Solved: registry bug?


rendds

Thread Starter
Joined
Jun 13, 2006
Messages
81
Hi, my laptop seems to have been infected, but none of the tools I have tried have been successful in getting to this thing. But the problem comes up frequently in a pop-up error box re:
36110103225362368.exe
I have searched these forums and googled it and come up with nothing. Can anyone help me find out what this is and why it is making my laptop and me miserable?
This is an old compaq laptop presario 1200 running Windows ME.
I have run Ad-Aware SE and tried to run System Mechanic, but it will not work on my machine.
Any ideas?
Thanks,
Rich
 

bonk

Banned
Joined
Sep 8, 2005
Messages
11,097
Howdy,

The best thing would be to post a HijackThis log in the Security section of this site.

Download HijackThis to your desktop, open it and click on the Hijack.exe; it will open and use the default path. Check "do you wish an Icon", click on Icon and choose "Scan system and save a logfile", usually in Notepad. Copy and paste the logfile in your next post, using Ctrl+A to copy All, Ctrl+C to copy and Ctrl+V to paste.
 

rendds

Thread Starter
Joined
Jun 13, 2006
Messages
81
Here is the HJT log; even getting this took numerous tries, as the computer kept giving errors and freezing up.
Logfile of HijackThis v1.99.1
Scan saved at 7:54:35 AM, on 1/10/2007
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\PROGRAM FILES\COMMON FILES\AOL\ACS\ACSD.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\COMPAQ\CPQINET\CPQINET.EXE
C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPLPR.EXE
C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPENH.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\MUSICMATCH\MUSICMATCH JUKEBOX 4\MM_TRAY.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\WINDOWS\SYSTEM\BCMWLTRY.EXE
C:\PROGRAM FILES\YAHOO!\BROWSER\YBRWICON.EXE
C:\PROGRAM FILES\SBC YAHOO!\CONNECTION MANAGER\IP INSIGHT\IPMON32.EXE
C:\PROGRAM FILES\BROADJUMP\CLIENT FOUNDATION\CFD.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\BTTNSERV.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\YAHOO!\BROWSER\YCOMMON.EXE
C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\EAUSBKBD.EXE
C:\PROGRAM FILES\MOTIVE\MOTMON.EXE
C:\PROGRAM FILES\AIM\AIM.EXE
C:\3611010322516384.EXE
C:\36110103225362368.EXE
C:\36110103225362368.EXE
C:\36110103225362368.EXE
C:\36110103225362368.EXE
C:\36110103225362368.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\36110103225362368.EXE
C:\36110103225362368.EXE
C:\36110103225362368.EXE
C:\36110103225362368.EXE
C:\36110103225362368.EXE
C:\36110103225362368.EXE
C:\36110103225362368.EXE
C:\36110103225362368.EXE
C:\36110103225362368.EXE
C:\36110103225362368.EXE
C:\36110103225362368.EXE
C:\36110103225362368.EXE
C:\36110103225362368.EXE
C:\36110103225362368.EXE
C:\36110103225362368.EXE
C:\36110103225362368.EXE
C:\36110103225362368.EXE
C:\36110103225362368.EXE
C:\36110103225362368.EXE
C:\PROGRAM FILES\IOLO\SYSTEM MECHANIC 6\SMSYSTEMANALYZER.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\IOLO\SYSTEM MECHANIC 6\SYSMECH6.EXE
C:\PROGRAM FILES\AMERICA ONLINE 9.0\AOLTRAY.EXE
C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\WORKS SHARED\WKCALREM.EXE
C:\WINDOWS\TEMP\TD_0002.DIR\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://desktop.presario.net/scripts/redirectors/presario/deskredir.dll?c=3c00&s=consumer&LC=0409
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://sbc.yahoo.com/dsl
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydsl/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by America Online
R3 - URLSearchHook: (no name) - {EC479F43-4709-D2F1-3869-921FEDA23C69} - (no file)
F1 - win.ini: load=c:\quickenw\BILLMNDW.EXE
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_3_12_0.DLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_3_12_0.DLL
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [CPQInet] c:\compaq\CPQInet\CpqInet.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [EACLEAN] C:\Program Files\Compaq\Easy Access Button Support\eaclean.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MusicMatch\MusicMatch Jukebox 4\mm_tray.exe
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\SYSTEM\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [Belkin WLAN] C:\WINDOWS\SYSTEM\bcmwltry.exe
O4 - HKLM\..\Run: [YBrowser] C:\Program Files\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\PROGRAM FILES\SBC YAHOO!\CONNECTION MANAGER\IP INSIGHT\IPMon32.exe"
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [cspgk.exe] cspgk.exe
O4 - HKLM\..\Run: [dmltg.exe] C:\WINDOWS\SYSTEM\dmltg.exe
O4 - HKLM\..\Run: [MotiveMonitor] C:\Program Files\Motive\motmon.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [AolAcsDaemon1] "C:\PROGRAM FILES\COMMON FILES\AOL\ACS\ACSD.EXE"
O4 - HKCU\..\Run: [AIM] C:\PROGRAM FILES\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [KillAndClean] "C:\Program Files\KillAndClean\KillAndClean.exe"
O4 - HKCU\..\Run: [lpt] sysmon12.exe
O4 - HKCU\..\Run: [xwiz] NSYSCPLSTR.exe
O4 - HKCU\..\Run: [defect08] Shaitan1678.exe
O4 - HKCU\..\Run: [WinMedia] "C:\361101032251898059.exe "
O4 - HKCU\..\Run: [Winsvr] C:\3611010322516384.exe
O4 - HKCU\..\Run: [Winstq] C:\36110103225362368.exe
O4 - HKCU\..\Run: [Winstx] C:\36110103225362368.exe
O4 - HKCU\..\Run: [Winstj] C:\36110103225362368.exe
O4 - HKCU\..\Run: [Winsts] C:\36110103225362368.exe
O4 - HKCU\..\Run: [Winstz] C:\36110103225362368.exe
O4 - HKCU\..\Run: [Winstt] C:\36110103225362368.exe
O4 - HKCU\..\Run: [Winsti] C:\36110103225362368.exe
O4 - HKCU\..\Run: [Winstw] C:\36110103225362368.exe
O4 - HKCU\..\Run: [Winstl] C:\36110103225362368.exe
O4 - HKCU\..\Run: [Winsto] C:\36110103225362368.exe
O4 - HKCU\..\Run: [Winstb] C:\36110103225362368.exe
O4 - HKCU\..\Run: [Winstr] C:\36110103225362368.exe
O4 - HKCU\..\Run: [Winsth] C:\36110103225362368.exe
O4 - HKCU\..\Run: [Winstc] C:\36110103225362368.exe
O4 - HKCU\..\Run: [Winstn] C:\36110103225362368.exe
O4 - HKCU\..\Run: [Winstp] C:\36110103225362368.exe
O4 - HKCU\..\Run: [Winstg] C:\36110103225362368.exe
O4 - HKCU\..\Run: [Winstv] C:\36110103225362368.exe
O4 - HKCU\..\Run: [Winsta] C:\36110103225362368.exe
O4 - HKCU\..\Run: [Winsty] C:\36110103225362368.exe
O4 - HKCU\..\Run: [Winstd] C:\36110103225362368.exe
O4 - HKCU\..\Run: [Winstu] C:\36110103225362368.exe
O4 - HKCU\..\Run: [Winste] C:\36110103225362368.exe
O4 - HKCU\..\Run: [Winstk] C:\36110103225362368.exe
O4 - HKCU\..\Run: [Winstm] C:\36110103225362368.exe
O4 - HKCU\..\Run: [Winstf] C:\36110103225362368.exe
O4 - HKCU\..\Run: [WinUpdate] "C:\361101032251909781.exe "
O4 - HKCU\..\Run: [SMSystemAnalyzer] "C:\Program Files\iolo\System Mechanic 6\SMSystemAnalyzer.exe"
O4 - HKCU\..\Run: [WinUpgrade] "C:\361101032251908218.exe "
O4 - Startup: America Online Tray Icon.lnk = C:\Program Files\America Online 7.0\aoltray.exe
O4 - Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: Compaq Knowledge Center.lnk = ?
O9 - Extra button: Translate - {06FE5D05-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirectors/presario/srchredir.dll?s=avbabelfish&c=3c00&LC=0409 (file missing)
O9 - Extra 'Tools' menuitem: AV &Translate - {06FE5D05-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirectors/presario/srchredir.dll?s=avbabelfish&c=3c00&LC=0409 (file missing)
O9 - Extra button: (no name) - {06FE5D02-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirectors/presario/srchredir.dll?s=avlinksearch&c=3c00&LC=0409 (file missing)
O9 - Extra 'Tools' menuitem: &Find Pages Linking to this URL - {06FE5D02-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirectors/presario/srchredir.dll?s=avlinksearch&c=3c00&LC=0409 (file missing)
O9 - Extra button: (no name) - {06FE5D03-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirectors/presario/srchredir.dll?s=avhostsearch&c=3c00&LC=0409 (file missing)
O9 - Extra 'Tools' menuitem: Find Other Pages on this &Host - {06FE5D03-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirectors/presario/srchredir.dll?s=avhostsearch&c=3c00&LC=0409 (file missing)
O9 - Extra button: (no name) - {06FE5D04-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirectors/presario/srchredir.dll?s=altavista&c=3c00&LC=0409 (file missing)
O9 - Extra 'Tools' menuitem: AV Live - {06FE5D04-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirectors/presario/srchredir.dll?s=altavista&c=3c00&LC=0409 (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES.DLL
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES.DLL
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\PROGRAM FILES\YAHOO!\COMMON\YLOGIN.DLL
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\PROGRAM FILES\YAHOO!\COMMON\YLOGIN.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM\AIM.EXE
O12 - Plugin for .wmv: C:\Program Files\Netscape\Communicator\Program\PLUGINS\NPDSPLAY.DLL
O12 - Plugin for .avi: C:\Program Files\Netscape\Communicator\Program\PLUGINS\npavi32.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.aol.com
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin9x/AvSniff.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 85.255.113.92,85.255.112.195
 

WhitPhil

Gone but never forgotten
Trusted Advisor
Joined
Oct 4, 2000
Messages
8,684
I've asked that this be moved to Security to get instructions on how to remove your "nasties".
 

dvk01

Derek
Retired Moderator Retired Malware Specialist
Joined
Dec 14, 2002
Messages
56,452
You may want to print out these instructions for reference, since you will have to restart your computer during the fix.

Please download FixWareout from

http://downloads.subratam.org/Fixwareout.exe
or
http://www.bleepingcomputer.com/files/lonny/Fixwareout.exe

Save it to your desktop and run it. Click Next, then Install, make sure "Run fixit" is checked and click Finish.
The fix will begin; follow the prompts.
You will be asked to reboot your computer; please do so.
Your system may take longer than usual to load; this is normal.
Once the desktop loads post the text that will open (report.txt) and a new Hijackthis log in the forum please.
 

rendds

Thread Starter
Joined
Jun 13, 2006
Messages
81
Back again,
I had to restart a couple of extra times due to freezing up. Here are the logs:
Fixwareout
Last edited 1/1/2006
Post this report in the forums please

Reg Entries that were deleted
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}B871CC73548C-6329-A2E4-3565-4D0112AA{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}3B52787A7CDF-534A-64A4-78B9-E1D5D8B4{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\gtlmd
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\xedocne
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\gib_ogol
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\repiwoh
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\llun
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\23plhps
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\mgcppp
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\tesvaf
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\nlcalik
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\0mdm
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\1mdm


Microsoft (R) Windows Script Host Version 5.6
Random Runs removed from HKLM
"cspgk.exe"=-
"dmltg.exe"=-
...

PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, There WILL be legitimate FILES LISTED. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.

»»»»» Search by size and names...

»»»»» Misc files

»»»»»
Search five digit cs, dm and jb files
This WILL/CAN also list Legit Files, Submit them at Virustotal
C:\WINDOWS\SYSTEM\CSHCG.EXE 51,262 2006-06-06
C:\WINDOWS\SYSTEM\CSIBE.EXE 51,262 2006-06-06
C:\WINDOWS\SYSTEM\CSWNZ.EXE 51,801 2006-11-07
C:\WINDOWS\SYSTEM\CSWXE.EXE 51,801 2006-11-07
C:\WINDOWS\SYSTEM\CSPUP.EXE 51,801 2006-11-07
C:\WINDOWS\SYSTEM\DMSWV.EXE 44,112 2000-06-08
C:\WINDOWS\SYSTEM\DMQUF.EXE 44,112 2000-06-08
C:\WINDOWS\SYSTEM\DMWVE.EXE 60,966 2000-06-08


Logfile of HijackThis v1.99.1
Scan saved at 4:23:39 PM, on 1/10/2007
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\PROGRAM FILES\COMMON FILES\AOL\ACS\ACSD.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\COMPAQ\CPQINET\CPQINET.EXE
C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPLPR.EXE
C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPENH.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\MUSICMATCH\MUSICMATCH JUKEBOX 4\MM_TRAY.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\WINDOWS\SYSTEM\BCMWLTRY.EXE
C:\PROGRAM FILES\YAHOO!\BROWSER\YBRWICON.EXE
C:\PROGRAM FILES\SBC YAHOO!\CONNECTION MANAGER\IP INSIGHT\IPMON32.EXE
C:\PROGRAM FILES\BROADJUMP\CLIENT FOUNDATION\CFD.EXE
C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\BTTNSERV.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\PROGRAM FILES\MOTIVE\MOTMON.EXE
C:\PROGRAM FILES\AIM\AIM.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\3611010322516384.EXE
C:\36110103225362368.EXE
C:\36110103225362368.EXE
C:\36110103225362368.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\36110103225362368.EXE
C:\36110103225362368.EXE
C:\36110103225362368.EXE
C:\36110103225362368.EXE
C:\36110103225362368.EXE
C:\36110103225362368.EXE
C:\36110103225362368.EXE
C:\36110103225362368.EXE
C:\36110103225362368.EXE
C:\36110103225362368.EXE
C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\EAUSBKBD.EXE
C:\36110103225362368.EXE
C:\36110103225362368.EXE
C:\PROGRAM FILES\YAHOO!\BROWSER\YCOMMON.EXE
C:\36110103225362368.EXE
C:\36110103225362368.EXE
C:\36110103225362368.EXE
C:\36110103225362368.EXE
C:\36110103225362368.EXE
C:\36110103225362368.EXE
C:\36110103225362368.EXE
C:\36110103225362368.EXE
C:\36110103225362368.EXE
C:\36110103225362368.EXE
C:\36110103225362368.EXE
C:\PROGRAM FILES\IOLO\SYSTEM MECHANIC 6\SMSYSTEMANALYZER.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\AMERICA ONLINE 9.0\AOLTRAY.EXE
C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\WORKS SHARED\WKCALREM.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\TEMP\TD_0002.DIR\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://desktop.presario.net/scripts/redirectors/presario/deskredir.dll?c=3c00&s=consumer&LC=0409
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydsl/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by America Online
R3 - URLSearchHook: (no name) - {EC479F43-4709-D2F1-3869-921FEDA23C69} - (no file)
F1 - win.ini: load=c:\quickenw\BILLMNDW.EXE
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_3_12_0.DLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_3_12_0.DLL
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [CPQInet] c:\compaq\CPQInet\CpqInet.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [EACLEAN] C:\Program Files\Compaq\Easy Access Button Support\eaclean.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MusicMatch\MusicMatch Jukebox 4\mm_tray.exe
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\SYSTEM\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [Belkin WLAN] C:\WINDOWS\SYSTEM\bcmwltry.exe
O4 - HKLM\..\Run: [YBrowser] C:\Program Files\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\PROGRAM FILES\SBC YAHOO!\CONNECTION MANAGER\IP INSIGHT\IPMon32.exe"
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [MotiveMonitor] C:\Program Files\Motive\motmon.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [AolAcsDaemon1] "C:\PROGRAM FILES\COMMON FILES\AOL\ACS\ACSD.EXE"
O4 - HKCU\..\Run: [AIM] C:\PROGRAM FILES\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [lpt] sysmon12.exe
O4 - HKCU\..\Run: [xwiz] NSYSCPLSTR.exe
O4 - HKCU\..\Run: [defect08] Shaitan1678.exe
O4 - HKCU\..\Run: [WinMedia] "C:\361101032251898059.exe "
O4 - HKCU\..\Run: [Winsvr] C:\3611010322516384.exe
O4 - HKCU\..\Run: [Winstq] C:\36110103225362368.exe
O4 - HKCU\..\Run: [Winstx] C:\36110103225362368.exe
O4 - HKCU\..\Run: [Winstj] C:\36110103225362368.exe
O4 - HKCU\..\Run: [Winsts] C:\36110103225362368.exe
O4 - HKCU\..\Run: [Winstz] C:\36110103225362368.exe
O4 - HKCU\..\Run: [Winstt] C:\36110103225362368.exe
O4 - HKCU\..\Run: [Winsti] C:\36110103225362368.exe
O4 - HKCU\..\Run: [Winstw] C:\36110103225362368.exe
O4 - HKCU\..\Run: [Winstl] C:\36110103225362368.exe
O4 - HKCU\..\Run: [Winsto] C:\36110103225362368.exe
O4 - HKCU\..\Run: [Winstb] C:\36110103225362368.exe
O4 - HKCU\..\Run: [Winstr] C:\36110103225362368.exe
O4 - HKCU\..\Run: [Winsth] C:\36110103225362368.exe
O4 - HKCU\..\Run: [Winstc] C:\36110103225362368.exe
O4 - HKCU\..\Run: [Winstn] C:\36110103225362368.exe
O4 - HKCU\..\Run: [Winstp] C:\36110103225362368.exe
O4 - HKCU\..\Run: [Winstg] C:\36110103225362368.exe
O4 - HKCU\..\Run: [Winstv] C:\36110103225362368.exe
O4 - HKCU\..\Run: [Winsta] C:\36110103225362368.exe
O4 - HKCU\..\Run: [Winsty] C:\36110103225362368.exe
O4 - HKCU\..\Run: [Winstd] C:\36110103225362368.exe
O4 - HKCU\..\Run: [Winstu] C:\36110103225362368.exe
O4 - HKCU\..\Run: [Winste] C:\36110103225362368.exe
O4 - HKCU\..\Run: [Winstk] C:\36110103225362368.exe
O4 - HKCU\..\Run: [Winstm] C:\36110103225362368.exe
O4 - HKCU\..\Run: [Winstf] C:\36110103225362368.exe
O4 - HKCU\..\Run: [WinUpdate] "C:\361101032251909781.exe "
O4 - HKCU\..\Run: [SMSystemAnalyzer] "C:\Program Files\iolo\System Mechanic 6\SMSystemAnalyzer.exe"
O4 - HKCU\..\Run: [WinUpgrade] "C:\361101032251908218.exe "
O4 - Startup: America Online Tray Icon.lnk = C:\Program Files\America Online 7.0\aoltray.exe
O4 - Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: Compaq Knowledge Center.lnk = ?
O9 - Extra button: Translate - {06FE5D05-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirectors/presario/srchredir.dll?s=avbabelfish&c=3c00&LC=0409 (file missing)
O9 - Extra 'Tools' menuitem: AV &Translate - {06FE5D05-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirectors/presario/srchredir.dll?s=avbabelfish&c=3c00&LC=0409 (file missing)
O9 - Extra button: (no name) - {06FE5D02-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirectors/presario/srchredir.dll?s=avlinksearch&c=3c00&LC=0409 (file missing)
O9 - Extra 'Tools' menuitem: &Find Pages Linking to this URL - {06FE5D02-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirectors/presario/srchredir.dll?s=avlinksearch&c=3c00&LC=0409 (file missing)
O9 - Extra button: (no name) - {06FE5D03-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirectors/presario/srchredir.dll?s=avhostsearch&c=3c00&LC=0409 (file missing)
O9 - Extra 'Tools' menuitem: Find Other Pages on this &Host - {06FE5D03-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirectors/presario/srchredir.dll?s=avhostsearch&c=3c00&LC=0409 (file missing)
O9 - Extra button: (no name) - {06FE5D04-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirectors/presario/srchredir.dll?s=altavista&c=3c00&LC=0409 (file missing)
O9 - Extra 'Tools' menuitem: AV Live - {06FE5D04-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirectors/presario/srchredir.dll?s=altavista&c=3c00&LC=0409 (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES.DLL
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES.DLL
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\PROGRAM FILES\YAHOO!\COMMON\YLOGIN.DLL
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\PROGRAM FILES\YAHOO!\COMMON\YLOGIN.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM\AIM.EXE
O12 - Plugin for .wmv: C:\Program Files\Netscape\Communicator\Program\PLUGINS\NPDSPLAY.DLL
O12 - Plugin for .avi: C:\Program Files\Netscape\Communicator\Program\PLUGINS\npavi32.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.aol.com
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin9x/AvSniff.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 85.255.113.92,85.255.112.195

Thanks
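As an added triage example (not part of this thread, and not code from HijackThis or FixWareout): the Python script below reads lines in the HijackThis log format and the FixWareout file listing shown above and reports the indicators the helpers act on in this thread: O4 Run entries that launch a digit-named executable sitting in the drive root, several differently named Run entries that launch the same file, a process repeated many times in the running-process list, an R3 URLSearchHook with no file behind it, a hard-coded O17 NameServer value that is not on the list of resolvers you expect, and, from the FixWareout "search by size and names" output, five-letter cs/dm/jb files grouped by identical size. The function names `triage` and `cluster_by_size`, the `allowed_dns` parameter and the two sample strings are my constructions; the sample lines themselves are copied from the logs posted above.

```python
import re
from collections import Counter, defaultdict

# Constructed sample input: a subset of lines copied from the HijackThis logs in this thread.
SAMPLE_HJT_LOG = r"""
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\3611010322516384.EXE
C:\36110103225362368.EXE
C:\36110103225362368.EXE
C:\36110103225362368.EXE

R3 - URLSearchHook: (no name) - {EC479F43-4709-D2F1-3869-921FEDA23C69} - (no file)
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [cspgk.exe] cspgk.exe
O4 - HKCU\..\Run: [lpt] sysmon12.exe
O4 - HKCU\..\Run: [WinMedia] "C:\361101032251898059.exe "
O4 - HKCU\..\Run: [Winsvr] C:\3611010322516384.exe
O4 - HKCU\..\Run: [Winstq] C:\36110103225362368.exe
O4 - HKCU\..\Run: [Winstx] C:\36110103225362368.exe
O4 - HKCU\..\Run: [Winstj] C:\36110103225362368.exe
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 85.255.113.92,85.255.112.195
"""

# Constructed sample input: the FixWareout file listing posted in this thread.
SAMPLE_FILE_LISTING = r"""
C:\WINDOWS\SYSTEM\CSHCG.EXE 51,262 2006-06-06
C:\WINDOWS\SYSTEM\CSIBE.EXE 51,262 2006-06-06
C:\WINDOWS\SYSTEM\CSWNZ.EXE 51,801 2006-11-07
C:\WINDOWS\SYSTEM\CSWXE.EXE 51,801 2006-11-07
C:\WINDOWS\SYSTEM\CSPUP.EXE 51,801 2006-11-07
C:\WINDOWS\SYSTEM\DMSWV.EXE 44,112 2000-06-08
C:\WINDOWS\SYSTEM\DMQUF.EXE 44,112 2000-06-08
C:\WINDOWS\SYSTEM\DMWVE.EXE 60,966 2000-06-08
"""

# O4 Run / RunServices entry: hive, key, [entry name], command line
RUN_ENTRY = re.compile(r'^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
# An executable in the drive root whose base name is nothing but digits
ROOT_NUMERIC_EXE = re.compile(r'^[A-Za-z]:\\\d+\.exe$', re.IGNORECASE)
# FixWareout's "five letter cs/dm/jb" naming heuristic
WAREOUT_NAME = re.compile(r'^(cs|dm|jb)[a-z]{3}\.exe$', re.IGNORECASE)
NAMESERVER = re.compile(r'^O17 - .*NameServer = (?P<servers>[\d.,]+)$')
# FixWareout listing line: path, size with thousands separators, ISO date
FILE_LINE = re.compile(r'^(?P<path>[A-Za-z]:\\\S+)\s+(?P<size>[\d,]+)\s+(?P<date>\d{4}-\d{2}-\d{2})$')


def triage(log_text, allowed_dns=()):
    """Return a dict of indicator name -> evidence found in a HijackThis log.
    allowed_dns lists resolver addresses you expect; with none given, any
    hard-coded NameServer is reported (the fix in this thread is 'obtain automatically')."""
    findings = defaultdict(list)
    run_targets = defaultdict(list)   # normalised command -> entry names launching it
    process_counts = Counter()
    in_processes = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if line == "Running processes:":
            in_processes = True
            continue
        if in_processes:                      # the process list ends at the first blank line
            if not line:
                in_processes = False
            else:
                process_counts[line.upper()] += 1
            continue
        if line.startswith("R3 - URLSearchHook") and line.endswith("(no file)"):
            findings["orphan_searchhook"].append(line)
        m = RUN_ENTRY.match(line)
        if m:
            cmd = m.group("cmd").strip().strip('"').strip()   # drop the quoting seen in the log
            run_targets[cmd.lower()].append(m.group("name"))
            if ROOT_NUMERIC_EXE.match(cmd):
                findings["root_numeric_exe"].append(m.group("name"))
            base = cmd.split("\\")[-1]
            if WAREOUT_NAME.match(base):
                findings["wareout_style_name"].append(base)
            continue
        m = NAMESERVER.match(line)
        if m:
            unexpected = [s for s in m.group("servers").split(",") if s and s not in allowed_dns]
            if unexpected:
                findings["unexpected_dns"] = unexpected
    for target, names in run_targets.items():
        if len(names) > 1:                    # many entry names, one payload
            findings["duplicate_run_targets"].append((target, sorted(names)))
    for proc, n in process_counts.items():
        if n > 1:
            findings["repeated_processes"].append((proc, n))
    return dict(findings)


def cluster_by_size(listing):
    """Group FixWareout-style 'path size date' lines by byte size, keeping only
    sizes shared by more than one file: identical sizes under random names are
    usually copies of one binary, so one sample per cluster is enough to submit."""
    clusters = defaultdict(list)
    for raw in listing.splitlines():
        m = FILE_LINE.match(raw.strip())
        if m:
            clusters[int(m.group("size").replace(",", ""))].append(m.group("path").split("\\")[-1])
    return {size: names for size, names in clusters.items() if len(names) > 1}


if __name__ == "__main__":
    for key, value in sorted(triage(SAMPLE_HJT_LOG).items()):
        print(key, value)
    print(cluster_by_size(SAMPLE_FILE_LISTING))
```

Nothing in the output is a verdict. Legitimate programs also appear more than once in a process list (IEXPLORE.EXE in the logs above) and legitimate Run entries also use bare file names, so the report is a shortlist to check by hand. The one finding that matters most is the NameServer line: a resolver address the owner never chose means every name lookup on the machine is answered by someone else until the setting is put back to automatic, which is why the fix in this thread ends with the DNS reset and `ipconfig /flushdns`.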
 

dvk01

Derek
Retired Moderator Retired Malware Specialist
Joined
Dec 14, 2002
Messages
56,452
First, HJT MUST be in its own folder, NOT a temp folder, to fix properly, so

go to here and download the 'Hijack This!' self installer. Save it to the desktop or other suitable place. DO NOT just press run from the website. Double click on the file and it will install to C:\program files\hijackthis and create an entry in the start menu and an optional shortcut on the desktop.
Click on the entry in start menu or on the desktop to run HijackThis

Download Pocket Killbox from http://www.thespykiller.co.uk/files/killbox.exe and put it on the desktop where you can find it easily.


Run HijackThis, put a tick in the box beside these entries listed below and ONLY these entries; double check to make sure, then make sure all browser & email windows are closed and press Fix checked.


R3 - URLSearchHook: (no name) - {EC479F43-4709-D2F1-3869-921FEDA23C69} - (no file)
O4 - HKCU\..\Run: [lpt] sysmon12.exe
O4 - HKCU\..\Run: [xwiz] NSYSCPLSTR.exe
O4 - HKCU\..\Run: [defect08] Shaitan1678.exe
O4 - HKCU\..\Run: [WinMedia] "C:\361101032251898059.exe "
O4 - HKCU\..\Run: [Winsvr] C:\3611010322516384.exe
O4 - HKCU\..\Run: [Winstq] C:\36110103225362368.exe
O4 - HKCU\..\Run: [Winstx] C:\36110103225362368.exe
O4 - HKCU\..\Run: [Winstj] C:\36110103225362368.exe
O4 - HKCU\..\Run: [Winsts] C:\36110103225362368.exe
O4 - HKCU\..\Run: [Winstz] C:\36110103225362368.exe
O4 - HKCU\..\Run: [Winstt] C:\36110103225362368.exe
O4 - HKCU\..\Run: [Winsti] C:\36110103225362368.exe
O4 - HKCU\..\Run: [Winstw] C:\36110103225362368.exe
O4 - HKCU\..\Run: [Winstl] C:\36110103225362368.exe
O4 - HKCU\..\Run: [Winsto] C:\36110103225362368.exe
O4 - HKCU\..\Run: [Winstb] C:\36110103225362368.exe
O4 - HKCU\..\Run: [Winstr] C:\36110103225362368.exe
O4 - HKCU\..\Run: [Winsth] C:\36110103225362368.exe
O4 - HKCU\..\Run: [Winstc] C:\36110103225362368.exe
O4 - HKCU\..\Run: [Winstn] C:\36110103225362368.exe
O4 - HKCU\..\Run: [Winstp] C:\36110103225362368.exe
O4 - HKCU\..\Run: [Winstg] C:\36110103225362368.exe
O4 - HKCU\..\Run: [Winstv] C:\36110103225362368.exe
O4 - HKCU\..\Run: [Winsta] C:\36110103225362368.exe
O4 - HKCU\..\Run: [Winsty] C:\36110103225362368.exe
O4 - HKCU\..\Run: [Winstd] C:\36110103225362368.exe
O4 - HKCU\..\Run: [Winstu] C:\36110103225362368.exe
O4 - HKCU\..\Run: [Winste] C:\36110103225362368.exe
O4 - HKCU\..\Run: [Winstk] C:\36110103225362368.exe
O4 - HKCU\..\Run: [Winstm] C:\36110103225362368.exe
O4 - HKCU\..\Run: [Winstf] C:\36110103225362368.exe
O4 - HKCU\..\Run: [WinUpdate] "C:\361101032251909781.exe "
O4 - HKCU\..\Run: [WinUpgrade] "C:\361101032251908218.exe "
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 85.255.113.92,85.255.112.195


Now start Killbox and paste the first file listed below into the "Full pathname and file to delete" box.

The file name will appear in the window; select "delete on reboot", press the red X button, say yes to the prompt and NO to reboot now, then repeat for each file in turn.

[Note: Killbox makes backups of all deleted files & folders in a folder called C:\!killbox.] If Killbox tells you any files are missing, don't worry, but make a note and let us know in your next reply.

C:\WINDOWS\SYSTEM\CSHCG.EXE
C:\WINDOWS\SYSTEM\CSIBE.EXE
C:\WINDOWS\SYSTEM\CSWNZ.EXE
C:\WINDOWS\SYSTEM\CSWXE.EXE
C:\WINDOWS\SYSTEM\CSPUP.EXE
C:\WINDOWS\SYSTEM\DMSWV.EXE
C:\WINDOWS\SYSTEM\DMQUF.EXE
C:\WINDOWS\SYSTEM\DMWVE.EXE
C:\3611010322516384.EXE
C:\36110103225362368.EXE
C:\361101032251908218.exe
C:\361101032251909781.exe
C:\361101032251898059.exe
C:\WINDOWS\SYSTEM\sysmon12.exe
C:\WINDOWS\SYSTEM\NSYSCPLSTR.exe
C:\WINDOWS\SYSTEM\Shaitan1678.exe


Then, on the Killbox top bar, press Tools/Delete temp files. In the pop-up box, towards the middle, is a drop-down box containing a list of all user accounts. In this drop-down user account box, select your account, select ALL options it will allow you to, then press Delete selected temp files, then repeat for every user account listed in that drop-down box.

Now we need to reset your hijacked DNS settings.

To set your DNS, you need to find the Internet Protocol window.

For Users on a Dial-up Connection:
Go to My Computer>Dialup Networking.
Right-click your internet connection and select Properties.
A window will open - click the Server Types tab. Click TCP/IP Settings.

For All Other Users:
Go to Control Panel>Network Connections and select your local network.
Click Properties, then select Internet Protocol (TCP/IP).
Click Properties.

You will see a window - this is the Internet Protocol window. Select "Obtain DNS server automatically" and press OK.

Now go to Start/Run, type cmd and press OK.

When the black screen opens, type this exactly, including all spaces:

ipconfig /flushdns and press OK, then close that black screen.

Reboot & post a fresh HJT log please.

Then, as you have NO antivirus, and that is why you were infected:

Click here to download Dr.Web CureIt and save it to your desktop.
  • Double-click the drweb-cureit.exe file and allow it to run the express scan.
  • This will scan the files currently running in memory and, when something is found, click the Yes button when it asks you if you want to cure it. This is only a short scan.
  • Once the short scan has finished, mark the drives that you want to scan.
  • Select all drives. A red dot shows which drives have been chosen.
  • Click the green arrow at the right, and the scan will start.
  • Click 'Yes to all' if it asks if you want to cure/move the file.
  • When the scan has finished, look if you can click the next icon next to the files found:
  • If so, click it, then click the next icon right below and select Move incurable, as you'll see in the next image:
  • This will move it to the %userprofile%\DoctorWeb\quarantine folder if it can't be cured. (This is in case we need samples.)
  • After selecting, in the Dr.Web CureIt menu on top, click File and choose Save report list.
  • Save the report to your desktop. The report will be called DrWeb.csv.
  • Close Dr.Web CureIt.
  • Reboot your computer!! Because it could be possible that files in use will be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web you saved previously in your next reply, along with a new HijackThis log.
 

rendds

Thread Starter
Joined
Jun 13, 2006
Messages
81
Hi again,
here is the new HJT log, but I had a few problems following the instructions posted above.
The following files : C:\WINDOWS\SYSTEM\sysmon12.exe, C:\WINDOWS\SYSTEM\NSYSCPLSTR.exe, and
C:\WINDOWS\SYSTEM\Shaitan1678.exe all resulted in a pop up window during the KILLBOX saying 'this file does not seem to exist'
I then was unable to have any luck at all following the directions for resetting the DNS settings. My control panel did not have a "Network Connections" icon. I do have an "Internet Options", a "Network", and a "Dial up Networking" icon to choose from, but was unsure of how to proceed.
I then ran the ipconfig /flushdns and the black box went away on its own without me having to close it.
I then ran a new HJT and have posted the log below.
I will now proceed with the Dr.Web CureIt download and wait to hear back.
Thank you very much

Logfile of HijackThis v1.99.1
Scan saved at 4:51:27 PM, on 1/11/2007

Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\PROGRAM FILES\COMMON FILES\AOL\ACS\ACSD.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\COMPAQ\CPQINET\CPQINET.EXE
C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPLPR.EXE
C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPENH.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\MUSICMATCH\MUSICMATCH JUKEBOX 4\MM_TRAY.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\BTTNSERV.EXE
C:\WINDOWS\SYSTEM\BCMWLTRY.EXE
C:\PROGRAM FILES\YAHOO!\BROWSER\YBRWICON.EXE
C:\PROGRAM FILES\SBC YAHOO!\CONNECTION MANAGER\IP INSIGHT\IPMON32.EXE
C:\PROGRAM FILES\BROADJUMP\CLIENT FOUNDATION\CFD.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\PROGRAM FILES\MOTIVE\MOTMON.EXE
C:\PROGRAM FILES\AIM\AIM.EXE
C:\PROGRAM FILES\IOLO\SYSTEM MECHANIC 6\SMSYSTEMANALYZER.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\EAUSBKBD.EXE
C:\PROGRAM FILES\YAHOO!\BROWSER\YCOMMON.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\AMERICA ONLINE 9.0\AOLTRAY.EXE
C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\WORKS SHARED\WKCALREM.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://desktop.presario.net/scripts/redirectors/presario/deskredir.dll?c=3c00&s=consumer&LC=0409
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydsl/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by America Online
F1 - win.ini: load=c:\quickenw\BILLMNDW.EXE
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_3_12_0.DLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_3_12_0.DLL
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [CPQInet] c:\compaq\CPQInet\CpqInet.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [EACLEAN] C:\Program Files\Compaq\Easy Access Button Support\eaclean.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MusicMatch\MusicMatch Jukebox 4\mm_tray.exe
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\SYSTEM\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [Belkin WLAN] C:\WINDOWS\SYSTEM\bcmwltry.exe
O4 - HKLM\..\Run: [YBrowser] C:\Program Files\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\PROGRAM FILES\SBC YAHOO!\CONNECTION MANAGER\IP INSIGHT\IPMon32.exe"
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [MotiveMonitor] C:\Program Files\Motive\motmon.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [AolAcsDaemon1] "C:\PROGRAM FILES\COMMON FILES\AOL\ACS\ACSD.EXE"
O4 - HKCU\..\Run: [AIM] C:\PROGRAM FILES\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [SMSystemAnalyzer] "C:\Program Files\iolo\System Mechanic 6\SMSystemAnalyzer.exe"
O4 - Startup: America Online Tray Icon.lnk = C:\Program Files\America Online 7.0\aoltray.exe
O4 - Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: Compaq Knowledge Center.lnk = ?
O9 - Extra button: Translate - {06FE5D05-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirectors/presario/srchredir.dll?s=avbabelfish&c=3c00&LC=0409 (file missing)
O9 - Extra 'Tools' menuitem: AV &Translate - {06FE5D05-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirectors/presario/srchredir.dll?s=avbabelfish&c=3c00&LC=0409 (file missing)
O9 - Extra button: (no name) - {06FE5D02-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirectors/presario/srchredir.dll?s=avlinksearch&c=3c00&LC=0409 (file missing)
O9 - Extra 'Tools' menuitem: &Find Pages Linking to this URL - {06FE5D02-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirectors/presario/srchredir.dll?s=avlinksearch&c=3c00&LC=0409 (file missing)
O9 - Extra button: (no name) - {06FE5D03-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirectors/presario/srchredir.dll?s=avhostsearch&c=3c00&LC=0409 (file missing)
O9 - Extra 'Tools' menuitem: Find Other Pages on this &Host - {06FE5D03-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirectors/presario/srchredir.dll?s=avhostsearch&c=3c00&LC=0409 (file missing)
O9 - Extra button: (no name) - {06FE5D04-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirectors/presario/srchredir.dll?s=altavista&c=3c00&LC=0409 (file missing)
O9 - Extra 'Tools' menuitem: AV Live - {06FE5D04-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirectors/presario/srchredir.dll?s=altavista&c=3c00&LC=0409 (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES.DLL
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES.DLL
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\PROGRAM FILES\YAHOO!\COMMON\YLOGIN.DLL
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\PROGRAM FILES\YAHOO!\COMMON\YLOGIN.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM\AIM.EXE
O12 - Plugin for .wmv: C:\Program Files\Netscape\Communicator\Program\PLUGINS\NPDSPLAY.DLL
O12 - Plugin for .avi: C:\Program Files\Netscape\Communicator\Program\PLUGINS\npavi32.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.aol.com
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin9x/AvSniff.cab
 

dvk01

Derek
Retired Moderator Retired Malware Specialist
Joined
Dec 14, 2002
Messages
56,452
the HJT log looks clear now so let's see what Dr web finds
 

rendds

Thread Starter
Joined
Jun 13, 2006
Messages
81
Thanks,
I notice my computer is about three or more times faster now. You mentioned I didn't have any anti-virus and I don't currently because system mechanic wouldn't run and their online help suggested turning it off, which I tried and it still didn't work so I removed it to see if that would help, which it did not. I had Norton system works but will check the security forum and get what is most recommended once we are finished here. Of course, I will appreciate your recommendation as well.
Here are the DrCure report and a new HJT log from this morning
Thanks again

ScanLog.txt;C:\Program Files\Registry Cleaner\Log;Probably MACRO.IRC.WORM.Virus;Incurable.Moved.;
r3ily2i7.exe;C:\WINDOWS;Trojan.DownLoader.17087;Deleted.;
zsx330ka.exe;C:\WINDOWS;Trojan.DownLoader.14850;Deleted.;
1pvwms6w.exe;C:\WINDOWS;Trojan.DownLoader.17087;Deleted.;
4d3j49gs.exe;C:\WINDOWS;Trojan.DownLoader.13343;Deleted.;
3sntjf73.exe;C:\WINDOWS;Trojan.DownLoader.17087;Deleted.;
o7tht8zy.exe;C:\WINDOWS;Trojan.DownLoader.17087;Deleted.;
fivldykz.exe;C:\WINDOWS;Trojan.DownLoader.17087;Deleted.;
setup.exe;C:\WINDOWS\All Users\Application Data\AOL Downloads\CCU_SUITE_1.0.48.1;Probably BACKDOOR.Trojan;Incurable.Moved.;
Process.exe;C:\WINDOWS\Desktop\SmitfraudFix\SmitfraudFix;Tool.Prockill;Incurable.Moved.;
restart.exe;C:\WINDOWS\Desktop\SmitfraudFix\SmitfraudFix;Tool.ShutDown.11;Incurable.Moved.;
ouhqd.exe;C:\WINDOWS\SYSTEM;Trojan.DnsChange;Deleted.;
dxbql.exe;C:\WINDOWS\SYSTEM;Trojan.DnsChange;Deleted.;
eyyyp.exe;C:\WINDOWS\SYSTEM;Trojan.DnsChange;Deleted.;
howiper.exe;C:\WINDOWS\SYSTEM;Trojan.DownLoader.10747;Deleted.;
favset.exe;C:\WINDOWS\SYSTEM;Trojan.Favadd;Deleted.;
{B60664E8-A503-4584-AAD0-D2C75E2F61AF}.exe;C:\WINDOWS\SYSTEM;Trojan.DnsChange;Deleted.;
{1C8B35B6-AA59-4519-BD5F-16372701380B}.exe;C:\WINDOWS\SYSTEM;Trojan.DnsChange;Deleted.;
zjukn.exe;C:\WINDOWS\SYSTEM;Trojan.DnsChange;Deleted.;
rzdtx.exe;C:\WINDOWS\SYSTEM;Trojan.DnsChange;Deleted.;
A0028456.CPY;C:\_RESTORE\TEMP;Trojan.DownLoader.9145 - write error - write error;;
A0028458.CPY;C:\_RESTORE\TEMP;Trojan.DownLoader.9145 - write error - write error;;
A0028460.CPY;C:\_RESTORE\TEMP;Trojan.DnsChange - write error - write error;;
A0028462.CPY;C:\_RESTORE\TEMP;Trojan.DnsChange - write error - write error;;
A0028464.CPY;C:\_RESTORE\TEMP;Trojan.DnsChange - write error - write error;;
A0028466.CPY;C:\_RESTORE\TEMP;Trojan.DownLoader.5401 - write error - write error;;
A0028468.CPY;C:\_RESTORE\TEMP;Trojan.DownLoader.5401 - write error - write error;;
A0028470.CPY;C:\_RESTORE\TEMP;Trojan.DnsChange - write error - write error;;
A0028472.CPY;C:\_RESTORE\TEMP;Trojan.Click.1628 - write error - write error;;
A0028480.CPY;C:\_RESTORE\TEMP;Trojan.Click.1570 - write error - write error;;
A0028482.CPY;C:\_RESTORE\TEMP;Trojan.DownLoader.17087 - write error - write error;;
A0028484.CPY;C:\_RESTORE\TEMP;Trojan.DownLoader.17087 - write error - write error;;
A0028486.CPY;C:\_RESTORE\TEMP;Trojan.DownLoader.17087 - write error - write error;;
A0028825.CPY;C:\_RESTORE\TEMP;Adware.Cfd;Incurable.Will be moved after reboot.;
A0028828.CPY;C:\_RESTORE\TEMP;Trojan.DownLoader.13575 - write error - write error;;
A0028830.CPY;C:\_RESTORE\TEMP;Trojan.DownLoader.14207 - write error - write error;;
A0028832.CPY;C:\_RESTORE\TEMP;Trojan.DownLoader.14715 - write error - write error;;
A0028834.CPY;C:\_RESTORE\TEMP;Trojan.DownLoader.15553 - write error - write error;;
A0028836.CPY;C:\_RESTORE\TEMP;Trojan.Click.1570 - write error - write error;;
A0028838.CPY;C:\_RESTORE\TEMP;Trojan.DownLoader.14810 - write error - write error;;
A0028840.CPY;C:\_RESTORE\TEMP;Trojan.Click.1570 - write error - write error;;
A0028842.CPY;C:\_RESTORE\TEMP;Trojan.DownLoader.15214 - write error - write error;;
A0028844.CPY;C:\_RESTORE\TEMP;Trojan.Click.1570 - write error - write error;;
A0028846.CPY;C:\_RESTORE\TEMP;Trojan.DownLoader.17014 - write error - write error;;
A0028848.CPY;C:\_RESTORE\TEMP;Trojan.DownLoader.17087 - write error - write error;;
A0028850.CPY;C:\_RESTORE\TEMP;Trojan.DownLoader.17087 - write error - write error;;
A0028852.CPY;C:\_RESTORE\TEMP;Trojan.DownLoader.17087 - write error - write error;;
A0028854.CPY;C:\_RESTORE\TEMP;Trojan.DownLoader.17087 - write error - write error;;
A0028856.CPY;C:\_RESTORE\TEMP;Trojan.DownLoader.17087 - write error - write error;;
A0028858.CPY;C:\_RESTORE\TEMP;Trojan.DownLoader.17087 - write error - write error;;
A0028860.CPY;C:\_RESTORE\TEMP;Trojan.DownLoader.17087 - write error - write error;;
A0028862.CPY;C:\_RESTORE\TEMP;Trojan.DownLoader.17087 - write error - write error;;
A0028864.CPY;C:\_RESTORE\TEMP;Trojan.DownLoader.17087 - write error - write error;;
A0028866.CPY;C:\_RESTORE\TEMP;Trojan.DownLoader.17087 - write error - write error;;
A0028868.CPY;C:\_RESTORE\TEMP;Trojan.DownLoader.17087 - write error - write error;;
A0028870.CPY;C:\_RESTORE\TEMP;Trojan.DownLoader.17087 - write error - write error;;
A0028872.CPY;C:\_RESTORE\TEMP;Trojan.DnsChange - write error - write error;;
A0028880.CPY;C:\_RESTORE\TEMP;Trojan.DownLoader.17087 - write error - write error;;
A0028882.CPY;C:\_RESTORE\TEMP;Trojan.DownLoader.14850 - write error - write error;;
A0028884.CPY;C:\_RESTORE\TEMP;Trojan.DownLoader.17087 - write error - write error;;
A0028886.CPY;C:\_RESTORE\TEMP;Trojan.DownLoader.13343 - write error - write error;;
A0028888.CPY;C:\_RESTORE\TEMP;Trojan.DownLoader.17087 - write error - write error;;
A0028890.CPY;C:\_RESTORE\TEMP;Trojan.DownLoader.17087 - write error - write error;;
A0028892.CPY;C:\_RESTORE\TEMP;Trojan.DownLoader.17087 - write error - write error;;
A0028894.CPY;C:\_RESTORE\TEMP;Trojan.DnsChange - write error - write error;;
A0028896.CPY;C:\_RESTORE\TEMP;Trojan.DnsChange - write error - write error;;
A0028898.CPY;C:\_RESTORE\TEMP;Trojan.DnsChange - write error - write error;;
A0028900.CPY;C:\_RESTORE\TEMP;Trojan.DownLoader.10747 - write error - write error;;
A0028902.CPY;C:\_RESTORE\TEMP;Trojan.Favadd - write error - write error;;
A0028904.CPY;C:\_RESTORE\TEMP;Trojan.DnsChange - write error - write error;;
A0028906.CPY;C:\_RESTORE\TEMP;Trojan.DnsChange - write error - write error;;
A0028908.CPY;C:\_RESTORE\TEMP;Trojan.DnsChange - write error - write error;;
A0028910.CPY;C:\_RESTORE\TEMP;Trojan.DnsChange - write error - write error;;
CSHCG.EXE;C:\!KillBox;Trojan.DownLoader.9145;Deleted.;
CSIBE.EXE;C:\!KillBox;Trojan.DownLoader.9145;Deleted.;
CSWNZ.EXE;C:\!KillBox;Trojan.DnsChange;Deleted.;
CSWXE.EXE;C:\!KillBox;Trojan.DnsChange;Deleted.;
CSPUP.EXE;C:\!KillBox;Trojan.DnsChange;Deleted.;
DMSWV.EXE;C:\!KillBox;Trojan.DownLoader.5401;Deleted.;
DMQUF.EXE;C:\!KillBox;Trojan.DownLoader.5401;Deleted.;
DMWVE.EXE;C:\!KillBox;Trojan.DnsChange;Deleted.;
3611010322516384.EXE;C:\!KillBox;Trojan.Click.1628;Deleted.;
36110103225362368.EXE;C:\!KillBox;Trojan.Click.1570;Deleted.;
361101032251908218.EXE;C:\!KillBox;Trojan.DownLoader.17087;Deleted.;
361101032251909781.exe;C:\!KillBox;Trojan.DownLoader.17087;Deleted.;
361101032251898059.exe;C:\!KillBox;Trojan.DownLoader.17087;Deleted.;




Logfile of HijackThis v1.99.1
Scan saved at 10:44:15 AM, on 1/12/2007
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\PROGRAM FILES\COMMON FILES\AOL\ACS\ACSD.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\COMPAQ\CPQINET\CPQINET.EXE
C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPLPR.EXE
C:\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPENH.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\MUSICMATCH\MUSICMATCH JUKEBOX 4\MM_TRAY.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\WINDOWS\SYSTEM\BCMWLTRY.EXE
C:\PROGRAM FILES\YAHOO!\BROWSER\YBRWICON.EXE
C:\PROGRAM FILES\SBC YAHOO!\CONNECTION MANAGER\IP INSIGHT\IPMON32.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\PROGRAM FILES\MOTIVE\MOTMON.EXE
C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\BTTNSERV.EXE
C:\PROGRAM FILES\AIM\AIM.EXE
C:\PROGRAM FILES\IOLO\SYSTEM MECHANIC 6\SMSYSTEMANALYZER.EXE
C:\PROGRAM FILES\YAHOO!\BROWSER\YCOMMON.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\EAUSBKBD.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\AMERICA ONLINE 9.0\AOLTRAY.EXE
C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\WORKS SHARED\WKCALREM.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://desktop.presario.net/scripts/redirectors/presario/deskredir.dll?c=3c00&s=consumer&LC=0409
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydsl/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by America Online
F1 - win.ini: load=c:\quickenw\BILLMNDW.EXE
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_3_12_0.DLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_3_12_0.DLL
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [CPQInet] c:\compaq\CPQInet\CpqInet.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [EACLEAN] C:\Program Files\Compaq\Easy Access Button Support\eaclean.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MusicMatch\MusicMatch Jukebox 4\mm_tray.exe
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\SYSTEM\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [Belkin WLAN] C:\WINDOWS\SYSTEM\bcmwltry.exe
O4 - HKLM\..\Run: [YBrowser] C:\Program Files\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\PROGRAM FILES\SBC YAHOO!\CONNECTION MANAGER\IP INSIGHT\IPMon32.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [MotiveMonitor] C:\Program Files\Motive\motmon.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [AolAcsDaemon1] "C:\PROGRAM FILES\COMMON FILES\AOL\ACS\ACSD.EXE"
O4 - HKCU\..\Run: [AIM] C:\PROGRAM FILES\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [SMSystemAnalyzer] "C:\Program Files\iolo\System Mechanic 6\SMSystemAnalyzer.exe"
O4 - Startup: America Online Tray Icon.lnk = C:\Program Files\America Online 7.0\aoltray.exe
O4 - Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: Compaq Knowledge Center.lnk = ?
O9 - Extra button: Translate - {06FE5D05-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirectors/presario/srchredir.dll?s=avbabelfish&c=3c00&LC=0409 (file missing)
O9 - Extra 'Tools' menuitem: AV &Translate - {06FE5D05-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirectors/presario/srchredir.dll?s=avbabelfish&c=3c00&LC=0409 (file missing)
O9 - Extra button: (no name) - {06FE5D02-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirectors/presario/srchredir.dll?s=avlinksearch&c=3c00&LC=0409 (file missing)
O9 - Extra 'Tools' menuitem: &Find Pages Linking to this URL - {06FE5D02-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirectors/presario/srchredir.dll?s=avlinksearch&c=3c00&LC=0409 (file missing)
O9 - Extra button: (no name) - {06FE5D03-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirectors/presario/srchredir.dll?s=avhostsearch&c=3c00&LC=0409 (file missing)
O9 - Extra 'Tools' menuitem: Find Other Pages on this &Host - {06FE5D03-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirectors/presario/srchredir.dll?s=avhostsearch&c=3c00&LC=0409 (file missing)
O9 - Extra button: (no name) - {06FE5D04-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirectors/presario/srchredir.dll?s=altavista&c=3c00&LC=0409 (file missing)
O9 - Extra 'Tools' menuitem: AV Live - {06FE5D04-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirectors/presario/srchredir.dll?s=altavista&c=3c00&LC=0409 (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES.DLL
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES.DLL
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\PROGRAM FILES\YAHOO!\COMMON\YLOGIN.DLL
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\PROGRAM FILES\YAHOO!\COMMON\YLOGIN.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM\AIM.EXE
O12 - Plugin for .wmv: C:\Program Files\Netscape\Communicator\Program\PLUGINS\NPDSPLAY.DLL
O12 - Plugin for .avi: C:\Program Files\Netscape\Communicator\Program\PLUGINS\npavi32.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.aol.com
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin9x/AvSniff.cab
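As an added example (not code from this thread or from Dr.Web), a small Python script that parses a DrWeb.csv report in the semicolon-separated form posted above and reports which detections were not actually remediated, for instance the C:\_RESTORE\TEMP copies that ended in "write error" and the entry deferred until reboot. The sample lines are constructed from the posted format; the field layout (file name; directory; verdict; action) is assumed from that report.

```python
"""Summarize a Dr.Web CureIt report (DrWeb.csv) in the format posted above.

Each line has four semicolon-separated fields: file name, directory,
verdict, action taken.  Detections that ended in "write error" or that
are "Will be moved after reboot" were NOT remediated and need a follow-up
scan once the System Restore folder has been purged.
"""
from collections import Counter
from typing import Dict, List

# Constructed sample lines, same layout as the posted DrWeb.csv report
SAMPLE_REPORT = """\
r3ily2i7.exe;C:\\WINDOWS;Trojan.DownLoader.17087;Deleted.;
ouhqd.exe;C:\\WINDOWS\\SYSTEM;Trojan.DnsChange;Deleted.;
A0028466.CPY;C:\\_RESTORE\\TEMP;Trojan.DownLoader.5401 - write error - write error;;
A0028825.CPY;C:\\_RESTORE\\TEMP;Adware.Cfd;Incurable.Will be moved after reboot.;
setup.exe;C:\\WINDOWS\\All Users\\Application Data\\AOL Downloads\\CCU_SUITE_1.0.48.1;Probably BACKDOOR.Trojan;Incurable.Moved.;
Process.exe;C:\\WINDOWS\\Desktop\\SmitfraudFix\\SmitfraudFix;Tool.Prockill;Incurable.Moved.;
36110103225362368.EXE;C:\\!KillBox;Trojan.Click.1570;Deleted.;
"""

FINAL_ACTIONS = ("Deleted.", "Incurable.Moved.")


class Detection:
    def __init__(self, name: str, directory: str, verdict: str, action: str):
        self.name, self.directory, self.verdict, self.action = name, directory, verdict, action

    @property
    def remediated(self) -> bool:
        # A "write error" in the verdict column means the scanner could not
        # touch the file; a deferred move means it is still on disk right now.
        if "write error" in self.verdict:
            return False
        return self.action in FINAL_ACTIONS

    @property
    def family(self) -> str:
        # "Trojan.DownLoader.17087 - write error - write error" -> "Trojan.DownLoader"
        base = self.verdict.split(" - ")[0]
        if base.startswith("Probably "):
            base = base[len("Probably "):]
        return ".".join(base.split(".")[:2])

    @property
    def in_restore_folder(self) -> bool:
        # Windows ME keeps System Restore snapshots under C:\_RESTORE
        return self.directory.upper().startswith("C:\\_RESTORE")


def parse_report(text: str) -> List[Detection]:
    """Parse DrWeb.csv text; malformed lines are skipped rather than guessed at."""
    found = []
    for raw in text.splitlines():
        fields = raw.strip().split(";")
        if len(fields) < 4 or not fields[0]:
            continue
        found.append(Detection(*fields[:4]))
    return found


def summarize(dets: List[Detection]) -> Dict[str, object]:
    """Counts per family, plus the names that still need a follow-up scan."""
    return {
        "total": len(dets),
        "families": dict(Counter(d.family for d in dets)),
        "pending": [d.name for d in dets if not d.remediated],
        "restore_folder": sum(1 for d in dets if d.in_restore_folder),
        # Tool.* verdicts on a cleanup utility's own helper (SmitfraudFix here)
        # are worth reviewing by hand before treating them as infections.
        "tools": [d.name for d in dets if d.family.startswith("Tool.")],
    }


if __name__ == "__main__":
    report = summarize(parse_report(SAMPLE_REPORT))
    print("detections:", report["total"])
    for fam, n in sorted(report["families"].items()):
        print(f"  {fam}: {n}")
    print("not remediated (rescan after purging _RESTORE):", report["pending"])
    print("in restore folder:", report["restore_folder"], "tool verdicts:", report["tools"])
```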
 

dvk01

Derek
Retired Moderator Retired Malware Specialist
Joined
Dec 14, 2002
Messages
56,452
next step

Turn off system restore by following instructions here
http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001012513122239
That will purge the restore folder and clear any malware that has been put in there. Then reboot & then re-enable system restore & create a new restore point.

then
urgently install an antivirus

one free one that many users of this forum use successfully is
AVG from http://free.grisoft.com/freeweb.php/doc/1/

or Avast from http://www.avast.com/eng/free_virus_protectio.html
or Antivir from http://www.free-av.com/
 

rendds

Thread Starter
Joined
Jun 13, 2006
Messages
81
Thanks a ton.
I have turned off system restore, rebooted then established a new restore point. Then I have downloaded and installed the AVG anti virus. Do I need anything else? Can I remove the HJT, KILLBOX and DrCureit from my programs on the computer? Is the DrCureIt recommended for any time use on any of my other computers or is it just for cases like this? One other thing...can you direct me to a place where I can learn to evaluate what is seen in these HJT logs?
Finally, I went to the Hedgehog rescue website. Just checking, but this is really where you'd like a donation sent for your time and expertise in helping me out? You've been a great help so please verify the hedgehog deal, OK?
 

dvk01

Derek
Retired Moderator Retired Malware Specialist
Joined
Dec 14, 2002
Messages
56,452
Dr cureit is a stand alone scanner & fixer that doesn't update so you have to download a new version every time you want to use it

Yes please any donations for my help can be made to the hedgehog rescue site where it is put to very good use

as to learning HJT logs if you are really interested send a pm to cookiegal who will put you in touch with one of the teaching schools

you can quite safely remove hjt & killbox & dr web now but uninstall hjt & dr web from add/remove programs if there
 