Computer taken over by about:blank

Post by Perkypen » March 25th, 2005, 3:15 pm

Logfile of HijackThis v1.99.1
Scan saved at 2:24:31 PM, on 3/25/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\ISP50\BIN\BARTSHEL.EXE
C:\PROGRAM FILES\BROADJUMP\CLIENT FOUNDATION\CFD.EXE
C:\PROGRAM FILES\2WIRE HOMEPORTAL MONITOR\2PORTALMON.EXE
C:\PROGRAM FILES\SUPPORT.COM\BIN\TGCMD.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\PROGRAM FILES\BROWSER MOUSE\MOUSE32A.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\WINDOWS\SYSTEM\PELMICED.EXE
C:\PROGRAM FILES\SPYBOT - SEARCH & DESTROY\TEATIMER.EXE
C:\PROGRAM FILES\BELLSOUTH\CONNECTION MANAGER\CMANAGER.EXE
C:\PROGRAM FILES\ISP50\BIN\PPSHARED.EXE
C:\PROGRAM FILES\BROADJUMP\CORRECTCONNECT ENGINE\CCD.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\HJT\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/spage.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/spage.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customi ... .yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN1\YCOMP5_5_5_0.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O2 - BHO: (no name) - {AA83BE7A-CEC1-40C1-85B4-B9BE0AE75300} - C:\WINDOWS\SYSTEM\KEEB.DLL
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN1\YCOMP5_5_5_0.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Bart Station] C:\Program Files\ISP50\hta\station.sbrt
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [2wSysTray] C:\PROGRAM FILES\2WIRE HOMEPORTAL MONITOR\2PORTALMON.EXE
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe" /server /nosystray
O4 - HKLM\..\Run: [cargncrmg] C:\WINDOWS\SYSTEM\jcnamo.exe
O4 - HKLM\..\Run: [EbatesMoeMoneyMaker0] "C:\PROGRAM FILES\EBATES_MOEMONEYMAKER\EbatesMoeMoneyMaker0.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [FLMOFFICE4DMOUSE] C:\Program Files\Browser MOUSE\mouse32a.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] PELMICED.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\RunServices: [CAISafe] C:\Program Files\CA\eTrust EZ Armor\ISafe.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: Connection Manager.lnk = C:\Program Files\BellSouth\Connection Manager\CManager.exe
O4 - Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES0411.DLL
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES0411.DLL
O9 - Extra button: Ebates - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\PROGRAM FILES\EBATES_MOEMONEYMAKER\Sy350\Tp350\scri350a.htm (file missing) (HKCU)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O12 - Plugin for .pdf: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.c ... 040510.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.c ... pi_416.dll
O16 - DPF: {10003000-1000-0000-1000-000000000000} - ms-its:mhtml:file://c:\nosuch.mht!http://2awm.com/pop/chm/sextxsp.chm::/on-line.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004 ... scan53.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/09d0b20e184 ... xIE601.cab
O18 - Filter: text/html - {42B69E29-36DF-4C60-A937-1CA0D332E6CB} - C:\WINDOWS\SYSTEM\KEEB.DLL
O18 - Filter: text/plain - {42B69E29-36DF-4C60-A937-1CA0D332E6CB} - C:\WINDOWS\SYSTEM\KEEB.DLL

Thanks,

Penny
Perkypen
Regular Member
 
Posts: 180
Joined: February 9th, 2005, 12:07 pm
Location: Catawba, NC

Post by Bertha » March 25th, 2005, 5:18 pm

Hey perkypen,

You're infected again, what do you get up to?

Anyway, I am looking at your HJT log now and will get back to you.

Bertha
Bertha
Admin/Teacher Emeritus
 
Posts: 2053
Joined: February 6th, 2005, 1:17 pm
Location: Midlands

Post by Perkypen » March 25th, 2005, 10:54 pm

Bertha,

I would like you to know that I have just become a student. I figured if I can be infected with all this malware I better learn how to take care of it!

This log is from my home computer and the other log was from one of the computers at work.

Thanks for all your help.

Penny
Perkypen
Regular Member

Post by Bertha » March 26th, 2005, 4:43 am

Hey perkypen,

Please disable Spybot's TeaTimer for this fix, as it may stop things working:

To do this, right-click the running icon of Spybot's TeaTimer and choose Exit; otherwise it can interfere.

Download FxAgentB.exe from securityresponse.symantec.com/avcenter/FxAgentB.exe and save it to your desktop. After downloading, double-click the FxAgentB file to run it and the program will scan your entire hard drive - this may take a while. When it is done, it will generate a log file called FxAgentB.log - save that information as you will need to paste it here later. Reboot when done.

Next download CWShredder, install and run it, hit 'fix' as opposed to 'scan only'. If you already have CWShredder, please delete it and download the latest version. Reboot when done.

Then click www.lavasoftusa.com/support/download/ to download Ad-Aware SE and install. Before scanning click on "check for updates now" to make sure you have the latest reference file. Click "Start", select "Perform Full System scan" and "Next" to start the scan. When the scan is finished, the screen will tell you if anything has been found, click "Next". The bad files will be listed, right click the pane and click "Select all objects" - this will put a check mark in the box at the side, click "Next" again and click "OK" at the prompt "# objects will be removed. Continue?".

Reboot when done, rescan with HijackThis and post a new log at the forum where you are getting help, together with the FxAgentB log.

Bertha
Bertha
Admin/Teacher Emeritus

Post by Perkypen » March 26th, 2005, 5:00 pm

Bertha,

FxAgentB said it was not found on my computer, so I have no log.

Here is the HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 4:10:53 PM, on 3/26/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\ISP50\BIN\BARTSHEL.EXE
C:\PROGRAM FILES\BROADJUMP\CLIENT FOUNDATION\CFD.EXE
C:\PROGRAM FILES\2WIRE HOMEPORTAL MONITOR\2PORTALMON.EXE
C:\PROGRAM FILES\SUPPORT.COM\BIN\TGCMD.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\BROWSER MOUSE\MOUSE32A.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\WINDOWS\SYSTEM\PELMICED.EXE
C:\PROGRAM FILES\SPYBOT - SEARCH & DESTROY\TEATIMER.EXE
C:\PROGRAM FILES\BELLSOUTH\CONNECTION MANAGER\CMANAGER.EXE
C:\PROGRAM FILES\INTERMUTE\SPYSUBTRACT\SPYSUB.EXE
C:\PROGRAM FILES\ISP50\BIN\PPSHARED.EXE
C:\PROGRAM FILES\BROADJUMP\CORRECTCONNECT ENGINE\CCD.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\PROGRAM FILES\MOZILLA FIREFOX\FIREFOX.EXE
C:\HJT\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/spage.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/spage.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customi ... .yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN1\YCOMP5_5_5_0.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O2 - BHO: (no name) - {D54DE4E4-951C-41CD-AC05-1F8890CCE98E} - C:\WINDOWS\SYSTEM\KEEB.DLL
O2 - BHO: (no name) - {AA83BE7A-CEC1-40C1-85B4-B9BE0AE75300} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN1\YCOMP5_5_5_0.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Bart Station] C:\Program Files\ISP50\hta\station.sbrt
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [2wSysTray] C:\PROGRAM FILES\2WIRE HOMEPORTAL MONITOR\2PORTALMON.EXE
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe" /server /nosystray
O4 - HKLM\..\Run: [cargncrmg] C:\WINDOWS\SYSTEM\jcnamo.exe
O4 - HKLM\..\Run: [EbatesMoeMoneyMaker0] "C:\PROGRAM FILES\EBATES_MOEMONEYMAKER\EbatesMoeMoneyMaker0.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [FLMOFFICE4DMOUSE] C:\Program Files\Browser MOUSE\mouse32a.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] PELMICED.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\RunServices: [CAISafe] C:\Program Files\CA\eTrust EZ Armor\ISafe.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: Connection Manager.lnk = C:\Program Files\BellSouth\Connection Manager\CManager.exe
O4 - Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Startup: SpySubtract.lnk = C:\Program Files\interMute\SpySubtract\SpySub.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES0411.DLL
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES0411.DLL
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Ebates - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\PROGRAM FILES\EBATES_MOEMONEYMAKER\Sy350\Tp350\scri350a.htm (file missing) (HKCU)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O12 - Plugin for .pdf: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.c ... 040510.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.c ... pi_416.dll
O16 - DPF: {10003000-1000-0000-1000-000000000000} - ms-its:mhtml:file://c:\nosuch.mht!http://2awm.com/pop/chm/sextxsp.chm::/on-line.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004 ... scan53.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/09d0b20e184 ... xIE601.cab
O18 - Filter: text/html - {CAD2711E-256C-4D9B-A470-EDC6107CA878} - C:\WINDOWS\SYSTEM\KEEB.DLL
O18 - Filter: text/plain - {CAD2711E-256C-4D9B-A470-EDC6107CA878} - C:\WINDOWS\SYSTEM\KEEB.DLL

Thanks,
Penny
Perkypen
Regular Member

About:buster

Post by Perkypen » March 30th, 2005, 4:11 pm

Bertha,

Can I download this program and run it? I have been reading, and this program should remove it? If I run the program in safe mode, then I won't have to worry about the O2 & O4 fixes?

Thanks,
Penny
Perkypen
Regular Member

Post by ChrisRLG » March 31st, 2005, 4:12 pm

Bertha has time problems at the moment - so I am taking some of his topics to help out.

===============

Download CW-Shredder at the link below:
http://cwshredder.net/bin/CWShredder.exe


Download 'SpSeHjfix' to the desktop, then right-click a blank part of the desktop, select New Folder and call it spfix.
Unzip the file into that folder.

Disconnect from the net and Close ALL OPEN PROGRAMS.
Run 'SpSeHjfix' and click on "Start Disinfection".
When it's finished it will reboot your machine to finish the cleaning process.
The tool creates a log of the fix which will appear in the folder.

If it doesn't find any of the SE files or any hidden reinstallers, it will say system clean and not go on to the next stage.

Now run the Shredder - Hit The FIX button!

Reboot and post a fresh HJT log and the log that was created by 'SpSeHjfix'.
ChrisRLG
Administrator Emeritus
 
Posts: 17759
Joined: December 16th, 2004, 10:04 am
Location: Southend, Essex, UK
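An added example (not code from the thread, HijackThis or SpSeHjfix): a Python triage script that parses HJT entry lines like those posted in this thread, flags the about:blank hijack pattern (R0/R1 pages set to about:blank or served from a res://...se.dll resource, O18 text/html and text/plain filters, unnamed O2 BHOs) and compares a pre-fix log with a post-fix one to show which flagged entries the fix actually cleared. The "before" lines are trimmed from the 3/26 log above; the "after" lines and the SDHELPER.DLL allow-list are constructed assumptions.

```python
# Added example for this thread: triage HijackThis (HJT) log lines for the about:blank /
# se.dll hijack pattern and check what a fix cleared. Not code from HJT, SpSeHjfix or the forum.
import re

# "Before" entries are trimmed from the 3/26/2005 HJT log posted in this thread.
HJT_BEFORE = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/spage.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN1\YCOMP5_5_5_0.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O2 - BHO: (no name) - {D54DE4E4-951C-41CD-AC05-1F8890CCE98E} - C:\WINDOWS\SYSTEM\KEEB.DLL
O2 - BHO: (no name) - {AA83BE7A-CEC1-40C1-85B4-B9BE0AE75300} - (no file)
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O18 - Filter: text/html - {CAD2711E-256C-4D9B-A470-EDC6107CA878} - C:\WINDOWS\SYSTEM\KEEB.DLL
O18 - Filter: text/plain - {CAD2711E-256C-4D9B-A470-EDC6107CA878} - C:\WINDOWS\SYSTEM\KEEB.DLL
"""

# "After" entries are constructed: the same log with the KEEB.DLL BHO and both O18
# filters gone, while the R0/R1 page entries and the "(no file)" BHO remain.
HJT_AFTER = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/spage.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN1\YCOMP5_5_5_0.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O2 - BHO: (no name) - {AA83BE7A-CEC1-40C1-85B4-B9BE0AE75300} - (no file)
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
"""

# An HJT entry line is "<section> - <body>", e.g. "R1 - ..." or "O18 - ...".
ENTRY_RE = re.compile(r"^(R[0-3]|O\d{1,2}) - (.*)$")

# BHOs that show "(no name)" but are legitimate; Spybot's SDHelper appears in the logs above.
# This allow-list is an assumption for the example, not something HJT provides.
KNOWN_GOOD_BHO = ("SDHELPER.DLL",)

def parse_hjt(text):
    """Return (section, body) for each HJT entry line; headers and process lists are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries

def flag_entry(section, body):
    """Return why an entry matches the hijack pattern, or None if it looks benign."""
    upper = body.upper()
    if section in ("R0", "R1"):
        if "ABOUT:BLANK" in upper:
            return "IE search/start page forced to about:blank"
        if re.search(r"RES://.*\.DLL/", upper):
            return "IE page served out of a DLL resource (se.dll)"
    elif section == "O18" and upper.startswith("FILTER: TEXT/"):
        # A text/html or text/plain MIME filter lets a DLL rewrite every page IE renders.
        return "MIME filter for text/html or text/plain hooked to a DLL"
    elif section == "O2" and "(NO NAME)" in upper:
        if any(good in upper for good in KNOWN_GOOD_BHO):
            return None
        return "unnamed Browser Helper Object"
    return None

def triage(text):
    """Map each flagged entry (as 'section - body') to the reason it was flagged."""
    flagged = {}
    for section, body in parse_hjt(text):
        reason = flag_entry(section, body)
        if reason:
            flagged[f"{section} - {body}"] = reason
    return flagged

def compare_logs(before, after):
    """Split the entries flagged in `before` into those a fix removed and those still present."""
    still_there = {f"{s} - {b}" for s, b in parse_hjt(after)}
    flagged = triage(before)
    removed = {k: v for k, v in flagged.items() if k not in still_there}
    remaining = {k: v for k, v in flagged.items() if k in still_there}
    return removed, remaining

if __name__ == "__main__":
    removed, remaining = compare_logs(HJT_BEFORE, HJT_AFTER)
    print(f"cleared by fix ({len(removed)}):")
    for k, v in removed.items():
        print(f"  {k}\n      -> {v}")
    print(f"still present ({len(remaining)}), fix incomplete:" if remaining else "clean of this pattern")
    for k, v in remaining.items():
        print(f"  {k}\n      -> {v}")
```

Run against the two real logs (3/26 before, 3/31 after) instead of the embedded samples to see whether the R0/R1 page entries survived the fix, which is exactly what a fresh HJT log is requested for.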

New HJT Log

Post by Perkypen » March 31st, 2005, 7:45 pm

Logfile of HijackThis v1.99.1
Scan saved at 6:53:16 PM, on 3/31/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\ISP50\BIN\BARTSHEL.EXE
C:\PROGRAM FILES\BROADJUMP\CLIENT FOUNDATION\CFD.EXE
C:\PROGRAM FILES\2WIRE HOMEPORTAL MONITOR\2PORTALMON.EXE
C:\PROGRAM FILES\SUPPORT.COM\BIN\TGCMD.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\PROGRAM FILES\BROWSER MOUSE\MOUSE32A.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\WINDOWS\SYSTEM\PELMICED.EXE
C:\PROGRAM FILES\SPYBOT - SEARCH & DESTROY\TEATIMER.EXE
C:\PROGRAM FILES\BELLSOUTH\CONNECTION MANAGER\CMANAGER.EXE
C:\PROGRAM FILES\INTERMUTE\SPYSUBTRACT\SPYSUB.EXE
C:\PROGRAM FILES\ISP50\BIN\PPSHARED.EXE
C:\PROGRAM FILES\BROADJUMP\CORRECTCONNECT ENGINE\CCD.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\HJT\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/spage.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/spage.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customi ... .yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN1\YCOMP5_5_5_0.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O2 - BHO: (no name) - {AA83BE7A-CEC1-40C1-85B4-B9BE0AE75300} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN1\YCOMP5_5_5_0.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Bart Station] C:\Program Files\ISP50\hta\station.sbrt
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [2wSysTray] C:\PROGRAM FILES\2WIRE HOMEPORTAL MONITOR\2PORTALMON.EXE
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe" /server /nosystray
O4 - HKLM\..\Run: [cargncrmg] C:\WINDOWS\SYSTEM\jcnamo.exe
O4 - HKLM\..\Run: [EbatesMoeMoneyMaker0] "C:\PROGRAM FILES\EBATES_MOEMONEYMAKER\EbatesMoeMoneyMaker0.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [FLMOFFICE4DMOUSE] C:\Program Files\Browser MOUSE\mouse32a.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] PELMICED.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\RunServices: [CAISafe] C:\Program Files\CA\eTrust EZ Armor\ISafe.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: Connection Manager.lnk = C:\Program Files\BellSouth\Connection Manager\CManager.exe
O4 - Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Startup: SpySubtract.lnk = C:\Program Files\interMute\SpySubtract\SpySub.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES0411.DLL
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES0411.DLL
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Ebates - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\PROGRAM FILES\EBATES_MOEMONEYMAKER\Sy350\Tp350\scri350a.htm (file missing) (HKCU)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O12 - Plugin for .pdf: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.c ... 040510.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.c ... pi_416.dll
O16 - DPF: {10003000-1000-0000-1000-000000000000} - ms-its:mhtml:file://c:\nosuch.mht!http://2awm.com/pop/chm/sextxsp.chm::/on-line.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004 ... scan53.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/09d0b20e184 ... xIE601.cab

(3/31/05 6:39:15 PM) SPSeHjFix started v1.1.1
(3/31/05 6:39:15 PM) OS: WinME (4.90.3000)
(3/31/05 6:39:15 PM) Language: english
(3/31/05 6:39:22 PM) Disinfection started
(3/31/05 6:39:22 PM) Bad-Dll(IEP): c:\windows\temp\se.dll
(3/31/05 6:39:22 PM) Searchassistant Uninstaller found: regsvr32 /s /u C:\WINDOWS\SYSTEM\KEEB.DLL
(3/31/05 6:39:22 PM) Searchassistant Uninstaller - Keys Deleted
(3/31/05 6:39:22 PM) FilterKey: HKCR\text/html (deleted)
(3/31/05 6:39:22 PM) FilterKey: HKCR\CLSID\{CAD2711E-256C-4D9B-A470-EDC6107CA878} (deleted)
(3/31/05 6:39:22 PM) FilterKey: HKLM\SOFTWARE\Classes\text/html (error while deleting)
(3/31/05 6:39:22 PM) FilterKey: HKCR\text/plain (deleted)
(3/31/05 6:39:22 PM) FilterKey: HKCR\CLSID\{CAD2711E-256C-4D9B-A470-EDC6107CA878} (error while deleting)
(3/31/05 6:39:22 PM) FilterKey: HKLM\SOFTWARE\Classes\text/plain (error while deleting)
(3/31/05 6:39:22 PM) BHO-Key: HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D54DE4E4-951C-41CD-AC05-1F8890CCE98E} (deleted)
(3/31/05 6:39:22 PM) BHO-Key: HKCR\CLSID\{D54DE4E4-951C-41CD-AC05-1F8890CCE98E} (deleted)
(3/31/05 6:39:22 PM) BHO-Key: HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AA83BE7A-CEC1-40C1-85B4-B9BE0AE75300} (file missing: deleted)
(3/31/05 6:39:22 PM) BHO-Key: HKCR\CLSID\{AA83BE7A-CEC1-40C1-85B4-B9BE0AE75300} (file missing: deleted)
(3/31/05 6:39:22 PM) UBF: 6
(3/31/05 6:39:22 PM) UBB: 3
(3/31/05 6:39:22 PM) UBR: 23
(3/31/05 6:39:22 PM) Bad IE-pages:
deleted: HKCU\Software\Microsoft\Internet Explorer\Main, Search Bar: res://c:\windows\temp\se.dll/spage.html
deleted: HKCU\Software\Microsoft\Internet Explorer\Main, Search Page: about:blank
deleted: HKCU\Software\Microsoft\Internet Explorer\Main, Start Page: about:blank
deleted: HKCU\Software\Microsoft\Internet Explorer\Main, HomeOldSP: about:blank
deleted: HKCU\Software\Microsoft\Internet Explorer\Search, SearchAssistant: about:blank
deleted: HKLM\Software\Microsoft\Internet Explorer\Main, Search Bar: res://c:\windows\temp\se.dll/spage.html
deleted: HKLM\Software\Microsoft\Internet Explorer\Main, Search Page: about:blank
deleted: HKLM\Software\Microsoft\Internet Explorer\Main, Start Page: about:blank
deleted: HKLM\Software\Microsoft\Internet Explorer\Main, HomeOldSP: about:blank
deleted: HKLM\Software\Microsoft\Internet Explorer\Search, SearchAssistant: about:blank
(3/31/05 6:39:22 PM) Stealth-String not found
(3/31/05 6:39:28 PM) Temp-Files delete on Reboot
(3/31/05 6:39:28 PM) File added to delete: c:\windows\system\keeb.dll
(3/31/05 6:39:28 PM) File added to delete: error
(3/31/05 6:39:28 PM) File added to delete: c:\windows\temp\jet290.tmp
(3/31/05 6:39:28 PM) File added to delete: c:\windows\temp\~dfb61e.tmp
(3/31/05 6:39:28 PM) File added to delete: c:\windows\temp\_istmp1.dir
(3/31/05 6:39:28 PM) File added to delete: c:\windows\temp\_istmp3.dir
(3/31/05 6:39:28 PM) File added to delete: c:\windows\temp\_istmp4.dir
(3/31/05 6:39:28 PM) File added to delete: c:\windows\temp\_istmp5.dir
(3/31/05 6:39:28 PM) File added to delete: c:\windows\temp\_istmp2.dir
(3/31/05 6:39:28 PM) File added to delete: c:\windows\temp\_istmp2.dir\_istmp0.dir
(3/31/05 6:39:28 PM) File added to delete: c:\windows\temp\_istmp2.dir\_istmp0.dir\filegrp
(3/31/05 6:39:28 PM) File added to delete: c:\windows\temp\_istmp2.dir\_istmp0.dir\filegrp\pdfmaker
(3/31/05 6:39:28 PM) File added to delete: c:\windows\temp\hta
(3/31/05 6:39:28 PM) File added to delete: c:\windows\temp\setup
(3/31/05 6:39:28 PM) File added to delete: c:\windows\temp\msoclip1
(3/31/05 6:39:28 PM) File added to delete: c:\windows\temp\q312339
(3/31/05 6:39:28 PM) File added to delete: c:\windows\temp\q312339\options
(3/31/05 6:39:28 PM) File added to delete: c:\windows\temp\bellsouth
(3/31/05 6:39:28 PM) File added to delete: c:\windows\temp\bellsouth\ccd
(3/31/05 6:39:28 PM) File added to delete: c:\windows\temp\bellsouth\sprt
(3/31/05 6:39:28 PM) File added to delete: c:\windows\temp\bellsouth\sprt\vault
(3/31/05 6:39:28 PM) File added to delete: c:\windows\temp\bellsouth\sprt\vault\12
(3/31/05 6:39:28 PM) File added to delete: c:\windows\temp\bellsouth\sprt\vault\13
(3/31/05 6:39:28 PM) File added to delete: c:\windows\temp\bellsouth\sprt\vault\14
(3/31/05 6:39:28 PM) File added to delete: c:\windows\temp\bellsouth\sprt\vault\16
(3/31/05 6:39:28 PM) File added to delete: c:\windows\temp\bellsouth\sprt\vault\17
(3/31/05 6:39:28 PM) File added to delete: c:\windows\temp\bellsouth\sprt\vault\18
(3/31/05 6:39:28 PM) File added to delete: c:\windows\temp\bellsouth\sprt\vault\19
(3/31/05 6:39:28 PM) File added to delete: c:\windows\temp\bellsouth\sprt\vault\20
(3/31/05 6:39:28 PM) File added to delete: c:\windows\temp\bellsouth\sprt\vault\21
(3/31/05 6:39:28 PM) File added to delete: c:\windows\temp\bellsouth\sprt\vault\23
(3/31/05 6:39:28 PM) File added to delete: c:\windows\temp\bellsouth\sprt\vault\28
(3/31/05 6:39:28 PM) File added to delete: c:\windows\temp\bellsouth\sprt\vault\33
(3/31/05 6:39:28 PM) File added to delete: c:\windows\temp\bellsouth\sprt\vault\57
(3/31/05 6:39:28 PM) File added to delete: c:\windows\temp\bellsouth\sprt\vault\66
(3/31/05 6:39:28 PM) File added to delete: c:\windows\temp\bellsouth\sprt\vault\68
(3/31/05 6:39:28 PM) File added to delete: c:\windows\temp\bellsouth\sprt\vault\93
(3/31/05 6:39:28 PM) File added to delete: c:\windows\temp\bellsouth\sprt\vault\ac
(3/31/05 6:39:28 PM) File added to delete: c:\windows\temp\bellsouth\sprt\vault\ag
(3/31/05 6:39:28 PM) File added to delete: c:\windows\temp\bellsouth\sprt\vault\al
(3/31/05 6:39:28 PM) File added to delete: c:\windows\temp\bellsouth\sprt\vault\ap
(3/31/05 6:39:28 PM) File added to delete: c:\windows\temp\bellsouth\sprt\vault\ar
(3/31/05 6:39:28 PM) File added to delete: c:\windows\temp\bellsouth\sprt\vault\as
(3/31/05 6:39:28 PM) File added to delete: c:\windows\temp\bellsouth\sprt\vault\ba
(3/31/05 6:39:28 PM) File added to delete: c:\windows\temp\bellsouth\sprt\vault\be
(3/31/05 6:39:28 PM) File added to delete: c:\windows\temp\bellsouth\sprt\vault\bl
(3/31/05 6:39:28 PM) File added to delete: c:\windows\temp\bellsouth\sprt\vault\bo
(3/31/05 6:39:28 PM) File added to delete: c:\windows\temp\bellsouth\sprt\vault\bt
(3/31/05 6:39:28 PM) File added to delete: c:\windows\temp\bellsouth\sprt\vault\b_
(3/31/05 6:39:28 PM) File added to delete: c:\windows\temp\bellsouth\sprt\vault\ch
(3/31/05 6:39:28 PM) File added to delete: c:\windows\temp\bellsouth\sprt\vault\cl
(3/31/05 6:39:28 PM) File added to delete: c:\windows\temp\bellsouth\sprt\vault\cm
(3/31/05 6:39:28 PM) File added to delete: c:\windows\temp\bellsouth\sprt\vault\co
(3/31/05 6:39:28 PM) File added to delete: c:\windows\temp\bellsouth\sprt\vault\cr
(3/31/05 6:39:28 PM) File added to delete: c:\windows\temp\bellsouth\sprt\vault\cu
(3/31/05 6:39:28 PM) File added to delete: c:\windows\temp\bellsouth\sprt\vault\de
(3/31/05 6:39:28 PM) File added to delete: c:\windows\temp\bellsouth\sprt\vault\df
(3/31/05 6:39:28 PM) File added to delete: c:\windows\temp\bellsouth\sprt\vault\di
(3/31/05 6:39:28 PM) File added to delete: c:\windows\temp\bellsouth\sprt\vault\do
(3/31/05 6:39:28 PM) File added to delete: c:\windows\temp\bellsouth\sprt\vault\et
(3/31/05 6:39:28 PM) File added to delete: c:\windows\temp\bellsouth\sprt\vault\ex
(3/31/05 6:39:28 PM) File added to delete: c:\windows\temp\bellsouth\sprt\vault\fa
(3/31/05 6:39:28 PM) File added to delete: c:\windows\temp\bellsouth\sprt\vault\fe
(3/31/05 6:39:28 PM) File added to delete: c:\windows\temp\bellsouth\sprt\vault\fi
(3/31/05 6:39:28 PM) File added to delete: c:\windows\temp\bellsouth\sprt\vault\fo
(3/31/05 6:39:28 PM) File added to delete: c:\windows\temp\bellsouth\sprt\vault\fr
(3/31/05 6:39:28 PM) File added to delete: c:\windows\temp\bellsouth\sprt\vault\fu
(3/31/05 6:39:28 PM) File added to delete: c:\windows\temp\bellsouth\sprt\vault\ge
(3/31/05 6:39:28 PM) File added to delete: c:\windows\temp\bellsouth\sprt\vault\gr
(3/31/05 6:39:28 PM) File added to delete: c:\windows\temp\bellsouth\sprt\vault\ha
(3/31/05 6:39:28 PM) File added to delete: c:\windows\temp\bellsouth\sprt\vault\ho
(3/31/05 6:39:28 PM) File added to delete: c:\windows\temp\bellsouth\sprt\vault\ie
(3/31/05 6:39:28 PM) File added to delete: c:\windows\temp\bellsouth\sprt\vault\im
(3/31/05 6:39:28 PM) File added to delete: c:\windows\temp\bellsouth\sprt\vault\in
(3/31/05 6:39:28 PM) File added to delete: c:\windows\temp\bellsouth\sprt\vault\jo
(3/31/05 6:39:28 PM) File added to delete: c:\windows\temp\bellsouth\sprt\vault\js
(3/31/05 6:39:28 PM) File added to delete: c:\windows\temp\bellsouth\sprt\vault\li
(3/31/05 6:39:28 PM) File added to delete: c:\windows\temp\bellsouth\sprt\vault\ma
(3/31/05 6:39:28 PM) File added to delete: c:\windows\temp\bellsouth\sprt\vault\me
(3/31/05 6:39:28 PM) File added to delete: c:\windows\temp\bellsouth\sprt\vault\mi
(3/31/05 6:39:28 PM) File added to delete: c:\windows\temp\bellsouth\sprt\vault\ms
(3/31/05 6:39:28 PM) File added to delete: c:\windows\temp\bellsouth\sprt\vault\ne
(3/31/05 6:39:28 PM) File added to delete: c:\windows\temp\bellsouth\sprt\vault\no
(3/31/05 6:39:28 PM) File added to delete: c:\windows\temp\bellsouth\sprt\vault\np
(3/31/05 6:39:28 PM) File added to delete: c:\windows\temp\bellsouth\sprt\vault\ns
(3/31/05 6:39:28 PM) File added to delete: c:\windows\temp\bellsouth\sprt\vault\nt
(3/31/05 6:39:28 PM) File added to delete: c:\windows\temp\bellsouth\sprt\vault\os
(3/31/05 6:39:28 PM) File added to delete: c:\windows\temp\bellsouth\sprt\vault\pl
(3/31/05 6:39:28 PM) File added to delete: c:\windows\temp\bellsouth\sprt\vault\po
(3/31/05 6:39:28 PM) File added to delete: c:\windows\temp\bellsouth\sprt\vault\pr
(3/31/05 6:39:28 PM) File added to delete: c:\windows\temp\bellsouth\sprt\vault\qu
(3/31/05 6:39:28 PM) File added to delete: c:\windows\temp\bellsouth\sprt\vault\re
(3/31/05 6:39:28 PM) File added to delete: c:\windows\temp\bellsouth\sprt\vault\ru
(3/31/05 6:39:28 PM) File added to delete: c:\windows\temp\bellsouth\sprt\vault\sa
(3/31/05 6:39:28 PM) File added to delete: c:\windows\temp\bellsouth\sprt\vault\sd
(3/31/05 6:39:28 PM) File added to delete: c:\windows\temp\bellsouth\sprt\vault\se
(3/31/05 6:39:28 PM) File added to delete: c:\windows\temp\bellsouth\sprt\vault\sh
(3/31/05 6:39:28 PM) File added to delete: c:\windows\temp\bellsouth\sprt\vault\sn
(3/31/05 6:39:28 PM) File added to delete: c:\windows\temp\bellsouth\sprt\vault\so
(3/31/05 6:39:28 PM) File added to delete: c:\windows\temp\bellsouth\sprt\vault\sp
(3/31/05 6:39:28 PM) File added to delete: c:\windows\temp\bellsouth\sprt\vault\ss
(3/31/05 6:39:28 PM) File added to delete: c:\windows\temp\bellsouth\sprt\vault\st
(3/31/05 6:39:28 PM) File added to delete: c:\windows\temp\bellsouth\sprt\vault\su
(3/31/05 6:39:28 PM) File added to delete: c:\windows\temp\bellsouth\sprt\vault\sv
(3/31/05 6:39:28 PM) File added to delete: c:\windows\temp\bellsouth\sprt\vault\te
(3/31/05 6:39:28 PM) File added to delete: c:\windows\temp\bellsouth\sprt\vault\tg
(3/31/05 6:39:28 PM) File added to delete: c:\windows\temp\bellsouth\sprt\vault\to
(3/31/05 6:39:28 PM) File added to delete: c:\windows\temp\bellsouth\sprt\vault\tr
(3/31/05 6:39:28 PM) File added to delete: c:\windows\temp\bellsouth\sprt\vault\ub
(3/31/05 6:39:28 PM) File added to delete: c:\windows\temp\bellsouth\sprt\vault\ui
(3/31/05 6:39:28 PM) File added to delete: c:\windows\temp\bellsouth\sprt\vault\un
(3/31/05 6:39:28 PM) File added to delete: c:\windows\temp\bellsouth\sprt\vault\ur
(3/31/05 6:39:28 PM) File added to delete: c:\windows\temp\bellsouth\sprt\vault\us
(3/31/05 6:39:28 PM) File added to delete: c:\windows\temp\bellsouth\sprt\vault\va
(3/31/05 6:39:28 PM) File added to delete: c:\windows\temp\bellsouth\sprt\vault\vi
(3/31/05 6:39:28 PM) File added to delete: c:\windows\temp\bellsouth\sprt\vault\vn
(3/31/05 6:39:28 PM) File added to delete: c:\windows\temp\bellsouth\sprt\vault\vs
(3/31/05 6:39:28 PM) File added to delete: c:\windows\temp\bellsouth\sprt\vault\w9
(3/31/05 6:39:28 PM) File added to delete: c:\windows\temp\bellsouth\sprt\vault\we
(3/31/05 6:39:28 PM) File added to delete: c:\windows\temp\bellsouth\sprt\vault\wo
(3/31/05 6:39:28 PM) File added to delete: c:\windows\temp\bellsouth\sprt\vault\wr
(3/31/05 6:39:28 PM) File added to delete: c:\windows\temp\bellsouth\sprt\vault\{0
(3/31/05 6:39:28 PM) File added to delete: c:\windows\temp\bellsouth\sprt\vault\{1
(3/31/05 6:39:28 PM) File added to delete: c:\windows\temp\bellsouth\sprt\vault\{2
(3/31/05 6:39:28 PM) File added to delete: c:\windows\temp\bellsouth\sprt\vault\{3
(3/31/05 6:39:28 PM) File added to delete: c:\windows\temp\bellsouth\sprt\vault\{4
(3/31/05 6:39:28 PM) File added to delete: c:\windows\temp\bellsouth\sprt\vault\{5
(3/31/05 6:39:28 PM) File added to delete: c:\windows\temp\bellsouth\sprt\vault\{6
(3/31/05 6:39:28 PM) File added to delete: c:\windows\temp\bellsouth\sprt\vault\{7
(3/31/05 6:39:28 PM) File added to delete: c:\windows\temp\bellsouth\sprt\vault\{8
(3/31/05 6:39:28 PM) File added to delete: c:\windows\temp\bellsouth\sprt\vault\{9
(3/31/05 6:39:28 PM) File added to delete: c:\windows\temp\bellsouth\sprt\vault\{a
(3/31/05 6:39:28 PM) File added to delete: c:\windows\temp\bellsouth\sprt\vault\{b
(3/31/05 6:39:28 PM) File added to delete: c:\windows\temp\bellsouth\sprt\vault\{c
(3/31/05 6:39:28 PM) File added to delete: c:\windows\temp\bellsouth\sprt\vault\{d
(3/31/05 6:39:28 PM) File added to delete: c:\windows\temp\bellsouth\sprt\vault\{e
(3/31/05 6:39:28 PM) File added to delete: c:\windows\temp\bellsouth\sprt\vault\{f
(3/31/05 6:39:28 PM) File added to delete: c:\windows\temp\ns_temp
(3/31/05 6:39:28 PM) File added to delete: c:\windows\temp\ns_temp\xpcom.ns
(3/31/05 6:39:28 PM) File added to delete: c:\windows\temp\ns_temp\xpcom.ns\bin
(3/31/05 6:39:30 PM) Reboot
(3/31/05 6:40:36 PM) SPSeHjFix 2nd Step
(3/31/05 6:40:36 PM) Stealth-String not present. Disinfection succesfully
(3/31/05 6:40:44 PM) Cleaned


Thanks,
Penny
Perkypen
Regular Member
 
Posts: 180
Joined: February 9th, 2005, 12:07 pm
Location: Catawba, NC

Unread postby ChrisRLG » April 1st, 2005, 4:31 am

  • Download CWShredder, unzip it, and save it on the Desktop. Please do not run it yet, though.
  • Please set your system to show all files; please see here if you're unsure how to do this.
  • Press Control-Alt-Del to enter the Task Manager.
    Click on the Processes tab and end the following processes:
    (Spybot & Spysubtract are good but need to be stopped from running while we do this fix)
    C:\PROGRAM FILES\SPYBOT - SEARCH & DESTROY\TEATIMER.EXE
    C:\PROGRAM FILES\INTERMUTE\SPYSUBTRACT\SPYSUB.EXE
    Exit the Task Manager when finished.
  • Close all programs leaving only HijackThis running. Place a check against each of the following, making sure you get them all and not any others by mistake:
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/spage.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/spage.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customi ... .yahoo.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    O2 - BHO: (no name) - {AA83BE7A-CEC1-40C1-85B4-B9BE0AE75300} - (no file)
    O4 - HKLM\..\Run: [cargncrmg] C:\WINDOWS\SYSTEM\jcnamo.exe
    O4 - HKLM\..\Run: [EbatesMoeMoneyMaker0] "C:\PROGRAM FILES\EBATES_MOEMONEYMAKER\EbatesMoeMoneyMaker0.exe"
    O9 - Extra button: Ebates - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\PROGRAM FILES\EBATES_MOEMONEYMAKER\Sy350\Tp350\scri350a.htm (file missing) (HKCU)
    O16 - DPF: {10003000-1000-0000-1000-000000000000} - ms-its:mhtml:file://c:\nosuch.mht!http://2awm.com/pop/chm/sextxsp.chm::/on-line.exe
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/09d0b20e184 ... xIE601.cab

    Click on Fix Checked when finished and exit HijackThis.
  • Reboot into Safe Mode: please see here if you are not sure how to do this.

    Using Windows Explorer, locate the following files/folders, and delete them:
    C:\WINDOWS\TEMP\se.dll
    C:\WINDOWS\SYSTEM\jcnamo.exe
    C:\PROGRAM FILES\EBATES_MOEMONEYMAKER\


    Exit Explorer, and reboot as normal afterwards.
  • Run CWShredder to fix your CWS problem.

    Reboot to normal mode.


Post back a fresh HijackThis log and we will take another look.
ChrisRLG
Administrator Emeritus
 
Posts: 17759
Joined: December 16th, 2004, 10:04 am
Location: Southend, Essex, UK
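Added example, not part of the thread and not HijackThis or CWShredder code: a small Python triage script that parses HijackThis R0/R1, O2 and O16 entries and flags the about:blank and se.dll indicators that the fix list above targets (the res:// search page under TEMP, about:blank search keys, the orphaned BHO, the ms-its:/CHM download entry). The sample log is constructed from lines quoted in this thread, with two benign lines from the later clean log added for contrast; the severity labels are this example's own.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: HijackThis v1.99.1 entries quoted in this thread (the ones
# ChrisRLG had fixed) plus benign lines from the later clean log, for contrast.
SAMPLE_LOG = r"""R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/spage.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: (no name) - {AA83BE7A-CEC1-40C1-85B4-B9BE0AE75300} - (no file)
O4 - HKLM\..\Run: [cargncrmg] C:\WINDOWS\SYSTEM\jcnamo.exe
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O16 - DPF: {10003000-1000-0000-1000-000000000000} - ms-its:mhtml:file://c:\nosuch.mht!http://2awm.com/pop/chm/sextxsp.chm::/on-line.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004 ... scan53.cab
"""

# HijackThis line shapes: "R1 - <key> = <value>", "O2 - BHO: <name> - {CLSID} - <path>",
# "O16 - DPF: {CLSID} (<name>) - <url>" (the name part is optional).
LINE_RE = re.compile(r"^(?P<section>R[0-3]|O\d{1,2}) - (?P<body>.*)$")
R_RE = re.compile(r"^(?P<key>.+?) = (?P<value>.*)$")
O2_RE = re.compile(r"^BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.*)$")
O16_RE = re.compile(r"^DPF: (?P<clsid>\{[0-9A-Fa-f-]+\})(?: \((?P<name>[^)]*)\))? - ?(?P<url>.*)$")

@dataclass
class Entry:
    section: str  # HijackThis section code, e.g. "R1", "O2", "O16"
    body: str     # text after the "Rn - " / "On - " prefix

@dataclass
class Finding:
    severity: str  # "high" / "medium" / "low", this example's own scale
    reason: str
    line: str

def parse_log(text: str) -> List[Entry]:
    """Keep only the R0-R3/On entries; headers and the process list are skipped."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            entries.append(Entry(m["section"], m["body"]))
    return entries

def assess(entry: Entry) -> Optional[Finding]:
    """Apply the about:blank / se.dll indicators seen in this thread to one entry."""
    line = f"{entry.section} - {entry.body}"
    if entry.section in ("R0", "R1") and (m := R_RE.match(entry.body)):
        value = m["value"].strip().lower()
        if value == "about:blank":
            return Finding("medium", "IE search/start key points at about:blank", line)
        if value.startswith("res://") and "\\temp\\" in value:
            return Finding("high", "IE page served from a DLL resource under TEMP (se.dll pattern)", line)
    elif entry.section == "O2" and (m := O2_RE.match(entry.body)):
        if m["path"].strip() == "(no file)":
            return Finding("low", "BHO CLSID registered but its DLL is missing", line)
    elif entry.section == "O16" and (m := O16_RE.match(entry.body)):
        url = m["url"].strip().lower()
        if url.startswith("ms-its:") or ".chm::/" in url:
            return Finding("high", "Downloaded Program File fetched via ms-its:/CHM protocol", line)
    return None  # O4 and other sections are parsed but not scored here

def triage(text: str) -> List[Finding]:
    """Parse a log and return every entry that matches an indicator, in log order."""
    return [f for f in map(assess, parse_log(text)) if f is not None]

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.reason}\n         {f.line}")
```

Running it on the sample reports two high, two medium and one low finding; the clean follow-up log in this thread yields only the orphaned-BHO entry.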

New log

Unread postby Perkypen » April 2nd, 2005, 12:14 am

Logfile of HijackThis v1.99.1
Scan saved at 11:25:18 PM, on 4/1/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\ISP50\BIN\BARTSHEL.EXE
C:\PROGRAM FILES\BROADJUMP\CLIENT FOUNDATION\CFD.EXE
C:\PROGRAM FILES\2WIRE HOMEPORTAL MONITOR\2PORTALMON.EXE
C:\PROGRAM FILES\SUPPORT.COM\BIN\TGCMD.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\PROGRAM FILES\BROWSER MOUSE\MOUSE32A.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\WINDOWS\SYSTEM\PELMICED.EXE
C:\PROGRAM FILES\SPYBOT - SEARCH & DESTROY\TEATIMER.EXE
C:\PROGRAM FILES\INTERMUTE\SPYSUBTRACT\SPYSUB.EXE
C:\PROGRAM FILES\ISP50\BIN\PPSHARED.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\HJT\HIJACKTHIS.EXE

O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN1\YCOMP5_5_5_0.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O2 - BHO: (no name) - {AA83BE7A-CEC1-40C1-85B4-B9BE0AE75300} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN1\YCOMP5_5_5_0.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Bart Station] C:\Program Files\ISP50\hta\station.sbrt
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [2wSysTray] C:\PROGRAM FILES\2WIRE HOMEPORTAL MONITOR\2PORTALMON.EXE
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe" /server /nosystray
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [FLMOFFICE4DMOUSE] C:\Program Files\Browser MOUSE\mouse32a.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] PELMICED.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\RunServices: [CAISafe] C:\Program Files\CA\eTrust EZ Armor\ISafe.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: Connection Manager.lnk = C:\Program Files\BellSouth\Connection Manager\CManager.exe
O4 - Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Startup: SpySubtract.lnk = C:\Program Files\interMute\SpySubtract\SpySub.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES0411.DLL
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES0411.DLL
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O12 - Plugin for .pdf: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.c ... 040510.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.c ... pi_416.dll
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004 ... scan53.cab
O16 - DPF: {10003000-1000-0000-1000-000000000000} -
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} -
Perkypen
Regular Member
 
Posts: 180
Joined: February 9th, 2005, 12:07 pm
Location: Catawba, NC

Unread postby Perkypen » April 2nd, 2005, 12:16 am

IE still opens to about:blank :evil:
Perkypen
Regular Member
 
Posts: 180
Joined: February 9th, 2005, 12:07 pm
Location: Catawba, NC

Unread postby ChrisRLG » April 2nd, 2005, 4:45 am

I have very little time, so just some questions - I will post some more tonight.

Is the AB page you get this or similar?
http://www.malwareremoval.com/images/ab ... age001.JPG

or is it just a blank page - because you do not have a home page set now, so IE has to display something.
ChrisRLG
Administrator Emeritus
 
Posts: 17759
Joined: December 16th, 2004, 10:04 am
Location: Southend, Essex, UK

Unread postby Perkypen » April 2nd, 2005, 10:05 am

Chris,

I reset the home page and seems to work!! Sorry for not doing that sooner! Hopefully, this experience of being a victim will make me a better teacher!

Penny
Perkypen
Regular Member
 
Posts: 180
Joined: February 9th, 2005, 12:07 pm
Location: Catawba, NC

Unread postby ChrisRLG » April 2nd, 2005, 2:29 pm

post back with a last HJT log, just to be sure.
ChrisRLG
Administrator Emeritus
 
Posts: 17759
Joined: December 16th, 2004, 10:04 am
Location: Southend, Essex, UK

New log

Unread postby Perkypen » April 2nd, 2005, 11:11 pm

Chris,

Here is the new log.

Thanks for your help!!

Logfile of HijackThis v1.99.1
Scan saved at 10:23:19 PM, on 4/2/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\ISP50\BIN\BARTSHEL.EXE
C:\PROGRAM FILES\BROADJUMP\CLIENT FOUNDATION\CFD.EXE
C:\PROGRAM FILES\2WIRE HOMEPORTAL MONITOR\2PORTALMON.EXE
C:\PROGRAM FILES\SUPPORT.COM\BIN\TGCMD.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\PROGRAM FILES\BROWSER MOUSE\MOUSE32A.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\WINDOWS\SYSTEM\PELMICED.EXE
C:\PROGRAM FILES\SPYBOT - SEARCH & DESTROY\TEATIMER.EXE
C:\PROGRAM FILES\BELLSOUTH\CONNECTION MANAGER\CMANAGER.EXE
C:\PROGRAM FILES\INTERMUTE\SPYSUBTRACT\SPYSUB.EXE
C:\PROGRAM FILES\ISP50\BIN\PPSHARED.EXE
C:\PROGRAM FILES\BROADJUMP\CORRECTCONNECT ENGINE\CCD.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\HJT\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN1\YCOMP5_5_5_0.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O2 - BHO: (no name) - {AA83BE7A-CEC1-40C1-85B4-B9BE0AE75300} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN1\YCOMP5_5_5_0.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Bart Station] C:\Program Files\ISP50\hta\station.sbrt
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [2wSysTray] C:\PROGRAM FILES\2WIRE HOMEPORTAL MONITOR\2PORTALMON.EXE
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe" /server /nosystray
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [FLMOFFICE4DMOUSE] C:\Program Files\Browser MOUSE\mouse32a.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] PELMICED.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\RunServices: [CAISafe] C:\Program Files\CA\eTrust EZ Armor\ISafe.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: Connection Manager.lnk = C:\Program Files\BellSouth\Connection Manager\CManager.exe
O4 - Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Startup: SpySubtract.lnk = C:\Program Files\interMute\SpySubtract\SpySub.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES0411.DLL
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES0411.DLL
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O12 - Plugin for .pdf: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.c ... 040510.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.c ... pi_416.dll
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004 ... scan53.cab
O16 - DPF: {10003000-1000-0000-1000-000000000000} -
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} -
Perkypen
Regular Member
 
Posts: 180
Joined: February 9th, 2005, 12:07 pm
Location: Catawba, NC