
hijack this log...need help

Discussion in 'Virus & Other Malware Removal' started by innerd00r, Sep 20, 2003.

  1. innerd00r

    innerd00r Thread Starter

    Hi all,

    Don't know if this is where I should do this, but I don't know where else to post ;)

    Can someone help me with this log file... I've got Lycos crap all over my machine... ran Ad-aware, but don't think I got it all.

    Thank you so much!

    bill thompson

    Logfile of HijackThis v1.97.2
    Scan saved at 4:39:47 AM, on 9/20/03
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v5.50 (5.50.4134.0600)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\SYSTEM\RNAAPP.EXE
    C:\WINDOWS\SYSTEM\TAPISRV.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\PROGRAM FILES\CREATIVE\SBLIVE\AUDIOHQ\AHQTB.EXE
    C:\PROGRAM FILES\NORTON ANTIVIRUS\POPROXY.EXE
    C:\WINDOWS\SYSTEM\IEDRIVER\IEDRIVER.EXE
    C:\WINDOWS\RUNDLL32.EXE
    C:\WINDOWS\UPTODATE.EXE
    C:\WINDOWS\SYSTEM\20792788.EXE
    C:\PROGRAM FILES\ALSET\HELPEXPRESS\BILLY THOMPSON\HXDL.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\WINDOWS\SYSTEM\EOYFKM07.EXE
    C:\WINDOWS\SYSTEM\ASJJSI.EXE
    C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
    C:\WINDOWS\SYSTEM\PSTORES.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\WINDOWS\SYSTEM\RPCSS.EXE
    C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
    C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\OUTLOOK.EXE
    E:\UNZIPPED\HIJACKTHIS\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.yyep.com/search/search02.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\SYSTEM\sb.htm
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ecolirecords.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://ecolirecords.com/
    O2 - BHO: (no name) - {EBCDDA60-2A68-11D3-8A43-0060083CFB9C} - C:\WINDOWS\SYSTEM\NZDD.DLL
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\ACROBAT\READER\ACTIVEX\ACROIEHELPER.OCX
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\windows\downloaded program files\googletoolbar_en_2.0.95-deleon.dll
    O2 - BHO: NavErrRedir Class - {269B6797-664E-48AA-B283-B012BDF6E525} - C:\PROGRA~1\INCRED~1\BHO\BHO.DLL
    O3 - Toolbar: @msdxmLC.dll,-1@1,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O3 - Toolbar: (no name) - {2bf985c1-84e1-11d7-b157-444553540000} - (no file)
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\downloaded program files\googletoolbar_en_2.0.95-deleon.dll
    O3 - Toolbar: (no name) - {2CF0B992-5EEB-4143-99C0-5297EF71F444} - (no file)
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [AudioHQ] C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
    O4 - HKLM\..\Run: [Norton eMail Protect] C:\Program Files\Norton AntiVirus\POPROXY.EXE
    O4 - HKLM\..\Run: [2W#WRF93K7RWWK] C:\WINDOWS\SYSTEM\GntDkc.exe
    O4 - HKLM\..\Run: [IEDriver] C:\WINDOWS\SYSTEM\IEDriver\IEDriver.exe
    O4 - HKLM\..\Run: [RunWindowsUpdate] C:\WINDOWS\UPTODATE.EXE
    O4 - HKLM\..\Run: [89986819.exe] C:\WINDOWS\System\89986819.exe
    O4 - HKLM\..\Run: [Ad-aware] E:\PROGRAM FILES\LAVASOFT\AD-AWARE 6\AD-AWARE.EXE +c
    O4 - HKLM\..\Run: [NAV DefAlert] C:\PROGRA~1\NORTON~1\DEFALERT.EXE
    O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKCU\..\Run: [HXDL.EXE] C:\Program Files\Alset\HelpExpress\Billy Thompson\HXDL.EXE -from="HXIUL.EXE" -to="HXIUL.EXE"
    O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O8 - Extra context menu item: LimeShop Preferences - file://c:\Program Files\topMoxie\TEMP\limeshop_script.htm
    O8 - Extra context menu item: Download with GetRight - E:\Program Files\GetRight\GRdownload.htm
    O8 - Extra context menu item: Open with GetRight Browser - E:\Program Files\GetRight\GRbrowse.htm
    O8 - Extra context menu item: &Google Search - res://C:\WINDOWS\DOWNLOADED PROGRAM FILES\GOOGLETOOLBAR_EN_2.0.95-DELEON.DLL/cmsearch.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\WINDOWS\DOWNLOADED PROGRAM FILES\GOOGLETOOLBAR_EN_2.0.95-DELEON.DLL/cmcache.html
    O8 - Extra context menu item: Si&milar Pages - res://C:\WINDOWS\DOWNLOADED PROGRAM FILES\GOOGLETOOLBAR_EN_2.0.95-DELEON.DLL/cmsimilar.html
    O8 - Extra context menu item: Backward &Links - res://C:\WINDOWS\DOWNLOADED PROGRAM FILES\GOOGLETOOLBAR_EN_2.0.95-DELEON.DLL/cmbacklinks.html
    O8 - Extra context menu item: Translate Page - res://C:\WINDOWS\DOWNLOADED PROGRAM FILES\GOOGLETOOLBAR_EN_2.0.95-DELEON.DLL/cmtrans.html
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Turbo Download (HKLM)
    O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
    O12 - Plugin for .pdf: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
    O12 - Plugin for .mid: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
    O12 - Plugin for .gif: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin3.dll
    O12 - Plugin for .mov: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
    O12 - Plugin for .aiff: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
    O12 - Plugin for .wav: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37660.2768865741
    O16 - DPF: {23B7A816-3647-49D2-9756-6F41CE8F9201} (ddm_download.ddm_control) - http://bins.dynamicdesktopmedia.com/cab/ddm_control.CAB
    O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = texas.net
    O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 207.207.0.3,206.127.0.3


    StartupList report, 9/20/03, 5:00:54 AM
    StartupList version: 1.52
    Started from : E:\UNZIPPED\HIJACKTHIS\HIJACKTHIS.EXE
    Detected: Windows 98 SE (Win9x 4.10.2222A)
    Detected: Internet Explorer v5.50 (5.50.4134.0600)
    * Using default options
    ==================================================

    Running processes:

    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\SYSTEM\RNAAPP.EXE
    C:\WINDOWS\SYSTEM\TAPISRV.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\PROGRAM FILES\CREATIVE\SBLIVE\AUDIOHQ\AHQTB.EXE
    C:\PROGRAM FILES\NORTON ANTIVIRUS\POPROXY.EXE
    C:\WINDOWS\SYSTEM\IEDRIVER\IEDRIVER.EXE
    C:\WINDOWS\RUNDLL32.EXE
    C:\WINDOWS\UPTODATE.EXE
    C:\WINDOWS\SYSTEM\20792788.EXE
    C:\PROGRAM FILES\ALSET\HELPEXPRESS\BILLY THOMPSON\HXDL.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\WINDOWS\SYSTEM\EOYFKM07.EXE
    C:\WINDOWS\SYSTEM\ASJJSI.EXE
    C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
    C:\WINDOWS\SYSTEM\PSTORES.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\WINDOWS\SYSTEM\RPCSS.EXE
    C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
    C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
    C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\OUTLOOK.EXE
    E:\UNZIPPED\HIJACKTHIS\HIJACKTHIS.EXE

    --------------------------------------------------

    Listing of startup folders:

    Shell folders Startup:
    [C:\WINDOWS\Start Menu\Programs\StartUp]
    Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run

    ScanRegistry = C:\WINDOWS\scanregw.exe /autorun
    TaskMonitor = C:\WINDOWS\taskmon.exe
    SystemTray = SysTray.Exe
    LoadPowerProfile = Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    AudioHQ = C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
    Norton eMail Protect = C:\Program Files\Norton AntiVirus\POPROXY.EXE
    2W#WRF93K7RWWK = C:\WINDOWS\SYSTEM\GntDkc.exe
    IEDriver = C:\WINDOWS\SYSTEM\IEDriver\IEDriver.exe
    RunWindowsUpdate = C:\WINDOWS\UPTODATE.EXE
    89986819.exe = C:\WINDOWS\System\89986819.exe
    Ad-aware = E:\PROGRAM FILES\LAVASOFT\AD-AWARE 6\AD-AWARE.EXE +c
    NAV DefAlert = C:\PROGRA~1\NORTON~1\DEFALERT.EXE
    Norton Auto-Protect = C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

    LoadPowerProfile = Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    SchedulingAgent = mstask.exe

    --------------------------------------------------

    Autorun entries from Registry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run

    HXDL.EXE = C:\Program Files\Alset\HelpExpress\Billy Thompson\HXDL.EXE -from="HXIUL.EXE" -to="HXIUL.EXE"

    --------------------------------------------------

    Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

    Shell=Explorer.exe
    SCRNSAVE.EXE=
    drivers=mmsystem.dll power.drv

    --------------------------------------------------

    C:\WINDOWS\WININIT.INI listing:
    (Created 20/9/2003, 3:52:2)

    [Rename]
    NUL=c:\program files\media\media\statblaster.dll
    NUL=c:\program files\media\media\statblaster.exe
    NUL=c:\windows\application data\main_01.gif
    NUL=c:\windows\temp\shortcuts.txt
    NUL=c:\windows\system\stlbdist.xml
    NUL=c:\ttil_starblaster.exe
    NUL=c:\superbarinstaller_wildmedia.exe
    NUL=c:\windows\application data\wdrr.exe
    NUL=c:\program files\istsvc\istsvc.exe
    NUL=c:\program files\clearsearch\loader.exe

    --------------------------------------------------

    C:\WINDOWS\WININIT.BAK listing:
    (Created 20/9/2003, 2:15:40)

    [Rename]
    NUL=c:\program files\clocksync\uninst.exe
    NUL=c:\program files\save\save.htm
    NUL=c:\program files\ddm\ncmyb.dll
    NUL=c:\windows\rundll16.dll
    NUL=c:\windows\rundll16.exe
    NUL=c:\windows\mcgmptjdt.exe
    NUL=c:\windows\temporary internet files\content.ie5\03a1idi5\istbar[1].dll
    NUL=c:\windows\temporary internet files\content.ie5\m1yzsl67\0006[1].cab
    NUL=c:\windows\downloaded program files\istactivex.dll
    NUL=c:\windows\application data\ncmyb.dll
    NUL=c:\windows\temp\kvlhookwin.dll
    NUL=c:\windows\temp\del2292.tmp
    NUL=c:\windows\system\bho001.dll
    NUL=c:\windows\system\update_com.dll
    NUL=c:\windows\system\rsp001.dll
    NUL=c:\nlnp071.exe
    NUL=c:\program files\clocksync\sync.exe
    NUL=c:\program files\save\save.exe
    NUL=c:\program files\save\saveuninst.exe
    NUL=c:\program files\ddm\msbb.exe
    NUL=c:\program files\ddm\fleok\msbb.exe
    NUL=c:\windows\rundll16.dll
    NUL=c:\windows\ezinstall.exe
    NUL=c:\windows\system\ezstub.exe
    NUL=c:\windows\system\install_all.dll
    NUL=c:\windows\system\winstart001.exe
    NUL=c:\program files\bargain buddy\bin\bargains.exe
    NUL=c:\windows\rundll16.exe
    NUL=C:\PROGRA~1\BARGAI~1\BIN\APUC.DLL
    NUL=C:\WINDOWS\TEMP\A~NSISU_.EXE
    NUL=C:\WINDOWS\TEMP\B~NSISU_.EXE
    NUL=C:\WINDOWS\TEMP\B~NSISU_.EXE
    NUL=C:\WINDOWS\TEMP\C~NSISU_.EXE
    NUL=C:\WINDOWS\TEMP\GLB1A2B.EXE

    --------------------------------------------------

    C:\AUTOEXEC.BAT listing:

    C:\PROGRA~1\NORTON~1\NAVDX.EXE /Startup
    SET BLASTER=A220 I7 D1 H5 P330 T6
    SET CTSYN=C:\WINDOWS
    C:\PROGRA~1\CREATIVE\SBLIVE\DOSDRV\SBEINIT.COM
    C:\Csound\Bin;
    SFDIR=c:\Csound\Rendered
    SET SSDIR=c:\Csound\Samples
    SET SADIR=c:\Csound\Analysis

    --------------------------------------------------


    Enumerating Browser Helper Objects:

    (no name) - C:\WINDOWS\SYSTEM\NZDD.DLL - {EBCDDA60-2A68-11D3-8A43-0060083CFB9C}
    (no name) - E:\ACROBAT\READER\ACTIVEX\ACROIEHELPER.OCX - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
    (no name) - c:\windows\downloaded program files\googletoolbar_en_2.0.95-deleon.dll - {AA58ED58-01DD-4d91-8333-CF10577473F7}
    NavErrRedir Class - C:\PROGRA~1\INCRED~1\BHO\BHO.DLL - {269B6797-664E-48AA-B283-B012BDF6E525}

    --------------------------------------------------

    Enumerating Task Scheduler jobs:

    Tune-up Application Start.job
    Scan for Viruses.job
    Symantec NetDetect.job
    Maintenance-Defragment programs.job
    Maintenance-ScanDisk.job
    Maintenance-Disk cleanup.job

    --------------------------------------------------

    Enumerating Download Program Files:

    [Shockwave Flash Object]
    InProcServer32 = C:\WINDOWS\SYSTEM\MACROMED\FLASH\FLASH.OCX
    CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

    [Update Class]
    InProcServer32 = C:\WINDOWS\SYSTEM\IUCTL.DLL
    CODEBASE = http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37660.2768865741

    [ddm_download.ddm_control]
    InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\DDM_CONTROL.OCX
    CODEBASE = http://bins.dynamicdesktopmedia.com/cab/ddm_control.CAB

    --------------------------------------------------

    Enumerating ShellServiceObjectDelayLoad items:

    WebCheck: C:\WINDOWS\SYSTEM\WEBCHECK.DLL

    --------------------------------------------------
    End of report, 12,374 bytes
    Report generated in 0.900 seconds

    Command line options:
    /verbose - to add additional info on each section
    /complete - to include empty sections and unsuspicious data
    /full - to include several rarely-important sections
    /force9x - to include Win9x-only startups even if running on WinNT
    /forcent - to include WinNT-only startups even if running on Win9x
    /forceall - to include all Win9x and WinNT startups, regardless of platform
    /history - to list version history only
     
  2. $teve

    $teve

    Welcome to T.S.G., Bill :)

    Run HijackThis again and put a checkmark against these entries... double check
    in case you miss anything
    ... then close all browser and Outlook windows and "fix checked":

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\SYSTEM\sb.htm
    O2 - BHO: (no name) - {EBCDDA60-2A68-11D3-8A43-0060083CFB9C} - C:\WINDOWS\SYSTEM\NZDD.DLL
    O2 - BHO: NavErrRedir Class - {269B6797-664E-48AA-B283-B012BDF6E525} - C:\PROGRA~1\INCRED~1\BHO\BHO.DLL
    O3 - Toolbar: (no name) - {2bf985c1-84e1-11d7-b157-444553540000} - (no file)
    O4 - HKLM\..\Run: [2W#WRF93K7RWWK] C:\WINDOWS\SYSTEM\GntDkc.exe
    O4 - HKLM\..\Run: [IEDriver] C:\WINDOWS\SYSTEM\IEDriver\IEDriver.exe

    O4 - HKLM\..\Run: [RunWindowsUpdate] C:\WINDOWS\UPTODATE.EXE
    O4 - HKLM\..\Run: [89986819.exe] C:\WINDOWS\System\89986819.exe
    O4 - HKCU\..\Run: [HXDL.EXE] C:\Program Files\Alset\HelpExpress\Billy Thompson\HXDL.EXE -from="HXIUL.EXE" -to="HXIUL.EXE"
    O16 - DPF: {23B7A816-3647-49D2-9756-6F41CE8F9201} (ddm_download.ddm_control) - http://bins.dynamicdesktopmedia.com/cab/ddm_control.CAB


    Reboot into safe mode and delete:
    C:\WINDOWS\SYSTEM\NZDD.DLL
    C:\PROGRA~1\INCRED~1
    C:\WINDOWS\SYSTEM\GntDkc.exe
    C:\WINDOWS\SYSTEM\IEDrive
    C:\WINDOWS\UPTODATE.EXE
    C:\WINDOWS\System\89986819.exe


    Post a 2nd log to make sure nothing was missed.
    ;)
     
  3. innerd00r

    innerd00r Thread Starter

    Hi Steve... thank you. Some of the files had slightly different names... I didn't delete them, but was worried that it was renaming some files to hide from this process... here's the new log file. Thank you so much for your help!

    Bill

    Logfile of HijackThis v1.97.2
    Scan saved at 11:11:41 AM, on 9/20/03
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v5.50 (5.50.4134.0600)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\SYSTEM\RNAAPP.EXE
    C:\WINDOWS\SYSTEM\TAPISRV.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\PROGRAM FILES\CREATIVE\SBLIVE\AUDIOHQ\AHQTB.EXE
    C:\PROGRAM FILES\NORTON ANTIVIRUS\POPROXY.EXE
    C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
    C:\WINDOWS\SYSTEM\11938112.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    E:\UNZIPPED\HIJACKTHIS\HIJACKTHIS.EXE
    C:\WINDOWS\SYSTEM\QBCJF.EXE
    C:\WINDOWS\SYSTEM\QBCJF.EXE
    C:\WINDOWS\NOTEPAD.EXE
    C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.yyep.com/search/search02.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ecolirecords.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://ecolirecords.com/
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\ACROBAT\READER\ACTIVEX\ACROIEHELPER.OCX
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\windows\downloaded program files\googletoolbar_en_2.0.95-deleon.dll
    O3 - Toolbar: @msdxmLC.dll,-1@1,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\downloaded program files\googletoolbar_en_2.0.95-deleon.dll
    O3 - Toolbar: (no name) - {2CF0B992-5EEB-4143-99C0-5297EF71F444} - (no file)
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [AudioHQ] C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
    O4 - HKLM\..\Run: [Norton eMail Protect] C:\Program Files\Norton AntiVirus\POPROXY.EXE
    O4 - HKLM\..\Run: [Ad-aware] E:\PROGRAM FILES\LAVASOFT\AD-AWARE 6\AD-AWARE.EXE +c
    O4 - HKLM\..\Run: [NAV DefAlert] C:\PROGRA~1\NORTON~1\DEFALERT.EXE
    O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET
    O4 - HKLM\..\Run: [2W#WRF93K7RWWK] C:\WINDOWS\SYSTEM\Mdl7.exe
    O4 - HKLM\..\Run: [82429140.exe] C:\WINDOWS\System\82429140.exe
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O8 - Extra context menu item: LimeShop Preferences - file://c:\Program Files\topMoxie\TEMP\limeshop_script.htm
    O8 - Extra context menu item: Download with GetRight - E:\Program Files\GetRight\GRdownload.htm
    O8 - Extra context menu item: Open with GetRight Browser - E:\Program Files\GetRight\GRbrowse.htm
    O8 - Extra context menu item: &Google Search - res://C:\WINDOWS\DOWNLOADED PROGRAM FILES\GOOGLETOOLBAR_EN_2.0.95-DELEON.DLL/cmsearch.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\WINDOWS\DOWNLOADED PROGRAM FILES\GOOGLETOOLBAR_EN_2.0.95-DELEON.DLL/cmcache.html
    O8 - Extra context menu item: Si&milar Pages - res://C:\WINDOWS\DOWNLOADED PROGRAM FILES\GOOGLETOOLBAR_EN_2.0.95-DELEON.DLL/cmsimilar.html
    O8 - Extra context menu item: Backward &Links - res://C:\WINDOWS\DOWNLOADED PROGRAM FILES\GOOGLETOOLBAR_EN_2.0.95-DELEON.DLL/cmbacklinks.html
    O8 - Extra context menu item: Translate Page - res://C:\WINDOWS\DOWNLOADED PROGRAM FILES\GOOGLETOOLBAR_EN_2.0.95-DELEON.DLL/cmtrans.html
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Turbo Download (HKLM)
    O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
    O12 - Plugin for .pdf: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
    O12 - Plugin for .mid: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
    O12 - Plugin for .gif: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin3.dll
    O12 - Plugin for .mov: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
    O12 - Plugin for .aiff: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
    O12 - Plugin for .wav: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37660.2768865741
    O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = texas.net
    O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 207.207.0.3,206.127.0.3



    StartupList report, 9/20/03, 11:14:23 AM
    StartupList version: 1.52
    Started from : E:\UNZIPPED\HIJACKTHIS\HIJACKTHIS.EXE
    Detected: Windows 98 SE (Win9x 4.10.2222A)
    Detected: Internet Explorer v5.50 (5.50.4134.0600)
    * Using default options
    ==================================================

    Running processes:

    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\SYSTEM\RNAAPP.EXE
    C:\WINDOWS\SYSTEM\TAPISRV.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\PROGRAM FILES\CREATIVE\SBLIVE\AUDIOHQ\AHQTB.EXE
    C:\PROGRAM FILES\NORTON ANTIVIRUS\POPROXY.EXE
    C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
    C:\WINDOWS\SYSTEM\11938112.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    E:\UNZIPPED\HIJACKTHIS\HIJACKTHIS.EXE
    C:\WINDOWS\SYSTEM\QBCJF.EXE
    C:\WINDOWS\SYSTEM\QBCJF.EXE
    C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
    C:\WINDOWS\NOTEPAD.EXE

    --------------------------------------------------

    Listing of startup folders:

    Shell folders Startup:
    [C:\WINDOWS\Start Menu\Programs\StartUp]
    Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run

    ScanRegistry = C:\WINDOWS\scanregw.exe /autorun
    TaskMonitor = C:\WINDOWS\taskmon.exe
    SystemTray = SysTray.Exe
    LoadPowerProfile = Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    AudioHQ = C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
    Norton eMail Protect = C:\Program Files\Norton AntiVirus\POPROXY.EXE
    Ad-aware = E:\PROGRAM FILES\LAVASOFT\AD-AWARE 6\AD-AWARE.EXE +c
    NAV DefAlert = C:\PROGRA~1\NORTON~1\DEFALERT.EXE
    Norton Auto-Protect = C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET
    2W#WRF93K7RWWK = C:\WINDOWS\SYSTEM\Mdl7.exe
    82429140.exe = C:\WINDOWS\System\82429140.exe

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

    LoadPowerProfile = Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    SchedulingAgent = mstask.exe

    --------------------------------------------------

    Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

    Shell=Explorer.exe
    SCRNSAVE.EXE=
    drivers=mmsystem.dll power.drv

    --------------------------------------------------

    C:\WINDOWS\WININIT.BAK listing:
    (Created 20/9/2003, 3:52:2)

    [Rename]
    NUL=c:\program files\media\media\statblaster.dll
    NUL=c:\program files\media\media\statblaster.exe
    NUL=c:\windows\application data\main_01.gif
    NUL=c:\windows\temp\shortcuts.txt
    NUL=c:\windows\system\stlbdist.xml
    NUL=c:\ttil_starblaster.exe
    NUL=c:\superbarinstaller_wildmedia.exe
    NUL=c:\windows\application data\wdrr.exe
    NUL=c:\program files\istsvc\istsvc.exe
    NUL=c:\program files\clearsearch\loader.exe

    --------------------------------------------------

    C:\AUTOEXEC.BAT listing:

    C:\PROGRA~1\NORTON~1\NAVDX.EXE /Startup
    SET BLASTER=A220 I7 D1 H5 P330 T6
    SET CTSYN=C:\WINDOWS
    C:\PROGRA~1\CREATIVE\SBLIVE\DOSDRV\SBEINIT.COM
    C:\Csound\Bin;
    SFDIR=c:\Csound\Rendered
    SET SSDIR=c:\Csound\Samples
    SET SADIR=c:\Csound\Analysis

    --------------------------------------------------


    Enumerating Browser Helper Objects:

    (no name) - E:\ACROBAT\READER\ACTIVEX\ACROIEHELPER.OCX - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
    (no name) - c:\windows\downloaded program files\googletoolbar_en_2.0.95-deleon.dll - {AA58ED58-01DD-4d91-8333-CF10577473F7}

    --------------------------------------------------

    Enumerating Task Scheduler jobs:

    Tune-up Application Start.job
    Scan for Viruses.job
    Symantec NetDetect.job
    Maintenance-Defragment programs.job
    Maintenance-ScanDisk.job
    Maintenance-Disk cleanup.job

    --------------------------------------------------

    Enumerating Download Program Files:

    [Shockwave Flash Object]
    InProcServer32 = C:\WINDOWS\SYSTEM\MACROMED\FLASH\FLASH.OCX
    CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

    [Update Class]
    InProcServer32 = C:\WINDOWS\SYSTEM\IUCTL.DLL
    CODEBASE = http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37660.2768865741

    --------------------------------------------------

    Enumerating ShellServiceObjectDelayLoad items:

    WebCheck: C:\WINDOWS\SYSTEM\WEBCHECK.DLL

    --------------------------------------------------
    End of report, 7,071 bytes
    Report generated in 0.305 seconds

    Command line options:
    /verbose - to add additional info on each section
    /complete - to include empty sections and unsuspicious data
    /full - to include several rarely-important sections
    /force9x - to include Win9x-only startups even if running on WinNT
    /forcent - to include WinNT-only startups even if running on Win9x
    /forceall - to include all Win9x and WinNT startups, regardless of platform
    /history - to list version history only
     
  4. $teve

    $teve

    Joined:
    Oct 9, 2001
    Messages:
    9,396
    Run H/T in safe mode... make a note of where these (the items in red only) are and "fix" from there.

    O4 - HKLM\..\Run: [Ad-aware] E:\PROGRAM FILES\LAVASOFT\AD-AWARE 6\AD-AWARE.EXE +c
    O4 - HKLM\..\Run: [NAV DefAlert] C:\PROGRA~1\NORTON~1\DEFALERT.EXE
    O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET
    O4 - HKLM\..\Run: [2W#WRF93K7RWWK] C:\WINDOWS\SYSTEM\Mdl7.exe
    O4 - HKLM\..\Run: [82429140.exe] C:\WINDOWS\System\82429140.exe

    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme

    Just the 2 red entries.
    And before you delete them, can you send me a zipped copy of each one, please, for analysis? [email protected]

    thanx.


    let us know how it goes
    ;)
     
  5. $teve

    $teve

    Joined:
    Oct 9, 2001
    Messages:
    9,396
  6. innerd00r

    innerd00r Thread Starter

    Joined:
    Sep 20, 2003
    Messages:
    3
    Hey Steve,

    Thanx again. I think it worked, but those files had changed names again... here's what I 'fixed':
    O4 - HKLM\..\Run: [2W#WRF93K7RWWK] C:\WINDOWS\SYSTEM\Vryu.exe
    O4 - HKLM\..\Run: [24413698.exe] C:\WINDOWS\System\24413698.exe

    Weird thing is that, looking in W. Explorer, all those other ones I should have fixed in H/T but whose names kept changing are in there:
    18111819.exe, 24413698.exe, 33668154.exe (all 36kb, all on 09/15)...and of course these are there too: mdl7.exe, vryu.exe, and zyv5.exe...

    So I'll send copies in zip files... and then I should delete them? As in W. Explorer, just go in and delete? Or in H/T? Thanx! You guys are life savers...

    bill
    PS: new H/T printout is below to be sure.
    PSS: yes, I used LimeWire about 2 years ago but uninstalled it because I had dial-up and it was too slow... but had exactly that problem your link pointed to...

    Logfile of HijackThis v1.97.2
    Scan saved at 11:38:27 AM, on 9/21/03
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v5.50 (5.50.4134.0600)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\SYSTEM\RNAAPP.EXE
    C:\WINDOWS\SYSTEM\TAPISRV.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\PROGRAM FILES\CREATIVE\SBLIVE\AUDIOHQ\AHQTB.EXE
    C:\PROGRAM FILES\NORTON ANTIVIRUS\POPROXY.EXE
    C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
    C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\OUTLOOK.EXE
    C:\WINDOWS\SYSTEM\PSTORES.EXE
    C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    E:\UNZIPPED\HIJACKTHIS\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.yyep.com/search/search02.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ecolirecords.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://ecolirecords.com/
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\ACROBAT\READER\ACTIVEX\ACROIEHELPER.OCX
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\windows\downloaded program files\googletoolbar_en_2.0.95-deleon.dll
    O3 - Toolbar: @msdxmLC.dll,[email protected],&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\downloaded program files\googletoolbar_en_2.0.95-deleon.dll
    O3 - Toolbar: (no name) - {2CF0B992-5EEB-4143-99C0-5297EF71F444} - (no file)
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [AudioHQ] C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
    O4 - HKLM\..\Run: [Norton eMail Protect] C:\Program Files\Norton AntiVirus\POPROXY.EXE
    O4 - HKLM\..\Run: [Ad-aware] E:\PROGRAM FILES\LAVASOFT\AD-AWARE 6\AD-AWARE.EXE +c
    O4 - HKLM\..\Run: [NAV DefAlert] C:\PROGRA~1\NORTON~1\DEFALERT.EXE
    O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O8 - Extra context menu item: LimeShop Preferences - file://c:\Program Files\topMoxie\TEMP\limeshop_script.htm
    O8 - Extra context menu item: Download with GetRight - E:\Program Files\GetRight\GRdownload.htm
    O8 - Extra context menu item: Open with GetRight Browser - E:\Program Files\GetRight\GRbrowse.htm
    O8 - Extra context menu item: &Google Search - res://C:\WINDOWS\DOWNLOADED PROGRAM FILES\GOOGLETOOLBAR_EN_2.0.95-DELEON.DLL/cmsearch.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\WINDOWS\DOWNLOADED PROGRAM FILES\GOOGLETOOLBAR_EN_2.0.95-DELEON.DLL/cmcache.html
    O8 - Extra context menu item: Si&milar Pages - res://C:\WINDOWS\DOWNLOADED PROGRAM FILES\GOOGLETOOLBAR_EN_2.0.95-DELEON.DLL/cmsimilar.html
    O8 - Extra context menu item: Backward &Links - res://C:\WINDOWS\DOWNLOADED PROGRAM FILES\GOOGLETOOLBAR_EN_2.0.95-DELEON.DLL/cmbacklinks.html
    O8 - Extra context menu item: Translate Page - res://C:\WINDOWS\DOWNLOADED PROGRAM FILES\GOOGLETOOLBAR_EN_2.0.95-DELEON.DLL/cmtrans.html
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Turbo Download (HKLM)
    O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
    O12 - Plugin for .pdf: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
    O12 - Plugin for .mid: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
    O12 - Plugin for .gif: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin3.dll
    O12 - Plugin for .mov: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
    O12 - Plugin for .aiff: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
    O12 - Plugin for .wav: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37660.2768865741
    O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = texas.net
    O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 207.207.0.3,206.127.0.3
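    The two Run entries $teve marked in red, and Bill's observation that the same entries kept coming back under fresh file names, are the kind of thing worth checking mechanically rather than by eye. Below is an added Python example (my own code, not HijackThis and not anything posted in this thread) that parses O4 lines from a HijackThis log, flags the patterns visible here (a random-looking value name, a numeric-only or very short executable name in the system directory, a value named after its own file) and diffs two scans by registry value name so that a value whose target file changed between scans stands out. The sample lines are the ones quoted in this thread; the allowlist of stock Win98 autoruns and the heuristics are my assumptions, not a maintained signature set.

```python
"""Triage HijackThis O4 autorun lines and diff them between two scans.

Added example for this thread (not HijackThis code and not posted by anyone
here). The heuristics and the small allowlist are assumptions of mine; the
sample log lines are copied from the scans quoted in the thread.
"""
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Matches lines like:  O4 - HKLM\..\Run: [ValueName] C:\path\prog.exe /args
O4_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\(Run\w*): \[([^\]]+)\] (.+)$")
# Program path up to and including ".exe" (paths may contain spaces)
EXE_RE = re.compile(r"^(.*?\.exe)(?=\s|$)", re.IGNORECASE)

# Assumption: stock Win98 autoruns that appear in the thread's logs. A real
# deployment would use a maintained allowlist, not this short set.
KNOWN_GOOD = {"scanregw.exe", "taskmon.exe", "systray.exe", "rundll32.exe", "mstask.exe"}


@dataclass(frozen=True)
class Autorun:
    hive: str      # HKLM or HKCU
    key: str       # Run or RunServices
    name: str      # registry value name, e.g. "Norton Auto-Protect"
    command: str   # full command line as logged

    @property
    def exe(self) -> str:
        """Lower-cased file name of the program being launched."""
        m = EXE_RE.match(self.command)
        return PureWindowsPath(m.group(1)).name.lower() if m else self.command.lower()

    @property
    def directory(self) -> str:
        """Lower-cased directory part of the program path ('.' for a bare name)."""
        m = EXE_RE.match(self.command)
        return str(PureWindowsPath(m.group(1)).parent).lower() if m else ""


def parse_o4(log: str) -> dict[str, Autorun]:
    """Return the O4 Run/RunServices entries keyed by hive\\key\\value-name."""
    entries: dict[str, Autorun] = {}
    for line in log.splitlines():
        m = O4_RE.match(line.strip())
        if m:
            a = Autorun(*m.groups())
            entries[f"{a.hive}\\{a.key}\\{a.name}"] = a
    return entries


def flag(a: Autorun) -> list[str]:
    """Heuristic reasons an entry deserves a look; an empty list means nothing odd."""
    if a.exe in KNOWN_GOOD:
        return []
    stem = a.exe.rsplit(".", 1)[0]
    reasons = []
    if a.name.lower() == a.exe:
        reasons.append("value name is just the file name")
    if re.fullmatch(r"[A-Z0-9#]{8,}", a.name) and sum(c.isdigit() for c in a.name) >= 2:
        reasons.append("random-looking value name")
    if re.fullmatch(r"\d{6,}", stem):
        reasons.append("numeric-only file name")
    if len(stem) <= 4 and a.directory.endswith("windows\\system"):
        reasons.append("very short file name in the system directory")
    return reasons


def triage(log: str) -> dict[str, list[str]]:
    """Flagged entries of one scan, mapped to the reasons they were flagged."""
    return {k: r for k, a in parse_o4(log).items() if (r := flag(a))}


def changed_targets(old: dict[str, Autorun], new: dict[str, Autorun]) -> dict[str, tuple[str, str]]:
    """Value names present in both scans whose command line differs.

    A Run value that keeps its name but now points at a different file is what
    Bill saw between his two scans: the dropper re-creates its payload under a
    fresh random name and updates the same registry value.
    """
    return {k: (old[k].command, new[k].command)
            for k in old.keys() & new.keys() if old[k].command != new[k].command}


# Sample input: O4 lines quoted in this thread (first scan as marked by $teve,
# second scan as reported in the follow-up post, before the entries were fixed).
SCAN_1 = r"""
O4 - HKLM\..\Run: [Ad-aware] E:\PROGRAM FILES\LAVASOFT\AD-AWARE 6\AD-AWARE.EXE +c
O4 - HKLM\..\Run: [NAV DefAlert] C:\PROGRA~1\NORTON~1\DEFALERT.EXE
O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET
O4 - HKLM\..\Run: [2W#WRF93K7RWWK] C:\WINDOWS\SYSTEM\Mdl7.exe
O4 - HKLM\..\Run: [82429140.exe] C:\WINDOWS\System\82429140.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
"""
SCAN_2 = r"""
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET
O4 - HKLM\..\Run: [2W#WRF93K7RWWK] C:\WINDOWS\SYSTEM\Vryu.exe
O4 - HKLM\..\Run: [24413698.exe] C:\WINDOWS\System\24413698.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
"""

if __name__ == "__main__":
    for key, reasons in triage(SCAN_2).items():
        print(f"{key}: {', '.join(reasons)}")
    for key, (before, after) in changed_targets(parse_o4(SCAN_1), parse_o4(SCAN_2)).items():
        print(f"{key} changed target: {before} -> {after}")
```

    Run it against both scans and the [2W#WRF93K7RWWK] value is reported twice: once because its name and target look random, and once because its target moved from Mdl7.exe to Vryu.exe while the value name stayed put. That second signal is the one that survives the renaming Bill describes, which is why a removal checklist keyed on file names alone kept missing these entries.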
     
  7. $teve

    $teve

    Joined:
    Oct 9, 2001
    Messages:
    9,396
    Just fix these, Bill.
    O3 - Toolbar: (no name) - {2CF0B992-5EEB-4143-99C0-5297EF71F444} - (no file)
    O8 - Extra context menu item: LimeShop Preferences - file://c:\Program Files\topMoxie\TEMP\limeshop_script.htm


    And this is what was in the files you sent me.


    Current object: winmail.dat

    winmail.dat/ Archive: ZIP
    winmail.dat//Mdl7.exe Infected: TrojanDownloader.Win32.VB.q
    winmail.dat//24413698.exe Infected: Trojan.Win32.StartPade.ae
    winmail.dat//33668154.exe Infected: Trojan.Win32.StartPade.ae
    winmail.dat//84492129.exe Infected: Trojan.Win32.StartPade.ae
    winmail.dat//18111819.exe Infected: Trojan.Win32.StartPade.ae
    winmail.dat//Vryu.exe Infected: TrojanDownloader.Win32.VB.q
    winmail.dat//Zyv5.exe Infected: TrojanDownloader.Win32.VB.q
     
Short URL to this thread: https://techguy.org/166108