Help Wanted: Hijack This log Attached

Here is my story:

I have kept my PC relatively clean from scumware for some time. For a long time I have owned and use Adaware. Recently I was on the web and my eTrust EZ Antivirus started giving me lots of warnings about Trojans. I turned off the router but I think it was too late. After running Adaware I found: CW Search, When U..., Turbo Download, Promulgate, and VX2 Better Internet. I deleted all that pluss a lot more, but the PC was still showing that it wanted to connect to the web and download things automaticaly. Next, I tried CW Shredder because of the CW thing, but the PC is still showing signs of a hijack (trying to download GAIN, and toolbar stuff)

Now that leads me to here. Is it true that you guys fight evil and scum in the world and will look at my hijack this log? (I forgot to mention that I did download hijack this and the log is pasted below.) I would be very much appreciative if one of you could look at this log and tell me what to do next. Thanks!

*****

Logfile of HijackThis v1.97.7
Scan saved at 10:14:48 PM, on 6/2/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v5.50 (5.50.4134.0600)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\INTEL\ANYPOINT\APSERVER.EXE
C:\PROGRAM FILES\INTEL\ANYPOINT\BLACKD.EXE
C:\PROGRAM FILES\COMMON FILES\WINTOOLS\WTOOLSA.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\PROGRAM FILES\COMMON FILES\WINTOOLS\WSUP.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\MOUSE\SYSTEM\EM_EXEC.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\WINDOWS\SYSTEM\VETMSG9X.EXE
C:\PROGRAM FILES\INOCULATEIT PE\VETTRAY.EXE
C:\WINDOWS\SYSTEM32\DRIVERS\KODAKCCS.EXE
C:\WINDOWS\TEMP\XZ.EXE
C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\WORKS SHARED\WKCALREM.EXE
C:\QUICKENW\QWDLLS.EXE
C:\PROGRAM FILES\INTEL\ANYPOINT\DSHMAP.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\QBOOKSW\COMPONENTS\QBAGENT\QBDAGENT2001.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\MRTMNGR.EXE
C:\WINDOWS\SYSTEM\GSDJX6.EXE
C:\PROGRAM FILES\KODAK\KODAK SOFTWARE UPDATER\7288971\PROGRAM\BACKWEB-7288971.EXE
C:\WINDOWS\SYSTEM\EBWQSH.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\HIJACKTHIS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.startribune.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - Default URLSearchHook is missing
F1 - win.ini: run=hpfsched
O2 - BHO: Yahoo! Companion BHO - {13F537F0-AF09-11d6-9029-0002B31F9E59} - C:\PROGRAM FILES\YAHOO!\COMPANION\YCOMP5_0_2_4.DLL
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\windows\downloaded program files\googletoolbar2.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\YCOMP5_0_2_4.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\downloaded program files\googletoolbar2.dll
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.ExE
O4 - HKLM\..\Run: [EM_EXEC] c:\mouse\system\em_exec.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [VsEcomrEXE] C:\Program Files\Network Associates\McAfee VirusScan\vsecomr.exe
O4 - HKLM\..\Run: [TCASUTIEXE] TCAUDIAG -off
O4 - HKLM\..\Run: [cAg0u] C:\WINDOWS\SYSTEM\0BAF19A2.hta
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Vet Alert] C:\WINDOWS\System\VetMsg9x.exe
O4 - HKLM\..\Run: [VetTray] C:\PROGRA~1\INOCUL~1\VETTRAY.EXE
O4 - HKLM\..\Run: [KodakCCS] c:\windows\System32\Drivers\KodakCCS.exe
O4 - HKLM\..\Run: [Xz] C:\WINDOWS\TEMP\XZ.EXE
O4 - HKLM\..\Run: [DBCBCPO] C:\WINDOWS\SYSTEM\DBCBCPO.exe
O4 - HKLM\..\Run: [47MSJ2W3J7PQJE] C:\WINDOWS\SYSTEM\Qxcn74j.exe
O4 - HKLM\..\Run: [Dsi] C:\WINDOWS\SYSTEM\DP-HIM.EXE
O4 - HKLM\..\Run: [atqcrpul] C:\WINDOWS\SYSTEM\yxpmim.exe
O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common files\WinTools\WToolsA.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [McAfeeWebScanX] C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\WebScanX.Exe /RUNSERVICES
O4 - HKLM\..\RunServices: [ENSApServer2_0] C:\Program Files\Intel\AnyPoint\APSERVER.EXE
O4 - HKLM\..\RunServices: [LoadBlackD] C:\Program Files\Intel\AnyPoint\blackd.exe
O4 - HKLM\..\RunServices: [WinTools] C:\Program Files\Common files\WinTools\WToolsA.exe
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [DictionaryToGo] C:\PROGRA~1\LEARNI~1\DICTIO~1\Stub32.exe -tugak:init
O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
O4 - Startup: SoftStuff Wallpaper Changer.lnk = C:\Softstuf\softstrt.exe
O4 - Startup: HotSync Manager.lnk = C:\Palm\hotsync.exe
O4 - Startup: Quicken Startup.lnk = C:\QUICKENW\QWDLLS.EXE
O4 - Startup: Billminder.lnk = C:\QUICKENW\BILLMIND.EXE
O4 - Startup: Sharing and Mapping Software.lnk = C:\Program Files\Intel\AnyPoint\DShmap.exe
O4 - Startup: Wireless Control Panel.lnk = C:\Program Files\Intel\AnyPoint\wcpanel.exe
O4 - Startup: HumanClick.lnk = C:\Program Files\HumanClick\hc.exe
O4 - Startup: QuickBooks 2001 Delivery Agent.lnk = C:\QBOOKSW\Components\QBAgent\qbdagent2001.exe
O4 - Startup: Internet Sharing Server.lnk = C:\Program Files\Intel\AnyPoint\iss_srvr.exe
O4 - Startup: Kodak EasyShare software.lnk = C:\WINDOWS\Application Data\Microsoft\Installer\{9D8FEE90-0377-49A9-AEFB-525BDE549BA4}\NewShortcut1.exe
O4 - Startup: Gator eWallet.lnk = ?
O4 - Startup: KODAK Software Updater.lnk = C:\WINDOWS\Application Data\Microsoft\Installer\{B997C2A0-4383-41BF-B76E-9B8B7ECFB267}\Backweb.exe
O8 - Extra context menu item: Fill Forms &] - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: Save Forms &[ - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O8 - Extra context menu item: Customize Menu &4 - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: &Google Search - res://C:\WINDOWS\DOWNLOADED PROGRAM FILES\GOOGLETOOLBAR2.DLL/cmsearch.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\WINDOWS\DOWNLOADED PROGRAM FILES\GOOGLETOOLBAR2.DLL/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\WINDOWS\DOWNLOADED PROGRAM FILES\GOOGLETOOLBAR2.DLL/cmsimilar.html
O8 - Extra context menu item: Backward &Links - res://C:\WINDOWS\DOWNLOADED PROGRAM FILES\GOOGLETOOLBAR2.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate into English - res://C:\WINDOWS\DOWNLOADED PROGRAM FILES\GOOGLETOOLBAR2.DLL/cmtrans.html
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: RoboForm (HKLM)
O9 - Extra 'Tools' menuitem: RF Toolbar &2 (HKLM)
O9 - Extra button: Fill Forms (HKLM)
O9 - Extra 'Tools' menuitem: Fill Forms &] (HKLM)
O9 - Extra button: Save (HKLM)
O9 - Extra 'Tools' menuitem: Save Forms &[ (HKLM)
O9 - Extra 'Tools' menuitem: MaxSpeed (HKLM)
O9 - Extra button: Dell Home (HKCU)
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (&Yahoo! Companion) - http://download.yahoo.com/dl/toolbar/yiebio2.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/swdir8d205.cab
O16 - DPF: {0C98419E-324F-11D3-9A23-00C04FF40D52} (McAfee Clinic AV Installer Control) - http://download.mcafee.com/molbin/clinic/virusscan/mgavinst.cab
O16 - DPF: {CDB74794-A3BA-4733-B6F6-59BF16D6C15A} (McAfee Smart Shop - Update Class) - http://download.mcafee.com/molbin/mcaeng/mcsmtshp.cab
O16 - DPF: {99B42120-6EC7-11CF-A6C7-00AA00A47DD2} (Label Object) - http://activex.microsoft.com/controls/iexplorer/x86/ielabel.cab
O16 - DPF: {6CB5E471-C305-11D3-99A8-000086395495} - http://toolbar.google.com/navclient/data/deleon/1.1.44-deleon/GoogleNav.cab
O16 - DPF: Yahoo! Chess - http://download.yahoo.com/games/clients/y/cr1_x.cab
O16 - DPF: Yahoo! Dominoes - http://download.yahoo.com/games/clients/y/dor1_x.cab
O16 - DPF: Yahoo! Blackjack - http://download.yahoo.com/games/clients/y/jr2_x.cab
O16 - DPF: {21F49842-BFA9-11D2-A89C-00104B62BDDA} (ChartFX IE 2000 Control) - http://www.weightwatchers.com/download/CfxIEAx.cab
O16 - DPF: {E87A6788-1D0F-4444-8898-1D25829B6755} (MSN Chat Control 4.0) - http://fdl.msn.com/public/chat/msnchat4.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - https://components.viewpoint.com/MT...ecabinetry.com/Products/product.asp?DSFID=236
O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://content-g.kontiki.com/kdx/v2.10/kontiki/kontiki/current/kdx.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: LiveWorld EZTalk 3.0 - http://live.liveworld.com/java/ezmed/ezmed.cab
O16 - DPF: {ABD45F35-2E4C-44C0-A075-6EF1DE75398E} - http://www.riversoftware.net/x0ff.cab
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnview95.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = qwest.net
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 204.147.80.5,204.147.80.1

 

Hi Ulric,

Download and run: http://www.memorywatcher.com/uninst.exe
The program needs internet access to finish.

Check the items listed below in HijackThis, close all windows except HijackThis and click Fix checked:

R3 - Default URLSearchHook is missing

O4 - HKLM\..\Run: [cAg0u] C:\WINDOWS\SYSTEM\0BAF19A2.hta

O4 - HKLM\..\Run: [Xz] C:\WINDOWS\TEMP\XZ.EXE
O4 - HKLM\..\Run: [DBCBCPO] C:\WINDOWS\SYSTEM\DBCBCPO.exe
O4 - HKLM\..\Run: [47MSJ2W3J7PQJE] C:\WINDOWS\SYSTEM\Qxcn74j.exe
O4 - HKLM\..\Run: [Dsi] C:\WINDOWS\SYSTEM\DP-HIM.EXE
O4 - HKLM\..\Run: [atqcrpul] C:\WINDOWS\SYSTEM\yxpmim.exe
O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common files\WinTools\WToolsA.exe

O4 - HKLM\..\RunServices: [WinTools] C:\Program Files\Common files\WinTools\WToolsA.exe

O4 - Startup: Gator eWallet.lnk = ?
O4 - Startup: KODAK Software Updater.lnk = C:\WINDOWS\Application Data\Microsoft\Installer\{B997C2A0-4383-41BF-B76E-9B8B7ECFB267}\Backweb.exe

O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://content-g.kontiki.com/kdx/v2.10/kontiki/kontiki/current/kdx.cab

O16 - DPF: {ABD45F35-2E4C-44C0-A075-6EF1DE75398E} - http://www.riversoftware.net/x0ff.cab

Then reboot into safe mode and delete:
C:\Program Files\Common files\WinTools <= entire folder
C:\WINDOWS\SYSTEM\yxpmim.exe

Could you open C:\WINDOWS\SYSTEM\0BAF19A2.hta in notepad and post the content please?
NOTE: do not doubleclick it, but rightclick and choose Open with>>>> Notepad

Regards,

Pieter

 

Pieter:

Thanks for the guidance.

I followed your instructions accordingly and everything seemed to work as planned except for the following:

1) You asked that I check the file "04-HKLM\..\Run: [47MSJ2W3J7PQJE] C:\WINDOWS\SYSTEM\Qxcn74j.exe" and include it with the list of files to be "fixed" however, as much as I looked and looked, I could not find this file in the High Jack This list.

2) After rebooting in safe mode, I was able to find and delete the entire Win Tools folder, however, I could not find (hence I could not delete) C:\WINDOWS\SYSTEM\yxpmim.exe.

3) I cannot display for you the contents of C:\WINDOWS\SYSTEM\0BAF19A2.hta because, again, I could not locate this file in Windows Explorer.

While searching for the files mentioned above, I tried sorting by name, and by file type, but to no avail. I even used the find tool in the Windows Explorer "Tools" menu, but still I cannot find these files. Is it possible that some other action I may have taken in the last 24 hours could have caused the files to disappear from the Windows\system folder? If these files are truly gone, then should I be at all concerned?

Incidentally, I failed to mention that between the time you posted your advice for me and the time I attempted the recommended fixes, I did update my Windows Internet Explorer for security updates.

As far as everything else is concerned, the computer is running, much, much better and there are less delays at the start-up.

Thanks for all you advice, and please let me know if there are additional steps to be taking, to make sure my PC is rid of all that scum that was lurking within.

Thanks.
Ulric

 

Hi Ulric,

Post a new HijackThis log, so we can see if everything is at least disabled that was pestering you.

Regards,

Pieter

 

Here is my latest log...

Logfile of HijackThis v1.97.7
Scan saved at 11:38:05 PM, on 6/6/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v5.50 (5.50.4134.0600)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\INTEL\ANYPOINT\APSERVER.EXE
C:\PROGRAM FILES\INTEL\ANYPOINT\BLACKD.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\MOUSE\SYSTEM\EM_EXEC.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\WINDOWS\SYSTEM\VETMSG9X.EXE
C:\PROGRAM FILES\INOCULATEIT PE\VETTRAY.EXE
C:\WINDOWS\SYSTEM32\DRIVERS\KODAKCCS.EXE
C:\PROGRAM FILES\SIBER SYSTEMS\AI ROBOFORM\ROBOTASKBARICON.EXE
C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\WORKS SHARED\WKCALREM.EXE
C:\PALM\HOTSYNC.EXE
C:\QUICKENW\QWDLLS.EXE
C:\PROGRAM FILES\INTEL\ANYPOINT\DSHMAP.EXE
C:\PROGRAM FILES\HUMANCLICK\HC.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\QBOOKSW\COMPONENTS\QBAGENT\QBDAGENT2001.EXE
C:\WINDOWS\SYSTEM\MRTMNGR.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\HIJACKTHIS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.startribune.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
F1 - win.ini: run=hpfsched
O2 - BHO: Yahoo! Companion BHO - {13F537F0-AF09-11d6-9029-0002B31F9E59} - C:\PROGRAM FILES\YAHOO!\COMPANION\YCOMP5_0_2_4.DLL
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\windows\downloaded program files\googletoolbar2.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\YCOMP5_0_2_4.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\downloaded program files\googletoolbar2.dll
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.ExE
O4 - HKLM\..\Run: [EM_EXEC] c:\mouse\system\em_exec.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [VsEcomrEXE] C:\Program Files\Network Associates\McAfee VirusScan\vsecomr.exe
O4 - HKLM\..\Run: [TCASUTIEXE] TCAUDIAG -off
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Vet Alert] C:\WINDOWS\System\VetMsg9x.exe
O4 - HKLM\..\Run: [VetTray] C:\PROGRA~1\INOCUL~1\VETTRAY.EXE
O4 - HKLM\..\Run: [KodakCCS] c:\windows\System32\Drivers\KodakCCS.exe
O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common files\WinTools\WToolsA.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [McAfeeWebScanX] C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\WebScanX.Exe /RUNSERVICES
O4 - HKLM\..\RunServices: [ENSApServer2_0] C:\Program Files\Intel\AnyPoint\APSERVER.EXE
O4 - HKLM\..\RunServices: [LoadBlackD] C:\Program Files\Intel\AnyPoint\blackd.exe
O4 - HKLM\..\RunServices: [WinTools] C:\Program Files\Common files\WinTools\WToolsA.exe
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [DictionaryToGo] C:\PROGRA~1\LEARNI~1\DICTIO~1\Stub32.exe -tugak:init
O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
O4 - Startup: SoftStuff Wallpaper Changer.lnk = C:\Softstuf\softstrt.exe
O4 - Startup: HotSync Manager.lnk = C:\Palm\hotsync.exe
O4 - Startup: Quicken Startup.lnk = C:\QUICKENW\QWDLLS.EXE
O4 - Startup: Billminder.lnk = C:\QUICKENW\BILLMIND.EXE
O4 - Startup: Sharing and Mapping Software.lnk = C:\Program Files\Intel\AnyPoint\DShmap.exe
O4 - Startup: Wireless Control Panel.lnk = C:\Program Files\Intel\AnyPoint\wcpanel.exe
O4 - Startup: HumanClick.lnk = C:\Program Files\HumanClick\hc.exe
O4 - Startup: QuickBooks 2001 Delivery Agent.lnk = C:\QBOOKSW\Components\QBAgent\qbdagent2001.exe
O4 - Startup: Internet Sharing Server.lnk = C:\Program Files\Intel\AnyPoint\iss_srvr.exe
O4 - Startup: Kodak EasyShare software.lnk = C:\WINDOWS\Application Data\Microsoft\Installer\{9D8FEE90-0377-49A9-AEFB-525BDE549BA4}\NewShortcut1.exe
O8 - Extra context menu item: Fill Forms &] - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: Save Forms &[ - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O8 - Extra context menu item: Customize Menu &4 - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: &Google Search - res://C:\WINDOWS\DOWNLOADED PROGRAM FILES\GOOGLETOOLBAR2.DLL/cmsearch.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\WINDOWS\DOWNLOADED PROGRAM FILES\GOOGLETOOLBAR2.DLL/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\WINDOWS\DOWNLOADED PROGRAM FILES\GOOGLETOOLBAR2.DLL/cmsimilar.html
O8 - Extra context menu item: Backward &Links - res://C:\WINDOWS\DOWNLOADED PROGRAM FILES\GOOGLETOOLBAR2.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate into English - res://C:\WINDOWS\DOWNLOADED PROGRAM FILES\GOOGLETOOLBAR2.DLL/cmtrans.html
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: RoboForm (HKLM)
O9 - Extra 'Tools' menuitem: RF Toolbar &2 (HKLM)
O9 - Extra button: Fill Forms (HKLM)
O9 - Extra 'Tools' menuitem: Fill Forms &] (HKLM)
O9 - Extra button: Save (HKLM)
O9 - Extra 'Tools' menuitem: Save Forms &[ (HKLM)
O9 - Extra 'Tools' menuitem: MaxSpeed (HKLM)
O9 - Extra button: Dell Home (HKCU)
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (&Yahoo! Companion) - http://download.yahoo.com/dl/toolbar/yiebio2.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/swdir8d205.cab
O16 - DPF: {0C98419E-324F-11D3-9A23-00C04FF40D52} (McAfee Clinic AV Installer Control) - http://download.mcafee.com/molbin/clinic/virusscan/mgavinst.cab
O16 - DPF: {CDB74794-A3BA-4733-B6F6-59BF16D6C15A} (McAfee Smart Shop - Update Class) - http://download.mcafee.com/molbin/mcaeng/mcsmtshp.cab
O16 - DPF: {99B42120-6EC7-11CF-A6C7-00AA00A47DD2} (Label Object) - http://activex.microsoft.com/controls/iexplorer/x86/ielabel.cab
O16 - DPF: {6CB5E471-C305-11D3-99A8-000086395495} - http://toolbar.google.com/navclient/data/deleon/1.1.44-deleon/GoogleNav.cab
O16 - DPF: Yahoo! Chess - http://download.yahoo.com/games/clients/y/cr1_x.cab
O16 - DPF: Yahoo! Dominoes - http://download.yahoo.com/games/clients/y/dor1_x.cab
O16 - DPF: Yahoo! Blackjack - http://download.yahoo.com/games/clients/y/jr2_x.cab
O16 - DPF: {21F49842-BFA9-11D2-A89C-00104B62BDDA} (ChartFX IE 2000 Control) - http://www.weightwatchers.com/download/CfxIEAx.cab
O16 - DPF: {E87A6788-1D0F-4444-8898-1D25829B6755} (MSN Chat Control 4.0) - http://fdl.msn.com/public/chat/msnchat4.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - https://components.viewpoint.com/MT...ecabinetry.com/Products/product.asp?DSFID=236
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: LiveWorld EZTalk 3.0 - http://live.liveworld.com/java/ezmed/ezmed.cab
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnview95.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?38142.7657523148
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = qwest.net
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 204.147.80.5,204.147.80.1

 

Hi Ulric,

Just some leftovers.

Check the items listed below in HijackThis, close all windows except HijackThis and click Fix checked:

O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common files\WinTools\WToolsA.exe

O4 - HKLM\..\RunServices: [WinTools] C:\Program Files\Common files\WinTools\WToolsA.exe

Please read: Why did I get infected in the first place

Regards,

Pieter