
[Solved] Please help, coolweb trojan. hijackthis log included

Discussion in 'Virus & Other Malware Removal' started by jedi5, Apr 7, 2004.

Thread Status:
Not open for further replies.
  1. jedi5

    jedi5 Thread Starter

    Joined:
    Apr 7, 2004
    Messages:
    6
    Hello everyone.
    My computer just got hit with the coolweb trojan. So far I've run spybot, adware, bazooka, cwshredder and nothing seems to work.
    Can someone please take a look at my hijack log and help me out.

    Thanks to all who reply.

    Rafael


    Logfile of HijackThis v1.97.7
    Scan saved at 12:33:14 PM, on 4/7/2004
    Platform: Windows ME (Win9x 4.90.3000)
    MSIE: Internet Explorer v5.50 (5.50.4134.0100)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\WINDOWS\SYSTEM\STIMON.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\CPQEADM.EXE
    C:\WINDOWS\SYSTEM\HIDSERV.EXE
    C:\COMPAQ\CPQINET\CPQINET.EXE
    C:\PROGRAM FILES\COMPAQ\DIGITAL DASHBOARD\DEVGULP.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\CPQS\BWTOOLS\SCCENTER.EXE
    C:\WINDOWS\PCTVOICE.EXE
    C:\WINDOWS\SYSTEM\E_S10IC2.EXE
    C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\BTTNSERV.EXE
    C:\WINDOWS\SYSTEM\LEXBCES.EXE
    C:\WINDOWS\SYSTEM\RPCSS.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\PROGRAM FILES\NETZERO\EXEC.EXE
    C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\EAUSBKBD.EXE
    C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
    C:\WINDOWS\6AHBY3FF.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\PROGRAM FILES\HIJACKTHIS.EXE

    O2 - BHO: (no name) - {B549456D-F5D0-4641-BCED-8648A0C13D83} - C:\WINDOWS\BrowserHelper.dll
    O3 - Toolbar: @msdxmLC.dll,-1@1,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [Hidserv] Hidserv.exe run
    O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\Compaq\Easy Access Button Support\cpqeadm.exe
    O4 - HKLM\..\Run: [EACLEAN] C:\Program Files\Compaq\Easy Access Button Support\eaclean.exe
    O4 - HKLM\..\Run: [CPQInet] c:\compaq\CPQInet\CpqInet.exe
    O4 - HKLM\..\Run: [Digital Dashboard] C:\Program Files\Compaq\Digital Dashboard\DevGulp.exe
    O4 - HKLM\..\Run: [Service Connection] c:\cpqs\bwtools\sccenter.exe
    O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
    O4 - HKLM\..\Run: [PCTVOICE] pctvoice.exe
    O4 - HKLM\..\Run: [LexStart] Lexstart.exe
    O4 - HKLM\..\Run: [LexmarkPrinTray] PrinTray.exe
    O4 - HKLM\..\Run: [EPSON Stylus CX5200] C:\WINDOWS\SYSTEM\E_S10IC2.EXE /P19 "EPSON Stylus CX5200" /O7 "EPUSB1:" /M "Stylus CX5200"
    O4 - HKLM\..\Run: [ashMaiSv] C:\PROGRA~1\ALWILS~1\AVAST4\ashmaisv.exe
    O4 - HKLM\..\Run: [6AHBY3FF.EXE] C:\WINDOWS\6AHBY3FF.EXE /dk
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
    O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
    O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
    O4 - HKCU\..\Run: [uoltray] C:\PROGRAM FILES\NETZERO\EXEC.EXE regrun
    O4 - HKCU\..\Run: [6AHBY3FF.EXE] C:\WINDOWS\6AHBY3FF.EXE /dk
    O4 - HKLM\..\RunOnce: [SpyBotSnD] "C:\PROGRAM FILES\SPYBOT - SEARCH & DESTROY\SPYBOTSD.EXE" /autocheck
    O4 - Startup: QN2CKC6J.lnk = C:\WINDOWS\qn2ckc6j.exe
    O4 - Startup: BOVYP0DU.lnk = C:\WINDOWS\bovyp0du.exe
    O4 - Startup: 294L01Q8.lnk = C:\WINDOWS\294l01q8.exe
    O4 - Startup: 6BBLCPH3.lnk = C:\WINDOWS\6bblcph3.exe
    O4 - Startup: 0E1E2833.lnk = C:\WINDOWS\0e1e2833.exe
    O4 - Startup: 71PWFHUA.lnk = C:\WINDOWS\71pwfhua.exe
    O4 - Startup: 6YU6CNCF.lnk = C:\WINDOWS\6yu6cncf.exe
    O4 - Startup: 6AHBY3FF.lnk = C:\WINDOWS\6ahby3ff.exe
    O4 - Startup: IA02HTW2.lnk = C:\WINDOWS\ia02htw2.exe
    O4 - Startup: VYLQ5OEE.lnk = C:\WINDOWS\vylq5oee.exe
    O4 - Startup: 5NO3RRZG.lnk = C:\WINDOWS\5no3rrzg.exe
    O4 - Startup: Y2J7G4Y4.lnk = C:\WINDOWS\y2j7g4y4.exe
    O4 - Startup: 9UE1R90V.lnk = C:\WINDOWS\9ue1r90v.exe
    O4 - Global Startup: QN2CKC6J.lnk = C:\WINDOWS\qn2ckc6j.exe
    O4 - Global Startup: BOVYP0DU.lnk = C:\WINDOWS\bovyp0du.exe
    O4 - Global Startup: 294L01Q8.lnk = C:\WINDOWS\294l01q8.exe
    O4 - Global Startup: 6BBLCPH3.lnk = C:\WINDOWS\6bblcph3.exe
    O4 - Global Startup: 0E1E2833.lnk = C:\WINDOWS\0e1e2833.exe
    O4 - Global Startup: 71PWFHUA.lnk = C:\WINDOWS\71pwfhua.exe
    O4 - Global Startup: 6YU6CNCF.lnk = C:\WINDOWS\6yu6cncf.exe
    O4 - Global Startup: 6AHBY3FF.lnk = C:\WINDOWS\6ahby3ff.exe
    O4 - Global Startup: L1H601L0.lnk = C:\WINDOWS\l1h601l0.exe
    O4 - Global Startup: IA02HTW2.lnk = C:\WINDOWS\ia02htw2.exe
    O4 - Global Startup: VYLQ5OEE.lnk = C:\WINDOWS\vylq5oee.exe
    O4 - Global Startup: 5NO3RRZG.lnk = C:\WINDOWS\5no3rrzg.exe
    O4 - Global Startup: Y2J7G4Y4.lnk = C:\WINDOWS\y2j7g4y4.exe
    O4 - Global Startup: 9UE1R90V.lnk = C:\WINDOWS\9ue1r90v.exe
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: MSN Messenger Service (HKLM)
    O9 - Extra button: Translate (HKLM)
    O9 - Extra 'Tools' menuitem: AV &Translate (HKLM)
    O9 - Extra 'Tools' menuitem: &Find Pages Linking to this URL (HKLM)
    O9 - Extra 'Tools' menuitem: Find Other Pages on this &Host (HKLM)
    O9 - Extra 'Tools' menuitem: AV Live (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O12 - Plugin for .wav: C:\Program Files\Netscape\Communicator\Program\PLUGINS\npaudio.dll
    O12 - Plugin for .SWF: C:\Program Files\Netscape\Communicator\Program\PLUGINS\npswf32.dll
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {50F65670-1729-11D2-A51F-0020AFE5D502} (ForumChat) - http://forumchat.compuserve.com/applets/RTCChat.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?38083.8697685185
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/7d90ae05585062/housecall.antivirus.com/housecall/xscan53.cab
     
  2. $teve

    $teve

    Joined:
    Oct 9, 2001
    Messages:
    9,396
    Download this file here (Adtomi Cleanup.zip).
    http://www.wilderssecurity.com/atta...omi_Cleanup.zip for 98 or ME
    http://www.wilderssecurity.com/atta...omi_Cleanup.zip for XP

    or alternatively from
    http://www.thespykiller.co.uk/downloads.htm


    It was created by Mosaic1 and is available here with her kind permission
    And follow the instructions.

    First If you have a Script Blocking Program enabled, disable it first so the scripts may run.

    Unzip it to C:\Windows

    See if there is an Adtomi or yahoo stocks icon in your system tray, it might be a red ?? and if so right click and select remove, you must be online for this part

    --A web page from Adtomi would appear "-uninstall was successful!"
    then go off line
    (note not all infections have this icon, so if it isn't there then don't worry)

    next press ctrl+ALT+DEL once to bring up task manager & stop the running process on the funny named file with 8 assorted letters & numbers, that will be listed towards the bottom of the running process list in your hijackthis log,
    and there might also be morze1 running, if so end that process as well

    In your case the process to stop is 6AHBY3FF.EXE

    if you don't have any strange named exe files running or you can't stop it running, then DO NOT CONTINUE, please ask for more help first

    Now locate and Double Click Cleanup.bat that is in the folder you unzipped ( C:\Windows\Adtomi Cleanup )

    ***Do not Touch the VBS files. The bat file will run the scripts.

    It will remove the Adtomi Spyware files from the Windows Folder
    Clean the Startup Folders
    Create Backups of the Adtomi exe files it deletes and save them in this folder
    Create a list of all oddly named files deleted from the Windows Folder
    Uninstall the BHO
    Start HijackThis and give you directions on what to remove.

    When you have finished please restart the computer.

    Run HijackThis again and post the contents of your new log and the contents of Adtomi.txt in your next reply in your Forum Topic.

    ;)
     
  3. jedi5

    jedi5 Thread Starter

    Joined:
    Apr 7, 2004
    Messages:
    6
    Hi Steve.
    Thanks for your quick response.

    Here is latest hijack after I did what you suggested.

    I couldn't find the Adtomi text though...

    Logfile of HijackThis v1.97.7
    Scan saved at 1:40:27 PM, on 4/7/2004
    Platform: Windows ME (Win9x 4.90.3000)
    MSIE: Internet Explorer v5.50 (5.50.4134.0100)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\WINDOWS\SYSTEM\STIMON.EXE
    C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\CPQEADM.EXE
    C:\COMPAQ\CPQINET\CPQINET.EXE
    C:\WINDOWS\SYSTEM\HIDSERV.EXE
    C:\PROGRAM FILES\COMPAQ\DIGITAL DASHBOARD\DEVGULP.EXE
    C:\CPQS\BWTOOLS\SCCENTER.EXE
    C:\WINDOWS\PCTVOICE.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\WINDOWS\SYSTEM\E_S10IC2.EXE
    C:\WINDOWS\SYSTEM\LEXBCES.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\WINDOWS\SYSTEM\RPCSS.EXE
    C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\BTTNSERV.EXE
    C:\PROGRAM FILES\NETZERO\EXEC.EXE
    C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\EAUSBKBD.EXE
    C:\WINDOWS\T4LB0D80.EXE
    C:\PROGRAM FILES\HIJACKTHIS.EXE

    O2 - BHO: (no name) - {B549456D-F5D0-4641-BCED-8648A0C13D83} - C:\WINDOWS\BrowserHelper.dll
    O3 - Toolbar: @msdxmLC.dll,-1@1,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [Hidserv] Hidserv.exe run
    O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\Compaq\Easy Access Button Support\cpqeadm.exe
    O4 - HKLM\..\Run: [EACLEAN] C:\Program Files\Compaq\Easy Access Button Support\eaclean.exe
    O4 - HKLM\..\Run: [CPQInet] c:\compaq\CPQInet\CpqInet.exe
    O4 - HKLM\..\Run: [Digital Dashboard] C:\Program Files\Compaq\Digital Dashboard\DevGulp.exe
    O4 - HKLM\..\Run: [Service Connection] c:\cpqs\bwtools\sccenter.exe
    O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
    O4 - HKLM\..\Run: [PCTVOICE] pctvoice.exe
    O4 - HKLM\..\Run: [LexStart] Lexstart.exe
    O4 - HKLM\..\Run: [LexmarkPrinTray] PrinTray.exe
    O4 - HKLM\..\Run: [EPSON Stylus CX5200] C:\WINDOWS\SYSTEM\E_S10IC2.EXE /P19 "EPSON Stylus CX5200" /O7 "EPUSB1:" /M "Stylus CX5200"
    O4 - HKLM\..\Run: [ashMaiSv] C:\PROGRA~1\ALWILS~1\AVAST4\ashmaisv.exe
    O4 - HKLM\..\Run: [T4LB0D80.EXE] C:\WINDOWS\T4LB0D80.EXE /dk
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
    O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
    O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
    O4 - HKCU\..\Run: [uoltray] C:\PROGRAM FILES\NETZERO\EXEC.EXE regrun
    O4 - HKCU\..\Run: [T4LB0D80.EXE] C:\WINDOWS\T4LB0D80.EXE /dk
    O4 - Startup: QN2CKC6J.lnk = C:\WINDOWS\qn2ckc6j.exe
    O4 - Startup: BOVYP0DU.lnk = C:\WINDOWS\bovyp0du.exe
    O4 - Startup: 294L01Q8.lnk = C:\WINDOWS\294l01q8.exe
    O4 - Startup: 6BBLCPH3.lnk = C:\WINDOWS\6bblcph3.exe
    O4 - Startup: 0E1E2833.lnk = C:\WINDOWS\0e1e2833.exe
    O4 - Startup: 71PWFHUA.lnk = C:\WINDOWS\71pwfhua.exe
    O4 - Startup: 6YU6CNCF.lnk = C:\WINDOWS\6yu6cncf.exe
    O4 - Startup: 6AHBY3FF.lnk = C:\WINDOWS\6ahby3ff.exe
    O4 - Startup: IA02HTW2.lnk = C:\WINDOWS\ia02htw2.exe
    O4 - Startup: T4LB0D80.lnk = C:\WINDOWS\t4lb0d80.exe
    O4 - Startup: VYLQ5OEE.lnk = C:\WINDOWS\vylq5oee.exe
    O4 - Startup: 5NO3RRZG.lnk = C:\WINDOWS\5no3rrzg.exe
    O4 - Startup: Y2J7G4Y4.lnk = C:\WINDOWS\y2j7g4y4.exe
    O4 - Startup: 9UE1R90V.lnk = C:\WINDOWS\9ue1r90v.exe
    O4 - Global Startup: QN2CKC6J.lnk = C:\WINDOWS\qn2ckc6j.exe
    O4 - Global Startup: BOVYP0DU.lnk = C:\WINDOWS\bovyp0du.exe
    O4 - Global Startup: 294L01Q8.lnk = C:\WINDOWS\294l01q8.exe
    O4 - Global Startup: 6BBLCPH3.lnk = C:\WINDOWS\6bblcph3.exe
    O4 - Global Startup: 0E1E2833.lnk = C:\WINDOWS\0e1e2833.exe
    O4 - Global Startup: 71PWFHUA.lnk = C:\WINDOWS\71pwfhua.exe
    O4 - Global Startup: 6YU6CNCF.lnk = C:\WINDOWS\6yu6cncf.exe
    O4 - Global Startup: 6AHBY3FF.lnk = C:\WINDOWS\6ahby3ff.exe
    O4 - Global Startup: T4LB0D80.lnk = C:\WINDOWS\t4lb0d80.exe
    O4 - Global Startup: L1H601L0.lnk = C:\WINDOWS\l1h601l0.exe
    O4 - Global Startup: IA02HTW2.lnk = C:\WINDOWS\ia02htw2.exe
    O4 - Global Startup: VYLQ5OEE.lnk = C:\WINDOWS\vylq5oee.exe
    O4 - Global Startup: 5NO3RRZG.lnk = C:\WINDOWS\5no3rrzg.exe
    O4 - Global Startup: Y2J7G4Y4.lnk = C:\WINDOWS\y2j7g4y4.exe
    O4 - Global Startup: 9UE1R90V.lnk = C:\WINDOWS\9ue1r90v.exe
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: MSN Messenger Service (HKLM)
    O9 - Extra button: Translate (HKLM)
    O9 - Extra 'Tools' menuitem: AV &Translate (HKLM)
    O9 - Extra 'Tools' menuitem: &Find Pages Linking to this URL (HKLM)
    O9 - Extra 'Tools' menuitem: Find Other Pages on this &Host (HKLM)
    O9 - Extra 'Tools' menuitem: AV Live (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O12 - Plugin for .wav: C:\Program Files\Netscape\Communicator\Program\PLUGINS\npaudio.dll
    O12 - Plugin for .SWF: C:\Program Files\Netscape\Communicator\Program\PLUGINS\npswf32.dll
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {50F65670-1729-11D2-A51F-0020AFE5D502} (ForumChat) - http://forumchat.compuserve.com/applets/RTCChat.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?38083.8697685185
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/7d90ae05585062/housecall.antivirus.com/housecall/xscan53.cab
     
  4. $teve

    $teve

    Joined:
    Oct 9, 2001
    Messages:
    9,396
    This is a very tough parasite to remove :rolleye: sometimes the removal tool works and others it does not.

    You will notice the file has morphed (changed its name)

    Ctrl-Alt-Del on this like you did the 1st time until it's gone from the task list.
    T4LB0D80.EXE



    Run hijackthis again and put a checkmark against these entries....double check
    in case you miss anything....
    .....then,close all browser and outlook windows and "fix checked"

    O2 - BHO: (no name) - {B549456D-F5D0-4641-BCED-8648A0C13D83} - C:\WINDOWS\BrowserHelper.dll

    O4 - HKLM\..\Run: [T4LB0D80.EXE] C:\WINDOWS\T4LB0D80.EXE /dk

    O4 - HKCU\..\Run: [T4LB0D80.EXE] C:\WINDOWS\T4LB0D80.EXE /dk
    (Note:there are 2 instances of that one)

    O4 - Startup: QN2CKC6J.lnk = C:\WINDOWS\qn2ckc6j.exe
    O4 - Startup: BOVYP0DU.lnk = C:\WINDOWS\bovyp0du.exe
    O4 - Startup: 294L01Q8.lnk = C:\WINDOWS\294l01q8.exe
    O4 - Startup: 6BBLCPH3.lnk = C:\WINDOWS\6bblcph3.exe
    O4 - Startup: 0E1E2833.lnk = C:\WINDOWS\0e1e2833.exe
    O4 - Startup: 71PWFHUA.lnk = C:\WINDOWS\71pwfhua.exe
    O4 - Startup: 6YU6CNCF.lnk = C:\WINDOWS\6yu6cncf.exe
    O4 - Startup: 6AHBY3FF.lnk = C:\WINDOWS\6ahby3ff.exe
    O4 - Startup: IA02HTW2.lnk = C:\WINDOWS\ia02htw2.exe
    O4 - Startup: T4LB0D80.lnk = C:\WINDOWS\t4lb0d80.exe
    O4 - Startup: VYLQ5OEE.lnk = C:\WINDOWS\vylq5oee.exe
    O4 - Startup: 5NO3RRZG.lnk = C:\WINDOWS\5no3rrzg.exe
    O4 - Startup: Y2J7G4Y4.lnk = C:\WINDOWS\y2j7g4y4.exe
    O4 - Startup: 9UE1R90V.lnk = C:\WINDOWS\9ue1r90v.exe
    O4 - Global Startup: QN2CKC6J.lnk = C:\WINDOWS\qn2ckc6j.exe
    O4 - Global Startup: BOVYP0DU.lnk = C:\WINDOWS\bovyp0du.exe
    O4 - Global Startup: 294L01Q8.lnk = C:\WINDOWS\294l01q8.exe
    O4 - Global Startup: 6BBLCPH3.lnk = C:\WINDOWS\6bblcph3.exe
    O4 - Global Startup: 0E1E2833.lnk = C:\WINDOWS\0e1e2833.exe
    O4 - Global Startup: 71PWFHUA.lnk = C:\WINDOWS\71pwfhua.exe
    O4 - Global Startup: 6YU6CNCF.lnk = C:\WINDOWS\6yu6cncf.exe
    O4 - Global Startup: 6AHBY3FF.lnk = C:\WINDOWS\6ahby3ff.exe
    O4 - Global Startup: T4LB0D80.lnk = C:\WINDOWS\t4lb0d80.exe
    O4 - Global Startup: L1H601L0.lnk = C:\WINDOWS\l1h601l0.exe
    O4 - Global Startup: IA02HTW2.lnk = C:\WINDOWS\ia02htw2.exe
    O4 - Global Startup: VYLQ5OEE.lnk = C:\WINDOWS\vylq5oee.exe
    O4 - Global Startup: 5NO3RRZG.lnk = C:\WINDOWS\5no3rrzg.exe
    O4 - Global Startup: Y2J7G4Y4.lnk = C:\WINDOWS\y2j7g4y4.exe
    O4 - Global Startup: 9UE1R90V.lnk = C:\WINDOWS\9ue1r90v.exe


    Remember safe mode?
    Go there and delete:
    C:\WINDOWS\T4LB0D80.EXE
    And BrowserHelper.dll <-- file .. from any and all locations it is found. You may have to do a "start">"run">Search" for it.

    Reboot once more.

    Now please show us a fresh HijackThis log .
    ;)
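    As an added example, not code from the thread or from the Adtomi/HijackThis tools it mentions, the following Python applies the two heuristics $teve uses in posts 2 and 4 to constructed excerpts of jedi5's logs: flag any running process or O4 autorun whose target is an 8-character mixed letter-and-digit .exe sitting directly in C:\WINDOWS, list the O2/O4 lines a helper would tick for "fix checked", and diff two logs to show the file "morphing" from one random name to another. The excerpt strings and all function names are assumptions for the example.

```python
import re
from typing import List, Set, Tuple

# Constructed excerpts modelled on the thread's first and second HijackThis logs
# (trimmed to the lines that matter; not the full logs posted above).
LOG_BEFORE = r"""
Running processes:
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\PCTVOICE.EXE
C:\WINDOWS\SYSTEM\E_S10IC2.EXE
C:\WINDOWS\6AHBY3FF.EXE
C:\PROGRAM FILES\HIJACKTHIS.EXE

O2 - BHO: (no name) - {B549456D-F5D0-4641-BCED-8648A0C13D83} - C:\WINDOWS\BrowserHelper.dll
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [6AHBY3FF.EXE] C:\WINDOWS\6AHBY3FF.EXE /dk
O4 - HKCU\..\Run: [6AHBY3FF.EXE] C:\WINDOWS\6AHBY3FF.EXE /dk
O4 - Startup: QN2CKC6J.lnk = C:\WINDOWS\qn2ckc6j.exe
O4 - Global Startup: 6AHBY3FF.lnk = C:\WINDOWS\6ahby3ff.exe
"""

LOG_AFTER = r"""
Running processes:
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\PCTVOICE.EXE
C:\WINDOWS\SYSTEM\E_S10IC2.EXE
C:\WINDOWS\T4LB0D80.EXE
C:\PROGRAM FILES\HIJACKTHIS.EXE

O2 - BHO: (no name) - {B549456D-F5D0-4641-BCED-8648A0C13D83} - C:\WINDOWS\BrowserHelper.dll
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [T4LB0D80.EXE] C:\WINDOWS\T4LB0D80.EXE /dk
O4 - HKCU\..\Run: [T4LB0D80.EXE] C:\WINDOWS\T4LB0D80.EXE /dk
O4 - Startup: QN2CKC6J.lnk = C:\WINDOWS\qn2ckc6j.exe
O4 - Startup: T4LB0D80.lnk = C:\WINDOWS\t4lb0d80.exe
O4 - Global Startup: 6AHBY3FF.lnk = C:\WINDOWS\6ahby3ff.exe
"""

# A drive-letter path ending in .exe; stops at whitespace or a quote, so the
# "/dk" argument and the "/autorun" switch are not swallowed.
EXE_PATH = re.compile(r'([A-Za-z]:\\[^"\s]*?\.exe)', re.IGNORECASE)

# "8 assorted letters & numbers": exactly eight [A-Z0-9] characters that contain
# at least one letter AND at least one digit. PCTVOICE.EXE (letters only) and
# scanregw.exe (letters only) therefore do not match; 6AHBY3FF.EXE does.
RANDOM_NAME = re.compile(r'^(?=.*[A-Z])(?=.*[0-9])[A-Z0-9]{8}\.EXE$')


def is_random_windows_exe(path: str) -> bool:
    """True when the file sits directly in C:\\WINDOWS and has a random-looking name."""
    folder, _, name = path.upper().rpartition('\\')
    # E_S10IC2.EXE lives in C:\WINDOWS\SYSTEM and carries an underscore: not flagged.
    return folder == r'C:\WINDOWS' and RANDOM_NAME.match(name) is not None


def running_processes(log: str) -> List[str]:
    """The lines between 'Running processes:' and the next blank line."""
    procs, inside = [], False
    for line in log.splitlines():
        if line.strip().lower() == 'running processes:':
            inside = True
            continue
        if inside:
            if not line.strip():
                break
            procs.append(line.strip())
    return procs


def active_suspicious(log: str) -> Set[str]:
    """Random-named executables that were actually running when the log was taken."""
    return {p.rpartition('\\')[2].lower()
            for p in running_processes(log) if is_random_windows_exe(p)}


def suspicious_entries(log: str) -> Set[str]:
    """Every random-named C:\\WINDOWS exe referenced anywhere in the log (processes + O4)."""
    found = set()
    for line in log.splitlines():
        for path in EXE_PATH.findall(line):
            if is_random_windows_exe(path):
                found.add(path.rpartition('\\')[2].lower())
    return found


def review_list(log: str) -> List[str]:
    """Lines a helper would tick for 'fix checked': unnamed BHOs and O4s pointing at flagged exes."""
    picked = []
    for line in log.splitlines():
        if line.startswith('O2 - BHO: (no name)'):
            picked.append(line)
        elif line.startswith('O4 - ') and any(is_random_windows_exe(p) for p in EXE_PATH.findall(line)):
            picked.append(line)
    return picked


def morphed(before: str, after: str) -> Tuple[Set[str], Set[str]]:
    """(names that appeared, names that disappeared) among the running random-named exes."""
    b, a = active_suspicious(before), active_suspicious(after)
    return a - b, b - a
```

Running `morphed(LOG_BEFORE, LOG_AFTER)` reproduces what $teve points out in post 4: 6AHBY3FF.EXE has gone from the process list and T4LB0D80.EXE has taken its place, while the stale .lnk entries for the old name still need ticking.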
     
  5. $teve

    $teve

    Joined:
    Oct 9, 2001
    Messages:
    9,396
    Edit: C:\WINDOWS\BrowserHelper.dll is one location but I would do a search for any more.
    If I'm not around when you get back I'll try to find a tech to keep an eye on this post.
    ;)
     
  6. jedi5

    jedi5 Thread Starter

    Joined:
    Apr 7, 2004
    Messages:
    6
    I think I got BrowserHelper.dll.
    I searched twice after I deleted it the first time and nothing showed up.
    Here is my latest hijack log.

    Please advise.

    Thanks
    Rafael

    Logfile of HijackThis v1.97.7
    Scan saved at 2:30:37 PM, on 4/7/2004
    Platform: Windows ME (Win9x 4.90.3000)
    MSIE: Internet Explorer v5.50 (5.50.4134.0100)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\WINDOWS\SYSTEM\STIMON.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS\SYSTEM\HIDSERV.EXE
    C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\CPQEADM.EXE
    C:\COMPAQ\CPQINET\CPQINET.EXE
    C:\PROGRAM FILES\COMPAQ\DIGITAL DASHBOARD\DEVGULP.EXE
    C:\CPQS\BWTOOLS\SCCENTER.EXE
    C:\WINDOWS\PCTVOICE.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\WINDOWS\SYSTEM\PRINTRAY.EXE
    C:\WINDOWS\SYSTEM\E_S10IC2.EXE
    C:\WINDOWS\SYSTEM\LEXBCES.EXE
    C:\WINDOWS\SYSTEM\RPCSS.EXE
    C:\PROGRAM FILES\NETZERO\EXEC.EXE
    C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\BTTNSERV.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
    C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\EAUSBKBD.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\PROGRAM FILES\HIJACKTHIS.EXE

    O3 - Toolbar: @msdxmLC.dll,-1@1,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [Hidserv] Hidserv.exe run
    O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\Compaq\Easy Access Button Support\cpqeadm.exe
    O4 - HKLM\..\Run: [EACLEAN] C:\Program Files\Compaq\Easy Access Button Support\eaclean.exe
    O4 - HKLM\..\Run: [CPQInet] c:\compaq\CPQInet\CpqInet.exe
    O4 - HKLM\..\Run: [Digital Dashboard] C:\Program Files\Compaq\Digital Dashboard\DevGulp.exe
    O4 - HKLM\..\Run: [Service Connection] c:\cpqs\bwtools\sccenter.exe
    O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
    O4 - HKLM\..\Run: [PCTVOICE] pctvoice.exe
    O4 - HKLM\..\Run: [LexStart] Lexstart.exe
    O4 - HKLM\..\Run: [LexmarkPrinTray] PrinTray.exe
    O4 - HKLM\..\Run: [EPSON Stylus CX5200] C:\WINDOWS\SYSTEM\E_S10IC2.EXE /P19 "EPSON Stylus CX5200" /O7 "EPUSB1:" /M "Stylus CX5200"
    O4 - HKLM\..\Run: [ashMaiSv] C:\PROGRA~1\ALWILS~1\AVAST4\ashmaisv.exe
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
    O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
    O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
    O4 - HKCU\..\Run: [uoltray] C:\PROGRAM FILES\NETZERO\EXEC.EXE regrun
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: MSN Messenger Service (HKLM)
    O9 - Extra button: Translate (HKLM)
    O9 - Extra 'Tools' menuitem: AV &Translate (HKLM)
    O9 - Extra 'Tools' menuitem: &Find Pages Linking to this URL (HKLM)
    O9 - Extra 'Tools' menuitem: Find Other Pages on this &Host (HKLM)
    O9 - Extra 'Tools' menuitem: AV Live (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O12 - Plugin for .wav: C:\Program Files\Netscape\Communicator\Program\PLUGINS\npaudio.dll
    O12 - Plugin for .SWF: C:\Program Files\Netscape\Communicator\Program\PLUGINS\npswf32.dll
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {50F65670-1729-11D2-A51F-0020AFE5D502} (ForumChat) - http://forumchat.compuserve.com/applets/RTCChat.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?38083.8697685185
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/7d90ae05585062/housecall.antivirus.com/housecall/xscan53.cab
     
  7. jedi5

    jedi5 Thread Starter

    Joined:
    Apr 7, 2004
    Messages:
    6
    I ran the latest Adtomi Cleaner and this is the latest hijack log I have:

    Logfile of HijackThis v1.97.7
    Scan saved at 4:06:29 PM, on 4/7/2004
    Platform: Windows ME (Win9x 4.90.3000)
    MSIE: Internet Explorer v5.50 (5.50.4134.0100)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\WINDOWS\SYSTEM\STIMON.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS\SYSTEM\HIDSERV.EXE
    C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\CPQEADM.EXE
    C:\COMPAQ\CPQINET\CPQINET.EXE
    C:\PROGRAM FILES\COMPAQ\DIGITAL DASHBOARD\DEVGULP.EXE
    C:\CPQS\BWTOOLS\SCCENTER.EXE
    C:\WINDOWS\PCTVOICE.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\WINDOWS\SYSTEM\E_S10IC2.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\BTTNSERV.EXE
    C:\PROGRAM FILES\NETZERO\EXEC.EXE
    C:\WINDOWS\SYSTEM\LEXBCES.EXE
    C:\WINDOWS\SYSTEM\RPCSS.EXE
    C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\EAUSBKBD.EXE
    C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\WINDOWS\WSCRIPT.EXE
    C:\PROGRAM FILES\HIJACKTHIS.EXE

    O3 - Toolbar: @msdxmLC.dll,-1@1,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [Hidserv] Hidserv.exe run
    O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\Compaq\Easy Access Button Support\cpqeadm.exe
    O4 - HKLM\..\Run: [EACLEAN] C:\Program Files\Compaq\Easy Access Button Support\eaclean.exe
    O4 - HKLM\..\Run: [CPQInet] c:\compaq\CPQInet\CpqInet.exe
    O4 - HKLM\..\Run: [Digital Dashboard] C:\Program Files\Compaq\Digital Dashboard\DevGulp.exe
    O4 - HKLM\..\Run: [Service Connection] c:\cpqs\bwtools\sccenter.exe
    O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
    O4 - HKLM\..\Run: [PCTVOICE] pctvoice.exe
    O4 - HKLM\..\Run: [LexStart] Lexstart.exe
    O4 - HKLM\..\Run: [LexmarkPrinTray] PrinTray.exe
    O4 - HKLM\..\Run: [EPSON Stylus CX5200] C:\WINDOWS\SYSTEM\E_S10IC2.EXE /P19 "EPSON Stylus CX5200" /O7 "EPUSB1:" /M "Stylus CX5200"
    O4 - HKLM\..\Run: [ashMaiSv] C:\PROGRA~1\ALWILS~1\AVAST4\ashmaisv.exe
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
    O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
    O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
    O4 - HKCU\..\Run: [uoltray] C:\PROGRAM FILES\NETZERO\EXEC.EXE regrun
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: MSN Messenger Service (HKLM)
    O9 - Extra button: Translate (HKLM)
    O9 - Extra 'Tools' menuitem: AV &Translate (HKLM)
    O9 - Extra 'Tools' menuitem: &Find Pages Linking to this URL (HKLM)
    O9 - Extra 'Tools' menuitem: Find Other Pages on this &Host (HKLM)
    O9 - Extra 'Tools' menuitem: AV Live (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O12 - Plugin for .wav: C:\Program Files\Netscape\Communicator\Program\PLUGINS\npaudio.dll
    O12 - Plugin for .SWF: C:\Program Files\Netscape\Communicator\Program\PLUGINS\npswf32.dll
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {50F65670-1729-11D2-A51F-0020AFE5D502} (ForumChat) - http://forumchat.compuserve.com/applets/RTCChat.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?38083.8697685185
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/7d90ae05585062/housecall.antivirus.com/housecall/xscan53.cab
     
  8. winchester73

    winchester73

    Joined:
    Aug 18, 2003
    Messages:
    2,438
    $teve asked me to stop by this thread ...

    I don't see anything malicious in that HJT log ... is your problem solved?
     
  9. jedi5

    jedi5 Thread Starter

    Joined:
    Apr 7, 2004
    Messages:
    6
    LOL, you're asking me??? :) :) :)

    As far as I can tell, no problems here. I've rebooted this machine several times now and I'm not getting any of those error messages nor am I getting 100 popups.

    Do you you think the problem has been solved now?

    Thanks for looking.
    Rafael
     
  10. $teve

    $teve

    Joined:
    Oct 9, 2001
    Messages:
    9,396
    Yes.... it's gone........... that's excellent news (y)
    Now all you need to do is get some protection or it will happen again for sure.
    Click the "Want to know" link.
    ;)
     
  11. winchester73

    winchester73

    Joined:
    Aug 18, 2003
    Messages:
    2,438
    Yes, the problem is solved ...
     
  12. jedi5

    jedi5 Thread Starter

    Joined:
    Apr 7, 2004
    Messages:
    6
    Sorry to bump this thread but I wanted to thank Steve, Winchester, and this Site for helping me out.

    This site rocks.
    I'll have to put you guys on my favorites now...

    <right behind my porn> :p :p


    Thanks again

    Rafael :) :)
     
  13. $teve

    $teve

    Joined:
    Oct 9, 2001
    Messages:
    9,396
    Rafael........ thanx for the flowers....... you're welcome....
    always a pleasure(y)
    ;)
     
  14. Flrman1

    Flrman1

    Joined:
    Jul 26, 2002
    Messages:
    46,329
    I'm closing this thread. If you need it reopened please PM me or one of the other mods.

    Anyone else with a similar problem please start a "New Thread".
     

Short URL to this thread: https://techguy.org/218065
