1. Computer problem? Tech Support Guy is completely free -- paid for by advertisers and donations. Click here to join today! If you're new to Tech Support Guy, we highly recommend that you visit our Guide for New Members.

[Solved] I think I have peper.A trojan. HJT included

Discussion in 'Virus & Other Malware Removal' started by superdeluxe, Apr 15, 2004.

Thread Status:
Not open for further replies.
Advertisement
  1. superdeluxe

    superdeluxe Thread Starter

    Joined:
    Apr 15, 2004
    Messages:
    41
    Hello.

    I am having some serious problems, I think have the peper.A trojan, as when I look at task master..all these wierd looking programs are in it wierd letters and numbers.

    Also my computer is running so slow, and pop ups galore. PLEASE HELP

    I have already ran CWS shredder and spybot s and d before running Hijack. I have also downloaded the drpeper uninstaller. But I clicked on it..and all it says is too it does not run in dos.

    here is my HJT log

    Logfile of HijackThis v1.97.7
    Scan saved at 8:38:11 PM, on 4/15/2004
    Platform: Windows ME (Win9x 4.90.3000)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\WINDOWS\SYSTEM\SSDPSRV.EXE
    C:\WINDOWS\SYSTEM\LEXBCES.EXE
    C:\WINDOWS\SYSTEM\RPCSS.EXE
    C:\WINDOWS\SYSTEM\LEXPPS.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS\SYSTEM\LXSUPMON.EXE
    C:\WINDOWS\SYSTEM\HIDSERV.EXE
    C:\PROGRAM FILES\[email protected]\[email protected]
    C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\EVNTSVC.EXE
    C:\WINDOWS\SYSTEM\QTTASK.EXE
    C:\PROGRAM FILES\MICROSOFT WORKS\WKSSB.EXE
    C:\WINDOWS\SYSTEM\IGFXTRAY.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\PROGRAM FILES\ADAPTEC\EASY CD CREATOR 5\DIRECTCD\DIRECTCD.EXE
    C:\PROGRAM FILES\WINAMP\WINAMPA.EXE
    C:\WINDOWS\TEMP\HD9C0.EXE
    C:\WINDOWS\TEMP\WJCP.EXE
    C:\WINDOWS\TEMP\BP5S.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\PROGRAM FILES\ADAPTEC\EASY CD CREATOR 4\CREATECD\CREATECD.EXE
    C:\PROGRAM FILES\AIM95\AIM.EXE
    C:\WINDOWS\APPLICATION DATA\OSES.EXE
    C:\WINDOWS\SYSTEM\WNSTSSV.EXE
    C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
    C:\PROGRAM FILES\AMERICA ONLINE 7.0\WAOL.EXE
    C:\WINDOWS\SYSTEM\TAPISRV.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\SYSTEM\RNAAPP.EXE
    C:\WINDOWS\SYSTEM\PSTORES.EXE
    C:\WINDOWS\SYSTEM\PCPOSTB.EXE
    C:\MY DOCUMENTS\OTTO'S STUFF\ORDER CONFIRMATION1_FILES\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://server224.smartbotpro.net/7search/?new-hkcu
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://default-homepage-network.com/start.cgi?new-hkcu
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://default-homepage-network.com/start.cgi?new-hklm
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://server224.smartbotpro.net/7search/?new-hklm
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = res://C:\PROGRA~1\TOOLBAR\TOOLBAR.DLL/sa
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.livejournal.com/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = res://C:\PROGRA~1\TOOLBAR\TOOLBAR.DLL/sa
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - (no file)
    O2 - BHO: IE Agent - {00000000-0000-0000-0000-000000000221} - C:\PROGRAM FILES\LYCOS\IEAGENT\CSIE.DLL
    O2 - BHO: NavErrRedir Class - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL
    O2 - BHO: (no name) - {0019C3E2-DD48-4A6D-ABCD-8D32436323D9} - (no file)
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: &Search Toolbar - {339BB23F-A864-48C0-A59F-29EA915965EC} - C:\PROGRA~1\TOOLBAR\TOOLBAR.DLL
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [Hidserv] Hidserv.exe run
    O4 - HKLM\..\Run: [LexStart] Lexstart.exe
    O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\SYSTEM\LXSUPMON.EXE RUN
    O4 - HKLM\..\Run: [seticlient] C:\Program Files\[email protected]\[email protected] -min
    O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
    O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
    O4 - HKLM\..\Run: [QuickTime Task] C:\WINDOWS\SYSTEM\QTTASK.EXE
    O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\SYSTEM\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\SYSTEM\hkcmd.exe
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
    O4 - HKLM\..\Run: [HD9C0] C:\WINDOWS\TEMP\HD9C0.EXE
    O4 - HKLM\..\Run: [WJCP] C:\WINDOWS\TEMP\WJCP.EXE
    O4 - HKLM\..\Run: [BP5S] C:\WINDOWS\TEMP\BP5S.EXE
    O4 - HKLM\..\Run: [bxxs5] RunDLL32.EXE C:\WINDOWS\BXXS5.DLL,DllRun
    O4 - HKLM\..\Run: [WhenUSearch] C:\PROGRA~1\WHENUS~1\Search.exe
    O4 - HKLM\..\Run: [qzkb] C:\WINDOWS\qzkb.exe
    O4 - HKLM\..\Run: [CreateCD50] C:\PROGRA~1\COMMON~1\ADAPTE~1\CREATECD\CREATE~1.EXE -r
    O4 - HKLM\..\Run: [CreateCD] C:\PROGRA~1\ADAPTEC\EASYCD~1\CREATECD\CREATECD.EXE -r
    O4 - HKLM\..\Run: [PCPOSTB] C:\WINDOWS\SYSTEM\PCPOSTB.exe
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
    O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
    O4 - HKCU\..\Run: [AIM] C:\PROGRAM FILES\AIM95\aim.exe -cnetwait.odl
    O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
    O4 - HKCU\..\Run: [Dcas] C:\WINDOWS\Application Data\oses.exe
    O4 - HKCU\..\Run: [ClockSync] C:\PROGRA~1\CLOCKS~1\Sync.exe /q
    O4 - HKCU\..\Run: [WNSA] C:\WINDOWS\SYSTEM\wnstssv.exe
    O4 - Startup: America Online 7.0 Tray Icon.lnk = C:\Program Files\America Online 7.0\aoltray.exe
    O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsearch.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmcache.html
    O8 - Extra context menu item: Si&milar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsimilar.html
    O8 - Extra context menu item: Backward &Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmbacklinks.html
    O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmtrans.html
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O9 - Extra button: AIM (HKLM)
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...apple.com/qt505/us/win/QuickTimeInstaller.exe
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_41.cab
    O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
    O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
     
  2. stillearning

    stillearning

    Joined:
    Mar 15, 2004
    Messages:
    389
    You still have a CWS infection, make sure CWShredder is updated & all windows are closed B4 running.

    Download & instal Adaware from http://majorgeeks.com/download.php?det=506
    & update it B4 scanning.
    In settings under 'scanning,' have it set to
    'scan within archives,'
    'scan active processes,'
    'scan registry,'
    'deepscan registry'
    'scan my IE Favourites for banned URL's,'
    'scan my host's file.'
    Also in tweaks under 'cleaning engine' set it to 'Automatically try to unregister objects prior to deletion.'
    Remove what it finds by placing a check in the box to the left of the object.

    Download & instal Spybot S&D from http://www.safer-networking.org/index.php?page=download Update it B4 scanning. Go into settings & have it check for Beta releases also & download if available.
    After the scan is complete, have spybot fix everything marked RED.
    On the page that first opens when you start Spybot there is an option to immunise, you should do this. In the immunise section there is also a link to download Spywareblaster. Download that & you can keep it updated by selecting the same link that you use to download it.

    Reboot after doing this & post another log please.
     
  3. superdeluxe

    superdeluxe Thread Starter

    Joined:
    Apr 15, 2004
    Messages:
    41
    Thank you for your help.

    I updated my CWS shredder and found some stuff.

    I ran ad-aware, with all the things you suggested.

    I updated spybot, ran that, and also immunized.

    I have rebooted and here is my HJT log.

    Thanks again

    ogfile of HijackThis v1.97.7
    Scan saved at 9:50:24 PM, on 4/15/2004
    Platform: Windows ME (Win9x 4.90.3000)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\WINDOWS\SYSTEM\SSDPSRV.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS\SYSTEM\LXSUPMON.EXE
    C:\PROGRAM FILES\[email protected]\[email protected]
    C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\EVNTSVC.EXE
    C:\WINDOWS\SYSTEM\QTTASK.EXE
    C:\PROGRAM FILES\MICROSOFT WORKS\WKSSB.EXE
    C:\WINDOWS\SYSTEM\IGFXTRAY.EXE
    C:\WINDOWS\SYSTEM\LEXBCES.EXE
    C:\PROGRAM FILES\ADAPTEC\EASY CD CREATOR 5\DIRECTCD\DIRECTCD.EXE
    C:\PROGRAM FILES\WINAMP\WINAMPA.EXE
    C:\WINDOWS\SYSTEM\RPCSS.EXE
    C:\WINDOWS\TEMP\HD9C0.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\WINDOWS\TEMP\WJCP.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\WINDOWS\TEMP\BP5S.EXE
    C:\WINDOWS\SYSTEM\HIDSERV.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\PROGRAM FILES\COMMON FILES\ADAPTEC SHARED\CREATECD\CREATECD50.EXE
    C:\PROGRAM FILES\AIM95\AIM.EXE
    C:\WINDOWS\APPLICATION DATA\OSES.EXE
    C:\WINDOWS\SYSTEM\LEXPPS.EXE
    C:\WINDOWS\SYSTEM\WNSTSSV.EXE
    C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
    C:\WINDOWS\SYSTEM\PSTORES.EXE
    C:\WINDOWS\SYSTEM\CHANDG.EXE
    C:\MY DOCUMENTS\HIJACKTHIS\HIJACKTHIS.EXE

    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = res://C:\PROGRA~1\TOOLBAR\TOOLBAR.DLL/sa
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.livejournal.com/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = res://C:\PROGRA~1\TOOLBAR\TOOLBAR.DLL/sa
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - (no file)
    O2 - BHO: IE Agent - {00000000-0000-0000-0000-000000000221} - C:\PROGRAM FILES\LYCOS\IEAGENT\CSIE.DLL
    O2 - BHO: NavErrRedir Class - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL
    O2 - BHO: (no name) - {0019C3E2-DD48-4A6D-ABCD-8D32436323D9} - C:\WINDOWS\BXXS5.DLL
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: &Search Toolbar - {339BB23F-A864-48C0-A59F-29EA915965EC} - C:\PROGRA~1\TOOLBAR\TOOLBAR.DLL
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [Hidserv] Hidserv.exe run
    O4 - HKLM\..\Run: [LexStart] Lexstart.exe
    O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\SYSTEM\LXSUPMON.EXE RUN
    O4 - HKLM\..\Run: [seticlient] C:\Program Files\[email protected]\[email protected] -min
    O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
    O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
    O4 - HKLM\..\Run: [QuickTime Task] C:\WINDOWS\SYSTEM\QTTASK.EXE
    O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\SYSTEM\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\SYSTEM\hkcmd.exe
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
    O4 - HKLM\..\Run: [HD9C0] C:\WINDOWS\TEMP\HD9C0.EXE
    O4 - HKLM\..\Run: [WJCP] C:\WINDOWS\TEMP\WJCP.EXE
    O4 - HKLM\..\Run: [BP5S] C:\WINDOWS\TEMP\BP5S.EXE
    O4 - HKLM\..\Run: [bxxs5] RunDLL32.EXE C:\WINDOWS\BXXS5.DLL,DllRun
    O4 - HKLM\..\Run: [WhenUSearch] C:\PROGRA~1\WHENUS~1\Search.exe
    O4 - HKLM\..\Run: [qzkb] C:\WINDOWS\qzkb.exe
    O4 - HKLM\..\Run: [CreateCD] C:\PROGRA~1\ADAPTEC\EASYCD~1\CREATECD\CREATECD.EXE -r
    O4 - HKLM\..\Run: [CHANDG] C:\WINDOWS\SYSTEM\CHANDG.exe
    O4 - HKLM\..\Run: [CreateCD50] C:\PROGRA~1\COMMON~1\ADAPTE~1\CREATECD\CREATE~1.EXE -r
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
    O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
    O4 - HKCU\..\Run: [AIM] C:\PROGRAM FILES\AIM95\aim.exe -cnetwait.odl
    O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
    O4 - HKCU\..\Run: [Dcas] C:\WINDOWS\Application Data\oses.exe
    O4 - HKCU\..\Run: [ClockSync] C:\PROGRA~1\CLOCKS~1\Sync.exe /q
    O4 - HKCU\..\Run: [WNSA] C:\WINDOWS\SYSTEM\wnstssv.exe
    O4 - Startup: America Online 7.0 Tray Icon.lnk = C:\Program Files\America Online 7.0\aoltray.exe
    O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsearch.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmcache.html
    O8 - Extra context menu item: Si&milar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsimilar.html
    O8 - Extra context menu item: Backward &Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmbacklinks.html
    O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmtrans.html
    O9 - Extra button: Real.com (HKLM)
    O9 - Extra button: AIM (HKLM)
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...apple.com/qt505/us/win/QuickTimeInstaller.exe
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_41.cab
    O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
    O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
     
  4. stillearning

    stillearning

    Joined:
    Mar 15, 2004
    Messages:
    389
    Close all (browser) windows & have HJT fix these entries=

    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = res://C:\PROGRA~1\TOOLBAR\TOOLBAR.DLL/sa
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = res://C:\PROGRA~1\TOOLBAR\TOOLBAR.DLL/sa

    O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - (no file)
    O2 - BHO: IE Agent - {00000000-0000-0000-0000-000000000221} - C:\PROGRAM FILES\LYCOS\IEAGENT\CSIE.DLL
    O2 - BHO: NavErrRedir Class - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL
    O2 - BHO: (no name) - {0019C3E2-DD48-4A6D-ABCD-8D32436323D9} - C:\WINDOWS\BXXS5.DLL

    O3 - Toolbar: &Search Toolbar - {339BB23F-A864-48C0-A59F-29EA915965EC} - C:\PROGRA~1\TOOLBAR\TOOLBAR.DLL

    O4 - HKLM\..\Run: [HD9C0] C:\WINDOWS\TEMP\HD9C0.EXE
    O4 - HKLM\..\Run: [WJCP] C:\WINDOWS\TEMP\WJCP.EXE
    O4 - HKLM\..\Run: [BP5S] C:\WINDOWS\TEMP\BP5S.EXE
    O4 - HKLM\..\Run: [bxxs5] RunDLL32.EXE C:\WINDOWS\BXXS5.DLL,DllRun
    O4 - HKLM\..\Run: [WhenUSearch] C:\PROGRA~1\WHENUS~1\Search.exe
    O4 - HKLM\..\Run: [qzkb] C:\WINDOWS\qzkb.exe
    O4 - HKCU\..\Run: [Dcas] C:\WINDOWS\Application Data\oses.exe

    Reboot into safe mode following the instructions here. http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406 & navigate to & delete

    C:\PROGRAM FILES\LYCOS< this one
    C:\PROGRA~1\INCRED~1< this one
    C:\PROGRA~1\TOOLBAR< this one
    C:\WINDOWS\TEMP\HD9C0.EXE< entire contents of this folder
    C:\WINDOWS\BXXS5.DLL< this one
    C:\PROGRA~1\WHENUS~1< this one
    C:\WINDOWS\qzkb.exe< this one
    C:\WINDOWS\Application Data\oses.exe< this one

    In order to view these files you may have to select 'show hidden files/folders.' Instructions here on how to http://www.xtra.co.nz/help/0,,4155-1916458,00.html


    I don't recognise this file O4 - HKCU\..\Run: [WNSA] C:\WINDOWS\SYSTEM\wnstssv.exe can you find it & get the properties & version & any other info on it please.

    Reboot then post a new log plz.
     
  5. superdeluxe

    superdeluxe Thread Starter

    Joined:
    Apr 15, 2004
    Messages:
    41
    Thanks again for your expertise in this matter.

    I did everything you asked me too.

    here is new HJT log, followed by your request of information for wnstssv

    Logfile of HijackThis v1.97.7
    Scan saved at 4:53:51 PM, on 4/16/2004
    Platform: Windows ME (Win9x 4.90.3000)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\WINDOWS\SYSTEM\SSDPSRV.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS\SYSTEM\LXSUPMON.EXE
    C:\PROGRAM FILES\[email protected]\[email protected]
    C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\EVNTSVC.EXE
    C:\WINDOWS\SYSTEM\QTTASK.EXE
    C:\PROGRAM FILES\MICROSOFT WORKS\WKSSB.EXE
    C:\WINDOWS\SYSTEM\LEXBCES.EXE
    C:\WINDOWS\SYSTEM\IGFXTRAY.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\PROGRAM FILES\ADAPTEC\EASY CD CREATOR 5\DIRECTCD\DIRECTCD.EXE
    C:\WINDOWS\SYSTEM\RPCSS.EXE
    C:\WINDOWS\SYSTEM\HIDSERV.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\PROGRAM FILES\WINAMP\WINAMPA.EXE
    C:\PROGRAM FILES\ADAPTEC\EASY CD CREATOR 4\CREATECD\CREATECD.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\PROGRAM FILES\AIM95\AIM.EXE
    C:\WINDOWS\SYSTEM\WNSTSSV.EXE
    C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
    C:\WINDOWS\SYSTEM\LEXPPS.EXE
    C:\WINDOWS\SYSTEM\PSTORES.EXE
    C:\WINDOWS\SYSTEM\LECLI32O.EXE
    C:\MY DOCUMENTS\HIJACKTHIS\HIJACKTHIS.EXE

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.livejournal.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.livejournal.com/
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [Hidserv] Hidserv.exe run
    O4 - HKLM\..\Run: [LexStart] Lexstart.exe
    O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\SYSTEM\LXSUPMON.EXE RUN
    O4 - HKLM\..\Run: [seticlient] C:\Program Files\[email protected]\[email protected] -min
    O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
    O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
    O4 - HKLM\..\Run: [QuickTime Task] C:\WINDOWS\SYSTEM\QTTASK.EXE
    O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\SYSTEM\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\SYSTEM\hkcmd.exe
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
    O4 - HKLM\..\Run: [CreateCD50] C:\PROGRA~1\COMMON~1\ADAPTE~1\CREATECD\CREATE~1.EXE -r
    O4 - HKLM\..\Run: [LECLI32O] C:\WINDOWS\SYSTEM\LECLI32O.exe
    O4 - HKLM\..\Run: [CreateCD] C:\PROGRA~1\ADAPTEC\EASYCD~1\CREATECD\CREATECD.EXE -r
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
    O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
    O4 - HKCU\..\Run: [AIM] C:\PROGRAM FILES\AIM95\aim.exe -cnetwait.odl
    O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
    O4 - HKCU\..\Run: [ClockSync] C:\PROGRA~1\CLOCKS~1\Sync.exe /q
    O4 - HKCU\..\Run: [WNSA] C:\WINDOWS\SYSTEM\wnstssv.exe
    O4 - Startup: America Online 7.0 Tray Icon.lnk = C:\Program Files\America Online 7.0\aoltray.exe
    O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsearch.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmcache.html
    O8 - Extra context menu item: Si&milar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsimilar.html
    O8 - Extra context menu item: Backward &Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmbacklinks.html
    O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmtrans.html
    O9 - Extra button: Real.com (HKLM)
    O9 - Extra button: AIM (HKLM)
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...apple.com/qt505/us/win/QuickTimeInstaller.exe
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_41.cab
    O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
    O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab


    WNSTSSV Properties:
    Type of File: Application
    Description: Sear1
    Size:106kb
    size on disk: 112kb
    File Version 1.0.0.1
    Description: sear1 MFC Application
    Copyright (c) 2002
    Created : Monday APril 12, 2004 11:12:23pm
    Modified : Monday April 12, 2004 11:12:24pm

    (FYI, this is about the same date that all my bad files had on it..just past 11pm on monday.)
     
  6. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Joined:
    Aug 27, 2003
    Messages:
    114,247
    That particular file is adware from a program called Purity

    This is info I found on it

    Overview
    PurityScan.b, also called PuritySweep, is distributed by Clickspring LLC and bundled with programs such as Grokster. PurityScan.b starts automatically after reboot and spawns pop-up windows. PurityScan.b has an automatic update feature and may install third party products. PurityScan.b drops its file in %SystemDir%.

    Files
    wtstr.exe, wtssvtr.exe, wtssu.exe, wtssvsu.exe, wtssvit.exe, wnscpsv.exe, wnscpsu.exe, wnscptr.exe, wnscpcc.exe, wnstscc.exe, wnstsit.exe, wnstssv.exe, wnststr.exe, wnstssu.exe, wcpsu.exe, wcpcc.exe, wcpsvsu.exe, wcpsvit.exe, wtscc.exe, wtssvcc.exe, wtsit.exe, wtsitcc.exe

    Cookie
     
  7. superdeluxe

    superdeluxe Thread Starter

    Joined:
    Apr 15, 2004
    Messages:
    41
    Can it be killed?
     
  8. Flrman1

    Flrman1

    Joined:
    Jul 26, 2002
    Messages:
    46,329
    Yes it can be killed.

    Do you have any idea what this is?

    O4 - HKLM\..\Run: [LECLI32O] C:\WINDOWS\SYSTEM\LECLI32O.exe

    If not Go here

    Scroll to the bottom of the page and look for the Submit file section.

    Click on Browse

    Navigate to the :\WINDOWS\SYSTEM folder and upload the .... LECLI32O.exe.... file and let us know what you find.


    Run Hijack This again and put a check by these. Close all windows except HijackThis and click "Fix checked"

    O4 - HKLM\..\Run: [LECLI32O] C:\WINDOWS\SYSTEM\LECLI32O.exe

    O4 - HKCU\..\Run: [ClockSync] C:\PROGRA~1\CLOCKS~1\Sync.exe /q

    O4 - HKCU\..\Run: [WNSA] C:\WINDOWS\SYSTEM\wnstssv.exe


    Restart to safe mode and delete:

    The C:\WINDOWS\SYSTEM\wnstssv.exe file
    The C:\Program Files\ClockSync folder
     
  9. stillearning

    stillearning

    Joined:
    Mar 15, 2004
    Messages:
    389
    Close all (browser) windows & have HJT fix these entries=

    O4 - HKCU\..\Run: [WNSA] C:\WINDOWS\SYSTEM\wnstssv.exe

    Reboot into safe mode following the instructions here. http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406 & navigate to & delete
    C:\WINDOWS\SYSTEM\wnstssv.exe< this one

    That should nuke it.
    Show us another log after to make sure it's gone plz.

    EDIT. Too slow again.
     
  10. superdeluxe

    superdeluxe Thread Starter

    Joined:
    Apr 15, 2004
    Messages:
    41
    I have no clue what the Lego thing is

    So i am going to try that..then do everything else that is suggested..

    HJT coming in about 20-30 minutes thanks!
     
  11. superdeluxe

    superdeluxe Thread Starter

    Joined:
    Apr 15, 2004
    Messages:
    41
    Current object: LECLI32O.exe

    LECLI32O.exe Infected: TrojanDownloader.Win32.VB.ca
    LECLI32O.exe Infected: TrojanDownloader.Win32.VB.ca


    Statistics:
    Known viruses: 86916 Updated: 17.04.2004
    File size (Kb): 64 Scan time: 00:00:01
    Speed (Kb/sec): 65 Virus bodies: 2
    Archives: 0 Packed: 0
    Folders: 0 Files: 1
    Suspicious: 0 Warnings: 0
     
  12. superdeluxe

    superdeluxe Thread Starter

    Joined:
    Apr 15, 2004
    Messages:
    41
    Here is the HJT log.

    Logfile of HijackThis v1.97.7
    Scan saved at 7:03:58 PM, on 4/16/2004
    Platform: Windows ME (Win9x 4.90.3000)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\WINDOWS\SYSTEM\SSDPSRV.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS\SYSTEM\LXSUPMON.EXE
    C:\WINDOWS\SYSTEM\LEXBCES.EXE
    C:\PROGRAM FILES\[email protected]\[email protected]
    C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\EVNTSVC.EXE
    C:\WINDOWS\SYSTEM\QTTASK.EXE
    C:\PROGRAM FILES\MICROSOFT WORKS\WKSSB.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\WINDOWS\SYSTEM\IGFXTRAY.EXE
    C:\WINDOWS\SYSTEM\HIDSERV.EXE
    C:\PROGRAM FILES\ADAPTEC\EASY CD CREATOR 5\DIRECTCD\DIRECTCD.EXE
    C:\PROGRAM FILES\WINAMP\WINAMPA.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\WINDOWS\SYSTEM\RPCSS.EXE
    C:\PROGRAM FILES\ADAPTEC\EASY CD CREATOR 4\CREATECD\CREATECD.EXE
    C:\PROGRAM FILES\AIM95\AIM.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
    C:\WINDOWS\SYSTEM\LEXPPS.EXE
    C:\WINDOWS\SYSTEM\PSTORES.EXE
    C:\MY DOCUMENTS\HIJACKTHIS\HIJACKTHIS.EXE

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.livejournal.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.livejournal.com/
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [Hidserv] Hidserv.exe run
    O4 - HKLM\..\Run: [LexStart] Lexstart.exe
    O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\SYSTEM\LXSUPMON.EXE RUN
    O4 - HKLM\..\Run: [seticlient] C:\Program Files\[email protected]\[email protected] -min
    O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
    O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
    O4 - HKLM\..\Run: [QuickTime Task] C:\WINDOWS\SYSTEM\QTTASK.EXE
    O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\SYSTEM\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\SYSTEM\hkcmd.exe
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
    O4 - HKLM\..\Run: [CreateCD50] C:\PROGRA~1\COMMON~1\ADAPTE~1\CREATECD\CREATE~1.EXE -r
    O4 - HKLM\..\Run: [CreateCD] C:\PROGRA~1\ADAPTEC\EASYCD~1\CREATECD\CREATECD.EXE -r
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
    O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
    O4 - HKCU\..\Run: [AIM] C:\PROGRAM FILES\AIM95\aim.exe -cnetwait.odl
    O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
    O4 - Startup: America Online 7.0 Tray Icon.lnk = C:\Program Files\America Online 7.0\aoltray.exe
    O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsearch.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmcache.html
    O8 - Extra context menu item: Si&milar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsimilar.html
    O8 - Extra context menu item: Backward &Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmbacklinks.html
    O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmtrans.html
    O9 - Extra button: Real.com (HKLM)
    O9 - Extra button: AIM (HKLM)
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...apple.com/qt505/us/win/QuickTimeInstaller.exe
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_41.cab
    O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
    O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
     
  13. Flrman1

    Flrman1

    Joined:
    Jul 26, 2002
    Messages:
    46,329
    Make sure this entry hasn't returned in HJT:

    O4 - HKLM\..\Run: [LECLI32O] C:\WINDOWS\SYSTEM\LECLI32O.exe

    If it has fix it then boot to safe mode and delete the LECLI32O.exe file.
     
  14. superdeluxe

    superdeluxe Thread Starter

    Joined:
    Apr 15, 2004
    Messages:
    41
    Well it looks like it hasnt come back...soooo.
     
  15. Flrman1

    Flrman1

    Joined:
    Jul 26, 2002
    Messages:
    46,329
    Did you delete the LECLI32O.exe file?
     
  16. Sponsor

As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 733,556 other people just like you!

Thread Status:
Not open for further replies.

Short URL to this thread: https://techguy.org/220870

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice