Weird stuff trying to remove programs etc.

  1. 04-11-2004  #1
    JonBoy
    JonBoy is offline Junior Member

    Weird stuff trying to remove programs etc.

    Hello to all,

    I am working with a neighbors system. When I try to remove some programs from add/remove programs it will not. I was able to remove some, but when I connect to the internet they are re-installed. I have run AdAware and the first time it would not complete detecting. I then went to safe mode, ran again, over 1700 items. I removed some more thing from add/remove programs, ran again, 866 items. Then disabled system restore, down to 4 items. Tried to remove those and AdAware froze again. Safe mode, 2 critical items (the other 2 were processes) tried to remove again and it froze. Whenever I go on the internet I get a TON of popups and as I mentioned before some programs re-appear.

    Here is the hijack this log...

    Logfile of HijackThis v1.98.2
    Scan saved at 6:48:09 PM, on 11/3/2004
    Platform: Windows ME (Win9x 4.90.3000)
    MSIE: Internet Explorer v5.50 (5.50.4134.0600)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\WINDOWS\SYSTEM\SSDPSRV.EXE
    C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMKEYBD.EXE
    C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\KEYBDMGR.EXE
    C:\PROGRAM FILES\NETROPA\ONSCREEN DISPLAY\OSD.EXE
    C:\WINDOWS\RUNDLL32.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMUSBKB2.EXE
    C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
    C:\WINDOWS\SYSTEM\HPSYSDRV.EXE
    C:\PROGRAM FILES\MOTIVE\MOTMON.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\PROGRAM FILES\ADAPTEC\DIRECTCD\DIRECTCD.EXE
    C:\WINDOWS\SYSTEM\USBMMKBD.EXE
    C:\WINDOWS\SYSTEM\HIDSERV.EXE
    C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
    C:\WINDOWS\TEMP\BN5U7WO.EXE
    C:\WINDOWS\RunDLL.exe
    C:\PROGRAM FILES\COMMON FILES\TSA\TSM.EXE
    C:\PROGRAM FILES\COMMON FILES\TSA\TS.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\WINDOWS\SYSTEM\VCZ3HRG.EXE
    C:\WINDOWS\SYSTEM\JCVT9.EXE
    C:\PROGRAM FILES\AOL COMPANION\COMPANION.EXE
    C:\PROGRAM FILES\SYMANTEC\LIVEUPDATE\ALUNOTIFY.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\HJT\HIJACKTHIS.EXE

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.munky.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us2.hpwis.com
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Int ernet Settings,ProxyOverride = localhost
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    R3 - Default URLSearchHook is missing
    O1 - Hosts: 69.20.16.183 auto.search.msn.com
    O1 - Hosts: 69.20.16.183 search.netscape.com
    O1 - Hosts: 69.20.16.183 ieautosearch
    O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
    O4 - HKLM\..\Run: [Delay] C:\WINDOWS\delayrun.exe
    O4 - HKLM\..\Run: [MotiveMonitor] C:\Program Files\Motive\motmon.exe
    O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
    O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
    O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
    O4 - HKLM\..\Run: [Adaptec DirectCD] C:\Program Files\ADAPTEC\DIRECTCD\DIRECTCD.EXE
    O4 - HKLM\..\Run: [USBMMKBD] usbmmkbd.exe
    O4 - HKLM\..\Run: [Hidserv] Hidserv.exe run
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
    O4 - HKLM\..\Run: [BN5U7WO] C:\WINDOWS\TEMP\BN5U7WO.EXE
    O4 - HKLM\..\Run: [4THQMFQ5XMTXYD] C:\WINDOWS\SYSTEM\Vqxt.exe
    O4 - HKLM\..\Run: [stcinstaller] c:\installer\id53.exe
    O4 - HKLM\..\Run: [umpomc] C:\WINDOWS\SYSTEM\umpomc.exe
    O4 - HKLM\..\Run: [deinfoi] C:\WINDOWS\SYSTEM\deinfoi.exe
    O4 - HKLM\..\Run: [Create A Monster] C:\Program Files\Kudd.com\createAMonster.exe -run
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
    O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
    O4 - HKLM\..\RunServices: [Keyboard Manager] c:\Program Files\Netropa\One-touch Multimedia Keyboard\MMKeybd.exe
    O4 - HKLM\..\RunServices: [ccEvtMgr] "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
    O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
    O4 - HKCU\..\Run: [MoneyStartUp] C:\Program Files\Microsoft Money\System\Money Startup.exe
    O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
    O4 - HKCU\..\Run: [CRYPTEXT] C:\WINDOWS\SYSTEM\CRYPTEXT.EXE
    O4 - HKCU\..\Run: [MSIKBDIF] C:\WINDOWS\SYSTEM\MSIKBDIF.EXE
    O4 - HKCU\..\Run: [Tsa] C:\PROGRAM FILES\COMMON FILES\TSA\TSM.EXE
    O4 - HKCU\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe
    O4 - HKCU\..\RunServices: [MoneyStartUp] C:\Program Files\Microsoft Money\System\Money Startup.exe
    O4 - HKCU\..\RunServices: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
    O4 - HKCU\..\RunServices: [CRYPTEXT] C:\WINDOWS\SYSTEM\CRYPTEXT.EXE
    O4 - HKCU\..\RunServices: [MSIKBDIF] C:\WINDOWS\SYSTEM\MSIKBDIF.EXE
    O4 - HKCU\..\RunServices: [Tsa] C:\PROGRAM FILES\COMMON FILES\TSA\TSM.EXE
    O4 - HKCU\..\RunServices: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe
    O4 - Startup: America Online 8.0 Tray Icon.lnk = C:\Program Files\America Online 8.0\aoltray.exe
    O4 - Startup: AOL Companion.lnk = C:\Program Files\AOL Companion\companion.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
    O14 - IERESET.INF: START_PAGE_URL=http://hp.my.yahoo.com
    O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/...eInstaller.exe
    O16 - DPF: {421A63BA-4632-43E0-A942-3B4AB645BE51} - http://download-ak.systemsoap.com/ss...temsoappro.cab
    O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} - file://c:\counter.cab
    O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = aoldsl.net

    Thanks for your help in advance, I hope I have the right forum,

    Jon

  3. 05-11-2004  #2
    owen
    owen is offline D-A-L Team Member (UK)
    Hello,
    You need to try and get IE Upgraded from 5.5 to 6.0 ASAP at Windows Update.

    Please download PeperFix. Leave it for now we'll use it later.

    Close all browser windows, restart Hijack This and put a checkmark next to the following entries:

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.munky.com/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    R3 - Default URLSearchHook is missing
    O1 - Hosts: 69.20.16.183 auto.search.msn.com
    O1 - Hosts: 69.20.16.183 search.netscape.com
    O1 - Hosts: 69.20.16.183 ieautosearch
    O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
    O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
    O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime     These five in blue are optional but recommended to improve system performance
    O4 - HKLM\..\Run: [BN5U7WO] C:\WINDOWS\TEMP\BN5U7WO.EXE
    O4 - HKLM\..\Run: [4THQMFQ5XMTXYD] C:\WINDOWS\SYSTEM\Vqxt.exe
    O4 - HKLM\..\Run: [stcinstaller] c:\installer\id53.exe
    O4 - HKLM\..\Run: [umpomc] C:\WINDOWS\SYSTEM\umpomc.exe
    O4 - HKLM\..\Run: [deinfoi] C:\WINDOWS\SYSTEM\deinfoi.exe
    O4 - HKCU\..\Run: [CRYPTEXT] C:\WINDOWS\SYSTEM\CRYPTEXT.EXE
    O4 - HKCU\..\Run: [MSIKBDIF] C:\WINDOWS\SYSTEM\MSIKBDIF.EXE
    O4 - HKCU\..\Run: [Tsa] C:\PROGRAM FILES\COMMON FILES\TSA\TSM.EXE
    O4 - HKCU\..\RunServices: [CRYPTEXT] C:\WINDOWS\SYSTEM\CRYPTEXT.EXE
    O4 - HKCU\..\RunServices: [MSIKBDIF] C:\WINDOWS\SYSTEM\MSIKBDIF.EXE
    O4 - HKCU\..\RunServices: [Tsa] C:\PROGRAM FILES\COMMON FILES\TSA\TSM.EXE
    O16 - DPF: {421A63BA-4632-43E0-A942-3B4AB645BE51} - http://download-ak.systemsoap.com/s...stemsoappro.cab
    O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} - file://c:\counter.cab

    Click Fix Checked

    Then boot into Safe Mode and ensure that you are showing Hidden Files and Folders.

    Run PeperFix.exe you download earlier and click Find and Fix. Let it remove your Peper Trojan infection.

    Go to C:\Windows\Temp and once in the folder click Edit> Select All. Then hit the delete key to get rid of the entire contents of the folder. Leave the folder itself intact though.

    Delete the following files and folders:
    c:\installer
    C:\WINDOWS\SYSTEM\umpomc.exe
    C:\WINDOWS\SYSTEM\deinfoi.exe
    C:\WINDOWS\SYSTEM\CRYPTEXT.EXE
    C:\WINDOWS\SYSTEM\MSIKBDIF.EXE
    C:\PROGRAM FILES\COMMON FILES\TSA

    Reboot and post a fresh log
  4. 05-11-2004  #3
    JonBoy
    JonBoy is offline Junior Member
    Thanks Owen,

    I did IE6 upgrade, got an error on reboot (sorry did not write it down). I did notice that windows media player has some sort of problem though, not worried about that right now can re-run setup later.

    Ran HiJack this and some of the items in the list were missing. Deleted those that were left. Went to safe mode and ran PeperFix got 9 items there. Rebooted to safe mode, deleted items in c:\windows\temp. Removed files and folders as instructed, some missing there too.

    Upon booting to windows normal mode I am now getting a message from norton that there is a problem with c:\windows\temporary internet files\content.ie5\igduvx6\idleui[1].dll and c:\windows\system\idleui.dll. I chose to delete the 2 files and upon rebooting I get the message and have to delete them again. I then get the desktop and cannot use IE6?!?!

    Anyway here is the latest log...

    Logfile of HijackThis v1.98.2
    Scan saved at 5:23:28 PM, on 11/5/2004
    Platform: Windows ME (Win9x 4.90.3000)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\WINDOWS\SYSTEM\SSDPSRV.EXE
    C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMKEYBD.EXE
    C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\KEYBDMGR.EXE
    C:\PROGRAM FILES\NETROPA\ONSCREEN DISPLAY\OSD.EXE
    C:\WINDOWS\RUNDLL32.EXE
    C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMUSBKB2.EXE
    C:\WINDOWS\SYSTEM\HPSYSDRV.EXE
    C:\WINDOWS\DELAYRUN.EXE
    C:\PROGRAM FILES\MOTIVE\MOTMON.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\PROGRAM FILES\ADAPTEC\DIRECTCD\DIRECTCD.EXE
    C:\WINDOWS\SYSTEM\USBMMKBD.EXE
    C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
    C:\WINDOWS\SYSTEM\HIDSERV.EXE
    C:\WINDOWS\SYSTEM\YDUWEGM.EXE
    C:\WINDOWS\SYSTEM\SAIE.EXE
    C:\WINDOWS\SYSTEM\WINUPDT.EXE
    C:\WINDOWS\PUP.EXE
    C:\WINDOWS\PGTAFF.EXE
    C:\WINDOWS\RunDLL.exe
    C:\WINDOWS\SYSTEM\CFXNT10.EXE
    C:\WINDOWS\SYSTEM\TAPISRV.EXE
    C:\PROGRAM FILES\AMERICA ONLINE 8.0\AOLTRAY.EXE
    C:\WINDOWS\RUNDLL32.EXE
    C:\WINDOWS\SYSTEM\CVXD37.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\WINDOWS\SYSTEM\WINUPDT.EXE
    C:\PROGRAM FILES\AOL COMPANION\COMPANION.EXE
    C:\WINDOWS\SYSTEM\LMSTMLER.EXE
    C:\WINDOWS\SYSTEM\LOG40.EXE
    C:\PROGRAM FILES\AUTOUPDATE\AUTOUPDATE.EXE
    C:\PROGRAM FILES\CXTPLS\CXTPLS.EXE
    C:\PROGRAM FILES\SYMANTEC\LIVEUPDATE\ALUNOTIFY.EXE
    C:\HJT\HIJACKTHIS.EXE

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us2.hpwis.com
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Int ernet Settings,ProxyOverride = localhost
    R3 - URLSearchHook: (no name) - {20EC3D2D-33C1-4C9D-BC37-C2D500688DA2} - C:\PROGRAM FILES\TV MEDIA\TVMBHO.DLL
    O1 - Hosts: 69.20.16.183 auto.search.msn.com
    O1 - Hosts: 69.20.16.183 search.netscape.com
    O1 - Hosts: 69.20.16.183 ieautosearch
    O2 - BHO: MultiMPPObj Class - {002EB272-2590-4693-B166-FBD5D9B6FEA6} - C:\WINDOWS\MULTIMPP.DLL
    O2 - BHO: (no name) - {016235BE-59D4-4CEB-ADD5-E2378282A1D9} - C:\PROGRAM FILES\CXTPLS\CXTPLS.DLL
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [TV Media] C:\PROGRAM FILES\TV MEDIA\Tvm.exe
    O4 - HKLM\..\Run: [4THQMFQ5XMTXYD] C:\WINDOWS\SYSTEM\FteiKZ.exe
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
    O4 - HKLM\..\Run: [Delay] C:\WINDOWS\delayrun.exe
    O4 - HKLM\..\Run: [MotiveMonitor] C:\Program Files\Motive\motmon.exe
    O4 - HKLM\..\Run: [Adaptec DirectCD] C:\Program Files\ADAPTEC\DIRECTCD\DIRECTCD.EXE
    O4 - HKLM\..\Run: [USBMMKBD] usbmmkbd.exe
    O4 - HKLM\..\Run: [Hidserv] Hidserv.exe run
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [stcloader] C:\WINDOWS\SYSTEM\stcloader.exe
    O4 - HKLM\..\Run: [winupdtl] C:\WINDOWS\SYSTEM\winupdtl.exe
    O4 - HKLM\..\Run: [sabgqfy] C:\WINDOWS\SYSTEM\yduwegm.exe
    O4 - HKLM\..\Run: [saie] c:\windows\system\saie.exe
    O4 - HKLM\..\Run: [oetkrc] C:\WINDOWS\SYSTEM\oetkrc.exe
    O4 - HKLM\..\Run: [pup] c:\windows\pup.exe
    O4 - HKLM\..\Run: [pgtaff] C:\WINDOWS\pgtaff.exe
    O4 - HKLM\..\Run: [trsfmimjakdv] C:\WINDOWS\SYSTEM\YDUWEGM.EXE
    O4 - HKLM\..\Run: [vdwdmqbyrhla] C:\WINDOWS\SYSTEM\YDUWEGM.EXE
    O4 - HKLM\..\Run: [AutoLoaderAproposClient] "C:\WINDOWS\SYSTEM\CACHE\CXTPLS_LOADER.EXE" /HideUninstall /HideDir /PC=CP.FHB /ShowLegalNote=nonbranded
    O4 - HKLM\..\Run: [ot9V36l] LMSTMLER.EXE
    O4 - HKLM\..\Run: [AutoUpdater] "c:\Program Files\AutoUpdate\AutoUpdate.exe"
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
    O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
    O4 - HKLM\..\RunServices: [Keyboard Manager] c:\Program Files\Netropa\One-touch Multimedia Keyboard\MMKeybd.exe
    O4 - HKLM\..\RunServices: [ccEvtMgr] "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
    O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
    O4 - HKCU\..\Run: [TV Media] C:\PROGRAM FILES\TV MEDIA\Tvm.exe
    O4 - HKCU\..\Run: [MoneyStartUp] C:\Program Files\Microsoft Money\System\Money Startup.exe
    O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
    O4 - HKCU\..\Run: [pgtaff] C:\WINDOWS\pgtaff.exe
    O4 - HKCU\..\Run: [ZAq9RWJmP] LOG40.EXE
    O4 - HKCU\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe
    O4 - HKCU\..\RunServices: [TV Media] C:\PROGRAM FILES\TV MEDIA\Tvm.exe
    O4 - HKCU\..\RunServices: [MoneyStartUp] C:\Program Files\Microsoft Money\System\Money Startup.exe
    O4 - HKCU\..\RunServices: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
    O4 - HKCU\..\RunServices: [pgtaff] C:\WINDOWS\pgtaff.exe
    O4 - HKCU\..\RunServices: [ZAq9RWJmP] LOG40.EXE
    O4 - HKCU\..\RunServices: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe
    O4 - Startup: America Online 8.0 Tray Icon.lnk = C:\Program Files\America Online 8.0\aoltray.exe
    O4 - Startup: AOL Companion.lnk = C:\Program Files\AOL Companion\companion.exe
    O8 - Extra context menu item: Web Rebates - file://C:\PROGRAM FILES\WEB_REBATES\Sy1150\Tp1150\scri1150a.htm
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O14 - IERESET.INF: START_PAGE_URL=http://hp.my.yahoo.com
    O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/...eInstaller.exe
    O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = aoldsl.net
    O18 - Filter: text/html - {E64E4E60-EF13-4C79-A159-119762E18181} - C:\WINDOWS\SYSTEM\LMF32.DLL

    Thanks again for your assistance.
    Jon
  5. 06-11-2004  #4
    owen
    owen is offline D-A-L Team Member (UK)
    Download SSS from here. Install it, but leave it for now, we'll use it later.

    We also still have a Peper Trojan infection, so download the removal tool again if you haven't kept it and leave that for now.

    Close all browser windows, restart Hijack This and put a checkmark next to the following entries:

    R3 - URLSearchHook: (no name) - {20EC3D2D-33C1-4C9D-BC37-C2D500688DA2} - C:\PROGRAM FILES\TV MEDIA\TVMBHO.DLL
    O1 - Hosts: 69.20.16.183 auto.search.msn.com
    O1 - Hosts: 69.20.16.183 search.netscape.com
    O1 - Hosts: 69.20.16.183 ieautosearch
    O2 - BHO: MultiMPPObj Class - {002EB272-2590-4693-B166-FBD5D9B6FEA6} - C:\WINDOWS\MULTIMPP.DLL
    O2 - BHO: (no name) - {016235BE-59D4-4CEB-ADD5-E2378282A1D9} - C:\PROGRAM FILES\CXTPLS\CXTPLS.DLL
    O4 - HKLM\..\Run: [TV Media] C:\PROGRAM FILES\TV MEDIA\Tvm.exe
    O4 - HKLM\..\Run: [4THQMFQ5XMTXYD] C:\WINDOWS\SYSTEM\FteiKZ.exe
    O4 - HKLM\..\Run: [stcloader] C:\WINDOWS\SYSTEM\stcloader.exe
    O4 - HKLM\..\Run: [winupdtl] C:\WINDOWS\SYSTEM\winupdtl.exe
    O4 - HKLM\..\Run: [sabgqfy] C:\WINDOWS\SYSTEM\yduwegm.exe
    O4 - HKLM\..\Run: [saie] c:\windows\system\saie.exe
    O4 - HKLM\..\Run: [oetkrc] C:\WINDOWS\SYSTEM\oetkrc.exe
    O4 - HKLM\..\Run: [pup] c:\windows\pup.exe
    O4 - HKLM\..\Run: [pgtaff] C:\WINDOWS\pgtaff.exe
    O4 - HKLM\..\Run: [trsfmimjakdv] C:\WINDOWS\SYSTEM\YDUWEGM.EXE
    O4 - HKLM\..\Run: [vdwdmqbyrhla] C:\WINDOWS\SYSTEM\YDUWEGM.EXE
    O4 - HKLM\..\Run: [AutoLoaderAproposClient] "C:\WINDOWS\SYSTEM\CACHE\CXTPLS_LOADER.EXE" /HideUninstall /HideDir /PC=CP.FHB /ShowLegalNote=nonbranded
    O4 - HKLM\..\Run: [ot9V36l] LMSTMLER.EXE
    O4 - HKLM\..\Run: [AutoUpdater] "c:\Program Files\AutoUpdate\AutoUpdate.exe"
    O4 - HKCU\..\Run: [TV Media] C:\PROGRAM FILES\TV MEDIA\Tvm.exe
    O4 - HKCU\..\Run: [pgtaff] C:\WINDOWS\pgtaff.exe
    O4 - HKCU\..\Run: [ZAq9RWJmP] LOG40.EXE
    O4 - HKCU\..\RunServices: [TV Media] C:\PROGRAM FILES\TV MEDIA\Tvm.exe
    O4 - HKCU\..\RunServices: [pgtaff] C:\WINDOWS\pgtaff.exe
    O4 - HKCU\..\RunServices: [ZAq9RWJmP] LOG40.EXE
    O8 - Extra context menu item: Web Rebates - file://C:\PROGRAM FILES\WEB_REBATES\Sy1150\Tp1150\scri1150a.htm
    O18 - Filter: text/html - {E64E4E60-EF13-4C79-A159-119762E18181} - C:\WINDOWS\SYSTEM\LMF32.DLL

    Click Fix Checked

    Then boot into Safe Mode and ensure that you are showing Hidden Files and Folders.

    Run SSS and on the items to clear tab select both "Temporary Files" options and the "Recycle Bin" option. Then click Clear Selected Items.

    Run the Peper Trojan removal tool and let it remove the infection.

    Go to the Control Panel and double click Add/Remove programs. Uninstall the following programs:
    TV Media

    Delete the following files and folders:
    C:\PROGRAM FILES\TV MEDIA
    C:\PROGRAM FILES\CXTPLS
    C:\WINDOWS\SYSTEM\stcloader.exe
    C:\WINDOWS\SYSTEM\winupdtl.exe
    C:\WINDOWS\SYSTEM\yduwegm.exe
    c:\windows\system\saie.exe
    C:\WINDOWS\SYSTEM\oetkrc.exe
    c:\windows\pup.exe
    C:\WINDOWS\pgtaff.exe
    C:\WINDOWS\SYSTEM\YDUWEGM.EXE
    C:\WINDOWS\SYSTEM\CACHE\CXTPLS_LOADER.EXE
    C:\WINDOWS\SYSTEM\LMSTMLER.EXE
    c:\Program Files\AutoUpdate
    C:\WINDOWS\SYSTEM\LOG40.EXE
    C:\WINDOWS\SYSTEM\LMF32.DLL
    c:\windows\system\idleui.dll

    Reboot and post a fresh log
  6. 07-11-2004  #5
    JonBoy
    JonBoy is offline Junior Member
    Followed above instructions and here is the latest log...

    Logfile of HijackThis v1.98.2
    Scan saved at 6:53:59 PM, on 11/6/2004
    Platform: Windows ME (Win9x 4.90.3000)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\WINDOWS\SYSTEM\SSDPSRV.EXE
    C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMKEYBD.EXE
    C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\KEYBDMGR.EXE
    C:\PROGRAM FILES\NETROPA\ONSCREEN DISPLAY\OSD.EXE
    C:\WINDOWS\RUNDLL32.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMUSBKB2.EXE
    C:\WINDOWS\SYSTEM\HPSYSDRV.EXE
    C:\WINDOWS\DELAYRUN.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
    C:\PROGRAM FILES\MOTIVE\MOTMON.EXE
    C:\PROGRAM FILES\ADAPTEC\DIRECTCD\DIRECTCD.EXE
    C:\WINDOWS\SYSTEM\USBMMKBD.EXE
    C:\WINDOWS\SYSTEM\HIDSERV.EXE
    C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
    C:\WINDOWS\RunDLL.exe
    C:\PROGRAM FILES\SYMANTEC\LIVEUPDATE\ALUNOTIFY.EXE
    C:\PROGRAM FILES\AMERICA ONLINE 8.0\AOLTRAY.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\WINDOWS\SYSTEM\CFXNT10.EXE
    C:\WINDOWS\SYSTEM\JUV0.EXE
    C:\PROGRAM FILES\AOL COMPANION\COMPANION.EXE
    C:\HJT\HIJACKTHIS.EXE

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us2.hpwis.com
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Int ernet Settings,ProxyOverride = localhost
    R3 - URLSearchHook: (no name) - {20EC3D2D-33C1-4C9D-BC37-C2D500688DA2} - C:\PROGRAM FILES\TV MEDIA\TVMBHO.DLL (file missing)
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
    O4 - HKLM\..\Run: [Delay] C:\WINDOWS\delayrun.exe
    O4 - HKLM\..\Run: [MotiveMonitor] C:\Program Files\Motive\motmon.exe
    O4 - HKLM\..\Run: [Adaptec DirectCD] C:\Program Files\ADAPTEC\DIRECTCD\DIRECTCD.EXE
    O4 - HKLM\..\Run: [USBMMKBD] usbmmkbd.exe
    O4 - HKLM\..\Run: [Hidserv] Hidserv.exe run
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [TV Media] C:\PROGRAM FILES\TV MEDIA\Tvm.exe
    O4 - HKLM\..\Run: [4THQMFQ5XMTXYD] C:\WINDOWS\SYSTEM\FteiKZ.exe
    O4 - HKLM\..\Run: [ittstwvibpai] C:\WINDOWS\SYSTEM\YDUWEGM.EXE
    O4 - HKLM\..\Run: [ot9V36l] LMSTMLER.EXE
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
    O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
    O4 - HKLM\..\RunServices: [Keyboard Manager] c:\Program Files\Netropa\One-touch Multimedia Keyboard\MMKeybd.exe
    O4 - HKLM\..\RunServices: [ccEvtMgr] "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
    O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
    O4 - HKCU\..\Run: [MoneyStartUp] C:\Program Files\Microsoft Money\System\Money Startup.exe
    O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
    O4 - HKCU\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe
    O4 - HKCU\..\Run: [TV Media] C:\PROGRAM FILES\TV MEDIA\Tvm.exe
    O4 - Startup: America Online 8.0 Tray Icon.lnk = C:\Program Files\America Online 8.0\aoltray.exe
    O4 - Startup: AOL Companion.lnk = C:\Program Files\AOL Companion\companion.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O14 - IERESET.INF: START_PAGE_URL=http://hp.my.yahoo.com
    O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/...eInstaller.exe
    O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = aoldsl.net

    Thanks,
    Jon
  7. 07-11-2004  #6
    owen
    owen is offline D-A-L Team Member (UK)
    Hello again,
    Close all browser windows, restart Hijack This and put a checkmark next to the following entries:

    R3 - URLSearchHook: (no name) - {20EC3D2D-33C1-4C9D-BC37-C2D500688DA2} - C:\PROGRAM FILES\TV MEDIA\TVMBHO.DLL (file missing)
    O4 - HKLM\..\Run: [TV Media] C:\PROGRAM FILES\TV MEDIA\Tvm.exe
    O4 - HKLM\..\Run: [4THQMFQ5XMTXYD] C:\WINDOWS\SYSTEM\FteiKZ.exe
    O4 - HKLM\..\Run: [ittstwvibpai] C:\WINDOWS\SYSTEM\YDUWEGM.EXE
    O4 - HKLM\..\Run: [ot9V36l] LMSTMLER.EXE
    O4 - HKCU\..\Run: [TV Media] C:\PROGRAM FILES\TV MEDIA\Tvm.exe

    Click Fix Checked

    Reboot and post a fresh log
  8. 07-11-2004  #7
    JonBoy
    JonBoy is offline Junior Member
    Here is the latest log, looks like we are getting close!

    Logfile of HijackThis v1.98.2
    Scan saved at 1:13:34 PM, on 11/7/2004
    Platform: Windows ME (Win9x 4.90.3000)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\WINDOWS\SYSTEM\SSDPSRV.EXE
    C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMKEYBD.EXE
    C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\KEYBDMGR.EXE
    C:\PROGRAM FILES\NETROPA\ONSCREEN DISPLAY\OSD.EXE
    C:\WINDOWS\RUNDLL32.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMUSBKB2.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS\SYSTEM\HPSYSDRV.EXE
    C:\WINDOWS\DELAYRUN.EXE
    C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\PROGRAM FILES\MOTIVE\MOTMON.EXE
    C:\PROGRAM FILES\ADAPTEC\DIRECTCD\DIRECTCD.EXE
    C:\WINDOWS\SYSTEM\USBMMKBD.EXE
    C:\WINDOWS\SYSTEM\HIDSERV.EXE
    C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
    C:\WINDOWS\RunDLL.exe
    C:\PROGRAM FILES\SYMANTEC\LIVEUPDATE\ALUNOTIFY.EXE
    C:\PROGRAM FILES\AMERICA ONLINE 8.0\AOLTRAY.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\WINDOWS\SYSTEM\KSBSD3.EXE
    C:\WINDOWS\SYSTEM\CVXD37.EXE
    C:\PROGRAM FILES\AOL COMPANION\COMPANION.EXE
    C:\HJT\HIJACKTHIS.EXE

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us2.hpwis.com
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Int ernet Settings,ProxyOverride = localhost
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
    O4 - HKLM\..\Run: [Delay] C:\WINDOWS\delayrun.exe
    O4 - HKLM\..\Run: [MotiveMonitor] C:\Program Files\Motive\motmon.exe
    O4 - HKLM\..\Run: [Adaptec DirectCD] C:\Program Files\ADAPTEC\DIRECTCD\DIRECTCD.EXE
    O4 - HKLM\..\Run: [USBMMKBD] usbmmkbd.exe
    O4 - HKLM\..\Run: [Hidserv] Hidserv.exe run
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [4THQMFQ5XMTXYD] C:\WINDOWS\SYSTEM\Ahm9.exe
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
    O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
    O4 - HKLM\..\RunServices: [Keyboard Manager] c:\Program Files\Netropa\One-touch Multimedia Keyboard\MMKeybd.exe
    O4 - HKLM\..\RunServices: [ccEvtMgr] "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
    O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
    O4 - HKCU\..\Run: [MoneyStartUp] C:\Program Files\Microsoft Money\System\Money Startup.exe
    O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
    O4 - HKCU\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe
    O4 - Startup: America Online 8.0 Tray Icon.lnk = C:\Program Files\America Online 8.0\aoltray.exe
    O4 - Startup: AOL Companion.lnk = C:\Program Files\AOL Companion\companion.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O14 - IERESET.INF: START_PAGE_URL=http://hp.my.yahoo.com
    O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/...eInstaller.exe
    O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = aoldsl.net

    Thanks,
    Jon
  9. 09-11-2004  #8
    owen
    owen is offline D-A-L Team Member (UK)
    What I need you to do for me is fix this entry in Hijack This:

    O4 - HKLM\..\Run: [4THQMFQ5XMTXYD] C:\WINDOWS\SYSTEM\Ahm9.exe

    Then download PeperFix if you haven't already got it, then boot into Safe Mode and run it. Let it remove your infection.

    Reboot into Normal Mode.

    Run PeperFix again to check for an infection.

    Then post a fresh log.
  10. 10-11-2004  #9
    JonBoy
    JonBoy is offline Junior Member
    This is a mean one! Ok, ran hijack this and checked the line above, booted to safe mode ran peperfix and found 9 itmes again. This time I was watching the !peperfix folder and did not see anything get written to it to be deleted. Booted to normal mode, ran peperfix, 9 items, again nothing written to !peperfix folder. Re-booted to normal mode and ran peperfix again, 9 items again and nothing written to !peperfix folder. Here is the latest log...

    Looks like O4 - HKLM\..\Run: [4THQMFQ5XMTXYD] C:\WINDOWS\SYSTEM\Vqxt.exe this time but will wait for a response.


    Logfile of HijackThis v1.98.2
    Scan saved at 5:50:29 PM, on 11/9/2004
    Platform: Windows ME (Win9x 4.90.3000)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\WINDOWS\SYSTEM\SSDPSRV.EXE
    C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMKEYBD.EXE
    C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\KEYBDMGR.EXE
    C:\PROGRAM FILES\NETROPA\ONSCREEN DISPLAY\OSD.EXE
    C:\WINDOWS\RUNDLL32.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS\SYSTEM\HPSYSDRV.EXE
    C:\WINDOWS\DELAYRUN.EXE
    C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
    C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMUSBKB2.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\PROGRAM FILES\MOTIVE\MOTMON.EXE
    C:\PROGRAM FILES\ADAPTEC\DIRECTCD\DIRECTCD.EXE
    C:\WINDOWS\SYSTEM\USBMMKBD.EXE
    C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
    C:\WINDOWS\SYSTEM\HIDSERV.EXE
    C:\WINDOWS\RunDLL.exe
    C:\PROGRAM FILES\SYMANTEC\LIVEUPDATE\ALUNOTIFY.EXE
    C:\PROGRAM FILES\AMERICA ONLINE 8.0\AOLTRAY.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\WINDOWS\SYSTEM\VCZ3HRG.EXE
    C:\WINDOWS\SYSTEM\JCVT9.EXE
    C:\PROGRAM FILES\AOL COMPANION\COMPANION.EXE
    C:\HJT\HIJACKTHIS.EXE
    C:\PROGRAM FILES\SYMANTEC\LIVEUPDATE\NDETECT.EXE

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us2.hpwis.com
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Int ernet Settings,ProxyOverride = localhost
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
    O4 - HKLM\..\Run: [Delay] C:\WINDOWS\delayrun.exe
    O4 - HKLM\..\Run: [MotiveMonitor] C:\Program Files\Motive\motmon.exe
    O4 - HKLM\..\Run: [Adaptec DirectCD] C:\Program Files\ADAPTEC\DIRECTCD\DIRECTCD.EXE
    O4 - HKLM\..\Run: [USBMMKBD] usbmmkbd.exe
    O4 - HKLM\..\Run: [Hidserv] Hidserv.exe run
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [4THQMFQ5XMTXYD] C:\WINDOWS\SYSTEM\Vqxt.exe
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
    O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
    O4 - HKLM\..\RunServices: [Keyboard Manager] c:\Program Files\Netropa\One-touch Multimedia Keyboard\MMKeybd.exe
    O4 - HKLM\..\RunServices: [ccEvtMgr] "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
    O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
    O4 - HKCU\..\Run: [MoneyStartUp] C:\Program Files\Microsoft Money\System\Money Startup.exe
    O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
    O4 - HKCU\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe
    O4 - Startup: America Online 8.0 Tray Icon.lnk = C:\Program Files\America Online 8.0\aoltray.exe
    O4 - Startup: AOL Companion.lnk = C:\Program Files\AOL Companion\companion.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O14 - IERESET.INF: START_PAGE_URL=http://hp.my.yahoo.com
    O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/...eInstaller.exe
    O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = aoldsl.net


    Thanks again,
    Jon
  11. 10-11-2004  #10
    owen
    owen is offline D-A-L Team Member (UK)
    Save 20% on AVG Internet Security 2012 Suite!
    Right, you are most correct. What I want you to do for me is this. Delete the version of Peper Fix you have and the folders it created. Then reboot.

    Restart Hijack This and put a checkmark next to the entry you mentioned, or it may have morphed.

    Basically, for identifying Peper, look for the entry which is randomly generated and if you see below, the area in bold always has 14 characters.

    O4 - HKLM\..\Run: [4THQMFQ5XMTXYD] C:\WINDOWS\SYSTEM\Vqxt.exe

    Then download PeperFix again from http://download.broadbandmedic.com/PeperFix.exe.

    Run it and click Find And Fix. You will be prompted to Restart your PC. Agree to this prompt and on reboot it should delete the files.

    Post a fresh log
+ Reply to Thread
Page 1 of 2 1 2 LastLast
« coolwwwsearch.smartsearch. | all these files c:\ drive do i need any of them »