
Hijacked! New exe programs downloa


Name: Nanci
Date: April 25, 2004 at 18:41:03 Pacific
OS: Windows 98SE
CPU/Ram: Not sure
Comment:

A few days ago I went to IE (I usually just go to AOL) and instead of the blank page that was supposed to be there, there was a popup that said my computer may be infected yada yada something about porn yada yada. Every time I clicked on the X to close the box, another one popped up, then the thing downloaded a bunch of stuff to my computer resulting in 6 new icons on my desktop. They are named: (1)0021-bdl94126.exe (2) bs5-nt15v.exe (3)cs4p028.exe (4) o (5) o.bat (6) silent.exe. I searched on google for the first one which led me to this forum, but there was no answer to the question posted earlier so I thought I would give it a shot. I have downloaded Hijack this and have run a scan which I will copy below. I have also downloaded and run Spybot S&D which takes about 3-4 hours to run on my computer. I also downloaded SpywareBlaster a couple of days later. As soon as I downloaded SpywareBlaster, I started getting popups on my computer. If anyone can help me, I would really appreciate it. Also my computer has been running slow for a long time. After I have been on a few hours the time on the computer will be an hour or so behind the real time, but it is the same when I reboot.


Here is the Hijack This log file:

Logfile of HijackThis v1.97.7
Scan saved at 9:03:27 PM, on 4/25/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.exe
C:\WINDOWS\SYSTEM\SPOOL32.exe
C:\WINDOWS\SYSTEM\MPREXE.exe
C:\WINDOWS\SYSTEM\WINMODEM.101\wmexe.exe
C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\AVSYNMGR.exe
C:\PROGRAM FILES\COMMON FILES\AOL\ACS\ACSD.exe
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\VSSTAT.exe
C:\WINDOWS\EXPLORER.exe
C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\VSHWIN32.exe
C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\AVCONSOL.exe
C:\WINDOWS\TASKMON.exe
C:\WINDOWS\SYSTEM\SYSTRAY.exe
C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\ALOGSERV.exe
C:\WINDOWS\SYSTEM\CARPSERV.exe
C:\WINDOWS\SYSTEM\INTERNAT.exe
C:\WINDOWS\SYSTEM\QTTASK.exe
C:\WINDOWS\TEMP\ANHFP02.exe
C:\WINDOWS\SYSTEM\WMIEXE.exe
C:\WINDOWS\SYSTEM\DDHELP.exe
C:\WINDOWS\SYSTEM\FGIY.exe
C:\WINDOWS\SYSTEM\FGIY.exe
C:\PROGRAM FILES\COMMON FILES\MYSOFTWARE\NEWSFLSH.exe
C:\WINDOWS\SYSTEM\SOUNDD.exe
C:\MY DOWNLOAD FILES\HIJACKTHIS.exe

O2 - BHO: (no name) - {EBCDDA60-2A68-11D3-8A43-0060083CFB9C} - C:\WINDOWS\SYSTEM\NZDD.DLL
O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WINDOWS\TWAINTEC.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Alogserv] C:\Program Files\McAfee\McAfee VirusScan\alogserv.exe
O4 - HKLM\..\Run: [Mount Safe & Sound] C:\PROGRAM FILES\MCAFEE\MCAFEE SHARED COMPONENTS\SAFE & SOUND\FBMOUNT.exe
O4 - HKLM\..\Run: [REWARDS NETWORK] C:\Program Files\Rewards Network\brntray.exe
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [internat.exe] internat.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.exe" -atboottime
O4 - HKLM\..\Run: [Anhfp02] C:\WINDOWS\TEMP\ANHFP02.exe
O4 - HKLM\..\Run: [4GCEQYJ44SEQ6W] C:\WINDOWS\SYSTEM\Sfze5lMu.exe
O4 - HKLM\..\Run: [SOUNDD] C:\WINDOWS\SYSTEM\SOUNDD.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [winmodem] WINMODEM.101\wmexe.exe
O4 - HKLM\..\RunServices: [McAfeeVirusScanService] C:\Program Files\McAfee\McAfee VirusScan\AVSYNMGR.exe
O4 - HKLM\..\RunServices: [AolAcsDaemon1] "C:\PROGRAM FILES\COMMON FILES\AOL\ACS\ACSD.exe"
O4 - Startup: MySoftware NewsFlash.lnk = C:\Program Files\Common Files\MySoftware\NewsFlsh.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: Real.com (HKLM)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {F2CA2115-C8D2-11D1-BEBD-00A0C95A6A5C} (WebReportSource Class) - http://scrisapidemo.seagatesoftware.com/viewer/activeXViewer/activexviewer.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2002082001/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {4C226336-4032-489F-9674-67E74225979B} (OTXMovie Class) - http://otx.ifilm.com/OTXMedia/OTXMedia.dll
O16 - DPF: {819F123A-B24A-4EB8-BED1-B5DFC5CB5194} (ComponentOne VSPrinter 8.0) - http://www.a-closer-look.com/vsprint8.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = aoldsl.net

Thanks!
Nanci





Response Number 1
Name: Bobthearch
Date: April 25, 2004 at 20:22:04 Pacific
Reply:

If your computer is crammed with Spyware and perhaps viruses, that would explain why it's running so slow. Have you tried all of the suggestions already made on this forum - spyware removal? Hijack removers? Is your anti-virus up-to-date?

You are using a firewall, right?

-Bob


0

Response Number 2
Name: starman1746
Date: April 25, 2004 at 20:32:51 Pacific
Reply:

In the future, Nanci, don't click on those ads. Use the Task Manager to shut them down.


0

Response Number 3
Name: starman1746
Date: April 25, 2004 at 20:34:23 Pacific
Reply:

Oops! Sorry, thought I was in the XP forums.


0

Response Number 4
Name: Dan Penny
Date: April 26, 2004 at 02:04:46 Pacific
Reply:

Download, install, update, and run;

Ad-Aware
CWShredder

Sorry I don't have the links handy but a (Google) search will turn them up.


0

Response Number 5
Name: Tiffany Too
Date: April 26, 2004 at 05:41:51 Pacific
Reply:

Download AVG6 (free) from www.grisoft.com. Since you can't properly install it, you may be able to extract and run the DOS program AVG.exe.

If installed normally, it would reside here:
C:\PROGRA~1\GRISOFT\AVG6\AVG.exe
but I'd guess you can run it anywhere.


0




Response Number 6
Name: mesich
Date: April 26, 2004 at 06:41:24 Pacific
Reply:

Hello everyone,

Nanci,

Go to Add/Remove Programs in the Control Panel and remove TwainTech.

Remove these items using hijackthis.

O4 - HKLM\..\Run: [Anhfp02] C:\WINDOWS\TEMP\ANHFP02.exe

O4 - HKLM\..\Run: [4GCEQYJ44SEQ6W] C:\WINDOWS\SYSTEM\Sfze5lMu.exe

Delete the 6 desktop items.

Restart the computer.

Best Regards,
Mesich


0

Response Number 7
Name: Nanci
Date: April 26, 2004 at 23:03:55 Pacific
Reply:

Thanks everyone for your responses!

Bob and Dan, after visiting this forum for the first time when this problem first arose, I downloaded CWShredder, Hijack This! and Spybot S&D. I already had Ad Aware installed. Everything was updated and run. Spybot found a couple of problems. I used Hijack This to fix a couple of things that another poster was told to fix. I later added SpywareBlaster after which the popups started.

Tiffany Too, I am not familiar with AVG6. I will check it out tomorrow when I am more awake!

Mesich, I went to Add/Remove and Twain Tech is not a choice on the list of programs. When I went to delete the programs on the desktop I received a warning that if I delete it I may not be able to edit some documents. Should I proceed with deleting them?

I have also noticed I have a new program, Newsflash, in my start menu. And when I do ctrl alt del I see "Zriir" which I do not remember seeing before. Any reason to keep either one of these? If no, how do I get rid of them?

I did fix the two items listed using Hijack This. I noticed that when I deleted O4 - HKLM\..\Run: [4GCEQYJ44SEQ6W] C:\WINDOWS\SYSTEM\Sfze5lMu.exe a new program popped up on the log when I re-scanned. It is O4 - HKLM\..\Run: [4GCEQYJ44SEQ6W] C:\WINDOWS\SYSTEM\BpaEG.exe. Since it looked the same as the one just deleted, I fixed it and then the first one reappeared on the next scan.

Here is the new Hijack This log:

Logfile of HijackThis v1.97.7
Scan saved at 1:55:29 AM, on 4/27/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.exe
C:\WINDOWS\SYSTEM\SPOOL32.exe
C:\WINDOWS\SYSTEM\MPREXE.exe
C:\WINDOWS\SYSTEM\WINMODEM.101\wmexe.exe
C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\AVSYNMGR.exe
C:\PROGRAM FILES\COMMON FILES\AOL\ACS\ACSD.exe
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\VSSTAT.exe
C:\WINDOWS\EXPLORER.exe
C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\VSHWIN32.exe
C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\AVCONSOL.exe
C:\WINDOWS\TASKMON.exe
C:\WINDOWS\SYSTEM\SYSTRAY.exe
C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\ALOGSERV.exe
C:\WINDOWS\SYSTEM\CARPSERV.exe
C:\WINDOWS\SYSTEM\INTERNAT.exe
C:\WINDOWS\SYSTEM\QTTASK.exe
C:\WINDOWS\TEMP\ANHFP02.exe
C:\PROGRAM FILES\COMMON FILES\MYSOFTWARE\NEWSFLSH.exe
C:\WINDOWS\SYSTEM\WMIEXE.exe
C:\WINDOWS\SYSTEM\DDHELP.exe
C:\WINDOWS\SYSTEM\ZRIIR.exe
C:\WINDOWS\SYSTEM\ZRIIR.exe
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.exe
C:\MY DOWNLOAD FILES\HIJACKTHIS.exe

O2 - BHO: (no name) - {EBCDDA60-2A68-11D3-8A43-0060083CFB9C} - C:\WINDOWS\SYSTEM\NZDD.DLL
O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WINDOWS\TWAINTEC.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Alogserv] C:\Program Files\McAfee\McAfee VirusScan\alogserv.exe
O4 - HKLM\..\Run: [Mount Safe & Sound] C:\PROGRAM FILES\MCAFEE\MCAFEE SHARED COMPONENTS\SAFE & SOUND\FBMOUNT.exe
O4 - HKLM\..\Run: [REWARDS NETWORK] C:\Program Files\Rewards Network\brntray.exe
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [internat.exe] internat.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.exe" -atboottime
O4 - HKLM\..\Run: [SOUNDD] C:\WINDOWS\SYSTEM\SOUNDD.exe
O4 - HKLM\..\Run: [4GCEQYJ44SEQ6W] C:\WINDOWS\SYSTEM\Sfze5lMu.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [winmodem] WINMODEM.101\wmexe.exe
O4 - HKLM\..\RunServices: [McAfeeVirusScanService] C:\Program Files\McAfee\McAfee VirusScan\AVSYNMGR.exe
O4 - HKLM\..\RunServices: [AolAcsDaemon1] "C:\PROGRAM FILES\COMMON FILES\AOL\ACS\ACSD.exe"
O4 - Startup: MySoftware NewsFlash.lnk = C:\Program Files\Common Files\MySoftware\NewsFlsh.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: Real.com (HKLM)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {F2CA2115-C8D2-11D1-BEBD-00A0C95A6A5C} (WebReportSource Class) - http://scrisapidemo.seagatesoftware.com/viewer/activeXViewer/activexviewer.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2002082001/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {4C226336-4032-489F-9674-67E74225979B} (OTXMovie Class) - http://otx.ifilm.com/OTXMedia/OTXMedia.dll
O16 - DPF: {819F123A-B24A-4EB8-BED1-B5DFC5CB5194} (ComponentOne VSPrinter 8.0) - http://www.a-closer-look.com/vsprint8.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = aoldsl.net

Thanks so much everyone!
Nanci


0

Response Number 8
Name: Abnormal
Date: April 27, 2004 at 02:44:54 Pacific
Reply:

Hi Nanci,
you have the peper trojan, run this
uninstaller.

http://home.iprimus.com.au/mbuchan/peperuninst.exe

Double click on 'uninst.exe', let it run and terminate.
You must be online for it to work.

Put a check next to these, click "fix checked" and reboot.


O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WINDOWS\TWAINTEC.DLL
O4 - HKLM\..\Run: [SOUNDD] C:\WINDOWS\SYSTEM\SOUNDD.exe
O4 - HKLM\..\Run: [4GCEQYJ44SEQ6W] C:\WINDOWS\SYSTEM\Sfze5lMu.exe

Delete SOUNDD.exe

Good luck


0

Response Number 9
Name: mesich
Date: April 27, 2004 at 03:22:41 Pacific
Reply:

Hello everyone,

Nanci,

Remove these items using hijackthis.

O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WINDOWS\TWAINTEC.DLL

O4 - HKLM\..\Run: [REWARDS NETWORK] C:\Program Files\Rewards Network\brntray.exe

O4 - HKLM\..\Run: [4GCEQYJ44SEQ6W] C:\WINDOWS\SYSTEM\Sfze5lMu.exe

O4 - Startup: MySoftware NewsFlash.lnk = C:\Program Files\Common Files\MySoftware\NewsFlsh.exe

O16 - DPF: {F2CA2115-C8D2-11D1-BEBD-00A0C95A6A5C} (WebReportSource Class) - http://scrisapidemo.seagatesoftware.com/viewer/activeXViewer/activexviewer.cab

The first item above is why I wanted you to check Add/Remove Programs for Twain Tech. It appears that the program was removed by Ad-Aware or Spybot but the BHO entry above was just left behind.

The second entry [Rewards Network], I am not sure exactly what it is; however, I am certain it doesn't need to load at StartUp.

The third item that keeps coming back after removal, with a different set of random characters or the above is very odd. Remove it and then we need to find where it is loading from. It's not loading from the registry so we shall look elsewhere.

The fourth item is loading the Newsflash program you mentioned. Delete it using hijack this so it doesn't load at StartUp and we will remove it completely later.

The last item I'm not sure of. The url is not valid and the ActiveX Object is most likely not needed. If at some point you need the ActiveX Object, it will install next time you need it.

Delete these files also before restarting the computer if they exist.

C:\WINDOWS\TWAINTEC.DLL

C:\WINDOWS\SYSTEM\Sfze5lMu.exe

C:\WINDOWS\SYSTEM\BpaEG.exe

Take the 6 files that were downloaded and place them into the Recycle Bin. Don't empty the Recycle Bin just yet.

Restart the computer and run Hijackthis again.

Did the Startup Items, either,
O4 - HKLM\..\Run: [4GCEQYJ44SEQ6W] C:\WINDOWS\SYSTEM\Sfze5lMu.exe or
O4 - HKLM\..\Run: [4GCEQYJ44SEQ6W] C:\WINDOWS\SYSTEM\BpaEG.exe come back?

Send me the o.bat file that was placed on the desktop. You may have to rename it to something like o.old as my provider does not allow .bat files as an attachment.

Best Regards,
Mesich


0
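Added example, not part of any post in this thread: a small Python triage script that compares the O4 (autorun) lines of two HijackThis logs and flags the two patterns discussed above, an autorun target under a TEMP directory and a Run value that keeps its name but points at a different file after a fix. The function names and finding labels are assumptions of this example; the sample lines are constructed from entries quoted in the thread.

```python
import re

# Registry O4 line as HijackThis v1.97.7 prints it: O4 - HKLM\..\Run: [Name] command
O4_RE = re.compile(r"^O4 - (HK\w+)\\\.\.\\(\w+): \[(.+?)\] (.+)$")

# Constructed samples: O4 lines quoted in this thread, before and after the fix.
SCAN_1 = r"""O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.exe" -atboottime
O4 - HKLM\..\Run: [Anhfp02] C:\WINDOWS\TEMP\ANHFP02.exe
O4 - HKLM\..\Run: [4GCEQYJ44SEQ6W] C:\WINDOWS\SYSTEM\Sfze5lMu.exe"""
SCAN_2 = r"""O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.exe" -atboottime
O4 - HKLM\..\Run: [4GCEQYJ44SEQ6W] C:\WINDOWS\SYSTEM\BpaEG.exe"""

def parse_o4(log_text):
    """Map (hive, key, value name) -> command for every registry O4 line."""
    entries = {}
    for line in log_text.splitlines():
        m = O4_RE.match(line.strip())
        if m:
            hive, key, name, cmd = m.groups()
            entries[(hive, key, name)] = cmd.strip()
    return entries

def target_path(cmd):
    """Executable part of an autorun command, upper-cased, quotes stripped."""
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0].upper()
    m = re.match(r"(.+?\.exe)\b", cmd, re.IGNORECASE)
    return (m.group(1) if m else cmd).upper()

def compare_scans(before, after):
    """Findings for the later scan, using the earlier one as the baseline."""
    old, new = parse_o4(before), parse_o4(after)
    findings = []
    for key, cmd in sorted(new.items()):
        path = target_path(cmd)
        if "\\TEMP\\" in path:
            # Autorun target lives in a temp directory.
            findings.append(("runs-from-temp", key[2], path))
        if key in old and target_path(old[key]) != path:
            # Same value name survived the fix but now points at another file.
            findings.append(("retargeted", key[2], path))
    return findings

if __name__ == "__main__":
    for finding in compare_scans("", SCAN_1) + compare_scans(SCAN_1, SCAN_2):
        print(finding)
```

A "retargeted" finding means the value was written again between scans, so the files it has pointed to and the processes still running at scan time are the places to look next.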

Response Number 10
Name: Abnormal
Date: April 27, 2004 at 16:52:12 Pacific
Reply:

Nanci, you can ignore this for now, unless
you know what it is, I only can find
3 others that have it.

O4 - HKLM\..\Run: [SOUNDD] C:\WINDOWS\SYSTEM\SOUNDD.exe

This is to confirm that I did not give
you something bad to download, for your peper trojan removal.

http://www.mjc1.com/files/peperpage/


0

Response Number 11
Name: Nanci
Date: April 28, 2004 at 22:38:53 Pacific
Reply:

<<O4 - HKLM\..\Run: [4GCEQYJ44SEQ6W] C:\WINDOWS\SYSTEM\BpaEG.exe come back?

It is still there...

I am currently trying to run the peper trojan uninstaller...

So far my computer seems to be working faster. Thanks everyone!! I will report back probably tomorrow after I run the peper trojan uninstall.

Thanks!
Nanci


0

Response Number 12
Name: Nanci
Date: May 2, 2004 at 19:48:03 Pacific
Reply:

THANK YOU, THANK YOU, THANK YOU, one and all!!! Yes, I am shouting!! Tiffany Too, thanks for the referral to the AVG6 download site. It found 10 viruses and cleaned them up. My computer has not run this fast in so long I can't even remember when it was! I was actually going to buy a new computer because I thought the processor was the problem. (That's what the guy who installed the cable modem told me.)

I cannot tell you all how grateful I am.

Take care,
Nanci


0

Response Number 13
Name: Dan Penny
Date: May 3, 2004 at 01:08:41 Pacific
Reply:

Great news. Shout it from the rooftops. ;>)


0
