Please help me exorcise my hijacker demons

Discussion in 'adware, spyware & hijack cleaning' started by julio, Jun 13, 2004.

  1. julio (Registered Member, joined Jun 13, 2004, 5 posts)
    Hey Julio here,

    My homepage keeps returning to greatsearch.biz. I ran Spybot Search & Destroy and it tells me DSO exploit. I tell it to fix it, and it says it has, but it has not. I downloaded CWShredder and tried that, and it did some good I think, but my homepage is still greatsearch.biz. Please help. Here is my HijackThis scan log.

    P.S. Also, if you could please give me some tips or recommend some books or websites on optimizing Windows 98, I would greatly appreciate it.
    Thank you very very much.

    Logfile of HijackThis v1.97.7
    Scan saved at 5:34:27 PM, on 6/13/04
    Platform: Windows 98 Gold (Win9x 4.10.1998)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\MPRMMON.EXE
    C:\PROGRAM FILES\MCAFEE\MCAFEE OFFICE\MCAFEE VIRUSSCAN\WEBSCANX.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\WINDOWS\SYSTEM\M2AUDMON.EXE
    C:\PROGRAM FILES\MCAFEE\MCAFEE OFFICE\MCAFEE VIRUSSCAN\VSSTAT.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS\STARTER.EXE
    C:\PROGRAM FILES\MCAFEE\MCAFEE OFFICE\MCAFEE VIRUSSCAN\AVCONSOL.EXE
    C:\PROGRAM FILES\MCAFEE\MCAFEE SHARED COMPONENTS\GUARDIAN\CMGRDIAN.EXE
    C:\PROGRAM FILES\CYBERMEDIA\CMAGENT.EXE
    C:\PROGRAM FILES\CD-WRITER PLUS\DIRECTCD\DIRECTCD.EXE
    C:\WINDOWS\SYSTEM\STIMON.EXE
    C:\WINDOWS\TWAIN_32\PAPRPORT\3100B\FLATBED.EXE
    C:\PROGRAM FILES\MINDSPRING\ACCESSRAMP\ARMON32.EXE
    C:\WINDOWS\WELCOME.EXE
    C:\PROGRAM FILES\REAL\REALJUKEBOX\TSYSTRAY.EXE
    C:\PROGRAM FILES\REAL\REALPLAYER\REALPLAY.EXE
    C:\WINDOWS\RunDLL.exe
    C:\PROGRAM FILES\MICROSOFT MONEY\SYSTEM\REMINDER.EXE
    C:\PROGRAM FILES\SPYBOT - SEARCH & DESTROY\TEATIMER.EXE
    C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\OSA.EXE
    C:\PROGRAM FILES\MCAFEE\MCAFEE SHARED COMPONENTS\WINGAUGE\WGPRO32.EXE
    C:\PROGRAM FILES\ULEAD SYSTEMS\ULEAD PHOTO EXPRESS 4.0 SE\CALCHECK.EXE
    C:\PROGRAM FILES\MCAFEE\MCAFEE SHARED COMPONENTS\CRASH PROTECTOR\CRASHMON.EXE
    C:\PROGRAM FILES\MCAFEE\MCAFEE SHARED COMPONENTS\CRASH PROTECTOR\FACPRMON.EXE
    C:\PROGRAM FILES\MCAFEE\MCAFEE OFFICE\FIRST AID\FAMONHKW.EXE
    C:\PROGRAM FILES\MCAFEE\MCAFEE OFFICE\FIRST AID\RESMON.EXE
    C:\PROGRAM FILES\MCAFEE\MCAFEE OFFICE\FIRST AID\FADSKMON.EXE
    C:\PROGRAM FILES\MCAFEE\MCAFEE OFFICE\FIRST AID\FASMTMON.EXE
    C:\PROGRAM FILES\MCAFEE\MCAFEE SHARED COMPONENTS\CRASH PROTECTOR\CMCP16.EXE
    C:\UNZIPPED\HIJACKTHIS[1]\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.worldnet.att.net/ie4/search/index.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://greatsearch.biz/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://greatsearch.biz/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://greatsearch.biz/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://greatsearch.biz/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by AT&T WorldNet Service
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://greatsearch.biz/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://greatsearch.biz/
    O2 - BHO: (no name) - {EBCDDA60-2A68-11D3-8A43-0060083CFB9C} - C:\WINDOWS\SYSTEM\NZDD.DLL
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [mmpti] c:\windows\SYSTEM\m1mmpti.exe
    O4 - HKLM\..\Run: [AvconsoleEXE] C:\Program Files\McAfee\McAfee Office\McAfee VirusScan\avconsol.exe /minimize
    O4 - HKLM\..\Run: [VsStatEXE] C:\Program Files\McAfee\McAfee Office\McAfee VirusScan\VSSTAT.EXE /SHOWWARNING
    O4 - HKLM\..\Run: [McAfee Guardian] "C:\PROGRAM FILES\MCAFEE\MCAFEE SHARED COMPONENTS\GUARDIAN\CMGRDIAN.EXE" /SU
    O4 - HKLM\..\Run: [CyberMedia Agent] "C:\PROGRAM FILES\CYBERMEDIA\CMAGENT.EXE" /SU
    O4 - HKLM\..\Run: [Adaptec DirectCD] C:\PROGRA~1\CD-WRI~1\DIRECTCD\DIRECTCD.EXE
    O4 - HKLM\..\Run: [McAfeeWebScanX] C:\PROGRAM FILES\MCAFEE\MCAFEE OFFICE\MCAFEE VIRUSSCAN\WebScanX.Exe
    O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
    O4 - HKLM\..\Run: [PP3100b] C:\WINDOWS\twain_32\paprport\3100b\flatbed.exe
    O4 - HKLM\..\Run: [AccessRampMonitor] C:\PROGRAM FILES\MINDSPRING\ACCESSRAMP\ARMon32.exe
    O4 - HKLM\..\Run: [Welcome] C:\WINDOWS\Welcome.exe /R
    O4 - HKLM\..\Run: [RealJukeboxSystray] C:\PROGRAM FILES\REAL\REALJUKEBOX\TSYSTRAY.EXE
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\realplay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [rmmon] c:\windows\SYSTEM\mprmmon.exe
    O4 - HKLM\..\RunServices: [McAfeeWebScanX] C:\PROGRAM FILES\MCAFEE\MCAFEE OFFICE\MCAFEE VIRUSSCAN\WebScanX.Exe /RUNSERVICES
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
    O4 - HKCU\..\Run: [Reminder] C:\Program Files\Microsoft Money\SYSTEM\reminder.exe
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
    O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
    O4 - Startup: Image & Restore.lnk = C:\Program Files\McAfee\McAfee Office\Nuts & Bolts\IMAGE32.exe
    O4 - Startup: McAfee WinGauge.lnk = C:\Program Files\McAfee\McAfee Shared Components\WinGauge\wgpro32.exe
    O4 - Startup: RealDownload.lnk = C:\Program Files\Real\RealDownload\REALDOWNLOAD.EXE
    O4 - Startup: Ulead Photo Express 4.0 SE Calendar Checker .lnk = C:\Program Files\Ulead Systems\Ulead Photo Express 4.0 SE\CalCheck.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O12 - Plugin for .mov: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
    O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
    O12 - Plugin for .pdf: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
    O16 - DPF: {EE8B6D5F-FEF2-11D0-B13F-00A024798EF3} (Microsoft Search Settings Control) - http://home.microsoft.com/search/lobby/searchsettings.cab
    O16 - DPF: {02466323-75ED-11CF-A267-0020AF2546EA} (VivoActive Control) - http://vivo.real.com/dldv2/vvweb.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {2FF18E10-DE11-11D1-8161-00A0C90DD90C} (MSNBC News Menu Control 3.0) - http://www.msnbc.com/download/nm0713.cab
    O16 - DPF: {4E330863-6A11-11D0-BFD8-006097237877} (InstallFromTheWeb ActiveX Control) - http://auinst.duc.auburn.edu/auinst/cabfiles/iftwv2.cab
    O16 - DPF: {0122955E-1FB0-11D2-A238-006097FAEE8B} (CscClnt Class) - http://central1.clevercontent.com/cccabs/CleverContent.cab
    O16 - DPF: {2FF18E20-DE11-11D1-8161-00A0C90DD90C} (MSNBC News Menu Control 3.01) - http://www.msnbc.com/download/nm1228.cab
    O16 - DPF: {72C23FEC-3AF9-48FC-9597-241A8EBDFE0A} (InstallShield International Setup Player) - http://ftp.hp.com/pub/automatic/player/isetupML.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?38145.9613078704
     
  2. IMM (Spyware Fighter, joined May 6, 2004, 351 posts)
    It's 'likely' caused by a file called system32.dll - but I'd like to be sure.
    Post the StartupList log (in HJT use Config > Misc Tools, put a check in "show minor sections" and then click "Generate StartupList").
     
  3. julio (Registered Member, joined Jun 13, 2004, 5 posts)
    Below is the HijackThis log as you requested. Before you read that, I also thought I would include the Spybot error message below and a few comments about when things started downhill. Here it is.

    The line below is from the Spybot file that says a problem was found.

    DSO Exploit: Data source object exploit (Registry change, nothing done)
    HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3

    I also would like to take this opportunity, if I may, to say that when I noticed the problems starting and I would reboot, I got these messages in Windows.
    IExplore.exe: Setup has detected that you are running a version of Windows that already includes the updated files or enhancements that you are attempting to install.
    The details screen said: You are attempting to install Internet Explorer version 5 or earlier on Windows 98. Internet Explorer is already part of the Windows 98 operating system. Installing an earlier version of Internet Explorer will not allow the operating system to function properly.

    IEXPLORE.EXE Access to the specified device, path or file is denied

    By the way, I had updated to Internet Explorer 6 months before this ever happened, and I was not trying to install anything when these messages started.

    Here is another message.
    Desktop
    Could not load or run IEXPLORE.exe specified in the Win.ini file. Make sure the file exists on your computer or remove the reference to it in the Win.ini file

    I opened my Win.ini file and remarked out the line that said
    run=C:\WINDOWS\SYSTEM\IEXPLORE.EXE

    That has taken care of the error messages popping up, but my homepage is still hijacked.

    By the way, I searched for all the IEXPLORER.exe files on my computer and found one at C:\Windows\System\iexplorer.exe (this one had a creation date on the day my troubles started and was 4 KB).

    I also found one at C:\Program files\Internet Explorer\iexplorer.exe (this one had a date of 8/29/02 and was 89 KB).

    Now when I search for all the iexplorer.exe files, the one at C:\Windows\System\iexplorer.exe is gone. Perhaps an anti-spyware program has zapped it?


    Logfile of HijackThis v1.97.7
    Scan saved at 1:02:23 AM, on 6/15/04
    Platform: Windows 98 Gold (Win9x 4.10.1998)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\MPRMMON.EXE
    C:\PROGRAM FILES\MCAFEE\MCAFEE OFFICE\MCAFEE VIRUSSCAN\WEBSCANX.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\WINDOWS\SYSTEM\M2AUDMON.EXE
    C:\PROGRAM FILES\MCAFEE\MCAFEE OFFICE\MCAFEE VIRUSSCAN\VSSTAT.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS\STARTER.EXE
    C:\PROGRAM FILES\MCAFEE\MCAFEE OFFICE\MCAFEE VIRUSSCAN\AVCONSOL.EXE
    C:\PROGRAM FILES\MCAFEE\MCAFEE SHARED COMPONENTS\GUARDIAN\CMGRDIAN.EXE
    C:\PROGRAM FILES\CYBERMEDIA\CMAGENT.EXE
    C:\PROGRAM FILES\CD-WRITER PLUS\DIRECTCD\DIRECTCD.EXE
    C:\WINDOWS\SYSTEM\STIMON.EXE
    C:\WINDOWS\TWAIN_32\PAPRPORT\3100B\FLATBED.EXE
    C:\PROGRAM FILES\MINDSPRING\ACCESSRAMP\ARMON32.EXE
    C:\WINDOWS\RunDLL.exe
    C:\PROGRAM FILES\SPYBOT - SEARCH & DESTROY\TEATIMER.EXE
    C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\OSA.EXE
    C:\PROGRAM FILES\MCAFEE\MCAFEE SHARED COMPONENTS\CRASH PROTECTOR\CRASHMON.EXE
    C:\PROGRAM FILES\MCAFEE\MCAFEE SHARED COMPONENTS\CRASH PROTECTOR\FACPRMON.EXE
    C:\PROGRAM FILES\MCAFEE\MCAFEE OFFICE\FIRST AID\FAMONHKW.EXE
    C:\PROGRAM FILES\MCAFEE\MCAFEE OFFICE\FIRST AID\RESMON.EXE
    C:\PROGRAM FILES\MCAFEE\MCAFEE OFFICE\FIRST AID\FADSKMON.EXE
    C:\PROGRAM FILES\MCAFEE\MCAFEE OFFICE\FIRST AID\FASMTMON.EXE
    C:\PROGRAM FILES\MCAFEE\MCAFEE SHARED COMPONENTS\CRASH PROTECTOR\CMCP16.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\PROGRAM FILES\AT&T\WNCLIENT\PROGRAMS\WNCONNECT.EXE
    C:\PROGRAM FILES\AT&T\WNCLIENT\PROGRAMS\WNCSMSERVER.EXE
    C:\WINDOWS\SYSTEM\TAPISRV.EXE
    C:\WINDOWS\SYSTEM\RNAAPP.EXE
    C:\PROGRAM FILES\MINDSPRING\ACCESSRAMP\ARUPLD32.EXE
    C:\UNZIPPED\HIJACKTHIS[1]\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.worldnet.att.net/ie4/search/index.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://greatsearch.biz/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://greatsearch.biz/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://greatsearch.biz/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://greatsearch.biz/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by AT&T WorldNet Service
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://greatsearch.biz/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://greatsearch.biz/
    O2 - BHO: (no name) - {EBCDDA60-2A68-11D3-8A43-0060083CFB9C} - C:\WINDOWS\SYSTEM\NZDD.DLL
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [mmpti] c:\windows\SYSTEM\m1mmpti.exe
    O4 - HKLM\..\Run: [AvconsoleEXE] C:\Program Files\McAfee\McAfee Office\McAfee VirusScan\avconsol.exe /minimize
    O4 - HKLM\..\Run: [VsStatEXE] C:\Program Files\McAfee\McAfee Office\McAfee VirusScan\VSSTAT.EXE /SHOWWARNING
    O4 - HKLM\..\Run: [McAfee Guardian] "C:\PROGRAM FILES\MCAFEE\MCAFEE SHARED COMPONENTS\GUARDIAN\CMGRDIAN.EXE" /SU
    O4 - HKLM\..\Run: [CyberMedia Agent] "C:\PROGRAM FILES\CYBERMEDIA\CMAGENT.EXE" /SU
    O4 - HKLM\..\Run: [Adaptec DirectCD] C:\PROGRA~1\CD-WRI~1\DIRECTCD\DIRECTCD.EXE
    O4 - HKLM\..\Run: [McAfeeWebScanX] C:\PROGRAM FILES\MCAFEE\MCAFEE OFFICE\MCAFEE VIRUSSCAN\WebScanX.Exe
    O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
    O4 - HKLM\..\Run: [PP3100b] C:\WINDOWS\twain_32\paprport\3100b\flatbed.exe
    O4 - HKLM\..\Run: [AccessRampMonitor] C:\PROGRAM FILES\MINDSPRING\ACCESSRAMP\ARMon32.exe
    O4 - HKLM\..\Run: [RealJukeboxSystray] C:\PROGRAM FILES\REAL\REALJUKEBOX\TSYSTRAY.EXE
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [rmmon] c:\windows\SYSTEM\mprmmon.exe
    O4 - HKLM\..\RunServices: [McAfeeWebScanX] C:\PROGRAM FILES\MCAFEE\MCAFEE OFFICE\MCAFEE VIRUSSCAN\WebScanX.Exe /RUNSERVICES
    O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
    O4 - HKCU\..\Run: [Reminder] C:\Program Files\Microsoft Money\SYSTEM\reminder.exe
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
    O4 - Startup: Image & Restore.lnk = C:\Program Files\McAfee\McAfee Office\Nuts & Bolts\IMAGE32.exe
    O4 - Startup: RealDownload.lnk = C:\Program Files\Real\RealDownload\REALDOWNLOAD.EXE
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O12 - Plugin for .mov: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
    O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
    O12 - Plugin for .pdf: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
    O16 - DPF: {EE8B6D5F-FEF2-11D0-B13F-00A024798EF3} (Microsoft Search Settings Control) - http://home.microsoft.com/search/lobby/searchsettings.cab
    O16 - DPF: {02466323-75ED-11CF-A267-0020AF2546EA} (VivoActive Control) - http://vivo.real.com/dldv2/vvweb.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {2FF18E10-DE11-11D1-8161-00A0C90DD90C} (MSNBC News Menu Control 3.0) - http://www.msnbc.com/download/nm0713.cab
    O16 - DPF: {4E330863-6A11-11D0-BFD8-006097237877} (InstallFromTheWeb ActiveX Control) - http://auinst.duc.auburn.edu/auinst/cabfiles/iftwv2.cab
    O16 - DPF: {0122955E-1FB0-11D2-A238-006097FAEE8B} (CscClnt Class) - http://central1.clevercontent.com/cccabs/CleverContent.cab
    O16 - DPF: {2FF18E20-DE11-11D1-8161-00A0C90DD90C} (MSNBC News Menu Control 3.01) - http://www.msnbc.com/download/nm1228.cab
    O16 - DPF: {72C23FEC-3AF9-48FC-9597-241A8EBDFE0A} (InstallShield International Setup Player) - http://ftp.hp.com/pub/automatic/player/isetupML.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?38145.9613078704
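The check julio did by hand in the post above (where every iexplore.exe on the disk lives, and how big each copy is) is the same one StartupList automates for explorer.exe in its "Checking for EXPLORER.EXE instances" section. The Python below is an added example, not code from the thread or from HijackThis/StartupList; it generalises that check to any watched binary name and adds a size comparison against the genuine copy. The canonical folders and the file inventory are constructed to mirror what was posted (a 4 KB copy in WINDOWS\SYSTEM, an 89 KB copy in Program Files) and are assumptions of the example; real use would walk the drive instead.

```python
"""Find impostor copies of well-known Windows binaries.

Added example (not from the thread or from HijackThis/StartupList). A copy of
iexplore.exe or explorer.exe outside its canonical folder, or one far smaller
than the genuine file, is a classic hijacker/downloader stub.
"""
from ntpath import basename, dirname, normcase

# ASSUMPTION: canonical install folders on a Windows 98 box with IE 6.
CANONICAL_DIR = {
    "iexplore.exe": r"C:\PROGRAM FILES\INTERNET EXPLORER",
    "explorer.exe": r"C:\WINDOWS",
}

# A copy under 10% of the genuine file's size is almost certainly a stub.
STUB_RATIO = 0.10

# Constructed inventory: (full path, size in bytes), mirroring the post.
SAMPLE_FILES = [
    (r"C:\Program Files\Internet Explorer\iexplore.exe", 89 * 1024),
    (r"C:\WINDOWS\SYSTEM\iexplore.exe", 4 * 1024),
    (r"C:\WINDOWS\Explorer.exe", 180 * 1024),
    (r"C:\WINDOWS\SYSTEM\MSGSRV32.EXE", 12 * 1024),  # not a watched name
]


def find_impostors(files):
    """Return (path, reason) for every copy of a watched binary that is either
    outside its canonical folder or suspiciously small compared with the
    canonical copy (when a canonical copy is present in the inventory)."""
    # First pass: record the size of the genuine copy of each watched name.
    canonical_size = {}
    for path, size in files:
        name = normcase(basename(path))
        if name in CANONICAL_DIR and normcase(dirname(path)) == normcase(CANONICAL_DIR[name]):
            canonical_size[name] = size

    # Second pass: flag strays and stubs.
    results = []
    for path, size in files:
        name = normcase(basename(path))
        if name not in CANONICAL_DIR:
            continue
        reasons = []
        if normcase(dirname(path)) != normcase(CANONICAL_DIR[name]):
            reasons.append(f"outside canonical folder {CANONICAL_DIR[name]}")
        ref = canonical_size.get(name)
        if ref and size < ref * STUB_RATIO:
            reasons.append(f"{size} bytes vs {ref} bytes for the genuine copy")
        if reasons:
            results.append((path, "; ".join(reasons)))
    return results


if __name__ == "__main__":
    for path, reason in find_impostors(SAMPLE_FILES):
        print(f"{path}: {reason}")
```

Only the copy in WINDOWS\SYSTEM is reported, with both reasons; the genuine iexplore.exe and explorer.exe pass, and unrelated system files are ignored because they are not watched names.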
     
  4. IMM (Spyware Fighter, joined May 6, 2004, 351 posts)
    I'm afraid that isn't the list from HijackThis which I need.
    Try following the instructions for the StartupList log I gave again.
    HijackThis is capable of producing more than one list.

    There are a lot of trojans using %system%\iexplorer.exe, unfortunately.
    It might be Gema?
    http://securityresponse.symantec.com/avcenter/venc/data/trojan.gema.html

    Though I doubt it. It's probably a CoolWebSearch variant starting up with ShellServiceObjectDelayLoad.

    When you said system\iexplore.exe and system\iexplorer.exe, do you refer to two different files?
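The entries IMM is reading in the posted logs (the R0/R1 start-page values rewritten under both HKCU and HKLM, the O2 list of Browser Helper Objects, the O6 policy marker) can be triaged mechanically. The Python below is an added example, not part of the thread and not HijackThis code; the sample log is constructed from the lines julio posted, and both the allow-list of trusted homepage hosts (the AT&T WorldNet branding seen in the log) and the "unnamed BHO in the Windows system directory" heuristic are assumptions of the example rather than HijackThis rules.

```python
"""Triage a HijackThis 1.x log for browser-hijack indicators.

Added example, not code from the thread or from HijackThis. Sample lines are
constructed from the log posted in the thread; TRUSTED_HOSTS is an assumption
for this one machine (AT&T WorldNet branding), not a general list.
"""
import re
from urllib.parse import urlparse

# ASSUMPTION: hosts this machine legitimately uses for its start/search pages.
TRUSTED_HOSTS = {"www.worldnet.att.net", "home.microsoft.com", "www.microsoft.com"}

# Heuristic (assumed, not an HJT rule): legitimate BHOs live under Program
# Files; hijackers like to drop an unnamed DLL straight into WINDOWS\SYSTEM.
SYSTEM_DIR = re.compile(r"^[A-Z]:\\WINDOWS\\SYSTEM(32)?\\", re.IGNORECASE)

R_LINE = re.compile(r"^R[01] - (?P<hive>HKCU|HKLM)\\.*,(?P<value>[^=]+?) = (?P<url>\S+)$")
O2_LINE = re.compile(r"^O2 - BHO: (?P<name>.+?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.+)$")

# Constructed sample: the R0/R1, O2 and O6 lines from the posted log.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.worldnet.att.net/ie4/search/index.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://greatsearch.biz/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://greatsearch.biz/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://greatsearch.biz/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://greatsearch.biz/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by AT&T WorldNet Service
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://greatsearch.biz/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://greatsearch.biz/
O2 - BHO: (no name) - {EBCDDA60-2A68-11D3-8A43-0060083CFB9C} - C:\WINDOWS\SYSTEM\NZDD.DLL
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
"""


def triage(log_text):
    """Return (reason, line) pairs an analyst should look at first."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = R_LINE.match(line)
        if m:
            url = urlparse(m["url"])
            host = (url.hostname or "").lower()
            if m["value"].strip() == "Local Page" and url.scheme in ("http", "https"):
                # Local Page should be a file on disk (blank.htm); a web URL here
                # is the classic about:blank hijack.
                findings.append(("Local Page redirected to a web host", line))
            elif host and host not in TRUSTED_HOSTS:
                findings.append((f"{m['hive']} start/search value points at untrusted host {host}", line))
            continue
        m = O2_LINE.match(line)
        if m:
            if m["name"] == "(no name)" and SYSTEM_DIR.match(m["path"]):
                findings.append(("unnamed BHO loaded from the Windows system directory", line))
            continue
        if line.startswith("O6 - ") and line.endswith(" present"):
            # IE options locked by policy: hijackers use this to stop the user
            # changing the homepage back; Spybot's homepage lock sets it too.
            findings.append(("IE Control Panel restricted by policy; confirm who set it", line))
    return findings


def hijack_hosts(log_text):
    """Per untrusted host: how many IE values point at it, and from which hives.
    The same host under both HKCU and HKLM means the per-user and machine-wide
    keys were both rewritten, which is why fixing one place does not stick."""
    hosts = {}
    for raw in log_text.splitlines():
        m = R_LINE.match(raw.strip())
        if not m:
            continue
        host = (urlparse(m["url"]).hostname or "").lower()
        if host and host not in TRUSTED_HOSTS:
            entry = hosts.setdefault(host, {"count": 0, "hives": set()})
            entry["count"] += 1
            entry["hives"].add(m["hive"])
    return hosts


if __name__ == "__main__":
    for reason, line in triage(SAMPLE_LOG):
        print(f"[{reason}]\n    {line}")
    print(hijack_hosts(SAMPLE_LOG))
```

On the sample, greatsearch.biz is referenced six times across both hives, the two Local Page values are called out separately, only the NZDD.DLL helper is flagged among the three BHOs (the Acrobat and Spybot helpers live under Program Files), and the O6 line is surfaced for a "who set this" decision rather than an automatic fix.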
     
  5. julio (Registered Member, joined Jun 13, 2004, 5 posts)
    o_O Oops! Sorry, I made a mistake.
    Yes, when this first started I found the iexplore in the two different places described in my last post. I started out by running an anti-spyware program I downloaded from CNET, then I went to the PCWorld site and downloaded Spybot, I think, and also an anti-browser-hijacker that I could not tell did anything. Then I found this website and downloaded CWShredder and ran it after reading some posts. It did some things and my system seems somewhat better, but the homepage is still hijacked. I just did a Find Fast search to confirm that now there is only one iexplore.exe on my computer, and it is at C:\program files\internet explorer\iexplore.exe.


    I sure appreciate your help. :)

    StartupList report, 6/15/04, 11:26:52 AM
    StartupList version: 1.52
    Started from : C:\UNZIPPED\HIJACKTHIS[1]\HIJACKTHIS.EXE
    Detected: Windows 98 Gold (Win9x 4.10.1998)
    Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    * Using default options
    * Showing rarely important sections
    ==================================================

    Running processes:

    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\MPRMMON.EXE
    C:\PROGRAM FILES\MCAFEE\MCAFEE OFFICE\MCAFEE VIRUSSCAN\WEBSCANX.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\WINDOWS\SYSTEM\M2AUDMON.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\PROGRAM FILES\MCAFEE\MCAFEE OFFICE\MCAFEE VIRUSSCAN\VSSTAT.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS\STARTER.EXE
    C:\PROGRAM FILES\MCAFEE\MCAFEE OFFICE\MCAFEE VIRUSSCAN\AVCONSOL.EXE
    C:\PROGRAM FILES\MCAFEE\MCAFEE SHARED COMPONENTS\GUARDIAN\CMGRDIAN.EXE
    C:\PROGRAM FILES\CYBERMEDIA\CMAGENT.EXE
    C:\PROGRAM FILES\CD-WRITER PLUS\DIRECTCD\DIRECTCD.EXE
    C:\WINDOWS\SYSTEM\STIMON.EXE
    C:\WINDOWS\TWAIN_32\PAPRPORT\3100B\FLATBED.EXE
    C:\PROGRAM FILES\MINDSPRING\ACCESSRAMP\ARMON32.EXE
    C:\PROGRAM FILES\REAL\REALJUKEBOX\TSYSTRAY.EXE
    C:\WINDOWS\RunDLL.exe
    C:\PROGRAM FILES\MICROSOFT MONEY\SYSTEM\REMINDER.EXE
    C:\PROGRAM FILES\SPYBOT - SEARCH & DESTROY\TEATIMER.EXE
    C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\OSA.EXE
    C:\PROGRAM FILES\MCAFEE\MCAFEE SHARED COMPONENTS\CRASH PROTECTOR\CRASHMON.EXE
    C:\PROGRAM FILES\MCAFEE\MCAFEE SHARED COMPONENTS\CRASH PROTECTOR\FACPRMON.EXE
    C:\PROGRAM FILES\MCAFEE\MCAFEE OFFICE\FIRST AID\FAMONHKW.EXE
    C:\PROGRAM FILES\MCAFEE\MCAFEE OFFICE\FIRST AID\RESMON.EXE
    C:\PROGRAM FILES\MCAFEE\MCAFEE OFFICE\FIRST AID\FADSKMON.EXE
    C:\PROGRAM FILES\MCAFEE\MCAFEE OFFICE\FIRST AID\FASMTMON.EXE
    C:\PROGRAM FILES\MCAFEE\MCAFEE SHARED COMPONENTS\CRASH PROTECTOR\CMCP16.EXE
    C:\UNZIPPED\HIJACKTHIS[1]\HIJACKTHIS.EXE

    --------------------------------------------------

    Listing of startup folders:

    Shell folders Startup:
    [C:\WINDOWS\Start Menu\Programs\StartUp]
    Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
    Image & Restore.lnk = C:\Program Files\McAfee\McAfee Office\Nuts & Bolts\IMAGE32.exe
    RealDownload.lnk = C:\Program Files\Real\RealDownload\REALDOWNLOAD.EXE

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run

    ScanRegistry = c:\windows\scanregw.exe /autorun
    TaskMonitor = c:\windows\taskmon.exe
    SystemTray = SysTray.Exe
    EnsoniqMixer = starter.exe
    LoadPowerProfile = Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    mmpti = c:\windows\SYSTEM\m1mmpti.exe
    AvconsoleEXE = C:\Program Files\McAfee\McAfee Office\McAfee VirusScan\avconsol.exe /minimize
    VsStatEXE = C:\Program Files\McAfee\McAfee Office\McAfee VirusScan\VSSTAT.EXE /SHOWWARNING
    McAfee Guardian = "C:\PROGRAM FILES\MCAFEE\MCAFEE SHARED COMPONENTS\GUARDIAN\CMGRDIAN.EXE" /SU
    CyberMedia Agent = "C:\PROGRAM FILES\CYBERMEDIA\CMAGENT.EXE" /SU
    Adaptec DirectCD = C:\PROGRA~1\CD-WRI~1\DIRECTCD\DIRECTCD.EXE
    McAfeeWebScanX = C:\PROGRAM FILES\MCAFEE\MCAFEE OFFICE\MCAFEE VIRUSSCAN\WebScanX.Exe
    StillImageMonitor = C:\WINDOWS\SYSTEM\STIMON.EXE
    PP3100b = C:\WINDOWS\twain_32\paprport\3100b\flatbed.exe
    AccessRampMonitor = C:\PROGRAM FILES\MINDSPRING\ACCESSRAMP\ARMon32.exe
    RealJukeboxSystray = C:\PROGRAM FILES\REAL\REALJUKEBOX\TSYSTRAY.EXE

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

    LoadPowerProfile = Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    rmmon = c:\windows\SYSTEM\mprmmon.exe
    McAfeeWebScanX = C:\PROGRAM FILES\MCAFEE\MCAFEE OFFICE\MCAFEE VIRUSSCAN\WebScanX.Exe /RUNSERVICES

    --------------------------------------------------

    Autorun entries from Registry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run

    Taskbar Display Controls = RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
    Reminder = C:\Program Files\Microsoft Money\SYSTEM\reminder.exe
    SpybotSD TeaTimer = C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

    --------------------------------------------------

    Enumerating Active Setup stub paths:
    HKLM\Software\Microsoft\Active Setup\Installed Components
    (* = disabled by HKCU twin)

    [{89820200-ECBD-11cf-8B85-00AA005B4383}] *
    StubPath = rundll32.exe advpack.dll,UserInstStubWrapper {89820200-ECBD-11cf-8B85-00AA005B4383}

    [PerUser_LinkBar_URLs] *
    StubPath = c:\windows\COMMAND\sulfnbk.exe /L

    [{44BBA840-CC51-11CF-AAFA-00AA00B6015C}] *
    StubPath = rundll32.exe advpack.dll,UserInstStubWrapper {44BBA840-CC51-11CF-AAFA-00AA00B6015C}

    [{44BBA851-CC51-11CF-AAFA-00AA00B6015C}] *
    StubPath = rundll32.exeadvpack.dll

    [>IEPerUser] *
    StubPath = RUNDLL32.EXE IEDKCS32.DLL,BrandIE4 SIGNUP

    [{9EF0045A-CDD9-438e-95E6-02B9AFEC8E11}] *
    StubPath = C:\WINDOWS\SYSTEM\updcrl.exe -e -u C:\WINDOWS\SYSTEM\verisignpub1.crl

    [{7790769C-0471-11d2-AF11-00C04FA35D02}] *
    StubPath = "C:\PROGRA~1\OUTLOO~1\setup50.exe" /APP:WAB /CALLER:IE50 /user /install

    --------------------------------------------------

    Checking for EXPLORER.EXE instances:

    C:\WINDOWS\Explorer.exe: PRESENT!

    C:\Explorer.exe: not present
    C:\WINDOWS\Explorer\Explorer.exe: not present
    C:\WINDOWS\System\Explorer.exe: not present
    C:\WINDOWS\System32\Explorer.exe: not present
    C:\WINDOWS\Command\Explorer.exe: not present
    C:\WINDOWS\Fonts\Explorer.exe: not present

    --------------------------------------------------

    C:\AUTOEXEC.BAT listing:

    C:\PROGRA~1\MCAFEE\MCAFEE~1\MCAFEE~1\SCAN.EXE C:\
    IF ERRORLEVEL 1 PAUSE
    SET BLASTER=A220 I7 D1 T2
    SET SNDSCAPE=C:\WINDOWS
    SET PATH=%PATH%;C:\PROGRA~1\MCAFEE\MCAFEE~1\MCAFEE~1

    --------------------------------------------------

    C:\CONFIG.SYS listing:

    DEVICE=C:\WINDOWS\HIMEM.SYS
    DEVICE=C:\WINDOWS\EMM386.EXE NOEMS D=64
    DEVICEHIGH=C:\WINDOWS\COMMAND\TAISATAP.SYS /D:MSCD000 /N:1

    --------------------------------------------------

    C:\WINDOWS\DOSSTART.BAT listing:

    C:\WINDOWS\M1INIT.COM
    C:\SBAPC64V\APINIT.COM
    LH C:\MOUSE\MOUSE /Q
    LH C:\WINDOWS\COMMAND\MSCDEX.EXE /D:MSCD000 /L:E

    --------------------------------------------------

    Checking for superhidden extensions:

    .lnk: HIDDEN! (arrow overlay: yes)
    .pif: HIDDEN! (arrow overlay: yes)
    .exe: not hidden
    .com: not hidden
    .bat: not hidden
    .hta: not hidden
    .scr: not hidden
    .shs: HIDDEN!
    .shb: HIDDEN!
    .vbs: not hidden
    .vbe: not hidden
    .wsh: not hidden
    .scf: HIDDEN! (arrow overlay: NO!)
    .url: HIDDEN! (arrow overlay: yes)
    .js: not hidden
    .jse: not hidden

    --------------------------------------------------

    Enumerating Browser Helper Objects:

    (no name) - C:\WINDOWS\SYSTEM\NZDD.DLL - {EBCDDA60-2A68-11D3-8A43-0060083CFB9C}
    (no name) - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
    (no name) - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL - {53707962-6F74-2D53-2644-206D7942484F}

    --------------------------------------------------

    Enumerating Task Scheduler jobs:

    {D34F18B0-576E-11D0-B28C-00C04FD7CD22}_Default.job

    --------------------------------------------------

    Enumerating Download Program Files:

    [Microsoft Search Settings Control]
    InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\SEARCHSETTINGS.OCX
    CODEBASE = http://home.microsoft.com/search/lobby/searchsettings.cab

    [VivoActive Control]
    InProcServer32 = C:\WINDOWS\DOWNLO~1\VVWEB.OCX
    CODEBASE = http://vivo.real.com/dldv2/vvweb.cab

    [Shockwave Flash Object]
    InProcServer32 = C:\WINDOWS\SYSTEM\MACROMED\FLASH\SWFLASH.OCX
    CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

    [MSNBC News Menu Control 3.0]
    InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\NEWSM30.OCX
    CODEBASE = http://www.msnbc.com/download/nm0713.cab

    [InstallFromTheWeb ActiveX Control]
    InProcServer32 = C:\WINDOWS\DOWNLO~1\IFTW.OCX
    CODEBASE = http://auinst.duc.auburn.edu/auinst/cabfiles/iftwv2.cab

    [CscClnt Class]
    InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\CSCCTRL.DLL
    CODEBASE = http://central1.clevercontent.com/cccabs/CleverContent.cab

    [MSNBC News Menu Control 3.01]
    InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\NEWSM301.OCX
    CODEBASE = http://www.msnbc.com/download/nm1228.cab

    [CV3 Class]
    InProcServer32 = C:\WINDOWS\SYSTEM\WUV3IS.DLL
    CODEBASE = http://windowsupdate.microsoft.com/R712/V31Controls/x86/w98/en/actsetup.cab

    [InstallShield International Setup Player]
    InProcServer32 = c:\WINDOWS\DOWNLO~1\ISETUPML.DLL
    CODEBASE = http://ftp.hp.com/pub/automatic/player/isetupML.cab

    [Update Class]
    InProcServer32 = C:\WINDOWS\SYSTEM\IUCTL.DLL
    CODEBASE = http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?38145.9613078704

    --------------------------------------------------

    Enumerating ShellServiceObjectDelayLoad items:



    WebCheck: C:\WINDOWS\SYSTEM\WEBCHECK.DLL

    --------------------------------------------------
    End of report, 9,780 bytes
    Report generated in 0.482 seconds

    Command line options:
    /verbose - to add additional info on each section
    /complete - to include empty sections and unsuspicious data
    /full - to include several rarely-important sections
    /force9x - to include Win9x-only startups even if running on WinNT
    /forcent - to include WinNT-only startups even if running on Win9x
    /forceall - to include all Win9x and WinNT startups, regardless of platform
    /history - to list version history only
     
  6. julio (Registered Member, joined Jun 13, 2004, 5 posts)
    Any ideas what I should do now, please?
     
  7. IMM (Spyware Fighter, joined May 6, 2004, 351 posts)
    Sorry, I had to go away for a while :(
    I'm still betting on it being system32.dll - but I can't see it in the log.
    The log, however, seems suspicious:
    it has too many blank lines in it for the way Merijn formats that, I think.

    Can you boot (reboot) to DOS and try to find and delete the file manually?
     
  8. julio (Registered Member, joined Jun 13, 2004, 5 posts)
    Glad you are back. I ran CWShredder before I read your last post. Does it look like I got all the crud, or should I do the DOS thing?

    Thanks, Julio

    StartupList report, 6/29/04, 1:39:48 AM
    StartupList version: 1.52
    Started from : C:\UNZIPPED\HIJACKTHIS[1]\HIJACKTHIS.EXE
    Detected: Windows 98 Gold (Win9x 4.10.1998)
    Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    * Using default options
    ==================================================

    Running processes:

    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\MPRMMON.EXE
    C:\PROGRAM FILES\MCAFEE\MCAFEE OFFICE\MCAFEE VIRUSSCAN\WEBSCANX.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\WINDOWS\SYSTEM\M2AUDMON.EXE
    C:\PROGRAM FILES\MCAFEE\MCAFEE OFFICE\MCAFEE VIRUSSCAN\VSSTAT.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS\STARTER.EXE
    C:\PROGRAM FILES\MCAFEE\MCAFEE OFFICE\MCAFEE VIRUSSCAN\AVCONSOL.EXE
    C:\PROGRAM FILES\MCAFEE\MCAFEE SHARED COMPONENTS\GUARDIAN\CMGRDIAN.EXE
    C:\PROGRAM FILES\CYBERMEDIA\CMAGENT.EXE
    C:\PROGRAM FILES\CD-WRITER PLUS\DIRECTCD\DIRECTCD.EXE
    C:\WINDOWS\SYSTEM\STIMON.EXE
    C:\WINDOWS\TWAIN_32\PAPRPORT\3100B\FLATBED.EXE
    C:\PROGRAM FILES\MINDSPRING\ACCESSRAMP\ARMON32.EXE
    C:\WINDOWS\RunDLL.exe
    C:\PROGRAM FILES\SPYBOT - SEARCH & DESTROY\TEATIMER.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\OSA.EXE
    C:\PROGRAM FILES\MCAFEE\MCAFEE SHARED COMPONENTS\CRASH PROTECTOR\CRASHMON.EXE
    C:\PROGRAM FILES\MCAFEE\MCAFEE SHARED COMPONENTS\CRASH PROTECTOR\FACPRMON.EXE
    C:\PROGRAM FILES\MCAFEE\MCAFEE OFFICE\FIRST AID\FAMONHKW.EXE
    C:\PROGRAM FILES\MCAFEE\MCAFEE OFFICE\FIRST AID\RESMON.EXE
    C:\PROGRAM FILES\MCAFEE\MCAFEE OFFICE\FIRST AID\FADSKMON.EXE
    C:\PROGRAM FILES\MCAFEE\MCAFEE OFFICE\FIRST AID\FASMTMON.EXE
    C:\PROGRAM FILES\MCAFEE\MCAFEE SHARED COMPONENTS\CRASH PROTECTOR\CMCP16.EXE
    C:\WINDOWS\SYSTEM\TAPISRV.EXE
    C:\WINDOWS\SYSTEM\RNAAPP.EXE
    C:\PROGRAM FILES\AT&T\WNCLIENT\PROGRAMS\WNCONNECT.EXE
    C:\PROGRAM FILES\AT&T\WNCLIENT\PROGRAMS\WNCSMSERVER.EXE
    C:\WINDOWS\SYSTEM\PSTORES.EXE
    C:\WINDOWS\SYSTEM\WUCRTUPD.EXE
    C:\UNZIPPED\HIJACKTHIS[1]\HIJACKTHIS.EXE

    --------------------------------------------------

    Listing of startup folders:

    Shell folders Startup:
    [C:\WINDOWS\Start Menu\Programs\StartUp]
    Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
    Image & Restore.lnk = C:\Program Files\McAfee\McAfee Office\Nuts & Bolts\IMAGE32.exe
    RealDownload.lnk = C:\Program Files\Real\RealDownload\REALDOWNLOAD.EXE

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run

    ScanRegistry = c:\windows\scanregw.exe /autorun
    TaskMonitor = c:\windows\taskmon.exe
    SystemTray = SysTray.Exe
    EnsoniqMixer = starter.exe
    LoadPowerProfile = Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    mmpti = c:\windows\SYSTEM\m1mmpti.exe
    AvconsoleEXE = C:\Program Files\McAfee\McAfee Office\McAfee VirusScan\avconsol.exe /minimize
    VsStatEXE = C:\Program Files\McAfee\McAfee Office\McAfee VirusScan\VSSTAT.EXE /SHOWWARNING
    McAfee Guardian = "C:\PROGRAM FILES\MCAFEE\MCAFEE SHARED COMPONENTS\GUARDIAN\CMGRDIAN.EXE" /SU
    CyberMedia Agent = "C:\PROGRAM FILES\CYBERMEDIA\CMAGENT.EXE" /SU
    Adaptec DirectCD = C:\PROGRA~1\CD-WRI~1\DIRECTCD\DIRECTCD.EXE
    McAfeeWebScanX = C:\PROGRAM FILES\MCAFEE\MCAFEE OFFICE\MCAFEE VIRUSSCAN\WebScanX.Exe
    StillImageMonitor = C:\WINDOWS\SYSTEM\STIMON.EXE
    PP3100b = C:\WINDOWS\twain_32\paprport\3100b\flatbed.exe
    AccessRampMonitor = C:\PROGRAM FILES\MINDSPRING\ACCESSRAMP\ARMon32.exe
    RealJukeboxSystray = C:\PROGRAM FILES\REAL\REALJUKEBOX\TSYSTRAY.EXE
    CriticalUpdate = c:\windows\SYSTEM\wucrtupd.exe -startup

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

    LoadPowerProfile = Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    rmmon = c:\windows\SYSTEM\mprmmon.exe
    McAfeeWebScanX = C:\PROGRAM FILES\MCAFEE\MCAFEE OFFICE\MCAFEE VIRUSSCAN\WebScanX.Exe /RUNSERVICES

    --------------------------------------------------

    Autorun entries from Registry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run

    Taskbar Display Controls = RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
    Reminder = C:\Program Files\Microsoft Money\SYSTEM\reminder.exe
    SpybotSD TeaTimer = C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

    --------------------------------------------------

    C:\WINDOWS\WININIT.BAK listing:
    (Created 24/6/2004, 3:13:2)

    [Rename]
    NUL=C:\WINDOWS\SYSTEM\WININET.DLL
    C:\WINDOWS\SYSTEM\WININET.DLL=C:\WINDOWS\SYSTEM\SETC236.TMP
    c:\windows\SYSTEM\javart.dll=c:\windows\SYSTEM\javart.001
    c:\windows\SYSTEM\msjava.dll=c:\windows\SYSTEM\msjava.001
    c:\windows\SYSTEM\vmhelper.dll=c:\windows\SYSTEM\vmhelper.001
    c:\windows\SYSTEM\jit.dll=c:\windows\SYSTEM\jit.001

    --------------------------------------------------

    C:\AUTOEXEC.BAT listing:

    C:\PROGRA~1\MCAFEE\MCAFEE~1\MCAFEE~1\SCAN.EXE C:\
    IF ERRORLEVEL 1 PAUSE
    SET BLASTER=A220 I7 D1 T2
    SET SNDSCAPE=C:\WINDOWS
    SET PATH=%PATH%;C:\PROGRA~1\MCAFEE\MCAFEE~1\MCAFEE~1

    --------------------------------------------------


    Enumerating Browser Helper Objects:

    (no name) - C:\WINDOWS\SYSTEM\NZDD.DLL - {EBCDDA60-2A68-11D3-8A43-0060083CFB9C}
    (no name) - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
    (no name) - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL - {53707962-6F74-2D53-2644-206D7942484F}

    --------------------------------------------------

    Enumerating Task Scheduler jobs:

    {D34F18B0-576E-11D0-B28C-00C04FD7CD22}_Default.job

    --------------------------------------------------

    Enumerating Download Program Files:

    [Microsoft Search Settings Control]
    InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\SEARCHSETTINGS.OCX
    CODEBASE = http://home.microsoft.com/search/lobby/searchsettings.cab

    [VivoActive Control]
    InProcServer32 = C:\WINDOWS\DOWNLO~1\VVWEB.OCX
    CODEBASE = http://vivo.real.com/dldv2/vvweb.cab

    [Shockwave Flash Object]
    InProcServer32 = C:\WINDOWS\SYSTEM\MACROMED\FLASH\SWFLASH.OCX
    CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

    [MSNBC News Menu Control 3.0]
    InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\NEWSM30.OCX
    CODEBASE = http://www.msnbc.com/download/nm0713.cab

    [InstallFromTheWeb ActiveX Control]
    InProcServer32 = C:\WINDOWS\DOWNLO~1\IFTW.OCX
    CODEBASE = http://auinst.duc.auburn.edu/auinst/cabfiles/iftwv2.cab

    [CscClnt Class]
    InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\CSCCTRL.DLL
    CODEBASE = http://central1.clevercontent.com/cccabs/CleverContent.cab

    [MSNBC News Menu Control 3.01]
    InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\NEWSM301.OCX
    CODEBASE = http://www.msnbc.com/download/nm1228.cab

    [CV3 Class]
    InProcServer32 = C:\WINDOWS\SYSTEM\WUV3IS.DLL
    CODEBASE = http://windowsupdate.microsoft.com/R712/V31Controls/x86/w98/en/actsetup.cab

    [InstallShield International Setup Player]
    InProcServer32 = c:\WINDOWS\DOWNLO~1\ISETUPML.DLL
    CODEBASE = http://ftp.hp.com/pub/automatic/player/isetupML.cab

    [Update Class]
    InProcServer32 = C:\WINDOWS\SYSTEM\IUCTL.DLL
    CODEBASE = http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?38145.9613078704

    [ActiveScan Installer Class]
    InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\ASINST.DLL
    CODEBASE = http://www.pandasoftware.com/activescan/as5/asinst.cab

    --------------------------------------------------

    Enumerating ShellServiceObjectDelayLoad items:

    WebCheck: C:\WINDOWS\SYSTEM\WEBCHECK.DLL

    --------------------------------------------------
    End of report, 8,314 bytes
    Report generated in 0.398 seconds

    Command line options:
    /verbose - to add additional info on each section
    /complete - to include empty sections and unsuspicious data
    /full - to include several rarely-important sections
    /force9x - to include Win9x-only startups even if running on WinNT
    /forcent - to include WinNT-only startups even if running on Win9x
    /forceall - to include all Win9x and WinNT startups, regardless of platform
    /history - to list version history only

    Logfile of HijackThis v1.97.7
    Scan saved at 1:54:40 AM, on 6/29/04
    Platform: Windows 98 Gold (Win9x 4.10.1998)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\MPRMMON.EXE
    C:\PROGRAM FILES\MCAFEE\MCAFEE OFFICE\MCAFEE VIRUSSCAN\WEBSCANX.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\WINDOWS\SYSTEM\M2AUDMON.EXE
    C:\PROGRAM FILES\MCAFEE\MCAFEE OFFICE\MCAFEE VIRUSSCAN\VSSTAT.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS\STARTER.EXE
    C:\PROGRAM FILES\MCAFEE\MCAFEE OFFICE\MCAFEE VIRUSSCAN\AVCONSOL.EXE
    C:\PROGRAM FILES\MCAFEE\MCAFEE SHARED COMPONENTS\GUARDIAN\CMGRDIAN.EXE
    C:\PROGRAM FILES\CYBERMEDIA\CMAGENT.EXE
    C:\PROGRAM FILES\CD-WRITER PLUS\DIRECTCD\DIRECTCD.EXE
    C:\WINDOWS\SYSTEM\STIMON.EXE
    C:\WINDOWS\TWAIN_32\PAPRPORT\3100B\FLATBED.EXE
    C:\PROGRAM FILES\MINDSPRING\ACCESSRAMP\ARMON32.EXE
    C:\WINDOWS\RunDLL.exe
    C:\PROGRAM FILES\SPYBOT - SEARCH & DESTROY\TEATIMER.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\OSA.EXE
    C:\PROGRAM FILES\MCAFEE\MCAFEE SHARED COMPONENTS\CRASH PROTECTOR\CRASHMON.EXE
    C:\PROGRAM FILES\MCAFEE\MCAFEE SHARED COMPONENTS\CRASH PROTECTOR\FACPRMON.EXE
    C:\PROGRAM FILES\MCAFEE\MCAFEE OFFICE\FIRST AID\FAMONHKW.EXE
    C:\PROGRAM FILES\MCAFEE\MCAFEE OFFICE\FIRST AID\RESMON.EXE
    C:\PROGRAM FILES\MCAFEE\MCAFEE OFFICE\FIRST AID\FADSKMON.EXE
    C:\PROGRAM FILES\MCAFEE\MCAFEE OFFICE\FIRST AID\FASMTMON.EXE
    C:\PROGRAM FILES\MCAFEE\MCAFEE SHARED COMPONENTS\CRASH PROTECTOR\CMCP16.EXE
    C:\WINDOWS\SYSTEM\TAPISRV.EXE
    C:\WINDOWS\SYSTEM\RNAAPP.EXE
    C:\PROGRAM FILES\AT&T\WNCLIENT\PROGRAMS\WNCONNECT.EXE
    C:\PROGRAM FILES\AT&T\WNCLIENT\PROGRAMS\WNCSMSERVER.EXE
    C:\WINDOWS\SYSTEM\PSTORES.EXE
    C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\WINWORD.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\UNZIPPED\HIJACKTHIS[1]\HIJACKTHIS.EXE
    C:\UNZIPPED\HIJACKTHIS[1]\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.worldnet.att.net/ie4/search/index.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.att.net/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by AT&T WorldNet Service
    O2 - BHO: (no name) - {EBCDDA60-2A68-11D3-8A43-0060083CFB9C} - C:\WINDOWS\SYSTEM\NZDD.DLL
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [mmpti] c:\windows\SYSTEM\m1mmpti.exe
    O4 - HKLM\..\Run: [AvconsoleEXE] C:\Program Files\McAfee\McAfee Office\McAfee VirusScan\avconsol.exe /minimize
    O4 - HKLM\..\Run: [VsStatEXE] C:\Program Files\McAfee\McAfee Office\McAfee VirusScan\VSSTAT.EXE /SHOWWARNING
    O4 - HKLM\..\Run: [McAfee Guardian] "C:\PROGRAM FILES\MCAFEE\MCAFEE SHARED COMPONENTS\GUARDIAN\CMGRDIAN.EXE" /SU
    O4 - HKLM\..\Run: [CyberMedia Agent] "C:\PROGRAM FILES\CYBERMEDIA\CMAGENT.EXE" /SU
    O4 - HKLM\..\Run: [Adaptec DirectCD] C:\PROGRA~1\CD-WRI~1\DIRECTCD\DIRECTCD.EXE
    O4 - HKLM\..\Run: [McAfeeWebScanX] C:\PROGRAM FILES\MCAFEE\MCAFEE OFFICE\MCAFEE VIRUSSCAN\WebScanX.Exe
    O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
    O4 - HKLM\..\Run: [PP3100b] C:\WINDOWS\twain_32\paprport\3100b\flatbed.exe
    O4 - HKLM\..\Run: [AccessRampMonitor] C:\PROGRAM FILES\MINDSPRING\ACCESSRAMP\ARMon32.exe
    O4 - HKLM\..\Run: [RealJukeboxSystray] C:\PROGRAM FILES\REAL\REALJUKEBOX\TSYSTRAY.EXE
    O4 - HKLM\..\Run: [CriticalUpdate] c:\windows\SYSTEM\wucrtupd.exe -startup
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [rmmon] c:\windows\SYSTEM\mprmmon.exe
    O4 - HKLM\..\RunServices: [McAfeeWebScanX] C:\PROGRAM FILES\MCAFEE\MCAFEE OFFICE\MCAFEE VIRUSSCAN\WebScanX.Exe /RUNSERVICES
    O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
    O4 - HKCU\..\Run: [Reminder] C:\Program Files\Microsoft Money\SYSTEM\reminder.exe
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
    O4 - Startup: Image & Restore.lnk = C:\Program Files\McAfee\McAfee Office\Nuts & Bolts\IMAGE32.exe
    O4 - Startup: RealDownload.lnk = C:\Program Files\Real\RealDownload\REALDOWNLOAD.EXE
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O12 - Plugin for .mov: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
    O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
    O12 - Plugin for .pdf: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
    O16 - DPF: {EE8B6D5F-FEF2-11D0-B13F-00A024798EF3} (Microsoft Search Settings Control) - http://home.microsoft.com/search/lobby/searchsettings.cab
    O16 - DPF: {02466323-75ED-11CF-A267-0020AF2546EA} (VivoActive Control) - http://vivo.real.com/dldv2/vvweb.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {2FF18E10-DE11-11D1-8161-00A0C90DD90C} (MSNBC News Menu Control 3.0) - http://www.msnbc.com/download/nm0713.cab
    O16 - DPF: {4E330863-6A11-11D0-BFD8-006097237877} (InstallFromTheWeb ActiveX Control) - http://auinst.duc.auburn.edu/auinst/cabfiles/iftwv2.cab
    O16 - DPF: {0122955E-1FB0-11D2-A238-006097FAEE8B} (CscClnt Class) - http://central1.clevercontent.com/cccabs/CleverContent.cab
    O16 - DPF: {2FF18E20-DE11-11D1-8161-00A0C90DD90C} (MSNBC News Menu Control 3.01) - http://www.msnbc.com/download/nm1228.cab
    O16 - DPF: {72C23FEC-3AF9-48FC-9597-241A8EBDFE0A} (InstallShield International Setup Player) - http://ftp.hp.com/pub/automatic/player/isetupML.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?38145.9613078704
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
     
  9. IMM

    IMM Spyware Fighter

    Joined:
    May 6, 2004
    Posts:
    351
    Looks ok except for the NZDD.DLL reference

    You might try AdAware for that:
    --------
    Download the latest version of Ad-Aware at http://www.lavasoftusa.com/support/download/
    After installing AAW, and before running the program, you NEED to FIRST update the reference file following these instructions.
    Now do the following:
    - Under Ad-aware 6 > Settings (Gear at the top) > Tweaks > Scanning Engine:
    check: "Unload recognized processes during scanning."
    - Under Ad-aware 6 > Settings (Gear at the top) > Tweaks > Cleaning Engine:
    Check: "Let Windows remove files in use after reboot."

    Press "Scan Now"
    - Check option "Use Custom scanning options"
    - Check option "Activate In-Depth Scan"
    - Press "Select drives\folders to scan"
    - Select the active partition which is usually C:

    Now press "Next" to let Ad-aware scan your drives...
    It will find a number of "bad" files and registry keys.
    Right-click in that pane and choose "select all"

    Now press "Next" again.
    It will ask you whether you'd like to remove all checked items. Click OK.

    Finally, close Ad-Aware, and reboot.
    ---------

    Let me know if it comes back - or if you find the file I referred to.
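    The check IMM does by eye on the log above, as an added example (not HijackThis's or the forum's own code): parse the R0/R1 and O2 lines, then apply the assumed heuristic that an unnamed BHO loaded from the Windows system directory rather than from under Program Files is the entry to look at first, and confirm the start page belongs to the expected domain.

```python
import re

# Constructed sample: a subset of the R0/R1/O2 lines from the log posted above.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.worldnet.att.net/ie4/search/index.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.att.net/
O2 - BHO: (no name) - {EBCDDA60-2A68-11D3-8A43-0060083CFB9C} - C:\WINDOWS\SYSTEM\NZDD.DLL
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
""".strip()

R_LINE = re.compile(r"^R[01] - (?P<key>.+?),(?P<value>[^=]+?) = (?P<data>.+)$")
O2_LINE = re.compile(r"^O2 - BHO: (?P<name>.+?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.+)$")


def parse_hjt(text):
    """Return ({IE setting: value}, [BHO dicts]); other HJT sections are skipped."""
    settings, bhos = {}, []
    for line in text.splitlines():
        line = line.strip()
        if m := R_LINE.match(line):
            settings[m["value"].strip()] = m["data"].strip()
        elif m := O2_LINE.match(line):
            bhos.append({"name": m["name"], "clsid": m["clsid"].upper(), "path": m["path"]})
    return settings, bhos


def suspicious_bhos(bhos):
    """Heuristic (an assumption, not a HijackThis rule): an unnamed BHO whose DLL
    sits in the Windows system directory, like NZDD.DLL above, is checked first."""
    hits = []
    for b in bhos:
        p = b["path"].upper()
        in_system_dir = "\\WINDOWS\\SYSTEM\\" in p or "\\WINDOWS\\SYSTEM32\\" in p
        if b["name"] == "(no name)" and in_system_dir:
            hits.append(b["path"])
    return hits


def homepage_hijacked(settings, expected_domain):
    """True when the R0 start page host is not the expected domain or a subdomain of it."""
    start = settings.get("Start Page", "")
    host = re.sub(r"^https?://", "", start).split("/")[0].lower()
    return host != expected_domain and not host.endswith("." + expected_domain)


if __name__ == "__main__":
    ie, bhos = parse_hjt(SAMPLE_LOG)
    print("suspicious BHOs:", suspicious_bhos(bhos))  # ['C:\\WINDOWS\\SYSTEM\\NZDD.DLL']
    print("homepage hijacked:", homepage_hijacked(ie, "att.net"))  # False
```

    The same heuristic would have flagged nothing in a clean log and the start-page check would have returned True while the homepage still pointed at greatsearch.biz.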
     