allaboutsearching & missing shortcuts [CLOSED]



#1 Brandts (New Member, 4 posts)
<_< My nephew was playing around on our computer and downloaded some casino gambling stuff and who knows what else. When we first started up the computer after he did this, it kept adding shortcuts to our desktop. Internet was really slow, we kept getting tons of pop-ups and being taken to sites we didn't want to go to.

I keep cleaning up the startup directory of a bunch of executables (morze2.exe, 2pflvox3.exe, 141wkvnf.exe, etc., etc.) and they keep going back in. We also cannot get rid of the new internet home page allaboutsearching.com (although it does take us to the roadrunner site initially).

We're not really knowledgeable about computers, so we need a lot of HELP .....

I did load "HijackThis" based on other things I found on this forum. Here is a copy of our log:

Logfile of HijackThis v1.97.7
Scan saved at 9:46:56 AM, on 3/28/04
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\REAL\REALPLAYER\REALPLAY.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\WINDOWS\SYSTEM\JUPITCO.EXE
C:\PROGRAM FILES\BROADJUMP\CLIENT FOUNDATION\CFD.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
C:\PROGRAM FILES\CLOSE 1\DRVHEART.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\WINZIP\WINZIP32.EXE
C:\WINDOWS\TEMP\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://allaboutsearc.../searchbar.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://allaboutsearc.../searchbar.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://allaboutsearc...flash/index.cfm
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://allaboutsearc.../searchbar.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://allaboutsearc.../searchbar.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://allaboutsearc.../searchbar.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://allaboutsearc.../searchbar.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Roadrunner
F1 - win.ini: run=hpfsched
O1 - Hosts: 216.93.168.167 auto.search.msn.com
O1 - Hosts: comments (such as these) may be inserted on individual
O1 - Hosts: 216.93.168.167 auto.search.msn.com
O1 - Hosts: 216.93.168.167 sitefinder.verisign.com
O2 - BHO: (no name) - {B549456D-F5D0-4641-BCED-8648A0C13D83} - C:\WINDOWS\BrowserHelper.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] C:\WINDOWS\SYSTEM\QTTASK.EXE
O4 - HKLM\..\Run: [USB SECURITY DEVICE CoInstaller] JupitCo.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [CriticalUpdate] C:\WINDOWS\SYSTEM\wucrtupd.exe -startup
O4 - HKLM\..\Run: [Mwsvm] C:\WINDOWS\mwsvm.exe
O4 - HKLM\..\Run: [WinEssential] C:\WINDOWS\SYSTEM\KEYWORD.exe
O4 - HKLM\..\Run: [Owns Meet] C:\PROGRA~1\CLOSE1~1\Drvheart.exe
O4 - HKLM\..\Run: [frsk] C:\WINDOWS\frsk.exe
O4 - HKLM\..\Run: [J089JGWG.EXE] C:\WINDOWS\J089JGWG.EXE /dk
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [ccEvtMgr] "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKCU\..\Run: [J089JGWG.EXE] C:\WINDOWS\J089JGWG.EXE /dk
O4 - HKCU\..\RunServices: [J089JGWG.EXE] C:\WINDOWS\J089JGWG.EXE /dk
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Startup: Billminder.lnk = C:\QUICKENW\BILLMIND.EXE
O4 - Startup: K0V7L8LB.lnk = C:\WINDOWS\k0v7l8lb.exe
O4 - Startup: QO9RO75H.lnk = C:\WINDOWS\qo9ro75h.exe
O4 - Startup: FWTP1R17.lnk = C:\WINDOWS\fwtp1r17.exe
O4 - Startup: KDI8W0UV.lnk = C:\WINDOWS\kdi8w0uv.exe
O4 - Startup: MORZE1.lnk = C:\WINDOWS\morze1.exe
O4 - Startup: I10VQPTJ.lnk = C:\WINDOWS\i10vqptj.exe
O4 - Startup: FHLC18H5.lnk = C:\WINDOWS\fhlc18h5.exe
O4 - Startup: 5YVH3GRZ.lnk = C:\WINDOWS\5yvh3grz.exe
O4 - Startup: 7UOVRTJK.lnk = C:\WINDOWS\7uovrtjk.exe
O4 - Startup: J089JGWG.lnk = C:\WINDOWS\j089jgwg.exe
O4 - Global Startup: MORZE2.lnk = C:\WINDOWS\morze2.exe
O4 - Global Startup: 2PFLVOX3.lnk = C:\WINDOWS\2pflvox3.exe
O4 - Global Startup: 141WKVNF.lnk = C:\WINDOWS\141wkvnf.exe
O4 - Global Startup: II17LVKO.lnk = C:\WINDOWS\ii17lvko.exe
O4 - Global Startup: MORZE1.lnk = C:\WINDOWS\morze1.exe
O4 - Global Startup: JAGBP9FQ.lnk = C:\WINDOWS\jagbp9fq.exe
O4 - Global Startup: X7YP26CD.lnk = C:\WINDOWS\x7yp26cd.exe
O4 - Global Startup: MRB1ZIPI.lnk = C:\WINDOWS\mrb1zipi.exe
O4 - Global Startup: MWMOTAGC.lnk = C:\WINDOWS\mwmotagc.exe
O4 - Global Startup: 2GUFGRBA.lnk = C:\WINDOWS\2gufgrba.exe
O4 - Global Startup: O4K0J77J.lnk = C:\WINDOWS\o4k0j77j.exe
O4 - Global Startup: EETMWKCA.lnk = C:\WINDOWS\eetmwkca.exe
O4 - Global Startup: FC6YRX1V.lnk = C:\WINDOWS\fc6yrx1v.exe
O4 - Global Startup: JFOQEYM1.lnk = C:\WINDOWS\jfoqeym1.exe
O4 - Global Startup: V4RE5GW3.lnk = C:\WINDOWS\v4re5gw3.exe
O4 - Global Startup: B2TXTFKI.lnk = C:\WINDOWS\b2txtfki.exe
O4 - Global Startup: 5R3IKDDI.lnk = C:\WINDOWS\5r3ikddi.exe
O4 - Global Startup: TWDAI1JR.lnk = C:\WINDOWS\twdai1jr.exe
O4 - Global Startup: 3VH0IQBM.lnk = C:\WINDOWS\3vh0iqbm.exe
O4 - Global Startup: FMYDXDMP.lnk = C:\WINDOWS\fmydxdmp.exe
O4 - Global Startup: X5OKQD23.lnk = C:\WINDOWS\x5okqd23.exe
O4 - Global Startup: QDX7K92J.lnk = C:\WINDOWS\qdx7k92j.exe
O4 - Global Startup: XA4E4JID.lnk = C:\WINDOWS\xa4e4jid.exe
O4 - Global Startup: 7IPA2X0O.lnk = C:\WINDOWS\7ipa2x0o.exe
O4 - Global Startup: IKUX9M81.lnk = C:\WINDOWS\ikux9m81.exe
O4 - Global Startup: 17Z4ZIFK.lnk = C:\WINDOWS\17z4zifk.exe
O4 - Global Startup: L824PMT9.lnk = C:\WINDOWS\l824pmt9.exe
O4 - Global Startup: UYVUAKF9.lnk = C:\WINDOWS\uyvuakf9.exe
O4 - Global Startup: KG90HD0P.lnk = C:\WINDOWS\kg90hd0p.exe
O4 - Global Startup: FGD1ID8L.lnk = C:\WINDOWS\fgd1id8l.exe
O4 - Global Startup: AV4576YW.lnk = C:\WINDOWS\av4576yw.exe
O4 - Global Startup: FWTP1R17.lnk = C:\WINDOWS\fwtp1r17.exe
O4 - Global Startup: V06QNK7J.lnk = C:\WINDOWS\v06qnk7j.exe
O4 - Global Startup: 8PP3AJY6.lnk = C:\WINDOWS\8pp3ajy6.exe
O4 - Global Startup: R074K5OX.lnk = C:\WINDOWS\r074k5ox.exe
O4 - Global Startup: V51I9Y0Z.lnk = C:\WINDOWS\v51i9y0z.exe
O4 - Global Startup: W0V245OV.lnk = C:\WINDOWS\w0v245ov.exe
O4 - Global Startup: RDBH3GK2.lnk = C:\WINDOWS\rdbh3gk2.exe
O4 - Global Startup: FRXZMRTV.lnk = C:\WINDOWS\frxzmrtv.exe
O4 - Global Startup: 5O0DORDQ.lnk = C:\WINDOWS\5o0dordq.exe
O4 - Global Startup: 3XRX2OZF.lnk = C:\WINDOWS\3xrx2ozf.exe
O4 - Global Startup: GXW0D01O.lnk = C:\WINDOWS\gxw0d01o.exe
O4 - Global Startup: Q1IV5GQH.lnk = C:\WINDOWS\q1iv5gqh.exe
O4 - Global Startup: ZCZU10VW.lnk = C:\WINDOWS\zczu10vw.exe
O4 - Global Startup: K0V7L8LB.lnk = C:\WINDOWS\k0v7l8lb.exe
O4 - Global Startup: QO9RO75H.lnk = C:\WINDOWS\qo9ro75h.exe
O4 - Global Startup: KDI8W0UV.lnk = C:\WINDOWS\kdi8w0uv.exe
O4 - Global Startup: I10VQPTJ.lnk = C:\WINDOWS\i10vqptj.exe
O4 - Global Startup: FHLC18H5.lnk = C:\WINDOWS\fhlc18h5.exe
O4 - Global Startup: 5YVH3GRZ.lnk = C:\WINDOWS\5yvh3grz.exe
O4 - Global Startup: 7UOVRTJK.lnk = C:\WINDOWS\7uovrtjk.exe
O4 - Global Startup: J089JGWG.lnk = C:\WINDOWS\j089jgwg.exe
O9 - Extra button: Real.com (HKLM)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {FE67C682-F5EA-11CF-9C2F-0000C0C83ADC} (Jamba Class Library) - http://www.lemelhomes.com/Jambalib.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...director/sw.cab
O16 - DPF: {7CF052DE-C74F-421B-B04A-3B3037EF5887} (CCMPGui Class) - http://64.124.45.181.../proxy/CCMP.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com...ex/qtplugin.cab
O16 - DPF: {D47B9AB4-83C1-4534-ABDC-ACBFFE8F2B86} (CWDL_DownLoadControl Class) - http://www.callwave....DL_DownLoad.cab
O16 - DPF: {116576FE-9817-4AEE-9284-4865D497EC3C} (Factory Class) - http://claims.picwis...tml/LaX2Sys.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - http://us.dl1.yimg.c...ebio5_1_6_0.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...7879.8109027778
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.micr...922/wmv9VCM.CAB
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - https://components.v...ner/ext360.html
O16 - DPF: {0000000A-0000-0010-8000-00AA00389B71} - http://download.micr...0367/wmavax.CAB
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai....23/cpbrkpie.cab
O16 - DPF: {E87F6C8E-16C0-11D3-BEF7-009027438003} (Persits Software XUpload) - http://www.samsphoto...oad/XUpload.ocx
O16 - DPF: {DBAE7000-01EC-4162-8FEB-8A27AC937CA0} - http://webpdp.gator....ndle43v2d12.cab
O16 - DPF: {A16E6189-A1DD-4696-9806-0324C145D794} (KeyActivex Control) - http://www.jraun.com...ActivexTest.ocx
O16 - DPF: {D9EC0A76-03BF-11D4-A509-0090270F86E3} - http://cdn2.adsdk.co...r1136040224.EXE


#2 admin (Founder Geek, Administrator, 24,504 posts)
Welcome Brandts :D

We'll help you get rid of all this junk. :D Your computer has a number of spyware programs that we need to remove. For more info on spyware see the Spyware Tools link in my signature.

Let's start with a couple of free programs:
CWShredder is the first to run. Here's why: If a CoolWebSearch variant is indeed running on your system, it may actually prevent you from running spyware scans. It is smart enough to detect efforts to detect it, and stop them. Download CWShredder to your desktop or other location. Close all browser windows, double click the CWShredder icon to run, then click the Fix -> button. When finished, reboot and run Spybot Search & Destroy.

Spybot Search & Destroy Download and install. Start Spybot S&D using the "Spybot-S&D (easy mode)" link from your Start menu. Click the Search for updates button, if any are found then click the Download Updates button. After all updates are downloaded, click the Check for problems button. When the scan is complete, place a check next to anything marked in red, then click the Fix selected problems button. You may need to run Spybot S&D multiple times to remove all infections.

When finished, reboot your computer. Finally, reply to this post with a new HijackThis log so we can look for any nasties that may have been missed. <_<

CLICK HERE to download CWShredder
CLICK HERE to download Spybot S&D

#3 Brandts (Topic Starter, New Member)
Thanks for the quick response <_< . I did as you instructed, and Spybot especially seemed to remove a ton of stuff; however, everything seems to be back. :D
After discovering that I still had problems, I even tried removing all the .exe files from the Startup directory manually ... however, they always came back.

Here is the new HijackThis log after running both CWShredder and Spybot.

Let me know our next step and thanks again for the help.

Logfile of HijackThis v1.97.7
Scan saved at 7:07:35 PM, on 3/30/04
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\REAL\REALPLAYER\REALPLAY.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\WINDOWS\SYSTEM\JUPITCO.EXE
C:\PROGRAM FILES\BROADJUMP\CLIENT FOUNDATION\CFD.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
C:\PROGRAM FILES\CLOSE 1\DRVHEART.EXE
C:\WINDOWS\HJ0D88TM.EXE
C:\WINDOWS\TEMP\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://allaboutsearc.../searchbar.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://allaboutsearc.../searchbar.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://allaboutsearc...p://www.rr.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://allaboutsearc.../searchbar.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://allaboutsearc.../searchbar.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://allaboutsearc.../searchbar.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://allaboutsearc.../searchbar.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Roadrunner
F1 - win.ini: run=hpfsched
O1 - Hosts: comments (such as these) may be inserted on individual
O2 - BHO: (no name) - {B549456D-F5D0-4641-BCED-8648A0C13D83} - C:\WINDOWS\BrowserHelper.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] C:\WINDOWS\SYSTEM\QTTASK.EXE
O4 - HKLM\..\Run: [USB SECURITY DEVICE CoInstaller] JupitCo.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [CriticalUpdate] C:\WINDOWS\SYSTEM\wucrtupd.exe -startup
O4 - HKLM\..\Run: [Owns Meet] C:\PROGRA~1\CLOSE1~1\Drvheart.exe
O4 - HKLM\..\Run: [frsk] C:\WINDOWS\frsk.exe
O4 - HKLM\..\Run: [HJ0D88TM.EXE] C:\WINDOWS\HJ0D88TM.EXE /dk
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [ccEvtMgr] "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKCU\..\Run: [HJ0D88TM.EXE] C:\WINDOWS\HJ0D88TM.EXE /dk
O4 - HKCU\..\RunServices: [HJ0D88TM.EXE] C:\WINDOWS\HJ0D88TM.EXE /dk
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Startup: Billminder.lnk = C:\QUICKENW\BILLMIND.EXE
O4 - Startup: WN57LBZ9.lnk = C:\WINDOWS\wn57lbz9.exe
O4 - Startup: U6JYDQMA.lnk = C:\WINDOWS\u6jydqma.exe
O4 - Startup: EETMWKCA.lnk = C:\WINDOWS\eetmwkca.exe
O4 - Startup: Y0TZJR02.lnk = C:\WINDOWS\y0tzjr02.exe
O4 - Startup: MORZE1.lnk = C:\WINDOWS\morze1.exe
O4 - Startup: 6A067E5H.lnk = C:\WINDOWS\6a067e5h.exe
O4 - Startup: B5XYCGX9.lnk = C:\WINDOWS\b5xycgx9.exe
O4 - Startup: NQC21UUQ.lnk = C:\WINDOWS\nqc21uuq.exe
O4 - Startup: H7PNX380.lnk = C:\WINDOWS\h7pnx380.exe
O4 - Startup: Q3N9OUU5.lnk = C:\WINDOWS\q3n9ouu5.exe
O4 - Startup: NLW912XB.lnk = C:\WINDOWS\nlw912xb.exe
O4 - Startup: 0M03U1U5.lnk = C:\WINDOWS\0m03u1u5.exe
O4 - Startup: JFOQEYM1.lnk = C:\WINDOWS\jfoqeym1.exe
O4 - Startup: O8O9OGZZ.lnk = C:\WINDOWS\o8o9ogzz.exe
O4 - Startup: 4GG2TT2X.lnk = C:\WINDOWS\4gg2tt2x.exe
O4 - Startup: AB909H0A.lnk = C:\WINDOWS\ab909h0a.exe
O4 - Startup: GLDX4TB8.lnk = C:\WINDOWS\gldx4tb8.exe
O4 - Startup: HJ0D88TM.lnk = C:\WINDOWS\hj0d88tm.exe
O4 - Global Startup: MORZE2.lnk = C:\WINDOWS\morze2.exe
O4 - Global Startup: 2PFLVOX3.lnk = C:\WINDOWS\2pflvox3.exe
O4 - Global Startup: 141WKVNF.lnk = C:\WINDOWS\141wkvnf.exe
O4 - Global Startup: II17LVKO.lnk = C:\WINDOWS\ii17lvko.exe
O4 - Global Startup: MORZE1.lnk = C:\WINDOWS\morze1.exe
O4 - Global Startup: JAGBP9FQ.lnk = C:\WINDOWS\jagbp9fq.exe
O4 - Global Startup: X7YP26CD.lnk = C:\WINDOWS\x7yp26cd.exe
O4 - Global Startup: MRB1ZIPI.lnk = C:\WINDOWS\mrb1zipi.exe
O4 - Global Startup: MWMOTAGC.lnk = C:\WINDOWS\mwmotagc.exe
O4 - Global Startup: 2GUFGRBA.lnk = C:\WINDOWS\2gufgrba.exe
O4 - Global Startup: O4K0J77J.lnk = C:\WINDOWS\o4k0j77j.exe
O4 - Global Startup: EETMWKCA.lnk = C:\WINDOWS\eetmwkca.exe
O4 - Global Startup: FC6YRX1V.lnk = C:\WINDOWS\fc6yrx1v.exe
O4 - Global Startup: JFOQEYM1.lnk = C:\WINDOWS\jfoqeym1.exe
O4 - Global Startup: V4RE5GW3.lnk = C:\WINDOWS\v4re5gw3.exe
O4 - Global Startup: B2TXTFKI.lnk = C:\WINDOWS\b2txtfki.exe
O4 - Global Startup: 5R3IKDDI.lnk = C:\WINDOWS\5r3ikddi.exe
O4 - Global Startup: TWDAI1JR.lnk = C:\WINDOWS\twdai1jr.exe
O4 - Global Startup: 3VH0IQBM.lnk = C:\WINDOWS\3vh0iqbm.exe
O4 - Global Startup: FMYDXDMP.lnk = C:\WINDOWS\fmydxdmp.exe
O4 - Global Startup: X5OKQD23.lnk = C:\WINDOWS\x5okqd23.exe
O4 - Global Startup: QDX7K92J.lnk = C:\WINDOWS\qdx7k92j.exe
O4 - Global Startup: XA4E4JID.lnk = C:\WINDOWS\xa4e4jid.exe
O4 - Global Startup: 7IPA2X0O.lnk = C:\WINDOWS\7ipa2x0o.exe
O4 - Global Startup: IKUX9M81.lnk = C:\WINDOWS\ikux9m81.exe
O4 - Global Startup: 17Z4ZIFK.lnk = C:\WINDOWS\17z4zifk.exe
O4 - Global Startup: L824PMT9.lnk = C:\WINDOWS\l824pmt9.exe
O4 - Global Startup: UYVUAKF9.lnk = C:\WINDOWS\uyvuakf9.exe
O4 - Global Startup: KG90HD0P.lnk = C:\WINDOWS\kg90hd0p.exe
O4 - Global Startup: FGD1ID8L.lnk = C:\WINDOWS\fgd1id8l.exe
O4 - Global Startup: AV4576YW.lnk = C:\WINDOWS\av4576yw.exe
O4 - Global Startup: FWTP1R17.lnk = C:\WINDOWS\fwtp1r17.exe
O4 - Global Startup: V06QNK7J.lnk = C:\WINDOWS\v06qnk7j.exe
O4 - Global Startup: 8PP3AJY6.lnk = C:\WINDOWS\8pp3ajy6.exe
O4 - Global Startup: R074K5OX.lnk = C:\WINDOWS\r074k5ox.exe
O4 - Global Startup: V51I9Y0Z.lnk = C:\WINDOWS\v51i9y0z.exe
O4 - Global Startup: W0V245OV.lnk = C:\WINDOWS\w0v245ov.exe
O4 - Global Startup: RDBH3GK2.lnk = C:\WINDOWS\rdbh3gk2.exe
O4 - Global Startup: FRXZMRTV.lnk = C:\WINDOWS\frxzmrtv.exe
O4 - Global Startup: 5O0DORDQ.lnk = C:\WINDOWS\5o0dordq.exe
O4 - Global Startup: 3XRX2OZF.lnk = C:\WINDOWS\3xrx2ozf.exe
O4 - Global Startup: GXW0D01O.lnk = C:\WINDOWS\gxw0d01o.exe
O4 - Global Startup: Q1IV5GQH.lnk = C:\WINDOWS\q1iv5gqh.exe
O4 - Global Startup: ZCZU10VW.lnk = C:\WINDOWS\zczu10vw.exe
O4 - Global Startup: K0V7L8LB.lnk = C:\WINDOWS\k0v7l8lb.exe
O4 - Global Startup: QO9RO75H.lnk = C:\WINDOWS\qo9ro75h.exe
O4 - Global Startup: KDI8W0UV.lnk = C:\WINDOWS\kdi8w0uv.exe
O4 - Global Startup: I10VQPTJ.lnk = C:\WINDOWS\i10vqptj.exe
O4 - Global Startup: FHLC18H5.lnk = C:\WINDOWS\fhlc18h5.exe
O4 - Global Startup: 5YVH3GRZ.lnk = C:\WINDOWS\5yvh3grz.exe
O4 - Global Startup: 7UOVRTJK.lnk = C:\WINDOWS\7uovrtjk.exe
O4 - Global Startup: J089JGWG.lnk = C:\WINDOWS\j089jgwg.exe
O4 - Global Startup: 40JR1PNK.lnk = C:\WINDOWS\40jr1pnk.exe
O4 - Global Startup: ITC0ALD8.lnk = C:\WINDOWS\itc0ald8.exe
O4 - Global Startup: RKB08X6L.lnk = C:\WINDOWS\rkb08x6l.exe
O4 - Global Startup: YK5XD81W.lnk = C:\WINDOWS\yk5xd81w.exe
O4 - Global Startup: 1R6LU8ZN.lnk = C:\WINDOWS\1r6lu8zn.exe
O4 - Global Startup: NOHZPMOQ.lnk = C:\WINDOWS\nohzpmoq.exe
O4 - Global Startup: WN57LBZ9.lnk = C:\WINDOWS\wn57lbz9.exe
O4 - Global Startup: U6JYDQMA.lnk = C:\WINDOWS\u6jydqma.exe
O4 - Global Startup: Y0TZJR02.lnk = C:\WINDOWS\y0tzjr02.exe
O4 - Global Startup: 6A067E5H.lnk = C:\WINDOWS\6a067e5h.exe
O4 - Global Startup: B5XYCGX9.lnk = C:\WINDOWS\b5xycgx9.exe
O4 - Global Startup: NQC21UUQ.lnk = C:\WINDOWS\nqc21uuq.exe
O4 - Global Startup: H7PNX380.lnk = C:\WINDOWS\h7pnx380.exe
O4 - Global Startup: Q3N9OUU5.lnk = C:\WINDOWS\q3n9ouu5.exe
O4 - Global Startup: NLW912XB.lnk = C:\WINDOWS\nlw912xb.exe
O4 - Global Startup: 0M03U1U5.lnk = C:\WINDOWS\0m03u1u5.exe
O4 - Global Startup: O8O9OGZZ.lnk = C:\WINDOWS\o8o9ogzz.exe
O4 - Global Startup: 4GG2TT2X.lnk = C:\WINDOWS\4gg2tt2x.exe
O4 - Global Startup: AB909H0A.lnk = C:\WINDOWS\ab909h0a.exe
O4 - Global Startup: GLDX4TB8.lnk = C:\WINDOWS\gldx4tb8.exe
O4 - Global Startup: HJ0D88TM.lnk = C:\WINDOWS\hj0d88tm.exe
O9 - Extra button: Real.com (HKLM)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {FE67C682-F5EA-11CF-9C2F-0000C0C83ADC} (Jamba Class Library) - http://www.lemelhomes.com/Jambalib.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...director/sw.cab
O16 - DPF: {7CF052DE-C74F-421B-B04A-3B3037EF5887} (CCMPGui Class) - http://64.124.45.181.../proxy/CCMP.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com...ex/qtplugin.cab
O16 - DPF: {D47B9AB4-83C1-4534-ABDC-ACBFFE8F2B86} (CWDL_DownLoadControl Class) - http://www.callwave....DL_DownLoad.cab
O16 - DPF: {116576FE-9817-4AEE-9284-4865D497EC3C} (Factory Class) - http://claims.picwis...tml/LaX2Sys.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - http://us.dl1.yimg.c...ebio5_1_6_0.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...7879.8109027778
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.micr...922/wmv9VCM.CAB
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - https://components.v...ner/ext360.html
O16 - DPF: {0000000A-0000-0010-8000-00AA00389B71} - http://download.micr...0367/wmavax.CAB
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai....23/cpbrkpie.cab
O16 - DPF: {E87F6C8E-16C0-11D3-BEF7-009027438003} (Persits Software XUpload) - http://www.samsphoto...oad/XUpload.ocx
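The two logs above show a cleanup that did not stick: the 3/30 log still carries most of the 3/28 entries, plus a fresh set of random-named executables. As an added example (not HijackThis code and not part of any post in this thread), the Python below parses the entry lines HijackThis prints, flags the patterns this thread turns on (IE start and search pages pointing at the hijacker domain, hosts-file redirects, an unnamed BHO, startup shortcuts to executables dropped straight into C:\WINDOWS, Run keys loading eight-character random names) and diffs two scans so that persisted, removed and newly added entries are listed separately. LOG_MAR28 and LOG_MAR30 are constructed excerpts of the two posted logs; the function names, the truncated `allaboutsearc` prefix match and the flagging heuristics are this example's own assumptions, deliberately narrow so that legitimate entries such as scanregw.exe or the Quicken shortcut are left alone, and not HijackThis rules.

```python
"""Triage helper for HijackThis (HJT) v1.97-style logs.

Added example for this thread: not HijackThis code, not part of any post.
It parses the entry lines HJT prints (R0/R1, O1, O2, O4, ...), flags the
patterns visible in the posted logs, and compares two scans to show what a
cleanup left behind. LOG_MAR28 / LOG_MAR30 are constructed excerpts of the
logs posted on 3/28 and 3/30; the heuristics are assumptions, not HJT rules.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

HIJACK_DOMAIN = "allaboutsearc"  # HJT truncates long URLs with "...", so match the prefix

ENTRY_RE = re.compile(r"^(?P<sec>[RFO]\d+) - (?P<body>.*)$")
# "Startup: NAME.lnk = C:\WINDOWS\name.exe" and "Global Startup: ..."
STARTUP_RE = re.compile(r"^(?:Global )?Startup: (?P<lnk>[^=]+?) = (?P<path>.+)$")
# "HKLM\..\Run: [Name] C:\path\prog.exe /dk" (also RunServices)
REGRUN_RE = re.compile(r"^(?P<hive>HK\w+)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
# Executable directly in C:\WINDOWS, not in a subfolder such as SYSTEM
WINDOWS_ROOT_EXE_RE = re.compile(r"^C:\\WINDOWS\\[^\\]+\.exe$", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    section: str
    reason: str
    line: str

    def key(self) -> str:
        # R0/R1 URLs change between scans; compare those by registry value name only
        return self.line.split(" = ", 1)[0] if self.section in ("R0", "R1") else self.line


def looks_random(stem: str) -> bool:
    """Eight alphanumerics mixing letters and digits, like j089jgwg or hj0d88tm."""
    return (len(stem) == 8 and stem.isalnum()
            and any(c.isdigit() for c in stem) and any(c.isalpha() for c in stem))


def exe_path(cmd: str) -> str:
    """First token of a Run command, honouring a quoted path."""
    return cmd[1:].split('"', 1)[0] if cmd.startswith('"') else cmd.split()[0]


def stem_of(path: str) -> str:
    return path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]


def triage(log: str) -> list[Finding]:
    """Return the HJT entry lines that match the thread's infection patterns."""
    findings: list[Finding] = []
    for raw in log.splitlines():
        raw = raw.strip()
        m = ENTRY_RE.match(raw)
        if not m:
            continue  # header lines, "Running processes:" paths, blanks
        sec, body = m.group("sec"), m.group("body")
        if sec in ("R0", "R1") and HIJACK_DOMAIN in body:
            findings.append(Finding(sec, "IE start/search page set to hijacker domain", raw))
        elif sec == "O1" and re.search(r"\b\d{1,3}(?:\.\d{1,3}){3}\s+\S+", body):
            findings.append(Finding(sec, "hosts-file entry redirects a hostname", raw))
        elif sec == "O2" and body.startswith("BHO: (no name)"):
            findings.append(Finding(sec, "unnamed Browser Helper Object", raw))
        elif sec == "O4":
            s = STARTUP_RE.match(body)
            if s and WINDOWS_ROOT_EXE_RE.match(s.group("path").strip()):
                findings.append(Finding(sec, "startup shortcut to exe dropped in C:\\WINDOWS", raw))
                continue
            r = REGRUN_RE.match(body)
            if r:
                path = exe_path(r.group("cmd"))
                if WINDOWS_ROOT_EXE_RE.match(path) and looks_random(stem_of(path)):
                    findings.append(Finding(sec, f"{r.group('hive')} {r.group('key')} loads random-named exe", raw))
    return findings


def compare(before: str, after: str) -> dict[str, list[Finding]]:
    """Split flagged entries into persisted / removed / new between two scans."""
    b = {f.key(): f for f in triage(before)}
    a = {f.key(): f for f in triage(after)}
    return {"persisted": [a[k] for k in a if k in b],
            "removed": [b[k] for k in b if k not in a],
            "new": [a[k] for k in a if k not in b]}


# Constructed excerpts of the two logs in the thread (3/28 and 3/30).
LOG_MAR28 = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://allaboutsearc...flash/index.cfm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://allaboutsearc.../searchbar.html
O1 - Hosts: 216.93.168.167 auto.search.msn.com
O1 - Hosts: comments (such as these) may be inserted on individual
O2 - BHO: (no name) - {B549456D-F5D0-4641-BCED-8648A0C13D83} - C:\WINDOWS\BrowserHelper.dll
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [J089JGWG.EXE] C:\WINDOWS\J089JGWG.EXE /dk
O4 - Startup: Billminder.lnk = C:\QUICKENW\BILLMIND.EXE
O4 - Startup: MORZE1.lnk = C:\WINDOWS\morze1.exe
O4 - Global Startup: J089JGWG.lnk = C:\WINDOWS\j089jgwg.exe
"""
LOG_MAR30 = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://allaboutsearc...p://www.rr.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://allaboutsearc.../searchbar.html
O1 - Hosts: comments (such as these) may be inserted on individual
O2 - BHO: (no name) - {B549456D-F5D0-4641-BCED-8648A0C13D83} - C:\WINDOWS\BrowserHelper.dll
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [HJ0D88TM.EXE] C:\WINDOWS\HJ0D88TM.EXE /dk
O4 - Startup: Billminder.lnk = C:\QUICKENW\BILLMIND.EXE
O4 - Startup: MORZE1.lnk = C:\WINDOWS\morze1.exe
O4 - Global Startup: J089JGWG.lnk = C:\WINDOWS\j089jgwg.exe
O4 - Global Startup: HJ0D88TM.lnk = C:\WINDOWS\hj0d88tm.exe
"""

if __name__ == "__main__":
    for bucket, items in compare(LOG_MAR28, LOG_MAR30).items():
        print(f"{bucket} ({len(items)}):")
        for f in items:
            print(f"  [{f.section}] {f.reason}: {f.line}")
```

Run stand-alone, the report lists five persisted entries (both IE page hijacks, the unnamed BHO, morze1.exe and j089jgwg.exe in the startup folders), two removed (the hosts redirect and the old Run key) and two new (the HJ0D88TM Run key and shortcut), which is the "everything seems to be back" picture in words. Comparing R0/R1 entries by value name rather than by full line is what keeps a changed Start Page URL from being misreported as a new infection.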

#4 admin (Founder Geek)
Sorry, I missed this the first time, and it needs to be fixed first.

Reboot in safe mode (by tapping F8 at startup and selecting safe mode from the menu). Delete the following folder:

C:\PROGRAM FILES\CLOSE 1 <- (this folder)

Then go offline (close all browsers and any open windows), making sure that only HijackThis is open. Scan and when it finishes, put an X in the boxes only next to these following items, then click Fix checked.

C:\PROGRAM FILES\CLOSE 1\DRVHEART.EXE
O4 - HKLM\..\Run: [Owns Meet] C:\PROGRA~1\CLOSE1~1\Drvheart.exe

Reboot your computer and run Spybot again, then reboot and post a fresh log <_<

#5 Brandts (Topic Starter)
:D I think we did it!!!!!

In addition to deleting the two items you mentioned, I deleted all the .exe files under Startup and Global Startup that kept coming up every time I rebooted. It seemed like it added more and more each time I tried to fix these problems. After running HijackThis and Spybot and rebooting, I didn't have any errors, but here's my log. Let me know if you think it's safe to turn back on my ActiveX and Java settings.

By the way, I understand Symantec has some kind of Norton program that will protect against this in the future ... do you know which particular program that is and if there is anything better?

Logfile of HijackThis v1.97.7
Scan saved at 10:33:12 PM, on 3/30/04
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\REAL\REALPLAYER\REALPLAY.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\WINDOWS\SYSTEM\JUPITCO.EXE
C:\PROGRAM FILES\BROADJUMP\CLIENT FOUNDATION\CFD.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
C:\WINDOWS\TEMP\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://allaboutsearc.../searchbar.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rr.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://allaboutsearc.../searchbar.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://allaboutsearc.../searchbar.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Roadrunner
F1 - win.ini: run=hpfsched
O1 - Hosts: comments (such as these) may be inserted on individual
O2 - BHO: (no name) - {B549456D-F5D0-4641-BCED-8648A0C13D83} - C:\WINDOWS\BrowserHelper.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] C:\WINDOWS\SYSTEM\QTTASK.EXE
O4 - HKLM\..\Run: [USB SECURITY DEVICE CoInstaller] JupitCo.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [CriticalUpdate] C:\WINDOWS\SYSTEM\wucrtupd.exe -startup
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [ccEvtMgr] "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Startup: Billminder.lnk = C:\QUICKENW\BILLMIND.EXE
O9 - Extra button: Real.com (HKLM)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {FE67C682-F5EA-11CF-9C2F-0000C0C83ADC} (Jamba Class Library) - http://www.lemelhomes.com/Jambalib.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...director/sw.cab
O16 - DPF: {7CF052DE-C74F-421B-B04A-3B3037EF5887} (CCMPGui Class) - http://64.124.45.181.../proxy/CCMP.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com...ex/qtplugin.cab
O16 - DPF: {D47B9AB4-83C1-4534-ABDC-ACBFFE8F2B86} (CWDL_DownLoadControl Class) - http://www.callwave....DL_DownLoad.cab
O16 - DPF: {116576FE-9817-4AEE-9284-4865D497EC3C} (Factory Class) - http://claims.picwis...tml/LaX2Sys.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - http://us.dl1.yimg.c...ebio5_1_6_0.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...7879.8109027778
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.micr...922/wmv9VCM.CAB
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - https://components.v...ner/ext360.html
O16 - DPF: {0000000A-0000-0010-8000-00AA00389B71} - http://download.micr...0367/wmavax.CAB
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai....23/cpbrkpie.cab
O16 - DPF: {E87F6C8E-16C0-11D3-BEF7-009027438003} (Persits Software XUpload) - http://www.samsphoto...oad/XUpload.ocx

THANKS FOR THE WONDERFUL HELP!!!! YOU ARE MARKED AS A "FAVORITE" ON MY WEBSITE FOR SURE!!!!

<_<

Oops ... maybe I spoke too soon, as I was previewing this message an ad popped up. Let me know what your thoughts are. Thanks.

#6 admin (Founder Geek)
Almost there <_<

Please go offline, close all browsers and any open windows, making sure that only HijackThis is open. Scan and when it finishes, put an X in the boxes only next to these following items, then click Fix checked.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://allaboutsearc.../searchbar.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://allaboutsearc.../searchbar.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://allaboutsearc.../searchbar.html
O2 - BHO: (no name) - {B549456D-F5D0-4641-BCED-8648A0C13D83} - C:\WINDOWS\BrowserHelper.dll

To prevent spyware we recommend installing SpywareBlaster. It's free, will prevent spyware from being installed and consumes no system resources. It also places over 4000 websites and domains in the IE Restricted list which will impair attempts to infect your system. More info and download is available at:
SpywareBlaster: http://www.javacools...areblaster.html

#7 Brandts (Topic Starter)
<_< Looks like our problems are fixed and we certainly couldn't have done it without you! Thanks. After your last instructions, we've been running good for two days now.

Thanks for all the help. You're providing an awesome "service".

:D

#8 Smokey (Retired Staff, 1,423 posts)
To prevent future infections, install SpywareBlaster and update it regularly. <_<

#9 Kat (Retired Staff, MVP, 19,711 posts)
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.