HiJackThis Log......Please Help

Discussion in 'adware, spyware & hijack cleaning' started by JayHarp, Mar 27, 2004.

Thread Status:
Not open for further replies.
  1. JayHarp

    JayHarp Registered Member

    Joined:
    Mar 27, 2004
    Posts:
    4
    Here is my log, please look it over for me and let me know what i need to do. I have to use a tmobile sidekick to logon here. ive been having trouble with my whole computer, internet, etc. please email me, as it would be easier for me. my email address is xxxxxxx@tmail.com. heres my log, please help and let me know what i need to do. thanks, heres the log.

    Logfile of HijackThis v1.97.2
    Scan saved at 6:00:22 PM, on 3/27/04
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\UNZIPPED\HIJACKTHIS\HIJACKTHIS.EXE
    C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
    C:\PROGRAM FILES\AMERICA ONLINE 7.0\WAOL.EXE
    C:\WINDOWS\SYSTEM\TAPISRV.EXE
    C:\PROGRAM FILES\AIM\AIM.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nba.com/heat
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = res://C:\PROGRA~1\TOOLBAR\TOOLBAR.DLL/sa
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.yahoo.com/search?p=%s
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    R3 - URLSearchHook: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - C:\PROGRA~1\TOOLBAR\TOOLBAR.DLL
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\WINDOWS\DOWNLOADED PROGRAM FILES\YCOMP5_1_6_0.DLL
    O2 - BHO: (no name) - {B549456D-F5D0-4641-BCED-8648A0C13D83} - C:\WINDOWS\BrowserHelper.dll
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
    O2 - BHO: (no name) - {63B78BC1-A711-4D46-AD2F-C581AC420D41} - C:\PROGRA~1\COMMON~1\WINTOOLS\BTIEIN.DLL
    O2 - BHO: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - C:\PROGRA~1\TOOLBAR\TOOLBAR.DLL
    O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WINDOWS\TWAINTEC.DLL
    O2 - BHO: (no name) - {00000EF1-0786-4633-87C6-1AA7A44296DA} - C:\WINDOWS\SYSTEM\CALSDR.DLL
    O2 - BHO: (no name) - {000006B1-19B5-414A-849F-2A3C64AE6939} - C:\WINDOWS\BI.DLL
    O2 - BHO: (no name) - {0019C3E2-DD48-4A6D-ABCD-8D32436323D9} - C:\WINDOWS\BXXS5.DLL
    O2 - BHO: Url Catcher - {CE31A1F7-3D90-4874-8FBE-A5D97F8BC8F1} - C:\PROGRA~1\BARGAI~1\BIN\APUC.DLL
    O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000221} - C:\PROGRA~1\LYCOS\IEAGENT\CSIE.DLL
    O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\WINDOWS\DOWNLOADED PROGRAM FILES\YCOMP5_1_6_0.DLL
    O3 - Toolbar: &Search Toolbar - {339BB23F-A864-48C0-A59F-29EA915965EC} - C:\PROGRA~1\TOOLBAR\TOOLBAR.DLL
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [bxxs5] RunDLL32.EXE C:\WINDOWS\BXXS5.DLL,DllRun
    O4 - HKLM\..\Run: [ZingSpooler] C:\Program Files\Common Files\Zing\ZingSpooler.exe
    O4 - HKLM\..\Run: [ClrSchLoader] \Progra~1\Lycos\IEagent\Loader.exe
    O4 - HKLM\..\Run: [msbb] c:\program files\n-case\msbb.exe
    O4 - HKLM\..\Run: [Bargains] C:\Program Files\Bargain Buddy\bin\bargains.exe
    O4 - HKLM\..\Run: [knylsxgp] C:\WINDOWS\knylsxgp.exe
    O4 - HKLM\..\Run: [PHI5GVQN.EXE] C:\WINDOWS\PHI5GVQN.EXE /dk
    O4 - HKLM\..\Run: [LE32O] C:\WINDOWS\SYSTEM\LE32O.exe
    O4 - HKLM\..\Run: [OneTouch Monitor] C:\PROGRA~1\VISION~1\ONETOU~2.EXE
    O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [RegistryMechanic] C:\PROGRAM FILES\REGISTRY MECHANIC\REGMECH.exe /QS
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKCU\..\Run: [AIM] C:\PROGRAM FILES\AIM\aim.exe -cnetwait.odl
    O4 - HKCU\..\Run: [PPWebCap] C:\PROGRA~1\SCANSOFT\PAPERP~1\PPWebCap.exe
    O4 - HKCU\..\Run: [BMUpdate] C:\WINDOWS\SYSTEM\BMUpdate.exe
    O4 - HKCU\..\Run: [PHI5GVQN.EXE] C:\WINDOWS\PHI5GVQN.EXE /dk
    O4 - HKCU\..\RunOnce: [eZstub] C:\PROGRAM FILES\EARN\EZNN.EXE
    O4 - Startup: MORZE5.lnk = C:\WINDOWS\morze5.exe
    O4 - Startup: EDCNAYUF.lnk = C:\WINDOWS\edcnayuf.exe
    O4 - Startup: 38IYB2PQ.lnk = C:\WINDOWS\38iyb2pq.exe
    O4 - Startup: 6UZCA059.lnk = C:\WINDOWS\6uzca059.exe
    O4 - Startup: W81TZ7FJ.lnk = C:\WINDOWS\w81tz7fj.exe
    O4 - Startup: 1H59FBUG.lnk = C:\WINDOWS\1h59fbug.exe
    O4 - Startup: ZWT2V2QL.lnk = C:\WINDOWS\zwt2v2ql.exe
    O4 - Startup: LX7O6GYU.lnk = C:\WINDOWS\lx7o6gyu.exe
    O4 - Startup: GRN0TGGN.lnk = C:\WINDOWS\grn0tggn.exe
    O4 - Startup: YF4LVB8T.lnk = C:\WINDOWS\yf4lvb8t.exe
    O4 - Startup: LPUL4YQL.lnk = C:\WINDOWS\lpul4yql.exe
    O4 - Startup: DZU8OQPZ.lnk = C:\WINDOWS\dzu8oqpz.exe
    O4 - Startup: E4KC2GVC.lnk = C:\WINDOWS\e4kc2gvc.exe
    O4 - Startup: MP6XMMJ8.lnk = C:\WINDOWS\mp6xmmj8.exe
    O4 - Startup: 32OW4L97.lnk = C:\WINDOWS\32ow4l97.exe
    O4 - Startup: G20FTAJU.lnk = C:\WINDOWS\g20ftaju.exe
    O4 - Startup: 6OFMOH9F.lnk = C:\WINDOWS\6ofmoh9f.exe
    O4 - Startup: 3yr0n0k5.lnk = C:\WINDOWS\3yr0n0k5.exe
    O4 - Startup: PHI5GVQN.lnk = C:\WINDOWS\phi5gvqn.exe
    O4 - Startup: America Online 7.0 Tray Icon.lnk = C:\Program Files\America Online 7.0\aoltray.exe
    O4 - Global Startup: MORZE5.lnk = C:\WINDOWS\morze5.exe
    O4 - Global Startup: EDCNAYUF.lnk = C:\WINDOWS\edcnayuf.exe
    O4 - Global Startup: 38IYB2PQ.lnk = C:\WINDOWS\38iyb2pq.exe
    O4 - Global Startup: 6UZCA059.lnk = C:\WINDOWS\6uzca059.exe
    O4 - Global Startup: W81TZ7FJ.lnk = C:\WINDOWS\w81tz7fj.exe
    O4 - Global Startup: 1H59FBUG.lnk = C:\WINDOWS\1h59fbug.exe
    O4 - Global Startup: ZWT2V2QL.lnk = C:\WINDOWS\zwt2v2ql.exe
    O4 - Global Startup: LX7O6GYU.lnk = C:\WINDOWS\lx7o6gyu.exe
    O4 - Global Startup: GRN0TGGN.lnk = C:\WINDOWS\grn0tggn.exe
    O4 - Global Startup: YF4LVB8T.lnk = C:\WINDOWS\yf4lvb8t.exe
    O4 - Global Startup: LPUL4YQL.lnk = C:\WINDOWS\lpul4yql.exe
    O4 - Global Startup: DZU8OQPZ.lnk = C:\WINDOWS\dzu8oqpz.exe
    O4 - Global Startup: MP6XMMJ8.lnk = C:\WINDOWS\mp6xmmj8.exe
    O4 - Global Startup: E4KC2GVC.lnk = C:\WINDOWS\e4kc2gvc.exe
    O4 - Global Startup: G20FTAJU.lnk = C:\WINDOWS\g20ftaju.exe
    O4 - Global Startup: 32OW4L97.lnk = C:\WINDOWS\32ow4l97.exe
    O4 - Global Startup: 6OFMOH9F.lnk = C:\WINDOWS\6ofmoh9f.exe
    O4 - Global Startup: 3yr0n0k5.lnk = C:\WINDOWS\3yr0n0k5.exe
    O4 - Global Startup: PHI5GVQN.lnk = C:\WINDOWS\phi5gvqn.exe
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O9 - Extra button: AIM (HKLM)
    O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
    O16 - DPF: {5E943D9C-F8DC-4258-8E3F-A61BB3405A33} (ZingBatchAXDwnl Class) - http://www.imagestation.com/common/classes/batchdwnl.cab?version=4,3,2,20802
    O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.av.aol.com/molbin/shared/mcgdmgr/en-us/1,0,0,13/mcgdmgr.cab
    O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.24.143/code/PWActiveXImgCtl.CAB
    O16 - DPF: {26E8361F-BCE7-4F75-A347-98C88B418322} - http://dst.trafficsyndicate.com/Dnl/T_50038/QDow.cab
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {28F00B0F-DC4E-11D3-ABEC-005004A44EEB} (Register Class) - http://content.hiwirenetworks.net/inbrowser/cabfiles/3.1.8/Hiwire.cab
    O16 - DPF: {03177121-226B-11D4-B0BE-005004AD3039} (UploaderCtrl Class) - http://members19.clubphoto.com/_img/uploader/atl_uploader.cab
    O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) - http://sc.groups.msn.com/controls/PhotoUC/MsnPUpld.cab
    O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/05f185408d8cef2cd205/netzip/RdxIE601.cab
    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.av.aol.com/molbin/shared/mcinsctl/en-us/4,0,0,64/mcinsctl.cab
    O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (&Yahoo! Companion) - http://us.dl1.yimg.com/download.companion.yahoo.com/dl/toolbar/ym/yiebio5_1_6_0.cab
    O16 - DPF: Yahoo! Dominoes - http://download.games.yahoo.com/games/clients/y/dot3_x.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?38057.9088425926
    O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-32.cab



    removed email addy to hide it from harvesters and spambots- snowbound
     
  2. puff-m-d

    puff-m-d Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    4,451
    Location:
    North Carolina, USA
    JayHarp,

    We are trying to come up with a way that is easier to explain for this particular problem. Please disregard the original post and someone will post back as to an easier way to fix it.

    Thanks,
    kent
     
  3. JayHarp

    JayHarp Registered Member

    Joined:
    Mar 27, 2004
    Posts:
    4
    I really didn't understand the 1st to much because my computer is not letting me get online and when it does it logs right back off of AOL. ii try and open IE and about 5 of them popup for some reason. And now its running really slow and sometimes freezes when it first comes on windows. I was thinking I would have to fix this problem in safe mode. Please help with this problem. Thanks in advance
     
  4. JayHarp

    JayHarp Registered Member

    Joined:
    Mar 27, 2004
    Posts:
    4
    Now, when I start my computer up it freezes every time on me. I think I may have to start it in safe mode. Anyone with knowledge of this particular problem, your help would be appreciated. Thanks
     
  5. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    The difficult to remove problem is the adtomi problem with all the funny named files

    first go on line and look on your task bar for yahoo stock

    RightClick on the yahoo stock task bar icon,
    choose remove-while being online!
    A web page from Adtomi would appear
    "-uninstall was succesful!"
    then download

    TDS3 from http://tds.diamondcs.com.au/

    download & install the 30 day free trial, update it manually as described here http://tds.diamondcs.com.au/index.php?page=update as the trial version doesn't have auto update enabled

    then press scan control & tick all the little boxes in the bottom part of that window, press save configuration and then close that window by pressing the red X in top right corner, then select system testing and select full system scan

    sit back with a cup of coffee and watch what it finds

    NOTE:

    Unlike set and forget av's TDS works with you, it doesn't auto delete anything but puts a list of found suspect files in the bottom window

    right click any file it finds and it gives you options on dealing with it, the normal selection would be delete , but first select "save as text", that will create a logfile of all the found suspect files and put it in the TDS directory called scandump.txt.

    then in turn select everything that tds finds in the bottom window and select delete

    we think that running in safe mode while doing the nsan and fixing is the best way to fix this one.

    so after doiing it all, then reboot & post both the tds scanlog and a new hijackthis log as there are also other problems to fix
     
  6. JayHarp

    JayHarp Registered Member

    Joined:
    Mar 27, 2004
    Posts:
    4
    thanks for replying to my post. The thing is I'm having trouble getting online as soon as I load my computer it freezes up. When I logon into safe mode it won't logon to the internet. What should I do now? Last night i had this problem but after getting my login files, I deleted/fixed some of them and it would allow me online for 2minutes max and log right back off. Now I can't logon at all. Since I needed to post a full log file, I had to restore all the files I fixed/deleted and now I can't logon at all.
     
  7. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    Reboot into safe mode by following instructions here: http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406
    then as some of the files or folders you need to delete may be hidden do this:
    Open Windows Explorer & Go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden or all files and folders" is checked. Also uncheck "Hide protected operating system files" and untick "hide extensions for known file types" . Now click "Apply to all folders"
    Click "Apply" then "OK"

    Run hijackthis, tick these entries listed below and ONLY these entries, double check to make sure, then make sure all browser & email windows are closed and press fix checked


    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = res://C:\PROGRA~1\TOOLBAR\TOOLBAR.DLL/sa

    R3 - URLSearchHook: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - C:\PROGRA~1\TOOLBAR\TOOLBAR.DLL
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\WINDOWS\DOWNLOADED PROGRAM FILES\YCOMP5_1_6_0.DLL
    O2 - BHO: (no name) - {B549456D-F5D0-4641-BCED-8648A0C13D83} - C:\WINDOWS\BrowserHelper.dll
    O2 - BHO: (no name) - {63B78BC1-A711-4D46-AD2F-C581AC420D41} - C:\PROGRA~1\COMMON~1\WINTOOLS\BTIEIN.DLL
    O2 - BHO: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - C:\PROGRA~1\TOOLBAR\TOOLBAR.DLL
    O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WINDOWS\TWAINTEC.DLL
    O2 - BHO: (no name) - {00000EF1-0786-4633-87C6-1AA7A44296DA} - C:\WINDOWS\SYSTEM\CALSDR.DLL
    O2 - BHO: (no name) - {000006B1-19B5-414A-849F-2A3C64AE6939} - C:\WINDOWS\BI.DLL
    O2 - BHO: (no name) - {0019C3E2-DD48-4A6D-ABCD-8D32436323D9} - C:\WINDOWS\BXXS5.DLL
    O2 - BHO: Url Catcher - {CE31A1F7-3D90-4874-8FBE-A5D97F8BC8F1} - C:\PROGRA~1\BARGAI~1\BIN\APUC.DLL
    O3 - Toolbar: &Search Toolbar - {339BB23F-A864-48C0-A59F-29EA915965EC} - C:\PROGRA~1\TOOLBAR\TOOLBAR.DLL
    O4 - HKLM\..\Run: [bxxs5] RunDLL32.EXE C:\WINDOWS\BXXS5.DLL,DllRun
    O4 - HKLM\..\Run: [ClrSchLoader] \Progra~1\Lycos\IEagent\Loader.exe
    O4 - HKLM\..\Run: [msbb] c:\program files\n-case\msbb.exe
    O4 - HKLM\..\Run: [Bargains] C:\Program Files\Bargain Buddy\bin\bargains.exe
    O4 - HKLM\..\Run: [knylsxgp] C:\WINDOWS\knylsxgp.exe
    O4 - HKLM\..\Run: [PHI5GVQN.EXE] C:\WINDOWS\PHI5GVQN.EXE /dk
    O4 - HKLM\..\Run: [LE32O] C:\WINDOWS\SYSTEM\LE32O.exe
    O4 - HKCU\..\Run: [PHI5GVQN.EXE] C:\WINDOWS\PHI5GVQN.EXE /dk
    O4 - HKCU\..\RunOnce: [eZstub] C:\PROGRAM FILES\EARN\EZNN.EXE
    O4 - Startup: MORZE5.lnk = C:\WINDOWS\morze5.exe
    O4 - Startup: EDCNAYUF.lnk = C:\WINDOWS\edcnayuf.exe
    O4 - Startup: 38IYB2PQ.lnk = C:\WINDOWS\38iyb2pq.exe
    O4 - Startup: 6UZCA059.lnk = C:\WINDOWS\6uzca059.exe
    O4 - Startup: W81TZ7FJ.lnk = C:\WINDOWS\w81tz7fj.exe
    O4 - Startup: 1H59FBUG.lnk = C:\WINDOWS\1h59fbug.exe
    O4 - Startup: ZWT2V2QL.lnk = C:\WINDOWS\zwt2v2ql.exe
    O4 - Startup: LX7O6GYU.lnk = C:\WINDOWS\lx7o6gyu.exe
    O4 - Startup: GRN0TGGN.lnk = C:\WINDOWS\grn0tggn.exe
    O4 - Startup: YF4LVB8T.lnk = C:\WINDOWS\yf4lvb8t.exe
    O4 - Startup: LPUL4YQL.lnk = C:\WINDOWS\lpul4yql.exe
    O4 - Startup: DZU8OQPZ.lnk = C:\WINDOWS\dzu8oqpz.exe
    O4 - Startup: E4KC2GVC.lnk = C:\WINDOWS\e4kc2gvc.exe
    O4 - Startup: MP6XMMJ8.lnk = C:\WINDOWS\mp6xmmj8.exe
    O4 - Startup: 32OW4L97.lnk = C:\WINDOWS\32ow4l97.exe
    O4 - Startup: G20FTAJU.lnk = C:\WINDOWS\g20ftaju.exe
    O4 - Startup: 6OFMOH9F.lnk = C:\WINDOWS\6ofmoh9f.exe
    O4 - Startup: 3yr0n0k5.lnk = C:\WINDOWS\3yr0n0k5.exe
    O4 - Startup: PHI5GVQN.lnk = C:\WINDOWS\phi5gvqn.exe
    O4 - Global Startup: MORZE5.lnk = C:\WINDOWS\morze5.exe
    O4 - Global Startup: EDCNAYUF.lnk = C:\WINDOWS\edcnayuf.exe
    O4 - Global Startup: 38IYB2PQ.lnk = C:\WINDOWS\38iyb2pq.exe
    O4 - Global Startup: 6UZCA059.lnk = C:\WINDOWS\6uzca059.exe
    O4 - Global Startup: W81TZ7FJ.lnk = C:\WINDOWS\w81tz7fj.exe
    O4 - Global Startup: 1H59FBUG.lnk = C:\WINDOWS\1h59fbug.exe
    O4 - Global Startup: ZWT2V2QL.lnk = C:\WINDOWS\zwt2v2ql.exe
    O4 - Global Startup: LX7O6GYU.lnk = C:\WINDOWS\lx7o6gyu.exe
    O4 - Global Startup: GRN0TGGN.lnk = C:\WINDOWS\grn0tggn.exe
    O4 - Global Startup: YF4LVB8T.lnk = C:\WINDOWS\yf4lvb8t.exe
    O4 - Global Startup: LPUL4YQL.lnk = C:\WINDOWS\lpul4yql.exe
    O4 - Global Startup: DZU8OQPZ.lnk = C:\WINDOWS\dzu8oqpz.exe
    O4 - Global Startup: MP6XMMJ8.lnk = C:\WINDOWS\mp6xmmj8.exe
    O4 - Global Startup: E4KC2GVC.lnk = C:\WINDOWS\e4kc2gvc.exe
    O4 - Global Startup: G20FTAJU.lnk = C:\WINDOWS\g20ftaju.exe
    O4 - Global Startup: 32OW4L97.lnk = C:\WINDOWS\32ow4l97.exe
    O4 - Global Startup: 6OFMOH9F.lnk = C:\WINDOWS\6ofmoh9f.exe
    O4 - Global Startup: 3yr0n0k5.lnk = C:\WINDOWS\3yr0n0k5.exe
    O4 - Global Startup: PHI5GVQN.lnk = C:\WINDOWS\phi5gvqn.exe


    Delete these files
    all the funny named files above
    then

    these here
    O4 - Startup: MORZE5.lnk = C:\WINDOWS\morze5.exe
    O4 - Startup: EDCNAYUF.lnk = C:\WINDOWS\edcnayuf.exe
    O4 - Startup: 38IYB2PQ.lnk = C:\WINDOWS\38iyb2pq.exe
    O4 - Startup: 6UZCA059.lnk = C:\WINDOWS\6uzca059.exe
    O4 - Startup: W81TZ7FJ.lnk = C:\WINDOWS\w81tz7fj.exe
    O4 - Startup: 1H59FBUG.lnk = C:\WINDOWS\1h59fbug.exe
    O4 - Startup: ZWT2V2QL.lnk = C:\WINDOWS\zwt2v2ql.exe
    O4 - Startup: LX7O6GYU.lnk = C:\WINDOWS\lx7o6gyu.exe
    O4 - Startup: GRN0TGGN.lnk = C:\WINDOWS\grn0tggn.exe
    O4 - Startup: YF4LVB8T.lnk = C:\WINDOWS\yf4lvb8t.exe
    O4 - Startup: LPUL4YQL.lnk = C:\WINDOWS\lpul4yql.exe
    O4 - Startup: DZU8OQPZ.lnk = C:\WINDOWS\dzu8oqpz.exe
    O4 - Startup: E4KC2GVC.lnk = C:\WINDOWS\e4kc2gvc.exe
    O4 - Startup: MP6XMMJ8.lnk = C:\WINDOWS\mp6xmmj8.exe
    O4 - Startup: 32OW4L97.lnk = C:\WINDOWS\32ow4l97.exe
    O4 - Startup: G20FTAJU.lnk = C:\WINDOWS\g20ftaju.exe
    O4 - Startup: 6OFMOH9F.lnk = C:\WINDOWS\6ofmoh9f.exe
    O4 - Startup: 3yr0n0k5.lnk = C:\WINDOWS\3yr0n0k5.exe
    O4 - Startup: PHI5GVQN.lnk = C:\WINDOWS\phi5gvqn.exe

    Reboot normally &

    try to download the applications we said to in post number 4

    let us know how you get on

    I am posting this in the forum as well as emailing it to you


    EDIT: short explanation to explainthat Jay hs emailed me to say he cannot get online at all with the computer, and is using his mobile phoento send info & er=receive it, so I j=have emailed him with some basic steps as outlined above to try and get him online
     
  8. jharper37

    jharper37 Guest

    jayharp here again,

    thanks to, dvk01 i can now use the internet. i still cannot use my AOL browser for some reason but i can use the IE one. please let me know what i need to do nextto finish this thing up and get everything solved. thanks to all who has helped, this is a great site with very smart people. keep up the good work. heres the new log file. let me know what i need to do now.

    Logfile of HijackThis v1.97.2
    Scan saved at 5:47:26 AM, on 3/28/04
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\PROGRAM FILES\REAL\REALPLAYER\REALPLAY.EXE
    C:\WINDOWS\XF8C1F4W.EXE
    C:\PROGRAM FILES\AMERICA ONLINE 7.0\WAOL.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\WINDOWS\SYSTEM\TAPISRV.EXE
    C:\WINDOWS\SYSTEM\RNAAPP.EXE
    C:\UNZIPPED\HIJACKTHIS\HIJACKTHIS.EXE
    C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\WINDOWS\SYSTEM\PSTORES.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nba.com/heat
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.yahoo.com/search?p=%s
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
    O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000221} - C:\PROGRA~1\LYCOS\IEAGENT\CSIE.DLL
    O2 - BHO: (no name) - {B549456D-F5D0-4641-BCED-8648A0C13D83} - C:\WINDOWS\BrowserHelper.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [ZingSpooler] C:\Program Files\Common Files\Zing\ZingSpooler.exe
    O4 - HKLM\..\Run: [OneTouch Monitor] C:\PROGRA~1\VISION~1\ONETOU~2.EXE
    O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [RegistryMechanic] C:\PROGRAM FILES\REGISTRY MECHANIC\REGMECH.exe /QS
    O4 - HKLM\..\Run: [XF8C1F4W.EXE] C:\WINDOWS\XF8C1F4W.EXE /dk
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKCU\..\Run: [AIM] C:\PROGRAM FILES\AIM\aim.exe -cnetwait.odl
    O4 - HKCU\..\Run: [PPWebCap] C:\PROGRA~1\SCANSOFT\PAPERP~1\PPWebCap.exe
    O4 - HKCU\..\Run: [BMUpdate] C:\WINDOWS\SYSTEM\BMUpdate.exe
    O4 - HKCU\..\Run: [XF8C1F4W.EXE] C:\WINDOWS\XF8C1F4W.EXE /dk
    O4 - Startup: BH00DYI2.lnk = C:\WINDOWS\bh00dyi2.exe
    O4 - Startup: XF8C1F4W.lnk = C:\WINDOWS\xf8c1f4w.exe
    O4 - Startup: America Online 7.0 Tray Icon.lnk = C:\Program Files\America Online 7.0\aoltray.exe
    O4 - Global Startup: BH00DYI2.lnk = C:\WINDOWS\bh00dyi2.exe
    O4 - Global Startup: XF8C1F4W.lnk = C:\WINDOWS\xf8c1f4w.exe
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O9 - Extra button: AIM (HKLM)
    O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
    O16 - DPF: {5E943D9C-F8DC-4258-8E3F-A61BB3405A33} (ZingBatchAXDwnl Class) - http://www.imagestation.com/common/classes/batchdwnl.cab?version=4,3,2,20802
    O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.av.aol.com/molbin/shared/mcgdmgr/en-us/1,0,0,13/mcgdmgr.cab
    O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.24.143/code/PWActiveXImgCtl.CAB
    O16 - DPF: {26E8361F-BCE7-4F75-A347-98C88B418322} - http://dst.trafficsyndicate.com/Dnl/T_50038/QDow.cab
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {28F00B0F-DC4E-11D3-ABEC-005004A44EEB} (Register Class) - http://content.hiwirenetworks.net/inbrowser/cabfiles/3.1.8/Hiwire.cab
    O16 - DPF: {03177121-226B-11D4-B0BE-005004AD3039} (UploaderCtrl Class) - http://members19.clubphoto.com/_img/uploader/atl_uploader.cab
    O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) - http://sc.groups.msn.com/controls/PhotoUC/MsnPUpld.cab
    O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/05f185408d8cef2cd205/netzip/RdxIE601.cab
    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.av.aol.com/molbin/shared/mcinsctl/en-us/4,0,0,64/mcinsctl.cab
    O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - http://us.dl1.yimg.com/download.companion.yahoo.com/dl/toolbar/ym/yiebio5_1_6_0.cab
    O16 - DPF: Yahoo! Dominoes - http://download.games.yahoo.com/games/clients/y/dot3_x.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?38057.9088425926
    O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-32.cab
     
  9. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    Now we have you working again look at post number 4, and follow the advice there about downloading and running tds3

    then post back and let's see if we can get rid of all your problems

    you will need to do this as well to clear up the other start ups I had you fix by email so at least download them now, and update them so you have them just in case you lose your connection again

    Download and unzip or install these programs/applications if you haven't already got them. If you have them, then make sure they are updated and configured as described

    Spybot - Search & Destroy from http://security.kolla.de
    AdAware 6 from http://www.lavasoft.de/support/download


    Run Sybot S&D

    After installing, first press Online, press search for updates, then tick the updates it finds, then press download updates. Beside the download button is a little down pointed arrow, select one of the servers listed. If it doesn't work or you get an error message then try a different server

    Next, close all Internet Explorer and OE windows, press 'Check for Problems', and have SpyBot remove all it finds that is marked in RED.

    then reboot &

    Run ADAWARE

    Before you scan with AdAware, check for updates of the reference file by using the "webupdate".
    the current ref file should read at least 01R275 25.03.2004 or a higher number/later date

    Then ........

    Make sure the following settings are made and on -------"ON=GREEN"
    From main window :Click "Start" then " Activate in-depth scan"

    then......

    click "Use custom scanning options>Customize" and have these options on: "Scan within archives" ,"Scan active processes","Scan registry", "Deep scan registry" ,"Scan my IE Favorites for banned URL" and "Scan my host-files"

    then.........

    go to settings(the gear on top of AdAware)>Tweak>Scanning engine and tick "Unload recognized processes during scanning" ...........then........"Cleaning engine" and "Let windows remove files in use at next reboot"

    then...... click "proceed" to save your settings.

    Now to scan it´s just to click the "Scan" button.

    When scan is finished, mark everything for removal and get rid of it. (Right-click the window and choose"select all" from the drop down menu) then press next and then say yes to the prompt, do you want to remove all these entries.

    reboot again
     
  10. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    Jay

    in case the email doesn't get to you and for others information

    In theory this pest puts an icon in the taskbar, that is the little box in the bottom right corner of the screen

    some users have it, some don't. I think it's only installed in XP not 98 and that is the problem. this affects 98 worse than XP
    if you haven't got one called yahoo stock, then don't worry, just carrry out the rest of the advice
     
  11. jharper37

    jharper37 Guest

    new hijack this log

    Logfile of HijackThis v1.97.2
    Scan saved at 4:20:25 PM, on 3/28/04
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\PROGRAM FILES\REAL\REALPLAYER\REALPLAY.EXE
    C:\PROGRAM FILES\AIM\AIM.EXE
    C:\PROGRAM FILES\AMERICA ONLINE 7.0\WAOL.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\WINDOWS\SYSTEM\TAPISRV.EXE
    C:\WINDOWS\SYSTEM\RNAAPP.EXE
    C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
    C:\WINDOWS\SYSTEM\PSTORES.EXE
    C:\UNZIPPED\HIJACKTHIS\HIJACKTHIS.EXE

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nba.com/heat
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.yahoo.com/search?p=%s
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O1 - Hosts: 64.91.255.87 www.dcsresearch.com
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
    O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000221} - C:\PROGRA~1\LYCOS\IEAGENT\CSIE.DLL
    O2 - BHO: (no name) - {B549456D-F5D0-4641-BCED-8648A0C13D83} - C:\WINDOWS\BrowserHelper.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [ZingSpooler] C:\Program Files\Common Files\Zing\ZingSpooler.exe
    O4 - HKLM\..\Run: [OneTouch Monitor] C:\PROGRA~1\VISION~1\ONETOU~2.EXE
    O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [RegistryMechanic] C:\PROGRAM FILES\REGISTRY MECHANIC\REGMECH.exe /QS
    O4 - HKLM\..\Run: [5DXZMTAG.EXE] C:\WINDOWS\5DXZMTAG.EXE /dk
    O4 - HKLM\..\Run: [ro9e0ubv.exe] C:\WINDOWS\ro9e0ubv.exe /dk
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKCU\..\Run: [AIM] C:\PROGRAM FILES\AIM\aim.exe -cnetwait.odl
    O4 - HKCU\..\Run: [PPWebCap] C:\PROGRA~1\SCANSOFT\PAPERP~1\PPWebCap.exe
    O4 - HKCU\..\Run: [BMUpdate] C:\WINDOWS\SYSTEM\BMUpdate.exe
    O4 - HKCU\..\Run: [5DXZMTAG.EXE] C:\WINDOWS\5DXZMTAG.EXE /dk
    O4 - HKCU\..\Run: [ro9e0ubv.exe] C:\WINDOWS\ro9e0ubv.exe /dk
    O4 - Startup: BH00DYI2.lnk = C:\WINDOWS\bh00dyi2.exe
    O4 - Startup: XF8C1F4W.lnk = C:\WINDOWS\xf8c1f4w.exe
    O4 - Startup: MORZE1.lnk = C:\WINDOWS\morze1.exe
    O4 - Startup: 2OFVE0HI.lnk = C:\WINDOWS\2ofve0hi.exe
    O4 - Startup: 5DXZMTAG.lnk = C:\WINDOWS\5dxzmtag.exe
    O4 - Startup: ro9e0ubv.lnk = C:\WINDOWS\ro9e0ubv.exe
    O4 - Startup: America Online 7.0 Tray Icon.lnk = C:\Program Files\America Online 7.0\aoltray.exe
    O4 - Global Startup: BH00DYI2.lnk = C:\WINDOWS\bh00dyi2.exe
    O4 - Global Startup: XF8C1F4W.lnk = C:\WINDOWS\xf8c1f4w.exe
    O4 - Global Startup: MORZE1.lnk = C:\WINDOWS\morze1.exe
    O4 - Global Startup: 2OFVE0HI.lnk = C:\WINDOWS\2ofve0hi.exe
    O4 - Global Startup: 5DXZMTAG.lnk = C:\WINDOWS\5dxzmtag.exe
    O4 - Global Startup: ro9e0ubv.lnk = C:\WINDOWS\ro9e0ubv.exe
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O9 - Extra button: AIM (HKLM)
    O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
    O16 - DPF: {5E943D9C-F8DC-4258-8E3F-A61BB3405A33} (ZingBatchAXDwnl Class) - http://www.imagestation.com/common/classes/batchdwnl.cab?version=4,3,2,20802
    O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.av.aol.com/molbin/shared/mcgdmgr/en-us/1,0,0,13/mcgdmgr.cab
    O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.24.143/code/PWActiveXImgCtl.CAB
    O16 - DPF: {26E8361F-BCE7-4F75-A347-98C88B418322} - http://dst.trafficsyndicate.com/Dnl/T_50038/QDow.cab
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {28F00B0F-DC4E-11D3-ABEC-005004A44EEB} (Register Class) - http://content.hiwirenetworks.net/inbrowser/cabfiles/3.1.8/Hiwire.cab
    O16 - DPF: {03177121-226B-11D4-B0BE-005004AD3039} (UploaderCtrl Class) - http://members19.clubphoto.com/_img/uploader/atl_uploader.cab
    O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) - http://sc.groups.msn.com/controls/PhotoUC/MsnPUpld.cab
    O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/05f185408d8cef2cd205/netzip/RdxIE601.cab
    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.av.aol.com/molbin/shared/mcinsctl/en-us/4,0,0,64/mcinsctl.cab
    O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - http://us.dl1.yimg.com/download.companion.yahoo.com/dl/toolbar/ym/yiebio5_1_6_0.cab
    O16 - DPF: Yahoo! Dominoes - http://download.games.yahoo.com/games/clients/y/dot3_x.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?38057.9088425926
    O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-32.cab


    TDS logfile

    Scan Control Dumped @ 11:43:20 28-03-04
    Positive identification <Adv>: Possible WebDownloader
    File: c:\do.exe

    Positive identification: Adware.180solutions
    File: c:\windows\knylsxgp.exe
     
  12. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    right click those entries in tds and select delete

    it hasn't found the others that keep coming back & multiplying

    try the advice on this page
    http://www.wilderssecurity.com/showthread.php?t=25926

    it is working for some people
     
  13. puff-m-d

    puff-m-d Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    4,451
    Location:
    North Carolina, USA
    I am walking Jay thru the steps now via AIM and as soon as we finish I will have him reboot and post a new HJT log.

    Regards,
    Kent
     
  14. jharper37

    jharper37 Guest

    heres my new HJT log:

    Logfile of HijackThis v1.97.2
    Scan saved at 8:03:32 PM, on 3/28/04
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\PROGRAM FILES\REAL\REALPLAYER\REALPLAY.EXE
    C:\PROGRAM FILES\AIM\AIM.EXE
    C:\PROGRAM FILES\AMERICA ONLINE 7.0\WAOL.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\WINDOWS\SYSTEM\TAPISRV.EXE
    C:\WINDOWS\SYSTEM\RNAAPP.EXE
    C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
    C:\UNZIPPED\HIJACKTHIS\HIJACKTHIS.EXE

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nba.com/heat
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.yahoo.com/search?p=%s
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O1 - Hosts: 64.91.255.87 www.dcsresearch.com
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
    O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000221} - C:\PROGRA~1\LYCOS\IEAGENT\CSIE.DLL
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [ZingSpooler] C:\Program Files\Common Files\Zing\ZingSpooler.exe
    O4 - HKLM\..\Run: [OneTouch Monitor] C:\PROGRA~1\VISION~1\ONETOU~2.EXE
    O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [RegistryMechanic] C:\PROGRAM FILES\REGISTRY MECHANIC\REGMECH.exe /QS
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKCU\..\Run: [AIM] C:\PROGRAM FILES\AIM\aim.exe -cnetwait.odl
    O4 - HKCU\..\Run: [PPWebCap] C:\PROGRA~1\SCANSOFT\PAPERP~1\PPWebCap.exe
    O4 - HKCU\..\Run: [BMUpdate] C:\WINDOWS\SYSTEM\BMUpdate.exe
    O4 - Startup: America Online 7.0 Tray Icon.lnk = C:\Program Files\America Online 7.0\aoltray.exe
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O9 - Extra button: AIM (HKLM)
    O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
    O16 - DPF: {5E943D9C-F8DC-4258-8E3F-A61BB3405A33} (ZingBatchAXDwnl Class) - http://www.imagestation.com/common/classes/batchdwnl.cab?version=4,3,2,20802
    O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.av.aol.com/molbin/shared/mcgdmgr/en-us/1,0,0,13/mcgdmgr.cab
    O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.24.143/code/PWActiveXImgCtl.CAB
    O16 - DPF: {26E8361F-BCE7-4F75-A347-98C88B418322} - http://dst.trafficsyndicate.com/Dnl/T_50038/QDow.cab
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {28F00B0F-DC4E-11D3-ABEC-005004A44EEB} (Register Class) - http://content.hiwirenetworks.net/inbrowser/cabfiles/3.1.8/Hiwire.cab
    O16 - DPF: {03177121-226B-11D4-B0BE-005004AD3039} (UploaderCtrl Class) - http://members19.clubphoto.com/_img/uploader/atl_uploader.cab
    O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) - http://sc.groups.msn.com/controls/PhotoUC/MsnPUpld.cab
    O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/05f185408d8cef2cd205/netzip/RdxIE601.cab
    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.av.aol.com/molbin/shared/mcinsctl/en-us/4,0,0,64/mcinsctl.cab
    O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - http://us.dl1.yimg.com/download.companion.yahoo.com/dl/toolbar/ym/yiebio5_1_6_0.cab
    O16 - DPF: Yahoo! Dominoes - http://download.games.yahoo.com/games/clients/y/dot3_x.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?38057.9088425926
    O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-32.cab
     
  15. puff-m-d

    puff-m-d Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    4,451
    Location:
    North Carolina, USA
    Hi Jay,

    We got rid of the main one that was causing you the most problems, adtomi.

    I will post the last fixes in just a moment.

    Regards,
    Kent
     
  16. puff-m-d

    puff-m-d Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    4,451
    Location:
    North Carolina, USA
    Hi Jay,

    Hopefully this will do it.....

    Check the following items in HijackThis.
    Close all windows except HijackThis and click Fix checked:

    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

    O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000221} - C:\PROGRA~1\LYCOS\IEAGENT\CSIE.DLL

    O16 - DPF: {26E8361F-BCE7-4F75-A347-98C88B418322} - http://dst.trafficsyndicate.com/Dnl/T_50038/QDow.cab

    O16 - DPF: {28F00B0F-DC4E-11D3-ABEC-005004A44EEB} (Register Class) - http://content.hiwirenetworks.net/inbrowser/cabfiles/3.1.8/Hiwire.cab

    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/05f185408d8cef2cd205/netzip/RdxIE601.cab

    Then reboot in Safe Mode and delete the following:

    C:\PROGRA~1\LYCOS\ <-- entire folder

    Reboot and then post a fresh HijackThis log.

    Regards,
    Kent
     
  17. jharper37

    jharper37 Guest

    heres my new log:

    Logfile of HijackThis v1.97.2
    Scan saved at 8:43:24 PM, on 3/28/04
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\PROGRAM FILES\REAL\REALPLAYER\REALPLAY.EXE
    C:\PROGRAM FILES\AMERICA ONLINE 7.0\WAOL.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\WINDOWS\SYSTEM\TAPISRV.EXE
    C:\WINDOWS\SYSTEM\RNAAPP.EXE
    C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
    C:\UNZIPPED\HIJACKTHIS\HIJACKTHIS.EXE

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nba.com/heat
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.yahoo.com/search?p=%s
    O1 - Hosts: 64.91.255.87 www.dcsresearch.com
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [ZingSpooler] C:\Program Files\Common Files\Zing\ZingSpooler.exe
    O4 - HKLM\..\Run: [OneTouch Monitor] C:\PROGRA~1\VISION~1\ONETOU~2.EXE
    O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [RegistryMechanic] C:\PROGRAM FILES\REGISTRY MECHANIC\REGMECH.exe /QS
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKCU\..\Run: [AIM] C:\PROGRAM FILES\AIM\aim.exe -cnetwait.odl
    O4 - HKCU\..\Run: [PPWebCap] C:\PROGRA~1\SCANSOFT\PAPERP~1\PPWebCap.exe
    O4 - HKCU\..\Run: [BMUpdate] C:\WINDOWS\SYSTEM\BMUpdate.exe
    O4 - Startup: America Online 7.0 Tray Icon.lnk = C:\Program Files\America Online 7.0\aoltray.exe
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O9 - Extra button: AIM (HKLM)
    O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
    O16 - DPF: {5E943D9C-F8DC-4258-8E3F-A61BB3405A33} (ZingBatchAXDwnl Class) - http://www.imagestation.com/common/classes/batchdwnl.cab?version=4,3,2,20802
    O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.av.aol.com/molbin/shared/mcgdmgr/en-us/1,0,0,13/mcgdmgr.cab
    O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.24.143/code/PWActiveXImgCtl.CAB
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {03177121-226B-11D4-B0BE-005004AD3039} (UploaderCtrl Class) - http://members19.clubphoto.com/_img/uploader/atl_uploader.cab
    O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) - http://sc.groups.msn.com/controls/PhotoUC/MsnPUpld.cab
    O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.av.aol.com/molbin/shared/mcinsctl/en-us/4,0,0,64/mcinsctl.cab
    O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - http://us.dl1.yimg.com/download.companion.yahoo.com/dl/toolbar/ym/yiebio5_1_6_0.cab
    O16 - DPF: Yahoo! Dominoes - http://download.games.yahoo.com/games/clients/y/dot3_x.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?38057.9088425926
    O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-32.cab
     
  18. puff-m-d

    puff-m-d Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    4,451
    Location:
    North Carolina, USA
    Congratulations Jay, You are now clean!!!

    Good work!!!

    With all the trouble you have had with this, I am sure you would like some things you can read and check into:

    Some tips and links that will help you stay safe on-line can be found HERE.

    And here is a good read about how to be better protected : Click Me.

    To help keep your system clean, these are also freeware programs that we recommend:
    SpywareBlaster - will protect you from all spy/foistware in it's database by blocking installation of their ActiveX objects.
    SpywareGuard - provides a degree of real-time protection against spyware that is a great addition to SpywareBlaster's protection method.
    IE-Spyad - will put a list of bad domains and sites into the Restricted Site Zone of your IE Browser. This will help protect IE and prevent those drive-by downloads, browser hijacking, ActiveX, Java, popups, cookies, etc, from compromising your computer while you surf.

    And of course, you should have a trusted spyware removal program (I recommend having them both as one may catch what the other may not, since they update at different times):
    Spybot Search&Destroy
    SpybotS&D Setup Tutorial.
    Ad-Aware
    Ad-Aware Setup Tutorial.
    Before scanning with either Ad-Aware or Spybot S&D, remember to bring them up-to-date first.

    Regards,
    Kent
     
  19. jharper37

    jharper37 Guest

    I would just like to take the time to thank EVERYONE on this great site, not just the people who helped me but all for making this whole thing possible. I greatly appreciate it all, and owe you guys a ton. Thanks again, keep up all the good work.
     
Thread Status:
Not open for further replies.