I'm Infected Too! <ab>


Recommended Posts

Hello:

Like pretty much everyone here, I've been infected and can't seem to get uninfected. I'm so mad at myself - should have been more careful. My HJT log is posted below - any help you could give me would be greatly appreciated.

Many thanks!

Aprguy

Logfile of HijackThis v1.99.1

Scan saved at 6:23:41 PM, on 5/12/05

Platform: Windows 98 SE (Win9x 4.10.2222A)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:

C:\WINDOWS\SYSTEM\KERNEL32.DLL

C:\WINDOWS\SYSTEM\MSGSRV32.EXE

C:\WINDOWS\SYSTEM\MPREXE.EXE

C:\WINDOWS\SYSTEM\ATI2EVAE.EXE

C:\WINDOWS\SYSTEM\MSTASK.EXE

C:\WINDOWS\SYSTEM\JAVABN32.EXE

C:\WINDOWS\SYSTEM\APINA.EXE

C:\WINDOWS\NETKR32.EXE

C:\WINDOWS\ATLDF.EXE

C:\WINDOWS\SDKLK.EXE

C:\WINDOWS\SYSTEM\NETNC32.EXE

C:\WINDOWS\IPNN.EXE

C:\WINDOWS\SYSTEM\APIIW32.EXE

C:\WINDOWS\IPDD32.EXE

C:\WINDOWS\MSDA.EXE

C:\WINDOWS\SYSTEM\SDKPW.EXE

C:\WINDOWS\IPZF32.EXE

C:\WINDOWS\JAVARD.EXE

C:\WINDOWS\NTNR.EXE

C:\WINDOWS\NTQA32.EXE

C:\WINDOWS\SYSTEM\NETMV.EXE

C:\WINDOWS\SYSTEM\MFCKO32.EXE

C:\WINDOWS\SYSTEM\ADDSB32.EXE

C:\WINDOWS\D3TF32.EXE

C:\WINDOWS\SYSTEM\MSSH.EXE

C:\WINDOWS\SYSTEM\NTZY32.EXE

C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE

C:\WINDOWS\SYSTEM\APPBH32.EXE

C:\WINDOWS\MSOC32.EXE

C:\WINDOWS\NTPU32.EXE

C:\WINDOWS\IEGJ32.EXE

C:\WINDOWS\SYSPG32.EXE

C:\WINDOWS\SYSTEM\SYSMP.EXE

C:\WINDOWS\SYSTEM\MSCT.EXE

C:\WINDOWS\APPNP32.EXE

C:\WINDOWS\APPPU.EXE

C:\WINDOWS\SYSTEM\ADDMR32.EXE

C:\WINDOWS\SYSTEM\WINRM.EXE

C:\WINDOWS\IERL.EXE

C:\WINDOWS\SYSTEM\ADDCL32.EXE

C:\WINDOWS\SYSTEM\MSHV.EXE

C:\WINDOWS\SYSTEM\WINSU.EXE

C:\WINDOWS\JAVAUJ.EXE

C:\WINDOWS\SYSTEM\mmtask.tsk

C:\WINDOWS\NTFJ.EXE

C:\WINDOWS\NETMT32.EXE

C:\WINDOWS\MSQY32.EXE

C:\WINDOWS\APIRI32.EXE

C:\WINDOWS\SYSTEM\NTEF.EXE

C:\WINDOWS\SYSTEM\SYSSO.EXE

C:\WINDOWS\SYSTEM\NTRW.EXE

C:\WINDOWS\EXPLORER.EXE

C:\Tools_95\Register\REMIND.EXE

C:\WINDOWS\SYSTEM\SYSTRAY.EXE

C:\WINDOWS\SYSTEM\ATIPTAXX.EXE

C:\WINDOWS\SYSTEM\ATI2CWXX.EXE

C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE

C:\WINDOWS\SYSTEM\QTTASK.EXE

C:\WINDOWS\SYSTEM\STIMON.EXE

C:\WINDOWS\LOADQM.EXE

C:\WINDOWS\WINMJ32.EXE

C:\TOOLS_95\IMGICON.EXE

C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\OSA.EXE

C:\PROGRAM FILES\NORTON ANTIVIRUS\NSCHED32.EXE

C:\COREL\OFFICE7\SHARED\PFIT7\PFPPOP70.EXE

C:\WINDOWS\SYSTEM\WMIEXE.EXE

C:\PROGRAM FILES\HEWLETT-PACKARD\DIGITAL IMAGING\BIN\HPOTDD01.EXE

C:\WINDOWS\JAVARD.EXE

C:\WINDOWS\JAVARD.EXE

C:\WINDOWS\SYSTEM\JAVABN32.EXE

C:\PROGRAM FILES\HEWLETT-PACKARD\DIGITAL IMAGING\BIN\HPOHMR08.EXE

C:\PROGRAM FILES\PALMONE\HOTSYNC.EXE

C:\WINDOWS\SYSTEM\SPOOL32.EXE

C:\WINDOWS\SYSTEM\MSSY32.EXE

C:\PROGRAM FILES\HEWLETT-PACKARD\DIGITAL IMAGING\BIN\HPOEVM08.EXE

C:\WINDOWS\SYSTEM\HPZIPM12.EXE

C:\PROGRAM FILES\HEWLETT-PACKARD\DIGITAL IMAGING\BIN\HPOSTS08.EXE

C:\WINDOWS\SYSTEM\DDHELP.EXE

C:\WINDOWS\SYSTEM\NETNC32.EXE

C:\WINDOWS\SDKHK.EXE

C:\WINDOWS\SYSTEM\PSTORES.EXE

C:\WINDOWS\SYSTEM\WINSU.EXE

C:\WINDOWS\SYSTEM\NTCN.EXE

C:\WINDOWS\SYSTEM\NTCN.EXE

C:\WINDOWS\IPYC.EXE

C:\WINDOWS\IPYC.EXE

C:\WINDOWS\SYSTEM\ADDSB32.EXE

C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE

C:\WINDOWS\SYSTEM\WINSU.EXE

C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE

C:\WINDOWS\IPDD32.EXE

C:\WINDOWS\IPDD32.EXE

C:\UNZIPPED\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\asjwc.dll/sp.html#12345

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\asjwc.dll/sp.html#12345

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\asjwc.dll/sp.html#12345

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\asjwc.dll/sp.html#12345

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\asjwc.dll/sp.html#12345

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\asjwc.dll/sp.html#12345

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\asjwc.dll/sp.html#12345

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1

R3 - Default URLSearchHook is missing

F1 - win.ini: load=C:\TOOLS_95\REGISTER\remind.exe

F1 - win.ini: run=Qtstub.exe

O2 - BHO: Class - {9760FCA3-CBB6-E7B6-B1C7-5E57E71F2369} - C:\WINDOWS\SYSTEM\CRHH32.DLL

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX

O4 - HKLM\..\Run: [systemTray] SysTray.Exe

O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme

O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe

O4 - HKLM\..\Run: [Ati2cwxx] Ati2cwxx.exe

O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET

O4 - HKLM\..\Run: [cAg0u] C:\WINDOWS\SYSTEM\82F4C060.hta

O4 - HKLM\..\Run: [QuickFinder Scheduler] C:\COREL\OFFICE7\SHARED\QFINDER7\QFSCHED.EXE

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime

O4 - HKLM\..\Run: [stillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE

O4 - HKLM\..\Run: [LoadQM] loadqm.exe

O4 - HKLM\..\Run: [iEXPLORE.EXE] C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE

O4 - HKLM\..\Run: [WINMJ32.EXE] C:\WINDOWS\WINMJ32.EXE

O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme

O4 - HKLM\..\RunServices: [ATIPOLAB] ati2evae.exe

O4 - HKLM\..\RunServices: [schedulingAgent] mstask.exe

O4 - HKLM\..\RunServices: [JAVABN32.EXE] C:\WINDOWS\SYSTEM\JAVABN32.EXE /s

O4 - HKLM\..\RunServices: [APINA.EXE] C:\WINDOWS\SYSTEM\APINA.EXE /s

O4 - HKLM\..\RunServices: [NETKR32.EXE] C:\WINDOWS\NETKR32.EXE /s

O4 - HKLM\..\RunServices: [ATLDF.EXE] C:\WINDOWS\ATLDF.EXE /s

O4 - HKLM\..\RunServices: [sDKLK.EXE] C:\WINDOWS\SDKLK.EXE /s

O4 - HKLM\..\RunServices: [NETNC32.EXE] C:\WINDOWS\SYSTEM\NETNC32.EXE /s

O4 - HKLM\..\RunServices: [iPNN.EXE] C:\WINDOWS\IPNN.EXE /s

O4 - HKLM\..\RunServices: [APIIW32.EXE] C:\WINDOWS\SYSTEM\APIIW32.EXE /s

O4 - HKLM\..\RunServices: [iPDD32.EXE] C:\WINDOWS\IPDD32.EXE /s

O4 - HKLM\..\RunServices: [MSDA.EXE] C:\WINDOWS\MSDA.EXE /s

O4 - HKLM\..\RunServices: [sDKPW.EXE] C:\WINDOWS\SYSTEM\SDKPW.EXE /s

O4 - HKLM\..\RunServices: [iPZF32.EXE] C:\WINDOWS\IPZF32.EXE /s

O4 - HKLM\..\RunServices: [JAVARD.EXE] C:\WINDOWS\JAVARD.EXE /s

O4 - HKLM\..\RunServices: [NTNR.EXE] C:\WINDOWS\NTNR.EXE /s

O4 - HKLM\..\RunServices: [NTQA32.EXE] C:\WINDOWS\NTQA32.EXE /s

O4 - HKLM\..\RunServices: [NETMV.EXE] C:\WINDOWS\SYSTEM\NETMV.EXE /s

O4 - HKLM\..\RunServices: [MFCKO32.EXE] C:\WINDOWS\SYSTEM\MFCKO32.EXE /s

O4 - HKLM\..\RunServices: [ADDSB32.EXE] C:\WINDOWS\SYSTEM\ADDSB32.EXE /s

O4 - HKLM\..\RunServices: [D3TF32.EXE] C:\WINDOWS\D3TF32.EXE /s

O4 - HKLM\..\RunServices: [MSSH.EXE] C:\WINDOWS\SYSTEM\MSSH.EXE /s

O4 - HKLM\..\RunServices: [NTZY32.EXE] C:\WINDOWS\SYSTEM\NTZY32.EXE /s

O4 - HKLM\..\RunServices: [APPBH32.EXE] C:\WINDOWS\SYSTEM\APPBH32.EXE /s

O4 - HKLM\..\RunServices: [MSOC32.EXE] C:\WINDOWS\MSOC32.EXE /s

O4 - HKLM\..\RunServices: [NTPU32.EXE] C:\WINDOWS\NTPU32.EXE /s

O4 - HKLM\..\RunServices: [iEGJ32.EXE] C:\WINDOWS\IEGJ32.EXE /s

O4 - HKLM\..\RunServices: [sYSPG32.EXE] C:\WINDOWS\SYSPG32.EXE /s

O4 - HKLM\..\RunServices: [sYSMP.EXE] C:\WINDOWS\SYSTEM\SYSMP.EXE /s

O4 - HKLM\..\RunServices: [MSCT.EXE] C:\WINDOWS\SYSTEM\MSCT.EXE /s

O4 - HKLM\..\RunServices: [APPNP32.EXE] C:\WINDOWS\APPNP32.EXE /s

O4 - HKLM\..\RunServices: [APPPU.EXE] C:\WINDOWS\APPPU.EXE /s

O4 - HKLM\..\RunServices: [ADDMR32.EXE] C:\WINDOWS\SYSTEM\ADDMR32.EXE /s

O4 - HKLM\..\RunServices: [WINRM.EXE] C:\WINDOWS\SYSTEM\WINRM.EXE /s

O4 - HKLM\..\RunServices: [iERL.EXE] C:\WINDOWS\IERL.EXE /s

O4 - HKLM\..\RunServices: [ADDCL32.EXE] C:\WINDOWS\SYSTEM\ADDCL32.EXE /s

O4 - HKLM\..\RunServices: [MSHV.EXE] C:\WINDOWS\SYSTEM\MSHV.EXE /s

O4 - HKLM\..\RunServices: [WINSU.EXE] C:\WINDOWS\SYSTEM\WINSU.EXE /s

O4 - HKLM\..\RunServices: [JAVAUJ.EXE] C:\WINDOWS\JAVAUJ.EXE /s

O4 - HKLM\..\RunServices: [ATLUK32.EXE] C:\WINDOWS\ATLUK32.EXE /s

O4 - HKLM\..\RunServices: [NTFJ.EXE] C:\WINDOWS\NTFJ.EXE /s

O4 - HKLM\..\RunServices: [NETMT32.EXE] C:\WINDOWS\NETMT32.EXE /s

O4 - HKLM\..\RunServices: [MSQY32.EXE] C:\WINDOWS\MSQY32.EXE /s

O4 - HKLM\..\RunServices: [APIRI32.EXE] C:\WINDOWS\APIRI32.EXE /s

O4 - HKLM\..\RunServices: [NTEF.EXE] C:\WINDOWS\SYSTEM\NTEF.EXE /s

O4 - HKLM\..\RunServices: [sYSSO.EXE] C:\WINDOWS\SYSTEM\SYSSO.EXE /s

O4 - HKLM\..\RunServices: [NTRW.EXE] C:\WINDOWS\SYSTEM\NTRW.EXE /s

O4 - HKLM\..\RunServices: [MSSY32.EXE] C:\WINDOWS\SYSTEM\MSSY32.EXE /s

O4 - HKLM\..\RunServices: [sDKHK.EXE] C:\WINDOWS\SDKHK.EXE /s

O4 - HKLM\..\RunServices: [NTCN.EXE] C:\WINDOWS\SYSTEM\NTCN.EXE /s

O4 - HKLM\..\RunServices: [iPYC.EXE] C:\WINDOWS\IPYC.EXE /s

O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet

O4 - HKCU\..\Run: [RHSI SHS] "C:\Program Files\Rogers\SelfHealing\SHS.exe" /background

O4 - HKCU\..\Run: [update Manager] "C:\Program Files\Rogers\Update Manager\UpdateManager.exe" /background

O4 - HKCU\..\RunServices: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet

O4 - HKCU\..\RunServices: [RHSI SHS] "C:\Program Files\Rogers\SelfHealing\SHS.exe" /background

O4 - HKCU\..\RunServices: [update Manager] "C:\Program Files\Rogers\Update Manager\UpdateManager.exe" /background

O4 - Startup: Iomega Watch.lnk = C:\Tools_95\IOWATCH.EXE

O4 - Startup: Iomega Startup Options.lnk = C:\Tools_95\IMGSTART.EXE

O4 - Startup: Iomega Disk Icons.lnk = C:\Tools_95\imgicon.exe

O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE

O4 - Startup: Norton Program Scheduler.lnk = C:\Program Files\Norton AntiVirus\NSCHED32.EXE

O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE

O4 - Startup: PerfectPrint.LNK = C:\Corel\Office7\Shared\PFit7\PFPPOP70.EXE

O4 - Startup: hpoddt01.exe.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe

O4 - Startup: hp instant support.lnk = C:\Program Files\Hewlett-Packard\hpis\bin\matcli.exe

O4 - Startup: hp psc 1000 series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe

O4 - Startup: HotSync Manager.lnk = C:\Program Files\palmOne\HOTSYNC.EXE

O4 - Startup: SpySubtract.lnk = C:\Program Files\interMute\SpySubtract\SpySub.exe

O8 - Extra context menu item: Add to filterlist (WebWasher) - http://-Web.Washer-/ie_add

O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll

O13 - WWW. Prefix: http://

O14 - IERESET.INF: START_PAGE_URL=http://www.hispeed.rogers.com

O16 - DPF: {4248083C-9656-11D2-8B7F-00105A17847A} - http://downloads.hearme.com/HearMeAutoInstaller.exe

O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200210...meInstaller.exe

Link to post
Share on other sites

1.

Download about:buster by RubbeRDuckY Here.

Save the file somewhere you will remember like to the Desktop.

Please run about:buster by RubbeRDuckY:

  • Unzip the contents of AboutBuster.zip and an AboutBuster directory will be created.
  • Navigate to the AboutBuster directory and double-click on AboutBuster.exe.
  • Click "OK" at the prompt with instructions.
  • Click "Update" and then "Check For Update" to begin the update process.
  • If any updates exist please download them by clicking "Download Update" then click the X to close that window.
  • Boot into safemode again
  • Open About:buster again
  • Click Start and then OK to allow AboutBuster to scan for Alternate Data Streams.
  • Click Yes to allow it to shutdown explorer.exe.
  • It will begin to check your computer for malicious files. If it asks if you would like to do a second pass, allow it to do so.
  • When it has finished, click Save Log. Make sure you save it as I may need a copy of it later.

3. Reboot and Download and run http://cwshredder.net/bin/CWShredder.exe click fix.

4. Then post the about:buster log and a new Hijackthis log here in a reply.

Link to post
Share on other sites

First - Rock - thank you for the assist - my computer is getting more and more gummed up by the moment. I couldn't get the About Buster Log to open so I had to open it in QuickView and right it down - here's what I got.

Scan 1

About Buster Version 4.0

Reference List: 26

Ads not scanned system (FAT)

Removed! C:\Windows\xaxtjs.dat

Removed! C:\Windows\ramxuu.dat

Removed! C:\Windows\ipwffm.dat

Removed! C:\Windows\dinzm.dat

Removed! C:\Windows\System\gwiig.dat

Removed! C:\Windows\System\pybct.dat

Attempted Clean of Temp Folder

Removed! Uninstall Key (HSA)

Removed! Uninstal Key (SE)

Removed! Uninstall Key (SW)

Pages Reset...Done!

Scan 2

Removed! C:\Windows\lguosi.dat

This is the Hijack This Log - had to open it with Winword and copy it from there.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\xzhki.dll/sp.html#12345

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\xzhki.dll/sp.html#12345

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\xzhki.dll/sp.html#12345

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\xzhki.dll/sp.html#12345

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\xzhki.dll/sp.html#12345

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\xzhki.dll/sp.html#12345

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\xzhki.dll/sp.html#12345

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1

R3 - Default URLSearchHook is missing

F1 - win.ini: load=C:\TOOLS_95\REGISTER\remind.exe

F1 - win.ini: run=Qtstub.exe

O2 - BHO: Class - {24F7A19B-E91E-3E36-E139-91C802FC2B0F} - C:\WINDOWS\APIZN32.DLL

O2 - BHO: Class - {ADE15B25-99D9-47AB-3E33-9B2A8D282369} - C:\WINDOWS\SYSTEM\MFCPP32.DLL

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX

O4 - HKLM\..\Run: [systemTray] SysTray.Exe

O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme

O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe

O4 - HKLM\..\Run: [Ati2cwxx] Ati2cwxx.exe

O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET

O4 - HKLM\..\Run: [cAg0u] C:\WINDOWS\SYSTEM\82F4C060.hta

O4 - HKLM\..\Run: [QuickFinder Scheduler] C:\COREL\OFFICE7\SHARED\QFINDER7\QFSCHED.EXE

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime

O4 - HKLM\..\Run: [stillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE

O4 - HKLM\..\Run: [LoadQM] loadqm.exe

O4 - HKLM\..\Run: [iEXPLORE.EXE] C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE

O4 - HKLM\..\Run: [WINMJ32.EXE] C:\WINDOWS\WINMJ32.EXE

O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme

O4 - HKLM\..\RunServices: [ATIPOLAB] ati2evae.exe

O4 - HKLM\..\RunServices: [schedulingAgent] mstask.exe

O4 - HKLM\..\RunServices: [JAVABN32.EXE] C:\WINDOWS\SYSTEM\JAVABN32.EXE /s

O4 - HKLM\..\RunServices: [APINA.EXE] C:\WINDOWS\SYSTEM\APINA.EXE /s

O4 - HKLM\..\RunServices: [NETKR32.EXE] C:\WINDOWS\NETKR32.EXE /s

O4 - HKLM\..\RunServices: [ATLDF.EXE] C:\WINDOWS\ATLDF.EXE /s

O4 - HKLM\..\RunServices: [sDKLK.EXE] C:\WINDOWS\SDKLK.EXE /s

O4 - HKLM\..\RunServices: [NETNC32.EXE] C:\WINDOWS\SYSTEM\NETNC32.EXE /s

O4 - HKLM\..\RunServices: [iPNN.EXE] C:\WINDOWS\IPNN.EXE /s

O4 - HKLM\..\RunServices: [APIIW32.EXE] C:\WINDOWS\SYSTEM\APIIW32.EXE /s

O4 - HKLM\..\RunServices: [iPDD32.EXE] C:\WINDOWS\IPDD32.EXE /s

O4 - HKLM\..\RunServices: [MSDA.EXE] C:\WINDOWS\MSDA.EXE /s

O4 - HKLM\..\RunServices: [sDKPW.EXE] C:\WINDOWS\SYSTEM\SDKPW.EXE /s

O4 - HKLM\..\RunServices: [iPZF32.EXE] C:\WINDOWS\IPZF32.EXE /s

O4 - HKLM\..\RunServices: [JAVARD.EXE] C:\WINDOWS\JAVARD.EXE /s

O4 - HKLM\..\RunServices: [NTNR.EXE] C:\WINDOWS\NTNR.EXE /s

O4 - HKLM\..\RunServices: [NTQA32.EXE] C:\WINDOWS\NTQA32.EXE /s

O4 - HKLM\..\RunServices: [NETMV.EXE] C:\WINDOWS\SYSTEM\NETMV.EXE /s

O4 - HKLM\..\RunServices: [MFCKO32.EXE] C:\WINDOWS\SYSTEM\MFCKO32.EXE /s

O4 - HKLM\..\RunServices: [ADDSB32.EXE] C:\WINDOWS\SYSTEM\ADDSB32.EXE /s

O4 - HKLM\..\RunServices: [D3TF32.EXE] C:\WINDOWS\D3TF32.EXE /s

O4 - HKLM\..\RunServices: [MSSH.EXE] C:\WINDOWS\SYSTEM\MSSH.EXE /s

O4 - HKLM\..\RunServices: [NTZY32.EXE] C:\WINDOWS\SYSTEM\NTZY32.EXE /s

O4 - HKLM\..\RunServices: [APPBH32.EXE] C:\WINDOWS\SYSTEM\APPBH32.EXE /s

O4 - HKLM\..\RunServices: [MSOC32.EXE] C:\WINDOWS\MSOC32.EXE /s

O4 - HKLM\..\RunServices: [NTPU32.EXE] C:\WINDOWS\NTPU32.EXE /s

O4 - HKLM\..\RunServices: [iEGJ32.EXE] C:\WINDOWS\IEGJ32.EXE /s

O4 - HKLM\..\RunServices: [sYSPG32.EXE] C:\WINDOWS\SYSPG32.EXE /s

O4 - HKLM\..\RunServices: [sYSMP.EXE] C:\WINDOWS\SYSTEM\SYSMP.EXE /s

O4 - HKLM\..\RunServices: [MSCT.EXE] C:\WINDOWS\SYSTEM\MSCT.EXE /s

O4 - HKLM\..\RunServices: [APPNP32.EXE] C:\WINDOWS\APPNP32.EXE /s

O4 - HKLM\..\RunServices: [APPPU.EXE] C:\WINDOWS\APPPU.EXE /s

O4 - HKLM\..\RunServices: [ADDMR32.EXE] C:\WINDOWS\SYSTEM\ADDMR32.EXE /s

O4 - HKLM\..\RunServices: [WINRM.EXE] C:\WINDOWS\SYSTEM\WINRM.EXE /s

O4 - HKLM\..\RunServices: [iERL.EXE] C:\WINDOWS\IERL.EXE /s

O4 - HKLM\..\RunServices: [ADDCL32.EXE] C:\WINDOWS\SYSTEM\ADDCL32.EXE /s

O4 - HKLM\..\RunServices: [MSHV.EXE] C:\WINDOWS\SYSTEM\MSHV.EXE /s

O4 - HKLM\..\RunServices: [WINSU.EXE] C:\WINDOWS\SYSTEM\WINSU.EXE /s

O4 - HKLM\..\RunServices: [JAVAUJ.EXE] C:\WINDOWS\JAVAUJ.EXE /s

O4 - HKLM\..\RunServices: [ATLUK32.EXE] C:\WINDOWS\ATLUK32.EXE /s

O4 - HKLM\..\RunServices: [NTFJ.EXE] C:\WINDOWS\NTFJ.EXE /s

O4 - HKLM\..\RunServices: [NETMT32.EXE] C:\WINDOWS\NETMT32.EXE /s

O4 - HKLM\..\RunServices: [MSQY32.EXE] C:\WINDOWS\MSQY32.EXE /s

O4 - HKLM\..\RunServices: [APIRI32.EXE] C:\WINDOWS\APIRI32.EXE /s

O4 - HKLM\..\RunServices: [NTEF.EXE] C:\WINDOWS\SYSTEM\NTEF.EXE /s

O4 - HKLM\..\RunServices: [sYSSO.EXE] C:\WINDOWS\SYSTEM\SYSSO.EXE /s

O4 - HKLM\..\RunServices: [NTRW.EXE] C:\WINDOWS\SYSTEM\NTRW.EXE /s

O4 - HKLM\..\RunServices: [MSSY32.EXE] C:\WINDOWS\SYSTEM\MSSY32.EXE /s

O4 - HKLM\..\RunServices: [sDKHK.EXE] C:\WINDOWS\SDKHK.EXE /s

O4 - HKLM\..\RunServices: [NTCN.EXE] C:\WINDOWS\SYSTEM\NTCN.EXE /s

O4 - HKLM\..\RunServices: [iPYC.EXE] C:\WINDOWS\IPYC.EXE /s

O4 - HKLM\..\RunServices: [iPAX.EXE] C:\WINDOWS\IPAX.EXE /s

O4 - HKLM\..\RunServices: [iELM32.EXE] C:\WINDOWS\IELM32.EXE /s

O4 - HKLM\..\RunServices: [APPDV32.EXE] C:\WINDOWS\SYSTEM\APPDV32.EXE /s

O4 - HKLM\..\RunServices: [NTIF.EXE] C:\WINDOWS\NTIF.EXE /s

O4 - HKLM\..\RunServices: [ADDMQ32.EXE] C:\WINDOWS\SYSTEM\ADDMQ32.EXE /s

O4 - HKLM\..\RunServices: [iPXX.EXE] C:\WINDOWS\IPXX.EXE /s

O4 - HKLM\..\RunServices: [NETMZ32.EXE] C:\WINDOWS\SYSTEM\NETMZ32.EXE /s

O4 - HKLM\..\RunServices: [ATLAF32.EXE] C:\WINDOWS\SYSTEM\ATLAF32.EXE /s

O4 - HKLM\..\RunServices: [CRWA32.EXE] C:\WINDOWS\CRWA32.EXE /s

O4 - HKLM\..\RunServices: [CRCG.EXE] C:\WINDOWS\CRCG.EXE /s

O4 - HKLM\..\RunServices: [sDKBX.EXE] C:\WINDOWS\SDKBX.EXE /s

O4 - HKLM\..\RunServices: [D3QQ32.EXE] C:\WINDOWS\SYSTEM\D3QQ32.EXE /s

O4 - HKLM\..\RunServices: [WINGQ32.EXE] C:\WINDOWS\SYSTEM\WINGQ32.EXE /s

O4 - HKLM\..\RunServices: [NETXC32.EXE] C:\WINDOWS\NETXC32.EXE /s

O4 - HKLM\..\RunServices: [MSXQ32.EXE] C:\WINDOWS\MSXQ32.EXE /s

O4 - HKLM\..\RunServices: [iPBN32.EXE] C:\WINDOWS\IPBN32.EXE /s

O4 - HKLM\..\RunServices: [sDKKI32.EXE] C:\WINDOWS\SDKKI32.EXE /s

O4 - HKLM\..\RunServices: [JAVAHV.EXE] C:\WINDOWS\JAVAHV.EXE /s

O4 - HKLM\..\RunServices: [MSQE.EXE] C:\WINDOWS\MSQE.EXE /s

O4 - HKLM\..\RunServices: [ATLFM.EXE] C:\WINDOWS\SYSTEM\ATLFM.EXE /s

O4 - HKLM\..\RunServices: [iEBL.EXE] C:\WINDOWS\IEBL.EXE /s

O4 - HKLM\..\RunServices: [sDKGJ.EXE] C:\WINDOWS\SDKGJ.EXE /s

O4 - HKLM\..\RunServices: [iEQI32.EXE] C:\WINDOWS\SYSTEM\IEQI32.EXE /s

O4 - HKLM\..\RunServices: [iPXO.EXE] C:\WINDOWS\SYSTEM\IPXO.EXE /s

O4 - HKLM\..\RunServices: [CRYE.EXE] C:\WINDOWS\CRYE.EXE /s

O4 - HKLM\..\RunServices: [sYSLZ32.EXE] C:\WINDOWS\SYSLZ32.EXE /s

O4 - HKLM\..\RunServices: [JAVAJT.EXE] C:\WINDOWS\JAVAJT.EXE /s

O4 - HKLM\..\RunServices: [MSXO32.EXE] C:\WINDOWS\MSXO32.EXE /s

O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet

O4 - HKCU\..\Run: [RHSI SHS] "C:\Program Files\Rogers\SelfHealing\SHS.exe" /background

O4 - HKCU\..\Run: [update Manager] "C:\Program Files\Rogers\Update Manager\UpdateManager.exe" /background

O4 - Startup: Iomega Watch.lnk = C:\Tools_95\IOWATCH.EXE

O4 - Startup: Iomega Startup Options.lnk = C:\Tools_95\IMGSTART.EXE

O4 - Startup: Iomega Disk Icons.lnk = C:\Tools_95\imgicon.exe

O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE

O4 - Startup: Norton Program Scheduler.lnk = C:\Program Files\Norton AntiVirus\NSCHED32.EXE

O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE

O4 - Startup: PerfectPrint.LNK = C:\Corel\Office7\Shared\PFit7\PFPPOP70.EXE

O4 - Startup: hpoddt01.exe.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe

O4 - Startup: hp instant support.lnk = C:\Program Files\Hewlett-Packard\hpis\bin\matcli.exe

O4 - Startup: hp psc 1000 series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe

O4 - Startup: HotSync Manager.lnk = C:\Program Files\palmOne\HOTSYNC.EXE

O4 - Startup: SpySubtract.lnk = C:\Program Files\interMute\SpySubtract\SpySub.exe

O8 - Extra context menu item: Add to filterlist (WebWasher) - http://-Web.Washer-/ie_add

O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll

O13 - WWW. Prefix: http://

O14 - IERESET.INF: START_PAGE_URL=http://www.hispeed.rogers.com

O16 - DPF: {4248083C-9656-11D2-8B7F-00105A17847A} - http://downloads.hearme.com/HearMeAutoInstaller.exe

O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200210...meInstaller.exe

Hope this is usable for you.

Again - many many thanks for the assist.

Aprguy

Link to post
Share on other sites

1. Make sure your PC is set to show all hidden files and folders go here for instructions on how to do this. http://www.xtra.co.nz/help/0,,4155-1916458,00.html

2. Boot into safemode to do this keep tapping F8 on your keyboard while your PC is starting up you will get a menu select safemode.

3. While in safemode open Hijackthis and click scan. Then tick and fix the following in Hijackthis with all windows closed except Hijackthis.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\xzhki.dll/sp.html#12345

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\xzhki.dll/sp.html#12345

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\xzhki.dll/sp.html#12345

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\xzhki.dll/sp.html#12345

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\xzhki.dll/sp.html#12345

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\xzhki.dll/sp.html#12345

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\xzhki.dll/sp.html#12345

R3 - Default URLSearchHook is missing

O2 - BHO: Class - {24F7A19B-E91E-3E36-E139-91C802FC2B0F} - C:\WINDOWS\APIZN32.DLL

O2 - BHO: Class - {ADE15B25-99D9-47AB-3E33-9B2A8D282369} - C:\WINDOWS\SYSTEM\MFCPP32.DLL

O4 - HKLM\..\Run: [cAg0u] C:\WINDOWS\SYSTEM\82F4C060.hta

O4 - HKLM\..\Run: [WINMJ32.EXE] C:\WINDOWS\WINMJ32.EXE

O4 - HKLM\..\RunServices: [JAVABN32.EXE] C:\WINDOWS\SYSTEM\JAVABN32.EXE /s

O4 - HKLM\..\RunServices: [APINA.EXE] C:\WINDOWS\SYSTEM\APINA.EXE /s

O4 - HKLM\..\RunServices: [NETKR32.EXE] C:\WINDOWS\NETKR32.EXE /s

O4 - HKLM\..\RunServices: [ATLDF.EXE] C:\WINDOWS\ATLDF.EXE /s

O4 - HKLM\..\RunServices: [sDKLK.EXE] C:\WINDOWS\SDKLK.EXE /s

O4 - HKLM\..\RunServices: [NETNC32.EXE] C:\WINDOWS\SYSTEM\NETNC32.EXE /s

O4 - HKLM\..\RunServices: [iPNN.EXE] C:\WINDOWS\IPNN.EXE /s

O4 - HKLM\..\RunServices: [APIIW32.EXE] C:\WINDOWS\SYSTEM\APIIW32.EXE /s

O4 - HKLM\..\RunServices: [iPDD32.EXE] C:\WINDOWS\IPDD32.EXE /s

O4 - HKLM\..\RunServices: [MSDA.EXE] C:\WINDOWS\MSDA.EXE /s

O4 - HKLM\..\RunServices: [sDKPW.EXE] C:\WINDOWS\SYSTEM\SDKPW.EXE /s

O4 - HKLM\..\RunServices: [iPZF32.EXE] C:\WINDOWS\IPZF32.EXE /s

O4 - HKLM\..\RunServices: [JAVARD.EXE] C:\WINDOWS\JAVARD.EXE /s

O4 - HKLM\..\RunServices: [NTNR.EXE] C:\WINDOWS\NTNR.EXE /s

O4 - HKLM\..\RunServices: [NTQA32.EXE] C:\WINDOWS\NTQA32.EXE /s

O4 - HKLM\..\RunServices: [NETMV.EXE] C:\WINDOWS\SYSTEM\NETMV.EXE /s

O4 - HKLM\..\RunServices: [MFCKO32.EXE] C:\WINDOWS\SYSTEM\MFCKO32.EXE /s

O4 - HKLM\..\RunServices: [ADDSB32.EXE] C:\WINDOWS\SYSTEM\ADDSB32.EXE /s

O4 - HKLM\..\RunServices: [D3TF32.EXE] C:\WINDOWS\D3TF32.EXE /s

O4 - HKLM\..\RunServices: [MSSH.EXE] C:\WINDOWS\SYSTEM\MSSH.EXE /s

O4 - HKLM\..\RunServices: [NTZY32.EXE] C:\WINDOWS\SYSTEM\NTZY32.EXE /s

O4 - HKLM\..\RunServices: [APPBH32.EXE] C:\WINDOWS\SYSTEM\APPBH32.EXE /s

O4 - HKLM\..\RunServices: [MSOC32.EXE] C:\WINDOWS\MSOC32.EXE /s

O4 - HKLM\..\RunServices: [NTPU32.EXE] C:\WINDOWS\NTPU32.EXE /s

O4 - HKLM\..\RunServices: [iEGJ32.EXE] C:\WINDOWS\IEGJ32.EXE /s

O4 - HKLM\..\RunServices: [sYSPG32.EXE] C:\WINDOWS\SYSPG32.EXE /s

O4 - HKLM\..\RunServices: [sYSMP.EXE] C:\WINDOWS\SYSTEM\SYSMP.EXE /s

O4 - HKLM\..\RunServices: [MSCT.EXE] C:\WINDOWS\SYSTEM\MSCT.EXE /s

O4 - HKLM\..\RunServices: [APPNP32.EXE] C:\WINDOWS\APPNP32.EXE /s

O4 - HKLM\..\RunServices: [APPPU.EXE] C:\WINDOWS\APPPU.EXE /s

O4 - HKLM\..\RunServices: [ADDMR32.EXE] C:\WINDOWS\SYSTEM\ADDMR32.EXE /s

O4 - HKLM\..\RunServices: [WINRM.EXE] C:\WINDOWS\SYSTEM\WINRM.EXE /s

O4 - HKLM\..\RunServices: [iERL.EXE] C:\WINDOWS\IERL.EXE /s

O4 - HKLM\..\RunServices: [ADDCL32.EXE] C:\WINDOWS\SYSTEM\ADDCL32.EXE /s

O4 - HKLM\..\RunServices: [MSHV.EXE] C:\WINDOWS\SYSTEM\MSHV.EXE /s

O4 - HKLM\..\RunServices: [WINSU.EXE] C:\WINDOWS\SYSTEM\WINSU.EXE /s

O4 - HKLM\..\RunServices: [JAVAUJ.EXE] C:\WINDOWS\JAVAUJ.EXE /s

O4 - HKLM\..\RunServices: [ATLUK32.EXE] C:\WINDOWS\ATLUK32.EXE /s

O4 - HKLM\..\RunServices: [NTFJ.EXE] C:\WINDOWS\NTFJ.EXE /s

O4 - HKLM\..\RunServices: [NETMT32.EXE] C:\WINDOWS\NETMT32.EXE /s

O4 - HKLM\..\RunServices: [MSQY32.EXE] C:\WINDOWS\MSQY32.EXE /s

O4 - HKLM\..\RunServices: [APIRI32.EXE] C:\WINDOWS\APIRI32.EXE /s

O4 - HKLM\..\RunServices: [NTEF.EXE] C:\WINDOWS\SYSTEM\NTEF.EXE /s

O4 - HKLM\..\RunServices: [sYSSO.EXE] C:\WINDOWS\SYSTEM\SYSSO.EXE /s

O4 - HKLM\..\RunServices: [NTRW.EXE] C:\WINDOWS\SYSTEM\NTRW.EXE /s

O4 - HKLM\..\RunServices: [MSSY32.EXE] C:\WINDOWS\SYSTEM\MSSY32.EXE /s

O4 - HKLM\..\RunServices: [sDKHK.EXE] C:\WINDOWS\SDKHK.EXE /s

O4 - HKLM\..\RunServices: [NTCN.EXE] C:\WINDOWS\SYSTEM\NTCN.EXE /s

O4 - HKLM\..\RunServices: [iPYC.EXE] C:\WINDOWS\IPYC.EXE /s

O4 - HKLM\..\RunServices: [iPAX.EXE] C:\WINDOWS\IPAX.EXE /s

O4 - HKLM\..\RunServices: [iELM32.EXE] C:\WINDOWS\IELM32.EXE /s

O4 - HKLM\..\RunServices: [APPDV32.EXE] C:\WINDOWS\SYSTEM\APPDV32.EXE /s

O4 - HKLM\..\RunServices: [NTIF.EXE] C:\WINDOWS\NTIF.EXE /s

O4 - HKLM\..\RunServices: [ADDMQ32.EXE] C:\WINDOWS\SYSTEM\ADDMQ32.EXE /s

O4 - HKLM\..\RunServices: [iPXX.EXE] C:\WINDOWS\IPXX.EXE /s

O4 - HKLM\..\RunServices: [NETMZ32.EXE] C:\WINDOWS\SYSTEM\NETMZ32.EXE /s

O4 - HKLM\..\RunServices: [ATLAF32.EXE] C:\WINDOWS\SYSTEM\ATLAF32.EXE /s

O4 - HKLM\..\RunServices: [CRWA32.EXE] C:\WINDOWS\CRWA32.EXE /s

O4 - HKLM\..\RunServices: [CRCG.EXE] C:\WINDOWS\CRCG.EXE /s

O4 - HKLM\..\RunServices: [sDKBX.EXE] C:\WINDOWS\SDKBX.EXE /s

O4 - HKLM\..\RunServices: [D3QQ32.EXE] C:\WINDOWS\SYSTEM\D3QQ32.EXE /s

O4 - HKLM\..\RunServices: [WINGQ32.EXE] C:\WINDOWS\SYSTEM\WINGQ32.EXE /s

O4 - HKLM\..\RunServices: [NETXC32.EXE] C:\WINDOWS\NETXC32.EXE /s

O4 - HKLM\..\RunServices: [MSXQ32.EXE] C:\WINDOWS\MSXQ32.EXE /s

O4 - HKLM\..\RunServices: [iPBN32.EXE] C:\WINDOWS\IPBN32.EXE /s

O4 - HKLM\..\RunServices: [sDKKI32.EXE] C:\WINDOWS\SDKKI32.EXE /s

O4 - HKLM\..\RunServices: [JAVAHV.EXE] C:\WINDOWS\JAVAHV.EXE /s

O4 - HKLM\..\RunServices: [MSQE.EXE] C:\WINDOWS\MSQE.EXE /s

O4 - HKLM\..\RunServices: [ATLFM.EXE] C:\WINDOWS\SYSTEM\ATLFM.EXE /s

O4 - HKLM\..\RunServices: [iEBL.EXE] C:\WINDOWS\IEBL.EXE /s

O4 - HKLM\..\RunServices: [sDKGJ.EXE] C:\WINDOWS\SDKGJ.EXE /s

O4 - HKLM\..\RunServices: [iEQI32.EXE] C:\WINDOWS\SYSTEM\IEQI32.EXE /s

O4 - HKLM\..\RunServices: [iPXO.EXE] C:\WINDOWS\SYSTEM\IPXO.EXE /s

O4 - HKLM\..\RunServices: [CRYE.EXE] C:\WINDOWS\CRYE.EXE /s

O4 - HKLM\..\RunServices: [sYSLZ32.EXE] C:\WINDOWS\SYSLZ32.EXE /s

O4 - HKLM\..\RunServices: [JAVAJT.EXE] C:\WINDOWS\JAVAJT.EXE /s

O4 - HKLM\..\RunServices: [MSXO32.EXE] C:\WINDOWS\MSXO32.EXE /s < there many be more like that fix them also

4. Delete the files.

C:\WINDOWS\xzhki.dll

C:\WINDOWS\APIZN32.DLL

C:\WINDOWS\SYSTEM\MFCPP32.DLL

C:\WINDOWS\SYSTEM\82F4C060.hta

C:\WINDOWS\WINMJ32.EXE

C:\WINDOWS\SYSTEM\JAVABN32.EXE

C:\WINDOWS\SYSTEM\APINA.EXE

C:\WINDOWS\NETKR32.EXE

C:\WINDOWS\ATLDF.EXE

C:\WINDOWS\SDKLK.EXE

C:\WINDOWS\SYSTEM\NETNC32.EXE

C:\WINDOWS\IPNN.EXE

C:\WINDOWS\SYSTEM\APIIW32.EXE

C:\WINDOWS\IPDD32.EXE

C:\WINDOWS\MSDA.EXE

C:\WINDOWS\SYSTEM\SDKPW.EXE

C:\WINDOWS\IPZF32.EXE

C:\WINDOWS\JAVARD.EXE

C:\WINDOWS\NTNR.EXE

C:\WINDOWS\NTQA32.EXE

C:\WINDOWS\SYSTEM\NETMV.EXE

C:\WINDOWS\SYSTEM\MFCKO32.EXE

C:\WINDOWS\SYSTEM\ADDSB32.EXE

C:\WINDOWS\D3TF32.EXE

C:\WINDOWS\SYSTEM\MSSH.EXE

C:\WINDOWS\SYSTEM\NTZY32.EXE

C:\WINDOWS\SYSTEM\APPBH32.EXE

C:\WINDOWS\MSOC32.EXE

C:\WINDOWS\NTPU32.EXE

C:\WINDOWS\IEGJ32.EXE

C:\WINDOWS\SYSPG32.EXE

C:\WINDOWS\SYSTEM\SYSMP.EXE

C:\WINDOWS\SYSTEM\MSCT.EXE

C:\WINDOWS\APPNP32.EXE

C:\WINDOWS\APPPU.EXE

C:\WINDOWS\SYSTEM\ADDMR32.EXE

C:\WINDOWS\SYSTEM\WINRM.EXE

C:\WINDOWS\IERL.EXE

C:\WINDOWS\SYSTEM\ADDCL32.EXE

C:\WINDOWS\SYSTEM\MSHV.EXE

C:\WINDOWS\SYSTEM\WINSU.EXE

C:\WINDOWS\JAVAUJ.EXE

C:\WINDOWS\ATLUK32.EXE

C:\WINDOWS\NTFJ.EXE

C:\WINDOWS\NETMT32.EXE

C:\WINDOWS\MSQY32.EXE

C:\WINDOWS\APIRI32.EXE

C:\WINDOWS\SYSTEM\NTEF.EXE

C:\WINDOWS\SYSTEM\SYSSO.EXE

C:\WINDOWS\SYSTEM\NTRW.EXE

C:\WINDOWS\SYSTEM\MSSY32.EXE

C:\WINDOWS\SDKHK.EXE

C:\WINDOWS\SYSTEM\NTCN.EXE

C:\WINDOWS\IPYC.EXE

C:\WINDOWS\IPAX.EXE

C:\WINDOWS\IELM32.EXE

C:\WINDOWS\SYSTEM\APPDV32.EXE

C:\WINDOWS\NTIF.EXE

C:\WINDOWS\SYSTEM\ADDMQ32.EXE

C:\WINDOWS\IPXX.EXE

C:\WINDOWS\SYSTEM\NETMZ32.EXE

C:\WINDOWS\SYSTEM\ATLAF32.EXE

C:\WINDOWS\CRWA32.EXE

C:\WINDOWS\CRCG.EXE

C:\WINDOWS\SDKBX.EXE

C:\WINDOWS\SYSTEM\D3QQ32.EXE

C:\WINDOWS\SYSTEM\WINGQ32.EXE

C:\WINDOWS\NETXC32.EXE

C:\WINDOWS\MSXQ32.EXE

C:\WINDOWS\IPBN32.EXE

C:\WINDOWS\SDKKI32.EXE

C:\WINDOWS\JAVAHV.EXE

C:\WINDOWS\MSQE.EXE

C:\WINDOWS\SYSTEM\ATLFM.EXE

C:\WINDOWS\IEBL.EXE

C:\WINDOWS\SDKGJ.EXE

C:\WINDOWS\SYSTEM\IEQI32.EXE

C:\WINDOWS\SYSTEM\IPXO.EXE

C:\WINDOWS\CRYE.EXE

C:\WINDOWS\SYSLZ32.EXE

C:\WINDOWS\JAVAJT.EXE

C:\WINDOWS\MSXO32.EXE

5. Reboot back into normal mode and post a new Hijackthis log here in a reply.

Link to post
Share on other sites

Rock - you are amazing.

While still not 100% I can at least function - thank you so much.

Here's the latest Hijack this log

v1.99.1

Scan saved at 12:37:01 AM, on 5/17/05

Platform: Windows 98 SE (Win9x 4.10.2222A)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:

C:\WINDOWS\SYSTEM\KERNEL32.DLL

C:\WINDOWS\SYSTEM\MSGSRV32.EXE

C:\WINDOWS\SYSTEM\MPREXE.EXE

C:\WINDOWS\SYSTEM\ATI2EVAE.EXE

C:\WINDOWS\SYSTEM\MSTASK.EXE

C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE

C:\WINDOWS\SYSTEM\mmtask.tsk

C:\WINDOWS\EXPLORER.EXE

C:\Tools_95\Register\REMIND.EXE

C:\WINDOWS\SYSTEM\SYSTRAY.EXE

C:\WINDOWS\SYSTEM\ATIPTAXX.EXE

C:\WINDOWS\SYSTEM\ATI2CWXX.EXE

C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE

C:\WINDOWS\SYSTEM\QTTASK.EXE

C:\WINDOWS\SYSTEM\STIMON.EXE

C:\WINDOWS\LOADQM.EXE

C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE

C:\TOOLS_95\IMGICON.EXE

C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\OSA.EXE

C:\PROGRAM FILES\NORTON ANTIVIRUS\NSCHED32.EXE

C:\COREL\OFFICE7\SHARED\PFIT7\PFPPOP70.EXE

C:\WINDOWS\SYSTEM\WMIEXE.EXE

C:\PROGRAM FILES\HEWLETT-PACKARD\DIGITAL IMAGING\BIN\HPOTDD01.EXE

C:\PROGRAM FILES\HEWLETT-PACKARD\DIGITAL IMAGING\BIN\HPOHMR08.EXE

C:\PROGRAM FILES\PALMONE\HOTSYNC.EXE

C:\PROGRAM FILES\INTERMUTE\SPYSUBTRACT\SPYSUB.EXE

C:\WINDOWS\SYSTEM\SPOOL32.EXE

C:\PROGRAM FILES\HEWLETT-PACKARD\DIGITAL IMAGING\BIN\HPOEVM08.EXE

C:\WINDOWS\SYSTEM\PSTORES.EXE

C:\WINDOWS\SYSTEM\HPZIPM12.EXE

C:\PROGRAM FILES\HEWLETT-PACKARD\DIGITAL IMAGING\BIN\HPOSTS08.EXE

C:\PROGRAM FILES\OUTLOOK EXPRESS\MSIMN.EXE

C:\WINDOWS\SYSTEM\DDHELP.EXE

C:\UNZIPPED\HIJACKTHIS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.canoe.ca/

F1 - win.ini: load=C:\TOOLS_95\REGISTER\remind.exe

F1 - win.ini: run=Qtstub.exe

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX

O4 - HKLM\..\Run: [systemTray] SysTray.Exe

O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme

O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe

O4 - HKLM\..\Run: [Ati2cwxx] Ati2cwxx.exe

O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET

O4 - HKLM\..\Run: [cAg0u] C:\WINDOWS\SYSTEM\82F4C060.hta

O4 - HKLM\..\Run: [QuickFinder Scheduler] C:\COREL\OFFICE7\SHARED\QFINDER7\QFSCHED.EXE

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime

O4 - HKLM\..\Run: [stillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE

O4 - HKLM\..\Run: [LoadQM] loadqm.exe

O4 - HKLM\..\Run: [iEXPLORE.EXE] C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE

O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme

O4 - HKLM\..\RunServices: [ATIPOLAB] ati2evae.exe

O4 - HKLM\..\RunServices: [schedulingAgent] mstask.exe

O4 - Startup: Iomega Watch.lnk = C:\Tools_95\IOWATCH.EXE

O4 - Startup: Iomega Startup Options.lnk = C:\Tools_95\IMGSTART.EXE

O4 - Startup: Iomega Disk Icons.lnk = C:\Tools_95\imgicon.exe

O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE

O4 - Startup: Norton Program Scheduler.lnk = C:\Program Files\Norton AntiVirus\NSCHED32.EXE

O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE

O4 - Startup: PerfectPrint.LNK = C:\Corel\Office7\Shared\PFit7\PFPPOP70.EXE

O4 - Startup: hpoddt01.exe.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe

O4 - Startup: hp instant support.lnk = C:\Program Files\Hewlett-Packard\hpis\bin\matcli.exe

O4 - Startup: hp psc 1000 series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe

O4 - Startup: HotSync Manager.lnk = C:\Program Files\palmOne\HOTSYNC.EXE

O4 - Startup: SpySubtract.lnk = C:\Program Files\interMute\SpySubtract\SpySub.exe

O8 - Extra context menu item: Add to filterlist (WebWasher) - http://-Web.Washer-/ie_add

O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll

O13 - WWW. Prefix: http://

O14 - IERESET.INF: START_PAGE_URL=http://www.hispeed.rogers.com

O16 - DPF: {4248083C-9656-11D2-8B7F-00105A17847A} - http://downloads.hearme.com/HearMeAutoInstaller.exe

O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200210...meInstaller.exe

Thank you, thank you for your great work.

I'll await your reply.

Aprguy

Link to post
Share on other sites

1. Boot into safemode again.

2. While in safemode open Hijackthis and click scan. Then tick and fix the following in Hijackthis with all windows closed except Hijackthis.

O4 - HKLM\..\Run: [cAg0u] C:\WINDOWS\SYSTEM\82F4C060.hta

O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

O13 - WWW. Prefix: http://

3. Delete the files. (if present)

C:\WINDOWS\SYSTEM\82F4C060.hta

4. Reboot and post a new Hijackthis log here in a reply.

Link to post
Share on other sites

Rock - here's the new log and at the risk of sounding like a broken record - thank you!

The file you wanted me to delete: C:\Windows\System\82F4C060.hta was not present.

Don't know if this is relevant, but nearly everytime I reboot, I get a message that Stimon has performed an illegal task and has been shutdown.

Aprguy

Logfile of HijackThis v1.99.1

Scan saved at 5:46:19 PM, on 5/17/05

Platform: Windows 98 SE (Win9x 4.10.2222A)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:

C:\WINDOWS\SYSTEM\KERNEL32.DLL

C:\WINDOWS\SYSTEM\MSGSRV32.EXE

C:\WINDOWS\SYSTEM\MPREXE.EXE

C:\WINDOWS\SYSTEM\ATI2EVAE.EXE

C:\WINDOWS\SYSTEM\MSTASK.EXE

C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE

C:\WINDOWS\SYSTEM\mmtask.tsk

C:\WINDOWS\EXPLORER.EXE

C:\Tools_95\Register\REMIND.EXE

C:\WINDOWS\SYSTEM\SYSTRAY.EXE

C:\WINDOWS\SYSTEM\ATIPTAXX.EXE

C:\WINDOWS\SYSTEM\ATI2CWXX.EXE

C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE

C:\WINDOWS\SYSTEM\QTTASK.EXE

C:\WINDOWS\LOADQM.EXE

C:\TOOLS_95\IMGICON.EXE

C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\OSA.EXE

C:\PROGRAM FILES\NORTON ANTIVIRUS\NSCHED32.EXE

C:\COREL\OFFICE7\SHARED\PFIT7\PFPPOP70.EXE

C:\WINDOWS\SYSTEM\WMIEXE.EXE

C:\PROGRAM FILES\HEWLETT-PACKARD\DIGITAL IMAGING\BIN\HPOTDD01.EXE

C:\PROGRAM FILES\HEWLETT-PACKARD\DIGITAL IMAGING\BIN\HPOHMR08.EXE

C:\PROGRAM FILES\PALMONE\HOTSYNC.EXE

C:\PROGRAM FILES\INTERMUTE\SPYSUBTRACT\SPYSUB.EXE

C:\WINDOWS\SYSTEM\SPOOL32.EXE

C:\PROGRAM FILES\HEWLETT-PACKARD\DIGITAL IMAGING\BIN\HPOEVM08.EXE

C:\WINDOWS\SYSTEM\HPZIPM12.EXE

C:\WINDOWS\SYSTEM\PSTORES.EXE

C:\PROGRAM FILES\HEWLETT-PACKARD\DIGITAL IMAGING\BIN\HPOSTS08.EXE

C:\WINDOWS\SYSTEM\DDHELP.EXE

C:\UNZIPPED\HIJACKTHIS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.canoe.ca/

F1 - win.ini: load=C:\TOOLS_95\REGISTER\remind.exe

F1 - win.ini: run=Qtstub.exe

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX

O4 - HKLM\..\Run: [systemTray] SysTray.Exe

O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme

O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe

O4 - HKLM\..\Run: [Ati2cwxx] Ati2cwxx.exe

O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET

O4 - HKLM\..\Run: [QuickFinder Scheduler] C:\COREL\OFFICE7\SHARED\QFINDER7\QFSCHED.EXE

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime

O4 - HKLM\..\Run: [stillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE

O4 - HKLM\..\Run: [LoadQM] loadqm.exe

O4 - HKLM\..\Run: [iEXPLORE.EXE] C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE

O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme

O4 - HKLM\..\RunServices: [ATIPOLAB] ati2evae.exe

O4 - HKLM\..\RunServices: [schedulingAgent] mstask.exe

O4 - Startup: Iomega Watch.lnk = C:\Tools_95\IOWATCH.EXE

O4 - Startup: Iomega Startup Options.lnk = C:\Tools_95\IMGSTART.EXE

O4 - Startup: Iomega Disk Icons.lnk = C:\Tools_95\imgicon.exe

O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE

O4 - Startup: Norton Program Scheduler.lnk = C:\Program Files\Norton AntiVirus\NSCHED32.EXE

O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE

O4 - Startup: PerfectPrint.LNK = C:\Corel\Office7\Shared\PFit7\PFPPOP70.EXE

O4 - Startup: hpoddt01.exe.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe

O4 - Startup: hp instant support.lnk = C:\Program Files\Hewlett-Packard\hpis\bin\matcli.exe

O4 - Startup: hp psc 1000 series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe

O4 - Startup: HotSync Manager.lnk = C:\Program Files\palmOne\HOTSYNC.EXE

O4 - Startup: SpySubtract.lnk = C:\Program Files\interMute\SpySubtract\SpySub.exe

O8 - Extra context menu item: Add to filterlist (WebWasher) - http://-Web.Washer-/ie_add

O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll

O14 - IERESET.INF: START_PAGE_URL=http://www.hispeed.rogers.com

O16 - DPF: {4248083C-9656-11D2-8B7F-00105A17847A} - http://downloads.hearme.com/HearMeAutoInstaller.exe

O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200210...meInstaller.exe

Link to post
Share on other sites

Your Hijackthis log is clean :)

1. Open Hijackthis and click scan. Then tick and fix the following in Hijackthis with all windows closed except Hijackthis.

O4 - HKLM\..\Run: [iEXPLORE.EXE] C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE

The file that is causing you a problem is this line in Hijackthis you can fix it if you wish and try opening it when needed look here for infomation on it http://castlecops.com/startuplist-3543.html

O4 - HKLM\..\Run: [stillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE

2. Reboot your PC and see if you still have a problem.

Link to post
Share on other sites

Rock - as requested - here is my latest log.

Best regards - and thanks

Aprguy

1

Scan saved at 4:54:36 PM, on 5/18/05

Platform: Windows 98 SE (Win9x 4.10.2222A)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:

C:\WINDOWS\SYSTEM\KERNEL32.DLL

C:\WINDOWS\SYSTEM\MSGSRV32.EXE

C:\WINDOWS\SYSTEM\MPREXE.EXE

C:\WINDOWS\SYSTEM\ATI2EVAE.EXE

C:\WINDOWS\SYSTEM\MSTASK.EXE

C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE

C:\WINDOWS\SYSTEM\mmtask.tsk

C:\WINDOWS\EXPLORER.EXE

C:\Tools_95\Register\REMIND.EXE

C:\WINDOWS\SYSTEM\SYSTRAY.EXE

C:\WINDOWS\SYSTEM\ATIPTAXX.EXE

C:\WINDOWS\SYSTEM\ATI2CWXX.EXE

C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE

C:\WINDOWS\SYSTEM\QTTASK.EXE

C:\WINDOWS\LOADQM.EXE

C:\TOOLS_95\IMGICON.EXE

C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\OSA.EXE

C:\PROGRAM FILES\NORTON ANTIVIRUS\NSCHED32.EXE

C:\COREL\OFFICE7\SHARED\PFIT7\PFPPOP70.EXE

C:\WINDOWS\SYSTEM\WMIEXE.EXE

C:\PROGRAM FILES\HEWLETT-PACKARD\DIGITAL IMAGING\BIN\HPOTDD01.EXE

C:\PROGRAM FILES\HEWLETT-PACKARD\DIGITAL IMAGING\BIN\HPOHMR08.EXE

C:\PROGRAM FILES\PALMONE\HOTSYNC.EXE

C:\PROGRAM FILES\INTERMUTE\SPYSUBTRACT\SPYSUB.EXE

C:\WINDOWS\SYSTEM\SPOOL32.EXE

C:\PROGRAM FILES\HEWLETT-PACKARD\DIGITAL IMAGING\BIN\HPOEVM08.EXE

C:\WINDOWS\SYSTEM\HPZIPM12.EXE

C:\PROGRAM FILES\HEWLETT-PACKARD\DIGITAL IMAGING\BIN\HPOSTS08.EXE

C:\WINDOWS\SYSTEM\DDHELP.EXE

C:\WINDOWS\SYSTEM\PSTORES.EXE

C:\UNZIPPED\HIJACKTHIS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.canoe.ca/

F1 - win.ini: load=C:\TOOLS_95\REGISTER\remind.exe

F1 - win.ini: run=Qtstub.exe

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX

O4 - HKLM\..\Run: [systemTray] SysTray.Exe

O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme

O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe

O4 - HKLM\..\Run: [Ati2cwxx] Ati2cwxx.exe

O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET

O4 - HKLM\..\Run: [QuickFinder Scheduler] C:\COREL\OFFICE7\SHARED\QFINDER7\QFSCHED.EXE

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime

O4 - HKLM\..\Run: [stillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE

O4 - HKLM\..\Run: [LoadQM] loadqm.exe

O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme

O4 - HKLM\..\RunServices: [ATIPOLAB] ati2evae.exe

O4 - HKLM\..\RunServices: [schedulingAgent] mstask.exe

O4 - Startup: Iomega Watch.lnk = C:\Tools_95\IOWATCH.EXE

O4 - Startup: Iomega Startup Options.lnk = C:\Tools_95\IMGSTART.EXE

O4 - Startup: Iomega Disk Icons.lnk = C:\Tools_95\imgicon.exe

O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE

O4 - Startup: Norton Program Scheduler.lnk = C:\Program Files\Norton AntiVirus\NSCHED32.EXE

O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE

O4 - Startup: PerfectPrint.LNK = C:\Corel\Office7\Shared\PFit7\PFPPOP70.EXE

O4 - Startup: hpoddt01.exe.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe

O4 - Startup: hp instant support.lnk = C:\Program Files\Hewlett-Packard\hpis\bin\matcli.exe

O4 - Startup: hp psc 1000 series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe

O4 - Startup: HotSync Manager.lnk = C:\Program Files\palmOne\HOTSYNC.EXE

O4 - Startup: SpySubtract.lnk = C:\Program Files\interMute\SpySubtract\SpySub.exe

O8 - Extra context menu item: Add to filterlist (WebWasher) - http://-Web.Washer-/ie_add

O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll

O14 - IERESET.INF: START_PAGE_URL=http://www.hispeed.rogers.com

O16 - DPF: {4248083C-9656-11D2-8B7F-00105A17847A} - http://downloads.hearme.com/HearMeAutoInstaller.exe

O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200210...meInstaller.exe

Link to post
Share on other sites

How is the PC running?

Your log is clean :)

Here are some tips, to reduce the potential for spyware infection in the future, I strongly recommend installing the following applications:

  • Spywareblaster <= SpywareBlaster will prevent spyware from being installed.
  • Spywareguard <= SpywareGuard offers realtime protection from spyware installation attempts.
  • How to use Ad-Aware to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Ad-Aware.
  • How to use Spybot to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Spybot. Similar to Ad-Aware, I strongly recommend both to catch most spyware.

To protect yourself further:

  • IE/Spyad <= IE/Spyad places over 4000 websites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.
  • MVPS Hosts file <= The MVPS Hosts file replaces your current HOSTS file with one containing well know ad sites etc. Basically, this prevents your coputer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer
  • Google Toolbar <= Get the free google toolbar to help stop pop up windows.

I also suggest that you delete any files from "temp", "tmp" folders. In Internet Explorer, click on "Tools" => "Internet Options" => "Delete Files" and select the box that says "Delete All Offline Content" and click on "OK" twice. Also, empty the recycle bin by right clicking on it and selecting "Empty Recycle Bin". These steps should be done on a regular basis.

Credit to PGPhantom for canned speech.

Link to post
Share on other sites

Hello:

I heard of this type of virus or malware from APRGUY and wondered how I could get my list of processes reviewed for infection. I'm alittle lost and not sure how to capture the LOG and post it. I,m not even sure if this is how I forward this request.

Respectively,

Spurv

Link to post
Share on other sites
Guest
This topic is now closed to further replies.