Logfile of HijackThis v1.99.1
Scan saved at 4:35:36 PM, on 4/24/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\SPOOLSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\8TENO9IJ\HIJACKTHIS[1].EXE
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.searchxl.com/ie/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = C:\WINDOWS\system32\blank.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.searchxl.com/ie/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = C:\WINDOWS\system32\searchbar.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.searchxl.com/ie/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.searchxl.com/ie/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = http://www.searchxl.com/ie/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.searchxl.com/ie/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.searchxl.com/ie/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://vevgea.t.muxa.cc/h.php?aid=586 (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.searchxl.com/ie/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.searchxl.com/ie/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.find-more.net/index.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,SearchURL = http://www.find-more.net/sp.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = http://vevgea.t.muxa.cc/h.php?aid=586 (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by PeoplePC
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
R3 - URLSearchHook: (no name) - _{707E6F76-9FFB-4920-A976-EA101271BC25} - (no file)
R3 - URLSearchHook: URLSearch Class - {965A592F-8EFA-4250-8630-7960230792F1} - C:\WINDOWS\SYSTEM\CDSM32.DLL
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497 - (no file)
R3 - URLSearchHook: (no name) - _{707E6F76-9FFB-4920-A976-EA101271BC25 - (no file)
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://www.jzwtwmwix...JBMprZ0Ko.html"); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\dnc0owbf.slt\prefs.js)
O1 - Hosts: 64.14.40.138 www.letssearch.com
O1 - Hosts: 64.14.40.138 www.searchex.com
O1 - Hosts: 64.14.40.138 search2.cometsystems.com
O1 - Hosts: 64.14.40.138 search.cometsystems.com
O1 - Hosts: 64.14.40.138 www.searchresult.net
O1 - Hosts: 64.14.40.138 www.xupiter.com
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN2\YCOMP5_5_7_0.DLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - (no file)
O2 - BHO: STOPzilla Browser Helper Object - {E3215F20-3212-11D6-9F8B-00D0B743919D} - c:\WINDOWS\SYSTEM\SZIEBHO.dll
O2 - BHO: (no name) - {08227B4B-54FE-4C4D-809F-BCA46292FC5B} - (no file)
O2 - BHO: Hecksixth - {C972D783-B87A-51C0-D417-982A654C8406} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O2 - BHO: (no name) - {B549456D-F5D0-4641-BCED-8648A0C13D83} - C:\WINDOWS\BrowserHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {70527BE4-399B-134F-C2EA-C5EE789400CE} - (no file)
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN2\YCOMP5_5_7_0.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: (no name) - {D848A3CA-0BFB-4DE0-BA9E-A57F0CCA1C13} - (no file)
O3 - Toolbar: (no name) - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [HPScanPatch] C:\WINDOWS\SYSTEM\HPScanFix.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [Keyboard Manager] C:\Program Files\Netropa\One-touch Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [Adaptec DirectCD] C:\PROGRA~1\DIRECTCD\DIRECTCD.EXE
O4 - HKLM\..\Run: [Vshwin32EXE] C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\VSHWIN32.EXE
O4 - HKLM\..\Run: [VsStatEXE] C:\Program Files\Network Associates\McAfee VirusScan\VSSTAT.EXE /SHOWWARNING
O4 - HKLM\..\Run: [2wSysTray] C:\PROGRAM FILES\2WIRE\HOMEPORTAL\2PORTALMON.EXE
O4 - HKLM\..\Run: [P2P NETWORKING] C:\WINDOWS\SYSTEM\P2P NETWORKING\P2P NETWORKING.EXE /AUTOSTART
O4 - HKLM\..\Run: [stcinstaller] c:\installer\id53.exe
O4 - HKLM\..\Run: [qyutyqwf] C:\WINDOWS\SYSTEM\tfdvdnsy.exe
O4 - HKLM\..\Run: [SysSearch] REGEDIT.EXE -s c:\ireg.reg
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [YaPU5l] C:\YPCEDTC.EXE
O4 - HKLM\..\Run: [VsecomrEXE] C:\Program Files\Network Associates\McAfee VirusScan\VSEcomR.EXE
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\pmknpv.exe
O4 - HKLM\..\Run: [EE5N76LK.EXE] C:\WINDOWS\EE5N76LK.EXE /dk
O4 - HKLM\..\Run: [ALCHEM] C:\WINDOWS\ALCHEM.exe
O4 - HKLM\..\Run: [systray] C:\WINDOWS\SYSTEM\A.EXE
O4 - HKLM\..\Run: [WAITREFWEBBIAS] C:\WINDOWS\Application Data\live dash wait ref\Castaim.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [Hidserv] Hidserv.exe run
O4 - HKLM\..\RunServices: [Vshwin32EXE] C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\VSHWIN32.EXE
O4 - HKLM\..\RunServices: [STOPzilla Service] C:\PROGRAM FILES\STOPZILLA!\SZNTSVC.EXE
O4 - HKLM\..\RunServices: [Srv32 spool service] C:\WINDOWS\System\spoolsrv32.exe
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\YAHOO!\MESSEN~1\ypager.exe -quiet
O4 - HKCU\..\Run: [AIM] C:\PROGRAM FILES\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Mozilla Quick Launch] "C:\Program Files\Netscape\Netscape\Netscp.exe" -turbo
O4 - HKCU\..\Run: [Weather] C:\PROGRAM FILES\AWS\WEATHERBUG\WEATHER.EXE 1
O4 - HKCU\..\Run: [mstask] C:\WINDOWS\mstask.exe
O4 - HKCU\..\Run: [More store] C:\WINDOWS\APPLIC~1\SECOND~1\soap draw.exe
O4 - Startup: CreataCard Gold 3 Forget Me Not Reminders Tray Icon.lnk = C:\Program Files\CreataCard\Gold\FMRemind.exe
O4 - Startup: Z5Y30OFY.lnk = C:\WINDOWS\z5y30ofy.exe
O4 - Startup: 1GIBO38Y.lnk = C:\WINDOWS\1gibo38y.exe
O4 - Startup: 4KZDE02J.lnk = C:\WINDOWS\y065gpne.exe
O4 - Startup: DHJC7MAP.lnk = C:\WINDOWS\dhjc7map.exe
O4 - Startup: ILPOLM5G.lnk = C:\WINDOWS\ilpolm5g.exe
O4 - Startup: 9U1U4WN8.lnk = C:\WINDOWS\y065gpne.exe
O4 - Startup: F0C2VA7Z.lnk = C:\WINDOWS\f0c2va7z.exe
O4 - Startup: B1EDW0MW.lnk = C:\WINDOWS\b1edw0mw.exe
O4 - Startup: RIHDXTCU.lnk = C:\WINDOWS\rihdxtcu.exe
O4 - Startup: QL69UEDL.lnk = C:\WINDOWS\ql69uedl.exe
O4 - Startup: 71DUCHJR.lnk = C:\WINDOWS\71duchjr.exe
O4 - Startup: 6JX0MTDF.lnk = C:\WINDOWS\6jx0mtdf.exe
O4 - Startup: HDYIW7IE.lnk = C:\WINDOWS\y065gpne.exe
O4 - Startup: Y065GPNE.lnk = C:\WINDOWS\y065gpne.exe
O4 - Startup: 605GJIUT.lnk = C:\WINDOWS\605gjiut.exe
O4 - Startup: 3R3LMUZN.lnk = C:\WINDOWS\3r3lmuzn.exe
O4 - Startup: 3QJ3MH8E.lnk = C:\WINDOWS\3qj3mh8e.exe
O4 - Startup: 3DZBDOL3.lnk = C:\WINDOWS\3dzbdol3.exe
O4 - Startup: 3OUGAIT8.lnk = C:\WINDOWS\3ougait8.exe
O4 - Startup: 2IRP8Z9W.lnk = C:\WINDOWS\2irp8z9w.exe
O4 - Startup: 1U8ZVGF0.lnk = C:\WINDOWS\1u8zvgf0.exe
O4 - Startup: kpit.exe
O4 - Startup: OKZMTE59.lnk = C:\WINDOWS\okzmte59.exe
O4 - Startup: Q8H1W7XZ.lnk = C:\WINDOWS\q8h1w7xz.exe
O4 - Startup: Updates from HP.lnk = C:\Program Files\BackWeb\BackWeb\Program\backweb.exe
O4 - Startup: MX9IX4XF.lnk = C:\WINDOWS\mx9ix4xf.exe
O4 - Startup: IN3Y5JMV.lnk = C:\WINDOWS\in3y5jmv.exe
O4 - Startup: CVMIGBZV.lnk = C:\WINDOWS\cvmigbzv.exe
O4 - Startup: CYZ7H7TX.lnk = C:\WINDOWS\cyz7h7tx.exe
O4 - Startup: CIOU6MYG.lnk = C:\WINDOWS\ciou6myg.exe
O4 - Startup: CA30J5KM.lnk = C:\WINDOWS\ca30j5km.exe
O4 - Startup: O9OR2M62.lnk = C:\WINDOWS\o9or2m62.exe
O4 - Global Startup: DHJC7MAP.lnk = C:\WINDOWS\dhjc7map.exe
O4 - Global Startup: REEDZ5W1.lnk = C:\WINDOWS\reedz5w1.exe
O4 - Global Startup: F0C2VA7Z.lnk = C:\WINDOWS\f0c2va7z.exe
O4 - Global Startup: 09KHZN4N.lnk = C:\WINDOWS\09khzn4n.exe
O4 - Global Startup: 1GIBO38Y.lnk = C:\WINDOWS\1gibo38y.exe
O4 - Global Startup: ILPOLM5G.lnk = C:\WINDOWS\ilpolm5g.exe
O4 - Global Startup: U2RAFEY2.lnk = ?
O4 - Global Startup: O9OR2M62.lnk = C:\WINDOWS\o9or2m62.exe
O4 - Global Startup: EM57HZCI.lnk = C:\WINDOWS\em57hzci.exe
O4 - Global Startup: 0VQM0JOC.lnk = M:\SETUP.EXE
O4 - Global Startup: PBBLJUWZ.lnk = C:\WINDOWS\pbbljuwz.exe
O4 - Global Startup: Y065GPNE.lnk = C:\WINDOWS\y065gpne.exe
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsearch.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsimilar.html
O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmtrans.html
O9 - Extra button: RealGuide - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O9 - Extra button: Wallet - {F05B7DAE-337E-11D3-83B6-00E0980647AC} - C:\WINDOWS\PEOPLEPC\BIN\PAYMEN~1.DLL
O9 - Extra button: Guide - {A6E07A80-436A-11d3-83B6-00902747E82E} - c:\windows\system\shdocvw.dll
O9 - Extra button: PeoplePC - {A6E07A82-436A-11d3-83B6-00902747E82E} - c:\windows\PeoplePC\hta\peopledialer.hta
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES.DLL
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES.DLL
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\PROGRAM FILES\YAHOO!\COMMON\YLOGIN.DLL
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\PROGRAM FILES\YAHOO!\COMMON\YLOGIN.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM95\AIM.EXE
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (HKCU)
O12 - Plugin for .pdf: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {2119776A-F1AD-4FCD-9548-F1E1C615350C} - http://www.stop-sign...scandl_cnry.cab
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -
O16 - DPF: {10101010-1010-1111-1010-101010101011} - mhtml:C:\\WINX.MHT!http://216.240.137.41/counter/ie.exe
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalci...illama/ampx.cab
O18 - Protocol hijack: mhtml -