Solved: sspmydoom

flitsct

Thread Starter
Joined
Feb 7, 2005
Messages
7
I have been infected by this virus/spyware.
Can anyone help?
Here is my log file from adware.
Listing running processes
#:1 [KERNEL32.DLL]
FilePath : C:\WINDOWS\SYSTEM\
ProcessID : 4291810675
Threads : 4
Priority : High
FileVersion : 4.10.2222
ProductVersion : 4.10.2222
ProductName : Microsoft(R) Windows(R) Operating System
CompanyName : Microsoft Corporation
FileDescription : Win32 Kernel core component
InternalName : KERNEL32
LegalCopyright : Copyright (C) Microsoft Corp. 1991-1999
OriginalFilename : KERNEL32.DLL

#:2 [MSGSRV32.EXE]
FilePath : C:\WINDOWS\SYSTEM\
ProcessID : 4294935259
Threads : 1
Priority : Normal
FileVersion : 4.10.2222
ProductVersion : 4.10.2222
ProductName : Microsoft(R) Windows(R) Operating System
CompanyName : Microsoft Corporation
FileDescription : Windows 32-bit VxD Message Server
InternalName : MSGSRV32
LegalCopyright : Copyright (C) Microsoft Corp. 1992-1998
OriginalFilename : MSGSRV32.EXE

#:3 [MPREXE.EXE]
FilePath : C:\WINDOWS\SYSTEM\
ProcessID : 4294939723
Threads : 2
Priority : Normal
FileVersion : 4.10.1998
ProductVersion : 4.10.1998
ProductName : Microsoft(R) Windows(R) Operating System
CompanyName : Microsoft Corporation
FileDescription : WIN32 Network Interface Service Process
InternalName : MPREXE
LegalCopyright : Copyright (C) Microsoft Corp. 1993-1998
OriginalFilename : MPREXE.EXE

#:4 [mmtask.tsk]
FilePath : C:\WINDOWS\SYSTEM\
ProcessID : 4294838527
Threads : 1
Priority : Normal
FileVersion : 4.03.1998
ProductVersion : 4.03.1998
ProductName : Microsoft Windows
CompanyName : Microsoft Corporation
FileDescription : Multimedia background task support module
InternalName : mmtask.tsk
LegalCopyright : Copyright © Microsoft Corp. 1991-1998
OriginalFilename : mmtask.tsk

#:5 [EXPLORER.EXE]
FilePath : C:\WINDOWS\
ProcessID : 4294725447
Threads : 13
Priority : Normal
FileVersion : 4.72.3110.1
ProductVersion : 4.72.3110.1
ProductName : Microsoft(R) Windows NT(R) Operating System
CompanyName : Microsoft Corporation
FileDescription : Windows Explorer
InternalName : explorer
LegalCopyright : Copyright (C) Microsoft Corp. 1981-1997
OriginalFilename : EXPLORER.EXE

#:6 [SYSTRAY.EXE]
FilePath : C:\WINDOWS\SYSTEM\
ProcessID : 4294856271
Threads : 2
Priority : Normal
FileVersion : 4.10.2224
ProductVersion : 4.10.2222
ProductName : Microsoft(R) Windows(R) Operating System
CompanyName : Microsoft Corporation
FileDescription : System Tray Applet
InternalName : SYSTRAY
LegalCopyright : Copyright (C) Microsoft Corp. 1993-1999
OriginalFilename : SYSTRAY.EXE

#:7 [EM_EXEC.EXE]
FilePath : C:\PROGRAM FILES\LOGITECH\MOUSEWARE\SYSTEM\
ProcessID : 4294765743
Threads : 1
Priority : Normal
FileVersion : 8.62.192
ProductVersion : 8.62
ProductName : MouseWare
CompanyName : Logitech Inc.
FileDescription : Control Center
InternalName : EM_EXEC
LegalCopyright : Copyright © Logitech Inc. 1987-1999.
LegalTrademarks : Logitech® and MouseWare® are registered trademarks of Logitech Inc.
OriginalFilename : EM_EXEC.CPP
Comments : Created by the MouseWare Team

#:8 [3DFXMAN.EXE]
FilePath : C:\PROGRAM FILES\3DFX INTERACTIVE\3DFX TOOLS\APPS\
ProcessID : 4294740047
Threads : 2
Priority : Normal
FileVersion : 2.1.9.139
ProductVersion : 2.6.2.116
ProductName : 3dfx Tools
CompanyName : 3dfx Interactive, Inc.
FileDescription : 3dfxTools Task Manager
LegalCopyright : Copyright © 3dfx Interactive, Inc. 2000

#:9 [QTTASK.EXE]
FilePath : C:\WINDOWS\SYSTEM\
ProcessID : 4294746659
Threads : 2
Priority : Normal
FileVersion : 6.0.2
ProductVersion : QuickTime 6.0.2
ProductName : QuickTime
CompanyName : Apple Computer, Inc.
InternalName : QuickTime Task
LegalCopyright : © Apple Computer, Inc. 2001-2002
OriginalFilename : QTTask.exe

#:10 [DISK_MONITOR.EXE]
FilePath : C:\PROGRAM FILES\GENERIC\MEMORYSTICK USB CARD READER DRIVER V1.7\
ProcessID : 4294663199
Threads : 1
Priority : Normal
FileVersion : 1.4.730.1
ProductVersion : 1.4.0610.1
ProductName : Disk Monitor
CompanyName : Neodio Corp.
FileDescription : Disk Monitor
InternalName : Disk Monitor
LegalCopyright : Copyright (C) Neodio Corp. 2001
LegalTrademarks : Neodio
OriginalFilename : Disk_Monitor.exe

#:11 [SDKIU.EXE]
FilePath : C:\WINDOWS\
ProcessID : 4294663623
Threads : 2
Priority : Normal


#:12 [CREATECD.EXE]
FilePath : C:\PROGRAM FILES\ADAPTEC\EASY CD CREATOR 4\CREATECD\
ProcessID : 4294650699
Threads : 2
Priority : Normal
FileVersion : 4.02d (292)
ProductVersion : 4.02d (292)
ProductName : Easy CD Creator
CompanyName : Adaptec
FileDescription : Adaptec Create CD
InternalName : createcd.exe
LegalCopyright : Copyright (c) 1996-2000 Adaptec, Inc.
OriginalFilename : createcd.exe

#:13 [MSMSGS.EXE]
FilePath : C:\PROGRAM FILES\MESSENGER\
ProcessID : 4294691555
Threads : 1
Priority : Normal
FileVersion : 3.0.0286
ProductVersion : Version 3.0
ProductName : MSN(tm) Messenger Service
CompanyName : Microsoft Corporation
FileDescription : MSN Messenger Service
InternalName : msmsgs
LegalCopyright : Copyright (c) Microsoft Corporation 1997-2000
LegalTrademarks : Microsoft(R) is a registered trademark of Microsoft Corporation in the U.S. and/or other countries.
OriginalFilename : msmsgs.exe

#:14 [RNAAPP.EXE]
FilePath : C:\WINDOWS\SYSTEM\
ProcessID : 4294588387
Threads : 2
Priority : Normal
FileVersion : 4.10.2222
ProductVersion : 4.10.2222
ProductName : Microsoft(R) Windows(R) Operating System
CompanyName : Microsoft Corporation
FileDescription : Dial-Up Networking Application
InternalName : RNAAPP
LegalCopyright : Copyright (C) Microsoft Corp. 1992-1996
OriginalFilename : RNAAPP.EXE

#:15 [PSTORES.EXE]
FilePath : C:\WINDOWS\SYSTEM\
ProcessID : 4294630951
Threads : 3
Priority : Normal
FileVersion : 5.00.1877.3
ProductVersion : 5.00.1877.3
ProductName : Microsoft(R) Windows NT(R) Operating System
CompanyName : Microsoft Corporation
FileDescription : Protected storage server
InternalName : Protected storage server
LegalCopyright : Copyright (C) Microsoft Corp. 1981-1998
OriginalFilename : Protected storage server

#:16 [TAPISRV.EXE]
FilePath : C:\WINDOWS\SYSTEM\
ProcessID : 4294618679
Threads : 5
Priority : Normal
FileVersion : 4.10.2222
ProductVersion : 4.10.2222
ProductName : Microsoft(R) Windows(R) Operating System
CompanyName : Microsoft Corporation
FileDescription : Microsoft® Windows(TM) Telephony Server
InternalName : Telephony Service
LegalCopyright : Copyright (C) Microsoft Corp. 1994-1998
OriginalFilename : TAPISRV.EXE

#:17 [WMIEXE.EXE]
FilePath : C:\WINDOWS\SYSTEM\
ProcessID : 4294523919
Threads : 3
Priority : Normal
FileVersion : 5.00.1755.1
ProductVersion : 5.00.1755.1
ProductName : Microsoft(R) Windows NT(R) Operating System
CompanyName : Microsoft Corporation
FileDescription : WMI service exe housing
InternalName : wmiexe
LegalCopyright : Copyright (C) Microsoft Corp. 1981-1998
OriginalFilename : wmiexe.exe

#:18 [SPOOL32.EXE]
FilePath : C:\WINDOWS\SYSTEM\
ProcessID : 4294371463
Threads : 4
Priority : Normal
FileVersion : 4.10.1998
ProductVersion : 4.10.1998
ProductName : Microsoft(R) Windows(R) Operating System
CompanyName : Microsoft Corporation
FileDescription : Spooler Sub System Process
InternalName : spool32
LegalCopyright : Copyright (C) Microsoft Corp. 1994 - 1998
OriginalFilename : spool32.exe

#:19 [DDHELP.EXE]
FilePath : C:\WINDOWS\SYSTEM\
ProcessID : 4294316855
Threads : 2
Priority : Realtime
FileVersion : 4.08.01.0881
ProductVersion : 4.08.01.0881
ProductName : Microsoft® DirectX for Windows® 95 and 98
CompanyName : Microsoft Corporation
FileDescription : Microsoft DirectX Helper
InternalName : DDHelp.exe
LegalCopyright : Copyright © Microsoft Corp. 1994-2001
OriginalFilename : DDHelp.exe

#:20 [CVEKVIJ.EXE]
FilePath : C:\WINDOWS\SYSTEM\
ProcessID : 4294763883
Threads : 3
Priority : Normal
FileVersion : 1, 0, 2, 17
ProductVersion : 0, 0, 7, 0
ProductName : TODO: <Product name>
CompanyName : TODO: <Company name>
FileDescription : TODO: <File description>
LegalCopyright : TODO: (c) <Company name>. All rights reserved.

VX2 Object Recognized!
Type : Process
Data : CVEKVIJ.EXE
Category : Malware
Comment : (CSI MATCH)
Object : C:\WINDOWS\SYSTEM\
FileVersion : 1, 0, 2, 17
ProductVersion : 0, 0, 7, 0
ProductName : TODO: <Product name>
CompanyName : TODO: <Company name>
FileDescription : TODO: <File description>
LegalCopyright : TODO: (c) <Company name>. All rights reserved.

Warning! VX2 Object found in memory(C:\WINDOWS\SYSTEM\CVEKVIJ.EXE)

"C:\WINDOWS\SYSTEM\CVEKVIJ.EXE"Process terminated successfully

#:21 [PACKAGER.EXE]
FilePath : C:\WINDOWS\
ProcessID : 4294804059
Threads : 1
Priority : Realtime
FileVersion : 4.10.1998
ProductVersion : 4.10.1998
ProductName : Microsoft(R) Windows(R) Operating System
CompanyName : Microsoft Corporation
FileDescription : Windows Packager application file
InternalName : PACKAGER
LegalCopyright : Copyright (C) Microsoft Corp. 1991-1998
OriginalFilename : PACKAGER.EXE

#:22 [AD-AWARE.EXE]
FilePath : C:\PROGRAM FILES\LAVASOFT\AD-AWARE SE PERSONAL\
ProcessID : 4294840347
Threads : 2
Priority : Normal
FileVersion : 6.2.0.206
ProductVersion : VI.Second Edition
ProductName : Lavasoft Ad-Aware SE
CompanyName : Lavasoft Sweden
FileDescription : Ad-Aware SE Core application
InternalName : Ad-Aware.exe
LegalCopyright : Copyright © Lavasoft Sweden
Memory scan result:


Started Tracking Cookie scan

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : tim [email protected][1].txt
Category : Data Miner
Comment : Hits:5
Value : Cookie:tim [email protected]/
Expires : 2-7-08 8:30:54 PM
LastSync : Hits:5
UseCount : 0
Hits : 5

Tracking cookie scan result:



Deep scanning and examining files...
CoolWebSearch Object Recognized!
Type : File
Data : ovxaau.dat
Category : Malware
Comment :
Object : C:\WINDOWS\



ImIServer IEPlugin Object Recognized!
Type : File
Data : systb.dll
Category : Data Miner
Comment :
Object : C:\WINDOWS\
FileVersion : 1, 0, 8, 1
ProductVersion : 1, 0, 8, 1
ProductName : wbho Module
FileDescription : wbho Module
InternalName : wbho
LegalCopyright : Copyright 2004
OriginalFilename : wbho.DLL


CoolWebSearch Object Recognized!
Type : File
Data : zwakwh.txt
Category : Malware
Comment :
Object : C:\WINDOWS\



CoolWebSearch Object Recognized!
Type : File
Data : vuemyj.dat
Category : Malware
Comment :
Object : C:\WINDOWS\



CoolWebSearch Object Recognized!
Type : File
Data : dixls.dll
Category : Malware
Comment :
Object : C:\WINDOWS\



CoolWebSearch Object Recognized!
Type : File
Data : dgqed.txt
Category : Malware
Comment :
Object : C:\WINDOWS\



CoolWebSearch Object Recognized!
Type : File
Data : jmccn.dll
Category : Malware
Comment :
Object : C:\WINDOWS\



CoolWebSearch Object Recognized!
Type : File
Data : iedwa.dat
Category : Malware
Comment :
Object : C:\WINDOWS\



CoolWebSearch Object Recognized!
Type : File
Data : yghwd.dll
Category : Malware
Comment :
Object : C:\WINDOWS\



CoolWebSearch Object Recognized!
Type : File
Data : uwtbcu.txt
Category : Malware
Comment :
Object : C:\WINDOWS\



CoolWebSearch Object Recognized!
Type : File
Data : nxmgwx.txt
Category : Malware
Comment :
Object : C:\WINDOWS\



CoolWebSearch Object Recognized!
Type : File
Data : yypzss.log
Category : Malware
Comment :
Object : C:\WINDOWS\



CoolWebSearch Object Recognized!
Type : File
Data : pjbvg.dll
Category : Malware
Comment :
Object : C:\WINDOWS\



CoolWebSearch Object Recognized!
Type : File
Data : skensw.txt
Category : Malware
Comment :
Object : C:\WINDOWS\



CoolWebSearch Object Recognized!
Type : File
Data : mgfff.dat
Category : Malware
Comment :
Object : C:\WINDOWS\



CoolWebSearch Object Recognized!
Type : File
Data : rxkoii.log
Category : Malware
Comment :
Object : C:\WINDOWS\



CoolWebSearch Object Recognized!
Type : File
Data : cywyed.log
Category : Malware
Comment :
Object : C:\WINDOWS\



Disk Scan Result for C:\WINDOWS
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 19

CoolWebSearch Object Recognized!
Type : File
Data : bdkmu.dat
Category : Malware
Comment :
Object : C:\WINDOWS\SYSTEM\



CoolWebSearch Object Recognized!
Type : File
Data : ffklo.dll
Category : Malware
Comment :
Object : C:\WINDOWS\SYSTEM\



CoolWebSearch Object Recognized!
Type : File
Data : qbguy.txt
Category : Malware
Comment :
Object : C:\WINDOWS\SYSTEM\



CoolWebSearch Object Recognized!
Type : File
Data : lofzj.txt
Category : Malware
Comment :
Object : C:\WINDOWS\SYSTEM\



CoolWebSearch Object Recognized!
Type : File
Data : tfnrd.txt
Category : Malware
Comment :
Object : C:\WINDOWS\SYSTEM\



CoolWebSearch Object Recognized!
Type : File
Data : fdsed.dat
Category : Malware
Comment :
Object : C:\WINDOWS\SYSTEM\



Disk Scan Result for C:\WINDOWS\SYSTEM
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 25

VX2 Object Recognized!
Type : File
Data : satmat.cab
Category : Malware
Comment :
Object : C:\WINDOWS\TEMP\



VX2 Object Recognized!
Type : File
Data : satmat.exe
Category : Malware
Comment :
Object : C:\WINDOWS\TEMP\
FileVersion : 0, 1, 1, 3
ProductVersion : 0, 1, 1, 3
CompanyName : Better Internet Inc.
FileDescription : www.abetterinternet.com
LegalCopyright : Copyright © 2002


win32.winshow Object Recognized!
Type : File
Data : B055.TMP
Category : Malware
Comment :
Object : C:\WINDOWS\TEMP\



win32.winshow Object Recognized!
Type : File
Data : B055.TMP.exe
Category : Malware
Comment :
Object : C:\WINDOWS\TEMP\



win32.winshow Object Recognized!
Type : File
Data : B200.TMP
Category : Malware
Comment :
Object : C:\WINDOWS\TEMP\



win32.winshow Object Recognized!
Type : File
Data : B200.TMP.exe
Category : Malware
Comment :
Object : C:\WINDOWS\TEMP\



Disk Scan Result for C:\WINDOWS\TEMP\
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 31

Possible Browser Hijack attempt Object Recognized!
Type : File
Data : Search the web.url
Category : Misc
Comment : Problematic URL discovered: http://www.lookfor.cc/
Object : C:\WINDOWS\Profiles\Tim Flitsch\Favorites\



Possible Browser Hijack attempt Object Recognized!
Type : File
Data : Only sex website.url
Category : Misc
Comment : Problematic URL discovered: http://www.onlysex.ws/
Object : C:\WINDOWS\Profiles\Tim Flitsch\Favorites\



Possible Browser Hijack attempt Object Recognized!
Type : File
Data : Seven days of free porn.url
Category : Misc
Comment : Problematic URL discovered: http://www.7days.ws/



Performing conditional scans...
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

VX2 Object Recognized!
Type : Regkey
Data :
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\vendor\xml

VX2 Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\vendor\xml
Value :

VX2 Object Recognized!
Type : Regkey
Data :
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\vendor

VX2 Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_CURRENT_USER
Object : software\microsoft\internet explorer\toolbar\webbrowser
Value : {0E5CBF21-D15F-11D0-8301-00AA005B4383}

VX2 Object Recognized!
Type : File
Data : dummy.htm
Category : Malware
Comment :
Object : C:\WINDOWS\TEMP\



CoolWebSearch Object Recognized!
Type : Regkey
Data :
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\windows\currentversion\uninstall\sw

CoolWebSearch Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\windows\currentversion\uninstall\sw
Value : DisplayName

CoolWebSearch Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\windows\currentversion\uninstall\sw
Value : UninstallString

CoolWebSearch Object Recognized!
Type : Regkey
Data :
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\windows\currentversion\uninstall\se

CoolWebSearch Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\windows\currentversion\uninstall\se
Value : DisplayName

CoolWebSearch Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\windows\currentversion\uninstall\se
Value : UninstallString

CoolWebSearch Object Recognized!
Type : Regkey
Data :
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\windows\currentversion\uninstall\hsa

CoolWebSearch Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\windows\currentversion\uninstall\hsa
Value : DisplayName

CoolWebSearch Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\windows\currentversion\uninstall\hsa
Value : UninstallString

CoolWebSearch Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_CURRENT_USER
Object : software\microsoft\internet explorer\search
Value : SearchAssistant

CoolWebSearch Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_CURRENT_USER
Object : software\microsoft\internet explorer\main
Value : Search Bar

CoolWebSearch Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft
Value : set

CoolWebSearch Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\windows\currentversion\internet settings\zonemap\ranges\range1
Value : :Range

ImIServer IEPlugin Object Recognized!
Type : Regkey
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : remove

ImIServer IEPlugin Object Recognized!
Type : Regkey
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CURRENT_USER
Object : software\intexp

ImIServer IEPlugin Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CURRENT_USER
Object : software\intexp
Value : IID

ImIServer IEPlugin Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CURRENT_USER
Object : software\intexp
Value : Version

ImIServer IEPlugin Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CURRENT_USER
Object : software\intexp
Value : bid

ImIServer IEPlugin Object Recognized!
Type : File
Data : redir.txt
Category : Data Miner
Comment :
Object : C:\WINDOWS\



win32.winshow Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_CURRENT_USER
Object : software\microsoft\windows\currentversion\internet settings
Value : Security_RunActiveXControls

win32.winshow Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_CURRENT_USER
Object : software\microsoft\windows\currentversion\internet settings
Value : Safety Warning Level

win32.winshow Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_CURRENT_USER
Object : software\microsoft\windows\currentversion\internet settings
Value : Security_RunScripts

win32.winshow Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : .default\software\microsoft\windows\currentversion\internet settings
Value : Safety Warning Level

win32.winshow Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : .default\software\microsoft\windows\currentversion\internet settings
Value : MinLevel

win32.winshow Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_USERS
Object : .default\software\microsoft\windows\currentversion\internet settings
Value : Security_RunActiveXControls
 

flitsct

Thread Starter
Joined
Feb 7, 2005
Messages
7
This tool does not work for Windows 98, which I am running.
Any other suggestions???
Thanks
 
Joined
Jan 13, 2005
Messages
106
I may be mistaken but I feel pretty sure mydoom is a virus that affects systems running XP only. I am not sure what is going on with your sys. But, here is something to try: Go to www.majorgeeks.com and look at the menu on the left and find "anti-virus", then look for the program called "antivir". Install and run this free anti-virus program. Hope this helps.
 
Joined
Sep 7, 2004
Messages
49,014
SpywareBlaster http://www.javacoolsoftware.com/spywareblaster.html
AdAware SE http://www.majorgeeks.com/download506.html
SpyBot S&D 1.3 http://www.safer-networking.org/en/download/

DL them (they are free), install them, check each for their definition updates and then run AdAware and Spybot, fixing anything they say.

In SpywareBlaster - Always enable all protection after updates
SpyBot - After an update run immunize

Do these and reboot before the next step.

Then get HiJack This http://www.majorgeeks.com/download3155.html, put it in a permanent folder (C:\HJT), run it, DO NOT fix anything, post the log here.
 

flitsct

Thread Starter
Joined
Feb 7, 2005
Messages
7
Here is the log file
Adware would not delete some things found
It would lock up and just sit there
I think it was this program

C:\WINDOWS\SYSTEM\CVEKVIJ.EXE


Logfile of HijackThis v1.99.0
Scan saved at 12:07:08 AM, on 2/10/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\WINXO.EXE
C:\WINDOWS\SYSTEM\SDKCD.EXE
C:\WINDOWS\WINXZ32.EXE
C:\WINDOWS\CRNA32.EXE
C:\WINDOWS\SYSTEM\SYSAT32.EXE
C:\WINDOWS\SYSTEM\NETRK.EXE
C:\WINDOWS\SYSTEM\IESJ32.EXE
C:\WINDOWS\SYSTEM\NETYT32.EXE
C:\WINDOWS\APPEM32.EXE
C:\WINDOWS\SYSTEM\JAVAYG32.EXE
C:\WINDOWS\SYSTEM\ADDPE.EXE
C:\WINDOWS\SYSTEM\NTHY.EXE
C:\WINDOWS\SYSTEM\IPUU32.EXE
C:\WINDOWS\ATLYX.EXE
C:\WINDOWS\NETJC32.EXE
C:\WINDOWS\JAVALF.EXE
C:\WINDOWS\WINGD.EXE
C:\WINDOWS\SYSTEM\SYSPP.EXE
C:\WINDOWS\SYSTEM\D3RC32.EXE
C:\WINDOWS\SYSTEM\MFCCZ.EXE
C:\WINDOWS\SYSTEM\SYSVI.EXE
C:\WINDOWS\SDKLR.EXE
C:\WINDOWS\ATLQT32.EXE
C:\WINDOWS\NETHT.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\LOGITECH\MOUSEWARE\SYSTEM\EM_EXEC.EXE
C:\PROGRAM FILES\3DFX INTERACTIVE\3DFX TOOLS\APPS\3DFXMAN.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\PROGRAM FILES\GENERIC\MEMORYSTICK USB CARD READER DRIVER V1.7\DISK_MONITOR.EXE
C:\WINDOWS\SDKIU.EXE
C:\WINDOWS\SYSTEM\CVEKVIJ.EXE
C:\PROGRAM FILES\ADAPTEC\EASY CD CREATOR 4\CREATECD\CREATECD.EXE
C:\PROGRAM FILES\MESSENGER\MSMSGS.EXE
C:\WINDOWS\SYSTEM\SYSPP.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\WINXO.EXE
C:\PROGRAM FILES\OUTLOOK EXPRESS\MSIMN.EXE
C:\WINDOWS\PACKAGER.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SDKLR.EXE
C:\WINDOWS\CRPI.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\CRPI.EXE
C:\WINDOWS\SYSTEM\MFCMT.EXE
C:\PROGRAM FILES\WINZIP\WINZIP32.EXE
C:\WINDOWS\TEMP\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system\dluce.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system\dluce.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system\dluce.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system\dluce.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system\dluce.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system\dluce.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system\dluce.dll/sp.html#28129
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {C5FDFB41-2927-504B-74D4-04BFC6A9C392} - C:\WINDOWS\WINKG32.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [3dfx Tools] rundll32.exe 3dfxCmn.dll,CMNUpdateOnBoot
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\LOGITECH\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [3dfx Task Manager] "C:\Program Files\3dfx Interactive\3dfx Tools\Apps\3dfxMan.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [mdac_runonce] C:\WINDOWS\SYSTEM\runonce.exe
O4 - HKLM\..\Run: [Tango] D:\RELEASE\..\Setup.exe
O4 - HKLM\..\Run: [Disk Monitor] C:\Program Files\Generic\MemoryStick USB Card Reader Driver v1.7\Disk_Monitor.exe
O4 - HKLM\..\Run: [tibs3] C:\WINDOWS\SYSTEM\tibs3.exe
O4 - HKLM\..\Run: [SDKIU.EXE] C:\WINDOWS\SDKIU.EXE
O4 - HKLM\..\Run: [cvekvij] c:\windows\system\cvekvij.exe
O4 - HKLM\..\Run: [CreateCD] C:\PROGRA~1\ADAPTEC\EASYCD~1\CREATECD\CREATECD.EXE -r
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [NETYT32.EXE] C:\WINDOWS\SYSTEM\NETYT32.EXE
O4 - HKLM\..\RunServices: [SYSAT32.EXE] C:\WINDOWS\SYSTEM\SYSAT32.EXE
O4 - HKLM\..\RunServices: [SDKCD.EXE] C:\WINDOWS\SYSTEM\SDKCD.EXE
O4 - HKLM\..\RunServices: [NETRK.EXE] C:\WINDOWS\SYSTEM\NETRK.EXE
O4 - HKLM\..\RunServices: [APPEM32.EXE] C:\WINDOWS\APPEM32.EXE
O4 - HKLM\..\RunServices: [WINXZ32.EXE] C:\WINDOWS\WINXZ32.EXE
O4 - HKLM\..\RunServices: [IESJ32.EXE] C:\WINDOWS\SYSTEM\IESJ32.EXE
O4 - HKLM\..\RunServices: [WINXO.EXE] C:\WINDOWS\WINXO.EXE
O4 - HKLM\..\RunServices: [JAVAYG32.EXE] C:\WINDOWS\SYSTEM\JAVAYG32.EXE
O4 - HKLM\..\RunServices: [CRNA32.EXE] C:\WINDOWS\CRNA32.EXE
O4 - HKLM\..\RunServices: [ADDPE.EXE] C:\WINDOWS\SYSTEM\ADDPE.EXE
O4 - HKLM\..\RunServices: [IPUU32.EXE] C:\WINDOWS\SYSTEM\IPUU32.EXE
O4 - HKLM\..\RunServices: [NTHY.EXE] C:\WINDOWS\SYSTEM\NTHY.EXE
O4 - HKLM\..\RunServices: [ATLYX.EXE] C:\WINDOWS\ATLYX.EXE
O4 - HKLM\..\RunServices: [D3RC32.EXE] C:\WINDOWS\SYSTEM\D3RC32.EXE
O4 - HKLM\..\RunServices: [NETJC32.EXE] C:\WINDOWS\NETJC32.EXE
O4 - HKLM\..\RunServices: [JAVALF.EXE] C:\WINDOWS\JAVALF.EXE
O4 - HKLM\..\RunServices: [SYSPP.EXE] C:\WINDOWS\SYSTEM\SYSPP.EXE
O4 - HKLM\..\RunServices: [WINGD.EXE] C:\WINDOWS\WINGD.EXE
O4 - HKLM\..\RunServices: [MFCCZ.EXE] C:\WINDOWS\SYSTEM\MFCCZ.EXE
O4 - HKLM\..\RunServices: [SYSVI.EXE] C:\WINDOWS\SYSTEM\SYSVI.EXE
O4 - HKLM\..\RunServices: [SDKLR.EXE] C:\WINDOWS\SDKLR.EXE
O4 - HKLM\..\RunServices: [ATLQT32.EXE] C:\WINDOWS\ATLQT32.EXE
O4 - HKLM\..\RunServices: [NETHT.EXE] C:\WINDOWS\NETHT.EXE
O4 - HKLM\..\RunServices: [CRPI.EXE] C:\WINDOWS\CRPI.EXE
O4 - HKLM\..\RunServices: [MFCMT.EXE] C:\WINDOWS\SYSTEM\MFCMT.EXE
O4 - HKCU\..\Run: [MSMSGS] C:\Program Files\Messenger\msmsgs.exe /background
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - User Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE10\EXCEL.EXE/3000
O9 - Extra button: PhoenixNet - {59226440-fb18-11d4-9cf8-a2f19057a065} - http://www.seqdl.com/servlets/Redir?BID=65457&CID=9875 (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: Ebates - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\PROGRAM FILES\EBATES_MOEMONEYMAKER\Sy350\Tp350\scri350a.htm (file missing) (HKCU)
O15 - Trusted Zone: *.awmdabest.com
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.awmdabest.com (HKLM)
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O15 - Trusted IP range: 206.161.125.149
O15 - Trusted IP range: 206.161.124.130 (HKLM)
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
 

cybertech

Retired Moderator
Joined
Apr 16, 2002
Messages
72,115
Hi flitsct, Give me a few minutes and I'll post something for you...

EDIT: I just noticed you are running Hijackthis from a temp folder. You need to move that to a permanent folder before we begin.

To create a permanent folder click My Computer, then C:\
In the menu bar click on File, New, Folder.
That will create a folder named New Folder, which you can rename to "HJT" or "HijackThis". Now you have C:\HJT\ folder. Now you need to move hijackthis.exe into that folder.

When you have done that post a new log and don't reboot or do any kind of scans or fixes until you receive a reply.
 

flitsct

Thread Starter
Joined
Feb 7, 2005
Messages
7
Moved it...here you go


Logfile of HijackThis v1.99.0
Scan saved at 6:24:41 PM, on 2/10/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\SDKCD.EXE
C:\WINDOWS\SYSTEM\SYSAT32.EXE
C:\WINDOWS\APPEM32.EXE
C:\WINDOWS\SYSTEM\NETYT32.EXE
C:\WINDOWS\SYSTEM\NETRK.EXE
C:\WINDOWS\WINXZ32.EXE
C:\WINDOWS\CRNA32.EXE
C:\WINDOWS\SYSTEM\IESJ32.EXE
C:\WINDOWS\WINXO.EXE
C:\WINDOWS\SYSTEM\ADDPE.EXE
C:\WINDOWS\SYSTEM\IPUU32.EXE
C:\WINDOWS\SYSTEM\JAVAYG32.EXE
C:\WINDOWS\ATLYX.EXE
C:\WINDOWS\SYSTEM\NTHY.EXE
C:\WINDOWS\SYSTEM\D3RC32.EXE
C:\WINDOWS\NETJC32.EXE
C:\WINDOWS\JAVALF.EXE
C:\WINDOWS\SYSTEM\SYSPP.EXE
C:\WINDOWS\WINGD.EXE
C:\WINDOWS\SYSTEM\MFCCZ.EXE
C:\WINDOWS\SYSTEM\SYSVI.EXE
C:\WINDOWS\SDKLR.EXE
C:\WINDOWS\ATLQT32.EXE
C:\WINDOWS\NETHT.EXE
C:\WINDOWS\CRPI.EXE
C:\WINDOWS\SYSTEM\MFCMT.EXE
C:\WINDOWS\SYSTEM\SYSWL.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\LOGITECH\MOUSEWARE\SYSTEM\EM_EXEC.EXE
C:\PROGRAM FILES\3DFX INTERACTIVE\3DFX TOOLS\APPS\3DFXMAN.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\PROGRAM FILES\GENERIC\MEMORYSTICK USB CARD READER DRIVER V1.7\DISK_MONITOR.EXE
C:\WINDOWS\SDKIU.EXE
C:\WINDOWS\SYSTEM\CVEKVIJ.EXE
C:\PROGRAM FILES\ADAPTEC\EASY CD CREATOR 4\CREATECD\CREATECD.EXE
C:\PROGRAM FILES\MESSENGER\MSMSGS.EXE
C:\WINDOWS\SYSTEM\SYSWL.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\SYSTEM\SDKCD.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\PACKAGER.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\HJT\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\baeyp.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\baeyp.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\baeyp.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\baeyp.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\baeyp.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\baeyp.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\baeyp.dll/sp.html#28129
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {FBC7D80C-C17A-896F-1A0F-9292CE6726F7} - C:\WINDOWS\D3JA32.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [3dfx Tools] rundll32.exe 3dfxCmn.dll,CMNUpdateOnBoot
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\LOGITECH\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [3dfx Task Manager] "C:\Program Files\3dfx Interactive\3dfx Tools\Apps\3dfxMan.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [mdac_runonce] C:\WINDOWS\SYSTEM\runonce.exe
O4 - HKLM\..\Run: [Tango] D:\RELEASE\..\Setup.exe
O4 - HKLM\..\Run: [Disk Monitor] C:\Program Files\Generic\MemoryStick USB Card Reader Driver v1.7\Disk_Monitor.exe
O4 - HKLM\..\Run: [tibs3] C:\WINDOWS\SYSTEM\tibs3.exe
O4 - HKLM\..\Run: [SDKIU.EXE] C:\WINDOWS\SDKIU.EXE
O4 - HKLM\..\Run: [cvekvij] c:\windows\system\cvekvij.exe
O4 - HKLM\..\Run: [CreateCD] C:\PROGRA~1\ADAPTEC\EASYCD~1\CREATECD\CREATECD.EXE -r
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [NETYT32.EXE] C:\WINDOWS\SYSTEM\NETYT32.EXE
O4 - HKLM\..\RunServices: [SYSAT32.EXE] C:\WINDOWS\SYSTEM\SYSAT32.EXE
O4 - HKLM\..\RunServices: [SDKCD.EXE] C:\WINDOWS\SYSTEM\SDKCD.EXE
O4 - HKLM\..\RunServices: [NETRK.EXE] C:\WINDOWS\SYSTEM\NETRK.EXE
O4 - HKLM\..\RunServices: [APPEM32.EXE] C:\WINDOWS\APPEM32.EXE
O4 - HKLM\..\RunServices: [WINXZ32.EXE] C:\WINDOWS\WINXZ32.EXE
O4 - HKLM\..\RunServices: [IESJ32.EXE] C:\WINDOWS\SYSTEM\IESJ32.EXE
O4 - HKLM\..\RunServices: [WINXO.EXE] C:\WINDOWS\WINXO.EXE
O4 - HKLM\..\RunServices: [JAVAYG32.EXE] C:\WINDOWS\SYSTEM\JAVAYG32.EXE
O4 - HKLM\..\RunServices: [CRNA32.EXE] C:\WINDOWS\CRNA32.EXE
O4 - HKLM\..\RunServices: [ADDPE.EXE] C:\WINDOWS\SYSTEM\ADDPE.EXE
O4 - HKLM\..\RunServices: [IPUU32.EXE] C:\WINDOWS\SYSTEM\IPUU32.EXE
O4 - HKLM\..\RunServices: [NTHY.EXE] C:\WINDOWS\SYSTEM\NTHY.EXE
O4 - HKLM\..\RunServices: [ATLYX.EXE] C:\WINDOWS\ATLYX.EXE
O4 - HKLM\..\RunServices: [D3RC32.EXE] C:\WINDOWS\SYSTEM\D3RC32.EXE
O4 - HKLM\..\RunServices: [NETJC32.EXE] C:\WINDOWS\NETJC32.EXE
O4 - HKLM\..\RunServices: [JAVALF.EXE] C:\WINDOWS\JAVALF.EXE
O4 - HKLM\..\RunServices: [SYSPP.EXE] C:\WINDOWS\SYSTEM\SYSPP.EXE
O4 - HKLM\..\RunServices: [WINGD.EXE] C:\WINDOWS\WINGD.EXE
O4 - HKLM\..\RunServices: [MFCCZ.EXE] C:\WINDOWS\SYSTEM\MFCCZ.EXE
O4 - HKLM\..\RunServices: [SYSVI.EXE] C:\WINDOWS\SYSTEM\SYSVI.EXE
O4 - HKLM\..\RunServices: [SDKLR.EXE] C:\WINDOWS\SDKLR.EXE
O4 - HKLM\..\RunServices: [ATLQT32.EXE] C:\WINDOWS\ATLQT32.EXE
O4 - HKLM\..\RunServices: [NETHT.EXE] C:\WINDOWS\NETHT.EXE
O4 - HKLM\..\RunServices: [CRPI.EXE] C:\WINDOWS\CRPI.EXE
O4 - HKLM\..\RunServices: [MFCMT.EXE] C:\WINDOWS\SYSTEM\MFCMT.EXE
O4 - HKLM\..\RunServices: [SYSWL.EXE] C:\WINDOWS\SYSTEM\SYSWL.EXE
O4 - HKCU\..\Run: [MSMSGS] C:\Program Files\Messenger\msmsgs.exe /background
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - User Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE10\EXCEL.EXE/3000
O9 - Extra button: PhoenixNet - {59226440-fb18-11d4-9cf8-a2f19057a065} - http://www.seqdl.com/servlets/Redir?BID=65457&CID=9875 (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: Ebates - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\PROGRAM FILES\EBATES_MOEMONEYMAKER\Sy350\Tp350\scri350a.htm (file missing) (HKCU)
O15 - Trusted Zone: *.awmdabest.com
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.awmdabest.com (HKLM)
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O15 - Trusted IP range: 206.161.125.149
O15 - Trusted IP range: 206.161.124.130 (HKLM)
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
 

cybertech

Retired Moderator
Joined
Apr 16, 2002
Messages
72,115
If you have any questions ask them prior to starting. It would be a good idea to print this out before you start.

First copy the contents of the quotebox to notepad. Go to File > Save As and name it Fix.reg (save as type: 'all files')

REGEDIT4


[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\HSA]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SE]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SW]
___________________________________________________________________________

Click here to download CWShredder. Do Not run it yet. Download it to the desktop and have it ready to run later.

____________________________________________________________________

Click here to download AboutBuster created by Rubber Ducky.

Unzip AboutBuster to the Desktop then click the "Update Button" then click "Check for Update" and download the updates and then click "Exit" because I don't want you to run it yet. Just get the updates so it is ready to run later in safe mode.
_____________________________________________________________________

Sign off the internet and remain offline until this procedure is complete. Unplug your modem or disconnect the cable or phone line. Copy these instructions to notepad and save them on your desktop for easy access. You must follow these directions exactly and you cannot skip any part of it.
______________________________________________________________________

Restart to safe mode.

How to start your computer in safe mode


Perform the following steps in safe mode:

____________________________________________________________________

To configure Windows98 to show all files

On the Windows desktop, double-click the My Computer icon.
On the View menu, click Folder Options.
In the Advanced Settings box, under the "Hidden files" folder, click Show all files.
Click Apply.
Click OK.

____________________________________________________________________

Double click on the fix.reg file you saved at the beginning to enter it into the registry. Answer yes when asked to have its contents added to the registry.
____________________________________________________________________

Go to Start > Run and type Hijackthis. Press enter to start HijackThis. DO NOT OPEN ANYTHING ELSE!

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\baeyp.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\baeyp.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\baeyp.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\baeyp.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\baeyp.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\baeyp.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\baeyp.dll/sp.html#28129
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {FBC7D80C-C17A-896F-1A0F-9292CE6726F7} - C:\WINDOWS\D3JA32.DLL
O4 - HKLM\..\Run: [tibs3] C:\WINDOWS\SYSTEM\tibs3.exe
O4 - HKLM\..\Run: [SDKIU.EXE] C:\WINDOWS\SDKIU.EXE
O4 - HKLM\..\Run: [cvekvij] c:\windows\system\cvekvij.exe
O4 - HKLM\..\RunServices: [NETYT32.EXE] C:\WINDOWS\SYSTEM\NETYT32.EXE
O4 - HKLM\..\RunServices: [SYSAT32.EXE] C:\WINDOWS\SYSTEM\SYSAT32.EXE
O4 - HKLM\..\RunServices: [SDKCD.EXE] C:\WINDOWS\SYSTEM\SDKCD.EXE
O4 - HKLM\..\RunServices: [NETRK.EXE] C:\WINDOWS\SYSTEM\NETRK.EXE
O4 - HKLM\..\RunServices: [APPEM32.EXE] C:\WINDOWS\APPEM32.EXE
O4 - HKLM\..\RunServices: [WINXZ32.EXE] C:\WINDOWS\WINXZ32.EXE
O4 - HKLM\..\RunServices: [IESJ32.EXE] C:\WINDOWS\SYSTEM\IESJ32.EXE
O4 - HKLM\..\RunServices: [WINXO.EXE] C:\WINDOWS\WINXO.EXE
O4 - HKLM\..\RunServices: [JAVAYG32.EXE] C:\WINDOWS\SYSTEM\JAVAYG32.EXE
O4 - HKLM\..\RunServices: [CRNA32.EXE] C:\WINDOWS\CRNA32.EXE
O4 - HKLM\..\RunServices: [ADDPE.EXE] C:\WINDOWS\SYSTEM\ADDPE.EXE
O4 - HKLM\..\RunServices: [IPUU32.EXE] C:\WINDOWS\SYSTEM\IPUU32.EXE
O4 - HKLM\..\RunServices: [NTHY.EXE] C:\WINDOWS\SYSTEM\NTHY.EXE
O4 - HKLM\..\RunServices: [ATLYX.EXE] C:\WINDOWS\ATLYX.EXE
O4 - HKLM\..\RunServices: [D3RC32.EXE] C:\WINDOWS\SYSTEM\D3RC32.EXE
O4 - HKLM\..\RunServices: [NETJC32.EXE] C:\WINDOWS\NETJC32.EXE
O4 - HKLM\..\RunServices: [JAVALF.EXE] C:\WINDOWS\JAVALF.EXE
O4 - HKLM\..\RunServices: [SYSPP.EXE] C:\WINDOWS\SYSTEM\SYSPP.EXE
O4 - HKLM\..\RunServices: [WINGD.EXE] C:\WINDOWS\WINGD.EXE
O4 - HKLM\..\RunServices: [MFCCZ.EXE] C:\WINDOWS\SYSTEM\MFCCZ.EXE
O4 - HKLM\..\RunServices: [SYSVI.EXE] C:\WINDOWS\SYSTEM\SYSVI.EXE
O4 - HKLM\..\RunServices: [SDKLR.EXE] C:\WINDOWS\SDKLR.EXE
O4 - HKLM\..\RunServices: [ATLQT32.EXE] C:\WINDOWS\ATLQT32.EXE
O4 - HKLM\..\RunServices: [NETHT.EXE] C:\WINDOWS\NETHT.EXE
O4 - HKLM\..\RunServices: [CRPI.EXE] C:\WINDOWS\CRPI.EXE
O4 - HKLM\..\RunServices: [MFCMT.EXE] C:\WINDOWS\SYSTEM\MFCMT.EXE
O4 - HKLM\..\RunServices: [SYSWL.EXE] C:\WINDOWS\SYSTEM\SYSWL.EXE
O9 - Extra button: PhoenixNet - {59226440-fb18-11d4-9cf8-a2f19057a065} - http://www.seqdl.com/servlets/Redir?BID=65457&CID=9875 (file missing)
O9 - Extra button: Ebates - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\PROGRAM FILES\EBATES_MOEMONEYMAKER\Sy350\Tp350\scri350a.htm (file missing) (HKCU)
O15 - Trusted Zone: *.awmdabest.com
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.awmdabest.com (HKLM)
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O15 - Trusted IP range: 206.161.125.149
O15 - Trusted IP range: 206.161.124.130 (HKLM)


Delete these files:
C:\WINDOWS\baeyp.dll
C:\WINDOWS\D3JA32.DLL
C:\WINDOWS\SYSTEM\tibs3.exe
C:\WINDOWS\SDKIU.EXE
c:\windows\system\cvekvij.exe
C:\WINDOWS\SYSTEM\NETYT32.EXE
C:\WINDOWS\SYSTEM\SYSAT32.EXE
C:\WINDOWS\SYSTEM\SDKCD.EXE
C:\WINDOWS\SYSTEM\NETRK.EXE
C:\WINDOWS\APPEM32.EXE
C:\WINDOWS\WINXZ32.EXE
C:\WINDOWS\SYSTEM\IESJ32.EXE
C:\WINDOWS\WINXO.EXE
C:\WINDOWS\SYSTEM\JAVAYG32.EXE
C:\WINDOWS\CRNA32.EXE
C:\WINDOWS\SYSTEM\ADDPE.EXE
C:\WINDOWS\SYSTEM\IPUU32.EXE
C:\WINDOWS\SYSTEM\NTHY.EXE
C:\WINDOWS\ATLYX.EXE
C:\WINDOWS\SYSTEM\D3RC32.EXE
C:\WINDOWS\NETJC32.EXE
C:\WINDOWS\JAVALF.EXE
C:\WINDOWS\SYSTEM\SYSPP.EXE
C:\WINDOWS\WINGD.EXE
C:\WINDOWS\SYSTEM\MFCCZ.EXE
C:\WINDOWS\SYSTEM\SYSVI.EXE
C:\WINDOWS\SDKLR.EXE
C:\WINDOWS\ATLQT32.EXE
C:\WINDOWS\NETHT.EXE
C:\WINDOWS\CRPI.EXE
C:\WINDOWS\SYSTEM\MFCMT.EXE
C:\WINDOWS\SYSTEM\SYSWL.EXE


Navigate to the C:\Windows\Temp folder. Open the Temp folder and go to Edit > Select All then Edit > Delete to delete the entire contents of the Temp folder.

Finally go to Control Panel > Internet Options. On the General tab under "Temporary Internet Files" Click "Delete Files". Put a check by "Delete Offline Content" and click OK. Click on the Programs tab then click the "Reset Web Settings" button. Click Apply then OK.

________________________________________________________________________

Next run aboutbuster. Double click aboutbuster.exe, click OK, click Start, then click OK. This will scan your computer for the bad files and delete them.
_______________________________________________________________________

Finally, run CWShredder. Just click on the cwshredder.exe then click "Fix" (Not "Scan only") and let it do its thing.
_______________________________________________________________________

Boot back into Windows now.

Go here and do an online virus scan.

Be sure and put a check in the box by "Auto Clean" before you do the scan. If it finds anything that it cannot clean have it delete it or make a note of the file location so you can delete it yourself. Housecall will detect the leftover files from this hijacker.



This hijacker is known to alter or delete certain files so check this out please:

Download the Hoster from here. Unzip the file and press "Restore Original Hosts" and press "OK". Exit Program.

If you have Spybot S&D installed you will also need to replace one file.
Go here and download SDHelper.dll. Copy the file to the folder containing your Spybot S&D program (normally C:\Program Files\Spybot - Search & Destroy)


control.exe may have been deleted.
See if control.exe is present in C:\windows\system

If control.exe isn't there, Click here to download control_me.zip.

Unzip the file and copy the new control.exe file to the C:\Windows\System folder.


IMPORTANT!: Please check your ActiveX security settings. They may have been changed by this CWS variant to allow ALL ActiveX!! If they have been changed, reset your active x security settings in IE as recommended here.
 

flitsct

Thread Starter
Joined
Feb 7, 2005
Messages
7
Thanks...I will do this on Sunday...busy until then

Going to do it tonight
 

flitsct

Thread Starter
Joined
Feb 7, 2005
Messages
7
Still have it after doing all this

Did not find
C:\windows\baeyp.dll
c:\windows\d3ja32.dll

when I ran hijackthis but deleted all the others

Also got an internet error when I tried to do the online virus scan

Here is a new log file

Logfile of HijackThis v1.99.0
Scan saved at 1:24:43 AM, on 2/11/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\LOGITECH\MOUSEWARE\SYSTEM\EM_EXEC.EXE
C:\PROGRAM FILES\3DFX INTERACTIVE\3DFX TOOLS\APPS\3DFXMAN.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\PROGRAM FILES\GENERIC\MEMORYSTICK USB CARD READER DRIVER V1.7\DISK_MONITOR.EXE
C:\PROGRAM FILES\ADAPTEC\EASY CD CREATOR 4\CREATECD\CREATECD.EXE
C:\PROGRAM FILES\MESSENGER\MSMSGS.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\SYSTEM\ADDNF.EXE
C:\WINDOWS\SDKIU.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\HJT\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system\wnidu.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system\wnidu.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system\wnidu.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system\wnidu.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system\wnidu.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system\wnidu.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system\wnidu.dll/sp.html#28129
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {D92E50CF-C735-C403-CC44-197C38A75AE8} - C:\WINDOWS\SYSTEM\NTZN32.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [3dfx Tools] rundll32.exe 3dfxCmn.dll,CMNUpdateOnBoot
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\LOGITECH\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [3dfx Task Manager] "C:\Program Files\3dfx Interactive\3dfx Tools\Apps\3dfxMan.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [mdac_runonce] C:\WINDOWS\SYSTEM\runonce.exe
O4 - HKLM\..\Run: [Tango] D:\RELEASE\..\Setup.exe
O4 - HKLM\..\Run: [Disk Monitor] C:\Program Files\Generic\MemoryStick USB Card Reader Driver v1.7\Disk_Monitor.exe
O4 - HKLM\..\Run: [CreateCD] C:\PROGRA~1\ADAPTEC\EASYCD~1\CREATECD\CREATECD.EXE -r
O4 - HKLM\..\Run: [SDKIU.EXE] C:\WINDOWS\SDKIU.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [ADDNF.EXE] C:\WINDOWS\SYSTEM\ADDNF.EXE
O4 - HKCU\..\Run: [MSMSGS] C:\Program Files\Messenger\msmsgs.exe /background
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - User Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE10\EXCEL.EXE/3000
O9 - Extra button: PhoenixNet - {59226440-fb18-11d4-9cf8-a2f19057a065} - http://www.seqdl.com/servlets/Redir?BID=65457&CID=9875 (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: Ebates - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\PROGRAM FILES\EBATES_MOEMONEYMAKER\Sy350\Tp350\scri350a.htm (file missing) (HKCU)
O15 - Trusted Zone: *.awmdabest.com
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.awmdabest.com (HKLM)
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O15 - Trusted IP range: 206.161.125.149
O15 - Trusted IP range: 206.161.124.130 (HKLM)
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
 

cybertech

Retired Moderator
Joined
Apr 16, 2002
Messages
72,115
This hijacker changes when you reboot or do any fixes, that's why some of those files could not be found.

What was the error you got when you tried to do the virus scan?

What is this? [Tango] D:\RELEASE\..\Setup.exe


Download this tool
http://www.mvps.org/winhelp2002/DelDomains.inf

Right click on the file and choose install.

Run HJT again and put a check in the following:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system\wnidu.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system\wnidu.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system\wnidu.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system\wnidu.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system\wnidu.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system\wnidu.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system\wnidu.dll/sp.html#28129
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {D92E50CF-C735-C403-CC44-197C38A75AE8} - C:\WINDOWS\SYSTEM\NTZN32.DLL
O4 - HKLM\..\Run: [mdac_runonce] C:\WINDOWS\SYSTEM\runonce.exe
O4 - HKLM\..\Run: [SDKIU.EXE] C:\WINDOWS\SDKIU.EXE
O4 - HKLM\..\RunServices: [ADDNF.EXE] C:\WINDOWS\SYSTEM\ADDNF.EXE
O9 - Extra button: PhoenixNet - {59226440-fb18-11d4-9cf8-a2f19057a065} - http://www.seqdl.com/servlets/Redir?BID=65457&CID=9875 (file missing)
O9 - Extra button: Ebates - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\PROGRAM FILES\EBATES_MOEMONEYMAKER\Sy350\Tp350\scri350a.htm (file missing) (HKCU)
O15 - Trusted Zone: *.awmdabest.com
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.awmdabest.com (HKLM)
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O15 - Trusted IP range: 206.161.125.149
O15 - Trusted IP range: 206.161.124.130 (HKLM)

Close all applications and browser windows before you click "fix checked".

Restart in safe mode

Delete these files:
C:\WINDOWS\SYSTEM\ADDNF.EXE
C:\WINDOWS\SYSTEM\NTZN32.DLL
C:\WINDOWS\SDKIU.EXE
C:\WINDOWS\system\wnidu.dll
mtwirl.dll
mtwirl32.dll

Empty this folder: c:\windows\temp

Empty your recycle bin.

Run Ad-Aware again while in safe mode.
Run About:buster again.

Reboot.
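
The behaviour described in this reply (the hijacker re-registering itself under new names between scans) can be seen by diffing two HijackThis logs. This is an added example, not part of the original thread; `parse_log` and `diff_logs` are hypothetical helper names, and the two sample logs are short excerpts of the logs posted above.

```python
import re
from collections import namedtuple

# One HijackThis result line: section code, the stable location, and its value.
Entry = namedtuple("Entry", "code slot target")

LINE_RE = re.compile(r"^(R\d|O\d+|F\d) - (.+)$")

# Excerpt of the first HijackThis log in the thread.
BEFORE = r"""
Running processes:
C:\WINDOWS\SDKIU.EXE
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\baeyp.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
O2 - BHO: Class - {FBC7D80C-C17A-896F-1A0F-9292CE6726F7} - C:\WINDOWS\D3JA32.DLL
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [SDKIU.EXE] C:\WINDOWS\SDKIU.EXE
O4 - HKLM\..\RunServices: [NETYT32.EXE] C:\WINDOWS\SYSTEM\NETYT32.EXE
O4 - HKLM\..\RunServices: [SYSWL.EXE] C:\WINDOWS\SYSTEM\SYSWL.EXE
O15 - Trusted Zone: *.awmdabest.com
"""

# Excerpt of the log saved on 2/11/05, after the first round of fixes.
AFTER = r"""
Logfile of HijackThis v1.99.0
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system\wnidu.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
O2 - BHO: Class - {D92E50CF-C735-C403-CC44-197C38A75AE8} - C:\WINDOWS\SYSTEM\NTZN32.DLL
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [SDKIU.EXE] C:\WINDOWS\SDKIU.EXE
O4 - HKLM\..\RunServices: [ADDNF.EXE] C:\WINDOWS\SYSTEM\ADDNF.EXE
O15 - Trusted Zone: *.awmdabest.com
"""


def parse_log(text):
    """Return the set of Entry tuples found in a HijackThis log."""
    entries = set()
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # header, process list or blank line
        code, body = m.groups()
        if code.startswith("R") and " = " in body:
            # "registry value = data": the value name is the stable part.
            slot, target = body.split(" = ", 1)
        elif ": " in body:
            # e.g. "HKLM\..\RunServices: [NAME] path" or "BHO: Class - {...} - path"
            slot, target = body.split(": ", 1)
        else:
            slot, target = body, ""
        entries.add(Entry(code, slot, target))
    return entries


def diff_logs(before_text, after_text):
    """Classify entries as persisted, changed in place, removed or added."""
    before, after = parse_log(before_text), parse_log(after_text)
    gone, new = before - after, after - before
    # An R value present in both scans with different data was rewritten in place.
    new_r = {(e.code, e.slot): e for e in new if e.code.startswith("R")}
    changed = [(old, new_r[(old.code, old.slot)])
               for old in sorted(gone) if (old.code, old.slot) in new_r]
    return {
        "persisted": sorted(before & after),
        "changed": changed,
        "removed": sorted(gone - {o for o, _ in changed}),
        "added": sorted(new - {n for _, n in changed}),
    }


if __name__ == "__main__":
    result = diff_logs(BEFORE, AFTER)
    for old, new in result["changed"]:
        print("CHANGED  ", old.slot, "\n    ", old.target, "->", new.target)
    for label in ("persisted", "removed", "added"):
        for e in result[label]:
            print(f"{label.upper():<9}", e.code, e.slot, e.target)
```

On these excerpts the search-bar value is reported as changed in place (baeyp.dll to wnidu.dll), the SDKIU.EXE Run entry and the Trusted Zone entry as persisted, and the ADDNF.EXE service and the new BHO as added.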
 

flitsct

Thread Starter
Joined
Feb 7, 2005
Messages
7
I think it is gone
Here is the Hijackthis logfile

Logfile of HijackThis v1.99.0
Scan saved at 5:54:14 PM, on 2/13/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\LOGITECH\MOUSEWARE\SYSTEM\EM_EXEC.EXE
C:\PROGRAM FILES\3DFX INTERACTIVE\3DFX TOOLS\APPS\3DFXMAN.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\PROGRAM FILES\GENERIC\MEMORYSTICK USB CARD READER DRIVER V1.7\DISK_MONITOR.EXE
C:\PROGRAM FILES\ADAPTEC\EASY CD CREATOR 4\CREATECD\CREATECD.EXE
C:\PROGRAM FILES\MESSENGER\MSMSGS.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\HJT\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.district6hockey.net/
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [3dfx Tools] rundll32.exe 3dfxCmn.dll,CMNUpdateOnBoot
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\LOGITECH\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [3dfx Task Manager] "C:\Program Files\3dfx Interactive\3dfx Tools\Apps\3dfxMan.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [Tango] D:\RELEASE\..\Setup.exe
O4 - HKLM\..\Run: [Disk Monitor] C:\Program Files\Generic\MemoryStick USB Card Reader Driver v1.7\Disk_Monitor.exe
O4 - HKLM\..\Run: [CreateCD] C:\PROGRA~1\ADAPTEC\EASYCD~1\CREATECD\CREATECD.EXE -r
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKCU\..\Run: [MSMSGS] C:\Program Files\Messenger\msmsgs.exe /background
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - User Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab

Let me know if there is anything else I can do
Thanks
Tim
 

dvk01

Derek
Retired Moderator Retired Malware Specialist
Joined
Dec 14, 2002
Messages
56,452
The most important thing now is to install an antivirus so you don't get reinfected
 