Help Wanted: Hijack This log Attached

Discussion in 'adware, spyware & hijack cleaning' started by Ulric, Jun 2, 2004.

Thread Status:
Not open for further replies.
  1. Ulric

    Ulric Registered Member

    Joined:
    Jun 2, 2004
    Posts:
    3
    Location:
    Minnesota, USA
    Here is my story:

    I have kept my PC relatively clean from scumware for some time. For a long time I have owned and use Adaware. Recently I was on the web and my eTrust EZ Antivirus started giving me lots of warnings about Trojans. I turned off the router but I think it was too late. After running Adaware I found: CW Search, When U..., Turbo Download, Promulgate, and VX2 Better Internet. I deleted all that pluss a lot more, but the PC was still showing that it wanted to connect to the web and download things automaticaly. Next, I tried CW Shredder because of the CW thing, but the PC is still showing signs of a hijack (trying to download GAIN, and toolbar stuff)

    Now that leads me to here. Is it true that you guys fight evil and scum in the world and will look at my hijack this log? (I forgot to mention that I did download hijack this and the log is pasted below.) I would be very much appreciative if one of you could look at this log and tell me what to do next. Thanks!

    *****

    Logfile of HijackThis v1.97.7
    Scan saved at 10:14:48 PM, on 6/2/04
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v5.50 (5.50.4134.0600)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\PROGRAM FILES\INTEL\ANYPOINT\APSERVER.EXE
    C:\PROGRAM FILES\INTEL\ANYPOINT\BLACKD.EXE
    C:\PROGRAM FILES\COMMON FILES\WINTOOLS\WTOOLSA.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\PROGRAM FILES\COMMON FILES\WINTOOLS\WSUP.EXE
    C:\WINDOWS\SYSTEM\RNAAPP.EXE
    C:\WINDOWS\SYSTEM\TAPISRV.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\MOUSE\SYSTEM\EM_EXEC.EXE
    C:\WINDOWS\SYSTEM\STIMON.EXE
    C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
    C:\WINDOWS\SYSTEM\VETMSG9X.EXE
    C:\PROGRAM FILES\INOCULATEIT PE\VETTRAY.EXE
    C:\WINDOWS\SYSTEM32\DRIVERS\KODAKCCS.EXE
    C:\WINDOWS\TEMP\XZ.EXE
    C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\WORKS SHARED\WKCALREM.EXE
    C:\QUICKENW\QWDLLS.EXE
    C:\PROGRAM FILES\INTEL\ANYPOINT\DSHMAP.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\QBOOKSW\COMPONENTS\QBAGENT\QBDAGENT2001.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\WINDOWS\SYSTEM\MRTMNGR.EXE
    C:\WINDOWS\SYSTEM\GSDJX6.EXE
    C:\PROGRAM FILES\KODAK\KODAK SOFTWARE UPDATER\7288971\PROGRAM\BACKWEB-7288971.EXE
    C:\WINDOWS\SYSTEM\EBWQSH.EXE
    C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
    C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
    C:\WINDOWS\SYSTEM\PSTORES.EXE
    C:\HIJACKTHIS\HIJACKTHIS.EXE

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.startribune.com/
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
    R3 - Default URLSearchHook is missing
    F1 - win.ini: run=hpfsched
    O2 - BHO: Yahoo! Companion BHO - {13F537F0-AF09-11d6-9029-0002B31F9E59} - C:\PROGRAM FILES\YAHOO!\COMPANION\YCOMP5_0_2_4.DLL
    O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\windows\downloaded program files\googletoolbar2.dll
    O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
    O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\YCOMP5_0_2_4.DLL
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\downloaded program files\googletoolbar2.dll
    O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.ExE
    O4 - HKLM\..\Run: [EM_EXEC] c:\mouse\system\em_exec.exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [VsEcomrEXE] C:\Program Files\Network Associates\McAfee VirusScan\vsecomr.exe
    O4 - HKLM\..\Run: [TCASUTIEXE] TCAUDIAG -off
    O4 - HKLM\..\Run: [cAg0u] C:\WINDOWS\SYSTEM\0BAF19A2.hta
    O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
    O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [Vet Alert] C:\WINDOWS\System\VetMsg9x.exe
    O4 - HKLM\..\Run: [VetTray] C:\PROGRA~1\INOCUL~1\VETTRAY.EXE
    O4 - HKLM\..\Run: [KodakCCS] c:\windows\System32\Drivers\KodakCCS.exe
    O4 - HKLM\..\Run: [Xz] C:\WINDOWS\TEMP\XZ.EXE
    O4 - HKLM\..\Run: [DBCBCPO] C:\WINDOWS\SYSTEM\DBCBCPO.exe
    O4 - HKLM\..\Run: [47MSJ2W3J7PQJE] C:\WINDOWS\SYSTEM\Qxcn74j.exe
    O4 - HKLM\..\Run: [Dsi] C:\WINDOWS\SYSTEM\DP-HIM.EXE
    O4 - HKLM\..\Run: [atqcrpul] C:\WINDOWS\SYSTEM\yxpmim.exe
    O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common files\WinTools\WToolsA.exe
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [McAfeeWebScanX] C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\WebScanX.Exe /RUNSERVICES
    O4 - HKLM\..\RunServices: [ENSApServer2_0] C:\Program Files\Intel\AnyPoint\APSERVER.EXE
    O4 - HKLM\..\RunServices: [LoadBlackD] C:\Program Files\Intel\AnyPoint\blackd.exe
    O4 - HKLM\..\RunServices: [WinTools] C:\Program Files\Common files\WinTools\WToolsA.exe
    O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
    O4 - HKCU\..\Run: [DictionaryToGo] C:\PROGRA~1\LEARNI~1\DICTIO~1\Stub32.exe -tugak:init
    O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
    O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
    O4 - Startup: SoftStuff Wallpaper Changer.lnk = C:\Softstuf\softstrt.exe
    O4 - Startup: HotSync Manager.lnk = C:\Palm\hotsync.exe
    O4 - Startup: Quicken Startup.lnk = C:\QUICKENW\QWDLLS.EXE
    O4 - Startup: Billminder.lnk = C:\QUICKENW\BILLMIND.EXE
    O4 - Startup: Sharing and Mapping Software.lnk = C:\Program Files\Intel\AnyPoint\DShmap.exe
    O4 - Startup: Wireless Control Panel.lnk = C:\Program Files\Intel\AnyPoint\wcpanel.exe
    O4 - Startup: HumanClick.lnk = C:\Program Files\HumanClick\hc.exe
    O4 - Startup: QuickBooks 2001 Delivery Agent.lnk = C:\QBOOKSW\Components\QBAgent\qbdagent2001.exe
    O4 - Startup: Internet Sharing Server.lnk = C:\Program Files\Intel\AnyPoint\iss_srvr.exe
    O4 - Startup: Kodak EasyShare software.lnk = C:\WINDOWS\Application Data\Microsoft\Installer\{9D8FEE90-0377-49A9-AEFB-525BDE549BA4}\NewShortcut1.exe
    O4 - Startup: Gator eWallet.lnk = ?
    O4 - Startup: KODAK Software Updater.lnk = C:\WINDOWS\Application Data\Microsoft\Installer\{B997C2A0-4383-41BF-B76E-9B8B7ECFB267}\Backweb.exe
    O8 - Extra context menu item: Fill Forms &] - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
    O8 - Extra context menu item: Save Forms &[ - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
    O8 - Extra context menu item: Customize Menu &4 - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
    O8 - Extra context menu item: &Google Search - res://C:\WINDOWS\DOWNLOADED PROGRAM FILES\GOOGLETOOLBAR2.DLL/cmsearch.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\WINDOWS\DOWNLOADED PROGRAM FILES\GOOGLETOOLBAR2.DLL/cmcache.html
    O8 - Extra context menu item: Si&milar Pages - res://C:\WINDOWS\DOWNLOADED PROGRAM FILES\GOOGLETOOLBAR2.DLL/cmsimilar.html
    O8 - Extra context menu item: Backward &Links - res://C:\WINDOWS\DOWNLOADED PROGRAM FILES\GOOGLETOOLBAR2.DLL/cmbacklinks.html
    O8 - Extra context menu item: Translate into English - res://C:\WINDOWS\DOWNLOADED PROGRAM FILES\GOOGLETOOLBAR2.DLL/cmtrans.html
    O9 - Extra button: Real.com (HKLM)
    O9 - Extra button: RoboForm (HKLM)
    O9 - Extra 'Tools' menuitem: RF Toolbar &2 (HKLM)
    O9 - Extra button: Fill Forms (HKLM)
    O9 - Extra 'Tools' menuitem: Fill Forms &] (HKLM)
    O9 - Extra button: Save (HKLM)
    O9 - Extra 'Tools' menuitem: Save Forms &[ (HKLM)
    O9 - Extra 'Tools' menuitem: MaxSpeed (HKLM)
    O9 - Extra button: Dell Home (HKCU)
    O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (&Yahoo! Companion) - http://download.yahoo.com/dl/toolbar/yiebio2.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/swdir8d205.cab
    O16 - DPF: {0C98419E-324F-11D3-9A23-00C04FF40D52} (McAfee Clinic AV Installer Control) - http://download.mcafee.com/molbin/clinic/virusscan/mgavinst.cab
    O16 - DPF: {CDB74794-A3BA-4733-B6F6-59BF16D6C15A} (McAfee Smart Shop - Update Class) - http://download.mcafee.com/molbin/mcaeng/mcsmtshp.cab
    O16 - DPF: {99B42120-6EC7-11CF-A6C7-00AA00A47DD2} (Label Object) - http://activex.microsoft.com/controls/iexplorer/x86/ielabel.cab
    O16 - DPF: {6CB5E471-C305-11D3-99A8-000086395495} - http://toolbar.google.com/navclient/data/deleon/1.1.44-deleon/GoogleNav.cab
    O16 - DPF: Yahoo! Chess - http://download.yahoo.com/games/clients/y/cr1_x.cab
    O16 - DPF: Yahoo! Dominoes - http://download.yahoo.com/games/clients/y/dor1_x.cab
    O16 - DPF: Yahoo! Blackjack - http://download.yahoo.com/games/clients/y/jr2_x.cab
    O16 - DPF: {21F49842-BFA9-11D2-A89C-00104B62BDDA} (ChartFX IE 2000 Control) - http://www.weightwatchers.com/download/CfxIEAx.cab
    O16 - DPF: {E87A6788-1D0F-4444-8898-1D25829B6755} (MSN Chat Control 4.0) - http://fdl.msn.com/public/chat/msnchat4.cab
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - https://components.viewpoint.com/MT...ecabinetry.com/Products/product.asp?DSFID=236
    O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://content-g.kontiki.com/kdx/v2.10/kontiki/kontiki/current/kdx.cab
    O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
    O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
    O16 - DPF: LiveWorld EZTalk 3.0 - http://live.liveworld.com/java/ezmed/ezmed.cab
    O16 - DPF: {ABD45F35-2E4C-44C0-A075-6EF1DE75398E} - http://www.riversoftware.net/x0ff.cab
    O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnview95.cab
    O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = qwest.net
    O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 204.147.80.5,204.147.80.1
     
    Last edited: Jun 2, 2004
  2. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    Hi Ulric,

    Download and run: http://www.memorywatcher.com/uninst.exe
    The program needs internet access to finish.

    Check the items listed below in HijackThis, close all windows except HijackThis and click Fix checked:

    R3 - Default URLSearchHook is missing

    O4 - HKLM\..\Run: [cAg0u] C:\WINDOWS\SYSTEM\0BAF19A2.hta

    O4 - HKLM\..\Run: [Xz] C:\WINDOWS\TEMP\XZ.EXE
    O4 - HKLM\..\Run: [DBCBCPO] C:\WINDOWS\SYSTEM\DBCBCPO.exe
    O4 - HKLM\..\Run: [47MSJ2W3J7PQJE] C:\WINDOWS\SYSTEM\Qxcn74j.exe
    O4 - HKLM\..\Run: [Dsi] C:\WINDOWS\SYSTEM\DP-HIM.EXE
    O4 - HKLM\..\Run: [atqcrpul] C:\WINDOWS\SYSTEM\yxpmim.exe
    O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common files\WinTools\WToolsA.exe

    O4 - HKLM\..\RunServices: [WinTools] C:\Program Files\Common files\WinTools\WToolsA.exe

    O4 - Startup: Gator eWallet.lnk = ?
    O4 - Startup: KODAK Software Updater.lnk = C:\WINDOWS\Application Data\Microsoft\Installer\{B997C2A0-4383-41BF-B76E-9B8B7ECFB267}\Backweb.exe

    O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://content-g.kontiki.com/kdx/v2.10/kontiki/kontiki/current/kdx.cab

    O16 - DPF: {ABD45F35-2E4C-44C0-A075-6EF1DE75398E} - http://www.riversoftware.net/x0ff.cab

    Then reboot into safe mode and delete:
    C:\Program Files\Common files\WinTools <= entire folder
    C:\WINDOWS\SYSTEM\yxpmim.exe

    Could you open C:\WINDOWS\SYSTEM\0BAF19A2.hta in notepad and post the content please?
    NOTE: do not doubleclick it, but rightclick and choose Open with>>>> Notepad

    Regards,

    Pieter
     
  3. Ulric

    Ulric Registered Member

    Joined:
    Jun 2, 2004
    Posts:
    3
    Location:
    Minnesota, USA
    Pieter:

    Thanks for the guidance.

    I followed your instructions accordingly and everything seemed to work as planned except for the following:

    1) You asked that I check the file "04-HKLM\..\Run: [47MSJ2W3J7PQJE] C:\WINDOWS\SYSTEM\Qxcn74j.exe" and include it with the list of files to be "fixed" however, as much as I looked and looked, I could not find this file in the High Jack This list.

    2) After rebooting in safe mode, I was able to find and delete the entire Win Tools folder, however, I could not find (hence I could not delete) C:\WINDOWS\SYSTEM\yxpmim.exe.

    3) I cannot display for you the contents of C:\WINDOWS\SYSTEM\0BAF19A2.hta because, again, I could not locate this file in Windows Explorer.

    While searching for the files mentioned above, I tried sorting by name, and by file type, but to no avail. I even used the find tool in the Windows Explorer "Tools" menu, but still I cannot find these files. Is it possible that some other action I may have taken in the last 24 hours could have caused the files to disappear from the Windows\system folder? If these files are truly gone, then should I be at all concerned?

    Incidentally, I failed to mention that between the time you posted your advice for me and the time I attempted the recommended fixes, I did update my Windows Internet Explorer for security updates.

    As far as everything else is concerned, the computer is running, much, much better and there are less delays at the start-up.

    Thanks for all you advice, and please let me know if there are additional steps to be taking, to make sure my PC is rid of all that scum that was lurking within.

    Thanks.
    Ulric
     
  4. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    Hi Ulric,

    Post a new HijackThis log, so we can see if everything is at least disabled that was pestering you.

    Regards,

    Pieter
     
  5. Ulric

    Ulric Registered Member

    Joined:
    Jun 2, 2004
    Posts:
    3
    Location:
    Minnesota, USA
    Here is my latest log...

    Logfile of HijackThis v1.97.7
    Scan saved at 11:38:05 PM, on 6/6/04
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v5.50 (5.50.4134.0600)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\PROGRAM FILES\INTEL\ANYPOINT\APSERVER.EXE
    C:\PROGRAM FILES\INTEL\ANYPOINT\BLACKD.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\MOUSE\SYSTEM\EM_EXEC.EXE
    C:\WINDOWS\SYSTEM\STIMON.EXE
    C:\WINDOWS\SYSTEM\QTTASK.EXE
    C:\WINDOWS\SYSTEM\VETMSG9X.EXE
    C:\PROGRAM FILES\INOCULATEIT PE\VETTRAY.EXE
    C:\WINDOWS\SYSTEM32\DRIVERS\KODAKCCS.EXE
    C:\PROGRAM FILES\SIBER SYSTEMS\AI ROBOFORM\ROBOTASKBARICON.EXE
    C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\WORKS SHARED\WKCALREM.EXE
    C:\PALM\HOTSYNC.EXE
    C:\QUICKENW\QWDLLS.EXE
    C:\PROGRAM FILES\INTEL\ANYPOINT\DSHMAP.EXE
    C:\PROGRAM FILES\HUMANCLICK\HC.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\QBOOKSW\COMPONENTS\QBAGENT\QBDAGENT2001.EXE
    C:\WINDOWS\SYSTEM\MRTMNGR.EXE
    C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
    C:\WINDOWS\SYSTEM\TAPISRV.EXE
    C:\WINDOWS\SYSTEM\PSTORES.EXE
    C:\WINDOWS\SYSTEM\RNAAPP.EXE
    C:\HIJACKTHIS\HIJACKTHIS.EXE

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.startribune.com/
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
    F1 - win.ini: run=hpfsched
    O2 - BHO: Yahoo! Companion BHO - {13F537F0-AF09-11d6-9029-0002B31F9E59} - C:\PROGRAM FILES\YAHOO!\COMPANION\YCOMP5_0_2_4.DLL
    O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\windows\downloaded program files\googletoolbar2.dll
    O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
    O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\YCOMP5_0_2_4.DLL
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\downloaded program files\googletoolbar2.dll
    O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.ExE
    O4 - HKLM\..\Run: [EM_EXEC] c:\mouse\system\em_exec.exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [VsEcomrEXE] C:\Program Files\Network Associates\McAfee VirusScan\vsecomr.exe
    O4 - HKLM\..\Run: [TCASUTIEXE] TCAUDIAG -off
    O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
    O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [Vet Alert] C:\WINDOWS\System\VetMsg9x.exe
    O4 - HKLM\..\Run: [VetTray] C:\PROGRA~1\INOCUL~1\VETTRAY.EXE
    O4 - HKLM\..\Run: [KodakCCS] c:\windows\System32\Drivers\KodakCCS.exe
    O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common files\WinTools\WToolsA.exe
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [McAfeeWebScanX] C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\WebScanX.Exe /RUNSERVICES
    O4 - HKLM\..\RunServices: [ENSApServer2_0] C:\Program Files\Intel\AnyPoint\APSERVER.EXE
    O4 - HKLM\..\RunServices: [LoadBlackD] C:\Program Files\Intel\AnyPoint\blackd.exe
    O4 - HKLM\..\RunServices: [WinTools] C:\Program Files\Common files\WinTools\WToolsA.exe
    O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
    O4 - HKCU\..\Run: [DictionaryToGo] C:\PROGRA~1\LEARNI~1\DICTIO~1\Stub32.exe -tugak:init
    O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
    O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
    O4 - Startup: SoftStuff Wallpaper Changer.lnk = C:\Softstuf\softstrt.exe
    O4 - Startup: HotSync Manager.lnk = C:\Palm\hotsync.exe
    O4 - Startup: Quicken Startup.lnk = C:\QUICKENW\QWDLLS.EXE
    O4 - Startup: Billminder.lnk = C:\QUICKENW\BILLMIND.EXE
    O4 - Startup: Sharing and Mapping Software.lnk = C:\Program Files\Intel\AnyPoint\DShmap.exe
    O4 - Startup: Wireless Control Panel.lnk = C:\Program Files\Intel\AnyPoint\wcpanel.exe
    O4 - Startup: HumanClick.lnk = C:\Program Files\HumanClick\hc.exe
    O4 - Startup: QuickBooks 2001 Delivery Agent.lnk = C:\QBOOKSW\Components\QBAgent\qbdagent2001.exe
    O4 - Startup: Internet Sharing Server.lnk = C:\Program Files\Intel\AnyPoint\iss_srvr.exe
    O4 - Startup: Kodak EasyShare software.lnk = C:\WINDOWS\Application Data\Microsoft\Installer\{9D8FEE90-0377-49A9-AEFB-525BDE549BA4}\NewShortcut1.exe
    O8 - Extra context menu item: Fill Forms &] - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
    O8 - Extra context menu item: Save Forms &[ - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
    O8 - Extra context menu item: Customize Menu &4 - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
    O8 - Extra context menu item: &Google Search - res://C:\WINDOWS\DOWNLOADED PROGRAM FILES\GOOGLETOOLBAR2.DLL/cmsearch.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\WINDOWS\DOWNLOADED PROGRAM FILES\GOOGLETOOLBAR2.DLL/cmcache.html
    O8 - Extra context menu item: Si&milar Pages - res://C:\WINDOWS\DOWNLOADED PROGRAM FILES\GOOGLETOOLBAR2.DLL/cmsimilar.html
    O8 - Extra context menu item: Backward &Links - res://C:\WINDOWS\DOWNLOADED PROGRAM FILES\GOOGLETOOLBAR2.DLL/cmbacklinks.html
    O8 - Extra context menu item: Translate into English - res://C:\WINDOWS\DOWNLOADED PROGRAM FILES\GOOGLETOOLBAR2.DLL/cmtrans.html
    O9 - Extra button: Real.com (HKLM)
    O9 - Extra button: RoboForm (HKLM)
    O9 - Extra 'Tools' menuitem: RF Toolbar &2 (HKLM)
    O9 - Extra button: Fill Forms (HKLM)
    O9 - Extra 'Tools' menuitem: Fill Forms &] (HKLM)
    O9 - Extra button: Save (HKLM)
    O9 - Extra 'Tools' menuitem: Save Forms &[ (HKLM)
    O9 - Extra 'Tools' menuitem: MaxSpeed (HKLM)
    O9 - Extra button: Dell Home (HKCU)
    O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (&Yahoo! Companion) - http://download.yahoo.com/dl/toolbar/yiebio2.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/swdir8d205.cab
    O16 - DPF: {0C98419E-324F-11D3-9A23-00C04FF40D52} (McAfee Clinic AV Installer Control) - http://download.mcafee.com/molbin/clinic/virusscan/mgavinst.cab
    O16 - DPF: {CDB74794-A3BA-4733-B6F6-59BF16D6C15A} (McAfee Smart Shop - Update Class) - http://download.mcafee.com/molbin/mcaeng/mcsmtshp.cab
    O16 - DPF: {99B42120-6EC7-11CF-A6C7-00AA00A47DD2} (Label Object) - http://activex.microsoft.com/controls/iexplorer/x86/ielabel.cab
    O16 - DPF: {6CB5E471-C305-11D3-99A8-000086395495} - http://toolbar.google.com/navclient/data/deleon/1.1.44-deleon/GoogleNav.cab
    O16 - DPF: Yahoo! Chess - http://download.yahoo.com/games/clients/y/cr1_x.cab
    O16 - DPF: Yahoo! Dominoes - http://download.yahoo.com/games/clients/y/dor1_x.cab
    O16 - DPF: Yahoo! Blackjack - http://download.yahoo.com/games/clients/y/jr2_x.cab
    O16 - DPF: {21F49842-BFA9-11D2-A89C-00104B62BDDA} (ChartFX IE 2000 Control) - http://www.weightwatchers.com/download/CfxIEAx.cab
    O16 - DPF: {E87A6788-1D0F-4444-8898-1D25829B6755} (MSN Chat Control 4.0) - http://fdl.msn.com/public/chat/msnchat4.cab
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - https://components.viewpoint.com/MT...ecabinetry.com/Products/product.asp?DSFID=236
    O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
    O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
    O16 - DPF: LiveWorld EZTalk 3.0 - http://live.liveworld.com/java/ezmed/ezmed.cab
    O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnview95.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?38142.7657523148
    O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = qwest.net
    O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 204.147.80.5,204.147.80.1
     
  6. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    Hi Ulric,

    Just some leftovers.

    Check the items listed below in HijackThis, close all windows except HijackThis and click Fix checked:

    O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common files\WinTools\WToolsA.exe

    O4 - HKLM\..\RunServices: [WinTools] C:\Program Files\Common files\WinTools\WToolsA.exe

    Please read: Why did I get infected in the first place

    Regards,

    Pieter
     
Thread Status:
Not open for further replies.