Tech Support Guy
Not open for further replies. 1 - 10 of 10 Posts

Registered · 47 Posts · Discussion Starter · #1
Something seems to be attacking my pc from numerous pop-ups, to installation of ezula program, etc.

When I start up my pc, I get a repeating window saying I'm missing these shortcuts:
morze5.exe
2h7ndy7i.exe
morze1.exe
bdphh02c.exe
3akhel4g.exe

How can I get rid of these messages which stop my log on process?

The following is my hjt log, after running spybot and adaware. Please advise. Thanks!!!

Logfile of HijackThis v1.97.7
Scan saved at 12:31:06 AM, on 03/28/2004
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\ATIPTAAA.EXE
C:\WINDOWS\STARTER.EXE
C:\WINDOWS\GWHOTKEY.EXE
C:\PROGRAM FILES\LOGITECH\MOUSEWARE\SYSTEM\EM_EXEC.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\PROGRAM FILES\WINAMP3\WINAMPA.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\PROGRAM FILES\N-CASE\MSBB.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\RunDLL.exe
C:\PROGRAM FILES\MICROSOFT MONEY\SYSTEM\REMINDER.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\WNETG.EXE
C:\PROGRAM FILES\WILD FILE\GOBACK\GBMENU.EXE
C:\WINDOWS\BPR92CT1.EXE
C:\PROGRAM FILES\WINZIP\WINZIP32.EXE
C:\UNZIPPED\HIJACKTHIS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.yahoo.com/
R3 - Default URLSearchHook is missing
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar.dll
O2 - BHO: (no name) - {00000EF1-0786-4633-87C6-1AA7A44296DA} - C:\WINDOWS\SYSTEM\BENCEED.DLL
O2 - BHO: (no name) - {B549456D-F5D0-4641-BCED-8648A0C13D83} - C:\WINDOWS\BrowserHelper.dll
O2 - BHO: (no name) - {00000762-3965-4A1A-98CE-3D4BF457D4C8} - C:\PROGRAM FILES\LYCOS\SIDESEARCH\SIDESEARCH1211.DLL
O2 - BHO: (no name) - {0019C3E2-DD48-4A6D-ABCD-8D32436323D9} - C:\WINDOWS\BXXS5.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar.dll
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [ATIGART] c:\ati\gart\atigart.exe
O4 - HKLM\..\Run: [AtiPTA] Atiptaaa.exe
O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
O4 - HKLM\..\Run: [Multi-function Keyboard] GWHotKey.exe
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\LOGITECH\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp3\winampa.exe"
O4 - HKLM\..\Run: [MediaFace Integration] C:\Program Files\Fellowes\MediaFACE 4.0\SetHook.exe
O4 - HKLM\..\Run: [SysUpd] C:\WINDOWS\SYSUPD.EXE
O4 - HKLM\..\Run: [NAV Agent] c:\PROGRA~1\NORTON~1\NAVAPW32.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [bxxs5] RunDLL32.EXE C:\WINDOWS\BXXS5.DLL,DllRun
O4 - HKLM\..\Run: [xsp] C:\WINDOWS\xsp.exe
O4 - HKLM\..\Run: [msbb] c:\program files\n-case\msbb.exe
O4 - HKLM\..\Run: [helsr] C:\WINDOWS\helsr.exe
O4 - HKLM\..\Run: [WNetG] C:\WINDOWS\SYSTEM\WNetG.exe
O4 - HKLM\..\Run: [BPR92CT1.EXE] C:\WINDOWS\BPR92CT1.EXE /dk
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - HKCU\..\Run: [Reminder] C:\Program Files\Microsoft Money\System\reminder.exe
O4 - HKCU\..\Run: [BPR92CT1.EXE] C:\WINDOWS\BPR92CT1.EXE /dk
O4 - Startup: GoBack.lnk = C:\Program Files\Wild File\GoBack\GBMenu.exe
O4 - Startup: MORZE5.lnk = C:\WINDOWS\morze5.exe
O4 - Startup: 2H7NDY7I.lnk = C:\WINDOWS\2h7ndy7i.exe
O4 - Startup: 9UUBP3OG.lnk = C:\WINDOWS\9uubp3og.exe
O4 - Startup: MORZE1.lnk = C:\WINDOWS\morze1.exe
O4 - Startup: 6M5CDEMK.lnk = C:\WINDOWS\6m5cdemk.exe
O4 - Startup: NKPT2BM2.lnk = C:\WINDOWS\nkpt2bm2.exe
O4 - Startup: FJX5GKXD.lnk = C:\WINDOWS\fjx5gkxd.exe
O4 - Startup: BDPHHO2C.lnk = C:\WINDOWS\bdphho2c.exe
O4 - Startup: 3AKHEL4G.lnk = C:\WINDOWS\3akhel4g.exe
O4 - Startup: EI9YX5C5.lnk = C:\WINDOWS\ei9yx5c5.exe
O4 - Startup: G01QZYMF.lnk = C:\WINDOWS\g01qzymf.exe
O4 - Startup: 0LTCBGBC.lnk = C:\WINDOWS\0ltcbgbc.exe
O4 - Startup: BPR92CT1.lnk = C:\WINDOWS\bpr92ct1.exe
O4 - Global Startup: MORZE5.lnk = C:\WINDOWS\morze5.exe
O4 - Global Startup: 2H7NDY7I.lnk = C:\WINDOWS\2h7ndy7i.exe
O4 - Global Startup: 9UUBP3OG.lnk = C:\WINDOWS\9uubp3og.exe
O4 - Global Startup: MORZE1.lnk = C:\WINDOWS\morze1.exe
O4 - Global Startup: 6M5CDEMK.lnk = C:\WINDOWS\6m5cdemk.exe
O4 - Global Startup: NKPT2BM2.lnk = C:\WINDOWS\nkpt2bm2.exe
O4 - Global Startup: FJX5GKXD.lnk = C:\WINDOWS\fjx5gkxd.exe
O4 - Global Startup: BDPHHO2C.lnk = C:\WINDOWS\bdphho2c.exe
O4 - Global Startup: 3AKHEL4G.lnk = C:\WINDOWS\3akhel4g.exe
O4 - Global Startup: EI9YX5C5.lnk = C:\WINDOWS\ei9yx5c5.exe
O4 - Global Startup: G01QZYMF.lnk = C:\WINDOWS\g01qzymf.exe
O4 - Global Startup: 0LTCBGBC.lnk = C:\WINDOWS\0ltcbgbc.exe
O4 - Global Startup: BPR92CT1.lnk = C:\WINDOWS\bpr92ct1.exe
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR.DLL/cmsearch.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR.DLL/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR.DLL/cmsimilar.html
O8 - Extra context menu item: Backward &Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR.DLL/cmtrans.html
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Sidesearch (HKLM)
O12 - Plugin for .hpb: C:\PROGRA~1\INTERN~1\PLUGINS\nphpipb.dll
O12 - Plugin for .SWF: C:\Program Files\Netscape\Communicator\Program\PLUGINS\npswf32.dll
O12 - Plugin for .avi: C:\Program Files\Netscape\Communicator\Program\PLUGINS\npavi32.dll
O12 - Plugin for .au: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin2.dll
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37950.5700231481
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
O16 - DPF: {2253F320-AB68-4A07-917D-4F12D8884A06} (ChainCast VMR Client Proxy) - http://www.streamaudio.com/download/ccpm_0237.cab
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamespyarcade.com/software/launch/alaunch.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003120501/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/25c9f1e0aa404a8b7d23/netzip/RdxIE601.cab
 

Registered · 3,181 Posts
Download and unzip or install these programs/applications if you haven't already got them. If you have them, then make sure they are updated and configured as described.

Spybot - Search & Destroy from http://security.kolla.de

AdAware 6 from http://www.lavasoft.de/software/adaware/

Run Spybot S&D

After installing, first press Online, press search for updates, then tick the updates it finds, then press download updates. Beside the download button is a little down-pointed arrow; select one of the servers listed. If it doesn't work or you get an error message, then try a different server.

Next, close all Internet Explorer and OE windows, press 'Check for Problems', and have SpyBot remove all it finds that is marked in RED.

then reboot &

Run ADAWARE

Before you scan with AdAware, check for updates of the reference file by using the "webupdate".

Then ........

Make sure the following settings are made and on ("ON" = GREEN):
From the main window, click "Start" then "Activate in-depth scan"

then......

click "Use custom scanning options > Customize" and have these options on: "Scan within archives", "Scan active processes", "Scan registry", "Deep scan registry", "Scan my IE Favorites for banned URL" and "Scan my host-files".

then.........

Now to scan, it's just a matter of clicking the "Scan" button.

When the scan is finished, mark everything for removal and get rid of it (right-click the window and choose "select all" from the drop-down menu), then press next and say yes to the prompt "do you want to remove all these entries".

reboot again

then post a new hijackthis log to check what is left
 

Registered · 47 Posts · Discussion Starter · #4
I ran Spybot & Adaware updates and scans, then deleted all found items. I then ran the virus scan you suggested - I need to download the zipped repair program for netsy. I am asked which program to use to open the item - none chosen, i.e. Word, WordPad, will let me view it.
Here is my updated HJT log:
Logfile of HijackThis v1.97.7
Scan saved at 9:02:51 AM, on 03/28/2004
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\ATIPTAAA.EXE
C:\WINDOWS\STARTER.EXE
C:\WINDOWS\GWHOTKEY.EXE
C:\PROGRAM FILES\LOGITECH\MOUSEWARE\SYSTEM\EM_EXEC.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\PROGRAM FILES\WINAMP3\WINAMPA.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\WINDOWS\RunDLL.exe
C:\PROGRAM FILES\MICROSOFT MONEY\SYSTEM\REMINDER.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\RYPTDLGC.EXE
C:\PROGRAM FILES\WILD FILE\GOBACK\GBMENU.EXE
C:\WINDOWS\L5DY2RX9.EXE
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\WINZIP\WINZIP32.EXE
C:\UNZIPPED\HIJACKTHIS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.yahoo.com/
R3 - Default URLSearchHook is missing
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar.dll
O2 - BHO: (no name) - {B549456D-F5D0-4641-BCED-8648A0C13D83} - C:\WINDOWS\BrowserHelper.dll
O2 - BHO: (no name) - {0019C3E2-DD48-4A6D-ABCD-8D32436323D9} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar.dll
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [ATIGART] c:\ati\gart\atigart.exe
O4 - HKLM\..\Run: [AtiPTA] Atiptaaa.exe
O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
O4 - HKLM\..\Run: [Multi-function Keyboard] GWHotKey.exe
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\LOGITECH\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp3\winampa.exe"
O4 - HKLM\..\Run: [MediaFace Integration] C:\Program Files\Fellowes\MediaFACE 4.0\SetHook.exe
O4 - HKLM\..\Run: [SysUpd] C:\WINDOWS\SYSUPD.EXE
O4 - HKLM\..\Run: [NAV Agent] c:\PROGRA~1\NORTON~1\NAVAPW32.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [bxxs5] RunDLL32.EXE C:\WINDOWS\BXXS5.DLL,DllRun
O4 - HKLM\..\Run: [xsp] C:\WINDOWS\xsp.exe
O4 - HKLM\..\Run: [helsr] C:\WINDOWS\helsr.exe
O4 - HKLM\..\Run: [RYPTDLGC] C:\WINDOWS\SYSTEM\RYPTDLGC.exe
O4 - HKLM\..\Run: [L5DY2RX9.EXE] C:\WINDOWS\L5DY2RX9.EXE /dk
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - HKCU\..\Run: [Reminder] C:\Program Files\Microsoft Money\System\reminder.exe
O4 - HKCU\..\Run: [L5DY2RX9.EXE] C:\WINDOWS\L5DY2RX9.EXE /dk
O4 - Startup: GoBack.lnk = C:\Program Files\Wild File\GoBack\GBMenu.exe
O4 - Startup: MORZE5.lnk = C:\WINDOWS\morze5.exe
O4 - Startup: 2H7NDY7I.lnk = C:\WINDOWS\2h7ndy7i.exe
O4 - Startup: 9UUBP3OG.lnk = C:\WINDOWS\9uubp3og.exe
O4 - Startup: MORZE1.lnk = C:\WINDOWS\morze1.exe
O4 - Startup: 6M5CDEMK.lnk = C:\WINDOWS\6m5cdemk.exe
O4 - Startup: NKPT2BM2.lnk = C:\WINDOWS\nkpt2bm2.exe
O4 - Startup: FJX5GKXD.lnk = C:\WINDOWS\fjx5gkxd.exe
O4 - Startup: BDPHHO2C.lnk = C:\WINDOWS\bdphho2c.exe
O4 - Startup: 3AKHEL4G.lnk = C:\WINDOWS\3akhel4g.exe
O4 - Startup: EI9YX5C5.lnk = C:\WINDOWS\ei9yx5c5.exe
O4 - Startup: G01QZYMF.lnk = C:\WINDOWS\g01qzymf.exe
O4 - Startup: 0LTCBGBC.lnk = C:\WINDOWS\0ltcbgbc.exe
O4 - Startup: BPR92CT1.lnk = C:\WINDOWS\bpr92ct1.exe
O4 - Startup: I68753DR.lnk = C:\WINDOWS\i68753dr.exe
O4 - Startup: C12U9AMG.lnk = C:\WINDOWS\c12u9amg.exe
O4 - Startup: L5DY2RX9.lnk = C:\WINDOWS\l5dy2rx9.exe
O4 - Global Startup: MORZE5.lnk = C:\WINDOWS\morze5.exe
O4 - Global Startup: 2H7NDY7I.lnk = C:\WINDOWS\2h7ndy7i.exe
O4 - Global Startup: 9UUBP3OG.lnk = C:\WINDOWS\9uubp3og.exe
O4 - Global Startup: MORZE1.lnk = C:\WINDOWS\morze1.exe
O4 - Global Startup: 6M5CDEMK.lnk = C:\WINDOWS\6m5cdemk.exe
O4 - Global Startup: NKPT2BM2.lnk = C:\WINDOWS\nkpt2bm2.exe
O4 - Global Startup: FJX5GKXD.lnk = C:\WINDOWS\fjx5gkxd.exe
O4 - Global Startup: BDPHHO2C.lnk = C:\WINDOWS\bdphho2c.exe
O4 - Global Startup: 3AKHEL4G.lnk = C:\WINDOWS\3akhel4g.exe
O4 - Global Startup: EI9YX5C5.lnk = C:\WINDOWS\ei9yx5c5.exe
O4 - Global Startup: G01QZYMF.lnk = C:\WINDOWS\g01qzymf.exe
O4 - Global Startup: 0LTCBGBC.lnk = C:\WINDOWS\0ltcbgbc.exe
O4 - Global Startup: BPR92CT1.lnk = C:\WINDOWS\bpr92ct1.exe
O4 - Global Startup: I68753DR.lnk = C:\WINDOWS\i68753dr.exe
O4 - Global Startup: C12U9AMG.lnk = C:\WINDOWS\c12u9amg.exe
O4 - Global Startup: L5DY2RX9.lnk = C:\WINDOWS\l5dy2rx9.exe
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR.DLL/cmsearch.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR.DLL/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR.DLL/cmsimilar.html
O8 - Extra context menu item: Backward &Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR.DLL/cmtrans.html
O9 - Extra button: AIM (HKLM)
O12 - Plugin for .hpb: C:\PROGRA~1\INTERN~1\PLUGINS\nphpipb.dll
O12 - Plugin for .SWF: C:\Program Files\Netscape\Communicator\Program\PLUGINS\npswf32.dll
O12 - Plugin for .avi: C:\Program Files\Netscape\Communicator\Program\PLUGINS\npavi32.dll
O12 - Plugin for .au: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin2.dll
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37950.5700231481
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
O16 - DPF: {2253F320-AB68-4A07-917D-4F12D8884A06} (ChainCast VMR Client Proxy) - http://www.streamaudio.com/download/ccpm_0237.cab
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamespyarcade.com/software/launch/alaunch.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003120501/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/25c9f1e0aa404a8b7d23/netzip/RdxIE601.cab
 

Registered · 47 Posts · Discussion Starter · #5
The Global Startup items on my HJT log are the things which come up as "missing shortcut" when I start up my pc. This process freezes me out for a good few minutes while I have to keep clicking on the cancel or X button to get rid of the browse windows.
 

Registered · 46,465 Posts
Now I'm going to ask you to boot to safe mode to do these fixes with HJT, so you will need to copy these instructions to Notepad.

Boot to safe mode:

How to start your computer in safe mode.

In safe mode click on My Computer then go to View > Folder Options. Click on the "View" tab and make sure "Show all files" is ticked and uncheck "Hide file extensions for known file types". Click "Like Current Folder" then click "Apply" then "OK".

Now run Hijack This again and put a check by these. Close all windows except HijackThis and click "Fix checked"

R3 - Default URLSearchHook is missing

O2 - BHO: (no name) - {B549456D-F5D0-4641-BCED-8648A0C13D83} - C:\WINDOWS\BrowserHelper.dll

O2 - BHO: (no name) - {0019C3E2-DD48-4A6D-ABCD-8D32436323D9} - (no file)

O4 - HKLM\..\Run: [SysUpd] C:\WINDOWS\SYSUPD.EXE

O4 - HKLM\..\Run: [bxxs5] RunDLL32.EXE C:\WINDOWS\BXXS5.DLL,DllRun

O4 - HKLM\..\Run: [xsp] C:\WINDOWS\xsp.exe

O4 - HKLM\..\Run: [helsr] C:\WINDOWS\helsr.exe

O4 - HKLM\..\Run: [RYPTDLGC] C:\WINDOWS\SYSTEM\RYPTDLGC.exe

O4 - HKLM\..\Run: [L5DY2RX9.EXE] C:\WINDOWS\L5DY2RX9.EXE /dk

O4 - HKCU\..\Run: [L5DY2RX9.EXE] C:\WINDOWS\L5DY2RX9.EXE /dk

O4 - Startup: MORZE5.lnk = C:\WINDOWS\morze5.exe

O4 - Startup: 2H7NDY7I.lnk = C:\WINDOWS\2h7ndy7i.exe

O4 - Startup: 9UUBP3OG.lnk = C:\WINDOWS\9uubp3og.exe

O4 - Startup: MORZE1.lnk = C:\WINDOWS\morze1.exe

O4 - Startup: 6M5CDEMK.lnk = C:\WINDOWS\6m5cdemk.exe

O4 - Startup: NKPT2BM2.lnk = C:\WINDOWS\nkpt2bm2.exe

O4 - Startup: FJX5GKXD.lnk = C:\WINDOWS\fjx5gkxd.exe

O4 - Startup: BDPHHO2C.lnk = C:\WINDOWS\bdphho2c.exe

O4 - Startup: 3AKHEL4G.lnk = C:\WINDOWS\3akhel4g.exe

O4 - Startup: EI9YX5C5.lnk = C:\WINDOWS\ei9yx5c5.exe

O4 - Startup: G01QZYMF.lnk = C:\WINDOWS\g01qzymf.exe

O4 - Startup: 0LTCBGBC.lnk = C:\WINDOWS\0ltcbgbc.exe

O4 - Startup: BPR92CT1.lnk = C:\WINDOWS\bpr92ct1.exe

O4 - Startup: I68753DR.lnk = C:\WINDOWS\i68753dr.exe

O4 - Startup: C12U9AMG.lnk = C:\WINDOWS\c12u9amg.exe

O4 - Startup: L5DY2RX9.lnk = C:\WINDOWS\l5dy2rx9.exe

O4 - Global Startup: MORZE5.lnk = C:\WINDOWS\morze5.exe

O4 - Global Startup: 2H7NDY7I.lnk = C:\WINDOWS\2h7ndy7i.exe

O4 - Global Startup: 9UUBP3OG.lnk = C:\WINDOWS\9uubp3og.exe

O4 - Global Startup: MORZE1.lnk = C:\WINDOWS\morze1.exe

O4 - Global Startup: 6M5CDEMK.lnk = C:\WINDOWS\6m5cdemk.exe

O4 - Global Startup: NKPT2BM2.lnk = C:\WINDOWS\nkpt2bm2.exe

O4 - Global Startup: FJX5GKXD.lnk = C:\WINDOWS\fjx5gkxd.exe

O4 - Global Startup: BDPHHO2C.lnk = C:\WINDOWS\bdphho2c.exe

O4 - Global Startup: 3AKHEL4G.lnk = C:\WINDOWS\3akhel4g.exe

O4 - Global Startup: EI9YX5C5.lnk = C:\WINDOWS\ei9yx5c5.exe

O4 - Global Startup: G01QZYMF.lnk = C:\WINDOWS\g01qzymf.exe

O4 - Global Startup: 0LTCBGBC.lnk = C:\WINDOWS\0ltcbgbc.exe

O4 - Global Startup: BPR92CT1.lnk = C:\WINDOWS\bpr92ct1.exe

O4 - Global Startup: I68753DR.lnk = C:\WINDOWS\i68753dr.exe

O4 - Global Startup: C12U9AMG.lnk = C:\WINDOWS\c12u9amg.exe

O4 - Global Startup: L5DY2RX9.lnk = C:\WINDOWS\l5dy2rx9.exe

O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/25c9f1e...ip/RdxIE601.cab


Now open the C:\Windows folder and find and delete these files:

SYSUPD.EXE
xsp.exe
helsr.exe
L5DY2RX9.EXE
morze5.exe
morze1.exe
l5dy2rx9.exe
2h7ndy7i.exe
9uubp3og.exe
6m5cdemk.exe
nkpt2bm2.exe
fjx5gkxd.exe
bdphho2c.exe
3akhel4g.exe
ei9yx5c5.exe
g01qzymf.exe
0ltcbgbc.exe
bpr92ct1.exe
i68753dr.exe
c12u9amg.exe


Also in the Windows folder find the Temp folder and go to Edit > Select All then Edit > Delete and delete everything in the Temp folder.

Go to the C:\WINDOWS\SYSTEM folder and delete the RYPTDLGC.exe file

Now go to Control Panel > Internet Options and on the General tab under "Temporary Internet Files" Click "Delete Files". In the box that pops up put a check by "Delete offline content" then click OK.

Boot back to normal and post another log please.
 

Registered · 47 Posts · Discussion Starter · #7
I ran all the suggested steps. Here is my updated HJT log.
Logfile of HijackThis v1.97.7
Scan saved at 3:56:11 PM, on 03/28/2004
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\ATIPTAAA.EXE
C:\WINDOWS\STARTER.EXE
C:\WINDOWS\GWHOTKEY.EXE
C:\PROGRAM FILES\LOGITECH\MOUSEWARE\SYSTEM\EM_EXEC.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\PROGRAM FILES\WINAMP3\WINAMPA.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\PROGRAM FILES\N-CASE\MSBB.EXE
C:\PROGRAM FILES\BARGAIN BUDDY\BIN2\BARGAINS.EXE
C:\WINDOWS\NUHCROP.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\RunDLL.exe
C:\PROGRAM FILES\MICROSOFT MONEY\SYSTEM\REMINDER.EXE
C:\PROGRAM FILES\WILD FILE\GOBACK\GBMENU.EXE
C:\WINDOWS\SYSTEM\IACTFRMD.EXE
C:\WINDOWS\E0T2BW29.EXE
C:\PROGRAM FILES\WINZIP\WINZIP32.EXE
C:\UNZIPPED\HIJACKTHIS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.yahoo.com/
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar.dll
O2 - BHO: Url Catcher - {CE31A1F7-3D90-4874-8FBE-A5D97F8BC8F1} - C:\PROGRA~1\BARGAI~1\BIN2\APUC.DLL
O2 - BHO: (no name) - {B549456D-F5D0-4641-BCED-8648A0C13D83} - C:\WINDOWS\BrowserHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar.dll
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [ATIGART] c:\ati\gart\atigart.exe
O4 - HKLM\..\Run: [AtiPTA] Atiptaaa.exe
O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
O4 - HKLM\..\Run: [Multi-function Keyboard] GWHotKey.exe
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\LOGITECH\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp3\winampa.exe"
O4 - HKLM\..\Run: [MediaFace Integration] C:\Program Files\Fellowes\MediaFACE 4.0\SetHook.exe
O4 - HKLM\..\Run: [NAV Agent] c:\PROGRA~1\NORTON~1\NAVAPW32.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [msbb] c:\program files\n-case\msbb.exe
O4 - HKLM\..\Run: [Bargains] C:\Program Files\Bargain Buddy\bin2\bargains.exe
O4 - HKLM\..\Run: [nuhcrop] C:\WINDOWS\nuhcrop.exe
O4 - HKLM\..\Run: [iactfrmd] C:\WINDOWS\SYSTEM\iactfrmd.exe
O4 - HKLM\..\Run: [E0T2BW29.EXE] C:\WINDOWS\E0T2BW29.EXE /dk
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - HKCU\..\Run: [Reminder] C:\Program Files\Microsoft Money\System\reminder.exe
O4 - HKCU\..\Run: [E0T2BW29.EXE] C:\WINDOWS\E0T2BW29.EXE /dk
O4 - Startup: GoBack.lnk = C:\Program Files\Wild File\GoBack\GBMenu.exe
O4 - Startup: 0LTCBGBC.lnk = C:\WINDOWS\0ltcbgbc.exe
O4 - Startup: 7VXBLKQP.lnk = C:\WINDOWS\7vxblkqp.exe
O4 - Startup: 6PTEGCKB.lnk = C:\WINDOWS\6ptegckb.exe
O4 - Startup: VQC5VJAH.lnk = C:\WINDOWS\vqc5vjah.exe
O4 - Startup: RKXIHD3A.lnk = C:\WINDOWS\rkxihd3a.exe
O4 - Startup: E0T2BW29.lnk = C:\WINDOWS\e0t2bw29.exe
O4 - Global Startup: 0LTCBGBC.lnk = C:\WINDOWS\0ltcbgbc.exe
O4 - Global Startup: 7VXBLKQP.lnk = C:\WINDOWS\7vxblkqp.exe
O4 - Global Startup: 6PTEGCKB.lnk = C:\WINDOWS\6ptegckb.exe
O4 - Global Startup: VQC5VJAH.lnk = C:\WINDOWS\vqc5vjah.exe
O4 - Global Startup: RKXIHD3A.lnk = C:\WINDOWS\rkxihd3a.exe
O4 - Global Startup: E0T2BW29.lnk = C:\WINDOWS\e0t2bw29.exe
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR.DLL/cmsearch.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR.DLL/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR.DLL/cmsimilar.html
O8 - Extra context menu item: Backward &Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR.DLL/cmtrans.html
O9 - Extra button: AIM (HKLM)
O12 - Plugin for .hpb: C:\PROGRA~1\INTERN~1\PLUGINS\nphpipb.dll
O12 - Plugin for .SWF: C:\Program Files\Netscape\Communicator\Program\PLUGINS\npswf32.dll
O12 - Plugin for .avi: C:\Program Files\Netscape\Communicator\Program\PLUGINS\npavi32.dll
O12 - Plugin for .au: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin2.dll
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37950.5700231481
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
O16 - DPF: {2253F320-AB68-4A07-917D-4F12D8884A06} (ChainCast VMR Client Proxy) - http://www.streamaudio.com/download/ccpm_0237.cab
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamespyarcade.com/software/launch/alaunch.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003120501/housecall.antivirus.com/housecall/xscan53.cab
 

Registered · 46,465 Posts
Boot to safe mode again.

Run Hijack This again in safe mode and put a check by these. Double-check and triple-check to be sure you don't miss anything. Close all windows except HijackThis and click "Fix checked"

O2 - BHO: Url Catcher - {CE31A1F7-3D90-4874-8FBE-A5D97F8BC8F1} - C:\PROGRA~1\BARGAI~1\BIN2\APUC.DLL

O2 - BHO: (no name) - {B549456D-F5D0-4641-BCED-8648A0C13D83} - C:\WINDOWS\BrowserHelper.dll

O4 - HKLM\..\Run: [msbb] c:\program files\n-case\msbb.exe

O4 - HKLM\..\Run: [Bargains] C:\Program Files\Bargain Buddy\bin2\bargains.exe

O4 - HKLM\..\Run: [nuhcrop] C:\WINDOWS\nuhcrop.exe

O4 - HKLM\..\Run: [iactfrmd] C:\WINDOWS\SYSTEM\iactfrmd.exe

O4 - HKLM\..\Run: [E0T2BW29.EXE] C:\WINDOWS\E0T2BW29.EXE /dk

O4 - HKCU\..\Run: [E0T2BW29.EXE] C:\WINDOWS\E0T2BW29.EXE /dk

O4 - Startup: 0LTCBGBC.lnk = C:\WINDOWS\0ltcbgbc.exe

O4 - Startup: 7VXBLKQP.lnk = C:\WINDOWS\7vxblkqp.exe

O4 - Startup: 6PTEGCKB.lnk = C:\WINDOWS\6ptegckb.exe

O4 - Startup: VQC5VJAH.lnk = C:\WINDOWS\vqc5vjah.exe

O4 - Startup: RKXIHD3A.lnk = C:\WINDOWS\rkxihd3a.exe

O4 - Startup: E0T2BW29.lnk = C:\WINDOWS\e0t2bw29.exe

O4 - Global Startup: 0LTCBGBC.lnk = C:\WINDOWS\0ltcbgbc.exe

O4 - Global Startup: 7VXBLKQP.lnk = C:\WINDOWS\7vxblkqp.exe

O4 - Global Startup: 6PTEGCKB.lnk = C:\WINDOWS\6ptegckb.exe

O4 - Global Startup: VQC5VJAH.lnk = C:\WINDOWS\vqc5vjah.exe

O4 - Global Startup: RKXIHD3A.lnk = C:\WINDOWS\rkxihd3a.exe

O4 - Global Startup: E0T2BW29.lnk = C:\WINDOWS\e0t2bw29.exe


Now open the C:\Windows folder and find and delete these files:

0ltcbgbc.exe
7vxblkqp.exe
6ptegckb.exe
vqc5vjah.exe
rkxihd3a.exe
e0t2bw29.exe
nuhcrop.exe


*Note: Also, if you see any other files that look similar to these with the random letters and numbers, delete them as well.

Double-check and triple-check to be sure you don't

Also in the Windows folder find the Temp folder and go to Edit > Select All then Edit > Delete and delete everything in the Temp folder.

Also delete:

The C:\program files\n-case folder
The C:\Program Files\Bargain Buddy
The C:\WINDOWS\SYSTEM\iactfrmd.exe file

Now go to Control Panel > Internet Options and on the General tab under "Temporary Internet Files" Click "Delete Files". In the box that pops up put a check by "Delete offline content" then click OK.

Boot back to normal and post another log please.
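A small triage script, added here as an example and not part of the thread, of HijackThis or of the helper's instructions: it parses the O4 startup entries of two HijackThis logs, flags the random eight-character file names the note above tells the poster to look for, and compares the scans so names that vanish and reappear under new names stand out. The two log excerpts are constructed from entries quoted in this thread, and the name heuristic is an assumption tuned to those names.

```python
"""Triage of HijackThis O4 startup entries across two scans.

Added example for this thread; not part of HijackThis or of the helper's
instructions. Parses O4 lines, flags images whose file name is a random
mix of letters and digits, and compares two scans so that names which
vanish and reappear under new names stand out as a sign that something
still on the machine regenerates them on reboot.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Set

# "O4 - <location>: [Label] command"   for Run / RunServices registry keys
# "O4 - <location>: NAME.lnk = target" for the Startup folders
O4_RE = re.compile(r"^O4 - (?P<loc>[^:]+): (?P<rest>.+)$")
REG_RE = re.compile(r"^\[(?P<label>[^\]]*)\] (?P<cmd>.*)$")
LNK_RE = re.compile(r"^(?P<label>\S+\.lnk) = (?P<cmd>.*)$")
# First .exe in a command line, quoted or not; paths may contain spaces.
IMAGE_RE = re.compile(r'^"?(?P<path>[^"]*?\.exe)"?(?=[\s,"]|$)', re.IGNORECASE)
# Heuristic (assumption tuned to this thread): an 8-character alphanumeric
# stem with a digit followed by a letter somewhere inside, e.g. L5DY2RX9.
# Trailing version digits (rundll32, navapw32) do not match.
RANDOM_STEM_RE = re.compile(r"^(?=.*\d[a-z])[a-z0-9]{8}$")


@dataclass(frozen=True)
class O4Entry:
    location: str  # registry key or Startup folder HijackThis read it from
    label: str     # Run value name or shortcut file name
    image: str     # program path as written in the log


def image_of(cmd: str) -> str:
    """Program image of a command line; falls back to the first token."""
    m = IMAGE_RE.match(cmd)
    if m:
        return m.group("path")
    tokens = cmd.strip().strip('"').split()
    return tokens[0] if tokens else ""


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1]


def parse_o4(log_text: str) -> List[O4Entry]:
    """Every O4 entry in a HijackThis log; other sections are ignored."""
    entries: List[O4Entry] = []
    for line in log_text.splitlines():
        m = O4_RE.match(line.strip())
        if not m:
            continue
        sub = REG_RE.match(m.group("rest")) or LNK_RE.match(m.group("rest"))
        if sub:
            entries.append(O4Entry(m.group("loc"), sub.group("label"),
                                   image_of(sub.group("cmd"))))
    return entries


def looks_random(filename: str) -> bool:
    """True for names like L5DY2RX9.EXE; a lead to verify, not a verdict."""
    stem = filename.lower().rsplit(".", 1)[0]
    return RANDOM_STEM_RE.match(stem) is not None


def flagged_images(log_text: str) -> Dict[str, Set[str]]:
    """Suspicious image name -> O4 locations launching it. One random name
    in several locations (HKLM Run, HKCU Run and both Startup folders, as
    in the thread) is itself a persistence signal."""
    found: Dict[str, Set[str]] = {}
    for e in parse_o4(log_text):
        name = basename(e.image).lower()
        if looks_random(name):
            found.setdefault(name, set()).add(e.location)
    return found


def compare_scans(before: str, after: str) -> Dict[str, List[str]]:
    """Flagged names that disappeared, survived, or are new since last scan."""
    b, a = set(flagged_images(before)), set(flagged_images(after))
    return {"removed": sorted(b - a), "persisted": sorted(b & a), "new": sorted(a - b)}


# Constructed excerpts of the 9:02 AM and 3:56 PM logs quoted in the thread.
SCAN_AM = r"""
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [NAV Agent] c:\PROGRA~1\NORTON~1\NAVAPW32.EXE
O4 - HKLM\..\Run: [L5DY2RX9.EXE] C:\WINDOWS\L5DY2RX9.EXE /dk
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - HKCU\..\Run: [L5DY2RX9.EXE] C:\WINDOWS\L5DY2RX9.EXE /dk
O4 - Startup: GoBack.lnk = C:\Program Files\Wild File\GoBack\GBMenu.exe
O4 - Startup: 0LTCBGBC.lnk = C:\WINDOWS\0ltcbgbc.exe
O4 - Startup: L5DY2RX9.lnk = C:\WINDOWS\l5dy2rx9.exe
O4 - Global Startup: 0LTCBGBC.lnk = C:\WINDOWS\0ltcbgbc.exe
O4 - Global Startup: L5DY2RX9.lnk = C:\WINDOWS\l5dy2rx9.exe
"""
SCAN_PM = r"""
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [NAV Agent] c:\PROGRA~1\NORTON~1\NAVAPW32.EXE
O4 - HKLM\..\Run: [E0T2BW29.EXE] C:\WINDOWS\E0T2BW29.EXE /dk
O4 - HKCU\..\Run: [E0T2BW29.EXE] C:\WINDOWS\E0T2BW29.EXE /dk
O4 - Startup: GoBack.lnk = C:\Program Files\Wild File\GoBack\GBMenu.exe
O4 - Startup: 0LTCBGBC.lnk = C:\WINDOWS\0ltcbgbc.exe
O4 - Startup: 7VXBLKQP.lnk = C:\WINDOWS\7vxblkqp.exe
O4 - Startup: E0T2BW29.lnk = C:\WINDOWS\e0t2bw29.exe
O4 - Global Startup: 0LTCBGBC.lnk = C:\WINDOWS\0ltcbgbc.exe
O4 - Global Startup: 7VXBLKQP.lnk = C:\WINDOWS\7vxblkqp.exe
O4 - Global Startup: E0T2BW29.lnk = C:\WINDOWS\e0t2bw29.exe
"""

if __name__ == "__main__":
    for name, locs in sorted(flagged_images(SCAN_PM).items()):
        print(f"{name:14} launched from: {', '.join(sorted(locs))}")
    print(compare_scans(SCAN_AM, SCAN_PM))
```

A name that is "removed" only to be replaced by a "new" one between scans points at a still-running dropper rather than at leftover shortcuts, which is why the helper has the poster delete the files in safe mode and re-post the log.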
 

Registered · 47 Posts · Discussion Starter · #9
I deleted the items I could find. No trace of n-case in c:\program files.
Here's my hjt log per your request. How am I doing?

Logfile of HijackThis v1.97.7
Scan saved at 9:39:55 PM, on 03/28/2004
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\ATIPTAAA.EXE
C:\WINDOWS\STARTER.EXE
C:\WINDOWS\GWHOTKEY.EXE
C:\PROGRAM FILES\LOGITECH\MOUSEWARE\SYSTEM\EM_EXEC.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\PROGRAM FILES\WINAMP3\WINAMPA.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\WINDOWS\RunDLL.exe
C:\PROGRAM FILES\MICROSOFT MONEY\SYSTEM\REMINDER.EXE
C:\PROGRAM FILES\WILD FILE\GOBACK\GBMENU.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\WINZIP\WINZIP32.EXE
C:\UNZIPPED\HIJACKTHIS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.yahoo.com/
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar.dll
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [ATIGART] c:\ati\gart\atigart.exe
O4 - HKLM\..\Run: [AtiPTA] Atiptaaa.exe
O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
O4 - HKLM\..\Run: [Multi-function Keyboard] GWHotKey.exe
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\LOGITECH\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp3\winampa.exe"
O4 - HKLM\..\Run: [MediaFace Integration] C:\Program Files\Fellowes\MediaFACE 4.0\SetHook.exe
O4 - HKLM\..\Run: [NAV Agent] c:\PROGRA~1\NORTON~1\NAVAPW32.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [3JVH3V30.EXE] C:\WINDOWS\3JVH3V30.EXE /dk
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - HKCU\..\Run: [Reminder] C:\Program Files\Microsoft Money\System\reminder.exe
O4 - HKCU\..\Run: [3JVH3V30.EXE] C:\WINDOWS\3JVH3V30.EXE /dk
O4 - Startup: GoBack.lnk = C:\Program Files\Wild File\GoBack\GBMenu.exe
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR.DLL/cmsearch.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR.DLL/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR.DLL/cmsimilar.html
O8 - Extra context menu item: Backward &Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR.DLL/cmtrans.html
O9 - Extra button: AIM (HKLM)
O12 - Plugin for .hpb: C:\PROGRA~1\INTERN~1\PLUGINS\nphpipb.dll
O12 - Plugin for .SWF: C:\Program Files\Netscape\Communicator\Program\PLUGINS\npswf32.dll
O12 - Plugin for .avi: C:\Program Files\Netscape\Communicator\Program\PLUGINS\npavi32.dll
O12 - Plugin for .au: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin2.dll
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37950.5700231481
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
O16 - DPF: {2253F320-AB68-4A07-917D-4F12D8884A06} (ChainCast VMR Client Proxy) - http://www.streamaudio.com/download/ccpm_0237.cab
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamespyarcade.com/software/launch/alaunch.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003120501/housecall.antivirus.com/housecall/xscan53.cab
 

Registered · 46,465 Posts
Run Hijack This again and put a check by these. Close all windows except HijackThis and click "Fix checked"

O4 - HKLM\..\Run: [3JVH3V30.EXE] C:\WINDOWS\3JVH3V30.EXE /dk

O4 - HKCU\..\Run: [3JVH3V30.EXE] C:\WINDOWS\3JVH3V30.EXE /dk


Boot to safe mode and delete:

The C:\WINDOWS\3JVH3V30.EXE file
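Added illustration (not code from the thread, from HijackThis, or from the helper): a small Python checker that applies the criteria used in both removal posts above to O4 lines, flagging Run values and Startup shortcuts whose target is an 8-character letter/digit name sitting directly in C:\WINDOWS, launched with `/dk`, or registered under a value name that is just the file name. The sample log text is constructed from entries quoted in this thread; the scoring threshold and the heuristic names are my own assumptions.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample modelled on O4 entries quoted in this thread (not a pasted log).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [NAV Agent] c:\PROGRA~1\NORTON~1\NAVAPW32.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [3JVH3V30.EXE] C:\WINDOWS\3JVH3V30.EXE /dk
O4 - HKCU\..\Run: [E0T2BW29.EXE] C:\WINDOWS\E0T2BW29.EXE /dk
O4 - Startup: GoBack.lnk = C:\Program Files\Wild File\GoBack\GBMenu.exe
O4 - Global Startup: RKXIHD3A.lnk = C:\WINDOWS\rkxihd3a.exe
"""

# The two shapes an O4 line takes: a registry Run value, or a Startup-folder shortcut.
RUN_RE = re.compile(r"^O4 - (?P<loc>HK\w+\\\.\.\\\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
LNK_RE = re.compile(r"^O4 - (?P<loc>(?:Global )?Startup): (?P<name>.+?) = (?P<cmd>.+)$")
# First (optionally quoted) token ending in .exe, then whatever arguments follow.
EXE_RE = re.compile(r'^"?(?P<path>[^"]+?\.exe)"?(?P<args>\s.*)?$', re.IGNORECASE)
# Eight letters/digits with at least one digit, like 3JVH3V30 or rkxihd3a.
RANDOM_NAME = re.compile(r"^(?=.*\d)[a-z0-9]{8}$", re.IGNORECASE)

def parse_o4(line):
    """Return (location, value name, exe path, args) for an O4 line, else None."""
    m = RUN_RE.match(line) or LNK_RE.match(line)
    if not m:
        return None
    e = EXE_RE.match(m["cmd"].strip())
    if not e:
        return None
    return m["loc"], m["name"], e["path"], (e["args"] or "").strip()

def suspicious_reasons(name, path, args):
    """Heuristics taken from the entries the helper told the poster to fix (assumed weights: 1 each)."""
    p = PureWindowsPath(path)
    reasons = []
    if RANDOM_NAME.match(p.stem):
        reasons.append("8-char letter/digit basename")
    if str(p.parent).lower() == r"c:\windows":
        reasons.append("sits directly in C:\\WINDOWS")
    if args.lower().startswith("/dk"):
        reasons.append("/dk switch")
    if name.lower() in (p.name.lower(), p.stem.lower() + ".lnk"):
        reasons.append("value name is just the file name")
    return reasons

def flag_entries(log_text, min_score=2):
    """Return [(line, reasons)] for O4 entries with at least min_score indicators."""
    findings = []
    for line in log_text.splitlines():
        parsed = parse_o4(line.strip())
        if parsed:
            _loc, name, path, args = parsed
            reasons = suspicious_reasons(name, path, args)
            if len(reasons) >= min_score:
                findings.append((line, reasons))
    return findings

if __name__ == "__main__":
    for line, reasons in flag_entries(SAMPLE_LOG):
        print(line, "->", "; ".join(reasons))
```

Legitimate 8.3 names such as NAVAPW32.EXE score only one indicator and are left alone, while the three random-named entries score three or four.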
 