Browser Redirected


16 replies to this topic

#1 bmorton

Posted 27 July 2004 - 04:47 PM

I have run all the spy software available (adware, spybot, cwshredder, coolwebsclear, kill2me). Also have cleared files with ccleaner.

Here are the symptoms:

1. Browser home page being modified every time I go into and out of IE and at system startup. AD WATCH is catching this. However, other symptoms continue.
The site it is currently setting is "res://hchoa.dll/indes/htm#37049". Another site (I did not document) was being set prior to using ADWARE. Since adware this is the setting.
2. ADWARE shows hchoa.dll is suspect. I remove it but it comes back.
3. Accessing site really becomes slow until entire system hangs.
4. On some occasions IE starts spawning quite a few Explorer processes that start with "Searching for ...."

Ran HijackThis; the log is as follows:

Logfile of HijackThis v1.98.0
Scan saved at 5:10:39 PM, on 7/27/04
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\LOGITECH\MOUSEWARE\SYSTEM\EM_EXEC.EXE
C:\WINDOWS\WT\UPDATER\WCMDMGR.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\EVNTSVC.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\DIGITAL IMAGING\BIN\HPOTDD01.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\DIGITAL IMAGING\BIN\HPOSOL08.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\DIGITAL IMAGING\BIN\HPOEVM08.EXE
C:\WINDOWS\SYSTEM\HPZIPM12.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\DIGITAL IMAGING\BIN\HPOSTS08.EXE
C:\WINDOWS\SYSTEM\INTERNAT.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\D3SN.EXE
C:\IE UTILITIES\HIJACKTHIS\HIJACKTHIS.EXE
C:\PROGRAM FILES\MSOFFICE\OFFICE\WINWORD.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.gump.net/search/index.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\hchoa.dll/sp.html#37049
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://hchoa.dll/index.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://hchoa.dll/index.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\hchoa.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\hchoa.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://hchoa.dll/index.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.gump.net/search/index.html
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;dynhost.inetcam.com;register.inetcam.com;;localhost;<local>
R3 - Default URLSearchHook is missing
O2 - BHO: BrowserHelper Class - {EBCDDA60-2A68-11D3-8A43-0060083CFB9C} - C:\WINDOWS\SYSTEM\NZDD.DLL (file missing)
O2 - BHO: Invisible Class - {7DD896A9-7AEB-430F-955B-CD125604FDCB} - C:\WINDOWS\SYSTEM\VEG32.DLL (file missing)
O2 - BHO: (no name) - {00000EF1-34E3-4633-87C6-1AA7A44296DA} - (no file)
O2 - BHO: Anonymizer Core Browser Helper Object - {2F2FBF0D-254F-11D5-B1E5-0050DAD7AF62} - C:\PROGRAM FILES\ANONYMIZER\CORE\ANONYMIZER.DLL (file missing)
O2 - BHO: PopupFilter Class - {1F2E844B-8211-46ff-8262-772F03295CF4} - C:\PROGRAM FILES\ALADDIN SYSTEMS\INTERNET CLEANUP\POPFILTR.DLL (file missing)
O2 - BHO: . - {D34F08C5-4F18-477c-86CB-1A9BEECFE37B} - C:\WINDOWS\APPLICATION DATA\IEQI\IEQI.DLL (file missing)
O2 - BHO: Class - {FC8FA69B-FBF5-C176-1082-0905AB77E3AF} - C:\WINDOWS\SYSTEM\WINYR.DLL (file missing)
O2 - BHO: 6˒7=9?>+@ - Data - (no file)
O2 - BHO: Class - {CC0CF1A3-63B9-E911-72FC-7746570414B2} - C:\WINDOWS\SYSTEM\MFCGG.DLL (file missing)
O2 - BHO: Class - {1CBAA6B1-D64E-A9DE-F1C9-853D1F9FC732} - C:\WINDOWS\SYSTEM\APPJK32.DLL (file missing)
O2 - BHO: Class - {FA991F0E-1BD9-6EAD-EFEC-2317207D5E37} - C:\WINDOWS\APIVF32.DLL (file missing)
O2 - BHO: Class - {75C0CE90-77B0-474A-9042-569FE1520654} - C:\WINDOWS\SYSTEM\WINBV.DLL (file missing)
O2 - BHO: Class - {E436CD32-AE4D-738A-E06E-D227AC75B577} - C:\WINDOWS\APIKB32.DLL (file missing)
O2 - BHO: Class - {EC2CF18F-71F2-5369-7AA5-B038B7715F1A} - C:\WINDOWS\SYSTEM\ADDYO.DLL (file missing)
O2 - BHO: Class - {877B338B-0B25-FB35-72B8-272EF3FF6CDC} - C:\WINDOWS\WINMW32.DLL (file missing)
O2 - BHO: Class - {587707A9-FC34-782E-821D-EE35D04D6F9D} - C:\WINDOWS\ADDCT.DLL (file missing)
O2 - BHO: Class - {A36795B7-C66F-30E1-24FB-CE2A8EB3E7E1} - C:\WINDOWS\SYSTEM\SDKSH32.DLL (file missing)
O2 - BHO: Class - {06C29B2B-EEBB-14DC-0A66-F0ED8226BB00} - C:\WINDOWS\SYSTEM\MFCWB.DLL (file missing)
O2 - BHO: Class - {AAF49E2D-5238-7996-454E-F46EB882598D} - C:\WINDOWS\SYSTEM\D3SC.DLL (file missing)
O2 - BHO: Class - {617458C6-6E17-07E1-3E8F-4F74E109BF8F} - C:\WINDOWS\NETGZ32.DLL (file missing)
O2 - BHO: Class - {848DC661-460C-1759-2257-AF74EE2D55E8} - C:\WINDOWS\SYSTEM\WINIP32.DLL (file missing)
O2 - BHO: Class - {99DA5AB8-7087-E065-9435-7E1E655BB58E} - C:\WINDOWS\SYSTEM\APIZU.DLL (file missing)
O2 - BHO: Class - {1E8A5464-4ACA-194D-5E29-E07DCDD5972E} - C:\WINDOWS\SYSTEM\D3SB.DLL (file missing)
O2 - BHO: Class - {0CFC42C2-E994-BF8E-9D53-9FBECF61038E} - C:\WINDOWS\SYSTEM\D3QW32.DLL (file missing)
O2 - BHO: Class - {FA4788F1-4822-A986-4D3E-44B435C19A9C} - C:\WINDOWS\WINAQ32.DLL (file missing)
O2 - BHO: Class - {A460D84A-E7E5-234E-7E11-AFF0CC22C181} - C:\WINDOWS\SYSTEM\MFCDL.DLL (file missing)
O2 - BHO: Class - {4F50B7F2-A038-D4A8-1978-9247661F76F7} - C:\WINDOWS\SYSTEM\ADDCZ32.DLL (file missing)
O2 - BHO: Class - {5B571395-D542-0087-653F-7C09A44F7F9B} - C:\WINDOWS\APPIO32.DLL (file missing)
O2 - BHO: Class - {B1EC0AC1-B601-E3C9-0088-A958BCC19DD7} - C:\WINDOWS\ATLGS.DLL (file missing)
O2 - BHO: Class - {5C0DA137-C7E7-0030-01E6-36822B1A2293} - C:\WINDOWS\SYSTEM\APPKA32.DLL (file missing)
O2 - BHO: Class - {8A5F0FCE-B4C7-C116-D92B-0B255A0B1010} - C:\WINDOWS\NTZX32.DLL (file missing)
O2 - BHO: Class - {0A8CC5AD-6CB8-94A8-FEF2-BEB1C9592B9F} - C:\WINDOWS\ADDDE.DLL (file missing)
O2 - BHO: Class - {46BCC53C-16A6-B232-32BE-A6A734001028} - C:\WINDOWS\SYSTEM\SDKNO.DLL (file missing)
O2 - BHO: Class - {319AAF29-5AF7-424D-A2BF-652F766BFD22} - C:\WINDOWS\MSEF.DLL (file missing)
O2 - BHO: Class - {A18BBD1A-155E-061F-CEC3-1D1D0FD001AD} - C:\WINDOWS\SYSXL32.DLL
O2 - BHO: Class - {014AA13A-49F9-5D06-3090-AFE8A6A99EB3} - C:\WINDOWS\SYSTEM\D3UW.DLL (file missing)
O2 - BHO: Class - {58A3B827-E558-6A95-E4CB-C1818FB35C24} - C:\WINDOWS\SYSTEM\D3OY.DLL (file missing)
O2 - BHO: Class - {0E04E44F-DABB-A3E6-D044-F99125738982} - C:\WINDOWS\SYSTEM\MFCVU.DLL (file missing)
O2 - BHO: Class - {2622A7EE-A486-8EBC-94F7-84B63486BC92} - C:\WINDOWS\SYSTEM\MSNM.DLL (file missing)
O2 - BHO: Class - {4B034615-6EB7-64E3-324F-7E2D83C47C51} - C:\WINDOWS\SYSTEM\IPAL.DLL (file missing)
O2 - BHO: Class - {72A39AEF-DD4E-4E16-F75A-38EC18D3FF84} - C:\WINDOWS\SYSTEM\APPCH32.DLL (file missing)
O2 - BHO: Class - {055BB011-24C0-044F-1AC2-0DD6BE5F0059} - C:\WINDOWS\WINJK.DLL (file missing)
O2 - BHO: Class - {8008A5E4-E7E0-D626-819E-2CABC19B791F} - C:\WINDOWS\SYSXL32.DLL
O2 - BHO: Class - {4A515210-1CD0-C708-D58B-235E88247714} - C:\WINDOWS\SYSXL32.DLL
O2 - BHO: Class - {180FCABA-EF31-938C-9338-3DC66EBCF1D1} - C:\WINDOWS\SYSXL32.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (file missing)
O2 - BHO: Class - {199374E3-93D9-A3DC-ECFD-83B509626878} - C:\WINDOWS\SYSXL32.DLL
O2 - BHO: Class - {FF1366ED-9E07-B33B-4476-0FAE65FC41AE} - C:\WINDOWS\SYSXL32.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Run StartupMonitor] StartupMonitor.exe
O4 - HKLM\..\Run: [CriticalUpdate] c:\windows\SYSTEM\wucrtupd.exe -startup
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\LOGITECH\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [wcmdmgr] C:\WINDOWS\wt\updater\wcmdmgrl.exe -launch
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKLM\..\Run: [Ad-watch] "C:\PROGRAM FILES\LAVASOFT\AD-AWARE 6\Ad-watch.exe"
O4 - HKLM\..\RunServices: [minilog] C:\WINDOWS\SYSTEM\ZoneLabs\MINILOG.EXE -service
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [MFCEE32.EXE] C:\WINDOWS\MFCEE32.EXE
O4 - HKLM\..\RunServices: [D3SN.EXE] C:\WINDOWS\D3SN.EXE
O4 - Startup: hpoddt01.exe.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - Startup: hp instant support.lnk = c:\Program Files\Hewlett-Packard\hpis\bin\mpbtn.exe
O4 - Startup: Quicken Scheduled Updates.lnk = C:\QUICKENW\bagent.exe
O4 - Startup: Quicken Startup.lnk = C:\QUICKENW\QWDLLS.EXE
O4 - Startup: Billminder.lnk = C:\WINDOWS\Application Data\Microsoft\Installer\{2D974D26-BA8F-4A0B-B7EE-3F563AF79746}\NewShortcut1.exe
O4 - Startup: officejet 6100.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O9 - Extra button: Net2Phone - {4B30061A-5B39-11D3-80F8-0090276F843F} - C:\Program Files\Net2Phone\Net2fone.exe
O9 - Extra 'Tools' menuitem: Net2Phone - {4B30061A-5B39-11D3-80F8-0090276F843F} - C:\Program Files\Net2Phone\Net2fone.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM95\AIM.EXE
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {EE8B6D5F-FEF2-11D0-B13F-00A024798EF3} (Microsoft Search Settings Control) - http://lg.home.micro...rchsettings.cab
O18 - Protocol: pcn - {D540F040-F3D9-11D0-95BE-00C04FD93CA5} - C:\PROGRAM FILES\ENCOMPASS\V1MK.DLL

Edited by bmorton, 28 July 2004 - 10:56 PM.


#2 bmorton

Posted 30 July 2004 - 08:49 AM

Help!!!!! Things are getting really bad. Cannot use my system for more than 20 minutes. "Search" windows are being spawned (dozens) and eventually everything hangs.

Here is the latest log:

Logfile of HijackThis v1.98.0
Scan saved at 9:23:04 AM, on 7/30/04
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\LOGITECH\MOUSEWARE\SYSTEM\EM_EXEC.EXE
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\EVNTSVC.EXE
C:\PROGRAM FILES\LAVASOFT\AD-AWARE 6\AD-WATCH.EXE
C:\WINDOWS\WT\UPDATER\WCMDMGR.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\DIGITAL IMAGING\BIN\HPOTDD01.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\DIGITAL IMAGING\BIN\HPOSOL08.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\DIGITAL IMAGING\BIN\HPOEVM08.EXE
C:\WINDOWS\SYSTEM\HPZIPM12.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\DIGITAL IMAGING\BIN\HPOSTS08.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\D3SN.EXE
C:\WINDOWS\SYSTEM\INTERNAT.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\IE UTILITIES\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.gump.net/search/index.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\hchoa.dll/sp.html#37049
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\hchoa.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\hchoa.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.gump.net/search/index.html
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;dynhost.inetcam.com;register.inetcam.com;;localhost;<local>
R3 - Default URLSearchHook is missing
O2 - BHO: BrowserHelper Class - {EBCDDA60-2A68-11D3-8A43-0060083CFB9C} - C:\WINDOWS\SYSTEM\NZDD.DLL (file missing)
O2 - BHO: Invisible Class - {7DD896A9-7AEB-430F-955B-CD125604FDCB} - C:\WINDOWS\SYSTEM\VEG32.DLL (file missing)
O2 - BHO: (no name) - {00000EF1-34E3-4633-87C6-1AA7A44296DA} - (no file)
O2 - BHO: Anonymizer Core Browser Helper Object - {2F2FBF0D-254F-11D5-B1E5-0050DAD7AF62} - C:\PROGRAM FILES\ANONYMIZER\CORE\ANONYMIZER.DLL (file missing)
O2 - BHO: PopupFilter Class - {1F2E844B-8211-46ff-8262-772F03295CF4} - C:\PROGRAM FILES\ALADDIN SYSTEMS\INTERNET CLEANUP\POPFILTR.DLL (file missing)
O2 - BHO: . - {D34F08C5-4F18-477c-86CB-1A9BEECFE37B} - C:\WINDOWS\APPLICATION DATA\IEQI\IEQI.DLL (file missing)
O2 - BHO: Class - {FC8FA69B-FBF5-C176-1082-0905AB77E3AF} - C:\WINDOWS\SYSTEM\WINYR.DLL (file missing)
O2 - BHO: 6˒7=9?>+@ - Data - (no file)
O2 - BHO: Class - {CC0CF1A3-63B9-E911-72FC-7746570414B2} - C:\WINDOWS\SYSTEM\MFCGG.DLL (file missing)
O2 - BHO: Class - {1CBAA6B1-D64E-A9DE-F1C9-853D1F9FC732} - C:\WINDOWS\SYSTEM\APPJK32.DLL (file missing)
O2 - BHO: Class - {FA991F0E-1BD9-6EAD-EFEC-2317207D5E37} - C:\WINDOWS\APIVF32.DLL (file missing)
O2 - BHO: Class - {75C0CE90-77B0-474A-9042-569FE1520654} - C:\WINDOWS\SYSTEM\WINBV.DLL (file missing)
O2 - BHO: Class - {E436CD32-AE4D-738A-E06E-D227AC75B577} - C:\WINDOWS\APIKB32.DLL (file missing)
O2 - BHO: Class - {EC2CF18F-71F2-5369-7AA5-B038B7715F1A} - C:\WINDOWS\SYSTEM\ADDYO.DLL (file missing)
O2 - BHO: Class - {877B338B-0B25-FB35-72B8-272EF3FF6CDC} - C:\WINDOWS\WINMW32.DLL (file missing)
O2 - BHO: Class - {587707A9-FC34-782E-821D-EE35D04D6F9D} - C:\WINDOWS\ADDCT.DLL (file missing)
O2 - BHO: Class - {A36795B7-C66F-30E1-24FB-CE2A8EB3E7E1} - C:\WINDOWS\SYSTEM\SDKSH32.DLL (file missing)
O2 - BHO: Class - {06C29B2B-EEBB-14DC-0A66-F0ED8226BB00} - C:\WINDOWS\SYSTEM\MFCWB.DLL (file missing)
O2 - BHO: Class - {AAF49E2D-5238-7996-454E-F46EB882598D} - C:\WINDOWS\SYSTEM\D3SC.DLL (file missing)
O2 - BHO: Class - {617458C6-6E17-07E1-3E8F-4F74E109BF8F} - C:\WINDOWS\NETGZ32.DLL (file missing)
O2 - BHO: Class - {848DC661-460C-1759-2257-AF74EE2D55E8} - C:\WINDOWS\SYSTEM\WINIP32.DLL (file missing)
O2 - BHO: Class - {99DA5AB8-7087-E065-9435-7E1E655BB58E} - C:\WINDOWS\SYSTEM\APIZU.DLL (file missing)
O2 - BHO: Class - {1E8A5464-4ACA-194D-5E29-E07DCDD5972E} - C:\WINDOWS\SYSTEM\D3SB.DLL (file missing)
O2 - BHO: Class - {0CFC42C2-E994-BF8E-9D53-9FBECF61038E} - C:\WINDOWS\SYSTEM\D3QW32.DLL (file missing)
O2 - BHO: Class - {FA4788F1-4822-A986-4D3E-44B435C19A9C} - C:\WINDOWS\WINAQ32.DLL (file missing)
O2 - BHO: Class - {A460D84A-E7E5-234E-7E11-AFF0CC22C181} - C:\WINDOWS\SYSTEM\MFCDL.DLL (file missing)
O2 - BHO: Class - {4F50B7F2-A038-D4A8-1978-9247661F76F7} - C:\WINDOWS\SYSTEM\ADDCZ32.DLL (file missing)
O2 - BHO: Class - {5B571395-D542-0087-653F-7C09A44F7F9B} - C:\WINDOWS\APPIO32.DLL (file missing)
O2 - BHO: Class - {B1EC0AC1-B601-E3C9-0088-A958BCC19DD7} - C:\WINDOWS\ATLGS.DLL (file missing)
O2 - BHO: Class - {5C0DA137-C7E7-0030-01E6-36822B1A2293} - C:\WINDOWS\SYSTEM\APPKA32.DLL (file missing)
O2 - BHO: Class - {8A5F0FCE-B4C7-C116-D92B-0B255A0B1010} - C:\WINDOWS\NTZX32.DLL (file missing)
O2 - BHO: Class - {0A8CC5AD-6CB8-94A8-FEF2-BEB1C9592B9F} - C:\WINDOWS\ADDDE.DLL (file missing)
O2 - BHO: Class - {46BCC53C-16A6-B232-32BE-A6A734001028} - C:\WINDOWS\SYSTEM\SDKNO.DLL (file missing)
O2 - BHO: Class - {319AAF29-5AF7-424D-A2BF-652F766BFD22} - C:\WINDOWS\MSEF.DLL (file missing)
O2 - BHO: Class - {A18BBD1A-155E-061F-CEC3-1D1D0FD001AD} - C:\WINDOWS\SYSXL32.DLL
O2 - BHO: Class - {014AA13A-49F9-5D06-3090-AFE8A6A99EB3} - C:\WINDOWS\SYSTEM\D3UW.DLL (file missing)
O2 - BHO: Class - {58A3B827-E558-6A95-E4CB-C1818FB35C24} - C:\WINDOWS\SYSTEM\D3OY.DLL (file missing)
O2 - BHO: Class - {0E04E44F-DABB-A3E6-D044-F99125738982} - C:\WINDOWS\SYSTEM\MFCVU.DLL (file missing)
O2 - BHO: Class - {2622A7EE-A486-8EBC-94F7-84B63486BC92} - C:\WINDOWS\SYSTEM\MSNM.DLL (file missing)
O2 - BHO: Class - {4B034615-6EB7-64E3-324F-7E2D83C47C51} - C:\WINDOWS\SYSTEM\IPAL.DLL (file missing)
O2 - BHO: Class - {72A39AEF-DD4E-4E16-F75A-38EC18D3FF84} - C:\WINDOWS\SYSTEM\APPCH32.DLL (file missing)
O2 - BHO: Class - {055BB011-24C0-044F-1AC2-0DD6BE5F0059} - C:\WINDOWS\WINJK.DLL (file missing)
O2 - BHO: Class - {8008A5E4-E7E0-D626-819E-2CABC19B791F} - C:\WINDOWS\SYSXL32.DLL
O2 - BHO: Class - {4A515210-1CD0-C708-D58B-235E88247714} - C:\WINDOWS\SYSXL32.DLL
O2 - BHO: Class - {180FCABA-EF31-938C-9338-3DC66EBCF1D1} - C:\WINDOWS\SYSXL32.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (file missing)
O2 - BHO: Class - {199374E3-93D9-A3DC-ECFD-83B509626878} - C:\WINDOWS\SYSXL32.DLL
O2 - BHO: Class - {FF1366ED-9E07-B33B-4476-0FAE65FC41AE} - C:\WINDOWS\SYSXL32.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Run StartupMonitor] StartupMonitor.exe
O4 - HKLM\..\Run: [CriticalUpdate] c:\windows\SYSTEM\wucrtupd.exe -startup
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\LOGITECH\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [wcmdmgr] C:\WINDOWS\wt\updater\wcmdmgrl.exe -launch
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKLM\..\Run: [Ad-watch] "C:\PROGRAM FILES\LAVASOFT\AD-AWARE 6\Ad-watch.exe"
O4 - HKLM\..\RunServices: [minilog] C:\WINDOWS\SYSTEM\ZoneLabs\MINILOG.EXE -service
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [MFCEE32.EXE] C:\WINDOWS\MFCEE32.EXE
O4 - Startup: hpoddt01.exe.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - Startup: hp instant support.lnk = c:\Program Files\Hewlett-Packard\hpis\bin\mpbtn.exe
O4 - Startup: Quicken Scheduled Updates.lnk = C:\QUICKENW\bagent.exe
O4 - Startup: Quicken Startup.lnk = C:\QUICKENW\QWDLLS.EXE
O4 - Startup: Billminder.lnk = C:\WINDOWS\Application Data\Microsoft\Installer\{2D974D26-BA8F-4A0B-B7EE-3F563AF79746}\NewShortcut1.exe
O4 - Startup: officejet 6100.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O9 - Extra button: Net2Phone - {4B30061A-5B39-11D3-80F8-0090276F843F} - C:\Program Files\Net2Phone\Net2fone.exe
O9 - Extra 'Tools' menuitem: Net2Phone - {4B30061A-5B39-11D3-80F8-0090276F843F} - C:\Program Files\Net2Phone\Net2fone.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM95\AIM.EXE
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {EE8B6D5F-FEF2-11D0-B13F-00A024798EF3} (Microsoft Search Settings Control) - http://lg.home.micro...rchsettings.cab
O18 - Protocol: pcn - {D540F040-F3D9-11D0-95BE-00C04FD93CA5} - C:\PROGRAM FILES\ENCOMPASS\V1MK.DLL

#3 pomp

Posted 30 July 2004 - 09:04 AM

hey

Go here http://www.downloads...AboutBuster.zip unzip to the desktop.

Reboot into safe mode by tapping F8 while it's booting. Open up about:buster. Read the directions. Then click OK. Click update and look for an update; if there's one, download it. Then click scan, and save the log from each scan of course; it'll scan twice. When done, boot back into normal mode, post both about:buster logs and a new hijackthis log.




PLEASE DON'T PM ME OR EMAIL ME WITH HELP ON LOGS :). POST IN THE FORUM INSTEAD

#4 bmorton

Posted 30 July 2004 - 10:27 AM

Thanks for the help

Ran AboutBuster log:
-- Scan 1 --------
About:Buster Version 2.0
Removed! : C:\WINDOWS\qrghav.dat
Removed! : C:\WINDOWS\d3sn.exe
Removed! : C:\WINDOWS\hchoa.dat
Removed! : C:\WINDOWS\hchoa.dll
Removed! : C:\WINDOWS\ezeewz.dat
Removed! : C:\WINDOWS\urdtm.dat
Removed! : C:\WINDOWS\gzoan.dat
Removed! : C:\WINDOWS\sysxl32.dll
Removed! : C:\WINDOWS\d3dx.exe
Removed! : C:\WINDOWS\addou32.exe
Removed! : C:\WINDOWS\n_uqzasb.dat
Removed! : C:\WINDOWS\jrfjw.dat
Removed! : C:\WINDOWS\pkbnr.dat
Removed! : C:\WINDOWS\SYSTEM\shhbs.dat
Removed! : C:\WINDOWS\SYSTEM\addlj.exe
Removed! : C:\WINDOWS\SYSTEM\apiiy.exe
Removed! : C:\WINDOWS\SYSTEM\ronbo.dat
Removed! : C:\WINDOWS\SYSTEM\pdopb.dat
Attempted Clean Of Temp folder.
Removed Uninstall Key (HSA)
Removed Uninstall Key (SE)
Removed Uninstall Key (SW)
Pages Reset... Done!

-- Scan 2 --------
About:Buster Version 2.0
Attempted Clean Of Temp folder.
Pages Reset... Done!

HijackThis log now:
Logfile of HijackThis v1.98.0
Scan saved at 11:21:04 AM, on 7/30/04
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\LOGITECH\MOUSEWARE\SYSTEM\EM_EXEC.EXE
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
C:\WINDOWS\WT\UPDATER\WCMDMGR.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\EVNTSVC.EXE
C:\PROGRAM FILES\LAVASOFT\AD-AWARE 6\AD-WATCH.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\DIGITAL IMAGING\BIN\HPOTDD01.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\DIGITAL IMAGING\BIN\HPOSOL08.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\DIGITAL IMAGING\BIN\HPOEVM08.EXE
C:\WINDOWS\SYSTEM\HPZIPM12.EXE
C:\WINDOWS\SYSTEM\INTERNAT.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\DIGITAL IMAGING\BIN\HPOSTS08.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\IE UTILITIES\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.gump.net/search/index.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\hchoa.dll/sp.html#37049
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\hchoa.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\hchoa.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.gump.net/search/index.html
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;dynhost.inetcam.com;register.inetcam.com;;localhost;<local>
R3 - Default URLSearchHook is missing
O2 - BHO: BrowserHelper Class - {EBCDDA60-2A68-11D3-8A43-0060083CFB9C} - C:\WINDOWS\SYSTEM\NZDD.DLL (file missing)
O2 - BHO: Invisible Class - {7DD896A9-7AEB-430F-955B-CD125604FDCB} - C:\WINDOWS\SYSTEM\VEG32.DLL (file missing)
O2 - BHO: (no name) - {00000EF1-34E3-4633-87C6-1AA7A44296DA} - (no file)
O2 - BHO: Anonymizer Core Browser Helper Object - {2F2FBF0D-254F-11D5-B1E5-0050DAD7AF62} - C:\PROGRAM FILES\ANONYMIZER\CORE\ANONYMIZER.DLL (file missing)
O2 - BHO: PopupFilter Class - {1F2E844B-8211-46ff-8262-772F03295CF4} - C:\PROGRAM FILES\ALADDIN SYSTEMS\INTERNET CLEANUP\POPFILTR.DLL (file missing)
O2 - BHO: . - {D34F08C5-4F18-477c-86CB-1A9BEECFE37B} - C:\WINDOWS\APPLICATION DATA\IEQI\IEQI.DLL (file missing)
O2 - BHO: Class - {FC8FA69B-FBF5-C176-1082-0905AB77E3AF} - C:\WINDOWS\SYSTEM\WINYR.DLL (file missing)
O2 - BHO: 6˒7=9?>+@ - Data - (no file)
O2 - BHO: Class - {CC0CF1A3-63B9-E911-72FC-7746570414B2} - C:\WINDOWS\SYSTEM\MFCGG.DLL (file missing)
O2 - BHO: Class - {1CBAA6B1-D64E-A9DE-F1C9-853D1F9FC732} - C:\WINDOWS\SYSTEM\APPJK32.DLL (file missing)
O2 - BHO: Class - {FA991F0E-1BD9-6EAD-EFEC-2317207D5E37} - C:\WINDOWS\APIVF32.DLL (file missing)
O2 - BHO: Class - {75C0CE90-77B0-474A-9042-569FE1520654} - C:\WINDOWS\SYSTEM\WINBV.DLL (file missing)
O2 - BHO: Class - {E436CD32-AE4D-738A-E06E-D227AC75B577} - C:\WINDOWS\APIKB32.DLL (file missing)
O2 - BHO: Class - {EC2CF18F-71F2-5369-7AA5-B038B7715F1A} - C:\WINDOWS\SYSTEM\ADDYO.DLL (file missing)
O2 - BHO: Class - {877B338B-0B25-FB35-72B8-272EF3FF6CDC} - C:\WINDOWS\WINMW32.DLL (file missing)
O2 - BHO: Class - {587707A9-FC34-782E-821D-EE35D04D6F9D} - C:\WINDOWS\ADDCT.DLL (file missing)
O2 - BHO: Class - {A36795B7-C66F-30E1-24FB-CE2A8EB3E7E1} - C:\WINDOWS\SYSTEM\SDKSH32.DLL (file missing)
O2 - BHO: Class - {06C29B2B-EEBB-14DC-0A66-F0ED8226BB00} - C:\WINDOWS\SYSTEM\MFCWB.DLL (file missing)
O2 - BHO: Class - {AAF49E2D-5238-7996-454E-F46EB882598D} - C:\WINDOWS\SYSTEM\D3SC.DLL (file missing)
O2 - BHO: Class - {617458C6-6E17-07E1-3E8F-4F74E109BF8F} - C:\WINDOWS\NETGZ32.DLL (file missing)
O2 - BHO: Class - {848DC661-460C-1759-2257-AF74EE2D55E8} - C:\WINDOWS\SYSTEM\WINIP32.DLL (file missing)
O2 - BHO: Class - {99DA5AB8-7087-E065-9435-7E1E655BB58E} - C:\WINDOWS\SYSTEM\APIZU.DLL (file missing)
O2 - BHO: Class - {1E8A5464-4ACA-194D-5E29-E07DCDD5972E} - C:\WINDOWS\SYSTEM\D3SB.DLL (file missing)
O2 - BHO: Class - {0CFC42C2-E994-BF8E-9D53-9FBECF61038E} - C:\WINDOWS\SYSTEM\D3QW32.DLL (file missing)
O2 - BHO: Class - {FA4788F1-4822-A986-4D3E-44B435C19A9C} - C:\WINDOWS\WINAQ32.DLL (file missing)
O2 - BHO: Class - {A460D84A-E7E5-234E-7E11-AFF0CC22C181} - C:\WINDOWS\SYSTEM\MFCDL.DLL (file missing)
O2 - BHO: Class - {4F50B7F2-A038-D4A8-1978-9247661F76F7} - C:\WINDOWS\SYSTEM\ADDCZ32.DLL (file missing)
O2 - BHO: Class - {5B571395-D542-0087-653F-7C09A44F7F9B} - C:\WINDOWS\APPIO32.DLL (file missing)
O2 - BHO: Class - {B1EC0AC1-B601-E3C9-0088-A958BCC19DD7} - C:\WINDOWS\ATLGS.DLL (file missing)
O2 - BHO: Class - {5C0DA137-C7E7-0030-01E6-36822B1A2293} - C:\WINDOWS\SYSTEM\APPKA32.DLL (file missing)
O2 - BHO: Class - {8A5F0FCE-B4C7-C116-D92B-0B255A0B1010} - C:\WINDOWS\NTZX32.DLL (file missing)
O2 - BHO: Class - {0A8CC5AD-6CB8-94A8-FEF2-BEB1C9592B9F} - C:\WINDOWS\ADDDE.DLL (file missing)
O2 - BHO: Class - {46BCC53C-16A6-B232-32BE-A6A734001028} - C:\WINDOWS\SYSTEM\SDKNO.DLL (file missing)
O2 - BHO: Class - {319AAF29-5AF7-424D-A2BF-652F766BFD22} - C:\WINDOWS\MSEF.DLL (file missing)
O2 - BHO: Class - {A18BBD1A-155E-061F-CEC3-1D1D0FD001AD} - C:\WINDOWS\SYSXL32.DLL (file missing)
O2 - BHO: Class - {014AA13A-49F9-5D06-3090-AFE8A6A99EB3} - C:\WINDOWS\SYSTEM\D3UW.DLL (file missing)
O2 - BHO: Class - {58A3B827-E558-6A95-E4CB-C1818FB35C24} - C:\WINDOWS\SYSTEM\D3OY.DLL (file missing)
O2 - BHO: Class - {0E04E44F-DABB-A3E6-D044-F99125738982} - C:\WINDOWS\SYSTEM\MFCVU.DLL (file missing)
O2 - BHO: Class - {2622A7EE-A486-8EBC-94F7-84B63486BC92} - C:\WINDOWS\SYSTEM\MSNM.DLL (file missing)
O2 - BHO: Class - {4B034615-6EB7-64E3-324F-7E2D83C47C51} - C:\WINDOWS\SYSTEM\IPAL.DLL (file missing)
O2 - BHO: Class - {72A39AEF-DD4E-4E16-F75A-38EC18D3FF84} - C:\WINDOWS\SYSTEM\APPCH32.DLL (file missing)
O2 - BHO: Class - {055BB011-24C0-044F-1AC2-0DD6BE5F0059} - C:\WINDOWS\WINJK.DLL (file missing)
O2 - BHO: Class - {8008A5E4-E7E0-D626-819E-2CABC19B791F} - C:\WINDOWS\SYSXL32.DLL (file missing)
O2 - BHO: Class - {4A515210-1CD0-C708-D58B-235E88247714} - C:\WINDOWS\SYSXL32.DLL (file missing)
O2 - BHO: Class - {180FCABA-EF31-938C-9338-3DC66EBCF1D1} - C:\WINDOWS\SYSXL32.DLL (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (file missing)
O2 - BHO: Class - {199374E3-93D9-A3DC-ECFD-83B509626878} - C:\WINDOWS\SYSXL32.DLL (file missing)
O2 - BHO: Class - {FF1366ED-9E07-B33B-4476-0FAE65FC41AE} - C:\WINDOWS\SYSXL32.DLL (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Run StartupMonitor] StartupMonitor.exe
O4 - HKLM\..\Run: [CriticalUpdate] c:\windows\SYSTEM\wucrtupd.exe -startup
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\LOGITECH\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [wcmdmgr] C:\WINDOWS\wt\updater\wcmdmgrl.exe -launch
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKLM\..\Run: [Ad-watch] "C:\PROGRAM FILES\LAVASOFT\AD-AWARE 6\Ad-watch.exe"
O4 - HKLM\..\RunServices: [minilog] C:\WINDOWS\SYSTEM\ZoneLabs\MINILOG.EXE -service
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [MFCEE32.EXE] C:\WINDOWS\MFCEE32.EXE
O4 - Startup: hpoddt01.exe.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - Startup: hp instant support.lnk = c:\Program Files\Hewlett-Packard\hpis\bin\mpbtn.exe
O4 - Startup: Quicken Scheduled Updates.lnk = C:\QUICKENW\bagent.exe
O4 - Startup: Quicken Startup.lnk = C:\QUICKENW\QWDLLS.EXE
O4 - Startup: Billminder.lnk = C:\WINDOWS\Application Data\Microsoft\Installer\{2D974D26-BA8F-4A0B-B7EE-3F563AF79746}\NewShortcut1.exe
O4 - Startup: officejet 6100.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O9 - Extra button: Net2Phone - {4B30061A-5B39-11D3-80F8-0090276F843F} - C:\Program Files\Net2Phone\Net2fone.exe
O9 - Extra 'Tools' menuitem: Net2Phone - {4B30061A-5B39-11D3-80F8-0090276F843F} - C:\Program Files\Net2Phone\Net2fone.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM95\AIM.EXE
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {EE8B6D5F-FEF2-11D0-B13F-00A024798EF3} (Microsoft Search Settings Control) - http://lg.home.micro...rchsettings.cab
O18 - Protocol: pcn - {D540F040-F3D9-11D0-95BE-00C04FD93CA5} - C:\PROGRAM FILES\ENCOMPASS\V1MK.DLL
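
Added example, not part of the thread and not code from either tool: the Python below cross-checks About:Buster's `Removed!` lines against a later HijackThis log and lists the entries that still point at a deleted file or at a missing target, which is the state the post-cleanup log above is in. The sample lines are excerpted from the logs in this thread; the function names and the reason labels are assumptions made for illustration.

```python
import ntpath
import re

# Excerpt of the About:Buster output posted above (sample, shortened).
ABOUTBUSTER_LOG = r"""
-- Scan 1 --------
About:Buster Version 2.0
Removed! : C:\WINDOWS\d3sn.exe
Removed! : C:\WINDOWS\hchoa.dll
Removed! : C:\WINDOWS\sysxl32.dll
Attempted Clean Of Temp folder.
"""

# Excerpt of the HijackThis log taken after the cleanup (sample, shortened).
HIJACKTHIS_AFTER = r"""
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\hchoa.dll/sp.html#37049
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: Class - {A18BBD1A-155E-061F-CEC3-1D1D0FD001AD} - C:\WINDOWS\SYSXL32.DLL (file missing)
O2 - BHO: Class - {FC8FA69B-FBF5-C176-1082-0905AB77E3AF} - C:\WINDOWS\SYSTEM\WINYR.DLL (file missing)
O4 - HKLM\..\RunServices: [MFCEE32.EXE] C:\WINDOWS\MFCEE32.EXE
"""

ENTRY_RE = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")      # e.g. "R1 - ...", "O2 - ..."
REMOVED_RE = re.compile(r"^Removed! : (.+)$")          # About:Buster removal line
RES_URL_RE = re.compile(r"res://([^/#]+)", re.IGNORECASE)  # module named in a res:// URL


def parse_removed(aboutbuster_log):
    """Return the lower-cased paths About:Buster reported as removed."""
    removed = set()
    for line in aboutbuster_log.splitlines():
        m = REMOVED_RE.match(line.strip())
        if m:
            removed.add(m.group(1).strip().lower())
    return removed


def triage(hijackthis_log, removed_paths):
    """List HijackThis entries that are left over after file removal.

    Returns (section, reasons, entry_text) tuples. Reasons (labels assumed here):
      references-removed-file  entry names a file the cleaner deleted
      res-url-setting          R0/R1 browser setting uses a res:// URL
      target-missing           HijackThis itself marked the target as absent
    """
    removed_names = {ntpath.basename(p) for p in removed_paths}
    findings = []
    for raw in hijackthis_log.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue  # header, process list and blank lines are not entries
        section, body = m.group(1), m.group(2)
        lowered = body.lower()

        # Full-path match, with a guard so "x.dll" does not match "x.dll.bak".
        refs_removed = any(
            re.search(re.escape(p) + r"(?![\w.])", lowered) for p in removed_paths
        )
        # res:// URLs may name the DLL without a directory, so compare by file name.
        res = RES_URL_RE.search(body) if section in ("R0", "R1") else None
        if res and ntpath.basename(res.group(1)).lower() in removed_names:
            refs_removed = True

        reasons = []
        if refs_removed:
            reasons.append("references-removed-file")
        if res:
            reasons.append("res-url-setting")
        if lowered.endswith(("(file missing)", "(no file)")):
            reasons.append("target-missing")
        if reasons:
            findings.append((section, tuple(reasons), body))
    return findings


if __name__ == "__main__":
    for section, reasons, body in triage(HIJACKTHIS_AFTER, parse_removed(ABOUTBUSTER_LOG)):
        print(f"{section}  {', '.join(reasons)}\n    {body}")
```

Entries that only appear under `target-missing` are stale registrations whose file was already gone before the scan; entries that the logic does not flag, such as the `MFCEE32.EXE` autostart, still need a human look.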

#5 pomp

Posted 30 July 2004 - 11:01 AM

hey, open hijackthis, and fix the following with no browser windows open:

R3 - Default URLSearchHook is missing
O2 - BHO: BrowserHelper Class - {EBCDDA60-2A68-11D3-8A43-0060083CFB9C} - C:\WINDOWS\SYSTEM\NZDD.DLL (file missing)
O2 - BHO: Invisible Class - {7DD896A9-7AEB-430F-955B-CD125604FDCB} - C:\WINDOWS\SYSTEM\VEG32.DLL (file missing)
O2 - BHO: (no name) - {00000EF1-34E3-4633-87C6-1AA7A44296DA} - (no file)
O2 - BHO: Anonymizer Core Browser Helper Object - {2F2FBF0D-254F-11D5-B1E5-0050DAD7AF62} - C:\PROGRAM FILES\ANONYMIZER\CORE\ANONYMIZER.DLL (file missing)
O2 - BHO: PopupFilter Class - {1F2E844B-8211-46ff-8262-772F03295CF4} - C:\PROGRAM FILES\ALADDIN SYSTEMS\INTERNET CLEANUP\POPFILTR.DLL (file missing)
O2 - BHO: . - {D34F08C5-4F18-477c-86CB-1A9BEECFE37B} - C:\WINDOWS\APPLICATION DATA\IEQI\IEQI.DLL (file missing)
O2 - BHO: Class - {FC8FA69B-FBF5-C176-1082-0905AB77E3AF} - C:\WINDOWS\SYSTEM\WINYR.DLL (file missing)
O2 - BHO: 6˒7=9?>+@ - Data - (no file)
O2 - BHO: Class - {CC0CF1A3-63B9-E911-72FC-7746570414B2} - C:\WINDOWS\SYSTEM\MFCGG.DLL (file missing)
O2 - BHO: Class - {1CBAA6B1-D64E-A9DE-F1C9-853D1F9FC732} - C:\WINDOWS\SYSTEM\APPJK32.DLL (file missing)
O2 - BHO: Class - {FA991F0E-1BD9-6EAD-EFEC-2317207D5E37} - C:\WINDOWS\APIVF32.DLL (file missing)
O2 - BHO: Class - {75C0CE90-77B0-474A-9042-569FE1520654} - C:\WINDOWS\SYSTEM\WINBV.DLL (file missing)
O2 - BHO: Class - {E436CD32-AE4D-738A-E06E-D227AC75B577} - C:\WINDOWS\APIKB32.DLL (file missing)
O2 - BHO: Class - {EC2CF18F-71F2-5369-7AA5-B038B7715F1A} - C:\WINDOWS\SYSTEM\ADDYO.DLL (file missing)
O2 - BHO: Class - {877B338B-0B25-FB35-72B8-272EF3FF6CDC} - C:\WINDOWS\WINMW32.DLL (file missing)
O2 - BHO: Class - {587707A9-FC34-782E-821D-EE35D04D6F9D} - C:\WINDOWS\ADDCT.DLL (file missing)
O2 - BHO: Class - {A36795B7-C66F-30E1-24FB-CE2A8EB3E7E1} - C:\WINDOWS\SYSTEM\SDKSH32.DLL (file missing)
O2 - BHO: Class - {06C29B2B-EEBB-14DC-0A66-F0ED8226BB00} - C:\WINDOWS\SYSTEM\MFCWB.DLL (file missing)
O2 - BHO: Class - {AAF49E2D-5238-7996-454E-F46EB882598D} - C:\WINDOWS\SYSTEM\D3SC.DLL (file missing)
O2 - BHO: Class - {617458C6-6E17-07E1-3E8F-4F74E109BF8F} - C:\WINDOWS\NETGZ32.DLL (file missing)
O2 - BHO: Class - {848DC661-460C-1759-2257-AF74EE2D55E8} - C:\WINDOWS\SYSTEM\WINIP32.DLL (file missing)
O2 - BHO: Class - {99DA5AB8-7087-E065-9435-7E1E655BB58E} - C:\WINDOWS\SYSTEM\APIZU.DLL (file missing)
O2 - BHO: Class - {1E8A5464-4ACA-194D-5E29-E07DCDD5972E} - C:\WINDOWS\SYSTEM\D3SB.DLL (file missing)
O2 - BHO: Class - {0CFC42C2-E994-BF8E-9D53-9FBECF61038E} - C:\WINDOWS\SYSTEM\D3QW32.DLL (file missing)
O2 - BHO: Class - {FA4788F1-4822-A986-4D3E-44B435C19A9C} - C:\WINDOWS\WINAQ32.DLL (file missing)
O2 - BHO: Class - {A460D84A-E7E5-234E-7E11-AFF0CC22C181} - C:\WINDOWS\SYSTEM\MFCDL.DLL (file missing)
O2 - BHO: Class - {4F50B7F2-A038-D4A8-1978-9247661F76F7} - C:\WINDOWS\SYSTEM\ADDCZ32.DLL (file missing)
O2 - BHO: Class - {5B571395-D542-0087-653F-7C09A44F7F9B} - C:\WINDOWS\APPIO32.DLL (file missing)
O2 - BHO: Class - {B1EC0AC1-B601-E3C9-0088-A958BCC19DD7} - C:\WINDOWS\ATLGS.DLL (file missing)
O2 - BHO: Class - {5C0DA137-C7E7-0030-01E6-36822B1A2293} - C:\WINDOWS\SYSTEM\APPKA32.DLL (file missing)
O2 - BHO: Class - {8A5F0FCE-B4C7-C116-D92B-0B255A0B1010} - C:\WINDOWS\NTZX32.DLL (file missing)
O2 - BHO: Class - {0A8CC5AD-6CB8-94A8-FEF2-BEB1C9592B9F} - C:\WINDOWS\ADDDE.DLL (file missing)
O2 - BHO: Class - {46BCC53C-16A6-B232-32BE-A6A734001028} - C:\WINDOWS\SYSTEM\SDKNO.DLL (file missing)
O2 - BHO: Class - {319AAF29-5AF7-424D-A2BF-652F766BFD22} - C:\WINDOWS\MSEF.DLL (file missing)
O2 - BHO: Class - {A18BBD1A-155E-061F-CEC3-1D1D0FD001AD} - C:\WINDOWS\SYSXL32.DLL (file missing)
O2 - BHO: Class - {014AA13A-49F9-5D06-3090-AFE8A6A99EB3} - C:\WINDOWS\SYSTEM\D3UW.DLL (file missing)
O2 - BHO: Class - {58A3B827-E558-6A95-E4CB-C1818FB35C24} - C:\WINDOWS\SYSTEM\D3OY.DLL (file missing)
O2 - BHO: Class - {0E04E44F-DABB-A3E6-D044-F99125738982} - C:\WINDOWS\SYSTEM\MFCVU.DLL (file missing)
O2 - BHO: Class - {2622A7EE-A486-8EBC-94F7-84B63486BC92} - C:\WINDOWS\SYSTEM\MSNM.DLL (file missing)
O2 - BHO: Class - {4B034615-6EB7-64E3-324F-7E2D83C47C51} - C:\WINDOWS\SYSTEM\IPAL.DLL (file missing)
O2 - BHO: Class - {72A39AEF-DD4E-4E16-F75A-38EC18D3FF84} - C:\WINDOWS\SYSTEM\APPCH32.DLL (file missing)
O2 - BHO: Class - {055BB011-24C0-044F-1AC2-0DD6BE5F0059} - C:\WINDOWS\WINJK.DLL (file missing)
O2 - BHO: Class - {8008A5E4-E7E0-D626-819E-2CABC19B791F} - C:\WINDOWS\SYSXL32.DLL (file missing)
O2 - BHO: Class - {4A515210-1CD0-C708-D58B-235E88247714} - C:\WINDOWS\SYSXL32.DLL (file missing)
O2 - BHO: Class - {180FCABA-EF31-938C-9338-3DC66EBCF1D1} - C:\WINDOWS\SYSXL32.DLL (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (file missing)
O2 - BHO: Class - {199374E3-93D9-A3DC-ECFD-83B509626878} - C:\WINDOWS\SYSXL32.DLL (file missing)
O2 - BHO: Class - {FF1366ED-9E07-B33B-4476-0FAE65FC41AE} - C:\WINDOWS\SYSXL32.DLL (file missing)

reboot your computer.

Post a new log.




PLEASE DON'T PM ME OR EMAIL ME WITH HELP ON LOGS :). POST IN THE FORUM INSTEAD

#6 bmorton

Posted 30 July 2004 - 11:37 AM

Thanks

Here you go:

Logfile of HijackThis v1.98.0
Scan saved at 12:32:07 PM, on 7/30/04
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\LOGITECH\MOUSEWARE\SYSTEM\EM_EXEC.EXE
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\EVNTSVC.EXE
C:\WINDOWS\WT\UPDATER\WCMDMGR.EXE
C:\PROGRAM FILES\LAVASOFT\AD-AWARE 6\AD-WATCH.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\DIGITAL IMAGING\BIN\HPOTDD01.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\DIGITAL IMAGING\BIN\HPOSOL08.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\DIGITAL IMAGING\BIN\HPOEVM08.EXE
C:\WINDOWS\SYSTEM\HPZIPM12.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\DIGITAL IMAGING\BIN\HPOSTS08.EXE
C:\WINDOWS\SYSTEM\INTERNAT.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\IE UTILITIES\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.gump.net/search/index.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\hchoa.dll/sp.html#37049
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\hchoa.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\hchoa.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.gump.net/search/index.html
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;dynhost.inetcam.com;register.inetcam.com;;localhost;<local>
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Run StartupMonitor] StartupMonitor.exe
O4 - HKLM\..\Run: [CriticalUpdate] c:\windows\SYSTEM\wucrtupd.exe -startup
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\LOGITECH\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [wcmdmgr] C:\WINDOWS\wt\updater\wcmdmgrl.exe -launch
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKLM\..\Run: [Ad-watch] "C:\PROGRAM FILES\LAVASOFT\AD-AWARE 6\Ad-watch.exe"
O4 - HKLM\..\RunServices: [minilog] C:\WINDOWS\SYSTEM\ZoneLabs\MINILOG.EXE -service
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [MFCEE32.EXE] C:\WINDOWS\MFCEE32.EXE
O4 - Startup: hpoddt01.exe.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - Startup: hp instant support.lnk = c:\Program Files\Hewlett-Packard\hpis\bin\mpbtn.exe
O4 - Startup: Quicken Scheduled Updates.lnk = C:\QUICKENW\bagent.exe
O4 - Startup: Quicken Startup.lnk = C:\QUICKENW\QWDLLS.EXE
O4 - Startup: Billminder.lnk = C:\WINDOWS\Application Data\Microsoft\Installer\{2D974D26-BA8F-4A0B-B7EE-3F563AF79746}\NewShortcut1.exe
O4 - Startup: officejet 6100.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O9 - Extra button: Net2Phone - {4B30061A-5B39-11D3-80F8-0090276F843F} - C:\Program Files\Net2Phone\Net2fone.exe
O9 - Extra 'Tools' menuitem: Net2Phone - {4B30061A-5B39-11D3-80F8-0090276F843F} - C:\Program Files\Net2Phone\Net2fone.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM95\AIM.EXE
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {EE8B6D5F-FEF2-11D0-B13F-00A024798EF3} (Microsoft Search Settings Control) - http://lg.home.micro...rchsettings.cab
O18 - Protocol: pcn - {D540F040-F3D9-11D0-95BE-00C04FD93CA5} - C:\PROGRAM FILES\ENCOMPASS\V1MK.DLL

#7 pomp

Posted 30 July 2004 - 12:20 PM

have hijackthis fix the following with no browser windows open:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\hchoa.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\hchoa.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\hchoa.dll/sp.html#37049
O4 - HKLM\..\RunServices: [MFCEE32.EXE] C:\WINDOWS\MFCEE32.EXE

reboot into safe mode.

find and delete:

C:\WINDOWS\MFCEE32.EXE

empty recycling bin and post a new log.





#8 bmorton

Posted 30 July 2004 - 12:43 PM

Thanks, all is done. C:\WINDOWS\MFCEE32.EXE. To be sure, I scanned for it elsewhere and did not find it.

Logfile of HijackThis v1.98.0
Scan saved at 1:37:13 PM, on 7/30/04
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\LOGITECH\MOUSEWARE\SYSTEM\EM_EXEC.EXE
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
C:\WINDOWS\WT\UPDATER\WCMDMGR.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\EVNTSVC.EXE
C:\PROGRAM FILES\LAVASOFT\AD-AWARE 6\AD-WATCH.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\DIGITAL IMAGING\BIN\HPOTDD01.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\DIGITAL IMAGING\BIN\HPOSOL08.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\DIGITAL IMAGING\BIN\HPOEVM08.EXE
C:\WINDOWS\SYSTEM\HPZIPM12.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\DIGITAL IMAGING\BIN\HPOSTS08.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\INTERNAT.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\IE UTILITIES\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.gump.net/search/index.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\hchoa.dll/sp.html#37049
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\hchoa.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\hchoa.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.gump.net/search/index.html
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;dynhost.inetcam.com;register.inetcam.com;;localhost;<local>
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Run StartupMonitor] StartupMonitor.exe
O4 - HKLM\..\Run: [CriticalUpdate] c:\windows\SYSTEM\wucrtupd.exe -startup
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\LOGITECH\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [wcmdmgr] C:\WINDOWS\wt\updater\wcmdmgrl.exe -launch
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKLM\..\Run: [Ad-watch] "C:\PROGRAM FILES\LAVASOFT\AD-AWARE 6\Ad-watch.exe"
O4 - HKLM\..\RunServices: [minilog] C:\WINDOWS\SYSTEM\ZoneLabs\MINILOG.EXE -service
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [MFCEE32.EXE] C:\WINDOWS\MFCEE32.EXE
O4 - Startup: hpoddt01.exe.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - Startup: hp instant support.lnk = c:\Program Files\Hewlett-Packard\hpis\bin\mpbtn.exe
O4 - Startup: Quicken Scheduled Updates.lnk = C:\QUICKENW\bagent.exe
O4 - Startup: Quicken Startup.lnk = C:\QUICKENW\QWDLLS.EXE
O4 - Startup: Billminder.lnk = C:\WINDOWS\Application Data\Microsoft\Installer\{2D974D26-BA8F-4A0B-B7EE-3F563AF79746}\NewShortcut1.exe
O4 - Startup: officejet 6100.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O9 - Extra button: Net2Phone - {4B30061A-5B39-11D3-80F8-0090276F843F} - C:\Program Files\Net2Phone\Net2fone.exe
O9 - Extra 'Tools' menuitem: Net2Phone - {4B30061A-5B39-11D3-80F8-0090276F843F} - C:\Program Files\Net2Phone\Net2fone.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM95\AIM.EXE
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {EE8B6D5F-FEF2-11D0-B13F-00A024798EF3} (Microsoft Search Settings Control) - http://lg.home.micro...rchsettings.cab
O18 - Protocol: pcn - {D540F040-F3D9-11D0-95BE-00C04FD93CA5} - C:\PROGRAM FILES\ENCOMPASS\V1MK.DLL

#9 pomp

Posted 30 July 2004 - 01:01 PM

fix the following with hijackthis, no browser windows open:

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.gump.net/search/index.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\hchoa.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\hchoa.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\hchoa.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.gump.net/search/index.html
O4 - HKLM\..\RunServices: [MFCEE32.EXE] C:\WINDOWS\MFCEE32.EXE

reboot your computer and post a new log.





#10 bmorton

Posted 30 July 2004 - 01:25 PM

Done - interesting that the hchoa.dll and MFCEE32.EXE keep coming back?

Logfile of HijackThis v1.98.0
Scan saved at 2:19:21 PM, on 7/30/04
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\LOGITECH\MOUSEWARE\SYSTEM\EM_EXEC.EXE
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\EVNTSVC.EXE
C:\PROGRAM FILES\LAVASOFT\AD-AWARE 6\AD-WATCH.EXE
C:\WINDOWS\WT\UPDATER\WCMDMGR.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\DIGITAL IMAGING\BIN\HPOTDD01.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\DIGITAL IMAGING\BIN\HPOSOL08.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\DIGITAL IMAGING\BIN\HPOEVM08.EXE
C:\WINDOWS\SYSTEM\HPZIPM12.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\DIGITAL IMAGING\BIN\HPOSTS08.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\INTERNAT.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\IE UTILITIES\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\hchoa.dll/sp.html#37049
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\hchoa.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\hchoa.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.gump.net/search/index.html
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;dynhost.inetcam.com;register.inetcam.com;;localhost;<local>
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Run StartupMonitor] StartupMonitor.exe
O4 - HKLM\..\Run: [CriticalUpdate] c:\windows\SYSTEM\wucrtupd.exe -startup
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\LOGITECH\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [wcmdmgr] C:\WINDOWS\wt\updater\wcmdmgrl.exe -launch
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKLM\..\Run: [Ad-watch] "C:\PROGRAM FILES\LAVASOFT\AD-AWARE 6\Ad-watch.exe"
O4 - HKLM\..\RunServices: [minilog] C:\WINDOWS\SYSTEM\ZoneLabs\MINILOG.EXE -service
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [MFCEE32.EXE] C:\WINDOWS\MFCEE32.EXE
O4 - Startup: hpoddt01.exe.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - Startup: hp instant support.lnk = c:\Program Files\Hewlett-Packard\hpis\bin\mpbtn.exe
O4 - Startup: Quicken Scheduled Updates.lnk = C:\QUICKENW\bagent.exe
O4 - Startup: Quicken Startup.lnk = C:\QUICKENW\QWDLLS.EXE
O4 - Startup: Billminder.lnk = C:\WINDOWS\Application Data\Microsoft\Installer\{2D974D26-BA8F-4A0B-B7EE-3F563AF79746}\NewShortcut1.exe
O4 - Startup: officejet 6100.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O9 - Extra button: Net2Phone - {4B30061A-5B39-11D3-80F8-0090276F843F} - C:\Program Files\Net2Phone\Net2fone.exe
O9 - Extra 'Tools' menuitem: Net2Phone - {4B30061A-5B39-11D3-80F8-0090276F843F} - C:\Program Files\Net2Phone\Net2fone.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM95\AIM.EXE
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {EE8B6D5F-FEF2-11D0-B13F-00A024798EF3} (Microsoft Search Settings Control) - http://lg.home.micro...rchsettings.cab
O18 - Protocol: pcn - {D540F040-F3D9-11D0-95BE-00C04FD93CA5} - C:\PROGRAM FILES\ENCOMPASS\V1MK.DLL

#11 pomp

Posted 30 July 2004 - 01:42 PM

hey, boot into safe mode by tapping F8 while it's booting up... have hijackthis fix the following with nothing open, except hijackthis:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\hchoa.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\hchoa.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\hchoa.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.gump.net/search/index.html
O4 - HKLM\..\RunServices: [MFCEE32.EXE] C:\WINDOWS\MFCEE32.EXE

reboot your computer back into normal mode and post a new log.





#12 bmorton

Posted 30 July 2004 - 02:27 PM

Did it. If I look at the log after the fix but before I reboot from safe mode, the changes were done. However, once I reboot the entries are back! I have included both logs.

While still in safe mode but after the fix:

Logfile of HijackThis v1.98.0
Scan saved at 3:03:26 PM, on 7/30/04
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\EXPLORER.EXE
C:\IE UTILITIES\HIJACKTHIS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;dynhost.inetcam.com;register.inetcam.com;;localhost;<local>
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Run StartupMonitor] StartupMonitor.exe
O4 - HKLM\..\Run: [CriticalUpdate] c:\windows\SYSTEM\wucrtupd.exe -startup
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\LOGITECH\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [wcmdmgr] C:\WINDOWS\wt\updater\wcmdmgrl.exe -launch
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKLM\..\Run: [Ad-watch] "C:\PROGRAM FILES\LAVASOFT\AD-AWARE 6\Ad-watch.exe"
O4 - HKLM\..\RunServices: [minilog] C:\WINDOWS\SYSTEM\ZoneLabs\MINILOG.EXE -service
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - Startup: hpoddt01.exe.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - Startup: hp instant support.lnk = c:\Program Files\Hewlett-Packard\hpis\bin\mpbtn.exe
O4 - Startup: Quicken Scheduled Updates.lnk = C:\QUICKENW\bagent.exe
O4 - Startup: Quicken Startup.lnk = C:\QUICKENW\QWDLLS.EXE
O4 - Startup: Billminder.lnk = C:\WINDOWS\Application Data\Microsoft\Installer\{2D974D26-BA8F-4A0B-B7EE-3F563AF79746}\NewShortcut1.exe
O4 - Startup: officejet 6100.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O9 - Extra button: Net2Phone - {4B30061A-5B39-11D3-80F8-0090276F843F} - C:\Program Files\Net2Phone\Net2fone.exe
O9 - Extra 'Tools' menuitem: Net2Phone - {4B30061A-5B39-11D3-80F8-0090276F843F} - C:\Program Files\Net2Phone\Net2fone.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM95\AIM.EXE
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {EE8B6D5F-FEF2-11D0-B13F-00A024798EF3} (Microsoft Search Settings Control) - http://lg.home.micro...rchsettings.cab
O18 - Protocol: pcn - {D540F040-F3D9-11D0-95BE-00C04FD93CA5} - C:\PROGRAM FILES\ENCOMPASS\V1MK.DLL

Log after reboot to normal mode:

Logfile of HijackThis v1.98.0
Scan saved at 3:11:09 PM, on 7/30/04
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\LOGITECH\MOUSEWARE\SYSTEM\EM_EXEC.EXE
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
C:\WINDOWS\WT\UPDATER\WCMDMGR.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\EVNTSVC.EXE
C:\PROGRAM FILES\LAVASOFT\AD-AWARE 6\AD-WATCH.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\DIGITAL IMAGING\BIN\HPOTDD01.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\DIGITAL IMAGING\BIN\HPOSOL08.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\DIGITAL IMAGING\BIN\HPOEVM08.EXE
C:\WINDOWS\SYSTEM\HPZIPM12.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\DIGITAL IMAGING\BIN\HPOSTS08.EXE
C:\IE UTILITIES\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\hchoa.dll/sp.html#37049
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\hchoa.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\hchoa.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.gump.net/search/index.html
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;dynhost.inetcam.com;register.inetcam.com;;localhost;<local>
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Run StartupMonitor] StartupMonitor.exe
O4 - HKLM\..\Run: [CriticalUpdate] c:\windows\SYSTEM\wucrtupd.exe -startup
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\LOGITECH\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [wcmdmgr] C:\WINDOWS\wt\updater\wcmdmgrl.exe -launch
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKLM\..\Run: [Ad-watch] "C:\PROGRAM FILES\LAVASOFT\AD-AWARE 6\Ad-watch.exe"
O4 - HKLM\..\RunServices: [minilog] C:\WINDOWS\SYSTEM\ZoneLabs\MINILOG.EXE -service
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [MFCEE32.EXE] C:\WINDOWS\MFCEE32.EXE
O4 - Startup: hpoddt01.exe.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - Startup: hp instant support.lnk = c:\Program Files\Hewlett-Packard\hpis\bin\mpbtn.exe
O4 - Startup: Quicken Scheduled Updates.lnk = C:\QUICKENW\bagent.exe
O4 - Startup: Quicken Startup.lnk = C:\QUICKENW\QWDLLS.EXE
O4 - Startup: Billminder.lnk = C:\WINDOWS\Application Data\Microsoft\Installer\{2D974D26-BA8F-4A0B-B7EE-3F563AF79746}\NewShortcut1.exe
O4 - Startup: officejet 6100.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O9 - Extra button: Net2Phone - {4B30061A-5B39-11D3-80F8-0090276F843F} - C:\Program Files\Net2Phone\Net2fone.exe
O9 - Extra 'Tools' menuitem: Net2Phone - {4B30061A-5B39-11D3-80F8-0090276F843F} - C:\Program Files\Net2Phone\Net2fone.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM95\AIM.EXE
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {EE8B6D5F-FEF2-11D0-B13F-00A024798EF3} (Microsoft Search Settings Control) - http://lg.home.micro...rchsettings.cab
O18 - Protocol: pcn - {D540F040-F3D9-11D0-95BE-00C04FD93CA5} - C:\PROGRAM FILES\ENCOMPASS\V1MK.DLL
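The comparison the two logs in post #12 invite, as an added example that is not part of the original thread: parse both HijackThis logs, subtract the safe-mode entries from the normal-mode ones, and pull out the DLL behind each `res://` value and any registry autostart that returned. The function names are hypothetical; the log lines are excerpted from the two logs above.

```python
import re

# "R1 - ...", "O4 - ..." etc. Header and running-process lines do not match.
ENTRY_RE = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")
# res://<path to dll>/<resource>: the page is loaded from inside that DLL.
RES_RE = re.compile(r"res://(.+?\.dll)/", re.IGNORECASE)
# Registry autostart form: HKLM\..\RunServices: [name] command line
RUN_RE = re.compile(r"^(HK\w+\\\.\.\\\w+): \[(.+?)\] (.+)$")

# Excerpt of the log taken in safe mode, right after the fix (from the thread).
AFTER_FIX_SAFE_MODE = r"""Logfile of HijackThis v1.98.0
Running processes:
C:\WINDOWS\EXPLORER.EXE
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
"""

# Excerpt of the log taken after rebooting to normal mode (from the thread).
AFTER_REBOOT_NORMAL = r"""Logfile of HijackThis v1.98.0
Running processes:
C:\WINDOWS\EXPLORER.EXE
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\hchoa.dll/sp.html#37049
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\hchoa.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\hchoa.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.gump.net/search/index.html
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [MFCEE32.EXE] C:\WINDOWS\MFCEE32.EXE
"""


def parse_entries(log_text):
    """Return the set of (section, detail) entries found in a HijackThis log."""
    entries = set()
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.add((m.group(1), m.group(2)))
    return entries


def reappeared(after_fix, after_reboot):
    """Entries absent right after the fix but present again after the reboot."""
    return sorted(parse_entries(after_reboot) - parse_entries(after_fix))


def triage(after_fix, after_reboot):
    """Summarise what came back: entries, res:// DLLs, registry autostarts."""
    back = reappeared(after_fix, after_reboot)
    dlls, autostarts = set(), []
    for section, detail in back:
        # Several registry values can point into the same DLL; de-duplicate.
        dlls.update(path.lower() for path in RES_RE.findall(detail))
        run = RUN_RE.match(detail)
        if section == "O4" and run:
            autostarts.append(
                {"key": run.group(1), "name": run.group(2), "command": run.group(3)}
            )
    return {"reappeared": back, "res_dlls": sorted(dlls), "autostarts": autostarts}


if __name__ == "__main__":
    result = triage(AFTER_FIX_SAFE_MODE, AFTER_REBOOT_NORMAL)
    print("Entries that came back after reboot:")
    for section, detail in result["reappeared"]:
        print(f"  {section} - {detail}")
    print("DLLs referenced through res:// :", ", ".join(result["res_dlls"]))
    for item in result["autostarts"]:
        print(f"Autostart restored under {item['key']}: {item['command']}")
```

An autostart entry that returns together with the search-page values is a natural first candidate to examine, because the values were clean in safe mode and changed only once startup items ran.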

#13 pomp

Posted 30 July 2004 - 03:29 PM

Hello

Do this:

Download Ad-aware from: http://www.lavasoft.de/res/aaw6.exe

Install the program and launch it.

First, in the main window, look in the bottom right corner and click on Check for updates now and download the latest reference files.

Next, we need to configure Ad-aware for a full scan.

Click on the Gear icon (second from the left) to access the preferences/settings window

1. In the General window make sure the following are selected:
  • Automatically save log-file
  • Automatically quarantine objects prior to removal
  • Safe Mode (always request confirmation)
2. Click on the Scanning button on the left and select:
  • Scan Within Archives
  • Scan Active Processes
  • Scan Registry
  • Deep Scan Registry
  • Scan my IE favorites for banned URLs
  • Scan my Hosts file
  • Under Click here to select drives + folders, choose:
    • All of your hard drives
Click on the Advanced button on the left and select:
  • Include additional process information
  • Include additional file information
  • Include environment information
  • Include additional object details
Click the Tweak button and select:
  • Under the Scanning Engine:
    • Unload recognized processes during scanning
    • Include basic Ad-aware settings in logfile
    • Include additional Ad-aware settings in logfile
  • Under the Cleaning Engine:
    • Let Windows remove files in use at next reboot
Click on Proceed to save the settings.

Click Start and on the next screen choose Activate in-depth Scan at the bottom of the page and then choose:
  • Use Custom Scanning Options
Click Next and Ad-aware will scan your hard drive(s) with the options you have selected.

When finished, mark everything for removal and get rid of it. (Right-click the window and choose Select All from the drop down menu and click Next).

Reboot your computer.

post a new log.





#14 bmorton

Posted 30 July 2004 - 04:54 PM

Did it. FYI I have been using ad-aware for awhile, however, without all of the options you had suggested.

Below is a new Hijack log. Below that is the adaware log.

--------------------------------------------------
Lavasoft Ad-aware Professional Build 6.181
Logfile created on :Friday, July 30, 2004 4:33:23 PM
Using reference-file :01R334 24.07.2004
______________________________________________________

Reffile status:
=========================
Reference file loaded:
Reference Number : 01R334 24.07.2004
Internal build : 268
File location : C:\PROGRAM FILES\LAVASOFT\AD-AWARE 6\reflist.ref
Total size : 1316091 Bytes
Signature data size : 1295051 Bytes
Reference data size : 20976 Bytes
Signatures total : 28648
Target categories : 10
Target families : 528

Memory + processor status:
==========================
Number of processors : 1
Processor architecture : Intel Pentium II
Memory available:22 %
Total physical memory:130200 kb
Available physical memory:22332 kb
Total page file size:956448 kb
Available on page file:838256 kb
Total virtual memory:2093056 kb
Available virtual memory:2044992 kb
OS:Windows (98)

Ad-aware Settings
=========================
Set : Activate in-depth scan (Recommended)
Set : Safe mode (always request confirmation)
Set : Scan active processes
Set : Scan registry
Set : Deep scan registry
Set : Scan my IE Favorites for banned URLs
Set : Scan within archives
Set : Scan my Hosts file

Extended Ad-aware Settings
=========================
Set : Unload recognized processes during scanning
Set : Include basic Ad-aware settings in logfile
Set : Include additional Ad-aware settings in logfile
Set : Automatically mark all objects in result list
Set : Automatically try to unregister objects prior to deletion
Set : Let windows remove files in use at next reboot
Set : Delete quarantined objects after restoring
Set : Completely reanalyze processes on change
Set : Block ActiveX installations
Set : Block IE save operations
Set : Block Popups and banned sites
Set : Log Ad-aware events
Set : Show splash screen
Set : Always back up reference file, before updating
Set : Play sound if scan produced a result


7-30-04 4:33:23 PM - Scan started. (Custom mode)

Listing running processes


#:1 [kernel32.dll]
FilePath : C:\WINDOWS\SYSTEM\
ProcessID : 4279211853
Threads : 8
Priority : High
FileSize : 460 KB
FileVersion : 4.10.1998
ProductVersion : 4.10.1998
Copyright : Copyright © Microsoft Corp. 1991-1998
CompanyName : Microsoft Corporation
FileDescription : Win32 Kernel core component
InternalName : KERNEL32
OriginalFilename : KERNEL32.DLL
ProductName : Microsoft® Windows® Operating System
Created on : 1/1/01
Last accessed : 7/30/04 4:00:00 AM
Last modified : 5/12/98 12:01:00 AM

#:2 [msgsrv32.exe]
FilePath : C:\WINDOWS\SYSTEM\
ProcessID : 4294956821
Threads : 1
Priority : Normal
FileSize : 11 KB
FileVersion : 4.10.1998
ProductVersion : 4.10.1998
Copyright : Copyright © Microsoft Corp. 1992-1998
CompanyName : Microsoft Corporation
FileDescription : Windows 32-bit VxD Message Server
InternalName : MSGSRV32
OriginalFilename : MSGSRV32.EXE
ProductName : Microsoft® Windows® Operating System
Created on : 1/1/01
Last accessed : 7/30/04 4:00:00 AM
Last modified : 5/12/98 12:01:00 AM

#:3 [mprexe.exe]
FilePath : C:\WINDOWS\SYSTEM\
ProcessID : 4294957733
Threads : 1
Priority : Normal
FileSize : 28 KB
FileVersion : 4.10.1998
ProductVersion : 4.10.1998
Copyright : Copyright © Microsoft Corp. 1993-1998
CompanyName : Microsoft Corporation
FileDescription : WIN32 Network Interface Service Process
InternalName : MPREXE
OriginalFilename : MPREXE.EXE
ProductName : Microsoft® Windows® Operating System
Created on : 1/1/01
Last accessed : 7/30/04 4:00:00 AM
Last modified : 5/12/98 12:01:00 AM

#:4 [vsmon.exe]
FilePath : C:\WINDOWS\SYSTEM\ZONELABS\
ProcessID : 4294884469
Threads : 17
Priority : Normal
FileSize : 893 KB
FileVersion : 5.0.590.015
ProductVersion : 5.0.590.015
Copyright : Copyright
CompanyName : Zone Labs Inc.
FileDescription : TrueVector Service
InternalName : vsmon
OriginalFilename : vsmon.exe
ProductName : TrueVector Service
Created on : 6/3/04 7:55:16 PM
Last accessed : 7/30/04 4:00:00 AM
Last modified : 5/17/04 8:55:26 AM

#:5 [mstask.exe]
FilePath : C:\WINDOWS\SYSTEM\
ProcessID : 4294893969
Threads : 2
Priority : Normal
FileSize : 109 KB
FileVersion : 4.71.1972.1
ProductVersion : 4.71.1972.1
Copyright : Copyright © Microsoft Corp. 2000
CompanyName : Microsoft Corporation
FileDescription : Task Scheduler Engine
InternalName : TaskScheduler
OriginalFilename : mstask.exe
ProductName : Microsoft
Created on : 6/18/01 4:33:20 PM
Last accessed : 7/30/04 4:00:00 AM
Last modified : 6/18/01 4:33:20 PM

#:6 [spool32.exe]
FilePath : C:\WINDOWS\SYSTEM\
ProcessID : 4294860469
Threads : 3
Priority : Normal
FileSize : 44 KB
FileVersion : 4.10.1998
ProductVersion : 4.10.1998
Copyright : Copyright © Microsoft Corp. 1994 - 1998
CompanyName : Microsoft Corporation
FileDescription : Spooler Sub System Process
InternalName : spool32
OriginalFilename : spool32.exe
ProductName : Microsoft® Windows® Operating System
Created on : 1/1/01
Last accessed : 7/30/04 4:00:00 AM
Last modified : 5/12/98 12:01:00 AM

#:7 [mmtask.tsk]
FilePath : C:\WINDOWS\SYSTEM\
ProcessID : 4294860737
Threads : 1
Priority : Normal
FileSize : 1 KB
FileVersion : 4.03.1998
ProductVersion : 4.03.1998
Copyright : Copyright
CompanyName : Microsoft Corporation
FileDescription : Multimedia background task support module
InternalName : mmtask.tsk
OriginalFilename : mmtask.tsk
ProductName : Microsoft Windows
Created on : 1/1/01
Last accessed : 7/30/04 4:00:00 AM
Last modified : 5/12/98 12:01:00 AM

#:8 [explorer.exe]
FilePath : C:\WINDOWS\
ProcessID : 4294844049
Threads : 13
Priority : Normal
FileSize : 176 KB
FileVersion : 4.72.3110.1
ProductVersion : 4.72.3110.1
Copyright : Copyright © Microsoft Corp. 1981-1997
CompanyName : Microsoft Corporation
FileDescription : Windows Explorer
InternalName : explorer
OriginalFilename : EXPLORER.EXE
ProductName : Microsoft® Windows NT® Operating System
Created on : 5/12/98 12:01:00 AM
Last accessed : 7/30/04 4:00:00 AM
Last modified : 5/12/98 12:01:00 AM

#:9 [systray.exe]
FilePath : C:\WINDOWS\SYSTEM\
ProcessID : 4294034285
Threads : 1
Priority : Normal
FileSize : 36 KB
FileVersion : 4.10.1998
ProductVersion : 4.10.1998
Copyright : Copyright © Microsoft Corp. 1993-1998
CompanyName : Microsoft Corporation
FileDescription : System Tray Applet
InternalName : SYSTRAY
OriginalFilename : SYSTRAY.EXE
ProductName : Microsoft® Windows® Operating System
Created on : 1/1/01
Last accessed : 7/30/04 4:00:00 AM
Last modified : 5/12/98 12:01:00 AM

#:10 [em_exec.exe]
FilePath : C:\PROGRAM FILES\LOGITECH\MOUSEWARE\SYSTEM\
ProcessID : 4293989381
Threads : 1
Priority : Normal
FileSize : 28 KB
FileVersion : 9.70.216
ProductVersion : 9.70
Copyright : Copyright
CompanyName : Logitech Inc.
FileDescription : Control Center
InternalName : EM_EXEC
OriginalFilename : EM_EXEC.CPP
ProductName : MouseWare
Created on : 2/1/03 6:45:07 PM
Last accessed : 7/30/04 4:00:00 AM
Last modified : 7/1/02 1:50:00 PM

#:11 [zlclient.exe]
FilePath : C:\PROGRAM FILES\ZONE LABS\ZONEALARM\
ProcessID : 4294001797
Threads : 7
Priority : Normal
FileSize : 681 KB
FileVersion : 5.0.590.015
ProductVersion : 5.0.590.015
Copyright : Copyright
CompanyName : Zone Labs Inc.
FileDescription : Zone Labs Client
InternalName : zlclient
OriginalFilename : zlclient.exe
ProductName : Zone Labs Client
Created on : 6/3/04 7:55:20 PM
Last accessed : 7/30/04 4:00:00 AM
Last modified : 5/17/04 8:56:14 AM

#:12 [wcmdmgr.exe]
FilePath : C:\WINDOWS\WT\UPDATER\
ProcessID : 4294003581
Threads : 4
Priority : Idle
FileSize : 148 KB
FileVersion : 1.6.2.3
ProductVersion : 1.6.2.3
Copyright : Copyright
CompanyName : WildTangent, Inc.
FileDescription : wcmdmgr
InternalName : WildTangent Updater Service
OriginalFilename : wcmdmgr.exe
ProductName : WildTangent Updater Service
Created on : 5/28/04 9:42:39 PM
Last accessed : 7/30/04 4:00:00 AM
Last modified : 3/12/04 7:53:48 PM

#:13 [evntsvc.exe]
FilePath : C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\
ProcessID : 4294001757
Threads : 2
Priority : Normal
FileSize : 143 KB
FileVersion : 0.1.0.880
ProductVersion : 0.1.0.880
Copyright : Copyright
CompanyName : RealNetworks, Inc.
FileDescription : RealNetworks Scheduler
InternalName : schedapp
OriginalFilename : evntsvc.EXE
ProductName : RealOne Player (32-bit)
Created on : 7/1/02 4:10:59 PM
Last accessed : 7/30/04 4:00:00 AM
Last modified : 7/1/02 4:11:00 PM

#:14 [ad-watch.exe]
FilePath : C:\PROGRAM FILES\LAVASOFT\AD-AWARE 6\
ProcessID : 4294013669
Threads : 3
Priority : Normal
FileSize : 383 KB
FileVersion : 3.1.2.17
ProductVersion : 3.0
Copyright : 2001-2003 Team Lavasoft
CompanyName : Lavasoft Sweden
FileDescription : Ad-watch Monitor
InternalName : Ad-watch.exe
OriginalFilename : Ad-watch.exe
ProductName : Ad-aware 6
Created on : 7/20/04 1:21:39 AM
Last accessed : 7/30/04 4:00:00 AM
Last modified : 2/13/03 2:04:42 AM

#:15 [hpotdd01.exe]
FilePath : C:\PROGRAM FILES\HEWLETT-PACKARD\DIGITAL IMAGING\BIN\
ProcessID : 4293975873
Threads : 3
Priority : Normal
FileSize : 28 KB
FileVersion : 1, 0, 0, 1
ProductVersion : 1, 0, 0, 1
Copyright : Copyright
CompanyName : Hewlett-Packard
FileDescription : hpotdd01
InternalName : hpotdd01
OriginalFilename : hpotdd01.exe
ProductName : Hewlett-Packard hpotdd01
Created on : 4/9/03 10:11:12 PM
Last accessed : 7/30/04 4:00:00 AM
Last modified : 4/9/03 10:11:12 PM

#:16 [hposol08.exe]
FilePath : C:\PROGRAM FILES\HEWLETT-PACKARD\DIGITAL IMAGING\BIN\
ProcessID : 4294047557
Threads : 3
Priority : Normal
FileSize : 144 KB
FileVersion : 4.2.0.021
ProductVersion : 2.4.1.021
Copyright : Copyright © Hewlett-Packard Co. 1995-2001
CompanyName : Hewlett-Packard Co.
FileDescription : HP OfficeJet COM Device Objects
InternalName : HPOSOL08
OriginalFilename : HPOSOL08.EXE
ProductName : hp digital imaging - hp all-in-one series
Created on : 4/9/03 9:42:06 PM
Last accessed : 7/30/04 4:00:00 AM
Last modified : 4/9/03 9:42:06 PM

#:17 [hpoevm08.exe]
FilePath : C:\PROGRAM FILES\HEWLETT-PACKARD\DIGITAL IMAGING\BIN\
ProcessID : 4294050221
Threads : 9
Priority : Normal
FileSize : 280 KB
FileVersion : 4.2.0.021
ProductVersion : 2.4.1.021
Copyright : Copyright © Hewlett-Packard Co. 1995-2001
CompanyName : Hewlett-Packard Co.
FileDescription : HP OfficeJet COM Event Manager
InternalName : HPOEVM08
OriginalFilename : HPOEVM08.EXE
ProductName : hp digital imaging - hp all-in-one series
Created on : 4/9/03 9:49:36 PM
Last accessed : 7/30/04 4:00:00 AM
Last modified : 4/9/03 9:49:36 PM

#:18 [hpzipm12.exe]
FilePath : C:\WINDOWS\SYSTEM\
ProcessID : 4294058489
Threads : 1
Priority : Normal
FileSize : 64 KB
FileVersion : 6, 0, 0, 0
ProductVersion : 6, 0, 0, 0
Copyright : Copyright
CompanyName : HP
FileDescription : PML Driver
InternalName : PmlDrv
OriginalFilename : PmlDrv.exe
ProductName : HP PML
Created on : 2/7/03 2:38:52 AM
Last accessed : 7/30/04 4:00:00 AM
Last modified : 2/7/03 2:38:52 AM

#:19 [hposts08.exe]
FilePath : C:\PROGRAM FILES\HEWLETT-PACKARD\DIGITAL IMAGING\BIN\
ProcessID : 4294207133
Threads : 2
Priority : Normal
FileSize : 304 KB
FileVersion : 4.2.0.021
ProductVersion : 2.4.1.021
Copyright : Copyright © Hewlett-Packard Co. 1995-2001
CompanyName : Hewlett-Packard Co.
FileDescription : HP OfficeJet Status
InternalName : HPOSTS08
OriginalFilename : HPOSTS08.EXE
ProductName : hp digital imaging - hp all-in-one series
Created on : 4/9/03 9:59:24 PM
Last accessed : 7/30/04 4:00:00 AM
Last modified : 4/9/03 9:59:24 PM

#:20 [internat.exe]
FilePath : C:\WINDOWS\SYSTEM\
ProcessID : 4294216777
Threads : 1
Priority : Normal
FileSize : 39 KB
FileVersion : 4.80.3008.1
ProductVersion : 4.80.3008.1
Copyright : Copyright © Microsoft Corp. 1981-1999
CompanyName : Microsoft Corporation
FileDescription : Internat
InternalName : Internat - exe
OriginalFilename : INTERNAT.EXE
ProductName : Microsoft® Windows NT® Operating System
Created on : 1/31/00 4:20:54 PM
Last accessed : 7/30/04 4:00:00 AM
Last modified : 1/31/00 4:20:54 PM

#:21 [ddhelp.exe]
FilePath : C:\WINDOWS\SYSTEM\
ProcessID : 4294413461
Threads : 2
Priority : Realtime
FileSize : 32 KB
FileVersion : 4.09.00.0900
ProductVersion : 4.09.00.0900
Copyright : Copyright
CompanyName : Microsoft Corporation
FileDescription : Microsoft DirectX Helper
InternalName : DDHelp.exe
OriginalFilename : DDHelp.exe
ProductName : Microsoft
Created on : 8/11/03 1:26:13 AM
Last accessed : 7/30/04 4:00:00 AM
Last modified : 12/12/02 4:14:32 AM

#:22 [pstores.exe]
FilePath : C:\WINDOWS\SYSTEM\
ProcessID : 4294316193
Threads : 3
Priority : Normal
FileSize : 79 KB
FileVersion : 5.00.1877.3
ProductVersion : 5.00.1877.3
Copyright : Copyright © Microsoft Corp. 1981-1998
CompanyName : Microsoft Corporation
FileDescription : Protected storage server
InternalName : Protected storage server
OriginalFilename : Protected storage server
ProductName : Microsoft® Windows NT® Operating System
Created on : 3/18/99 4:00:00 AM
Last accessed : 7/30/04 4:00:00 AM
Last modified : 3/18/99 4:00:00 AM

#:23 [ad-aware.exe]
FilePath : C:\PROGRAM FILES\LAVASOFT\AD-AWARE 6\
ProcessID : 4294101885
Threads : 3
Priority : Normal
FileSize : 724 KB
FileVersion : 6.0.1.183
ProductVersion : 6.0.0.0
Copyright : Copyright
CompanyName : Lavasoft Sweden
FileDescription : Ad-aware 6 core application
InternalName : Ad-aware.exe
OriginalFilename : Ad-aware.exe
ProductName : Lavasoft Ad-aware Plus
Created on : 7/13/04 12:53:41 AM
Last accessed : 7/30/04 4:00:00 AM
Last modified : 7/13/03 2:01:58 AM

Memory scan result :

New objects : 0
Objects found so far: 0


Started registry scan


Registry scan result :

New objects : 0
Objects found so far: 0


Started deep registry scan


Deep registry scan result :

New objects : 0
Objects found so far: 0


Deep scanning and examining files (C:)


Tracking Cookie Object recognized!
Type : File
Data : bill@overture[1].txt
Category : Data Miner
Comment :
Object : C:\WINDOWS\Cookies\

Created on : 7/30/04 1:00:31 PM
Last accessed : 7/30/04 4:00:00 AM
Last modified : 7/30/04 1:00:32 PM



Tracking Cookie Object recognized!
Type : File
Data : bill@2o7[1].txt
Category : Data Miner
Comment :
Object : C:\WINDOWS\Cookies\

Created on : 7/30/04 4:39:08 PM
Last accessed : 7/30/04 4:00:00 AM
Last modified : 7/30/04 4:39:10 PM



Tracking Cookie Object recognized!
Type : File
Data : bill@questionmarket[2].txt
Category : Data Miner
Comment :
Object : C:\WINDOWS\Cookies\

Created on : 7/30/04 1:01:38 PM
Last accessed : 7/30/04 4:00:00 AM
Last modified : 7/30/04 1:01:40 PM



Tracking Cookie Object recognized!
Type : File
Data : bill@zedo[1].txt
Category : Data Miner
Comment :
Object : C:\WINDOWS\Cookies\

Created on : 7/30/04 1:16:06 PM
Last accessed : 7/30/04 4:00:00 AM
Last modified : 7/30/04 1:16:08 PM



Tracking Cookie Object recognized!
Type : File
Data : bill@realmedia[1].txt
Category : Data Miner
Comment :
Object : C:\WINDOWS\Cookies\

Created on : 7/30/04 1:56:09 PM
Last accessed : 7/30/04 4:00:00 AM
Last modified : 7/30/04 1:56:10 PM



Disk scan result for C:\

New objects : 0
Objects found so far: 5


Performing conditional scans..


Conditional scan result:

New objects : 0
Objects found so far: 5


5:17:10 PM Scan complete

Summary of this scan

Total scanning time :00:43:47:640
Objects scanned :260241
Objects identified :5
Objects ignored :0
New objects :5


#15 pomp

pomp

    Forum Deity

  • Helper
  • 1,163 posts

Posted 30 July 2004 - 11:43 PM

Ok, well just fix whatever adaware finds.

And post a new hijackthis log.




PLEASE DON'T PM ME OR EMAIL ME WITH HELP ON LOGS :). POST IN THE FORUM INSTEAD

#16 bmorton

bmorton

    Member

  • Full Member
  • 9 posts

Posted 31 July 2004 - 09:00 PM

All seems to be working OK!! There does seem to be something trying to reset the hchoa and MFCEE32.EXE stanza in the registry. But it is not consistent and ad-watch is catching it when it does happen. I also installed IE 6 security update KB867801. This also seemed to help a lot.

Consider this one closed!

Again, many thanks.

#17 cnm

cnm

    Mother Lion of SWI

  • Administrators
  • PipPipPipPipPip
  • 25,317 posts

Posted 31 July 2004 - 09:24 PM

Glad we could help. :)

If you need this topic reopened, please request this by sending the moderating team an email with the address of the thread. This applies only to the original topic starter. Everyone else please begin a New Topic.

Microsoft MVP Windows Security 2005-2006
How camest thou in this pickle? -- William Shakespeare:(1564-1616)
The various helper groups here
UNITE




