
PROBLEMS HJT log file inside

1320 Views 16 Replies 3 Participants Last post by  $teve
Major things happening the last few days.
1) insufferable amount of pop-ups (IE powered by Comcast)
2) over 100 shortcut messages (EXAMPLE: MORZE5.lnk refers to a location that is unavailable) at boot-up that have to be clicked through. I do see these on the HJT log and know you will know how to help.
3) Computer crashes, blue screen, white screen, you name it, several times a day.
What I did BEFORE I ran this log. I updated Ad-Aware 6 and ran it, then deleted everything it reported, then ran Spybot and that was all clear.
Here is the HJT log:
Logfile of HijackThis v1.97.7
Scan saved at 10:49:36 AM, on 4/1/2004
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\PROGRAM FILES\TREND PC-CILLIN 2000\PCCIOMON.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\COMMON FILES\AOL\ACS\ACSD.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\TREND PC-CILLIN 2000\POP3TRAP.EXE
C:\WINDOWS\SYSTEM\HPZTSB01.EXE
C:\PROGRAM FILES\MICROSOFT HARDWARE\KEYBOARD\TYPE32.EXE
C:\PROGRAM FILES\MYWEBSEARCH\BAR\1.BIN\MWSOEMON.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\RunDLL.exe
C:\PROGRAM FILES\SIBER SYSTEMS\AI ROBOFORM\ROBOTASKBARICON.EXE
C:\WINDOWS\WBLCG0L5.EXE
C:\PROGRAM FILES\KODAK\KODAK EASYSHARE SOFTWARE\BIN\EASYSHARE.EXE
C:\PROGRAM FILES\PALM\HOTSYNC.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\MEMTURBO\MEMTURBO.EXE
C:\PROGRAM FILES\SPYWAREGUARD\SGMAIN.EXE
C:\PROGRAM FILES\SPYWAREGUARD\SGBHP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS\HIJACKTHIS.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast High-Speed Internet
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - (no file)
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\PROGRAM FILES\SPYWAREGUARD\DLPROTECT.DLL
O2 - BHO: (no name) - {B549456D-F5D0-4641-BCED-8648A0C13D83} - C:\WINDOWS\BrowserHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
O3 - Toolbar: PowerSearch - {4E7BD74F-2B8D-469E-A0E4-EA6FA787AD2D} - C:\PROGRA~1\POWERS~1\TOOLBAR\PWRSCUZ2.DLL
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [PCCIOMON.EXE] "C:\Program Files\Trend PC-cillin 2000\PCCIOMON.EXE"
O4 - HKLM\..\Run: [pop3trap.exe] "C:\Program Files\Trend PC-cillin 2000\pop3trap.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\SYSTEM\hpztsb01.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\BAR\1.BIN\MWSOEMON.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [ctst] C:\WINDOWS\ctst.exe
O4 - HKLM\..\Run: [WBLCG0L5.EXE] C:\WINDOWS\WBLCG0L5.EXE /dk
O4 - HKLM\..\RunServices: [PCCIOMON.EXE] "C:\Program Files\Trend PC-cillin 2000\PCCIOMON.EXE"
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [AolAcsDaemon1] "C:\PROGRAM FILES\COMMON FILES\AOL\ACS\ACSD.EXE"
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
O4 - HKCU\..\Run: [WBLCG0L5.EXE] C:\WINDOWS\WBLCG0L5.EXE /dk
O4 - Startup: MORZE5.lnk = C:\WINDOWS\morze5.exe
O4 - Startup: YTEJ0D4O.lnk = C:\WINDOWS\ytej0d4o.exe
O4 - Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\hotsync.exe
O4 - Startup: A56LPGI0.lnk = C:\WINDOWS\a56lpgi0.exe
O4 - Startup: 89KZ6A6H.lnk = C:\WINDOWS\89kz6a6h.exe
O4 - Startup: RX22PUNR.lnk = C:\WINDOWS\rx22punr.exe
O4 - Startup: OKIW1Q96.lnk = C:\WINDOWS\okiw1q96.exe
O4 - Startup: 69EDPU44.lnk = C:\WINDOWS\69edpu44.exe
O4 - Startup: NQ94817E.lnk = C:\WINDOWS\nq94817e.exe
O4 - Startup: U8BVU0ZI.lnk = C:\WINDOWS\u8bvu0zi.exe
O4 - Startup: 50R350W2.lnk = C:\WINDOWS\50r350w2.exe
O4 - Startup: O6L6A5KK.lnk = C:\WINDOWS\o6l6a5kk.exe
O4 - Startup: ZM40H23N.lnk = C:\WINDOWS\zm40h23n.exe
O4 - Startup: UV1WQL95.lnk = C:\WINDOWS\uv1wql95.exe
O4 - Startup: ZDWZBB0P.lnk = C:\WINDOWS\zdwzbb0p.exe
O4 - Startup: VU5F2DG8.lnk = C:\WINDOWS\vu5f2dg8.exe
O4 - Startup: KJ053GFM.lnk = C:\WINDOWS\kj053gfm.exe
O4 - Startup: M7R61LDR.lnk = C:\WINDOWS\m7r61ldr.exe
O4 - Startup: 00FWKFRZ.lnk = C:\WINDOWS\00fwkfrz.exe
O4 - Startup: O66BP1WP.lnk = C:\WINDOWS\o66bp1wp.exe
O4 - Startup: 67TJEBUM.lnk = C:\WINDOWS\67tjebum.exe
O4 - Startup: MXFV6LF1.lnk = C:\WINDOWS\mxfv6lf1.exe
O4 - Startup: NXI65K20.lnk = C:\WINDOWS\nxi65k20.exe
O4 - Startup: L07881TL.lnk = C:\WINDOWS\l07881tl.exe
O4 - Startup: 00UD5LUN.lnk = C:\WINDOWS\00ud5lun.exe
O4 - Startup: EPBFN492.lnk = C:\WINDOWS\epbfn492.exe
O4 - Startup: 24811TTQ.lnk = C:\WINDOWS\24811ttq.exe
O4 - Startup: VONB17ZH.lnk = C:\WINDOWS\vonb17zh.exe
O4 - Startup: BHYQC0QJ.lnk = C:\WINDOWS\bhyqc0qj.exe
O4 - Startup: L5WU0HDQ.lnk = C:\WINDOWS\l5wu0hdq.exe
O4 - Startup: CL59OOWD.lnk = C:\WINDOWS\cl59oowd.exe
O4 - Startup: YYE44QWZ.lnk = C:\WINDOWS\yye44qwz.exe
O4 - Startup: 4L3T26H7.lnk = C:\WINDOWS\4l3t26h7.exe
O4 - Startup: MemTurbo.lnk = C:\Program Files\MemTurbo\MemTurbo.exe
O4 - Startup: ON2YB1AJ.lnk = C:\WINDOWS\on2yb1aj.exe
O4 - Startup: DHOBPG09.lnk = C:\WINDOWS\dhobpg09.exe
O4 - Startup: MWIWCGTQ.lnk = C:\WINDOWS\mwiwcgtq.exe
O4 - Startup: POZCOHE0.lnk = C:\WINDOWS\pozcohe0.exe
O4 - Startup: 8EP74B0A.lnk = C:\WINDOWS\8ep74b0a.exe
O4 - Startup: GDZLOVIJ.lnk = C:\WINDOWS\gdzlovij.exe
O4 - Startup: EO5NN8YO.lnk = C:\WINDOWS\eo5nn8yo.exe
O4 - Startup: 8E1V0ERW.lnk = C:\WINDOWS\8e1v0erw.exe
O4 - Startup: B0Z3JNCY.lnk = C:\WINDOWS\b0z3jncy.exe
O4 - Startup: B773K0CX.lnk = C:\WINDOWS\b773k0cx.exe
O4 - Startup: 0X37CUXI.lnk = C:\WINDOWS\0x37cuxi.exe
O4 - Startup: W2U3DKP6.lnk = C:\WINDOWS\w2u3dkp6.exe
O4 - Startup: TF0T7Q8R.lnk = C:\WINDOWS\tf0t7q8r.exe
O4 - Startup: 2AM2UER1.lnk = C:\WINDOWS\2am2uer1.exe
O4 - Startup: 4Z4ULQLY.lnk = C:\WINDOWS\4z4ulqly.exe
O4 - Startup: VFQH1P96.lnk = C:\WINDOWS\vfqh1p96.exe
O4 - Startup: 0QKT2D8R.lnk = C:\WINDOWS\0qkt2d8r.exe
O4 - Startup: 932E0HMU.lnk = C:\WINDOWS\932e0hmu.exe
O4 - Startup: Q5R3H8WA.lnk = C:\WINDOWS\q5r3h8wa.exe
O4 - Startup: 006CMV5B.lnk = C:\WINDOWS\006cmv5b.exe
O4 - Startup: CQ40J681.lnk = C:\WINDOWS\cq40j681.exe
O4 - Startup: ODAN0Z6P.lnk = C:\WINDOWS\odan0z6p.exe
O4 - Startup: VRYHE9O4.lnk = C:\WINDOWS\vryhe9o4.exe
O4 - Startup: Z55FQNM0.lnk = C:\WINDOWS\z55fqnm0.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Startup: 1YTEONDA.lnk = C:\WINDOWS\1yteonda.exe
O4 - Startup: LHHVJ9ZQ.lnk = C:\WINDOWS\lhhvj9zq.exe
O4 - Startup: 4WERVRG9.lnk = C:\WINDOWS\4wervrg9.exe
O4 - Startup: 952CWW1T.lnk = C:\WINDOWS\952cww1t.exe
O4 - Startup: CTEGR1K3.lnk = C:\WINDOWS\ctegr1k3.exe
O4 - Startup: UTL36T0R.lnk = C:\WINDOWS\utl36t0r.exe
O4 - Startup: CLRO9KQ1.lnk = C:\WINDOWS\clro9kq1.exe
O4 - Startup: X9RQI8PZ.lnk = C:\WINDOWS\x9rqi8pz.exe
O4 - Startup: WBLCG0L5.lnk = C:\WINDOWS\wblcg0l5.exe
O4 - Global Startup: MORZE5.lnk = C:\WINDOWS\morze5.exe
O4 - Global Startup: YTEJ0D4O.lnk = C:\WINDOWS\ytej0d4o.exe
O4 - Global Startup: A56LPGI0.lnk = C:\WINDOWS\a56lpgi0.exe
O4 - Global Startup: 89KZ6A6H.lnk = C:\WINDOWS\89kz6a6h.exe
O4 - Global Startup: RX22PUNR.lnk = C:\WINDOWS\rx22punr.exe
O4 - Global Startup: OKIW1Q96.lnk = C:\WINDOWS\okiw1q96.exe
O4 - Global Startup: 69EDPU44.lnk = C:\WINDOWS\69edpu44.exe
O4 - Global Startup: NQ94817E.lnk = C:\WINDOWS\nq94817e.exe
O4 - Global Startup: U8BVU0ZI.lnk = C:\WINDOWS\u8bvu0zi.exe
O4 - Global Startup: 50R350W2.lnk = C:\WINDOWS\50r350w2.exe
O4 - Global Startup: O6L6A5KK.lnk = C:\WINDOWS\o6l6a5kk.exe
O4 - Global Startup: ZM40H23N.lnk = C:\WINDOWS\zm40h23n.exe
O4 - Global Startup: UV1WQL95.lnk = C:\WINDOWS\uv1wql95.exe
O4 - Global Startup: ZDWZBB0P.lnk = C:\WINDOWS\zdwzbb0p.exe
O4 - Global Startup: VU5F2DG8.lnk = C:\WINDOWS\vu5f2dg8.exe
O4 - Global Startup: KJ053GFM.lnk = C:\WINDOWS\kj053gfm.exe
O4 - Global Startup: M7R61LDR.lnk = C:\WINDOWS\m7r61ldr.exe
O4 - Global Startup: 00FWKFRZ.lnk = C:\WINDOWS\00fwkfrz.exe
O4 - Global Startup: O66BP1WP.lnk = C:\WINDOWS\o66bp1wp.exe
O4 - Global Startup: 67TJEBUM.lnk = C:\WINDOWS\67tjebum.exe
O4 - Global Startup: MXFV6LF1.lnk = C:\WINDOWS\mxfv6lf1.exe
O4 - Global Startup: NXI65K20.lnk = C:\WINDOWS\nxi65k20.exe
O4 - Global Startup: L07881TL.lnk = C:\WINDOWS\l07881tl.exe
O4 - Global Startup: 00UD5LUN.lnk = C:\WINDOWS\00ud5lun.exe
O4 - Global Startup: EPBFN492.lnk = C:\WINDOWS\epbfn492.exe
O4 - Global Startup: 24811TTQ.lnk = C:\WINDOWS\24811ttq.exe
O4 - Global Startup: VONB17ZH.lnk = C:\WINDOWS\vonb17zh.exe
O4 - Global Startup: BHYQC0QJ.lnk = C:\WINDOWS\bhyqc0qj.exe
O4 - Global Startup: L5WU0HDQ.lnk = C:\WINDOWS\l5wu0hdq.exe
O4 - Global Startup: CL59OOWD.lnk = C:\WINDOWS\cl59oowd.exe
O4 - Global Startup: YYE44QWZ.lnk = C:\WINDOWS\yye44qwz.exe
O4 - Global Startup: 4L3T26H7.lnk = C:\WINDOWS\4l3t26h7.exe
O4 - Global Startup: ON2YB1AJ.lnk = C:\WINDOWS\on2yb1aj.exe
O4 - Global Startup: DHOBPG09.lnk = C:\WINDOWS\dhobpg09.exe
O4 - Global Startup: MWIWCGTQ.lnk = C:\WINDOWS\mwiwcgtq.exe
O4 - Global Startup: POZCOHE0.lnk = C:\WINDOWS\pozcohe0.exe
O4 - Global Startup: 8EP74B0A.lnk = C:\WINDOWS\8ep74b0a.exe
O4 - Global Startup: EO5NN8YO.lnk = C:\WINDOWS\eo5nn8yo.exe
O4 - Global Startup: GDZLOVIJ.lnk = C:\WINDOWS\gdzlovij.exe
O4 - Global Startup: 8E1V0ERW.lnk = C:\WINDOWS\8e1v0erw.exe
O4 - Global Startup: B0Z3JNCY.lnk = C:\WINDOWS\b0z3jncy.exe
O4 - Global Startup: B773K0CX.lnk = C:\WINDOWS\b773k0cx.exe
O4 - Global Startup: 0X37CUXI.lnk = C:\WINDOWS\0x37cuxi.exe
O4 - Global Startup: W2U3DKP6.lnk = C:\WINDOWS\w2u3dkp6.exe
O4 - Global Startup: TF0T7Q8R.lnk = C:\WINDOWS\tf0t7q8r.exe
O4 - Global Startup: 2AM2UER1.lnk = C:\WINDOWS\2am2uer1.exe
O4 - Global Startup: 4Z4ULQLY.lnk = C:\WINDOWS\4z4ulqly.exe
O4 - Global Startup: VFQH1P96.lnk = C:\WINDOWS\vfqh1p96.exe
O4 - Global Startup: 0QKT2D8R.lnk = C:\WINDOWS\0qkt2d8r.exe
O4 - Global Startup: 932E0HMU.lnk = C:\WINDOWS\932e0hmu.exe
O4 - Global Startup: Q5R3H8WA.lnk = C:\WINDOWS\q5r3h8wa.exe
O4 - Global Startup: 006CMV5B.lnk = C:\WINDOWS\006cmv5b.exe
O4 - Global Startup: CQ40J681.lnk = C:\WINDOWS\cq40j681.exe
O4 - Global Startup: ODAN0Z6P.lnk = C:\WINDOWS\odan0z6p.exe
O4 - Global Startup: VRYHE9O4.lnk = C:\WINDOWS\vryhe9o4.exe
O4 - Global Startup: Z55FQNM0.lnk = C:\WINDOWS\z55fqnm0.exe
O4 - Global Startup: 1YTEONDA.lnk = C:\WINDOWS\1yteonda.exe
O4 - Global Startup: LHHVJ9ZQ.lnk = C:\WINDOWS\lhhvj9zq.exe
O4 - Global Startup: 4WERVRG9.lnk = C:\WINDOWS\4wervrg9.exe
O4 - Global Startup: 952CWW1T.lnk = C:\WINDOWS\952cww1t.exe
O4 - Global Startup: CTEGR1K3.lnk = C:\WINDOWS\ctegr1k3.exe
O4 - Global Startup: UTL36T0R.lnk = C:\WINDOWS\utl36t0r.exe
O4 - Global Startup: CLRO9KQ1.lnk = C:\WINDOWS\clro9kq1.exe
O4 - Global Startup: X9RQI8PZ.lnk = C:\WINDOWS\x9rqi8pz.exe
O4 - Global Startup: WBLCG0L5.lnk = C:\WINDOWS\wblcg0l5.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Fill Forms &] - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: Save Forms &[ - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O8 - Extra context menu item: Customize Menu &4 - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: ICQ Lite (HKLM)
O9 - Extra 'Tools' menuitem: ICQ Lite (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: RoboForm (HKLM)
O9 - Extra 'Tools' menuitem: RF Toolbar &2 (HKLM)
O9 - Extra button: Fill Forms (HKLM)
O9 - Extra 'Tools' menuitem: Fill Forms &] (HKLM)
O9 - Extra button: Save (HKLM)
O9 - Extra 'Tools' menuitem: Save Forms &[ (HKLM)
O12 - Plugin for .mts: C:\Program Files\MetaCreations\MetaStream\npmetastream.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.comcast.net
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37981.6512152778
O16 - DPF: {17D72920-7A15-11D4-921E-0080C8DA7A5E} (AimSp32 Class) - http://66.48.68.135/save/makeover.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-32.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://imgfarm.com/images/nocache/funwebproducts/SmileyCentralInitialSetup1.0.0.6.cab
O16 - DPF: {072D3F2E-5FB6-11D3-B461-00C04FA35A21} (CFForm Runtime) - http://www.joycevedral.com/CFIDE/classes/CFJava.cab
O16 - DPF: {FF65677A-8977-48CA-916A-DFF81B037DF3} (WMService Class) - http://download.overpro.com/WildApp.cab
O16 - DPF: {E04EAE82-14AD-41CB-BF5A-45556ABB8347} (WebCoachDownload Class) - http://esupport.aol.com/help/engine/aolcinst.cab
Run HijackThis again and put a checkmark against these entries....double check
in case you miss anything....
.....then, close all browser and Outlook windows and "fix checked"

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast High-Speed Internet
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - (no file)
O2 - BHO: (no name) - {B549456D-F5D0-4641-BCED-8648A0C13D83} - C:\WINDOWS\BrowserHelper.dll
O3 - Toolbar: PowerSearch - {4E7BD74F-2B8D-469E-A0E4-EA6FA787AD2D} - C:\PROGRA~1\POWERS~1\TOOLBAR\PWRSCUZ2.DLL
O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\BAR\1.BIN\MWSOEMON.EXE

Re-boot and delete:
C:\PROGRAM FILES\MYWEBSEARCH [FOLDER]

Now Ctrl-Alt-Delete and end task on: WBLCG0L5.EXE
[end its process as many times as it takes till its gone]

Re-run HijackThis and "fix" all these entries:

O4 - HKLM\..\Run: [WBLCG0L5.EXE] C:\WINDOWS\WBLCG0L5.EXE /dk
O4 - HKCU\..\Run: [WBLCG0L5.EXE] C:\WINDOWS\WBLCG0L5.EXE /dk
O4 - Startup: MORZE5.lnk = C:\WINDOWS\morze5.exe
O4 - Startup: YTEJ0D4O.lnk = C:\WINDOWS\ytej0d4o.exe
O4 - Startup: A56LPGI0.lnk = C:\WINDOWS\a56lpgi0.exe
O4 - Startup: 89KZ6A6H.lnk = C:\WINDOWS\89kz6a6h.exe
O4 - Startup: RX22PUNR.lnk = C:\WINDOWS\rx22punr.exe
O4 - Startup: OKIW1Q96.lnk = C:\WINDOWS\okiw1q96.exe
O4 - Startup: 69EDPU44.lnk = C:\WINDOWS\69edpu44.exe
O4 - Startup: NQ94817E.lnk = C:\WINDOWS\nq94817e.exe
O4 - Startup: U8BVU0ZI.lnk = C:\WINDOWS\u8bvu0zi.exe
O4 - Startup: 50R350W2.lnk = C:\WINDOWS\50r350w2.exe
O4 - Startup: O6L6A5KK.lnk = C:\WINDOWS\o6l6a5kk.exe
O4 - Startup: ZM40H23N.lnk = C:\WINDOWS\zm40h23n.exe
O4 - Startup: UV1WQL95.lnk = C:\WINDOWS\uv1wql95.exe
O4 - Startup: ZDWZBB0P.lnk = C:\WINDOWS\zdwzbb0p.exe
O4 - Startup: VU5F2DG8.lnk = C:\WINDOWS\vu5f2dg8.exe
O4 - Startup: KJ053GFM.lnk = C:\WINDOWS\kj053gfm.exe
O4 - Startup: M7R61LDR.lnk = C:\WINDOWS\m7r61ldr.exe
O4 - Startup: 00FWKFRZ.lnk = C:\WINDOWS\00fwkfrz.exe
O4 - Startup: O66BP1WP.lnk = C:\WINDOWS\o66bp1wp.exe
O4 - Startup: 67TJEBUM.lnk = C:\WINDOWS\67tjebum.exe
O4 - Startup: MXFV6LF1.lnk = C:\WINDOWS\mxfv6lf1.exe
O4 - Startup: NXI65K20.lnk = C:\WINDOWS\nxi65k20.exe
O4 - Startup: L07881TL.lnk = C:\WINDOWS\l07881tl.exe
O4 - Startup: 00UD5LUN.lnk = C:\WINDOWS\00ud5lun.exe
O4 - Startup: EPBFN492.lnk = C:\WINDOWS\epbfn492.exe
O4 - Startup: 24811TTQ.lnk = C:\WINDOWS\24811ttq.exe
O4 - Startup: VONB17ZH.lnk = C:\WINDOWS\vonb17zh.exe
O4 - Startup: BHYQC0QJ.lnk = C:\WINDOWS\bhyqc0qj.exe
O4 - Startup: L5WU0HDQ.lnk = C:\WINDOWS\l5wu0hdq.exe
O4 - Startup: CL59OOWD.lnk = C:\WINDOWS\cl59oowd.exe
O4 - Startup: YYE44QWZ.lnk = C:\WINDOWS\yye44qwz.exe
O4 - Startup: 4L3T26H7.lnk = C:\WINDOWS\4l3t26h7.exe
O4 - Startup: ON2YB1AJ.lnk = C:\WINDOWS\on2yb1aj.exe
O4 - Startup: DHOBPG09.lnk = C:\WINDOWS\dhobpg09.exe
O4 - Startup: MWIWCGTQ.lnk = C:\WINDOWS\mwiwcgtq.exe
O4 - Startup: POZCOHE0.lnk = C:\WINDOWS\pozcohe0.exe
O4 - Startup: 8EP74B0A.lnk = C:\WINDOWS\8ep74b0a.exe
O4 - Startup: GDZLOVIJ.lnk = C:\WINDOWS\gdzlovij.exe
O4 - Startup: EO5NN8YO.lnk = C:\WINDOWS\eo5nn8yo.exe
O4 - Startup: 8E1V0ERW.lnk = C:\WINDOWS\8e1v0erw.exe
O4 - Startup: B0Z3JNCY.lnk = C:\WINDOWS\b0z3jncy.exe
O4 - Startup: B773K0CX.lnk = C:\WINDOWS\b773k0cx.exe
O4 - Startup: 0X37CUXI.lnk = C:\WINDOWS\0x37cuxi.exe
O4 - Startup: W2U3DKP6.lnk = C:\WINDOWS\w2u3dkp6.exe
O4 - Startup: TF0T7Q8R.lnk = C:\WINDOWS\tf0t7q8r.exe
O4 - Startup: 2AM2UER1.lnk = C:\WINDOWS\2am2uer1.exe
O4 - Startup: 4Z4ULQLY.lnk = C:\WINDOWS\4z4ulqly.exe
O4 - Startup: VFQH1P96.lnk = C:\WINDOWS\vfqh1p96.exe
O4 - Startup: 0QKT2D8R.lnk = C:\WINDOWS\0qkt2d8r.exe
O4 - Startup: 932E0HMU.lnk = C:\WINDOWS\932e0hmu.exe
O4 - Startup: Q5R3H8WA.lnk = C:\WINDOWS\q5r3h8wa.exe
O4 - Startup: 006CMV5B.lnk = C:\WINDOWS\006cmv5b.exe
O4 - Startup: CQ40J681.lnk = C:\WINDOWS\cq40j681.exe
O4 - Startup: ODAN0Z6P.lnk = C:\WINDOWS\odan0z6p.exe
O4 - Startup: VRYHE9O4.lnk = C:\WINDOWS\vryhe9o4.exe
O4 - Startup: Z55FQNM0.lnk = C:\WINDOWS\z55fqnm0.exe
O4 - Startup: 1YTEONDA.lnk = C:\WINDOWS\1yteonda.exe
O4 - Startup: LHHVJ9ZQ.lnk = C:\WINDOWS\lhhvj9zq.exe
O4 - Startup: 4WERVRG9.lnk = C:\WINDOWS\4wervrg9.exe
O4 - Startup: 952CWW1T.lnk = C:\WINDOWS\952cww1t.exe
O4 - Startup: CTEGR1K3.lnk = C:\WINDOWS\ctegr1k3.exe
O4 - Startup: UTL36T0R.lnk = C:\WINDOWS\utl36t0r.exe
O4 - Startup: CLRO9KQ1.lnk = C:\WINDOWS\clro9kq1.exe
O4 - Startup: X9RQI8PZ.lnk = C:\WINDOWS\x9rqi8pz.exe
O4 - Startup: WBLCG0L5.lnk = C:\WINDOWS\wblcg0l5.exe
O4 - Global Startup: MORZE5.lnk = C:\WINDOWS\morze5.exe
O4 - Global Startup: YTEJ0D4O.lnk = C:\WINDOWS\ytej0d4o.exe
O4 - Global Startup: A56LPGI0.lnk = C:\WINDOWS\a56lpgi0.exe
O4 - Global Startup: 89KZ6A6H.lnk = C:\WINDOWS\89kz6a6h.exe
O4 - Global Startup: RX22PUNR.lnk = C:\WINDOWS\rx22punr.exe
O4 - Global Startup: OKIW1Q96.lnk = C:\WINDOWS\okiw1q96.exe
O4 - Global Startup: 69EDPU44.lnk = C:\WINDOWS\69edpu44.exe
O4 - Global Startup: NQ94817E.lnk = C:\WINDOWS\nq94817e.exe
O4 - Global Startup: U8BVU0ZI.lnk = C:\WINDOWS\u8bvu0zi.exe
O4 - Global Startup: 50R350W2.lnk = C:\WINDOWS\50r350w2.exe
O4 - Global Startup: O6L6A5KK.lnk = C:\WINDOWS\o6l6a5kk.exe
O4 - Global Startup: ZM40H23N.lnk = C:\WINDOWS\zm40h23n.exe
O4 - Global Startup: UV1WQL95.lnk = C:\WINDOWS\uv1wql95.exe
O4 - Global Startup: ZDWZBB0P.lnk = C:\WINDOWS\zdwzbb0p.exe
O4 - Global Startup: VU5F2DG8.lnk = C:\WINDOWS\vu5f2dg8.exe
O4 - Global Startup: KJ053GFM.lnk = C:\WINDOWS\kj053gfm.exe
O4 - Global Startup: M7R61LDR.lnk = C:\WINDOWS\m7r61ldr.exe
O4 - Global Startup: 00FWKFRZ.lnk = C:\WINDOWS\00fwkfrz.exe
O4 - Global Startup: O66BP1WP.lnk = C:\WINDOWS\o66bp1wp.exe
O4 - Global Startup: 67TJEBUM.lnk = C:\WINDOWS\67tjebum.exe
O4 - Global Startup: MXFV6LF1.lnk = C:\WINDOWS\mxfv6lf1.exe
O4 - Global Startup: NXI65K20.lnk = C:\WINDOWS\nxi65k20.exe
O4 - Global Startup: L07881TL.lnk = C:\WINDOWS\l07881tl.exe
O4 - Global Startup: 00UD5LUN.lnk = C:\WINDOWS\00ud5lun.exe
O4 - Global Startup: EPBFN492.lnk = C:\WINDOWS\epbfn492.exe
O4 - Global Startup: 24811TTQ.lnk = C:\WINDOWS\24811ttq.exe
O4 - Global Startup: VONB17ZH.lnk = C:\WINDOWS\vonb17zh.exe
O4 - Global Startup: BHYQC0QJ.lnk = C:\WINDOWS\bhyqc0qj.exe
O4 - Global Startup: L5WU0HDQ.lnk = C:\WINDOWS\l5wu0hdq.exe
O4 - Global Startup: CL59OOWD.lnk = C:\WINDOWS\cl59oowd.exe
O4 - Global Startup: YYE44QWZ.lnk = C:\WINDOWS\yye44qwz.exe
O4 - Global Startup: 4L3T26H7.lnk = C:\WINDOWS\4l3t26h7.exe
O4 - Global Startup: ON2YB1AJ.lnk = C:\WINDOWS\on2yb1aj.exe
O4 - Global Startup: DHOBPG09.lnk = C:\WINDOWS\dhobpg09.exe
O4 - Global Startup: MWIWCGTQ.lnk = C:\WINDOWS\mwiwcgtq.exe
O4 - Global Startup: POZCOHE0.lnk = C:\WINDOWS\pozcohe0.exe
O4 - Global Startup: 8EP74B0A.lnk = C:\WINDOWS\8ep74b0a.exe
O4 - Global Startup: EO5NN8YO.lnk = C:\WINDOWS\eo5nn8yo.exe
O4 - Global Startup: GDZLOVIJ.lnk = C:\WINDOWS\gdzlovij.exe
O4 - Global Startup: 8E1V0ERW.lnk = C:\WINDOWS\8e1v0erw.exe
O4 - Global Startup: B0Z3JNCY.lnk = C:\WINDOWS\b0z3jncy.exe
O4 - Global Startup: B773K0CX.lnk = C:\WINDOWS\b773k0cx.exe
O4 - Global Startup: 0X37CUXI.lnk = C:\WINDOWS\0x37cuxi.exe
O4 - Global Startup: W2U3DKP6.lnk = C:\WINDOWS\w2u3dkp6.exe
O4 - Global Startup: TF0T7Q8R.lnk = C:\WINDOWS\tf0t7q8r.exe
O4 - Global Startup: 2AM2UER1.lnk = C:\WINDOWS\2am2uer1.exe
O4 - Global Startup: 4Z4ULQLY.lnk = C:\WINDOWS\4z4ulqly.exe
O4 - Global Startup: VFQH1P96.lnk = C:\WINDOWS\vfqh1p96.exe
O4 - Global Startup: 0QKT2D8R.lnk = C:\WINDOWS\0qkt2d8r.exe
O4 - Global Startup: 932E0HMU.lnk = C:\WINDOWS\932e0hmu.exe
O4 - Global Startup: Q5R3H8WA.lnk = C:\WINDOWS\q5r3h8wa.exe
O4 - Global Startup: 006CMV5B.lnk = C:\WINDOWS\006cmv5b.exe
O4 - Global Startup: CQ40J681.lnk = C:\WINDOWS\cq40j681.exe
O4 - Global Startup: ODAN0Z6P.lnk = C:\WINDOWS\odan0z6p.exe
O4 - Global Startup: VRYHE9O4.lnk = C:\WINDOWS\vryhe9o4.exe
O4 - Global Startup: Z55FQNM0.lnk = C:\WINDOWS\z55fqnm0.exe
O4 - Global Startup: 1YTEONDA.lnk = C:\WINDOWS\1yteonda.exe
O4 - Global Startup: LHHVJ9ZQ.lnk = C:\WINDOWS\lhhvj9zq.exe
O4 - Global Startup: 4WERVRG9.lnk = C:\WINDOWS\4wervrg9.exe
O4 - Global Startup: 952CWW1T.lnk = C:\WINDOWS\952cww1t.exe
O4 - Global Startup: CTEGR1K3.lnk = C:\WINDOWS\ctegr1k3.exe
O4 - Global Startup: UTL36T0R.lnk = C:\WINDOWS\utl36t0r.exe
O4 - Global Startup: CLRO9KQ1.lnk = C:\WINDOWS\clro9kq1.exe
O4 - Global Startup: X9RQI8PZ.lnk = C:\WINDOWS\x9rqi8pz.exe
O4 - Global Startup: WBLCG0L5.lnk = C:\WINDOWS\wblcg0l5.exe
That's ALL the O4 Global startups except SpywareGuard, Kodak and MemTurbo

Reboot into safe mode by following instructions here: http://helpdesk.its.bethel.edu/resnet/Documents/Antivirus/Safemode.html
then as some of the files or folders you need to delete may be hidden do this:
Open Windows Explorer & go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and untick "Hide extensions for known file types". Now click "Apply to all folders"
Click "Apply" then "OK"

Locate and delete:
C:\WINDOWS\WBLCG0L5.EXE
Do a "start/find" and delete any and all references to
BrowserHelper.dll [FILE]


Re-boot once more and post another HijackThis log.

;)
I did all that you suggested. Here is the new log:
Logfile of HijackThis v1.97.7
Scan saved at 2:23:58 PM, on 4/1/2004
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\PROGRAM FILES\TREND PC-CILLIN 2000\PCCIOMON.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\COMMON FILES\AOL\ACS\ACSD.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\TREND PC-CILLIN 2000\POP3TRAP.EXE
C:\WINDOWS\SYSTEM\HPZTSB01.EXE
C:\PROGRAM FILES\MICROSOFT HARDWARE\KEYBOARD\TYPE32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\RunDLL.exe
C:\PROGRAM FILES\SIBER SYSTEMS\AI ROBOFORM\ROBOTASKBARICON.EXE
C:\WINDOWS\AAKHVNFD.EXE
C:\PROGRAM FILES\KODAK\KODAK EASYSHARE SOFTWARE\BIN\EASYSHARE.EXE
C:\PROGRAM FILES\MEMTURBO\MEMTURBO.EXE
C:\PROGRAM FILES\SPYWAREGUARD\SGMAIN.EXE
C:\PROGRAM FILES\SPYWAREGUARD\SGBHP.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\PROGRAM FILES\SPYWAREGUARD\DLPROTECT.DLL
O2 - BHO: (no name) - {B549456D-F5D0-4641-BCED-8648A0C13D83} - C:\WINDOWS\BrowserHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [PCCIOMON.EXE] "C:\Program Files\Trend PC-cillin 2000\PCCIOMON.EXE"
O4 - HKLM\..\Run: [pop3trap.exe] "C:\Program Files\Trend PC-cillin 2000\pop3trap.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\SYSTEM\hpztsb01.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [ctst] C:\WINDOWS\ctst.exe
O4 - HKLM\..\Run: [MSConfigReminder] C:\WINDOWS\SYSTEM\msconfig.exe /reminder
O4 - HKLM\..\Run: [AAKHVNFD.EXE] C:\WINDOWS\AAKHVNFD.EXE /dk
O4 - HKLM\..\RunServices: [PCCIOMON.EXE] "C:\Program Files\Trend PC-cillin 2000\PCCIOMON.EXE"
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [AolAcsDaemon1] "C:\PROGRAM FILES\COMMON FILES\AOL\ACS\ACSD.EXE"
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
O4 - HKCU\..\Run: [AAKHVNFD.EXE] C:\WINDOWS\AAKHVNFD.EXE /dk
O4 - Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Startup: MemTurbo.lnk = C:\Program Files\MemTurbo\MemTurbo.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Fill Forms &] - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: Save Forms &[ - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O8 - Extra context menu item: Customize Menu &4 - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: ICQ Lite (HKLM)
O9 - Extra 'Tools' menuitem: ICQ Lite (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: RoboForm (HKLM)
O9 - Extra 'Tools' menuitem: RF Toolbar &2 (HKLM)
O9 - Extra button: Fill Forms (HKLM)
O9 - Extra 'Tools' menuitem: Fill Forms &] (HKLM)
O9 - Extra button: Save (HKLM)
O9 - Extra 'Tools' menuitem: Save Forms &[ (HKLM)
O12 - Plugin for .mts: C:\Program Files\MetaCreations\MetaStream\npmetastream.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.comcast.net
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37981.6512152778
O16 - DPF: {17D72920-7A15-11D4-921E-0080C8DA7A5E} (AimSp32 Class) - http://66.48.68.135/save/makeover.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-32.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://imgfarm.com/images/nocache/funwebproducts/SmileyCentralInitialSetup1.0.0.6.cab
O16 - DPF: {072D3F2E-5FB6-11D3-B461-00C04FA35A21} (CFForm Runtime) - http://www.joycevedral.com/CFIDE/classes/CFJava.cab
O16 - DPF: {FF65677A-8977-48CA-916A-DFF81B037DF3} (WMService Class) - http://download.overpro.com/WildApp.cab
O16 - DPF: {E04EAE82-14AD-41CB-BF5A-45556ABB8347} (WebCoachDownload Class) - http://esupport.aol.com/help/engine/aolcinst.cab
It has come back, as happens in many of these cases.
This is a fix that has been proven to work now.

download this file here (Adtomi Cleanup.zip).
http://www.wilderssecurity.com/attachments/9x_Adtomi_Cleanup.zip for 98 or ME
http://www.wilderssecurity.com/attachments/XPAdtomi_Cleanup.zip for XP

or alternatively from
http://www.thespykiller.co.uk/downloads.htm

It was created by Mosaic1 and is available here with her kind permission
And follow the instructions.

First If you have a Script Blocking Program enabled, disable it first so the scripts may run.

Unzip it to C:\Windows

See if there is an Adtomi or Yahoo stocks icon in your system tray; it might be a red ?? and if so right-click and select remove. You must be online for this part.

--A web page from Adtomi would appear: "-uninstall was successful!"
then go off line
(note not all infections have this icon, so if it isn't there then don't worry)

next press ctrl+ ALT+DEL once to bring up task manage & stop the running process on the funny named file with 8 assorted letters & numbers, that will be listed towards the bottom of the running process list in your hijackthis log,
and there might also be morze1 running, if so end that process as well

In your case the process to stop is AAKHVNFD.EXE

if you don't have any strange named exe files running or you can't stop it running, then DO NOT CONTINUE, please ask for more help first

Now locate and Double Click Cleanup.bat that is in the folder you unzipped ( C:\Windows\Adtomi Cleanup )

***Do not Touch the VBS files. The bat file will run the scripts.

It will remove the Adtomi Spyware files from the Windows Folder
Clean the Startup Folders
Create Backups of the Adtomi exe files it deletes and save them in this folder
Create a list of all oddly named files deleted from the Windows Folder
Uninstall the BHO
Start HijackThis and give you directions on what to remove.

When you have finished please restart the computer.

Run HijackThis again and post the contents of your new log and the contents of Adtomi.txt in your next reply in your Forum Topic.
OK. I downloaded Adtomi Cleanup and I THINK I followed the instructions. I am not sure about the scripts thing, whether I have that disabled or not. How do I check that? I am not sure that anything actually happened when I ran that program. A DOS screen came up and I followed the instructions, but I didn't have to create any backup file. Oddly named files???? The one I ended was hpzsta01 (or something very close to that). Here is the new HJT file:
Logfile of HijackThis v1.97.7
Scan saved at 3:08:33 PM, on 4/1/2004
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\PROGRAM FILES\TREND PC-CILLIN 2000\PCCIOMON.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\COMMON FILES\AOL\ACS\ACSD.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\TREND PC-CILLIN 2000\POP3TRAP.EXE
C:\PROGRAM FILES\MICROSOFT HARDWARE\KEYBOARD\TYPE32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\RunDLL.exe
C:\PROGRAM FILES\SIBER SYSTEMS\AI ROBOFORM\ROBOTASKBARICON.EXE
C:\WINDOWS\AAKHVNFD.EXE
C:\PROGRAM FILES\KODAK\KODAK EASYSHARE SOFTWARE\BIN\EASYSHARE.EXE
C:\PROGRAM FILES\SPYWAREGUARD\SGMAIN.EXE
C:\PROGRAM FILES\SPYWAREGUARD\SGBHP.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\HPZSTATX.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\PROGRAM FILES\SPYWAREGUARD\DLPROTECT.DLL
O2 - BHO: (no name) - {B549456D-F5D0-4641-BCED-8648A0C13D83} - C:\WINDOWS\BrowserHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [PCCIOMON.EXE] "C:\Program Files\Trend PC-cillin 2000\PCCIOMON.EXE"
O4 - HKLM\..\Run: [pop3trap.exe] "C:\Program Files\Trend PC-cillin 2000\pop3trap.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\SYSTEM\hpztsb01.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [ctst] C:\WINDOWS\ctst.exe
O4 - HKLM\..\Run: [MSConfigReminder] C:\WINDOWS\SYSTEM\msconfig.exe /reminder
O4 - HKLM\..\Run: [AAKHVNFD.EXE] C:\WINDOWS\AAKHVNFD.EXE /dk
O4 - HKLM\..\RunServices: [PCCIOMON.EXE] "C:\Program Files\Trend PC-cillin 2000\PCCIOMON.EXE"
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [AolAcsDaemon1] "C:\PROGRAM FILES\COMMON FILES\AOL\ACS\ACSD.EXE"
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
O4 - HKCU\..\Run: [AAKHVNFD.EXE] C:\WINDOWS\AAKHVNFD.EXE /dk
O4 - Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Startup: MemTurbo.lnk = C:\Program Files\MemTurbo\MemTurbo.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Fill Forms &] - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: Save Forms &[ - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O8 - Extra context menu item: Customize Menu &4 - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: ICQ Lite (HKLM)
O9 - Extra 'Tools' menuitem: ICQ Lite (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: RoboForm (HKLM)
O9 - Extra 'Tools' menuitem: RF Toolbar &2 (HKLM)
O9 - Extra button: Fill Forms (HKLM)
O9 - Extra 'Tools' menuitem: Fill Forms &] (HKLM)
O9 - Extra button: Save (HKLM)
O9 - Extra 'Tools' menuitem: Save Forms &[ (HKLM)
O12 - Plugin for .mts: C:\Program Files\MetaCreations\MetaStream\npmetastream.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.comcast.net
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37981.6512152778
O16 - DPF: {17D72920-7A15-11D4-921E-0080C8DA7A5E} (AimSp32 Class) - http://66.48.68.135/save/makeover.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-32.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://imgfarm.com/images/nocache/funwebproducts/SmileyCentralInitialSetup1.0.0.6.cab
O16 - DPF: {072D3F2E-5FB6-11D3-B461-00C04FA35A21} (CFForm Runtime) - http://www.joycevedral.com/CFIDE/classes/CFJava.cab
O16 - DPF: {FF65677A-8977-48CA-916A-DFF81B037DF3} (WMService Class) - http://download.overpro.com/WildApp.cab
O16 - DPF: {E04EAE82-14AD-41CB-BF5A-45556ABB8347} (WebCoachDownload Class) - http://esupport.aol.com/help/engine/aolcinst.cab
Nope... it's still hanging around... Thanks to Derek for the links... I had lost my page for Mosaic1's script, so I was trying to do the manual removal.

Run the fix again... but this time, re-boot and do a Run > Search for "BrowserHelper.dll"
and delete any reference to it.
This is an extremely stubborn parasite to remove...
I will be back in here in an hour or so, but dvk is one of the "top bananas" with this one... you're in good hands.
;)
I will follow your instructions and post back. I am VERY GRATEFUL for your help!!! THANKS! Well, back to WORK!:)
Before doing anything else, open msconfig and make sure everything is enabled on the Startup tab.

You have stopped the wrong file running; ignore the files that start with HP.

I said in post 4 the name of the file to stop:

C:\WINDOWS\AAKHVNFD.EXE

Please do all of what I said in post 4 again, but this time stop the C:\WINDOWS\AAKHVNFD.EXE file running first, otherwise it won't work.
Trying again! Here is the new one. I checked for that oddly named file (not there), I made sure ALL of the items were checked under the Startup tab in msconfig, then ran the Adtomi cleanup and saved the file. Here it is:
Logfile of HijackThis v1.97.7
Scan saved at 4:17:51 PM, on 4/1/2004
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\PROGRAM FILES\TREND PC-CILLIN 2000\PCCIOMON.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\COMMON FILES\AOL\ACS\ACSD.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\TREND PC-CILLIN 2000\POP3TRAP.EXE
C:\WINDOWS\SYSTEM\HPZTSB01.EXE
C:\PROGRAM FILES\MICROSOFT HARDWARE\KEYBOARD\TYPE32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\RunDLL.exe
C:\PROGRAM FILES\SIBER SYSTEMS\AI ROBOFORM\ROBOTASKBARICON.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\MEMTURBO\MEMTURBO.EXE
C:\PROGRAM FILES\KODAK\KODAK EASYSHARE SOFTWARE\BIN\EASYSHARE.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\FINDFAST.EXE
C:\PROGRAM FILES\GREETINGS WORKSHOP\GWREMIND.EXE
C:\PROGRAM FILES\PALM\HOTSYNC.EXE
C:\PROGRAM FILES\COMMON FILES\INTUIT\QUICKBOOKS\QBUPDATE\QBUPDATE.EXE
C:\PROGRAM FILES\SPYWAREGUARD\SGMAIN.EXE
C:\PROGRAM FILES\SPYWAREGUARD\SGBHP.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\PROGRAM FILES\SPYWAREGUARD\DLPROTECT.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [PCCIOMON.EXE] "C:\Program Files\Trend PC-cillin 2000\PCCIOMON.EXE"
O4 - HKLM\..\Run: [pop3trap.exe] "C:\Program Files\Trend PC-cillin 2000\pop3trap.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\SYSTEM\hpztsb01.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [ctst] C:\WINDOWS\ctst.exe
O4 - HKLM\..\Run: [MSConfigReminder] C:\WINDOWS\SYSTEM\msconfig.exe /reminder
O4 - HKLM\..\RunServices: [PCCIOMON.EXE] "C:\Program Files\Trend PC-cillin 2000\PCCIOMON.EXE"
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [AolAcsDaemon1] "C:\PROGRAM FILES\COMMON FILES\AOL\ACS\ACSD.EXE"
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
O4 - Startup: MemTurbo.lnk = C:\Program Files\MemTurbo\MemTurbo.exe
O4 - Startup: Reboot.exe
O4 - Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Startup: Event Reminder.lnk = C:\Program Files\Broderbund\PrintMaster\PMREMIND.EXE
O4 - Startup: Greetings Workshop Reminders.lnk = C:\Program Files\Greetings Workshop\GWREMIND.EXE
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\hotsync.exe
O4 - Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Fill Forms &] - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: Save Forms &[ - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O8 - Extra context menu item: Customize Menu &4 - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: ICQ Lite (HKLM)
O9 - Extra 'Tools' menuitem: ICQ Lite (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: RoboForm (HKLM)
O9 - Extra 'Tools' menuitem: RF Toolbar &2 (HKLM)
O9 - Extra button: Fill Forms (HKLM)
O9 - Extra 'Tools' menuitem: Fill Forms &] (HKLM)
O9 - Extra button: Save (HKLM)
O9 - Extra 'Tools' menuitem: Save Forms &[ (HKLM)
O12 - Plugin for .mts: C:\Program Files\MetaCreations\MetaStream\npmetastream.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.comcast.net
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37981.6512152778
O16 - DPF: {17D72920-7A15-11D4-921E-0080C8DA7A5E} (AimSp32 Class) - http://66.48.68.135/save/makeover.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-32.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://imgfarm.com/images/nocache/funwebproducts/SmileyCentralInitialSetup1.0.0.6.cab
O16 - DPF: {072D3F2E-5FB6-11D3-B461-00C04FA35A21} (CFForm Runtime) - http://www.joycevedral.com/CFIDE/classes/CFJava.cab
O16 - DPF: {FF65677A-8977-48CA-916A-DFF81B037DF3} (WMService Class) - http://download.overpro.com/WildApp.cab
O16 - DPF: {E04EAE82-14AD-41CB-BF5A-45556ABB8347} (WebCoachDownload Class) - http://esupport.aol.com/help/engine/aolcinst.cab
OK, to check what we have cured, please go to the C:\Windows\Adtomi Cleanup folder and double-click on the adtomi.txt file; when it opens in Notepad, copy its contents and paste them here.
4/1/2004 2:59:00 PM
No Larger Files Found

4/1/2004 2:59:15 PM
No Smaller Files Found

4/1/2004 3:06:11 PM
No Smaller Files Found

4/1/2004 3:06:20 PM
No Larger Files Found

4/1/2004 3:33:29 PM
No Smaller Files Found

4/1/2004 3:33:49 PM
No Larger Files Found

4/1/2004 3:53:10 PM
No Smaller Files Found

4/1/2004 3:53:39 PM
No Larger Files Found

4/1/2004 4:08:57 PM
No Smaller Files Found

4/1/2004 4:09:28 PM
No Larger Files Found
There should have been a list of files it deleted; since there aren't any, we must assume that all the files are still on the computer.

So print out the long list of files in post 2 so you can refer to it.

Where it has this on the list:
O4 - Global Startup: MORZE5.lnk = C:\WINDOWS\morze5.exe
O4 - Global Startup: YTEJ0D4O.lnk = C:\WINDOWS\ytej0d4o.exe
O4 - Global Startup: A56LPGI0.lnk = C:\WINDOWS\a56lpgi0.exe

the actual files you are looking for to delete are these:
C:\WINDOWS\morze5.exe
C:\WINDOWS\ytej0d4o.exe
C:\WINDOWS\a56lpgi0.exe

and so on, all the way down.

And this one: C:\WINDOWS\AAKHVNFD.EXE

Delete them all.

Hopefully you will find that they have been deleted somewhere in the previous steps and it's just that the log didn't register them as being deleted.
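The two helper posts above (stop the oddly named process and run Cleanup.bat; then translate each O4 entry into the real file under C:\WINDOWS and delete it, plus the BrowserHelper.dll BHO) are done by hand in this thread. As an added example that is not part of the thread and is not Mosaic1's Adtomi Cleanup script, the following Python tool applies the same rules to HijackThis log lines and produces the worklist the helper asked the poster to write out. The "8 letters-and-digits .exe directly in C:\WINDOWS", "morze<n>.exe" and "BHO DLL directly in C:\WINDOWS" rules, and the small KNOWN_GOOD allowlist, are assumptions drawn from the helpers' description, not from HijackThis or the cleanup script; the sample lines are copied from the logs posted in this thread.

```python
"""Triage helper for HijackThis 1.x log lines (added example; not Mosaic1's
Adtomi Cleanup script and not part of HijackThis).

It mechanises the by-hand heuristics used in the thread:
  * O4 autostart entries whose target is an .exe sitting directly in C:\\WINDOWS
    with an 8-character letters-and-digits name, or named morze<n>.exe
  * O2 BHO entries whose DLL sits directly in C:\\WINDOWS (BrowserHelper.dll)
Anything under C:\\WINDOWS\\SYSTEM or Program Files is deliberately ignored:
the poster stopped HPZSTATX.EXE (a legitimate HP file) by mistake, and the
directory check is what avoids that false positive.
"""
from __future__ import annotations
import re
from dataclasses import dataclass

WINDOWS_DIR = r"c:\windows"
RANDOM_STEM = re.compile(r"^[a-z0-9]{8}$")
MORZE_STEM = re.compile(r"^morze\d+$")
# 8-letter files that legitimately live in C:\WINDOWS on Win9x/ME.  This
# allowlist is an assumption for the example; extend it before trusting output.
KNOWN_GOOD = {"scanregw", "explorer", "winhlp32"}

REG_O4 = re.compile(r"^O4 - (?P<key>HK(?:LM|CU)\\\.\.\\Run(?:Services|Once)?): "
                    r"\[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
LNK_O4 = re.compile(r"^O4 - (?P<folder>(?:Global )?Startup): (?P<lnk>.+?\.lnk) = (?P<cmd>.+)$")
BHO_O2 = re.compile(r"^O2 - BHO: .+? - \{[0-9A-Fa-f-]+\} - (?P<dll>.+)$")


@dataclass(frozen=True)
class Finding:
    kind: str            # "autostart-exe" or "bho-dll"
    entry: str           # the HJT line that exposed it
    path: str            # file on disk to delete, as written in the log
    shortcut: str = ""   # .lnk in a Startup folder, if any


def exe_path(cmd: str) -> str:
    """Program path of an autostart command, without its arguments."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.match(r"(.+?\.exe)(?:\s|$)", cmd, re.I)
    return m.group(1) if m else cmd.split()[0]


def split_path(path: str) -> tuple[str, str, str]:
    """(directory, stem, extension), lower-cased, backslash-normalised."""
    p = path.lower().replace("/", "\\")
    head, _, tail = p.rpartition("\\")
    if "." in tail:
        stem, _, ext = tail.rpartition(".")
    else:
        stem, ext = tail, ""
    return head, stem, ext


def suspicious_exe(path: str) -> bool:
    head, stem, ext = split_path(path)
    if head != WINDOWS_DIR or ext != "exe" or stem in KNOWN_GOOD:
        return False
    return bool(RANDOM_STEM.match(stem) or MORZE_STEM.match(stem))


def suspicious_bho(dll: str) -> bool:
    head, _, ext = split_path(dll)
    return head == WINDOWS_DIR and ext == "dll"


def triage(log_text: str) -> list[Finding]:
    findings: list[Finding] = []
    for line in log_text.splitlines():
        line = line.strip()
        if m := REG_O4.match(line):
            target = exe_path(m["cmd"])
            if suspicious_exe(target):
                findings.append(Finding("autostart-exe", line, target))
        elif m := LNK_O4.match(line):
            target = exe_path(m["cmd"])
            if suspicious_exe(target):
                findings.append(Finding("autostart-exe", line, target, m["lnk"]))
        elif m := BHO_O2.match(line):
            if suspicious_bho(m["dll"]):
                findings.append(Finding("bho-dll", line, m["dll"]))
    return findings


def removal_plan(findings: list[Finding]) -> dict[str, list[str]]:
    """De-duplicated worklist.  The .lnk files matter: deleting the .exe but
    leaving the shortcut is what causes '<name>.lnk refers to a location that
    is unavailable' messages at boot."""
    files, seen = [], set()
    for f in findings:
        if f.path.lower() not in seen:
            seen.add(f.path.lower())
            files.append(f.path)
    shortcuts = sorted({f.shortcut for f in findings if f.shortcut})
    return {"files": files, "shortcuts": shortcuts, "hjt_entries": [f.entry for f in findings]}


# Sample input: lines copied from the HJT logs posted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\PROGRAM FILES\SPYWAREGUARD\DLPROTECT.DLL
O2 - BHO: (no name) - {B549456D-F5D0-4641-BCED-8648A0C13D83} - C:\WINDOWS\BrowserHelper.dll
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\SYSTEM\hpztsb01.exe
O4 - HKLM\..\Run: [AAKHVNFD.EXE] C:\WINDOWS\AAKHVNFD.EXE /dk
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKCU\..\Run: [AAKHVNFD.EXE] C:\WINDOWS\AAKHVNFD.EXE /dk
O4 - Global Startup: MORZE5.lnk = C:\WINDOWS\morze5.exe
O4 - Global Startup: YTEJ0D4O.lnk = C:\WINDOWS\ytej0d4o.exe
O4 - Global Startup: A56LPGI0.lnk = C:\WINDOWS\a56lpgi0.exe
O4 - Startup: Reboot.exe
"""

if __name__ == "__main__":
    for section, items in removal_plan(triage(SAMPLE_LOG)).items():
        print(section)
        for item in items:
            print("   ", item)
```

The output is a worklist to review by hand, not something to delete blindly: scanregw.exe and the HP file under SYSTEM are passed over, while the two AAKHVNFD.EXE Run entries collapse to one file plus the three Global Startup shortcuts and BrowserHelper.dll. If the list is empty, or the process cannot be stopped first, the helper's advice above applies: stop and ask rather than continue.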
THANKS for all your help. I couldn't find any of those files, so here is another HJT log, just for you to hopefully give the all-clear. If it's not OK, I will continue to work on it.
Logfile of HijackThis v1.97.7
Scan saved at 6:41:42 PM, on 4/1/2004
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\PROGRAM FILES\TREND PC-CILLIN 2000\PCCIOMON.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\COMMON FILES\AOL\ACS\ACSD.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\TREND PC-CILLIN 2000\POP3TRAP.EXE
C:\PROGRAM FILES\MICROSOFT HARDWARE\KEYBOARD\TYPE32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\RunDLL.exe
C:\PROGRAM FILES\SIBER SYSTEMS\AI ROBOFORM\ROBOTASKBARICON.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\FINDFAST.EXE
C:\PROGRAM FILES\GREETINGS WORKSHOP\GWREMIND.EXE
C:\PROGRAM FILES\COMMON FILES\INTUIT\QUICKBOOKS\QBUPDATE\QBUPDATE.EXE
C:\PROGRAM FILES\SPYWAREGUARD\SGMAIN.EXE
C:\PROGRAM FILES\SPYWAREGUARD\SGBHP.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\AMERICA ONLINE 9.0\WAOL.EXE
C:\PROGRAM FILES\AMERICA ONLINE 9.0\SHELLMON.EXE
C:\PROGRAM FILES\AMERICA ONLINE 9.0\AOLWBSPD.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS\HIJACKTHIS.EXE

O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\PROGRAM FILES\SPYWAREGUARD\DLPROTECT.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [PCCIOMON.EXE] "C:\Program Files\Trend PC-cillin 2000\PCCIOMON.EXE"
O4 - HKLM\..\Run: [pop3trap.exe] "C:\Program Files\Trend PC-cillin 2000\pop3trap.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\SYSTEM\hpztsb01.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [ctst] C:\WINDOWS\ctst.exe
O4 - HKLM\..\Run: [MSConfigReminder] C:\WINDOWS\SYSTEM\msconfig.exe /reminder
O4 - HKLM\..\RunServices: [PCCIOMON.EXE] "C:\Program Files\Trend PC-cillin 2000\PCCIOMON.EXE"
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [AolAcsDaemon1] "C:\PROGRAM FILES\COMMON FILES\AOL\ACS\ACSD.EXE"
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
O4 - Startup: MemTurbo.lnk = C:\Program Files\MemTurbo\MemTurbo.exe
O4 - Startup: Reboot.exe
O4 - Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Startup: Event Reminder.lnk = C:\Program Files\Broderbund\PrintMaster\PMREMIND.EXE
O4 - Startup: Greetings Workshop Reminders.lnk = C:\Program Files\Greetings Workshop\GWREMIND.EXE
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\hotsync.exe
O4 - Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Fill Forms &] - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: Save Forms &[ - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O8 - Extra context menu item: Customize Menu &4 - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: ICQ Lite (HKLM)
O9 - Extra 'Tools' menuitem: ICQ Lite (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: RoboForm (HKLM)
O9 - Extra 'Tools' menuitem: RF Toolbar &2 (HKLM)
O9 - Extra button: Fill Forms (HKLM)
O9 - Extra 'Tools' menuitem: Fill Forms &] (HKLM)
O9 - Extra button: Save (HKLM)
O9 - Extra 'Tools' menuitem: Save Forms &[ (HKLM)
O12 - Plugin for .mts: C:\Program Files\MetaCreations\MetaStream\npmetastream.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.comcast.net
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37981.6512152778
O16 - DPF: {17D72920-7A15-11D4-921E-0080C8DA7A5E} (AimSp32 Class) - http://66.48.68.135/save/makeover.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-32.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://imgfarm.com/images/nocache/funwebproducts/SmileyCentralInitialSetup1.0.0.6.cab
O16 - DPF: {072D3F2E-5FB6-11D3-B461-00C04FA35A21} (CFForm Runtime) - http://www.joycevedral.com/CFIDE/classes/CFJava.cab
O16 - DPF: {FF65677A-8977-48CA-916A-DFF81B037DF3} (WMService Class) - http://download.overpro.com/WildApp.cab
O16 - DPF: {E04EAE82-14AD-41CB-BF5A-45556ABB8347} (WebCoachDownload Class) - http://esupport.aol.com/help/engine/aolcinst.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004033001/housecall.antivirus.com/housecall/xscan53.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = aoldsl.net
Everything is working SOOOO much better, thanks to you, Derek and Steve. :D :D
Hey... Derek came up with the goods.
But you're very welcome ;)
You're very welcome :up: