Trojan Horse Turown.a and revop.a

Discussion in 'adware, spyware & hijack cleaning' started by Dad Repairman, Mar 28, 2004.

Thread Status:
Not open for further replies.
  1. Logfile of HijackThis v1.97.7
    Scan saved at 2:08:42 PM, on 3/28/04
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\MSGLOOP.EXE
    C:\PROGRAM FILES\GRISOFT\AVG6\AVGSERV9.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\WINDOWS\SYSTEM\MSG32.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\HIDSERV.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\SYSTEM\HPSYSDRV.EXE
    C:\WINDOWS\SYSTEM\USBMMKBD.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\PROGRAM FILES\GRISOFT\AVG6\AVGCC32.EXE
    C:\WINDOWS\SYSTEM\QTTASK.EXE
    C:\WINDOWS\SYSUPD.EXE
    C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
    C:\WINDOWS\RunDLL.exe
    C:\PROGRAM FILES\AIM\AIM.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\WINDOWS\TEMPORARY INTERNET FILES\CONTENT.IE5\0BBRU815\HIJACKTHIS[1].EXE
    C:\WINDOWS\04ZMLJ1E.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Cox High Speed Internet
    R3 - URLSearchHook: {0000031A-0000-0000-C000-000000000046} - - (no file)
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\WINDOWS\DOWNLOADED PROGRAM FILES\YCOMP5_1_5_0.DLL
    O2 - BHO: (no name) - {c900b400-cdfe-11d3-976a-00e02913a9e0} - C:\PROGRAM FILES\WEBHANCER\PROGRAMS\WHIEHLPR.DLL (file missing)
    O2 - BHO: CheckIt 86 - {82DF1118-9B92-45d8-B78F-1737A69A06E1} - C:\PROGRAM FILES\CHECKIT\86\CHECKIT86.DLL
    O2 - BHO: (no name) - {B549456D-F5D0-4641-BCED-8648A0C13D83} - C:\WINDOWS\BrowserHelper.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [AtiCwd32] Aticwd32.exe
    O4 - HKLM\..\Run: [AtiKey] Atitask.exe
    O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
    O4 - HKLM\..\Run: [TCASUTIEXE] TCAUDIAG.EXE -off
    O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
    O4 - HKLM\..\Run: [USBMMKBD] usbmmkbd.exe
    O4 - HKLM\..\Run: [Keyboard Manager] C:\Program Files\Netropa\One-touch Multimedia Keyboard\MMKeybd.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\GRISOFT\AVG6\avgcc32.exe /STARTUP
    O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
    O4 - HKLM\..\Run: [42HNQFX5S@X5SW] C:\WINDOWS\SYSTEM\JIFYVW.EXE
    O4 - HKLM\..\Run: [RunDLL] rundll32.exe "C:\WINDOWS\DOWNLOADED PROGRAM FILES\BRIDGE.DLL",Load
    O4 - HKLM\..\Run: [systray] C:\WINDOWS\SYSTEM\A.EXE
    O4 - HKLM\..\Run: [SysUpd] C:\WINDOWS\SYSUPD.EXE
    O4 - HKLM\..\Run: [gpl400j] C:\WINDOWS\SYSTEM\gpl400j.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [JZY5CL50.EXE] C:\WINDOWS\JZY5CL50.EXE /dk
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [Hidserv] Hidserv.exe run
    O4 - HKLM\..\RunServices: [Avgserv9.exe] C:\PROGRA~1\GRISOFT\AVG6\Avgserv9.exe
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
    O4 - HKCU\..\Run: [AIM] C:\PROGRAM FILES\AIM\aim.exe -cnetwait.odl
    O4 - HKCU\..\Run: [JZY5CL50.EXE] C:\WINDOWS\JZY5CL50.EXE /dk
    O4 - Startup: CheckIt 86.lnk = C:\Program Files\CheckIt\86\CheckIt86.exe
    O4 - Startup: MORZE1.lnk = C:\WINDOWS\morze1.exe
    O4 - Startup: 1VO6105X.lnk = C:\WINDOWS\1vo6105x.exe
    O4 - Startup: P2ZNRMB4.lnk = C:\WINDOWS\p2znrmb4.exe
    O4 - Startup: YLN0H81R.lnk = C:\WINDOWS\yln0h81r.exe
    O4 - Startup: 7D06DZ94.lnk = C:\WINDOWS\7d06dz94.exe
    O4 - Startup: 1EQYRJ1M.lnk = C:\WINDOWS\1eqyrj1m.exe
    O4 - Startup: 1EOJOOG3.lnk = C:\WINDOWS\1eojoog3.exe
    O4 - Startup: L88VT2C4.lnk = C:\WINDOWS\l88vt2c4.exe
    O4 - Startup: 8FAN8724.lnk = C:\WINDOWS\8fan8724.exe
    O4 - Startup: JZY5CL50.lnk = C:\WINDOWS\jzy5cl50.exe
    O4 - Global Startup: MORZE1.lnk = C:\WINDOWS\morze1.exe
    O4 - Global Startup: 1VO6105X.lnk = C:\WINDOWS\1vo6105x.exe
    O4 - Global Startup: P2ZNRMB4.lnk = C:\WINDOWS\p2znrmb4.exe
    O4 - Global Startup: YLN0H81R.lnk = C:\WINDOWS\yln0h81r.exe
    O4 - Global Startup: 7D06DZ94.lnk = C:\WINDOWS\7d06dz94.exe
    O4 - Global Startup: 1EQYRJ1M.lnk = C:\WINDOWS\1eqyrj1m.exe
    O4 - Global Startup: 1EOJOOG3.lnk = C:\WINDOWS\1eojoog3.exe
    O4 - Global Startup: L88VT2C4.lnk = C:\WINDOWS\l88vt2c4.exe
    O4 - Global Startup: 8FAN8724.lnk = C:\WINDOWS\8fan8724.exe
    O4 - Global Startup: JZY5CL50.lnk = C:\WINDOWS\jzy5cl50.exe
    O8 - Extra context menu item: Add To CheckIt &86 Trust List - C:\PROGRA~1\CHECKIT\86\AddToTrustList.js
    O9 - Extra button: AIM (HKLM)
    O9 - Extra 'Tools' menuitem: CheckIt &86 (HKLM)
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?38002.8513310185
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/21dadf012f6971eef422/netzip/RdxIE601.cab
    O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (Yahoo! Companion) - http://us.dl1.yimg.com/download.yahoo.com/dl/toolbar/yiebio5_1_5_0.cab
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/potc_x.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
     
  2. DadRepairman

    DadRepairman Registered Member

    Joined:
    Mar 28, 2004
    Posts:
    6
    Sorry about the lack of information.

    Found both of the viruses during AVG (freeware) scan during startup and test.

    Went at own risk and continued and healed revop a. Ran ad-aware updated free version. Am afraid of Webhancer spyware and just choose to ignore. I messed with it once and it took about 8 hours to get it all back. :'(

    Popup blocker from Cox appears to be overrun and losing the battle again.

    Have tried to delete morze1.exe and windows/7dO6dz94 and they keep coming back.

    It is great to have somewhere to go for help. I am spending too many Sundays sitting here doing "repairs".

    Thanks to all the moderators and forum members!!!
     
  3. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    This seems to work for some people

    http://www.wilderssecurity.com/showthread.php?t=25926

    try it and then post a new hjt log please

    But it is proving very difficult to cure and we have had some successes and some we are still trying with.
     
  4. guest~free

    guest~free Guest

    I can't seem to format anything in "bold" here but here are simpler starter points!
    DO NOT FIX/DELETE ANYTHING IN HIJACKTHIS PRIOR TO THESE STEPS: *puppy*
    ~~~~~~~~~~~~~~~~~~~~~~~~~~
    RightClick on the yahoo stock task bar icon (red-arrow; or 2 grey "??" signs)
    Options are:
    *Open Yahoo Stock
    *Settings
    *Remove<<<---
    *Exit.
    While being ONLINE, choose REMOVE
    and hit YES on the uninstall prompt!
    (e.g. "Are you sure you want to remove...crap.exe>o_O!!! Nahh,
    I want to keep it! :rolleyes: )
    ..........................
    *A web page from adtomi would appear-
    "uninstall was successful!"

    *Download this removal key, and UNZIP it:
    http://www10.brinkster.com/freeatlast/adtomi.htm

    * Restart computer in SAFE MODE! O N L Y!!!

    *DoubleClick "remove.reg" file you just downloaded, and hit yes on the prompt.

    *Go to: Start>Find Files:(>'search..' in Win ME)
    Type: browserhelper.dll
    Delete ALL FOUND INSTANCES!
    Whether 1, 2 or more!

    * Run hijackthis:
    Check the 04 sections , both in HKLM.. HKCU:
    Anything that has EXACT match on the following criteria -fix checked:
    ----------------------------------------------------------
    -- \run..\ 8 characters exe from C:\windows...
    --ENDING WITH-- /dk<<-- switch!
    -------------------------------------------------------
    *Navigate to **both startup folders&locations in win98/ME:
    1.) C:\WINDOWS\All Users\Start Menu\Programs\StartUp<<--
    2.) C:\WINDOWS\Start Menu\Programs\StartUp<<--

    *Delete from these folders all unknown, 8 characters shortcuts pointing to exe files!
    ================================
    Only thing left is to identify and delete the files THEMSELVES, though they are no longer active and these steps CURE the problem!

    As for the files, I'll get back to you if there are different than originally specified!

    ***The uninstall via 'remove' from the taskbar-REMOVES the main installer, e.g "morze1.exe"***
    and therefore makes it EASIER to deal with the rest! *puppy*
     
  5. DadRepairman--
    You have another, rather *minor problem there.
    Download, unzip and run the following uninst.exe.
    While being ***online!***

    http://www10.brinkster.com/expl0iter/freeatlast/junk/PeperUninstaller.htm

    Hit 'yes' when asked if you want to remove <anything>

    **Disable ***all your filters/blockers/blasters
    during the process, ***AVG as well.
    (in this case they will do no good but interfere *puppy* )
    -------------------------------------------------------------------------------
    ...And a few *real viruses. :doubt:
    That'll be left for the last round...
     
  6. well, I'm happy to say that following the steps above cured the problem instantly!

    I'm skipping some of the basic tech details, providing everyone knows how to rearrange folder by details/size, etc.. otherwise the mods can walk you thru the basics.

    As with all known hazards, some steps may act differently.
    This time the uninstall opened the C:\ folder, but the icon was removed from taskbar.

    All shortcuts in startup folder are 8 characters, with the exception of morze1.exe left behind, in both folders.
    "morze1" files should be deleted as well!

    Once the reg file above was merged, startups fixed with hijackthis and shortcuts deleted as well as the 2!!! copies of browserhelper.dlls,
    --Problem is ***GONE!

    As for the files, I added a pic here to show what they look like:

    http://www10.brinkster.com/freeatlast/adtomi.htm

    There are 2 size groups.
    If in doubt, RightClick and check the properties.

    601kb group-->>614,912 bytes
    681kb-->> 697,344 bytes
    Those should be deleted as last stage!

    DadRepairman,
    good luck! Ya got some package(s) there! :doubt:
     
  7. freeee~guest

    freeee~guest Guest

    Whoops... *puppy* bad link...


    http://www10.brinkster.com/expl0iter/freeatlast/adtomi.htm
     
  8. DadRepairman

    DadRepairman Registered Member

    Joined:
    Mar 28, 2004
    Posts:
    6
    The first directions posted and what I have done.

    --RightClick on the yahoo stock task bar icon,
    choose remove-while being online!
    A web page from Adtomi would appear
    "-uninstall was successful!"

    (done)

    ---------------------------------------------------------------------
    --Restart computer in safe mode ONLY!

    --Make a new text file, copy and paste this inside:
    REGEDIT4

    [-HKEY_CURRENT_USER\Software\adtomi]

    [-HKEY_CLASSES_ROOT\CLSID\{B549456D-F5D0-4641-BCED-8648A0C13D83}]

    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{B549456D-F5D0-4641-BCED-8648A0C13D83}]


    --Save it-(Change to "all files" in drop box-)
    As remove.reg
    DoubleClick and hit yes on the prompt!

    (done)
    ___________________________________________


    --In hijackthis or similar startup manager,
    delete any entries with the following pattern:
    In:--HKCU....\Software\Microsoft\Windows\CurrentVersion\Run
    In:--HKLM....\..run...... as well:
    With:....<C:\WINDOWS.....8 characters>
    random, unknown exe
    files, ending with..... /dk
    Example (C:\WINDOWS\IH5B0AKB.EXE /dk )

    --In hijackthis fix the 02 line BHO -if present:
    C:\WINDOWS\BrowserHelper.dll

    Too many abbreviations for me (novice) to try.
    Afraid and did none of this. I need the specific line in HIJACK THIS click on....sorry...


    ____________________________________________
    --Find and delete:
    BrowserHelper.dll from any location(s)
    There seem to be a few...

    (done)

    ____________________________________________

    --Navigate to Windows folder,
    rearrange it by size from menu:
    (view-Details, -Size)
    Inspect files in the 600kb group:
    Files with square plain icon, no info in
    properties and are-- .exe type And...
    600kb (614,912 bytes), 8 characters
    in file name-- DELETE!
    (they may be listed as 601kb)

    --Another size group of files with same pattern:
    681 kb (697,344 bytes ) -DELETE!

    --Go to:
    :\WINDOWS\All Users\Start Menu\Programs\StartUp
    Find and delete any shortcuts with <8 chars.exe>

    --Same for:
    WINDOWS\Start Menu\Programs\StartUp folder.


    (done)


    ____________________________________________

    Now for the FREEEEE advice...the links were bad and every time my computer attempted to open the zip file as a PDF file o_O o_O?

    *Download this removal key, and UNZIP it:
    http://www10.brinkster.com/freeatlast/adtomi.htm
    Kept attempting to open as PDF
    ____________________________________________

    You have another, rather *minor problem there.
    Download, unzip and run the following uninst.exe.
    While being ***online!***

    http://www10.brinkster.com/expl0iter/freeatlast/junk/PeperUninstaller.htm

    Hit 'yes' when asked if you want to remove <anything>


    Link would not open and computer thought I was opening PDF file.
    ___________________________________________

    Run hijackthis:
    Check the 04 sections , both in HKLM.. HKCU:
    Anything that has EXACT match on the following criteria -fix checked:
    ----------------------------------------------------------
    -- \run..\ 8 characters exe from C:\windows...
    --ENDING WITH-- /dk<<-- switch!
    -------------------------------------------------------
    Again..I did not do this...did not really understand.

    Wow I am sorry ..you guys are great...we are all humble as you fix our flying machines.
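    As an added illustration (not code from this thread or from HijackThis), the following Python script applies the triage the directions above describe to HijackThis log lines: it flags Run entries for an 8-character random .exe directly under C:\WINDOWS with the /dk switch, Startup shortcuts pointing at such a file or at morze1.exe, and the BrowserHelper.dll BHO by its CLSID, then renders a REGEDIT4 removal file in the shape of the remove.reg quoted above. The sample lines are constructed from entries in this thread; the 8-character rule and the two byte sizes are the thread's heuristics, not a general signature.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the O2/O4 lines quoted in this thread (not the full log).
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {B549456D-F5D0-4641-BCED-8648A0C13D83} - C:\WINDOWS\BrowserHelper.dll
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [JZY5CL50.EXE] C:\WINDOWS\JZY5CL50.EXE /dk
O4 - HKCU\..\Run: [AIM] C:\PROGRAM FILES\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [JZY5CL50.EXE] C:\WINDOWS\JZY5CL50.EXE /dk
O4 - Startup: CheckIt 86.lnk = C:\Program Files\CheckIt\86\CheckIt86.exe
O4 - Startup: MORZE1.lnk = C:\WINDOWS\morze1.exe
O4 - Startup: 1VO6105X.lnk = C:\WINDOWS\1vo6105x.exe
O4 - Global Startup: P2ZNRMB4.lnk = C:\WINDOWS\p2znrmb4.exe
"""

# Run-key entry: 8 alphanumeric characters, .EXE directly under C:\WINDOWS, "/dk" switch.
RUN_RE = re.compile(
    r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<value>[^\]]+)\] "
    r"(?P<path>C:\\WINDOWS\\(?P<base>[A-Z0-9]{8})\.EXE) /dk\s*$", re.IGNORECASE)
# Startup / Global Startup shortcut whose target sits directly under C:\WINDOWS.
STARTUP_RE = re.compile(
    r"^O4 - (?:Global )?Startup: (?P<lnk>.+?)\.lnk = "
    r"(?P<path>C:\\WINDOWS\\(?P<file>[^\\]+))\s*$", re.IGNORECASE)
BHO_RE = re.compile(r"^O2 - BHO: .* - (?P<clsid>\{[0-9A-F-]+\}) - (?P<path>.+?)\s*$", re.IGNORECASE)

RANDOM_EXE = re.compile(r"^[A-Z0-9]{8}\.exe$", re.IGNORECASE)
KNOWN_INSTALLER = {"morze1.exe"}            # named in the thread as the main installer
ADTOMI_CLSID = "{B549456D-F5D0-4641-BCED-8648A0C13D83}"  # BrowserHelper.dll BHO in the log
SUSPECT_SIZES = {614912, 697344}            # the two byte sizes reported in the thread
HIVES = {"HKLM": "HKEY_LOCAL_MACHINE", "HKCU": "HKEY_CURRENT_USER"}


def triage(log_text):
    """Walk HijackThis log lines and collect the entries matching the thread's pattern."""
    findings = {"run": [], "startup": [], "bho": [], "files": set()}
    for line in log_text.strip().splitlines():
        line = line.strip()
        m = RUN_RE.match(line)
        if m:
            findings["run"].append((m["hive"].upper(), m["value"], m["path"]))
            findings["files"].add(m["path"].upper())
            continue
        m = STARTUP_RE.match(line)
        if m:
            target = m["file"]
            if RANDOM_EXE.match(target) or target.lower() in KNOWN_INSTALLER:
                findings["startup"].append((m["lnk"] + ".lnk", m["path"]))
                findings["files"].add(m["path"].upper())
            continue
        m = BHO_RE.match(line)
        if m and m["clsid"].upper() == ADTOMI_CLSID:
            findings["bho"].append((m["clsid"].upper(), m["path"]))
            findings["files"].add(m["path"].upper())
    return findings


def removal_reg(findings):
    """Render a REGEDIT4 file in the shape of the thread's remove.reg: delete the
    flagged Run values ("name"=- removes one value) and the BHO registration."""
    lines = ["REGEDIT4", ""]
    by_hive = defaultdict(list)
    for hive, value, _ in findings["run"]:
        by_hive[hive].append(value)
    for hive in sorted(by_hive):
        lines.append(f"[{HIVES[hive]}\\Software\\Microsoft\\Windows\\CurrentVersion\\Run]")
        lines.extend(f'"{value}"=-' for value in by_hive[hive])
        lines.append("")
    for clsid, _ in findings["bho"]:
        lines.append(f"[-HKEY_CLASSES_ROOT\\CLSID\\{clsid}]")
        lines.append("[-HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion"
                     f"\\explorer\\Browser Helper Objects\\{clsid}]")
        lines.append("")
    return "\n".join(lines)


def suspicious_file(name, size):
    """Windows-folder check from the thread: random 8-character .exe of one of the two sizes.
    Legitimate 8-character names exist (scanregw.exe), so the size is the discriminator."""
    return bool(RANDOM_EXE.match(name)) and size in SUSPECT_SIZES


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    print(removal_reg(result))
    print("Files to inspect in Safe Mode:", sorted(result["files"]))
```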
     
  9. DadRepairman

    DadRepairman Registered Member

    Joined:
    Mar 28, 2004
    Posts:
    6
    Thought I would include this.

    Also any thoughts on the following
    Webhancer

    Also there were some other .exe files that arrived about the same time as the others.

    Logfile of HijackThis v1.97.7
    Scan saved at 7:26:01 PM, on 3/28/04
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\MSGLOOP.EXE
    C:\PROGRAM FILES\GRISOFT\AVG6\AVGSERV9.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\WINDOWS\SYSTEM\MSG32.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\HIDSERV.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\SYSTEM\HPSYSDRV.EXE
    C:\WINDOWS\SYSTEM\USBMMKBD.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\PROGRAM FILES\GRISOFT\AVG6\AVGCC32.EXE
    C:\WINDOWS\SYSTEM\QTTASK.EXE
    C:\WINDOWS\SYSTEM\A.EXE
    C:\WINDOWS\SYSUPD.EXE
    C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
    C:\WINDOWS\RunDLL.exe
    C:\PROGRAM FILES\AIM\AIM.EXE
    C:\PROGRAM FILES\CHECKIT\86\CHECKIT86.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Cox High Speed Internet
    R3 - URLSearchHook: {0000031A-0000-0000-C000-000000000046} - - (no file)
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\WINDOWS\DOWNLOADED PROGRAM FILES\YCOMP5_1_5_0.DLL
    O2 - BHO: (no name) - {c900b400-cdfe-11d3-976a-00e02913a9e0} - C:\PROGRAM FILES\WEBHANCER\PROGRAMS\WHIEHLPR.DLL (file missing)
    O2 - BHO: CheckIt 86 - {82DF1118-9B92-45d8-B78F-1737A69A06E1} - C:\PROGRAM FILES\CHECKIT\86\CHECKIT86.DLL
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [AtiCwd32] Aticwd32.exe
    O4 - HKLM\..\Run: [AtiKey] Atitask.exe
    O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
    O4 - HKLM\..\Run: [TCASUTIEXE] TCAUDIAG.EXE -off
    O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
    O4 - HKLM\..\Run: [USBMMKBD] usbmmkbd.exe
    O4 - HKLM\..\Run: [Keyboard Manager] C:\Program Files\Netropa\One-touch Multimedia Keyboard\MMKeybd.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\GRISOFT\AVG6\avgcc32.exe /STARTUP
    O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
    O4 - HKLM\..\Run: [42HNQFX5S@X5SW] C:\WINDOWS\SYSTEM\JIFYVW.EXE
    O4 - HKLM\..\Run: [RunDLL] rundll32.exe "C:\WINDOWS\DOWNLOADED PROGRAM FILES\BRIDGE.DLL",Load
    O4 - HKLM\..\Run: [systray] C:\WINDOWS\SYSTEM\A.EXE
    O4 - HKLM\..\Run: [SysUpd] C:\WINDOWS\SYSUPD.EXE
    O4 - HKLM\..\Run: [gpl400j] C:\WINDOWS\SYSTEM\gpl400j.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [R9JL3762.EXE] C:\WINDOWS\R9JL3762.EXE /dk
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [Hidserv] Hidserv.exe run
    O4 - HKLM\..\RunServices: [Avgserv9.exe] C:\PROGRA~1\GRISOFT\AVG6\Avgserv9.exe
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
    O4 - HKCU\..\Run: [AIM] C:\PROGRAM FILES\AIM\aim.exe -cnetwait.odl
    O4 - HKCU\..\Run: [R9JL3762.EXE] C:\WINDOWS\R9JL3762.EXE /dk
    O4 - Startup: CheckIt 86.lnk = C:\Program Files\CheckIt\86\CheckIt86.exe
    O8 - Extra context menu item: Add To CheckIt &86 Trust List - C:\PROGRA~1\CHECKIT\86\AddToTrustList.js
    O9 - Extra button: AIM (HKLM)
    O9 - Extra 'Tools' menuitem: CheckIt &86 (HKLM)
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?38002.8513310185
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/21dadf012f6971eef422/netzip/RdxIE601.cab
    O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (Yahoo! Companion) - http://us.dl1.yimg.com/download.yahoo.com/dl/toolbar/yiebio5_1_5_0.cab
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/potc_x.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
     
  10. puff-m-d

    puff-m-d Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    5,703
    Location:
    North Carolina, USA
    Hi DadRepairman,

    Welcome to Wilders.

    Before you start, please unzip or move HijackThis to a separate folder. The program will make backups in the folder it's in. These easily get lost in a temporary folder.

    Check the following items in HijackThis.
    Close all windows except HijackThis and click Fix checked:

    R3 - URLSearchHook: {0000031A-0000-0000-C000-000000000046} - - (no file)

    O2 - BHO: (no name) - {c900b400-cdfe-11d3-976a-00e02913a9e0} - C:\PROGRAM FILES\WEBHANCER\PROGRAMS\WHIEHLPR.DLL (file missing)

    O4 - HKLM\..\Run: [42HNQFX5S@X5SW] C:\WINDOWS\SYSTEM\JIFYVW.EXE
    O4 - HKLM\..\Run: [RunDLL] rundll32.exe "C:\WINDOWS\DOWNLOADED PROGRAM FILES\BRIDGE.DLL",Load
    O4 - HKLM\..\Run: [systray] C:\WINDOWS\SYSTEM\A.EXE
    O4 - HKLM\..\Run: [SysUpd] C:\WINDOWS\SYSUPD.EXE
    O4 - HKLM\..\Run: [gpl400j] C:\WINDOWS\SYSTEM\gpl400j.exe

    O4 - HKLM\..\Run: [R9JL3762.EXE] C:\WINDOWS\R9JL3762.EXE /dk

    O4 - HKCU\..\Run: [R9JL3762.EXE] C:\WINDOWS\R9JL3762.EXE /dk

    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/21dadf012f6971eef422/netzip/RdxIE601.cab

    Then download this Zip File. Unzip it and run, being sure you are connected to the internet.

    Then reboot in Safe Mode and delete the following:

    C:\PROGRAM FILES\WEBHANCER\
    C:\WINDOWS\SYSTEM\JIFYVW.EXE
    C:\WINDOWS\DOWNLOADED PROGRAM FILES\BRIDGE.DLL
    C:\WINDOWS\SYSTEM\A.EXE
    C:\WINDOWS\SYSUPD.EXE
    C:\WINDOWS\R9JL3762.EXE
    C:\WINDOWS\morze1.exe

    Reboot and then post a fresh HijackThis log.

    Regards,
    Kent
     
  11. DadRepairman

    DadRepairman Registered Member

    Joined:
    Mar 28, 2004
    Posts:
    6
    OK.
    I did not fix 02 involving Webhancer. The last time I messed with this...I lost the internet and don't have a 98 SE disk to reboot and get back Winsock. Webhancer is nasty....

    So I also did nothing to webhancer in Windows.

    I cannot open the link that was posted. My computer continues to want to open this as a PDF file.

    Thanks for everyone's time.

    Logfile of HijackThis v1.97.7
    Scan saved at 9:02:39 PM, on 3/28/04
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\MSGLOOP.EXE
    C:\PROGRAM FILES\GRISOFT\AVG6\AVGSERV9.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\WINDOWS\SYSTEM\MSG32.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\HIDSERV.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\SYSTEM\HPSYSDRV.EXE
    C:\WINDOWS\SYSTEM\USBMMKBD.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\PROGRAM FILES\GRISOFT\AVG6\AVGCC32.EXE
    C:\WINDOWS\SYSTEM\QTTASK.EXE
    C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
    C:\WINDOWS\SYSTEM\DP-K13W13.EXE
    C:\WINDOWS\TEMP\~COMPOUNDINST0\AUTO_UPDATE_LOADER.EXE
    C:\WINDOWS\SYSTEM32\PCS\PCSVC.EXE
    C:\PROGRAM FILES\COMMON FILES\DPI\DPI.EXE
    C:\WINDOWS\RunDLL.exe
    C:\PROGRAM FILES\AIM\AIM.EXE
    C:\WINDOWS\APPLICATION DATA\OCSR.EXE
    C:\PROGRAM FILES\CHECKIT\86\CHECKIT86.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\HIJACKTHIS\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\SYSTEM\sb.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Cox High Speed Internet
    R3 - URLSearchHook: {0000031A-0000-0000-C000-000000000046} - - (no file)
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\WINDOWS\DOWNLOADED PROGRAM FILES\YCOMP5_1_5_0.DLL
    O2 - BHO: (no name) - {c900b400-cdfe-11d3-976a-00e02913a9e0} - C:\PROGRAM FILES\WEBHANCER\PROGRAMS\WHIEHLPR.DLL (file missing)
    O2 - BHO: CheckIt 86 - {82DF1118-9B92-45d8-B78F-1737A69A06E1} - C:\PROGRAM FILES\CHECKIT\86\CHECKIT86.DLL
    O2 - BHO: IE Agent - {00000000-0000-0000-0000-000000000221} - C:\PROGRA~1\LYCOS\IEAGENT\CSIE.DLL
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [AtiCwd32] Aticwd32.exe
    O4 - HKLM\..\Run: [AtiKey] Atitask.exe
    O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
    O4 - HKLM\..\Run: [TCASUTIEXE] TCAUDIAG.EXE -off
    O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
    O4 - HKLM\..\Run: [USBMMKBD] usbmmkbd.exe
    O4 - HKLM\..\Run: [Keyboard Manager] C:\Program Files\Netropa\One-touch Multimedia Keyboard\MMKeybd.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\GRISOFT\AVG6\avgcc32.exe /STARTUP
    O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [Dsi] C:\WINDOWS\SYSTEM\DP-K13W13.EXE
    O4 - HKLM\..\Run: [AutoLoaderEnvoloAutoUpdater] "C:\WINDOWS\TEMP\~COMPOUNDINST0\AUTO_UPDATE_LOADER.EXE"
    O4 - HKLM\..\Run: [Pcsv] C:\WINDOWS\system32\pcs\pcsvc.exe
    O4 - HKLM\..\Run: [Dpi] C:\PROGRAM FILES\COMMON FILES\DPI\DPI.EXE
    O4 - HKLM\..\Run: [SysUpd] C:\WINDOWS\SYSUPD.EXE
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [Hidserv] Hidserv.exe run
    O4 - HKLM\..\RunServices: [Avgserv9.exe] C:\PROGRA~1\GRISOFT\AVG6\Avgserv9.exe
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
    O4 - HKCU\..\Run: [AIM] C:\PROGRAM FILES\AIM\aim.exe -cnetwait.odl
    O4 - HKCU\..\Run: [Oota] C:\WINDOWS\Application Data\ocsr.exe
    O4 - Startup: CheckIt 86.lnk = C:\Program Files\CheckIt\86\CheckIt86.exe
    O8 - Extra context menu item: Add To CheckIt &86 Trust List - C:\PROGRA~1\CHECKIT\86\AddToTrustList.js
    O9 - Extra button: AIM (HKLM)
    O9 - Extra 'Tools' menuitem: CheckIt &86 (HKLM)
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?38002.8513310185
    O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (Yahoo! Companion) - http://us.dl1.yimg.com/download.yahoo.com/dl/toolbar/yiebio5_1_5_0.cab
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/potc_x.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
     
  12. puff-m-d

    puff-m-d Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    5,703
    Location:
    North Carolina, USA
  13. Right on!
    Don't fix it!
    Please check in Add/remove programs and
    uninstall it!
    It should be listed there and the uninstaller DOES work!
    It is not *nasty in the sense that it would harm your connection-intentionally!
    But if removed incorrectly-it may...

    Read instructions here:
    http://www.webhancer.com/support/index.asp?s=34
    They work! *puppy*

    For the other problem, if you still can't download anything, go here:

    http://www.memorywatcher.com/remove.aspx

    And follow instructions to the letter while being online!

    You need a zip/unzip tool probably.
    Try this tool:
    JustZipIt!

    And you seem to have loads of new problems there.
    I suggest when you are done with these, run Ad-Aware and SpyBot first.
    Though looks like the 'adtomi' problem is resolved! *puppy*
     
  14. Unzy

    Unzy Registered Member

    Joined:
    Nov 2, 2003
    Posts:
    1,098
    Location:
    Belgium
    lol fal :D

    Thnx for stepping in :)

    Cheers,
     
  15. Scott Bain

    Scott Bain Guest

  16. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    Hi Scott
    Thanks for posting, but we now have an automatic fix for the problem

    http://www.wilderssecurity.com/showthread.php?t=25926
     