# [Solved] Errors when I start Windows



## nlocal (Feb 17, 2004)

Windows 98 second...
Browser: IE 6

If you need more info, ask...

When I boot the computer I get windows saying that I am missing:
morze5.exe
morze1.exe
k41xqxec.exe
njd0pefo.exe

Windows looks for the exe but cannot find them.. then asks if I want to redirect the link to a different exe, which I said no to...

The computer seems to be working OK....

I have had spyware problems in the past and did notice last night that my homepage had been changed to some ad.......

thanks,
Nathan


----------



## nlocal (Feb 17, 2004)

Logfile of HijackThis v1.97.7
Scan saved at 9:21:05 PM, on 3/23/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\POPROXY.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\MICROSOFT HARDWARE\MOUSE\POINT32.EXE
C:\PROGRAM FILES\CLEARSEARCH\LOADER.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\PDDIEE36.EXE
C:\WINDOWS\SYSTEM\FC42ENUM.EXE
C:\PROGRAM FILES\COMMON FILES\EFAX\DLLCMD32.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\DLLHOST.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS1977\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://server224.smartbotpro.net/7search/?hkcu
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://default-homepage-network.com/start.cgi?hkcu
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://default-homepage-network.com/start.cgi?hklm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://server224.smartbotpro.net/7search/?hklm
O2 - BHO: (no name) - {7559B76E-0222-4d77-9499-CCE9EB4EDC2F} - C:\PROGRA~1\ADSHIELD\ADSHIELD\ADSHIELD.DLL
O2 - BHO: (no name) - {00000EF1-0786-4633-87C6-1AA7A44296DA} - C:\WINDOWS\SYSTEM\CALSDR.DLL
O2 - BHO: (no name) - {B549456D-F5D0-4641-BCED-8648A0C13D83} - C:\WINDOWS\BrowserHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET
O4 - HKLM\..\Run: [Norton eMail Protect] C:\PROGRAM FILES\NORTON ANTIVIRUS\POProxy.exe
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [ClrSchLoader] \Program Files\ClearSearch\Loader.exe
O4 - HKLM\..\Run: [FC42ENUM] C:\WINDOWS\SYSTEM\FC42ENUM.exe
O4 - HKLM\..\Run: [PDDIEE36.EXE] C:\WINDOWS\PDDIEE36.EXE /dk
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKCU\..\Run: [PDDIEE36.EXE] C:\WINDOWS\PDDIEE36.EXE /dk
O4 - Startup: Live Menu.lnk = C:\Program Files\Common Files\efax\Dllcmd32.exe
O4 - Startup: MORZE5.lnk = C:\WINDOWS\morze5.exe
O4 - Startup: QECB075T.lnk = C:\WINDOWS\qecb075t.exe
O4 - Startup: MORZE1.lnk = C:\WINDOWS\morze1.exe
O4 - Startup: 1ZKARB0G.lnk = C:\WINDOWS\1zkarb0g.exe
O4 - Startup: RF1M2ID0.lnk = C:\WINDOWS\rf1m2id0.exe
O4 - Startup: 29G20PMA.lnk = C:\WINDOWS\29g20pma.exe
O4 - Startup: VH7T1N0I.lnk = C:\WINDOWS\vh7t1n0i.exe
O4 - Startup: JJ40F0BD.lnk = C:\WINDOWS\jj40f0bd.exe
O4 - Startup: L6HL509D.lnk = C:\WINDOWS\l6hl509d.exe
O4 - Startup: NJD0PEFO.lnk = C:\WINDOWS\njd0pefo.exe
O4 - Startup: K41XQXEC.lnk = C:\WINDOWS\k41xqxec.exe
O4 - Startup: PDDIEE36.lnk = C:\WINDOWS\pddiee36.exe
O4 - Global Startup: MORZE5.lnk = C:\WINDOWS\morze5.exe
O4 - Global Startup: QECB075T.lnk = C:\WINDOWS\qecb075t.exe
O4 - Global Startup: MORZE1.lnk = C:\WINDOWS\morze1.exe
O4 - Global Startup: 1ZKARB0G.lnk = C:\WINDOWS\1zkarb0g.exe
O4 - Global Startup: RF1M2ID0.lnk = C:\WINDOWS\rf1m2id0.exe
O4 - Global Startup: 29G20PMA.lnk = C:\WINDOWS\29g20pma.exe
O4 - Global Startup: VH7T1N0I.lnk = C:\WINDOWS\vh7t1n0i.exe
O4 - Global Startup: JJ40F0BD.lnk = C:\WINDOWS\jj40f0bd.exe
O4 - Global Startup: L6HL509D.lnk = C:\WINDOWS\l6hl509d.exe
O4 - Global Startup: NJD0PEFO.lnk = C:\WINDOWS\njd0pefo.exe
O4 - Global Startup: K41XQXEC.lnk = C:\WINDOWS\k41xqxec.exe
O4 - Global Startup: PDDIEE36.lnk = C:\WINDOWS\pddiee36.exe
O8 - Extra context menu item: Add to &Block List... - C:\PROGRA~1\ADSHIELD\ADSHIELD\suppress.htm
O8 - Extra context menu item: &Maintain Block List... - C:\PROGRA~1\ADSHIELD\ADSHIELD\maintain.htm
O8 - Extra context menu item: AdShield Option &Settings... - C:\PROGRA~1\ADSHIELD\ADSHIELD\settings.htm
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: Juno (HKCU)
O9 - Extra button: AdShield (HKCU)
O12 - Plugin for .MTD: C:\PROGRA~1\INTERN~1\Plugins\npmusicn.dll
O12 - Plugin for .wav: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .ofb: C:\PROGRA~1\INTERN~1\PLUGINS\NPONFLOW.DLL
O12 - Plugin for .mp3: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin3.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {226906C8-B910-11D3-82A3-0000F81A655B} (Mbayactx Control) - http://ez.messagebay.com/code1/mbayactx.cab
O16 - DPF: {E09F6B38-3A0D-11D3-B5E7-0008C7BF61F2} (DetectMN) - http://www.musicnotes.com/download/npmusicn.cab
O16 - DPF: {71CA4411-45EC-4608-B9D7-6D4B6A9D1BB4} (Attenza System Profiler) - http://service.dell.com/dell/SystemProfiler.cab
O16 - DPF: {28F00B0F-DC4E-11D3-ABEC-005004A44EEB} (Register Class) - http://content.hiwirenetworks.net/inbrowser/cabfiles/2.5.19/Hiwire.cab
O16 - DPF: {FEC3E5A3-50F7-4B0C-97D8-01CF69DFBFC7} (Measurement Service Client) - http://ccon.madonion.com/global/msc.cab
O16 - DPF: {4E7BD74F-2B8D-469E-A3FA-F363B384B77D} (MapQuest) - http://cdn.mapquest.com/mqtoolbar/mqgold1.cab
O16 - DPF: {E7D2588A-7FB5-47DC-8830-832605661009} (Live Collaboration) - https://rr.esecurecare.net/rnt/rnl/java/RntX.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37797.9005555556
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003080601/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst.cab
O16 - DPF: {AD7FAFB0-16D6-40C3-AF27-585D6E6453FD} - http://dload.ipbill.com/del/loader.cab
O16 - DPF: {BAC01377-73DD-4796-854D-2A8997E3D68A} (Yahoo! Photos Easy Upload Tool Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/ydropper/ydropper1_1us.cab

What is this all about? I see a lot of those exe here:
O4 - Global Startup: MORZE5.lnk = C:\WINDOWS\morze5.exe
O4 - Global Startup: QECB075T.lnk = C:\WINDOWS\qecb075t.exe
O4 - Global Startup: MORZE1.lnk = C:\WINDOWS\morze1.exe
O4 - Global Startup: 1ZKARB0G.lnk = C:\WINDOWS\1zkarb0g.exe
O4 - Global Startup: RF1M2ID0.lnk = C:\WINDOWS\rf1m2id0.exe
O4 - Global Startup: 29G20PMA.lnk = C:\WINDOWS\29g20pma.exe
O4 - Global Startup: VH7T1N0I.lnk = C:\WINDOWS\vh7t1n0i.exe
O4 - Global Startup: JJ40F0BD.lnk = C:\WINDOWS\jj40f0bd.exe
O4 - Global Startup: L6HL509D.lnk = C:\WINDOWS\l6hl509d.exe
O4 - Global Startup: NJD0PEFO.lnk = C:\WINDOWS\njd0pefo.exe
O4 - Global Startup: K41XQXEC.lnk = C:\WINDOWS\k41xqxec.exe
O4 - Global Startup: PDDIEE36.lnk = C:\WINDOWS\pddiee36.exe


----------



## mobo (Feb 23, 2003)

You had better run a full system scan at http://housecall.trendmicro.com/, then rescan with HijackThis and post a fresh log.


----------



## Bob Cerelli (Nov 3, 2002)

First off, it's probably good that it can't find those files. Try running MSCONFIG and remove anything from starting automatically that you don't need.

In addition to a virus scan, you might want to download a good Spyware and Trojan Removal program. Those files are awfully suspicious.

Spybot Search and Destroy:
http://www.safer-networking.org/index.php?page=spybotsda

SpySweeper:
There is also a good spyware program at:
http://www.webroot.com/wb/products/spysweeper/index.php
This will also protect your home page from being hijacked.

Ad-Aware:
http://www.lavasoft.de/

With any of the above three programs, just like with anti-virus software, you should have the latest updates installed before doing a scan.

CWShredder:
http://www.spywareinfo.com/downloads/tools/CWShredder.exe


----------



## nlocal (Feb 17, 2004)

OK, so I ran that virus checker and it found 14 infected files, but could not clean them, so I let it delete them. It deleted all but 1, because it was in use......

I ran HijackThis again and here is the log:

Logfile of HijackThis v1.97.7
Scan saved at 11:44:34 PM, on 3/23/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\POPROXY.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\MICROSOFT HARDWARE\MOUSE\POINT32.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\COMMON FILES\EFAX\DLLCMD32.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\DLLHOST.EXE
C:\WINDOWS\ZCBL4GVW.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS1977\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://server224.smartbotpro.net/7search/?hkcu
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://default-homepage-network.com/start.cgi?hklm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://server224.smartbotpro.net/7search/?hklm
O2 - BHO: (no name) - {7559B76E-0222-4d77-9499-CCE9EB4EDC2F} - C:\PROGRA~1\ADSHIELD\ADSHIELD\ADSHIELD.DLL
O2 - BHO: (no name) - {00000EF1-0786-4633-87C6-1AA7A44296DA} - (no file)
O2 - BHO: (no name) - {B549456D-F5D0-4641-BCED-8648A0C13D83} - C:\WINDOWS\BrowserHelper.dll
O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET
O4 - HKLM\..\Run: [Norton eMail Protect] C:\PROGRAM FILES\NORTON ANTIVIRUS\POProxy.exe
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [ZCBL4GVW.EXE] C:\WINDOWS\ZCBL4GVW.EXE /dk
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKCU\..\Run: [ZCBL4GVW.EXE] C:\WINDOWS\ZCBL4GVW.EXE /dk
O4 - Startup: Live Menu.lnk = C:\Program Files\Common Files\efax\Dllcmd32.exe
O4 - Startup: MORZE5.lnk = C:\WINDOWS\morze5.exe
O4 - Startup: QECB075T.lnk = C:\WINDOWS\qecb075t.exe
O4 - Startup: MORZE1.lnk = C:\WINDOWS\morze1.exe
O4 - Startup: 1ZKARB0G.lnk = C:\WINDOWS\1zkarb0g.exe
O4 - Startup: RF1M2ID0.lnk = C:\WINDOWS\rf1m2id0.exe
O4 - Startup: 29G20PMA.lnk = C:\WINDOWS\29g20pma.exe
O4 - Startup: VH7T1N0I.lnk = C:\WINDOWS\vh7t1n0i.exe
O4 - Startup: JJ40F0BD.lnk = C:\WINDOWS\jj40f0bd.exe
O4 - Startup: L6HL509D.lnk = C:\WINDOWS\l6hl509d.exe
O4 - Startup: NJD0PEFO.lnk = C:\WINDOWS\njd0pefo.exe
O4 - Startup: K41XQXEC.lnk = C:\WINDOWS\k41xqxec.exe
O4 - Startup: PDDIEE36.lnk = C:\WINDOWS\pddiee36.exe
O4 - Startup: 0IVX5EWN.lnk = C:\WINDOWS\0ivx5ewn.exe
O4 - Startup: N43YL75G.lnk = C:\WINDOWS\n43yl75g.exe
O4 - Startup: ZCBL4GVW.lnk = C:\WINDOWS\zcbl4gvw.exe
O4 - Global Startup: MORZE5.lnk = C:\WINDOWS\morze5.exe
O4 - Global Startup: QECB075T.lnk = C:\WINDOWS\qecb075t.exe
O4 - Global Startup: MORZE1.lnk = C:\WINDOWS\morze1.exe
O4 - Global Startup: 1ZKARB0G.lnk = C:\WINDOWS\1zkarb0g.exe
O4 - Global Startup: RF1M2ID0.lnk = C:\WINDOWS\rf1m2id0.exe
O4 - Global Startup: 29G20PMA.lnk = C:\WINDOWS\29g20pma.exe
O4 - Global Startup: VH7T1N0I.lnk = C:\WINDOWS\vh7t1n0i.exe
O4 - Global Startup: JJ40F0BD.lnk = C:\WINDOWS\jj40f0bd.exe
O4 - Global Startup: L6HL509D.lnk = C:\WINDOWS\l6hl509d.exe
O4 - Global Startup: NJD0PEFO.lnk = C:\WINDOWS\njd0pefo.exe
O4 - Global Startup: K41XQXEC.lnk = C:\WINDOWS\k41xqxec.exe
O4 - Global Startup: PDDIEE36.lnk = C:\WINDOWS\pddiee36.exe
O4 - Global Startup: 0IVX5EWN.lnk = C:\WINDOWS\0ivx5ewn.exe
O4 - Global Startup: N43YL75G.lnk = C:\WINDOWS\n43yl75g.exe
O4 - Global Startup: ZCBL4GVW.lnk = C:\WINDOWS\zcbl4gvw.exe
O8 - Extra context menu item: Add to &Block List... - C:\PROGRA~1\ADSHIELD\ADSHIELD\suppress.htm
O8 - Extra context menu item: &Maintain Block List... - C:\PROGRA~1\ADSHIELD\ADSHIELD\maintain.htm
O8 - Extra context menu item: AdShield Option &Settings... - C:\PROGRA~1\ADSHIELD\ADSHIELD\settings.htm
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: Juno (HKCU)
O9 - Extra button: AdShield (HKCU)
O12 - Plugin for .MTD: C:\PROGRA~1\INTERN~1\Plugins\npmusicn.dll
O12 - Plugin for .wav: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .ofb: C:\PROGRA~1\INTERN~1\PLUGINS\NPONFLOW.DLL
O12 - Plugin for .mp3: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin3.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {226906C8-B910-11D3-82A3-0000F81A655B} (Mbayactx Control) - http://ez.messagebay.com/code1/mbayactx.cab
O16 - DPF: {E09F6B38-3A0D-11D3-B5E7-0008C7BF61F2} (DetectMN) - http://www.musicnotes.com/download/npmusicn.cab
O16 - DPF: {71CA4411-45EC-4608-B9D7-6D4B6A9D1BB4} (Attenza System Profiler) - http://service.dell.com/dell/SystemProfiler.cab
O16 - DPF: {28F00B0F-DC4E-11D3-ABEC-005004A44EEB} (Register Class) - http://content.hiwirenetworks.net/inbrowser/cabfiles/2.5.19/Hiwire.cab
O16 - DPF: {FEC3E5A3-50F7-4B0C-97D8-01CF69DFBFC7} (Measurement Service Client) - http://ccon.madonion.com/global/msc.cab
O16 - DPF: {4E7BD74F-2B8D-469E-A3FA-F363B384B77D} (MapQuest) - http://cdn.mapquest.com/mqtoolbar/mqgold1.cab
O16 - DPF: {E7D2588A-7FB5-47DC-8830-832605661009} (Live Collaboration) - https://rr.esecurecare.net/rnt/rnl/java/RntX.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37797.9005555556
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003120501/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst.cab
O16 - DPF: {AD7FAFB0-16D6-40C3-AF27-585D6E6453FD} - http://dload.ipbill.com/del/loader.cab
O16 - DPF: {BAC01377-73DD-4796-854D-2A8997E3D68A} (Yahoo! Photos Easy Upload Tool Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/ydropper/ydropper1_1us.cab


----------



## nlocal (Feb 17, 2004)

Oh, and I ran Spybot before posting any of this and it isolated and deleted 5 files....


----------



## mobo (Feb 23, 2003)

Rescan and put a check next to each of these, then close all browser windows and click "Fix checked":

O2 - BHO: (no name) - {7559B76E-0222-4d77-9499-CCE9EB4EDC2F} - C:\PROGRA~1\ADSHIELD\ADSHIELD\ADSHIELD.DLL
O2 - BHO: (no name) - {00000EF1-0786-4633-87C6-1AA7A44296DA} - (no file)
O2 - BHO: (no name) - {B549456D-F5D0-4641-BCED-8648A0C13D83} - C:\WINDOWS\BrowserHelper.dll
O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - (no file)

O4 - HKLM\..\Run: [ZCBL4GVW.EXE] C:\WINDOWS\ZCBL4GVW.EXE /dk

O4 - HKCU\..\Run: [ZCBL4GVW.EXE] C:\WINDOWS\ZCBL4GVW.EXE /dk
O4 - Startup: Live Menu.lnk = C:\Program Files\Common Files\efax\Dllcmd32.exe
O4 - Startup: MORZE5.lnk = C:\WINDOWS\morze5.exe
O4 - Startup: QECB075T.lnk = C:\WINDOWS\qecb075t.exe
O4 - Startup: MORZE1.lnk = C:\WINDOWS\morze1.exe
O4 - Startup: 1ZKARB0G.lnk = C:\WINDOWS\1zkarb0g.exe
O4 - Startup: RF1M2ID0.lnk = C:\WINDOWS\rf1m2id0.exe
O4 - Startup: 29G20PMA.lnk = C:\WINDOWS\29g20pma.exe
O4 - Startup: VH7T1N0I.lnk = C:\WINDOWS\vh7t1n0i.exe
O4 - Startup: JJ40F0BD.lnk = C:\WINDOWS\jj40f0bd.exe
O4 - Startup: L6HL509D.lnk = C:\WINDOWS\l6hl509d.exe
O4 - Startup: NJD0PEFO.lnk = C:\WINDOWS\njd0pefo.exe
O4 - Startup: K41XQXEC.lnk = C:\WINDOWS\k41xqxec.exe
O4 - Startup: PDDIEE36.lnk = C:\WINDOWS\pddiee36.exe
O4 - Startup: 0IVX5EWN.lnk = C:\WINDOWS\0ivx5ewn.exe
O4 - Startup: N43YL75G.lnk = C:\WINDOWS\n43yl75g.exe
O4 - Startup: ZCBL4GVW.lnk = C:\WINDOWS\zcbl4gvw.exe
O4 - Global Startup: MORZE5.lnk = C:\WINDOWS\morze5.exe
O4 - Global Startup: QECB075T.lnk = C:\WINDOWS\qecb075t.exe
O4 - Global Startup: MORZE1.lnk = C:\WINDOWS\morze1.exe
O4 - Global Startup: 1ZKARB0G.lnk = C:\WINDOWS\1zkarb0g.exe
O4 - Global Startup: RF1M2ID0.lnk = C:\WINDOWS\rf1m2id0.exe
O4 - Global Startup: 29G20PMA.lnk = C:\WINDOWS\29g20pma.exe
O4 - Global Startup: VH7T1N0I.lnk = C:\WINDOWS\vh7t1n0i.exe
O4 - Global Startup: JJ40F0BD.lnk = C:\WINDOWS\jj40f0bd.exe
O4 - Global Startup: L6HL509D.lnk = C:\WINDOWS\l6hl509d.exe
O4 - Global Startup: NJD0PEFO.lnk = C:\WINDOWS\njd0pefo.exe
O4 - Global Startup: K41XQXEC.lnk = C:\WINDOWS\k41xqxec.exe
O4 - Global Startup: PDDIEE36.lnk = C:\WINDOWS\pddiee36.exe
O4 - Global Startup: 0IVX5EWN.lnk = C:\WINDOWS\0ivx5ewn.exe
O4 - Global Startup: N43YL75G.lnk = C:\WINDOWS\n43yl75g.exe
O4 - Global Startup: ZCBL4GVW.lnk = C:\WINDOWS\zcbl4gvw.exe

Then reboot into safe mode and delete:
C:\WINDOWS\morze5.exe
C:\WINDOWS\qecb075t.exe
C:\WINDOWS\morze1.exe
C:\WINDOWS\1zkarb0g.exe
C:\WINDOWS\rf1m2id0.exe
C:\WINDOWS\29g20pma.exe
C:\WINDOWS\vh7t1n0i.exe
C:\WINDOWS\jj40f0bd.exe
C:\WINDOWS\l6hl509d.exe
C:\WINDOWS\njd0pefo.exe
C:\WINDOWS\k41xqxec.exe
C:\WINDOWS\pddiee36.exe
C:\WINDOWS\0ivx5ewn.exe
C:\WINDOWS\n43yl75g.exe
C:\WINDOWS\zcbl4gvw.exe
C:\WINDOWS\morze5.exe
C:\WINDOWS\qecb075t.exe
C:\WINDOWS\morze1.exe
C:\WINDOWS\1zkarb0g.exe
C:\WINDOWS\rf1m2id0.exe
C:\WINDOWS\29g20pma.exe
C:\WINDOWS\vh7t1n0i.exe
C:\WINDOWS\jj40f0bd.exe
C:\WINDOWS\l6hl509d.exe
C:\WINDOWS\njd0pefo.exe
C:\WINDOWS\k41xqxec.exe
C:\WINDOWS\pddiee36.exe
C:\WINDOWS\0ivx5ewn.exe
C:\WINDOWS\n43yl75g.exe
C:\WINDOWS\zcbl4gvw.exe
C:\WINDOWS\ZCBL4GVW.EXE
C:\Program Files\Common Files\efax\Dllcmd32.exe

Then produce a fresh log please.
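The entries listed above share one pattern: shortcuts in both the per-user and the common Startup folder that point at short letters-and-digits executables dropped straight into C:\WINDOWS, a Run entry in both HKLM and HKCU that launches one of them with a `/dk` switch, and a set of names that differs from one log to the next. The following Python script is an added example, not code from this thread or from HijackThis: it parses the O4, O2 and R0/R1 lines of a HijackThis 1.97 log, flags those patterns for review, and diffs two logs of the same machine to show which dropped names vanished and which appeared. The two sample excerpts are copied from the first two logs in this thread; the random-name heuristic (6 to 8 characters with at least one digit, directly under C:\WINDOWS) and the small known-good list are assumptions tuned to this thread, so hits are candidates to verify against the full log, not a verdict.

```python
"""Triage a HijackThis 1.97 log for the dropper pattern seen in this thread.

Added example, not part of the thread or of HijackThis. It flags:
  * O4 Startup / Global Startup shortcuts targeting a random-looking exe in C:\\WINDOWS,
  * O4 Run / RunServices entries launching such an exe or carrying the /dk switch,
  * O2 BHO entries whose DLL is gone ("(no file)"),
  * R0/R1 start page / search bar URLs ending in ?hkcu or ?hklm,
and diffs two logs of the same machine to show the name churn between reboots.
"""
import re

# One registry O4 entry, e.g.  O4 - HKLM\..\Run: [PDDIEE36.EXE] C:\WINDOWS\PDDIEE36.EXE /dk
O4_RUN = re.compile(
    r"^O4 - (?P<hive>HK[LC][MU])\\\.\.\\(?P<key>Run|RunServices): "
    r"\[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
# One startup-folder shortcut, e.g.  O4 - Global Startup: MORZE5.lnk = C:\WINDOWS\morze5.exe
O4_LNK = re.compile(
    r"^O4 - (?P<where>Global Startup|Startup): (?P<lnk>.+?\.lnk) = (?P<target>.+)$")
O2_BHO = re.compile(r"^O2 - BHO: .* - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.+)$")
R_PAGE = re.compile(
    r"^R[01] - (?P<hive>HK[LC][MU])\\.*,(?P<key>Start Page|Search Bar) = (?P<url>\S+)$")

# Assumed heuristic, tuned to this thread: 6-8 letters/digits containing at least
# one digit, sitting directly in C:\WINDOWS (a subfolder path does not match).
RANDOM_EXE = re.compile(
    r"^C:\\WINDOWS\\(?P<base>(?=[A-Za-z]*\d)[A-Za-z0-9]{6,8})\.exe$", re.IGNORECASE)
# Assumed allow-list: legitimate Windows 98 files whose names contain digits.
KNOWN_GOOD = {"rundll32", "winhlp32"}


def random_named_target(path):
    """Return the lowercase basename if `path` looks like a dropped exe, else None."""
    m = RANDOM_EXE.match(path.strip())
    if not m:
        return None
    base = m.group("base").lower()
    return None if base in KNOWN_GOOD else base


def triage(lines):
    """Scan one log and return a list of (reason, line) findings, in log order."""
    findings = []
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        m = O4_LNK.match(line)
        if m:
            if random_named_target(m.group("target")):
                findings.append(("random-named startup shortcut", line))
            continue
        m = O4_RUN.match(line)
        if m:
            exe, _, args = m.group("cmd").partition(" ")
            if random_named_target(exe) or args.strip().lower() == "/dk":
                findings.append(("random-named Run entry", line))
            continue
        m = O2_BHO.match(line)
        if m and m.group("path").strip().lower() == "(no file)":
            findings.append(("orphaned BHO (no file)", line))
            continue
        m = R_PAGE.match(line)
        if m and re.search(r"\?hk(cu|lm)$", m.group("url")):
            findings.append(("hive-tagged start/search URL (hijacker marker)", line))
    return findings


def dropped_names(lines):
    """Set of random-named exe basenames referenced by any O4 entry in the log."""
    names = set()
    for raw in lines:
        line = raw.strip()
        m = O4_LNK.match(line)
        target = m.group("target") if m else None
        if target is None:
            m = O4_RUN.match(line)
            if m:
                target = m.group("cmd").partition(" ")[0]
        if target and random_named_target(target):
            names.add(random_named_target(target))
    return names


def churn(old_lines, new_lines):
    """(vanished, appeared): dropped names that changed between two logs of one machine."""
    old, new = dropped_names(old_lines), dropped_names(new_lines)
    return sorted(old - new), sorted(new - old)


# Constructed excerpts, copied from the first and second logs posted in this thread.
LOG_BEFORE = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://default-homepage-network.com/start.cgi?hkcu
O2 - BHO: (no name) - {00000EF1-0786-4633-87C6-1AA7A44296DA} - C:\WINDOWS\SYSTEM\CALSDR.DLL
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [PDDIEE36.EXE] C:\WINDOWS\PDDIEE36.EXE /dk
O4 - Startup: MORZE5.lnk = C:\WINDOWS\morze5.exe
O4 - Startup: K41XQXEC.lnk = C:\WINDOWS\k41xqxec.exe
O4 - Global Startup: PDDIEE36.lnk = C:\WINDOWS\pddiee36.exe
""".splitlines()

LOG_AFTER = r"""
O2 - BHO: (no name) - {00000EF1-0786-4633-87C6-1AA7A44296DA} - (no file)
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [ZCBL4GVW.EXE] C:\WINDOWS\ZCBL4GVW.EXE /dk
O4 - Startup: MORZE5.lnk = C:\WINDOWS\morze5.exe
O4 - Startup: ZCBL4GVW.lnk = C:\WINDOWS\zcbl4gvw.exe
O4 - Global Startup: 0IVX5EWN.lnk = C:\WINDOWS\0ivx5ewn.exe
""".splitlines()

if __name__ == "__main__":
    for reason, line in triage(LOG_AFTER):
        print(f"[{reason}] {line}")
    vanished, appeared = churn(LOG_BEFORE, LOG_AFTER)
    print("vanished since previous log:", vanished)
    print("appeared since previous log:", appeared)
```

Run it against two saved logs by reading each file with `splitlines()` in place of the embedded excerpts. The churn output is the useful part for a thread like this one: names that vanish while new ones appear between two boots, with the same `/dk` Run entry renamed each time, point at a running component that regenerates its own startup entries, which is why deleting the files by name alone does not hold.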


----------



## mobo (Feb 23, 2003)

I guess after looking over what I asked you to remove, it would have been easier to tell you what to keep..


----------



## nlocal (Feb 17, 2004)

OK, will do. I deleted the exe that the antivirus could not delete manually.. I hope that was cool....


----------



## mobo (Feb 23, 2003)

Yes, it was OK to do so. It will take some time, but we can clean this machine up with patience.


----------



## nlocal (Feb 17, 2004)

Hey... I tried. I ran and deleted the files you said. I got to safe mode and could not find any of those exe. Yes, show all is on.. They are not there in safe mode or in normal mode. When I restarted the computer I had a bunch more errors regarding missing exe that I never heard of..
So here is the scan log for the current time:

Logfile of HijackThis v1.97.7
Scan saved at 12:48:40 AM, on 3/24/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\POPROXY.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\MICROSOFT HARDWARE\MOUSE\POINT32.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\QAF8UJBZ.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS1977\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://server224.smartbotpro.net/7search/?hkcu
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://default-homepage-network.com/start.cgi?hklm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://server224.smartbotpro.net/7search/?hklm
O2 - BHO: (no name) - {B549456D-F5D0-4641-BCED-8648A0C13D83} - C:\WINDOWS\BrowserHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET
O4 - HKLM\..\Run: [Norton eMail Protect] C:\PROGRAM FILES\NORTON ANTIVIRUS\POProxy.exe
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [QAF8UJBZ.EXE] C:\WINDOWS\QAF8UJBZ.EXE /dk
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKCU\..\Run: [QAF8UJBZ.EXE] C:\WINDOWS\QAF8UJBZ.EXE /dk
O4 - Startup: 2GJPAPDZ.lnk = C:\WINDOWS\2gjpapdz.exe
O4 - Startup: PA0I2UD6.lnk = C:\WINDOWS\pa0i2ud6.exe
O4 - Startup: MORZE1.lnk = C:\WINDOWS\morze1.exe
O4 - Startup: U5B86JLN.lnk = C:\WINDOWS\u5b86jln.exe
O4 - Startup: G3TR6RU2.lnk = C:\WINDOWS\g3tr6ru2.exe
O4 - Startup: P61RWAZN.lnk = C:\WINDOWS\p61rwazn.exe
O4 - Startup: QAF8UJBZ.lnk = C:\WINDOWS\qaf8ujbz.exe
O4 - Startup: BH88BT43.lnk = C:\WINDOWS\bh88bt43.exe
O4 - Global Startup: MORZE1.lnk = C:\WINDOWS\morze1.exe
O4 - Global Startup: PA0I2UD6.lnk = C:\WINDOWS\pa0i2ud6.exe
O4 - Global Startup: 0PXWUBJW.lnk = C:\WINDOWS\0pxwubjw.exe
O4 - Global Startup: U5B86JLN.lnk = C:\WINDOWS\u5b86jln.exe
O4 - Global Startup: G3TR6RU2.lnk = C:\WINDOWS\g3tr6ru2.exe
O4 - Global Startup: P61RWAZN.lnk = C:\WINDOWS\p61rwazn.exe
O4 - Global Startup: 2GJPAPDZ.lnk = C:\WINDOWS\2gjpapdz.exe
O4 - Global Startup: QAF8UJBZ.lnk = C:\WINDOWS\qaf8ujbz.exe
O4 - Global Startup: BH88BT43.lnk = C:\WINDOWS\bh88bt43.exe
O4 - Global Startup: OJ8L7CR0.lnk = C:\WINDOWS\oj8l7cr0.exe
O8 - Extra context menu item: Add to &Block List... - C:\PROGRA~1\ADSHIELD\ADSHIELD\suppress.htm
O8 - Extra context menu item: &Maintain Block List... - C:\PROGRA~1\ADSHIELD\ADSHIELD\maintain.htm
O8 - Extra context menu item: AdShield Option &Settings... - C:\PROGRA~1\ADSHIELD\ADSHIELD\settings.htm
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: Juno (HKCU)
O9 - Extra button: AdShield (HKCU)
O12 - Plugin for .MTD: C:\PROGRA~1\INTERN~1\Plugins\npmusicn.dll
O12 - Plugin for .wav: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .ofb: C:\PROGRA~1\INTERN~1\PLUGINS\NPONFLOW.DLL
O12 - Plugin for .mp3: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin3.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {226906C8-B910-11D3-82A3-0000F81A655B} (Mbayactx Control) - http://ez.messagebay.com/code1/mbayactx.cab
O16 - DPF: {E09F6B38-3A0D-11D3-B5E7-0008C7BF61F2} (DetectMN) - http://www.musicnotes.com/download/npmusicn.cab
O16 - DPF: {71CA4411-45EC-4608-B9D7-6D4B6A9D1BB4} (Attenza System Profiler) - http://service.dell.com/dell/SystemProfiler.cab
O16 - DPF: {28F00B0F-DC4E-11D3-ABEC-005004A44EEB} (Register Class) - http://content.hiwirenetworks.net/inbrowser/cabfiles/2.5.19/Hiwire.cab
O16 - DPF: {FEC3E5A3-50F7-4B0C-97D8-01CF69DFBFC7} (Measurement Service Client) - http://ccon.madonion.com/global/msc.cab
O16 - DPF: {4E7BD74F-2B8D-469E-A3FA-F363B384B77D} (MapQuest) - http://cdn.mapquest.com/mqtoolbar/mqgold1.cab
O16 - DPF: {E7D2588A-7FB5-47DC-8830-832605661009} (Live Collaboration) - https://rr.esecurecare.net/rnt/rnl/java/RntX.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37797.9005555556
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003120501/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst.cab
O16 - DPF: {AD7FAFB0-16D6-40C3-AF27-585D6E6453FD} - http://dload.ipbill.com/del/loader.cab
O16 - DPF: {BAC01377-73DD-4796-854D-2A8997E3D68A} (Yahoo! Photos Easy Upload Tool Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/ydropper/ydropper1_1us.cab


----------



## nlocal (Feb 17, 2004)

O4 - Startup: 2GJPAPDZ.lnk = C:\WINDOWS\2gjpapdz.exe
O4 - Startup: PA0I2UD6.lnk = C:\WINDOWS\pa0i2ud6.exe
O4 - Startup: MORZE1.lnk = C:\WINDOWS\morze1.exe
O4 - Startup: U5B86JLN.lnk = C:\WINDOWS\u5b86jln.exe
O4 - Startup: G3TR6RU2.lnk = C:\WINDOWS\g3tr6ru2.exe
O4 - Startup: P61RWAZN.lnk = C:\WINDOWS\p61rwazn.exe
O4 - Startup: QAF8UJBZ.lnk = C:\WINDOWS\qaf8ujbz.exe
O4 - Startup: BH88BT43.lnk = C:\WINDOWS\bh88bt43.exe

I still don't like these and don't recognize 'em..


----------



## nlocal (Feb 17, 2004)

Oh, I can find some manually with Find now; should I delete them from there?


----------



## mobo (Feb 23, 2003)

Yes, and make certain to get
C:\WINDOWS\QAF8UJBZ.EXE, as I think it may be the queen bee.


----------



## Bob Cerelli (Nov 3, 2002)

What anti-virus software did you use?


----------



## mobo (Feb 23, 2003)

Looks like Norton


----------



## nlocal (Feb 17, 2004)

Hey, I used the antivirus scanner at the site listed above, the Trend one. I am now scanning with Norton, but in all honesty, it is not so up to date.... Well, I will look around and try and delete some of the above and then post a log..

thanks for your continued help.....
Nathan


----------



## nlocal (Feb 17, 2004)

Looking at other stuff I found this

In running processes:
C:\WINDOWS\N8X8OUK3.EX

Shell folders Startup:
2GJPAPDZ.lnk = C:\WINDOWS\2gjpapdz.exe
PA0I2UD6.lnk = C:\WINDOWS\pa0i2ud6.exe
U5B86JLN.lnk = C:\WINDOWS\u5b86jln.exe
G3TR6RU2.lnk = C:\WINDOWS\g3tr6ru2.exe
P61RWAZN.lnk = C:\WINDOWS\p61rwazn.exe
QAF8UJBZ.lnk = C:\WINDOWS\qaf8ujbz.exe
QHJUGDKR.lnk = C:\WINDOWS\qhjugdkr.exe
GTXYD7VM.lnk = C:\WINDOWS\gtxyd7vm.exe
7FQZ1011.lnk = C:\WINDOWS\7fqz1011.exe
Z69CMH0T.lnk = C:\WINDOWS\z69cmh0t.exe
P4POEOUZ.lnk = C:\WINDOWS\p4poeouz.exe
ODY1PCV4.lnk = C:\WINDOWS\ody1pcv4.exe
AO10IRA7.lnk = C:\WINDOWS\ao10ira7.exe
N8X8OUK3.lnk = C:\WINDOWS\n8x8ouk3.exe
BH88BT43.lnk = C:\WINDOWS\bh88bt43.exe

Shell folders Common Startup:
PA0I2UD6.lnk = C:\WINDOWS\pa0i2ud6.exe
0PXWUBJW.lnk = C:\WINDOWS\0pxwubjw.exe
U5B86JLN.lnk = C:\WINDOWS\u5b86jln.exe
G3TR6RU2.lnk = C:\WINDOWS\g3tr6ru2.exe
P61RWAZN.lnk = C:\WINDOWS\2gjpapdz.exe
2GJPAPDZ.lnk = C:\WINDOWS\2gjpapdz.exe
QAF8UJBZ.lnk = C:\WINDOWS\qaf8ujbz.exe
QHJUGDKR.lnk = C:\WINDOWS\qhjugdkr.exe
GTXYD7VM.lnk = C:\WINDOWS\gtxyd7vm.exe
7FQZ1011.lnk = C:\WINDOWS\7fqz1011.exe
Z69CMH0T.lnk = C:\WINDOWS\z69cmh0t.exe
P4POEOUZ.lnk = C:\WINDOWS\p4poeouz.exe
ODY1PCV4.lnk = C:\WINDOWS\ody1pcv4.exe
AO10IRA7.lnk = C:\WINDOWS\ao10ira7.exe
N8X8OUK3.lnk = C:\WINDOWS\n8x8ouk3.exe
BH88BT43.lnk = C:\WINDOWS\bh88bt43.exe
OJ8L7CR0.lnk = C:\WINDOWS\oj8l7cr0.exe


Autorun entries from Registry:
N8X8OUK3.EXE = C:\WINDOWS\N8X8OUK3.EXE /dk

Autorun entries from Registry:
N8X8OUK3.EXE = C:\WINDOWS\N8X8OUK3.EXE /dk


----------



## nlocal (Feb 17, 2004)

Most recent log.. let me know, guys, thanks..
Logfile of HijackThis v1.97.7
Scan saved at 11:26:30 PM, on 3/24/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\POPROXY.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\MICROSOFT HARDWARE\MOUSE\POINT32.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\1LFEYTL8.EXE
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS1977\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://server224.smartbotpro.net/7search/?hkcu
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://default-homepage-network.com/start.cgi?hklm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://server224.smartbotpro.net/7search/?hklm
O2 - BHO: (no name) - {B549456D-F5D0-4641-BCED-8648A0C13D83} - C:\WINDOWS\BrowserHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET
O4 - HKLM\..\Run: [Norton eMail Protect] C:\PROGRAM FILES\NORTON ANTIVIRUS\POProxy.exe
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [1LFEYTL8.EXE] C:\WINDOWS\1LFEYTL8.EXE /dk
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKCU\..\Run: [1LFEYTL8.EXE] C:\WINDOWS\1LFEYTL8.EXE /dk
O4 - Startup: 2GJPAPDZ.lnk = C:\WINDOWS\2gjpapdz.exe
O4 - Startup: PA0I2UD6.lnk = C:\WINDOWS\pa0i2ud6.exe
O4 - Startup: 5N000QCA.lnk = C:\WINDOWS\5n000qca.exe
O4 - Startup: U5B86JLN.lnk = C:\WINDOWS\u5b86jln.exe
O4 - Startup: G3TR6RU2.lnk = C:\WINDOWS\g3tr6ru2.exe
O4 - Startup: P61RWAZN.lnk = C:\WINDOWS\p61rwazn.exe
O4 - Startup: QAF8UJBZ.lnk = C:\WINDOWS\qaf8ujbz.exe
O4 - Startup: QHJUGDKR.lnk = C:\WINDOWS\qhjugdkr.exe
O4 - Startup: GTXYD7VM.lnk = C:\WINDOWS\gtxyd7vm.exe
O4 - Startup: 7FQZ1011.lnk = C:\WINDOWS\7fqz1011.exe
O4 - Startup: Z69CMH0T.lnk = C:\WINDOWS\z69cmh0t.exe
O4 - Startup: P4POEOUZ.lnk = C:\WINDOWS\p4poeouz.exe
O4 - Startup: ODY1PCV4.lnk = C:\WINDOWS\ody1pcv4.exe
O4 - Startup: AO10IRA7.lnk = C:\WINDOWS\ao10ira7.exe
O4 - Startup: N8X8OUK3.lnk = C:\WINDOWS\n8x8ouk3.exe
O4 - Startup: 1LFEYTL8.lnk = C:\WINDOWS\1lfeytl8.exe
O4 - Startup: BH88BT43.lnk = C:\WINDOWS\bh88bt43.exe
O4 - Global Startup: 5N000QCA.lnk = C:\WINDOWS\5n000qca.exe
O4 - Global Startup: PA0I2UD6.lnk = C:\WINDOWS\pa0i2ud6.exe
O4 - Global Startup: 0PXWUBJW.lnk = C:\WINDOWS\0pxwubjw.exe
O4 - Global Startup: U5B86JLN.lnk = C:\WINDOWS\u5b86jln.exe
O4 - Global Startup: G3TR6RU2.lnk = C:\WINDOWS\g3tr6ru2.exe
O4 - Global Startup: P61RWAZN.lnk = C:\WINDOWS\2gjpapdz.exe
O4 - Global Startup: 2GJPAPDZ.lnk = C:\WINDOWS\2gjpapdz.exe
O4 - Global Startup: QAF8UJBZ.lnk = C:\WINDOWS\qaf8ujbz.exe
O4 - Global Startup: QHJUGDKR.lnk = C:\WINDOWS\qhjugdkr.exe
O4 - Global Startup: GTXYD7VM.lnk = C:\WINDOWS\gtxyd7vm.exe
O4 - Global Startup: 7FQZ1011.lnk = C:\WINDOWS\7fqz1011.exe
O4 - Global Startup: Z69CMH0T.lnk = C:\WINDOWS\z69cmh0t.exe
O4 - Global Startup: P4POEOUZ.lnk = C:\WINDOWS\p4poeouz.exe
O4 - Global Startup: ODY1PCV4.lnk = C:\WINDOWS\ody1pcv4.exe
O4 - Global Startup: AO10IRA7.lnk = C:\WINDOWS\ao10ira7.exe
O4 - Global Startup: N8X8OUK3.lnk = C:\WINDOWS\n8x8ouk3.exe
O4 - Global Startup: BH88BT43.lnk = C:\WINDOWS\bh88bt43.exe
O4 - Global Startup: OJ8L7CR0.lnk = C:\WINDOWS\oj8l7cr0.exe
O4 - Global Startup: 1LFEYTL8.lnk = C:\WINDOWS\1lfeytl8.exe
O8 - Extra context menu item: Add to &Block List... - C:\PROGRA~1\ADSHIELD\ADSHIELD\suppress.htm
O8 - Extra context menu item: &Maintain Block List... - C:\PROGRA~1\ADSHIELD\ADSHIELD\maintain.htm
O8 - Extra context menu item: AdShield Option &Settings... - C:\PROGRA~1\ADSHIELD\ADSHIELD\settings.htm
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: Juno (HKCU)
O9 - Extra button: AdShield (HKCU)
O12 - Plugin for .MTD: C:\PROGRA~1\INTERN~1\Plugins\npmusicn.dll
O12 - Plugin for .wav: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .ofb: C:\PROGRA~1\INTERN~1\PLUGINS\NPONFLOW.DLL
O12 - Plugin for .mp3: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin3.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {226906C8-B910-11D3-82A3-0000F81A655B} (Mbayactx Control) - http://ez.messagebay.com/code1/mbayactx.cab
O16 - DPF: {E09F6B38-3A0D-11D3-B5E7-0008C7BF61F2} (DetectMN) - http://www.musicnotes.com/download/npmusicn.cab
O16 - DPF: {71CA4411-45EC-4608-B9D7-6D4B6A9D1BB4} (Attenza System Profiler) - http://service.dell.com/dell/SystemProfiler.cab
O16 - DPF: {28F00B0F-DC4E-11D3-ABEC-005004A44EEB} (Register Class) - http://content.hiwirenetworks.net/inbrowser/cabfiles/2.5.19/Hiwire.cab
O16 - DPF: {FEC3E5A3-50F7-4B0C-97D8-01CF69DFBFC7} (Measurement Service Client) - http://ccon.madonion.com/global/msc.cab
O16 - DPF: {4E7BD74F-2B8D-469E-A3FA-F363B384B77D} (MapQuest) - http://cdn.mapquest.com/mqtoolbar/mqgold1.cab
O16 - DPF: {E7D2588A-7FB5-47DC-8830-832605661009} (Live Collaboration) - https://rr.esecurecare.net/rnt/rnl/java/RntX.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37797.9005555556
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003120501/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst.cab
O16 - DPF: {AD7FAFB0-16D6-40C3-AF27-585D6E6453FD} - http://dload.ipbill.com/del/loader.cab
O16 - DPF: {BAC01377-73DD-4796-854D-2A8997E3D68A} (Yahoo! Photos Easy Upload Tool Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/ydropper/ydropper1_1us.cab

ps:
errors that have popped up:
MORZE1 caused a general protection fault
in module DDEML.DLL at 0002:00002139.

N8X8OUK3 caused a general protection fault
in module DDEML.DLL at 0002:00002139.

AO10IRA7 caused a general protection fault
in module DDEML.DLL at 0002:00002139.

and this may or may not matter:

also Microsoft Office 2000 Standard keeps popping up and trying to install something when I am not requesting it to do so. I hit cancel and it tries 2 more times and then stops. Ironically this same thing happened to me today at school on a computer in the library. The only file I can think of that I was working on at home and then at school was a PowerPoint presentation and an outline in Word...


----------



## mobo (Feb 23, 2003)

Go to start / run / msconfig / startup tab and see if those entries are listed there please.


----------



## Flrman1 (Jul 26, 2002)

Give me a few minutes here. I need to do something right quick. I'll post a reply in 15 or 20 mins.


----------



## Flrman1 (Jul 26, 2002)

Mobo,

Answer a question for me. I don't have my 98 test machine hooked up right now so I can't check this so maybe you know.

If you boot to safe mode in 98 and go to start > run and type in command to open a command prompt, can you copy and paste in the command shell? I can't remember if you can or not. I know you can in XP.


----------



## Flrman1 (Jul 26, 2002)

Well after looking this over I think the best thing to do is download and run TDS-3. It looks like this is a morphing trojan. TDS-3 is the best program I know of to deal with this sort of invader.

Download TDS-3 from http://www.wilders.org/anti_trojans.htm

This is a Trial version so you will have to do the update manually. 
The automatic update only works with the registered version which costs $49.

Update it following the instructions here: 
http://tds.diamondcs.com.au/index.php?page=update

Under the "Manual Update" right click on the radius.td3 file and choose "Save target as". 
Then in the "Save in" box browse to the C:\Program Files\TDS3 folder 
(provided that is the location of your TDS-3 directory) and save it there.
A prompt will appear telling you that there is already a radius.td3 file there, "do you want to overwrite it"; click Yes.

Run the "Full System Scan", preferably in safe mode.

Note: Temporarily disable your Antivirus program.
*Launch TDS-3 and click on "System Testing" then "Full System Scan" and the scan will begin.*

TDS-3 does not automatically remove infected files that it finds. It will display what it has found in the lower portion of the main window and it will either say "Positive Identification etc...." or "Suspicious File". Anything with a positive identification you should right click and delete. Don't do anything with the suspicious ones yet. Leave TDS-3 open and running after the scan and then go to the TDS-3 folder (usually C:\Program Files\TDS) and look for a scandump.txt file. Open the scandump.txt file and copy and paste its contents here. Once we see the scandump file we can determine what to do with the suspicious ones. Many times the suspicious files are harmless.


----------



## nlocal (Feb 17, 2004)

mobo,

Yes, there are a lot of exes loading in msconfig that I have never seen, and they are all checked to run...

flrman1 -
I have not done what you said yet, although I have no clue what a morphing trojan is. It kind of makes sense by the name, as I keep gaining new exes and keep deleting them as instructed and just keep getting new errors and seeing new exes appearing.

let me know b4 I do anything, thanks so much for your time and knowledge!!


----------



## nlocal (Feb 17, 2004)

also..

On my task bar, I get this thing that says inbox and the icon is like an exe file that does not have an icon, just the general icon. Also when I checked my email today, there were 3 emails that I did not send, that were sent back to me as rejected, and then there was an email with an attachment. The body said that this attachment does not contain a virus and made it look like I sent a file to be scanned and they were sending it back. I deleted all of them.....


----------



## mobo (Feb 23, 2003)

> _Originally posted by flrman1:_
> *Mobo,
> 
> Answer a question for me. I don't have my 98 test machine hooked up right now so I can't check this so maybe you know.
> ...


Sorry for the large delay, Mark. My eyelids couldn't take the strain any longer, and the answer would be no to the copy/paste question.


----------



## Flrman1 (Jul 26, 2002)

*nlocal*

I'd say you definitely need to run TDS-3 per my previous instructions ASAP!

Thanks mobo! :up:


----------



## tomseeberger (Mar 27, 2004)

You have TOMADI.A TROJAN. See Trend Micro for diagnosis and cure.


----------



## Flrman1 (Jul 26, 2002)

*nlocal*

Did you give up on this or did you get it straightened out?

I just successfully helped remove this trojan from another machine last night. Post back and let us know where you stand with this.


----------



## nlocal (Feb 17, 2004)

flrman1,
No, I did not give up; I was out of town this weekend. OK, I scanned and found:

Scan Control Dumped @ 20:27:34 28-03-04
Positive identification: TrojanClicker.Win32.WinPup.g
File: c:\windows\system\usigfxr.exe

Positive identification: Adware.Adtomi.a
File: c:\windows\bfmkcke4.exe

Positive identification: TrojanDownloader.Win32.Revop
File: c:\do.exe

Positive identification (DLL): Adware.Adtomi (dll)
File: c:\browserhelper.dll

Positive identification (DLL): TrojanSpy.Win32.BiSpy.c (dll)
File: c:\windows\twaintec.dll

Positive identification: Trojan.Win32.Revop.c
File: c:\windows\bdl24126.exe

Positive identification: Adware.Adtomi.a
File: c:\windows\c990xpzm.exe

Positive identification: Adware.Adtomi.a
File: c:\windows\td0wz8gc.exe

Positive identification: TrojanClicker.Win32.WinPup.g
File: c:\windows\pup.exe

Positive identification: Adware.Adtomi.a
File: c:\windows\morze1.exe

Positive identification: Adware.Adtomi.a
File: c:\windows\zto1ty3z.exe

Positive identification: Adware.Adtomi.a
File: c:\windows\5pr94ocp.exe

Positive identification: Adware.Adtomi.a
File: c:\windows\1lfeytl8.exe

Positive identification: Adware.Adtomi.a
File: c:\windows\a8pmf76d.exe

Positive identification: Adware.Adtomi.a
File: c:\windows\bfmkcke4.exe

Positive identification: Adware.Adtomi.a
File: c:\windows\p4poeouz.exe

Positive identification: Adware.Adtomi.a
File: c:\windows\ody1pcv4.exe

Positive identification: Adware.Adtomi.a
File: c:\windows\ao10ira7.exe

Positive identification: Adware.Adtomi.a
File: c:\windows\n8x8ouk3.exe

Positive identification: Adware.Adtomi.a
File: c:\windows\ihtouj0o.exe

Positive identification: Adware.Adtomi.a
File: c:\windows\c0w2a450.exe

Positive identification: Adware.Adtomi.a
File: c:\windows\3riq6zjg.exe

Positive identification: Adware.Adtomi.a
File: c:\windows\q5anf0qc.exe

Positive identification: Adware.Adtomi.a
File: c:\windows\w65v41kg.exe

Positive identification: Adware.Adtomi.a
File: c:\windows\dckaq6g9.exe

Positive identification: Adware.Adtomi.a
File: c:\windows\vi26vu6y.exe

Positive identification: Adware.Adtomi.a
File: c:\windows\fqey0f5f.exe

Positive identification: Adware.Adtomi.a
File: c:\windows\4457a8p2.exe

Positive identification: Adware.Adtomi.a
File: c:\windows\1lyn787o.exe

Positive identification: Adware.Adtomi.a
File: c:\windows\j8df6w1b.exe

Positive identification: Adware.Adtomi.a
File: c:\windows\9gx8zqtw.exe

Positive identification: Adware.Adtomi.a
File: c:\windows\wzvia4nf.exe

Positive identification: Adware.Adtomi.a
File: c:\windows\ozfirgm9.exe

Positive identification: Adware.Adtomi.a
File: c:\windows\be1nexfc.exe

Positive identification: Adware.Adtomi.a
File: c:\windows\950y15rt.exe

Positive identification: Adware.Adtomi.a
File: c:\windows\2h0x6j5y.exe

Positive identification: Adware.Adtomi.a
File: c:\windows\va1bf01q.exe

Positive identification: Adware.Adtomi.a
File: c:\windows\5w4042dj.exe

Positive identification: Adware.Adtomi.a
File: c:\windows\t59yadgt.exe

Positive identification: Adware.Adtomi.a
File: c:\windows\4dibd067.exe

Positive identification: Adware.Adtomi.a
File: c:\windows\bm6flc6h.exe

Positive identification: Adware.Adtomi.a
File: c:\windows\gwyz3786.exe

Positive identification: Adware.Adtomi.a
File: c:\windows\5gjdcufq.exe

Positive identification: Adware.Adtomi.a
File: c:\windows\eztn0poh.exe

Positive identification: Adware.Adtomi.a
File: c:\windows\eg9yaoo2.exe

Positive identification: Adware.Adtomi.a
File: c:\windows\w3umj70h.exe

Positive identification: Adware.Adtomi.a
File: c:\windows\wb3a6kpq.exe

Positive identification: Adware.Adtomi.a
File: c:\windows\cof22ikg.exe

Positive identification: TrojanClicker.Win32.WinPup.g
File: c:\windows\system\usigfxr.exe

Positive identification (DLL): TrojanSpy.Win32.BiSpy.c (dll)
File: c:\windows\temp\thi217c.tmp\twaintec.dll

Positive identification (DLL): TrojanSpy.Win32.BiSpy.c (dll)
File: c:\windows\temp\thi7c55.tmp\twaintec.dll

Positive identification: Trojan.Win32.Revop.c Dropper
File: c:\windows\temporary internet files\content.ie5\e3kf89kf\pup[2].exe

Positive identification: Trojan.Win32.Revop
File: c:\windows\temporary internet files\content.ie5\e3kf89kf\over[1].exe

Positive identification: Trojan.Win32.Revop.c Dropper
File: c:\program files\pup.exe

Positive identification: Trojan.Win32.Revop
File: c:\program files\over.exe

Positive identification: Adware.Adtomi.a
File: c:\recycled\dc149.exe

Positive identification: Adware.Adtomi.a
File: c:\recycled\dc143.exe


----------



## nlocal (Feb 17, 2004)

PS: I did not delete them yet; should this be done in safe mode or such? Etc...


----------



## Flrman1 (Jul 26, 2002)

You didn't have TDS-3 delete them?


----------



## nlocal (Feb 17, 2004)

No, because:
TDS-3 does not automatically remove infected files that it finds. It will display what it has found in the lower portion of the main window and it will either say "Positive Identification etc...." or "Suspicious File". Anything with a positive identification you should right click and delete. Don't do anything with the suspicious ones yet..........

So it is OK to right click and delete them through TDS-3 then, yes?


----------



## Flrman1 (Jul 26, 2002)

Yes.

After that post another log.


----------



## nlocal (Feb 17, 2004)

hey...ok I deleted all but one:

Positive identification: TrojanClicker.Win32.WinPup.g
File: c:\windows\system\usigfxr.exe

It was unable to delete it... Also, now that I have deleted all those .exe files that are listed in the startup, I am gonna get a 1000 "cannot find" messages when I restart the computer. OK, well, below is the log and I guess you will review it and I will delete the links etc. using HijackThis... bla bla bla, thanks again

Logfile of HijackThis v1.97.7
Scan saved at 10:26:40 PM, on 3/28/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\POPROXY.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\MICROSOFT HARDWARE\MOUSE\POINT32.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\NOTEPAD.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS1977\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://server224.smartbotpro.net/7search/?hkcu
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://default-homepage-network.com/start.cgi?hklm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://server224.smartbotpro.net/7search/?hklm
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O2 - BHO: (no name) - {B549456D-F5D0-4641-BCED-8648A0C13D83} - C:\WINDOWS\BrowserHelper.dll
O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WINDOWS\TWAINTEC.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET
O4 - HKLM\..\Run: [Norton eMail Protect] C:\PROGRAM FILES\NORTON ANTIVIRUS\POProxy.exe
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [BFMKCKE4.EXE] C:\WINDOWS\BFMKCKE4.EXE /dk
O4 - HKLM\..\Run: [HD401LCS] C:\WINDOWS\SYSTEM\HD401LCS.exe
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKCU\..\Run: [BFMKCKE4.EXE] C:\WINDOWS\BFMKCKE4.EXE /dk
O4 - Startup: 2GJPAPDZ.lnk = C:\WINDOWS\2gjpapdz.exe
O4 - Startup: PA0I2UD6.lnk = C:\WINDOWS\pa0i2ud6.exe
O4 - Startup: 5N000QCA.lnk = C:\WINDOWS\5n000qca.exe
O4 - Startup: U5B86JLN.lnk = C:\WINDOWS\u5b86jln.exe
O4 - Startup: G3TR6RU2.lnk = C:\WINDOWS\g3tr6ru2.exe
O4 - Startup: P61RWAZN.lnk = C:\WINDOWS\p61rwazn.exe
O4 - Startup: QAF8UJBZ.lnk = C:\WINDOWS\qaf8ujbz.exe
O4 - Startup: QHJUGDKR.lnk = C:\WINDOWS\qhjugdkr.exe
O4 - Startup: GTXYD7VM.lnk = C:\WINDOWS\gtxyd7vm.exe
O4 - Startup: 7FQZ1011.lnk = C:\WINDOWS\7fqz1011.exe
O4 - Startup: Z69CMH0T.lnk = C:\WINDOWS\z69cmh0t.exe
O4 - Startup: P4POEOUZ.lnk = C:\WINDOWS\p4poeouz.exe
O4 - Startup: ODY1PCV4.lnk = C:\WINDOWS\ody1pcv4.exe
O4 - Startup: AO10IRA7.lnk = C:\WINDOWS\ao10ira7.exe
O4 - Startup: N8X8OUK3.lnk = C:\WINDOWS\n8x8ouk3.exe
O4 - Startup: 1LFEYTL8.lnk = C:\WINDOWS\1lfeytl8.exe
O4 - Startup: MORZE1.lnk = C:\WINDOWS\morze1.exe
O4 - Startup: BH88BT43.lnk = C:\WINDOWS\bh88bt43.exe
O4 - Startup: A8PMF76D.lnk = C:\WINDOWS\a8pmf76d.exe
O4 - Startup: IHTOUJ0O.lnk = C:\WINDOWS\ihtouj0o.exe
O4 - Startup: C0W2A450.lnk = C:\WINDOWS\c0w2a450.exe
O4 - Startup: 3RIQ6ZJG.lnk = C:\WINDOWS\3riq6zjg.exe
O4 - Startup: Q5ANF0QC.lnk = C:\WINDOWS\q5anf0qc.exe
O4 - Startup: W65V41KG.lnk = C:\WINDOWS\w65v41kg.exe
O4 - Startup: UUCLJ9XR.lnk = C:\WINDOWS\uuclj9xr.exe
O4 - Startup: VI26VU6Y.lnk = C:\WINDOWS\vi26vu6y.exe
O4 - Startup: FQEY0F5F.lnk = C:\WINDOWS\fqey0f5f.exe
O4 - Startup: 4457A8P2.lnk = C:\WINDOWS\4457a8p2.exe
O4 - Startup: C990XPZM.lnk = C:\WINDOWS\c990xpzm.exe
O4 - Startup: 1LYN787O.lnk = C:\WINDOWS\1lyn787o.exe
O4 - Startup: J8DF6W1B.lnk = C:\WINDOWS\j8df6w1b.exe
O4 - Startup: 9GX8ZQTW.lnk = C:\WINDOWS\9gx8zqtw.exe
O4 - Startup: WZVIA4NF.lnk = C:\WINDOWS\wzvia4nf.exe
O4 - Startup: 950Y15RT.lnk = C:\WINDOWS\950y15rt.exe
O4 - Startup: 2H0X6J5Y.lnk = C:\WINDOWS\2h0x6j5y.exe
O4 - Startup: VA1BF01Q.lnk = C:\WINDOWS\va1bf01q.exe
O4 - Startup: 5W4042DJ.lnk = C:\WINDOWS\5w4042dj.exe
O4 - Startup: KGZC7BX7.lnk = C:\WINDOWS\kgzc7bx7.exe
O4 - Startup: UWI41T0R.lnk = C:\WINDOWS\uwi41t0r.exe
O4 - Startup: 4DIBD067.lnk = C:\WINDOWS\4dibd067.exe
O4 - Startup: BM6FLC6H.lnk = C:\WINDOWS\bm6flc6h.exe
O4 - Startup: GWYZ3786.lnk = C:\WINDOWS\gwyz3786.exe
O4 - Startup: 5GJDCUFQ.lnk = C:\WINDOWS\5gjdcufq.exe
O4 - Startup: EZTN0POH.lnk = C:\WINDOWS\eztn0poh.exe
O4 - Startup: EG9YAOO2.lnk = C:\WINDOWS\eg9yaoo2.exe
O4 - Startup: W3UMJ70H.lnk = C:\WINDOWS\w3umj70h.exe
O4 - Startup: ZTO1TY3Z.lnk = C:\WINDOWS\zto1ty3z.exe
O4 - Startup: OZFIRGM9.lnk = C:\WINDOWS\ozfirgm9.exe
O4 - Startup: 5PR94OCP.lnk = C:\WINDOWS\5pr94ocp.exe
O4 - Startup: U1JBPLE0.lnk = C:\WINDOWS\u1jbple0.exe
O4 - Startup: T59YADGT.lnk = C:\WINDOWS\t59yadgt.exe
O4 - Startup: TD0WZ8GC.lnk = C:\WINDOWS\td0wz8gc.exe
O4 - Startup: TN87B4MM.lnk = C:\WINDOWS\tn87b4mm.exe
O4 - Startup: DCKAQ6G9.lnk = C:\WINDOWS\dckaq6g9.exe
O4 - Startup: T62ZXMKN.lnk = C:\WINDOWS\t62zxmkn.exe
O4 - Startup: WB3A6KPQ.lnk = C:\WINDOWS\wb3a6kpq.exe
O4 - Startup: 4LX78D5H.lnk = C:\WINDOWS\4lx78d5h.exe
O4 - Startup: U2ZI6PK4.lnk = C:\WINDOWS\u2zi6pk4.exe
O4 - Startup: BE1NEXFC.lnk = C:\WINDOWS\be1nexfc.exe
O4 - Startup: BFMKCKE4.lnk = C:\WINDOWS\bfmkcke4.exe
O4 - Global Startup: 5N000QCA.lnk = C:\WINDOWS\5n000qca.exe
O4 - Global Startup: PA0I2UD6.lnk = C:\WINDOWS\pa0i2ud6.exe
O4 - Global Startup: 0PXWUBJW.lnk = C:\WINDOWS\0pxwubjw.exe
O4 - Global Startup: U5B86JLN.lnk = C:\WINDOWS\u5b86jln.exe
O4 - Global Startup: G3TR6RU2.lnk = C:\WINDOWS\g3tr6ru2.exe
O4 - Global Startup: P61RWAZN.lnk = C:\WINDOWS\2gjpapdz.exe
O4 - Global Startup: 2GJPAPDZ.lnk = C:\WINDOWS\2gjpapdz.exe
O4 - Global Startup: QAF8UJBZ.lnk = C:\WINDOWS\qaf8ujbz.exe
O4 - Global Startup: QHJUGDKR.lnk = C:\WINDOWS\qhjugdkr.exe
O4 - Global Startup: GTXYD7VM.lnk = C:\WINDOWS\gtxyd7vm.exe
O4 - Global Startup: 7FQZ1011.lnk = C:\WINDOWS\7fqz1011.exe
O4 - Global Startup: Z69CMH0T.lnk = C:\WINDOWS\z69cmh0t.exe
O4 - Global Startup: P4POEOUZ.lnk = C:\WINDOWS\p4poeouz.exe
O4 - Global Startup: ODY1PCV4.lnk = C:\WINDOWS\ody1pcv4.exe
O4 - Global Startup: AO10IRA7.lnk = C:\WINDOWS\ao10ira7.exe
O4 - Global Startup: N8X8OUK3.lnk = C:\WINDOWS\n8x8ouk3.exe
O4 - Global Startup: BH88BT43.lnk = C:\WINDOWS\bh88bt43.exe
O4 - Global Startup: OJ8L7CR0.lnk = C:\WINDOWS\oj8l7cr0.exe
O4 - Global Startup: 1LFEYTL8.lnk = C:\WINDOWS\1lfeytl8.exe
O4 - Global Startup: MORZE1.lnk = C:\WINDOWS\morze1.exe
O4 - Global Startup: A8PMF76D.lnk = C:\WINDOWS\a8pmf76d.exe
O4 - Global Startup: IHTOUJ0O.lnk = C:\WINDOWS\ihtouj0o.exe
O4 - Global Startup: C0W2A450.lnk = C:\WINDOWS\c0w2a450.exe
O4 - Global Startup: 3RIQ6ZJG.lnk = C:\WINDOWS\3riq6zjg.exe
O4 - Global Startup: Q5ANF0QC.lnk = C:\WINDOWS\q5anf0qc.exe
O4 - Global Startup: W65V41KG.lnk = C:\WINDOWS\w65v41kg.exe
O4 - Global Startup: UUCLJ9XR.lnk = C:\WINDOWS\uuclj9xr.exe
O4 - Global Startup: VI26VU6Y.lnk = C:\WINDOWS\vi26vu6y.exe
O4 - Global Startup: FQEY0F5F.lnk = C:\WINDOWS\fqey0f5f.exe
O4 - Global Startup: 4457A8P2.lnk = C:\WINDOWS\4457a8p2.exe
O4 - Global Startup: C990XPZM.lnk = C:\WINDOWS\c990xpzm.exe
O4 - Global Startup: 1LYN787O.lnk = C:\WINDOWS\1lyn787o.exe
O4 - Global Startup: J8DF6W1B.lnk = C:\WINDOWS\j8df6w1b.exe
O4 - Global Startup: 9GX8ZQTW.lnk = C:\WINDOWS\9gx8zqtw.exe
O4 - Global Startup: WZVIA4NF.lnk = C:\WINDOWS\wzvia4nf.exe
O4 - Global Startup: 950Y15RT.lnk = C:\WINDOWS\950y15rt.exe
O4 - Global Startup: 2H0X6J5Y.lnk = C:\WINDOWS\2h0x6j5y.exe
O4 - Global Startup: VA1BF01Q.lnk = C:\WINDOWS\va1bf01q.exe
O4 - Global Startup: 5W4042DJ.lnk = C:\WINDOWS\5w4042dj.exe
O4 - Global Startup: KGZC7BX7.lnk = C:\WINDOWS\kgzc7bx7.exe
O4 - Global Startup: UWI41T0R.lnk = C:\WINDOWS\uwi41t0r.exe
O4 - Global Startup: 4DIBD067.lnk = C:\WINDOWS\4dibd067.exe
O4 - Global Startup: BM6FLC6H.lnk = C:\WINDOWS\bm6flc6h.exe
O4 - Global Startup: GWYZ3786.lnk = C:\WINDOWS\gwyz3786.exe
O4 - Global Startup: 5GJDCUFQ.lnk = C:\WINDOWS\5gjdcufq.exe
O4 - Global Startup: EZTN0POH.lnk = C:\WINDOWS\eztn0poh.exe
O4 - Global Startup: EG9YAOO2.lnk = C:\WINDOWS\eg9yaoo2.exe
O4 - Global Startup: W3UMJ70H.lnk = C:\WINDOWS\w3umj70h.exe
O4 - Global Startup: ZTO1TY3Z.lnk = C:\WINDOWS\zto1ty3z.exe
O4 - Global Startup: OZFIRGM9.lnk = C:\WINDOWS\ozfirgm9.exe
O4 - Global Startup: 5PR94OCP.lnk = C:\WINDOWS\5pr94ocp.exe
O4 - Global Startup: U1JBPLE0.lnk = C:\WINDOWS\u1jbple0.exe
O4 - Global Startup: T59YADGT.lnk = C:\WINDOWS\t59yadgt.exe
O4 - Global Startup: TD0WZ8GC.lnk = C:\WINDOWS\td0wz8gc.exe
O4 - Global Startup: TN87B4MM.lnk = C:\WINDOWS\tn87b4mm.exe
O4 - Global Startup: DCKAQ6G9.lnk = C:\WINDOWS\dckaq6g9.exe
O4 - Global Startup: T62ZXMKN.lnk = C:\WINDOWS\t62zxmkn.exe
O4 - Global Startup: WB3A6KPQ.lnk = C:\WINDOWS\wb3a6kpq.exe
O4 - Global Startup: 4LX78D5H.lnk = C:\WINDOWS\4lx78d5h.exe
O4 - Global Startup: U2ZI6PK4.lnk = C:\WINDOWS\u2zi6pk4.exe
O4 - Global Startup: BE1NEXFC.lnk = C:\WINDOWS\be1nexfc.exe
O4 - Global Startup: BFMKCKE4.lnk = C:\WINDOWS\bfmkcke4.exe
O8 - Extra context menu item: Add to &Block List... - C:\PROGRA~1\ADSHIELD\ADSHIELD\suppress.htm
O8 - Extra context menu item: &Maintain Block List... - C:\PROGRA~1\ADSHIELD\ADSHIELD\maintain.htm
O8 - Extra context menu item: AdShield Option &Settings... - C:\PROGRA~1\ADSHIELD\ADSHIELD\settings.htm
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: Juno (HKCU)
O9 - Extra button: AdShield (HKCU)
O12 - Plugin for .MTD: C:\PROGRA~1\INTERN~1\Plugins\npmusicn.dll
O12 - Plugin for .wav: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .ofb: C:\PROGRA~1\INTERN~1\PLUGINS\NPONFLOW.DLL
O12 - Plugin for .mp3: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin3.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {226906C8-B910-11D3-82A3-0000F81A655B} (Mbayactx Control) - http://ez.messagebay.com/code1/mbayactx.cab
O16 - DPF: {E09F6B38-3A0D-11D3-B5E7-0008C7BF61F2} (DetectMN) - http://www.musicnotes.com/download/npmusicn.cab
O16 - DPF: {71CA4411-45EC-4608-B9D7-6D4B6A9D1BB4} (Attenza System Profiler) - http://service.dell.com/dell/SystemProfiler.cab
O16 - DPF: {28F00B0F-DC4E-11D3-ABEC-005004A44EEB} (Register Class) - http://content.hiwirenetworks.net/inbrowser/cabfiles/2.5.19/Hiwire.cab
O16 - DPF: {FEC3E5A3-50F7-4B0C-97D8-01CF69DFBFC7} (Measurement Service Client) - http://ccon.madonion.com/global/msc.cab
O16 - DPF: {4E7BD74F-2B8D-469E-A3FA-F363B384B77D} (MapQuest) - http://cdn.mapquest.com/mqtoolbar/mqgold1.cab
O16 - DPF: {E7D2588A-7FB5-47DC-8830-832605661009} (Live Collaboration) - https://rr.esecurecare.net/rnt/rnl/java/RntX.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37797.9005555556
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003120501/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst.cab
O16 - DPF: {AD7FAFB0-16D6-40C3-AF27-585D6E6453FD} - http://dload.ipbill.com/del/loader.cab
O16 - DPF: {BAC01377-73DD-4796-854D-2A8997E3D68A} (Yahoo! Photos Easy Upload Tool Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/ydropper/ydropper1_1us.cab
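As an added example, not from this thread and not part of HijackThis or TDS-3, the Python script below automates the cross-check the helpers do by hand here: it parses the O4 autostart lines of a HijackThis 1.97 log and the "Positive identification" / "File" pairs of a TDS-3 scandump.txt, then reports which autostart entries point at positively identified files, which only match the eight-character random naming pattern seen in these logs (a heuristic, not a detection), and which Startup shortcuts point at a differently named target. The sample inputs are short excerpts constructed from the logs posted above.

```python
import re

# Two O4 line shapes found in the HijackThis 1.97 logs above:
#   O4 - HKLM\..\Run: [Label] C:\PATH\FILE.EXE /args
#   O4 - Startup: LABEL.lnk = C:\PATH\file.exe
O4_RUN = re.compile(
    r"^O4 - (?P<loc>HK(?:LM|CU)\\\.\.\\Run(?:Services)?): "
    r"\[(?P<label>[^\]]+)\] (?P<path>.+?\.(?:exe|dll))(?:\s.*)?$", re.I)
O4_LNK = re.compile(
    r"^O4 - (?P<loc>(?:Global )?Startup): (?P<label>.+?\.lnk) = (?P<path>.+)$", re.I)
# TDS-3 scandump.txt lists a family line followed by the File: line it refers to.
TDS_FAMILY = re.compile(r"^Positive identification(?: \(DLL\))?: (?P<family>.+)$")
TDS_FILE = re.compile(r"^File: (?P<path>.+)$")
# Naming pattern of the dropped files in this thread: 8 alphanumerics directly in C:\WINDOWS.
EIGHT_ALNUM = re.compile(r"^[a-z0-9]{8}\.exe$")


def parse_scandump(text):
    """Map each positively identified file path (lowercased) to its family name."""
    hits, family = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = TDS_FAMILY.match(line)
        if m:
            family = m["family"]
            continue
        m = TDS_FILE.match(line)
        if m and family is not None:
            hits[m["path"].strip().lower()] = family
            family = None
    return hits


def parse_o4(text):
    """Extract the O4 autostart entries of a HijackThis log."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        m = O4_RUN.match(line) or O4_LNK.match(line)
        if m:
            entries.append({"loc": m["loc"], "label": m["label"],
                            "path": m["path"].strip().lower(), "line": line})
    return entries


def looks_generated(path):
    """Heuristic only: an 8-character name mixing letters and digits, sitting directly
    in c:\\windows. scanregw.exe (no digits) and NAVAPW32.EXE (under Program Files)
    are legitimate and deliberately fall outside it."""
    folder, _, base = path.lower().rpartition("\\")
    if folder != "c:\\windows" or not EIGHT_ALNUM.match(base):
        return False
    stem = base[:-4]
    return any(c.isdigit() for c in stem) and any(c.isalpha() for c in stem)


def triage(hjt_log, scandump):
    """Cross-reference O4 entries with TDS-3 hits and the naming heuristic.

    Returns (confirmed, suspect, mismatched):
      confirmed  -- (log line, family) pairs whose target TDS-3 positively identified
      suspect    -- log lines whose target only matches the naming heuristic
      mismatched -- Startup shortcuts whose .lnk name differs from the target file,
                    like P61RWAZN.lnk pointing at 2gjpapdz.exe in the logs above
    """
    hits = parse_scandump(scandump)
    confirmed, suspect, mismatched = [], [], []
    for e in parse_o4(hjt_log):
        if e["path"] in hits:
            confirmed.append((e["line"], hits[e["path"]]))
        elif looks_generated(e["path"]):
            suspect.append(e["line"])
        if e["label"].lower().endswith(".lnk"):
            lnk_stem = e["label"].lower()[:-4]
            target_stem = e["path"].rpartition("\\")[2].rpartition(".")[0]
            if lnk_stem != target_stem:
                mismatched.append(e["line"])
    return confirmed, suspect, mismatched


# Constructed excerpts in the shape of the logs posted in this thread.
SAMPLE_HJT = r"""
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET
O4 - HKLM\..\Run: [BFMKCKE4.EXE] C:\WINDOWS\BFMKCKE4.EXE /dk
O4 - Startup: MORZE1.lnk = C:\WINDOWS\morze1.exe
O4 - Startup: U1JBPLE0.lnk = C:\WINDOWS\u1jbple0.exe
O4 - Global Startup: P61RWAZN.lnk = C:\WINDOWS\2gjpapdz.exe
"""
SAMPLE_SCANDUMP = r"""
Scan Control Dumped @ 20:27:34 28-03-04
Positive identification: Adware.Adtomi.a
File: c:\windows\bfmkcke4.exe

Positive identification: Adware.Adtomi.a
File: c:\windows\morze1.exe

Positive identification (DLL): TrojanSpy.Win32.BiSpy.c (dll)
File: c:\windows\twaintec.dll
"""

if __name__ == "__main__":
    confirmed, suspect, mismatched = triage(SAMPLE_HJT, SAMPLE_SCANDUMP)
    for line, family in confirmed:
        print("FIX (TDS-3: %s): %s" % (family, line))
    for line in suspect:
        print("CHECK (name heuristic): %s" % line)
    for line in mismatched:
        print("ODD (lnk/target mismatch): %s" % line)
```

The heuristic list is only a prompt for a human to look, as the helpers do here; an entry that neither TDS-3 nor the heuristic flags (HD401LCS.exe under SYSTEM, for instance) still needs eyes on it.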


----------



## Flrman1 (Jul 26, 2002)

Run HijackThis again and put a check by these. Double check and triple check to be sure not to miss any. Close all windows except HijackThis and click "Fix checked".

*R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://server224.smartbotpro.net/7search/?hkcu

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://default-homepage-network.com/start.cgi?hklm

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://server224.smartbotpro.net/7search/?hklm

O2 - BHO: (no name) - {B549456D-F5D0-4641-BCED-8648A0C13D83} - C:\WINDOWS\BrowserHelper.dll

O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WINDOWS\TWAINTEC.DLL

O4 - HKLM\..\Run: [BFMKCKE4.EXE] C:\WINDOWS\BFMKCKE4.EXE /dk

O4 - HKLM\..\Run: [HD401LCS] C:\WINDOWS\SYSTEM\HD401LCS.exe

O4 - HKCU\..\Run: [BFMKCKE4.EXE] C:\WINDOWS\BFMKCKE4.EXE /dk

O4 - Startup: 2GJPAPDZ.lnk = C:\WINDOWS\2gjpapdz.exe

O4 - Startup: PA0I2UD6.lnk = C:\WINDOWS\pa0i2ud6.exe

O4 - Startup: 5N000QCA.lnk = C:\WINDOWS\5n000qca.exe

O4 - Startup: U5B86JLN.lnk = C:\WINDOWS\u5b86jln.exe

O4 - Startup: G3TR6RU2.lnk = C:\WINDOWS\g3tr6ru2.exe

O4 - Startup: P61RWAZN.lnk = C:\WINDOWS\p61rwazn.exe

O4 - Startup: QAF8UJBZ.lnk = C:\WINDOWS\qaf8ujbz.exe

O4 - Startup: QHJUGDKR.lnk = C:\WINDOWS\qhjugdkr.exe

O4 - Startup: GTXYD7VM.lnk = C:\WINDOWS\gtxyd7vm.exe

O4 - Startup: 7FQZ1011.lnk = C:\WINDOWS\7fqz1011.exe

O4 - Startup: Z69CMH0T.lnk = C:\WINDOWS\z69cmh0t.exe

O4 - Startup: P4POEOUZ.lnk = C:\WINDOWS\p4poeouz.exe

O4 - Startup: ODY1PCV4.lnk = C:\WINDOWS\ody1pcv4.exe

O4 - Startup: AO10IRA7.lnk = C:\WINDOWS\ao10ira7.exe

O4 - Startup: N8X8OUK3.lnk = C:\WINDOWS\n8x8ouk3.exe

O4 - Startup: 1LFEYTL8.lnk = C:\WINDOWS\1lfeytl8.exe

O4 - Startup: MORZE1.lnk = C:\WINDOWS\morze1.exe

O4 - Startup: BH88BT43.lnk = C:\WINDOWS\bh88bt43.exe

O4 - Startup: A8PMF76D.lnk = C:\WINDOWS\a8pmf76d.exe

O4 - Startup: IHTOUJ0O.lnk = C:\WINDOWS\ihtouj0o.exe

O4 - Startup: C0W2A450.lnk = C:\WINDOWS\c0w2a450.exe

O4 - Startup: 3RIQ6ZJG.lnk = C:\WINDOWS\3riq6zjg.exe

O4 - Startup: Q5ANF0QC.lnk = C:\WINDOWS\q5anf0qc.exe

O4 - Startup: W65V41KG.lnk = C:\WINDOWS\w65v41kg.exe

O4 - Startup: UUCLJ9XR.lnk = C:\WINDOWS\uuclj9xr.exe

O4 - Startup: VI26VU6Y.lnk = C:\WINDOWS\vi26vu6y.exe

O4 - Startup: FQEY0F5F.lnk = C:\WINDOWS\fqey0f5f.exe

O4 - Startup: 4457A8P2.lnk = C:\WINDOWS\4457a8p2.exe

O4 - Startup: C990XPZM.lnk = C:\WINDOWS\c990xpzm.exe

O4 - Startup: 1LYN787O.lnk = C:\WINDOWS\1lyn787o.exe

O4 - Startup: J8DF6W1B.lnk = C:\WINDOWS\j8df6w1b.exe

O4 - Startup: 9GX8ZQTW.lnk = C:\WINDOWS\9gx8zqtw.exe

O4 - Startup: WZVIA4NF.lnk = C:\WINDOWS\wzvia4nf.exe

O4 - Startup: 950Y15RT.lnk = C:\WINDOWS\950y15rt.exe

O4 - Startup: 2H0X6J5Y.lnk = C:\WINDOWS\2h0x6j5y.exe

O4 - Startup: VA1BF01Q.lnk = C:\WINDOWS\va1bf01q.exe

O4 - Startup: 5W4042DJ.lnk = C:\WINDOWS\5w4042dj.exe

O4 - Startup: KGZC7BX7.lnk = C:\WINDOWS\kgzc7bx7.exe

O4 - Startup: UWI41T0R.lnk = C:\WINDOWS\uwi41t0r.exe

O4 - Startup: 4DIBD067.lnk = C:\WINDOWS\4dibd067.exe

O4 - Startup: BM6FLC6H.lnk = C:\WINDOWS\bm6flc6h.exe

O4 - Startup: GWYZ3786.lnk = C:\WINDOWS\gwyz3786.exe

O4 - Startup: 5GJDCUFQ.lnk = C:\WINDOWS\5gjdcufq.exe

O4 - Startup: EZTN0POH.lnk = C:\WINDOWS\eztn0poh.exe

O4 - Startup: EG9YAOO2.lnk = C:\WINDOWS\eg9yaoo2.exe

O4 - Startup: W3UMJ70H.lnk = C:\WINDOWS\w3umj70h.exe

O4 - Startup: ZTO1TY3Z.lnk = C:\WINDOWS\zto1ty3z.exe

O4 - Startup: OZFIRGM9.lnk = C:\WINDOWS\ozfirgm9.exe

O4 - Startup: 5PR94OCP.lnk = C:\WINDOWS\5pr94ocp.exe

O4 - Startup: U1JBPLE0.lnk = C:\WINDOWS\u1jbple0.exe

O4 - Startup: T59YADGT.lnk = C:\WINDOWS\t59yadgt.exe

O4 - Startup: TD0WZ8GC.lnk = C:\WINDOWS\td0wz8gc.exe

O4 - Startup: TN87B4MM.lnk = C:\WINDOWS\tn87b4mm.exe

O4 - Startup: DCKAQ6G9.lnk = C:\WINDOWS\dckaq6g9.exe

O4 - Startup: T62ZXMKN.lnk = C:\WINDOWS\t62zxmkn.exe

O4 - Startup: WB3A6KPQ.lnk = C:\WINDOWS\wb3a6kpq.exe

O4 - Startup: 4LX78D5H.lnk = C:\WINDOWS\4lx78d5h.exe

O4 - Startup: U2ZI6PK4.lnk = C:\WINDOWS\u2zi6pk4.exe

O4 - Startup: BE1NEXFC.lnk = C:\WINDOWS\be1nexfc.exe

O4 - Startup: BFMKCKE4.lnk = C:\WINDOWS\bfmkcke4.exe

O4 - Global Startup: 5N000QCA.lnk = C:\WINDOWS\5n000qca.exe

O4 - Global Startup: PA0I2UD6.lnk = C:\WINDOWS\pa0i2ud6.exe

O4 - Global Startup: 0PXWUBJW.lnk = C:\WINDOWS\0pxwubjw.exe

O4 - Global Startup: U5B86JLN.lnk = C:\WINDOWS\u5b86jln.exe

O4 - Global Startup: G3TR6RU2.lnk = C:\WINDOWS\g3tr6ru2.exe

O4 - Global Startup: P61RWAZN.lnk = C:\WINDOWS\2gjpapdz.exe

O4 - Global Startup: 2GJPAPDZ.lnk = C:\WINDOWS\2gjpapdz.exe

O4 - Global Startup: QAF8UJBZ.lnk = C:\WINDOWS\qaf8ujbz.exe
O4 - Global Startup: QHJUGDKR.lnk = C:\WINDOWS\qhjugdkr.exe
O4 - Global Startup: GTXYD7VM.lnk = C:\WINDOWS\gtxyd7vm.exe
O4 - Global Startup: 7FQZ1011.lnk = C:\WINDOWS\7fqz1011.exe
O4 - Global Startup: Z69CMH0T.lnk = C:\WINDOWS\z69cmh0t.exe
O4 - Global Startup: P4POEOUZ.lnk = C:\WINDOWS\p4poeouz.exe
O4 - Global Startup: ODY1PCV4.lnk = C:\WINDOWS\ody1pcv4.exe
O4 - Global Startup: AO10IRA7.lnk = C:\WINDOWS\ao10ira7.exe
O4 - Global Startup: N8X8OUK3.lnk = C:\WINDOWS\n8x8ouk3.exe
O4 - Global Startup: BH88BT43.lnk = C:\WINDOWS\bh88bt43.exe
O4 - Global Startup: OJ8L7CR0.lnk = C:\WINDOWS\oj8l7cr0.exe
O4 - Global Startup: 1LFEYTL8.lnk = C:\WINDOWS\1lfeytl8.exe
O4 - Global Startup: MORZE1.lnk = C:\WINDOWS\morze1.exe
O4 - Global Startup: A8PMF76D.lnk = C:\WINDOWS\a8pmf76d.exe
O4 - Global Startup: IHTOUJ0O.lnk = C:\WINDOWS\ihtouj0o.exe
O4 - Global Startup: C0W2A450.lnk = C:\WINDOWS\c0w2a450.exe
O4 - Global Startup: 3RIQ6ZJG.lnk = C:\WINDOWS\3riq6zjg.exe
O4 - Global Startup: Q5ANF0QC.lnk = C:\WINDOWS\q5anf0qc.exe
O4 - Global Startup: W65V41KG.lnk = C:\WINDOWS\w65v41kg.exe
O4 - Global Startup: UUCLJ9XR.lnk = C:\WINDOWS\uuclj9xr.exe
O4 - Global Startup: VI26VU6Y.lnk = C:\WINDOWS\vi26vu6y.exe
O4 - Global Startup: FQEY0F5F.lnk = C:\WINDOWS\fqey0f5f.exe
O4 - Global Startup: 4457A8P2.lnk = C:\WINDOWS\4457a8p2.exe
O4 - Global Startup: C990XPZM.lnk = C:\WINDOWS\c990xpzm.exe
O4 - Global Startup: 1LYN787O.lnk = C:\WINDOWS\1lyn787o.exe
O4 - Global Startup: J8DF6W1B.lnk = C:\WINDOWS\j8df6w1b.exe
O4 - Global Startup: 9GX8ZQTW.lnk = C:\WINDOWS\9gx8zqtw.exe
O4 - Global Startup: WZVIA4NF.lnk = C:\WINDOWS\wzvia4nf.exe
O4 - Global Startup: 950Y15RT.lnk = C:\WINDOWS\950y15rt.exe
O4 - Global Startup: 2H0X6J5Y.lnk = C:\WINDOWS\2h0x6j5y.exe
O4 - Global Startup: VA1BF01Q.lnk = C:\WINDOWS\va1bf01q.exe
O4 - Global Startup: 5W4042DJ.lnk = C:\WINDOWS\5w4042dj.exe
O4 - Global Startup: KGZC7BX7.lnk = C:\WINDOWS\kgzc7bx7.exe
O4 - Global Startup: UWI41T0R.lnk = C:\WINDOWS\uwi41t0r.exe
O4 - Global Startup: 4DIBD067.lnk = C:\WINDOWS\4dibd067.exe
O4 - Global Startup: BM6FLC6H.lnk = C:\WINDOWS\bm6flc6h.exe
O4 - Global Startup: GWYZ3786.lnk = C:\WINDOWS\gwyz3786.exe
O4 - Global Startup: 5GJDCUFQ.lnk = C:\WINDOWS\5gjdcufq.exe
O4 - Global Startup: EZTN0POH.lnk = C:\WINDOWS\eztn0poh.exe
O4 - Global Startup: EG9YAOO2.lnk = C:\WINDOWS\eg9yaoo2.exe
O4 - Global Startup: W3UMJ70H.lnk = C:\WINDOWS\w3umj70h.exe
O4 - Global Startup: ZTO1TY3Z.lnk = C:\WINDOWS\zto1ty3z.exe
O4 - Global Startup: OZFIRGM9.lnk = C:\WINDOWS\ozfirgm9.exe
O4 - Global Startup: 5PR94OCP.lnk = C:\WINDOWS\5pr94ocp.exe
O4 - Global Startup: U1JBPLE0.lnk = C:\WINDOWS\u1jbple0.exe
O4 - Global Startup: T59YADGT.lnk = C:\WINDOWS\t59yadgt.exe
O4 - Global Startup: TD0WZ8GC.lnk = C:\WINDOWS\td0wz8gc.exe
O4 - Global Startup: TN87B4MM.lnk = C:\WINDOWS\tn87b4mm.exe
O4 - Global Startup: DCKAQ6G9.lnk = C:\WINDOWS\dckaq6g9.exe
O4 - Global Startup: T62ZXMKN.lnk = C:\WINDOWS\t62zxmkn.exe
O4 - Global Startup: WB3A6KPQ.lnk = C:\WINDOWS\wb3a6kpq.exe
O4 - Global Startup: 4LX78D5H.lnk = C:\WINDOWS\4lx78d5h.exe
O4 - Global Startup: U2ZI6PK4.lnk = C:\WINDOWS\u2zi6pk4.exe
O4 - Global Startup: BE1NEXFC.lnk = C:\WINDOWS\be1nexfc.exe
O4 - Global Startup: BFMKCKE4.lnk = C:\WINDOWS\bfmkcke4.exe
O16 - DPF: {28F00B0F-DC4E-11D3-ABEC-005004A44EEB} (Register Class) - http://content.hiwirenetworks.net/i...5.19/Hiwire.cab
O16 - DPF: {AD7FAFB0-16D6-40C3-AF27-585D6E6453FD} - http://dload.ipbill.com/del/loader.cab*

Restart to safe mode.

First, in safe mode, click on My Computer, then go to View > Folder Options. Click on the "View" tab, make sure "Show all files" is ticked, and uncheck "Hide file extensions for known file types". Click "Like Current Folder", then click "Apply", then "OK".

Now open the C:\Windows folder and find and delete any of these files that may still be there. Again, double check and triple check to be sure not to miss any:

*5n000qca.exe
pa0i2ud6.exe
0pxwubjw.exe
u5b86jln.exe
g3tr6ru2.exe
pa0i2ud6.exe
2gjpapdz.exe
qaf8ujbz.exe
qhjugdkr.exe
gtxyd7vm.exe
7fqz1011.exe
z69cmh0t.exe
p4poeouz.exe
ody1pcv4.exe
ao10ira7.exe
n8x8ouk3.exe
bh88bt43.exe
oj8l7cr0.exe
1lfeytl8.exe
morze1.exe
a8pmf76d.exe
ihtouj0o.exe
c0w2a450.exe
3riq6zjg.exe
q5anf0qc.exe
w65v41kg.exe
uuclj9xr.exe
vi26vu6y.exe
fqey0f5f.exe
4457a8p2.exe
c990xpzm.exe
1lyn787o.exe
j8df6w1b.exe
9gx8zqtw.exe
wzvia4nf.exe
950y15rt.exe
2h0x6j5y.exe
va1bf01q.exe
5w4042dj.exe
kgzc7bx7.exe
uwi41t0r.exe
4dibd067.exe
bm6flc6h.exe
gwyz3786.exe
5gjdcufq.exe
eztn0poh.exe
eg9yaoo2.exe
w3umj70h.exe
zto1ty3z.exe
ozfirgm9.exe
5pr94ocp.exe
u1jbple0.exe
t59yadgt.exe
td0wz8gc.exe
tn87b4mm.exe
dckaq6g9.exe
t62zxmkn.exe
wb3a6kpq.exe
4lx78d5h.exe
u2zi6pk4.exe
be1nexfc.exe
bfmkcke4.exe
u5b86jln.exe
p61rwazn.exe
gtxyd7vm.exe*

*Note:* Also, if you see any other files that look similar to these, with the random letters and numbers, delete them as well.

Also in the Windows folder find the *Temp* folder and go to Edit > Select All then Edit > Delete and delete *everything* in the Temp folder.

Now go to Control Panel > Internet Options and on the General tab under "Temporary Internet Files" click "Delete Files". In the box that pops up put a check by "Delete offline content" then click OK.

How to start your computer in safe mode
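A triage script for logs like the one above, added here as an example (it is not from this thread, from Flrman1, or from HijackThis): it parses the "O4 - Global Startup" lines and scores each shortcut on the signals the advice above relies on, so the random-named entries surface without reading every line by hand. The Welcome.lnk line in the sample and the score threshold of 3 are assumptions of the example.

```python
"""Triage helper for HijackThis 'O4 - Global Startup' entries (added example,
not from the thread or from HijackThis). Signals scored: a .lnk named after its
target, a target sitting directly in C:\\WINDOWS, and a random-looking name."""
import re

O4_GLOBAL = re.compile(r"^O4 - Global Startup: (?P<lnk>.+?)\.lnk = (?P<target>.+?)\s*$", re.I)
VOWELS = set("aeiou")

def random_name_signals(stem):
    """Heuristic booleans describing how random a file-name stem looks."""
    stem = stem.lower()
    digit_flags = [c.isdigit() for c in stem]
    transitions = sum(1 for a, b in zip(digit_flags, digit_flags[1:]) if a != b)
    vowel_ratio = sum(c in VOWELS for c in stem) / max(len(stem), 1)
    return {
        "has_digits": any(digit_flags),
        "mixed_digits": transitions >= 2,  # letters and digits interleaved
        "few_vowels": vowel_ratio < 0.25,  # unpronounceable consonant runs
    }

def score_entry(line):
    """Parse one Global Startup line; return (target, score, signals) or None."""
    m = O4_GLOBAL.match(line.strip())
    if m is None:
        return None  # not a Global Startup entry (e.g. an HKLM\..\Run line)
    target = m.group("target")
    directory, _, filename = target.rpartition("\\")
    stem = filename.rsplit(".", 1)[0]
    signals = random_name_signals(stem)
    signals["in_windows_root"] = directory.upper() == "C:\\WINDOWS"
    signals["lnk_is_stem"] = m.group("lnk").lower() == stem.lower()
    return target, sum(signals.values()), signals

def suspicious_targets(log_text, threshold=3):
    """Targets of all Global Startup entries scoring at least `threshold`."""
    hits = []
    for line in log_text.splitlines():
        parsed = score_entry(line)
        if parsed is not None and parsed[1] >= threshold:
            hits.append(parsed[0])
    return hits

# Constructed sample: the first four lines are from this thread's logs; Welcome.lnk is invented here as a benign contrast.
SAMPLE_LOG = """\
O4 - HKLM\\..\\Run: [TaskMonitor] C:\\WINDOWS\\taskmon.exe
O4 - Global Startup: QAF8UJBZ.lnk = C:\\WINDOWS\\qaf8ujbz.exe
O4 - Global Startup: QHJUGDKR.lnk = C:\\WINDOWS\\qhjugdkr.exe
O4 - Global Startup: MORZE1.lnk = C:\\WINDOWS\\morze1.exe
O4 - Global Startup: Welcome.lnk = C:\\WINDOWS\\welcome.exe
"""
```

Running `suspicious_targets(SAMPLE_LOG)` returns the three random-named targets and leaves the benign shortcut (score 2) alone; the per-signal dict from `score_entry` shows why each one was flagged.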


----------



## nlocal (Feb 17, 2004)

hello...

done and done....I restarted Windows and there was one missing exe error like the rest, so I deleted the link from startup..Restarted and it ran smooth. Do you think we are done or is there more? I mean is the registry fixed etc...

new log:
Logfile of HijackThis v1.97.7
Scan saved at 1:21:21 AM, on 3/29/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\POPROXY.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\MICROSOFT HARDWARE\MOUSE\POINT32.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS1977\HIJACKTHIS.EXE

O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET
O4 - HKLM\..\Run: [Norton eMail Protect] C:\PROGRAM FILES\NORTON ANTIVIRUS\POProxy.exe
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O8 - Extra context menu item: Add to &Block List... - C:\PROGRA~1\ADSHIELD\ADSHIELD\suppress.htm
O8 - Extra context menu item: &Maintain Block List... - C:\PROGRA~1\ADSHIELD\ADSHIELD\maintain.htm
O8 - Extra context menu item: AdShield Option &Settings... - C:\PROGRA~1\ADSHIELD\ADSHIELD\settings.htm
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: Juno (HKCU)
O9 - Extra button: AdShield (HKCU)
O12 - Plugin for .MTD: C:\PROGRA~1\INTERN~1\Plugins\npmusicn.dll
O12 - Plugin for .wav: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .ofb: C:\PROGRA~1\INTERN~1\PLUGINS\NPONFLOW.DLL
O12 - Plugin for .mp3: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin3.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {226906C8-B910-11D3-82A3-0000F81A655B} (Mbayactx Control) - http://ez.messagebay.com/code1/mbayactx.cab
O16 - DPF: {E09F6B38-3A0D-11D3-B5E7-0008C7BF61F2} (DetectMN) - http://www.musicnotes.com/download/npmusicn.cab
O16 - DPF: {71CA4411-45EC-4608-B9D7-6D4B6A9D1BB4} (Attenza System Profiler) - http://service.dell.com/dell/SystemProfiler.cab
O16 - DPF: {FEC3E5A3-50F7-4B0C-97D8-01CF69DFBFC7} (Measurement Service Client) - http://ccon.madonion.com/global/msc.cab
O16 - DPF: {4E7BD74F-2B8D-469E-A3FA-F363B384B77D} (MapQuest) - http://cdn.mapquest.com/mqtoolbar/mqgold1.cab
O16 - DPF: {E7D2588A-7FB5-47DC-8830-832605661009} (Live Collaboration) - https://rr.esecurecare.net/rnt/rnl/java/RntX.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37797.9005555556
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003120501/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst.cab
O16 - DPF: {BAC01377-73DD-4796-854D-2A8997E3D68A} (Yahoo! Photos Easy Upload Tool Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/ydropper/ydropper1_1us.cab

ok let me know.
thanks a lot!


----------



## Flrman1 (Jul 26, 2002)

Well the log looks fine now! :up:

We did this the hard way. I just found out some new info on this one. Hopefully everything is OK now, but if it's not let me know.


----------



## Flrman1 (Jul 26, 2002)

I will recommend that you run Adaware and Spybot to do a final cleanup. I know that they were already recommended to you, but I don't know if you ran them or not. Either way I want you to run them again according to these settings:

Go here and download Adaware 6 Build 181

Install the program and launch it.

First, in the main window look in the bottom right corner and click on *Check for updates now* and download the latest reference files.

Make sure the following settings are made and on -------*ON=GREEN*

From the main window: Click *Start* then *Activate in-depth scan (recommended)*

Click *Use custom scanning options* then click *Customize* and have these options selected: Under *Drives and Folders* put a check by *Scan within archives* and below that under *Memory and Registry* put a check by *all* the options there.

Now click on the *Tweak* button in that same window. Under *Scanning engine* select *Unload recognized processes during scanning* and under *Cleaning Engine* select *Let windows remove files in use at next reboot*

Click *proceed* to save your settings.

Now to scan just click the *Next* button.

When the scan is finished mark everything for removal and get rid of it. (Right-click the window and choose *select all* from the drop-down menu and click *Next*.)

*Restart your computer*.

Then go here and download Spybot Search & Destroy.

Install the program and launch it.

Before scanning press *Online* and *Search for Updates*.

Put a check mark at and install *all updates*.

Click *Check for Problems* and when the scan is finished let Spybot fix/remove *all* it finds marked in RED.

*Restart your computer*.


----------



## nlocal (Feb 17, 2004)

flrman1 ,

hey will do! I will let you know ...

I have run Spybot, but just d/l Adaware...

thanks for all your help and I see you are in NC. I am in Charlotte..
reply soon


----------



## Flrman1 (Jul 26, 2002)

Always good to have another Tarheel onboard! :up:

Let us know how it's going.


----------



## nlocal (Feb 17, 2004)

Hey man,
Adaware found 57 and deleted them. Spybot found ZERO....I guess this whole case is solved..Until next time,
thanks a lot for all your help!!
Nathan
oh and I am a Tarheel, but I was born a long long time ago in Atlanta and I am very proud of my Yellow Jackets and their run to the Final 4!!!


----------



## Flrman1 (Jul 26, 2002)

Glad we could help!


----------

