsoft Broadband Networking\MSBNTray.exe
O9 - Extra button: AIM (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {13197ACE-6851-45C3-A7FF-C281324D5489} - http://www.2nd-thought.com/files/install026.exe

Response Number 5

Name: Abnormal
Date: November 28, 2003 at 14:02:31 Pacific

Reply:

Thank you for posting back ngoodwin,
you can remove this entry;
O2 - BHO: (no name) - {782E4F7A-CB73-4E01-A1B6-2EC49DE390DB} - (no file)

If all is well, you can save your log
for reference.
Abnormal

c++ self replication hpzstatx vba dashboard	Security Tool virus security tool virus ocget.dll
See More

Response Number 6

Name: blender
Date: November 28, 2003 at 14:37:39 Pacific

Reply:

ngoodwin
I would also remove this entry as it will cause problems too.
O16 - DPF: {13197ACE-6851-45C3-A7FF-C281324D5489} - http://www.2nd-thought.com/files/install026.exe
I believe it is part of Gator

Response Number 7

Name: Tom41
Date: November 29, 2003 at 01:17:20 Pacific

Reply:

Good Job Abnormal!

Response Number 8

Name: Echoe
Date: November 30, 2003 at 12:37:02 Pacific

Reply:

Hi, I am just a non-techie dumb girl :) and found this message on the peper trojan in a search on web32ex, which I have just found on my system, after hours of searching and running removal programs, both AdAware and SpyBot. Neither found my peper virus that I found trying to get McAfee permissions. I have also run SpyKiller free scan, and it identifies other parasites, but not the Peper. Are the instructions given above unique to ngoodwin? Could anyone provide generic instructions? Any help you can offer is sincerely and extremely appreciated!
Echoe

Response Number 9

Name: Abnormal
Date: November 30, 2003 at 13:01:55 Pacific

Reply:

First, I like to thank Tom41, thanks.
Echo, we need your hijackthis log to
do this.
Download 'Hijack This!'. http://www.tomcoyote.org/hjt/
Unzip, doubleclick HijackThis.exe, and hit "Scan".
When the scan is finished, the "Scan" button will change into a "Save Log" button.
Press that, save the log, load it in Notepad, and copy its contents here. Most of what it lists will be harmless or even essential, don't fix anything yet.

Response Number 10

Name: Echoe
Date: November 30, 2003 at 13:21:33 Pacific

Reply:

Hi Abnormal, thank you so much! I have been working since yesterday, and have removed up to 500 files/registeries. I keep trying everything and anything...and I am not a techie, so don't know what's going on. I think I have a Powerscan virus, too. Each of the programs I use finds different files from the other. The wowex file I found was never found by the removal programs. It's C:\WINDOWS\SYSTEM\ERL6A.exe. Sorry I am rambling, thanks so much for the help!
ogfile of HijackThis v1.97.7
Scan saved at 3:12:42 PM, on 11/30/03
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.exe
C:\WINDOWS\SYSTEM\SPOOL32.exe
C:\WINDOWS\SYSTEM\MPREXE.exe
C:\WINDOWS\SYSTEM\MSTASK.exe
C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\AVSYNMGR.exe
C:\PROGRAM FILES\MCAFEE\MCAFEE FIREWALL\CPD.exe
C:\WINDOWS\SYSTEM\HIDSERV.exe
C:\PROGRAM FILES\MCAFEE\MCAFEE FIREWALL\CPDCLNT.exe
C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\VSSTAT.exe
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\AVCONSOL.exe
C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\VSHWIN32.exe
C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\WEBSCANX.exe
C:\WINDOWS\TASKMON.exe
C:\WINDOWS\SYSTEM\SYSTRAY.exe
C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\CPQEADM.exe
C:\COMPAQ\CPQINET\CPQINET.exe
C:\PROGRAM FILES\COMPAQ\DIGITAL DASHBOARD\DEVGULP.exe
C:\CPQS\BWTOOLS\SCCENTER.exe
C:\WINDOWS\ptsnoop.exe
C:\WINDOWS\SYSTEM\HPZTSB04.exe
C:\WINDOWS\LOADQM.exe
C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\ALOGSERV.exe
C:\PROGRAM FILES\MCAFEE\MCAFEE SHARED COMPONENTS\GUARDIAN\CMGRDIAN.exe
C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\BTTNSERV.exe
C:\PROGRAM FILES\AWS\WEATHERBUG\WEATHER.exe
C:\PROGRAM FILES\MCAFEE\MCAFEE SHARED COMPONENTS\INSTANT UPDATER\RULAUNCH.exe
C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.exe
C:\PROGRAM FILES\SPYKILLER\SPYKILLER.exe
C:\PROGRAM FILES\BULLETPROOFSOFT.COM\SPYWAREREMOVER\SPYWATCH.exe
C:\WINDOWS\SYSTEM\WMIEXE.exe
C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\EAUSBKBD.exe
C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\DISTILLR\ACROTRAY.exe
C:\PROGRAM FILES\BULLETPROOFSOFT.COM\SPYWAREREMOVER\CB706998.DLL
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.exe
C:\WINDOWS\SYSTEM\PSTORES.exe
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\OUTLOOK.exe
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.exe
C:\WINDOWS\EXPLORER.exe
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.exe
C:\WINDOWS\SYSTEM\HPZSTATX.exe
C:\PROGRAM FILES\WINZIP\WINZIP32.exe
C:\WINDOWS\TEMP\HIJACKTHIS.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.msn.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://dslhome.prodigy.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.presario.net/scripts/redirectors/presario/srchredir.dll?c=2c00&s=searchbar&LC=0409
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Cox High Speed Internet
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: (no name) - - (no file)
O2 - BHO: (no name) - {9527D42F-D666-11D3-B8DD-00600838CD5F} - C:\WINDOWS\SYSTEM\IETie.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\ACROBAT\ACTIVEX\ACROIEHELPER.OCX
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [SystemTray] SysTray.exe
O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\Compaq\Easy Access Button Support\cpqeadm.exe
O4 - HKLM\..\Run: [EACLEAN] C:\Program Files\Compaq\Easy Access Button Support\eaclean.exe
O4 - HKLM\..\Run: [CPQInet] c:\compaq\CPQInet\CpqInet.exe
O4 - HKLM\..\Run: [Digital Dashboard] C:\Program Files\Compaq\Digital Dashboard\DevGulp.exe
O4 - HKLM\..\Run: [Service Connection] c:\cpqs\bwtools\sccenter.exe
O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
O4 - HKLM\..\Run: [PTSNOOP] ptsnoop.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\SYSTEM\hpztsb04.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [Alogserv] C:\Program Files\McAfee\McAfee VirusScan\alogserv.exe
O4 - HKLM\..\Run: [McAfee Guardian] "C:\PROGRAM FILES\MCAFEE\MCAFEE SHARED COMPONENTS\GUARDIAN\CMGRDIAN.exe" /SU
O4 - HKLM\..\Run: [CriticalUpdate] c:\windows\SYSTEM\wucrtupd.exe -startup
O4 - HKLM\..\Run: [Mount Safe & Sound] C:\PROGRAM FILES\MCAFEE\MCAFEE SHARED COMPONENTS\SAFE&SOUND\FBMOUNT.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [Hidserv] Hidserv.exe run
O4 - HKLM\..\RunServices: [McAfeeVirusScanService] C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
O4 - HKLM\..\RunServices: [McAfee Firewall] "C:\PROGRAM FILES\MCAFEE\MCAFEE FIREWALL\CPD.exe" /SERVICE
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [Weather] C:\PROGRAM FILES\AWS\WEATHERBUG\WEATHER.exe 1
O4 - HKCU\..\Run: [McAfee.InstantUpdate.Monitor] "C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe" /startmonitor
O4 - HKCU\..\Run: [MsnMsgr] "c:\Program Files\MSN Messenger\MsnMsgr.exe" /background
O4 - HKCU\..\Run: [SpyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup
O4 - HKCU\..\Run: [SPYWATCH] C:\PROGRAM FILES\BULLETPROOFSOFT.COM\SPYWAREREMOVER\SpyWatch.exe /STARTUP
O4 - HKCU\..\RunServices: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\RunServices: [Weather] C:\PROGRAM FILES\AWS\WEATHERBUG\WEATHER.exe 1
O4 - HKCU\..\RunServices: [McAfee.InstantUpdate.Monitor] "C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe" /startmonitor
O4 - HKCU\..\RunServices: [MsnMsgr] "c:\Program Files\MSN Messenger\MsnMsgr.exe" /background
O4 - HKCU\..\RunServices: [SpyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup
O4 - HKCU\..\RunServices: [SPYWATCH] C:\PROGRAM FILES\BULLETPROOFSOFT.COM\SPYWAREREMOVER\SpyWatch.exe /STARTUP
O4 - Startup: Timed Backups Manager Startup.lnk = C:\Program Files\Backup Plus\BackTime.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.exe
O4 - Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O9 - Extra button: Translate (HKLM)
O9 - Extra 'Tools' menuitem: AV &Translate (HKLM)
O9 - Extra 'Tools' menuitem: &Find Pages Linking to this URL (HKLM)
O9 - Extra 'Tools' menuitem: Find Other Pages on this &Host (HKLM)
O9 - Extra 'Tools' menuitem: AV Home (HKLM)
O9 - Extra button: WeatherBug (HKCU)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

Response Number 11

Name: Abnormal
Date: November 30, 2003 at 14:08:23 Pacific

Reply:

Hi,
have hijackthis remove
R3 - URLSearchHook: (no name) - - (no file)
O2 - BHO: (no name) - {9527D42F-D666-11D3-B8DD-00600838CD5F} - C:\WINDOWS\SYSTEM\IETie.dll
O4 - HKCU\..\Run: [SPYWATCH] C:\PROGRAM FILES\BULLETPROOFSOFT.COM\SPYWAREREMOVER\SpyWatch.exe /STARTUP
and any thing with spy in it (spyware killer)
that stuff is trash.
Try to uninstall first.
I don't see the peper trojan.
Reboot when your done, have to run now,
I will be back.

Response Number 12

Name: Echoe
Date: November 30, 2003 at 14:16:51 Pacific

Reply:

Thanks, I'll try it! As I said, the peper trojan is that exe file in my Windows/System, none of the removal programs found it, and I don't think Hijacker did either. :( It's still there, staring me in the face. :( My firewall was shutting down for the last three nights. Maybe the programs I have run have removed the identifying files? In any case, please know how much I appreciate your help! I owe ya!
Echoe

Response Number 13

Name: Abnormal
Date: November 30, 2003 at 14:44:51 Pacific

Reply:

You can try to delete that file in safe mode.
They may be up to some new tricks, that I
don't know yet.

Response Number 14

Name: Tom41
Date: November 30, 2003 at 15:17:21 Pacific

Reply:

Let's see if there are any Peper files..
Download 2xExplorer: 2xExplorer
(rightclick on the link and choose "Save Target As").
Unzip 2xExplorer. Double click and set up the following:
Menu> View> Options > Show hidden files should be checked > ok.
Menu > Tools > Find Files:
Named: *.exe
Look in: (browse or paste in) C:\WINDOWS\System32
Check the following: 'Use Text Constraints', 'Search non-text files' and in the 'Find What' paste: kern32
All other fields leave unchecked!
Hit the 'Find' tab...
The scan will run for few seconds and show the results. Rightclick then > print list >right click > select all > copy and post it.

Response Number 15

Name: Echoe
Date: November 30, 2003 at 15:47:17 Pacific

Reply:

k, thanks, guys. I've changed the names of the files and rebooted, everything seems fine, but will try the above and see if we find them. I also just deleted exstub.exe, I am finding alot of files manually that none of these removal programs are finding. :(

Response Number 16

Name: Echoe
Date: November 30, 2003 at 16:00:20 Pacific

Reply:

Okay, here's the list...*sigh! The last file is the one that I referred to, but I changed the name, putting an x in front. When I checked properties, it said, "wowex32.exe".
Echoe
NAME SIZE MODIFIED
Dbhi2q2.exe 225,325 11/24/03 1:56:54 PM [C:\WINDOWS\SYSTEM]
FseiJ.exe 442,413 11/24/03 1:56:54 PM [C:\WINDOWS\SYSTEM]
Gvwz9S.exe 442,413 11/25/03 9:07:36 PM [C:\WINDOWS\SYSTEM]
IscjOQFY.exe 225,325 11/24/03 1:56:54 PM [C:\WINDOWS\SYSTEM]
Iux1Va1z.exe 225,325 11/24/03 1:56:54 PM [C:\WINDOWS\SYSTEM]
Leg4SCZ.exe 225,325 11/24/03 1:56:54 PM [C:\WINDOWS\SYSTEM]
Nmut5Cu7.exe 225,325 11/24/03 1:56:54 PM [C:\WINDOWS\SYSTEM]
UbgrYJn.exe 225,325 11/24/03 1:56:54 PM [C:\WINDOWS\SYSTEM]
Xek8.exe 442,413 11/24/03 1:56:54 PM [C:\WINDOWS\SYSTEM]
xErl6A.exe 442,413 11/24/03 1:56:54 PM [C:\WINDOWS\SYSTEM]
---------------
10 item(s); 3,121,602 bytes in total

Response Number 17

Name: Tom41
Date: November 30, 2003 at 16:10:38 Pacific

Reply:

Boot into safe mode and delete all those files...

Response Number 18

Name: Tom41
Date: November 30, 2003 at 16:24:49 Pacific

Reply:

If Windows will not let you delete all of them, then click Start > Run > type regedit and click OK.
Click the + next to the following keys:
HKEY_LOCAL_MACHINE
Software
Under Software will be a list of sub-folders, look for any that are 14 %random% characters long and beginning with a number.
They should be up at the top...
( They will look something like this: 4HM9*6N4E7&ADX )
Right click on them and click delete.
Reboot and delete any remaining files.

Response Number 19

Name: Echoe
Date: November 30, 2003 at 16:28:28 Pacific

Reply:

Okay. What about these registry keys? (I've just *deleted* most everything else.) This is from a Spykiller log. Thanks so much!
Echoe
Scan initialized on 11/30/03 12:25:45 PM
========================================
Started memory scan
====================
Running processes:
1: C:\WINDOWS\SYSTEM\KERNEL32.DLL
2: C:\WINDOWS\SYSTEM\MSGSRV32.exe
3: C:\WINDOWS\SYSTEM\SPOOL32.exe
4: C:\WINDOWS\SYSTEM\MPREXE.exe
5: C:\WINDOWS\SYSTEM\MSTASK.exe
6: C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\AVSYNMGR.exe
7: C:\PROGRAM FILES\MCAFEE\MCAFEE FIREWALL\CPD.exe
8: C:\WINDOWS\SYSTEM\HIDSERV.exe
9: C:\PROGRAM FILES\MCAFEE\MCAFEE FIREWALL\CPDCLNT.exe
10: C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\VSSTAT.exe
11: C:\WINDOWS\SYSTEM\mmtask.tsk
12: C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\AVCONSOL.exe
13: C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\VSHWIN32.exe
14: C:\WINDOWS\EXPLORER.exe
15: C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\WEBSCANX.exe
16: C:\WINDOWS\TASKMON.exe
17: C:\WINDOWS\SYSTEM\SYSTRAY.exe
18: C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\CPQEADM.exe
19: C:\COMPAQ\CPQINET\CPQINET.exe
20: C:\PROGRAM FILES\COMPAQ\DIGITAL DASHBOARD\DEVGULP.exe
21: C:\CPQS\BWTOOLS\SCCENTER.exe
22: C:\WINDOWS\ptsnoop.exe
23: C:\WINDOWS\SYSTEM\HPZTSB04.exe
24: C:\WINDOWS\LOADQM.exe
25: C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\ALOGSERV.exe
26: C:\PROGRAM FILES\MCAFEE\MCAFEE SHARED COMPONENTS\GUARDIAN\CMGRDIAN.exe
27: C:\PROGRAM FILES\MCAFEE\MCAFEE SHARED COMPONENTS\SAFE&SOUND\FBMOUNT.exe
28: C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\BTTNSERV.exe
29: C:\PROGRAM FILES\AWS\WEATHERBUG\WEATHER.exe
30: C:\PROGRAM FILES\MCAFEE\MCAFEE SHARED COMPONENTS\INSTANT UPDATER\RULAUNCH.exe
31: C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.exe
32: C:\PROGRAM FILES\SPYKILLER\SPYKILLER.exe
33: C:\PROGRAM FILES\BULLETPROOFSOFT.COM\SPYWAREREMOVER\SPYWATCH.exe
34: C:\WINDOWS\SYSTEM\WMIEXE.exe
35: C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\EAUSBKBD.exe
36: C:\WINDOWS\SYSTEM\IUX1VA1Z.exe
37: C:\WINDOWS\SYSTEM\DBHI2Q2.exe
38: C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\DISTILLR\ACROTRAY.exe
39: C:\PROGRAM FILES\BULLETPROOFSOFT.COM\SPYWAREREMOVER\CB706998.DLL
Identified Process:
1: WeatherCast - C:\PROGRAM FILES\AWS\WEATHERBUG\WEATHER.exe - Adware - WhenU.com Inc.
Memory scan result:
Total modules found:39
Suspicious modules found: 1
Started registry scan
====================
Adware HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\{0BF1F54D-ECAC-4E46-A5A5-A60ED0332D3E}--Scan and Remove Spyware and Adware Components from your system safely--Comments
Adware - Adware
WebHancer HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\SharedDLLs--1--C:\WINDOWS\SYSTEM\sporder.dll
Adware - WebHancer
Iambigbrother HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\SharedDLLs--1--C:\Program Files\McAfee\McAfee VirusScan\Res00\Vshwin32.dll
Spy - Tybee Software Inc.
WinGuardian HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\SharedDLLs--1--C:\Program Files\McAfee\McAfee VirusScan\Res00\WebScanX.dll
Spy - Webroot Software Inc.
Real Spy Monitor HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\SharedDLLs--2--C:\WINDOWS\SYSTEM\wshom.ocx
Spy - Mini http
Adware HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\Folders----C:\WINDOWS\Desktop\Spyware Adware Remover\
Adware - Adware
Iambigbrother HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\Components\E38AD777E94C4D118BA80005B820A215--C?\Program Files\McAfee\McAfee VirusScan\Res00\Vshwin32.dll--48DFEA78D0CB4D118B580005B820A215
Spy - Tybee Software Inc.
WinGuardian HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\Components\5EE7FDF474F842F46B5445DE0D77DEF7--C:\Program Files\McAfee\McAfee VirusScan\WebScanX.exe--48DFEA78D0CB4D118B580005B820A215
Spy - Webroot Software Inc.
WinGuardian HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\Components\348AD777E94C4D118BA80005B820A215--C?\Program Files\McAfee\McAfee VirusScan\Res00\WebScanX.dll--48DFEA78D0CB4D118B580005B820A215
Spy - Webroot Software Inc.
WebHancer HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\Components\8ABB3AD57CC65D112852000B0DB2A83C--C?\WINDOWS\SYSTEM\sporder.dll--097BF0E917953F141A3CC19F1E35FFA2
Adware - WebHancer
Real Spy Monitor HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\Components\37D4D9DF2E0A52846AF1B660FF99A612--C?\WINDOWS\SYSTEM\wshom.ocx--D45F1FB0CACE64E45A5A6AE00D33D2E3
Spy - Mini http
Adware HKEY_CURRENT_USER\Software\VB and VBA Program Settings\Spyware / Adware Remover\ScanSections--True--SpywareAdware
Adware - Adware
Registry scan result:
Suspicious keys found: 12
Started folder scan
====================
BDE C:\WINDOWS\SYSTEM\CatRoot\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}
Adware - Brilliant Digital

Folder scan result:
Folder processed: 0
Suspicious folders found: 1
Started file scan
====================
Keycorder C:\WINDOWS\SYSTEM\archlib.dll
Spy - Tenebril Software
Keycorder C:\WINDOWS\TEMP\tmprcpf\reslib.dll
Spy - Tenebril Software
Keycorder C:\RECYCLED\DC33\datalib.dll
Spy - Tenebril Software
Keycorder C:\RECYCLED\DC33\syslib.dll
Spy - Tenebril Software
Sqwire D:\CPQS\TOOLS\CC.exe
Spyware - Sqwire Enterprises, Inc.

File scan result:
Suspicious files found: 5
Scanning finished
====================
Suspicious modules found: 1
Suspicious keys found: 12
Suspicious folders found: 1
Suspicious files found: 5
====================
Components ignored:0
Total components found:19

Response Number 20

Name: Tom41
Date: November 30, 2003 at 16:38:58 Pacific

Reply:

Best thing to do is ignore the SpyKiller log and uninstall SpyKiller..It is nothing but a piece of junk.
Don't be surprised if some of your programs quit working after uninstalling SpyKiller.

Response Number 21

Name: Abnormal
Date: November 30, 2003 at 16:49:13 Pacific

Reply:

Tom thanks for droping in, that looks
like an Ad-Aware or SpyBot log.
There are copy cats, out there. You
need to run the free, original versions
above.

Response Number 22

Name: Abnormal
Date: November 30, 2003 at 16:55:00 Pacific

Reply:

You can find the good tools here;
Hijack prevention tips

Response Number 23

Name: Echoe
Date: November 30, 2003 at 17:16:25 Pacific

Reply:

Okay, guys, thank you so much! I deleted the files in safe mode, and deleted a registry entry from local machines/software, too.
I will uninstall SpyKiller, too, at your suggestion, as well as BPS,(copy of Spybot). I still wonder about those registry files, "winguardian", "iambigbrother" and the files found in McAfee, etc., particularly as my firewall has been shutting down. There is also a Catroot file I am concerned about. Any suggestions? Will this recent removal of the peper trojan solve the problems?
Please know I did run AdAware and Spybot first, though, but as you see, neither detected the real problem. All four of the programs found different offensive files, none duplicated another's find. *sigh I will check out the Hijack site, as I am, of course, looking for ONE good spyware. ;)
Any suggestions?
Thanks again, Abnormal and Tom, I can't tell you how much I appreciate the quick and concerted effort!!!
Good luck,
Echoe

Response Number 24

Name: Joe Luce
Date: December 1, 2003 at 09:52:25 Pacific

Reply:

I read the string of questions and responses concerning pop-up ads and am experiencing the same thing. My computer gets so bogged down with ads overnight I have to restart it and continually click off the pop-up ads. I just installed Zone Alarm and Ad-Aware and, this morning, received a pop-up from Zone Alarm asking me if I wanted to grant permission for 'wowex32' to access the internet. It noted the application file as 'IouEld.exe'. I checked "No" and started doing some homework. I came across this website and followed "Abnormal's" directions for "Hijack This" software and ran the scan. I'm a true computer novice and would appreciate any advice assistance from anyone out there. Thanks a million!
Logfile of HijackThis v1.97.7
Scan saved at 12:28:46 PM, on 12/1/03
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.exe
C:\WINDOWS\SYSTEM\SPOOL32.exe
C:\WINDOWS\SYSTEM\MPREXE.exe
C:\WINDOWS\SYSTEM\MSTASK.exe
C:\WINDOWS\SYSTEM\WINMODEM.101\wmexe.exe
C:\WINDOWS\SYSTEM\R_SERVER.exe
C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\VS7DEBUG\MDM.exe
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.exe
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCSETMGR.exe
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.exe
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\RNAAPP.exe
C:\WINDOWS\SYSTEM\TAPISRV.exe
C:\WINDOWS\EXPLORER.exe
C:\WINDOWS\STARTER.exe
C:\WINDOWS\SYSTEM\VNICMON.exe
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCPD-LC\SYMLCSVC.exe
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.exe
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.exe
C:\WINDOWS\RunDLL.exe
C:\WINDOWS\SYSTEM\CTFMON.exe
C:\PALM5\HOTSYNC.exe
C:\PROGRAM FILES\MSAC-FD1\MSSTAT.exe
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\OSA.exe
C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\DISTILLR\ACROTRAY.exe
C:\WINDOWS\SYSTEM\DDHELP.exe
C:\WINDOWS\SYSTEM\PSTORES.exe
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE10\OUTLOOK.exe
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE10\WINWORD.exe
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.exe
C:\WINDOWS\SYSTEM\BRAIBH6.exe
C:\WINDOWS\SYSTEM\BRAIBH6.exe
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.exe
C:\WINDOWS\NOTEPAD.exe
C:\WINDOWS\DESKTOP\HIJACKTHIS.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\SYSTEM\sb.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cox.com/Fairfax/CoxHighSpeedInternet
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.earthlink.net/partner/more/msie/button/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.seekseek.com/quicksearch.asp?session=D7F85CAB-019C-4CF8-91F7-A8DAEBFD709F&version_id=18
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer Provided by Cox High Speed Internet
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.cox.net
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: Yahoo! Companion BHO - {13F537F0-AF09-11d6-9029-0002B31F9E59} - C:\PROGRAM FILES\YAHOO!\COMPANION\YCOMP5_0_2_3.DLL
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\ACROBAT\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\YCOMP5_0_2_3.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
O4 - HKLM\..\Run: [NIC Monitor] VNICMon.exe
O4 - HKLM\..\Run: [RunWindowsUpdate] C:\WINDOWS\UPTODATE.exe
O4 - HKLM\..\Run: [3Q9QZFM3F4DTYZ] C:\WINDOWS\SYSTEM\IouEld.exe
O4 - HKLM\..\Run: [Symantec Core LC] C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe start
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
O4 - HKLM\..\Run: [CriticalUpdate] c:\windows\SYSTEM\wucrtupd.exe -startup
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [winmodem] WINMODEM.101\wmexe.exe
O4 - HKLM\..\RunServices: [r_server] C:\WINDOWS\SYSTEM\R_SERVER.exe /service
O4 - HKLM\..\RunServices: [MDM7] "C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\VS7DEBUG\MDM.exe"
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [ccEvtMgr] "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
O4 - HKLM\..\RunServices: [ccSetMgr] "C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe"
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.exe -service
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.exe
O4 - Startup: HotSync Manager.lnk = C:\Palm5\hotsync.exe
O4 - Startup: PowerReg Scheduler.exe
O4 - Startup: Memory Stick Monitor.lnk = C:\Program Files\MSAC-FD1\MSstat.exe
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.exe
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.exe
O4 - Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://c:\PROGRA~1\XP\MICROS~1\OFFICE10\EXCEL.EXE/3000
O9 - Extra button: AIM (HKLM)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {E5F50140-AC73-11D0-A492-444553540000} (CarPointProximityCtrl) - http://carpoint.msn.com/components/grid/CPGrid.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/swdir702d159.cab
O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://www.bitstream.com/wfplayer/tdserver.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {22D6F312-B0F6-11D0-94AB-0080C74C7E95} (Windows Media Player) - http://activex.microsoft.com/activex/controls/mplayer/en/nsmp2inf.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (&Yahoo! Companion) - http://download.yahoo.com/dl/toolbar/yiebio3.cab
O16 - DPF: ViewTIFF for Java - http://countyrecords.landata.com/JavaViewTIFF/javabin/TIFFView.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/161f61e26936ad1e6015/netzip/RdxIE601.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37888.4169212963
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview Control) - file://C:\Program Files\AutoCAD LT 2000i\AcPreview.ocx
O16 - DPF: {78AF2F24-A9C3-11D3-BF8C-0060B0FCC122} (AcDcToday Control) - file://C:\Program Files\AutoCAD LT 2000i\AcDcToday.ocx
O16 - DPF: {C6637286-300D-11D4-AE0A-0010830243BD} (NOXLATE) - file://C:\Program Files\AutoCAD LT 2000i\InstFred.ocx
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab

Response Number 25

Name: Abnormal
Date: December 1, 2003 at 10:35:37 Pacific

Reply:

Hi Joe,
Please follow these steps, in exactly that order:
Run this uninstaller:
http://home01.wxs.nl/~kleyn080/uninst.exe
When done, use the following tool to delete the files themselves:
Download Drpepertobackup.exe, save to disk, and doubleclick the file; it will self extract to c:\.
Find the "C:\drpeper\Find backup and Delete Peper files.vbs" file and double click it.
http://www.mjc1.com/files/mo/drpepertobackup.exe

On the first prompt, copy and paste: BRAIBH6.EXE.... and hit ok.
On the second, paste: IouEld.exe and hit ok again.

It will find all the files, delete them and will make backups in the same folder.
It'll open a text file (Peper.txt) with the list of all files deleted.
Copy and paste files found, along with a new hijackthis log.

Response Number 26

Name: JB DIAMOND
Date: December 1, 2003 at 11:57:06 Pacific

Reply:

ABNORMAL,
I have the same problem as ngoodwin with the insidious programs tha self replicate and are called KERN32. I have run PestPatrol and Spybot. I have trapped the pgm from comunicating on the Internet with Zone Alarm. If I download Hijaak This will I be able to eradciate thes pgms using your uninstaller and apps
http://home01.wxs.nl/~kleyn080/uninst.exe
http://www.mjc1.com/files/mo/drpepertobackup.exe
Thanks in advance for your assistance :-)

Response Number 27

Name: Abnormal
Date: December 1, 2003 at 13:00:01 Pacific

Reply:

With your hijackthis log, Tom41 or myself
(still learning) can find the problem.
We need to know the files, to use the
fix above.
Post your log, will get back soon.

Response Number 28

Name: Echoe
Date: December 1, 2003 at 15:24:19 Pacific

Reply:

Hi, Ab and Tom,
I am sorry to hijack this thread, but have a problem, or two. First, I went to the Hijack site and went through the security tests, and did the suggested fixes, now I am locked out of IE Tools/Internet Options! It says "restricted, see administrator"! I am on a stand-alone personal pc, I'm the only admin! What do I do?
Second, this morning, I had two blank error message screens, a McAffee Alert and a Computer Standby...no message content though, had to reboot.
I have run Spybot and Adaware again. Enclosed is my Hijack log if that helps. Can you continue to help me here? I tried to post this this morning, but it wouldn't go through...the confirmation page just hung.
Logfile of HijackThis v1.97.7
Scan saved at 9:33:43 AM, on 12/1/03
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.exe
C:\WINDOWS\SYSTEM\SPOOL32.exe
C:\WINDOWS\SYSTEM\MPREXE.exe
C:\WINDOWS\SYSTEM\MSTASK.exe
C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\AVSYNMGR.exe
C:\PROGRAM FILES\MCAFEE\MCAFEE FIREWALL\CPD.exe
C:\WINDOWS\SYSTEM\HIDSERV.exe
C:\PROGRAM FILES\MCAFEE\MCAFEE FIREWALL\CPDCLNT.exe
C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\VSSTAT.exe
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\AVCONSOL.exe
C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\VSHWIN32.exe
C:\WINDOWS\TASKMON.exe
C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\WEBSCANX.exe
C:\WINDOWS\SYSTEM\SYSTRAY.exe
C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\CPQEADM.exe
C:\COMPAQ\CPQINET\CPQINET.exe
C:\PROGRAM FILES\COMPAQ\DIGITAL DASHBOARD\DEVGULP.exe
C:\CPQS\BWTOOLS\SCCENTER.exe
C:\WINDOWS\ptsnoop.exe
C:\WINDOWS\SYSTEM\HPZTSB04.exe
C:\WINDOWS\LOADQM.exe
C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\ALOGSERV.exe
C:\PROGRAM FILES\MCAFEE\MCAFEE SHARED COMPONENTS\GUARDIAN\CMGRDIAN.exe
C:\PROGRAM FILES\AWS\WEATHERBUG\WEATHER.exe
C:\PROGRAM FILES\MCAFEE\MCAFEE SHARED COMPONENTS\INSTANT UPDATER\RULAUNCH.exe
C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.exe
C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\BTTNSERV.exe
C:\WINDOWS\SYSTEM\WMIEXE.exe
C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\EAUSBKBD.exe
C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\DISTILLR\ACROTRAY.exe
C:\WINDOWS\SYSTEM\DDHELP.exe
C:\WINDOWS\SYSTEM\PSTORES.exe
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.exe
C:\WINDOWS\EXPLORER.exe
C:\PROGRAM FILES\LAVASOFT\AD-AWARE 6\AD-AWARE.exe
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\OUTLOOK.exe
C:\PROGRAM FILES\HIJACK\HIJACKTHIS.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.msn.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://dslhome.prodigy.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.presario.net/scripts/redirectors/presario/srchredir.dll?c=2c00&s=searchbar&LC=0409
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Cox High Speed Internet
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\ACROBAT\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [SystemTray] SysTray.exe
O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\Compaq\Easy Access Button Support\cpqeadm.exe
O4 - HKLM\..\Run: [EACLEAN] C:\Program Files\Compaq\Easy Access Button Support\eaclean.exe
O4 - HKLM\..\Run: [CPQInet] c:\compaq\CPQInet\CpqInet.exe
O4 - HKLM\..\Run: [Digital Dashboard] C:\Program Files\Compaq\Digital Dashboard\DevGulp.exe
O4 - HKLM\..\Run: [Service Connection] c:\cpqs\bwtools\sccenter.exe
O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
O4 - HKLM\..\Run: [PTSNOOP] ptsnoop.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\SYSTEM\hpztsb04.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [Alogserv] C:\Program Files\McAfee\McAfee VirusScan\alogserv.exe
O4 - HKLM\..\Run: [McAfee Guardian] "C:\PROGRAM FILES\MCAFEE\MCAFEE SHARED COMPONENTS\GUARDIAN\CMGRDIAN.exe" /SU
O4 - HKLM\..\Run: [CriticalUpdate] c:\windows\SYSTEM\wucrtupd.exe -startup
O4 - HKLM\..\Run: [Mount Safe & Sound] C:\PROGRAM FILES\MCAFEE\MCAFEE SHARED COMPONENTS\SAFE&SOUND\FBMOUNT.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [Hidserv] Hidserv.exe run
O4 - HKLM\..\RunServices: [McAfeeVirusScanService] C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
O4 - HKLM\..\RunServices: [McAfee Firewall] "C:\PROGRAM FILES\MCAFEE\MCAFEE FIREWALL\CPD.exe" /SERVICE
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [Weather] C:\PROGRAM FILES\AWS\WEATHERBUG\WEATHER.exe 1
O4 - HKCU\..\Run: [McAfee.InstantUpdate.Monitor] "C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe" /startmonitor
O4 - HKCU\..\Run: [MsnMsgr] "c:\Program Files\MSN Messenger\MsnMsgr.exe" /background
O4 - HKCU\..\Run: [SpyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup
O4 - HKCU\..\Run: [SPYWATCH] C:\PROGRAM FILES\BULLETPROOFSOFT.COM\SPYWAREREMOVER\SpyWatch.exe /STARTUP
O4 - Startup: Timed Backups Manager Startup.lnk = C:\Program Files\Backup Plus\BackTime.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.exe
O4 - Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: Translate (HKLM)
O9 - Extra 'Tools' menuitem: AV &Translate (HKLM)
O9 - Extra 'Tools' menuitem: &Find Pages Linking to this URL (HKLM)
O9 - Extra 'Tools' menuitem: Find Other Pages on this &Host (HKLM)
O9 - Extra 'Tools' menuitem: AV Home (HKLM)
O9 - Extra button: WeatherBug (HKCU)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

Response Number 29

Name: jbdiamond
Date: December 1, 2003 at 17:00:05 Pacific

Reply:

Hi,
Thank you for taking a look at my HT log.
Here are my concerns:
The following pgms's are listed by task manager as running in C:\WINNT\system32:
KERN32 (identified by Zone Alarm) Self replicating
Yly4.exe
Bin9q88.exe
Vre9s6.exe
Oyi6u.exe
UwpEKu.exe
VwUxT.exe
wowex32 (ID as Adware.Quatro by Symantec)
Vgr1.exe
Also Syslog.exe and rundll32.exe are questionable.
Zone alarm as stopped the from communicating so the pop ups have pretty much ceased. Now I'd like to get rid of these pgms without crippling my system :-)
Here is the log:
Logfile of HijackThis v1.97.7
Scan saved at 4:09:39 PM, on 12/1/2003
Platform: Windows 2000 SP2 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINNT\System32\CTsvcCDA.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\MsPMSPSv.exe
C:\WINNT\Explorer.exe
C:\WINNT\System32\devldr32.exe
C:\Program Files\Creative\SBLive2k\Creative Diagnostics 2.0\DIAGENT.exe
C:\WINNT\System32\spool\DRIVERS\W32X86\hpoopm07.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\PROGRA~1\COMMON~1\ADAPTE~1\CreateCD\CREATE~1.exe
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\WINNT\System32\rundll32.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
C:\Program Files\Hewlett-Packard\HP OfficeJet G Series\bin\hpodev07.exe
C:\PROGRA~1\HEWLET~1\HPOFFI~1\bin\hpoevm07.exe
C:\WINNT\System32\hpoipm07.exe
C:\Program Files\Hewlett-Packard\HP OfficeJet G Series\bin\HPOSTS07.exe
C:\Program Files\Hewlett-Packard\HP OfficeJet G Series\bin\HPOFXM07.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Yahoo!\Messenger\yupdater.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINNT\System32\Bin9fQ88.exe
C:\WINNT\System32\UwpEKu.exe
C:\PROGRA~1\WINZIP\winzip32.exe
C:\Documents and Settings\Jbdiamond\Local Settings\Temp\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://193.125.201.50
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.searchdot.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.searchdot.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.searchdot.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.searchdot.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.searchdot.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = C:\WINNT\system32\search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http://sas.r2.attbi.com:8000
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://193.125.201.50
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://search.xrenoder.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = C:\WINNT\system32\searchbar.html
R3 - URLSearchHook: IncrediFindBHO Class - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL__SpybotSDDisabled (file missing)
O1 - Hosts: 193.125.201.50 sitefinder.verisign.com
O2 - BHO: (no name) - {000006B1-19B5-414A-849F-2A3C64AE6939} - (no file)
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_9_0.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {2CF0B992-5EEB-4143-99C0-5297EF71F443} - C:\WINNT\System32\stlbdist.DLL__SpybotSDDisabled (file missing)
O2 - BHO: (no name) - {5074851C-F67A-488E-A9C9-C244573F4068} - C:\WINNT\ieasst.dll__SpybotSDDisabled (file missing)
O2 - BHO: NavErrRedir Class - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL__SpybotSDDisabled (file missing)
O2 - BHO: Clear Search - {947E6D5A-4B9F-4CF4-91B3-562CA8D03313} - C:\Program Files\ClearSearch\IE_ClrSch.DLL__SpybotSDDisabled (file missing)
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {E03864CD-D769-43A7-A1A7-E049995E4BC2} - C:\WINNT\System32\mgfc40u.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_9_0.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Search - {2CF0B992-5EEB-4143-99C0-5297EF71F444} - C:\WINNT\System32\stlbdist.DLL
O3 - Toolbar: PowerSearch - {4E7BD74F-2B8D-469E-D3FA-F27BA787AD2D} - C:\PROGRA~1\POWERS~1\Toolbar\pwrswmda.dll (file missing)
O3 - Toolbar: (no name) - {B8B4058D-4719-419F-AD4F-E2A2125BB86B} - (no file)
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.exe NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [DIAGENT] C:\Program Files\Creative\SBLive2k\Creative Diagnostics 2.0\DIAGENT.exe startup
O4 - HKLM\..\Run: [UpdReg] C:\WINNT\Updreg.exe
O4 - HKLM\..\Run: [AHQInit] C:\Program Files\Creative\SBLive2k\Program\AHQInit.exe
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot
O4 - HKLM\..\Run: [HPAIO_PrintFolderMgr] C:\WINNT\System32\spool\DRIVERS\W32X86\hpoopm07.exe
O4 - HKLM\..\Run: [ServiceConfig] "C:\Program Files\Comcast\MigCfg\Programs\IspMig.exe"
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [CreateCD50] C:\PROGRA~1\COMMON~1\ADAPTE~1\CreateCD\CREATE~1.exe -r
O4 - HKLM\..\Run: [winmain] winmain.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [{2CF0B992-5EEB-4143-99C0-5297EF71F444}] rundll32.exe C:\WINNT\System32\stlbdist.DLL,DllRunMain
O4 - HKLM\..\Run: [RunWindowsUpdate] C:\WINNT\uptodate.exe
O4 - HKLM\..\Run: [PestPatrol Control Center] C:\Program Files\PestPatrol\PPControl.exe
O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
O4 - HKLM\..\Run: [syslog lptt01] "C:\Program Files\syslog\syslog.exe"
O4 - HKLM\..\Run: [4PHPJMM5TFBSMS] C:\WINNT\System32\Vgr1.exe
O4 - HKLM\..\RunOnce: [SpyBotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - Startup: Camio Viewer 3.2.lnk = C:\Program Files\Sierra Imaging\Image Expert 2000\IXApplet.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: HPAiODevice.lnk = C:\Program Files\Hewlett-Packard\HP OfficeJet G Series\bin\hpodev07.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.exe
O4 - Global Startup: updater.lnk.disabled
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: AOL Instant Messenger (SM) (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {00000EF1-0786-4633-87C6-1AA7A44296DA} - http://www.netpaloffers.net/NetpalOffers/DMO1/zzyzyx.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {13197ACE-6851-45C3-A7FF-C281324D5489} - http://www.2nd-thought.com/files/install.exe
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {30000273-8230-4DD4-BE4F-6889D1E74167} - http://download.abetterinternet.com/download/cabs/FON29106/flash.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinstc.cab
O16 - DPF: {34805D32-AD89-469E-8503-A5666AEE4333} (RdxIE Class) - http://207.188.7.150/22e0848e9434d7c00c00/netzip/RdxIE.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://f1.pg.photos.yahoo.com/ocx/us/yexplorer1_9us.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/aio/eng/check/qdiagh.cab?312
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (Yahoo! Companion) - http://us.dl1.yimg.com/download.yahoo.com/dl/toolbar/yiebio4023.cab
O19 - User stylesheet: c:\winnt\java\my.css

Thanks in advance...
JB Diamond

Response Number 30

Name: Joe Luce
Date: December 1, 2003 at 18:19:16 Pacific

Reply:

Abnormal,
I can't thank you enough - your instructions were impeccable and easy to follow! Following are the list of files deleted and a new hijackthis log. I really appreciate all of you out there sharing your knowledge with those of us who can only dream to understand computers!
Files Deleted:
12/1/03 9:09:30 PM
C:\WINDOWS\SYSTEM\Xijq4g.exe
C:\WINDOWS\SYSTEM\Vtn3.exe
C:\WINDOWS\SYSTEM\Jme7.exe
C:\WINDOWS\SYSTEM\Kksr49S.exe
C:\WINDOWS\SYSTEM\VjliI50.exe
C:\WINDOWS\SYSTEM\Braibh6.exe
12/1/03 9:10:02 PM
C:\WINDOWS\SYSTEM\IouEld.exe
C:\WINDOWS\SYSTEM\Zqyg9f6.exe
C:\WINDOWS\SYSTEM\Nzc3.exe
Logfile of HijackThis v1.97.7
Scan saved at 9:11:48 PM, on 12/1/03
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.exe
C:\WINDOWS\SYSTEM\SPOOL32.exe
C:\WINDOWS\SYSTEM\MPREXE.exe
C:\WINDOWS\SYSTEM\MSTASK.exe
C:\WINDOWS\SYSTEM\WINMODEM.101\wmexe.exe
C:\WINDOWS\SYSTEM\R_SERVER.exe
C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\VS7DEBUG\MDM.exe
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.exe
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCSETMGR.exe
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.exe
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.exe
C:\WINDOWS\SYSTEM\RNAAPP.exe
C:\WINDOWS\SYSTEM\TAPISRV.exe
C:\WINDOWS\STARTER.exe
C:\WINDOWS\SYSTEM\VNICMON.exe
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCPD-LC\SYMLCSVC.exe
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.exe
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.exe
C:\WINDOWS\RunDLL.exe
C:\WINDOWS\SYSTEM\CTFMON.exe
C:\PALM5\HOTSYNC.exe
C:\PROGRAM FILES\MSAC-FD1\MSSTAT.exe
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\OSA.exe
C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\DISTILLR\ACROTRAY.exe
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.exe
C:\WINDOWS\SYSTEM\DDHELP.exe
C:\WINDOWS\NOTEPAD.exe
C:\WINDOWS\DESKTOP\HIJACKTHIS.exe
Hijack Log:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\SYSTEM\sb.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cox.com/Fairfax/CoxHighSpeedInternet
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.earthlink.net/partner/more/msie/button/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.seekseek.com/quicksearch.asp?session=D7F85CAB-019C-4CF8-91F7-A8DAEBFD709F&version_id=18
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer Provided by Cox High Speed Internet
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.cox.net
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: Yahoo! Companion BHO - {13F537F0-AF09-11d6-9029-0002B31F9E59} - C:\PROGRAM FILES\YAHOO!\COMPANION\YCOMP5_0_2_3.DLL
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\ACROBAT\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\YCOMP5_0_2_3.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
O4 - HKLM\..\Run: [NIC Monitor] VNICMon.exe
O4 - HKLM\..\Run: [RunWindowsUpdate] C:\WINDOWS\UPTODATE.exe
O4 - HKLM\..\Run: [Symantec Core LC] C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe start
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
O4 - HKLM\..\Run: [CriticalUpdate] c:\windows\SYSTEM\wucrtupd.exe -startup
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [winmodem] WINMODEM.101\wmexe.exe
O4 - HKLM\..\RunServices: [r_server] C:\WINDOWS\SYSTEM\R_SERVER.exe /service
O4 - HKLM\..\RunServices: [MDM7] "C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\VS7DEBUG\MDM.exe"
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [ccEvtMgr] "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
O4 - HKLM\..\RunServices: [ccSetMgr] "C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe"
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.exe -service
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.exe
O4 - Startup: HotSync Manager.lnk = C:\Palm5\hotsync.exe
O4 - Startup: PowerReg Scheduler.exe
O4 - Startup: Memory Stick Monitor.lnk = C:\Program Files\MSAC-FD1\MSstat.exe
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.exe
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.exe
O4 - Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://c:\PROGRA~1\XP\MICROS~1\OFFICE10\EXCEL.EXE/3000
O9 - Extra button: AIM (HKLM)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {E5F50140-AC73-11D0-A492-444553540000} (CarPointProximityCtrl) - http://carpoint.msn.com/components/grid/CPGrid.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/swdir702d159.cab
O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://www.bitstream.com/wfplayer/tdserver.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {22D6F312-B0F6-11D0-94AB-0080C74C7E95} (Windows Media Player) - http://activex.microsoft.com/activex/controls/mplayer/en/nsmp2inf.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (&Yahoo! Companion) - http://download.yahoo.com/dl/toolbar/yiebio3.cab
O16 - DPF: ViewTIFF for Java - http://countyrecords.landata.com/JavaViewTIFF/javabin/TIFFView.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/161f61e26936ad1e6015/netzip/RdxIE601.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37888.4169212963
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview Control) - file://C:\Program Files\AutoCAD LT 2000i\AcPreview.ocx
O16 - DPF: {78AF2F24-A9C3-11D3-BF8C-0060B0FCC122} (AcDcToday Control) - file://C:\Program Files\AutoCAD LT 2000i\AcDcToday.ocx
O16 - DPF: {C6637286-300D-11D4-AE0A-0010830243BD} (NOXLATE) - file://C:\Program Files\AutoCAD LT 2000i\InstFred.ocx
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab

Response Number 31

Name: Abnormal
Date: December 1, 2003 at 19:00:44 Pacific

Reply:

Echoe, you still have the fake spyware
removal tools, may be causing your problem.
Joe, glad you fixed the big problem, not
good at reading large logs, will look at
it offline, because I will get knocked
offline if I sit to long.
J.B
Please follow these steps, in exactly that order:
Run this uninstaller:
http://home01.wxs.nl/~kleyn080/uninst.exe
When done, use the following tool to delete the files themselves:
Download Drpepertobackup.exe, save to disk, and doubleclick the file; it will self extract to c:\.
Find the "C:\drpeper\Find backup and Delete Peper files.vbs" file and double click it.
http://www.mjc1.com/files/mo/drpepertobackup.exe

On the first prompt, copy and paste:UwpEKu.exe .... and hit ok.
On the second, paste: Vgr1.exe and hit ok again.

It will find all the files, delete them and will make backups in the same folder.
It'll open a text file (Peper.txt) with the list of all files deleted.
Post a new log when your done, good luck.
Others that may come across this post using a search engine, start another thread by posting at the security and virus forum, link
at left side of this page.

Response Number 32

Name: jbdiamond
Date: December 1, 2003 at 20:12:35 Pacific

Reply:

Abnormal,
Followed the prescribed steps and here are the HT and Peper logs.
Logfile of HijackThis v1.97.7
Scan saved at 7:45:35 PM, on 12/1/2003
Platform: Windows 2000 SP2 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINNT\System32\CTsvcCDA.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\MsPMSPSv.exe
C:\WINNT\Explorer.exe
C:\WINNT\System32\devldr32.exe
C:\Program Files\Creative\SBLive2k\Creative Diagnostics 2.0\DIAGENT.exe
C:\WINNT\System32\spool\DRIVERS\W32X86\hpoopm07.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\PROGRA~1\COMMON~1\ADAPTE~1\CreateCD\CREATE~1.exe
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\WINNT\System32\rundll32.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
C:\Program Files\Hewlett-Packard\HP OfficeJet G Series\bin\hpodev07.exe
C:\PROGRA~1\HEWLET~1\HPOFFI~1\bin\hpoevm07.exe
C:\WINNT\System32\hpoipm07.exe
C:\Program Files\Hewlett-Packard\HP OfficeJet G Series\bin\HPOSTS07.exe
C:\Program Files\Hewlett-Packard\HP OfficeJet G Series\bin\HPOFXM07.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Yahoo!\Messenger\yupdater.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Real\Update_OB\realevent.exe
C:\PROGRA~1\WINZIP\winzip32.exe
C:\Documents and Settings\Jbaum\Local Settings\Temp\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://193.125.201.50
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.searchdot.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.searchdot.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.searchdot.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.searchdot.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.searchdot.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = C:\WINNT\system32\search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http://sas.r2.attbi.com:8000
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://193.125.201.50
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://search.xrenoder.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = C:\WINNT\system32\searchbar.html
R3 - URLSearchHook: IncrediFindBHO Class - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL__SpybotSDDisabled (file missing)
O1 - Hosts: 193.125.201.50 sitefinder.verisign.com
O2 - BHO: (no name) - {000006B1-19B5-414A-849F-2A3C64AE6939} - (no file)
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_9_0.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {2CF0B992-5EEB-4143-99C0-5297EF71F443} - C:\WINNT\System32\stlbdist.DLL__SpybotSDDisabled (file missing)
O2 - BHO: (no name) - {5074851C-F67A-488E-A9C9-C244573F4068} - C:\WINNT\ieasst.dll__SpybotSDDisabled (file missing)
O2 - BHO: NavErrRedir Class - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL__SpybotSDDisabled (file missing)
O2 - BHO: Clear Search - {947E6D5A-4B9F-4CF4-91B3-562CA8D03313} - C:\Program Files\ClearSearch\IE_ClrSch.DLL__SpybotSDDisabled (file missing)
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {E03864CD-D769-43A7-A1A7-E049995E4BC2} - C:\WINNT\System32\mgfc40u.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_9_0.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Search - {2CF0B992-5EEB-4143-99C0-5297EF71F444} - C:\WINNT\System32\stlbdist.DLL
O3 - Toolbar: PowerSearch - {4E7BD74F-2B8D-469E-D3FA-F27BA787AD2D} - C:\PROGRA~1\POWERS~1\Toolbar\pwrswmda.dll (file missing)
O3 - Toolbar: (no name) - {B8B4058D-4719-419F-AD4F-E2A2125BB86B} - (no file)
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.exe NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [DIAGENT] C:\Program Files\Creative\SBLive2k\Creative Diagnostics 2.0\DIAGENT.exe startup
O4 - HKLM\..\Run: [UpdReg] C:\WINNT\Updreg.exe
O4 - HKLM\..\Run: [AHQInit] C:\Program Files\Creative\SBLive2k\Program\AHQInit.exe
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot
O4 - HKLM\..\Run: [HPAIO_PrintFolderMgr] C:\WINNT\System32\spool\DRIVERS\W32X86\hpoopm07.exe
O4 - HKLM\..\Run: [ServiceConfig] "C:\Program Files\Comcast\MigCfg\Programs\IspMig.exe"
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [CreateCD50] C:\PROGRA~1\COMMON~1\ADAPTE~1\CreateCD\CREATE~1.exe -r
O4 - HKLM\..\Run: [winmain] winmain.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [{2CF0B992-5EEB-4143-99C0-5297EF71F444}] rundll32.exe C:\WINNT\System32\stlbdist.DLL,DllRunMain
O4 - HKLM\..\Run: [RunWindowsUpdate] C:\WINNT\uptodate.exe
O4 - HKLM\..\Run: [PestPatrol Control Center] C:\Program Files\PestPatrol\PPControl.exe
O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
O4 - HKLM\..\Run: [syslog lptt01] "C:\Program Files\syslog\syslog.exe"
O4 - HKLM\..\RunOnce: [SpyBotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - Startup: Camio Viewer 3.2.lnk = C:\Program Files\Sierra Imaging\Image Expert 2000\IXApplet.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: HPAiODevice.lnk = C:\Program Files\Hewlett-Packard\HP OfficeJet G Series\bin\hpodev07.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.exe
O4 - Global Startup: updater.lnk.disabled
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: AOL Instant Messenger (SM) (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {00000EF1-0786-4633-87C6-1AA7A44296DA} - http://www.netpaloffers.net/NetpalOffers/DMO1/zzyzyx.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {13197ACE-6851-45C3-A7FF-C281324D5489} - http://www.2nd-thought.com/files/install.exe
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {30000273-8230-4DD4-BE4F-6889D1E74167} - http://download.abetterinternet.com/download/cabs/FON29106/flash.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinstc.cab
O16 - DPF: {34805D32-AD89-469E-8503-A5666AEE4333} (RdxIE Class) - http://207.188.7.150/22e0848e9434d7c00c00/netzip/RdxIE.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://f1.pg.photos.yahoo.com/ocx/us/yexplorer1_9us.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/aio/eng/check/qdiagh.cab?312
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (Yahoo! Companion) - http://us.dl1.yimg.com/download.yahoo.com/dl/toolbar/yiebio4023.cab
O19 - User stylesheet: c:\winnt\java\my.css
Here is the Peper log:
12/1/2003 7:43:59 PM
C:\WINNT\system32\Bin9fQ88.exe
C:\WINNT\system32\Oyi6u.exe
C:\WINNT\system32\UwpEKu.exe
C:\WINNT\system32\Vre9S6.exe
C:\WINNT\system32\VweUwT.exe
C:\WINNT\system32\Yly4.exe
12/1/2003 7:44:07 PM
C:\WINNT\system32\Buw1i.exe
C:\WINNT\system32\Rydo84k.exe
C:\WINNT\system32\Vgr1.exe

Thanks,
JB Diamond

Response Number 33

Name: Abnormal
Date: December 1, 2003 at 20:58:12 Pacific

Reply:

Joe and Jb,
glad you guys fixed your main problem,
reading the leftovers are a problem
for me. I know how to spot some of the
problems, not all yet. Hope my teacher
Tom41 will bail me out.
Take care because we care.

Response Number 34

Name: Joe Luce
Date: December 2, 2003 at 04:55:13 Pacific

Reply:

Abnormal,
Thanks so much for your help - I look forward to Tom41's advice.
JL

Response Number 35

Name: Abnormal
Date: December 2, 2003 at 12:29:48 Pacific

Reply:

Hi Joe,
Close all browser windows, then in HijackThis check off the boxes next to the following and then the Fix button....
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.seekseek.com/quicksearch.asp?se...F&version_id=18
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/161f61e26936ad1e6015/...ip/RdxIE601.cab
and if you have problems getting to
your security settings, this one.
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
Reboot when your done.
Jb will get to you soon.

Response Number 36

Name: Abnormal
Date: December 2, 2003 at 18:53:18 Pacific

Reply:

Jb, run cwshredder and post another log.
I did not forget about you, this may
help me read your log better.
cwshreddder.zip

cwshredder.exe
Whatever version workes for you.
And get your critical windows update.

Response Number 37

Name: Tom41
Date: December 3, 2003 at 01:57:39 Pacific

Reply:

Jb,
Also run RapidBlaster Killer. Reboot and post a new Hijack log.
RBKiller

Response Number 38

Name: jbdiamond
Date: December 3, 2003 at 08:20:35 Pacific

Reply:

Abnormal/Tom41
Thanks for the assistance. Tom41...01:57:39?? Go get some sleep. I'll run this stuff when I get home. I'm having an issue getting the RBKILLER but I'll try again later.
Regards,
JB<>

Response Number 39

Name: blairss
Date: December 3, 2003 at 15:36:31 Pacific

Reply:

Thanks in advance to you all for your help with the trojan problem. My HijachThis log:
Logfile of HijackThis v1.97.7
Scan saved at 6:25:01 PM, on 12/03/2003
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.exe
C:\WINDOWS\SYSTEM\SPOOL32.exe
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.exe
C:\WINDOWS\SYSTEM\MSTASK.exe
C:\WINDOWS\SYSTEM\WINMODEM.101\wmexe.exe
C:\WINDOWS\EXPLORER.exe
C:\WINDOWS\SYSTEM\SYSTRAY.exe
C:\PROGRAM FILES\MICROSOFT HARDWARE\MOUSE\POINT32.exe
C:\PROGRAM FILES\NETROPA\MULTIMEDIA KEYBOARD\MMKEYBD.exe
C:\WINDOWS\TASKMON.exe
C:\PROGRAM FILES\SUPPORT.COM\BIN\TGCMD.exe
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.exe
C:\PROGRAM FILES\NETROPA\MULTIMEDIA KEYBOARD\MEDIACTR.exe
C:\WINDOWS\FSSCRCTL.exe
C:\PROGRAM FILES\MICROSOFT BROADBAND NETWORKING\MSBNTRAY.exe
C:\PROGRA~1\NETROPA\ONSCRE~1\OSD.exe
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\RNATHCHK.exe
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCSETMGR.exe
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.exe
C:\WINDOWS\SYSTEM\PSTORES.exe
C:\WINDOWS\REGEDIT.exe
C:\WINDOWS\SYSTEM\DDHELP.exe
C:\PROGRAM FILES\WINZIP\WINZIP32.exe
C:\WINDOWS\TEMP\HIJACKTHIS.exe
C:\PROGRAM FILES\MICROSOFT BROADBAND NETWORKING\IPHLPSVR.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nytimes.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast High-Speed Internet
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = ftp=proxy.ne.mediaone.net:8080;gopher=proxy.ne.mediaone.net:8080
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.nytimes.com/
R3 - URLSearchHook: (no name) - - (no file)
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\windows\downloaded program files\googletoolbar_en_2.0.95-deleon.dll
O2 - BHO: (no name) - {D66D6D29-8D0D-47DA-B69C-87FDDC64BAEB} - C:\WINDOWS\SYSTEM\LMSVCRT.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\downloaded program files\googletoolbar_en_2.0.95-deleon.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [SystemTray] SysTray.exe
O4 - HKLM\..\Run: [CriticalUpdate] c:\windows\SYSTEM\wucrtupd.exe -startup
O4 - HKLM\..\Run: [POINTER] C:\Program Files\Microsoft Hardware\Mouse\point32.exe
O4 - HKLM\..\Run: [KBD MediaCenter] C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.exe TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.exe" -atboottime
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe" /server
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [dRMON SmartAgent] drmon\SmartAgt\SmartAgt.exe
O4 - HKLM\..\RunServices: [winmodem] WINMODEM.101\wmexe.exe
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [ccEvtMgr] "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
O4 - HKLM\..\RunServices: [ccSetMgr] "C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe"
O4 - HKCU\..\RunOnce: [NSWCfg.exe] "C:\Program Files\Norton SystemWorks\NSWCfg.exe"
O4 - Startup: MSOffice Toolbar.lnk = D:\Program Files\Microsoft Office\Office\OSA9.exe
O4 - Startup: Screen Saver Control.lnk = C:\WINDOWS\FSScrCtl.exe
O4 - Startup: Microsoft Broadband Networking.lnk = C:\Program Files\Microsoft Broadband Networking\MSBNTray.exe
O4 - User Startup: MSOffice Toolbar.lnk = D:\Program Files\Microsoft Office\Office\OSA9.exe
O4 - User Startup: Screen Saver Control.lnk = C:\WINDOWS\FSScrCtl.exe
O4 - User Startup: Microsoft Broadband Networking.lnk = C:\Program Files\Microsoft Broadband Networking\MSBNTray.exe
O8 - Extra context menu item: Open Frame in &New Window - C:\WINDOWS\WEB\frm2new.htm
O8 - Extra context menu item: &Highlight - C:\WINDOWS\WEB\highlight.htm
O8 - Extra context menu item: &Web Search - C:\WINDOWS\WEB\selsearch.htm
O8 - Extra context menu item: &Links List - C:\WINDOWS\WEB\urllist.htm
O8 - Extra context menu item: Zoom &In - C:\WINDOWS\WEB\zoomin.htm
O8 - Extra context menu item: Zoom O&ut - C:\WINDOWS\WEB\zoomout.htm
O8 - Extra context menu item: I&mages List - C:\WINDOWS\Web\imglist.htm
O8 - Extra context menu item: Add to filterlist (WebWasher) - http://-Web.Washer-/ie_add
O8 - Extra context menu item: &Google Search - res://C:\WINDOWS\DOWNLOADED PROGRAM FILES\GOOGLETOOLBAR_EN_2.0.95-DELEON.DLL/cmsearch.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\WINDOWS\DOWNLOADED PROGRAM FILES\GOOGLETOOLBAR_EN_2.0.95-DELEON.DLL/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\WINDOWS\DOWNLOADED PROGRAM FILES\GOOGLETOOLBAR_EN_2.0.95-DELEON.DLL/cmsimilar.html
O8 - Extra context menu item: Backward &Links - res://C:\WINDOWS\DOWNLOADED PROGRAM FILES\GOOGLETOOLBAR_EN_2.0.95-DELEON.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate Page - res://C:\WINDOWS\DOWNLOADED PROGRAM FILES\GOOGLETOOLBAR_EN_2.0.95-DELEON.DLL/cmtrans.html
O9 - Extra button: RealGuide (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O12 - Plugin for .mid: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin2.dll
O16 - DPF: {0C568603-D79D-11D2-87A7-00C04FF158BB} (BrowseFolderPopup Class) - http://download.mcafee.com/molbin/Shared/MGBrwFld.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {47F591A1-8783-11D2-8343-00A0C945A819} (WGPlayer Class) - http://download.richfx.com/player/release/vpsetup.cab
O16 - DPF: {340FBD92-B7BB-11D2-8299-00104B27F81B} (ScanCtl Class) - http://outpost.zdnet.com/updates/resources/updates.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {DF6A0F17-0B1E-11D4-829D-00C04F6843FE} (Microsoft Office Tools on the Web Control) - http://officeupdate.microsoft.com/TemplateGallery/downloads/outc.cab
O16 - DPF: {1B77F337-2C1E-4D52-88F7-AAEE5BFB6F5B} - http://www.netbroadcaster.com/player/MovieNetworks1.exe
O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://office.microsoft.com/productupdates/content/opuc.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2002060602/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {00EF2092-6AC5-47C0-BD25-CF2D5D657FEB} (Google Script Object) - http://activex.microsoft.com/objects/ocget.dll
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37873.8536342593
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20021205/qtinstall.info.apple.com/drakken/us/win/QuickTimeInstaller.exe
O16 - DPF: {127698E4-E730-4E5C-A2B1-21490A70C8A1} (CEnroll Class) - http://digitalid.verisign.com/xenroll.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/activedata/SymAData.dll
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
O16 - DPF: msvcp71 - http://download.pestpatrol.com/Downloads/Components/msvcp71.cab
O16 - DPF: msvcr71 - http://download.pestpatrol.com/Downloads/Components/msvcr71.cab
O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
O16 - DPF: mscomctl - http://www.pestscan.com/scanner/mscomctl.cab
O16 - DPF: axscannerruntime - http://www.pestscan.com/scanner/axscannerruntime.cab
O16 - DPF: axscanner - http://www.pestscan.com/scanner/axscanner.cab
Running W98. Am in the process of trying to install NSW 2004 after manually removing 2002, so I am unprotected at the moment. Thanks so much for helping us non-tech folks!

Response Number 40

Name: David3
Date: December 3, 2003 at 19:03:53 Pacific

Reply:

Hey guys I do believe that I have the same thing as everyone else. If someone would be so kind as to help me out I would appreciate it. My Hijack log is below.
Logfile of HijackThis v1.97.7
Scan saved at 9:51:00 PM, on 12/3/2003
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v5.50 (5.50.4134.0600)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.exe
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.exe
C:\WINDOWS\SYSTEM\MSTASK.exe
C:\WINDOWS\SYSTEM\SSDPSRV.exe
C:\PROGRAM FILES\GRISOFT\AVG6\AVGSERV9.exe
C:\WINDOWS\EXPLORER.exe
C:\WINDOWS\TASKMON.exe
C:\WINDOWS\SYSTEM\SYSTRAY.exe
C:\WINDOWS\SYSTEM\RESTORE\STMGR.exe
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMKEYBD.exe
C:\WINDOWS\SYSTEM\HPSYSDRV.exe
C:\PROGRAM FILES\MOTIVE\MOTMON.exe
C:\WINDOWS\SYSTEM\WMIEXE.exe
C:\PROGRAM FILES\GRISOFT\AVG6\AVGCC32.exe
C:\SCANJET\PRECISIONSCANLT\HPPWRSAV.exe
C:\WINDOWS\WT\WCMDMGR.exe
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\KEYBDMGR.exe
C:\WINDOWS\RunDLL.exe
C:\PROGRAM FILES\NETROPA\ONSCREEN DISPLAY\OSD.exe
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMUSBKB2.exe
C:\WINDOWS\SYSTEM\DDHELP.exe
C:\WINDOWS\AV.exe
C:\PROGRAM FILES\WINAMP\WINAMP.exe
C:\PROGRAM FILES\AT&T\WNCLIENT\PROGRAMS\WNCONNECT.exe
C:\PROGRAM FILES\AT&T\WNCLIENT\PROGRAMS\WNCSMSERVER.exe
C:\WINDOWS\SYSTEM\TAPISRV.exe
C:\WINDOWS\SYSTEM\RNAAPP.exe
C:\PROGRAM FILES\AT&T\WNCLIENT\PROGRAMS\ARUPLD32.exe
C:\PROGRAM FILES\AIM95\AIM.exe
C:\PROGRAM FILES\GRISOFT\AVG6\AVGW.exe
C:\WINDOWS\REGEDIT.exe
C:\WINDOWS\TEMP\TD_0001.DIR\HIJACKTHIS.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://server224.smartbotpro.net/7search/?001
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://server224.smartbotpro.net/7search/?002
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://default-homepage-network.com/start.cgi?c001
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://server224.smartbotpro.net/7search/?003
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://search.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by AT&T WorldNet Service
F1 - win.ini: run=hpfsched
O2 - BHO: My Search BHO - {014DA6C1-189F-421a-88CD-07CFE51CFF10} - C:\PROGRAM FILES\MYSEARCH\BAR\1.BIN\S4BAR.DLL
O2 - BHO: (no name) - {000004CC-E4FF-4F2C-BC30-DBEF0B983BC9} - C:\WINDOWS\IPINSIGT.DLL
O3 - Toolbar: My &Search Bar - {014DA6C9-189F-421a-88CD-07CFE51CFF10} - C:\PROGRAM FILES\MYSEARCH\BAR\1.BIN\S4BAR.DLL
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Keyboard Manager] C:\Program Files\Netropa\One-touch Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [MotiveMonitor] C:\Program Files\Motive\motmon.exe
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [mgavrtclexe] C:\WINDOWS\MCBin\AV\Rt\mgavrtcl.exe
O4 - HKLM\..\Run: [HPLogiFinder] \WINDOWS\OPTIONS\CABS\LOGITECH\HP_FINDER.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [SENTRY] C:\WINDOWS\SENTRY.exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRAM FILES\GRISOFT\AVG6\avgcc32.exe /startup
O4 - HKLM\..\Run: [KaZaA Media Desktop] C:\Program Files\KaZaA\kazaa.exe
O4 - HKLM\..\Run: [hppwrsav] C:\SCANJET\PrecisionScanLT\hppwrsav.exe
O4 - HKLM\..\Run: [wcmdmgr] C:\WINDOWS\wt\wcmdmgrl.exe -launch
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe C:\PROGRA~1\AIM95\DeadAIM.ocm,ExportedCheckODLs
O4 - HKLM\..\Run: [Antivirus] C:\WINDOWS\AV.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [mgavrtclexe] C:\WINDOWS\MCBin\AV\Rt\mgavrte.exe
O4 - HKLM\..\RunServices: [Avgserv9.exe] C:\PROGRA~1\GRISOFT\AVG6\Avgserv9.exe
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - HKCU\..\Run: [AIM] C:\PROGRAM FILES\AIM95\aim.exe -cnetwait.odl
O4 - Startup: America Online 6.0 Tray Icon.lnk = C:\America Online 6.0\aoltray.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.exe
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: MSN Messenger Service (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O12 - Plugin for .mid: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin2.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {0122955E-1FB0-11D2-A238-006097FAEE8B} (CscClnt Class) - http://205.159.125.199/central/02030106/cccabs/CleverContent.cab
O16 - DPF: Yahoo! Dots - http://download.games.yahoo.com/games/clients/y/dtt1_x.cab
O16 - DPF: Yahoo! Gin - http://download.games.yahoo.com/games/clients/y/nt1_x.cab
O16 - DPF: Yahoo! Literati - http://download.games.yahoo.com/games/clients/y/tt0_x.cab

Response Number 41

Name: jbdiamond
Date: December 3, 2003 at 20:22:44 Pacific

Reply:

Abnormal/Tom41,
I did a full PestPatrol Scan (I purchased a full license a few weeks ago. I'm not that thrilled with the product so far), Spybot scan and ran CWSHREDDER. I will download SP4 at some point soon and will upgrade to Zone Alrm Pro this weekend. I had 1 halt on reboot but I hit OK too quickly to catch the program name. Hopefully I can fix this on the next re-boot.I could not download RBKILLER. What are your thoughts on Spyware Blaster? Here is my latest HT and CWSHREDDER logs. Once again, Thanks for the help.
HT LOG:
Logfile of HijackThis v1.97.7
Scan saved at 8:00:20 PM, on 12/3/2003
Platform: Windows 2000 SP2 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINNT\System32\CTsvcCDA.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\MsPMSPSv.exe
C:\WINNT\Explorer.exe
C:\WINNT\System32\devldr32.exe
C:\Program Files\Creative\SBLive2k\Creative Diagnostics 2.0\DIAGENT.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINNT\System32\spool\DRIVERS\W32X86\hpoopm07.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\PROGRA~1\COMMON~1\ADAPTE~1\CreateCD\CREATE~1.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\WINNT\System32\rundll32.exe
C:\Program Files\PestPatrol\PPControl.exe
C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
C:\Program Files\Hewlett-Packard\HP OfficeJet G Series\bin\hpodev07.exe
C:\Program Files\Sierra Imaging\Image Expert 2000\IXApplet.exe
C:\PROGRA~1\HEWLET~1\HPOFFI~1\bin\hpoevm07.exe
C:\WINNT\System32\hpoipm07.exe
C:\Program Files\Hewlett-Packard\HP OfficeJet G Series\bin\HPOSTS07.exe
C:\Program Files\Hewlett-Packard\HP OfficeJet G Series\bin\HPOFXM07.exe
C:\PROGRA~1\WINZIP\winzip32.exe
C:\Documents and Settings\Jbdiamond\Local Settings\Temp\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http://sas.r2.attbi.com:8000
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = ,
R3 - URLSearchHook: IncrediFindBHO Class - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL__SpybotSDDisabled (file missing)
O2 - BHO: (no name) - {000006B1-19B5-414A-849F-2A3C64AE6939} - (no file)
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_9_0.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {2CF0B992-5EEB-4143-99C0-5297EF71F443} - C:\WINNT\System32\stlbdist.DLL__SpybotSDDisabled (file missing)
O2 - BHO: (no name) - {5074851C-F67A-488E-A9C9-C244573F4068} - C:\WINNT\ieasst.dll__SpybotSDDisabled (file missing)
O2 - BHO: NavErrRedir Class - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL__SpybotSDDisabled (file missing)
O2 - BHO: Clear Search - {947E6D5A-4B9F-4CF4-91B3-562CA8D03313} - C:\Program Files\ClearSearch\IE_ClrSch.DLL__SpybotSDDisabled (file missing)
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {E03864CD-D769-43A7-A1A7-E049995E4BC2} - C:\WINNT\System32\mgfc40u.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_9_0.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Search - {2CF0B992-5EEB-4143-99C0-5297EF71F444} - C:\WINNT\System32\stlbdist.DLL
O3 - Toolbar: PowerSearch - {4E7BD74F-2B8D-469E-D3FA-F27BA787AD2D} - C:\PROGRA~1\POWERS~1\Toolbar\pwrswmda.dll (file missing)
O3 - Toolbar: (no name) - {B8B4058D-4719-419F-AD4F-E2A2125BB86B} - (no file)
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.exe NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [DIAGENT] C:\Program Files\Creative\SBLive2k\Creative Diagnostics 2.0\DIAGENT.exe startup
O4 - HKLM\..\Run: [UpdReg] C:\WINNT\Updreg.exe
O4 - HKLM\..\Run: [AHQInit] C:\Program Files\Creative\SBLive2k\Program\AHQInit.exe
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot
O4 - HKLM\..\Run: [HPAIO_PrintFolderMgr] C:\WINNT\System32\spool\DRIVERS\W32X86\hpoopm07.exe
O4 - HKLM\..\Run: [ServiceConfig] "C:\Program Files\Comcast\MigCfg\Programs\IspMig.exe"
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [CreateCD50] C:\PROGRA~1\COMMON~1\ADAPTE~1\CreateCD\CREATE~1.exe -r
O4 - HKLM\..\Run: [winmain] winmain.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [{2CF0B992-5EEB-4143-99C0-5297EF71F444}] rundll32.exe C:\WINNT\System32\stlbdist.DLL,DllRunMain
O4 - HKLM\..\Run: [RunWindowsUpdate] C:\WINNT\uptodate.exe
O4 - HKLM\..\Run: [PestPatrol Control Center] C:\Program Files\PestPatrol\PPControl.exe
O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
O4 - HKLM\..\Run: [syslog lptt01] "C:\Program Files\syslog\syslog.exe"
O4 - Startup: Camio Viewer 3.2.lnk = C:\Program Files\Sierra Imaging\Image Expert 2000\IXApplet.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: HPAiODevice.lnk = C:\Program Files\Hewlett-Packard\HP OfficeJet G Series\bin\hpodev07.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.exe
O4 - Global Startup: updater.lnk.disabled
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: AOL Instant Messenger (SM) (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {00000EF1-0786-4633-87C6-1AA7A44296DA} - http://www.netpaloffers.net/NetpalOffers/DMO1/zzyzyx.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {13197ACE-6851-45C3-A7FF-C281324D5489} - http://www.2nd-thought.com/files/install.exe
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {30000273-8230-4DD4-BE4F-6889D1E74167} - http://download.abetterinternet.com/download/cabs/FON29106/flash.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinstc.cab
O16 - DPF: {34805D32-AD89-469E-8503-A5666AEE4333} (RdxIE Class) - http://207.188.7.150/22e0848e9434d7c00c00/netzip/RdxIE.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37958.8083217593
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://f1.pg.photos.yahoo.com/ocx/us/yexplorer1_9us.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/aio/eng/check/qdiagh.cab?312
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (Yahoo! Companion) - http://us.dl1.yimg.com/download.yahoo.com/dl/toolbar/yiebio4023.cab
CWSHREDDER LOG:
Done!
Removed from your system:
- CWS.Datanotary
- CWS.Mupdate
- 12 infected IE registry values
Windows 2000 (5.00.2195 SP2)
CWShredder v1.38.2
Written by Merijn - merijn@spywareinfo.com
For any additional help with this program or removing CWS, visit http://forums.spywareinfo.com/
Best Regards,
JB<>

Response Number 42

Name: Abnormal
Date: December 4, 2003 at 17:01:51 Pacific

Reply:

JB, the site for rapid blaster Tom gave
you was, is still having problems.
Found a working download.
http://www.wilderssecurity.net/downloads/rbkiller.exe
Launch the program and hit the Scan button.
RBKiller will find any RapidBlaster variants on your system, kill the process, delete the Registry Run entry, and remove the file and folder itself.
Others finding this post, for a quick response, more log readers at spywareinfo.com

Response Number 43

Name: BarbB
Date: December 5, 2003 at 08:48:44 Pacific

Reply:

Hi-
Thank you so much for helping others - I'm hoping you can help me,too. Many of the problems I am having with pop-ups and ie sound like those described by others in this thread. I have run NAV, ad-aware and spybot which have found gator, alexa, turbodownload and other stuff - but problems w/ pop-ups persist. I think I've seen seen wowex32 in my attempts to figure it out - deleted so many things now I'm confused -I really need help - please. Per advice above - here is my Hijackthis log
Logfile of HijackThis v1.97.7
Scan saved at 11:19:15 AM, on 12/5/03
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.exe
C:\WINDOWS\SYSTEM\MPREXE.exe
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\SYMTRAY.exe
C:\PROGRAM FILES\NETWORK ICE\BLACKICE\BLACKD.exe
C:\WINDOWS\SYSTEM\MSTASK.exe
C:\WINDOWS\EXPLORER.exe
C:\WINDOWS\TASKMON.exe
C:\WINDOWS\SYSTEM\SYSTRAY.exe
C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON ANTIVIRUS\POPROXY.exe
C:\PROGRAM FILES\B'S CLIP\BSCLIP.exe
C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON ANTIVIRUS\NAVAPW32.exe
C:\WINDOWS\SYSTEM\QTTASK.exe
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.exe
C:\PROGRAM FILES\COMMON FILES\UPDATER\WUPDATER.exe
C:\PROGRAM FILES\NETWORK ICE\BLACKICE\BLACKICE.exe
C:\WINDOWS\SYSTEM\DDHELP.exe
C:\WINDOWS\SYSTEM\WMIEXE.exe
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.exe
C:\WINDOWS\SYSTEM\SPOOL32.exe
C:\WINDOWS\RUNDLL32.exe
C:\WINDOWS\DESKTOP\HIJACKTHIS.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.runsearch.com/search.html
R3 - URLSearchHook: (no name) - - (no file)
O1 - Hosts: 209.132.200.78 auto.search.msn.com
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar_en_2.0.95-deleon.dll
O2 - BHO: (no name) - {A8F9C360-2503-11D8-80C3-004F4908CC03} - C:\WINDOWS\SYSTEM\MSCXMS.DLL
O2 - BHO: NavErrRedir Class - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL (file missing)
O2 - BHO: (no name) - {23BC1CCF-4BE7-497F-B154-6ADA68425FBB} - C:\WINDOWS\SYSTEM\EXPEXT.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar_en_2.0.95-deleon.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.exe
O4 - HKLM\..\Run: [Norton eMail Protect] C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON ANTIVIRUS\POProxy.exe
O4 - HKLM\..\Run: [CriticalUpdate] C:\WINDOWS\SYSTEM\wucrtupd.exe -startup
O4 - HKLM\..\Run: [NAV DefAlert] C:\PROGRA~1\NORTON~1\NORTON~2\DEFALERT.exe
O4 - HKLM\..\Run: [B'sCLiP] C:\PROGRA~1\B'SCLI~1\BSCLIP.exe
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NORTON~2\NAVAPW32.exe /LOADQUIET
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Explkw] C:\WINDOWS\SYSTEM\expup.exe
O4 - HKLM\..\Run: [28S4LP54Q#38FE] C:\WINDOWS\SYSTEM\Lck7.exe
O4 - HKLM\..\Run: [updater] C:\Program Files\Common files\updater\wupdater.exe
O4 - HKLM\..\RunServices: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\SymTray.exe "Norton SystemWorks"
O4 - HKLM\..\RunServices: [LoadBlackD] C:\Program Files\Network ICE\BlackICE\blackd.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - Startup: BlackICE Utility.lnk = C:\Program Files\Network ICE\BlackICE\blackice.exe
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR_EN_2.0.95-DELEON.DLL/cmsearch.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR_EN_2.0.95-DELEON.DLL/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR_EN_2.0.95-DELEON.DLL/cmsimilar.html
O8 - Extra context menu item: Backward &Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR_EN_2.0.95-DELEON.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR_EN_2.0.95-DELEON.DLL/cmtrans.html
O9 - Extra button: GM Card easyPay (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: MSN Messenger Service (HKLM)
O9 - Extra button: AIM (HKLM)
O16 - DPF: {22D04E86-B56C-11D2-A796-080009BBAD2C} (Agile Wallet Controls) - https://a.cc.usa.agilewallet.com/awfiles/js/awbho.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {2566E4F3-A47B-11D4-9B5D-0010A4F2D6BF} (QwCont Class) - http://www.quicken.com/qw2001/qcominst.cab
O16 - DPF: {34805D32-AD89-469E-8503-A5666AEE4333} (RdxIE Class) - http://207.188.25.44/02a930e2155710802515/netzip/RdxIE.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {323C9B9A-DB6C-42CE-A706-314535FD8EAF} (FTUploader Control) - http://fototime.com/ftweb/activeX/WebUploadControl.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37861.777337963
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinstc.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
THank you.
BarbB

Response Number 44

Name: Tom41
Date: December 5, 2003 at 11:39:14 Pacific

Reply:

Hi BarbB,
Please follow these steps, in exactly that order:
Run this uninstaller:
http://home01.wxs.nl/~kleyn080/uninst.exe
When done, use the following tool to delete the files themselves.
Download and unzip 2xExplorer:
2xExplorer
Double click 2xExplorer and set up the following:
Menu> View> Options > Show hidden files should be checked > ok.
Menu > Tools > Find Files:
Named: *.exe
Look in: (browse or paste in) C:\Windows\System
Check the following: 'Use Text Constraints', 'Search non-text files' and in the 'Find What' paste: kern32
All other fields leave unchecked!
Hit the 'Find' tab...
The scan will run for few seconds and show the results. Delete all files listed.
Then reboot and run another Hijack scan and post the new log.

Response Number 45

Name: BarbB
Date: December 5, 2003 at 16:13:32 Pacific

Reply:

Thanks Tom41-
I did as you said and when I ran 2xExplorer it found nothing. Still have problems as Task Manager had various odd programs:
Osvfm, msbb, sbhc and Wjview. Also when I went on ie had a "Virus Alert" directing me to click ok to scan - I cancelled it - but new window popped at www.popupguard.com.
Here's most recent Hijackthis:
Logfile of HijackThis v1.97.7
Scan saved at 7:02:36 PM, on 12/5/03
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.exe
C:\WINDOWS\SYSTEM\MPREXE.exe
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\SYMTRAY.exe
C:\PROGRAM FILES\NETWORK ICE\BLACKICE\BLACKD.exe
C:\WINDOWS\SYSTEM\MSTASK.exe
C:\WINDOWS\EXPLORER.exe
C:\WINDOWS\TASKMON.exe
C:\WINDOWS\SYSTEM\SYSTRAY.exe
C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON ANTIVIRUS\POPROXY.exe
C:\PROGRAM FILES\B'S CLIP\BSCLIP.exe
C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON ANTIVIRUS\NAVAPW32.exe
C:\WINDOWS\SYSTEM\QTTASK.exe
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.exe
C:\PROGRAM FILES\COMMON FILES\UPDATER\WUPDATER.exe
C:\PROGRAM FILES\N-CASE\MSBB.exe
C:\WINDOWS\WJVIEW.exe
C:\PROGRAM FILES\SUPERBAR\SBHC.exe
C:\PROGRAM FILES\NETWORK ICE\BLACKICE\BLACKICE.exe
C:\WINDOWS\SYSTEM\DDHELP.exe
C:\WINDOWS\SYSTEM\WMIEXE.exe
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.exe
C:\PROGRAM FILES\EBATESMOEMONEYMAKER\EBATESMOEMONEYMAKER.exe
C:\WINDOWS\DESKTOP\HIJACKTHIS.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.runsearch.com/search.html
R3 - URLSearchHook: (no name) - - (no file)
O1 - Hosts: 209.132.200.78 auto.search.msn.com
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar_en_2.0.95-deleon.dll
O2 - BHO: (no name) - {A8F9C360-2503-11D8-80C3-004F4908CC03} - C:\WINDOWS\SYSTEM\MSCXMS.DLL
O2 - BHO: NavErrRedir Class - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL (file missing)
O2 - BHO: My Search BHO - {014DA6C1-189F-421a-88CD-07CFE51CFF10} - C:\PROGRAM FILES\MYSEARCH\BAR\1.BIN\S4BAR.DLL
O2 - BHO: (no name) - {136A9D1D-1F4B-43D4-8359-6F2382449255} - C:\PROGRAM FILES\SUPERBAR\SUPERBAR.DLL
O2 - BHO: (no name) - {23BC1CCF-4BE7-497F-B154-6ADA68425FBB} - C:\WINDOWS\SYSTEM\EXPEXT.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar_en_2.0.95-deleon.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: My &Search Bar - {014DA6C9-189F-421a-88CD-07CFE51CFF10} - C:\PROGRAM FILES\MYSEARCH\BAR\1.BIN\S4BAR.DLL
O3 - Toolbar: SuperBar - {6A928700-2734-11D8-80C3-004F4908CC03} - C:\PROGRAM FILES\SUPERBAR\SUPERBAR.DLL
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.exe
O4 - HKLM\..\Run: [Norton eMail Protect] C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON ANTIVIRUS\POProxy.exe
O4 - HKLM\..\Run: [CriticalUpdate] C:\WINDOWS\SYSTEM\wucrtupd.exe -startup
O4 - HKLM\..\Run: [NAV DefAlert] C:\PROGRA~1\NORTON~1\NORTON~2\DEFALERT.exe
O4 - HKLM\..\Run: [B'sCLiP] C:\PROGRA~1\B'SCLI~1\BSCLIP.exe
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NORTON~2\NAVAPW32.exe /LOADQUIET
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Explkw] C:\WINDOWS\SYSTEM\expup.exe
O4 - HKLM\..\Run: [updater] C:\Program Files\Common files\updater\wupdater.exe
O4 - HKLM\..\Run: [msbb] C:\PROGRAM FILES\N-CASE\MSBB.exe
O4 - HKLM\..\Run: [EbatesMoeMoneyMaker] wjview /cp:p "C:\Program Files\EbatesMoeMoneyMaker\System\Code" Main lp: "C:\Program Files\EbatesMoeMoneyMaker"
O4 - HKLM\..\Run: [SBHC] C:\Program Files\SuperBar\sbhc.exe
O4 - HKLM\..\Run: [OSVFM] C:\WINDOWS\OSVFM.exe
O4 - HKLM\..\RunServices: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\SymTray.exe "Norton SystemWorks"
O4 - HKLM\..\RunServices: [LoadBlackD] C:\Program Files\Network ICE\BlackICE\blackd.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - Startup: BlackICE Utility.lnk = C:\Program Files\Network ICE\BlackICE\blackice.exe
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR_EN_2.0.95-DELEON.DLL/cmsearch.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR_EN_2.0.95-DELEON.DLL/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR_EN_2.0.95-DELEON.DLL/cmsimilar.html
O8 - Extra context menu item: Backward &Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR_EN_2.0.95-DELEON.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR_EN_2.0.95-DELEON.DLL/cmtrans.html
O8 - Extra context menu item: Ebates - file://C:\Program Files\EbatesMoeMoneyMaker\System\Temp\ebates_script0.htm
O9 - Extra button: GM Card easyPay (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: MSN Messenger Service (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Ebates (HKCU)
O16 - DPF: {22D04E86-B56C-11D2-A796-080009BBAD2C} (Agile Wallet Controls) - https://a.cc.usa.agilewallet.com/awfiles/js/awbho.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {2566E4F3-A47B-11D4-9B5D-0010A4F2D6BF} (QwCont Class) - http://www.quicken.com/qw2001/qcominst.cab
O16 - DPF: {34805D32-AD89-469E-8503-A5666AEE4333} (RdxIE Class) - http://207.188.25.44/02a930e2155710802515/netzip/RdxIE.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {323C9B9A-DB6C-42CE-A706-314535FD8EAF} (FTUploader Control) - http://fototime.com/ftweb/activeX/WebUploadControl.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37861.777337963
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinstc.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab

Anything else I can do?
Thanks
BarbB

Response Number 46

Name: Tom41
Date: December 5, 2003 at 17:11:49 Pacific

Reply:

Yes, There's plenty to do!
Run HijackThis again and place a check in the box next to the following items. Doublecheck so as to be sure not to miss one.
Next, close all browser Windows, and have HT 'fix checked'.
You Must restart your computer when you're done.
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.runsearch.com/search.html
R3 - URLSearchHook: (no name) - - (no file)
O1 - Hosts: 209.132.200.78 auto.search.msn.com
O2 - BHO: (no name) - {A8F9C360-2503-11D8-80C3-004F4908CC03} - C:\WINDOWS\SYSTEM\MSCXMS.DLL
O2 - BHO: NavErrRedir Class - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL (file missing)
O2 - BHO: My Search BHO - {014DA6C1-189F-421a-88CD-07CFE51CFF10} - C:\PROGRAM FILES\MYSEARCH\BAR\1.BIN\S4BAR.DLL
O2 - BHO: (no name) - {136A9D1D-1F4B-43D4-8359-6F2382449255} - C:\PROGRAM FILES\SUPERBAR\SUPERBAR.DLL
O2 - BHO: (no name) - {23BC1CCF-4BE7-497F-B154-6ADA68425FBB} - C:\WINDOWS\SYSTEM\EXPEXT.DLL
O3 - Toolbar: My &Search Bar - {014DA6C9-189F-421a-88CD-07CFE51CFF10} - C:\PROGRAM FILES\MYSEARCH\BAR\1.BIN\S4BAR.DLL
O3 - Toolbar: SuperBar - {6A928700-2734-11D8-80C3-004F4908CC03} - C:\PROGRAM FILES\SUPERBAR\SUPERBAR.DLL
O4 - HKLM\..\Run: [Explkw] C:\WINDOWS\SYSTEM\expup.exe
O4 - HKLM\..\Run: [updater] C:\Program Files\Common files\updater\wupdater.exe
O4 - HKLM\..\Run: [msbb] C:\PROGRAM FILES\N-CASE\MSBB.exe
O4 - HKLM\..\Run: [EbatesMoeMoneyMaker] wjview /cp:p "C:\Program Files\EbatesMoeMoneyMaker\System\Code" Main lp: "C:\Program Files\EbatesMoeMoneyMaker"
O4 - HKLM\..\Run: [SBHC] C:\Program Files\SuperBar\sbhc.exe
O4 - HKLM\..\Run: [OSVFM] C:\WINDOWS\OSVFM.exe
O8 - Extra context menu item: Ebates - file://C:\Program Files\EbatesMoeMoneyMaker\System\Temp\ebates_script0.htm
O9 - Extra button: Ebates (HKCU)
After restarting delete the following:
Files:
C:\WINDOWS\SYSTEM\expup.exe
C:\WINDOWS\OSVFM.exe
Folders:
C:\Program Files\Common files\updater
C:\PROGRAM FILES\N-CASE
C:\Program Files\SuperBar
C:\Program Files\EbatesMoeMoneyMaker
Also install, update and run Spybot-S&D. Have Spybot fix all red entries it lists.
Spybot

Response Number 47

Name: BarbB
Date: December 5, 2003 at 20:12:35 Pacific

Reply:

Tom41 -
I ran Ad-Aware before getting your last helpful message - the pop ups were driving my husband nuts. I think it changed things - as Hijackthis finds different stuff now. So sorry. Here is the last run of Hijackthis - I promise I won't do anything else until I hear from you as to what to do.
Thank you Thank you Thank you
Logfile of HijackThis v1.97.7
Scan saved at 11:05:49 PM, on 12/5/03
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.exe
C:\WINDOWS\SYSTEM\MPREXE.exe
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\SYMTRAY.exe
C:\PROGRAM FILES\NETWORK ICE\BLACKICE\BLACKD.exe
C:\WINDOWS\SYSTEM\MSTASK.exe
C:\WINDOWS\EXPLORER.exe
C:\WINDOWS\TASKMON.exe
C:\WINDOWS\SYSTEM\SYSTRAY.exe
C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON ANTIVIRUS\POPROXY.exe
C:\PROGRAM FILES\B'S CLIP\BSCLIP.exe
C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON ANTIVIRUS\NAVAPW32.exe
C:\WINDOWS\SYSTEM\QTTASK.exe
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.exe
C:\PROGRAM FILES\COMMON FILES\UPDATER\WUPDATER.exe
C:\PROGRAM FILES\NETWORK ICE\BLACKICE\BLACKICE.exe
C:\WINDOWS\SYSTEM\DDHELP.exe
C:\WINDOWS\SYSTEM\WMIEXE.exe
C:\WINDOWS\SYSTEM\PSTORES.exe
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.exe
C:\WINDOWS\DESKTOP\HIJACKTHIS.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.runsearch.com/search.html
R3 - URLSearchHook: (no name) - - (no file)
O1 - Hosts: 209.132.200.78 auto.search.msn.com
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar_en_2.0.95-deleon.dll
O2 - BHO: (no name) - {23BC1CCF-4BE7-497F-B154-6ADA68425FBB} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar_en_2.0.95-deleon.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.exe
O4 - HKLM\..\Run: [Norton eMail Protect] C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON ANTIVIRUS\POProxy.exe
O4 - HKLM\..\Run: [CriticalUpdate] C:\WINDOWS\SYSTEM\wucrtupd.exe -startup
O4 - HKLM\..\Run: [NAV DefAlert] C:\PROGRA~1\NORTON~1\NORTON~2\DEFALERT.exe
O4 - HKLM\..\Run: [B'sCLiP] C:\PROGRA~1\B'SCLI~1\BSCLIP.exe
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NORTON~2\NAVAPW32.exe /LOADQUIET
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [updater] C:\Program Files\Common files\updater\wupdater.exe
O4 - HKLM\..\RunServices: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\SymTray.exe "Norton SystemWorks"
O4 - HKLM\..\RunServices: [LoadBlackD] C:\Program Files\Network ICE\BlackICE\blackd.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - Startup: BlackICE Utility.lnk = C:\Program Files\Network ICE\BlackICE\blackice.exe
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR_EN_2.0.95-DELEON.DLL/cmsearch.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR_EN_2.0.95-DELEON.DLL/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR_EN_2.0.95-DELEON.DLL/cmsimilar.html
O8 - Extra context menu item: Backward &Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR_EN_2.0.95-DELEON.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR_EN_2.0.95-DELEON.DLL/cmtrans.html
O9 - Extra button: GM Card easyPay (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: MSN Messenger Service (HKLM)
O9 - Extra button: AIM (HKLM)
O16 - DPF: {22D04E86-B56C-11D2-A796-080009BBAD2C} (Agile Wallet Controls) - https://a.cc.usa.agilewallet.com/awfiles/js/awbho.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {2566E4F3-A47B-11D4-9B5D-0010A4F2D6BF} (QwCont Class) - http://www.quicken.com/qw2001/qcominst.cab
O16 - DPF: {34805D32-AD89-469E-8503-A5666AEE4333} (RdxIE Class) - http://207.188.25.44/02a930e2155710802515/netzip/RdxIE.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {323C9B9A-DB6C-42CE-A706-314535FD8EAF} (FTUploader Control) - http://fototime.com/ftweb/activeX/WebUploadControl.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37861.777337963
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinstc.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab

-BarbB

Response Number 48

Name: Tom41
Date: December 6, 2003 at 01:41:48 Pacific

Reply:

Hi Barb,
AdAware did a pretty good job cleaning things up, just a few things left to fix.
Run HijackThis again and place a check in the box next to the following items. Next, close all browser Windows, and have HT 'fix checked'.
You Must restart your computer when you're done.
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.runsearch.com/search.html
R3 - URLSearchHook: (no name) - - (no file)
O1 - Hosts: 209.132.200.78 auto.search.msn.com
O2 - BHO: (no name) - {23BC1CCF-4BE7-497F-B154-6ADA68425FBB} - (no file)
O4 - HKLM\..\Run: [updater] C:\Program Files\Common files\updater\wupdater.exe
After restarting delete the C:\Program Files\Common files\updater folder.

Response Number 49

Name: BarbB
Date: December 6, 2003 at 06:45:52 Pacific

Reply:

Tom41-
Thank you for your help. Your instructions were very easy to follow - looks like everything is cleaned up. Task manager only has what should be running in it and Pop ups aren't a problem. I'm very grateful for your help.
-BarbB

Response Number 50

Name: Joe Luce
Date: December 10, 2003 at 15:39:51 Pacific

Reply:

Abnormal/Tom 41,
I followed your advice, deleted the files (sans the last one) and following is my HT log. Any further recommendations or am I "good to go?" Thanks!
JL
Logfile of HijackThis v1.97.7
Scan saved at 6:35:01 PM, on 12/10/03
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.exe
C:\WINDOWS\SYSTEM\MPREXE.exe
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.exe
C:\WINDOWS\SYSTEM\WINMODEM.101\wmexe.exe
C:\WINDOWS\SYSTEM\R_SERVER.exe
C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\VS7DEBUG\MDM.exe
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.exe
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCSETMGR.exe
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.exe
C:\WINDOWS\EXPLORER.exe
C:\WINDOWS\STARTER.exe
C:\WINDOWS\SYSTEM\VNICMON.exe
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCPD-LC\SYMLCSVC.exe
C:\WINDOWS\SYSTEM\RNAAPP.exe
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.exe
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.exe
C:\WINDOWS\RunDLL.exe
C:\WINDOWS\SYSTEM\CTFMON.exe
C:\WINDOWS\SYSTEM\TAPISRV.exe
C:\PALM5\HOTSYNC.exe
C:\PROGRAM FILES\MSAC-FD1\MSSTAT.exe
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\OSA.exe
C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\DISTILLR\ACROTRAY.exe
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.exe
C:\WINDOWS\SYSTEM\DDHELP.exe
C:\WINDOWS\SYSTEM\PSTORES.exe
C:\WINDOWS\DESKTOP\HIJACKTHIS.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\SYSTEM\sb.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cox.com/Fairfax/CoxHighSpeedInternet
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.earthlink.net/partner/more/msie/button/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer Provided by Cox High Speed Internet
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.cox.net
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: Yahoo! Companion BHO - {13F537F0-AF09-11d6-9029-0002B31F9E59} - C:\PROGRAM FILES\YAHOO!\COMPANION\YCOMP5_0_2_3.DLL
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\ACROBAT\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\YCOMP5_0_2_3.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
O4 - HKLM\..\Run: [NIC Monitor] VNICMon.exe
O4 - HKLM\..\Run: [RunWindowsUpdate] C:\WINDOWS\UPTODATE.exe
O4 - HKLM\..\Run: [Symantec Core LC] C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe start
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
O4 - HKLM\..\Run: [CriticalUpdate] c:\windows\SYSTEM\wucrtupd.exe -startup
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [winmodem] WINMODEM.101\wmexe.exe
O4 - HKLM\..\RunServices: [r_server] C:\WINDOWS\SYSTEM\R_SERVER.exe /service
O4 - HKLM\..\RunServices: [MDM7] "C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\VS7DEBUG\MDM.exe"
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [ccEvtMgr] "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
O4 - HKLM\..\RunServices: [ccSetMgr] "C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe"
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.exe -service
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.exe
O4 - Startup: HotSync Manager.lnk = C:\Palm5\hotsync.exe
O4 - Startup: PowerReg Scheduler.exe
O4 - Startup: Memory Stick Monitor.lnk = C:\Program Files\MSAC-FD1\MSstat.exe
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.exe
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.exe
O4 - Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://c:\PROGRA~1\XP\MICROS~1\OFFICE10\EXCEL.EXE/3000
O9 - Extra button: AIM (HKLM)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {E5F50140-AC73-11D0-A492-444553540000} (CarPointProximityCtrl) - http://carpoint.msn.com/components/grid/CPGrid.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/swdir702d159.cab
O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://www.bitstream.com/wfplayer/tdserver.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {22D6F312-B0F6-11D0-94AB-0080C74C7E95} (Windows Media Player) - http://activex.microsoft.com/activex/controls/mplayer/en/nsmp2inf.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (&Yahoo! Companion) - http://download.yahoo.com/dl/toolbar/yiebio3.cab
O16 - DPF: ViewTIFF for Java - http://countyrecords.landata.com/JavaViewTIFF/javabin/TIFFView.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37888.4169212963
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview Control) - file://C:\Program Files\AutoCAD LT 2000i\AcPreview.ocx
O16 - DPF: {78AF2F24-A9C3-11D3-BF8C-0060B0FCC122} (AcDcToday Control) - file://C:\Program Files\AutoCAD LT 2000i\AcDcToday.ocx
O16 - DPF: {C6637286-300D-11D4-AE0A-0010830243BD} (NOXLATE) - file://C:\Program Files\AutoCAD LT 2000i\InstFred.ocx
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab

Response Number 51

Name: Joe Luce
Date: December 10, 2003 at 15:46:10 Pacific

Reply:

Abnormal/Tom41,
Forgot to ask about this - as a result of the last "Fix Checked" run, I now have four icons on my screen which read, "Backup-200xx . . . ." I also have a "drpepertobackup" icon from a previous HT scan. Should I leave/delete/move them from my screen?
Thanks!
JL

Response Number 52

Name: Abnormal
Date: December 11, 2003 at 18:34:59 Pacific

Reply:

Hi Joe, glad you came back. All I see is;
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
Unless Tom41 spots something I missed.
Yes you can delete the backup stuff.
So I leave you and others with a
prevention post.
Hijack prevention tips
Take care because we care
Abnormal

Response Number 53

Name: jbdiamond
Date: December 13, 2003 at 05:56:46 Pacific

Reply:

Abnormal/Tom41,
Sorry I took so long to respond but I was away on business. I ran the RBKILLER, which found nothing, rebooted and ran anothe HT log. Thanks in advance for the great service you have provided...
HT LOG:
Logfile of HijackThis v1.97.7
Scan saved at 5:42:08 AM, on 12/13/2003
Platform: Windows 2000 SP2 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINNT\System32\CTsvcCDA.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\MsPMSPSv.exe
C:\WINNT\Explorer.exe
C:\WINNT\System32\devldr32.exe
C:\Program Files\Creative\SBLive2k\Creative Diagnostics 2.0\DIAGENT.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINNT\System32\spool\DRIVERS\W32X86\hpoopm07.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\PROGRA~1\COMMON~1\ADAPTE~1\CreateCD\CREATE~1.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\WINNT\System32\rundll32.exe
C:\Program Files\PestPatrol\PPControl.exe
C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
C:\Program Files\Hewlett-Packard\HP OfficeJet G Series\bin\hpodev07.exe
C:\PROGRA~1\HEWLET~1\HPOFFI~1\bin\hpoevm07.exe
C:\WINNT\System32\hpoipm07.exe
C:\Program Files\Hewlett-Packard\HP OfficeJet G Series\bin\HPOSTS07.exe
C:\Program Files\Hewlett-Packard\HP OfficeJet G Series\bin\HPOFXM07.exe
C:\PROGRA~1\WINZIP\winzip32.exe
C:\Documents and Settings\Jbdiamond\Local Settings\Temp\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http://sas.r2.attbi.com:8000
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = ,
R3 - URLSearchHook: IncrediFindBHO Class - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL__SpybotSDDisabled (file missing)
O2 - BHO: (no name) - {000006B1-19B5-414A-849F-2A3C64AE6939} - (no file)
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_9_0.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {2CF0B992-5EEB-4143-99C0-5297EF71F443} - C:\WINNT\System32\stlbdist.DLL__SpybotSDDisabled (file missing)
O2 - BHO: (no name) - {5074851C-F67A-488E-A9C9-C244573F4068} - C:\WINNT\ieasst.dll__SpybotSDDisabled (file missing)
O2 - BHO: NavErrRedir Class - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL__SpybotSDDisabled (file missing)
O2 - BHO: Clear Search - {947E6D5A-4B9F-4CF4-91B3-562CA8D03313} - C:\Program Files\ClearSearch\IE_ClrSch.DLL__SpybotSDDisabled (file missing)
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {E03864CD-D769-43A7-A1A7-E049995E4BC2} - C:\WINNT\System32\mgfc40u.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_9_0.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Search - {2CF0B992-5EEB-4143-99C0-5297EF71F444} - C:\WINNT\System32\stlbdist.DLL
O3 - Toolbar: PowerSearch - {4E7BD74F-2B8D-469E-D3FA-F27BA787AD2D} - C:\PROGRA~1\POWERS~1\Toolbar\pwrswmda.dll (file missing)
O3 - Toolbar: (no name) - {B8B4058D-4719-419F-AD4F-E2A2125BB86B} - (no file)
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.exe NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [DIAGENT] C:\Program Files\Creative\SBLive2k\Creative Diagnostics 2.0\DIAGENT.exe startup
O4 - HKLM\..\Run: [UpdReg] C:\WINNT\Updreg.exe
O4 - HKLM\..\Run: [AHQInit] C:\Program Files\Creative\SBLive2k\Program\AHQInit.exe
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot
O4 - HKLM\..\Run: [HPAIO_PrintFolderMgr] C:\WINNT\System32\spool\DRIVERS\W32X86\hpoopm07.exe
O4 - HKLM\..\Run: [ServiceConfig] "C:\Program Files\Comcast\MigCfg\Programs\IspMig.exe"
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [CreateCD50] C:\PROGRA~1\COMMON~1\ADAPTE~1\CreateCD\CREATE~1.exe -r
O4 - HKLM\..\Run: [winmain] winmain.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [{2CF0B992-5EEB-4143-99C0-5297EF71F444}] rundll32.exe C:\WINNT\System32\stlbdist.DLL,DllRunMain
O4 - HKLM\..\Run: [RunWindowsUpdate] C:\WINNT\uptodate.exe
O4 - HKLM\..\Run: [PestPatrol Control Center] C:\Program Files\PestPatrol\PPControl.exe
O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
O4 - HKLM\..\Run: [syslog lptt01] "C:\Program Files\syslog\syslog.exe"
O4 - Startup: Camio Viewer 3.2.lnk = C:\Program Files\Sierra Imaging\Image Expert 2000\IXApplet.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: HPAiODevice.lnk = C:\Program Files\Hewlett-Packard\HP OfficeJet G Series\bin\hpodev07.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.exe
O4 - Global Startup: updater.lnk.disabled
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: AOL Instant Messenger (SM) (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {00000EF1-0786-4633-87C6-1AA7A44296DA} - http://www.netpaloffers.net/NetpalOffers/DMO1/zzyzyx.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {13197ACE-6851-45C3-A7FF-C281324D5489} - http://www.2nd-thought.com/files/install.exe
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {30000273-8230-4DD4-BE4F-6889D1E74167} - http://download.abetterinternet.com/download/cabs/FON29106/flash.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinstc.cab
O16 - DPF: {34805D32-AD89-469E-8503-A5666AEE4333} (RdxIE Class) - http://207.188.7.150/22e0848e9434d7c00c00/netzip/RdxIE.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37958.8083217593
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://f1.pg.photos.yahoo.com/ocx/us/yexplorer1_9us.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/aio/eng/check/qdiagh.cab?312
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (Yahoo! Companion) - http://us.dl1.yimg.com/download.yahoo.com/dl/toolbar/yiebio4023.cab
Regards,
JB<>

Response Number 54

Name: Abnormal
Date: December 14, 2003 at 10:56:59 Pacific

Reply:

Hi again JB, some things I feel safe
telling you to delete.
R3 - URLSearchHook: IncrediFindBHO Class - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL__SpybotSDDisabled (file missing)
O2 - BHO: (no name) - {000006B1-19B5-414A-849F-2A3C64AE6939} - (no file)
O2 - BHO: (no name) - {2CF0B992-5EEB-4143-99C0-5297EF71F443} - C:\WINNT\System32\stlbdist.DLL__SpybotSDDisabled (file missing)
O2 - BHO: (no name) - {5074851C-F67A-488E-A9C9-C244573F4068} - C:\WINNT\ieasst.dll__SpybotSDDisabled (file missing)
O2 - BHO: Clear Search - {947E6D5A-4B9F-4CF4-91B3-562CA8D03313} - C:\Program Files\ClearSearch\IE_ClrSch.DLL__SpybotSDDisabled (file missing)
After you remove this line and reboot, run this uninstaller;
http://www.clearsearchinc.com/Internal/uninstall.html
O2 - BHO: (no name) - {E03864CD-D769-43A7-A1A7-E049995E4BC2} - C:\WINNT\System32\mgfc40u.dll (file missing)
O3 - Toolbar: Search - {2CF0B992-5EEB-4143-99C0-5297EF71F444} - C:\WINNT\System32\stlbdist.DLL
O3 - Toolbar: PowerSearch - {4E7BD74F-2B8D-469E-D3FA-F27BA787AD2D} - C:\PROGRA~1\POWERS~1\Toolbar\pwrswmda.dll (file missing)
O3 - Toolbar: (no name) - {B8B4058D-4719-419F-AD4F-E2A2125BB86B} - (no file)
O4 - HKLM\..\Run: [UpdReg] C:\WINNT\Updreg.exe
O4 - HKLM\..\Run: [winmain] winmain.exe
Delete this file after reboot.
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [RunWindowsUpdate] C:\WINNT\uptodate.exe
The rapid blaster entry
O4 - HKLM\..\Run: [syslog lptt01] "C:\Program Files\syslog\syslog.exe"
O4 - Global Startup: updater.lnk.disabled
O16 - DPF: {00000EF1-0786-4633-87C6-1AA7A44296DA} - http://www.netpaloffers.net/NetpalOffers/DMO1/zzyzyx.cab
O16 - DPF: {30000273-8230-4DD4-BE4F-6889D1E74167} - http://download.abetterinternet.com/download/cabs/FON29106/flash.cab
O16 - DPF: {34805D32-AD89-469E-8503-A5666AEE4333} (RdxIE Class) - http://207.188.7.150/22e0848e9434d7c00c00/netzip/RdxIE.cab
Have hijackthis fix above lines
and reboot.
Hope I got it all, and you need to get
your windows critical updates.
Good luck
Abnormal

Sponsored Link

Ads by Google

Strange cookie request......

AVG Update

Post Locked

This post is quite old and has been locked from receiving new replies. Please create a new posting instead.

Go to Security and Virus Forum Home

Sponsored links

Ads by Google

Results for: Spyware/Virus keeps replicating

spyware/adware keeps coming back

Summary

www.computing.net/answers/security/spywareadware-keeps-coming-back/11998.html

spyware? virus? help?

Summary

www.computing.net/answers/security/spyware-virus-help/8820.html

Not sure if spyware, virus or worm

Summary

www.computing.net/answers/security/not-sure-if-spyware-virus-or-worm/11650.html

From the Geek Dictionary
Frames - In the term Frames per Second (FPS), a frame refers to one still image disp...

Ask a Question!

Weekly Poll
What do you think of the new preview of Chrome OS?

Poll Finishes In 6 Days.
Discuss in The Lounge
Poll History

Recent Posts
Using wireless card

Monitor turnoff

disappearing Spider rummy

Links won't open

cut question

All Awaiting Reply

Tom's News
Woman Tracks Down Club Attacker on Facebook

Geolocation Functions Come to Twitter

New Craigslist Trend: Trade Sex for Rent?

Law Firm Investigates MS Over Xbox Live Bans

Amazon Charges $25 for Palm Pixi and $80 for Pre

More Tom's Guide News

Data Recovery

Manufacturer List | About Us | Advertising Info | Contact Us
The information on Computing.Net is the opinions of its users. Such opinions may not be accurate and they are to be used at your own risk. Computing.Net cannot verify the validity of the statements made on this site. Computing.Net and Computing.Net LLC hereby disclaim all responsibility and liability for the content of Computing.Net and its accuracy.
PLEASE READ THE FULL DISCLAIMER AND LEGAL TERMS BY CLICKING HERE