Help needed to rid BAMMDMA.DLL

Discussion in 'adware, spyware & hijack cleaning' started by Dipsy, Jun 9, 2004.

Thread Status:
Not open for further replies.
  1. Dipsy

    Dipsy Registered Member

    Joined:
    Jun 9, 2004
    Posts:
    6
    trojan horse startpage.6.y

    I have a couple of problems with my pc and I'm hoping someone can help me fix them. Firstly I have 'about:blank' as my homepage and no matter what I do I can't get rid of it. Secondly I have updated and run AVG today and it says I have a trojan horse called startpage.6.Y within my windows system files called BAMMDMA.DLL that it can't delete. I have run ad-aware but it doesn't seem to have any effect on either of these problems. I also have zone alarm set up so I don't understand where I could have picked these viruses up from. Can someone please advise me on how to get rid of them both? This is my log after I ran ad-aware.





    Logfile of HijackThis v1.97.7
    Scan saved at 12:01:23 AM, on 6/10/04
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\PROGRAM FILES\GRISOFT\AVG6\AVGSERV9.EXE
    C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\SYSTEM\RNAAPP.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\TAPISRV.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\FREESERVE\FREESERVECONNECTIONKIT\ATDIALLER1.EXE
    C:\PROGRAM FILES\ADAPTEC\EASY CD CREATOR 5\DIRECTCD\DIRECTCD.EXE
    C:\PROGRAM FILES\GRISOFT\AVG6\AVGCC32.EXE
    C:\WINDOWS\SYSTEM\STIMON.EXE
    C:\WINDOWS\GREASYPALMUPDATE.EXE
    C:\PROGRAM FILES\COMMON FILES\ADAPTEC SHARED\CREATECD\CREATECD50.EXE
    C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZONEALARM.EXE
    C:\PROGRAM FILES\HEWLETT-PACKARD\DIGITAL IMAGING\BIN\HPOTDD01.EXE
    C:\PROGRAM FILES\HEWLETT-PACKARD\DIGITAL IMAGING\BIN\HPOBNZ08.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\PROGRAM FILES\HEWLETT-PACKARD\DIGITAL IMAGING\BIN\HPOEVM08.EXE
    C:\WINDOWS\SYSTEM\HPZIPM12.EXE
    C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE10\OUTLOOK.EXE
    C:\WINDOWS\SYSTEM\PSTORES.EXE
    C:\PROGRAM FILES\HEWLETT-PACKARD\DIGITAL IMAGING\BIN\HPOSTS08.EXE
    C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
    C:\WINDOWS\TEMPORARY INTERNET FILES\CONTENT.IE5\GNTF6MBH\HIJACKTHIS[1].EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\SYSTEM\BAMMDMA.DLL/sp.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\SYSTEM\BAMMDMA.DLL/sp.html (obfuscated)
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\SYSTEM\BAMMDMA.DLL/sp.html (obfuscated)
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\SYSTEM\BAMMDMA.DLL/sp.html (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\SYSTEM\BAMMDMA.DLL/sp.html (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\SYSTEM\BAMMDMA.DLL/sp.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http://www-cache.freeserve.com:8080
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = <local>
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.freeserve.net/
    O2 - BHO: (no name) - {8272B062-BD4D-4EAD-A149-45B3CE3F5CDA} - C:\WINDOWS\GPALM.DLL
    O2 - BHO: (no name) - {89992281-B0A0-11D8-8067-4445801061DF} - C:\WINDOWS\SYSTEM\BAMMDMA.DLL
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O3 - Toolbar: Band Class - {8272B062-BD4D-4EAD-A149-45B3CE3F5CDA} - C:\WINDOWS\GPALM.DLL
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [MicroDialler] C:\Freeserve\FreeserveConnectionKit\atdialler1.exe
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [3dfx Tools] rundll32.exe 3dfxCmn.dll,UpdateRegSettings
    O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\GRISOFT\AVG6\avgcc32.exe /STARTUP
    O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
    O4 - HKLM\..\Run: [GreasyPalmUpdate] C:\WINDOWS\GreasyPalmUpdate.exe
    O4 - HKLM\..\Run: [CreateCD50] C:\PROGRA~1\COMMON~1\ADAPTE~1\CREATECD\CREATE~1.EXE -r
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [Avgserv9.exe] C:\PROGRA~1\GRISOFT\AVG6\Avgserv9.exe
    O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
    O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Startup: Update WinBMD.lnk = C:\Program Files\WinBMD\WiseUpdt.exe
    O4 - Startup: hpoddt01.exe.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
    O4 - Startup: hp instant support.lnk = C:\Program Files\Hewlett-Packard\hpis\bin\matcli.exe
    O4 - Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
    O4 - Global Startup: ZoneAlarm.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE10\EXCEL.EXE/3000
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37891.1852314815
    O16 - DPF: {4FAE30E1-EE9C-477D-8D06-BF8D3429B60F} (WebIQ Technology Client) - http://64.143.186.133/WebIQ/bin/WebIQ.cab
    O16 - DPF: {084F552D-19EB-4668-9788-984CBC781A8F} (AsyncDownloader Class) - http://survey.otxresearch.com/Preloader.dll
    O16 - DPF: {4D561B31-49A0-4E2C-8AFF-353468EC669B} (GreasyPalmInstallHelper Class) - http://www.greasypalm.co.uk/bho/update/GreasyPalm.cab
    O16 - DPF: {4C226336-4032-489F-9674-67E74225979B} (OTXMovie Class) - http://www.otxresearch.com/OTXMedia/OTXMedia.dll
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
     
    Last edited: Jun 10, 2004
  2. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    Re: trojan horse startpage.6.y

    Before you start, please unzip or move hijackthis to a separate folder. The program will make backups in the folder in the folder it's in.
    These easily get lost in a Temp folder or in the root of C: or get scattered all over the desktop and we need to empty the temp folders to remove the hijackers

    Run hijackthis, tick these entries listed below and ONLY these entries, double check to make sure, then make sure all browser & email windows are closed and press fix checked

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\SYSTEM\BAMMDMA.DLL/sp.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\SYSTEM\BAMMDMA.DLL/sp.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\SYSTEM\BAMMDMA.DLL/sp.html (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\SYSTEM\BAMMDMA.DLL/sp.html (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\SYSTEM\BAMMDMA.DLL/sp.html (obfuscated)
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\SYSTEM\BAMMDMA.DLL/sp.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    O2 - BHO: (no name) - {89992281-B0A0-11D8-8067-4445801061DF} - C:\WINDOWS\SYSTEM\BAMMDMA.DLL
    O16 - DPF: {4FAE30E1-EE9C-477D-8D06-BF8D3429B60F} (WebIQ Technology Client) - http://64.143.186.133/WebIQ/bin/WebIQ.cab
    O16 - DPF: {084F552D-19EB-4668-9788-984CBC781A8F} (AsyncDownloader Class) - http://survey.otxresearch.com/Preloader.dll
    O16 - DPF: {4C226336-4032-489F-9674-67E74225979B} (OTXMovie Class) - http://www.otxresearch.com/OTXMedia/OTXMedia.dll

    Reboot into safe mode by following instructions here: http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406
    then as some of the files or folders you need to delete may be hidden do this:
    Open Windows Explorer & Go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and untick "hide extensions for known file types" . Now click "Apply to all folders"
    Click "Apply" then "OK"

    Delete these files

    C:\WINDOWS\SYSTEM\BAMMDMA.DLL
    reboot &

    download startdreck from http://members.blackbox.net/hp_links/21/nikolaus.rameis/download/startdreck.htm

    and download http://www10.brinkster.com/expl0iter/freeatlast/Win98Fix.zip

    unzipstartdreck to the desktop
    DoubleClick: 'StartDreck.exe'
    Hit: config
    hit: Unmark all
    Check these boxes only:
    Registry->run keys
    System/drivers> Running processes
    hit >ok.

    Check specificly for this entry in the log :

    »Local Machine
    »RunServicesOnce
    **ozkc=rundll32 C:\WINDOWS\SYSTEM\XXXXX.DLL,StreamingDeviceSetup


    After identifying the dll, proceed with :

    use the win9xfix you downloaded earlier, also unzip that to the desktop
    -DoubleClick on: 'RunFix.reg' file, hit 'yes'
    on the prompt!
    -Restart computer!
    -File should be visible!
    -Do 'find files' for dll listed on log, delete.
    *Note: Be sure to Save the StartDreck log before, so
    you you'd be able to find the file later!
    If lost (Since nothing else will find it when not hooked)
    Simply run the included: "who.bat", file
    will be found & listed
    in "Badfile.txt".

    It should be located in C:\WINDOWS\SYSTEM\XXXXX.dll

    any queries post back and we'll talk you through it in small steps
     
    Last edited: Jun 10, 2004
  3. Dipsy

    Dipsy Registered Member

    Joined:
    Jun 9, 2004
    Posts:
    6
    Derek

    thanks for your help, so far I've got as far as downloading startdeck from the link you gave. When I go to the next link you've given I'm unsure what I'm downloading as it says the link has moved. Please can you point me in the right direction again?

    Thanks very much again!!!

    Debbie
     
  4. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    Hi Debbie,

    That site works for me. The program you need to download there is Win98Fix.zip

    Regards,

    Pieter
     
  5. Dipsy

    Dipsy Registered Member

    Joined:
    Jun 9, 2004
    Posts:
    6
    hi

    Thanks for that - I've now downloaded both those and unzipped them succesfully. I've opened startdeck and I can find runservicesonce but the file specified isn't there **ozkc..... am I ok to carry on with the rest of the instructions?
     
  6. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    Can you post the StartDreck log, so I can have a look, please?

    Regards,

    Pieter
     
  7. Dipsy

    Dipsy Registered Member

    Joined:
    Jun 9, 2004
    Posts:
    6
    here it is...

    StartDreck (build 2.1.5 public BETA) - 2004-06-10 @ 11:20:45
    Platform: Windows 98 SE (Win 4.10.2222 A)

    »Registry
    »Run Keys
    »Current User
    »Run
    »RunOnce
    »Default User
    »Run
    »RunOnce
    »Local Machine
    »Run
    *ScanRegistry=C:\WINDOWS\scanregw.exe /autorun
    *TaskMonitor=C:\WINDOWS\taskmon.exe
    *SystemTray=SysTray.Exe
    *LoadPowerProfile=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    *MicroDialler=C:\Freeserve\FreeserveConnectionKit\atdialler1.exe
    *AdaptecDirectCD="C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
    *3dfx Tools=rundll32.exe 3dfxCmn.dll,UpdateRegSettings
    *AVG_CC=C:\PROGRA~1\GRISOFT\AVG6\avgcc32.exe /STARTUP
    *StillImageMonitor=C:\WINDOWS\SYSTEM\STIMON.EXE
    *GreasyPalmUpdate=C:\WINDOWS\GreasyPalmUpdate.exe
    *CreateCD50=C:\PROGRA~1\COMMON~1\ADAPTE~1\CREATECD\CREATE~1.EXE -r
    *Installed=1
    *Installed=1
    *NoChange=1
    *Installed=1
    »RunOnce
    »RunServices
    *LoadPowerProfile=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    *SchedulingAgent=mstask.exe
    *Avgserv9.exe=C:\PROGRA~1\GRISOFT\AVG6\Avgserv9.exe
    *TrueVector=C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
    »RunServicesOnce
    »RunOnceEx
    »RunServicesOnceEx
    »Files
    »System/Drivers
    »Running Processes
    *FF0FE411=C:\WINDOWS\SYSTEM\KERNEL32.DLL
    *FFFFB089=C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    *FFFFA739=C:\WINDOWS\SYSTEM\MPREXE.EXE
    *FFFE5EF9=C:\WINDOWS\SYSTEM\mmtask.tsk
    *FFFE36C5=C:\WINDOWS\SYSTEM\MSTASK.EXE
    *FFFE3B2D=C:\PROGRAM FILES\GRISOFT\AVG6\AVGSERV9.EXE
    *FFFE2FB9=C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
    *FFFEFBA1=C:\WINDOWS\EXPLORER.EXE
    *FFFC03A1=C:\WINDOWS\TASKMON.EXE
    *FFFC0A51=C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    *FFFCFB21=C:\FREESERVE\FREESERVECONNECTIONKIT\ATDIALLER1.EXE
    *FFFCCEC5=C:\PROGRAM FILES\ADAPTEC\EASY CD CREATOR 5\DIRECTCD\DIRECTCD.EXE
    *FFFB5BA9=C:\PROGRAM FILES\GRISOFT\AVG6\AVGCC32.EXE
    *FFFB1875=C:\WINDOWS\SYSTEM\STIMON.EXE
    *FFFB1971=C:\WINDOWS\GREASYPALMUPDATE.EXE
    *FFFB3825=C:\PROGRAM FILES\COMMON FILES\ADAPTEC SHARED\CREATECD\CREATECD50.EXE
    *FFFBE5FD=C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZONEALARM.EXE
    *FFFA3525=C:\PROGRAM FILES\HEWLETT-PACKARD\DIGITAL IMAGING\BIN\HPOTDD01.EXE
    *FFFAFAE9=C:\PROGRAM FILES\HEWLETT-PACKARD\DIGITAL IMAGING\BIN\HPOBNZ08.EXE
    *FFFA8C3D=C:\WINDOWS\SYSTEM\WMIEXE.EXE
    *FFF96965=C:\WINDOWS\SYSTEM\SPOOL32.EXE
    *FFF80AED=C:\PROGRAM FILES\HEWLETT-PACKARD\DIGITAL IMAGING\BIN\HPOEVM08.EXE
    *FFF89E0D=C:\WINDOWS\SYSTEM\HPZIPM12.EXE
    *FFF90DC1=C:\PROGRAM FILES\HEWLETT-PACKARD\DIGITAL IMAGING\BIN\HPOSTS08.EXE
    *FFF814B9=C:\WINDOWS\SYSTEM\DDHELP.EXE
    *FFF70885=C:\WINDOWS\SYSTEM\PSTORES.EXE
    *FFF65339=C:\WINDOWS\SYSTEM\RNAAPP.EXE
    *FFF67BAD=C:\WINDOWS\SYSTEM\TAPISRV.EXE
    *FFF4F06D=C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE10\OUTLOOK.EXE
    *FFF680F1=C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
    *FFF21315=C:\STARTDECK\STARTDRECK.EXE
    »Application specific
     
  8. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    You are right. It is not there (anymore?)

    Could you please reboot, access the internet and then run HijackThis.
    Post that log, so we can check.

    Regards,

    Pieter
     
  9. Dipsy

    Dipsy Registered Member

    Joined:
    Jun 9, 2004
    Posts:
    6
    Pieter this is the new hijackthislog after I rebooted ...

    Logfile of HijackThis v1.97.7
    Scan saved at 11:47:50 AM, on 6/10/04
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\PROGRAM FILES\GRISOFT\AVG6\AVGSERV9.EXE
    C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\SYSTEM\RNAAPP.EXE
    C:\WINDOWS\SYSTEM\TAPISRV.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\FREESERVE\FREESERVECONNECTIONKIT\ATDIALLER1.EXE
    C:\PROGRAM FILES\ADAPTEC\EASY CD CREATOR 5\DIRECTCD\DIRECTCD.EXE
    C:\PROGRAM FILES\GRISOFT\AVG6\AVGCC32.EXE
    C:\WINDOWS\SYSTEM\STIMON.EXE
    C:\WINDOWS\GREASYPALMUPDATE.EXE
    C:\PROGRAM FILES\COMMON FILES\ADAPTEC SHARED\CREATECD\CREATECD50.EXE
    C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZONEALARM.EXE
    C:\PROGRAM FILES\HEWLETT-PACKARD\DIGITAL IMAGING\BIN\HPOTDD01.EXE
    C:\PROGRAM FILES\HEWLETT-PACKARD\DIGITAL IMAGING\BIN\HPOBNZ08.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\PROGRAM FILES\HEWLETT-PACKARD\DIGITAL IMAGING\BIN\HPOEVM08.EXE
    C:\WINDOWS\SYSTEM\HPZIPM12.EXE
    C:\PROGRAM FILES\HEWLETT-PACKARD\DIGITAL IMAGING\BIN\HPOSTS08.EXE
    C:\HIJACK THIS\HIJACKTHIS[1].EXE

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.chickstop.co.uk/
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http://www-cache.freeserve.com:8080
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.freeserve.net/
    O2 - BHO: (no name) - {8272B062-BD4D-4EAD-A149-45B3CE3F5CDA} - C:\WINDOWS\GPALM.DLL
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O3 - Toolbar: Band Class - {8272B062-BD4D-4EAD-A149-45B3CE3F5CDA} - C:\WINDOWS\GPALM.DLL
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [MicroDialler] C:\Freeserve\FreeserveConnectionKit\atdialler1.exe
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [3dfx Tools] rundll32.exe 3dfxCmn.dll,UpdateRegSettings
    O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\GRISOFT\AVG6\avgcc32.exe /STARTUP
    O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
    O4 - HKLM\..\Run: [GreasyPalmUpdate] C:\WINDOWS\GreasyPalmUpdate.exe
    O4 - HKLM\..\Run: [CreateCD50] C:\PROGRA~1\COMMON~1\ADAPTE~1\CREATECD\CREATE~1.EXE -r
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [Avgserv9.exe] C:\PROGRA~1\GRISOFT\AVG6\Avgserv9.exe
    O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
    O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Startup: Update WinBMD.lnk = C:\Program Files\WinBMD\WiseUpdt.exe
    O4 - Startup: hpoddt01.exe.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
    O4 - Startup: hp instant support.lnk = C:\Program Files\Hewlett-Packard\hpis\bin\matcli.exe
    O4 - Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
    O4 - Global Startup: ZoneAlarm.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE10\EXCEL.EXE/3000
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37891.1852314815
    O16 - DPF: {4D561B31-49A0-4E2C-8AFF-353468EC669B} (GreasyPalmInstallHelper Class) - http://www.greasypalm.co.uk/bho/update/GreasyPalm.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab

    Thanks again for all your doing to help!

    Debbie
     
  10. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
  11. Dipsy

    Dipsy Registered Member

    Joined:
    Jun 9, 2004
    Posts:
    6
    Brilliant!!

    Thanks very much Pieter and Derek for sorting that out for me I'm very grateful!

    Cheers
    Debbie
    :)
     
Thread Status:
Not open for further replies.