I need help

sudee7 · Mar 21, 2004

This log was done by Hijackthis. I used Spybot S & D.

My computer has been locking up. Adding things to my desk top. Pop-ups all the time. When I try to use one of my programs like Creatacard or Photostyler, it gives me a low resources warning or says it cannot find part of the program to run it, then I have to reboot in safe mode to scan for mistakes. I have been rebooting a LOT. I do know that somewhere along the way some things have been deleted because I had Super Collapse 11 and it wouldn't start in the first level, it would always go to level four.

ANY help will be appreciated.
God bless,
sudee7

Logfile of HijackThis v1.97.7
Scan saved at 9:48:48 PM, on 3/20/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\MATROX MGA POWERDESK\COLOR\HGCCTL95.EXE
C:\WINDOWS\SYSTEM\HPSJVXD.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\HP PRECISIONSCAN\PRECISIONSCAN\HPPPT.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\HP PRECISIONSCAN\PRECISIONSCAN\HPLAMP.EXE
C:\WINDOWS\SYSTEM32\PCS\PCSVC.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\PROGRAM FILES\OUTLOOK EXPRESS\MSIMN.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\MY DOWNLOAD FILES\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://allaboutsearching.com/searchbar.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://allaboutsearching.com/searchbar.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://allaboutsearching.com/searchbar.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://allaboutsearching.com/searchbar.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://allaboutsearching.com/searchbar.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://allaboutsearching.com/searchbar.html
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 200.60.172.62:3128
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = host

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.searchalot.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: IncrediFindBHO Class - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - C:\PROGRA~1\INCRED~2\BHO\INCFIN~1.DLL
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: (no name) - {CA0B9B71-C2AF-11D3-B376-0800460222F0} - (no file)
O3 - Toolbar: (no name) - {FE6BC4EF-5676-484B-88AE-883323913256} - (no file)
O3 - Toolbar: (no name) - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - (no file)
O3 - Toolbar: 64JumpBold - {E9FCA65F-0703-6935-4344-C8145900DB46} - C:\PROGRAM FILES\SKIPSTORELOVE\BIBPLUS.DLL
O3 - Toolbar: (no name) - {57E69D5A-6539-4d7d-9637-775DE8A385B4} - (no file)
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Matrox Color Control] C:\Program Files\Matrox MGA PowerDesk\Color\hgcctl95.exe
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [HPSCANMonitor] C:\WINDOWS\SYSTEM\hpsjvxd.exe
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [hpppt] C:\Program Files\Hewlett-Packard\HP PrecisionScan\PrecisionScan\hpppt.exe /ICON
O4 - HKLM\..\Run: [HP Lamp] C:\Program Files\Hewlett-Packard\HP PrecisionScan\PrecisionScan\HPLamp.exe
O4 - HKLM\..\Run: [vga enc] C:\PROGRA~1\WMATRA~1\deleteholedrive.exe
O4 - HKLM\..\Run: [AutoUpdater] "c:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKLM\..\Run: [PGStub.exe] C:\DP-B23011805.EXE
O4 - HKLM\..\Run: [Pcsv] C:\WINDOWS\system32\pcs\pcsvc.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - Startup: DLHelperEXE.exe
O9 - Extra 'Tools' menuitem: Search the Internet (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: WeatherBug (HKCU)
O9 - Extra button: Searchalot (HKCU)
O9 - Extra button: Downloads (HKCU)
O10 - Unknown file in Winsock LSP: c:\windows\system\inetadpt.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\inetadpt.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\inetadpt.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\inetadpt.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\inetadpt.dll
O14 - IERESET.INF: START_PAGE_URL=
O15 - Trusted Zone: http://www.tinkerfcu.org
O15 - Trusted Zone: http://seb.shaklee.net
O15 - Trusted Zone: http://www.paypal.com
O15 - Trusted Zone: http://*.0.0.0.0
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {F5C90925-ABBF-4475-88F5-8622B452BA9E} (Compaq System Data Class) - http://www29.compaq.com/falco/SysQuery.cab
O16 - DPF: {AED98630-0251-4E83-917D-43A23D66D507} (WebHandler Class) - http://activex.microgaming.com/DLHelper/version7/DLHelper.cab
O16 - DPF: {82202BE7-C56A-487E-9E55-D84BDC1A5776} (AnarkClient Class) - http://install.anark.com/client/version1/windows-ie/en/AMClient.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0309.cab
O16 - DPF: {CD17FAAA-17B4-4736-AAEF-436EDC304C8C} (ContentAuditX Control) - http://a840.g.akamai.net/7/840/5805/v1503/www.contentwatch.com/audit/includes/ContentAuditControl.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37865.5305324074
O16 - DPF: {5445BE81-B796-11D2-B931-002018654E2E} (MeadCo Security Manager) - http://wcs00180.egain.net/wcsapp/weblib/Javascript/messaging/ie/SecMgr.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} (FlashXControl Object) - https://register3.valueactive.com/318/webolr/OCX/FlashAX.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003080601/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {72C23FEC-3AF9-48FC-9597-241A8EBDFE0A} (InstallShield International Setup Player) - http://ftp.hp.com/pub/automatic/player/isetupML.cab
O16 - DPF: Buckaroo Blackjack TM by pogo.com - http://vbjack.pogo.com/applet/videoblackjack/videoblackjack-ob-assets.cab
O16 - DPF: Dice Derby by pogo.com - http://checkeredflag.pogo.com/applet/checkeredflag/checkeredflag-ob-assets.cab
O16 - DPF: Payday FreeCell by pogo.com - http://freecell.pogo.com/applet/freecell/freecell-ob-assets.cab
O16 - DPF: First Class Solitaire by pogo.com - http://solitaire44.pogo.com/applet/solitaire2/solitaire2-ob-assets.cab
O16 - DPF: Spades by pogo.com - http://temp36.pogo.com/applet/spades/spades-ob-assets.cab
O16 - DPF: Jungle Gin by pogo.com - http://gin.pogo.com/applet/gin/gin-ob-assets.cab
O16 - DPF: Poppit! TM by pogo.com - http://poppit02.pogo.com/applet/poppit/poppit-ob-assets.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: Showbiz Slots 2 by pogo.com - http://temp35.pogo.com/applet/slots/showbiz2-ob-assets.cab
O16 - DPF: Greenback Bayou by pogo.com - http://greenback.pogo.com/applet/greenback/greenback-ob-assets.cab
O16 - DPF: Payday FreeCell by pogo - http://freecell.pogo.com/applet/freecell/freecell-ob-assets.cab
O16 - DPF: Buckaroo Blackjack TM by pogo - http://vbjack.pogo.com/applet/videoblackjack/videoblackjack-ob-assets.cab
O16 - DPF: Word Riot by pogo - http://wordriot.pogo.com/applet/wordriot/wordriot-ob-assets.cab
O16 - DPF: Poppit TM by pogo - http://poppit25.pogo.com/applet/poppit/poppit-ob-assets.cab
O16 - DPF: Greenback Bayou by pogo - http://greenback.pogo.com/applet/greenback/greenback-ob-assets.cab
O16 - DPF: First Class Solitaire by pogo - http://solitaire43.pogo.com/applet/solitaire2/solitaire2-ob-assets.cab
O16 - DPF: Ali Baba Slots TM by pogo - http://temp36.pogo.com/applet/slots/alibaba-ob-assets.cab
O16 - DPF: {197AB1D7-A7DD-4C86-A938-1FCC0DB21B85} (DMProxyCtl Class) - http://dm.cometsystems.com/dm/dm_274.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/SSC/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: Fortune Bingo by pogo - http://superbingo.pogo.com/applet/superbingo/superbingo-ob-assets.cab
O16 - DPF: Word Whomp Whackdown by pogo - http://whackdown.pogo.com/applet/whackdown/whackdown-ob-assets.cab

Pieter_Arntz · Mar 21, 2004

Hi sudee7,

Check the following items in HijackThis.
Close all windows except HijackThis and click Fix checked:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://allaboutsearching.com/searchbar.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://allaboutsearching.com/searchbar.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://allaboutsearching.com/searchbar.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://allaboutsearching.com/searchbar.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://allaboutsearching.com/searchbar.html

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://allaboutsearching.com/searchbar.html

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.searchalot.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: IncrediFindBHO Class - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - C:\PROGRA~1\INCRED~2\BHO\INCFIN~1.DLL
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - (no file)

O3 - Toolbar: (no name) - {CA0B9B71-C2AF-11D3-B376-0800460222F0} - (no file)
O3 - Toolbar: (no name) - {FE6BC4EF-5676-484B-88AE-883323913256} - (no file)
O3 - Toolbar: (no name) - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - (no file)
O3 - Toolbar: 64JumpBold - {E9FCA65F-0703-6935-4344-C8145900DB46} - C:\PROGRAM FILES\SKIPSTORELOVE\BIBPLUS.DLL
O3 - Toolbar: (no name) - {57E69D5A-6539-4d7d-9637-775DE8A385B4} - (no file)

O4 - HKLM\..\Run: [AutoUpdater] "c:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKLM\..\Run: [PGStub.exe] C:\DP-B23011805.EXE
O4 - HKLM\..\Run: [Pcsv] C:\WINDOWS\system32\pcs\pcsvc.exe

O16 - DPF: {197AB1D7-A7DD-4C86-A938-1FCC0DB21B85} (DMProxyCtl Class) - http://dm.cometsystems.com/dm/dm_274.cab

Then download and run CWShredder

Please download, unzip and run: http://www.computercops.biz/zx/phoenix22/cws.zip
Use the Fix button and follow the instructions provided by the program.

Then reboot preferably into safe mode and delete:
C:\WINDOWS\system32\pcs <= entire folder
C:\DP-B23011805.EXE
c:\Program Files\AutoUpdate <= entire folder

Then download and run LSPfix from http://www.cexx.org/lspfix.htm and use it to remove every instance of inetadpt.dll and ONLY that one from your winsock.

Regards,

Pieter

sudee7 · Mar 21, 2004

Pieter,
I was able to everything but could not find
CP-B23011805.exe to delete. Should I go ahead and go to your last step and download and run the cess.org file?

I can see a difference in my computer proformance already!

You are a doll!
sudee7

puff-m-d · Mar 21, 2004

Hi sudee7,

That file may be hidden. See HERE for how to show hidden files. If you still cannot find that file after doing this, go ahead with the LSPfix.

Regards,
Kent

sudee7 · Mar 21, 2004

Kent,
Never could find that one .exe file to delete. But have downloaded and ran Ispfix.

Everyone has been a tremendous help.

Thanks and God bless.
sudee

sudee7 · Mar 24, 2004

Well, I am still having issues with my computer. Now when I reboot it says it is looking for
Morze2.exe
m3kbcgig.exe
vg4m6urj.exe
043dq3wn.exe.

I keep getting the "illegal warning" and "low resources warning"

Any suggestions?

Thanks sudee

Pieter_Arntz · Mar 24, 2004

Hi sudee7,

Could you make a new HijackThis log and post it please?

Regards,

Pieter

sudee7 · Mar 24, 2004

I am really having a time with this computer. I just tried to access your site and got a pop up that said it wasn't available. I am getting so many pop-ups, I can't go anywhere. I had to reboot and it kept searching for a long list of things it couldn't find.

This Hijackthis list was made before rebooting:
Logfile of HijackThis v1.97.7
Scan saved at 6:29:45 PM, on 3/24/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\MATROX MGA POWERDESK\COLOR\HGCCTL95.EXE
C:\WINDOWS\SYSTEM\HPSJVXD.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\HP PRECISIONSCAN\PRECISIONSCAN\HPPPT.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\HP PRECISIONSCAN\PRECISIONSCAN\HPLAMP.EXE
C:\WINDOWS\WAST.EXE
C:\WINDOWS\YQAWCI4C.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\MY DOWNLOAD FILES\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 200.60.172.62:3128
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = host

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: (no name) - {B549456D-F5D0-4641-BCED-8648A0C13D83} - C:\WINDOWS\BrowserHelper.dll
O2 - BHO: (no name) - {BDF6CE3D-F5C5-4462-9814-3C8EAC330CA8} - C:\WINDOWS\ADROAR.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: Band Class - {BDF6CE3D-F5C5-4462-9814-3C8EAC330CA8} - C:\WINDOWS\ADROAR.DLL
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Matrox Color Control] C:\Program Files\Matrox MGA PowerDesk\Color\hgcctl95.exe
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [HPSCANMonitor] C:\WINDOWS\SYSTEM\hpsjvxd.exe
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [hpppt] C:\Program Files\Hewlett-Packard\HP PrecisionScan\PrecisionScan\hpppt.exe /ICON
O4 - HKLM\..\Run: [HP Lamp] C:\Program Files\Hewlett-Packard\HP PrecisionScan\PrecisionScan\HPLamp.exe
O4 - HKLM\..\Run: [vga enc] C:\PROGRA~1\WMATRA~1\deleteholedrive.exe
O4 - HKLM\..\Run: [WAST] C:\WINDOWS\WAST
O4 - HKLM\..\Run: [RM6U31IB.EXE] C:\WINDOWS\RM6U31IB.EXE /dk
O4 - HKLM\..\Run: [YQAWCI4C.EXE] C:\WINDOWS\YQAWCI4C.EXE /dk
O4 - HKLM\..\Run: [8fdo98tx.exe] C:\WINDOWS\8fdo98tx.exe /dk
O4 - HKLM\..\Run: [AdRoarUpdate] C:\WINDOWS\ARUpdate.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKCU\..\Run: [RM6U31IB.EXE] C:\WINDOWS\RM6U31IB.EXE /dk
O4 - HKCU\..\Run: [YQAWCI4C.EXE] C:\WINDOWS\YQAWCI4C.EXE /dk
O4 - HKCU\..\Run: [8fdo98tx.exe] C:\WINDOWS\8fdo98tx.exe /dk
O4 - Startup: DLHelperEXE.exe
O4 - Startup: MORZE2.lnk = C:\WINDOWS\morze2.exe
O4 - Startup: RG4M6URJ.lnk = C:\WINDOWS\rg4m6urj.exe
O4 - Startup: O43DQ3WN.lnk = C:\WINDOWS\o43dq3wn.exe
O4 - Startup: M3KBCGIG.lnk = C:\WINDOWS\m3kbcgig.exe
O4 - Startup: WE4N2R9T.lnk = C:\WINDOWS\we4n2r9t.exe
O4 - Startup: KI0D7GWO.lnk = C:\WINDOWS\ki0d7gwo.exe
O4 - Startup: RM6U31IB.lnk = C:\WINDOWS\rm6u31ib.exe
O4 - Startup: YQAWCI4C.lnk = C:\WINDOWS\yqawci4c.exe
O4 - Startup: 8fdo98tx.lnk = C:\WINDOWS\8fdo98tx.exe
O4 - Global Startup: MORZE2.lnk = C:\WINDOWS\m3kbcgig.exe
O4 - Global Startup: RG4M6URJ.lnk = C:\WINDOWS\we4n2r9t.exe
O4 - Global Startup: O43DQ3WN.lnk = C:\WINDOWS\we4n2r9t.exe
O4 - Global Startup: M3KBCGIG.lnk = C:\WINDOWS\m3kbcgig.exe
O4 - Global Startup: WE4N2R9T.lnk = C:\WINDOWS\we4n2r9t.exe
O4 - Global Startup: KI0D7GWO.lnk = C:\WINDOWS\ki0d7gwo.exe
O4 - Global Startup: RM6U31IB.lnk = C:\WINDOWS\rm6u31ib.exe
O4 - Global Startup: YQAWCI4C.lnk = C:\WINDOWS\yqawci4c.exe
O4 - Global Startup: 8fdo98tx.lnk = C:\WINDOWS\8fdo98tx.exe
O9 - Extra 'Tools' menuitem: Search the Internet (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: WeatherBug (HKCU)
O9 - Extra button: Searchalot (HKCU)
O9 - Extra button: Downloads (HKCU)
O10 - Unknown file in Winsock LSP: c:\windows\system\inetadpt.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\inetadpt.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\inetadpt.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\inetadpt.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\inetadpt.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\inetadpt.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\inetadpt.dll
O14 - IERESET.INF: START_PAGE_URL=
O15 - Trusted Zone: http://www.tinkerfcu.org
O15 - Trusted Zone: http://seb.shaklee.net
O15 - Trusted Zone: http://www.paypal.com
O15 - Trusted Zone: http://*.0.0.0.0
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {F5C90925-ABBF-4475-88F5-8622B452BA9E} (Compaq System Data Class) - http://www29.compaq.com/falco/SysQuery.cab
O16 - DPF: {AED98630-0251-4E83-917D-43A23D66D507} (WebHandler Class) - http://activex.microgaming.com/DLHelper/version7/DLHelper.cab
O16 - DPF: {82202BE7-C56A-487E-9E55-D84BDC1A5776} (AnarkClient Class) - http://install.anark.com/client/version1/windows-ie/en/AMClient.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0309.cab
O16 - DPF: {CD17FAAA-17B4-4736-AAEF-436EDC304C8C} (ContentAuditX Control) - http://a840.g.akamai.net/7/840/5805/v1503/www.contentwatch.com/audit/includes/ContentAuditControl.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37865.5305324074
O16 - DPF: {5445BE81-B796-11D2-B931-002018654E2E} (MeadCo Security Manager) - http://wcs00180.egain.net/wcsapp/weblib/Javascript/messaging/ie/SecMgr.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} (FlashXControl Object) - https://register3.valueactive.com/318/webolr/OCX/FlashAX.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003080601/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {72C23FEC-3AF9-48FC-9597-241A8EBDFE0A} (InstallShield International Setup Player) - http://ftp.hp.com/pub/automatic/player/isetupML.cab
O16 - DPF: Buckaroo Blackjack TM by pogo.com - http://vbjack.pogo.com/applet/videoblackjack/videoblackjack-ob-assets.cab
O16 - DPF: Dice Derby by pogo.com - http://checkeredflag.pogo.com/applet/checkeredflag/checkeredflag-ob-assets.cab
O16 - DPF: Payday FreeCell by pogo.com - http://freecell.pogo.com/applet/freecell/freecell-ob-assets.cab
O16 - DPF: First Class Solitaire by pogo.com - http://solitaire44.pogo.com/applet/solitaire2/solitaire2-ob-assets.cab
O16 - DPF: Spades by pogo.com - http://temp36.pogo.com/applet/spades/spades-ob-assets.cab
O16 - DPF: Jungle Gin by pogo.com - http://gin.pogo.com/applet/gin/gin-ob-assets.cab
O16 - DPF: Poppit! TM by pogo.com - http://poppit02.pogo.com/applet/poppit/poppit-ob-assets.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: Showbiz Slots 2 by pogo.com - http://temp35.pogo.com/applet/slots/showbiz2-ob-assets.cab
O16 - DPF: Greenback Bayou by pogo.com - http://greenback.pogo.com/applet/greenback/greenback-ob-assets.cab
O16 - DPF: Payday FreeCell by pogo - http://freecell.pogo.com/applet/freecell/freecell-ob-assets.cab
O16 - DPF: Buckaroo Blackjack TM by pogo - http://vbjack.pogo.com/applet/videoblackjack/videoblackjack-ob-assets.cab
O16 - DPF: Word Riot by pogo - http://wordriot.pogo.com/applet/wordriot/wordriot-ob-assets.cab
O16 - DPF: Poppit TM by pogo - http://poppit25.pogo.com/applet/poppit/poppit-ob-assets.cab
O16 - DPF: Greenback Bayou by pogo - http://greenback.pogo.com/applet/greenback/greenback-ob-assets.cab
O16 - DPF: First Class Solitaire by pogo - http://solitaire43.pogo.com/applet/solitaire2/solitaire2-ob-assets.cab
O16 - DPF: Ali Baba Slots TM by pogo - http://temp36.pogo.com/applet/slots/alibaba-ob-assets.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/SSC/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: Fortune Bingo by pogo - http://superbingo.pogo.com/applet/superbingo/superbingo-ob-assets.cab
O16 - DPF: Word Whomp Whackdown by pogo - http://whackdown.pogo.com/applet/whackdown/whackdown-ob-assets.cab

Pieter_Arntz · Mar 25, 2004

Wow. You really hit the jackpot this round.

Download and install Regprot from http://www.diamondcs.com.au/index.php?page=regprot
Allow the startups that are already present.

Then check the items listed below in HijackThis, close all windows except HijackThis and click Fix checked:

O2 - BHO: (no name) - {B549456D-F5D0-4641-BCED-8648A0C13D83} - C:\WINDOWS\BrowserHelper.dll
O2 - BHO: (no name) - {BDF6CE3D-F5C5-4462-9814-3C8EAC330CA8} - C:\WINDOWS\ADROAR.DLL

O3 - Toolbar: Band Class - {BDF6CE3D-F5C5-4462-9814-3C8EAC330CA8} - C:\WINDOWS\ADROAR.DLL

O4 - HKLM\..\Run: [vga enc] C:\PROGRA~1\WMATRA~1\deleteholedrive.exe
O4 - HKLM\..\Run: [WAST] C:\WINDOWS\WAST
O4 - HKLM\..\Run: [RM6U31IB.EXE] C:\WINDOWS\RM6U31IB.EXE /dk
O4 - HKLM\..\Run: [YQAWCI4C.EXE] C:\WINDOWS\YQAWCI4C.EXE /dk
O4 - HKLM\..\Run: [8fdo98tx.exe] C:\WINDOWS\8fdo98tx.exe /dk
O4 - HKLM\..\Run: [AdRoarUpdate] C:\WINDOWS\ARUpdate.exe

O4 - HKCU\..\Run: [RM6U31IB.EXE] C:\WINDOWS\RM6U31IB.EXE /dk
O4 - HKCU\..\Run: [YQAWCI4C.EXE] C:\WINDOWS\YQAWCI4C.EXE /dk
O4 - HKCU\..\Run: [8fdo98tx.exe] C:\WINDOWS\8fdo98tx.exe /dk

O4 - Startup: MORZE2.lnk = C:\WINDOWS\morze2.exe
O4 - Startup: RG4M6URJ.lnk = C:\WINDOWS\rg4m6urj.exe
O4 - Startup: O43DQ3WN.lnk = C:\WINDOWS\o43dq3wn.exe
O4 - Startup: M3KBCGIG.lnk = C:\WINDOWS\m3kbcgig.exe
O4 - Startup: WE4N2R9T.lnk = C:\WINDOWS\we4n2r9t.exe
O4 - Startup: KI0D7GWO.lnk = C:\WINDOWS\ki0d7gwo.exe
O4 - Startup: RM6U31IB.lnk = C:\WINDOWS\rm6u31ib.exe
O4 - Startup: YQAWCI4C.lnk = C:\WINDOWS\yqawci4c.exe
O4 - Startup: 8fdo98tx.lnk = C:\WINDOWS\8fdo98tx.exe
O4 - Global Startup: MORZE2.lnk = C:\WINDOWS\m3kbcgig.exe
O4 - Global Startup: RG4M6URJ.lnk = C:\WINDOWS\we4n2r9t.exe
O4 - Global Startup: O43DQ3WN.lnk = C:\WINDOWS\we4n2r9t.exe
O4 - Global Startup: M3KBCGIG.lnk = C:\WINDOWS\m3kbcgig.exe
O4 - Global Startup: WE4N2R9T.lnk = C:\WINDOWS\we4n2r9t.exe
O4 - Global Startup: KI0D7GWO.lnk = C:\WINDOWS\ki0d7gwo.exe
O4 - Global Startup: RM6U31IB.lnk = C:\WINDOWS\rm6u31ib.exe
O4 - Global Startup: YQAWCI4C.lnk = C:\WINDOWS\yqawci4c.exe
O4 - Global Startup: 8fdo98tx.lnk = C:\WINDOWS\8fdo98tx.exe

O9 - Extra button: Searchalot (HKCU)

Then click Fix checked. After you did that any prompts by Regprot should be answered with No.

Reboot into safe mode
and delete:
C:\WINDOWS\YQAWCI4C.EXE

Then download LSPfix here: http://www.cexx.org/lspfix.htm
Launch the application, and click the "I know what I'm doing" checkbox.
Check all instances of inetadpt.dll (and nothing else), and move them to the "Remove" pane.
Then click Finish.

Then post a new HijackThis log please.

Regards,

Pieter

sudee7 · Mar 25, 2004

I could not find C:\Windows\yqawc14c.exe to delete.

Here is the last Hijackthis scan:
Logfile of HijackThis v1.97.7
Scan saved at 10:13:27 AM, on 3/25/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\MATROX MGA POWERDESK\COLOR\HGCCTL95.EXE
C:\WINDOWS\SYSTEM\HPSJVXD.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\HP PRECISIONSCAN\PRECISIONSCAN\HPPPT.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\HP PRECISIONSCAN\PRECISIONSCAN\HPLAMP.EXE
C:\WINDOWS\E2OPOEAC.EXE
C:\MY DOWNLOAD FILES\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 200.60.172.62:3128
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = host

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: (no name) - {B549456D-F5D0-4641-BCED-8648A0C13D83} - C:\WINDOWS\BrowserHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Matrox Color Control] C:\Program Files\Matrox MGA PowerDesk\Color\hgcctl95.exe
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [HPSCANMonitor] C:\WINDOWS\SYSTEM\hpsjvxd.exe
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [hpppt] C:\Program Files\Hewlett-Packard\HP PrecisionScan\PrecisionScan\hpppt.exe /ICON
O4 - HKLM\..\Run: [HP Lamp] C:\Program Files\Hewlett-Packard\HP PrecisionScan\PrecisionScan\HPLamp.exe
O4 - HKLM\..\Run: [E2OPOEAC.EXE] C:\WINDOWS\E2OPOEAC.EXE /dk
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKCU\..\Run: [E2OPOEAC.EXE] C:\WINDOWS\E2OPOEAC.EXE /dk
O4 - Startup: DLHelperEXE.exe
O4 - Startup: E2OPOEAC.lnk = C:\WINDOWS\e2opoeac.exe
O4 - Startup: WUNQZPUN.lnk = C:\WINDOWS\wunqzpun.exe
O4 - Startup: D85UUN1J.lnk = C:\WINDOWS\d85uun1j.exe
O4 - Startup: MORZE1.lnk = C:\WINDOWS\morze1.exe
O4 - Startup: U4AX3ZIK.lnk = C:\WINDOWS\u4ax3zik.exe
O4 - Startup: 4FGO5NOY.lnk = C:\WINDOWS\4fgo5noy.exe
O4 - Startup: 00LV39HR.lnk = C:\WINDOWS\00lv39hr.exe
O4 - Startup: CYFVPGL1.lnk = C:\WINDOWS\cyfvpgl1.exe
O4 - Startup: LPEYVKD8.lnk = C:\WINDOWS\lpeyvkd8.exe
O4 - Startup: T3ULEF2O.lnk = C:\WINDOWS\t3ulef2o.exe
O4 - Startup: QMT8KZVD.lnk = C:\WINDOWS\qmt8kzvd.exe
O4 - Startup: 3IW7U8Z3.lnk = C:\WINDOWS\3iw7u8z3.exe
O4 - Startup: 3YNGOKB1.lnk = C:\WINDOWS\3yngokb1.exe
O4 - Startup: P9OZENHE.lnk = C:\WINDOWS\p9ozenhe.exe
O4 - Startup: U20CTF2B.lnk = C:\WINDOWS\u20ctf2b.exe
O4 - Global Startup: E2OPOEAC.lnk = C:\WINDOWS\e2opoeac.exe
O4 - Global Startup: D85UUN1J.lnk = C:\WINDOWS\d85uun1j.exe
O4 - Global Startup: WUNQZPUN.lnk = C:\WINDOWS\wunqzpun.exe
O4 - Global Startup: MORZE1.lnk = C:\WINDOWS\morze1.exe
O4 - Global Startup: U4AX3ZIK.lnk = C:\WINDOWS\u4ax3zik.exe
O4 - Global Startup: 4FGO5NOY.lnk = C:\WINDOWS\4fgo5noy.exe
O4 - Global Startup: 00LV39HR.lnk = C:\WINDOWS\00lv39hr.exe
O4 - Global Startup: CYFVPGL1.lnk = C:\WINDOWS\cyfvpgl1.exe
O4 - Global Startup: LPEYVKD8.lnk = C:\WINDOWS\lpeyvkd8.exe
O4 - Global Startup: T3ULEF2O.lnk = C:\WINDOWS\t3ulef2o.exe
O4 - Global Startup: QMT8KZVD.lnk = C:\WINDOWS\qmt8kzvd.exe
O4 - Global Startup: 3IW7U8Z3.lnk = C:\WINDOWS\3iw7u8z3.exe
O4 - Global Startup: 3YNGOKB1.lnk = C:\WINDOWS\3yngokb1.exe
O4 - Global Startup: P9OZENHE.lnk = C:\WINDOWS\p9ozenhe.exe
O4 - Global Startup: U20CTF2B.lnk = C:\WINDOWS\u20ctf2b.exe
O9 - Extra 'Tools' menuitem: Search the Internet (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: WeatherBug (HKCU)
O9 - Extra button: Downloads (HKCU)
O14 - IERESET.INF: START_PAGE_URL=
O15 - Trusted Zone: http://www.tinkerfcu.org
O15 - Trusted Zone: http://seb.shaklee.net
O15 - Trusted Zone: http://www.paypal.com
O15 - Trusted Zone: http://*.0.0.0.0
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {F5C90925-ABBF-4475-88F5-8622B452BA9E} (Compaq System Data Class) - http://www29.compaq.com/falco/SysQuery.cab
O16 - DPF: {AED98630-0251-4E83-917D-43A23D66D507} (WebHandler Class) - http://activex.microgaming.com/DLHelper/version7/DLHelper.cab
O16 - DPF: {82202BE7-C56A-487E-9E55-D84BDC1A5776} (AnarkClient Class) - http://install.anark.com/client/version1/windows-ie/en/AMClient.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0309.cab
O16 - DPF: {CD17FAAA-17B4-4736-AAEF-436EDC304C8C} (ContentAuditX Control) - http://a840.g.akamai.net/7/840/5805/v1503/www.contentwatch.com/audit/includes/ContentAuditControl.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37865.5305324074
O16 - DPF: {5445BE81-B796-11D2-B931-002018654E2E} (MeadCo Security Manager) - http://wcs00180.egain.net/wcsapp/weblib/Javascript/messaging/ie/SecMgr.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} (FlashXControl Object) - https://register3.valueactive.com/318/webolr/OCX/FlashAX.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003080601/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {72C23FEC-3AF9-48FC-9597-241A8EBDFE0A} (InstallShield International Setup Player) - http://ftp.hp.com/pub/automatic/player/isetupML.cab
O16 - DPF: Buckaroo Blackjack TM by pogo.com - http://vbjack.pogo.com/applet/videoblackjack/videoblackjack-ob-assets.cab
O16 - DPF: Dice Derby by pogo.com - http://checkeredflag.pogo.com/applet/checkeredflag/checkeredflag-ob-assets.cab
O16 - DPF: Payday FreeCell by pogo.com - http://freecell.pogo.com/applet/freecell/freecell-ob-assets.cab
O16 - DPF: First Class Solitaire by pogo.com - http://solitaire44.pogo.com/applet/solitaire2/solitaire2-ob-assets.cab
O16 - DPF: Spades by pogo.com - http://temp36.pogo.com/applet/spades/spades-ob-assets.cab
O16 - DPF: Jungle Gin by pogo.com - http://gin.pogo.com/applet/gin/gin-ob-assets.cab
O16 - DPF: Poppit! TM by pogo.com - http://poppit02.pogo.com/applet/poppit/poppit-ob-assets.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: Showbiz Slots 2 by pogo.com - http://temp35.pogo.com/applet/slots/showbiz2-ob-assets.cab
O16 - DPF: Greenback Bayou by pogo.com - http://greenback.pogo.com/applet/greenback/greenback-ob-assets.cab
O16 - DPF: Payday FreeCell by pogo - http://freecell.pogo.com/applet/freecell/freecell-ob-assets.cab
O16 - DPF: Buckaroo Blackjack TM by pogo - http://vbjack.pogo.com/applet/videoblackjack/videoblackjack-ob-assets.cab
O16 - DPF: Word Riot by pogo - http://wordriot.pogo.com/applet/wordriot/wordriot-ob-assets.cab
O16 - DPF: Poppit TM by pogo - http://poppit25.pogo.com/applet/poppit/poppit-ob-assets.cab
O16 - DPF: Greenback Bayou by pogo - http://greenback.pogo.com/applet/greenback/greenback-ob-assets.cab
O16 - DPF: First Class Solitaire by pogo - http://solitaire43.pogo.com/applet/solitaire2/solitaire2-ob-assets.cab
O16 - DPF: Ali Baba Slots TM by pogo - http://temp36.pogo.com/applet/slots/alibaba-ob-assets.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/SSC/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: Fortune Bingo by pogo - http://superbingo.pogo.com/applet/superbingo/superbingo-ob-assets.cab
O16 - DPF: Word Whomp Whackdown by pogo - http://whackdown.pogo.com/applet/whackdown/whackdown-ob-assets.cab

puff-m-d · Mar 25, 2004

Hi sudee7,

Welcome to Wilders.

Check the following items in HijackThis.
Close all windows except HijackThis and click Fix checked:

O2 - BHO: (no name) - {B549456D-F5D0-4641-BCED-8648A0C13D83} - C:\WINDOWS\BrowserHelper.dll

O4 - HKLM\..\Run: [E2OPOEAC.EXE] C:\WINDOWS\E2OPOEAC.EXE /dk

O4 - HKCU\..\Run: [E2OPOEAC.EXE] C:\WINDOWS\E2OPOEAC.EXE /dk
O4 - Startup: DLHelperEXE.exe
O4 - Startup: E2OPOEAC.lnk = C:\WINDOWS\e2opoeac.exe
O4 - Startup: WUNQZPUN.lnk = C:\WINDOWS\wunqzpun.exe
O4 - Startup: D85UUN1J.lnk = C:\WINDOWS\d85uun1j.exe
O4 - Startup: MORZE1.lnk = C:\WINDOWS\morze1.exe
O4 - Startup: U4AX3ZIK.lnk = C:\WINDOWS\u4ax3zik.exe
O4 - Startup: 4FGO5NOY.lnk = C:\WINDOWS\4fgo5noy.exe
O4 - Startup: 00LV39HR.lnk = C:\WINDOWS\00lv39hr.exe
O4 - Startup: CYFVPGL1.lnk = C:\WINDOWS\cyfvpgl1.exe
O4 - Startup: LPEYVKD8.lnk = C:\WINDOWS\lpeyvkd8.exe
O4 - Startup: T3ULEF2O.lnk = C:\WINDOWS\t3ulef2o.exe
O4 - Startup: QMT8KZVD.lnk = C:\WINDOWS\qmt8kzvd.exe
O4 - Startup: 3IW7U8Z3.lnk = C:\WINDOWS\3iw7u8z3.exe
O4 - Startup: 3YNGOKB1.lnk = C:\WINDOWS\3yngokb1.exe
O4 - Startup: P9OZENHE.lnk = C:\WINDOWS\p9ozenhe.exe
O4 - Startup: U20CTF2B.lnk = C:\WINDOWS\u20ctf2b.exe
O4 - Global Startup: E2OPOEAC.lnk = C:\WINDOWS\e2opoeac.exe
O4 - Global Startup: D85UUN1J.lnk = C:\WINDOWS\d85uun1j.exe
O4 - Global Startup: WUNQZPUN.lnk = C:\WINDOWS\wunqzpun.exe
O4 - Global Startup: MORZE1.lnk = C:\WINDOWS\morze1.exe
O4 - Global Startup: U4AX3ZIK.lnk = C:\WINDOWS\u4ax3zik.exe
O4 - Global Startup: 4FGO5NOY.lnk = C:\WINDOWS\4fgo5noy.exe
O4 - Global Startup: 00LV39HR.lnk = C:\WINDOWS\00lv39hr.exe
O4 - Global Startup: CYFVPGL1.lnk = C:\WINDOWS\cyfvpgl1.exe
O4 - Global Startup: LPEYVKD8.lnk = C:\WINDOWS\lpeyvkd8.exe
O4 - Global Startup: T3ULEF2O.lnk = C:\WINDOWS\t3ulef2o.exe
O4 - Global Startup: QMT8KZVD.lnk = C:\WINDOWS\qmt8kzvd.exe
O4 - Global Startup: 3IW7U8Z3.lnk = C:\WINDOWS\3iw7u8z3.exe
O4 - Global Startup: 3YNGOKB1.lnk = C:\WINDOWS\3yngokb1.exe
O4 - Global Startup: P9OZENHE.lnk = C:\WINDOWS\p9ozenhe.exe
O4 - Global Startup: U20CTF2B.lnk = C:\WINDOWS\u20ctf2b.exe

O15 - Trusted Zone: http://*.0.0.0.0

There also may be hidden files. See HERE for how to show hidden files.

Then reboot into safe mode and delete the following:

C:\WINDOWS\BrowserHelper.dll
DLHelperEXE.exe <-- You may have to do a search for this file.
C:\WINDOWS\d85uun1j.exe
C:\WINDOWS\wunqzpun.exe
C:\WINDOWS\morze1.exe
C:\WINDOWS\u4ax3zik.exe
C:\WINDOWS\4fgo5noy.exe
C:\WINDOWS\00lv39hr.exe
C:\WINDOWS\cyfvpgl1.exe
C:\WINDOWS\lpeyvkd8.exe
C:\WINDOWS\t3ulef2o.exe
C:\WINDOWS\qmt8kzvd.exe
C:\WINDOWS\3iw7u8z3.exe
C:\WINDOWS\3yngokb1.exe
C:\WINDOWS\p9ozenhe.exe
C:\WINDOWS\u20ctf2b.exe

Reboot and then post a fresh HijackThis log.

Regards,
Kent

sudee7 · Mar 25, 2004

It seems like when I get rid of some things, that others take their places.

Here is the latest Hijackthis log:
Logfile of HijackThis v1.97.7
Scan saved at 2:50:02 PM, on 3/25/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\MATROX MGA POWERDESK\COLOR\HGCCTL95.EXE
C:\WINDOWS\SYSTEM\HPSJVXD.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\HP PRECISIONSCAN\PRECISIONSCAN\HPPPT.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\HP PRECISIONSCAN\PRECISIONSCAN\HPLAMP.EXE
C:\WINDOWS\GECQ9E05.EXE
C:\MY DOWNLOAD FILES\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 200.60.172.62:3128
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = host

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: (no name) - {B549456D-F5D0-4641-BCED-8648A0C13D83} - C:\WINDOWS\BrowserHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Matrox Color Control] C:\Program Files\Matrox MGA PowerDesk\Color\hgcctl95.exe
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [HPSCANMonitor] C:\WINDOWS\SYSTEM\hpsjvxd.exe
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [hpppt] C:\Program Files\Hewlett-Packard\HP PrecisionScan\PrecisionScan\hpppt.exe /ICON
O4 - HKLM\..\Run: [HP Lamp] C:\Program Files\Hewlett-Packard\HP PrecisionScan\PrecisionScan\HPLamp.exe
O4 - HKLM\..\Run: [GECQ9E05.EXE] C:\WINDOWS\GECQ9E05.EXE /dk
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKCU\..\Run: [GECQ9E05.EXE] C:\WINDOWS\GECQ9E05.EXE /dk
O4 - Startup: 0ZWGUD9O.lnk = C:\WINDOWS\0zwgud9o.exe
O4 - Startup: MORZE1.lnk = C:\WINDOWS\morze1.exe
O4 - Startup: R1FLAMFW.lnk = C:\WINDOWS\r1flamfw.exe
O4 - Startup: 5XA810HG.lnk = C:\WINDOWS\5xa810hg.exe
O4 - Startup: YWPEUDH4.lnk = C:\WINDOWS\ywpeudh4.exe
O4 - Startup: QACT2JDE.lnk = C:\WINDOWS\qact2jde.exe
O4 - Startup: IN5JP42K.lnk = C:\WINDOWS\in5jp42k.exe
O4 - Startup: GECQ9E05.lnk = C:\WINDOWS\gecq9e05.exe
O4 - Global Startup: 0ZWGUD9O.lnk = C:\WINDOWS\0zwgud9o.exe
O4 - Global Startup: R1FLAMFW.lnk = C:\WINDOWS\r1flamfw.exe
O4 - Global Startup: 5XA810HG.lnk = C:\WINDOWS\5xa810hg.exe
O4 - Global Startup: YWPEUDH4.lnk = C:\WINDOWS\ywpeudh4.exe
O4 - Global Startup: QACT2JDE.lnk = C:\WINDOWS\qact2jde.exe
O4 - Global Startup: IN5JP42K.lnk = C:\WINDOWS\in5jp42k.exe
O4 - Global Startup: MORZE1.lnk = C:\WINDOWS\morze1.exe
O4 - Global Startup: GECQ9E05.lnk = C:\WINDOWS\gecq9e05.exe
O4 - Global Startup: D85UUN1J.lnk = C:\WINDOWS\d85uun1j.exe
O9 - Extra 'Tools' menuitem: Search the Internet (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: WeatherBug (HKCU)
O9 - Extra button: Downloads (HKCU)
O14 - IERESET.INF: START_PAGE_URL=
O15 - Trusted Zone: http://www.tinkerfcu.org
O15 - Trusted Zone: http://seb.shaklee.net
O15 - Trusted Zone: http://www.paypal.com
O15 - Trusted Zone: http://*.0.0.0.0
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {F5C90925-ABBF-4475-88F5-8622B452BA9E} (Compaq System Data Class) - http://www29.compaq.com/falco/SysQuery.cab
O16 - DPF: {AED98630-0251-4E83-917D-43A23D66D507} (WebHandler Class) - http://activex.microgaming.com/DLHelper/version7/DLHelper.cab
O16 - DPF: {82202BE7-C56A-487E-9E55-D84BDC1A5776} (AnarkClient Class) - http://install.anark.com/client/version1/windows-ie/en/AMClient.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0309.cab
O16 - DPF: {CD17FAAA-17B4-4736-AAEF-436EDC304C8C} (ContentAuditX Control) - http://a840.g.akamai.net/7/840/5805/v1503/www.contentwatch.com/audit/includes/ContentAuditControl.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37865.5305324074
O16 - DPF: {5445BE81-B796-11D2-B931-002018654E2E} (MeadCo Security Manager) - http://wcs00180.egain.net/wcsapp/weblib/Javascript/messaging/ie/SecMgr.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} (FlashXControl Object) - https://register3.valueactive.com/318/webolr/OCX/FlashAX.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003080601/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {72C23FEC-3AF9-48FC-9597-241A8EBDFE0A} (InstallShield International Setup Player) - http://ftp.hp.com/pub/automatic/player/isetupML.cab
O16 - DPF: Buckaroo Blackjack TM by pogo.com - http://vbjack.pogo.com/applet/videoblackjack/videoblackjack-ob-assets.cab
O16 - DPF: Dice Derby by pogo.com - http://checkeredflag.pogo.com/applet/checkeredflag/checkeredflag-ob-assets.cab
O16 - DPF: Payday FreeCell by pogo.com - http://freecell.pogo.com/applet/freecell/freecell-ob-assets.cab
O16 - DPF: First Class Solitaire by pogo.com - http://solitaire44.pogo.com/applet/solitaire2/solitaire2-ob-assets.cab
O16 - DPF: Spades by pogo.com - http://temp36.pogo.com/applet/spades/spades-ob-assets.cab
O16 - DPF: Jungle Gin by pogo.com - http://gin.pogo.com/applet/gin/gin-ob-assets.cab
O16 - DPF: Poppit! TM by pogo.com - http://poppit02.pogo.com/applet/poppit/poppit-ob-assets.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: Showbiz Slots 2 by pogo.com - http://temp35.pogo.com/applet/slots/showbiz2-ob-assets.cab
O16 - DPF: Greenback Bayou by pogo.com - http://greenback.pogo.com/applet/greenback/greenback-ob-assets.cab
O16 - DPF: Payday FreeCell by pogo - http://freecell.pogo.com/applet/freecell/freecell-ob-assets.cab
O16 - DPF: Buckaroo Blackjack TM by pogo - http://vbjack.pogo.com/applet/videoblackjack/videoblackjack-ob-assets.cab
O16 - DPF: Word Riot by pogo - http://wordriot.pogo.com/applet/wordriot/wordriot-ob-assets.cab
O16 - DPF: Poppit TM by pogo - http://poppit25.pogo.com/applet/poppit/poppit-ob-assets.cab
O16 - DPF: Greenback Bayou by pogo - http://greenback.pogo.com/applet/greenback/greenback-ob-assets.cab
O16 - DPF: First Class Solitaire by pogo - http://solitaire43.pogo.com/applet/solitaire2/solitaire2-ob-assets.cab
O16 - DPF: Ali Baba Slots TM by pogo - http://temp36.pogo.com/applet/slots/alibaba-ob-assets.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/SSC/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: Fortune Bingo by pogo - http://superbingo.pogo.com/applet/superbingo/superbingo-ob-assets.cab
O16 - DPF: Word Whomp Whackdown by pogo - http://whackdown.pogo.com/applet/whackdown/whackdown-ob-assets.cab

puff-m-d · Mar 25, 2004

Hi sudee7,

Let's try this one more time.....

Read thru the following and go to all the links that I highlghted in blue. Be sure you understand everything before you proceed. If you have any questions, ask them now as if you miss any of the items below, we are back to square one. Do not power down your machine until told to do so because if you do, all of the file names will change and we will have to start over.

Check the following items only in HijackThis.
Please doublecheck your entries before you click FIX....
Close ALL OTHER WINDOWS except HijackThis and click Fix checked:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: (no name) - {B549456D-F5D0-4641-BCED-8648A0C13D83} - C:\WINDOWS\BrowserHelper.dll

O4 - HKLM\..\Run: [GECQ9E05.EXE] C:\WINDOWS\GECQ9E05.EXE /dk

O4 - HKCU\..\Run: [GECQ9E05.EXE] C:\WINDOWS\GECQ9E05.EXE /dk
O4 - Startup: 0ZWGUD9O.lnk = C:\WINDOWS\0zwgud9o.exe
O4 - Startup: MORZE1.lnk = C:\WINDOWS\morze1.exe
O4 - Startup: R1FLAMFW.lnk = C:\WINDOWS\r1flamfw.exe
O4 - Startup: 5XA810HG.lnk = C:\WINDOWS\5xa810hg.exe
O4 - Startup: YWPEUDH4.lnk = C:\WINDOWS\ywpeudh4.exe
O4 - Startup: QACT2JDE.lnk = C:\WINDOWS\qact2jde.exe
O4 - Startup: IN5JP42K.lnk = C:\WINDOWS\in5jp42k.exe
O4 - Startup: GECQ9E05.lnk = C:\WINDOWS\gecq9e05.exe
O4 - Global Startup: 0ZWGUD9O.lnk = C:\WINDOWS\0zwgud9o.exe
O4 - Global Startup: R1FLAMFW.lnk = C:\WINDOWS\r1flamfw.exe
O4 - Global Startup: 5XA810HG.lnk = C:\WINDOWS\5xa810hg.exe
O4 - Global Startup: YWPEUDH4.lnk = C:\WINDOWS\ywpeudh4.exe
O4 - Global Startup: QACT2JDE.lnk = C:\WINDOWS\qact2jde.exe
O4 - Global Startup: IN5JP42K.lnk = C:\WINDOWS\in5jp42k.exe
O4 - Global Startup: MORZE1.lnk = C:\WINDOWS\morze1.exe
O4 - Global Startup: GECQ9E05.lnk = C:\WINDOWS\gecq9e05.exe
O4 - Global Startup: D85UUN1J.lnk = C:\WINDOWS\d85uun1j.exe

O15 - Trusted Zone: http://*.0.0.0.0

There also may be hidden files. See HERE for how to show hidden files. Click on the blue HERE for instructions on how to do it.....

Then reboot into safe mode and delete the following:
Now this is very important, if you do not know how to boot to safe mode, click on the blue safe mode above.

To delete these files, you need to open Windows Explorer, go to the files location, right click the file, then click delete.
Now let's delete the following files:

C:\WINDOWS\BrowserHelper.dll
C:\WINDOWS\GECQ9E05.EXE
C:\WINDOWS\0zwgud9o.exe
C:\WINDOWS\morze1.exe
C:\WINDOWS\r1flamfw.exe
C:\WINDOWS\5xa810hg.exe
C:\WINDOWS\ywpeudh4.exe
C:\WINDOWS\qact2jde.exe
C:\WINDOWS\in5jp42k.exe
C:\WINDOWS\gecq9e05.exe

It is CRUCIAL That all of these files be deleted or when you reboot, everything will come back.
Once you are positive that all these files have been deleted, then reboot and post a new HJT log.

Regards,
Kent

sudee7 · Mar 26, 2004

It appears that I cannot delete that http://*.0.0.0.0

Also, I searched through "find" for two of the listed .exe files and could not find them.
C:\WINDOWS\ywpeudh4.exe
and
C:\WINDOWS\in5jp42k.exe

Since I was in safe mode I could not ask your advise.

Here is the latest log:
Logfile of HijackThis v1.97.7
Scan saved at 12:12:18 AM, on 3/26/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\MATROX MGA POWERDESK\COLOR\HGCCTL95.EXE
C:\WINDOWS\SYSTEM\HPSJVXD.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\HP PRECISIONSCAN\PRECISIONSCAN\HPPPT.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\HP PRECISIONSCAN\PRECISIONSCAN\HPLAMP.EXE
C:\MY DOWNLOAD FILES\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 200.60.172.62:3128
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = host

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Matrox Color Control] C:\Program Files\Matrox MGA PowerDesk\Color\hgcctl95.exe
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [HPSCANMonitor] C:\WINDOWS\SYSTEM\hpsjvxd.exe
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [hpppt] C:\Program Files\Hewlett-Packard\HP PrecisionScan\PrecisionScan\hpppt.exe /ICON
O4 - HKLM\..\Run: [HP Lamp] C:\Program Files\Hewlett-Packard\HP PrecisionScan\PrecisionScan\HPLamp.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O9 - Extra 'Tools' menuitem: Search the Internet (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: WeatherBug (HKCU)
O9 - Extra button: Downloads (HKCU)
O14 - IERESET.INF: START_PAGE_URL=
O15 - Trusted Zone: http://www.tinkerfcu.org
O15 - Trusted Zone: http://seb.shaklee.net
O15 - Trusted Zone: http://www.paypal.com
O15 - Trusted Zone: http://*.0.0.0.0
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {F5C90925-ABBF-4475-88F5-8622B452BA9E} (Compaq System Data Class) - http://www29.compaq.com/falco/SysQuery.cab
O16 - DPF: {AED98630-0251-4E83-917D-43A23D66D507} (WebHandler Class) - http://activex.microgaming.com/DLHelper/version7/DLHelper.cab
O16 - DPF: {82202BE7-C56A-487E-9E55-D84BDC1A5776} (AnarkClient Class) - http://install.anark.com/client/version1/windows-ie/en/AMClient.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0309.cab
O16 - DPF: {CD17FAAA-17B4-4736-AAEF-436EDC304C8C} (ContentAuditX Control) - http://a840.g.akamai.net/7/840/5805/v1503/www.contentwatch.com/audit/includes/ContentAuditControl.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37865.5305324074
O16 - DPF: {5445BE81-B796-11D2-B931-002018654E2E} (MeadCo Security Manager) - http://wcs00180.egain.net/wcsapp/weblib/Javascript/messaging/ie/SecMgr.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} (FlashXControl Object) - https://register3.valueactive.com/318/webolr/OCX/FlashAX.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003080601/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {72C23FEC-3AF9-48FC-9597-241A8EBDFE0A} (InstallShield International Setup Player) - http://ftp.hp.com/pub/automatic/player/isetupML.cab
O16 - DPF: Buckaroo Blackjack TM by pogo.com - http://vbjack.pogo.com/applet/videoblackjack/videoblackjack-ob-assets.cab
O16 - DPF: Dice Derby by pogo.com - http://checkeredflag.pogo.com/applet/checkeredflag/checkeredflag-ob-assets.cab
O16 - DPF: Payday FreeCell by pogo.com - http://freecell.pogo.com/applet/freecell/freecell-ob-assets.cab
O16 - DPF: First Class Solitaire by pogo.com - http://solitaire44.pogo.com/applet/solitaire2/solitaire2-ob-assets.cab
O16 - DPF: Spades by pogo.com - http://temp36.pogo.com/applet/spades/spades-ob-assets.cab
O16 - DPF: Jungle Gin by pogo.com - http://gin.pogo.com/applet/gin/gin-ob-assets.cab
O16 - DPF: Poppit! TM by pogo.com - http://poppit02.pogo.com/applet/poppit/poppit-ob-assets.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: Showbiz Slots 2 by pogo.com - http://temp35.pogo.com/applet/slots/showbiz2-ob-assets.cab
O16 - DPF: Greenback Bayou by pogo.com - http://greenback.pogo.com/applet/greenback/greenback-ob-assets.cab
O16 - DPF: Payday FreeCell by pogo - http://freecell.pogo.com/applet/freecell/freecell-ob-assets.cab
O16 - DPF: Buckaroo Blackjack TM by pogo - http://vbjack.pogo.com/applet/videoblackjack/videoblackjack-ob-assets.cab
O16 - DPF: Word Riot by pogo - http://wordriot.pogo.com/applet/wordriot/wordriot-ob-assets.cab
O16 - DPF: Poppit TM by pogo - http://poppit25.pogo.com/applet/poppit/poppit-ob-assets.cab
O16 - DPF: Greenback Bayou by pogo - http://greenback.pogo.com/applet/greenback/greenback-ob-assets.cab
O16 - DPF: First Class Solitaire by pogo - http://solitaire43.pogo.com/applet/solitaire2/solitaire2-ob-assets.cab
O16 - DPF: Ali Baba Slots TM by pogo - http://slots.pogo.com/applet/slots/alibaba-ob-assets.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/SSC/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: Fortune Bingo by pogo - http://superbingo.pogo.com/applet/superbingo/superbingo-ob-assets.cab
O16 - DPF: Word Whomp Whackdown by pogo - http://whackdown.pogo.com/applet/whackdown/whackdown-ob-assets.cab

Thanks for the help, I am just getting too frustrated.

Sudee7

dvk01 · Mar 26, 2004

can you reboot again to check that the files won't come back, once or twice i've seen this happen.

then to remove the 0.0.0. from trusted zones

open IE/tools/options/security/click on trusted sites and select the 0.0.0. entry and press remove

puff-m-d · Mar 26, 2004

quoting: dvk01 link=board=17;threadid=25307;start=0#msg149969 date=1080289035]
can you reboot again to check that the files won't come back, once or twice i've seen this happen.

then to remove the 0.0.0. from trusted zones

open IE/tools/options/security/click on trusted sites and select the 0.0.0. entry and press remove
Click to expand...

Hi sudee7,

It can get frustrating for sure, but you are almost there (good work!!), Just hang in there, and finish up the things dvk01 asks. It is just that with some of these new spyware variants, if you miss anything, they come right back after you...

Regards,
Kent

sudee7 · Mar 26, 2004

Well, some o them are back. Just as you suspected. I wish I could have found those last two things to delete.

I am attaching another log, hope it looks better than the others. Thanks for everything. I did go in and get out the 0.0.0. file. I tried sending a log earlier but my computer froze up. So will try again.

sudee7

Logfile of HijackThis v1.97.7
Scan saved at 10:48:52 PM, on 3/26/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\HP PRECISIONSCAN\PRECISIONSCAN\HPPPT.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\HP PRECISIONSCAN\PRECISIONSCAN\HPLAMP.EXE
C:\WINDOWS\WAST.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\AUTOUPDATE\AUTOUPDATE.EXE
C:\WINDOWS\SYSTEM32\PCS\PCSVC.EXE
C:\PROGRAM FILES\SYSAI\SYSAI.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\MY DOWNLOAD FILES\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 200.60.172.62:3128
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = host

O2 - BHO: (no name) - {01C5BF6C-E699-4CD7-BEA1-786FA05C83AB} - C:\PROGRAM FILES\SYSAI\APROPOSPLUGIN.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Matrox Color Control] C:\Program Files\Matrox MGA PowerDesk\Color\hgcctl95.exe
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [HPSCANMonitor] C:\WINDOWS\SYSTEM\hpsjvxd.exe
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [hpppt] C:\Program Files\Hewlett-Packard\HP PrecisionScan\PrecisionScan\hpppt.exe /ICON
O4 - HKLM\..\Run: [HP Lamp] C:\Program Files\Hewlett-Packard\HP PrecisionScan\PrecisionScan\HPLamp.exe
O4 - HKLM\..\Run: [WAST] C:\WINDOWS\WAST
O4 - HKLM\..\Run: [AutoUpdater] "c:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKLM\..\Run: [PGStub.exe] C:\DP-B23011805.EXE
O4 - HKLM\..\Run: [Pcsv] C:\WINDOWS\system32\pcs\pcsvc.exe
O9 - Extra 'Tools' menuitem: Search the Internet (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: WeatherBug (HKCU)
O9 - Extra button: Downloads (HKCU)
O15 - Trusted Zone: http://www.tinkerfcu.org
O15 - Trusted Zone: http://seb.shaklee.net
O15 - Trusted Zone: http://www.paypal.com
O15 - Trusted Zone: http://*.0.0.0.0
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {F5C90925-ABBF-4475-88F5-8622B452BA9E} (Compaq System Data Class) - http://www29.compaq.com/falco/SysQuery.cab
O16 - DPF: {AED98630-0251-4E83-917D-43A23D66D507} (WebHandler Class) - http://activex.microgaming.com/DLHelper/version7/DLHelper.cab
O16 - DPF: {82202BE7-C56A-487E-9E55-D84BDC1A5776} (AnarkClient Class) - http://install.anark.com/client/version1/windows-ie/en/AMClient.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0309.cab
O16 - DPF: {CD17FAAA-17B4-4736-AAEF-436EDC304C8C} (ContentAuditX Control) - http://a840.g.akamai.net/7/840/5805/v1503/www.contentwatch.com/audit/includes/ContentAuditControl.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37865.5305324074
O16 - DPF: {5445BE81-B796-11D2-B931-002018654E2E} (MeadCo Security Manager) - http://wcs00180.egain.net/wcsapp/weblib/Javascript/messaging/ie/SecMgr.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} (FlashXControl Object) - https://register3.valueactive.com/318/webolr/OCX/FlashAX.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003080601/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {72C23FEC-3AF9-48FC-9597-241A8EBDFE0A} (InstallShield International Setup Player) - http://ftp.hp.com/pub/automatic/player/isetupML.cab
O16 - DPF: Buckaroo Blackjack TM by pogo.com - http://vbjack.pogo.com/applet/videoblackjack/videoblackjack-ob-assets.cab
O16 - DPF: Dice Derby by pogo.com - http://checkeredflag.pogo.com/applet/checkeredflag/checkeredflag-ob-assets.cab
O16 - DPF: Payday FreeCell by pogo.com - http://freecell.pogo.com/applet/freecell/freecell-ob-assets.cab
O16 - DPF: First Class Solitaire by pogo.com - http://solitaire44.pogo.com/applet/solitaire2/solitaire2-ob-assets.cab
O16 - DPF: Spades by pogo.com - http://temp36.pogo.com/applet/spades/spades-ob-assets.cab
O16 - DPF: Jungle Gin by pogo.com - http://gin.pogo.com/applet/gin/gin-ob-assets.cab
O16 - DPF: Poppit! TM by pogo.com - http://poppit02.pogo.com/applet/poppit/poppit-ob-assets.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: Showbiz Slots 2 by pogo.com - http://temp35.pogo.com/applet/slots/showbiz2-ob-assets.cab
O16 - DPF: Greenback Bayou by pogo.com - http://greenback.pogo.com/applet/greenback/greenback-ob-assets.cab
O16 - DPF: Payday FreeCell by pogo - http://freecell.pogo.com/applet/freecell/freecell-ob-assets.cab
O16 - DPF: Buckaroo Blackjack TM by pogo - http://vbjack.pogo.com/applet/videoblackjack/videoblackjack-ob-assets.cab
O16 - DPF: Word Riot by pogo - http://wordriot.pogo.com/applet/wordriot/wordriot-ob-assets.cab
O16 - DPF: Poppit TM by pogo - http://poppit25.pogo.com/applet/poppit/poppit-ob-assets.cab
O16 - DPF: Greenback Bayou by pogo - http://greenback.pogo.com/applet/greenback/greenback-ob-assets.cab
O16 - DPF: First Class Solitaire by pogo - http://solitaire43.pogo.com/applet/solitaire2/solitaire2-ob-assets.cab
O16 - DPF: Ali Baba Slots TM by pogo - http://slots.pogo.com/applet/slots/alibaba-ob-assets.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/SSC/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: Fortune Bingo by pogo - http://superbingo.pogo.com/applet/superbingo/superbingo-ob-assets.cab
O16 - DPF: Word Whomp Whackdown by pogo - http://whackdown.pogo.com/applet/whackdown/whackdown-ob-assets.cab

puff-m-d · Mar 27, 2004

Hi sudee7,

Very good. It looks like you got the main baddie that kept coming back. Hopefully, this time should do it.

Check the following items in HijackThis.
Close all windows except HijackThis and click Fix checked:

O2 - BHO: (no name) - {01C5BF6C-E699-4CD7-BEA1-786FA05C83AB} - C:\PROGRAM FILES\SYSAI\APROPOSPLUGIN.DLL

O4 - HKLM\..\Run: [WAST] C:\WINDOWS\WAST
O4 - HKLM\..\Run: [AutoUpdater] "c:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKLM\..\Run: [PGStub.exe] C:\DP-B23011805.EXE
O4 - HKLM\..\Run: [Pcsv] C:\WINDOWS\system32\pcs\pcsvc.exe

Then reboot in Safe Mode and delete the following:

C:\PROGRAM FILES\SYSAI\ <-- entire folder
C:\WINDOWS\WAST
C:\WINDOWS\WAST.EXE
c:\Program Files\AutoUpdate\ <-- entire folder
C:\DP-B23011805.EXE
C:\WINDOWS\system32\pcs\ <-- entire folder

Reboot and then post a fresh HijackThis log.

Regards,
Kent

sudee7 · Mar 27, 2004

Hi Kent,
I did everything you said except I couldn't find C:\DP-B23011805.exe.

While I was in safe mode I went looking around in the *.exe. Found some things that have been added in the last few days. I copied them to notepad and saved them. I tried attaching it to a post but it wouldn't take it. I would like for you to take a look at them, could I e-mail them to you?

Thanks a million for all the help and may God bless.
sudee7

Here is the latest scan from hjt

Logfile of HijackThis v1.97.7
Scan saved at 1:25:01 PM, on 3/27/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\MATROX MGA POWERDESK\COLOR\HGCCTL95.EXE
C:\WINDOWS\SYSTEM\HPSJVXD.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\HP PRECISIONSCAN\PRECISIONSCAN\HPPPT.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\HP PRECISIONSCAN\PRECISIONSCAN\HPLAMP.EXE
C:\PROGRAM FILES\OUTLOOK EXPRESS\MSIMN.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\MY DOWNLOAD FILES\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.zestyfind.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 200.60.172.62:3128
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = host

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Matrox Color Control] C:\Program Files\Matrox MGA PowerDesk\Color\hgcctl95.exe
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [HPSCANMonitor] C:\WINDOWS\SYSTEM\hpsjvxd.exe
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [hpppt] C:\Program Files\Hewlett-Packard\HP PrecisionScan\PrecisionScan\hpppt.exe /ICON
O4 - HKLM\..\Run: [HP Lamp] C:\Program Files\Hewlett-Packard\HP PrecisionScan\PrecisionScan\HPLamp.exe
O9 - Extra 'Tools' menuitem: Search the Internet (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: WeatherBug (HKCU)
O9 - Extra button: Downloads (HKCU)
O15 - Trusted Zone: http://www.tinkerfcu.org
O15 - Trusted Zone: http://seb.shaklee.net
O15 - Trusted Zone: http://www.paypal.com
O15 - Trusted Zone: http://*.0.0.0.0
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {F5C90925-ABBF-4475-88F5-8622B452BA9E} (Compaq System Data Class) - http://www29.compaq.com/falco/SysQuery.cab
O16 - DPF: {AED98630-0251-4E83-917D-43A23D66D507} (WebHandler Class) - http://activex.microgaming.com/DLHelper/version7/DLHelper.cab
O16 - DPF: {82202BE7-C56A-487E-9E55-D84BDC1A5776} (AnarkClient Class) - http://install.anark.com/client/version1/windows-ie/en/AMClient.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0309.cab
O16 - DPF: {CD17FAAA-17B4-4736-AAEF-436EDC304C8C} (ContentAuditX Control) - http://a840.g.akamai.net/7/840/5805/v1503/www.contentwatch.com/audit/includes/ContentAuditControl.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37865.5305324074
O16 - DPF: {5445BE81-B796-11D2-B931-002018654E2E} (MeadCo Security Manager) - http://wcs00180.egain.net/wcsapp/weblib/Javascript/messaging/ie/SecMgr.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} (FlashXControl Object) - https://register3.valueactive.com/318/webolr/OCX/FlashAX.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003080601/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {72C23FEC-3AF9-48FC-9597-241A8EBDFE0A} (InstallShield International Setup Player) - http://ftp.hp.com/pub/automatic/player/isetupML.cab
O16 - DPF: Buckaroo Blackjack TM by pogo.com - http://vbjack.pogo.com/applet/videoblackjack/videoblackjack-ob-assets.cab
O16 - DPF: Dice Derby by pogo.com - http://checkeredflag.pogo.com/applet/checkeredflag/checkeredflag-ob-assets.cab
O16 - DPF: Payday FreeCell by pogo.com - http://freecell.pogo.com/applet/freecell/freecell-ob-assets.cab
O16 - DPF: First Class Solitaire by pogo.com - http://solitaire44.pogo.com/applet/solitaire2/solitaire2-ob-assets.cab
O16 - DPF: Spades by pogo.com - http://temp36.pogo.com/applet/spades/spades-ob-assets.cab
O16 - DPF: Jungle Gin by pogo.com - http://gin.pogo.com/applet/gin/gin-ob-assets.cab
O16 - DPF: Poppit! TM by pogo.com - http://poppit02.pogo.com/applet/poppit/poppit-ob-assets.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: Showbiz Slots 2 by pogo.com - http://temp35.pogo.com/applet/slots/showbiz2-ob-assets.cab
O16 - DPF: Greenback Bayou by pogo.com - http://greenback.pogo.com/applet/greenback/greenback-ob-assets.cab
O16 - DPF: Payday FreeCell by pogo - http://freecell.pogo.com/applet/freecell/freecell-ob-assets.cab
O16 - DPF: Buckaroo Blackjack TM by pogo - http://vbjack.pogo.com/applet/videoblackjack/videoblackjack-ob-assets.cab
O16 - DPF: Word Riot by pogo - http://wordriot.pogo.com/applet/wordriot/wordriot-ob-assets.cab
O16 - DPF: Poppit TM by pogo - http://poppit25.pogo.com/applet/poppit/poppit-ob-assets.cab
O16 - DPF: Greenback Bayou by pogo - http://greenback.pogo.com/applet/greenback/greenback-ob-assets.cab
O16 - DPF: First Class Solitaire by pogo - http://solitaire43.pogo.com/applet/solitaire2/solitaire2-ob-assets.cab
O16 - DPF: Ali Baba Slots TM by pogo - http://slots.pogo.com/applet/slots/alibaba-ob-assets.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/SSC/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: Fortune Bingo by pogo - http://superbingo.pogo.com/applet/superbingo/superbingo-ob-assets.cab
O16 - DPF: Word Whomp Whackdown by pogo - http://whackdown.pogo.com/applet/whackdown/whackdown-ob-assets.cab

puff-m-d · Mar 27, 2004

Hi sudee7,

Believe it or not, I only see 1 bad item left.

Have HJT fix it.

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.zestyfind.com/

And post a new log to be sure everything is finally gone.

Feel free to email me the info. My address is in my profile.

Kent

sudee7 · Mar 27, 2004

WOW!
I can fix that in a jiffy. It came from a pop-up when my computer locked up trying to send a previous scan. That is why some of these items I found worry me. Now I will always be on the look out for anything and everything suspicious. Am I getting paranoid or what

Thanks again for all the work everyone has done trying to get my computer cleaned up.

God bless,
sudee7

puff-m-d · Mar 27, 2004

Hi sudee7,

Below is some things you should look over. Some of it might be repetitive to you, but there is a lot of good info there. As you have now experienced first hand, it can be a nightmare sometimes getting all of the adware and spyware off of your system. Prevention is the key, not letting them get on your system in the first place. I hope some of the info below will help you in the future in keeping your system clean.

Some things you should read and check into:

Some tips and links that will help you stay safe on-line can be found HERE.

And here is a good read about how to be better protected : Click Me.

To help keep your system clean, these are also freeware programs that we recommend:
SpywareBlaster - will protect you from all spy/foistware in it's database by blocking installation of their ActiveX objects.
SpywareGuard - provides a degree of real-time protection against spyware that is a great addition to SpywareBlaster's protection method.
IE-Spyad - will put a list of bad domains and sites into the Restricted Site Zone of your IE Browser. This will help protect IE and prevent those drive-by downloads, browser hijacking, ActiveX, Java, popups, cookies, etc, from compromising your computer while you surf.

And of course, you should have a trusted spyware removal program (I recommend having them both as one may catch what the other may not, since they update at different times):
Spybot Search&Destroy
SpybotS&D Setup Tutorial.
Ad-Aware
Ad-Aware Setup Tutorial.
Before scanning with either Ad-Aware or Spybot S&D, remember to bring them up-to-date first.

Regards,
Kent

dvk01 · Mar 27, 2004

I think seeing zestyfind has appeared we should do this, I've got a sneaking suspician that L2M is hidden away waiting to pounce

http://download.broadbandmedic.com/VbStuff/KillBox.zip

UnZip it to it's own folder not to the Desktop or a Temp folder. Click on The KillBox.exe and it will open. Now click find then find msg.dll, then on the little pop up window, that says killbox file list, press file/create log and a pop up says do you want to create a log in notepad, say yes and then save as usual in notepad and copy & paste the resulting list here

Log in or Sign up

I need help

sudee7 Registered Member

Pieter_Arntz Spyware Veteran

sudee7 Registered Member

puff-m-d Registered Member

sudee7 Registered Member

sudee7 Registered Member

Pieter_Arntz Spyware Veteran

sudee7 Registered Member

Pieter_Arntz Spyware Veteran

sudee7 Registered Member

puff-m-d Registered Member

sudee7 Registered Member

puff-m-d Registered Member

sudee7 Registered Member

dvk01 Global Moderator

puff-m-d Registered Member

sudee7 Registered Member

puff-m-d Registered Member

sudee7 Registered Member

puff-m-d Registered Member

sudee7 Registered Member

puff-m-d Registered Member

dvk01 Global Moderator

Log in or Sign up

I need help

sudee7 Registered Member

Pieter_Arntz Spyware Veteran

sudee7 Registered Member

puff-m-d Registered Member

sudee7 Registered Member

sudee7 Registered Member

Pieter_Arntz Spyware Veteran

sudee7 Registered Member

Pieter_Arntz Spyware Veteran

sudee7 Registered Member

puff-m-d Registered Member

sudee7 Registered Member

puff-m-d Registered Member

sudee7 Registered Member

dvk01 Global Moderator

puff-m-d Registered Member

sudee7 Registered Member

puff-m-d Registered Member

sudee7 Registered Member

puff-m-d Registered Member

sudee7 Registered Member

puff-m-d Registered Member

dvk01 Global Moderator

Useful Searches