My PC crashed and I need some serious help!

Discussion in 'adware, spyware & hijack cleaning' started by ZeldaManiac44, Jul 2, 2004.

  1. ZeldaManiac44

    ZeldaManiac44 Registered Member

    Joined:
    Jun 30, 2004
    Posts:
    56
    Location:
    TX, United States.
    Almost a month ago my PC crashed. Basically, what happened was I turned the machine on and got this message:

    Primary hard disk drive failure.
    Strike F1 key to continue, F2 to run the setup utility.

    3Com PXE version 0.99n
    Copyright (C) 1997, 1998 Intel Corporation.
    All rights reserved.

    (C) Copyright 1999 Lanworks Technologies Co.
    A subsidiary of 3Com Corporation.

    PXE-E61: Media Test Failure, check cable.
    PXE-MOF: Exiting PXE.

    strike F1 to retry boot, F2 for setup utility.


    The next day, I turned it on and it launched in Safe Mode. The wallpaper appeared in low-res black and white; the icons, however, were in color and enlarged. I soon overrode the PC booting itself into Safe Mode by hitting the F8 key at startup and changing it to Normal Mode, because there was little I could do in Safe Mode. But strangely enough, the low-res appearance remained.

    Since then the PC crashed once more, showing the "Hard disk drive failure" message at startup, but absolutely nothing changed after the second crash.

    This meant I had to find a way to fix the appearance, as a lot of my programs won't work without 32,000 colors (or 32 bit color). I went into Display Properties, on the Settings tab, but the options there were "16 Colors", "256 Colors" and "High Color (16 bit)", none of which were consistent with True 32-bit Color, which is what my programs like Broderbund 3-D Home Architect need.

    So I turned off the system and removed the monitor connection from the PC unit, let it rest for about an hour then re-connected and restarted. I did all that because a friend of mine who's a Computer Analyst said it might make a difference, as the drivers should reset themselves automatically in doing that procedure. It didn't work.

    So my theory is that something, somewhere is interfering with the drivers, most likely the same thing that caused these crashes, so I'm posting an HJT log in hopes that it might shine some light on that.

    I was also infected with malware in the days leading up to the crash, I'm not sure if that caused it though, because spyware/malware/adware infection had been an ongoing thing for me, but it never caused anything drastic.

    What I've put here is only the tip of the iceberg; so if you need any more info, just ask.


    Logfile of HijackThis v1.97.7
    Scan saved at 9:53:55 PM, on 7/1/04
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\MOUSE\SYSTEM\EM_EXEC.EXE
    C:\DMI\BIN\NODEMNGR.EXE
    C:\WINDOWS\SYSTEM\STIMON.EXE
    C:\WINDOWS\SYSTEM\NVHQPD.EXE
    C:\PROGRAM FILES\WEBROOT\SPY SWEEPER\SPYSWEEPER.EXE
    C:\PROGRAM FILES\SPYBOT - SEARCH & DESTROY\TEATIMER.EXE
    C:\PROGRAM FILES\IOLO\SYSTEM MECHANIC 4\POPUPSTOPPER.EXE
    C:\PROGRAM FILES\KODAK\KODAK EASYSHARE SOFTWARE\BIN\EASYSHARE.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\WINDOWS\SYSTEM\RPCSS.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\PROGRAM FILES\HIJACKTHIS!\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://my.netzero.net/s/search?r=minisearch
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://my.netzero.net/s/search?r=minisearch
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://my.netzero.net/s/search?r=minisearch
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://my.netzero.net/s/search?r=minisearch
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://my.netzero.net/s/search?r=minisearch
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://my.netzero.net/s/search?r=minisearch
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
    R3 - URLSearchHook: URLSearchHook Class - {37D2CDBF-2AF4-44AA-8113-BD0D2DA3C2B8} - C:\PROGRAM FILES\NZSEARCH\SEARCHENH1.DLL
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
    O2 - BHO: (no name) - {0B90AA1B-F649-44C3-9FD3-736C332CBBCF} - (no file)
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O3 - Toolbar: (no name) - {014DA6C9-189F-421a-88CD-07CFE51CFF10} - (no file)
    O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
    O4 - HKLM\..\Run: [Disknag] C:\DELL\DISKNAG.EXE
    O4 - HKLM\..\Run: [TCASUTIEXE] TCAUDIAG.EXE -off
    O4 - HKLM\..\Run: [AtiCwd32] Aticwd32.exe
    O4 - HKLM\..\Run: [AtiKey] Atitask.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [EM_EXEC] c:\mouse\system\em_exec.exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [NodeMngr] C:\DMI\bin\NodeMngr.exe
    O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
    O4 - HKLM\..\Run: [47MSJ2W3J7PQJE] C:\WINDOWS\SYSTEM\NuaK63H.exe
    O4 - HKLM\..\Run: [oluvwnwl] C:\WINDOWS\oluvwnwl.exe
    O4 - HKLM\..\Run: [afrkxuf] C:\WINDOWS\SYSTEM\nvhqpd.exe
    O4 - HKLM\..\Run: [YPELIBT] C:\WINDOWS\SYSTEM\YPELIBT.exe
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SPYSWEEPER.EXE" /0
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\PROGRAM FILES\SPYBOT - SEARCH & DESTROY\TeaTimer.exe
    O4 - HKCU\..\Run: [System Mechanic Popup Stopper] "C:\PROGRAM FILES\IOLO\SYSTEM MECHANIC 4\POPUPSTOPPER.EXE"
    O4 - HKCU\..\Run: [spc_w] "C:\Program Files\NZSearch\hcm.exe" -w
    O4 - Startup: EPSON Status Monitor 3 Environment Check.lnk = C:\WINDOWS\SYSTEM\E_SRCV03.EXE
    O4 - Startup: PowerReg SchedulerV2.exe
    O4 - Startup: Software Kodak EasyShare.lnk = C:\Program Files\KODAK\Kodak EasyShare software\bin\EasyShare.exe
    O4 - User Startup: EPSON Status Monitor 3 Environment Check.lnk = C:\WINDOWS\SYSTEM\E_SRCV03.EXE
    O4 - User Startup: PowerReg SchedulerV2.exe
    O4 - User Startup: Software Kodak EasyShare.lnk = C:\Program Files\KODAK\Kodak EasyShare software\bin\EasyShare.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O9 - Extra button: Dell Home (HKCU)
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {BAC01377-73DD-4796-854D-2A8997E3D68A} (Yahoo! Photos Easy Upload Tool Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/ydropper/ydropper1_1us.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?38077.6255787037


    Just as forewarning, a few experts, because of the enumeration of about:blank entries in my start and search pages, seemingly think that this means a CoolWWWSearch has taken over the pages to make them default to blank (e.g. to prevent one from accessing useful spyware-removal sites). I want to clarify that this is NOT the case with my log, because some people have refrained from assisting me since they suspected CoolWWWSearch as being a threat here, and so they sometimes skip my thread! The only reason why about:blank appears in my log is a very simple one: I’ve commanded all my start and search pages to use no URL address whatsoever, thus leaving MSIE to default them to about:blank. If I wanted to use a homepage I would instruct IE to do so, but I prefer having none.

    In addition, I should note something important about this entry here:

    O4 - HKLM\..\Run: [47MSJ2W3J7PQJE] C:\WINDOWS\SYSTEM\NuaK63H.exe

    The TeaTimer feature integrated into Spybot 1.3 keeps warning me every time I boot up that the Global Startup entry 47MSJ2W3J7PQJE has a changed value. Here’s the exact message:

    Registry Entry: 47MSJ2W3J7PQJE
    Category: System Startup global entry
    Old value data: C:\WINDOWS\SYSTEM\NuaK63H.exe
    New value data: C:\WINDOWS\SYSTEM\RsaQs5.exe

    So I went to the path specified in Windows Explorer, then I checked the properties for both NuaK63H.exe and RsaQs5.exe; the internal name/original filename of both was wowex32.exe, which refers to the actual product Wowex32 v1.00. Could this be a new spyware variant? I’ve never heard of it, but it seemingly fits the mark of malware. Also, both have hidden and system attributes, and they both state that they were created and modified Monday, March 29, 2004, but those dates don’t really matter, right? That’s because if you modify the value of the Registry entry that corresponds with a file's properties, that date can be modified for malicious purposes, such as duping people into thinking it’s legitimate. I’ve encountered, on many occasions, files stating they were modified before their creation; if the Registry values weren’t changed to affect that, I can’t imagine what was.

    So far I’ve denied the change every time the TeaTimer notifies me of it, can you tell me why it changes, and what to do with it?
     
  2. ZeldaManiac44

    ZeldaManiac44 Registered Member

    To further illustrate the Registry change, I restarted my computer, chose "allow changes" when asked by the TeaTimer about the changed value, then I ran HijackThis:


    Logfile of HijackThis v1.97.7
    Scan saved at 11:20:41 PM, on 7/1/04
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\MOUSE\SYSTEM\EM_EXEC.EXE
    C:\DMI\BIN\NODEMNGR.EXE
    C:\WINDOWS\SYSTEM\STIMON.EXE
    C:\WINDOWS\SYSTEM\NVHQPD.EXE
    C:\PROGRAM FILES\WEBROOT\SPY SWEEPER\SPYSWEEPER.EXE
    C:\PROGRAM FILES\IOLO\SYSTEM MECHANIC 4\POPUPSTOPPER.EXE
    C:\PROGRAM FILES\KODAK\KODAK EASYSHARE SOFTWARE\BIN\EASYSHARE.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\WINDOWS\SYSTEM\RPCSS.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\PROGRAM FILES\SPYBOT - SEARCH & DESTROY\TEATIMER.EXE
    C:\WINDOWS\SYSTEM\HPRBFOZ.EXE
    C:\WINDOWS\SYSTEM\YZD84.EXE
    C:\PROGRAM FILES\HIJACKTHIS!\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://my.netzero.net/s/search?r=minisearch
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://my.netzero.net/s/search?r=minisearch
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://my.netzero.net/s/search?r=minisearch
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://my.netzero.net/s/search?r=minisearch
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://my.netzero.net/s/search?r=minisearch
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://my.netzero.net/s/search?r=minisearch
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
    R3 - URLSearchHook: URLSearchHook Class - {37D2CDBF-2AF4-44AA-8113-BD0D2DA3C2B8} - C:\PROGRAM FILES\NZSEARCH\SEARCHENH1.DLL
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
    O2 - BHO: (no name) - {0B90AA1B-F649-44C3-9FD3-736C332CBBCF} - (no file)
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O3 - Toolbar: (no name) - {014DA6C9-189F-421a-88CD-07CFE51CFF10} - (no file)
    O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
    O4 - HKLM\..\Run: [Disknag] C:\DELL\DISKNAG.EXE
    O4 - HKLM\..\Run: [TCASUTIEXE] TCAUDIAG.EXE -off
    O4 - HKLM\..\Run: [AtiCwd32] Aticwd32.exe
    O4 - HKLM\..\Run: [AtiKey] Atitask.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [EM_EXEC] c:\mouse\system\em_exec.exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [NodeMngr] C:\DMI\bin\NodeMngr.exe
    O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
    O4 - HKLM\..\Run: [47MSJ2W3J7PQJE] C:\WINDOWS\SYSTEM\RsaQs5.exe
    O4 - HKLM\..\Run: [oluvwnwl] C:\WINDOWS\oluvwnwl.exe
    O4 - HKLM\..\Run: [afrkxuf] C:\WINDOWS\SYSTEM\nvhqpd.exe
    O4 - HKLM\..\Run: [YPELIBT] C:\WINDOWS\SYSTEM\YPELIBT.exe
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SPYSWEEPER.EXE" /0
    O4 - HKCU\..\Run: [System Mechanic Popup Stopper] "C:\PROGRAM FILES\IOLO\SYSTEM MECHANIC 4\POPUPSTOPPER.EXE"
    O4 - HKCU\..\Run: [spc_w] "C:\Program Files\NZSearch\hcm.exe" -w
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\PROGRAM FILES\SPYBOT - SEARCH & DESTROY\TeaTimer.exe
    O4 - Startup: EPSON Status Monitor 3 Environment Check.lnk = C:\WINDOWS\SYSTEM\E_SRCV03.EXE
    O4 - Startup: PowerReg SchedulerV2.exe
    O4 - Startup: Software Kodak EasyShare.lnk = C:\Program Files\KODAK\Kodak EasyShare software\bin\EasyShare.exe
    O4 - User Startup: EPSON Status Monitor 3 Environment Check.lnk = C:\WINDOWS\SYSTEM\E_SRCV03.EXE
    O4 - User Startup: PowerReg SchedulerV2.exe
    O4 - User Startup: Software Kodak EasyShare.lnk = C:\Program Files\KODAK\Kodak EasyShare software\bin\EasyShare.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O9 - Extra button: Dell Home (HKCU)
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {BAC01377-73DD-4796-854D-2A8997E3D68A} (Yahoo! Photos Easy Upload Tool Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/ydropper/ydropper1_1us.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?38077.6255787037


    As you can see, when comparing the first log with this new one, the log entry of 47MSJ2W3J7PQJE has RsaQs5.exe specified instead of NuaK63H.exe. Around June 10th, 2004 this same entry specified C:\WINDOWS\SYSTEM\PikqWgd1.exe -- an entirely different file! Obviously, it had changed itself to this new NuaK63H.exe since then, and now it wishes to change to RsaQs5.exe as I’ve demonstrated.
     
  3. ZeldaManiac44

    ZeldaManiac44 Registered Member

    I'd like to add to what I said before, because after the monitor trick failed, my friend instructed me to do something else, it went something like this:

    This procedure, she told me, should fix the problem in the event that unplugging the monitor wouldn't. But the thing was when I tried Step 2, there wasn't any 256 Colors on the list. Actually, it seemed that the only color option in Safe Mode -- at least in my system's state -- was 16 Colors.

    In Normal Mode however, as I indicated in my starting post, there are 3 options: 16 Colors, 256 Colors, and High Color (16-bit). And the one that should be on there as well (but isn't) is True Color (32-bit). And don't think I haven't tried changing the Color scheme from Normal Mode! I tried each of the other two selections, in turn, and neither worked; when I restarted, it was back at 16 Colors, there was no way around it.

    And just to clarify, my monitor is fully capable of reaching 32; the monitor's fairly new, it's a Dell M780 model.

    I'd also like to remind everybody how my PC's color problem is related to spyware, so as to avoid any confusion.

    I said in the starting post that spyware had been an ongoing problem for me before the most damaging crash, which induced the low color graphics. Yet, even though I was being infected with spyware after almost every online session, the spyware never became such a drastic problem that I would've expected a crash. However, one can never be so sure, so I won't rule that out as a cause for the crash, and don't forget, it happened; it was just that the second crash didn't seem to change anything.

    And as I've been explaining, I'm here for two reasons.

    I want to restore the color scheme to its original state, and I want to purge whatever it was that caused the crash and seemingly this color problem as well.

    One main reason for my need to have the color scheme restored is that several of my programs will not run properly without it, and namely, this so happens to include a diagnostic program I downloaded just two days ago in hopes it would fix the errors on my PC. The irony is that this program, called System Mechanic 4.0i, gave me the message that "it couldn't run under 16 colors, and/or monochrome display modes", which is just my luck! I was able to access the PopupStopper feature of System Mechanic, as well as the Help Topics, but not the program! So the one thing that might have fixed everything needs everything to be fixed in order to run, thus creating a very vicious cycle, where I haven't got a clue what to do next.

    As for the issue of what created all this in the first place, I strongly believe there's something here, that's more than meets the eye, and that is more powerful than spyware, meaning it must be a Trojan, virus, worm, or what have you.

    I also want to bring to attention an important observation I made on both of the HijackThis logs I posted, which anybody who reviewed both logs will have realized as well. I’m referring to the fact that besides the 47MSJ2W3J7PQJE entry, there were a couple of other notable differences between the two logs I posted. Take a look at these entries from the running processes at the time of the first scan:

    C:\WINDOWS\SYSTEM\NVHQPD.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\WINDOWS\SYSTEM\RPCSS.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE


    Now when you compare the first scan with the second, there are two new running processes that had arisen after I restarted my PC, and those are:

    C:\WINDOWS\SYSTEM\HPRBFOZ.EXE
    C:\WINDOWS\SYSTEM\YZD84.EXE


    And in the O4 section of both scan logs, which refers to suspicious autoloading entries, you can see some of the same things, and different ones as well -- take a look:

    O4 - HKLM\..\Run: [oluvwnwl] C:\WINDOWS\oluvwnwl.exe
    O4 - HKLM\..\Run: [afrkxuf] C:\WINDOWS\SYSTEM\nvhqpd.exe
    O4 - HKLM\..\Run: [YPELIBT] C:\WINDOWS\SYSTEM\YPELIBT.exe


    My insinuation is none other than that these entries seem suspicious, and may be spyware carrying out some sort of malicious task.

    I can tell you that I'm almost certain I'd never seen the above filenames in Task Manager until after my PC crashed. I'd guess that whatever caused my PC to crash is somewhere in the mentioned entries. I have a fair amount of experience reviewing HijackThis logs, but I'm no expert, and so that's why I need someone who is -- just in case I make a mistake.

    And one thing that’s very strange is that this entry once appeared in HJT a few weeks ago as a suspicious autoloading entry:

    O4 - HKLM\..\Run: [TXDMM] C:\WINDOWS\SYSTEM\TXDMM.exe

    It appeared both as a running process and an autoloading process (at Global Startup). What puzzles me is that it wasn’t listed in these two recent logs; I don’t know why, because I haven’t deleted it in HJT, or in any other way. As a matter of fact I just went through Windows Explorer to the path, and TXDMM.exe is still in the system folder. I still haven’t done anything to it; perhaps someone here can provide insight on whether it still poses a threat, because HJT doesn’t seem to think so. And there was also another entry, a running process at the time (also from the SYSTEM folder), in HJT logs of weeks past, that isn’t listed when I do an HJT scan:

    C:\WINDOWS\SYSTEM\WFCRRMM3.EXE

    Do any of these indicate presence of a malicious application at that time? Any advice would be appreciated, thanks.
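The log comparison the poster does by hand above (first log against second, changed O4 value, two new processes) can be done mechanically. The script below is an added example, not part of this thread and not a HijackThis feature: it parses the running-process list and the bracketed O4 entries of two logs, reports processes and autostart values that appeared, vanished or changed, and ranks entries whose key or file name looks machine-generated so a reviewer knows where to look first. The two log excerpts are shortened copies of the logs posted above, and the known-good allowlist and the run-length threshold are assumptions to tune against your own list.

```python
"""Diff two HijackThis logs and triage their O4 autostart entries.

Added example for this thread; not part of HijackThis or of any post here.
The excerpts are shortened from the two logs posted above (constructed for
this example); KNOWN_GOOD and RANDOM_RUN are assumptions.
"""
import re
from typing import Dict, List, Tuple

LOG_BEFORE = r"""Running processes:
C:\WINDOWS\SYSTEM\NVHQPD.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\HIJACKTHIS!\HIJACKTHIS.EXE

O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [AtiCwd32] Aticwd32.exe
O4 - HKLM\..\Run: [47MSJ2W3J7PQJE] C:\WINDOWS\SYSTEM\NuaK63H.exe
O4 - HKLM\..\Run: [oluvwnwl] C:\WINDOWS\oluvwnwl.exe
O4 - HKLM\..\Run: [afrkxuf] C:\WINDOWS\SYSTEM\nvhqpd.exe
O4 - HKLM\..\Run: [YPELIBT] C:\WINDOWS\SYSTEM\YPELIBT.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\PROGRAM FILES\SPYBOT - SEARCH & DESTROY\TeaTimer.exe
"""

LOG_AFTER = r"""Running processes:
C:\WINDOWS\SYSTEM\NVHQPD.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\HPRBFOZ.EXE
C:\WINDOWS\SYSTEM\YZD84.EXE
C:\PROGRAM FILES\HIJACKTHIS!\HIJACKTHIS.EXE

O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [AtiCwd32] Aticwd32.exe
O4 - HKLM\..\Run: [47MSJ2W3J7PQJE] C:\WINDOWS\SYSTEM\RsaQs5.exe
O4 - HKLM\..\Run: [oluvwnwl] C:\WINDOWS\oluvwnwl.exe
O4 - HKLM\..\Run: [afrkxuf] C:\WINDOWS\SYSTEM\nvhqpd.exe
O4 - HKLM\..\Run: [YPELIBT] C:\WINDOWS\SYSTEM\YPELIBT.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\PROGRAM FILES\SPYBOT - SEARCH & DESTROY\TeaTimer.exe
"""

# Bracketed O4 lines: "O4 - <location>: [<key>] <command>"
O4_RE = re.compile(r"^O4 - (?P<loc>[^:]+): \[(?P<key>[^\]]+)\] (?P<cmd>.+)$")

# Assumed allowlist of autostart key names the reviewer has already vetted.
KNOWN_GOOD = {"ScanRegistry", "TaskMonitor", "SystemTray", "LoadPowerProfile",
              "AtiCwd32", "AtiKey", "SchedulingAgent", "SpybotSD TeaTimer",
              "SpySweeper"}
VOWELS = set("aeiouy")
RANDOM_RUN = 5  # assumed threshold: this many non-vowel letters/digits in a row


def parse_hjt(text: str) -> Tuple[List[str], Dict[str, str]]:
    """Return (running processes, {"<location>/<key>": command}) from a log.
    Only bracketed O4 Run/RunServices lines are indexed; Startup-folder
    lines (no [key]) are skipped. Process paths are upper-cased for comparison."""
    processes: List[str] = []
    autostarts: Dict[str, str] = {}
    in_procs = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Running processes:"):
            in_procs = True
            continue
        if in_procs:
            if not line:          # blank line ends the process list
                in_procs = False
            else:
                processes.append(line.upper())
            continue
        m = O4_RE.match(line)
        if m:
            autostarts[f"{m['loc']}/{m['key']}"] = m["cmd"]
    return processes, autostarts


def diff_logs(before: str, after: str) -> Dict[str, list]:
    """What appeared, vanished or changed between two scans of the same PC."""
    p_a, a_a = parse_hjt(before)
    p_b, a_b = parse_hjt(after)
    return {
        "new_processes": sorted(set(p_b) - set(p_a)),
        "gone_processes": sorted(set(p_a) - set(p_b)),
        "new_autostarts": sorted(k for k in a_b if k not in a_a),
        "gone_autostarts": sorted(k for k in a_a if k not in a_b),
        "changed_autostarts": sorted(
            (k, a_a[k], a_b[k]) for k in a_a
            if k in a_b and a_a[k].lower() != a_b[k].lower()),
    }


def longest_nonvowel_run(name: str) -> int:
    """Longest run of letters/digits with no vowel. Human-chosen names such as
    'ScanRegistry' keep this short; generated ones ('nvhqpd', '47MSJ2W3J7PQJE')
    do not. It is a ranking aid, not proof: 'YPELIBT' above slips through."""
    best = run = 0
    for ch in name.lower():
        if ch.isalnum() and ch not in VOWELS:
            run += 1
            best = max(best, run)
        else:
            run = 0
    return best


def file_stem(cmd: str) -> str:
    """'"C:\\X\\hcm.exe" -w' or 'C:\\WINDOWS\\SYSTEM\\nvhqpd.exe' -> file name
    without extension, arguments dropped."""
    path = cmd[1:].split('"', 1)[0] if cmd.startswith('"') else cmd.split()[0]
    return path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]


def triage_autostarts(autostarts: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Entries not on the allowlist whose key or file name looks generated."""
    flagged = []
    for key, cmd in autostarts.items():
        name = key.split("/", 1)[1]
        if name in KNOWN_GOOD:
            continue
        if longest_nonvowel_run(name) >= RANDOM_RUN:
            flagged.append((key, cmd, f"random-looking key name {name!r}"))
        elif longest_nonvowel_run(file_stem(cmd)) >= RANDOM_RUN:
            flagged.append((key, cmd, f"random-looking file name {file_stem(cmd)!r}"))
    return flagged


if __name__ == "__main__":
    for what, items in diff_logs(LOG_BEFORE, LOG_AFTER).items():
        print(what, *items, sep="\n  ")
    print("triage (second log):")
    for key, cmd, why in triage_autostarts(parse_hjt(LOG_AFTER)[1]):
        print(f"  {key} -> {cmd}  [{why}]")
```

On the excerpts the diff reports the two new SYSTEM-folder processes and the 47MSJ2W3J7PQJE value change from NuaK63H.exe to RsaQs5.exe, and triage ranks that entry, oluvwnwl and afrkxuf (via its nvhqpd.exe file) first; the moderator's fix list below is still the verdict, the script only orders the reading.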
     
  4. ZeldaManiac44

    ZeldaManiac44 Registered Member

    Before I forget there's one last thing I need to say, you see the spyware infections have still been coming just about every time I log on to the Internet, I know I shouldn't be on the Internet at all after the PC crashed, but it's the only way to get help.

    Well, anyways, the spyware infections don't come so often like they used to, but when they come now, they come in bigger quantities than ever, like 40 at a time! And a lot of the variants appearing are ones that I either haven't seen in a while, or ones that are new, and I haven't seen ever.

    There's been *Apropos, InternetOptimizer, *n-CASE (a.k.a msbb.exe), MoneyTree, Multidial, *ClientMan, *PowerScan, IstBar, SideSearch, Slotchbar, TeenXXX (a.k.a TinyBar), BlazeFind, OutWar Downloader, PopupStop, Twain-Tech, VCatch and vX2-Transponder.

    And all of those are just to name a few! The ones I put an “*” in front of are variants that I've encountered in the past, all others are new to me. n-CASE, for one, isn't a surprise though, I'm a NetZero user, and NetZero is notorious for infecting with that variant. . . Problem was we didn't know that when we set up an account with NetZero, uggh!

    But the worst [online] attack I ever had on my system was on June 9th, 2004.

    What happened was the computer just froze up during an online session, and there were some signs indicating a hacking in progress. I’m not sure how to explain it, but I guess you could say it’s happened so many times before that there’s no mistaking it!

    I switched the PC off. . . When it booted up again one of the strangest things happened: I entered the password corresponding to the Windows User, and so the objects began to load, starting with the Desktop icons and finishing with the small icons on the far right of the taskbar. But just when it stopped, a dialogue appeared stating, “This program performed an illegal operation”; you’ve seen these before, right? Well then you must know that, for whatever reason, as soon as you close this window, the program you had open at the time will close as well (usually making you lose any unsaved work).

    Yeah, only there weren’t any programs open, just the basic interface -- the Desktop -- and if you can try to imagine, the Desktop was what closed when I closed the dialogue. To reiterate, everything sort of rewound itself, so all the taskbars, items, icons, etc. that had just loaded disappeared, leaving nothing but empty wallpaper.

    I thought hard about what could’ve caused this. CoolWWWSearch comes in a spyware variant that, quite nastily enough, stops you from using any anti-spyware apps, only this wasn’t just a program that I was being prevented from using -- it was my whole system!

    So I tried again [to boot-up] this time I rushed to access a diagnostic utility, in this case it was Webroot's Spysweeper, and even though I launched it the “illegal operation” dialogue still appeared, but there was a big difference: Spysweeper remained. I figured whatever had infected me earlier was probably executing this thing on purpose, but for some reason this scam didn’t work on programs you launch yourself, but rather, on autostarting programs. So I ran a sweep of the system, to find very unpleasant results, including 10 adware entries, 3 of which I can call new, but worst of all a Trojan horse called 2nd Thought. It’s spyware, but considered a Trojan nonetheless, my money is on it for having caused the aforesaid glitch at startup.

    To make a long story short, I had to work hard, but I seemingly got rid of it, along with its less threatening adware buddies. I've downloaded SpywareBlaster 3.1 in hopes that it will provide some kind of prevention against something like that happening again.
     
  5. ZeldaManiac44

    ZeldaManiac44 Registered Member

    Just a quick question, because on June 11th, 2004 (the day after that violent attack) I ran both Spybot (1.3) and CWShredder (1.59.0) to find several traces of the CoolWWWSearch Trojan; CWShredder even indicated to me that my Windows Media Player executable was infected/corrupted by a CWS variant, so I had to re-install that. But what concerns me more is how this CWS got on my system and how I can prevent it from happening again. I looked into this, and CWShredder said it frequently enters through a common exploit in the Microsoft VM for Java, and that there’s a patch available for this, and then I was referred to this article:

    http://www.microsoft.com/technet/security/bulletin/ms03-011.mspx

    I followed all the instructions in this article, such as how to see if my version of Microsoft VM was vulnerable to the exploit, as it turns out, only Microsoft VM build 5.00.3809 or lower builds are prone to the flaw, but mine is build 5.00.3810, so I should be OK, but then how did CWS infect me? Can anyone explain that?

    Also, just for the record, this entry from my HJT logs:

    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present

    I know it says restrictions are present in the Registry for the Internet Options/IE Control Panel, but it's not something I would worry about, because I'm sure it was caused by my own commands: I checked the option in Spybot S&D making it so the IE Control Panel can't be accessed from within.
     
  6. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    There are no obvious signs of CWS there, but you do have a few other hijackers; amongst them is the Peper trojan.

    Start by downloading & running the peper trojan removal tool from the spykiller website in my signature, You must be online and connected to the internet while running it. It will flash up, say downloading temp files then close with no warning. That means it is done.
    Reboot
    then
    Run hijackthis, tick these entries listed below and ONLY these entries, double check to make sure, then make sure all browser & email windows are closed and press fix checked


    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
    O2 - BHO: (no name) - {0B90AA1B-F649-44C3-9FD3-736C332CBBCF} - (no file)
    O3 - Toolbar: (no name) - {014DA6C9-189F-421a-88CD-07CFE51CFF10} - (no file)
    O4 - HKLM\..\Run: [47MSJ2W3J7PQJE] C:\WINDOWS\SYSTEM\RsaQs5.exe
    O4 - HKLM\..\Run: [oluvwnwl] C:\WINDOWS\oluvwnwl.exe
    O4 - HKLM\..\Run: [afrkxuf] C:\WINDOWS\SYSTEM\nvhqpd.exe
    O4 - HKLM\..\Run: [YPELIBT] C:\WINDOWS\SYSTEM\YPELIBT.exe
    O4 - Startup: PowerReg SchedulerV2.exe
    O4 - User Startup: PowerReg SchedulerV2.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present



    Reboot into safe mode by following instructions here: http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406
    then as some of the files or folders you need to delete may be hidden do this:
    Open Windows Explorer & Go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and untick "hide extensions for known file types" . Now click "Apply to all folders"
    Click "Apply" then "OK"

    Delete these files

    C:\WINDOWS\SYSTEM\RsaQs5.exe
    C:\WINDOWS\oluvwnwl.exe
    C:\WINDOWS\SYSTEM\nvhqpd.exe
    C:\WINDOWS\SYSTEM\YPELIBT.exe
    C:\WINDOWS\SYSTEM\HPRBFOZ.EXE
    C:\WINDOWS\SYSTEM\YZD84.EXE

    then select EVERYTHING in C:\windows\temp except temporary internet files, cookies and history folders and delete all that as well

    1) Open Control Panel
    2) Click on Internet Options
    3) On the General Tab, in the middle of the screen, click on Delete Files
    4) You may also want to check the box "Delete all offline content"
    5) Click on OK and wait for the hourglass icon to stop after it deletes the temporary internet files
    6) You can now click on Delete Cookies and click OK to delete cookies that websites have placed on your hard drive

    then
    Reboot normally &

    Download and unzip or install these programs/applications if you haven't already got them. If you have them, then make sure they are updated and configured as described

    Spybot - Search & Destroy from http://security.kolla.de
    AdAware 6 from http://www.lavasoft.de/support/download


    Run Spybot S&D

    After installing, first press Online, press search for updates, then tick the updates it finds, then press download updates. Beside the download button is a little down pointed arrow, select one of the servers listed. If it doesn't work or you get an error message then try a different server

    Next, close all Internet Explorer and OE windows, press 'Check for Problems', and have SpyBot remove all it finds that is marked in RED.

    then reboot &

    Run ADAWARE

    Before you scan with AdAware, check for updates of the reference file by using the "webupdate".
    the current ref file should read at least 01R326 01.07.2004 or a higher number/later date
    Then ........

    Make sure the following settings are made and on -------"ON=GREEN"
    From main window :Click "Start" then " Activate in-depth scan"

    then......

    click "Use custom scanning options>Customize" and have these options on: "Scan within archives" ,"Scan active processes","Scan registry", "Deep scan registry" ,"Scan my IE Favorites for banned URL" and "Scan my host-files"

    then.........

    go to settings(the gear on top of AdAware)>Tweak>Scanning engine and tick "Unload recognized processes during scanning" ...........then........"Cleaning engine" and "Let windows remove files in use at next reboot"

    then...... click "proceed" to save your settings.

    Now to scan it's just to click the "Scan" button.

    When the scan is finished, mark everything for removal and get rid of it. (Right-click the window and choose "select all" from the drop down menu) then press next and then say yes to the prompt, do you want to remove all these entries.

    reboot again

    then post a new hijackthis log to check what is left
     
  7. ZeldaManiac44

    Hello dvk01,

    First off, I want to thank you for posting to my thread and helping me out with my troubles. It's been almost a month and a half since my PC crashed on May 13th, and from what I've gathered there's been a bunch of spyware and other malicious things roaming around since then, so it's nice to finally make some progress and eliminate a great deal of them.

    I did this first as you told me, but I can't help but notice a peculiar title of the window that came up, it said "MemoryWatcher: Installing Files". This must be a mistake, it wasn't really trying to infect me with the MemoryWatcher variant was it? Tell me if this is something to be concerned about, or if it's a false alarm.

    I checked exactly the above entries in HijackThis -- except for one difference, the [47MSJ2W3J7PQJE] entry wasn't there anymore, I'd imagine that it was the Peper Trojan, and was removed by the utility you recommended.

    If I may, what were the other entries called, and how can I prevent them from reinfecting? This is standard procedure for me, I always keep a record of every spyware that's ever infected me, usually so I can search for preventative measures. In this case, as you must know, it's a special one, because what needs to be done here is to find out what's causing my display errors, which arose after the crash, you haven't forgotten about this, hmm?

    Just so you know, I always keep those settings that you stated in my Folder Options, because at least that way, spyware-installers can't sneak up on me by giving their files hidden attributes.

    I did not find these three files in Safe Mode, so therefore I could not delete them.

    C:\WINDOWS\oluvwnwl.exe
    C:\WINDOWS\SYSTEM\RsaQs5.exe
    C:\WINDOWS\SYSTEM\YPELIBT.exe

    However, I did find this one:

    C:\WINDOWS\SYSTEM\nvhqpd.exe

    It seems to have been created as callinghome.biz, I'm not quite sure if that's the original [internal] filename, or if callinghome.biz is the website of the developer, but if I'd have to guess, I'd say the latter.

    I also found the other two:

    C:\WINDOWS\SYSTEM\HPRBFOZ.EXE
    C:\WINDOWS\SYSTEM\YZD84.EXE

    Yeah, they seem to be twin programs that work in conjunction, although it doesn't look that way at first sight. . . They actually have the same internal filenames of Kern32.exe, obviously a spyware variant, but can you tell me any more about it?

    And as I was deleting those files that I just specified, I came across these four:

    C:\WINDOWS\SYSTEM\Twain_32.dll
    C:\WINDOWS\SYSTEM\TwnLib20.dll
    C:\WINDOWS\SYSTEM\TwnPRO20.dll
    C:\WINDOWS\SYSTEM\TXDMM.exe

    Now the first three in the list have properties indicating they very well might be made by TwainTech, you've heard of TwainTech before haven't you? It's a rather well-known spyware-classified variant, I've had it before in the past. My only problem with deleting these is that I can't determine if it's trying to fool me, or if it's actually the program extension that works together with my HP ScanJet, because there's a folder in C:\WINDOWS that's called Twain_32 only it contains two files that are essential components for my HP ScanJet.

    The very last item on the list is TXDMM.exe and its internal filename, or product name is "actulice" while its company's name is "thunderdome". If you re-trace my posts you will see where I've mentioned the fact that this very same entry once appeared in HijackThis, but doesn't anymore, so is it a threat, or isn't it?

    Just to be sure, you did read all my posts, no? Because I mentioned several times that I have Spybot, how else would I access the TeaTimer? And you acted as though you weren't sure if I had SB or AA or any program.

    I have to note that I tried updating Spybot via the integrated "Update" feature, but I was not successful, when I tried setting up an active Internet connection to do it, my entire system just froze up. This wouldn't be the first time this has happened when attempting to update SB, once before I kept getting a "Parameter is incorrect" dialogue, but I don't believe it's ever worked successfully. I don't think it's anything on my system really, it's probably a glitch in Spybot, it would happen in 1.2 as well.

    So I scanned with one of my other spyware-removal programs -- Webroot's SpySweeper. It picked up the following entries:

    IstBar
    PowerScan
    Slotchbar
    TeenXXX (TinyBar)

    All of which I've encountered countless times in the past -- they just don't seem to leave me alone! After doing that I scanned with SB, and found nothing, that isn't really surprising since I'd just passed SpySweeper there wasn't anything for Spybot to find.

    I downloaded Ad-Aware 6 like you told me, and I didn't have it before. I followed all of those last steps to the point, and found 62 entries with Ad-Aware when I was done, among them were CWS at least six different times, and bunches of familiar faces for me, ones whom I was definitely not happy to see. :mad: These nasties included PeopleOnPage, MemoryWatcher by the dozens, tons of Ezula/I-lookup, and to top it all off Euniverse, another who I've eliminated before.
     
  8. ZeldaManiac44

    Just remember, I primarily started this thread to fix whatever it is that's going on with my monitor, or with the monitor's device drivers, because as you must realize this prevents me from accessing several of my programs, most importantly System Mechanic 4.0i, which in turn might help me along some more. My PC's in a damaged state no doubt. If you follow that link which you provided earlier to show me how to boot into Safe Mode, then you'll find a description of Safe Mode: it boots with only the necessary files to run the OS, and so you generally see a low-res quality in the display of Safe Mode. My problem, if you recall, was that my computer crashed, and the next day it booted into Safe Mode, indicating something malicious was afoot; heck, I'm just glad I didn't lose any data.

    For some reason when I overrode the PC to boot into Normal Mode instead, the same low color palette and low-res visuals were maintained no matter which mode I was in, so you see my problem? :doubt:

    Look, if you haven't read this thread fully, please go back and do so. Since the bulk of the baddies are gone we can start concentrating on finding a solution for the display problem. This would help, seeing as how I'd finally have my system in its correct state.

    Here is the HijackThis log that you asked me for, but there doesn't seem to be anything else left in terms of spyware modules.


    Logfile of HijackThis v1.97.7
    Scan saved at 1:14:41 AM, on 7/4/04
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\MOUSE\SYSTEM\EM_EXEC.EXE
    C:\DMI\BIN\NODEMNGR.EXE
    C:\WINDOWS\SYSTEM\STIMON.EXE
    C:\PROGRAM FILES\WEBROOT\SPY SWEEPER\SPYSWEEPER.EXE
    C:\PROGRAM FILES\IOLO\SYSTEM MECHANIC 4\POPUPSTOPPER.EXE
    C:\PROGRAM FILES\SPYBOT - SEARCH & DESTROY\TEATIMER.EXE
    C:\PROGRAM FILES\KODAK\KODAK EASYSHARE SOFTWARE\BIN\EASYSHARE.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\WINDOWS\SYSTEM\RPCSS.EXE
    C:\WINDOWS\SYSTEM\RNAAPP.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\WINDOWS\SYSTEM\TAPISRV.EXE
    C:\PROGRAM FILES\HIJACKTHIS!\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://my.netzero.net/s/search?r=minisearch
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://my.netzero.net/s/search?r=minisearch
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://my.netzero.net/s/search?r=minisearch
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://my.netzero.net/s/search?r=minisearch
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://my.netzero.net/s/search?r=minisearch
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://my.netzero.net/s/search?r=minisearch
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
    R3 - URLSearchHook: URLSearchHook Class - {37D2CDBF-2AF4-44AA-8113-BD0D2DA3C2B8} - C:\PROGRAM FILES\NZSEARCH\SEARCHENH1.DLL
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
    O2 - BHO: (no name) - {0B90AA1B-F649-44C3-9FD3-736C332CBBCF} - (no file)
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
    O4 - HKLM\..\Run: [Disknag] C:\DELL\DISKNAG.EXE
    O4 - HKLM\..\Run: [TCASUTIEXE] TCAUDIAG.EXE -off
    O4 - HKLM\..\Run: [AtiCwd32] Aticwd32.exe
    O4 - HKLM\..\Run: [AtiKey] Atitask.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [EM_EXEC] c:\mouse\system\em_exec.exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [NodeMngr] C:\DMI\bin\NodeMngr.exe
    O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SPYSWEEPER.EXE" /0
    O4 - HKCU\..\Run: [System Mechanic Popup Stopper] "C:\PROGRAM FILES\IOLO\SYSTEM MECHANIC 4\POPUPSTOPPER.EXE"
    O4 - HKCU\..\Run: [spc_w] "C:\Program Files\NZSearch\hcm.exe" -w
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\PROGRAM FILES\SPYBOT - SEARCH & DESTROY\TeaTimer.exe
    O4 - Startup: EPSON Status Monitor 3 Environment Check.lnk = C:\WINDOWS\SYSTEM\E_SRCV03.EXE
    O4 - Startup: Software Kodak EasyShare.lnk = C:\Program Files\KODAK\Kodak EasyShare software\bin\EasyShare.exe
    O4 - User Startup: EPSON Status Monitor 3 Environment Check.lnk = C:\WINDOWS\SYSTEM\E_SRCV03.EXE
    O4 - User Startup: Software Kodak EasyShare.lnk = C:\Program Files\KODAK\Kodak EasyShare software\bin\EasyShare.exe
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O9 - Extra button: Dell Home (HKCU)
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {BAC01377-73DD-4796-854D-2A8997E3D68A} (Yahoo! Photos Easy Upload Tool Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/ydropper/ydropper1_1us.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?38077.6255787037
     
  9. ZeldaManiac44

    Hello again. ;)

    It's been a while since I've posted here, or since anyone's posted here. . . That's understandable seeing as how lots of people need help besides myself, but I hope this can be fixed soon.

    Right now I want to provide a progress report of the problems with my monitor, I recently communicated with my Computer Analyst friend, and she told me the following.

    I spoke with my friend for a good while, the above quote condenses what she said, and this is because I wanted to give a brief explanation here. I followed her instructions to the letter, and when I did a search I found four drivers other than my current one, which, by the way, is called Rage Pro Turbo AGP 2X (English). The four alternatives found were ATI 3D Rage Pro (atir3), All-In-Wonder PRO (atir3), Xpert@Play (atir3), and Xpert@Work (atir3). My friend however, gave me this forewarning on the action of changing the drivers:

    I haven’t tried replacing the driver yet, because of the small risk. I do have some methods of recuperating even if I get a black screen like she said; one of these is a Startup Disk that I created in the Add/Remove Programs section of the Windows Control Panel. The disk, which is created using a standard floppy disk, will allow me to access a number of diagnostic tools in MS-DOS mode that could help in the event that I can’t properly launch Windows 98.

    My question here is if there’s anything any expert here [at Wilders Security] can determine about my display resolution problem by looking at the HijackThis logs I’ve presented, because unfortunately my friend doesn’t have any experience with the logs. She is however, very knowledgeable in all areas of computers nonetheless. So in other words is it possible that one of few entries I’ve been told to remove were actually perpetrators of the crash, and/or the computer monitor’s seeming inability to run at peak performance? If there’s any likelihood, then perhaps if a person can tell me what happened exactly to cause it all, then we could deduce from that, a solution that may be easier than replacing the drivers.

    Any advice would be greatly appreciated. :)
     
  10. ZeldaManiac44

    BUMP! B-B-B-B-BUMP!

    Hee-hee-hee! :)
     
  11. ZeldaManiac44

    I need some help right now with a problem that arose both last night and this morning, but I didn’t even realize it was a problem until now.

    As I’ve mentioned, and as you can see in the last HijackThis log I posted, I haven’t been able to access my shareware version of System Mechanic 4.0i, but I have been able to access the PopupStopper utility it comes with. Last night however, the strangest thing happened, because PopupStopper blocks silently, but it [the taskbar icon] does change color to let you know when it’s doing it, and also, if you hover the cursor over the icon, then it will tell you the exact number of ads that have been blocked. So far it had blocked 110 ads (including banner ads) and all of a sudden last night it went crazy! The numbers started going up at insane speeds; I had just logged in to the Internet when I noticed how it was flashing rapidly, and when I hovered by the icon it said 500 pop-ups blocked and counting! I logged off the Internet as fast as I could, by that time the pop-up count had reached 587, what could’ve caused it to shoot up so fast? I restarted and logged back on to the Net and everything seemed OK.

    However, this morning when I turned on the computer it launched itself into Safe Mode, which obviously, would only happen if some sort of malicious new file prevented it from launching in Normal Mode. I recognized this at once and chose to pass HijackThis, and found a couple of entries in the list that seem slightly unusual, one of which is Noou, another is called emsw.exe. I think it’s safe to assume that an attack was waged on my system last night, and the said entries were added without my consent, I fear the worst.

    Having expressed my concern, and the circumstances, here is the HijackThis log of this morning for review:


    Logfile of HijackThis v1.97.7
    Scan saved at 11:14:26 AM, on 7/10/04
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\PROGRAM FILES\HIJACKTHIS!\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.google.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = http://www.google.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\SYSTEM/left.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://my.netzero.net/s/search?r=minisearch
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://my.netzero.net/s/search?r=minisearch
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://my.netzero.net/s/search?r=minisearch
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchAssistant = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm
    R3 - URLSearchHook: (no name) - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - (no file)
    O2 - BHO: (no name) - {0B90AA1B-F649-44C3-9FD3-736C332CBBCF} - (no file)
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
    O4 - HKLM\..\Run: [Disknag] C:\DELL\DISKNAG.EXE
    O4 - HKLM\..\Run: [TCASUTIEXE] TCAUDIAG.EXE -off
    O4 - HKLM\..\Run: [AtiCwd32] Aticwd32.exe
    O4 - HKLM\..\Run: [AtiKey] Atitask.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [EM_EXEC] c:\mouse\system\em_exec.exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [NodeMngr] C:\DMI\bin\NodeMngr.exe
    O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKCU\..\Run: [Noou] C:\WINDOWS\Application Data\ahco.exe
    O4 - HKCU\..\Run: [emsw.exe] C:\WINDOWS\emsw.exe
    O4 - HKCU\..\Run: [HELPEXP.EXE] C:\Program Files\Alset\HelpExpress\Default\Client\HelpExp.exe
    O4 - HKCU\..\Run: [HXIUL.EXE] C:\Program Files\Alset\HelpExpress\Default\HXIUL.EXE
    O4 - HKCU\..\Run: [uoltray] C:\PROGRAM FILES\NETZERO\EXEC.EXE regrun
    O4 - Startup: EPSON Status Monitor 3 Environment Check.lnk = C:\WINDOWS\SYSTEM\E_SRCV03.EXE
    O4 - Startup: PowerReg SchedulerV2.exe
    O4 - Startup: Software Kodak EasyShare.lnk = C:\Program Files\KODAK\Kodak EasyShare software\bin\EasyShare.exe
    O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O9 - Extra button: Dell Home (HKCU)
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {BAC01377-73DD-4796-854D-2A8997E3D68A} (Yahoo! Photos Easy Upload Tool Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/ydropper/ydropper1_1us.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?38077.6255787037


    As you can see by looking at the running processes, there are very few of them. This of course is consistent with the fact that Safe Mode does not load all processes other than the OS-based ones. Something that puzzles me though, is that I’m able to access the Internet at all in Safe Mode, which is exactly what I’m doing to post this here. I don’t think the Winsock is supposed to be loaded in Safe Mode, but for some reason my system has an indifference to this rule. Can anyone comment?
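    An added example, not part of this thread and not a feature of HijackThis: the script below does in code what a helper does by eye when a fresh log is posted. It parses two HijackThis logs into their item lines, reports which items appeared or disappeared between the two scans, and attaches a couple of defender-side hints (orphaned entries whose file is missing, and autostart entries loading from a user profile data folder). The two sample logs are constructed, abridged excerpts of the 7/4/04 and 7/10/04 logs posted above; the section codes (R1, R3, O2, O4) are HijackThis's own, while the hint wording and the helper names are assumptions made for this example.

```python
"""Compare two HijackThis logs and list what changed between scans.

Added example for this thread; the sample logs below are abridged, constructed
excerpts of the two logs posted in the thread, not complete copies.
"""
import re
from dataclasses import dataclass
from typing import List, Tuple

# A HijackThis item line: a section code, " - ", then the entry body, e.g.
#   O4 - HKCU\..\Run: [Noou] C:\WINDOWS\Application Data\ahco.exe
# Header lines ("Logfile of ...", "Running processes:") and bare process
# paths do not match this pattern and are skipped.
ITEM_RE = re.compile(r"^(?P<section>[A-Z]\d+) - (?P<body>.+)$")


@dataclass(frozen=True)
class HjtItem:
    section: str  # "R1", "O2", "O4", ...
    body: str     # everything after the section code


def parse_hjt(text: str) -> List[HjtItem]:
    """Return the item lines of a log, ignoring headers and the process list."""
    items = []
    for raw in text.splitlines():
        m = ITEM_RE.match(raw.strip())
        if m:
            items.append(HjtItem(m["section"], m["body"]))
    return items


def diff_logs(old_text: str, new_text: str) -> Tuple[List[HjtItem], List[HjtItem]]:
    """(added, removed): items only in the newer log / only in the older log."""
    old, new = set(parse_hjt(old_text)), set(parse_hjt(new_text))

    def key(it: HjtItem):
        return (it.section, it.body)

    return sorted(new - old, key=key), sorted(old - new, key=key)


def review_hints(item: HjtItem) -> List[str]:
    """Defender-side review hints for one item. These two heuristics are
    assumptions chosen for this example, not HijackThis's own classification."""
    hints = []
    if "(no file)" in item.body:
        hints.append("orphaned entry: the registered component's file is missing")
    if item.section == "O4" and "Application Data" in item.body:
        hints.append("autostart from a user profile data folder, unusual for installed software")
    return hints


def report(old_text: str, new_text: str) -> List[str]:
    """Human-readable change report, one line per added or removed item."""
    added, removed = diff_logs(old_text, new_text)
    lines = []
    for it in added:
        note = "; ".join(review_hints(it))
        lines.append(f"+ {it.section} - {it.body}" + (f"   <-- {note}" if note else ""))
    for it in removed:
        lines.append(f"- {it.section} - {it.body}")
    return lines


# Constructed, abridged excerpt of the 7/4/04 log.
OLD_LOG = r"""
Logfile of HijackThis v1.97.7
Scan saved at 1:14:41 AM, on 7/4/04

Running processes:
C:\WINDOWS\EXPLORER.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://my.netzero.net/s/search?r=minisearch
R3 - URLSearchHook: URLSearchHook Class - {37D2CDBF-2AF4-44AA-8113-BD0D2DA3C2B8} - C:\PROGRAM FILES\NZSEARCH\SEARCHENH1.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O2 - BHO: (no name) - {0B90AA1B-F649-44C3-9FD3-736C332CBBCF} - (no file)
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKCU\..\Run: [spc_w] "C:\Program Files\NZSearch\hcm.exe" -w
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\PROGRAM FILES\SPYBOT - SEARCH & DESTROY\TeaTimer.exe
"""

# Constructed, abridged excerpt of the 7/10/04 log.
NEW_LOG = r"""
Logfile of HijackThis v1.97.7
Scan saved at 11:14:26 AM, on 7/10/04

Running processes:
C:\WINDOWS\EXPLORER.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\SYSTEM/left.html
R3 - URLSearchHook: (no name) - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - (no file)
O2 - BHO: (no name) - {0B90AA1B-F649-44C3-9FD3-736C332CBBCF} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKCU\..\Run: [Noou] C:\WINDOWS\Application Data\ahco.exe
O4 - HKCU\..\Run: [emsw.exe] C:\WINDOWS\emsw.exe
O4 - HKCU\..\Run: [uoltray] C:\PROGRAM FILES\NETZERO\EXEC.EXE regrun
"""

if __name__ == "__main__":
    print("\n".join(report(OLD_LOG, NEW_LOG)))
```

    Run it as-is and the report lists the three new HKCU Run entries, the changed Search Bar value and the new orphaned URLSearchHook, with hints on the Noou and URLSearchHook lines; the unchanged "(no file)" BHO is in both logs and so is not reported. The removed list is worth reading too: in these excerpts the Spybot TeaTimer autostart entry is absent from the second log. The same comparison works on the full logs, and the process list is deliberately ignored because it differs between Safe Mode and Normal Mode scans.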
     
  12. ZeldaManiac44

    I've rebooted my system and it launched in Normal Mode this time, I still don't know what to do with the two suspicious entries though.

    Also, I want to nix the nzsearch/NetZero minisearch from my start/search page entries, and any accompanying files. So can someone please confirm for me what exactly I should delete?

    And just as a reminder, there's still that monitor problem that I need to get fixed.
     
  13. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    Hi,

    Seems like you could have an upcoming hardware problem, I'd backup your data on that hard drive.

    As for the monitor, do you mean the resolution ? Once you are in normal mode again just set it back to what it should be. If you cant then reinstall the drivers, and check the device manager to see if your hardware is all working correctly. I do think you have a hardware problem which we cant help with :(
     
  14. ZeldaManiac44

    You didn't read this whole thread/topic did you? I don't blame you, actually I think the reason my thread hasn't been getting so many responses is because of its above-average length, but you must understand, everything I've said is necessary. So, I must encourage you to read the 7th post of this thread, if you haven't done so already. Afterwards, read all of the subsequent posts in succession, I'm asking this of you since those posts will help you to get the gist of it all much better, and will be less time consuming than re-reading this thread from the beginning.

    Also, can you tell me if there's anything I should delete in the HJT log I posted just before your post?

    What makes you say there's likelihood of a hardware failure in the near future? And I don't have a secure way to backup my data; I have no CD-Burner, and no ZIP Disk Drive.

    I suppose that leaves only the option of backing up my files by copying them to the Internet. I can think of a few places where this could be done, one of them is Google's innovative new Gmail, which offers a whopping 1GB of storage space, more than enough for my data. But finding a place on the Internet to copy it to isn't the problem, what's an issue is my laughable connection speed of 26.5Kbps, yes, I use dial-up, but it still shouldn't be this slow. My modem's a 56K Data Fax Modem, so I know it can do better -- and at one point, it has -- but because of all the spyware-infection in the past it seems to have damaged my Internet connection speed. Keep in mind that spyware uses your Internet connection to download a wide array of things to boost their pop-up ads, and this includes high-bandwidth content.

    As for your suggestion of simply changing the settings back to the originals, that's what led me to inquire whether you read everything I've said, because an integral and very perplexing aspect of this topic is that I've tried just that time and time again to no avail, regardless of whatever mode the computer is in at the time.

    It made me wonder if there's a malicious auto-loading Registry entry (Global Startup) that re-applies the low settings, respectively, at each Startup.

    But I've also tried ticking the preference of "Apply new colors without restarting" under the Advanced button of Settings in the Display Control Panel. And it still refuses to change under any circumstances, which kind of rules out the above theory.

    You told me to "Reinstall the drivers"; can you be more specific about that? Do you mean reinstall the factory-default device drivers, using the Windows 98 Restore Disc or a similar method?

    If not, I'm not sure what you mean because most devices, whether monitor, printer, or scanner, you simply plug them in and the drivers are created automatically, hence the term "Plug-and-Play".

    Lastly, about the Device Manager, one of the things my Analyst friend told me to look into was the Device Manager and it said everything was working fine in the case of the Display Adapter, the driver etc. It's very weird, because there's obviously something wrong, but there were some driver-specific Diagnostic Tools that could be of use, I'll check those out in a bit. However, I think the most simple thing right now could very well be replacing the driver with one of my other four, but nobody's given feedback on how that will affect everything, or how good an idea it might be. What do you think?
     
    Last edited: Jul 12, 2004
  15. bigc73542

    bigc73542 Retired Moderator

    Joined:
    Sep 21, 2003
    Posts:
    23,873
    Location:
    SW. Oklahoma
    I have read all of your posts and the replies. Have you manually changed the resolution back to where it was before the crash? If not I would try it and see what happens. If it will not manually reset for you then I would have to agree that it is probably a hardware failure in the making.
     
  16. ZeldaManiac44

    In answering your question, I'm assuming that by 'manually' you mean going into the Display Properties, the Settings tab, and the Screen Area (Pixels) option, am I correct in saying that?

    That's the only resolution setting that I know of, unless you're talking about the Color Palette setting, which is similar. The Color Palette setting is just to the left of the Screen Area section, in the Colors section of the Settings tab. This is the same Color Palette that currently reads 16 Colors for mine. Now, if we were to speak about this in question, then at this time, it's not possible for me to place the Color Palette at its setting from before the crash, because that would mean I'd have to place it at True Color (32Bit) and that setting is no longer available!

    Okay, if you're referring to the Screen Area Pixels as I suspected before, then that Setting seemingly works in harmony with the aforementioned Colors/Color Palette Setting. Allow me to explain, the Colors section currently offers the following selections -- 16 Colors, 256 Colors, and High Color (16Bit). The parallel Screen Area section (to the right) offers the selections of 640x480 Pixels, 800x600 Pixels, and 1024x768 Pixels.

    Now, as I've indicated countless times, any attempt at moving the option in Colors to anything other than 16 Colors, under any circumstances, will simply default back when I press 'OK' and reopen the Dialogue, just as if I'd never touched it. The same applies to the Screen Area settings, it stays at 640x480, and when I move it to the right one setting to read 800x600, the Colors automatically move up one setting as well, to read 256 Colors. If I go further along the Screen Area bar, changing it to 1024x768, then the Colors remain at 256, and continue to remain, even if I move the Screen Area bar all the way back to 640x480.

    Did you get all that? And yes, just to be very clear, whatever changes that I make are seemingly not saved when I press 'OK' and/or when I press 'Apply', and then 'OK'. So that means the Screen Area always defaults back to 640x480.

    In retrospect, I can't change the Colors to their originals since the True Color (32Bit) selection no longer exists, this could very well be because of a hardware problem as you said, my analyst friend seems to lean toward it being caused by a driver malfunction though, but she's not ruling all else out, because it's a very strange occurrence that she's never witnessed before. And the Screen Area resolution can't be changed without defaulting back, and yes, the Colors have always defaulted back as well, whenever I try to put something other than 16 Colors.

    The thing isn't whether it's hardware or software related, it's what caused that error/malfunction in the first place, which, obviously also had a role in the crash. Just for the record my monitor is a Dell M780 model running on a Rage Pro Turbo AGP 2X (English), and I know that it's capable of True Color (32Bit) but for some reason won't run at peak performance, it's so frustrating! :doubt:

    And I was also hoping that you -- or anybody for that matter -- would finally tell me what to do with the last HijackThis log I posted, is there anything that should be deleted? Remember that's the one where I explain how the Pop-Up Blocker went crazy the night before the PC decided to launch in Safe Mode which was this past Saturday (the 10th of July) thus indicating that perhaps if there was an attack on the system the night before, that presence was now wreaking havoc. If that is in fact what happened then you can obviously see why I need to remove whatever that is before it can wreak any more havoc.
     
    Last edited: Jul 15, 2004
  17. bigc73542


    I am going to have to go with Gavin's diagnosis. I am not a HJT expert so I won't comment on what I see there as it could be my lack of expertise in that area that would give you faulty information. But I would definitely check into my video hardware and drivers first.
     
  18. ZeldaManiac44

    I understand. I suppose I'll just ask Gavin, or any other Spyware Fighter, etc. to provide advice on the HJT log.

    Also, I apologize for not replying to this thread for so long. I've hardly been on the computer at all, and that's probably best; you know what they say -- the only secure computer is one that's turned off, or unplugged. A personal problem arose that had me occupied for most of last week, and into this one. I'll try to keep up-to-date with this thread now, though.
     
  19. ZeldaManiac44

    ZeldaManiac44 Registered Member

    Joined:
    Jun 30, 2004
    Posts:
    56
    Location:
    TX, United States.
    Hello there, just wanted to give a brief update here.

    Unfortunately some problems arose with the payments received/not received by my ISP, and so now they've seemingly deactivated my account. To make a long story short, I no longer have Internet access from my PC. :doubt:

    I'm still able to post here/check my threads because I've come to my local library to use the Internet.

    There isn't much that this changes in terms of the display issues, and/or any other issues that my PC has; the only disadvantage now is that I can't download things to my computer at home.

    I hope to buy a ZIP disk drive soon, so that I can back up all my files like you've recommended. I have to ask, though: is it a good idea for me to install a new drive, namely this ZIP drive, to my PC when it's in such a damaged state?

    Please reply with an answer as soon as possible, thanks.
     
  20. ZeldaManiac44

    ZeldaManiac44 Registered Member

    Joined:
    Jun 30, 2004
    Posts:
    56
    Location:
    TX, United States.
    BUMP, BUMP!
     
  21. ZeldaManiac44

    ZeldaManiac44 Registered Member

    Joined:
    Jun 30, 2004
    Posts:
    56
    Location:
    TX, United States.
    I don't know if I've told you guys this, but I tried using the driver-specific Diagnostics Tools that are in the Windows Device Manager, the same ones I mention in the final paragraph of this post (the 14th of this thread).

    I tried all of the Diagnostics Tools available and I got a 'check' on all of them; in other words, I passed all of those tests. The tests I conducted included a Memory Read/Write Test, DAC Read/Write Test, Linear Aperture Memory Pattern Test, and a Linear Aperture Byte Lane Test. There were no other tests available for me to conduct. From what I gather from that, it seems as though the Device Driver does not know that it's damaged; I'm sure if it did, it would try to repair itself, no?

    You both agree in unison that it's likely a hardware problem, and that it's a very good idea to back up the data that I need. Once again, although I have not yet purchased a ZIP Disk Drive to do just that, I would really like to know before I purchase it whether installing new hardware would worsen the problem, seeing as how you said it all comes down to hardware. The thing is, if I buy it and it doesn't work, or if it causes my computer to crash, I'll be $100 short, since that's how much a ZIP Disk Drive costs around here.

    I'd appreciate it if you could give a response on that issue, thank you.
     
    Last edited: Aug 2, 2004
  22. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    CD burners are very cheap these days, wouldn't that be best?

    I don't know how we can help you further, as much as we would like to! :(
     
  23. ZeldaManiac44

    ZeldaManiac44 Registered Member

    Joined:
    Jun 30, 2004
    Posts:
    56
    Location:
    TX, United States.
    I'm not trying to be a pain, I only asked one question: will installing a write-to device, whether it is a ZIP Disk Drive or a CD-R (burner), cause any trouble with my computer in its already-damaged state?

    I'm sorry if that annoys you in some way, but if it helps, try to look at it as an issue separate from the main one.
     
  24. snapdragin

    snapdragin Administrator

    Joined:
    Feb 16, 2002
    Posts:
    8,415
    Location:
    Southern Ont., Canada
    Hi ZeldaManiac44,

    I have read through your thread (yes, it is quite long and involved) and it seems to me that you have acquired even more problems since your last log, with your recent report that you have been disconnected by your ISP, which makes it difficult to continue any kind of spyware removal advice, as we would need to see a more recent HijackThis log (and with the newest version of HijackThis, which is 1.98.1).

    Please also realize that you are in the adware, spyware, hijack cleaning forum, and the staff that can reply to your questions in this particular forum are Spyware Fighters that deal mainly with spyware/malware removal. You may have already read in our Announcement at the top of the forum, that this specific subforum will be closing soon.

    For the other hardware issues or suggestions, it would be better for you to open a new topic in our Software & Services forum, where other knowledgeable members will be able to reply with helpful suggestions.

    If you would like to post another hijackthis log here for a last review before the hijack cleaning forum is permanently closed, please use the newest version of Hijackthis, which can be downloaded to a floppy from this link: https://www.wilderssecurity.com/showthread.php?t=12516 and post it here in this thread (do not post it anywhere else in the forum please).

    Regards,

    snap
     
  25. ZeldaManiac44

    ZeldaManiac44 Registered Member

    Joined:
    Jun 30, 2004
    Posts:
    56
    Location:
    TX, United States.
    Snapdragin, thank you very much for posting in my thread. :)

    May I ask why the Spyware/Hijack Cleaning board has been closed here at Wilders Forums? This is one of the most well-known online forums for Spyware Assistance, why would the administrators decide to close it?

    I downloaded the most recent version of HijackThis to a floppy like you instructed. I went home, made a log, then came back to post it here on this thread. You can see it below.

    Also, on a more minor note, when you are finished reviewing my log, could you lock this thread instead of deleting it? That way when I start a thread in the Software and Services board, I can have people refer to this one for more information.


    Logfile of HijackThis v1.98.1
    Scan saved at 5:30:22 PM, on 8/5/04
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\MOUSE\SYSTEM\EM_EXEC.EXE
    C:\DMI\BIN\NODEMNGR.EXE
    C:\WINDOWS\SYSTEM\STIMON.EXE
    C:\PROGRAM FILES\WEBROOT\SPY SWEEPER\SPYSWEEPER.EXE
    C:\PROGRAM FILES\IOLO\SYSTEM MECHANIC 4\POPUPSTOPPER.EXE
    C:\PROGRAM FILES\NZSEARCH\HCM.EXE
    C:\PROGRAM FILES\SPYBOT - SEARCH & DESTROY\TEATIMER.EXE
    C:\PROGRAM FILES\KODAK\KODAK EASYSHARE SOFTWARE\BIN\EASYSHARE.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\WINDOWS\FREECELL.EXE
    C:\PROGRAM FILES\HIJACKTHIS!\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://my.netzero.net/s/search?r=minisearch
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://my.netzero.net/s/search?r=minisearch
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://my.netzero.net/s/search?r=minisearch
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://my.netzero.net/s/search?r=minisearch
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://my.netzero.net/s/search?r=minisearch
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://my.netzero.net/s/search?r=minisearch
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
    R3 - URLSearchHook: URLSearchHook Class - {37D2CDBF-2AF4-44AA-8113-BD0D2DA3C2B8} - C:\PROGRAM FILES\NZSEARCH\SEARCHENH1.DLL
    O2 - BHO: (no name) - {0B90AA1B-F649-44C3-9FD3-736C332CBBCF} - (no file)
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
    O4 - HKLM\..\Run: [Disknag] C:\DELL\DISKNAG.EXE
    O4 - HKLM\..\Run: [TCASUTIEXE] TCAUDIAG.EXE -off
    O4 - HKLM\..\Run: [AtiCwd32] Aticwd32.exe
    O4 - HKLM\..\Run: [AtiKey] Atitask.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [EM_EXEC] c:\mouse\system\em_exec.exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [NodeMngr] C:\DMI\bin\NodeMngr.exe
    O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SPYSWEEPER.EXE" /0
    O4 - HKCU\..\Run: [System Mechanic Popup Stopper] "C:\PROGRAM FILES\IOLO\SYSTEM MECHANIC 4\POPUPSTOPPER.EXE"
    O4 - HKCU\..\Run: [spc_w] "C:\Program Files\NZSearch\hcm.exe" -w
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\PROGRAM FILES\SPYBOT - SEARCH & DESTROY\TeaTimer.exe
    O4 - Startup: EPSON Status Monitor 3 Environment Check.lnk = C:\WINDOWS\SYSTEM\E_SRCV03.EXE
    O4 - Startup: Software Kodak EasyShare.lnk = C:\Program Files\KODAK\Kodak EasyShare software\bin\EasyShare.exe
    O4 - User Startup: EPSON Status Monitor 3 Environment Check.lnk = C:\WINDOWS\SYSTEM\E_SRCV03.EXE
    O4 - User Startup: Software Kodak EasyShare.lnk = C:\Program Files\KODAK\Kodak EasyShare software\bin\EasyShare.exe
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - (no file)
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - (no file)
    O9 - Extra button: Dell Home - {6D6E01E0-69DA-11D4-B82C-00B0D077A781} - http://government.dellnet.com/ (file missing) (HKCU)
    O16 - DPF: {BAC01377-73DD-4796-854D-2A8997E3D68A} (Yahoo! Photos Easy Upload Tool Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/ydropper/ydropper1_1us.cab
     
    Last edited: Aug 5, 2004
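A log like the one above is reviewed line by line, and the first pass is mostly structural: which entries point at files that no longer exist, which ones hook IE's search handling, whether every search setting has been pointed at a single host, and which Run entries name a bare executable that the log cannot locate. The following Python script is an added example of that first-pass triage; it is not code from this thread, from Wilders, or from HijackThis. The sample log inside it is constructed to mirror the entry shapes HijackThis v1.98 prints (R0/R1/R3/O2/O4/O9/O16), with placeholder hostnames, paths and CLSIDs, and the reasons it emits are review prompts, not a verdict that any particular program is malicious.

```python
"""Triage a HijackThis (v1.98-style) log: parse each R*/O* entry and flag the
ones a reviewer would look at first.

Added example, not code from the thread and not part of HijackThis. The sample
log below is constructed to mirror the entry shapes HijackThis emits;
hostnames, paths and CLSIDs are placeholders. The flags are structural
heuristics (dead registry references, URL search hooks, one host behind every
search setting, bare filenames in Run keys, web-delivered ActiveX), not a
verdict that any program is malicious.
"""
import re
from collections import Counter
from urllib.parse import urlparse

# Constructed sample, modelled on HijackThis output (not the thread's real log).
SAMPLE_LOG = r"""
Logfile of HijackThis v1.98.1
Platform: Windows 98 SE (Win9x 4.10.2222A)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\PROGRAM FILES\EXAMPLE\HELPER.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.example.net/s/search?r=mini
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.example.net/s/search?r=mini
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://search.example.net/s/search?r=mini
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: URLSearchHook Class - {00000000-0000-0000-0000-000000000001} - C:\PROGRAM FILES\EXAMPLE\SEARCHENH1.DLL
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000002} - (no file)
O4 - HKLM\..\Run: [VideoTray] Vtray32.exe
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O9 - Extra button: Related - {00000000-0000-0000-0000-000000000003} - (no file)
O16 - DPF: {00000000-0000-0000-0000-000000000004} (Upload Tool Class) - http://dl.example.com/installs/tool.cab
"""

# A HijackThis entry is "<section> - <body>", e.g. "R1 - ...", "O4 - ...".
ENTRY_RE = re.compile(r"^(?P<type>[RO]\d+) - (?P<body>.*)$")


def parse_log(text):
    """Return one dict per R*/O* entry; R entries also get key/value split on ' = '."""
    entries = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue  # header, blank line or a 'Running processes' path
        e = {"type": m.group("type"), "body": m.group("body")}
        if e["type"].startswith("R") and " = " in e["body"]:
            key, _, value = e["body"].rpartition(" = ")
            e["key"], e["value"] = key.strip(), value.strip()
        entries.append(e)
    return entries


def _is_search_setting(e):
    return e["type"] in ("R0", "R1") and "Search" in e.get("key", "")


def flag_entries(entries):
    """Return (entry, reason) pairs for entries worth checking, in log order."""
    # How many distinct hosts sit behind the IE search-related R0/R1 values?
    hosts = Counter(urlparse(e["value"]).hostname
                    for e in entries if _is_search_setting(e))
    hosts.pop(None, None)  # values that were not URLs

    flagged = []
    for e in entries:
        t, body = e["type"], e["body"]
        if "(no file)" in body or "(file missing)" in body:
            flagged.append((e, "dead reference: registry entry points at a file that is not on disk"))
        elif t == "R3":
            flagged.append((e, "URLSearchHook DLL sees every address-bar lookup; verify the DLL"))
        elif _is_search_setting(e):
            host = urlparse(e["value"]).hostname
            if len(hosts) == 1 and hosts[host] >= 3:
                flagged.append((e, f"all IE search settings point at {host}; confirm that was intended"))
        elif t == "O4" and "Run" in body:
            # "[Name] target" -> target; a bare filename is resolved by PATH search,
            # so the log alone cannot tell you which file actually runs.
            target = body.split("] ", 1)[-1].strip().strip('"')
            if "\\" not in target:
                flagged.append((e, "Run entry uses a bare filename; locate the real file"))
        elif t == "O16":
            flagged.append((e, "ActiveX component installed from the web; confirm the publisher"))
    return flagged


if __name__ == "__main__":
    for e, reason in flag_entries(parse_log(SAMPLE_LOG)):
        print(f"{e['type']:<3} {reason}\n     {e['body']}")
```

Run it as-is to see the sample triaged, or replace SAMPLE_LOG with a pasted log. The "all search settings point at one host" rule deliberately stays silent when the search keys name different hosts, since a single shared host can be either ISP branding or a hijack and only the owner can say which; the dead-reference rule fires on `(no file)` and `(file missing)` alike because both are registry pointers with nothing behind them.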