Please help...!

Discussion in 'adware, spyware & hijack cleaning' started by kay_timmons, Jun 1, 2004.

Thread Status:
Not open for further replies.
  1. kay_timmons

    kay_timmons Registered Member

    Joined:
    Jun 1, 2004
    Posts:
    4
    I ran Ad-Aware, Spybot, CWShredder, and still annoying pop-ups come on that start to load something, my browser's start page becomes allaboutsearch.com, and sometimes when I'm surfing the net it redirects to spotresults.com or zestyfind...

    Below is my HJT log, any help would be greatly appreciated...

    Logfile of HijackThis v1.97.7
    Scan saved at AM 10:37:53, on 2004/06/01
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\WINDOWS\System32\igfxtray.exe
    C:\WINDOWS\System32\hkcmd.exe
    C:\Program Files\Apoint2K\Apoint.exe
    C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
    C:\Program Files\TOSHIBA\Power Management\CePMTray.exe
    C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
    C:\toshiba\ivp\ism\pinger.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\WINDOWS\System32\atwtusb.exe
    C:\Program Files\Microangelo\muamgr.exe
    C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
    C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
    C:\Program Files\ltmoh\Ltmoh.exe
    C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
    C:\Program Files\EzButton\CPLDBL10.EXE
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\PROGRA~1\TIMEEX~1\This mags.exe
    C:\Program Files\HP DVD\Umbrella\DVDTray.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\Popup Eliminator\Popup Eliminator.exe
    C:\PROGRA~1\Yahoo!J\MESSEN~1\YPagerJ.exe
    C:\WINDOWS\system32\RAMASST.exe
    C:\Program Files\Toshiba\Power Management\CeEPwrSvc.exe
    C:\DOCUME~1\OMINAK~1\LOCALS~1\Temp\setup.exe
    C:\Program Files\Apoint2K\Apntex.exe
    C:\WINDOWS\System32\DVDRAMSV.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\WINDOWS\System32\conime.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\Program Files\AIM95\aim.exe
    C:\Downloads\hjt\HijackThis.exe
    C:\Program Files\Messenger\msmsgs.exe

    F0 - system.ini: Shell=
    F0 - REG:system.ini: Shell=
    F0 - REG:system.ini: UserInit=
    O1 - Hosts: 207.36.196.189 ieautosearch
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_12_0.dll
    O3 - Toolbar: Popup Eliminator - {F50CE767-AE72-45EB-AECD-E8786C240373} - C:\Program Files\Popup Eliminator\PEToolBar490.dll
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
    O4 - HKLM\..\Run: [CeEKEY] C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
    O4 - HKLM\..\Run: [CeEPOWER] C:\Program Files\TOSHIBA\Power Management\CePMTray.exe
    O4 - HKLM\..\Run: [TPNF] C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
    O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
    O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
    O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
    O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
    O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [atwtusb] atwtusb.exe beta
    O4 - HKLM\..\Run: [MOD] C:\Program Files\Microangelo\muamgr.exe
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
    O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
    O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
    O4 - HKLM\..\Run: [CPLDBL10] C:\Program Files\EzButton\CPLDBL10.EXE
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [Fork glue] C:\PROGRA~1\TIMEEX~1\This mags.exe
    O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [DVDTray] "C:\Program Files\HP DVD\Umbrella\DVDTray.exe"
    O4 - HKLM\..\Run: [DVDBitSet] "C:\Program Files\HP DVD\Umbrella\DVDBitSet.exe" /NOUI
    O4 - HKLM\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [PopupEliminator] C:\Program Files\Popup Eliminator\Popup Eliminator.exe /min
    O4 - HKCU\..\Run: [msmc] C:\WINDOWS\System32\msmc.exe
    O4 - HKCU\..\Run: [Yahoo!Japan Pager] C:\PROGRA~1\Yahoo!J\MESSEN~1\YPagerJ.exe
    O4 - HKLM\..\RunOnce: [KB837272] "C:\WINDOWS\INF\unregmp2.exe" /UpdateWMP
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: loader.exe
    O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
    O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
    O9 - Extra button: Research (HKLM)
    O9 - Extra button: Popup Eliminator (HKLM)
    O9 - Extra 'Tools' menuitem: Popup Eliminator (HKLM)
    O9 - Extra button: AIM (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
    O16 - DPF: Yahoo! Chat JP 2 - http://cs.chat.yahoo.co.jp/c302/chat.cab
    O16 - DPF: Yahoo! JAPAN Othello - http://yog34.games.mci.yahoo.co.jp/yog/yj/rt1_x.cab
    O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://tdserver.bitstream.com/tdserver.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {2C079F28-EE92-4700-A44B-AF5FA285FCCA} (HanGamePluginJP16 Class) - http://down.hangame.co.jp/jp/dist/hgstart/HanGamePluginJP16.cab
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0401.cab
    O16 - DPF: {3F55279D-1F21-11D4-8550-005004BBFA86} (ExecProgram Control) - http://gamepot.goo.ne.jp/ActiveX/Exec/JpnExecProgram.ocx
    O16 - DPF: {4A88CB42-BBFE-496A-884F-98E8AC316292} (YJInstStarter Control) - http://dl.msg.yahoo.co.jp/pgdownload/yjinst.cab
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/13ca9792196742c76705/netzip/RdxIE601.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004033001/housecall.antivirus.com/housecall/xscan53.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37968.9990393519
    O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yse/ymmapi_416.dll
    O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/autocomplete.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {DDFFA75A-E81D-4454-89FC-B9FD0631E726} - http://www.bundleware.com/activeX/DS3/DS3.cab
    O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/hpdj/en/check/qdiagh.cab?315
     
  2. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    Hi kay_timmons,

    Check the following items in HijackThis.
    Close all windows except HijackThis and click Fix checked:

    O1 - Hosts: 207.36.196.189 ieautosearch

    O4 - HKLM\..\Run: [Fork glue] C:\PROGRA~1\TIMEEX~1\This mags.exe

    O4 - HKLM\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe

    O4 - HKCU\..\Run: [msmc] C:\WINDOWS\System32\msmc.exe

    O4 - HKLM\..\RunOnce: [KB837272] "C:\WINDOWS\INF\unregmp2.exe" /UpdateWMP

    O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://tdserver.bitstream.com/tdserver.cab

    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/13ca9792196742c76705/netzip/RdxIE601.cab

    O16 - DPF: {DDFFA75A-E81D-4454-89FC-B9FD0631E726} - http://www.bundleware.com/activeX/DS3/DS3.cab

    Then reboot into safe mode and delete:
    C:\Program Files\TV Media <= entire folder
    C:\WINDOWS\System32\msmc.exe
    C:\Program Files\TIMEEX~1 <= entire folder that holds This mags.exe

    Then boot normally and download VX2Finder from this link:
    http://tools.zerosrealm.com/VX2Finder.exe


    Run Vx2Finder click on the *click to find VX2.BetterInternet* button. Then click *make log*.

    Copy and paste the contents of the log into your next reply here.

    Regards,

    Pieter
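The reply above is doing triage by eye: a hosts entry that points a name at a remote address, Run entries that launch from an installer-style short-name folder or from System32 under the per-user hive, a Global Startup item with no path at all, and ActiveX (O16) downloads from a domain nobody recognises. The script below is an added example, not part of the thread and not HijackThis code, that applies the same structural checks to a log offline. The log excerpt is constructed from a few lines of the first log posted above, and the trusted-host list and the heuristics are my assumptions. It deliberately knows no names: an entry such as TV Media passes every structural check and is caught only by the experience the helper brings, so treat the output as a shortlist, not a verdict.

```python
import re
from urllib.parse import urlsplit

# Constructed excerpt: a handful of lines from the first log posted above,
# enough to exercise each heuristic. Not a complete log.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
C:\DOCUME~1\OMINAK~1\LOCALS~1\Temp\setup.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe

O1 - Hosts: 207.36.196.189 ieautosearch
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Fork glue] C:\PROGRA~1\TIMEEX~1\This mags.exe
O4 - HKCU\..\Run: [msmc] C:\WINDOWS\System32\msmc.exe
O4 - Global Startup: loader.exe
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {DDFFA75A-E81D-4454-89FC-B9FD0631E726} - http://www.bundleware.com/activeX/DS3/DS3.cab
""".strip()

LOOPBACK = {"127.0.0.1", "0.0.0.0", "::1"}
TEMP_MARKERS = ("\\locals~1\\temp\\", "\\local settings\\temp\\", "\\windows\\temp\\")
# Assumption: hosts from which the reviewer accepts ActiveX (O16) downloads.
TRUSTED_DPF_HOSTS = {
    "fpdownload.macromedia.com",
    "download.macromedia.com",
    "v4.windowsupdate.microsoft.com",
}


def exe_path(cmd):
    """Return the program part of an autorun command line, without arguments or quotes."""
    cmd = cmd.strip()
    if " = " in cmd:                       # "name.lnk = C:\path\target.exe"
        cmd = cmd.split(" = ", 1)[1]
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    m = re.match(r"(.*?\.exe)(?:\s|$)", cmd, re.I)
    return m.group(1) if m else cmd.split()[0]


def path_reasons(path):
    """Structural red flags for a program path, independent of its name."""
    low = path.lower()
    reasons = []
    if "\\" not in path:
        reasons.append("bare file name, found through the search path")
    if any(marker in low for marker in TEMP_MARKERS):
        reasons.append("runs from a Temp directory")
    if "~" in low:
        reasons.append("8.3 short-name directory, typical of a dropped installer")
    return reasons


def triage(log_text):
    """Return (line, reason) pairs for log entries that deserve a second look."""
    findings = []
    in_processes = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "Running processes:":
            in_processes = True
            continue
        if re.match(r"[A-Z]\d{1,2} - ", line):   # first HJT item ends the process list
            in_processes = False
        reasons = []
        if in_processes:
            reasons = path_reasons(line)
        elif line.startswith("O1 - Hosts:"):
            ip, name = line.split(":", 1)[1].split()[:2]
            if ip not in LOOPBACK:
                reasons.append(f"hosts file sends {name} to {ip}")
        elif line.startswith("O4 - "):
            location, _, cmd = line[5:].partition(": ")
            if cmd.startswith("["):
                _, _, cmd = cmd.partition("] ")
            path = exe_path(cmd)
            reasons = path_reasons(path)
            if location.startswith("HKCU") and "\\system32\\" in path.lower():
                reasons.append("per-user autorun of a System32 binary")
        elif line.startswith("O16 - DPF:"):
            host = urlsplit(line.rsplit(" - ", 1)[1]).hostname or ""
            if host not in TRUSTED_DPF_HOSTS:
                reasons.append(f"ActiveX download from unlisted host {host}")
        findings.extend((line, reason) for reason in reasons)
    return findings


if __name__ == "__main__":
    for line, reason in triage(SAMPLE_LOG):
        print(f"{reason:55} {line}")
```

Run it against a full saved log (`triage(open("hijackthis.log").read())`) and every line the reply above asked to fix, apart from TV Media and the RunOnce entry, shows up with a reason. The process list is checked with the same rules as the Run keys, which is what surfaces the `Temp\setup.exe` that is running but has no autorun entry in the log at all.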
     
  3. kay_timmons

    kay_timmons Registered Member

    Joined:
    Jun 1, 2004
    Posts:
    4
    Thank you for the reply. I ran the file and got this.

    Log for VX2.BetterInternet File Finder

    Files Found---


    Guardian Key--- is called: GuardianWWFHG
    Asynchronous 000
    DllName C:\WINDOWS\system32\6no4svc.dll
    Impersonate 000
    Logon WinLogon
    Logoff WinLogoff
    Version 124
    ID {A86DF960-4534-4BA4-A739-93CEB1A45237}
    IDex DS3

    User Agent String---
    {A86DF960-4534-4BA4-A739-93CEB1A45237}
     
  4. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    Ow, that's easy. I think No files found o_O

    Stay off the net until all files are deleted (second reboot)

    Open VX2Finder and click on the *click to find VX2.BetterInternet* button.

    Then select the *Delete these files* button.
    You will be left with a notice about one to be deleted on reboot.
    It will ask to reboot on deletion of the last file (do that)

    After that last file is gone go to
    Start > run > type regedit enter and Navigate to :

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\GuardianWWFHG

    (Note : the five letters in caps at the end may have changed [WWFHG] but it will still start with Guardian)

    Right click on the GuardianWWFHG key and select delete.
    Close Regedit.
    Reboot.

    Open VX2Finder again and select:
    User Agent$ > yes to confirm delete.
    and then
    Restore Policy

    Exit and reboot.

    Run Vx2Finder once more and click on the *click to find VX2.BetterInternet* button. Then click *make log*.
    Post it here with a fresh HijackThis log please.

    Regards,

    Pieter
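Why this one needs a reboot and a registry edit rather than a plain delete: the key VX2Finder found sits under Winlogon\Notify, and every DLL registered there is loaded into winlogon.exe (which runs as LocalSystem) at startup, before any user logs on. The file is therefore in use for the whole session, which is why the tool defers the last deletion to the next boot, and the key must go as well or Winlogon will try to load the DLL again. The reply also warns that the five-letter suffix after "Guardian" varies, so the check should key on the prefix and on what a clean system normally carries, not on the exact name. The script below is an added example, not part of the thread or of VX2Finder: it reads a `reg export` of the Notify key, reports every package that is not in a baseline set, and writes the `.reg` that deletes the flagged keys. The export text is constructed to match what the VX2Finder log above reports, and the baseline list is my assumption about a stock Windows XP install; vendor packages such as Intel's igfxcui will also show as "not in baseline" and need a look before anything is deleted.

```python
NOTIFY_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify"

# Assumption: notification packages present on a clean Windows XP install.
# Lower-case for comparison; registry key names are case-insensitive.
BASELINE = {"crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
            "sclgntfy", "senslogn", "termsrv", "wlballoon"}

# Constructed export, shaped like what `reg export` writes for the Notify key:
# one stock package plus the Guardian key from the VX2Finder log above.
SAMPLE_EXPORT = r"""
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"="crypt32.dll"
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\GuardianWWFHG]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\6no4svc.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Version"=dword:0000007c
""".strip()


def parse_reg(text):
    """Minimal .reg reader: {key: {value name: value}} for REG_SZ and REG_DWORD."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and line.startswith('"'):
            name, _, rhs = line[1:].partition('"=')
            if rhs.startswith("dword:"):
                keys[current][name] = int(rhs[6:], 16)
            elif len(rhs) >= 2 and rhs.startswith('"') and rhs.endswith('"'):
                # .reg escapes backslashes and quotes inside string values
                keys[current][name] = rhs[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    return keys


def audit_notify(text):
    """Return (package, dll, note) for every Notify package outside the baseline."""
    prefix = NOTIFY_KEY.lower() + "\\"
    findings = []
    for key, values in parse_reg(text).items():
        if not key.lower().startswith(prefix):
            continue
        package = key[len(prefix):]
        if package.lower() in BASELINE:
            continue
        dll = next((v for n, v in values.items() if n.lower() == "dllname"), "")
        notes = ["not in baseline"]
        if package.lower().startswith("guardian"):
            notes.append("Guardian* name used by VX2.BetterInternet")
        if "\\" in dll:
            notes.append("full path rather than a bare System32 file name")
        findings.append((package, dll, "; ".join(notes)))
    return findings


def removal_reg(findings):
    """Emit a .reg file that deletes the flagged keys (a leading '-' deletes a key)."""
    lines = ["Windows Registry Editor Version 5.00", ""]
    for package, _, _ in findings:
        lines.append(f"[-{NOTIFY_KEY}\\{package}]")
        lines.append("")
    return "\n".join(lines)


if __name__ == "__main__":
    found = audit_notify(SAMPLE_EXPORT)
    for package, dll, note in found:
        print(f"{package}: {dll} ({note})")
    print(removal_reg(found))
```

On a real machine export the key first (`reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify" notify.reg`, and open it with `encoding="utf-16"` since `reg export` writes UTF-16), read the findings, and only then import the generated removal file. Keep the original export: it is the record of which DLL was registered, which is what you need when deciding what to delete from System32 after the reboot.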
     
  5. kay_timmons

    kay_timmons Registered Member

    Joined:
    Jun 1, 2004
    Posts:
    4
    I did as you told me, and here's my vx2.log

    Log for VX2.BetterInternet File Finder

    Files Found---


    Guardian Key--- is called:

    User Agent String---


    and my hjt log.


    Logfile of HijackThis v1.97.7
    Scan saved at AM 07:00:46, on 2004/06/02
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\WINDOWS\System32\igfxtray.exe
    C:\WINDOWS\System32\hkcmd.exe
    C:\Program Files\Apoint2K\Apoint.exe
    C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
    C:\Program Files\TOSHIBA\Power Management\CePMTray.exe
    C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
    C:\toshiba\ivp\ism\pinger.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\WINDOWS\System32\atwtusb.exe
    C:\Program Files\Microangelo\muamgr.exe
    C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
    C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
    C:\Program Files\ltmoh\Ltmoh.exe
    C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
    C:\Program Files\EzButton\CPLDBL10.EXE
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
    C:\Program Files\HP DVD\Umbrella\DVDTray.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\Popup Eliminator\Popup Eliminator.exe
    C:\Program Files\Apoint2K\Apntex.exe
    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\loader.exe
    C:\WINDOWS\system32\RAMASST.exe
    C:\DOCUME~1\OMINAK~1\LOCALS~1\Temp\setup.exe
    C:\WINDOWS\System32\conime.exe
    C:\Program Files\Toshiba\Power Management\CeEPwrSvc.exe
    C:\WINDOWS\System32\DVDRAMSV.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Downloads\vx2finder\VX2Finder.exe
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\Downloads\hjt\HijackThis.exe
    C:\Program Files\HP DVD\Umbrella\DVDCheck.exe

    F0 - system.ini: Shell=
    F0 - REG:system.ini: Shell=
    F0 - REG:system.ini: UserInit=
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_12_0.dll
    O3 - Toolbar: Popup Eliminator - {F50CE767-AE72-45EB-AECD-E8786C240373} - C:\Program Files\Popup Eliminator\PEToolBar490.dll
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
    O4 - HKLM\..\Run: [CeEKEY] C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
    O4 - HKLM\..\Run: [CeEPOWER] C:\Program Files\TOSHIBA\Power Management\CePMTray.exe
    O4 - HKLM\..\Run: [TPNF] C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
    O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
    O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
    O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
    O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
    O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [atwtusb] atwtusb.exe beta
    O4 - HKLM\..\Run: [MOD] C:\Program Files\Microangelo\muamgr.exe
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
    O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
    O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
    O4 - HKLM\..\Run: [CPLDBL10] C:\Program Files\EzButton\CPLDBL10.EXE
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [DVDTray] "C:\Program Files\HP DVD\Umbrella\DVDTray.exe"
    O4 - HKLM\..\Run: [DVDBitSet] "C:\Program Files\HP DVD\Umbrella\DVDBitSet.exe" /NOUI
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [PopupEliminator] C:\Program Files\Popup Eliminator\Popup Eliminator.exe /min
    O4 - HKCU\..\Run: [msmc] C:\WINDOWS\System32\msmc.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: loader.exe
    O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
    O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
    O9 - Extra button: Research (HKLM)
    O9 - Extra button: Popup Eliminator (HKLM)
    O9 - Extra 'Tools' menuitem: Popup Eliminator (HKLM)
    O9 - Extra button: AIM (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
    O16 - DPF: Yahoo! Chat JP 2 - http://cs.chat.yahoo.co.jp/c302/chat.cab
    O16 - DPF: Yahoo! JAPAN Othello - http://yog34.games.mci.yahoo.co.jp/yog/yj/rt1_x.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {2C079F28-EE92-4700-A44B-AF5FA285FCCA} (HanGamePluginJP16 Class) - http://down.hangame.co.jp/jp/dist/hgstart/HanGamePluginJP16.cab
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0401.cab
    O16 - DPF: {3F55279D-1F21-11D4-8550-005004BBFA86} (ExecProgram Control) - http://gamepot.goo.ne.jp/ActiveX/Exec/JpnExecProgram.ocx
    O16 - DPF: {4A88CB42-BBFE-496A-884F-98E8AC316292} (YJInstStarter Control) - http://dl.msg.yahoo.co.jp/pgdownload/yjinst.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004033001/housecall.antivirus.com/housecall/xscan53.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37968.9990393519
    O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yse/ymmapi_416.dll
    O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/autocomplete.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/hpdj/en/check/qdiagh.cab?315
     
  6. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    Excellent. Looks like you got rid of the worst problem anyway.

    Check the items listed below in HijackThis, close all windows except HijackThis and click Fix checked:

    O4 - HKCU\..\Run: [msmc] C:\WINDOWS\System32\msmc.exe

    O4 - Global Startup: loader.exe

    Then reboot into safe mode and delete:
    C:\WINDOWS\System32\msmc.exe <= if present

    Then (still in safe mode) use the Disk Cleanup utility to empty all your Temp folders.

    Regards,

    Pieter
     
  7. kay_timmons

    kay_timmons Registered Member

    Joined:
    Jun 1, 2004
    Posts:
    4
    I did everything that was instructed and I believe my problem is fixed!
    I haven't been redirected to any sites, and no weird pop-ups come on anymore!
    Thank you so much for your time and hard work!
     
  8. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands