Tech Support Guy forum thread

Post #1 (discussion starter):
I have recently acquired the file HOMM2GOLD-dm.exe which resides in my c:\temp directory. It appears to be accessed on a daily basis and resists deletion. I am unclear as to what the file is for or what it may be doing. The only recent known change to my system is the installation of a Netgear Router. Does anyone know anything about HOMM2GOLD-dm.exe?


Post #2 (Byteman):
Hi, it's been seen as TryMedia adware junk - delete it.

If you want to check, post a Hijackthis log:

Download HJTsetup.exe from the link provided:
  • Save HJTsetup.exe to your desktop.
  • Double click on the HJTsetup.exe icon on your desktop.
  • By default it will install to C:\Program Files\Hijack This.
  • Continue to click Next in the setup dialogue boxes until you get to the Select Additional Tasks dialogue.
  • Put a check by Create a desktop icon then click Next again.
  • Continue to follow the rest of the prompts from there.
  • At the final dialogue box click Finish and it will launch Hijack This.
  • Click on the Do a system scan and save a log file button. It will scan and then save the log and then the log will open in Notepad.
  • Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
  • Paste the log in your next reply.
  • DO NOT have Hijack This fix anything yet. Most of what it finds will be harmless or even required.

Here is a good temp file cleanup tool:

Download ATFCleaner by Atribune and save it to your desktop. DO NOT use it yet. We will use it in Safe Mode, later.
As you probably know, deleting cookies can result in your having to type in your username and password at ALL sites that use logins, like this site does. Deleting cookies willy-nilly is safe enough to do, but you will have to re-establish those cookies by logging in the first time you visit any such site.
ATF Cleaner has a way to save those cookies you would like to keep, but it will require some time. If you DO KNOW or have saved all your passwords and login usernames, you can delete all cookies.

* Restart your computer into Safe Mode now. To get into the Windows 2000 / XP Safe Mode, as the computer is booting press and hold your "F8 Key", which should bring up the "Windows Advanced Options Menu".
Use your arrow keys to move to "Safe Mode" and press your Enter key.

Next, start up ATFCleaner:

  • Double-click ATF-Cleaner.exe to run the program.
    Under Main choose: Select All
    Click the Empty Selected button.
If you use Firefox browser
  • Click Firefox at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser
  • Click Opera at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
Restart the computer.

Post #3 (discussion starter):
Thanks Byteman.
I have run ATF-Cleaner, but HOMM2GOLD-dm.exe still resists deletion. I haven't tried running Ad-Aware SE yet but will do so now.

Meantime - Here's my Hijackthis log (Still version 1.99):

[edited by Byteman: hi, you have Word Wrap checked in the Format options of Notepad, please uncheck it so future HJT logs display like this, OK?]

Logfile of HijackThis v1.99.1
Scan saved at 16:50:41, on 28/01/07
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
C:\Program Files\Dell\AccessDirect\dadapp.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Documents and Settings\bobc\Application Data\My-disgo\MyKey disgo.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
C:\Program Files\Palm\HOTSYNC.EXE
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
N3 - Netscape 7: user_pref("", (C:\Documents and Settings\bobc\Application
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} -
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\winnt\googletoolbar1.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [DadApp] C:\Program Files\Dell\AccessDirect\dadapp.exe
O4 - HKLM\..\Run: [PRPCMonitor] PRPCUI.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [CreateCD50] "C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKCU\..\Run: [Internat.exe] internat.exe
O4 - HKCU\..\Run: [My-disgo] C:\Documents and Settings\bobc\Application Data\My-disgo\MyKey
O4 - Startup: 3DO - Might and Magic VII Registration.lnk = F:\Games\3DO\Might and Magic
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE
O4 - Global Startup: Document Assistant.lnk = C:\HPDESK\hppddir.exe
O4 - Global Startup: Exif Launcher.lnk = C:\Program Files\FinePixViewer\QuickDCF.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft
O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Program Files\Microsoft
O8 - Extra context menu item: &Google Search -
O8 - Extra context menu item: &Save To Palm - c:\Program Files\Palm\HandStoryME.htm
O8 - Extra context menu item: &Translate English Word -
O8 - Extra context menu item: Backward Links -
O8 - Extra context menu item: C&lip To Palm - c:\Program Files\Palm\HandStoryMEC.htm
O8 - Extra context menu item: Cached Snapshot of Page -
O8 - Extra context menu item: Similar Pages -
O8 - Extra context menu item: Translate Page into English -
O9 - Extra button: Save To Palm - {6C8741AB-53B4-476e-BE7C-F519AD8A6494} - c:\Program
O9 - Extra 'Tools' menuitem: &Save To Palm - {6C8741AB-53B4-476e-BE7C-F519AD8A6494} - c:\Program Files\Palm\HandStoryTE.htm
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} -
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) -
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} -
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. -
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. -
O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINNT\System32\DRIVERS\CDANTSRV.EXE
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Kerio Personal Firewall 4 (KPF4) - Kerio Technologies - C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation -
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\HPZipm12.exe
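A HijackThis log is plain text with a fixed line grammar (section code, then a body whose layout depends on the section), so a helper can do the first pass of the triage that Byteman does by eye. The script below is an added example written for this page; it is not part of the thread and has nothing to do with the HijackThis tool itself. It parses O4 autostart entries, O2 BHOs and O23 services, then applies two triage heuristics of my own (the rules are assumptions, not anything the thread states): an autostart given as a bare filename is resolved through the PATH search order and deserves a look, and an autostart living under Temp, Application Data or a user profile is in a user-writable location. The embedded sample is a handful of lines copied from the log above, the mistyped "023" service line included, plus one constructed O4 entry named "Constructed" pointing at C:\Temp\HOMM2GOLD-dm.exe so the Temp heuristic has something to fire on; the posted log contains no such entry. As the thread says, most of what HJT lists is harmless or required, so flags are prompts for a human, not verdicts.

```python
import re
from collections import Counter

# Constructed sample: lines copied from the log posted in this thread, plus ONE
# constructed O4 entry ("Constructed") for C:\Temp\HOMM2GOLD-dm.exe that the
# posted log does NOT contain.  The "023" typo is reproduced deliberately.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Platform: Windows 2000 SP4 (WinNT 5.00.2195)

Running processes:
C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
C:\Documents and Settings\bobc\Application Data\My-disgo\MyKey disgo.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [DadApp] C:\Program Files\Dell\AccessDirect\dadapp.exe
O4 - HKLM\..\Run: [PRPCMonitor] PRPCUI.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [My-disgo] C:\Documents and Settings\bobc\Application Data\My-disgo\MyKey
O4 - HKCU\..\Run: [Constructed] C:\Temp\HOMM2GOLD-dm.exe
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE
O23 - Service: Kerio Personal Firewall 4 (KPF4) - Kerio Technologies - C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
023 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation -
"""

# Line grammar of an HJT 1.99 log: "<code> - <body>", e.g. "O4 - HKLM\..\Run: [Name] cmd"
SECTION_RE = re.compile(r'^(?P<code>[O0]\d{1,2}|[RFN]\d) - (?P<body>.*)$')
RUN_RE     = re.compile(r'^(?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$')
STARTUP_RE = re.compile(r'^(?P<hive>(?:Global )?Startup): (?P<name>.+?) = (?P<cmd>.*)$')
BHO_RE     = re.compile(r'^BHO: (?P<name>.*?) - \{(?P<clsid>[^}]+)\} - (?P<path>.*)$')
SERVICE_RE = re.compile(r'^Service: (?P<display>.+?) \((?P<short>[^)]+)\) - (?P<vendor>.*?) - ?(?P<path>.*)$')

# Heuristic (assumption): autostarts under these folders run from user-writable space.
USER_WRITABLE = ('\\temp\\', '\\application data\\', '\\local settings\\', '\\documents and settings\\')


def exe_of(cmd):
    """Best-effort extraction of the executable from an autostart command line."""
    cmd = cmd.strip()
    m = re.match(r'"([^"]+)"', cmd)                      # quoted path, arguments follow
    if m:
        return m.group(1)
    m = re.match(r'(.*?\.(?:exe|dll|ocx|com|scr|cpl))(?=\s|$)', cmd, re.I)
    if m:                                                 # unquoted path ending in a known extension
        return m.group(1)
    # No recognisable extension: keep an absolute path whole (unquoted paths with
    # spaces, or lines truncated in the posted log); otherwise take the first token.
    if re.match(r'^[A-Za-z]:\\', cmd):
        return cmd
    return cmd.split()[0] if cmd else ''


def parse_hjt(text):
    """Return (running_processes, records); every record has 'section' and 'raw'."""
    processes, records, in_procs = [], [], False
    for line in text.splitlines():
        line = line.rstrip()
        if not line:
            in_procs = False
            continue
        m = SECTION_RE.match(line)
        if not m:
            if line.startswith('Running processes:'):
                in_procs = True
            elif in_procs:
                processes.append(line)
            continue
        in_procs = False
        code = 'O' + m['code'][1:] if m['code'][0] == '0' else m['code']   # "023" typo -> O23
        body = m['body']
        rec = {'section': code, 'raw': line}
        if code == 'O4':
            r = RUN_RE.match(body) or STARTUP_RE.match(body)
            if r:
                rec.update(hive=r['hive'], name=r['name'], exe=exe_of(r['cmd']))
        elif code == 'O2':
            r = BHO_RE.match(body)
            if r:
                rec.update(name=r['name'], clsid=r['clsid'], exe=r['path'].strip())
        elif code == 'O23':
            r = SERVICE_RE.match(body)
            if r:
                rec.update(name=r['display'], short=r['short'], vendor=r['vendor'],
                           exe=r['path'].strip())
        records.append(rec)
    return processes, records


def flag_entries(records):
    """Triage prompts, not verdicts: most HJT entries are harmless or required."""
    flagged = []
    for rec in records:
        if 'exe' not in rec:
            continue
        exe, reasons = rec['exe'], []
        if not exe:
            reasons.append('no path recorded (line truncated or service path missing)')
        elif not re.match(r'^[A-Za-z]:\\', exe):
            reasons.append('bare filename, resolved via the PATH search order')
        elif any(tag in exe.lower() for tag in USER_WRITABLE):
            reasons.append('runs from a user-writable location')
        if reasons:
            flagged.append((rec['section'], rec['name'], exe, reasons))
    return flagged


def section_counts(records):
    return Counter(rec['section'] for rec in records)


if __name__ == '__main__':
    procs, recs = parse_hjt(SAMPLE_LOG)
    print(len(procs), 'running processes;', dict(section_counts(recs)))
    for section, name, exe, reasons in flag_entries(recs):
        print(f'{section} [{name}] {exe!r}: {"; ".join(reasons)}')
```

Run against the sample, the flags land on the two bare-filename Run entries (mobsync.exe, PRPCUI.exe), the My-disgo entry under Application Data, the constructed Temp entry, and the NVSvc service whose path was lost to word wrap. Note the service regex splits on the first " - " after the vendor, so a service path that itself contains " - " would be cut short; none in this log does.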

Post #4 (Byteman):
Hi, the former Ewido trojan remover, now called AVG Anti-Spyware, will remove that file for you; at least I see where it has, so let's have you try it out.

Save the directions to a Notepad text file on your desktop so you have them to refer to while in Safe Mode, as the Internet and these posts are not available in Safe Mode.

The settings are done during the installation, and there are some buttons to press when you go to scan; that is all it is - it looks complicated but really isn't. You do the complete scan while in Safe Mode, as shown below.

You must set the settings as shown and update the program before you scan with it, and set the items exactly as they are in the guide below, OK?

Please read through all this reply before you begin.
Please download AVG Anti-Spyware to your Desktop or to your usual Download Folder.
  • Install AVG Anti-Spyware by double clicking the installer.
  • Follow the prompts. Make sure that Launch AVG Anti-Spyware is checked.
  • On the main screen under Your Computer's security
  • Click on Change state next to Resident shield. It should now change to inactive. (Default should be n/a)
  • Click on Change state next to Automatic updates. It should now change to inactive. (same it should look like n/a)
  • Next to Last Update, click on Update now. (You will need an active internet connection to perform this)
  • Wait until you see the Update successful message.
  • Right-click the AVG Anti-Spyware Tray Icon and uncheck Start with Windows.
  • Right-click the AVG Anti-Spyware Tray Icon and select Exit.
  • Confirm by clicking Yes.
If you are having problems with the updater, you can use this link to manually update AVG Anti-spyware. Only if you cannot update over the Web!
AVG Antispyware Updates

Download the Full database to your Desktop or to your usual Download Folder and install it by double clicking the file. Make sure that AVG Anti-Spyware is closed before installing the update.
Reboot your computer to Safe Mode. Here's how:
  • If the computer is running, shut down Windows, and then turn off the power.
  • Wait 30 seconds, and then turn the computer on.
  • Start tapping the F8 key. The Windows Advanced Options Menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
  • Ensure that the Safe Mode option is selected.
  • Press Enter. The computer then begins to start in Safe Mode.
  • Log in on your usual account.

1. Launch AVG Anti-Spyware, click on the "Scanner" button and choose the "Settings" tab.
  • Under "How to act?", click on "Recommended actions" and choose "Quarantine" to set the default action for detected malware.
  • Under "How to Scan?" check all (default).
  • Under "Possibly unwanted software" check all (default).
  • Under "What to Scan?" make sure "Scan every file" is selected (default).
  • Under "Reports" select "Automatically generate report after every scan" and UNcheck "Only if threats were found".
2. Click the "Scan" tab to return to scanning options.
3. If you were scanning now, you would click "Complete System Scan" to start.
4. When the scan finished you'd be presented with a list of infected objects found. Click "Apply all actions" to place the files in Quarantine.

IMPORTANT! Do not save the report before you have clicked the Apply all actions button. If you do, the log that is created will indicate "No action taken", making it more difficult to interpret the report. So be sure you save it only AFTER clicking the "Apply all actions" button.
5. Click on "Save Report" to view all completed scans.
  • Click on the most recent scan you just performed and select "Save report as" - the default file name will be in date/time format as follows: Report-Scan-20060620-142816.txt.
  • Save to your desktop. A copy of each report will also be saved in C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\Reports\
6. Exit AVG Anti-Spyware when done, reboot normally and submit the log report in your next response.

Post #5 (discussion starter):
Hi Byteman.
That took a while!
HOMM2GOLD-dm.exe now gone. Also another (Dropper.Small) that I didn't know was there. Should I worry about what that one might have done? Thanks.
AVG Anti-Spyware - Scan Report

+ Created at: 02:39:41 29/01/07

+ Scan result:

C:\Temp\HOMM2GOLD-dm.exe -> Adware.Trymedia : Cleaned with backup (quarantined).
C:\Downloads\Trainers\RA2\ -> Dropper.Small : Cleaned with backup (quarantined).

::Report end

Post #6 (Byteman):
Hi, well, usually when something like that is found we have you do some further scanning - it's only logical to check.

Here are two online antivirus-plus scanners... Panda fixes only viruses/some trojans but is very good at showing exactly where spyware and adware lurk in your computer, which is why we use it.

I don't see any need to rush, do these scans when you have some time as they will take a while, similar to

Kaspersky is very good as well.

Go HERE to run Panda's ActiveScan
  • Once you are on the Panda site click the Scan your PC button
  • A new window will open showing the Check Now button
  • Enter your Country
  • Enter your State/Province
  • Enter your e-mail address and click send
  • Select either Home User or Company
  • Click the big Scan Now button
  • If it wants to install an ActiveX component allow it
  • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
  • When download is complete, click on My Computer to start the scan
  • When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location. Post the contents of the ActiveScan report

Or this one: Kaspersky
  • Please go HERE and click Kaspersky Online Scanner
  • Read and Accept the Agreement
  • You will be prompted to install an ActiveX component from Kaspersky, click Yes.
  • If you see a Windows dialog asking if you want to install this software, click the Install button.
  • The program will launch and then begin downloading the latest definition files.
  • When the "Update progress" line changes to "Ready" and the "NEXT ->" button becomes available, please click on it.
  • Click on the Scan Settings button, and in the next window select the Extended database, and click Ok.
  • Under "Please select a target to scan:", click My Computer to start the scan.
  • When the scan is finished, click the "Save as Text" button, and save the file as kavscan.txt to your Desktop, close the Kaspersky On-line Scanner window.
  • Copy and paste the contents of the online scanner results into a reply here in your thread, along with a new HJT log and the log from any other scans you run.

Then, after we see those results and get anything else fixed, you won't be done until we clean out the old infected System Restore Points: in case you ever had to use one, it would only put back this malware you worked to remove. We will do that as the last step.

Good work by the way!

Post #7 (discussion starter):
Thanks Byteman.
I'm still using a dial-up, so I may wait a while before doing any online scanning.

Post #8 (Byteman):
Hi, that's OK. Just post back here if anything comes back.

First thing to do, is post the Hijackthis log with a note about what you are getting such as popups, alerts from antivirus etc.