
Solved: HOMM2GOLD-dm.exe

Discussion in 'Virus & Other Malware Removal' started by bobc, Jan 27, 2007.

  1. bobc

    bobc Thread Starter

    Joined:
    Aug 26, 2003
    Messages:
    322
    I have recently acquired the file HOMM2GOLD-dm.exe which resides in my c:\temp directory. It appears to be accessed on a daily basis and resists deletion. I am unclear as to what the file is for or what it may be doing. The only recent known change to my system is the installation of a Netgear Router. Does anyone know anything about HOMM2GOLD-dm.exe?

    Bobc
     
  2. Byteman

    Byteman Gone but Never Forgotten

    Joined:
    Jan 24, 2002
    Messages:
    17,742
    Hi, it's been seen as TryMedia adware junk - delete it.

    If you want to check, post a Hijackthis log:

    go to Click here to download HJTsetup.exe
    • Save HJTsetup.exe to your desktop.
    • Double click on the HJTsetup.exe icon on your desktop.
    • By default it will install to C:\Program Files\Hijack This.
    • Continue to click Next in the setup dialogue boxes until you get to the Select Additional Tasks dialogue.
    • Put a check by Create a desktop icon then click Next again.
    • Continue to follow the rest of the prompts from there.
    • At the final dialogue box click Finish and it will launch Hijack This.
    • Click on the Do a system scan and save a log file button. It will scan and then save the log and then the log will open in Notepad.
    • Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
    • Paste the log in your next reply.
    • DO NOT have Hijack This fix anything yet. Most of what it finds will be harmless or even required.

    Here is a good temp file cleanup tool:

    Download ATFCleaner by Atribune & save it to your desktop. DO NOT use it yet. We will use it in Safe Mode, later.
    As you probably know, deleting cookies can result in you having to type in your username and password at ALL sites that use logins, like this site does. So if you willy-nilly delete cookies, which is safe enough to do, you will have to re-establish these cookies and log in the first time you visit any site like that.
    ATF Cleaner has a way to save those cookies you would like to keep, but it will require some time. If you DO KNOW or have saved all your passwords and login usernames, you can delete all cookies.

    * Restart your computer into Safe Mode now. To get into the Windows 2000 / XP Safe Mode, as the computer is booting, press and hold your "F8 Key", which should bring up the "Windows Advanced Options Menu".
    Use your arrow keys to move to "Safe Mode" and press your Enter key.

    Next, start up ATFCleaner:

    • Double-click ATF-Cleaner.exe to run the program.
      Under Main choose: Select All
      Click the Empty Selected button.
    If you use Firefox browser
    • Click Firefox at the top and choose: Select All
      Click the Empty Selected button.
      NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    If you use Opera browser
    • Click Opera at the top and choose: Select All
      Click the Empty Selected button.
      NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    Click Exit on the Main menu to close the program.
    Restart the computer.
     
  3. bobc

    bobc Thread Starter

    Joined:
    Aug 26, 2003
    Messages:
    322
    Thanks Byteman.
    I have run ATF-Cleaner, but HOMM2GOLD-dm.exe still resists deletion. I haven't tried running Ad-Aware SE yet but will do so now.

    Meantime - Here's my Hijackthis log (Still version 1.99):

    [edited by Byteman---hi, you have Word Wrap checked in the Format options of Notepad, please uncheck it so the future HJT logs display like this, OK?]

    Logfile of HijackThis v1.99.1
    Scan saved at 16:50:41, on 28/01/07
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\System32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\WINNT\System32\DRIVERS\CDANTSRV.EXE
    C:\WINNT\System32\svchost.exe
    C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
    C:\WINNT\System32\nvsvc32.exe
    C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\system32\stisvc.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\Explorer.EXE
    C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
    C:\WINNT\system32\RUNDLL32.EXE
    C:\Program Files\Dell\AccessDirect\dadapp.exe
    C:\WINNT\system32\PRPCUI.exe
    C:\Program Files\Apoint\Apoint.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe
    C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\Program Files\Apoint\Apntex.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    C:\WINNT\system32\internat.exe
    C:\Documents and Settings\bobc\Application Data\My-disgo\MyKey disgo.exe
    C:\HPDESK\hppddir.exe
    C:\Program Files\FinePixViewer\QuickDCF.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
    C:\Program Files\Palm\HOTSYNC.EXE
    C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
    C:\WINNT\system32\HPZipm12.exe
    C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
    C:\VirusTools\HijackThis.exe
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
    http://www.euro.dell.com/countries/uk/enu/gen/default.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar =
    http://www.orange.co.uk/iesearch/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.orange.co.uk/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
    http://www.orange.co.uk/
    N3 - Netscape 7: user_pref("browser.search.defaultengine",
    "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src");
    (C:\Documents and Settings\bobc\Application
    Data\Mozilla\Profiles\default\w1jin88a.slt\prefs.js)
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program
    Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot -
    earch & Destroy\SDHelper.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} -
    c:\winnt\googletoolbar1.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\winnt\googletoolbar1.dll
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
    O4 - HKLM\..\Run: [DadApp] C:\Program Files\Dell\AccessDirect\dadapp.exe
    O4 - HKLM\..\Run: [PRPCMonitor] PRPCUI.exe
    O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [CreateCD50] "C:\Program Files\Common Files\Adaptec
    Shared\CreateCD\CreateCD50.exe" -r
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator
    5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    O4 - HKCU\..\Run: [Internat.exe] internat.exe
    O4 - HKCU\..\Run: [My-disgo] C:\Documents and Settings\bobc\Application Data\My-disgo\MyKey
    disgo.exe
    O4 - Startup: 3DO - Might and Magic VII Registration.lnk = F:\Games\3DO\Might and Magic
    VII\Register\Remind32.exe
    O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE
    O4 - Global Startup: Document Assistant.lnk = C:\HPDESK\hppddir.exe
    O4 - Global Startup: Exif Launcher.lnk = C:\Program Files\FinePixViewer\QuickDCF.exe
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital
    Imaging\bin\hpqtra08.exe
    O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital
    Imaging\bin\hpqthb08.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft
    Office\Office\OSA9.EXE
    O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Program Files\Microsoft
    Office\Office\1033\OLFSNT40.EXE
    O8 - Extra context menu item: &Google Search -
    res://c:\winnt\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: &Save To Palm - c:\Program Files\Palm\HandStoryME.htm
    O8 - Extra context menu item: &Translate English Word -
    res://c:\winnt\GoogleToolbar1.dll/cmwordtrans.html
    O8 - Extra context menu item: Backward Links -
    res://c:\winnt\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: C&lip To Palm - c:\Program Files\Palm\HandStoryMEC.htm
    O8 - Extra context menu item: Cached Snapshot of Page -
    res://c:\winnt\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: Similar Pages -
    res://c:\winnt\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate Page into English -
    res://c:\winnt\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra button: Save To Palm - {6C8741AB-53B4-476e-BE7C-F519AD8A6494} - c:\Program
    Files\Palm\HandStoryTE.htm
    O9 - Extra 'Tools' menuitem: &Save To Palm - {6C8741AB-53B4-476e-BE7C-F519AD8A6494} -
    c:\Program Files\Palm\HandStoryTE.htm
    O14 - IERESET.INF: START_PAGE_URL=http://www.orange.co.uk/
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} -
    http://a1540.g.akamai.net/7/1540/52/20030530/qtinstall.info.apple.com/bonnie/us/win/QuickTim
    eInstaller.exe
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) -
    http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?11447
    78097555
    O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} -
    http://toolbar.google.com/data/GoogleActivate.cab
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. -
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. -
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINNT\System32\DRIVERS\CDANTSRV.EXE
    O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software
    Corp. - C:\WINNT\System32\dmadmin.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program
    Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: Kerio Personal Firewall 4 (KPF4) - Kerio Technologies - C:\Program
    Files\Kerio\Personal Firewall 4\kpf4ss.exe
    023 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation -
    C:\WINNT\System32\nvsvc32.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\HPZipm12.exe
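An added example, not code from the thread or from HijackThis itself: a small Python triage helper for the HijackThis 1.99 log format posted above. It rejoins entries that Notepad word-wrap split across two lines (the problem Byteman points out), pulls the launched file out of O4 Run-key and O23 service entries, and lists processes and autostarts that run from temp or per-user data directories, which is where the file under discussion lived. The sample log, its hypothetical `[Updater]` Run entry and the `REVIEW_DIRS` list are constructed for the example; a hit means "look closer", not "malware".

```python
import re
from typing import Dict, List, NamedTuple, Optional

# Constructed excerpt in the HijackThis 1.99.1 log format posted in the thread,
# with the Notepad word-wrap damage the helper complained about (two entries
# split over two lines) and a hypothetical O4 entry for the file in question.
SAMPLE_LOG = """\
Logfile of HijackThis v1.99.1
Running processes:
C:\\WINNT\\System32\\smss.exe
C:\\Temp\\HOMM2GOLD-dm.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\\Program
Files\\Adobe\\Acrobat 6.0\\Reader\\ActiveX\\AcroIEHelper.dll
O4 - HKLM\\..\\Run: [AVG7_CC] C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP
O4 - HKCU\\..\\Run: [Updater] C:\\Temp\\HOMM2GOLD-dm.exe
O23 - Service: Kerio Personal Firewall 4 (KPF4) - Kerio Technologies - C:\\Program
Files\\Kerio\\Personal Firewall 4\\kpf4ss.exe
"""

ENTRY_RE = re.compile(r"^(?P<kind>[RFNO]\d+) - (?P<body>.*)$")
# Directories a legitimate autostart rarely lives in. A hit means "look closer",
# not "malware": the thread's My-disgo USB tool also runs from Application Data.
REVIEW_DIRS = ("\\temp\\", "\\application data\\")

class Entry(NamedTuple):
    kind: str  # HijackThis section code, e.g. "O4" or "O23"
    body: str  # rest of the line, with wrapped continuations rejoined

def parse_hjt(text: str) -> Dict[str, list]:
    # Split a log into the running-process list and the section entries.
    processes, entries, in_processes = [], [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.lower() == "running processes:":
            in_processes = True
        elif m := ENTRY_RE.match(line):
            in_processes = False
            entries.append(Entry(m["kind"], m["body"]))
        elif in_processes:
            processes.append(line)
        elif entries:
            # No section prefix: assume Notepad wrapped the previous entry at a
            # space (true for paths; a URL wrapped mid-token cannot be repaired).
            entries[-1] = Entry(entries[-1].kind, entries[-1].body + " " + line)
    return {"processes": processes, "entries": entries}

def autostart_path(entry: Entry) -> Optional[str]:
    # Launched file for O4 Run-key entries and O23 service entries.
    if entry.kind == "O4" and "] " in entry.body:  # HKLM\..\Run: [Name] C:\path args
        cmd = entry.body.split("] ", 1)[1]
        if cmd.startswith('"'):
            return cmd[1:].split('"', 1)[0]
        return re.split(r" [/-]", cmd, maxsplit=1)[0]
    if entry.kind == "O23":  # Service: Name (Short) - Vendor - C:\path
        return entry.body.rsplit(" - ", 1)[1]
    return None

def review_candidates(parsed: Dict[str, list]) -> List[str]:
    # Processes and autostarts running from temp or per-user data directories.
    hits = [f"process: {p}" for p in parsed["processes"]
            if any(d in p.lower() for d in REVIEW_DIRS)]
    for e in parsed["entries"]:
        path = autostart_path(e)
        if path and any(d in path.lower() for d in REVIEW_DIRS):
            hits.append(f"{e.kind}: {path}")
    return hits
```

Run `review_candidates(parse_hjt(SAMPLE_LOG))` to get the two C:\Temp hits; a line such as the log's "023 - Service" typo (zero instead of O) will be glued to the previous entry, so check the output against the raw log for anything unexpected.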
     
  4. Byteman

    Byteman Gone but Never Forgotten

    Joined:
    Jan 24, 2002
    Messages:
    17,742
    Hi, The former Ewido trojan remover now called AVG Antispyware, will remove that file for you, at least I see where it has, so let's have you try it out.

    Save the directions to a Notepad text file to your desktop so you have them to refer to while in Safe Mode, as the Internet and these posts are not available in Safe Mode....

    The settings are done during the installation, and there are some buttons to press when you go to scan, is all it is - looks complicated but really not. You do the complete scan while in Safe Mode as shown below.


    You must set the settings as shown, and update the program before you scan with it, and set the items shown exactly as they are in the guide below, OK?

    AVG ANTISPYWARE
    Please read through all this reply before you begin.
    Please download AVG Anti-Spyware to your Desktop or to your usual Download Folder.
    http://www.ewido.net/en/download/
    • Install AVG Anti-Spyware by double clicking the installer.
    • Follow the prompts. Make sure that Launch AVG Anti-Spyware is checked.
    • On the main screen under Your Computer's security
    • Click on Change state next to Resident shield. It should now change to inactive. (Default should be n/a)
    • Click on Change state next to Automatic updates. It should now change to inactive. (same it should look like n/a)
    • Next to Last Update, click on Update now. (You will need an active internet connection to perform this)
    • Wait until you see the Update successful message.
    • Right-click the AVG Anti-Spyware Tray Icon and uncheck Start with Windows.
    • Right-click the AVG Anti-Spyware Tray Icon and select Exit.
    • Confirm by clicking Yes.
    If you are having problems with the updater, you can use this link to manually update AVG Anti-spyware. Only if you cannot update over the Web!
    AVG Antispyware Updates

    Download the Full database to your Desktop or to your usual Download Folder and install it by double clicking the file. Make sure that AVG Anti-Spyware is closed before installing the update.
    ______________________________
    • If the computer is running, shut down Windows, and then turn off the power.
    • Reboot your computer TO Safe Mode. Here's how:
    • Wait 30 seconds, and then turn the computer on.
    • Start tapping the F8 key. The Windows Advanced Options Menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
    • Ensure that the Safe Mode option is selected.
    • Press Enter. The computer then begins to start in Safe mode.
    • Login on your usual account.
    ______________________________

    1. Launch AVG Anti-Spyware, click on the "Scanner" button and choose the "Settings" tab.
    • Under "How to act?", click on "Recommended actions" and choose "Quarantine" to set default action for detected malware.
    • Under "How to Scan?" check all (default).
    • Under "Possibly unwanted software" check all (default).
    • Under "What to Scan?" make sure "Scan every file" is selected (default).
    • Under "Reports" select "Automatically generate report after every scan" and
      UNcheck "Only if threats were found".
    • 2. Click the "Scan" tab to return to scanning options.
    • 3. If you were scanning now, you would Click "Complete System Scan" to start.
    • 4. When the scan finished you'd be presented with a list of infected objects found. Click "Apply all actions" to place the files in Quarantine.

    IMPORTANT! Do not save the report before you have clicked the Apply all actions button. If you do, the log that is created will indicate "No action taken", making it more difficult to interpret the report. So be sure you save it only AFTER clicking the "Apply all actions" button.
    • 5. Click on "Save Report" to view all completed scans.
    • Click on the most recent scan you just performed and select "Save report as" - the default file name will be in date/time format as follows: Report-Scan-20060620-142816.txt.
    • Save to your desktop. A copy of each report will also be saved in C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\Reports\
    • 6. Exit AVG Anti-Spyware when done, reboot normally and submit the log report in your next response.
     
  5. bobc

    bobc Thread Starter

    Joined:
    Aug 26, 2003
    Messages:
    322
    Hi Byteman.
    That took a while!
    HOMM2GOLD-dm.exe now gone. Also another (Dropper.Small ) that I didn't know was there. Should I worry about what that one might have done? Thanks.
    ---------------------------------------------------------
    AVG Anti-Spyware - Scan Report
    ---------------------------------------------------------

    + Created at: 02:39:41 29/01/07

    + Scan result:

    C:\Temp\HOMM2GOLD-dm.exe -> Adware.Trymedia : Cleaned with backup (quarantined).
    C:\Downloads\Trainers\RA2\ra2102e.zip/ra2102e.exe -> Dropper.Small : Cleaned with backup (quarantined).

    ::Report end
     
  6. Byteman

    Byteman Gone but Never Forgotten

    Joined:
    Jan 24, 2002
    Messages:
    17,742
    Hi, Well, usually when something like that is found, we have you do some further scanning- it's only logical to check.

    Here are two online antivirus plus scanners...Panda fixes only virus/some trojan but is very good at showing exactly where spy and adware lurks in your computer which is why we use it.

    I don't see any need to rush, do these scans when you have some time as they will take a while, similar to
    AVG's....

    Kaspersky is very good as well.

    HERE to run Panda's ActiveScan
    • Once you are on the Panda site click the Scan your PC button
    • A new window will open...click the Check Now button
    • Enter your Country
    • Enter your State/Province
    • Enter your e-mail address and click send
    • Select either Home User or Company
    • Click the big Scan Now button
    • If it wants to install an ActiveX component allow it
    • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
    • When download is complete, click on My Computer to start the scan
    • When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location. Post the contents of the ActiveScan report


    Or this one: Kaspersky
    • Please go HERE and click Kaspersky Online Scanner
    • Read and Accept the Agreement
    • You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
    • If you see a Windows dialog asking if you want to install this software, click the Install button.
    • The program will launch and then begin downloading the latest definition files,
    • When the "Update progress" line changes to "Ready" and the "NEXT ->" button becomes available, please click on it.
    • Click on the Scan Settings button, and in the next window select the Extended database, and click Ok.
    • Under "Please select a target to scan:", click My Computer to start the scan.
    • When the scan is finished, click the "Save as Text" button, and save the file as kavscan.txt to your Desktop, close the Kaspersky On-line Scanner window.
    • Copy and Paste the contents of the online scanner results into a Reply here in your thread, along with a new HJT log and log from any other scans you run.

    Then after we see those results and get anything else fixed, you won't be done until we clean out the old infected System Restore Points--- in case you ever had to use one, it would only put back this malware you worked to remove. We will do that as last step.

    Good work by the way!
     
  7. bobc

    bobc Thread Starter

    Joined:
    Aug 26, 2003
    Messages:
    322
    Thanks Byteman.
    I'm still using a dial-up so I may wait a while before doing any on line scanning.
     
  8. Byteman

    Byteman Gone but Never Forgotten

    Joined:
    Jan 24, 2002
    Messages:
    17,742
    Hi, That's OK. Just post back here if anything comes back.

    First thing to do, is post the Hijackthis log with a note about what you are getting such as popups, alerts from antivirus etc.
     
Short URL to this thread: https://techguy.org/538835