1. Computer problem? Tech Support Guy is completely free -- paid for by advertisers and donations. Click here to join today! If you're new to Tech Support Guy, we highly recommend that you visit our Guide for New Members.

Viruses found after running Traffic Generator

Discussion in 'Virus & Other Malware Removal' started by tlopez87, Sep 3, 2004.

Thread Status:
Not open for further replies.
Advertisement
  1. tlopez87

    tlopez87 Thread Starter

    Joined:
    Sep 2, 2004
    Messages:
    12
    I ran some traffic generators tonight and then found that they had infected my computer with viruses and also installed some programs without my authorization.

    I am running Windows Me. I have disabled system restore. I have AVG Free Edition virus scan. I ran HiJackThis - log follows:

    Logfile of HijackThis v1.98.2
    Scan saved at 2:30:06 AM, on 9/3/2004
    Platform: Windows ME (Win9x 4.90.3000)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\SSDPSRV.EXE
    C:\PROGRAM FILES\GRISOFT\AVG6\AVGSERV9.EXE
    C:\WINDOWS\SYSTEM\STIMON.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\PROGRAM FILES\COMMON FILES\EPSON\EBAPI\SAGENT2.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
    C:\WINDOWS\SYSTEM\WBEM\WINMGMT.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS\SYSTEM\HIDSERV.EXE
    C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMKEYBD.EXE
    C:\WINDOWS\SYSTEM\HPSYSDRV.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\WINDOWS\DELAYRUN.EXE
    C:\PROGRAM FILES\ADAPTEC\DIRECTCD\DIRECTCD.EXE
    C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\KEYBDMGR.EXE
    C:\PROGRAM FILES\GRISOFT\AVG6\AVGCC32.EXE
    C:\WINDOWS\SYSTEM32\DRIVERS\KODAKCCS.EXE
    C:\PROGRAM FILES\MUSICMATCH\MUSICMATCH JUKEBOX\MM_TRAY.EXE
    C:\PROGRAM FILES\NETROPA\ONSCREEN DISPLAY\OSD.EXE
    C:\PROGRAM FILES\CREATIVE\MOUSE OPTICAL\MOUSE_ME.EXE
    C:\WINDOWS\SYSTEM\WMIEXE32.EXE
    C:\WINDOWS\RUNDLL32.EXE
    C:\PROGRAM FILES\WINAD CLIENT\WINAD.EXE
    C:\PROGRAM FILES\WINAD CLIENT\WINCLT.EXE
    C:\TEMP\MSBB.EXE
    C:\WINDOWS\ZEBMPQB.EXE
    C:\PROGRAM FILES\WEB_REBATES\WEBREBATES0.EXE
    C:\PROGRAM FILES\INTERNET OPTIMIZER\OPTIMIZE.EXE
    C:\PROGRAM FILES\BULLSEYE NETWORK\BIN\BARGAINS.EXE
    C:\PROGRAM FILES\KODAK\KODAK SOFTWARE UPDATER\7288971\PROGRAM\BACKWEB-7288971.EXE
    C:\PROGRAM FILES\EBAY\EBAY TOOLBAR\4.4.0.1\EBAYTBAR.EXE
    C:\PROGRAM FILES\INTERNET OPTIMIZER\ACTALERT.EXE
    C:\PROGRAM FILES\WORDWEB\WWEB32.EXE
    C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMUSBKB2.EXE
    C:\PROGRAM FILES\KODAK\KODAK EASYSHARE SOFTWARE\BIN\EASYSHARE.EXE
    C:\PROGRAM FILES\INTERNET OPTIMIZER\INSTALL.EXE
    C:\PROGRAM FILES\ADOBE\ACROBAT 4.0\DISTILLR\ACROTRAY.EXE
    C:\PROGRAM FILES\EYETIDE MEDIA\EYETIDE VIEWER\EYETIDECONTROLLER.EXE
    C:\WINDOWS\SYSTEM\TAPISRV.EXE
    C:\PROGRAM FILES\WEB_REBATES\WEBREBATES1.EXE
    C:\PROGRAM FILES\YAHOO!\MESSENGER\YPAGER.EXE
    C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\WINDOWS\TEMP\TD_0001.DIR\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://channels.aimtoday.com/search/aimtoolbar.jsp
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://hp.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.yahoo.com/ext/search/search.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://hp.yahoo.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://channels.aimtoday.com/search/aimtoolbar.jsp
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
    O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_3_12_0.DLL
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
    O2 - BHO: eBay Helper Object - {001F2570-5DF5-11d3-B991-00A0C9BB0874} - C:\PROGRAM FILES\EBAY\EBAY TOOLBAR\4.4.0.1\EBAYBAND.DLL
    O2 - BHO: BHObj Class - {8F4E5661-F99E-4B3E-8D85-0EA71C0748E4} - C:\WINDOWS\WSEM301.DLL
    O2 - BHO: Url Catcher - {CE31A1F7-3D90-4874-8FBE-A5D97F8BC8F1} - C:\WINDOWS\SYSTEM\APUC.DLL
    O2 - BHO: ADP UrlCatcher Class - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - C:\WINDOWS\SYSTEM\MSBE.DLL
    O2 - BHO: NLS UrlCatcher Class - {AEECBFDA-12FA-4881-BDCE-8C3E1CE4B344} - C:\WINDOWS\SYSTEM\NVMS.DLL
    O2 - BHO: CB UrlCatcher Class - {CE188402-6EE7-4022-8868-AB25173A3E14} - C:\WINDOWS\SYSTEM\MSCB.DLL
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O3 - Toolbar: eBay Toolbar - {46AE04C0-BCFA-4728-90E7-00EB4A8B3863} - C:\PROGRAM FILES\EBAY\EBAY TOOLBAR\4.4.0.1\EBAYBAND.DLL
    O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\PROGRAM FILES\AIM TOOLBAR\AIMBAR.DLL
    O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_3_12_0.DLL
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [Hidserv] Hidserv.exe run
    O4 - HKLM\..\Run: [Keyboard Manager] C:\Program Files\Netropa\One-touch Multimedia Keyboard\MMKeybd.exe
    O4 - HKLM\..\Run: [HPScanPatch] C:\WINDOWS\SYSTEM\HPScanFix.exe
    O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
    O4 - HKLM\..\Run: [Delay] C:\WINDOWS\delayrun.exe
    O4 - HKLM\..\Run: [Adaptec DirectCD] C:\PROGRA~1\ADAPTEC\DIRECTCD\DIRECTCD.EXE
    O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\GRISOFT\AVG6\avgcc32.exe /STARTUP
    O4 - HKLM\..\Run: [KodakCCS] C:\WINDOWS\System32\Drivers\KodakCCS.exe
    O4 - HKLM\..\Run: [MMTray] C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe
    O4 - HKLM\..\Run: [CreativeMouse ] C:\Program Files\Creative\Mouse Optical\mouse_me.exe
    O4 - HKLM\..\Run: [wmiexe] C:\WINDOWS\SYSTEM\wmiexe32.exe
    O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe C:\PROGRA~1\WILDTA~1\APPS\CDA\CDAENG~1.DLL,cdaEngineMain
    O4 - HKLM\..\Run: [Winad Client] C:\PROGRAM FILES\WINAD CLIENT\WINAD.EXE
    O4 - HKLM\..\Run: [msbb] c:\temp\msbb.exe
    O4 - HKLM\..\Run: [zebmpqb] C:\WINDOWS\zebmpqb.exe
    O4 - HKLM\..\Run: [WebRebates0] "C:\PROGRAM FILES\WEB_REBATES\WebRebates0.exe"
    O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
    O4 - HKLM\..\Run: [BullsEye Network] C:\Program Files\BullsEye Network\bin\bargains.exe
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
    O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
    O4 - HKLM\..\RunServices: [Avgserv9.exe] C:\PROGRA~1\GRISOFT\AVG6\Avgserv9.exe
    O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [SAgent2ExePath] C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
    O4 - Startup: KODAK Software Updater.lnk = C:\Program Files\KODAK\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
    O4 - Startup: eBay Toolbar.LNK = C:\Program Files\eBay\eBay Toolbar\4.4.0.1\ebaytbar.exe
    O4 - Startup: WordWeb.lnk = C:\Program Files\WordWeb\wweb32.exe
    O4 - Startup: Kodak EasyShare software.lnk = C:\Program Files\KODAK\Kodak EasyShare software\bin\EasyShare.exe
    O4 - Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 4.0\Distillr\AcroTray.exe
    O4 - Startup: Eyetide Launcher.lnk = C:\Program Files\Eyetide Media\Eyetide Viewer\EyetideController.exe
    O4 - Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\SYSTEM\E_SRCV02.EXE
    O8 - Extra context menu item: &WordWeb... - res://C:\WINDOWS\wweb32.dll/lookup.html
    O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsearch.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmcache.html
    O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsimilar.html
    O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmbacklinks.html
    O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmtrans.html
    O8 - Extra context menu item: &AIM Search - res://C:\PROGRAM FILES\AIM TOOLBAR\AIMBAR.DLL/aimsearch.htm
    O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
    O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O8 - Extra context menu item: Web Rebates - file://C:\PROGRAM FILES\WEB_REBATES\Sy1150\Tp1150\scri1150a.htm
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM95\AIM.EXE
    O9 - Extra button: eBay Toolbar - {92D7F210-7F20-11d3-8157-0090278B20DE} - C:\PROGRAM FILES\EBAY\EBAY TOOLBAR\4.4.0.1\EBAYBAND.DLL
    O9 - Extra 'Tools' menuitem: eBay Toolbar - {92D7F210-7F20-11d3-8157-0090278B20DE} - C:\PROGRAM FILES\EBAY\EBAY TOOLBAR\4.4.0.1\EBAYBAND.DLL
    O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\COMPANION\MODULES\MESSMOD2\V4\YHEXBMES.DLL
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\COMPANION\MODULES\MESSMOD2\V4\YHEXBMES.DLL
    O9 - Extra button: Trashcan - {072F3B8A-2DA2-40e2-B841-88899F240200} - C:\PROGRAM FILES\AGNITUM\OUTPOST FIREWALL 1.0\TRASH.EXE (file missing) (HKCU)
    O9 - Extra 'Tools' menuitem: Show Trashcan - {072F3B8A-2DA2-40e2-B841-88899F240200} - C:\PROGRAM FILES\AGNITUM\OUTPOST FIREWALL 1.0\TRASH.EXE (file missing) (HKCU)
    O12 - Plugin for .mpeg: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin3.dll
    O14 - IERESET.INF: START_PAGE_URL=http://hp.my.yahoo.com
    O16 - DPF: Jungle Gin by pogo.com - http://gin.pogo.com/applet/gin/gin-ob-assets.cab
    O16 - DPF: Greenback Bayou by pogo.com - http://greenback.pogo.com/applet/greenback/greenback-ob-assets.cab
    O16 - DPF: Poppit! TM by pogo.com - http://poppit24.pogo.com/applet/poppit/poppit-ob-assets.cab
    O16 - DPF: Backgammon by pogo.com - http://backgammon02.pogo.com/applet/backgammon/backgammon-ob-assets.cab
    O16 - DPF: Tumble Bees by pogo.com - http://jumbee.pogo.com/applet/jumbee/jumbee-ob-assets.cab
    O16 - DPF: Pop Fu by pogo.com - http://popfu.pogo.com/applet/popfu/popfu-ob-assets.cab
    O16 - DPF: Triviatron II by pogo.com - http://triviatron2.pogo.com/applet/triviatron2/triviatron2-ob-assets.cab
    O16 - DPF: EZ Win Bingo by pogo.com - http://bingoe.pogo.com/applet/bingo/bingoe-ob-assets.cab
    O16 - DPF: Word Whomp by pogo.com - http://whomp.pogo.com/applet/wordwhomp/wordwhomp-ob-assets.cab
    O16 - DPF: Word Whomp Whackdown by pogo.com - http://whackdown.pogo.com/applet/whackdown/whackdown-ob-assets.cab
    O16 - DPF: Dominoes by pogo.com - http://domino01.pogo.com/applet/domino/domino-ob-assets.cab
    O16 - DPF: Keno by pogo.com - http://keno.pogo.com/applet/keno/keno-ob-assets.cab
    O16 - DPF: Dice Derby by pogo.com - http://checkeredflag.pogo.com/applet/checkeredflag/checkeredflag-ob-assets.cab
    O16 - DPF: Jackpot Bingo by pogo.com - http://bingoj02.pogo.com/applet/bingo/bingoj-ob-assets.cab
    O16 - DPF: Payday FreeCell by pogo.com - http://temp36.pogo.com/applet/freecell/freecell-ob-assets.cab
    O16 - DPF: Showbiz Slots 2 by pogo.com - http://showbiz2.pogo.com/applet/slots/showbiz2-ob-assets.cab
    O16 - DPF: Checkers by pogo.com - http://checkers.pogo.com/applet/checkers2/checkers-ob-assets.cab
    O16 - DPF: Yahoo! Gin - http://download.games.yahoo.com/games/clients/y/nt1_x.cab
    O16 - DPF: Hearts by pogo.com - http://hearts.pogo.com/applet/hearts/hearts-ob-assets.cab
    O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://host.cycore.net/Cult.cab
    O16 - DPF: Spades by pogo.com - http://temp36.pogo.com/applet/spades/spades-ob-assets.cab
    O16 - DPF: First Class Solitaire by pogo.com - http://solitaire44.pogo.com/applet/solitaire2/solitaire2-ob-assets.cab
    O16 - DPF: Video Poker by pogo.com - http://vpoker05.pogo.com/applet/videopoker2/videopoker-ob-assets.cab
    O16 - DPF: Cribbage by pogo.com - http://crib.pogo.com/applet/cribbage/cribbage-ob-assets.cab
    O16 - DPF: Yahoo! Hearts - http://download.games.yahoo.com/games/clients/y/ht1_x.cab
    O16 - DPF: {6F6DBC29-7A0C-4AC0-A42D-10EC70678526} (Word Cubes Control) - http://mirror.worldwinner.com/games/v41/wordcube/wordcube.cab
    O16 - DPF: {B06CE1BC-5D9D-4676-BD28-1752DBF394E0} (Hangman Control) - http://mirror.worldwinner.com/games/v40/hangman/hangman.cab
    O16 - DPF: {6BB594E2-6E4D-4CC9-98B0-931C323F9165} (DepHlp Control) - http://mirror.worldwinner.com/games/shared/dephlp.cab
    O16 - DPF: {7BC394DE-07B8-412B-9F98-52E7E7A4ABD4} (Pencil Wars Control) - http://mirror.worldwinner.com/games/v42/territory/territory.cab
    O16 - DPF: Squelchies by pogo.com - http://squelchies.pogo.com/applet/squelchies/squelchies-ob-assets.cab
    O16 - DPF: Jungle Gin by pogo - http://gin.pogo.com/applet-5.9.0.25/gin/gin-ob-assets.cab
    O16 - DPF: Hearts by pogo - http://hearts.pogo.com/applet-5.8.5.28/hearts/hearts-ob-assets.cab
    O16 - DPF: Big Shot Roulette TM by pogo - http://roulet.pogo.com/applet/roulette/roulette-ob-assets.cab
    O16 - DPF: Poppit TM by pogo - http://poppit.pogo.com/applet-5.8.3.26/poppit/poppit-ob-assets.cab
    O16 - DPF: Animal Ark by pogo - http://play48.pogo.com/applet/animal/animal-ob-assets.cab
    O16 - DPF: High Stakes Poker by pogo - http://temp29.pogo.com/applet/drawpoker/drawpoker-ob-assets.cab
    O16 - DPF: Tumble Bees by pogo - http://jumbee.pogo.com/applet-5.9.2.38/jumbee/jumbee-ob-assets.cab
    O16 - DPF: Pop Fu by pogo - http://popfu.pogo.com/applet-5.9.2.31/popfu/popfu-ob-assets.cab
    O16 - DPF: First Class Solitaire by pogo - http://solitaire.pogo.com/applet-5.9.2.31/solitaire2/solitaire2-ob-assets.cab
    O16 - DPF: Squelchies by pogo - http://squelchies.pogo.com/applet/squelchies/squelchies-ob-assets.cab
    O16 - DPF: Word Whomp Whackdown by pogo - http://whackdown2.pogo.com/applet/whackdown/whackdown-ob-assets.cab
    O16 - DPF: Sweet Tooth TM by pogo - http://sweettooth.pogo.com/applet-5.9.2.38/sweettooth/sweettooth-ob-assets.cab
    O16 - DPF: Tri-Peaks by pogo - http://peaks.pogo.com/applet-5.9.2.21/peaks/peaks-ob-assets.cab
    O16 - DPF: Turbo 21 TM by pogo - http://game6.pogo.com/applet-5.8.6.20/turbo21/turbo21-ob-assets.cab
    O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-32.cab
    O16 - DPF: Fortune Bingo by pogo - http://superbingo.pogo.com/applet-5.8.4.18/superbingo/superbingo-ob-assets.cab
    O16 - DPF: Ali Baba Slots TM by pogo - http://temp39.pogo.com/applet/slots/alibaba-ob-assets.cab
    O16 - DPF: Jokers Wild Poker by pogo - http://temp35.pogo.com/applet/videopoker2/jokerswild-ob-assets.cab
    O16 - DPF: Word Whomp by pogo - http://whomp.pogo.com/applet-5.8.2.19/wordwhomp/wordwhomp-ob-assets.cab
    O16 - DPF: SciFi Slots by pogo - http://temp92.pogo.com/applet/slots/scifi-ob-assets.cab
    O16 - DPF: Triviatron II by pogo - http://triviatron2.pogo.com/applet/triviatron2/triviatron2-ob-assets.cab
    O16 - DPF: Dice Derby by pogo - http://checkeredflag.pogo.com/applet/checkeredflag/checkeredflag-ob-assets.cab
    O16 - DPF: Payday FreeCell by pogo - http://freecell.pogo.com/applet-5.8.6.20/freecell/freecell-ob-assets.cab
    O16 - DPF: World Class Solitaire by pogo - http://klondike.pogo.com/applet-5.8.4.18/worldclass/worldclass-ob-assets.cab
    O16 - DPF: Pebble Beach Golf by pogo - http://pebble.pogo.com/applet/pebble/pebble-ob-assets.cab
    O16 - DPF: Buckaroo Blackjack TM by pogo - http://vbjack.pogo.com/applet-5.8.3.20/videoblackjack/videoblackjack-ob-assets.cab
    O16 - DPF: Mah Jong Garden by pogo - http://mahjong2.pogo.com/applet-5.8.6.20/mahjong/mahjong-ob-assets.cab
    O16 - DPF: Backgammon by pogo - http://gammon.pogo.com/applet-5.9.0.18/backgammon/backgammon-ob-assets.cab
    O16 - DPF: Pirate's Gold by pogo - http://solitaire32.pogo.com/applet-5.8.3.26/piratesgold/piratesgold-ob-assets.cab
    O16 - DPF: Texas Hold'em Poker by pogo - http://holdem03.pogo.com/applet/holdem/holdem-ob-assets.cab
    O16 - DPF: Double Deuce Poker by pogo - http://doublebonus.pogo.com/applet-5.9.2.21/videopoker2/doubledeuce-ob-assets.cab
    O16 - DPF: Showbiz Slots by pogo - http://showbiz.pogo.com/applet-5.8.1.28/slots/showbiz-ob-assets.cab
    O16 - DPF: High Stakes Pool by pogo - http://pool2.pogo.com/applet-5.8.6.20/pool2/pool-ob-assets.cab
    O16 - DPF: Phlinx by pogo - http://flinger.pogo.com/applet-5.9.1.28/flinger/flinger-ob-assets.cab
    O16 - DPF: Euchre by pogo - http://euchre.pogo.com/applet-5.8.3.26/euchre/euchre-ob-assets.cab
    O16 - DPF: Greenback Bayou by pogo - http://greenback.pogo.com/applet-5.8.4.18/greenback/greenback-ob-assets.cab
    O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai.net/7/19/7125/4021/ftp.coupons.com/v3123/cpbrkpie.cab
    O16 - DPF: Dominoes by pogo - http://domino.pogo.com/applet-5.8.5.21/domino/domino-ob-assets.cab
    O16 - DPF: Perfect Pair Solitaire by pogo - http://waterwheel.pogo.com/applet-5.9.0.25/waterwheel/waterwheel-ob-assets.cab
    O16 - DPF: Cribbage by pogo - http://crib.pogo.com/applet-5.8.6.20/cribbage/cribbage-ob-assets.cab
    O16 - DPF: {BE5431D2-0F30-11D4-89D9-00C04F509C0A} - http://www.stamps.com/download/us/cab/stamps/stamps.cab?r=0.926476744993806&file=stamps.cab
    O16 - DPF: Ricochet by pogo - http://game3.pogo.com/applet-5.9.0.18/ricochet/ricochet-ob-assets.cab
    O16 - DPF: {31932A5C-9234-4377-A920-72E7DD340DB4} (Snapfish File Upload ActiveX Control) - http://www.snapfish.com/SnapfishUpload.cab
    O16 - DPF: Keno by pogo - http://keno.pogo.com/applet-5.9.0.18/keno/keno-ob-assets.cab
    O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EPUWALControl_v1-0-3-9.cab
    O16 - DPF: {92CA8ACC-4E99-4A2A-93F1-B2C5CADC8613} (NMInstall Control) - http://a14.g.akamai.net/f/14/7141/1...r4_6/nminstall_en_4.62.33.0_MEGAPANEL_USA.cab
    O16 - DPF: Canasta by pogo - http://canasta.pogo.com/applet-5.9.3.29/canasta/canasta-ob-assets.cab
    O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/yautocomplete.cab
    O16 - DPF: {74FFE28D-2378-11D5-990C-006094235084} (IBM Access Support) - https://www.ibm.com/pc/support/access/sdccommon/download/IbmEgath.cab
    O16 - DPF: Yahoo! Word Racer - http://download.games.yahoo.com/games/clients/y/wt1_x.cab

    My virus scan program moved most of the viruses into Virus Vault - log follows:
    Results of Complete Test, date and time 9/3/2004 1:24:01 :

    Testing C:\ volume HP_PAVILION serial 3612-0BDA
    C:\WINDOWS\TEMP\me_YAEimQp Cannot open; not checked!
    C:\WINDOWS\TEMP\me_3yGGuUbD7OeoBFy Cannot open; not checked!
    C:\WINDOWS\TEMP\me_auPXy0GE70KD2BR Cannot open; not checked!
    C:\WINDOWS\TEMP\me_MmAzohGo30wGr9v Cannot open; not checked!
    C:\TEMP\INSTAL~4.EXE Trojan horse Dropper.Delf.3.L
    C:\TEMP\BDL74125.EXE repaired
    C:\_RESTORE\TEMP\A0185514.CPY Trojan horse Downloader.Dyfica.2.AA
    C:\_RESTORE\TEMP\A0185528.CPY Trojan horse Downloader.Dyfica.2.AA
    C:\_RESTORE\TEMP\A0185534.CPY Trojan horse Downloader.Dyfica.2.AA
    C:\Program Files\KODAK\KODAK Software Updater\7288971\USERS\DEFAULT\DATA\D0000000.FCS Cannot open; not checked!
    C:\Program Files\KODAK\KODAK Software Updater\7288971\USERS\DEFAULT\DATA\CHANDIR.DAT Cannot open; not checked!
    C:\Program Files\KODAK\KODAK Software Updater\7288971\USERS\DEFAULT\DATA\CHANDIR.IDX Cannot open; not checked!
    C:\Program Files\KODAK\KODAK Software Updater\7288971\USERS\DEFAULT\DATA\STORYDB.DAT Cannot open; not checked!
    C:\Program Files\KODAK\KODAK Software Updater\7288971\USERS\DEFAULT\DATA\STORYDB.IDX Cannot open; not checked!
    C:\Program Files\KODAK\KODAK Software Updater\7288971\USERS\DEFAULT\DATA\CHN.DAT Cannot open; not checked!
    C:\Program Files\KODAK\KODAK Software Updater\7288971\USERS\DEFAULT\DATA\CHN.IDX Cannot open; not checked!
    C:\Program Files\KODAK\KODAK Software Updater\7288971\USERS\DEFAULT\DATA\L0000148.FCS Cannot open; not checked!
    C:\Program Files\KODAK\KODAK Software Updater\7288971\USERS\DEFAULT\DATA\PRS_DIE.DAT Cannot open; not checked!
    C:\Program Files\KODAK\KODAK Software Updater\7288971\USERS\DEFAULT\DATA\PRS_DIE.IDX Cannot open; not checked!
    C:\Program Files\KODAK\KODAK Software Updater\7288971\USERS\DEFAULT\DATA\PRS_DND.DAT Cannot open; not checked!
    C:\Program Files\KODAK\KODAK Software Updater\7288971\USERS\DEFAULT\DATA\PRS_DND.IDX Cannot open; not checked!
    C:\Program Files\KODAK\KODAK Software Updater\7288971\USERS\DEFAULT\DATA\PRS_EXT.DAT Cannot open; not checked!
    C:\Program Files\KODAK\KODAK Software Updater\7288971\USERS\DEFAULT\DATA\PRS_EXT.IDX Cannot open; not checked!
    C:\Program Files\KODAK\KODAK Software Updater\7288971\USERS\DEFAULT\DATA\PRS_RCV.DAT Cannot open; not checked!
    C:\Program Files\KODAK\KODAK Software Updater\7288971\USERS\DEFAULT\DATA\PRS_RCV.IDX Cannot open; not checked!
    C:\Program Files\KODAK\KODAK Software Updater\7288971\USERS\DEFAULT\DATA\PRS.DAT Cannot open; not checked!
    C:\Program Files\KODAK\KODAK Software Updater\7288971\USERS\DEFAULT\DATA\PRS.IDX Cannot open; not checked!
    C:\Program Files\BACKWEB\BACKWEB\DATA\D0000000.FCS Cannot open; not checked!
    C:\Program Files\BACKWEB\BACKWEB\DATA\CHANDIR.IDX Cannot open; not checked!
    C:\Program Files\BACKWEB\BACKWEB\DATA\CHN.IDX Cannot open; not checked!
    C:\Program Files\BACKWEB\BACKWEB\DATA\L0000006.FCS Cannot open; not checked!
    C:\Program Files\BACKWEB\BACKWEB\DATA\PRS.IDX Cannot open; not checked!
    C:\Program Files\BACKWEB\BACKWEB\DATA\PRS_DIE.IDX Cannot open; not checked!
    C:\Program Files\BACKWEB\BACKWEB\DATA\PRS_DND.IDX Cannot open; not checked!
    C:\Program Files\BACKWEB\BACKWEB\DATA\PRS_EXT.IDX Cannot open; not checked!
    C:\Program Files\BACKWEB\BACKWEB\DATA\PRS_RCV.IDX Cannot open; not checked!
    C:\Program Files\BACKWEB\BACKWEB\DATA\STORYDB.DAT Cannot open; not checked!
    C:\Program Files\BACKWEB\BACKWEB\DATA\STORYDB.IDX Cannot open; not checked!
    C:\Program Files\BACKWEB\BACKWEB\DATA\CHANDIR.DAT Cannot open; not checked!
    C:\Program Files\BACKWEB\BACKWEB\DATA\CHN.DAT Cannot open; not checked!
    C:\Program Files\BACKWEB\BACKWEB\DATA\PRS_DIE.DAT Cannot open; not checked!
    C:\Program Files\BACKWEB\BACKWEB\DATA\PRS_DND.DAT Cannot open; not checked!
    C:\Program Files\BACKWEB\BACKWEB\DATA\PRS_EXT.DAT Cannot open; not checked!
    C:\Program Files\BACKWEB\BACKWEB\DATA\PRS_RCV.DAT Cannot open; not checked!
    C:\Program Files\BACKWEB\BACKWEB\DATA\PRS.DAT Cannot open; not checked!

    Test finished, duration 00:23:30.0 s
    67777 objects tested, 5 found infected

    Please help me get rid of these!

    On another note, are there any free programs out there that will stop this stuff from happening???

    Thank you!!!
    tlopez87
     
  2. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    56,253
    First Name:
    Derek
    first copy these files and zip them and send to [email protected] with a short note referring to this thread
    C:\WINDOWS\SYSTEM\wmiexe32.exe
    C:\WINDOWS\zebmpqb.exe


    Before you start, please unzip or move hijackthis to a separate folder. The program will make backups in the folder in the folder it's in.
    These easily get lost in a Temp folder or in the root of C: or get scattered all over the desktop and we need to empty the temp folders to remove the hijackers

    Run hijackthis, tick these entries listed below and ONLY these entries, double check to make sure, then make sure all browser & email windows are closed and press fix checked

    O2 - BHO: BHObj Class - {8F4E5661-F99E-4B3E-8D85-0EA71C0748E4} - C:\WINDOWS\WSEM301.DLL
    O2 - BHO: Url Catcher - {CE31A1F7-3D90-4874-8FBE-A5D97F8BC8F1} - C:\WINDOWS\SYSTEM\APUC.DLL
    O2 - BHO: ADP UrlCatcher Class - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - C:\WINDOWS\SYSTEM\MSBE.DLL
    O2 - BHO: NLS UrlCatcher Class - {AEECBFDA-12FA-4881-BDCE-8C3E1CE4B344} - C:\WINDOWS\SYSTEM\NVMS.DLL
    O2 - BHO: CB UrlCatcher Class - {CE188402-6EE7-4022-8868-AB25173A3E14} - C:\WINDOWS\SYSTEM\MSCB.DLL


    O4 - HKLM\..\Run: [wmiexe] C:\WINDOWS\SYSTEM\wmiexe32.exe

    O4 - HKLM\..\Run: [Winad Client] C:\PROGRAM FILES\WINAD CLIENT\WINAD.EXE
    O4 - HKLM\..\Run: [msbb] c:\temp\msbb.exe
    O4 - HKLM\..\Run: [zebmpqb] C:\WINDOWS\zebmpqb.exe
    O4 - HKLM\..\Run: [WebRebates0] "C:\PROGRAM FILES\WEB_REBATES\WebRebates0.exe"
    O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
    O4 - HKLM\..\Run: [BullsEye Network] C:\Program Files\BullsEye Network\bin\bargains.exe

    O4 - Startup: KODAK Software Updater.lnk = C:\Program Files\KODAK\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
    O8 - Extra context menu item: Web Rebates - file://C:\PROGRAM FILES\WEB_REBATES\Sy1150\Tp1150\scri1150a.htm

    O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai.net/7/19/7125/4...23/cpbrkpie.cab
    O16 - DPF: {92CA8ACC-4E99-4A2A-93F1-B2C5CADC8613} (NMInstall Control) - http://a14.g.akamai.net/f/14/7141/1...GAPANEL_USA.cab


    Reboot into safe mode by following instructions here: http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406
    then as some of the files or folders you need to delete may be hidden do this:
    Open Windows Explorer & Go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and untick "hide extensions for known file types" . Now click "Apply to all folders"
    Click "Apply" then "OK"

    Delete these files

    C:\WINDOWS\zebmpqb.exe
    C:\WINDOWS\SYSTEM\wmiexe32.exe

    and Delete these folders


    C:\PROGRAM FILES\WEB_REBATES
    C:\Program Files\BullsEye Network
    C:\Program Files\Internet Optimizer
    C:\PROGRAM FILES\WINAD CLIENT



    then and select EVERYTHING in C:\windows\temp except temporary internet files, cookies and history folders and delete all that as well

    and everything in C:\Temp and delete all that as well

    1) Open Control Panel
    2) Click on Internet Options
    3) On the General Tab, in the middle of the screen, click on Delete Files
    4) You may also want to check the box "Delete all offline content"
    5) Click on OK and wait for the hourglass icon to stop after it deletes the temporary internet files
    6) You can now click on Delete Cookies and click OK to delete cookies that websites have placed on your hard drive

    then
    Reboot normally &

    Download and unzip or install these programs/applications if you haven't already got them. If you have them, then make sure they are updated and configured as described

    Spybot - Search & Destroy from http://security.kolla.de
    AdAware SE from http://www.lavasoft.de/support/download


    Run Sybot S&D

    After installing, first press Online, press search for updates, then tick the updates it finds, then press download updates. Beside the download button is a little down pointed arrow, select one of the servers listed. If it doesn't work or you get an error message then try a different server

    Next, close all Internet Explorer and OE windows, press 'Check for Problems', and have SpyBot remove all it finds that is marked in RED.

    then reboot &

    Run ADAWARE

    Before you scan with AdAware, check for updates of the reference file by using the "webupdate".
    the current ref file should read at least SE1R6 30.08.2004 or a higher number/later date
    Then ........
    click the "Scan" button. and select full scan

    When scan is finished, mark everything for removal and get rid of it. (Right-click the window and choose"select all" from the drop down menu) then press next and then say yes to the prompt, do you want to remove all these entries. You can safely ignore any MRU entries though and not delete them

    reboot again

    then post a new hijackthis log to check what is left
     
  3. tlopez87

    tlopez87 Thread Starter

    Joined:
    Sep 2, 2004
    Messages:
    12
    I followed your directions exactly. This is the latest Hijack This log:

    Logfile of HijackThis v1.98.2
    Scan saved at 9:05:31 PM, on 9/3/2004
    Platform: Windows ME (Win9x 4.90.3000)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\SSDPSRV.EXE
    C:\PROGRAM FILES\GRISOFT\AVG6\AVGSERV9.EXE
    C:\WINDOWS\SYSTEM\STIMON.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\PROGRAM FILES\COMMON FILES\EPSON\EBAPI\SAGENT2.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS\SYSTEM\HIDSERV.EXE
    C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMKEYBD.EXE
    C:\WINDOWS\SYSTEM\HPSYSDRV.EXE
    C:\PROGRAM FILES\ADAPTEC\DIRECTCD\DIRECTCD.EXE
    C:\PROGRAM FILES\GRISOFT\AVG6\AVGCC32.EXE
    C:\WINDOWS\SYSTEM32\DRIVERS\KODAKCCS.EXE
    C:\PROGRAM FILES\MUSICMATCH\MUSICMATCH JUKEBOX\MM_TRAY.EXE
    C:\PROGRAM FILES\CREATIVE\MOUSE OPTICAL\MOUSE_ME.EXE
    C:\PROGRAM FILES\WORDWEB\WWEB32.EXE
    C:\PROGRAM FILES\KODAK\KODAK EASYSHARE SOFTWARE\BIN\EASYSHARE.EXE
    C:\PROGRAM FILES\ADOBE\ACROBAT 4.0\DISTILLR\ACROTRAY.EXE
    C:\PROGRAM FILES\EYETIDE MEDIA\EYETIDE VIEWER\EYETIDECONTROLLER.EXE
    C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\KEYBDMGR.EXE
    C:\PROGRAM FILES\NETROPA\ONSCREEN DISPLAY\OSD.EXE
    C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMUSBKB2.EXE
    C:\PROGRAM FILES\BACKWEB\BACKWEB\PROGRAM\BACKWEB.EXE
    C:\PROGRAM FILES\HJT\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://channels.aimtoday.com/search/aimtoolbar.jsp
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://hp.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.yahoo.com/ext/search/search.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://hp.yahoo.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://channels.aimtoday.com/search/aimtoolbar.jsp
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
    O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_3_12_0.DLL
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\PROGRAM FILES\AIM TOOLBAR\AIMBAR.DLL
    O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_3_12_0.DLL
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [Hidserv] Hidserv.exe run
    O4 - HKLM\..\Run: [Keyboard Manager] C:\Program Files\Netropa\One-touch Multimedia Keyboard\MMKeybd.exe
    O4 - HKLM\..\Run: [HPScanPatch] C:\WINDOWS\SYSTEM\HPScanFix.exe
    O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
    O4 - HKLM\..\Run: [Delay] C:\WINDOWS\delayrun.exe
    O4 - HKLM\..\Run: [Adaptec DirectCD] C:\PROGRA~1\ADAPTEC\DIRECTCD\DIRECTCD.EXE
    O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\GRISOFT\AVG6\avgcc32.exe /STARTUP
    O4 - HKLM\..\Run: [KodakCCS] C:\WINDOWS\System32\Drivers\KodakCCS.exe
    O4 - HKLM\..\Run: [MMTray] C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe
    O4 - HKLM\..\Run: [CreativeMouse ] C:\Program Files\Creative\Mouse Optical\mouse_me.exe
    O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe C:\PROGRA~1\WILDTA~1\APPS\CDA\CDAENG~1.DLL,cdaEngineMain
    O4 - HKLM\..\Run: [Winad Client] C:\PROGRAM FILES\WINAD CLIENT\WINAD.EXE
    O4 - HKLM\..\Run: [WebRebates0] "C:\PROGRAM FILES\WEB_REBATES\WebRebates0.exe"
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
    O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
    O4 - HKLM\..\RunServices: [Avgserv9.exe] C:\PROGRA~1\GRISOFT\AVG6\Avgserv9.exe
    O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [SAgent2ExePath] C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
    O4 - Startup: WordWeb.lnk = C:\Program Files\WordWeb\wweb32.exe
    O4 - Startup: Kodak EasyShare software.lnk = C:\Program Files\KODAK\Kodak EasyShare software\bin\EasyShare.exe
    O4 - Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 4.0\Distillr\AcroTray.exe
    O4 - Startup: Eyetide Launcher.lnk = C:\Program Files\Eyetide Media\Eyetide Viewer\EyetideController.exe
    O4 - Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\SYSTEM\E_SRCV02.EXE
    O8 - Extra context menu item: &WordWeb... - res://C:\WINDOWS\wweb32.dll/lookup.html
    O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsearch.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmcache.html
    O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsimilar.html
    O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmbacklinks.html
    O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmtrans.html
    O8 - Extra context menu item: &AIM Search - res://C:\PROGRAM FILES\AIM TOOLBAR\AIMBAR.DLL/aimsearch.htm
    O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
    O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM95\AIM.EXE
    O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\COMPANION\MODULES\MESSMOD2\V4\YHEXBMES.DLL
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\COMPANION\MODULES\MESSMOD2\V4\YHEXBMES.DLL
    O9 - Extra button: Trashcan - {072F3B8A-2DA2-40e2-B841-88899F240200} - C:\PROGRAM FILES\AGNITUM\OUTPOST FIREWALL 1.0\TRASH.EXE (file missing) (HKCU)
    O9 - Extra 'Tools' menuitem: Show Trashcan - {072F3B8A-2DA2-40e2-B841-88899F240200} - C:\PROGRAM FILES\AGNITUM\OUTPOST FIREWALL 1.0\TRASH.EXE (file missing) (HKCU)
    O12 - Plugin for .mpeg: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin3.dll
    O14 - IERESET.INF: START_PAGE_URL=http://hp.my.yahoo.com
    O16 - DPF: Jungle Gin by pogo.com - http://gin.pogo.com/applet/gin/gin-ob-assets.cab
    O16 - DPF: Greenback Bayou by pogo.com - http://greenback.pogo.com/applet/greenback/greenback-ob-assets.cab
    O16 - DPF: Poppit! TM by pogo.com - http://poppit24.pogo.com/applet/poppit/poppit-ob-assets.cab
    O16 - DPF: Backgammon by pogo.com - http://backgammon02.pogo.com/applet/backgammon/backgammon-ob-assets.cab
    O16 - DPF: Tumble Bees by pogo.com - http://jumbee.pogo.com/applet/jumbee/jumbee-ob-assets.cab
    O16 - DPF: Pop Fu by pogo.com - http://popfu.pogo.com/applet/popfu/popfu-ob-assets.cab
    O16 - DPF: Triviatron II by pogo.com - http://triviatron2.pogo.com/applet/triviatron2/triviatron2-ob-assets.cab
    O16 - DPF: EZ Win Bingo by pogo.com - http://bingoe.pogo.com/applet/bingo/bingoe-ob-assets.cab
    O16 - DPF: Word Whomp by pogo.com - http://whomp.pogo.com/applet/wordwhomp/wordwhomp-ob-assets.cab
    O16 - DPF: Word Whomp Whackdown by pogo.com - http://whackdown.pogo.com/applet/whackdown/whackdown-ob-assets.cab
    O16 - DPF: Dominoes by pogo.com - http://domino01.pogo.com/applet/domino/domino-ob-assets.cab
    O16 - DPF: Keno by pogo.com - http://keno.pogo.com/applet/keno/keno-ob-assets.cab
    O16 - DPF: Dice Derby by pogo.com - http://checkeredflag.pogo.com/applet/checkeredflag/checkeredflag-ob-assets.cab
    O16 - DPF: Jackpot Bingo by pogo.com - http://bingoj02.pogo.com/applet/bingo/bingoj-ob-assets.cab
    O16 - DPF: Payday FreeCell by pogo.com - http://temp36.pogo.com/applet/freecell/freecell-ob-assets.cab
    O16 - DPF: Showbiz Slots 2 by pogo.com - http://showbiz2.pogo.com/applet/slots/showbiz2-ob-assets.cab
    O16 - DPF: Checkers by pogo.com - http://checkers.pogo.com/applet/checkers2/checkers-ob-assets.cab
    O16 - DPF: Yahoo! Gin - http://download.games.yahoo.com/games/clients/y/nt1_x.cab
    O16 - DPF: Hearts by pogo.com - http://hearts.pogo.com/applet/hearts/hearts-ob-assets.cab
    O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://host.cycore.net/Cult.cab
    O16 - DPF: Spades by pogo.com - http://temp36.pogo.com/applet/spades/spades-ob-assets.cab
    O16 - DPF: First Class Solitaire by pogo.com - http://solitaire44.pogo.com/applet/solitaire2/solitaire2-ob-assets.cab
    O16 - DPF: Video Poker by pogo.com - http://vpoker05.pogo.com/applet/videopoker2/videopoker-ob-assets.cab
    O16 - DPF: Cribbage by pogo.com - http://crib.pogo.com/applet/cribbage/cribbage-ob-assets.cab
    O16 - DPF: Yahoo! Hearts - http://download.games.yahoo.com/games/clients/y/ht1_x.cab
    O16 - DPF: {6F6DBC29-7A0C-4AC0-A42D-10EC70678526} (Word Cubes Control) - http://mirror.worldwinner.com/games/v41/wordcube/wordcube.cab
    O16 - DPF: {B06CE1BC-5D9D-4676-BD28-1752DBF394E0} (Hangman Control) - http://mirror.worldwinner.com/games/v40/hangman/hangman.cab
    O16 - DPF: {6BB594E2-6E4D-4CC9-98B0-931C323F9165} (DepHlp Control) - http://mirror.worldwinner.com/games/shared/dephlp.cab
    O16 - DPF: {7BC394DE-07B8-412B-9F98-52E7E7A4ABD4} (Pencil Wars Control) - http://mirror.worldwinner.com/games/v42/territory/territory.cab
    O16 - DPF: Squelchies by pogo.com - http://squelchies.pogo.com/applet/squelchies/squelchies-ob-assets.cab
    O16 - DPF: Jungle Gin by pogo - http://gin.pogo.com/applet-5.9.0.25/gin/gin-ob-assets.cab
    O16 - DPF: Hearts by pogo - http://hearts.pogo.com/applet-5.8.5.28/hearts/hearts-ob-assets.cab
    O16 - DPF: Big Shot Roulette TM by pogo - http://roulet.pogo.com/applet/roulette/roulette-ob-assets.cab
    O16 - DPF: Poppit TM by pogo - http://poppit.pogo.com/applet-5.8.3.26/poppit/poppit-ob-assets.cab
    O16 - DPF: Animal Ark by pogo - http://play48.pogo.com/applet/animal/animal-ob-assets.cab
    O16 - DPF: High Stakes Poker by pogo - http://temp29.pogo.com/applet/drawpoker/drawpoker-ob-assets.cab
    O16 - DPF: Tumble Bees by pogo - http://jumbee.pogo.com/applet-5.9.2.38/jumbee/jumbee-ob-assets.cab
    O16 - DPF: Pop Fu by pogo - http://popfu.pogo.com/applet-5.9.2.31/popfu/popfu-ob-assets.cab
    O16 - DPF: First Class Solitaire by pogo - http://solitaire.pogo.com/applet-5.9.2.31/solitaire2/solitaire2-ob-assets.cab
    O16 - DPF: Squelchies by pogo - http://squelchies.pogo.com/applet/squelchies/squelchies-ob-assets.cab
    O16 - DPF: Word Whomp Whackdown by pogo - http://whackdown2.pogo.com/applet/whackdown/whackdown-ob-assets.cab
    O16 - DPF: Sweet Tooth TM by pogo - http://sweettooth.pogo.com/applet-5.9.2.38/sweettooth/sweettooth-ob-assets.cab
    O16 - DPF: Tri-Peaks by pogo - http://peaks.pogo.com/applet-5.9.2.21/peaks/peaks-ob-assets.cab
    O16 - DPF: Turbo 21 TM by pogo - http://game6.pogo.com/applet-5.8.6.20/turbo21/turbo21-ob-assets.cab
    O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-32.cab
    O16 - DPF: Fortune Bingo by pogo - http://superbingo.pogo.com/applet-5.8.4.18/superbingo/superbingo-ob-assets.cab
    O16 - DPF: Ali Baba Slots TM by pogo - http://temp39.pogo.com/applet/slots/alibaba-ob-assets.cab
    O16 - DPF: Jokers Wild Poker by pogo - http://temp35.pogo.com/applet/videopoker2/jokerswild-ob-assets.cab
    O16 - DPF: Word Whomp by pogo - http://whomp.pogo.com/applet-5.8.2.19/wordwhomp/wordwhomp-ob-assets.cab
    O16 - DPF: SciFi Slots by pogo - http://temp92.pogo.com/applet/slots/scifi-ob-assets.cab
    O16 - DPF: Triviatron II by pogo - http://triviatron2.pogo.com/applet/triviatron2/triviatron2-ob-assets.cab
    O16 - DPF: Dice Derby by pogo - http://checkeredflag.pogo.com/applet/checkeredflag/checkeredflag-ob-assets.cab
    O16 - DPF: Payday FreeCell by pogo - http://freecell.pogo.com/applet-5.8.6.20/freecell/freecell-ob-assets.cab
    O16 - DPF: World Class Solitaire by pogo - http://klondike.pogo.com/applet-5.8.4.18/worldclass/worldclass-ob-assets.cab
    O16 - DPF: Pebble Beach Golf by pogo - http://pebble.pogo.com/applet/pebble/pebble-ob-assets.cab
    O16 - DPF: Buckaroo Blackjack TM by pogo - http://vbjack.pogo.com/applet-5.8.3.20/videoblackjack/videoblackjack-ob-assets.cab
    O16 - DPF: Mah Jong Garden by pogo - http://mahjong2.pogo.com/applet-5.8.6.20/mahjong/mahjong-ob-assets.cab
    O16 - DPF: Backgammon by pogo - http://gammon.pogo.com/applet-5.9.0.18/backgammon/backgammon-ob-assets.cab
    O16 - DPF: Pirate's Gold by pogo - http://solitaire32.pogo.com/applet-5.8.3.26/piratesgold/piratesgold-ob-assets.cab
    O16 - DPF: Texas Hold'em Poker by pogo - http://holdem03.pogo.com/applet/holdem/holdem-ob-assets.cab
    O16 - DPF: Double Deuce Poker by pogo - http://doublebonus.pogo.com/applet-5.9.2.21/videopoker2/doubledeuce-ob-assets.cab
    O16 - DPF: Showbiz Slots by pogo - http://showbiz.pogo.com/applet-5.8.1.28/slots/showbiz-ob-assets.cab
    O16 - DPF: High Stakes Pool by pogo - http://pool2.pogo.com/applet-5.8.6.20/pool2/pool-ob-assets.cab
    O16 - DPF: Phlinx by pogo - http://flinger.pogo.com/applet-5.9.1.28/flinger/flinger-ob-assets.cab
    O16 - DPF: Euchre by pogo - http://euchre.pogo.com/applet-5.8.3.26/euchre/euchre-ob-assets.cab
    O16 - DPF: Greenback Bayou by pogo - http://greenback.pogo.com/applet-5.8.4.18/greenback/greenback-ob-assets.cab
    O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai.net/7/19/7125/4021/ftp.coupons.com/v3123/cpbrkpie.cab
    O16 - DPF: Dominoes by pogo - http://domino.pogo.com/applet-5.8.5.21/domino/domino-ob-assets.cab
    O16 - DPF: Perfect Pair Solitaire by pogo - http://waterwheel.pogo.com/applet-5.9.0.25/waterwheel/waterwheel-ob-assets.cab
    O16 - DPF: Cribbage by pogo - http://crib.pogo.com/applet-5.8.6.20/cribbage/cribbage-ob-assets.cab
    O16 - DPF: {BE5431D2-0F30-11D4-89D9-00C04F509C0A} - http://www.stamps.com/download/us/cab/stamps/stamps.cab?r=0.926476744993806&file=stamps.cab
    O16 - DPF: Ricochet by pogo - http://game3.pogo.com/applet-5.9.0.18/ricochet/ricochet-ob-assets.cab
    O16 - DPF: {31932A5C-9234-4377-A920-72E7DD340DB4} (Snapfish File Upload ActiveX Control) - http://www.snapfish.com/SnapfishUpload.cab
    O16 - DPF: Keno by pogo - http://keno.pogo.com/applet-5.9.0.18/keno/keno-ob-assets.cab
    O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EPUWALControl_v1-0-3-9.cab
    O16 - DPF: Canasta by pogo - http://canasta.pogo.com/applet-5.9.3.29/canasta/canasta-ob-assets.cab
    O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/yautocomplete.cab
    O16 - DPF: {74FFE28D-2378-11D5-990C-006094235084} (IBM Access Support) - https://www.ibm.com/pc/support/access/sdccommon/download/IbmEgath.cab
    O16 - DPF: Yahoo! Word Racer - http://download.games.yahoo.com/games/clients/y/wt1_x.cab
     
  4. tlopez87

    tlopez87 Thread Starter

    Joined:
    Sep 2, 2004
    Messages:
    12
    Did your directions take care of everything or do things still show on the HiJack Log?

    Please let me know if there is anything else I should do.

    Thanks!
     
  5. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    56,253
    First Name:
    Derek
    still a couple of left overs to fix

    and the files you sent me

    I can't see anything in C:\WINDOWS\SYSTEM\wmiexe32.exe so I have sent it off for further analysis. I am sure it's bad though

    and C:\WINDOWS\zebmpqb.exe is a N-case parasite so that will go top adaware etc to be included

    now to fix the left overs
    Run hijackthis, tick these entries listed below and ONLY these entries, double check to make sure, then make sure all browser & email windows are closed and press fix checked

    O4 - HKLM\..\Run: [Winad Client] C:\PROGRAM FILES\WINAD CLIENT\WINAD.EXE
    O4 - HKLM\..\Run: [WebRebates0] "C:\PROGRAM FILES\WEB_REBATES\WebRebates0.exe"
     
  6. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    56,253
    First Name:
    Derek
    I've just heard back from Kapersky

    C:\WINDOWS\SYSTEM\wmiexe32.exe is a new trojan with a completely unknown compression routine, they are developing a new uncompress routine to find out exactly what it does but it's a bad one
     
  7. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    56,253
    First Name:
    Derek
    Also fromwhat I've read on a german forum it has a backdoor capability, puts a text file in c:\windows\temp and then sends that file with all your passwords and Email adresses and in fact all log ons on your computer to an unknown IP address


    If you haven't already got one, then get a firewall and make sure nothing is allowed to phone home and change all your passwords
     
  8. Sponsor

As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 733,556 other people just like you!

Loading...
Thread Status:
Not open for further replies.

Short URL to this thread: https://techguy.org/269650

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice