Didn't see anything new running in msconfig and the usual tools all report the system is "clean" -- Cleanup!, Ad-aware, Spybot, CWShredder, CA-Etrust (anti-virus), TrojanHunter, and SpywareDoctor.
Trend Micro's HouseCall finds, but can't remove: QSEARCH.319
Google didn't find anything pertinent regarding this keyword.
Help!
Logfile of HijackThis v1.99.1
Scan saved at 10:27:28 AM, on 8/4/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\CA\ETRUST ANTIVIRUS\INOTASK.EXE
C:\PROGRAM FILES\CA\ETRUST ANTIVIRUS\INORPC.EXE
C:\PROGRAM FILES\CA\ETRUST ANTIVIRUS\INORT9X.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\CA\ETRUST ANTIVIRUS\REALMON.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\ATICWD32.EXE
C:\PROGRAM FILES\MICROSOFT ACTIVESYNC\WCESCOMM.EXE
C:\PROGRAM FILES\COMMON FILES\MOBIPOCKET SHARED\WEBCOMP.EXE
C:\PROGRAM FILES\COMMON FILES\INTUIT\QUICKBOOKS\QBUPDATE\QBUPDATE.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\windows\system32\blank.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.0.1:80
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\TOOLS\IESDPB.DLL
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\TOOLS\IESDSG.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\YCOMP5_0_2_3.DLL
O3 - Toolbar: WebFerret - {A58686ED-FC46-44C3-95C6-4A812AB776F1} - C:\Program Files\FerretSoft\WebFerret\FerretBand.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [Realtime Monitor] C:\PROGRA~1\CA\ETRUST~1\realmon.exe -s
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [AtiCwd32] Aticwd32.exe
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [InoTask] C:\Program Files\CA\eTrust Antivirus\InoTask.exe
O4 - HKLM\..\RunServices: [InoRPC] C:\Program Files\CA\eTrust Antivirus\InoRPC.exe
O4 - HKLM\..\RunServices: [InoRT] C:\Program Files\CA\eTrust Antivirus\InoRT9X.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\PROGRAM FILES\MICROSOFT ACTIVESYNC\WCESCOMM.EXE"
O4 - HKCU\..\Run: [Mobipocket Web Companion] C:\PROGRAM FILES\COMMON FILES\MOBIPOCKET SHARED\WEBCOMP.EXE -m
O4 - Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\QBUpdate.exe
O8 - Extra context menu item: Search Using Copernic - C:\Program Files\Copernic 2001 Basic\Search Extension.htm
O8 - Extra context menu item: &Document Tree - C:\WINDOWS\web\tree.htm
O8 - Extra context menu item: View Partial So&urce - C:\WINDOWS\web\source.htm
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmwordtrans.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsimilar.html
O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate Page into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmtrans.html
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INETREPL.DLL
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INETREPL.DLL
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INETREPL.DLL
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YPAGER.EXE
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YPAGER.EXE
O9 - Extra button: SearchRocket - {9F3CAE40-20D0-11d4-AF53-00104B60B604} - C:\TOOLS\SEARCH~1\iesrch.exe
O9 - Extra 'Tools' menuitem: SearchRocket - {9F3CAE40-20D0-11d4-AF53-00104B60B604} - C:\TOOLS\SEARCH~1\iesrch.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM95\AIM.EXE
O9 - Extra button: Copernic - {2A465936-E5F0-11D2-91B5-00104B9C4765} - C:\Program Files\Copernic 2001 Basic\Copernic.exe
O9 - Extra button: (no name) - {2A465934-E5F0-11D2-91B5-00104B9C4765} - C:\Program Files\Copernic 2001 Basic\Copernic.exe
O9 - Extra 'Tools' menuitem: Launch Copernic 2001 - {2A465934-E5F0-11D2-91B5-00104B9C4765} - C:\Program Files\Copernic 2001 Basic\Copernic.exe
O9 - Extra button: Translate - {99EFB53C-C965-43CF-9F45-52242D134187} - file://C:\Program Files\Copernic 2001 Basic\Translate.htm
O9 - Extra 'Tools' menuitem: &Translate Using Gist-In-Time - {99EFB53C-C965-43CF-9F45-52242D134187} - file://C:\Program Files\Copernic 2001 Basic\Translate.htm
O9 - Extra button: (no name) - {438AFBA1-B0CB-11d2-9214-00104B3BCE5F} - C:\WINDOWS\web\tree.htm
O9 - Extra 'Tools' menuitem: &Document Tree - {438AFBA1-B0CB-11d2-9214-00104B3BCE5F} - C:\WINDOWS\web\tree.htm
O9 - Extra button: Merriam-Webster - {BAC53F31-6090-11d5-8497-0048548030CA} - C:\WINDOWS\SYSTEM\SHDOCVW.DLL
O9 - Extra button: DQSD Search Wizard - {F3E2D167-7415-4997-8575-C479E0583D6D} - C:\WINDOWS\SYSTEM\SHDOCVW.DLL
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\TOOLS\IESDPB.DLL
O15 - Trusted Zone: http://scids.summitoh.net
O15 - Trusted Zone: http://www.dqsd.net
O15 - Trusted Zone: http://e-luminate.imagepoint.com
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (IPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.infuzer.c...ayer/isetup.cab
O16 - DPF: {DC765522-D5BE-49C9-AF5F-8C715A44BA28} (MS Investor Ticker) - http://fdl.msn.com/p...r/v9/ticker.cab
O16 - DPF: {6D86317F-39D0-11D6-A407-0010A4B08201} (PLUploadInstaller.Installer) - http://e-luminate.pl...adInstaller.ocx
O16 - DPF: {843351CE-D94B-4E47-9F61-88E3FD3CE997} (EWB_Upload.ULControl) - http://e-luminate.im.../EWB_Upload.ocx
O16 - DPF: {CACC1CE0-2DE6-11D5-A405-0010A4B08201} (EDD_WebDrawing.Launch) - http://e-luminate.pl..._WebDrawing.ocx
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {814EA0DA-E0D9-4AA4-833C-A1A6D38E79E9} (DASWebDownload Class) - http://das.microsoft...tail/DASAct.cab
O16 - DPF: {4E888414-DB8F-11D1-9CD9-00C04F98436A} - https://webresponse....iveX/winrep.cab
O16 - DPF: {62789780-B744-11D0-986B-00609731A21D} (Autodesk MapGuide ActiveX Control) - http://www.ohiooneca...ry/mgaxctrl.cab
O16 - DPF: {30985566-E01F-11D2-85DB-EA44DE000000} (IRTHMapDisplay Control) - http://www.ohiooneca...HMapDisplay.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.c...ers/play365.cab
O16 - DPF: {4208FB4D-4E53-4F5A-BF7A-3E047DDB5281} (ActiveX Control) - http://www.icannnews.../ST/ActiveX.ocx
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = elletneon.local
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 192.168.0.1
This may also help?
StartupList report, 8/4/05, 10:24:37 AM
StartupList version: 1.52
Started from : C:\WINDOWS\DESKTOP\STARTUPLIST.EXE
Detected: Windows 98 SE (Win9x 4.10.2222A)
Detected: Internet Explorer v6.00 (6.00.2600.0000)
* Using default options
==================================================
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\CA\ETRUST ANTIVIRUS\INOTASK.EXE
C:\PROGRAM FILES\CA\ETRUST ANTIVIRUS\INORPC.EXE
C:\PROGRAM FILES\CA\ETRUST ANTIVIRUS\INORT9X.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\CA\ETRUST ANTIVIRUS\REALMON.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\ATICWD32.EXE
C:\PROGRAM FILES\MICROSOFT ACTIVESYNC\WCESCOMM.EXE
C:\PROGRAM FILES\COMMON FILES\MOBIPOCKET SHARED\WEBCOMP.EXE
C:\PROGRAM FILES\COMMON FILES\INTUIT\QUICKBOOKS\QBUPDATE\QBUPDATE.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\DESKTOP\STARTUPLIST.EXE
--------------------------------------------------
Listing of startup folders:
Shell folders Startup:
[C:\WINDOWS\Start Menu\Programs\StartUp]
QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\QBUpdate.exe
--------------------------------------------------
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
TaskMonitor = c:\windows\taskmon.exe
SystemTray = SysTray.Exe
Tweak UI = RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
Realtime Monitor = C:\PROGRA~1\CA\ETRUST~1\realmon.exe -s
StillImageMonitor = C:\WINDOWS\SYSTEM\STIMON.EXE
AtiCwd32 = Aticwd32.exe
--------------------------------------------------
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
SchedulingAgent = mstask.exe
InoTask = C:\Program Files\CA\eTrust Antivirus\InoTask.exe
InoRPC = C:\Program Files\CA\eTrust Antivirus\InoRPC.exe
InoRT = C:\Program Files\CA\eTrust Antivirus\InoRT9X.exe
--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
H/PC Connection Agent = "C:\PROGRAM FILES\MICROSOFT ACTIVESYNC\WCESCOMM.EXE"
Mobipocket Web Companion = C:\PROGRAM FILES\COMMON FILES\MOBIPOCKET SHARED\WEBCOMP.EXE -m
--------------------------------------------------
Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:
Shell=Explorer.exe
SCRNSAVE.EXE=
drivers=mmsystem.dll power.drv
--------------------------------------------------
C:\WINDOWS\WININIT.BAK listing:
(Created 4/8/2005, 8:21:14)
[rename]
NUL=C:\WINDOWS\SYSTEM\TNEMBED.DLL£
--------------------------------------------------
C:\AUTOEXEC.BAT listing:
PATH=C:\My Documents;C:\PROGRA~1\CA\SHARED~1\SCANEN~1;C:\PROGRA~1\CA\ETRUST~1
SET AVENGINE=C:\PROGRA~1\CA\SHARED~1\SCANEN~1
C:\PROGRA~1\CA\SHARED~1\SCANEN~1\EXAMINE.EXE
SET INOCULAN=C:\PROGRA~1\CA\ETRUST~1
--------------------------------------------------
C:\WINDOWS\WINSTART.BAT listing:
cls
if exist c:\windows\startm~1\programs\nec~1\system~1.lnk goto FIXIT
if exist c:\windows\startm~1\programs\packar~1\system~1.lnk goto FIXIT
goto END
:FIXIT
C:\upgrade.bat
:END
--------------------------------------------------
Enumerating Browser Helper Objects:
(no name) - C:\PROGRA~1\SPYWAR~1\TOOLS\IESDPB.DLL - {B56A7D7D-6927-48C8-A975-17DF180C71AC}
(no name) - C:\PROGRA~1\SPYWAR~1\TOOLS\IESDSG.DLL - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB}
(no name) - c:\program files\google\googletoolbar1.dll - {AA58ED58-01DD-4d91-8333-CF10577473F7}
--------------------------------------------------
Enumerating Task Scheduler jobs:
Maintenance-Defragment programs.job
Maintenance-ScanDisk.job
Maintenance-Disk cleanup.job
{84F4A8E2-6B06-11D5-AE67-00E029951028}_JGorbach.job
{84F4A8E3-6B06-11D5-AE67-00E029951028}_JGorbach.job
{84F4A8E4-6B06-11D5-AE67-00E029951028}_JGorbach.job
{DB60368C-1211-11D9-AE6E-00E029951028}_jgorbach.job
SetTime.job
{DB603693-1211-11D9-AE6E-00E029951028}_jgorbach.job
Note: the {} items do NOT appear in the Scheduled Tasks window and I don't
know what these are referring to / doing.
--------------------------------------------------
Enumerating Download Program Files:
[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\SYSTEM\MACROMED\FLASH\FLASH.OCX
CODEBASE = http://download.macr...ash/swflash.cab
[IPIX ActiveX Control]
InProcServer32 = C:\WINDOWS\OCCACHE\IPIXX.OCX
CODEBASE = http://www.ipix.com/viewers/ipixx.cab
[InstallShield International Setup Player]
InProcServer32 = c:\WINDOWS\DOWNLO~1\ISETUP.DLL
CODEBASE = http://www.infuzer.c...ayer/isetup.cab
[Shockwave ActiveX Control]
InProcServer32 = C:\WINDOWS\SYSTEM\MACROMED\DIRECTOR\SWDIR.DLL
CODEBASE = http://download.macr...director/sw.cab
[MS Investor Ticker]
InProcServer32 = C:\WINDOWS\DOWNLO~1\TICKER9.OCX
CODEBASE = http://fdl.msn.com/p...r/v9/ticker.cab
[PLUploadInstaller.Installer]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\PLUPLOADINSTALLER.OCX
CODEBASE = http://e-luminate.pl...adInstaller.ocx
[EWB_Upload.ULControl]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\EWB_UPLOAD.OCX
CODEBASE = http://e-luminate.im.../EWB_Upload.ocx
[EDD_WebDrawing.Launch]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\EDD_WEBDRAWING.OCX
CODEBASE = http://e-luminate.pl..._WebDrawing.ocx
[{41F17733-B041-4099-A042-B518BB6A408C}]
CODEBASE = http://a1540.g.akama...meInstaller.exe
[DASWebDownload Class]
InProcServer32 = C:\WINDOWS\DASACT.DLL
CODEBASE = http://das.microsoft...tail/DASAct.cab
[{4E888414-DB8F-11D1-9CD9-00C04F98436A}]
CODEBASE = https://webresponse....iveX/winrep.cab
[Update Class]
InProcServer32 = C:\WINDOWS\SYSTEM\IUCTL.DLL
CODEBASE = http://v4.windowsupd...B?38194.4390625
[QuickTime Object]
InProcServer32 = C:\WINDOWS\SYSTEM\QTPLUGIN.OCX
CODEBASE = http://www.apple.com...ex/qtplugin.cab
[Autodesk MapGuide ActiveX Control]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\MGAXCTRL.DLL
CODEBASE = http://www.ohiooneca...ry/mgaxctrl.cab
[IRTHMapDisplay Control]
InProcServer32 = C:\WINDOWS\DOWNLO~1\IRTHMA~1.OCX
CODEBASE = http://www.ohiooneca...HMapDisplay.cab
[HouseCall Control]
InProcServer32 = C:\WINDOWS\DOWNLO~1\XSCAN53.OCX
CODEBASE = http://a840.g.akamai...all/xscan53.cab
[Live365Player Class]
InProcServer32 = C:\WINDOWS\DOWNLO~1\PLAY365.DLL
CODEBASE = http://www.live365.c...ers/play365.cab
[{0000000A-9980-0010-8000-00AA00389B71}]
CODEBASE = http://download.micr...42/wmsp9dmo.cab
[{33564D57-0000-0010-8000-00AA00389B71}]
CODEBASE = http://download.micr...922/wmv9VCM.CAB
[ActiveX Control]
InProcServer32 = C:\WINDOWS\DOWNLO~1\ACTIVEX.OCX
CODEBASE = http://www.icannnews.../ST/ActiveX.ocx
[HouseCall Control]
InProcServer32 = C:\WINDOWS\DOWNLO~1\XSCAN60.OCX
CODEBASE = http://housecall60.t...all/xscan60.cab
--------------------------------------------------
Enumerating ShellServiceObjectDelayLoad items:
WebCheck: C:\WINDOWS\SYSTEM\WEBCHECK.DLL
--------------------------------------------------
End of report, 8,512 bytes
Report generated in 0.388 seconds
Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only
Any/all help will be appreciated.