Jump to content


Photo

HijackThis deletes it, but it returns again!


  • Please log in to reply
22 replies to this topic

#1 Nenena

Nenena

    Member

  • Full Member
  • Pip
  • 35 posts

Posted 24 July 2004 - 11:05 AM

After an experience with a browser hijack last month, I vowed to switch browsers and never use IE again. The last night I let my roommate use my computer. I didn't realize that she preferred IE, but she did. She said that she just checked her email, but when I got back on my computer, it was swimming with spyware - ClearSearch, WhenUSave, ClockSync, and at least six other programs.

I ran updated versions of Ad-Aware, Spybot, and HijackThis. Deleted what I could. I also removed every file under "Program Files" that was dated as 7/24/2004. I removed the shortcuts to WhenUSave and ClearSearch on my "Start" menu, since HijackThis didn't seem to do it. I rebooted a couple times (not connected to the internet), ran HijackThis again (Spybot and AdAware were now coming up "clean") and found that several of the programs were still there, despite having been previously deleted.

When HijackThis failed to delete them again, I went to my Control Panel, and started ye olde "Add/Remove Programs." I found several programs that, when I tried to remove them, instead popped up little windows that said "Are you sure you want to delete this program? It can save you $$$$$! blah blah blah." I figured that was a red flag, so I removed them.

Then my computer crashed.

I rebooted again, and only one, lone, single pop-up ad greeted me: an add for an online poker thingy. At this point I was feeling pretty great, so I ran HijackThis again. I found only one suspicious program,
O4 - HKLM\..\Run: [4THQMFQ5XMTXYD] C:\WINDOWS\SYSTEM\XdkD.exe
and I deleted it.

Rebooted, still had a pop-up ad. Ran HijackThis again, and got:
O4 - HKLM\..\Run: [4THQMFQ5XMTXYD] C:\WINDOWS\SYSTEM\DqhD.exe

I went to C:\WINDOWS\SYSTEM, and the file in question would NOT show up in that folder so that I could manually delete it. (Yes, I made sure that all hidden objects were shown as well.) I ran a "Search" and Windows couldn't find the file on my computer.

So I went back to "Add/Remove files" and found:
midADdle
WhenUSearch
SEP
Pgate Basic

Despite the fact that I had previously removed them.

Here's where the scary part comes in. First I tried to remove "midADdle," and this window popped up:

http://www.boukenshin.net/hijack01.gif (screenshot)

I didn't want to do the "uninstall code" thing because it seemed like a trick... Like, you know, those programs that pretend to be spyware removers but actually install spyware? (My first batch of pop-up ads pointed me to some of those.) Despite me not entering the code, however, a lying little pop-up window said "Uninstall complete!"

Next I did "WhenUSearch." This popped up:
http://www.boukenshin.net/hijack02.gif (screenshot)

I chose "Yes." The same thing happened with SEP. When I tried to delete Pgate Basic, however, it opened a website that asked me to download an "uninstaller." Er, no.

So I shut down and rebooted again. Here's what I found:
1) The four above-mentioned programs were on my list of Add/Remove programs again.
2) HijackThis found:
O4 - HKLM\..\Run: [4THQMFQ5XMTXYD] C:\WINDOWS\SYSTEM\Xke3.exe
3) Still a poker ad!
4) My C:\ folder was suddenly littered with weirdly-named files that read "0KB" in size. There was also a big "_RESTORE" folder that hadn't been there before. The weird thing was that these new things were HALF-TRANSPARENT, you know, the way that a file or folder looks after you've just "cut" it and you want to paste it somewhere else. I deleted all of the half-transparent folder and files.
5) Under "Program Files," there was a half-transparent folder called "Windows Update" that was dated 7/24/2004. I deleted it.
6) THIS IS THE SCARY PART. Under "WINDOWS," half of MY folders were suddenly half-transparent!

http://www.boukenshin.net/hijack03.gif (screenshot)

By now it was 3 AM and I wanted to go to bed.

I rebooted my computer this morning. The half-transparent "_RESTORE" was back, as was the "Windows Update" folder, despite me having deleted them. (The other mysterious files under C:\ were gone for good, though.) HijackThis still found Xke3.exe, which I had not deleted last night because I knew it would do no good. However, three surprises were in store for me this morning:

1) NO poker ad!!!
2) Windows Media Player will no longer open.
3) My icons are all messed up. On my desktop, I have a folder icon representing a text file, an image file representing an .avi movie, and some other weird stuff going on....

And half of the folders under WINDOWS still look creepy and half-transparent.

So here's my HijackThis log. I dunno how much good it will do, because the program in question just comes back with a different name every time it's deleted. Maybe there's something *else* I should be deleting?

Logfile of HijackThis v1.97.7
Scan saved at 8:24:57 AM, on 7/24/2004
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v5.50 (5.50.4134.0600)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\APACHE\APACHE.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\EXPLORER.EXE
C:\APACHE\APACHE.EXE
C:\WINDOWS\SYSTEM\WINOA386.MOD
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPLPR.EXE
C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPENH.EXE
C:\WINDOWS\SYSTEM\PRPCUI.EXE
C:\PROGRAM FILES\ONE-TOUCH\CP32NBTN.EXE
C:\PROGRAM FILES\ONE-TOUCH\CDROMMNT.EXE
C:\PROGRAM FILES\ONE-TOUCH\KBOSDCTL.EXE
C:\WINDOWS\SYSTEM\RMCTRL.EXE
C:\WINDOWS\SYSTEM\S3TRAYHP.EXE
C:\PROGRAM FILES\ONE-TOUCH\CP32NKCC.EXE
C:\PROGRAM FILES\ADAPTEC\EASY CD CREATOR 4\CREATECD\CREATECD.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\WORKS SHARED\WKCALREM.EXE
C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
C:\WINDOWS\SYSTEM\LJYZG.EXE
C:\WINDOWS\SYSTEM\HTERY6W.EXE
C:\WINDOWS\APPLICATION DATA\OOCS.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\RSSEX.EXE
C:\PROGRAM FILES\ZZZ_DOWNLOADS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.macalester.edu/
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O2 - BHO: (no name) - {6DF81959-B242-2B97-8753-60550DA72E1F} - C:\WINDOWS\SYSTEM\JCL.DLL
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [ESS Daemon] C:\WINDOWS\ESSD.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [PRPCMonitor] PRPCUI.exe
O4 - HKLM\..\Run: [CP32NOT] C:\PROGRA~1\ONE-TO~1\CP32NBTN.EXE
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [RemoteControl] C:\WINDOWS\SYSTEM\rmctrl.exe
O4 - HKLM\..\Run: [S3TRAYHP] S3trayhp.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [4THQMFQ5XMTXYD] C:\WINDOWS\SYSTEM\Xke3.exe
O4 - HKLM\..\Run: [CreateCD] C:\PROGRA~1\ADAPTEC\EASYCD~1\CREATECD\CREATECD.EXE -r
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [PHPGeekUtil] "C:\APACHE\APACHE.EXE" -k start -n PHPGeekUtil
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKCU\..\Run: [Uate] C:\WINDOWS\Application Data\oocs.exe
O4 - Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Startup: Image Transfer.lnk = C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe
O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE10\EXCEL.EXE/3000
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: MSN Messenger Service (HKLM)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.hp.com/go/business-notebook
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...8157.4840740741

Any help would be much appreciated!

Much love and thanks in advance.

#2 mmxx66

mmxx66

    The SWI drummer

  • Retired Staff
  • PipPipPipPipPip
  • 4,412 posts

Posted 24 July 2004 - 12:52 PM

Download PeperFix
Save it to your Desktop.
Click on the PeperFix.exe to launch it.

Click the Find and Fix button.

It will scan the %Systemroot% folder and locate all the peper files. You will be prompted to reboot. Reboot and it will delete the peper files.
Ensure that you are online before starting the fix. Make sure to run the fix twice.


And post a new log, still there is way to go.

#3 Nenena

Nenena

    Member

  • Full Member
  • Pip
  • 35 posts

Posted 24 July 2004 - 03:45 PM

Thanks for the help. ^___^

Okay, I can PeperFix once, rebooted, and ran it again. The second time through it said that it found no pepers.

Here's my new HT log:

Logfile of HijackThis v1.97.7
Scan saved at 1:44:10 PM, on 7/24/2004
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v5.50 (5.50.4134.0600)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\APACHE\APACHE.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\EXPLORER.EXE
C:\APACHE\APACHE.EXE
C:\WINDOWS\SYSTEM\WINOA386.MOD
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPLPR.EXE
C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPENH.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\PRPCUI.EXE
C:\PROGRAM FILES\ONE-TOUCH\CP32NBTN.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\SYSTEM\RMCTRL.EXE
C:\WINDOWS\SYSTEM\S3TRAYHP.EXE
C:\WINDOWS\APPLICATION DATA\OOCS.EXE
C:\PROGRAM FILES\ONE-TOUCH\CDROMMNT.EXE
C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\WORKS SHARED\WKCALREM.EXE
C:\PROGRAM FILES\ONE-TOUCH\KBOSDCTL.EXE
C:\PROGRAM FILES\ONE-TOUCH\CP32NKCC.EXE
C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
C:\PROGRAM FILES\ZZZ_DOWNLOADS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.macalester.edu/
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O2 - BHO: (no name) - {6DF81959-B242-2B97-8753-60550DA72E1F} - C:\WINDOWS\SYSTEM\JCL.DLL
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [ESS Daemon] C:\WINDOWS\ESSD.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [PRPCMonitor] PRPCUI.exe
O4 - HKLM\..\Run: [CP32NOT] C:\PROGRA~1\ONE-TO~1\CP32NBTN.EXE
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [RemoteControl] C:\WINDOWS\SYSTEM\rmctrl.exe
O4 - HKLM\..\Run: [S3TRAYHP] S3trayhp.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [4THQMFQ5XMTXYD] C:\WINDOWS\SYSTEM\XdkD.exe
O4 - HKLM\..\Run: [CreateCD] C:\PROGRA~1\ADAPTEC\EASYCD~1\CREATECD\CREATECD.EXE -r
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [PHPGeekUtil] "C:\APACHE\APACHE.EXE" -k start -n PHPGeekUtil
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKCU\..\Run: [Uate] C:\WINDOWS\Application Data\oocs.exe
O4 - Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Startup: Image Transfer.lnk = C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe
O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE10\EXCEL.EXE/3000
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: MSN Messenger Service (HKLM)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.hp.com/go/business-notebook
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...8157.4840740741

#4 mmxx66

mmxx66

    The SWI drummer

  • Retired Staff
  • PipPipPipPipPip
  • 4,412 posts

Posted 24 July 2004 - 04:14 PM

6) THIS IS THE SCARY PART. Under "WINDOWS," half of MY folders were suddenly half-transparent!


Those are the hidden folders, you have enabled view hidden and system files, don愒 worry about that.

Let愀 work on the other stuff.

You still have the Peper infection. So ...

Click on the PeperFix.exe to launch it.

Click the Find and Fix button.

It will scan the %Systemroot% folder and locate all the peper files. You will be prompted to reboot. Reboot and it will delete the peper files.
Ensure that you are online before starting the fix. Make sure to run the fix twice.


Print out these instructions so you can read them while you clean your system.


Move Hijack This to its own folder.Click My Computer, then C:\
In the menu bar, File->New->Folder.
That will create a folder named New Folder, which you can rename to "HJT" or "HijackThis". Now you have C:\HJT\ folder. Move hijack this there. Hijack this makes backups of everything you fix, these backups are saved in the same folder the program is.


Now close all open windows AND browsers and check these items for HJT to fix:
O2 - BHO: (no name) - {6DF81959-B242-2B97-8753-60550DA72E1F} - C:\WINDOWS\SYSTEM\JCL.DLL
O4 - HKCU\..\Run: [Uate] C:\WINDOWS\Application Data\oocs.exe
O4 - HKLM\..\Run: [4THQMFQ5XMTXYD] C:\WINDOWS\SYSTEM\XdkD.exe




Please reboot into safe mode - How do I boot into "Safe" mode?


Delete these files:
C:\WINDOWS\Application Data\oocs.exe
C:\WINDOWS\System\JCL.DLL


You may need to show hidden files to delete them.How to show all hidden and system files

The following DIRECTORY CONTENTS (But not the directory) need to be deleted while in safe mode.
* C:\Windows\Temp\
* C:\Documents and Settings\<Your Profile>\Local Settings\Temporary Internet Files\ <=This will delete all your cached internet
content including cookies. This is recommended and strongly suggested.
* C:\Documents and Settings\<Your Profile>\Local Settings\Temp\
* C:\Documents and Settings\<Any other users Profile>\Local Settings\Temporary Internet Files\
* C:\Documents and Settings\<Any other users Profile>\Local Settings\Temp\
* Empty your "Recycle Bin".

Then disable your system restore

1 Right-click My Computer, and then click Properties.
2 Click the System Restore tab.
3 Check the "Turn off System Restore" or "Turn off System Restore on all drives" check box.
4 Click Apply
5 this will delete all existing restore points. Click Yes to do this.
6 Click OK.

Reboot into normal mode enable System Restore and post a fresh log in this thread to give you further recommendations.

#5 Nenena

Nenena

    Member

  • Full Member
  • Pip
  • 35 posts

Posted 24 July 2004 - 04:58 PM

Those are the hidden folders, you have enabled view hidden and system files, don愒 worry about that


Okay, I feel stupid now. ^^;;

I followed to the above instructions to the letter, except...

1) When I rebooted into safe mode, even after following all the instructions to show all files and folders, JCL.DLL did not show up in C:\WINDOWS\SYSTEM\. "Search" couldn't find it either. Maybe HT finally got it. ^__^

2)

1 Right-click My Computer, and then click Properties.
2 Click the System Restore tab.
3 Check the "Turn off System Restore" or "Turn off System Restore on all drives" check box.
4 Click Apply
5 this will delete all existing restore points. Click Yes to do this.
6 Click OK.


I right-clicked in "My Computer" and chose "Properties." But there was no "System Restore" tab, although I did find this:
Properties > File System > Troubleshooting > *Disable System Restore.

So I did that, rebooted in safe mode, and ran HT:

Logfile of HijackThis v1.97.7
Scan saved at 4:48:52 PM, on 7/24/2004
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v5.50 (5.50.4134.0600)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\APACHE\APACHE.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\EXPLORER.EXE
C:\APACHE\APACHE.EXE
C:\WINDOWS\SYSTEM\WINOA386.MOD
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPLPR.EXE
C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPENH.EXE
C:\WINDOWS\SYSTEM\PRPCUI.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\PROGRAM FILES\ONE-TOUCH\CP32NBTN.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\ONE-TOUCH\CDROMMNT.EXE
C:\PROGRAM FILES\ONE-TOUCH\KBOSDCTL.EXE
C:\PROGRAM FILES\ONE-TOUCH\CP32NKCC.EXE
C:\WINDOWS\SYSTEM\RMCTRL.EXE
C:\WINDOWS\SYSTEM\S3TRAYHP.EXE
C:\PROGRAM FILES\ADAPTEC\EASY CD CREATOR 4\CREATECD\CREATECD.EXE
C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\WORKS SHARED\WKCALREM.EXE
C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
C:\HIJACKTHIS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.macalester.edu/
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [ESS Daemon] C:\WINDOWS\ESSD.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [PRPCMonitor] PRPCUI.exe
O4 - HKLM\..\Run: [CP32NOT] C:\PROGRA~1\ONE-TO~1\CP32NBTN.EXE
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [RemoteControl] C:\WINDOWS\SYSTEM\rmctrl.exe
O4 - HKLM\..\Run: [S3TRAYHP] S3trayhp.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [CreateCD] C:\PROGRA~1\ADAPTEC\EASYCD~1\CREATECD\CREATECD.EXE -r
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [PHPGeekUtil] "C:\APACHE\APACHE.EXE" -k start -n PHPGeekUtil
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Startup: Image Transfer.lnk = C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe
O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE10\EXCEL.EXE/3000
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: MSN Messenger Service (HKLM)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.hp.com/go/business-notebook
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...8157.4840740741


Just a moment ago I tried to open up an MP3 to see if Windows Media Player would work again. It wouldn't open. I pressed Ctrl+alt+delete and "Oocs" showed up on my list of programs running.

#6 mmxx66

mmxx66

    The SWI drummer

  • Retired Staff
  • PipPipPipPipPip
  • 4,412 posts

Posted 24 July 2004 - 05:32 PM

Sorry i扉e get used to work in XP Here are the instructions to disable system restore in WINDOWS ME http://service1.syma...src=sec_doc_nam

The Peper is gone.

Stop the Oocs process, then find the file and delete it.

In the Internet Explorer go to Tools > Windows Update and update it.
After that post a new log ;)

#7 Nenena

Nenena

    Member

  • Full Member
  • Pip
  • 35 posts

Posted 24 July 2004 - 06:08 PM

Okay, cool, I have system restore disable.

I quit Oocs, then found the file and deleted it.

Ran Windows Update, and rebooted when it was finished.

I ran HT again, and in the first scan, Oocs didn't show up. However, I tried to open WMP player again, and it still wouldn't work. Tried Crt+Alt+Delete again, and sure enough, Oocs was running. I told it to quit. Found the file, deleted it again. Then ran HT again, but HT still found it:

Logfile of HijackThis v1.97.7
Scan saved at 6:05:07 PM, on 7/24/2004
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\APACHE\APACHE.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\APACHE\APACHE.EXE
C:\WINDOWS\SYSTEM\WINOA386.MOD
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPLPR.EXE
C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPENH.EXE
C:\WINDOWS\SYSTEM\PRPCUI.EXE
C:\PROGRAM FILES\ONE-TOUCH\CP32NBTN.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\RMCTRL.EXE
C:\WINDOWS\SYSTEM\S3TRAYHP.EXE
C:\PROGRAM FILES\ONE-TOUCH\CDROMMNT.EXE
C:\PROGRAM FILES\ONE-TOUCH\KBOSDCTL.EXE
C:\PROGRAM FILES\ONE-TOUCH\CP32NKCC.EXE
C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\WORKS SHARED\WKCALREM.EXE
C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
C:\HIJACKTHIS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.macalester.edu/
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [ESS Daemon] C:\WINDOWS\ESSD.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [PRPCMonitor] PRPCUI.exe
O4 - HKLM\..\Run: [CP32NOT] C:\PROGRA~1\ONE-TO~1\CP32NBTN.EXE
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [RemoteControl] C:\WINDOWS\SYSTEM\rmctrl.exe
O4 - HKLM\..\Run: [S3TRAYHP] S3trayhp.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [CreateCD] C:\PROGRA~1\ADAPTEC\EASYCD~1\CREATECD\CREATECD.EXE -r
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [PHPGeekUtil] "C:\APACHE\APACHE.EXE" -k start -n PHPGeekUtil
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKCU\..\Run: [Uate] C:\WINDOWS\Application Data\oocs.exe
O4 - Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Startup: Image Transfer.lnk = C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe
O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE10\EXCEL.EXE/3000
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: MSN Messenger Service (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.hp.com/go/business-notebook
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...8157.4840740741

#8 mmxx66

mmxx66

    The SWI drummer

  • Retired Staff
  • PipPipPipPipPip
  • 4,412 posts

Posted 24 July 2004 - 06:15 PM

Do you have the Purityscan installed in your pc?

#9 Nenena

Nenena

    Member

  • Full Member
  • Pip
  • 35 posts

Posted 24 July 2004 - 06:29 PM

No... Should I? Is it this thing: http://www.purityscan.com/ ?

#10 mmxx66

mmxx66

    The SWI drummer

  • Retired Staff
  • PipPipPipPipPip
  • 4,412 posts

Posted 24 July 2004 - 06:34 PM

NO you shouldn愒, that oocs.exe is related to PurityScan. Please never install it.
Let愀 check if there is some hidden file recreating that oocs.exe.

Please download and install the program Registry Lite from here:

http://www.resplendence.com/reglite

Once it is installed, please double click on the icon that should now be on your desktop. If an icon is not there, then check under programs portion of the Start Menu.

Once it is opened, copy and paste the below line, into the address field of Registrar Lite.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs

And press enter. You will now be presented with new information in the bottom right and left sections and on the right section, the name AppInit_DLLs should be highlighted. Double-click on the AppInit_DLLs entry and copy and paste the text found in the value field in your next reply to this post.

#11 Nenena

Nenena

    Member

  • Full Member
  • Pip
  • 35 posts

Posted 24 July 2004 - 06:54 PM

I copied and pasted that line into the "address" field of Registrar Lite, but I didn't pull up anything like AppInit_DLLs . Instead I got this screen:

http://www.boukenshin.net/hijack03.gif

I checked the folders listed on the right, but it wasn't in any of those, either.

(I'm probably just missing something really obvious, though...)

#12 Nenena

Nenena

    Member

  • Full Member
  • Pip
  • 35 posts

Posted 08 August 2004 - 12:42 PM

(*bump*)

Some time has passed, but I still have the problem. Here's my new HT log:

Logfile of HijackThis v1.97.7
Scan saved at 12:34:37 PM, on 8/8/2004
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\APACHE\APACHE.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\EXPLORER.EXE
C:\APACHE\APACHE.EXE
C:\WINDOWS\SYSTEM\WINOA386.MOD
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPLPR.EXE
C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPENH.EXE
C:\WINDOWS\SYSTEM\PRPCUI.EXE
C:\PROGRAM FILES\ONE-TOUCH\CP32NBTN.EXE
C:\WINDOWS\SYSTEM\RMCTRL.EXE
C:\WINDOWS\SYSTEM\S3TRAYHP.EXE
C:\WINDOWS\APPLICATION DATA\OOCS.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\WORKS SHARED\WKCALREM.EXE
C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
C:\PROGRAM FILES\ONE-TOUCH\CDROMMNT.EXE
C:\PROGRAM FILES\ONE-TOUCH\KBOSDCTL.EXE
C:\PROGRAM FILES\ONE-TOUCH\CP32NKCC.EXE
C:\PROGRAM FILES\BITTORRENT\BTDOWNLOADGUI.EXE
C:\WINDOWS\WUAUCLT.EXE
C:\PROGRAM FILES\MOZILLA FIREFOX\FIREFOX.EXE
C:\HIJACKTHIS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.macalester.edu/
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [ESS Daemon] C:\WINDOWS\ESSD.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [PRPCMonitor] PRPCUI.exe
O4 - HKLM\..\Run: [CP32NOT] C:\PROGRA~1\ONE-TO~1\CP32NBTN.EXE
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [RemoteControl] C:\WINDOWS\SYSTEM\rmctrl.exe
O4 - HKLM\..\Run: [S3TRAYHP] S3trayhp.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [CreateCD] C:\PROGRA~1\ADAPTEC\EASYCD~1\CREATECD\CREATECD.EXE -r
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [PHPGeekUtil] "C:\APACHE\APACHE.EXE" -k start -n PHPGeekUtil
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKCU\..\Run: [Uate] C:\WINDOWS\Application Data\oocs.exe
O4 - Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Startup: Image Transfer.lnk = C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe
O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE10\EXCEL.EXE/3000
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: MSN Messenger Service (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.hp.com/go/business-notebook
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...8157.4840740741


Other noticeable problems:
When I press CTRL + ALT + DELETE, my computer spits out a list of running programs, which includes OOCS and a whole bunch of other stuff that wasn't there before I got my infection.

When I go to Add/Remove Programs, the following suspicious stuff is still listed:
midADdle
PGate Basic
WhenUSearch

When I want to open a file and I choose "Open with...", the list of programs that pops up includes:
Dummy
updateipr
And "Windows Media Player" is listed twice, once with the normal icon, once with a weird icon. This may explain why it never opens or works for me anymore... (I have never downloaded an update to WMP, by the way.)

Any help would be appreciated. I think we got cut off in the middle of doing something useful (*points to above post*)

BTW, I still have my system restore disabled.

#13 LoPhatPhuud

LoPhatPhuud

    Master of Disaster Recovery

  • Emeritus
  • PipPipPipPip
  • 432 posts

Posted 08 August 2004 - 10:34 PM

Current vresion of HJT is 198.2, please download the current version and post a new log in this thread.
http://www.computerc...s-file-328.html
IPB Image Microsoft MVP Windows-Security 2005

Posted Image


When angry count four; when very angry, swear

#14 mmxx66

mmxx66

    The SWI drummer

  • Retired Staff
  • PipPipPipPipPip
  • 4,412 posts

Posted 09 August 2004 - 11:28 AM

LoPhatPhuud thanks. I never got the july 24 reply notification.

#15 Nenena

Nenena

    Member

  • Full Member
  • Pip
  • 35 posts

Posted 09 August 2004 - 01:38 PM

Okay, log from the updated version of HT:

Logfile of HijackThis v1.98.2
Scan saved at 1:37:04 PM, on 8/9/2004
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPLPR.EXE
C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPENH.EXE
C:\WINDOWS\SYSTEM\PRPCUI.EXE
C:\PROGRAM FILES\ONE-TOUCH\CP32NBTN.EXE
C:\WINDOWS\SYSTEM\RMCTRL.EXE
C:\WINDOWS\SYSTEM\S3TRAYHP.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\PROGRAM FILES\ADAPTEC\EASY CD CREATOR 4\CREATECD\CREATECD.EXE
C:\WINDOWS\APPLICATION DATA\OOCS.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\WORKS SHARED\WKCALREM.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\PROGRAM FILES\ONE-TOUCH\CDROMMNT.EXE
C:\PROGRAM FILES\SONY CORPORATION\IMAGE TRANSFER\SONYTRAY.EXE
C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
C:\PROGRAM FILES\ONE-TOUCH\KBOSDCTL.EXE
C:\PROGRAM FILES\ONE-TOUCH\CP32NKCC.EXE
C:\WINDOWS\WUAUCLT.EXE
C:\PROGRAM FILES\JASC SOFTWARE INC\PAINT SHOP PRO 7\PSP.EXE
C:\PROGRAM FILES\MOZILLA FIREFOX\FIREFOX.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\ZZZ_DOWNLOADS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.macalester.edu/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [ESS Daemon] C:\WINDOWS\ESSD.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [PRPCMonitor] PRPCUI.exe
O4 - HKLM\..\Run: [CP32NOT] C:\PROGRA~1\ONE-TO~1\CP32NBTN.EXE
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [RemoteControl] C:\WINDOWS\SYSTEM\rmctrl.exe
O4 - HKLM\..\Run: [S3TRAYHP] S3trayhp.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [CreateCD] C:\PROGRA~1\ADAPTEC\EASYCD~1\CREATECD\CREATECD.EXE -r
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [PHPGeekUtil] "C:\APACHE\APACHE.EXE" -k start -n PHPGeekUtil
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKCU\..\Run: [Uate] C:\WINDOWS\Application Data\oocs.exe
O4 - Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Startup: Image Transfer.lnk = C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe
O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.hp.com/go/business-notebook

#16 Nenena

Nenena

    Member

  • Full Member
  • Pip
  • 35 posts

Posted 14 August 2004 - 12:00 PM

(*bump*) because it looks like it's getting lost in the pile.

Now I've got Internet Explorer opening up pop-up windows at random times. I kill them before they can load. Especially annoying because I haven't used internet explorer for a month...

New HT log:

Logfile of HijackThis v1.98.2
Scan saved at 11:59:20 AM, on 8/14/2004
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\APACHE\APACHE.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\EXPLORER.EXE
C:\APACHE\APACHE.EXE
C:\WINDOWS\SYSTEM\WINOA386.MOD
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPLPR.EXE
C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPENH.EXE
C:\WINDOWS\SYSTEM\PRPCUI.EXE
C:\PROGRAM FILES\ONE-TOUCH\CP32NBTN.EXE
C:\WINDOWS\SYSTEM\RMCTRL.EXE
C:\WINDOWS\SYSTEM\S3TRAYHP.EXE
C:\WINDOWS\APPLICATION DATA\OOCS.EXE
C:\WINDOWS\SYSTEM\POQZRG.EXE
C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\WORKS SHARED\WKCALREM.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\ONE-TOUCH\CDROMMNT.EXE
C:\PROGRAM FILES\ONE-TOUCH\KBOSDCTL.EXE
C:\PROGRAM FILES\ONE-TOUCH\CP32NKCC.EXE
C:\PROGRAM FILES\MOZILLA FIREFOX\FIREFOX.EXE
C:\PROGRAM FILES\BITTORRENT\BTDOWNLOADGUI.EXE
C:\WINDOWS\WUAUCLT.EXE
C:\PROGRAM FILES\ZZZ_DOWNLOADS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.macalester.edu/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O2 - BHO: (no name) - {6CFB4F59-B64A-29C7-8753-60550DA82F41} - C:\WINDOWS\SYSTEM\REKXHEO.DLL
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [ESS Daemon] C:\WINDOWS\ESSD.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [PRPCMonitor] PRPCUI.exe
O4 - HKLM\..\Run: [CP32NOT] C:\PROGRA~1\ONE-TO~1\CP32NBTN.EXE
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [RemoteControl] C:\WINDOWS\SYSTEM\rmctrl.exe
O4 - HKLM\..\Run: [S3TRAYHP] S3trayhp.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [CreateCD] C:\PROGRA~1\ADAPTEC\EASYCD~1\CREATECD\CREATECD.EXE -r
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [PHPGeekUtil] "C:\APACHE\APACHE.EXE" -k start -n PHPGeekUtil
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKCU\..\Run: [Uate] C:\WINDOWS\Application Data\oocs.exe
O4 - HKCU\..\Run: [Egda] C:\WINDOWS\SYSTEM\poqzrg.exe
O4 - Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Startup: Image Transfer.lnk = C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe
O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.hp.com/go/business-notebook

#17 mmxx66

mmxx66

    The SWI drummer

  • Retired Staff
  • PipPipPipPipPip
  • 4,412 posts

Posted 14 August 2004 - 12:16 PM

When I go to Add/Remove Programs, the following suspicious stuff is still listed:
midADdle
PGate Basic
WhenUSearch

When I want to open a file and I choose "Open with...", the list of programs that pops up includes:
Dummy
updateipr
And "Windows Media Player" is listed twice, once with the normal icon, once with a weird icon. This may explain why it never opens or works for me anymore... (I have never downloaded an update to WMP, by the way.)



Try uninstalling , If you can愒 delete the folders:

C:\Program Files\midADdle
C:\Program Files\PGate Basic
C:\Program Files\WhenUSearch

Can you post a list of the folders in your C:\Program Files directory.

Now close all open windows AND browsers and check these items for HJT to fix:
O4 - HKCU\..\Run: [Uate] C:\WINDOWS\Application Data\oocs.exe
O4 - HKCU\..\Run: [Egda] C:\WINDOWS\SYSTEM\poqzrg.exe

Delete:
C:\WINDOWS\Application Data\oocs.exe
C:\WINDOWS\SYSTEM\poqzrg.exe

Download: "StartDreck", from here:
http://members.black.../startdreck.htm

Unzip to its own folder and start the program,

Press 'Config'
Press 'Unmark All'

Check the following boxes only:
Registry -> Run Keys
System/drivers> Running processes
Press 'Ok'

Press 'Save' and select hte location to save the log file
(default is the same folder as the application)

Post the log in this thread.

#18 Nenena

Nenena

    Member

  • Full Member
  • Pip
  • 35 posts

Posted 15 August 2004 - 12:20 PM

Try uninstalling , If you can愒 delete the folders:

C:\Program Files\midADdle
C:\Program Files\PGate Basic
C:\Program Files\WhenUSearch

Can you post a list of the folders in your  C:\Program Files directory.


The three folders listed above don't even show up in my C:\Program Files directory. (And I have all of my hidden folders shown, still). Instead of making a list, I double-checked every single folder on there, and I can honestly say that each folder contains a program that I deliberately installed, EXCEPT:

directx
Microsoft ActiveSync
SBApps

I can't remember what the above three are for... I'm probably just forgetful, though.

I tried going through add/remove programs again, but
midADdle asked me for an uninstallation key again, and I got suspicious and pressed "cancel".
PGate Basic asked me to download a special "uninstaller." I chose not to.
I tried to uninstall WhenUSearch, but a window popped up that said "an error has occurred when trying to uninstall WhenUSearch. The program may have already been uninstalled. Would you like to remove WhenUSearch from the list of programs?" I chose "yes," and then it was gone. But when I shut down and started up my computer again, it was baaaaack.


I did everything else you said. ^^ Here is my log from StartDreck:

StartDreck (build 2.1.7 public stable) - 2004-08-15 @ 12:17:32 (GMT -07:00)
Platform: Windows ME (Win 4.90.3000 )
Internet Explorer: 6.0.2800.1106
Logged in as default at OEMCOMPUTER

舞egistry
舞un Keys
翟urrent User
舞un
舞unOnce
聞efault User
舞un
舞unOnce
腿ocal Machine
舞un
*ScanRegistry=C:\WINDOWS\scanregw.exe /autorun
*TaskMonitor=C:\WINDOWS\taskmon.exe
*PCHealth=C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
*SystemTray=SysTray.Exe
*ESS Daemon=C:\WINDOWS\ESSD.exe
*SynTPLpr=C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
*SynTPEnh=C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
*LoadPowerProfile=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
*PRPCMonitor=PRPCUI.exe
*CP32NOT=C:\PROGRA~1\ONE-TO~1\CP32NBTN.EXE
*WorksFUD=C:\Program Files\Microsoft Works\wkfud.exe
*Microsoft Works Portfolio=C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
*Microsoft Works Update Detection=C:\Program Files\Microsoft Works\WkDetect.exe
*RemoteControl=C:\WINDOWS\SYSTEM\rmctrl.exe
*S3TRAYHP=S3trayhp.exe
*QuickTime Task="C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
*CreateCD=C:\PROGRA~1\ADAPTEC\EASYCD~1\CREATECD\CREATECD.EXE -r
+OptionalComponents
+MSFS
*Installed=1
+MAPI
*Installed=1
*NoChange=1
+MAPI
*Installed=1
*NoChange=1
舞unOnce
舞unServices
*LoadPowerProfile=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
*SchedulingAgent=mstask.exe
*SSDPSRV=C:\WINDOWS\SYSTEM\ssdpsrv.exe
**StateMgr=C:\WINDOWS\System\Restore\StateMgr.exe
*PHPGeekUtil="C:\APACHE\APACHE.EXE" -k start -n PHPGeekUtil
*StillImageMonitor=C:\WINDOWS\SYSTEM\STIMON.EXE
舞unServicesOnce
舞unOnceEx
舞unServicesOnceEx
肇iles
艋ystem/Drivers
舞unning Processes
+FFCF47E7=C:\WINDOWS\SYSTEM\KERNEL32.DLL
+FFFF8107=C:\WINDOWS\SYSTEM\MSGSRV32.EXE
+FFFE210B=C:\WINDOWS\SYSTEM\mmtask.tsk
+FFFE2B37=C:\WINDOWS\SYSTEM\MPREXE.EXE
+FFFE1A47=C:\WINDOWS\SYSTEM\MSTASK.EXE
+FFFE6F07=C:\WINDOWS\SYSTEM\SSDPSRV.EXE
+FFFE941F=C:\APACHE\APACHE.EXE
+FFFEC61B=C:\WINDOWS\SYSTEM\STIMON.EXE
+FFFEFE37=C:\WINDOWS\EXPLORER.EXE
+FFFD4E53=C:\APACHE\APACHE.EXE
+FFFD410F=C:\WINDOWS\SYSTEM\WINOA386.MOD
+FFFCD54B=C:\WINDOWS\TASKMON.EXE
+FFFB29EB=C:\WINDOWS\SYSTEM\SYSTRAY.EXE
+FFFB1CDF=C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPLPR.EXE
+FFFB61FB=C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPENH.EXE
+FFFB4DFB=C:\WINDOWS\SYSTEM\PRPCUI.EXE
+FFFBA48B=C:\PROGRAM FILES\ONE-TOUCH\CP32NBTN.EXE
+FFFBCCF3=C:\WINDOWS\SYSTEM\RMCTRL.EXE
+FFFBDA8F=C:\WINDOWS\SYSTEM\S3TRAYHP.EXE
+FFFBC5DF=C:\WINDOWS\SYSTEM\QTTASK.EXE
+FFFA3B6B=C:\PROGRAM FILES\ADAPTEC\EASY CD CREATOR 4\CREATECD\CREATECD.EXE
+FFFA9A77=C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\WORKS SHARED\WKCALREM.EXE
+FFFA9D03=C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
+FFFB5AFF=C:\WINDOWS\SYSTEM\WMIEXE.EXE
+FFFADA17=C:\PROGRAM FILES\SONY CORPORATION\IMAGE TRANSFER\SONYTRAY.EXE
+FFFB3C83=C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
+FFF97657=C:\WINDOWS\SYSTEM\PSTORES.EXE
+FFFB9473=C:\PROGRAM FILES\ONE-TOUCH\CDROMMNT.EXE
+FFF9E537=C:\PROGRAM FILES\ONE-TOUCH\KBOSDCTL.EXE
+FFF9CAC7=C:\PROGRAM FILES\ONE-TOUCH\CP32NKCC.EXE
+FFFCBD5B=C:\PROGRAM FILES\MOZILLA FIREFOX\FIREFOX.EXE
+FFF7BA4B=C:\PROGRAM FILES\BITTORRENT\BTDOWNLOADGUI.EXE
+FFF60A2F=C:\WINDOWS\RUNDLL32.EXE
+FFF775F7=C:\WINDOWS\WUAUCLT.EXE
+FFF77143=C:\PROGRAM FILES\STARTDRECK\STARTDRECK.EXE
翠pplication specific


*THEN* I shut down my computer and started it up again. Oocs is, for the first time, not running when I press crtl + alt + delete. Oocs and poqzrg also seem to be permanently deleted from my computer. However, midADdle and PGate Basic are still listed on my add/remove programs list. WhenUSearch, however, seems to be permanently gone.

I don't know if this matters or not, I thought it might be playing it safe to post a StartDreck log from after my shutdown/reboot, too. (If this is insanely redundant, then I apologize.)

StartDreck (build 2.1.7 public stable) - 2004-08-15 @ 12:25:29 (GMT -07:00)
Platform: Windows ME (Win 4.90.3000 )
Internet Explorer: 6.0.2800.1106
Logged in as default at OEMCOMPUTER

舞egistry
舞un Keys
翟urrent User
舞un
舞unOnce
聞efault User
舞un
舞unOnce
腿ocal Machine
舞un
*ScanRegistry=C:\WINDOWS\scanregw.exe /autorun
*TaskMonitor=C:\WINDOWS\taskmon.exe
*PCHealth=C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
*SystemTray=SysTray.Exe
*ESS Daemon=C:\WINDOWS\ESSD.exe
*SynTPLpr=C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
*SynTPEnh=C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
*LoadPowerProfile=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
*PRPCMonitor=PRPCUI.exe
*CP32NOT=C:\PROGRA~1\ONE-TO~1\CP32NBTN.EXE
*WorksFUD=C:\Program Files\Microsoft Works\wkfud.exe
*Microsoft Works Portfolio=C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
*Microsoft Works Update Detection=C:\Program Files\Microsoft Works\WkDetect.exe
*RemoteControl=C:\WINDOWS\SYSTEM\rmctrl.exe
*S3TRAYHP=S3trayhp.exe
*QuickTime Task="C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
*CreateCD=C:\PROGRA~1\ADAPTEC\EASYCD~1\CREATECD\CREATECD.EXE -r
+OptionalComponents
+MSFS
*Installed=1
+MAPI
*Installed=1
*NoChange=1
+MAPI
*Installed=1
*NoChange=1
舞unOnce
舞unServices
*LoadPowerProfile=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
*SchedulingAgent=mstask.exe
*SSDPSRV=C:\WINDOWS\SYSTEM\ssdpsrv.exe
**StateMgr=C:\WINDOWS\System\Restore\StateMgr.exe
*PHPGeekUtil="C:\APACHE\APACHE.EXE" -k start -n PHPGeekUtil
*StillImageMonitor=C:\WINDOWS\SYSTEM\STIMON.EXE
舞unServicesOnce
舞unOnceEx
舞unServicesOnceEx
肇iles
艋ystem/Drivers
舞unning Processes
+FFCF426B=C:\WINDOWS\SYSTEM\KERNEL32.DLL
+FFFF848B=C:\WINDOWS\SYSTEM\MSGSRV32.EXE
+FFFE2487=C:\WINDOWS\SYSTEM\mmtask.tsk
+FFFE2EBB=C:\WINDOWS\SYSTEM\MPREXE.EXE
+FFFE1FCB=C:\WINDOWS\SYSTEM\MSTASK.EXE
+FFFE6877=C:\WINDOWS\SYSTEM\SSDPSRV.EXE
+FFFE484B=C:\APACHE\APACHE.EXE
+FFFEF3D7=C:\WINDOWS\SYSTEM\STIMON.EXE
+FFFD0C8F=C:\WINDOWS\EXPLORER.EXE
+FFFE530F=C:\APACHE\APACHE.EXE
+FFFE5107=C:\WINDOWS\SYSTEM\WINOA386.MOD
+FFFB29F3=C:\WINDOWS\TASKMON.EXE
+FFFB3147=C:\WINDOWS\SYSTEM\SYSTRAY.EXE
+FFFB784B=C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPLPR.EXE
+FFFB520F=C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPENH.EXE
+FFFBB0CB=C:\WINDOWS\SYSTEM\PRPCUI.EXE
+FFFB802B=C:\PROGRAM FILES\ONE-TOUCH\CP32NBTN.EXE
+FFFA3A97=C:\WINDOWS\SYSTEM\RMCTRL.EXE
+FFFA6187=C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
+FFFA6BCB=C:\WINDOWS\SYSTEM\S3TRAYHP.EXE
+FFFB6FAB=C:\PROGRAM FILES\ONE-TOUCH\CDROMMNT.EXE
+FFFCEAD3=C:\PROGRAM FILES\ONE-TOUCH\KBOSDCTL.EXE
+FFFBE0B7=C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\WORKS SHARED\WKCALREM.EXE
+FFFA85AF=C:\PROGRAM FILES\ONE-TOUCH\CP32NKCC.EXE
+FFFAFACF=C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
+FFF92453=C:\WINDOWS\SYSTEM\WMIEXE.EXE
+FFF9E29F=C:\PROGRAM FILES\STARTDRECK\STARTDRECK.EXE
翠pplication specific

Edited by Nenena, 15 August 2004 - 12:33 PM.


#19 mmxx66

mmxx66

    The SWI drummer

  • Retired Staff
  • PipPipPipPipPip
  • 4,412 posts

Posted 16 August 2004 - 08:12 AM

You愉e almost there.
for Pgate Basic try this:

1.Update Ad-aware by using its Globe icon.
After updating, shutdown and restart Ad-aware.
Ad-aware is ready to scan and clean your system following these steps:

Under Ad-aware 6 > Settings (Gear at the top) > Tweaks > Scanning Engine:
"Unload recognized processes during scanning."
Under Ad-aware 6 > Settings (Gear at the top) > Tweaks > Cleaning Engine:
"Let Windows remove files in use after reboot."
Press "Scan Now"
Check option "Use Custom scanning options"
Check option "Activate In-Depth Scan"
Press "Select drives\folders to scan"
Select the active partition which is usually C:
Press "Next" to let Ad-aware scan your drives...
If it finds "bad" files and registry keys, press "Next" again
Right-click in that pane and choose "select all"
Press "next"
When it asks to remove all checked items, Press "OK"
Close Ad-aware, reboot your system and go on to Step 2 below.


2. Spybot S&D
Run Spybot S&D from desktop icon or Start menu.
Press "Search for updates" button to get list of updates available.
Press "Download updates" button.
Close all IE windows and close & restart Spybot S&D.
Press "Check for problems" button.
Have SpyBot remove all it marks in red by pressing "Fix selected problems"
Close Spybot S&D, reboot your system

Did it help?

#20 Nenena

Nenena

    Member

  • Full Member
  • Pip
  • 35 posts

Posted 16 August 2004 - 12:03 PM

Worked beautifully! Thank you.

Now, PGateBasic still shows up on my add/remove programs list, and when I try to remove it, I get an error message that says:

Cannot find 'files:///C:/Program Files/Common Files/remove_tools.html'

Then it opens up Internet Explorer, only it send me to my homepage, instead of to the "please download this uninstaller" message I got before.

That's the only problem I've noticed that's left.

BTW, thank you sooo much for all the help!

#21 mmxx66

mmxx66

    The SWI drummer

  • Retired Staff
  • PipPipPipPipPip
  • 4,412 posts

Posted 16 August 2004 - 03:44 PM

start up the Registry Editor by clicking the Start button, typing REGEDIT in the Run dialog box off the Start Menu, clicking OK or typing the Enter key. Next, navigate down the left pane of the Explorer-like Regedit window until you get to the following key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\
Uninstall

find the value PgateBasic and delete it

#22 Nenena

Nenena

    Member

  • Full Member
  • Pip
  • 35 posts

Posted 16 August 2004 - 10:03 PM

It worked perfectly - THANK YOU sooo much!

(And thank you for your patience with dealing with me, too.) Hooray! My computer appears to be perfectly clean now.

(*does a happy dance*)

#23 mmxx66

mmxx66

    The SWI drummer

  • Retired Staff
  • PipPipPipPipPip
  • 4,412 posts

Posted 17 August 2004 - 08:04 AM

Your welcome
Glad we could help :D




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

Member of ASAP and UNITE
Support SpywareInfo Forum - click the button