This is driving me crazy! I keep getting a spyware message that starts with a window that says the following BHO has been added to my computer:
{26CCEO3A-1BF4-4214-AOB4-FB72B95ABC3E} It says it's in C:\WINDOWS\SYSTEMS\LIDFAOD.DDL
It asked me what I want to do and I indicate "remove BHO". The following boxes then appear:
Your IE Search page has been changed from yahoo.com to about blank
I indicate "restore old values"
Your IE current user search bar has been changed from <none> to C:\WINDOWS\TEMP\SP.HTML
I indicate "restore old values"
Your IE local machine search page has been changed from <none> to C:\WINDOWS\TEMP\SP.HTML
I indicate "restore old values"
Your IE local machine search bar has been changed from <none> to C:\WINDOWS\TEMP\SP.HTML
I indicate "restore old values"
This happens everytime I open my browser, and sometimes when I am on the net. It happened a while back and I rebooted in safe mode and ran a HighjackThis scan and posted it to this site. I thought we had it cleaned up, but it's back.
Here's the log I ran just now:
Logfile of HijackThis v1.98.0
Scan saved at 8:11:03 AM, on 7/28/2004
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\WINDOWS\SYSTEM\CBA\PDS.EXE
C:\WINDOWS\SYSTEM\CBA\XFR.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\RTVSCN95.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\DEFWATCH.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\MSGSYS.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMKEYBD.EXE
C:\PROGRAM FILES\ADAPTEC\DIRECTCD\DIRECTCD.EXE
C:\WINDOWS\SYSTEM\HPSYSDRV.EXE
C:\WINDOWS\MCBIN\AV\RT\MGAVRTCL.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\VPTRAY.EXE
C:\WINDOWS\SYSTEM\LEXBCES.EXE
C:\PROGRAM FILES\MOTIVE\MOTMON.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\KEYBDMGR.EXE
C:\WINDOWS\OPTIONS\CABS\LOGITECH\HP_FINDER.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\SYSTEM\B142E3.EXE
C:\WINDOWS\RunDLL.exe
C:\PROGRAM FILES\NETROPA\ONSCREEN DISPLAY\OSD.EXE
C:\PROGRAM FILES\JIMMYSURF\JIMMYSURF.EXE
C:\PROGRAM FILES\SPYWAREGUARD\SGMAIN.EXE
C:\WINDOWS\SYSTEM\LEXPPS.EXE
C:\WINDOWS\MCBIN\AV\RT\MGAVRTE.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMUSBKB2.EXE
C:\PROGRAM FILES\SPYWAREGUARD\SGBHP.EXE
C:\PROGRAM FILES\JIMMYSURF\KEEPCLEAN.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\HIJACK THIS\HIJACKTHIS.EXE
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\WINDOWS\TEMP\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\WINDOWS\TEMP\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\PROGRAM FILES\SPYWAREGUARD\DLPROTECT.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Keyboard Manager] C:\Program Files\Netropa\One-touch Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [Adaptec DirectCD] C:\Program Files\ADAPTEC\DIRECTCD\DIRECTCD.EXE
O4 - HKLM\..\Run: [LexStart] lexstart.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [Delay] C:\WINDOWS\delayrun.exe
O4 - HKLM\..\Run: [mgavrtclexe] C:\WINDOWS\MCBin\AV\Rt\mgavrtcl.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\Norton AntiVirus\vptray.exe
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [MotiveMonitor] C:\Program Files\Motive\motmon.exe
O4 - HKLM\..\Run: [HPLogiFinder] \WINDOWS\OPTIONS\CABS\LOGITECH\HP_FINDER.EXE
O4 - HKLM\..\Run: [system check] C:\WINDOWS\DOWNLOADED PROGRAM FILES\UPDATER.EXE
O4 - HKLM\..\Run: [web] C:\WINDOWS\SYSTEM\B142E3.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [Intel PDS] C:\WINDOWS\system\cba\pds.exe
O4 - HKLM\..\RunServices: [Intel File Transfer] C:\WINDOWS\system\cba\xfr.exe
O4 - HKLM\..\RunServices: [rtvscn95] C:\Program Files\Norton AntiVirus\rtvscn95.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [defwatch] C:\Program Files\Norton AntiVirus\defwatch.exe
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - HKCU\..\Run: [MoneyStartUp] C:\Program Files\Microsoft Money\System\Money Startup.exe
O4 - HKCU\..\Run: [JimmySurf] C:\PROGRAM FILES\JIMMYSURF\JIMMYSURF.EXE -Boot
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O14 - IERESET.INF: START_PAGE_URL=http://hp.my.yahoo.com
O16 - DPF: {869F3BBC-A812-4D13-A93B-7B3FC816DCD5} (McAfee.com Updater) - http://download.mcafee.com/molbin/clinic/v...can/mcasupd.cab
O18 - Filter: text/html - {3A7B346D-F0F2-40A1-B6FA-C6DF8846F1D5} - C:\WINDOWS\SYSTEM\LIDFAOD.DLL
O18 - Filter: text/plain - {3A7B346D-F0F2-40A1-B6FA-C6DF8846F1D5} - C:\WINDOWS\SYSTEM\LIDFAOD.DLL
Any suggestions???? I'm really frustrated by this! :mad:
As always - THANKS!
Angel
Full Version: I can't get rid of this BHO
=== Find Name of Hidden dll ===
Download: "StartDreck", from here:
http://members.blackbox.net/hp_links/21/ni.../startdreck.htm
http://www.niksoft.at/download/startdreck.htm
Unzip to its own folder and start the program,
Press 'Config'
Press 'Unmark All'
Check the following boxes only:
Registry -> Run Keys
System/drivers> Running processes
Press 'Ok'
Press 'Save' and select the location to save the log file
(default is the same folder as the application)
Post the log in this thread.
Download: "StartDreck", from here:
http://members.blackbox.net/hp_links/21/ni.../startdreck.htm
http://www.niksoft.at/download/startdreck.htm
Unzip to its own folder and start the program,
Press 'Config'
Press 'Unmark All'
Check the following boxes only:
Registry -> Run Keys
System/drivers> Running processes
Press 'Ok'
Press 'Save' and select the location to save the log file
(default is the same folder as the application)
Post the log in this thread.
Hello LoPhatPhuud! (Me again - sorry) Here is the startderek log:
StartDreck (build 2.1.5 public BETA) - 2004-07-29 @ 06:16:40
Platform: Windows ME (Win 4.90.3000 )
舞egistry
舞un Keys
翟urrent User
舞un
*Taskbar Display Controls=RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
*MoneyStartUp=C:\Program Files\Microsoft Money\System\Money Startup.exe
*JimmySurf=C:\PROGRAM FILES\JIMMYSURF\JIMMYSURF.EXE -Boot
舞unOnce
聞efault User
舞un
*Taskbar Display Controls=RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
*MoneyStartUp=C:\Program Files\Microsoft Money\System\Money Startup.exe
*JimmySurf=C:\PROGRAM FILES\JIMMYSURF\JIMMYSURF.EXE -Boot
舞unOnce
腿ocal Machine
舞un
*ScanRegistry=C:\WINDOWS\scanregw.exe /autorun
*TaskMonitor=C:\WINDOWS\taskmon.exe
*PCHealth=C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
*SystemTray=SysTray.Exe
*LoadPowerProfile=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
*Keyboard Manager=C:\Program Files\Netropa\One-touch Multimedia Keyboard\MMKeybd.exe
*Adaptec DirectCD=C:\Program Files\ADAPTEC\DIRECTCD\DIRECTCD.EXE
*LexStart=lexstart.exe
*MMTray=
*hpsysdrv=c:\windows\system\hpsysdrv.exe
*Delay=C:\WINDOWS\delayrun.exe
*mgavrtclexe=C:\WINDOWS\MCBin\AV\Rt\mgavrtcl.exe
*vptray=C:\Program Files\Norton AntiVirus\vptray.exe
*WorksFUD=C:\Program Files\Microsoft Works\wkfud.exe
*Microsoft Works Portfolio=C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
*Microsoft Works Update Detection=C:\Program Files\Microsoft Works\WkDetect.exe
*MotiveMonitor=C:\Program Files\Motive\motmon.exe
*HPLogiFinder=\WINDOWS\OPTIONS\CABS\LOGITECH\HP_FINDER.EXE
*system check=C:\WINDOWS\DOWNLOADED PROGRAM FILES\UPDATER.EXE
*web=C:\WINDOWS\SYSTEM\B142E3.EXE
*Installed=1
*NoChange=1
*Installed=1
*Installed=1
舞unOnce
舞unServices
*LoadPowerProfile=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
*SchedulingAgent=mstask.exe
*SSDPSRV=C:\WINDOWS\SYSTEM\ssdpsrv.exe
*Intel PDS=C:\WINDOWS\system\cba\pds.exe
*Intel File Transfer=C:\WINDOWS\system\cba\xfr.exe
*rtvscn95=C:\Program Files\Norton AntiVirus\rtvscn95.exe
**StateMgr=C:\WINDOWS\System\Restore\StateMgr.exe
*defwatch=C:\Program Files\Norton AntiVirus\defwatch.exe
舞unServicesOnce
**v=rundll32 C:\WINDOWS\SYSTEM\WDMH.DLL,StreamingDeviceSetup
舞unOnceEx
舞unServicesOnceEx
肇iles
艋ystem/Drivers
舞unning Processes
*FF0F6E0D=C:\WINDOWS\SYSTEM\KERNEL32.DLL
*FFFFA5F9=C:\WINDOWS\SYSTEM\MSGSRV32.EXE
*FFFFC5ED=C:\WINDOWS\SYSTEM\mmtask.tsk
*FFFFC029=C:\WINDOWS\SYSTEM\MPREXE.EXE
*FFFE084D=C:\WINDOWS\SYSTEM\MSTASK.EXE
*FFFE1AC1=C:\WINDOWS\SYSTEM\SSDPSRV.EXE
*FFFE68A9=C:\WINDOWS\SYSTEM\CBA\PDS.EXE
*FFFEB0E5=C:\WINDOWS\SYSTEM\CBA\XFR.EXE
*FFFECA69=C:\PROGRAM FILES\NORTON ANTIVIRUS\RTVSCN95.EXE
*FFFECB3D=C:\PROGRAM FILES\NORTON ANTIVIRUS\DEFWATCH.EXE
*FFFDA9E5=C:\WINDOWS\EXPLORER.EXE
*FFFE83A9=C:\WINDOWS\RUNDLL32.EXE
*FFFE59C1=C:\WINDOWS\SYSTEM\MSGSYS.EXE
*FFFC3135=C:\WINDOWS\TASKMON.EXE
*FFFC012D=C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
*FFFBAD6D=C:\WINDOWS\SYSTEM\SYSTRAY.EXE
*FFFB3ECD=C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMKEYBD.EXE
*FFFB71A5=C:\PROGRAM FILES\ADAPTEC\DIRECTCD\DIRECTCD.EXE
*FFF97409=C:\WINDOWS\SYSTEM\HPSYSDRV.EXE
*FFF96E05=C:\WINDOWS\MCBIN\AV\RT\MGAVRTCL.EXE
*FFFA9159=C:\PROGRAM FILES\NORTON ANTIVIRUS\VPTRAY.EXE
*FFFAF471=C:\WINDOWS\SYSTEM\LEXBCES.EXE
*FFF974D1=C:\PROGRAM FILES\MOTIVE\MOTMON.EXE
*FFFA8CA5=C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\KEYBDMGR.EXE
*FFFB596D=C:\WINDOWS\OPTIONS\CABS\LOGITECH\HP_FINDER.EXE
*FFF95095=C:\WINDOWS\SYSTEM\WMIEXE.EXE
*FFF9C9C5=C:\WINDOWS\SYSTEM\RPCSS.EXE
*FFFBCA59=C:\WINDOWS\SYSTEM\B142E3.EXE
*FFF86FC1=C:\WINDOWS\RunDLL.exe
*FFF8F529=C:\PROGRAM FILES\NETROPA\ONSCREEN DISPLAY\OSD.EXE
*FFF8F625=C:\PROGRAM FILES\JIMMYSURF\JIMMYSURF.EXE
*FFF72741=C:\PROGRAM FILES\SPYWAREGUARD\SGMAIN.EXE
*FFF79B9D=C:\WINDOWS\SYSTEM\LEXPPS.EXE
*FFF9DF55=C:\WINDOWS\MCBIN\AV\RT\MGAVRTE.EXE
*FFF6B3DD=C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMUSBKB2.EXE
*FFF5BC31=C:\PROGRAM FILES\SPYWAREGUARD\SGBHP.EXE
*FFF941E5=C:\PROGRAM FILES\JIMMYSURF\KEEPCLEAN.EXE
*FFF31E95=C:\WINDOWS\SYSTEM\DDHELP.EXE
*FFF33525=C:\WINDOWS\SYSTEM\SPOOL32.EXE
*FFF35D1D=C:\WINDOWS\SYSTEM\PSTORES.EXE
*FFF4C471=C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
*FFF27755=C:\WINDOWS\DESKTOP\STARTDRECK\STARTDRECK.EXE
翠pplication specific
Thank you for everything! Angel
StartDreck (build 2.1.5 public BETA) - 2004-07-29 @ 06:16:40
Platform: Windows ME (Win 4.90.3000 )
舞egistry
舞un Keys
翟urrent User
舞un
*Taskbar Display Controls=RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
*MoneyStartUp=C:\Program Files\Microsoft Money\System\Money Startup.exe
*JimmySurf=C:\PROGRAM FILES\JIMMYSURF\JIMMYSURF.EXE -Boot
舞unOnce
聞efault User
舞un
*Taskbar Display Controls=RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
*MoneyStartUp=C:\Program Files\Microsoft Money\System\Money Startup.exe
*JimmySurf=C:\PROGRAM FILES\JIMMYSURF\JIMMYSURF.EXE -Boot
舞unOnce
腿ocal Machine
舞un
*ScanRegistry=C:\WINDOWS\scanregw.exe /autorun
*TaskMonitor=C:\WINDOWS\taskmon.exe
*PCHealth=C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
*SystemTray=SysTray.Exe
*LoadPowerProfile=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
*Keyboard Manager=C:\Program Files\Netropa\One-touch Multimedia Keyboard\MMKeybd.exe
*Adaptec DirectCD=C:\Program Files\ADAPTEC\DIRECTCD\DIRECTCD.EXE
*LexStart=lexstart.exe
*MMTray=
*hpsysdrv=c:\windows\system\hpsysdrv.exe
*Delay=C:\WINDOWS\delayrun.exe
*mgavrtclexe=C:\WINDOWS\MCBin\AV\Rt\mgavrtcl.exe
*vptray=C:\Program Files\Norton AntiVirus\vptray.exe
*WorksFUD=C:\Program Files\Microsoft Works\wkfud.exe
*Microsoft Works Portfolio=C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
*Microsoft Works Update Detection=C:\Program Files\Microsoft Works\WkDetect.exe
*MotiveMonitor=C:\Program Files\Motive\motmon.exe
*HPLogiFinder=\WINDOWS\OPTIONS\CABS\LOGITECH\HP_FINDER.EXE
*system check=C:\WINDOWS\DOWNLOADED PROGRAM FILES\UPDATER.EXE
*web=C:\WINDOWS\SYSTEM\B142E3.EXE
*Installed=1
*NoChange=1
*Installed=1
*Installed=1
舞unOnce
舞unServices
*LoadPowerProfile=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
*SchedulingAgent=mstask.exe
*SSDPSRV=C:\WINDOWS\SYSTEM\ssdpsrv.exe
*Intel PDS=C:\WINDOWS\system\cba\pds.exe
*Intel File Transfer=C:\WINDOWS\system\cba\xfr.exe
*rtvscn95=C:\Program Files\Norton AntiVirus\rtvscn95.exe
**StateMgr=C:\WINDOWS\System\Restore\StateMgr.exe
*defwatch=C:\Program Files\Norton AntiVirus\defwatch.exe
舞unServicesOnce
**v=rundll32 C:\WINDOWS\SYSTEM\WDMH.DLL,StreamingDeviceSetup
舞unOnceEx
舞unServicesOnceEx
肇iles
艋ystem/Drivers
舞unning Processes
*FF0F6E0D=C:\WINDOWS\SYSTEM\KERNEL32.DLL
*FFFFA5F9=C:\WINDOWS\SYSTEM\MSGSRV32.EXE
*FFFFC5ED=C:\WINDOWS\SYSTEM\mmtask.tsk
*FFFFC029=C:\WINDOWS\SYSTEM\MPREXE.EXE
*FFFE084D=C:\WINDOWS\SYSTEM\MSTASK.EXE
*FFFE1AC1=C:\WINDOWS\SYSTEM\SSDPSRV.EXE
*FFFE68A9=C:\WINDOWS\SYSTEM\CBA\PDS.EXE
*FFFEB0E5=C:\WINDOWS\SYSTEM\CBA\XFR.EXE
*FFFECA69=C:\PROGRAM FILES\NORTON ANTIVIRUS\RTVSCN95.EXE
*FFFECB3D=C:\PROGRAM FILES\NORTON ANTIVIRUS\DEFWATCH.EXE
*FFFDA9E5=C:\WINDOWS\EXPLORER.EXE
*FFFE83A9=C:\WINDOWS\RUNDLL32.EXE
*FFFE59C1=C:\WINDOWS\SYSTEM\MSGSYS.EXE
*FFFC3135=C:\WINDOWS\TASKMON.EXE
*FFFC012D=C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
*FFFBAD6D=C:\WINDOWS\SYSTEM\SYSTRAY.EXE
*FFFB3ECD=C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMKEYBD.EXE
*FFFB71A5=C:\PROGRAM FILES\ADAPTEC\DIRECTCD\DIRECTCD.EXE
*FFF97409=C:\WINDOWS\SYSTEM\HPSYSDRV.EXE
*FFF96E05=C:\WINDOWS\MCBIN\AV\RT\MGAVRTCL.EXE
*FFFA9159=C:\PROGRAM FILES\NORTON ANTIVIRUS\VPTRAY.EXE
*FFFAF471=C:\WINDOWS\SYSTEM\LEXBCES.EXE
*FFF974D1=C:\PROGRAM FILES\MOTIVE\MOTMON.EXE
*FFFA8CA5=C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\KEYBDMGR.EXE
*FFFB596D=C:\WINDOWS\OPTIONS\CABS\LOGITECH\HP_FINDER.EXE
*FFF95095=C:\WINDOWS\SYSTEM\WMIEXE.EXE
*FFF9C9C5=C:\WINDOWS\SYSTEM\RPCSS.EXE
*FFFBCA59=C:\WINDOWS\SYSTEM\B142E3.EXE
*FFF86FC1=C:\WINDOWS\RunDLL.exe
*FFF8F529=C:\PROGRAM FILES\NETROPA\ONSCREEN DISPLAY\OSD.EXE
*FFF8F625=C:\PROGRAM FILES\JIMMYSURF\JIMMYSURF.EXE
*FFF72741=C:\PROGRAM FILES\SPYWAREGUARD\SGMAIN.EXE
*FFF79B9D=C:\WINDOWS\SYSTEM\LEXPPS.EXE
*FFF9DF55=C:\WINDOWS\MCBIN\AV\RT\MGAVRTE.EXE
*FFF6B3DD=C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMUSBKB2.EXE
*FFF5BC31=C:\PROGRAM FILES\SPYWAREGUARD\SGBHP.EXE
*FFF941E5=C:\PROGRAM FILES\JIMMYSURF\KEEPCLEAN.EXE
*FFF31E95=C:\WINDOWS\SYSTEM\DDHELP.EXE
*FFF33525=C:\WINDOWS\SYSTEM\SPOOL32.EXE
*FFF35D1D=C:\WINDOWS\SYSTEM\PSTORES.EXE
*FFF4C471=C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
*FFF27755=C:\WINDOWS\DESKTOP\STARTDRECK\STARTDRECK.EXE
翠pplication specific
Thank you for everything! Angel
=== Delete Hidden dll === (preferred method)
Download: "Win98Fix.zip" from here:
http://downloads.subratam.org/Win98fix.zip
Unzip to its own folder.
Open Folder and double click on RunFix.reg file.
Hit 'Yes' to merge it into your registry.
Restart your computer.
The bad file should now be visible so you can delete it.
Browse to C:\WINDOWS\SYSTEM\WDMH.DLL
Right click on it to remove any read only protection. Then delete it.
(If you cannot find the file, run the 'Who.bat' file in the folder.
The file will be found and listed.)
=== Clean Remaining Infection ===
Please Download CoolWebShredder from:
http://www.merijn.org/files/cwshredder.zip
http://www.zerosrealm.com/downloads/CWShredder.zip
Extract CWShredder to its own folder,
Click the 'Fix ->' button.
Make sure you let it fix all CWS Remnants.
Next:
Download the latest version of Ad-Aware at
http://www.lavasoft.de/software/adaware/
After installing AAW, and before running the program, you NEED to FIRST update the reference file following the instructions here: http://www.lavahelp.com/howto/updref/index.html
Select 'custom options'.
Select your drive, scan and fix all it finds.
Last:
Post a new HiJackThis log in this thread.
Download: "Win98Fix.zip" from here:
http://downloads.subratam.org/Win98fix.zip
Unzip to its own folder.
Open Folder and double click on RunFix.reg file.
Hit 'Yes' to merge it into your registry.
Restart your computer.
The bad file should now be visible so you can delete it.
Browse to C:\WINDOWS\SYSTEM\WDMH.DLL
Right click on it to remove any read only protection. Then delete it.
(If you cannot find the file, run the 'Who.bat' file in the folder.
The file will be found and listed.)
=== Clean Remaining Infection ===
Please Download CoolWebShredder from:
http://www.merijn.org/files/cwshredder.zip
http://www.zerosrealm.com/downloads/CWShredder.zip
Extract CWShredder to its own folder,
Click the 'Fix ->' button.
Make sure you let it fix all CWS Remnants.
Next:
Download the latest version of Ad-Aware at
http://www.lavasoft.de/software/adaware/
After installing AAW, and before running the program, you NEED to FIRST update the reference file following the instructions here: http://www.lavahelp.com/howto/updref/index.html
Select 'custom options'.
Select your drive, scan and fix all it finds.
Last:
Post a new HiJackThis log in this thread.
YEAH! You are the BEST!!! I followed the instructions, and the problem seems to be fixed. Here's the latest HighjackThis log:Logfile of HijackThis v1.98.0
Scan saved at 9:02:26 AM, on 7/29/2004
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\WINDOWS\SYSTEM\CBA\PDS.EXE
C:\WINDOWS\SYSTEM\CBA\XFR.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\RTVSCN95.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\DEFWATCH.EXE
C:\WINDOWS\SYSTEM\MSGSYS.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMKEYBD.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\ADAPTEC\DIRECTCD\DIRECTCD.EXE
C:\WINDOWS\SYSTEM\HPSYSDRV.EXE
C:\WINDOWS\DELAYRUN.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\KEYBDMGR.EXE
C:\WINDOWS\SYSTEM\LEXBCES.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\VPTRAY.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\PROGRAM FILES\NETROPA\ONSCREEN DISPLAY\OSD.EXE
C:\PROGRAM FILES\MOTIVE\MOTMON.EXE
C:\WINDOWS\SYSTEM\LEXPPS.EXE
C:\WINDOWS\SYSTEM\B142E3.EXE
C:\WINDOWS\RunDLL.exe
C:\PROGRAM FILES\JIMMYSURF\JIMMYSURF.EXE
C:\PROGRAM FILES\SPYWAREGUARD\SGMAIN.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMUSBKB2.EXE
C:\PROGRAM FILES\JIMMYSURF\KEEPCLEAN.EXE
C:\PROGRAM FILES\SPYWAREGUARD\SGBHP.EXE
C:\PROGRAM FILES\HIJACK THIS\HIJACKTHIS.EXE
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\WINDOWS\TEMP\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\WINDOWS\TEMP\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\PROGRAM FILES\SPYWAREGUARD\DLPROTECT.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Keyboard Manager] C:\Program Files\Netropa\One-touch Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [Adaptec DirectCD] C:\Program Files\ADAPTEC\DIRECTCD\DIRECTCD.EXE
O4 - HKLM\..\Run: [LexStart] lexstart.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [Delay] C:\WINDOWS\delayrun.exe
O4 - HKLM\..\Run: [mgavrtclexe] C:\WINDOWS\MCBin\AV\Rt\mgavrtcl.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\Norton AntiVirus\vptray.exe
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [MotiveMonitor] C:\Program Files\Motive\motmon.exe
O4 - HKLM\..\Run: [HPLogiFinder] \WINDOWS\OPTIONS\CABS\LOGITECH\HP_FINDER.EXE
O4 - HKLM\..\Run: [system check] C:\WINDOWS\DOWNLOADED PROGRAM FILES\UPDATER.EXE
O4 - HKLM\..\Run: [web] C:\WINDOWS\SYSTEM\B142E3.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [Intel PDS] C:\WINDOWS\system\cba\pds.exe
O4 - HKLM\..\RunServices: [Intel File Transfer] C:\WINDOWS\system\cba\xfr.exe
O4 - HKLM\..\RunServices: [rtvscn95] C:\Program Files\Norton AntiVirus\rtvscn95.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [defwatch] C:\Program Files\Norton AntiVirus\defwatch.exe
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - HKCU\..\Run: [MoneyStartUp] C:\Program Files\Microsoft Money\System\Money Startup.exe
O4 - HKCU\..\Run: [JimmySurf] C:\PROGRAM FILES\JIMMYSURF\JIMMYSURF.EXE -Boot
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O14 - IERESET.INF: START_PAGE_URL=http://hp.my.yahoo.com
O16 - DPF: {869F3BBC-A812-4D13-A93B-7B3FC816DCD5} (McAfee.com Updater) - http://download.mcafee.com/molbin/clinic/v...can/mcasupd.cab
Thank you (a million times)!!!
Angel
Before we begin, please be sure that HiJackThis is in its own folder. This will allow us to use backups to restore entries if necessary. Please do not put HiJackThis in a temporary folder, or on the Desktop. I suggest using 'c:\program files\hijackthis\' or C:\HiJackThis\, but any name you choose is fine.
Check the following items in HijackThis.
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\WINDOWS\TEMP\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\WINDOWS\TEMP\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O4 - HKLM\..\Run: [system check] C:\WINDOWS\DOWNLOADED PROGRAM FILES\UPDATER.EXE
O4 - HKLM\..\Run: [web] C:\WINDOWS\SYSTEM\B142E3.EXE
Close all windows except HijackThis and click Fix checked.
Reboot in Safe Mode*, delete the following: (you may need to show hidden files**)
C:\WINDOWS\DOWNLOADED PROGRAM FILES\UPDATER.EXE
C:\WINDOWS\SYSTEM\B142E3.EXE
*How to Boot into Safe mode: http://service1.symantec.com/SUPPORT/tsgen...001052409420406
**Show Hidden and System files and folders
http://www.xtra.co.nz/help/0,,4155-1916458,00.html
Also, uncheck the boxes for hiding known file extensions and hiding protected operating system files. We want to see it all. When we finish here, it would be a good idea to rehide the protected operating system files but leave the rest to be shown.
Reboot in normal mode.
HiJackThis version 198.0 is now available.
If you do not already have it installed, download it from here:
http://209.133.47.12/~merijn/files/HijackThis.exe
http://downloads.net-integration.net/HijackThis.exe
http://www.computercops.biz/downloads-file-328.html
Then run HiJackThis again and post a new log in this thread.
Check the following items in HijackThis.
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\WINDOWS\TEMP\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\WINDOWS\TEMP\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O4 - HKLM\..\Run: [system check] C:\WINDOWS\DOWNLOADED PROGRAM FILES\UPDATER.EXE
O4 - HKLM\..\Run: [web] C:\WINDOWS\SYSTEM\B142E3.EXE
Close all windows except HijackThis and click Fix checked.
Reboot in Safe Mode*, delete the following: (you may need to show hidden files**)
C:\WINDOWS\DOWNLOADED PROGRAM FILES\UPDATER.EXE
C:\WINDOWS\SYSTEM\B142E3.EXE
*How to Boot into Safe mode: http://service1.symantec.com/SUPPORT/tsgen...001052409420406
**Show Hidden and System files and folders
http://www.xtra.co.nz/help/0,,4155-1916458,00.html
Also, uncheck the boxes for hiding known file extensions and hiding protected operating system files. We want to see it all. When we finish here, it would be a good idea to rehide the protected operating system files but leave the rest to be shown.
Reboot in normal mode.
HiJackThis version 198.0 is now available.
If you do not already have it installed, download it from here:
http://209.133.47.12/~merijn/files/HijackThis.exe
http://downloads.net-integration.net/HijackThis.exe
http://www.computercops.biz/downloads-file-328.html
Then run HiJackThis again and post a new log in this thread.
Hello!
I did as you suggested. Here is the latest Highjack This Log:
Logfile of HijackThis v1.98.0
Scan saved at 2:24:39 AM, on 7/30/2004
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\HIJACK THIS\HIJACKTHIS.EXE
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\PROGRAM FILES\SPYWAREGUARD\DLPROTECT.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Keyboard Manager] C:\Program Files\Netropa\One-touch Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [Adaptec DirectCD] C:\Program Files\ADAPTEC\DIRECTCD\DIRECTCD.EXE
O4 - HKLM\..\Run: [LexStart] lexstart.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [Delay] C:\WINDOWS\delayrun.exe
O4 - HKLM\..\Run: [mgavrtclexe] C:\WINDOWS\MCBin\AV\Rt\mgavrtcl.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\Norton AntiVirus\vptray.exe
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [MotiveMonitor] C:\Program Files\Motive\motmon.exe
O4 - HKLM\..\Run: [HPLogiFinder] \WINDOWS\OPTIONS\CABS\LOGITECH\HP_FINDER.EXE
O4 - HKLM\..\Run: [MSConfigReminder] C:\WINDOWS\SYSTEM\msconfig.exe /reminder
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [Intel PDS] C:\WINDOWS\system\cba\pds.exe
O4 - HKLM\..\RunServices: [Intel File Transfer] C:\WINDOWS\system\cba\xfr.exe
O4 - HKLM\..\RunServices: [rtvscn95] C:\Program Files\Norton AntiVirus\rtvscn95.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [defwatch] C:\Program Files\Norton AntiVirus\defwatch.exe
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - HKCU\..\Run: [MoneyStartUp] C:\Program Files\Microsoft Money\System\Money Startup.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O14 - IERESET.INF: START_PAGE_URL=http://hp.my.yahoo.com
O16 - DPF: {869F3BBC-A812-4D13-A93B-7B3FC816DCD5} (McAfee.com Updater) - http://download.mcafee.com/molbin/clinic/v...can/mcasupd.cab
I think we got it!!! WDYT? Thanks! Angel
I did as you suggested. Here is the latest Highjack This Log:
Logfile of HijackThis v1.98.0
Scan saved at 2:24:39 AM, on 7/30/2004
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\HIJACK THIS\HIJACKTHIS.EXE
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\PROGRAM FILES\SPYWAREGUARD\DLPROTECT.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Keyboard Manager] C:\Program Files\Netropa\One-touch Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [Adaptec DirectCD] C:\Program Files\ADAPTEC\DIRECTCD\DIRECTCD.EXE
O4 - HKLM\..\Run: [LexStart] lexstart.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [Delay] C:\WINDOWS\delayrun.exe
O4 - HKLM\..\Run: [mgavrtclexe] C:\WINDOWS\MCBin\AV\Rt\mgavrtcl.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\Norton AntiVirus\vptray.exe
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [MotiveMonitor] C:\Program Files\Motive\motmon.exe
O4 - HKLM\..\Run: [HPLogiFinder] \WINDOWS\OPTIONS\CABS\LOGITECH\HP_FINDER.EXE
O4 - HKLM\..\Run: [MSConfigReminder] C:\WINDOWS\SYSTEM\msconfig.exe /reminder
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [Intel PDS] C:\WINDOWS\system\cba\pds.exe
O4 - HKLM\..\RunServices: [Intel File Transfer] C:\WINDOWS\system\cba\xfr.exe
O4 - HKLM\..\RunServices: [rtvscn95] C:\Program Files\Norton AntiVirus\rtvscn95.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [defwatch] C:\Program Files\Norton AntiVirus\defwatch.exe
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - HKCU\..\Run: [MoneyStartUp] C:\Program Files\Microsoft Money\System\Money Startup.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O14 - IERESET.INF: START_PAGE_URL=http://hp.my.yahoo.com
O16 - DPF: {869F3BBC-A812-4D13-A93B-7B3FC816DCD5} (McAfee.com Updater) - http://download.mcafee.com/molbin/clinic/v...can/mcasupd.cab
I think we got it!!! WDYT? Thanks! Angel
At last, your system is clean and free of spyware! Want to keep it that way?
Here are some simple steps you can take to reduce the chance of infection in the future.
1. Visit Windows Update: <-- YOU NEED TO DO THIS!!
Make sure that you have all the Critical Updates recommended for your operating system and IE. The first defense against infection is a properly patched OS.
a. Windows Update: http://v4.windowsupdate.microsoft.com/en/default.asp
1. Adjust your security settings for ActiveX:]
Go to Internet Options/Security/Internet, press 'default level', then OK.
Now press "Custom Level."
In the ActiveX section, set the first option, 'Download signed controls', to 'Prompt; set the
second option, 'Download unsigned controls', to 'Disable'; and finally, set 'Initialize and Script ActiveX controls not marked as safe" to 'Disable'.
2. Download and install the following free programs
a. SpywareBlaster: http://www.javacoolsoftware.com/spywareblaster.html
b. SpywareGuard: http://www.wilderssecurity.net/spywareguard.html
c. IE/Spyad: https://netfiles.uiuc.edu/ehowes/www/resource.htm
1. Install Spyware Detection and Removal Programs:
You may also want to consider installing either or both of AdAware (free version) and Spybot S&D (freeware). Use these programs to regularly scan your system for and remove many forms of spyware/malware.
a. AdAware: http://www.lavasoft.de/
b. Spybot S&D: http://security.kolla.de/index.php?lang=en&page=download
For more information about Spyware, the tools available, and other informative material, including information on how you may have been infected in the first place, please check out this link: http://forum.gladiator-antivirus.com/index...?showtopic=9857
Good luck, and thanks for coming to our forums for help with your security and malware issues.
Here are some simple steps you can take to reduce the chance of infection in the future.
1. Visit Windows Update: <-- YOU NEED TO DO THIS!!
Make sure that you have all the Critical Updates recommended for your operating system and IE. The first defense against infection is a properly patched OS.
a. Windows Update: http://v4.windowsupdate.microsoft.com/en/default.asp
1. Adjust your security settings for ActiveX:]
Go to Internet Options/Security/Internet, press 'default level', then OK.
Now press "Custom Level."
In the ActiveX section, set the first option, 'Download signed controls', to 'Prompt; set the
second option, 'Download unsigned controls', to 'Disable'; and finally, set 'Initialize and Script ActiveX controls not marked as safe" to 'Disable'.
2. Download and install the following free programs
a. SpywareBlaster: http://www.javacoolsoftware.com/spywareblaster.html
b. SpywareGuard: http://www.wilderssecurity.net/spywareguard.html
c. IE/Spyad: https://netfiles.uiuc.edu/ehowes/www/resource.htm
1. Install Spyware Detection and Removal Programs:
You may also want to consider installing either or both of AdAware (free version) and Spybot S&D (freeware). Use these programs to regularly scan your system for and remove many forms of spyware/malware.
a. AdAware: http://www.lavasoft.de/
b. Spybot S&D: http://security.kolla.de/index.php?lang=en&page=download
For more information about Spyware, the tools available, and other informative material, including information on how you may have been infected in the first place, please check out this link: http://forum.gladiator-antivirus.com/index...?showtopic=9857
Good luck, and thanks for coming to our forums for help with your security and malware issues.
This is a "lo-fi" version of our main content. To view the full version with more information, formatting and images, please click here.