
Registered · 14 Posts · Discussion Starter · #1
Hi,

I'm new here! I'm having a few problems so I'm really glad I came across your site!!! Ok, to my query:-

I believe there is a lot of spyware/adware on my computer. Even though I have 'popup-zapper' it's still managing to come through! Websites take ages to load, sometimes not at all. It has never been this bad. All this started to happen a week or so ago when I visited Microsoft's update site to install patches etc... they were supposed to help and protect my system, not ruin it (perhaps it isn't this that's causing the problem)
I even run spyware killer which I purchased last year, but this has not been much use. I have downloaded Hijack this in the past and I understand that forums ask us to post them in order to help resolve these problems. I am not hugely computer literate so I would be very grateful for your help! I have no idea what to delete from the hijack this log. Thanks for your time!

Logfile of HijackThis v1.97.7
Scan saved at 02:24:04, on 13/01/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\MDM.EXE
C:\PROGRAM FILES\INVERSE IP INSIGHT\BT\ARMON32A.EXE
C:\WINDOWS\SYSTEM\APIVR.EXE
C:\WINDOWS\NTXU.EXE
C:\WINDOWS\SYSNM.EXE
C:\WINDOWS\CRIG32.EXE
C:\WINDOWS\APPCC32.EXE
C:\WINDOWS\APPOD32.EXE
C:\WINDOWS\MFCQY32.EXE
C:\WINDOWS\SYSTEM\WINYT.EXE
C:\WINDOWS\SYSTEM\MFCFR32.EXE
C:\WINDOWS\SYSTEM\WINTR32.EXE
C:\WINDOWS\NTQI.EXE
C:\WINDOWS\IPGT32.EXE
C:\WINDOWS\IPWY32.EXE
C:\WINDOWS\SYSTEM\D3BB.EXE
C:\WINDOWS\SYSTEM\NTHW32.EXE
C:\WINDOWS\IPBZ.EXE
C:\WINDOWS\CRAS.EXE
C:\WINDOWS\SYSTEM\SDKOW.EXE
C:\WINDOWS\JAVAEU.EXE
C:\WINDOWS\NTXW32.EXE
C:\WINDOWS\ADDWJ.EXE
C:\WINDOWS\SYSTEM\ADDEJ.EXE
C:\WINDOWS\JAVAWW.EXE
C:\WINDOWS\NETFM.EXE
C:\WINDOWS\NETIC32.EXE
C:\WINDOWS\IPPU.EXE
C:\WINDOWS\JAVATG.EXE
C:\WINDOWS\SYSTEM\SYSQB32.EXE
C:\WINDOWS\SYSTEM\MSID.EXE
C:\WINDOWS\SDKYT.EXE
C:\WINDOWS\D3ED32.EXE
C:\WINDOWS\APPKY.EXE
C:\WINDOWS\SYSTEM\MFCIC32.EXE
C:\WINDOWS\IEWX32.EXE
C:\WINDOWS\CRHZ.EXE
C:\WINDOWS\CRPW32.EXE
C:\WINDOWS\MSYY32.EXE
C:\WINDOWS\NETXO.EXE
C:\WINDOWS\IPYT.EXE
C:\WINDOWS\SDKCH.EXE
C:\WINDOWS\JAVABT32.EXE
C:\WINDOWS\NETSP32.EXE
C:\WINDOWS\SYSTEM\WINZU.EXE
C:\WINDOWS\SYSTEM\IEZT.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\MOUSE\SYSTEM\EM_EXEC.EXE
C:\PROGRAM FILES\NETROPA\MULTIMEDIA KEYBOARD\MMKEYBD.EXE
C:\Program Files\Netropa\Onscreen Display\OSD.exe
C:\PROGRAM FILES\WINAMP\WINAMPA.EXE
C:\PROGRAM FILES\TEXTBRIDGE CLASSIC 2.0\BIN\INSTANTACCESS.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\DR_S\DR_S.EXE
C:\PROGRAM FILES\ULEAD SYSTEMS\ULEAD PHOTO EXPRESS 2 SE\CALCHECK.EXE
C:\PROGRAM FILES\NETROPA\MULTIMEDIA KEYBOARD\MMUSBKB2.EXE
C:\WINDOWS\TWAIN_32\1200USB\WATCH.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\BT YAHOO! INTERNET\DIALBTYAHOO.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\SLLIGHTS.EXE
C:\WINDOWS\SYSTEM\MFCIC32.EXE
C:\WINDOWS\IEMZ.EXE
C:\PROGRAM FILES\POPUP ZAPPER\URLBIZPOPUPZAPPER.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SDKCH.EXE
C:\WINDOWS\SDKCH.EXE
C:\WINDOWS\CRCD32.EXE
C:\WINDOWS\DESKTOP\SPYWARE & ZIP PROGRAMS\HIJACKTHIS1977.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system\mxzlq.dll/sp.html#29126
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system\mxzlq.dll/sp.html#29126
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system\mxzlq.dll/sp.html#29126
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system\mxzlq.dll/sp.html#29126
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system\mxzlq.dll/sp.html#29126
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system\mxzlq.dll/sp.html#29126
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system\mxzlq.dll/sp.html#29126
O2 - BHO: (no name) - {41C43085-B29C-E651-7F49-3DE3897C2CDA} - C:\WINDOWS\SYSTEM\MFCGU32.DLL
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [EM_EXEC] c:\mouse\system\em_exec.exe
O4 - HKLM\..\Run: [Multimedia Keyboard] C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [Onscreen Display] C:\Program Files\Netropa\Onscreen Display\OSD.exe
O4 - HKLM\..\Run: [PE2CKFNT SE] C:\Program Files\Ulead Systems\Ulead Photo Express 2 SE\ChkFont.exe
O4 - HKLM\..\Run: [bpcpost.exe] c:\windows\SYSTEM\bpcpost.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [InstantAccess] C:\PROGRA~1\TEXTBR~1.0\BIN\INSTAN~1.EXE /h
O4 - HKLM\..\Run: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\BIN\REGIST~1.EXE
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [BTopenworld] "C:\PROGRAM FILES\BT YAHOO! INTERNET\DialBTYahoo.exe" /ReInstallAutoDial
O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
O4 - HKLM\..\Run: [LifeScape Media Detector] C:\Program Files\Picasa\PicasaMediaDetector.exe
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [Machine Debug Manager] C:\WINDOWS\SYSTEM\MDM.EXE
O4 - HKLM\..\RunServices: [AccessRampLAN 01] "C:\PROGRAM FILES\INVERSE IP INSIGHT\BT\ARUpld32.exe" -l
O4 - HKLM\..\RunServices: [AccessRampMonitor 01] "C:\PROGRAM FILES\INVERSE IP INSIGHT\BT\ARMon32a.exe"
O4 - HKLM\..\RunServices: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\BIN\REGIST~1.EXE
O4 - HKLM\..\RunServices: [APIVR.EXE] C:\WINDOWS\SYSTEM\APIVR.EXE
O4 - HKLM\..\RunServices: [SYSNM.EXE] C:\WINDOWS\SYSNM.EXE
O4 - HKLM\..\RunServices: [WINTR32.EXE] C:\WINDOWS\SYSTEM\WINTR32.EXE
O4 - HKLM\..\RunServices: [APPOD32.EXE] C:\WINDOWS\APPOD32.EXE
O4 - HKLM\..\RunServices: [MFCQY32.EXE] C:\WINDOWS\MFCQY32.EXE
O4 - HKLM\..\RunServices: [MFCFR32.EXE] C:\WINDOWS\SYSTEM\MFCFR32.EXE
O4 - HKLM\..\RunServices: [NTXU.EXE] C:\WINDOWS\NTXU.EXE
O4 - HKLM\..\RunServices: [NTQI.EXE] C:\WINDOWS\NTQI.EXE
O4 - HKLM\..\RunServices: [CRIG32.EXE] C:\WINDOWS\CRIG32.EXE
O4 - HKLM\..\RunServices: [IPGT32.EXE] C:\WINDOWS\IPGT32.EXE
O4 - HKLM\..\RunServices: [APPCC32.EXE] C:\WINDOWS\APPCC32.EXE
O4 - HKLM\..\RunServices: [WINYT.EXE] C:\WINDOWS\SYSTEM\WINYT.EXE
O4 - HKLM\..\RunServices: [IPWY32.EXE] C:\WINDOWS\IPWY32.EXE
O4 - HKLM\..\RunServices: [NTHW32.EXE] C:\WINDOWS\SYSTEM\NTHW32.EXE
O4 - HKLM\..\RunServices: [D3BB.EXE] C:\WINDOWS\SYSTEM\D3BB.EXE
O4 - HKLM\..\RunServices: [IPBZ.EXE] C:\WINDOWS\IPBZ.EXE
O4 - HKLM\..\RunServices: [CRAS.EXE] C:\WINDOWS\CRAS.EXE
O4 - HKLM\..\RunServices: [SDKOW.EXE] C:\WINDOWS\SYSTEM\SDKOW.EXE
O4 - HKLM\..\RunServices: [JAVAEU.EXE] C:\WINDOWS\JAVAEU.EXE
O4 - HKLM\..\RunServices: [NTXW32.EXE] C:\WINDOWS\NTXW32.EXE
O4 - HKLM\..\RunServices: [ADDWJ.EXE] C:\WINDOWS\ADDWJ.EXE
O4 - HKLM\..\RunServices: [ADDEJ.EXE] C:\WINDOWS\SYSTEM\ADDEJ.EXE
O4 - HKLM\..\RunServices: [NETFM.EXE] C:\WINDOWS\NETFM.EXE
O4 - HKLM\..\RunServices: [JAVAWW.EXE] C:\WINDOWS\JAVAWW.EXE
O4 - HKLM\..\RunServices: [NETIC32.EXE] C:\WINDOWS\NETIC32.EXE
O4 - HKLM\..\RunServices: [SYSQB32.EXE] C:\WINDOWS\SYSTEM\SYSQB32.EXE
O4 - HKLM\..\RunServices: [JAVATG.EXE] C:\WINDOWS\JAVATG.EXE
O4 - HKLM\..\RunServices: [IPPU.EXE] C:\WINDOWS\IPPU.EXE
O4 - HKLM\..\RunServices: [MSID.EXE] C:\WINDOWS\SYSTEM\MSID.EXE
O4 - HKLM\..\RunServices: [SDKYT.EXE] C:\WINDOWS\SDKYT.EXE
O4 - HKLM\..\RunServices: [D3ED32.EXE] C:\WINDOWS\D3ED32.EXE
O4 - HKLM\..\RunServices: [APPKY.EXE] C:\WINDOWS\APPKY.EXE
O4 - HKLM\..\RunServices: [MFCIC32.EXE] C:\WINDOWS\SYSTEM\MFCIC32.EXE
O4 - HKLM\..\RunServices: [CRHZ.EXE] C:\WINDOWS\CRHZ.EXE
O4 - HKLM\..\RunServices: [IEWX32.EXE] C:\WINDOWS\IEWX32.EXE
O4 - HKLM\..\RunServices: [CRPW32.EXE] C:\WINDOWS\CRPW32.EXE
O4 - HKLM\..\RunServices: [NETXO.EXE] C:\WINDOWS\NETXO.EXE
O4 - HKLM\..\RunServices: [IPYT.EXE] C:\WINDOWS\IPYT.EXE
O4 - HKLM\..\RunServices: [MSYY32.EXE] C:\WINDOWS\MSYY32.EXE
O4 - HKLM\..\RunServices: [SDKCH.EXE] C:\WINDOWS\SDKCH.EXE
O4 - HKLM\..\RunServices: [JAVABT32.EXE] C:\WINDOWS\JAVABT32.EXE
O4 - HKLM\..\RunServices: [NETSP32.EXE] C:\WINDOWS\NETSP32.EXE
O4 - HKLM\..\RunServices: [WINZU.EXE] C:\WINDOWS\SYSTEM\WINZU.EXE
O4 - HKLM\..\RunServices: [IEZT.EXE] C:\WINDOWS\SYSTEM\IEZT.EXE
O4 - HKLM\..\RunServices: [IEMZ.EXE] C:\WINDOWS\IEMZ.EXE
O4 - HKLM\..\RunServices: [CRCD32.EXE] C:\WINDOWS\CRCD32.EXE
O4 - HKCU\..\Run: [Popup Zapper] C:\PROGRAM FILES\POPUP ZAPPER\URLBIZPOPUPZAPPER.exe
O4 - HKCU\..\Run: [DR_S] C:\Program Files\DR_S\DR_S.exe
O4 - Startup: Photo Express Calendar Checker SE.lnk = C:\Program Files\Ulead Systems\Ulead Photo Express 2 SE\CalCheck.exe
O4 - Startup: Watch.lnk = C:\Windows\TWAIN_32\1200USB\WATCH.exe
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {EC5A4E7B-02EB-451D-B310-D5F2E0A4D8C3} (webhelper Class) - https://register.btinternet.com/templates/btwebcontrol023.cab
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/CDTInc/ie/bridge-c18.cab
O16 - DPF: {042EEA26-2402-4E5A-B5BB-0FB445A5526E} (VacPro.win98_P) - http://www9.advnt01.com/dialer/win98_P.CAB
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?38357.787974537

 

Registered · 14 Posts · Discussion Starter · #4
New log as requested -

Logfile of HijackThis v1.99.0
Scan saved at 02:37:24, on 13/01/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\MDM.EXE
C:\PROGRAM FILES\INVERSE IP INSIGHT\BT\ARMON32A.EXE
C:\WINDOWS\SYSTEM\APIVR.EXE
C:\WINDOWS\NTXU.EXE
C:\WINDOWS\SYSNM.EXE
C:\WINDOWS\CRIG32.EXE
C:\WINDOWS\APPCC32.EXE
C:\WINDOWS\APPOD32.EXE
C:\WINDOWS\MFCQY32.EXE
C:\WINDOWS\SYSTEM\WINYT.EXE
C:\WINDOWS\SYSTEM\MFCFR32.EXE
C:\WINDOWS\SYSTEM\WINTR32.EXE
C:\WINDOWS\NTQI.EXE
C:\WINDOWS\IPGT32.EXE
C:\WINDOWS\IPWY32.EXE
C:\WINDOWS\SYSTEM\D3BB.EXE
C:\WINDOWS\SYSTEM\NTHW32.EXE
C:\WINDOWS\IPBZ.EXE
C:\WINDOWS\CRAS.EXE
C:\WINDOWS\SYSTEM\SDKOW.EXE
C:\WINDOWS\JAVAEU.EXE
C:\WINDOWS\NTXW32.EXE
C:\WINDOWS\ADDWJ.EXE
C:\WINDOWS\SYSTEM\ADDEJ.EXE
C:\WINDOWS\JAVAWW.EXE
C:\WINDOWS\NETFM.EXE
C:\WINDOWS\NETIC32.EXE
C:\WINDOWS\IPPU.EXE
C:\WINDOWS\JAVATG.EXE
C:\WINDOWS\SYSTEM\SYSQB32.EXE
C:\WINDOWS\SYSTEM\MSID.EXE
C:\WINDOWS\SDKYT.EXE
C:\WINDOWS\D3ED32.EXE
C:\WINDOWS\APPKY.EXE
C:\WINDOWS\SYSTEM\MFCIC32.EXE
C:\WINDOWS\IEWX32.EXE
C:\WINDOWS\CRHZ.EXE
C:\WINDOWS\CRPW32.EXE
C:\WINDOWS\MSYY32.EXE
C:\WINDOWS\NETXO.EXE
C:\WINDOWS\IPYT.EXE
C:\WINDOWS\SDKCH.EXE
C:\WINDOWS\JAVABT32.EXE
C:\WINDOWS\NETSP32.EXE
C:\WINDOWS\SYSTEM\WINZU.EXE
C:\WINDOWS\SYSTEM\IEZT.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\MOUSE\SYSTEM\EM_EXEC.EXE
C:\PROGRAM FILES\NETROPA\MULTIMEDIA KEYBOARD\MMKEYBD.EXE
C:\Program Files\Netropa\Onscreen Display\OSD.exe
C:\PROGRAM FILES\WINAMP\WINAMPA.EXE
C:\PROGRAM FILES\TEXTBRIDGE CLASSIC 2.0\BIN\INSTANTACCESS.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\DR_S\DR_S.EXE
C:\PROGRAM FILES\ULEAD SYSTEMS\ULEAD PHOTO EXPRESS 2 SE\CALCHECK.EXE
C:\PROGRAM FILES\NETROPA\MULTIMEDIA KEYBOARD\MMUSBKB2.EXE
C:\WINDOWS\TWAIN_32\1200USB\WATCH.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\BT YAHOO! INTERNET\DIALBTYAHOO.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\SLLIGHTS.EXE
C:\WINDOWS\SYSTEM\MFCIC32.EXE
C:\WINDOWS\IEMZ.EXE
C:\PROGRAM FILES\POPUP ZAPPER\URLBIZPOPUPZAPPER.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SDKCH.EXE
C:\WINDOWS\SDKCH.EXE
C:\WINDOWS\CRCD32.EXE
C:\WINDOWS\CRCD32.EXE
C:\WINDOWS\D3OM32.EXE
C:\WINDOWS\SDKCH.EXE
C:\WINDOWS\SYSUU32.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system\mxzlq.dll/sp.html#29126
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system\mxzlq.dll/sp.html#29126
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system\mxzlq.dll/sp.html#29126
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system\mxzlq.dll/sp.html#29126
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system\mxzlq.dll/sp.html#29126
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system\mxzlq.dll/sp.html#29126
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system\mxzlq.dll/sp.html#29126
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {955B9DB3-7108-B908-AE91-BA9DA144B035} - C:\WINDOWS\SYSTEM\APIIG.DLL
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [EM_EXEC] c:\mouse\system\em_exec.exe
O4 - HKLM\..\Run: [Multimedia Keyboard] C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [Onscreen Display] C:\Program Files\Netropa\Onscreen Display\OSD.exe
O4 - HKLM\..\Run: [PE2CKFNT SE] C:\Program Files\Ulead Systems\Ulead Photo Express 2 SE\ChkFont.exe
O4 - HKLM\..\Run: [bpcpost.exe] c:\windows\SYSTEM\bpcpost.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [InstantAccess] C:\PROGRA~1\TEXTBR~1.0\BIN\INSTAN~1.EXE /h
O4 - HKLM\..\Run: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\BIN\REGIST~1.EXE
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [BTopenworld] "C:\PROGRAM FILES\BT YAHOO! INTERNET\DialBTYahoo.exe" /ReInstallAutoDial
O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
O4 - HKLM\..\Run: [LifeScape Media Detector] C:\Program Files\Picasa\PicasaMediaDetector.exe
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [Machine Debug Manager] C:\WINDOWS\SYSTEM\MDM.EXE
O4 - HKLM\..\RunServices: [AccessRampLAN 01] "C:\PROGRAM FILES\INVERSE IP INSIGHT\BT\ARUpld32.exe" -l
O4 - HKLM\..\RunServices: [AccessRampMonitor 01] "C:\PROGRAM FILES\INVERSE IP INSIGHT\BT\ARMon32a.exe"
O4 - HKLM\..\RunServices: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\BIN\REGIST~1.EXE
O4 - HKLM\..\RunServices: [APIVR.EXE] C:\WINDOWS\SYSTEM\APIVR.EXE
O4 - HKLM\..\RunServices: [SYSNM.EXE] C:\WINDOWS\SYSNM.EXE
O4 - HKLM\..\RunServices: [WINTR32.EXE] C:\WINDOWS\SYSTEM\WINTR32.EXE
O4 - HKLM\..\RunServices: [APPOD32.EXE] C:\WINDOWS\APPOD32.EXE
O4 - HKLM\..\RunServices: [MFCQY32.EXE] C:\WINDOWS\MFCQY32.EXE
O4 - HKLM\..\RunServices: [MFCFR32.EXE] C:\WINDOWS\SYSTEM\MFCFR32.EXE
O4 - HKLM\..\RunServices: [NTXU.EXE] C:\WINDOWS\NTXU.EXE
O4 - HKLM\..\RunServices: [NTQI.EXE] C:\WINDOWS\NTQI.EXE
O4 - HKLM\..\RunServices: [CRIG32.EXE] C:\WINDOWS\CRIG32.EXE
O4 - HKLM\..\RunServices: [IPGT32.EXE] C:\WINDOWS\IPGT32.EXE
O4 - HKLM\..\RunServices: [APPCC32.EXE] C:\WINDOWS\APPCC32.EXE
O4 - HKLM\..\RunServices: [WINYT.EXE] C:\WINDOWS\SYSTEM\WINYT.EXE
O4 - HKLM\..\RunServices: [IPWY32.EXE] C:\WINDOWS\IPWY32.EXE
O4 - HKLM\..\RunServices: [NTHW32.EXE] C:\WINDOWS\SYSTEM\NTHW32.EXE
O4 - HKLM\..\RunServices: [D3BB.EXE] C:\WINDOWS\SYSTEM\D3BB.EXE
O4 - HKLM\..\RunServices: [IPBZ.EXE] C:\WINDOWS\IPBZ.EXE
O4 - HKLM\..\RunServices: [CRAS.EXE] C:\WINDOWS\CRAS.EXE
O4 - HKLM\..\RunServices: [SDKOW.EXE] C:\WINDOWS\SYSTEM\SDKOW.EXE
O4 - HKLM\..\RunServices: [JAVAEU.EXE] C:\WINDOWS\JAVAEU.EXE
O4 - HKLM\..\RunServices: [NTXW32.EXE] C:\WINDOWS\NTXW32.EXE
O4 - HKLM\..\RunServices: [ADDWJ.EXE] C:\WINDOWS\ADDWJ.EXE
O4 - HKLM\..\RunServices: [ADDEJ.EXE] C:\WINDOWS\SYSTEM\ADDEJ.EXE
O4 - HKLM\..\RunServices: [NETFM.EXE] C:\WINDOWS\NETFM.EXE
O4 - HKLM\..\RunServices: [JAVAWW.EXE] C:\WINDOWS\JAVAWW.EXE
O4 - HKLM\..\RunServices: [NETIC32.EXE] C:\WINDOWS\NETIC32.EXE
O4 - HKLM\..\RunServices: [SYSQB32.EXE] C:\WINDOWS\SYSTEM\SYSQB32.EXE
O4 - HKLM\..\RunServices: [JAVATG.EXE] C:\WINDOWS\JAVATG.EXE
O4 - HKLM\..\RunServices: [IPPU.EXE] C:\WINDOWS\IPPU.EXE
O4 - HKLM\..\RunServices: [MSID.EXE] C:\WINDOWS\SYSTEM\MSID.EXE
O4 - HKLM\..\RunServices: [SDKYT.EXE] C:\WINDOWS\SDKYT.EXE
O4 - HKLM\..\RunServices: [D3ED32.EXE] C:\WINDOWS\D3ED32.EXE
O4 - HKLM\..\RunServices: [APPKY.EXE] C:\WINDOWS\APPKY.EXE
O4 - HKLM\..\RunServices: [MFCIC32.EXE] C:\WINDOWS\SYSTEM\MFCIC32.EXE
O4 - HKLM\..\RunServices: [CRHZ.EXE] C:\WINDOWS\CRHZ.EXE
O4 - HKLM\..\RunServices: [IEWX32.EXE] C:\WINDOWS\IEWX32.EXE
O4 - HKLM\..\RunServices: [CRPW32.EXE] C:\WINDOWS\CRPW32.EXE
O4 - HKLM\..\RunServices: [NETXO.EXE] C:\WINDOWS\NETXO.EXE
O4 - HKLM\..\RunServices: [IPYT.EXE] C:\WINDOWS\IPYT.EXE
O4 - HKLM\..\RunServices: [MSYY32.EXE] C:\WINDOWS\MSYY32.EXE
O4 - HKLM\..\RunServices: [SDKCH.EXE] C:\WINDOWS\SDKCH.EXE
O4 - HKLM\..\RunServices: [JAVABT32.EXE] C:\WINDOWS\JAVABT32.EXE
O4 - HKLM\..\RunServices: [NETSP32.EXE] C:\WINDOWS\NETSP32.EXE
O4 - HKLM\..\RunServices: [WINZU.EXE] C:\WINDOWS\SYSTEM\WINZU.EXE
O4 - HKLM\..\RunServices: [IEZT.EXE] C:\WINDOWS\SYSTEM\IEZT.EXE
O4 - HKLM\..\RunServices: [IEMZ.EXE] C:\WINDOWS\IEMZ.EXE
O4 - HKLM\..\RunServices: [CRCD32.EXE] C:\WINDOWS\CRCD32.EXE
O4 - HKLM\..\RunServices: [D3OM32.EXE] C:\WINDOWS\D3OM32.EXE
O4 - HKLM\..\RunServices: [SYSUU32.EXE] C:\WINDOWS\SYSUU32.EXE
O4 - HKCU\..\Run: [Popup Zapper] C:\PROGRAM FILES\POPUP ZAPPER\URLBIZPOPUPZAPPER.exe
O4 - HKCU\..\Run: [DR_S] C:\Program Files\DR_S\DR_S.exe
O4 - Startup: Photo Express Calendar Checker SE.lnk = C:\Program Files\Ulead Systems\Ulead Photo Express 2 SE\CalCheck.exe
O4 - Startup: Watch.lnk = C:\Windows\TWAIN_32\1200USB\WATCH.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O15 - Trusted IP range: 206.161.125.149
O15 - Trusted IP range: 206.161.125.149 (HKLM)
O16 - DPF: {EC5A4E7B-02EB-451D-B310-D5F2E0A4D8C3} (webhelper Class) - https://register.btinternet.com/templates/btwebcontrol023.cab
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/CDTInc/ie/bridge-c18.cab
O16 - DPF: {042EEA26-2402-4E5A-B5BB-0FB445A5526E} (VacPro.win98_P) - http://www9.advnt01.com/dialer/win98_P.CAB
O18 - Protocol: icoo - {4A8DADD4-5A25-4D41-8599-CB7458766220} - C:\WINDOWS\MSOPT.DLL (file missing)
 

Registered · 46,465 Posts

First copy the contents of the quotebox to notepad. Go to File > Save As and name it Fix.reg (save as type: 'all files')

REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\HSA]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SE]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SW]
___________________________________________________________________________

Click here to download CWSinstall.exe. Click on the CWSinstall.exe file and it will install CWShredder. Do Not run it yet. Download it to the desktop and have it ready to run later.
____________________________________________________________________

Click here to download AboutBuster created by Rubber Ducky.

Unzip AboutBuster to the Desktop then click the "Update Button" then click "Check for Update" and download the updates and then click "Exit" because I don't want you to run it yet. Just get the updates so it is ready to run later in safe mode.
_____________________________________________________________________

Next click Here and download the new version of Killbox and save it to your desktop.
______________________________________________________________________

Now go ahead and set your computer to show hidden files like so:

Click on My Computer then go to View > Folder Options. Click on the "View" tab and make sure "Show all files" is ticked and uncheck "Hide file extensions for known file types". Click "Like Current Folder" then click "Apply" then "OK"

______________________________________________________________________

Sign off the internet and remain offline until this procedure is complete. Unplug your modem or disconnect the cable or phone line. Copy these instructions to notepad and save them on your desktop for easy access. You must follow these directions exactly and you cannot skip any part of it.
______________________________________________________________________

Double-click on Killbox.exe to run it. Now put a tick by Delete on Reboot. In the "Full Path of File to Delete" box, copy and paste each of the following lines one at a time then click on the button that has the red circle with the X in the middle after you enter each file. It will ask for confirmation to delete the file on next reboot. Click Yes. It will then ask if you want to reboot now. Click No. Continue with that same procedure until you have copied and pasted all of these in the "Paste Full Path of File to Delete" box.

C:\WINDOWS\SYSTEM\APIVR.EXE

C:\WINDOWS\SYSNM.EXE

C:\WINDOWS\SYSTEM\WINTR32.EXE

C:\WINDOWS\APPOD32.EXE

C:\WINDOWS\MFCQY32.EXE

C:\WINDOWS\SYSTEM\MFCFR32.EXE

C:\WINDOWS\NTXU.EXE

C:\WINDOWS\NTQI.EXE

C:\WINDOWS\CRIG32.EXE

C:\WINDOWS\IPGT32.EXE

C:\WINDOWS\APPCC32.EXE

C:\WINDOWS\SYSTEM\WINYT.EXE

C:\WINDOWS\IPWY32.EXE

C:\WINDOWS\SYSTEM\NTHW32.EXE

C:\WINDOWS\SYSTEM\D3BB.EXE

C:\WINDOWS\IPBZ.EXE

C:\WINDOWS\CRAS.EXE

C:\WINDOWS\SYSTEM\SDKOW.EXE

C:\WINDOWS\JAVAEU.EXE

C:\WINDOWS\NTXW32.EXE

C:\WINDOWS\ADDWJ.EXE

C:\WINDOWS\SYSTEM\ADDEJ.EXE

C:\WINDOWS\NETFM.EXE

C:\WINDOWS\JAVAWW.EXE

C:\WINDOWS\NETIC32.EXE

C:\WINDOWS\SYSTEM\SYSQB32.EXE

C:\WINDOWS\JAVATG.EXE

C:\WINDOWS\IPPU.EXE

C:\WINDOWS\SYSTEM\MSID.EXE

C:\WINDOWS\SDKYT.EXE

C:\WINDOWS\D3ED32.EXE

C:\WINDOWS\APPKY.EXE

C:\WINDOWS\SYSTEM\MFCIC32.EXE

C:\WINDOWS\CRHZ.EXE

C:\WINDOWS\IEWX32.EXE

C:\WINDOWS\CRPW32.EXE

C:\WINDOWS\NETXO.EXE

C:\WINDOWS\IPYT.EXE

C:\WINDOWS\MSYY32.EXE

C:\WINDOWS\SDKCH.EXE

C:\WINDOWS\JAVABT32.EXE

C:\WINDOWS\NETSP32.EXE

C:\WINDOWS\SYSTEM\WINZU.EXE

C:\WINDOWS\SYSTEM\IEZT.EXE

C:\WINDOWS\IEMZ.EXE

C:\WINDOWS\CRCD32.EXE

C:\WINDOWS\D3OM32.EXE

C:\WINDOWS\SYSUU32.EXE

C:\WINDOWS\MSOPT.DLL


Exit the Killbox and restart to safe mode.

How to start your computer in safe mode

Perform the following steps in safe mode:

____________________________________________________________________

Double click on the fix.reg file you saved at the beginning to enter into the registry. Answer yes when asked to have its contents added to the registry.
____________________________________________________________________

Go to Start > Run and type Hijackthis. Press enter to start HijackThis. DO NOT OPEN ANYTHING ELSE!

Put a check by these entries in Hijack This and click the "Fix Checked" button:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system\mxzlq.dll/sp.html#29126

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system\mxzlq.dll/sp.html#29126

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system\mxzlq.dll/sp.html#29126

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system\mxzlq.dll/sp.html#29126

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system\mxzlq.dll/sp.html#29126

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system\mxzlq.dll/sp.html#29126

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system\mxzlq.dll/sp.html#29126

R3 - Default URLSearchHook is missing

O2 - BHO: Class - {955B9DB3-7108-B908-AE91-BA9DA144B035} - C:\WINDOWS\SYSTEM\APIIG.DLL

O4 - HKLM\..\RunServices: [APIVR.EXE] C:\WINDOWS\SYSTEM\APIVR.EXE
O4 - HKLM\..\RunServices: [SYSNM.EXE] C:\WINDOWS\SYSNM.EXE
O4 - HKLM\..\RunServices: [WINTR32.EXE] C:\WINDOWS\SYSTEM\WINTR32.EXE
O4 - HKLM\..\RunServices: [APPOD32.EXE] C:\WINDOWS\APPOD32.EXE
O4 - HKLM\..\RunServices: [MFCQY32.EXE] C:\WINDOWS\MFCQY32.EXE
O4 - HKLM\..\RunServices: [MFCFR32.EXE] C:\WINDOWS\SYSTEM\MFCFR32.EXE
O4 - HKLM\..\RunServices: [NTXU.EXE] C:\WINDOWS\NTXU.EXE
O4 - HKLM\..\RunServices: [NTQI.EXE] C:\WINDOWS\NTQI.EXE
O4 - HKLM\..\RunServices: [CRIG32.EXE] C:\WINDOWS\CRIG32.EXE
O4 - HKLM\..\RunServices: [IPGT32.EXE] C:\WINDOWS\IPGT32.EXE
O4 - HKLM\..\RunServices: [APPCC32.EXE] C:\WINDOWS\APPCC32.EXE
O4 - HKLM\..\RunServices: [WINYT.EXE] C:\WINDOWS\SYSTEM\WINYT.EXE
O4 - HKLM\..\RunServices: [IPWY32.EXE] C:\WINDOWS\IPWY32.EXE
O4 - HKLM\..\RunServices: [NTHW32.EXE] C:\WINDOWS\SYSTEM\NTHW32.EXE
O4 - HKLM\..\RunServices: [D3BB.EXE] C:\WINDOWS\SYSTEM\D3BB.EXE
O4 - HKLM\..\RunServices: [IPBZ.EXE] C:\WINDOWS\IPBZ.EXE
O4 - HKLM\..\RunServices: [CRAS.EXE] C:\WINDOWS\CRAS.EXE
O4 - HKLM\..\RunServices: [SDKOW.EXE] C:\WINDOWS\SYSTEM\SDKOW.EXE
O4 - HKLM\..\RunServices: [JAVAEU.EXE] C:\WINDOWS\JAVAEU.EXE
O4 - HKLM\..\RunServices: [NTXW32.EXE] C:\WINDOWS\NTXW32.EXE
O4 - HKLM\..\RunServices: [ADDWJ.EXE] C:\WINDOWS\ADDWJ.EXE
O4 - HKLM\..\RunServices: [ADDEJ.EXE] C:\WINDOWS\SYSTEM\ADDEJ.EXE
O4 - HKLM\..\RunServices: [NETFM.EXE] C:\WINDOWS\NETFM.EXE
O4 - HKLM\..\RunServices: [JAVAWW.EXE] C:\WINDOWS\JAVAWW.EXE
O4 - HKLM\..\RunServices: [NETIC32.EXE] C:\WINDOWS\NETIC32.EXE
O4 - HKLM\..\RunServices: [SYSQB32.EXE] C:\WINDOWS\SYSTEM\SYSQB32.EXE
O4 - HKLM\..\RunServices: [JAVATG.EXE] C:\WINDOWS\JAVATG.EXE
O4 - HKLM\..\RunServices: [IPPU.EXE] C:\WINDOWS\IPPU.EXE
O4 - HKLM\..\RunServices: [MSID.EXE] C:\WINDOWS\SYSTEM\MSID.EXE
O4 - HKLM\..\RunServices: [SDKYT.EXE] C:\WINDOWS\SDKYT.EXE
O4 - HKLM\..\RunServices: [D3ED32.EXE] C:\WINDOWS\D3ED32.EXE
O4 - HKLM\..\RunServices: [APPKY.EXE] C:\WINDOWS\APPKY.EXE
O4 - HKLM\..\RunServices: [MFCIC32.EXE] C:\WINDOWS\SYSTEM\MFCIC32.EXE
O4 - HKLM\..\RunServices: [CRHZ.EXE] C:\WINDOWS\CRHZ.EXE
O4 - HKLM\..\RunServices: [IEWX32.EXE] C:\WINDOWS\IEWX32.EXE
O4 - HKLM\..\RunServices: [CRPW32.EXE] C:\WINDOWS\CRPW32.EXE
O4 - HKLM\..\RunServices: [NETXO.EXE] C:\WINDOWS\NETXO.EXE
O4 - HKLM\..\RunServices: [IPYT.EXE] C:\WINDOWS\IPYT.EXE
O4 - HKLM\..\RunServices: [MSYY32.EXE] C:\WINDOWS\MSYY32.EXE
O4 - HKLM\..\RunServices: [SDKCH.EXE] C:\WINDOWS\SDKCH.EXE
O4 - HKLM\..\RunServices: [JAVABT32.EXE] C:\WINDOWS\JAVABT32.EXE
O4 - HKLM\..\RunServices: [NETSP32.EXE] C:\WINDOWS\NETSP32.EXE
O4 - HKLM\..\RunServices: [WINZU.EXE] C:\WINDOWS\SYSTEM\WINZU.EXE
O4 - HKLM\..\RunServices: [IEZT.EXE] C:\WINDOWS\SYSTEM\IEZT.EXE
O4 - HKLM\..\RunServices: [IEMZ.EXE] C:\WINDOWS\IEMZ.EXE
O4 - HKLM\..\RunServices: [CRCD32.EXE] C:\WINDOWS\CRCD32.EXE
O4 - HKLM\..\RunServices: [D3OM32.EXE] C:\WINDOWS\D3OM32.EXE
O4 - HKLM\..\RunServices: [SYSUU32.EXE] C:\WINDOWS\SYSUU32.EXE

O4 - HKCU\..\Run: [DR_S] C:\Program Files\DR_S\DR_S.exe

O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/C.../bridge-c18.cab

O16 - DPF: {042EEA26-2402-4E5A-B5BB-0FB445A5526E} (VacPro.win98_P) - http://www9.advnt01.com/dialer/win98_P.CAB

O18 - Protocol: icoo - {4A8DADD4-5A25-4D41-8599-CB7458766220} - C:\WINDOWS\MSOPT.DLL (file missing)

Find and delete this folder:

C:\Program Files\DR_S

Navigate to the C:\Windows\Temp folder. Open the Temp folder and go to Edit > Select All then Edit > Delete to delete the entire contents of the Temp folder.

Finally go to Control Panel > Internet Options. On the General tab under "Temporary Internet Files" Click "Delete Files". Put a check by "Delete Offline Content" and click OK. Click on the Programs tab then click the "Reset Web Settings" button. Click Apply then OK.

________________________________________________________________________

Next run aboutbuster. Double click aboutbuster.exe, click OK, click Start, then click OK. This will scan your computer for the bad files and delete them.
_______________________________________________________________________

Finally, run CWShredder. Just click on the cwshredder.exe then click "Fix" (Not "Scan only") and let it do its thing.
_______________________________________________________________________

Boot back into Windows now.

Go here and do an online virus scan.

Be sure and put a check in the box by "Auto Clean" before you do the scan. If it finds anything that it cannot clean have it delete it or make a note of the file location so you can delete it yourself. Housecall will detect the leftover files from this hijacker.

This hijacker is known to alter or delete certain files so check this out please:

Download the Hoster from here. UnZip the file and press "Restore Original Hosts" and press "OK". Exit Program.

If you have Spybot S&D installed you will also need to replace one file.
Go here and download SDHelper.dll. Copy the file to the folder containing your Spybot S&D program (normally C:\Program Files\Spybot - Search & Destroy)

control.exe may have been deleted.
See if control.exe is present in C:\windows\system

If control.exe isn't there, Click here to download control_98.zip.

Unzip the file and copy the new control.exe file to the C:\Windows\System folder.

IMPORTANT!: Please check your ActiveX security settings. They may have been changed by this CWS variant to allow ALL ActiveX!! If they have been changed, reset your active x security settings in IE as recommended here.
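Added example, not part of the thread and not the helper's own method: a Python triage script that pulls review candidates out of a HijackThis log using the pattern visible in the logs above (a RunServices value named after its own executable in C:\WINDOWS or C:\WINDOWS\SYSTEM, and IE search settings pointing at a res:// URL inside a local DLL), then compares two logs to show what was added between them. The function names and the heuristic are assumptions made for this example; the sample lines are a constructed subset of the two logs posted here.

```python
import ntpath
import re

# Constructed sample: a few lines copied from the 02:24 and 02:37 logs in this
# thread, not the complete logs.
LOG_0224 = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system\mxzlq.dll/sp.html#29126
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
O4 - HKLM\..\Run: [bpcpost.exe] c:\windows\SYSTEM\bpcpost.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [Machine Debug Manager] C:\WINDOWS\SYSTEM\MDM.EXE
O4 - HKLM\..\RunServices: [APIVR.EXE] C:\WINDOWS\SYSTEM\APIVR.EXE
O4 - HKLM\..\RunServices: [SYSNM.EXE] C:\WINDOWS\SYSNM.EXE
O4 - HKLM\..\RunServices: [CRCD32.EXE] C:\WINDOWS\CRCD32.EXE
"""
LOG_0237 = LOG_0224 + r"""O4 - HKLM\..\RunServices: [D3OM32.EXE] C:\WINDOWS\D3OM32.EXE
O4 - HKLM\..\RunServices: [SYSUU32.EXE] C:\WINDOWS\SYSUU32.EXE
"""

# "O4 - HKLM\..\RunServices: [value name] command line"
O4_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\(\w+): \[(.+?)\] (.+)$")
# "R0/R1 - <key>,<value> = res://<local dll>/<resource>"
RES_RE = re.compile(r"^R[01] - .+? = res://(.+?\.dll)/", re.I)

WINDOWS_DIRS = {r"c:\windows", r"c:\windows\system"}


def command_path(cmd):
    """Strip quotes and arguments from an autostart command line."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    m = re.match(r"(.+?\.exe)\b", cmd, re.I)
    return m.group(1) if m else cmd


def o4_entries(log_text):
    """Yield (hive, key, value_name, executable_path) for registry O4 lines."""
    for line in log_text.splitlines():
        m = O4_RE.match(line.strip())
        if m:
            hive, key, name, cmd = m.groups()
            yield hive, key, name, command_path(cmd)


def self_named_services(log_text):
    """RunServices values whose name is their own file name, with the file
    sitting directly in the Windows or System directory.

    This is a triage heuristic, not a verdict. It is limited to RunServices
    because that is where every such entry in this thread lives; bpcpost.exe
    in the sample is self-named too, but sits under Run and is not on the
    helper's fix list.
    """
    hits = set()
    for _hive, key, name, path in o4_entries(log_text):
        if (key.lower() == "runservices"
                and name.lower() == ntpath.basename(path).lower()
                and ntpath.dirname(path).lower() in WINDOWS_DIRS):
            hits.add(path.upper())
    return sorted(hits)


def res_hijack_dlls(log_text):
    """Local DLLs that IE start/search settings point at through res:// URLs."""
    hits = set()
    for line in log_text.splitlines():
        m = RES_RE.match(line.strip())
        if m:
            hits.add(m.group(1).upper())
    return sorted(hits)


def new_since(before, after):
    """Self-named RunServices files present in `after` but not in `before`."""
    return sorted(set(self_named_services(after)) - set(self_named_services(before)))


if __name__ == "__main__":
    print("RunServices candidates:", self_named_services(LOG_0237))
    print("res:// DLLs:", res_hijack_dlls(LOG_0237))
    print("Added between the two logs:", new_since(LOG_0224, LOG_0237))
```
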
 

Registered · 14 Posts · Discussion Starter · #12

They seem to have helped a lot so far! I am now in the process of the online scan you suggested. For some reason, when I choose the country to do the scan, the next page will not display? Is this something to do with active X? I'm a little lost as to how I start the scan? Any help appreciated!

I have completed everything you have asked apart from the online scan???
Here is the log, I would appreciate it if you could confirm that everything is ok??

Logfile of HijackThis v1.99.0
Scan saved at 05:50:00, on 13/01/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\MDM.EXE
C:\PROGRAM FILES\INVERSE IP INSIGHT\BT\ARUPLD32.EXE
C:\PROGRAM FILES\INVERSE IP INSIGHT\BT\ARMON32A.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\MOUSE\SYSTEM\EM_EXEC.EXE
C:\PROGRAM FILES\NETROPA\MULTIMEDIA KEYBOARD\MMKEYBD.EXE
C:\Program Files\Netropa\Onscreen Display\OSD.exe
C:\PROGRAM FILES\WINAMP\WINAMPA.EXE
C:\PROGRAM FILES\TEXTBRIDGE CLASSIC 2.0\BIN\INSTANTACCESS.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\NETROPA\MULTIMEDIA KEYBOARD\MMUSBKB2.EXE
C:\PROGRAM FILES\PICASA\PICASAMEDIADETECTOR.EXE
C:\PROGRAM FILES\POPUP ZAPPER\URLBIZPOPUPZAPPER.EXE
C:\PROGRAM FILES\ULEAD SYSTEMS\ULEAD PHOTO EXPRESS 2 SE\CALCHECK.EXE
C:\WINDOWS\TWAIN_32\1200USB\WATCH.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\BT YAHOO! INTERNET\DIALBTYAHOO.EXE
C:\WINDOWS\SLLIGHTS.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\DESKTOP\SPYWARE & ZIP PROGRAMS\HIJACKTHIS.EXE

O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [EM_EXEC] c:\mouse\system\em_exec.exe
O4 - HKLM\..\Run: [Multimedia Keyboard] C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [Onscreen Display] C:\Program Files\Netropa\Onscreen Display\OSD.exe
O4 - HKLM\..\Run: [PE2CKFNT SE] C:\Program Files\Ulead Systems\Ulead Photo Express 2 SE\ChkFont.exe
O4 - HKLM\..\Run: [bpcpost.exe] c:\windows\SYSTEM\bpcpost.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [InstantAccess] C:\PROGRA~1\TEXTBR~1.0\BIN\INSTAN~1.EXE /h
O4 - HKLM\..\Run: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\BIN\REGIST~1.EXE
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [BTopenworld] "C:\PROGRAM FILES\BT YAHOO! INTERNET\DialBTYahoo.exe" /ReInstallAutoDial
O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
O4 - HKLM\..\Run: [LifeScape Media Detector] C:\Program Files\Picasa\PicasaMediaDetector.exe
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [Machine Debug Manager] C:\WINDOWS\SYSTEM\MDM.EXE
O4 - HKLM\..\RunServices: [AccessRampLAN 01] "C:\PROGRAM FILES\INVERSE IP INSIGHT\BT\ARUpld32.exe" -l
O4 - HKLM\..\RunServices: [AccessRampMonitor 01] "C:\PROGRAM FILES\INVERSE IP INSIGHT\BT\ARMon32a.exe"
O4 - HKLM\..\RunServices: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\BIN\REGIST~1.EXE
O4 - HKCU\..\Run: [Popup Zapper] C:\PROGRAM FILES\POPUP ZAPPER\URLBIZPOPUPZAPPER.exe
O4 - Startup: Photo Express Calendar Checker SE.lnk = C:\Program Files\Ulead Systems\Ulead Photo Express 2 SE\CalCheck.exe
O4 - Startup: Watch.lnk = C:\Windows\TWAIN_32\1200USB\WATCH.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O15 - Trusted IP range: 206.161.125.149
O15 - Trusted IP range: 206.161.125.149 (HKLM)
O16 - DPF: {EC5A4E7B-02EB-451D-B310-D5F2E0A4D8C3} (webhelper Class) - https://register.btinternet.com/templates/btwebcontrol023.cab

I will certainly be making a donation (as soon as I get paid next week!).. you have been very helpful!
Just a few questions: is it safe to delete all items that are stored in the 'Temp' (not the temporary internet folder) in the future? (as I have done during this clean up). Also, can you recommend to me any software I should buy or download to maintain the system's performance? Thanks again for your help!

Sing2loud
 

· Registered
Joined
·
14 Posts
Discussion Starter · #14 ·
Here's the log as requested:-

Logfile of HijackThis v1.99.0
Scan saved at 19:25:12, on 13/01/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\MDM.EXE
C:\PROGRAM FILES\INVERSE IP INSIGHT\BT\ARUPLD32.EXE
C:\PROGRAM FILES\INVERSE IP INSIGHT\BT\ARMON32A.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\MOUSE\SYSTEM\EM_EXEC.EXE
C:\PROGRAM FILES\NETROPA\MULTIMEDIA KEYBOARD\MMKEYBD.EXE
C:\Program Files\Netropa\Onscreen Display\OSD.exe
C:\PROGRAM FILES\WINAMP\WINAMPA.EXE
C:\PROGRAM FILES\TEXTBRIDGE CLASSIC 2.0\BIN\INSTANTACCESS.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\PICASA\PICASAMEDIADETECTOR.EXE
C:\PROGRAM FILES\NETROPA\MULTIMEDIA KEYBOARD\MMUSBKB2.EXE
C:\PROGRAM FILES\POPUP ZAPPER\URLBIZPOPUPZAPPER.EXE
C:\PROGRAM FILES\ULEAD SYSTEMS\ULEAD PHOTO EXPRESS 2 SE\CALCHECK.EXE
C:\WINDOWS\TWAIN_32\1200USB\WATCH.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\DESKTOP\SPYWARE & ZIP PROGRAMS\HIJACKTHIS.EXE

O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [EM_EXEC] c:\mouse\system\em_exec.exe
O4 - HKLM\..\Run: [Multimedia Keyboard] C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [Onscreen Display] C:\Program Files\Netropa\Onscreen Display\OSD.exe
O4 - HKLM\..\Run: [PE2CKFNT SE] C:\Program Files\Ulead Systems\Ulead Photo Express 2 SE\ChkFont.exe
O4 - HKLM\..\Run: [bpcpost.exe] c:\windows\SYSTEM\bpcpost.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [InstantAccess] C:\PROGRA~1\TEXTBR~1.0\BIN\INSTAN~1.EXE /h
O4 - HKLM\..\Run: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\BIN\REGIST~1.EXE
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [BTopenworld] "C:\PROGRAM FILES\BT YAHOO! INTERNET\DialBTYahoo.exe" /ReInstallAutoDial
O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
O4 - HKLM\..\Run: [LifeScape Media Detector] C:\Program Files\Picasa\PicasaMediaDetector.exe
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [Machine Debug Manager] C:\WINDOWS\SYSTEM\MDM.EXE
O4 - HKLM\..\RunServices: [AccessRampLAN 01] "C:\PROGRAM FILES\INVERSE IP INSIGHT\BT\ARUpld32.exe" -l
O4 - HKLM\..\RunServices: [AccessRampMonitor 01] "C:\PROGRAM FILES\INVERSE IP INSIGHT\BT\ARMon32a.exe"
O4 - HKLM\..\RunServices: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\BIN\REGIST~1.EXE
O4 - HKCU\..\Run: [Popup Zapper] C:\PROGRAM FILES\POPUP ZAPPER\URLBIZPOPUPZAPPER.exe
O4 - Startup: Photo Express Calendar Checker SE.lnk = C:\Program Files\Ulead Systems\Ulead Photo Express 2 SE\CalCheck.exe
O4 - Startup: Watch.lnk = C:\Windows\TWAIN_32\1200USB\WATCH.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O16 - DPF: {EC5A4E7B-02EB-451D-B310-D5F2E0A4D8C3} (webhelper Class) - https://register.btinternet.com/templates/btwebcontrol023.cab
 

· Registered
Joined
·
46,465 Posts
Fix this one:

O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"

Boot to safe mode and delete the C:\Program Files\Internet Optimizer folder.
 

· Registered
Joined
·
14 Posts
Discussion Starter · #16 ·
Just completed the above. Deleted file using HijackThis, restarted in safe mode.. although the 'Internet Optimizer' folder was not there...

New Log:-

Logfile of HijackThis v1.99.0
Scan saved at 00:40:10, on 14/01/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\MDM.EXE
C:\PROGRAM FILES\INVERSE IP INSIGHT\BT\ARMON32A.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\MOUSE\SYSTEM\EM_EXEC.EXE
C:\PROGRAM FILES\NETROPA\MULTIMEDIA KEYBOARD\MMKEYBD.EXE
C:\Program Files\Netropa\Onscreen Display\OSD.exe
C:\PROGRAM FILES\WINAMP\WINAMPA.EXE
C:\PROGRAM FILES\TEXTBRIDGE CLASSIC 2.0\BIN\INSTANTACCESS.EXE
C:\PROGRAM FILES\NETROPA\MULTIMEDIA KEYBOARD\MMUSBKB2.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\PICASA\PICASAMEDIADETECTOR.EXE
C:\PROGRAM FILES\POPUP ZAPPER\URLBIZPOPUPZAPPER.EXE
C:\PROGRAM FILES\ULEAD SYSTEMS\ULEAD PHOTO EXPRESS 2 SE\CALCHECK.EXE
C:\WINDOWS\TWAIN_32\1200USB\WATCH.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\PROGRAM FILES\BT YAHOO! INTERNET\DIALBTYAHOO.EXE
C:\WINDOWS\SLLIGHTS.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\DESKTOP\SPYWARE & ZIP PROGRAMS\HIJACKTHIS.EXE

O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [EM_EXEC] c:\mouse\system\em_exec.exe
O4 - HKLM\..\Run: [Multimedia Keyboard] C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [Onscreen Display] C:\Program Files\Netropa\Onscreen Display\OSD.exe
O4 - HKLM\..\Run: [PE2CKFNT SE] C:\Program Files\Ulead Systems\Ulead Photo Express 2 SE\ChkFont.exe
O4 - HKLM\..\Run: [bpcpost.exe] c:\windows\SYSTEM\bpcpost.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [InstantAccess] C:\PROGRA~1\TEXTBR~1.0\BIN\INSTAN~1.EXE /h
O4 - HKLM\..\Run: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\BIN\REGIST~1.EXE
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [BTopenworld] "C:\PROGRAM FILES\BT YAHOO! INTERNET\DialBTYahoo.exe" /ReInstallAutoDial
O4 - HKLM\..\Run: [LifeScape Media Detector] C:\Program Files\Picasa\PicasaMediaDetector.exe
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [Machine Debug Manager] C:\WINDOWS\SYSTEM\MDM.EXE
O4 - HKLM\..\RunServices: [AccessRampLAN 01] "C:\PROGRAM FILES\INVERSE IP INSIGHT\BT\ARUpld32.exe" -l
O4 - HKLM\..\RunServices: [AccessRampMonitor 01] "C:\PROGRAM FILES\INVERSE IP INSIGHT\BT\ARMon32a.exe"
O4 - HKLM\..\RunServices: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\BIN\REGIST~1.EXE
O4 - HKCU\..\Run: [Popup Zapper] C:\PROGRAM FILES\POPUP ZAPPER\URLBIZPOPUPZAPPER.exe
O4 - Startup: Photo Express Calendar Checker SE.lnk = C:\Program Files\Ulead Systems\Ulead Photo Express 2 SE\CalCheck.exe
O4 - Startup: Watch.lnk = C:\Windows\TWAIN_32\1200USB\WATCH.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O16 - DPF: {EC5A4E7B-02EB-451D-B310-D5F2E0A4D8C3} (webhelper Class) - https://register.btinternet.com/templates/btwebcontrol023.cab

I also have a few questions that I hope you can help me with?

1. Now that I have followed your instructions and turned off most ActiveX features, whenever I visit sites (even sites I have added to 'Trusted Zone') the writing is very basic and I can't use emoticons and some other features. What can I do to restore these features but also maintain a certain level of security?

2. Whenever I open a window and then decide to go to a different webpage by clicking on a desktop icon (or by choosing the website name from my favorites list), instead of opening a new window (and being able to keep the existing window open) this original window is used to display the new web page. This is annoying as I need to view many webpages at once. Any ideas what to do?

Thanks again for your time!

Sing2loud
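The before/after comparison of HijackThis logs that this thread does by eye can be scripted. The following is an added example, not part of the original posts; the two sample logs are constructed excerpts of the 05:50 and 00:40 scans above, and the function names are hypothetical.

```python
import re

# A HijackThis entry line starts with a section code (R, F, N or O plus a
# number), then " - ", then the entry itself, e.g. "O4 - HKLM\..\Run: [...]".
ENTRY_RE = re.compile(r"^(?P<code>[RFNO]\d{1,2}) - (?P<body>.+)$")

# Constructed excerpts of the 05:50 and 00:40 scans posted in this thread.
SCAN_0550 = r"""Logfile of HijackThis v1.99.0
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
O15 - Trusted IP range: 206.161.125.149
O15 - Trusted IP range: 206.161.125.149 (HKLM)
O16 - DPF: {EC5A4E7B-02EB-451D-B310-D5F2E0A4D8C3} (webhelper Class) - https://register.btinternet.com/templates/btwebcontrol023.cab
"""
SCAN_0040 = r"""Logfile of HijackThis v1.99.0
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O16 - DPF: {EC5A4E7B-02EB-451D-B310-D5F2E0A4D8C3} (webhelper Class) - https://register.btinternet.com/templates/btwebcontrol023.cab
"""

def parse_entries(log_text):
    """Map a normalized (code, body) key to the original entry line.

    Header lines and the running-process list do not match ENTRY_RE and are
    skipped. Keys are case-folded and whitespace-collapsed so that case or
    spacing changes between scans are not reported as differences.
    """
    entries = {}
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            body = " ".join(m.group("body").split()).casefold()
            entries[(m.group("code"), body)] = raw.strip()
    return entries

def diff_logs(before, after):
    """Return the entries that disappeared or appeared between two scans."""
    old, new = parse_entries(before), parse_entries(after)
    return {
        "removed": [old[k] for k in sorted(old.keys() - new.keys())],
        "added": [new[k] for k in sorted(new.keys() - old.keys())],
    }

if __name__ == "__main__":
    for kind, lines in diff_logs(SCAN_0550, SCAN_0040).items():
        for line in lines:
            print(f"{kind}: {line}")
```

An empty "added" list after a cleanup step is the useful signal: anything that reappears between scans has a reinstaller still running.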
 

· Registered
Joined
·
46,465 Posts
Click Start > Settings > Control Panel, then double-click Add/Remove Programs
On the Install/Uninstall tab, double-click "Microsoft Internet Explorer 6 SP1 and Internet Tools", click the Repair Internet Explorer option, and then click OK
 

· Registered
Joined
·
519 Posts
Try this..
In Internet Explorer, go to Tools > Internet Options, then the Advanced tab
Drill down until you see...
Reuse windows for launching shortcuts
Uncheck it if it's checked
 