• Announcements

    • Budfred

      IE 11 copy/paste problem

      It has come to our attention that people using Internet Explorer 11 (IE 11) are having trouble with copy/paste to the forum. If you encounter this problem, using a different browser like Firefox or Chrome seems to get around the problem. We do not know what the problem is, but it seems to be specific to IE 11 and we are hopeful that Microsoft will eventually fix it.
Sign in to follow this  
Followers 0
LostOnTheWeb

Yikes!!! I've been hijacked!

12 posts in this topic

Please help - I'm constantly being redirected and have MSIE pages loading in the background - particularly something.dl, and acculoader, and a few other oddities. Any help from the experts would be greatly appreciated. Here is my Hijack this log - I'm running Windows Me and AOL. I keep removing the R0 and R1 items and they keep coming back. Thanks again.

 

Logfile of HijackThis v1.97.7

Scan saved at 10:02:15 PM, on 6/6/2004

Platform: Windows ME (Win9x 4.90.3000)

MSIE: Internet Explorer v5.50 (5.50.4134.0100)

 

Running processes:

C:\WINDOWS\SYSTEM\KERNEL32.DLL

C:\WINDOWS\SYSTEM\MSGSRV32.EXE

C:\WINDOWS\SYSTEM\MPREXE.EXE

C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\VS7DEBUG\MDM.EXE

C:\WINDOWS\SYSTEM\MSTASK.EXE

C:\WINDOWS\SYSTEM\SSDPSRV.EXE

C:\WINDOWS\SYSTEM\mmtask.tsk

C:\WINDOWS\SYSTEM\DEVLDR16.EXE

C:\WINDOWS\EXPLORER.EXE

C:\WINDOWS\SYSTEM\STIMON.EXE

C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE

C:\AFTER DARK\AFTER DARK.EXE

C:\WINDOWS\TASKMON.EXE

C:\PROGRAM FILES\MICROSOFT HARDWARE\MOUSE\POINT32.EXE

C:\WINDOWS\SYSTEM\SYSTRAY.EXE

C:\PROGRAM FILES\COMMON FILES\ADAPTEC SHARED\CREATECD\CREATECD50.EXE

C:\PROGRAM FILES\ADAPTEC\EASY CD CREATOR 5\DIRECTCD\DIRECTCD.EXE

C:\WINDOWS\SYSTEM32\WINTIME.EXE

C:\WINDOWS\SYSTEM\WMIEXE.EXE

C:\PROGRAM FILES\REAL\REALPLAYER\REALPLAY.EXE

C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE

C:\WINDOWS\SYSTEM\CTFMON.EXE

C:\WINDOWS\RunDLL.exe

C:\PROGRAM FILES\AMERICA ONLINE 7.0A\AOLTRAY.EXE

C:\WINDOWS\SYSTEM\SPOOL32.EXE

C:\WINDOWS\SYSTEM\HPZSTATX.EXE

C:\WINDOWS\SYSTEM\WBEM\WINMGMT.EXE

C:\WINDOWS\SYSTEM\DDHELP.EXE

C:\PROGRAM FILES\AMERICA ONLINE 7.0A\WAOL.EXE

C:\WINDOWS\SYSTEM\TAPISRV.EXE

C:\WINDOWS\SYSTEM\RNAAPP.EXE

C:\WINDOWS\TEMP\TD_0007.DIR\HIJACKTHIS.EXE

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://213.159.117.132/index.php

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.132/index.php

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://213.159.117.132/index.php

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.132/index.php

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.132/index.php

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.132/index.php

F1 - win.ini: run=hpfsched

O4 - HKLM\..\Run: [speed racer] C:\Program Files\Creative\PlayCenter\CTSRReg.exe

O4 - HKLM\..\Run: [scanRegistry] C:\WINDOWS\scanregw.exe /autorun

O4 - HKLM\..\Run: [After Dark QuickAccess] "c:\After Dark\After Dark.exe" /taskbar

O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe

O4 - HKLM\..\Run: [POINTER] point32.exe

O4 - HKLM\..\Run: [systemTray] SysTray.Exe

O4 - HKLM\..\Run: [CreateCD50] "C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r

O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"

O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER

O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s

O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme

O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET

O4 - HKLM\..\Run: [devldr16.exe] C:\WINDOWS\SYSTEM\devldr16.exe

O4 - HKLM\..\RunServices: [scriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg

O4 - HKLM\..\RunServices: [MDM7] "C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\VS7DEBUG\MDM.EXE"

O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme

O4 - HKLM\..\RunServices: [schedulingAgent] mstask.exe

O4 - HKLM\..\RunServices: [sSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe

O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe

O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe

O4 - HKCU\..\Run: [sr64] C:\WINDOWS\SYSTEM\SR64\BEBOCAPD.EXE

O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY

O4 - HKCU\..\Run: [msmc] C:\WINDOWS\SYSTEM\msmc.exe

O4 - Startup: UMAX VistaAccess.lnk.disabled

O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O4 - Startup: PowerReg Scheduler V3.exe

O4 - Startup: PowerReg Scheduler.exe

O4 - Startup: America Online 7.0 Tray Icon.lnk.disabled

O4 - Startup: Camio Viewer 3.2.lnk.disabled

O4 - Startup: Adobe Gamma Loader.exe.lnk.disabled

O4 - Startup: America Online 7.0 Tray Icon.lnk = C:\Program Files\America Online 7.0a\aoltray.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE10\EXCEL.EXE/3000

O9 - Extra button: Related (HKLM)

O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)

O9 - Extra button: Real.com (HKLM)

O9 - Extra button: Dell Home (HKCU)

O12 - Plugin for .mid: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin2.dll

O12 - Plugin for .mov: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll

O12 - Plugin for .mpeg: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin3.dll

O12 - Plugin for .MPG: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin3.dll

O12 - Plugin for .au: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin2.dll

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

O16 - DPF: {B33CCD56-0909-42C9-8A88-8976F66B8BF2} (AOL YGP Picture Finder Tool) - http://pak02.pictures.aol.com/ygp/aol/plug...der.8.0.3.0.cab

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/148119a...all/xscan53.cab

O19 - User stylesheet: (file missing)

Share this post


Link to post
Share on other sites

Download CW Shredder:

http://www3.ns.sympatico.ca/c.bennett03/CWShredder.exe

Open and hit the ->fix tab to fix all found problems

 

CW Shredder takes advantage of security holes in windows so you should install all critical as well as hot fixes available from windows update.

 

 

Create a folder on your hard drive somewhere like in "My Documents" and name it Hijackthis

Download 'Hijack This to its own folder http://www3.ns.sympatico.ca/c.bennett03/HijackThis.exe

Doubleclick HijackThis.exe, and hit "Scan".

 

When the scan is finished, the "Scan" button will change into a "Save Log" button.

Press that, save the log, load it in Notepad, and copy its contents here. Most of what it lists will be harmless or even essential, don't fix anything yet.

__________________

Share this post


Link to post
Share on other sites

Sorry - should have said it -I updated SPYBOT and CWS - ran both and both turn up clean. The Log above is the results after a cleaning with the two programs.

Share this post


Link to post
Share on other sites

Rescan once again with hijack this please and put a check next to each of the following items then close all browser windoes and click"fix checked"

 

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://213.159.117.132/index.php

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.132/index.php

 

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://213.159.117.132/index.php

 

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.132/index.php

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.132/index.php

 

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.132/index.php

 

O4 - HKCU\..\Run: [msmc] C:\WINDOWS\SYSTEM\msmc.exe

]

O19 - User stylesheet: (file missing)

 

 

Then reboot your system into safe mode and delete:

C:\WINDOWS\SYSTEM\msmc.exe

Share this post


Link to post
Share on other sites

Thanks for the quick help - I completed the steps and my HIJACKTHIS log is below. The R0 and R1 redirects keep coming back. While I was in Safe Mode I rand HijackThis and the R0 and R1 lines were not in the log (if this means anything). What should I try next? Thanks in advance.

 

 

Logfile of HijackThis v1.97.7

Scan saved at 6:31:56 PM, on 6/7/2004

Platform: Windows ME (Win9x 4.90.3000)

MSIE: Internet Explorer v5.50 (5.50.4134.0100)

 

Running processes:

C:\WINDOWS\SYSTEM\KERNEL32.DLL

C:\WINDOWS\SYSTEM\MSGSRV32.EXE

C:\WINDOWS\SYSTEM\mmtask.tsk

C:\WINDOWS\SYSTEM\MPREXE.EXE

C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\VS7DEBUG\MDM.EXE

C:\WINDOWS\SYSTEM\MSTASK.EXE

C:\WINDOWS\SYSTEM\SSDPSRV.EXE

C:\WINDOWS\SYSTEM\DEVLDR16.EXE

C:\WINDOWS\EXPLORER.EXE

C:\WINDOWS\SYSTEM\STIMON.EXE

C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE

C:\AFTER DARK\AFTER DARK.EXE

C:\WINDOWS\TASKMON.EXE

C:\PROGRAM FILES\MICROSOFT HARDWARE\MOUSE\POINT32.EXE

C:\WINDOWS\SYSTEM\SYSTRAY.EXE

C:\PROGRAM FILES\COMMON FILES\ADAPTEC SHARED\CREATECD\CREATECD50.EXE

C:\PROGRAM FILES\ADAPTEC\EASY CD CREATOR 5\DIRECTCD\DIRECTCD.EXE

C:\PROGRAM FILES\REAL\REALPLAYER\REALPLAY.EXE

C:\WINDOWS\SYSTEM\WMIEXE.EXE

C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE

C:\WINDOWS\SYSTEM\CTFMON.EXE

C:\WINDOWS\RunDLL.exe

C:\PROGRAM FILES\AMERICA ONLINE 7.0A\AOLTRAY.EXE

C:\WINDOWS\TEMP\TD_0005.DIR\HIJACKTHIS.EXE

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://213.159.117.132/index.php

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.132/index.php

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://213.159.117.132/index.php

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.132/index.php

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.132/index.php

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.132/index.php

O4 - HKLM\..\Run: [speed racer] C:\Program Files\Creative\PlayCenter\CTSRReg.exe

O4 - HKLM\..\Run: [scanRegistry] C:\WINDOWS\scanregw.exe /autorun

O4 - HKLM\..\Run: [After Dark QuickAccess] "c:\After Dark\After Dark.exe" /taskbar

O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe

O4 - HKLM\..\Run: [POINTER] point32.exe

O4 - HKLM\..\Run: [systemTray] SysTray.Exe

O4 - HKLM\..\Run: [CreateCD50] "C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r

O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"

O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER

O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s

O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme

O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET

O4 - HKLM\..\Run: [devldr16.exe] C:\WINDOWS\SYSTEM\devldr16.exe

O4 - HKLM\..\RunServices: [scriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg

O4 - HKLM\..\RunServices: [MDM7] "C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\VS7DEBUG\MDM.EXE"

O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme

O4 - HKLM\..\RunServices: [schedulingAgent] mstask.exe

O4 - HKLM\..\RunServices: [sSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe

O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe

O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe

O4 - HKCU\..\Run: [sr64] C:\WINDOWS\SYSTEM\SR64\BEBOCAPD.EXE

O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY

O4 - Startup: UMAX VistaAccess.lnk.disabled

O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O4 - Startup: PowerReg Scheduler V3.exe

O4 - Startup: PowerReg Scheduler.exe

O4 - Startup: America Online 7.0 Tray Icon.lnk.disabled

O4 - Startup: Camio Viewer 3.2.lnk.disabled

O4 - Startup: Adobe Gamma Loader.exe.lnk.disabled

O4 - Startup: America Online 7.0 Tray Icon.lnk = C:\Program Files\America Online 7.0a\aoltray.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE10\EXCEL.EXE/3000

O9 - Extra button: Related (HKLM)

O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)

O9 - Extra button: Real.com (HKLM)

O9 - Extra button: Dell Home (HKCU)

O12 - Plugin for .mid: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin2.dll

O12 - Plugin for .mov: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll

O12 - Plugin for .mpeg: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin3.dll

O12 - Plugin for .MPG: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin3.dll

O12 - Plugin for .au: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin2.dll

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

O16 - DPF: {B33CCD56-0909-42C9-8A88-8976F66B8BF2} (AOL YGP Picture Finder Tool) - http://pak02.pictures.aol.com/ygp/aol/plug...der.8.0.3.0.cab

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/148119a...all/xscan53.cab

Share this post


Link to post
Share on other sites

Rescan and put a check next to each of the following items then close all browser windows and click"fix checked"

 

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://213.159.117.132/index.php

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.132/index.php

 

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://213.159.117.132/index.php

 

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.132/index.php

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.132/index.php

 

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.132/index.php

Share this post


Link to post
Share on other sites

Done - I rechecked my CWS shredder and found I had two versions. I ran the newer one and voila -it was gone. Thanks for the help here's my new log - I think tit looks clean.

 

Logfile of HijackThis v1.97.7

Scan saved at 7:35:11 AM, on 6/8/2004

Platform: Windows ME (Win9x 4.90.3000)

MSIE: Internet Explorer v5.50 (5.50.4134.0100)

 

Running processes:

C:\WINDOWS\SYSTEM\KERNEL32.DLL

C:\WINDOWS\SYSTEM\MSGSRV32.EXE

C:\WINDOWS\SYSTEM\mmtask.tsk

C:\WINDOWS\SYSTEM\MPREXE.EXE

C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\VS7DEBUG\MDM.EXE

C:\WINDOWS\SYSTEM\MSTASK.EXE

C:\WINDOWS\SYSTEM\SSDPSRV.EXE

C:\WINDOWS\SYSTEM\STIMON.EXE

C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE

C:\WINDOWS\TASKMON.EXE

C:\WINDOWS\SYSTEM\SPOOL32.EXE

C:\WINDOWS\EXPLORER.EXE

C:\AFTER DARK\AFTER DARK.EXE

C:\PROGRAM FILES\MICROSOFT HARDWARE\MOUSE\POINT32.EXE

C:\WINDOWS\SYSTEM\SYSTRAY.EXE

C:\PROGRAM FILES\COMMON FILES\ADAPTEC SHARED\CREATECD\CREATECD50.EXE

C:\WINDOWS\SYSTEM\WMIEXE.EXE

C:\PROGRAM FILES\ADAPTEC\EASY CD CREATOR 5\DIRECTCD\DIRECTCD.EXE

C:\PROGRAM FILES\REAL\REALPLAYER\REALPLAY.EXE

C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE

C:\WINDOWS\SYSTEM\DEVLDR16.EXE

C:\WINDOWS\SYSTEM\CTFMON.EXE

C:\WINDOWS\RunDLL.exe

C:\PROGRAM FILES\AMERICA ONLINE 7.0A\AOLTRAY.EXE

C:\WINDOWS\SYSTEM\WBEM\WINMGMT.EXE

C:\WINDOWS\TEMP\TD_0003.DIR\HIJACKTHIS.EXE

 

O4 - HKLM\..\Run: [speed racer] C:\Program Files\Creative\PlayCenter\CTSRReg.exe

O4 - HKLM\..\Run: [scanRegistry] C:\WINDOWS\scanregw.exe /autorun

O4 - HKLM\..\Run: [After Dark QuickAccess] "c:\After Dark\After Dark.exe" /taskbar

O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe

O4 - HKLM\..\Run: [POINTER] point32.exe

O4 - HKLM\..\Run: [systemTray] SysTray.Exe

O4 - HKLM\..\Run: [CreateCD50] "C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r

O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"

O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER

O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s

O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme

O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET

O4 - HKLM\..\Run: [devldr16.exe] C:\WINDOWS\SYSTEM\devldr16.exe

O4 - HKLM\..\RunServices: [scriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg

O4 - HKLM\..\RunServices: [MDM7] "C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\VS7DEBUG\MDM.EXE"

O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme

O4 - HKLM\..\RunServices: [schedulingAgent] mstask.exe

O4 - HKLM\..\RunServices: [sSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe

O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe

O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe

O4 - HKCU\..\Run: [sr64] C:\WINDOWS\SYSTEM\SR64\BEBOCAPD.EXE

O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY

O4 - Startup: UMAX VistaAccess.lnk.disabled

O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O4 - Startup: PowerReg Scheduler V3.exe

O4 - Startup: PowerReg Scheduler.exe

O4 - Startup: America Online 7.0 Tray Icon.lnk.disabled

O4 - Startup: Camio Viewer 3.2.lnk.disabled

O4 - Startup: Adobe Gamma Loader.exe.lnk.disabled

O4 - Startup: America Online 7.0 Tray Icon.lnk = C:\Program Files\America Online 7.0a\aoltray.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE10\EXCEL.EXE/3000

O9 - Extra button: Related (HKLM)

O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)

O9 - Extra button: Real.com (HKLM)

O9 - Extra button: Dell Home (HKCU)

O12 - Plugin for .mid: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin2.dll

O12 - Plugin for .mov: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll

O12 - Plugin for .mpeg: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin3.dll

O12 - Plugin for .MPG: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin3.dll

O12 - Plugin for .au: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin2.dll

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

O16 - DPF: {B33CCD56-0909-42C9-8A88-8976F66B8BF2} (AOL YGP Picture Finder Tool) - http://pak02.pictures.aol.com/ygp/aol/plug...der.8.0.3.0.cab

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/148119a...all/xscan53.cab

Share this post


Link to post
Share on other sites

The log is not quite clean - I will give you a hand with it to clean it up. Mobo - Pleae check your personal messages.

Share this post


Link to post
Share on other sites

Please create a new directory C:\HJT and move the HijackThis.exe file into that directory and only run it from there. That way we can ensure that we have the backup files available in the event that they are needed.

 

Please browse to C:\WINDOWS\TEMP\TD_0003.DIR and look for all files that begin with backup-. Move all these files into the new C:\HJT directory. If you need instructions on how to do that, please let me know.

 

Press Ctrl+Alt+Delete once => Click Task Manager => Click the Processes tab => Double-click the Image Name column header to alphabetically sort the processes => Scroll through the list and look for "PowerReg Scheduler V3.exe", "PowerReg Scheduler.exe". If you find the files, click on them, and then click End Process => Exit the Task Manager.

 

Run HijackThis and delete the following:

O4 - HKCU\..\Run: [sr64] C:\WINDOWS\SYSTEM\SR64\BEBOCAPD.EXE <= I cannot find anything on this - Do you know what it is?

O4 - Startup: PowerReg Scheduler V3.exe

O4 - Startup: PowerReg Scheduler.exe

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/148119a...all/xscan53.cab

 

Please reboot into safe mode - How do I boot into "Safe" mode?

 

Please cleanup temporary files etc. Browse to and select all contents in the following folders (Windows may be WINNT or WIN98 etc.), and delete (Make sure to delete the sub-folders, but not the Temp folders themselves!):

  • C:\Windows\Temp (all contents)
  • C:\Documents and Settings\<Your Profile>\Local Settings\Temporary Internet Files (all contents) <=This will delete all your cached internet content including cookies. This is recommended and strongly suggested.
  • C:\Documents and Settings\<Your Profile>\Local Settings\Temp (all contents)
  • C:\Documents and Settings\<Any other users Profile>\Local Settings\Temporary Internet Files(all contents)
  • C:\Documents and Settings\<Any other users Profile>\Local Settings\Temp (all contents)
  • Empty your "Recycle Bin".
  • PowerReg Scheduler V3.exe <= You will have to search for this file
  • PowerReg Scheduler.exe <= You will have to search for this file

Reboot again and log in normally, repost a new HijackThis log into this message for further review.

Share this post


Link to post
Share on other sites

What exactly am I cleaning up with the steps you listed? I'm worried I've got some extreme thing going on now. I'll clean it up when I get home but I wondered what PowerReg etc. is.

 

Thanks again.

Share this post


Link to post
Share on other sites

PowerReg Scheduler is a registration scheduler. Periodically attempts to connect to the Internet. Gathers unknown information = Basically classified as adware, nothing extreme.

Share this post


Link to post
Share on other sites
Sign in to follow this  
Followers 0