Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

Home Page hijack[CLOSED]

Started by marylandactuary , May 14 2005 02:06 PM

  • This topic is locked This topic is locked

#1
marylandactuary
Posted 14 May 2005 - 02:06 PM

marylandactuary

    New Member

  • Member
  • Pip
  • 6 posts
I went through your suggested procedures, and I'm still having problems. My home page changes every time I reboot.

Here is my Hijack This log. Someone please help!

Logfile of HijackThis v1.99.1
Scan saved at 4:03:34 PM, on 05/14/2005
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
C:\PROGRAM FILES\NORTON INTERNET SECURITY\NISUM.EXE
C:\PROGRAM FILES\NORTON INTERNET SECURITY\CCPXYSVC.EXE
c:\windows\SYSTEM\KB891711\KB891711.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\ADDLO32.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\ACS495\MIXGHOST.EXE
C:\PROGRAM FILES\REAL\REALPLAYER\REALPLAY.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
C:\WINDOWS\SYSTEM\LEXBCES.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\CRCW.EXE
C:\PROGRAM FILES\MEDIA ACCESS\MEDIAACCK.EXE
C:\PROGRAM FILES\MEDIA ACCESS\MEDIAACCESS.EXE
C:\PROGRAM FILES\ERASER\ERASER.EXE
C:\PROGRAM FILES\SYMANTEC\LIVEUPDATE\ALUNOTIFY.EXE
C:\PROGRAM FILES\MSREFERENCE\BOOKSHELF 98\QSHELF98.EXE
C:\PROGRAM FILES\YAHOO!\MESSENGER\YMSGR_TRAY.EXE
C:\PROGRAM FILES\MSOFFICE\OFFICE\OSA.EXE
C:\WINDOWS\SYSTEM\LEXPPS.EXE
C:\PROGRAM FILES\EYETIDE MEDIA\EYETIDE VIEWER\EYETIDECONTROLLER.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\SYSTEM\INTERNAT.EXE
C:\PROGRAM FILES\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\zhqmm.dll/sp.html#44768
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\zhqmm.dll/sp.html#44768
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\zhqmm.dll/sp.html#44768
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\zhqmm.dll/sp.html#44768
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\zhqmm.dll/sp.html#44768
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\zhqmm.dll/sp.html#44768
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\zhqmm.dll/sp.html#44768
R3 - Default URLSearchHook is missing
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: Class - {C8BC9065-AF44-BC87-B7F3-1B9DA5C3979C} - C:\WINDOWS\SYSTEM\D3FQ32.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Disknag] C:\DELL\DISKNAG.EXE
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [EM_EXEC] c:\mouse\system\em_exec.exe
O4 - HKLM\..\Run: [Mixghost] C:\ACS495\MixGhost.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [cAg0u] C:\WINDOWS\SYSTEM\4FFE7780.hta
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [BookmarkCentral] C:\PROGRA~1\BMCENT~1\BMLauncher.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [CriticalUpdate] c:\windows\SYSTEM\wucrtupd.exe -startup
O4 - HKLM\..\Run: [LexStart] Lexstart.exe
O4 - HKLM\..\Run: [LexmarkPrinTray] PrinTray.exe
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "c:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [P2P NETWORKING] C:\WINDOWS\SYSTEM\P2P NETWORKING\P2P NETWORKING.EXE /AUTOSTART
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMON.EXE /Consumer
O4 - HKLM\..\Run: [mdac_runonce] C:\WINDOWS\SYSTEM\runonce.exe
O4 - HKLM\..\Run: [CRCW.EXE] C:\WINDOWS\CRCW.EXE
O4 - HKLM\..\Run: [Media Access] C:\PROGRAM FILES\MEDIA ACCESS\MediaAccK.exe
O4 - HKLM\..\RunServices: [V128IID] Rundll32.exe c:\windows\SYSTEM\v128iitw.dll,STB_InitTweak
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [EncMonitor] C:\Program Files\Encompass\Monitor.exe
O4 - HKLM\..\RunServices: [McAfeeWebScanX] C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\WebScanX.Exe /RUNSERVICES
O4 - HKLM\..\RunServices: [ccEvtMgr] "c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
O4 - HKLM\..\RunServices: [Nisum] c:\Program Files\Norton Internet Security\NISUM.EXE
O4 - HKLM\..\RunServices: [ccPxySvc] c:\PROGRA~1\NORTON~2\CCPXYSVC.EXE
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [KB891711] c:\windows\SYSTEM\KB891711\KB891711.EXE
O4 - HKLM\..\RunServices: [D3KA32.EXE] C:\WINDOWS\SYSTEM\D3KA32.EXE /s
O4 - HKLM\..\RunServices: [ADDLO32.EXE] C:\WINDOWS\SYSTEM\ADDLO32.EXE /s
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [Eraser] C:\PROGRAM FILES\ERASER\ERASER.EXE -hide
O4 - HKCU\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe
O4 - HKCU\..\Run: [Onhl] C:\WINDOWS\SYSTEM\xfpziq.exe
O4 - Startup: Qshelf.lnk = C:\Program Files\MSReference\Bookshelf 98\qshelf98.exe
O4 - Startup: Office Startup.lnk = C:\Program Files\MSOffice\Office\OSA.EXE
O4 - Startup: Eyetide Launcher.lnk = C:\Program Files\Eyetide Media\Eyetide Viewer\EyetideController.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES0522.DLL
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES0522.DLL
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\TOOLS\IESDPB.DLL (file missing)
O16 - DPF: {6EBE5A5B-2621-11D1-905C-00A0244D4224} (ReadHTML.GetHTML) - file://C:\DELL\ie4si\ReadHTML.CAB
O16 - DPF: {EE8B6D5F-FEF2-11D0-B13F-00A024798EF3} (Microsoft Search Settings Control) - http://home.microsof...rchsettings.cab
O16 - DPF: {02466323-75ED-11CF-A267-0020AF2546EA} (VivoActive Control) - http://player.vivo.com/ie/vvweb.cab
O16 - DPF: {1D59ABA8-7032-11D2-9CB0-00105A10AAF6} (IconUpdate Class) - http://ftp.won.net/p...dateControl.cab
O16 - DPF: {275E2FE0-7486-11D0-89D6-00A0C90C9B67} (MCSiMenuCtl Class) - http://activex.micro...si/mcsimenu.cab
O16 - DPF: {7D699C5B-FA08-11D0-BC8E-0020AFFA71B6} (Atomic3D Control) - http://www.atomic3d....in/a3dx1454.cab
O16 - DPF: {4351667F-8901-11D1-B31B-0060089CD339} (WonGameStart Class) - http://www.wonnet.co...tartControl.cab
O16 - DPF: {4E330863-6A11-11D0-BFD8-006097237877} (InstallFromTheWeb ActiveX Control) - http://www.installfr...ll/iftwclix.cab
O16 - DPF: {351CF0CE-B05A-11D2-ABD9-00104B685417} (PWImageControl Class) - http://ebay.sj.ipixm...tiveXImgCtl.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg...v43/yacscom.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security1.nor...n/bin/cabsa.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security1.nor...bin/AvSniff.cab
O16 - DPF: {E2CF5C45-7CCC-11D4-9BD1-0080C6F60B6A} (CouponsComBrxpdf2 Control) - http://ftp.coupons.com/brxpdf2.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {CD17FAAA-17B4-4736-AAEF-436EDC304C8C} (ContentAuditX Control) - http://a840.g.akamai...uditControl.cab
O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.24.14...tiveXImgCtl.CAB
O16 - DPF: {F7DC2A2E-FC34-11D3-B1D9-00A0C99B41BB} (Zoom Class) - http://www.zoomify.c.../zoomify204.cab
O16 - DPF: {01111E00-3E00-11D2-8470-0060089874ED} (Support.com SmartIssue) - http://support.chart...oad/tgctlsi.cab
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://support.chart...oad/tgctlcm.cab
O16 - DPF: {01111F00-3E00-11D2-8470-0060089874ED} (Support.com Installer) - http://support.chart...ad/tgctlins.cab
O16 - DPF: {27527D31-447B-11D5-A46E-0001023B4289} (CoGSManager Class) - http://gamingzone.ub...s/GSManager.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {9BFC2253-B9D9-477E-9488-CA450232620D} (BinAg1 Class) - http://pcwab.ab.moti...wActiveXCab.CAB
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windup.../bridge-c24.cab
O16 - DPF: {22A88341-AFCB-45F0-A856-C2BAE74F878E} (InstallX Class) - http://www.20x2p.com...438e6/enter.cab
O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://tdserver.bits...om/tdserver.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.app.../ITDetector.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab

Edited by marylandactuary, 14 May 2005 - 04:01 PM.

  • 0

Advertisements

#2
Guest_thatman_*
Posted 18 May 2005 - 03:28 PM

Guest_thatman_*
  • Guest
Hi marylandactuary

Please run the following free, online virus scans.
http://www.pandasoft...n_principal.htm
http://housecall.tre.../start_corp.asp
Please post the logs From Panda virus scan and HJT.log we will need them to remove previous infections that have left files on your system.

Kc :tazz:
  • 0

#3
marylandactuary
Posted 19 May 2005 - 09:48 PM

marylandactuary

    New Member

  • Topic Starter
  • Member
  • Pip
  • 6 posts
I've tried to run the Panda Software scan three times now, and it keeps freezing up after it has scanned 96557 files and 720 messages. Two boxes pop up. One with the heading Mapisp32 and the other is the Inbox Setup Wizard.

What should I do?
  • 0

#4
Guest_thatman_*
Posted 20 May 2005 - 05:12 AM

Guest_thatman_*
  • Guest
Hi marylandactuary

Please read through the instructions before you start (you may want to print this out).

Download CWShredder (there is a link in my signature), unzip it, and save it on the Desktop. Please do not run it yet, though.

Please download and unzip
About:Buster to a folder. Inside the folder is a readme file that has instructions on the use of the program.
AboutBuster MUST be updated before you use it.
Start AboutBuster, click the update button, check for update, drag the box to the side and hit download updates, close the box . Don't run it yet.

Please set your system to show all files; please see here if you're unsure how to do this.

Use windows add remove program file uninstall the following program.
C:\PROGRAM FILES\MEDIA ACCESS\MEDIAACCESS.EXE
Exit the Task Manager when finished.

Reboot into Safe Mode: please see here if you are not sure how to do this.

Please go offline, close all browsers and any open Windows, making sure that only HijackThis is open. Scan and when it finishes, put an X in the boxes, only next to these following items:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\zhqmm.dll/sp.html#44768
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\zhqmm.dll/sp.html#44768
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\zhqmm.dll/sp.html#44768
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\zhqmm.dll/sp.html#44768
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\zhqmm.dll/sp.html#44768
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\zhqmm.dll/sp.html#44768
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\zhqmm.dll/sp.html#44768
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {C8BC9065-AF44-BC87-B7F3-1B9DA5C3979C} - C:\WINDOWS\SYSTEM\D3FQ32.DLL
O4 - HKLM\..\Run: [cAg0u] C:\WINDOWS\SYSTEM\4FFE7780.hta
O4 - HKLM\..\Run: [CRCW.EXE] C:\WINDOWS\CRCW.EXE
O4 - HKLM\..\Run: [Media Access] C:\PROGRAM FILES\MEDIA ACCESS\MediaAccK.exe
O4 - HKCU\..\Run: [Onhl] C:\WINDOWS\SYSTEM\xfpziq.exe
O16 - DPF: {4351667F-8901-11D1-B31B-0060089CD339} (WonGameStart Class) - http://www.wonnet.co...tartControl.cab
O16 - DPF: {4E330863-6A11-11D0-BFD8-006097237877} (InstallFromTheWeb ActiveX Control) - http://www.installfr...ll/iftwclix.cab
O16 - DPF: {E2CF5C45-7CCC-11D4-9BD1-0080C6F60B6A} (CouponsComBrxpdf2 Control) - http://ftp.coupons.com/brxpdf2.cab
O16 - DPF: {CD17FAAA-17B4-4736-AAEF-436EDC304C8C} (ContentAuditX Control) - http://a840.g.akamai...uditControl.cab
O16 - DPF: {9BFC2253-B9D9-477E-9488-CA450232620D} (BinAg1 Class) - http://pcwab.ab.moti...wActiveXCab.CAB
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windup.../bridge-c24.cab
O16 - DPF: {22A88341-AFCB-45F0-A856-C2BAE74F878E} (InstallX Class) - http://www.20x2p.com...438e6/enter.cab
Click on Fix Checked when finished and exit HijackThis.

Start AboutBuster

Run CWShredder to fix your CWS problem.

Clean out temporary and TIF files. Go to Start > Run and type in the box: cleanmgr. Let it scan your system for files to remove. Make sure all are checked and then press *ok* to remove:

If you were unable to find any of the files then please follow these additional instructions:
Download Pocket Killbox and unzip it; save it to your Desktop.
Run killbox and click the radio button that says Delete a file on reboot. For each of the files you could not delete, paste them one at a time into the full path of file to delete box and click the red circle with a white cross in it.
The program will ask you if you want to reboot; say No each time until the last one has been pasted in whereupon you should answer Yes. Let
C:\WINDOWS\zhqmm.dll/sp.html#44768
C:\WINDOWS\SYSTEM\D3FQ32.DLL
C:\WINDOWS\SYSTEM\4FFE7780.hta
C:\WINDOWS\CRCW.EXE
C:\WINDOWS\SYSTEM\xfpziq.exe[/B]
the system reboot. When prompted.

Please run the following free, online virus scans.
http://www.pandasoft...n_principal.htm
http://housecall.tre.../start_corp.asp
Please post the logs From Panda virus scan and HJT.logWe will need them to remove previous infections that have left files on your system.

Kc :tazz:
  • 0

#5
marylandactuary
Posted 24 May 2005 - 07:21 PM

marylandactuary

    New Member

  • Topic Starter
  • Member
  • Pip
  • 6 posts
Ok, I followed your procedures.
AboutBuster was freezing up after scanning 51% of the files. It was hung up on
c:\WINDOWS\SYSTEM\wnsintsv.exe

Here are my PandaScan and HJT logs:


Incident Status Location

Adware:Adware/Adsmart No disinfected C:\WINDOWS\SYSMON.EXE
Adware:Adware/SearchAid No disinfected C:\WINDOWS\SYSTEM\ieqn.dll
Adware:Adware/Startpage.VQ No disinfected C:\WINDOWS\SYSTEM\nzkax.dll
Adware:Adware/Startpage.VQ No disinfected C:\WINDOWS\SYSTEM\hhzgn.dll
Adware:Adware/Startpage.VQ No disinfected C:\WINDOWS\SYSTEM\ckxen.dll
Adware:Adware/Startpage.VQ No disinfected C:\WINDOWS\SYSTEM\sgarh.dll
Adware:Adware/Startpage.VQ No disinfected C:\WINDOWS\SYSTEM\xkvzl.dll
Adware:Adware/Startpage.VQ No disinfected C:\WINDOWS\SYSTEM\yotac.dll
Adware:Adware/Startpage.VQ No disinfected C:\WINDOWS\SYSTEM\bmhmu.dll
Adware:Adware/SearchExe No disinfected C:\WINDOWS\SYSTEM\apijy.dll
Adware:Adware/SearchExe No disinfected C:\WINDOWS\SYSTEM\ntbp32.dll
Adware:Adware/SearchExe No disinfected C:\WINDOWS\SYSTEM\winjn.dll
Adware:Adware/SearchExe No disinfected C:\WINDOWS\SYSTEM\sdknc.dll
Adware:Adware/SearchExe No disinfected C:\WINDOWS\SYSTEM\crev.dll
Adware:Adware/Startpage.VQ No disinfected C:\WINDOWS\SYSTEM\levsz.dll
Adware:Adware/Startpage.VQ No disinfected C:\WINDOWS\SYSTEM\ssfys.dll
Adware:Adware/SearchExe No disinfected C:\WINDOWS\SYSTEM\javant.dll
Adware:Adware/SearchExe No disinfected C:\WINDOWS\SYSTEM\javafd32.dll
Adware:Adware/SearchExe No disinfected C:\WINDOWS\SYSTEM\msig.dll
Adware:Adware/SearchExe No disinfected C:\WINDOWS\SYSTEM\ntwa.dll
Adware:Adware/SearchExe No disinfected C:\WINDOWS\SYSTEM\appqv32.dll
Adware:Adware/SearchExe No disinfected C:\WINDOWS\SYSTEM\d3ep32.dll
Adware:Adware/SearchExe No disinfected C:\WINDOWS\SYSTEM\sdktz32.dll
Adware:Adware/SearchExe No disinfected C:\WINDOWS\SYSTEM\appkv32.dll
Adware:Adware/Startpage.AS No disinfected C:\WINDOWS\SYSTEM\apiip.exe
Adware:Adware/Startpage.VQ No disinfected C:\WINDOWS\SYSTEM\jsxct.dll
Adware:Adware/WUpd No disinfected C:\WINDOWS\SYSTEM\ide21201.vxd
Adware:Adware/Comet No disinfected C:\WINDOWS\TEMP\ccu\comet.cab[csbho.dll]
Adware:Adware/Comet No disinfected C:\WINDOWS\TEMP\ccu\csbho.dll
Adware:Adware/nCase No disinfected C:\WINDOWS\TEMP\BullGuard\bulldownload.exe
Adware:Adware/WinAD No disinfected C:\WINDOWS\TEMP\ICD3.tmp\MediaAccX.dll
Adware:Adware/PurityScan No disinfected C:\WINDOWS\Application Data\drro.exe
Adware:Adware/PurityScan No disinfected C:\WINDOWS\Application Data\newh.exe
Spyware:Spyware/Petro-Line No disinfected C:\WINDOWS\Downloaded Program Files\inst2.inf
Spyware:Spyware/Petro-Line No disinfected C:\WINDOWS\Favorites\Sites about\Credit counseling.url
Spyware:Spyware/Petro-Line No disinfected C:\WINDOWS\Favorites\Sites about\Insurance home.url
Spyware:Spyware/Petro-Line No disinfected C:\WINDOWS\Favorites\Sites about\Mortgage life insurance.url
Spyware:Spyware/Petro-Line No disinfected C:\WINDOWS\Favorites\Sites about\Help desk software.url
Spyware:Spyware/Petro-Line No disinfected C:\WINDOWS\Favorites\Sites about\Ab scissor.url
Spyware:Spyware/Petro-Line No disinfected C:\WINDOWS\Favorites\Sites about\Videos.url
Spyware:Spyware/Petro-Line No disinfected C:\WINDOWS\Favorites\Sites about\What is hydrocodone.url
Spyware:Spyware/Petro-Line No disinfected C:\WINDOWS\Favorites\Sites about\Online gambling casino.url
Spyware:Spyware/Petro-Line No disinfected C:\WINDOWS\Favorites\Sites about\Refinancing my mortgage.url
Spyware:Spyware/Petro-Line No disinfected C:\WINDOWS\Favorites\Sites about\Debt credit card.url
Spyware:Spyware/Petro-Line No disinfected C:\WINDOWS\Favorites\Sites about\Fha.url
Spyware:Spyware/Petro-Line No disinfected C:\WINDOWS\Favorites\Sites about\Loan for debt consolidation.url
Spyware:Spyware/Petro-Line No disinfected C:\WINDOWS\Favorites\Sites about\Health insurance.url
Spyware:Spyware/Petro-Line No disinfected C:\WINDOWS\Favorites\Sites about\Personal loans online.url
Spyware:Spyware/Petro-Line No disinfected C:\WINDOWS\Favorites\Sites about\Payroll advance.url
Spyware:Spyware/Petro-Line No disinfected C:\WINDOWS\Favorites\Sites about\Marketing email.url
Spyware:Spyware/Petro-Line No disinfected C:\WINDOWS\Favorites\Sites about\Prescription Drugs Rx Online.url
Spyware:Spyware/Petro-Line No disinfected C:\WINDOWS\Favorites\Sites about\Credit report.url
Spyware:Spyware/Petro-Line No disinfected C:\WINDOWS\Favorites\Sites about\Tahoe vacation rental.url
Spyware:Spyware/Petro-Line No disinfected C:\WINDOWS\Favorites\Sites about\Escorts.url
Spyware:Spyware/Petro-Line No disinfected C:\WINDOWS\Favorites\Sites about\Order phentermine.url
Spyware:Spyware/Petro-Line No disinfected C:\WINDOWS\Favorites\Sites about\Mortgage insurance.url
Spyware:Spyware/Petro-Line No disinfected C:\WINDOWS\Favorites\Sites about\Personal loans with bad credit.url
Spyware:Spyware/Petro-Line No disinfected C:\WINDOWS\Favorites\Sites about\Crm software.url
Spyware:Spyware/Petro-Line No disinfected C:\WINDOWS\Favorites\Sites about\Nevada corporations.url
Spyware:Spyware/Petro-Line No disinfected C:\WINDOWS\Favorites\Sites about\Unsecured bad credit loans.url
Spyware:Spyware/Petro-Line No disinfected C:\WINDOWS\Favorites\Sites about\Loan for people with bad credit.url
Spyware:Spyware/Petro-Line No disinfected C:\WINDOWS\Favorites\Sites about\Broadband comparison.url
Spyware:Spyware/Petro-Line No disinfected C:\WINDOWS\Favorites\Sites about\Online Betting Site.url
Spyware:Spyware/Petro-Line No disinfected C:\WINDOWS\Favorites\Sites about\Online instant loan.url
Adware:Adware/SearchAid No disinfected C:\WINDOWS\Favorites\Only sex website.url
Adware:Adware/SearchAid No disinfected C:\WINDOWS\Favorites\Seven days of free [bleep].url
Adware:Adware/Twain-Tech No disinfected C:\WINDOWS\smdat32a.sys
Adware:Adware/Twain-Tech No disinfected C:\WINDOWS\smdat32m.sys
Adware:Adware/Gator No disinfected C:\WINDOWS\GatorUninstaller_cme.log
Adware:Adware/Gator No disinfected C:\WINDOWS\GatorUninstaller_cme_u.log
Adware:Adware/SearchAid No disinfected C:\WINDOWS\EXPLORER.EXE.$$$
Adware:Adware/SearchAid No disinfected C:\WINDOWS\Application
Adware:Adware/Startpage.VQ No disinfected C:\WINDOWS\jiwir.dll
Adware:Adware/Startpage.VQ No disinfected C:\WINDOWS\scijja.dat
Adware:Adware/SearchExe No disinfected C:\WINDOWS\n_srngln.log
Adware:Adware/SearchExe No disinfected C:\WINDOWS\n_zrlqar.dat
Adware:Adware/Startpage.VQ No disinfected C:\WINDOWS\dynkz.dll
Adware:Adware/Startpage.VQ No disinfected C:\WINDOWS\lnmfi.dll
Adware:Adware/Startpage.VQ No disinfected C:\WINDOWS\oxzzhh.txt
Adware:Adware/Startpage.VQ No disinfected C:\WINDOWS\djcqv.dll
Adware:Adware/Startpage.VQ No disinfected C:\WINDOWS\hldwpd.txt
Adware:Adware/SearchExe No disinfected C:\WINDOWS\winnn32.dll
Adware:Adware/Startpage.VQ No disinfected C:\WINDOWS\zisejf.log
Adware:Adware/Startpage.VQ No disinfected C:\WINDOWS\zpqadu.dat
Adware:Adware/Startpage.VQ No disinfected C:\WINDOWS\vlprw.dll
Adware:Adware/Startpage.VQ No disinfected C:\WINDOWS\yiipz.dll
Adware:Adware/Startpage.VQ No disinfected C:\WINDOWS\cgmap.dll
Adware:Adware/Startpage.VQ No disinfected C:\WINDOWS\ikhit.dll
Adware:Adware/Startpage.VQ No disinfected C:\WINDOWS\ezhza.dll
Adware:Adware/Startpage.VQ No disinfected C:\WINDOWS\vnolh.dll
Adware:Adware/MyWay No disinfected C:\Program Files\MyWay\myBar\1.bin\MY2NS.EXE
Adware:Adware/MyWay No disinfected C:\Program Files\MyWay\myBar\1.bin\NPMYWAY.DLL
Adware:Adware/WUpd No disinfected C:\Program Files\Media Access\MediaAccC.dll
HJT log:
Logfile of HijackThis v1.99.1
Scan saved at 9:17:48 PM, on 05/24/2005
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
C:\PROGRAM FILES\NORTON INTERNET SECURITY\NISUM.EXE
C:\PROGRAM FILES\NORTON INTERNET SECURITY\CCPXYSVC.EXE
c:\windows\SYSTEM\KB891711\KB891711.EXE
C:\PROGRAM FILES\COMMON FILES\STOPZILLA!\SZSERVER.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\ACS495\MIXGHOST.EXE
C:\PROGRAM FILES\REAL\REALPLAYER\REALPLAY.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
C:\WINDOWS\SYSTEM\LEXBCES.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\STOPZILLA!\STOPZILLA.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\PROGRAM FILES\ERASER\ERASER.EXE
C:\PROGRAM FILES\SYMANTEC\LIVEUPDATE\ALUNOTIFY.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\PROGRAM FILES\MSREFERENCE\BOOKSHELF 98\QSHELF98.EXE
C:\PROGRAM FILES\MSOFFICE\OFFICE\OSA.EXE
C:\PROGRAM FILES\EYETIDE MEDIA\EYETIDE VIEWER\EYETIDECONTROLLER.EXE
C:\PROGRAM FILES\YAHOO!\MESSENGER\YMSGR_TRAY.EXE
C:\WINDOWS\SYSTEM\LEXPPS.EXE
C:\WINDOWS\SYSTEM\INTERNAT.EXE
C:\PROGRAM FILES\HIJACKTHIS\HIJACKTHIS.EXE

O2 - BHO: STOPzilla Browser Helper Object - {E3215F20-3212-11D6-9F8B-00D0B743919D} - c:\Program Files\STOPzilla!\SZIEBHO.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Disknag] C:\DELL\DISKNAG.EXE
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [EM_EXEC] c:\mouse\system\em_exec.exe
O4 - HKLM\..\Run: [Mixghost] C:\ACS495\MixGhost.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [BookmarkCentral] C:\PROGRA~1\BMCENT~1\BMLauncher.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [CriticalUpdate] c:\windows\SYSTEM\wucrtupd.exe -startup
O4 - HKLM\..\Run: [LexStart] Lexstart.exe
O4 - HKLM\..\Run: [LexmarkPrinTray] PrinTray.exe
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "c:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [P2P NETWORKING] C:\WINDOWS\SYSTEM\P2P NETWORKING\P2P NETWORKING.EXE /AUTOSTART
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMON.EXE /Consumer
O4 - HKLM\..\Run: [mdac_runonce] C:\WINDOWS\SYSTEM\runonce.exe
O4 - HKLM\..\Run: [STOPzilla] C:\PROGRAM FILES\STOPZILLA!\STOPZILLA.EXE /autostart
O4 - HKLM\..\RunServices: [V128IID] Rundll32.exe c:\windows\SYSTEM\v128iitw.dll,STB_InitTweak
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [EncMonitor] C:\Program Files\Encompass\Monitor.exe
O4 - HKLM\..\RunServices: [McAfeeWebScanX] C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\WebScanX.Exe /RUNSERVICES
O4 - HKLM\..\RunServices: [ccEvtMgr] "c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
O4 - HKLM\..\RunServices: [Nisum] c:\Program Files\Norton Internet Security\NISUM.EXE
O4 - HKLM\..\RunServices: [ccPxySvc] c:\PROGRA~1\NORTON~2\CCPXYSVC.EXE
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [KB891711] c:\windows\SYSTEM\KB891711\KB891711.EXE
O4 - HKLM\..\RunServices: [D3KA32.EXE] C:\WINDOWS\SYSTEM\D3KA32.EXE /s
O4 - HKLM\..\RunServices: [szserver] "C:\PROGRAM FILES\COMMON FILES\STOPZILLA!\SZSERVER.EXE" szserver
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [Eraser] C:\PROGRAM FILES\ERASER\ERASER.EXE -hide
O4 - HKCU\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe
O4 - HKCU\..\RunServices: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\RunServices: [Eraser] C:\PROGRAM FILES\ERASER\ERASER.EXE -hide
O4 - HKCU\..\RunServices: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe
O4 - Startup: Qshelf.lnk = C:\Program Files\MSReference\Bookshelf 98\qshelf98.exe
O4 - Startup: Office Startup.lnk = C:\Program Files\MSOffice\Office\OSA.EXE
O4 - Startup: Eyetide Launcher.lnk = C:\Program Files\Eyetide Media\Eyetide Viewer\EyetideController.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES0522.DLL
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES0522.DLL
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\TOOLS\IESDPB.DLL (file missing)
O16 - DPF: {6EBE5A5B-2621-11D1-905C-00A0244D4224} (ReadHTML.GetHTML) - file://C:\DELL\ie4si\ReadHTML.CAB
O16 - DPF: {EE8B6D5F-FEF2-11D0-B13F-00A024798EF3} (Microsoft Search Settings Control) - http://home.microsof...rchsettings.cab
O16 - DPF: {02466323-75ED-11CF-A267-0020AF2546EA} (VivoActive Control) - http://player.vivo.com/ie/vvweb.cab
O16 - DPF: {1D59ABA8-7032-11D2-9CB0-00105A10AAF6} (IconUpdate Class) - http://ftp.won.net/p...dateControl.cab
O16 - DPF: {275E2FE0-7486-11D0-89D6-00A0C90C9B67} (MCSiMenuCtl Class) - http://activex.micro...si/mcsimenu.cab
O16 - DPF: {7D699C5B-FA08-11D0-BC8E-0020AFFA71B6} (Atomic3D Control) - http://www.atomic3d....in/a3dx1454.cab
O16 - DPF: {351CF0CE-B05A-11D2-ABD9-00104B685417} (PWImageControl Class) - http://ebay.sj.ipixm...tiveXImgCtl.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg...v43/yacscom.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security1.nor...n/bin/cabsa.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security1.nor...bin/AvSniff.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.24.14...tiveXImgCtl.CAB
O16 - DPF: {F7DC2A2E-FC34-11D3-B1D9-00A0C99B41BB} (Zoom Class) - http://www.zoomify.c.../zoomify204.cab
O16 - DPF: {01111E00-3E00-11D2-8470-0060089874ED} (Support.com SmartIssue) - http://support.chart...oad/tgctlsi.cab
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://support.chart...oad/tgctlcm.cab
O16 - DPF: {01111F00-3E00-11D2-8470-0060089874ED} (Support.com Installer) - http://support.chart...ad/tgctlins.cab
O16 - DPF: {27527D31-447B-11D5-A46E-0001023B4289} (CoGSManager Class) - http://gamingzone.ub...s/GSManager.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {9BFC2253-B9D9-477E-9488-CA450232620D} (BinAg1 Class) - http://pcwab.ab.moti...wActiveXCab.CAB
O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://tdserver.bits...om/tdserver.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.app.../ITDetector.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab

What should I do next?
  • 0

#6
Guest_thatman_*
Posted 25 May 2005 - 02:21 AM

Guest_thatman_*
  • Guest
Hi marylandactuary

Please download and install AD-Aware.
Check Here on how setup and use it - please make sure you update it first.

Run AboutBuster . This will scan your computer for the bad files and delete them. Save the report (copy and paste into notepad or wordpad and save as a .txt file) and post a copy back here when you are done with all the steps.

Scan with AdAware and let it remove any bad files found.

Clean out temporary and TIF files. Go to Start > Run and type in the box: cleanmgr. Let it scan your system for files to remove. Make sure all are checked and then press *ok* to remove:

Run CW-Shredder - Hit the FIX button - let it run and fix what it finds.

Run killbox and click the radio button that says Delete a file on reboot.
Copy and Paste them one at a time into the full path of file to delete box and click the red circle with a white cross in it.
The program will ask you if you want to reboot; say No each time until the last one has been pasted in where upon you should answer Yes.
C:\WINDOWS\SYSTEM\wnsintsv.exe
C:\WINDOWS\SYSMON.EXE
C:\WINDOWS\SYSTEM\ieqn.dll
C:\WINDOWS\SYSTEM\nzkax.dll
C:\WINDOWS\SYSTEM\hhzgn.dll
C:\WINDOWS\SYSTEM\ckxen.dll
C:\WINDOWS\SYSTEM\sgarh.dll
C:\WINDOWS\SYSTEM\xkvzl.dll
C:\WINDOWS\SYSTEM\yotac.dll
C:\WINDOWS\SYSTEM\bmhmu.dll
C:\WINDOWS\SYSTEM\apijy.dll
C:\WINDOWS\SYSTEM\ntbp32.dll
C:\WINDOWS\SYSTEM\winjn.dll
C:\WINDOWS\SYSTEM\sdknc.dll
C:\WINDOWS\SYSTEM\crev.dll
C:\WINDOWS\SYSTEM\levsz.dll
C:\WINDOWS\SYSTEM\ssfys.dll
C:\WINDOWS\SYSTEM\javant.dll
C:\WINDOWS\SYSTEM\javafd32.dll
C:\WINDOWS\SYSTEM\msig.dll
C:\WINDOWS\SYSTEM\ntwa.dll
C:\WINDOWS\SYSTEM\appqv32.dll
C:\WINDOWS\SYSTEM\d3ep32.dll
C:\WINDOWS\SYSTEM\sdktz32.dll
C:\WINDOWS\SYSTEM\appkv32.dll
C:\WINDOWS\SYSTEM\apiip.exe
C:\WINDOWS\SYSTEM\jsxct.dll
C:\WINDOWS\SYSTEM\ide21201.vxd
C:\WINDOWS\TEMP\ccu\comet.cab[csbho.dll]
C:\WINDOWS\TEMP\ccu\csbho.dll
C:\WINDOWS\TEMP\BullGuard\bulldownload.exe
C:\WINDOWS\TEMP\ICD3.tmp\MediaAccX.dll
C:\WINDOWS\Application Data\drro.exe
C:\WINDOWS\Application Data\newh.exe
C:\WINDOWS\Downloaded Program Files\inst2.inf
C:\WINDOWS\Favorites\Sites about\Credit counseling.url
C:\WINDOWS\Favorites\Sites about\Insurance home.url
C:\WINDOWS\Favorites\Sites about\Mortgage life insurance.url
C:\WINDOWS\Favorites\Sites about\Help desk software.url
C:\WINDOWS\Favorites\Sites about\Ab scissor.url
C:\WINDOWS\Favorites\Sites about\Videos.url
C:\WINDOWS\Favorites\Sites about\What is hydrocodone.url
C:\WINDOWS\Favorites\Sites about\Online gambling casino.url
C:\WINDOWS\Favorites\Sites about\Refinancing my mortgage.url
C:\WINDOWS\Favorites\Sites about\Debt credit card.url
C:\WINDOWS\Favorites\Sites about\Fha.url
C:\WINDOWS\Favorites\Sites about\Loan for debt consolidation.url
C:\WINDOWS\Favorites\Sites about\Health insurance.url
C:\WINDOWS\Favorites\Sites about\Personal loans online.url
C:\WINDOWS\Favorites\Sites about\Payroll advance.url
C:\WINDOWS\Favorites\Sites about\Marketing email.url
C:\WINDOWS\Favorites\Sites about\Prescription Drugs Rx Online.url
C:\WINDOWS\Favorites\Sites about\Credit report.url
C:\WINDOWS\Favorites\Sites about\Tahoe vacation rental.url
C:\WINDOWS\Favorites\Sites about\Escorts.url
C:\WINDOWS\Favorites\Sites about\Order phentermine.url
C:\WINDOWS\Favorites\Sites about\Mortgage insurance.url
C:\WINDOWS\Favorites\Sites about\Personal loans with bad credit.url
C:\WINDOWS\Favorites\Sites about\Crm software.url
C:\WINDOWS\Favorites\Sites about\Nevada corporations.url
C:\WINDOWS\Favorites\Sites about\Unsecured bad credit loans.url
C:\WINDOWS\Favorites\Sites about\Loan for people with bad credit.url
C:\WINDOWS\Favorites\Sites about\Broadband comparison.url
C:\WINDOWS\Favorites\Sites about\Online Betting Site.url
C:\WINDOWS\Favorites\Sites about\Online instant loan.url
C:\WINDOWS\Favorites\Only sex website.url
C:\WINDOWS\Favorites\Seven days of free [bleep].url
C:\WINDOWS\smdat32a.sys
C:\WINDOWS\smdat32m.sys
C:\WINDOWS\GatorUninstaller_cme.log
C:\WINDOWS\GatorUninstaller_cme_u.log
C:\WINDOWS\EXPLORER.EXE.$$$
C:\WINDOWS\Application
C:\WINDOWS\jiwir.dll
C:\WINDOWS\scijja.dat
C:\WINDOWS\n_srngln.log
C:\WINDOWS\n_zrlqar.dat
C:\WINDOWS\dynkz.dll
C:\WINDOWS\lnmfi.dll
C:\WINDOWS\oxzzhh.txt
C:\WINDOWS\djcqv.dll
C:\WINDOWS\hldwpd.txt
C:\WINDOWS\winnn32.dll
C:\WINDOWS\zisejf.log
C:\WINDOWS\zpqadu.dat
C:\WINDOWS\vlprw.dll
C:\WINDOWS\yiipz.dll
C:\WINDOWS\cgmap.dll
C:\WINDOWS\ikhit.dll
C:\WINDOWS\ezhza.dll
C:\WINDOWS\vnolh.dll
C:\Program Files\MyWay\myBar\1.bin\MY2NS.EXE
C:\Program Files\MyWay\myBar\1.bin\NPMYWAY.DLL
C:\Program Files\Media Access\MediaAccC.dll
Let the system reboot

Please run the following free, online virus scans.
http://www.pandasoft...n_principal.htm
http://housecall.tre.../start_corp.asp
Please post the logs From Panda virus scan and HJT.log we will need them to remove previous infections that have left files on your system.

Kc :tazz:
  • 0

#7
marylandactuary
Posted 30 May 2005 - 04:07 PM

marylandactuary

    New Member

  • Topic Starter
  • Member
  • Pip
  • 6 posts
I did what you suggested and here are my new PandaScan and HJT logs:


Incident Status Location

Adware:Adware/Comet No disinfected C:\WINDOWS\TEMP\ccu\comet.cab[csbho.dll]


Logfile of HijackThis v1.99.1
Scan saved at 10:21:52 AM, on 05/30/2005
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
C:\PROGRAM FILES\NORTON INTERNET SECURITY\NISUM.EXE
C:\PROGRAM FILES\NORTON INTERNET SECURITY\CCPXYSVC.EXE
c:\windows\SYSTEM\KB891711\KB891711.EXE
C:\PROGRAM FILES\COMMON FILES\STOPZILLA!\SZSERVER.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\ACS495\MIXGHOST.EXE
C:\PROGRAM FILES\REAL\REALPLAYER\REALPLAY.EXE
C:\WINDOWS\LOADQM.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\LEXBCES.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\PROGRAM FILES\ERASER\ERASER.EXE
C:\PROGRAM FILES\SYMANTEC\LIVEUPDATE\ALUNOTIFY.EXE
C:\PROGRAM FILES\MSREFERENCE\BOOKSHELF 98\QSHELF98.EXE
C:\PROGRAM FILES\MSOFFICE\OFFICE\OSA.EXE
C:\PROGRAM FILES\EYETIDE MEDIA\EYETIDE VIEWER\EYETIDECONTROLLER.EXE
C:\PROGRAM FILES\YAHOO!\MESSENGER\YMSGR_TRAY.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\SYSTEM\LEXPPS.EXE
C:\WINDOWS\SYSTEM\INTERNAT.EXE
C:\PROGRAM FILES\HIJACKTHIS\HIJACKTHIS.EXE

O2 - BHO: STOPzilla Browser Helper Object - {E3215F20-3212-11D6-9F8B-00D0B743919D} - c:\Program Files\STOPzilla!\SZIEBHO.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Disknag] C:\DELL\DISKNAG.EXE
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [EM_EXEC] c:\mouse\system\em_exec.exe
O4 - HKLM\..\Run: [Mixghost] C:\ACS495\MixGhost.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [BookmarkCentral] C:\PROGRA~1\BMCENT~1\BMLauncher.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [CriticalUpdate] c:\windows\SYSTEM\wucrtupd.exe -startup
O4 - HKLM\..\Run: [LexStart] Lexstart.exe
O4 - HKLM\..\Run: [LexmarkPrinTray] PrinTray.exe
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "c:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [P2P NETWORKING] C:\WINDOWS\SYSTEM\P2P NETWORKING\P2P NETWORKING.EXE /AUTOSTART
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMON.EXE /Consumer
O4 - HKLM\..\Run: [mdac_runonce] C:\WINDOWS\SYSTEM\runonce.exe
O4 - HKLM\..\Run: [STOPzilla] C:\PROGRAM FILES\STOPZILLA!\STOPZILLA.EXE /autostart
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\RunServices: [V128IID] Rundll32.exe c:\windows\SYSTEM\v128iitw.dll,STB_InitTweak
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [EncMonitor] C:\Program Files\Encompass\Monitor.exe
O4 - HKLM\..\RunServices: [McAfeeWebScanX] C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\WebScanX.Exe /RUNSERVICES
O4 - HKLM\..\RunServices: [ccEvtMgr] "c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
O4 - HKLM\..\RunServices: [Nisum] c:\Program Files\Norton Internet Security\NISUM.EXE
O4 - HKLM\..\RunServices: [ccPxySvc] c:\PROGRA~1\NORTON~2\CCPXYSVC.EXE
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [KB891711] c:\windows\SYSTEM\KB891711\KB891711.EXE
O4 - HKLM\..\RunServices: [D3KA32.EXE] C:\WINDOWS\SYSTEM\D3KA32.EXE /s
O4 - HKLM\..\RunServices: [szserver] "C:\PROGRAM FILES\COMMON FILES\STOPZILLA!\SZSERVER.EXE" szserver
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [Eraser] C:\PROGRAM FILES\ERASER\ERASER.EXE -hide
O4 - HKCU\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe
O4 - Startup: Qshelf.lnk = C:\Program Files\MSReference\Bookshelf 98\qshelf98.exe
O4 - Startup: Office Startup.lnk = C:\Program Files\MSOffice\Office\OSA.EXE
O4 - Startup: Eyetide Launcher.lnk = C:\Program Files\Eyetide Media\Eyetide Viewer\EyetideController.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES0522.DLL
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES0522.DLL
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\TOOLS\IESDPB.DLL (file missing)
O16 - DPF: {6EBE5A5B-2621-11D1-905C-00A0244D4224} (ReadHTML.GetHTML) - file://C:\DELL\ie4si\ReadHTML.CAB
O16 - DPF: {EE8B6D5F-FEF2-11D0-B13F-00A024798EF3} (Microsoft Search Settings Control) - http://home.microsof...rchsettings.cab
O16 - DPF: {02466323-75ED-11CF-A267-0020AF2546EA} (VivoActive Control) - http://player.vivo.com/ie/vvweb.cab
O16 - DPF: {1D59ABA8-7032-11D2-9CB0-00105A10AAF6} (IconUpdate Class) - http://ftp.won.net/p...dateControl.cab
O16 - DPF: {275E2FE0-7486-11D0-89D6-00A0C90C9B67} (MCSiMenuCtl Class) - http://activex.micro...si/mcsimenu.cab
O16 - DPF: {7D699C5B-FA08-11D0-BC8E-0020AFFA71B6} (Atomic3D Control) - http://www.atomic3d....in/a3dx1454.cab
O16 - DPF: {351CF0CE-B05A-11D2-ABD9-00104B685417} (PWImageControl Class) - http://ebay.sj.ipixm...tiveXImgCtl.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg...v43/yacscom.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security1.nor...n/bin/cabsa.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security1.nor...bin/AvSniff.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.24.14...tiveXImgCtl.CAB
O16 - DPF: {F7DC2A2E-FC34-11D3-B1D9-00A0C99B41BB} (Zoom Class) - http://www.zoomify.c.../zoomify204.cab
O16 - DPF: {01111E00-3E00-11D2-8470-0060089874ED} (Support.com SmartIssue) - http://support.chart...oad/tgctlsi.cab
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://support.chart...oad/tgctlcm.cab
O16 - DPF: {01111F00-3E00-11D2-8470-0060089874ED} (Support.com Installer) - http://support.chart...ad/tgctlins.cab
O16 - DPF: {27527D31-447B-11D5-A46E-0001023B4289} (CoGSManager Class) - http://gamingzone.ub...s/GSManager.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {9BFC2253-B9D9-477E-9488-CA450232620D} (BinAg1 Class) - http://pcwab.ab.moti...wActiveXCab.CAB
O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://tdserver.bits...om/tdserver.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.app.../ITDetector.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab

Now what should I do?
  • 0

#8
Guest_thatman_*
Posted 30 May 2005 - 07:30 PM

Guest_thatman_*
  • Guest
Hi marylandactuary

Please read through the instructions before you start (you may want to print this out).

Please set your system to show all files; please see here if you're unsure how to do this.

Please go offline, close all browsers and any open Windows, making sure that only HijackThis is open. Scan and when it finishes, put an X in the boxes, only next to these following items:
O4 - HKLM\..\Run: [CriticalUpdate] c:\windows\SYSTEM\wucrtupd.exe -startup
O16 - DPF: {1D59ABA8-7032-11D2-9CB0-00105A10AAF6} (IconUpdate Class) - http://ftp.won.net/p...dateControl.cab
O16 - DPF: {275E2FE0-7486-11D0-89D6-00A0C90C9B67} (MCSiMenuCtl Class) - http://activex.micro...si/mcsimenu.cab
O16 - DPF: {9BFC2253-B9D9-477E-9488-CA450232620D} (BinAg1 Class) - http://pcwab.ab.moti...wActiveXCab.CAB
Click on Fix Checked when finished and exit HijackThis.

[*]Reboot into Safe Mode: please see here if you are not sure how to do this.

Using Windows Explorer, locate the following files/folders, and delete them:
c:\windows\SYSTEM\wucrtupd.exe -startup<--Delete this file
Exit Explorer.Reboot as normal.

Please run the following free, online virus scans.
http://www.pandasoft...n_principal.htm
http://housecall.tre.../start_corp.asp
Please post the logs From Panda virus scan and HJT.logWe will need them to remove previous infections that have left files on your system.

Kc :tazz:
  • 0

#9
marylandactuary
Posted 30 May 2005 - 09:43 PM

marylandactuary

    New Member

  • Topic Starter
  • Member
  • Pip
  • 6 posts
Not that I am doubting your advice, but that one file you want me to delete I'm not sure about. It is:
O16 - DPF: {9BFC2253-B9D9-477E-9488-CA450232620D} (BinAg1 Class) - http://pcwab.ab.moti...wActiveXCab.CAB

With "atlantic" in the address, are you sure that's not a necessary file from my internet provider (Atlantic Broadband)?

Thanks so much for your help so far!
  • 0

#10
Guest_thatman_*
Posted 30 May 2005 - 11:09 PM

Guest_thatman_*
  • Guest
Hi marylandactuary

Keep the file O16 - DPF: {9BFC2253-B9D9-477E-9488-CA450232620D} (BinAg1 Class) - http://pcwab.ab.moti...wActiveXCab.CAB

Just for your information deleting any 016 entry is very safe the next time the application contacts the vendor it will be downloaded again.

Kc :tazz:
  • 0

#11
marylandactuary
Posted 31 May 2005 - 09:48 PM

marylandactuary

    New Member

  • Topic Starter
  • Member
  • Pip
  • 6 posts
Updated PandaScan and HJT logs below:


Incident Status Location

Adware:Adware/Comet No disinfected C:\WINDOWS\TEMP\ccu\comet.cab[csbho.dll]


Logfile of HijackThis v1.99.1
Scan saved at 11:45:45 PM, on 05/31/2005
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
C:\PROGRAM FILES\NORTON INTERNET SECURITY\NISUM.EXE
C:\PROGRAM FILES\NORTON INTERNET SECURITY\CCPXYSVC.EXE
c:\windows\SYSTEM\KB891711\KB891711.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\PROGRAM FILES\COMMON FILES\STOPZILLA!\SZSERVER.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\ACS495\MIXGHOST.EXE
C:\PROGRAM FILES\REAL\REALPLAYER\REALPLAY.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\LEXBCES.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\PROGRAM FILES\ERASER\ERASER.EXE
C:\PROGRAM FILES\SYMANTEC\LIVEUPDATE\ALUNOTIFY.EXE
C:\PROGRAM FILES\MSREFERENCE\BOOKSHELF 98\QSHELF98.EXE
C:\PROGRAM FILES\MSOFFICE\OFFICE\OSA.EXE
C:\PROGRAM FILES\EYETIDE MEDIA\EYETIDE VIEWER\EYETIDECONTROLLER.EXE
C:\PROGRAM FILES\YAHOO!\MESSENGER\YMSGR_TRAY.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\SYSTEM\LEXPPS.EXE
C:\WINDOWS\SYSTEM\INTERNAT.EXE
C:\PROGRAM FILES\HIJACKTHIS\HIJACKTHIS.EXE

O2 - BHO: STOPzilla Browser Helper Object - {E3215F20-3212-11D6-9F8B-00D0B743919D} - c:\Program Files\STOPzilla!\SZIEBHO.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Disknag] C:\DELL\DISKNAG.EXE
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [EM_EXEC] c:\mouse\system\em_exec.exe
O4 - HKLM\..\Run: [Mixghost] C:\ACS495\MixGhost.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [BookmarkCentral] C:\PROGRA~1\BMCENT~1\BMLauncher.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [LexStart] Lexstart.exe
O4 - HKLM\..\Run: [LexmarkPrinTray] PrinTray.exe
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "c:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [P2P NETWORKING] C:\WINDOWS\SYSTEM\P2P NETWORKING\P2P NETWORKING.EXE /AUTOSTART
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMON.EXE /Consumer
O4 - HKLM\..\Run: [mdac_runonce] C:\WINDOWS\SYSTEM\runonce.exe
O4 - HKLM\..\Run: [STOPzilla] C:\PROGRAM FILES\STOPZILLA!\STOPZILLA.EXE /autostart
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\RunServices: [V128IID] Rundll32.exe c:\windows\SYSTEM\v128iitw.dll,STB_InitTweak
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [EncMonitor] C:\Program Files\Encompass\Monitor.exe
O4 - HKLM\..\RunServices: [McAfeeWebScanX] C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\WebScanX.Exe /RUNSERVICES
O4 - HKLM\..\RunServices: [ccEvtMgr] "c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
O4 - HKLM\..\RunServices: [Nisum] c:\Program Files\Norton Internet Security\NISUM.EXE
O4 - HKLM\..\RunServices: [ccPxySvc] c:\PROGRA~1\NORTON~2\CCPXYSVC.EXE
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [KB891711] c:\windows\SYSTEM\KB891711\KB891711.EXE
O4 - HKLM\..\RunServices: [D3KA32.EXE] C:\WINDOWS\SYSTEM\D3KA32.EXE /s
O4 - HKLM\..\RunServices: [szserver] "C:\PROGRAM FILES\COMMON FILES\STOPZILLA!\SZSERVER.EXE" szserver
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [Eraser] C:\PROGRAM FILES\ERASER\ERASER.EXE -hide
O4 - HKCU\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe
O4 - Startup: Qshelf.lnk = C:\Program Files\MSReference\Bookshelf 98\qshelf98.exe
O4 - Startup: Office Startup.lnk = C:\Program Files\MSOffice\Office\OSA.EXE
O4 - Startup: Eyetide Launcher.lnk = C:\Program Files\Eyetide Media\Eyetide Viewer\EyetideController.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES0522.DLL
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES0522.DLL
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\TOOLS\IESDPB.DLL (file missing)
O16 - DPF: {6EBE5A5B-2621-11D1-905C-00A0244D4224} (ReadHTML.GetHTML) - file://C:\DELL\ie4si\ReadHTML.CAB
O16 - DPF: {EE8B6D5F-FEF2-11D0-B13F-00A024798EF3} (Microsoft Search Settings Control) - http://home.microsof...rchsettings.cab
O16 - DPF: {02466323-75ED-11CF-A267-0020AF2546EA} (VivoActive Control) - http://player.vivo.com/ie/vvweb.cab
O16 - DPF: {7D699C5B-FA08-11D0-BC8E-0020AFFA71B6} (Atomic3D Control) - http://www.atomic3d....in/a3dx1454.cab
O16 - DPF: {351CF0CE-B05A-11D2-ABD9-00104B685417} (PWImageControl Class) - http://ebay.sj.ipixm...tiveXImgCtl.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg...v43/yacscom.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security1.nor...n/bin/cabsa.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security1.nor...bin/AvSniff.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.24.14...tiveXImgCtl.CAB
O16 - DPF: {F7DC2A2E-FC34-11D3-B1D9-00A0C99B41BB} (Zoom Class) - http://www.zoomify.c.../zoomify204.cab
O16 - DPF: {01111E00-3E00-11D2-8470-0060089874ED} (Support.com SmartIssue) - http://support.chart...oad/tgctlsi.cab
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://support.chart...oad/tgctlcm.cab
O16 - DPF: {01111F00-3E00-11D2-8470-0060089874ED} (Support.com Installer) - http://support.chart...ad/tgctlins.cab
O16 - DPF: {27527D31-447B-11D5-A46E-0001023B4289} (CoGSManager Class) - http://gamingzone.ub...s/GSManager.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {9BFC2253-B9D9-477E-9488-CA450232620D} (BinAg1 Class) - http://pcwab.ab.moti...wActiveXCab.CAB
O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://tdserver.bits...om/tdserver.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.app.../ITDetector.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab

What's next?
  • 0

#12
Guest_thatman_*
Posted 01 June 2005 - 03:41 AM

Guest_thatman_*
  • Guest
Hi marylandactuary

Please read through the instructions before you start (you may want to print this out).

Please set your system to show all files; please see here if you're unsure how to do this.

Please go offline, close all browsers and any open Windows, making sure that only HijackThis is open. Scan and when it finishes, put an X in the boxes, only next to these following items:
O4 - HKLM\..\RunServices: [D3KA32.EXE] C:\WINDOWS\SYSTEM\D3KA32.EXE /s
O16 - DPF: {9BFC2253-B9D9-477E-9488-CA450232620D} (BinAg1 Class) - http://pcwab.ab.moti...wActiveXCab.CAB
Click on Fix Checked when finished and exit HijackThis.

Reboot into Safe Mode: please see here if you are not sure how to do this.

Using Windows Explorer, locate the following files/folders, and delete them:
C:\WINDOWS\SYSTEM\D3KA32.EXE /s<--Delete this file
C:\WINDOWS\TEMP\ccu <--Delete the whole folder
Exit Explorer.

Run Adaware

Reboot as normal.

Please run the following free, online virus scans.
http://www.pandasoft...n_principal.htm
[b]Please post the logs From Panda virus scan and HJT.logWe will need them to remove previous infections that have left files on your system.

Kc :tazz:
  • 0

#13
Guest_thatman_*
Posted 04 June 2005 - 11:11 AM

Guest_thatman_*
  • Guest
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member with address of this thread. This applies only to the original topic starter. Everyone else please begin a New Topic.
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP