Need Help
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\NETWORK ASSOCIATES\VIRUSSCAN\AVSYNMGR.EXE
C:\PROGRAM FILES\COMMON FILES\WINTOOLS\WTOOLSA.EXE
C:\PROGRAM FILES\TOOLBAR\TBPS.EXE
C:\PROGRAM FILES\TOOLBAR\PIB.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\PROGRAM FILES\COMMON FILES\WINTOOLS\WSUP.EXE
C:\PROGRAM FILES\NETWORK ASSOCIATES\VIRUSSCAN\VSSTAT.EXE
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\NETWORK ASSOCIATES\VIRUSSCAN\VSHWIN32.EXE
C:\PROGRAM FILES\NETWORK ASSOCIATES\VIRUSSCAN\AVCONSOL.EXE
C:\WINDOWS\RYYKRI.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\MONSTER SOUND II\FREECTRL.EXE
C:\PROGRAM FILES\SUPPORT.COM\BIN\TGCMD.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\VIEWPOINT\VIEWPOINT MANAGER\VIEWMGR.EXE
C:\WINDOWS\SYSTEM\WSXSVC\WSXSVC.EXE
C:\WINDOWS\SYSTEM\VMSS\VMSS.EXE
C:\PROGRAM FILES\SED\SED.EXE
C:\PROGRAM FILES\WEB OFFER\WO.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\DIGITAL IMAGING\BIN\HPOTDD01.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\DIGITAL IMAGING\BIN\HPOHMR08.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\DIGITAL IMAGING\BIN\HPOEVM08.EXE
C:\PROGRAM FILES\AIM\AIM.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\TOOLBAR\TBPS.EXE
C:\PROGRAM FILES\CISCO\CLEAN ACCESS\CCAAGENT.EXE
C:\UNZIPPED\HIJACKTHIS\HIJACKTHIS.EXE
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.websearch.com/ie.aspx?tb_id=50162
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50162
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50162
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WINTOOLS\WTOOLSB.DLL
O2 - BHO: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - (no file)
O3 - Toolbar: &Search Toolbar - {339BB23F-A864-48C0-A59F-29EA915965EC} - C:\PROGRA~1\TOOLBAR\TOOLBAR.DLL
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [TBPS] C:\PROGRA~1\TOOLBAR\TBPS.exe
O4 - HKLM\..\Run: [WinTools] C:\PROGRA~1\COMMON~1\WINTOOLS\WTOOLSA.EXE
O4 - HKLM\..\RunServices: [WinTools] C:\PROGRA~1\COMMON~1\WINTOOLS\WTOOLSA.EXE
O4 - HKLM\..\RunServicesOnce: [WinTools] C:\PROGRA~1\COMMON~1\WINTOOLS\WTOOLSA.EXE /boot
O4 - HKLM\..\RunServicesOnce: [TBPS] C:\PROGRA~1\TOOLBAR\TBPS.exe /boot
O4 - Startup: hpoddt01.exe.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - Startup: hp instant support.lnk = C:\Program Files\Hewlett-Packard\hpis\bin\matcli.exe
O4 - Startup: hp psc 1000 series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Startup: Clean Access Agent.lnk = C:\Program Files\Cisco\Clean Access\CCAAgent.exe
O10 - Unknown file in Winsock LSP: c:\windows\system\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\aklsp.dll
Download LSPFix from http://www.cexx.org/lspfix.zip and run it.
Check the I know what I'm doing box.
In the Keep box you should see one or more instances of the following files.
aklsp.dll
Select every instance of this file, but no others, and move each one to the Remove box by clicking the >> button.
When you are done click Finish>>.
Now let's see if we can get rid of Wintools for you.
Wintools may have an entry in the Add/Remove Programs Control Panel. If so, it may be easy to get rid of. If not, there are still ways to remove it from your system.
For either solution:
Reboot into Safe Mode.
Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode. To get back to normal mode just restart the computer as you normally would.
Once in Safe Mode:
Right-click on the Windows Taskbar and select Task Manager.
In the Processes tab, look for WToolsA.exe, WToolsS.exe and WSup.exe. If any or all of these exist, right-click on each one and select End Process Tree, and answer affirmatively to any confirmation questions.
At this point, you can check the Add/Remove Programs Control Panel. If there is an uninstaller for Wintools, try running it now. I would still recommend proceeding through the rest of this fix even if there is an uninstaller, however.
Now, please open a command prompt (Start button -> Run, type cmd and click "OK"). At the prompt, type
regsvr32 /u /s "C:\Program Files\Toolbar\toolbar.dll" then <ENTER>.
Then type exit to close the command prompt window.
Now, we can proceed to delete these directories, located at:
C:\Program Files\Common Files\WinTools <-- Delete the BOLD directory.
C:\Program Files\Toolbar <-- Delete the BOLD directory.
Reboot your computer and post a new hijackthis log. Try to be sure to post the entire log so we can see everything we need to.
Scan saved at 10:46:57 PM, on 2/3/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\PROGRAM FILES\TOOLBAR\TBPS.EXE
C:\PROGRAM FILES\TOOLBAR\PIB.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\TASKMON.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\DIGITAL IMAGING\BIN\HPOTDD01.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\DIGITAL IMAGING\BIN\HPOHMR08.EXE
C:\PROGRAM FILES\CISCO\CLEAN ACCESS\CCAAGENT.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\DIGITAL IMAGING\BIN\HPOEVM08.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\UNZIPPED\HIJACKTHIS\HIJACKTHIS.EXE
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O2 - BHO: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - (no file)
O3 - Toolbar: &Search Toolbar - {339BB23F-A864-48C0-A59F-29EA915965EC} - C:\PROGRA~1\TOOLBAR\TOOLBAR.DLL
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [TBPS] C:\PROGRA~1\TOOLBAR\TBPS.exe
O4 - HKLM\..\RunServicesOnce: [TBPS] C:\PROGRA~1\TOOLBAR\TBPS.exe /boot
O4 - Startup: hpoddt01.exe.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - Startup: hp instant support.lnk = C:\Program Files\Hewlett-Packard\hpis\bin\matcli.exe
O4 - Startup: hp psc 1000 series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Startup: Clean Access Agent.lnk = C:\Program Files\Cisco\Clean Access\CCAAgent.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM\AIM.EXE
That's all that was in the file.
Download Ad-aware SE from: http://www.majorgeeks.com/download506.html
Install the program and launch it.
First, in the main window, look in the bottom right corner and click on Check for updates now and download the latest reference files. Then exit Adaware for now.
Show hidden files
http://www.short-media.com/forum/showpost.php?p=172588&postcount=3
Place a checkmark next to these entries, close all browsers and windows, and have HijackThis fix them by clicking Fix Checked:
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - (no file)
O4 - HKLM\..\Run: [TBPS] C:\PROGRA~1\TOOLBAR\TBPS.exe
O4 - HKLM\..\RunServicesOnce: [TBPS] C:\PROGRA~1\TOOLBAR\TBPS.exe /boot
Reboot your computer into Safe Mode
Then delete this directory:
C:\PROGRAM FILES\TOOLBAR
Run a full scan with Adaware while in Safe Mode.
Reboot back to normal mode.
Download L2mfix from one of these two locations:
http://www.atribune.org/downloads/l2mfix.exe
http://www.downloads.subratam.org/l2mfix.exe
Save the file to your desktop and double click l2mfix.exe. Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix folder on your desktop. Double click l2mfix.bat and select option #1 for Run Find Log by typing 1 and then pressing enter. This will scan your computer and it may appear nothing is happening, then, after a minute or 2, notepad will open with a log. Copy the contents of that log and paste it into this thread.
IMPORTANT: Do NOT run option #2 OR any other files in the l2mfix folder until you are asked to do so!
When I try to open it, it says "Not compatible with 9x or windows nt" (I'm running ME on this computer).
By the way, thank you for all your help.
Download the following file:
http://castlecops.com/zx/Zupe/FindIt9xME.zip
and unzip the contents to a folder. When it has unzipped, open that folder and double click on Find.bat. It will run for a while, so be patient, and then produce a log (ignore any File not found messages on the screen, it should continue anyway).
Please copy and paste that log here.
From the moment you post your list, until you see a detailed fix written up, DO NOT reboot your system or log off. If you do, the files will have changed and the fix provided will not work.
Do not remove anything unless you are sure you know what you're doing.
System Files in System Directory
Volume in drive C is LOCAL DISK
Volume Serial Number is 1F24-0E0E
Directory of C:\WINDOWS\SYSTEM
TBPS INI 660 02-04-05 9:14a TBPS.ini
WSDMLOG DLL 222,568 01-27-05 2:31a WSDMLOG.DLL
MK3216 DLL 222,568 01-27-05 2:31a MK3216.DLL
DVIP32 DLL 222,568 01-27-05 2:31a DVIP32.DLL
QWDWIPES DLL 222,568 01-27-05 2:31a QWDWIPES.DLL
LP32 DLL 222,568 01-27-05 2:31a LP32.DLL
QSDWIPES DLL 222,568 01-27-05 2:31a QSDWIPES.DLL
MTSWCH DLL 222,568 01-27-05 2:31a MTSWCH.DLL
HKTPLUG DLL 222,568 01-27-05 2:31a HKTPLUG.DLL
RZPILIB DLL 222,568 01-27-05 2:31a RZPILIB.DLL
JKPL400 DLL 222,568 01-27-05 2:31a JKPL400.DLL
UEBUI DLL 222,568 01-27-05 2:31a UEBUI.DLL
DNIP32 DLL 222,568 01-27-05 2:31a DNIP32.DLL
OHBCBCP DLL 222,568 01-27-05 2:31a OHBCBCP.DLL
UAER32 DLL 222,568 01-27-05 2:31a UAER32.DLL
NCTAPI32 DLL 222,568 01-27-05 2:31a NCTAPI32.DLL
MOVCRT20 DLL 222,568 01-27-05 2:31a MOVCRT20.DLL
WWNINET DLL 222,568 01-27-05 2:31a WWNINET.DLL
WCSPDMOE DLL 222,568 01-27-05 2:31a wcspdmoe.dll
MLISIP DLL 222,568 01-27-05 2:31a mlisip.dll
WOP DLL 222,568 01-27-05 2:31a wop.dll
HRZTBI07 DLL 222,568 01-27-05 2:31a hrztbi07.dll
22 file(s) 4,674,588 bytes
0 dir(s) 5,291.58 MB free
Hidden Files in System Directory
Volume in drive C is LOCAL DISK
Volume Serial Number is 1F24-0E0E
Directory of C:\WINDOWS\SYSTEM
VMSS <DIR> 01-27-05 8:57a vmss
WSXSVC <DIR> 01-27-05 8:57a wsxsvc
FOLDER HTT 23,155 05-09-04 7:40a folder.htt
DESKTOP INI 271 05-09-04 7:40a desktop.ini
2 file(s) 23,426 bytes
2 dir(s) 5,291.57 MB free
User Agent
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{D9C5192E-9BD8-485B-9E78-50D068033BB7}"=""
Locate.com Results
C:\WINDOWS\SYSTEM\
wsdmlog.dll Thu Jan 27 2005 2:31:16a ..S.R 222,568 217.35 K
mk3216.dll Thu Jan 27 2005 2:31:16a ..S.R 222,568 217.35 K
dvip32.dll Thu Jan 27 2005 2:31:16a ..S.R 222,568 217.35 K
qwdwipes.dll Thu Jan 27 2005 2:31:16a ..S.R 222,568 217.35 K
lp32.dll Thu Jan 27 2005 2:31:16a ..S.R 222,568 217.35 K
qsdwipes.dll Thu Jan 27 2005 2:31:16a ..S.R 222,568 217.35 K
mtswch.dll Thu Jan 27 2005 2:31:16a ..S.R 222,568 217.35 K
hktplug.dll Thu Jan 27 2005 2:31:16a ..S.R 222,568 217.35 K
rzpilib.dll Thu Jan 27 2005 2:31:16a ..S.R 222,568 217.35 K
jkpl400.dll Thu Jan 27 2005 2:31:16a ..S.R 222,568 217.35 K
uebui.dll Thu Jan 27 2005 2:31:16a ..S.R 222,568 217.35 K
dnip32.dll Thu Jan 27 2005 2:31:16a ..S.R 222,568 217.35 K
ohbcbcp.dll Thu Jan 27 2005 2:31:16a ..S.R 222,568 217.35 K
uaer32.dll Thu Jan 27 2005 2:31:16a ..S.R 222,568 217.35 K
nctapi32.dll Thu Jan 27 2005 2:31:16a ..S.R 222,568 217.35 K
movcrt20.dll Thu Jan 27 2005 2:31:16a ..S.R 222,568 217.35 K
wwninet.dll Thu Jan 27 2005 2:31:16a ..S.R 222,568 217.35 K
tbps.ini Fri Feb 4 2005 9:14:36a ..S.R 660 0.64 K
wcspdmoe.dll Thu Jan 27 2005 2:31:16a ..S.R 222,568 217.35 K
mlisip.dll Thu Jan 27 2005 2:31:16a ..S.R 222,568 217.35 K
wop.dll Thu Jan 27 2005 2:31:16a ..S.R 222,568 217.35 K
hrztbi07.dll Thu Jan 27 2005 2:31:16a ..S.R 222,568 217.35 K
22 items found: 22 files, 0 directories.
Total of file sizes: 4,674,588 bytes 4.46 M
Strings.exe Qoologic Results
C:\WINDOWS\eaagen.dll: excl_urls=adsv2.delfinproject.com,popup.msn.com,i.emarketresearchgroup.com,u.clkoptimizer.com,ezula.com,ads2.revenue.net,banners.pennyweb.com,counters.honesty.com,ads.bidclix.com,oz.valueclick.com,radio.launch.yahoo.com,zone.msn.com,sr.adwave.com,xlime.offeroptimizer.com,clickit.go2net.com,us.update.companion.yahoo.com,kill-pop-ups.com,qksrv.net,clickspring.net,cdn-aimtoday.aol.com,search200.com,servedby.adscpm.com,xanga.com,count.exitexchange.com,jnictech.cjt1.net,xadsq.offeroptimizer.com,paypopup.com,popuptraffic.com,cdn-cf.aol.com,allaboutsearching.com,hotmail.msn.com,adfarm.mediaplex.com,by.optimost.com,amch.questionmarket.com,akapp.whenu.com,newupdates.lzio.com,cfg.mywebsearch.com,searcheffect.com,ads.delfinproject.com,master.mx-targeting.com,hotmail.com,ctl.twain-tech.com,mail.yahoo.com,m2.doubleclick.net,insider.msg.yahoo.com,focusin.ads.targetnet.com,e.rn11.com,jmnad1.com,topicks.com,ad.doubleclick.net,m3.doubleclick.net,as.casalemedia.com,pgq.yahoo.com,webpdp.gator.com,stopzilla.com,ayb.lop.com,xadso.offeroptimizer.com,download.smileycentral.com,mm.delfinproject.com,view.atdmt.com,delfinproject.com,jbns2.cydoor.com,bannerfarm.ace.advertising.com,as.adwave.com,popuppers.com,look2me.com,wisapidata.weatherbug.com,ads.addynamix.com,ar.atwola.com,ad.trafficmp.com,updates.qoologic.com,ads1.revenue.net,weatherbug.com,jicmedia.cjt1.net,games.yahoo.com,adsrv.qoologic.com,servedby.advertising.com,ww2.weatherbug.com,rightmedia.net,bannerserver.gator.com,www4.yesadvertising.com,mmm.media-motor.net,hop.clickbank.net,media76.fastclick.net,websearch.com,isapi60.weatherbug.com,web.tickle.com,messenger.zango.com,wwp.icq.com,smileycentral.com,adserv1.gruvmedia.com,cdn.icq.com,s.clkoptimizer.com,tv.180solutions.com,pops.browseraid.com,download.abetterinternet.com,adserv.internetfuel.com,messenger.msn.com,sr.websearch.com,top-banners.com,advert.runescape.com,join1.winhundred.com,odysseusmarketing.com,v4.windowsupdate.microsoft.com,adverts.lzio.com,window
supdate.microsoft.com,filter.belkin.com,comcast.net,sc.musicmatch.com,license.hotbar.com,trk.pcsecurityshield.com,web.icq.com,whenusearch.com,jbigpops.cjt1.net,isg05.casalemedia.com,yahoo.com,aol.com,anrdoezrs.net,microsoft.com,target.com,aim-charts.pf.aol.com,download.websearch.com,actualdeals.com,images.trafficmp.com,mydailyhoroscope.net,couponage.com,c5.zedo.com,ekmas.com,ads.mydailyhoroscope.net,creativeby.viewpoint.com,affiliates.4lowrates.com,hits.clickandtrack.net,jcontent.bns1.net,clickserve.cc-dt.com,popups.ad-logics.com,adlog2.lzio.com,host239.ipowerweb.com,bv.channel.aol.com,img2.mailpostdirect.com,dw.dailywinner.net,toprebates.com,trk.bestmagsdirect.com,ads.clickagents.com,a.websponsors.com,sandboxer.com,media.fastclick.net,click2.containsitall.com,ads234.com,http300.edge.ru4.com,adlog.com.com,rs.websearch.com,ads.com.com,server.iad.liveperson.net,
C:\WINDOWS\bzzabo.dll: updates.qoologic.com
C:\WINDOWS\wppqwz.exe: updates.qoologic.com
C:\WINDOWS\oggpoy.dll: updates.qoologic.com
Strings.exe Aspack Results
C:\WINDOWS\bqqvba.dat: .aspack
C:\WINDOWS\ryykri.exe: .aspack
C:\WINDOWS\Start Menu\Programs\StartUp\tyyntu.exe: .aspack
HKLM Run Key
Strings.exe Umonitor Results
C:\WINDOWS\SYSTEM\WSDMLOG.DLL: UMonitor
C:\WINDOWS\SYSTEM\IJGUTIL.DLL: UMonitor
C:\WINDOWS\SYSTEM\MK3216.DLL: UMonitor
C:\WINDOWS\SYSTEM\DVIP32.DLL: UMonitor
C:\WINDOWS\SYSTEM\QWDWIPES.DLL: UMonitor
C:\WINDOWS\SYSTEM\LP32.DLL: UMonitor
C:\WINDOWS\SYSTEM\QSDWIPES.DLL: UMonitor
C:\WINDOWS\SYSTEM\MTSWCH.DLL: UMonitor
C:\WINDOWS\SYSTEM\HKTPLUG.DLL: UMonitor
C:\WINDOWS\SYSTEM\RZPILIB.DLL: UMonitor
C:\WINDOWS\SYSTEM\JKPL400.DLL: UMonitor
C:\WINDOWS\SYSTEM\UEBUI.DLL: UMonitor
C:\WINDOWS\SYSTEM\DNIP32.DLL: UMonitor
C:\WINDOWS\SYSTEM\OHBCBCP.DLL: UMonitor
C:\WINDOWS\SYSTEM\UAER32.DLL: UMonitor
C:\WINDOWS\SYSTEM\NCTAPI32.DLL: UMonitor
C:\WINDOWS\SYSTEM\MOVCRT20.DLL: UMonitor
C:\WINDOWS\SYSTEM\WWNINET.DLL: UMonitor
C:\WINDOWS\SYSTEM\wcspdmoe.dll: UMonitor
C:\WINDOWS\SYSTEM\mlisip.dll: UMonitor
C:\WINDOWS\SYSTEM\wop.dll: UMonitor
C:\WINDOWS\SYSTEM\hrztbi07.dll: UMonitor
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TBPS"="C:\\PROGRA~1\\TOOLBAR\\TBPS.exe"
"Narrator"="C:\\WINDOWS\\ryykri.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"
Step 1:
Download the Killbox.
Unzip the contents of KillBox.zip to a convenient location and then double-click on KillBox.exe to launch the program.
C:\WINDOWS\SYSTEM\WSDMLOG.DLL
Repeat steps 1 through 5 above for each of the following files. The only difference is that you will be substituting the file listed in step 2 with each of the files below.
C:\WINDOWS\SYSTEM\mk3216.dll
C:\WINDOWS\SYSTEM\dvip32.dll
C:\WINDOWS\SYSTEM\qwdwipes.dll
C:\WINDOWS\SYSTEM\lp32.dll
C:\WINDOWS\SYSTEM\qsdwipes.dll
C:\WINDOWS\SYSTEM\mtswch.dll
C:\WINDOWS\SYSTEM\hktplug.dll
C:\WINDOWS\SYSTEM\rzpilib.dll
C:\WINDOWS\SYSTEM\jkpl400.dll
C:\WINDOWS\SYSTEM\uebui.dll
C:\WINDOWS\SYSTEM\dnip32.dll
C:\WINDOWS\SYSTEM\ohbcbcp.dll
C:\WINDOWS\SYSTEM\uaer32.dll
C:\WINDOWS\SYSTEM\nctapi32.dll
C:\WINDOWS\SYSTEM\movcrt20.dll
C:\WINDOWS\SYSTEM\wwninet.dll
C:\WINDOWS\SYSTEM\tbps.ini
C:\WINDOWS\SYSTEM\wcspdmoe.dll
C:\WINDOWS\SYSTEM\mlisip.dll
C:\WINDOWS\SYSTEM\wop.dll
C:\WINDOWS\SYSTEM\hrztbi07.dll
C:\PROGRAM FILES\TOOLBAR\TBPS.EXE
C:\PROGRAM FILES\TOOLBAR\PIB.EXE
C:\WINDOWS\eaagen.dll
C:\WINDOWS\bqqvba.dat
C:\WINDOWS\ryykri.exe
C:\WINDOWS\Start Menu\Programs\StartUp\tyyntu.exe
C:\WINDOWS\System32\Guard.tmp
After you add the last file, Guard.tmp, and it prompts to reboot, you should press the Yes button to allow it to do so.
Do not reboot more than once as the Guard.tmp will probably recreate on reboot but will be an easy kill this time.
Step 2:
Please run Findit again and post the resulting log. Remember, it may take quite a bit of time before the log appears, so be patient.
Do not remove anything unless you are sure you know what you're doing.
System Files in System Directory
Volume in drive C is LOCAL DISK
Volume Serial Number is 1F24-0E0E
Directory of C:\WINDOWS\SYSTEM
WSDMLOG DLL 222,568 01-27-05 2:31a WSDMLOG.DLL
LP32 DLL 222,568 01-27-05 2:31a LP32.DLL
2 file(s) 445,136 bytes
0 dir(s) 5,347.88 MB free
Hidden Files in System Directory
Volume in drive C is LOCAL DISK
Volume Serial Number is 1F24-0E0E
Directory of C:\WINDOWS\SYSTEM
VMSS <DIR> 01-27-05 8:57a vmss
WSXSVC <DIR> 01-27-05 8:57a wsxsvc
FOLDER HTT 23,155 05-09-04 7:40a folder.htt
DESKTOP INI 271 05-09-04 7:40a desktop.ini
2 file(s) 23,426 bytes
2 dir(s) 5,347.88 MB free
User Agent
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{D9C5192E-9BD8-485B-9E78-50D068033BB7}"=""
Locate.com Results
C:\WINDOWS\SYSTEM\
wsdmlog.dll Thu Jan 27 2005 2:31:16a ..S.R 222,568 217.35 K
lp32.dll Thu Jan 27 2005 2:31:16a ..S.R 222,568 217.35 K
2 items found: 2 files, 0 directories.
Total of file sizes: 445,136 bytes 434.70 K
Strings.exe Qoologic Results
C:\WINDOWS\eaagen.dll: excl_urls=adsv2.delfinproject.com,popup.msn.com,i.emarketresearchgroup.com,u.clkoptimizer.com,ezula.com,ads2.revenue.net,banners.pennyweb.com,counters.honesty.com,ads.bidclix.com,oz.valueclick.com,radio.launch.yahoo.com,zone.msn.com,sr.adwave.com,xlime.offeroptimizer.com,clickit.go2net.com,us.update.companion.yahoo.com,kill-pop-ups.com,qksrv.net,clickspring.net,cdn-aimtoday.aol.com,search200.com,servedby.adscpm.com,xanga.com,count.exitexchange.com,jnictech.cjt1.net,xadsq.offeroptimizer.com,paypopup.com,popuptraffic.com,cdn-cf.aol.com,allaboutsearching.com,hotmail.msn.com,adfarm.mediaplex.com,by.optimost.com,amch.questionmarket.com,akapp.whenu.com,newupdates.lzio.com,cfg.mywebsearch.com,searcheffect.com,ads.delfinproject.com,master.mx-targeting.com,hotmail.com,ctl.twain-tech.com,mail.yahoo.com,m2.doubleclick.net,insider.msg.yahoo.com,focusin.ads.targetnet.com,e.rn11.com,jmnad1.com,topicks.com,ad.doubleclick.net,m3.doubleclick.net,as.casalemedia.com,pgq.yahoo.com,webpdp.gator.com,stopzilla.com,ayb.lop.com,xadso.offeroptimizer.com,download.smileycentral.com,mm.delfinproject.com,view.atdmt.com,delfinproject.com,jbns2.cydoor.com,bannerfarm.ace.advertising.com,as.adwave.com,popuppers.com,look2me.com,wisapidata.weatherbug.com,ads.addynamix.com,ar.atwola.com,ad.trafficmp.com,updates.qoologic.com,ads1.revenue.net,weatherbug.com,jicmedia.cjt1.net,games.yahoo.com,adsrv.qoologic.com,servedby.advertising.com,ww2.weatherbug.com,rightmedia.net,bannerserver.gator.com,www4.yesadvertising.com,mmm.media-motor.net,hop.clickbank.net,media76.fastclick.net,websearch.com,isapi60.weatherbug.com,web.tickle.com,messenger.zango.com,wwp.icq.com,smileycentral.com,adserv1.gruvmedia.com,cdn.icq.com,s.clkoptimizer.com,tv.180solutions.com,pops.browseraid.com,download.abetterinternet.com,adserv.internetfuel.com,messenger.msn.com,sr.websearch.com,top-banners.com,advert.runescape.com,join1.winhundred.com,odysseusmarketing.com,v4.windowsupdate.microsoft.com,adverts.lzio.com,window
supdate.microsoft.com,filter.belkin.com,comcast.net,sc.musicmatch.com,license.hotbar.com,trk.pcsecurityshield.com,web.icq.com,whenusearch.com,jbigpops.cjt1.net,isg05.casalemedia.com,yahoo.com,aol.com,anrdoezrs.net,microsoft.com,target.com,aim-charts.pf.aol.com,download.websearch.com,actualdeals.com,images.trafficmp.com,mydailyhoroscope.net,couponage.com,c5.zedo.com,ekmas.com,ads.mydailyhoroscope.net,creativeby.viewpoint.com,affiliates.4lowrates.com,hits.clickandtrack.net,jcontent.bns1.net,clickserve.cc-dt.com,popups.ad-logics.com,adlog2.lzio.com,host239.ipowerweb.com,bv.channel.aol.com,img2.mailpostdirect.com,dw.dailywinner.net,toprebates.com,trk.bestmagsdirect.com,ads.clickagents.com,a.websponsors.com,sandboxer.com,media.fastclick.net,click2.containsitall.com,ads234.com,http300.edge.ru4.com,adlog.com.com,rs.websearch.com,ads.com.com,server.iad.liveperson.net,
C:\WINDOWS\bzzabo.dll: updates.qoologic.com
C:\WINDOWS\wppqwz.exe: updates.qoologic.com
C:\WINDOWS\oggpoy.dll: updates.qoologic.com
Strings.exe Aspack Results
C:\WINDOWS\bqqvba.dat: .aspack
C:\WINDOWS\ryykri.exe: .aspack
C:\WINDOWS\Start Menu\Programs\StartUp\tyyntu.exe: .aspack
HKLM Run Key
Strings.exe Umonitor Results
C:\WINDOWS\SYSTEM\WSDMLOG.DLL: UMonitor
C:\WINDOWS\SYSTEM\IJGUTIL.DLL: UMonitor
C:\WINDOWS\SYSTEM\MK3216.DLL: UMonitor
C:\WINDOWS\SYSTEM\DVIP32.DLL: UMonitor
C:\WINDOWS\SYSTEM\QWDWIPES.DLL: UMonitor
C:\WINDOWS\SYSTEM\LP32.DLL: UMonitor
C:\WINDOWS\SYSTEM\QSDWIPES.DLL: UMonitor
C:\WINDOWS\SYSTEM\MTSWCH.DLL: UMonitor
C:\WINDOWS\SYSTEM\HKTPLUG.DLL: UMonitor
C:\WINDOWS\SYSTEM\RZPILIB.DLL: UMonitor
C:\WINDOWS\SYSTEM\JKPL400.DLL: UMonitor
C:\WINDOWS\SYSTEM\UEBUI.DLL: UMonitor
C:\WINDOWS\SYSTEM\DNIP32.DLL: UMonitor
C:\WINDOWS\SYSTEM\OHBCBCP.DLL: UMonitor
C:\WINDOWS\SYSTEM\UAER32.DLL: UMonitor
C:\WINDOWS\SYSTEM\NCTAPI32.DLL: UMonitor
C:\WINDOWS\SYSTEM\MOVCRT20.DLL: UMonitor
C:\WINDOWS\SYSTEM\IJ50_QCX.DLL: UMonitor
C:\WINDOWS\SYSTEM\wcspdmoe.dll: UMonitor
C:\WINDOWS\SYSTEM\mlisip.dll: UMonitor
C:\WINDOWS\SYSTEM\wop.dll: UMonitor
C:\WINDOWS\SYSTEM\hrztbi07.dll: UMonitor
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TBPS"="C:\\PROGRA~1\\TOOLBAR\\TBPS.exe"
"Narrator"="C:\\WINDOWS\\ryykri.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"
C:\WINDOWS\eaagen.dll
C:\WINDOWS\bzzabo.dll
C:\WINDOWS\wppqwz.exe
C:\WINDOWS\oggpoy.dll
C:\WINDOWS\bqqvba.dat
C:\WINDOWS\ryykri.exe
C:\WINDOWS\Start Menu\Programs\StartUp\tyyntu.exe
C:\WINDOWS\SYSTEM\WSDMLOG.DLL
C:\WINDOWS\SYSTEM\IJGUTIL.DLL
C:\WINDOWS\SYSTEM\MK3216.DLL
C:\WINDOWS\SYSTEM\DVIP32.DLL
C:\WINDOWS\SYSTEM\QWDWIPES.DLL
C:\WINDOWS\SYSTEM\LP32.DLL
C:\WINDOWS\SYSTEM\QSDWIPES.DLL
C:\WINDOWS\SYSTEM\MTSWCH.DLL
C:\WINDOWS\SYSTEM\HKTPLUG.DLL
C:\WINDOWS\SYSTEM\RZPILIB.DLL
C:\WINDOWS\SYSTEM\JKPL400.DLL
C:\WINDOWS\SYSTEM\UEBUI.DLL
C:\WINDOWS\SYSTEM\DNIP32.DLL
C:\WINDOWS\SYSTEM\OHBCBCP.DLL
C:\WINDOWS\SYSTEM\UAER32.DLL
C:\WINDOWS\SYSTEM\NCTAPI32.DLL
C:\WINDOWS\SYSTEM\MOVCRT20.DLL
C:\WINDOWS\SYSTEM\IJ50_QCX.DLL
C:\WINDOWS\SYSTEM\wcspdmoe.dll
C:\WINDOWS\SYSTEM\mlisip.dll
C:\WINDOWS\SYSTEM\wop.dll
C:\WINDOWS\SYSTEM\hrztbi07.dll
C:\WINDOWS\SYSTEM\vmss
C:\WINDOWS\SYSTEM\wsxsvc
C:\PROGRA~1\TOOLBAR
Please run Findit again and post the resulting log. Remember, it may take quite a bit of time before the log appears, so be patient.
Do not remove anything unless you are sure you know what you're doing.
Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.
System Files in System Directory
Volume in drive C is LOCAL DISK
Volume Serial Number is 1F24-0E0E
Directory of C:\WINDOWS\SYSTEM
JDMD400 DLL 222,568 01-27-05 2:31a JDMD400.DLL
MOCONF DLL 222,568 01-27-05 2:31a MOCONF.DLL
2 file(s) 445,136 bytes
0 dir(s) 5,270.25 MB free
System Files in System Directory
Volume in drive C is LOCAL DISK
Volume Serial Number is 1F24-0E0E
Directory of C:\WINDOWS\SYSTEM
WSDMLOG DLL 222,568 01-27-05 2:31a WSDMLOG.DLL
JDMD400 DLL 222,568 01-27-05 2:31a JDMD400.DLL
2 file(s) 445,136 bytes
0 dir(s) 5,192.68 MB free
Hidden Files in System Directory
Volume in drive C is LOCAL DISK
Volume Serial Number is 1F24-0E0E
Directory of C:\WINDOWS\SYSTEM
FOLDER HTT 23,155 05-09-04 7:40a folder.htt
DESKTOP INI 271 05-09-04 7:40a desktop.ini
2 file(s) 23,426 bytes
0 dir(s) 5,270.24 MB free
User Agent
Hidden Files in System Directory
Volume in drive C is LOCAL DISK
Volume Serial Number is 1F24-0E0E
Directory of C:\WINDOWS\SYSTEM
FOLDER HTT 23,155 05-09-04 7:40a folder.htt
DESKTOP INI 271 05-09-04 7:40a desktop.ini
2 file(s) 23,426 bytes
0 dir(s) 5,192.68 MB free
User Agent
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{D9C5192E-9BD8-485B-9E78-50D068033BB7}"=""
Locate.com Results
C:\WINDOWS\SYSTEM\
jdmd400.dll Thu Jan 27 2005 2:31:16a ..S.R 222,568 217.35 K
moconf.dll Thu Jan 27 2005 2:31:16a ..S.R 222,568 217.35 K
2 items found: 2 files, 0 directories.
Total of file sizes: 445,136 bytes 434.70 K
Locate.com Results
C:\WINDOWS\SYSTEM\
wsdmlog.dll Thu Jan 27 2005 2:31:16a ..S.R 222,568 217.35 K
jdmd400.dll Thu Jan 27 2005 2:31:16a ..S.R 222,568 217.35 K
2 items found: 2 files, 0 directories.
Total of file sizes: 445,136 bytes 434.70 K
Strings.exe Qoologic Results
C:\WINDOWS\eaagen.dll: excl_urls=
C:\WINDOWS\bzzabo.dll: updates.qoologic.com
C:\WINDOWS\wppqwz.exe: updates.qoologic.com
C:\WINDOWS\oggpoy.dll: updates.qoologic.com
Strings.exe Aspack Results
C:\WINDOWS\bqqvba.dat: .aspack
C:\WINDOWS\ryykri.exe: .aspack
C:\WINDOWS\Start Menu\Programs\StartUp\tyyntu.exe: .aspack
HKLM Run Key
Strings.exe Umonitor Results
C:\WINDOWS\SYSTEM\WSDMLOG.DLL: UMonitor
C:\WINDOWS\SYSTEM\IJGUTIL.DLL: UMonitor
C:\WINDOWS\SYSTEM\MK3216.DLL: UMonitor
C:\WINDOWS\SYSTEM\DVIP32.DLL: UMonitor
C:\WINDOWS\SYSTEM\QWDWIPES.DLL: UMonitor
C:\WINDOWS\SYSTEM\LP32.DLL: UMonitor
C:\WINDOWS\SYSTEM\QSDWIPES.DLL: UMonitor
C:\WINDOWS\SYSTEM\MTSWCH.DLL: UMonitor
C:\WINDOWS\SYSTEM\HKTPLUG.DLL: UMonitor
C:\WINDOWS\SYSTEM\RZPILIB.DLL: UMonitor
C:\WINDOWS\SYSTEM\JKPL400.DLL: UMonitor
C:\WINDOWS\SYSTEM\UEBUI.DLL: UMonitor
C:\WINDOWS\SYSTEM\DNIP32.DLL: UMonitor
C:\WINDOWS\SYSTEM\OHBCBCP.DLL: UMonitor
C:\WINDOWS\SYSTEM\UAER32.DLL: UMonitor
C:\WINDOWS\SYSTEM\NCTAPI32.DLL: UMonitor
C:\WINDOWS\SYSTEM\MOVCRT20.DLL: UMonitor
C:\WINDOWS\SYSTEM\JDMD400.DLL: UMonitor
C:\WINDOWS\SYSTEM\MYXML.DLL: UMonitor
C:\WINDOWS\SYSTEM\wcspdmoe.dll: UMonitor
C:\WINDOWS\SYSTEM\mlisip.dll: UMonitor
C:\WINDOWS\SYSTEM\wop.dll: UMonitor
C:\WINDOWS\SYSTEM\hrztbi07.dll: UMonitor
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TBPS"="C:\\PROGRA~1\\TOOLBAR\\TBPS.exe"
"Narrator"="C:\\WINDOWS\\ryykri.exe"
"Dvx"="C:\\WINDOWS\\SYSTEM\\wsxsvc\\wsxsvc.exe"
"vmss"="C:\\WINDOWS\\SYSTEM\\VMSS\\VMSS.EXE"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"
Sorry I took so long to repost.
The computer I'm trying to fix is my girlfriend's, and I'm only here on the weekends, really.
If you could still help me out, I'd be greatly appreciative.
C:\WINDOWS\SYSTEM\jdmd400.dll
C:\WINDOWS\SYSTEM\moconf.dll
C:\WINDOWS\SYSTEM\wsdmlog.dll
C:\WINDOWS\eaagen.dll
C:\WINDOWS\bzzabo.dll
C:\WINDOWS\wppqwz.exe
C:\WINDOWS\oggpoy.dll
C:\WINDOWS\bqqvba.dat
C:\WINDOWS\ryykri.exe
After you reboot, please post a HijackThis log and a new Findit log.
Scan saved at 12:08:40 PM, on 2/11/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\RYYKRI.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\SYSTEM\WSXSVC\WSXSVC.EXE
C:\WINDOWS\SYSTEM\VMSS\VMSS.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\DIGITAL IMAGING\BIN\HPOTDD01.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\DIGITAL IMAGING\BIN\HPOHMR08.EXE
C:\PROGRAM FILES\CISCO\CLEAN ACCESS\CCAAGENT.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\DIGITAL IMAGING\BIN\HPOEVM08.EXE
C:\WINDOWS\SYSTEM\HPZIPM12.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\UNZIPPED\HIJACKTHIS\HIJACKTHIS.EXE
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O4 - HKLM\..\Run: [TBPS] C:\PROGRA~1\TOOLBAR\TBPS.exe
O4 - HKLM\..\Run: [Narrator] C:\WINDOWS\ryykri.exe
O4 - HKLM\..\Run: [Dvx] C:\WINDOWS\SYSTEM\wsxsvc\wsxsvc.exe
O4 - HKLM\..\Run: [vmss] C:\WINDOWS\SYSTEM\VMSS\VMSS.EXE
O4 - Startup: hpoddt01.exe.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - Startup: hp instant support.lnk = C:\Program Files\Hewlett-Packard\hpis\bin\matcli.exe
O4 - Startup: hp psc 1000 series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Startup: Clean Access Agent.lnk = C:\Program Files\Cisco\Clean Access\CCAAgent.exe
O4 - Startup: tyyntu.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM\AIM.EXE
O16 - DPF: Yahoo! Blackjack - http://download.games.yahoo.com/games/clients/y/jt0_x.cab
Do not remove anything unless you are sure you know what you're doing.
System Files in System Directory
Volume in drive C is LOCAL DISK
Volume Serial Number is 1F24-0E0E
Directory of C:\WINDOWS\SYSTEM
WSDMLOG DLL 222,568 01-27-05 2:31a WSDMLOG.DLL
1 file(s) 222,568 bytes
0 dir(s) 5,144.11 MB free
Hidden Files in System Directory
Volume in drive C is LOCAL DISK
Volume Serial Number is 1F24-0E0E
Directory of C:\WINDOWS\SYSTEM
FOLDER HTT 23,155 05-09-04 7:40a folder.htt
DESKTOP INI 271 05-09-04 7:40a desktop.ini
2 file(s) 23,426 bytes
0 dir(s) 5,144.10 MB free
User Agent
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{D9C5192E-9BD8-485B-9E78-50D068033BB7}"=""
Locate.com Results
C:\WINDOWS\SYSTEM\
wsdmlog.dll Thu Jan 27 2005 2:31:16a ..S.R 222,568 217.35 K
1 item found: 1 file, 0 directories.
Total of file sizes: 222,568 bytes 217.35 K
Strings.exe Qoologic Results
C:\WINDOWS\eaagen.dll: excl_urls=
C:\WINDOWS\bzzabo.dll: updates.qoologic.com
C:\WINDOWS\wppqwz.exe: updates.qoologic.com
C:\WINDOWS\oggpoy.dll: updates.qoologic.com
Strings.exe Aspack Results
C:\WINDOWS\bqqvba.dat: .aspack
C:\WINDOWS\ryykri.exe: .aspack
C:\WINDOWS\Start Menu\Programs\StartUp\tyyntu.exe: .aspack
HKLM Run Key
Strings.exe Umonitor Results
C:\WINDOWS\SYSTEM\WSDMLOG.DLL: UMonitor
C:\WINDOWS\SYSTEM\IJGUTIL.DLL: UMonitor
C:\WINDOWS\SYSTEM\MK3216.DLL: UMonitor
C:\WINDOWS\SYSTEM\DVIP32.DLL: UMonitor
C:\WINDOWS\SYSTEM\QWDWIPES.DLL: UMonitor
C:\WINDOWS\SYSTEM\LP32.DLL: UMonitor
C:\WINDOWS\SYSTEM\QSDWIPES.DLL: UMonitor
C:\WINDOWS\SYSTEM\MTSWCH.DLL: UMonitor
C:\WINDOWS\SYSTEM\HKTPLUG.DLL: UMonitor
C:\WINDOWS\SYSTEM\RZPILIB.DLL: UMonitor
C:\WINDOWS\SYSTEM\JKPL400.DLL: UMonitor
C:\WINDOWS\SYSTEM\UEBUI.DLL: UMonitor
C:\WINDOWS\SYSTEM\DNIP32.DLL: UMonitor
C:\WINDOWS\SYSTEM\OHBCBCP.DLL: UMonitor
C:\WINDOWS\SYSTEM\UAER32.DLL: UMonitor
C:\WINDOWS\SYSTEM\NCTAPI32.DLL: UMonitor
C:\WINDOWS\SYSTEM\MOVCRT20.DLL: UMonitor
C:\WINDOWS\SYSTEM\JDMD400.DLL: UMonitor
C:\WINDOWS\SYSTEM\OFCACHE.DLL: UMonitor
C:\WINDOWS\SYSTEM\wcspdmoe.dll: UMonitor
C:\WINDOWS\SYSTEM\mlisip.dll: UMonitor
C:\WINDOWS\SYSTEM\wop.dll: UMonitor
C:\WINDOWS\SYSTEM\hrztbi07.dll: UMonitor
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TBPS"="C:\\PROGRA~1\\TOOLBAR\\TBPS.exe"
"Narrator"="C:\\WINDOWS\\ryykri.exe"
"Dvx"="C:\\WINDOWS\\SYSTEM\\wsxsvc\\wsxsvc.exe"
"vmss"="C:\\WINDOWS\\SYSTEM\\VMSS\\VMSS.EXE"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"
http://www.short-media.com/forum/showpost.php?p=172588&postcount=3
Place a checkmark next to these entries, close all browsers and windows, and have HijackThis fix them by clicking Fix Checked:
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O4 - HKLM\..\Run: [TBPS] C:\PROGRA~1\TOOLBAR\TBPS.exe
O4 - HKLM\..\Run: [Narrator] C:\WINDOWS\ryykri.exe
O4 - HKLM\..\Run: [Dvx] C:\WINDOWS\SYSTEM\wsxsvc\wsxsvc.exe
O4 - HKLM\..\Run: [vmss] C:\WINDOWS\SYSTEM\VMSS\VMSS.EXE
O4 - Startup: tyyntu.exe
Reboot your computer into Safe Mode
Then delete these files or directories (Do not be concerned if they do not exist):
C:\WINDOWS\Start Menu\Programs\StartUp\tyyntu.exe
C:\WINDOWS\ryykri.exe
C:\PROGRA~1\TOOLBAR
C:\WINDOWS\SYSTEM\wsxsvc
C:\WINDOWS\SYSTEM\VMSS
Reboot and post a new HijackThis log. Let me know how things are running now.
Scan saved at 12:15:19 AM, on 2/12/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\DIGITAL IMAGING\BIN\HPOTDD01.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\DIGITAL IMAGING\BIN\HPOHMR08.EXE
C:\PROGRAM FILES\CISCO\CLEAN ACCESS\CCAAGENT.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\DIGITAL IMAGING\BIN\HPOEVM08.EXE
C:\WINDOWS\SYSTEM\HPZIPM12.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\UNZIPPED\HIJACKTHIS\HIJACKTHIS.EXE
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O4 - Startup: hpoddt01.exe.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - Startup: hp instant support.lnk = C:\Program Files\Hewlett-Packard\hpis\bin\matcli.exe
O4 - Startup: hp psc 1000 series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Startup: Clean Access Agent.lnk = C:\Program Files\Cisco\Clean Access\CCAAgent.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM\AIM.EXE
What do you think?
Edit: still a few things popping up.
Please post a new Findit log.
Do not remove anything unless you are sure you know what you're doing.
System Files in System Directory
Volume in drive C is LOCAL DISK
Volume Serial Number is 1F24-0E0E
Directory of C:\WINDOWS\SYSTEM
WSDMLOG DLL 222,568 01-27-05 2:31a WSDMLOG.DLL
SMSDETMG DLL 222,568 01-27-05 2:31a SMSDETMG.DLL
DBDPMESH DLL 222,568 01-27-05 2:31a DBDPMESH.DLL
MPC42 DLL 222,568 01-27-05 2:31a MPC42.DLL
MVOERT2 DLL 222,568 01-27-05 2:31a mvoert2.dll
5 file(s) 1,112,840 bytes
0 dir(s) 4,147.22 MB free
Hidden Files in System Directory
Volume in drive C is LOCAL DISK
Volume Serial Number is 1F24-0E0E
Directory of C:\WINDOWS\SYSTEM
FOLDER HTT 23,155 05-09-04 7:40a folder.htt
DESKTOP INI 271 05-09-04 7:40a desktop.ini
2 file(s) 23,426 bytes
0 dir(s) 4,147.21 MB free
User Agent
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{D9C5192E-9BD8-485B-9E78-50D068033BB7}"=""
Locate.com Results
C:\WINDOWS\SYSTEM\
wsdmlog.dll Thu Jan 27 2005 2:31:16a ..S.R 222,568 217.35 K
smsdetmg.dll Thu Jan 27 2005 2:31:16a ..S.R 222,568 217.35 K
dbdpmesh.dll Thu Jan 27 2005 2:31:16a ..S.R 222,568 217.35 K
mpc42.dll Thu Jan 27 2005 2:31:16a ..S.R 222,568 217.35 K
mvoert2.dll Thu Jan 27 2005 2:31:16a ..S.R 222,568 217.35 K
5 items found: 5 files, 0 directories.
Total of file sizes: 1,112,840 bytes 1.06 M
Strings.exe Qoologic Results
C:\WINDOWS\eaagen.dll: excl_urls=
C:\WINDOWS\bzzabo.dll: updates.qoologic.com
C:\WINDOWS\wppqwz.exe: updates.qoologic.com
C:\WINDOWS\oggpoy.dll: updates.qoologic.com
Strings.exe Aspack Results
C:\WINDOWS\bqqvba.dat: .aspack
HKLM Run Key
Strings.exe Umonitor Results
C:\WINDOWS\SYSTEM\WSDMLOG.DLL: UMonitor
C:\WINDOWS\SYSTEM\IJGUTIL.DLL: UMonitor
C:\WINDOWS\SYSTEM\MK3216.DLL: UMonitor
C:\WINDOWS\SYSTEM\DVIP32.DLL: UMonitor
C:\WINDOWS\SYSTEM\QWDWIPES.DLL: UMonitor
C:\WINDOWS\SYSTEM\LP32.DLL: UMonitor
C:\WINDOWS\SYSTEM\QSDWIPES.DLL: UMonitor
C:\WINDOWS\SYSTEM\MTSWCH.DLL: UMonitor
C:\WINDOWS\SYSTEM\HKTPLUG.DLL: UMonitor
C:\WINDOWS\SYSTEM\RZPILIB.DLL: UMonitor
C:\WINDOWS\SYSTEM\JKPL400.DLL: UMonitor
C:\WINDOWS\SYSTEM\UEBUI.DLL: UMonitor
C:\WINDOWS\SYSTEM\DNIP32.DLL: UMonitor
C:\WINDOWS\SYSTEM\OHBCBCP.DLL: UMonitor
C:\WINDOWS\SYSTEM\UAER32.DLL: UMonitor
C:\WINDOWS\SYSTEM\NCTAPI32.DLL: UMonitor
C:\WINDOWS\SYSTEM\MOVCRT20.DLL: UMonitor
C:\WINDOWS\SYSTEM\JDMD400.DLL: UMonitor
C:\WINDOWS\SYSTEM\OFCACHE.DLL: UMonitor
C:\WINDOWS\SYSTEM\SMSDETMG.DLL: UMonitor
C:\WINDOWS\SYSTEM\DBDPMESH.DLL: UMonitor
C:\WINDOWS\SYSTEM\MPC42.DLL: UMonitor
C:\WINDOWS\SYSTEM\wcspdmoe.dll: UMonitor
C:\WINDOWS\SYSTEM\mlisip.dll: UMonitor
C:\WINDOWS\SYSTEM\wop.dll: UMonitor
C:\WINDOWS\SYSTEM\hrztbi07.dll: UMonitor
C:\WINDOWS\SYSTEM\mvoert2.dll: UMonitor
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"
C:\WINDOWS\SYSTEM\wsdmlog.dll
C:\WINDOWS\SYSTEM\smsdetmg.dll
C:\WINDOWS\SYSTEM\dbdpmesh.dll
C:\WINDOWS\SYSTEM\mpc42.dll
C:\WINDOWS\SYSTEM\mvoert2.dll
C:\WINDOWS\eaagen.dll
C:\WINDOWS\bqqvba.dat
C:\WINDOWS\bzzabo.dll
C:\WINDOWS\wppqwz.exe
C:\WINDOWS\oggpoy.dll
Step 1:
Copy the contents of the Quote Box below to Notepad.
Click File menu -> Save and name the file as fix.reg
Change the Save as Type to All Files
Save this file on the desktop.
Double-click on the fix.reg file you saved on your desktop, and when it prompts to merge say Yes, and this will clear some registry entries left behind by the process.
Step 2:
Repair the Recycle bin:
Click Start, Run and type cmd. Press OK.
A DOS window will open.
Type the following and then press Enter after typing each one:
attrib -h -s c:\recycler
del c:\recycler
Close the window and REBOOT.
Check if the Recycle Bin is OK. Please report back.
Step 3:
Download VX2Finder from this link:
http://www.downloads.subratam.org/VX2Finder.exe
Run Vx2Finder and click on the Restore Policy button.
Step 4:
Download the Hoster from here. Press "Restore Original Hosts" and press "OK". Exit Program. This will restore the original deleted Hosts file.
Step 5:
Post another find.bat log along with a new HijackThis log.
Scan saved at 7:24:54 PM, on 2/17/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\PROGRAM FILES\COMMON FILES\AOL\ACS\AOLACSD.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\COMMON FILES\AOL\ACS\AOLDIAL.EXE
C:\PROGRAM FILES\AMERICA ONLINE 9.0\WAOL.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\DIGITAL IMAGING\BIN\HPOTDD01.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\DIGITAL IMAGING\BIN\HPOHMR08.EXE
C:\PROGRAM FILES\CISCO\CLEAN ACCESS\CCAAGENT.EXE
C:\PROGRAM FILES\COMMON FILES\AOL\1108616740\EE\AOLHOSTMANAGER.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\DIGITAL IMAGING\BIN\HPOEVM08.EXE
C:\PROGRAM FILES\COMMON FILES\AOL\1108616740\EE\AOLSERVICEHOST.EXE
C:\WINDOWS\SYSTEM\HPZIPM12.EXE
C:\PROGRAM FILES\AMERICA ONLINE 9.0\SHELLMON.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\AIM\AIM.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\UNZIPPED\HIJACKTHIS\HIJACKTHIS.EXE
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/chsi.html
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1108616740\EE\AOLHostManager.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\RunServices: [AolAcsDaemon1] "C:\PROGRAM FILES\COMMON FILES\AOL\ACS\AOLACSD.EXE"
O4 - HKCU\..\Run: [AOL Fast Start] "C:\PROGRAM FILES\AMERICA ONLINE 9.0\AOL.EXE" -b
O4 - Startup: STRINGS.EXE
O4 - Startup: hpoddt01.exe.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - Startup: hp instant support.lnk = C:\Program Files\Hewlett-Packard\hpis\bin\matcli.exe
O4 - Startup: hp psc 1000 series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Startup: Clean Access Agent.lnk = C:\Program Files\Cisco\Clean Access\CCAAgent.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM\AIM.EXE
O12 - Plugin for .mov: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = aoldsl.net
Do not remove anything unless you are sure you know what you're doing.
System Files in System Directory
Volume in drive C is LOCAL DISK
Volume Serial Number is 1F24-0E0E
Directory of C:\WINDOWS\SYSTEM
RCCHED20 DLL 222,568 01-27-05 2:31a RCCHED20.DLL
1 file(s) 222,568 bytes
0 dir(s) 3,924.90 MB free
Hidden Files in System Directory
Volume in drive C is LOCAL DISK
Volume Serial Number is 1F24-0E0E
Directory of C:\WINDOWS\SYSTEM
FOLDER HTT 23,155 05-09-04 7:40a folder.htt
DESKTOP INI 271 05-09-04 7:40a desktop.ini
2 file(s) 23,426 bytes
0 dir(s) 3,924.89 MB free
User Agent
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{D9C5192E-9BD8-485B-9E78-50D068033BB7}"=""
Locate.com Results
C:\WINDOWS\SYSTEM\
rcched20.dll Thu Jan 27 2005 2:31:16a ..S.R 222,568 217.35 K
1 item found: 1 file, 0 directories.
Total of file sizes: 222,568 bytes 217.35 K
Strings.exe Qoologic Results
Strings.exe Aspack Results
HKLM Run Key
Strings.exe Umonitor Results
C:\WINDOWS\SYSTEM\IJGUTIL.DLL: UMonitor
C:\WINDOWS\SYSTEM\MK3216.DLL: UMonitor
C:\WINDOWS\SYSTEM\DVIP32.DLL: UMonitor
C:\WINDOWS\SYSTEM\QWDWIPES.DLL: UMonitor
C:\WINDOWS\SYSTEM\LP32.DLL: UMonitor
C:\WINDOWS\SYSTEM\QSDWIPES.DLL: UMonitor
C:\WINDOWS\SYSTEM\MTSWCH.DLL: UMonitor
C:\WINDOWS\SYSTEM\HKTPLUG.DLL: UMonitor
C:\WINDOWS\SYSTEM\RZPILIB.DLL: UMonitor
C:\WINDOWS\SYSTEM\JKPL400.DLL: UMonitor
C:\WINDOWS\SYSTEM\UEBUI.DLL: UMonitor
C:\WINDOWS\SYSTEM\DNIP32.DLL: UMonitor
C:\WINDOWS\SYSTEM\OHBCBCP.DLL: UMonitor
C:\WINDOWS\SYSTEM\UAER32.DLL: UMonitor
C:\WINDOWS\SYSTEM\NCTAPI32.DLL: UMonitor
C:\WINDOWS\SYSTEM\MOVCRT20.DLL: UMonitor
C:\WINDOWS\SYSTEM\JDMD400.DLL: UMonitor
C:\WINDOWS\SYSTEM\OFCACHE.DLL: UMonitor
C:\WINDOWS\SYSTEM\RCCHED20.DLL: UMonitor
C:\WINDOWS\SYSTEM\wcspdmoe.dll: UMonitor
C:\WINDOWS\SYSTEM\mlisip.dll: UMonitor
C:\WINDOWS\SYSTEM\wop.dll: UMonitor
C:\WINDOWS\SYSTEM\hrztbi07.dll: UMonitor
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HostManager"="C:\\Program Files\\Common Files\\AOL\\1108616740\\EE\\AOLHostManager.exe"
"AOLDialer"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"
If there is a space in this word "CurrentVersion" when you copy it to notepad, please delete the space.
Click File menu -> Save and name the file as fix.reg
Change the Save as Type to All Files
Save this file on the desktop.
Double-click on the fix.reg file you saved on your desktop, and when it prompts to merge say Yes, and this will clear some registry entries left behind by the process.
Killbox this file:
C:\WINDOWS\SYSTEM\rcched20.dll
Reboot, post a new HijackThis log and a new Findit log. Let me know if your Recycle Bin is working or not. Are you still getting popups?
Scan saved at 7:24:54 PM, on 2/17/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\PROGRAM FILES\COMMON FILES\AOL\ACS\AOLACSD.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\COMMON FILES\AOL\ACS\AOLDIAL.EXE
C:\PROGRAM FILES\AMERICA ONLINE 9.0\WAOL.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\DIGITAL IMAGING\BIN\HPOTDD01.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\DIGITAL IMAGING\BIN\HPOHMR08.EXE
C:\PROGRAM FILES\CISCO\CLEAN ACCESS\CCAAGENT.EXE
C:\PROGRAM FILES\COMMON FILES\AOL\1108616740\EE\AOLHOSTMANAGER.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\DIGITAL IMAGING\BIN\HPOEVM08.EXE
C:\PROGRAM FILES\COMMON FILES\AOL\1108616740\EE\AOLSERVICEHOST.EXE
C:\WINDOWS\SYSTEM\HPZIPM12.EXE
C:\PROGRAM FILES\AMERICA ONLINE 9.0\SHELLMON.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\AIM\AIM.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\UNZIPPED\HIJACKTHIS\HIJACKTHIS.EXE
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/chsi.html
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1108616740\EE\AOLHostManager.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\RunServices: [AolAcsDaemon1] "C:\PROGRAM FILES\COMMON FILES\AOL\ACS\AOLACSD.EXE"
O4 - HKCU\..\Run: [AOL Fast Start] "C:\PROGRAM FILES\AMERICA ONLINE 9.0\AOL.EXE" -b
O4 - Startup: STRINGS.EXE
O4 - Startup: hpoddt01.exe.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - Startup: hp instant support.lnk = C:\Program Files\Hewlett-Packard\hpis\bin\matcli.exe
O4 - Startup: hp psc 1000 series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Startup: Clean Access Agent.lnk = C:\Program Files\Cisco\Clean Access\CCAAgent.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM\AIM.EXE
O12 - Plugin for .mov: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = aoldsl.net
Do not remove anything unless you are sure you know what you're doing.
System Files in System Directory
Volume in drive C is LOCAL DISK
Volume Serial Number is 1F24-0E0E
Directory of C:\WINDOWS\SYSTEM
4,156.64 MB free
Hidden Files in System Directory
Volume in drive C is LOCAL DISK
Volume Serial Number is 1F24-0E0E
Directory of C:\WINDOWS\SYSTEM
FOLDER HTT 23,155 05-09-04 7:40a folder.htt
DESKTOP INI 271 05-09-04 7:40a desktop.ini
2 file(s) 23,426 bytes
0 dir(s) 4,156.63 MB free
User Agent
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{D9C5192E-9BD8-485B-9E78-50D068033BB7}"=""
Locate.com Results
No matches found.
Strings.exe Qoologic Results
Strings.exe Aspack Results
HKLM Run Key
Strings.exe Umonitor Results
C:\WINDOWS\SYSTEM\IJGUTIL.DLL: UMonitor
C:\WINDOWS\SYSTEM\MK3216.DLL: UMonitor
C:\WINDOWS\SYSTEM\DVIP32.DLL: UMonitor
C:\WINDOWS\SYSTEM\QWDWIPES.DLL: UMonitor
C:\WINDOWS\SYSTEM\LP32.DLL: UMonitor
C:\WINDOWS\SYSTEM\QSDWIPES.DLL: UMonitor
C:\WINDOWS\SYSTEM\MTSWCH.DLL: UMonitor
C:\WINDOWS\SYSTEM\HKTPLUG.DLL: UMonitor
C:\WINDOWS\SYSTEM\RZPILIB.DLL: UMonitor
C:\WINDOWS\SYSTEM\JKPL400.DLL: UMonitor
C:\WINDOWS\SYSTEM\UEBUI.DLL: UMonitor
C:\WINDOWS\SYSTEM\DNIP32.DLL: UMonitor
C:\WINDOWS\SYSTEM\OHBCBCP.DLL: UMonitor
C:\WINDOWS\SYSTEM\UAER32.DLL: UMonitor
C:\WINDOWS\SYSTEM\NCTAPI32.DLL: UMonitor
C:\WINDOWS\SYSTEM\MOVCRT20.DLL: UMonitor
C:\WINDOWS\SYSTEM\JDMD400.DLL: UMonitor
C:\WINDOWS\SYSTEM\OFCACHE.DLL: UMonitor
C:\WINDOWS\SYSTEM\wcspdmoe.dll: UMonitor
C:\WINDOWS\SYSTEM\mlisip.dll: UMonitor
C:\WINDOWS\SYSTEM\wop.dll: UMonitor
C:\WINDOWS\SYSTEM\hrztbi07.dll: UMonitor
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HostManager"="C:\\Program Files\\Common Files\\AOL\\1108616740\\EE\\AOLHostManager.exe"
"AOLDialer"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"
The pop up ads have stopped it seems.
And the trash works.
Have hijackthis fix this line.
O4 - Startup: STRINGS.EXE
Then search for and delete this file, if present.
STRINGS.EXE
Please download VX2Finder9x from:
http://www.downloads.subratam.org/VX2Finder9x.exe
This is for Windows 98/ME Only.
Please run this program and click on the button Click to find VX2.Betterinternet.
If any items are listed, select all the files and delete them all by clicking on the Delete these files button.
Then click on the User Agent$ button.
If you have the Quicklaunch toolbar, you can click on the Import Reg button.
Reboot and post one last hijackthis log.
Scan saved at 10:01:58 AM, on 2/19/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\PROGRAM FILES\COMMON FILES\AOL\ACS\AOLACSD.EXE
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\COMMON FILES\AOL\ACS\AOLDIAL.EXE
C:\PROGRAM FILES\AMERICA ONLINE 9.0\WAOL.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\DIGITAL IMAGING\BIN\HPOTDD01.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\DIGITAL IMAGING\BIN\HPOHMR08.EXE
C:\PROGRAM FILES\CISCO\CLEAN ACCESS\CCAAGENT.EXE
C:\PROGRAM FILES\COMMON FILES\AOL\1108616740\EE\AOLHOSTMANAGER.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\DIGITAL IMAGING\BIN\HPOEVM08.EXE
C:\PROGRAM FILES\COMMON FILES\AOL\1108616740\EE\AOLSERVICEHOST.EXE
C:\WINDOWS\SYSTEM\HPZIPM12.EXE
C:\PROGRAM FILES\AMERICA ONLINE 9.0\SHELLMON.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\UNZIPPED\HIJACKTHIS\HIJACKTHIS.EXE
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/chsi.html
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1108616740\EE\AOLHostManager.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\RunServices: [AolAcsDaemon1] "C:\PROGRAM FILES\COMMON FILES\AOL\ACS\AOLACSD.EXE"
O4 - HKCU\..\Run: [AOL Fast Start] "C:\PROGRAM FILES\AMERICA ONLINE 9.0\AOL.EXE" -b
O4 - Startup: hpoddt01.exe.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - Startup: hp instant support.lnk = C:\Program Files\Hewlett-Packard\hpis\bin\matcli.exe
O4 - Startup: hp psc 1000 series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Startup: Clean Access Agent.lnk = C:\Program Files\Cisco\Clean Access\CCAAgent.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM\AIM.EXE
O12 - Plugin for .mov: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = aoldsl.net
what do you think?
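Comparing the 2/17 and 2/19 logs above the way the helper does by eye, as an added Python example that is not part of this thread and not HijackThis code: it parses the R0/O4/O9/O12/O17 section lines of both logs (copied from the posts above, process lists omitted), reports which entries disappeared between the two, and flags O4 startup items that are a bare file name with no path or that run straight out of C:\WINDOWS, the pattern the helper singled out with STRINGS.EXE. The function names and the flagging heuristic are the editor's own assumptions, not HijackThis features.

```python
import re

# A HijackThis section line: a code such as R0, O4 or O17, " - ", then the entry.
SECTION_RE = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.*)$")
# Registry-based O4 items: '<hive>\..\Run: [Name] <target and arguments>'.
REG_ITEM_RE = re.compile(r"^.*?: \[[^\]]*\] (?P<target>.*)$")

# Section lines copied from the 2/17/2005 log posted above (process list omitted).
LOG_0217 = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/chsi.html
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1108616740\EE\AOLHostManager.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\RunServices: [AolAcsDaemon1] "C:\PROGRAM FILES\COMMON FILES\AOL\ACS\AOLACSD.EXE"
O4 - HKCU\..\Run: [AOL Fast Start] "C:\PROGRAM FILES\AMERICA ONLINE 9.0\AOL.EXE" -b
O4 - Startup: STRINGS.EXE
O4 - Startup: hpoddt01.exe.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - Startup: hp instant support.lnk = C:\Program Files\Hewlett-Packard\hpis\bin\matcli.exe
O4 - Startup: hp psc 1000 series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Startup: Clean Access Agent.lnk = C:\Program Files\Cisco\Clean Access\CCAAgent.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM\AIM.EXE
O12 - Plugin for .mov: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = aoldsl.net
"""

# Section lines copied from the 2/19/2005 log posted above, after the STRINGS.EXE fix.
LOG_0219 = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/chsi.html
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1108616740\EE\AOLHostManager.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\RunServices: [AolAcsDaemon1] "C:\PROGRAM FILES\COMMON FILES\AOL\ACS\AOLACSD.EXE"
O4 - HKCU\..\Run: [AOL Fast Start] "C:\PROGRAM FILES\AMERICA ONLINE 9.0\AOL.EXE" -b
O4 - Startup: hpoddt01.exe.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - Startup: hp instant support.lnk = C:\Program Files\Hewlett-Packard\hpis\bin\matcli.exe
O4 - Startup: hp psc 1000 series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Startup: Clean Access Agent.lnk = C:\Program Files\Cisco\Clean Access\CCAAgent.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM\AIM.EXE
O12 - Plugin for .mov: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = aoldsl.net
"""


def parse_hjt(text):
    """Return the set of (code, body) section entries in a HijackThis log.
    Header and process-list lines do not match SECTION_RE and are skipped."""
    entries = set()
    for line in text.splitlines():
        m = SECTION_RE.match(line.strip())
        if m:
            entries.add((m.group("code"), m.group("body")))
    return entries


def diff_logs(before, after):
    """Return (removed, added): entries only in `before`, entries only in `after`."""
    b, a = parse_hjt(before), parse_hjt(after)
    return sorted(b - a), sorted(a - b)


def _unquote(s):
    """Take the path out of a double-quoted target, dropping trailing arguments."""
    s = s.strip()
    return s[1:].split('"', 1)[0] if s.startswith('"') else s


def startup_target(body):
    """Return the program an O4 entry launches (heuristic; assumes the two
    layouts seen in these logs: 'Startup: x.lnk = path' and '...: [Name] path')."""
    if body.startswith("Startup:"):
        item = body[len("Startup:"):].strip()
        return item.split(" = ", 1)[1] if " = " in item else item
    m = REG_ITEM_RE.match(body)
    return _unquote(m.group("target")) if m else body


def suspicious_startup(entries):
    """Editor's heuristic: flag O4 items whose target has no directory at all
    (like STRINGS.EXE) or sits directly in C:\\WINDOWS rather than an
    application or SYSTEM folder. Returns the entry bodies, sorted."""
    flagged = []
    for code, body in sorted(entries):
        if code != "O4":
            continue
        target = startup_target(body)
        bare = "\\" not in target
        windir = re.match(r"(?i)^C:\\WINDOWS\\[^\\]+$", target) is not None
        if bare or windir:
            flagged.append(body)
    return flagged


if __name__ == "__main__":
    removed, added = diff_logs(LOG_0217, LOG_0219)
    for code, body in removed:
        print("gone since 2/17:", code, "-", body)
    for code, body in added:
        print("new since 2/17: ", code, "-", body)
    for body in suspicious_startup(parse_hjt(LOG_0219)):
        print("still suspicious:", body)
```

Run against the two logs it reports the single removed entry, O4 - Startup: STRINGS.EXE, and nothing suspicious left in the 2/19 log; the heuristic is only a first pass, since a legitimately installed program can also live in C:\WINDOWS and a hijacker can just as well sit in Program Files.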
Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:
- Disable and Enable System Restore. - If you are using Windows ME or XP then you should disable and re-enable System Restore to make sure there are no infected files found in a restore point left over from what we have just cleaned.
- Make your Internet Explorer more secure - This can be done by following these simple instructions:
- From within Internet Explorer click on the Tools menu and then click on Options.
- Click once on the Security tab
- Click once on the Internet icon so it becomes highlighted.
- Click once on the Custom Level button.
- Change the Download signed ActiveX controls to Prompt
- Change the Download unsigned ActiveX controls to Disable
- Change the Initialize and script ActiveX controls not marked as safe to Disable
- Change the Installation of desktop items to Prompt
- Change the Launching programs and files in an IFRAME to Prompt
- Change the Navigate sub-frames across different domains to Prompt
- When all these settings have been made, click on the OK button.
- If it prompts you as to whether or not you want to save the settings, press the Yes button.
- Next press the Apply button and then the OK to exit the Internet Properties page.
- Use AntiVirus Software - It is very important that your computer has anti-virus software running on it. This alone can save you a lot of trouble with malware in the future.
- Update your AntiVirus Software - It is imperative that you update your antivirus software at least once a week (even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.
- Use a Firewall - I can not stress how important it is that you use a firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a firewall in its default configuration can lower your risk greatly.
- Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer always has the latest security updates installed. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.
- Install Spybot - Search and Destroy - Download and install Spybot - Search and Destroy with its TeaTimer option. This will provide realtime spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with the program on a regular basis just as you would with antivirus software.
- Install Ad-Aware - Download and install Ad-Aware. You should also scan your computer with the program on a regular basis, in conjunction with Spybot, just as you would with antivirus software.
- Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites to your Internet Explorer settings that will protect you from running and downloading known malicious programs.
- Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
Follow this list and your potential for being infected again will reduce dramatically. You can find instructions on how to disable and re-enable System Restore here:
Managing Windows Millenium System Restore
or
Windows XP System Restore Guide
Re-enable System Restore with the instructions from the tutorial above.
See this link for a listing of some online and stand-alone antivirus programs:
Virus, Spyware, and Malware Protection and Removal Resources
For a tutorial on Firewalls and a listing of some available ones see the link below:
Understanding and Using Firewalls
A tutorial on installing & using this product can be found here:
Using Spybot - Search & Destroy to remove Spyware , Malware, and Hijackers
A tutorial on installing & using this product can be found here:
Using Ad-aware to remove Spyware, Malware, & Hijackers from Your Computer
A tutorial on installing & using this product can be found here:
Using SpywareBlaster to protect your computer from Spyware and Malware
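The six Custom Level changes listed above, applied as a REGEDIT4 file of the kind this thread already uses rather than by clicking through the dialog, as an added Python example that is not part of the original post: build_reg() emits the .reg text for the Internet zone (zone 3 under HKCU\...\Internet Settings\Zones), and audit() reads an exported copy of that key and lists every setting still looser than the target. The value names 1001, 1004, 1201, 1607, 1800 and 1804 are Internet Explorer's documented zone action identifiers for those six settings, and DWORD data 0/1/3 encodes Enable/Prompt/Disable; the sample export is constructed, not taken from a real machine, and the function names are the editor's own.

```python
import re

# Per-user Internet zone key (zone 3) whose values back the Custom Level dialog.
INTERNET_ZONE = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3"

# DWORD data used by the zone values; Enable < Prompt < Disable in strictness.
POLICY = {"Enable": 0, "Prompt": 1, "Disable": 3}

# Zone action value name -> (label shown in Custom Level, policy the post asks for).
HARDENING = {
    "1001": ("Download signed ActiveX controls", "Prompt"),
    "1004": ("Download unsigned ActiveX controls", "Disable"),
    "1201": ("Initialize and script ActiveX controls not marked as safe", "Disable"),
    "1607": ("Navigate sub-frames across different domains", "Prompt"),
    "1800": ("Installation of desktop items", "Prompt"),
    "1804": ("Launching programs and files in an IFRAME", "Prompt"),
}

# A DWORD value line in a REGEDIT4 export: "1004"=dword:00000003
VALUE_RE = re.compile(r'^"(?P<name>[0-9A-Fa-f]{4})"=dword:(?P<data>[0-9A-Fa-f]{8})$')


def reg_dword(value):
    """Format an integer the way REGEDIT4 expects DWORD data."""
    return "dword:%08x" % value


def build_reg(hardening=HARDENING, key=INTERNET_ZONE):
    """Return REGEDIT4 text that sets every hardening value under `key`.
    Lines beginning with ';' are comments, which regedit ignores on merge."""
    lines = ["REGEDIT4", "", "[%s]" % key]
    for name, (label, policy) in sorted(hardening.items()):
        lines.append("; %s = %s" % (label, policy))
        lines.append('"%s"=%s' % (name, reg_dword(POLICY[policy])))
    lines.append("")
    return "\r\n".join(lines)


def parse_zone_export(text):
    """Read the DWORD values of a REGEDIT4 export into {value name: int}."""
    current = {}
    for line in text.splitlines():
        m = VALUE_RE.match(line.strip())
        if m:
            current[m.group("name")] = int(m.group("data"), 16)
    return current


def audit(export_text, hardening=HARDENING):
    """List (name, label, current, wanted) for every setting that is looser
    than the target or missing from the export (current is then None)."""
    current = parse_zone_export(export_text)
    findings = []
    for name, (label, policy) in sorted(hardening.items()):
        have = current.get(name)
        if have is None or have < POLICY[policy]:
            findings.append((name, label, have, policy))
    return findings


# Constructed export of a zone key left at loose settings; not from a real machine.
SAMPLE_EXPORT = r"""REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"1001"=dword:00000000
"1004"=dword:00000000
"1201"=dword:00000003
"1607"=dword:00000000
"1800"=dword:00000001
"1804"=dword:00000001
"""

if __name__ == "__main__":
    for name, label, have, wanted in audit(SAMPLE_EXPORT):
        print("%s %-60s current=%s wanted=%s" % (name, label, have, wanted))
    print(build_reg())
```

To use it, export the Zones\3 key with regedit, run audit() on the export to see what is still open, then merge the file build_reg() prints the same way fix.reg was merged earlier in this thread, with Internet Explorer closed so it picks the values up on the next start. Open Tools > Options > Security > Custom Level afterwards and confirm the six entries show the new settings; the dialog reads the same values, so it is the quickest check that the merge took.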