[Solved] Please help, coolweb trojan. hijackthis log included

Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

jedi5

Thread Starter
Joined
Apr 7, 2004
Messages
6
Hello everyone.
My computer just got hit with the CoolWeb trojan. So far I've run Spybot, Ad-aware, Bazooka, CWShredder and nothing seems to work.
Can someone please take a look at my hijack log and help me out.

Thanks to all who reply.

Rafael


Logfile of HijackThis v1.97.7
Scan saved at 12:33:14 PM, on 4/7/2004
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v5.50 (5.50.4134.0100)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\CPQEADM.EXE
C:\WINDOWS\SYSTEM\HIDSERV.EXE
C:\COMPAQ\CPQINET\CPQINET.EXE
C:\PROGRAM FILES\COMPAQ\DIGITAL DASHBOARD\DEVGULP.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\CPQS\BWTOOLS\SCCENTER.EXE
C:\WINDOWS\PCTVOICE.EXE
C:\WINDOWS\SYSTEM\E_S10IC2.EXE
C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\BTTNSERV.EXE
C:\WINDOWS\SYSTEM\LEXBCES.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\NETZERO\EXEC.EXE
C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\EAUSBKBD.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\6AHBY3FF.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\HIJACKTHIS.EXE

O2 - BHO: (no name) - {B549456D-F5D0-4641-BCED-8648A0C13D83} - C:\WINDOWS\BrowserHelper.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Hidserv] Hidserv.exe run
O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\Compaq\Easy Access Button Support\cpqeadm.exe
O4 - HKLM\..\Run: [EACLEAN] C:\Program Files\Compaq\Easy Access Button Support\eaclean.exe
O4 - HKLM\..\Run: [CPQInet] c:\compaq\CPQInet\CpqInet.exe
O4 - HKLM\..\Run: [Digital Dashboard] C:\Program Files\Compaq\Digital Dashboard\DevGulp.exe
O4 - HKLM\..\Run: [Service Connection] c:\cpqs\bwtools\sccenter.exe
O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
O4 - HKLM\..\Run: [PCTVOICE] pctvoice.exe
O4 - HKLM\..\Run: [LexStart] Lexstart.exe
O4 - HKLM\..\Run: [LexmarkPrinTray] PrinTray.exe
O4 - HKLM\..\Run: [EPSON Stylus CX5200] C:\WINDOWS\SYSTEM\E_S10IC2.EXE /P19 "EPSON Stylus CX5200" /O7 "EPUSB1:" /M "Stylus CX5200"
O4 - HKLM\..\Run: [ashMaiSv] C:\PROGRA~1\ALWILS~1\AVAST4\ashmaisv.exe
O4 - HKLM\..\Run: [6AHBY3FF.EXE] C:\WINDOWS\6AHBY3FF.EXE /dk
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [uoltray] C:\PROGRAM FILES\NETZERO\EXEC.EXE regrun
O4 - HKCU\..\Run: [6AHBY3FF.EXE] C:\WINDOWS\6AHBY3FF.EXE /dk
O4 - HKLM\..\RunOnce: [SpyBotSnD] "C:\PROGRAM FILES\SPYBOT - SEARCH & DESTROY\SPYBOTSD.EXE" /autocheck
O4 - Startup: QN2CKC6J.lnk = C:\WINDOWS\qn2ckc6j.exe
O4 - Startup: BOVYP0DU.lnk = C:\WINDOWS\bovyp0du.exe
O4 - Startup: 294L01Q8.lnk = C:\WINDOWS\294l01q8.exe
O4 - Startup: 6BBLCPH3.lnk = C:\WINDOWS\6bblcph3.exe
O4 - Startup: 0E1E2833.lnk = C:\WINDOWS\0e1e2833.exe
O4 - Startup: 71PWFHUA.lnk = C:\WINDOWS\71pwfhua.exe
O4 - Startup: 6YU6CNCF.lnk = C:\WINDOWS\6yu6cncf.exe
O4 - Startup: 6AHBY3FF.lnk = C:\WINDOWS\6ahby3ff.exe
O4 - Startup: IA02HTW2.lnk = C:\WINDOWS\ia02htw2.exe
O4 - Startup: VYLQ5OEE.lnk = C:\WINDOWS\vylq5oee.exe
O4 - Startup: 5NO3RRZG.lnk = C:\WINDOWS\5no3rrzg.exe
O4 - Startup: Y2J7G4Y4.lnk = C:\WINDOWS\y2j7g4y4.exe
O4 - Startup: 9UE1R90V.lnk = C:\WINDOWS\9ue1r90v.exe
O4 - Global Startup: QN2CKC6J.lnk = C:\WINDOWS\qn2ckc6j.exe
O4 - Global Startup: BOVYP0DU.lnk = C:\WINDOWS\bovyp0du.exe
O4 - Global Startup: 294L01Q8.lnk = C:\WINDOWS\294l01q8.exe
O4 - Global Startup: 6BBLCPH3.lnk = C:\WINDOWS\6bblcph3.exe
O4 - Global Startup: 0E1E2833.lnk = C:\WINDOWS\0e1e2833.exe
O4 - Global Startup: 71PWFHUA.lnk = C:\WINDOWS\71pwfhua.exe
O4 - Global Startup: 6YU6CNCF.lnk = C:\WINDOWS\6yu6cncf.exe
O4 - Global Startup: 6AHBY3FF.lnk = C:\WINDOWS\6ahby3ff.exe
O4 - Global Startup: L1H601L0.lnk = C:\WINDOWS\l1h601l0.exe
O4 - Global Startup: IA02HTW2.lnk = C:\WINDOWS\ia02htw2.exe
O4 - Global Startup: VYLQ5OEE.lnk = C:\WINDOWS\vylq5oee.exe
O4 - Global Startup: 5NO3RRZG.lnk = C:\WINDOWS\5no3rrzg.exe
O4 - Global Startup: Y2J7G4Y4.lnk = C:\WINDOWS\y2j7g4y4.exe
O4 - Global Startup: 9UE1R90V.lnk = C:\WINDOWS\9ue1r90v.exe
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: MSN Messenger Service (HKLM)
O9 - Extra button: Translate (HKLM)
O9 - Extra 'Tools' menuitem: AV &Translate (HKLM)
O9 - Extra 'Tools' menuitem: &Find Pages Linking to this URL (HKLM)
O9 - Extra 'Tools' menuitem: Find Other Pages on this &Host (HKLM)
O9 - Extra 'Tools' menuitem: AV Live (HKLM)
O9 - Extra button: Real.com (HKLM)
O12 - Plugin for .wav: C:\Program Files\Netscape\Communicator\Program\PLUGINS\npaudio.dll
O12 - Plugin for .SWF: C:\Program Files\Netscape\Communicator\Program\PLUGINS\npswf32.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {50F65670-1729-11D2-A51F-0020AFE5D502} (ForumChat) - http://forumchat.compuserve.com/applets/RTCChat.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?38083.8697685185
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/7d90ae05585062/housecall.antivirus.com/housecall/xscan53.cab
 
Joined
Oct 9, 2001
Messages
9,396
Download this file here (Adtomi Cleanup.zip).
http://www.wilderssecurity.com/atta...omi_Cleanup.zip for 98 or ME
http://www.wilderssecurity.com/atta...omi_Cleanup.zip for XP

or alternatively from
http://www.thespykiller.co.uk/downloads.htm


It was created by Mosaic1 and is available here with her kind permission.
Then follow the instructions.

First, if you have a Script Blocking Program enabled, disable it so the scripts can run.

Unzip it to C:\Windows

See if there is an Adtomi or Yahoo stocks icon in your system tray. It might be a red ??, and if so, right-click it and select Remove. You must be online for this part.

A web page from Adtomi would appear: "uninstall was successful!" Then go offline.
(Note: not all infections have this icon, so if it isn't there, don't worry.)

Next, press Ctrl+Alt+Del once to bring up the Task Manager and stop the running process for the funny-named file with 8 assorted letters and numbers; it will be listed towards the bottom of the running processes list in your HijackThis log.
There might also be morze1 running; if so, end that process as well.

In your case the process to stop is 6AHBY3FF.EXE

If you don't have any strangely named exe files running, or you can't stop it running, then DO NOT CONTINUE; please ask for more help first.

Now locate and double-click Cleanup.bat, which is in the folder you unzipped (C:\Windows\Adtomi Cleanup).

***Do not touch the VBS files. The bat file will run the scripts.

It will remove the Adtomi Spyware files from the Windows Folder
Clean the Startup Folders
Create Backups of the Adtomi exe files it deletes and save them in this folder
Create a list of all oddly named files deleted from the Windows Folder
Uninstall the BHO
Start HijackThis and give you directions on what to remove.

When you have finished please restart the computer.

Run HijackThis again and post the contents of your new log and the contents of Adtomi.txt in your next reply in your Forum Topic.

;)
 

jedi5

Thread Starter
Joined
Apr 7, 2004
Messages
6
Hi Steve.
Thanks for your quick response.

Here is latest hijack after I did what you suggested.

I couldn't find the Adtomi text though...

Logfile of HijackThis v1.97.7
Scan saved at 1:40:27 PM, on 4/7/2004
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v5.50 (5.50.4134.0100)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\CPQEADM.EXE
C:\COMPAQ\CPQINET\CPQINET.EXE
C:\WINDOWS\SYSTEM\HIDSERV.EXE
C:\PROGRAM FILES\COMPAQ\DIGITAL DASHBOARD\DEVGULP.EXE
C:\CPQS\BWTOOLS\SCCENTER.EXE
C:\WINDOWS\PCTVOICE.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\E_S10IC2.EXE
C:\WINDOWS\SYSTEM\LEXBCES.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\BTTNSERV.EXE
C:\PROGRAM FILES\NETZERO\EXEC.EXE
C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\EAUSBKBD.EXE
C:\WINDOWS\T4LB0D80.EXE
C:\PROGRAM FILES\HIJACKTHIS.EXE

O2 - BHO: (no name) - {B549456D-F5D0-4641-BCED-8648A0C13D83} - C:\WINDOWS\BrowserHelper.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Hidserv] Hidserv.exe run
O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\Compaq\Easy Access Button Support\cpqeadm.exe
O4 - HKLM\..\Run: [EACLEAN] C:\Program Files\Compaq\Easy Access Button Support\eaclean.exe
O4 - HKLM\..\Run: [CPQInet] c:\compaq\CPQInet\CpqInet.exe
O4 - HKLM\..\Run: [Digital Dashboard] C:\Program Files\Compaq\Digital Dashboard\DevGulp.exe
O4 - HKLM\..\Run: [Service Connection] c:\cpqs\bwtools\sccenter.exe
O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
O4 - HKLM\..\Run: [PCTVOICE] pctvoice.exe
O4 - HKLM\..\Run: [LexStart] Lexstart.exe
O4 - HKLM\..\Run: [LexmarkPrinTray] PrinTray.exe
O4 - HKLM\..\Run: [EPSON Stylus CX5200] C:\WINDOWS\SYSTEM\E_S10IC2.EXE /P19 "EPSON Stylus CX5200" /O7 "EPUSB1:" /M "Stylus CX5200"
O4 - HKLM\..\Run: [ashMaiSv] C:\PROGRA~1\ALWILS~1\AVAST4\ashmaisv.exe
O4 - HKLM\..\Run: [T4LB0D80.EXE] C:\WINDOWS\T4LB0D80.EXE /dk
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [uoltray] C:\PROGRAM FILES\NETZERO\EXEC.EXE regrun
O4 - HKCU\..\Run: [T4LB0D80.EXE] C:\WINDOWS\T4LB0D80.EXE /dk
O4 - Startup: QN2CKC6J.lnk = C:\WINDOWS\qn2ckc6j.exe
O4 - Startup: BOVYP0DU.lnk = C:\WINDOWS\bovyp0du.exe
O4 - Startup: 294L01Q8.lnk = C:\WINDOWS\294l01q8.exe
O4 - Startup: 6BBLCPH3.lnk = C:\WINDOWS\6bblcph3.exe
O4 - Startup: 0E1E2833.lnk = C:\WINDOWS\0e1e2833.exe
O4 - Startup: 71PWFHUA.lnk = C:\WINDOWS\71pwfhua.exe
O4 - Startup: 6YU6CNCF.lnk = C:\WINDOWS\6yu6cncf.exe
O4 - Startup: 6AHBY3FF.lnk = C:\WINDOWS\6ahby3ff.exe
O4 - Startup: IA02HTW2.lnk = C:\WINDOWS\ia02htw2.exe
O4 - Startup: T4LB0D80.lnk = C:\WINDOWS\t4lb0d80.exe
O4 - Startup: VYLQ5OEE.lnk = C:\WINDOWS\vylq5oee.exe
O4 - Startup: 5NO3RRZG.lnk = C:\WINDOWS\5no3rrzg.exe
O4 - Startup: Y2J7G4Y4.lnk = C:\WINDOWS\y2j7g4y4.exe
O4 - Startup: 9UE1R90V.lnk = C:\WINDOWS\9ue1r90v.exe
O4 - Global Startup: QN2CKC6J.lnk = C:\WINDOWS\qn2ckc6j.exe
O4 - Global Startup: BOVYP0DU.lnk = C:\WINDOWS\bovyp0du.exe
O4 - Global Startup: 294L01Q8.lnk = C:\WINDOWS\294l01q8.exe
O4 - Global Startup: 6BBLCPH3.lnk = C:\WINDOWS\6bblcph3.exe
O4 - Global Startup: 0E1E2833.lnk = C:\WINDOWS\0e1e2833.exe
O4 - Global Startup: 71PWFHUA.lnk = C:\WINDOWS\71pwfhua.exe
O4 - Global Startup: 6YU6CNCF.lnk = C:\WINDOWS\6yu6cncf.exe
O4 - Global Startup: 6AHBY3FF.lnk = C:\WINDOWS\6ahby3ff.exe
O4 - Global Startup: T4LB0D80.lnk = C:\WINDOWS\t4lb0d80.exe
O4 - Global Startup: L1H601L0.lnk = C:\WINDOWS\l1h601l0.exe
O4 - Global Startup: IA02HTW2.lnk = C:\WINDOWS\ia02htw2.exe
O4 - Global Startup: VYLQ5OEE.lnk = C:\WINDOWS\vylq5oee.exe
O4 - Global Startup: 5NO3RRZG.lnk = C:\WINDOWS\5no3rrzg.exe
O4 - Global Startup: Y2J7G4Y4.lnk = C:\WINDOWS\y2j7g4y4.exe
O4 - Global Startup: 9UE1R90V.lnk = C:\WINDOWS\9ue1r90v.exe
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: MSN Messenger Service (HKLM)
O9 - Extra button: Translate (HKLM)
O9 - Extra 'Tools' menuitem: AV &Translate (HKLM)
O9 - Extra 'Tools' menuitem: &Find Pages Linking to this URL (HKLM)
O9 - Extra 'Tools' menuitem: Find Other Pages on this &Host (HKLM)
O9 - Extra 'Tools' menuitem: AV Live (HKLM)
O9 - Extra button: Real.com (HKLM)
O12 - Plugin for .wav: C:\Program Files\Netscape\Communicator\Program\PLUGINS\npaudio.dll
O12 - Plugin for .SWF: C:\Program Files\Netscape\Communicator\Program\PLUGINS\npswf32.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {50F65670-1729-11D2-A51F-0020AFE5D502} (ForumChat) - http://forumchat.compuserve.com/applets/RTCChat.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?38083.8697685185
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/7d90ae05585062/housecall.antivirus.com/housecall/xscan53.cab
 
Joined
Oct 9, 2001
Messages
9,396
This is a very tough parasite to remove: sometimes the removal tool works and other times it does not.

You will notice the file has morphed (changed its name).

Ctrl-Alt-Del on this like you did the first time, until it's gone from the task list:
T4LB0D80.EXE



Run HijackThis again and put a checkmark against these entries. Double check in case you miss anything, then close all browser and Outlook windows and "fix checked":

O2 - BHO: (no name) - {B549456D-F5D0-4641-BCED-8648A0C13D83} - C:\WINDOWS\BrowserHelper.dll

O4 - HKLM\..\Run: [T4LB0D80.EXE] C:\WINDOWS\T4LB0D80.EXE /dk

O4 - HKCU\..\Run: [T4LB0D80.EXE] C:\WINDOWS\T4LB0D80.EXE /dk
(Note:there are 2 instances of that one)

O4 - Startup: QN2CKC6J.lnk = C:\WINDOWS\qn2ckc6j.exe
O4 - Startup: BOVYP0DU.lnk = C:\WINDOWS\bovyp0du.exe
O4 - Startup: 294L01Q8.lnk = C:\WINDOWS\294l01q8.exe
O4 - Startup: 6BBLCPH3.lnk = C:\WINDOWS\6bblcph3.exe
O4 - Startup: 0E1E2833.lnk = C:\WINDOWS\0e1e2833.exe
O4 - Startup: 71PWFHUA.lnk = C:\WINDOWS\71pwfhua.exe
O4 - Startup: 6YU6CNCF.lnk = C:\WINDOWS\6yu6cncf.exe
O4 - Startup: 6AHBY3FF.lnk = C:\WINDOWS\6ahby3ff.exe
O4 - Startup: IA02HTW2.lnk = C:\WINDOWS\ia02htw2.exe
O4 - Startup: T4LB0D80.lnk = C:\WINDOWS\t4lb0d80.exe
O4 - Startup: VYLQ5OEE.lnk = C:\WINDOWS\vylq5oee.exe
O4 - Startup: 5NO3RRZG.lnk = C:\WINDOWS\5no3rrzg.exe
O4 - Startup: Y2J7G4Y4.lnk = C:\WINDOWS\y2j7g4y4.exe
O4 - Startup: 9UE1R90V.lnk = C:\WINDOWS\9ue1r90v.exe
O4 - Global Startup: QN2CKC6J.lnk = C:\WINDOWS\qn2ckc6j.exe
O4 - Global Startup: BOVYP0DU.lnk = C:\WINDOWS\bovyp0du.exe
O4 - Global Startup: 294L01Q8.lnk = C:\WINDOWS\294l01q8.exe
O4 - Global Startup: 6BBLCPH3.lnk = C:\WINDOWS\6bblcph3.exe
O4 - Global Startup: 0E1E2833.lnk = C:\WINDOWS\0e1e2833.exe
O4 - Global Startup: 71PWFHUA.lnk = C:\WINDOWS\71pwfhua.exe
O4 - Global Startup: 6YU6CNCF.lnk = C:\WINDOWS\6yu6cncf.exe
O4 - Global Startup: 6AHBY3FF.lnk = C:\WINDOWS\6ahby3ff.exe
O4 - Global Startup: T4LB0D80.lnk = C:\WINDOWS\t4lb0d80.exe
O4 - Global Startup: L1H601L0.lnk = C:\WINDOWS\l1h601l0.exe
O4 - Global Startup: IA02HTW2.lnk = C:\WINDOWS\ia02htw2.exe
O4 - Global Startup: VYLQ5OEE.lnk = C:\WINDOWS\vylq5oee.exe
O4 - Global Startup: 5NO3RRZG.lnk = C:\WINDOWS\5no3rrzg.exe
O4 - Global Startup: Y2J7G4Y4.lnk = C:\WINDOWS\y2j7g4y4.exe
O4 - Global Startup: 9UE1R90V.lnk = C:\WINDOWS\9ue1r90v.exe


Remember safe mode?
Go there and delete:
C:\WINDOWS\T4LB0D80.EXE
And the file BrowserHelper.dll <-- from any and all locations it is found. You may have to do a "Start" > "Run" > "Search" for it.

Reboot once more.

Now please show us a fresh HijackThis log .
;)
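As an added example (not from the thread, and not part of the Adtomi cleanup tool): a small Python triage script that applies the pattern $teve is checking for in the logs above, random 8-character executables sitting loose in C:\WINDOWS with HKLM/HKCU Run, Startup and Global Startup launch points plus an unnamed BHO DLL, and shows how a renamed dropper stands out when two consecutive logs are compared. The log excerpts inside it are constructed, modelled on the first and second logs posted above, and the "random name" heuristic is the editor's own, not a HijackThis rule.

```python
"""Triage a HijackThis 1.97 log for the persistence pattern in this thread: random
8-character executables dropped straight into C:\\WINDOWS, registered under both
HKLM and HKCU Run with a /dk switch and mirrored as .lnk files in Startup and
Global Startup, plus an unnamed BHO whose DLL sits loose in C:\\WINDOWS."""
import re

# Constructed excerpts modelled on the first and second logs posted in the thread.
LOG_BEFORE = """\
Running processes:
C:\\WINDOWS\\SYSTEM\\KERNEL32.DLL
C:\\WINDOWS\\TASKMON.EXE
C:\\WINDOWS\\6AHBY3FF.EXE
C:\\WINDOWS\\SYSTEM\\E_S10IC2.EXE

O2 - BHO: (no name) - {B549456D-F5D0-4641-BCED-8648A0C13D83} - C:\\WINDOWS\\BrowserHelper.dll
O4 - HKLM\\..\\Run: [ScanRegistry] C:\\WINDOWS\\scanregw.exe /autorun
O4 - HKLM\\..\\Run: [6AHBY3FF.EXE] C:\\WINDOWS\\6AHBY3FF.EXE /dk
O4 - HKCU\\..\\Run: [6AHBY3FF.EXE] C:\\WINDOWS\\6AHBY3FF.EXE /dk
O4 - Startup: 6AHBY3FF.lnk = C:\\WINDOWS\\6ahby3ff.exe
O4 - Global Startup: 6AHBY3FF.lnk = C:\\WINDOWS\\6ahby3ff.exe
O4 - Global Startup: L1H601L0.lnk = C:\\WINDOWS\\l1h601l0.exe
"""
# After the first cleanup attempt the dropper was back under a new name (T4LB0D80).
LOG_AFTER = LOG_BEFORE.replace("6AHBY3FF", "T4LB0D80").replace("6ahby3ff", "t4lb0d80")

O4_RE = re.compile(r"^O4 - (?P<loc>[^:]+): (?:\[[^\]]*\] )?(?P<cmd>.+)$")
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.+?) - \{[0-9A-F-]+\} - (?P<path>.+)$", re.I)
# Exactly eight letters/digits with at least one of each: 6AHBY3FF yes, SCANREGW no.
RANDOM_STEM_RE = re.compile(r"^(?=.*\d)(?=.*[A-Z])[A-Z0-9]{8}$", re.I)

def target_path(command):
    """File path from an O4 command line or from a '<x>.lnk = <target>' pair."""
    if " = " in command:
        command = command.split(" = ", 1)[1]
    m = re.match(r'^"?(.*?\.(?:exe|com|bat|pif|scr|dll))\b', command.strip(), re.I)
    return m.group(1) if m else command.strip()

def loose_in_windows(path):
    """Upper-cased file name if the path is directly inside C:\\WINDOWS, else None."""
    parts = path.upper().split("\\")
    return parts[2] if len(parts) == 3 and parts[:2] == ["C:", "WINDOWS"] else None

def is_random_exe(path):
    """True for C:\\WINDOWS\\T4LB0D80.EXE; False for PCTVOICE.EXE or anything in SYSTEM."""
    name = loose_in_windows(path)
    return bool(name and name.endswith(".EXE") and RANDOM_STEM_RE.match(name[:-4]))

def triage(log_text):
    """Processes to end first, O4 lines to fix, loose unnamed BHOs, and how many
    launch points each random executable is registered from."""
    report = {"running": [], "fix": [], "bho": [], "launch_points": {}}
    in_processes = False
    for line in (raw.strip() for raw in log_text.splitlines()):
        if line.startswith("Running processes:"):
            in_processes = True
        elif not line:
            in_processes = False  # blank line ends the process list
        elif in_processes:
            if is_random_exe(line):
                report["running"].append(line)
        elif m := O4_RE.match(line):
            path = target_path(m.group("cmd"))
            if is_random_exe(path):
                report["fix"].append(line)
                name = loose_in_windows(path)
                report["launch_points"][name] = report["launch_points"].get(name, 0) + 1
        elif (m := O2_RE.match(line)) and m.group("name") == "(no name)":
            # A nameless BHO whose DLL lives in C:\WINDOWS itself, not in a product folder.
            if loose_in_windows(m.group("path")):
                report["bho"].append(line)
    return report

def morphed(before, after):
    """(vanished, appeared) random executables between two logs; a new name with the
    same footprint means the dropper renamed itself rather than being removed."""
    old = {loose_in_windows(p) for p in before["running"]}
    new = {loose_in_windows(p) for p in after["running"]}
    return old - new, new - old
```

Calling triage(LOG_BEFORE) returns the single process to end first, the five O4 lines to fix and a launch-point count of 4 for 6AHBY3FF.EXE; morphed(triage(LOG_BEFORE), triage(LOG_AFTER)) reports 6AHBY3FF.EXE vanished and T4LB0D80.EXE appeared, which is the "morphed" case in the post above.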
 
Joined
Oct 9, 2001
Messages
9,396
Edit: C:\WINDOWS\BrowserHelper.dll is one location, but I would do a search for any more.
If I'm not around when you get back, I'll try to find a tech to keep an eye on this post.
;)
 

jedi5

Thread Starter
Joined
Apr 7, 2004
Messages
6
I think I got BrowserHelper.dll.
I searched twice after I deleted it the first time and nothing showed up.
Here is my latest hijack log.

Please advise.

Thanks
Rafael

Logfile of HijackThis v1.97.7
Scan saved at 2:30:37 PM, on 4/7/2004
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v5.50 (5.50.4134.0100)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\HIDSERV.EXE
C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\CPQEADM.EXE
C:\COMPAQ\CPQINET\CPQINET.EXE
C:\PROGRAM FILES\COMPAQ\DIGITAL DASHBOARD\DEVGULP.EXE
C:\CPQS\BWTOOLS\SCCENTER.EXE
C:\WINDOWS\PCTVOICE.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\PRINTRAY.EXE
C:\WINDOWS\SYSTEM\E_S10IC2.EXE
C:\WINDOWS\SYSTEM\LEXBCES.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\PROGRAM FILES\NETZERO\EXEC.EXE
C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\BTTNSERV.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\EAUSBKBD.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\HIJACKTHIS.EXE

O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Hidserv] Hidserv.exe run
O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\Compaq\Easy Access Button Support\cpqeadm.exe
O4 - HKLM\..\Run: [EACLEAN] C:\Program Files\Compaq\Easy Access Button Support\eaclean.exe
O4 - HKLM\..\Run: [CPQInet] c:\compaq\CPQInet\CpqInet.exe
O4 - HKLM\..\Run: [Digital Dashboard] C:\Program Files\Compaq\Digital Dashboard\DevGulp.exe
O4 - HKLM\..\Run: [Service Connection] c:\cpqs\bwtools\sccenter.exe
O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
O4 - HKLM\..\Run: [PCTVOICE] pctvoice.exe
O4 - HKLM\..\Run: [LexStart] Lexstart.exe
O4 - HKLM\..\Run: [LexmarkPrinTray] PrinTray.exe
O4 - HKLM\..\Run: [EPSON Stylus CX5200] C:\WINDOWS\SYSTEM\E_S10IC2.EXE /P19 "EPSON Stylus CX5200" /O7 "EPUSB1:" /M "Stylus CX5200"
O4 - HKLM\..\Run: [ashMaiSv] C:\PROGRA~1\ALWILS~1\AVAST4\ashmaisv.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [uoltray] C:\PROGRAM FILES\NETZERO\EXEC.EXE regrun
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: MSN Messenger Service (HKLM)
O9 - Extra button: Translate (HKLM)
O9 - Extra 'Tools' menuitem: AV &Translate (HKLM)
O9 - Extra 'Tools' menuitem: &Find Pages Linking to this URL (HKLM)
O9 - Extra 'Tools' menuitem: Find Other Pages on this &Host (HKLM)
O9 - Extra 'Tools' menuitem: AV Live (HKLM)
O9 - Extra button: Real.com (HKLM)
O12 - Plugin for .wav: C:\Program Files\Netscape\Communicator\Program\PLUGINS\npaudio.dll
O12 - Plugin for .SWF: C:\Program Files\Netscape\Communicator\Program\PLUGINS\npswf32.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {50F65670-1729-11D2-A51F-0020AFE5D502} (ForumChat) - http://forumchat.compuserve.com/applets/RTCChat.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?38083.8697685185
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/7d90ae05585062/housecall.antivirus.com/housecall/xscan53.cab
 

jedi5

Thread Starter
Joined
Apr 7, 2004
Messages
6
I ran the latest Adtomi Cleaner and this is the latest hijack log I have:

Logfile of HijackThis v1.97.7
Scan saved at 4:06:29 PM, on 4/7/2004
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v5.50 (5.50.4134.0100)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\HIDSERV.EXE
C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\CPQEADM.EXE
C:\COMPAQ\CPQINET\CPQINET.EXE
C:\PROGRAM FILES\COMPAQ\DIGITAL DASHBOARD\DEVGULP.EXE
C:\CPQS\BWTOOLS\SCCENTER.EXE
C:\WINDOWS\PCTVOICE.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\E_S10IC2.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\BTTNSERV.EXE
C:\PROGRAM FILES\NETZERO\EXEC.EXE
C:\WINDOWS\SYSTEM\LEXBCES.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\EAUSBKBD.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\WSCRIPT.EXE
C:\PROGRAM FILES\HIJACKTHIS.EXE

O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Hidserv] Hidserv.exe run
O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\Compaq\Easy Access Button Support\cpqeadm.exe
O4 - HKLM\..\Run: [EACLEAN] C:\Program Files\Compaq\Easy Access Button Support\eaclean.exe
O4 - HKLM\..\Run: [CPQInet] c:\compaq\CPQInet\CpqInet.exe
O4 - HKLM\..\Run: [Digital Dashboard] C:\Program Files\Compaq\Digital Dashboard\DevGulp.exe
O4 - HKLM\..\Run: [Service Connection] c:\cpqs\bwtools\sccenter.exe
O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
O4 - HKLM\..\Run: [PCTVOICE] pctvoice.exe
O4 - HKLM\..\Run: [LexStart] Lexstart.exe
O4 - HKLM\..\Run: [LexmarkPrinTray] PrinTray.exe
O4 - HKLM\..\Run: [EPSON Stylus CX5200] C:\WINDOWS\SYSTEM\E_S10IC2.EXE /P19 "EPSON Stylus CX5200" /O7 "EPUSB1:" /M "Stylus CX5200"
O4 - HKLM\..\Run: [ashMaiSv] C:\PROGRA~1\ALWILS~1\AVAST4\ashmaisv.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [uoltray] C:\PROGRAM FILES\NETZERO\EXEC.EXE regrun
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: MSN Messenger Service (HKLM)
O9 - Extra button: Translate (HKLM)
O9 - Extra 'Tools' menuitem: AV &Translate (HKLM)
O9 - Extra 'Tools' menuitem: &Find Pages Linking to this URL (HKLM)
O9 - Extra 'Tools' menuitem: Find Other Pages on this &Host (HKLM)
O9 - Extra 'Tools' menuitem: AV Live (HKLM)
O9 - Extra button: Real.com (HKLM)
O12 - Plugin for .wav: C:\Program Files\Netscape\Communicator\Program\PLUGINS\npaudio.dll
O12 - Plugin for .SWF: C:\Program Files\Netscape\Communicator\Program\PLUGINS\npswf32.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {50F65670-1729-11D2-A51F-0020AFE5D502} (ForumChat) - http://forumchat.compuserve.com/applets/RTCChat.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?38083.8697685185
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/7d90ae05585062/housecall.antivirus.com/housecall/xscan53.cab
 
Joined
Aug 18, 2003
Messages
2,438
$teve asked me to stop by this thread ...

I don't see anything malicious in that HJT log ... is your problem solved?
 

jedi5

Thread Starter
Joined
Apr 7, 2004
Messages
6
LOL, you're asking me??? :) :) :)

As far as I can tell, no problems here. I've rebooted this machine several times now and I'm not getting any of those error messages, nor am I getting 100 popups.

Do you think the problem has been solved now?

Thanks for looking.
Rafael
 
Joined
Oct 9, 2001
Messages
9,396
Yes....it's gone...........that's excellent news!
Now all you need to do is get some protection or it will happen again for sure.
Click the "Want to know" link.
;)
 

jedi5

Thread Starter
Joined
Apr 7, 2004
Messages
6
Sorry to bump this thread, but I wanted to thank Steve, Winchester, and this site for helping me out.

This site rocks.
I'll have to put you guys on my favorites now...

<right behind my porn> :p :p


Thanks again

Rafael :) :)
 
Joined
Oct 9, 2001
Messages
9,396
Rafael........thanks for the flowers.......you're welcome....
always a pleasure
;)
 
Joined
Jul 26, 2002
Messages
46,349
I'm closing this thread. If you need it reopened please PM me or one of the other mods.

Anyone else with a similar problem please start a "New Thread".
 