Trojan Horse downloader Revop.A again, please help

Discussion in 'adware, spyware & hijack cleaning' started by Flight, Mar 28, 2004.

Thread Status:
Not open for further replies.
  1. Flight

    Flight Registered Member

    Joined:
    Mar 28, 2004
    Posts:
    8
    I have read other users experience the exact same problems I have had with this. I used adware to delete the files, but every time I boot up my computer I start getting 'missing shortcut' messages with strange filenames like morze5.exe and other random jumbles of characters. Thank you in advance for any help you can give me. This is my hijackthis log:

    Logfile of HijackThis v1.97.7
    Scan saved at 10:53:39 AM, on 3/28/04
    Platform: Windows 98 Gold (Win9x 4.10.1998)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\PROGRAM FILES\ENCOMPASS\MONITOR.EXE
    C:\PROGRAM FILES\COMMON FILES\EPSON\EBAPI\SAGENT2.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS\SYSTEM\ATICWD32.EXE
    C:\WINDOWS\SYSTEM\ATITASK.EXE
    C:\PROGRAM FILES\AUDIO VIDEO SUITE\VTRAY.EXE
    C:\WINDOWS\SYSTEM\QTTASK.EXE
    C:\PROGRAM FILES\REAL\REALONE PLAYER\REALPLAY.EXE
    C:\PROGRAM FILES\SUPPORT.COM\BIN\TGCMD.EXE
    C:\WINDOWS\SYSTEM\E_S0BIC1.EXE
    C:\WINDOWS\SYSTEM\E_S0BIC1.EXE
    C:\WINDOWS\SYSTEM\STIMON.EXE
    C:\WINDOWS\SYSTEM\LEXBCES.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\WINDOWS\SYSTEM\RPCSS.EXE
    C:\WINDOWS\SYSTEM\LEXPPS.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\PROGRAM FILES\FIRSTAID 98\FAWGRD32.EXE
    C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\OSA.EXE
    C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
    C:\PROGRAM FILES\FIRSTAID 98\FA_GD32.EXE
    C:\PROGRAM FILES\FIRSTAID 98\RTFIXM32.EXE
    C:\WINDOWS\NOTEPAD.EXE
    C:\_WINBKUP\DESKTOP\MEEP1\HIJACK\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.efinder.cc/search/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.efinder.cc/search/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.2wire.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.efinder.cc/search/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.efinder.cc/search/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.efinder.cc/search/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.efinder.cc/hp/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.efinder.cc/search/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.efinder.cc/search/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.comcast.net
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.efinder.cc/search/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.efinder.cc/search/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.efinder.cc/search/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast High-Speed Internet
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.efinder.cc/search/
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 208.29.180.114:80
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.r1.attbi.com;<local>
    R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = http://www.efinder.cc/search/
    R3 - Default URLSearchHook is missing
    O2 - BHO: (no name) - {EBCDDA60-2A68-11D3-8A43-0060083CFB9C} - C:\WINDOWS\SYSTEM\NZDD.DLL
    O2 - BHO: IE Agent - {00000000-0000-0000-0000-000000000221} - C:\PROGRA~1\LYCOS\IEAGENT\CSIE.DLL
    O2 - BHO: (no name) - {B549456D-F5D0-4641-BCED-8648A0C13D83} - C:\WINDOWS\BrowserHelper.dll
    O2 - BHO: (no name) - {0019C3E2-DD48-4A6D-ABCD-8D32436323D9} - C:\WINDOWS\BXXS5.DLL
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [AtiCwd32] Aticwd32.exe
    O4 - HKLM\..\Run: [AtiKey] Atitask.exe
    O4 - HKLM\..\Run: [VoyetraTray] C:\PROGRAM FILES\AUDIO VIDEO SUITE\VTRAY.EXE /s
    O4 - HKLM\..\Run: [LexStart] Lexstart.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealOne Player\realplay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe" /server
    O4 - HKLM\..\Run: [EPSON Stylus C62 Series-MackEd] C:\WINDOWS\SYSTEM\E_S0BIC1.EXE /P30 "EPSON Stylus C62 Series-MackEd" /O5 "LPT1:" /M "Stylus C62"
    O4 - HKLM\..\Run: [EPSON Stylus C62 Series] C:\WINDOWS\SYSTEM\E_S0BIC1.EXE /P23 "EPSON Stylus C62 Series" /O5 "LPT1:" /M "Stylus C62"
    O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
    O4 - HKLM\..\Run: [sys] regedit -s sys.reg
    O4 - HKLM\..\Run: [bxxs5] RunDLL32.EXE C:\WINDOWS\BXXS5.DLL,DllRun
    O4 - HKLM\..\Run: [CTXPVEAD.EXE] C:\WINDOWS\CTXPVEAD.EXE /dk
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [EncMonitor] C:\Program Files\Encompass\Monitor.exe
    O4 - HKLM\..\RunServices: [SAgent2ExePath] C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
    O4 - HKCU\..\Run: [AddClass] C:\WINDOWS\ADDCLASS.EXE
    O4 - HKCU\..\Run: [CTXPVEAD.EXE] C:\WINDOWS\CTXPVEAD.EXE /dk
    O4 - HKCU\..\RunServices: [AddClass] C:\WINDOWS\ADDCLASS.EXE
    O4 - HKCU\..\RunServices: [CTXPVEAD.EXE] C:\WINDOWS\CTXPVEAD.EXE /dk
    O4 - Startup: Windows Guardian.lnk = C:\Program Files\FirstAid 98\Fawgrd32.exe
    O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
    O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O4 - Startup: RealDownload.lnk = C:\Program Files\REAL\RealDownload\REALDOWNLOAD0.EXE
    O4 - Startup: PowerReg SchedulerV2.exe
    O4 - Startup: MORZE5.lnk = C:\WINDOWS\morze5.exe
    O4 - Startup: 01FAZQN9.lnk = C:\WINDOWS\01fazqn9.exe
    O4 - Startup: C4V9DJ0I.lnk = C:\WINDOWS\c4v9dj0i.exe
    O4 - Startup: DLZ0H0V0.lnk = C:\WINDOWS\dlz0h0v0.exe
    O4 - Startup: MORZE1.lnk = C:\WINDOWS\morze1.exe
    O4 - Startup: X9ZT9VTA.lnk = C:\WINDOWS\x9zt9vta.exe
    O4 - Startup: 9I2LX0EQ.lnk = C:\WINDOWS\9i2lx0eq.exe
    O4 - Startup: CTXPVEAD.lnk = C:\WINDOWS\ctxpvead.exe
    O4 - Global Startup: MORZE5.lnk = C:\WINDOWS\morze5.exe
    O4 - Global Startup: 01FAZQN9.lnk = C:\WINDOWS\01fazqn9.exe
    O4 - Global Startup: C4V9DJ0I.lnk = C:\WINDOWS\c4v9dj0i.exe
    O4 - Global Startup: DLZ0H0V0.lnk = C:\WINDOWS\dlz0h0v0.exe
    O4 - Global Startup: MORZE1.lnk = C:\WINDOWS\morze1.exe
    O4 - Global Startup: X9ZT9VTA.lnk = C:\WINDOWS\x9zt9vta.exe
    O4 - Global Startup: 9I2LX0EQ.lnk = C:\WINDOWS\9i2lx0eq.exe
    O4 - Global Startup: CTXPVEAD.lnk = C:\WINDOWS\ctxpvead.exe
    O13 - WWW. Prefix: http://ehttp.cc/?
    O14 - IERESET.INF: START_PAGE_URL=http://www.comcast.net
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003120501/housecall.antivirus.com/housecall/xscan53.cab
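    The log above is the kind of thing a helper reads by eye, line by line. As an added illustration (this is not code from the thread or from HijackThis itself), the following Python triage script parses lines in the HijackThis v1.97 format and flags the same categories of entry that stand out in this log: R0/R1 search settings pointing at an unexpected host, a ProxyServer value, O2 BHOs with no name, O4 Run entries that launch through regedit or rundll32, O4 Startup/Global Startup shortcuts whose target sits directly in the Windows folder or has a random-looking eight-character name, the same target duplicated in both startup folders, and an O13 WWW. prefix. The sample lines are constructed from entries in the log above, the EXPECTED_SEARCH_HOSTS allow-list and the "random name" heuristic are assumptions for this example, and any hit is a candidate for review, not proof of infection.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Assumption for this example: hosts that search-related R0/R1 keys may point at.
# Any other host in Search Bar / Search Page / Default_Search_URL / SearchAssistant /
# CustomizeSearch / SearchURL is reported for review.
EXPECTED_SEARCH_HOSTS = {"search.msn.com", "www.microsoft.com", "home.microsoft.com"}

LINE_RE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.*)$")
URL_HOST = re.compile(r"^https?://([^/?#]+)", re.I)
WINDOWS_ROOT = re.compile(r"^[A-Z]:\\WINDOWS\\[^\\]+$", re.I)  # file directly in C:\WINDOWS
STARTUP_RE = re.compile(r"^O4 - (Startup|Global Startup): .+ = (.+)$")

# Constructed sample, modelled on entries from the log in this thread (not the full log).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.efinder.cc/search/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.2wire.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.efinder.cc/search/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 208.29.180.114:80
O2 - BHO: (no name) - {0019C3E2-DD48-4A6D-ABCD-8D32436323D9} - C:\WINDOWS\BXXS5.DLL
O2 - BHO: IE Agent - {00000000-0000-0000-0000-000000000221} - C:\PROGRA~1\LYCOS\IEAGENT\CSIE.DLL
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [sys] regedit -s sys.reg
O4 - HKLM\..\Run: [bxxs5] RunDLL32.EXE C:\WINDOWS\BXXS5.DLL,DllRun
O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O4 - Startup: MORZE5.lnk = C:\WINDOWS\morze5.exe
O4 - Startup: 01FAZQN9.lnk = C:\WINDOWS\01fazqn9.exe
O4 - Global Startup: 01FAZQN9.lnk = C:\WINDOWS\01fazqn9.exe
O13 - WWW. Prefix: http://ehttp.cc/?
"""


@dataclass(frozen=True)
class Finding:
    rule: str    # which heuristic fired
    line: str    # the log line (or target) it fired on
    detail: str  # the value worth looking at


def looks_random(stem: str) -> bool:
    """Heuristic: exactly eight alphanumerics mixing letters and digits, e.g. 01fazqn9."""
    return (re.fullmatch(r"[A-Za-z0-9]{8}", stem) is not None
            and any(c.isdigit() for c in stem)
            and any(c.isalpha() for c in stem))


def split_assignment(text: str):
    """Split 'key = value'; entries without ' = ' yield an empty value."""
    key, sep, value = text.partition(" = ")
    return (key.strip(), value.strip()) if sep else (text.strip(), "")


def triage_line(line: str) -> list:
    """Apply the per-line heuristics to one HijackThis entry."""
    m = LINE_RE.match(line.strip())
    if not m:
        return []
    kind, body = m.group("kind"), m.group("body")
    out = []
    if kind in ("R0", "R1"):
        key, value = split_assignment(body)
        if "Search" in key:
            host = URL_HOST.match(value)
            host = host.group(1).lower() if host else None
            if host and host not in EXPECTED_SEARCH_HOSTS:
                out.append(Finding("search_redirect", line, host))
        elif key.endswith("ProxyServer") and value:
            out.append(Finding("proxy_set", line, value))
    elif kind == "O2" and body.startswith("BHO: (no name)"):
        out.append(Finding("unnamed_bho", line, body.rsplit(" - ", 1)[-1]))
    elif kind == "O4":
        location, _, rest = body.partition(": ")
        if location.endswith(("Run", "RunServices")):
            command = rest.split("] ", 1)[-1]
            # Launching via regedit -s or rundll32 hides the real payload behind a system binary.
            if re.match(r'"?(regedit|rundll32)', command, re.I):
                out.append(Finding("indirect_launcher", line, command))
        elif location in ("Startup", "Global Startup"):
            _, target = split_assignment(rest)
            stem = target.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
            if WINDOWS_ROOT.match(target) and looks_random(stem):
                out.append(Finding("random_startup_name", line, target))
            elif WINDOWS_ROOT.match(target):
                out.append(Finding("startup_in_windows_root", line, target))
    elif kind == "O13":
        out.append(Finding("prefix_hijack", line, body))
    return out


def triage(log_text: str) -> list:
    """Run per-line heuristics plus the cross-line duplicate-startup check."""
    findings = []
    folders_by_target = defaultdict(set)
    for raw in log_text.splitlines():
        line = raw.strip()
        findings.extend(triage_line(line))
        m = STARTUP_RE.match(line)
        if m:
            folders_by_target[m.group(2).lower()].add(m.group(1))
    for target, folders in folders_by_target.items():
        if len(folders) == 2:  # same target in both Startup and Global Startup
            findings.append(Finding("duplicated_startup", target, "Startup and Global Startup"))
    return findings


def summarize(findings: list) -> dict:
    """Count findings per rule, e.g. {'search_redirect': 2, ...}."""
    counts = defaultdict(int)
    for f in findings:
        counts[f.rule] += 1
    return dict(counts)


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.rule:24} {f.detail}")
```

Running it on the constructed sample reports two search redirects to www.efinder.cc, the proxy, one unnamed BHO, two indirect launchers, one plain and two random-named startup shortcuts in the Windows folder, the duplicated 01fazqn9 target, and the WWW. prefix. Entries such as the Start Page at 2wire.com, the named Lycos BHO and the WinZip shortcut produce nothing, which is the point of keeping the heuristics narrow.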
     
  2. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,491
    Location:
    Netherlands
    Hi Flight,

    Could you please download and run CWShredder
    Use the Fix button and follow the instructions provided by the program.

    Then reboot, run HijackThis again and post a new log. I'll have the next step ready for you by then.

    Regards,

    Pieter
     
  3. Flight

    Flight Registered Member

    Joined:
    Mar 28, 2004
    Posts:
    8
    Did as you requested, here is the new log.
    By the way, wasn't it Heinlein that said the technology of any sufficiently advanced species would appear to be magic to the layman? I'm already there in laymanland. This stuff is complete magic to me, so I again reiterate my appreciation for your help.

    Logfile of HijackThis v1.97.7
    Scan saved at 12:42:38 PM, on 3/28/04
    Platform: Windows 98 Gold (Win9x 4.10.1998)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\PROGRAM FILES\ENCOMPASS\MONITOR.EXE
    C:\PROGRAM FILES\COMMON FILES\EPSON\EBAPI\SAGENT2.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS\SYSTEM\ATICWD32.EXE
    C:\WINDOWS\SYSTEM\ATITASK.EXE
    C:\PROGRAM FILES\AUDIO VIDEO SUITE\VTRAY.EXE
    C:\WINDOWS\SYSTEM\QTTASK.EXE
    C:\PROGRAM FILES\REAL\REALONE PLAYER\REALPLAY.EXE
    C:\PROGRAM FILES\SUPPORT.COM\BIN\TGCMD.EXE
    C:\WINDOWS\SYSTEM\E_S0BIC1.EXE
    C:\WINDOWS\SYSTEM\E_S0BIC1.EXE
    C:\WINDOWS\SYSTEM\LEXBCES.EXE
    C:\WINDOWS\SYSTEM\STIMON.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\WINDOWS\SYSTEM\RPCSS.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\WINDOWS\SYSTEM\LEXPPS.EXE
    C:\WINDOWS\902OPNIQ.EXE
    C:\PROGRAM FILES\FIRSTAID 98\FAWGRD32.EXE
    C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\OSA.EXE
    C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
    C:\PROGRAM FILES\FIRSTAID 98\FA_GD32.EXE
    C:\PROGRAM FILES\FIRSTAID 98\RTFIXM32.EXE
    C:\_WINBKUP\DESKTOP\MEEP1\HIJACK\HIJACKTHIS.EXE

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.2wire.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.comcast.net
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast High-Speed Internet
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 208.29.180.114:80
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.r1.attbi.com;<local>
    R3 - Default URLSearchHook is missing
    O2 - BHO: (no name) - {EBCDDA60-2A68-11D3-8A43-0060083CFB9C} - C:\WINDOWS\SYSTEM\NZDD.DLL
    O2 - BHO: IE Agent - {00000000-0000-0000-0000-000000000221} - C:\PROGRA~1\LYCOS\IEAGENT\CSIE.DLL
    O2 - BHO: (no name) - {B549456D-F5D0-4641-BCED-8648A0C13D83} - C:\WINDOWS\BrowserHelper.dll
    O2 - BHO: (no name) - {0019C3E2-DD48-4A6D-ABCD-8D32436323D9} - C:\WINDOWS\BXXS5.DLL
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [AtiCwd32] Aticwd32.exe
    O4 - HKLM\..\Run: [AtiKey] Atitask.exe
    O4 - HKLM\..\Run: [VoyetraTray] C:\PROGRAM FILES\AUDIO VIDEO SUITE\VTRAY.EXE /s
    O4 - HKLM\..\Run: [LexStart] Lexstart.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealOne Player\realplay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe" /server
    O4 - HKLM\..\Run: [EPSON Stylus C62 Series-MackEd] C:\WINDOWS\SYSTEM\E_S0BIC1.EXE /P30 "EPSON Stylus C62 Series-MackEd" /O5 "LPT1:" /M "Stylus C62"
    O4 - HKLM\..\Run: [EPSON Stylus C62 Series] C:\WINDOWS\SYSTEM\E_S0BIC1.EXE /P23 "EPSON Stylus C62 Series" /O5 "LPT1:" /M "Stylus C62"
    O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
    O4 - HKLM\..\Run: [bxxs5] RunDLL32.EXE C:\WINDOWS\BXXS5.DLL,DllRun
    O4 - HKLM\..\Run: [902OPNIQ.EXE] C:\WINDOWS\902OPNIQ.EXE /dk
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [EncMonitor] C:\Program Files\Encompass\Monitor.exe
    O4 - HKLM\..\RunServices: [SAgent2ExePath] C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
    O4 - HKCU\..\Run: [902OPNIQ.EXE] C:\WINDOWS\902OPNIQ.EXE /dk
    O4 - Startup: Windows Guardian.lnk = C:\Program Files\FirstAid 98\Fawgrd32.exe
    O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
    O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O4 - Startup: RealDownload.lnk = C:\Program Files\REAL\RealDownload\REALDOWNLOAD0.EXE
    O4 - Startup: PowerReg SchedulerV2.exe
    O4 - Startup: MORZE5.lnk = C:\WINDOWS\morze5.exe
    O4 - Startup: 01FAZQN9.lnk = C:\WINDOWS\01fazqn9.exe
    O4 - Startup: C4V9DJ0I.lnk = C:\WINDOWS\c4v9dj0i.exe
    O4 - Startup: DLZ0H0V0.lnk = C:\WINDOWS\dlz0h0v0.exe
    O4 - Startup: MORZE1.lnk = C:\WINDOWS\morze1.exe
    O4 - Startup: X9ZT9VTA.lnk = C:\WINDOWS\x9zt9vta.exe
    O4 - Startup: 9I2LX0EQ.lnk = C:\WINDOWS\9i2lx0eq.exe
    O4 - Startup: CTXPVEAD.lnk = C:\WINDOWS\ctxpvead.exe
    O4 - Startup: 902OPNIQ.lnk = C:\WINDOWS\902opniq.exe
    O4 - Global Startup: MORZE5.lnk = C:\WINDOWS\morze5.exe
    O4 - Global Startup: 01FAZQN9.lnk = C:\WINDOWS\01fazqn9.exe
    O4 - Global Startup: C4V9DJ0I.lnk = C:\WINDOWS\c4v9dj0i.exe
    O4 - Global Startup: DLZ0H0V0.lnk = C:\WINDOWS\dlz0h0v0.exe
    O4 - Global Startup: MORZE1.lnk = C:\WINDOWS\morze1.exe
    O4 - Global Startup: X9ZT9VTA.lnk = C:\WINDOWS\x9zt9vta.exe
    O4 - Global Startup: 9I2LX0EQ.lnk = C:\WINDOWS\9i2lx0eq.exe
    O4 - Global Startup: CTXPVEAD.lnk = C:\WINDOWS\ctxpvead.exe
    O4 - Global Startup: 902OPNIQ.lnk = C:\WINDOWS\902opniq.exe
    O14 - IERESET.INF: START_PAGE_URL=http://www.comcast.net
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003120501/housecall.antivirus.com/housecall/xscan53.cab
     
  4. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    try the fix here
    http://www.wilderssecurity.com/showthread.php?t=25926

    it works for some and not for others

    post another hijackthis log when done
     
  5. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,491
    Location:
    Netherlands
    Some more will need to be done:

    Check the following items in HijackThis.
    Close all windows except HijackThis and click Fix checked:

    O2 - BHO: IE Agent - {00000000-0000-0000-0000-000000000221} - C:\PROGRA~1\LYCOS\IEAGENT\CSIE.DLL
    O2 - BHO: (no name) - {B549456D-F5D0-4641-BCED-8648A0C13D83} - C:\WINDOWS\BrowserHelper.dll
    O2 - BHO: (no name) - {0019C3E2-DD48-4A6D-ABCD-8D32436323D9} - C:\WINDOWS\BXXS5.DLL

    O4 - HKLM\..\Run: [bxxs5] RunDLL32.EXE C:\WINDOWS\BXXS5.DLL,DllRun

    Then reboot and continue with the instructions at dvk01's link.

    Keep us posted,

    Pieter
     
  6. Flight

    Flight Registered Member

    Joined:
    Mar 28, 2004
    Posts:
    8
    Wow! These fixes seemed to clear up:

    1) The 'missing shortcut' problems on startup
    2) The random ads popping up every time I load a new webpage
    3) A random homepage hijacker that I've actually had for about 5 months now but just got used to.
    4) Some random hard-drive whirrings and slowdowns

    I can't thank you guys enough for your help.
     
  7. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    please post a new hijackthis log as I'm sure there will still be a few leftovers to fix
     
  8. Flight

    Flight Registered Member

    Joined:
    Mar 28, 2004
    Posts:
    8
    Here's my new log:

    Logfile of HijackThis v1.97.7
    Scan saved at 12:26:51 PM, on 3/30/04
    Platform: Windows 98 Gold (Win9x 4.10.1998)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\PROGRAM FILES\ENCOMPASS\MONITOR.EXE
    C:\PROGRAM FILES\COMMON FILES\EPSON\EBAPI\SAGENT2.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS\SYSTEM\ATICWD32.EXE
    C:\WINDOWS\SYSTEM\ATITASK.EXE
    C:\PROGRAM FILES\AUDIO VIDEO SUITE\VTRAY.EXE
    C:\WINDOWS\SYSTEM\QTTASK.EXE
    C:\PROGRAM FILES\REAL\REALONE PLAYER\REALPLAY.EXE
    C:\PROGRAM FILES\SUPPORT.COM\BIN\TGCMD.EXE
    C:\WINDOWS\SYSTEM\LEXBCES.EXE
    C:\WINDOWS\SYSTEM\E_S0BIC1.EXE
    C:\WINDOWS\SYSTEM\E_S0BIC1.EXE
    C:\WINDOWS\SYSTEM\STIMON.EXE
    C:\PROGRAM FILES\FIRSTAID 98\FAWGRD32.EXE
    C:\WINDOWS\SYSTEM\RPCSS.EXE
    C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\OSA.EXE
    C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
    C:\PROGRAM FILES\FIRSTAID 98\FA_GD32.EXE
    C:\PROGRAM FILES\FIRSTAID 98\RTFIXM32.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\WINDOWS\SYSTEM\LEXPPS.EXE
    C:\WINDOWS\NOTEPAD.EXE
    C:\_WINBKUP\DESKTOP\MEEP1\HIJACK\HIJACKTHIS.EXE

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.2wire.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.comcast.net
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast High-Speed Internet
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 208.29.180.114:80
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.r1.attbi.com;<local>
    R3 - Default URLSearchHook is missing
    O2 - BHO: (no name) - {EBCDDA60-2A68-11D3-8A43-0060083CFB9C} - C:\WINDOWS\SYSTEM\NZDD.DLL
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [AtiCwd32] Aticwd32.exe
    O4 - HKLM\..\Run: [AtiKey] Atitask.exe
    O4 - HKLM\..\Run: [VoyetraTray] C:\PROGRAM FILES\AUDIO VIDEO SUITE\VTRAY.EXE /s
    O4 - HKLM\..\Run: [LexStart] Lexstart.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealOne Player\realplay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe" /server
    O4 - HKLM\..\Run: [EPSON Stylus C62 Series-MackEd] C:\WINDOWS\SYSTEM\E_S0BIC1.EXE /P30 "EPSON Stylus C62 Series-MackEd" /O5 "LPT1:" /M "Stylus C62"
    O4 - HKLM\..\Run: [EPSON Stylus C62 Series] C:\WINDOWS\SYSTEM\E_S0BIC1.EXE /P23 "EPSON Stylus C62 Series" /O5 "LPT1:" /M "Stylus C62"
    O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [EncMonitor] C:\Program Files\Encompass\Monitor.exe
    O4 - HKLM\..\RunServices: [SAgent2ExePath] C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
    O4 - Startup: Windows Guardian.lnk = C:\Program Files\FirstAid 98\Fawgrd32.exe
    O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
    O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O4 - Startup: RealDownload.lnk = C:\Program Files\REAL\RealDownload\REALDOWNLOAD0.EXE
    O4 - Startup: PowerReg SchedulerV2.exe
    O14 - IERESET.INF: START_PAGE_URL=http://www.comcast.net
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003120501/housecall.antivirus.com/housecall/xscan53.cab
     
  9. puff-m-d

    puff-m-d Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    5,703
    Location:
    North Carolina, USA
    Hi Flight,

    You have just a couple more items to remove.

    Check the following items in HijackThis.
    Close all windows except HijackThis and click Fix checked:

    R3 - Default URLSearchHook is missing
    O2 - BHO: (no name) - {EBCDDA60-2A68-11D3-8A43-0060083CFB9C} - C:\WINDOWS\SYSTEM\NZDD.DLL

    Reboot and then post a fresh HijackThis log.

    Regards,
    Kent
     