little problem

Hi,

I ran Spybot S&D because I kept getting [GLOW]clientman[/GLOW].
I fixed this from Spybot S&D.
Then when I go to shutdown or restart there it is again.
Anytime I shutdown I 've got to kill [GLOW]WAPISVSU.exe [/GLOW] in the application windows (ctrl+alt+sup) to close my pc.
And the last one is the window's blue screen indicating the
[GLOW]VMM (06) + 00001705 ERREUR : OE : 0028 : C0224705[/GLOW] error anytime i'm launching an application or openning an internet window.
So it makes 3 troubleshooting.
Any suggestions on how I can repair my pc.
You will find hereafter HijackThis Logfile
thank you for your time and help

Logfile of HijackThis v1.97.7
Scan saved at 19:56:40, on 12/06/2004
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\TREND MICRO\PC-CILLIN 9\PCCIOMON.EXE
C:\PROGRAM FILES\TREND MICRO\PC-CILLIN 9\PCCPFW.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\WINAMP\WINAMPA.EXE
C:\PROGRAM FILES\REAL\REALPLAYER\REALPLAY.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\TREND MICRO\PC-CILLIN 9\PCCGUIDE.EXE
C:\PROGRAM FILES\TREND MICRO\PC-CILLIN 9\PCCCLIENT.EXE
C:\PROGRAM FILES\TREND MICRO\PC-CILLIN 9\POP3TRAP.EXE
C:\WINDOWS\STARTER.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\VVSN\VVSN.EXE
C:\PROGRAM FILES\SPYBOT - SEARCH & DESTROY\SPYBOTSD.EXE
C:\WINDOWS\CY_BG.EXE
C:\WINDOWS\DHBRWSR.EXE
C:\WINDOWS\APPLICATION DATA\EAEH.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE10\WINWORD.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\RUNDLL32.EXE
D:\DOWNLOAD\DOWNLOAD\NICO\INTERNET EXPLORER\SPYWARE\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.fr/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://mycpworld.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: (no name) - {D848A3CA-0BFB-4DE0-BA9E-A57F0CCA1C13} - C:\WINDOWS\DEALHLPR.DLL
O2 - BHO: (no name) - {FCADDC14-BD46-408A-9842-CDBE1C6D37EB} - C:\WINDOWS\SYSTEM\MSNKMI.DLL
O2 - BHO: (no name) - {25F7FA20-3FC3-11D7-B487-00D05990014C} - C:\WINDOWS\SYSTEM\MSEGGO.GIF
O2 - BHO: (no name) - {0BA1C6EB-D062-4E37-9DB5-B07743276324} - C:\WINDOWS\SYSTEM\MSGLJI.GIF
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O3 - Toolbar: Band Class - {D848A3CA-0BFB-4DE0-BA9E-A57F0CCA1C13} - C:\WINDOWS\DEALHLPR.DLL
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.ExE
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [WinampAgent] "C:\PROGRAM FILES\WINAMP\WINAMPa.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\PC-cillin 9\pccguide.exe"
O4 - HKLM\..\Run: [PCCIOMON.exe] "C:\Program Files\Trend Micro\PC-cillin 9\PCCIOMON.exe"
O4 - HKLM\..\Run: [PCCClient.exe] "C:\Program Files\Trend Micro\PC-cillin 9\PCCClient.exe"
O4 - HKLM\..\Run: [Pop3trap.exe] "C:\Program Files\Trend Micro\PC-cillin 9\Pop3trap.exe"
O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [sxklcd] C:\WINDOWS\sxklcd.exe
O4 - HKLM\..\Run: [bytyh] C:\WINDOWS\bytyh.exe
O4 - HKLM\..\Run: [mferefol] C:\WINDOWS\mferefol.exe
O4 - HKLM\..\Run: [jej] C:\WINDOWS\jej.exe
O4 - HKLM\..\Run: [styhqrer] C:\WINDOWS\styhqrer.exe
O4 - HKLM\..\Run: [cbuxwtap] C:\WINDOWS\cbuxwtap.exe
O4 - HKLM\..\Run: [pghglgr] C:\WINDOWS\pghglgr.exe
O4 - HKLM\..\Run: [gjyz] C:\WINDOWS\gjyz.exe
O4 - HKLM\..\Run: [mxap] C:\WINDOWS\mxap.exe
O4 - HKLM\..\Run: [gbabmv] C:\WINDOWS\gbabmv.exe
O4 - HKLM\..\Run: [srarmzgd] C:\WINDOWS\srarmzgd.exe
O4 - HKLM\..\Run: [cdwpozin] C:\WINDOWS\cdwpozin.exe
O4 - HKLM\..\Run: [izehsp] C:\WINDOWS\izehsp.exe
O4 - HKLM\..\Run: [wbihsl] C:\WINDOWS\wbihsl.exe
O4 - HKLM\..\Run: [tih] C:\WINDOWS\tih.exe
O4 - HKLM\..\Run: [ixkpuz] C:\WINDOWS\ixkpuz.exe
O4 - HKLM\..\Run: [etgj] C:\WINDOWS\etgj.exe
O4 - HKLM\..\Run: [lyd] C:\WINDOWS\lyd.exe
O4 - HKLM\..\Run: [yngx] C:\WINDOWS\yngx.exe
O4 - HKLM\..\Run: [ngb] C:\WINDOWS\ngb.exe
O4 - HKLM\..\Run: [lkj] C:\WINDOWS\lkj.exe
O4 - HKLM\..\Run: [ludmt] C:\WINDOWS\ludmt.exe
O4 - HKLM\..\Run: [bqlqxav] C:\WINDOWS\bqlqxav.exe
O4 - HKLM\..\Run: [ytgn] C:\WINDOWS\ytgn.exe
O4 - HKLM\..\Run: [SpyBlocker] D:\DOWNLOAD\DOWNLOAD\NICO\INTERNET EXPLORER\spyblocker.exe
O4 - HKLM\..\Run: [WhenUSearch] "C:\Program Files\WhenUSearch\Search.exe"
O4 - HKLM\..\Run: [VVSN] C:\PROGRAM FILES\VVSN\VVSN.EXE
O4 - HKLM\..\Run: [CY_BG] C:\WINDOWS\CY_BG.EXE
O4 - HKLM\..\Run: [DealHelperUpdate] C:\WINDOWS\DHUpdt.exe
O4 - HKLM\..\Run: [DealHelperBrwsr] C:\WINDOWS\dhbrwsr.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\RunServices: [PCCIOMON.exe] "C:\Program Files\Trend Micro\PC-cillin 9\PCCIOMON.exe"
O4 - HKLM\..\RunServices: [PCCPFW] C:\Program Files\Trend Micro\PC-cillin 9\PCCPFW.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Swcr] C:\WINDOWS\Application Data\eaeh.exe
O4 - HKCU\..\Run: [msmc] C:\WINDOWS\SYSTEM\msgked.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xporter vers Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE10\EXCEL.EXE/3000
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR4.DLL/cmsearch.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR4.DLL/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR4.DLL/cmsimilar.html
O8 - Extra context menu item: Backward &Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR4.DLL/cmbacklinks.html
O9 - Extra button: Real.com (HKLM)
O12 - Plugin for .mov: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...apple.com/qt503/fr/win/QuickTimeInstaller.exe
O16 - DPF: {E87A6788-1D0F-4444-8898-1D25829B6755} (MSN Chat Control 4.0) - http://fdl.msn.com/public/chat/msnchat4.cab
O16 - DPF: Interface Chat Voila - http://chat9.x-echo.com/Applet/vchatsign.cab
O16 - DPF: Yahoo! Chess - http://download.games.yahoo.com/games/clients/y/ct0_x.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2002112801/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/15ffaebd121223d96b19/netzip/RdxIE601_fr.cab
O16 - DPF: {C771B05E-E725-4516-97A5-4CE5EB163CFB} - http://kit.carpediem.fr/15239/xgratos.exe
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
O16 - DPF: teleir_cert - https://static.ir.dgi.minefi.gouv.fr/secure/connexion/archives/ie4n4/teleir_cert.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?38094.5217361111
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-download.com/MediaTicketsInstaller.cab

 

Hello buck danny,

Run Hijackthis again with all browsers closed and check these items and then on Fix:

O2 - BHO: (no name) - {D848A3CA-0BFB-4DE0-BA9E-A57F0CCA1C13} - C:\WINDOWS\DEALHLPR.DLL
O2 - BHO: (no name) - {FCADDC14-BD46-408A-9842-CDBE1C6D37EB} - C:\WINDOWS\SYSTEM\MSNKMI.DLL
O2 - BHO: (no name) - {25F7FA20-3FC3-11D7-B487-00D05990014C} - C:\WINDOWS\SYSTEM\MSEGGO.GIF
O2 - BHO: (no name) - {0BA1C6EB-D062-4E37-9DB5-B07743276324} - C:\WINDOWS\SYSTEM\MSGLJI.GIF

O3 - Toolbar: Band Class - {D848A3CA-0BFB-4DE0-BA9E-A57F0CCA1C13} - C:\WINDOWS\DEALHLPR.DLL

O4 - HKLM\..\Run: [sxklcd] C:\WINDOWS\sxklcd.exe
O4 - HKLM\..\Run: [bytyh] C:\WINDOWS\bytyh.exe
O4 - HKLM\..\Run: [mferefol] C:\WINDOWS\mferefol.exe
O4 - HKLM\..\Run: [jej] C:\WINDOWS\jej.exe
O4 - HKLM\..\Run: [styhqrer] C:\WINDOWS\styhqrer.exe
O4 - HKLM\..\Run: [cbuxwtap] C:\WINDOWS\cbuxwtap.exe
O4 - HKLM\..\Run: [pghglgr] C:\WINDOWS\pghglgr.exe
O4 - HKLM\..\Run: [gjyz] C:\WINDOWS\gjyz.exe
O4 - HKLM\..\Run: [mxap] C:\WINDOWS\mxap.exe
O4 - HKLM\..\Run: [gbabmv] C:\WINDOWS\gbabmv.exe
O4 - HKLM\..\Run: [srarmzgd] C:\WINDOWS\srarmzgd.exe
O4 - HKLM\..\Run: [cdwpozin] C:\WINDOWS\cdwpozin.exe
O4 - HKLM\..\Run: [izehsp] C:\WINDOWS\izehsp.exe
O4 - HKLM\..\Run: [wbihsl] C:\WINDOWS\wbihsl.exe
O4 - HKLM\..\Run: [tih] C:\WINDOWS\tih.exe
O4 - HKLM\..\Run: [ixkpuz] C:\WINDOWS\ixkpuz.exe
O4 - HKLM\..\Run: [etgj] C:\WINDOWS\etgj.exe
O4 - HKLM\..\Run: [lyd] C:\WINDOWS\lyd.exe
O4 - HKLM\..\Run: [yngx] C:\WINDOWS\yngx.exe
O4 - HKLM\..\Run: [ngb] C:\WINDOWS\ngb.exe
O4 - HKLM\..\Run: [lkj] C:\WINDOWS\lkj.exe
O4 - HKLM\..\Run: [ludmt] C:\WINDOWS\ludmt.exe
O4 - HKLM\..\Run: [bqlqxav] C:\WINDOWS\bqlqxav.exe
O4 - HKLM\..\Run: [ytgn] C:\WINDOWS\ytgn.exe
O4 - HKLM\..\Run: [WhenUSearch] "C:\Program Files\WhenUSearch\Search.exe"
O4 - HKLM\..\Run: [VVSN] C:\PROGRAM FILES\VVSN\VVSN.EXE
O4 - HKLM\..\Run: [DealHelperUpdate] C:\WINDOWS\DHUpdt.exe
O4 - HKLM\..\Run: [DealHelperBrwsr] C:\WINDOWS\dhbrwsr.exe
O4 - HKCU\..\Run: [Swcr] C:\WINDOWS\Application Data\eaeh.exe
O4 - HKCU\..\Run: [msmc] C:\WINDOWS\SYSTEM\msgked.exe

O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/15ffaebd121223...RdxIE601_fr.cab
O16 - DPF: {C771B05E-E725-4516-97A5-4CE5EB163CFB} - http://kit.carpediem.fr/15239/xgratos.exe

Reboot the computer into safe mode

Make sure you can view all hidden files and folders

Find and delete these files/folders:if you don't find them, that is ok)

C:\WINDOWS\sxklcd.exe
C:\WINDOWS\bytyh.exe
C:\WINDOWS\mferefol.exe
C:\WINDOWS\jej.exe
C:\WINDOWS\styhqrer.exe
C:\WINDOWS\cbuxwtap.exe
C:\WINDOWS\pghglgr.exe
C:\WINDOWS\gjyz.exe
C:\WINDOWS\mxap.exe
C:\WINDOWS\gbabmv.exe
C:\WINDOWS\srarmzgd.exe
C:\WINDOWS\cdwpozin.exe
C:\WINDOWS\izehsp.exe
C:\WINDOWS\wbihsl.exe
C:\WINDOWS\tih.exe
C:\WINDOWS\ixkpuz.exe
C:\WINDOWS\etgj.exe
C:\WINDOWS\lyd.exe
C:\WINDOWS\yngx.exe
C:\WINDOWS\ngb.exe
C:\WINDOWS\lkj.exe
C:\WINDOWS\ludmt.exe
C:\WINDOWS\bqlqxav.exe
C:\WINDOWS\ytgn.exe
C:\Program Files\WhenUSearch ......................Folder
C:\PROGRAM FILES\VVSN ...................Folder
C:\WINDOWS\DHUpdt.exe
C:\WINDOWS\dhbrwsr.exe
C:\WINDOWS\Application Data\eaeh.exe
C:\WINDOWS\SYSTEM\msgked.exe

Reboot the computer and run Hijackthis again and post a new log here.

 

Hi,

I follow every step and as you aked me, here is the new log.
Thanks for your help



Logfile of HijackThis v1.97.7
Scan saved at 16:29:40, on 13/06/2004
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\TREND MICRO\PC-CILLIN 9\PCCIOMON.EXE
C:\PROGRAM FILES\TREND MICRO\PC-CILLIN 9\PCCPFW.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\WINAMP\WINAMPA.EXE
C:\PROGRAM FILES\REAL\REALPLAYER\REALPLAY.EXE
C:\PROGRAM FILES\TREND MICRO\PC-CILLIN 9\PCCGUIDE.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\TREND MICRO\PC-CILLIN 9\PCCCLIENT.EXE
C:\PROGRAM FILES\TREND MICRO\PC-CILLIN 9\POP3TRAP.EXE
C:\WINDOWS\STARTER.EXE
C:\WINDOWS\LOADQM.EXE
C:\WINDOWS\CY_BG.EXE
C:\PROGRAM FILES\AHEAD\INCD\INCD.EXE
C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
D:\DOWNLOAD\DOWNLOAD\NICO\INTERNET EXPLORER\SPYWARE\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.fr/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://mycpworld.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.ExE
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [WinampAgent] "C:\PROGRAM FILES\WINAMP\WINAMPa.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\PC-cillin 9\pccguide.exe"
O4 - HKLM\..\Run: [PCCIOMON.exe] "C:\Program Files\Trend Micro\PC-cillin 9\PCCIOMON.exe"
O4 - HKLM\..\Run: [PCCClient.exe] "C:\Program Files\Trend Micro\PC-cillin 9\PCCClient.exe"
O4 - HKLM\..\Run: [Pop3trap.exe] "C:\Program Files\Trend Micro\PC-cillin 9\Pop3trap.exe"
O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [SpyBlocker] D:\DOWNLOAD\DOWNLOAD\NICO\INTERNET EXPLORER\spyblocker.exe
O4 - HKLM\..\Run: [CY_BG] C:\WINDOWS\CY_BG.EXE
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\RunServices: [PCCIOMON.exe] "C:\Program Files\Trend Micro\PC-cillin 9\PCCIOMON.exe"
O4 - HKLM\..\RunServices: [PCCPFW] C:\Program Files\Trend Micro\PC-cillin 9\PCCPFW.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [msmc] C:\WINDOWS\SYSTEM\msgked.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xporter vers Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE10\EXCEL.EXE/3000
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR4.DLL/cmsearch.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR4.DLL/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR4.DLL/cmsimilar.html
O8 - Extra context menu item: Backward &Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR4.DLL/cmbacklinks.html
O9 - Extra button: Real.com (HKLM)
O12 - Plugin for .mov: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...apple.com/qt503/fr/win/QuickTimeInstaller.exe
O16 - DPF: {E87A6788-1D0F-4444-8898-1D25829B6755} (MSN Chat Control 4.0) - http://fdl.msn.com/public/chat/msnchat4.cab
O16 - DPF: Interface Chat Voila - http://chat9.x-echo.com/Applet/vchatsign.cab
O16 - DPF: Yahoo! Chess - http://download.games.yahoo.com/games/clients/y/ct0_x.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2002112801/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
O16 - DPF: teleir_cert - https://static.ir.dgi.minefi.gouv.fr/secure/connexion/archives/ie4n4/teleir_cert.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?38094.5217361111
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-download.com/MediaTicketsInstaller.cab

 

Hello,

Looking better.

This one needs to go away though. Try it this way:

Reboot into safe mode again. Run Hijack this again, and with all other windows closed and check this one. If you are unable to delete the file, and get a message that the file may be in use, open Task manager (CTRL-ALT-DEL), and end task on the msmc process. Then delete the file.


O4 - HKCU\..\Run: [msmc] C:\WINDOWS\SYSTEM\msgked.exe

Then, WITHOUT rebooting, delete the file C:\WINDOWS\SYSTEM\msgked.exe

Reboot, empty the recycle bin, rescan with Hijack this, and post a fresh log.

 

Hi,
Thanks

Logfile of HijackThis v1.97.7
Scan saved at 22:54:13, on 14/06/2004
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\TREND MICRO\PC-CILLIN 9\PCCIOMON.EXE
C:\PROGRAM FILES\TREND MICRO\PC-CILLIN 9\PCCPFW.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\WINAMP\WINAMPA.EXE
C:\PROGRAM FILES\REAL\REALPLAYER\REALPLAY.EXE
C:\PROGRAM FILES\TREND MICRO\PC-CILLIN 9\PCCGUIDE.EXE
C:\PROGRAM FILES\TREND MICRO\PC-CILLIN 9\PCCCLIENT.EXE
C:\PROGRAM FILES\TREND MICRO\PC-CILLIN 9\POP3TRAP.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\STARTER.EXE
C:\WINDOWS\LOADQM.EXE
C:\WINDOWS\CY_BG.EXE
C:\PROGRAM FILES\AHEAD\INCD\INCD.EXE
C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE10\WINWORD.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\NOTEPAD.EXE
C:\WINDOWS\NOTEPAD.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE10\EXCEL.EXE
D:\DOWNLOAD\DOWNLOAD\NICO\INTERNET EXPLORER\SPYWARE\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.fr/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://mycpworld.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.ExE
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [WinampAgent] "C:\PROGRAM FILES\WINAMP\WINAMPa.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\PC-cillin 9\pccguide.exe"
O4 - HKLM\..\Run: [PCCIOMON.exe] "C:\Program Files\Trend Micro\PC-cillin 9\PCCIOMON.exe"
O4 - HKLM\..\Run: [PCCClient.exe] "C:\Program Files\Trend Micro\PC-cillin 9\PCCClient.exe"
O4 - HKLM\..\Run: [Pop3trap.exe] "C:\Program Files\Trend Micro\PC-cillin 9\Pop3trap.exe"
O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [SpyBlocker] D:\DOWNLOAD\DOWNLOAD\NICO\INTERNET EXPLORER\spyblocker.exe
O4 - HKLM\..\Run: [CY_BG] C:\WINDOWS\CY_BG.EXE
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\RunServices: [PCCIOMON.exe] "C:\Program Files\Trend Micro\PC-cillin 9\PCCIOMON.exe"
O4 - HKLM\..\RunServices: [PCCPFW] C:\Program Files\Trend Micro\PC-cillin 9\PCCPFW.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xporter vers Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE10\EXCEL.EXE/3000
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR4.DLL/cmsearch.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR4.DLL/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR4.DLL/cmsimilar.html
O8 - Extra context menu item: Backward &Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR4.DLL/cmbacklinks.html
O9 - Extra button: Real.com (HKLM)
O12 - Plugin for .mov: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...apple.com/qt503/fr/win/QuickTimeInstaller.exe
O16 - DPF: {E87A6788-1D0F-4444-8898-1D25829B6755} (MSN Chat Control 4.0) - http://fdl.msn.com/public/chat/msnchat4.cab
O16 - DPF: Interface Chat Voila - http://chat9.x-echo.com/Applet/vchatsign.cab
O16 - DPF: Yahoo! Chess - http://download.games.yahoo.com/games/clients/y/ct0_x.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2002112801/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
O16 - DPF: teleir_cert - https://static.ir.dgi.minefi.gouv.fr/secure/connexion/archives/ie4n4/teleir_cert.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?38094.5217361111
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-download.com/MediaTicketsInstaller.cab

 

Hello,

Looking pretty good. How are things working for you? Any problems?

 

Yes everything is working fine, thank you.
But I've got a new thing hapening, an error message appears in a window, if I close it, my pc shutdowns.
This tells that explorer made an error hapenning in ~6972858775.TMP...
If I delete this file from temp repertory this isn't possible, in a normal mode. In safe mode this works but the error window comes back when I restart my computer. A computer backup can't be led to its end ... so help me please, it will be nice of you if you could solve this. I enclose the detail of hijack it can help you.

Logfile of HijackThis v1.97.7
Scan saved at 10:48:22, on 19/06/2004
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\TREND MICRO\PC-CILLIN 9\PCCIOMON.EXE
C:\PROGRAM FILES\TREND MICRO\PC-CILLIN 9\PCCPFW.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\WINAMP\WINAMPA.EXE
C:\PROGRAM FILES\REAL\REALPLAYER\REALPLAY.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\TREND MICRO\PC-CILLIN 9\PCCGUIDE.EXE
C:\PROGRAM FILES\TREND MICRO\PC-CILLIN 9\PCCCLIENT.EXE
C:\PROGRAM FILES\TREND MICRO\PC-CILLIN 9\POP3TRAP.EXE
C:\WINDOWS\STARTER.EXE
C:\WINDOWS\LOADQM.EXE
C:\WINDOWS\CY_BG.EXE
C:\PROGRAM FILES\AHEAD\INCD\INCD.EXE
C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
D:\DOWNLOAD\DOWNLOAD\NICO\INTERNET EXPLORER\SPYWARE\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.fr/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://mycpworld.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.ExE
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [WinampAgent] "C:\PROGRAM FILES\WINAMP\WINAMPa.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\PC-cillin 9\pccguide.exe"
O4 - HKLM\..\Run: [PCCIOMON.exe] "C:\Program Files\Trend Micro\PC-cillin 9\PCCIOMON.exe"
O4 - HKLM\..\Run: [PCCClient.exe] "C:\Program Files\Trend Micro\PC-cillin 9\PCCClient.exe"
O4 - HKLM\..\Run: [Pop3trap.exe] "C:\Program Files\Trend Micro\PC-cillin 9\Pop3trap.exe"
O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [SpyBlocker] D:\DOWNLOAD\DOWNLOAD\NICO\INTERNET EXPLORER\spyblocker.exe
O4 - HKLM\..\Run: [CY_BG] C:\WINDOWS\CY_BG.EXE
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\RunServices: [PCCIOMON.exe] "C:\Program Files\Trend Micro\PC-cillin 9\PCCIOMON.exe"
O4 - HKLM\..\RunServices: [PCCPFW] C:\Program Files\Trend Micro\PC-cillin 9\PCCPFW.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [msmc] C:\WINDOWS\SYSTEM\msmc.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xporter vers Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE10\EXCEL.EXE/3000
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR4.DLL/cmsearch.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR4.DLL/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR4.DLL/cmsimilar.html
O8 - Extra context menu item: Backward &Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR4.DLL/cmbacklinks.html
O9 - Extra button: Real.com (HKLM)
O12 - Plugin for .mov: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...apple.com/qt503/fr/win/QuickTimeInstaller.exe
O16 - DPF: {E87A6788-1D0F-4444-8898-1D25829B6755} (MSN Chat Control 4.0) - http://fdl.msn.com/public/chat/msnchat4.cab
O16 - DPF: Interface Chat Voila - http://chat9.x-echo.com/Applet/vchatsign.cab
O16 - DPF: Yahoo! Chess - http://download.games.yahoo.com/games/clients/y/ct0_x.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2002112801/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
O16 - DPF: teleir_cert - https://static.ir.dgi.minefi.gouv.fr/secure/connexion/archives/ie4n4/teleir_cert.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?38094.5217361111
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-download.com/MediaTicketsInstaller.cab

 

Hello,

I see something popped up back in your log, so,

Run Hijackthis again and check this item and then on Fix:

O4 - HKCU\..\Run: [msmc] C:\WINDOWS\SYSTEM\msmc.exe

Reboot into safe mode and find and delete this file:

C:\WINDOWS\SYSTEM\msmc.exe

Reboot.

Also, give me the details of the error message you are getting.