MORZE5.lnk

schony · Apr 2, 2004

I am having trouble with constant pop ups on my machine. I ran hijack this. Attached is the log. Please help!

Flrman1 · Apr 2, 2004

I'm pasting you log in the thread.

Logfile of HijackThis v1.97.7
Scan saved at 4:50:30 PM, on 4/2/2004
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\VSHWIN32.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\VSSTAT.EXE
C:\WINDOWS\SYSTEM\LEXBCES.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\PCTVOICE.EXE
C:\WINDOWS\SYSTEM\HIDSERV.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\CPQEADM.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\COMPAQ\CPQINET\CPQINET.EXE
C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\BTTNSERV.EXE
C:\PROGRAM FILES\COMPAQ\DIGITAL DASHBOARD\DEVGULP.EXE
C:\CPQS\BWTOOLS\SCCENTER.EXE
C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\EAUSBKBD.EXE
C:\PROGRAM FILES\MOTIVE\MOTMON.EXE
C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\AVCONSOL.EXE
C:\PROGRAM FILES\SCANSOFT\OMNIPAGESE\OPWARE32.EXE
C:\WINDOWS\WINDOWSUPD1.EXE
C:\PROGRAM FILES\DOWNLOADWARE\DW.EXE
C:\WINDOWS\9XOY4A6V.EXE
C:\WINDOWS\SYSTEM\OLDERF.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\TEMPORARY INTERNET FILES\CONTENT.IE5\57CL6KSX\HIJACKTHIS[1].EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bunyanfamilybooks.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://desktop.presario.net/scripts/redirectors/presario/deskredir.dll?c=3c00&s=consumer&LC=0409
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://search.searchenhancement.com/nph-enhanced.cgi?affid=sesm&sstring=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.searchenhancement.com/searchbar/iev1.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.searchenhancement.com/nph-enhanced.cgi?affid=sesm&sstring=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://search.searchenhancement.com/nph-enhanced.cgi?affid=sesm&sstring=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
R3 - URLSearchHook: WebSearch Class - {9368D063-44BE-49B9-BD14-BB9663FD38FC} - C:\PROGRAM FILES\SCBAR\V2\SCBAR.DLL
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WINDOWS\TWAINTEC.DLL
O2 - BHO: (no name) - {B549456D-F5D0-4641-BCED-8648A0C13D83} - C:\WINDOWS\BrowserHelper.dll
O2 - BHO: IE Agent - {00000000-0000-0000-0000-000000000221} - C:\PROGRA~1\LYCOS\IEAGENT\CSIE.DLL
O2 - BHO: (no name) - {00041A26-7033-432C-94C7-6371DE343822} - C:\PROGRAM FILES\SCBAR\V2\SCBAR.DLL
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {0019C3E2-DD48-4A6D-ABCD-8D32436323D9} - C:\WINDOWS\BXXS5.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Hidserv] Hidserv.exe run
O4 - HKLM\..\Run: [PCTVOICE] pctvoice.exe
O4 - HKLM\..\Run: [LexStart] Lexstart.exe
O4 - HKLM\..\Run: [LexmarkPrinTray] PrinTray.exe
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\Compaq\Easy Access Button Support\cpqeadm.exe
O4 - HKLM\..\Run: [EACLEAN] C:\Program Files\Compaq\Easy Access Button Support\eaclean.exe
O4 - HKLM\..\Run: [CPQInet] c:\compaq\CPQInet\CpqInet.exe
O4 - HKLM\..\Run: [Digital Dashboard] C:\Program Files\Compaq\Digital Dashboard\DevGulp.exe
O4 - HKLM\..\Run: [Service Connection] c:\cpqs\bwtools\sccenter.exe
O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
O4 - HKLM\..\Run: [MotiveMonitor] C:\Program Files\Motive\motmon.exe
O4 - HKLM\..\Run: [AvconsoleEXE] C:\Program Files\Network Associates\McAfee VirusScan\avconsol.exe /minimize
O4 - HKLM\..\Run: [VsecomrEXE] C:\Program Files\Network Associates\McAfee VirusScan\VSEcomR.EXE
O4 - HKLM\..\Run: [Vshwin32EXE] C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\VSHWIN32.EXE
O4 - HKLM\..\Run: [VsStatEXE] C:\Program Files\Network Associates\McAfee VirusScan\VSSTAT.EXE /SHOWWARNING
O4 - HKLM\..\Run: [Omnipage] C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
O4 - HKLM\..\Run: [WindowsUpd] C:\WINDOWS\WINDOWSUPD1.EXE
O4 - HKLM\..\Run: [bxxs5] RunDLL32.EXE C:\WINDOWS\BXXS5.DLL,DllRun
O4 - HKLM\..\Run: [DownloadWare] "C:\Program Files\DownloadWare\dw.exe" /H
O4 - HKLM\..\Run: [SearchEnhancement] "C:\PROGRAM FILES\SCBAR\V2\SCBAR.EXE" /U
O4 - HKLM\..\Run: [olderf] C:\WINDOWS\SYSTEM\olderf.exe
O4 - HKLM\..\Run: [9XOY4A6V.EXE] C:\WINDOWS\9XOY4A6V.EXE /dk
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [Vshwin32EXE] C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\VSHWIN32.EXE
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [RealUpdater] C:\WINDOWS\SYSTEM\realupd.exe
O4 - HKCU\..\Run: [9XOY4A6V.EXE] C:\WINDOWS\9XOY4A6V.EXE /dk
O4 - Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
O4 - Startup: Compaq Knowledge Center.lnk = C:\Program Files\Compaq Knowledge Center\bin\silent.exe
O4 - Startup: P0WXP04X.lnk = C:\WINDOWS\p0wxp04x.exe
O4 - Startup: V31M7IJN.lnk = C:\WINDOWS\v31m7ijn.exe
O4 - Startup: N4UY5KIT.lnk = C:\WINDOWS\n4uy5kit.exe
O4 - Startup: F7G0YCHT.lnk = C:\WINDOWS\f7g0ycht.exe
O4 - Startup: 2UGN248C.lnk = C:\WINDOWS\2ugn248c.exe
O4 - Startup: IL50LUG0.lnk = C:\WINDOWS\il50lug0.exe
O4 - Startup: UQ024J30.lnk = C:\WINDOWS\uq024j30.exe
O4 - Startup: 47RM0KAT.lnk = C:\WINDOWS\47rm0kat.exe
O4 - Startup: 9GIV090P.lnk = C:\WINDOWS\9giv090p.exe
O4 - Startup: MORZE1.lnk = C:\WINDOWS\morze1.exe
O4 - Startup: AN4771VU.lnk = C:\WINDOWS\an4771vu.exe
O4 - Startup: 44X1JGAB.lnk = C:\WINDOWS\44x1jgab.exe
O4 - Startup: ZWI07IZA.lnk = C:\WINDOWS\zwi07iza.exe
O4 - Startup: TJQZ6IGU.lnk = C:\WINDOWS\tjqz6igu.exe
O4 - Startup: 21VMRB0E.lnk = C:\WINDOWS\21vmrb0e.exe
O4 - Startup: RWNDT289.lnk = C:\WINDOWS\rwndt289.exe
O4 - Startup: V4DJYWG0.lnk = C:\WINDOWS\v4djywg0.exe
O4 - Startup: K00T6HO5.lnk = C:\WINDOWS\k00t6ho5.exe
O4 - Startup: 09GMBWCT.lnk = C:\WINDOWS\09gmbwct.exe
O4 - Startup: 07XIG0AP.lnk = C:\WINDOWS\07xig0ap.exe
O4 - Startup: 2G88D1NV.lnk = C:\WINDOWS\2g88d1nv.exe
O4 - Startup: 0FCCVJ1W.lnk = C:\WINDOWS\0fccvj1w.exe
O4 - Startup: 2VMYUYM8.lnk = C:\WINDOWS\2vmyuym8.exe
O4 - Startup: 33ZJJIXX.lnk = C:\WINDOWS\33zjjixx.exe
O4 - Startup: 01RERI8F.lnk = C:\WINDOWS\01reri8f.exe
O4 - Startup: I7ZKGKKN.lnk = C:\WINDOWS\i7zkgkkn.exe
O4 - Startup: IBJ1NTRM.lnk = C:\WINDOWS\ibj1ntrm.exe
O4 - Startup: YK0PUKKV.lnk = C:\WINDOWS\yk0pukkv.exe
O4 - Startup: KY994XLA.lnk = C:\WINDOWS\ky994xla.exe
O4 - Startup: GLAWAHKQ.lnk = C:\WINDOWS\glawahkq.exe
O4 - Startup: NJ6QHWDU.lnk = C:\WINDOWS\nj6qhwdu.exe
O4 - Startup: GW8WRK9C.lnk = C:\WINDOWS\gw8wrk9c.exe
O4 - Startup: O43W4YP4.lnk = C:\WINDOWS\o43w4yp4.exe
O4 - Startup: M5B1WOLT.lnk = C:\WINDOWS\m5b1wolt.exe
O4 - Startup: MN061230.lnk = C:\WINDOWS\mn061230.exe
O4 - Startup: P0WYR34I.lnk = C:\WINDOWS\p0wyr34i.exe
O4 - Startup: GFVP66E3.lnk = C:\WINDOWS\gfvp66e3.exe
O4 - Startup: IG8Q2TBM.lnk = C:\WINDOWS\ig8q2tbm.exe
O4 - Startup: 5NIBXIRN.lnk = C:\WINDOWS\5nibxirn.exe
O4 - Startup: YA74F0PL.lnk = C:\WINDOWS\ya74f0pl.exe
O4 - Startup: EGL1790U.lnk = C:\WINDOWS\egl1790u.exe
O4 - Startup: 9XOY4A6V.lnk = C:\WINDOWS\9xoy4a6v.exe
O4 - Global Startup: 07XIG0AP.lnk = C:\WINDOWS\07xig0ap.exe
O4 - Global Startup: P0WXP04X.lnk = C:\WINDOWS\p0wxp04x.exe
O4 - Global Startup: YK0PUKKV.lnk = C:\WINDOWS\yk0pukkv.exe
O4 - Global Startup: YA74F0PL.lnk = C:\WINDOWS\ya74f0pl.exe
O4 - Global Startup: KY994XLA.lnk = C:\WINDOWS\ky994xla.exe
O4 - Global Startup: EGL1790U.lnk = C:\WINDOWS\egl1790u.exe
O4 - Global Startup: 9XOY4A6V.lnk = C:\WINDOWS\9xoy4a6v.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsearch.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsimilar.html
O8 - Extra context menu item: Backward &Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmtrans.html
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: MSN Messenger Service (HKLM)
O9 - Extra button: Translate (HKLM)
O9 - Extra 'Tools' menuitem: AV &Translate (HKLM)
O9 - Extra 'Tools' menuitem: &Find Pages Linking to this URL (HKLM)
O9 - Extra 'Tools' menuitem: Find Other Pages on this &Host (HKLM)
O9 - Extra 'Tools' menuitem: AV Live (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {072D3F2E-5FB6-11D3-B461-00C04FA35A21} (CFForm Runtime) - http://www.bulletinboards.com/CFIDE/classes/CFJava.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?38076.2988425926
O16 - DPF: {4C226336-4032-489F-9674-67E74225979B} (OTXMovie Class) - http://www.otxresearch.com/OTXMedia/OTXMedia.dll
O16 - DPF: {91602283-B7B5-11D3-A32A-005004B0E00E} (DiscoverWhy Class) - http://216.132.173.29/CabFiles/dwInfo.cab

Flrman1 · Apr 2, 2004

You have been infected by the adtomi parasite.

This is the script put together by Mosaic1 to remove adtomi.

Click here to download 9xAdtomi Cleanup.zip.

Unzip the files to a folder of your choice.

Open the folder and Double Click Cleanup.bat

NOTE: Do not Touch the VBS files. The bat file will run the scripts all by itself.

It will:

- remove the Adtomi Spyware files from the Windows Folder
- Clean the Startup Folders
- Create Backups of the Adtomi exe files it deletes and save them in this folder
- Create a list of all oddly named files deleted from the Windows Folder
- Uninstall the Browserhelper.dll browser plugin
- Start HijackThis and give you directions on what to remove.

When you have finished please restart the computer.

Come back here and post another Hijack This log.

Flrman1 · Apr 2, 2004

Before you post the next log please do the following also:

Go here and download Adaware 6 Build 181

Install the program and launch it.

First in the main window look in the bottom right corner and click on Check for updates now and download the latest referencefiles.

Make sure the following settings are made and on -------ON=GREEN

From main window :Click Start then Activate in-depth scan (recommended)

Click Use custom scanning options then click Customize and have these options selected: Under Drives and Folders put a check by Scan within archives and below that under Memory and Registry put a check by all the options there.

Now click on the Tweak button in that same window. Under Scanning engine select Unload recognized processes during scanning and under Cleaning Engine select Let windows remove files in use at next reboot

Click proceed to save your settings.

Now to scan just click the Next button.

When the scan is finished mark everything for removal and get rid of it.(Right-click the window and choose select all from the drop down menu and click Next)

Restart your computer.

Then go here and download Spybot Search & Destroy.

Install the program and launch it.

Before scanning press Online and Search for Updates .

Put a check mark at and install all updates.

Click Check for Problems and when the scan is finished let Spybot fix/remove all it finds marked in RED.

Restart your computer.

Come back here and post another Hijack This log and we'll get rid of what's left.

schony · Apr 2, 2004

Here is the new log
thanks!
schony

Flrman1 · Apr 2, 2004

Logfile of HijackThis v1.97.7
Scan saved at 6:06:18 PM, on 4/2/2004
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\VSHWIN32.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\VSSTAT.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\SYSTEM\HIDSERV.EXE
C:\WINDOWS\PCTVOICE.EXE
C:\WINDOWS\SYSTEM\LEXBCES.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\CPQEADM.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\COMPAQ\CPQINET\CPQINET.EXE
C:\PROGRAM FILES\COMPAQ\DIGITAL DASHBOARD\DEVGULP.EXE
C:\CPQS\BWTOOLS\SCCENTER.EXE
C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\BTTNSERV.EXE
C:\PROGRAM FILES\MOTIVE\MOTMON.EXE
C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\AVCONSOL.EXE
C:\PROGRAM FILES\SCANSOFT\OMNIPAGESE\OPWARE32.EXE
C:\WINDOWS\WINDOWSUPD1.EXE
C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\EAUSBKBD.EXE
C:\WINDOWS\TEMP\TD_0005.DIR\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bunyanfamilybooks.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://desktop.presario.net/scripts/redirectors/presario/deskredir.dll?c=3c00&s=consumer&LC=0409
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: IE Agent - {00000000-0000-0000-0000-000000000221} - C:\PROGRA~1\LYCOS\IEAGENT\CSIE.DLL
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Hidserv] Hidserv.exe run
O4 - HKLM\..\Run: [PCTVOICE] pctvoice.exe
O4 - HKLM\..\Run: [LexStart] Lexstart.exe
O4 - HKLM\..\Run: [LexmarkPrinTray] PrinTray.exe
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\Compaq\Easy Access Button Support\cpqeadm.exe
O4 - HKLM\..\Run: [EACLEAN] C:\Program Files\Compaq\Easy Access Button Support\eaclean.exe
O4 - HKLM\..\Run: [CPQInet] c:\compaq\CPQInet\CpqInet.exe
O4 - HKLM\..\Run: [Digital Dashboard] C:\Program Files\Compaq\Digital Dashboard\DevGulp.exe
O4 - HKLM\..\Run: [Service Connection] c:\cpqs\bwtools\sccenter.exe
O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
O4 - HKLM\..\Run: [MotiveMonitor] C:\Program Files\Motive\motmon.exe
O4 - HKLM\..\Run: [AvconsoleEXE] C:\Program Files\Network Associates\McAfee VirusScan\avconsol.exe /minimize
O4 - HKLM\..\Run: [VsecomrEXE] C:\Program Files\Network Associates\McAfee VirusScan\VSEcomR.EXE
O4 - HKLM\..\Run: [Vshwin32EXE] C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\VSHWIN32.EXE
O4 - HKLM\..\Run: [VsStatEXE] C:\Program Files\Network Associates\McAfee VirusScan\VSSTAT.EXE /SHOWWARNING
O4 - HKLM\..\Run: [Omnipage] C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
O4 - HKLM\..\Run: [WindowsUpd] C:\WINDOWS\WINDOWSUPD1.EXE
O4 - HKLM\..\Run: [LKAGD9TE.EXE] C:\WINDOWS\LKAGD9TE.EXE /dk
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [Vshwin32EXE] C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\VSHWIN32.EXE
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [RealUpdater] C:\WINDOWS\SYSTEM\realupd.exe
O4 - Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
O4 - Startup: Compaq Knowledge Center.lnk = C:\Program Files\Compaq Knowledge Center\bin\silent.exe
O4 - Startup: LKAGD9TE.lnk = C:\WINDOWS\lkagd9te.exe
O4 - Startup: 9GIV090P.lnk = C:\WINDOWS\9giv090p.exe
O4 - Startup: GFVP66E3.lnk = C:\WINDOWS\gfvp66e3.exe
O4 - Startup: 9XOY4A6V.lnk = C:\WINDOWS\9xoy4a6v.exe
O4 - Global Startup: LKAGD9TE.lnk = C:\WINDOWS\lkagd9te.exe
O4 - Global Startup: 9XOY4A6V.lnk = C:\WINDOWS\9xoy4a6v.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsearch.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsimilar.html
O8 - Extra context menu item: Backward &Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmtrans.html
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: MSN Messenger Service (HKLM)
O9 - Extra button: Translate (HKLM)
O9 - Extra 'Tools' menuitem: AV &Translate (HKLM)
O9 - Extra 'Tools' menuitem: &Find Pages Linking to this URL (HKLM)
O9 - Extra 'Tools' menuitem: Find Other Pages on this &Host (HKLM)
O9 - Extra 'Tools' menuitem: AV Live (HKLM)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {072D3F2E-5FB6-11D3-B461-00C04FA35A21} (CFForm Runtime) - http://www.bulletinboards.com/CFIDE/classes/CFJava.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?38076.2988425926
O16 - DPF: {4C226336-4032-489F-9674-67E74225979B} (OTXMovie Class) - http://www.otxresearch.com/OTXMedia/OTXMedia.dll
O16 - DPF: {91602283-B7B5-11D3-A32A-005004B0E00E} (DiscoverWhy Class) - http://216.132.173.29/CabFiles/dwInfo.cab

Flrman1 · Apr 2, 2004

Run the cleanup script again and restart your computer.

schony · Apr 2, 2004

Ok I ran the cleanup utility. Here is the new log
Thanks!
schony

Flrman1 · Apr 2, 2004

Logfile of HijackThis v1.97.7
Scan saved at 6:29:12 PM, on 4/2/2004
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\VSHWIN32.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\VSSTAT.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\SYSTEM\HIDSERV.EXE
C:\WINDOWS\PCTVOICE.EXE
C:\WINDOWS\SYSTEM\LEXBCES.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\CPQEADM.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\COMPAQ\CPQINET\CPQINET.EXE
C:\PROGRAM FILES\COMPAQ\DIGITAL DASHBOARD\DEVGULP.EXE
C:\CPQS\BWTOOLS\SCCENTER.EXE
C:\PROGRAM FILES\MOTIVE\MOTMON.EXE
C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\AVCONSOL.EXE
C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\BTTNSERV.EXE
C:\PROGRAM FILES\SCANSOFT\OMNIPAGESE\OPWARE32.EXE
C:\WINDOWS\WINDOWSUPD1.EXE
C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\EAUSBKBD.EXE
C:\WINDOWS\UT3Y6FH4.EXE
C:\WINDOWS\TEMP\TD_0005.DIR\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bunyanfamilybooks.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://desktop.presario.net/scripts/redirectors/presario/deskredir.dll?c=3c00&s=consumer&LC=0409
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: IE Agent - {00000000-0000-0000-0000-000000000221} - C:\PROGRA~1\LYCOS\IEAGENT\CSIE.DLL
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {B549456D-F5D0-4641-BCED-8648A0C13D83} - C:\WINDOWS\BrowserHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Hidserv] Hidserv.exe run
O4 - HKLM\..\Run: [PCTVOICE] pctvoice.exe
O4 - HKLM\..\Run: [LexStart] Lexstart.exe
O4 - HKLM\..\Run: [LexmarkPrinTray] PrinTray.exe
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\Compaq\Easy Access Button Support\cpqeadm.exe
O4 - HKLM\..\Run: [EACLEAN] C:\Program Files\Compaq\Easy Access Button Support\eaclean.exe
O4 - HKLM\..\Run: [CPQInet] c:\compaq\CPQInet\CpqInet.exe
O4 - HKLM\..\Run: [Digital Dashboard] C:\Program Files\Compaq\Digital Dashboard\DevGulp.exe
O4 - HKLM\..\Run: [Service Connection] c:\cpqs\bwtools\sccenter.exe
O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
O4 - HKLM\..\Run: [MotiveMonitor] C:\Program Files\Motive\motmon.exe
O4 - HKLM\..\Run: [AvconsoleEXE] C:\Program Files\Network Associates\McAfee VirusScan\avconsol.exe /minimize
O4 - HKLM\..\Run: [VsecomrEXE] C:\Program Files\Network Associates\McAfee VirusScan\VSEcomR.EXE
O4 - HKLM\..\Run: [Vshwin32EXE] C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\VSHWIN32.EXE
O4 - HKLM\..\Run: [VsStatEXE] C:\Program Files\Network Associates\McAfee VirusScan\VSSTAT.EXE /SHOWWARNING
O4 - HKLM\..\Run: [Omnipage] C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
O4 - HKLM\..\Run: [WindowsUpd] C:\WINDOWS\WINDOWSUPD1.EXE
O4 - HKLM\..\Run: [UT3Y6FH4.EXE] C:\WINDOWS\UT3Y6FH4.EXE /dk
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [Vshwin32EXE] C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\VSHWIN32.EXE
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [RealUpdater] C:\WINDOWS\SYSTEM\realupd.exe
O4 - HKCU\..\Run: [UT3Y6FH4.EXE] C:\WINDOWS\UT3Y6FH4.EXE /dk
O4 - Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
O4 - Startup: Compaq Knowledge Center.lnk = C:\Program Files\Compaq Knowledge Center\bin\silent.exe
O4 - Startup: MORZE1.lnk = C:\WINDOWS\morze1.exe
O4 - Startup: HHCC8W23.lnk = C:\WINDOWS\hhcc8w23.exe
O4 - Startup: 0Z0QTPGD.lnk = C:\WINDOWS\0z0qtpgd.exe
O4 - Startup: UT3Y6FH4.lnk = C:\WINDOWS\ut3y6fh4.exe
O4 - Startup: GFVP66E3.lnk = C:\WINDOWS\gfvp66e3.exe
O4 - Global Startup: MORZE1.lnk = C:\WINDOWS\morze1.exe
O4 - Global Startup: 0Z0QTPGD.lnk = C:\WINDOWS\0z0qtpgd.exe
O4 - Global Startup: HHCC8W23.lnk = C:\WINDOWS\hhcc8w23.exe
O4 - Global Startup: UT3Y6FH4.lnk = C:\WINDOWS\ut3y6fh4.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsearch.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsimilar.html
O8 - Extra context menu item: Backward &Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmtrans.html
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: MSN Messenger Service (HKLM)
O9 - Extra button: Translate (HKLM)
O9 - Extra 'Tools' menuitem: AV &Translate (HKLM)
O9 - Extra 'Tools' menuitem: &Find Pages Linking to this URL (HKLM)
O9 - Extra 'Tools' menuitem: Find Other Pages on this &Host (HKLM)
O9 - Extra 'Tools' menuitem: AV Live (HKLM)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {072D3F2E-5FB6-11D3-B461-00C04FA35A21} (CFForm Runtime) - http://www.bulletinboards.com/CFIDE/classes/CFJava.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?38076.2988425926
O16 - DPF: {4C226336-4032-489F-9674-67E74225979B} (OTXMovie Class) - http://www.otxresearch.com/OTXMedia/OTXMedia.dll
O16 - DPF: {91602283-B7B5-11D3-A32A-005004B0E00E} (DiscoverWhy Class) - http://216.132.173.29/CabFiles/dwInfo.cab

Flrman1 · Apr 2, 2004

Run Hijack This again and put a check by these. Close all windows except HijackThis and click "Fix checked"

R3 - Default URLSearchHook is missing

O2 - BHO: IE Agent - {00000000-0000-0000-0000-000000000221} - C:\PROGRA~1\LYCOS\IEAGENT\CSIE.DLL

O2 - BHO: (no name) - {B549456D-F5D0-4641-BCED-8648A0C13D83} - C:\WINDOWS\BrowserHelper.dll

O4 - HKLM\..\Run: [WindowsUpd] C:\WINDOWS\WINDOWSUPD1.EXE

O4 - HKLM\..\Run: [UT3Y6FH4.EXE] C:\WINDOWS\UT3Y6FH4.EXE /dk

O4 - HKCU\..\Run: [RealUpdater] C:\WINDOWS\SYSTEM\realupd.exe

O4 - HKCU\..\Run: [UT3Y6FH4.EXE] C:\WINDOWS\UT3Y6FH4.EXE /dk

O4 - Startup: MORZE1.lnk = C:\WINDOWS\morze1.exe

O4 - Startup: HHCC8W23.lnk = C:\WINDOWS\hhcc8w23.exe

O4 - Startup: 0Z0QTPGD.lnk = C:\WINDOWS\0z0qtpgd.exe

O4 - Startup: UT3Y6FH4.lnk = C:\WINDOWS\ut3y6fh4.exe

O4 - Startup: GFVP66E3.lnk = C:\WINDOWS\gfvp66e3.exe

O4 - Global Startup: MORZE1.lnk = C:\WINDOWS\morze1.exe

O4 - Global Startup: 0Z0QTPGD.lnk = C:\WINDOWS\0z0qtpgd.exe

O4 - Global Startup: HHCC8W23.lnk = C:\WINDOWS\hhcc8w23.exe

O4 - Global Startup: UT3Y6FH4.lnk = C:\WINDOWS\ut3y6fh4.exe

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

Restart to safe mode.

How to start your computer in safe mode

First in safe mode Click on My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab.
Under the Hidden files and folders heading select Show hidden files and folders.
Uncheck the Hide protected operating system files (recommended) option.
Click Apply then OK. Click Yes to confirm.

Now navigate to the C:\Windows folder and delte these files:

BrowserHelper.dll
WINDOWSUPD1.EXE
UT3Y6FH4.EXE
morze1.exe
hhcc8w23.exe
0z0qtpgd.exe
ut3y6fh4.exe
gfvp66e3.exe

Next go to the C:\Windows\System folder and delete this file:

realupd.exe

dvk01 · Apr 5, 2004

before you run the clean up script, you MUST stop the loader file runnin g first,

These are the full instructions

First If you have a Script Blocking Program enabled, disable it so the scripts will run.

Unzip it to C:\Windows

See if there is an Adtomi or yahoo stocks icon in your system tray , it might be a red ?? and if so right click and select remove , you must be online for this part
--A web page from Adtomi would appear "-uninstall was succesful!"
then go off line
(note not all infections have this icon, so if it isn't there then don't worry, just continue to the next step)

next press ctrl+ ALT+DEL once to bring up task manager, look in applications for the funny named file with 8 assorted letters & numbers, that will be listed towards the bottom of the running process list in your hijackthis log, If it isn't listed in the applications, then look in processes tab.

In your case the file/ process to stop is : C:\WINDOWS\UT3Y6FH4.EXE
then press end task or end process and make sure that entry has disapeared from the list.
if you can't stop it running, then DO NOT CONTINUE, please ask for more help first and there might also be morze1 running, if so end that process as well.

Now locate and Double Click Cleanup.bat that is in the folder you unzipped ( C:\Windows\Adtomi Cleanup )

***Do not Touch the VBS files. The bat file will run the scripts.

Make sure all Browser and folder windows are closed and it will do everything automatically for you.

It will remove the Adtomi Spyware files from the Windows Folder
Clean the Startup Folders
Create Backups of the Adtomi exe files it deletes and save them in this folder
Create a list of all oddly named files deleted from the Windows Folder
Uninstall the BHO
Start HijackThis and give you directions on what to remove.

When you have finished please restart the computer.

Run HijackThis again and post the contents of your new log and the contents of Adtomi.txt in your next reply in your Forum Topic.

Log in or Sign up

MORZE5.lnk

schony Thread Starter

Attached Files:

hijackthis.log

Flrman1

Flrman1

Flrman1

schony Thread Starter

Attached Files:

hijackthis3.log.txt

Flrman1

Flrman1

schony Thread Starter

Attached Files:

hijackthis.log

Flrman1

Flrman1

dvk01 Moderator Malware Specialist

Sponsor

Welcome to Tech Support Guy!

MORZE5.lnk

schony Thread Starter

Attached Files:

schony Thread Starter

Attached Files:

schony Thread Starter

Attached Files:

dvk01 Moderator Malware Specialist

Sponsor

Welcome to Tech Support Guy!

Useful Searches