Revop.A/morze1 on Win98SE... HijackThis log posted

Discussion in 'adware, spyware & hijack cleaning' started by drowned_in_milk, Apr 11, 2004.

  1. drowned_in_milk

    drowned_in_milk Registered Member

    Joined:
    Apr 11, 2004
    Posts:
    5
    I'm nearly certain I've been hijacked by a number of things, including Revop.A; it seems like all the things I've been having trouble with, particularly revop.a and morze1/morez5 are somehow linked to Lycos SideSearch... anyway if you guys could help me fix my comp....

    P.S. I've already run Ad-Aware 6 w/ latest update, a full system scan that took 2 hours. I thought it was gone...



    Logfile of HijackThis v1.97.7
    Scan saved at 11:17:35 PM, on 04/11/2004
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\PROGRAM FILES\GRISOFT\AVG6\AVGSERV9.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS\SYSTEM\STIMON.EXE
    C:\WINDOWS\LOADQM.EXE
    C:\PROGRAM FILES\GRISOFT\AVG6\AVGCC32.EXE
    C:\WINDOWS\SYSTEM\HPHMON04.EXE
    C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\EVNTSVC.EXE
    C:\WINDOWS\TEMP\6R0RWH.EXE
    C:\PROGRAM FILES\MOZILLA.ORG\MOZILLA\MOZILLA.EXE
    D:\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://server224.smartbotpro.net/7search/?hkcu
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://default-homepage-network.com/start.cgi?hkcu
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://default-homepage-network.com/start.cgi?hklm
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://server224.smartbotpro.net/7search/?hklm
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.comcast.net
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr/*http://www.yahoo.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=proxy.prodigy.net:8080;http=proxy.prodigy.net:8080;http=proxy.prodigy.net:8080;http=proxy.prodigy.net:8080
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = www.prodigy.net;enroll.prodigy.net;enroll-isp.prodigy.net
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://searchbar.findthewebsiteyouneed.com/
    N1 - Netscape 4: user_pref("browser.startup.homepage", "http://my.yahoo.com/"); (C:\PROGRAM FILES\NETSCAPE\Users\ldolnack\prefs.js)
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\windows\googletoolbar1.dll
    O2 - BHO: myBar BHO - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - C:\PROGRAM FILES\MYWAY\MYBAR\1.BIN\MYBAR.DLL
    O2 - BHO: MyWay Search Assistant BHO - {04079851-5845-4dea-848C-3ECD647AA554} - C:\PROGRAM FILES\MYWAY\SRCHASTT\1.BIN\MYSRCHAS.DLL
    O2 - BHO: IE Agent - {00000000-0000-0000-0000-000000000221} - C:\PROGRA~1\LYCOS\IEAGENT\CSIE.DLL
    O2 - BHO: (no name) - {B549456D-F5D0-4641-BCED-8648A0C13D83} - C:\WINDOWS\BrowserHelper.dll
    O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WINDOWS\TWAINTEC.DLL
    O2 - BHO: (no name) - {0019C3E2-DD48-4A6D-ABCD-8D32436323D9} - C:\WINDOWS\BXXS5.DLL
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\googletoolbar1.dll
    O3 - Toolbar: My &Search Bar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\PROGRAM FILES\MYWAY\MYBAR\1.BIN\MYBAR.DLL
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [OEMCLEANUP] C:\windows\OPTIONS\oemreset.exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
    O4 - HKLM\..\Run: [LoadQM] loadqm.exe
    O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
    O4 - HKLM\..\Run: [AVG_CC] C:\PROGRAM FILES\GRISOFT\AVG6\avgcc32.exe /startup
    O4 - HKLM\..\Run: [HPHmon04] C:\WINDOWS\SYSTEM\HPHMON04.EXE
    O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
    O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
    O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
    O4 - HKLM\..\Run: [thread-1g] C:\WINDOWS\SYSTEM\thread-1g.exe
    O4 - HKLM\..\Run: [bxxs5] RunDLL32.EXE C:\WINDOWS\BXXS5.DLL,DllRun
    O4 - HKLM\..\Run: [ClrSchLoader] \Progra~1\Lycos\IEagent\Loader.exe
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [Avgserv9.exe] C:\PROGRA~1\GRISOFT\AVG6\Avgserv9.exe
    O4 - HKCU\..\Run: [FltProcess] C:\WINDOWS\SYSTEM\MSINET.EXE
    O4 - HKCU\..\Run: [G7M92B69.EXE] C:\WINDOWS\G7M92B69.EXE /dk
    O4 - Startup: MKM5Y0LM.lnk = C:\WINDOWS\mkm5y0lm.exe
    O4 - Startup: 0FX4ICTI.lnk = C:\WINDOWS\0fx4icti.exe
    O4 - Startup: B3524ADY.lnk = C:\WINDOWS\b3524ady.exe
    O4 - Startup: OJ0KJ7LO.lnk = C:\WINDOWS\oj0kj7lo.exe
    O4 - Startup: G7M92B69.lnk = C:\WINDOWS\g7m92b69.exe
    O4 - Global Startup: C33YUL49.lnk = C:\WINDOWS\t83dx1d7.exe
    O4 - Global Startup: 0X5GN40F.lnk = C:\WINDOWS\0x5gn40f.exe
    O4 - Global Startup: T83DX1D7.lnk = C:\WINDOWS\t83dx1d7.exe
    O4 - Global Startup: QQ1VVVIQ.lnk = C:\WINDOWS\qq1vvviq.exe
    O4 - Global Startup: TU9TGOFL.lnk = C:\WINDOWS\tu9tgofl.exe
    O4 - Global Startup: Q0R9DIGX.lnk = C:\WINDOWS\q0r9digx.exe
    O4 - Global Startup: MORZE1.lnk = C:\WINDOWS\morze1.exe
    O4 - Global Startup: B3524ADY.lnk = C:\WINDOWS\b3524ady.exe
    O4 - Global Startup: 51LMF959.lnk = C:\WINDOWS\51lmf959.exe
    O4 - Global Startup: N2ME32L1.lnk = C:\WINDOWS\n2me32l1.exe
    O4 - Global Startup: H46MQDDK.lnk = C:\WINDOWS\h46mqddk.exe
    O4 - Global Startup: RX2AZA3Q.lnk = C:\WINDOWS\rx2aza3q.exe
    O4 - Global Startup: QZ78RH8N.lnk = C:\WINDOWS\qz78rh8n.exe
    O4 - Global Startup: 9D33Z2R6.lnk = C:\WINDOWS\9d33z2r6.exe
    O4 - Global Startup: G11YGZAN.lnk = C:\WINDOWS\g11ygzan.exe
    O4 - Global Startup: IU0BMC53.lnk = C:\WINDOWS\iu0bmc53.exe
    O4 - Global Startup: 0742XURJ.lnk = C:\WINDOWS\0742xurj.exe
    O4 - Global Startup: 50T57FP8.lnk = C:\WINDOWS\50t57fp8.exe
    O4 - Global Startup: MKM5Y0LM.lnk = C:\WINDOWS\mkm5y0lm.exe
    O4 - Global Startup: 0FX4ICTI.lnk = C:\WINDOWS\0fx4icti.exe
    O4 - Global Startup: OJ0KJ7LO.lnk = C:\WINDOWS\oj0kj7lo.exe
    O4 - Global Startup: G7M92B69.lnk = C:\WINDOWS\g7m92b69.exe
    O8 - Extra context menu item: &Google Search - res://C:\WINDOWS\GOOGLETOOLBAR1.DLL/cmsearch.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\WINDOWS\GOOGLETOOLBAR1.DLL/cmcache.html
    O8 - Extra context menu item: Si&milar Pages - res://C:\WINDOWS\GOOGLETOOLBAR1.DLL/cmsimilar.html
    O8 - Extra context menu item: Backward &Links - res://C:\WINDOWS\GOOGLETOOLBAR1.DLL/cmbacklinks.html
    O8 - Extra context menu item: Translate into English - res://C:\WINDOWS\GOOGLETOOLBAR1.DLL/cmtrans.html
    O9 - Extra 'Tools' menuitem: &AltaVista Home (HKLM)
    O9 - Extra button: Translate (HKLM)
    O9 - Extra 'Tools' menuitem: AV &Translate (HKLM)
    O9 - Extra 'Tools' menuitem: &Find Pages Linking to this URL (HKLM)
    O9 - Extra 'Tools' menuitem: Find Other Pages on this &Host (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O9 - Extra button: Net2Phone (HKLM)
    O9 - Extra 'Tools' menuitem: Net2Phone (HKLM)
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O9 - Extra button: FlashCapture (HKLM)
    O9 - Extra button: ComcastHSI (HKCU)
    O9 - Extra button: Help (HKCU)
    O9 - Extra button: Support (HKCU)
    O12 - Plugin for .swf: C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\PLUGINS\NPSWF32.dll
    O12 - Plugin for .avi: C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\PLUGINS\npavi32.dll
    O12 - Plugin for .asp: C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\PLUGINS\nppdf32.dll
    O12 - Plugin for .asf: C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\PLUGINS\npdsplay.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.comcast.net
    O16 - DPF: Win32 Classes - file://c:\windows\Java\classes\win32ie4.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: Go2CallClient - http://www.go2call.com/maindialer/CallClient.cab
    O16 - DPF: {9AF6E7AE-D248-11D2-BFAA-00805F2392C0} (Smi Class) - http://atwnt333.external.hp.com/bus-nacons/caller/SysQuery.cab
    O16 - DPF: {AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A} - http://install.wildtangent.com/bgn/partners/wtgeneric/lilostitchpinball/install.cab
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst.cab
    O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yse/ymmapi_416.dll
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...pple.com/borris/us/win/QuickTimeInstaller.exe
    O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://www.comcastsupport.com/sdccommon/download/tgctlcm.cab
    O16 - DPF: {01112B00-3E00-11D2-8470-0060089874ED} (Support.com RemoteControl Class) - http://www.comcastsupport.com/sdccommon/download/tgrc.cab
    O16 - DPF: {D6016EE7-A8FF-11D1-B37E-A4759ECD7909} (AxPulse Class) - http://www.pulse3d.com/players/english/PulsePlayerAxWin.cab
    O16 - DPF: {5CE8C9BE-B561-4311-8C03-D6F6C1CAF7E1} (CSND_AX.ctlCSND_AX) - http://h71025.www7.hp.com/support/sndetect/CSND_AX.CAB
    O16 - DPF: {F5C90925-ABBF-4475-88F5-8622B452BA9E} (Compaq System Data Class) - http://atwnt333.external.hp.com/bus-nacons/caller/SysQuery.cab
    O16 - DPF: Yahoo! Literati - http://download.games.yahoo.com/games/clients/y/tt1_x.cab
    O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/1,5,0,4262/mcfscan.cab
    O16 - DPF: {58172624-85DD-4482-9E64-02ADCA637E96} - http://www.kungfuchess.com/activex/web659.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?1060560074820
    O16 - DPF: {CE74A05D-ED12-473A-97F8-85FB0E2F479F} (dlControl.UserControl1) - http://www.nugs.net/dev/dlControl.CAB
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - http://download.toontown.com/sv1.0.9.12/ttinst.cab
    O16 - DPF: {26CBF141-7D0F-46E1-AA06-718958B6E4D2} - http://download.ebay.com/turbo_lister/US/install.cab
    O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = mydomain.com
    O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 216.127.92.38
     
  2. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    download this file (Adtomi Cleanup.zip).
    https://www.wilderssecurity.com/attachments/9x_Adtomi_Cleanup.zip for 98 or ME
    or alternatively from
    http://www.thespykiller.co.uk/downloads.htm

    It was created by Mosaic1 and is available here with her kind permission.
    Follow the instructions carefully.

    First If you have a Script Blocking Program enabled, disable it so the scripts will run.

    Unzip it to C:\Windows

    See if there is an Adtomi or Yahoo Stocks icon in your system tray; it might be a red ?? and if so right-click it and select Remove. You must be online for this part.
    --A web page from Adtomi would appear: "-uninstall was successful!"
    Then go offline.
    (Note: not all infections have this icon, so if it isn't there then don't worry, just continue to the next step.)

    Next press Ctrl+Alt+Del once to bring up Task Manager and look in Applications for the funny-named file with 8 assorted letters and numbers; it will be listed towards the bottom of the running process list in your HijackThis log. If it isn't listed in Applications, then look in the Processes tab.

    In your case the file/process to stop is: C:\WINDOWS\G7M92B69.EXE
    Then press End Task or End Process and make sure that entry has disappeared from the list.
    If you can't stop it running, then DO NOT CONTINUE; please ask for more help first. There might also be morze1 running; if so, end that process as well.

    Now locate and Double Click Cleanup.bat that is in the folder you unzipped ( C:\Windows\Adtomi Cleanup )

    ***Do not Touch the VBS files. The bat file will run the scripts.

    Make sure all Browser and folder windows are closed and it will do everything automatically for you.

    It will remove the Adtomi Spyware files from the Windows Folder
    Clean the Startup Folders
    Create Backups of the Adtomi exe files it deletes and save them in this folder
    Create a list of all oddly named files deleted from the Windows Folder
    Uninstall the BHO
    Start HijackThis and give you directions on what to remove.

    When you have finished please restart the computer.

    Run HijackThis again and post the contents of your new log and the contents of Adtomi.txt in your next reply in your Forum Topic.
    There is a lot else to clear up, but this must be done in stages.
     
  3. Unregistered

    Unregistered Guest

    Thanks a bunch! Note I'm also getting messages about some small.4.bq trojan... but I think I nabbed this NASTY Adtomi thing :) I rebooted and ran HijackThis (I still see that loader.exe though).

    Logfile of HijackThis v1.97.7
    Scan saved at 8:48:51 AM, on 04/12/2004
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\PROGRAM FILES\GRISOFT\AVG6\AVGSERV9.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS\SYSTEM\STIMON.EXE
    C:\WINDOWS\LOADQM.EXE
    C:\PROGRAM FILES\BROADJUMP\CLIENT FOUNDATION\CFD.EXE
    C:\PROGRAM FILES\GRISOFT\AVG6\AVGCC32.EXE
    C:\WINDOWS\SYSTEM\HPHMON04.EXE
    C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\EVNTSVC.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\PROGRAM FILES\MOZILLA.ORG\MOZILLA\MOZILLA.EXE
    C:\PROGRAM FILES\TRILLIAN\TRILLIAN.EXE
    D:\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://server224.smartbotpro.net/7search/?hkcu
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://default-homepage-network.com/start.cgi?hkcu
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://default-homepage-network.com/start.cgi?hklm
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://server224.smartbotpro.net/7search/?hklm
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.comcast.net
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr/*http://www.yahoo.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=proxy.prodigy.net:8080;http=proxy.prodigy.net:8080;http=proxy.prodigy.net:8080;http=proxy.prodigy.net:8080
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = www.prodigy.net;enroll.prodigy.net;enroll-isp.prodigy.net
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://searchbar.findthewebsiteyouneed.com/
    N1 - Netscape 4: user_pref("browser.startup.homepage", "http://my.yahoo.com/"); (C:\PROGRAM FILES\NETSCAPE\Users\ldolnack\prefs.js)
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\windows\googletoolbar1.dll
    O2 - BHO: myBar BHO - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - C:\PROGRAM FILES\MYWAY\MYBAR\1.BIN\MYBAR.DLL
    O2 - BHO: MyWay Search Assistant BHO - {04079851-5845-4dea-848C-3ECD647AA554} - C:\PROGRAM FILES\MYWAY\SRCHASTT\1.BIN\MYSRCHAS.DLL
    O2 - BHO: IE Agent - {00000000-0000-0000-0000-000000000221} - C:\PROGRA~1\LYCOS\IEAGENT\CSIE.DLL
    O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WINDOWS\TWAINTEC.DLL
    O2 - BHO: (no name) - {0019C3E2-DD48-4A6D-ABCD-8D32436323D9} - C:\WINDOWS\BXXS5.DLL
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\googletoolbar1.dll
    O3 - Toolbar: My &Search Bar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\PROGRAM FILES\MYWAY\MYBAR\1.BIN\MYBAR.DLL
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [OEMCLEANUP] C:\windows\OPTIONS\oemreset.exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
    O4 - HKLM\..\Run: [LoadQM] loadqm.exe
    O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
    O4 - HKLM\..\Run: [AVG_CC] C:\PROGRAM FILES\GRISOFT\AVG6\avgcc32.exe /startup
    O4 - HKLM\..\Run: [HPHmon04] C:\WINDOWS\SYSTEM\HPHMON04.EXE
    O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
    O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
    O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
    O4 - HKLM\..\Run: [thread-1g] C:\WINDOWS\SYSTEM\thread-1g.exe
    O4 - HKLM\..\Run: [bxxs5] RunDLL32.EXE C:\WINDOWS\BXXS5.DLL,DllRun
    O4 - HKLM\..\Run: [ClrSchLoader] \Progra~1\Lycos\IEagent\Loader.exe
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [Avgserv9.exe] C:\PROGRA~1\GRISOFT\AVG6\Avgserv9.exe
    O4 - HKCU\..\Run: [FltProcess] C:\WINDOWS\SYSTEM\MSINET.EXE
    O8 - Extra context menu item: &Google Search - res://C:\WINDOWS\GOOGLETOOLBAR1.DLL/cmsearch.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\WINDOWS\GOOGLETOOLBAR1.DLL/cmcache.html
    O8 - Extra context menu item: Si&milar Pages - res://C:\WINDOWS\GOOGLETOOLBAR1.DLL/cmsimilar.html
    O8 - Extra context menu item: Backward &Links - res://C:\WINDOWS\GOOGLETOOLBAR1.DLL/cmbacklinks.html
    O8 - Extra context menu item: Translate into English - res://C:\WINDOWS\GOOGLETOOLBAR1.DLL/cmtrans.html
    O9 - Extra 'Tools' menuitem: &AltaVista Home (HKLM)
    O9 - Extra button: Translate (HKLM)
    O9 - Extra 'Tools' menuitem: AV &Translate (HKLM)
    O9 - Extra 'Tools' menuitem: &Find Pages Linking to this URL (HKLM)
    O9 - Extra 'Tools' menuitem: Find Other Pages on this &Host (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O9 - Extra button: Net2Phone (HKLM)
    O9 - Extra 'Tools' menuitem: Net2Phone (HKLM)
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O9 - Extra button: FlashCapture (HKLM)
    O9 - Extra button: ComcastHSI (HKCU)
    O9 - Extra button: Help (HKCU)
    O9 - Extra button: Support (HKCU)
    O12 - Plugin for .swf: C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\PLUGINS\NPSWF32.dll
    O12 - Plugin for .avi: C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\PLUGINS\npavi32.dll
    O12 - Plugin for .asp: C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\PLUGINS\nppdf32.dll
    O12 - Plugin for .asf: C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\PLUGINS\npdsplay.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.comcast.net
    O16 - DPF: Win32 Classes - file://c:\windows\Java\classes\win32ie4.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: Go2CallClient - http://www.go2call.com/maindialer/CallClient.cab
    O16 - DPF: {9AF6E7AE-D248-11D2-BFAA-00805F2392C0} (Smi Class) - http://atwnt333.external.hp.com/bus-nacons/caller/SysQuery.cab
    O16 - DPF: {AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A} - http://install.wildtangent.com/bgn/partners/wtgeneric/lilostitchpinball/install.cab
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst.cab
    O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yse/ymmapi_416.dll
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...pple.com/borris/us/win/QuickTimeInstaller.exe
    O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://www.comcastsupport.com/sdccommon/download/tgctlcm.cab
    O16 - DPF: {01112B00-3E00-11D2-8470-0060089874ED} (Support.com RemoteControl Class) - http://www.comcastsupport.com/sdccommon/download/tgrc.cab
    O16 - DPF: {D6016EE7-A8FF-11D1-B37E-A4759ECD7909} (AxPulse Class) - http://www.pulse3d.com/players/english/PulsePlayerAxWin.cab
    O16 - DPF: {5CE8C9BE-B561-4311-8C03-D6F6C1CAF7E1} (CSND_AX.ctlCSND_AX) - http://h71025.www7.hp.com/support/sndetect/CSND_AX.CAB
    O16 - DPF: {F5C90925-ABBF-4475-88F5-8622B452BA9E} (Compaq System Data Class) - http://atwnt333.external.hp.com/bus-nacons/caller/SysQuery.cab
    O16 - DPF: Yahoo! Literati - http://download.games.yahoo.com/games/clients/y/tt1_x.cab
    O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/1,5,0,4262/mcfscan.cab
    O16 - DPF: {58172624-85DD-4482-9E64-02ADCA637E96} - http://www.kungfuchess.com/activex/web659.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?1060560074820
    O16 - DPF: {CE74A05D-ED12-473A-97F8-85FB0E2F479F} (dlControl.UserControl1) - http://www.nugs.net/dev/dlControl.CAB
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - http://download.toontown.com/sv1.0.9.12/ttinst.cab
    O16 - DPF: {26CBF141-7D0F-46E1-AA06-718958B6E4D2} - http://download.ebay.com/turbo_lister/US/install.cab
    O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = mydomain.com
    O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 216.127.92.38


    04/12/2004 8:23:19 AM
    C:\WINDOWS\5xil3fm0.exe
    C:\WINDOWS\kxqydcp7.exe
    C:\WINDOWS\ak6g0wg1.exe
    C:\WINDOWS\lj7vtw0j.exe
    C:\WINDOWS\14efl8pn.exe
    C:\WINDOWS\giw41coy.exe
    C:\WINDOWS\ibyo3638.exe
    C:\WINDOWS\58190w9f.exe
    C:\WINDOWS\ennj17jb.exe
    C:\WINDOWS\51lmf959.exe
    C:\WINDOWS\323w26lj.exe
    C:\WINDOWS\52hcfrzj.exe
    C:\WINDOWS\50t57fp8.exe
    C:\WINDOWS\0fx4icti.exe
    C:\WINDOWS\oj0kj7lo.exe
    C:\WINDOWS\g7m92b69.exe
    C:\WINDOWS\ax2q6cld.exe


    04/12/2004 8:23:42 AM
    No Larger Files Found

    04/12/2004 8:24:15 AM
    C:\WINDOWS\bl6nn0ny.exe
    C:\WINDOWS\ym517jvn.exe
    C:\WINDOWS\ktb0g1nj.exe
    C:\WINDOWS\lli300f0.exe
    C:\WINDOWS\5i54i29j.exe
    C:\WINDOWS\calsdr.exe
    C:\WINDOWS\CS4P028.exe
    C:\WINDOWS\v51ppblm.exe




    Volume in drive C has no label
    Volume Serial Number is 3749-CDEB
    Directory of C:\WINDOWS

    !IC EXE 4 04-18-97 4:39p !ic.exe
    CONTROL EXE 2,112 04-23-99 10:22p CONTROL.EXE
    WINHELP EXE 2,416 04-23-99 10:22p WINHELP.EXE
    WINVER EXE 3,648 04-23-99 10:22p WINVER.EXE
    SCANDSKW EXE 4,896 04-23-99 10:22p SCANDSKW.EXE
    RUNDLL EXE 4,960 04-23-99 10:22p RUNDLL.EXE
    LOADQM EXE 7,536 05-03-00 5:23p LOADQM.EXE
    OEMRESET EXE 9,600 11-24-98 8:02a OEMRESET.EXE
    ITIDMI16 EXE 10,592 03-31-03 7:52p itidmi16.exe
    PROTMAN EXE 14,952 05-11-98 7:01p PROTMAN.EXE
    INSSCR EXE 16,384 04-12-00 1:26a InsScr.exe
    CHARMAP EXE 17,440 04-23-99 10:22p CHARMAP.EXE
    CLIPBRD EXE 18,432 04-23-99 10:22p CLIPBRD.EXE
    SETVER EXE 18,939 10-25-99 8:16a SETVER.EXE
    DC210_UN EXE 19,456 06-19-98 2:37p dc210_un.exe
    PBRUSH EXE 20,480 04-23-99 10:22p PBRUSH.EXE
    WRITE EXE 20,480 04-23-99 10:22p WRITE.EXE
    TRACERT EXE 20,480 04-23-99 10:22p TRACERT.EXE
    WINMINE EXE 24,176 04-23-99 10:22p WINMINE.EXE
    RUNDLL32 EXE 24,576 04-23-99 10:22p RUNDLL32.EXE
    PING EXE 24,576 04-23-99 10:22p PING.EXE
    UNINST~1 EXE 24,576 01-09-99 1:26p uninstaol.exe
    JAVA EXE 24,677 02-20-03 4:42p java.exe
    HH EXE 26,896 05-27-00 6:26a hh.exe
    FREECELL EXE 28,576 04-23-99 10:22p FREECELL.EXE
    ARP EXE 28,672 04-23-99 10:22p ARP.EXE
    TASKMON EXE 28,672 04-23-99 10:22p TASKMON.EXE
    JAVAW EXE 28,775 02-20-03 4:42p javaw.exe
    UNTONK EXE 30,048 09-29-95 8:37p UNTONK.EXE
    MM2ENT EXE 32,768 04-23-99 10:22p MM2ENT.EXE
    ROUTE EXE 32,768 04-23-99 10:22p ROUTE.EXE
    NETSTAT EXE 32,768 04-23-99 10:22p NETSTAT.EXE
    PREINSTT EXE 32,768 02-11-04 1:30p PREINSTT.EXE
    NBTSTAT EXE 34,543 04-23-99 10:22p NBTSTAT.EXE
    QFECHECK EXE 36,864 07-27-98 2:48p QFECHECK.EXE
    ACCSTAT EXE 36,864 04-23-99 10:22p ACCSTAT.EXE
    HPFSCHED EXE 36,864 11-22-02 11:48a hpfsched.exe
    BWUNINST EXE 38,912 06-19-98 11:27a bwUninst.exe
    GRPCONV EXE 40,128 11-05-99 12:00a GRPCONV.EXE
    PIDSET EXE 40,960 04-23-99 10:22p PIDSET.EXE
    RG2CATDB EXE 40,960 04-23-99 10:22p RG2CATDB.EXE
    REGTLIB EXE 40,960 06-01-02 7:31a REGTLIB.EXE
    WININIT EXE 41,973 04-23-99 10:22p WININIT.EXE
    VCMUI EXE 45,056 04-23-99 10:22p VCMUI.EXE
    FTP EXE 45,056 04-23-99 10:22p FTP.EXE
    MSNCREAT EXE 45,056 04-23-99 10:22p MSNCREAT.EXE
    CPQPRINT EXE 45,056 06-06-99 9:59a CpqPrint.exe
    SMARTDRV EXE 45,379 05-20-99 10:22p SMARTDRV.EXE
    UNIFISH3 EXE 45,568 05-29-99 8:08a UniFish3.exe
    TWUNK_16 EXE 48,560 05-11-98 8:01p Twunk_16.exe
    FONTVIEW EXE 49,152 04-23-99 10:22p FONTVIEW.EXE
    TASKMAN EXE 49,152 04-23-99 10:22p TASKMAN.EXE
    UNINS000 EXE 49,664 10-12-99 1:20a unins000.exe
    UNINS001 EXE 49,664 10-12-99 1:20a unins001.exe
    UNINS002 EXE 49,664 10-12-99 1:20a unins002.exe
    UNINS003 EXE 49,664 10-12-99 1:20a unins003.exe
    MSNICON EXE 53,248 05-11-98 7:01p MSNICON.EXE
    NOTEPAD EXE 53,248 04-23-99 10:22p NOTEPAD.EXE
    IPCONFIG EXE 53,248 04-23-99 10:22p IPCONFIG.EXE
    WINIPCFG EXE 53,248 04-23-99 10:22p WINIPCFG.EXE
    NETDDE EXE 56,880 04-23-99 10:22p NETDDE.EXE
    CLSPACK EXE 57,344 04-23-99 10:22p CLSPACK.EXE
    SETDEBUG EXE 57,344 04-23-99 10:22p SETDEBUG.EXE
    UPWIZUN EXE 57,344 04-23-99 10:22p UPWIZUN.EXE
    UNINST~2 EXE 58,368 11-07-01 4:25p Uninstall CDK.exe
    HTML2PDF EXE 59,904 04-19-99 1:28p html2pdf.exe
    BDL94126 EXE 59,904 03-01-04 4:02p bdl94126.exe
    BDL84126 EXE 59,904 03-01-04 4:02p bdl84126.exe
    ASD EXE 61,440 04-23-99 10:22p ASD.EXE
    MSNMGSR1 EXE 65,536 04-23-99 10:22p MSNMGSR1.EXE
    DIALER EXE 68,992 04-23-99 10:22p DIALER.EXE
    DIRECTCC EXE 69,632 04-23-99 10:22p DIRECTCC.EXE
    SNDVOL32 EXE 69,632 04-23-99 10:22p SNDVOL32.EXE
    WUPDMGR EXE 71,168 10-24-01 5:44p wupdmgr.exe
    NETWATCH EXE 73,728 04-23-99 10:22p NETWATCH.EXE
    RAUNINST EXE 76,800 05-29-99 12:38p RAUNINST.exe
    CVTAPLOG EXE 77,824 04-23-99 10:22p CVTAPLOG.EXE
    PACKAGER EXE 77,824 04-23-99 10:22p PACKAGER.EXE
    TELNET EXE 77,824 04-23-99 10:22p TELNET.EXE
    ICFIRE EXE 81,920 12-28-99 9:03a icfire.exe
    SCANREGW EXE 86,016 04-23-99 10:22p SCANREGW.EXE
    UNVISE~1 EXE 86,016 11-10-99 11:05a unvise32qt.exe
    DOSREP EXE 89,147 04-23-99 10:22p DOSREP.EXE
    UNVISE32 EXE 90,112 03-15-03 11:15p unvise32.exe
    TWUNK_32 EXE 90,112 05-11-98 8:01p Twunk_32.exe
    BWUNIN~1 EXE 90,112 02-13-03 6:33p bwUnin-6.1.0.155-8876480L.exe
    NSUNINST EXE 90,832 08-29-02 11:15p NSUninst.exe
    GREUNI~1 EXE 92,880 06-13-03 3:53p GREUninstall.exe
    MOZILL~1 EXE 92,880 06-13-03 3:54p MozillaUninstall.exe
    QTW16DEL EXE 93,504 08-27-96 2:12a QTW16DEL.EXE
    CALC EXE 94,208 04-23-99 10:22p CALC.EXE
    DEZMVMZ EXE 94,208 03-29-04 4:56a dezmvmz.exe
    ATIUPD~1 EXE 100,352 03-29-04 4:44a atiupdate5.exe
    CDPLAYER EXE 106,496 04-23-99 10:22p CDPLAYER.EXE
    HWINFO EXE 110,592 04-23-99 10:22p HWINFO.EXE
    TUNEUP EXE 110,592 04-23-99 10:22p TUNEUP.EXE
    SNDREC32 EXE 110,592 04-23-99 10:22p SNDREC32.EXE
    PROGMAN EXE 113,456 04-23-99 10:22p PROGMAN.EXE
    KODAKPRV EXE 114,688 04-23-99 10:22p KODAKPRV.EXE
    REGEDIT EXE 118,784 04-23-99 10:22p REGEDIT.EXE
    WSCRIPT EXE 118,834 06-01-02 7:31a wscript.exe
    MSHEARTS EXE 122,240 04-23-99 10:22p MSHEARTS.EXE
    A3DSPLSH EXE 122,880 12-08-98 6:08p A3DSplsh.exe
    EMM386 EXE 125,495 04-23-99 10:22p EMM386.EXE
    EZINST~1 EXE 128,277 04-10-04 9:10p eZinstall.exe
    CLEANMGR EXE 131,072 04-23-99 10:22p CLEANMGR.EXE
    SIGVERIF EXE 131,072 04-23-99 10:22p SIGVERIF.EXE
    EXTRAC32 EXE 132,608 08-17-01 12:00a EXTRAC32.EXE
    DRWATSON EXE 139,264 04-23-99 10:22p DRWATSON.EXE
    WINFILE EXE 155,424 04-23-99 10:22p WINFILE.EXE
    MPLAYER EXE 159,744 04-23-99 10:22p MPLAYER.EXE
    SOL EXE 171,392 04-23-99 10:22p SOL.EXE
    WJVIEW EXE 176,128 04-23-99 10:22p WJVIEW.EXE
    JVIEW EXE 180,224 04-23-99 10:22p JVIEW.EXE
    EXPLORER EXE 180,224 04-23-99 10:22p EXPLORER.EXE
    CPQBRAND EXE 183,296 12-10-97 2:00a Cpqbrand.exe
    SILENT EXE 186,458 04-10-04 9:07p silent.exe
    TOUR98 EXE 188,416 04-23-99 10:22p TOUR98.EXE
    0021-B~1 EXE 251,829 04-10-04 9:08p 0021-bdl94126.EXE
    BS5-NT~1 EXE 253,102 04-10-04 9:07p bs5-nt15v.exe
    DEFRAG EXE 253,952 04-23-99 10:22p DEFRAG.EXE
    WELCOME EXE 278,528 04-23-99 10:22p WELCOME.EXE
    IUN503 EXE 286,720 08-20-02 12:32p iun503.exe
    UNINST EXE 299,520 04-08-97 8:08p uninst.exe
    ISUN041E EXE 303,104 01-23-98 1:23p IsUn041e.exe
    UNIN0407 EXE 304,128 12-09-96 9:33p unin0407.exe
    ISUNINST EXE 306,688 10-29-98 4:45p IsUninst.exe
    WINHLP32 EXE 319,488 04-23-99 10:22p WINHLP32.EXE
    AOLUNI~1 EXE 335,411 10-11-00 2:18p Aolunins_us.exe
    AOLUNINS EXE 335,411 10-11-00 2:18p Aolunins.exe
    NET EXE 356,134 04-23-99 10:22p NET.EXE
    FIGHTC~1 EXE 389,228 06-01-03 11:34p Fight Club.exe
    DRVSPACE EXE 404,880 04-23-99 10:22p DRVSPACE.EXE
    EFAXVIEW EXE 410,640 12-30-03 3:01a eFaxview.exe
    WINREP EXE 438,272 04-23-99 10:22p WINREP.EXE
    KODAKIMG EXE 528,384 04-23-99 10:22p KODAKIMG.EXE
    FLASHAX EXE 535,040 12-30-02 1:49p flashax.exe
    PINKFL~1 EXE 603,943 11-22-03 9:04a Pink Floyd.exe
    CD32 EXE 633,992 10-20-98 1:32p cd32.exe
    UNNERO EXE 1,077,248 12-11-02 6:40p Unnero.exe
    PROJCTOR EXE 1,465,911 06-12-97 10:01a PROJCTOR.EXE
    BLINDNS EXE 1,514,989 07-25-95 2:35p BLINDNS.EXE
    RADIOH~1 EXE 1,528,126 03-13-04 5:36p RADIOHEAD.exe
    QTINSTAL EXE 2,037,248 08-27-96 2:12a QTINSTAL.EXE
    MATRIX~1 EXE 2,285,222 12-30-02 1:57p Matrix Code.exe
    PDFFILE EXE 3,735,552 05-03-01 7:32a pdffile.exe
    IMANISVR EXE 5,179,484 07-30-01 10:21a IMANISVR.EXE
    147 file(s) 34,556,923 bytes
    0 dir(s) 75.86 MB free


    What next, dvk01? Thanks again for your help so far!
     
  4. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    next stage is fairly straightforward

    First download CWshredder from http://www.thespykiller.co.uk then Run it
    Close all browser windows, click on the cwshredder.exe then click "FIX" (Not "Scan only") and let it do its thing.

    Now as CWS installs via the byte verifier exploit in M$ JavaVM, just surfing a page with an infected applet can install it with no user participation. So once you’ve run the above, it is vital that you go here, click Scan for updates in the main frame, and download and install all CRITICAL updates recommended.

    then reboot &
    Download and unzip or install these programs/applications if you haven't already got them. If you have them, then make sure they are updated and configured as described

    Spybot - Search & Destroy from http://security.kolla.de
    AdAware 6 from http://www.lavasoft.de/support/download


    Run Spybot S&D

    After installing, first press Online, press search for updates, then tick the updates it finds, then press download updates. Beside the download button is a little down pointed arrow, select one of the servers listed. If it doesn't work or you get an error message then try a different server

    Next, close all Internet Explorer and OE windows, press 'Check for Problems', and have SpyBot remove all it finds that is marked in RED.

    then reboot &

    Run ADAWARE

    Before you scan with AdAware, check for updates of the reference file by using the "webupdate".
    The current ref file should read at least 01R287 11.04.2004 or a higher number/later date.

    Then ........

    Make sure the following settings are made and on -------"ON=GREEN"
    From main window :Click "Start" then " Activate in-depth scan"

    then......

    click "Use custom scanning options>Customize" and have these options on: "Scan within archives" ,"Scan active processes","Scan registry", "Deep scan registry" ,"Scan my IE Favorites for banned URL" and "Scan my host-files"

    then.........

    go to settings(the gear on top of AdAware)>Tweak>Scanning engine and tick "Unload recognized processes during scanning" ...........then........"Cleaning engine" and "Let windows remove files in use at next reboot"

    then...... click "proceed" to save your settings.

    Now to scan it's just to click the "Scan" button.

    When the scan is finished, mark everything for removal and get rid of it. (Right-click the window and choose "select all" from the drop down menu) then press next and then say yes to the prompt, do you want to remove all these entries.

    reboot again

    then post a new hijackthis log to check what is left for us to clear out afterwards
     
  5. drowned_in_milk

    drowned_in_milk Registered Member

    Joined:
    Apr 11, 2004
    Posts:
    5
    Done. I think I nabbed Morze1!!! :-D I'm very very happy about this. Alas, I still have small.4.bq and 2 other trojans :-(

    Logfile of HijackThis v1.97.7
    Scan saved at 4:43:43 PM, on 04/13/2004
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\PROGRAM FILES\GRISOFT\AVG6\AVGSERV9.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS\SYSTEM\STIMON.EXE
    C:\WINDOWS\LOADQM.EXE
    C:\PROGRAM FILES\GRISOFT\AVG6\AVGCC32.EXE
    C:\WINDOWS\SYSTEM\HPHMON04.EXE
    C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\EVNTSVC.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\PROGRAM FILES\MICROSOFT OFFICE\WINWORD.EXE
    C:\WINDOWS\SYSTEM\PSTORES.EXE
    C:\PROGRAM FILES\TRILLIAN\TRILLIAN.EXE
    D:\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=proxy.prodigy.net:8080;http=proxy.prodigy.net:8080;http=proxy.prodigy.net:8080;http=proxy.prodigy.net:8080
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = www.prodigy.net;enroll.prodigy.net;enroll-isp.prodigy.net
    R3 - Default URLSearchHook is missing
    N1 - Netscape 4: user_pref("browser.startup.homepage", "http://my.yahoo.com/"); (C:\PROGRAM FILES\NETSCAPE\Users\ldolnack\prefs.js)
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\windows\googletoolbar1.dll
    O2 - BHO: myBar BHO - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - C:\PROGRAM FILES\MYWAY\MYBAR\1.BIN\MYBAR.DLL
    O2 - BHO: MyWay Search Assistant BHO - {04079851-5845-4dea-848C-3ECD647AA554} - C:\PROGRAM FILES\MYWAY\SRCHASTT\1.BIN\MYSRCHAS.DLL
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\googletoolbar1.dll
    O3 - Toolbar: My &Search Bar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\PROGRAM FILES\MYWAY\MYBAR\1.BIN\MYBAR.DLL
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [OEMCLEANUP] C:\windows\OPTIONS\oemreset.exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
    O4 - HKLM\..\Run: [LoadQM] loadqm.exe
    O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
    O4 - HKLM\..\Run: [AVG_CC] C:\PROGRAM FILES\GRISOFT\AVG6\avgcc32.exe /startup
    O4 - HKLM\..\Run: [HPHmon04] C:\WINDOWS\SYSTEM\HPHMON04.EXE
    O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
    O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
    O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
    O4 - HKLM\..\Run: [thread-1g] C:\WINDOWS\SYSTEM\thread-1g.exe
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [Avgserv9.exe] C:\PROGRA~1\GRISOFT\AVG6\Avgserv9.exe
    O4 - HKCU\..\Run: [FltProcess] C:\WINDOWS\SYSTEM\MSINET.EXE
    O8 - Extra context menu item: &Google Search - res://C:\WINDOWS\GOOGLETOOLBAR1.DLL/cmsearch.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\WINDOWS\GOOGLETOOLBAR1.DLL/cmcache.html
    O8 - Extra context menu item: Si&milar Pages - res://C:\WINDOWS\GOOGLETOOLBAR1.DLL/cmsimilar.html
    O8 - Extra context menu item: Backward &Links - res://C:\WINDOWS\GOOGLETOOLBAR1.DLL/cmbacklinks.html
    O8 - Extra context menu item: Translate into English - res://C:\WINDOWS\GOOGLETOOLBAR1.DLL/cmtrans.html
    O9 - Extra 'Tools' menuitem: &AltaVista Home (HKLM)
    O9 - Extra button: Translate (HKLM)
    O9 - Extra 'Tools' menuitem: AV &Translate (HKLM)
    O9 - Extra 'Tools' menuitem: &Find Pages Linking to this URL (HKLM)
    O9 - Extra 'Tools' menuitem: Find Other Pages on this &Host (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O9 - Extra button: Net2Phone (HKLM)
    O9 - Extra 'Tools' menuitem: Net2Phone (HKLM)
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O9 - Extra button: FlashCapture (HKLM)
    O9 - Extra button: ComcastHSI (HKCU)
    O9 - Extra button: Help (HKCU)
    O9 - Extra button: Support (HKCU)
    O12 - Plugin for .swf: C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\PLUGINS\NPSWF32.dll
    O12 - Plugin for .avi: C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\PLUGINS\npavi32.dll
    O12 - Plugin for .asp: C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\PLUGINS\nppdf32.dll
    O12 - Plugin for .asf: C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\PLUGINS\npdsplay.dll
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: Go2CallClient - http://www.go2call.com/maindialer/CallClient.cab
    O16 - DPF: {9AF6E7AE-D248-11D2-BFAA-00805F2392C0} (Smi Class) - http://atwnt333.external.hp.com/bus-nacons/caller/SysQuery.cab
    O16 - DPF: {AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A} - http://install.wildtangent.com/bgn/partners/wtgeneric/lilostitchpinball/install.cab
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst.cab
    O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yse/ymmapi_416.dll
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...pple.com/borris/us/win/QuickTimeInstaller.exe
    O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://www.comcastsupport.com/sdccommon/download/tgctlcm.cab
    O16 - DPF: {01112B00-3E00-11D2-8470-0060089874ED} (Support.com RemoteControl Class) - http://www.comcastsupport.com/sdccommon/download/tgrc.cab
    O16 - DPF: {D6016EE7-A8FF-11D1-B37E-A4759ECD7909} (AxPulse Class) - http://www.pulse3d.com/players/english/PulsePlayerAxWin.cab
    O16 - DPF: {5CE8C9BE-B561-4311-8C03-D6F6C1CAF7E1} (CSND_AX.ctlCSND_AX) - http://h71025.www7.hp.com/support/sndetect/CSND_AX.CAB
    O16 - DPF: {F5C90925-ABBF-4475-88F5-8622B452BA9E} (Compaq System Data Class) - http://atwnt333.external.hp.com/bus-nacons/caller/SysQuery.cab
    O16 - DPF: Yahoo! Literati - http://download.games.yahoo.com/games/clients/y/tt1_x.cab
    O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/1,5,0,4262/mcfscan.cab
    O16 - DPF: {58172624-85DD-4482-9E64-02ADCA637E96} - http://www.kungfuchess.com/activex/web659.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?38089.3069097222
    O16 - DPF: {CE74A05D-ED12-473A-97F8-85FB0E2F479F} (dlControl.UserControl1) - http://www.nugs.net/dev/dlControl.CAB
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - http://download.toontown.com/sv1.0.9.12/ttinst.cab
    O16 - DPF: {26CBF141-7D0F-46E1-AA06-718958B6E4D2} - http://download.ebay.com/turbo_lister/US/install.cab
    O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = mydomain.com
    O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 216.127.92.38
     
  6. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    We haven't finished yet

    please find this file and send it to me C:\WINDOWS\SYSTEM\thread-1g.exe
    send to submit@thespykiller.co.uk with a short note pointing to this thread
    then

    Run hijackthis, tick these entries listed below and ONLY these entries, double check to make sure, then make sure all browser & email windows are closed and press fix checked

    R3 - Default URLSearchHook is missing
    O2 - BHO: myBar BHO - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - C:\PROGRAM FILES\MYWAY\MYBAR\1.BIN\MYBAR.DLL
    O2 - BHO: MyWay Search Assistant BHO - {04079851-5845-4dea-848C-3ECD647AA554} - C:\PROGRAM FILES\MYWAY\SRCHASTT\1.BIN\MYSRCHAS.DLL
    O3 - Toolbar: My &Search Bar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\PROGRAM FILES\MYWAY\MYBAR\1.BIN\MYBAR.DLL

    O4 - HKLM\..\Run: [thread-1g] C:\WINDOWS\SYSTEM\thread-1g.exe
    O4 - HKCU\..\Run: [FltProcess] C:\WINDOWS\SYSTEM\MSINET.EXE
    O16 - DPF: {AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A} - http://install.wildtangent.com/bgn/...all/install.cab
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...meInstaller.exe
    O16 - DPF: {58172624-85DD-4482-9E64-02ADCA637E96} - http://www.kungfuchess.com/activex/web659.cab
    O16 - DPF: {CE74A05D-ED12-473A-97F8-85FB0E2F479F} (dlControl.UserControl1) - http://www.nugs.net/dev/dlControl.CAB
    O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - http://download.toontown.com/sv1.0.9.12/ttinst.cab
    O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = mydomain.com
    O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 216.127.92.38

    Reboot into safe mode by following instructions here: http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406
    then as some of the files or folders you need to delete may be hidden do this:
    Open Windows Explorer & Go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and untick "hide extensions for known file types". Now click "Apply to all folders"
    Click "Apply" then "OK"

    Delete these files

    C:\WINDOWS\SYSTEM\thread-1g.exe

    and Delete these folders

    C:\PROGRAM FILES\MYWAY
    then
    Reboot normally &

    Run an online antivirus check from at least one and preferably 2 of the following sites
    http://security.symantec.com/default.asp?
    http://housecall.trendmicro.com/
    http://www.pandasoftware.com/activescan/
    http://www.ravantivirus.com/scan/
    http://www3.ca.com/virusinfo/

    then let us know if it's all solved please
     
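As an added example (not code from the thread, from dvk01, or from HijackThis), here is a small Python triage pass over the log format being read above: it flags the missing URLSearchHook, O4 autorun entries outside an assumed known-good set, O16 ActiveX downloads from hosts outside an assumed trusted list, and O17 DNS/domain overrides. The sample lines are taken from this thread's log; KNOWN_AUTORUN, TRUSTED_DPF and ISP_DNS are assumptions a reviewer would tailor to the machine.

```python
"""Added example, not the thread's or HijackThis's code: a first-pass
triage over HijackThis 1.97-style log lines. Allow-lists are assumptions."""
import re
from urllib.parse import urlparse

KNOWN_AUTORUN = {"scanregw.exe", "taskmon.exe", "qttask.exe"}   # assumed
TRUSTED_DPF = ("macromedia.com", "apple.com", "microsoft.com")   # assumed
ISP_DNS = set()   # assumed: no ISP-assigned DNS servers known for this box
ENTRY = re.compile(r"^(?P<type>[RNFO]\d+) - (?P<body>.*)$")

SAMPLE_LOG = r"""
R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [thread-1g] C:\WINDOWS\SYSTEM\thread-1g.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {58172624-85DD-4482-9E64-02ADCA637E96} - http://www.kungfuchess.com/activex/web659.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 216.127.92.38
"""

def first_exe(cmd):
    """Basename of the executable in a Run value, quoted paths included."""
    m = re.match(r'\s*"([^"]+)"|\s*(\S+)', cmd)
    exe = (m.group(1) or m.group(2)) if m else cmd
    return exe.rsplit("\\", 1)[-1].lower()

def triage(log_text):
    """Return (type, reason, line) for entries that deserve a closer look."""
    hits = []
    for line in log_text.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue
        kind, body = m.group("type"), m.group("body")
        if kind == "R3" and "missing" in body:
            hits.append((kind, "URLSearchHook missing", line))
        elif kind == "O4":                      # autorun entries
            exe = first_exe(body.split("]", 1)[-1])
            if exe not in KNOWN_AUTORUN:
                hits.append((kind, f"unrecognised autorun {exe}", line))
        elif kind == "O16":                     # ActiveX downloads (DPF)
            host = urlparse(body.rsplit(" - ", 1)[-1]).hostname or ""
            if not any(host == d or host.endswith("." + d) for d in TRUSTED_DPF):
                hits.append((kind, f"ActiveX from {host}", line))
        elif kind == "O17":                     # DNS / domain overrides
            value = body.split("=", 1)[-1].strip()
            if value not in ISP_DNS:
                hits.append((kind, f"DNS/domain override {value}", line))
    return hits
```

Running `triage(SAMPLE_LOG)` leaves the TaskMonitor, quoted QuickTime and Macromedia entries alone and returns the four entries dvk01 asked to have fixed.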