hijack this log...need help


innerd00r (Thread Starter; joined Sep 20, 2003; 3 messages)
Hi all,

Don't know if this is where I should do this, but I don't know where else to post ;)

Can someone help me with this log file? I've got Lycos crap all over my machine. I ran Ad-aware, but I don't think I got it all.

Thank you so much!

Bill Thompson

Logfile of HijackThis v1.97.2
Scan saved at 4:39:47 AM, on 9/20/03
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v5.50 (5.50.4134.0600)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\CREATIVE\SBLIVE\AUDIOHQ\AHQTB.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\POPROXY.EXE
C:\WINDOWS\SYSTEM\IEDRIVER\IEDRIVER.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\UPTODATE.EXE
C:\WINDOWS\SYSTEM\20792788.EXE
C:\PROGRAM FILES\ALSET\HELPEXPRESS\BILLY THOMPSON\HXDL.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\EOYFKM07.EXE
C:\WINDOWS\SYSTEM\ASJJSI.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\OUTLOOK.EXE
E:\UNZIPPED\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.yyep.com/search/search02.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\SYSTEM\sb.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ecolirecords.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://ecolirecords.com/
O2 - BHO: (no name) - {EBCDDA60-2A68-11D3-8A43-0060083CFB9C} - C:\WINDOWS\SYSTEM\NZDD.DLL
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\ACROBAT\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\windows\downloaded program files\googletoolbar_en_2.0.95-deleon.dll
O2 - BHO: NavErrRedir Class - {269B6797-664E-48AA-B283-B012BDF6E525} - C:\PROGRA~1\INCRED~1\BHO\BHO.DLL
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: (no name) - {2bf985c1-84e1-11d7-b157-444553540000} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\downloaded program files\googletoolbar_en_2.0.95-deleon.dll
O3 - Toolbar: (no name) - {2CF0B992-5EEB-4143-99C0-5297EF71F444} - (no file)
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [AudioHQ] C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
O4 - HKLM\..\Run: [Norton eMail Protect] C:\Program Files\Norton AntiVirus\POPROXY.EXE
O4 - HKLM\..\Run: [2W#WRF93K7RWWK] C:\WINDOWS\SYSTEM\GntDkc.exe
O4 - HKLM\..\Run: [IEDriver] C:\WINDOWS\SYSTEM\IEDriver\IEDriver.exe
O4 - HKLM\..\Run: [RunWindowsUpdate] C:\WINDOWS\UPTODATE.EXE
O4 - HKLM\..\Run: [89986819.exe] C:\WINDOWS\System\89986819.exe
O4 - HKLM\..\Run: [Ad-aware] E:\PROGRAM FILES\LAVASOFT\AD-AWARE 6\AD-AWARE.EXE +c
O4 - HKLM\..\Run: [NAV DefAlert] C:\PROGRA~1\NORTON~1\DEFALERT.EXE
O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKCU\..\Run: [HXDL.EXE] C:\Program Files\Alset\HelpExpress\Billy Thompson\HXDL.EXE -from="HXIUL.EXE" -to="HXIUL.EXE"
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: LimeShop Preferences - file://c:\Program Files\topMoxie\TEMP\limeshop_script.htm
O8 - Extra context menu item: Download with GetRight - E:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: Open with GetRight Browser - E:\Program Files\GetRight\GRbrowse.htm
O8 - Extra context menu item: &Google Search - res://C:\WINDOWS\DOWNLOADED PROGRAM FILES\GOOGLETOOLBAR_EN_2.0.95-DELEON.DLL/cmsearch.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\WINDOWS\DOWNLOADED PROGRAM FILES\GOOGLETOOLBAR_EN_2.0.95-DELEON.DLL/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\WINDOWS\DOWNLOADED PROGRAM FILES\GOOGLETOOLBAR_EN_2.0.95-DELEON.DLL/cmsimilar.html
O8 - Extra context menu item: Backward &Links - res://C:\WINDOWS\DOWNLOADED PROGRAM FILES\GOOGLETOOLBAR_EN_2.0.95-DELEON.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate Page - res://C:\WINDOWS\DOWNLOADED PROGRAM FILES\GOOGLETOOLBAR_EN_2.0.95-DELEON.DLL/cmtrans.html
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Turbo Download (HKLM)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O12 - Plugin for .pdf: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
O12 - Plugin for .mid: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .gif: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin3.dll
O12 - Plugin for .mov: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .aiff: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .wav: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37660.2768865741
O16 - DPF: {23B7A816-3647-49D2-9756-6F41CE8F9201} (ddm_download.ddm_control) - http://bins.dynamicdesktopmedia.com/cab/ddm_control.CAB
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = texas.net
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 207.207.0.3,206.127.0.3


StartupList report, 9/20/03, 5:00:54 AM
StartupList version: 1.52
Started from : E:\UNZIPPED\HIJACKTHIS\HIJACKTHIS.EXE
Detected: Windows 98 SE (Win9x 4.10.2222A)
Detected: Internet Explorer v5.50 (5.50.4134.0600)
* Using default options
==================================================

Running processes:

C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\CREATIVE\SBLIVE\AUDIOHQ\AHQTB.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\POPROXY.EXE
C:\WINDOWS\SYSTEM\IEDRIVER\IEDRIVER.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\UPTODATE.EXE
C:\WINDOWS\SYSTEM\20792788.EXE
C:\PROGRAM FILES\ALSET\HELPEXPRESS\BILLY THOMPSON\HXDL.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\EOYFKM07.EXE
C:\WINDOWS\SYSTEM\ASJJSI.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\OUTLOOK.EXE
E:\UNZIPPED\HIJACKTHIS\HIJACKTHIS.EXE

--------------------------------------------------

Listing of startup folders:

Shell folders Startup:
[C:\WINDOWS\Start Menu\Programs\StartUp]
Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

ScanRegistry = C:\WINDOWS\scanregw.exe /autorun
TaskMonitor = C:\WINDOWS\taskmon.exe
SystemTray = SysTray.Exe
LoadPowerProfile = Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
AudioHQ = C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
Norton eMail Protect = C:\Program Files\Norton AntiVirus\POPROXY.EXE
2W#WRF93K7RWWK = C:\WINDOWS\SYSTEM\GntDkc.exe
IEDriver = C:\WINDOWS\SYSTEM\IEDriver\IEDriver.exe
RunWindowsUpdate = C:\WINDOWS\UPTODATE.EXE
89986819.exe = C:\WINDOWS\System\89986819.exe
Ad-aware = E:\PROGRAM FILES\LAVASOFT\AD-AWARE 6\AD-AWARE.EXE +c
NAV DefAlert = C:\PROGRA~1\NORTON~1\DEFALERT.EXE
Norton Auto-Protect = C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

LoadPowerProfile = Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
SchedulingAgent = mstask.exe

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

HXDL.EXE = C:\Program Files\Alset\HelpExpress\Billy Thompson\HXDL.EXE -from="HXIUL.EXE" -to="HXIUL.EXE"

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=Explorer.exe
SCRNSAVE.EXE=
drivers=mmsystem.dll power.drv

--------------------------------------------------

C:\WINDOWS\WININIT.INI listing:
(Created 20/9/2003, 3:52:2)

[Rename]
NUL=c:\program files\media\media\statblaster.dll
NUL=c:\program files\media\media\statblaster.exe
NUL=c:\windows\cookies\billy [email protected][2].txt
NUL=c:\windows\cookies\billy [email protected][3].txt
NUL=c:\windows\cookies\billy [email protected][2].txt
NUL=c:\windows\cookies\billy [email protected]www.eyeblaster-ds[3].txt
NUL=c:\windows\cookies\billy [email protected]www.eyeblaster-bs[1].txt
NUL=c:\windows\cookies\billy [email protected]www.mp3search[1].txt
NUL=c:\windows\cookies\billy [email protected]entrypoint[2].txt
NUL=c:\windows\cookies\billy [email protected]analyst[1].txt
NUL=c:\windows\cookies\billy [email protected]www.eyeblaster-ds[1].txt
NUL=c:\windows\cookies\billy [email protected][4].txt
NUL=c:\windows\cookies\billy [email protected]rtising[1].txt
NUL=c:\windows\cookies\billy [email protected]www.eyeblaster-ds[2].txt
NUL=c:\windows\cookies\billy [email protected][1].txt
NUL=c:\windows\cookies\billy [email protected]entrypoint[1].txt
NUL=c:\windows\cookies\billy [email protected][2].txt
NUL=c:\windows\cookies\billy [email protected][1].txt
NUL=c:\windows\cookies\billy [email protected]www.searchtraffic[1].txt
NUL=c:\windows\cookies\billy [email protected]ag[2].txt
NUL=c:\windows\cookies\billy [email protected][1].txt
NUL=c:\windows\cookies\billy [email protected]rver[1].txt
NUL=c:\windows\cookies\billy [email protected]www.searchtraffic[2].txt
NUL=c:\windows\cookies\billy [email protected][2].txt
NUL=c:\windows\cookies\billy [email protected][1].txt
NUL=c:\windows\cookies\billy [email protected][1].txt
NUL=c:\windows\cookies\billy [email protected][1].txt
NUL=c:\windows\cookies\billy [email protected][2].txt
NUL=c:\windows\cookies\billy [email protected][1].txt
NUL=c:\windows\cookies\billy [email protected]mountain[1].txt
NUL=c:\windows\cookies\billy [email protected]www.paypopup[1].txt
NUL=c:\windows\cookies\billy [email protected][1].txt
NUL=c:\windows\cookies\billy [email protected]ag[1].txt
NUL=c:\windows\cookies\billy [email protected][1].txt
NUL=c:\windows\cookies\billy [email protected][1].txt
NUL=c:\windows\application data\main_01.gif
NUL=c:\windows\temp\shortcuts.txt
NUL=c:\windows\system\stlbdist.xml
NUL=c:\ttil_starblaster.exe
NUL=c:\superbarinstaller_wildmedia.exe
NUL=c:\windows\application data\wdrr.exe
NUL=c:\program files\istsvc\istsvc.exe
NUL=c:\program files\clearsearch\loader.exe

--------------------------------------------------

C:\WINDOWS\WININIT.BAK listing:
(Created 20/9/2003, 2:15:40)

[Rename]
NUL=c:\program files\clocksync\uninst.exe
NUL=c:\program files\save\save.htm
NUL=c:\program files\ddm\ncmyb.dll
NUL=c:\windows\rundll16.dll
NUL=c:\windows\rundll16.exe
NUL=c:\windows\mcgmptjdt.exe
NUL=c:\windows\cookies\billy [email protected]person[4].txt
NUL=c:\windows\cookies\billy [email protected][2].txt
NUL=c:\windows\cookies\billy [email protected][1].txt
NUL=c:\windows\cookies\billy [email protected][5].txt
NUL=c:\windows\cookies\billy [email protected][3].txt
NUL=c:\windows\cookies\billy [email protected][4].txt
NUL=c:\windows\cookies\billy [email protected]ic[2].txt
NUL=c:\windows\cookies\billy [email protected]www.paypopup[1].txt
NUL=c:\windows\cookies\billy [email protected]person[1].txt
NUL=c:\windows\cookies\billy [email protected]www.paypopup[2].txt
NUL=c:\windows\cookies\billy [email protected]ted[2].txt
NUL=c:\windows\cookies\billy [email protected][5].txt
NUL=c:\windows\cookies\billy [email protected][3].txt
NUL=c:\windows\cookies\billy [email protected][2].txt
NUL=c:\windows\cookies\billy [email protected]www.angelfire[1].txt
NUL=c:\windows\cookies\[email protected][1].txt
NUL=c:\windows\cookies\billy [email protected][2].txt
NUL=c:\windows\cookies\billy [email protected][2].txt
NUL=c:\windows\cookies\[email protected][2].txt
NUL=c:\windows\cookies\billy [email protected][1].txt
NUL=c:\windows\cookies\billy [email protected]getrack[1].txt
NUL=c:\windows\cookies\billy [email protected][1].txt
NUL=c:\windows\cookies\billy [email protected][1].txt
NUL=c:\windows\cookies\billy [email protected]person[2].txt
NUL=c:\windows\temporary internet files\content.ie5\03a1idi5\istbar[1].dll
NUL=c:\windows\temporary internet files\content.ie5\m1yzsl67\0006[1].cab
NUL=c:\windows\downloaded program files\istactivex.dll
NUL=c:\windows\application data\ncmyb.dll
NUL=c:\windows\temp\kvlhookwin.dll
NUL=c:\windows\temp\del2292.tmp
NUL=c:\windows\system\bho001.dll
NUL=c:\windows\system\update_com.dll
NUL=c:\windows\system\rsp001.dll
NUL=c:\nlnp071.exe
NUL=c:\program files\clocksync\sync.exe
NUL=c:\program files\save\save.exe
NUL=c:\program files\save\saveuninst.exe
NUL=c:\program files\ddm\msbb.exe
NUL=c:\program files\ddm\fleok\msbb.exe
NUL=c:\windows\rundll16.dll
NUL=c:\windows\ezinstall.exe
NUL=c:\windows\cookies\billy [email protected]racker[2].txt
NUL=c:\windows\cookies\billy [email protected][2].txt
NUL=c:\windows\cookies\billy [email protected]ox[2].txt
NUL=c:\windows\cookies\billy [email protected][2].txt
NUL=c:\windows\cookies\billy [email protected]link[2].txt
NUL=c:\windows\cookies\billy [email protected][11].txt
NUL=c:\windows\cookies\billy [email protected][1].txt
NUL=c:\windows\cookies\billy [email protected]lick[1].txt
NUL=c:\windows\cookies\billy [email protected][2].txt
NUL=c:\windows\cookies\billy [email protected][1].txt
NUL=c:\windows\cookies\billy [email protected]rtising[2].txt
NUL=c:\windows\cookies\billy [email protected][1].txt
NUL=c:\windows\cookies\billy [email protected][1].txt
NUL=c:\windows\cookies\billy [email protected]nction[1].txt
NUL=c:\windows\cookies\billy [email protected][1].txt
NUL=c:\windows\cookies\billy [email protected][2].txt
NUL=c:\windows\cookies\billy [email protected]ificpop[2].txt
NUL=c:\windows\cookies\billy [email protected][1].txt
NUL=c:\windows\cookies\billy [email protected]ox[2].txt
NUL=c:\windows\cookies\billy [email protected][1].txt
NUL=c:\windows\cookies\billy [email protected][1].txt
NUL=c:\windows\cookies\billy [email protected]ox[2].txt
NUL=c:\windows\cookies\billy [email protected][1].txt
NUL=c:\windows\cookies\billy [email protected]rver[1].txt
NUL=c:\windows\system\ezstub.exe
NUL=c:\windows\system\install_all.dll
NUL=c:\windows\system\winstart001.exe
NUL=c:\program files\bargain buddy\bin\bargains.exe
NUL=c:\windows\rundll16.exe
NUL=C:\PROGRA~1\BARGAI~1\BIN\APUC.DLL
NUL=C:\WINDOWS\TEMP\A~NSISU_.EXE
NUL=C:\WINDOWS\TEMP\B~NSISU_.EXE
NUL=C:\WINDOWS\TEMP\B~NSISU_.EXE
NUL=C:\WINDOWS\TEMP\C~NSISU_.EXE
NUL=C:\WINDOWS\TEMP\GLB1A2B.EXE

--------------------------------------------------

C:\AUTOEXEC.BAT listing:

C:\PROGRA~1\NORTON~1\NAVDX.EXE /Startup
SET BLASTER=A220 I7 D1 H5 P330 T6
SET CTSYN=C:\WINDOWS
C:\PROGRA~1\CREATIVE\SBLIVE\DOSDRV\SBEINIT.COM
C:\Csound\Bin;
SFDIR=c:\Csound\Rendered
SET SSDIR=c:\Csound\Samples
SET SADIR=c:\Csound\Analysis

--------------------------------------------------


Enumerating Browser Helper Objects:

(no name) - C:\WINDOWS\SYSTEM\NZDD.DLL - {EBCDDA60-2A68-11D3-8A43-0060083CFB9C}
(no name) - E:\ACROBAT\READER\ACTIVEX\ACROIEHELPER.OCX - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
(no name) - c:\windows\downloaded program files\googletoolbar_en_2.0.95-deleon.dll - {AA58ED58-01DD-4d91-8333-CF10577473F7}
NavErrRedir Class - C:\PROGRA~1\INCRED~1\BHO\BHO.DLL - {269B6797-664E-48AA-B283-B012BDF6E525}

--------------------------------------------------

Enumerating Task Scheduler jobs:

Tune-up Application Start.job
Scan for Viruses.job
Symantec NetDetect.job
Maintenance-Defragment programs.job
Maintenance-ScanDisk.job
Maintenance-Disk cleanup.job

--------------------------------------------------

Enumerating Download Program Files:

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\SYSTEM\MACROMED\FLASH\FLASH.OCX
CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

[Update Class]
InProcServer32 = C:\WINDOWS\SYSTEM\IUCTL.DLL
CODEBASE = http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37660.2768865741

[ddm_download.ddm_control]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\DDM_CONTROL.OCX
CODEBASE = http://bins.dynamicdesktopmedia.com/cab/ddm_control.CAB

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

WebCheck: C:\WINDOWS\SYSTEM\WEBCHECK.DLL

--------------------------------------------------
End of report, 12,374 bytes
Report generated in 0.900 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only
 
Reply (poster joined Oct 9, 2001; 9,396 messages)
Welcome to T.S.G., Bill :)

Run HijackThis again and put a checkmark against these entries. Double check
in case you miss anything, then close all browser and Outlook windows and "fix checked":


R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\SYSTEM\sb.htm
O2 - BHO: (no name) - {EBCDDA60-2A68-11D3-8A43-0060083CFB9C} - C:\WINDOWS\SYSTEM\NZDD.DLL
O2 - BHO: NavErrRedir Class - {269B6797-664E-48AA-B283-B012BDF6E525} - C:\PROGRA~1\INCRED~1\BHO\BHO.DLL
O3 - Toolbar: (no name) - {2bf985c1-84e1-11d7-b157-444553540000} - (no file)
O4 - HKLM\..\Run: [2W#WRF93K7RWWK] C:\WINDOWS\SYSTEM\GntDkc.exe
O4 - HKLM\..\Run: [IEDriver] C:\WINDOWS\SYSTEM\IEDriver\IEDriver.exe
O4 - HKLM\..\Run: [RunWindowsUpdate] C:\WINDOWS\UPTODATE.EXE
O4 - HKLM\..\Run: [89986819.exe] C:\WINDOWS\System\89986819.exe
O4 - HKCU\..\Run: [HXDL.EXE] C:\Program Files\Alset\HelpExpress\Billy Thompson\HXDL.EXE -from="HXIUL.EXE" -to="HXIUL.EXE"
O16 - DPF: {23B7A816-3647-49D2-9756-6F41CE8F9201} (ddm_download.ddm_control) - http://bins.dynamicdesktopmedia.com/cab/ddm_control.CAB


Reboot into safe mode and delete:
C:\WINDOWS\SYSTEM\NZDD.DLL
C:\PROGRA~1\INCRED~1
C:\WINDOWS\SYSTEM\GntDkc.exe
C:\WINDOWS\SYSTEM\IEDriver
C:\WINDOWS\UPTODATE.EXE
C:\WINDOWS\System\89986819.exe


Post a 2nd log to make sure nothing was missed.
;)
 

innerd00r (Thread Starter; joined Sep 20, 2003; 3 messages)
Hi Steve, thank you. Some of the files had slightly different names. I didn't delete them, but I was worried that it was renaming some files to hide from this process. Here's the new log file. Thank you so much for your help!

Bill

Logfile of HijackThis v1.97.2
Scan saved at 11:11:41 AM, on 9/20/03
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v5.50 (5.50.4134.0600)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\CREATIVE\SBLIVE\AUDIOHQ\AHQTB.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\POPROXY.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
C:\WINDOWS\SYSTEM\11938112.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
E:\UNZIPPED\HIJACKTHIS\HIJACKTHIS.EXE
C:\WINDOWS\SYSTEM\QBCJF.EXE
C:\WINDOWS\SYSTEM\QBCJF.EXE
C:\WINDOWS\NOTEPAD.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.yyep.com/search/search02.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ecolirecords.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://ecolirecords.com/
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\ACROBAT\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\windows\downloaded program files\googletoolbar_en_2.0.95-deleon.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\downloaded program files\googletoolbar_en_2.0.95-deleon.dll
O3 - Toolbar: (no name) - {2CF0B992-5EEB-4143-99C0-5297EF71F444} - (no file)
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [AudioHQ] C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
O4 - HKLM\..\Run: [Norton eMail Protect] C:\Program Files\Norton AntiVirus\POPROXY.EXE
O4 - HKLM\..\Run: [Ad-aware] E:\PROGRAM FILES\LAVASOFT\AD-AWARE 6\AD-AWARE.EXE +c
O4 - HKLM\..\Run: [NAV DefAlert] C:\PROGRA~1\NORTON~1\DEFALERT.EXE
O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET
O4 - HKLM\..\Run: [2W#WRF93K7RWWK] C:\WINDOWS\SYSTEM\Mdl7.exe
O4 - HKLM\..\Run: [82429140.exe] C:\WINDOWS\System\82429140.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: LimeShop Preferences - file://c:\Program Files\topMoxie\TEMP\limeshop_script.htm
O8 - Extra context menu item: Download with GetRight - E:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: Open with GetRight Browser - E:\Program Files\GetRight\GRbrowse.htm
O8 - Extra context menu item: &Google Search - res://C:\WINDOWS\DOWNLOADED PROGRAM FILES\GOOGLETOOLBAR_EN_2.0.95-DELEON.DLL/cmsearch.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\WINDOWS\DOWNLOADED PROGRAM FILES\GOOGLETOOLBAR_EN_2.0.95-DELEON.DLL/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\WINDOWS\DOWNLOADED PROGRAM FILES\GOOGLETOOLBAR_EN_2.0.95-DELEON.DLL/cmsimilar.html
O8 - Extra context menu item: Backward &Links - res://C:\WINDOWS\DOWNLOADED PROGRAM FILES\GOOGLETOOLBAR_EN_2.0.95-DELEON.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate Page - res://C:\WINDOWS\DOWNLOADED PROGRAM FILES\GOOGLETOOLBAR_EN_2.0.95-DELEON.DLL/cmtrans.html
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Turbo Download (HKLM)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O12 - Plugin for .pdf: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
O12 - Plugin for .mid: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .gif: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin3.dll
O12 - Plugin for .mov: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .aiff: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .wav: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37660.2768865741
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = texas.net
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 207.207.0.3,206.127.0.3



StartupList report, 9/20/03, 11:14:23 AM
StartupList version: 1.52
Started from : E:\UNZIPPED\HIJACKTHIS\HIJACKTHIS.EXE
Detected: Windows 98 SE (Win9x 4.10.2222A)
Detected: Internet Explorer v5.50 (5.50.4134.0600)
* Using default options
==================================================

Running processes:

C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\CREATIVE\SBLIVE\AUDIOHQ\AHQTB.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\POPROXY.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
C:\WINDOWS\SYSTEM\11938112.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
E:\UNZIPPED\HIJACKTHIS\HIJACKTHIS.EXE
C:\WINDOWS\SYSTEM\QBCJF.EXE
C:\WINDOWS\SYSTEM\QBCJF.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\NOTEPAD.EXE

--------------------------------------------------

Listing of startup folders:

Shell folders Startup:
[C:\WINDOWS\Start Menu\Programs\StartUp]
Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

ScanRegistry = C:\WINDOWS\scanregw.exe /autorun
TaskMonitor = C:\WINDOWS\taskmon.exe
SystemTray = SysTray.Exe
LoadPowerProfile = Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
AudioHQ = C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
Norton eMail Protect = C:\Program Files\Norton AntiVirus\POPROXY.EXE
Ad-aware = E:\PROGRAM FILES\LAVASOFT\AD-AWARE 6\AD-AWARE.EXE +c
NAV DefAlert = C:\PROGRA~1\NORTON~1\DEFALERT.EXE
Norton Auto-Protect = C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET
2W#WRF93K7RWWK = C:\WINDOWS\SYSTEM\Mdl7.exe
82429140.exe = C:\WINDOWS\System\82429140.exe

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

LoadPowerProfile = Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
SchedulingAgent = mstask.exe

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=Explorer.exe
SCRNSAVE.EXE=
drivers=mmsystem.dll power.drv

--------------------------------------------------

C:\WINDOWS\WININIT.BAK listing:
(Created 20/9/2003, 3:52:2)

[Rename]
NUL=c:\program files\media\media\statblaster.dll
NUL=c:\program files\media\media\statblaster.exe
NUL=c:\windows\cookies\billy [email protected][2].txt
NUL=c:\windows\cookies\billy [email protected][3].txt
NUL=c:\windows\cookies\billy [email protected][2].txt
NUL=c:\windows\cookies\billy [email protected]www.eyeblaster-ds[3].txt
NUL=c:\windows\cookies\billy [email protected]www.eyeblaster-bs[1].txt
NUL=c:\windows\cookies\billy [email protected]www.mp3search[1].txt
NUL=c:\windows\cookies\billy [email protected]entrypoint[2].txt
NUL=c:\windows\cookies\billy [email protected]analyst[1].txt
NUL=c:\windows\cookies\billy [email protected]www.eyeblaster-ds[1].txt
NUL=c:\windows\cookies\billy [email protected][4].txt
NUL=c:\windows\cookies\billy [email protected]rtising[1].txt
NUL=c:\windows\cookies\billy [email protected]www.eyeblaster-ds[2].txt
NUL=c:\windows\cookies\billy [email protected][1].txt
NUL=c:\windows\cookies\billy [email protected]entrypoint[1].txt
NUL=c:\windows\cookies\billy [email protected][2].txt
NUL=c:\windows\cookies\billy [email protected][1].txt
NUL=c:\windows\cookies\billy [email protected]www.searchtraffic[1].txt
NUL=c:\windows\cookies\billy [email protected]ag[2].txt
NUL=c:\windows\cookies\billy [email protected][1].txt
NUL=c:\windows\cookies\billy [email protected]rver[1].txt
NUL=c:\windows\cookies\billy [email protected]www.searchtraffic[2].txt
NUL=c:\windows\cookies\billy [email protected][2].txt
NUL=c:\windows\cookies\billy [email protected][1].txt
NUL=c:\windows\cookies\billy [email protected][1].txt
NUL=c:\windows\cookies\billy [email protected][1].txt
NUL=c:\windows\cookies\billy [email protected][2].txt
NUL=c:\windows\cookies\billy [email protected][1].txt
NUL=c:\windows\cookies\billy [email protected]mountain[1].txt
NUL=c:\windows\cookies\billy [email protected]www.paypopup[1].txt
NUL=c:\windows\cookies\billy [email protected][1].txt
NUL=c:\windows\cookies\billy [email protected]ag[1].txt
NUL=c:\windows\cookies\billy [email protected][1].txt
NUL=c:\windows\cookies\billy [email protected][1].txt
NUL=c:\windows\application data\main_01.gif
NUL=c:\windows\temp\shortcuts.txt
NUL=c:\windows\system\stlbdist.xml
NUL=c:\ttil_starblaster.exe
NUL=c:\superbarinstaller_wildmedia.exe
NUL=c:\windows\application data\wdrr.exe
NUL=c:\program files\istsvc\istsvc.exe
NUL=c:\program files\clearsearch\loader.exe

--------------------------------------------------

C:\AUTOEXEC.BAT listing:

C:\PROGRA~1\NORTON~1\NAVDX.EXE /Startup
SET BLASTER=A220 I7 D1 H5 P330 T6
SET CTSYN=C:\WINDOWS
C:\PROGRA~1\CREATIVE\SBLIVE\DOSDRV\SBEINIT.COM
C:\Csound\Bin;
SFDIR=c:\Csound\Rendered
SET SSDIR=c:\Csound\Samples
SET SADIR=c:\Csound\Analysis

--------------------------------------------------


Enumerating Browser Helper Objects:

(no name) - E:\ACROBAT\READER\ACTIVEX\ACROIEHELPER.OCX - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
(no name) - c:\windows\downloaded program files\googletoolbar_en_2.0.95-deleon.dll - {AA58ED58-01DD-4d91-8333-CF10577473F7}

--------------------------------------------------

Enumerating Task Scheduler jobs:

Tune-up Application Start.job
Scan for Viruses.job
Symantec NetDetect.job
Maintenance-Defragment programs.job
Maintenance-ScanDisk.job
Maintenance-Disk cleanup.job

--------------------------------------------------

Enumerating Download Program Files:

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\SYSTEM\MACROMED\FLASH\FLASH.OCX
CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

[Update Class]
InProcServer32 = C:\WINDOWS\SYSTEM\IUCTL.DLL
CODEBASE = http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37660.2768865741

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

WebCheck: C:\WINDOWS\SYSTEM\WEBCHECK.DLL

--------------------------------------------------
End of report, 7,071 bytes
Report generated in 0.305 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only
 
Reply (poster joined Oct 9, 2001; 9,396 messages)

Run H/T in safe mode. Make a note of where these (the items in red only) are and "fix" from there.

O4 - HKLM\..\Run: [Ad-aware] E:\PROGRAM FILES\LAVASOFT\AD-AWARE 6\AD-AWARE.EXE +c
O4 - HKLM\..\Run: [NAV DefAlert] C:\PROGRA~1\NORTON~1\DEFALERT.EXE
O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET
O4 - HKLM\..\Run: [2W#WRF93K7RWWK] C:\WINDOWS\SYSTEM\Mdl7.exe
O4 - HKLM\..\Run: [82429140.exe] C:\WINDOWS\System\82429140.exe

O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme

Just the 2 red entries.
And before you delete them, can you send me a zipped copy of each one please for analysis: [email protected]

Thanks.


let us know how it goes
;)
 

innerd00r

Thread Starter
Joined
Sep 20, 2003
Messages
3
Hey Steve,

thanx again. i think it worked but those files had changed names again...here's what i 'fixed':
O4 - HKLM\..\Run: [2W#WRF93K7RWWK] C:\WINDOWS\SYSTEM\Vryu.exe
O4 - HKLM\..\Run: [24413698.exe] C:\WINDOWS\System\24413698.exe

weird thing is that in looking in w. explorer, all those other ones i should have fixed in h/t but that the names kept changing are in there:
18111819.exe, 24413698.exe, 33668154.exe (all 36kb, all on 09/15)...and of course these are there too: mdl7.exe, vryu.exe, and zyv5.exe...

so i'll send copies in zip files...and then i should delete them? as in w.explorer, just go in and delete? or in h/t? thanx! you guys are life savers...

bill
ps..new h/t printout is below to be sure.
pss...yes, i used limewire about 2 years ago but uninstalled it because i had dial up and it was too slow...but had exactly that problem your link pointed to...

Logfile of HijackThis v1.97.2
Scan saved at 11:38:27 AM, on 9/21/03
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v5.50 (5.50.4134.0600)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\CREATIVE\SBLIVE\AUDIOHQ\AHQTB.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\POPROXY.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\OUTLOOK.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
E:\UNZIPPED\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.yyep.com/search/search02.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ecolirecords.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://ecolirecords.com/
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\ACROBAT\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\windows\downloaded program files\googletoolbar_en_2.0.95-deleon.dll
O3 - Toolbar: @msdxmLC.dll,[email protected],&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\downloaded program files\googletoolbar_en_2.0.95-deleon.dll
O3 - Toolbar: (no name) - {2CF0B992-5EEB-4143-99C0-5297EF71F444} - (no file)
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [AudioHQ] C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
O4 - HKLM\..\Run: [Norton eMail Protect] C:\Program Files\Norton AntiVirus\POPROXY.EXE
O4 - HKLM\..\Run: [Ad-aware] E:\PROGRAM FILES\LAVASOFT\AD-AWARE 6\AD-AWARE.EXE +c
O4 - HKLM\..\Run: [NAV DefAlert] C:\PROGRA~1\NORTON~1\DEFALERT.EXE
O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: LimeShop Preferences - file://c:\Program Files\topMoxie\TEMP\limeshop_script.htm
O8 - Extra context menu item: Download with GetRight - E:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: Open with GetRight Browser - E:\Program Files\GetRight\GRbrowse.htm
O8 - Extra context menu item: &Google Search - res://C:\WINDOWS\DOWNLOADED PROGRAM FILES\GOOGLETOOLBAR_EN_2.0.95-DELEON.DLL/cmsearch.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\WINDOWS\DOWNLOADED PROGRAM FILES\GOOGLETOOLBAR_EN_2.0.95-DELEON.DLL/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\WINDOWS\DOWNLOADED PROGRAM FILES\GOOGLETOOLBAR_EN_2.0.95-DELEON.DLL/cmsimilar.html
O8 - Extra context menu item: Backward &Links - res://C:\WINDOWS\DOWNLOADED PROGRAM FILES\GOOGLETOOLBAR_EN_2.0.95-DELEON.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate Page - res://C:\WINDOWS\DOWNLOADED PROGRAM FILES\GOOGLETOOLBAR_EN_2.0.95-DELEON.DLL/cmtrans.html
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Turbo Download (HKLM)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O12 - Plugin for .pdf: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
O12 - Plugin for .mid: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .gif: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin3.dll
O12 - Plugin for .mov: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .aiff: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .wav: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37660.2768865741
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = texas.net
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 207.207.0.3,206.127.0.3
 
Joined
Oct 9, 2001
Messages
9,396
just fix these bill.
O3 - Toolbar: (no name) - {2CF0B992-5EEB-4143-99C0-5297EF71F444} - (no file)
O8 - Extra context menu item: LimeShop Preferences - file://c:\Program Files\topMoxie\TEMP\limeshop_script.htm


and this is what was in the files you sent me.


Current object: winmail.dat


Current object: winmail.dat

winmail.dat/ Archive: ZIP
winmail.dat//Mdl7.exe Infected: TrojanDownloader.Win32.VB.q
winmail.dat//24413698.exe Infected: Trojan.Win32.StartPade.ae
winmail.dat//33668154.exe Infected: Trojan.Win32.StartPade.ae
winmail.dat//84492129.exe Infected: Trojan.Win32.StartPade.ae
winmail.dat//18111819.exe Infected: Trojan.Win32.StartPade.ae
winmail.dat//Vryu.exe Infected: TrojanDownloader.Win32.VB.q
winmail.dat//Zyv5.exe Infected: TrojanDownloader.Win32.VB.q
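Two things in this exchange can be checked mechanically rather than by eye: Steve's picking out of the O4 entries to fix (unreadable value names, all-digit filenames, four-character names in the system folder) and Bill's observation that the same run entry keeps pointing at a renamed file from one scan to the next. The Python below is an added example, not HijackThis code and not from either poster: it parses O4 lines, reports which naming indicators each entry trips, and diffs two logs to find value names whose target changed. The indicators and both sample logs are constructed from the entries quoted in this thread and are assumptions chosen to match them, not a general malware signature.

```python
"""Triage of HijackThis O4 (autostart) lines for the naming patterns in this thread.

Added example; not part of HijackThis or of the posts above. The indicators
are assumptions modelled on the quoted entries, not a general signature.
"""
import re
from dataclasses import dataclass

# "O4 - <hive>: [<value name>] <command line>"
O4_RE = re.compile(r"^O4 - (?P<hive>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# Shortest prefix of the command ending in an executable extension and followed
# by whitespace or end of line, so paths containing spaces survive intact.
PATH_RE = re.compile(r"^(?P<path>.*?\.(?:exe|dll|com|scr|pif|bat))(?=\s|$)", re.IGNORECASE)

# Constructed sample logs modelled on the O4 lines quoted in the thread.
FIRST_LOG = r"""
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET
O4 - HKLM\..\Run: [2W#WRF93K7RWWK] C:\WINDOWS\SYSTEM\Mdl7.exe
O4 - HKLM\..\Run: [82429140.exe] C:\WINDOWS\System\82429140.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
"""
SECOND_LOG = r"""
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET
O4 - HKLM\..\Run: [2W#WRF93K7RWWK] C:\WINDOWS\SYSTEM\Vryu.exe
O4 - HKLM\..\Run: [24413698.exe] C:\WINDOWS\System\24413698.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
"""


@dataclass(frozen=True)
class Entry:
    hive: str   # e.g. HKLM\..\Run
    name: str   # registry value name shown in [brackets]
    cmd: str    # command line the value holds

    @property
    def path(self) -> str:
        m = PATH_RE.match(self.cmd)
        if m:
            return m.group("path")
        parts = self.cmd.split()
        return parts[0] if parts else ""

    @property
    def directory(self) -> str:
        head, sep, _ = self.path.rpartition("\\")
        return head.upper() if sep else ""

    @property
    def filename(self) -> str:
        return self.path.rpartition("\\")[2]

    @property
    def stem(self) -> str:
        return self.filename.rpartition(".")[0] or self.filename


def parse_o4(log_text: str) -> list[Entry]:
    """Extract the O4 entries from a HijackThis log; other lines are ignored."""
    out = []
    for line in log_text.splitlines():
        m = O4_RE.match(line.strip())
        if m:
            out.append(Entry(m["hive"], m["name"], m["cmd"]))
    return out


def indicators(e: Entry) -> list[str]:
    """Naming indicators an entry trips (assumed heuristics; empty = nothing odd)."""
    hits = []
    if re.fullmatch(r"\d{6,}", e.stem):
        hits.append("all-digit filename")
    if e.name.lower() == e.filename.lower():
        hits.append("value name is just the filename")
    if re.fullmatch(r"[A-Z0-9#]{10,}", e.name):
        hits.append("random-looking value name")
    if len(e.stem) <= 4 and e.directory.endswith("\\WINDOWS\\SYSTEM"):
        hits.append("short unfamiliar name in system folder")
    return hits


def suspicious(entries: list[Entry]) -> list[tuple[Entry, list[str]]]:
    """Entries worth a closer look, each paired with the indicators it tripped."""
    return [(e, indicators(e)) for e in entries if indicators(e)]


def renamed_targets(old: list[Entry], new: list[Entry]) -> list[tuple[Entry, Entry]]:
    """Same value name in both logs but a different command: the 'changed
    names again' pattern Bill describes."""
    prev = {e.name: e for e in old}
    return [(prev[e.name], e) for e in new
            if e.name in prev and prev[e.name].cmd.lower() != e.cmd.lower()]


if __name__ == "__main__":
    first, second = parse_o4(FIRST_LOG), parse_o4(SECOND_LOG)
    for e, hits in suspicious(second):
        print(f"[{e.name}] {e.path}: {', '.join(hits)}")
    for a, b in renamed_targets(first, second):
        print(f"[{a.name}] now runs {b.filename} (was {a.filename})")
```

Run against the two constructed logs, the report flags only the two entries Steve pointed at in each scan and shows that the 2W#WRF93K7RWWK value survived the first fix with a new target, which is the cue to look at the on-disk copies (and what dropped them) rather than only the registry value.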