Hijack This Log - Please Review (Thank you!)


This topic is locked. 7 replies to this topic.

#1 tml2k6 (New Member, Authentic Member, 8 posts)

Posted 05 February 2006 - 08:43 AM

Hello,

This is a Windows 98 machine with some serious spyware problems. Thank you in advance for your help.

***************************************************************************************

Logfile of HijackThis v1.99.1
Scan saved at 4:26:43 PM, on 2/4/06
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\VSHWIN32.EXE
C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\WEBSCANX.EXE
C:\WINDOWS\SYSTEM\OUTPOSTUPDATE.EXE
C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\VSSTAT.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\NETASSISTANT\SMARTBRIDGE\MOTIVESB.EXE
C:\WINDOWS\BP_BG.EXE
C:\PROGRAM FILES\CYBERLINK\POWERDVD\PDVDSERV.EXE
C:\PROGRAM FILES\COMMON FILES\SONIC\UPDATE MANAGER\SGTRAY.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\PROGRAM FILES\NETASSISTANT\BIN\MPBTN.EXE
C:\PROGRAM FILES\SYMPATICO\ACCESS MANAGER\APP\ENTERNET.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\PROGRAM FILES\WINZIP\WINZIP32.EXE
C:\MY DOCUMENTS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://c:\windows\TEMP\se.dll/space.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.sympatico.ca
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://c:\windows\TEMP\se.dll/space.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Sympatico Internet Service
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;127.0.0.1;<local>
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {34EC0FE1-09B4-11DA-8B1B-00A024C93BDD} - C:\WINDOWS\SYSTEM\JCEM.DLL
O3 - Toolbar: MapQuest - {4E7BD74F-2B8D-469E-A3FA-F363B384B77D} - C:\WINDOWS\DOWNLO~1\MQGOLD1.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [McAfeeWebScanX] C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\WebScanX.Exe
O4 - HKLM\..\Run: [Vshwin32EXE] C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\VSHWIN32.EXE
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\NETASS~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [CY_BG] C:\WINDOWS\BP_BG.EXE
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [UpdateManager] "c:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [outpostupdate] C:\WINDOWS\SYSTEM\outpostupdate.exe
O4 - HKLM\..\Run: [sp] rundll32 C:\WINDOWS\TEMP\SE.DLL,DllInstall
O4 - HKLM\..\RunServices: [Vshwin32EXE] C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\VSHWIN32.EXE
O4 - HKLM\..\RunServices: [McAfeeWebScanX] C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\WebScanX.Exe /RUNSERVICES
O4 - HKLM\..\RunServices: [outpostupdate] C:\WINDOWS\SYSTEM\outpostupdate.exe
O4 - HKCU\..\Run: [MsnMsgr] "c:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [outpostupdate] C:\WINDOWS\SYSTEM\outpostupdate.exe
O4 - HKCU\..\RunServices: [MsnMsgr] "c:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\RunServices: [outpostupdate] C:\WINDOWS\SYSTEM\outpostupdate.exe
O4 - Startup: NetAssistant.lnk = C:\Program Files\NetAssistant\bin\matcli.exe
O4 - Startup: PowerReg Scheduler V3.exe
O9 - Extra button: Microsoft AntiSpyware helper - {3BB175E0-09B4-11DA-8B1B-00A0CC23015A} - C:\WINDOWS\SYSTEM\WLDR.DLL
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {3BB175E0-09B4-11DA-8B1B-00A0CC23015A} - C:\WINDOWS\SYSTEM\WLDR.DLL
O9 - Extra button: Microsoft AntiSpyware helper - {3BB175E0-09B4-11DA-8B1B-00A0CC23015A} - C:\WINDOWS\SYSTEM\WLDR.DLL (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {3BB175E0-09B4-11DA-8B1B-00A0CC23015A} - C:\WINDOWS\SYSTEM\WLDR.DLL (HKCU)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O12 - Plugin for .mid: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .wav: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.sympatico.ca
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - https://components.v...w.viewpoint.com
O16 - DPF: {4E7BD74F-2B8D-469E-A3FA-F363B384B77D} (MapQuest) - http://cdn.mapquest....bar/mqgold1.cab
O18 - Filter: text/html - {7B08D7E0-7C61-11DA-8B1B-00A09C6A8D3C} - C:\WINDOWS\SYSTEM\JCEM.DLL
O18 - Filter: text/plain - {7B08D7E0-7C61-11DA-8B1B-00A09C6A8D3C} - C:\WINDOWS\SYSTEM\JCEM.DLL

***************************************************************************************

Thanks again!!



#2 little eagle (spyware hawk, Visiting Fellow, 8,968 posts, Interests: spyware)

Posted 11 February 2006 - 11:03 AM

Please download and run CWShredder here
Make sure that all browser windows are closed with the exception of Cwshredder and choose FIX.

We have found that some of the CWS infections can be removed better from safe mode, rather than normal mode.
To get to safe mode use the F8 key while booting the machine.
Detailed instructions from here

Then post another log.

#3 tml2k6 (New Member, Authentic Member, 8 posts)

Posted 12 February 2006 - 11:35 AM

Hello,

My original post was:

http://forums.tomcoy...showtopic=57656

and I was instructed by little eagle (thank you!) to run CWS Shredder. After that I ran another HijackThis and here are the results of the log:

Logfile of HijackThis v1.99.1
Scan saved at 12:25:01 PM, on 2/12/06
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\VSHWIN32.EXE
C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\WEBSCANX.EXE
C:\WINDOWS\SYSTEM\OUTPOSTUPDATE.EXE
C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\VSSTAT.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\NETASSISTANT\SMARTBRIDGE\MOTIVESB.EXE
C:\WINDOWS\BP_BG.EXE
C:\PROGRAM FILES\CYBERLINK\POWERDVD\PDVDSERV.EXE
C:\PROGRAM FILES\COMMON FILES\SONIC\UPDATE MANAGER\SGTRAY.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\PROGRAM FILES\NETASSISTANT\BIN\MPBTN.EXE
C:\PROGRAM FILES\SYMPATICO\ACCESS MANAGER\APP\ENTERNET.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\WINZIP\WINZIP32.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://c:\windows\TEMP\se.dll/space.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.sympatico.ca
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://c:\windows\TEMP\se.dll/space.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Sympatico Internet Service
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;127.0.0.1;<local>
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O3 - Toolbar: MapQuest - {4E7BD74F-2B8D-469E-A3FA-F363B384B77D} - C:\WINDOWS\DOWNLO~1\MQGOLD1.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [McAfeeWebScanX] C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\WebScanX.Exe
O4 - HKLM\..\Run: [Vshwin32EXE] C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\VSHWIN32.EXE
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\NETASS~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [CY_BG] C:\WINDOWS\BP_BG.EXE
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [UpdateManager] "c:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [outpostupdate] C:\WINDOWS\SYSTEM\outpostupdate.exe
O4 - HKLM\..\Run: [sp] rundll32 C:\WINDOWS\TEMP\SE.DLL,DllInstall
O4 - HKLM\..\RunServices: [Vshwin32EXE] C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\VSHWIN32.EXE
O4 - HKLM\..\RunServices: [McAfeeWebScanX] C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\WebScanX.Exe /RUNSERVICES
O4 - HKLM\..\RunServices: [outpostupdate] C:\WINDOWS\SYSTEM\outpostupdate.exe
O4 - HKCU\..\Run: [outpostupdate] C:\WINDOWS\SYSTEM\outpostupdate.exe
O4 - HKCU\..\RunServices: [outpostupdate] C:\WINDOWS\SYSTEM\outpostupdate.exe
O4 - Startup: NetAssistant.lnk = C:\Program Files\NetAssistant\bin\matcli.exe
O4 - Startup: PowerReg Scheduler V3.exe
O9 - Extra button: Microsoft AntiSpyware helper - {3BB175E0-09B4-11DA-8B1B-00A0CC23015A} - C:\WINDOWS\SYSTEM\WLDR.DLL
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {3BB175E0-09B4-11DA-8B1B-00A0CC23015A} - C:\WINDOWS\SYSTEM\WLDR.DLL
O9 - Extra button: Microsoft AntiSpyware helper - {3BB175E0-09B4-11DA-8B1B-00A0CC23015A} - C:\WINDOWS\SYSTEM\WLDR.DLL (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {3BB175E0-09B4-11DA-8B1B-00A0CC23015A} - C:\WINDOWS\SYSTEM\WLDR.DLL (HKCU)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O12 - Plugin for .mid: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .wav: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.sympatico.ca
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - https://components.v...w.viewpoint.com
O16 - DPF: {4E7BD74F-2B8D-469E-A3FA-F363B384B77D} (MapQuest) - http://cdn.mapquest....bar/mqgold1.cab


Thanks again for your help!

#4 little eagle (spyware hawk, Visiting Fellow, 8,968 posts, Interests: spyware)

Posted 12 February 2006 - 06:19 PM

Download 'SpSeHjfix' to the desktop, and then
right click a blank part of the desktop & select New Folder; call it spfix.
Unzip the file into that folder.

Disconnect from the net and Close ALL OPEN PROGRAMS.
Run 'SpSeHjfix' and click on "Start Disinfection".
When it's finished it will reboot your machine to finish the cleaning process.
The tool creates a log of the fix which will appear in the folder.

If it doesn't find any of the SE files or any hidden reinstallers, it will say "system clean" and not go on to the next stage.

Now run the Shredder - Hit The FIX button!

Reboot and post a fresh HJT log and the log that was created by 'SpSeHjfix'.

#5 little eagle (spyware hawk, Visiting Fellow, 8,968 posts, Interests: spyware)

Posted 12 February 2006 - 06:21 PM

use Posted Image
not Posted Image

#6 tml2k6 (New Member, Authentic Member, 8 posts)

Posted 27 February 2006 - 07:37 PM

Hello,

I performed all of the tasks from the last post, and here are the results:

First the spfix log:

(2/27/06 8:18:19 PM) SPSeHjFix started v1.1.2
(2/27/06 8:18:19 PM) OS: Win98 (4.10.1998)
(2/27/06 8:18:19 PM) Language: english
(2/27/06 8:18:19 PM) Win-Path: C:\WINDOWS
(2/27/06 8:18:19 PM) System-Path: C:\WINDOWS\SYSTEM
(2/27/06 8:18:19 PM) Temp-Path: c:\windows\TEMP\
(2/27/06 8:18:22 PM) Disinfection started
(2/27/06 8:18:22 PM) Bad-Dll(IEP): c:\windows\temp\se.dll
(2/27/06 8:18:22 PM) Searchassistant Uninstaller found: regsvr32 /s /u C:\WINDOWS\SYSTEM\JCEM.DLL
(2/27/06 8:18:22 PM) Searchassistant Uninstaller - Keys Deleted
(2/27/06 8:18:22 PM) UBF: 4 - UBB: 0 - UBR: 16
(2/27/06 8:18:22 PM) Run-Key: HKLM\Software\Microsoft\Windows\CurrentVersion\Run\sp=rundll32 C:\WINDOWS\TEMP\SE.DLL,DllInstall (deleted)
(2/27/06 8:18:22 PM) UBF: 4 - UBB: 0 - UBR: 15
(2/27/06 8:18:22 PM) Bad IE-pages:
deleted: HKCU\Software\Microsoft\Internet Explorer\Main, Search Bar: res://c:\windows\temp\se.dll/space.html
deleted: HKCU\Software\Microsoft\Internet Explorer\Main, Search Page: about:blank
deleted: HKCU\Software\Microsoft\Internet Explorer\Main, Start Page: about:blank
deleted: HKCU\Software\Microsoft\Internet Explorer\Main, HomeOldSP: about:blank
deleted: HKCU\Software\Microsoft\Internet Explorer\Search, SearchAssistant: about:blank
deleted: HKLM\Software\Microsoft\Internet Explorer\Main, Search Bar: res://c:\windows\temp\se.dll/space.html
deleted: HKLM\Software\Microsoft\Internet Explorer\Main, Search Page: about:blank
deleted: HKLM\Software\Microsoft\Internet Explorer\Main, Start Page: about:blank
deleted: HKLM\Software\Microsoft\Internet Explorer\Main, HomeOldSP: about:blank
deleted: HKLM\Software\Microsoft\Internet Explorer\Search, SearchAssistant: about:blank
(2/27/06 8:18:22 PM) Stealth-String not found
(2/27/06 8:18:22 PM) File added to delete: c:\windows\system\jcem.dll
(2/27/06 8:18:22 PM) File added to delete: c:\windows\temp\se.dll
(2/27/06 8:18:22 PM) Reboot
(2/27/06 8:20:11 PM) SPSeHjFix 2nd Step
(2/27/06 8:20:11 PM) Stealth-String not present. Disinfection succesfully
(2/27/06 8:20:27 PM) Cleaned


Then I ran CWShredder, rebooted, then HijackThis again. Here is the HJT Log:

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\VSHWIN32.EXE
C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\WEBSCANX.EXE
C:\WINDOWS\SYSTEM\OUTPOSTUPDATE.EXE
C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\VSSTAT.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\NETASSISTANT\SMARTBRIDGE\MOTIVESB.EXE
C:\WINDOWS\BP_BG.EXE
C:\PROGRAM FILES\CYBERLINK\POWERDVD\PDVDSERV.EXE
C:\PROGRAM FILES\COMMON FILES\SONIC\UPDATE MANAGER\SGTRAY.EXE
C:\PROGRAM FILES\NETASSISTANT\BIN\MPBTN.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.sympatico.ca
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Sympatico Internet Service
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;127.0.0.1;<local>
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O3 - Toolbar: MapQuest - {4E7BD74F-2B8D-469E-A3FA-F363B384B77D} - C:\WINDOWS\DOWNLO~1\MQGOLD1.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [McAfeeWebScanX] C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\WebScanX.Exe
O4 - HKLM\..\Run: [Vshwin32EXE] C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\VSHWIN32.EXE
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\NETASS~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [CY_BG] C:\WINDOWS\BP_BG.EXE
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [UpdateManager] "c:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [outpostupdate] C:\WINDOWS\SYSTEM\outpostupdate.exe
O4 - HKLM\..\Run: [sp] rundll32 C:\WINDOWS\TEMP\SE.DLL,DllInstall
O4 - HKLM\..\RunServices: [Vshwin32EXE] C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\VSHWIN32.EXE
O4 - HKLM\..\RunServices: [McAfeeWebScanX] C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\WebScanX.Exe /RUNSERVICES
O4 - HKLM\..\RunServices: [outpostupdate] C:\WINDOWS\SYSTEM\outpostupdate.exe
O4 - HKCU\..\Run: [outpostupdate] C:\WINDOWS\SYSTEM\outpostupdate.exe
O4 - HKCU\..\RunServices: [outpostupdate] C:\WINDOWS\SYSTEM\outpostupdate.exe
O4 - Startup: NetAssistant.lnk = C:\Program Files\NetAssistant\bin\matcli.exe
O4 - Startup: PowerReg Scheduler V3.exe
O9 - Extra button: Microsoft AntiSpyware helper - {3BB175E0-09B4-11DA-8B1B-00A0CC23015A} - C:\WINDOWS\SYSTEM\WLDR.DLL
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {3BB175E0-09B4-11DA-8B1B-00A0CC23015A} - C:\WINDOWS\SYSTEM\WLDR.DLL
O9 - Extra button: Microsoft AntiSpyware helper - {3BB175E0-09B4-11DA-8B1B-00A0CC23015A} - C:\WINDOWS\SYSTEM\WLDR.DLL (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {3BB175E0-09B4-11DA-8B1B-00A0CC23015A} - C:\WINDOWS\SYSTEM\WLDR.DLL (HKCU)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O12 - Plugin for .mid: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .wav: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.sympatico.ca
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - https://components.v...w.viewpoint.com
O16 - DPF: {4E7BD74F-2B8D-469E-A3FA-F363B384B77D} (MapQuest) - http://cdn.mapquest....bar/mqgold1.cab



Thank you very much for your continued help!

#7 little eagle (spyware hawk, Visiting Fellow, 8,968 posts, Interests: spyware)

Posted 28 February 2006 - 01:22 AM

Download System Security Suite v1.04 here
Tutorial here.

Download Pocket Killbox and unzip it; save it to your Desktop. We may need it later.

Reboot in safe mode. Close all Browser and Program Windows.
Have HijackThis fix the following. Do this by checking the box beside each and then clicking on Fix checked.

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
O4 - HKLM\..\Run: [CY_BG] C:\WINDOWS\BP_BG.EXE
O4 - HKLM\..\Run: [outpostupdate] C:\WINDOWS\SYSTEM\outpostupdate.exe
O4 - HKLM\..\Run: [sp] rundll32 C:\WINDOWS\TEMP\SE.DLL,DllInstall
O4 - HKLM\..\RunServices: [outpostupdate] C:\WINDOWS\SYSTEM\outpostupdate.exe
O4 - HKCU\..\Run: [outpostupdate] C:\WINDOWS\SYSTEM\outpostupdate.exe
O4 - HKCU\..\RunServices: [outpostupdate] C:\WINDOWS\SYSTEM\outpostupdate.exe
O4 - Startup: PowerReg Scheduler V3.exe
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - https://components.v...w.viewpoint.com


You may need to set your computer to show hidden files. Click here for instructions.
Then click Start > My Computer > Local Disk (then follow the path), or use Windows Explorer to locate the following files/folders and delete them.
Delete the following file(s) listed.

C:\WINDOWS\BP_BG.EXE
C:\WINDOWS\SYSTEM\outpostupdate.exe
C:\WINDOWS\TEMP\SE.DLL

If you were unable to find any of the files then please follow these additional instructions:
Run Pocket Killbox, and click the radio button that says "Delete a file on reboot". For each of the files you could not delete, paste them one at a time into the "full path of file to delete" box and click the red circle with a white cross in it. The program will ask you if you want to reboot; say No each time until the last one has been pasted in, whereupon you should answer Yes.

Here are Instructions for deleting multiple files with Pocket Killbox.

Reboot, then run 3S. Under the “Items To Clear” tab, place a checkmark in all of them but user defined folders.


Go here and run online scans, allow them to delete whatever they find:

TrendMicro HouseCall
eTrust AntiVirus Web Scanner

Note anything that can't be fixed.
Reboot when done. Rescan with HJT and post a new log here.

Also please describe how your computer behaves now.
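Added example, not part of the thread and not code from HijackThis or the tools named above: a small triage script that turns the indicators little eagle told the poster to fix (pages redirected into a DLL under TEMP, a Run key loading that DLL through rundll32, an unnamed BHO, O18 MIME filters, one program spread across several Run/RunServices keys, blanked start pages) into rules and runs them over lines copied from the logs posted in this thread. The rule wording, the regexes and the autorun threshold are my own assumptions.

```python
import re
from collections import defaultdict

# Sample HJT lines copied from the logs posted in this thread (the O2 and O18
# entries are from the first log, the rest from the third).
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://c:\windows\TEMP\se.dll/space.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.sympatico.ca
O2 - BHO: (no name) - {34EC0FE1-09B4-11DA-8B1B-00A024C93BDD} - C:\WINDOWS\SYSTEM\JCEM.DLL
O4 - HKLM\..\Run: [McAfeeWebScanX] C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\WebScanX.Exe
O4 - HKLM\..\RunServices: [McAfeeWebScanX] C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\WebScanX.Exe /RUNSERVICES
O4 - HKLM\..\Run: [outpostupdate] C:\WINDOWS\SYSTEM\outpostupdate.exe
O4 - HKLM\..\RunServices: [outpostupdate] C:\WINDOWS\SYSTEM\outpostupdate.exe
O4 - HKCU\..\Run: [outpostupdate] C:\WINDOWS\SYSTEM\outpostupdate.exe
O4 - HKCU\..\RunServices: [outpostupdate] C:\WINDOWS\SYSTEM\outpostupdate.exe
O4 - HKLM\..\Run: [sp] rundll32 C:\WINDOWS\TEMP\SE.DLL,DllInstall
O18 - Filter: text/html - {7B08D7E0-7C61-11DA-8B1B-00A09C6A8D3C} - C:\WINDOWS\SYSTEM\JCEM.DLL
"""

# The rules below are assumptions modelled on what the helper told the poster to fix.
TEMP_DLL = re.compile(r"res://.*\\temp\\[^/]+\.dll", re.I)                 # R0/R1 page served out of a DLL in TEMP
RUNDLL_TEMP = re.compile(r"rundll32(?:\.exe)?\s+.*\\temp\\.*\.dll", re.I)  # O4 loading a DLL from TEMP at logon
O4_ENTRY = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[[^\]]*\] (?P<cmd>.*)$")
MAX_AUTORUN_KEYS = 2   # one program in more distinct Run/RunServices keys than this is suspicious


def triage(log_text):
    """Return (reason, evidence) pairs for every HJT line that trips a rule."""
    findings = []
    autorun_keys = defaultdict(set)          # program -> {"HKLM\Run", "HKCU\RunServices", ...}
    for line in (raw.strip() for raw in log_text.splitlines()):
        if not line:
            continue
        section = line.split(" - ", 1)[0]
        if section in ("R0", "R1"):
            value = line.split("=", 1)[1].strip() if "=" in line else ""
            if TEMP_DLL.search(value):
                findings.append(("browser page redirected into a DLL under TEMP", line))
            elif value == "" and "Start Page" in line:
                findings.append(("blank start page, typically left behind after a hijack", line))
        elif section == "O2" and "(no name)" in line:
            findings.append(("BHO with no name registered", line))
        elif section == "O4":
            m = O4_ENTRY.match(line)
            if m is None:                    # Startup-folder entries are not rated here
                continue
            if RUNDLL_TEMP.search(m["cmd"]):
                findings.append(("rundll32 loads a DLL from TEMP at logon", line))
            # Key each autorun entry by its executable path, ignoring arguments and case.
            program = re.split(r"\.exe\b", m["cmd"].strip('"'), flags=re.I)[0].lower()
            autorun_keys[program].add(f"{m['hive']}\\{m['key']}")
        elif section == "O18" and "Filter:" in line:
            findings.append(("MIME filter hooked by a DLL; verify the file", line))
    for program, keys in autorun_keys.items():
        if len(keys) > MAX_AUTORUN_KEYS:
            findings.append((f"same program registered in {len(keys)} autorun keys", program))
    return findings


if __name__ == "__main__":
    for reason, evidence in triage(SAMPLE_LOG):
        print(f"[{reason}]\n    {evidence}")
```

On the sample above the McAfee entries stay quiet (two keys, a normal pattern for a resident scanner) while outpostupdate.exe is reported once for its four keys.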

#8 little eagle (spyware hawk, Visiting Fellow, 8,968 posts, Interests: spyware)

Posted 10 March 2006 - 05:08 PM

Glad we could be of assistance. This topic is now closed. If you wish it reopened, please send us an email (Click for address) with a link to your thread.

Do not bother contacting us if you are not the topic starter. A valid, working link to the closed topic is required along with the user name used. If the user name does not match the one in the thread linked, the email will be deleted.
Make sure you use proper prevention to keep from having problems occur to your computer in the future.

Coyote's Installed programs for prevention:

http://forums.tomcoy...showtopic=31418

The help you receive here is free. If you wish to show your appreciation, then you may donate to help keep us online.

Visit the CoyoteStore http://TomCoyote.org/coyotestore.php
