Trojan Horse Turown.a and revop.a

Discussion in 'adware, spyware & hijack cleaning' started by Dad Repairman, Mar 28, 2004.

Thread Status:
Not open for further replies.
  1. Logfile of HijackThis v1.97.7
    Scan saved at 2:08:42 PM, on 3/28/04
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\MSGLOOP.EXE
    C:\PROGRAM FILES\GRISOFT\AVG6\AVGSERV9.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\WINDOWS\SYSTEM\MSG32.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\HIDSERV.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\SYSTEM\HPSYSDRV.EXE
    C:\WINDOWS\SYSTEM\USBMMKBD.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\PROGRAM FILES\GRISOFT\AVG6\AVGCC32.EXE
    C:\WINDOWS\SYSTEM\QTTASK.EXE
    C:\WINDOWS\SYSUPD.EXE
    C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
    C:\WINDOWS\RunDLL.exe
    C:\PROGRAM FILES\AIM\AIM.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\WINDOWS\TEMPORARY INTERNET FILES\CONTENT.IE5\0BBRU815\HIJACKTHIS[1].EXE
    C:\WINDOWS\04ZMLJ1E.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Cox High Speed Internet
    R3 - URLSearchHook: {0000031A-0000-0000-C000-000000000046} - - (no file)
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\WINDOWS\DOWNLOADED PROGRAM FILES\YCOMP5_1_5_0.DLL
    O2 - BHO: (no name) - {c900b400-cdfe-11d3-976a-00e02913a9e0} - C:\PROGRAM FILES\WEBHANCER\PROGRAMS\WHIEHLPR.DLL (file missing)
    O2 - BHO: CheckIt 86 - {82DF1118-9B92-45d8-B78F-1737A69A06E1} - C:\PROGRAM FILES\CHECKIT\86\CHECKIT86.DLL
    O2 - BHO: (no name) - {B549456D-F5D0-4641-BCED-8648A0C13D83} - C:\WINDOWS\BrowserHelper.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [AtiCwd32] Aticwd32.exe
    O4 - HKLM\..\Run: [AtiKey] Atitask.exe
    O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
    O4 - HKLM\..\Run: [TCASUTIEXE] TCAUDIAG.EXE -off
    O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
    O4 - HKLM\..\Run: [USBMMKBD] usbmmkbd.exe
    O4 - HKLM\..\Run: [Keyboard Manager] C:\Program Files\Netropa\One-touch Multimedia Keyboard\MMKeybd.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\GRISOFT\AVG6\avgcc32.exe /STARTUP
    O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
    O4 - HKLM\..\Run: [42HNQFX5S@X5SW] C:\WINDOWS\SYSTEM\JIFYVW.EXE
    O4 - HKLM\..\Run: [RunDLL] rundll32.exe "C:\WINDOWS\DOWNLOADED PROGRAM FILES\BRIDGE.DLL",Load
    O4 - HKLM\..\Run: [systray] C:\WINDOWS\SYSTEM\A.EXE
    O4 - HKLM\..\Run: [SysUpd] C:\WINDOWS\SYSUPD.EXE
    O4 - HKLM\..\Run: [gpl400j] C:\WINDOWS\SYSTEM\gpl400j.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [JZY5CL50.EXE] C:\WINDOWS\JZY5CL50.EXE /dk
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [Hidserv] Hidserv.exe run
    O4 - HKLM\..\RunServices: [Avgserv9.exe] C:\PROGRA~1\GRISOFT\AVG6\Avgserv9.exe
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
    O4 - HKCU\..\Run: [AIM] C:\PROGRAM FILES\AIM\aim.exe -cnetwait.odl
    O4 - HKCU\..\Run: [JZY5CL50.EXE] C:\WINDOWS\JZY5CL50.EXE /dk
    O4 - Startup: CheckIt 86.lnk = C:\Program Files\CheckIt\86\CheckIt86.exe
    O4 - Startup: MORZE1.lnk = C:\WINDOWS\morze1.exe
    O4 - Startup: 1VO6105X.lnk = C:\WINDOWS\1vo6105x.exe
    O4 - Startup: P2ZNRMB4.lnk = C:\WINDOWS\p2znrmb4.exe
    O4 - Startup: YLN0H81R.lnk = C:\WINDOWS\yln0h81r.exe
    O4 - Startup: 7D06DZ94.lnk = C:\WINDOWS\7d06dz94.exe
    O4 - Startup: 1EQYRJ1M.lnk = C:\WINDOWS\1eqyrj1m.exe
    O4 - Startup: 1EOJOOG3.lnk = C:\WINDOWS\1eojoog3.exe
    O4 - Startup: L88VT2C4.lnk = C:\WINDOWS\l88vt2c4.exe
    O4 - Startup: 8FAN8724.lnk = C:\WINDOWS\8fan8724.exe
    O4 - Startup: JZY5CL50.lnk = C:\WINDOWS\jzy5cl50.exe
    O4 - Global Startup: MORZE1.lnk = C:\WINDOWS\morze1.exe
    O4 - Global Startup: 1VO6105X.lnk = C:\WINDOWS\1vo6105x.exe
    O4 - Global Startup: P2ZNRMB4.lnk = C:\WINDOWS\p2znrmb4.exe
    O4 - Global Startup: YLN0H81R.lnk = C:\WINDOWS\yln0h81r.exe
    O4 - Global Startup: 7D06DZ94.lnk = C:\WINDOWS\7d06dz94.exe
    O4 - Global Startup: 1EQYRJ1M.lnk = C:\WINDOWS\1eqyrj1m.exe
    O4 - Global Startup: 1EOJOOG3.lnk = C:\WINDOWS\1eojoog3.exe
    O4 - Global Startup: L88VT2C4.lnk = C:\WINDOWS\l88vt2c4.exe
    O4 - Global Startup: 8FAN8724.lnk = C:\WINDOWS\8fan8724.exe
    O4 - Global Startup: JZY5CL50.lnk = C:\WINDOWS\jzy5cl50.exe
    O8 - Extra context menu item: Add To CheckIt &86 Trust List - C:\PROGRA~1\CHECKIT\86\AddToTrustList.js
    O9 - Extra button: AIM (HKLM)
    O9 - Extra 'Tools' menuitem: CheckIt &86 (HKLM)
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?38002.8513310185
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/21dadf012f6971eef422/netzip/RdxIE601.cab
    O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (Yahoo! Companion) - http://us.dl1.yimg.com/download.yahoo.com/dl/toolbar/yiebio5_1_5_0.cab
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/potc_x.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
     
  2. DadRepairman

    DadRepairman Registered Member

    Joined:
    Mar 28, 2004
    Posts:
    6
    Sorry about the lack of information.

    Found both of the Viruses during AVG (freeware) scan during startup and test.

    Went at own risk and continued and healed revop a. Ran ad-aware updated free version. Am afraid of Webhancer spyware and just choose to ignore. I messed with it once and it took about 8 hours to get it all back. :'(

    Popup blocker from Cox appears to be overrun and losing the battle again.

    Have tried to delete morze1.exe and windows/7dO6dz94 and they keep coming back.

    It is great to have somewhere to go for help. I am spending too many Sundays sitting here doing "repairs"

    Thanks to all the moderators and forum members!!!
     
  3. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    This seems to work for some people

    http://www.wilderssecurity.com/showthread.php?t=25926

    try it and then post a new hjt log please

    But it is proving very difficult to cure and we have had some successes and some we are still trying with.
     
  4. guest~free

    guest~free Guest

    I can't seem to format anything in "bold" here but here are simpler starter points!
    DO NOT FIX/DELETE ANYTHING IN HIJACKTHIS PRIOR TO THESE STEPS: *puppy*
    ~~~~~~~~~~~~~~~~~~~~~~~~~~
    RightClick on the yahoo stock task bar icon (red-arrow; or 2 grey "??" signs))
    Options are:
    *Open Yahoo Stock
    *Settings
    *Remove<<<---
    *Exit.
    While being ONLINE, choose REMOVE
    and hit YES on the uninstall prompt!
    (e.g.. "Are you sure you want to remove...crap.exe>o_O!!! Nahh,
    I want to keep it! :rolleyes: )
    ..........................
    *A web page from adtomi would appear-
    "uninstall was succesful!"

    *Download this removal key, and UNZIP it:
    http://www10.brinkster.com/freeatlast/adtomi.htm

    * Restart computer in SAFE MODE! O N L Y!!!

    *DoubleClick "remove.reg" file you just downloaded, and hit yes on the prompt.

    *Go to: Start>Find Files:(>'search..' in Win ME)
    Type: browserhelper.dll
    Delete ALL FOUND INSTANCES!
    Whether 1, 2 or more!

    * Run hijackthis:
    Check the 04 sections , both in HKLM.. HKCU:
    Anything that has EXACT match on the following critera -fix checked:
    ----------------------------------------------------------
    -- \run..\ 8 characters exe from C:\windows...
    --ENDING WITH-- /dk<<-- switch!
    -------------------------------------------------------
    *Navigate to **both startup folders&locations in win98/ME:
    1.) C:\WINDOWS\All Users\Start Menu\Programs\StartUp<<--
    2.)C:\WINDOWS\Start Menu\Programs\StartUp<<--

    *Delete from these folders all unknown, 8 characters shortcuts pointing to exe files!
    ================================
    Only thing left is to identify and delete the files THEMSELVES, though they are no longer active and these steps CURE the problem!

    As for the files, I'll get back to you if there are different than originally specified!

    ***The uninstall via 'remove' from the taskbar-REMOVES the main installer, e.g "morze1.exe"***
    and therefor makes it EASIER to deal with the rest! *puppy*
     
  5. DadRepairman--
    You have another, rather *minor problem there.
    Download, unzip and run the following uninst.exe.
    While being ***online!***

    http://www10.brinkster.com/expl0iter/freeatlast/junk/PeperUninstaller.htm

    Hit 'yes' when asked if you want to remove <anything>

    **Disable ***all your filters/blockers/blasters
    during the process, ***AVG as well.
    (in this case they will do no good but interfere *puppy* )
    -------------------------------------------------------------------------------
    ...And a few *real viruses. :doubt:
    That'll be left for the last round...
     
  6. well, I'm happy to say that following the steps above cured the problem instantly!

    I'm skipping some of the basic tech details, providing everyone knows how to rearrange folder by details/size, etc.. otherwise the mods can walk you thru the basics.

    As with all known hazards, some steps may act differently.
    This time the uninstall opened the C:\ folder, but the icon was removed from taskbar.

    All shorcuts in startup folder are 8 characters, with the exception of morze1.exe left behind, in both folders.
    "morze1" files should be deleted as well!

    Once the reg file above was merged, startups fixed with hijackthis and shortcuts deleted as well as the 2!!! copies of browserhelper.dlls,
    --Problem is ***GONE!

    As for the files, I added a pic here to show what they look like:

    http://www10.brinkster.com/freeatlast/adtomi.htm

    There are 2 size groups.
    If in doubt, RightClick and check the properties.

    601kb group-->>614,912 bytes
    681kb-->> 697,344 bytes
    Those should be deleted as last stage!

    DadRepairman,
    good luck! Ya got some package(s) there! :doubt:
     
  7. freeee~guest

    freeee~guest Guest

    Whoops... *puppy* bad link...


    http://www10.brinkster.com/expl0iter/freeatlast/adtomi.htm
     
  8. DadRepairman

    DadRepairman Registered Member

    Joined:
    Mar 28, 2004
    Posts:
    6
    The first directions posted and what I have done.

    --RightClick on the yahoo stock task bar icon,
    choose remove-while being online!
    A web page from Adtomi would appear
    "-uninstall was succesful!"

    (done)

    ---------------------------------------------------------------------
    --Restart computer in safe mode ONLY!

    --Make a new text file, copy and paste this inside:
    REGEDIT4

    [-HKEY_CURRENT_USER\Software\adtomi]

    [-HKEY_CLASSES_ROOT\CLSID\{B549456D-F5D0-4641-BCED-8648A0C13D83}]

    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{B549456D-F5D0-4641-BCED-8648A0C13D83}]


    --Save it-(Change to "all files" in drop box-)
    As remove.reg
    DoubleClick and hit yes on the prompt!

    (done)
    ___________________________________________


    --In hijackthis or similar startup manager,
    delete any entries with the following pattern:
    In:--HKCU....\Software\Microsoft\Windows\CurrentVersion\Run
    In:--HKLM....\..run...... as well:
    With:....<C:\WINDOWS.....8 characters>
    random, unknown exe
    files, ending with..... /dk
    Example (C:\WINDOWS\IH5B0AKB.EXE /dk )

    --In hijackthis fix the 02 line BHO -if present:
    C:\WINDOWS\BrowserHelper.dll

    Too many abbreviations for me (novice) to try.
    Afraid and did none of this. I need the specific line in HIJACK THIS click on....sorry...


    ____________________________________________
    --Find and delete:
    BrowserHelper.dll from any location(s)
    There seem to be a few...

    (done)

    ____________________________________________

    --Navigate to Windows folder,
    rearrange it by size from menu:
    (view-Details, -Size)
    Inspect files in the 600kb group:
    Files with square plain icon, no info in
    properties and are-- .exe type And...
    600kb (614,912 bytes), 8 characters
    in file name-- DELETE!
    (they may be listed as 601kb)

    --Another size group of files with same pattern:
    681 kb (697,344 bytes ) -DELETE!

    --Go to:
    :\WINDOWS\All Users\Start Menu\Programs\StartUp
    Find and delete any shortcuts with <8 chars.exe>

    --Same for:
    WINDOWS\Start Menu\Programs\StartUp folder.


    (done)


    ____________________________________________

    Now for the FREEEEE advice...the links were bad and every time my computer attempted to open the zip file as a PDF fileo_Oo_O?

    *Download this removal key, and UNZIP it:
    http://www10.brinkster.com/freeatlast/adtomi.htm
    Kept attempting to open as PDF
    ____________________________________________

    You have another, rather *minor problem there.
    Download, unzip and run the following uninst.exe.
    While being ***online!***

    http://www10.brinkster.com/expl0iter/freeatlast/junk/PeperUninstaller.htm

    Hit 'yes' when asked if you want to remove <anything>


    Link would not open and computer thought I was opending PDF file.
    ___________________________________________

    Run hijackthis:
    Check the 04 sections , both in HKLM.. HKCU:
    Anything that has EXACT match on the following critera -fix checked:
    ----------------------------------------------------------
    -- \run..\ 8 characters exe from C:\windows...
    --ENDING WITH-- /dk<<-- switch!
    -------------------------------------------------------
    Again..I did not do this...did not really understand.

    Wow I am sorry ..you guys are great...we are all humble as you fix our flying machines.
     
  9. DadRepairman

    DadRepairman Registered Member

    Joined:
    Mar 28, 2004
    Posts:
    6
    Thought I would include this.

    Also any thoughts on the follwing
    Webhancer

    Also there were some other.exe files that arrived about the same time as the others.

    Logfile of HijackThis v1.97.7
    Scan saved at 7:26:01 PM, on 3/28/04
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\MSGLOOP.EXE
    C:\PROGRAM FILES\GRISOFT\AVG6\AVGSERV9.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\WINDOWS\SYSTEM\MSG32.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\HIDSERV.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\SYSTEM\HPSYSDRV.EXE
    C:\WINDOWS\SYSTEM\USBMMKBD.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\PROGRAM FILES\GRISOFT\AVG6\AVGCC32.EXE
    C:\WINDOWS\SYSTEM\QTTASK.EXE
    C:\WINDOWS\SYSTEM\A.EXE
    C:\WINDOWS\SYSUPD.EXE
    C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
    C:\WINDOWS\RunDLL.exe
    C:\PROGRAM FILES\AIM\AIM.EXE
    C:\PROGRAM FILES\CHECKIT\86\CHECKIT86.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Cox High Speed Internet
    R3 - URLSearchHook: {0000031A-0000-0000-C000-000000000046} - - (no file)
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\WINDOWS\DOWNLOADED PROGRAM FILES\YCOMP5_1_5_0.DLL
    O2 - BHO: (no name) - {c900b400-cdfe-11d3-976a-00e02913a9e0} - C:\PROGRAM FILES\WEBHANCER\PROGRAMS\WHIEHLPR.DLL (file missing)
    O2 - BHO: CheckIt 86 - {82DF1118-9B92-45d8-B78F-1737A69A06E1} - C:\PROGRAM FILES\CHECKIT\86\CHECKIT86.DLL
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [AtiCwd32] Aticwd32.exe
    O4 - HKLM\..\Run: [AtiKey] Atitask.exe
    O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
    O4 - HKLM\..\Run: [TCASUTIEXE] TCAUDIAG.EXE -off
    O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
    O4 - HKLM\..\Run: [USBMMKBD] usbmmkbd.exe
    O4 - HKLM\..\Run: [Keyboard Manager] C:\Program Files\Netropa\One-touch Multimedia Keyboard\MMKeybd.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\GRISOFT\AVG6\avgcc32.exe /STARTUP
    O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
    O4 - HKLM\..\Run: [42HNQFX5S@X5SW] C:\WINDOWS\SYSTEM\JIFYVW.EXE
    O4 - HKLM\..\Run: [RunDLL] rundll32.exe "C:\WINDOWS\DOWNLOADED PROGRAM FILES\BRIDGE.DLL",Load
    O4 - HKLM\..\Run: [systray] C:\WINDOWS\SYSTEM\A.EXE
    O4 - HKLM\..\Run: [SysUpd] C:\WINDOWS\SYSUPD.EXE
    O4 - HKLM\..\Run: [gpl400j] C:\WINDOWS\SYSTEM\gpl400j.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [R9JL3762.EXE] C:\WINDOWS\R9JL3762.EXE /dk
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [Hidserv] Hidserv.exe run
    O4 - HKLM\..\RunServices: [Avgserv9.exe] C:\PROGRA~1\GRISOFT\AVG6\Avgserv9.exe
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
    O4 - HKCU\..\Run: [AIM] C:\PROGRAM FILES\AIM\aim.exe -cnetwait.odl
    O4 - HKCU\..\Run: [R9JL3762.EXE] C:\WINDOWS\R9JL3762.EXE /dk
    O4 - Startup: CheckIt 86.lnk = C:\Program Files\CheckIt\86\CheckIt86.exe
    O8 - Extra context menu item: Add To CheckIt &86 Trust List - C:\PROGRA~1\CHECKIT\86\AddToTrustList.js
    O9 - Extra button: AIM (HKLM)
    O9 - Extra 'Tools' menuitem: CheckIt &86 (HKLM)
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?38002.8513310185
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/21dadf012f6971eef422/netzip/RdxIE601.cab
    O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (Yahoo! Companion) - http://us.dl1.yimg.com/download.yahoo.com/dl/toolbar/yiebio5_1_5_0.cab
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/potc_x.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
     
  10. puff-m-d

    puff-m-d Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    4,449
    Location:
    North Carolina, USA
    Hi DadRepairman,

    Welcome to Wilders.

    Before you start, please unzip or move HijackThis to a separate folder. The program will make backups in the folder it's in. These easily get lost in a temporary folder.

    Check the following items in HijackThis.
    Close all windows except HijackThis and click Fix checked:

    R3 - URLSearchHook: {0000031A-0000-0000-C000-000000000046} - - (no file)

    O2 - BHO: (no name) - {c900b400-cdfe-11d3-976a-00e02913a9e0} - C:\PROGRAM FILES\WEBHANCER\PROGRAMS\WHIEHLPR.DLL (file missing)

    O4 - HKLM\..\Run: [42HNQFX5S@X5SW] C:\WINDOWS\SYSTEM\JIFYVW.EXE
    O4 - HKLM\..\Run: [RunDLL] rundll32.exe "C:\WINDOWS\DOWNLOADED PROGRAM FILES\BRIDGE.DLL",Load
    O4 - HKLM\..\Run: [systray] C:\WINDOWS\SYSTEM\A.EXE
    O4 - HKLM\..\Run: [SysUpd] C:\WINDOWS\SYSUPD.EXE
    O4 - HKLM\..\Run: [gpl400j] C:\WINDOWS\SYSTEM\gpl400j.exe

    O4 - HKLM\..\Run: [R9JL3762.EXE] C:\WINDOWS\R9JL3762.EXE /dk

    O4 - HKCU\..\Run: [R9JL3762.EXE] C:\WINDOWS\R9JL3762.EXE /dk

    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/21dadf012f6971eef422/netzip/RdxIE601.cab

    The download this Zip File. Unzip it and run being sure you are connected to the internet.

    Then reboot in Safe Mode and delete the following:

    C:\PROGRAM FILES\WEBHANCER\
    C:\WINDOWS\SYSTEM\JIFYVW.EXE
    C:\WINDOWS\DOWNLOADED PROGRAM FILES\BRIDGE.DLL
    C:\WINDOWS\SYSTEM\A.EXE
    C:\WINDOWS\SYSUPD.EXE
    C:\WINDOWS\R9JL3762.EXE
    C:\WINDOWS\morze1.exe

    Reboot and then post a fresh HijackThis log.

    Regards,
    Kent
     
  11. DadRepairman

    DadRepairman Registered Member

    Joined:
    Mar 28, 2004
    Posts:
    6
    OK.
    I did not fix 02 involving Webhancer. the last time I messed with this...I lost the internet and dont have a 98 SE disk to reboot and get back Winsock. Webhancer is nasty....

    So I also did nothing to webhancer in Windows.

    I cannot open the link that was posted. My computer continues to want open this as a PDF file.

    Thanks for everyone's time.

    Logfile of HijackThis v1.97.7
    Scan saved at 9:02:39 PM, on 3/28/04
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\MSGLOOP.EXE
    C:\PROGRAM FILES\GRISOFT\AVG6\AVGSERV9.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\WINDOWS\SYSTEM\MSG32.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\HIDSERV.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\SYSTEM\HPSYSDRV.EXE
    C:\WINDOWS\SYSTEM\USBMMKBD.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\PROGRAM FILES\GRISOFT\AVG6\AVGCC32.EXE
    C:\WINDOWS\SYSTEM\QTTASK.EXE
    C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
    C:\WINDOWS\SYSTEM\DP-K13W13.EXE
    C:\WINDOWS\TEMP\~COMPOUNDINST0\AUTO_UPDATE_LOADER.EXE
    C:\WINDOWS\SYSTEM32\PCS\PCSVC.EXE
    C:\PROGRAM FILES\COMMON FILES\DPI\DPI.EXE
    C:\WINDOWS\RunDLL.exe
    C:\PROGRAM FILES\AIM\AIM.EXE
    C:\WINDOWS\APPLICATION DATA\OCSR.EXE
    C:\PROGRAM FILES\CHECKIT\86\CHECKIT86.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\HIJACKTHIS\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\SYSTEM\sb.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Cox High Speed Internet
    R3 - URLSearchHook: {0000031A-0000-0000-C000-000000000046} - - (no file)
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\WINDOWS\DOWNLOADED PROGRAM FILES\YCOMP5_1_5_0.DLL
    O2 - BHO: (no name) - {c900b400-cdfe-11d3-976a-00e02913a9e0} - C:\PROGRAM FILES\WEBHANCER\PROGRAMS\WHIEHLPR.DLL (file missing)
    O2 - BHO: CheckIt 86 - {82DF1118-9B92-45d8-B78F-1737A69A06E1} - C:\PROGRAM FILES\CHECKIT\86\CHECKIT86.DLL
    O2 - BHO: IE Agent - {00000000-0000-0000-0000-000000000221} - C:\PROGRA~1\LYCOS\IEAGENT\CSIE.DLL
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [AtiCwd32] Aticwd32.exe
    O4 - HKLM\..\Run: [AtiKey] Atitask.exe
    O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
    O4 - HKLM\..\Run: [TCASUTIEXE] TCAUDIAG.EXE -off
    O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
    O4 - HKLM\..\Run: [USBMMKBD] usbmmkbd.exe
    O4 - HKLM\..\Run: [Keyboard Manager] C:\Program Files\Netropa\One-touch Multimedia Keyboard\MMKeybd.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\GRISOFT\AVG6\avgcc32.exe /STARTUP
    O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [Dsi] C:\WINDOWS\SYSTEM\DP-K13W13.EXE
    O4 - HKLM\..\Run: [AutoLoaderEnvoloAutoUpdater] "C:\WINDOWS\TEMP\~COMPOUNDINST0\AUTO_UPDATE_LOADER.EXE"
    O4 - HKLM\..\Run: [Pcsv] C:\WINDOWS\system32\pcs\pcsvc.exe
    O4 - HKLM\..\Run: [Dpi] C:\PROGRAM FILES\COMMON FILES\DPI\DPI.EXE
    O4 - HKLM\..\Run: [SysUpd] C:\WINDOWS\SYSUPD.EXE
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [Hidserv] Hidserv.exe run
    O4 - HKLM\..\RunServices: [Avgserv9.exe] C:\PROGRA~1\GRISOFT\AVG6\Avgserv9.exe
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
    O4 - HKCU\..\Run: [AIM] C:\PROGRAM FILES\AIM\aim.exe -cnetwait.odl
    O4 - HKCU\..\Run: [Oota] C:\WINDOWS\Application Data\ocsr.exe
    O4 - Startup: CheckIt 86.lnk = C:\Program Files\CheckIt\86\CheckIt86.exe
    O8 - Extra context menu item: Add To CheckIt &86 Trust List - C:\PROGRA~1\CHECKIT\86\AddToTrustList.js
    O9 - Extra button: AIM (HKLM)
    O9 - Extra 'Tools' menuitem: CheckIt &86 (HKLM)
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?38002.8513310185
    O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (Yahoo! Companion) - http://us.dl1.yimg.com/download.yahoo.com/dl/toolbar/yiebio5_1_5_0.cab
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/potc_x.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
     
  12. puff-m-d

    puff-m-d Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    4,449
    Location:
    North Carolina, USA
  13. Right on!
    Don't fix it!
    Please check in Add/remove programs and
    uninstall it!
    It should be listed there and the uninstaller DOES work!
    It is not *nasty in the sense that it would harn your connection-intentionally!
    But if removed incorrectly-it may...

    Read instructions here:
    http://www.webhancer.com/support/index.asp?s=34
    They work! *puppy*

    For the other problem, if you still can't download anything, go here:

    http://www.memorywatcher.com/remove.aspx

    And follow instructions to the letter while being online!

    You need a zip/unzip tool probably.
    Try this tool:
    JustZipIt!

    And you seem to have loads of new problems there.
    I suggest when you are done with these, run Ad-Aware and SpyBot first.
    Though looks like the 'adtomi' problem is resolved! *puppy*
     
  14. Unzy

    Unzy Registered Member

    Joined:
    Nov 2, 2003
    Posts:
    1,098
    Location:
    Belgium
    lol fal :D

    Thnx for stepping in :)

    Cheers,
     
  15. Scott Bain

    Scott Bain Guest

  16. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    Hi Scott
    Thanks for posting, but we now have an auomatic fix for the problem

    http://www.wilderssecurity.com/showthread.php?t=25926
     
Thread Status:
Not open for further replies.