#1
I have downloaded and run Adaware. Many shortcuts keep coming up after rebooting that I have no clue about.
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\BCMDMMSG.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\PROGRAM FILES\ADAPTEC\GOBACK\GBPOLL.EXE
C:\PROGRAM FILES\GRISOFT\AVG6\AVGSERV9.EXE
C:\WINDOWS\SYSTEM\DEVLDR16.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\ADAPTEC\DIRECTCD\DIRECTCD.EXE
C:\PROGRAM FILES\CREATIVE\SBLIVE\AUDIOHQ\AHQTB.EXE
C:\PROGRAM FILES\CANON CREATIVE\TEXTBRIDGE\BIN\INSTANTACCESS.EXE
C:\WINDOWS\SYSTEM\HPZTSB04.EXE
C:\PROGRAM FILES\GRISOFT\AVG6\AVGCC32.EXE
C:\PROGRAM FILES\EXCITE\PLATFORM\EXSHELL.EXE
C:\PROGRAM FILES\ADAPTEC\EASY CD CREATOR 4\CREATECD\CREATECD.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\HW0NWMAB.EXE
C:\PROGRAM FILES\INTUIT\QUICKBOOKS PRO\COMPONENTS\QBAGENT\QBDAGENT2001.EXE
C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\WORKS SHARED\WKCALREM.EXE
C:\PROGRAM FILES\COMMON FILES\INTUIT\QUICKBOOKS\QBUPDATE\QBUPDATE.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\PROFILES\NANCY\MY DOCUMENTS\COPY OF HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = http://www.jethomepage.com/ie/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/comcast.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://searchbar.linksummary.com/
R3 - Default URLSearchHook is missing
O1 - Hosts: 66.40.16.218 auto.search.msn.com
O2 - BHO: IE Agent - {00000000-0000-0000-0000-000000000221} - C:\PROGRA~1\LYCOS\IEAGENT\CSIE.DLL
O2 - BHO: (no name) - {B549456D-F5D0-4641-BCED-8648A0C13D83} - C:\WINDOWS\BrowserHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [OEMRUNONCE] c:\windows\options\cabs\oemrun.exe
O4 - HKLM\..\Run: [BCMDMMSG] BCMDMMSG.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Adaptec DirectCD] C:\PROGRA~1\ADAPTEC\DIRECTCD\DIRECTCD.EXE
O4 - HKLM\..\Run: [AudioHQ] C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
O4 - HKLM\..\Run: [Speed racer] C:\Program Files\Creative\PlayCenter\CTSRReg.exe
O4 - HKLM\..\Run: [InkWatch] C:\PROGRA~1\GATEWAY\GATEWA~2\INKWATCH.EXE
O4 - HKLM\..\Run: [InstantAccess] C:\PROGRA~1\CANONC~1\TEXTBR~1\BIN\INSTAN~1.EXE /h
O4 - HKLM\..\Run: [RegisterDropHandler] C:\PROGRA~1\CANONC~1\TEXTBR~1\BIN\REGIST~1.EXE
O4 - HKLM\..\Run: [Excite Platform] C:\PROGRA~1\EXCITE\PLATFORM\ExLaunch.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\SYSTEM\hpztsb04.exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\GRISOFT\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [SHTCPW] C:\WINDOWS\SYSTEM\SHTCPW.exe
O4 - HKLM\..\Run: [devldr16.exe] C:\WINDOWS\SYSTEM\devldr16.exe
O4 - HKLM\..\Run: [CreateCD] C:\PROGRA~1\ADAPTEC\EASYCD~1\CREATECD\CREATECD.EXE -r
O4 - HKLM\..\Run: [HW0NWMAB.EXE] C:\WINDOWS\HW0NWMAB.EXE /dk
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [GoBack Polling Service] C:\Program Files\Adaptec\GoBack\GBPoll.exe
O4 - HKLM\..\RunServices: [RegisterDropHandler] C:\PROGRA~1\CANONC~1\TEXTBR~1\BIN\REGIST~1.EXE
O4 - HKLM\..\RunServices: [Avgserv9.exe] C:\PROGRA~1\GRISOFT\AVG6\Avgserv9.exe
O4 - HKCU\..\Run: [HW0NWMAB.EXE] C:\WINDOWS\HW0NWMAB.EXE /dk
O4 - Startup: QuickBooks 2001 Delivery Agent.lnk = C:\Program Files\Intuit\QuickBooks Pro\Components\QBAgent\qbdagent2001.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
O4 - Startup: Update Grokster.lnk = C:\Program Files\Grokster\WiseUpdt.exe
O4 - Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Startup: WGLY565W.lnk = C:\WINDOWS\wgly565w.exe
O4 - Startup: E4EYZGWA.lnk = C:\WINDOWS\e4eyzgwa.exe
O4 - Startup: O0X08230.lnk = C:\WINDOWS\o0x08230.exe
O4 - Startup: RDI7EVH1.lnk = C:\WINDOWS\rdi7evh1.exe
O4 - Startup: 4B0QLBG8.lnk = C:\WINDOWS\4b0qlbg8.exe
O4 - Startup: HW0NWMAB.lnk = C:\WINDOWS\hw0nwmab.exe
O4 - User Startup: QuickBooks 2001 Delivery Agent.lnk = C:\Program Files\Intuit\QuickBooks Pro\Components\QBAgent\qbdagent2001.exe
O4 - User Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - User Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
O4 - User Startup: Update Grokster.lnk = C:\Program Files\Grokster\WiseUpdt.exe
O4 - User Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - User Startup: WGLY565W.lnk = C:\WINDOWS\wgly565w.exe
O4 - User Startup: E4EYZGWA.lnk = C:\WINDOWS\e4eyzgwa.exe
O4 - User Startup: O0X08230.lnk = C:\WINDOWS\o0x08230.exe
O4 - User Startup: RDI7EVH1.lnk = C:\WINDOWS\rdi7evh1.exe
O4 - User Startup: 4B0QLBG8.lnk = C:\WINDOWS\4b0qlbg8.exe
O4 - User Startup: HW0NWMAB.lnk = C:\WINDOWS\hw0nwmab.exe
O4 - Global Startup: MORZE5.lnk = C:\WINDOWS\morze5.exe
O4 - Global Startup: EO088O1F.lnk = C:\WINDOWS\eo088o1f.exe
O4 - Global Startup: 03MN0EJ7.lnk = C:\WINDOWS\03mn0ej7.exe
O4 - Global Startup: FVT2K85N.lnk = C:\WINDOWS\fvt2k85n.exe
O4 - Global Startup: ITHL3U07.lnk = C:\WINDOWS\ithl3u07.exe
O4 - Global Startup: 12RLNQPK.lnk = C:\WINDOWS\12rlnqpk.exe
O4 - Global Startup: CP853FBF.lnk = C:\WINDOWS\cp853fbf.exe
O4 - Global Startup: QYFWK9PX.lnk = C:\WINDOWS\qyfwk9px.exe
O4 - Global Startup: 6CX7TL4A.lnk = C:\WINDOWS\6cx7tl4a.exe
O4 - Global Startup: EFGW9C09.lnk = C:\WINDOWS\efgw9c09.exe
O4 - Global Startup: YOOLI06X.lnk = C:\WINDOWS\yooli06x.exe
O4 - Global Startup: X4DW8XIZ.lnk = C:\WINDOWS\x4dw8xiz.exe
O4 - Global Startup: ZQ3Z21FV.lnk = C:\WINDOWS\zq3z21fv.exe
O4 - Global Startup: ZOLLMB8H.lnk = C:\WINDOWS\zollmb8h.exe
O4 - Global Startup: 4B0QLBG8.lnk = C:\WINDOWS\4b0qlbg8.exe
O4 - Global Startup: MORZE1.lnk = C:\WINDOWS\morze1.exe
O4 - Global Startup: 5JJT3G5Y.lnk = C:\WINDOWS\5jjt3g5y.exe
O4 - Global Startup: AGQ6XIAL.lnk = C:\WINDOWS\agq6xial.exe
O4 - Global Startup: 9UJXGW9Q.lnk = C:\WINDOWS\9ujxgw9q.exe
O4 - Global Startup: T5VWDULY.lnk = C:\WINDOWS\t5vwduly.exe
O4 - Global Startup: 0HLITKHC.lnk = C:\WINDOWS\0hlitkhc.exe
O4 - Global Startup: 4IMI3UZB.lnk = C:\WINDOWS\4imi3uzb.exe
O4 - Global Startup: O5BMOKLK.lnk = C:\WINDOWS\o5bmoklk.exe
O4 - Global Startup: FYD18FY0.lnk = C:\WINDOWS\fyd18fy0.exe
O4 - Global Startup: WGLY565W.lnk = C:\WINDOWS\wgly565w.exe
O4 - Global Startup: E4EYZGWA.lnk = C:\WINDOWS\e4eyzgwa.exe
O4 - Global Startup: O0X08230.lnk = C:\WINDOWS\o0x08230.exe
O4 - Global Startup: RDI7EVH1.lnk = C:\WINDOWS\rdi7evh1.exe
O4 - Global Startup: HW0NWMAB.lnk = C:\WINDOWS\hw0nwmab.exe
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: MSN Messenger Service (HKLM)
O9 - Extra button: Encarta Encyclopedia (HKLM)
O9 - Extra 'Tools' menuitem: Encarta Encyclopedia (HKLM)
O9 - Extra button: Define (HKLM)
O9 - Extra 'Tools' menuitem: Define (HKLM)
O9 - Extra button: Real.com (HKLM)
O12 - Plugin for .mov: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .mid: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .wav: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O16 - DPF: {1FA643B0-F90E-11D3-BA0B-00C04F384A92} (HomeTsrCtrl Class) - http://image.excite.com/sputnik/dynacat_upload/HOME/ATHMWWW/locationchange.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v43/yacscom.cab
O16 - DPF: {DF6A0F17-0B1E-11D4-829D-00C04F6843FE} (Microsoft Office Tools on the Web Control) - http://officeupdate.microsoft.com/TemplateGallery/downloads/outc.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004033001/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?38012.659525463

disabled smilies - Pieter
#2
Download this file (Adtomi Cleanup.zip):
http://www.wilderssecurity.com/attachments/9x_Adtomi_Cleanup.zip for 98 or ME, or alternatively from http://www.thespykiller.co.uk/downloads.htm
It was created by Mosaic1 and is available here with her kind permission.

And follow the instructions carefully.

First, if you have a Script Blocking Program enabled, disable it so the scripts will run.

Unzip it to C:\Windows

See if there is an Adtomi or yahoo stocks icon in your system tray (it might be a red ??), and if so, right click and select remove. You must be online for this part. A web page from Adtomi would appear: "-uninstall was succesful!" Then go offline. (Note: not all infections have this icon, so if it isn't there then don't worry, just continue to the next step.)

Next, press Ctrl+Alt+Del once to bring up Task Manager and look in Applications for the funny named file with 8 assorted letters & numbers, which will be listed towards the bottom of the running process list in your HijackThis log. If it isn't listed in the applications, then look in the Processes tab.

In your case the file/process to stop is: HW0NWMAB.EXE

Then press End Task or End Process and make sure that entry has disappeared from the list. If you can't stop it running, then DO NOT CONTINUE; please ask for more help first.

There might also be morze1 running; if so, end that process as well.

Now locate and double click Cleanup.bat, which is in the folder you unzipped (C:\Windows\Adtomi Cleanup).

***Do not touch the VBS files. The bat file will run the scripts.

Make sure all browser and folder windows are closed, and it will do everything automatically for you. It will:
Remove the Adtomi Spyware files from the Windows Folder
Clean the Startup Folders
Create Backups of the Adtomi exe files it deletes and save them in this folder
Create a list of all oddly named files deleted from the Windows Folder
Uninstall the BHO
Start HijackThis and give you directions on what to remove.

When you have finished, please restart the computer.

Run HijackThis again and post the contents of your new log and the contents of Adtomi.txt in your next reply in your Forum Topic. There will be other things to clear after we fix this one.
__________________
Derek Microsoft MVP/Windows - Security | Thespykiller | Security & Privacy | Hedgehog Rescue |
#3
I have not been able to locate the file: HWONWMAB.EXE
So, I haven't been able to remove it. Is there somewhere else to look? Just so you know, I am a complete computer idiot. Help!!
#4
Please post a new HijackThis log in case the file has changed its name.
__________________
Derek Microsoft MVP/Windows - Security | Thespykiller | Security & Privacy | Hedgehog Rescue |
#5
Here is the new Hijack This Log. Thanks.
Logfile of HijackThis v1.97.7
Scan saved at 7:50:44 AM, on 4/7/2004
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\BCMDMMSG.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\PROGRAM FILES\ADAPTEC\GOBACK\GBPOLL.EXE
C:\PROGRAM FILES\GRISOFT\AVG6\AVGSERV9.EXE
C:\WINDOWS\SYSTEM\DEVLDR16.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\ADAPTEC\DIRECTCD\DIRECTCD.EXE
C:\PROGRAM FILES\CREATIVE\SBLIVE\AUDIOHQ\AHQTB.EXE
C:\PROGRAM FILES\CANON CREATIVE\TEXTBRIDGE\BIN\INSTANTACCESS.EXE
C:\PROGRAM FILES\GRISOFT\AVG6\AVGCC32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\EXCITE\PLATFORM\EXSHELL.EXE
C:\PROGRAM FILES\ADAPTEC\EASY CD CREATOR 4\CREATECD\CREATECD.EXE
C:\PROGRAM FILES\INTUIT\QUICKBOOKS PRO\COMPONENTS\QBAGENT\QBDAGENT2001.EXE
C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\WORKS SHARED\WKCALREM.EXE
C:\PROGRAM FILES\COMMON FILES\INTUIT\QUICKBOOKS\QBUPDATE\QBUPDATE.EXE
C:\WINDOWS\SYSTEM\HPZSTATX.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\WBEM\WINMGMT.EXE
C:\WINDOWS\SYSTEM\LIPCIMPA.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\TEMP\TD_0010.DIR\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = http://www.jethomepage.com/ie/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/comcast.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://searchbar.linksummary.com/
R3 - Default URLSearchHook is missing
O1 - Hosts: 66.40.16.218 auto.search.msn.com
O2 - BHO: IE Agent - {00000000-0000-0000-0000-000000000221} - C:\PROGRA~1\LYCOS\IEAGENT\CSIE.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [OEMRUNONCE] c:\windows\options\cabs\oemrun.exe
O4 - HKLM\..\Run: [BCMDMMSG] BCMDMMSG.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Adaptec DirectCD] C:\PROGRA~1\ADAPTEC\DIRECTCD\DIRECTCD.EXE
O4 - HKLM\..\Run: [AudioHQ] C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
O4 - HKLM\..\Run: [Speed racer] C:\Program Files\Creative\PlayCenter\CTSRReg.exe
O4 - HKLM\..\Run: [InkWatch] C:\PROGRA~1\GATEWAY\GATEWA~2\INKWATCH.EXE
O4 - HKLM\..\Run: [InstantAccess] C:\PROGRA~1\CANONC~1\TEXTBR~1\BIN\INSTAN~1.EXE /h
O4 - HKLM\..\Run: [RegisterDropHandler] C:\PROGRA~1\CANONC~1\TEXTBR~1\BIN\REGIST~1.EXE
O4 - HKLM\..\Run: [Excite Platform] C:\PROGRA~1\EXCITE\PLATFORM\ExLaunch.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\SYSTEM\hpztsb04.exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\GRISOFT\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [devldr16.exe] C:\WINDOWS\SYSTEM\devldr16.exe
O4 - HKLM\..\Run: [FD3Q0EJ4.EXE] C:\WINDOWS\FD3Q0EJ4.EXE /dk
O4 - HKLM\..\Run: [CreateCD] C:\PROGRA~1\ADAPTEC\EASYCD~1\CREATECD\CREATECD.EXE -r
O4 - HKLM\..\Run: [LIPCIMPA] C:\WINDOWS\SYSTEM\LIPCIMPA.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [GoBack Polling Service] C:\Program Files\Adaptec\GoBack\GBPoll.exe
O4 - HKLM\..\RunServices: [RegisterDropHandler] C:\PROGRA~1\CANONC~1\TEXTBR~1\BIN\REGIST~1.EXE
O4 - HKLM\..\RunServices: [Avgserv9.exe] C:\PROGRA~1\GRISOFT\AVG6\Avgserv9.exe
O4 - HKCU\..\Run: [FD3Q0EJ4.EXE] C:\WINDOWS\FD3Q0EJ4.EXE /dk
O4 - Startup: QuickBooks 2001 Delivery Agent.lnk = C:\Program Files\Intuit\QuickBooks Pro\Components\QBAgent\qbdagent2001.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
O4 - Startup: Update Grokster.lnk = C:\Program Files\Grokster\WiseUpdt.exe
O4 - Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Startup: WGLY565W.lnk = C:\WINDOWS\wgly565w.exe
O4 - Startup: E4EYZGWA.lnk = C:\WINDOWS\e4eyzgwa.exe
O4 - Startup: O0X08230.lnk = C:\WINDOWS\o0x08230.exe
O4 - Startup: RDI7EVH1.lnk = C:\WINDOWS\rdi7evh1.exe
O4 - Startup: 4B0QLBG8.lnk = C:\WINDOWS\4b0qlbg8.exe
O4 - Startup: HW0NWMAB.lnk = C:\WINDOWS\hw0nwmab.exe
O4 - Startup: FD3Q0EJ4.lnk = C:\WINDOWS\fd3q0ej4.exe
O4 - User Startup: QuickBooks 2001 Delivery Agent.lnk = C:\Program Files\Intuit\QuickBooks Pro\Components\QBAgent\qbdagent2001.exe
O4 - User Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - User Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
O4 - User Startup: Update Grokster.lnk = C:\Program Files\Grokster\WiseUpdt.exe
O4 - User Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - User Startup: WGLY565W.lnk = C:\WINDOWS\wgly565w.exe
O4 - User Startup: E4EYZGWA.lnk = C:\WINDOWS\e4eyzgwa.exe
O4 - User Startup: O0X08230.lnk = C:\WINDOWS\o0x08230.exe
O4 - User Startup: RDI7EVH1.lnk = C:\WINDOWS\rdi7evh1.exe
O4 - User Startup: 4B0QLBG8.lnk = C:\WINDOWS\4b0qlbg8.exe
O4 - User Startup: HW0NWMAB.lnk = C:\WINDOWS\hw0nwmab.exe
O4 - User Startup: FD3Q0EJ4.lnk = C:\WINDOWS\fd3q0ej4.exe
O4 - Global Startup: MORZE5.lnk = C:\WINDOWS\morze5.exe
O4 - Global Startup: EO088O1F.lnk = C:\WINDOWS\eo088o1f.exe
O4 - Global Startup: 03MN0EJ7.lnk = C:\WINDOWS\03mn0ej7.exe
O4 - Global Startup: FVT2K85N.lnk = C:\WINDOWS\fvt2k85n.exe
O4 - Global Startup: ITHL3U07.lnk = C:\WINDOWS\ithl3u07.exe
O4 - Global Startup: 12RLNQPK.lnk = C:\WINDOWS\12rlnqpk.exe
O4 - Global Startup: CP853FBF.lnk = C:\WINDOWS\cp853fbf.exe
O4 - Global Startup: QYFWK9PX.lnk = C:\WINDOWS\qyfwk9px.exe
O4 - Global Startup: 6CX7TL4A.lnk = C:\WINDOWS\6cx7tl4a.exe
O4 - Global Startup: EFGW9C09.lnk = C:\WINDOWS\efgw9c09.exe
O4 - Global Startup: YOOLI06X.lnk = C:\WINDOWS\yooli06x.exe
O4 - Global Startup: X4DW8XIZ.lnk = C:\WINDOWS\x4dw8xiz.exe
O4 - Global Startup: ZQ3Z21FV.lnk = C:\WINDOWS\zq3z21fv.exe
O4 - Global Startup: ZOLLMB8H.lnk = C:\WINDOWS\zollmb8h.exe
O4 - Global Startup: 4B0QLBG8.lnk = C:\WINDOWS\4b0qlbg8.exe
O4 - Global Startup: MORZE1.lnk = C:\WINDOWS\morze1.exe
O4 - Global Startup: 5JJT3G5Y.lnk = C:\WINDOWS\5jjt3g5y.exe
O4 - Global Startup: AGQ6XIAL.lnk = C:\WINDOWS\agq6xial.exe
O4 - Global Startup: 9UJXGW9Q.lnk = C:\WINDOWS\9ujxgw9q.exe
O4 - Global Startup: T5VWDULY.lnk = C:\WINDOWS\t5vwduly.exe
O4 - Global Startup: 0HLITKHC.lnk = C:\WINDOWS\0hlitkhc.exe
O4 - Global Startup: 4IMI3UZB.lnk = C:\WINDOWS\4imi3uzb.exe
O4 - Global Startup: O5BMOKLK.lnk = C:\WINDOWS\o5bmoklk.exe
O4 - Global Startup: FYD18FY0.lnk = C:\WINDOWS\fyd18fy0.exe
O4 - Global Startup: WGLY565W.lnk = C:\WINDOWS\wgly565w.exe
O4 - Global Startup: E4EYZGWA.lnk = C:\WINDOWS\e4eyzgwa.exe
O4 - Global Startup: O0X08230.lnk = C:\WINDOWS\o0x08230.exe
O4 - Global Startup: RDI7EVH1.lnk = C:\WINDOWS\rdi7evh1.exe
O4 - Global Startup: HW0NWMAB.lnk = C:\WINDOWS\hw0nwmab.exe
O4 - Global Startup: FD3Q0EJ4.lnk = C:\WINDOWS\fd3q0ej4.exe
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: MSN Messenger Service (HKLM)
O9 - Extra button: Encarta Encyclopedia (HKLM)
O9 - Extra 'Tools' menuitem: Encarta Encyclopedia (HKLM)
O9 - Extra button: Define (HKLM)
O9 - Extra 'Tools' menuitem: Define (HKLM)
O9 - Extra button: Real.com (HKLM)
O12 - Plugin for .mov: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .mid: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .wav: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O16 - DPF: {1FA643B0-F90E-11D3-BA0B-00C04F384A92} (HomeTsrCtrl Class) - http://image.excite.com/sputnik/dynacat_upload/HOME/ATHMWWW/locationchange.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v43/yacscom.cab
O16 - DPF: {DF6A0F17-0B1E-11D4-829D-00C04F6843FE} (Microsoft Office Tools on the Web Control) - http://officeupdate.microsoft.com/TemplateGallery/downloads/outc.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004033001/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?38012.659525463

disabled smilies - Pieter
#6
Hi Carlson4,
Here is the file you are looking for now to stop the process of: LIPCIMPA.EXE
Regards, Kent
__________________
Best regards, Kent AX64 Time Machine - Travel in Time Current Version 1.1.0.996 |
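
The comparison the helpers make by eye between the two logs in this thread, as an added example (not part of any post, and not code from HijackThis or the Adtomi Cleanup scripts): it parses running processes and O4 autorun entries, lists startup targets that are new in the second log, and flags 8-character letter-and-digit executables sitting directly in C:\WINDOWS. The log excerpts are abridged from the two logs above; the function names and the "at least one digit" rule are assumptions of this example.

```python
import ntpath
import re

# Abridged excerpts of the thread's two logs, one entry per line.
LOG_1 = r"""
Running processes:
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\HW0NWMAB.EXE
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [HW0NWMAB.EXE] C:\WINDOWS\HW0NWMAB.EXE /dk
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: MORZE1.lnk = C:\WINDOWS\morze1.exe
O4 - Global Startup: HW0NWMAB.lnk = C:\WINDOWS\hw0nwmab.exe
"""
LOG_2 = r"""
Running processes:
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\LIPCIMPA.EXE
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [FD3Q0EJ4.EXE] C:\WINDOWS\FD3Q0EJ4.EXE /dk
O4 - HKLM\..\Run: [LIPCIMPA] C:\WINDOWS\SYSTEM\LIPCIMPA.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: MORZE1.lnk = C:\WINDOWS\morze1.exe
O4 - Global Startup: HW0NWMAB.lnk = C:\WINDOWS\hw0nwmab.exe
O4 - Global Startup: FD3Q0EJ4.lnk = C:\WINDOWS\fd3q0ej4.exe
"""

# "O4 - <location>: [value name] command" or "O4 - <location>: name.lnk = target"
O4_RE = re.compile(r"^O4 - [^:]+: (?:\[[^\]]*\] |.+?\.lnk = )(?P<cmd>.+)$")
# Path up to the first executable extension; drops arguments such as "/dk".
PATH_RE = re.compile(r"^(.+?\.(?:exe|dll|tsk))\b", re.I)
DRIVE_RE = re.compile(r"^[A-Za-z]:\\")


def parse_log(text):
    """Return (running process paths, autorun target paths), lower-cased."""
    running, autoruns = set(), set()
    for line in text.splitlines():
        line = line.strip()
        o4 = O4_RE.match(line)
        if o4:
            path = PATH_RE.match(o4.group("cmd"))
            if path:
                autoruns.add(path.group(1).lower())
        elif DRIVE_RE.match(line):  # bare path = "Running processes" entry
            running.add(line.lower())
    return running, autoruns


def looks_random(path):
    """8 letters/digits with at least one digit, directly in C:\\WINDOWS."""
    folder, fname = ntpath.split(path.lower())
    stem, ext = ntpath.splitext(fname)
    return (folder == r"c:\windows" and ext == ".exe"
            and re.fullmatch(r"[a-z0-9]{8}", stem) is not None
            and any(ch.isdigit() for ch in stem))


def triage(before_text, after_text):
    """Compare two logs; report what changed and what is still running."""
    _, auto_b = parse_log(before_text)
    run_a, auto_a = parse_log(after_text)
    suspect = {p for p in auto_a if looks_random(p) or p not in auto_b}
    return {
        "new_autoruns": sorted(auto_a - auto_b),
        "random_named": sorted(p for p in auto_a if looks_random(p)),
        # Long vs 8.3 short paths (PROGRA~1) will not match each other here.
        "running_suspects": sorted(run_a & suspect),
    }


if __name__ == "__main__":
    print(triage(LOG_1, LOG_2))
```

Comparing a log with itself (`triage(LOG_1, LOG_1)`) reduces the check to the name pattern alone, which is how the first log is read in post #2.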