shortcut startup big problems

Discussion in 'adware, spyware & hijack cleaning' started by twotimes, Mar 26, 2004.

  1. twotimes

    twotimes Registered Member

    Joined:
    Mar 26, 2004
    Posts:
    9
    I've got big trouble at startup. I ran spybot and ad-aware. My hijack file looks like this: Please HELP!!!!!

    Logfile of HijackThis v1.97.7
    Scan saved at 2:37:18 PM, on 3/26/2004
    Platform: Windows ME (Win9x 4.90.3000)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\SSDPSRV.EXE
    C:\WINDOWS\SYSTEM\STIMON.EXE
    C:\WINDOWS\SYSTEM\RPCSS.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\PROGRAM FILES\ADAPTEC\EASY CD CREATOR 5\DIRECTCD\DIRECTCD.EXE
    C:\PROGRAM FILES\NETROPA\MULTIMEDIA KEYBOARD\MMKEYBD.EXE
    C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\PROGRAM FILES\NETROPA\MULTIMEDIA KEYBOARD\MMUSBKB2.EXE
    C:\WINDOWS\SYSTEM\HPZTSB06.EXE
    C:\PROGRAM FILES\SCANSOFT\OMNIPAGESE\OPWARE32.EXE
    C:\PROGRAM FILES\NETROPA\MULTIMEDIA KEYBOARD\TRAYMON.EXE
    C:\WINDOWS\SYSTEM\ICSMGR.EXE
    C:\PROGRAM FILES\NETROPA\ONSCREEN DISPLAY\OSD.EXE
    C:\PROGRAM FILES\MUSICMATCH\MUSICMATCH JUKEBOX\MM_TRAY.EXE
    C:\PROGRAM FILES\COMMON FILES\KODAK\KODAK_DR\KODAKCCS.EXE
    C:\WINDOWS\SYSTEM\USBMONIT.EXE
    C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\EVNTSVC.EXE
    C:\WINDOWS\SYSTEM\CTFMON.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\PROGRAM FILES\KODAK\KODAK EASYSHARE SOFTWARE\BIN\EASYSHARE.EXE
    C:\WINDOWS\SYSTEM\RNAAPP.EXE
    C:\WINDOWS\SYSTEM\TAPISRV.EXE
    C:\WINDOWS\SYSTEM\PSTORES.EXE
    C:\HJT\HIJACK~1\HIJACKTHIS.EXE

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.mchsi.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Mediacom Online
    O2 - BHO: (no name) - {058FC709-D5CD-4A95-92DB-59E6488ECDA4} - C:\PROGRAM FILES\MEDIACOM\BBCLIENT\PROGRAMS\SABHO.DLL
    O2 - BHO: (no name) - {B549456D-F5D0-4641-BCED-8648A0C13D83} - C:\WINDOWS\BrowserHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
    O2 - BHO: Popup Manager - {08E74C67-99A6-45C7-94DA-A397A8FD8082} - C:\PROGRAM FILES\POPUP MANAGER\POPUPMGR_1.0.1.8P.DLL
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
    O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\SYSTEM\hpztsb06.exe
    O4 - HKLM\..\Run: [Omnipage] C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
    O4 - HKLM\..\Run: [BroadbandClient] C:\Program Files\Mediacom\BBClient\Programs\RegCon.exe /admincheck
    O4 - HKLM\..\Run: [ICSMGR] ICSMGR.EXE
    O4 - HKLM\..\Run: [MMTray] C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe
    O4 - HKLM\..\Run: [KodakCCS] C:\Program Files\Common Files\KODAK\KODAK_DR\KodakCCS.exe --pdr: "C:\Program Files\Common Files\KODAK\KODAK_DR\dcmnter.pdr"
    O4 - HKLM\..\Run: [USBMonit.exe] "C:\WINDOWS\SYSTEM\USBMonit.exe"
    O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
    O4 - HKLM\..\Run: [80472DRQ.EXE] C:\WINDOWS\80472DRQ.EXE /dk
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
    O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
    O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
    O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
    O4 - HKCU\..\Run: [AIM] C:\PROGRAM FILES\AIM\aim.exe -cnetwait.odl
    O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
    O4 - HKCU\..\Run: [80472DRQ.EXE] C:\WINDOWS\80472DRQ.EXE /dk
    O4 - Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
    O4 - Startup: MORZE1.lnk = C:\WINDOWS\morze1.exe
    O4 - Startup: E909HJAN.lnk = C:\WINDOWS\e909hjan.exe
    O4 - Startup: JA4UMWQ0.lnk = C:\WINDOWS\ja4umwq0.exe
    O4 - Startup: 40CQ9IPP.lnk = C:\WINDOWS\40cq9ipp.exe
    O4 - Startup: IKPBCU8W.lnk = C:\WINDOWS\ikpbcu8w.exe
    O4 - Startup: 3F9K07PN.lnk = C:\WINDOWS\3f9k07pn.exe
    O4 - Startup: G93U08BD.lnk = C:\WINDOWS\g93u08bd.exe
    O4 - Startup: JW9HWFND.lnk = C:\WINDOWS\jw9hwfnd.exe
    O4 - Startup: 0LUFZ096.lnk = C:\WINDOWS\0lufz096.exe
    O4 - Startup: 2QZNR79J.lnk = C:\WINDOWS\2qznr79j.exe
    O4 - Startup: L7JHU33N.lnk = C:\WINDOWS\l7jhu33n.exe
    O4 - Startup: GH2OG7ET.lnk = C:\WINDOWS\gh2og7et.exe
    O4 - Startup: CTWMU9WJ.lnk = C:\WINDOWS\ctwmu9wj.exe
    O4 - Startup: 2HM27NBJ.lnk = C:\WINDOWS\2hm27nbj.exe
    O4 - Startup: 4A9Q4JQE.lnk = C:\WINDOWS\4a9q4jqe.exe
    O4 - Startup: KC1NF4DA.lnk = C:\WINDOWS\kc1nf4da.exe
    O4 - Startup: J0FUFMPX.lnk = C:\WINDOWS\j0fufmpx.exe
    O4 - Startup: N0709Z1X.lnk = C:\WINDOWS\n0709z1x.exe
    O4 - Startup: 3AXR0JZX.lnk = C:\WINDOWS\3axr0jzx.exe
    O4 - Startup: 80472DRQ.lnk = C:\WINDOWS\80472drq.exe
    O4 - Global Startup: FUG1OZ60.lnk = C:\WINDOWS\fug1oz60.exe
    O4 - Global Startup: KBBI6JN5.lnk = C:\WINDOWS\kbbi6jn5.exe
    O4 - Global Startup: MORZE1.lnk = C:\WINDOWS\morze1.exe
    O4 - Global Startup: GAU5256T.lnk = C:\WINDOWS\gau5256t.exe
    O4 - Global Startup: 3F9K07PN.lnk = C:\WINDOWS\3f9k07pn.exe
    O4 - Global Startup: N966I0AL.lnk = C:\WINDOWS\n966i0al.exe
    O4 - Global Startup: M62JMWX0.lnk = C:\WINDOWS\m62jmwx0.exe
    O4 - Global Startup: Z5X3M0Z3.lnk = C:\WINDOWS\z5x3m0z3.exe
    O4 - Global Startup: UC7ROH7F.lnk = C:\WINDOWS\uc7roh7f.exe
    O4 - Global Startup: XRJFJIWO.lnk = C:\WINDOWS\xrjfjiwo.exe
    O4 - Global Startup: 265JYA4U.lnk = C:\WINDOWS\265jya4u.exe
    O4 - Global Startup: 0RB5JX6X.lnk = C:\WINDOWS\0rb5jx6x.exe
    O4 - Global Startup: 516VT0GP.lnk = C:\WINDOWS\516vt0gp.exe
    O4 - Global Startup: 0FLYA10M.lnk = C:\WINDOWS\0flya10m.exe
    O4 - Global Startup: 0XYKWN9R.lnk = C:\WINDOWS\0xykwn9r.exe
    O4 - Global Startup: NLD4AT7X.lnk = C:\WINDOWS\nld4at7x.exe
    O4 - Global Startup: PLCQOL60.lnk = C:\WINDOWS\plcqol60.exe
    O4 - Global Startup: 1L0XAZ0H.lnk = C:\WINDOWS\1l0xaz0h.exe
    O4 - Global Startup: V9DI7DT0.lnk = C:\WINDOWS\v9di7dt0.exe
    O4 - Global Startup: J0FUFMPX.lnk = C:\WINDOWS\j0fufmpx.exe
    O4 - Global Startup: 4LXOBT1B.lnk = C:\WINDOWS\4lxobt1b.exe
    O4 - Global Startup: N0709Z1X.lnk = C:\WINDOWS\n0709z1x.exe
    O4 - Global Startup: 01F0B947.lnk = C:\WINDOWS\01f0b947.exe
    O4 - Global Startup: W9VJGEE6.lnk = C:\WINDOWS\w9vjgee6.exe
    O4 - Global Startup: BVMRDQX3.lnk = C:\WINDOWS\bvmrdqx3.exe
    O4 - Global Startup: B90G54QO.lnk = C:\WINDOWS\b90g54qo.exe
    O4 - Global Startup: PBZO590J.lnk = C:\WINDOWS\pbzo590j.exe
    O4 - Global Startup: 2KCE7PTC.lnk = C:\WINDOWS\2kce7ptc.exe
    O4 - Global Startup: 0IBZRZXN.lnk = C:\WINDOWS\0ibzrzxn.exe
    O4 - Global Startup: 2DACW5ZC.lnk = C:\WINDOWS\2dacw5zc.exe
    O4 - Global Startup: XO4E354X.lnk = C:\WINDOWS\xo4e354x.exe
    O4 - Global Startup: E909HJAN.lnk = C:\WINDOWS\e909hjan.exe
    O4 - Global Startup: JA4UMWQ0.lnk = C:\WINDOWS\ja4umwq0.exe
    O4 - Global Startup: 40CQ9IPP.lnk = C:\WINDOWS\40cq9ipp.exe
    O4 - Global Startup: IKPBCU8W.lnk = C:\WINDOWS\ikpbcu8w.exe
    O4 - Global Startup: V7TLCGZM.lnk = C:\WINDOWS\v7tlcgzm.exe
    O4 - Global Startup: X2BA3BZC.lnk = C:\WINDOWS\x2ba3bzc.exe
    O4 - Global Startup: G93U08BD.lnk = C:\WINDOWS\g93u08bd.exe
    O4 - Global Startup: JW9HWFND.lnk = C:\WINDOWS\jw9hwfnd.exe
    O4 - Global Startup: 0LUFZ096.lnk = C:\WINDOWS\0lufz096.exe
    O4 - Global Startup: 2QZNR79J.lnk = C:\WINDOWS\2qznr79j.exe
    O4 - Global Startup: L7JHU33N.lnk = C:\WINDOWS\l7jhu33n.exe
    O4 - Global Startup: GH2OG7ET.lnk = C:\WINDOWS\gh2og7et.exe
    O4 - Global Startup: CTWMU9WJ.lnk = C:\WINDOWS\ctwmu9wj.exe
    O4 - Global Startup: 2HM27NBJ.lnk = C:\WINDOWS\2hm27nbj.exe
    O4 - Global Startup: 4A9Q4JQE.lnk = C:\WINDOWS\4a9q4jqe.exe
    O4 - Global Startup: KC1NF4DA.lnk = C:\WINDOWS\kc1nf4da.exe
    O4 - Global Startup: 3AXR0JZX.lnk = C:\WINDOWS\3axr0jzx.exe
    O4 - Global Startup: 80472DRQ.lnk = C:\WINDOWS\80472drq.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE10\EXCEL.EXE/3000
    O8 - Extra context menu item: Write a Review... - http://client.alexa.com/holiday/script/actions/review.htm
    O9 - Extra button: Create Mobile Favorite (HKLM)
    O9 - Extra 'Tools' menuitem: Create Mobile Favorite... (HKLM)
    O9 - Extra button: AIM (HKLM)
    O9 - Extra button: Dell Home (HKCU)
    O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
    O12 - Plugin for .pdf: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
    O12 - Plugin for .mp3: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin3.dll
    O12 - Plugin for .tif: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin5.dll
    O12 - Plugin for .mov: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.mchsi.com
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.24.143/code/PWActiveXImgCtl.CAB
    O16 - DPF: {EBC448F6-3C86-4689-8F5A-088B87E5C725} (Wonderhorse Listener ActiveX Control 1.2) - http://talkradio.alternacast.net/talkradio/clients/listener/bin/whlisten12.cab
    O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v43/yacscom.cab
    O16 - DPF: {814EA0DA-E0D9-4AA4-833C-A1A6D38E79E9} (DASWebDownload Class) - http://das.microsoft.com/activate/cab/x86/i486/NTANSI/retail/DASAct.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37883.6559027778
    O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
    O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003120501/housecall.antivirus.com/housecall/xscan53.cab
     
  2. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    OK, don't panic, it's easy enough to cure; it looks worse than it is.

    Before fixing them, please find and send me this file to the email address on the spykiller site in my signature:
    C:\WINDOWS\80472DRQ.EXE
    Please zip it if you can.
    It's the only really bad one; the others are all copies of it with different names, normally.

    Boot into safe mode by following instructions here: http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406
    Then, as some of the files or folders you need to delete may be hidden, do this:
    Open Windows Explorer & go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and untick "hide extensions for known file types". Now click "Apply to all folders".
    Click "Apply" then "OK"

    Run HijackThis, tick the entries listed below and ONLY these entries, double-check to make sure, then make sure all browser & email windows are closed and press Fix checked.


    O2 - BHO: (no name) - {B549456D-F5D0-4641-BCED-8648A0C13D83} - C:\WINDOWS\BrowserHelper.dll
    O4 - HKLM\..\Run: [80472DRQ.EXE] C:\WINDOWS\80472DRQ.EXE /dk
    O4 - HKCU\..\Run: [80472DRQ.EXE] C:\WINDOWS\80472DRQ.EXE /dk
    O4 - Startup: MORZE1.lnk = C:\WINDOWS\morze1.exe
    O4 - Startup: E909HJAN.lnk = C:\WINDOWS\e909hjan.exe
    O4 - Startup: JA4UMWQ0.lnk = C:\WINDOWS\ja4umwq0.exe
    O4 - Startup: 40CQ9IPP.lnk = C:\WINDOWS\40cq9ipp.exe
    O4 - Startup: IKPBCU8W.lnk = C:\WINDOWS\ikpbcu8w.exe
    O4 - Startup: 3F9K07PN.lnk = C:\WINDOWS\3f9k07pn.exe
    O4 - Startup: G93U08BD.lnk = C:\WINDOWS\g93u08bd.exe
    O4 - Startup: JW9HWFND.lnk = C:\WINDOWS\jw9hwfnd.exe
    O4 - Startup: 0LUFZ096.lnk = C:\WINDOWS\0lufz096.exe
    O4 - Startup: 2QZNR79J.lnk = C:\WINDOWS\2qznr79j.exe
    O4 - Startup: L7JHU33N.lnk = C:\WINDOWS\l7jhu33n.exe
    O4 - Startup: GH2OG7ET.lnk = C:\WINDOWS\gh2og7et.exe
    O4 - Startup: CTWMU9WJ.lnk = C:\WINDOWS\ctwmu9wj.exe
    O4 - Startup: 2HM27NBJ.lnk = C:\WINDOWS\2hm27nbj.exe
    O4 - Startup: 4A9Q4JQE.lnk = C:\WINDOWS\4a9q4jqe.exe
    O4 - Startup: KC1NF4DA.lnk = C:\WINDOWS\kc1nf4da.exe
    O4 - Startup: J0FUFMPX.lnk = C:\WINDOWS\j0fufmpx.exe
    O4 - Startup: N0709Z1X.lnk = C:\WINDOWS\n0709z1x.exe
    O4 - Startup: 3AXR0JZX.lnk = C:\WINDOWS\3axr0jzx.exe
    O4 - Startup: 80472DRQ.lnk = C:\WINDOWS\80472drq.exe
    O4 - Global Startup: FUG1OZ60.lnk = C:\WINDOWS\fug1oz60.exe
    O4 - Global Startup: KBBI6JN5.lnk = C:\WINDOWS\kbbi6jn5.exe
    O4 - Global Startup: MORZE1.lnk = C:\WINDOWS\morze1.exe
    O4 - Global Startup: GAU5256T.lnk = C:\WINDOWS\gau5256t.exe
    O4 - Global Startup: 3F9K07PN.lnk = C:\WINDOWS\3f9k07pn.exe
    O4 - Global Startup: N966I0AL.lnk = C:\WINDOWS\n966i0al.exe
    O4 - Global Startup: M62JMWX0.lnk = C:\WINDOWS\m62jmwx0.exe
    O4 - Global Startup: Z5X3M0Z3.lnk = C:\WINDOWS\z5x3m0z3.exe
    O4 - Global Startup: UC7ROH7F.lnk = C:\WINDOWS\uc7roh7f.exe
    O4 - Global Startup: XRJFJIWO.lnk = C:\WINDOWS\xrjfjiwo.exe
    O4 - Global Startup: 265JYA4U.lnk = C:\WINDOWS\265jya4u.exe
    O4 - Global Startup: 0RB5JX6X.lnk = C:\WINDOWS\0rb5jx6x.exe
    O4 - Global Startup: 516VT0GP.lnk = C:\WINDOWS\516vt0gp.exe
    O4 - Global Startup: 0FLYA10M.lnk = C:\WINDOWS\0flya10m.exe
    O4 - Global Startup: 0XYKWN9R.lnk = C:\WINDOWS\0xykwn9r.exe
    O4 - Global Startup: NLD4AT7X.lnk = C:\WINDOWS\nld4at7x.exe
    O4 - Global Startup: PLCQOL60.lnk = C:\WINDOWS\plcqol60.exe
    O4 - Global Startup: 1L0XAZ0H.lnk = C:\WINDOWS\1l0xaz0h.exe
    O4 - Global Startup: V9DI7DT0.lnk = C:\WINDOWS\v9di7dt0.exe
    O4 - Global Startup: J0FUFMPX.lnk = C:\WINDOWS\j0fufmpx.exe
    O4 - Global Startup: 4LXOBT1B.lnk = C:\WINDOWS\4lxobt1b.exe
    O4 - Global Startup: N0709Z1X.lnk = C:\WINDOWS\n0709z1x.exe
    O4 - Global Startup: 01F0B947.lnk = C:\WINDOWS\01f0b947.exe
    O4 - Global Startup: W9VJGEE6.lnk = C:\WINDOWS\w9vjgee6.exe
    O4 - Global Startup: BVMRDQX3.lnk = C:\WINDOWS\bvmrdqx3.exe
    O4 - Global Startup: B90G54QO.lnk = C:\WINDOWS\b90g54qo.exe
    O4 - Global Startup: PBZO590J.lnk = C:\WINDOWS\pbzo590j.exe
    O4 - Global Startup: 2KCE7PTC.lnk = C:\WINDOWS\2kce7ptc.exe
    O4 - Global Startup: 0IBZRZXN.lnk = C:\WINDOWS\0ibzrzxn.exe
    O4 - Global Startup: 2DACW5ZC.lnk = C:\WINDOWS\2dacw5zc.exe
    O4 - Global Startup: XO4E354X.lnk = C:\WINDOWS\xo4e354x.exe
    O4 - Global Startup: E909HJAN.lnk = C:\WINDOWS\e909hjan.exe
    O4 - Global Startup: JA4UMWQ0.lnk = C:\WINDOWS\ja4umwq0.exe
    O4 - Global Startup: 40CQ9IPP.lnk = C:\WINDOWS\40cq9ipp.exe
    O4 - Global Startup: IKPBCU8W.lnk = C:\WINDOWS\ikpbcu8w.exe
    O4 - Global Startup: V7TLCGZM.lnk = C:\WINDOWS\v7tlcgzm.exe
    O4 - Global Startup: X2BA3BZC.lnk = C:\WINDOWS\x2ba3bzc.exe
    O4 - Global Startup: G93U08BD.lnk = C:\WINDOWS\g93u08bd.exe
    O4 - Global Startup: JW9HWFND.lnk = C:\WINDOWS\jw9hwfnd.exe
    O4 - Global Startup: 0LUFZ096.lnk = C:\WINDOWS\0lufz096.exe
    O4 - Global Startup: 2QZNR79J.lnk = C:\WINDOWS\2qznr79j.exe
    O4 - Global Startup: L7JHU33N.lnk = C:\WINDOWS\l7jhu33n.exe
    O4 - Global Startup: GH2OG7ET.lnk = C:\WINDOWS\gh2og7et.exe
    O4 - Global Startup: CTWMU9WJ.lnk = C:\WINDOWS\ctwmu9wj.exe
    O4 - Global Startup: 2HM27NBJ.lnk = C:\WINDOWS\2hm27nbj.exe
    O4 - Global Startup: 4A9Q4JQE.lnk = C:\WINDOWS\4a9q4jqe.exe
    O4 - Global Startup: KC1NF4DA.lnk = C:\WINDOWS\kc1nf4da.exe
    O4 - Global Startup: 3AXR0JZX.lnk = C:\WINDOWS\3axr0jzx.exe
    O4 - Global Startup: 80472DRQ.lnk = C:\WINDOWS\80472drq.exe

    Delete these files
    C:\WINDOWS\80472DRQ.EXE /dk
    C:\WINDOWS\morze1.exe
    C:\WINDOWS\e909hjan.exe
    C:\WINDOWS\ja4umwq0.exe
    C:\WINDOWS\40cq9ipp.exe
    C:\WINDOWS\ikpbcu8w.exe
    C:\WINDOWS\3f9k07pn.exe
    C:\WINDOWS\g93u08bd.exe
    C:\WINDOWS\jw9hwfnd.exe
    C:\WINDOWS\0lufz096.exe
    C:\WINDOWS\2qznr79j.exe
    C:\WINDOWS\l7jhu33n.exe
    C:\WINDOWS\gh2og7et.exe
    C:\WINDOWS\ctwmu9wj.exe
    C:\WINDOWS\2hm27nbj.exe
    C:\WINDOWS\4a9q4jqe.exe
    C:\WINDOWS\kc1nf4da.exe
    C:\WINDOWS\j0fufmpx.exe
    C:\WINDOWS\n0709z1x.exe
    C:\WINDOWS\3axr0jzx.exe
    C:\WINDOWS\80472drq.exe
    C:\WINDOWS\fug1oz60.exe
    C:\WINDOWS\kbbi6jn5.exe
    C:\WINDOWS\morze1.exe
    C:\WINDOWS\gau5256t.exe
    C:\WINDOWS\3f9k07pn.exe
    C:\WINDOWS\n966i0al.exe
    C:\WINDOWS\m62jmwx0.exe
    C:\WINDOWS\z5x3m0z3.exe
    C:\WINDOWS\uc7roh7f.exe
    C:\WINDOWS\xrjfjiwo.exe
    C:\WINDOWS\265jya4u.exe
    C:\WINDOWS\0rb5jx6x.exe
    C:\WINDOWS\516vt0gp.exe
    C:\WINDOWS\0flya10m.exe
    C:\WINDOWS\0xykwn9r.exe
    C:\WINDOWS\nld4at7x.exe
    C:\WINDOWS\plcqol60.exe
    C:\WINDOWS\1l0xaz0h.exe
    C:\WINDOWS\v9di7dt0.exe
    C:\WINDOWS\j0fufmpx.exe
    C:\WINDOWS\4lxobt1b.exe
    C:\WINDOWS\n0709z1x.exe
    C:\WINDOWS\01f0b947.exe
    C:\WINDOWS\w9vjgee6.exe
    C:\WINDOWS\bvmrdqx3.exe
    C:\WINDOWS\b90g54qo.exe
    C:\WINDOWS\pbzo590j.exe
    C:\WINDOWS\2kce7ptc.exe
    C:\WINDOWS\0ibzrzxn.exe
    C:\WINDOWS\2dacw5zc.exe
    C:\WINDOWS\xo4e354x.exe
    C:\WINDOWS\e909hjan.exe
    C:\WINDOWS\ja4umwq0.exe
    C:\WINDOWS\40cq9ipp.exe
    C:\WINDOWS\ikpbcu8w.exe
    C:\WINDOWS\v7tlcgzm.exe
    C:\WINDOWS\x2ba3bzc.exe
    C:\WINDOWS\g93u08bd.exe
    C:\WINDOWS\jw9hwfnd.exe
    C:\WINDOWS\0lufz096.exe
    C:\WINDOWS\2qznr79j.exe
    C:\WINDOWS\l7jhu33n.exe
    C:\WINDOWS\gh2og7et.exe
    C:\WINDOWS\ctwmu9wj.exe
    C:\WINDOWS\2hm27nbj.exe
    C:\WINDOWS\4a9q4jqe.exe
    C:\WINDOWS\kc1nf4da.exe
    C:\WINDOWS\3axr0jzx.exe
    C:\WINDOWS\80472drq.exe


    Then reboot normally & post a new log to check.
     
  3. twotimes

    twotimes Registered Member

    Joined:
    Mar 26, 2004
    Posts:
    9
    Thank you DvK, I will be patient!
     
  4. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    ^^^^^^^^
     
  5. twotimes

    twotimes Registered Member

    Joined:
    Mar 26, 2004
    Posts:
    9
    I am curious, is this a virus, worm or something completely different? This has me pretty well confused.
     
  6. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    I think it's a trojan/worm that spawns pop ups etc on the computer, but so far in about 30 attempts I still haven't managed to get any copies of the files to examine to see.
     
  7. twotimes

    twotimes Registered Member

    Joined:
    Mar 26, 2004
    Posts:
    9
    Alright, I have found the file and emailed it to you!

    I'll keep my fingers crossed!
     
  8. twotimes

    twotimes Registered Member

    Joined:
    Mar 26, 2004
    Posts:
    9
    Should I wait to hear back from you before I go into safe mode to delete the files you specified?
     
  9. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    TDS anti-trojan detects it as adware adtomi.a.

    Nothing else detects it,
    but at 600k it's quite a big file; if you had a large number of copies active, it's no wonder it clogs the machine.

    I'm sending it on to other developers to look at.

    No need to wait, just delete all the files I said to, please, and then post a new log.

    If you can send a couple of the others with random names, just to compare them, it would be beneficial, please.
     
  10. twotimes

    twotimes Registered Member

    Joined:
    Mar 26, 2004
    Posts:
    9
    How did I have so many copies of this thing?
    Also, can I start the safe mode fix now?
    You are a lot of help! Thanks a million!
     
  11. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    As far as I can tell from previous examples that I have dealt with on this and other forums, it changes every time you boot the computer.
     
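    The cluster in the first log above has a shape rather than a fixed name: one payload copied under many opaque 6-8 character names directly in C:\WINDOWS, launched from Run keys and from Startup shortcuts whose name is just the file name again, and, as dvk01 notes, renamed on every boot, so a list of today's names will not hold tomorrow. The script below is an added example, not from the thread or from HijackThis; it parses O4 lines in the v1.97 log format shown on this page with a heuristic of my own and groups the matches by executable, so the same file being started from four places stands out. The sample lines are copied from the first log in this thread and mixed with benign entries from it.

```python
import re
from collections import defaultdict

# Constructed sample: O4 lines copied from the first log in this thread,
# mixed with benign entries from the same log, so the script runs offline.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\SYSTEM\hpztsb06.exe
O4 - HKLM\..\Run: [80472DRQ.EXE] C:\WINDOWS\80472DRQ.EXE /dk
O4 - HKCU\..\Run: [80472DRQ.EXE] C:\WINDOWS\80472DRQ.EXE /dk
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Startup: MORZE1.lnk = C:\WINDOWS\morze1.exe
O4 - Startup: 80472DRQ.lnk = C:\WINDOWS\80472drq.exe
O4 - Global Startup: MORZE1.lnk = C:\WINDOWS\morze1.exe
O4 - Global Startup: XRJFJIWO.lnk = C:\WINDOWS\xrjfjiwo.exe
O4 - Global Startup: 80472DRQ.lnk = C:\WINDOWS\80472drq.exe
"""

# "O4 - <location>: <rest>"; the location never contains a colon.
O4_RE = re.compile(r"^O4 - (?P<loc>[^:]+): (?P<rest>.+)$")
# Registry entries: "[value name] command line"
REG_RE = re.compile(r"^\[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
# Startup-folder entries: "Shortcut name.lnk = target"
LNK_RE = re.compile(r"^(?P<name>.+?)\.lnk = (?P<cmd>.+)$")
# Opaque 6-8 character alphanumeric file stem, as in 80472drq or morze1
# (heuristic chosen for this example, not a HijackThis rule).
TOKEN_RE = re.compile(r"[a-z0-9]{6,8}")


def parse_o4(log_text):
    """Yield (location, value-or-shortcut name, command) for every O4 line."""
    for line in log_text.splitlines():
        m = O4_RE.match(line.strip())
        if not m:
            continue
        r = REG_RE.match(m.group("rest")) or LNK_RE.match(m.group("rest"))
        if r:
            yield m.group("loc"), r.group("name"), r.group("cmd")


def target_path(cmd):
    """Strip arguments such as '/dk' and return the executable path."""
    if cmd.startswith('"'):
        return cmd[1:cmd.find('"', 1)]
    m = re.match(r"(.+?\.exe)(?:\s|$)", cmd, re.IGNORECASE)
    return m.group(1) if m else cmd.split()[0]


def classify(loc, name, cmd):
    """Score one entry on the traits the cluster in the log shares."""
    path = target_path(cmd)
    folder, _, filename = path.rpartition("\\")
    stem = filename.rsplit(".", 1)[0].lower()
    in_windows_root = folder.upper() == r"C:\WINDOWS"  # not SYSTEM or PCHealth
    opaque = TOKEN_RE.fullmatch(stem) is not None
    has_digit = any(c.isdigit() for c in stem)
    # MORZE1.lnk -> morze1.exe, [80472DRQ.EXE] -> 80472DRQ.EXE: the launcher
    # carries no product name, only the file name again.
    name_is_file = name.lower().rsplit(".", 1)[0] == stem
    suspicious = in_windows_root and opaque and (
        has_digit or (len(stem) == 8 and name_is_file)
    )
    return {"location": loc, "stem": stem, "path": path, "suspicious": suspicious}


def analyze(log_text):
    """Map each suspicious executable stem to the autostart locations using it."""
    clusters = defaultdict(set)
    for loc, name, cmd in parse_o4(log_text):
        verdict = classify(loc, name, cmd)
        if verdict["suspicious"]:
            clusters[verdict["stem"]].add(loc)
    return {stem: sorted(locs) for stem, locs in clusters.items()}


if __name__ == "__main__":
    for stem, locs in sorted(analyze(SAMPLE_LOG).items()):
        print(f"{stem}.exe is launched from {len(locs)} place(s): {', '.join(locs)}")
```

    Entries such as scanregw.exe, taskmon.exe and hpztsb06.exe pass because they either carry a descriptive value name, contain no digit, or live under C:\WINDOWS\SYSTEM rather than the Windows root; a real triage would still confirm the flagged files by hash, as dvk01 did by asking for the samples.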
  12. twotimes

    twotimes Registered Member

    Joined:
    Mar 26, 2004
    Posts:
    9
    Hey, I ran the fixes and another hijack log. Here's what it says: let me know if I'm in the clear!

    Logfile of HijackThis v1.97.7
    Scan saved at 5:18:51 PM, on 3/26/2004
    Platform: Windows ME (Win9x 4.90.3000)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\SSDPSRV.EXE
    C:\WINDOWS\SYSTEM\STIMON.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\WINDOWS\SYSTEM\RPCSS.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\PROGRAM FILES\ADAPTEC\EASY CD CREATOR 5\DIRECTCD\DIRECTCD.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\PROGRAM FILES\NETROPA\MULTIMEDIA KEYBOARD\MMKEYBD.EXE
    C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
    C:\WINDOWS\SYSTEM\HPZTSB06.EXE
    C:\PROGRAM FILES\SCANSOFT\OMNIPAGESE\OPWARE32.EXE
    C:\PROGRAM FILES\NETROPA\MULTIMEDIA KEYBOARD\MMUSBKB2.EXE
    C:\WINDOWS\SYSTEM\ICSMGR.EXE
    C:\PROGRAM FILES\MUSICMATCH\MUSICMATCH JUKEBOX\MM_TRAY.EXE
    C:\PROGRAM FILES\COMMON FILES\KODAK\KODAK_DR\KODAKCCS.EXE
    C:\WINDOWS\SYSTEM\USBMONIT.EXE
    C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\EVNTSVC.EXE
    C:\PROGRAM FILES\POWERPDF\PWRPDFSRV.EXE
    C:\PROGRAM FILES\NETROPA\MULTIMEDIA KEYBOARD\TRAYMON.EXE
    C:\PROGRAM FILES\AIM\AIM.EXE
    C:\PROGRAM FILES\NETROPA\ONSCREEN DISPLAY\OSD.EXE
    C:\WINDOWS\SYSTEM\CTFMON.EXE
    C:\PROGRAM FILES\MICROSOFT MONEY\SYSTEM\MONEY EXPRESS.EXE
    C:\PROGRAM FILES\KODAK\KODAK EASYSHARE SOFTWARE\BIN\EASYSHARE.EXE
    C:\WINDOWS\SYSTEM\RNAAPP.EXE
    C:\WINDOWS\SYSTEM\TAPISRV.EXE
    C:\WINDOWS\SYSTEM\PSTORES.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\HJT\HIJACK~1\HIJACKTHIS.EXE

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.mchsi.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Mediacom Online
    O2 - BHO: (no name) - {058FC709-D5CD-4A95-92DB-59E6488ECDA4} - C:\PROGRAM FILES\MEDIACOM\BBCLIENT\PROGRAMS\SABHO.DLL
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
    O2 - BHO: Popup Manager - {08E74C67-99A6-45C7-94DA-A397A8FD8082} - C:\PROGRAM FILES\POPUP MANAGER\POPUPMGR_1.0.1.8P.DLL
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
    O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\SYSTEM\hpztsb06.exe
    O4 - HKLM\..\Run: [Omnipage] C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
    O4 - HKLM\..\Run: [BroadbandClient] C:\Program Files\Mediacom\BBClient\Programs\RegCon.exe /admincheck
    O4 - HKLM\..\Run: [ICSMGR] ICSMGR.EXE
    O4 - HKLM\..\Run: [MMTray] C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe
    O4 - HKLM\..\Run: [KodakCCS] C:\Program Files\Common Files\KODAK\KODAK_DR\KodakCCS.exe --pdr: "C:\Program Files\Common Files\KODAK\KODAK_DR\dcmnter.pdr"
    O4 - HKLM\..\Run: [USBMonit.exe] "C:\WINDOWS\SYSTEM\USBMonit.exe"
    O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
    O4 - HKLM\..\Run: [pwrpdfprsrv.exe] C:\Program Files\PowerPDF\pwrpdfsrv.exe
    O4 - HKLM\..\Run: [NF646XDP.EXE] C:\WINDOWS\NF646XDP.EXE /dk
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
    O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
    O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
    O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKCU\..\Run: [AIM] C:\PROGRAM FILES\AIM\aim.exe -cnetwait.odl
    O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
    O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
    O4 - HKCU\..\Run: [NF646XDP.EXE] C:\WINDOWS\NF646XDP.EXE /dk
    O4 - Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
    O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE10\EXCEL.EXE/3000
    O8 - Extra context menu item: Write a Review... - http://client.alexa.com/holiday/script/actions/review.htm
    O9 - Extra button: Create Mobile Favorite (HKLM)
    O9 - Extra 'Tools' menuitem: Create Mobile Favorite... (HKLM)
    O9 - Extra button: AIM (HKLM)
    O9 - Extra button: Dell Home (HKCU)
    O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
    O12 - Plugin for .pdf: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
    O12 - Plugin for .mp3: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin3.dll
    O12 - Plugin for .tif: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin5.dll
    O12 - Plugin for .mov: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.mchsi.com
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.24.143/code/PWActiveXImgCtl.CAB
    O16 - DPF: {EBC448F6-3C86-4689-8F5A-088B87E5C725} (Wonderhorse Listener ActiveX Control 1.2) - http://talkradio.alternacast.net/talkradio/clients/listener/bin/whlisten12.cab
    O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v43/yacscom.cab
    O16 - DPF: {814EA0DA-E0D9-4AA4-833C-A1A6D38E79E9} (DASWebDownload Class) - http://das.microsoft.com/activate/cab/x86/i486/NTANSI/retail/DASAct.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37883.6559027778
    O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
    O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003120501/housecall.antivirus.com/housecall/xscan53.cab

    Thanks!
     
  13. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    You still have a couple of entries trying to start it up again.

    Let's try the fix that Pieter has in this thread:
    http://www.wilderssecurity.com/showthread.php?t=25539

    Download and install Regprot from http://www.diamondcs.com.au/index.php?page=regprot

    Install it and do not allow any startups looking like NF646XDP.EXE (garbled letters and numbers).
    Then check the items listed below in HijackThis, close all windows except HijackThis and click Fix checked:
    (And do not allow any new startups that may ask permission after you click Fix checked)

    O4 - HKLM\..\Run: [NF646XDP.EXE] C:\WINDOWS\NF646XDP.EXE /dk

    O4 - HKCU\..\Run: [NF646XDP.EXE] C:\WINDOWS\NF646XDP.EXE /dk

    Reboot into safe mode and delete C:\WINDOWS\NF646XDP.EXE.


    Then reboot normally and post another log to see if we have got it.
     
  14. twotimes

    twotimes Registered Member

    Joined:
    Mar 26, 2004
    Posts:
    9
    It seems to be working ok. But here is the log to be sure.

    Logfile of HijackThis v1.97.7
    Scan saved at 9:15:51 PM, on 3/26/2004
    Platform: Windows ME (Win9x 4.90.3000)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\PSTORES.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
    C:\WINDOWS\SYSTEM\RPCSS.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\PROGRAM FILES\NETROPA\MULTIMEDIA KEYBOARD\MMKEYBD.EXE
    C:\WINDOWS\SYSTEM\HPZTSB06.EXE
    C:\PROGRAM FILES\NETROPA\MULTIMEDIA KEYBOARD\MMUSBKB2.EXE
    C:\PROGRAM FILES\MUSICMATCH\MUSICMATCH JUKEBOX\MM_TRAY.EXE
    C:\WINDOWS\SYSTEM\USBMONIT.EXE
    C:\PROGRAM FILES\NETROPA\MULTIMEDIA KEYBOARD\TRAYMON.EXE
    C:\PROGRAM FILES\POWERPDF\PWRPDFSRV.EXE
    C:\PROGRAM FILES\AIM\AIM.EXE
    C:\PROGRAM FILES\NETROPA\ONSCREEN DISPLAY\OSD.EXE
    C:\WINDOWS\SYSTEM\CTFMON.EXE
    C:\PROGRAM FILES\KODAK\KODAK EASYSHARE SOFTWARE\BIN\EASYSHARE.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\WINDOWS\SYSTEM\STIMON.EXE
    C:\HJT\HIJACK~1\HIJACKTHIS.EXE

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.mchsi.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Mediacom Online
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
    O2 - BHO: Popup Manager - {08E74C67-99A6-45C7-94DA-A397A8FD8082} - C:\PROGRAM FILES\POPUP MANAGER\POPUPMGR_1.0.1.8P.DLL
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\SYSTEM\hpztsb06.exe
    O4 - HKLM\..\Run: [MMTray] C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe
    O4 - HKLM\..\Run: [USBMonit.exe] "C:\WINDOWS\SYSTEM\USBMonit.exe"
    O4 - HKLM\..\Run: [pwrpdfprsrv.exe] C:\Program Files\PowerPDF\pwrpdfsrv.exe
    O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKCU\..\Run: [AIM] C:\PROGRAM FILES\AIM\aim.exe -cnetwait.odl
    O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
    O4 - Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
    O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE10\EXCEL.EXE/3000
    O8 - Extra context menu item: Write a Review... - http://client.alexa.com/holiday/script/actions/review.htm
    O9 - Extra button: Create Mobile Favorite (HKLM)
    O9 - Extra 'Tools' menuitem: Create Mobile Favorite... (HKLM)
    O9 - Extra button: AIM (HKLM)
    O9 - Extra button: Dell Home (HKCU)
    O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
    O12 - Plugin for .pdf: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
    O12 - Plugin for .mp3: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin3.dll
    O12 - Plugin for .tif: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin5.dll
    O12 - Plugin for .mov: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.mchsi.com
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.24.143/code/PWActiveXImgCtl.CAB
    O16 - DPF: {EBC448F6-3C86-4689-8F5A-088B87E5C725} (Wonderhorse Listener ActiveX Control 1.2) - http://talkradio.alternacast.net/talkradio/clients/listener/bin/whlisten12.cab
    O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v43/yacscom.cab
    O16 - DPF: {814EA0DA-E0D9-4AA4-833C-A1A6D38E79E9} (DASWebDownload Class) - http://das.microsoft.com/activate/cab/x86/i486/NTANSI/retail/DASAct.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37883.6559027778
    O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
    O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003120501/housecall.antivirus.com/housecall/xscan53.cab

    Let me know how it looks.
    Thanks for your help.
    You are very good!
     
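The log above is what the helpers read by hand: R0/R1 lines are IE start-page keys, O2 lines are Browser Helper Objects, O4 lines are autostart entries (HKLM/HKCU Run, RunServices, Startup folder), and O16 lines are ActiveX controls IE downloaded from the listed URL. The following is an added example, not HijackThis code and not anything the posters ran: a small parser that splits a log of this shape into (section, target, CLSID) records and attaches generic triage flags, such as an O16 control fetched from a bare IP address, an O4 entry given as a bare filename (resolved through the search path at boot, so the log alone does not say which file runs), or an O2 BHO with no name. The flags are "look here first" markers, not verdicts; the helpers in this thread judged the log clean. The sample lines are constructed from the kinds of entries shown above.

```python
"""Minimal HijackThis-log triage parser (added example, not HijackThis code)."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample log, modelled on the entry types in the thread.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.97.7
Running processes:
C:\WINDOWS\EXPLORER.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [AIM] C:\PROGRAM FILES\AIM\aim.exe -cnetwait.odl
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.24.143/code/PWActiveXImgCtl.CAB
"""

# "O4 - ...", "R0 - ...": a section code, " - ", then the free-text body.
ENTRY_RE = re.compile(r"^(?P<section>[RO]\d{1,2}) - (?P<body>.+)$")
# COM class id in the form {8-4-4-4-12 hex digits}.
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
# http(s) URL whose host is a dotted-quad IPv4 address rather than a name.
IPV4_HOST_RE = re.compile(r"^https?://(\d{1,3}(?:\.\d{1,3}){3})(?:[:/]|$)")


@dataclass
class HjtEntry:
    section: str                 # R0, O2, O4, O16, ...
    body: str                    # text after "Oxx - "
    target: Optional[str] = None # file path, URL or registry value the line points at
    clsid: Optional[str] = None  # CLSID if the line carries one (O2/O3/O16)
    flags: List[str] = field(default_factory=list)


def extract_target(section: str, body: str) -> Optional[str]:
    """Pull the path/URL/value out of the body, per section layout."""
    if section.startswith("R"):
        # R0/R1: "<regkey>,<value name> = <value>"
        _, sep, value = body.partition(" = ")
        return value.strip() if sep else None
    if section == "O4":
        # O4: "<hive>\..\Run: [EntryName] <command line>"
        _, sep, value = body.partition("] ")
        return value.strip() if sep else None
    if section in ("O2", "O3", "O16"):
        # O2/O3/O16: "<desc> - {CLSID} - <dll path or cab URL>"
        _, sep, value = body.rpartition(" - ")
        return value.strip() if sep else None
    return None


def triage(entry: HjtEntry) -> None:
    """Attach generic 'look here first' flags; these are not malware verdicts."""
    target = entry.target or ""
    if entry.section == "O16" and IPV4_HOST_RE.match(target):
        entry.flags.append("activex-from-raw-ip")
    if entry.section == "O4" and target and "\\" not in target:
        # No directory component: Windows resolves the name via the search
        # path at boot, so the log does not identify which file actually runs.
        entry.flags.append("bare-filename")
    if entry.section == "O2" and "(no name)" in entry.body:
        entry.flags.append("unnamed-bho")


def parse_log(text: str) -> List[HjtEntry]:
    """Parse every 'Oxx - ' / 'Rx - ' line; headers and process lists are skipped."""
    entries: List[HjtEntry] = []
    for line in text.splitlines():
        match = ENTRY_RE.match(line.strip())
        if not match:
            continue
        section, body = match.group("section"), match.group("body")
        entry = HjtEntry(section, body, extract_target(section, body))
        clsid = CLSID_RE.search(body)
        if clsid:
            entry.clsid = clsid.group(0).upper()
        triage(entry)
        entries.append(entry)
    return entries


def flagged(entries: List[HjtEntry]) -> List[HjtEntry]:
    """Only the entries that picked up at least one triage flag."""
    return [e for e in entries if e.flags]


if __name__ == "__main__":
    for e in flagged(parse_log(SAMPLE_LOG)):
        print(f"{e.section:4} {','.join(e.flags):22} {e.target}")
```

Run on the constructed sample, the bare-filename flag lands on `mstask.exe` and `ctfmon.exe`, the raw-IP flag on the `216.249.24.143` cab, and the unnamed-BHO flag on the Spybot SDHelper line; each of those is a prompt to check the file or host by hand, which is exactly what the helpers did for this log before calling it clean.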
  15. puff-m-d

    puff-m-d Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    4,451
    Location:
    North Carolina, USA
    Hi twotimes,

    It looks like Derek and Pieter figured out how to kill that baddie because your log is now clean!!! Congrats to the three of you!!!

    Regards,
    Kent
     
  16. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    A more complete way of removal has been figured out by FreeAtLast.

    I copied it here:
    http://www.wilderssecurity.com/showthread.php?t=25926

    Regards,

    Pieter
     
  17. twotimes

    twotimes Registered Member

    Joined:
    Mar 26, 2004
    Posts:
    9
    I just wanted to let you guys know how thankful I am. My computer is running smoothly and I am the happiest person in the world! Derek and Pieter you did a fantastic job! Keep up the good work gang, you're making people very happy!!!
     