1. Computer problem? Tech Support Guy is completely free -- paid for by advertisers and donations. Click here to join today! If you're new to Tech Support Guy, we highly recommend that you visit our Guide for New Members.

Please Help with updated HJ This log!

Discussion in 'Virus & Other Malware Removal' started by cantes903, Feb 2, 2005.

Thread Status:
Not open for further replies.
Advertisement
  1. cantes903

    cantes903 Thread Starter

    Joined:
    Jul 3, 2003
    Messages:
    25
    Please help with this log. I have run Ad-Aware and Spybot already. I appreciate any assistance!

    Logfile of HijackThis v1.97.7
    Scan saved at 5:55:01 PM, on 2/2/05
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
    C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCSETMGR.EXE
    C:\PROGRAM FILES\SYMANTEC ANTIVIRUS\DEFWATCH.EXE
    C:\PROGRAM FILES\SYMANTEC ANTIVIRUS\RTVSCN95.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
    C:\PROGRAM FILES\SYMANTEC ANTIVIRUS\VPTRAY.EXE
    C:\PROGRAM FILES\BROADJUMP\CLIENT FOUNDATION\CFD.EXE
    C:\WINDOWS\SYSTEM\STIMON.EXE
    C:\PROGRAM FILES\LEXMARK X74-X75\LXBBBMGR.EXE
    C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
    C:\WINDOWS\SYSTEM\UPDDMAIL.EXE
    C:\WINDOWS\SYSTEM\LEXBCES.EXE
    C:\PROGRAM FILES\LEXMARK X74-X75\LXBBBMON.EXE
    C:\WINDOWS\SYSTEM\NDRV.EXE
    C:\WINDOWS\SYSTEM\RPCSS.EXE
    C:\PROGRAM FILES\DIGITAL IMAGE\MONITOR.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\PROGRAM FILES\LOGITECH\WINGMAN SOFTWARE\LWEMON.EXE
    C:\WINDOWS\SYSTEM\LEXPPS.EXE
    C:\WINDOWS\SYSTEM\PSTORES.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\PROGRAM FILES\INTERMUTE\SPYSUBTRACT\SPYSUB.EXE
    C:\PROGRAM FILES\LAVASOFT\AD-AWARE SE PERSONAL\AD-AWARE.EXE
    C:\WINDOWS\DESKTOP\SECURITY\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ycomp_adbe/defaults/sb/*http://www.yahoo.com/search/ie.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ycomp_adbe/defaults/sp/*http://www.yahoo.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/customize/ie/defaults/stp/ymsgr6/*http://www.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus.../*http://www.yahoo.com/ext/search/search.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/ymsgr6/*http://www.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://red.clientapps.yahoo.com/customize/ie/defaults/stp/ymsgr6/*http://www.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr6/*http://www.yahoo.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://home.peoplepc.com/search
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by BellSouth
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr6/*http://www.yahoo.com
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.r21.mchsi.com
    R3 - Default URLSearchHook is missing
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN0\YCOMP5_5_7_0.DLL
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
    O2 - BHO: (no name) - {CF7C3CF0-4B15-11D1-ABED-709549C10000} - (no file)
    O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~2\TOOLS\IESDSG.DLL (file missing)
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN0\YCOMP5_5_7_0.DLL
    O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
    O4 - HKLM\..\Run: [2yicoqvv] C:\WINDOWS\TEMP\2YICOQVV.EXE
    O4 - HKLM\..\Run: [[email protected]] C:\WINDOWS\SYSTEM\Kioh5p4.exe
    O4 - HKLM\..\Run: [SPWL32M] C:\WINDOWS\SYSTEM\SPWL32M.exe
    O4 - HKLM\..\Run: [Prein] C:\WINDOWS\TEMP\APPE1E2.TMP
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTRAY.EXE
    O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
    O4 - HKLM\..\Run: [AutoLoaderqxpG1IPkXKKN] "C:\WINDOWS\SYSTEM\TWAROWSE.EXE"
    O4 - HKLM\..\Run: [q26g36S] TWAROWSE.EXE
    O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
    O4 - HKLM\..\Run: [Upsfc] C:\WINDOWS\TEMP\APP43B2.TMP
    O4 - HKLM\..\Run: [Lexmark X74-X75] "C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe"
    O4 - HKLM\..\Run: [LexStart] lexstart.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\RunServices: [ccEvtMgr] "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
    O4 - HKLM\..\RunServices: [ccSetMgr] "C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe"
    O4 - HKLM\..\RunServices: [defwatch] C:\PROGRA~1\SYMANT~1\DEFWATCH.EXE
    O4 - HKLM\..\RunServices: [rtvscn95] C:\PROGRA~1\SYMANT~1\RTVSCN95.EXE
    O4 - HKCU\..\Run: [Cida] C:\WINDOWS\Application Data\teda.exe
    O4 - HKCU\..\Run: [b1pmRWemg] UPDDMAIL.EXE
    O4 - HKCU\..\Run: [Start WingMan Profiler] "c:\Program Files\Logitech\WingMan Software\lwtest.exe" /detect /quiet /launch "c:\Program Files\Logitech\WingMan Software\lwemon.exe /noui"
    O4 - HKCU\..\RunServices: [Cida] C:\WINDOWS\Application Data\teda.exe
    O4 - HKCU\..\RunServices: [b1pmRWemg] UPDDMAIL.EXE
    O4 - HKCU\..\RunServices: [Start WingMan Profiler] "c:\Program Files\Logitech\WingMan Software\lwtest.exe" /detect /quiet /launch "c:\Program Files\Logitech\WingMan Software\lwemon.exe /noui"
    O4 - Startup: Digital Image Monitor.lnk = C:\Program Files\Digital Image\Monitor.exe
    O4 - Startup: SpySubtract.lnk = C:\Program Files\interMute\SpySubtract\SpySub.exe
    O4 - Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O8 - Extra context menu item: -
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://c:\PROGRA~1\MICROS~3\OFFICE10\EXCEL.EXE/3000
    O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
    O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
    O16 - DPF: Tri-Peaks by pogo - http://game4.pogo.com/applet-6.0.4.37/peaks/peaks-ob-assets.cab
    O16 - DPF: Mah Jong Garden by pogo - http://game4.pogo.com/applet-6.0.3.35/mahjong/mahjong-ob-assets.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: Euchre by pogo - http://euchre.pogo.com/applet-6.0.3.35/euchre/euchre-ob-assets.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?38113.7042476852
    O16 - DPF: Texas Hold'em Poker by pogo - http://game4.pogo.com/applet-6.0.4.31/holdem/holdem-ob-assets.cab
    O16 - DPF: Greenback Bayou by pogo - http://greenback.pogo.com/applet-6.0.4.31/greenback/greenback-ob-assets.cab
    O16 - DPF: Dice Derby by pogo - http://checkeredflag.pogo.com/applet-6.0.3.35/checkeredflag/checkeredflag-ob-assets.cab
    O16 - DPF: Pop Fu by pogo - http://popfu.pogo.com/applet-6.0.4.37/popfu/popfu-ob-assets.cab
    O16 - DPF: Phlinx by pogo - http://game4.pogo.com/applet-6.0.3.35/flinger/flinger-ob-assets.cab
    O16 - DPF: First Class Solitaire by pogo - http://game3.pogo.com/applet-6.0.4.37/solitaire2/solitaire2-ob-assets.cab
    O16 - DPF: Perfect Pair Solitaire by pogo - http://waterwheel.pogo.com/applet-6.0.4.31/waterwheel/waterwheel-ob-assets.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/2,0,0,4382/mcfscan.cab
    O16 - DPF: {93CEA8A4-6059-4E0B-ADDD-73848153DD5E} (CWebLaunchCtl Object) - http://gateway.cf1live.com/eSupport/static/weblaunch/weblaunch.cab
    O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://playweb10.pogo.com/game/deluxe/insaniquarium/popcaploader_v6.cab
    O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
    O16 - DPF: Hearts by pogo - http://hearts.pogo.com/applet-6.0.3.35/hearts/hearts-ob-assets.cab
    O16 - DPF: Jigsaw Detective by pogo - http://game3.pogo.com/applet-6.0.4.37/jigsaw/jigsaw-ob-assets.cab
    O16 - DPF: Aces Up! by pogo - http://game1.pogo.com/applet-6.1.1.29/aces/aces-ob-assets.cab
    O16 - DPF: Jungle Gin by pogo - http://gin.pogo.com/applet-6.0.4.37/gin/gin-ob-assets.cab
    O16 - DPF: WordJong by pogo - http://wordjong.pogo.com/applet-6.0.4.37/wordjong/wordjong-ob-assets.cab
    O16 - DPF: Armored Attack by pogo - http://game4.pogo.com/applet-6.0.3.35/cctank/cctank-ob-assets.cab
    O16 - DPF: Canasta by pogo - http://canasta.pogo.com/applet-6.0.4.31/canasta/canasta-ob-assets.cab
    O16 - DPF: Spider Solitaire by pogo - http://game4.pogo.com/applet-6.0.4.37/spider/spider-ob-assets.cab
    O16 - DPF: High Stakes Poker by pogo - http://game6.pogo.com/applet-6.0.4.37/drawpoker/drawpoker-ob-assets.cab
    O16 - DPF: High Stakes Pool by pogo - http://game4.pogo.com/applet-6.0.4.37/pool2/pool-ob-assets.cab
    O16 - DPF: Multiline Slots by pogo - http://game6.pogo.com/applet-6.1.1.29/mlslots/mlslots-ob-assets.cab
    O16 - DPF: Poppit TM by pogo - http://game5.pogo.com/applet-6.1.1.29/poppit/poppit-ob-assets.cab
    O16 - DPF: Pinochle by pogo - http://game4.pogo.com/applet-6.1.1.29/pinochle/pinochle-ob-assets.cab
     
  2. mjack547

    mjack547 Malware Specialist

    Joined:
    Sep 1, 2003
    Messages:
    3,181
  3. mjack547

    mjack547 Malware Specialist

    Joined:
    Sep 1, 2003
    Messages:
    3,181
    Please do this before you post the log from the new HJT:

    Click http://downloads.subratam.org/PeperFix.exe

    to downloadthe PeperFix.exe tool to get rid of the peper trojan:

    Click on the PeperFix.exe to launch it.

    Click the Find and Fix button.

    It will scan the %systemroot% folder and locate all the peper files. You will be prompted to restart your computer. Restart and it will delete the peper files.
     
  4. cantes903

    cantes903 Thread Starter

    Joined:
    Jul 3, 2003
    Messages:
    25
    Here is my new log using an updated version of HJ This. I hope this is the most recent version as I was not able to access majorgeeks.com so I got the program elsewhere. Once again I have already used Spybot and Ad-Aware. Thanks for any help.

    Logfile of HijackThis v1.99.0
    Scan saved at 7:07:28 PM, on 2/2/05
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
    C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCSETMGR.EXE
    C:\PROGRAM FILES\SYMANTEC ANTIVIRUS\DEFWATCH.EXE
    C:\PROGRAM FILES\SYMANTEC ANTIVIRUS\RTVSCN95.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
    C:\PROGRAM FILES\SYMANTEC ANTIVIRUS\VPTRAY.EXE
    C:\PROGRAM FILES\BROADJUMP\CLIENT FOUNDATION\CFD.EXE
    C:\WINDOWS\SYSTEM\STIMON.EXE
    C:\PROGRAM FILES\LEXMARK X74-X75\LXBBBMGR.EXE
    C:\PROGRAM FILES\LEXMARK X74-X75\LXBBBMON.EXE
    C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
    C:\WINDOWS\SYSTEM\UPDDMAIL.EXE
    C:\WINDOWS\SYSTEM\LEXBCES.EXE
    C:\WINDOWS\SYSTEM\RPCSS.EXE
    C:\PROGRAM FILES\DIGITAL IMAGE\MONITOR.EXE
    C:\PROGRAM FILES\INTERMUTE\SPYSUBTRACT\SPYSUB.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\PROGRAM FILES\LOGITECH\WINGMAN SOFTWARE\LWEMON.EXE
    C:\WINDOWS\SYSTEM\LEXPPS.EXE
    C:\WINDOWS\SYSTEM\PSTORES.EXE
    C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ycomp_adbe/defaults/sb/*http://www.yahoo.com/search/ie.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ycomp_adbe/defaults/sp/*http://www.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://red.clientapps.yahoo.com/customize/ie/defaults/stp/ymsgr6/*http://www.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr6/*http://www.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus.../*http://www.yahoo.com/ext/search/search.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/ymsgr6/*http://www.yahoo.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/customize/ie/defaults/stp/ymsgr6/*http://www.yahoo.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://home.peoplepc.com/search
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr6/*http://www.yahoo.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by BellSouth
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.r21.mchsi.com
    R3 - Default URLSearchHook is missing
    O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN0\YCOMP5_5_7_0.DLL
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
    O2 - BHO: IEPlugin Class - {CF7C3CF0-4B15-11D1-ABED-709549C10000} - (no file)
    O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~2\TOOLS\IESDSG.DLL (file missing)
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN0\YCOMP5_5_7_0.DLL
    O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
    O4 - HKLM\..\Run: [2yicoqvv] C:\WINDOWS\TEMP\2YICOQVV.EXE
    O4 - HKLM\..\Run: [[email protected]] C:\WINDOWS\SYSTEM\Kioh5p4.exe
    O4 - HKLM\..\Run: [SPWL32M] C:\WINDOWS\SYSTEM\SPWL32M.exe
    O4 - HKLM\..\Run: [Prein] C:\WINDOWS\TEMP\APPE1E2.TMP
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTRAY.EXE
    O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
    O4 - HKLM\..\Run: [AutoLoaderqxpG1IPkXKKN] "C:\WINDOWS\SYSTEM\TWAROWSE.EXE"
    O4 - HKLM\..\Run: [q26g36S] TWAROWSE.EXE
    O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
    O4 - HKLM\..\Run: [Upsfc] C:\WINDOWS\TEMP\APP43B2.TMP
    O4 - HKLM\..\Run: [Lexmark X74-X75] "C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe"
    O4 - HKLM\..\Run: [LexStart] lexstart.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\RunServices: [ccEvtMgr] "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
    O4 - HKLM\..\RunServices: [ccSetMgr] "C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe"
    O4 - HKLM\..\RunServices: [defwatch] C:\PROGRA~1\SYMANT~1\DEFWATCH.EXE
    O4 - HKLM\..\RunServices: [rtvscn95] C:\PROGRA~1\SYMANT~1\RTVSCN95.EXE
    O4 - HKCU\..\Run: [Cida] C:\WINDOWS\Application Data\teda.exe
    O4 - HKCU\..\Run: [b1pmRWemg] UPDDMAIL.EXE
    O4 - HKCU\..\Run: [Start WingMan Profiler] "c:\Program Files\Logitech\WingMan Software\lwtest.exe" /detect /quiet /launch "c:\Program Files\Logitech\WingMan Software\lwemon.exe /noui"
    O4 - Startup: Digital Image Monitor.lnk = C:\Program Files\Digital Image\Monitor.exe
    O4 - Startup: SpySubtract.lnk = C:\Program Files\interMute\SpySubtract\SpySub.exe
    O4 - Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O8 - Extra context menu item: -
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://c:\PROGRA~1\MICROS~3\OFFICE10\EXCEL.EXE/3000
    O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
    O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
    O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES0521.DLL
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES0521.DLL
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
    O9 - Extra button: (no name) - {9819CC0E-9669-4D01-9CD7-2C66DA43AC6C} - (no file)
    O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
    O16 - DPF: Tri-Peaks by pogo - http://game4.pogo.com/applet-6.0.4.37/peaks/peaks-ob-assets.cab
    O16 - DPF: Mah Jong Garden by pogo - http://game4.pogo.com/applet-6.0.3.35/mahjong/mahjong-ob-assets.cab
    O16 - DPF: Euchre by pogo - http://euchre.pogo.com/applet-6.0.3.35/euchre/euchre-ob-assets.cab
    O16 - DPF: Texas Hold'em Poker by pogo - http://game4.pogo.com/applet-6.0.4.31/holdem/holdem-ob-assets.cab
    O16 - DPF: Greenback Bayou by pogo - http://greenback.pogo.com/applet-6.0.4.31/greenback/greenback-ob-assets.cab
    O16 - DPF: Dice Derby by pogo - http://checkeredflag.pogo.com/applet-6.0.3.35/checkeredflag/checkeredflag-ob-assets.cab
    O16 - DPF: Pop Fu by pogo - http://popfu.pogo.com/applet-6.0.4.37/popfu/popfu-ob-assets.cab
    O16 - DPF: Phlinx by pogo - http://game4.pogo.com/applet-6.0.3.35/flinger/flinger-ob-assets.cab
    O16 - DPF: First Class Solitaire by pogo - http://game3.pogo.com/applet-6.0.4.37/solitaire2/solitaire2-ob-assets.cab
    O16 - DPF: Perfect Pair Solitaire by pogo - http://waterwheel.pogo.com/applet-6.0.4.31/waterwheel/waterwheel-ob-assets.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/2,0,0,4382/mcfscan.cab
    O16 - DPF: {93CEA8A4-6059-4E0B-ADDD-73848153DD5E} (CWebLaunchCtl Object) - http://gateway.cf1live.com/eSupport/static/weblaunch/weblaunch.cab
    O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://playweb10.pogo.com/game/deluxe/insaniquarium/popcaploader_v6.cab
    O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
    O16 - DPF: Hearts by pogo - http://hearts.pogo.com/applet-6.0.3.35/hearts/hearts-ob-assets.cab
    O16 - DPF: Jigsaw Detective by pogo - http://game3.pogo.com/applet-6.0.4.37/jigsaw/jigsaw-ob-assets.cab
    O16 - DPF: Aces Up! by pogo - http://game1.pogo.com/applet-6.1.1.29/aces/aces-ob-assets.cab
    O16 - DPF: Jungle Gin by pogo - http://gin.pogo.com/applet-6.0.4.37/gin/gin-ob-assets.cab
    O16 - DPF: WordJong by pogo - http://wordjong.pogo.com/applet-6.0.4.37/wordjong/wordjong-ob-assets.cab
    O16 - DPF: Armored Attack by pogo - http://game4.pogo.com/applet-6.0.3.35/cctank/cctank-ob-assets.cab
    O16 - DPF: Canasta by pogo - http://canasta.pogo.com/applet-6.0.4.31/canasta/canasta-ob-assets.cab
    O16 - DPF: Spider Solitaire by pogo - http://game4.pogo.com/applet-6.0.4.37/spider/spider-ob-assets.cab
    O16 - DPF: High Stakes Poker by pogo - http://game6.pogo.com/applet-6.0.4.37/drawpoker/drawpoker-ob-assets.cab
    O16 - DPF: High Stakes Pool by pogo - http://game4.pogo.com/applet-6.0.4.37/pool2/pool-ob-assets.cab
    O16 - DPF: Multiline Slots by pogo - http://game6.pogo.com/applet-6.1.1.29/mlslots/mlslots-ob-assets.cab
    O16 - DPF: Poppit TM by pogo - http://game5.pogo.com/applet-6.1.1.29/poppit/poppit-ob-assets.cab
    O16 - DPF: Pinochle by pogo - http://game4.pogo.com/applet-6.1.1.29/pinochle/pinochle-ob-assets.cab
     
  5. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Joined:
    Aug 27, 2003
    Messages:
    112,043
    I have merged your threads together and closed the other one. Please do not start new threads each time you post as it gets confusing for those who are trying to help you.

    Please continue posting in this thread only until the problem is resolved.
     
  6. ~Candy~

    ~Candy~ Retired Administrator

    Joined:
    Jan 27, 2001
    Messages:
    103,706
    You should also create a folder on the desktop and MOVE HIJACK THIS into it.
     
  7. cantes903

    cantes903 Thread Starter

    Joined:
    Jul 3, 2003
    Messages:
    25
    I have done all you have said. I'm still hoping someone will be able to help me get rid of stuff I don't need though.
     
  8. ~Candy~

    ~Candy~ Retired Administrator

    Joined:
    Jan 27, 2001
    Messages:
    103,706
    O4 - HKLM\..\Run: [AutoLoaderqxpG1IPkXKKN] "C:\WINDOWS\SYSTEM\TWAROWSE.EXE"
    O4 - HKLM\..\Run: [q26g36S] TWAROWSE.EXE
    O4 - HKLM\..\Run: [Upsfc] C:\WINDOWS\TEMP\APP43B2.TMP


    You still have some issues, those among others, sit tight, I'm sure Cookiegal is lurking somewhere ;)
     
  9. cantes903

    cantes903 Thread Starter

    Joined:
    Jul 3, 2003
    Messages:
    25
    Ok, thanks AcaCandy :D . I have done what you said and here is the new log with the changes.
    Logfile of HijackThis v1.99.0
    Scan saved at 1:27:29 AM, on 2/3/05
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
    C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCSETMGR.EXE
    C:\PROGRAM FILES\SYMANTEC ANTIVIRUS\DEFWATCH.EXE
    C:\PROGRAM FILES\SYMANTEC ANTIVIRUS\RTVSCN95.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
    C:\PROGRAM FILES\SYMANTEC ANTIVIRUS\VPTRAY.EXE
    C:\PROGRAM FILES\BROADJUMP\CLIENT FOUNDATION\CFD.EXE
    C:\WINDOWS\SYSTEM\STIMON.EXE
    C:\PROGRAM FILES\LEXMARK X74-X75\LXBBBMGR.EXE
    C:\PROGRAM FILES\LEXMARK X74-X75\LXBBBMON.EXE
    C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
    C:\WINDOWS\SYSTEM\LEXBCES.EXE
    C:\WINDOWS\SYSTEM\UPDDMAIL.EXE
    C:\PROGRAM FILES\DIGITAL IMAGE\MONITOR.EXE
    C:\WINDOWS\SYSTEM\RPCSS.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\PROGRAM FILES\LOGITECH\WINGMAN SOFTWARE\LWEMON.EXE
    C:\WINDOWS\SYSTEM\LEXPPS.EXE
    C:\WINDOWS\DESKTOP\HIJACK\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ycomp_adbe/defaults/sb/*http://www.yahoo.com/search/ie.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ycomp_adbe/defaults/sp/*http://www.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://red.clientapps.yahoo.com/customize/ie/defaults/stp/ymsgr6/*http://www.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr6/*http://www.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus.../*http://www.yahoo.com/ext/search/search.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/ymsgr6/*http://www.yahoo.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/customize/ie/defaults/stp/ymsgr6/*http://www.yahoo.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://home.peoplepc.com/search
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr6/*http://www.yahoo.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by BellSouth
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.r21.mchsi.com
    O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN0\YCOMP5_5_7_0.DLL
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
    O2 - BHO: IEPlugin Class - {CF7C3CF0-4B15-11D1-ABED-709549C10000} - (no file)
    O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~2\TOOLS\IESDSG.DLL (file missing)
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN0\YCOMP5_5_7_0.DLL
    O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
    O4 - HKLM\..\Run: [2yicoqvv] C:\WINDOWS\TEMP\2YICOQVV.EXE
    O4 - HKLM\..\Run: [[email protected]] C:\WINDOWS\SYSTEM\Kioh5p4.exe
    O4 - HKLM\..\Run: [SPWL32M] C:\WINDOWS\SYSTEM\SPWL32M.exe
    O4 - HKLM\..\Run: [Prein] C:\WINDOWS\TEMP\APPE1E2.TMP
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTRAY.EXE
    O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
    O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
    O4 - HKLM\..\Run: [Lexmark X74-X75] "C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe"
    O4 - HKLM\..\Run: [LexStart] lexstart.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\RunServices: [ccEvtMgr] "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
    O4 - HKLM\..\RunServices: [ccSetMgr] "C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe"
    O4 - HKLM\..\RunServices: [defwatch] C:\PROGRA~1\SYMANT~1\DEFWATCH.EXE
    O4 - HKLM\..\RunServices: [rtvscn95] C:\PROGRA~1\SYMANT~1\RTVSCN95.EXE
    O4 - HKCU\..\Run: [Cida] C:\WINDOWS\Application Data\teda.exe
    O4 - HKCU\..\Run: [b1pmRWemg] UPDDMAIL.EXE
    O4 - HKCU\..\Run: [Start WingMan Profiler] "c:\Program Files\Logitech\WingMan Software\lwtest.exe" /detect /quiet /launch "c:\Program Files\Logitech\WingMan Software\lwemon.exe /noui"
    O4 - Startup: Digital Image Monitor.lnk = C:\Program Files\Digital Image\Monitor.exe
    O4 - Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O8 - Extra context menu item: -
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://c:\PROGRA~1\MICROS~3\OFFICE10\EXCEL.EXE/3000
    O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
    O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
    O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES0521.DLL
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES0521.DLL
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
    O9 - Extra button: (no name) - {9819CC0E-9669-4D01-9CD7-2C66DA43AC6C} - (no file)
    O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
    O16 - DPF: Tri-Peaks by pogo - http://game4.pogo.com/applet-6.0.4.37/peaks/peaks-ob-assets.cab
    O16 - DPF: Mah Jong Garden by pogo - http://game4.pogo.com/applet-6.0.3.35/mahjong/mahjong-ob-assets.cab
    O16 - DPF: Euchre by pogo - http://euchre.pogo.com/applet-6.0.3.35/euchre/euchre-ob-assets.cab
    O16 - DPF: Texas Hold'em Poker by pogo - http://game4.pogo.com/applet-6.0.4.31/holdem/holdem-ob-assets.cab
    O16 - DPF: Greenback Bayou by pogo - http://greenback.pogo.com/applet-6.0.4.31/greenback/greenback-ob-assets.cab
    O16 - DPF: Dice Derby by pogo - http://checkeredflag.pogo.com/applet-6.0.3.35/checkeredflag/checkeredflag-ob-assets.cab
    O16 - DPF: Pop Fu by pogo - http://popfu.pogo.com/applet-6.0.4.37/popfu/popfu-ob-assets.cab
    O16 - DPF: Phlinx by pogo - http://game4.pogo.com/applet-6.0.3.35/flinger/flinger-ob-assets.cab
    O16 - DPF: First Class Solitaire by pogo - http://game3.pogo.com/applet-6.0.4.37/solitaire2/solitaire2-ob-assets.cab
    O16 - DPF: Perfect Pair Solitaire by pogo - http://waterwheel.pogo.com/applet-6.0.4.31/waterwheel/waterwheel-ob-assets.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/2,0,0,4382/mcfscan.cab
    O16 - DPF: {93CEA8A4-6059-4E0B-ADDD-73848153DD5E} (CWebLaunchCtl Object) - http://gateway.cf1live.com/eSupport/static/weblaunch/weblaunch.cab
    O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://playweb10.pogo.com/game/deluxe/insaniquarium/popcaploader_v6.cab
    O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
    O16 - DPF: Hearts by pogo - http://hearts.pogo.com/applet-6.0.3.35/hearts/hearts-ob-assets.cab
    O16 - DPF: Jigsaw Detective by pogo - http://game3.pogo.com/applet-6.0.4.37/jigsaw/jigsaw-ob-assets.cab
    O16 - DPF: Aces Up! by pogo - http://game1.pogo.com/applet-6.1.1.29/aces/aces-ob-assets.cab
    O16 - DPF: Jungle Gin by pogo - http://gin.pogo.com/applet-6.0.4.37/gin/gin-ob-assets.cab
    O16 - DPF: WordJong by pogo - http://wordjong.pogo.com/applet-6.0.4.37/wordjong/wordjong-ob-assets.cab
    O16 - DPF: Armored Attack by pogo - http://game4.pogo.com/applet-6.0.3.35/cctank/cctank-ob-assets.cab
    O16 - DPF: Canasta by pogo - http://canasta.pogo.com/applet-6.0.4.31/canasta/canasta-ob-assets.cab
    O16 - DPF: Spider Solitaire by pogo - http://game4.pogo.com/applet-6.0.4.37/spider/spider-ob-assets.cab
    O16 - DPF: High Stakes Poker by pogo - http://game6.pogo.com/applet-6.0.4.37/drawpoker/drawpoker-ob-assets.cab
    O16 - DPF: High Stakes Pool by pogo - http://game4.pogo.com/applet-6.0.4.37/pool2/pool-ob-assets.cab
    O16 - DPF: Multiline Slots by pogo - http://game6.pogo.com/applet-6.1.1.29/mlslots/mlslots-ob-assets.cab
    O16 - DPF: Poppit TM by pogo - http://game5.pogo.com/applet-6.1.1.29/poppit/poppit-ob-assets.cab
    O16 - DPF: Pinochle by pogo - http://game4.pogo.com/applet-6.1.1.29/pinochle/pinochle-ob-assets.cab
    O16 - DPF: {9059F30F-4EB1-4BD2-9FDC-36F43A218F4A} (Microsoft RDP Client Control (redist)) - http://www.taxsimple.com/TSWeb/msrdp.cab
     
  10. ~Candy~

    ~Candy~ Retired Administrator

    Joined:
    Jan 27, 2001
    Messages:
    103,706
    O4 - HKLM\..\Run: [2yicoqvv] C:\WINDOWS\TEMP\2YICOQVV.EXE
    O4 - HKLM\..\Run: [[email protected]] C:\WINDOWS\SYSTEM\Kioh5p4.exe
    O4 - HKLM\..\Run: [SPWL32M] C:\WINDOWS\SYSTEM\SPWL32M.exe
    O4 - HKLM\..\Run: [Prein] C:\WINDOWS\TEMP\APPE1E2.TMP
    O4 - HKCU\..\Run: [Cida] C:\WINDOWS\Application Data\teda.exe ?????
    O4 - HKCU\..\Run: [b1pmRWemg] UPDDMAIL.EXE ????

    There are those too, but please sit tight, I don't read the logs well, but in addition to fixing these things, you need to track them down and zap them from the computer too.

    Where o where is Cookiegal? :D

    mjack? Are you still here?
     
  11. cybertech

    cybertech Retired Moderator

    Joined:
    Apr 16, 2002
    Messages:
    72,115
    Go here http://www.thespykiller.co.uk/ and click on Downloads to get the peper trojan uninstaller.

    Just click on the uninst.exe and let it run. When it is finished it will just close. There will be no dialogue. Also you must be connected to the internet for the uninstaller to be effective.

    Restart your computer and post a new HJT log.
     
  12. mjack547

    mjack547 Malware Specialist

    Joined:
    Sep 1, 2003
    Messages:
    3,181
    Well I'm not cookiegal :D but lets see what we can do
    QUOTE=mjack547]Please do this before you post the log from the new HJT:

    Click http://downloads.subratam.org/PeperFix.exe

    to downloadthe PeperFix.exe tool to get rid of the peper trojan:

    Click on the PeperFix.exe to launch it.

    Click the Find and Fix button.

    It will scan the %systemroot% folder and locate all the peper files. You will be prompted to restart your computer. Restart and it will delete the peper files.[/QUOTE]



    Run hijackthis and fix the following items. Be sure all windows are closed except for hijackthis.



    O2 - BHO: IEPlugin Class - {CF7C3CF0-4B15-11D1-ABED-709549C10000} - (no file)

    O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~2\TOOLS\IESDSG.DLL (file missing)

    O4 - HKLM\..\Run: [2yicoqvv] C:\WINDOWS\TEMP\2YICOQVV.EXE

    O4 - HKLM\..\Run: [[email protected]] C:\WINDOWS\SYSTEM\Kioh5p4.exe

    O4 - HKLM\..\Run: [SPWL32M] C:\WINDOWS\SYSTEM\SPWL32M.exe

    O4 - HKLM\..\Run: [Prein] C:\WINDOWS\TEMP\APPE1E2.TMP


    O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe

    O4 - HKCU\..\Run: [Cida] C:\WINDOWS\Application Data\teda.exe

    O4 - HKCU\..\Run: [b1pmRWemg] UPDDMAIL.EXE


    Reboot in safe mode


    Because XP will not always show you hidden files and folders by default, Go to Start > Search and under "More advanced search options".
    Make sure there is a check by "Search System Folders" and "Search hidden files and folders" and "Search system subfolders"

    Next click on My Computer. Go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and "Hide extensions for known file types" . Now click "Apply to all folders"
    Click "Apply" then "OK"


    Now is safe mode delete this if they are still there.

    C:\WINDOWS\TEMP\2YICOQVV.EXE
    C:\WINDOWS\SYSTEM\Kioh5p4.exe

    C:\WINDOWS\SYSTEM\SPWL32M.exe

    C:\WINDOWS\TEMP\APPE1E2.TMP

    C:\Program Files\BroadJump\Client Foundation\CFD.exe
    C:\WINDOWS\Application Data\teda.exe


    Delete your temporary files:


    In safe mode navigate to the C:\Windows\Temp folder. Open the Temp folder and go to Edit > Select All then Edit > Delete to delete the entire contents of the Temp folder.

    Go to Start > Run and type %temp% in the Run box. The Temp folder will open. Click Edit > Select All then Edit > Delete to delete the entire contents of the Temp folder.

    Finally go to Control Panel > Internet Options. On the General tab under "Temporary Internet Files" Click "Delete Files". Put a check by "Delete Offline Content" and click OK. Click on the Programs tab then click the "Reset Web Settings" button. Click Apply then OK.

    Empty the recycle bin.

    Reboot and post a new hijackthis log
     
  13. cantes903

    cantes903 Thread Starter

    Joined:
    Jul 3, 2003
    Messages:
    25
    Ok, I have done everything you all have said. There were some problems or differences... listed here:
    * I ran PeperFix.exe yesterday like I was advised and got the notation, "No Peper Files were Detected." I ran it again today and got the same note.
    * in my Search I did not have a option of "More Advanced Options". There was no where on my search screen for choosing the options such as "Search System Folders" or "Search hidden files and folders".
    * Under My Computer I checked the options to hide extentions but there was no option for "Hide protected operating system files".
    * I could not locate any of the files you listed in C:\WINDOWS\TEMP\, C:\WINDOWS\System, C:\Program Files\BroadJump, or C:\WINDOWS\Application Data\.
    * I deleted the temp files directly from the folder but when I then ran the %temp% there were no files to delete. All the rest went fine.

    Here is my updated HJ this log:

    Logfile of HijackThis v1.99.0
    Scan saved at 1:25:26 PM, on 2/3/05
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
    C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCSETMGR.EXE
    C:\PROGRAM FILES\SYMANTEC ANTIVIRUS\DEFWATCH.EXE
    C:\PROGRAM FILES\SYMANTEC ANTIVIRUS\RTVSCN95.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
    C:\PROGRAM FILES\LEXMARK X74-X75\LXBBBMGR.EXE
    C:\PROGRAM FILES\LEXMARK X74-X75\LXBBBMON.EXE
    C:\PROGRAM FILES\DIGITAL IMAGE\MONITOR.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\PROGRAM FILES\LOGITECH\WINGMAN SOFTWARE\LWEMON.EXE
    C:\WINDOWS\DESKTOP\HIJACK\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ycomp_adbe/defaults/sb/*http://www.yahoo.com/search/ie.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus.../*http://www.yahoo.com/ext/search/search.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/customize/ie/defaults/stp/ymsgr6/*http://www.yahoo.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr6/*http://www.yahoo.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by BellSouth
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.r21.mchsi.com
    O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN0\YCOMP5_5_7_0.DLL
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN0\YCOMP5_5_7_0.DLL
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [LexStart] lexstart.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [Lexmark X74-X75] "C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe"
    O4 - HKLM\..\RunServices: [ccEvtMgr] "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
    O4 - HKLM\..\RunServices: [ccSetMgr] "C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe"
    O4 - HKLM\..\RunServices: [defwatch] C:\PROGRA~1\SYMANT~1\DEFWATCH.EXE
    O4 - HKLM\..\RunServices: [rtvscn95] C:\PROGRA~1\SYMANT~1\RTVSCN95.EXE
    O4 - HKCU\..\Run: [Start WingMan Profiler] "c:\Program Files\Logitech\WingMan Software\lwtest.exe" /detect /quiet /launch "c:\Program Files\Logitech\WingMan Software\lwemon.exe /noui"
    O4 - Startup: Digital Image Monitor.lnk = C:\Program Files\Digital Image\Monitor.exe
    O4 - Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O8 - Extra context menu item: -
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://c:\PROGRA~1\MICROS~3\OFFICE10\EXCEL.EXE/3000
    O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
    O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
    O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES0521.DLL
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES0521.DLL
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
    O9 - Extra button: (no name) - {9819CC0E-9669-4D01-9CD7-2C66DA43AC6C} - (no file)
    O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
    O16 - DPF: Tri-Peaks by pogo - http://game4.pogo.com/applet-6.0.4.37/peaks/peaks-ob-assets.cab
    O16 - DPF: Mah Jong Garden by pogo - http://game4.pogo.com/applet-6.0.3.35/mahjong/mahjong-ob-assets.cab
    O16 - DPF: Euchre by pogo - http://euchre.pogo.com/applet-6.0.3.35/euchre/euchre-ob-assets.cab
    O16 - DPF: Texas Hold'em Poker by pogo - http://game4.pogo.com/applet-6.0.4.31/holdem/holdem-ob-assets.cab
    O16 - DPF: Greenback Bayou by pogo - http://greenback.pogo.com/applet-6.0.4.31/greenback/greenback-ob-assets.cab
    O16 - DPF: Dice Derby by pogo - http://checkeredflag.pogo.com/applet-6.0.3.35/checkeredflag/checkeredflag-ob-assets.cab
    O16 - DPF: Pop Fu by pogo - http://popfu.pogo.com/applet-6.0.4.37/popfu/popfu-ob-assets.cab
    O16 - DPF: Phlinx by pogo - http://game4.pogo.com/applet-6.0.3.35/flinger/flinger-ob-assets.cab
    O16 - DPF: First Class Solitaire by pogo - http://game3.pogo.com/applet-6.0.4.37/solitaire2/solitaire2-ob-assets.cab
    O16 - DPF: Perfect Pair Solitaire by pogo - http://waterwheel.pogo.com/applet-6.0.4.31/waterwheel/waterwheel-ob-assets.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/2,0,0,4382/mcfscan.cab
    O16 - DPF: {93CEA8A4-6059-4E0B-ADDD-73848153DD5E} (CWebLaunchCtl Object) - http://gateway.cf1live.com/eSupport/static/weblaunch/weblaunch.cab
    O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://playweb10.pogo.com/game/deluxe/insaniquarium/popcaploader_v6.cab
    O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
    O16 - DPF: Hearts by pogo - http://hearts.pogo.com/applet-6.0.3.35/hearts/hearts-ob-assets.cab
    O16 - DPF: Jigsaw Detective by pogo - http://game3.pogo.com/applet-6.0.4.37/jigsaw/jigsaw-ob-assets.cab
    O16 - DPF: Aces Up! by pogo - http://game1.pogo.com/applet-6.1.1.29/aces/aces-ob-assets.cab
    O16 - DPF: Jungle Gin by pogo - http://gin.pogo.com/applet-6.0.4.37/gin/gin-ob-assets.cab
    O16 - DPF: WordJong by pogo - http://wordjong.pogo.com/applet-6.0.4.37/wordjong/wordjong-ob-assets.cab
    O16 - DPF: Armored Attack by pogo - http://game4.pogo.com/applet-6.0.3.35/cctank/cctank-ob-assets.cab
    O16 - DPF: Canasta by pogo - http://canasta.pogo.com/applet-6.0.4.31/canasta/canasta-ob-assets.cab
    O16 - DPF: Spider Solitaire by pogo - http://game4.pogo.com/applet-6.0.4.37/spider/spider-ob-assets.cab
    O16 - DPF: High Stakes Poker by pogo - http://game6.pogo.com/applet-6.0.4.37/drawpoker/drawpoker-ob-assets.cab
    O16 - DPF: High Stakes Pool by pogo - http://game4.pogo.com/applet-6.0.4.37/pool2/pool-ob-assets.cab
    O16 - DPF: Multiline Slots by pogo - http://game6.pogo.com/applet-6.1.1.29/mlslots/mlslots-ob-assets.cab
    O16 - DPF: Poppit TM by pogo - http://game5.pogo.com/applet-6.1.1.29/poppit/poppit-ob-assets.cab
    O16 - DPF: Pinochle by pogo - http://game4.pogo.com/applet-6.1.1.29/pinochle/pinochle-ob-assets.cab
    O16 - DPF: {9059F30F-4EB1-4BD2-9FDC-36F43A218F4A} (Microsoft RDP Client Control (redist)) - http://www.taxsimple.com/TSWeb/msrdp.cab
     
  14. cybertech

    cybertech Retired Moderator

    Joined:
    Apr 16, 2002
    Messages:
    72,115
    Looks good now. Are you having any problems?
     
  15. cantes903

    cantes903 Thread Starter

    Joined:
    Jul 3, 2003
    Messages:
    25
    It seems to be a little better. It still gets hung up at times. Thankfully I'm getting a new computer in a couple of weeks! I want to get this one cleaned up for my son to use though (of course he's only 4 so he won't use it for much more than games.) If anyone has any suggestions on which computer to buy please let me know. I want desktop, cd and dvd burner, flat screen with plenty of memory or hard drive. Thanks again!
     
  16. Sponsor

As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 733,556 other people just like you!

Loading...
Thread Status:
Not open for further replies.

Short URL to this thread: https://techguy.org/326114

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice