• Announcements

    • Budfred

      IE 11 copy/paste problem

      It has come to our attention that people using Internet Explorer 11 (IE 11) are having trouble with copy/paste to the forum. If you encounter this problem, using a different browser like Firefox or Chrome seems to get around the problem. We do not know what the problem is, but it seems to be specific to IE 11 and we are hopeful that Microsoft will eventually fix it.
    • Budfred

      PLEASE READ - Reversing upgrade   02/23/2017

      We have found that this new upgrade is somewhat of a disaster.  We are finding lots of glitches in being able to post and administer the forum.  Additionally, there are new costs associated with the upgrade that we simply cannot afford.  As a result, we have decided to reverse course and go back to the previous version of our software.  Since this will involve restoring it from a backup, we will lose posts that have been added since January 30 or possibly even some before that.    If you started a topic during that time, we urge you to make backups of your posts and you will need to start the topics over again after the change.  You can simply paste the copies of your posts that you created at that point.    If you joined the forum this month, you will need to re-register since your membership will be lost along with the posts.  Since you have a concealed password, we cannot simply restore your membership for you.   We are going to backup as much as we can so that it will reduce inconvenience for our members.  Unfortunately we cannot back everything up since much will be incompatible with the old version of our software.  We apologize for the confusion and regret the need to do this even though it is not viable to continue with this version of the software.   We plan to begin the process tomorrow evening and, if it goes smoothly, we shouldn't be offline for very long.  However, since we have not done this before, we are not sure how smoothly it will go.  We ask your patience as we proceed.
Sign in to follow this  
Followers 0
mconly

need help with my browser

16 posts in this topic

need help with my puter, here's the log

 

 

Logfile of HijackThis v1.97.7

Scan saved at 11:32:38 PM, on 7/5/2004

Platform: Windows ME (Win9x 4.90.3000)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\SYSTEM\KERNEL32.DLL

C:\WINDOWS\SYSTEM\MSGSRV32.EXE

C:\WINDOWS\SYSTEM\mmtask.tsk

C:\WINDOWS\SYSTEM\MPREXE.EXE

C:\WINDOWS\SYSTEM\MSTASK.EXE

C:\WINDOWS\SYSTEM\SSDPSRV.EXE

C:\WINDOWS\SYSTEM\DEVLDR16.EXE

C:\WINDOWS\EXPLORER.EXE

C:\PROGRAM FILES\CREATIVE\SBLIVE\AUDIOHQ\AHQTB.EXE

C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE

C:\WINDOWS\TASKMON.EXE

C:\WINDOWS\SYSTEM\SYSTRAY.EXE

C:\PROGRAM FILES\DELL\SOLUTION CENTER\SERVICE.EXE

C:\PROGRAM FILES\NETROPA\MULTIMEDIA KEYBOARD\MMKEYBD.EXE

C:\PROGRAM FILES\ADAPTEC\DIRECTCD\DIRECTCD.EXE

C:\WINDOWS\LOADQM.EXE

C:\WINDOWS\SYSTEM\WMIEXE.EXE

C:\PROGRAM FILES\NETROPA\MULTIMEDIA KEYBOARD\MMUSBKB2.EXE

C:\PROGRAM FILES\BROADJUMP\CLIENT FOUNDATION\CFD.EXE

C:\WINDOWS\TEMP\Q5XP.EXE

C:\WINDOWS\SYSTEM\WBEM\WINMGMT.EXE

C:\PROGRAM FILES\NETROPA\ONSCREEN DISPLAY\OSD.EXE

C:\PROGRAM FILES\MESSENGER\MSMSGS.EXE

C:\WINDOWS\SYSTEM32\WINPROC32.EXE

C:\WINDOWS\SYSTEM32\DEINST_QFE002.EXE

C:\PROGRAM FILES\LOGITECH\MOUSEWARE\SYSTEM\EM_EXEC.EXE

C:\WINDOWS\SYSTEM\GRUPJUUD.EXE

C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\WORKS SHARED\WKCALREM.EXE

C:\PROGRAM FILES\SIERRA IMAGING\IMAGE EXPERT 2000\IXAPPLET.EXE

C:\PROGRAM FILES\PALM\HOTSYNC.EXE

C:\PROGRAM FILES\OLYMPUS\CAMEDIA MASTER 4.1\CM_CAMERA.EXE

C:\PROGRAM FILES\ALURIA SOFTWARE\ASE\ASE SCHEDULER.EXE

C:\WINDOWS\SYSTEM\SPOOL32.EXE

C:\WINDOWS\SYSTEM\NETBIOSV.EXE

C:\WINDOWS\SYSTEM\DDHELP.EXE

C:\WINDOWS\SYSTEM\DDDUN.EXE

C:\WINDOWS\SYSTEM\DDDUN.EXE

C:\WINDOWS\SYSTEM\E_S10IC2.EXE

C:\WINDOWS\SYSTEM\E_S10IC2.EXE

C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE

C:\PROGRAM FILES\ALURIA SOFTWARE\DRSPEED SUITE\MEMRX.EXE

C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE

C:\WINDOWS\SYSTEM32\SYSTEM_24973.DAT

C:\WINDOWS\TEMP\TD_0001.DIR\HIJACKTHIS.EXE

 

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://4-counter.com/?a=2&b=encry

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://4-counter.com/?a=2&b=encry

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://4-counter.com/?a=2&b=encry

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://4-counter.com/?b=encry

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://4-counter.com/?a=2&b=encry

R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://4-counter.com/?a=2&b=encry

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://4-counter.com/?a=2&b=encry

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://4-counter.com/?a=2&b=encry

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://4-counter.com/?a=2&b=encry

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank

N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.com/bookmark/7_1/home.html"); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\kotud4ad.slt\prefs.js)

N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CPROGRAM%20FILES%5CNETSCAPE%5CNETSCAPE%5Csearchplugins%5CSBWeb_01.src"); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\kotud4ad.slt\prefs.js)

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL (file missing)

O2 - BHO: (no name) - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINDOWS\NEM219.DLL (file missing)

O2 - BHO: ie - {2FF5573C-0EB5-43db-A1B2-C4326813468E} - C:\WINDOWS\IEHR.DLL

O2 - BHO: WinPage Affiliate - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - C:\PROGRAM FILES\COMMON FILES\MIDADDLE\MIDADDLE.DLL (file missing)

O2 - BHO: (no name) - {3AA94004-E837-1DE4-8753-60550DA62C11} - C:\WINDOWS\SYSTEM\OOPTNFBL.DLL

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX

O4 - HKLM\..\Run: [scanRegistry] C:\WINDOWS\scanregw.exe /autorun

O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe

O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s

O4 - HKLM\..\Run: [systemTray] SysTray.Exe

O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme

O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe

O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers

O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe

O4 - HKLM\..\Run: [TCASUTIEXE] TCAUDIAG -off

O4 - HKLM\..\Run: [DellSC] C:\Program Files\Dell\Solution Center\service.exe

O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe

O4 - HKLM\..\Run: [speed racer] C:\Program Files\Creative\PlayCenter\CTSRReg.exe

O4 - HKLM\..\Run: [AudioHQ] C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE

O4 - HKLM\..\Run: [updReg] C:\WINDOWS\Updreg.exe

O4 - HKLM\..\Run: [Adaptec DirectCD] C:\PROGRA~1\ADAPTEC\DIRECTCD\DIRECTCD.EXE

O4 - HKLM\..\Run: [LoadQM] loadqm.exe

O4 - HKLM\..\Run: [ink Monitor] C:\PROGRA~1\EPSON\INKMON~1\InkMonitor.exe

O4 - HKLM\..\Run: [WORKFLO] D:\INSTALL\WORKFLOW.EXE

O4 - HKLM\..\Run: [bJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe

O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe

O4 - HKLM\..\Run: [epotkhed] C:\WINDOWS\epotkhed.exe

O4 - HKLM\..\Run: [Q5XP] C:\WINDOWS\TEMP\Q5XP.EXE

O4 - HKLM\..\Run: [Dsi] C:\WINDOWS\SYSTEM\DP-HIM.EXE

O4 - HKLM\..\Run: [5QEKE7T5NG9WG2] C:\WINDOWS\SYSTEM\Uit99525.exe

O4 - HKLM\..\Run: [p4mX37l] BATMG32.EXE

O4 - HKLM\..\Run: [TV Media] C:\PROGRAM FILES\TV MEDIA\TVM.EXE

O4 - HKLM\..\Run: [anct] C:\WINDOWS\anct.exe

O4 - HKLM\..\Run: [R32_32I] C:\WINDOWS\SYSTEM\R32_32I.exe

O4 - HKLM\..\Run: [M20DECT] C:\WINDOWS\SYSTEM\M20DECT.exe

O4 - HKLM\..\Run: [devldr16.exe] C:\WINDOWS\SYSTEM\devldr16.exe

O4 - HKLM\..\Run: [NETBIOSV] C:\WINDOWS\SYSTEM\NETBIOSV.exe

O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme

O4 - HKLM\..\RunServices: [schedulingAgent] mstask.exe

O4 - HKLM\..\RunServices: [sSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe

O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe

O4 - HKCU\..\Run: [MSMSGS] "C:\PROGRA~1\MESSEN~1\msmsgs.exe" /background

O4 - HKCU\..\Run: [spywareGuard] C:\WINDOWS\SYSTEM32\WINPROC32.EXE

O4 - HKCU\..\Run: [Windows Update Checker] C:\WINDOWS\SYSTEM32\DEINST_QFE002.EXE

O4 - HKCU\..\Run: [Xaygg] C:\WINDOWS\SYSTEM\grupjuud.exe

O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O4 - Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe

O4 - Startup: Camio Viewer 3.2.lnk = C:\Program Files\Sierra Imaging\Image Expert 2000\IXApplet.exe

O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\hotsync.exe

O4 - Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\SYSTEM\E_SRCV02.EXE

O4 - Startup: CAMEDIA Master.lnk = C:\Program Files\OLYMPUS\CAMEDIA Master 4.1\CM_camera.exe

O4 - Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe

O4 - Startup: ASE Scheduler.lnk = C:\Program Files\Aluria Software\ASE\ASE Scheduler.exe

O4 - Startup: Dr.Speed NetRx.lnk = C:\Program Files\Aluria Software\DrSpeed Suite\drspeed.exe

O8 - Extra context menu item: &Define - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM

O8 - Extra context menu item: Look Up in &Encyclopedia - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM

O9 - Extra button: Messenger (HKLM)

O9 - Extra 'Tools' menuitem: Messenger (HKLM)

O9 - Extra button: Encarta Encyclopedia (HKLM)

O9 - Extra 'Tools' menuitem: Encarta Encyclopedia (HKLM)

O9 - Extra button: Define (HKLM)

O9 - Extra 'Tools' menuitem: Define (HKLM)

O9 - Extra 'Tools' menuitem: MaxSpeed (HKLM)

O9 - Extra button: Dell Home (HKCU)

O10 - Broken Internet access because of LSP provider 'farlsp.dll' missing

O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll

O12 - Plugin for .mpeg: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin3.dll

O12 - Plugin for .mpg: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin3.dll

O12 - Plugin for .TIF: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin5.dll

O12 - Plugin for .mov: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.ofoto.com/downloads/BUM/BUM_WIN_IE_1/axofupld.cab

O16 - DPF: {E87F6C8E-16C0-11D3-BEF7-009027438003} (Persits Software XUpload) - http://photo.walmart.com/photo/upload/XUpload.ocx

O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-download.com/MediaTicketsInstaller.cab

O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...8128.7896527778

O16 - DPF: {469C7080-8EC8-43A6-AD97-45848113743C} - http://akamai.downloadv3.com/binaries/IA/nethv32_EN.cab

Share this post


Link to post
Share on other sites

Hello,

 

You have a CWS infection. Please click here to download CWShredder by Merijn Bellekom and run it in Safe Mode, hitting 'fix' as opposed to 'scan only.' Reboot and then run the program a second time. Reboot when done.

 

Click here to download Spybot Search & Destroy v1.3 (earlier versions are no longer being supported with updates) - install, update, scan and fix all RED items it finds. Reboot when done.

 

Click here to download Ad-Aware and install. Before scanning click on "check for updates now" to make sure you have the latest reference file. Boot into Safe Mode, then click the gear wheel at the top and check these options to configure Ad-aware for a customized scan:

 

General> activate these: "Automatically save log-file" and "Automatically quarantine objects prior to removal"

 

Scanning > activate these: "Scan within archives", "Scan active processes", "Scan registry", "Deep scan registry", "Scan my IE Favorites for banned sites" and "Scan my Hosts file"

 

Tweaks > Scanning Engine> activate this: "Unload recognized processes during scanning."

 

Tweaks > Cleaning Engine: activate these: "Automatically try to unregister objects prior to deletion" and "Let Windows remove files in use after reboot."

 

Click "Proceed" to save your settings, then click "Start", make sure "Activate in-depth scan" is ticked green then scan your system. When the scan is finished, the screen will tell you if anything has been found, click "Next". The bad files will be listed, right click the pane and click "Select all objects" - this will put a check mark in the box at the side, click "Next" again and click "OK" at the prompt "# objects will be removed. Continue?" Reboot when finished.

 

Next, perform online virus and Trojan scans, using the links in my signature below. Allow the programs to delete all that they may find. Reboot after each scan.

 

Now, please proceed to the Windows Update site (see link below) to download and install ALL available critical updates. Reboot when finished.

 

Please create a folder on your C:\ drive for HijackThis and download the latest version of HijackThis, v1.98 into that folder. Click here to download HijackThis v1.98. You can create the new folder by going to My Computer (Windows key+e) then double click on C: then right click and select "New" then "Folder" and name it HJT. Delete your old copy of HijackThis.

 

Scan with HJT and post a fresh log into this same thread.

Share this post


Link to post
Share on other sites

hi, thanks for your help.

 

i run cws, spybot, adaware, windows updates and a few of the on line virus and trojan scans(most of them required a fee, i don't mind buying them if i need to, but thought i'd check first.

 

here's my new log, and as you can see, still having problems with 4counter and about:blank.

 

looking forward to any suggestions, thanks

 

 

Logfile of HijackThis v1.98.0

Scan saved at 8:57:47 PM, on 7/7/2004

Platform: Windows ME (Win9x 4.90.3000)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\SYSTEM\KERNEL32.DLL

C:\WINDOWS\SYSTEM\MSGSRV32.EXE

C:\WINDOWS\SYSTEM\mmtask.tsk

C:\WINDOWS\SYSTEM\MPREXE.EXE

C:\WINDOWS\SYSTEM\MSTASK.EXE

C:\WINDOWS\SYSTEM\SSDPSRV.EXE

C:\WINDOWS\SYSTEM\DEVLDR16.EXE

C:\WINDOWS\EXPLORER.EXE

C:\PROGRAM FILES\CREATIVE\SBLIVE\AUDIOHQ\AHQTB.EXE

C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE

C:\WINDOWS\TASKMON.EXE

C:\WINDOWS\SYSTEM\SYSTRAY.EXE

C:\PROGRAM FILES\DELL\SOLUTION CENTER\SERVICE.EXE

C:\PROGRAM FILES\NETROPA\MULTIMEDIA KEYBOARD\MMKEYBD.EXE

C:\PROGRAM FILES\ADAPTEC\DIRECTCD\DIRECTCD.EXE

C:\WINDOWS\LOADQM.EXE

C:\WINDOWS\SYSTEM\WMIEXE.EXE

C:\PROGRAM FILES\BROADJUMP\CLIENT FOUNDATION\CFD.EXE

C:\PROGRAM FILES\NETROPA\MULTIMEDIA KEYBOARD\MMUSBKB2.EXE

C:\WINDOWS\SYSTEM\WBEM\WINMGMT.EXE

C:\PROGRAM FILES\MESSENGER\MSMSGS.EXE

C:\PROGRAM FILES\NETROPA\ONSCREEN DISPLAY\OSD.EXE

C:\WINDOWS\SYSTEM32\WINPROC32.EXE

C:\WINDOWS\SYSTEM32\DEINST_QFE002.EXE

C:\PROGRAM FILES\LOGITECH\MOUSEWARE\SYSTEM\EM_EXEC.EXE

C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\WORKS SHARED\WKCALREM.EXE

C:\PROGRAM FILES\SIERRA IMAGING\IMAGE EXPERT 2000\IXAPPLET.EXE

C:\WINDOWS\SYSTEM\SPOOL32.EXE

C:\PROGRAM FILES\PALM\HOTSYNC.EXE

C:\PROGRAM FILES\OLYMPUS\CAMEDIA MASTER 4.1\CM_CAMERA.EXE

C:\PROGRAM FILES\ALURIA SOFTWARE\ASE\ASE SCHEDULER.EXE

C:\PROGRAM FILES\ALURIA SOFTWARE\DRSPEED SUITE\DRSPEED.EXE

C:\WINDOWS\SYSTEM\DDHELP.EXE

C:\WINDOWS\SYSTEM\ARDRIVEF.EXE

C:\WINDOWS\SYSTEM\DDDUN.EXE

C:\WINDOWS\SYSTEM\AUNL.EXE

C:\WINDOWS\SYSTEM\E_S10IC2.EXE

C:\WINDOWS\SYSTEM\E_S10IC2.EXE

C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE

C:\PROGRAM FILES\HIJACKTHIS\HIJACKTHIS.EXE

 

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://4-counter.com/?a=2&b=encry

R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://4-counter.com/?a=2&b=encry

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\TEMP\sp.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\WINDOWS\TEMP\sp.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\TEMP\sp.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\WINDOWS\TEMP\sp.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\WINDOWS\TEMP\sp.html

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\WINDOWS\TEMP\sp.html

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,SearchURL = http://4-counter.com/?a=2&b=encry

R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,SearchURL = http://4-counter.com/?a=2&b=encry

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

R3 - Default URLSearchHook is missing

N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.com/bookmark/7_1/home.html"); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\kotud4ad.slt\prefs.js)

N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CPROGRAM%20FILES%5CNETSCAPE%5CNETSCAPE%5Csearchplugins%5CSBWeb_01.src"); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\kotud4ad.slt\prefs.js)

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL (file missing)

O2 - BHO: BHObj Class - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINDOWS\NEM219.DLL (file missing)

O2 - BHO: ie - {2FF5573C-0EB5-43db-A1B2-C4326813468E} - C:\WINDOWS\IEHR.DLL

O2 - BHO: WinPage Affiliate - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - C:\PROGRAM FILES\COMMON FILES\MIDADDLE\MIDADDLE.DLL (file missing)

O2 - BHO: (no name) - {3AA94004-E837-1DE4-8753-60550DA62C11} - C:\WINDOWS\SYSTEM\OOPTNFBL.DLL

O2 - BHO: (no name) - {46AC10F5-F0BB-4147-9B0C-292F9987D86E} - C:\WINDOWS\SYSTEM\FHH.DLL

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX

O4 - HKLM\..\Run: [scanRegistry] C:\WINDOWS\scanregw.exe /autorun

O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe

O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s

O4 - HKLM\..\Run: [systemTray] SysTray.Exe

O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme

O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe

O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers

O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe

O4 - HKLM\..\Run: [TCASUTIEXE] TCAUDIAG -off

O4 - HKLM\..\Run: [DellSC] C:\Program Files\Dell\Solution Center\service.exe

O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe

O4 - HKLM\..\Run: [speed racer] C:\Program Files\Creative\PlayCenter\CTSRReg.exe

O4 - HKLM\..\Run: [AudioHQ] C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE

O4 - HKLM\..\Run: [updReg] C:\WINDOWS\Updreg.exe

O4 - HKLM\..\Run: [Adaptec DirectCD] C:\PROGRA~1\ADAPTEC\DIRECTCD\DIRECTCD.EXE

O4 - HKLM\..\Run: [LoadQM] loadqm.exe

O4 - HKLM\..\Run: [ink Monitor] C:\PROGRA~1\EPSON\INKMON~1\InkMonitor.exe

O4 - HKLM\..\Run: [WORKFLO] D:\INSTALL\WORKFLOW.EXE

O4 - HKLM\..\Run: [bJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe

O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe

O4 - HKLM\..\Run: [epotkhed] C:\WINDOWS\epotkhed.exe

O4 - HKLM\..\Run: [Q5XP] C:\WINDOWS\TEMP\Q5XP.EXE

O4 - HKLM\..\Run: [Dsi] C:\WINDOWS\SYSTEM\DP-HIM.EXE

O4 - HKLM\..\Run: [5QEKE7T5NG9WG2] C:\WINDOWS\SYSTEM\Uit99525.exe

O4 - HKLM\..\Run: [p4mX37l] BATMG32.EXE

O4 - HKLM\..\Run: [TV Media] C:\PROGRAM FILES\TV MEDIA\TVM.EXE

O4 - HKLM\..\Run: [anct] C:\WINDOWS\anct.exe

O4 - HKLM\..\Run: [R32_32I] C:\WINDOWS\SYSTEM\R32_32I.exe

O4 - HKLM\..\Run: [M20DECT] C:\WINDOWS\SYSTEM\M20DECT.exe

O4 - HKLM\..\Run: [devldr16.exe] C:\WINDOWS\SYSTEM\devldr16.exe

O4 - HKLM\..\Run: [arDriveF] C:\WINDOWS\SYSTEM\arDriveF.exe

O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme

O4 - HKLM\..\RunServices: [schedulingAgent] mstask.exe

O4 - HKLM\..\RunServices: [sSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe

O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe

O4 - HKCU\..\Run: [MSMSGS] "C:\PROGRA~1\MESSEN~1\msmsgs.exe" /background

O4 - HKCU\..\Run: [spywareGuard] C:\WINDOWS\SYSTEM32\WINPROC32.EXE

O4 - HKCU\..\Run: [Windows Update Checker] C:\WINDOWS\SYSTEM32\DEINST_QFE002.EXE

O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O4 - Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe

O4 - Startup: Camio Viewer 3.2.lnk = C:\Program Files\Sierra Imaging\Image Expert 2000\IXApplet.exe

O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\hotsync.exe

O4 - Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\SYSTEM\E_SRCV02.EXE

O4 - Startup: CAMEDIA Master.lnk = C:\Program Files\OLYMPUS\CAMEDIA Master 4.1\CM_camera.exe

O4 - Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe

O4 - Startup: ASE Scheduler.lnk = C:\Program Files\Aluria Software\ASE\ASE Scheduler.exe

O4 - Startup: Dr.Speed NetRx.lnk = C:\Program Files\Aluria Software\DrSpeed Suite\drspeed.exe

O8 - Extra context menu item: &Define - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM

O8 - Extra context menu item: Look Up in &Encyclopedia - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE

O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE

O9 - Extra button: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM

O9 - Extra 'Tools' menuitem: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM

O9 - Extra button: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM

O9 - Extra 'Tools' menuitem: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM

O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\SYSTEM\ms.exe

O9 - Extra 'Tools' menuitem: MaxSpeed - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\SYSTEM\ms.exe

O9 - Extra button: Dell Home - {08DCFC6C-B6E4-480C-95A4-FC64F37B787E} - http://www.dellnet.com/ (file missing) (HKCU)

O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll

O12 - Plugin for .mpeg: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin3.dll

O12 - Plugin for .mpg: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin3.dll

O12 - Plugin for .TIF: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin5.dll

O12 - Plugin for .mov: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll

O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.ofoto.com/downloads/BUM/BUM_WIN_IE_1/axofupld.cab

O16 - DPF: {E87F6C8E-16C0-11D3-BEF7-009027438003} (Persits Software XUpload) - http://photo.walmart.com/photo/upload/XUpload.ocx

O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-download.com/MediaTicketsInstaller.cab

O16 - DPF: {469C7080-8EC8-43A6-AD97-45848113743C} - http://akamai.downloadv3.com/binaries/IA/nethv32_EN.cab

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab

O18 - Filter: text/html - {57E7A26D-1305-4E68-9FF7-3AFB481A318D} - C:\WINDOWS\SYSTEM\FHH.DLL

O18 - Filter: text/plain - {57E7A26D-1305-4E68-9FF7-3AFB481A318D} - C:\WINDOWS\SYSTEM\FHH.DLL

O21 - SSODL: AUHook - {BCBCD383-3E06-11D3-91A9-00C04F68105C} - C:\WINDOWS\SYSTEM\AUHOOK.DLL

Share this post


Link to post
Share on other sites

Hello

 

You have a Peper infection. To get rid of It, please download and run this Peper Trojan uninstaller from http://downloads.subratam.org/PeperFix.exe Once it's finished downloading, boot into Safe Mode. Now, double click it the PeperFix tool, then click “Find and Fix” and let it run until it's finished. Reboot (again in Safe Mode)... then, run it a second time to make sure the uninstaller has done its job.

 

Reboot your computer.

 

You have a CWS infection. Please click here to download CWShredder by Merijn Bellekom, then reboot and run it in safe mode, hitting 'fix' as opposed to 'scan only.' Reboot to safe mode again, and then run the program a second time. Reboot when done.

 

The online virus and Trojan scans in the links in my signature below are free. Please run the virus scan at Panda Software. Also, you can download a free trial of TrojanHunter here: http://www.misec.net/ then manually update the definitions and then scan.

 

Or...

 

Download this free anti-Trojan program, A2 (A squared) at http://www.emsisoft.com/en/software/free/

 

Please delete whatever the programs find and reboot after each scan.

 

Scan with HijackThis and post a fresh log into this same thread.

Share this post


Link to post
Share on other sites

hi, thanks again. I ran peper, CWS, panda and A2. here's the latest log.

 

thanks again in advance.

 

 

Logfile of HijackThis v1.98.0

Scan saved at 11:10:44 PM, on 7/7/2004

Platform: Windows ME (Win9x 4.90.3000)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\SYSTEM\KERNEL32.DLL

C:\WINDOWS\SYSTEM\MSGSRV32.EXE

C:\WINDOWS\SYSTEM\mmtask.tsk

C:\WINDOWS\SYSTEM\MPREXE.EXE

C:\WINDOWS\SYSTEM\MSTASK.EXE

C:\WINDOWS\SYSTEM\SSDPSRV.EXE

C:\PROGRAM FILES\PANDA SOFTWARE\PANDA PLATINUM INTERNET SECURITY\PAVSCHED.EXE

C:\PROGRAM FILES\PANDA SOFTWARE\PANDA PLATINUM INTERNET SECURITY\FIREWALL\PAVFIRES.EXE

C:\WINDOWS\SYSTEM\DEVLDR16.EXE

C:\WINDOWS\EXPLORER.EXE

C:\WINDOWS\SYSTEM\RNAAPP.EXE

C:\WINDOWS\TASKMON.EXE

C:\WINDOWS\SYSTEM\SYSTRAY.EXE

C:\WINDOWS\SYSTEM\TAPISRV.EXE

C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE

C:\PROGRAM FILES\CREATIVE\SBLIVE\AUDIOHQ\AHQTB.EXE

C:\PROGRAM FILES\DELL\SOLUTION CENTER\SERVICE.EXE

C:\PROGRAM FILES\NETROPA\MULTIMEDIA KEYBOARD\MMKEYBD.EXE

C:\PROGRAM FILES\ADAPTEC\DIRECTCD\DIRECTCD.EXE

C:\WINDOWS\LOADQM.EXE

C:\WINDOWS\SYSTEM\WMIEXE.EXE

C:\PROGRAM FILES\BROADJUMP\CLIENT FOUNDATION\CFD.EXE

C:\WINDOWS\KDX\KHOST.EXE

C:\PROGRAM FILES\NETROPA\MULTIMEDIA KEYBOARD\MMUSBKB2.EXE

C:\WINDOWS\SYSTEM\WBEM\WINMGMT.EXE

C:\PROGRAM FILES\PANDA SOFTWARE\PANDA PLATINUM INTERNET SECURITY\APVXDWIN.EXE

C:\PROGRAM FILES\NETROPA\ONSCREEN DISPLAY\OSD.EXE

C:\PROGRAM FILES\MESSENGER\MSMSGS.EXE

C:\WINDOWS\SYSTEM\DDHELP.EXE

C:\WINDOWS\SYSTEM32\WINPROC32.EXE

C:\WINDOWS\SYSTEM32\DEINST_QFE002.EXE

C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\WORKS SHARED\WKCALREM.EXE

C:\PROGRAM FILES\SIERRA IMAGING\IMAGE EXPERT 2000\IXAPPLET.EXE

C:\PROGRAM FILES\PALM\HOTSYNC.EXE

C:\PROGRAM FILES\LOGITECH\MOUSEWARE\SYSTEM\EM_EXEC.EXE

C:\PROGRAM FILES\OLYMPUS\CAMEDIA MASTER 4.1\CM_CAMERA.EXE

C:\PROGRAM FILES\ALURIA SOFTWARE\ASE\ASE SCHEDULER.EXE

C:\PROGRAM FILES\ALURIA SOFTWARE\DRSPEED SUITE\DRSPEED.EXE

C:\PROGRAM FILES\PANDA SOFTWARE\PANDA PLATINUM INTERNET SECURITY\SRVLOAD.EXE

C:\WINDOWS\SYSTEM\SPOOL32.EXE

C:\WINDOWS\SYSTEM\PAPS.EXE

C:\PROGRAM FILES\PANDA SOFTWARE\PANDA PLATINUM INTERNET SECURITY\WEBPROXY.EXE

C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE

C:\WINDOWS\SYSTEM\E_S10IC2.EXE

C:\WINDOWS\SYSTEM\E_S10IC2.EXE

C:\WINDOWS\SYSTEM32\SYSTEM_24973.DAT

C:\PROGRAM FILES\HIJACKTHIS\HIJACKTHIS.EXE

 

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://4-counter.com/?a=2&b=encry

R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://4-counter.com/?a=2&b=encry

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://4-counter.com/?a=2&b=encry

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://4-counter.com/?a=2&b=encry

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://4-counter.com/?b=encry

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://4-counter.com/?a=2&b=encry

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://4-counter.com/?a=2&b=encry

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://4-counter.com/?a=2&b=encry

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://4-counter.com/?a=2&b=encry

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,SearchURL = http://4-counter.com/?a=2&b=encry

R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,SearchURL = http://4-counter.com/?a=2&b=encry

R3 - Default URLSearchHook is missing

N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.com/bookmark/7_1/home.html"); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\kotud4ad.slt\prefs.js)

N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CPROGRAM%20FILES%5CNETSCAPE%5CNETSCAPE%5Csearchplugins%5CSBWeb_01.src"); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\kotud4ad.slt\prefs.js)

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL (file missing)

O2 - BHO: BHObj Class - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINDOWS\NEM219.DLL (file missing)

O2 - BHO: ie - {2FF5573C-0EB5-43db-A1B2-C4326813468E} - C:\WINDOWS\IEHR.DLL

O2 - BHO: WinPage Affiliate - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - C:\PROGRAM FILES\COMMON FILES\MIDADDLE\MIDADDLE.DLL (file missing)

O2 - BHO: (no name) - {3AA94004-E837-1DE4-8753-60550DA62C11} - C:\WINDOWS\SYSTEM\OOPTNFBL.DLL

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX

O4 - HKLM\..\Run: [scanRegistry] C:\WINDOWS\scanregw.exe /autorun

O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe

O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s

O4 - HKLM\..\Run: [systemTray] SysTray.Exe

O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme

O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe

O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers

O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe

O4 - HKLM\..\Run: [TCASUTIEXE] TCAUDIAG -off

O4 - HKLM\..\Run: [DellSC] C:\Program Files\Dell\Solution Center\service.exe

O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe

O4 - HKLM\..\Run: [speed racer] C:\Program Files\Creative\PlayCenter\CTSRReg.exe

O4 - HKLM\..\Run: [AudioHQ] C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE

O4 - HKLM\..\Run: [updReg] C:\WINDOWS\Updreg.exe

O4 - HKLM\..\Run: [Adaptec DirectCD] C:\PROGRA~1\ADAPTEC\DIRECTCD\DIRECTCD.EXE

O4 - HKLM\..\Run: [LoadQM] loadqm.exe

O4 - HKLM\..\Run: [ink Monitor] C:\PROGRA~1\EPSON\INKMON~1\InkMonitor.exe

O4 - HKLM\..\Run: [WORKFLO] D:\INSTALL\WORKFLOW.EXE

O4 - HKLM\..\Run: [bJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe

O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe

O4 - HKLM\..\Run: [epotkhed] C:\WINDOWS\epotkhed.exe

O4 - HKLM\..\Run: [Q5XP] C:\WINDOWS\TEMP\Q5XP.EXE

O4 - HKLM\..\Run: [Dsi] C:\WINDOWS\SYSTEM\DP-HIM.EXE

O4 - HKLM\..\Run: [5QEKE7T5NG9WG2] C:\WINDOWS\SYSTEM\FEBU6S.EXE

O4 - HKLM\..\Run: [p4mX37l] BATMG32.EXE

O4 - HKLM\..\Run: [TV Media] C:\PROGRAM FILES\TV MEDIA\TVM.EXE

O4 - HKLM\..\Run: [anct] C:\WINDOWS\anct.exe

O4 - HKLM\..\Run: [R32_32I] C:\WINDOWS\SYSTEM\R32_32I.exe

O4 - HKLM\..\Run: [M20DECT] C:\WINDOWS\SYSTEM\M20DECT.exe

O4 - HKLM\..\Run: [kdx] C:\WINDOWS\KDX\KHOST.EXE

O4 - HKLM\..\Run: [sCANINICIO] "C:\Program Files\Panda Software\Panda Platinum Internet Security\Inicio.exe"

O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Software\Panda Platinum Internet Security\APVXDWIN.EXE" /s

O4 - HKLM\..\Run: [devldr16.exe] C:\WINDOWS\SYSTEM\devldr16.exe

O4 - HKLM\..\Run: [PAPS] C:\WINDOWS\SYSTEM\PAPS.exe

O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme

O4 - HKLM\..\RunServices: [schedulingAgent] mstask.exe

O4 - HKLM\..\RunServices: [sSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe

O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe

O4 - HKLM\..\RunServices: [PavProc] "C:\Program Files\Common Files\Panda Software\PavShld\PavPrS9x.exe"

O4 - HKLM\..\RunServices: [PANDASCHEDULER] "C:\Program Files\Panda Software\Panda Platinum Internet Security\Pavsched.exe"

O4 - HKLM\..\RunServices: [PAVFIRES] C:\Program Files\Panda Software\Panda Platinum Internet Security\Firewall\PavFires.exe

O4 - HKCU\..\Run: [MSMSGS] "C:\PROGRA~1\MESSEN~1\msmsgs.exe" /background

O4 - HKCU\..\Run: [spywareGuard] C:\WINDOWS\SYSTEM32\WINPROC32.EXE

O4 - HKCU\..\Run: [Windows Update Checker] C:\WINDOWS\SYSTEM32\DEINST_QFE002.EXE

O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O4 - Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe

O4 - Startup: Camio Viewer 3.2.lnk = C:\Program Files\Sierra Imaging\Image Expert 2000\IXApplet.exe

O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\hotsync.exe

O4 - Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\SYSTEM\E_SRCV02.EXE

O4 - Startup: CAMEDIA Master.lnk = C:\Program Files\OLYMPUS\CAMEDIA Master 4.1\CM_camera.exe

O4 - Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe

O4 - Startup: ASE Scheduler.lnk = C:\Program Files\Aluria Software\ASE\ASE Scheduler.exe

O4 - Startup: Dr.Speed NetRx.lnk = C:\Program Files\Aluria Software\DrSpeed Suite\drspeed.exe

O8 - Extra context menu item: &Define - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM

O8 - Extra context menu item: Look Up in &Encyclopedia - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE

O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE

O9 - Extra button: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM

O9 - Extra 'Tools' menuitem: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM

O9 - Extra button: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM

O9 - Extra 'Tools' menuitem: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM

O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\SYSTEM\ms.exe

O9 - Extra 'Tools' menuitem: MaxSpeed - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\SYSTEM\ms.exe

O9 - Extra button: Dell Home - {08DCFC6C-B6E4-480C-95A4-FC64F37B787E} - http://www.dellnet.com/ (file missing) (HKCU)

O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll

O12 - Plugin for .mpeg: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin3.dll

O12 - Plugin for .mpg: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin3.dll

O12 - Plugin for .TIF: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin5.dll

O12 - Plugin for .mov: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll

O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.ofoto.com/downloads/BUM/BUM_WIN_IE_1/axofupld.cab

O16 - DPF: {E87F6C8E-16C0-11D3-BEF7-009027438003} (Persits Software XUpload) - http://photo.walmart.com/photo/upload/XUpload.ocx

O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-download.com/MediaTicketsInstaller.cab

O16 - DPF: {469C7080-8EC8-43A6-AD97-45848113743C} - http://akamai.downloadv3.com/binaries/IA/nethv32_EN.cab

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab

O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX22/download/kdx.cab

O21 - SSODL: AUHook - {BCBCD383-3E06-11D3-91A9-00C04F68105C} - C:\WINDOWS\SYSTEM\AUHOOK.DLL

Share this post


Link to post
Share on other sites

Hello,

 

I'm sorry about the delay in responding to your post. I did not receive an e-mail notification of your reply.

 

Will you please open CWShredder and check the version number and let me know what it is.

Share this post


Link to post
Share on other sites

Hi,

 

That's very odd. You're using the latest version of CWShredder, yet it's not removing those R0 and R1 lines, and it should.

 

Will you try it for me one more time, please? Once in normal mode, and once in Safe Mode, and be certain that you select the "Fix" button on the lower right, rather than scan. Reboot when finished.

 

Next, we need to work on the Peper infection a bit more, just to be certain we have it......

 

Run the PeperFix tool again...... this time making sure you're online while running it:

Peper-uninstaller

 

Next download this uninstaller and run it.

 

When this is done, run Ad-aware as before.....

 

Now, reboot into safe mode and run that last uninstaller and Ad-aware again to fully remove the remnants...

Reboot normally...

 

NOTE: Please print a copy of these instructions because you will be working with all windows closed except HijackThis.

 

Please run HijackThis in Safe Mode and place a check mark next to the following items then, WITH ALL OTHER WINDOWS CLOSED, select “fix checked.”

 

The R0 and R1 items won't be there if CWShredder removed them......

 

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://4-counter.com/?a=2&b=encry

 

R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://4-counter.com/?a=2&b=encry

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://4-counter.com/?a=2&b=encry

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://4-counter.com/?a=2&b=encry

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://4-counter.com/?b=encry

 

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://4-counter.com/?a=2&b=encry

 

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://4-counter.com/?a=2&b=encry

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://4-counter.com/?a=2&b=encry

 

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://4-counter.com/?a=2&b=encry

 

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,SearchURL = http://4-counter.com/?a=2&b=encry

 

R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,SearchURL = http://4-counter.com/?a=2&b=encry

 

R3 - Default URLSearchHook is missing

 

O2 - BHO: BHObj Class - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINDOWS\NEM219.DLL (file missing)

 

O2 - BHO: ie - {2FF5573C-0EB5-43db-A1B2-C4326813468E} - C:\WINDOWS\IEHR.DLL

 

O2 - BHO: WinPage Affiliate - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - C:\PROGRAM FILES\COMMON FILES\MIDADDLE\MIDADDLE.DLL (file missing)

 

O2 - BHO: (no name) - {3AA94004-E837-1DE4-8753-60550DA62C11} - C:\WINDOWS\SYSTEM\OOPTNFBL.DLL

 

O4 - HKLM\..\Run: [epotkhed] C:\WINDOWS\epotkhed.exe

 

O4 - HKLM\..\Run: [Q5XP] C:\WINDOWS\TEMP\Q5XP.EXE

 

O4 - HKLM\..\Run: [Dsi] C:\WINDOWS\SYSTEM\DP-HIM.EXE

 

Note: This next one may not be there, or it may have changed its file name, but the numbers at the beginning will be the same.... [5QEKE7T5NG9WG2] If the name of the file has changed, write it down, because you will need to delete it after finishing with the HijackThis removal process....

 

O4 - HKLM\..\Run: [5QEKE7T5NG9WG2] C:\WINDOWS\SYSTEM\FEBU6S.EXE

 

O4 - HKLM\..\Run: [p4mX37l] BATMG32.EXE

 

O4 - HKLM\..\Run: [TV Media] C:\PROGRAM FILES\TV MEDIA\TVM.EXE

 

O4 - HKLM\..\Run: [anct] C:\WINDOWS\anct.exe

 

O4 - HKLM\..\Run: [R32_32I] C:\WINDOWS\SYSTEM\R32_32I.exe

 

O4 - HKLM\..\Run: [M20DECT] C:\WINDOWS\SYSTEM\M20DECT.exe

 

O4 - HKLM\..\Run: [PAPS] C:\WINDOWS\SYSTEM\PAPS.exe

 

O4 - HKCU\..\Run: [Windows Update Checker] C:\WINDOWS\SYSTEM32\DEINST_QFE002.EXE

 

O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\SYSTEM\ms.exe

 

O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-download.com/MediaTicketsInstaller.cab

 

O16 - DPF: {469C7080-8EC8-43A6-AD97-45848113743C} - http://akamai.downloadv3.com/binaries/IA/nethv32_EN.cab

 

O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX22/download/kdx.cab

 

Remain in safe mode and enable the ”Show Hidden Files and Folders” option:

 

Open My Computer.

Select the Tools menu and click Folder Options.

Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.

Uncheck: Hide file extensions for known file types

Uncheck the Hide protected operating system files (recommended) option.

Click Apply

Click OK.

 

Now, search for, and delete if found, (some files may not be present after previous steps) the following:

 

C:\WINDOWS\epotkhed.exe < file

 

C:\WINDOWS\TEMP\Q5XP.EXE < file

 

C:\WINDOWS\SYSTEM\DP-HIM.EXE < file

 

This next one is the one that may have changed its file name. If you wrote down a new file name, this is where you will use it....

 

C:\WINDOWS\SYSTEM\FEBU6S.EXE < file

 

BATMG32.EXE < file

 

C:\PROGRAM FILES\TV MEDIA\ < folder

 

C:\WINDOWS\anct.exe < file

 

C:\WINDOWS\SYSTEM\R32_32I.exe < file

 

C:\WINDOWS\SYSTEM\M20DECT.exe < file

 

C:\WINDOWS\SYSTEM\PAPS.exe < file

 

C:\WINDOWS\SYSTEM32\DEINST_QFE002.EXE < file

 

C:\WINDOWS\SYSTEM\ms.exe < file

 

While still in safe mode........

 

Please delete your temporary files by deleting all files and folders that are in those folders (do not delete the temp folder itself) like for example:

 

C:\WINDOWS\Temp\

 

C:\Temp\

 

Also delete your Temporary Internet Files, be sure to also select "delete all offline content."

 

Empty your Recycle Bin.

 

Reboot in normal mode. Scan with HijackThis and post a fresh log into this same thread.

Share this post


Link to post
Share on other sites

hi, sorry took a while to get back to you, but here's the latest log. let me know what you think. thanks again for you help.

 

Logfile of HijackThis v1.98.0

Scan saved at 7:24:51 PM, on 7/11/2004

Platform: Windows ME (Win9x 4.90.3000)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\SYSTEM\KERNEL32.DLL

C:\WINDOWS\SYSTEM\MSGSRV32.EXE

C:\WINDOWS\SYSTEM\mmtask.tsk

C:\WINDOWS\SYSTEM\MPREXE.EXE

C:\WINDOWS\SYSTEM\MSTASK.EXE

C:\WINDOWS\SYSTEM\SSDPSRV.EXE

C:\PROGRAM FILES\PANDA SOFTWARE\PANDA PLATINUM INTERNET SECURITY\PAVSCHED.EXE

C:\PROGRAM FILES\PANDA SOFTWARE\PANDA PLATINUM INTERNET SECURITY\FIREWALL\PAVFIRES.EXE

C:\WINDOWS\SYSTEM\DEVLDR16.EXE

C:\WINDOWS\SYSTEM\RNAAPP.EXE

C:\WINDOWS\EXPLORER.EXE

C:\WINDOWS\SYSTEM\TAPISRV.EXE

C:\PROGRAM FILES\CREATIVE\SBLIVE\AUDIOHQ\AHQTB.EXE

C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE

C:\WINDOWS\TASKMON.EXE

C:\WINDOWS\SYSTEM\SYSTRAY.EXE

C:\PROGRAM FILES\DELL\SOLUTION CENTER\SERVICE.EXE

C:\PROGRAM FILES\NETROPA\MULTIMEDIA KEYBOARD\MMKEYBD.EXE

C:\PROGRAM FILES\ADAPTEC\DIRECTCD\DIRECTCD.EXE

C:\PROGRAM FILES\NETROPA\MULTIMEDIA KEYBOARD\MMUSBKB2.EXE

C:\WINDOWS\LOADQM.EXE

C:\PROGRAM FILES\NETROPA\ONSCREEN DISPLAY\OSD.EXE

C:\WINDOWS\SYSTEM\WMIEXE.EXE

C:\WINDOWS\SYSTEM\WBEM\WINMGMT.EXE

C:\PROGRAM FILES\BROADJUMP\CLIENT FOUNDATION\CFD.EXE

C:\WINDOWS\KDX\KHOST.EXE

C:\PROGRAM FILES\PANDA SOFTWARE\PANDA PLATINUM INTERNET SECURITY\APVXDWIN.EXE

C:\PROGRAM FILES\MESSENGER\MSMSGS.EXE

C:\WINDOWS\SYSTEM\DDHELP.EXE

C:\WINDOWS\SYSTEM32\WINPROC32.EXE

C:\PROGRAM FILES\LOGITECH\MOUSEWARE\SYSTEM\EM_EXEC.EXE

C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\WORKS SHARED\WKCALREM.EXE

C:\PROGRAM FILES\SIERRA IMAGING\IMAGE EXPERT 2000\IXAPPLET.EXE

C:\PROGRAM FILES\PANDA SOFTWARE\PANDA PLATINUM INTERNET SECURITY\SRVLOAD.EXE

C:\PROGRAM FILES\PALM\HOTSYNC.EXE

C:\WINDOWS\SYSTEM\SPOOL32.EXE

C:\PROGRAM FILES\OLYMPUS\CAMEDIA MASTER 4.1\CM_CAMERA.EXE

C:\PROGRAM FILES\ALURIA SOFTWARE\ASE\ASE SCHEDULER.EXE

C:\PROGRAM FILES\ALURIA SOFTWARE\DRSPEED SUITE\DRSPEED.EXE

C:\PROGRAM FILES\PANDA SOFTWARE\PANDA PLATINUM INTERNET SECURITY\WEBPROXY.EXE

C:\WINDOWS\SYSTEM\E_S10IC2.EXE

C:\WINDOWS\SYSTEM\E_S10IC2.EXE

C:\PROGRAM FILES\HIJACKTHIS\HIJACKTHIS.EXE

 

N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.com/bookmark/7_1/home.html"); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\kotud4ad.slt\prefs.js)

N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CPROGRAM%20FILES%5CNETSCAPE%5CNETSCAPE%5Csearchplugins%5CSBWeb_01.src"); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\kotud4ad.slt\prefs.js)

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL (file missing)

O2 - BHO: WinPage Affiliate - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - C:\PROGRAM FILES\COMMON FILES\MIDADDLE\MIDADDLE.DLL (file missing)

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX

O4 - HKLM\..\Run: [scanRegistry] C:\WINDOWS\scanregw.exe /autorun

O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe

O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s

O4 - HKLM\..\Run: [systemTray] SysTray.Exe

O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme

O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe

O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers

O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe

O4 - HKLM\..\Run: [TCASUTIEXE] TCAUDIAG -off

O4 - HKLM\..\Run: [DellSC] C:\Program Files\Dell\Solution Center\service.exe

O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe

O4 - HKLM\..\Run: [speed racer] C:\Program Files\Creative\PlayCenter\CTSRReg.exe

O4 - HKLM\..\Run: [AudioHQ] C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE

O4 - HKLM\..\Run: [updReg] C:\WINDOWS\Updreg.exe

O4 - HKLM\..\Run: [Adaptec DirectCD] C:\PROGRA~1\ADAPTEC\DIRECTCD\DIRECTCD.EXE

O4 - HKLM\..\Run: [LoadQM] loadqm.exe

O4 - HKLM\..\Run: [ink Monitor] C:\PROGRA~1\EPSON\INKMON~1\InkMonitor.exe

O4 - HKLM\..\Run: [WORKFLO] D:\INSTALL\WORKFLOW.EXE

O4 - HKLM\..\Run: [bJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe

O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe

O4 - HKLM\..\Run: [kdx] C:\WINDOWS\KDX\KHOST.EXE

O4 - HKLM\..\Run: [sCANINICIO] "C:\Program Files\Panda Software\Panda Platinum Internet Security\Inicio.exe"

O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Software\Panda Platinum Internet Security\APVXDWIN.EXE" /s

O4 - HKLM\..\Run: [jndwzrqnyelnp] C:\WINDOWS\SYSTEM\xwxnwhcw.exe

O4 - HKLM\..\Run: [devldr16.exe] C:\WINDOWS\SYSTEM\devldr16.exe

O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme

O4 - HKLM\..\RunServices: [schedulingAgent] mstask.exe

O4 - HKLM\..\RunServices: [sSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe

O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe

O4 - HKLM\..\RunServices: [PavProc] "C:\Program Files\Common Files\Panda Software\PavShld\PavPrS9x.exe"

O4 - HKLM\..\RunServices: [PANDASCHEDULER] "C:\Program Files\Panda Software\Panda Platinum Internet Security\Pavsched.exe"

O4 - HKLM\..\RunServices: [PAVFIRES] C:\Program Files\Panda Software\Panda Platinum Internet Security\Firewall\PavFires.exe

O4 - HKCU\..\Run: [MSMSGS] "C:\PROGRA~1\MESSEN~1\msmsgs.exe" /background

O4 - HKCU\..\Run: [spywareGuard] C:\WINDOWS\SYSTEM32\WINPROC32.EXE

O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O4 - Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe

O4 - Startup: Camio Viewer 3.2.lnk = C:\Program Files\Sierra Imaging\Image Expert 2000\IXApplet.exe

O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\hotsync.exe

O4 - Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\SYSTEM\E_SRCV02.EXE

O4 - Startup: CAMEDIA Master.lnk = C:\Program Files\OLYMPUS\CAMEDIA Master 4.1\CM_camera.exe

O4 - Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe

O4 - Startup: ASE Scheduler.lnk = C:\Program Files\Aluria Software\ASE\ASE Scheduler.exe

O4 - Startup: Dr.Speed NetRx.lnk = C:\Program Files\Aluria Software\DrSpeed Suite\drspeed.exe

O8 - Extra context menu item: &Define - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM

O8 - Extra context menu item: Look Up in &Encyclopedia - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE

O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE

O9 - Extra button: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM

O9 - Extra 'Tools' menuitem: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM

O9 - Extra button: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM

O9 - Extra 'Tools' menuitem: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM

O9 - Extra button: SideFind - {10E42047-DEB9-4535-A118-B3F6EC39B807} - (no file)

O9 - Extra button: Dell Home - {08DCFC6C-B6E4-480C-95A4-FC64F37B787E} - http://www.dellnet.com/ (file missing) (HKCU)

O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll

O12 - Plugin for .mpeg: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin3.dll

O12 - Plugin for .mpg: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin3.dll

O12 - Plugin for .TIF: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin5.dll

O12 - Plugin for .mov: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll

O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.ofoto.com/downloads/BUM/BUM_WIN_IE_1/axofupld.cab

O16 - DPF: {E87F6C8E-16C0-11D3-BEF7-009027438003} (Persits Software XUpload) - http://photo.walmart.com/photo/upload/XUpload.ocx

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab

O21 - SSODL: AUHook - {BCBCD383-3E06-11D3-91A9-00C04F68105C} - C:\WINDOWS\SYSTEM\AUHOOK.DLL

Share this post


Link to post
Share on other sites

Hello,

 

You're very welcome.

 

Your log is looking much better now. Big-Thumbs-Up.gif There's just a little minor clean-up to do....

 

Run HijackThis in Safe Mode and with all other windows closed, place a check mark next to the following items and then select "fix checked."

 

O2 - BHO: WinPage Affiliate - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - C:\PROGRAM FILES\COMMON FILES\MIDADDLE\MIDADDLE.DLL (file missing)

 

O4 - HKLM\..\Run: [jndwzrqnyelnp] C:\WINDOWS\SYSTEM\xwxnwhcw.exe

 

O9 - Extra button: SideFind - {10E42047-DEB9-4535-A118-B3F6EC39B807} - (no file)

 

Remain in Safe Mode and enable the ”Show Hidden Files and Folders” option:

 

Open My Computer.

Select the Tools menu and click Folder Options.

Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.

Uncheck: Hide file extensions for known file types

Uncheck the Hide protected operating system files (recommended) option.

Click Apply to confirm.

Click OK.

 

Now, search for, and delete if found, (some files may not be present after previous steps) the following:

 

C:\PROGRAM FILES\COMMON FILES\MIDADDLE\ < folder

 

C:\WINDOWS\SYSTEM\xwxnwhcw.exe < file

 

SideFind < folder

 

Please delete your temporary files by deleting all files and folders that are in those folders (do not delete the temp folder itself) like for example:

 

C:\WINDOWS\Temp\

 

C:\Temp\

 

Also delete your Temporary Internet Files, be sure to also select "delete all offline content."

 

Empty your Recycle Bin.

 

Reboot when finished.

 

Check Ad-aware for reference file updates, boot into safe mode and perform a full scan.

 

Reboot, scan with HijackThis and post a fresh log into this same thread.

Share this post


Link to post
Share on other sites

Hello again!

 

Guess what's back, yep, 4 counter again. when i ran hijack this in safe mode i got those R0 and R1 entries again, so i deleted them along with the 3 entries you told me to delete. i didn't run CWS, peper and the other uninstaller first this time(suspect i probably should have). at any rate, i'm looking forward to any suggestions.

 

Thanks a bunch.

 

 

Logfile of HijackThis v1.98.0

Scan saved at 10:15:11 PM, on 7/11/2004

Platform: Windows ME (Win9x 4.90.3000)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\SYSTEM\KERNEL32.DLL

C:\WINDOWS\SYSTEM\MSGSRV32.EXE

C:\WINDOWS\SYSTEM\mmtask.tsk

C:\WINDOWS\SYSTEM\MPREXE.EXE

C:\WINDOWS\SYSTEM\MSTASK.EXE

C:\WINDOWS\SYSTEM\SSDPSRV.EXE

C:\PROGRAM FILES\PANDA SOFTWARE\PANDA PLATINUM INTERNET SECURITY\PAVSCHED.EXE

C:\PROGRAM FILES\PANDA SOFTWARE\PANDA PLATINUM INTERNET SECURITY\FIREWALL\PAVFIRES.EXE

C:\WINDOWS\SYSTEM\DEVLDR16.EXE

C:\WINDOWS\EXPLORER.EXE

C:\PROGRAM FILES\CREATIVE\SBLIVE\AUDIOHQ\AHQTB.EXE

C:\WINDOWS\TASKMON.EXE

C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE

C:\WINDOWS\SYSTEM\SYSTRAY.EXE

C:\PROGRAM FILES\DELL\SOLUTION CENTER\SERVICE.EXE

C:\PROGRAM FILES\NETROPA\MULTIMEDIA KEYBOARD\MMKEYBD.EXE

C:\PROGRAM FILES\ADAPTEC\DIRECTCD\DIRECTCD.EXE

C:\WINDOWS\LOADQM.EXE

C:\WINDOWS\SYSTEM\WMIEXE.EXE

C:\PROGRAM FILES\NETROPA\MULTIMEDIA KEYBOARD\MMUSBKB2.EXE

C:\WINDOWS\SYSTEM\WBEM\WINMGMT.EXE

C:\PROGRAM FILES\BROADJUMP\CLIENT FOUNDATION\CFD.EXE

C:\WINDOWS\KDX\KHOST.EXE

C:\PROGRAM FILES\NETROPA\ONSCREEN DISPLAY\OSD.EXE

C:\PROGRAM FILES\PANDA SOFTWARE\PANDA PLATINUM INTERNET SECURITY\APVXDWIN.EXE

C:\PROGRAM FILES\MESSENGER\MSMSGS.EXE

C:\WINDOWS\SYSTEM32\WINPROC32.EXE

C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\WORKS SHARED\WKCALREM.EXE

C:\PROGRAM FILES\SIERRA IMAGING\IMAGE EXPERT 2000\IXAPPLET.EXE

C:\WINDOWS\SYSTEM\DDHELP.EXE

C:\PROGRAM FILES\PALM\HOTSYNC.EXE

C:\PROGRAM FILES\OLYMPUS\CAMEDIA MASTER 4.1\CM_CAMERA.EXE

C:\PROGRAM FILES\ALURIA SOFTWARE\ASE\ASE SCHEDULER.EXE

C:\PROGRAM FILES\ALURIA SOFTWARE\DRSPEED SUITE\DRSPEED.EXE

C:\PROGRAM FILES\PANDA SOFTWARE\PANDA PLATINUM INTERNET SECURITY\SRVLOAD.EXE

C:\PROGRAM FILES\LOGITECH\MOUSEWARE\SYSTEM\EM_EXEC.EXE

C:\WINDOWS\SYSTEM\SPOOL32.EXE

C:\WINDOWS\SYSTEM\E_S1T0A2.EXE

C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE

C:\PROGRAM FILES\HIJACKTHIS\HIJACKTHIS.EXE

 

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://4-counter.com/?a=2&b=encry

R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://4-counter.com/?a=2&b=encry

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://4-counter.com/?a=2&b=encry

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://4-counter.com/?a=2&b=encry

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://4-counter.com/?b=encry

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://4-counter.com/?a=2&b=encry

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://4-counter.com/?a=2&b=encry

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://4-counter.com/?a=2&b=encry

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://4-counter.com/?a=2&b=encry

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,SearchURL = http://4-counter.com/?a=2&b=encry

R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,SearchURL = http://4-counter.com/?a=2&b=encry

N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.com/bookmark/7_1/home.html"); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\kotud4ad.slt\prefs.js)

N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CPROGRAM%20FILES%5CNETSCAPE%5CNETSCAPE%5Csearchplugins%5CSBWeb_01.src"); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\kotud4ad.slt\prefs.js)

O1 - Hosts: 198.172.202.101 ads.specificpop.com

O1 - Hosts: 64.236.22.11 cl.cnn.com

O1 - Hosts: 199.181.132.140 espn.go.com

O1 - Hosts: 208.42.236.6 forums.spywareinfo.com

O1 - Hosts: 159.153.230.27 hearts.pogo.com

O1 - Hosts: 81.222.131.59 icanfindit.net

O1 - Hosts: 159.153.253.29 play.pogo.com

O1 - Hosts: 199.181.132.141 sports.espn.go.com

O1 - Hosts: 144.118.31.24 webmail.drexel.edu

O1 - Hosts: 64.236.16.20 www.cnn.com

O1 - Hosts: 207.68.171.245 www.msn.com

O1 - Hosts: 159.153.252.163 www22.pogo.com

O1 - Hosts: 159.153.252.185 www23.pogo.com

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL (file missing)

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX

O4 - HKLM\..\Run: [scanRegistry] C:\WINDOWS\scanregw.exe /autorun

O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe

O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s

O4 - HKLM\..\Run: [systemTray] SysTray.Exe

O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme

O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe

O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers

O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe

O4 - HKLM\..\Run: [TCASUTIEXE] TCAUDIAG -off

O4 - HKLM\..\Run: [DellSC] C:\Program Files\Dell\Solution Center\service.exe

O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe

O4 - HKLM\..\Run: [speed racer] C:\Program Files\Creative\PlayCenter\CTSRReg.exe

O4 - HKLM\..\Run: [AudioHQ] C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE

O4 - HKLM\..\Run: [updReg] C:\WINDOWS\Updreg.exe

O4 - HKLM\..\Run: [Adaptec DirectCD] C:\PROGRA~1\ADAPTEC\DIRECTCD\DIRECTCD.EXE

O4 - HKLM\..\Run: [LoadQM] loadqm.exe

O4 - HKLM\..\Run: [ink Monitor] C:\PROGRA~1\EPSON\INKMON~1\InkMonitor.exe

O4 - HKLM\..\Run: [WORKFLO] D:\INSTALL\WORKFLOW.EXE

O4 - HKLM\..\Run: [bJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe

O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe

O4 - HKLM\..\Run: [kdx] C:\WINDOWS\KDX\KHOST.EXE

O4 - HKLM\..\Run: [sCANINICIO] "C:\Program Files\Panda Software\Panda Platinum Internet Security\Inicio.exe"

O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Software\Panda Platinum Internet Security\APVXDWIN.EXE" /s

O4 - HKLM\..\Run: [devldr16.exe] C:\WINDOWS\SYSTEM\devldr16.exe

O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme

O4 - HKLM\..\RunServices: [schedulingAgent] mstask.exe

O4 - HKLM\..\RunServices: [sSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe

O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe

O4 - HKLM\..\RunServices: [PavProc] "C:\Program Files\Common Files\Panda Software\PavShld\PavPrS9x.exe"

O4 - HKLM\..\RunServices: [PANDASCHEDULER] "C:\Program Files\Panda Software\Panda Platinum Internet Security\Pavsched.exe"

O4 - HKLM\..\RunServices: [PAVFIRES] C:\Program Files\Panda Software\Panda Platinum Internet Security\Firewall\PavFires.exe

O4 - HKCU\..\Run: [MSMSGS] "C:\PROGRA~1\MESSEN~1\msmsgs.exe" /background

O4 - HKCU\..\Run: [spywareGuard] C:\WINDOWS\SYSTEM32\WINPROC32.EXE

O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O4 - Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe

O4 - Startup: Camio Viewer 3.2.lnk = C:\Program Files\Sierra Imaging\Image Expert 2000\IXApplet.exe

O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\hotsync.exe

O4 - Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\SYSTEM\E_SRCV02.EXE

O4 - Startup: CAMEDIA Master.lnk = C:\Program Files\OLYMPUS\CAMEDIA Master 4.1\CM_camera.exe

O4 - Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe

O4 - Startup: ASE Scheduler.lnk = C:\Program Files\Aluria Software\ASE\ASE Scheduler.exe

O4 - Startup: Dr.Speed NetRx.lnk = C:\Program Files\Aluria Software\DrSpeed Suite\drspeed.exe

O8 - Extra context menu item: &Define - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM

O8 - Extra context menu item: Look Up in &Encyclopedia - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE

O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE

O9 - Extra button: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM

O9 - Extra 'Tools' menuitem: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM

O9 - Extra button: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM

O9 - Extra 'Tools' menuitem: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM

O9 - Extra button: Dell Home - {08DCFC6C-B6E4-480C-95A4-FC64F37B787E} - http://www.dellnet.com/ (file missing) (HKCU)

O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll

O12 - Plugin for .mpeg: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin3.dll

O12 - Plugin for .mpg: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin3.dll

O12 - Plugin for .TIF: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin5.dll

O12 - Plugin for .mov: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll

O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.ofoto.com/downloads/BUM/BUM_WIN_IE_1/axofupld.cab

O16 - DPF: {E87F6C8E-16C0-11D3-BEF7-009027438003} (Persits Software XUpload) - http://photo.walmart.com/photo/upload/XUpload.ocx

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab

O21 - SSODL: AUHook - {BCBCD383-3E06-11D3-91A9-00C04F68105C} - C:\WINDOWS\SYSTEM\AUHOOK.DLL

Share this post


Link to post
Share on other sites

Hello,

 

Since we're not having much luck with your CWShredder, let's try this and see if it makes a difference. At this point, do not delete anything with HijackThis, or run any other clean-up program. Delete your current copy of CWShredder, do not update it, delete it, and download the newest one....

 

Please click here to download the newest version of CWShredder by Merijn Bellekom then run it in Safe Mode. Run the program, hitting 'fix' as opposed to 'scan only.' Reboot and then run the program a second time, again in Safe Mode. Reboot when done.

 

Scan with HijackThis and post a fresh log into this same thread.

Share this post


Link to post
Share on other sites

Hi,

 

This thing is really sneaky so we're going to take a different approach. After you've downloaded the new copy of CWShredder, please print and follow these directions exactly.

 

Stop the running process on this file before running CWShredder!

 

C:\WINDOWS\SYSTEM32\WINPROC32.EXE

 

Boot into Safe Mode then.....

 

Press Ctrl-Alt-Del (you may need to do this several times before the task manager window pops up) and select the program you want to stop from the list of running programs. The name on this list will usually match the file name without the extension. Click the End Task button to stop the program:

 

WINPROC32 <--- This one!!!

 

If the file was not located there, try this.....

 

Click Start ----> Run and type msconfig. Then click the Startup tab. You will see a list of programs that will run each time you start your PC. Clear only the checkbox next to WINPROC32 if found.

 

Next, run HijackThis in Safe Mode and fix the following line only! Make sure that all other windows are closed.

 

O4 - HKCU\..\Run: [spywareGuard] C:\WINDOWS\SYSTEM32\WINPROC32.EXE

 

Remaining in Safe Mode, enable the ”Show Hidden Files and Folders” option:

Click Start.

Open My Computer.

Select the Tools menu and click Folder Options.

Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.

Uncheck: Hide file extensions for known file types

Uncheck the Hide protected operating system files (recommended) option.

Click Yes to confirm.

Click OK.

 

Now, search for, and delete if found, (some files may not be present after previous steps) the following:

 

C:\WINDOWS\SYSTEM32\WINPROC32.EXE < file

 

Still in Safe Mode, run CWShredder, with all other windows closed, and hitting "fix" as opposed to scan. Run it a second time for good measure.

 

Please delete your temporary files by deleting all files and folders that are in those folders (do not delete the temp folder itself) like for example:

 

C:\WINDOWS\Temp\

 

C:\Temp\

 

Also delete your Temporary Internet Files, be sure to also select "delete all offline content."

 

Empty your Recycle Bin.

 

Reboot in Safe Mode.

 

Run CWShredder twice more.

 

Reboot and post a fresh HijackThis log into this same thread.

Share this post


Link to post
Share on other sites

thanks for your patience! here's the latest.

 

thanks

 

Logfile of HijackThis v1.98.0

Scan saved at 7:44:43 PM, on 7/12/2004

Platform: Windows ME (Win9x 4.90.3000)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\SYSTEM\KERNEL32.DLL

C:\WINDOWS\SYSTEM\MSGSRV32.EXE

C:\WINDOWS\SYSTEM\SPOOL32.EXE

C:\WINDOWS\SYSTEM\MPREXE.EXE

C:\WINDOWS\SYSTEM\MSTASK.EXE

C:\WINDOWS\SYSTEM\SSDPSRV.EXE

C:\PROGRAM FILES\PANDA SOFTWARE\PANDA PLATINUM INTERNET SECURITY\PAVSCHED.EXE

C:\PROGRAM FILES\PANDA SOFTWARE\PANDA PLATINUM INTERNET SECURITY\FIREWALL\PAVFIRES.EXE

C:\WINDOWS\SYSTEM\mmtask.tsk

C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE

C:\WINDOWS\SYSTEM\DEVLDR16.EXE

C:\PROGRAM FILES\CREATIVE\SBLIVE\AUDIOHQ\AHQTB.EXE

C:\WINDOWS\EXPLORER.EXE

C:\WINDOWS\TASKMON.EXE

C:\WINDOWS\SYSTEM\SYSTRAY.EXE

C:\PROGRAM FILES\DELL\SOLUTION CENTER\SERVICE.EXE

C:\PROGRAM FILES\NETROPA\MULTIMEDIA KEYBOARD\MMKEYBD.EXE

C:\PROGRAM FILES\ADAPTEC\DIRECTCD\DIRECTCD.EXE

C:\WINDOWS\LOADQM.EXE

C:\PROGRAM FILES\NETROPA\MULTIMEDIA KEYBOARD\MMUSBKB2.EXE

C:\WINDOWS\SYSTEM\WMIEXE.EXE

C:\PROGRAM FILES\BROADJUMP\CLIENT FOUNDATION\CFD.EXE

C:\WINDOWS\KDX\KHOST.EXE

C:\PROGRAM FILES\NETROPA\ONSCREEN DISPLAY\OSD.EXE

C:\WINDOWS\SYSTEM\WBEM\WINMGMT.EXE

C:\PROGRAM FILES\PANDA SOFTWARE\PANDA PLATINUM INTERNET SECURITY\APVXDWIN.EXE

C:\PROGRAM FILES\MESSENGER\MSMSGS.EXE

C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\WORKS SHARED\WKCALREM.EXE

C:\PROGRAM FILES\SIERRA IMAGING\IMAGE EXPERT 2000\IXAPPLET.EXE

C:\PROGRAM FILES\PALM\HOTSYNC.EXE

C:\PROGRAM FILES\OLYMPUS\CAMEDIA MASTER 4.1\CM_CAMERA.EXE

C:\PROGRAM FILES\ALURIA SOFTWARE\ASE\ASE SCHEDULER.EXE

C:\PROGRAM FILES\PANDA SOFTWARE\PANDA PLATINUM INTERNET SECURITY\SRVLOAD.EXE

C:\PROGRAM FILES\ALURIA SOFTWARE\DRSPEED SUITE\DRSPEED.EXE

C:\WINDOWS\SYSTEM\DDHELP.EXE

C:\PROGRAM FILES\LOGITECH\MOUSEWARE\SYSTEM\EM_EXEC.EXE

C:\PROGRAM FILES\PANDA SOFTWARE\PANDA PLATINUM INTERNET SECURITY\WEBPROXY.EXE

C:\WINDOWS\SYSTEM\E_S10IC2.EXE

C:\WINDOWS\SYSTEM\E_S10IC2.EXE

C:\PROGRAM FILES\HIJACKTHIS\HIJACKTHIS.EXE

 

N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.com/bookmark/7_1/home.html"); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\kotud4ad.slt\prefs.js)

N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CPROGRAM%20FILES%5CNETSCAPE%5CNETSCAPE%5Csearchplugins%5CSBWeb_01.src"); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\kotud4ad.slt\prefs.js)

O1 - Hosts: 198.172.202.101 ads.specificpop.com

O1 - Hosts: 64.236.22.11 cl.cnn.com

O1 - Hosts: 199.181.132.140 espn.go.com

O1 - Hosts: 159.153.230.27 hearts.pogo.com

O1 - Hosts: 81.222.131.59 icanfindit.net

O1 - Hosts: 159.153.253.29 play.pogo.com

O1 - Hosts: 199.181.132.141 sports.espn.go.com

O1 - Hosts: 144.118.31.24 webmail.drexel.edu

O1 - Hosts: 64.236.16.20 www.cnn.com

O1 - Hosts: 159.153.252.163 www22.pogo.com

O1 - Hosts: 159.153.252.185 www23.pogo.com

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL (file missing)

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX

O4 - HKLM\..\Run: [scanRegistry] C:\WINDOWS\scanregw.exe /autorun

O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe

O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s

O4 - HKLM\..\Run: [systemTray] SysTray.Exe

O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme

O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe

O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers

O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe

O4 - HKLM\..\Run: [TCASUTIEXE] TCAUDIAG -off

O4 - HKLM\..\Run: [DellSC] C:\Program Files\Dell\Solution Center\service.exe

O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe

O4 - HKLM\..\Run: [speed racer] C:\Program Files\Creative\PlayCenter\CTSRReg.exe

O4 - HKLM\..\Run: [AudioHQ] C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE

O4 - HKLM\..\Run: [updReg] C:\WINDOWS\Updreg.exe

O4 - HKLM\..\Run: [Adaptec DirectCD] C:\PROGRA~1\ADAPTEC\DIRECTCD\DIRECTCD.EXE

O4 - HKLM\..\Run: [LoadQM] loadqm.exe

O4 - HKLM\..\Run: [ink Monitor] C:\PROGRA~1\EPSON\INKMON~1\InkMonitor.exe

O4 - HKLM\..\Run: [WORKFLO] D:\INSTALL\WORKFLOW.EXE

O4 - HKLM\..\Run: [bJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe

O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe

O4 - HKLM\..\Run: [kdx] C:\WINDOWS\KDX\KHOST.EXE

O4 - HKLM\..\Run: [sCANINICIO] "C:\Program Files\Panda Software\Panda Platinum Internet Security\Inicio.exe"

O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Software\Panda Platinum Internet Security\APVXDWIN.EXE" /s

O4 - HKLM\..\Run: [devldr16.exe] C:\WINDOWS\SYSTEM\devldr16.exe

O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme

O4 - HKLM\..\RunServices: [schedulingAgent] mstask.exe

O4 - HKLM\..\RunServices: [sSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe

O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe

O4 - HKLM\..\RunServices: [PavProc] "C:\Program Files\Common Files\Panda Software\PavShld\PavPrS9x.exe"

O4 - HKLM\..\RunServices: [PANDASCHEDULER] "C:\Program Files\Panda Software\Panda Platinum Internet Security\Pavsched.exe"

O4 - HKLM\..\RunServices: [PAVFIRES] C:\Program Files\Panda Software\Panda Platinum Internet Security\Firewall\PavFires.exe

O4 - HKCU\..\Run: [MSMSGS] "C:\PROGRA~1\MESSEN~1\msmsgs.exe" /background

O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O4 - Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe

O4 - Startup: Camio Viewer 3.2.lnk = C:\Program Files\Sierra Imaging\Image Expert 2000\IXApplet.exe

O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\hotsync.exe

O4 - Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\SYSTEM\E_SRCV02.EXE

O4 - Startup: CAMEDIA Master.lnk = C:\Program Files\OLYMPUS\CAMEDIA Master 4.1\CM_camera.exe

O4 - Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe

O4 - Startup: ASE Scheduler.lnk = C:\Program Files\Aluria Software\ASE\ASE Scheduler.exe

O4 - Startup: Dr.Speed NetRx.lnk = C:\Program Files\Aluria Software\DrSpeed Suite\drspeed.exe

O8 - Extra context menu item: &Define - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM

O8 - Extra context menu item: Look Up in &Encyclopedia - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE

O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE

O9 - Extra button: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM

O9 - Extra 'Tools' menuitem: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM

O9 - Extra button: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM

O9 - Extra 'Tools' menuitem: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM

O9 - Extra button: Dell Home - {08DCFC6C-B6E4-480C-95A4-FC64F37B787E} - http://www.dellnet.com/ (file missing) (HKCU)

O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll

O12 - Plugin for .mpeg: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin3.dll

O12 - Plugin for .mpg: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin3.dll

O12 - Plugin for .TIF: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin5.dll

O12 - Plugin for .mov: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll

O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.ofoto.com/downloads/BUM/BUM_WIN_IE_1/axofupld.cab

O16 - DPF: {E87F6C8E-16C0-11D3-BEF7-009027438003} (Persits Software XUpload) - http://photo.walmart.com/photo/upload/XUpload.ocx

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab

O21 - SSODL: AUHook - {BCBCD383-3E06-11D3-91A9-00C04F68105C} - C:\WINDOWS\SYSTEM\AUHOOK.DLL

Share this post


Link to post
Share on other sites

Hi!

 

You're very welcome. I'm so glad we could help. You've done a great job and have been very patient yourself! Big-Thumbs-Up.gif

 

I think I'm just going to sit back for a moment and enjoy looking at your clean log! highfive.gif

 

Yes, it's finally clean! :lol: Here's a few tips to help you keep it that way.......

 

First, go here:

http://www.spywareinfo.com/~merijn/winfiles.html and download and install this file... SDHelper.dll (Located near the bottom of the page). This file belongs to Spybot Search & Destroy, and it was killed off by CWS. This will replace it.

 

Next, it would be a good idea to flush out your system restore points so you don't accidentally restore to a point where the baddies are located.....

 

Turn off System Restore.

 

Go to Control Panel.

Double click on System.

Click the Performance tab.

Click on File System.

Click on the Troubleshooting tab.

Place a checkmark in Disable System Restore.

Click Apply, and then click OK

 

Turn ON System Restore.

 

Go to Control Panel.

Double click on System.

Click the Performance tab.

Click on File System.

Click on the Troubleshooting tab.

Remove the checkmark in Disable System Restore.

Click Apply, and then click OK.

 

Set a new system restore point.

 

Scan often with Spybot Search and Destroy and Ad-aware to remove malware before it gains a foothold on your computer. (Links below). Install SpywareBlaster and SpywareGuard to keep baddies from invading your system. (Links below).

 

Make sure you keep your system updated by frequent visits to the Windows Update site (see link below). Always install ALL critical updates.

 

Please take a minute or two to read the short article, "How did I get infected in the first place?" (See link in my signature below). You will find good information on keeping your system clean in the future, as well as links for excellent free anti-spyware tools.

Share this post


Link to post
Share on other sites
Sign in to follow this  
Followers 0