morze1 nightmare

Discussion in 'adware, spyware & hijack cleaning' started by nicoletta, Mar 30, 2004.

Thread Status:
Not open for further replies.
  1. nicoletta

    nicoletta Registered Member

    Joined:
    Mar 30, 2004
    Posts:
    3
    Greetings! Last Thursday, a host of things downloaded on my computer. Every day, it's worse. My Norton Cleansweep keeps flashing on my computer every 3 or 4 seconds saying that an installation process is being detected. I tried posting my problem on another forum which helped me once before, but after several days with no reply, I attempted deleting these startup files and a suspected BrowserHelper.dll file on my own with HijackThis. They keep coming back and have duplicated themselves like rabbits! Additionally, back-up files were automatically created on my desktop. I really don't understand how to do some of the posts on your board and may need a tutorial link or a clear description. Gosh, I'd really appreciate help. My whole business runs on the computer, and I have spent countless hours reading forums and trying to figure out what to do on my own. I'm afraid to do any more than I have, as I might damage the computer. These duplicating files are eating up my computer space. PLEASE HELP!
    I have Windows ME. Here's my HijackThis log file:
    Logfile of HijackThis v1.97.7
    Scan saved at 11:29:04 AM, on 3/30/2004
    Platform: Windows ME (Win9x 4.90.3000)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\WINDOWS\SYSTEM\SSDPSRV.EXE
    C:\WINDOWS\SYSTEM\MDM.EXE
    C:\WINDOWS\SYSTEM\STIMON.EXE
    C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON CLEANSWEEP\CSINJECT.EXE
    C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON UTILITIES\NPROTECT.EXE
    C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\SYMTRAY.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\PROGRAM FILES\MICROSOFT HARDWARE\MOUSE\POINT32.EXE
    C:\PROGRAM FILES\ADAPTEC\DIRECTCD\DIRECTCD.EXE
    C:\PROGRAM FILES\MUSICMATCH\MUSICMATCH JUKEBOX\MM_TRAY.EXE
    C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON ANTIVIRUS\NAVAPW32.EXE
    C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
    C:\PROGRAM FILES\EARTHLINK TOTALACCESS\TASKPANL.EXE
    C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\WORKS SHARED\WKCALREM.EXE
    C:\WINDOWS\SYSTEM\TAPISRV.EXE
    C:\PROGRAM FILES\SIERRA IMAGING\IMAGE EXPERT 2000\IXAPPLET.EXE
    C:\PROGRAM FILES\GREETINGS WORKSHOP\GWREMIND.EXE
    C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON CLEANSWEEP\CSINSM32.EXE
    C:\PROGRAM FILES\SONY HANDHELD\HOTSYNC.EXE
    C:\Program Files\Norton SystemWorks\Norton CleanSweep\Monwow.exe
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\WINDOWS\SYSTEM\HPZSTATX.EXE
    C:\WINDOWS\SYSTEM\BAR332V.EXE
    C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
    C:\WINDOWS\4BB2CFTU.EXE
    C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.earthlink.net/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.earthlink.net
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.earthlink.net/partner/more/msie/button/search.html
    F1 - win.ini: run=hpfsched
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
    O2 - BHO: (no name) - {B549456D-F5D0-4641-BCED-8648A0C13D83} - C:\WINDOWS\BrowserHelper.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
    O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
    O4 - HKLM\..\Run: [POINTER] C:\Program Files\Microsoft Hardware\Mouse\point32.exe
    O4 - HKLM\..\Run: [Adaptec DirectCD] C:\PROGRA~1\ADAPTEC\DIRECTCD\DIRECTCD.EXE
    O4 - HKLM\..\Run: [MMTray] C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe
    O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~2\NORTON~1\NAVAPW32.EXE
    O4 - HKLM\..\Run: [NPROTECT] C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [BAR332V] C:\WINDOWS\SYSTEM\BAR332V.exe
    O4 - HKLM\..\Run: [4BB2CFTU.EXE] C:\WINDOWS\4BB2CFTU.EXE /dk
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
    O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
    O4 - HKLM\..\RunServices: [Machine Debug Manager] C:\WINDOWS\SYSTEM\MDM.EXE
    O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
    O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
    O4 - HKLM\..\RunServices: [CSINJECT.EXE] C:\Program Files\Norton SystemWorks\Norton CleanSweep\CSINJECT.EXE
    O4 - HKLM\..\RunServices: [NPROTECT] C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
    O4 - HKLM\..\RunServices: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\SymTray.exe "Norton SystemWorks"
    O4 - HKCU\..\Run: [MSMSGS] C:\PROGRA~1\MESSEN~1\msmsgs.exe /background
    O4 - HKCU\..\Run: [E6TaskPanel] "C:\PROGRAM FILES\EARTHLINK TOTALACCESS\TASKPANL.EXE" -winstart
    O4 - HKCU\..\Run: [4BB2CFTU.EXE] C:\WINDOWS\4BB2CFTU.EXE /dk
    O4 - Startup: MICROSOFT OFFICE.LNK = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Startup: MICROSOFT WORKS CALENDAR REMINDERS.LNK = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
    O4 - Startup: RESOLUTION ASSISTANT.LNK = C:\Program Files\Dell\Resolution Assistant\MotiveAssistant\bin\matcli.exe
    O4 - Startup: CAMIO VIEWER 3.2.LNK = C:\Program Files\Sierra Imaging\Image Expert 2000\IXApplet.exe
    O4 - Startup: GREETINGS WORKSHOP REMINDERS.LNK = C:\Program Files\Greetings Workshop\GWREMIND.EXE
    O4 - Startup: CLEANSWEEP SMART SWEEP-INTERNET SWEEP.LNK = C:\Program Files\Norton SystemWorks\Norton CleanSweep\csinsm32.exe
    O4 - Startup: HOTSYNC MANAGER.LNK = C:\Program Files\Sony Handheld\HOTSYNC.EXE
    O4 - Startup: MORZE1.lnk = C:\WINDOWS\morze1.exe
    O4 - Startup: HAQR5MDJ.lnk = C:\WINDOWS\haqr5mdj.exe
    O4 - Startup: GI9DBGWI.lnk = C:\WINDOWS\gi9dbgwi.exe
    O4 - Startup: 77QBHANZ.lnk = C:\WINDOWS\77qbhanz.exe
    O4 - Startup: 0R3IEW80.lnk = C:\WINDOWS\0r3iew80.exe
    O4 - Startup: WEAHBMI4.lnk = C:\WINDOWS\weahbmi4.exe
    O4 - Startup: Z7KM96F9.lnk = C:\WINDOWS\z7km96f9.exe
    O4 - Startup: TZXJRZY0.lnk = C:\WINDOWS\tzxjrzy0.exe
    O4 - Startup: V7F02C3I.lnk = C:\WINDOWS\v7f02c3i.exe
    O4 - Startup: FR1ZHE2J.lnk = C:\WINDOWS\fr1zhe2j.exe
    O4 - Startup: 0DIO94Y8.lnk = C:\WINDOWS\0dio94y8.exe
    O4 - Startup: 4BB2CFTU.lnk = C:\WINDOWS\4bb2cftu.exe
    O4 - Global Startup: MORZE1.lnk = C:\WINDOWS\morze1.exe
    O4 - Global Startup: HAQR5MDJ.lnk = C:\WINDOWS\haqr5mdj.exe
    O4 - Global Startup: GI9DBGWI.lnk = C:\WINDOWS\gi9dbgwi.exe
    O4 - Global Startup: 77QBHANZ.lnk = C:\WINDOWS\77qbhanz.exe
    O4 - Global Startup: 0R3IEW80.lnk = C:\WINDOWS\0r3iew80.exe
    O4 - Global Startup: WEAHBMI4.lnk = C:\WINDOWS\weahbmi4.exe
    O4 - Global Startup: Z7KM96F9.lnk = C:\WINDOWS\z7km96f9.exe
    O4 - Global Startup: TZXJRZY0.lnk = C:\WINDOWS\tzxjrzy0.exe
    O4 - Global Startup: V7F02C3I.lnk = C:\WINDOWS\v7f02c3i.exe
    O4 - Global Startup: FR1ZHE2J.lnk = C:\WINDOWS\fr1zhe2j.exe
    O4 - Global Startup: 0DIO94Y8.lnk = C:\WINDOWS\0dio94y8.exe
    O4 - Global Startup: 4BB2CFTU.lnk = C:\WINDOWS\4bb2cftu.exe
    O8 - Extra context menu item: &Define - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
    O8 - Extra context menu item: Look Up in &Encyclopedia - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: MSN Messenger Service (HKLM)
    O9 - Extra button: Encarta Encyclopedia (HKLM)
    O9 - Extra 'Tools' menuitem: Encarta Encyclopedia (HKLM)
    O9 - Extra button: Define (HKLM)
    O9 - Extra 'Tools' menuitem: Define (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O9 - Extra button: Dell Home (HKCU)
    O12 - Plugin for .DImg: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin3.dll
    O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.dellnet.com/
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security1.norton.com/SSC/SharedContent/sc/bin/cabsa.cab
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security1.norton.com/SSC/SharedContent/vc/bin/AvSniff.cab
    O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/swdir.cab
    O16 - DPF: {8F2E4DC6-E858-4EF0-B596-7CD82AA94B0A} (M2AxCtl Class) - http://hometowntrivia.net/towns/corning/game/m2axsvr.dll
    O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-32.cab
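The log above is what the responders in this thread are reading. As an added example (not part of the original post, and not how HijackThis itself classifies entries), the script below parses the O2 and O4 lines that the poster was fighting with and groups every executable by the autostart locations that launch it. Two heuristics are this example's own assumptions, chosen from what the log shows: an executable sitting directly in C:\WINDOWS whose name is eight random-looking alphanumerics, or one launched from two or more autostart locations, is reported, as is a BHO with no name that loads from C:\WINDOWS. Legitimate duplicates such as LoadPowerProfile (HKLM Run and RunServices) are not reported because they do not meet either rule. The sample input is an abridged copy of the thread's own log lines.

```python
import ntpath
import re
from collections import defaultdict

# Abridged copy of the O2/O4 lines from the HijackThis log posted in this
# thread. The thread gives no verdict on these entries; the flagging rules
# below are this example's own heuristics, not HijackThis logic.
SAMPLE_LOG = r'''
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {B549456D-F5D0-4641-BCED-8648A0C13D83} - C:\WINDOWS\BrowserHelper.dll
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [NPROTECT] C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [4BB2CFTU.EXE] C:\WINDOWS\4BB2CFTU.EXE /dk
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [NPROTECT] C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O4 - HKCU\..\Run: [4BB2CFTU.EXE] C:\WINDOWS\4BB2CFTU.EXE /dk
O4 - Startup: MICROSOFT OFFICE.LNK = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Startup: MORZE1.lnk = C:\WINDOWS\morze1.exe
O4 - Startup: HAQR5MDJ.lnk = C:\WINDOWS\haqr5mdj.exe
O4 - Startup: 4BB2CFTU.lnk = C:\WINDOWS\4bb2cftu.exe
O4 - Global Startup: MORZE1.lnk = C:\WINDOWS\morze1.exe
O4 - Global Startup: HAQR5MDJ.lnk = C:\WINDOWS\haqr5mdj.exe
O4 - Global Startup: 4BB2CFTU.lnk = C:\WINDOWS\4bb2cftu.exe
'''

# O2 BHO line: "O2 - BHO: <name> - {CLSID} - <dll path>"
BHO_RE = re.compile(r'^O2 - BHO: (?P<name>.*?) - \{[0-9A-Fa-f-]+\} - (?P<path>.+)$')
# O4 registry Run/RunServices line: "O4 - HKLM\..\Run: [<value name>] <command>"
REG_RE = re.compile(r'^O4 - (?P<loc>HK(?:LM|CU)\\\.\.\\\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
# O4 Startup-folder line: "O4 - Startup: <shortcut> = <target>"
LNK_RE = re.compile(r'^O4 - (?P<loc>(?:Global )?Startup): (?P<name>.+?) = (?P<cmd>.*)$')
# First executable in a command line, with or without surrounding quotes.
EXE_RE = re.compile(r'^"?(?P<path>[^"]*?\.exe)', re.IGNORECASE)
# Heuristic (assumption): eight alphanumerics with at least one digit.
RANDOM_STEM = re.compile(r'^(?=.*\d)[a-z0-9]{8}$')


def windows_root_file(path):
    """True when the file sits directly in C:\\WINDOWS rather than a subfolder."""
    return ntpath.dirname(path).lower() == r'c:\windows'


def collect_autostarts(log_text):
    """Map each lowercase executable path to the set of O4 locations launching it."""
    by_exe = defaultdict(set)
    for line in log_text.splitlines():
        m = REG_RE.match(line) or LNK_RE.match(line)
        if not m:
            continue
        e = EXE_RE.match(m.group('cmd'))
        if e:
            by_exe[e.group('path').lower()].add(m.group('loc'))
    return by_exe


def flag_suspicious_autostarts(log_text):
    """Return {lowercase path: sorted locations} for entries matching the heuristics."""
    flagged = {}
    for exe, locs in collect_autostarts(log_text).items():
        if not windows_root_file(exe):
            continue
        stem = ntpath.splitext(ntpath.basename(exe))[0]
        # Random-looking name, or the same C:\WINDOWS file re-launched from
        # several autostart locations (the "duplicating" behaviour in the post).
        if RANDOM_STEM.match(stem) or len(locs) >= 2:
            flagged[exe] = sorted(locs)
    for line in log_text.splitlines():
        m = BHO_RE.match(line)
        if m and m.group('name') == '(no name)' and windows_root_file(m.group('path')):
            flagged[m.group('path').lower()] = ['BHO']
    return flagged


if __name__ == '__main__':
    for path, locs in sorted(flag_suspicious_autostarts(SAMPLE_LOG).items()):
        print(f'{path}  <-  {", ".join(locs)}')
```

Run as-is, the script lists 4bb2cftu.exe (four launch points), morze1.exe and haqr5mdj.exe (Startup plus Global Startup) and the unnamed BrowserHelper.dll, while scanregw.exe, taskmon.exe and the Norton entries stay quiet. The rules are deliberately narrow; a real triage would still check each flagged file against a reputable database rather than delete on the heuristic alone.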
     
  2. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    Hi

    This is the best cure we have found so far

    http://www.wilderssecurity.com/showthread.php?t=25926

    Please follow it carefully and post back with any problems and queries.
     
  3. nicoletta

    nicoletta Registered Member

    Joined:
    Mar 30, 2004
    Posts:
    3
    Okay, sounds good but for starters, where do I find the yahoo stock task bar icon? It doesn't appear to be on my start page.
    Thanks so much for your help, Nicoletta
    o_O
     
  4. puff-m-d

    puff-m-d Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    5,703
    Location:
    North Carolina, USA
    Hi nicoletta,

    It will be in your system tray/taskbar. It could be any icon you do not recognize.... I know it has shown up there as "??" on a couple of machines. And it mostly shows up on Windows 98, but has appeared on others as well....

    Regards,
    Kent
     
  5. nicoletta

    nicoletta Registered Member

    Joined:
    Mar 30, 2004
    Posts:
    3
    There are no unusual icons or question marks. I did a search for yahoo stock and came up with: FStock.dll & Stocks.dat

    Any suggestions?

    Thanks, Nicoletta
     
  6. puff-m-d

    puff-m-d Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    5,703
    Location:
    North Carolina, USA
    Hi nicoletta,

    All infections do not include this icon, so you can skip this step and go on to the next one...

    Regards,
    Kent
     