Hello Wave.gif

I need help getting rid of VX2 for good, which I think includes euxmbd.exe, farmmext.exe and DrTemp.

I have Housecall from Trend Micro and Adaware with VX2 cleaner from Lavasoft, which I keep running and maybe deleting bits and I also have deleted euxmbd.exe in safe mode but it keeps coming back to give me pop-ups for online -- Look for another playground --, books, travel, porn etc.

I thought I would come back to this site to see if you can help me as last year Calamity Jane was very good in helping me get rid of a cool web hijacker.

Below is a recent scan from HijackThis

Glyn

Logfile of HijackThis v1.97.7
Scan saved at 19:13:24, on 05/03/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\ACCSTAT.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\PTSNOOP.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\STARTER.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\LOADQM.EXE
C:\FREESERVE\FREESERVECONNECTIONKIT\ATDIALLER1.EXE
C:\WINDOWS\TWAIN_32\1200 UB\WATCH.EXE
C:\PROGRAM FILES\UNITED DEVICES\UD.EXE
C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\WORKS SHARED\WKCALREM.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\UNITED DEVICES\UD_7174683.EXE
C:\PROGRAM FILES\UNITED DEVICES\UD_7174683_0.DIR\UD_LIGFIT_RELEASE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\EUXMBD.EXE
C:\WINDOWS\PACKAGER.EXE
C:\MY DOWNLOAD FILES\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.supanet.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.supanet.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = supanet Internet Explorer
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=http://www-cache.freeserve.com:8080;ftp=http://www-cache.freeserve.com:8080
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.supanet.com/
F1 - win.ini: load=PTSNOOP.EXE
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {00000000-59D4-4008-9058-080011001200} - C:\WINDOWS\DLMAX.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [PE2CKFNT SE] C:\Program Files\Ulead Systems\Ulead Photo Express 2 SE\ChkFont.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [MicroDialler] C:\Freeserve\FreeserveConnectionKit\atdialler1.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [FARMMEXT] C:\WINDOWS\FARMMEXT.exe
O4 - HKLM\..\Run: [euxmbd] c:\windows\system\euxmbd.exe
O4 - HKLM\..\RunServices: [LoadProfile] c:\windows\system\cdromsrvdll.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] C:\WINDOWS\SYSTEM\mstask.exe
O4 - Startup: Watch.lnk = C:\WINDOWS\TWAIN_32\1200 UB\WATCH.exe
O4 - Startup: UD Agent.lnk = C:\Program Files\United Devices\UD.EXE
O4 - Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsearch.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsimilar.html
O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmtrans.html
O14 - IERESET.INF: START_PAGE_URL=http://www.supanet.com/
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shock...ash/swflash.cab

You are using an old version of HiJackThis.
Please download and install the new version (199.1) from one of the following links:
http://www.computercops.biz/downloads-file-328.html


Run HiJackThis-199.1 and post the new log in this thread.

Here is my updated hijackthis log

Glyn :king:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.supanet.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.supanet.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.supanet.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = supanet Internet Explorer
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=http://www-cache.freeserve.com:8080;ftp=http://www-cache.freeserve.com:8080
F1 - win.ini: load=PTSNOOP.EXE
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: DLMaxObj Class - {00000000-59D4-4008-9058-080011001200} - C:\WINDOWS\DLMAX.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [PE2CKFNT SE] C:\Program Files\Ulead Systems\Ulead Photo Express 2 SE\ChkFont.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [MicroDialler] C:\Freeserve\FreeserveConnectionKit\atdialler1.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [FARMMEXT] C:\WINDOWS\FARMMEXT.exe
O4 - HKLM\..\Run: [euxmbd] c:\windows\system\euxmbd.exe
O4 - HKLM\..\RunServices: [LoadProfile] c:\windows\system\cdromsrvdll.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] C:\WINDOWS\SYSTEM\mstask.exe
O4 - Startup: Watch.lnk = C:\WINDOWS\TWAIN_32\1200 UB\WATCH.exe
O4 - Startup: UD Agent.lnk = C:\Program Files\United Devices\UD.EXE
O4 - Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsearch.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsimilar.html
O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmtrans.html
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O14 - IERESET.INF: START_PAGE_URL=http://www.supanet.com/

Sorry, that wasn't the full log - I'll get it right one day.

Logfile of HijackThis v1.99.1
Scan saved at 14:03:37, on 06/03/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\ACCSTAT.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\PTSNOOP.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\STARTER.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\LOADQM.EXE
C:\FREESERVE\FREESERVECONNECTIONKIT\ATDIALLER1.EXE
C:\WINDOWS\TWAIN_32\1200 UB\WATCH.EXE
C:\PROGRAM FILES\UNITED DEVICES\UD.EXE
C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\WORKS SHARED\WKCALREM.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\UNITED DEVICES\UD_7174683.EXE
C:\PROGRAM FILES\UNITED DEVICES\UD_7174683_0.DIR\UD_LIGFIT_RELEASE.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\WINZIP\WINZIP32.EXE
C:\UNZIPPED\HIJACKTHIS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.supanet.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.supanet.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.supanet.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = supanet Internet Explorer
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=http://www-cache.freeserve.com:8080;ftp=http://www-cache.freeserve.com:8080
F1 - win.ini: load=PTSNOOP.EXE
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: DLMaxObj Class - {00000000-59D4-4008-9058-080011001200} - C:\WINDOWS\DLMAX.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [PE2CKFNT SE] C:\Program Files\Ulead Systems\Ulead Photo Express 2 SE\ChkFont.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [MicroDialler] C:\Freeserve\FreeserveConnectionKit\atdialler1.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [FARMMEXT] C:\WINDOWS\FARMMEXT.exe
O4 - HKLM\..\Run: [euxmbd] c:\windows\system\euxmbd.exe
O4 - HKLM\..\RunServices: [LoadProfile] c:\windows\system\cdromsrvdll.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] C:\WINDOWS\SYSTEM\mstask.exe
O4 - Startup: Watch.lnk = C:\WINDOWS\TWAIN_32\1200 UB\WATCH.exe
O4 - Startup: UD Agent.lnk = C:\Program Files\United Devices\UD.EXE
O4 - Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsearch.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsimilar.html
O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmtrans.html
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O14 - IERESET.INF: START_PAGE_URL=http://www.supanet.com/

First:
Download DLLCompare from here:
http://www.downloads.subratam.org/DllCompare.exe

Copy the program to its own folder and double click on it.
Press the 'Run Locate.com' button

That should finish quickly, then:
Press the 'Compare' button.

That will run for a while longer.

When it is finished, press the 'Make A Log of What was Found' button
and post the log in this thread.

Press 'Exit' to quit program.


Second:
Please go here and click in the little box that has browse beside it and paste this line into it,

c:\windows\system\cdromsrvdll.exe

then press submit.
That sends a copy of the file to their virus checker to see if it is infected. Please post back the report.


Third:
Before we begin, please be sure that HiJackThis is in its own folder. This will allow us to use backups to restore entries if necessary. Please do not put HiJackThis in a temporary folder, or on the Desktop. I suggest using 'C:\Program Files\Hijackthis\' or C:\HiJackThis\, but any name you choose is fine.

Reboot in Safe Mode* and run HiJackThis. <-- IMPORTANT

Check the following items in HijackThis.
(note: If any R* items do not appear in Safe Mode, re-run HiJackThis in Normal Mode and remove them after you finish removing these items.)
O2 - BHO: DLMaxObj Class - {00000000-59D4-4008-9058-080011001200} - C:\WINDOWS\DLMAX.DLL

O4 - HKLM\..\Run: [FARMMEXT] C:\WINDOWS\FARMMEXT.exe
O4 - HKLM\..\Run: [euxmbd] c:\windows\system\euxmbd.exe

Close all windows except HijackThis and click Fix checked.

While still in Safe Mode*, delete the following: (you may need to show hidden files**)
(Files specified without a full path will be lcoated in C:\Windows\ or C:\Windows\System32\)
C:\WINDOWS\FARMMEXT.exe
c:\windows\system\euxmbd.exe

*How to Boot into Safe mode: http://service1.symantec.com/SUPPORT/tsgen...001052409420406
**Show Hidden and System files and folders: http://www.xtra.co.nz/help/0,,4155-1916458,00.html

Also, uncheck the boxes for hiding known file extensions and hiding protected operating system files. We want to see it all. When we finish here, it would be a good idea to rehide the protected operating system files but leave the rest to be shown.

Reboot in normal mode

Run HiJackThis again and post a new log in this thread.

Hello

This is my log of DLLcompare

* DLLCompare Log version(1.0.0.127)
Files Found that Windows does not See or cannot Access
*Not everything listed here means you are infected!
________________________________________________

O^E says: "There were no files found :)"
________________________________________________

898 items found: 898 files, 0 directories.
Total of file sizes: 161,411,605 bytes 153.93 M

--------------------End log---------------------

and this is my log revised log of HijackThis

Logfile of HijackThis v1.99.1
Scan saved at 20:50:43, on 07/03/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\ACCSTAT.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\PTSNOOP.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\STARTER.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\LOADQM.EXE
C:\FREESERVE\FREESERVECONNECTIONKIT\ATDIALLER1.EXE
C:\WINDOWS\TWAIN_32\1200 UB\WATCH.EXE
C:\PROGRAM FILES\UNITED DEVICES\UD.EXE
C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\WORKS SHARED\WKCALREM.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\UNITED DEVICES\UD_7174683.EXE
C:\PROGRAM FILES\UNITED DEVICES\UD_7174683_0.DIR\UD_LIGFIT_RELEASE.EXE
C:\HIJACKTHIS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.supanet.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.supanet.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.supanet.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = supanet Internet Explorer
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=http://www-cache.freeserve.com:8080;ftp=http://www-cache.freeserve.com:8080
F1 - win.ini: load=PTSNOOP.EXE
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [PE2CKFNT SE] C:\Program Files\Ulead Systems\Ulead Photo Express 2 SE\ChkFont.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [MicroDialler] C:\Freeserve\FreeserveConnectionKit\atdialler1.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [LoadProfile] c:\windows\system\cdromsrvdll.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] C:\WINDOWS\SYSTEM\mstask.exe
O4 - Startup: Watch.lnk = C:\WINDOWS\TWAIN_32\1200 UB\WATCH.exe
O4 - Startup: UD Agent.lnk = C:\Program Files\United Devices\UD.EXE
O4 - Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsearch.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsimilar.html
O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmtrans.html
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O14 - IERESET.INF: START_PAGE_URL=http://www.supanet.com/


not to sure what happened to the virus checker bit you mentioned in stage 2 - I submitted the pasted file but it kept saying 'please insert a file name for scanning and try again' - have I done something wrong here?

Glyn Wave.gif

I wanted to have Kaspersky check this file: c:\windows\system\cdromsrvdll.exe

I can find no information about it. Make sure you put in the full path and file name.

THen let me know what the result is. Everything else is ok, I just need to check this one.

I tried again and it said the same thing so I tried searching - start - find - find files and folders and typed in '*.exe' for C drive and then arranged everything in alphabetical order - I don't appear to have that file

I did have trouble the other night in that I couldn't log in to windows (it said there was a general failure reading C drive. After trying my boot disk etc I was prompted to do a surface scan of C drive which told me I had a bad cluster - maybe this deleted the file?????????

That is possible, or at least it removed the directory entry for it. To be safe we will remove the satrtup entry from the log, but leave it there. If it turns out to be needed we can restore. If the file is truly missing, I doubt it was required.


Before we begin, please be sure that HiJackThis is in its own folder. This will allow us to use backups to restore entries if necessary. Please do not put HiJackThis in a temporary folder, or on the Desktop. I suggest using 'c:\program files\hijackthis\' or C:\HiJackThis\, but any name you choose is fine.

Check the following items in HiJackThis:
O4 - HKLM\..\RunServices: [LoadProfile] c:\windows\system\cdromsrvdll.exe

Close all open windows except HiJackThis and press 'Fix Checked'.

Reboot.
Run HiJackThis again and post a new log in this thread.

Hi there Wave.gif

This is my new log

Logfile of HijackThis v1.99.1
Scan saved at 01:35:06, on 09/03/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\ACCSTAT.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\PTSNOOP.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\STARTER.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\LOADQM.EXE
C:\FREESERVE\FREESERVECONNECTIONKIT\ATDIALLER1.EXE
C:\WINDOWS\TWAIN_32\1200 UB\WATCH.EXE
C:\PROGRAM FILES\UNITED DEVICES\UD.EXE
C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\WORKS SHARED\WKCALREM.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\UNITED DEVICES\UD_7174683.EXE
C:\PROGRAM FILES\UNITED DEVICES\UD_7174683_0.DIR\UD_LIGFIT_RELEASE.EXE
C:\HIJACKTHIS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.supanet.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.supanet.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.supanet.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = supanet Internet Explorer
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=http://www-cache.freeserve.com:8080;ftp=http://www-cache.freeserve.com:8080
F1 - win.ini: load=PTSNOOP.EXE
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [PE2CKFNT SE] C:\Program Files\Ulead Systems\Ulead Photo Express 2 SE\ChkFont.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [MicroDialler] C:\Freeserve\FreeserveConnectionKit\atdialler1.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] C:\WINDOWS\SYSTEM\mstask.exe
O4 - Startup: Watch.lnk = C:\WINDOWS\TWAIN_32\1200 UB\WATCH.exe
O4 - Startup: UD Agent.lnk = C:\Program Files\United Devices\UD.EXE
O4 - Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsearch.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsimilar.html
O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmtrans.html
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O14 - IERESET.INF: START_PAGE_URL=http://www.supanet.com/

At last, your system is clean and free of spyware! Want to keep it that way?

Here are some simple steps you can take to reduce the chance of infection in the future.

1. Visit Windows Update:
Make sure that you have all the Critical Updates recommended for your operating system and Internet Explorer. The first defense against infection is a properly patched Operating System.
a. Windows Update: http://v5.windowsupdate.microsoft.com/en/default.asp

2. Adjust your security settings for ActiveX:
Select Internet Options from the Control Panels, or from Internet Explorer (Tools -> Internet Options)
Press 'default level', then OK
Now press "Custom Level."

In the ActiveX controls and plug-ins section set these options:
'Download singed ActiveX controls' - Prompt
'Download unsigned ActiveX controls' - Disable
'Initialize and script ActiveX controls not maked as safe'- Disable
All other options accept the default

3. Download and install the following free programs
a. SpywareBlaster: http://www.javacoolsoftware.com/spywareblaster.html
b. IE/Spyad: https://netfiles.uiuc.edu/ehowes/www/resource.htm
c. BHODemon: http://www.definitivesolutions.com/bhodemon.htm
d. Bugoff: http://castlecops.com/downloads-file-374.html

4. Install Spyware Detection and Removal Programs:
You may also want to consider installing one of the following:
a. Microsoft AntiSpyware: http://www.microsoft.com/athome/security/s...re/default.mspx
NOTE: MS AntiSpyware only runs on Windows 2000, XP, and 2003.
b. Spybot S&D: http://security.kolla.de/index.php?lang=en&page=download
c. AdAware: http://www.lavasoft.de/ Due to AdAware's recent decision to remove WhenU from its detection database, only to quickly add it back in response to public outcry I can no longer recommend this product as a first line of defense. For those interested, here is a link to discussion regarding this: http://www.dslreports.com/forum/remark,12665642~mode=flat

Use these programs to regularly scan your system for and remove many forms of spyware/malware. I recommend and use Micosoft AntiSpyware.

If you use, or plan on using, additional spyware/malware detection and/or removal programs, please check Items 8 and 9.

5. Install 'Spoofstick"
Spoofstick is a simple browser extension that helps users detect spoofed (fake) websites. This extension is free and installs in Internet Explorer and Mozilla Firefox.
a. http://www.corestreet.com/spoofstick

6. Reset System Restore
If you are using Windows ME or Windows XP, please reset your System Restore. See Windows help for information.

7. Clean Temporary Files and Folders
Double Click My Computer (WinXP: Navigate to Start --->My Computer)
You will see an icon representing your harddrive (most likely C: Drive) Right Click on the hard drive icon and click Properties at the bottom of the fly out window. On the very first tab (General) you will see a button labeled "Disk Cleanup"...click that button.

Make sure the following are checked:
Downloaded Program Files
Temporary Internet Files and
Recycle Bin

Click OK and Disk Cleanup will delete those files for you.

8. Rogue/Suspect Anti-Spyware
Before using or purchasing any Spyware/Malware protection/removal program, always check the Rogue/Suspect Spyware List. It will save you a lot of grief, as well as money if you are thinking of purchasing. Here is the link: http://www.spywarewarrior.com/rogue_anti-spyware.htm

9. Anti-Spyware Programs Compared
Want to know just how effective your anti-spyware program is? Wonder how well any of the "rogue" programs listed above work? Check this link for an independent comparison of several anti-spyware programs: http://www.spywarewarrior.com/asw-test-guide.htm

10. Alternate Browser
Consider using an alternate browser as your default. I recommend and use Firefox as my primary browser. It is still necessary to keep Internet Explorer current and protected in order to use Windows Update.


For more information about Spyware, the tools available, and other informative material, including information on how you may have been infected in the first place, please check out this link: http://forum.gladiator-antivirus.com/index...?showtopic=9857

"It is your responsibility to read and adhere to the End User Licensing Agreement (EULA) of all software and services mentioned."

Good luck, and thanks for coming to our forums for help with your security and malware issues.

Thanks for helping me

Glyn :thumb:

We are glad we were able to be of assistance.

NOTE: This thread is now closed. Should you need it reopened, please PM an administrator or moderator.

Everyone else having a similar issue, please launch a new topic for yourselves.