
Hijack Log Full page pop up ads


68 replies to this topic

#16 clueless123

clueless123

    Authentic Member

  • Authentic Member
  • 58 posts

Posted 14 December 2005 - 12:50 PM

I don't think I ran a full scan with Silent Runners last night. Below is a full scan. I wanted to mention that I didn't start having problems with the full-page pop-up ads until I downloaded updates at Microsoft.

"Silent Runners.vbs", revision 41, http://www.silentrunners.org/
Operating System: Windows 98
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"Taskbar Display Controls" = "RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY" [MS]
"Weather" = "C:\PROGRAM FILES\AWS\WEATHERBUG\WEATHER.EXE 1" ["AWS Convergence Technologies, Inc."]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"ScanRegistry" = "c:\windows\scanregw.exe /autorun" [MS]
"TaskMonitor" = "c:\windows\taskmon.exe" [MS]
"SystemTray" = "SysTray.Exe" [MS]
"LoadPowerProfile" = "Rundll32.exe powrprof.dll,LoadCurrentPwrScheme" [MS]
"HPScanPatch" = "C:\WINDOWS\SYSTEM\HPScanFix.exe" ["Hewlett-Packard Company"]
"hpsysdrv" = "c:\windows\system\hpsysdrv.exe" ["Hewlett-Packard Company"]
"USBMMKBD" = "usbmmkbd.exe" ["Hewlett-Packard Company"]
"Keyboard Manager" = "C:\Program Files\Netropa\One-touch Multimedia Keyboard\MMKeybd.exe" ["Netropa Corp."]
"eBayToolbar" = "C:\Program Files\eBay\eBay Toolbar2\eBayTBDaemon.exe" ["eBay"]
"HP Component Manager" = ""C:\PROGRAM FILES\HP\HPCORETECH\HPCMPMGR.EXE"" ["Hewlett-Packard Company"]
"StillImageMonitor" = "C:\WINDOWS\SYSTEM\STIMON.EXE" [MS]
"Motive SmartBridge" = "C:\PROGRA~1\VERIZO~1\SMARTB~1\MotiveSB.exe" ["Motive Communications, Inc."]
"QuickTime Task" = ""C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime" ["Apple Computer, Inc."]
"THGuard" = ""C:\PROGRAM FILES\TROJANHUNTER 4.2\THGUARD.EXE"" ["Mischel Internet Security"]
"TkBellExe" = ""C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot" ["RealNetworks, Inc."]
"AVG7_CC" = "C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP" ["GRISOFT, s.r.o."]
"AVG7_EMC" = "C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE" ["GRISOFT, s.r.o."]
"AVG7_AMSVR" = "C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE" ["GRISOFT, s.r.o."]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\ {++}
"LoadPowerProfile" = "Rundll32.exe powrprof.dll,LoadCurrentPwrScheme" [MS]
"SchedulingAgent" = "mstask.exe" [MS]
"Hidserv" = "Hidserv.exe run" [MS]
"KB891711" = "c:\windows\SYSTEM\KB891711\KB891711.EXE" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{22D8E815-4A5E-4DFB-845E-AAB64207F5BD}\(Default) = "eBay Toolbar Helper" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRAM FILES\EBAY\EBAY TOOLBAR2\EBAYTB.DLL" [null data]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = "AcroIEHlprObj Class" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX" ["("]
{65D886A2-7CA7-479B-BB95-14D1EFB7946A}\(Default) = "YahooTaggedBM Class" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRAM FILES\YAHOO!\COMMON\YIETAGBM.DLL" ["Yahoo! Inc."]
{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897}\(Default) = "UberButton Class" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRAM FILES\YAHOO!\COMMON\YIESRVC.DLL" ["Yahoo!"]
{4A368E80-174F-4872-96B5-0B27DDD11DB2}\(Default) = "SpywareGuard Download Protection"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRAM FILES\SPYWAREGUARD\DLPROTECT.DLL" [null data]
{53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Spybot - Search & Destroy\SDHelper.dll" ["Safer Networking Limited"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{F802F260-519B-11D1-BB5D-0060974C6013}" = "ICQ Shell Extension"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRAM FILES\ICQ\ICQSHEXT.DLL" ["ICQ"]
"{5464D816-CF16-4784-B9F3-75C0DB52B499}" = "Yahoo! Mail"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRAM FILES\YAHOO!\COMMON\YMMAPI20041123.DLL" ["Yahoo! Inc."]
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRAM FILES\REAL\REALPLAYER\RPSHELL.DLL" ["RealNetworks, Inc."]
"{81559C35-8464-49F7-BB0E-07A383BEF910}" = "SpywareGuard"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRAM FILES\SPYWAREGUARD\SPYWAREGUARD.DLL" [null data]
"{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Shell Extension"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]
"{9F97547E-460A-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Find Extension"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
INFECTION WARNING! "{81559C35-8464-49F7-BB0E-07A383BEF910}" = "SpywareGuard"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRAM FILES\SPYWAREGUARD\SPYWAREGUARD.DLL" [null data]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
Yahoo! Mail\(Default) = "{5464D816-CF16-4784-B9F3-75C0DB52B499}"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRAM FILES\YAHOO!\COMMON\YMMAPI20041123.DLL" ["Yahoo! Inc."]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
TrojanHunter\(Default) = "{EBDF1F20-C829-11D1-8233-FF20AF3E97A9}"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\TROJAN~1.2\CONTMENU.DLL" [null data]
AVG7 Shell Extension\(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
QuickFinderMenu\(Default) = "{CD949A20-BDC8-11CE-8919-00608C39D066}"
-> {CLSID}\InProcServer32\(Default) = "C:\COREL\OFFICE7\SHARED\QFINDER7\PFSE70.DLL" ["Novell, Inc."]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
TrojanHunter\(Default) = "{EBDF1F20-C829-11D1-8233-FF20AF3E97A9}"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\TROJAN~1.2\CONTMENU.DLL" [null data]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
QuickFinderMenu\(Default) = "{CD949A20-BDC8-11CE-8919-00608C39D066}"
-> {CLSID}\InProcServer32\(Default) = "C:\COREL\OFFICE7\SHARED\QFINDER7\PFSE70.DLL" ["Novell, Inc."]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
TrojanHunter\(Default) = "{EBDF1F20-C829-11D1-8233-FF20AF3E97A9}"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\TROJAN~1.2\CONTMENU.DLL" [null data]
AVG7 Shell Extension\(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]


Active Desktop and Wallpaper:
-----------------------------

Active Desktop is enabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "C:\WINDOWS\Application Data\Microsoft\Internet Explorer\Internet Explorer Wallpaper.bmp"


Startup items in "Startup" & "All Users...Startup" folders:
-----------------------------------------------------------

C:\WINDOWS\Start Menu\Programs\StartUp
"Verizon Online Support Center" -> shortcut to: "C:\Program Files\Verizon Online\bin\matcli.exe -boot" ["Motive Communications, Inc."]
"WinZip Quick Pick" -> shortcut to: "C:\Program Files\WinZip\WZQKPICK.EXE" ["WinZip Computing, Inc."]
"PerfectPrint" -> shortcut to: "C:\Corel\Office7\Shared\PFit7\PFPPOP70.EXE" ["Corel Corporation"]
"wink" -> shortcut to: "C:\Program Files\Wink\Wink.exe" [null data]
"Corel Desktop Application Director" -> shortcut to: "C:\Corel\Office7\Dad7\QUICK.EXE" ["4"]
"HP Digital Imaging Monitor" -> shortcut to: "C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe" ["Hewlett-Packard Co."]
"SpywareGuard" -> shortcut to: "C:\Program Files\SpywareGuard\sgmain.exe" [null data]


Enabled Scheduled Tasks:
------------------------

"Tune-up Application Start" -> launches: "walign" [MS]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "c:\windows\SYSTEM\rnr20.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
00000000000#\PackedCatalogItem (contains) DLL [Company Name], (at) # range:
c:\windows\SYSTEM\mswsosp.dll [MS], 1
c:\windows\SYSTEM\msafd.dll [MS], 2 - 4
c:\windows\SYSTEM\rsvpsp.dll [MS], 5 - 6


Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{5E92F538-B50B-46C5-9C5F-C6EECED3F6C6}" = "Dogpile Toolbar" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRAM FILES\DOGPILETOOLBAR\INSPTBAR.DLL" [null data]

"{2318C2B1-4965-11D4-9B18-009027A5CD4F}" = "&Google" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "c:\program files\google\googletoolbar1.dll" ["Google Inc."]

HKLM\Software\Microsoft\Internet Explorer\Toolbar\
"{92085AD4-F48A-450D-BD93-B28CC7DF67CE}" = "eBay Toolbar" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRAM FILES\EBAY\EBAY TOOLBAR2\EBAYTB.DLL" [null data]

"{2318C2B1-4965-11D4-9B18-009027A5CD4F}" = "&Google" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "c:\program files\google\googletoolbar1.dll" ["Google Inc."]

Explorer Bars

HKCU\Software\Microsoft\Internet Explorer\Explorer Bars\
{FE54FA40-D68C-11D2-98FA-00C0F0318AFE}\ = "RealGuide" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\SYSTEM\Shdocvw.dll" [MS]

{4528BBE0-4E08-11D5-AD55-00010333D0AD}\ = "&Yahoo! Messenger" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRAM FILES\YAHOO!\COMMON\YHEXBMESUS.DLL" ["Yahoo! Inc."]

HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\
{F05B7DAE-337E-11D3-83B6-00E0980647AC}\ = "PeoplePC Wallet" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\PEOPLEPC\BIN\PAYMEN~1.DLL" ["4"]

{A6E07A81-436A-11D3-83B6-00902747E82E}\ = "PeoplePC Guide" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "c:\windows\system\shdocvw.dll" [MS]

{4528BBE0-4E08-11D5-AD55-00010333D0AD}\ = "&Yahoo! Messenger" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRAM FILES\YAHOO!\COMMON\YHEXBMESUS.DLL" ["Yahoo! Inc."]

{5E92F538-B50B-46C5-9C5F-C6EECED3F6C6}\ = "Dogpile Toolbar" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRAM FILES\DOGPILETOOLBAR\INSPTBAR.DLL" [null data]


Print Monitors:
---------------

HKLM\System\CurrentControlSet\Control\Print\Monitors\
usbmon\Driver = "usbmon.dll" [MS]
hpzs9x09\Driver = "hpzs9x09.dll" ["HP"]
usbmon.dll\Driver = "usbmon.dll" [MS]


----------
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ The search for DESKTOP.INI DLL launch points on all local fixed drives
took 39 seconds.
+ The search for all Registry CLSIDs containing dormant Explorer Bars
took 30 seconds.
---------- (total run time: 103 seconds)



#17 daparker

daparker

    Advanced Member

  • Authentic Member
  • 779 posts

Posted 14 December 2005 - 12:57 PM

Can you try uninstalling the dogpile toolbar and see if that is the culprit?

#18 clueless123

clueless123

    Authentic Member

  • Authentic Member
  • 58 posts

Posted 14 December 2005 - 01:24 PM

I'm pretty sure I uninstalled it, but I am still getting the ads.

#19 daparker

daparker

    Advanced Member

  • Authentic Member
  • 779 posts

Posted 14 December 2005 - 02:33 PM

Please download StartDreck from here. Unzip it to the desktop and run it. Click Config, and choose "Unmark all". Then select only "Run Keys" under "Registry" and "Running Processes" under "System/Drivers" and click OK. Click Refresh, and Save to save a log. Then post the log here for me.

Edited by daparker, 14 December 2005 - 02:55 PM.


#20 clueless123

clueless123

    Authentic Member

  • Authentic Member
  • 58 posts

Posted 14 December 2005 - 02:43 PM

Which one do I download? There are several on the webpage you sent me.

#21 daparker

daparker

    Advanced Member

  • Authentic Member
  • 779 posts

Posted 14 December 2005 - 02:55 PM

clueless, I have fixed the link, sorry about that. It should work now.

#22 clueless123

clueless123

    Authentic Member

  • Authentic Member
  • 58 posts

Posted 14 December 2005 - 03:21 PM

StartDreck (build 2.1.7 public stable) - 2005-12-14 @ 16:18:55 (GMT -05:00) Platform: Windows 98 SE (Win 4.10.2222 A) Internet Explorer: 6.0.2800.1106 Logged in as Mark Simmons at PAVILION »Registry »Run Keys »Current User »Run *Taskbar Display Controls=RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY *Weather=C:\PROGRAM FILES\AWS\WEATHERBUG\WEATHER.EXE 1 »RunOnce »Default User »Run *Taskbar Display Controls=RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY *Weather=C:\PROGRAM FILES\AWS\WEATHERBUG\WEATHER.EXE 1 »RunOnce »Local Machine »Run *ScanRegistry=c:\windows\scanregw.exe /autorun *TaskMonitor=c:\windows\taskmon.exe *SystemTray=SysTray.Exe *LoadPowerProfile=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme *HPScanPatch=C:\WINDOWS\SYSTEM\HPScanFix.exe *hpsysdrv=c:\windows\system\hpsysdrv.exe *USBMMKBD=usbmmkbd.exe *Keyboard Manager=C:\Program Files\Netropa\One-touch Multimedia Keyboard\MMKeybd.exe *HP Component Manager="C:\PROGRAM FILES\HP\HPCORETECH\HPCMPMGR.EXE" *StillImageMonitor=C:\WINDOWS\SYSTEM\STIMON.EXE *Motive SmartBridge=C:\PROGRA~1\VERIZO~1\SMARTB~1\MotiveSB.exe *QuickTime Task="C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime *THGuard="C:\PROGRAM FILES\TROJANHUNTER 4.2\THGUARD.EXE" *TkBellExe="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot *AVG7_CC=C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP *AVG7_EMC=C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE *AVG7_AMSVR=C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE »RunOnce »RunServices *LoadPowerProfile=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme *SchedulingAgent=mstask.exe *Hidserv=Hidserv.exe run *KB891711=c:\windows\SYSTEM\KB891711\KB891711.EXE »RunServicesOnce »RunOnceEx »RunServicesOnceEx »Files »System/Drivers »Running Processes +FF0FABC9=C:\WINDOWS\SYSTEM\KERNEL32.DLL +FFFF9C65=C:\WINDOWS\SYSTEM\MSGSRV32.EXE +FFFF944D=C:\WINDOWS\SYSTEM\SPOOL32.EXE +FF006601=C:\WINDOWS\SYSTEM\MPREXE.EXE +FF00D59D=C:\WINDOWS\SYSTEM\MSTASK.EXE +FF00B701=c:\windows\SYSTEM\KB891711\KB891711.EXE +FF0096F5=C:\WINDOWS\SYSTEM\HIDSERV.EXE 
+FF00B3BD=C:\WINDOWS\SYSTEM\mmtask.tsk +FF00D2A5=C:\WINDOWS\EXPLORER.EXE +FF024789=C:\WINDOWS\TASKMON.EXE +FF025F09=C:\WINDOWS\SYSTEM\SYSTRAY.EXE +FF021961=C:\WINDOWS\SYSTEM\HPSYSDRV.EXE +FF022409=C:\WINDOWS\SYSTEM\USBMMKBD.EXE +FF021121=C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMKEYBD.EXE +FF02C065=C:\PROGRAM FILES\HP\HPCORETECH\HPCMPMGR.EXE +FF02A7F1=C:\WINDOWS\SYSTEM\STIMON.EXE +FF0286D5=C:\PROGRAM FILES\VERIZON ONLINE\SMARTBRIDGE\MOTIVESB.EXE +FF0365E5=C:\WINDOWS\SYSTEM\QTTASK.EXE +FF034EA9=C:\PROGRAM FILES\TROJANHUNTER 4.2\THGUARD.EXE +FF0308B5=C:\WINDOWS\SYSTEM\WMIEXE.EXE +FF03032D=C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE +FF03EDB1=C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\KEYBDMGR.EXE +FF03F95D=C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE +FF0381E9=C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE +FF047BE9=C:\PROGRAM FILES\NETROPA\ONSCREEN DISPLAY\OSD.EXE +FF04266D=C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE +FF041975=C:\WINDOWS\RunDLL.exe +FF04C1E9=C:\PROGRAM FILES\AWS\WEATHERBUG\WEATHER.EXE +FF0525E1=C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE +FF05F36D=C:\COREL\OFFICE7\SHARED\PFIT7\PFPPOP70.EXE +FF058D25=C:\PROGRAM FILES\WINK\WINK.EXE +FF066211=C:\COREL\OFFICE7\DAD7\QUICK.EXE +FF06CDA5=C:\PROGRAM FILES\HP\DIGITAL IMAGING\BIN\HPQTRA08.EXE +FF06BA75=C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMUSBKB2.EXE +FF068C81=C:\PROGRAM FILES\SPYWAREGUARD\SGMAIN.EXE +FF08B899=C:\PROGRAM FILES\VERIZON ONLINE\BIN\MPBTN.EXE +FF085F61=C:\PROGRAM FILES\HP\HPCORETECH\COMP\HPTSKMGR.EXE +FF0ACBAD=C:\PROGRAM FILES\SPYWAREGUARD\SGBHP.EXE +FF0906DD=C:\WINDOWS\SYSTEM\PSTORES.EXE +FF09F7C9=C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE +FF09F0C5=C:\UNZIPPED\STARTDRECK217\STARTDRECK.EXE »Application specific

#23 daparker

daparker

    Advanced Member

  • Authentic Member
  • 779 posts

Posted 14 December 2005 - 03:26 PM

That does not appear to be the full log. Please make sure it finishes running before posting the text. It could take several minutes.

#24 clueless123

clueless123

    Authentic Member

  • Authentic Member
  • 58 posts

Posted 14 December 2005 - 03:34 PM

I'm doing something wrong then. Because that is all it is giving me. I'm not real good with winzip or zip files.

#25 daparker

daparker

    Advanced Member

  • Authentic Member
  • 779 posts

Posted 14 December 2005 - 04:40 PM

And you are sure that it did complete running?



#26 clueless123

clueless123

    Authentic Member

  • Authentic Member
  • 58 posts

Posted 14 December 2005 - 05:28 PM

Are you sure you gave me ALL the commands? I have run it over and over again and it still shows the same thing, and it only takes a second. I don't know what I could be doing wrong.

#27 daparker

daparker

    Advanced Member

  • Authentic Member
  • 779 posts

Posted 14 December 2005 - 05:46 PM

All the commands are there. It can take several minutes to run, and it is not always obvious when it is complete.

#28 clueless123

clueless123

    Authentic Member

  • Authentic Member
  • 58 posts

Posted 14 December 2005 - 08:17 PM

I'm sorry to be a pain. But I keep doing the commands over and over and it still brings up the same log. I don't know what I am doing wrong.

#29 daparker

daparker

    Advanced Member

  • Authentic Member
  • 779 posts

Posted 14 December 2005 - 11:14 PM

OK, let's try this one. Please download L2m9xfix from one of these two locations:
GeeksToGo
Noidea.us

Save it to the desktop and run it. Extract the files, and then open the l2m9xfix folder you just created and run RunThis.bat.

A window will open, and your desktop will disappear, then reappear. Please be patient until the batch says it is completed.

Then please restart your computer, and post a new HijackThis log as well as the entire text of the log.txt file which should be in the same folder as RunThis.bat.

#30 clueless123

clueless123

    Authentic Member

  • Authentic Member
  • 58 posts

Posted 15 December 2005 - 12:43 AM

Log of L2M9XFix v1.01a

************

Running from directory:
C:\WINDOWS\Desktop\l2m9xfix

************

Files found:


************

Registry entries found:



************

Killing Explorer
Done!

Killing Rundll32
Done!

Removing malicious CLSID(s)
Done!

Restarting Explorer
Done!

Deleting malicious files
Done!


Finished!

Logfile of HijackThis v1.99.1
Scan saved at 1:42:27 AM, on 12/15/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
c:\windows\SYSTEM\KB891711\KB891711.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\HIDSERV.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\HPSYSDRV.EXE
C:\WINDOWS\SYSTEM\USBMMKBD.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMKEYBD.EXE
C:\PROGRAM FILES\HP\HPCORETECH\HPCMPMGR.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\VERIZON ONLINE\SMARTBRIDGE\MOTIVESB.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\KEYBDMGR.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\TROJANHUNTER 4.2\THGUARD.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\PROGRAM FILES\NETROPA\ONSCREEN DISPLAY\OSD.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\WINDOWS\RunDLL.exe
C:\PROGRAM FILES\AWS\WEATHERBUG\WEATHER.EXE
C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
C:\COREL\OFFICE7\SHARED\PFIT7\PFPPOP70.EXE
C:\PROGRAM FILES\WINK\WINK.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMUSBKB2.EXE
C:\COREL\OFFICE7\DAD7\QUICK.EXE
C:\PROGRAM FILES\HP\DIGITAL IMAGING\BIN\HPQTRA08.EXE
C:\PROGRAM FILES\SPYWAREGUARD\SGMAIN.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\VERIZON ONLINE\BIN\MPBTN.EXE
C:\PROGRAM FILES\HP\HPCORETECH\COMP\HPTSKMGR.EXE
C:\PROGRAM FILES\SPYWAREGUARD\SGBHP.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://cgi.verizon.n....1&bm=ho_search
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.yahoo.com...://hp.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dogpile.com/info.dogpl/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.yahoo.com...://hp.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dogpile.com/info.dogpl/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.dogpile.c...orms/search.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.dogpile.c...orms/search.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Verizon Online
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;<local>
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\PROGRAM FILES\YAHOO!\COMMON\YIETAGBM.DLL
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRAM FILES\YAHOO!\COMMON\YIESRVC.DLL
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\PROGRAM FILES\SPYWAREGUARD\DLPROTECT.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [HPScanPatch] C:\WINDOWS\SYSTEM\HPScanFix.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [USBMMKBD] usbmmkbd.exe
O4 - HKLM\..\Run: [Keyboard Manager] C:\Program Files\Netropa\One-touch Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\PROGRAM FILES\HP\HPCORETECH\HPCMPMGR.EXE"
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\VERIZO~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [THGuard] "C:\PROGRAM FILES\TROJANHUNTER 4.2\THGUARD.EXE"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [Hidserv] Hidserv.exe run
O4 - HKLM\..\RunServices: [KB891711] c:\windows\SYSTEM\KB891711\KB891711.EXE
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - HKCU\..\Run: [Weather] C:\PROGRAM FILES\AWS\WEATHERBUG\WEATHER.EXE 1
O4 - Startup: Verizon Online Support Center.lnk = C:\Program Files\Verizon Online\bin\matcli.exe
O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O4 - Startup: PerfectPrint.LNK = C:\Corel\Office7\Shared\PFit7\PFPPOP70.EXE
O4 - Startup: wink.lnk = C:\Program Files\Wink\Wink.exe
O4 - Startup: Corel Desktop Application Director.LNK = C:\Corel\Office7\Dad7\QUICK.EXE
O4 - Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O8 - Extra context menu item: &eBay Search - res://C:\PROGRAM FILES\EBAY\EBAY TOOLBAR2\eBayTb.dll/RCSearch.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmwordtrans.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsimilar.html
O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate Page into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmtrans.html
O12 - Plugin for .pdf: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {C606BA60-AB76-48B6-96A7-2C4D5C386F70} (PreQualifier Class) - http://www.verizon.n...tivePreQual.cab
O16 - DPF: {192F9A01-8030-48CE-9BC6-B03DE3E613C6} (PeoplePC Web Installer) - https://www.peoplepc...oad/ppcwebi.cab
O16 - DPF: Yahoo! Pyramids - http://download.game...ts/y/pyt1_x.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.game...aploader_v6.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
