
"THEY" got me - I've been hijacked..:(

Discussion in 'Virus & Other Malware Removal' started by sherstgeo, Sep 22, 2004.

  1. sherstgeo

    sherstgeo Thread Starter

    Joined:
    Sep 22, 2004
    Messages:
    20
    My computer is on its last leg - popups, weird searchpages and homepages, and I think it may even have a fever... hellllllllllppppppppp...
    Here is my logfile..

    Logfile of HijackThis v1.97.7
    Scan saved at 6:54:35 PM, on 9/22/2004
    Platform: Windows ME (Win9x 4.90.3000)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\BCMDMMSG.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\WINDOWS\SYSTEM\SSDPSRV.EXE
    C:\PROGRAM FILES\ADAPTEC\GOBACK\GBPOLL.EXE
    C:\PROGRAM FILES\COMMON FILES\EPSON\EBAPI\SAGENT2.EXE
    C:\WINDOWS\SYSTEM\NETGB.EXE
    C:\WINDOWS\NTYW.EXE
    C:\WINDOWS\APPCN.EXE
    C:\WINDOWS\SYSTEM\MFCCY32.EXE
    C:\WINDOWS\IEJJ32.EXE
    C:\WINDOWS\NETXL.EXE
    C:\WINDOWS\SYSTEM\MSNL32.EXE
    C:\WINDOWS\IEWZ.EXE
    C:\WINDOWS\SYSTEM\ATLOV.EXE
    C:\WINDOWS\SYSTEM\NTWK32.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\SYSTEM\ADDNU.EXE
    C:\WINDOWS\SYSTEM\RPCSS.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\PROGRAM FILES\ADAPTEC\DIRECTCD\DIRECTCD.EXE
    C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\WORKS SHARED\WKUFIND.EXE
    C:\WINDOWS\LOADQM.EXE
    C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
    C:\WINDOWS\SYSTEM\ADDLD32.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
    C:\WINDOWS\SYSTEM\NETGB.EXE
    C:\WINDOWS\SYSTEM\ADDNU.EXE
    C:\PROGRAM FILES\ADAPTEC\GOBACK\GBMENU.EXE
    C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\WORKS SHARED\WKCALREM.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\WINDOWS\SYSTEM\PSTORES.EXE
    C:\WINDOWS\SYSTEM\ADDNU.EXE
    C:\WINDOWS\SYSTEM\APIEW.EXE
    C:\WINDOWS\SYSTEM\APIEW.EXE
    C:\WINDOWS\SYSKR32.EXE
    C:\WINDOWS\SYSKR32.EXE
    C:\WINDOWS\NTQL32.EXE
    C:\WINDOWS\NTQL32.EXE
    C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
    C:\WINDOWS\SYSKR32.EXE
    C:\WINDOWS\SYSKR32.EXE
    C:\WINDOWS\D3PG.EXE
    C:\PROGRAM FILES\XOFTSPY\XOFTSPY.EXE
    C:\WINDOWS\SYSTEM\ADDNU.EXE
    C:\WINDOWS\RUNDLL32.EXE
    C:\WINDOWS\SYSKR32.EXE
    C:\WINDOWS\TEMP\TD_0001.DIR\HIJACKTHIS.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\WINDOWS\SYSKR32.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\nknuo.dll/sp.html#37049
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\nknuo.dll/sp.html#37049
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\nknuo.dll/sp.html#37049
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\nknuo.dll/sp.html#37049
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\nknuo.dll/sp.html#37049
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\nknuo.dll/sp.html#37049
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
    O2 - BHO: (no name) - {05BA99FE-B9FE-C1A4-557E-880036A20118} - C:\WINDOWS\SYSAF.DLL
    O3 - Toolbar: @msdxmLC.dll,-1@1,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [OEMRUNONCE] c:\windows\options\cabs\oemrun.exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [BCMDMMSG] BCMDMMSG.exe
    O4 - HKLM\..\Run: [Adaptec DirectCD] C:\PROGRA~1\ADAPTEC\DIRECTCD\DIRECTCD.EXE
    O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
    O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
    O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
    O4 - HKLM\..\Run: [LoadQM] loadqm.exe
    O4 - HKLM\..\Run: [OneTouch Monitor] C:\Program Files\Visioneer OneTouch\OneTouchMon.exe
    O4 - HKLM\..\Run: [Consumer Input] C:\Program Files\Consumer Input\ConsumerInput.exe
    O4 - HKLM\..\Run: [Consumer Input Update] C:\Program Files\Consumer Input\ConsumerInputUa.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [ADDLD32.EXE] C:\WINDOWS\SYSTEM\ADDLD32.EXE
    O4 - HKLM\..\Run: [CreateCD] C:\PROGRA~1\ADAPTEC\EASYCD~1\CREATECD\CREATECD.EXE -r
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
    O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
    O4 - HKLM\..\RunServices: [GoBack Polling Service] C:\Program Files\Adaptec\GoBack\GBPoll.exe
    O4 - HKLM\..\RunServices: [SAgent2ExePath] C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
    O4 - HKLM\..\RunServices: [NETGB.EXE] C:\WINDOWS\SYSTEM\NETGB.EXE
    O4 - HKLM\..\RunServices: [IEJJ32.EXE] C:\WINDOWS\IEJJ32.EXE
    O4 - HKLM\..\RunServices: [IEWZ.EXE] C:\WINDOWS\IEWZ.EXE
    O4 - HKLM\..\RunServices: [ATLOV.EXE] C:\WINDOWS\SYSTEM\ATLOV.EXE
    O4 - HKLM\..\RunServices: [NTWK32.EXE] C:\WINDOWS\SYSTEM\NTWK32.EXE
    O4 - HKLM\..\RunServices: [APPCN.EXE] C:\WINDOWS\APPCN.EXE
    O4 - HKLM\..\RunServices: [NTYW.EXE] C:\WINDOWS\NTYW.EXE
    O4 - HKLM\..\RunServices: [ADDNU.EXE] C:\WINDOWS\SYSTEM\ADDNU.EXE
    O4 - HKLM\..\RunServices: [NETXL.EXE] C:\WINDOWS\NETXL.EXE
    O4 - HKLM\..\RunServices: [MFCCY32.EXE] C:\WINDOWS\SYSTEM\MFCCY32.EXE
    O4 - HKLM\..\RunServices: [MSNL32.EXE] C:\WINDOWS\SYSTEM\MSNL32.EXE
    O4 - HKLM\..\RunServices: [APIEW.EXE] C:\WINDOWS\SYSTEM\APIEW.EXE
    O4 - HKLM\..\RunServices: [SYSKR32.EXE] C:\WINDOWS\SYSKR32.EXE
    O4 - HKLM\..\RunServices: [NTQL32.EXE] C:\WINDOWS\NTQL32.EXE
    O4 - HKLM\..\RunServices: [D3PG.EXE] C:\WINDOWS\D3PG.EXE
    O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRAM FILES\YAHOO!\MESSENGER\ypager.exe -quiet
    O4 - HKCU\..\Run: [PPWebCap] C:\PROGRA~1\SCANSOFT\PAPERP~1\PPWebCap.exe
    O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
    O4 - Startup: GoBack.lnk = C:\Program Files\Adaptec\GoBack\GBMenu.exe
    O4 - Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
    O4 - Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\SYSTEM\E_SRCV02.EXE
    O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37895.3651736111
    O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://utu.popcap.com/games/popcaploader_v5.cab
    O16 - DPF: {4B6E165B-1085-4550-A4E4-7C6D874AD96B} - http://www.topmoxie.com/external/builds/mypoints/mypt800.cab
    O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://usercenter.cox.net/rsuite/sdccommon/asp/cx_tgctlcm.jsp
    O16 - DPF: {92CA8ACC-4E99-4A2A-93F1-B2C5CADC8613} (NMInstall Control) - http://a14.g.akamai.net/f/14/7141/1...taller_activex_en_4.60.38.0_MEGAPANEL_USA.cab
    O16 - DPF: {93EFDAB8-8800-4896-B428-76F943140E1B} (Setup Class) - http://www.consumerinput.com/panel/grapevine/dcainst.cab
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/054d370b5dc9a573be03/netzip/RdxIE601.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.com/download/xclean_micro.exe
    O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
     
  2. LineOFire

    LineOFire

    Joined:
    Jan 28, 2004
    Messages:
    322
    1. ActiveServices ...
      • Please download GetService.zip
      • Extract it to a new folder on the desktop. Double click on the Getservice.bat file to run it. This will create and open a text file named getservice.txt in the same folder. It will then open getservice.txt for you.
      • getservice.txt will list all active Services. Copy and paste the contents of getservice.txt in your next reply here.
    From the moment you post your list, until you see a detailed fix written up, DO NOT reboot your system or log off. If you do, the service will have changed and the fix provided will not work.
     
  3. sherstgeo

    sherstgeo Thread Starter

    Joined:
    Sep 22, 2004
    Messages:
    20
    OK - This downloaded fine but when I click on the Getservice.bat file, the 2 windows open up but I just get an error that says: The PSSERVICE.EXE file is linked to missing export NETAPI32.DLL: NetServerEnum.
    A notepad file was created but nothing is in it.
    ???
     
  4. LineOFire

    LineOFire

    Joined:
    Jan 28, 2004
    Messages:
    322
    Did you extract everything in the .ZIP file to the same folder? Or did you run getservices.bat directly from the .ZIP file?
     
  5. sherstgeo

    sherstgeo Thread Starter

    Joined:
    Sep 22, 2004
    Messages:
    20
    First I extracted it into a regular folder on my desktop and then clicked on getservice.bat - then I saved it as a compressed folder to my desktop, extracted all the files into the same folder, and tried again and the same thing happened.. am I doing something wrong?
     
  6. LineOFire

    LineOFire

    Joined:
    Jan 28, 2004
    Messages:
    322
  7. sherstgeo

    sherstgeo Thread Starter

    Joined:
    Sep 22, 2004
    Messages:
    20
    I don't have a C:\WINNT or a C:\WINNT\SYSTEM directory - I am running Windows ME - does this change things?
     
  8. LineOFire

    LineOFire

    Joined:
    Jan 28, 2004
    Messages:
    322
    Do you have a C:\WINDOWS and C:\WINDOWS\SYSTEM directory? I missed the ME part.
     
  9. sherstgeo

    sherstgeo Thread Starter

    Joined:
    Sep 22, 2004
    Messages:
    20
    Yes - C:\WINDOWS and C:\WINDOWS\SYSTEM - should I download NETAPI32.DLL to these directories?
     
  10. LineOFire

    LineOFire

    Joined:
    Jan 28, 2004
    Messages:
    322
  11. sherstgeo

    sherstgeo Thread Starter

    Joined:
    Sep 22, 2004
    Messages:
    20
    Ok - I did that and tried getservice again and got the same error - even deleted it and downloaded it again and got the same error - I'm over-error-ated.
    ~Sherri
     
  12. LineOFire

    LineOFire

    Joined:
    Jan 28, 2004
    Messages:
    322
    You may want to print out these instructions or save them to your desktop because we will be restarting into Safe Mode later on in the fix and you might not be able to access the Internet.

    Please close all browsers and windows and have HijackThis fix these entries:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\nknuo.dll/sp.html#37049
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\nknuo.dll/sp.html#37049
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\nknuo.dll/sp.html#37049
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\nknuo.dll/sp.html#37049
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\nknuo.dll/sp.html#37049
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\nknuo.dll/sp.html#37049
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    O2 - BHO: (no name) - {05BA99FE-B9FE-C1A4-557E-880036A20118} - C:\WINDOWS\SYSAF.DLL
    O4 - HKLM\..\Run: [ADDLD32.EXE] C:\WINDOWS\SYSTEM\ADDLD32.EXE
    O4 - HKLM\..\RunServices: [NETGB.EXE] C:\WINDOWS\SYSTEM\NETGB.EXE
    O4 - HKLM\..\RunServices: [IEJJ32.EXE] C:\WINDOWS\IEJJ32.EXE
    O4 - HKLM\..\RunServices: [IEWZ.EXE] C:\WINDOWS\IEWZ.EXE
    O4 - HKLM\..\RunServices: [ATLOV.EXE] C:\WINDOWS\SYSTEM\ATLOV.EXE
    O4 - HKLM\..\RunServices: [NTWK32.EXE] C:\WINDOWS\SYSTEM\NTWK32.EXE
    O4 - HKLM\..\RunServices: [APPCN.EXE] C:\WINDOWS\APPCN.EXE
    O4 - HKLM\..\RunServices: [NTYW.EXE] C:\WINDOWS\NTYW.EXE
    O4 - HKLM\..\RunServices: [ADDNU.EXE] C:\WINDOWS\SYSTEM\ADDNU.EXE
    O4 - HKLM\..\RunServices: [NETXL.EXE] C:\WINDOWS\NETXL.EXE
    O4 - HKLM\..\RunServices: [MFCCY32.EXE] C:\WINDOWS\SYSTEM\MFCCY32.EXE
    O4 - HKLM\..\RunServices: [MSNL32.EXE] C:\WINDOWS\SYSTEM\MSNL32.EXE
    O4 - HKLM\..\RunServices: [APIEW.EXE] C:\WINDOWS\SYSTEM\APIEW.EXE
    O4 - HKLM\..\RunServices: [SYSKR32.EXE] C:\WINDOWS\SYSKR32.EXE
    O4 - HKLM\..\RunServices: [NTQL32.EXE] C:\WINDOWS\NTQL32.EXE
    O4 - HKLM\..\RunServices: [D3PG.EXE] C:\WINDOWS\D3PG.EXE
    O16 - DPF: {4B6E165B-1085-4550-A4E4-7C6D874AD96B} - http://www.topmoxie.com/external/bu...nts/mypt800.cab
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/054d370...ip/RdxIE601.cab

    Reconfigure Windows ME to show hidden files:
    Double-click the My Computer icon on the Windows desktop.
    Select the Tools menu and click Folder Options. Select the View tab.

    Under the Hidden files and folders heading select "Show hidden files and folders".
    Uncheck the "Hide protected operating system files (recommended)" option.
    Uncheck the "Hide file extensions for known file types" option.
    Click Yes to confirm. Click OK.

    Click Start, Programs and Accessories and open Windows Explorer.
    Select a hard drive from the left hand side of the Windows Explorer window.
    Select "View the Entire contents of this drive".

    Boot into Safe Mode:
    Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.
    To get back to normal mode just restart the computer as you normally would.

    Please delete these files using Windows Explorer(if present):

    C:\WINDOWS\APPCN.EXE
    C:\WINDOWS\D3PG.EXE
    C:\WINDOWS\IEJJ32.EXE
    C:\WINDOWS\IEWZ.EXE
    C:\WINDOWS\NETXL.EXE
    C:\WINDOWS\nknuo.dll
    C:\WINDOWS\NTQL32.EXE
    C:\WINDOWS\NTYW.EXE
    C:\WINDOWS\SYSAF.DLL
    C:\WINDOWS\SYSKR32.EXE
    C:\WINDOWS\SYSTEM\ADDLD32.EXE
    C:\WINDOWS\SYSTEM\ADDNU.EXE
    C:\WINDOWS\SYSTEM\APIEW.EXE
    C:\WINDOWS\SYSTEM\ATLOV.EXE
    C:\WINDOWS\SYSTEM\MFCCY32.EXE
    C:\WINDOWS\SYSTEM\MSNL32.EXE
    C:\WINDOWS\SYSTEM\NETGB.EXE
    C:\WINDOWS\SYSTEM\NTWK32.EXE

    Now you can restart the computer normally.
    Please run HijackThis again and post a fresh log, just so I can make sure that all the malware was deleted according to plan. :)
     
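A small triage script, added here as an example and not part of the thread or of HijackThis itself: it parses lines in the log format above and applies the patterns LineOFire's fix relies on (search page redirected into a local res:// DLL, an unnamed BHO sitting directly in the Windows directory, and Run/RunServices values named after their own executable) to produce the same kind of fix-and-delete list. The sample lines are copied from the log posted above; the rules are heuristics derived from this log, not a general malware signature.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample: lines copied from the HijackThis log posted above plus
# a few known-good entries, so the script runs offline.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\nknuo.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\nknuo.dll/sp.html#37049
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.yahoo.com/
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: (no name) - {05BA99FE-B9FE-C1A4-557E-880036A20118} - C:\WINDOWS\SYSAF.DLL
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [NETGB.EXE] C:\WINDOWS\SYSTEM\NETGB.EXE
O4 - HKLM\..\RunServices: [SYSKR32.EXE] C:\WINDOWS\SYSKR32.EXE
O4 - HKLM\..\Run: [ADDLD32.EXE] C:\WINDOWS\SYSTEM\ADDLD32.EXE
O4 - HKLM\..\Run: [BCMDMMSG] BCMDMMSG.exe
"""

# Directories the dropped files in this log live in (Windows ME layout).
WINDOWS_DIRS = {"C:\\WINDOWS", "C:\\WINDOWS\\SYSTEM"}

# R0/R1 values of the form res://<local dll>/sp.html#... (the hijack seen above)
RES_DLL = re.compile(r"res://(?P<dll>[A-Za-z]:\\[^/]+\.dll)", re.IGNORECASE)
O2_LINE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{[0-9A-F-]+\} - (?P<path>.+)$", re.IGNORECASE)
O4_LINE = re.compile(r"^O4 - HK(?:LM|CU)\\\.\.\\(?P<key>Run\w*): \[(?P<value>[^\]]+)\] (?P<cmd>.+)$")


def parent_dir(path):
    """Uppercase parent directory of a Windows path, for set membership tests."""
    return str(PureWindowsPath(path).parent).upper()


def flag_entry(line):
    """Return (reason, file_to_remove) for a suspicious line, else None."""
    line = line.strip()
    if line.startswith(("R0 - ", "R1 - ")):
        m = RES_DLL.search(line)
        if m:
            return "search/start page redirected into a local DLL resource", m.group("dll")
        return None
    m = O2_LINE.match(line)
    if m:
        # The Acrobat helper is also unnamed in v1.97 logs but lives under Program Files.
        if m.group("name") == "(no name)" and parent_dir(m.group("path")) in WINDOWS_DIRS:
            return "unnamed BHO loaded straight from the Windows directory", m.group("path")
        return None
    m = O4_LINE.match(line)
    if m:
        exe = PureWindowsPath(m.group("cmd")).name
        value = m.group("value")
        # Every dropped file above is registered as [NAME.EXE] C:\...\NAME.EXE;
        # legitimate entries such as [SSDPSRV] or [BCMDMMSG] do not follow that pattern.
        if value.upper().endswith(".EXE") and value.upper() == exe.upper() \
                and parent_dir(m.group("cmd")) in WINDOWS_DIRS:
            return f"{m.group('key')} value named after its own executable", m.group("cmd")
        return None
    return None


def triage(log_text):
    """Return ([(line, reason), ...], sorted list of files to delete in Safe Mode)."""
    findings, files = [], set()
    for line in log_text.splitlines():
        hit = flag_entry(line)
        if hit:
            findings.append((line.strip(), hit[0]))
            files.add(hit[1].upper())
    return findings, sorted(files)


if __name__ == "__main__":
    found, to_delete = triage(SAMPLE_LOG)
    for entry, reason in found:
        print(f"FIX  {entry}\n     -> {reason}")
    print("Files to delete in Safe Mode:")
    for path in to_delete:
        print("    " + path)
```

Because the fresh log in the next post shows the same entries back under new random names, re-running the triage on each new log (rather than reusing the old delete list) is what keeps the file list current.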
  13. sherstgeo

    sherstgeo Thread Starter

    Joined:
    Sep 22, 2004
    Messages:
    20
    Ok - done. (But as soon as I opened this IE window I got a dreaded pop-up window..)
    Here is my new log file..
    Logfile of HijackThis v1.98.2
    Scan saved at 8:51:19 PM, on 9/22/2004
    Platform: Windows ME (Win9x 4.90.3000)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\BCMDMMSG.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\WINDOWS\SYSTEM\SSDPSRV.EXE
    C:\PROGRAM FILES\ADAPTEC\GOBACK\GBPOLL.EXE
    C:\PROGRAM FILES\COMMON FILES\EPSON\EBAPI\SAGENT2.EXE
    C:\WINDOWS\SYSTEM\SDKQS32.EXE
    C:\WINDOWS\JAVAKQ.EXE
    C:\WINDOWS\ATLUI.EXE
    C:\WINDOWS\SYSTEM\ATLSZ32.EXE
    C:\WINDOWS\SYSTEM\IEJM32.EXE
    C:\WINDOWS\SYSLW32.EXE
    C:\WINDOWS\SYSTEM\NETDN.EXE
    C:\WINDOWS\APITW.EXE
    C:\WINDOWS\WINIC.EXE
    C:\WINDOWS\IPBJ32.EXE
    C:\WINDOWS\APIAQ.EXE
    C:\WINDOWS\MFCGT.EXE
    C:\WINDOWS\SYSTEM\D3GB32.EXE
    C:\WINDOWS\SYSTEM\RPCSS.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\PROGRAM FILES\ADAPTEC\DIRECTCD\DIRECTCD.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\WORKS SHARED\WKUFIND.EXE
    C:\WINDOWS\LOADQM.EXE
    C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
    C:\PROGRAM FILES\ADAPTEC\GOBACK\GBMENU.EXE
    C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\WORKS SHARED\WKCALREM.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\WINDOWS\SYSTEM\PSTORES.EXE
    C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
    C:\WINDOWS\APIDS32.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\WINDOWS\TEMPORARY INTERNET FILES\CONTENT.IE5\4ZCZKJED\HIJACKTHIS[1].EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\xgyqb.dll/sp.html#37049
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\xgyqb.dll/sp.html#37049
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.yahoo.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\xgyqb.dll/sp.html#37049
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\xgyqb.dll/sp.html#37049
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\xgyqb.dll/sp.html#37049
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\xgyqb.dll/sp.html#37049
    R3 - Default URLSearchHook is missing
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
    O2 - BHO: Class - {8A75B9E2-7BAB-C3F7-4007-DCC3D24A9C47} - C:\WINDOWS\NETMQ32.DLL
    O3 - Toolbar: @msdxmLC.dll,-1@1,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [OEMRUNONCE] c:\windows\options\cabs\oemrun.exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [BCMDMMSG] BCMDMMSG.exe
    O4 - HKLM\..\Run: [Adaptec DirectCD] C:\PROGRA~1\ADAPTEC\DIRECTCD\DIRECTCD.EXE
    O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
    O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
    O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
    O4 - HKLM\..\Run: [LoadQM] loadqm.exe
    O4 - HKLM\..\Run: [OneTouch Monitor] C:\Program Files\Visioneer OneTouch\OneTouchMon.exe
    O4 - HKLM\..\Run: [Consumer Input] C:\Program Files\Consumer Input\ConsumerInput.exe
    O4 - HKLM\..\Run: [Consumer Input Update] C:\Program Files\Consumer Input\ConsumerInputUa.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [CreateCD] C:\PROGRA~1\ADAPTEC\EASYCD~1\CREATECD\CREATECD.EXE -r
    O4 - HKLM\..\Run: [APIDS32.EXE] C:\WINDOWS\APIDS32.EXE
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
    O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
    O4 - HKLM\..\RunServices: [GoBack Polling Service] C:\Program Files\Adaptec\GoBack\GBPoll.exe
    O4 - HKLM\..\RunServices: [SAgent2ExePath] C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
    O4 - HKLM\..\RunServices: [APIAQ.EXE] C:\WINDOWS\APIAQ.EXE
    O4 - HKLM\..\RunServices: [APITW.EXE] C:\WINDOWS\APITW.EXE
    O4 - HKLM\..\RunServices: [JAVAKQ.EXE] C:\WINDOWS\JAVAKQ.EXE
    O4 - HKLM\..\RunServices: [NETDN.EXE] C:\WINDOWS\SYSTEM\NETDN.EXE
    O4 - HKLM\..\RunServices: [WINIC.EXE] C:\WINDOWS\WINIC.EXE
    O4 - HKLM\..\RunServices: [IPBJ32.EXE] C:\WINDOWS\IPBJ32.EXE
    O4 - HKLM\..\RunServices: [MFCGT.EXE] C:\WINDOWS\MFCGT.EXE
    O4 - HKLM\..\RunServices: [SYSLW32.EXE] C:\WINDOWS\SYSLW32.EXE
    O4 - HKLM\..\RunServices: [IEJM32.EXE] C:\WINDOWS\SYSTEM\IEJM32.EXE
    O4 - HKLM\..\RunServices: [ATLUI.EXE] C:\WINDOWS\ATLUI.EXE
    O4 - HKLM\..\RunServices: [ATLSZ32.EXE] C:\WINDOWS\SYSTEM\ATLSZ32.EXE
    O4 - HKLM\..\RunServices: [SDKQS32.EXE] C:\WINDOWS\SYSTEM\SDKQS32.EXE
    O4 - HKLM\..\RunServices: [D3GB32.EXE] C:\WINDOWS\SYSTEM\D3GB32.EXE
    O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRAM FILES\YAHOO!\MESSENGER\ypager.exe -quiet
    O4 - HKCU\..\Run: [PPWebCap] C:\PROGRA~1\SCANSOFT\PAPERP~1\PPWebCap.exe
    O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
    O4 - Startup: GoBack.lnk = C:\Program Files\Adaptec\GoBack\GBMenu.exe
    O4 - Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
    O4 - Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\SYSTEM\E_SRCV02.EXE
    O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://utu.popcap.com/games/popcaploader_v5.cab
    O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://usercenter.cox.net/rsuite/sdccommon/asp/cx_tgctlcm.jsp
    O16 - DPF: {92CA8ACC-4E99-4A2A-93F1-B2C5CADC8613} (NMInstall Control) - http://a14.g.akamai.net/f/14/7141/1...taller_activex_en_4.60.38.0_MEGAPANEL_USA.cab
    O16 - DPF: {93EFDAB8-8800-4896-B428-76F943140E1B} (Setup Class) - http://www.consumerinput.com/panel/grapevine/dcainst.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.com/download/xclean_micro.exe
     
  14. sherstgeo

    sherstgeo Thread Starter

    Joined:
    Sep 22, 2004
    Messages:
    20
    BUT I reset my home page to where it is supposed to be and it seems to be staying put instead of changing back to the horrible one the next time I open IE, so maybe the computer Gods are beginning to smile on me again after all..
     
  15. LineOFire

    LineOFire

    Joined:
    Jan 28, 2004
    Messages:
    322
    Are you sure it's gone? Have you tried restarting and see if it comes back? Try restarting and post a new log.
     
Short URL to this thread: https://techguy.org/277013