Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

help with loadingweb.com removal [RESOLVED]

Started by Jefgorbach , Aug 04 2005 08:54 AM

  • This topic is locked This topic is locked

#1
Jefgorbach
Posted 04 August 2005 - 08:54 AM

Jefgorbach

    New Member

  • Member
  • Pip
  • 3 posts
A fiendish stealth generator is cycling popups from www.loadingweb.com and www.pokerparty.com (mostly) along with sending false emails from our "IT Dept" (me!) regarding changes to password/account status with attachments bearing various viruses.

Didnt see anything new running in msconfig and the usual tools all report the system is "clean" -- Cleanup!, Ad-aware, Spybot, CWShredder, CA-Etrust (anti-virus), TrojanHunter, and SpywareDoctor.

Trendmicro's Housecall finds, but cant remove: QSEARCH.319
Google didnt find anything pertinent regarding this keyword.

Help!

Logfile of HijackThis v1.99.1
Scan saved at 10:27:28 AM, on 8/4/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\CA\ETRUST ANTIVIRUS\INOTASK.EXE
C:\PROGRAM FILES\CA\ETRUST ANTIVIRUS\INORPC.EXE
C:\PROGRAM FILES\CA\ETRUST ANTIVIRUS\INORT9X.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\CA\ETRUST ANTIVIRUS\REALMON.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\ATICWD32.EXE
C:\PROGRAM FILES\MICROSOFT ACTIVESYNC\WCESCOMM.EXE
C:\PROGRAM FILES\COMMON FILES\MOBIPOCKET SHARED\WEBCOMP.EXE
C:\PROGRAM FILES\COMMON FILES\INTUIT\QUICKBOOKS\QBUPDATE\QBUPDATE.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\windows\system32\blank.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.0.1:80
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\TOOLS\IESDPB.DLL
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\TOOLS\IESDSG.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\YCOMP5_0_2_3.DLL
O3 - Toolbar: WebFerret - {A58686ED-FC46-44C3-95C6-4A812AB776F1} - C:\Program Files\FerretSoft\WebFerret\FerretBand.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [Realtime Monitor] C:\PROGRA~1\CA\ETRUST~1\realmon.exe -s
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [AtiCwd32] Aticwd32.exe
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [InoTask] C:\Program Files\CA\eTrust Antivirus\InoTask.exe
O4 - HKLM\..\RunServices: [InoRPC] C:\Program Files\CA\eTrust Antivirus\InoRPC.exe
O4 - HKLM\..\RunServices: [InoRT] C:\Program Files\CA\eTrust Antivirus\InoRT9X.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\PROGRAM FILES\MICROSOFT ACTIVESYNC\WCESCOMM.EXE"
O4 - HKCU\..\Run: [Mobipocket Web Companion] C:\PROGRAM FILES\COMMON FILES\MOBIPOCKET SHARED\WEBCOMP.EXE -m
O4 - Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\QBUpdate.exe
O8 - Extra context menu item: Search Using Copernic - C:\Program Files\Copernic 2001 Basic\Search Extension.htm
O8 - Extra context menu item: &Document Tree - C:\WINDOWS\web\tree.htm
O8 - Extra context menu item: View Partial So&urce - C:\WINDOWS\web\source.htm
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmwordtrans.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsimilar.html
O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate Page into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmtrans.html
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INETREPL.DLL
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INETREPL.DLL
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INETREPL.DLL
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YPAGER.EXE
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YPAGER.EXE
O9 - Extra button: SearchRocket - {9F3CAE40-20D0-11d4-AF53-00104B60B604} - C:\TOOLS\SEARCH~1\iesrch.exe
O9 - Extra 'Tools' menuitem: SearchRocket - {9F3CAE40-20D0-11d4-AF53-00104B60B604} - C:\TOOLS\SEARCH~1\iesrch.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM95\AIM.EXE
O9 - Extra button: Copernic - {2A465936-E5F0-11D2-91B5-00104B9C4765} - C:\Program Files\Copernic 2001 Basic\Copernic.exe
O9 - Extra button: (no name) - {2A465934-E5F0-11D2-91B5-00104B9C4765} - C:\Program Files\Copernic 2001 Basic\Copernic.exe
O9 - Extra 'Tools' menuitem: Launch Copernic 2001 - {2A465934-E5F0-11D2-91B5-00104B9C4765} - C:\Program Files\Copernic 2001 Basic\Copernic.exe
O9 - Extra button: Translate - {99EFB53C-C965-43CF-9F45-52242D134187} - file://C:\Program Files\Copernic 2001 Basic\Translate.htm
O9 - Extra 'Tools' menuitem: &Translate Using Gist-In-Time - {99EFB53C-C965-43CF-9F45-52242D134187} - file://C:\Program Files\Copernic 2001 Basic\Translate.htm
O9 - Extra button: (no name) - {438AFBA1-B0CB-11d2-9214-00104B3BCE5F} - C:\WINDOWS\web\tree.htm
O9 - Extra 'Tools' menuitem: &Document Tree - {438AFBA1-B0CB-11d2-9214-00104B3BCE5F} - C:\WINDOWS\web\tree.htm
O9 - Extra button: Merriam-Webster - {BAC53F31-6090-11d5-8497-0048548030CA} - C:\WINDOWS\SYSTEM\SHDOCVW.DLL
O9 - Extra button: DQSD Search Wizard - {F3E2D167-7415-4997-8575-C479E0583D6D} - C:\WINDOWS\SYSTEM\SHDOCVW.DLL
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\TOOLS\IESDPB.DLL
O15 - Trusted Zone: http://scids.summitoh.net
O15 - Trusted Zone: http://www.dqsd.net
O15 - Trusted Zone: http://e-luminate.imagepoint.com
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (IPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.infuzer.c...ayer/isetup.cab
O16 - DPF: {DC765522-D5BE-49C9-AF5F-8C715A44BA28} (MS Investor Ticker) - http://fdl.msn.com/p...r/v9/ticker.cab
O16 - DPF: {6D86317F-39D0-11D6-A407-0010A4B08201} (PLUploadInstaller.Installer) - http://e-luminate.pl...adInstaller.ocx
O16 - DPF: {843351CE-D94B-4E47-9F61-88E3FD3CE997} (EWB_Upload.ULControl) - http://e-luminate.im.../EWB_Upload.ocx
O16 - DPF: {CACC1CE0-2DE6-11D5-A405-0010A4B08201} (EDD_WebDrawing.Launch) - http://e-luminate.pl..._WebDrawing.ocx
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {814EA0DA-E0D9-4AA4-833C-A1A6D38E79E9} (DASWebDownload Class) - http://das.microsoft...tail/DASAct.cab
O16 - DPF: {4E888414-DB8F-11D1-9CD9-00C04F98436A} - https://webresponse....iveX/winrep.cab
O16 - DPF: {62789780-B744-11D0-986B-00609731A21D} (Autodesk MapGuide ActiveX Control) - http://www.ohiooneca...ry/mgaxctrl.cab
O16 - DPF: {30985566-E01F-11D2-85DB-EA44DE000000} (IRTHMapDisplay Control) - http://www.ohiooneca...HMapDisplay.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.c...ers/play365.cab
O16 - DPF: {4208FB4D-4E53-4F5A-BF7A-3E047DDB5281} (ActiveX Control) - http://www.icannnews.../ST/ActiveX.ocx
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = elletneon.local
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 192.168.0.1

This may also help?

StartupList report, 8/4/05, 10:24:37 AM
StartupList version: 1.52
Started from : C:\WINDOWS\DESKTOP\STARTUPLIST.EXE
Detected: Windows 98 SE (Win9x 4.10.2222A)
Detected: Internet Explorer v6.00 (6.00.2600.0000)
* Using default options
==================================================

Running processes:

C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\CA\ETRUST ANTIVIRUS\INOTASK.EXE
C:\PROGRAM FILES\CA\ETRUST ANTIVIRUS\INORPC.EXE
C:\PROGRAM FILES\CA\ETRUST ANTIVIRUS\INORT9X.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\CA\ETRUST ANTIVIRUS\REALMON.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\ATICWD32.EXE
C:\PROGRAM FILES\MICROSOFT ACTIVESYNC\WCESCOMM.EXE
C:\PROGRAM FILES\COMMON FILES\MOBIPOCKET SHARED\WEBCOMP.EXE
C:\PROGRAM FILES\COMMON FILES\INTUIT\QUICKBOOKS\QBUPDATE\QBUPDATE.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\DESKTOP\STARTUPLIST.EXE

--------------------------------------------------

Listing of startup folders:

Shell folders Startup:
[C:\WINDOWS\Start Menu\Programs\StartUp]
QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\QBUpdate.exe

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

TaskMonitor = c:\windows\taskmon.exe
SystemTray = SysTray.Exe
Tweak UI = RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
Realtime Monitor = C:\PROGRA~1\CA\ETRUST~1\realmon.exe -s
StillImageMonitor = C:\WINDOWS\SYSTEM\STIMON.EXE
AtiCwd32 = Aticwd32.exe

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

SchedulingAgent = mstask.exe
InoTask = C:\Program Files\CA\eTrust Antivirus\InoTask.exe
InoRPC = C:\Program Files\CA\eTrust Antivirus\InoRPC.exe
InoRT = C:\Program Files\CA\eTrust Antivirus\InoRT9X.exe

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

H/PC Connection Agent = "C:\PROGRAM FILES\MICROSOFT ACTIVESYNC\WCESCOMM.EXE"
Mobipocket Web Companion = C:\PROGRAM FILES\COMMON FILES\MOBIPOCKET SHARED\WEBCOMP.EXE -m

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=Explorer.exe
SCRNSAVE.EXE=
drivers=mmsystem.dll power.drv

--------------------------------------------------

C:\WINDOWS\WININIT.BAK listing:
(Created 4/8/2005, 8:21:14)

[rename]
NUL=C:\WINDOWS\SYSTEM\TNEMBED.DLL£

--------------------------------------------------

C:\AUTOEXEC.BAT listing:

PATH=C:\My Documents;C:\PROGRA~1\CA\SHARED~1\SCANEN~1;C:\PROGRA~1\CA\ETRUST~1
SET AVENGINE=C:\PROGRA~1\CA\SHARED~1\SCANEN~1
C:\PROGRA~1\CA\SHARED~1\SCANEN~1\EXAMINE.EXE
SET INOCULAN=C:\PROGRA~1\CA\ETRUST~1

--------------------------------------------------

C:\WINDOWS\WINSTART.BAT listing:

cls
if exist c:\windows\startm~1\programs\nec~1\system~1.lnk goto FIXIT
if exist c:\windows\startm~1\programs\packar~1\system~1.lnk goto FIXIT
goto END
:FIXIT
C:\upgrade.bat
:END

--------------------------------------------------


Enumerating Browser Helper Objects:

(no name) - C:\PROGRA~1\SPYWAR~1\TOOLS\IESDPB.DLL - {B56A7D7D-6927-48C8-A975-17DF180C71AC}
(no name) - C:\PROGRA~1\SPYWAR~1\TOOLS\IESDSG.DLL - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB}
(no name) - c:\program files\google\googletoolbar1.dll - {AA58ED58-01DD-4d91-8333-CF10577473F7}

--------------------------------------------------

Enumerating Task Scheduler jobs:

Maintenance-Defragment programs.job
Maintenance-ScanDisk.job
Maintenance-Disk cleanup.job
{84F4A8E2-6B06-11D5-AE67-00E029951028}_JGorbach.job
{84F4A8E3-6B06-11D5-AE67-00E029951028}_JGorbach.job
{84F4A8E4-6B06-11D5-AE67-00E029951028}_JGorbach.job
{DB60368C-1211-11D9-AE6E-00E029951028}_jgorbach.job
SetTime.job
{DB603693-1211-11D9-AE6E-00E029951028}_jgorbach.job


note: the {} items do NOT appear in Scheduled Task window and I dont
know what these are referring to / doing.

--------------------------------------------------

Enumerating Download Program Files:

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\SYSTEM\MACROMED\FLASH\FLASH.OCX
CODEBASE = http://download.macr...ash/swflash.cab

[IPIX ActiveX Control]
InProcServer32 = C:\WINDOWS\OCCACHE\IPIXX.OCX
CODEBASE = http://www.ipix.com/viewers/ipixx.cab

[InstallShield International Setup Player]
InProcServer32 = c:\WINDOWS\DOWNLO~1\ISETUP.DLL
CODEBASE = http://www.infuzer.c...ayer/isetup.cab

[Shockwave ActiveX Control]
InProcServer32 = C:\WINDOWS\SYSTEM\MACROMED\DIRECTOR\SWDIR.DLL
CODEBASE = http://download.macr...director/sw.cab

[MS Investor Ticker]
InProcServer32 = C:\WINDOWS\DOWNLO~1\TICKER9.OCX
CODEBASE = http://fdl.msn.com/p...r/v9/ticker.cab

[PLUploadInstaller.Installer]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\PLUPLOADINSTALLER.OCX
CODEBASE = http://e-luminate.pl...adInstaller.ocx

[EWB_Upload.ULControl]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\EWB_UPLOAD.OCX
CODEBASE = http://e-luminate.im.../EWB_Upload.ocx

[EDD_WebDrawing.Launch]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\EDD_WEBDRAWING.OCX
CODEBASE = http://e-luminate.pl..._WebDrawing.ocx

[{41F17733-B041-4099-A042-B518BB6A408C}]
CODEBASE = http://a1540.g.akama...meInstaller.exe

[DASWebDownload Class]
InProcServer32 = C:\WINDOWS\DASACT.DLL
CODEBASE = http://das.microsoft...tail/DASAct.cab

[{4E888414-DB8F-11D1-9CD9-00C04F98436A}]
CODEBASE = https://webresponse....iveX/winrep.cab

[Update Class]
InProcServer32 = C:\WINDOWS\SYSTEM\IUCTL.DLL
CODEBASE = http://v4.windowsupd...B?38194.4390625

[QuickTime Object]
InProcServer32 = C:\WINDOWS\SYSTEM\QTPLUGIN.OCX
CODEBASE = http://www.apple.com...ex/qtplugin.cab

[Autodesk MapGuide ActiveX Control]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\MGAXCTRL.DLL
CODEBASE = http://www.ohiooneca...ry/mgaxctrl.cab

[IRTHMapDisplay Control]
InProcServer32 = C:\WINDOWS\DOWNLO~1\IRTHMA~1.OCX
CODEBASE = http://www.ohiooneca...HMapDisplay.cab

[HouseCall Control]
InProcServer32 = C:\WINDOWS\DOWNLO~1\XSCAN53.OCX
CODEBASE = http://a840.g.akamai...all/xscan53.cab

[Live365Player Class]
InProcServer32 = C:\WINDOWS\DOWNLO~1\PLAY365.DLL
CODEBASE = http://www.live365.c...ers/play365.cab

[{0000000A-9980-0010-8000-00AA00389B71}]
CODEBASE = http://download.micr...42/wmsp9dmo.cab

[{33564D57-0000-0010-8000-00AA00389B71}]
CODEBASE = http://download.micr...922/wmv9VCM.CAB

[ActiveX Control]
InProcServer32 = C:\WINDOWS\DOWNLO~1\ACTIVEX.OCX
CODEBASE = http://www.icannnews.../ST/ActiveX.ocx

[HouseCall Control]
InProcServer32 = C:\WINDOWS\DOWNLO~1\XSCAN60.OCX
CODEBASE = http://housecall60.t...all/xscan60.cab

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

WebCheck: C:\WINDOWS\SYSTEM\WEBCHECK.DLL

--------------------------------------------------
End of report, 8,512 bytes
Report generated in 0.388 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only


Any/all help will be appreciated.
  • 0

Advertisements

#2
greyknight17
Posted 04 August 2005 - 01:19 PM

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Welcome to GTG.

Did you install a program called Search Rocket? If not, uninstall it.

Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any):

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\windows\system32\blank.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O16 - DPF: {4208FB4D-4E53-4F5A-BF7A-3E047DDB5281} (ActiveX Control) - http://www.icannnews.../ST/ActiveX.ocx

Please download L2m9xfix here:
http://www.geekstogo...ds/l2m9xfix.exe

Save it to the desktop and run it. Extract the files, and then open the l2m9xfix folder you just created and run RunThis.bat.

A window will open, and your desktop will disappear, then reappear. Please be patient until the batch says it is completed.

Then please restart your computer, and post a new HijackThis log as well as the entire text of the log.txt file which should be in the same folder as RunThis.bat.
  • 0

#3
Jefgorbach
Posted 05 August 2005 - 06:30 AM

Jefgorbach

    New Member

  • Topic Starter
  • Member
  • Pip
  • 3 posts
thanks

Athough I mostly use Google, Searchrocket has had its moments - sends the keywords simotaneously to multiple search engines then correlates the results.

Followed your instructions....
Log of L2M9XFix v1

************

Running from directory:
C:\WINDOWS\Desktop\proglem\l2m9xfix

************

Files found:

C:\WINDOWS\system\ADIVPM32.DLL
C:\WINDOWS\system\ADIVPM32.DLL
C:\WINDOWS\system\ADIVPM32.DLL
C:\WINDOWS\system\ADIVPM32.DLL
C:\WINDOWS\system\AJDCXC32.DLL
C:\WINDOWS\system\AJDCXC32.DLL
C:\WINDOWS\system\AJDCXC32.DLL
C:\WINDOWS\system\AJDCXC32.DLL
C:\WINDOWS\system\AKDCXC32.DLL
C:\WINDOWS\system\AKDCXC32.DLL
C:\WINDOWS\system\AKDCXC32.DLL
C:\WINDOWS\system\AKDCXC32.DLL
C:\WINDOWS\system\AKILCD.DLL
C:\WINDOWS\system\AKILCD.DLL
C:\WINDOWS\system\AKILCD.DLL
C:\WINDOWS\system\AKILCD.DLL
C:\WINDOWS\system\AOIVPM32.DLL
C:\WINDOWS\system\AOIVPM32.DLL
C:\WINDOWS\system\AOIVPM32.DLL
C:\WINDOWS\system\AOIVPM32.DLL
C:\WINDOWS\system\aqdbres.dll
C:\WINDOWS\system\aqdbres.dll
C:\WINDOWS\system\aqdbres.dll
C:\WINDOWS\system\aqdbres.dll
C:\WINDOWS\system\AURESX32.DLL
C:\WINDOWS\system\AURESX32.DLL
C:\WINDOWS\system\AURESX32.DLL
C:\WINDOWS\system\AURESX32.DLL
C:\WINDOWS\system\CHM.DLL
C:\WINDOWS\system\CHM.DLL
C:\WINDOWS\system\CHM.DLL
C:\WINDOWS\system\CHM.DLL
C:\WINDOWS\system\CITDLL.DLL
C:\WINDOWS\system\CITDLL.DLL
C:\WINDOWS\system\CITDLL.DLL
C:\WINDOWS\system\CITDLL.DLL
C:\WINDOWS\system\CMUSALGO.DLL
C:\WINDOWS\system\CMUSALGO.DLL
C:\WINDOWS\system\CMUSALGO.DLL
C:\WINDOWS\system\CMUSALGO.DLL
C:\WINDOWS\system\CQDIAL32.DLL
C:\WINDOWS\system\CQDIAL32.DLL
C:\WINDOWS\system\CQDIAL32.DLL
C:\WINDOWS\system\CQDIAL32.DLL
C:\WINDOWS\system\CSGWIZ.DLL
C:\WINDOWS\system\CSGWIZ.DLL
C:\WINDOWS\system\CSGWIZ.DLL
C:\WINDOWS\system\CSGWIZ.DLL
C:\WINDOWS\system\CSM.DLL
C:\WINDOWS\system\CSM.DLL
C:\WINDOWS\system\CSM.DLL
C:\WINDOWS\system\CSM.DLL
C:\WINDOWS\system\CUYPTNET.DLL
C:\WINDOWS\system\CUYPTNET.DLL
C:\WINDOWS\system\CUYPTNET.DLL
C:\WINDOWS\system\CUYPTNET.DLL
C:\WINDOWS\system\DADRG32X.DLL
C:\WINDOWS\system\DADRG32X.DLL
C:\WINDOWS\system\DADRG32X.DLL
C:\WINDOWS\system\DADRG32X.DLL
C:\WINDOWS\system\DAOM2W98.DLL
C:\WINDOWS\system\DAOM2W98.DLL
C:\WINDOWS\system\DAOM2W98.DLL
C:\WINDOWS\system\DAOM2W98.DLL
C:\WINDOWS\system\DCDRM.DLL
C:\WINDOWS\system\DCDRM.DLL
C:\WINDOWS\system\DCDRM.DLL
C:\WINDOWS\system\DCDRM.DLL
C:\WINDOWS\system\DDDRG32X.DLL
C:\WINDOWS\system\DDDRG32X.DLL
C:\WINDOWS\system\DDDRG32X.DLL
C:\WINDOWS\system\DDDRG32X.DLL
C:\WINDOWS\system\DEDRG55X.DLL
C:\WINDOWS\system\DEDRG55X.DLL
C:\WINDOWS\system\DEDRG55X.DLL
C:\WINDOWS\system\DEDRG55X.DLL
C:\WINDOWS\system\DHNDI.DLL
C:\WINDOWS\system\DHNDI.DLL
C:\WINDOWS\system\DHNDI.DLL
C:\WINDOWS\system\DHNDI.DLL
C:\WINDOWS\system\DKAO35.DLL
C:\WINDOWS\system\DKAO35.DLL
C:\WINDOWS\system\DKAO35.DLL
C:\WINDOWS\system\DKAO35.DLL
C:\WINDOWS\system\DLCWFP32.DLL
C:\WINDOWS\system\DLCWFP32.DLL
C:\WINDOWS\system\DLCWFP32.DLL
C:\WINDOWS\system\DLCWFP32.DLL
C:\WINDOWS\system\DOCMSP32.DLL
C:\WINDOWS\system\DOCMSP32.DLL
C:\WINDOWS\system\DOCMSP32.DLL
C:\WINDOWS\system\DOCMSP32.DLL
C:\WINDOWS\system\DTKAPI32.DLL
C:\WINDOWS\system\DTKAPI32.DLL
C:\WINDOWS\system\DTKAPI32.DLL
C:\WINDOWS\system\DTKAPI32.DLL
C:\WINDOWS\system\DVDRAMPF.DLL
C:\WINDOWS\system\DVDRAMPF.DLL
C:\WINDOWS\system\DVDRAMPF.DLL
C:\WINDOWS\system\DVDRAMPF.DLL
C:\WINDOWS\system\DX.dll
C:\WINDOWS\system\DX.dll
C:\WINDOWS\system\DX.dll
C:\WINDOWS\system\DX.dll
C:\WINDOWS\system\DYDRAMPF.DLL
C:\WINDOWS\system\DYDRAMPF.DLL
C:\WINDOWS\system\DYDRAMPF.DLL
C:\WINDOWS\system\DYDRAMPF.DLL
C:\WINDOWS\system\DZ3J.DLL
C:\WINDOWS\system\DZ3J.DLL
C:\WINDOWS\system\DZ3J.DLL
C:\WINDOWS\system\DZ3J.DLL
C:\WINDOWS\system\DZMSSPXN.DLL
C:\WINDOWS\system\DZMSSPXN.DLL
C:\WINDOWS\system\DZMSSPXN.DLL
C:\WINDOWS\system\DZMSSPXN.DLL
C:\WINDOWS\system\edStub3.dll
C:\WINDOWS\system\edStub3.dll
C:\WINDOWS\system\edStub3.dll
C:\WINDOWS\system\edStub3.dll
C:\WINDOWS\system\EQ.DLL
C:\WINDOWS\system\EQ.DLL
C:\WINDOWS\system\EQ.DLL
C:\WINDOWS\system\EQ.DLL
C:\WINDOWS\system\GZOUPPOL.DLL
C:\WINDOWS\system\GZOUPPOL.DLL
C:\WINDOWS\system\GZOUPPOL.DLL
C:\WINDOWS\system\GZOUPPOL.DLL
C:\WINDOWS\system\iaet16.dll
C:\WINDOWS\system\iaet16.dll
C:\WINDOWS\system\iaet16.dll
C:\WINDOWS\system\iaet16.dll
C:\WINDOWS\system\IFRNONCE.DLL
C:\WINDOWS\system\IFRNONCE.DLL
C:\WINDOWS\system\IFRNONCE.DLL
C:\WINDOWS\system\IFRNONCE.DLL
C:\WINDOWS\system\IFS.DLL
C:\WINDOWS\system\IFS.DLL
C:\WINDOWS\system\IFS.DLL
C:\WINDOWS\system\IFS.DLL
C:\WINDOWS\system\ijengine.dll
C:\WINDOWS\system\ijengine.dll
C:\WINDOWS\system\ijengine.dll
C:\WINDOWS\system\ijengine.dll
C:\WINDOWS\system\ipebase12.dll
C:\WINDOWS\system\Iuside your Computer.dll
C:\WINDOWS\system\Iuside your Computer.dll
C:\WINDOWS\system\Iuside your Computer.dll
C:\WINDOWS\system\Iuside your Computer.dll
C:\WINDOWS\system\JCT.DLL
C:\WINDOWS\system\JCT.DLL
C:\WINDOWS\system\JCT.DLL
C:\WINDOWS\system\JCT.DLL
C:\WINDOWS\system\jlsd400.dll
C:\WINDOWS\system\jlsd400.dll
C:\WINDOWS\system\jlsd400.dll
C:\WINDOWS\system\jlsd400.dll
C:\WINDOWS\system\JXEG2X32.DLL
C:\WINDOWS\system\JXEG2X32.DLL
C:\WINDOWS\system\JXEG2X32.DLL
C:\WINDOWS\system\JXEG2X32.DLL
C:\WINDOWS\system\jzproxy.dll
C:\WINDOWS\system\jzproxy.dll
C:\WINDOWS\system\jzproxy.dll
C:\WINDOWS\system\jzproxy.dll
C:\WINDOWS\system\lEprxy.dll
C:\WINDOWS\system\lEprxy.dll
C:\WINDOWS\system\lEprxy.dll
C:\WINDOWS\system\lEprxy.dll
C:\WINDOWS\system\lofpx70n.dll
C:\WINDOWS\system\lofpx70n.dll
C:\WINDOWS\system\lofpx70n.dll
C:\WINDOWS\system\lofpx70n.dll
C:\WINDOWS\system\LTRT.DLL
C:\WINDOWS\system\LTRT.DLL
C:\WINDOWS\system\LTRT.DLL
C:\WINDOWS\system\LTRT.DLL
C:\WINDOWS\system\mavci70.dll
C:\WINDOWS\system\mavci70.dll
C:\WINDOWS\system\mavci70.dll
C:\WINDOWS\system\mavci70.dll
C:\WINDOWS\system\MBPIX32.DLL
C:\WINDOWS\system\MBPIX32.DLL
C:\WINDOWS\system\MBPIX32.DLL
C:\WINDOWS\system\MBPIX32.DLL
C:\WINDOWS\system\mioert2.dll
C:\WINDOWS\system\mioert2.dll
C:\WINDOWS\system\mioert2.dll
C:\WINDOWS\system\mioert2.dll
C:\WINDOWS\system\MITCP.DLL
C:\WINDOWS\system\MITCP.DLL
C:\WINDOWS\system\MITCP.DLL
C:\WINDOWS\system\MITCP.DLL
C:\WINDOWS\system\MJAFD.DLL
C:\WINDOWS\system\MJAFD.DLL
C:\WINDOWS\system\MJAFD.DLL
C:\WINDOWS\system\MJAFD.DLL
C:\WINDOWS\system\MJPWL32.DLL
C:\WINDOWS\system\MJPWL32.DLL
C:\WINDOWS\system\MJPWL32.DLL
C:\WINDOWS\system\MJPWL32.DLL
C:\WINDOWS\system\MKVCRT20.DLL
C:\WINDOWS\system\MKVCRT20.DLL
C:\WINDOWS\system\MKVCRT20.DLL
C:\WINDOWS\system\MKVCRT20.DLL
C:\WINDOWS\system\MMPRINT2.DLL
C:\WINDOWS\system\MMPRINT2.DLL
C:\WINDOWS\system\MMPRINT2.DLL
C:\WINDOWS\system\MMPRINT2.DLL
C:\WINDOWS\system\MNPWL32.DLL
C:\WINDOWS\system\MNPWL32.DLL
C:\WINDOWS\system\MNPWL32.DLL
C:\WINDOWS\system\MNPWL32.DLL
C:\WINDOWS\system\MQJET35.DLL
C:\WINDOWS\system\MQJET35.DLL
C:\WINDOWS\system\MQJET35.DLL
C:\WINDOWS\system\MQJET35.DLL
C:\WINDOWS\system\MRCONF.DLL
C:\WINDOWS\system\MRCONF.DLL
C:\WINDOWS\system\MRCONF.DLL
C:\WINDOWS\system\MRCONF.DLL
C:\WINDOWS\system\muisip.dll
C:\WINDOWS\system\muisip.dll
C:\WINDOWS\system\muisip.dll
C:\WINDOWS\system\muisip.dll
C:\WINDOWS\system\munetobj.dll
C:\WINDOWS\system\munetobj.dll
C:\WINDOWS\system\munetobj.dll
C:\WINDOWS\system\munetobj.dll
C:\WINDOWS\system\MWLTUS40.DLL
C:\WINDOWS\system\MWLTUS40.DLL
C:\WINDOWS\system\MWLTUS40.DLL
C:\WINDOWS\system\MWLTUS40.DLL
C:\WINDOWS\system\MXPST32.DLL
C:\WINDOWS\system\MXPST32.DLL
C:\WINDOWS\system\MXPST32.DLL
C:\WINDOWS\system\MXPST32.DLL
C:\WINDOWS\system\MZNP32.DLL
C:\WINDOWS\system\MZNP32.DLL
C:\WINDOWS\system\MZNP32.DLL
C:\WINDOWS\system\MZNP32.DLL
C:\WINDOWS\system\mzxml3r.dll
C:\WINDOWS\system\mzxml3r.dll
C:\WINDOWS\system\mzxml3r.dll
C:\WINDOWS\system\mzxml3r.dll
C:\WINDOWS\system\NDMKCERT.DLL
C:\WINDOWS\system\NDMKCERT.DLL
C:\WINDOWS\system\NDMKCERT.DLL
C:\WINDOWS\system\NDMKCERT.DLL
C:\WINDOWS\system\nnapilyr.dll
C:\WINDOWS\system\nnapilyr.dll
C:\WINDOWS\system\nnapilyr.dll
C:\WINDOWS\system\nnapilyr.dll
C:\WINDOWS\system\OAFIL400.DLL
C:\WINDOWS\system\OAFIL400.DLL
C:\WINDOWS\system\OAFIL400.DLL
C:\WINDOWS\system\OAFIL400.DLL
C:\WINDOWS\system\OJECLI.DLL
C:\WINDOWS\system\OJECLI.DLL
C:\WINDOWS\system\OJECLI.DLL
C:\WINDOWS\system\OJECLI.DLL
C:\WINDOWS\system\PQPWRENU.DLL
C:\WINDOWS\system\PQPWRENU.DLL
C:\WINDOWS\system\PQPWRENU.DLL
C:\WINDOWS\system\PQPWRENU.DLL
C:\WINDOWS\system\PXWRPROF.DLL
C:\WINDOWS\system\PXWRPROF.DLL
C:\WINDOWS\system\PXWRPROF.DLL
C:\WINDOWS\system\PXWRPROF.DLL
C:\WINDOWS\system\pz.dll
C:\WINDOWS\system\pz.dll
C:\WINDOWS\system\pz.dll
C:\WINDOWS\system\pz.dll
C:\WINDOWS\system\QEGRPRXY.DLL
C:\WINDOWS\system\QEGRPRXY.DLL
C:\WINDOWS\system\QEGRPRXY.DLL
C:\WINDOWS\system\QEGRPRXY.DLL
C:\WINDOWS\system\RAABASE.DLL
C:\WINDOWS\system\RAABASE.DLL
C:\WINDOWS\system\RAABASE.DLL
C:\WINDOWS\system\RAABASE.DLL
C:\WINDOWS\system\RCR20.DLL
C:\WINDOWS\system\RCR20.DLL
C:\WINDOWS\system\RCR20.DLL
C:\WINDOWS\system\RCR20.DLL
C:\WINDOWS\system\REABASE.DLL
C:\WINDOWS\system\REABASE.DLL
C:\WINDOWS\system\REABASE.DLL
C:\WINDOWS\system\REABASE.DLL
C:\WINDOWS\system\RKSCHK16.DLL
C:\WINDOWS\system\RKSCHK16.DLL
C:\WINDOWS\system\RKSCHK16.DLL
C:\WINDOWS\system\RKSCHK16.DLL
C:\WINDOWS\system\RNSCHK16.DLL
C:\WINDOWS\system\RNSCHK16.DLL
C:\WINDOWS\system\RNSCHK16.DLL
C:\WINDOWS\system\RNSCHK16.DLL
C:\WINDOWS\system\rssdbdll.dll
C:\WINDOWS\system\rssdbdll.dll
C:\WINDOWS\system\rssdbdll.dll
C:\WINDOWS\system\rssdbdll.dll
C:\WINDOWS\system\RUABASE.DLL
C:\WINDOWS\system\RUABASE.DLL
C:\WINDOWS\system\RUABASE.DLL
C:\WINDOWS\system\RUABASE.DLL
C:\WINDOWS\system\RUSCHK32.DLL
C:\WINDOWS\system\RUSCHK32.DLL
C:\WINDOWS\system\RUSCHK32.DLL
C:\WINDOWS\system\RUSCHK32.DLL
C:\WINDOWS\system\SBFTPUB.DLL
C:\WINDOWS\system\SBFTPUB.DLL
C:\WINDOWS\system\SBFTPUB.DLL
C:\WINDOWS\system\SBFTPUB.DLL
C:\WINDOWS\system\SGDOCLC.DLL
C:\WINDOWS\system\SGDOCLC.DLL
C:\WINDOWS\system\SGDOCLC.DLL
C:\WINDOWS\system\SGDOCLC.DLL
C:\WINDOWS\system\SHMSETUP.DLL
C:\WINDOWS\system\SHMSETUP.DLL
C:\WINDOWS\system\SHMSETUP.DLL
C:\WINDOWS\system\SHMSETUP.DLL
C:\WINDOWS\system\SJDOCLC.DLL
C:\WINDOWS\system\SJDOCLC.DLL
C:\WINDOWS\system\SJDOCLC.DLL
C:\WINDOWS\system\SJDOCLC.DLL
C:\WINDOWS\system\SLSINV.DLL
C:\WINDOWS\system\SLSINV.DLL
C:\WINDOWS\system\SLSINV.DLL
C:\WINDOWS\system\SLSINV.DLL
C:\WINDOWS\system\SNSINV.DLL
C:\WINDOWS\system\SNSINV.DLL
C:\WINDOWS\system\SNSINV.DLL
C:\WINDOWS\system\SNSINV.DLL
C:\WINDOWS\system\SOSDETMG.DLL
C:\WINDOWS\system\SOSDETMG.DLL
C:\WINDOWS\system\SOSDETMG.DLL
C:\WINDOWS\system\SOSDETMG.DLL
C:\WINDOWS\system\SQCDLL.DLL
C:\WINDOWS\system\SQCDLL.DLL
C:\WINDOWS\system\SQCDLL.DLL
C:\WINDOWS\system\SQCDLL.DLL
C:\WINDOWS\system\STP32.DLL
C:\WINDOWS\system\STP32.DLL
C:\WINDOWS\system\STP32.DLL
C:\WINDOWS\system\STP32.DLL
C:\WINDOWS\system\strrun.dll
C:\WINDOWS\system\strrun.dll
C:\WINDOWS\system\strrun.dll
C:\WINDOWS\system\strrun.dll
C:\WINDOWS\system\SVTUPWBV.DLL
C:\WINDOWS\system\SVTUPWBV.DLL
C:\WINDOWS\system\SVTUPWBV.DLL
C:\WINDOWS\system\SVTUPWBV.DLL
C:\WINDOWS\system\SXP32.DLL
C:\WINDOWS\system\SXP32.DLL
C:\WINDOWS\system\SXP32.DLL
C:\WINDOWS\system\SXP32.DLL
C:\WINDOWS\system\SYDOCLC.DLL
C:\WINDOWS\system\SYDOCLC.DLL
C:\WINDOWS\system\SYDOCLC.DLL
C:\WINDOWS\system\SYDOCLC.DLL
C:\WINDOWS\system\TLPIUI.DLL
C:\WINDOWS\system\TLPIUI.DLL
C:\WINDOWS\system\TLPIUI.DLL
C:\WINDOWS\system\TLPIUI.DLL
C:\WINDOWS\system\TTTOOLS2.DLL
C:\WINDOWS\system\TTTOOLS2.DLL
C:\WINDOWS\system\TTTOOLS2.DLL
C:\WINDOWS\system\TTTOOLS2.DLL
C:\WINDOWS\system\uvcom.dll
C:\WINDOWS\system\uvcom.dll
C:\WINDOWS\system\uvcom.dll
C:\WINDOWS\system\uvcom.dll
C:\WINDOWS\system\UXBUI.DLL
C:\WINDOWS\system\UXBUI.DLL
C:\WINDOWS\system\UXBUI.DLL
C:\WINDOWS\system\UXBUI.DLL
C:\WINDOWS\system\WFLSOF32.DLL
C:\WINDOWS\system\WFLSOF32.DLL
C:\WINDOWS\system\WFLSOF32.DLL
C:\WINDOWS\system\WFLSOF32.DLL
C:\WINDOWS\system\WFOCK32.DLL
C:\WINDOWS\system\WFOCK32.DLL
C:\WINDOWS\system\WFOCK32.DLL
C:\WINDOWS\system\WFOCK32.DLL
C:\WINDOWS\system\WGNSSPI.DLL
C:\WINDOWS\system\WGNSSPI.DLL
C:\WINDOWS\system\WGNSSPI.DLL
C:\WINDOWS\system\WGNSSPI.DLL
C:\WINDOWS\system\wusdmoe.dll
C:\WINDOWS\system\wusdmoe.dll
C:\WINDOWS\system\wusdmoe.dll
C:\WINDOWS\system\wusdmoe.dll
C:\WINDOWS\system\WWBVW.DLL
C:\WINDOWS\system\WWBVW.DLL
C:\WINDOWS\system\WWBVW.DLL
C:\WINDOWS\system\WWBVW.DLL
C:\WINDOWS\system\WWNMM.DLL
C:\WINDOWS\system\WWNMM.DLL
C:\WINDOWS\system\WWNMM.DLL
C:\WINDOWS\system\WWNMM.DLL
C:\WINDOWS\system\WZ2THK.DLL
C:\WINDOWS\system\WZ2THK.DLL
C:\WINDOWS\system\WZ2THK.DLL
C:\WINDOWS\system\WZ2THK.DLL
C:\WINDOWS\system\wzstream.dll
C:\WINDOWS\system\wzstream.dll
C:\WINDOWS\system\wzstream.dll
C:\WINDOWS\system\wzstream.dll
C:\WINDOWS\system\XJNROLL.DLL
C:\WINDOWS\system\XJNROLL.DLL
C:\WINDOWS\system\XJNROLL.DLL
C:\WINDOWS\system\XJNROLL.DLL

************

Registry entries found:

<snipped white space>

[HKEY_CLASSES_ROOT\CLSID\{15801700-DE7B-11D9-AE6E-00E029951028}\InprocServer32]
@="C:\\WINDOWS\\SYSTEM\\DAOM2W98.DLL"

[HKEY_CLASSES_ROOT\CLSID\{15801700-DE7B-11D9-AE6E-00E029951028}\InprocServer32]
@="C:\\WINDOWS\\SYSTEM\\DAOM2W98.DLL"

[HKEY_CLASSES_ROOT\CLSID\{15801700-DE7B-11D9-AE6E-00E029951028}\InprocServer32]
@="C:\\WINDOWS\\SYSTEM\\DAOM2W98.DLL"

[HKEY_CLASSES_ROOT\CLSID\{15801700-DE7B-11D9-AE6E-00E029951028}\InprocServer32]
@="C:\\WINDOWS\\SYSTEM\\DAOM2W98.DLL"

<snipped pages of white space>

************

Killing Explorer
Done!

Killing Rundll32
Done!

Removing malicious CLSID(s)
Done!

Restarting Explorer
Done!

Deleting malicious files
Done!


Finished!



and second hijackthis! log

Logfile of HijackThis v1.99.1
Scan saved at 5:14:23 PM, on 8/4/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\CA\ETRUST ANTIVIRUS\INOTASK.EXE
C:\PROGRAM FILES\CA\ETRUST ANTIVIRUS\INORPC.EXE
C:\PROGRAM FILES\CA\ETRUST ANTIVIRUS\INORT9X.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\CA\ETRUST ANTIVIRUS\REALMON.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\ATICWD32.EXE
C:\PROGRAM FILES\MICROSOFT ACTIVESYNC\WCESCOMM.EXE
C:\PROGRAM FILES\COMMON FILES\MOBIPOCKET SHARED\WEBCOMP.EXE
C:\PROGRAM FILES\COMMON FILES\INTUIT\QUICKBOOKS\QBUPDATE\QBUPDATE.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\DESKTOP\PROGLEM\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.0.1:80
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\TOOLS\IESDPB.DLL
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\TOOLS\IESDSG.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\YCOMP5_0_2_3.DLL
O3 - Toolbar: WebFerret - {A58686ED-FC46-44C3-95C6-4A812AB776F1} - C:\Program Files\FerretSoft\WebFerret\FerretBand.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [Realtime Monitor] C:\PROGRA~1\CA\ETRUST~1\realmon.exe -s
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [AtiCwd32] Aticwd32.exe
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [InoTask] C:\Program Files\CA\eTrust Antivirus\InoTask.exe
O4 - HKLM\..\RunServices: [InoRPC] C:\Program Files\CA\eTrust Antivirus\InoRPC.exe
O4 - HKLM\..\RunServices: [InoRT] C:\Program Files\CA\eTrust Antivirus\InoRT9X.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\PROGRAM FILES\MICROSOFT ACTIVESYNC\WCESCOMM.EXE"
O4 - HKCU\..\Run: [Mobipocket Web Companion] C:\PROGRAM FILES\COMMON FILES\MOBIPOCKET SHARED\WEBCOMP.EXE -m
O4 - Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\QBUpdate.exe
O8 - Extra context menu item: Search Using Copernic - C:\Program Files\Copernic 2001 Basic\Search Extension.htm
O8 - Extra context menu item: &Document Tree - C:\WINDOWS\web\tree.htm
O8 - Extra context menu item: View Partial So&urce - C:\WINDOWS\web\source.htm
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmwordtrans.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsimilar.html
O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate Page into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmtrans.html
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INETREPL.DLL
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INETREPL.DLL
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INETREPL.DLL
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YPAGER.EXE
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YPAGER.EXE
O9 - Extra button: SearchRocket - {9F3CAE40-20D0-11d4-AF53-00104B60B604} - C:\TOOLS\SEARCH~1\iesrch.exe
O9 - Extra 'Tools' menuitem: SearchRocket - {9F3CAE40-20D0-11d4-AF53-00104B60B604} - C:\TOOLS\SEARCH~1\iesrch.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM95\AIM.EXE
O9 - Extra button: Copernic - {2A465936-E5F0-11D2-91B5-00104B9C4765} - C:\Program Files\Copernic 2001 Basic\Copernic.exe
O9 - Extra button: (no name) - {2A465934-E5F0-11D2-91B5-00104B9C4765} - C:\Program Files\Copernic 2001 Basic\Copernic.exe
O9 - Extra 'Tools' menuitem: Launch Copernic 2001 - {2A465934-E5F0-11D2-91B5-00104B9C4765} - C:\Program Files\Copernic 2001 Basic\Copernic.exe
O9 - Extra button: Translate - {99EFB53C-C965-43CF-9F45-52242D134187} - file://C:\Program Files\Copernic 2001 Basic\Translate.htm
O9 - Extra 'Tools' menuitem: &Translate Using Gist-In-Time - {99EFB53C-C965-43CF-9F45-52242D134187} - file://C:\Program Files\Copernic 2001 Basic\Translate.htm
O9 - Extra button: (no name) - {438AFBA1-B0CB-11d2-9214-00104B3BCE5F} - C:\WINDOWS\web\tree.htm
O9 - Extra 'Tools' menuitem: &Document Tree - {438AFBA1-B0CB-11d2-9214-00104B3BCE5F} - C:\WINDOWS\web\tree.htm
O9 - Extra button: Merriam-Webster - {BAC53F31-6090-11d5-8497-0048548030CA} - C:\WINDOWS\SYSTEM\SHDOCVW.DLL
O9 - Extra button: DQSD Search Wizard - {F3E2D167-7415-4997-8575-C479E0583D6D} - C:\WINDOWS\SYSTEM\SHDOCVW.DLL
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\TOOLS\IESDPB.DLL
O15 - Trusted Zone: http://scids.summitoh.net
O15 - Trusted Zone: http://www.dqsd.net
O15 - Trusted Zone: http://e-luminate.imagepoint.com
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (IPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.infuzer.c...ayer/isetup.cab
O16 - DPF: {DC765522-D5BE-49C9-AF5F-8C715A44BA28} (MS Investor Ticker) - http://fdl.msn.com/p...r/v9/ticker.cab
O16 - DPF: {6D86317F-39D0-11D6-A407-0010A4B08201} (PLUploadInstaller.Installer) - http://e-luminate.pl...adInstaller.ocx
O16 - DPF: {843351CE-D94B-4E47-9F61-88E3FD3CE997} (EWB_Upload.ULControl) - http://e-luminate.im.../EWB_Upload.ocx
O16 - DPF: {CACC1CE0-2DE6-11D5-A405-0010A4B08201} (EDD_WebDrawing.Launch) - http://e-luminate.pl..._WebDrawing.ocx
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {814EA0DA-E0D9-4AA4-833C-A1A6D38E79E9} (DASWebDownload Class) - http://das.microsoft...tail/DASAct.cab
O16 - DPF: {4E888414-DB8F-11D1-9CD9-00C04F98436A} - https://webresponse....iveX/winrep.cab
O16 - DPF: {62789780-B744-11D0-986B-00609731A21D} (Autodesk MapGuide ActiveX Control) - http://www.ohiooneca...ry/mgaxctrl.cab
O16 - DPF: {30985566-E01F-11D2-85DB-EA44DE000000} (IRTHMapDisplay Control) - http://www.ohiooneca...HMapDisplay.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.c...ers/play365.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = elletneon.local
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 192.168.0.1
  • 0

#4
Jefgorbach
Posted 05 August 2005 - 10:26 AM

Jefgorbach

    New Member

  • Topic Starter
  • Member
  • Pip
  • 3 posts
12:30 Follow-up
I believe you squashed it - not a single pop-up all morning.
Thank you!! Thank you!! Thank you!! Thank you!!
  • 0

#5
greyknight17
Posted 05 August 2005 - 02:17 PM

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
:tazz: Those little critters had no chance against the tool. It's all gone now ;)

Your log is clean.

To help prevent future spyware installations/infections, please read the Anti-Spyware Tutorial and use the tools provided.

Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP