Help. My computer is hijacked by spyware!



#1 microjoe

Posted 29 June 2004 - 07:19 PM

Hello,

I'm new to spyware and this is my second post asking for help. My computer became hijacked about 2 weeks ago. My browser's homepage keeps getting redirected to res://(random)/index.html#909256038 sites. I'm also experiencing random popups in my browser.

I've tried Spybot, AdWare, and CWShredder to try and remove what has affected my system, but I am having no luck as it keeps coming back. It's been really frustrating, as I've been able to remove CWS in the past by using these programs. But I've been unable to remove this malware.

Below is my log file from HijackThis. I ran Spybot, Adware, and CWShredder before running HijackThis.

Thank you in advance for any help that is given. I really hope I can remove this malware and return to using my PC. I'm at the point where I'm considering reformatting my operating system.

Thank You,
Joe

Logfile of HijackThis v1.97.7
Scan saved at 8:07:54 PM, on 6/29/04
Platform: Windows 98 SE (Win9x 4.10.2222B)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\PROGRAM FILES\DANTZ\RETROSPECT\RETRORUN.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\COMMON FILES\AOL\ACS\ACSD.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\APPCH.EXE
C:\WINDOWS\MSZR32.EXE
C:\WINDOWS\APPSE32.EXE
C:\WINDOWS\IPNS.EXE
C:\WINDOWS\NTAW.EXE
C:\WINDOWS\MSJK.EXE
C:\WINDOWS\APIQW32.EXE
C:\WINDOWS\NETAH32.EXE
C:\WINDOWS\MFCLQ32.EXE
C:\WINDOWS\D3PC32.EXE
C:\WINDOWS\MSNH.EXE
C:\WINDOWS\NETNG32.EXE
C:\WINDOWS\D3CD32.EXE
C:\WINDOWS\SYSRH32.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\AHEAD\INCD\INCD.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
C:\PROGRAM FILES\COMPAQ\EASY ACCESS KEYBOARD\MMKEYBD.EXE
C:\PROGRAM FILES\GRIFFIN TECHNOLOGY\POWERMATE\POWERMATE.EXE
C:\PROGRAM FILES\MSI\PC ALERT III\ALERT.EXE
C:\PROGRAM FILES\BELKIN\NOSTROMO\NOST_LM.EXE
C:\PROGRAM FILES\LOGITECH\MOUSEWARE\SYSTEM\EM_EXEC.EXE
C:\PROGRAM FILES\COMPAQ\EASY ACCESS KEYBOARD\MEDIACTR.EXE
C:\PROGRAM FILES\AMERICA ONLINE 9.0\AOLTRAY.EXE
C:\PROGRAM FILES\COMPAQ\EASY ACCESS KEYBOARD\MMUSBKB2.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\AMERICA ONLINE 9.0\WAOL.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\PROGRAM FILES\AMERICA ONLINE 9.0\SHELLMON.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\AMERICA ONLINE 9.0\AOLWBSPD.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\APPDV.EXE
C:\WINDOWS\APPSE32.EXE
C:\WINDOWS\APPSE32.EXE
C:\WINDOWS\D3PP32.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\SYSDN.EXE
C:\WINDOWS\DESKTOP\SPYWARE PROTECTION\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system\aizzi.dll/sp.html#909256038
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://aizzi.dll/index.html#909256038
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://aizzi.dll/index.html#909256038
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system\aizzi.dll/sp.html#909256038
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://aizzi.dll/index.html#909256038
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system\aizzi.dll/sp.html#909256038
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by America Online
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\WINDOWS\DOWNLOADED PROGRAM FILES\YCOMP5_1_4_0.DLL (file missing)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: . - {D34F08C5-4F18-477c-86CB-1A9BEECFE37B} - C:\WINDOWS\APPLICATION DATA\WINWS\WINWS32.DLL (file missing)
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (file missing)
O2 - BHO: (no name) - {EF4B1BBF-9691-E915-81F6-F75B7DD313AA} - C:\WINDOWS\IETQ32.DLL (file missing)
O2 - BHO: (no name) - {932D21BB-436A-AA18-7EFE-9D87C425742E} - C:\WINDOWS\MSFL32.DLL
O2 - BHO: (no name) - {7F0FD938-6921-7913-8F78-2E42633C1214} - C:\WINDOWS\APPDV.DLL (file missing)
O2 - BHO: (no name) - {C35CE64A-7DBE-0086-D856-38BA516B061D} - C:\WINDOWS\SYSTEM\SDKUL32.DLL (file missing)
O2 - BHO: (no name) - {C4565FFB-AB90-5E4E-7B62-BABFEF4C0F01} - C:\WINDOWS\SYSTEM\SYSUP.DLL (file missing)
O2 - BHO: (no name) - {086D4C94-8795-3F3E-AD57-B413E97E121E} - C:\WINDOWS\SYSTEM\APPKE32.DLL (file missing)
O2 - BHO: (no name) - {964D529C-4AD1-46EA-0916-27A927C09E20} - C:\WINDOWS\SYSTEM\MSIG32.DLL (file missing)
O2 - BHO: (no name) - {16CEBA5B-9D6F-7367-1E63-C6B0897B9115} - C:\WINDOWS\SYSTEM\NETLE.DLL (file missing)
O2 - BHO: (no name) - {8C7FD412-6EB7-9CE5-AC5E-314514ACC679} - C:\WINDOWS\SYSTEM\APIOP32.DLL (file missing)
O2 - BHO: (no name) - {B227CE59-8A0E-F02D-5CF0-B626D4A07B84} - C:\WINDOWS\SYSTEM\NETRH32.DLL (file missing)
O2 - BHO: (no name) - {9916C962-3432-BB26-FEE6-D6D2AF827F16} - C:\WINDOWS\SYSTEM\MSPV.DLL
O2 - BHO: (no name) - {867653BB-CBDA-5ADF-86A5-ECF1FB3432E2} - C:\WINDOWS\NETUZ32.DLL (file missing)
O2 - BHO: (no name) - {2CFF8F86-4117-E570-DCB8-49CE5BB1B815} - C:\WINDOWS\APIKF32.DLL (file missing)
O2 - BHO: (no name) - {F69AA0DB-F421-F1A5-FE7E-80CCFBC0B008} - C:\WINDOWS\CRPO32.DLL (file missing)
O2 - BHO: (no name) - {BB1C7E31-AB2A-B10E-AD1C-F84A89B87AC1} - C:\WINDOWS\CRQR.DLL
O2 - BHO: (no name) - {081758B8-1464-68B8-A672-5A257F23165E} - C:\WINDOWS\SYSTEM\MFCIR.DLL (file missing)
O2 - BHO: (no name) - {3E8A3A27-AB09-911A-8D54-F1EB0E22B2DA} - C:\WINDOWS\SYSTEM\NTAJ32.DLL (file missing)
O2 - BHO: (no name) - {CB83EABE-042D-3AF0-E655-0127FF3EAB9D} - C:\WINDOWS\SYSTEM\NTBH32.DLL (file missing)
O2 - BHO: (no name) - {397ACE10-AC4F-6D02-B07D-9C18F19A967C} - C:\WINDOWS\SDKWJ.DLL (file missing)
O2 - BHO: (no name) - {596F7928-B559-04FA-CE93-E6ABE2FF819E} - C:\WINDOWS\SYSTEM\JAVATC.DLL (file missing)
O2 - BHO: (no name) - {AA1795A0-6BE1-73AF-E66B-ED071FF52D80} - C:\WINDOWS\MSWV32.DLL (file missing)
O2 - BHO: (no name) - {ECC25D05-F730-EBC1-878F-45873A6D522C} - C:\WINDOWS\SYSTEM\MSZM32.DLL (file missing)
O2 - BHO: (no name) - {0F33EAF3-17FC-8D05-C942-5D8C38B83233} - C:\WINDOWS\SYSTEM\IEXY32.DLL (file missing)
O2 - BHO: (no name) - {2FC683F4-4B40-99FD-E7FB-2D55A95BCDFF} - C:\WINDOWS\SYSEC32.DLL (file missing)
O2 - BHO: (no name) - {28A44E47-1962-F448-78C6-1A2589E5B9B5} - C:\WINDOWS\D3EW.DLL (file missing)
O2 - BHO: (no name) - {73A38BD5-8F30-6993-56A3-9373BD3E6E7B} - C:\WINDOWS\SYSTEM\MFCOR.DLL (file missing)
O2 - BHO: (no name) - {292E35CC-69D5-FB97-1ED9-C7DA8B132261} - C:\WINDOWS\SYSTEM\D3WA.DLL (file missing)
O2 - BHO: (no name) - {FF6D79FE-4452-C373-6850-EFD03145949C} - C:\WINDOWS\D3PE32.DLL (file missing)
O2 - BHO: (no name) - {A13A235C-EE8E-7F0F-35D2-BB318893F03A} - C:\WINDOWS\SYSTEM\MFCNH32.DLL
O2 - BHO: (no name) - {AAB84880-0463-A3A5-02AA-5E33BB02E2BE} - C:\WINDOWS\SYSTEM\SYSDR32.DLL (file missing)
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\WINDOWS\DOWNLOADED PROGRAM FILES\YCOMP5_1_4_0.DLL (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET
O4 - HKLM\..\Run: [EASY ACCESS KEYBOARD] C:\Program Files\Compaq\Easy Access Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [Logitech Utility] LOGI_MWX.EXE
O4 - HKLM\..\Run: [PowerMate] C:\Program Files\Griffin Technology\PowerMate\PowerMate.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [RunAlert] C:\Program Files\MSI\PC Alert III\AService.exe
O4 - HKLM\..\RunServices: [Retrospect Launcher] C:\PROGRAM FILES\DANTZ\RETROSPECT\RETRORUN.EXE
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [AolAcsDaemon1] "C:\PROGRAM FILES\COMMON FILES\AOL\ACS\ACSD.EXE"
O4 - HKLM\..\RunServices: [APPCH.EXE] C:\WINDOWS\APPCH.EXE
O4 - HKLM\..\RunServices: [D3PC32.EXE] C:\WINDOWS\D3PC32.EXE
O4 - HKLM\..\RunServices: [NETAH32.EXE] C:\WINDOWS\NETAH32.EXE
O4 - HKLM\..\RunServices: [APPUP.EXE] C:\WINDOWS\SYSTEM\APPUP.EXE
O4 - HKLM\..\RunServices: [NETNG32.EXE] C:\WINDOWS\NETNG32.EXE
O4 - HKLM\..\RunServices: [MSJK.EXE] C:\WINDOWS\MSJK.EXE
O4 - HKLM\..\RunServices: [D3FJ32.EXE] C:\WINDOWS\SYSTEM\D3FJ32.EXE
O4 - HKLM\..\RunServices: [JAVALU.EXE] C:\WINDOWS\SYSTEM\JAVALU.EXE
O4 - HKLM\..\RunServices: [MSNH.EXE] C:\WINDOWS\MSNH.EXE
O4 - HKLM\..\RunServices: [IPNS.EXE] C:\WINDOWS\IPNS.EXE
O4 - HKLM\..\RunServices: [SDKMI.EXE] C:\WINDOWS\SYSTEM\SDKMI.EXE
O4 - HKLM\..\RunServices: [IELI32.EXE] C:\WINDOWS\SYSTEM\IELI32.EXE
O4 - HKLM\..\RunServices: [NTAW.EXE] C:\WINDOWS\NTAW.EXE
O4 - HKLM\..\RunServices: [APPSE32.EXE] C:\WINDOWS\APPSE32.EXE
O4 - HKLM\..\RunServices: [WINMM32.EXE] C:\WINDOWS\SYSTEM\WINMM32.EXE
O4 - HKLM\..\RunServices: [APIQW32.EXE] C:\WINDOWS\APIQW32.EXE
O4 - HKLM\..\RunServices: [MFCLQ32.EXE] C:\WINDOWS\MFCLQ32.EXE
O4 - HKLM\..\RunServices: [CRVM32.EXE] C:\WINDOWS\SYSTEM\CRVM32.EXE
O4 - HKLM\..\RunServices: [MFCQO32.EXE] C:\WINDOWS\SYSTEM\MFCQO32.EXE
O4 - HKLM\..\RunServices: [MSZR32.EXE] C:\WINDOWS\MSZR32.EXE
O4 - HKLM\..\RunServices: [CRFC.EXE] C:\WINDOWS\SYSTEM\CRFC.EXE
O4 - HKLM\..\RunServices: [WINLI32.EXE] C:\WINDOWS\SYSTEM\WINLI32.EXE
O4 - HKLM\..\RunServices: [SYSRH32.EXE] C:\WINDOWS\SYSRH32.EXE
O4 - HKLM\..\RunServices: [D3CD32.EXE] C:\WINDOWS\D3CD32.EXE
O4 - HKLM\..\RunServices: [NETAN.EXE] C:\WINDOWS\SYSTEM\NETAN.EXE
O4 - HKLM\..\RunServices: [D3PP32.EXE] C:\WINDOWS\D3PP32.EXE
O4 - HKLM\..\RunServices: [SYSDN.EXE] C:\WINDOWS\SYSTEM\SYSDN.EXE
O4 - Startup: PC Alert III.lnk = C:\Program Files\MSI\PC Alert III\alert.exe
O4 - Startup: Loadout Manager.lnk = C:\Program Files\Belkin\Nostromo\nost_LM.exe
O4 - Startup: EPSON Background Monitor.lnk = C:\ESM2\Stms.exe
O4 - Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsearch.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsimilar.html
O8 - Extra context menu item: Backward &Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmtrans.html
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: ATI TV (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O14 - IERESET.INF: START_PAGE_URL=http://www.aol.com
O16 - DPF: {4E330863-6A11-11D0-BFD8-006097237877} (InstallFromTheWeb ActiveX Control) - http://tw.msi.com.tw...nt/iftwclix.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A} (WTHoster Class) - http://www.wildtange...ic/wtwdinst.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (Yahoo! Companion) - http://us.dl1.yimg.c...ebio5_1_4_0.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com...ex/qtplugin.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...ector/swdir.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...8050.6302314815
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://antu.popcap.c...aploader_v5.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = aoldsl.net

#2 RubbeR DuckY

Posted 29 June 2004 - 07:25 PM

Visit this page http://www.ducky.atribune.org . Download About:Buster and save it to your desktop. Then start up HijackThis. Tick the boxes next to these items:

All random 'O2's' and '(file missing)' entries, and all 'RunServices' entries.

Then close all windows and hit Fix Checked. Start About:Buster. On the first prompt hit OK, then Start, then OK again. It will run a while. Once it is done there will be a log in the white box. Save that log somewhere. Restart your computer. Post a new HijackThis log and the Buster log.
Marcin Kleczynski
Chief Executive Officer
Malwarebytes Corporation
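
The triage rules in the reply above (random O2 BHO entries, "(file missing)" entries, and RunServices entries that load the hijacker's executables) can be applied mechanically to a HijackThis log. The script below is an added example written for this page; it is not About:Buster, HijackThis, or any code from the forum. The sample log lines are constructed from the entries posted in this thread, and the "random, system-like filename" pattern (prefixes such as MS, NET, APP, SYS plus two or three letters and an optional 32) is a heuristic read off those entries, not a published signature.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample: a few lines in HijackThis v1.97 format, modelled on the log
# posted in this thread, mixed with legitimate entries (Adobe, Google, Norton,
# SchedulingAgent) so the triage rules have something to leave alone.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://aizzi.dll/index.html#909256038
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by America Online
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {EF4B1BBF-9691-E915-81F6-F75B7DD313AA} - C:\WINDOWS\IETQ32.DLL (file missing)
O2 - BHO: (no name) - {932D21BB-436A-AA18-7EFE-9D87C425742E} - C:\WINDOWS\MSFL32.DLL
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [APPCH.EXE] C:\WINDOWS\APPCH.EXE
O4 - HKLM\..\RunServices: [NETAH32.EXE] C:\WINDOWS\NETAH32.EXE
"""

# Shape of the filenames in the posted log: a system-sounding prefix, two or three
# random letters, and often a "32" suffix (IETQ32.DLL, MSFL32.DLL, APPCH.EXE,
# NETAH32.EXE). Assumption: the prefix list is read off this thread's log only;
# the 2-3 letter limit keeps real names such as mstask.exe or systray.exe out.
RANDOM_NAME = re.compile(
    r"^(?:APP|API|MS|NET|SYS|SDK|MFC|IE|NT|IP|WIN|JAVA|CR|D3)[A-Z]{2,3}(?:32)?\.(?:DLL|EXE)$",
    re.IGNORECASE,
)


@dataclass
class Finding:
    section: str  # HijackThis section code: R0, R1, O2, O4
    reason: str
    line: str


def basename(path: str) -> str:
    """Last path component, without quotes, arguments or the '(file missing)' marker."""
    return path.strip('"').rsplit("\\", 1)[-1].split(" ")[0].strip('"')


def triage(log_text: str) -> list[Finding]:
    """Apply the helper's triage rules from this thread to a HijackThis log."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        code = line.split(" ", 1)[0]

        if code in ("R0", "R1") and "res://" in line and ".dll/" in line.lower():
            # Start/search page pointing at an HTML page stored inside a DLL: the
            # hijack visible in the posted log (About:Buster resets these pages).
            findings.append(Finding(code, "IE page redirected to a res:// DLL resource", line))

        elif code == "O2":
            path = line.rsplit(" - ", 1)[-1]
            if "(file missing)" in line:
                findings.append(Finding(code, "BHO registered for a file that no longer exists", line))
            elif RANDOM_NAME.match(basename(path)):
                findings.append(Finding(code, "BHO with a random, system-like filename", line))

        elif code == "O4" and "RunServices:" in line:
            m = re.search(r"\[([^\]]+)\]\s+(.*)$", line)
            if not m:
                continue
            name, exe = m.group(1), basename(m.group(2))
            reasons = []
            if name.upper() == exe.upper():
                # The hijacker registers each executable under its own filename;
                # legitimate entries in the log carry a descriptive name instead.
                reasons.append("entry named after its own executable")
            if RANDOM_NAME.match(exe):
                reasons.append("random, system-like filename")
            if reasons:
                findings.append(Finding(code, "RunServices: " + "; ".join(reasons), line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section}: {f.reason}\n    {f.line}")
```

On the constructed sample this flags the res:// start page, the two suspicious BHOs and the two self-named RunServices entries, and leaves the Adobe, Google, Norton and SchedulingAgent lines alone. The reply above says to tick every RunServices entry; the self-named check is a narrower reading that separates the hijacker's entries from the legitimate services in the same section.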

#3 microjoe

Posted 30 June 2004 - 07:59 PM

Hello Rubber Ducky,
Thanks for the response. I appreciate the help you've given. I followed your instructions, but it looks like the spyware still hasn't been removed. I've attached my new HijackThis log and Buster log below. Did I miss something?

Do you have any other suggestions to help?

Thanks again,
Joe S


Logfile of HijackThis v1.97.7
Scan saved at 8:47:34 PM, on 6/30/04
Platform: Windows 98 SE (Win9x 4.10.2222B)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\AHEAD\INCD\INCD.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\COMPAQ\EASY ACCESS KEYBOARD\MMKEYBD.EXE
C:\PROGRAM FILES\GRIFFIN TECHNOLOGY\POWERMATE\POWERMATE.EXE
C:\PROGRAM FILES\MSI\PC ALERT III\ALERT.EXE
C:\PROGRAM FILES\BELKIN\NOSTROMO\NOST_LM.EXE
C:\PROGRAM FILES\COMPAQ\EASY ACCESS KEYBOARD\MEDIACTR.EXE
C:\PROGRAM FILES\LOGITECH\MOUSEWARE\SYSTEM\EM_EXEC.EXE
C:\PROGRAM FILES\AMERICA ONLINE 9.0\AOLTRAY.EXE
C:\PROGRAM FILES\COMPAQ\EASY ACCESS KEYBOARD\MMUSBKB2.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\AMERICA ONLINE 9.0\WAOL.EXE
C:\PROGRAM FILES\COMMON FILES\AOL\ACS\ACSD.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\PROGRAM FILES\AMERICA ONLINE 9.0\SHELLMON.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\AMERICA ONLINE 9.0\AOLWBSPD.EXE
C:\WINDOWS\APPDV.EXE
C:\WINDOWS\D3CD32.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\DESKTOP\SPYWARE PROTECTION\HIJACK THIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system\doxmb.dll/sp.html#909256038
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://doxmb.dll/index.html#909256038
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://doxmb.dll/index.html#909256038
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system\doxmb.dll/sp.html#909256038
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://doxmb.dll/index.html#909256038
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system\doxmb.dll/sp.html#909256038
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by America Online
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {28A44E47-1962-F448-78C6-1A2589E5B9B5} - C:\WINDOWS\D3EW.DLL (file missing)
O2 - BHO: (no name) - {F69AA0DB-F421-F1A5-FE7E-80CCFBC0B008} - C:\WINDOWS\CRPO32.DLL (file missing)
O2 - BHO: (no name) - {7F0FD938-6921-7913-8F78-2E42633C1214} - C:\WINDOWS\APPDV.DLL (file missing)
O2 - BHO: (no name) - {3E8A3A27-AB09-911A-8D54-F1EB0E22B2DA} - C:\WINDOWS\SYSTEM\NTAJ32.DLL (file missing)
O2 - BHO: (no name) - {2FC683F4-4B40-99FD-E7FB-2D55A95BCDFF} - C:\WINDOWS\SYSEC32.DLL (file missing)
O2 - BHO: (no name) - {2F96309F-5728-7649-2879-9AF7D04FF706} - C:\WINDOWS\SYSTEM\JAVAHY.DLL (file missing)
O2 - BHO: (no name) - {2D3EC341-0567-0CAE-7DC7-B5AF0E0C46D2} - C:\WINDOWS\SYSTEM\SYSLY.DLL (file missing)
O2 - BHO: (no name) - {FF6D79FE-4452-C373-6850-EFD03145949C} - C:\WINDOWS\D3PE32.DLL (file missing)
O2 - BHO: (no name) - {BB1C7E31-AB2A-B10E-AD1C-F84A89B87AC1} - C:\WINDOWS\CRQR.DLL (file missing)
O2 - BHO: (no name) - {081758B8-1464-68B8-A672-5A257F23165E} - C:\WINDOWS\SYSTEM\MFCIR.DLL (file missing)
O2 - BHO: (no name) - {292E35CC-69D5-FB97-1ED9-C7DA8B132261} - C:\WINDOWS\SYSTEM\D3WA.DLL (file missing)
O2 - BHO: (no name) - {A13A235C-EE8E-7F0F-35D2-BB318893F03A} - C:\WINDOWS\SYSTEM\MFCNH32.DLL
O2 - BHO: (no name) - {9B52DB7D-8D7B-4564-958F-49D99A6430FB} - C:\WINDOWS\APPWH32.DLL (file missing)
O2 - BHO: (no name) - {9916C962-3432-BB26-FEE6-D6D2AF827F16} - C:\WINDOWS\SYSTEM\MSPV.DLL (file missing)
O2 - BHO: (no name) - {932D21BB-436A-AA18-7EFE-9D87C425742E} - C:\WINDOWS\MSFL32.DLL (file missing)
O2 - BHO: (no name) - {AAB84880-0463-A3A5-02AA-5E33BB02E2BE} - C:\WINDOWS\SYSTEM\SYSDR32.DLL (file missing)
O2 - BHO: (no name) - {397ACE10-AC4F-6D02-B07D-9C18F19A967C} - C:\WINDOWS\SDKWJ.DLL (file missing)
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\WINDOWS\DOWNLOADED PROGRAM FILES\YCOMP5_1_4_0.DLL (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET
O4 - HKLM\..\Run: [EASY ACCESS KEYBOARD] C:\Program Files\Compaq\Easy Access Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [Logitech Utility] LOGI_MWX.EXE
O4 - HKLM\..\Run: [PowerMate] C:\Program Files\Griffin Technology\PowerMate\PowerMate.exe
O4 - HKLM\..\Run: [APPDV.EXE] C:\WINDOWS\APPDV.EXE
O4 - HKLM\..\RunServices: [D3CD32.EXE] C:\WINDOWS\D3CD32.EXE
O4 - Startup: PC Alert III.lnk = C:\Program Files\MSI\PC Alert III\alert.exe
O4 - Startup: Loadout Manager.lnk = C:\Program Files\Belkin\Nostromo\nost_LM.exe
O4 - Startup: EPSON Background Monitor.lnk = C:\ESM2\Stms.exe
O4 - Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsearch.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsimilar.html
O8 - Extra context menu item: Backward &Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmtrans.html
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: ATI TV (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O14 - IERESET.INF: START_PAGE_URL=http://www.aol.com
O16 - DPF: {4E330863-6A11-11D0-BFD8-006097237877} (InstallFromTheWeb ActiveX Control) - http://tw.msi.com.tw...nt/iftwclix.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A} (WTHoster Class) - http://www.wildtange...ic/wtwdinst.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (Yahoo! Companion) - http://us.dl1.yimg.c...ebio5_1_4_0.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com...ex/qtplugin.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...ector/swdir.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...8050.6302314815
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://antu.popcap.c...aploader_v5.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = aoldsl.net




About:Buster Version 1.23
Removed! : C:\WINDOWS\agmltr.dat
Removed! : C:\WINDOWS\brjdxc.dat
Removed! : C:\WINDOWS\MSFL32.EXE.$$$
Removed! : C:\WINDOWS\xoxup.dat
Removed! : C:\WINDOWS\selrg.dat
Removed! : C:\WINDOWS\n_hpeqmz.dat
Removed! : C:\WINDOWS\uajhd.dat
Removed! : C:\WINDOWS\uajhd.dll
Removed! : C:\WINDOWS\khegy.dat
Removed! : C:\WINDOWS\kfihl.dat
Removed! : C:\WINDOWS\APPDV.EXE.$$$
Removed! : C:\WINDOWS\qzast.dat
Removed! : C:\WINDOWS\zladw.dat
Removed! : C:\WINDOWS\chytu.dat
Removed! : C:\WINDOWS\qzast.dll
Removed! : C:\WINDOWS\upjpt.dat
Removed! : C:\WINDOWS\ipolf.dat
Removed! : C:\WINDOWS\nocaz.dat
Removed! : C:\WINDOWS\kjidg.dll
Removed! : C:\WINDOWS\hraif.dat
Removed! : C:\WINDOWS\n_oazndl.dat
Error Removing! : C:\WINDOWS\d3pc32.exe
Removed! : C:\WINDOWS\ijlrwz.dat
Error Removing! : C:\WINDOWS\netah32.exe
Removed! : C:\WINDOWS\ujiehz.dat
Removed! : C:\WINDOWS\npdalo.dat
Removed! : C:\WINDOWS\qpsbyw.dat
Removed! : C:\WINDOWS\vubbug.dat
Error Removing! : C:\WINDOWS\netng32.exe
Error Removing! : C:\WINDOWS\apiqw32.exe
Removed! : C:\WINDOWS\nzogqk.dat
Removed! : C:\WINDOWS\tlwev.dat
Removed! : C:\WINDOWS\rgdpc.dll
Error Removing! : C:\WINDOWS\msjk.exe
Removed! : C:\WINDOWS\tmkdzh.dat
Removed! : C:\WINDOWS\lwarka.dat
Removed! : C:\WINDOWS\n_gzngjh.dat
Removed! : C:\WINDOWS\hmdsz.dat
Removed! : C:\WINDOWS\rqmsp.dll
Removed! : C:\WINDOWS\hgyfgr.dat
Removed! : C:\WINDOWS\jrjcby.dat
Removed! : C:\WINDOWS\mwwkdd.dat
Removed! : C:\WINDOWS\fzjtac.dat
Error Removing! : C:\WINDOWS\msnh.exe
Removed! : C:\WINDOWS\ewqwnv.dat
Removed! : C:\WINDOWS\vwqiac.dat
Removed! : C:\WINDOWS\rolxu.dat
Removed! : C:\WINDOWS\iwdlp.dat
Removed! : C:\WINDOWS\bggkb.dat
Removed! : C:\WINDOWS\edmyh.dat
Removed! : C:\WINDOWS\awxzr.dat
Removed! : C:\WINDOWS\zvtpyl.dat
Removed! : C:\WINDOWS\yyely.dat
Removed! : C:\WINDOWS\xmqqq.dll
Error Removing! : C:\WINDOWS\ipns.exe
Removed! : C:\WINDOWS\qdqvwt.dat
Removed! : C:\WINDOWS\sdlqxa.dat
Removed! : C:\WINDOWS\n_qssulu.dat
Removed! : C:\WINDOWS\cxhak.dat
Removed! : C:\WINDOWS\n_oayfub.dat
Removed! : C:\WINDOWS\etxqh.dat
Removed! : C:\WINDOWS\uirhs.dll
Removed! : C:\WINDOWS\jdfemt.dat
Removed! : C:\WINDOWS\cgpshz.dat
Removed! : C:\WINDOWS\brgidn.dat
Removed! : C:\WINDOWS\lypxl.dat
Removed! : C:\WINDOWS\hohgs.dll
Removed! : C:\WINDOWS\syinu.dat
Error Removing! : C:\WINDOWS\ntaw.exe
Removed! : C:\WINDOWS\tlflnw.dat
Removed! : C:\WINDOWS\ttolrw.dat
Error Removing! : C:\WINDOWS\appse32.exe
Removed! : C:\WINDOWS\prfybm.dat
Removed! : C:\WINDOWS\rpepep.dat
Removed! : C:\WINDOWS\gxzqho.dat
Removed! : C:\WINDOWS\nscow.dat
Removed! : C:\WINDOWS\aeygj.dat
Removed! : C:\WINDOWS\cfvfb.dll
Removed! : C:\WINDOWS\vekdcp.dat
Removed! : C:\WINDOWS\wpuzpw.dat
Removed! : C:\WINDOWS\n_vekdcp.dat
Removed! : C:\WINDOWS\n_uifmjg.dat
Removed! : C:\WINDOWS\uifmjg.dat
Removed! : C:\WINDOWS\ikgha.dat
Removed! : C:\WINDOWS\mfcru32.exe
Removed! : C:\WINDOWS\msfl32.exe
Removed! : C:\WINDOWS\xdzjev.dat
Removed! : C:\WINDOWS\rljkz.dat
Removed! : C:\WINDOWS\skcbl.dat
Removed! : C:\WINDOWS\qcnhf.dll
Removed! : C:\WINDOWS\zmgkb.dat
Removed! : C:\WINDOWS\ldlkl.dll
Removed! : C:\WINDOWS\fxncn.dat
Error Removing! : C:\WINDOWS\mfclq32.exe
Removed! : C:\WINDOWS\etimt.dll
Removed! : C:\WINDOWS\vsgmrp.dat
Removed! : C:\WINDOWS\mgbcyb.dat
Removed! : C:\WINDOWS\n_rqvmdy.dat
Removed! : C:\WINDOWS\gnjbd.dat
Removed! : C:\WINDOWS\ajhza.dat
Removed! : C:\WINDOWS\sahhu.dll
Removed! : C:\WINDOWS\jvwtb.dat
Removed! : C:\WINDOWS\epztd.dll
Error Removing! : C:\WINDOWS\d3pp32.exe
Removed! : C:\WINDOWS\bnvia.dll
Removed! : C:\WINDOWS\atleq.exe
Removed! : C:\WINDOWS\kweqca.dat
Removed! : C:\WINDOWS\maxmph.dat
Removed! : C:\WINDOWS\n_jkyvue.dat
Removed! : C:\WINDOWS\qssulu.dat
Removed! : C:\WINDOWS\mzqyai.dat
Removed! : C:\WINDOWS\czrxwg.dat
Error Removing! : C:\WINDOWS\mszr32.exe
Removed! : C:\WINDOWS\hgsujs.dat
Removed! : C:\WINDOWS\ssccqq.dat
Removed! : C:\WINDOWS\opxzmr.dat
Removed! : C:\WINDOWS\paivzx.dat
Removed! : C:\WINDOWS\boyxno.dat
Error Removing! : C:\WINDOWS\sysrh32.exe
Removed! : C:\WINDOWS\drrtiv.dat
Removed! : C:\WINDOWS\ebjmy.dat
Removed! : C:\WINDOWS\bwhaja.dat
Removed! : C:\WINDOWS\uuuari.dat
Error Removing! : C:\WINDOWS\d3cd32.exe
Removed! : C:\WINDOWS\namzpp.dat
Removed! : C:\WINDOWS\pdfwkw.dat
Removed! : C:\WINDOWS\crac32.exe
Removed! : C:\WINDOWS\gcauvo.dat
Removed! : C:\WINDOWS\zcsjcp.dat
Removed! : C:\WINDOWS\afdgpv.dat
Removed! : C:\WINDOWS\enzcrc.dat
Removed! : C:\WINDOWS\sdjglu.dat
Removed! : C:\WINDOWS\jtqvxu.dat
Removed! : C:\WINDOWS\grjyei.dat
Removed! : C:\WINDOWS\xulhu.dat
Removed! : C:\WINDOWS\ywmmsh.dat
Error Removing! : C:\WINDOWS\winsq.exe
Removed! : C:\WINDOWS\zrbmxt.dat
Removed! : C:\WINDOWS\hakmuv.dat
Removed! : C:\WINDOWS\telmuk.dat
Removed! : C:\WINDOWS\rskxlc.dat
Removed! : C:\WINDOWS\iefv32.exe
Removed! : C:\WINDOWS\upwihr.dat
Error Removing! : C:\WINDOWS\apilo32.exe
Removed! : C:\WINDOWS\hxvlbc.dat
Removed! : C:\WINDOWS\jiohoi.dat
Removed! : C:\WINDOWS\System\qinaj.dat
Removed! : C:\WINDOWS\System\agmlt.dat
Removed! : C:\WINDOWS\System\xoecs.dat
Removed! : C:\WINDOWS\System\mhphm.dat
Removed! : C:\WINDOWS\System\dunoc.dat
Removed! : C:\WINDOWS\System\hbanr.dat
Removed! : C:\WINDOWS\System\plgnq.dat
Removed! : C:\WINDOWS\System\rgeeo.dat
Removed! : C:\WINDOWS\System\appqv.exe
Removed! : C:\WINDOWS\System\sdbnx.dat
Removed! : C:\WINDOWS\System\mzmch.dat
Removed! : C:\WINDOWS\System\xdzje.dat
Removed! : C:\WINDOWS\System\simps.dat
Removed! : C:\WINDOWS\System\mvqen.dat
Removed! : C:\WINDOWS\System\ieoa.exe
Removed! : C:\WINDOWS\System\slydd.dat
Removed! : C:\WINDOWS\System\suvbu.dat
Removed! : C:\WINDOWS\System\ksmaw.dat
Removed! : C:\WINDOWS\System\cymyl.dat
Removed! : C:\WINDOWS\System\gmshs.dat
Removed! : C:\WINDOWS\System\ciwby.dat
Removed! : C:\WINDOWS\System\pzsbc.dat
Removed! : C:\WINDOWS\System\ghtat.dat
Removed! : C:\WINDOWS\System\bpmvm.dat
Removed! : C:\WINDOWS\System\eccwv.dat
Removed! : C:\WINDOWS\System\mfcnh32.dll
Removed! : C:\WINDOWS\System\appro.exe
Removed! : C:\WINDOWS\System\jfdbm.dat
Removed! : C:\WINDOWS\System\iezc.exe
Removed! : C:\WINDOWS\System\cgtwa.dat
Removed! : C:\WINDOWS\System\sysox32.exe
Attempted Clean Of Temp folder.
Removed Uninstall Key (HSA)
Removed Uninstall Key (SE)
Removed Uninstall Key (SW)
Pages Reset... Done!

#4 RubbeR DuckY

Posted 30 June 2004 - 08:05 PM

Run it one more time. Please post the buster log. It will try to remove the errors.
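
The first About:Buster log above reports "Error Removing!" for exactly the executables that were still running (d3pc32.exe, netah32.exe and the rest of the RunServices set); the helper's advice is to run it once more after the restart and compare. The script below, an added example that is not part of the thread or of About:Buster, reconciles two such logs so a helper can see at a glance which errors cleared and which did not. Its two log excerpts are constructed from the entries posted here; winsq.exe is deliberately left out of the second excerpt to show how a file that simply disappears from the follow-up log is reported.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed excerpts of two About:Buster logs, shaped like the ones posted in
# this thread: the first run fails on files that were still executing, the second
# run (after a restart) reports most of them as removed.
FIRST_RUN = r"""About:Buster Version 1.23
Removed! : C:\WINDOWS\agmltr.dat
Error Removing! : C:\WINDOWS\d3pc32.exe
Removed! : C:\WINDOWS\ijlrwz.dat
Error Removing! : C:\WINDOWS\netah32.exe
Error Removing! : C:\WINDOWS\winsq.exe
Attempted Clean Of Temp folder.
Pages Reset... Done!
"""

SECOND_RUN = r"""About:Buster Version 1.23
Removed! : C:\WINDOWS\d3pc32.exe
Removed! : C:\WINDOWS\netah32.exe
Attempted Clean Of Temp folder.
Pages Reset... Done!
"""

# Only the two per-file result lines matter; summary lines are ignored.
RESULT_LINE = re.compile(r"^(Removed!|Error Removing!) : (.+)$")


def parse_buster_log(text: str) -> Tuple[Set[str], Set[str]]:
    """Return (removed, errors) as sets of lower-cased paths from one About:Buster log."""
    removed: Set[str] = set()
    errors: Set[str] = set()
    for line in text.splitlines():
        m = RESULT_LINE.match(line.strip())
        if not m:
            continue
        path = m.group(2).strip().lower()  # Windows paths compare case-insensitively
        (removed if m.group(1) == "Removed!" else errors).add(path)
    return removed, errors


def reconcile(first: str, second: str) -> Dict[str, List[str]]:
    """Compare a first run's failures against a follow-up run."""
    _, errors_1 = parse_buster_log(first)
    removed_2, errors_2 = parse_buster_log(second)
    return {
        "cleared": sorted(errors_1 & removed_2),            # failed, then removed
        "still_failing": sorted(errors_1 & errors_2),       # failed both times
        "unaccounted": sorted(errors_1 - removed_2 - errors_2),  # failed, then silent
        "new_errors": sorted(errors_2 - errors_1),          # new failures on run two
    }


if __name__ == "__main__":
    for bucket, paths in reconcile(FIRST_RUN, SECOND_RUN).items():
        print(f"{bucket}: {len(paths)}")
        for p in paths:
            print("   ", p)
```

An "unaccounted" path is the one to look at by hand: a file that errored once and then is not mentioned at all may have been deleted by another tool in between, or may still be present under a name the follow-up run did not check.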

#5 notagain

Posted 30 June 2004 - 08:20 PM

Go to www.hsremove.bravehost.com and download HSRemove.exe. Be sure to close all applications including the hsremove.bravehost window before running the exe file. Everything has to be closed or it will not work. After you have successfully terminated the process, purchase Trojan Hunter (the free version is not up to date), get the most recent update and scan. I found 78 trojan files that needed to be cleaned up. I no longer have the problem. It might take several tries to get on the hsremove website, but don't give up.

#6 RubbeR DuckY

Posted 30 June 2004 - 08:25 PM

notagain, if you would like to sign up to be a helper, please visit Boot Camp.

As for HSRemove: it changes your homepage after it's done. It didn't work for me either. For now, can the user post a new HijackThis log and a new Buster log?

#7 microjoe

Posted 01 July 2004 - 06:59 PM

Rubber Ducky,
Thanks for the help. I followed your instructions. I think I finally got the spyware removed.

I ran About:Buster again. It looks like it removed all the earlier errors. I've attached a copy of the Buster log below. Once it finished I restarted my PC and ran HijackThis. I have also attached the HijackThis log below.

About:Buster Version 1.23
Removed! : C:\WINDOWS\nzogqk.dat
Removed! : C:\WINDOWS\upwihr.dat
Removed! : C:\WINDOWS\vwqiac.dat
Removed! : C:\WINDOWS\lwarka.dat
Removed! : C:\WINDOWS\ttolrw.dat
Removed! : C:\WINDOWS\zrbmxt.dat
Removed! : C:\WINDOWS\namzpp.dat
Removed! : C:\WINDOWS\pdfwkw.dat
Removed! : C:\WINDOWS\agmltr.dat
Removed! : C:\WINDOWS\sdlqxa.dat
Removed! : C:\WINDOWS\npdalo.dat
Removed! : C:\WINDOWS\jiohoi.dat
Removed! : C:\WINDOWS\qdqvwt.dat
Removed! : C:\WINDOWS\uuuari.dat
Removed! : C:\WINDOWS\gcauvo.dat
Removed! : C:\WINDOWS\d3pc32.exe
Removed! : C:\WINDOWS\netah32.exe
Removed! : C:\WINDOWS\netng32.exe
Removed! : C:\WINDOWS\apiqw32.exe
Removed! : C:\WINDOWS\msjk.exe
Removed! : C:\WINDOWS\msnh.exe
Removed! : C:\WINDOWS\ipns.exe
Removed! : C:\WINDOWS\ntaw.exe
Removed! : C:\WINDOWS\appse32.exe
Removed! : C:\WINDOWS\mfclq32.exe
Removed! : C:\WINDOWS\d3pp32.exe
Removed! : C:\WINDOWS\mszr32.exe
Removed! : C:\WINDOWS\sysrh32.exe
Removed! : C:\WINDOWS\winsq.exe
Removed! : C:\WINDOWS\apilo32.exe
Attempted Clean Of Temp folder.
Pages Reset... Done!


Logfile of HijackThis v1.97.7
Scan saved at 7:37:38 PM, on 7/1/04
Platform: Windows 98 SE (Win9x 4.10.2222B)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\AHEAD\INCD\INCD.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
C:\PROGRAM FILES\COMPAQ\EASY ACCESS KEYBOARD\MMKEYBD.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\GRIFFIN TECHNOLOGY\POWERMATE\POWERMATE.EXE
C:\PROGRAM FILES\MSI\PC ALERT III\ALERT.EXE
C:\PROGRAM FILES\LOGITECH\MOUSEWARE\SYSTEM\EM_EXEC.EXE
C:\PROGRAM FILES\BELKIN\NOSTROMO\NOST_LM.EXE
C:\PROGRAM FILES\AMERICA ONLINE 9.0\AOLTRAY.EXE
C:\PROGRAM FILES\COMPAQ\EASY ACCESS KEYBOARD\MEDIACTR.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\COMPAQ\EASY ACCESS KEYBOARD\MMUSBKB2.EXE
C:\PROGRAM FILES\AMERICA ONLINE 9.0\WAOL.EXE
C:\PROGRAM FILES\COMMON FILES\AOL\ACS\ACSD.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\PROGRAM FILES\AMERICA ONLINE 9.0\SHELLMON.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\AMERICA ONLINE 9.0\AOLWBSPD.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\DESKTOP\SPYWARE PROTECTION\HIJACK THIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by America Online
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET
O4 - HKLM\..\Run: [EASY ACCESS KEYBOARD] C:\Program Files\Compaq\Easy Access Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [Logitech Utility] LOGI_MWX.EXE
O4 - HKLM\..\Run: [PowerMate] C:\Program Files\Griffin Technology\PowerMate\PowerMate.exe
O4 - Startup: PC Alert III.lnk = C:\Program Files\MSI\PC Alert III\alert.exe
O4 - Startup: Loadout Manager.lnk = C:\Program Files\Belkin\Nostromo\nost_LM.exe
O4 - Startup: EPSON Background Monitor.lnk = C:\ESM2\Stms.exe
O4 - Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsearch.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsimilar.html
O8 - Extra context menu item: Backward &Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmtrans.html
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: ATI TV (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O14 - IERESET.INF: START_PAGE_URL=http://www.aol.com
O16 - DPF: {4E330863-6A11-11D0-BFD8-006097237877} (InstallFromTheWeb ActiveX Control) - http://tw.msi.com.tw...nt/iftwclix.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A} (WTHoster Class) - http://www.wildtange...ic/wtwdinst.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (Yahoo! Companion) - http://us.dl1.yimg.c...ebio5_1_4_0.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com...ex/qtplugin.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...ector/swdir.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...8050.6302314815
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://antu.popcap.c...aploader_v5.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = aoldsl.net


There is still one problem I'm having, although it's minor compared to the headaches all this spyware caused these past two weeks. I'm having a problem opening new browser windows when I try right-clicking on hyperlinks. The new browser window freezes and won't open the website. Have you ever heard of a problem like this? It started when I first caught the spyware. Is there an easy fix to this problem, or will I have to reinstall Internet Explorer?

Rubber Ducky, thanks again for the help. My system looks clean. Now I just have to keep it clean.

Thank You,
Joe
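A check of the sort the post is doing by eye, cross-referencing the About:Buster "Removed!" entries against the post-cleanup HijackThis running-process and O4 autostart lines to confirm nothing removed is still loaded or set to run. This is an added example, not About:Buster's or HijackThis's own code; the two log excerpts are constructed in their formats, with one NETAH32.EXE process line added so the check has something to flag.

```python
import ntpath

# Constructed excerpts in the format of the About:Buster and HijackThis logs
# quoted above; the NETAH32.EXE process line is added so the check has a hit.
ABOUT_BUSTER_LOG = r"""About:Buster Version 1.23
Removed! : C:\WINDOWS\nzogqk.dat
Removed! : C:\WINDOWS\d3pc32.exe
Removed! : C:\WINDOWS\netah32.exe
Attempted Clean Of Temp folder.
Pages Reset... Done!
"""
HIJACKTHIS_LOG = r"""Logfile of HijackThis v1.97.7

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\NETAH32.EXE

O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - Startup: Loadout Manager.lnk = C:\Program Files\Belkin\Nostromo\nost_LM.exe
"""

def removed_basenames(buster_log):
    """Lower-cased file names that About:Buster reports as 'Removed!'."""
    return {ntpath.basename(l.split(": ", 1)[1]).lower()
            for l in buster_log.splitlines() if l.startswith("Removed! : ")}

def parse_hijackthis(hjt_log):
    """Return (running process paths, O4 autostart lines) from a HijackThis log."""
    processes, autostarts, in_procs = [], [], False
    for line in map(str.strip, hjt_log.splitlines()):
        if line == "Running processes:":
            in_procs = True
        elif in_procs and line:
            processes.append(line)
        elif in_procs:
            in_procs = False  # a blank line ends the process block
        elif line.startswith("O4 - "):
            autostarts.append(line)
    return processes, autostarts

def residual_references(buster_log, hjt_log):
    """HijackThis lines that still name a file About:Buster reported removed."""
    removed = removed_basenames(buster_log)
    processes, autostarts = parse_hijackthis(hjt_log)
    hits = [("process", p) for p in processes if ntpath.basename(p).lower() in removed]
    # O4 commands may give a bare name or a path with spaces, so match by substring.
    hits += [("autostart", a) for a in autostarts if any(n in a.lower() for n in removed)]
    return hits
```

An empty result from residual_references means the cleaned log no longer names anything About:Buster removed; a hit is a reason to re-run the tools rather than declare the system clean.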
