
PROBLEMS HJT log file inside

Discussion in 'Virus & Other Malware Removal' started by jewelinda, Apr 1, 2004.

  1. jewelinda

    jewelinda Thread Starter

    Joined:
    Apr 1, 2004
    Messages:
    77
    Major things happening the last few days:
    1) An insufferable amount of pop-ups (IE powered by Comcast).
    2) Over 100 shortcut messages (EXAMPLE: MORZE5.lnk refers to a location that is unavailable) at boot-up that have to be clicked through. I do see these on the HJT log and know you will know how to help.
    3) Computer crashes, blue screen, white screen, you name it, several times a day.
    What I did BEFORE I ran this log: I updated Ad-aware 6 and ran it, deleted all it found, then ran Spybot and that was all clear.
    Here is the HJT log:
    Logfile of HijackThis v1.97.7
    Scan saved at 10:49:36 AM, on 4/1/2004
    Platform: Windows ME (Win9x 4.90.3000)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\PROGRAM FILES\TREND PC-CILLIN 2000\PCCIOMON.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\PROGRAM FILES\COMMON FILES\AOL\ACS\ACSD.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\PROGRAM FILES\TREND PC-CILLIN 2000\POP3TRAP.EXE
    C:\WINDOWS\SYSTEM\HPZTSB01.EXE
    C:\PROGRAM FILES\MICROSOFT HARDWARE\KEYBOARD\TYPE32.EXE
    C:\PROGRAM FILES\MYWEBSEARCH\BAR\1.BIN\MWSOEMON.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\WINDOWS\RunDLL.exe
    C:\PROGRAM FILES\SIBER SYSTEMS\AI ROBOFORM\ROBOTASKBARICON.EXE
    C:\WINDOWS\WBLCG0L5.EXE
    C:\PROGRAM FILES\KODAK\KODAK EASYSHARE SOFTWARE\BIN\EASYSHARE.EXE
    C:\PROGRAM FILES\PALM\HOTSYNC.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\PROGRAM FILES\MEMTURBO\MEMTURBO.EXE
    C:\PROGRAM FILES\SPYWAREGUARD\SGMAIN.EXE
    C:\PROGRAM FILES\SPYWAREGUARD\SGBHP.EXE
    C:\WINDOWS\SYSTEM\TAPISRV.EXE
    C:\WINDOWS\SYSTEM\STIMON.EXE
    C:\WINDOWS\SYSTEM\RNAAPP.EXE
    C:\WINDOWS\DESKTOP\HIJACKTHIS\HIJACKTHIS.EXE
    C:\WINDOWS\DESKTOP\HIJACKTHIS\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast High-Speed Internet
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
    R3 - Default URLSearchHook is missing
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - (no file)
    O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
    O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\PROGRAM FILES\SPYWAREGUARD\DLPROTECT.DLL
    O2 - BHO: (no name) - {B549456D-F5D0-4641-BCED-8648A0C13D83} - C:\WINDOWS\BrowserHelper.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
    O3 - Toolbar: PowerSearch - {4E7BD74F-2B8D-469E-A0E4-EA6FA787AD2D} - C:\PROGRA~1\POWERS~1\TOOLBAR\PWRSCUZ2.DLL
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [PCCIOMON.EXE] "C:\Program Files\Trend PC-cillin 2000\PCCIOMON.EXE"
    O4 - HKLM\..\Run: [pop3trap.exe] "C:\Program Files\Trend PC-cillin 2000\pop3trap.exe"
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\SYSTEM\hpztsb01.exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
    O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\BAR\1.BIN\MWSOEMON.EXE
    O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
    O4 - HKLM\..\Run: [ctst] C:\WINDOWS\ctst.exe
    O4 - HKLM\..\Run: [WBLCG0L5.EXE] C:\WINDOWS\WBLCG0L5.EXE /dk
    O4 - HKLM\..\RunServices: [PCCIOMON.EXE] "C:\Program Files\Trend PC-cillin 2000\PCCIOMON.EXE"
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
    O4 - HKLM\..\RunServices: [AolAcsDaemon1] "C:\PROGRAM FILES\COMMON FILES\AOL\ACS\ACSD.EXE"
    O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
    O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
    O4 - HKCU\..\Run: [WBLCG0L5.EXE] C:\WINDOWS\WBLCG0L5.EXE /dk
    O4 - Startup: MORZE5.lnk = C:\WINDOWS\morze5.exe
    O4 - Startup: YTEJ0D4O.lnk = C:\WINDOWS\ytej0d4o.exe
    O4 - Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
    O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\hotsync.exe
    O4 - Startup: A56LPGI0.lnk = C:\WINDOWS\a56lpgi0.exe
    O4 - Startup: 89KZ6A6H.lnk = C:\WINDOWS\89kz6a6h.exe
    O4 - Startup: RX22PUNR.lnk = C:\WINDOWS\rx22punr.exe
    O4 - Startup: OKIW1Q96.lnk = C:\WINDOWS\okiw1q96.exe
    O4 - Startup: 69EDPU44.lnk = C:\WINDOWS\69edpu44.exe
    O4 - Startup: NQ94817E.lnk = C:\WINDOWS\nq94817e.exe
    O4 - Startup: U8BVU0ZI.lnk = C:\WINDOWS\u8bvu0zi.exe
    O4 - Startup: 50R350W2.lnk = C:\WINDOWS\50r350w2.exe
    O4 - Startup: O6L6A5KK.lnk = C:\WINDOWS\o6l6a5kk.exe
    O4 - Startup: ZM40H23N.lnk = C:\WINDOWS\zm40h23n.exe
    O4 - Startup: UV1WQL95.lnk = C:\WINDOWS\uv1wql95.exe
    O4 - Startup: ZDWZBB0P.lnk = C:\WINDOWS\zdwzbb0p.exe
    O4 - Startup: VU5F2DG8.lnk = C:\WINDOWS\vu5f2dg8.exe
    O4 - Startup: KJ053GFM.lnk = C:\WINDOWS\kj053gfm.exe
    O4 - Startup: M7R61LDR.lnk = C:\WINDOWS\m7r61ldr.exe
    O4 - Startup: 00FWKFRZ.lnk = C:\WINDOWS\00fwkfrz.exe
    O4 - Startup: O66BP1WP.lnk = C:\WINDOWS\o66bp1wp.exe
    O4 - Startup: 67TJEBUM.lnk = C:\WINDOWS\67tjebum.exe
    O4 - Startup: MXFV6LF1.lnk = C:\WINDOWS\mxfv6lf1.exe
    O4 - Startup: NXI65K20.lnk = C:\WINDOWS\nxi65k20.exe
    O4 - Startup: L07881TL.lnk = C:\WINDOWS\l07881tl.exe
    O4 - Startup: 00UD5LUN.lnk = C:\WINDOWS\00ud5lun.exe
    O4 - Startup: EPBFN492.lnk = C:\WINDOWS\epbfn492.exe
    O4 - Startup: 24811TTQ.lnk = C:\WINDOWS\24811ttq.exe
    O4 - Startup: VONB17ZH.lnk = C:\WINDOWS\vonb17zh.exe
    O4 - Startup: BHYQC0QJ.lnk = C:\WINDOWS\bhyqc0qj.exe
    O4 - Startup: L5WU0HDQ.lnk = C:\WINDOWS\l5wu0hdq.exe
    O4 - Startup: CL59OOWD.lnk = C:\WINDOWS\cl59oowd.exe
    O4 - Startup: YYE44QWZ.lnk = C:\WINDOWS\yye44qwz.exe
    O4 - Startup: 4L3T26H7.lnk = C:\WINDOWS\4l3t26h7.exe
    O4 - Startup: MemTurbo.lnk = C:\Program Files\MemTurbo\MemTurbo.exe
    O4 - Startup: ON2YB1AJ.lnk = C:\WINDOWS\on2yb1aj.exe
    O4 - Startup: DHOBPG09.lnk = C:\WINDOWS\dhobpg09.exe
    O4 - Startup: MWIWCGTQ.lnk = C:\WINDOWS\mwiwcgtq.exe
    O4 - Startup: POZCOHE0.lnk = C:\WINDOWS\pozcohe0.exe
    O4 - Startup: 8EP74B0A.lnk = C:\WINDOWS\8ep74b0a.exe
    O4 - Startup: GDZLOVIJ.lnk = C:\WINDOWS\gdzlovij.exe
    O4 - Startup: EO5NN8YO.lnk = C:\WINDOWS\eo5nn8yo.exe
    O4 - Startup: 8E1V0ERW.lnk = C:\WINDOWS\8e1v0erw.exe
    O4 - Startup: B0Z3JNCY.lnk = C:\WINDOWS\b0z3jncy.exe
    O4 - Startup: B773K0CX.lnk = C:\WINDOWS\b773k0cx.exe
    O4 - Startup: 0X37CUXI.lnk = C:\WINDOWS\0x37cuxi.exe
    O4 - Startup: W2U3DKP6.lnk = C:\WINDOWS\w2u3dkp6.exe
    O4 - Startup: TF0T7Q8R.lnk = C:\WINDOWS\tf0t7q8r.exe
    O4 - Startup: 2AM2UER1.lnk = C:\WINDOWS\2am2uer1.exe
    O4 - Startup: 4Z4ULQLY.lnk = C:\WINDOWS\4z4ulqly.exe
    O4 - Startup: VFQH1P96.lnk = C:\WINDOWS\vfqh1p96.exe
    O4 - Startup: 0QKT2D8R.lnk = C:\WINDOWS\0qkt2d8r.exe
    O4 - Startup: 932E0HMU.lnk = C:\WINDOWS\932e0hmu.exe
    O4 - Startup: Q5R3H8WA.lnk = C:\WINDOWS\q5r3h8wa.exe
    O4 - Startup: 006CMV5B.lnk = C:\WINDOWS\006cmv5b.exe
    O4 - Startup: CQ40J681.lnk = C:\WINDOWS\cq40j681.exe
    O4 - Startup: ODAN0Z6P.lnk = C:\WINDOWS\odan0z6p.exe
    O4 - Startup: VRYHE9O4.lnk = C:\WINDOWS\vryhe9o4.exe
    O4 - Startup: Z55FQNM0.lnk = C:\WINDOWS\z55fqnm0.exe
    O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
    O4 - Startup: 1YTEONDA.lnk = C:\WINDOWS\1yteonda.exe
    O4 - Startup: LHHVJ9ZQ.lnk = C:\WINDOWS\lhhvj9zq.exe
    O4 - Startup: 4WERVRG9.lnk = C:\WINDOWS\4wervrg9.exe
    O4 - Startup: 952CWW1T.lnk = C:\WINDOWS\952cww1t.exe
    O4 - Startup: CTEGR1K3.lnk = C:\WINDOWS\ctegr1k3.exe
    O4 - Startup: UTL36T0R.lnk = C:\WINDOWS\utl36t0r.exe
    O4 - Startup: CLRO9KQ1.lnk = C:\WINDOWS\clro9kq1.exe
    O4 - Startup: X9RQI8PZ.lnk = C:\WINDOWS\x9rqi8pz.exe
    O4 - Startup: WBLCG0L5.lnk = C:\WINDOWS\wblcg0l5.exe
    O4 - Global Startup: MORZE5.lnk = C:\WINDOWS\morze5.exe
    O4 - Global Startup: YTEJ0D4O.lnk = C:\WINDOWS\ytej0d4o.exe
    O4 - Global Startup: A56LPGI0.lnk = C:\WINDOWS\a56lpgi0.exe
    O4 - Global Startup: 89KZ6A6H.lnk = C:\WINDOWS\89kz6a6h.exe
    O4 - Global Startup: RX22PUNR.lnk = C:\WINDOWS\rx22punr.exe
    O4 - Global Startup: OKIW1Q96.lnk = C:\WINDOWS\okiw1q96.exe
    O4 - Global Startup: 69EDPU44.lnk = C:\WINDOWS\69edpu44.exe
    O4 - Global Startup: NQ94817E.lnk = C:\WINDOWS\nq94817e.exe
    O4 - Global Startup: U8BVU0ZI.lnk = C:\WINDOWS\u8bvu0zi.exe
    O4 - Global Startup: 50R350W2.lnk = C:\WINDOWS\50r350w2.exe
    O4 - Global Startup: O6L6A5KK.lnk = C:\WINDOWS\o6l6a5kk.exe
    O4 - Global Startup: ZM40H23N.lnk = C:\WINDOWS\zm40h23n.exe
    O4 - Global Startup: UV1WQL95.lnk = C:\WINDOWS\uv1wql95.exe
    O4 - Global Startup: ZDWZBB0P.lnk = C:\WINDOWS\zdwzbb0p.exe
    O4 - Global Startup: VU5F2DG8.lnk = C:\WINDOWS\vu5f2dg8.exe
    O4 - Global Startup: KJ053GFM.lnk = C:\WINDOWS\kj053gfm.exe
    O4 - Global Startup: M7R61LDR.lnk = C:\WINDOWS\m7r61ldr.exe
    O4 - Global Startup: 00FWKFRZ.lnk = C:\WINDOWS\00fwkfrz.exe
    O4 - Global Startup: O66BP1WP.lnk = C:\WINDOWS\o66bp1wp.exe
    O4 - Global Startup: 67TJEBUM.lnk = C:\WINDOWS\67tjebum.exe
    O4 - Global Startup: MXFV6LF1.lnk = C:\WINDOWS\mxfv6lf1.exe
    O4 - Global Startup: NXI65K20.lnk = C:\WINDOWS\nxi65k20.exe
    O4 - Global Startup: L07881TL.lnk = C:\WINDOWS\l07881tl.exe
    O4 - Global Startup: 00UD5LUN.lnk = C:\WINDOWS\00ud5lun.exe
    O4 - Global Startup: EPBFN492.lnk = C:\WINDOWS\epbfn492.exe
    O4 - Global Startup: 24811TTQ.lnk = C:\WINDOWS\24811ttq.exe
    O4 - Global Startup: VONB17ZH.lnk = C:\WINDOWS\vonb17zh.exe
    O4 - Global Startup: BHYQC0QJ.lnk = C:\WINDOWS\bhyqc0qj.exe
    O4 - Global Startup: L5WU0HDQ.lnk = C:\WINDOWS\l5wu0hdq.exe
    O4 - Global Startup: CL59OOWD.lnk = C:\WINDOWS\cl59oowd.exe
    O4 - Global Startup: YYE44QWZ.lnk = C:\WINDOWS\yye44qwz.exe
    O4 - Global Startup: 4L3T26H7.lnk = C:\WINDOWS\4l3t26h7.exe
    O4 - Global Startup: ON2YB1AJ.lnk = C:\WINDOWS\on2yb1aj.exe
    O4 - Global Startup: DHOBPG09.lnk = C:\WINDOWS\dhobpg09.exe
    O4 - Global Startup: MWIWCGTQ.lnk = C:\WINDOWS\mwiwcgtq.exe
    O4 - Global Startup: POZCOHE0.lnk = C:\WINDOWS\pozcohe0.exe
    O4 - Global Startup: 8EP74B0A.lnk = C:\WINDOWS\8ep74b0a.exe
    O4 - Global Startup: EO5NN8YO.lnk = C:\WINDOWS\eo5nn8yo.exe
    O4 - Global Startup: GDZLOVIJ.lnk = C:\WINDOWS\gdzlovij.exe
    O4 - Global Startup: 8E1V0ERW.lnk = C:\WINDOWS\8e1v0erw.exe
    O4 - Global Startup: B0Z3JNCY.lnk = C:\WINDOWS\b0z3jncy.exe
    O4 - Global Startup: B773K0CX.lnk = C:\WINDOWS\b773k0cx.exe
    O4 - Global Startup: 0X37CUXI.lnk = C:\WINDOWS\0x37cuxi.exe
    O4 - Global Startup: W2U3DKP6.lnk = C:\WINDOWS\w2u3dkp6.exe
    O4 - Global Startup: TF0T7Q8R.lnk = C:\WINDOWS\tf0t7q8r.exe
    O4 - Global Startup: 2AM2UER1.lnk = C:\WINDOWS\2am2uer1.exe
    O4 - Global Startup: 4Z4ULQLY.lnk = C:\WINDOWS\4z4ulqly.exe
    O4 - Global Startup: VFQH1P96.lnk = C:\WINDOWS\vfqh1p96.exe
    O4 - Global Startup: 0QKT2D8R.lnk = C:\WINDOWS\0qkt2d8r.exe
    O4 - Global Startup: 932E0HMU.lnk = C:\WINDOWS\932e0hmu.exe
    O4 - Global Startup: Q5R3H8WA.lnk = C:\WINDOWS\q5r3h8wa.exe
    O4 - Global Startup: 006CMV5B.lnk = C:\WINDOWS\006cmv5b.exe
    O4 - Global Startup: CQ40J681.lnk = C:\WINDOWS\cq40j681.exe
    O4 - Global Startup: ODAN0Z6P.lnk = C:\WINDOWS\odan0z6p.exe
    O4 - Global Startup: VRYHE9O4.lnk = C:\WINDOWS\vryhe9o4.exe
    O4 - Global Startup: Z55FQNM0.lnk = C:\WINDOWS\z55fqnm0.exe
    O4 - Global Startup: 1YTEONDA.lnk = C:\WINDOWS\1yteonda.exe
    O4 - Global Startup: LHHVJ9ZQ.lnk = C:\WINDOWS\lhhvj9zq.exe
    O4 - Global Startup: 4WERVRG9.lnk = C:\WINDOWS\4wervrg9.exe
    O4 - Global Startup: 952CWW1T.lnk = C:\WINDOWS\952cww1t.exe
    O4 - Global Startup: CTEGR1K3.lnk = C:\WINDOWS\ctegr1k3.exe
    O4 - Global Startup: UTL36T0R.lnk = C:\WINDOWS\utl36t0r.exe
    O4 - Global Startup: CLRO9KQ1.lnk = C:\WINDOWS\clro9kq1.exe
    O4 - Global Startup: X9RQI8PZ.lnk = C:\WINDOWS\x9rqi8pz.exe
    O4 - Global Startup: WBLCG0L5.lnk = C:\WINDOWS\wblcg0l5.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: Fill Forms &] - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
    O8 - Extra context menu item: Save Forms &[ - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
    O8 - Extra context menu item: Customize Menu &4 - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
    O9 - Extra button: Real.com (HKLM)
    O9 - Extra button: AIM (HKLM)
    O9 - Extra button: ICQ Lite (HKLM)
    O9 - Extra 'Tools' menuitem: ICQ Lite (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
    O9 - Extra button: RoboForm (HKLM)
    O9 - Extra 'Tools' menuitem: RF Toolbar &2 (HKLM)
    O9 - Extra button: Fill Forms (HKLM)
    O9 - Extra 'Tools' menuitem: Fill Forms &] (HKLM)
    O9 - Extra button: Save (HKLM)
    O9 - Extra 'Tools' menuitem: Save Forms &[ (HKLM)
    O12 - Plugin for .mts: C:\Program Files\MetaCreations\MetaStream\npmetastream.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.comcast.net
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37981.6512152778
    O16 - DPF: {17D72920-7A15-11D4-921E-0080C8DA7A5E} (AimSp32 Class) - http://66.48.68.135/save/makeover.cab
    O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-32.cab
    O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://imgfarm.com/images/nocache/funwebproducts/SmileyCentralInitialSetup1.0.0.6.cab
    O16 - DPF: {072D3F2E-5FB6-11D3-B461-00C04FA35A21} (CFForm Runtime) - http://www.joycevedral.com/CFIDE/classes/CFJava.cab
    O16 - DPF: {FF65677A-8977-48CA-916A-DFF81B037DF3} (WMService Class) - http://download.overpro.com/WildApp.cab
    O16 - DPF: {E04EAE82-14AD-41CB-BF5A-45556ABB8347} (WebCoachDownload Class) - http://esupport.aol.com/help/engine/aolcinst.cab
     
  2. $teve

    $teve

    Joined:
    Oct 9, 2001
    Messages:
    9,396
    Run HijackThis again and put a checkmark against these entries. Double-check in case you miss anything.
    Then close all browser and Outlook windows and "Fix checked":

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast High-Speed Internet
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
    R3 - Default URLSearchHook is missing
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - (no file)
    O2 - BHO: (no name) - {B549456D-F5D0-4641-BCED-8648A0C13D83} - C:\WINDOWS\BrowserHelper.dll
    O3 - Toolbar: PowerSearch - {4E7BD74F-2B8D-469E-A0E4-EA6FA787AD2D} - C:\PROGRA~1\POWERS~1\TOOLBAR\PWRSCUZ2.DLL
    O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\BAR\1.BIN\MWSOEMON.EXE

    Re-boot and delete:
    C:\PROGRAM FILES\MYWEBSEARCH [FOLDER]

    Now Ctrl-Alt-Delete and end task on: WBLCG0L5.EXE
    [end its process as many times as it takes till it's gone]

    Re-run HijackThis and "fix" all these entries:

    O4 - HKLM\..\Run: [WBLCG0L5.EXE] C:\WINDOWS\WBLCG0L5.EXE /dk
    O4 - HKCU\..\Run: [WBLCG0L5.EXE] C:\WINDOWS\WBLCG0L5.EXE /dk
    O4 - Startup: MORZE5.lnk = C:\WINDOWS\morze5.exe
    O4 - Startup: YTEJ0D4O.lnk = C:\WINDOWS\ytej0d4o.exe
    O4 - Startup: A56LPGI0.lnk = C:\WINDOWS\a56lpgi0.exe
    O4 - Startup: 89KZ6A6H.lnk = C:\WINDOWS\89kz6a6h.exe
    O4 - Startup: RX22PUNR.lnk = C:\WINDOWS\rx22punr.exe
    O4 - Startup: OKIW1Q96.lnk = C:\WINDOWS\okiw1q96.exe
    O4 - Startup: 69EDPU44.lnk = C:\WINDOWS\69edpu44.exe
    O4 - Startup: NQ94817E.lnk = C:\WINDOWS\nq94817e.exe
    O4 - Startup: U8BVU0ZI.lnk = C:\WINDOWS\u8bvu0zi.exe
    O4 - Startup: 50R350W2.lnk = C:\WINDOWS\50r350w2.exe
    O4 - Startup: O6L6A5KK.lnk = C:\WINDOWS\o6l6a5kk.exe
    O4 - Startup: ZM40H23N.lnk = C:\WINDOWS\zm40h23n.exe
    O4 - Startup: UV1WQL95.lnk = C:\WINDOWS\uv1wql95.exe
    O4 - Startup: ZDWZBB0P.lnk = C:\WINDOWS\zdwzbb0p.exe
    O4 - Startup: VU5F2DG8.lnk = C:\WINDOWS\vu5f2dg8.exe
    O4 - Startup: KJ053GFM.lnk = C:\WINDOWS\kj053gfm.exe
    O4 - Startup: M7R61LDR.lnk = C:\WINDOWS\m7r61ldr.exe
    O4 - Startup: 00FWKFRZ.lnk = C:\WINDOWS\00fwkfrz.exe
    O4 - Startup: O66BP1WP.lnk = C:\WINDOWS\o66bp1wp.exe
    O4 - Startup: 67TJEBUM.lnk = C:\WINDOWS\67tjebum.exe
    O4 - Startup: MXFV6LF1.lnk = C:\WINDOWS\mxfv6lf1.exe
    O4 - Startup: NXI65K20.lnk = C:\WINDOWS\nxi65k20.exe
    O4 - Startup: L07881TL.lnk = C:\WINDOWS\l07881tl.exe
    O4 - Startup: 00UD5LUN.lnk = C:\WINDOWS\00ud5lun.exe
    O4 - Startup: EPBFN492.lnk = C:\WINDOWS\epbfn492.exe
    O4 - Startup: 24811TTQ.lnk = C:\WINDOWS\24811ttq.exe
    O4 - Startup: VONB17ZH.lnk = C:\WINDOWS\vonb17zh.exe
    O4 - Startup: BHYQC0QJ.lnk = C:\WINDOWS\bhyqc0qj.exe
    O4 - Startup: L5WU0HDQ.lnk = C:\WINDOWS\l5wu0hdq.exe
    O4 - Startup: CL59OOWD.lnk = C:\WINDOWS\cl59oowd.exe
    O4 - Startup: YYE44QWZ.lnk = C:\WINDOWS\yye44qwz.exe
    O4 - Startup: 4L3T26H7.lnk = C:\WINDOWS\4l3t26h7.exe
    O4 - Startup: ON2YB1AJ.lnk = C:\WINDOWS\on2yb1aj.exe
    O4 - Startup: DHOBPG09.lnk = C:\WINDOWS\dhobpg09.exe
    O4 - Startup: MWIWCGTQ.lnk = C:\WINDOWS\mwiwcgtq.exe
    O4 - Startup: POZCOHE0.lnk = C:\WINDOWS\pozcohe0.exe
    O4 - Startup: 8EP74B0A.lnk = C:\WINDOWS\8ep74b0a.exe
    O4 - Startup: GDZLOVIJ.lnk = C:\WINDOWS\gdzlovij.exe
    O4 - Startup: EO5NN8YO.lnk = C:\WINDOWS\eo5nn8yo.exe
    O4 - Startup: 8E1V0ERW.lnk = C:\WINDOWS\8e1v0erw.exe
    O4 - Startup: B0Z3JNCY.lnk = C:\WINDOWS\b0z3jncy.exe
    O4 - Startup: B773K0CX.lnk = C:\WINDOWS\b773k0cx.exe
    O4 - Startup: 0X37CUXI.lnk = C:\WINDOWS\0x37cuxi.exe
    O4 - Startup: W2U3DKP6.lnk = C:\WINDOWS\w2u3dkp6.exe
    O4 - Startup: TF0T7Q8R.lnk = C:\WINDOWS\tf0t7q8r.exe
    O4 - Startup: 2AM2UER1.lnk = C:\WINDOWS\2am2uer1.exe
    O4 - Startup: 4Z4ULQLY.lnk = C:\WINDOWS\4z4ulqly.exe
    O4 - Startup: VFQH1P96.lnk = C:\WINDOWS\vfqh1p96.exe
    O4 - Startup: 0QKT2D8R.lnk = C:\WINDOWS\0qkt2d8r.exe
    O4 - Startup: 932E0HMU.lnk = C:\WINDOWS\932e0hmu.exe
    O4 - Startup: Q5R3H8WA.lnk = C:\WINDOWS\q5r3h8wa.exe
    O4 - Startup: 006CMV5B.lnk = C:\WINDOWS\006cmv5b.exe
    O4 - Startup: CQ40J681.lnk = C:\WINDOWS\cq40j681.exe
    O4 - Startup: ODAN0Z6P.lnk = C:\WINDOWS\odan0z6p.exe
    O4 - Startup: VRYHE9O4.lnk = C:\WINDOWS\vryhe9o4.exe
    O4 - Startup: Z55FQNM0.lnk = C:\WINDOWS\z55fqnm0.exe
    O4 - Startup: 1YTEONDA.lnk = C:\WINDOWS\1yteonda.exe
    O4 - Startup: LHHVJ9ZQ.lnk = C:\WINDOWS\lhhvj9zq.exe
    O4 - Startup: 4WERVRG9.lnk = C:\WINDOWS\4wervrg9.exe
    O4 - Startup: 952CWW1T.lnk = C:\WINDOWS\952cww1t.exe
    O4 - Startup: CTEGR1K3.lnk = C:\WINDOWS\ctegr1k3.exe
    O4 - Startup: UTL36T0R.lnk = C:\WINDOWS\utl36t0r.exe
    O4 - Startup: CLRO9KQ1.lnk = C:\WINDOWS\clro9kq1.exe
    O4 - Startup: X9RQI8PZ.lnk = C:\WINDOWS\x9rqi8pz.exe
    O4 - Startup: WBLCG0L5.lnk = C:\WINDOWS\wblcg0l5.exe
    O4 - Global Startup: MORZE5.lnk = C:\WINDOWS\morze5.exe
    O4 - Global Startup: YTEJ0D4O.lnk = C:\WINDOWS\ytej0d4o.exe
    O4 - Global Startup: A56LPGI0.lnk = C:\WINDOWS\a56lpgi0.exe
    O4 - Global Startup: 89KZ6A6H.lnk = C:\WINDOWS\89kz6a6h.exe
    O4 - Global Startup: RX22PUNR.lnk = C:\WINDOWS\rx22punr.exe
    O4 - Global Startup: OKIW1Q96.lnk = C:\WINDOWS\okiw1q96.exe
    O4 - Global Startup: 69EDPU44.lnk = C:\WINDOWS\69edpu44.exe
    O4 - Global Startup: NQ94817E.lnk = C:\WINDOWS\nq94817e.exe
    O4 - Global Startup: U8BVU0ZI.lnk = C:\WINDOWS\u8bvu0zi.exe
    O4 - Global Startup: 50R350W2.lnk = C:\WINDOWS\50r350w2.exe
    O4 - Global Startup: O6L6A5KK.lnk = C:\WINDOWS\o6l6a5kk.exe
    O4 - Global Startup: ZM40H23N.lnk = C:\WINDOWS\zm40h23n.exe
    O4 - Global Startup: UV1WQL95.lnk = C:\WINDOWS\uv1wql95.exe
    O4 - Global Startup: ZDWZBB0P.lnk = C:\WINDOWS\zdwzbb0p.exe
    O4 - Global Startup: VU5F2DG8.lnk = C:\WINDOWS\vu5f2dg8.exe
    O4 - Global Startup: KJ053GFM.lnk = C:\WINDOWS\kj053gfm.exe
    O4 - Global Startup: M7R61LDR.lnk = C:\WINDOWS\m7r61ldr.exe
    O4 - Global Startup: 00FWKFRZ.lnk = C:\WINDOWS\00fwkfrz.exe
    O4 - Global Startup: O66BP1WP.lnk = C:\WINDOWS\o66bp1wp.exe
    O4 - Global Startup: 67TJEBUM.lnk = C:\WINDOWS\67tjebum.exe
    O4 - Global Startup: MXFV6LF1.lnk = C:\WINDOWS\mxfv6lf1.exe
    O4 - Global Startup: NXI65K20.lnk = C:\WINDOWS\nxi65k20.exe
    O4 - Global Startup: L07881TL.lnk = C:\WINDOWS\l07881tl.exe
    O4 - Global Startup: 00UD5LUN.lnk = C:\WINDOWS\00ud5lun.exe
    O4 - Global Startup: EPBFN492.lnk = C:\WINDOWS\epbfn492.exe
    O4 - Global Startup: 24811TTQ.lnk = C:\WINDOWS\24811ttq.exe
    O4 - Global Startup: VONB17ZH.lnk = C:\WINDOWS\vonb17zh.exe
    O4 - Global Startup: BHYQC0QJ.lnk = C:\WINDOWS\bhyqc0qj.exe
    O4 - Global Startup: L5WU0HDQ.lnk = C:\WINDOWS\l5wu0hdq.exe
    O4 - Global Startup: CL59OOWD.lnk = C:\WINDOWS\cl59oowd.exe
    O4 - Global Startup: YYE44QWZ.lnk = C:\WINDOWS\yye44qwz.exe
    O4 - Global Startup: 4L3T26H7.lnk = C:\WINDOWS\4l3t26h7.exe
    O4 - Global Startup: ON2YB1AJ.lnk = C:\WINDOWS\on2yb1aj.exe
    O4 - Global Startup: DHOBPG09.lnk = C:\WINDOWS\dhobpg09.exe
    O4 - Global Startup: MWIWCGTQ.lnk = C:\WINDOWS\mwiwcgtq.exe
    O4 - Global Startup: POZCOHE0.lnk = C:\WINDOWS\pozcohe0.exe
    O4 - Global Startup: 8EP74B0A.lnk = C:\WINDOWS\8ep74b0a.exe
    O4 - Global Startup: EO5NN8YO.lnk = C:\WINDOWS\eo5nn8yo.exe
    O4 - Global Startup: GDZLOVIJ.lnk = C:\WINDOWS\gdzlovij.exe
    O4 - Global Startup: 8E1V0ERW.lnk = C:\WINDOWS\8e1v0erw.exe
    O4 - Global Startup: B0Z3JNCY.lnk = C:\WINDOWS\b0z3jncy.exe
    O4 - Global Startup: B773K0CX.lnk = C:\WINDOWS\b773k0cx.exe
    O4 - Global Startup: 0X37CUXI.lnk = C:\WINDOWS\0x37cuxi.exe
    O4 - Global Startup: W2U3DKP6.lnk = C:\WINDOWS\w2u3dkp6.exe
    O4 - Global Startup: TF0T7Q8R.lnk = C:\WINDOWS\tf0t7q8r.exe
    O4 - Global Startup: 2AM2UER1.lnk = C:\WINDOWS\2am2uer1.exe
    O4 - Global Startup: 4Z4ULQLY.lnk = C:\WINDOWS\4z4ulqly.exe
    O4 - Global Startup: VFQH1P96.lnk = C:\WINDOWS\vfqh1p96.exe
    O4 - Global Startup: 0QKT2D8R.lnk = C:\WINDOWS\0qkt2d8r.exe
    O4 - Global Startup: 932E0HMU.lnk = C:\WINDOWS\932e0hmu.exe
    O4 - Global Startup: Q5R3H8WA.lnk = C:\WINDOWS\q5r3h8wa.exe
    O4 - Global Startup: 006CMV5B.lnk = C:\WINDOWS\006cmv5b.exe
    O4 - Global Startup: CQ40J681.lnk = C:\WINDOWS\cq40j681.exe
    O4 - Global Startup: ODAN0Z6P.lnk = C:\WINDOWS\odan0z6p.exe
    O4 - Global Startup: VRYHE9O4.lnk = C:\WINDOWS\vryhe9o4.exe
    O4 - Global Startup: Z55FQNM0.lnk = C:\WINDOWS\z55fqnm0.exe
    O4 - Global Startup: 1YTEONDA.lnk = C:\WINDOWS\1yteonda.exe
    O4 - Global Startup: LHHVJ9ZQ.lnk = C:\WINDOWS\lhhvj9zq.exe
    O4 - Global Startup: 4WERVRG9.lnk = C:\WINDOWS\4wervrg9.exe
    O4 - Global Startup: 952CWW1T.lnk = C:\WINDOWS\952cww1t.exe
    O4 - Global Startup: CTEGR1K3.lnk = C:\WINDOWS\ctegr1k3.exe
    O4 - Global Startup: UTL36T0R.lnk = C:\WINDOWS\utl36t0r.exe
    O4 - Global Startup: CLRO9KQ1.lnk = C:\WINDOWS\clro9kq1.exe
    O4 - Global Startup: X9RQI8PZ.lnk = C:\WINDOWS\x9rqi8pz.exe
    O4 - Global Startup: WBLCG0L5.lnk = C:\WINDOWS\wblcg0l5.exe
    That's ALL the O4 Global Startups except SpywareGuard, Kodak and MemTurbo.

    Reboot into safe mode by following the instructions here: http://helpdesk.its.bethel.edu/resnet/Documents/Antivirus/Safemode.html
    Then, as some of the files or folders you need to delete may be hidden, do this:
    Open Windows Explorer and go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and untick "Hide extensions for known file types". Now click "Apply to all folders".
    Click "Apply", then "OK".

    Locate and delete:
    C:\WINDOWS\WBLCG0L5.EXE
    Do a Start > Find and delete any and all references to:
    BrowserHelper.dll [FILE]


    Re-boot once more and post another HijackThis log.

    ;)
     
  3. jewelinda

    jewelinda Thread Starter

    Joined:
    Apr 1, 2004
    Messages:
    77
    I did all that you suggested. Here is the new log:
    Logfile of HijackThis v1.97.7
    Scan saved at 2:23:58 PM, on 4/1/2004
    Platform: Windows ME (Win9x 4.90.3000)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\PROGRAM FILES\TREND PC-CILLIN 2000\PCCIOMON.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\PROGRAM FILES\COMMON FILES\AOL\ACS\ACSD.EXE
    C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\PROGRAM FILES\TREND PC-CILLIN 2000\POP3TRAP.EXE
    C:\WINDOWS\SYSTEM\HPZTSB01.EXE
    C:\PROGRAM FILES\MICROSOFT HARDWARE\KEYBOARD\TYPE32.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\WINDOWS\RunDLL.exe
    C:\PROGRAM FILES\SIBER SYSTEMS\AI ROBOFORM\ROBOTASKBARICON.EXE
    C:\WINDOWS\AAKHVNFD.EXE
    C:\PROGRAM FILES\KODAK\KODAK EASYSHARE SOFTWARE\BIN\EASYSHARE.EXE
    C:\PROGRAM FILES\MEMTURBO\MEMTURBO.EXE
    C:\PROGRAM FILES\SPYWAREGUARD\SGMAIN.EXE
    C:\PROGRAM FILES\SPYWAREGUARD\SGBHP.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\WINDOWS\DESKTOP\HIJACKTHIS\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
    O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
    O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\PROGRAM FILES\SPYWAREGUARD\DLPROTECT.DLL
    O2 - BHO: (no name) - {B549456D-F5D0-4641-BCED-8648A0C13D83} - C:\WINDOWS\BrowserHelper.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [PCCIOMON.EXE] "C:\Program Files\Trend PC-cillin 2000\PCCIOMON.EXE"
    O4 - HKLM\..\Run: [pop3trap.exe] "C:\Program Files\Trend PC-cillin 2000\pop3trap.exe"
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\SYSTEM\hpztsb01.exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
    O4 - HKLM\..\Run: [ctst] C:\WINDOWS\ctst.exe
    O4 - HKLM\..\Run: [MSConfigReminder] C:\WINDOWS\SYSTEM\msconfig.exe /reminder
    O4 - HKLM\..\Run: [AAKHVNFD.EXE] C:\WINDOWS\AAKHVNFD.EXE /dk
    O4 - HKLM\..\RunServices: [PCCIOMON.EXE] "C:\Program Files\Trend PC-cillin 2000\PCCIOMON.EXE"
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
    O4 - HKLM\..\RunServices: [AolAcsDaemon1] "C:\PROGRAM FILES\COMMON FILES\AOL\ACS\ACSD.EXE"
    O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
    O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
    O4 - HKCU\..\Run: [AAKHVNFD.EXE] C:\WINDOWS\AAKHVNFD.EXE /dk
    O4 - Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
    O4 - Startup: MemTurbo.lnk = C:\Program Files\MemTurbo\MemTurbo.exe
    O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: Fill Forms &] - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
    O8 - Extra context menu item: Save Forms &[ - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
    O8 - Extra context menu item: Customize Menu &4 - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
    O9 - Extra button: Real.com (HKLM)
    O9 - Extra button: AIM (HKLM)
    O9 - Extra button: ICQ Lite (HKLM)
    O9 - Extra 'Tools' menuitem: ICQ Lite (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
    O9 - Extra button: RoboForm (HKLM)
    O9 - Extra 'Tools' menuitem: RF Toolbar &2 (HKLM)
    O9 - Extra button: Fill Forms (HKLM)
    O9 - Extra 'Tools' menuitem: Fill Forms &] (HKLM)
    O9 - Extra button: Save (HKLM)
    O9 - Extra 'Tools' menuitem: Save Forms &[ (HKLM)
    O12 - Plugin for .mts: C:\Program Files\MetaCreations\MetaStream\npmetastream.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.comcast.net
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37981.6512152778
    O16 - DPF: {17D72920-7A15-11D4-921E-0080C8DA7A5E} (AimSp32 Class) - http://66.48.68.135/save/makeover.cab
    O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-32.cab
    O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://imgfarm.com/images/nocache/funwebproducts/SmileyCentralInitialSetup1.0.0.6.cab
    O16 - DPF: {072D3F2E-5FB6-11D3-B461-00C04FA35A21} (CFForm Runtime) - http://www.joycevedral.com/CFIDE/classes/CFJava.cab
    O16 - DPF: {FF65677A-8977-48CA-916A-DFF81B037DF3} (WMService Class) - http://download.overpro.com/WildApp.cab
    O16 - DPF: {E04EAE82-14AD-41CB-BF5A-45556ABB8347} (WebCoachDownload Class) - http://esupport.aol.com/help/engine/aolcinst.cab
     
  4. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    56,236
    First Name:
    Derek
It has come back as happens in many of these cases
This is a fix that has been proven to work now

    download this file here (Adtomi Cleanup.zip).
    http://www.wilderssecurity.com/attachments/9x_Adtomi_Cleanup.zip for 98 or ME
    http://www.wilderssecurity.com/attachments/XPAdtomi_Cleanup.zip for XP

    or alternatively from
    http://www.thespykiller.co.uk/downloads.htm


    It was created by Mosaic1 and is available here with her kind permission
    And follow the instructions.

    First If you have a Script Blocking Program enabled, disable it first so the scripts may run.

    Unzip it to C:\Windows

See if there is an Adtomi or yahoo stocks icon in your system tray, it might be a red ?? and if so right click and select remove, you must be online for this part

--A web page from Adtomi would appear "-uninstall was successful!"
    then go off line
    (note not all infections have this icon, so if it isn't there then don't worry)

next press ctrl+ALT+DEL once to bring up task manager & stop the running process on the funny named file with 8 assorted letters & numbers, that will be listed towards the bottom of the running process list in your hijackthis log,
    and there might also be morze1 running, if so end that process as well

    In your case the process to stop is AAKHVNFD.EXE

    if you don't have any strange named exe files running or you can't stop it running, then DO NOT CONTINUE, please ask for more help first

    Now locate and Double Click Cleanup.bat that is in the folder you unzipped ( C:\Windows\Adtomi Cleanup )

    ***Do not Touch the VBS files. The bat file will run the scripts.

    It will remove the Adtomi Spyware files from the Windows Folder
    Clean the Startup Folders
    Create Backups of the Adtomi exe files it deletes and save them in this folder
    Create a list of all oddly named files deleted from the Windows Folder
    Uninstall the BHO
    Start HijackThis and give you directions on what to remove.

    When you have finished please restart the computer.

    Run HijackThis again and post the contents of your new log and the contents of Adtomi.txt in your next reply in your Forum Topic.
     
  5. jewelinda

    jewelinda Thread Starter

    Joined:
    Apr 1, 2004
    Messages:
    77
OK. I downloaded Adtomi Cleanup and I THINK I followed instructions. I am not sure about the scripts thing, if I have that disabled or not. How do I check that? I am not sure that anything actually happened when I ran that program. DOS Screen came up and I followed instructions, but I didn't have to create any back up file. Oddly named files???? the one I ended was hpzsta01 (or something very close to that). Here is the new HJT file:
    Logfile of HijackThis v1.97.7
    Scan saved at 3:08:33 PM, on 4/1/2004
    Platform: Windows ME (Win9x 4.90.3000)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\PROGRAM FILES\TREND PC-CILLIN 2000\PCCIOMON.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\PROGRAM FILES\COMMON FILES\AOL\ACS\ACSD.EXE
    C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\PROGRAM FILES\TREND PC-CILLIN 2000\POP3TRAP.EXE
    C:\PROGRAM FILES\MICROSOFT HARDWARE\KEYBOARD\TYPE32.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\WINDOWS\RunDLL.exe
    C:\PROGRAM FILES\SIBER SYSTEMS\AI ROBOFORM\ROBOTASKBARICON.EXE
    C:\WINDOWS\AAKHVNFD.EXE
    C:\PROGRAM FILES\KODAK\KODAK EASYSHARE SOFTWARE\BIN\EASYSHARE.EXE
    C:\PROGRAM FILES\SPYWAREGUARD\SGMAIN.EXE
    C:\PROGRAM FILES\SPYWAREGUARD\SGBHP.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\WINDOWS\SYSTEM\HPZSTATX.EXE
    C:\WINDOWS\SYSTEM\TAPISRV.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\SYSTEM\STIMON.EXE
    C:\WINDOWS\DESKTOP\HIJACKTHIS\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
    O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
    O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\PROGRAM FILES\SPYWAREGUARD\DLPROTECT.DLL
    O2 - BHO: (no name) - {B549456D-F5D0-4641-BCED-8648A0C13D83} - C:\WINDOWS\BrowserHelper.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [PCCIOMON.EXE] "C:\Program Files\Trend PC-cillin 2000\PCCIOMON.EXE"
    O4 - HKLM\..\Run: [pop3trap.exe] "C:\Program Files\Trend PC-cillin 2000\pop3trap.exe"
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\SYSTEM\hpztsb01.exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
    O4 - HKLM\..\Run: [ctst] C:\WINDOWS\ctst.exe
    O4 - HKLM\..\Run: [MSConfigReminder] C:\WINDOWS\SYSTEM\msconfig.exe /reminder
    O4 - HKLM\..\Run: [AAKHVNFD.EXE] C:\WINDOWS\AAKHVNFD.EXE /dk
    O4 - HKLM\..\RunServices: [PCCIOMON.EXE] "C:\Program Files\Trend PC-cillin 2000\PCCIOMON.EXE"
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
    O4 - HKLM\..\RunServices: [AolAcsDaemon1] "C:\PROGRAM FILES\COMMON FILES\AOL\ACS\ACSD.EXE"
    O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
    O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
    O4 - HKCU\..\Run: [AAKHVNFD.EXE] C:\WINDOWS\AAKHVNFD.EXE /dk
    O4 - Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
    O4 - Startup: MemTurbo.lnk = C:\Program Files\MemTurbo\MemTurbo.exe
    O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: Fill Forms &] - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
    O8 - Extra context menu item: Save Forms &[ - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
    O8 - Extra context menu item: Customize Menu &4 - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
    O9 - Extra button: Real.com (HKLM)
    O9 - Extra button: AIM (HKLM)
    O9 - Extra button: ICQ Lite (HKLM)
    O9 - Extra 'Tools' menuitem: ICQ Lite (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
    O9 - Extra button: RoboForm (HKLM)
    O9 - Extra 'Tools' menuitem: RF Toolbar &2 (HKLM)
    O9 - Extra button: Fill Forms (HKLM)
    O9 - Extra 'Tools' menuitem: Fill Forms &] (HKLM)
    O9 - Extra button: Save (HKLM)
    O9 - Extra 'Tools' menuitem: Save Forms &[ (HKLM)
    O12 - Plugin for .mts: C:\Program Files\MetaCreations\MetaStream\npmetastream.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.comcast.net
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37981.6512152778
    O16 - DPF: {17D72920-7A15-11D4-921E-0080C8DA7A5E} (AimSp32 Class) - http://66.48.68.135/save/makeover.cab
    O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-32.cab
    O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://imgfarm.com/images/nocache/funwebproducts/SmileyCentralInitialSetup1.0.0.6.cab
    O16 - DPF: {072D3F2E-5FB6-11D3-B461-00C04FA35A21} (CFForm Runtime) - http://www.joycevedral.com/CFIDE/classes/CFJava.cab
    O16 - DPF: {FF65677A-8977-48CA-916A-DFF81B037DF3} (WMService Class) - http://download.overpro.com/WildApp.cab
    O16 - DPF: {E04EAE82-14AD-41CB-BF5A-45556ABB8347} (WebCoachDownload Class) - http://esupport.aol.com/help/engine/aolcinst.cab
     
  6. $teve

    $teve

    Joined:
    Oct 9, 2001
    Messages:
    9,396
Nope.............its still hanging around.........thanx to Derek for the links......I had lost my page for Mosaic1's script so I was trying to do the manual removal.

    Run the fix again......but this time,re-boot and do a run>search for "BrowserHelper.dll"
    And delete any reference to it.
    This is an extremely stubborn parasite to remove......
I will be back in here in an hour or so, but dvk is one of the "top bananas" with this one......you're in good hands.
    ;)
     
  7. jewelinda

    jewelinda Thread Starter

    Joined:
    Apr 1, 2004
    Messages:
    77
    I will follow your instructions and post back. I am VERY GRATEFUL for your help!!! THANKS! Well, back to WORK!:)
     
  8. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    56,236
    First Name:
    Derek
    before doing anything else, open msconfig and make sure everything is enabled on the start up tab

You have stopped the wrong file running, ignore the files that start with HP

    i said in post 4 the name of the file to stop

    C:\WINDOWS\AAKHVNFD.EXE

please do all of what I said in post 4 again but this time stop the C:\WINDOWS\AAKHVNFD.EXE file running first, otherwise it won't work
     
  9. jewelinda

    jewelinda Thread Starter

    Joined:
    Apr 1, 2004
    Messages:
    77
    Trying again! Here is the new. I checked for that odd named file (not there), I made sure ALL of the items were checked under the start-up tab in msconfig, then ran the adtomi, and saved file. Here it is:
    Logfile of HijackThis v1.97.7
    Scan saved at 4:17:51 PM, on 4/1/2004
    Platform: Windows ME (Win9x 4.90.3000)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\PROGRAM FILES\TREND PC-CILLIN 2000\PCCIOMON.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\PROGRAM FILES\COMMON FILES\AOL\ACS\ACSD.EXE
    C:\WINDOWS\SYSTEM\SSDPSRV.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\PROGRAM FILES\TREND PC-CILLIN 2000\POP3TRAP.EXE
    C:\WINDOWS\SYSTEM\HPZTSB01.EXE
    C:\PROGRAM FILES\MICROSOFT HARDWARE\KEYBOARD\TYPE32.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\WINDOWS\RunDLL.exe
    C:\PROGRAM FILES\SIBER SYSTEMS\AI ROBOFORM\ROBOTASKBARICON.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\PROGRAM FILES\MEMTURBO\MEMTURBO.EXE
    C:\PROGRAM FILES\KODAK\KODAK EASYSHARE SOFTWARE\BIN\EASYSHARE.EXE
    C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\FINDFAST.EXE
    C:\PROGRAM FILES\GREETINGS WORKSHOP\GWREMIND.EXE
    C:\PROGRAM FILES\PALM\HOTSYNC.EXE
    C:\PROGRAM FILES\COMMON FILES\INTUIT\QUICKBOOKS\QBUPDATE\QBUPDATE.EXE
    C:\PROGRAM FILES\SPYWAREGUARD\SGMAIN.EXE
    C:\PROGRAM FILES\SPYWAREGUARD\SGBHP.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\WINDOWS\DESKTOP\HIJACKTHIS\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
    O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
    O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\PROGRAM FILES\SPYWAREGUARD\DLPROTECT.DLL
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [PCCIOMON.EXE] "C:\Program Files\Trend PC-cillin 2000\PCCIOMON.EXE"
    O4 - HKLM\..\Run: [pop3trap.exe] "C:\Program Files\Trend PC-cillin 2000\pop3trap.exe"
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\SYSTEM\hpztsb01.exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
    O4 - HKLM\..\Run: [ctst] C:\WINDOWS\ctst.exe
    O4 - HKLM\..\Run: [MSConfigReminder] C:\WINDOWS\SYSTEM\msconfig.exe /reminder
    O4 - HKLM\..\RunServices: [PCCIOMON.EXE] "C:\Program Files\Trend PC-cillin 2000\PCCIOMON.EXE"
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
    O4 - HKLM\..\RunServices: [AolAcsDaemon1] "C:\PROGRAM FILES\COMMON FILES\AOL\ACS\ACSD.EXE"
    O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
    O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
    O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
    O4 - Startup: MemTurbo.lnk = C:\Program Files\MemTurbo\MemTurbo.exe
    O4 - Startup: Reboot.exe
    O4 - Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
    O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
    O4 - Startup: Event Reminder.lnk = C:\Program Files\Broderbund\PrintMaster\PMREMIND.EXE
    O4 - Startup: Greetings Workshop Reminders.lnk = C:\Program Files\Greetings Workshop\GWREMIND.EXE
    O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\hotsync.exe
    O4 - Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
    O4 - Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
    O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: Fill Forms &] - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
    O8 - Extra context menu item: Save Forms &[ - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
    O8 - Extra context menu item: Customize Menu &4 - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
    O9 - Extra button: Real.com (HKLM)
    O9 - Extra button: AIM (HKLM)
    O9 - Extra button: ICQ Lite (HKLM)
    O9 - Extra 'Tools' menuitem: ICQ Lite (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
    O9 - Extra button: RoboForm (HKLM)
    O9 - Extra 'Tools' menuitem: RF Toolbar &2 (HKLM)
    O9 - Extra button: Fill Forms (HKLM)
    O9 - Extra 'Tools' menuitem: Fill Forms &] (HKLM)
    O9 - Extra button: Save (HKLM)
    O9 - Extra 'Tools' menuitem: Save Forms &[ (HKLM)
    O12 - Plugin for .mts: C:\Program Files\MetaCreations\MetaStream\npmetastream.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.comcast.net
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37981.6512152778
    O16 - DPF: {17D72920-7A15-11D4-921E-0080C8DA7A5E} (AimSp32 Class) - http://66.48.68.135/save/makeover.cab
    O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-32.cab
    O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://imgfarm.com/images/nocache/funwebproducts/SmileyCentralInitialSetup1.0.0.6.cab
    O16 - DPF: {072D3F2E-5FB6-11D3-B461-00C04FA35A21} (CFForm Runtime) - http://www.joycevedral.com/CFIDE/classes/CFJava.cab
    O16 - DPF: {FF65677A-8977-48CA-916A-DFF81B037DF3} (WMService Class) - http://download.overpro.com/WildApp.cab
    O16 - DPF: {E04EAE82-14AD-41CB-BF5A-45556ABB8347} (WebCoachDownload Class) - http://esupport.aol.com/help/engine/aolcinst.cab
     
  10. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    56,236
    First Name:
    Derek
ok to check what we have cured please go to the C:\Windows\Adtomi Cleanup folder and double click on the adtomi.txt file, when it opens in notepad, copy its contents and paste here
     
  11. jewelinda

    jewelinda Thread Starter

    Joined:
    Apr 1, 2004
    Messages:
    77
    4/1/2004 2:59:00 PM
    No Larger Files Found

    4/1/2004 2:59:15 PM
    No Smaller Files Found

    4/1/2004 3:06:11 PM
    No Smaller Files Found

    4/1/2004 3:06:20 PM
    No Larger Files Found

    4/1/2004 3:33:29 PM
    No Smaller Files Found

    4/1/2004 3:33:49 PM
    No Larger Files Found

    4/1/2004 3:53:10 PM
    No Smaller Files Found

    4/1/2004 3:53:39 PM
    No Larger Files Found

    4/1/2004 4:08:57 PM
    No Smaller Files Found

    4/1/2004 4:09:28 PM
    No Larger Files Found
     
  12. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    56,236
    First Name:
    Derek
    there should have been a list of files it deleted, since there aren't any, we must assume that all the files are still on the computer

    so print out the long list of files in post 2 so you can refer to it

    where it has this on the list,
    O4 - Global Startup: MORZE5.lnk = C:\WINDOWS\morze5.exe
    O4 - Global Startup: YTEJ0D4O.lnk = C:\WINDOWS\ytej0d4o.exe
    O4 - Global Startup: A56LPGI0.lnk = C:\WINDOWS\a56lpgi0.exe

    the actual files you are looking for to delete are these
    C:\WINDOWS\morze5.exe
    C:\WINDOWS\ytej0d4o.exe
    C:\WINDOWS\a56lpgi0.exe

    and so on all the way down.

    and this one C:\WINDOWS\AAKHVNFD.EXE

    and delete them all

    hopefully you will find that they have been deleted somewhere in the previous steps and it's just that the log didn't register them as being deleted.
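The triage rule Derek applies in posts 4 and 12 (an O4 Run or Startup entry whose target is an oddly named 8-character exe, or a morze<N> exe, sitting directly in C:\WINDOWS, while HP and other known files are ignored) can be applied mechanically to a HijackThis log. The script below is an added example and is not part of the thread or of the Adtomi Cleanup tool; the sample log lines are constructed in the shape of the logs above, and the KNOWN_GOOD_STEMS allowlist is an assumption for this example.

```python
import ntpath
import re

# Constructed sample lines, shaped like the HijackThis O4 entries posted in
# this thread (one exe appears under both HKLM and HKCU Run, as it did above).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [AAKHVNFD.EXE] C:\WINDOWS\AAKHVNFD.EXE /dk
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\SYSTEM\hpztsb01.exe
O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
O4 - HKCU\..\Run: [AAKHVNFD.EXE] C:\WINDOWS\AAKHVNFD.EXE /dk
O4 - Global Startup: MORZE5.lnk = C:\WINDOWS\morze5.exe
O4 - Global Startup: YTEJ0D4O.lnk = C:\WINDOWS\ytej0d4o.exe
O4 - Global Startup: A56LPGI0.lnk = C:\WINDOWS\a56lpgi0.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Startup: Reboot.exe
"""

# Assumed allowlist of 8-character names that are normal in the Windows root
# on Win9x/ME (an assumption for this example, not something the thread lists).
KNOWN_GOOD_STEMS = {"scanregw", "explorer", "taskmon", "rundll32", "rundll", "ctst"}

# "O4 - HKLM\..\Run: [Name] command line"  (registry autoruns)
RUN_RE = re.compile(r"^O4 - HK(?:LM|CU)\\\.\.\\[^:]+: \[[^\]]*\] (?P<cmd>.+)$")
# "O4 - Global Startup: X.lnk = target"      (startup-folder shortcuts)
STARTUP_RE = re.compile(r"^O4 - (?:Global )?Startup: [^=]+ = (?P<cmd>.+)$")
# First .exe path in a command line, quoted or not, arguments dropped.
EXE_RE = re.compile(r'"?(?P<path>[^"]*?\.exe)', re.IGNORECASE)


def autorun_target(line):
    """Return the executable an O4 line launches, or None if it is not an
    O4 entry with a resolvable target (e.g. a bare 'Startup: Reboot.exe')."""
    m = RUN_RE.match(line) or STARTUP_RE.match(line)
    if not m:
        return None
    exe = EXE_RE.match(m.group("cmd"))
    return exe.group("path") if exe else None


def looks_like_adtomi_name(path):
    """Derek's heuristic: a file of 8 assorted letters/digits, or morze<N>,
    placed directly in the Windows folder (not SYSTEM or Program Files)."""
    directory, filename = ntpath.split(path)
    if directory.upper() != "C:\\WINDOWS":
        return False
    stem = ntpath.splitext(filename)[0].lower()
    if stem in KNOWN_GOOD_STEMS:
        return False
    if re.fullmatch(r"morze\d+", stem):
        return True
    return re.fullmatch(r"[a-z0-9]{8}", stem) is not None


def find_suspect_autoruns(log_text):
    """Scan a HijackThis log and return the suspect exe paths in log order,
    deduplicated, so the .lnk entries are already mapped to the real files."""
    suspects = []
    for raw in log_text.splitlines():
        target = autorun_target(raw.strip())
        if target and looks_like_adtomi_name(target) and target not in suspects:
            suspects.append(target)
    return suspects


if __name__ == "__main__":
    for path in find_suspect_autoruns(SAMPLE_LOG):
        print("suspect autorun target:", path)
```

The output is the list of files to look for (and compare against Adtomi.txt), which is the same mapping from MORZE5.lnk to C:\WINDOWS\morze5.exe that the post above walks through by hand.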
     
  13. jewelinda

    jewelinda Thread Starter

    Joined:
    Apr 1, 2004
    Messages:
    77
    THANKS for all your help. I couldn't find any of those files so here is another HJT log just for you to hopefully give the all clear. If not OK, I will continue to work on it.
    Logfile of HijackThis v1.97.7
    Scan saved at 6:41:42 PM, on 4/1/2004
    Platform: Windows ME (Win9x 4.90.3000)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\PROGRAM FILES\TREND PC-CILLIN 2000\PCCIOMON.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\PROGRAM FILES\COMMON FILES\AOL\ACS\ACSD.EXE
    C:\WINDOWS\SYSTEM\SSDPSRV.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\PROGRAM FILES\TREND PC-CILLIN 2000\POP3TRAP.EXE
    C:\PROGRAM FILES\MICROSOFT HARDWARE\KEYBOARD\TYPE32.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\WINDOWS\RunDLL.exe
    C:\PROGRAM FILES\SIBER SYSTEMS\AI ROBOFORM\ROBOTASKBARICON.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\FINDFAST.EXE
    C:\PROGRAM FILES\GREETINGS WORKSHOP\GWREMIND.EXE
    C:\PROGRAM FILES\COMMON FILES\INTUIT\QUICKBOOKS\QBUPDATE\QBUPDATE.EXE
    C:\PROGRAM FILES\SPYWAREGUARD\SGMAIN.EXE
    C:\PROGRAM FILES\SPYWAREGUARD\SGBHP.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\WINDOWS\SYSTEM\TAPISRV.EXE
    C:\WINDOWS\SYSTEM\STIMON.EXE
    C:\PROGRAM FILES\AMERICA ONLINE 9.0\WAOL.EXE
    C:\PROGRAM FILES\AMERICA ONLINE 9.0\SHELLMON.EXE
    C:\PROGRAM FILES\AMERICA ONLINE 9.0\AOLWBSPD.EXE
    C:\WINDOWS\SYSTEM\RNAAPP.EXE
    C:\WINDOWS\DESKTOP\HIJACKTHIS\HIJACKTHIS.EXE

    O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
    O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\PROGRAM FILES\SPYWAREGUARD\DLPROTECT.DLL
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [PCCIOMON.EXE] "C:\Program Files\Trend PC-cillin 2000\PCCIOMON.EXE"
    O4 - HKLM\..\Run: [pop3trap.exe] "C:\Program Files\Trend PC-cillin 2000\pop3trap.exe"
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\SYSTEM\hpztsb01.exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
    O4 - HKLM\..\Run: [ctst] C:\WINDOWS\ctst.exe
    O4 - HKLM\..\Run: [MSConfigReminder] C:\WINDOWS\SYSTEM\msconfig.exe /reminder
    O4 - HKLM\..\RunServices: [PCCIOMON.EXE] "C:\Program Files\Trend PC-cillin 2000\PCCIOMON.EXE"
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
    O4 - HKLM\..\RunServices: [AolAcsDaemon1] "C:\PROGRAM FILES\COMMON FILES\AOL\ACS\ACSD.EXE"
    O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
    O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
    O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
    O4 - Startup: MemTurbo.lnk = C:\Program Files\MemTurbo\MemTurbo.exe
    O4 - Startup: Reboot.exe
    O4 - Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
    O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
    O4 - Startup: Event Reminder.lnk = C:\Program Files\Broderbund\PrintMaster\PMREMIND.EXE
    O4 - Startup: Greetings Workshop Reminders.lnk = C:\Program Files\Greetings Workshop\GWREMIND.EXE
    O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\hotsync.exe
    O4 - Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
    O4 - Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
    O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: Fill Forms &] - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
    O8 - Extra context menu item: Save Forms &[ - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
    O8 - Extra context menu item: Customize Menu &4 - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
    O9 - Extra button: Real.com (HKLM)
    O9 - Extra button: AIM (HKLM)
    O9 - Extra button: ICQ Lite (HKLM)
    O9 - Extra 'Tools' menuitem: ICQ Lite (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
    O9 - Extra button: RoboForm (HKLM)
    O9 - Extra 'Tools' menuitem: RF Toolbar &2 (HKLM)
    O9 - Extra button: Fill Forms (HKLM)
    O9 - Extra 'Tools' menuitem: Fill Forms &] (HKLM)
    O9 - Extra button: Save (HKLM)
    O9 - Extra 'Tools' menuitem: Save Forms &[ (HKLM)
    O12 - Plugin for .mts: C:\Program Files\MetaCreations\MetaStream\npmetastream.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.comcast.net
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37981.6512152778
    O16 - DPF: {17D72920-7A15-11D4-921E-0080C8DA7A5E} (AimSp32 Class) - http://66.48.68.135/save/makeover.cab
    O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-32.cab
    O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://imgfarm.com/images/nocache/funwebproducts/SmileyCentralInitialSetup1.0.0.6.cab
    O16 - DPF: {072D3F2E-5FB6-11D3-B461-00C04FA35A21} (CFForm Runtime) - http://www.joycevedral.com/CFIDE/classes/CFJava.cab
    O16 - DPF: {FF65677A-8977-48CA-916A-DFF81B037DF3} (WMService Class) - http://download.overpro.com/WildApp.cab
    O16 - DPF: {E04EAE82-14AD-41CB-BF5A-45556ABB8347} (WebCoachDownload Class) - http://esupport.aol.com/help/engine/aolcinst.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004033001/housecall.antivirus.com/housecall/xscan53.cab
    O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = aoldsl.net
     
  14. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    56,236
    First Name:
    Derek
    It all looks clean now
     
  15. jewelinda

    jewelinda Thread Starter

    Joined:
    Apr 1, 2004
    Messages:
    77
    Everything is working SOOOO much better, thanks to you Derek and Steve. :D :D
     
Short URL to this thread: https://techguy.org/216535