morze1 nightmare

Discussion in 'adware, spyware & hijack cleaning' started by nicoletta, Mar 30, 2004.

Thread Status:
Not open for further replies.
  1. nicoletta

    nicoletta Registered Member

    Joined:
    Mar 30, 2004
    Posts:
    3
    Greetings! Last Thursday, a host of things downloaded on my computer. Every day, it's worse. My Norton CleanSweep keeps flashing on my computer every 3 or 4 seconds saying that an installation process is being detected. I tried posting my problem on another forum which helped me once before, but after several days with no reply, I attempted deleting these startup files and a suspected BrowserHelper.dll file on my own with HijackThis. They keep coming back and have duplicated themselves like rabbits! Additionally, back-up files were automatically created on my desktop. I really don't understand how to do some of the posts on your board and may need a tutorial link or a clear description. Gosh, I'd really appreciate help. My whole business runs on the computer, and I have spent countless hours reading forums and trying to figure out what to do on my own. I'm afraid to do any more than I have, as I might damage the computer. These duplicating files are eating up my computer space. PLEASE HELP!
    I have Windows ME. Here's my HijackThis log file:
    Logfile of HijackThis v1.97.7
    Scan saved at 11:29:04 AM, on 3/30/2004
    Platform: Windows ME (Win9x 4.90.3000)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\WINDOWS\SYSTEM\SSDPSRV.EXE
    C:\WINDOWS\SYSTEM\MDM.EXE
    C:\WINDOWS\SYSTEM\STIMON.EXE
    C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON CLEANSWEEP\CSINJECT.EXE
    C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON UTILITIES\NPROTECT.EXE
    C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\SYMTRAY.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\PROGRAM FILES\MICROSOFT HARDWARE\MOUSE\POINT32.EXE
    C:\PROGRAM FILES\ADAPTEC\DIRECTCD\DIRECTCD.EXE
    C:\PROGRAM FILES\MUSICMATCH\MUSICMATCH JUKEBOX\MM_TRAY.EXE
    C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON ANTIVIRUS\NAVAPW32.EXE
    C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
    C:\PROGRAM FILES\EARTHLINK TOTALACCESS\TASKPANL.EXE
    C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\WORKS SHARED\WKCALREM.EXE
    C:\WINDOWS\SYSTEM\TAPISRV.EXE
    C:\PROGRAM FILES\SIERRA IMAGING\IMAGE EXPERT 2000\IXAPPLET.EXE
    C:\PROGRAM FILES\GREETINGS WORKSHOP\GWREMIND.EXE
    C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON CLEANSWEEP\CSINSM32.EXE
    C:\PROGRAM FILES\SONY HANDHELD\HOTSYNC.EXE
    C:\Program Files\Norton SystemWorks\Norton CleanSweep\Monwow.exe
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\WINDOWS\SYSTEM\HPZSTATX.EXE
    C:\WINDOWS\SYSTEM\BAR332V.EXE
    C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
    C:\WINDOWS\4BB2CFTU.EXE
    C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.earthlink.net/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.earthlink.net
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.earthlink.net/partner/more/msie/button/search.html
    F1 - win.ini: run=hpfsched
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
    O2 - BHO: (no name) - {B549456D-F5D0-4641-BCED-8648A0C13D83} - C:\WINDOWS\BrowserHelper.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
    O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
    O4 - HKLM\..\Run: [POINTER] C:\Program Files\Microsoft Hardware\Mouse\point32.exe
    O4 - HKLM\..\Run: [Adaptec DirectCD] C:\PROGRA~1\ADAPTEC\DIRECTCD\DIRECTCD.EXE
    O4 - HKLM\..\Run: [MMTray] C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe
    O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~2\NORTON~1\NAVAPW32.EXE
    O4 - HKLM\..\Run: [NPROTECT] C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [BAR332V] C:\WINDOWS\SYSTEM\BAR332V.exe
    O4 - HKLM\..\Run: [4BB2CFTU.EXE] C:\WINDOWS\4BB2CFTU.EXE /dk
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
    O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
    O4 - HKLM\..\RunServices: [Machine Debug Manager] C:\WINDOWS\SYSTEM\MDM.EXE
    O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
    O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
    O4 - HKLM\..\RunServices: [CSINJECT.EXE] C:\Program Files\Norton SystemWorks\Norton CleanSweep\CSINJECT.EXE
    O4 - HKLM\..\RunServices: [NPROTECT] C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
    O4 - HKLM\..\RunServices: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\SymTray.exe "Norton SystemWorks"
    O4 - HKCU\..\Run: [MSMSGS] C:\PROGRA~1\MESSEN~1\msmsgs.exe /background
    O4 - HKCU\..\Run: [E6TaskPanel] "C:\PROGRAM FILES\EARTHLINK TOTALACCESS\TASKPANL.EXE" -winstart
    O4 - HKCU\..\Run: [4BB2CFTU.EXE] C:\WINDOWS\4BB2CFTU.EXE /dk
    O4 - Startup: MICROSOFT OFFICE.LNK = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Startup: MICROSOFT WORKS CALENDAR REMINDERS.LNK = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
    O4 - Startup: RESOLUTION ASSISTANT.LNK = C:\Program Files\Dell\Resolution Assistant\MotiveAssistant\bin\matcli.exe
    O4 - Startup: CAMIO VIEWER 3.2.LNK = C:\Program Files\Sierra Imaging\Image Expert 2000\IXApplet.exe
    O4 - Startup: GREETINGS WORKSHOP REMINDERS.LNK = C:\Program Files\Greetings Workshop\GWREMIND.EXE
    O4 - Startup: CLEANSWEEP SMART SWEEP-INTERNET SWEEP.LNK = C:\Program Files\Norton SystemWorks\Norton CleanSweep\csinsm32.exe
    O4 - Startup: HOTSYNC MANAGER.LNK = C:\Program Files\Sony Handheld\HOTSYNC.EXE
    O4 - Startup: MORZE1.lnk = C:\WINDOWS\morze1.exe
    O4 - Startup: HAQR5MDJ.lnk = C:\WINDOWS\haqr5mdj.exe
    O4 - Startup: GI9DBGWI.lnk = C:\WINDOWS\gi9dbgwi.exe
    O4 - Startup: 77QBHANZ.lnk = C:\WINDOWS\77qbhanz.exe
    O4 - Startup: 0R3IEW80.lnk = C:\WINDOWS\0r3iew80.exe
    O4 - Startup: WEAHBMI4.lnk = C:\WINDOWS\weahbmi4.exe
    O4 - Startup: Z7KM96F9.lnk = C:\WINDOWS\z7km96f9.exe
    O4 - Startup: TZXJRZY0.lnk = C:\WINDOWS\tzxjrzy0.exe
    O4 - Startup: V7F02C3I.lnk = C:\WINDOWS\v7f02c3i.exe
    O4 - Startup: FR1ZHE2J.lnk = C:\WINDOWS\fr1zhe2j.exe
    O4 - Startup: 0DIO94Y8.lnk = C:\WINDOWS\0dio94y8.exe
    O4 - Startup: 4BB2CFTU.lnk = C:\WINDOWS\4bb2cftu.exe
    O4 - Global Startup: MORZE1.lnk = C:\WINDOWS\morze1.exe
    O4 - Global Startup: HAQR5MDJ.lnk = C:\WINDOWS\haqr5mdj.exe
    O4 - Global Startup: GI9DBGWI.lnk = C:\WINDOWS\gi9dbgwi.exe
    O4 - Global Startup: 77QBHANZ.lnk = C:\WINDOWS\77qbhanz.exe
    O4 - Global Startup: 0R3IEW80.lnk = C:\WINDOWS\0r3iew80.exe
    O4 - Global Startup: WEAHBMI4.lnk = C:\WINDOWS\weahbmi4.exe
    O4 - Global Startup: Z7KM96F9.lnk = C:\WINDOWS\z7km96f9.exe
    O4 - Global Startup: TZXJRZY0.lnk = C:\WINDOWS\tzxjrzy0.exe
    O4 - Global Startup: V7F02C3I.lnk = C:\WINDOWS\v7f02c3i.exe
    O4 - Global Startup: FR1ZHE2J.lnk = C:\WINDOWS\fr1zhe2j.exe
    O4 - Global Startup: 0DIO94Y8.lnk = C:\WINDOWS\0dio94y8.exe
    O4 - Global Startup: 4BB2CFTU.lnk = C:\WINDOWS\4bb2cftu.exe
    O8 - Extra context menu item: &Define - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
    O8 - Extra context menu item: Look Up in &Encyclopedia - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: MSN Messenger Service (HKLM)
    O9 - Extra button: Encarta Encyclopedia (HKLM)
    O9 - Extra 'Tools' menuitem: Encarta Encyclopedia (HKLM)
    O9 - Extra button: Define (HKLM)
    O9 - Extra 'Tools' menuitem: Define (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O9 - Extra button: Dell Home (HKCU)
    O12 - Plugin for .DImg: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin3.dll
    O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.dellnet.com/
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security1.norton.com/SSC/SharedContent/sc/bin/cabsa.cab
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security1.norton.com/SSC/SharedContent/vc/bin/AvSniff.cab
    O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/swdir.cab
    O16 - DPF: {8F2E4DC6-E858-4EF0-B596-7CD82AA94B0A} (M2AxCtl Class) - http://hometowntrivia.net/towns/corning/game/m2axsvr.dll
    O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-32.cab
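The pattern in the log above (one binary registered under HKLM Run, HKCU Run, the user Startup folder and the Global Startup folder, plus a dozen random-named executables dropped straight into C:\WINDOWS) is exactly what a triage script can surface mechanically. The following is an added example, not part of this thread and not a HijackThis feature: it parses O2 and O4 lines, groups autostart entries by target binary, and flags loose binaries in the Windows root that are either registered in more than one autostart location or carry a random-looking 6-8 character name. The thresholds and the "Windows root only" rule are assumptions chosen for this log; the sample input is a constructed subset of the lines posted above.

```python
import ntpath
import re
from collections import defaultdict

# Constructed sample: a subset of the O2/O4 lines from the HijackThis log posted above.
SAMPLE_LOG = r"""
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {B549456D-F5D0-4641-BCED-8648A0C13D83} - C:\WINDOWS\BrowserHelper.dll
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [NPROTECT] C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [4BB2CFTU.EXE] C:\WINDOWS\4BB2CFTU.EXE /dk
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [NPROTECT] C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O4 - HKCU\..\Run: [4BB2CFTU.EXE] C:\WINDOWS\4BB2CFTU.EXE /dk
O4 - Startup: HOTSYNC MANAGER.LNK = C:\Program Files\Sony Handheld\HOTSYNC.EXE
O4 - Startup: MORZE1.lnk = C:\WINDOWS\morze1.exe
O4 - Startup: HAQR5MDJ.lnk = C:\WINDOWS\haqr5mdj.exe
O4 - Startup: 4BB2CFTU.lnk = C:\WINDOWS\4bb2cftu.exe
O4 - Global Startup: MORZE1.lnk = C:\WINDOWS\morze1.exe
O4 - Global Startup: HAQR5MDJ.lnk = C:\WINDOWS\haqr5mdj.exe
O4 - Global Startup: 4BB2CFTU.lnk = C:\WINDOWS\4bb2cftu.exe
"""

# Assumed heuristics: the location is the text before the first colon ("HKLM\..\Run",
# "Startup", "Global Startup", ...); a "random-looking" name is 6-8 alphanumerics mixing
# letters and digits. Both are tuned to this log, not general rules.
O4_RE = re.compile(r"^O4 - (?P<loc>[^:]+): (?P<rest>.*)$")
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{[0-9A-Fa-f-]+\} - (?P<path>.+)$")
RANDOM_RE = re.compile(r"^(?=.*\d)(?=.*[a-z])[a-z0-9]{6,8}$")
WINDOWS_ROOT = r"c:\windows"


def extract_path(rest, loc):
    """Pull the target binary out of an O4 entry's payload.

    Startup-folder lines read "NAME.lnk = target"; registry lines read
    "[Name] target args" with the target optionally quoted.
    """
    if loc in ("Startup", "Global Startup"):
        rest = rest.split(" = ", 1)[1]
    else:
        rest = re.sub(r"^\[[^\]]*\]\s*", "", rest)
    if rest.startswith('"'):
        return rest[1:].split('"', 1)[0]
    # Unquoted paths may contain spaces; cut at the first ".exe" followed by a space or EOL.
    m = re.match(r"(.+?\.exe)(?:\s|$)", rest, re.IGNORECASE)
    return m.group(1) if m else rest.split(" ")[0]


def triage_o4(lines):
    """Group O4 entries by lowercased target path and return the flagged ones.

    Result: {path: {"locations": [...], "reasons": [...]}} for binaries that sit
    loose in the Windows root and are multiply registered or randomly named.
    """
    seen = defaultdict(set)
    for line in lines:
        m = O4_RE.match(line.strip())
        if not m:
            continue
        path = extract_path(m.group("rest"), m.group("loc")).lower()
        seen[path].add(m.group("loc"))

    flagged = {}
    for path, locs in seen.items():
        if ntpath.dirname(path) != WINDOWS_ROOT:
            continue  # only loose binaries in C:\WINDOWS are considered here
        reasons = []
        if len(locs) >= 2:
            reasons.append("registered in %d autostart locations" % len(locs))
        stem = ntpath.splitext(ntpath.basename(path))[0]
        if RANDOM_RE.match(stem):
            reasons.append("random-looking 6-8 character name")
        if reasons:
            flagged[path] = {"locations": sorted(locs), "reasons": reasons}
    return flagged


def triage_o2(lines):
    """Return paths of unnamed BHOs whose DLL sits loose in the Windows root."""
    hits = []
    for line in lines:
        m = O2_RE.match(line.strip())
        if m and m.group("name") == "(no name)" \
                and ntpath.dirname(m.group("path")).lower() == WINDOWS_ROOT:
            hits.append(m.group("path"))
    return hits


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for path, info in sorted(triage_o4(lines).items()):
        print(path, "|", "; ".join(info["reasons"]), "|", ", ".join(info["locations"]))
    for path in triage_o2(lines):
        print(path, "| unnamed BHO in Windows root")
```

Run against the sample, the script reports 4bb2cftu.exe under four autostart locations and morze1.exe and haqr5mdj.exe under two each, while leaving scanregw.exe, taskmon.exe and the Program Files entries alone; the unnamed C:\WINDOWS\BrowserHelper.dll BHO is listed separately. The output is a prioritised list to look at, not a verdict: entries in the Windows root with a single registration and a recognisable name are normal on Windows ME.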
     
  2. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    Hi

    This is the best cure we have found so far

    http://www.wilderssecurity.com/showthread.php?t=25926

    please follow it carefully and post back with any problems and queries
     
  3. nicoletta

    Okay, sounds good but for starters, where do I find the yahoo stock task bar icon? It doesn't appear to be on my start page.
    Thanks so much for your help, Nicoletta
    o_O
     
  4. puff-m-d

    puff-m-d Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    4,451
    Location:
    North Carolina, USA
    Hi nicoletta,

    It will be in your system tray/taskbar. It could be any icon you do not recognize... I know it has shown up there as "??" on a couple of machines. And it mostly shows up on Windows 98, but has appeared on others as well...

    Regards,
    Kent
     
  5. nicoletta

    There are no unusual icons or question marks. I did a search for yahoo stock and came up with: FStock.dll & Stocks.dat

    Any suggestions?

    Thanks, Nicoletta
     
  6. puff-m-d

    Hi nicoletta,

    All infections do not include this icon, so you can skip this step and go on to the next one...

    Regards,
    Kent
     