
ads 234 - powerful voodoo that has taken over

Discussion in 'Virus & Other Malware Removal' started by Big Daddy, Sep 5, 2004.

Thread Status:
Not open for further replies.
  1. Big Daddy

    Big Daddy Thread Starter

    Joined:
    Sep 5, 2004
    Messages:
    2
    Hi Gang,
    Having a problem with Ads 234. Ran Spybot, Ad-Aware, McAfee etc. to no avail. Ran HijackThis and have posted the log. Have read other threads on here related to this issue but don't have the experience to fix them.
    Appreciate any help. Running Win XP.
    Logfile of HijackThis v1.98.2
    Scan saved at 5:23:45 PM, on 9/5/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\cisvc.exe
    C:\WINDOWS\System32\CTsvcCDA.exe
    C:\WINDOWS\System32\gearsec.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\vnxserv.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\BCMSMMSG.exe
    C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\Program Files\Common Files\Dell\EUSW\Support.exe
    C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\WINDOWS\system32\pcs\pcsvc.exe
    C:\documents and settings\daddy\local settings\temp\o7wyeP.exe
    C:\documents and settings\daddy\local settings\temp\1Z.exe
    C:\documents and settings\daddy\local settings\temp\5HzxeP2.exe
    C:\documents and settings\daddy\local settings\temp\qu.exe
    C:\Program Files\Web_Rebates\WebRebates0.exe
    C:\documents and settings\daddy\local settings\temp\o7wyeP.exe
    C:\documents and settings\daddy\local settings\temp\1Z.exe
    C:\documents and settings\daddy\local settings\temp\5HzxeP2.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\PROGRA~1\Web Offer\wo.exe
    C:\Program Files\Digital Line Detect\DLG.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe
    C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
    C:\WINDOWS\System32\HPZipm12.exe
    C:\Program Files\Web_Rebates\WebRebates1.exe
    C:\WINDOWS\system32\cidaemon.exe
    C:\WINDOWS\system32\cidaemon.exe
    C:\Program Files\AIM95\aim.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Outlook Express\msimn.exe
    C:\WINDOWS\SYSTEM32\notepad.exe
    C:\Program Files\Hijack This!\hijackthis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://smbusiness.dellnet.com/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://finance.yahoo.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://smbusiness.dellnet.com/
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    R3 - URLSearchHook: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - (no file)
    O2 - BHO: (no name) - SOFTWARE - (no file)
    O2 - BHO: NavErrRedir Class - {0199DF25-9820-4bd5-9FEE-5A765AB4371E} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {6FDC3A46-B3DB-4A4B-888C-3B3761DB373F} - C:\WINDOWS\System32\a3cd.dll (file missing)
    O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - (no file)
    O2 - BHO: (no name) - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - (no file)
    O2 - BHO: Search Help - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - C:\Documents and Settings\Daddy\Local Settings\Temp\IVqaG6Z.dll
    O3 - Toolbar: (no name) - {014DA6C9-189F-421a-88CD-07CFE51CFF10} - (no file)
    O3 - Toolbar: (no name) - {572DCA2F-51C6-4B93-8570-1B8AC05C73CB} - (no file)
    O3 - Toolbar: (no name) - {F97D5BF3-F892-4FD4-B121-FDA306014966} - (no file)
    O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
    O3 - Toolbar: (no name) - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - (no file)
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
    O3 - Toolbar: (no name) - {339BB23F-A864-48C0-A59F-29EA915965EC} - (no file)
    O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
    O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
    O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
    O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    O4 - HKLM\..\Run: [ELRYFLS] C:\WINDOWS\ELRYFLS.exe
    O4 - HKLM\..\Run: [OZNDKHSBI] C:\WINDOWS\OZNDKHSBI.exe
    O4 - HKLM\..\Run: [YCJTLR] C:\WINDOWS\YCJTLR.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
    O4 - HKLM\..\Run: [Desksite CMA] C:\Program Files\desksite\bin\cma.exe
    O4 - HKLM\..\Run: [HPb] C:\documents and settings\jaa\local settings\temp\HPb.exe
    O4 - HKLM\..\Run: [s7Eg35l] C:\WINDOWS\System32\dmoiperf.exe
    O4 - HKLM\..\Run: [Pcsv] C:\WINDOWS\system32\pcs\pcsvc.exe
    O4 - HKLM\..\Run: [updmgr] C:\Program Files\Common files\updmgr\updmgr.exe
    O4 - HKLM\..\Run: [o7wyeP] C:\documents and settings\daddy\local settings\temp\o7wyeP.exe
    O4 - HKLM\..\Run: [Optimum Online] C:\Program Files\Optimum Online\Netsurf.exe -tray
    O4 - HKLM\..\Run: [1Z] C:\documents and settings\daddy\local settings\temp\1Z.exe
    O4 - HKLM\..\Run: [aFcBAb] C:\documents and settings\daddy\local settings\temp\aFcBAb.exe
    O4 - HKLM\..\Run: [5HzxeP2] C:\documents and settings\daddy\local settings\temp\5HzxeP2.exe
    O4 - HKLM\..\Run: [2LRX2W83X2T3MQ] C:\WINDOWS\System32\Fah1r6.exe
    O4 - HKLM\..\Run: [qu] C:\documents and settings\daddy\local settings\temp\qu.exe
    O4 - HKLM\..\Run: [WebRebates0] "C:\Program Files\Web_Rebates\WebRebates0.exe"
    O4 - HKLM\..\Run: [o7wyeP.exe] C:\documents and settings\daddy\local settings\temp\o7wyeP.exe
    O4 - HKLM\..\Run: [1Z.exe] C:\documents and settings\daddy\local settings\temp\1Z.exe
    O4 - HKLM\..\Run: [5HzxeP2.exe] C:\documents and settings\daddy\local settings\temp\5HzxeP2.exe
    O4 - HKLM\..\Run: [qu.exe] C:\documents and settings\daddy\local settings\temp\qu.exe
    O4 - HKLM\..\Run: [CleanUp] C:\PROGRA~1\McAfee.com\Shared\mcappins.exe /v=3 /cleanup
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [PopUpStopperProfessional] "C:\PROGRA~1\PANICW~1\POP-UP~2\POPUPS~1.EXE"
    O4 - HKCU\..\Run: [eZWO] C:\PROGRA~1\Web Offer\wo.exe
    O4 - Startup: video01.mpeg[1].lnk = C:\WINDOWS\video01.mpeg[1].exe
    O4 - Global Startup: Digital Line Detect.lnk = ?
    O4 - Global Startup: HotSync Manager.lnk = C:\Palm\hotsync.exe
    O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: officejet 6100.lnk = ?
    O8 - Extra context menu item: Coupons - file://C:\Program Files\couponsandoffers\System\Temp\couponsandoffers_script0.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Web Rebates - file://C:\Program Files\Web_Rebates\Sy1150\Tp1150\scri1150a.htm
    O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\ms.exe (file missing)
    O9 - Extra 'Tools' menuitem: MaxSpeed - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\ms.exe (file missing)
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: Yahoo! Poker - http://download.games.yahoo.com/games/clients/y/pt0_x.cab
    O16 - DPF: {1EEC3C99-7AA3-4F6E-B381-AF6942B51618} - http://www.lazychestnuts.net/0015/ph/pup.CAB
    O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...pple.com/bonnie/us/win/QuickTimeInstaller.exe
    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://bin.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,84/mcinsctl.cab
    O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://bin.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,21/mcgdmgr.cab
    O16 - DPF: {CEFB7B49-9652-464F-8AFD-A577C0500F39} - http://akamai.downloadv3.com/binaries/P2EClient/EGAUTH_1004a_pack_XP.cab
    O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - http://us.dl1.yimg.com/download.companion.yahoo.com/dl/toolbar/ym/yiebio5_1_6_0.cab
    O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab

    Muchas Gracias Amigos and Amigas - BD
     
  2. Nok1

    Nok1

    Joined:
    Feb 15, 2004
    Messages:
    826
    Remove these from HJT (make sure all other windows are closed):
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
    R3 - URLSearchHook: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - (no file)
    O2 - BHO: (no name) - SOFTWARE - (no file)
    O2 - BHO: NavErrRedir Class - {0199DF25-9820-4bd5-9FEE-5A765AB4371E} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL
    O2 - BHO: (no name) - {6FDC3A46-B3DB-4A4B-888C-3B3761DB373F} - C:\WINDOWS\System32\a3cd.dll (file missing)
    O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - (no file)
    O2 - BHO: (no name) - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - (no file)
    O2 - BHO: Search Help - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - C:\Documents and Settings\Daddy\Local Settings\Temp\IVqaG6Z.dll
    O3 - Toolbar: (no name) - {014DA6C9-189F-421a-88CD-07CFE51CFF10} - (no file)
    O3 - Toolbar: (no name) - {572DCA2F-51C6-4B93-8570-1B8AC05C73CB} - (no file)
    O3 - Toolbar: (no name) - {F97D5BF3-F892-4FD4-B121-FDA306014966} - (no file)
    O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
    O3 - Toolbar: (no name) - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - (no file)
    O3 - Toolbar: (no name) - {339BB23F-A864-48C0-A59F-29EA915965EC} - (no file)
    O4 - HKLM\..\Run: [ELRYFLS] C:\WINDOWS\ELRYFLS.exe
    O4 - HKLM\..\Run: [OZNDKHSBI] C:\WINDOWS\OZNDKHSBI.exe
    O4 - HKLM\..\Run: [YCJTLR] C:\WINDOWS\YCJTLR.exe
    O4 - HKLM\..\Run: [updmgr] C:\Program Files\Common files\updmgr\updmgr.exe
    O4 - HKLM\..\Run: [o7wyeP] C:\documents and settings\daddy\local settings\temp\o7wyeP.exe
    O4 - HKLM\..\Run: [1Z] C:\documents and settings\daddy\local settings\temp\1Z.exe
    O4 - HKLM\..\Run: [aFcBAb] C:\documents and settings\daddy\local settings\temp\aFcBAb.exe
    O4 - HKLM\..\Run: [5HzxeP2] C:\documents and settings\daddy\local settings\temp\5HzxeP2.exe
    O4 - HKLM\..\Run: [2LRX2W83X2T3MQ] C:\WINDOWS\System32\Fah1r6.exe
    O4 - HKLM\..\Run: [qu] C:\documents and settings\daddy\local settings\temp\qu.exe
    O4 - HKLM\..\Run: [WebRebates0] "C:\Program Files\Web_Rebates\WebRebates0.exe"
    O4 - HKLM\..\Run: [o7wyeP.exe] C:\documents and settings\daddy\local settings\temp\o7wyeP.exe
    O4 - HKLM\..\Run: [1Z.exe] C:\documents and settings\daddy\local settings\temp\1Z.exe
    O4 - HKLM\..\Run: [5HzxeP2.exe] C:\documents and settings\daddy\local settings\temp\5HzxeP2.exe
    O4 - HKLM\..\Run: [qu.exe] C:\documents and settings\daddy\local settings\temp\qu.exe
    O4 - HKCU\..\Run: [eZWO] C:\PROGRA~1\Web Offer\wo.exe
    O4 - Startup: video01.mpeg[1].lnk = C:\WINDOWS\video01.mpeg[1].exe
    O8 - Extra context menu item: Coupons - file://C:\Program Files\couponsandoffers\System\Temp\couponsandoffers_script0.htm
    O8 - Extra context menu item: Web Rebates - file://C:\Program Files\Web_Rebates\Sy1150\Tp1150\scri1150a.htm
    O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\ms.exe (file missing)
    O9 - Extra 'Tools' menuitem: MaxSpeed - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\ms.exe (file missing)
    O16 - DPF: {1EEC3C99-7AA3-4F6E-B381-AF6942B51618} - http://www.lazychestnuts.net/0015/ph/pup.CAB


    Next, download the file below and run it (remain online while running the file):
    http://www.zerosrealm.com/downloads/uninst.exe

    Now go to Add/Remove Programs (in the Control Panel) and see if you find any of the items below. If you do, uninstall them:
    WebRebates
    WebOffers


    Download these two programs (and update them) but do not scan with them yet.

    1. Download Ad-Aware SE 1.03 from http://majorgeeks.com/download.php?det=506/
    2. Install the program, open it and check to make sure you have the latest reference file by clicking on WebUpdate. Make sure that your reference file reads SE1R6 30.08.2004 (or a higher number/date). If it does not, run WebUpdate and download the new reference file.
    3. Make sure that all settings under the Scanning button are turned ON.

    Then:
    1. Download Spybot S&D from this page.
    2. Open and install the program, then click here and follow the instructions for updating the program. Download all available updates.





    Now reboot to safe mode, enable viewing of hidden/system files (instructions below)

    How to boot to safe mode - http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406
    How to enable viewing of hidden/system files - http://www.xtra.co.nz/help/0,,4155-1916458,00.html

    Now in safe mode:

    Empty the temp folder (the folder below) by deleting everything besides the History Folder and the Temporary Internet Files Folder.
    C:\documents and settings\daddy\local settings\temp

    Next, do that for each user account (each folder in C:\documents and settings)
    ex:
    C:\documents and settings\username\local settings\temp

    Open internet Explorer, click Tools>Internet Options then click Delete files and check delete all offline content.

    Next, Delete the following folders:
    C:\PROGRAM FILES\Toolbar
    C:\Program Files\Web_Rebates
    C:\Program Files\Web Offer
    C:\Program Files\couponsandoffers

    and these files (note that some might not be present):
    C:\WINDOWS\ELRYFLS.exe
    C:\WINDOWS\OZNDKHSBI.exe
    C:\WINDOWS\YCJTLR.exe
    C:\WINDOWS\video01.mpeg[1].exe
    C:\WINDOWS\System32\ms.exe

    Now (while still in safe mode) scan with ad-aware and spybot and let them remove everything they find.

    Reboot and then post a new HijackThis log.
     
  3. Big Daddy

    Big Daddy Thread Starter

    Joined:
    Sep 5, 2004
    Messages:
    2
    Seems to have helped quite a bit. I still see two entries in HJT that you mentioned to delete, namely
    1. the O4 Startup video01 entry
    2. and the O2 BHO E... entry (but it says file missing, so it may be ok)

    Also, these two entries look funny to me, no?
    a. O4 - HKLM\..\Run: [HPb] C:\documents and settings\jaa\local settings\temp\HPb.exe
    b. O4 - HKLM\..\Run: [s7Eg35l] C:\WINDOWS\System32\dmoiperf.exe
    Really appreciate your help.



    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\cisvc.exe
    C:\WINDOWS\System32\CTsvcCDA.exe
    C:\WINDOWS\System32\gearsec.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\vnxserv.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\BCMSMMSG.exe
    C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\Program Files\Common Files\Dell\EUSW\Support.exe
    C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\WINDOWS\system32\pcs\pcsvc.exe
    C:\Program Files\Optimum Online\Netsurf.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\PROGRA~1\PANICW~1\POP-UP~2\POPUPS~1.EXE
    C:\Program Files\Digital Line Detect\DLG.exe
    C:\Palm\hotsync.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
    C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
    C:\WINDOWS\System32\HPZipm12.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\Program Files\Hijack This!\hijackthis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://smbusiness.dellnet.com/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://finance.yahoo.com/
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://smbusiness.dellnet.com/
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: Search Help - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - C:\Documents and Settings\Daddy\Local Settings\Temp\GbB.dll (file missing)
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
    O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
    O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
    O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
    O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
    O4 - HKLM\..\Run: [Desksite CMA] C:\Program Files\desksite\bin\cma.exe
    O4 - HKLM\..\Run: [HPb] C:\documents and settings\jaa\local settings\temp\HPb.exe
    O4 - HKLM\..\Run: [s7Eg35l] C:\WINDOWS\System32\dmoiperf.exe
    O4 - HKLM\..\Run: [Pcsv] C:\WINDOWS\system32\pcs\pcsvc.exe
    O4 - HKLM\..\Run: [Optimum Online] C:\Program Files\Optimum Online\Netsurf.exe -tray
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [PopUpStopperProfessional] "C:\PROGRA~1\PANICW~1\POP-UP~2\POPUPS~1.EXE"
    O4 - Startup: video01.mpeg[1].lnk = C:\WINDOWS\video01.mpeg[1].exe
    O4 - Global Startup: Digital Line Detect.lnk = ?
    O4 - Global Startup: HotSync Manager.lnk = C:\Palm\hotsync.exe
    O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: officejet 6100.lnk = ?
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: Yahoo! Poker - http://download.games.yahoo.com/games/clients/y/pt0_x.cab
    O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...pple.com/bonnie/us/win/QuickTimeInstaller.exe
    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://bin.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,84/mcinsctl.cab
    O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://bin.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,21/mcgdmgr.cab
    O16 - DPF: {CEFB7B49-9652-464F-8AFD-A577C0500F39} - http://akamai.downloadv3.com/binaries/P2EClient/EGAUTH_1004a_pack_XP.cab
    O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - http://us.dl1.yimg.com/download.companion.yahoo.com/dl/toolbar/ym/yiebio5_1_6_0.cab
    O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab
     
  4. Nok1

    Nok1

    Joined:
    Feb 15, 2004
    Messages:
    826
    Remove these items (make sure to close all windows besides HJT):

    O2 - BHO: Search Help - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - C:\Documents and Settings\Daddy\Local Settings\Temp\GbB.dll (file missing)
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O4 - HKLM\..\Run: [HPb] C:\documents and settings\jaa\local settings\temp\HPb.exe
    O4 - HKLM\..\Run: [s7Eg35l] C:\WINDOWS\System32\dmoiperf.exe
    O4 - Startup: video01.mpeg[1].lnk = C:\WINDOWS\video01.mpeg[1].exe


    Once again, follow my previous instructions to make sure that all the temp directories are cleaned.

    Delete the following files in safe mode:

    C:\WINDOWS\System32\dmoiperf.exe
    C:\WINDOWS\video01.mpeg[1].exe
    C:\documents and settings\jaa\local settings\temp\HPb.exe

    Pcsv.exe << "Delfin Promulgate - adware based media viewer by The Delfin Project [http://www.delfinproject.com/services.shtml]". You might want to get rid of that; see if you can remove it via Add/Remove Programs.
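The triage the helper performed by hand in both of his replies (pick out the Run/BHO/toolbar/DPF entries that launch from a user's Temp folder, point at a file that no longer exists, register the same program twice, disguise an .exe as a media file, or pull an unnamed ActiveX control) can be scripted against the HijackThis log format shown above. The following is an added example written for this page; it is not code from the thread, from either poster, or from HijackThis itself. The heuristics are the editor's own reading of what the helper removed, and the sample input is a constructed subset of the first log posted in the thread.

```python
"""Triage a HijackThis (HJT) log for the patterns the helper acted on above.

Added example, not code from this thread or from HijackThis. The heuristics
are the editor's own: programs launched from a user's Temp folder, registry
entries whose file is gone, the same program registered twice under Run, a
media-looking filename that is really an .exe, and unnamed O16 DPF downloads.
"""
import re
from collections import defaultdict

# Constructed sample input: a subset of the first log posted in this thread.
SAMPLE_LOG = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {6FDC3A46-B3DB-4A4B-888C-3B3761DB373F} - C:\WINDOWS\System32\a3cd.dll (file missing)
O2 - BHO: Search Help - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - C:\Documents and Settings\Daddy\Local Settings\Temp\IVqaG6Z.dll
O3 - Toolbar: (no name) - {014DA6C9-189F-421a-88CD-07CFE51CFF10} - (no file)
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [o7wyeP] C:\documents and settings\daddy\local settings\temp\o7wyeP.exe
O4 - HKLM\..\Run: [o7wyeP.exe] C:\documents and settings\daddy\local settings\temp\o7wyeP.exe
O4 - HKLM\..\Run: [WebRebates0] "C:\Program Files\Web_Rebates\WebRebates0.exe"
O4 - Startup: video01.mpeg[1].lnk = C:\WINDOWS\video01.mpeg[1].exe
O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\ms.exe (file missing)
O16 - DPF: {1EEC3C99-7AA3-4F6E-B381-AF6942B51618} - http://www.lazychestnuts.net/0015/ph/pup.CAB
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab
"""

# HJT line shape: "<section> - <body>", sections R0..R3 and O1..O23.
ENTRY_RE = re.compile(r"^(?P<kind>R[0-3]|O\d+) - (?P<body>.*)$")
# First Windows path on the line, up to the binary/control extension.
PATH_RE = re.compile(r"[A-Za-z]:\\.*?\.(?:exe|dll|ocx|cab)\b", re.IGNORECASE)
# O4 Run-key entries: "O4 - HKLM\..\Run: [value name] <command>".
RUN_RE = re.compile(r"^O4 - (?P<hive>HK(?:LM|CU))\\\.\.\\Run: \[(?P<name>[^\]]+)\]")
# A media extension (optionally with IE's "[1]" download suffix) ending in .exe.
MEDIA_EXE_RE = re.compile(r"\.(mpe?g|avi|jpe?g|mp3)(\[\d+\])?\.exe$")
# O16 entries that carry only a CLSID and a URL, no control name.
UNNAMED_DPF_RE = re.compile(r"^DPF: \{[^}]+\} - ")


def triage(log_text):
    """Return a list of (line, reason) findings for one HJT log."""
    findings = []
    run_targets = defaultdict(list)  # lowercased path -> Run value names
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue
        kind, body = m.group("kind"), m.group("body")
        path_m = PATH_RE.search(body)
        low = path_m.group(0).lower() if path_m else ""

        if "(file missing)" in body or "(no file)" in body:
            findings.append((line, "orphaned entry: registered file is gone, remove the key"))
        if "\\local settings\\temp\\" in low:
            findings.append((line, "code launched from a user Temp folder"))
        if MEDIA_EXE_RE.search(low):
            findings.append((line, "media-looking filename that is actually an .exe"))
        if kind == "O16" and UNNAMED_DPF_RE.match(body):
            findings.append((line, "unnamed ActiveX download; verify the host before keeping it"))
        rm = RUN_RE.match(line)
        if rm and low:
            run_targets[low].append(rm.group("name"))

    # The log above registers o7wyeP.exe as both [o7wyeP] and [o7wyeP.exe].
    for target, names in run_targets.items():
        if len(names) > 1:
            findings.append((target, "same file registered %d times under Run: %s"
                             % (len(names), ", ".join(names))))
    return findings


def files_to_delete(findings):
    """Paths the helper would list for deletion in safe mode: flagged binaries
    that are still on disk (entries already marked missing only need the key removed)."""
    out = set()
    for line, reason in findings:
        if "(file missing)" in line or "(no file)" in line:
            continue
        if reason.startswith(("code launched", "media-looking", "same file")):
            m = PATH_RE.search(line)
            if m:
                out.add(m.group(0).lower())
    return sorted(out)


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for line, reason in found:
        print("%-62s %s" % (reason, line[:70]))
    print("delete in safe mode:")
    for path in files_to_delete(found):
        print("  " + path)
```

The script only reproduces the judgement calls that were visible in this thread; it will not flag the `Toolbar\toolbar.dll` search hijack or the randomly named executables under `C:\WINDOWS` (ELRYFLS.exe and friends), which the helper identified by experience rather than by any pattern in the line itself, so treat its output as a first pass to be read alongside the full log.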
     
Short URL to this thread: https://techguy.org/270532
