
Please Help Me.....


This topic is locked
22 replies to this topic

#1 stezieb

  • Members
  • 16 posts

Posted 13 May 2006 - 04:29 PM

OK, I am getting pop-ups like crazy. I use Mozilla, but I'm getting IE pop-ups, two a minute. Also my background is solid black and I've lost the picture I had on the background.

So far I have run:

Ad-Aware
AVG
Spybot
Spyware Nuker

All with the latest updates as of 5-12-2006

I've deleted cookies and all other temporary internet files and saved passwords. Still I get pop-ups out of nowhere for places like partypoker.net and stuff.

I really don't want to have to format and reinstall, so please help me out. Here is my HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 3:18:52 PM, on 5/13/06
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\PROGRAM FILES\SPYWARE NUKER\SWNXT.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\FIREFOX.EXE
C:\WINDOWS\PROFILES\STEZIEB\DESKTOP\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
O3 - Toolbar: (no name) - {F0F8ECBE-D460-4B34-B007-56A92E8F84A7} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [SWN2] C:\PROGRAM FILES\SPYWARE NUKER\SWNXT.EXE /h
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
O8 - Extra context menu item: Download by Free Download Manager - file://E:\Program files\Free Download Manager\dllink.htm
O8 - Extra context menu item: Download web site by Free Download Manager - file://E:\Program files\Free Download Manager\dlpage.htm
O8 - Extra context menu item: Download all by Free Download Manager - file://E:\Program files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected by Free Download Manager - file://E:\Program files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmwordtrans.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsimilar.html
O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate Page into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmtrans.html
O9 - Extra button: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - E:\Program files\EmpirePoker.exe (file missing)
O9 - Extra 'Tools' menuitem: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - E:\Program files\EmpirePoker.exe (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM\AIM.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRAM FILES\JAVA\JRE1.5.0_06\BIN\SSV.DLL
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRAM FILES\JAVA\JRE1.5.0_06\BIN\SSV.DLL
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/controls/msnchat45.cab

--------------------------------------------------------------------------------------
I'm also getting this error from the boot-up AVG scanner: "Virus Found C:NNSCIAA~.exe", but when I search at that location there are no files remotely close to that name.

And also on startup I get the message that ibm0001.exe or one of its components is not found. Hope this helps.

Spyware Nuker and Spybot say that ZestyFind and WebHancer are my problems, but Spybot and Spyware Nuker supposedly deleted them.
They find and recognize these files:

c:\Windows\System\CZWMDM.dll

EXPLORER.EXE (ID -116133) MTVCR70.DLL

c:\WINDOWS\SYSTEM\mtvcr70.dll

but they won't delete them.

Thanks in advance.


-StezieB-

Edited by stezieb, 13 May 2006 - 08:37 PM.



#2 stezieb
  • Topic Starter

  • Members
  • 16 posts

Posted 13 May 2006 - 04:41 PM

I don't know if this helps or not, but here is the HJT log with the pop-ups actually open:

Logfile of HijackThis v1.99.1
Scan saved at 3:39:51 PM, on 5/13/06
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\FIREFOX.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\PROFILES\STEZIEB\DESKTOP\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
O3 - Toolbar: (no name) - {F0F8ECBE-D460-4B34-B007-56A92E8F84A7} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [SWN2] C:\PROGRAM FILES\SPYWARE NUKER\SWNXT.EXE /h
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
O8 - Extra context menu item: Download by Free Download Manager - file://E:\Program files\Free Download Manager\dllink.htm
O8 - Extra context menu item: Download web site by Free Download Manager - file://E:\Program files\Free Download Manager\dlpage.htm
O8 - Extra context menu item: Download all by Free Download Manager - file://E:\Program files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected by Free Download Manager - file://E:\Program files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmwordtrans.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsimilar.html
O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate Page into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmtrans.html
O9 - Extra button: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - E:\Program files\EmpirePoker.exe (file missing)
O9 - Extra 'Tools' menuitem: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - E:\Program files\EmpirePoker.exe (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM\AIM.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRAM FILES\JAVA\JRE1.5.0_06\BIN\SSV.DLL
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRAM FILES\JAVA\JRE1.5.0_06\BIN\SSV.DLL
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/controls/msnchat45.cab

#3 stezieb
  • Topic Starter

  • Members
  • 16 posts

Posted 14 May 2006 - 09:02 AM

OK, I found out more about this. I started saving all of the URLs of the pop-ups I am getting; here is what the list looks like:

http://serving.rpowermedia.com/advertpro/s...e?zid=29&pid=10
http://www.onlineshopp-ing.com/muon.html
http://www.dealiotoday.com/muon.html
http://www.winantivirus.com
http://www.888.com
http://www.buyer-shabit.com/muon.html
http://www.bigdiscountbuy.com/muon.html
http://www.blow-outsales.com/muon.html
http://www5.zapmeta.com/cgi-bin/search/met...&thumbs=on&to=5

http://www.hug-ediscounts.com/muon.html
http://www.uniqueoffer-s.com/muon.html

A simple Google search led me here:
http://forums.techguy.org/security/459211-...pages-muon.html


And a search on this board led me here:
http://www.bleepingcomputer.com/forums/ind...c=49774&hl=muon

I am trying to learn more about this virus/spyware/hijack attempt or whatever it is, because AVG doesn't protect against it yet. I want it off my computer as soon as possible though. Once again, thanks in advance.

#4 Buckeye_Sam

    Malware Expert

  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 16 May 2006 - 02:44 PM

Hi and welcome to Bleeping Computer! My name is Sam and I will be helping you. :thumbsup:

I apologize for the delay in getting to your log; the helpers here are very busy.
If you still need help, please post a fresh HijackThis log in this thread so I can help you with your malware problems.

If you have resolved this issue please let us know.
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#5 stezieb
  • Topic Starter

  • Members
  • 16 posts

Posted 16 May 2006 - 06:37 PM

I am not close to being rid of this virus/malware or whatever. It is actually making more pop-ups in less time, and recently it is taking over my Mozilla.

Here is a new log:

HJT LOG 5-16-2006

Anti-virus and spyware searching programs aren't finding this problem; I really need help.


Thanks in advance, Sam.

StezieB


#6 Buckeye_Sam

    Malware Expert

  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 16 May 2006 - 09:17 PM

Always copy your log and paste it in your reply so that it can be easily seen and reviewed.

Logfile of HijackThis v1.99.1
Scan saved at 5:29:18 PM, on 5/16/06
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\LEXBCES.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\PROFILES\STEZIEB\DESKTOP\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
O3 - Toolbar: (no name) - {F0F8ECBE-D460-4B34-B007-56A92E8F84A7} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
O8 - Extra context menu item: Download by Free Download Manager - file://E:\Program files\Free Download Manager\dllink.htm
O8 - Extra context menu item: Download web site by Free Download Manager - file://E:\Program files\Free Download Manager\dlpage.htm
O8 - Extra context menu item: Download all by Free Download Manager - file://E:\Program files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected by Free Download Manager - file://E:\Program files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmwordtrans.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsimilar.html
O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate Page into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmtrans.html
O9 - Extra button: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - E:\Program files\EmpirePoker.exe (file missing)
O9 - Extra 'Tools' menuitem: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - E:\Program files\EmpirePoker.exe (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM\AIM.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRAM FILES\JAVA\JRE1.5.0_06\BIN\SSV.DLL
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRAM FILES\JAVA\JRE1.5.0_06\BIN\SSV.DLL
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/controls/msnchat45.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab

#7 Buckeye_Sam

    Malware Expert

  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 16 May 2006 - 09:20 PM

Now let's see what we can dig up.

I need to see a different type of log from HijackThis:
  • Run HijackThis.
  • Click on "Open the Misc Tools section".
  • Next click on "Open uninstall manager".
  • Press the button 'save list'. It will open a Notepad file.
  • Place the content of that file here in your next reply.
============


Please download DLLCompare

*Save it to your desktop and run it.
*Click 'Run Locate.com' to scan.
*When the scan has completed, click 'Compare'.
*When completed, click "Make a Log of What Was Found".
*Please Copy/Paste the entire contents of the logfile to this thread.

Note: If you get an error after pressing Run Locate.com:
copy autoexec.nt from c:\windows\repair\ folder to c:\windows\system32\ folder.

#8 stezieb
  • Topic Starter

  • Members
  • 16 posts

Posted 16 May 2006 - 11:44 PM

HJT uninstall manager log:

AC3Filter (remove only)
Ace DivX Player
Ad-Aware SE Professional
Adobe Atmosphere Player for Acrobat and Adobe Reader
Adobe Reader 6.0
America Online
AnalogX Rhyme
AOL Instant Messenger
Apollo DVD Copy 4.5.2
Ares 1.9.0
AVG Free Edition
AVI Codec Pack
Bug Doctor 3.0.3.3
CDBurnerXP Pro 3
Collab
Combined Community Codec Pack 9x 11/19/2005 (Remove Only)
Command Prompt Here
Crystal Player Professional 1.76
CueClub
DATA BECKER 5,000 Greeting Cards
Date Cracker 2000
DivX
DivX Player
D-Link VGA Webcam
DVC5.0 Driver
DVC5.1 Driver
ffdshow
FreshView
Google Toolbar for Internet Explorer
HighGrow
HijackThis 1.99.1
Hi-Speed USB-to-IDE Win98 Driver
IBP 8.1
Intel® PRO/DSL Modem & Utilities
Internet Explorer Q891781
J2SE Runtime Environment 5.0 Update 1
J2SE Runtime Environment 5.0 Update 3
J2SE Runtime Environment 5.0 Update 6
Lexmark Z22-Z32 Series
LimeWire PRO 4.10.9
MA311 Device Driver and Configuration Utility
Macromedia Dreamweaver MX 2004
Macromedia Extension Manager
Macromedia Fireworks MX 2004
Macromedia Flash Player 8
Macromedia Shockwave Player
Microsoft Internet Explorer 6 SP1 and Internet Tools
Microsoft Office 2000 SR-1 Professional
Microsoft Outlook Express 6
Microsoft Reader
Microsoft Web Publishing Wizard 1.6
Microsoft XML Parser and SDK
Mozilla Firefox (1.5.0.3)
MSN Messenger 7.0
nAVI Vx3 MPEG-4 Codec
Nero Fast CD-Burning Plug-in
NetZero
Nimo Codecs Pack v5.0 (Remove Only)
RAMpage
Real Alternative 1.47
Samsung DVC Media 5.1
setup (Remove only)
Sony ACID Pro 4.0f
Spybot - Search & Destroy 1.4
Spyware Nuker XT
StartUp Manager
Tweak UI
Unofficial Windows98 SE Service Pack 2.0.2 (Remove Only)
USB Product Driver v2.12r016
VNC Free Edition 4.1.1
Windows 98 KB891711 Update
Windows 98 KB908519 Update
Windows 98 Q823559 Update
Windows 98 Q888113 Update
Windows Media Player system update (9 Series)
WinRAR archiver
XviD 1.1 final uninstall
Yatcee! by Max v4.1

-------------------------------------------------------

I've been wanting to get rid of these programs, but Add/Remove in the Control Panel wouldn't let me remove them:

-America Online
-DATA BECKER 5,000 Greeting Cards
-Date Cracker 2000
-Nero Fast CD-Burning Plug-in (*and anything else nero related)
-NetZero
and
-Tweak UI

It just won't let me remove them.

-------------------------------------------------------

Here is the DLLCompare log:


* DLLCompare Log version()
Files Found that Windows does not See or cannot Access
*Not everything listed here means you are infected!
________________________________________________

C:\WINDOWS\SYSTEM\oa519usd.dll Thu May 11 2006 4:34:42p ..S.R 226,592 221.28 K
C:\WINDOWS\SYSTEM\cguinf32.dll Thu May 11 2006 4:34:42p ..S.R 226,592 221.28 K
C:\WINDOWS\SYSTEM\rzdi.dll Thu May 11 2006 4:34:42p ..S.R 226,592 221.28 K
C:\WINDOWS\SYSTEM\mtvcr70.dll Thu May 11 2006 4:34:42p ..S.R 226,592 221.28 K
C:\WINDOWS\SYSTEM\eecapi.dll Thu May 11 2006 4:34:42p ..S.R 226,592 221.28 K
C:\WINDOWS\SYSTEM\sjsinv.dll Thu May 11 2006 4:34:42p ..S.R 226,592 221.28 K
C:\WINDOWS\SYSTEM\opcom400.dll Thu May 11 2006 4:34:42p ..S.R 226,592 221.28 K
C:\WINDOWS\SYSTEM\whlpda~1.dll Mon Oct 4 2004 10:11:04a ...H. 2,045 1.99 K
________________________________________________

928 items found: 928 files (8 H/S), 0 directories.
Total of file sizes: 196,935,957 bytes 187.81 M

--------------------End log---------------------


Hope this helps.

StezieB

Edited by stezieb, 17 May 2006 - 12:00 AM.
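The DLLCompare output in the post above, and the HijackThis logs earlier in the thread, can be triaged mechanically before a helper reads them line by line. The following Python script is an added example written for this page; it is not a tool from the thread or from the HijackThis or DLLCompare authors, and its function and field names are my own. It embeds the entry lines quoted in the thread as constructed sample input and applies two checks a helper otherwise does by eye: a cluster of differently named DLLs in C:\WINDOWS\SYSTEM that share one exact byte size and one write timestamp and carry system/hidden/read-only attributes (the pattern Buckeye_Sam goes on to treat with l2m9xfix), and HijackThis entries whose target file no longer exists ("(no file)" / "(file missing)"). Reading the attribute column's S, H and R letters as system, hidden and read-only is an assumption, consistent with the "(8 H/S)" summary DLLCompare printed.

```python
import re
from collections import defaultdict

# Constructed sample input: the DLLCompare log quoted in the thread, banner and
# summary lines included so the parser has to skip them as it would on a real log.
DLLCOMPARE_SAMPLE = r"""
* DLLCompare Log version()
Files Found that Windows does not See or cannot Access
*Not everything listed here means you are infected!
________________________________________________

C:\WINDOWS\SYSTEM\oa519usd.dll Thu May 11 2006 4:34:42p ..S.R 226,592 221.28 K
C:\WINDOWS\SYSTEM\cguinf32.dll Thu May 11 2006 4:34:42p ..S.R 226,592 221.28 K
C:\WINDOWS\SYSTEM\rzdi.dll Thu May 11 2006 4:34:42p ..S.R 226,592 221.28 K
C:\WINDOWS\SYSTEM\mtvcr70.dll Thu May 11 2006 4:34:42p ..S.R 226,592 221.28 K
C:\WINDOWS\SYSTEM\eecapi.dll Thu May 11 2006 4:34:42p ..S.R 226,592 221.28 K
C:\WINDOWS\SYSTEM\sjsinv.dll Thu May 11 2006 4:34:42p ..S.R 226,592 221.28 K
C:\WINDOWS\SYSTEM\opcom400.dll Thu May 11 2006 4:34:42p ..S.R 226,592 221.28 K
C:\WINDOWS\SYSTEM\whlpda~1.dll Mon Oct 4 2004 10:11:04a ...H. 2,045 1.99 K
________________________________________________

928 items found: 928 files (8 H/S), 0 directories.
Total of file sizes: 196,935,957 bytes 187.81 M
"""

# Constructed sample input: a handful of lines copied from the first HijackThis log in the thread.
HJT_SAMPLE = r"""
O3 - Toolbar: (no name) - {F0F8ECBE-D460-4B34-B007-56A92E8F84A7} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [SWN2] C:\PROGRAM FILES\SPYWARE NUKER\SWNXT.EXE /h
O9 - Extra button: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - E:\Program files\EmpirePoker.exe (file missing)
O9 - Extra 'Tools' menuitem: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - E:\Program files\EmpirePoker.exe (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM\AIM.EXE
"""

# One DLLCompare entry: <path> <weekday month day year h:mm:ss a|p> <attrs> <bytes> <pretty size>.
# The path is matched lazily up to the weekday so paths with spaces would still parse.
ENTRY_RE = re.compile(
    r"^(?P<path>.+?)\s+"
    r"(?P<stamp>(?:Mon|Tue|Wed|Thu|Fri|Sat|Sun) [A-Z][a-z]{2} \d{1,2} \d{4} \d{1,2}:\d{2}:\d{2}[ap])\s+"
    r"(?P<attrs>[A-Z.]+)\s+"
    r"(?P<size>\d[\d,]*)\s+\S+ [KMB]$"
)


def parse_dllcompare(text):
    """Return one dict per entry line; banner, separator and summary lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m is None:
            continue
        entries.append({
            "path": m["path"],
            "stamp": m["stamp"],
            "attrs": m["attrs"],  # e.g. "..S.R"; S/H/R read as system/hidden/read-only (assumption)
            "size": int(m["size"].replace(",", "")),
        })
    return entries


def hidden_or_system(entries):
    """Entries carrying H or S; this count should equal the '(n H/S)' figure in the log footer."""
    return [e for e in entries if "H" in e["attrs"] or "S" in e["attrs"]]


def identical_clusters(entries, min_names=3):
    """Group entries by exact (size, timestamp) and report groups with >= min_names distinct names.

    Several unrelated-looking DLLs that are byte-for-byte the same size, written in the same
    second and flagged system/read-only are far more likely to be copies of one dropped file
    than independent components, so they deserve a helper's attention first.
    """
    by_key = defaultdict(list)
    for e in entries:
        by_key[(e["size"], e["stamp"])].append(e)
    clusters = []
    for (size, stamp), members in by_key.items():
        names = {m["path"].rsplit("\\", 1)[-1].lower() for m in members}
        if len(names) >= min_names:
            clusters.append({
                "size": size,
                "stamp": stamp,
                "attrs": sorted({m["attrs"] for m in members}),
                "paths": sorted(m["path"] for m in members),
            })
    return clusters


HJT_LINE_RE = re.compile(r"^(?P<section>[RO]\d{1,2}) - (?P<body>.+)$")
DANGLING_RE = re.compile(r"\((?:no file|file missing)\)$")


def dangling_hjt_entries(text):
    """HijackThis entries whose target file HijackThis could not find.

    These are registrations (toolbar, IE button, menu item) left behind by something removed or
    never fully installed; harmless on their own, but cleaning them first makes the log easier to read.
    """
    found = []
    for line in text.splitlines():
        m = HJT_LINE_RE.match(line.strip())
        if m and DANGLING_RE.search(m["body"]):
            found.append((m["section"], m["body"]))
    return found


if __name__ == "__main__":
    entries = parse_dllcompare(DLLCOMPARE_SAMPLE)
    print(f"{len(entries)} entries, {len(hidden_or_system(entries))} hidden/system")
    for c in identical_clusters(entries):
        print(f"cluster: {len(c['paths'])} files, {c['size']} bytes, written {c['stamp']}, attrs {c['attrs']}")
        for p in c["paths"]:
            print("   ", p)
    for section, body in dangling_hjt_entries(HJT_SAMPLE):
        print(f"dangling {section}: {body}")
```

Run it as a script to print the flagged items. The hidden/system count it returns (8) matches the "(8 H/S)" summary DLLCompare itself printed, which is a cheap check that the parser read every entry. A size/timestamp cluster is a triage signal, not proof of infection: a legitimate installer can also drop several files in the same second, but it seldom gives them unrelated random names and sets the system and read-only bits on all of them, so the helper still confirms each file before anything is removed.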


#9 Buckeye_Sam

    Malware Expert

  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 17 May 2006 - 04:57 PM

Before we start I would like to advise you to only follow the directions of one helper at a time. I see you are getting help here also.

http://forums.majorgeeks.com/showthread.php?t=92186

Either follow the directions there from chaslang, or follow mine here, but don't try to do both.


===========


Uninstall these programs.

J2SE Runtime Environment 5.0 Update 1
J2SE Runtime Environment 5.0 Update 3
Spyware Nuker XT <-- this program is not recommended
VNC Free Edition 4.1.1 <-- keep this only if you are aware of its use



On the others that you couldn't remove, you can use Hijackthis to remove them from the Add/Remove list.
  • Run Hijackthis.
  • Click on "Open the Misc Tools section".
  • Next click on "Open uninstall manager".
  • Highlight the entry you want to remove and click Delete this entry.
We'll have to remove them manually, but let's get your malware issue resolved first.


============


Please download L2m9xfix here:
http://www.geekstogo.com/downloads/l2m9xfix.exe

Save it to the desktop and run it. Extract the files, and then open the l2m9xfix folder you just created and run RunThis.bat.

A window will open, and your desktop will disappear, then reappear. Please be patient until the batch says it is completed.

Then please restart your computer, and post the entire text of the log.txt file which should be in the same folder as RunThis.bat.


============


Are you using msconfig to control your startup items? If so, run msconfig once again and enable all startup items. Then reboot and post a new hijackthis log.

#10 stezieb
  • Topic Starter

  • Members
  • 16 posts

Posted 17 May 2006 - 05:19 PM

I will follow the directions from you.


I deleted those programs with the exception of VNC, because that's what I use to connect to my computer from work.

Here is the new HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 4:25:58 PM, on 5/17/06
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
C:\WINDOWS\SYSTEM\LEXBCES.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\PROGRAM FILES\FIREFOX.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\PROFILES\STEZIEB\DESKTOP\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
O3 - Toolbar: (no name) - {F0F8ECBE-D460-4B34-B007-56A92E8F84A7} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
O8 - Extra context menu item: Download by Free Download Manager - file://E:\Program files\Free Download Manager\dllink.htm
O8 - Extra context menu item: Download web site by Free Download Manager - file://E:\Program files\Free Download Manager\dlpage.htm
O8 - Extra context menu item: Download all by Free Download Manager - file://E:\Program files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected by Free Download Manager - file://E:\Program files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmwordtrans.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsimilar.html
O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate Page into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmtrans.html
O9 - Extra button: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - E:\Program files\EmpirePoker.exe (file missing)
O9 - Extra 'Tools' menuitem: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - E:\Program files\EmpirePoker.exe (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM\AIM.EXE
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/controls/msnchat45.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab




And the new programs list from HJT Misc Tools:

AC3Filter (remove only)
Ace DivX Player
Ad-Aware SE Professional
Adobe Atmosphere Player for Acrobat and Adobe Reader
Adobe Reader 6.0
America Online
AnalogX Rhyme
AOL Instant Messenger
Apollo DVD Copy 4.5.2
Ares 1.9.0
AVG Free Edition
AVI Codec Pack
Bug Doctor 3.0.3.3
CDBurnerXP Pro 3
Collab
Combined Community Codec Pack 9x 11/19/2005 (Remove Only)
Command Prompt Here
Crystal Player Professional 1.76
CueClub
Date Cracker 2000
DivX
DivX Player
D-Link VGA Webcam
DVC5.0 Driver
DVC5.1 Driver
ffdshow
FreshView
Google Toolbar for Internet Explorer
HighGrow
HijackThis 1.99.1
Hi-Speed USB-to-IDE Win98 Driver
IBP 8.1
Intel® PRO/DSL Modem & Utilities
Internet Explorer Q891781
J2SE Runtime Environment 5.0 Update 6
Lexmark Z22-Z32 Series
LimeWire PRO 4.10.9
MA311 Device Driver and Configuration Utility
Macromedia Dreamweaver MX 2004
Macromedia Extension Manager
Macromedia Fireworks MX 2004
Macromedia Flash Player 8
Macromedia Shockwave Player
Microsoft Internet Explorer 6 SP1 and Internet Tools
Microsoft Office 2000 SR-1 Professional
Microsoft Outlook Express 6
Microsoft Reader
Microsoft Web Publishing Wizard 1.6
Microsoft XML Parser and SDK
Mozilla Firefox (1.5.0.3)
MSN Messenger 7.0
nAVI Vx3 MPEG-4 Codec
Nero Fast CD-Burning Plug-in
Nimo Codecs Pack v5.0 (Remove Only)
RAMpage
Real Alternative 1.47
Samsung DVC Media 5.1
setup (Remove only)
Sony ACID Pro 4.0f
Spybot - Search & Destroy 1.4
StartUp Manager
Tweak UI
Unofficial Windows98 SE Service Pack 2.0.2 (Remove Only)
USB Product Driver v2.12r016
VNC Free Edition 4.1.1
Windows 98 KB891711 Update
Windows 98 KB908519 Update
Windows 98 Q823559 Update
Windows 98 Q888113 Update
Windows Media Player system update (9 Series)
WinRAR archiver
XviD 1.1 final uninstall
Yatcee! by Max v4.1

Edited by stezieb, 17 May 2006 - 05:28 PM.


#11 Buckeye_Sam

    Malware Expert

  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 17 May 2006 - 05:23 PM

Good. We should have you fixed up in no time. :thumbsup:

Please post back with the requested logs once you've had a chance to run through the steps in my last post.

#12 stezieb
Topic Starter, Members, 16 posts

Posted 17 May 2006 - 05:39 PM

My HJT process list after I enabled everything through MSConfig:

Process list saved on 4:56:52 PM, on 5/17/06
Platform: Windows 98 SE (Win9x 4.10.2222A)

[pid] [full path to filename] [file version] [company name]
-3158235 C:\WINDOWS\SYSTEM\KERNEL32.DLL 4.10.0.2222 Microsoft Corporation
-1871 C:\WINDOWS\SYSTEM\MSGSRV32.EXE 4.10.0.2222 Microsoft Corporation
-28735 C:\WINDOWS\SYSTEM\MPREXE.EXE 4.10.0.1998 Microsoft Corporation
-27135 C:\WINDOWS\SYSTEM\mmtask.tsk 4.3.0.1998 Microsoft Corporation
-101875 C:\WINDOWS\SYSTEM\MSTASK.EXE 4.71.1972.1 Microsoft Corporation
-130775 C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE 4.10.0.2223 Microsoft Corporation
-74483 C:\WINDOWS\EXPLORER.EXE 4.72.3110.1 Microsoft Corporation
-176279 C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE 7.1.0.381 GRISOFT, s.r.o.
-238983 C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE 7.1.0.371 GRISOFT, s.r.o.
-206711 C:\DEFENDER19A.EXE 1.0.0.104 ─┬├╠└
-207267 C:\WINDOWS\SYSTEM\SPOOL32.EXE 4.10.0.1998 Microsoft Corporation
-199603 C:\WINDOWS\SYSTEM\LEXBCES.EXE 5.12.0.0 Lexmark International, Inc.
-258415 C:\WINDOWS\CFG32.EXE 1.0.0.1 (
-309103 C:\WINDOWS\SYSTEM\STIMON.EXE 4.10.0.2222 Microsoft Corporation
-304195 C:\WINDOWS\SYSTEM\RPCSS.EXE 4.71.2900.0 Microsoft Corporation
-296907 C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE 7.1.0.365 GRISOFT, s.r.o.
-376539 C:\WINDOWS\TOMW\FAST.EXE
-571151 C:\WINDOWS\CFG32A.EXE 1.0.0.1 (
-237435 C:\WINDOWS\SYSTEM\RNAAPP.EXE 4.10.0.2222 Microsoft Corporation
-492931 C:\WINDOWS\SYSTEM\TAPISRV.EXE 4.10.0.2222 Microsoft Corporation
-209391 C:\WINDOWS\PROFILES\STEZIEB\DESKTOP\HIJACKTHIS.EXE 1.99.0.1 Soeperman Enterprises Ltd.
-253711 C:\WINDOWS\SYSTEM\PSTORES.EXE 5.0.1877.3 Microsoft Corporation


DLLs loaded by process C:\WINDOWS\SYSTEM\KERNEL32.DLL:

[full path to filename] [file version] [company name]
C:\WINDOWS\SYSTEM\USER32.DLL 4.10.0.2222 Microsoft Corporation
C:\WINDOWS\SYSTEM\GDI32.DLL 4.10.0.1998 Microsoft Corporation
C:\WINDOWS\SYSTEM\ADVAPI32.DLL 4.80.0.1675 Microsoft Corporation
C:\WINDOWS\SYSTEM\KERNEL32.DLL 4.10.0.2222 Microsoft Corporation


New HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 4:59:47 PM, on 5/17/06
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\DEFENDER19A.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\LEXBCES.EXE
C:\WINDOWS\CFG32.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\WINDOWS\TOMW\FAST.EXE
C:\WINDOWS\CFG32A.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\PROGRAM FILES\FIREFOX.EXE
C:\WINDOWS\PROFILES\STEZIEB\DESKTOP\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: CExtension Object - {0019C3E2-DD48-4A6D-ABCD-8D32436323D9} - C:\WINDOWS\CFG32P.DLL
O2 - BHO: Scaggy Insert - {C68AE9C0-0909-4DDC-B661-C1AFB9F59898} - C:\WINDOWS\CFG32O.DLL
O2 - BHO: CFG32S - {7564B020-44E8-4c9b-A887-C6EC41AC67DA} - C:\WINDOWS\CFG32R.DLL
O3 - Toolbar: (no name) - {F0F8ECBE-D460-4B34-B007-56A92E8F84A7} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Search - {669695BC-A811-4A9D-8CDF-BA8C795F261C} - C:\WINDOWS\CFG32S.DLL
O4 - HKLM\..\Run: [PCI TV Card Remote Control Applet] C:\WINDOWS\878RMT.EXE
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
O4 - HKLM\..\Run: [VVSN] C:\PROGRAM FILES\VVSN\VVSN.EXE
O4 - HKLM\..\Run: [InternetK] E:\PROGRAM FILES\NVSR32.EXE
O4 - HKLM\..\Run: [LexStart] Lexstart.exe
O4 - HKLM\..\Run: [LexmarkPrinTray] PrinTray.exe
O4 - HKLM\..\Run: [DVDTray] "C:\Program Files\HP DVD\Umbrella\DVDTray.exe"
O4 - HKLM\..\Run: [RAMpage] "C:\Program Files\RAMpage\RAMpage.exe" U=3 M=20 T=10 A D=N P="C:\Program Files\RAMpage\RAMpageConfig.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [webHancer Agent] C:\Program Files\webHancer\Programs\whagent.exe
O4 - HKLM\..\Run: [webHancer Survey Companion] C:\Program Files\webHancer\Programs\whsurvey.exe
O4 - HKLM\..\Run: [defender] C:\\DEFENDER19A.exe
O4 - HKLM\..\Run: [keyboard] C:\\KEYBOARD19.exe
O4 - HKLM\..\Run: [newname] C:\\NEWNAME19.exe
O4 - HKLM\..\Run: [Configuration Manager] C:\WINDOWS\cfg32.exe
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
O4 - HKLM\..\RunServices: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakLogon
O4 - HKLM\..\RunServices: [WinVNC4] "C:\PROGRAM FILES\REALVNC\VNC4\WINVNC4.EXE" -noconsole -service
O4 - HKCU\..\Run: [NBJ] "E:\MY DOCUMENTS\NERO BACKITUP\NBJ.EXE"
O4 - HKCU\..\Run: [msnmsgr] "C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE" /background
O4 - HKCU\..\Run: [AIM] C:\PROGRAM FILES\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRAM FILES\YAHOO!\MESSENGER\YAHOOMESSENGER.EXE" -quiet
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - HKCU\..\Run: [Shell] "C:\WINDOWS\SYSTEM\ibm00001.exe"
O4 - HKCU\..\Run: [Stto] "C:\WINDOWS\tomw\fast.exe" -vt yazr
O8 - Extra context menu item: Download by Free Download Manager - file://E:\Program files\Free Download Manager\dllink.htm
O8 - Extra context menu item: Download web site by Free Download Manager - file://E:\Program files\Free Download Manager\dlpage.htm
O8 - Extra context menu item: Download all by Free Download Manager - file://E:\Program files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected by Free Download Manager - file://E:\Program files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmwordtrans.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsimilar.html
O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate Page into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmtrans.html
O9 - Extra button: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - E:\Program files\EmpirePoker.exe (file missing)
O9 - Extra 'Tools' menuitem: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - E:\Program files\EmpirePoker.exe (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM\AIM.EXE
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/controls/msnchat45.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab


L2M9XFix log:

Log of L2M9XFix v1

************

Running from directory:
C:\Program Files\l2m9xfix

************

Files found:

C:\WINDOWS\system\CGUINF32.DLL
C:\WINDOWS\system\CGUINF32.DLL
C:\WINDOWS\system\eecapi.dll
C:\WINDOWS\system\eecapi.dll
C:\WINDOWS\system\mtvcr70.dll
C:\WINDOWS\system\mtvcr70.dll
C:\WINDOWS\system\OA519USD.DLL
C:\WINDOWS\system\OA519USD.DLL
C:\WINDOWS\system\pigfilt.dll
C:\WINDOWS\system\pigfilt.dll
C:\WINDOWS\system\RZDI.DLL
C:\WINDOWS\system\RZDI.DLL
C:\WINDOWS\system\SJSINV.DLL
C:\WINDOWS\system\SJSINV.DLL

************

Registry entries found:



************

Killing Explorer
Done!

Killing Rundll32
Done!

Removing malicious CLSID(s)
Done!

Restarting Explorer
Done!

Deleting malicious files
Done!


Finished!

Edited by stezieb, 17 May 2006 - 06:02 PM.


#13 stezieb
Topic Starter, Members, 16 posts

Posted 17 May 2006 - 06:05 PM

Let me clearly state all my symptoms as of right now:

- Pop-ups
- No desktop image: it was removed and I can't put it back
- Power management isn't saving: after 15 min my monitor turns off; I changed the setting, but it still turns off after 15 min of no activity
- ibm00001.exe at startup
(Cannot find the file 'ibm00001.exe' [or one of its components]. Make sure the path and filename are correct and that all required libraries are available.)

Edited by stezieb, 17 May 2006 - 06:07 PM.


#14 Buckeye_Sam
Malware Expert, Members, 17,382 posts, Pickerington, Ohio

Posted 17 May 2006 - 06:40 PM

The popups indicate malware, which is not clearly present in your log. Our first priority is to remove the malware on your computer, then we'll come back and address any additional problems that you are still having once you are clean.


Run HijackThis again, click Scan, and put a checkmark next to each of the lines listed below. Then close all other windows--you should only see HijackThis on your Desktop--and click the Fix Checked button.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: CExtension Object - {0019C3E2-DD48-4A6D-ABCD-8D32436323D9} - C:\WINDOWS\CFG32P.DLL
O2 - BHO: Scaggy Insert - {C68AE9C0-0909-4DDC-B661-C1AFB9F59898} - C:\WINDOWS\CFG32O.DLL
O2 - BHO: CFG32S - {7564B020-44E8-4c9b-A887-C6EC41AC67DA} - C:\WINDOWS\CFG32R.DLL
O3 - Toolbar: (no name) - {F0F8ECBE-D460-4B34-B007-56A92E8F84A7} - (no file)
O3 - Toolbar: Search - {669695BC-A811-4A9D-8CDF-BA8C795F261C} - C:\WINDOWS\CFG32S.DLL
O4 - HKLM\..\Run: [VVSN] C:\PROGRAM FILES\VVSN\VVSN.EXE
O4 - HKLM\..\Run: [InternetK] E:\PROGRAM FILES\NVSR32.EXE
O4 - HKLM\..\Run: [webHancer Agent] C:\Program Files\webHancer\Programs\whagent.exe
O4 - HKLM\..\Run: [webHancer Survey Companion] C:\Program Files\webHancer\Programs\whsurvey.exe
O4 - HKLM\..\Run: [defender] C:\\DEFENDER19A.exe
O4 - HKLM\..\Run: [keyboard] C:\\KEYBOARD19.exe
O4 - HKLM\..\Run: [newname] C:\\NEWNAME19.exe
O4 - HKLM\..\Run: [Configuration Manager] C:\WINDOWS\cfg32.exe
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - HKCU\..\Run: [Shell] "C:\WINDOWS\SYSTEM\ibm00001.exe"
O9 - Extra button: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - E:\Program files\EmpirePoker.exe (file missing)
O9 - Extra 'Tools' menuitem: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - E:\Program files\EmpirePoker.exe (file missing)



==========


Please download the Killbox by Option^Explicit.

Note: In the event you already have Killbox, this is a new version that I need you to download.
  • Save it to your desktop.
  • Please double-click Killbox.exe to run it.
  • Select:
    • Delete on Reboot
    • then Click on the All Files button.
  • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):



    C:\WINDOWS\CFG32P.DLL
    C:\WINDOWS\CFG32O.DLL
    C:\WINDOWS\CFG32R.DLL
    C:\WINDOWS\CFG32S.DLL
    C:\PROGRAM FILES\VVSN\VVSN.EXE
    E:\PROGRAM FILES\NVSR32.EXE
    C:\Program Files\webHancer\Programs\whagent.exe
    C:\Program Files\webHancer\Programs\whsurvey.exe
    C:\\DEFENDER19A.exe
    C:\\KEYBOARD19.exe
    C:\\NEWNAME19.exe
    C:\WINDOWS\cfg32.exe
    C:\winstall.exe
    C:\WINDOWS\SYSTEM\ibm00001.exe
    C:\WINDOWS\SYSTEM\ibm00001.dll
    C:\WINDOWS\SYSTEM\ibm00002.exe
    C:\WINDOWS\SYSTEM\ibm00002.dll



  • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
  • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).
If your computer does not restart automatically, please restart it manually.

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run Killbox, click here to download and run missingfilesetup.exe. Then try Killbox again.



============


Please go HERE to run Panda's ActiveScan
  • Once you are on the Panda site click the Scan your PC button
  • A new window will open...click the Check Now button
  • Enter your Country
  • Enter your State/Province
  • Enter your e-mail address and click send
  • Select either Home User or Company
  • Click the big Scan Now button
  • If it wants to install an ActiveX component allow it
  • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
  • When download is complete, click on My Computer to start the scan
  • When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location. Post the contents of the ActiveScan report along with a new hijackthis log.



========================================================

#15 stezieb
Topic Starter, Members, 16 posts

Posted 18 May 2006 - 12:06 AM

So far I've fixed the errors in HJT and deleted what you told me with Killbox. I'm awaiting the Panda scan results now. When I hit Ctrl+Alt+Del, "Stimon" is in my list of active programs, ever since I enabled everything on startup with MSConfig. That's all for now; I will post a new HJT log when Panda finishes.

Thanks
StezieB


Panda Log:

Incident Status Location

Adware:Adware/PurityScan Not disinfected c:\windows\tomw\fast.exe
Adware:adware/centim Not disinfected C:\WINDOWS\TEMP\mute41.exe
Adware:adware/purityscan Not disinfected C:\WINDOWS\TEMP\!update.exe
Adware:adware/secure32 Not disinfected c:\program files\secure32.html
Adware:adware/dollarrevenue Not disinfected c:\keyboard19.exe
Adware:adware/cws.searchmeup Not disinfected c:\windows\uniq
Adware:adware/powerstrip Not disinfected Windows Registry
Adware:adware/bookedspace Not disinfected Windows Registry
Adware:adware/stiebar Not disinfected Windows Registry
Adware:adware/gator Not disinfected Windows Registry
Spyware:Cookie/Tribalfusion Not disinfected C:\WINDOWS\Profiles\Stezieb\Application Data\Mozilla\Firefox\Profiles\oai02agi.default\cookies.txt[.tribalfusion.com/]
Spyware:Cookie/Atlas DMT Not disinfected C:\WINDOWS\Profiles\Stezieb\Application Data\Mozilla\Firefox\Profiles\oai02agi.default\cookies.txt[.atdmt.com/]
Spyware:Cookie/Mediaplex Not disinfected C:\WINDOWS\Profiles\Stezieb\Application Data\Mozilla\Firefox\Profiles\oai02agi.default\cookies.txt[.mediaplex.com/]
Spyware:Cookie/FastClick Not disinfected C:\WINDOWS\Profiles\Stezieb\Application Data\Mozilla\Firefox\Profiles\oai02agi.default\cookies.txt[.fastclick.net/]
Spyware:Cookie/Traffic Marketplace Not disinfected C:\WINDOWS\Profiles\Stezieb\Application Data\Mozilla\Firefox\Profiles\oai02agi.default\cookies.txt[.trafficmp.com/]
Spyware:Cookie/Casalemedia Not disinfected C:\WINDOWS\Profiles\Stezieb\Application Data\Mozilla\Firefox\Profiles\oai02agi.default\cookies.txt[.casalemedia.com/]
Spyware:Cookie/Advertising Not disinfected C:\WINDOWS\Profiles\Stezieb\Application Data\Mozilla\Firefox\Profiles\oai02agi.default\cookies.txt[.advertising.com/]
Spyware:Cookie/Doubleclick Not disinfected C:\WINDOWS\Profiles\Stezieb\Application Data\Mozilla\Firefox\Profiles\oai02agi.default\cookies.txt[.doubleclick.net/]
Spyware:Cookie/Advertising Not disinfected C:\WINDOWS\Profiles\Stezieb\Application Data\Mozilla\Firefox\Profiles\oai02agi.default\cookies.txt[.advertising.com/]
Spyware:Cookie/YieldManager Not disinfected C:\WINDOWS\Profiles\Stezieb\Application Data\Mozilla\Firefox\Profiles\oai02agi.default\cookies.txt[ad.yieldmanager.com/]
Spyware:Cookie/RealMedia Not disinfected C:\WINDOWS\Profiles\Stezieb\Application Data\Mozilla\Firefox\Profiles\oai02agi.default\cookies.txt[.realmedia.com/]
Spyware:Cookie/2o7 Not disinfected C:\WINDOWS\Profiles\Stezieb\Application Data\Mozilla\Firefox\Profiles\oai02agi.default\cookies.txt[.2o7.net/]
Spyware:Cookie/QkSrv Not disinfected C:\WINDOWS\Profiles\Stezieb\Application Data\Mozilla\Firefox\Profiles\oai02agi.default\cookies.txt[.qksrv.net/]
Spyware:Cookie/Apmebf Not disinfected C:\WINDOWS\Profiles\Stezieb\Application Data\Mozilla\Firefox\Profiles\oai02agi.default\cookies.txt[.apmebf.com/]
Spyware:Cookie/Hitbox Not disinfected C:\WINDOWS\Profiles\Stezieb\Application Data\Mozilla\Firefox\Profiles\oai02agi.default\cookies.txt[.hitbox.com/]
Spyware:Cookie/Zedo Not disinfected C:\WINDOWS\Profiles\Stezieb\Application Data\Mozilla\Firefox\Profiles\oai02agi.default\cookies.txt[.zedo.com/]
Spyware:Cookie/QuestionMarket Not disinfected C:\WINDOWS\Profiles\Stezieb\Application Data\Mozilla\Firefox\Profiles\oai02agi.default\cookies.txt[.questionmarket.com/]
Spyware:Cookie/Adserver Not disinfected C:\WINDOWS\Profiles\Stezieb\Application Data\Mozilla\Firefox\Profiles\oai02agi.default\cookies.txt[.z1.adserver.com/]
Spyware:Cookie/Statcounter Not disinfected C:\WINDOWS\Profiles\Stezieb\Application Data\Mozilla\Firefox\Profiles\oai02agi.default\cookies.txt[.statcounter.com/]
Spyware:Cookie/Yadro Not disinfected C:\WINDOWS\Profiles\Stezieb\Application Data\Mozilla\Firefox\Profiles\oai02agi.default\cookies.txt[.yadro.ru/]
Spyware:Cookie/WUpd Not disinfected C:\WINDOWS\Profiles\Stezieb\Application Data\Mozilla\Firefox\Profiles\oai02agi.default\cookies.txt[.revenue.net/]
Spyware:Cookie/BurstNet Not disinfected C:\WINDOWS\Profiles\Stezieb\Application Data\Mozilla\Firefox\Profiles\oai02agi.default\cookies.txt[.burstnet.com/]
Spyware:Cookie/Tradedoubler Not disinfected C:\WINDOWS\Profiles\Stezieb\Application Data\Mozilla\Firefox\Profiles\oai02agi.default\cookies.txt[.tradedoubler.com/]
Spyware:Cookie/Overture Not disinfected C:\WINDOWS\Profiles\Stezieb\Application Data\Mozilla\Firefox\Profiles\oai02agi.default\cookies.txt[.perf.overture.com/]
Spyware:Cookie/Falkag Not disinfected C:\WINDOWS\Profiles\Stezieb\Application Data\Mozilla\Firefox\Profiles\oai02agi.default\cookies.txt[.as-us.falkag.net/]
Spyware:Cookie/Serving-sys Not disinfected C:\WINDOWS\Profiles\Stezieb\Application Data\Mozilla\Firefox\Profiles\oai02agi.default\cookies.txt[.serving-sys.com/]
Spyware:Cookie/Com.com Not disinfected C:\WINDOWS\Profiles\Stezieb\Application Data\Mozilla\Firefox\Profiles\oai02agi.default\cookies.txt[.com.com/]
Spyware:Cookie/Atlas DMT Not disinfected C:\WINDOWS\Profiles\Stezieb\Cookies\stezieb@atdmt[2].txt
Spyware:Cookie/Hitbox Not disinfected C:\WINDOWS\Profiles\Stezieb\Cookies\stezieb@hitbox[1].txt
Spyware:Cookie/Hbmediapro Not disinfected C:\WINDOWS\Profiles\Stezieb\Cookies\stezieb@adopt.hbmediapro[2].txt
Spyware:Cookie/Mediaplex Not disinfected C:\WINDOWS\Profiles\Stezieb\Cookies\stezieb@mediaplex[2].txt
Spyware:Cookie/Tribalfusion Not disinfected C:\WINDOWS\Profiles\Stezieb\Cookies\stezieb@tribalfusion[1].txt
Spyware:Cookie/Com.com Not disinfected C:\WINDOWS\Profiles\Stezieb\Cookies\stezieb@google.com[2].txt
Spyware:Cookie/888 Not disinfected C:\WINDOWS\Profiles\Stezieb\Cookies\stezieb@888[1].txt
Spyware:Cookie/Falkag Not disinfected C:\WINDOWS\Profiles\Stezieb\Cookies\stezieb@as-us.falkag[1].txt
Spyware:Cookie/Atwola Not disinfected C:\WINDOWS\Profiles\Stezieb\Cookies\stezieb@atwola[1].txt
Spyware:Cookie/Zedo Not disinfected C:\WINDOWS\Profiles\Stezieb\Cookies\stezieb@zedo[1].txt
Spyware:Cookie/Doubleclick Not disinfected C:\WINDOWS\Profiles\Stezieb\Cookies\stezieb@doubleclick[1].txt
Spyware:Cookie/RealMedia Not disinfected C:\WINDOWS\Profiles\Stezieb\Cookies\stezieb@realmedia[1].txt
Spyware:Cookie/Falkag Not disinfected C:\WINDOWS\Profiles\Stezieb\Cookies\stezieb@as-eu.falkag[2].txt
Spyware:Cookie/WebtrendsLive Not disinfected C:\WINDOWS\Profiles\Stezieb\Cookies\stezieb@statse.webtrendslive[2].txt
Spyware:Cookie/Bluestreak Not disinfected C:\WINDOWS\Profiles\Stezieb\Cookies\stezieb@bluestreak[2].txt
Spyware:Cookie/YieldManager Not disinfected C:\WINDOWS\Profiles\Stezieb\Cookies\stezieb@ad.yieldmanager[2].txt
Adware:Adware/Webdir Not disinfected C:\WINDOWS\VirtualDNS.dll
Adware:Adware/Look2Me Not disinfected C:\Program Files\l2m9xfix\backups\CGUINF32.DLL
Adware:Adware/Look2Me Not disinfected C:\Program Files\l2m9xfix\backups\eecapi.dll
Adware:Adware/Look2Me Not disinfected C:\Program Files\l2m9xfix\backups\mtvcr70.dll
Adware:Adware/Look2Me Not disinfected C:\Program Files\l2m9xfix\backups\OA519USD.DLL
Adware:Adware/Look2Me Not disinfected C:\Program Files\l2m9xfix\backups\pigfilt.dll
Adware:Adware/Look2Me Not disinfected C:\Program Files\l2m9xfix\backups\RZDI.DLL
Adware:Adware/Look2Me Not disinfected C:\Program Files\l2m9xfix\backups\SJSINV.DLL
Adware:Adware/PurityScan Not disinfected C:\Trelew.exe
Virus:Trj/Clicker.PZ Disinfected C:\defender19a.exe



New HJT log:
Logfile of HijackThis v1.99.1
Scan saved at 6:24:59 AM, on 5/18/06
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\WINDOWS\SYSTEM\LEXBCES.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\TOMW\FAST.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\PROFILES\STEZIEB\DESKTOP\HIJACKTHIS.EXE

O2 - BHO: Scaggy Insert - {C68AE9C0-0909-4DDC-B661-C1AFB9F59898} - C:\WINDOWS\CFG32O.DLL (file missing)
O2 - BHO: CExtension Object - {0019C3E2-DD48-4A6D-ABCD-8D32436323D9} - C:\WINDOWS\CFG32P.DLL (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Search - {669695BC-A811-4A9D-8CDF-BA8C795F261C} - C:\WINDOWS\CFG32S.DLL (file missing)
O4 - HKLM\..\Run: [PCI TV Card Remote Control Applet] C:\WINDOWS\878RMT.EXE
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
O4 - HKLM\..\Run: [LexStart] Lexstart.exe
O4 - HKLM\..\Run: [LexmarkPrinTray] PrinTray.exe
O4 - HKLM\..\Run: [DVDTray] "C:\Program Files\HP DVD\Umbrella\DVDTray.exe"
O4 - HKLM\..\Run: [RAMpage] "C:\Program Files\RAMpage\RAMpage.exe" U=3 M=20 T=10 A D=N P="C:\Program Files\RAMpage\RAMpageConfig.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\Run: [Configuration Manager] C:\WINDOWS\cfg32.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
O4 - HKLM\..\RunServices: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakLogon
O4 - HKLM\..\RunServices: [WinVNC4] "C:\PROGRAM FILES\REALVNC\VNC4\WINVNC4.EXE" -noconsole -service
O4 - HKCU\..\Run: [NBJ] "E:\MY DOCUMENTS\NERO BACKITUP\NBJ.EXE"
O4 - HKCU\..\Run: [msnmsgr] "C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE" /background
O4 - HKCU\..\Run: [AIM] C:\PROGRAM FILES\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRAM FILES\YAHOO!\MESSENGER\YAHOOMESSENGER.EXE" -quiet
O4 - HKCU\..\Run: [Shell] "C:\WINDOWS\SYSTEM\ibm00001.exe"
O4 - HKCU\..\Run: [Stto] "C:\WINDOWS\tomw\fast.exe" -vt yazr
O8 - Extra context menu item: Download by Free Download Manager - file://E:\Program files\Free Download Manager\dllink.htm
O8 - Extra context menu item: Download web site by Free Download Manager - file://E:\Program files\Free Download Manager\dlpage.htm
O8 - Extra context menu item: Download all by Free Download Manager - file://E:\Program files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected by Free Download Manager - file://E:\Program files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmwordtrans.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsimilar.html
O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate Page into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmtrans.html
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM\AIM.EXE
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/controls/msnchat45.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab

Edited by stezieb, 18 May 2006 - 07:27 AM.
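Comparing the HijackThis scans posted before and after the Fix Checked/Killbox step can be done mechanically. The script below is an added example, not code from the thread, from HijackThis or from any tool named in it: it parses HJT 1.99.1 log lines, flags the kinds of entries the helper acted on (IE pages pointed at about:blank, hooks whose file is gone, autostarts and BHOs sitting in the drive or Windows root, mangled `C:\\` paths) and diffs two scans to list what survived the fix. The two sample logs are constructed from a subset of the lines posted in this thread; the heuristics are this example's own and will also flag some legitimate items in the Windows root, so they mark entries for a second look rather than deciding anything.

```python
"""Triage HijackThis 1.99.1 log entries and diff two scans of the same machine.
Added example, not part of the BleepingComputer thread or of HijackThis. The
heuristics mirror what the helper acted on: IE pages pointed at about:blank,
hooks whose file is gone, and autostarts or BHOs in the drive or Windows root."""
import re

LINE_RE = re.compile(r"^(R[0-3]|O\d+|F\d) - (.*)$")
O4_RE = re.compile(r"^HK(?:LM|CU)\\\.\.\\\w+: \[[^\]]*\] (.*)$")
MISSING_RE = re.compile(r"\s*\((?:no file|file missing)\)$")
# c:\foo.exe, c:\\foo.exe or c:\windows\foo.dll: not inside a program directory
ROOT_RE = re.compile(r"^(?:[a-z]:\\+|c:\\windows\\)[^\\]+\.(?:exe|dll|ocx)$")

def parse_hjt(text):
    """Return the (section, body) pairs of a HijackThis log, skipping the header."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries

def entry_key(section, body):
    """Normalize so the '(file missing)' a fix leaves behind still matches the original."""
    return "%s - %s" % (section, MISSING_RE.sub("", body))

def executable_path(command):
    """Extract the program path from an O4 command line, quoted or bare."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:command.find('"', 1)]
    m = re.match(r"(.*?\.(?:exe|cpl|dll))(?:\s|$)", command, re.I)
    return m.group(1) if m else command.split()[0]

def triage(section, body):
    """Reasons this entry deserves a second look; an empty list means unremarkable."""
    reasons = []
    if section in ("R0", "R1") and body.lower().endswith("= about:blank"):
        reasons.append("IE start/search page hijacked to about:blank")
    if MISSING_RE.search(body):
        reasons.append("registered component whose file is missing")
    clean = MISSING_RE.sub("", body)
    m = O4_RE.match(clean) if section == "O4" else None
    if m:
        path = executable_path(m.group(1)).lower()
        if "\\\\" in path:
            reasons.append("malformed double-backslash path")
        if ROOT_RE.match(path):
            reasons.append("autostart executable in drive or Windows root")
    elif section in ("O2", "O3"):
        # the last ' - ' field is the DLL/OCX the BHO or toolbar loads
        if ROOT_RE.match(clean.rsplit(" - ", 1)[-1].lower()):
            reasons.append("browser extension DLL in drive or Windows root")
    return reasons

def suspicious_entries(text):
    """All flagged entries of a log as (normalized key, reasons) pairs."""
    flagged = []
    for section, body in parse_hjt(text):
        reasons = triage(section, body)
        if reasons:
            flagged.append((entry_key(section, body), reasons))
    return flagged

def diff_logs(before_text, after_text):
    """Return (removed, persisted, added) entry keys between two scans."""
    before = {entry_key(s, b) for s, b in parse_hjt(before_text)}
    after = {entry_key(s, b) for s, b in parse_hjt(after_text)}
    return sorted(before - after), sorted(before & after), sorted(after - before)

# Constructed samples: a subset of the lines posted before and after the fix step.
BEFORE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: CExtension Object - {0019C3E2-DD48-4A6D-ABCD-8D32436323D9} - C:\WINDOWS\CFG32P.DLL
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [defender] C:\\DEFENDER19A.exe
O4 - HKLM\..\Run: [Configuration Manager] C:\WINDOWS\cfg32.exe
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - HKCU\..\Run: [Shell] "C:\WINDOWS\SYSTEM\ibm00001.exe"
O4 - HKCU\..\Run: [Stto] "C:\WINDOWS\tomw\fast.exe" -vt yazr
"""
AFTER_LOG = r"""
O2 - BHO: CExtension Object - {0019C3E2-DD48-4A6D-ABCD-8D32436323D9} - C:\WINDOWS\CFG32P.DLL (file missing)
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [Configuration Manager] C:\WINDOWS\cfg32.exe
O4 - HKCU\..\Run: [Shell] "C:\WINDOWS\SYSTEM\ibm00001.exe"
O4 - HKCU\..\Run: [Stto] "C:\WINDOWS\tomw\fast.exe" -vt yazr
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
"""

if __name__ == "__main__":
    for key, reasons in suspicious_entries(BEFORE_LOG):
        print("FLAG", key, "->", "; ".join(reasons))
    print("still present after the fix:", diff_logs(BEFORE_LOG, AFTER_LOG)[1])
```

The persisted list is the one to hand back to the helper: in the sample it still carries the Configuration Manager, Shell and Stto autostarts that the follow-up scan in the thread shows as well.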




