Huge Hijack log - I'd really appreciate your help

Discussion in 'adware, spyware & hijack cleaning' started by scarfish, Apr 15, 2004.

  1. scarfish (Registered Member; Joined: Apr 15, 2004; Posts: 5)

    I ran AdAware just before scanning.

    Logfile of HijackThis v1.97.7
    Scan saved at 10:43:39 PM, on 4/15/2004
    Platform: Windows ME (Win9x 4.90.3000)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\WINDOWS\SYSTEM\STIMON.EXE
    C:\WINDOWS\TEMP\TD_0002.DIR\HIJACKTHIS.EXE

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://allaboutsearching.com/passthrough/index.html?http://www.rr.com/flash/index.cfm?division=30
    R3 - Default URLSearchHook is missing
    O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WINDOWS\TWAINTEC.DLL
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O2 - BHO: (no name) - {05495B02-DBEA-495C-E2ED-783E686531F6} - C:\PROGRAM FILES\MEMO OPTION NURB\PROXYMFCD.DLL
    O2 - BHO: (no name) - {B549456D-F5D0-4641-BCED-8648A0C13D83} - C:\WINDOWS\BrowserHelper.dll
    O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\PROGRAM FILES\SPYWAREGUARD\DLPROTECT.DLL
    O2 - BHO: (no name) - {0019C3E2-DD48-4A6D-ABCD-8D32436323D9} - C:\WINDOWS\BXXS5.DLL
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
    O4 - HKLM\..\Run: [LexStart] lexstart.exe
    O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
    O4 - HKLM\..\Run: [creativemp3] C:\PROGRA~1\Open ford\sixthmetabyte.exe
    O4 - HKLM\..\Run: [AutoUpdater] "c:\Program Files\AutoUpdate\AutoUpdate.exe"
    O4 - HKLM\..\Run: [bxxs5] RunDLL32.EXE C:\WINDOWS\BXXS5.DLL,DllRun
    O4 - HKLM\..\Run: [Tau Monitor] C:\PROGRAM FILES\AGNITUM\TAUSCAN 1.7\TAUMON.EXE
    O4 - HKLM\..\Run: [5630ED0N.EXE] C:\WINDOWS\5630ED0N.EXE /dk
    O4 - HKLM\..\RunServices: [ccEvtMgr] "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
    O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKCU\..\Run: [5630ED0N.EXE] C:\WINDOWS\5630ED0N.EXE /dk
    O4 - Startup: Screen Saver Control.lnk = C:\WINDOWS\FSScrCtl.exe
    O4 - Startup: NKZ1XRU3.lnk = C:\WINDOWS\nkz1xru3.exe
    O4 - Startup: 2G61U4G4.lnk = C:\WINDOWS\2g61u4g4.exe
    O4 - Startup: 7Z6KU85Z.lnk = C:\WINDOWS\7z6ku85z.exe
    O4 - Startup: 7P056173.lnk = C:\WINDOWS\7p056173.exe
    O4 - Startup: EFQM9ECT.lnk = C:\WINDOWS\efqm9ect.exe
    O4 - Startup: MORZE1.lnk = C:\WINDOWS\morze1.exe
    O4 - Startup: HQK7NNM1.lnk = C:\WINDOWS\hqk7nnm1.exe
    O4 - Startup: 3E94G8H1.lnk = C:\WINDOWS\3e94g8h1.exe
    O4 - Startup: T8FXWCQX.lnk = C:\WINDOWS\t8fxwcqx.exe
    O4 - Startup: MZN7M6GQ.lnk = C:\WINDOWS\mzn7m6gq.exe
    O4 - Startup: N8YAW500.lnk = C:\WINDOWS\n8yaw500.exe
    O4 - Startup: Y0NY3N92.lnk = C:\WINDOWS\y0ny3n92.exe
    O4 - Startup: V6T38ZTI.lnk = C:\WINDOWS\v6t38zti.exe
    O4 - Startup: UGR4BK3I.lnk = C:\WINDOWS\ugr4bk3i.exe
    O4 - Startup: 624ZQD7Q.lnk = C:\WINDOWS\624zqd7q.exe
    O4 - Startup: NQV3PZTM.lnk = C:\WINDOWS\nqv3pztm.exe
    O4 - Startup: TZ2EP830.lnk = C:\WINDOWS\tz2ep830.exe
    O4 - Startup: HILU43QP.lnk = C:\WINDOWS\hilu43qp.exe
    O4 - Startup: G4DV04YU.lnk = C:\WINDOWS\g4dv04yu.exe
    O4 - Startup: CRZ163FR.lnk = C:\WINDOWS\crz163fr.exe
    O4 - Startup: AQW6EK3J.lnk = C:\WINDOWS\aqw6ek3j.exe
    O4 - Startup: YXJEVEIJ.lnk = C:\WINDOWS\yxjeveij.exe
    O4 - Startup: MU5C23WE.lnk = C:\WINDOWS\mu5c23we.exe
    O4 - Startup: 92DU1UYV.lnk = C:\WINDOWS\92du1uyv.exe
    O4 - Startup: T72Q954O.lnk = C:\WINDOWS\t72q954o.exe
    O4 - Startup: 5C5NXO7G.lnk = C:\WINDOWS\5c5nxo7g.exe
    O4 - Startup: RNK30F9F.lnk = C:\WINDOWS\rnk30f9f.exe
    O4 - Startup: HG8L5424.lnk = C:\WINDOWS\hg8l5424.exe
    O4 - Startup: 2HRAOIHI.lnk = C:\WINDOWS\2hraoihi.exe
    O4 - Startup: EUYR1PW2.lnk = C:\WINDOWS\euyr1pw2.exe
    O4 - Startup: NEN00XAV.lnk = C:\WINDOWS\nen00xav.exe
    O4 - Startup: 68WTI9G6.lnk = C:\WINDOWS\68wti9g6.exe
    O4 - Startup: 1Y7ZVQ1L.lnk = C:\WINDOWS\1y7zvq1l.exe
    O4 - Startup: JX5RI0JQ.lnk = C:\WINDOWS\jx5ri0jq.exe
    O4 - Startup: 6LTTC96N.lnk = C:\WINDOWS\6lttc96n.exe
    O4 - Startup: ICVE843Z.lnk = C:\WINDOWS\icve843z.exe
    O4 - Startup: XA05OIHQ.lnk = C:\WINDOWS\xa05oihq.exe
    O4 - Startup: FYOUP73X.lnk = C:\WINDOWS\fyoup73x.exe
    O4 - Startup: 12I0YL5B.lnk = C:\WINDOWS\12i0yl5b.exe
    O4 - Startup: 0JVH98EA.lnk = C:\WINDOWS\0jvh98ea.exe
    O4 - Startup: A8HNMUT6.lnk = C:\WINDOWS\a8hnmut6.exe
    O4 - Startup: E1NG0MOT.lnk = C:\WINDOWS\e1ng0mot.exe
    O4 - Startup: 0I5W1HRF.lnk = C:\WINDOWS\0i5w1hrf.exe
    O4 - Startup: 8CLQ3PO1.lnk = C:\WINDOWS\8clq3po1.exe
    O4 - Startup: Z2L54V2H.lnk = C:\WINDOWS\z2l54v2h.exe
    O4 - Startup: ID5ZN20A.lnk = C:\WINDOWS\id5zn20a.exe
    O4 - Startup: K1HT02BD.lnk = C:\WINDOWS\k1ht02bd.exe
    O4 - Startup: X8TH40NY.lnk = C:\WINDOWS\x8th40ny.exe
    O4 - Startup: 00626R35.lnk = C:\WINDOWS\00626r35.exe
    O4 - Startup: EOU8A042.lnk = C:\WINDOWS\eou8a042.exe
    O4 - Startup: 70VBO64B.lnk = C:\WINDOWS\70vbo64b.exe
    O4 - Startup: DYTHA7I2.lnk = C:\WINDOWS\dytha7i2.exe
    O4 - Startup: 4AGVF9CJ.lnk = C:\WINDOWS\4agvf9cj.exe
    O4 - Startup: R2J9AR0G.lnk = C:\WINDOWS\r2j9ar0g.exe
    O4 - Startup: 7CWJN9XA.lnk = C:\WINDOWS\7cwjn9xa.exe
    O4 - Startup: ETW1G48F.lnk = C:\WINDOWS\etw1g48f.exe
    O4 - Startup: GXD3FDHY.lnk = C:\WINDOWS\gxd3fdhy.exe
    O4 - Startup: KZE95U4H.lnk = C:\WINDOWS\kze95u4h.exe
    O4 - Startup: DBHNFQMC.lnk = C:\WINDOWS\dbhnfqmc.exe
    O4 - Startup: 01RRWIEX.lnk = C:\WINDOWS\01rrwiex.exe
    O4 - Startup: LD50Z4FR.lnk = C:\WINDOWS\ld50z4fr.exe
    O4 - Startup: DDXUR2HT.lnk = C:\WINDOWS\ddxur2ht.exe
    O4 - Startup: U00915CI.lnk = C:\WINDOWS\u00915ci.exe
    O4 - Startup: FUX816LV.lnk = C:\WINDOWS\fux816lv.exe
    O4 - Startup: 4M4BZH79.lnk = C:\WINDOWS\4m4bzh79.exe
    O4 - Startup: Q5FINN0J.lnk = C:\WINDOWS\q5finn0j.exe
    O4 - Startup: EIJHQFY9.lnk = C:\WINDOWS\eijhqfy9.exe
    O4 - Startup: W5OPYPI9.lnk = C:\WINDOWS\w5opypi9.exe
    O4 - Startup: 5HYTD0H3.lnk = C:\WINDOWS\5hytd0h3.exe
    O4 - Startup: I832NJ9Y.lnk = C:\WINDOWS\i832nj9y.exe
    O4 - Startup: 3U8HB5QG.lnk = C:\WINDOWS\3u8hb5qg.exe
    O4 - Startup: U0L4J51O.lnk = C:\WINDOWS\u0l4j51o.exe
    O4 - Startup: L0IRY1EI.lnk = C:\WINDOWS\l0iry1ei.exe
    O4 - Startup: QAGQMI68.lnk = C:\WINDOWS\qagqmi68.exe
    O4 - Startup: MR3I5GO2.lnk = C:\WINDOWS\mr3i5go2.exe
    O4 - Startup: H0ILLR61.lnk = C:\WINDOWS\h0illr61.exe
    O4 - Startup: GB080CO0.lnk = C:\WINDOWS\gb080co0.exe
    O4 - Startup: CKR3M1T7.lnk = C:\WINDOWS\ckr3m1t7.exe
    O4 - Startup: YLBXVKZ5.lnk = C:\WINDOWS\ylbxvkz5.exe
    O4 - Startup: PMKW9HVW.lnk = C:\WINDOWS\pmkw9hvw.exe
    O4 - Startup: FRJQMEGQ.lnk = C:\WINDOWS\frjqmegq.exe
    O4 - Startup: 9088G0RI.lnk = C:\WINDOWS\9088g0ri.exe
    O4 - Startup: 63FO2W8P.lnk = C:\WINDOWS\63fo2w8p.exe
    O4 - Startup: KIIZ6DAD.lnk = C:\WINDOWS\kiiz6dad.exe
    O4 - Startup: PTBJR0YV.lnk = C:\WINDOWS\ptbjr0yv.exe
    O4 - Startup: IVPIYLHA.lnk = C:\WINDOWS\ivpiylha.exe
    O4 - Startup: F96O271D.lnk = C:\WINDOWS\f96o271d.exe
    O4 - Startup: W0KIUGV3.lnk = C:\WINDOWS\w0kiugv3.exe
    O4 - Startup: E8UMPKRI.lnk = C:\WINDOWS\e8umpkri.exe
    O4 - Startup: A71BBBXY.lnk = C:\WINDOWS\a71bbbxy.exe
    O4 - Startup: 7EEJMV0R.lnk = C:\WINDOWS\7eejmv0r.exe
    O4 - Startup: 8DR0LK6H.lnk = C:\WINDOWS\8dr0lk6h.exe
    O4 - Startup: 9D962GIL.lnk = C:\WINDOWS\9d962gil.exe
    O4 - Startup: FLPIPI5X.lnk = C:\WINDOWS\flpipi5x.exe
    O4 - Startup: VTBB7HTF.lnk = C:\WINDOWS\vtbb7htf.exe
    O4 - Startup: V0PFEDWE.lnk = C:\WINDOWS\v0pfedwe.exe
    O4 - Startup: R50DUBNV.lnk = C:\WINDOWS\r50dubnv.exe
    O4 - Startup: 6BYLDG8L.lnk = C:\WINDOWS\6byldg8l.exe
    O4 - Startup: B6Z9QTZB.lnk = C:\WINDOWS\b6z9qtzb.exe
    O4 - Startup: 2JYOC4FE.lnk = C:\WINDOWS\2jyoc4fe.exe
    O4 - Startup: 9A0XYZVZ.lnk = C:\WINDOWS\9a0xyzvz.exe
    O4 - Startup: 430IHG38.lnk = C:\WINDOWS\430ihg38.exe
    O4 - Startup: PZE0LYNW.lnk = C:\WINDOWS\pze0lynw.exe
    O4 - Startup: RYGMDB00.lnk = C:\WINDOWS\rygmdb00.exe
    O4 - Startup: EUE8U10D.lnk = C:\WINDOWS\eue8u10d.exe
    O4 - Startup: QCBC5FIB.lnk = C:\WINDOWS\qcbc5fib.exe
    O4 - Startup: 6AR6QIJN.lnk = C:\WINDOWS\6ar6qijn.exe
    O4 - Startup: F6JOLQ9R.lnk = C:\WINDOWS\f6jolq9r.exe
    O4 - Startup: GGHZ2XWM.lnk = C:\WINDOWS\gghz2xwm.exe
    O4 - Startup: AMYQR8AN.lnk = C:\WINDOWS\amyqr8an.exe
    O4 - Startup: LFXFZ1ZN.lnk = C:\WINDOWS\lfxfz1zn.exe
    O4 - Startup: 7IPD0OT0.lnk = C:\WINDOWS\7ipd0ot0.exe
    O4 - Startup: ZTLWQ65T.lnk = C:\WINDOWS\ztlwq65t.exe
    O4 - Startup: 730ON27K.lnk = C:\WINDOWS\730on27k.exe
    O4 - Startup: 0E800VPO.lnk = C:\WINDOWS\0e800vpo.exe
    O4 - Startup: 6O00Q1I0.lnk = C:\WINDOWS\6o00q1i0.exe
    O4 - Startup: 0F8R4OEP.lnk = C:\WINDOWS\0f8r4oep.exe
    O4 - Startup: V2OY2965.lnk = C:\WINDOWS\v2oy2965.exe
    O4 - Startup: Q1DUYU2B.lnk = C:\WINDOWS\q1duyu2b.exe
    O4 - Startup: KLW046EU.lnk = C:\WINDOWS\klw046eu.exe
    O4 - Startup: 65RIKF1V.lnk = C:\WINDOWS\65rikf1v.exe
    O4 - Startup: E61YQV0K.lnk = C:\WINDOWS\e61yqv0k.exe
    O4 - Startup: IY474000.lnk = C:\WINDOWS\iy474000.exe
    O4 - Startup: DVH2G0CJ.lnk = C:\WINDOWS\dvh2g0cj.exe
    O4 - Startup: CART18WT.lnk = C:\WINDOWS\cart18wt.exe
    O4 - Startup: ZG00CQTY.lnk = C:\WINDOWS\zg00cqty.exe
    O4 - Startup: DVCHMOQP.lnk = C:\WINDOWS\dvchmoqp.exe
    O4 - Startup: WQ000OR9.lnk = C:\WINDOWS\wq000or9.exe
    O4 - Startup: BKLUZXWH.lnk = C:\WINDOWS\bkluzxwh.exe
    O4 - Startup: 6XM5IP00.lnk = C:\WINDOWS\6xm5ip00.exe
    O4 - Startup: 100FZ3W6.lnk = C:\WINDOWS\100fz3w6.exe
    O4 - Startup: RPJ50K0P.lnk = C:\WINDOWS\rpj50k0p.exe
    O4 - Startup: CB0GB54R.lnk = C:\WINDOWS\cb0gb54r.exe
    O4 - Startup: 7OL95Q45.lnk = C:\WINDOWS\7ol95q45.exe
    O4 - Startup: 5AC88Q2U.lnk = C:\WINDOWS\5ac88q2u.exe
    O4 - Startup: RP0F0431.lnk = C:\WINDOWS\rp0f0431.exe
    O4 - Startup: UI343TE5.lnk = C:\WINDOWS\ui343te5.exe
    O4 - Startup: IPP5VK6P.lnk = C:\WINDOWS\ipp5vk6p.exe
    O4 - Startup: 91ILKFUU.lnk = C:\WINDOWS\91ilkfuu.exe
    O4 - Startup: FRWPVKC9.lnk = C:\WINDOWS\frwpvkc9.exe
    O4 - Startup: AT5AL0J4.lnk = C:\WINDOWS\at5al0j4.exe
    O4 - Startup: 0PLYWONE.lnk = C:\WINDOWS\0plywone.exe
    O4 - Startup: 19DM8EFZ.lnk = C:\WINDOWS\19dm8efz.exe
    O4 - Startup: 5JRTR3BL.lnk = C:\WINDOWS\5jrtr3bl.exe
    O4 - Startup: 5WBNCRWX.lnk = C:\WINDOWS\5wbncrwx.exe
    O4 - Startup: LWWTMN8Z.lnk = C:\WINDOWS\lwwtmn8z.exe
    O4 - Startup: 0AI00J96.lnk = C:\WINDOWS\0ai00j96.exe
    O4 - Startup: 814IWZGP.lnk = C:\WINDOWS\814iwzgp.exe
    O4 - Startup: GHUUIUJH.lnk = C:\WINDOWS\ghuuiujh.exe
    O4 - Startup: OLX8XLOU.lnk = C:\WINDOWS\olx8xlou.exe
    O4 - Startup: FK5EQX2M.lnk = C:\WINDOWS\fk5eqx2m.exe
    O4 - Startup: 6V24RC1J.lnk = C:\WINDOWS\6v24rc1j.exe
    O4 - Startup: WXUU05DT.lnk = C:\WINDOWS\wxuu05dt.exe
    O4 - Startup: F5P8BVZL.lnk = C:\WINDOWS\f5p8bvzl.exe
    O4 - Startup: 9GN08FO0.lnk = C:\WINDOWS\9gn08fo0.exe
    O4 - Startup: R65KVQJZ.lnk = C:\WINDOWS\r65kvqjz.exe
    O4 - Startup: UK1N1OEL.lnk = C:\WINDOWS\uk1n1oel.exe
    O4 - Startup: YDRL5I68.lnk = C:\WINDOWS\ydrl5i68.exe
    O4 - Startup: TYTFA3QT.lnk = C:\WINDOWS\tytfa3qt.exe
    O4 - Startup: E8058OGR.lnk = C:\WINDOWS\e8058ogr.exe
    O4 - Startup: 2TFW3GE9.lnk = C:\WINDOWS\2tfw3ge9.exe
    O4 - Startup: POATIYTN.lnk = C:\WINDOWS\poatiytn.exe
    O4 - Startup: J92WREML.lnk = C:\WINDOWS\j92wreml.exe
    O4 - Startup: 1J409VKJ.lnk = C:\WINDOWS\1j409vkj.exe
    O4 - Startup: H8G0MJLW.lnk = C:\WINDOWS\h8g0mjlw.exe
    O4 - Startup: RIGOT7CQ.lnk = C:\WINDOWS\rigot7cq.exe
    O4 - Startup: W6KR010G.lnk = C:\WINDOWS\w6kr010g.exe
    O4 - Startup: NYBE43X0.lnk = C:\WINDOWS\nybe43x0.exe
    O4 - Startup: Q4FQZWN7.lnk = C:\WINDOWS\q4fqzwn7.exe
    O4 - Startup: HH66XNFJ.lnk = C:\WINDOWS\hh66xnfj.exe
    O4 - Startup: UWU37NH9.lnk = C:\WINDOWS\uwu37nh9.exe
    O4 - Startup: MCBRL5P2.lnk = C:\WINDOWS\mcbrl5p2.exe
    O4 - Startup: YMHIKR70.lnk = C:\WINDOWS\ymhikr70.exe
    O4 - Startup: K8V5BQ3I.lnk = C:\WINDOWS\k8v5bq3i.exe
    O4 - Startup: MRHQKFE1.lnk = C:\WINDOWS\mrhqkfe1.exe
    O4 - Startup: 0BZCECA0.lnk = C:\WINDOWS\0bzceca0.exe
    O4 - Startup: BQ8TRPG0.lnk = C:\WINDOWS\bq8trpg0.exe
    O4 - Startup: Y0O4Y4TX.lnk = C:\WINDOWS\y0o4y4tx.exe
    O4 - Startup: 7IA4G1UV.lnk = C:\WINDOWS\7ia4g1uv.exe
    O4 - Startup: ULAIIRCC.lnk = C:\WINDOWS\ulaiircc.exe
    O4 - Startup: E1DJ9TRK.lnk = C:\WINDOWS\e1dj9trk.exe
    O4 - Startup: EQ8IHT9K.lnk = C:\WINDOWS\eq8iht9k.exe
    O4 - Startup: T1BT0W1M.lnk = C:\WINDOWS\t1bt0w1m.exe
    O4 - Startup: KUPCGJTZ.lnk = C:\WINDOWS\kupcgjtz.exe
    O4 - Startup: MM5WRK74.lnk = C:\WINDOWS\mm5wrk74.exe
    O4 - Startup: DKP3CZH1.lnk = C:\WINDOWS\dkp3czh1.exe
    O4 - Startup: INVHHXJW.lnk = C:\WINDOWS\invhhxjw.exe
    O4 - Startup: B08AHGEZ.lnk = C:\WINDOWS\b08ahgez.exe
    O4 - Startup: NCKBXDXT.lnk = C:\WINDOWS\nckbxdxt.exe
    O4 - Startup: T5BTE232.lnk = C:\WINDOWS\t5bte232.exe
    O4 - Startup: FO9V3ZU3.lnk = C:\WINDOWS\fo9v3zu3.exe
    O4 - Startup: 9REPJ0TT.lnk = C:\WINDOWS\9repj0tt.exe
    O4 - Startup: K50IDKW8.lnk = C:\WINDOWS\k50idkw8.exe
    O4 - Startup: 758VRQVL.lnk = C:\WINDOWS\758vrqvl.exe
    O4 - Startup: LCXJAG00.lnk = C:\WINDOWS\lcxjag00.exe
    O4 - Startup: 0LNAQ141.lnk = C:\WINDOWS\0lnaq141.exe
    O4 - Startup: 8EGQ32U9.lnk = C:\WINDOWS\8egq32u9.exe
    O4 - Startup: MZN0A6I9.lnk = C:\WINDOWS\mzn0a6i9.exe
    O4 - Startup: 8IKBFQM8.lnk = C:\WINDOWS\8ikbfqm8.exe
    O4 - Startup: A6RIHP5O.lnk = C:\WINDOWS\a6rihp5o.exe
    O4 - Startup: YLV2PFMY.lnk = C:\WINDOWS\ylv2pfmy.exe
    O4 - Startup: QI9NMPG8.lnk = C:\WINDOWS\qi9nmpg8.exe
    O4 - Startup: G5WEYTJW.lnk = C:\WINDOWS\g5weytjw.exe
    O4 - Startup: 0CVF6QQ7.lnk = C:\WINDOWS\0cvf6qq7.exe
    O4 - Startup: RI3OYKFZ.lnk = C:\WINDOWS\ri3oykfz.exe
    O4 - Startup: HEJBEY0B.lnk = C:\WINDOWS\hejbey0b.exe
    O4 - Startup: A7BFRJ88.lnk = C:\WINDOWS\a7bfrj88.exe
    O4 - Startup: WATAFEB7.lnk = C:\WINDOWS\watafeb7.exe
    O4 - Startup: RMITAGPK.lnk = C:\WINDOWS\rmitagpk.exe
    O4 - Startup: CU55NB28.lnk = C:\WINDOWS\cu55nb28.exe
    O4 - Startup: ME83XIK3.lnk = C:\WINDOWS\me83xik3.exe
    O4 - Startup: HZ89MKNB.lnk = C:\WINDOWS\hz89mknb.exe
    O4 - Startup: 0J5031D0.lnk = C:\WINDOWS\0j5031d0.exe
    O4 - Startup: 83A3Y7VA.lnk = C:\WINDOWS\83a3y7va.exe
    O4 - Startup: TN3R6RJM.lnk = C:\WINDOWS\tn3r6rjm.exe
    O4 - Startup: IUP90D6V.lnk = C:\WINDOWS\iup90d6v.exe
    O4 - Startup: LFPFELPV.lnk = C:\WINDOWS\lfpfelpv.exe
    O4 - Startup: P3M7K0B8.lnk = C:\WINDOWS\p3m7k0b8.exe
    O4 - Startup: G86YPAMK.lnk = C:\WINDOWS\g86ypamk.exe
    O4 - Startup: W24YYV65.lnk = C:\WINDOWS\w24yyv65.exe
    O4 - Startup: NH51Y648.lnk = C:\WINDOWS\nh51y648.exe
    O4 - Startup: BXOQCJDP.lnk = C:\WINDOWS\bxoqcjdp.exe
    O4 - Startup: 0OQTHH2C.lnk = C:\WINDOWS\0oqthh2c.exe
    O4 - Startup: NWQVEH9U.lnk = C:\WINDOWS\nwqveh9u.exe
    O4 - Startup: 35IC95PZ.lnk = C:\WINDOWS\35ic95pz.exe
    O4 - Startup: Z4EP3P6A.lnk = C:\WINDOWS\z4ep3p6a.exe
    O4 - Startup: BGTVKF0I.lnk = C:\WINDOWS\bgtvkf0i.exe
    O4 - Startup: 8RNJ0VCZ.lnk = C:\WINDOWS\8rnj0vcz.exe
    O4 - Startup: 8Q2YELYC.lnk = C:\WINDOWS\8q2yelyc.exe
    O4 - Startup: Y6WL5U8E.lnk = C:\WINDOWS\y6wl5u8e.exe
    O4 - Startup: ZVJG2H06.lnk = C:\WINDOWS\zvjg2h06.exe
    O4 - Startup: 70E0J08X.lnk = C:\WINDOWS\70e0j08x.exe
    O4 - Startup: Y670CJ6L.lnk = C:\WINDOWS\y670cj6l.exe
    O4 - Startup: 0J5K5JE5.lnk = C:\WINDOWS\0j5k5je5.exe
    O4 - Startup: EHZ6ALNG.lnk = C:\WINDOWS\ehz6alng.exe
    O4 - Startup: 05YYJBWI.lnk = C:\WINDOWS\05yyjbwi.exe
    O4 - Startup: 33XD0WQO.lnk = C:\WINDOWS\33xd0wqo.exe
    O4 - Startup: DHM0BW0Y.lnk = C:\WINDOWS\dhm0bw0y.exe
    O4 - Startup: 8OWQ807I.lnk = C:\WINDOWS\8owq807i.exe
    O4 - Startup: U493HFBG.lnk = C:\WINDOWS\u493hfbg.exe
    O4 - Startup: 3213U07N.lnk = C:\WINDOWS\3213u07n.exe
    O4 - Startup: ZQ9YVOD3.lnk = C:\WINDOWS\zq9yvod3.exe
    O4 - Startup: 06OUCR02.lnk = C:\WINDOWS\06oucr02.exe
    O4 - Startup: P5JWA188.lnk = C:\WINDOWS\p5jwa188.exe
    O4 - Startup: PA5MTF69.lnk = C:\WINDOWS\pa5mtf69.exe
    O4 - Startup: NWOFKPWA.lnk = C:\WINDOWS\nwofkpwa.exe
    O4 - Startup: 2A7A03UV.lnk = C:\WINDOWS\2a7a03uv.exe
    O4 - Startup: 600INM1P.lnk = C:\WINDOWS\600inm1p.exe
    O4 - Startup: 3YZ79G88.lnk = C:\WINDOWS\3yz79g88.exe
    O4 - Startup: RMW3M7DM.lnk = C:\WINDOWS\rmw3m7dm.exe
    O4 - Startup: 9J5DAHDV.lnk = C:\WINDOWS\9j5dahdv.exe
    O4 - Startup: RX2408H0.lnk = C:\WINDOWS\rx2408h0.exe
    O4 - Startup: 823G1970.lnk = C:\WINDOWS\823g1970.exe
    O4 - Startup: UNNUZ0PV.lnk = C:\WINDOWS\unnuz0pv.exe
    O4 - Startup: Q009FKKM.lnk = C:\WINDOWS\q009fkkm.exe
    O4 - Startup: 9XYLVWIW.lnk = C:\WINDOWS\9xylvwiw.exe
    O4 - Startup: 17KBKO90.lnk = C:\WINDOWS\17kbko90.exe
    O4 - Startup: 2LJ3B22H.lnk = C:\WINDOWS\2lj3b22h.exe
    O4 - Startup: 66ID990W.lnk = C:\WINDOWS\66id990w.exe
    O4 - Startup: PFT8J8GC.lnk = C:\WINDOWS\pft8j8gc.exe
    O4 - Startup: DYEVYLXH.lnk = C:\WINDOWS\dyevylxh.exe
    O4 - Startup: O5TIN34K.lnk = C:\WINDOWS\o5tin34k.exe
    O4 - Startup: R4J7MXMI.lnk = C:\WINDOWS\r4j7mxmi.exe
    O4 - Startup: QTCL1AR4.lnk = C:\WINDOWS\qtcl1ar4.exe
    O4 - Startup: 277BNZMB.lnk = C:\WINDOWS\277bnzmb.exe
    O4 - Startup: P52BNZ2P.lnk = C:\WINDOWS\p52bnz2p.exe
    O4 - Startup: H9BZBJZN.lnk = C:\WINDOWS\h9bzbjzn.exe
    O4 - Startup: 5IXEYO93.lnk = C:\WINDOWS\5ixeyo93.exe
    O4 - Startup: NOWC4JCY.lnk = C:\WINDOWS\nowc4jcy.exe
    O4 - Startup: 5RY8Z3Q8.lnk = C:\WINDOWS\5ry8z3q8.exe
    O4 - Startup: MUMDY7PR.lnk = C:\WINDOWS\mumdy7pr.exe
    O4 - Startup: XGXTIRX0.lnk = C:\WINDOWS\xgxtirx0.exe
    O4 - Startup: FVZLWIWU.lnk = C:\WINDOWS\fvzlwiwu.exe
    O4 - Startup: 3W5VXOUG.lnk = C:\WINDOWS\3w5vxoug.exe
    O4 - Startup: MORZE2.lnk = C:\WINDOWS\morze2.exe
    O4 - Startup: HCMZ0UZR.lnk = C:\WINDOWS\hcmz0uzr.exe
    O4 - Startup: MF7O20LN.lnk = C:\WINDOWS\mf7o20ln.exe
    O4 - Startup: AI0TYTRI.lnk = C:\WINDOWS\ai0tytri.exe
    O4 - Startup: EQD6XA4K.lnk = C:\WINDOWS\eqd6xa4k.exe
    O4 - Startup: BWNWTCPO.lnk = C:\WINDOWS\bwnwtcpo.exe
    O4 - Startup: OUBMKO6U.lnk = C:\WINDOWS\oubmko6u.exe
    O4 - Startup: 30YHPWCV.lnk = C:\WINDOWS\30yhpwcv.exe
    O4 - Startup: P4DJG4WH.lnk = C:\WINDOWS\p4djg4wh.exe
    O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
    O4 - Startup: 5630ED0N.lnk = C:\WINDOWS\5630ed0n.exe
    O4 - Global Startup: MORZE2.lnk = C:\WINDOWS\morze2.exe
    O4 - Global Startup: RYAEI9T1.lnk = C:\WINDOWS\ryaei9t1.exe
    O4 - Global Startup: 7Z6KU85Z.lnk = C:\WINDOWS\7z6ku85z.exe
    O4 - Global Startup: 7P056173.lnk = C:\WINDOWS\7p056173.exe
    O4 - Global Startup: EFQM9ECT.lnk = C:\WINDOWS\efqm9ect.exe
    O4 - Global Startup: MORZE1.lnk = C:\WINDOWS\morze1.exe
    O4 - Global Startup: HQK7NNM1.lnk = C:\WINDOWS\hqk7nnm1.exe
    O4 - Global Startup: 3E94G8H1.lnk = C:\WINDOWS\3e94g8h1.exe
    O4 - Global Startup: T8FXWCQX.lnk = C:\WINDOWS\t8fxwcqx.exe
    O4 - Global Startup: MZN7M6GQ.lnk = C:\WINDOWS\mzn7m6gq.exe
    O4 - Global Startup: N8YAW500.lnk = C:\WINDOWS\n8yaw500.exe
    O4 - Global Startup: Y0NY3N92.lnk = C:\WINDOWS\y0ny3n92.exe
    O4 - Global Startup: V6T38ZTI.lnk = C:\WINDOWS\v6t38zti.exe
    O4 - Global Startup: UGR4BK3I.lnk = C:\WINDOWS\ugr4bk3i.exe
    O4 - Global Startup: 624ZQD7Q.lnk = C:\WINDOWS\624zqd7q.exe
    O4 - Global Startup: NQV3PZTM.lnk = C:\WINDOWS\nqv3pztm.exe
    O4 - Global Startup: TZ2EP830.lnk = C:\WINDOWS\tz2ep830.exe
    O4 - Global Startup: HILU43QP.lnk = C:\WINDOWS\hilu43qp.exe
    O4 - Global Startup: G4DV04YU.lnk = C:\WINDOWS\g4dv04yu.exe
    O4 - Global Startup: CRZ163FR.lnk = C:\WINDOWS\crz163fr.exe
    O4 - Global Startup: AQW6EK3J.lnk = C:\WINDOWS\aqw6ek3j.exe
    O4 - Global Startup: YXJEVEIJ.lnk = C:\WINDOWS\yxjeveij.exe
    O4 - Global Startup: MU5C23WE.lnk = C:\WINDOWS\mu5c23we.exe
    O4 - Global Startup: 92DU1UYV.lnk = C:\WINDOWS\92du1uyv.exe
    O4 - Global Startup: T72Q954O.lnk = C:\WINDOWS\t72q954o.exe
    O4 - Global Startup: 5C5NXO7G.lnk = C:\WINDOWS\5c5nxo7g.exe
    O4 - Global Startup: RNK30F9F.lnk = C:\WINDOWS\rnk30f9f.exe
    O4 - Global Startup: HG8L5424.lnk = C:\WINDOWS\hg8l5424.exe
    O4 - Global Startup: 2HRAOIHI.lnk = C:\WINDOWS\2hraoihi.exe
    O4 - Global Startup: EUYR1PW2.lnk = C:\WINDOWS\euyr1pw2.exe
    O4 - Global Startup: NEN00XAV.lnk = C:\WINDOWS\nen00xav.exe
    O4 - Global Startup: 68WTI9G6.lnk = C:\WINDOWS\68wti9g6.exe
    O4 - Global Startup: 1Y7ZVQ1L.lnk = C:\WINDOWS\1y7zvq1l.exe
    O4 - Global Startup: JX5RI0JQ.lnk = C:\WINDOWS\jx5ri0jq.exe
    O4 - Global Startup: 6LTTC96N.lnk = C:\WINDOWS\6lttc96n.exe
    O4 - Global Startup: ICVE843Z.lnk = C:\WINDOWS\icve843z.exe
    O4 - Global Startup: XA05OIHQ.lnk = C:\WINDOWS\xa05oihq.exe
    O4 - Global Startup: FYOUP73X.lnk = C:\WINDOWS\fyoup73x.exe
    O4 - Global Startup: 12I0YL5B.lnk = C:\WINDOWS\12i0yl5b.exe
    O4 - Global Startup: 0JVH98EA.lnk = C:\WINDOWS\0jvh98ea.exe
    O4 - Global Startup: A8HNMUT6.lnk = C:\WINDOWS\a8hnmut6.exe
    O4 - Global Startup: E1NG0MOT.lnk = C:\WINDOWS\e1ng0mot.exe
    O4 - Global Startup: 0I5W1HRF.lnk = C:\WINDOWS\0i5w1hrf.exe
    O4 - Global Startup: 8CLQ3PO1.lnk = C:\WINDOWS\8clq3po1.exe
    O4 - Global Startup: Z2L54V2H.lnk = C:\WINDOWS\z2l54v2h.exe
    O4 - Global Startup: ID5ZN20A.lnk = C:\WINDOWS\id5zn20a.exe
    O4 - Global Startup: K1HT02BD.lnk = C:\WINDOWS\k1ht02bd.exe
    O4 - Global Startup: X8TH40NY.lnk = C:\WINDOWS\x8th40ny.exe
    O4 - Global Startup: 00626R35.lnk = C:\WINDOWS\00626r35.exe
    O4 - Global Startup: EOU8A042.lnk = C:\WINDOWS\eou8a042.exe
    O4 - Global Startup: 70VBO64B.lnk = C:\WINDOWS\70vbo64b.exe
    O4 - Global Startup: DYTHA7I2.lnk = C:\WINDOWS\dytha7i2.exe
    O4 - Global Startup: 4AGVF9CJ.lnk = C:\WINDOWS\4agvf9cj.exe
    O4 - Global Startup: R2J9AR0G.lnk = C:\WINDOWS\r2j9ar0g.exe
    O4 - Global Startup: 7CWJN9XA.lnk = C:\WINDOWS\7cwjn9xa.exe
    O4 - Global Startup: ETW1G48F.lnk = C:\WINDOWS\etw1g48f.exe
    O4 - Global Startup: GXD3FDHY.lnk = C:\WINDOWS\gxd3fdhy.exe
    O4 - Global Startup: KZE95U4H.lnk = C:\WINDOWS\kze95u4h.exe
    O4 - Global Startup: DBHNFQMC.lnk = C:\WINDOWS\dbhnfqmc.exe
    O4 - Global Startup: 01RRWIEX.lnk = C:\WINDOWS\01rrwiex.exe
    O4 - Global Startup: LD50Z4FR.lnk = C:\WINDOWS\ld50z4fr.exe
    O4 - Global Startup: DDXUR2HT.lnk = C:\WINDOWS\ddxur2ht.exe
    O4 - Global Startup: U00915CI.lnk = C:\WINDOWS\u00915ci.exe
    O4 - Global Startup: FUX816LV.lnk = C:\WINDOWS\fux816lv.exe
    O4 - Global Startup: 4M4BZH79.lnk = C:\WINDOWS\4m4bzh79.exe
    O4 - Global Startup: Q5FINN0J.lnk = C:\WINDOWS\q5finn0j.exe
    O4 - Global Startup: EIJHQFY9.lnk = C:\WINDOWS\eijhqfy9.exe
    O4 - Global Startup: W5OPYPI9.lnk = C:\WINDOWS\w5opypi9.exe
    O4 - Global Startup: 5HYTD0H3.lnk = C:\WINDOWS\5hytd0h3.exe
    O4 - Global Startup: I832NJ9Y.lnk = C:\WINDOWS\i832nj9y.exe
    O4 - Global Startup: 3U8HB5QG.lnk = C:\WINDOWS\3u8hb5qg.exe
    O4 - Global Startup: U0L4J51O.lnk = C:\WINDOWS\u0l4j51o.exe
    O4 - Global Startup: L0IRY1EI.lnk = C:\WINDOWS\l0iry1ei.exe
    O4 - Global Startup: QAGQMI68.lnk = C:\WINDOWS\qagqmi68.exe
    O4 - Global Startup: MR3I5GO2.lnk = C:\WINDOWS\mr3i5go2.exe
    O4 - Global Startup: H0ILLR61.lnk = C:\WINDOWS\h0illr61.exe
    O4 - Global Startup: GB080CO0.lnk = C:\WINDOWS\gb080co0.exe
    O4 - Global Startup: CKR3M1T7.lnk = C:\WINDOWS\ckr3m1t7.exe
    O4 - Global Startup: YLBXVKZ5.lnk = C:\WINDOWS\ylbxvkz5.exe
    O4 - Global Startup: PMKW9HVW.lnk = C:\WINDOWS\pmkw9hvw.exe
    O4 - Global Startup: FRJQMEGQ.lnk = C:\WINDOWS\frjqmegq.exe
    O4 - Global Startup: 9088G0RI.lnk = C:\WINDOWS\9088g0ri.exe
    O4 - Global Startup: 63FO2W8P.lnk = C:\WINDOWS\63fo2w8p.exe
    O4 - Global Startup: KIIZ6DAD.lnk = C:\WINDOWS\kiiz6dad.exe
    O4 - Global Startup: PTBJR0YV.lnk = C:\WINDOWS\ptbjr0yv.exe
    O4 - Global Startup: IVPIYLHA.lnk = C:\WINDOWS\ivpiylha.exe
    O4 - Global Startup: F96O271D.lnk = C:\WINDOWS\f96o271d.exe
    O4 - Global Startup: W0KIUGV3.lnk = C:\WINDOWS\w0kiugv3.exe
    O4 - Global Startup: E8UMPKRI.lnk = C:\WINDOWS\e8umpkri.exe
    O4 - Global Startup: A71BBBXY.lnk = C:\WINDOWS\a71bbbxy.exe
    O4 - Global Startup: 7EEJMV0R.lnk = C:\WINDOWS\7eejmv0r.exe
    O4 - Global Startup: 8DR0LK6H.lnk = C:\WINDOWS\8dr0lk6h.exe
    O4 - Global Startup: 9D962GIL.lnk = C:\WINDOWS\9d962gil.exe
    O4 - Global Startup: FLPIPI5X.lnk = C:\WINDOWS\flpipi5x.exe
    O4 - Global Startup: VTBB7HTF.lnk = C:\WINDOWS\vtbb7htf.exe
    O4 - Global Startup: V0PFEDWE.lnk = C:\WINDOWS\v0pfedwe.exe
    O4 - Global Startup: R50DUBNV.lnk = C:\WINDOWS\r50dubnv.exe
    O4 - Global Startup: 6BYLDG8L.lnk = C:\WINDOWS\6byldg8l.exe
    O4 - Global Startup: B6Z9QTZB.lnk = C:\WINDOWS\b6z9qtzb.exe
    O4 - Global Startup: 2JYOC4FE.lnk = C:\WINDOWS\2jyoc4fe.exe
    O4 - Global Startup: 9A0XYZVZ.lnk = C:\WINDOWS\9a0xyzvz.exe
    O4 - Global Startup: 430IHG38.lnk = C:\WINDOWS\430ihg38.exe
    O4 - Global Startup: PZE0LYNW.lnk = C:\WINDOWS\pze0lynw.exe
    O4 - Global Startup: RYGMDB00.lnk = C:\WINDOWS\rygmdb00.exe
    O4 - Global Startup: EUE8U10D.lnk = C:\WINDOWS\eue8u10d.exe
    O4 - Global Startup: QCBC5FIB.lnk = C:\WINDOWS\qcbc5fib.exe
    O4 - Global Startup: 6AR6QIJN.lnk = C:\WINDOWS\6ar6qijn.exe
    O4 - Global Startup: F6JOLQ9R.lnk = C:\WINDOWS\f6jolq9r.exe
    O4 - Global Startup: GGHZ2XWM.lnk = C:\WINDOWS\gghz2xwm.exe
    O4 - Global Startup: AMYQR8AN.lnk = C:\WINDOWS\amyqr8an.exe
    O4 - Global Startup: LFXFZ1ZN.lnk = C:\WINDOWS\lfxfz1zn.exe
    O4 - Global Startup: 7IPD0OT0.lnk = C:\WINDOWS\7ipd0ot0.exe
    O4 - Global Startup: ZTLWQ65T.lnk = C:\WINDOWS\ztlwq65t.exe
    O4 - Global Startup: 730ON27K.lnk = C:\WINDOWS\730on27k.exe
    O4 - Global Startup: 0E800VPO.lnk = C:\WINDOWS\0e800vpo.exe
    O4 - Global Startup: 6O00Q1I0.lnk = C:\WINDOWS\6o00q1i0.exe
    O4 - Global Startup: 0F8R4OEP.lnk = C:\WINDOWS\0f8r4oep.exe
    O4 - Global Startup: V2OY2965.lnk = C:\WINDOWS\v2oy2965.exe
    O4 - Global Startup: Q1DUYU2B.lnk = C:\WINDOWS\q1duyu2b.exe
    O4 - Global Startup: KLW046EU.lnk = C:\WINDOWS\klw046eu.exe
    O4 - Global Startup: 65RIKF1V.lnk = C:\WINDOWS\65rikf1v.exe
    O4 - Global Startup: E61YQV0K.lnk = C:\WINDOWS\e61yqv0k.exe
    O4 - Global Startup: IY474000.lnk = C:\WINDOWS\iy474000.exe
    O4 - Global Startup: DVH2G0CJ.lnk = C:\WINDOWS\dvh2g0cj.exe
    O4 - Global Startup: CART18WT.lnk = C:\WINDOWS\cart18wt.exe
    O4 - Global Startup: ZG00CQTY.lnk = C:\WINDOWS\zg00cqty.exe
    O4 - Global Startup: DVCHMOQP.lnk = C:\WINDOWS\dvchmoqp.exe
    O4 - Global Startup: WQ000OR9.lnk = C:\WINDOWS\wq000or9.exe
    O4 - Global Startup: BKLUZXWH.lnk = C:\WINDOWS\bkluzxwh.exe
    O4 - Global Startup: 6XM5IP00.lnk = C:\WINDOWS\6xm5ip00.exe
    O4 - Global Startup: 100FZ3W6.lnk = C:\WINDOWS\100fz3w6.exe
    O4 - Global Startup: RPJ50K0P.lnk = C:\WINDOWS\rpj50k0p.exe
    O4 - Global Startup: CB0GB54R.lnk = C:\WINDOWS\cb0gb54r.exe
    O4 - Global Startup: 7OL95Q45.lnk = C:\WINDOWS\7ol95q45.exe
    O4 - Global Startup: 5AC88Q2U.lnk = C:\WINDOWS\5ac88q2u.exe
    O4 - Global Startup: RP0F0431.lnk = C:\WINDOWS\rp0f0431.exe
    O4 - Global Startup: UI343TE5.lnk = C:\WINDOWS\ui343te5.exe
    O4 - Global Startup: IPP5VK6P.lnk = C:\WINDOWS\ipp5vk6p.exe
    O4 - Global Startup: 91ILKFUU.lnk = C:\WINDOWS\91ilkfuu.exe
    O4 - Global Startup: FRWPVKC9.lnk = C:\WINDOWS\frwpvkc9.exe
    O4 - Global Startup: AT5AL0J4.lnk = C:\WINDOWS\at5al0j4.exe
    O4 - Global Startup: 0PLYWONE.lnk = C:\WINDOWS\0plywone.exe
    O4 - Global Startup: 19DM8EFZ.lnk = C:\WINDOWS\19dm8efz.exe
    O4 - Global Startup: 5JRTR3BL.lnk = C:\WINDOWS\5jrtr3bl.exe
    O4 - Global Startup: 5WBNCRWX.lnk = C:\WINDOWS\5wbncrwx.exe
    O4 - Global Startup: LWWTMN8Z.lnk = C:\WINDOWS\lwwtmn8z.exe
    O4 - Global Startup: 0AI00J96.lnk = C:\WINDOWS\0ai00j96.exe
    O4 - Global Startup: 814IWZGP.lnk = C:\WINDOWS\814iwzgp.exe
    O4 - Global Startup: GHUUIUJH.lnk = C:\WINDOWS\ghuuiujh.exe
    O4 - Global Startup: OLX8XLOU.lnk = C:\WINDOWS\olx8xlou.exe
    O4 - Global Startup: FK5EQX2M.lnk = C:\WINDOWS\fk5eqx2m.exe
    O4 - Global Startup: 6V24RC1J.lnk = C:\WINDOWS\6v24rc1j.exe
    O4 - Global Startup: WXUU05DT.lnk = C:\WINDOWS\wxuu05dt.exe
    O4 - Global Startup: F5P8BVZL.lnk = C:\WINDOWS\f5p8bvzl.exe
    O4 - Global Startup: 9GN08FO0.lnk = C:\WINDOWS\9gn08fo0.exe
    O4 - Global Startup: R65KVQJZ.lnk = C:\WINDOWS\r65kvqjz.exe
    O4 - Global Startup: UK1N1OEL.lnk = C:\WINDOWS\uk1n1oel.exe
    O4 - Global Startup: YDRL5I68.lnk = C:\WINDOWS\ydrl5i68.exe
    O4 - Global Startup: TYTFA3QT.lnk = C:\WINDOWS\tytfa3qt.exe
    O4 - Global Startup: E8058OGR.lnk = C:\WINDOWS\e8058ogr.exe
    O4 - Global Startup: 2TFW3GE9.lnk = C:\WINDOWS\2tfw3ge9.exe
    O4 - Global Startup: POATIYTN.lnk = C:\WINDOWS\poatiytn.exe
    O4 - Global Startup: J92WREML.lnk = C:\WINDOWS\j92wreml.exe
    O4 - Global Startup: 1J409VKJ.lnk = C:\WINDOWS\1j409vkj.exe
    O4 - Global Startup: H8G0MJLW.lnk = C:\WINDOWS\h8g0mjlw.exe
    O4 - Global Startup: RIGOT7CQ.lnk = C:\WINDOWS\rigot7cq.exe
    O4 - Global Startup: W6KR010G.lnk = C:\WINDOWS\w6kr010g.exe
    O4 - Global Startup: NYBE43X0.lnk = C:\WINDOWS\nybe43x0.exe
    O4 - Global Startup: Q4FQZWN7.lnk = C:\WINDOWS\q4fqzwn7.exe
    O4 - Global Startup: HH66XNFJ.lnk = C:\WINDOWS\hh66xnfj.exe
    O4 - Global Startup: UWU37NH9.lnk = C:\WINDOWS\uwu37nh9.exe
    O4 - Global Startup: MCBRL5P2.lnk = C:\WINDOWS\mcbrl5p2.exe
    O4 - Global Startup: YMHIKR70.lnk = C:\WINDOWS\ymhikr70.exe
    O4 - Global Startup: K8V5BQ3I.lnk = C:\WINDOWS\k8v5bq3i.exe
    O4 - Global Startup: MRHQKFE1.lnk = C:\WINDOWS\mrhqkfe1.exe
    O4 - Global Startup: 0BZCECA0.lnk = C:\WINDOWS\0bzceca0.exe
    O4 - Global Startup: BQ8TRPG0.lnk = C:\WINDOWS\bq8trpg0.exe
    O4 - Global Startup: Y0O4Y4TX.lnk = C:\WINDOWS\y0o4y4tx.exe
    O4 - Global Startup: 7IA4G1UV.lnk = C:\WINDOWS\7ia4g1uv.exe
    O4 - Global Startup: ULAIIRCC.lnk = C:\WINDOWS\ulaiircc.exe
    O4 - Global Startup: E1DJ9TRK.lnk = C:\WINDOWS\e1dj9trk.exe
    O4 - Global Startup: EQ8IHT9K.lnk = C:\WINDOWS\eq8iht9k.exe
    O4 - Global Startup: T1BT0W1M.lnk = C:\WINDOWS\t1bt0w1m.exe
    O4 - Global Startup: KUPCGJTZ.lnk = C:\WINDOWS\kupcgjtz.exe
    O4 - Global Startup: MM5WRK74.lnk = C:\WINDOWS\mm5wrk74.exe
    O4 - Global Startup: DKP3CZH1.lnk = C:\WINDOWS\dkp3czh1.exe
    O4 - Global Startup: INVHHXJW.lnk = C:\WINDOWS\invhhxjw.exe
    O4 - Global Startup: B08AHGEZ.lnk = C:\WINDOWS\b08ahgez.exe
    O4 - Global Startup: NCKBXDXT.lnk = C:\WINDOWS\nckbxdxt.exe
    O4 - Global Startup: T5BTE232.lnk = C:\WINDOWS\t5bte232.exe
    O4 - Global Startup: FO9V3ZU3.lnk = C:\WINDOWS\fo9v3zu3.exe
    O4 - Global Startup: 9REPJ0TT.lnk = C:\WINDOWS\9repj0tt.exe
    O4 - Global Startup: K50IDKW8.lnk = C:\WINDOWS\k50idkw8.exe
    O4 - Global Startup: 758VRQVL.lnk = C:\WINDOWS\758vrqvl.exe
    O4 - Global Startup: LCXJAG00.lnk = C:\WINDOWS\lcxjag00.exe
    O4 - Global Startup: 0LNAQ141.lnk = C:\WINDOWS\0lnaq141.exe
    O4 - Global Startup: 8EGQ32U9.lnk = C:\WINDOWS\8egq32u9.exe
    O4 - Global Startup: MZN0A6I9.lnk = C:\WINDOWS\mzn0a6i9.exe
    O4 - Global Startup: 8IKBFQM8.lnk = C:\WINDOWS\8ikbfqm8.exe
    O4 - Global Startup: A6RIHP5O.lnk = C:\WINDOWS\a6rihp5o.exe
    O4 - Global Startup: YLV2PFMY.lnk = C:\WINDOWS\ylv2pfmy.exe
    O4 - Global Startup: QI9NMPG8.lnk = C:\WINDOWS\qi9nmpg8.exe
    O4 - Global Startup: G5WEYTJW.lnk = C:\WINDOWS\g5weytjw.exe
    O4 - Global Startup: 0CVF6QQ7.lnk = C:\WINDOWS\0cvf6qq7.exe
    O4 - Global Startup: RI3OYKFZ.lnk = C:\WINDOWS\ri3oykfz.exe
    O4 - Global Startup: HEJBEY0B.lnk = C:\WINDOWS\hejbey0b.exe
    O4 - Global Startup: A7BFRJ88.lnk = C:\WINDOWS\a7bfrj88.exe
    O4 - Global Startup: WATAFEB7.lnk = C:\WINDOWS\watafeb7.exe
    O4 - Global Startup: RMITAGPK.lnk = C:\WINDOWS\rmitagpk.exe
    O4 - Global Startup: CU55NB28.lnk = C:\WINDOWS\cu55nb28.exe
    O4 - Global Startup: ME83XIK3.lnk = C:\WINDOWS\me83xik3.exe
    O4 - Global Startup: HZ89MKNB.lnk = C:\WINDOWS\hz89mknb.exe
    O4 - Global Startup: 0J5031D0.lnk = C:\WINDOWS\0j5031d0.exe
    O4 - Global Startup: 83A3Y7VA.lnk = C:\WINDOWS\83a3y7va.exe
    O4 - Global Startup: TN3R6RJM.lnk = C:\WINDOWS\tn3r6rjm.exe
    O4 - Global Startup: IUP90D6V.lnk = C:\WINDOWS\iup90d6v.exe
    O4 - Global Startup: LFPFELPV.lnk = C:\WINDOWS\lfpfelpv.exe
    O4 - Global Startup: P3M7K0B8.lnk = C:\WINDOWS\p3m7k0b8.exe
    O4 - Global Startup: G86YPAMK.lnk = C:\WINDOWS\g86ypamk.exe
    O4 - Global Startup: W24YYV65.lnk = C:\WINDOWS\w24yyv65.exe
    O4 - Global Startup: NH51Y648.lnk = C:\WINDOWS\nh51y648.exe
    O4 - Global Startup: BXOQCJDP.lnk = C:\WINDOWS\bxoqcjdp.exe
    O4 - Global Startup: 0OQTHH2C.lnk = C:\WINDOWS\0oqthh2c.exe
    O4 - Global Startup: NWQVEH9U.lnk = C:\WINDOWS\nwqveh9u.exe
    O4 - Global Startup: 35IC95PZ.lnk = C:\WINDOWS\35ic95pz.exe
    O4 - Global Startup: Z4EP3P6A.lnk = C:\WINDOWS\z4ep3p6a.exe
    O4 - Global Startup: BGTVKF0I.lnk = C:\WINDOWS\bgtvkf0i.exe
    O4 - Global Startup: 8RNJ0VCZ.lnk = C:\WINDOWS\8rnj0vcz.exe
    O4 - Global Startup: 8Q2YELYC.lnk = C:\WINDOWS\8q2yelyc.exe
    O4 - Global Startup: Y6WL5U8E.lnk = C:\WINDOWS\y6wl5u8e.exe
    O4 - Global Startup: ZVJG2H06.lnk = C:\WINDOWS\zvjg2h06.exe
    O4 - Global Startup: 70E0J08X.lnk = C:\WINDOWS\70e0j08x.exe
    O4 - Global Startup: Y670CJ6L.lnk = C:\WINDOWS\y670cj6l.exe
    O4 - Global Startup: 0J5K5JE5.lnk = C:\WINDOWS\0j5k5je5.exe
    O4 - Global Startup: EHZ6ALNG.lnk = C:\WINDOWS\ehz6alng.exe
    O4 - Global Startup: 05YYJBWI.lnk = C:\WINDOWS\05yyjbwi.exe
    O4 - Global Startup: 33XD0WQO.lnk = C:\WINDOWS\33xd0wqo.exe
    O4 - Global Startup: DHM0BW0Y.lnk = C:\WINDOWS\dhm0bw0y.exe
    O4 - Global Startup: 8OWQ807I.lnk = C:\WINDOWS\8owq807i.exe
    O4 - Global Startup: U493HFBG.lnk = C:\WINDOWS\u493hfbg.exe
    O4 - Global Startup: 3213U07N.lnk = C:\WINDOWS\3213u07n.exe
    O4 - Global Startup: ZQ9YVOD3.lnk = C:\WINDOWS\zq9yvod3.exe
    O4 - Global Startup: 06OUCR02.lnk = C:\WINDOWS\06oucr02.exe
    O4 - Global Startup: P5JWA188.lnk = C:\WINDOWS\p5jwa188.exe
    O4 - Global Startup: PA5MTF69.lnk = C:\WINDOWS\pa5mtf69.exe
    O4 - Global Startup: NWOFKPWA.lnk = C:\WINDOWS\nwofkpwa.exe
    O4 - Global Startup: 2A7A03UV.lnk = C:\WINDOWS\2a7a03uv.exe
    O4 - Global Startup: 600INM1P.lnk = C:\WINDOWS\600inm1p.exe
    O4 - Global Startup: 3YZ79G88.lnk = C:\WINDOWS\3yz79g88.exe
    O4 - Global Startup: RMW3M7DM.lnk = C:\WINDOWS\rmw3m7dm.exe
    O4 - Global Startup: 9J5DAHDV.lnk = C:\WINDOWS\9j5dahdv.exe
    O4 - Global Startup: RX2408H0.lnk = C:\WINDOWS\rx2408h0.exe
    O4 - Global Startup: 823G1970.lnk = C:\WINDOWS\823g1970.exe
    O4 - Global Startup: UNNUZ0PV.lnk = C:\WINDOWS\unnuz0pv.exe
    O4 - Global Startup: Q009FKKM.lnk = C:\WINDOWS\q009fkkm.exe
    O4 - Global Startup: 9XYLVWIW.lnk = C:\WINDOWS\9xylvwiw.exe
    O4 - Global Startup: 17KBKO90.lnk = C:\WINDOWS\17kbko90.exe
    O4 - Global Startup: 2LJ3B22H.lnk = C:\WINDOWS\2lj3b22h.exe
    O4 - Global Startup: 66ID990W.lnk = C:\WINDOWS\66id990w.exe
    O4 - Global Startup: PFT8J8GC.lnk = C:\WINDOWS\pft8j8gc.exe
    O4 - Global Startup: DYEVYLXH.lnk = C:\WINDOWS\dyevylxh.exe
    O4 - Global Startup: O5TIN34K.lnk = C:\WINDOWS\o5tin34k.exe
    O4 - Global Startup: R4J7MXMI.lnk = C:\WINDOWS\r4j7mxmi.exe
    O4 - Global Startup: QTCL1AR4.lnk = C:\WINDOWS\qtcl1ar4.exe
    O4 - Global Startup: 277BNZMB.lnk = C:\WINDOWS\277bnzmb.exe
    O4 - Global Startup: P52BNZ2P.lnk = C:\WINDOWS\p52bnz2p.exe
    O4 - Global Startup: H9BZBJZN.lnk = C:\WINDOWS\h9bzbjzn.exe
    O4 - Global Startup: 5IXEYO93.lnk = C:\WINDOWS\5ixeyo93.exe
    O4 - Global Startup: NOWC4JCY.lnk = C:\WINDOWS\nowc4jcy.exe
    O4 - Global Startup: 5RY8Z3Q8.lnk = C:\WINDOWS\5ry8z3q8.exe
    O4 - Global Startup: NKZ1XRU3.lnk = C:\WINDOWS\nkz1xru3.exe
    O4 - Global Startup: 2G61U4G4.lnk = C:\WINDOWS\2g61u4g4.exe
    O4 - Global Startup: MUMDY7PR.lnk = C:\WINDOWS\mumdy7pr.exe
    O4 - Global Startup: XGXTIRX0.lnk = C:\WINDOWS\xgxtirx0.exe
    O4 - Global Startup: FVZLWIWU.lnk = C:\WINDOWS\fvzlwiwu.exe
    O4 - Global Startup: 3W5VXOUG.lnk = C:\WINDOWS\3w5vxoug.exe
    O4 - Global Startup: HCMZ0UZR.lnk = C:\WINDOWS\hcmz0uzr.exe
    O4 - Global Startup: MF7O20LN.lnk = C:\WINDOWS\mf7o20ln.exe
    O4 - Global Startup: AI0TYTRI.lnk = C:\WINDOWS\ai0tytri.exe
    O4 - Global Startup: EQD6XA4K.lnk = C:\WINDOWS\eqd6xa4k.exe
    O4 - Global Startup: BWNWTCPO.lnk = C:\WINDOWS\bwnwtcpo.exe
    O4 - Global Startup: OUBMKO6U.lnk = C:\WINDOWS\oubmko6u.exe
    O4 - Global Startup: 30YHPWCV.lnk = C:\WINDOWS\30yhpwcv.exe
    O4 - Global Startup: P4DJG4WH.lnk = C:\WINDOWS\p4djg4wh.exe
    O4 - Global Startup: 5630ED0N.lnk = C:\WINDOWS\5630ed0n.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: &Define - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
    O8 - Extra context menu item: Look Up in &Encyclopedia - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
    O8 - Extra context menu item: Web Savings - file://C:\Program Files\websearch\System\Temp\ebateswebsavings_script0.htm
    O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsearch.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmcache.html
    O8 - Extra context menu item: Si&milar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsimilar.html
    O8 - Extra context menu item: Backward &Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmbacklinks.html
    O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmtrans.html
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O9 - Extra button: Encarta Encyclopedia (HKLM)
    O9 - Extra 'Tools' menuitem: Encarta Encyclopedia (HKLM)
    O9 - Extra button: Define (HKLM)
    O9 - Extra 'Tools' menuitem: Define (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: MSN Messenger Service (HKLM)
    O9 - Extra button: Dell Home (HKCU)
    O10 - Unknown file in Winsock LSP: c:\windows\system\inetadpt.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system\inetadpt.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system\inetadpt.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system\inetadpt.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system\inetadpt.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system\inetadpt.dll
    O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.rr.com
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/1991c6b6004c20d14703/netzip/RdxIE601.cab
     
  2. puff-m-d

    puff-m-d Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    4,451
    Location:
    North Carolina, USA
    Hi scarfish,

    You have a version of Adtomi on your system.
    Follow the instructions below to fix it.

    Download the appropriate file below (Adtomi Cleanup.zip):
    For 98 or ME or For XP.
    It was created by Mosaic1 and is available here with her kind permission.

    Then if you have a Script Blocking Program enabled, disable it first so the scripts may run.

    Unzip the file downloaded above to C:\Windows.

    See if there is an Adtomi or yahoo stocks icon in your system tray, it might be red ?? and if so right click and select remove (you must be online for this part).
    A web page from Adtomi would appear "-uninstall was succesful!".
    Then go off line. (Note that all infections may not have this icon, so if it isn't there then don't worry.)

    Next press CTRL >> ALT >> DEL once to bring up task manager and stop the running process on the funny named file with 8 assorted, random letters & numbers.
    There also might be morze1 running, if so end that process as well.
    If you don't have any strange named exe files running or you can't stop it running, then DO NOT CONTINUE, please ask for more help first.

    Now locate and double click Cleanup.bat that is in the folder you unzipped (C:\Windows\Adtomi Cleanup).
    ***Do not touch the VBS files. The bat file will run the scripts.
    It will remove the Adtomi spyware files from the windows folder, clean the startup folders, create backups of the Adtomi exe files it deletes and save them in this folder, create a list of all oddly named files deleted from the windows folder, uninstall the BHO, and start HijackThis and give you directions on what to remove.

    When you have finished please restart the computer.

    Run HijackThis again and post the contents of your new log and the contents of Adtomi.txt in your next reply in your Forum Topic.

    Regards,
    Kent
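
The startup entries this reply keys on (an 8-character random name of letters and digits, sitting directly in C:\WINDOWS, with the shortcut or Run value named after the file itself) can be picked out of a HijackThis log mechanically. The following is an added example, not part of the original thread and not the Adtomi Cleanup scripts; the function names and the matching rule are assumptions made for illustration, and the sample lines are copied from the logs posted in this thread. Matches are triage candidates for a human to review, not verdicts.

```python
import re
from collections import Counter
from typing import NamedTuple

# Constructed sample: a few O4/O10 lines copied from the logs in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [RunWindowsUpdate] C:\WINDOWS\UPTODATE.EXE
O4 - HKLM\..\Run: [G699G6XM.EXE] C:\WINDOWS\G699G6XM.EXE /dk
O4 - HKCU\..\Run: [G699G6XM.EXE] C:\WINDOWS\G699G6XM.EXE /dk
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: H8G0MJLW.lnk = C:\WINDOWS\h8g0mjlw.exe
O4 - Global Startup: RIGOT7CQ.lnk = C:\WINDOWS\rigot7cq.exe
O4 - Global Startup: KUPCGJTZ.lnk = C:\WINDOWS\kupcgjtz.exe
O10 - Unknown file in Winsock LSP: c:\windows\system\inetadpt.dll
"""


class Autostart(NamedTuple):
    source: str   # e.g. "HKLM\..\Run" or "Global Startup"
    name: str     # registry value name or shortcut file name
    command: str  # command line or shortcut target


# O4 registry autoruns: "O4 - HKLM\..\Run: [name] command"
RUN_RE = re.compile(
    r"^O4 - (?P<source>HK(?:LM|CU)\\\.\.\\Run\w*): \[(?P<name>[^\]]*)\] (?P<command>.+)$"
)
# O4 startup-folder shortcuts: "O4 - Global Startup: name.lnk = target"
LNK_RE = re.compile(
    r"^O4 - (?P<source>(?:Global )?Startup): (?P<name>.+?\.lnk) = (?P<command>.+)$",
    re.IGNORECASE,
)
# An .exe with an 8-character alphanumeric stem directly inside \WINDOWS.
TARGET_RE = re.compile(
    r'^"?[A-Z]:\\WINDOWS\\(?P<stem>[A-Z0-9]{8})\.EXE"?(?:\s|$)', re.IGNORECASE
)


def parse_o4(log_text):
    """Return every O4 (autostart) entry found in a HijackThis log."""
    entries = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = RUN_RE.match(line) or LNK_RE.match(line)
        if m:
            entries.append(Autostart(m["source"], m["name"], m["command"]))
    return entries


def random_name_candidates(entries):
    """Entries whose name is the target file's own 8-character stem.

    Assumed rule: the target is <drive>:\\WINDOWS\\XXXXXXXX.exe and the
    shortcut (XXXXXXXX.lnk) or Run value (XXXXXXXX.EXE) repeats that stem.
    Requiring the repeated stem keeps ordinary entries such as
    [RunWindowsUpdate] -> UPTODATE.EXE out of the result.
    """
    hits = []
    for entry in entries:
        m = TARGET_RE.match(entry.command)
        if not m:
            continue
        name_stem, dot, ext = entry.name.rpartition(".")
        if dot and ext.lower() in ("lnk", "exe") and name_stem.lower() == m["stem"].lower():
            hits.append(entry)
    return hits


def count_by_source(entries):
    """How many entries each autostart location contributes."""
    return Counter(entry.source for entry in entries)


if __name__ == "__main__":
    found = random_name_candidates(parse_o4(SAMPLE_LOG))
    for entry in found:
        print(f"{entry.source:16} {entry.name:14} {entry.command}")
    print(dict(count_by_source(found)))
```

A legitimate program with an 8-character name that registers itself under its own file name would also match, so each hit still needs checking against the file on disk before anything is fixed or deleted.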
     
  3. scarfish

    scarfish Registered Member

    Joined:
    Apr 15, 2004
    Posts:
    5
    I don't have any strange things to stop the running process on - I just have Explorer and Ccap running, what should I do?
     
  4. puff-m-d

    puff-m-d Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    4,451
    Location:
    North Carolina, USA
    Just continue on with the next step then.

    Regards,
    Kent
     
  5. scarfish

    scarfish Registered Member

    Joined:
    Apr 15, 2004
    Posts:
    5
    Alright, my log is much smaller now, but there are still some unknown BHOs on there.

    Logfile of HijackThis v1.97.7
    Scan saved at 7:32:04 PM, on 4/16/2004
    Platform: Windows ME (Win9x 4.90.3000)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
    C:\WINDOWS\SYSTEM\LEXBCES.EXE
    C:\WINDOWS\SYSTEM\RPCSS.EXE
    C:\PROGRAM FILES\MUSICMATCH\MUSICMATCH JUKEBOX\MM_TRAY.EXE
    C:\PROGRAM FILES\OPEN FORD\SIXTHMETABYTE.EXE
    C:\WINDOWS\SYSTEM\LEXPPS.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\WINDOWS\SYSTEM\STIMON.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\WINDOWS\TEMP\TD_0001.DIR\HIJACKTHIS.EXE

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://allaboutsearching.com/passthrough/index.html?http://www.rr.com/flash/index.cfm?division=30
    R3 - Default URLSearchHook is missing
    O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WINDOWS\TWAINTEC.DLL
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\PROGRAM FILES\SPYWAREGUARD\DLPROTECT.DLL
    O2 - BHO: (no name) - {05495B02-DBEA-495C-E2ED-783E686531F6} - C:\PROGRAM FILES\MEMO OPTION NURB\DOG WINDOW.DLL
    O2 - BHO: (no name) - {0019C3E2-DD48-4A6D-ABCD-8D32436323D9} - C:\WINDOWS\BXXS5.DLL
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: WinWipe - {A2106FDE-753B-9DE8-0142-67AC6F67EC84} - C:\PROGRAM FILES\MEMO OPTION NURB\DOG WINDOW.DLL
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
    O4 - HKLM\..\Run: [LexStart] lexstart.exe
    O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
    O4 - HKLM\..\Run: [creativemp3] C:\PROGRA~1\Open ford\sixthmetabyte.exe
    O4 - HKLM\..\Run: [AutoUpdater] "c:\Program Files\AutoUpdate\AutoUpdate.exe"
    O4 - HKLM\..\Run: [bxxs5] RunDLL32.EXE C:\WINDOWS\BXXS5.DLL,DllRun
    O4 - HKLM\..\Run: [Tau Monitor] C:\PROGRAM FILES\AGNITUM\TAUSCAN 1.7\TAUMON.EXE
    O4 - HKLM\..\Run: [G699G6XM.EXE] C:\WINDOWS\G699G6XM.EXE /dk
    O4 - HKLM\..\RunServices: [ccEvtMgr] "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
    O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKCU\..\Run: [G699G6XM.EXE] C:\WINDOWS\G699G6XM.EXE /dk
    O4 - Startup: Screen Saver Control.lnk = C:\WINDOWS\FSScrCtl.exe
    O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: &Define - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
    O8 - Extra context menu item: Look Up in &Encyclopedia - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
    O8 - Extra context menu item: Web Savings - file://C:\Program Files\websearch\System\Temp\ebateswebsavings_script0.htm
    O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsearch.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmcache.html
    O8 - Extra context menu item: Si&milar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsimilar.html
    O8 - Extra context menu item: Backward &Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmbacklinks.html
    O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmtrans.html
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O9 - Extra button: Encarta Encyclopedia (HKLM)
    O9 - Extra 'Tools' menuitem: Encarta Encyclopedia (HKLM)
    O9 - Extra button: Define (HKLM)
    O9 - Extra 'Tools' menuitem: Define (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: MSN Messenger Service (HKLM)
    O9 - Extra button: Dell Home (HKCU)
    O10 - Unknown file in Winsock LSP: c:\windows\system\inetadpt.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system\inetadpt.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system\inetadpt.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system\inetadpt.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system\inetadpt.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system\inetadpt.dll
    O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.rr.com
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/1991c6b6004c20d14703/netzip/RdxIE601.cab
     
  6. puff-m-d

    puff-m-d Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    4,451
    Location:
    North Carolina, USA
    Hi scarfish,

    Download LSPfix as you will need it in a later step.

    Before you start, please unzip or move HijackThis to a separate folder of its own. The program will make backups to the folder it's in. These easily get lost in a temporary folder or a folder with other programs.

    Check the following items in HijackThis.
    Close all windows except HijackThis and click Fix checked:

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://allaboutsearching.com/passth...cfm?division=30
    R3 - Default URLSearchHook is missing
    O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WINDOWS\TWAINTEC.DLL

    O2 - BHO: (no name) - {05495B02-DBEA-495C-E2ED-783E686531F6} - C:\PROGRAM FILES\MEMO OPTION NURB\DOG WINDOW.DLL
    O2 - BHO: (no name) - {0019C3E2-DD48-4A6D-ABCD-8D32436323D9} - C:\WINDOWS\BXXS5.DLL

    O3 - Toolbar: WinWipe - {A2106FDE-753B-9DE8-0142-67AC6F67EC84} - C:\PROGRAM FILES\MEMO OPTION NURB\DOG WINDOW.DLL

    O4 - HKLM\..\Run: [creativemp3] C:\PROGRA~1\Open ford\sixthmetabyte.exe
    O4 - HKLM\..\Run: [AutoUpdater] "c:\Program Files\AutoUpdate\AutoUpdate.exe"
    O4 - HKLM\..\Run: [bxxs5] RunDLL32.EXE C:\WINDOWS\BXXS5.DLL,DllRun

    O4 - HKLM\..\Run: [G699G6XM.EXE] C:\WINDOWS\G699G6XM.EXE /dk

    O4 - HKCU\..\Run: [G699G6XM.EXE] C:\WINDOWS\G699G6XM.EXE /dk

    O10 - Unknown file in Winsock LSP: c:\windows\system\inetadpt.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system\inetadpt.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system\inetadpt.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system\inetadpt.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system\inetadpt.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system\inetadpt.dll

    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/1991c6b...ip/RdxIE601.cab

    Run LSPfix. Check "I know what I am doing" and move ALL instances of "inetadpt.dll", and ONLY "inetadpt.dll" to the remove pane and click finish.

    There also may be hidden files. See HERE for how to show hidden files.

    Then reboot into safe mode and delete:

    C:\WINDOWS\TWAINTEC.DLL
    C:\PROGRAM FILES\MEMO OPTION NURB\ <-- entire folder
    C:\WINDOWS\BXXS5.DLL
    C:\PROGRA~1\Open ford\ <-- entire folder
    c:\Program Files\AutoUpdate\ <-- entire folder
    C:\WINDOWS\G699G6XM.EXE
    c:\windows\system\inetadpt.dll

    Reboot and then post a fresh HijackThis log.

    Regards,
    Kent
     
  7. scarfish

    scarfish Registered Member

    Joined:
    Apr 15, 2004
    Posts:
    5
    Alright, I did everything. I've got a couple of questions though.
    1. In the LSP scan results, there was also a msafd.dll and a rsvpsp.dll; I should leave those?
    2. After I exited Safe Mode and rebooted, a windows prompt told me "windows detected inconsistencies..." and that they would be corrected the next time I reboot. What are they talking about? Hopefully not everything I just did.
    3. While deleting files in safe mode, I could not locate Autoupdate in Program Files, and BXXS5.DLL or G699G6X.EXE in Windows.

    Here are my current HijackThis results

    Logfile of HijackThis v1.97.7
    Scan saved at 11:36:42 AM, on 4/17/2004
    Platform: Windows ME (Win9x 4.90.3000)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\WINDOWS\SYSTEM\SSDPSRV.EXE
    C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
    C:\PROGRAM FILES\LEXMARK X1100 SERIES\LXBKBMGR.EXE
    C:\PROGRAM FILES\LEXMARK X1100 SERIES\LXBKBMON.EXE
    C:\WINDOWS\SYSTEM\LEXBCES.EXE
    C:\WINDOWS\SYSTEM\RPCSS.EXE
    C:\PROGRAM FILES\MUSICMATCH\MUSICMATCH JUKEBOX\MM_TRAY.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS\SYSTEM\LEXPPS.EXE
    C:\PROGRAM FILES\MICROSOFT HARDWARE\MOUSE\POINT32.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\WINDOWS\TPPALDR.EXE
    C:\PROGRAM FILES\MICROSOFT MONEY\SYSTEM\MONEY EXPRESS.EXE
    C:\WINDOWS\FSSCRCTL.EXE
    C:\WINDOWS\SYSTEM\PSTORES.EXE
    C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\WORKS SHARED\WKCALREM.EXE
    C:\PROGRAM FILES\SPYWAREGUARD\SGMAIN.EXE
    C:\PROGRAM FILES\SPYWAREGUARD\SGBHP.EXE
    C:\WINDOWS\SYSTEM\STIMON.EXE
    C:\WINDOWS\TEMP\TD_0001.DIR\HIJACKTHIS.EXE
    C:\WINDOWS\WJVIEW.EXE

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rr.com/flash/index.cfm?division=30
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://sidebar.smarter.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.smarter.com/index.php?sidebar=1
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\PROGRAM FILES\SPYWAREGUARD\DLPROTECT.DLL
    O2 - BHO: (no name) - {05495B02-DBEA-495C-E2ED-783E686531F6} - C:\PROGRAM FILES\MEMO OPTION NURB\DOG WINDOW.DLL (file missing)
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
    O4 - HKLM\..\Run: [LexStart] lexstart.exe
    O4 - HKLM\..\Run: [MMTray] C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe
    O4 - HKLM\..\Run: [AutoUpdater] "c:\Program Files\AutoUpdate\AutoUpdate.exe"
    O4 - HKLM\..\Run: [creativemp3] C:\PROGRA~1\OPENFO~1\sixthmetabyte.exe
    O4 - HKLM\..\Run: [EanthologyApp] C:\PROGRA~1\COMMON~1\EACCEL~1\EANTHO~1.EXE /b Startup
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
    O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
    O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
    O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
    O4 - HKLM\..\Run: [POINTER] point32.exe
    O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
    O4 - HKLM\..\Run: [Ink Monitor] C:\Program Files\EPSON\Ink Monitor\InkMonitor.exe
    O4 - HKLM\..\Run: [CreateCD50] "C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [babeie] rundll32 "C:\Program Files\CommonName\Toolbar\CNBabe.dll",DllStartup
    O4 - HKLM\..\Run: [WebScan] C:\PROGRAM FILES\ACCELERATION SOFTWARE\ANTI-VIRUS\DEFSCANGUI.EXE -k
    O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,NewDotNetStartup
    O4 - HKLM\..\Run: [SENTRY] C:\WINDOWS\SENTRY.exe
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [KAZAA] C:\PROGRAM FILES\KAZAA\KAZAA.EXE /SYSTRAY
    O4 - HKLM\..\Run: [SaveNow] C:\Program Files\SaveNow\SaveNow.exe
    O4 - HKLM\..\Run: [WinStart] C:\WINDOWS\System\WinStart.exe -boot
    O4 - HKLM\..\Run: [Winkjpc] C:\WINDOWS\SYSTEM\Winkjpc.exe
    O4 - HKLM\..\Run: [TPP Auto Loader] C:\WINDOWS\TPPALDR.EXE
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [WINSTART001.EXE] C:\WINDOWS\System\WINSTART001.EXE -b
    O4 - HKLM\..\Run: [msbb] C:\WINDOWS\SYSTEM\MSBB.EXE
    O4 - HKLM\..\Run: [RunWindowsUpdate] C:\WINDOWS\UPTODATE.EXE
    O4 - HKLM\..\Run: [winnet] C:\PROGRA~1\COMMON~2\ADDRES~1\WINNET.EXE
    O4 - HKLM\..\Run: [BEHKO] C:\WINDOWS\BEHKO.exe
    O4 - HKLM\..\Run: [Winknm] C:\WINDOWS\SYSTEM\Winknm.exe
    O4 - HKLM\..\Run: [Winkmv] C:\WINDOWS\SYSTEM\Winkmv.exe
    O4 - HKLM\..\Run: [Rundll16] C:\WINDOWS\RUNDLL16.EXE
    O4 - HKLM\..\Run: [Rundll32_7] rundll32.exe C:\WINDOWS\SYSTEM\MSIEFR40.DLL,DllRunServer
    O4 - HKLM\..\Run: [websearch] wjview /cp:p "C:\Program Files\websearch\System\Code" Main lp: "C:\Program Files\websearch"
    O4 - HKLM\..\Run: [{2CF0B992-5EEB-4143-99C2-5297EF71F44B}] rundll32.exe C:\WINDOWS\SYSTEM\STLBUPDT.DLL,DllRunMain
    O4 - HKLM\..\Run: [TB_setup] C:\WINDOWS\TEMP\TB_ANI~1.EXE /dcheck
    O4 - HKLM\..\RunServices: [ccEvtMgr] "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
    O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
    O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKCU\..\Run: [eZmmod] C:\PROGRA~1\ezula\mmod.exe
    O4 - HKCU\..\Run: [msbb] C:\WINDOWS\SYSTEM\MSBB.EXE
    O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
    O4 - Startup: Screen Saver Control.lnk = C:\WINDOWS\FSScrCtl.exe
    O4 - Startup: Scour.lnk = C:\Program Files\Scour\DesktopClient.exe
    O4 - Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
    O4 - Startup: America Online 7.0 Tray Icon.lnk = C:\Program Files\America Online 7.0\aoltray.exe
    O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: &Define - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
    O8 - Extra context menu item: Look Up in &Encyclopedia - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
    O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsearch.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmcache.html
    O8 - Extra context menu item: Si&milar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsimilar.html
    O8 - Extra context menu item: Backward &Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmbacklinks.html
    O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmtrans.html
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O9 - Extra button: Encarta Encyclopedia (HKLM)
    O9 - Extra 'Tools' menuitem: Encarta Encyclopedia (HKLM)
    O9 - Extra button: Define (HKLM)
    O9 - Extra 'Tools' menuitem: Define (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: MSN Messenger Service (HKLM)
    O9 - Extra button: Dell Home (HKCU)
    O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.rr.com
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
     
  8. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    removing those has allowed the rest of the rubbish to show up

    now do this please

    I must warn you that while you have Kazaa installed in the computer you will have major problems with trojans/viruses/spyware etc. I strongly advise you to uninstall it. After removing all the spyware that these applications will do Kazaa will not work properly if at all


    First download CWshredder from https://www.wilderssecurity.com/showthread.php?t=14086 then Run it
    Close all browser windows, click on the cwshredder.exe then click "FIX" (Not "Scan only") and let it do its thing.


    Reboot After running cwshredder and as soon as possible follow this advice:
    Now as CWS Hijacks are normally installed via the byte verifier exploit in M$ JavaVM, just surfing a page with an infected applet can install it with no user participation. So once you’ve run the above, it is vital that you go here, click Scan for updates in the main frame, and download and install all CRITICAL updates recommended.

    then reboot &
    Download and unzip or install these programs/applications if you haven't already got them. If you have them, then make sure they are updated and configured as described

    Spybot - Search & Destroy from http://security.kolla.de
    AdAware 6 from http://www.lavasoft.de/support/download


    Run Spybot S&D

    After installing, first press Online, press search for updates, then tick the updates it finds, then press download updates. Beside the download button is a little down pointed arrow, select one of the servers listed. If it doesn't work or you get an error message then try a different server

    Next, close all Internet Explorer and OE windows, press 'Check for Problems', and have SpyBot remove all it finds that is marked in RED.

    then reboot &

    Run ADAWARE

    Before you scan with AdAware, check for updates of the reference file by using the "webupdate".
    the current ref file should read at least 01R296 16.04.2004 or a higher number/later date

    Then ........

    Make sure the following settings are made and on -------"ON=GREEN"
    From main window :Click "Start" then " Activate in-depth scan"

    then......

    click "Use custom scanning options>Customize" and have these options on: "Scan within archives" ,"Scan active processes","Scan registry", "Deep scan registry" ,"Scan my IE Favorites for banned URL" and "Scan my host-files"

    then.........

    go to settings(the gear on top of AdAware)>Tweak>Scanning engine and tick "Unload recognized processes during scanning" ...........then........"Cleaning engine" and "Let windows remove files in use at next reboot"

    then...... click "proceed" to save your settings.

    Now to scan it's just to click the "Scan" button.

    When scan is finished, mark everything for removal and get rid of it. (Right-click the window and choose"select all" from the drop down menu) then press next and then say yes to the prompt, do you want to remove all these entries.

    reboot again

    then post a new hijackthis log to check what is left
     
  9. scarfish

    scarfish Registered Member

    Joined:
    Apr 15, 2004
    Posts:
    5
    I cannot get AdAware to delete the 1091 objects it found in my last scan. It will go as far as to check them, and begin to quarantine them, but then it stops. I've done this 3 times now.

    Also, I thought that I was completely rid of Kazaa, which I eliminated months ago. How should I go about getting rid of the rest of Kazaa?

    Here is my HJT! log as of now. I must thank everyone here once again for all you've done.

    Logfile of HijackThis v1.97.7
    Scan saved at 10:47:21 PM, on 4/17/2004
    Platform: Windows ME (Win9x 4.90.3000)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\WINDOWS\SYSTEM\SSDPSRV.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
    C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
    C:\PROGRAM FILES\LEXMARK X1100 SERIES\LXBKBMGR.EXE
    C:\PROGRAM FILES\LEXMARK X1100 SERIES\LXBKBMON.EXE
    C:\WINDOWS\SYSTEM\LEXBCES.EXE
    C:\WINDOWS\SYSTEM\RPCSS.EXE
    C:\PROGRAM FILES\MUSICMATCH\MUSICMATCH JUKEBOX\MM_TRAY.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS\SYSTEM\LEXPPS.EXE
    C:\PROGRAM FILES\MICROSOFT HARDWARE\MOUSE\POINT32.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\WINDOWS\TPPALDR.EXE
    C:\WINDOWS\FSSCRCTL.EXE
    C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\WORKS SHARED\WKCALREM.EXE
    C:\PROGRAM FILES\SPYWAREGUARD\SGMAIN.EXE
    C:\PROGRAM FILES\SPYWAREGUARD\SGBHP.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\WINDOWS\SYSTEM\STIMON.EXE
    C:\WINDOWS\TEMP\TD_0002.DIR\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://sidebar.smarter.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.smarter.com/index.php?sidebar=1
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rr.com/flash/index.cfm?division=30
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://sidebar.smarter.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.smarter.com/index.php?sidebar=1
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.smarter.com/index.php?sidebar=1
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.smarter.com/index.php?sidebar=1
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\PROGRAM FILES\SPYWAREGUARD\DLPROTECT.DLL
    O2 - BHO: (no name) - {05495B02-DBEA-495C-E2ED-783E686531F6} - C:\PROGRAM FILES\MEMO OPTION NURB\DOG WINDOW.DLL (file missing)
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
    O4 - HKLM\..\Run: [LexStart] lexstart.exe
    O4 - HKLM\..\Run: [MMTray] C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe
    O4 - HKLM\..\Run: [AutoUpdater] "c:\Program Files\AutoUpdate\AutoUpdate.exe"
    O4 - HKLM\..\Run: [creativemp3] C:\PROGRA~1\OPENFO~1\sixthmetabyte.exe
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
    O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
    O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
    O4 - HKLM\..\Run: [POINTER] point32.exe
    O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
    O4 - HKLM\..\Run: [Ink Monitor] C:\Program Files\EPSON\Ink Monitor\InkMonitor.exe
    O4 - HKLM\..\Run: [CreateCD50] "C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [WebScan] C:\PROGRAM FILES\ACCELERATION SOFTWARE\ANTI-VIRUS\DEFSCANGUI.EXE -k
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [KAZAA] C:\PROGRAM FILES\KAZAA\KAZAA.EXE /SYSTRAY
    O4 - HKLM\..\Run: [TPP Auto Loader] C:\WINDOWS\TPPALDR.EXE
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [BEHKO] C:\WINDOWS\BEHKO.exe
    O4 - HKLM\..\Run: [{2CF0B992-5EEB-4143-99C2-5297EF71F44B}] rundll32.exe C:\WINDOWS\SYSTEM\STLBUPDT.DLL,DllRunMain
    O4 - HKLM\..\Run: [TB_setup] C:\WINDOWS\TEMP\TB_ANI~1.EXE /dcheck
    O4 - HKLM\..\RunServices: [ccEvtMgr] "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
    O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
    O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - Startup: Screen Saver Control.lnk = C:\WINDOWS\FSScrCtl.exe
    O4 - Startup: Scour.lnk = C:\Program Files\Scour\DesktopClient.exe
    O4 - Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
    O4 - Startup: America Online 7.0 Tray Icon.lnk = C:\Program Files\America Online 7.0\aoltray.exe
    O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: &Define - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
    O8 - Extra context menu item: Look Up in &Encyclopedia - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
    O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsearch.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmcache.html
    O8 - Extra context menu item: Si&milar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsimilar.html
    O8 - Extra context menu item: Backward &Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmbacklinks.html
    O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmtrans.html
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O9 - Extra button: Encarta Encyclopedia (HKLM)
    O9 - Extra 'Tools' menuitem: Encarta Encyclopedia (HKLM)
    O9 - Extra button: Define (HKLM)
    O9 - Extra 'Tools' menuitem: Define (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: MSN Messenger Service (HKLM)
    O9 - Extra button: Dell Home (HKCU)
    O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.rr.com
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?38094.4658680556
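
The before/after comparison a helper makes when a new log is posted, as an added example that is not part of the original thread: it parses HijackThis entry lines, pairs them across two scans, and reports what was removed, changed, new, or marked "(file missing)". The sample lines are copied from the two logs in this thread; the function names and the pairing rule (CLSID, else the text left of " = ") are assumptions of this example, not HijackThis behaviour.

```python
import re

# Constructed sample: entry lines copied from the first and second logs in this thread.
SCAN_BEFORE = r"""R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://allaboutsearching.com/passthrough/index.html?http://www.rr.com/flash/index.cfm?division=30
O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WINDOWS\TWAINTEC.DLL
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {05495B02-DBEA-495C-E2ED-783E686531F6} - C:\PROGRAM FILES\MEMO OPTION NURB\PROXYMFCD.DLL
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
"""
SCAN_AFTER = r"""R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rr.com/flash/index.cfm?division=30
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {05495B02-DBEA-495C-E2ED-783E686531F6} - C:\PROGRAM FILES\MEMO OPTION NURB\DOG WINDOW.DLL (file missing)
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [KAZAA] C:\PROGRAM FILES\KAZAA\KAZAA.EXE /SYSTRAY
"""

ENTRY = re.compile(r"^\s*([A-Z]\d{1,2}) - (.+?)\s*$")   # e.g. "O2 - BHO: ..."
CLSID = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")

def entry_key(code, detail):
    # Assumed pairing rule: a CLSID identifies the entry even if its DLL is renamed;
    # otherwise use the text left of " = " (registry value or shortcut name).
    clsid = CLSID.search(detail)
    if clsid:
        return (code, clsid.group(0).upper())
    return (code, detail.split(" = ", 1)[0].lower())

def parse_log(text):
    entries = {}
    for line in text.splitlines():
        m = ENTRY.match(line)
        if m:  # header lines and the running-process list do not match
            entries[entry_key(*m.groups())] = m.group(2)
    return entries

def compare(before, after):
    report = {"removed": [], "changed": [], "unchanged": []}
    for key, detail in before.items():
        if key not in after:
            report["removed"].append(detail)
        elif after[key].lower() != detail.lower():
            report["changed"].append((detail, after[key]))
        else:
            report["unchanged"].append(detail)
    report["new"] = [d for k, d in after.items() if k not in before]
    report["file_missing"] = [d for d in after.values() if d.endswith("(file missing)")]
    return report

if __name__ == "__main__":
    print({k: len(v) for k, v in compare(parse_log(SCAN_BEFORE), parse_log(SCAN_AFTER)).items()})
```
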
     
  10. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    do the adaware deletion/quarantine in stages

    run adaware then at the end select a few items to delete.

    normally adaware lists them in family groups so select 1 or 2 families at a time & then repeat as needed

    that is probably the only way to fix an infection of that magnitude

    then after adaware has fixed its bits post a new log

    make sure you are disconnected from the net while cleaning as the autoupdaters are reinstalling the junk quicker than you can remove it
     