Tech Support Guy

Registered · 108 Posts · Discussion Starter · #1
Hi,

I'd appreciate any help you can give. My Dad's computer is running strangely. He has Windows 98 and NAV. He has recently downloaded a Google toolbar and I'm not sure what else. His computer is an hour from here, so I have brought home what info I can.

Symptoms: It keeps looking for shortcut files it cannot find. There is an endless variety of them that pop up one after the other. Some names are MORZE1.exe and CY1WXCER.exe. I'm not sure if it keeps repeating the same ones.

When opening IE it looks like one page opens and immediately another opens right over it that, from what I can tell, is exactly the same. When he installed the Google toolbar, he expected to stop the popups, but they still get by and some are not ones for the kids... I can type anything into the address bar, but it won't go there. Just sits. But if I bypass that by going to Favorites I can get where I need to. With lots of popups. And usually s l o w l y .

I ran Ad-Aware and found lots of adware/spyware. Also ran Spybot. Ran an older version of HijackThis as he had it on his computer. I'll have to have him run the newer version.

Ran NAV and got no viruses, but in the Log it shows that there is "Download.Trojan" in Backup Items. He has LiveUpdate, but didn't run a scan for about 4 weeks.

I'll attach the HijackThis file and send my Dad instructions on how to run it and send me the results. Thanks for any help!

Logfile of HijackThis v1.94.0
Scan saved at 7:37:22 PM, on 3/28/04
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page=http://www.cnn.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title=Microsoft Internet Explorer provided by Comcast High-Speed Internet
F1 - win.ini: load=ptsnoop.exe
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {B549456D-F5D0-4641-BCED-8648A0C13D83} - C:\WINDOWS\BrowserHelper.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: IE Agent - {00000000-0000-0000-0000-000000000221} - C:\PROGRA~1\LYCOS\IEAGENT\CSIE.DLL
O2 - BHO: (no name) - {0019C3E2-DD48-4A6D-ABCD-8D32436323D9} - C:\WINDOWS\BXXS5.DLL
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
O4 - HKLM\..\Run: [Ati2cwxx] Ati2cwxx.exe
O4 - HKLM\..\Run: [Logitech Utility] LOGI_MWX.EXE
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [wdskctl] C:\WINDOWS\wdskctl.exe
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot
O4 - HKLM\..\Run: [bxxs5] RunDLL32.EXE C:\WINDOWS\BXXS5.DLL,DllRun
O4 - HKLM\..\Run: [KPDP] C:\WINDOWS\SYSTEM\KPDP.exe
O4 - HKLM\..\Run: [CriticalUpdate] C:\WINDOWS\SYSTEM\wucrtupd.exe -startup
O4 - HKLM\..\Run: [UCZEXW6A.EXE] C:\WINDOWS\UCZEXW6A.EXE /dk
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [HC Reminder] hc.exe
O4 - HKLM\..\RunServices: [ccEvtMgr] "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [ATIPOLAB] ati2evxx.exe
O4 - HKCU\..\Run: [CPW] C:\Program Files\Comcast\Comcast_Devmon.exe C:\Program Files\Comcast\Comcast Photo Wizard.exe
O4 - HKCU\..\Run: [System Soap Pro] C:\PROGRAM FILES\SYSTEM SOAP PRO\SOAP.exe min
O4 - HKCU\..\Run: [UCZEXW6A.EXE] C:\WINDOWS\UCZEXW6A.EXE /dk
O4 - Startup: MORZE1.lnk = C:\WINDOWS\morze1.exe
O4 - Startup: CY1WXCER.lnk = C:\WINDOWS\cy1wxcer.exe
O4 - Startup: XTCO7OJH.lnk = C:\WINDOWS\xtco7ojh.exe
O4 - Startup: Y5V2KAA1.lnk = C:\WINDOWS\y5v2kaa1.exe
O4 - Startup: HE6TMFPN.lnk = C:\WINDOWS\he6tmfpn.exe
O4 - Startup: UCZEXW6A.lnk = C:\WINDOWS\uczexw6a.exe
O4 - Global Startup: MORZE1.lnk = C:\WINDOWS\morze1.exe
O4 - Global Startup: CY1WXCER.lnk = C:\WINDOWS\cy1wxcer.exe
O4 - Global Startup: XTCO7OJH.lnk = C:\WINDOWS\xtco7ojh.exe
O4 - Global Startup: Y5V2KAA1.lnk = C:\WINDOWS\y5v2kaa1.exe
O4 - Global Startup: HE6TMFPN.lnk = C:\WINDOWS\he6tmfpn.exe
O4 - Global Startup: UCZEXW6A.lnk = C:\WINDOWS\uczexw6a.exe
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsearch.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsimilar.html
O8 - Extra context menu item: Backward &Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmtrans.html
O9 - Extra button: Real.com (HKLM)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37885.3339583333
O16 - DPF: {CA034DCC-A580-4333-B52F-15F98C42E04C} (Downloader Class) - https://www.stopzilla.com/_download/Auto_Installer/dwnldr.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52...pple.com/mickey/us/win/QuickTimeInstaller.exe
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://i.a.cnn.net/cnn/resources/cult3d/cult.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://download.weatherbug.com/minibug/tricklers/AWS/MiniBugTransporter.cab?
 

Registered · 826 Posts
First of all, that is a really outdated version of HJT. Once you have a chance, please download the newest one from the link below.

Download and run CWShredder from here. Before running the program, make sure that all windows besides CWShredder are closed. Open the program, and click on Fix Now and not Scan only.

  1. Download Ad-Aware 6.181 from http://www.lavasoftusa.com/
  2. Install the program, open it, and check to make sure you have the latest reference file by clicking on webupdate. Make sure that your reference file reads 01R277 29.03.2004 (or higher number/date). If it does not, then click here and install the file manually.
  3. Make sure the following settings are turned to ON:
     - From the main window click on Start then Activate in-depth scan.
     - Click on Use custom scanning options > Customize and make sure the following options are turned on:
       Scan within archives
       Scan active processes
       Scan registry
       Scan my IE Favorites for banned URL
       Scan my host-files
  4. Click on Settings and make sure the following are enabled:
     Unload recognized processes during scanning
  5. Click on Cleaning engine and make sure that Let windows remove files in use at next reboot is on.
  6. Finally click Proceed to save your settings.
  7. Click on Scan Now from the main window and select Use Custom Scanning options and click scan.
  8. When scan completes, remove all items, then run another scan but this time select the Perform Smart-System Scan option and then also remove all items it finds.

Then:
  1. Download Spybot S&D from this page.
  2. Open and install the program, then click here and follow the instructions for updating the program. Download all available updates.
  3. Run a scan by clicking on Spybot S&D and then clicking Search & Destroy and then Check for problems.
  4. When scan completes, remove all items in red by making sure that they are checked and then click Fix selected problems.

Then...
Download HijackThis from here. Make a new folder for the program and then open it, click Scan. When it finishes scanning, do not remove anything but instead save the log and post it here.

Then try to follow up with another log.
 

Registered · 2,440 Posts
BrowserHelper.dll puts a lot of junk on a computer ...

Run AA and SB first, then update the version of HJT and post a new log. There will be some manual clean-up required, but it really is easier to let AA and SB carry some of the load first.
 

Registered · 10 Posts
Hello,

This is Dance mom. Registered my Dad as Poppy Golf. Had some trouble with the computer freezing and such. Must have turned it off and on 25 times. Ran all of the above. Below is HJT log.

Thanks!!
Logfile of HijackThis v1.97.7
Scan saved at 12:26:34 PM, on 3/30/04
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
C:\WINDOWS\SYSTEM\ATI2EVXX.EXE
C:\WINDOWS\PTSNOOP.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
C:\WINDOWS\SYSTEM\ATIPTAXX.EXE
C:\WINDOWS\SYSTEM\ATI2CWXX.EXE
C:\WINDOWS\MIXER.EXE
C:\PROGRAM FILES\LOGITECH\MOUSEWARE\SYSTEM\EM_EXEC.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\RNATHCHK.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\UNZIPPED\HIJACKTHIS2\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R3 - Default URLSearchHook is missing
F1 - win.ini: load=ptsnoop.exe
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: IE Agent - {00000000-0000-0000-0000-000000000221} - C:\PROGRA~1\LYCOS\IEAGENT\CSIE.DLL
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
O4 - HKLM\..\Run: [Ati2cwxx] Ati2cwxx.exe
O4 - HKLM\..\Run: [Logitech Utility] LOGI_MWX.EXE
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot
O4 - HKLM\..\Run: [KPDP] C:\WINDOWS\SYSTEM\KPDP.exe
O4 - HKLM\..\Run: [CriticalUpdate] C:\WINDOWS\SYSTEM\wucrtupd.exe -startup
O4 - HKLM\..\Run: [YYAAIQ6J.EXE] C:\WINDOWS\YYAAIQ6J.EXE /dk
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [HC Reminder] hc.exe
O4 - HKLM\..\RunServices: [ccEvtMgr] "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [ATIPOLAB] ati2evxx.exe
O4 - HKCU\..\Run: [CPW] C:\Program Files\Comcast\Comcast_Devmon.exe C:\Program Files\Comcast\Comcast Photo Wizard.exe
O4 - HKCU\..\Run: [System Soap Pro] C:\PROGRAM FILES\SYSTEM SOAP PRO\SOAP.exe min
O4 - HKLM\..\RunOnce: [Ad-aware] "C:\PROGRAM FILES\LAVASOFT\AD-AWARE 6\AD-AWARE.EXE" "+b1"
O4 - Startup: MORZE1.lnk = C:\WINDOWS\morze1.exe
O4 - Startup: CY1WXCER.lnk = C:\WINDOWS\cy1wxcer.exe
O4 - Startup: XTCO7OJH.lnk = C:\WINDOWS\xtco7ojh.exe
O4 - Startup: Y5V2KAA1.lnk = C:\WINDOWS\y5v2kaa1.exe
O4 - Startup: HE6TMFPN.lnk = C:\WINDOWS\he6tmfpn.exe
O4 - Startup: UCZEXW6A.lnk = C:\WINDOWS\uczexw6a.exe
O4 - Startup: HIBRRUCC.lnk = C:\WINDOWS\hibrrucc.exe
O4 - Startup: NOQIOP9R.lnk = C:\WINDOWS\noqiop9r.exe
O4 - Startup: 3P8F1X3E.lnk = C:\WINDOWS\3p8f1x3e.exe
O4 - Startup: KL78JJTM.lnk = C:\WINDOWS\kl78jjtm.exe
O4 - Startup: DAD56PN6.lnk = C:\WINDOWS\dad56pn6.exe
O4 - Startup: KX4XEVQU.lnk = C:\WINDOWS\kx4xevqu.exe
O4 - Startup: O0ODPYFZ.lnk = C:\WINDOWS\o0odpyfz.exe
O4 - Startup: 38WLQ1YY.lnk = C:\WINDOWS\38wlq1yy.exe
O4 - Startup: Z0OOJUY2.lnk = C:\WINDOWS\z0oojuy2.exe
O4 - Startup: 06ORAAAB.lnk = C:\WINDOWS\06oraaab.exe
O4 - Startup: I2G37H69.lnk = C:\WINDOWS\i2g37h69.exe
O4 - Startup: YYAAIQ6J.lnk = C:\WINDOWS\yyaaiq6j.exe
O4 - Global Startup: MORZE1.lnk = C:\WINDOWS\morze1.exe
O4 - Global Startup: CY1WXCER.lnk = C:\WINDOWS\cy1wxcer.exe
O4 - Global Startup: XTCO7OJH.lnk = C:\WINDOWS\xtco7ojh.exe
O4 - Global Startup: Y5V2KAA1.lnk = C:\WINDOWS\y5v2kaa1.exe
O4 - Global Startup: HE6TMFPN.lnk = C:\WINDOWS\he6tmfpn.exe
O4 - Global Startup: UCZEXW6A.lnk = C:\WINDOWS\uczexw6a.exe
O4 - Global Startup: HIBRRUCC.lnk = C:\WINDOWS\hibrrucc.exe
O4 - Global Startup: NOQIOP9R.lnk = C:\WINDOWS\noqiop9r.exe
O4 - Global Startup: 3P8F1X3E.lnk = C:\WINDOWS\3p8f1x3e.exe
O4 - Global Startup: KL78JJTM.lnk = C:\WINDOWS\kl78jjtm.exe
O4 - Global Startup: DAD56PN6.lnk = C:\WINDOWS\dad56pn6.exe
O4 - Global Startup: KX4XEVQU.lnk = C:\WINDOWS\kx4xevqu.exe
O4 - Global Startup: O0ODPYFZ.lnk = C:\WINDOWS\o0odpyfz.exe
O4 - Global Startup: 38WLQ1YY.lnk = C:\WINDOWS\38wlq1yy.exe
O4 - Global Startup: Z0OOJUY2.lnk = C:\WINDOWS\z0oojuy2.exe
O4 - Global Startup: 06ORAAAB.lnk = C:\WINDOWS\06oraaab.exe
O4 - Global Startup: I2G37H69.lnk = C:\WINDOWS\i2g37h69.exe
O4 - Global Startup: YYAAIQ6J.lnk = C:\WINDOWS\yyaaiq6j.exe
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsearch.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsimilar.html
O8 - Extra context menu item: Backward &Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmtrans.html
O9 - Extra button: Real.com (HKLM)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37885.3339583333
O16 - DPF: {CA034DCC-A580-4333-B52F-15F98C42E04C} (Downloader Class) - https://www.stopzilla.com/_download/Auto_Installer/dwnldr.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52...pple.com/mickey/us/win/QuickTimeInstaller.exe
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://i.a.cnn.net/cnn/resources/cult3d/cult.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://download.weatherbug.com/minibug/tricklers/AWS/MiniBugTransporter.cab?
 

Registered · 10 Posts
Next question. In Ad-Aware, I got a message that stated c:\windows\browserhelper.dll could not be removed and would I like to run Ad-Aware to remove it after restart. I did and it did not find anything.

I hope one of you is listening... I have to go home soon...
Thanks
 

Registered · 2,440 Posts
I'll work on the HJT log shortly ...

To answer your other questions ...

The items in the Ad-Aware quarantine are harmless at the moment ... after the machine is cleaned up, you can delete them if you like.

Yes, a restart was required ... Ad-Aware detected the file was in use, and it needed to remove it during the re-boot.

Does a current scan with Ad-Aware come up clean?
 

Registered · 2,440 Posts
This is quite a list, so be sure to double-check that you don't miss anything ...

Run HJT again, close all open windows, put a checkmark next to the following items, and press "Fix Checked":

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R3 - Default URLSearchHook is missing
O2 - BHO: IE Agent - {00000000-0000-0000-0000-000000000221} - C:\PROGRA~1\LYCOS\IEAGENT\CSIE.DLL
O4 - HKLM\..\Run: [KPDP] C:\WINDOWS\SYSTEM\KPDP.exe
O4 - HKLM\..\Run: [YYAAIQ6J.EXE] C:\WINDOWS\YYAAIQ6J.EXE /dk
O4 - HKCU\..\Run: [System Soap Pro] C:\PROGRAM FILES\SYSTEM SOAP PRO\SOAP.exe min
O4 - Startup: MORZE1.lnk = C:\WINDOWS\morze1.exe
O4 - Startup: CY1WXCER.lnk = C:\WINDOWS\cy1wxcer.exe
O4 - Startup: XTCO7OJH.lnk = C:\WINDOWS\xtco7ojh.exe
O4 - Startup: Y5V2KAA1.lnk = C:\WINDOWS\y5v2kaa1.exe
O4 - Startup: HE6TMFPN.lnk = C:\WINDOWS\he6tmfpn.exe
O4 - Startup: UCZEXW6A.lnk = C:\WINDOWS\uczexw6a.exe
O4 - Startup: HIBRRUCC.lnk = C:\WINDOWS\hibrrucc.exe
O4 - Startup: NOQIOP9R.lnk = C:\WINDOWS\noqiop9r.exe
O4 - Startup: 3P8F1X3E.lnk = C:\WINDOWS\3p8f1x3e.exe
O4 - Startup: KL78JJTM.lnk = C:\WINDOWS\kl78jjtm.exe
O4 - Startup: DAD56PN6.lnk = C:\WINDOWS\dad56pn6.exe
O4 - Startup: KX4XEVQU.lnk = C:\WINDOWS\kx4xevqu.exe
O4 - Startup: O0ODPYFZ.lnk = C:\WINDOWS\o0odpyfz.exe
O4 - Startup: 38WLQ1YY.lnk = C:\WINDOWS\38wlq1yy.exe
O4 - Startup: Z0OOJUY2.lnk = C:\WINDOWS\z0oojuy2.exe
O4 - Startup: 06ORAAAB.lnk = C:\WINDOWS\06oraaab.exe
O4 - Startup: I2G37H69.lnk = C:\WINDOWS\i2g37h69.exe
O4 - Startup: YYAAIQ6J.lnk = C:\WINDOWS\yyaaiq6j.exe
O4 - Global Startup: MORZE1.lnk = C:\WINDOWS\morze1.exe
O4 - Global Startup: CY1WXCER.lnk = C:\WINDOWS\cy1wxcer.exe
O4 - Global Startup: XTCO7OJH.lnk = C:\WINDOWS\xtco7ojh.exe
O4 - Global Startup: Y5V2KAA1.lnk = C:\WINDOWS\y5v2kaa1.exe
O4 - Global Startup: HE6TMFPN.lnk = C:\WINDOWS\he6tmfpn.exe
O4 - Global Startup: UCZEXW6A.lnk = C:\WINDOWS\uczexw6a.exe
O4 - Global Startup: HIBRRUCC.lnk = C:\WINDOWS\hibrrucc.exe
O4 - Global Startup: NOQIOP9R.lnk = C:\WINDOWS\noqiop9r.exe
O4 - Global Startup: 3P8F1X3E.lnk = C:\WINDOWS\3p8f1x3e.exe
O4 - Global Startup: KL78JJTM.lnk = C:\WINDOWS\kl78jjtm.exe
O4 - Global Startup: DAD56PN6.lnk = C:\WINDOWS\dad56pn6.exe
O4 - Global Startup: KX4XEVQU.lnk = C:\WINDOWS\kx4xevqu.exe
O4 - Global Startup: O0ODPYFZ.lnk = C:\WINDOWS\o0odpyfz.exe
O4 - Global Startup: 38WLQ1YY.lnk = C:\WINDOWS\38wlq1yy.exe
O4 - Global Startup: Z0OOJUY2.lnk = C:\WINDOWS\z0oojuy2.exe
O4 - Global Startup: 06ORAAAB.lnk = C:\WINDOWS\06oraaab.exe
O4 - Global Startup: I2G37H69.lnk = C:\WINDOWS\i2g37h69.exe
O4 - Global Startup: YYAAIQ6J.lnk = C:\WINDOWS\yyaaiq6j.exe


Restart the computer, and post a fresh HJT log to see if we missed anything.

Then there will be a bit of manual cleanup.
 

Registered · 10 Posts
I think I see it!!!
Here's the latest:
Logfile of HijackThis v1.94.0
Scan saved at 1:53:58 PM, on 3/30/04
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page=http://www.cnn.com/
F1 - win.ini: load=ptsnoop.exe
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
O4 - HKLM\..\Run: [Ati2cwxx] Ati2cwxx.exe
O4 - HKLM\..\Run: [Logitech Utility] LOGI_MWX.EXE
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot
O4 - HKLM\..\Run: [CriticalUpdate] C:\WINDOWS\SYSTEM\wucrtupd.exe -startup
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [HC Reminder] hc.exe
O4 - HKLM\..\RunServices: [ccEvtMgr] "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [ATIPOLAB] ati2evxx.exe
O4 - HKCU\..\Run: [CPW] C:\Program Files\Comcast\Comcast_Devmon.exe C:\Program Files\Comcast\Comcast Photo Wizard.exe
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsearch.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsimilar.html
O8 - Extra context menu item: Backward &Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmtrans.html
O9 - Extra button: Real.com (HKLM)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37885.3339583333
O16 - DPF: {CA034DCC-A580-4333-B52F-15F98C42E04C} (Downloader Class) - https://www.stopzilla.com/_download/Auto_Installer/dwnldr.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52...pple.com/mickey/us/win/QuickTimeInstaller.exe
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://i.a.cnn.net/cnn/resources/cult3d/cult.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://download.weatherbug.com/minibug/tricklers/AWS/MiniBugTransporter.cab?
 

Registered · 2,440 Posts
Do you have two versions of HJT installed on this machine?
Logfile of HijackThis v1.94.0
Scan saved at 1:53:58 PM, on 3/30/04
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
That last log is v1.94.0, and the one before is the current (and correct) 1.97.7 ...

If there are two, get rid of 1.94.0.

I need to see a log from 1.97.7 ...
 

Registered · 10 Posts
Logfile of HijackThis v1.97.7
Scan saved at 2:11:49 PM, on 3/30/04
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
C:\WINDOWS\SYSTEM\ATI2EVXX.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\PTSNOOP.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
C:\WINDOWS\SYSTEM\ATIPTAXX.EXE
C:\WINDOWS\SYSTEM\ATI2CWXX.EXE
C:\WINDOWS\MIXER.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\PROGRAM FILES\LOGITECH\MOUSEWARE\SYSTEM\EM_EXEC.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\RNATHCHK.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\UNZIPPED\HIJACKTHIS2\HIJACKTHIS.EXE
C:\WINDOWS\DRWATSON.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://home.microsoft.com/search/lobby/search.asp
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://home.microsoft.com/access/allinone.asp
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://home.microsoft.com/access/autosearch.asp?p=%s
F1 - win.ini: load=ptsnoop.exe
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
O4 - HKLM\..\Run: [Ati2cwxx] Ati2cwxx.exe
O4 - HKLM\..\Run: [Logitech Utility] LOGI_MWX.EXE
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot
O4 - HKLM\..\Run: [CriticalUpdate] C:\WINDOWS\SYSTEM\wucrtupd.exe -startup
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [HC Reminder] hc.exe
O4 - HKLM\..\RunServices: [ccEvtMgr] "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [ATIPOLAB] ati2evxx.exe
O4 - HKCU\..\Run: [CPW] C:\Program Files\Comcast\Comcast_Devmon.exe C:\Program Files\Comcast\Comcast Photo Wizard.exe
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsearch.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsimilar.html
O8 - Extra context menu item: Backward &Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmtrans.html
O9 - Extra button: Real.com (HKLM)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37885.3339583333
O16 - DPF: {CA034DCC-A580-4333-B52F-15F98C42E04C} (Downloader Class) - https://www.stopzilla.com/_download/Auto_Installer/dwnldr.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52...pple.com/mickey/us/win/QuickTimeInstaller.exe
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://i.a.cnn.net/cnn/resources/cult3d/cult.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://download.weatherbug.com/minibug/tricklers/AWS/MiniBugTransporter.cab?
 

Registered · 10 Posts
Yes, he'd like those. He's also thinking he'd like to get rid of the Google tool bar, but I'll deal with that later unless it is something that has created some of his computer problems.

thanks
 

Registered · 2,440 Posts
I doubt you will find many of these, but it is worth a look ...

Right click on the Start button, then explore ... in the left window, look in the following paths, and if you see any of these bold-face files, delete them (empty your recycle bin when you are done):

C:\PROGRA~1\LYCOS\IEAGENT\CSIE.DLL
C:\WINDOWS\SYSTEM\KPDP.exe
C:\WINDOWS\YYAAIQ6J.EXE
C:\PROGRAM FILES\SYSTEM SOAP PRO\SOAP.exe

In fact, you can delete the entire IEAGENT folder, as well as the SYSTEM SOAP PRO ...

As for the random-named files that were placed in the Startup and Global Startup by BrowserHelper, check the C:\WINDOWS\ path for the following:

morze1.exe
cy1wxcer.exe
xtco7ojh.exe
y5v2kaa1.exe
he6tmfpn.exe
uczexw6a.exe
hibrrucc.exe
noqiop9r.exe
3p8f1x3e.exe
kl78jjtm.exe
dad56pn6.exe
kx4xevqu.exe
o0odpyfz.exe
38wlq1yy.exe
z0oojuy2.exe
06oraaab.exe
i2g37h69.exe
yyaaiq6j.exe

I doubt you will have much success, but it is certainly worth being sure (after all you have done so far).
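The helper's "Fix Checked" list earlier in the thread and the note above about the random-named files that BrowserHelper placed in Startup and Global Startup can be turned into a repeatable check on an HJT log, and a fresh log can be rechecked for anything that survived the reboot. The Python below is an added example, not part of the thread and not HijackThis's own logic; its heuristics (6-8 character alphanumeric .exe targets directly in C:\WINDOWS, nameless BHOs directly in C:\WINDOWS) and both sample logs are constructed from the shape of the logs posted here.

```python
r"""Triage helpers for HijackThis (HJT) logs like the ones posted in this thread.

Added example; the heuristics are assumptions tuned to what this thread shows:
  * O4 Startup / Global Startup shortcuts whose target is a 6-8 character
    alphanumeric .exe sitting directly in C:\WINDOWS (morze1.exe, cy1wxcer.exe).
  * O2 BHO entries reported as "(no name)" whose DLL sits directly in
    C:\WINDOWS (BrowserHelper.dll, BXXS5.DLL).
  * leftover_items() rechecks a fresh log against the list that was fixed.
The Startup check is deliberately not applied to O4 Run entries, where short
legitimate names such as taskmon.exe live in the same folder.
"""
import re
from typing import List, Tuple

Entry = Tuple[str, str]  # (section id such as "O4", rest of the line)

ENTRY_RE = re.compile(r"^([RFO]\d+) - (.+)$")
STARTUP_RE = re.compile(r"^(Startup|Global Startup): (.+?)\.lnk = (.+)$", re.I)
BHO_RE = re.compile(r"^BHO: (.+?) - \{[0-9A-F-]+\} - (.+)$", re.I)
RANDOM_NAME_RE = re.compile(r"^[a-z0-9]{6,8}$")
WINDOWS_ROOT = "c:\\windows\\"

# Constructed sample log (same shape as the thread's logs, trimmed down).
BEFORE_LOG = r"""
Logfile of HijackThis v1.97.7
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {B549456D-F5D0-4641-BCED-8648A0C13D83} - C:\WINDOWS\BrowserHelper.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [KPDP] C:\WINDOWS\SYSTEM\KPDP.exe
O4 - Startup: MORZE1.lnk = C:\WINDOWS\morze1.exe
O4 - Startup: CY1WXCER.lnk = C:\WINDOWS\cy1wxcer.exe
O4 - Global Startup: MORZE1.lnk = C:\WINDOWS\morze1.exe
O4 - Global Startup: CY1WXCER.lnk = C:\WINDOWS\cy1wxcer.exe
"""

# Constructed "after the fix" log: one shortcut survived the reboot.
AFTER_LOG = r"""
Logfile of HijackThis v1.97.7
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - Global Startup: CY1WXCER.lnk = C:\WINDOWS\cy1wxcer.exe
"""


def parse_hjt(text: str) -> List[Entry]:
    """Keep only the 'Xn - ...' entry lines; the header and process list are dropped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def _in_windows_root(path: str) -> bool:
    """True when the file sits directly in the Windows folder, not in a subfolder such as SYSTEM."""
    p = path.strip().strip('"').lower()
    return p.startswith(WINDOWS_ROOT) and "\\" not in p[len(WINDOWS_ROOT):]


def _basename(path: str) -> str:
    return path.strip().strip('"').lower().rsplit("\\", 1)[-1]


def flag_random_startup(entries: List[Entry]) -> List[str]:
    """O4 Startup/Global Startup shortcuts pointing at random-looking EXEs in the Windows folder."""
    flagged = []
    for sect, body in entries:
        m = STARTUP_RE.match(body) if sect == "O4" else None
        if not m or not _in_windows_root(m.group(3)):
            continue
        name, _, ext = _basename(m.group(3)).rpartition(".")
        if ext == "exe" and RANDOM_NAME_RE.match(name):
            flagged.append(f"{sect} - {body}")
    return flagged


def flag_nameless_bho(entries: List[Entry]) -> List[str]:
    """O2 BHOs with no name whose DLL was dropped directly into the Windows folder."""
    flagged = []
    for sect, body in entries:
        m = BHO_RE.match(body) if sect == "O2" else None
        if m and m.group(1).lower() == "(no name)" and _in_windows_root(m.group(2)):
            flagged.append(f"{sect} - {body}")
    return flagged


def _norm(line: str) -> str:
    # HJT 1.94 prints "Start Page=" and 1.97.7 "Start Page = "; compare loosely.
    return re.sub(r"\s*=\s*", "=", " ".join(line.split())).lower()


def leftover_items(fix_list: List[str], new_log: str) -> List[str]:
    """Entries from the Fix Checked list that still appear in a fresh log."""
    present = {_norm(f"{s} - {b}") for s, b in parse_hjt(new_log)}
    return [item for item in fix_list if _norm(item) in present]


def triage(before: str, after: str) -> Tuple[List[str], List[str]]:
    """Build the fix list from the first log, then see what the second log still shows."""
    entries = parse_hjt(before)
    fix_list = flag_nameless_bho(entries) + flag_random_startup(entries)
    return fix_list, leftover_items(fix_list, after)


if __name__ == "__main__":
    fix, left = triage(BEFORE_LOG, AFTER_LOG)
    print("Fix Checked candidates:")
    for line in fix:
        print("  " + line)
    print("Still present after reboot:")
    for line in left:
        print("  " + line)
```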
 