Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

GENERALLY SCREWED UP


  • Please log in to reply

#16
DR04

DR04

    Member

  • Topic Starter
  • Member
  • PipPip
  • 57 posts
Efwis,

Deleted the files using Pocket KillBox. Here is the new HiJackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 7:14:34 PM, on 4/2/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\NMSSVC.EXE
C:\WINDOWS\BCMDMMSG.EXE
C:\WINDOWS\SYSTEM\MDM.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\RTVSCN95.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\DEFWATCH.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\STARTER.EXE
C:\PROGRAM FILES\ADAPTEC\DIRECTCD\DIRECTCD.EXE
C:\PROGRAM FILES\BROTHER\BRMFL03A\BRSTDVPT.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\VPTRAY.EXE
C:\WINDOWS\ISRVS\DESKTOP.EXE
C:\WINDOWS\SYSTEM\LEHVEAYJ.EXE
C:\WINDOWS\SYSTEM\NSVSVC\NSVSVC.EXE
C:\WINDOWS\SYSTEM\PICSVR\PICSVR.EXE
C:\WINDOWS\MIAMPR.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\PROGRAM FILES\ADAPTEC\EASY CD CREATOR 4\CREATECD\CREATECD.EXE
C:\WINDOWS\SYSTEM\SYSAGENT.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\DOWNLOAD\HIJACKTHIS.EXE
C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\PACKAGER.EXE
C:\WINDOWS\TEMP\DRPE1B1.TMP\THNALL2C.EXE

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R3 - Default URLSearchHook is missing
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 ieautosearch
O3 - Toolbar: (no name) - {BDF6CE3D-F5C5-4462-9814-3C8EAC330CA8} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [EnsoniqMixer] C:\WINDOWS\starter.exe
O4 - HKLM\..\Run: [Adaptec DirectCD] C:\PROGRA~1\ADAPTEC\DIRECTCD\DIRECTCD.EXE
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\Scansoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\Brmfl03a\BrStDvPt.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [MMTray] C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe C:\PROGRA~1\WILDTA~1\APPS\CDA\CDAENG~1.DLL,cdaEngineMain
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\NORTON~1\vptray.exe
O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe
O4 - HKLM\..\Run: [ffis] C:\WINDOWS\isrvs\ffisearch.exe
O4 - HKLM\..\Run: [lehveayj] c:\windows\system\lehveayj.exe
O4 - HKLM\..\Run: [nsvcin] C:\N20050308.EXE
O4 - HKLM\..\Run: [Nsv] C:\WINDOWS\SYSTEM\nsvsvc\nsvsvc.exe
O4 - HKLM\..\Run: [picsvr] C:\WINDOWS\SYSTEM\PICSVR\PICSVR.EXE
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\miampr.exe
O4 - HKLM\..\Run: [autoupdate] rundll32 C:\WINDOWS\SYSTEM\WINUP2DATE.DLL,SHStart
O4 - HKLM\..\Run: [CreateCD] C:\PROGRA~1\ADAPTEC\EASYCD~1\CREATECD\CREATECD.EXE -r
O4 - HKLM\..\RunServices: [NMSSvc] C:\WINDOWS\SYSTEM\NMSSVC.EXE
O4 - HKLM\..\RunServices: [Machine Debug Manager] C:\WINDOWS\SYSTEM\MDM.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [rtvscn95] C:\PROGRA~1\NORTON~1\rtvscn95.exe
O4 - HKLM\..\RunServices: [defwatch] C:\PROGRA~1\NORTON~1\defwatch.exe
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKCU\..\Run: [Dirlcvu] C:\WINDOWS\SYSTEM\fakkb.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: Brother SmartUI PopUp.lnk = C:\WINDOWS\SYSTEM\SYSAGENT.EXE
O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O4 - Startup: prup.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM\AIM.EXE
O9 - Extra button: (no name) - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\PROGRAM FILES\EBATES_MOEMONEYMAKER\Sy350\Tp350\scri350a.htm (file missing) (HKCU)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.app.../ITDetector.cab
O16 - DPF: {70522FA0-4656-11D5-B0E9-0050DAC24E8F} - http://cc.iwon.com/c..._12_1,0,2,5.cab
O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125F98} (CR64Loader Object) - http://www.miniclip....pGameLoader.dll
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.popcap.co...aploader_v6.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - C:\WINDOWS\isrvs\mfiltis.dll



Here's the FindIt log:

Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

------- System Files in System Directory -------


Volume in drive C is WIN98SE
Volume Serial Number is 2029-12F4
Directory of C:\WINDOWS\SYSTEM

VW4EN16 DLL 227,104 03-16-05 7:06a VW4EN16.DLL
OSETHK32 DLL 227,104 03-16-05 7:06a OSETHK32.DLL
IDM32 DLL 227,104 03-16-05 7:06a IDM32.DLL
OUECNV32 DLL 227,104 03-16-05 7:06a OUECNV32.DLL
MUMP3WAV DLL 227,104 03-16-05 7:06a mump3wav.dll
UHP10 DLL 227,104 03-16-05 7:06a uhp10.dll
VBHELPER DLL 227,104 03-16-05 7:06a VBHELPER.DLL
WOICORE DLL 227,104 03-16-05 7:06a WOICORE.DLL
CPTDLL DLL 227,104 03-16-05 7:06a CPTDLL.DLL
PSBDLG DLL 227,104 03-16-05 7:06a PSBDLG.DLL
FISRCH DLL 227,104 03-16-05 7:06a FISRCH.DLL
ID50_QC DLL 227,104 03-16-05 7:06a Id50_qc.dll
MXCPXL32 DLL 227,104 03-16-05 7:06a MXCPXL32.DLL
MZACM DLL 227,104 03-16-05 7:06a MZACM.DLL
MQC42ENU DLL 227,104 03-16-05 7:06a MQC42ENU.DLL
RVAUI DLL 227,104 03-16-05 7:06a RVAUI.DLL
MWAFD DLL 227,104 03-16-05 7:06a MWAFD.DLL
MZCRLREV DLL 227,104 03-16-05 7:06a mzcrlrev.dll
VGR DLL 227,104 03-16-05 7:06a VGR.DLL
NIS DLL 227,104 03-16-05 7:06a NIS.DLL
SKSCRAP DLL 227,104 03-16-05 7:06a SKSCRAP.DLL
SCLSTR DLL 227,104 03-16-05 7:06a SCLSTR.DLL
TED32 DLL 227,104 03-16-05 7:06a TED32.DLL
SREM0409 DLL 227,104 03-16-05 7:06a SREM0409.DLL
NOS DLL 227,104 03-16-05 7:06a NOS.DLL
MHSTDFMT DLL 227,104 03-16-05 7:06a MHSTDFMT.DLL
SHSTHUNK DLL 227,104 03-16-05 7:06a SHSTHUNK.DLL
MFYUV DLL 227,104 03-16-05 7:06a mfyuv.dll
BGMFUSB DLL 227,104 03-16-05 7:06a BgmfUSB.dll
MDAFD DLL 227,104 03-16-05 7:06a MDAFD.DLL
JOMP500 DLL 227,104 03-16-05 7:06a JOMP500.DLL
BANDFILE DLL 227,104 03-16-05 7:06a BANDFILE.DLL
AASTREAM DLL 227,104 03-16-05 7:06a AASTREAM.DLL
DXIMAN32 DLL 227,104 03-16-05 7:06a DXIMAN32.DLL
JFVALE DLL 227,104 03-16-05 7:06a JFVALE.DLL
IDDKCS32 DLL 227,104 03-16-05 7:06a IDDKCS32.DLL
POUSTAB DLL 227,104 03-16-05 7:06a POUSTAB.DLL
SXLWOA DLL 227,104 03-16-05 7:06a SXLWOA.DLL
CQRESRC DLL 227,104 03-16-05 7:06a CQRESRC.DLL
MRBRKR12 DLL 227,104 03-16-05 7:06a MRBRKR12.DLL
OJE2NLS DLL 227,104 03-16-05 7:06a OJE2NLS.DLL
VXODCTL DLL 227,104 03-16-05 7:06a VXODCTL.DLL
DXNDI DLL 227,104 03-16-05 7:06a DXNDI.DLL
IK509CLS DLL 227,104 03-16-05 7:06a IK509CLS.DLL
BXWEBINS DLL 227,104 03-16-05 7:06a BxWebIns.dll
AVDENC32 DLL 227,104 03-16-05 7:06a AVDENC32.DLL
ONECNV32 DLL 227,104 03-16-05 7:06a ONECNV32.DLL
TZBINF32 DLL 227,104 03-16-05 7:06a TZBINF32.DLL
WFLSOF32 DLL 227,104 03-16-05 7:06a Wflsof32.dll
MZAFD DLL 227,104 03-16-05 7:06a MZAFD.DLL
DYDXOF DLL 227,104 03-16-05 7:06a DYDXOF.DLL
ACFERROR DLL 227,104 03-16-05 7:06a acferror.dll
IDCTL DLL 227,104 03-16-05 7:06a idctl.dll
MCPCIC DLL 227,104 03-16-05 7:06a MCPCIC.DLL
MLAFD DLL 227,104 03-16-05 7:06a MLAFD.DLL
MPCMS DLL 227,104 03-16-05 7:06a MPCMS.DLL
RYR20 DLL 227,104 03-16-05 7:06a RYR20.DLL
NMDLL DLL 227,104 03-16-05 7:06a NMDLL.DLL
PBS DLL 227,104 03-16-05 7:06a pbs.dll
SCORAGE DLL 227,104 03-16-05 7:06a SCORAGE.DLL
RUAUI DLL 227,104 03-15-05 3:33p RUAUI.DLL
LEME_ENC DLL 227,104 03-15-05 3:33p lEme_enc.dll
MMGSYS DLL 227,104 03-15-05 3:33p MMGSYS.DLL
MMMIXMGR DLL 227,104 03-15-05 3:33p MMMIXMGR.DLL
MKIMRT16 DLL 227,104 03-08-05 5:32p MKIMRT16.DLL
MFOSS DLL 227,104 03-08-05 5:32p MFOSS.DLL
QSSNAME DLL 227,104 03-08-05 5:32p QSSNAME.DLL
PIGFILT DLL 227,104 03-08-05 5:32p pigfilt.dll
REAUI DLL 227,104 03-08-05 5:32p REAUI.DLL
MZVCIRT DLL 227,104 03-08-05 5:32p mzvcirt.dll
NERSNL DLL 227,104 03-08-05 5:32p NERSNL.DLL
IPSENG DLL 227,104 03-08-05 2:31p IPSENG.DLL
AXRIP DLL 227,104 03-08-05 2:31p axrip.dll
IJDKCS32 DLL 222,568 02-01-05 2:54p IJDKCS32.DLL
VKRSION DLL 222,568 02-01-05 2:54p VKRSION.DLL
DLMCLIEN DLL 222,568 02-01-05 2:54p dlmclien.dll
JET DLL 222,568 02-01-05 2:54p JET.DLL
VYW4 EXE 254,038 12-06-04 5:34p Vyw4.exe
SND2C EXE 254,038 12-06-04 5:34p Snd2C.exe
79 file(s) 17,976,940 bytes
0 dir(s) 9,513.92 MB free

------- Hidden Files in System Directory -------


Volume in drive C is WIN98SE
Volume Serial Number is 2029-12F4
Directory of C:\WINDOWS\SYSTEM

NSVSVC <DIR> 03-26-05 9:17p nsvsvc
FOLDER HTT 13,122 03-26-05 11:58a folder.htt
DESKTOP INI 266 03-26-05 11:58a desktop.ini
PROSETP GID 24,200 03-26-05 9:15a PROSETP.GID
PICSVR <DIR> 03-25-05 8:51p picsvr
VMSS <DIR> 03-06-05 6:30p vmss
VYW4 EXE 254,038 12-06-04 5:34p Vyw4.exe
SND2C EXE 254,038 12-06-04 5:34p Snd2C.exe
VX0 NLS 8,192 11-01-04 7:47p VX0.NLS
6 file(s) 553,856 bytes
3 dir(s) 9,513.91 MB free

---------------- User Agent ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{305938A1-9132-56EB-379D-BFFE055C0FC5}"=""


------------------ Locate.com Results ------------------

C:\WINDOWS\SYSTEM\
vw4en16.dll Wed Mar 16 2005 7:06:30a ..S.R 227,104 221.78 K
osethk32.dll Wed Mar 16 2005 7:06:30a ..S.R 227,104 221.78 K
folder.htt Sat Mar 26 2005 11:58:40a ...H. 13,122 12.81 K
idm32.dll Wed Mar 16 2005 7:06:30a ..S.R 227,104 221.78 K
desktop.ini Sat Mar 26 2005 11:58:40a ...H. 266 0.26 K
ouecnv32.dll Wed Mar 16 2005 7:06:30a ..S.R 227,104 221.78 K
mump3wav.dll Wed Mar 16 2005 7:06:30a ..S.R 227,104 221.78 K
uhp10.dll Wed Mar 16 2005 7:06:30a ..S.R 227,104 221.78 K
prosetp.gid Sat Mar 26 2005 9:15:36a A..H. 24,200 23.63 K
vbhelper.dll Wed Mar 16 2005 7:06:30a ..S.R 227,104 221.78 K
woicore.dll Wed Mar 16 2005 7:06:30a ..S.R 227,104 221.78 K
ijdkcs32.dll Tue Feb 1 2005 2:54:52p ..S.R 222,568 217.35 K
vkrsion.dll Tue Feb 1 2005 2:54:52p ..S.R 222,568 217.35 K
dlmclien.dll Tue Feb 1 2005 2:54:52p ..S.R 222,568 217.35 K
cptdll.dll Wed Mar 16 2005 7:06:30a ..S.R 227,104 221.78 K
psbdlg.dll Wed Mar 16 2005 7:06:30a ..S.R 227,104 221.78 K
fisrch.dll Wed Mar 16 2005 7:06:30a ..S.R 227,104 221.78 K
jet.dll Tue Feb 1 2005 2:54:52p ..S.R 222,568 217.35 K
id50_qc.dll Wed Mar 16 2005 7:06:30a ..S.R 227,104 221.78 K
ipseng.dll Tue Mar 8 2005 2:31:12p ..S.R 227,104 221.78 K
mkimrt16.dll Tue Mar 8 2005 5:32:36p ..S.R 227,104 221.78 K
mfoss.dll Tue Mar 8 2005 5:32:36p ..S.R 227,104 221.78 K
qssname.dll Tue Mar 8 2005 5:32:36p ..S.R 227,104 221.78 K
pigfilt.dll Tue Mar 8 2005 5:32:36p ..S.R 227,104 221.78 K
reaui.dll Tue Mar 8 2005 5:32:36p ..S.R 227,104 221.78 K
axrip.dll Tue Mar 8 2005 2:31:12p ..S.R 227,104 221.78 K
ruaui.dll Tue Mar 15 2005 3:33:46p ..S.R 227,104 221.78 K
mzvcirt.dll Tue Mar 8 2005 5:32:36p ..S.R 227,104 221.78 K
leme_enc.dll Tue Mar 15 2005 3:33:46p ..S.R 227,104 221.78 K
mmgsys.dll Tue Mar 15 2005 3:33:46p ..S.R 227,104 221.78 K
mmmixmgr.dll Tue Mar 15 2005 3:33:46p ..S.R 227,104 221.78 K
mxcpxl32.dll Wed Mar 16 2005 7:06:30a ..S.R 227,104 221.78 K
mzacm.dll Wed Mar 16 2005 7:06:30a ..S.R 227,104 221.78 K
nersnl.dll Tue Mar 8 2005 5:32:36p ..S.R 227,104 221.78 K
mqc42enu.dll Wed Mar 16 2005 7:06:30a ..S.R 227,104 221.78 K
rvaui.dll Wed Mar 16 2005 7:06:30a ..S.R 227,104 221.78 K
mwafd.dll Wed Mar 16 2005 7:06:30a ..S.R 227,104 221.78 K
mzcrlrev.dll Wed Mar 16 2005 7:06:30a ..S.R 227,104 221.78 K
vgr.dll Wed Mar 16 2005 7:06:30a ..S.R 227,104 221.78 K
nis.dll Wed Mar 16 2005 7:06:30a ..S.R 227,104 221.78 K
skscrap.dll Wed Mar 16 2005 7:06:30a ..S.R 227,104 221.78 K
sclstr.dll Wed Mar 16 2005 7:06:30a ..S.R 227,104 221.78 K
ted32.dll Wed Mar 16 2005 7:06:30a ..S.R 227,104 221.78 K
srem0409.dll Wed Mar 16 2005 7:06:30a ..S.R 227,104 221.78 K
nos.dll Wed Mar 16 2005 7:06:30a ..S.R 227,104 221.78 K
mhstdfmt.dll Wed Mar 16 2005 7:06:30a ..S.R 227,104 221.78 K
shsthunk.dll Wed Mar 16 2005 7:06:30a ..S.R 227,104 221.78 K
mfyuv.dll Wed Mar 16 2005 7:06:30a ..S.R 227,104 221.78 K
bgmfusb.dll Wed Mar 16 2005 7:06:30a ..S.R 227,104 221.78 K
mdafd.dll Wed Mar 16 2005 7:06:30a ..S.R 227,104 221.78 K
jomp500.dll Wed Mar 16 2005 7:06:30a ..S.R 227,104 221.78 K
bandfile.dll Wed Mar 16 2005 7:06:30a ..S.R 227,104 221.78 K
aastream.dll Wed Mar 16 2005 7:06:30a ..S.R 227,104 221.78 K
dximan32.dll Wed Mar 16 2005 7:06:30a ..S.R 227,104 221.78 K
jfvale.dll Wed Mar 16 2005 7:06:30a ..S.R 227,104 221.78 K
iddkcs32.dll Wed Mar 16 2005 7:06:30a ..S.R 227,104 221.78 K
poustab.dll Wed Mar 16 2005 7:06:30a ..S.R 227,104 221.78 K
sxlwoa.dll Wed Mar 16 2005 7:06:30a ..S.R 227,104 221.78 K
cqresrc.dll Wed Mar 16 2005 7:06:30a ..S.R 227,104 221.78 K
mrbrkr12.dll Wed Mar 16 2005 7:06:30a ..S.R 227,104 221.78 K
oje2nls.dll Wed Mar 16 2005 7:06:30a ..S.R 227,104 221.78 K
vxodctl.dll Wed Mar 16 2005 7:06:30a ..S.R 227,104 221.78 K
dxndi.dll Wed Mar 16 2005 7:06:30a ..S.R 227,104 221.78 K
ik509cls.dll Wed Mar 16 2005 7:06:30a ..S.R 227,104 221.78 K
bxwebins.dll Wed Mar 16 2005 7:06:30a ..S.R 227,104 221.78 K
avdenc32.dll Wed Mar 16 2005 7:06:30a ..S.R 227,104 221.78 K
onecnv32.dll Wed Mar 16 2005 7:06:30a ..S.R 227,104 221.78 K
tzbinf32.dll Wed Mar 16 2005 7:06:30a ..S.R 227,104 221.78 K
wflsof32.dll Wed Mar 16 2005 7:06:30a ..S.R 227,104 221.78 K
mzafd.dll Wed Mar 16 2005 7:06:30a ..S.R 227,104 221.78 K
dydxof.dll Wed Mar 16 2005 7:06:30a ..S.R 227,104 221.78 K
acferror.dll Wed Mar 16 2005 7:06:30a ..S.R 227,104 221.78 K
idctl.dll Wed Mar 16 2005 7:06:30a ..S.R 227,104 221.78 K
mcpcic.dll Wed Mar 16 2005 7:06:30a ..S.R 227,104 221.78 K
mlafd.dll Wed Mar 16 2005 7:06:30a ..S.R 227,104 221.78 K
mpcms.dll Wed Mar 16 2005 7:06:30a ..S.R 227,104 221.78 K
ryr20.dll Wed Mar 16 2005 7:06:30a ..S.R 227,104 221.78 K
nmdll.dll Wed Mar 16 2005 7:06:30a ..S.R 227,104 221.78 K
pbs.dll Wed Mar 16 2005 7:06:30a ..S.R 227,104 221.78 K
scorage.dll Wed Mar 16 2005 7:06:30a ..S.R 227,104 221.78 K

80 items found: 80 files, 0 directories.
Total of file sizes: 17,506,452 bytes 16.70 M

------------ Strings.exe Qoologic Results ------------

C:\WINDOWS\VPTNFILE.518: TROJ_QOOLOGIC.G
C:\WINDOWS\VPTNFILE.518: TROJ_QOOLOGIC.C
C:\WINDOWS\VPTNFILE.518: TROJ_QOOLOGIC.B
C:\WINDOWS\VPTNFILE.518: TROJ_QOOLOGIC.A
C:\WINDOWS\lpt$vpn.518: TROJ_QOOLOGIC.G
C:\WINDOWS\lpt$vpn.518: TROJ_QOOLOGIC.C
C:\WINDOWS\lpt$vpn.518: TROJ_QOOLOGIC.B
C:\WINDOWS\lpt$vpn.518: TROJ_QOOLOGIC.A
C:\WINDOWS\unadbeh.exe: e:\Projects\Qoologic\PopupClient\FancyUninstall\Release\FancyUninstall.pdb
C:\WINDOWS\hmrho.dll: excl_urls=photobucket.com,c1.zedo.com,media.deskwizz.com,stats.eblocs.com,passportimages.com,banners.searchingbooth.com,ads234.com,click2.containsitall.com,media.fastclick.net,sandboxer.com,a.websponsors.com,ads.clickagents.com,trk.bestmagsdirect.com,toprebates.com,ad.doubleclick.net,as.casalemedia.com,m3.doubleclick.net,dw.dailywinner.net,img2.mailpostdirect.com,bv.channel.aol.com,adlog2.lzio.com,host239.ipowerweb.com,popups.ad-logics.com,clickserve.cc-dt.com,hits.clickandtrack.net,ads.mydailyhoroscope.net,c5.zedo.com,affiliates.4lowrates.com,couponage.com,ekmas.com,creativeby.viewpoint.com,mydailyhoroscope.net,images.trafficmp.com,actualdeals.com,download.websearch.com,aim-charts.pf.aol.com,aol.com,target.com,yahoo.com,microsoft.com,anrdoezrs.net,isg05.casalemedia.com,jbigpops.cjt1.net,whenusearch.com,trk.pcsecurityshield.com,license.hotbar.com,web.icq.com,sc.musicmatch.com,comcast.net,filter.belkin.com,clickit.go2net.com,adverts.lzio.com,windowsupdate.microsoft.com,v4.windowsupdate.microsoft.com,odysseusmarketing.com,join1.winhundred.com,advert.runescape.com,top-banners.com,sr.websearch.com,messenger.msn.com,download.abetterinternet.com,adserv.internetfuel.com,pops.browseraid.com,banners.pennyweb.com,tv.180solutions.com,s.clkoptimizer.com,adserv1.gruvmedia.com,cdn.icq.com,messenger.zango.com,smileycentral.com,wwp.icq.com,web.tickle.com,isapi60.weatherbug.com,websearch.com,hop.clickbank.net,media76.fastclick.net,mmm.media-motor.net,rightmedia.net,bannerserver.gator.com,www4.yesadvertising.com,ww2.weatherbug.com,servedby.advertising.com,adsrv.qoologic.com,games.yahoo.com,weatherbug.com,jicmedia.cjt1.net,ad.trafficmp.com,updates.qoologic.com,ads1.revenue.net,ar.atwola.com,ads.addynamix.com,wisapidata.weatherbug.com,popuppers.com,as.adwave.com,look2me.com,jbns2.cydoor.com,bannerfarm.ace.advertising.com,delfinproject.com,view.atdmt.com,mm.delfinproject.com,download.smileycentral.com,xadso.offeroptimizer.com,webpdp.gator.com,ayb.lop.com,stopzilla.com,pgq.yahoo.com,jmnad1.com,topicks.com,e.rn11.com,focusin.ads.targetnet.com,insider.msg.yahoo.com,m2.doubleclick.net,mail.yahoo.com,jcontent.bns1.net,ctl.twain-tech.com,master.mx-targeting.com,hotmail.com,searcheffect.com,ads.delfinproject.com,cfg.mywebsearch.com,akapp.whenu.com,newupdates.lzio.com,allaboutsearching.com,amch.questionmarket.com,adfarm.mediaplex.com,hotmail.msn.com,by.optimost.com,cdn-cf.aol.com,paypopup.com,popuptraffic.com,xadsq.offeroptimizer.com,jnictech.cjt1.net,xanga.com,count.exitexchange.com,servedby.adscpm.com,search200.com,cdn-aimtoday.aol.com,kill-pop-ups.com,us.update.companion.yahoo.com,qksrv.net,clickspring.net,xlime.offeroptimizer.com,sr.adwave.com,zone.msn.com,radio.launch.yahoo.com,ads.bidclix.com,counters.honesty.com,oz.valueclick.com,i.emarketresearchgroup.com,ads2.revenue.net,popup.msn.com,adsv2.delfinproject.com,u.clkoptimizer.com,ezula.com,server.iad.liveperson.net,loadingwebsite.com,pan-advert.com,t.trafficmp.com,clicktrk.com,aaabesthomepage.com,ads.exitexchange.com,us.a1.yimg.com,trafficmp.com,yimg.com,a.as-us.falkag.net,a1.yimg.com,z1.adserver.com,falkag.net,as-us.falkag.net,loginnet.passport.com,ads.inet1.com,pagead2.googlesyndication.com,login.passport.net,v8.alwaysupdatednews.com,adv.eblocs.com,alwaysupdatednews.com,fxfeeds.mozilla.org,cdn.aim.com,ar.atwola.com,c4.maxserving.com,maxserving.com,mediaplex.com,altfarm.mediaplex.com,topmoxie.com,global.msads.net,msads.net,banner.goldenpalace.com,goldenpalace.com,us.i1.yimg.com,cdn.comcast.net,us.yimg.com,us.js1.yimg.com,js1.yimg.com,switch.atdmt.com,atdmt.com,update32.searchmiracle.com,onemoresearch.net,
C:\WINDOWS\SYSTEM\pav.sig: Qoologic
C:\WINDOWS\SYSTEM\pav.sig: Qoologic

-------------- Strings.exe Aspack Results -------------

C:\WINDOWS\vsapi32.dll: ASPACK EXE
C:\WINDOWS\vsapi32.dll: ASPACK2 EXE
C:\WINDOWS\vsapi32.dll: ASPack 1.08.04
C:\WINDOWS\vsapi32.dll: ASPack 1.08.03
C:\WINDOWS\vsapi32.dll: ASPack 1.08.02b
C:\WINDOWS\vsapi32.dll: ASPack 1.08.01
C:\WINDOWS\vsapi32.dll: ASPack 1.08
C:\WINDOWS\vsapi32.dll: ASPack 1.07b
C:\WINDOWS\vsapi32.dll: ASPack 1.61
C:\WINDOWS\vsapi32.dll: ASPack 1.05b
C:\WINDOWS\vsapi32.dll: ASPack 1.03
C:\WINDOWS\vsapi32.dll: ASPack 1.02
C:\WINDOWS\vsapi32.dll: ASPack 1.01
C:\WINDOWS\vsapi32.dll: ASPack 1.00
C:\WINDOWS\SYSTEM\pav.sig: AsPack

----------------- HKLM Run Key ------------------

-------------- Strings.exe Umonitor Results -------------
C:\WINDOWS\SYSTEM\RWSAPI16.DLL: UMonitor
C:\WINDOWS\SYSTEM\CNHTMGR.DLL: UMonitor
C:\WINDOWS\SYSTEM\WCNNET16.DLL: UMonitor
C:\WINDOWS\SYSTEM\MRCO30.DLL: UMonitor
C:\WINDOWS\SYSTEM\ILMUI.DLL: UMonitor
C:\WINDOWS\SYSTEM\NSMODE.DLL: UMonitor
C:\WINDOWS\SYSTEM\KDRNEL32.DLL: UMonitor
C:\WINDOWS\SYSTEM\SOELL.DLL: UMonitor
C:\WINDOWS\SYSTEM\OOBCINT.DLL: UMonitor
C:\WINDOWS\SYSTEM\PKUSTAB.DLL: UMonitor
C:\WINDOWS\SYSTEM\FHNTEXT.DLL: UMonitor
C:\WINDOWS\SYSTEM\OZECNV32.DLL: UMonitor
C:\WINDOWS\SYSTEM\demigr.dll: UMonitor
C:\WINDOWS\SYSTEM\VFAR2232.DLL: UMonitor
C:\WINDOWS\SYSTEM\WBLP32T.DLL: UMonitor
C:\WINDOWS\SYSTEM\IJDKCS32.DLL: UMonitor
C:\WINDOWS\SYSTEM\IDSENG.DLL: UMonitor
C:\WINDOWS\SYSTEM\sgnsapi.dll: UMonitor
C:\WINDOWS\SYSTEM\BHNDFILE.DLL: UMonitor
C:\WINDOWS\SYSTEM\IU509CLS.DLL: UMonitor
C:\WINDOWS\SYSTEM\RWVPSP.DLL: UMonitor
C:\WINDOWS\SYSTEM\TCPI.DLL: UMonitor
C:\WINDOWS\SYSTEM\VKRSION.DLL: UMonitor
C:\WINDOWS\SYSTEM\FFPWPP.DLL: UMonitor
C:\WINDOWS\SYSTEM\xhlparse.dll: UMonitor
C:\WINDOWS\SYSTEM\NSQTWK.DLL: UMonitor
C:\WINDOWS\SYSTEM\MJSTDFMT.DLL: UMonitor
C:\WINDOWS\SYSTEM\mfjint35.dll: UMonitor
C:\WINDOWS\SYSTEM\CSMMDLG.DLL: UMonitor
C:\WINDOWS\SYSTEM\PUTORERC.DLL: UMonitor
C:\WINDOWS\SYSTEM\smbapi.dll: UMonitor
C:\WINDOWS\SYSTEM\essmtp.dll: UMonitor
C:\WINDOWS\SYSTEM\izwdial.dll: UMonitor
C:\WINDOWS\SYSTEM\MFLTUS40.DLL: UMonitor
C:\WINDOWS\SYSTEM\GUU32.DLL: UMonitor
C:\WINDOWS\SYSTEM\NBRSES.DLL: UMonitor
C:\WINDOWS\SYSTEM\MVPP32.DLL: UMonitor
C:\WINDOWS\SYSTEM\dovoiced.dll: UMonitor
C:\WINDOWS\SYSTEM\MQCPXL32.DLL: UMonitor
C:\WINDOWS\SYSTEM\dlmclien.dll: UMonitor
C:\WINDOWS\SYSTEM\TKPELIB.DLL: UMonitor
C:\WINDOWS\SYSTEM\RDCLTS3.DLL: UMonitor
C:\WINDOWS\SYSTEM\JET.DLL: UMonitor
C:\WINDOWS\SYSTEM\MEC40.DLL: UMonitor
C:\WINDOWS\SYSTEM\MWC40.DLL: UMonitor
C:\WINDOWS\SYSTEM\jpsd400.dll: UMonitor
C:\WINDOWS\SYSTEM\JXDW500.DLL: UMonitor
C:\WINDOWS\SYSTEM\WX5INF16.DLL: UMonitor
C:\WINDOWS\SYSTEM\NMRSIT.DLL: UMonitor
C:\WINDOWS\SYSTEM\dkwaved.dll: UMonitor
C:\WINDOWS\SYSTEM\RLCLTSCM.DLL: UMonitor
C:\WINDOWS\SYSTEM\tRembed.dll: UMonitor
C:\WINDOWS\SYSTEM\COHTMGRX.DLL: UMonitor
C:\WINDOWS\SYSTEM\COAXFR.DLL: UMonitor
C:\WINDOWS\SYSTEM\DVVENUM.DLL: UMonitor
C:\WINDOWS\SYSTEM\MALTUS40.DLL: UMonitor
C:\WINDOWS\SYSTEM\BZOWSEUI.DLL: UMonitor
C:\WINDOWS\SYSTEM\ANMCMPRS.DLL: UMonitor
C:\WINDOWS\SYSTEM\CLIMGX.DLL: UMonitor
C:\WINDOWS\SYSTEM\ulp10.dll: UMonitor

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
"TaskMonitor"="C:\\WINDOWS\\taskmon.exe"
"EnsoniqMixer"="C:\\WINDOWS\\starter.exe"
"Adaptec DirectCD"="C:\\PROGRA~1\\ADAPTEC\\DIRECTCD\\DIRECTCD.EXE"
"IndexSearch"="C:\\Program Files\\Scansoft\\PaperPort\\IndexSearch.exe"
"SetDefPrt"="C:\\Program Files\\Brother\\Brmfl03a\\BrStDvPt.exe"
"SystemTray"="SysTray.Exe"
"LoadPowerProfile"="Rundll32.exe powrprof.dll,LoadCurrentPwrScheme"
"MMTray"="C:\\Program Files\\Musicmatch\\Musicmatch Jukebox\\mm_tray.exe"
"WildTangent CDA"="RUNDLL32.exe C:\\PROGRA~1\\WILDTA~1\\APPS\\CDA\\CDAENG~1.DLL,cdaEngineMain"
"vptray"="C:\\PROGRA~1\\NORTON~1\\vptray.exe"
"Desktop Search"="C:\\WINDOWS\\isrvs\\desktop.exe"
"ffis"="C:\\WINDOWS\\isrvs\\ffisearch.exe"
"lehveayj"="c:\\windows\\system\\lehveayj.exe"
"nsvcin"="C:\\N20050308.EXE"
"Nsv"="C:\\WINDOWS\\SYSTEM\\nsvsvc\\nsvsvc.exe"
"picsvr"="C:\\WINDOWS\\SYSTEM\\PICSVR\\PICSVR.EXE"
"KavSvc"="C:\\WINDOWS\\miampr.exe"
"autoupdate"="rundll32 C:\\WINDOWS\\SYSTEM\\WINUP2DATE.DLL,SHStart"
"CreateCD"="C:\\PROGRA~1\\ADAPTEC\\EASYCD~1\\CREATECD\\CREATECD.EXE -r"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

What next?

DR04
  • 0

Advertisements


#17
Dragon

Dragon

    All Around Computer Nut

  • Retired Staff
  • 2,678 posts
Please go offline, close all browsers and any open Windows, making sure that only HijackThis is open. Scan and when it finishes, put an X in the boxes, only next to these following items, then click fix checked.


R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R3 - Default URLSearchHook is missing
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 ieautosearch
O3 - Toolbar: (no name) - {BDF6CE3D-F5C5-4462-9814-3C8EAC330CA8} - (no file)
O4 - HKLM\..\Run: [ffis] C:\WINDOWS\isrvs\ffisearch.exe
O4 - HKLM\..\Run: [lehveayj] c:\windows\system\lehveayj.exe
O4 - HKLM\..\Run: [nsvcin] C:\N20050308.EXE
O4 - HKLM\..\Run: [Nsv] C:\WINDOWS\SYSTEM\nsvsvc\nsvsvc.exe
O4 - HKLM\..\Run: [picsvr] C:\WINDOWS\SYSTEM\PICSVR\PICSVR.EXE
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\miampr.exe
O4 - HKLM\..\Run: [autoupdate] rundll32 C:\WINDOWS\SYSTEM\WINUP2DATE.DLL,SHStart
O4 - HKCU\..\Run: [Dirlcvu] C:\WINDOWS\SYSTEM\fakkb.exe
O4 - Startup: prup.exe
O9 - Extra button: (no name) - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\PROGRAM FILES\EBATES_MOEMONEYMAKER\Sy350\Tp350\scri350a.htm (file missing) (HKCU)
O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - C:\WINDOWS\isrvs\mfiltis.dll


Please reboot into safe mode (continually tap the F8 key while your system is starting, select Safe Mode from the menu).
Be sure you're able to view hidden files, and remove the following files in bold (if found):

C:\WINDOWS\isrvs
c:\windows\system\lehveayj.exe
C:\N20050308.EXE
C:\WINDOWS\SYSTEM\nsvsvc
C:\WINDOWS\SYSTEM\PICSVR\PICSVR.EXE
C:\WINDOWS\miampr.exe
C:\WINDOWS\SYSTEM\WINUP2DATE.DLL
C:\PROGRAM FILES\EBATES_MOEMONEYMAKER


If you would please, rescan with HijackThis and post a fresh log in this same topic, and let us know how your system's working. :tazz:
  • 0

#18
DR04

DR04

    Member

  • Topic Starter
  • Member
  • PipPip
  • 57 posts
Efwis,

Did as you instructed. Disconnected from the internet and ran a HJT scan. Deleted the 19 registry entries (that’s what they are, right?) and attempted to restart. Pls note that when I tried to reboot the first time, I got a ‘program not responding’ window. Selected cancel and was able to restart without issue. FYI, this has been a common ‘problem’ for some time, but figured it was related to everything else going on and didn’t mention it. More on that later.

Rebooted into SAFE MODE. Insured ‘view hidden folders’ was enabled. Using ‘Find files/folders’ tool, was able to locate and delete – including from the recycle bin afterwards – 6 of the 8 files/folders you listed. Could not locate:

C:\N20050308.EXE
C:\PROGRAM FILES\EBATES_MOEMONEYMAKER

Interestingly enough, I did see the following files/folders with names similar to those which you told me to delete:

Files:
C:\WINDOWS\APPLOG\Lehveaj.lgc
C:\WINDOWS\APPLOG\nsvsc.lgc
C:\WINDOWS\APPLOG\picsvr.lgc
C:\WINDOWS\APPLOG\miampr.lgc
C:\WINDOWS\All Users\Application Data\picsvr\picsvr.inf
C:\WINDOWS\TEMP\uppicsvr.exe

Hidden Folders:
C:\WINDOWS\SYSTEM\picsvr
C:\WINDOWS\All Users\Application Data\picsvr

I then restarted. When I did this, I got the following pop-up window error during reboot:

Microsoft Networking
The following error occurred while loading protocol number 2.
Error 59: A network error occurred.

Probably caused by my forgetting to reconnect my cable modem. However, when I clicked OK and the boot process continued, I got the following error when Windows loaded:

RUNDLL
Error loading C:\PROGRA~1\APPS\CDA\CDAENG~1.DLL

This is another “Oh, by the way…” that’s come up during the last few attempts to clean up the mess. I saw a post with a similar issue and a registry key on the original HJT log that probably needs to be deleted, but didn’t do so. Anyway, I restarted. This time, I did NOT get the ‘program not responding’ error and my PC restarted without incident. Since I had reconnected my cable modem, I did not get the MS Networking error this time during reboot, but I did get the RUNDLL error.

Before I post the new HJT log, here’s what has happened with my system while I’ve been writing this:

For no reason, the C:\Win98se folder popped up on my desktop
Still getting pop-ups, one of which is to the following URL: 64.192.130.144
The ‘Search the Web’ bar that was hidden beneath my taskbar is gone
Only one ‘Rundll32’ application listed in the ‘Close Program’ window when I press CTL-ALT-DEL (used to be 2 or 3)

Other than that, everything seems to be hunky-dory. OK, here is my HJT log (I still see a couple of things in there that you had me delete, most notably the re-direction URLs, so guess I still have some work to do):

Logfile of HijackThis v1.99.1
Scan saved at 11:00:34 AM, on 4/3/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\NMSSVC.EXE
C:\WINDOWS\BCMDMMSG.EXE
C:\WINDOWS\SYSTEM\MDM.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\RTVSCN95.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\DEFWATCH.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\STARTER.EXE
C:\PROGRAM FILES\ADAPTEC\DIRECTCD\DIRECTCD.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\VPTRAY.EXE
C:\PROGRAM FILES\ADAPTEC\EASY CD CREATOR 4\CREATECD\CREATECD.EXE
C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\WINWORD.EXE
C:\DOWNLOAD\HIJACKTHIS.EXE

O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [EnsoniqMixer] C:\WINDOWS\starter.exe
O4 - HKLM\..\Run: [Adaptec DirectCD] C:\PROGRA~1\ADAPTEC\DIRECTCD\DIRECTCD.EXE
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\Scansoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\Brmfl03a\BrStDvPt.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [MMTray] C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe C:\PROGRA~1\WILDTA~1\APPS\CDA\CDAENG~1.DLL,cdaEngineMain
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\NORTON~1\vptray.exe
O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe
O4 - HKLM\..\Run: [lehveayj] c:\windows\system\lehveayj.exe
O4 - HKLM\..\Run: [CreateCD] C:\PROGRA~1\ADAPTEC\EASYCD~1\CREATECD\CREATECD.EXE -r
O4 - HKLM\..\RunServices: [NMSSvc] C:\WINDOWS\SYSTEM\NMSSVC.EXE
O4 - HKLM\..\RunServices: [Machine Debug Manager] C:\WINDOWS\SYSTEM\MDM.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [rtvscn95] C:\PROGRA~1\NORTON~1\rtvscn95.exe
O4 - HKLM\..\RunServices: [defwatch] C:\PROGRA~1\NORTON~1\defwatch.exe
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: Brother SmartUI PopUp.lnk = C:\WINDOWS\SYSTEM\SYSAGENT.EXE
O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM\AIM.EXE
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.app.../ITDetector.cab
O16 - DPF: {70522FA0-4656-11D5-B0E9-0050DAC24E8F} - http://cc.iwon.com/c..._12_1,0,2,5.cab
O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125F98} (CR64Loader Object) - http://www.miniclip....pGameLoader.dll
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.popcap.co...aploader_v6.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab

Thanks again,
DR04
  • 0

#19
Dragon

Dragon

    All Around Computer Nut

  • Retired Staff
  • 2,678 posts
ok, we are going to do two steps here.

First, Download the Hoster from here http://members.aol.c...bee/hoster.zip. Press "Restore Original Hosts" and press "OK". Exit Program.

Next, You may wish to print out a copy of these instructions to follow while you complete this procedure.

Please save Hijack This in a permanent folder (i.e. C:\HJT). This ensures backups are saved and accessible.

Please go offline, close all browsers and any open Windows, making sure that only HijackThis is open. Scan and when it finishes, put an X in the boxes, only next to these following items, then click fix checked.


O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe C:\PROGRA~1\WILDTA~1\APPS\CDA\CDAENG~1.DLL,cdaEngineMain
O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe
O4 - HKLM\..\Run: [lehveayj] c:\windows\system\lehveayj.exe


Please reboot into safe mode (continually tap the F8 key while your system is starting, select Safe Mode from the menu).
Be sure you're able to view hidden files, and remove the following files in bold (if found):

c:\windows\system\lehveayj.exe
C:\WINDOWS\isrvs


(and any other files with the same name that end in .dll, .exe or .dat, you may find them right next to each other, example - appsw.exe, appsw.dll, appsw.dat)

If you would please, rescan with HijackThis and post a fresh log in this same topic, and let us know how your system's working. :tazz:
  • 0

#20
DR04

DR04

    Member

  • Topic Starter
  • Member
  • PipPip
  • 57 posts
Efwis,

Roger all :tazz: . I'm at work right now so this will have to wait until I get home tonight. Will let you know how it all works out.

Thanks,
DR04
  • 0

#21
DR04

DR04

    Member

  • Topic Starter
  • Member
  • PipPip
  • 57 posts
Efwis,

Did as you instructed. So far, so good. No pop-ups. No lock-ups. One question, why does the 'Win98se' folder pop-up when I reboot?

Uh, spoke too soon. Stupid me, I closed the window before writing down the URL. Oh, by the way, didn't find the file or directory (or anything close to those names) to delete in SAFE MODE, but did find C:\WINDOWS\APPLOG\Lehveayj.lgc. Here is my latest HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 8:25:39 PM, on 4/4/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\BCMDMMSG.EXE
C:\WINDOWS\SYSTEM\NMSSVC.EXE
C:\WINDOWS\SYSTEM\MDM.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\RTVSCN95.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\DEFWATCH.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\STARTER.EXE
C:\PROGRAM FILES\ADAPTEC\DIRECTCD\DIRECTCD.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\VPTRAY.EXE
C:\PROGRAM FILES\ADAPTEC\EASY CD CREATOR 4\CREATECD\CREATECD.EXE
C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\DOWNLOAD\HIJACKTHIS.EXE

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [EnsoniqMixer] C:\WINDOWS\starter.exe
O4 - HKLM\..\Run: [Adaptec DirectCD] C:\PROGRA~1\ADAPTEC\DIRECTCD\DIRECTCD.EXE
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\Scansoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\Brmfl03a\BrStDvPt.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [MMTray] C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\NORTON~1\vptray.exe
O4 - HKLM\..\Run: [CreateCD] C:\PROGRA~1\ADAPTEC\EASYCD~1\CREATECD\CREATECD.EXE -r
O4 - HKLM\..\RunServices: [NMSSvc] C:\WINDOWS\SYSTEM\NMSSVC.EXE
O4 - HKLM\..\RunServices: [Machine Debug Manager] C:\WINDOWS\SYSTEM\MDM.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [rtvscn95] C:\PROGRA~1\NORTON~1\rtvscn95.exe
O4 - HKLM\..\RunServices: [defwatch] C:\PROGRA~1\NORTON~1\defwatch.exe
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: Brother SmartUI PopUp.lnk = C:\WINDOWS\SYSTEM\SYSAGENT.EXE
O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM\AIM.EXE
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.app.../ITDetector.cab
O16 - DPF: {70522FA0-4656-11D5-B0E9-0050DAC24E8F} - http://cc.iwon.com/c..._12_1,0,2,5.cab
O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125F98} (CR64Loader Object) - http://www.miniclip....pGameLoader.dll
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.popcap.co...aploader_v6.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab

Thanks again and Semper Fi,
DR04
  • 0

#22
Dragon

Dragon

    All Around Computer Nut

  • Retired Staff
  • 2,678 posts
I think I have found the remaining issues.

ou may wish to print out a copy of these instructions to follow while you complete this procedure.

Please save Hijack This in a permanent folder (i.e. C:\HJT). This ensures backups are saved and accessible.

Please go offline, close all browsers and any open Windows, making sure that only HijackThis is open. Scan and when it finishes, put an X in the boxes, only next to these following items, then click fix checked.


O16 - DPF: {70522FA0-4656-11D5-B0E9-0050DAC24E8F} - http://cc.iwon.com/c..._12_1,0,2,5.cab
O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125F98} (CR64Loader Object) - http://www.miniclip....pGameLoader.dll


Reboot your PC.

next start Internet Explorer and choose tools. Then click on the Delete Cookies Button. After that clickon the Delete Files button.

Reboot your PC.

If you would please, rescan with HijackThis and post a fresh log in this same topic, and let us know how your system's working. :tazz:
  • 0

#23
DR04

DR04

    Member

  • Topic Starter
  • Member
  • PipPip
  • 57 posts
Efwis,

Will do. Again, will have to be this evening as I am at work again (work sure does interfere with the important things in life, doesn't it :tazz: ). Will take care of when I get home and send you a new log tonight.

Thanks,
DR04
  • 0

#24
DR04

DR04

    Member

  • Topic Starter
  • Member
  • PipPip
  • 57 posts
Efwis,

Close but no cigar. Disconnected from the internet, ran HJT, then deleted the items you listed. Shut down PC. Reconnected my cable modem while the PC was shut down (was I supposed to do this BEFORE the 1st reboot or BEFORE the 2d reboot?). When I powered up, the Win98se folder popped up again. When I connected to IE to delete the cookies, got two pop-up, one for URL 64.192.130.141. Closed the pop-ups, then deleted Cookies and Files in the Tools menu. Rebooted again. Again, I got the Win98se folder popping up for no reason. Ran HJT and saved the log.

Had to go eat dinner before I could post the log. PC was connected to the internet, but IE was not open. When I came back to post the log, had about 5 pop-ups. At any rate, here's the HJT log you requested:

Logfile of HijackThis v1.99.1
Scan saved at 7:09:39 PM, on 4/5/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\NMSSVC.EXE
C:\WINDOWS\BCMDMMSG.EXE
C:\WINDOWS\SYSTEM\MDM.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\RTVSCN95.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\DEFWATCH.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\STARTER.EXE
C:\PROGRAM FILES\ADAPTEC\DIRECTCD\DIRECTCD.EXE
C:\PROGRAM FILES\BROTHER\BRMFL03A\BRSTDVPT.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\VPTRAY.EXE
C:\PROGRAM FILES\ADAPTEC\EASY CD CREATOR 4\CREATECD\CREATECD.EXE
C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\DOWNLOAD\HIJACKTHIS.EXE

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [EnsoniqMixer] C:\WINDOWS\starter.exe
O4 - HKLM\..\Run: [Adaptec DirectCD] C:\PROGRA~1\ADAPTEC\DIRECTCD\DIRECTCD.EXE
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\Scansoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\Brmfl03a\BrStDvPt.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [MMTray] C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\NORTON~1\vptray.exe
O4 - HKLM\..\Run: [CreateCD] C:\PROGRA~1\ADAPTEC\EASYCD~1\CREATECD\CREATECD.EXE -r
O4 - HKLM\..\RunServices: [NMSSvc] C:\WINDOWS\SYSTEM\NMSSVC.EXE
O4 - HKLM\..\RunServices: [Machine Debug Manager] C:\WINDOWS\SYSTEM\MDM.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [rtvscn95] C:\PROGRA~1\NORTON~1\rtvscn95.exe
O4 - HKLM\..\RunServices: [defwatch] C:\PROGRA~1\NORTON~1\defwatch.exe
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: Brother SmartUI PopUp.lnk = C:\WINDOWS\SYSTEM\SYSAGENT.EXE
O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM\AIM.EXE
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.app.../ITDetector.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.popcap.co...aploader_v6.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab

Let me know what to do next.

Thanks,
DR04
  • 0

#25
Dragon

Dragon

    All Around Computer Nut

  • Retired Staff
  • 2,678 posts
Download: StartDreck from: http://www.niksoft.a.../startdreck.htm
  • Extract the file into c:\startdreck.
  • Navigate to c:\startdreck and double-click on Startdreck.exe
  • When the program opens click on the Config button.
  • Then click on the unmark all button.
  • Put checkmarks in the following checkboxes:
  • Under Registry put a checkmark in the Run Keys checkbox.
  • Under System/Drivers put a check in the Running Proccess checkbox.
  • Press the OK button.
  • Press the Save button.
Type in the location you want to save the log to, or use the defaults which will save the log into the directory you are running the program from. If you choose the defaults the filename for the log will be StartDreck.log.

Edited by Efwis, 06 April 2005 - 08:56 AM.

  • 0

Advertisements


#26
DR04

DR04

    Member

  • Topic Starter
  • Member
  • PipPip
  • 57 posts
Efwis,

Just so you know, I've run 2 AdAware scans (4 & 5 April) w/o my PC locking up when it gets to the DELETE mode. On the 4th, there were over 200 'problems'. Last night, only 6 and they were all tracking cookies. NAV scans still negative.

By the way, hope that all is well with you. Downloaded STARTDRECK217.ZIP for the website and installed to its own directory. Opened the program, checked the appropriate boxes, and ran the program (while still connected to the internet). Here are the results:

StartDreck (build 2.1.7 public stable) - 2005-04-06 @ 20:53:50 (GMT -04:00)
Platform: Windows 98 SE (Win 4.10.2222 A)
Internet Explorer: 6.0.2800.1106
Logged in as Richard Davidson at GATEWAYO5S6Y1

»Registry
»Run Keys
»Current User
»Run
»RunOnce
»Default User
»Run
»RunOnce
»Local Machine
»Run
*ScanRegistry=C:\WINDOWS\scanregw.exe /autorun
*TaskMonitor=C:\WINDOWS\taskmon.exe
*EnsoniqMixer=C:\WINDOWS\starter.exe
*Adaptec DirectCD=C:\PROGRA~1\ADAPTEC\DIRECTCD\DIRECTCD.EXE
*IndexSearch=C:\Program Files\Scansoft\PaperPort\IndexSearch.exe
*SetDefPrt=C:\Program Files\Brother\Brmfl03a\BrStDvPt.exe
*SystemTray=SysTray.Exe
*LoadPowerProfile=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
*MMTray=C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
*vptray=C:\PROGRA~1\NORTON~1\vptray.exe
*CreateCD=C:\PROGRA~1\ADAPTEC\EASYCD~1\CREATECD\CREATECD.EXE -r
+OptionalComponents
+IMAIL
*Installed=1
+MAPI
*NoChange=1
*Installed=1
+MAPI
*NoChange=1
*Installed=1
»RunOnce
»RunServices
*NMSSvc=C:\WINDOWS\SYSTEM\NMSSVC.EXE
*Machine Debug Manager=C:\WINDOWS\SYSTEM\MDM.EXE
*LoadPowerProfile=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
*rtvscn95=C:\PROGRA~1\NORTON~1\rtvscn95.exe
*defwatch=C:\PROGRA~1\NORTON~1\defwatch.exe
*SchedulingAgent=mstask.exe
»RunServicesOnce
»RunOnceEx
»RunServicesOnceEx
»Files
»System/Drivers
»Running Processes
+FF0F3A97=C:\WINDOWS\SYSTEM\KERNEL32.DLL
+FFFF7AB7=C:\WINDOWS\SYSTEM\MSGSRV32.EXE
+FFFF714F=C:\WINDOWS\SYSTEM\SPOOL32.EXE
+FFFF677F=C:\WINDOWS\SYSTEM\MPREXE.EXE
+FFFE818F=C:\WINDOWS\BCMDMMSG.EXE
+FFFEE0B3=C:\WINDOWS\SYSTEM\NMSSVC.EXE
+FFFE2E7F=C:\WINDOWS\SYSTEM\MDM.EXE
+FFFE51A3=C:\PROGRAM FILES\NORTON ANTIVIRUS\RTVSCN95.EXE
+FFFEE1BF=C:\PROGRAM FILES\NORTON ANTIVIRUS\DEFWATCH.EXE
+FFFDDBB7=C:\WINDOWS\SYSTEM\MSTASK.EXE
+FFFD748F=C:\WINDOWS\SYSTEM\mmtask.tsk
+FFFCA21F=C:\WINDOWS\EXPLORER.EXE
+FFFC716F=C:\WINDOWS\RUNDLL32.EXE
+FFFB0C7F=C:\WINDOWS\TASKMON.EXE
+FFFB244F=C:\WINDOWS\STARTER.EXE
+FFFB41DB=C:\PROGRAM FILES\ADAPTEC\DIRECTCD\DIRECTCD.EXE
+FFFA95C7=C:\WINDOWS\SYSTEM\SYSTRAY.EXE
+FFFAD85F=C:\PROGRAM FILES\NORTON ANTIVIRUS\VPTRAY.EXE
+FFFA96C3=C:\PROGRAM FILES\ADAPTEC\EASY CD CREATOR 4\CREATECD\CREATECD.EXE
+FFFB0847=C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
+FFFA7F13=C:\WINDOWS\SYSTEM\WMIEXE.EXE
+FFF72E7F=C:\WINDOWS\SYSTEM\DDHELP.EXE
+FFF5E693=C:\WINDOWS\SYSTEM\TAPISRV.EXE
+FFF289C3=C:\WINDOWS\SYSTEM\PSTORES.EXE
+FFF41B2F=C:\STARTDRECK217\STARTDRECK.EXE
»Application specific


Also ran HJT. Here it is:

Logfile of HijackThis v1.99.1
Scan saved at 8:54:31 PM, on 4/6/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\BCMDMMSG.EXE
C:\WINDOWS\SYSTEM\NMSSVC.EXE
C:\WINDOWS\SYSTEM\MDM.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\RTVSCN95.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\DEFWATCH.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\STARTER.EXE
C:\PROGRAM FILES\ADAPTEC\DIRECTCD\DIRECTCD.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\VPTRAY.EXE
C:\PROGRAM FILES\ADAPTEC\EASY CD CREATOR 4\CREATECD\CREATECD.EXE
C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\DOWNLOAD\HIJACKTHIS.EXE

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [EnsoniqMixer] C:\WINDOWS\starter.exe
O4 - HKLM\..\Run: [Adaptec DirectCD] C:\PROGRA~1\ADAPTEC\DIRECTCD\DIRECTCD.EXE
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\Scansoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\Brmfl03a\BrStDvPt.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [MMTray] C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\NORTON~1\vptray.exe
O4 - HKLM\..\Run: [CreateCD] C:\PROGRA~1\ADAPTEC\EASYCD~1\CREATECD\CREATECD.EXE -r
O4 - HKLM\..\RunServices: [NMSSvc] C:\WINDOWS\SYSTEM\NMSSVC.EXE
O4 - HKLM\..\RunServices: [Machine Debug Manager] C:\WINDOWS\SYSTEM\MDM.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [rtvscn95] C:\PROGRA~1\NORTON~1\rtvscn95.exe
O4 - HKLM\..\RunServices: [defwatch] C:\PROGRA~1\NORTON~1\defwatch.exe
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: Brother SmartUI PopUp.lnk = C:\WINDOWS\SYSTEM\SYSAGENT.EXE
O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM\AIM.EXE
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.app.../ITDetector.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.popcap.co...aploader_v6.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab

Thanks again for the help :tazz:
DR04
  • 0

#27
Dragon

Dragon

    All Around Computer Nut

  • Retired Staff
  • 2,678 posts
hi DR04,

doing well thanks for asking.

just wondering after running adaware if you are still getting those annoying popups.

If you are then I need you to run a new findit log for me. I may have missed something.
  • 0

#28
DR04

DR04

    Member

  • Topic Starter
  • Member
  • PipPip
  • 57 posts
Efwis,

Yep, still getting annoying pop-ups and the Win98se folder opening on its own shortly after system boot up. Also, I ran a HJT this morning and saw a couple of my old friends in there (miampr.exe and prup.exe - log posted below).

HJT for DR04

Logfile of HijackThis v1.99.1
Scan saved at 7:13:52 AM, on 4/7/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\NMSSVC.EXE
C:\WINDOWS\SYSTEM\MDM.EXE
C:\WINDOWS\BCMDMMSG.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\RTVSCN95.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\DEFWATCH.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\STARTER.EXE
C:\PROGRAM FILES\ADAPTEC\DIRECTCD\DIRECTCD.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\VPTRAY.EXE
C:\PROGRAM FILES\ADAPTEC\EASY CD CREATOR 4\CREATECD\CREATECD.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\MIAMPR.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\DOWNLOAD\HIJACKTHIS.EXE

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [EnsoniqMixer] C:\WINDOWS\starter.exe
O4 - HKLM\..\Run: [Adaptec DirectCD] C:\PROGRA~1\ADAPTEC\DIRECTCD\DIRECTCD.EXE
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\Scansoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\Brmfl03a\BrStDvPt.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [MMTray] C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\NORTON~1\vptray.exe
O4 - HKLM\..\Run: [CreateCD] C:\PROGRA~1\ADAPTEC\EASYCD~1\CREATECD\CREATECD.EXE -r
O4 - HKLM\..\Run: [autoupdate] rundll32 C:\WINDOWS\SYSTEM\WINUP2DATE.DLL,SHStart
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\miampr.exe
O4 - HKLM\..\RunServices: [NMSSvc] C:\WINDOWS\SYSTEM\NMSSVC.EXE
O4 - HKLM\..\RunServices: [Machine Debug Manager] C:\WINDOWS\SYSTEM\MDM.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [rtvscn95] C:\PROGRA~1\NORTON~1\rtvscn95.exe
O4 - HKLM\..\RunServices: [defwatch] C:\PROGRA~1\NORTON~1\defwatch.exe
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: Brother SmartUI PopUp.lnk = C:\WINDOWS\SYSTEM\SYSAGENT.EXE
O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O4 - Startup: prup.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM\AIM.EXE
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.app.../ITDetector.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.popcap.co...aploader_v6.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab

Here's the FINDIT Log:

Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

------- System Files in System Directory -------


Volume in drive C is WIN98SE
Volume Serial Number is 2029-12F4
Directory of C:\WINDOWS\SYSTEM

VW4EN16 DLL 227,104 03-16-05 7:06a VW4EN16.DLL
OSETHK32 DLL 227,104 03-16-05 7:06a OSETHK32.DLL
IDM32 DLL 227,104 03-16-05 7:06a IDM32.DLL
OUECNV32 DLL 227,104 03-16-05 7:06a OUECNV32.DLL
MUMP3WAV DLL 227,104 03-16-05 7:06a mump3wav.dll
UHP10 DLL 227,104 03-16-05 7:06a uhp10.dll
VBHELPER DLL 227,104 03-16-05 7:06a VBHELPER.DLL
WOICORE DLL 227,104 03-16-05 7:06a WOICORE.DLL
CPTDLL DLL 227,104 03-16-05 7:06a CPTDLL.DLL
PSBDLG DLL 227,104 03-16-05 7:06a PSBDLG.DLL
FISRCH DLL 227,104 03-16-05 7:06a FISRCH.DLL
ID50_QC DLL 227,104 03-16-05 7:06a Id50_qc.dll
TND32 DLL 227,104 03-16-05 7:06a TND32.DLL
SDLWOA DLL 227,104 03-16-05 7:06a SDLWOA.DLL
MXCPXL32 DLL 227,104 03-16-05 7:06a MXCPXL32.DLL
MZACM DLL 227,104 03-16-05 7:06a MZACM.DLL
MQC42ENU DLL 227,104 03-16-05 7:06a MQC42ENU.DLL
RVAUI DLL 227,104 03-16-05 7:06a RVAUI.DLL
MWAFD DLL 227,104 03-16-05 7:06a MWAFD.DLL
MZCRLREV DLL 227,104 03-16-05 7:06a mzcrlrev.dll
VGR DLL 227,104 03-16-05 7:06a VGR.DLL
NIS DLL 227,104 03-16-05 7:06a NIS.DLL
SKSCRAP DLL 227,104 03-16-05 7:06a SKSCRAP.DLL
SCLSTR DLL 227,104 03-16-05 7:06a SCLSTR.DLL
TED32 DLL 227,104 03-16-05 7:06a TED32.DLL
SREM0409 DLL 227,104 03-16-05 7:06a SREM0409.DLL
NOS DLL 227,104 03-16-05 7:06a NOS.DLL
MHSTDFMT DLL 227,104 03-16-05 7:06a MHSTDFMT.DLL
SHSTHUNK DLL 227,104 03-16-05 7:06a SHSTHUNK.DLL
MFYUV DLL 227,104 03-16-05 7:06a mfyuv.dll
BGMFUSB DLL 227,104 03-16-05 7:06a BgmfUSB.dll
MDAFD DLL 227,104 03-16-05 7:06a MDAFD.DLL
JOMP500 DLL 227,104 03-16-05 7:06a JOMP500.DLL
BANDFILE DLL 227,104 03-16-05 7:06a BANDFILE.DLL
AASTREAM DLL 227,104 03-16-05 7:06a AASTREAM.DLL
DXIMAN32 DLL 227,104 03-16-05 7:06a DXIMAN32.DLL
JFVALE DLL 227,104 03-16-05 7:06a JFVALE.DLL
IDDKCS32 DLL 227,104 03-16-05 7:06a IDDKCS32.DLL
POUSTAB DLL 227,104 03-16-05 7:06a POUSTAB.DLL
SXLWOA DLL 227,104 03-16-05 7:06a SXLWOA.DLL
CQRESRC DLL 227,104 03-16-05 7:06a CQRESRC.DLL
MRBRKR12 DLL 227,104 03-16-05 7:06a MRBRKR12.DLL
OJE2NLS DLL 227,104 03-16-05 7:06a OJE2NLS.DLL
VXODCTL DLL 227,104 03-16-05 7:06a VXODCTL.DLL
DXNDI DLL 227,104 03-16-05 7:06a DXNDI.DLL
IK509CLS DLL 227,104 03-16-05 7:06a IK509CLS.DLL
BXWEBINS DLL 227,104 03-16-05 7:06a BxWebIns.dll
AVDENC32 DLL 227,104 03-16-05 7:06a AVDENC32.DLL
ONECNV32 DLL 227,104 03-16-05 7:06a ONECNV32.DLL
TZBINF32 DLL 227,104 03-16-05 7:06a TZBINF32.DLL
WFLSOF32 DLL 227,104 03-16-05 7:06a Wflsof32.dll
MZAFD DLL 227,104 03-16-05 7:06a MZAFD.DLL
DYDXOF DLL 227,104 03-16-05 7:06a DYDXOF.DLL
ACFERROR DLL 227,104 03-16-05 7:06a acferror.dll
IDCTL DLL 227,104 03-16-05 7:06a idctl.dll
MCPCIC DLL 227,104 03-16-05 7:06a MCPCIC.DLL
MLAFD DLL 227,104 03-16-05 7:06a MLAFD.DLL
OQBC32GT DLL 227,104 03-16-05 7:06a OQBC32GT.DLL
SFHANNEL DLL 227,104 03-16-05 7:06a SFHANNEL.DLL
MPCMS DLL 227,104 03-16-05 7:06a MPCMS.DLL
RYR20 DLL 227,104 03-16-05 7:06a RYR20.DLL
NMDLL DLL 227,104 03-16-05 7:06a NMDLL.DLL
PBS DLL 227,104 03-16-05 7:06a pbs.dll
SCORAGE DLL 227,104 03-16-05 7:06a SCORAGE.DLL
RZCHED DLL 227,104 03-16-05 7:06a RZCHED.DLL
DINADDR DLL 227,104 03-16-05 7:06a dinaddr.dll
IP1CM DLL 227,104 03-16-05 7:06a IP1cm.dll
RUAUI DLL 227,104 03-15-05 3:33p RUAUI.DLL
LEME_ENC DLL 227,104 03-15-05 3:33p lEme_enc.dll
MMGSYS DLL 227,104 03-15-05 3:33p MMGSYS.DLL
MMMIXMGR DLL 227,104 03-15-05 3:33p MMMIXMGR.DLL
MKIMRT16 DLL 227,104 03-08-05 5:32p MKIMRT16.DLL
MFOSS DLL 227,104 03-08-05 5:32p MFOSS.DLL
QSSNAME DLL 227,104 03-08-05 5:32p QSSNAME.DLL
PIGFILT DLL 227,104 03-08-05 5:32p pigfilt.dll
REAUI DLL 227,104 03-08-05 5:32p REAUI.DLL
MZVCIRT DLL 227,104 03-08-05 5:32p mzvcirt.dll
NERSNL DLL 227,104 03-08-05 5:32p NERSNL.DLL
IPSENG DLL 227,104 03-08-05 2:31p IPSENG.DLL
AXRIP DLL 227,104 03-08-05 2:31p axrip.dll
IJDKCS32 DLL 222,568 02-01-05 2:54p IJDKCS32.DLL
VKRSION DLL 222,568 02-01-05 2:54p VKRSION.DLL
DLMCLIEN DLL 222,568 02-01-05 2:54p dlmclien.dll
JET DLL 222,568 02-01-05 2:54p JET.DLL
VYW4 EXE 254,038 12-06-04 5:34p Vyw4.exe
SND2C EXE 254,038 12-06-04 5:34p Snd2C.exe
86 file(s) 19,566,668 bytes
0 dir(s) 9,775.58 MB free

------- Hidden Files in System Directory -------


Volume in drive C is WIN98SE
Volume Serial Number is 2029-12F4
Directory of C:\WINDOWS\SYSTEM

FOLDER HTT 13,122 03-26-05 11:58a folder.htt
DESKTOP INI 266 03-26-05 11:58a desktop.ini
PROSETP GID 24,200 03-26-05 9:15a PROSETP.GID
PICSVR <DIR> 03-25-05 8:51p picsvr
VMSS <DIR> 03-06-05 6:30p vmss
VYW4 EXE 254,038 12-06-04 5:34p Vyw4.exe
SND2C EXE 254,038 12-06-04 5:34p Snd2C.exe
VX0 NLS 8,192 11-01-04 7:47p VX0.NLS
6 file(s) 553,856 bytes
2 dir(s) 9,775.56 MB free

---------------- User Agent ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{305938A1-9132-56EB-379D-BFFE055C0FC5}"=""

------------------ Locate.com Results ------------------

C:\WINDOWS\SYSTEM\
vw4en16.dll Wed Mar 16 2005 7:06:30a ..S.R 227,104 221.78 K
osethk32.dll Wed Mar 16 2005 7:06:30a ..S.R 227,104 221.78 K
folder.htt Sat Mar 26 2005 11:58:40a ...H. 13,122 12.81 K
idm32.dll Wed Mar 16 2005 7:06:30a ..S.R 227,104 221.78 K
desktop.ini Sat Mar 26 2005 11:58:40a ...H. 266 0.26 K
ouecnv32.dll Wed Mar 16 2005 7:06:30a ..S.R 227,104 221.78 K
mump3wav.dll Wed Mar 16 2005 7:06:30a ..S.R 227,104 221.78 K
uhp10.dll Wed Mar 16 2005 7:06:30a ..S.R 227,104 221.78 K
prosetp.gid Sat Mar 26 2005 9:15:36a A..H. 24,200 23.63 K
vbhelper.dll Wed Mar 16 2005 7:06:30a ..S.R 227,104 221.78 K
woicore.dll Wed Mar 16 2005 7:06:30a ..S.R 227,104 221.78 K
ijdkcs32.dll Tue Feb 1 2005 2:54:52p ..S.R 222,568 217.35 K
vkrsion.dll Tue Feb 1 2005 2:54:52p ..S.R 222,568 217.35 K
dlmclien.dll Tue Feb 1 2005 2:54:52p ..S.R 222,568 217.35 K
cptdll.dll Wed Mar 16 2005 7:06:30a ..S.R 227,104 221.78 K
psbdlg.dll Wed Mar 16 2005 7:06:30a ..S.R 227,104 221.78 K
fisrch.dll Wed Mar 16 2005 7:06:30a ..S.R 227,104 221.78 K
jet.dll Tue Feb 1 2005 2:54:52p ..S.R 222,568 217.35 K
id50_qc.dll Wed Mar 16 2005 7:06:30a ..S.R 227,104 221.78 K
tnd32.dll Wed Mar 16 2005 7:06:30a ..S.R 227,104 221.78 K
sdlwoa.dll Wed Mar 16 2005 7:06:30a ..S.R 227,104 221.78 K
ipseng.dll Tue Mar 8 2005 2:31:12p ..S.R 227,104 221.78 K
mkimrt16.dll Tue Mar 8 2005 5:32:36p ..S.R 227,104 221.78 K
mfoss.dll Tue Mar 8 2005 5:32:36p ..S.R 227,104 221.78 K
qssname.dll Tue Mar 8 2005 5:32:36p ..S.R 227,104 221.78 K
pigfilt.dll Tue Mar 8 2005 5:32:36p ..S.R 227,104 221.78 K
reaui.dll Tue Mar 8 2005 5:32:36p ..S.R 227,104 221.78 K
axrip.dll Tue Mar 8 2005 2:31:12p ..S.R 227,104 221.78 K
ruaui.dll Tue Mar 15 2005 3:33:46p ..S.R 227,104 221.78 K
mzvcirt.dll Tue Mar 8 2005 5:32:36p ..S.R 227,104 221.78 K
leme_enc.dll Tue Mar 15 2005 3:33:46p ..S.R 227,104 221.78 K
mmgsys.dll Tue Mar 15 2005 3:33:46p ..S.R 227,104 221.78 K
mmmixmgr.dll Tue Mar 15 2005 3:33:46p ..S.R 227,104 221.78 K
mxcpxl32.dll Wed Mar 16 2005 7:06:30a ..S.R 227,104 221.78 K
mzacm.dll Wed Mar 16 2005 7:06:30a ..S.R 227,104 221.78 K
nersnl.dll Tue Mar 8 2005 5:32:36p ..S.R 227,104 221.78 K
mqc42enu.dll Wed Mar 16 2005 7:06:30a ..S.R 227,104 221.78 K
rvaui.dll Wed Mar 16 2005 7:06:30a ..S.R 227,104 221.78 K
mwafd.dll Wed Mar 16 2005 7:06:30a ..S.R 227,104 221.78 K
mzcrlrev.dll Wed Mar 16 2005 7:06:30a ..S.R 227,104 221.78 K
vgr.dll Wed Mar 16 2005 7:06:30a ..S.R 227,104 221.78 K
nis.dll Wed Mar 16 2005 7:06:30a ..S.R 227,104 221.78 K
skscrap.dll Wed Mar 16 2005 7:06:30a ..S.R 227,104 221.78 K
sclstr.dll Wed Mar 16 2005 7:06:30a ..S.R 227,104 221.78 K
ted32.dll Wed Mar 16 2005 7:06:30a ..S.R 227,104 221.78 K
srem0409.dll Wed Mar 16 2005 7:06:30a ..S.R 227,104 221.78 K
nos.dll Wed Mar 16 2005 7:06:30a ..S.R 227,104 221.78 K
mhstdfmt.dll Wed Mar 16 2005 7:06:30a ..S.R 227,104 221.78 K
shsthunk.dll Wed Mar 16 2005 7:06:30a ..S.R 227,104 221.78 K
mfyuv.dll Wed Mar 16 2005 7:06:30a ..S.R 227,104 221.78 K
bgmfusb.dll Wed Mar 16 2005 7:06:30a ..S.R 227,104 221.78 K
mdafd.dll Wed Mar 16 2005 7:06:30a ..S.R 227,104 221.78 K
jomp500.dll Wed Mar 16 2005 7:06:30a ..S.R 227,104 221.78 K
bandfile.dll Wed Mar 16 2005 7:06:30a ..S.R 227,104 221.78 K
aastream.dll Wed Mar 16 2005 7:06:30a ..S.R 227,104 221.78 K
dximan32.dll Wed Mar 16 2005 7:06:30a ..S.R 227,104 221.78 K
jfvale.dll Wed Mar 16 2005 7:06:30a ..S.R 227,104 221.78 K
iddkcs32.dll Wed Mar 16 2005 7:06:30a ..S.R 227,104 221.78 K
poustab.dll Wed Mar 16 2005 7:06:30a ..S.R 227,104 221.78 K
sxlwoa.dll Wed Mar 16 2005 7:06:30a ..S.R 227,104 221.78 K
cqresrc.dll Wed Mar 16 2005 7:06:30a ..S.R 227,104 221.78 K
mrbrkr12.dll Wed Mar 16 2005 7:06:30a ..S.R 227,104 221.78 K
oje2nls.dll Wed Mar 16 2005 7:06:30a ..S.R 227,104 221.78 K
vxodctl.dll Wed Mar 16 2005 7:06:30a ..S.R 227,104 221.78 K
dxndi.dll Wed Mar 16 2005 7:06:30a ..S.R 227,104 221.78 K
ik509cls.dll Wed Mar 16 2005 7:06:30a ..S.R 227,104 221.78 K
bxwebins.dll Wed Mar 16 2005 7:06:30a ..S.R 227,104 221.78 K
avdenc32.dll Wed Mar 16 2005 7:06:30a ..S.R 227,104 221.78 K
onecnv32.dll Wed Mar 16 2005 7:06:30a ..S.R 227,104 221.78 K
tzbinf32.dll Wed Mar 16 2005 7:06:30a ..S.R 227,104 221.78 K
wflsof32.dll Wed Mar 16 2005 7:06:30a ..S.R 227,104 221.78 K
mzafd.dll Wed Mar 16 2005 7:06:30a ..S.R 227,104 221.78 K
dydxof.dll Wed Mar 16 2005 7:06:30a ..S.R 227,104 221.78 K
acferror.dll Wed Mar 16 2005 7:06:30a ..S.R 227,104 221.78 K
idctl.dll Wed Mar 16 2005 7:06:30a ..S.R 227,104 221.78 K
mcpcic.dll Wed Mar 16 2005 7:06:30a ..S.R 227,104 221.78 K
mlafd.dll Wed Mar 16 2005 7:06:30a ..S.R 227,104 221.78 K
oqbc32gt.dll Wed Mar 16 2005 7:06:30a ..S.R 227,104 221.78 K
sfhannel.dll Wed Mar 16 2005 7:06:30a ..S.R 227,104 221.78 K
mpcms.dll Wed Mar 16 2005 7:06:30a ..S.R 227,104 221.78 K
ryr20.dll Wed Mar 16 2005 7:06:30a ..S.R 227,104 221.78 K
nmdll.dll Wed Mar 16 2005 7:06:30a ..S.R 227,104 221.78 K
pbs.dll Wed Mar 16 2005 7:06:30a ..S.R 227,104 221.78 K
scorage.dll Wed Mar 16 2005 7:06:30a ..S.R 227,104 221.78 K
rzched.dll Wed Mar 16 2005 7:06:30a ..S.R 227,104 221.78 K
dinaddr.dll Wed Mar 16 2005 7:06:30a ..S.R 227,104 221.78 K
ip1cm.dll Wed Mar 16 2005 7:06:30a ..S.R 227,104 221.78 K

87 items found: 87 files, 0 directories.
Total of file sizes: 19,096,180 bytes 18.21 M

------------ Strings.exe Qoologic Results ------------

C:\WINDOWS\VPTNFILE.518: TROJ_QOOLOGIC.G
C:\WINDOWS\VPTNFILE.518: TROJ_QOOLOGIC.C
C:\WINDOWS\VPTNFILE.518: TROJ_QOOLOGIC.B
C:\WINDOWS\VPTNFILE.518: TROJ_QOOLOGIC.A
C:\WINDOWS\lpt$vpn.518: TROJ_QOOLOGIC.G
C:\WINDOWS\lpt$vpn.518: TROJ_QOOLOGIC.C
C:\WINDOWS\lpt$vpn.518: TROJ_QOOLOGIC.B
C:\WINDOWS\lpt$vpn.518: TROJ_QOOLOGIC.A
C:\WINDOWS\unadbeh.exe: e:\Projects\Qoologic\PopupClient\FancyUninstall\Release\FancyUninstall.pdb
C:\WINDOWS\hmrho.dll: excl_urls=photobucket.com,c1.zedo.com,media.deskwizz.com,stats.eblocs.com,passportimages.com,banners.searchingbooth.com,ads234.com,click2.containsitall.com,media.fastclick.net,sandboxer.com,a.websponsors.com,ads.clickagents.com,trk.bestmagsdirect.com,toprebates.com,ad.doubleclick.net,as.casalemedia.com,m3.doubleclick.net,dw.dailywinner.net,img2.mailpostdirect.com,bv.channel.aol.com,adlog2.lzio.com,host239.ipowerweb.com,popups.ad-logics.com,clickserve.cc-dt.com,hits.clickandtrack.net,ads.mydailyhoroscope.net,c5.zedo.com,affiliates.4lowrates.com,couponage.com,ekmas.com,creativeby.viewpoint.com,mydailyhoroscope.net,images.trafficmp.com,actualdeals.com,download.websearch.com,aim-charts.pf.aol.com,aol.com,target.com,yahoo.com,microsoft.com,anrdoezrs.net,isg05.casalemedia.com,jbigpops.cjt1.net,whenusearch.com,trk.pcsecurityshield.com,license.hotbar.com,web.icq.com,sc.musicmatch.com,comcast.net,filter.belkin.com,clickit.go2net.com,adverts.lzio.com,windowsupdate.microsoft.com,v4.windowsupdate.microsoft.com,odysseusmarketing.com,join1.winhundred.com,advert.runescape.com,top-banners.com,sr.websearch.com,messenger.msn.com,download.abetterinternet.com,adserv.internetfuel.com,pops.browseraid.com,banners.pennyweb.com,tv.180solutions.com,s.clkoptimizer.com,adserv1.gruvmedia.com,cdn.icq.com,messenger.zango.com,smileycentral.com,wwp.icq.com,web.tickle.com,isapi60.weatherbug.com,websearch.com,hop.clickbank.net,media76.fastclick.net,mmm.media-motor.net,rightmedia.net,bannerserver.gator.com,www4.yesadvertising.com,ww2.weatherbug.com,servedby.advertising.com,adsrv.qoologic.com,games.yahoo.com,weatherbug.com,jicmedia.cjt1.net,ad.trafficmp.com,updates.qoologic.com,ads1.revenue.net,ar.atwola.com,ads.addynamix.com,wisapidata.weatherbug.com,popuppers.com,as.adwave.com,look2me.com,jbns2.cydoor.com,bannerfarm.ace.advertising.com,delfinproject.com,view.atdmt.com,mm.delfinproject.com,download.smileycentral.com,xadso.offeroptimizer.com,webpdp.gator.com,ayb.lop.com,stopzilla.com,pgq.yahoo.com,jmnad1.com,topicks.com,e.rn11.com,focusin.ads.targetnet.com,insider.msg.yahoo.com,m2.doubleclick.net,mail.yahoo.com,jcontent.bns1.net,ctl.twain-tech.com,master.mx-targeting.com,hotmail.com,searcheffect.com,ads.delfinproject.com,cfg.mywebsearch.com,akapp.whenu.com,newupdates.lzio.com,allaboutsearching.com,amch.questionmarket.com,adfarm.mediaplex.com,hotmail.msn.com,by.optimost.com,cdn-cf.aol.com,paypopup.com,popuptraffic.com,xadsq.offeroptimizer.com,jnictech.cjt1.net,xanga.com,count.exitexchange.com,servedby.adscpm.com,search200.com,cdn-aimtoday.aol.com,kill-pop-ups.com,us.update.companion.yahoo.com,qksrv.net,clickspring.net,xlime.offeroptimizer.com,sr.adwave.com,zone.msn.com,radio.launch.yahoo.com,ads.bidclix.com,counters.honesty.com,oz.valueclick.com,i.emarketresearchgroup.com,ads2.revenue.net,popup.msn.com,adsv2.delfinproject.com,u.clkoptimizer.com,ezula.com,server.iad.liveperson.net,loadingwebsite.com,pan-advert.com,t.trafficmp.com,clicktrk.com,aaabesthomepage.com,ads.exitexchange.com,us.a1.yimg.com,trafficmp.com,yimg.com,a.as-us.falkag.net,a1.yimg.com,z1.adserver.com,falkag.net,as-us.falkag.net,loginnet.passport.com,ads.inet1.com,pagead2.googlesyndication.com,login.passport.net,v8.alwaysupdatednews.com,adv.eblocs.com,alwaysupdatednews.com,fxfeeds.mozilla.org,cdn.aim.com,ar.atwola.com,c4.maxserving.com,maxserving.com,mediaplex.com,altfarm.mediaplex.com,topmoxie.com,global.msads.net,msads.net,banner.goldenpalace.com,goldenpalace.com,us.i1.yimg.com,cdn.comcast.net,us.yimg.com,us.js1.yimg.com,js1.yimg.com,switch.atdmt.com,atdmt.com,update32.searchmiracle.com,onemoresearch.net,
C:\WINDOWS\SYSTEM\pav.sig: Qoologic
C:\WINDOWS\SYSTEM\pav.sig: Qoologic

-------------- Strings.exe Aspack Results -------------

C:\WINDOWS\vsapi32.dll: ASPACK EXE
C:\WINDOWS\vsapi32.dll: ASPACK2 EXE
C:\WINDOWS\vsapi32.dll: ASPack 1.08.04
C:\WINDOWS\vsapi32.dll: ASPack 1.08.03
C:\WINDOWS\vsapi32.dll: ASPack 1.08.02b
C:\WINDOWS\vsapi32.dll: ASPack 1.08.01
C:\WINDOWS\vsapi32.dll: ASPack 1.08
C:\WINDOWS\vsapi32.dll: ASPack 1.07b
C:\WINDOWS\vsapi32.dll: ASPack 1.61
C:\WINDOWS\vsapi32.dll: ASPack 1.05b
C:\WINDOWS\vsapi32.dll: ASPack 1.03
C:\WINDOWS\vsapi32.dll: ASPack 1.02
C:\WINDOWS\vsapi32.dll: ASPack 1.01
C:\WINDOWS\vsapi32.dll: ASPack 1.00
C:\WINDOWS\SYSTEM\pav.sig: AsPack

----------------- HKLM Run Key ------------------

-------------- Strings.exe Umonitor Results -------------
C:\WINDOWS\SYSTEM\RWSAPI16.DLL: UMonitor
C:\WINDOWS\SYSTEM\CNHTMGR.DLL: UMonitor
C:\WINDOWS\SYSTEM\WCNNET16.DLL: UMonitor
C:\WINDOWS\SYSTEM\MRCO30.DLL: UMonitor
C:\WINDOWS\SYSTEM\ILMUI.DLL: UMonitor
C:\WINDOWS\SYSTEM\NSMODE.DLL: UMonitor
C:\WINDOWS\SYSTEM\KDRNEL32.DLL: UMonitor
C:\WINDOWS\SYSTEM\SOELL.DLL: UMonitor
C:\WINDOWS\SYSTEM\OOBCINT.DLL: UMonitor
C:\WINDOWS\SYSTEM\PKUSTAB.DLL: UMonitor
C:\WINDOWS\SYSTEM\FHNTEXT.DLL: UMonitor
C:\WINDOWS\SYSTEM\OZECNV32.DLL: UMonitor
C:\WINDOWS\SYSTEM\demigr.dll: UMonitor
C:\WINDOWS\SYSTEM\VFAR2232.DLL: UMonitor
C:\WINDOWS\SYSTEM\WBLP32T.DLL: UMonitor
C:\WINDOWS\SYSTEM\IJDKCS32.DLL: UMonitor
C:\WINDOWS\SYSTEM\IDSENG.DLL: UMonitor
C:\WINDOWS\SYSTEM\sgnsapi.dll: UMonitor
C:\WINDOWS\SYSTEM\BHNDFILE.DLL: UMonitor
C:\WINDOWS\SYSTEM\IU509CLS.DLL: UMonitor
C:\WINDOWS\SYSTEM\RWVPSP.DLL: UMonitor
C:\WINDOWS\SYSTEM\TCPI.DLL: UMonitor
C:\WINDOWS\SYSTEM\VKRSION.DLL: UMonitor
C:\WINDOWS\SYSTEM\FFPWPP.DLL: UMonitor
C:\WINDOWS\SYSTEM\xhlparse.dll: UMonitor
C:\WINDOWS\SYSTEM\NSQTWK.DLL: UMonitor
C:\WINDOWS\SYSTEM\MJSTDFMT.DLL: UMonitor
C:\WINDOWS\SYSTEM\mfjint35.dll: UMonitor
C:\WINDOWS\SYSTEM\CSMMDLG.DLL: UMonitor
C:\WINDOWS\SYSTEM\PUTORERC.DLL: UMonitor
C:\WINDOWS\SYSTEM\smbapi.dll: UMonitor
C:\WINDOWS\SYSTEM\essmtp.dll: UMonitor
C:\WINDOWS\SYSTEM\izwdial.dll: UMonitor
C:\WINDOWS\SYSTEM\MFLTUS40.DLL: UMonitor
C:\WINDOWS\SYSTEM\GUU32.DLL: UMonitor
C:\WINDOWS\SYSTEM\NBRSES.DLL: UMonitor
C:\WINDOWS\SYSTEM\MVPP32.DLL: UMonitor
C:\WINDOWS\SYSTEM\dovoiced.dll: UMonitor
C:\WINDOWS\SYSTEM\MQCPXL32.DLL: UMonitor
C:\WINDOWS\SYSTEM\dlmclien.dll: UMonitor
C:\WINDOWS\SYSTEM\TKPELIB.DLL: UMonitor
C:\WINDOWS\SYSTEM\RDCLTS3.DLL: UMonitor
C:\WINDOWS\SYSTEM\JET.DLL: UMonitor
C:\WINDOWS\SYSTEM\MEC40.DLL: UMonitor
C:\WINDOWS\SYSTEM\MWC40.DLL: UMonitor
C:\WINDOWS\SYSTEM\jpsd400.dll: UMonitor
C:\WINDOWS\SYSTEM\JXDW500.DLL: UMonitor
C:\WINDOWS\SYSTEM\WX5INF16.DLL: UMonitor
C:\WINDOWS\SYSTEM\NMRSIT.DLL: UMonitor
C:\WINDOWS\SYSTEM\dkwaved.dll: UMonitor
C:\WINDOWS\SYSTEM\RLCLTSCM.DLL: UMonitor
C:\WINDOWS\SYSTEM\tRembed.dll: UMonitor
C:\WINDOWS\SYSTEM\COHTMGRX.DLL: UMonitor
C:\WINDOWS\SYSTEM\COAXFR.DLL: UMonitor
C:\WINDOWS\SYSTEM\DVVENUM.DLL: UMonitor
C:\WINDOWS\SYSTEM\MALTUS40.DLL: UMonitor
C:\WINDOWS\SYSTEM\BZOWSEUI.DLL: UMonitor
C:\WINDOWS\SYSTEM\ANMCMPRS.DLL: UMonitor
C:\WINDOWS\SYSTEM\CLIMGX.DLL: UMonitor
C:\WINDOWS\SYSTEM\ulp10.dll: UMonitor

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
"TaskMonitor"="C:\\WINDOWS\\taskmon.exe"
"EnsoniqMixer"="C:\\WINDOWS\\starter.exe"
"Adaptec DirectCD"="C:\\PROGRA~1\\ADAPTEC\\DIRECTCD\\DIRECTCD.EXE"
"IndexSearch"="C:\\Program Files\\Scansoft\\PaperPort\\IndexSearch.exe"
"SetDefPrt"="C:\\Program Files\\Brother\\Brmfl03a\\BrStDvPt.exe"
"SystemTray"="SysTray.Exe"
"LoadPowerProfile"="Rundll32.exe powrprof.dll,LoadCurrentPwrScheme"
"MMTray"="C:\\Program Files\\Musicmatch\\Musicmatch Jukebox\\mm_tray.exe"
"vptray"="C:\\PROGRA~1\\NORTON~1\\vptray.exe"
"CreateCD"="C:\\PROGRA~1\\ADAPTEC\\EASYCD~1\\CREATECD\\CREATECD.EXE -r"
"autoupdate"="rundll32 C:\\WINDOWS\\SYSTEM\\WINUP2DATE.DLL,SHStart"
"KavSvc"="C:\\WINDOWS\\miampr.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

Have a good one :tazz:
DR04
  • 0

#29
DR04

DR04

    Member

  • Topic Starter
  • Member
  • PipPip
  • 57 posts
Efwis,

In addition to the HJT and FINDIT logs I posted this morning (see preceeding post), an interesting friend showed up again. When I first attempted to shut down my PC after posting the logs, I got the 'program not responding' error that had gone away after our work this weekend. Clicked on 'cancel', waited for the normal desktop to return, then shut down without incident. Just wanted to add that little tidbit of info for you.

DR04
:tazz:
  • 0

#30
Dragon

Dragon

    All Around Computer Nut

  • Retired Staff
  • 2,678 posts
so I see, well I want to try a new round of attack, lets see what we can do here.

Download the free VX2 Cleaner here
  • Close Ad-Aware SE build 1.05 and Ad-Watch (if running)
  • Install the VX2 Cleaner
  • Start Ad-Aware SE build 1.05
  • Go to “Plug-ins”
  • Select the VX2 Cleaner plug-in and click “Run Plugin”
  • If your computer isn't infected, click "close"
  • If your computer is infected:
  • Select “Clean System”
  • Reboot your computer
  • Scan your computer with Ad-Aware
  • Remove any VX2 objects detected
  • Reboot your computer again
  • Run a second scan to make sure the files have been removed from your computer
If you would please, rescan with HijackThis and post a fresh copy both logs in this same topic, and let us know how your system's working. :tazz:

Edited by Efwis, 07 April 2005 - 08:10 AM.

  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP