I need help

Discussion in 'adware, spyware & hijack cleaning' started by sudee7, Mar 21, 2004.

Thread Status:
Not open for further replies.
  1. sudee7

    sudee7 Registered Member

    Joined:
    Mar 20, 2004
    Posts:
    12
    Location:
    Oklahoma City, OK
    This log was done by Hijackthis. I used Spybot S & D.

    My computer has been locking up. Adding things to my desk top. Pop-ups all the time. When I try to use one of my programs like Creatacard or Photostyler, it gives me a low resources warning or says it cannot find part of the program to run it, then I have to reboot in safe mode to scan for mistakes. I have been rebooting a LOT. :mad: I do know that somewhere along the way some things have been deleted because I had Super Collapse 11 and it wouldn't start in the first level, it would always go to level four.

    ANY help will be appreciated.
    God bless,
    sudee7

    Logfile of HijackThis v1.97.7
    Scan saved at 9:48:48 PM, on 3/20/04
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\RUNDLL32.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\PROGRAM FILES\MATROX MGA POWERDESK\COLOR\HGCCTL95.EXE
    C:\WINDOWS\SYSTEM\HPSJVXD.EXE
    C:\WINDOWS\SYSTEM\STIMON.EXE
    C:\PROGRAM FILES\HEWLETT-PACKARD\HP PRECISIONSCAN\PRECISIONSCAN\HPPPT.EXE
    C:\PROGRAM FILES\HEWLETT-PACKARD\HP PRECISIONSCAN\PRECISIONSCAN\HPLAMP.EXE
    C:\WINDOWS\SYSTEM32\PCS\PCSVC.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\WINDOWS\SYSTEM\PSTORES.EXE
    C:\PROGRAM FILES\OUTLOOK EXPRESS\MSIMN.EXE
    C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
    C:\MY DOWNLOAD FILES\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://allaboutsearching.com/searchbar.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://allaboutsearching.com/searchbar.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://allaboutsearching.com/searchbar.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://allaboutsearching.com/searchbar.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://allaboutsearching.com/searchbar.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://allaboutsearching.com/searchbar.html
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 200.60.172.62:3128
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = host

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.searchalot.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    R3 - URLSearchHook: IncrediFindBHO Class - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - C:\PROGRA~1\INCRED~2\BHO\INCFIN~1.DLL
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - (no file)
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O3 - Toolbar: (no name) - {CA0B9B71-C2AF-11D3-B376-0800460222F0} - (no file)
    O3 - Toolbar: (no name) - {FE6BC4EF-5676-484B-88AE-883323913256} - (no file)
    O3 - Toolbar: (no name) - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - (no file)
    O3 - Toolbar: 64JumpBold - {E9FCA65F-0703-6935-4344-C8145900DB46} - C:\PROGRAM FILES\SKIPSTORELOVE\BIBPLUS.DLL
    O3 - Toolbar: (no name) - {57E69D5A-6539-4d7d-9637-775DE8A385B4} - (no file)
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [Matrox Color Control] C:\Program Files\Matrox MGA PowerDesk\Color\hgcctl95.exe
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [HPSCANMonitor] C:\WINDOWS\SYSTEM\hpsjvxd.exe
    O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
    O4 - HKLM\..\Run: [hpppt] C:\Program Files\Hewlett-Packard\HP PrecisionScan\PrecisionScan\hpppt.exe /ICON
    O4 - HKLM\..\Run: [HP Lamp] C:\Program Files\Hewlett-Packard\HP PrecisionScan\PrecisionScan\HPLamp.exe
    O4 - HKLM\..\Run: [vga enc] C:\PROGRA~1\WMATRA~1\deleteholedrive.exe
    O4 - HKLM\..\Run: [AutoUpdater] "c:\Program Files\AutoUpdate\AutoUpdate.exe"
    O4 - HKLM\..\Run: [PGStub.exe] C:\DP-B23011805.EXE
    O4 - HKLM\..\Run: [Pcsv] C:\WINDOWS\system32\pcs\pcsvc.exe
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - Startup: DLHelperEXE.exe
    O9 - Extra 'Tools' menuitem: Search the Internet (HKLM)
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O9 - Extra button: AIM (HKLM)
    O9 - Extra button: WeatherBug (HKCU)
    O9 - Extra button: Searchalot (HKCU)
    O9 - Extra button: Downloads (HKCU)
    O10 - Unknown file in Winsock LSP: c:\windows\system\inetadpt.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system\inetadpt.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system\inetadpt.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system\inetadpt.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system\inetadpt.dll
    O14 - IERESET.INF: START_PAGE_URL=
    O15 - Trusted Zone: http://www.tinkerfcu.org
    O15 - Trusted Zone: http://seb.shaklee.net
    O15 - Trusted Zone: http://www.paypal.com
    O15 - Trusted Zone: http://*.0.0.0.0
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {F5C90925-ABBF-4475-88F5-8622B452BA9E} (Compaq System Data Class) - http://www29.compaq.com/falco/SysQuery.cab
    O16 - DPF: {AED98630-0251-4E83-917D-43A23D66D507} (WebHandler Class) - http://activex.microgaming.com/DLHelper/version7/DLHelper.cab
    O16 - DPF: {82202BE7-C56A-487E-9E55-D84BDC1A5776} (AnarkClient Class) - http://install.anark.com/client/version1/windows-ie/en/AMClient.cab
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0309.cab
    O16 - DPF: {CD17FAAA-17B4-4736-AAEF-436EDC304C8C} (ContentAuditX Control) - http://a840.g.akamai.net/7/840/5805/v1503/www.contentwatch.com/audit/includes/ContentAuditControl.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37865.5305324074
    O16 - DPF: {5445BE81-B796-11D2-B931-002018654E2E} (MeadCo Security Manager) - http://wcs00180.egain.net/wcsapp/weblib/Javascript/messaging/ie/SecMgr.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} (FlashXControl Object) - https://register3.valueactive.com/318/webolr/OCX/FlashAX.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003080601/housecall.antivirus.com/housecall/xscan53.cab
    O16 - DPF: {72C23FEC-3AF9-48FC-9597-241A8EBDFE0A} (InstallShield International Setup Player) - http://ftp.hp.com/pub/automatic/player/isetupML.cab
    O16 - DPF: Buckaroo Blackjack TM by pogo.com - http://vbjack.pogo.com/applet/videoblackjack/videoblackjack-ob-assets.cab
    O16 - DPF: Dice Derby by pogo.com - http://checkeredflag.pogo.com/applet/checkeredflag/checkeredflag-ob-assets.cab
    O16 - DPF: Payday FreeCell by pogo.com - http://freecell.pogo.com/applet/freecell/freecell-ob-assets.cab
    O16 - DPF: First Class Solitaire by pogo.com - http://solitaire44.pogo.com/applet/solitaire2/solitaire2-ob-assets.cab
    O16 - DPF: Spades by pogo.com - http://temp36.pogo.com/applet/spades/spades-ob-assets.cab
    O16 - DPF: Jungle Gin by pogo.com - http://gin.pogo.com/applet/gin/gin-ob-assets.cab
    O16 - DPF: Poppit! TM by pogo.com - http://poppit02.pogo.com/applet/poppit/poppit-ob-assets.cab
    O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
    O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
    O16 - DPF: Showbiz Slots 2 by pogo.com - http://temp35.pogo.com/applet/slots/showbiz2-ob-assets.cab
    O16 - DPF: Greenback Bayou by pogo.com - http://greenback.pogo.com/applet/greenback/greenback-ob-assets.cab
    O16 - DPF: Payday FreeCell by pogo - http://freecell.pogo.com/applet/freecell/freecell-ob-assets.cab
    O16 - DPF: Buckaroo Blackjack TM by pogo - http://vbjack.pogo.com/applet/videoblackjack/videoblackjack-ob-assets.cab
    O16 - DPF: Word Riot by pogo - http://wordriot.pogo.com/applet/wordriot/wordriot-ob-assets.cab
    O16 - DPF: Poppit TM by pogo - http://poppit25.pogo.com/applet/poppit/poppit-ob-assets.cab
    O16 - DPF: Greenback Bayou by pogo - http://greenback.pogo.com/applet/greenback/greenback-ob-assets.cab
    O16 - DPF: First Class Solitaire by pogo - http://solitaire43.pogo.com/applet/solitaire2/solitaire2-ob-assets.cab
    O16 - DPF: Ali Baba Slots TM by pogo - http://temp36.pogo.com/applet/slots/alibaba-ob-assets.cab
    O16 - DPF: {197AB1D7-A7DD-4C86-A938-1FCC0DB21B85} (DMProxyCtl Class) - http://dm.cometsystems.com/dm/dm_274.cab
    O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
    O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/SSC/SharedContent/vc/bin/AvSniff.cab
    O16 - DPF: Fortune Bingo by pogo - http://superbingo.pogo.com/applet/superbingo/superbingo-ob-assets.cab
    O16 - DPF: Word Whomp Whackdown by pogo - http://whackdown.pogo.com/applet/whackdown/whackdown-ob-assets.cab
     
  2. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    Hi sudee7,

    Check the following items in HijackThis.
    Close all windows except HijackThis and click Fix checked:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://allaboutsearching.com/searchbar.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://allaboutsearching.com/searchbar.html

    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://allaboutsearching.com/searchbar.html

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://allaboutsearching.com/searchbar.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://allaboutsearching.com/searchbar.html

    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://allaboutsearching.com/searchbar.html

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.searchalot.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    R3 - URLSearchHook: IncrediFindBHO Class - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - C:\PROGRA~1\INCRED~2\BHO\INCFIN~1.DLL
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - (no file)

    O3 - Toolbar: (no name) - {CA0B9B71-C2AF-11D3-B376-0800460222F0} - (no file)
    O3 - Toolbar: (no name) - {FE6BC4EF-5676-484B-88AE-883323913256} - (no file)
    O3 - Toolbar: (no name) - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - (no file)
    O3 - Toolbar: 64JumpBold - {E9FCA65F-0703-6935-4344-C8145900DB46} - C:\PROGRAM FILES\SKIPSTORELOVE\BIBPLUS.DLL
    O3 - Toolbar: (no name) - {57E69D5A-6539-4d7d-9637-775DE8A385B4} - (no file)

    O4 - HKLM\..\Run: [AutoUpdater] "c:\Program Files\AutoUpdate\AutoUpdate.exe"
    O4 - HKLM\..\Run: [PGStub.exe] C:\DP-B23011805.EXE
    O4 - HKLM\..\Run: [Pcsv] C:\WINDOWS\system32\pcs\pcsvc.exe

    O16 - DPF: {197AB1D7-A7DD-4C86-A938-1FCC0DB21B85} (DMProxyCtl Class) - http://dm.cometsystems.com/dm/dm_274.cab

    Then download and run CWShredder

    Please download, unzip and run: http://www.computercops.biz/zx/phoenix22/cws.zip
    Use the Fix button and follow the instructions provided by the program.

    Then reboot preferably into safe mode and delete:
    C:\WINDOWS\system32\pcs <= entire folder
    C:\DP-B23011805.EXE
    c:\Program Files\AutoUpdate <= entire folder

    Then download and run LSPfix from http://www.cexx.org/lspfix.htm and use it to remove every instance of inetadpt.dll and ONLY that one from your winsock.

    Regards,

    Pieter
     
  3. sudee7

    sudee7 Registered Member

    Joined:
    Mar 20, 2004
    Posts:
    12
    Location:
    Oklahoma City, OK
    Pieter,
    I was able to everything but could not find
    C:DP-B23011805.exe to delete. Should I go ahead and go to your last step and download and run the cess.org file?

    I can see a difference in my computer proformance already! :)

    You are a doll!
    sudee7
     
  4. puff-m-d

    puff-m-d Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    4,451
    Location:
    North Carolina, USA
    Hi sudee7,

    That file may be hidden. See HERE for how to show hidden files. If you still cannot find that file after doing this, go ahead with the LSPfix.

    Regards,
    Kent
     
  5. sudee7

    sudee7 Registered Member

    Joined:
    Mar 20, 2004
    Posts:
    12
    Location:
    Oklahoma City, OK
    Kent,
    Never could find that one .exe file to delete. But have downloaded and ran Ispfix.

    Everyone has been a tremendous help.

    Thanks and God bless.
    sudee
     
  6. sudee7

    sudee7 Registered Member

    Joined:
    Mar 20, 2004
    Posts:
    12
    Location:
    Oklahoma City, OK
    Well, I am still having issues with my computer. Now when I reboot it says it is looking for
    Morze2.exe
    m3kbcgig.exe
    vg4m6urj.exe
    043dq3wn.exe.

    I keep getting the "illegal warning" and "low resources warning"

    Any suggestions?

    Thanks sudee
     
  7. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    Hi sudee7,

    Could you make a new HijackThis log and post it please?

    Regards,

    Pieter
     
  8. sudee7

    sudee7 Registered Member

    Joined:
    Mar 20, 2004
    Posts:
    12
    Location:
    Oklahoma City, OK
    I am really having a time with this computer. I just tried to access your site and got a pop up that said it wasn't available. I am getting so many pop-ups, I can't go anywhere. I had to reboot and it kept searching for a long list of things it couldn't find.

    This Hijackthis list was made before rebooting:
    Logfile of HijackThis v1.97.7
    Scan saved at 6:29:45 PM, on 3/24/04
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\RUNDLL32.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\PROGRAM FILES\MATROX MGA POWERDESK\COLOR\HGCCTL95.EXE
    C:\WINDOWS\SYSTEM\HPSJVXD.EXE
    C:\WINDOWS\SYSTEM\STIMON.EXE
    C:\PROGRAM FILES\HEWLETT-PACKARD\HP PRECISIONSCAN\PRECISIONSCAN\HPPPT.EXE
    C:\PROGRAM FILES\HEWLETT-PACKARD\HP PRECISIONSCAN\PRECISIONSCAN\HPLAMP.EXE
    C:\WINDOWS\WAST.EXE
    C:\WINDOWS\YQAWCI4C.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\WINDOWS\SYSTEM\PSTORES.EXE
    C:\MY DOWNLOAD FILES\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 200.60.172.62:3128
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = host

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    O2 - BHO: (no name) - {B549456D-F5D0-4641-BCED-8648A0C13D83} - C:\WINDOWS\BrowserHelper.dll
    O2 - BHO: (no name) - {BDF6CE3D-F5C5-4462-9814-3C8EAC330CA8} - C:\WINDOWS\ADROAR.DLL
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O3 - Toolbar: Band Class - {BDF6CE3D-F5C5-4462-9814-3C8EAC330CA8} - C:\WINDOWS\ADROAR.DLL
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [Matrox Color Control] C:\Program Files\Matrox MGA PowerDesk\Color\hgcctl95.exe
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [HPSCANMonitor] C:\WINDOWS\SYSTEM\hpsjvxd.exe
    O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
    O4 - HKLM\..\Run: [hpppt] C:\Program Files\Hewlett-Packard\HP PrecisionScan\PrecisionScan\hpppt.exe /ICON
    O4 - HKLM\..\Run: [HP Lamp] C:\Program Files\Hewlett-Packard\HP PrecisionScan\PrecisionScan\HPLamp.exe
    O4 - HKLM\..\Run: [vga enc] C:\PROGRA~1\WMATRA~1\deleteholedrive.exe
    O4 - HKLM\..\Run: [WAST] C:\WINDOWS\WAST
    O4 - HKLM\..\Run: [RM6U31IB.EXE] C:\WINDOWS\RM6U31IB.EXE /dk
    O4 - HKLM\..\Run: [YQAWCI4C.EXE] C:\WINDOWS\YQAWCI4C.EXE /dk
    O4 - HKLM\..\Run: [8fdo98tx.exe] C:\WINDOWS\8fdo98tx.exe /dk
    O4 - HKLM\..\Run: [AdRoarUpdate] C:\WINDOWS\ARUpdate.exe
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKCU\..\Run: [RM6U31IB.EXE] C:\WINDOWS\RM6U31IB.EXE /dk
    O4 - HKCU\..\Run: [YQAWCI4C.EXE] C:\WINDOWS\YQAWCI4C.EXE /dk
    O4 - HKCU\..\Run: [8fdo98tx.exe] C:\WINDOWS\8fdo98tx.exe /dk
    O4 - Startup: DLHelperEXE.exe
    O4 - Startup: MORZE2.lnk = C:\WINDOWS\morze2.exe
    O4 - Startup: RG4M6URJ.lnk = C:\WINDOWS\rg4m6urj.exe
    O4 - Startup: O43DQ3WN.lnk = C:\WINDOWS\o43dq3wn.exe
    O4 - Startup: M3KBCGIG.lnk = C:\WINDOWS\m3kbcgig.exe
    O4 - Startup: WE4N2R9T.lnk = C:\WINDOWS\we4n2r9t.exe
    O4 - Startup: KI0D7GWO.lnk = C:\WINDOWS\ki0d7gwo.exe
    O4 - Startup: RM6U31IB.lnk = C:\WINDOWS\rm6u31ib.exe
    O4 - Startup: YQAWCI4C.lnk = C:\WINDOWS\yqawci4c.exe
    O4 - Startup: 8fdo98tx.lnk = C:\WINDOWS\8fdo98tx.exe
    O4 - Global Startup: MORZE2.lnk = C:\WINDOWS\m3kbcgig.exe
    O4 - Global Startup: RG4M6URJ.lnk = C:\WINDOWS\we4n2r9t.exe
    O4 - Global Startup: O43DQ3WN.lnk = C:\WINDOWS\we4n2r9t.exe
    O4 - Global Startup: M3KBCGIG.lnk = C:\WINDOWS\m3kbcgig.exe
    O4 - Global Startup: WE4N2R9T.lnk = C:\WINDOWS\we4n2r9t.exe
    O4 - Global Startup: KI0D7GWO.lnk = C:\WINDOWS\ki0d7gwo.exe
    O4 - Global Startup: RM6U31IB.lnk = C:\WINDOWS\rm6u31ib.exe
    O4 - Global Startup: YQAWCI4C.lnk = C:\WINDOWS\yqawci4c.exe
    O4 - Global Startup: 8fdo98tx.lnk = C:\WINDOWS\8fdo98tx.exe
    O9 - Extra 'Tools' menuitem: Search the Internet (HKLM)
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O9 - Extra button: AIM (HKLM)
    O9 - Extra button: WeatherBug (HKCU)
    O9 - Extra button: Searchalot (HKCU)
    O9 - Extra button: Downloads (HKCU)
    O10 - Unknown file in Winsock LSP: c:\windows\system\inetadpt.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system\inetadpt.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system\inetadpt.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system\inetadpt.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system\inetadpt.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system\inetadpt.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system\inetadpt.dll
    O14 - IERESET.INF: START_PAGE_URL=
    O15 - Trusted Zone: http://www.tinkerfcu.org
    O15 - Trusted Zone: http://seb.shaklee.net
    O15 - Trusted Zone: http://www.paypal.com
    O15 - Trusted Zone: http://*.0.0.0.0
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {F5C90925-ABBF-4475-88F5-8622B452BA9E} (Compaq System Data Class) - http://www29.compaq.com/falco/SysQuery.cab
    O16 - DPF: {AED98630-0251-4E83-917D-43A23D66D507} (WebHandler Class) - http://activex.microgaming.com/DLHelper/version7/DLHelper.cab
    O16 - DPF: {82202BE7-C56A-487E-9E55-D84BDC1A5776} (AnarkClient Class) - http://install.anark.com/client/version1/windows-ie/en/AMClient.cab
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0309.cab
    O16 - DPF: {CD17FAAA-17B4-4736-AAEF-436EDC304C8C} (ContentAuditX Control) - http://a840.g.akamai.net/7/840/5805/v1503/www.contentwatch.com/audit/includes/ContentAuditControl.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37865.5305324074
    O16 - DPF: {5445BE81-B796-11D2-B931-002018654E2E} (MeadCo Security Manager) - http://wcs00180.egain.net/wcsapp/weblib/Javascript/messaging/ie/SecMgr.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} (FlashXControl Object) - https://register3.valueactive.com/318/webolr/OCX/FlashAX.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003080601/housecall.antivirus.com/housecall/xscan53.cab
    O16 - DPF: {72C23FEC-3AF9-48FC-9597-241A8EBDFE0A} (InstallShield International Setup Player) - http://ftp.hp.com/pub/automatic/player/isetupML.cab
    O16 - DPF: Buckaroo Blackjack TM by pogo.com - http://vbjack.pogo.com/applet/videoblackjack/videoblackjack-ob-assets.cab
    O16 - DPF: Dice Derby by pogo.com - http://checkeredflag.pogo.com/applet/checkeredflag/checkeredflag-ob-assets.cab
    O16 - DPF: Payday FreeCell by pogo.com - http://freecell.pogo.com/applet/freecell/freecell-ob-assets.cab
    O16 - DPF: First Class Solitaire by pogo.com - http://solitaire44.pogo.com/applet/solitaire2/solitaire2-ob-assets.cab
    O16 - DPF: Spades by pogo.com - http://temp36.pogo.com/applet/spades/spades-ob-assets.cab
    O16 - DPF: Jungle Gin by pogo.com - http://gin.pogo.com/applet/gin/gin-ob-assets.cab
    O16 - DPF: Poppit! TM by pogo.com - http://poppit02.pogo.com/applet/poppit/poppit-ob-assets.cab
    O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
    O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
    O16 - DPF: Showbiz Slots 2 by pogo.com - http://temp35.pogo.com/applet/slots/showbiz2-ob-assets.cab
    O16 - DPF: Greenback Bayou by pogo.com - http://greenback.pogo.com/applet/greenback/greenback-ob-assets.cab
    O16 - DPF: Payday FreeCell by pogo - http://freecell.pogo.com/applet/freecell/freecell-ob-assets.cab
    O16 - DPF: Buckaroo Blackjack TM by pogo - http://vbjack.pogo.com/applet/videoblackjack/videoblackjack-ob-assets.cab
    O16 - DPF: Word Riot by pogo - http://wordriot.pogo.com/applet/wordriot/wordriot-ob-assets.cab
    O16 - DPF: Poppit TM by pogo - http://poppit25.pogo.com/applet/poppit/poppit-ob-assets.cab
    O16 - DPF: Greenback Bayou by pogo - http://greenback.pogo.com/applet/greenback/greenback-ob-assets.cab
    O16 - DPF: First Class Solitaire by pogo - http://solitaire43.pogo.com/applet/solitaire2/solitaire2-ob-assets.cab
    O16 - DPF: Ali Baba Slots TM by pogo - http://temp36.pogo.com/applet/slots/alibaba-ob-assets.cab
    O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
    O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/SSC/SharedContent/vc/bin/AvSniff.cab
    O16 - DPF: Fortune Bingo by pogo - http://superbingo.pogo.com/applet/superbingo/superbingo-ob-assets.cab
    O16 - DPF: Word Whomp Whackdown by pogo - http://whackdown.pogo.com/applet/whackdown/whackdown-ob-assets.cab
     
  9. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    Wow. You really hit the jackpot this round. :doubt:

    Download and install Regprot from http://www.diamondcs.com.au/index.php?page=regprot
    Allow the startups that are already present.

    Then check the items listed below in HijackThis, close all windows except HijackThis and click Fix checked:

    O2 - BHO: (no name) - {B549456D-F5D0-4641-BCED-8648A0C13D83} - C:\WINDOWS\BrowserHelper.dll
    O2 - BHO: (no name) - {BDF6CE3D-F5C5-4462-9814-3C8EAC330CA8} - C:\WINDOWS\ADROAR.DLL

    O3 - Toolbar: Band Class - {BDF6CE3D-F5C5-4462-9814-3C8EAC330CA8} - C:\WINDOWS\ADROAR.DLL

    O4 - HKLM\..\Run: [vga enc] C:\PROGRA~1\WMATRA~1\deleteholedrive.exe
    O4 - HKLM\..\Run: [WAST] C:\WINDOWS\WAST
    O4 - HKLM\..\Run: [RM6U31IB.EXE] C:\WINDOWS\RM6U31IB.EXE /dk
    O4 - HKLM\..\Run: [YQAWCI4C.EXE] C:\WINDOWS\YQAWCI4C.EXE /dk
    O4 - HKLM\..\Run: [8fdo98tx.exe] C:\WINDOWS\8fdo98tx.exe /dk
    O4 - HKLM\..\Run: [AdRoarUpdate] C:\WINDOWS\ARUpdate.exe

    O4 - HKCU\..\Run: [RM6U31IB.EXE] C:\WINDOWS\RM6U31IB.EXE /dk
    O4 - HKCU\..\Run: [YQAWCI4C.EXE] C:\WINDOWS\YQAWCI4C.EXE /dk
    O4 - HKCU\..\Run: [8fdo98tx.exe] C:\WINDOWS\8fdo98tx.exe /dk

    O4 - Startup: MORZE2.lnk = C:\WINDOWS\morze2.exe
    O4 - Startup: RG4M6URJ.lnk = C:\WINDOWS\rg4m6urj.exe
    O4 - Startup: O43DQ3WN.lnk = C:\WINDOWS\o43dq3wn.exe
    O4 - Startup: M3KBCGIG.lnk = C:\WINDOWS\m3kbcgig.exe
    O4 - Startup: WE4N2R9T.lnk = C:\WINDOWS\we4n2r9t.exe
    O4 - Startup: KI0D7GWO.lnk = C:\WINDOWS\ki0d7gwo.exe
    O4 - Startup: RM6U31IB.lnk = C:\WINDOWS\rm6u31ib.exe
    O4 - Startup: YQAWCI4C.lnk = C:\WINDOWS\yqawci4c.exe
    O4 - Startup: 8fdo98tx.lnk = C:\WINDOWS\8fdo98tx.exe
    O4 - Global Startup: MORZE2.lnk = C:\WINDOWS\m3kbcgig.exe
    O4 - Global Startup: RG4M6URJ.lnk = C:\WINDOWS\we4n2r9t.exe
    O4 - Global Startup: O43DQ3WN.lnk = C:\WINDOWS\we4n2r9t.exe
    O4 - Global Startup: M3KBCGIG.lnk = C:\WINDOWS\m3kbcgig.exe
    O4 - Global Startup: WE4N2R9T.lnk = C:\WINDOWS\we4n2r9t.exe
    O4 - Global Startup: KI0D7GWO.lnk = C:\WINDOWS\ki0d7gwo.exe
    O4 - Global Startup: RM6U31IB.lnk = C:\WINDOWS\rm6u31ib.exe
    O4 - Global Startup: YQAWCI4C.lnk = C:\WINDOWS\yqawci4c.exe
    O4 - Global Startup: 8fdo98tx.lnk = C:\WINDOWS\8fdo98tx.exe

    O9 - Extra button: Searchalot (HKCU)

    Then click Fix checked. After you did that any prompts by Regprot should be answered with No.

    Reboot into safe mode
    and delete:
    C:\WINDOWS\YQAWCI4C.EXE

    Then download LSPfix here: http://www.cexx.org/lspfix.htm
    Launch the application, and click the "I know what I'm doing" checkbox.
    Check all instances of inetadpt.dll (and nothing else), and move them to the "Remove" pane.
    Then click Finish.

    Then post a new HijackThis log please.

    Regards,

    Pieter
     
  10. sudee7

    sudee7 Registered Member

    Joined:
    Mar 20, 2004
    Posts:
    12
    Location:
    Oklahoma City, OK
    I could not find C:\Windows\yqawc14c.exe to delete.

    Here is the last Hijackthis scan:
    Logfile of HijackThis v1.97.7
    Scan saved at 10:13:27 AM, on 3/25/04
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\RUNDLL32.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\PROGRAM FILES\MATROX MGA POWERDESK\COLOR\HGCCTL95.EXE
    C:\WINDOWS\SYSTEM\HPSJVXD.EXE
    C:\WINDOWS\SYSTEM\STIMON.EXE
    C:\PROGRAM FILES\HEWLETT-PACKARD\HP PRECISIONSCAN\PRECISIONSCAN\HPPPT.EXE
    C:\PROGRAM FILES\HEWLETT-PACKARD\HP PRECISIONSCAN\PRECISIONSCAN\HPLAMP.EXE
    C:\WINDOWS\E2OPOEAC.EXE
    C:\MY DOWNLOAD FILES\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 200.60.172.62:3128
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = host

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    O2 - BHO: (no name) - {B549456D-F5D0-4641-BCED-8648A0C13D83} - C:\WINDOWS\BrowserHelper.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [Matrox Color Control] C:\Program Files\Matrox MGA PowerDesk\Color\hgcctl95.exe
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [HPSCANMonitor] C:\WINDOWS\SYSTEM\hpsjvxd.exe
    O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
    O4 - HKLM\..\Run: [hpppt] C:\Program Files\Hewlett-Packard\HP PrecisionScan\PrecisionScan\hpppt.exe /ICON
    O4 - HKLM\..\Run: [HP Lamp] C:\Program Files\Hewlett-Packard\HP PrecisionScan\PrecisionScan\HPLamp.exe
    O4 - HKLM\..\Run: [E2OPOEAC.EXE] C:\WINDOWS\E2OPOEAC.EXE /dk
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKCU\..\Run: [E2OPOEAC.EXE] C:\WINDOWS\E2OPOEAC.EXE /dk
    O4 - Startup: DLHelperEXE.exe
    O4 - Startup: E2OPOEAC.lnk = C:\WINDOWS\e2opoeac.exe
    O4 - Startup: WUNQZPUN.lnk = C:\WINDOWS\wunqzpun.exe
    O4 - Startup: D85UUN1J.lnk = C:\WINDOWS\d85uun1j.exe
    O4 - Startup: MORZE1.lnk = C:\WINDOWS\morze1.exe
    O4 - Startup: U4AX3ZIK.lnk = C:\WINDOWS\u4ax3zik.exe
    O4 - Startup: 4FGO5NOY.lnk = C:\WINDOWS\4fgo5noy.exe
    O4 - Startup: 00LV39HR.lnk = C:\WINDOWS\00lv39hr.exe
    O4 - Startup: CYFVPGL1.lnk = C:\WINDOWS\cyfvpgl1.exe
    O4 - Startup: LPEYVKD8.lnk = C:\WINDOWS\lpeyvkd8.exe
    O4 - Startup: T3ULEF2O.lnk = C:\WINDOWS\t3ulef2o.exe
    O4 - Startup: QMT8KZVD.lnk = C:\WINDOWS\qmt8kzvd.exe
    O4 - Startup: 3IW7U8Z3.lnk = C:\WINDOWS\3iw7u8z3.exe
    O4 - Startup: 3YNGOKB1.lnk = C:\WINDOWS\3yngokb1.exe
    O4 - Startup: P9OZENHE.lnk = C:\WINDOWS\p9ozenhe.exe
    O4 - Startup: U20CTF2B.lnk = C:\WINDOWS\u20ctf2b.exe
    O4 - Global Startup: E2OPOEAC.lnk = C:\WINDOWS\e2opoeac.exe
    O4 - Global Startup: D85UUN1J.lnk = C:\WINDOWS\d85uun1j.exe
    O4 - Global Startup: WUNQZPUN.lnk = C:\WINDOWS\wunqzpun.exe
    O4 - Global Startup: MORZE1.lnk = C:\WINDOWS\morze1.exe
    O4 - Global Startup: U4AX3ZIK.lnk = C:\WINDOWS\u4ax3zik.exe
    O4 - Global Startup: 4FGO5NOY.lnk = C:\WINDOWS\4fgo5noy.exe
    O4 - Global Startup: 00LV39HR.lnk = C:\WINDOWS\00lv39hr.exe
    O4 - Global Startup: CYFVPGL1.lnk = C:\WINDOWS\cyfvpgl1.exe
    O4 - Global Startup: LPEYVKD8.lnk = C:\WINDOWS\lpeyvkd8.exe
    O4 - Global Startup: T3ULEF2O.lnk = C:\WINDOWS\t3ulef2o.exe
    O4 - Global Startup: QMT8KZVD.lnk = C:\WINDOWS\qmt8kzvd.exe
    O4 - Global Startup: 3IW7U8Z3.lnk = C:\WINDOWS\3iw7u8z3.exe
    O4 - Global Startup: 3YNGOKB1.lnk = C:\WINDOWS\3yngokb1.exe
    O4 - Global Startup: P9OZENHE.lnk = C:\WINDOWS\p9ozenhe.exe
    O4 - Global Startup: U20CTF2B.lnk = C:\WINDOWS\u20ctf2b.exe
    O9 - Extra 'Tools' menuitem: Search the Internet (HKLM)
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O9 - Extra button: AIM (HKLM)
    O9 - Extra button: WeatherBug (HKCU)
    O9 - Extra button: Downloads (HKCU)
    O14 - IERESET.INF: START_PAGE_URL=
    O15 - Trusted Zone: http://www.tinkerfcu.org
    O15 - Trusted Zone: http://seb.shaklee.net
    O15 - Trusted Zone: http://www.paypal.com
    O15 - Trusted Zone: http://*.0.0.0.0
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {F5C90925-ABBF-4475-88F5-8622B452BA9E} (Compaq System Data Class) - http://www29.compaq.com/falco/SysQuery.cab
    O16 - DPF: {AED98630-0251-4E83-917D-43A23D66D507} (WebHandler Class) - http://activex.microgaming.com/DLHelper/version7/DLHelper.cab
    O16 - DPF: {82202BE7-C56A-487E-9E55-D84BDC1A5776} (AnarkClient Class) - http://install.anark.com/client/version1/windows-ie/en/AMClient.cab
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0309.cab
    O16 - DPF: {CD17FAAA-17B4-4736-AAEF-436EDC304C8C} (ContentAuditX Control) - http://a840.g.akamai.net/7/840/5805/v1503/www.contentwatch.com/audit/includes/ContentAuditControl.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37865.5305324074
    O16 - DPF: {5445BE81-B796-11D2-B931-002018654E2E} (MeadCo Security Manager) - http://wcs00180.egain.net/wcsapp/weblib/Javascript/messaging/ie/SecMgr.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} (FlashXControl Object) - https://register3.valueactive.com/318/webolr/OCX/FlashAX.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003080601/housecall.antivirus.com/housecall/xscan53.cab
    O16 - DPF: {72C23FEC-3AF9-48FC-9597-241A8EBDFE0A} (InstallShield International Setup Player) - http://ftp.hp.com/pub/automatic/player/isetupML.cab
    O16 - DPF: Buckaroo Blackjack TM by pogo.com - http://vbjack.pogo.com/applet/videoblackjack/videoblackjack-ob-assets.cab
    O16 - DPF: Dice Derby by pogo.com - http://checkeredflag.pogo.com/applet/checkeredflag/checkeredflag-ob-assets.cab
    O16 - DPF: Payday FreeCell by pogo.com - http://freecell.pogo.com/applet/freecell/freecell-ob-assets.cab
    O16 - DPF: First Class Solitaire by pogo.com - http://solitaire44.pogo.com/applet/solitaire2/solitaire2-ob-assets.cab
    O16 - DPF: Spades by pogo.com - http://temp36.pogo.com/applet/spades/spades-ob-assets.cab
    O16 - DPF: Jungle Gin by pogo.com - http://gin.pogo.com/applet/gin/gin-ob-assets.cab
    O16 - DPF: Poppit! TM by pogo.com - http://poppit02.pogo.com/applet/poppit/poppit-ob-assets.cab
    O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
    O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
    O16 - DPF: Showbiz Slots 2 by pogo.com - http://temp35.pogo.com/applet/slots/showbiz2-ob-assets.cab
    O16 - DPF: Greenback Bayou by pogo.com - http://greenback.pogo.com/applet/greenback/greenback-ob-assets.cab
    O16 - DPF: Payday FreeCell by pogo - http://freecell.pogo.com/applet/freecell/freecell-ob-assets.cab
    O16 - DPF: Buckaroo Blackjack TM by pogo - http://vbjack.pogo.com/applet/videoblackjack/videoblackjack-ob-assets.cab
    O16 - DPF: Word Riot by pogo - http://wordriot.pogo.com/applet/wordriot/wordriot-ob-assets.cab
    O16 - DPF: Poppit TM by pogo - http://poppit25.pogo.com/applet/poppit/poppit-ob-assets.cab
    O16 - DPF: Greenback Bayou by pogo - http://greenback.pogo.com/applet/greenback/greenback-ob-assets.cab
    O16 - DPF: First Class Solitaire by pogo - http://solitaire43.pogo.com/applet/solitaire2/solitaire2-ob-assets.cab
    O16 - DPF: Ali Baba Slots TM by pogo - http://temp36.pogo.com/applet/slots/alibaba-ob-assets.cab
    O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
    O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/SSC/SharedContent/vc/bin/AvSniff.cab
    O16 - DPF: Fortune Bingo by pogo - http://superbingo.pogo.com/applet/superbingo/superbingo-ob-assets.cab
    O16 - DPF: Word Whomp Whackdown by pogo - http://whackdown.pogo.com/applet/whackdown/whackdown-ob-assets.cab
     
  11. puff-m-d

    puff-m-d Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    4,451
    Location:
    North Carolina, USA
    Hi sudee7,

    Welcome to Wilders.

    Check the following items in HijackThis.
    Close all windows except HijackThis and click Fix checked:

    O2 - BHO: (no name) - {B549456D-F5D0-4641-BCED-8648A0C13D83} - C:\WINDOWS\BrowserHelper.dll

    O4 - HKLM\..\Run: [E2OPOEAC.EXE] C:\WINDOWS\E2OPOEAC.EXE /dk

    O4 - HKCU\..\Run: [E2OPOEAC.EXE] C:\WINDOWS\E2OPOEAC.EXE /dk
    O4 - Startup: DLHelperEXE.exe
    O4 - Startup: E2OPOEAC.lnk = C:\WINDOWS\e2opoeac.exe
    O4 - Startup: WUNQZPUN.lnk = C:\WINDOWS\wunqzpun.exe
    O4 - Startup: D85UUN1J.lnk = C:\WINDOWS\d85uun1j.exe
    O4 - Startup: MORZE1.lnk = C:\WINDOWS\morze1.exe
    O4 - Startup: U4AX3ZIK.lnk = C:\WINDOWS\u4ax3zik.exe
    O4 - Startup: 4FGO5NOY.lnk = C:\WINDOWS\4fgo5noy.exe
    O4 - Startup: 00LV39HR.lnk = C:\WINDOWS\00lv39hr.exe
    O4 - Startup: CYFVPGL1.lnk = C:\WINDOWS\cyfvpgl1.exe
    O4 - Startup: LPEYVKD8.lnk = C:\WINDOWS\lpeyvkd8.exe
    O4 - Startup: T3ULEF2O.lnk = C:\WINDOWS\t3ulef2o.exe
    O4 - Startup: QMT8KZVD.lnk = C:\WINDOWS\qmt8kzvd.exe
    O4 - Startup: 3IW7U8Z3.lnk = C:\WINDOWS\3iw7u8z3.exe
    O4 - Startup: 3YNGOKB1.lnk = C:\WINDOWS\3yngokb1.exe
    O4 - Startup: P9OZENHE.lnk = C:\WINDOWS\p9ozenhe.exe
    O4 - Startup: U20CTF2B.lnk = C:\WINDOWS\u20ctf2b.exe
    O4 - Global Startup: E2OPOEAC.lnk = C:\WINDOWS\e2opoeac.exe
    O4 - Global Startup: D85UUN1J.lnk = C:\WINDOWS\d85uun1j.exe
    O4 - Global Startup: WUNQZPUN.lnk = C:\WINDOWS\wunqzpun.exe
    O4 - Global Startup: MORZE1.lnk = C:\WINDOWS\morze1.exe
    O4 - Global Startup: U4AX3ZIK.lnk = C:\WINDOWS\u4ax3zik.exe
    O4 - Global Startup: 4FGO5NOY.lnk = C:\WINDOWS\4fgo5noy.exe
    O4 - Global Startup: 00LV39HR.lnk = C:\WINDOWS\00lv39hr.exe
    O4 - Global Startup: CYFVPGL1.lnk = C:\WINDOWS\cyfvpgl1.exe
    O4 - Global Startup: LPEYVKD8.lnk = C:\WINDOWS\lpeyvkd8.exe
    O4 - Global Startup: T3ULEF2O.lnk = C:\WINDOWS\t3ulef2o.exe
    O4 - Global Startup: QMT8KZVD.lnk = C:\WINDOWS\qmt8kzvd.exe
    O4 - Global Startup: 3IW7U8Z3.lnk = C:\WINDOWS\3iw7u8z3.exe
    O4 - Global Startup: 3YNGOKB1.lnk = C:\WINDOWS\3yngokb1.exe
    O4 - Global Startup: P9OZENHE.lnk = C:\WINDOWS\p9ozenhe.exe
    O4 - Global Startup: U20CTF2B.lnk = C:\WINDOWS\u20ctf2b.exe

    O15 - Trusted Zone: http://*.0.0.0.0

    There also may be hidden files. See HERE for how to show hidden files.

    Then reboot into safe mode and delete the following:

    C:\WINDOWS\BrowserHelper.dll
    DLHelperEXE.exe <-- You may have to do a search for this file.
    C:\WINDOWS\d85uun1j.exe
    C:\WINDOWS\wunqzpun.exe
    C:\WINDOWS\morze1.exe
    C:\WINDOWS\u4ax3zik.exe
    C:\WINDOWS\4fgo5noy.exe
    C:\WINDOWS\00lv39hr.exe
    C:\WINDOWS\cyfvpgl1.exe
    C:\WINDOWS\lpeyvkd8.exe
    C:\WINDOWS\t3ulef2o.exe
    C:\WINDOWS\qmt8kzvd.exe
    C:\WINDOWS\3iw7u8z3.exe
    C:\WINDOWS\3yngokb1.exe
    C:\WINDOWS\p9ozenhe.exe
    C:\WINDOWS\u20ctf2b.exe

    Reboot and then post a fresh HijackThis log.

    Regards,
    Kent
     
  12. sudee7

    sudee7 Registered Member

    Joined:
    Mar 20, 2004
    Posts:
    12
    Location:
    Oklahoma City, OK
    It seems like when I get rid of some things, that others take their places. :mad:

    Here is the latest Hijackthis log:
    Logfile of HijackThis v1.97.7
    Scan saved at 2:50:02 PM, on 3/25/04
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\RUNDLL32.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\PROGRAM FILES\MATROX MGA POWERDESK\COLOR\HGCCTL95.EXE
    C:\WINDOWS\SYSTEM\HPSJVXD.EXE
    C:\WINDOWS\SYSTEM\STIMON.EXE
    C:\PROGRAM FILES\HEWLETT-PACKARD\HP PRECISIONSCAN\PRECISIONSCAN\HPPPT.EXE
    C:\PROGRAM FILES\HEWLETT-PACKARD\HP PRECISIONSCAN\PRECISIONSCAN\HPLAMP.EXE
    C:\WINDOWS\GECQ9E05.EXE
    C:\MY DOWNLOAD FILES\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 200.60.172.62:3128
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = host

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    O2 - BHO: (no name) - {B549456D-F5D0-4641-BCED-8648A0C13D83} - C:\WINDOWS\BrowserHelper.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [Matrox Color Control] C:\Program Files\Matrox MGA PowerDesk\Color\hgcctl95.exe
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [HPSCANMonitor] C:\WINDOWS\SYSTEM\hpsjvxd.exe
    O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
    O4 - HKLM\..\Run: [hpppt] C:\Program Files\Hewlett-Packard\HP PrecisionScan\PrecisionScan\hpppt.exe /ICON
    O4 - HKLM\..\Run: [HP Lamp] C:\Program Files\Hewlett-Packard\HP PrecisionScan\PrecisionScan\HPLamp.exe
    O4 - HKLM\..\Run: [GECQ9E05.EXE] C:\WINDOWS\GECQ9E05.EXE /dk
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKCU\..\Run: [GECQ9E05.EXE] C:\WINDOWS\GECQ9E05.EXE /dk
    O4 - Startup: 0ZWGUD9O.lnk = C:\WINDOWS\0zwgud9o.exe
    O4 - Startup: MORZE1.lnk = C:\WINDOWS\morze1.exe
    O4 - Startup: R1FLAMFW.lnk = C:\WINDOWS\r1flamfw.exe
    O4 - Startup: 5XA810HG.lnk = C:\WINDOWS\5xa810hg.exe
    O4 - Startup: YWPEUDH4.lnk = C:\WINDOWS\ywpeudh4.exe
    O4 - Startup: QACT2JDE.lnk = C:\WINDOWS\qact2jde.exe
    O4 - Startup: IN5JP42K.lnk = C:\WINDOWS\in5jp42k.exe
    O4 - Startup: GECQ9E05.lnk = C:\WINDOWS\gecq9e05.exe
    O4 - Global Startup: 0ZWGUD9O.lnk = C:\WINDOWS\0zwgud9o.exe
    O4 - Global Startup: R1FLAMFW.lnk = C:\WINDOWS\r1flamfw.exe
    O4 - Global Startup: 5XA810HG.lnk = C:\WINDOWS\5xa810hg.exe
    O4 - Global Startup: YWPEUDH4.lnk = C:\WINDOWS\ywpeudh4.exe
    O4 - Global Startup: QACT2JDE.lnk = C:\WINDOWS\qact2jde.exe
    O4 - Global Startup: IN5JP42K.lnk = C:\WINDOWS\in5jp42k.exe
    O4 - Global Startup: MORZE1.lnk = C:\WINDOWS\morze1.exe
    O4 - Global Startup: GECQ9E05.lnk = C:\WINDOWS\gecq9e05.exe
    O4 - Global Startup: D85UUN1J.lnk = C:\WINDOWS\d85uun1j.exe
    O9 - Extra 'Tools' menuitem: Search the Internet (HKLM)
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O9 - Extra button: AIM (HKLM)
    O9 - Extra button: WeatherBug (HKCU)
    O9 - Extra button: Downloads (HKCU)
    O14 - IERESET.INF: START_PAGE_URL=
    O15 - Trusted Zone: http://www.tinkerfcu.org
    O15 - Trusted Zone: http://seb.shaklee.net
    O15 - Trusted Zone: http://www.paypal.com
    O15 - Trusted Zone: http://*.0.0.0.0
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {F5C90925-ABBF-4475-88F5-8622B452BA9E} (Compaq System Data Class) - http://www29.compaq.com/falco/SysQuery.cab
    O16 - DPF: {AED98630-0251-4E83-917D-43A23D66D507} (WebHandler Class) - http://activex.microgaming.com/DLHelper/version7/DLHelper.cab
    O16 - DPF: {82202BE7-C56A-487E-9E55-D84BDC1A5776} (AnarkClient Class) - http://install.anark.com/client/version1/windows-ie/en/AMClient.cab
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0309.cab
    O16 - DPF: {CD17FAAA-17B4-4736-AAEF-436EDC304C8C} (ContentAuditX Control) - http://a840.g.akamai.net/7/840/5805/v1503/www.contentwatch.com/audit/includes/ContentAuditControl.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37865.5305324074
    O16 - DPF: {5445BE81-B796-11D2-B931-002018654E2E} (MeadCo Security Manager) - http://wcs00180.egain.net/wcsapp/weblib/Javascript/messaging/ie/SecMgr.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} (FlashXControl Object) - https://register3.valueactive.com/318/webolr/OCX/FlashAX.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003080601/housecall.antivirus.com/housecall/xscan53.cab
    O16 - DPF: {72C23FEC-3AF9-48FC-9597-241A8EBDFE0A} (InstallShield International Setup Player) - http://ftp.hp.com/pub/automatic/player/isetupML.cab
    O16 - DPF: Buckaroo Blackjack TM by pogo.com - http://vbjack.pogo.com/applet/videoblackjack/videoblackjack-ob-assets.cab
    O16 - DPF: Dice Derby by pogo.com - http://checkeredflag.pogo.com/applet/checkeredflag/checkeredflag-ob-assets.cab
    O16 - DPF: Payday FreeCell by pogo.com - http://freecell.pogo.com/applet/freecell/freecell-ob-assets.cab
    O16 - DPF: First Class Solitaire by pogo.com - http://solitaire44.pogo.com/applet/solitaire2/solitaire2-ob-assets.cab
    O16 - DPF: Spades by pogo.com - http://temp36.pogo.com/applet/spades/spades-ob-assets.cab
    O16 - DPF: Jungle Gin by pogo.com - http://gin.pogo.com/applet/gin/gin-ob-assets.cab
    O16 - DPF: Poppit! TM by pogo.com - http://poppit02.pogo.com/applet/poppit/poppit-ob-assets.cab
    O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
    O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
    O16 - DPF: Showbiz Slots 2 by pogo.com - http://temp35.pogo.com/applet/slots/showbiz2-ob-assets.cab
    O16 - DPF: Greenback Bayou by pogo.com - http://greenback.pogo.com/applet/greenback/greenback-ob-assets.cab
    O16 - DPF: Payday FreeCell by pogo - http://freecell.pogo.com/applet/freecell/freecell-ob-assets.cab
    O16 - DPF: Buckaroo Blackjack TM by pogo - http://vbjack.pogo.com/applet/videoblackjack/videoblackjack-ob-assets.cab
    O16 - DPF: Word Riot by pogo - http://wordriot.pogo.com/applet/wordriot/wordriot-ob-assets.cab
    O16 - DPF: Poppit TM by pogo - http://poppit25.pogo.com/applet/poppit/poppit-ob-assets.cab
    O16 - DPF: Greenback Bayou by pogo - http://greenback.pogo.com/applet/greenback/greenback-ob-assets.cab
    O16 - DPF: First Class Solitaire by pogo - http://solitaire43.pogo.com/applet/solitaire2/solitaire2-ob-assets.cab
    O16 - DPF: Ali Baba Slots TM by pogo - http://temp36.pogo.com/applet/slots/alibaba-ob-assets.cab
    O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
    O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/SSC/SharedContent/vc/bin/AvSniff.cab
    O16 - DPF: Fortune Bingo by pogo - http://superbingo.pogo.com/applet/superbingo/superbingo-ob-assets.cab
    O16 - DPF: Word Whomp Whackdown by pogo - http://whackdown.pogo.com/applet/whackdown/whackdown-ob-assets.cab
     
  13. puff-m-d

    puff-m-d Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    4,451
    Location:
    North Carolina, USA
    Hi sudee7,

    Let's try this one more time.....

    Read thru the following and go to all the links that I highlghted in blue. Be sure you understand everything before you proceed. If you have any questions, ask them now as if you miss any of the items below, we are back to square one. Do not power down your machine until told to do so because if you do, all of the file names will change and we will have to start over.

    Check the following items only in HijackThis.
    Please doublecheck your entries before you click FIX....
    Close ALL OTHER WINDOWS except HijackThis and click Fix checked:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    O2 - BHO: (no name) - {B549456D-F5D0-4641-BCED-8648A0C13D83} - C:\WINDOWS\BrowserHelper.dll

    O4 - HKLM\..\Run: [GECQ9E05.EXE] C:\WINDOWS\GECQ9E05.EXE /dk

    O4 - HKCU\..\Run: [GECQ9E05.EXE] C:\WINDOWS\GECQ9E05.EXE /dk
    O4 - Startup: 0ZWGUD9O.lnk = C:\WINDOWS\0zwgud9o.exe
    O4 - Startup: MORZE1.lnk = C:\WINDOWS\morze1.exe
    O4 - Startup: R1FLAMFW.lnk = C:\WINDOWS\r1flamfw.exe
    O4 - Startup: 5XA810HG.lnk = C:\WINDOWS\5xa810hg.exe
    O4 - Startup: YWPEUDH4.lnk = C:\WINDOWS\ywpeudh4.exe
    O4 - Startup: QACT2JDE.lnk = C:\WINDOWS\qact2jde.exe
    O4 - Startup: IN5JP42K.lnk = C:\WINDOWS\in5jp42k.exe
    O4 - Startup: GECQ9E05.lnk = C:\WINDOWS\gecq9e05.exe
    O4 - Global Startup: 0ZWGUD9O.lnk = C:\WINDOWS\0zwgud9o.exe
    O4 - Global Startup: R1FLAMFW.lnk = C:\WINDOWS\r1flamfw.exe
    O4 - Global Startup: 5XA810HG.lnk = C:\WINDOWS\5xa810hg.exe
    O4 - Global Startup: YWPEUDH4.lnk = C:\WINDOWS\ywpeudh4.exe
    O4 - Global Startup: QACT2JDE.lnk = C:\WINDOWS\qact2jde.exe
    O4 - Global Startup: IN5JP42K.lnk = C:\WINDOWS\in5jp42k.exe
    O4 - Global Startup: MORZE1.lnk = C:\WINDOWS\morze1.exe
    O4 - Global Startup: GECQ9E05.lnk = C:\WINDOWS\gecq9e05.exe
    O4 - Global Startup: D85UUN1J.lnk = C:\WINDOWS\d85uun1j.exe

    O15 - Trusted Zone: http://*.0.0.0.0

    There also may be hidden files. See HERE for how to show hidden files. Click on the blue HERE for instructions on how to do it.....

    Then reboot into safe mode and delete the following:
    Now this is very important, if you do not know how to boot to safe mode, click on the blue safe mode above.

    To delete these files, you need to open Windows Explorer, go to the files location, right click the file, then click delete.
    Now let's delete the following files:

    C:\WINDOWS\BrowserHelper.dll
    C:\WINDOWS\GECQ9E05.EXE
    C:\WINDOWS\0zwgud9o.exe
    C:\WINDOWS\morze1.exe
    C:\WINDOWS\r1flamfw.exe
    C:\WINDOWS\5xa810hg.exe
    C:\WINDOWS\ywpeudh4.exe
    C:\WINDOWS\qact2jde.exe
    C:\WINDOWS\in5jp42k.exe
    C:\WINDOWS\gecq9e05.exe

    It is CRUCIAL That all of these files be deleted or when you reboot, everything will come back.
    Once you are positive that all these files have been deleted, then reboot and post a new HJT log.

    Regards,
    Kent
     
  14. sudee7

    sudee7 Registered Member

    Joined:
    Mar 20, 2004
    Posts:
    12
    Location:
    Oklahoma City, OK
    It appears that I cannot delete that http://*.0.0.0.0

    Also, I searched through "find" for two of the listed .exe files and could not find them.
    C:\WINDOWS\ywpeudh4.exe
    and
    C:\WINDOWS\in5jp42k.exe

    Since I was in safe mode I could not ask your advise.

    Here is the latest log:
    Logfile of HijackThis v1.97.7
    Scan saved at 12:12:18 AM, on 3/26/04
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\RUNDLL32.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\PROGRAM FILES\MATROX MGA POWERDESK\COLOR\HGCCTL95.EXE
    C:\WINDOWS\SYSTEM\HPSJVXD.EXE
    C:\WINDOWS\SYSTEM\STIMON.EXE
    C:\PROGRAM FILES\HEWLETT-PACKARD\HP PRECISIONSCAN\PRECISIONSCAN\HPPPT.EXE
    C:\PROGRAM FILES\HEWLETT-PACKARD\HP PRECISIONSCAN\PRECISIONSCAN\HPLAMP.EXE
    C:\MY DOWNLOAD FILES\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 200.60.172.62:3128
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = host

    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [Matrox Color Control] C:\Program Files\Matrox MGA PowerDesk\Color\hgcctl95.exe
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [HPSCANMonitor] C:\WINDOWS\SYSTEM\hpsjvxd.exe
    O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
    O4 - HKLM\..\Run: [hpppt] C:\Program Files\Hewlett-Packard\HP PrecisionScan\PrecisionScan\hpppt.exe /ICON
    O4 - HKLM\..\Run: [HP Lamp] C:\Program Files\Hewlett-Packard\HP PrecisionScan\PrecisionScan\HPLamp.exe
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O9 - Extra 'Tools' menuitem: Search the Internet (HKLM)
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O9 - Extra button: AIM (HKLM)
    O9 - Extra button: WeatherBug (HKCU)
    O9 - Extra button: Downloads (HKCU)
    O14 - IERESET.INF: START_PAGE_URL=
    O15 - Trusted Zone: http://www.tinkerfcu.org
    O15 - Trusted Zone: http://seb.shaklee.net
    O15 - Trusted Zone: http://www.paypal.com
    O15 - Trusted Zone: http://*.0.0.0.0
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {F5C90925-ABBF-4475-88F5-8622B452BA9E} (Compaq System Data Class) - http://www29.compaq.com/falco/SysQuery.cab
    O16 - DPF: {AED98630-0251-4E83-917D-43A23D66D507} (WebHandler Class) - http://activex.microgaming.com/DLHelper/version7/DLHelper.cab
    O16 - DPF: {82202BE7-C56A-487E-9E55-D84BDC1A5776} (AnarkClient Class) - http://install.anark.com/client/version1/windows-ie/en/AMClient.cab
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0309.cab
    O16 - DPF: {CD17FAAA-17B4-4736-AAEF-436EDC304C8C} (ContentAuditX Control) - http://a840.g.akamai.net/7/840/5805/v1503/www.contentwatch.com/audit/includes/ContentAuditControl.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37865.5305324074
    O16 - DPF: {5445BE81-B796-11D2-B931-002018654E2E} (MeadCo Security Manager) - http://wcs00180.egain.net/wcsapp/weblib/Javascript/messaging/ie/SecMgr.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} (FlashXControl Object) - https://register3.valueactive.com/318/webolr/OCX/FlashAX.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003080601/housecall.antivirus.com/housecall/xscan53.cab
    O16 - DPF: {72C23FEC-3AF9-48FC-9597-241A8EBDFE0A} (InstallShield International Setup Player) - http://ftp.hp.com/pub/automatic/player/isetupML.cab
    O16 - DPF: Buckaroo Blackjack TM by pogo.com - http://vbjack.pogo.com/applet/videoblackjack/videoblackjack-ob-assets.cab
    O16 - DPF: Dice Derby by pogo.com - http://checkeredflag.pogo.com/applet/checkeredflag/checkeredflag-ob-assets.cab
    O16 - DPF: Payday FreeCell by pogo.com - http://freecell.pogo.com/applet/freecell/freecell-ob-assets.cab
    O16 - DPF: First Class Solitaire by pogo.com - http://solitaire44.pogo.com/applet/solitaire2/solitaire2-ob-assets.cab
    O16 - DPF: Spades by pogo.com - http://temp36.pogo.com/applet/spades/spades-ob-assets.cab
    O16 - DPF: Jungle Gin by pogo.com - http://gin.pogo.com/applet/gin/gin-ob-assets.cab
    O16 - DPF: Poppit! TM by pogo.com - http://poppit02.pogo.com/applet/poppit/poppit-ob-assets.cab
    O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
    O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
    O16 - DPF: Showbiz Slots 2 by pogo.com - http://temp35.pogo.com/applet/slots/showbiz2-ob-assets.cab
    O16 - DPF: Greenback Bayou by pogo.com - http://greenback.pogo.com/applet/greenback/greenback-ob-assets.cab
    O16 - DPF: Payday FreeCell by pogo - http://freecell.pogo.com/applet/freecell/freecell-ob-assets.cab
    O16 - DPF: Buckaroo Blackjack TM by pogo - http://vbjack.pogo.com/applet/videoblackjack/videoblackjack-ob-assets.cab
    O16 - DPF: Word Riot by pogo - http://wordriot.pogo.com/applet/wordriot/wordriot-ob-assets.cab
    O16 - DPF: Poppit TM by pogo - http://poppit25.pogo.com/applet/poppit/poppit-ob-assets.cab
    O16 - DPF: Greenback Bayou by pogo - http://greenback.pogo.com/applet/greenback/greenback-ob-assets.cab
    O16 - DPF: First Class Solitaire by pogo - http://solitaire43.pogo.com/applet/solitaire2/solitaire2-ob-assets.cab
    O16 - DPF: Ali Baba Slots TM by pogo - http://slots.pogo.com/applet/slots/alibaba-ob-assets.cab
    O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
    O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/SSC/SharedContent/vc/bin/AvSniff.cab
    O16 - DPF: Fortune Bingo by pogo - http://superbingo.pogo.com/applet/superbingo/superbingo-ob-assets.cab
    O16 - DPF: Word Whomp Whackdown by pogo - http://whackdown.pogo.com/applet/whackdown/whackdown-ob-assets.cab

    Thanks for the help, I am just getting too frustrated.

    Sudee7
     
  15. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    can you reboot again to check that the files won't come back, once or twice i've seen this happen.

    then to remove the 0.0.0. from trusted zones

    open IE/tools/options/security/click on trusted sites and select the 0.0.0. entry and press remove
     
  16. puff-m-d

    puff-m-d Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    4,451
    Location:
    North Carolina, USA
    Hi sudee7,

    It can get frustrating for sure, but you are almost there (good work!!), Just hang in there, and finish up the things dvk01 asks. It is just that with some of these new spyware variants, if you miss anything, they come right back after you...

    Regards,
    Kent
     
  17. sudee7

    sudee7 Registered Member

    Joined:
    Mar 20, 2004
    Posts:
    12
    Location:
    Oklahoma City, OK
    Well, some o them are back. Just as you suspected. I wish I could have found those last two things to delete.

    I am attaching another log, hope it looks better than the others. Thanks for everything. I did go in and get out the 0.0.0. file. I tried sending a log earlier but my computer froze up. So will try again.

    sudee7

    Logfile of HijackThis v1.97.7
    Scan saved at 10:48:52 PM, on 3/26/04
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\RUNDLL32.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS\SYSTEM\STIMON.EXE
    C:\PROGRAM FILES\HEWLETT-PACKARD\HP PRECISIONSCAN\PRECISIONSCAN\HPPPT.EXE
    C:\PROGRAM FILES\HEWLETT-PACKARD\HP PRECISIONSCAN\PRECISIONSCAN\HPLAMP.EXE
    C:\WINDOWS\WAST.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\PROGRAM FILES\AUTOUPDATE\AUTOUPDATE.EXE
    C:\WINDOWS\SYSTEM32\PCS\PCSVC.EXE
    C:\PROGRAM FILES\SYSAI\SYSAI.EXE
    C:\WINDOWS\SYSTEM\PSTORES.EXE
    C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
    C:\MY DOWNLOAD FILES\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 200.60.172.62:3128
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = host

    O2 - BHO: (no name) - {01C5BF6C-E699-4CD7-BEA1-786FA05C83AB} - C:\PROGRAM FILES\SYSAI\APROPOSPLUGIN.DLL
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [Matrox Color Control] C:\Program Files\Matrox MGA PowerDesk\Color\hgcctl95.exe
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [HPSCANMonitor] C:\WINDOWS\SYSTEM\hpsjvxd.exe
    O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
    O4 - HKLM\..\Run: [hpppt] C:\Program Files\Hewlett-Packard\HP PrecisionScan\PrecisionScan\hpppt.exe /ICON
    O4 - HKLM\..\Run: [HP Lamp] C:\Program Files\Hewlett-Packard\HP PrecisionScan\PrecisionScan\HPLamp.exe
    O4 - HKLM\..\Run: [WAST] C:\WINDOWS\WAST
    O4 - HKLM\..\Run: [AutoUpdater] "c:\Program Files\AutoUpdate\AutoUpdate.exe"
    O4 - HKLM\..\Run: [PGStub.exe] C:\DP-B23011805.EXE
    O4 - HKLM\..\Run: [Pcsv] C:\WINDOWS\system32\pcs\pcsvc.exe
    O9 - Extra 'Tools' menuitem: Search the Internet (HKLM)
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O9 - Extra button: AIM (HKLM)
    O9 - Extra button: WeatherBug (HKCU)
    O9 - Extra button: Downloads (HKCU)
    O15 - Trusted Zone: http://www.tinkerfcu.org
    O15 - Trusted Zone: http://seb.shaklee.net
    O15 - Trusted Zone: http://www.paypal.com
    O15 - Trusted Zone: http://*.0.0.0.0
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {F5C90925-ABBF-4475-88F5-8622B452BA9E} (Compaq System Data Class) - http://www29.compaq.com/falco/SysQuery.cab
    O16 - DPF: {AED98630-0251-4E83-917D-43A23D66D507} (WebHandler Class) - http://activex.microgaming.com/DLHelper/version7/DLHelper.cab
    O16 - DPF: {82202BE7-C56A-487E-9E55-D84BDC1A5776} (AnarkClient Class) - http://install.anark.com/client/version1/windows-ie/en/AMClient.cab
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0309.cab
    O16 - DPF: {CD17FAAA-17B4-4736-AAEF-436EDC304C8C} (ContentAuditX Control) - http://a840.g.akamai.net/7/840/5805/v1503/www.contentwatch.com/audit/includes/ContentAuditControl.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37865.5305324074
    O16 - DPF: {5445BE81-B796-11D2-B931-002018654E2E} (MeadCo Security Manager) - http://wcs00180.egain.net/wcsapp/weblib/Javascript/messaging/ie/SecMgr.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} (FlashXControl Object) - https://register3.valueactive.com/318/webolr/OCX/FlashAX.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003080601/housecall.antivirus.com/housecall/xscan53.cab
    O16 - DPF: {72C23FEC-3AF9-48FC-9597-241A8EBDFE0A} (InstallShield International Setup Player) - http://ftp.hp.com/pub/automatic/player/isetupML.cab
    O16 - DPF: Buckaroo Blackjack TM by pogo.com - http://vbjack.pogo.com/applet/videoblackjack/videoblackjack-ob-assets.cab
    O16 - DPF: Dice Derby by pogo.com - http://checkeredflag.pogo.com/applet/checkeredflag/checkeredflag-ob-assets.cab
    O16 - DPF: Payday FreeCell by pogo.com - http://freecell.pogo.com/applet/freecell/freecell-ob-assets.cab
    O16 - DPF: First Class Solitaire by pogo.com - http://solitaire44.pogo.com/applet/solitaire2/solitaire2-ob-assets.cab
    O16 - DPF: Spades by pogo.com - http://temp36.pogo.com/applet/spades/spades-ob-assets.cab
    O16 - DPF: Jungle Gin by pogo.com - http://gin.pogo.com/applet/gin/gin-ob-assets.cab
    O16 - DPF: Poppit! TM by pogo.com - http://poppit02.pogo.com/applet/poppit/poppit-ob-assets.cab
    O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
    O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
    O16 - DPF: Showbiz Slots 2 by pogo.com - http://temp35.pogo.com/applet/slots/showbiz2-ob-assets.cab
    O16 - DPF: Greenback Bayou by pogo.com - http://greenback.pogo.com/applet/greenback/greenback-ob-assets.cab
    O16 - DPF: Payday FreeCell by pogo - http://freecell.pogo.com/applet/freecell/freecell-ob-assets.cab
    O16 - DPF: Buckaroo Blackjack TM by pogo - http://vbjack.pogo.com/applet/videoblackjack/videoblackjack-ob-assets.cab
    O16 - DPF: Word Riot by pogo - http://wordriot.pogo.com/applet/wordriot/wordriot-ob-assets.cab
    O16 - DPF: Poppit TM by pogo - http://poppit25.pogo.com/applet/poppit/poppit-ob-assets.cab
    O16 - DPF: Greenback Bayou by pogo - http://greenback.pogo.com/applet/greenback/greenback-ob-assets.cab
    O16 - DPF: First Class Solitaire by pogo - http://solitaire43.pogo.com/applet/solitaire2/solitaire2-ob-assets.cab
    O16 - DPF: Ali Baba Slots TM by pogo - http://slots.pogo.com/applet/slots/alibaba-ob-assets.cab
    O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/SSC/SharedContent/vc/bin/AvSniff.cab
    O16 - DPF: Fortune Bingo by pogo - http://superbingo.pogo.com/applet/superbingo/superbingo-ob-assets.cab
    O16 - DPF: Word Whomp Whackdown by pogo - http://whackdown.pogo.com/applet/whackdown/whackdown-ob-assets.cab
     
  18. puff-m-d

    puff-m-d Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    4,451
    Location:
    North Carolina, USA
    Hi sudee7,

    Very good. It looks like you got the main baddie that kept coming back. Hopefully, this time should do it.

    Check the following items in HijackThis.
    Close all windows except HijackThis and click Fix checked:

    O2 - BHO: (no name) - {01C5BF6C-E699-4CD7-BEA1-786FA05C83AB} - C:\PROGRAM FILES\SYSAI\APROPOSPLUGIN.DLL

    O4 - HKLM\..\Run: [WAST] C:\WINDOWS\WAST
    O4 - HKLM\..\Run: [AutoUpdater] "c:\Program Files\AutoUpdate\AutoUpdate.exe"
    O4 - HKLM\..\Run: [PGStub.exe] C:\DP-B23011805.EXE
    O4 - HKLM\..\Run: [Pcsv] C:\WINDOWS\system32\pcs\pcsvc.exe

    Then reboot in Safe Mode and delete the following:

    C:\PROGRAM FILES\SYSAI\ <-- entire folder
    C:\WINDOWS\WAST
    C:\WINDOWS\WAST.EXE
    c:\Program Files\AutoUpdate\ <-- entire folder
    C:\DP-B23011805.EXE
    C:\WINDOWS\system32\pcs\ <-- entire folder

    Reboot and then post a fresh HijackThis log.

    Regards,
    Kent
     
  19. sudee7

    sudee7 Registered Member

    Joined:
    Mar 20, 2004
    Posts:
    12
    Location:
    Oklahoma City, OK
    Hi Kent,
    I did everything you said except I couldn't find C:\DP-B23011805.exe.

    While I was in safe mode I went looking around :rolleyes: in the *.exe. Found some things that have been added in the last few days. I copied them to notepad and saved them. I tried attaching it to a post but it wouldn't take it. I would like for you to take a look at them, could I e-mail them to youo_O?

    Thanks a million for all the help and may God bless.
    sudee7

    Here is the latest scan from hjt

    Logfile of HijackThis v1.97.7
    Scan saved at 1:25:01 PM, on 3/27/04
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\RUNDLL32.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\PROGRAM FILES\MATROX MGA POWERDESK\COLOR\HGCCTL95.EXE
    C:\WINDOWS\SYSTEM\HPSJVXD.EXE
    C:\WINDOWS\SYSTEM\STIMON.EXE
    C:\PROGRAM FILES\HEWLETT-PACKARD\HP PRECISIONSCAN\PRECISIONSCAN\HPPPT.EXE
    C:\PROGRAM FILES\HEWLETT-PACKARD\HP PRECISIONSCAN\PRECISIONSCAN\HPLAMP.EXE
    C:\PROGRAM FILES\OUTLOOK EXPRESS\MSIMN.EXE
    C:\WINDOWS\SYSTEM\PSTORES.EXE
    C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
    C:\MY DOWNLOAD FILES\HIJACKTHIS.EXE

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.zestyfind.com/
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 200.60.172.62:3128
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = host

    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [Matrox Color Control] C:\Program Files\Matrox MGA PowerDesk\Color\hgcctl95.exe
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [HPSCANMonitor] C:\WINDOWS\SYSTEM\hpsjvxd.exe
    O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
    O4 - HKLM\..\Run: [hpppt] C:\Program Files\Hewlett-Packard\HP PrecisionScan\PrecisionScan\hpppt.exe /ICON
    O4 - HKLM\..\Run: [HP Lamp] C:\Program Files\Hewlett-Packard\HP PrecisionScan\PrecisionScan\HPLamp.exe
    O9 - Extra 'Tools' menuitem: Search the Internet (HKLM)
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O9 - Extra button: AIM (HKLM)
    O9 - Extra button: WeatherBug (HKCU)
    O9 - Extra button: Downloads (HKCU)
    O15 - Trusted Zone: http://www.tinkerfcu.org
    O15 - Trusted Zone: http://seb.shaklee.net
    O15 - Trusted Zone: http://www.paypal.com
    O15 - Trusted Zone: http://*.0.0.0.0
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {F5C90925-ABBF-4475-88F5-8622B452BA9E} (Compaq System Data Class) - http://www29.compaq.com/falco/SysQuery.cab
    O16 - DPF: {AED98630-0251-4E83-917D-43A23D66D507} (WebHandler Class) - http://activex.microgaming.com/DLHelper/version7/DLHelper.cab
    O16 - DPF: {82202BE7-C56A-487E-9E55-D84BDC1A5776} (AnarkClient Class) - http://install.anark.com/client/version1/windows-ie/en/AMClient.cab
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0309.cab
    O16 - DPF: {CD17FAAA-17B4-4736-AAEF-436EDC304C8C} (ContentAuditX Control) - http://a840.g.akamai.net/7/840/5805/v1503/www.contentwatch.com/audit/includes/ContentAuditControl.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37865.5305324074
    O16 - DPF: {5445BE81-B796-11D2-B931-002018654E2E} (MeadCo Security Manager) - http://wcs00180.egain.net/wcsapp/weblib/Javascript/messaging/ie/SecMgr.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} (FlashXControl Object) - https://register3.valueactive.com/318/webolr/OCX/FlashAX.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003080601/housecall.antivirus.com/housecall/xscan53.cab
    O16 - DPF: {72C23FEC-3AF9-48FC-9597-241A8EBDFE0A} (InstallShield International Setup Player) - http://ftp.hp.com/pub/automatic/player/isetupML.cab
    O16 - DPF: Buckaroo Blackjack TM by pogo.com - http://vbjack.pogo.com/applet/videoblackjack/videoblackjack-ob-assets.cab
    O16 - DPF: Dice Derby by pogo.com - http://checkeredflag.pogo.com/applet/checkeredflag/checkeredflag-ob-assets.cab
    O16 - DPF: Payday FreeCell by pogo.com - http://freecell.pogo.com/applet/freecell/freecell-ob-assets.cab
    O16 - DPF: First Class Solitaire by pogo.com - http://solitaire44.pogo.com/applet/solitaire2/solitaire2-ob-assets.cab
    O16 - DPF: Spades by pogo.com - http://temp36.pogo.com/applet/spades/spades-ob-assets.cab
    O16 - DPF: Jungle Gin by pogo.com - http://gin.pogo.com/applet/gin/gin-ob-assets.cab
    O16 - DPF: Poppit! TM by pogo.com - http://poppit02.pogo.com/applet/poppit/poppit-ob-assets.cab
    O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
    O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
    O16 - DPF: Showbiz Slots 2 by pogo.com - http://temp35.pogo.com/applet/slots/showbiz2-ob-assets.cab
    O16 - DPF: Greenback Bayou by pogo.com - http://greenback.pogo.com/applet/greenback/greenback-ob-assets.cab
    O16 - DPF: Payday FreeCell by pogo - http://freecell.pogo.com/applet/freecell/freecell-ob-assets.cab
    O16 - DPF: Buckaroo Blackjack TM by pogo - http://vbjack.pogo.com/applet/videoblackjack/videoblackjack-ob-assets.cab
    O16 - DPF: Word Riot by pogo - http://wordriot.pogo.com/applet/wordriot/wordriot-ob-assets.cab
    O16 - DPF: Poppit TM by pogo - http://poppit25.pogo.com/applet/poppit/poppit-ob-assets.cab
    O16 - DPF: Greenback Bayou by pogo - http://greenback.pogo.com/applet/greenback/greenback-ob-assets.cab
    O16 - DPF: First Class Solitaire by pogo - http://solitaire43.pogo.com/applet/solitaire2/solitaire2-ob-assets.cab
    O16 - DPF: Ali Baba Slots TM by pogo - http://slots.pogo.com/applet/slots/alibaba-ob-assets.cab
    O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/SSC/SharedContent/vc/bin/AvSniff.cab
    O16 - DPF: Fortune Bingo by pogo - http://superbingo.pogo.com/applet/superbingo/superbingo-ob-assets.cab
    O16 - DPF: Word Whomp Whackdown by pogo - http://whackdown.pogo.com/applet/whackdown/whackdown-ob-assets.cab
     
  20. puff-m-d

    puff-m-d Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    4,451
    Location:
    North Carolina, USA
    Hi sudee7,

    Believe it or not, I only see 1 bad item left.

    Have HJT fix it.

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.zestyfind.com/

    And post a new log to be sure everything is finally gone.

    Feel free to email me the info. My address is in my profile.

    Kent
     
  21. sudee7

    sudee7 Registered Member

    Joined:
    Mar 20, 2004
    Posts:
    12
    Location:
    Oklahoma City, OK
    WOW!
    I can fix that in a jiffy. It came from a pop-up when my computer locked up trying to send a previous scan. That is why some of these items I found worry me. Now I will always be on the look out for anything and everything suspicious. ;) Am I getting paranoid or what o_O

    Thanks again for all the work everyone has done trying to get my computer cleaned up.

    God bless,
    sudee7
     
  22. puff-m-d

    puff-m-d Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    4,451
    Location:
    North Carolina, USA
    Hi sudee7,

    Below is some things you should look over. Some of it might be repetitive to you, but there is a lot of good info there. As you have now experienced first hand, it can be a nightmare sometimes getting all of the adware and spyware off of your system. Prevention is the key, not letting them get on your system in the first place. I hope some of the info below will help you in the future in keeping your system clean.

    Some things you should read and check into:

    Some tips and links that will help you stay safe on-line can be found HERE.

    And here is a good read about how to be better protected : Click Me.

    To help keep your system clean, these are also freeware programs that we recommend:
    SpywareBlaster - will protect you from all spy/foistware in it's database by blocking installation of their ActiveX objects.
    SpywareGuard - provides a degree of real-time protection against spyware that is a great addition to SpywareBlaster's protection method.
    IE-Spyad - will put a list of bad domains and sites into the Restricted Site Zone of your IE Browser. This will help protect IE and prevent those drive-by downloads, browser hijacking, ActiveX, Java, popups, cookies, etc, from compromising your computer while you surf.

    And of course, you should have a trusted spyware removal program (I recommend having them both as one may catch what the other may not, since they update at different times):
    Spybot Search&Destroy
    SpybotS&D Setup Tutorial.
    Ad-Aware
    Ad-Aware Setup Tutorial.
    Before scanning with either Ad-Aware or Spybot S&D, remember to bring them up-to-date first.

    Regards,
    Kent
     
  23. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    I think seeing zestyfind has appeared we should do this, I've got a sneaking suspician that L2M is hidden away waiting to pounce

    http://download.broadbandmedic.com/VbStuff/KillBox.zip

    UnZip it to it's own folder not to the Desktop or a Temp folder. Click on The KillBox.exe and it will open. Now click find then find msg.dll, then on the little pop up window, that says killbox file list, press file/create log and a pop up says do you want to create a log in notepad, say yes and then save as usual in notepad and copy & paste the resulting list here
     
Thread Status:
Not open for further replies.