Spyware problems...

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by ELMO4635, Jul 16, 2004.

  1. ELMO4635

    ELMO4635 Private E-2

    I have noticed my IE Homepage being redirected to another site and numerous strange processes (SYSTEM ???) running on the computer. The following is a list of EXE Files found in my C:\Windows\System\ Folder that I can't get rid of.

    I have Norton Virus and it detects the following files but it won't Delete\Quarantine or stop these programs from running... it will only allow me to Ignore them!!

    UPVZ32.exe
    IPVZ32.exe
    ATLWT32.exe
    D3JE.exe
    NTPQ32.exe
    ADDKB32.exe
    SYSJ32.exe
    IPWQ.exe
    JAVADU.exe
    NETUT.exe

    I am not at my infected computer so I am kinda vague as to some of the other details.

    Please Help!!

    Thanks in advance,
    ELMO4635
     
  2. Major Attitude

    Major Attitude Co-Owner MajorGeeks.Com Staff Member

    First off, it cannot delete or move them if they are running processes. Your first move is to reboot into safe mode (easiest way: reboot, and tap the F8 key over and over before the Windows splash screen until you get a screen asking what to boot to, and choose safe mode WITHOUT networking) and run your antivirus from there. If it cannot remove them, they may be in a system restore checkpoint, so you may need to disable system restore. http://forums.majorgeeks.com/showthread.php?t=31668
     
  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You have the HSA hijack problem. There are many threads here with info on resolving that. The tool used to fix it is HSremove, which is available here: http://www.majorgeeks.com/download4286.html

    Check out some of the threads and try giving HSremove a run. Let us know how this works out. If still having a problem, a HijackThis log will be the next step.
     
  4. ELMO4635

    ELMO4635 Private E-2

    Here is what I did...

    1. Selective Startup
    2. Ran SpyBot (detected DSO Exploit)
    3. Ran AdAware (3 registry keys, 5 registry values, 238 files, 1 folder)
    4. Ran Norton Anti-Virus (found nothing!)
    5. CCleaner (got rid of 460 items!!!)

    re-booted in normal startup


    Logged onto internet, and I am still encountering problems! Norton detected/quarantined the following while I was logging onto this Forum...

    a. C:\Windows\System\msar.exe
    b. C:\Windows\apixq32.exe
    c. C:\Windows\ntsk.exe

    Soooo, any ideas? I loaded and ran the Hijack This, but can't get it to save a log file... click on the save log button, Acrobat distiller pops up, asks for the save directory, and then gives me "can not find the specified file name"... any ideas???

    ELMO4635
     
  5. ELMO4635

    ELMO4635 Private E-2

    HSRemove only works on W2K and Xp... I am on WinME...

    ELMO4635
     
  6. ELMO4635

    ELMO4635 Private E-2

    Ok, I figured out Hijack This and here is the Log from it... Please tell me what I can delete...

    Logfile of HijackThis v1.98.0
    Scan saved at 10:29:17 PM, on 7/16/2004
    Platform: Windows ME (Win9x 4.90.3000)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\SCARDSVR.EXE
    C:\PROGRAM FILES\COMPAQ\COMPAQ MESSAGE SCREENER\BIN\COMPAQ-RBA.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\NTTY32.EXE
    C:\WINDOWS\NETHG32.EXE
    C:\WINDOWS\NTAV32.EXE
    C:\WINDOWS\NTPQ32.EXE
    C:\WINDOWS\D3QA32.EXE
    C:\WINDOWS\NTHU.EXE
    C:\WINDOWS\WINDE32.EXE
    C:\WINDOWS\NTHU.EXE
    C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS\SYSTEM\HIDSERV.EXE
    C:\PROGRAM FILES\COMPAQ\DIGITAL DASHBOARD\CPQMLDET.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\COMPAQ\EAKDRV\STARTDRV.EXE
    C:\COMPAQ\EAKDRV\EAKDRV.EXE
    C:\COMPAQ\EAKDRV\EAUSBKBD.EXE
    C:\PROGRAM FILES\ADAPTEC\DIRECTCD\DIRECTCD.EXE
    C:\PROGRAM FILES\IOMEGA\DRIVEICONS\IMGICON.EXE
    C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
    C:\PROGRAM FILES\ADOBE\ACROBAT 4.0\DISTILLR\ACROTRAY.EXE
    C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\OSA.EXE
    C:\PROGRAM FILES\HEWLETT-PACKARD\PHOTOSMART\HP SHARE-TO-WEB\HPGS2WNF.EXE
    C:\PROGRAM FILES\1STCLOCK\1STCLOCK.EXE
    C:\PROGRAM FILES\EFAX MESSENGER PLUS\DLLCMD32.EXE
    C:\PROGRAM FILES\EFAX MESSENGER PLUS\HOTTRAY.EXE
    C:\WINDOWS\NTHU.EXE
    C:\WINDOWS\NTHU.EXE
    C:\PROGRAM FILES\AMERICA ONLINE 8.0\WAOL.EXE
    C:\PROGRAM FILES\AMERICA ONLINE 8.0\SHELLMON.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\PROGRAM FILES\AMERICA ONLINE 8.0\AOLWBSPD.EXE
    C:\WINDOWS\SYSTEM\RNAAPP.EXE
    C:\WINDOWS\SYSTEM\TAPISRV.EXE
    C:\WINDOWS\NTTY32.EXE
    C:\PROGRAM FILES\YAHOO!\MESSENGER\YPAGER.EXE
    C:\WINDOWS\NTHU.EXE
    C:\WINDOWS\NTAV32.EXE
    C:\DOWNLOADS\TROJAN STUFF\HIJACKTHIS V1.98\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = C:\WINDOWS\system32\searchbar.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = C:\WINDOWS\system32\searchbar.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\vrluk.dll/sp.html#96676
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://vrluk.dll/index.html#96676
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = C:\WINDOWS\system32\searchbar.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://vrluk.dll/index.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\vrluk.dll/sp.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = C:\WINDOWS\system32\searchbar.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\vrluk.dll/sp.html#96676
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://vrluk.dll/index.html#96676
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = C:\WINDOWS\system32\searchbar.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = C:\WINDOWS\system32\searchbar.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = C:\WINDOWS\system32\searchbar.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = C:\WINDOWS\system32\searchbar.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    R3 - Default URLSearchHook is missing
    F1 - win.ini: run=hpfsched
    O2 - BHO: YBIOCtrl Class - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\windows\downloaded program files\googletoolbar_en_2.0.95-deleon.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (file missing)
    O2 - BHO: (no name) - {DF9CB6C3-8E7D-6253-4FD4-7C38D013948E} - (no file)
    O2 - BHO: Class - {C5A0213F-9307-ECF1-A431-1EE7CE97B4D6} - C:\WINDOWS\MSBJ32.DLL
    O2 - BHO: (no name) - {2FD7B633-A927-FA82-4276-954F455935FD} - (no file)
    O2 - BHO: Class - {514574F5-5462-C897-0875-89A1EF0CC0AB} - (no file)
    O2 - BHO: Class - {EC181F69-6F9B-E0B5-49A6-720AC3A3C6BF} - (no file)
    O2 - BHO: Class - {4FD59AD2-6ED1-8E08-7594-0D203675C6D6} - (no file)
    O2 - BHO: Class - {DDF6B14C-567D-8D1E-21D4-2CACE1295ABB} - (no file)
    O2 - BHO: Class - {15B3DA51-A198-31BF-F6CC-2CDD02055A3E} - (no file)
    O2 - BHO: Class - {8FA40EFE-FC97-FA46-089B-509029FFBFA4} - (no file)
    O2 - BHO: Class - {8C2B313B-0038-177E-6D7E-FA538BD46D1C} - (no file)
    O2 - BHO: Class - {5DA770C4-0CDD-E5B9-E625-42AA47AB9AA4} - (no file)
    O2 - BHO: Class - {BB197B27-4CA3-A24A-52B6-F425942B6006} - (no file)
    O2 - BHO: Class - {603713DB-4BD5-544A-66D3-C39C456D92CC} - (no file)
    O2 - BHO: Class - {AA113C9B-C719-C143-EA25-ABD884B0F8D2} - (no file)
    O2 - BHO: Class - {26D0FA21-EFF8-C17F-6F83-52429D909285} - (no file)
    O2 - BHO: Class - {F52290AB-E0CD-B14A-153C-571E8BE174F4} - (no file)
    O2 - BHO: Class - {7A7E10DA-FBEB-BEC0-8B9D-91213C74ECF2} - (no file)
    O2 - BHO: Class - {EC6769E7-72FF-CFC6-4623-8D56AA16A3B9} - (no file)
    O2 - BHO: Class - {7FB049AA-44CB-DB1B-19A0-178C89E8EF3E} - (no file)
    O2 - BHO: Class - {A65F11A0-3D1B-37FD-F86D-9AB8607151F1} - (no file)
    O2 - BHO: Class - {6544D292-6022-D0FE-FA2E-EAF197AB6EFF} - (no file)
    O2 - BHO: Class - {F6E2FCAE-1198-A1BC-63E6-EFD2567AC69A} - (no file)
    O2 - BHO: Class - {70F4D6A2-0914-1D47-1484-8C85DE149A71} - (no file)
    O2 - BHO: Class - {77E35B59-5DBF-CA0F-2037-00B52E21E874} - (no file)
    O2 - BHO: Class - {9EF0D61C-C95A-346F-C156-03B08B1C061C} - (no file)
    O2 - BHO: Class - {D53BE37F-3A2E-270B-1A0A-66FD4B4BEE2F} - (no file)
    O2 - BHO: Class - {CC3649CC-937E-3A26-8F83-9CF0CF5407FE} - (no file)
    O2 - BHO: Class - {983C1758-DCAA-83B6-A461-FBD6D56D852E} - (no file)
    O2 - BHO: Class - {EAEDD2F7-A231-D258-2D9D-83929E38D040} - (no file)
    O2 - BHO: Class - {CFF4779F-F33D-207B-BBD5-41D31CC341A3} - (no file)
    O2 - BHO: Class - {C8004A51-B1C6-2B52-CE97-BA80D6D6C5DB} - (no file)
    O2 - BHO: Class - {936521ED-B9F9-119B-1DE2-BD195A166D77} - (no file)
    O2 - BHO: Class - {D5459708-5146-5B78-2C15-69BF794D6B12} - (no file)
    O2 - BHO: Class - {402AEE94-BB1D-D3EA-410F-95DE07E61963} - (no file)
    O2 - BHO: Class - {643F6EB4-4E6A-F3D9-0A0E-18B8331E180E} - (no file)
    O2 - BHO: Class - {27B5350B-649B-63FF-1B2C-479661DBD6C6} - (no file)
    O2 - BHO: Class - {309E3958-B011-61F7-2E73-86BA5E7CF01C} - (no file)
    O2 - BHO: Class - {D2819F1B-480D-72B7-2C88-50B1A005686B} - (no file)
    O2 - BHO: Class - {324C7B28-F8EB-05C3-47CF-680DDABE2D8D} - (no file)
    O2 - BHO: Class - {33A52CAA-E6B2-6BF5-6851-6B2529CEB91F} - (no file)
    O2 - BHO: Class - {F016EFF6-7206-8B10-B2DA-2E5F3C5E643C} - (no file)
    O2 - BHO: Class - {C871E993-FDEC-292E-86CE-435FEE5CFF75} - (no file)
    O2 - BHO: Class - {5AB6D1CA-4262-0290-F0E4-2DD9F8C75EA0} - (no file)
    O2 - BHO: Class - {211394D0-4597-96D2-5708-8F46CADBEFBE} - (no file)
    O2 - BHO: Class - {A3C660FF-DEAB-ECF0-02FE-C8DC9874C708} - (no file)
    O2 - BHO: Class - {7AC4ED96-5D2A-C75F-1817-E095A3DF83C6} - (no file)
    O2 - BHO: Class - {4855AACF-1F8F-710E-EFAF-19B0F8EE4D1C} - (no file)
    O2 - BHO: Class - {699C95C3-7427-B7B8-F6E1-CFEADD02B32F} - (no file)
    O2 - BHO: Class - {C01397B5-886F-E2A8-2FDD-7B4758D1AE8E} - (no file)
    O2 - BHO: Class - {90707E5F-205F-EDE0-649B-D11991038005} - (no file)
    O2 - BHO: Class - {A3656B27-94CB-8007-2B4E-CB9A9B2318EA} - (no file)
    O2 - BHO: Class - {2A678BA3-53C6-44B1-C740-E707AAB611A1} - (no file)
    O2 - BHO: (no name) - {A960FD01-0366-6D16-1396-60F66A7427AF} - (no file)
    O2 - BHO: Class - {986A2C7C-4904-2497-83F3-184B3E592E38} - (no file)
    O2 - BHO: Class - {2AE9109E-80F1-35DD-394F-6BD77DC00A7F} - (no file)
    O2 - BHO: Class - {C4002AA0-E402-546F-B18D-E929FCC430C3} - (no file)
    O2 - BHO: Class - {057E4B07-0FF3-2D55-04FA-916C8CB770B3} - (no file)
    O2 - BHO: Class - {05B55B9F-479D-7717-E7DB-C5F00DBBC97D} - (no file)
    O2 - BHO: Class - {C3D0592A-E898-9364-DBD7-EC2ED69821AF} - C:\WINDOWS\MSQM32.DLL (file missing)
    O2 - BHO: Class - {CD010E8E-B898-B574-309E-3493BE208A30} - (no file)
    O2 - BHO: Class - {A5AD29F2-C417-ADBE-550D-61E932069FF5} - (no file)
    O2 - BHO: Class - {F3264A95-EA02-5435-7C3B-CC1A6BECFC5B} - C:\WINDOWS\ATLMW.DLL (file missing)
    O2 - BHO: (no name) - {0BAA3A49-7A8E-5D74-313B-E73706261741} - (no file)
    O2 - BHO: Class - {C6B06762-45A4-1988-6040-E97B5A082104} - (no file)
    O2 - BHO: Class - {2529CF0F-C4F4-8DF9-52A3-3A45712A004D} - (no file)
    O2 - BHO: Class - {D6BA699A-B568-C5DC-6026-CF56D6D3D065} - (no file)
    O2 - BHO: Class - {B1D05DCA-880F-EDB7-F481-CC7F71316A99} - (no file)
    O2 - BHO: Class - {B27E8BCF-1A21-257E-958D-00B94008A3E8} - (no file)
    O2 - BHO: Class - {7E29EE2C-6606-C2CD-8C74-48007DC5A1CA} - (no file)
    O2 - BHO: Class - {5BCC4498-742A-FEB5-F005-EF036D64A390} - (no file)
    O2 - BHO: Class - {3C75DEE8-A676-3365-4261-DF9B64D79D7D} - (no file)
    O2 - BHO: Class - {D56772D5-4787-FEC2-2F9F-D3396F635202} - (no file)
    O2 - BHO: Class - {4F75DD02-C3BD-5F4D-3EDC-7061DD005621} - (no file)
    O2 - BHO: Class - {29121237-C594-0436-C688-77EFC366D7A9} - (no file)
    O2 - BHO: Class - {55CE340C-2A74-5C5B-64CC-5C04A6D7957F} - (no file)
    O2 - BHO: Class - {B0D478BC-4C98-5956-D01E-F69F33B7AB11} - (no file)
    O2 - BHO: Class - {BED6B04D-64A6-3B91-5D8F-AFE9FA9B664C} - (no file)
    O2 - BHO: Class - {E5EB9E08-4EF0-EB31-49BD-E10CEB7BCE5D} - (no file)
    O2 - BHO: Class - {CBF1F509-4631-D544-B318-1452FEE2A371} - (no file)
    O2 - BHO: Class - {EDB1D042-289E-C3E9-C13A-ED9A7FA21D37} - (no file)
    O2 - BHO: Class - {92C13A2E-9A7F-21D3-5898-A6A429E0CF01} - (no file)
    O2 - BHO: Class - {4572B4C5-5DD0-E0C1-E935-4A5F6D06763D} - (no file)
    O2 - BHO: Class - {E2DA8039-CBDD-D81A-8D7D-92CC6B06F19C} - (no file)
    O2 - BHO: Class - {3C7403A2-D75B-1F0E-77DE-C7146BA683E9} - (no file)
    O2 - BHO: Class - {53986CBA-C143-90A1-3A0D-74BD478C4D1E} - (no file)
    O2 - BHO: Class - {B4D3EDEC-4A78-9601-3C16-8BDA7652758F} - (no file)
    O2 - BHO: Class - {A8EF15EB-C199-52DA-C71D-992B49FD321E} - (no file)
    O2 - BHO: Class - {DF5522D8-9359-F9A4-13E8-9DA8F72AA16D} - (no file)
    O2 - BHO: Class - {920AD1D2-5235-FD60-EB1A-42DB37705C6B} - (no file)
    O2 - BHO: Class - {9B29E5B6-E566-351A-E143-A593A516CF7A} - (no file)
    O2 - BHO: Class - {71E89C0E-2874-DFA4-2061-C457066D0FCC} - (no file)
    O2 - BHO: Class - {82F80FC7-37E2-6952-8E22-0DE4656825C5} - (no file)
    O2 - BHO: Class - {BBEC1B2A-AC72-57D9-D55D-F4CC11608C95} - (no file)
    O2 - BHO: Class - {0597D537-86A0-08BE-1BB8-7597D9D9FE0A} - (no file)
    O2 - BHO: Class - {15174FC7-3978-A8EB-2E2F-CDCF325AF7B7} - (no file)
    O2 - BHO: Class - {EBC21DD1-18C4-74D7-C935-89E653731491} - C:\WINDOWS\IPNZ32.DLL (file missing)
    O2 - BHO: Class - {DD853910-DE3B-6AA5-3151-0ADF80EF05F4} - (no file)
    O2 - BHO: Class - {17430854-4E14-06E8-8573-05BB1F5E5DF6} - (no file)
    O2 - BHO: Class - {787633EB-8F9E-66A4-0026-A3987933DF9F} - (no file)
    O2 - BHO: Class - {0CC44EF2-0371-DAA0-3870-57FF6F6D01F4} - (no file)
    O2 - BHO: Class - {C2E378C6-A9C3-5F16-1F44-60897D78858E} - (no file)
    O2 - BHO: Class - {1F6B2AC9-8A18-97CC-C47B-CBBFB1EDBEF1} - (no file)
    O2 - BHO: Class - {6ED7881C-15E8-9C0E-4F52-AC2FEF0427E5} - (no file)
    O2 - BHO: Class - {40FA2355-DEA8-B02D-B2CC-10D5115F4DA8} - (no file)
    O2 - BHO: Class - {FEF22621-9874-CE5F-4F45-E119822E35B8} - (no file)
    O2 - BHO: Class - {7EFE0B4F-CF0A-0367-88AF-EDB349FEAC20} - (no file)
    O2 - BHO: Class - {3EAE9059-F848-0AF4-9179-E88F6B07ABB0} - (no file)
    O2 - BHO: Class - {C0F1C398-7405-5674-9029-55DE0FF52B0F} - (no file)
    O2 - BHO: Class - {64B03427-767A-A677-BFBA-CA02D52D9AE8} - (no file)
    O2 - BHO: Class - {1487B770-6A12-97D9-7B4A-24F6E0B7B61F} - (no file)
    O2 - BHO: Class - {C2F8171E-EE39-2E09-C899-6D4CA52D166B} - (no file)
    O2 - BHO: Class - {483EE7DE-21B6-16C6-7854-A6A21C6B2C20} - (no file)
    O2 - BHO: Class - {0B88F24F-66EF-91EA-6D60-D124CEADCA20} - (no file)
    O2 - BHO: Class - {35D04B13-540E-94EE-E3D3-A514F3941F85} - (no file)
    O2 - BHO: Class - {4288150C-A768-30F0-AFEC-CE3155F28398} - (no file)
    O2 - BHO: Class - {ABE38F53-421C-207B-DB34-60FC37406789} - (no file)
    O2 - BHO: Class - {0B7E5DBF-8DC6-4100-0DFD-72DBFA50CE36} - (no file)
    O2 - BHO: Class - {DD64FBB3-0059-FB29-AE0F-FEDA2065FC44} - (no file)
    O2 - BHO: Class - {47B847AB-7B7C-8A60-D55A-C91D2636BFE1} - (no file)
    O2 - BHO: Class - {A0153B0A-FA2F-32B0-6E06-897ADEE5B570} - (no file)
    O2 - BHO: Class - {DF81C44D-3E60-F698-D3FF-CB7B4BFB1DFB} - (no file)
    O2 - BHO: Class - {F6CB920B-A4A6-46E0-C07F-F02819E65389} - (no file)
    O2 - BHO: Class - {A97CF49C-9323-2A8B-9968-3ED2B4B035E3} - (no file)
    O2 - BHO: Class - {4D2A0FB2-61D0-0621-EE8A-D479FCB85742} - (no file)
    O2 - BHO: Class - {E8995C66-89E4-D9B5-D987-CB89F2AF8546} - (no file)
    O2 - BHO: Class - {51397C15-E299-38F4-5EB7-A8D49ABD5206} - (no file)
    O2 - BHO: Class - {410127F4-6EC0-FA46-13B5-0A935061D037} - (no file)
    O2 - BHO: Class - {8229FBFA-FF3F-EFEA-D599-8A5F56907C16} - (no file)
    O2 - BHO: Class - {38991D10-CBCA-F8EF-3BAC-A55F194EE6B4} - (no file)
    O2 - BHO: Class - {1DD3D11A-3109-1C20-8BD5-58F5241F1766} - (no file)
    O2 - BHO: Class - {7ABA8986-D76E-AADD-7BB4-07E458BE6A6B} - (no file)
    O2 - BHO: Class - {5089DAA5-7649-2557-B264-B78729FAF1B3} - (no file)
    O2 - BHO: Class - {64ACBCED-4C70-32ED-5E7C-6D6EFEDA085F} - (no file)
    O2 - BHO: Class - {CFE850F2-39B6-74D2-5743-6A8EDC9429B3} - (no file)
    O2 - BHO: Class - {A683235B-F1C6-B938-1C51-844ACBA6CA21} - (no file)
    O2 - BHO: Class - {3BCDCAEC-4065-E943-0E45-1E9FE0ADEF18} - (no file)
    O2 - BHO: Class - {E3B9B58F-7428-A46F-BDB7-E86BF07130FF} - (no file)
    O2 - BHO: Class - {E4F78A3B-E4C9-A50B-F62B-9CD76792AA50} - (no file)
    O2 - BHO: Class - {B5C6B322-4BD5-8817-6BCA-45148F181D4D} - (no file)
    O2 - BHO: Class - {EE65FB9C-280C-02E2-8454-DC71DD55F204} - (no file)
    O2 - BHO: Class - {F23458A1-1D96-9C46-3F26-DCEE8800C2FB} - (no file)
    O2 - BHO: Class - {19597D9F-B88E-697E-D763-E9940650A73C} - (no file)
    O2 - BHO: Class - {AC458677-DF16-AF47-F26F-1483F477E465} - (no file)
    O2 - BHO: Class - {9E8D30B9-0868-64A8-9289-FF52F6770580} - (no file)
    O2 - BHO: Class - {BDB5955C-9FF8-325D-8DBB-89CE2D9B30C1} - (no file)
    O2 - BHO: Class - {EAF1C668-38A7-44A6-F1D3-314823745712} - (no file)
    O2 - BHO: Class - {8E997062-38C5-1520-3D28-982F735E7149} - (no file)
    O2 - BHO: Class - {3C8BA8C9-C508-313C-7410-A6C1D6F7C2E0} - (no file)
    O2 - BHO: Class - {D172A39A-F3DD-E44E-68F7-A238EC18D3FF} - (no file)
    O2 - BHO: Class - {DBD1982E-1961-44C9-9035-F46D4C8A66A5} - (no file)
    O2 - BHO: Class - {A9AC10DB-D248-63DB-8036-793FF57026F9} - (no file)
    O2 - BHO: Class - {56A74345-A6EF-F199-91F6-3FF575DE3A3F} - (no file)
    O2 - BHO: Class - {CFBC0E5C-0127-6228-3FD0-4BBC58A6802D} - (no file)
    O2 - BHO: Class - {8C63D038-2323-A079-1DD0-E7F346EF140E} - (no file)
    O2 - BHO: Class - {EBB40628-9E74-FFA8-C6B1-7F035F60F991} - (no file)
    O2 - BHO: Class - {B2B4B0BB-B296-789A-68EE-18C4EDC973BD} - (no file)
    O2 - BHO: Class - {2ECEA165-3F6C-E79E-43DA-6E7B4C708792} - (no file)
    O2 - BHO: Class - {A5E3A16E-432C-CC0D-B946-1C802B2A708A} - (no file)
    O2 - BHO: Class - {9FA24FCA-DF9E-A81C-0C1B-751A6D6EB4BC} - (no file)
    O2 - BHO: Class - {B1CA3C07-6CDC-F986-405B-89C07CE5B6F8} - (no file)
    O2 - BHO: Class - {7F8FCEAC-D101-240A-BFCB-CC1453A6BA45} - (no file)
    O2 - BHO: Class - {966D5A46-3903-5B76-507D-E72CD070B6C8} - (no file)
    O2 - BHO: Class - {4252A652-0441-30ED-F035-492D80CB544E} - (no file)
    O2 - BHO: (no name) - {6BEACA14-DD48-CDE9-566D-05631A5E5DF9} - (no file)
    O2 - BHO: Class - {F0EE109C-9B59-1D4D-701B-893172B60010} - (no file)
    O2 - BHO: Class - {A6FCAC2F-5801-C911-81C4-80CCE66CEA0C} - (no file)
    O2 - BHO: Class - {C72A4586-4D25-38C9-9B49-C0A7147CE676} - (no file)
    O2 - BHO: Class - {3A25C38E-A454-74EA-D879-839335AAC453} - (no file)
    O2 - BHO: Class - {F9C3EB86-5E8A-7F1F-02CA-34B57433C586} - (no file)
    O2 - BHO: Class - {800B9048-A1BD-B338-E9D4-71396483AE60} - (no file)
    O2 - BHO: Class - {6F2100DD-ACA4-626F-1F56-2064BFA300C4} - (no file)
    O2 - BHO: Class - {C214ABCB-7DB1-BB07-E942-4A8E0FDD5A0D} - (no file)
    O2 - BHO: Class - {5C4F8F17-B63F-CBB0-262B-818FA803655C} - (no file)
    O2 - BHO: Class - {8FF201E5-9B6E-FBCE-92AD-41E877FA0A72} - (no file)
    O2 - BHO: Class - {5624FB2A-5E7E-C67B-2C18-0AAF52EEFBB0} - (no file)
    O2 - BHO: Class - {BE2E3D32-ABD6-CAEC-B1C7-27793A48849A} - (no file)
    O2 - BHO: Class - {34A8B07C-4792-6E92-C990-0AD1C9880CFF} - (no file)
    O2 - BHO: Class - {AD979EF0-4E2D-0151-5E87-CC0ABDB1DFA2} - (no file)
    O2 - BHO: Class - {4F916E0E-FD1B-1A53-6742-DB2ABB3F3CFB} - (no file)
    O2 - BHO: Class - {BC18BA43-C47A-6611-F21E-B318D4B30ACB} - (no file)
    O2 - BHO: Class - {5AEC2E5B-19DD-07E2-6172-3EEC429FF547} - (no file)
    O2 - BHO: Class - {A9B87744-E58C-1B79-9F9B-661D1E91F825} - (no file)
    O2 - BHO: Class - {A9685094-AF19-D128-2AC9-9C3D034602A8} - (no file)
    O2 - BHO: Class - {4911C707-4BFB-2938-3C7F-7FEC182378BF} - (no file)
    O2 - BHO: Class - {992E13AE-D008-24B3-4C60-B18BF10373C7} - (no file)
    O2 - BHO: Class - {86949D98-6819-D759-9AA5-F1DF6B1EC168} - (no file)
    O2 - BHO: Class - {8830AC75-B27B-63D2-0B56-5488166A6EF1} - (no file)
    O2 - BHO: Class - {75DD9E15-5389-2B5B-4E5F-CC69934230B5} - (no file)
    O2 - BHO: Class - {11B10CF2-B2B6-4BF8-5E57-FC69DB5570B5} - (no file)
    O2 - BHO: Class - {46015205-9C0D-68F5-0714-0BA8A0DA3C56} - (no file)
    O2 - BHO: Class - {DFBA518F-AE34-EA17-0B78-90292FD1E61B} - (no file)
    O2 - BHO: Class - {102D7ADF-B1F2-150B-DD47-0D7AE8ECDFE0} - (no file)
    O2 - BHO: Class - {CD14DA8B-EAC4-68DE-23FD-8789624A84A6} - (no file)
    O2 - BHO: Class - {98A53B76-C929-8197-7BAC-61F4821FB4EE} - (no file)
    O2 - BHO: Class - {2F71C161-9404-0890-EE38-E0DB36A3CA46} - (no file)
    O2 - BHO: Class - {091DEB52-9EDB-61D3-5176-21E7CDB1169A} - (no file)
    O2 - BHO: Class - {ED9FCA60-EFBC-010F-4B89-4C97B28758CA} - (no file)
    O2 - BHO: Class - {02B26036-09CA-CFF8-3C5F-B5935A92B85E} - (no file)
    O2 - BHO: Class - {EB7A738C-0CE4-D731-5E60-6A46C953396F} - (no file)
    O2 - BHO: Class - {010B05F2-C50C-BB3E-31BF-741C59280D6A} - C:\WINDOWS\SYSTEM\APPQG32.DLL
    O2 - BHO: Class - {F145A3F6-4070-C63F-6264-ABDACC5AF0DC} - (no file)
    O2 - BHO: Class - {42288042-BF38-EA89-30D7-997394C9F9B6} - (no file)
    O2 - BHO: Class - {1A0D767B-0C24-CB78-0876-5F7AEE9294F4} - (no file)
    O2 - BHO: Class - {BECA9408-9403-9283-B350-EA959870709D} - (no file)
    O2 - BHO: Class - {9928825D-F511-512E-6A16-25709CC2A8EB} - (no file)
    O2 - BHO: Class - {EBAD3491-EA18-CF3F-B2F3-FA569AACFFA5} - (no file)
    O2 - BHO: Class - {392A8C5B-144A-0321-C773-9AA02D3AC373} - (no file)
    O2 - BHO: Class - {A7100957-E41C-A5C0-3C65-680FE880B4F7} - (no file)
    O2 - BHO: Class - {855EA263-CA96-2E5D-E8BB-FEAD04FFCAEA} - (no file)
    O2 - BHO: Class - {BCE94E2D-6A47-A37E-E2FE-A1C67C36912F} - (no file)
    O2 - BHO: Class - {F16A6A2E-9260-7118-3C8D-B5690AC38C06} - (no file)
    O2 - BHO: Class - {C97D5205-FCDC-EB7D-F24D-A44C92DB4A54} - (no file)
    O2 - BHO: Class - {604133F1-BF83-5ACA-2FE2-2B601C6A7458} - (no file)
    O2 - BHO: Class - {40430AEB-7146-EE85-0D82-B57E2A8F44A9} - (no file)
    O2 - BHO: (no name) - {D9DA3A46-683B-9426-0DBC-16767E88C80F} - (no file)
    O2 - BHO: Class - {13F0D85F-8AF2-D315-6F75-AA75944D4E2F} - (no file)
    O2 - BHO: (no name) - {2591D279-B7C3-5368-10B2-3F539F8F16DA} - (no file)
    O2 - BHO: (no name) - {3D11949D-122A-F736-FC9E-B1C992E35B78} - (no file)
    O2 - BHO: (no name) - {18DD36BF-0591-D69B-0345-30D50AC4880E} - (no file)
    O2 - BHO: (no name) - {DD6D55FD-C699-0028-DB35-7E38BF78BA5D} - (no file)
    O2 - BHO: (no name) - {CE9596F4-6291-9D52-7126-1963BA99D795} - (no file)
    O2 - BHO: (no name) - {30E5F1B7-1A0E-D201-3AD0-3AD342315B47} - (no file)
    O2 - BHO: (no name) - {844E11BC-B83D-2A84-C2D2-431669C171C5} - (no file)
    O2 - BHO: (no name) - {DFED9D51-AA17-CE70-C5E6-2D9E057B615F} - (no file)
    O2 - BHO: (no name) - {C88E144F-4510-0AF3-96D3-FA4B4D451F0F} - (no file)
    O2 - BHO: (no name) - {8A766F6D-09E0-FC95-E63C-ECC0B49DBF51} - (no file)
    O2 - BHO: (no name) - {0B660373-E1F0-C963-AE63-9622A8DECA96} - (no file)
    O2 - BHO: (no name) - {509EE3A1-0DA3-E6F6-847A-4CAFDBB2C0DB} - (no file)
    O2 - BHO: (no name) - {BC0B52B2-2F1C-67AE-D558-D35199E36734} - (no file)
    O2 - BHO: (no name) - {315E32CB-195A-8536-EB55-7CF4CDA121F2} - (no file)
    O2 - BHO: (no name) - {CD101537-32F8-4AA3-3402-3E75C232A431} - (no file)
    O2 - BHO: (no name) - {F6F66A80-41BE-11BB-0AD1-2A766F9815F2} - (no file)
    O2 - BHO: (no name) - {71F6D625-50AB-41C3-B6EC-563B80E121D0} - (no file)
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\downloaded program files\googletoolbar_en_2.0.95-deleon.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [WINDE32.EXE] C:\WINDOWS\WINDE32.EXE
    O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [Hidserv] Hidserv.exe run
    O4 - HKLM\..\Run: [WCOLOREAL] C:\Program Files\COMPAQ\COLOREAL\COLOREAL.EXE
    O4 - HKLM\..\Run: [Digital Dashboard] C:\Program Files\Compaq\Digital Dashboard\CPQMLDET.exe
    O4 - HKLM\..\Run: [CPQEASYACC] C:\Compaq\eakdrv\STARTDRV.exe
    O4 - HKLM\..\Run: [CpqBootPerfDb] C:\Cpqs\Scom\CpqBootPerfDb.exe
    O4 - HKLM\..\Run: [Adaptec DirectCD] C:\PROGRA~1\ADAPTEC\DIRECTCD\DIRECTCD.EXE
    O4 - HKLM\..\Run: [Iomega Startup Options] C:\Program Files\Iomega\Common\ImgStart.exe
    O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
    O4 - HKLM\..\Run: [CXMon] "C:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe"
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE
    O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe
    O4 - HKLM\..\RunServices: [ScardSvr] C:\WINDOWS\SYSTEM\ScardSvr.exe
    O4 - HKLM\..\RunServices: [Compaq_RBA] C:\PROGRAM FILES\COMPAQ\COMPAQ MESSAGE SCREENER\BIN\COMPAQ-RBA.EXE
    O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
    O4 - HKLM\..\RunServices: [IPVZ32.EXE] C:\WINDOWS\SYSTEM\IPVZ32.EXE
    O4 - HKLM\..\RunServices: [SYSYJ32.EXE] C:\WINDOWS\SYSTEM\SYSYJ32.EXE
    O4 - HKLM\..\RunServices: [NTPQ32.EXE] C:\WINDOWS\NTPQ32.EXE
    O4 - HKLM\..\RunServices: [NTTY32.EXE] C:\WINDOWS\NTTY32.EXE
    O4 - HKLM\..\RunServices: [ADDKB32.EXE] C:\WINDOWS\SYSTEM\ADDKB32.EXE
    O4 - HKLM\..\RunServices: [ATLWT32.EXE] C:\WINDOWS\SYSTEM\ATLWT32.EXE
    O4 - HKLM\..\RunServices: [NTAV32.EXE] C:\WINDOWS\NTAV32.EXE
    O4 - HKLM\..\RunServices: [D3QA32.EXE] C:\WINDOWS\D3QA32.EXE
    O4 - HKLM\..\RunServices: [NETUT.EXE] C:\WINDOWS\SYSTEM\NETUT.EXE
    O4 - HKLM\..\RunServices: [D3JE.EXE] C:\WINDOWS\SYSTEM\D3JE.EXE
    O4 - HKLM\..\RunServices: [NTHU.EXE] C:\WINDOWS\NTHU.EXE
    O4 - HKLM\..\RunServices: [IPWQ.EXE] C:\WINDOWS\SYSTEM\IPWQ.EXE
    O4 - HKLM\..\RunServices: [JAVADU.EXE] C:\WINDOWS\SYSTEM\JAVADU.EXE
    O4 - HKLM\..\RunServices: [NETHG32.EXE] C:\WINDOWS\NETHG32.EXE
    O4 - HKLM\..\RunOnce: [Compaq_RBA] C:\PROGRAM FILES\COMPAQ\COMPAQ MESSAGE SCREENER\BIN\COMPAQ-RBA.EXE -z
    O4 - Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 4.0\Distillr\AcroTray.exe
    O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
    O4 - Startup: PowerReg Scheduler.exe
    O4 - Startup: 1st Clock.lnk = C:\Program Files\1stClock\1STCLOCK.EXE
    O4 - Startup: Live Menu.lnk = C:\Program Files\eFax Messenger Plus\Dllcmd32.exe
    O4 - Startup: America Online 8.0 Tray Icon.lnk = C:\Program Files\America Online 8.0\aoltray.exe
    O4 - Startup: eFax Tray Menu.lnk = C:\Program Files\eFax Messenger Plus\HotTray.exe
    O8 - Extra context menu item: &Google Search - res://C:\WINDOWS\DOWNLOADED PROGRAM FILES\GOOGLETOOLBAR_EN_2.0.95-DELEON.DLL/cmsearch.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\WINDOWS\DOWNLOADED PROGRAM FILES\GOOGLETOOLBAR_EN_2.0.95-DELEON.DLL/cmcache.html
    O8 - Extra context menu item: Si&milar Pages - res://C:\WINDOWS\DOWNLOADED PROGRAM FILES\GOOGLETOOLBAR_EN_2.0.95-DELEON.DLL/cmsimilar.html
    O8 - Extra context menu item: Backward &Links - res://C:\WINDOWS\DOWNLOADED PROGRAM FILES\GOOGLETOOLBAR_EN_2.0.95-DELEON.DLL/cmbacklinks.html
    O8 - Extra context menu item: Translate Page - res://C:\WINDOWS\DOWNLOADED PROGRAM FILES\GOOGLETOOLBAR_EN_2.0.95-DELEON.DLL/cmtrans.html
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
    O16 - DPF: {226906C8-B910-11D3-82A3-0000F81A655B} (Mbayactx Control) - http://www.messagebay.com/code1/mbayactx.cab
    O16 - DPF: {26CBF141-7D0F-46E1-AA06-718958B6E4D2} - http://download.ebay.com/turbo_lister/US/install.cab
    O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
    O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
    O16 - DPF: {127698E4-E730-4E5C-A2B1-21490A70C8A1} (CEnroll Class) - http://www.moairocks.com/xenroll.dll
    O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
    O16 - DPF: {A7EA8AD2-287F-11D3-B120-006008C39542} (CBSTIEPrint Class) - http://offers.brightstreet.com/cif/download/bin/actxcab.cab
    O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = aoldsl.net
    O21 - SSODL: AUHook - {BCBCD383-3E06-11D3-91A9-00C04F68105C} - C:\WINDOWS\SYSTEM\AUHOOK.DLL
     
  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Holy .....! You need to stop doing whatever it is that you have been doing to try to clean this up. You are spawning all kinds of processes and making your problem get significantly worse.

    First we need to shorten this log up a little. Run HijackThis (don't select fix until I tell you to) again and put a check mark on all the O2 BHO lines that have either (no file) or (file missing) . NOTE: ONLY THE O2 LINES MENTIONED. Then shutdown all Internet Explorer sessions (not minimize, you must shut them down). Now select fix with HijackThis.

    Now run a new HijackThis scan and post a new log. At this point you must not shutdown or reboot your PC until I get back to you. It's okay to disconnect from the internet to keep your PC secure, but do not shutdown or reboot.

    I see you are still logged in. Don't log out for awhile.
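    The triage chaslang asks for above (tick every O2 BHO line that ends in "(no file)" or "(file missing)", and note the R0/R1 lines that point IE at res://vrluk.dll or a local searchbar.html instead of a real URL) can be done mechanically on the log text. The script below is an added example for this thread, not a MajorGeeks or HijackThis tool and not code from the original posts; it parses a HijackThis 1.98 log in the format posted above and returns the O2 entries with missing DLLs, the R0/R1 entries whose value is not an http(s) URL, and the process images listed more than once. The embedded log is a constructed excerpt of the posted log, trimmed so the script runs offline.

```python
"""Triage a HijackThis v1.98 log (added example, not a MajorGeeks tool).

Returns the three things the thread asks the poster to look at:
  * O2 BHO entries whose DLL is gone ("(no file)" / "(file missing)"),
    i.e. the lines to tick in HijackThis before selecting Fix;
  * R0/R1 IE settings whose value is a res:// resource in a local DLL or a
    local .html file instead of an http(s) URL (the homepage/search hijack);
  * images that appear more than once in the "Running processes" list.
"""
import re
from collections import Counter

# Constructed excerpt of the log posted in this thread (abbreviated).
SAMPLE_LOG = """\
Logfile of HijackThis v1.98.0
Platform: Windows ME (Win9x 4.90.3000)

Running processes:
C:\\WINDOWS\\EXPLORER.EXE
C:\\WINDOWS\\NTHU.EXE
C:\\WINDOWS\\NTHU.EXE
C:\\PROGRAM FILES\\NORTON ANTIVIRUS\\NAVAPW32.EXE

R1 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Search Page = res://C:\\WINDOWS\\vrluk.dll/sp.html#96676
R0 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Start Page = res://vrluk.dll/index.html#96676
R1 - HKLM\\Software\\Microsoft\\Internet Explorer\\Main,Search Bar = C:\\WINDOWS\\system32\\searchbar.html
R0 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Local Page =
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\\Program Files\\Norton AntiVirus\\NavShExt.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\\Program Files\\Spybot - Search & Destroy\\SDHelper.dll (file missing)
O2 - BHO: Class - {C5A0213F-9307-ECF1-A431-1EE7CE97B4D6} - C:\\WINDOWS\\MSBJ32.DLL
O2 - BHO: Class - {DDF6B14C-567D-8D1E-21D4-2CACE1295ABB} - (no file)
O4 - HKLM\\..\\RunServices: [NTHU.EXE] C:\\WINDOWS\\NTHU.EXE
"""

# Every HijackThis finding looks like "<section> - <body>", e.g. "O2 - BHO: ...".
ENTRY_RE = re.compile(r"^(?P<kind>[A-Z]\d{1,2}) - (?P<body>.*)$")


def parse_log(text):
    """Return (running_processes, entries); entries is a list of (kind, body)."""
    processes, entries = [], []
    in_procs = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:                      # blank line ends the process list
            in_procs = False
            continue
        if line == "Running processes:":
            in_procs = True
            continue
        if in_procs:
            processes.append(line)
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.append((m.group("kind"), m.group("body")))
    return processes, entries


def missing_bhos(entries):
    """O2 lines whose DLL no longer exists: safe to tick and Fix."""
    return [body for kind, body in entries
            if kind == "O2"
            and (body.endswith("(no file)") or body.endswith("(file missing)"))]


def hijacked_ie_settings(entries):
    """R0/R1 entries whose value is not an http(s) URL (res:// DLL or local file).

    Empty values such as 'Local Page =' are ignored; they are not a hijack.
    """
    hits = []
    for kind, body in entries:
        if kind not in ("R0", "R1"):
            continue
        key, _, value = body.partition("=")
        value = value.strip()
        if value and not re.match(r"https?://", value, re.IGNORECASE):
            hits.append((key.strip(), value))
    return hits


def duplicate_processes(processes):
    """Images listed more than once in the process list (case-insensitive)."""
    counts = Counter(p.upper() for p in processes)
    return sorted(name for name, n in counts.items() if n > 1)


if __name__ == "__main__":
    procs, found = parse_log(SAMPLE_LOG)
    print("O2 BHO lines to tick:")
    for line in missing_bhos(found):
        print("  O2 -", line)
    print("IE settings pointing somewhere other than a web URL:")
    for key, value in hijacked_ie_settings(found):
        print(" ", key, "->", value)
    print("Processes listed more than once:", duplicate_processes(procs))
```

    Run it against a full saved log by replacing SAMPLE_LOG with the file contents; the O2 list is exactly the set chaslang says to check, and nothing is changed on the machine, the script only reads text.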
     
  8. ELMO4635

    ELMO4635 Private E-2

    Ok... I ran another HijackThis, cleaned all the O2 BHO Items with "NO FILE" or "FILE MISSING", and here is the latest Log from HijackThis...

    Logfile of HijackThis v1.98.0
    Scan saved at 2:47:52 PM, on 7/18/2004
    Platform: Windows ME (Win9x 4.90.3000)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\SCARDSVR.EXE
    C:\PROGRAM FILES\COMPAQ\COMPAQ MESSAGE SCREENER\BIN\COMPAQ-RBA.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\WINDOWS\D3QA32.EXE
    C:\WINDOWS\NTPQ32.EXE
    C:\WINDOWS\NTHU.EXE
    C:\WINDOWS\NTTY32.EXE
    C:\WINDOWS\NETHG32.EXE
    C:\WINDOWS\NTAV32.EXE
    C:\WINDOWS\WINDE32.EXE
    C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS\SYSTEM\HIDSERV.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\PROGRAM FILES\COMPAQ\DIGITAL DASHBOARD\CPQMLDET.EXE
    C:\COMPAQ\EAKDRV\STARTDRV.EXE
    C:\COMPAQ\EAKDRV\EAKDRV.EXE
    C:\COMPAQ\EAKDRV\EAUSBKBD.EXE
    C:\PROGRAM FILES\ADAPTEC\DIRECTCD\DIRECTCD.EXE
    C:\PROGRAM FILES\IOMEGA\DRIVEICONS\IMGICON.EXE
    C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
    C:\PROGRAM FILES\ADOBE\ACROBAT 4.0\DISTILLR\ACROTRAY.EXE
    C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\OSA.EXE
    C:\PROGRAM FILES\HEWLETT-PACKARD\PHOTOSMART\HP SHARE-TO-WEB\HPGS2WNF.EXE
    C:\PROGRAM FILES\1STCLOCK\1STCLOCK.EXE
    C:\PROGRAM FILES\EFAX MESSENGER PLUS\DLLCMD32.EXE
    C:\PROGRAM FILES\EFAX MESSENGER PLUS\HOTTRAY.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\WINDOWS\NETHG32.EXE
    C:\WINDOWS\D3QA32.EXE
    C:\PROGRAM FILES\AMERICA ONLINE 8.0\WAOL.EXE
    C:\PROGRAM FILES\AMERICA ONLINE 8.0\SHELLMON.EXE
    C:\PROGRAM FILES\AMERICA ONLINE 8.0\AOLWBSPD.EXE
    C:\DOWNLOADS\TROJAN STUFF\HIJACKTHIS V1.98\HIJACKTHIS.EXE
    C:\WINDOWS\SYSTEM\RNAAPP.EXE
    C:\WINDOWS\SYSTEM\TAPISRV.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = C:\WINDOWS\system32\searchbar.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = C:\WINDOWS\system32\searchbar.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\vrluk.dll/sp.html#96676
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://vrluk.dll/index.html#96676
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = C:\WINDOWS\system32\searchbar.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://vrluk.dll/index.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\vrluk.dll/sp.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = C:\WINDOWS\system32\searchbar.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\vrluk.dll/sp.html#96676
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://vrluk.dll/index.html#96676
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = C:\WINDOWS\system32\searchbar.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = C:\WINDOWS\system32\searchbar.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = C:\WINDOWS\system32\searchbar.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = C:\WINDOWS\system32\searchbar.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    R3 - Default URLSearchHook is missing
    F1 - win.ini: run=hpfsched
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\windows\downloaded program files\googletoolbar_en_2.0.95-deleon.dll
    O2 - BHO: Class - {0BAA3A49-7A8E-5D74-313B-E73706261741} - C:\WINDOWS\SYSTEM\IPHA.DLL (file missing)
    O2 - BHO: Class - {C5A0213F-9307-ECF1-A431-1EE7CE97B4D6} - C:\WINDOWS\MSBJ32.DLL (file missing)
    O2 - BHO: Class - {C3D0592A-E898-9364-DBD7-EC2ED69821AF} - C:\WINDOWS\MSQM32.DLL
    O2 - BHO: Class - {F3264A95-EA02-5435-7C3B-CC1A6BECFC5B} - C:\WINDOWS\ATLMW.DLL (file missing)
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\downloaded program files\googletoolbar_en_2.0.95-deleon.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [WINDE32.EXE] C:\WINDOWS\WINDE32.EXE
    O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [Hidserv] Hidserv.exe run
    O4 - HKLM\..\Run: [WCOLOREAL] C:\Program Files\COMPAQ\COLOREAL\COLOREAL.EXE
    O4 - HKLM\..\Run: [Digital Dashboard] C:\Program Files\Compaq\Digital Dashboard\CPQMLDET.exe
    O4 - HKLM\..\Run: [CPQEASYACC] C:\Compaq\eakdrv\STARTDRV.exe
    O4 - HKLM\..\Run: [CpqBootPerfDb] C:\Cpqs\Scom\CpqBootPerfDb.exe
    O4 - HKLM\..\Run: [Adaptec DirectCD] C:\PROGRA~1\ADAPTEC\DIRECTCD\DIRECTCD.EXE
    O4 - HKLM\..\Run: [Iomega Startup Options] C:\Program Files\Iomega\Common\ImgStart.exe
    O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
    O4 - HKLM\..\Run: [CXMon] "C:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe"
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE
    O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe
    O4 - HKLM\..\RunServices: [ScardSvr] C:\WINDOWS\SYSTEM\ScardSvr.exe
    O4 - HKLM\..\RunServices: [Compaq_RBA] C:\PROGRAM FILES\COMPAQ\COMPAQ MESSAGE SCREENER\BIN\COMPAQ-RBA.EXE
    O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
    O4 - HKLM\..\RunServices: [IPVZ32.EXE] C:\WINDOWS\SYSTEM\IPVZ32.EXE
    O4 - HKLM\..\RunServices: [SYSYJ32.EXE] C:\WINDOWS\SYSTEM\SYSYJ32.EXE
    O4 - HKLM\..\RunServices: [NTPQ32.EXE] C:\WINDOWS\NTPQ32.EXE
    O4 - HKLM\..\RunServices: [NTTY32.EXE] C:\WINDOWS\NTTY32.EXE
    O4 - HKLM\..\RunServices: [ADDKB32.EXE] C:\WINDOWS\SYSTEM\ADDKB32.EXE
    O4 - HKLM\..\RunServices: [ATLWT32.EXE] C:\WINDOWS\SYSTEM\ATLWT32.EXE
    O4 - HKLM\..\RunServices: [NTAV32.EXE] C:\WINDOWS\NTAV32.EXE
    O4 - HKLM\..\RunServices: [D3QA32.EXE] C:\WINDOWS\D3QA32.EXE
    O4 - HKLM\..\RunServices: [NETUT.EXE] C:\WINDOWS\SYSTEM\NETUT.EXE
    O4 - HKLM\..\RunServices: [D3JE.EXE] C:\WINDOWS\SYSTEM\D3JE.EXE
    O4 - HKLM\..\RunServices: [NTHU.EXE] C:\WINDOWS\NTHU.EXE
    O4 - HKLM\..\RunServices: [IPWQ.EXE] C:\WINDOWS\SYSTEM\IPWQ.EXE
    O4 - HKLM\..\RunServices: [JAVADU.EXE] C:\WINDOWS\SYSTEM\JAVADU.EXE
    O4 - HKLM\..\RunServices: [NETHG32.EXE] C:\WINDOWS\NETHG32.EXE
    O4 - Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 4.0\Distillr\AcroTray.exe
    O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
    O4 - Startup: PowerReg Scheduler.exe
    O4 - Startup: 1st Clock.lnk = C:\Program Files\1stClock\1STCLOCK.EXE
    O4 - Startup: Live Menu.lnk = C:\Program Files\eFax Messenger Plus\Dllcmd32.exe
    O4 - Startup: America Online 8.0 Tray Icon.lnk = C:\Program Files\America Online 8.0\aoltray.exe
    O4 - Startup: eFax Tray Menu.lnk = C:\Program Files\eFax Messenger Plus\HotTray.exe
    O8 - Extra context menu item: &Google Search - res://C:\WINDOWS\DOWNLOADED PROGRAM FILES\GOOGLETOOLBAR_EN_2.0.95-DELEON.DLL/cmsearch.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\WINDOWS\DOWNLOADED PROGRAM FILES\GOOGLETOOLBAR_EN_2.0.95-DELEON.DLL/cmcache.html
    O8 - Extra context menu item: Si&milar Pages - res://C:\WINDOWS\DOWNLOADED PROGRAM FILES\GOOGLETOOLBAR_EN_2.0.95-DELEON.DLL/cmsimilar.html
    O8 - Extra context menu item: Backward &Links - res://C:\WINDOWS\DOWNLOADED PROGRAM FILES\GOOGLETOOLBAR_EN_2.0.95-DELEON.DLL/cmbacklinks.html
    O8 - Extra context menu item: Translate Page - res://C:\WINDOWS\DOWNLOADED PROGRAM FILES\GOOGLETOOLBAR_EN_2.0.95-DELEON.DLL/cmtrans.html
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
    O16 - DPF: {226906C8-B910-11D3-82A3-0000F81A655B} (Mbayactx Control) - http://www.messagebay.com/code1/mbayactx.cab
    O16 - DPF: {26CBF141-7D0F-46E1-AA06-718958B6E4D2} - http://download.ebay.com/turbo_lister/US/install.cab
    O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
    O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
    O16 - DPF: {127698E4-E730-4E5C-A2B1-21490A70C8A1} (CEnroll Class) - http://www.moairocks.com/xenroll.dll
    O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
    O16 - DPF: {A7EA8AD2-287F-11D3-B120-006008C39542} (CBSTIEPrint Class) - http://offers.brightstreet.com/cif/download/bin/actxcab.cab
    O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = aoldsl.net
    O21 - SSODL: AUHook - {BCBCD383-3E06-11D3-91A9-00C04F68105C} - C:\WINDOWS\SYSTEM\AUHOOK.DLL
     
  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Now follow these steps exactly. Read thru them first. If you cannot do them or do not understand anything, don't do anything until you get clarification from me. You may want to print these or copy them locally to a notepad file because I am going to have you physically disconnect from the internet very soon.

    Before starting make sure you have the current versions of:
    HijackThis (you have an old version): http://www.majorgeeks.com/download3155.html
    a² anti virus: http://www.majorgeeks.com/download4281.html
    (download and install a2 you need to get registration key to use and it will require a reboot before using. Don't reboot yet. We'll do that later when we go into safe mode.)
    Ad-aware: http://www.majorgeeks.com/download506.html
    make sure Ad-aware reference file is updated. At time of writing we are at: 01R333 18.07.2004
    Also first read about how to set Ad-aware for a fullscan: http://www.lavahelp.com/howto/fullscan/index.html

    Print instructions if necessary or save locally.

    - Make sure you can view hidden files and folders: http://www.xtra.co.nz/help/0,,4155-1916458,00.html
    - disable system restore: http://forums.majorgeeks.com/showthread.php?t=31668 (do not reboot when told to)
    - **** VERY IMPORTANT physically disconnect from the internet (unplug cables) ****
    - as long as you have not rebooted since posting the log the files below may still be the same. Bring up Task Manager (CTRL-ALT-DEL) and kill these processes if found:
    C:\WINDOWS\D3QA32.EXE
    C:\WINDOWS\NTPQ32.EXE
    C:\WINDOWS\NTHU.EXE
    C:\WINDOWS\NTTY32.EXE
    C:\WINDOWS\NETHG32.EXE
    C:\WINDOWS\NTAV32.EXE
    C:\WINDOWS\WINDE32.EXE
    C:\WINDOWS\NETHG32.EXE
    C:\WINDOWS\D3QA32.EXE
    C:\WINDOWS\SYSTEM\IPVZ32.EXE
    C:\WINDOWS\SYSTEM\SYSYJ32.EXE
    C:\WINDOWS\SYSTEM\ADDKB32.EXE
    C:\WINDOWS\SYSTEM\ATLWT32.EXE
    C:\WINDOWS\SYSTEM\NETUT.EXE
    C:\WINDOWS\SYSTEM\D3JE.EXE
    C:\WINDOWS\SYSTEM\IPWQ.EXE
    C:\WINDOWS\SYSTEM\JAVADU.EXE

    - Now we are going to use notepad to erase the contents of the DLL file shown
    in the R0 & R1 lines of your HijackThis log. To do this click Start, Run, and
    enter the following command "notepad C:\WINDOWS\vrluk.dll" (without the quotes)
    and click OK.

    Now in the notepad window, hit CTRL-A to select all contents of the file
    then hit the Delete key to delete all lines of the file. Now save the file
    (yes as an empty file). Now using Windows Explorer, locate the file
    C:\WINDOWS\vrluk.dll and right click on it and select Properties and change the
    attributes to Read Only and click OK.

    - Boot into safe mode: http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406?OpenDocument&src=sec_doc_nam
    - shutdown IE and run HijackThis and fix these if found:
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = C:\WINDOWS\system32\searchbar.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = C:\WINDOWS\system32\searchbar.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\vrluk.dll/sp.html#96676
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://vrluk.dll/index.html#96676
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = C:\WINDOWS\system32\searchbar.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://vrluk.dll/index.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\vrluk.dll/sp.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = C:\WINDOWS\system32\searchbar.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\vrluk.dll/sp.html#96676
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://vrluk.dll/index.html#96676
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = C:\WINDOWS\system32\searchbar.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = C:\WINDOWS\system32\searchbar.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = C:\WINDOWS\system32\searchbar.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = C:\WINDOWS\system32\searchbar.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    R3 - Default URLSearchHook is missing
    O2 - BHO: Class - {0BAA3A49-7A8E-5D74-313B-E73706261741} - C:\WINDOWS\SYSTEM\IPHA.DLL (file missing)
    O2 - BHO: Class - {C5A0213F-9307-ECF1-A431-1EE7CE97B4D6} - C:\WINDOWS\MSBJ32.DLL (file missing)
    O2 - BHO: Class - {C3D0592A-E898-9364-DBD7-EC2ED69821AF} - C:\WINDOWS\MSQM32.DLL
    O2 - BHO: Class - {F3264A95-EA02-5435-7C3B-CC1A6BECFC5B} - C:\WINDOWS\ATLMW.DLL (file missing)
    O4 - HKLM\..\Run: [WINDE32.EXE] C:\WINDOWS\WINDE32.EXE
    O4 - HKLM\..\RunServices: [IPVZ32.EXE] C:\WINDOWS\SYSTEM\IPVZ32.EXE
    O4 - HKLM\..\RunServices: [SYSYJ32.EXE] C:\WINDOWS\SYSTEM\SYSYJ32.EXE
    O4 - HKLM\..\RunServices: [NTPQ32.EXE] C:\WINDOWS\NTPQ32.EXE
    O4 - HKLM\..\RunServices: [NTTY32.EXE] C:\WINDOWS\NTTY32.EXE
    O4 - HKLM\..\RunServices: [ADDKB32.EXE] C:\WINDOWS\SYSTEM\ADDKB32.EXE
    O4 - HKLM\..\RunServices: [ATLWT32.EXE] C:\WINDOWS\SYSTEM\ATLWT32.EXE
    O4 - HKLM\..\RunServices: [NTAV32.EXE] C:\WINDOWS\NTAV32.EXE
    O4 - HKLM\..\RunServices: [D3QA32.EXE] C:\WINDOWS\D3QA32.EXE
    O4 - HKLM\..\RunServices: [NETUT.EXE] C:\WINDOWS\SYSTEM\NETUT.EXE
    O4 - HKLM\..\RunServices: [D3JE.EXE] C:\WINDOWS\SYSTEM\D3JE.EXE
    O4 - HKLM\..\RunServices: [NTHU.EXE] C:\WINDOWS\NTHU.EXE
    O4 - HKLM\..\RunServices: [IPWQ.EXE] C:\WINDOWS\SYSTEM\IPWQ.EXE
    O4 - HKLM\..\RunServices: [JAVADU.EXE] C:\WINDOWS\SYSTEM\JAVADU.EXE
    O4 - HKLM\..\RunServices: [NETHG32.EXE] C:\WINDOWS\NETHG32.EXE


    - Delete these files if found (make sure you are still set to view hidden files and folders):
    C:\WINDOWS\SYSTEM\IPHA.DLL
    C:\WINDOWS\MSBJ32.DLL
    C:\WINDOWS\MSQM32.DLL
    C:\WINDOWS\ATLMW.DLL
    C:\WINDOWS\D3QA32.EXE
    C:\WINDOWS\NTPQ32.EXE
    C:\WINDOWS\NTHU.EXE
    C:\WINDOWS\NTTY32.EXE
    C:\WINDOWS\NETHG32.EXE
    C:\WINDOWS\NTAV32.EXE
    C:\WINDOWS\WINDE32.EXE
    C:\WINDOWS\NETHG32.EXE
    C:\WINDOWS\D3QA32.EXE
    C:\WINDOWS\SYSTEM\IPVZ32.EXE
    C:\WINDOWS\SYSTEM\SYSYJ32.EXE
    C:\WINDOWS\SYSTEM\ADDKB32.EXE
    C:\WINDOWS\SYSTEM\ATLWT32.EXE
    C:\WINDOWS\SYSTEM\NETUT.EXE
    C:\WINDOWS\SYSTEM\D3JE.EXE
    C:\WINDOWS\SYSTEM\IPWQ.EXE
    C:\WINDOWS\SYSTEM\JAVADU.EXE

    - Reset Web Settings by right clicking on your Internet Explorer icon. Then click Properties, Programs, and click the Reset Web Settings button. Then go back to the General tab and set your home page back to something useful like www.majorgeeks.com
    - while in safe mode run Fullscan with Ad-aware
    - boot normal and reconnect to internet
    - run this online scan: http://housecall.trendmicro.com/housecall/start_corp.asp
    - Run a² anti virus!
    - Post a new HijackThis log
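Added example, not part of the thread and not a MajorGeeks or HijackThis tool: a small Python triage script that pulls out of a HijackThis log the same three classes of entries the two posts above work through by hand (post 7: O2 BHO lines marked "(file missing)" or "(no file)"; post 9: R0/R1 values pointing IE at a res:// page inside a DLL, and the O4 Run/RunServices entries to fix, with the running ones to kill before the files can be deleted). The O4 heuristic (the value name is just the file name, and the file sits directly in C:\WINDOWS or C:\WINDOWS\SYSTEM) is an assumption drawn from the pattern visible in this thread's logs, not a HijackThis rule. The log excerpt is a constructed sample modeled on the logs posted above, so the script runs offline on any host.

```python
import re
import ntpath  # Windows path splitting that also works on a non-Windows host

# Constructed excerpt modeled on the logs in this thread (not a real captured log).
SAMPLE_LOG = r"""
Logfile of HijackThis v1.98.0
Platform: Windows ME (Win9x 4.90.3000)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\D3QA32.EXE
C:\WINDOWS\NTPQ32.EXE
C:\WINDOWS\WINDE32.EXE
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\vrluk.dll/sp.html#96676
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://vrluk.dll/index.html#96676
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = C:\WINDOWS\system32\searchbar.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: Class - {0BAA3A49-7A8E-5D74-313B-E73706261741} - C:\WINDOWS\SYSTEM\IPHA.DLL (file missing)
O2 - BHO: Class - {C3D0592A-E898-9364-DBD7-EC2ED69821AF} - C:\WINDOWS\MSQM32.DLL
O4 - HKLM\..\Run: [WINDE32.EXE] C:\WINDOWS\WINDE32.EXE
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE
O4 - HKLM\..\RunServices: [ScardSvr] C:\WINDOWS\SYSTEM\ScardSvr.exe
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [NTPQ32.EXE] C:\WINDOWS\NTPQ32.EXE
O4 - HKLM\..\RunServices: [D3QA32.EXE] C:\WINDOWS\D3QA32.EXE
O4 - HKLM\..\RunServices: [JAVADU.EXE] C:\WINDOWS\SYSTEM\JAVADU.EXE
"""

# res://vrluk.dll/... or res://C:\WINDOWS\vrluk.dll/... -> the DLL name
RES_DLL = re.compile(r"res://(?:[A-Za-z]:\\[^/]*\\)?([^/\\]+\.dll)", re.IGNORECASE)
O2_LINE = re.compile(r"^O2 - BHO: (.*?) - (\{[0-9A-Fa-f-]+\}) - (.*)$")
O4_LINE = re.compile(r"^O4 - (HK\w+\\\.\.\\\w+): \[(.*?)\] (.*)$")
REPORT = re.compile(r"^[RFO]\d+ - ")
# Assumption drawn from this thread's logs: the hijacker drops its EXEs straight
# into these two directories and registers each one under its own file name.
HIJACK_DIRS = {r"C:\WINDOWS", r"C:\WINDOWS\SYSTEM"}


def parse_log(text):
    """Split a HijackThis log into (running processes, report lines)."""
    processes, entries, in_procs = [], [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            in_procs = False          # a blank line ends the process list
        elif line == "Running processes:":
            in_procs = True
        elif in_procs:
            processes.append(line.upper())
        elif REPORT.match(line):
            entries.append(line)
    return processes, entries


def res_dll_hijacks(entries):
    """R0/R1 values that point IE at a page inside a DLL: the hijack payload file."""
    hits = {}
    for e in entries:
        if e.startswith(("R0 - ", "R1 - ")):
            m = RES_DLL.search(e)
            if m:
                hits.setdefault(m.group(1).lower(), []).append(e)
    return hits


def missing_bhos(entries):
    """O2 BHO registrations whose DLL is gone: dead entries, safe to fix first."""
    out = []
    for e in entries:
        m = O2_LINE.match(e)
        if m and re.search(r"\((file missing|no file)\)$", m.group(3), re.I):
            out.append((m.group(2), m.group(3).rsplit(" (", 1)[0]))
    return out


def suspicious_autoruns(entries):
    """O4 Run/RunServices entries whose value name is the bare file name and
    whose EXE sits directly in C:\\WINDOWS or C:\\WINDOWS\\SYSTEM."""
    out = []
    for e in entries:
        m = O4_LINE.match(e)
        if not m:
            continue
        key, name, cmd = m.groups()
        exe = cmd.split(" ")[0].strip('"')       # drop arguments such as -s
        directory, base = ntpath.split(exe)
        if name.upper() == base.upper() and directory.upper() in HIJACK_DIRS:
            out.append((key, exe.upper()))
    return out


def triage(text):
    """Return the work list in the order the cleanup is done: kill, fix, delete."""
    processes, entries = parse_log(text)
    autoruns = suspicious_autoruns(entries)
    flagged = {exe for _, exe in autoruns}
    return {
        "res_dlls": res_dll_hijacks(entries),
        "missing_bhos": missing_bhos(entries),
        "autoruns": autoruns,
        # flagged files that are still running must be killed before deletion
        "kill_first": sorted(flagged & set(processes)),
        "delete": sorted(flagged),
    }


if __name__ == "__main__":
    for section, items in triage(SAMPLE_LOG).items():
        print(section)
        for item in (items.items() if isinstance(items, dict) else items):
            print("   ", item)
```

The name-equals-filename rule is a pattern match, not proof: a legitimate Run entry can also use its file name as the value name, so every hit still needs the look the thread gives it (is the EXE in a vendor folder, does the vendor's own name appear on the line) before it goes on the kill and delete lists.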
     
  10. ELMO4635

    ELMO4635 Private E-2

    Well, followed all the directions....

    HouseCall found the following:
    TROJ EMT.A (C:\WINDOWS\WINDE32.EXE)
    TROJ ICOOL.A (C:\WINDOWS\MSXMIDI.EXE)

    A2 found nothing....


    Here is the latest HiJack This LOG:

    Logfile of HijackThis v1.98.0
    Scan saved at 1:22:38 AM, on 7/19/2004
    Platform: Windows ME (Win9x 4.90.3000)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\SCARDSVR.EXE
    C:\PROGRAM FILES\COMPAQ\COMPAQ MESSAGE SCREENER\BIN\COMPAQ-RBA.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\NETBL32.EXE
    C:\WINDOWS\SYSTEM\ATLPC.EXE
    C:\WINDOWS\CRDK.EXE
    C:\WINDOWS\ATLBA32.EXE
    C:\WINDOWS\SYSTEM\ATLQQ.EXE
    C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS\SYSTEM\HIDSERV.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\PROGRAM FILES\COMPAQ\DIGITAL DASHBOARD\CPQMLDET.EXE
    C:\COMPAQ\EAKDRV\STARTDRV.EXE
    C:\COMPAQ\EAKDRV\EAKDRV.EXE
    C:\COMPAQ\EAKDRV\EAUSBKBD.EXE
    C:\PROGRAM FILES\ADAPTEC\DIRECTCD\DIRECTCD.EXE
    C:\PROGRAM FILES\IOMEGA\DRIVEICONS\IMGICON.EXE
    C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
    C:\PROGRAM FILES\ADOBE\ACROBAT 4.0\DISTILLR\ACROTRAY.EXE
    C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\OSA.EXE
    C:\PROGRAM FILES\HEWLETT-PACKARD\PHOTOSMART\HP SHARE-TO-WEB\HPGS2WNF.EXE
    C:\PROGRAM FILES\1STCLOCK\1STCLOCK.EXE
    C:\PROGRAM FILES\EFAX MESSENGER PLUS\DLLCMD32.EXE
    C:\PROGRAM FILES\AMERICA ONLINE 8.0\WAOL.EXE
    C:\PROGRAM FILES\AMERICA ONLINE 8.0\SHELLMON.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\PROGRAM FILES\AMERICA ONLINE 8.0\AOLWBSPD.EXE
    C:\WINDOWS\SYSTEM\RNAAPP.EXE
    C:\WINDOWS\SYSTEM\TAPISRV.EXE
    C:\DOWNLOADS\TROJAN STUFF\HIJACKTHIS V1.98\HIJACKTHIS.EXE

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.majorgeek.com/
    R3 - Default URLSearchHook is missing
    F1 - win.ini: run=hpfsched
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\windows\downloaded program files\googletoolbar_en_2.0.95-deleon.dll
    O2 - BHO: Class - {0E36C91F-E8C5-668C-6824-711A0D9B3543} - C:\WINDOWS\SYSTEM\ATLQQ.DLL (file missing)
    O2 - BHO: Class - {C14A63C4-80B0-D977-7CCE-440563F34821} - C:\WINDOWS\SYSGA.DLL (file missing)
    O2 - BHO: Class - {EE37178B-E57C-4045-A483-E895595C72A5} - C:\WINDOWS\SDKDY.DLL
    O2 - BHO: Class - {3D1F3C37-49CA-66D3-9877-04375ADE521D} - C:\WINDOWS\APPAC32.DLL (file missing)
    O2 - BHO: Class - {46CBB635-BE2E-414C-B36B-6C899CEAC5B7} - C:\WINDOWS\ADDGE32.DLL (file missing)
    O2 - BHO: Class - {D5622A73-BE5E-84D8-3B85-F319536A4696} - C:\WINDOWS\NTCK32.DLL (file missing)
    O2 - BHO: Class - {25AF4569-BD8E-E75D-973D-8A48519B2603} - C:\WINDOWS\SYSTEM\NTTY32.DLL (file missing)
    O2 - BHO: Class - {E13C4480-BCC9-AD1D-7FC9-BD1A2CBDA6A4} - C:\WINDOWS\SYSTEM\APISR.DLL (file missing)
    O2 - BHO: Class - {6D48F634-DFAF-1764-FBD6-1DD58A4594FD} - C:\WINDOWS\SDKNH32.DLL (file missing)
    O2 - BHO: Class - {EFEA02E1-0B01-3C73-AF6A-DE0AAB6EDEEB} - C:\WINDOWS\SYSTEM\JAVAUJ32.DLL (file missing)
    O2 - BHO: Class - {6D58C8C3-0A00-0929-E359-77C521C2D819} - C:\WINDOWS\NTGB32.DLL (file missing)
    O2 - BHO: Class - {0E3716B0-8EAC-AF20-3EB8-BF8DD253519C} - C:\WINDOWS\SYSTEM\MSVT32.DLL (file missing)
    O2 - BHO: Class - {93F1C865-3803-9149-D3C4-3BB5A30E7516} - C:\WINDOWS\WINDM.DLL (file missing)
    O2 - BHO: Class - {D476235C-961C-D6D6-CAE8-B8289B91FF7B} - C:\WINDOWS\JAVAMG.DLL (file missing)
    O2 - BHO: Class - {D757C266-5087-B9EF-B128-EDF9DA763B6F} - C:\WINDOWS\ATLRC.DLL (file missing)
    O2 - BHO: Class - {369F1E9D-92BF-04C9-EE95-65CDB1144E13} - C:\WINDOWS\SYSTEM\SYSGQ32.DLL (file missing)
    O2 - BHO: Class - {9615F477-B7B7-A69E-C5E8-C69E371F6C5C} - C:\WINDOWS\CRBE32.DLL (file missing)
    O2 - BHO: Class - {DB309419-3C5C-375B-8765-4F2EE5877F1F} - C:\WINDOWS\APPKN32.DLL (file missing)
    O2 - BHO: Class - {44A73433-E13D-79D4-D26D-9CDD83E71551} - C:\WINDOWS\IEDJ32.DLL (file missing)
    O2 - BHO: Class - {C0B22569-4E16-8930-32EF-CE7B1D191BC0} - C:\WINDOWS\SYSTEM\NETYV32.DLL (file missing)
    O2 - BHO: Class - {3ADBDF49-47B7-70B8-7E62-B9F953421BB1} - C:\WINDOWS\SYSTEM\NTLZ32.DLL (file missing)
    O2 - BHO: Class - {0DB31801-4071-A832-F6B3-6C9C46EF4A2D} - C:\WINDOWS\SYSTEM\IEVG.DLL (file missing)
    O2 - BHO: Class - {EDF94985-0AA4-714B-4D3F-E2B133CFEEAD} - C:\WINDOWS\IEWW.DLL (file missing)
    O2 - BHO: Class - {12279319-F31A-C38D-DA45-167674E3992B} - C:\WINDOWS\SYSTEM\WINVB.DLL (file missing)
    O2 - BHO: Class - {23448DC9-3E89-9556-DAA1-31611C8C8C86} - C:\WINDOWS\IPUA32.DLL (file missing)
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\downloaded program files\googletoolbar_en_2.0.95-deleon.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [Hidserv] Hidserv.exe run
    O4 - HKLM\..\Run: [WCOLOREAL] C:\Program Files\COMPAQ\COLOREAL\COLOREAL.EXE
    O4 - HKLM\..\Run: [Digital Dashboard] C:\Program Files\Compaq\Digital Dashboard\CPQMLDET.exe
    O4 - HKLM\..\Run: [CPQEASYACC] C:\Compaq\eakdrv\STARTDRV.exe
    O4 - HKLM\..\Run: [CpqBootPerfDb] C:\Cpqs\Scom\CpqBootPerfDb.exe
    O4 - HKLM\..\Run: [Adaptec DirectCD] C:\PROGRA~1\ADAPTEC\DIRECTCD\DIRECTCD.EXE
    O4 - HKLM\..\Run: [Iomega Startup Options] C:\Program Files\Iomega\Common\ImgStart.exe
    O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
    O4 - HKLM\..\Run: [CXMon] "C:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe"
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE
    O4 - HKLM\..\Run: [ATLQQ.EXE] C:\WINDOWS\SYSTEM\ATLQQ.EXE
    O4 - HKLM\..\RunServices: [NTAV32.EXE] C:\WINDOWS\NTAV32.EXE
    O4 - HKLM\..\RunServices: [ScardSvr] C:\WINDOWS\SYSTEM\ScardSvr.exe
    O4 - HKLM\..\RunServices: [Compaq_RBA] C:\PROGRAM FILES\COMPAQ\COMPAQ MESSAGE SCREENER\BIN\COMPAQ-RBA.EXE
    O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
    O4 - HKLM\..\RunServices: [IPVZ32.EXE] C:\WINDOWS\SYSTEM\IPVZ32.EXE
    O4 - HKLM\..\RunServices: [SYSYJ32.EXE] C:\WINDOWS\SYSTEM\SYSYJ32.EXE
    O4 - HKLM\..\RunServices: [NTPQ32.EXE] C:\WINDOWS\NTPQ32.EXE
    O4 - HKLM\..\RunServices: [NTTY32.EXE] C:\WINDOWS\NTTY32.EXE
    O4 - HKLM\..\RunServices: [ADDKB32.EXE] C:\WINDOWS\SYSTEM\ADDKB32.EXE
    O4 - HKLM\..\RunServices: [ATLWT32.EXE] C:\WINDOWS\SYSTEM\ATLWT32.EXE
    O4 - HKLM\..\RunServices: [D3QA32.EXE] C:\WINDOWS\D3QA32.EXE
    O4 - HKLM\..\RunServices: [NETUT.EXE] C:\WINDOWS\SYSTEM\NETUT.EXE
    O4 - HKLM\..\RunServices: [D3JE.EXE] C:\WINDOWS\SYSTEM\D3JE.EXE
    O4 - HKLM\..\RunServices: [NTHU.EXE] C:\WINDOWS\NTHU.EXE
    O4 - HKLM\..\RunServices: [IPWQ.EXE] C:\WINDOWS\SYSTEM\IPWQ.EXE
    O4 - HKLM\..\RunServices: [JAVADU.EXE] C:\WINDOWS\SYSTEM\JAVADU.EXE
    O4 - HKLM\..\RunServices: [NETHG32.EXE] C:\WINDOWS\NETHG32.EXE
    O4 - HKLM\..\RunServices: [ATLPC.EXE] C:\WINDOWS\SYSTEM\ATLPC.EXE
    O4 - HKLM\..\RunServices: [CRDK.EXE] C:\WINDOWS\CRDK.EXE
    O4 - HKLM\..\RunServices: [NETBL32.EXE] C:\WINDOWS\NETBL32.EXE
    O4 - HKLM\..\RunServices: [ATLBA32.EXE] C:\WINDOWS\ATLBA32.EXE
    O4 - Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 4.0\Distillr\AcroTray.exe
    O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
    O4 - Startup: PowerReg Scheduler.exe
    O4 - Startup: 1st Clock.lnk = C:\Program Files\1stClock\1STCLOCK.EXE
    O4 - Startup: Live Menu.lnk = C:\Program Files\eFax Messenger Plus\Dllcmd32.exe
    O4 - Startup: America Online 8.0 Tray Icon.lnk = C:\Program Files\America Online 8.0\aoltray.exe
    O4 - Startup: eFax Tray Menu.lnk = C:\Program Files\eFax Messenger Plus\HotTray.exe
    O8 - Extra context menu item: &Google Search - res://C:\WINDOWS\DOWNLOADED PROGRAM FILES\GOOGLETOOLBAR_EN_2.0.95-DELEON.DLL/cmsearch.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\WINDOWS\DOWNLOADED PROGRAM FILES\GOOGLETOOLBAR_EN_2.0.95-DELEON.DLL/cmcache.html
    O8 - Extra context menu item: Si&milar Pages - res://C:\WINDOWS\DOWNLOADED PROGRAM FILES\GOOGLETOOLBAR_EN_2.0.95-DELEON.DLL/cmsimilar.html
    O8 - Extra context menu item: Backward &Links - res://C:\WINDOWS\DOWNLOADED PROGRAM FILES\GOOGLETOOLBAR_EN_2.0.95-DELEON.DLL/cmbacklinks.html
    O8 - Extra context menu item: Translate Page - res://C:\WINDOWS\DOWNLOADED PROGRAM FILES\GOOGLETOOLBAR_EN_2.0.95-DELEON.DLL/cmtrans.html
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
    O16 - DPF: {226906C8-B910-11D3-82A3-0000F81A655B} (Mbayactx Control) - http://www.messagebay.com/code1/mbayactx.cab
    O16 - DPF: {26CBF141-7D0F-46E1-AA06-718958B6E4D2} - http://download.ebay.com/turbo_lister/US/install.cab
    O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
    O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
    O16 - DPF: {127698E4-E730-4E5C-A2B1-21490A70C8A1} (CEnroll Class) - http://www.moairocks.com/xenroll.dll
    O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
    O16 - DPF: {A7EA8AD2-287F-11D3-B120-006008C39542} (CBSTIEPrint Class) - http://offers.brightstreet.com/cif/download/bin/actxcab.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = aoldsl.net
    O21 - SSODL: AUHook - {BCBCD383-3E06-11D3-91A9-00C04F68105C} - C:\WINDOWS\SYSTEM\AUHOOK.DLL
     
  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Is system restore still disabled?
    Have you rebooted this PC since posting your last HijackThis log?
    If yes, stop rebooting.
    If no, good.

    In either case, run HijackThis and fix only these lines:
    O2 - BHO: Class - {0E36C91F-E8C5-668C-6824-711A0D9B3543} - C:\WINDOWS\SYSTEM\ATLQQ.DLL (file missing)
    O2 - BHO: Class - {C14A63C4-80B0-D977-7CCE-440563F34821} - C:\WINDOWS\SYSGA.DLL (file missing)
    O2 - BHO: Class - {3D1F3C37-49CA-66D3-9877-04375ADE521D} - C:\WINDOWS\APPAC32.DLL (file missing)
    O2 - BHO: Class - {46CBB635-BE2E-414C-B36B-6C899CEAC5B7} - C:\WINDOWS\ADDGE32.DLL (file missing)
    O2 - BHO: Class - {D5622A73-BE5E-84D8-3B85-F319536A4696} - C:\WINDOWS\NTCK32.DLL (file missing)
    O2 - BHO: Class - {25AF4569-BD8E-E75D-973D-8A48519B2603} - C:\WINDOWS\SYSTEM\NTTY32.DLL (file missing)
    O2 - BHO: Class - {E13C4480-BCC9-AD1D-7FC9-BD1A2CBDA6A4} - C:\WINDOWS\SYSTEM\APISR.DLL (file missing)
    O2 - BHO: Class - {6D48F634-DFAF-1764-FBD6-1DD58A4594FD} - C:\WINDOWS\SDKNH32.DLL (file missing)
    O2 - BHO: Class - {EFEA02E1-0B01-3C73-AF6A-DE0AAB6EDEEB} - C:\WINDOWS\SYSTEM\JAVAUJ32.DLL (file missing)
    O2 - BHO: Class - {6D58C8C3-0A00-0929-E359-77C521C2D819} - C:\WINDOWS\NTGB32.DLL (file missing)
    O2 - BHO: Class - {0E3716B0-8EAC-AF20-3EB8-BF8DD253519C} - C:\WINDOWS\SYSTEM\MSVT32.DLL (file missing)
    O2 - BHO: Class - {93F1C865-3803-9149-D3C4-3BB5A30E7516} - C:\WINDOWS\WINDM.DLL (file missing)
    O2 - BHO: Class - {D476235C-961C-D6D6-CAE8-B8289B91FF7B} - C:\WINDOWS\JAVAMG.DLL (file missing)
    O2 - BHO: Class - {D757C266-5087-B9EF-B128-EDF9DA763B6F} - C:\WINDOWS\ATLRC.DLL (file missing)
    O2 - BHO: Class - {369F1E9D-92BF-04C9-EE95-65CDB1144E13} - C:\WINDOWS\SYSTEM\SYSGQ32.DLL (file missing)
    O2 - BHO: Class - {9615F477-B7B7-A69E-C5E8-C69E371F6C5C} - C:\WINDOWS\CRBE32.DLL (file missing)
    O2 - BHO: Class - {DB309419-3C5C-375B-8765-4F2EE5877F1F} - C:\WINDOWS\APPKN32.DLL (file missing)
    O2 - BHO: Class - {44A73433-E13D-79D4-D26D-9CDD83E71551} - C:\WINDOWS\IEDJ32.DLL (file missing)
    O2 - BHO: Class - {C0B22569-4E16-8930-32EF-CE7B1D191BC0} - C:\WINDOWS\SYSTEM\NETYV32.DLL (file missing)
    O2 - BHO: Class - {3ADBDF49-47B7-70B8-7E62-B9F953421BB1} - C:\WINDOWS\SYSTEM\NTLZ32.DLL (file missing)
    O2 - BHO: Class - {0DB31801-4071-A832-F6B3-6C9C46EF4A2D} - C:\WINDOWS\SYSTEM\IEVG.DLL (file missing)
    O2 - BHO: Class - {EDF94985-0AA4-714B-4D3F-E2B133CFEEAD} - C:\WINDOWS\IEWW.DLL (file missing)
    O2 - BHO: Class - {12279319-F31A-C38D-DA45-167674E3992B} - C:\WINDOWS\SYSTEM\WINVB.DLL (file missing)
    O2 - BHO: Class - {23448DC9-3E89-9556-DAA1-31611C8C8C86} - C:\WINDOWS\IPUA32.DLL (file missing)

    - run this online scan again: http://housecall.trendmicro.com/hou.../start_corp.asp
    and tell me what it finds this time and if it indicates that it was able to fix (clean) the problem.

    Post another log (make sure you do not reboot or shutdown unless I tell you to).
     
    Last edited: Jul 19, 2004
  12. ELMO4635

    ELMO4635 Private E-2

    Well... yes, the PC was rebooted... I will leave it on this time! LOL

    I just finished the Trend Micro Virus scan and it found a JOKE SMALLPEN Virus in a ZipFile from 2 years ago... but that was it!

    Want another HiJack This Log?

    Logfile of HijackThis v1.98.0
    Scan saved at 10:49:19 PM, on 7/19/2004
    Platform: Windows ME (Win9x 4.90.3000)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\SCARDSVR.EXE
    C:\PROGRAM FILES\COMPAQ\COMPAQ MESSAGE SCREENER\BIN\COMPAQ-RBA.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\WINDOWS\SYSTEM\ATLPC.EXE
    C:\WINDOWS\ATLBA32.EXE
    C:\WINDOWS\NETBL32.EXE
    C:\WINDOWS\CRDK.EXE
    C:\WINDOWS\WINZE.EXE
    C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS\SYSTEM\HIDSERV.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\PROGRAM FILES\COMPAQ\DIGITAL DASHBOARD\CPQMLDET.EXE
    C:\COMPAQ\EAKDRV\STARTDRV.EXE
    C:\COMPAQ\EAKDRV\EAKDRV.EXE
    C:\COMPAQ\EAKDRV\EAUSBKBD.EXE
    C:\PROGRAM FILES\ADAPTEC\DIRECTCD\DIRECTCD.EXE
    C:\PROGRAM FILES\IOMEGA\DRIVEICONS\IMGICON.EXE
    C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
    C:\WINDOWS\SYSTEM\ATLQQ.EXE
    C:\PROGRAM FILES\ADOBE\ACROBAT 4.0\DISTILLR\ACROTRAY.EXE
    C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\OSA.EXE
    C:\PROGRAM FILES\HEWLETT-PACKARD\PHOTOSMART\HP SHARE-TO-WEB\HPGS2WNF.EXE
    C:\PROGRAM FILES\1STCLOCK\1STCLOCK.EXE
    C:\PROGRAM FILES\EFAX MESSENGER PLUS\DLLCMD32.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\WINDOWS\SYSTEM\RNAAPP.EXE
    C:\WINDOWS\SYSTEM\TAPISRV.EXE
    C:\WINDOWS\ATLBA32.EXE
    C:\WINDOWS\APILF32.EXE
    C:\WINDOWS\SYSTEM\ATLPC.EXE
    C:\WINDOWS\ATLBA32.EXE
    C:\WINDOWS\NTHC.EXE
    C:\PROGRAM FILES\AMERICA ONLINE 8.0\WAOL.EXE
    C:\PROGRAM FILES\AMERICA ONLINE 8.0\SHELLMON.EXE
    C:\PROGRAM FILES\AMERICA ONLINE 8.0\AOLWBSPD.EXE
    C:\DOWNLOADS\TROJAN STUFF\HIJACKTHIS V1.98\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system\pxbrj.dll/sp.html#96676
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://pxbrj.dll/index.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://pxbrj.dll/index.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system\pxbrj.dll/sp.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system\pxbrj.dll/sp.html#96676
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://pxbrj.dll/index.html#96676
    R3 - Default URLSearchHook is missing
    F1 - win.ini: run=hpfsched
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\downloaded program files\googletoolbar_en_2.0.95-deleon.dll (file missing)
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [Hidserv] Hidserv.exe run
    O4 - HKLM\..\Run: [WCOLOREAL] C:\Program Files\COMPAQ\COLOREAL\COLOREAL.EXE
    O4 - HKLM\..\Run: [Digital Dashboard] C:\Program Files\Compaq\Digital Dashboard\CPQMLDET.exe
    O4 - HKLM\..\Run: [CPQEASYACC] C:\Compaq\eakdrv\STARTDRV.exe
    O4 - HKLM\..\Run: [CpqBootPerfDb] C:\Cpqs\Scom\CpqBootPerfDb.exe
    O4 - HKLM\..\Run: [Adaptec DirectCD] C:\PROGRA~1\ADAPTEC\DIRECTCD\DIRECTCD.EXE
    O4 - HKLM\..\Run: [Iomega Startup Options] C:\Program Files\Iomega\Common\ImgStart.exe
    O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
    O4 - HKLM\..\Run: [CXMon] "C:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe"
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE
    O4 - HKLM\..\Run: [ATLQQ.EXE] C:\WINDOWS\SYSTEM\ATLQQ.EXE
    O4 - HKLM\..\RunServices: [NTAV32.EXE] C:\WINDOWS\NTAV32.EXE
    O4 - HKLM\..\RunServices: [ScardSvr] C:\WINDOWS\SYSTEM\ScardSvr.exe
    O4 - HKLM\..\RunServices: [Compaq_RBA] C:\PROGRAM FILES\COMPAQ\COMPAQ MESSAGE SCREENER\BIN\COMPAQ-RBA.EXE
    O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
    O4 - Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 4.0\Distillr\AcroTray.exe
    O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
    O4 - Startup: PowerReg Scheduler.exe
    O4 - Startup: 1st Clock.lnk = C:\Program Files\1stClock\1STCLOCK.EXE
    O4 - Startup: Live Menu.lnk = C:\Program Files\eFax Messenger Plus\Dllcmd32.exe
    O4 - Startup: America Online 8.0 Tray Icon.lnk = C:\Program Files\America Online 8.0\aoltray.exe
    O4 - Startup: eFax Tray Menu.lnk = C:\Program Files\eFax Messenger Plus\HotTray.exe
    O8 - Extra context menu item: &Google Search - res://C:\WINDOWS\DOWNLOADED PROGRAM FILES\GOOGLETOOLBAR_EN_2.0.95-DELEON.DLL/cmsearch.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\WINDOWS\DOWNLOADED PROGRAM FILES\GOOGLETOOLBAR_EN_2.0.95-DELEON.DLL/cmcache.html
    O8 - Extra context menu item: Si&milar Pages - res://C:\WINDOWS\DOWNLOADED PROGRAM FILES\GOOGLETOOLBAR_EN_2.0.95-DELEON.DLL/cmsimilar.html
    O8 - Extra context menu item: Backward &Links - res://C:\WINDOWS\DOWNLOADED PROGRAM FILES\GOOGLETOOLBAR_EN_2.0.95-DELEON.DLL/cmbacklinks.html
    O8 - Extra context menu item: Translate Page - res://C:\WINDOWS\DOWNLOADED PROGRAM FILES\GOOGLETOOLBAR_EN_2.0.95-DELEON.DLL/cmtrans.html
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
    O16 - DPF: {226906C8-B910-11D3-82A3-0000F81A655B} (Mbayactx Control) - http://www.messagebay.com/code1/mbayactx.cab
    O16 - DPF: {26CBF141-7D0F-46E1-AA06-718958B6E4D2} - http://download.ebay.com/turbo_lister/US/install.cab
    O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
    O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
    O16 - DPF: {127698E4-E730-4E5C-A2B1-21490A70C8A1} (CEnroll Class) - http://www.moairocks.com/xenroll.dll
    O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
    O16 - DPF: {A7EA8AD2-287F-11D3-B120-006008C39542} (CBSTIEPrint Class) - http://offers.brightstreet.com/cif/download/bin/actxcab.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = aoldsl.net
    O21 - SSODL: AUHook - {BCBCD383-3E06-11D3-91A9-00C04F68105C} - C:\WINDOWS\SYSTEM\AUHOOK.DLL
     
  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You did not answer this question:

    Is system restore still disabled?
     
  14. ELMO4635

    ELMO4635 Private E-2

    Yes, it is still disabled...
     
  15. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Before starting to execute the steps below read through all of them to make sure you understand them and that you can execute all of them.

    Make sure you print these or save them to a file on your PC because I am going to have you disconnect your PC from the internet at a certain point (Not Yet!). Once disconnected, do not connect again until I tell you to do so.
    Make sure you have current Ad-aware: http://www.majorgeeks.com/download506.html
    Make sure the Ad-aware reference file is updated. At time of writing we are at: 01R333 18.07.2004
    Also first read about how to set Ad-aware for a fullscan: http://www.lavahelp.com/howto/fullscan/index.html

    1) Disable system restore and reboot! Here's how to do that: http://www.majorgeeks.com/vb/showthread.php?t=31668
    2) Make sure you have enabled viewing of Hidden Files and Folders with Windows Explorer. To see how to do that, see this: http://www.xtra.co.nz/help/0,,4155-1916458,00.html

    3) Make sure you know how to boot in safe mode too (but don't do it yet!):
    http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406?OpenDocument&src=sec_doc_nam

    4) Disconnect from the internet (pull your ethernet cable if you have DSL or cable modem. If you have an analog modem, drop your connection!)

    5) Now click Start, Run, and enter the following command "notepad C:\WINDOWS\system\pxbrj.dll" (without the quotes) and click OK. Now in the notepad window, hit CTRL-A to select all contents of the file then hit the Delete key to delete all lines of the file. Now save the file (yes as an empty file).

    Now using Windows Explorer, locate the file C:\WINDOWS\system\pxbrj.dll and right click on it and select Properties and change the attributes to Read Only and click OK.

    6) Use Task Manager (CTRL-ALT-DEL) to end the below Processes if found (make sure you look for multiple instances of the same filename as I gave below. Your log did show it that way.):
    ATLPC.EXE
    ATLBA32.EXE
    ATLQQ.EXE
    NETBL32.EXE
    CRDK.EXE
    ATLBA32.EXE
    APILF32.EXE
    ATLPC.EXE
    ATLBA32.EXE
    NTHC.EXE
    NTAV32.EXE

    If you do not find these processes running, just continue with the next steps. Keep track of what you do find and tell me.

    7) Now shut down all applications (especially IE and Windows explorer) and run HijackThis. Have it fix only what I give you below:

    O4 - HKLM\..\Run: [ATLQQ.EXE] C:\WINDOWS\SYSTEM\ATLQQ.EXE
    O4 - HKLM\..\RunServices: [NTAV32.EXE] C:\WINDOWS\NTAV32.EXE

    8) Now reboot in safe mode (via method given in step 3) and then delete the following if found:

    C:\WINDOWS\APILF32.EXE
    C:\WINDOWS\SYSTEM\ATLPC.EXE
    C:\WINDOWS\ATLBA32.EXE
    C:\WINDOWS\SYSTEM\ATLQQ.EXE
    C:\WINDOWS\SYSTEM\ATLPC.EXE
    C:\WINDOWS\CRDK.EXE
    C:\WINDOWS\NETBL32.EXE
    C:\WINDOWS\NTHC.EXE
    C:\WINDOWS\NTAV32.EXE
    C:\WINDOWS\WINZE.EXE

    9) Now while still in safe mode run only Hijack This and have it fix the below lines (if still there):
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system\pxbrj.dll/sp.html#96676
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://pxbrj.dll/index.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://pxbrj.dll/index.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system\pxbrj.dll/sp.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system\pxbrj.dll/sp.html#96676
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://pxbrj.dll/index.html#96676
    R3 - Default URLSearchHook is missing

    10) Right click on your Internet Explorer icon and select Properties. Set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files, select Delete all Offline content too, Click OK. When it finishes Click OK.

    11) Now (still in safe mode) run Ad-aware in fullscan mode and clean what it finds.

    12) Now click Start, Run, and in the Open box enter "regedit" (without the quotes). Now navigate thru the registry to:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall

    Click the [+] next to uninstall. Scroll down until you see the NAMES of programs (skip past the lines with numbers in {,} ). See if you can find any of the following listed:
    HSA = Home Search Agent or Home_Search_Assistent (yes, the spelling of assistant is wrong)
    SA = Search Assistant
    SW = Shopping Wizzard

    If you find any of them, select one at a time, and hit your delete key. Once you delete all three, you can exit the registry editor.

    As an alternate approach save the following 4 lines to a file called hsafix.reg, then using windows explorer double click on the hsafix.reg file and merge the fix into the registry.
    REGEDIT4
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\HSA]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SE]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SW]

    13) Now reboot normal mode.
    14) Before running anything else run HijackThis and save a log.
    15) Connect here to MG's and post the new log. Then continue running and let's see how everything is working.
     
  16. ELMO4635

    ELMO4635 Private E-2

    While I was waiting for your response, I ran HiJackThis again... and now it shows the DLL File as EGRND.DLL, as the one in all the problems...

    Do I just do the "fixes" on this new DLL??
     
  17. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I'm not sure where you mean. What caused your log to change? You'll need to post another now. There is no sense continuing if items have changed.
     
  18. ELMO4635

    ELMO4635 Private E-2

    Logfile of HijackThis v1.98.0
    Scan saved at 11:50:44 PM, on 7/19/2004
    Platform: Windows ME (Win9x 4.90.3000)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\SCARDSVR.EXE
    C:\PROGRAM FILES\COMPAQ\COMPAQ MESSAGE SCREENER\BIN\COMPAQ-RBA.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\WINDOWS\SYSTEM\ATLPC.EXE
    C:\WINDOWS\ATLBA32.EXE
    C:\WINDOWS\NETBL32.EXE
    C:\WINDOWS\CRDK.EXE
    C:\WINDOWS\WINZE.EXE
    C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS\SYSTEM\HIDSERV.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\PROGRAM FILES\COMPAQ\DIGITAL DASHBOARD\CPQMLDET.EXE
    C:\COMPAQ\EAKDRV\STARTDRV.EXE
    C:\COMPAQ\EAKDRV\EAKDRV.EXE
    C:\COMPAQ\EAKDRV\EAUSBKBD.EXE
    C:\PROGRAM FILES\ADAPTEC\DIRECTCD\DIRECTCD.EXE
    C:\PROGRAM FILES\IOMEGA\DRIVEICONS\IMGICON.EXE
    C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
    C:\WINDOWS\SYSTEM\ATLQQ.EXE
    C:\PROGRAM FILES\ADOBE\ACROBAT 4.0\DISTILLR\ACROTRAY.EXE
    C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\OSA.EXE
    C:\PROGRAM FILES\HEWLETT-PACKARD\PHOTOSMART\HP SHARE-TO-WEB\HPGS2WNF.EXE
    C:\PROGRAM FILES\1STCLOCK\1STCLOCK.EXE
    C:\PROGRAM FILES\EFAX MESSENGER PLUS\DLLCMD32.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\WINDOWS\SYSTEM\RNAAPP.EXE
    C:\WINDOWS\SYSTEM\TAPISRV.EXE
    C:\WINDOWS\ATLBA32.EXE
    C:\WINDOWS\APILF32.EXE
    C:\WINDOWS\SYSTEM\ATLPC.EXE
    C:\WINDOWS\ATLBA32.EXE
    C:\WINDOWS\NTHC.EXE
    C:\PROGRAM FILES\AMERICA ONLINE 8.0\WAOL.EXE
    C:\PROGRAM FILES\AMERICA ONLINE 8.0\SHELLMON.EXE
    C:\PROGRAM FILES\AMERICA ONLINE 8.0\AOLWBSPD.EXE
    C:\WINDOWS\ATLBA32.EXE
    C:\WINDOWS\SYSTEM\APPUM.EXE
    C:\WINDOWS\ATLBA32.EXE
    C:\WINDOWS\CRHD32.EXE
    C:\WINDOWS\CRHD32.EXE
    C:\WINDOWS\NTYW32.EXE
    C:\DOWNLOADS\TROJAN STUFF\HIJACKTHIS V1.98\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system\egrnd.dll/sp.html#96676
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://egrnd.dll/index.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://egrnd.dll/index.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system\egrnd.dll/sp.html#96676
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system\egrnd.dll/sp.html#96676
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://egrnd.dll/index.html#96676
    R3 - Default URLSearchHook is missing
    F1 - win.ini: run=hpfsched
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O2 - BHO: Class - {3D1F3C37-49CA-66D3-9877-04375ADE521D} - C:\WINDOWS\APPAC32.DLL (file missing)
    O2 - BHO: Class - {C14A63C4-80B0-D977-7CCE-440563F34821} - C:\WINDOWS\SYSGA.DLL
    O2 - BHO: Class - {210E4D1E-1772-E5BB-3A77-402CC4AEF532} - C:\WINDOWS\CRHS.DLL (file missing)
    O2 - BHO: Class - {15E32CB6-95A0-5363-B55E-CF4CDA121F27} - C:\WINDOWS\MSCD32.DLL (file missing)
    O2 - BHO: Class - {EE37178B-E57C-4045-A483-E895595C72A5} - C:\WINDOWS\SDKDY.DLL (file missing)
    O2 - BHO: Class - {9A9A8EE2-E2CE-CF00-010E-4EC2085C180F} - C:\WINDOWS\SYSTEM\APPGZ32.DLL (file missing)
    O2 - BHO: Class - {0E36C91F-E8C5-668C-6824-711A0D9B3543} - C:\WINDOWS\SYSTEM\ATLQQ.DLL (file missing)
    O2 - BHO: Class - {2061BB23-DCA4-0D83-B4A7-56779D602DB2} - C:\WINDOWS\SYSMS32.DLL (file missing)
    O2 - BHO: Class - {0CE67B94-2E2C-93A0-43E8-4B02D9C12BD3} - C:\WINDOWS\SYSTEM\ATLIG32.DLL (file missing)
    O2 - BHO: Class - {C50C3867-EF0D-F996-B6E2-672B60D6ED50} - C:\WINDOWS\APIZQ32.DLL (file missing)
    O2 - BHO: Class - {766B0131-4015-93FF-E8F7-453A0E211961} - C:\WINDOWS\SYSTEM\NTTT.DLL (file missing)
    O2 - BHO: Class - {588A083D-3EC5-A393-A9A0-E5DD1BC3F762} - C:\WINDOWS\SYSTEM\CRDO32.DLL (file missing)
    O2 - BHO: Class - {4230B786-8F52-5877-3237-0F1B6BFC64B3} - C:\WINDOWS\SYSTEM\WINOE.DLL (file missing)
    O2 - BHO: Class - {5672786C-EFC5-75B8-FF9A-A2EDABD54F2E} - C:\WINDOWS\SYSTEM\WINOP.DLL (file missing)
    O2 - BHO: Class - {F960E6C0-0930-66A3-4D6F-92DE39605CFF} - C:\WINDOWS\SYSTEM\APPTJ32.DLL (file missing)
    O2 - BHO: Class - {5C6B1178-B2A9-5AF4-A37F-F0397235BA97} - C:\WINDOWS\MFCSI.DLL
    O2 - BHO: Class - {14B627E8-FA46-6393-8D1A-01478E0D9C0A} - C:\WINDOWS\NTLP32.DLL (file missing)
    O2 - BHO: Class - {F3EE7183-7565-ABA9-4792-A7E2D8EC68ED} - C:\WINDOWS\SYSTEM\NTOE.DLL (file missing)
    O2 - BHO: Class - {EBB4E16E-5D9E-03FE-9154-878A47820316} - C:\WINDOWS\APIMU32.DLL (file missing)
    O2 - BHO: Class - {20621C38-E145-4E92-7BAB-78738EF4B005} - C:\WINDOWS\SYSTEM\CRUO32.DLL (file missing)
    O2 - BHO: Class - {C0C0E675-BCA8-D1EC-49B2-D7620FCDD5BE} - C:\WINDOWS\NTDP.DLL (file missing)
    O2 - BHO: Class - {8BBE09CB-8D65-3C5D-8EE4-0A0EE5FF3E58} - C:\WINDOWS\SYSTEM\MFCWO32.DLL (file missing)
    O2 - BHO: Class - {DF137210-EFBA-66EB-84A5-5AB6CA0A96F9} - C:\WINDOWS\SYSTEM\NETNX32.DLL (file missing)
    O2 - BHO: Class - {40D52E4D-88EF-4038-EB92-B7CC25BCF511} - C:\WINDOWS\SYSTEM\APIVY.DLL (file missing)
    O2 - BHO: Class - {149E3520-76B1-18D1-BA44-E4375DF430CA} - C:\WINDOWS\APPMT32.DLL (file missing)
    O2 - BHO: Class - {DC0E2D8F-285B-98A6-1EFF-E94EDB01C121} - C:\WINDOWS\SYSTEM\IEYV32.DLL (file missing)
    O2 - BHO: Class - {064D7349-A77F-B038-ADF3-F789A75B907C} - C:\WINDOWS\SYSTEM\JAVAQQ32.DLL (file missing)
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\downloaded program files\googletoolbar_en_2.0.95-deleon.dll (file missing)
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [Hidserv] Hidserv.exe run
    O4 - HKLM\..\Run: [WCOLOREAL] C:\Program Files\COMPAQ\COLOREAL\COLOREAL.EXE
    O4 - HKLM\..\Run: [Digital Dashboard] C:\Program Files\Compaq\Digital Dashboard\CPQMLDET.exe
    O4 - HKLM\..\Run: [CPQEASYACC] C:\Compaq\eakdrv\STARTDRV.exe
    O4 - HKLM\..\Run: [CpqBootPerfDb] C:\Cpqs\Scom\CpqBootPerfDb.exe
    O4 - HKLM\..\Run: [Adaptec DirectCD] C:\PROGRA~1\ADAPTEC\DIRECTCD\DIRECTCD.EXE
    O4 - HKLM\..\Run: [Iomega Startup Options] C:\Program Files\Iomega\Common\ImgStart.exe
    O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
    O4 - HKLM\..\Run: [CXMon] "C:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe"
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE
    O4 - HKLM\..\Run: [ATLQQ.EXE] C:\WINDOWS\SYSTEM\ATLQQ.EXE
    O4 - HKLM\..\RunServices: [NTAV32.EXE] C:\WINDOWS\NTAV32.EXE
    O4 - HKLM\..\RunServices: [ScardSvr] C:\WINDOWS\SYSTEM\ScardSvr.exe
    O4 - HKLM\..\RunServices: [Compaq_RBA] C:\PROGRAM FILES\COMPAQ\COMPAQ MESSAGE SCREENER\BIN\COMPAQ-RBA.EXE
    O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
    O4 - HKLM\..\RunServices: [ATLBA32.EXE] C:\WINDOWS\ATLBA32.EXE
    O4 - HKLM\..\RunServices: [APPUM.EXE] C:\WINDOWS\SYSTEM\APPUM.EXE
    O4 - HKLM\..\RunServices: [CRHD32.EXE] C:\WINDOWS\CRHD32.EXE
    O4 - HKLM\..\RunServices: [NTYW32.EXE] C:\WINDOWS\NTYW32.EXE
    O4 - Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 4.0\Distillr\AcroTray.exe
    O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
    O4 - Startup: PowerReg Scheduler.exe
    O4 - Startup: 1st Clock.lnk = C:\Program Files\1stClock\1STCLOCK.EXE
    O4 - Startup: Live Menu.lnk = C:\Program Files\eFax Messenger Plus\Dllcmd32.exe
    O4 - Startup: America Online 8.0 Tray Icon.lnk = C:\Program Files\America Online 8.0\aoltray.exe
    O4 - Startup: eFax Tray Menu.lnk = C:\Program Files\eFax Messenger Plus\HotTray.exe
    O8 - Extra context menu item: &Google Search - res://C:\WINDOWS\DOWNLOADED PROGRAM FILES\GOOGLETOOLBAR_EN_2.0.95-DELEON.DLL/cmsearch.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\WINDOWS\DOWNLOADED PROGRAM FILES\GOOGLETOOLBAR_EN_2.0.95-DELEON.DLL/cmcache.html
    O8 - Extra context menu item: Si&milar Pages - res://C:\WINDOWS\DOWNLOADED PROGRAM FILES\GOOGLETOOLBAR_EN_2.0.95-DELEON.DLL/cmsimilar.html
    O8 - Extra context menu item: Backward &Links - res://C:\WINDOWS\DOWNLOADED PROGRAM FILES\GOOGLETOOLBAR_EN_2.0.95-DELEON.DLL/cmbacklinks.html
    O8 - Extra context menu item: Translate Page - res://C:\WINDOWS\DOWNLOADED PROGRAM FILES\GOOGLETOOLBAR_EN_2.0.95-DELEON.DLL/cmtrans.html
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
    O16 - DPF: {226906C8-B910-11D3-82A3-0000F81A655B} (Mbayactx Control) - http://www.messagebay.com/code1/mbayactx.cab
    O16 - DPF: {26CBF141-7D0F-46E1-AA06-718958B6E4D2} - http://download.ebay.com/turbo_lister/US/install.cab
    O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
    O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
    O16 - DPF: {127698E4-E730-4E5C-A2B1-21490A70C8A1} (CEnroll Class) - http://www.moairocks.com/xenroll.dll
    O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
    O16 - DPF: {A7EA8AD2-287F-11D3-B120-006008C39542} (CBSTIEPrint Class) - http://offers.brightstreet.com/cif/download/bin/actxcab.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = aoldsl.net
    O21 - SSODL: AUHook - {BCBCD383-3E06-11D3-91A9-00C04F68105C} - C:\WINDOWS\SYSTEM\AUHOOK.DLL
     
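Chaslang's step list above works through the HijackThis log by hand, and the second log shows why that is fragile: between the two scans the res:// DLL was renamed from pxbrj.dll to egrnd.dll and new BHO and RunServices entries appeared. The following Python script is an added example, not a HijackThis or MajorGeeks tool, that parses HijackThis-style log text, reports the DLL the R0/R1 IE settings point into, flags filenames that fit the rotating-name pattern chaslang listed, and diffs two logs so the change between scans is listed explicitly. All inputs are constructed: LOG_1 and LOG_2 are excerpts of the two logs posted in this thread, and the name heuristic is built from the filenames seen here, not a vendor signature. The script only reads text; it changes nothing on the machine.

```python
"""Parse and triage HijackThis-style logs (added example; not a HijackThis/MajorGeeks tool).

Constructed inputs: LOG_1/LOG_2 are excerpts of the two logs in this thread, and
ROTATING_NAME_RE is a heuristic built from the filenames chaslang listed, not a
vendor signature. Nothing here touches the registry or the file system.
"""
import re

ITEM_RE = re.compile(r"^(?P<tag>[RFO]\d+) - (?P<body>.*)$")                 # "O4 - HKLM\..\Run: ..."
RES_DLL_RE = re.compile(r"res://(?:[^/]*\\)?(?P<dll>[^/\\]+\.dll)/", re.I)  # res://[dir\]x.dll/page
PATH_RE = re.compile(r'[A-Za-z]:\\[^"]*?\.(?:exe|dll)', re.I)                # first drive-letter path
# prefix + two letters + optional "32": ATLPC, APILF32, NTHC, CRDK, WINZE, SYSGA.DLL ...
ROTATING_NAME_RE = re.compile(
    r"^(ATL|API|APP|CR|NET|NT|SYS|WIN|MFC|IE|JAVA|SDK|IP|UP|ADD|D3)[A-Z]{2}(32)?\.(EXE|DLL)$", re.I)


def parse_log(text):
    """Return (running-process paths, [(tag, body)] items) from one HijackThis log."""
    processes, items, in_procs = [], [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "Running processes:":
            in_procs = True
            continue
        m = ITEM_RE.match(line)
        if m:                       # first tagged item ends the process list
            in_procs = False
            items.append((m.group("tag"), m.group("body")))
        elif in_procs:
            processes.append(line)
    return processes, items


def basename(path):
    return path.rsplit("\\", 1)[-1].upper()


def hijack_dlls(items):
    """DLLs that the R0/R1 IE start/search settings point into through res:// URLs."""
    found = set()
    for t, b in items:
        m = RES_DLL_RE.search(b) if t in ("R0", "R1") else None
        if m:
            found.add(m.group("dll").lower())
    return sorted(found)


def rotating_names(processes, items):
    """Filenames (processes, O2 BHOs, O4 autostarts) that fit the rotating-name heuristic."""
    names = {basename(p) for p in processes}
    for t, b in items:
        if t in ("O2", "O4"):
            m = PATH_RE.search(b)
            if m:
                names.add(basename(m.group(0)))
    return sorted(n for n in names if ROTATING_NAME_RE.match(n))


def triage(text):
    processes, items = parse_log(text)
    return {
        "hijack_dlls": hijack_dlls(items),
        "rotating": rotating_names(processes, items),
        # BHO entries whose DLL is already gone: the component was renamed or removed
        "missing_bhos": sum(1 for t, b in items if t == "O2" and "(file missing)" in b),
    }


def diff_logs(old_text, new_text):
    """(items that appeared in the new log, items that disappeared): the 'what changed?' question."""
    old = {f"{t} - {b}" for t, b in parse_log(old_text)[1]}
    new = {f"{t} - {b}" for t, b in parse_log(new_text)[1]}
    return sorted(new - old), sorted(old - new)


# Constructed excerpt of the 10:49 PM log from this thread.
LOG_1 = r"""Logfile of HijackThis v1.98.0

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\ATLPC.EXE
C:\WINDOWS\ATLBA32.EXE
C:\WINDOWS\NETBL32.EXE
C:\WINDOWS\CRDK.EXE
C:\WINDOWS\WINZE.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\APILF32.EXE
C:\WINDOWS\NTHC.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system\pxbrj.dll/sp.html#96676
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://pxbrj.dll/index.html#96676
R3 - Default URLSearchHook is missing
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [ATLQQ.EXE] C:\WINDOWS\SYSTEM\ATLQQ.EXE
O4 - HKLM\..\RunServices: [NTAV32.EXE] C:\WINDOWS\NTAV32.EXE
"""

# Constructed excerpt of the 11:50 PM log: same machine an hour later.
LOG_2 = r"""Logfile of HijackThis v1.98.0

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\ATLPC.EXE
C:\WINDOWS\ATLBA32.EXE
C:\WINDOWS\NETBL32.EXE
C:\WINDOWS\CRDK.EXE
C:\WINDOWS\WINZE.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\APILF32.EXE
C:\WINDOWS\NTHC.EXE
C:\WINDOWS\SYSTEM\APPUM.EXE
C:\WINDOWS\CRHD32.EXE
C:\WINDOWS\NTYW32.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system\egrnd.dll/sp.html#96676
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://egrnd.dll/index.html#96676
R3 - Default URLSearchHook is missing
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: Class - {3D1F3C37-49CA-66D3-9877-04375ADE521D} - C:\WINDOWS\APPAC32.DLL (file missing)
O2 - BHO: Class - {C14A63C4-80B0-D977-7CCE-440563F34821} - C:\WINDOWS\SYSGA.DLL
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [ATLQQ.EXE] C:\WINDOWS\SYSTEM\ATLQQ.EXE
O4 - HKLM\..\RunServices: [NTAV32.EXE] C:\WINDOWS\NTAV32.EXE
O4 - HKLM\..\RunServices: [APPUM.EXE] C:\WINDOWS\SYSTEM\APPUM.EXE
O4 - HKLM\..\RunServices: [CRHD32.EXE] C:\WINDOWS\CRHD32.EXE
"""

if __name__ == "__main__":
    for label, log in (("first log", LOG_1), ("second log", LOG_2)):
        print(label, triage(log))
    added, removed = diff_logs(LOG_1, LOG_2)
    print("appeared:", *added, sep="\n  ")
    print("disappeared:", *removed, sep="\n  ")
```

The name heuristic is deliberately loose and will produce false positives on an unfamiliar machine, so its output is a list to check against the running-process list and the directory it sits in, not a delete list. The diff is the more reliable part: entries that appear between two scans minutes apart on an idle machine are the ones worth asking about, which is exactly the question chaslang raised when the second log arrived.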
  19. ELMO4635

    ELMO4635 Private E-2

    WAIT A MINUTE.... everytime I run HiJAck THis and save a log file to a XYZ.txt, my notepad opens up, shows me the info in the log and immediately shuts down!! The only way I can then view it is through Windows Explorer, to copy and paste it to this forum.... then when I run HiJack this again, the DLL is changed!!! Soooooo, is it notepad or Windows explorer that is changing this thing????

    Eldon
     
  20. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    CRAP! What were you doing in between the previous log and this one? What in the world caused all these changes?

    And you're correct, do not do the reboot on the first step after disabling system restore. You can skip that step anyway since you had already disabled it.
     
  21. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    More than likely it is Win Explorer. But I would not be surprised if this piece of crap were attaching itself to both notepad and WinExplorer since the jerks who wrote it know we use them to fix these problems.
     
  22. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Bring up a notepad session by yourself and see if it stays open. If so, navigate to the place you saved your HijackThis log and load it. Does it still stay open?
     
  23. ELMO4635

    ELMO4635 Private E-2

    Do I need to have all my "Critical Updates" from Microsoft updated before we work on this? Or, can they wait until we find the problems??
     
  24. ELMO4635

    ELMO4635 Private E-2

    <Start> <Accessories> <Notepad>

    stays open fine... then when I do <File> <Open> and get a windows explorer type screen it almost immediately closes itself....
     
  25. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Are you way out of date? Or is this something new that just popped up?

    Did you try what I asked with notepad yet?
     
  26. ELMO4635

    ELMO4635 Private E-2

    yes, I think I am way out of date... looks like 10 critical updates need to be updated...

    Yes, see my previous post about the Notepad
     
  27. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

  28. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    In fact do what the link I gave you said:

    Windows ME:
    Download the copy for your Windows version and unzip it first into the folder C:\WINDOWS\Options\cabs (overwriting any existing copy), then into the folder it needs to go for your Windows version.

    The last part (for your version) is c:\windows
     
  29. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

  30. ELMO4635

    ELMO4635 Private E-2

    Downloaded it and now when I run HJT, it saves to the file and Notepad stays open....

    Now what are next steps... should I update MS WinMe with the Critical Updates and then post a new Log File tomorrow night??
     
  31. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Did you see below to run those two items?
     
  32. ELMO4635

    ELMO4635 Private E-2

    CWSHREDDER:

    CWShredder v1.59.1 scan only report
    Please understand that a CWShredder 'Scan only' report
    might not be sufficient to troubleshoot an infected system.
    You can use HijackThis for that:
    http://www.merijn.org/files/hijackthis.zip
    http://www.spywareinfo.com/~merijn/files/hijackthis.zip

    Windows ME (4.90.3000 )
    Windows dir: C:\WINDOWS
    Windows system dir: C:\WINDOWS\SYSTEM
    AppData folder: C:\WINDOWS\Application Data
    Username: default

    Hosts file not present
    Found Win.ini file: C:\WINDOWS\win.ini (11221 bytes, A)
    Found line in Win.ini: load=
    Found line in Win.ini: Run=hpfsched
    Found System.ini file: C:\WINDOWS\system.ini (2315 bytes, -)
    Found line in System.ini: shell=Explorer.exe

    - END OF REPORT -
     
  33. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You need to select FIX (not Scan Only) with CWShredder and see if it finds anything.
     
  34. ELMO4635

    ELMO4635 Private E-2

    CoolWWWSearch.... not found on System

    Also, ran "FIX" on the other and it did not find anything....
     
  35. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay how much more time do you want to spend on this tonight. I will not be home tomorrow night until about 12:00PM EST. I will have some time here and there during the day. Do you want to get all of your Win Updates and continue at a later time?
     
  36. ELMO4635

    ELMO4635 Private E-2

    YES, that sounds good....

    I will update all the MS Critical Updates... and will post a new HJT log tomorrow...

    THANKS FOR ALL YOUR HELP!!!!!!!!!!
     
  37. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    No problem! Remember...after posting the log, do not reboot or shutdown.
     