Internal generation

Discussion in 'adware, spyware & hijack cleaning' started by Hal, Mar 23, 2004.

Thread Status:
Not open for further replies.
  1. Hal

    Hal Guest

    I am running Spybot and Spywareblaster. My Startup file is being modified even when I am off-line with what appear to be strings of random alpha-numeric characters which reference exe files in the Windows directory which load spyware (Look2Me, BookedSpace, PeopleOnPage, etc.). If I modify the Startup list it crashes the system. If I modify it in "safe mode" it simply replaces the strings on next boot. I can erase the exe files, which brings up a "can't locate shortcut" error when I boot up. And, of course, it creates more exe files. I've done "find file" searches of the registry, but to no avail. Can someone help?
     
  2. puff-m-d

    puff-m-d Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    4,451
    Location:
    North Carolina, USA
    Hi Hal,

    Welcome to Wilders!!!!!

    It seems you have been Hijacked.... Go HERE and follow the instructions.

    Regards,
    Kent
     
  3. Harold Young

    Harold Young Registered Member

    Joined:
    Mar 23, 2004
    Posts:
    5
    I went through that exercise yesterday but I guess there was a misunderstanding about how to get the log posted. I won't go through that now. Here is what was in the post:

    Logfile of HijackThis v1.97.7
    Scan saved at 3:03:23 PM, on 3/23/04
    Platform: Windows 98 Gold (Win9x 4.10.1998)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\PROGRAM FILES\NORTON UTILITIES\NPROTECT.EXE
    C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\AVSYNMGR.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\PROGRAM FILES\COMMON FILES\EPSON\EBAPI\SAGENT2.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\SYSTEM\RNAAPP.EXE
    C:\WINDOWS\SYSTEM\TAPISRV.EXE
    C:\PROGRAM FILES\NORTON CRASHGUARD\CGMENU.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS\SYSTEM\IDRIVE\FILO\IDRIVEPROXY.EXE
    C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\ALOGSERV.EXE
    C:\WINDOWS\LOADQM.EXE
    C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\VSSTAT.EXE
    C:\PROGRAM FILES\EPSON\INK MONITOR\INKMONITOR.EXE
    C:\PROGRAM FILES\COMMON FILES\ADAPTEC SHARED\CREATECD\CREATECD50.EXE
    C:\PROGRAM FILES\ADAPTEC\EASY CD CREATOR 5\DIRECTCD\DIRECTCD.EXE
    C:\PROGRAM FILES\HEWLETT-PACKARD\HP SHARE-TO-WEB\HPGS2WND.EXE
    C:\WINDOWS\SYSTEM\STIMON.EXE
    C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\AVCONSOL.EXE
    C:\PROGRAM FILES\WINAMP\WINAMPA.EXE
    C:\PROGRAM FILES\HEWLETT-PACKARD\HP SHARE-TO-WEB\HPGS2WNF.EXE
    C:\WINDOWS\SYSTEM\QTTASK.EXE
    C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
    C:\WINDOWS\SYSTEM\IEFEATURES.EXE
    C:\PROGRAM FILES\NORTON CRASHGUARD\CG16EH.EXE
    C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\VSHWIN32.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
    C:\WINDOWS\Z7ZH80CX.EXE
    C:\PROGRAM FILES\WINZIP\WINZIP32.EXE
    C:\WINDOWS\TEMP\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://server224.smartbotpro.net/7search/?hkcu
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://popnav.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://server224.smartbotpro.net/7search/?hklm
    R3 - URLSearchHook: IncrediFindBHO Class - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: (no name) - {B549456D-F5D0-4641-BCED-8648A0C13D83} - C:\WINDOWS\BrowserHelper.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\YCOMP5_0_2_4.DLL
    O3 - Toolbar: DashBar Toolbar - {CC90CDA0-74A0-45b4-80EF-D89CA8C249B8} - C:\PROGRAM FILES\DASHBAR\DASHBAR15.DLL (file missing)
    O4 - HKLM\..\Run: [Norton CrashGuard Monitor] "C:\PROGRAM FILES\NORTON CRASHGUARD\CGMenu.EXE"
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [Mount Safe & Sound] C:\PROGRAM FILES\MCAFEE\MCAFEE SHARED COMPONENTS\SAFE & SOUND\FBMOUNT.EXE
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [NPROTECT] C:\Program Files\Norton Utilities\NPROTECT.EXE
    O4 - HKLM\..\Run: [idriveServer] C:\WINDOWS\SYSTEM\idrive\Filo\idriveproxy.exe
    O4 - HKLM\..\Run: [Alogserv] C:\Program Files\McAfee\McAfee VirusScan\alogserv.exe
    O4 - HKLM\..\Run: [LoadQM] loadqm.exe
    O4 - HKLM\..\Run: [Ink Monitor] C:\Program Files\EPSON\Ink Monitor\InkMonitor.exe
    O4 - HKLM\..\Run: [CreateCD50] "C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
    O4 - HKLM\..\Run: [zzzHPSETUP] E:\Setup.exe
    O4 - HKLM\..\Run: [WinampAgent] "C:\PROGRAM FILES\WINAMP\WINAMPa.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
    O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot
    O4 - HKLM\..\Run: [System Tray] C:\WINDOWS\MSCCN32.EXE
    O4 - HKLM\..\Run: [l_I420X] C:\WINDOWS\SYSTEM\l_I420X.exe
    O4 - HKLM\..\Run: [MSVersion] C:\WINDOWS\SYSTEM\INTERNETFEATURES.exe
    O4 - HKLM\..\Run: [iefeatures] C:\WINDOWS\SYSTEM\IEFEATURES.exe
    O4 - HKLM\..\Run: [LVIMZDNU] C:\WINDOWS\LVIMZDNU.exe
    O4 - HKLM\..\Run: [ADG] C:\WINDOWS\ADG.exe
    O4 - HKLM\..\Run: [ICGJMPT] C:\WINDOWS\ICGJMPT.exe
    O4 - HKLM\..\Run: [bxxs5] RunDLL32.EXE C:\WINDOWS\BXXS5.DLL,DllRun
    O4 - HKLM\..\Run: [Z7ZH80CX.EXE] C:\WINDOWS\Z7ZH80CX.EXE /dk
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [NPROTECT] C:\Program Files\Norton Utilities\NPROTECT.EXE
    O4 - HKLM\..\RunServices: [McAfeeVirusScanService] C:\Program Files\McAfee\McAfee VirusScan\AVSYNMGR.EXE
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [SAgent2ExePath] C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
    O4 - HKCU\..\Run: [System Tray] C:\WINDOWS\MSCCN32.EXE
    O4 - HKCU\..\Run: [Z7ZH80CX.EXE] C:\WINDOWS\Z7ZH80CX.EXE /dk
    O4 - Startup: FNYLNF5V.lnk = C:\WINDOWS\fnylnf5v.exe
    O4 - Startup: 14BC9H20.lnk = C:\WINDOWS\14bc9h20.exe
    O4 - Startup: 94XQCZR1.lnk = C:\WINDOWS\94xqczr1.exe
    O4 - Startup: C20R35DG.lnk = C:\WINDOWS\c20r35dg.exe
    O4 - Startup: U2B4PLWV.lnk = C:\WINDOWS\u2b4plwv.exe
    O4 - Startup: 8OMEIAC1.lnk = C:\WINDOWS\8omeiac1.exe
    O4 - Startup: Z7006XYF.lnk = C:\WINDOWS\z7006xyf.exe
    O4 - Startup: MORZE1.lnk = C:\WINDOWS\morze1.exe
    O4 - Startup: Z7ZH80CX.lnk = C:\WINDOWS\z7zh80cx.exe
    O4 - Global Startup: ZXBVTUR7.lnk = C:\WINDOWS\zxbvtur7.exe
    O4 - Global Startup: FNYLNF5V.lnk = C:\WINDOWS\fnylnf5v.exe
    O4 - Global Startup: 14BC9H20.lnk = C:\WINDOWS\14bc9h20.exe
    O4 - Global Startup: 94XQCZR1.lnk = C:\WINDOWS\94xqczr1.exe
    O4 - Global Startup: C20R35DG.lnk = C:\WINDOWS\c20r35dg.exe
    O4 - Global Startup: U2B4PLWV.lnk = C:\WINDOWS\u2b4plwv.exe
    O4 - Global Startup: 8OMEIAC1.lnk = C:\WINDOWS\8omeiac1.exe
    O4 - Global Startup: Z7006XYF.lnk = C:\WINDOWS\z7006xyf.exe
    O4 - Global Startup: MORZE1.lnk = C:\WINDOWS\morze1.exe
    O4 - Global Startup: Z7ZH80CX.lnk = C:\WINDOWS\z7zh80cx.exe
    O8 - Extra context menu item: Bookmark to i-drive - C:\WINDOWS\SYSTEM\idrive\Filo\bookmark.htm
    O8 - Extra context menu item: Clip Page to i-drive - C:\WINDOWS\SYSTEM\idrive\Filo\scrapbook.htm
    O8 - Extra context menu item: Save Image to i-drive - C:\WINDOWS\SYSTEM\idrive\Filo\sideloadImage.htm
    O8 - Extra context menu item: Save Target to i-drive - C:\WINDOWS\SYSTEM\idrive\Filo\sideloadTarget.htm
    O8 - Extra context menu item: Logoff i-drive - C:\WINDOWS\SYSTEM\idrive\Filo\Logoff.htm
    O9 - Extra button: Clip to i-drive (HKLM)
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
    O9 - Extra button: AIM (HKLM)
    O9 - Extra button: Whistle (HKLM)
    O9 - Extra 'Tools' menuitem: Filo (tm) Properties... (HKCU)
    O9 - Extra 'Tools' menuitem: Uninstall Filo (tm) (HKCU)
    O10 - Unknown file in Winsock LSP: c:\windows\system\inetadpt.dll
    O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
    O16 - DPF: {EE8B6D5F-FEF2-11D0-B13F-00A024798EF3} (Microsoft Search Settings Control) - http://lg.msn.com/search/lobby/searchsettings.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {B2BE75F3-9197-11CF-ABF4-08000996E931} (Autodesk WHIP! Control) - ftp://ftp.autodesk.com/pub/whip/english/whip.cab
    O16 - DPF: {D1D6534D-197A-11D3-8039-00500471A15D} (FunctionProxy Class) - https://www.idrive.com/site/download/WinFilo.cab
    O16 - DPF: {0C568603-D79D-11D2-87A7-00C04FF158BB} (BrowseFolderPopup Class) - http://download.mcafee.com/molbin/Shared/MGBrwFld.cab
    O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/zone/Z4/heartbeat.cab
    O16 - DPF: {0D6451B3-FDDA-11D3-BFEC-00D0B725EB0B} (Yahoo! Vision) - http://download.yahoo.com/dl/fv/yv.cab
    O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/potc_x.cab
    O16 - DPF: {AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A} (WTHoster Class) - http://www.wildtangent.com/install/wdriver/3rdPartyContent/dnastudios/harrypotter/wtinst.cab
    O16 - DPF: {0335A685-ED24-4F7B-A08E-3BD15D84E668} - http://www.photoparade.com/autoinstall/phpsetup.cab
    O16 - DPF: {E389B374-BB5A-4A73-ACF4-3CE63E4C1DE9} (Brxpdf5 Control) - http://a19.g.akamai.net/7/19/7125/1239/ftp.coupons.com/brxpdf5.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/20011223/housecall.antivirus.com/housecall/xscan53.cab
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst.cab
    O16 - DPF: {2042B57E-6336-459E-B7CE-2A0F6C9E6AF8} (IEPlayInterface Class) - http://host.interactual.com/whv/hpotter/iaieplay.dll
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://207.188.7.150/06de32a816176905cb05/netzip/RdxIE2.cab
    O16 - DPF: Yahoo! Go - http://download.games.yahoo.com/games/clients/y/gt1_x.cab
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} (ExentInf Class) - http://us.games2.yimg.com/download.games.yahoo.com/games/play/client/exentctl_0_0_0_1.ocx
    O16 - DPF: Yahoo! Towers 2.0 - http://download.games.yahoo.com/games/clients/y/ywt0_x.cab
    O16 - DPF: {DDFFA75A-E81D-4454-89FC-B9FD0631E726} - http://www.zestyfind.com/app/FN/FN.cab
    O16 - DPF: {00000EF1-0786-4633-87C6-1AA7A44296DA} - http://fad-408.mtl4.targetnet.com/ad/id=teenchatJ&opt=htj&pt=13777098605455150863&pfin=1HQ40I1AXFPRJ&cv=210&uid=489157266&url=
    http://www.NetpalOffers.net/NetpalOffers/DMO1/mamc0m.cab

    Thanks, Hal


    edited by dvk01 to prevent the sideways scrolling
     
  4. puff-m-d

    puff-m-d Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    4,451
    Location:
    North Carolina, USA
    Hi Harold Young,

    Welcome to Wilders.

    First, download these 2 programs. We will need them later.
    LSPfix
    CWShredder

    Check the following items in HijackThis.
    Close all windows except HijackThis and click Fix checked:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://server224.smartbotpro.net/7search/?hkcu
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://popnav.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://server224.smartbotpro.net/7search/?hklm
    R3 - URLSearchHook: IncrediFindBHO Class - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL

    O2 - BHO: (no name) - {B549456D-F5D0-4641-BCED-8648A0C13D83} - C:\WINDOWS\BrowserHelper.dll

    O3 - Toolbar: DashBar Toolbar - {CC90CDA0-74A0-45b4-80EF-D89CA8C249B8} - C:\PROGRAM FILES\DASHBAR\DASHBAR15.DLL (file missing)

    O4 - HKLM\..\Run: [zzzHPSETUP] E:\Setup.exe

    O4 - HKLM\..\Run: [System Tray] C:\WINDOWS\MSCCN32.EXE
    O4 - HKLM\..\Run: [l_I420X] C:\WINDOWS\SYSTEM\l_I420X.exe
    O4 - HKLM\..\Run: [MSVersion] C:\WINDOWS\SYSTEM\INTERNETFEATURES.exe
    O4 - HKLM\..\Run: [iefeatures] C:\WINDOWS\SYSTEM\IEFEATURES.exe
    O4 - HKLM\..\Run: [LVIMZDNU] C:\WINDOWS\LVIMZDNU.exe
    O4 - HKLM\..\Run: [ADG] C:\WINDOWS\ADG.exe
    O4 - HKLM\..\Run: [ICGJMPT] C:\WINDOWS\ICGJMPT.exe
    O4 - HKLM\..\Run: [bxxs5] RunDLL32.EXE C:\WINDOWS\BXXS5.DLL,DllRun
    O4 - HKLM\..\Run: [Z7ZH80CX.EXE] C:\WINDOWS\Z7ZH80CX.EXE /dk

    O4 - Startup: FNYLNF5V.lnk = C:\WINDOWS\fnylnf5v.exe
    O4 - Startup: 14BC9H20.lnk = C:\WINDOWS\14bc9h20.exe
    O4 - Startup: 94XQCZR1.lnk = C:\WINDOWS\94xqczr1.exe
    O4 - Startup: C20R35DG.lnk = C:\WINDOWS\c20r35dg.exe
    O4 - Startup: U2B4PLWV.lnk = C:\WINDOWS\u2b4plwv.exe
    O4 - Startup: 8OMEIAC1.lnk = C:\WINDOWS\8omeiac1.exe
    O4 - Startup: Z7006XYF.lnk = C:\WINDOWS\z7006xyf.exe
    O4 - Startup: MORZE1.lnk = C:\WINDOWS\morze1.exe
    O4 - Startup: Z7ZH80CX.lnk = C:\WINDOWS\z7zh80cx.exe
    O4 - Global Startup: ZXBVTUR7.lnk = C:\WINDOWS\zxbvtur7.exe
    O4 - Global Startup: FNYLNF5V.lnk = C:\WINDOWS\fnylnf5v.exe
    O4 - Global Startup: 14BC9H20.lnk = C:\WINDOWS\14bc9h20.exe
    O4 - Global Startup: 94XQCZR1.lnk = C:\WINDOWS\94xqczr1.exe
    O4 - Global Startup: C20R35DG.lnk = C:\WINDOWS\c20r35dg.exe
    O4 - Global Startup: U2B4PLWV.lnk = C:\WINDOWS\u2b4plwv.exe
    O4 - Global Startup: 8OMEIAC1.lnk = C:\WINDOWS\8omeiac1.exe
    O4 - Global Startup: Z7006XYF.lnk = C:\WINDOWS\z7006xyf.exe
    O4 - Global Startup: MORZE1.lnk = C:\WINDOWS\morze1.exe
    O4 - Global Startup: Z7ZH80CX.lnk = C:\WINDOWS\z7zh80cx.exe

    O10 - Unknown file in Winsock LSP: c:\windows\system\inetadpt.dll

    O16 - DPF: {E389B374-BB5A-4A73-ACF4-3CE63E4C1DE9} (Brxpdf5 Control) - http://a19.g.akamai.net/7/19/7125/1239/ftp.coupons.com/brxpdf5.cab

    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://207.188.7.150/06de32a816176905cb05/netzip/RdxIE2.cab

    O16 - DPF: {DDFFA75A-E81D-4454-89FC-B9FD0631E726} - http://www.zestyfind.com/app/FN/FN.cab
    O16 - DPF: {00000EF1-0786-4633-87C6-1AA7A44296DA} - http://fad-408.mtl4.targetnet.com/ad/id=teenchatJ&opt=htj&pt=13777098605455150863&pfin=
    1HQ40I1AXFPRJ&cv=210&uid=489157266&url=http://www.NetpalOffers.net/NetpalOffers/DMO1/mamc0m.cab

    Run CWShredder that you downloaded above. Be sure ALL other windows are closed, use the Fix button, and follow the instructions you will receive.

    Run LSPfix that you downloaded above. Use it to remove all instances of inetadpt.dll.

    Then reboot in Safe Mode and delete the following:

    C:\PROGRA~1\INCRED~1\
    C:\WINDOWS\BrowserHelper.dll
    C:\PROGRAM FILES\DASHBAR\
    C:\WINDOWS\MSCCN32.EXE
    C:\WINDOWS\SYSTEM\l_I420X.exe
    C:\WINDOWS\SYSTEM\INTERNETFEATURES.exe
    C:\WINDOWS\SYSTEM\IEFEATURES.exe
    C:\WINDOWS\LVIMZDNU.exe
    C:\WINDOWS\ADG.exe
    C:\WINDOWS\ICGJMPT.exe
    C:\WINDOWS\BXXS5.DLL,DllRun
    C:\WINDOWS\Z7ZH80CX.EXE /dk
    C:\WINDOWS\fnylnf5v.exe
    C:\WINDOWS\14bc9h20.exe
    C:\WINDOWS\94xqczr1.exe
    C:\WINDOWS\c20r35dg.exe
    C:\WINDOWS\u2b4plwv.exe
    C:\WINDOWS\8omeiac1.exe
    C:\WINDOWS\z7006xyf.exe
    C:\WINDOWS\morze1.exe
    C:\WINDOWS\z7zh80cx.exe
    C:\WINDOWS\zxbvtur7.exe
    C:\WINDOWS\fnylnf5v.exe
    C:\WINDOWS\14bc9h20.exe
    C:\WINDOWS\94xqczr1.exe
    C:\WINDOWS\c20r35dg.exe
    C:\WINDOWS\u2b4plwv.exe
    C:\WINDOWS\8omeiac1.exe
    C:\WINDOWS\z7006xyf.exe
    C:\WINDOWS\morze1.exe
    C:\WINDOWS\z7zh80cx.exe
    c:\windows\system\inetadpt.dll

    Reboot and then post a fresh HijackThis log.

    Regards,
    Kent


    edited by dvk01 to prevent the sideways scrolling
     
  5. Harold Young

    Harold Young Registered Member

    Joined:
    Mar 23, 2004
    Posts:
    5
    Thanks a million!

    I'm obviously not there yet, but on my way. Here is the new log.

    Logfile of HijackThis v1.97.7
    Scan saved at 8:34:29 PM, on 3/24/04
    Platform: Windows 98 Gold (Win9x 4.10.1998)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\PROGRAM FILES\NORTON UTILITIES\NPROTECT.EXE
    C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\AVSYNMGR.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\PROGRAM FILES\COMMON FILES\EPSON\EBAPI\SAGENT2.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\SYSTEM\RNAAPP.EXE
    C:\WINDOWS\SYSTEM\TAPISRV.EXE
    C:\PROGRAM FILES\NORTON CRASHGUARD\CGMENU.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS\SYSTEM\IDRIVE\FILO\IDRIVEPROXY.EXE
    C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\ALOGSERV.EXE
    C:\WINDOWS\LOADQM.EXE
    C:\PROGRAM FILES\EPSON\INK MONITOR\INKMONITOR.EXE
    C:\PROGRAM FILES\COMMON FILES\ADAPTEC SHARED\CREATECD\CREATECD50.EXE
    C:\PROGRAM FILES\ADAPTEC\EASY CD CREATOR 5\DIRECTCD\DIRECTCD.EXE
    C:\PROGRAM FILES\HEWLETT-PACKARD\HP SHARE-TO-WEB\HPGS2WND.EXE
    C:\WINDOWS\SYSTEM\STIMON.EXE
    C:\PROGRAM FILES\NORTON CRASHGUARD\CG16EH.EXE
    C:\PROGRAM FILES\WINAMP\WINAMPA.EXE
    C:\WINDOWS\SYSTEM\QTTASK.EXE
    C:\PROGRAM FILES\HEWLETT-PACKARD\HP SHARE-TO-WEB\HPGS2WNF.EXE
    C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\VSSTAT.EXE
    C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
    C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\AVCONSOL.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\WINDOWS\YC599ZE0.EXE
    C:\DOWNLOADS\SPYBOT\HIJACKTHIS.EXE

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.searchnav.com
    O2 - BHO: (no name) - {B549456D-F5D0-4641-BCED-8648A0C13D83} - C:\WINDOWS\BrowserHelper.dll
    O2 - BHO: (no name) - {0019C3E2-DD48-4A6D-ABCD-8D32436323D9} - C:\WINDOWS\BXXS5.DLL
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\YCOMP5_0_2_4.DLL
    O4 - HKLM\..\Run: [Norton CrashGuard Monitor] "C:\PROGRAM FILES\NORTON CRASHGUARD\CGMenu.EXE"
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [Mount Safe & Sound] C:\PROGRAM FILES\MCAFEE\MCAFEE SHARED COMPONENTS\SAFE & SOUND\FBMOUNT.EXE
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [NPROTECT] C:\Program Files\Norton Utilities\NPROTECT.EXE
    O4 - HKLM\..\Run: [idriveServer] C:\WINDOWS\SYSTEM\idrive\Filo\idriveproxy.exe
    O4 - HKLM\..\Run: [Alogserv] C:\Program Files\McAfee\McAfee VirusScan\alogserv.exe
    O4 - HKLM\..\Run: [LoadQM] loadqm.exe
    O4 - HKLM\..\Run: [Ink Monitor] C:\Program Files\EPSON\Ink Monitor\InkMonitor.exe
    O4 - HKLM\..\Run: [CreateCD50] "C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
    O4 - HKLM\..\Run: [WinampAgent] "C:\PROGRAM FILES\WINAMP\WINAMPa.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
    O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot
    O4 - HKLM\..\Run: [WAST] C:\WINDOWS\WAST
    O4 - HKLM\..\Run: [bxxs5] RunDLL32.EXE C:\WINDOWS\BXXS5.DLL,DllRun
    O4 - HKLM\..\Run: [YC599ZE0.EXE] C:\WINDOWS\YC599ZE0.EXE /dk
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [NPROTECT] C:\Program Files\Norton Utilities\NPROTECT.EXE
    O4 - HKLM\..\RunServices: [McAfeeVirusScanService] C:\Program Files\McAfee\McAfee VirusScan\AVSYNMGR.EXE
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [SAgent2ExePath] C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
    O4 - HKCU\..\Run: [System Tray] C:\WINDOWS\MSCCN32.EXE
    O4 - HKCU\..\Run: [YC599ZE0.EXE] C:\WINDOWS\YC599ZE0.EXE /dk
    O4 - Startup: N4W3CZVB.lnk = C:\WINDOWS\n4w3czvb.exe
    O4 - Startup: N758Z18Y.lnk = C:\WINDOWS\n758z18y.exe
    O4 - Startup: ELZ0RXME.lnk = C:\WINDOWS\elz0rxme.exe
    O4 - Startup: 85NGTTY9.lnk = C:\WINDOWS\85ngtty9.exe
    O4 - Startup: YC599ZE0.lnk = C:\WINDOWS\yc599ze0.exe
    O4 - Global Startup: N4W3CZVB.lnk = C:\WINDOWS\n4w3czvb.exe
    O4 - Global Startup: N758Z18Y.lnk = C:\WINDOWS\n758z18y.exe
    O4 - Global Startup: 85NGTTY9.lnk = C:\WINDOWS\85ngtty9.exe
    O4 - Global Startup: ELZ0RXME.lnk = C:\WINDOWS\elz0rxme.exe
    O4 - Global Startup: YC599ZE0.lnk = C:\WINDOWS\yc599ze0.exe
    O8 - Extra context menu item: Bookmark to i-drive - C:\WINDOWS\SYSTEM\idrive\Filo\bookmark.htm
    O8 - Extra context menu item: Clip Page to i-drive - C:\WINDOWS\SYSTEM\idrive\Filo\scrapbook.htm
    O8 - Extra context menu item: Save Image to i-drive - C:\WINDOWS\SYSTEM\idrive\Filo\sideloadImage.htm
    O8 - Extra context menu item: Save Target to i-drive - C:\WINDOWS\SYSTEM\idrive\Filo\sideloadTarget.htm
    O8 - Extra context menu item: Logoff i-drive - C:\WINDOWS\SYSTEM\idrive\Filo\Logoff.htm
    O9 - Extra button: Clip to i-drive (HKLM)
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
    O9 - Extra button: AIM (HKLM)
    O9 - Extra button: Whistle (HKLM)
    O9 - Extra 'Tools' menuitem: Filo (tm) Properties... (HKCU)
    O9 - Extra 'Tools' menuitem: Uninstall Filo (tm) (HKCU)
    O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
    O16 - DPF: {EE8B6D5F-FEF2-11D0-B13F-00A024798EF3} (Microsoft Search Settings Control) - http://lg.msn.com/search/lobby/searchsettings.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {B2BE75F3-9197-11CF-ABF4-08000996E931} (Autodesk WHIP! Control) - ftp://ftp.autodesk.com/pub/whip/english/whip.cab
    O16 - DPF: {D1D6534D-197A-11D3-8039-00500471A15D} (FunctionProxy Class) - https://www.idrive.com/site/download/WinFilo.cab
    O16 - DPF: {0C568603-D79D-11D2-87A7-00C04FF158BB} (BrowseFolderPopup Class) - http://download.mcafee.com/molbin/Shared/MGBrwFld.cab
    O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/zone/Z4/heartbeat.cab
    O16 - DPF: {0D6451B3-FDDA-11D3-BFEC-00D0B725EB0B} (Yahoo! Vision) - http://download.yahoo.com/dl/fv/yv.cab
    O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/potc_x.cab
    O16 - DPF: {AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A} (WTHoster Class) - http://www.wildtangent.com/install/wdriver/3rdPartyContent/dnastudios/harrypotter/wtinst.cab
    O16 - DPF: {0335A685-ED24-4F7B-A08E-3BD15D84E668} - http://www.photoparade.com/autoinstall/phpsetup.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/20011223/housecall.antivirus.com/housecall/xscan53.cab
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst.cab
    O16 - DPF: {2042B57E-6336-459E-B7CE-2A0F6C9E6AF8} (IEPlayInterface Class) - http://host.interactual.com/whv/hpotter/iaieplay.dll
    O16 - DPF: Yahoo! Go - http://download.games.yahoo.com/games/clients/y/gt1_x.cab
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} (ExentInf Class) - http://us.games2.yimg.com/download.games.yahoo.com/games/play/client/exentctl_0_0_0_1.ocx
    O16 - DPF: Yahoo! Towers 2.0 - http://download.games.yahoo.com/games/clients/y/ywt0_x.cab

    CIAO!
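The two logs in this thread (post 3 and the fresh one just above) show the pattern Hal described in post 1: O4 entries pointing at short, random-looking exe names dropped straight into C:\WINDOWS, which come back under new names after a reboot. The following Python script is an added example, not code from this thread or from HijackThis or any of the tools mentioned in it. It parses the O4 lines of a HijackThis 1.97-style log, flags targets that match that naming pattern, and diffs two logs so a helper can see at a glance which entries a fix removed, which survived it, and which appeared fresh. The sample log lines are abridged, constructed copies of lines posted above; the 6-8 character length and "lives directly in C:\WINDOWS or C:\" rule is a heuristic tuned to these logs, not a general detection rule.

```python
import re
from collections import namedtuple

# Constructed, abridged copies of O4 lines from the two logs above (3/23/04 and
# 3/24/04). Only a handful of lines each; enough to show the regeneration.
LOG_0323 = r"""
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [CreateCD50] "C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r
O4 - HKLM\..\Run: [System Tray] C:\WINDOWS\MSCCN32.EXE
O4 - HKLM\..\Run: [bxxs5] RunDLL32.EXE C:\WINDOWS\BXXS5.DLL,DllRun
O4 - HKLM\..\Run: [Z7ZH80CX.EXE] C:\WINDOWS\Z7ZH80CX.EXE /dk
O4 - HKCU\..\Run: [System Tray] C:\WINDOWS\MSCCN32.EXE
O4 - Startup: FNYLNF5V.lnk = C:\WINDOWS\fnylnf5v.exe
O4 - Global Startup: FNYLNF5V.lnk = C:\WINDOWS\fnylnf5v.exe
O4 - Global Startup: MORZE1.lnk = C:\WINDOWS\morze1.exe
"""

LOG_0324 = r"""
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [bxxs5] RunDLL32.EXE C:\WINDOWS\BXXS5.DLL,DllRun
O4 - HKLM\..\Run: [YC599ZE0.EXE] C:\WINDOWS\YC599ZE0.EXE /dk
O4 - HKCU\..\Run: [System Tray] C:\WINDOWS\MSCCN32.EXE
O4 - Startup: N4W3CZVB.lnk = C:\WINDOWS\n4w3czvb.exe
O4 - Global Startup: N4W3CZVB.lnk = C:\WINDOWS\n4w3czvb.exe
"""

Autorun = namedtuple("Autorun", "location name target switches")

# Registry Run/RunServices lines and Startup-folder .lnk lines, as HijackThis 1.97 prints them.
REG_RE = re.compile(r"^O4 - (?P<loc>HK(?:LM|CU)\\\.\.\\(?:Run|RunServices)): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
LNK_RE = re.compile(r"^O4 - (?P<loc>(?:Global )?Startup): (?P<name>\S+) = (?P<cmd>.+)$")
# Shortest (optionally quoted) prefix ending in an executable extension, then the remainder.
EXE_RE = re.compile(r'^"?(?P<path>[^"]*?\.(?:exe|dll|tsk|com))"?(?P<rest>.*)$', re.IGNORECASE)
DLL_RE = re.compile(r"(?P<path>\S+\.dll)", re.IGNORECASE)
RANDOM_STEM = re.compile(r"^[a-z0-9]{6,8}$")


def split_command(cmd):
    """Return (target_path, switches). A rundll32 host is resolved to the DLL it loads."""
    m = EXE_RE.match(cmd.strip())
    if not m:
        return cmd.strip(), ""          # no recognisable extension (e.g. C:\WINDOWS\WAST)
    path, rest = m.group("path"), m.group("rest").strip()
    if path.lower().rsplit("\\", 1)[-1] == "rundll32.exe":
        d = DLL_RE.search(rest)
        if d:
            return d.group("path"), rest[d.end():].lstrip(",").strip()
    return path, rest


def parse_autoruns(text):
    """Parse every O4 line in a HijackThis log into Autorun records."""
    out = []
    for line in text.splitlines():
        m = REG_RE.match(line.strip()) or LNK_RE.match(line.strip())
        if m:
            target, switches = split_command(m.group("cmd"))
            out.append(Autorun(m.group("loc"), m.group("name"), target, switches))
    return out


def looks_generated(target):
    """Heuristic for this thread's symptom: a 6-8 character mixed letter/digit file name
    sitting directly in C:\\WINDOWS or C:\\ (assumed thresholds, not a general rule)."""
    directory, _, filename = target.lower().rpartition("\\")
    stem, _, ext = filename.rpartition(".")
    if directory not in ("c:\\windows", "c:") or ext not in ("exe", "dll"):
        return False
    return (bool(RANDOM_STEM.match(stem))
            and any(c.isdigit() for c in stem)
            and any(c.isalpha() for c in stem))


def suspicious(autoruns):
    return [a for a in autoruns if looks_generated(a.target)]


def diff_autoruns(before, after):
    """Compare two logs by (location, lowercased target): entries the fix removed,
    entries that survived it, and entries that are new (the regeneration Hal describes)."""
    key = lambda a: (a.location, a.target.lower())
    old = {key(a) for a in parse_autoruns(before)}
    new = {key(a) for a in parse_autoruns(after)}
    return {"removed": sorted(old - new), "persisted": sorted(old & new), "new": sorted(new - old)}


if __name__ == "__main__":
    print("Generated-looking autoruns in the first log:")
    for a in suspicious(parse_autoruns(LOG_0323)):
        print(f"  {a.location:16} {a.target} {a.switches}")
    for section, entries in diff_autoruns(LOG_0323, LOG_0324).items():
        print(f"{section} ({len(entries)}):")
        for loc, tgt in entries:
            flag = "  <-- generated-looking" if looks_generated(tgt) else ""
            print(f"  {loc:16} {tgt}{flag}")
```

Run against the two abridged logs, the diff shows the BXXS5.DLL rundll32 entry and the HKCU MSCCN32 entry surviving the first round (which is why they are asked for again in the next reply), while the random-named exe and its Startup/Global Startup shortcuts disappear and reappear under fresh names. The "persisted" bucket is the one to read first when a fresh log comes back: it tells you which loader the generated files are being recreated from.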
     
  6. puff-m-d

    puff-m-d Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    4,451
    Location:
    North Carolina, USA
    Hi Harold Young,

    You are off to a good start. Let's try to get the rest of them this time.

    Check the following items in HijackThis.
    Close all windows except HijackThis and click Fix checked:

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.searchnav.com
    O2 - BHO: (no name) - {B549456D-F5D0-4641-BCED-8648A0C13D83} - C:\WINDOWS\BrowserHelper.dll
    O2 - BHO: (no name) - {0019C3E2-DD48-4A6D-ABCD-8D32436323D9} - C:\WINDOWS\BXXS5.DLL

    O4 - HKLM\..\Run: [WAST] C:\WINDOWS\WAST
    O4 - HKLM\..\Run: [bxxs5] RunDLL32.EXE C:\WINDOWS\BXXS5.DLL,DllRun
    O4 - HKLM\..\Run: [YC599ZE0.EXE] C:\WINDOWS\YC599ZE0.EXE /dk

    O4 - HKCU\..\Run: [System Tray] C:\WINDOWS\MSCCN32.EXE
    O4 - HKCU\..\Run: [YC599ZE0.EXE] C:\WINDOWS\YC599ZE0.EXE /dk
    O4 - Startup: N4W3CZVB.lnk = C:\WINDOWS\n4w3czvb.exe
    O4 - Startup: N758Z18Y.lnk = C:\WINDOWS\n758z18y.exe
    O4 - Startup: ELZ0RXME.lnk = C:\WINDOWS\elz0rxme.exe
    O4 - Startup: 85NGTTY9.lnk = C:\WINDOWS\85ngtty9.exe
    O4 - Startup: YC599ZE0.lnk = C:\WINDOWS\yc599ze0.exe
    O4 - Global Startup: N4W3CZVB.lnk = C:\WINDOWS\n4w3czvb.exe
    O4 - Global Startup: N758Z18Y.lnk = C:\WINDOWS\n758z18y.exe
    O4 - Global Startup: 85NGTTY9.lnk = C:\WINDOWS\85ngtty9.exe
    O4 - Global Startup: ELZ0RXME.lnk = C:\WINDOWS\elz0rxme.exe
    O4 - Global Startup: YC599ZE0.lnk = C:\WINDOWS\yc599ze0.exe

    There also may be hidden files. See HERE for how to show hidden files.

    Then reboot into safe mode and delete the following:

    C:\WINDOWS\BrowserHelper.dll
    C:\WINDOWS\BXXS5.DLL
    C:\WINDOWS\WAST <-- entire folder
    C:\WINDOWS\YC599ZE0.EXE
    C:\WINDOWS\MSCCN32.EXE
    C:\WINDOWS\n4w3czvb.exe
    C:\WINDOWS\n758z18y.exe
    C:\WINDOWS\elz0rxme.exe
    C:\WINDOWS\85ngtty9.exe
    C:\WINDOWS\yc599ze0.exe
    C:\WINDOWS\85ngtty9.exe
    C:\WINDOWS\yc599ze0.exe

    Reboot and then post a fresh HijackThis log.

    Regards,
    Kent
     
  7. Harold Young

    Harold Young Registered Member

    Joined:
    Mar 23, 2004
    Posts:
    5
    When I got back on line I seem to have gotten two new "friends". One is called Ad Destroyer and the other Virtual Bouncer. I assume these aren't friendly. They keep trying to change my security settings.

    Here is the current Hijack log:

    Logfile of HijackThis v1.97.7
    Scan saved at 12:39:44 PM, on 3/25/04
    Platform: Windows 98 Gold (Win9x 4.10.1998)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\PROGRAM FILES\NORTON UTILITIES\NPROTECT.EXE
    C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\AVSYNMGR.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\PROGRAM FILES\COMMON FILES\EPSON\EBAPI\SAGENT2.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\SYSTEM\RNAAPP.EXE
    C:\WINDOWS\SYSTEM\TAPISRV.EXE
    C:\PROGRAM FILES\NORTON CRASHGUARD\CGMENU.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS\SYSTEM\IDRIVE\FILO\IDRIVEPROXY.EXE
    C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\ALOGSERV.EXE
    C:\WINDOWS\LOADQM.EXE
    C:\PROGRAM FILES\COMMON FILES\ADAPTEC SHARED\CREATECD\CREATECD50.EXE
    C:\PROGRAM FILES\ADAPTEC\EASY CD CREATOR 5\DIRECTCD\DIRECTCD.EXE
    C:\PROGRAM FILES\HEWLETT-PACKARD\HP SHARE-TO-WEB\HPGS2WND.EXE
    C:\WINDOWS\SYSTEM\STIMON.EXE
    C:\PROGRAM FILES\WINAMP\WINAMPA.EXE
    C:\PROGRAM FILES\NORTON CRASHGUARD\CG16EH.EXE
    C:\WINDOWS\SYSTEM\QTTASK.EXE
    C:\PROGRAM FILES\HEWLETT-PACKARD\HP SHARE-TO-WEB\HPGS2WNF.EXE
    C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\VSSTAT.EXE
    C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\AVCONSOL.EXE
    C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\VSHWIN32.EXE
    C:\PROGRAM FILES\ADDESTROYER\ADDESTROYER.EXE
    C:\PROGRAM FILES\VBOUNCER\VIRTUALBOUNCER.EXE
    C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
    C:\WINDOWS\09H9WLOK.EXE
    C:\BDL14117.EXE
    C:\DOWNLOADS\SPYBOT\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://server224.smartbotpro.net/7search/?hkcu
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://server224.smartbotpro.net/7search/?hklm
    R3 - URLSearchHook: IncrediFindBHO Class - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: (no name) - {B549456D-F5D0-4641-BCED-8648A0C13D83} - C:\WINDOWS\BrowserHelper.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\YCOMP5_0_2_4.DLL
    O3 - Toolbar: DashBar Toolbar - {CC90CDA0-74A0-45b4-80EF-D89CA8C249B8} - C:\PROGRAM FILES\DASHBAR\DASHBAR15.DLL (file missing)
    O4 - HKLM\..\Run: [Norton CrashGuard Monitor] "C:\PROGRAM FILES\NORTON CRASHGUARD\CGMenu.EXE"
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [Mount Safe & Sound] C:\PROGRAM FILES\MCAFEE\MCAFEE SHARED COMPONENTS\SAFE & SOUND\FBMOUNT.EXE
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [NPROTECT] C:\Program Files\Norton Utilities\NPROTECT.EXE
    O4 - HKLM\..\Run: [idriveServer] C:\WINDOWS\SYSTEM\idrive\Filo\idriveproxy.exe
    O4 - HKLM\..\Run: [Alogserv] C:\Program Files\McAfee\McAfee VirusScan\alogserv.exe
    O4 - HKLM\..\Run: [LoadQM] loadqm.exe
    O4 - HKLM\..\Run: [Ink Monitor] C:\Program Files\EPSON\Ink Monitor\InkMonitor.exe
    O4 - HKLM\..\Run: [CreateCD50] "C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
    O4 - HKLM\..\Run: [zzzHPSETUP] E:\Setup.exe
    O4 - HKLM\..\Run: [WinampAgent] "C:\PROGRAM FILES\WINAMP\WINAMPa.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
    O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot
    O4 - HKLM\..\Run: [System Tray] C:\WINDOWS\MSCCN32.EXE
    O4 - HKLM\..\Run: [l_I420X] C:\WINDOWS\SYSTEM\l_I420X.exe
    O4 - HKLM\..\Run: [MSVersion] C:\WINDOWS\SYSTEM\INTERNETFEATURES.exe
    O4 - HKLM\..\Run: [iefeatures] C:\WINDOWS\SYSTEM\IEFEATURES.exe
    O4 - HKLM\..\Run: [LVIMZDNU] C:\WINDOWS\LVIMZDNU.exe
    O4 - HKLM\..\Run: [ADG] C:\WINDOWS\ADG.exe
    O4 - HKLM\..\Run: [ICGJMPT] C:\WINDOWS\ICGJMPT.exe
    O4 - HKLM\..\Run: [09H9WLOK.EXE] C:\WINDOWS\09H9WLOK.EXE /dk
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [NPROTECT] C:\Program Files\Norton Utilities\NPROTECT.EXE
    O4 - HKLM\..\RunServices: [McAfeeVirusScanService] C:\Program Files\McAfee\McAfee VirusScan\AVSYNMGR.EXE
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [SAgent2ExePath] C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
    O4 - HKCU\..\Run: [09H9WLOK.EXE] C:\WINDOWS\09H9WLOK.EXE /dk
    O4 - Startup: JW70ZUN8.lnk = C:\WINDOWS\jw70zun8.exe
    O4 - Startup: VM8KDNOF.lnk = C:\WINDOWS\vm8kdnof.exe
    O4 - Startup: AdDestroyer.lnk = C:\PROGRA~1\ADDEST~1\AdDestroyer.exe
    O4 - Startup: Virtual Bouncer.lnk = C:\PROGRA~1\VBOUNCER\VirtualBouncer.exe
    O4 - Startup: DJ04XKVV.lnk = C:\WINDOWS\dj04xkvv.exe
    O4 - Startup: 75HP3GCL.lnk = C:\WINDOWS\75hp3gcl.exe
    O4 - Startup: BB20FUE1.lnk = C:\WINDOWS\bb20fue1.exe
    O4 - Startup: EQ6IAE6K.lnk = C:\WINDOWS\eq6iae6k.exe
    O4 - Startup: ATCA40QL.lnk = C:\WINDOWS\atca40ql.exe
    O4 - Startup: ZUWQUD60.lnk = C:\WINDOWS\zuwqud60.exe
    O4 - Startup: MORZE1.lnk = C:\WINDOWS\morze1.exe
    O4 - Startup: 09H9WLOK.lnk = C:\WINDOWS\09h9wlok.exe
    O4 - Global Startup: MORZE1.lnk = C:\WINDOWS\morze1.exe
    O4 - Global Startup: JW70ZUN8.lnk = C:\WINDOWS\jw70zun8.exe
    O4 - Global Startup: VM8KDNOF.lnk = C:\WINDOWS\vm8kdnof.exe
    O4 - Global Startup: DJ04XKVV.lnk = C:\WINDOWS\dj04xkvv.exe
    O4 - Global Startup: 09H9WLOK.lnk = C:\WINDOWS\09h9wlok.exe
    O4 - Global Startup: 75HP3GCL.lnk = C:\WINDOWS\75hp3gcl.exe
    O4 - Global Startup: BB20FUE1.lnk = C:\WINDOWS\bb20fue1.exe
    O4 - Global Startup: EQ6IAE6K.lnk = C:\WINDOWS\eq6iae6k.exe
    O4 - Global Startup: ATCA40QL.lnk = C:\WINDOWS\atca40ql.exe
    O4 - Global Startup: ZUWQUD60.lnk = C:\WINDOWS\zuwqud60.exe
    O8 - Extra context menu item: Bookmark to i-drive - C:\WINDOWS\SYSTEM\idrive\Filo\bookmark.htm
    O8 - Extra context menu item: Clip Page to i-drive - C:\WINDOWS\SYSTEM\idrive\Filo\scrapbook.htm
    O8 - Extra context menu item: Save Image to i-drive - C:\WINDOWS\SYSTEM\idrive\Filo\sideloadImage.htm
    O8 - Extra context menu item: Save Target to i-drive - C:\WINDOWS\SYSTEM\idrive\Filo\sideloadTarget.htm
    O8 - Extra context menu item: Logoff i-drive - C:\WINDOWS\SYSTEM\idrive\Filo\Logoff.htm
    O9 - Extra button: Clip to i-drive (HKLM)
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
    O9 - Extra button: AIM (HKLM)
    O9 - Extra button: Whistle (HKLM)
    O9 - Extra 'Tools' menuitem: Filo (tm) Properties... (HKCU)
    O9 - Extra 'Tools' menuitem: Uninstall Filo (tm) (HKCU)
    O10 - Unknown file in Winsock LSP: c:\windows\system\inetadpt.dll
    O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
    O16 - DPF: {EE8B6D5F-FEF2-11D0-B13F-00A024798EF3} (Microsoft Search Settings Control) - http://lg.msn.com/search/lobby/searchsettings.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {B2BE75F3-9197-11CF-ABF4-08000996E931} (Autodesk WHIP! Control) - ftp://ftp.autodesk.com/pub/whip/english/whip.cab
    O16 - DPF: {D1D6534D-197A-11D3-8039-00500471A15D} (FunctionProxy Class) - https://www.idrive.com/site/download/WinFilo.cab
    O16 - DPF: {0C568603-D79D-11D2-87A7-00C04FF158BB} (BrowseFolderPopup Class) - http://download.mcafee.com/molbin/Shared/MGBrwFld.cab
    O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/zone/Z4/heartbeat.cab
    O16 - DPF: {0D6451B3-FDDA-11D3-BFEC-00D0B725EB0B} (Yahoo! Vision) - http://download.yahoo.com/dl/fv/yv.cab
    O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/potc_x.cab
    O16 - DPF: {AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A} (WTHoster Class) - http://www.wildtangent.com/install/wdriver/3rdPartyContent/dnastudios/harrypotter/wtinst.cab
    O16 - DPF: {0335A685-ED24-4F7B-A08E-3BD15D84E668} - http://www.photoparade.com/autoinstall/phpsetup.cab
    O16 - DPF: {E389B374-BB5A-4A73-ACF4-3CE63E4C1DE9} (Brxpdf5 Control) - http://a19.g.akamai.net/7/19/7125/1239/ftp.coupons.com/brxpdf5.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/20011223/housecall.antivirus.com/housecall/xscan53.cab
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst.cab
    O16 - DPF: {2042B57E-6336-459E-B7CE-2A0F6C9E6AF8} (IEPlayInterface Class) - http://host.interactual.com/whv/hpotter/iaieplay.dll
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://207.188.7.150/06de32a816176905cb05/netzip/RdxIE2.cab
    O16 - DPF: Yahoo! Go - http://download.games.yahoo.com/games/clients/y/gt1_x.cab
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} (ExentInf Class) - http://us.games2.yimg.com/download.games.yahoo.com/games/play/client/exentctl_0_0_0_1.ocx
    O16 - DPF: Yahoo! Towers 2.0 - http://download.games.yahoo.com/games/clients/y/ywt0_x.cab
    O16 - DPF: {DDFFA75A-E81D-4454-89FC-B9FD0631E726} - http://www.zestyfind.com/app/FN/FN.cab
    O16 - DPF: {00000EF1-0786-4633-87C6-1AA7A44296DA} - http://fad-408.mtl4.targetnet.com/ad/id=teenchatJ&opt=htj&pt=
    13777098605455150863&pfin=1HQ40I1AXFPRJ&cv=210&uid=489157266&url=
    http://www.NetpalOffers.net/NetpalOffers/DMO1/mamc0m.cab

    Thanks again

    Harold


    edited by dvk01 to prevent the sideways scrolling
     
  8. puff-m-d

    puff-m-d Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    4,451
    Location:
    North Carolina, USA
    Hi Hal,

    Check the following items in HijackThis.
    Close all windows except HijackThis and click Fix checked:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://server224.smartbotpro.net/7search/?hkcu
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://server224.smartbotpro.net/7search/?hklm
    R3 - URLSearchHook: IncrediFindBHO Class - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL

    O2 - BHO: (no name) - {B549456D-F5D0-4641-BCED-8648A0C13D83} - C:\WINDOWS\BrowserHelper.dll

    O3 - Toolbar: DashBar Toolbar - {CC90CDA0-74A0-45b4-80EF-D89CA8C249B8} - C:\PROGRAM FILES\DASHBAR\DASHBAR15.DLL (file missing)

    O4 - HKLM\..\Run: [l_I420X] C:\WINDOWS\SYSTEM\l_I420X.exe
    O4 - HKLM\..\Run: [MSVersion] C:\WINDOWS\SYSTEM\INTERNETFEATURES.exe
    O4 - HKLM\..\Run: [iefeatures] C:\WINDOWS\SYSTEM\IEFEATURES.exe
    O4 - HKLM\..\Run: [LVIMZDNU] C:\WINDOWS\LVIMZDNU.exe
    O4 - HKLM\..\Run: [ADG] C:\WINDOWS\ADG.exe
    O4 - HKLM\..\Run: [ICGJMPT] C:\WINDOWS\ICGJMPT.exe
    O4 - HKLM\..\Run: [09H9WLOK.EXE] C:\WINDOWS\09H9WLOK.EXE /dk

    O4 - HKCU\..\Run: [09H9WLOK.EXE] C:\WINDOWS\09H9WLOK.EXE /dk
    O4 - Startup: JW70ZUN8.lnk = C:\WINDOWS\jw70zun8.exe
    O4 - Startup: VM8KDNOF.lnk = C:\WINDOWS\vm8kdnof.exe
    O4 - Startup: AdDestroyer.lnk = C:\PROGRA~1\ADDEST~1\AdDestroyer.exe
    O4 - Startup: Virtual Bouncer.lnk = C:\PROGRA~1\VBOUNCER\VirtualBouncer.exe
    O4 - Startup: DJ04XKVV.lnk = C:\WINDOWS\dj04xkvv.exe
    O4 - Startup: 75HP3GCL.lnk = C:\WINDOWS\75hp3gcl.exe
    O4 - Startup: BB20FUE1.lnk = C:\WINDOWS\bb20fue1.exe
    O4 - Startup: EQ6IAE6K.lnk = C:\WINDOWS\eq6iae6k.exe
    O4 - Startup: ATCA40QL.lnk = C:\WINDOWS\atca40ql.exe
    O4 - Startup: ZUWQUD60.lnk = C:\WINDOWS\zuwqud60.exe
    O4 - Startup: MORZE1.lnk = C:\WINDOWS\morze1.exe
    O4 - Startup: 09H9WLOK.lnk = C:\WINDOWS\09h9wlok.exe
    O4 - Global Startup: MORZE1.lnk = C:\WINDOWS\morze1.exe
    O4 - Global Startup: JW70ZUN8.lnk = C:\WINDOWS\jw70zun8.exe
    O4 - Global Startup: VM8KDNOF.lnk = C:\WINDOWS\vm8kdnof.exe
    O4 - Global Startup: DJ04XKVV.lnk = C:\WINDOWS\dj04xkvv.exe
    O4 - Global Startup: 09H9WLOK.lnk = C:\WINDOWS\09h9wlok.exe
    O4 - Global Startup: 75HP3GCL.lnk = C:\WINDOWS\75hp3gcl.exe
    O4 - Global Startup: BB20FUE1.lnk = C:\WINDOWS\bb20fue1.exe
    O4 - Global Startup: EQ6IAE6K.lnk = C:\WINDOWS\eq6iae6k.exe
    O4 - Global Startup: ATCA40QL.lnk = C:\WINDOWS\atca40ql.exe
    O4 - Global Startup: ZUWQUD60.lnk = C:\WINDOWS\zuwqud60.exe

    Download CWShredder and run. Be sure ALL other windows are closed use the Fix button and follow the instructions you will receive.

    Download this PROGRAM and run it following the instructions given.

    Then reboot in Safe Mode and delete the following:

    C:\PROGRA~1\INCRED~1\ <-- entire folder
    C:\WINDOWS\BrowserHelper.dll
    C:\WINDOWS\SYSTEM\l_I420X.exe
    C:\WINDOWS\SYSTEM\INTERNETFEATURES.exe
    C:\WINDOWS\SYSTEM\IEFEATURES.exe
    C:\WINDOWS\LVIMZDNU.exe
    C:\WINDOWS\ADG.exe
    C:\WINDOWS\ICGJMPT.exe
    C:\WINDOWS\09H9WLOK.EXE
    C:\WINDOWS\jw70zun8.exe
    C:\WINDOWS\vm8kdnof.exe
    C:\PROGRA~1\ADDEST~1\ <-- entire folder
    C:\PROGRA~1\VBOUNCER\ <-- entire folder
    C:\WINDOWS\dj04xkvv.exe
    C:\WINDOWS\75hp3gcl.exe
    C:\WINDOWS\bb20fue1.exe
    C:\WINDOWS\eq6iae6k.exe
    C:\WINDOWS\atca40ql.exe
    C:\WINDOWS\zuwqud60.exe
    C:\WINDOWS\morze1.exe

    Reboot and then post a fresh HijackThis log.

    Regards,
    Kent
     
  9. Harold Young

    Harold Young Registered Member

    Joined:
    Mar 23, 2004
    Posts:
    5
    I think I see a light at the end of the tunnel:

    Here's my current Hijack log:

    Logfile of HijackThis v1.97.7
    Scan saved at 8:15:53 AM, on 3/26/04
    Platform: Windows 98 Gold (Win9x 4.10.1998)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\PROGRAM FILES\NORTON UTILITIES\NPROTECT.EXE
    C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\AVSYNMGR.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\PROGRAM FILES\COMMON FILES\EPSON\EBAPI\SAGENT2.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\SYSTEM\RNAAPP.EXE
    C:\WINDOWS\SYSTEM\TAPISRV.EXE
    C:\PROGRAM FILES\NORTON CRASHGUARD\CGMENU.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS\SYSTEM\IDRIVE\FILO\IDRIVEPROXY.EXE
    C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\ALOGSERV.EXE
    C:\WINDOWS\LOADQM.EXE
    C:\PROGRAM FILES\EPSON\INK MONITOR\INKMONITOR.EXE
    C:\PROGRAM FILES\COMMON FILES\ADAPTEC SHARED\CREATECD\CREATECD50.EXE
    C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\AVCONSOL.EXE
    C:\PROGRAM FILES\ADAPTEC\EASY CD CREATOR 5\DIRECTCD\DIRECTCD.EXE
    C:\PROGRAM FILES\HEWLETT-PACKARD\HP SHARE-TO-WEB\HPGS2WND.EXE
    C:\WINDOWS\SYSTEM\STIMON.EXE
    C:\PROGRAM FILES\WINAMP\WINAMPA.EXE
    C:\WINDOWS\SYSTEM\QTTASK.EXE
    C:\PROGRAM FILES\HEWLETT-PACKARD\HP SHARE-TO-WEB\HPGS2WNF.EXE
    C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
    C:\PROGRAM FILES\BOOB CURB COPY\LICENSE EACH.EXE
    C:\PROGRAM FILES\NORTON CRASHGUARD\CG16EH.EXE
    C:\PROGRAM FILES\DIAMOND\INCONTROL TOOLS 98\DMHKEY.EXE
    C:\PROGRAM FILES\ZING\EXES\HSTITIAL.EXE
    C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\OSA.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\WINDOWS\BG35Q07X.EXE
    C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
    C:\DOWNLOADS\SPYBOT\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://allaboutsearching.com/searchbar.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://allaboutsearching.com/searchbar.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = allaboutsearching.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://allaboutsearching.com/searchbar.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://allaboutsearching.com/searchbar.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = res://C:\PROGRA~1\TOOLBAR\TOOLBAR.DLL/sa
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://allaboutsearching.com/searchbar.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50032
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = res://C:\PROGRA~1\TOOLBAR\TOOLBAR.DLL/sa
    R3 - URLSearchHook: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - C:\PROGRA~1\TOOLBAR\TOOLBAR.DLL
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WINDOWS\TWAINTEC.DLL
    O2 - BHO: (no name) - {63B78BC1-A711-4D46-AD2F-C581AC420D41} - C:\WINDOWS\SYSTEM\BTIEIN.DLL
    O2 - BHO: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - C:\PROGRA~1\TOOLBAR\TOOLBAR.DLL
    O2 - BHO: (no name) - {58341AD5-6E04-E2D4-6779-51D2A5DA1CE4} - C:\PROGRAM FILES\GPLLOGHOPE\MEAL WAVE.DLL
    O2 - BHO: (no name) - {B549456D-F5D0-4641-BCED-8648A0C13D83} - C:\WINDOWS\BrowserHelper.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\YCOMP5_0_2_4.DLL
    O3 - Toolbar: &Search Toolbar - {339BB23F-A864-48C0-A59F-29EA915965EC} - C:\PROGRA~1\TOOLBAR\TOOLBAR.DLL
    O3 - Toolbar: Loud Site - {9D0E6452-CEB5-9750-CFAC-781A989EF4EB} - C:\PROGRAM FILES\GPLLOGHOPE\MEAL WAVE.DLL
    O4 - HKLM\..\Run: [Norton CrashGuard Monitor] "C:\PROGRAM FILES\NORTON CRASHGUARD\CGMenu.EXE"
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [Mount Safe & Sound] C:\PROGRAM FILES\MCAFEE\MCAFEE SHARED COMPONENTS\SAFE & SOUND\FBMOUNT.EXE
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [NPROTECT] C:\Program Files\Norton Utilities\NPROTECT.EXE
    O4 - HKLM\..\Run: [idriveServer] C:\WINDOWS\SYSTEM\idrive\Filo\idriveproxy.exe
    O4 - HKLM\..\Run: [Alogserv] C:\Program Files\McAfee\McAfee VirusScan\alogserv.exe
    O4 - HKLM\..\Run: [LoadQM] loadqm.exe
    O4 - HKLM\..\Run: [Ink Monitor] C:\Program Files\EPSON\Ink Monitor\InkMonitor.exe
    O4 - HKLM\..\Run: [CreateCD50] "C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
    O4 - HKLM\..\Run: [zzzHPSETUP] E:\Setup.exe
    O4 - HKLM\..\Run: [WinampAgent] "C:\PROGRAM FILES\WINAMP\WINAMPa.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
    O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot
    O4 - HKLM\..\Run: [System Tray] C:\WINDOWS\MSCCN32.EXE
    O4 - HKLM\..\Run: [Dale joy] C:\PROGRA~1\boob curb copy\LICENSE EACH.exe
    O4 - HKLM\..\Run: [winactive] C:\PROGRAM FILES\WINDOW ACTIVE\WINACTIVE.EXE
    O4 - HKLM\..\Run: [BG35Q07X.EXE] C:\WINDOWS\BG35Q07X.EXE /dk
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [NPROTECT] C:\Program Files\Norton Utilities\NPROTECT.EXE
    O4 - HKLM\..\RunServices: [McAfeeVirusScanService] C:\Program Files\McAfee\McAfee VirusScan\AVSYNMGR.EXE
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [SAgent2ExePath] C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
    O4 - HKCU\..\Run: [BG35Q07X.EXE] C:\WINDOWS\BG35Q07X.EXE /dk
    O4 - Startup: MORZE1.lnk = C:\WINDOWS\morze1.exe
    O4 - Startup: QGCOEF0B.lnk = C:\WINDOWS\qgcoef0b.exe
    O4 - Startup: LW41054F.lnk = C:\WINDOWS\lw41054f.exe
    O4 - Startup: ZWKI00JU.lnk = C:\WINDOWS\zwki00ju.exe
    O4 - Startup: I54IL9B3.lnk = C:\WINDOWS\i54il9b3.exe
    O4 - Startup: OI0LYU4W.lnk = C:\WINDOWS\oi0lyu4w.exe
    O4 - Startup: T37LKQ5J.lnk = C:\WINDOWS\t37lkq5j.exe
    O4 - Startup: BG35Q07X.lnk = C:\WINDOWS\bg35q07x.exe
    O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
    O4 - Global Startup: InControl Desktop Manager.lnk = C:\Program Files\Diamond\InControl Tools 98\DMHKEY.EXE
    O4 - Global Startup: ZingViewer.lnk = C:\Program Files\ZING\Exes\HStitial.exe
    O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
    O4 - Global Startup: MORZE1.lnk = C:\WINDOWS\morze1.exe
    O4 - Global Startup: QGCOEF0B.lnk = C:\WINDOWS\qgcoef0b.exe
    O4 - Global Startup: LW41054F.lnk = C:\WINDOWS\lw41054f.exe
    O4 - Global Startup: ZWKI00JU.lnk = C:\WINDOWS\zwki00ju.exe
    O4 - Global Startup: I54IL9B3.lnk = C:\WINDOWS\i54il9b3.exe
    O4 - Global Startup: OI0LYU4W.lnk = C:\WINDOWS\oi0lyu4w.exe
    O4 - Global Startup: T37LKQ5J.lnk = C:\WINDOWS\t37lkq5j.exe
    O4 - Global Startup: BG35Q07X.lnk = C:\WINDOWS\bg35q07x.exe
    O8 - Extra context menu item: Bookmark to i-drive - C:\WINDOWS\SYSTEM\idrive\Filo\bookmark.htm
    O8 - Extra context menu item: Clip Page to i-drive - C:\WINDOWS\SYSTEM\idrive\Filo\scrapbook.htm
    O8 - Extra context menu item: Save Image to i-drive - C:\WINDOWS\SYSTEM\idrive\Filo\sideloadImage.htm
    O8 - Extra context menu item: Save Target to i-drive - C:\WINDOWS\SYSTEM\idrive\Filo\sideloadTarget.htm
    O8 - Extra context menu item: Logoff i-drive - C:\WINDOWS\SYSTEM\idrive\Filo\Logoff.htm
    O9 - Extra button: Clip to i-drive (HKLM)
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
    O9 - Extra button: AIM (HKLM)
    O9 - Extra button: Whistle (HKLM)
    O9 - Extra 'Tools' menuitem: Filo (tm) Properties... (HKCU)
    O9 - Extra 'Tools' menuitem: Uninstall Filo (tm) (HKCU)
    O10 - Unknown file in Winsock LSP: c:\windows\system\inetadpt.dll
    O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
    O16 - DPF: {EE8B6D5F-FEF2-11D0-B13F-00A024798EF3} (Microsoft Search Settings Control) - http://lg.msn.com/search/lobby/searchsettings.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {B2BE75F3-9197-11CF-ABF4-08000996E931} (Autodesk WHIP! Control) - ftp://ftp.autodesk.com/pub/whip/english/whip.cab
    O16 - DPF: {D1D6534D-197A-11D3-8039-00500471A15D} (FunctionProxy Class) - https://www.idrive.com/site/download/WinFilo.cab
    O16 - DPF: {0C568603-D79D-11D2-87A7-00C04FF158BB} (BrowseFolderPopup Class) - http://download.mcafee.com/molbin/Shared/MGBrwFld.cab
    O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/zone/Z4/heartbeat.cab
    O16 - DPF: {0D6451B3-FDDA-11D3-BFEC-00D0B725EB0B} (Yahoo! Vision) - http://download.yahoo.com/dl/fv/yv.cab
    O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/potc_x.cab
    O16 - DPF: {AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A} (WTHoster Class) - http://www.wildtangent.com/install/wdriver/3rdPartyContent/dnastudios/harrypotter/wtinst.cab
    O16 - DPF: {0335A685-ED24-4F7B-A08E-3BD15D84E668} - http://www.photoparade.com/autoinstall/phpsetup.cab
    O16 - DPF: {E389B374-BB5A-4A73-ACF4-3CE63E4C1DE9} (Brxpdf5 Control) - http://a19.g.akamai.net/7/19/7125/1239/ftp.coupons.com/brxpdf5.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/20011223/housecall.antivirus.com/housecall/xscan53.cab
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst.cab
    O16 - DPF: {2042B57E-6336-459E-B7CE-2A0F6C9E6AF8} (IEPlayInterface Class) - http://host.interactual.com/whv/hpotter/iaieplay.dll
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://207.188.7.150/06de32a816176905cb05/netzip/RdxIE2.cab
    O16 - DPF: Yahoo! Go - http://download.games.yahoo.com/games/clients/y/gt1_x.cab
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} (ExentInf Class) - http://us.games2.yimg.com/download.games.yahoo.com/games/play/client/exentctl_0_0_0_1.ocx
    O16 - DPF: Yahoo! Towers 2.0 - http://download.games.yahoo.com/games/clients/y/ywt0_x.cab
    O16 - DPF: {DDFFA75A-E81D-4454-89FC-B9FD0631E726} - http://www.zestyfind.com/app/FN/FN.cab
    O16 - DPF: {00000EF1-0786-4633-87C6-1AA7A44296DA} - http://fad-408.mtl4.targetnet.com/ad/id=teenchatJ&opt=
    htj&pt=13777098605455150863&pfin=1HQ40I1AXFPRJ&cv=210&uid=489157266&url=
    http://www.NetpalOffers.net/NetpalOffers/DMO1/mamc0m.cab


    Thanks again,

    Harold




    edited by dvk01 to prevent the sideways scrolling
     
  10. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    First Download LSPfix here: http://www.cexx.org/lspfix.htm and place it on the desktop where you can get to it easily, YOU WILL need it a bit later

    Let's try a slightly different approach, to prevent the strange named files coming back, you need to start in safe mode first and perform all steps whilst in safe mode so :

    Boot into safe mode by following instructions here: http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406
    then as some of the files or folders you need to delete may be hidden do this:
    Open Windows Explorer & Go to Tools > Folder Options. Click on the View tab and make sure that "Show all files and folders" is checked. Also uncheck "Hide protected operating system files" and untick "hide extensions for known file types" . Now click "Apply to all folders"
    Click "Apply" then "OK"

    Run hijackthis, tick these entries listed below and ONLY these entries, double check to make sure, then make sure all browser & email windows are closed and press fix checked

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://allaboutsearching.com/searchbar.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://allaboutsearching.com/searchbar.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = allaboutsearching.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://allaboutsearching.com/searchbar.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://allaboutsearching.com/searchbar.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = res://C:\PROGRA~1\TOOLBAR\TOOLBAR.DLL/sa
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://allaboutsearching.com/searchbar.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50032
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = res://C:\PROGRA~1\TOOLBAR\TOOLBAR.DLL/sa
    R3 - URLSearchHook: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - C:\PROGRA~1\TOOLBAR\TOOLBAR.DLL
    O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WINDOWS\TWAINTEC.DLL
    O2 - BHO: (no name) - {63B78BC1-A711-4D46-AD2F-C581AC420D41} - C:\WINDOWS\SYSTEM\BTIEIN.DLL
    O2 - BHO: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - C:\PROGRA~1\TOOLBAR\TOOLBAR.DLL
    O2 - BHO: (no name) - {58341AD5-6E04-E2D4-6779-51D2A5DA1CE4} - C:\PROGRAM FILES\GPLLOGHOPE\MEAL WAVE.DLL
    O2 - BHO: (no name) - {B549456D-F5D0-4641-BCED-8648A0C13D83} - C:\WINDOWS\BrowserHelper.dll
    O3 - Toolbar: &Search Toolbar - {339BB23F-A864-48C0-A59F-29EA915965EC} - C:\PROGRA~1\TOOLBAR\TOOLBAR.DLL
    O3 - Toolbar: Loud Site - {9D0E6452-CEB5-9750-CFAC-781A989EF4EB} - C:\PROGRAM FILES\GPLLOGHOPE\MEAL WAVE.DLL
    O4 - HKLM\..\Run: [zzzHPSETUP] E:\Setup.exe
    O4 - HKLM\..\Run: [System Tray] C:\WINDOWS\MSCCN32.EXE
    O4 - HKLM\..\Run: [Dale joy] C:\PROGRA~1\boob curb copy\LICENSE EACH.exe
    O4 - HKLM\..\Run: [winactive] C:\PROGRAM FILES\WINDOW ACTIVE\WINACTIVE.EXE
    O4 - HKLM\..\Run: [BG35Q07X.EXE] C:\WINDOWS\BG35Q07X.EXE /dk
    O4 - HKCU\..\Run: [BG35Q07X.EXE] C:\WINDOWS\BG35Q07X.EXE /dk
    O4 - Startup: MORZE1.lnk = C:\WINDOWS\morze1.exe
    O4 - Startup: QGCOEF0B.lnk = C:\WINDOWS\qgcoef0b.exe
    O4 - Startup: LW41054F.lnk = C:\WINDOWS\lw41054f.exe
    O4 - Startup: ZWKI00JU.lnk = C:\WINDOWS\zwki00ju.exe
    O4 - Startup: I54IL9B3.lnk = C:\WINDOWS\i54il9b3.exe
    O4 - Startup: OI0LYU4W.lnk = C:\WINDOWS\oi0lyu4w.exe
    O4 - Startup: T37LKQ5J.lnk = C:\WINDOWS\t37lkq5j.exe
    O4 - Startup: BG35Q07X.lnk = C:\WINDOWS\bg35q07x.exe

    O4 - Global Startup: MORZE1.lnk = C:\WINDOWS\morze1.exe
    O4 - Global Startup: QGCOEF0B.lnk = C:\WINDOWS\qgcoef0b.exe
    O4 - Global Startup: LW41054F.lnk = C:\WINDOWS\lw41054f.exe
    O4 - Global Startup: ZWKI00JU.lnk = C:\WINDOWS\zwki00ju.exe
    O4 - Global Startup: I54IL9B3.lnk = C:\WINDOWS\i54il9b3.exe
    O4 - Global Startup: OI0LYU4W.lnk = C:\WINDOWS\oi0lyu4w.exe
    O4 - Global Startup: T37LKQ5J.lnk = C:\WINDOWS\t37lkq5j.exe
    O4 - Global Startup: BG35Q07X.lnk = C:\WINDOWS\bg35q07x.exe
    O9 - Extra button: Whistle (HKLM)
    O10 - Unknown file in Winsock LSP: c:\windows\system\inetadpt.dll
    O16 - DPF: {E389B374-BB5A-4A73-ACF4-3CE63E4C1DE9} (Brxpdf5 Control) - http://a19.g.akamai.net/7/19/7125/1239/ftp.coupons.com/brxpdf5.cab
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://207.188.7.150/06de32a816176905cb05/netzip/RdxIE2.cab
    O16 - DPF: {DDFFA75A-E81D-4454-89FC-B9FD0631E726} - http://www.zestyfind.com/app/FN/FN.cab
    O16 - DPF: {00000EF1-0786-4633-87C6-1AA7A44296DA} - http://fad-408.mtl4.targetnet.com/ad/id=teenchatJ&opt= tj&pt=13777098605455150863&pfin= 1HQ40I1AXFPRJ&cv=210&uid=489157266&url=
    http://www.NetpalOffers.net/NetpalOffers/DMO1/mamc0m.cab


    Delete these files
    c:\windows\system\inetadpt.dll
    C:\WINDOWS\morze1.exe
    C:\WINDOWS\qgcoef0b.exe
    C:\WINDOWS\lw41054f.exe
    C:\WINDOWS\zwki00ju.exe
    C:\WINDOWS\i54il9b3.exe
    C:\WINDOWS\oi0lyu4w.exe
    C:\WINDOWS\t37lkq5j.exe
    C:\WINDOWS\bg35q07x.exe
    C:\WINDOWS\MSCCN32.EXE
    C:\WINDOWS\BG35Q07X.EXE /dk
    C:\WINDOWS\BG35Q07X.EXE /dk
    C:\WINDOWS\morze1.exe
    C:\WINDOWS\qgcoef0b.exe
    C:\WINDOWS\lw41054f.exe
    C:\WINDOWS\zwki00ju.exe
    C:\WINDOWS\i54il9b3.exe
    C:\WINDOWS\oi0lyu4w.exe
    C:\WINDOWS\t37lkq5j.exe
    C:\WINDOWS\bg35q07x.exe

    and Delete these folders

    C:\PROGRA~1\boob curb copy\
    C:\PROGRAM FILES\WINDOW ACTIVE\
    C:\PROGRAM FILES\GPLLOGHOPE
    C:\PROGRAM FILES\TOOLBAR

    then
    Reboot normally &

    run LSP FIX, you will see a list of files in the left hand pane and possibly some in the right hand pane. tick the "I know what i'm doing" box & select any instances of inetadpt.dll that are in the left hand pane and only those files DO NOT SELECT ANY OTHERS, then move it/them to the right hand remove pane by using the little right pointed arrow then press finish and the program will do anything necessary

    Reboot again &

    Download and unzip or install these programs/applications if you haven't already got them. If you have them, then make sure they are updated and configured as described

    Spybot - Search & Destroy from http://security.kolla.de
    AdAware 6 from http://www.lavasoft.de/support/download


    Run Spybot S&D

    After installing, first press Online, press search for updates, then tick the updates it finds, then press download updates. Beside the download button is a little down pointed arrow, select one of the servers listed. If it doesn't work or you get an error message then try a different server

    Next, close all Internet Explorer and OE windows, press 'Check for Problems', and have SpyBot remove all it finds that is marked in RED.

    then reboot &

    Run ADAWARE

    Before you scan with AdAware, check for updates of the reference file by using the "webupdate".
    the current ref file should read at least 01R275 25.03.2004 or a higher number/later date

    Then ........

    Make sure the following settings are made and on -------"ON=GREEN"
    From main window :Click "Start" then " Activate in-depth scan"

    then......

    click "Use custom scanning options>Customize" and have these options on: "Scan within archives" ,"Scan active processes","Scan registry", "Deep scan registry" ,"Scan my IE Favorites for banned URL" and "Scan my host-files"

    then.........

    go to settings(the gear on top of AdAware)>Tweak>Scanning engine and tick "Unload recognized processes during scanning" ...........then........"Cleaning engine" and "Let windows remove files in use at next reboot"

    then...... click "proceed" to save your settings.

    Now to scan it's just to click the "Scan" button.

    When scan is finished, mark everything for removal and get rid of it. (Right-click the window and choose"select all" from the drop down menu) then press next and then say yes to the prompt, do you want to remove all these entries.

    reboot again

    then post a new hijackthis log to check what is left
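The helpers in this thread picked out the O4 entries to fix by eye: executables with random eight-character names sitting directly in C:\WINDOWS, the same target planted in both the per-user and the all-users Startup folder, and an unknown Winsock LSP. As an added example (my own triage script, not part of this thread, HijackThis, or any of the tools named above), the following Python code applies those three observations to a constructed sample of log lines taken from Harold's second log and dvk01's fix list. The "random name" rule (eight alphanumerics mixing letters and digits, located in the Windows root) is a heuristic I chose for this illustration; it is not how HijackThis classifies entries, and it deliberately says nothing about entries it cannot judge.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Constructed sample: lines in HijackThis v1.97 format copied from the logs in
# this thread, plus a few benign entries for contrast.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [BG35Q07X.EXE] C:\WINDOWS\BG35Q07X.EXE /dk
O4 - HKCU\..\Run: [BG35Q07X.EXE] C:\WINDOWS\BG35Q07X.EXE /dk
O4 - Startup: MORZE1.lnk = C:\WINDOWS\morze1.exe
O4 - Startup: QGCOEF0B.lnk = C:\WINDOWS\qgcoef0b.exe
O4 - Startup: BG35Q07X.lnk = C:\WINDOWS\bg35q07x.exe
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: MORZE1.lnk = C:\WINDOWS\morze1.exe
O4 - Global Startup: QGCOEF0B.lnk = C:\WINDOWS\qgcoef0b.exe
O4 - Global Startup: BG35Q07X.lnk = C:\WINDOWS\bg35q07x.exe
O10 - Unknown file in Winsock LSP: c:\windows\system\inetadpt.dll
"""

# O4 registry Run / RunServices entries: "O4 - HKLM\..\Run: [name] command"
RUN_RE = re.compile(r'^O4 - (HKLM|HKCU)\\\.\.\\(Run|RunServices): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
# O4 Startup-folder shortcuts: "O4 - Startup: X.lnk = target"
STARTUP_RE = re.compile(r'^O4 - (?P<scope>Global Startup|Startup): (?P<name>.+?\.lnk) = (?P<cmd>.*)$')
# O10 unknown Winsock layered service provider
LSP_RE = re.compile(r'^O10 - Unknown file in Winsock LSP: (?P<path>.*)$')
# First .exe token of a command line, with optional surrounding quotes
EXE_RE = re.compile(r'^"?(?P<path>[^"]*?\.exe)"?', re.IGNORECASE)
# Heuristic (mine, not HijackThis's): 8 alphanumerics that mix letters and digits
RANDOM_NAME_RE = re.compile(r'^[A-Z0-9]{8}$', re.IGNORECASE)


@dataclass
class Finding:
    line: str
    reason: str


def exe_path(cmd: str) -> Optional[str]:
    """Return the executable path from an O4 command line, or None."""
    m = EXE_RE.match(cmd.strip())
    return m.group('path') if m else None


def looks_random(path: str) -> bool:
    """True if the file stem is 8 alphanumerics containing both letters and digits."""
    stem = path.replace('/', '\\').rsplit('\\', 1)[-1].rsplit('.', 1)[0]
    return (bool(RANDOM_NAME_RE.match(stem))
            and any(c.isdigit() for c in stem)
            and any(c.isalpha() for c in stem))


def in_windows_root(path: str) -> bool:
    """True for files directly under C:\\WINDOWS (not in a subfolder)."""
    parts = path.replace('/', '\\').split('\\')
    return len(parts) == 3 and parts[0].upper() == 'C:' and parts[1].upper() == 'WINDOWS'


def analyse(log: str) -> List[Finding]:
    """Flag O4/O10 lines by the three rules used in the thread; everything else is left alone."""
    findings: List[Finding] = []
    startup_targets: Dict[str, Set[str]] = {}   # lower-cased target -> scopes it appears in
    for raw in log.splitlines():
        line = raw.strip()
        m = RUN_RE.match(line)
        if m:
            path = exe_path(m.group('cmd'))
            if path and looks_random(path) and in_windows_root(path):
                findings.append(Finding(line, 'random-looking executable name in C:\\WINDOWS'))
            continue
        m = STARTUP_RE.match(line)
        if m:
            path = exe_path(m.group('cmd'))
            if path:
                startup_targets.setdefault(path.lower(), set()).add(m.group('scope'))
                if looks_random(path) and in_windows_root(path):
                    findings.append(Finding(line, 'random-looking executable name in C:\\WINDOWS'))
            continue
        m = LSP_RE.match(line)
        if m:
            findings.append(Finding(line, 'unknown Winsock LSP: deleting the DLL alone breaks networking, '
                                          'repair the LSP chain with a dedicated tool first'))
    # Rule 3: the same target dropped in both the per-user and the all-users Startup folder.
    for target, scopes in startup_targets.items():
        if scopes == {'Startup', 'Global Startup'}:
            findings.append(Finding(target, 'same target in both Startup and Global Startup'))
    return findings


if __name__ == '__main__':
    for f in analyse(SAMPLE_LOG):
        print(f'{f.reason:55} {f.line}')
```

The third rule is what catches `morze1.exe`, which the name heuristic alone would miss (six characters); the two rules complement each other, and any entry they flag still needs a human to confirm before it is fixed, exactly as the helpers did above.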
     
  11. Harold Young

    Harold Young Registered Member

    Joined:
    Mar 23, 2004
    Posts:
    5
    Thanks again, here's the log:

    Logfile of HijackThis v1.97.7
    Scan saved at 3:12:19 PM, on 3/26/04
    Platform: Windows 98 Gold (Win9x 4.10.1998)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\PROGRAM FILES\NORTON UTILITIES\NPROTECT.EXE
    C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\AVSYNMGR.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\PROGRAM FILES\COMMON FILES\EPSON\EBAPI\SAGENT2.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\SYSTEM\RNAAPP.EXE
    C:\WINDOWS\SYSTEM\TAPISRV.EXE
    C:\PROGRAM FILES\NORTON CRASHGUARD\CGMENU.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS\SYSTEM\IDRIVE\FILO\IDRIVEPROXY.EXE
    C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\ALOGSERV.EXE
    C:\WINDOWS\LOADQM.EXE
    C:\PROGRAM FILES\EPSON\INK MONITOR\INKMONITOR.EXE
    C:\PROGRAM FILES\COMMON FILES\ADAPTEC SHARED\CREATECD\CREATECD50.EXE
    C:\PROGRAM FILES\ADAPTEC\EASY CD CREATOR 5\DIRECTCD\DIRECTCD.EXE
    C:\PROGRAM FILES\HEWLETT-PACKARD\HP SHARE-TO-WEB\HPGS2WND.EXE
    C:\WINDOWS\SYSTEM\STIMON.EXE
    C:\PROGRAM FILES\WINAMP\WINAMPA.EXE
    C:\WINDOWS\SYSTEM\QTTASK.EXE
    C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
    C:\PROGRAM FILES\NORTON CRASHGUARD\CG16EH.EXE
    C:\PROGRAM FILES\HEWLETT-PACKARD\HP SHARE-TO-WEB\HPGS2WNF.EXE
    C:\WINDOWS\DP-B23011805.EXE
    C:\WINDOWS\SYSTEM32\PCS\PCSVC.EXE
    C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\VSSTAT.EXE
    C:\PROGRAM FILES\DIAMOND\INCONTROL TOOLS 98\DMHKEY.EXE
    C:\PROGRAM FILES\ZING\EXES\HSTITIAL.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\AVCONSOL.EXE
    C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\OSA.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\WINDOWS\7P7W4P8R.EXE
    C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
    C:\DOWNLOADS\SPYBOT\HIJACKTHIS.EXE

    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: (no name) - {B549456D-F5D0-4641-BCED-8648A0C13D83} - C:\WINDOWS\BrowserHelper.dll
    O2 - BHO: (no name) - {B9FB31A0-7F2E-11D8-B66B-444553540000} - C:\WINDOWS\SYSTEM\WNASPTI32.DLL
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\YCOMP5_0_2_4.DLL
    O4 - HKLM\..\Run: [Norton CrashGuard Monitor] "C:\PROGRAM FILES\NORTON CRASHGUARD\CGMenu.EXE"
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [Mount Safe & Sound] C:\PROGRAM FILES\MCAFEE\MCAFEE SHARED COMPONENTS\SAFE & SOUND\FBMOUNT.EXE
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [NPROTECT] C:\Program Files\Norton Utilities\NPROTECT.EXE
    O4 - HKLM\..\Run: [idriveServer] C:\WINDOWS\SYSTEM\idrive\Filo\idriveproxy.exe
    O4 - HKLM\..\Run: [Alogserv] C:\Program Files\McAfee\McAfee VirusScan\alogserv.exe
    O4 - HKLM\..\Run: [LoadQM] loadqm.exe
    O4 - HKLM\..\Run: [Ink Monitor] C:\Program Files\EPSON\Ink Monitor\InkMonitor.exe
    O4 - HKLM\..\Run: [CreateCD50] "C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
    O4 - HKLM\..\Run: [WinampAgent] "C:\PROGRAM FILES\WINAMP\WINAMPa.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
    O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot
    O4 - HKLM\..\Run: [PGStub.exe] C:\WINDOWS\DP-B23011805.EXE
    O4 - HKLM\..\Run: [Pcsv] C:\WINDOWS\system32\pcs\pcsvc.exe
    O4 - HKLM\..\Run: [7P7W4P8R.EXE] C:\WINDOWS\7P7W4P8R.EXE /dk
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [NPROTECT] C:\Program Files\Norton Utilities\NPROTECT.EXE
    O4 - HKLM\..\RunServices: [McAfeeVirusScanService] C:\Program Files\McAfee\McAfee VirusScan\AVSYNMGR.EXE
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [SAgent2ExePath] C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
    O4 - HKCU\..\Run: [7P7W4P8R.EXE] C:\WINDOWS\7P7W4P8R.EXE /dk
    O4 - Startup: WMTNYKP0.lnk = C:\WINDOWS\wmtnykp0.exe
    O4 - Startup: 42GXTXR3.lnk = C:\WINDOWS\42gxtxr3.exe
    O4 - Startup: C67WXRQQ.lnk = C:\WINDOWS\c67wxrqq.exe
    O4 - Startup: X3KJ9B5W.lnk = C:\WINDOWS\x3kj9b5w.exe
    O4 - Startup: E5NII3RT.lnk = C:\WINDOWS\e5nii3rt.exe
    O4 - Startup: 8IWDMRPT.lnk = C:\WINDOWS\8iwdmrpt.exe
    O4 - Startup: NKD0GZ74.lnk = C:\WINDOWS\nkd0gz74.exe
    O4 - Startup: ZDEKG8D8.lnk = C:\WINDOWS\zdekg8d8.exe
    O4 - Startup: 4FRGQA2U.lnk = C:\WINDOWS\4frgqa2u.exe
    O4 - Startup: GCB2GTV1.lnk = C:\WINDOWS\gcb2gtv1.exe
    O4 - Startup: AI8ELAZQ.lnk = C:\WINDOWS\ai8elazq.exe
    O4 - Startup: XZOP4X3I.lnk = C:\WINDOWS\xzop4x3i.exe
    O4 - Startup: J4DZFGL2.lnk = C:\WINDOWS\j4dzfgl2.exe
    O4 - Startup: D6YEAHG5.lnk = C:\WINDOWS\d6yeahg5.exe
    O4 - Startup: 7P7W4P8R.lnk = C:\WINDOWS\7p7w4p8r.exe
    O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
    O4 - Global Startup: InControl Desktop Manager.lnk = C:\Program Files\Diamond\InControl Tools 98\DMHKEY.EXE
    O4 - Global Startup: ZingViewer.lnk = C:\Program Files\ZING\Exes\HStitial.exe
    O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
    O4 - Global Startup: WMTNYKP0.lnk = C:\WINDOWS\wmtnykp0.exe
    O4 - Global Startup: 42GXTXR3.lnk = C:\WINDOWS\42gxtxr3.exe
    O4 - Global Startup: C67WXRQQ.lnk = C:\WINDOWS\c67wxrqq.exe
    O4 - Global Startup: X3KJ9B5W.lnk = C:\WINDOWS\x3kj9b5w.exe
    O4 - Global Startup: E5NII3RT.lnk = C:\WINDOWS\e5nii3rt.exe
    O4 - Global Startup: 8IWDMRPT.lnk = C:\WINDOWS\8iwdmrpt.exe
    O4 - Global Startup: NKD0GZ74.lnk = C:\WINDOWS\nkd0gz74.exe
    O4 - Global Startup: ZDEKG8D8.lnk = C:\WINDOWS\zdekg8d8.exe
    O4 - Global Startup: 4FRGQA2U.lnk = C:\WINDOWS\4frgqa2u.exe
    O4 - Global Startup: GCB2GTV1.lnk = C:\WINDOWS\gcb2gtv1.exe
    O4 - Global Startup: AI8ELAZQ.lnk = C:\WINDOWS\ai8elazq.exe
    O4 - Global Startup: XZOP4X3I.lnk = C:\WINDOWS\xzop4x3i.exe
    O4 - Global Startup: J4DZFGL2.lnk = C:\WINDOWS\j4dzfgl2.exe
    O4 - Global Startup: D6YEAHG5.lnk = C:\WINDOWS\d6yeahg5.exe
    O4 - Global Startup: 7P7W4P8R.lnk = C:\WINDOWS\7p7w4p8r.exe
    O8 - Extra context menu item: Bookmark to i-drive - C:\WINDOWS\SYSTEM\idrive\Filo\bookmark.htm
    O8 - Extra context menu item: Clip Page to i-drive - C:\WINDOWS\SYSTEM\idrive\Filo\scrapbook.htm
    O8 - Extra context menu item: Save Image to i-drive - C:\WINDOWS\SYSTEM\idrive\Filo\sideloadImage.htm
    O8 - Extra context menu item: Save Target to i-drive - C:\WINDOWS\SYSTEM\idrive\Filo\sideloadTarget.htm
    O8 - Extra context menu item: Logoff i-drive - C:\WINDOWS\SYSTEM\idrive\Filo\Logoff.htm
    O9 - Extra button: Clip to i-drive (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
    O9 - Extra button: AIM (HKLM)
    O9 - Extra 'Tools' menuitem: Filo (tm) Properties... (HKCU)
    O9 - Extra 'Tools' menuitem: Uninstall Filo (tm) (HKCU)
    O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
    O16 - DPF: {EE8B6D5F-FEF2-11D0-B13F-00A024798EF3} (Microsoft Search Settings Control) - http://lg.msn.com/search/lobby/searchsettings.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {B2BE75F3-9197-11CF-ABF4-08000996E931} (Autodesk WHIP! Control) - ftp://ftp.autodesk.com/pub/whip/english/whip.cab
    O16 - DPF: {D1D6534D-197A-11D3-8039-00500471A15D} (FunctionProxy Class) - https://www.idrive.com/site/download/WinFilo.cab
    O16 - DPF: {0C568603-D79D-11D2-87A7-00C04FF158BB} (BrowseFolderPopup Class) - http://download.mcafee.com/molbin/Shared/MGBrwFld.cab
    O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/zone/Z4/heartbeat.cab
    O16 - DPF: {0D6451B3-FDDA-11D3-BFEC-00D0B725EB0B} (Yahoo! Vision) - http://download.yahoo.com/dl/fv/yv.cab
    O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/potc_x.cab
    O16 - DPF: {AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A} (WTHoster Class) - http://www.wildtangent.com/install/wdriver/3rdPartyContent/dnastudios/harrypotter/wtinst.cab
    O16 - DPF: {0335A685-ED24-4F7B-A08E-3BD15D84E668} - http://www.photoparade.com/autoinstall/phpsetup.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/20011223/housecall.antivirus.com/housecall/xscan53.cab
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst.cab
    O16 - DPF: {2042B57E-6336-459E-B7CE-2A0F6C9E6AF8} (IEPlayInterface Class) - http://host.interactual.com/whv/hpotter/iaieplay.dll
    O16 - DPF: Yahoo! Go - http://download.games.yahoo.com/games/clients/y/gt1_x.cab
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} (ExentInf Class) - http://us.games2.yimg.com/download.games.yahoo.com/games/play/client/exentctl_0_0_0_1.ocx
    O16 - DPF: Yahoo! Towers 2.0 - http://download.games.yahoo.com/games/clients/y/ywt0_x.cab
     
  12. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    This is getting weird. I've never seen this before; normally a safe mode fix and delete works, but you are getting other baddies downloaded as well.

    Give us a while to think about this, please.
     
  13. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    Hi Harold Young,

    Download and install Regprot from http://www.diamondcs.com.au/index.php?page=regprot

    Install it and do not allow any startups looking like i54il9b3.exe (garbled letters and numbers)
    Then check the items listed below in HijackThis, close all windows except HijackThis and click Fix checked:
    (And do not allow any new startups that may ask permission after you click Fix checked)

    O2 - BHO: (no name) - {B549456D-F5D0-4641-BCED-8648A0C13D83} - C:\WINDOWS\BrowserHelper.dll
    O2 - BHO: (no name) - {B9FB31A0-7F2E-11D8-B66B-444553540000} - C:\WINDOWS\SYSTEM\WNASPTI32.DLL

    O4 - HKLM\..\Run: [PGStub.exe] C:\WINDOWS\DP-B23011805.EXE
    O4 - HKLM\..\Run: [Pcsv] C:\WINDOWS\system32\pcs\pcsvc.exe
    O4 - HKLM\..\Run: [7P7W4P8R.EXE] C:\WINDOWS\7P7W4P8R.EXE /dk

    O4 - HKCU\..\Run: [7P7W4P8R.EXE] C:\WINDOWS\7P7W4P8R.EXE /dk
    O4 - Startup: WMTNYKP0.lnk = C:\WINDOWS\wmtnykp0.exe
    O4 - Startup: 42GXTXR3.lnk = C:\WINDOWS\42gxtxr3.exe
    O4 - Startup: C67WXRQQ.lnk = C:\WINDOWS\c67wxrqq.exe
    O4 - Startup: X3KJ9B5W.lnk = C:\WINDOWS\x3kj9b5w.exe
    O4 - Startup: E5NII3RT.lnk = C:\WINDOWS\e5nii3rt.exe
    O4 - Startup: 8IWDMRPT.lnk = C:\WINDOWS\8iwdmrpt.exe
    O4 - Startup: NKD0GZ74.lnk = C:\WINDOWS\nkd0gz74.exe
    O4 - Startup: ZDEKG8D8.lnk = C:\WINDOWS\zdekg8d8.exe
    O4 - Startup: 4FRGQA2U.lnk = C:\WINDOWS\4frgqa2u.exe
    O4 - Startup: GCB2GTV1.lnk = C:\WINDOWS\gcb2gtv1.exe
    O4 - Startup: AI8ELAZQ.lnk = C:\WINDOWS\ai8elazq.exe
    O4 - Startup: XZOP4X3I.lnk = C:\WINDOWS\xzop4x3i.exe
    O4 - Startup: J4DZFGL2.lnk = C:\WINDOWS\j4dzfgl2.exe
    O4 - Startup: D6YEAHG5.lnk = C:\WINDOWS\d6yeahg5.exe
    O4 - Startup: 7P7W4P8R.lnk = C:\WINDOWS\7p7w4p8r.exe


    Then reboot into safe mode and delete:
    All the funny looking links that are left in C:\Documents and Settings\All Users\Start Menu\Programs\Startup
    C:\WINDOWS\system32\pcs <= entire folder

    Regards,

    Pieter
     
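Pieter's rule of thumb above (startups with names like i54il9b3.exe, garbled letters and numbers) can be mechanised for triage. The script below is an added example, not code from this thread or from HijackThis: it parses the O4 lines of a HijackThis 1.97-style log, pulls out the executable each one launches, flags 8-character mixed letter/digit names sitting directly in the Windows directory, and counts how many autostart locations each executable is registered in (the same file in HKLM, HKCU and the Startup folder is the redundancy Harold describes). The sample log is constructed from lines in Harold's post; the 8-character/Windows-directory heuristic is my assumption tuned to this thread and will give false positives elsewhere.

```python
import re
from collections import defaultdict

# Two O4 line shapes from HijackThis 1.97 logs: registry Run keys and Startup-folder .lnk files.
RUN_RE = re.compile(r'^O4 - (?P<loc>HK(?:LM|CU)\\\.\.\\Run(?:Services)?): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$')
STARTUP_RE = re.compile(r'^O4 - (?P<loc>(?:Global )?Startup): (?P<lnk>.+?\.lnk) = (?P<cmd>.+)$')
# Assumed heuristic: exactly 8 [a-z0-9] characters containing at least one digit and one letter.
RANDOM_STEM = re.compile(r'^(?=.*\d)(?=.*[a-z])[a-z0-9]{8}$')

# Constructed sample built from O4 lines in Harold's log above.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [Norton CrashGuard Monitor] "C:\PROGRAM FILES\NORTON CRASHGUARD\CGMenu.EXE"
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [7P7W4P8R.EXE] C:\WINDOWS\7P7W4P8R.EXE /dk
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKCU\..\Run: [7P7W4P8R.EXE] C:\WINDOWS\7P7W4P8R.EXE /dk
O4 - Startup: WMTNYKP0.lnk = C:\WINDOWS\wmtnykp0.exe
O4 - Startup: 7P7W4P8R.lnk = C:\WINDOWS\7p7w4p8r.exe
O4 - Global Startup: WMTNYKP0.lnk = C:\WINDOWS\wmtnykp0.exe
"""

def exe_path(cmd):
    """Executable path from a Run/Startup command: drop surrounding quotes and trailing arguments."""
    cmd = cmd.strip().strip('"')
    m = re.match(r'(.+?\.exe)(?:\b|$)', cmd, re.IGNORECASE)
    return m.group(1) if m else cmd.split()[0]

def looks_random(path):
    """True for an 8-char mixed letter/digit stem sitting directly in the Windows directory (assumed heuristic)."""
    directory, _, filename = path.lower().rpartition('\\')
    stem = filename.rsplit('.', 1)[0]
    return directory == r'c:\windows' and RANDOM_STEM.match(stem) is not None

def triage(log_text):
    """Return (flagged_paths, locations); locations maps each lowercase exe path to the
    set of autostart locations (Run key or Startup folder) it was registered in."""
    locations = defaultdict(set)
    for line in log_text.splitlines():
        m = RUN_RE.match(line.strip()) or STARTUP_RE.match(line.strip())
        if m:
            locations[exe_path(m.group('cmd')).lower()].add(m.group('loc'))
    flagged = sorted(p for p in locations if looks_random(p))
    return flagged, dict(locations)

if __name__ == '__main__':
    flagged, locations = triage(SAMPLE_LOG)
    for p in flagged:
        print(f'{p}  registered in {len(locations[p])} location(s): {sorted(locations[p])}')
```

Entries it flags are candidates to check in HijackThis, not a verdict; a legitimate 8-character name with a digit in it would be flagged too.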