I have two users on Windows XP. I have run spybot s&d, ad aware, cw shredder and hijack this on both users. I have emptied temporary internet files. I have read the faq for newbies. CW Shredder comes up clean. Spybot and ad aware come up okay. Hijack this will bring up the "res://pomjc.dll/index.html#96676" and others to do with it. I let hijack this fix them and run again, they will be gone. When I switch users or reboot they come back. Please help me. I am a newbie so you will nead to get out the crayons and draw me a picture! Here is my hijack this log from the most recent run. Thank you.


Logfile of HijackThis v1.98.0

Scan saved at 5:38:40 PM, on 7/4/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)


Running processes:








C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe





C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe

C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE






C:\Program Files\Real\RealPlayer\RealPlay.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe


C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE

C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe

C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe

C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe


C:\Program Files\Messenger\msmsgs.exe



C:\Program Files\America Online 9.0\aoltray.exe

C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe

C:\Program Files\InterTrust\InterRights Point\Program\it_cpquickstart.exe

C:\Program Files\Sierra Imaging\Image Expert\IXApplet.exe


C:\Program Files\Internet Explorer\iexplore.exe


R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\xjjfm.dll/sp.html#96676

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://xjjfm.dll/index.html#96676

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://kzjoz.dll/index.html#96676

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\kzjoz.dll/sp.html#96676

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\kzjoz.dll/sp.html#96676

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://kzjoz.dll/index.html#96676

R3 - Default URLSearchHook is missing

F0 - system.ini: Shell=

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,


O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll

O2 - BHO: (no name) - {FDFB032B-81CA-5B7E-7876-05C4543E674E} - C:\WINDOWS\appxt.dll

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll

O4 - HKLM\..\Run: [systemTray] SysTray.Exe

O4 - HKLM\..\Run: [PaperPort PTD] c:\paprport\pptd40nt.exe

O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"

O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe

O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe

O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers

O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe

O4 - HKLM\..\Run: [speed racer] C:\Program Files\Creative\PlayCenter\CTSRReg.exe

O4 - HKLM\..\Run: [AudioHQ] C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE

O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe

O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe

O4 - HKLM\..\Run: [apiws32.exe] C:\WINDOWS\apiws32.exe

O4 - HKLM\..\RunOnce: [crxn32.exe] C:\WINDOWS\system32\crxn32.exe

O4 - HKLM\..\RunOnce: [sysal32.exe] C:\WINDOWS\sysal32.exe

O4 - HKLM\..\RunOnce: [ieyy32.exe] C:\WINDOWS\ieyy32.exe

O4 - HKLM\..\RunOnce: [javaiq32.exe] C:\WINDOWS\system32\javaiq32.exe

O4 - HKLM\..\RunOnce: [crtb.exe] C:\WINDOWS\system32\crtb.exe

O4 - HKLM\..\RunOnce: [atlit32.exe] C:\WINDOWS\atlit32.exe

O4 - HKLM\..\RunOnce: [apihe32.exe] C:\WINDOWS\apihe32.exe

O4 - HKLM\..\RunOnce: [cryn.exe] C:\WINDOWS\cryn.exe

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [MoneyStartUp] C:\Program Files\Microsoft Money\System\Money Startup.exe

O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\WEATHER.EXE 1

O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~2\PSFREE.EXE"

O4 - Startup: Camio Viewer.lnk = C:\Program Files\Sierra Imaging\Image Expert\IXApplet.exe

O4 - Startup: Event Reminder.lnk = C:\Program Files\Mindscape\PrintMaster\PMREMIND.EXE

O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?

O4 - Global Startup: InterTrust Quick Start.lnk = C:\Program Files\InterTrust\InterRights Point\Program\it_cpquickstart.exe

O9 - Extra button: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM

O9 - Extra 'Tools' menuitem: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll

O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (HKCU)

O16 - DPF: Mah Jong Garden by pogo - http://mahjong2.pogo.com/applet-

O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://download.weatherbug.com/minibug/tri...Transporter.cab?

O16 - DPF: {3CC943C7-3C99-11D4-8135-0050041A5144} (RunExeActiveX.UserControl1) - file://C:\Program Files\Gateway\HelpSpot\RunExeActiveX.CAB

O17 - HKLM\System\CCS\Services\Tcpip\..\{179C2FED-2F37-48D7-90C2-0531516FB458}: NameServer =,

*Nothing* in the HKLM RunOnce section looks healthy, and a few look familliar from my own weekend with res://

Weatherbug and its ilk need attention too.



+thank you, end call



The following applies to me in spades on this issue:


Note: People whose Group is 'Member' have no standing as helpers, and their advice should be regarded sceptically. We try to catch and fix anything dangerous, misleading, or inadequate, but can't always get there in time.

