[lahilliar]

Logfile of HijackThis v1.99.1
Scan saved at 4:23:17 PM, on 8/14/05
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\THOTKEY.EXE
C:\PROGRAM FILES\ENCOMPASS\ENCMONTR.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\TOSHIBA\MOUSE\TMOUSE.EXE
C:\WINDOWS\SYSTEM\TOSHIBSU.EXE
C:\WINDOWS\SYSTEM\TFUNCKEY.EXE
C:\WINDOWS\SYSTEM\TPWRMGR.EXE
C:\PROGRAM FILES\BROADJUMP\CLIENT FOUNDATION\CFD.EXE
C:\PROGRAM FILES\VISUAL NETWORKS\VISUAL IP INSIGHT\SBC\IPCLIENT.EXE
C:\PROGRAM FILES\SBC SELF SUPPORT TOOL\SMARTBRIDGE\MOTIVESB.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\ELITEZKH32.EXE
C:\PROGRAM FILES\YAHOO!\BROWSER\YBRWICON.EXE
C:\WINDOWS\SYSTEM\FCZBFJ.EXE
C:\PROGRAM FILES\YAHOO!\YOP\YOP.EXE
C:\WINDOWS\ETB\POKAPOKA63.EXE
C:\WINDOWS\JNROAN.EXE
C:\PROGRAM FILES\SURFACCURACY\SACC.EXE
C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
C:\AMERICA ONLINE 4.0\AOLTRAY.EXE
C:\PROGRAM FILES\YAHOO!\BROWSER\YCOMMON.EXE
C:\PROGRAM FILES\ISTSVC\ISTSVC.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\HIJACK\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://searchmiracle.com/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchmiracle.com/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchmiracle.com/sp.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://yahoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydsl/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus.../sbcydsl/*http://www.yahoo.com/search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/sbcydsl/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchmiracle.com/sp.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.exactsearch.net/sidesearch
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydsl/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\about.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;dynhost.inetcam.com;register.inetcam.com;
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [IrMon] IrMon.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [TMOUSE] C:\Toshiba\Mouse\tmouse.exe
O4 - HKLM\..\Run: [Norton AntiVirus Reminder] C:\PROGRA~1\NORTON~1\N32RMD.EXE /RES
O4 - HKLM\..\Run: [TOSHIBSU] TOSHIBSU.EXE
O4 - HKLM\..\Run: [TFunckey] TFunckey.Exe
O4 - HKLM\..\Run: [TPwrMgr] TPwrMgr.Exe
O4 - HKLM\..\Run: [TDspOff] TDspOff.Exe B
O4 - HKLM\..\Run: [mdac_runonce] C:\WINDOWS\SYSTEM\runonce.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\SYSTEM\hpztsb07.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [IPInSightLAN 01] "C:\PROGRAM FILES\VISUAL NETWORKS\VISUAL IP INSIGHT\SBC\IPClient.exe" -l
O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\PROGRAM FILES\VISUAL NETWORKS\VISUAL IP INSIGHT\SBC\IPMon32.exe"
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [ntuagndnfyp] C:\WINDOWS\SYSTEM\bdabuz.exe
O4 - HKLM\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [PSof1] C:\WINDOWS\SYSTEM\PSof1.exe
O4 - HKLM\..\Run: [checkrun] C:\WINDOWS\SYSTEM\ELITEZKH32.EXE
O4 - HKLM\..\Run: [YBrowser] C:\Program Files\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [cfgmgr52] RunDLL32.EXE C:\WINDOWS\CFGMGR52.DLL,DllRun
O4 - HKLM\..\Run: [exp] C:\WINDOWS\SYSTEM\exp
O4 - HKLM\..\Run: [secure] C:\WINDOWS\SYSTEM\FCZBFJ.exe
O4 - HKLM\..\Run: [autoupdate] rundll32 C:\WINDOWS\SYSTEM\DATADX.DLL,SHStart
O4 - HKLM\..\Run: [qp5U36R] SPONONCE.EXE
O4 - HKLM\..\Run: [YOP] C:\PROGRA~1\YAHOO!\YOP\yop.exe /autostart
O4 - HKLM\..\Run: [System service62] C:\WINDOWS\etb\pokapoka63.exe
O4 - HKLM\..\Run: [System service63] C:\WINDOWS\ETB\POKAPOKA63.EXE
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\jnroan.exe reg_run
O4 - HKLM\..\Run: [4DTm9eAE] C:\TQKCNVT.EXE
O4 - HKLM\..\Run: [SurfAccuracy] C:\Program Files\SurfAccuracy\SAcc.exe
O4 - HKLM\..\Run: [IST Service] \ISTsvc\istsvc.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [THotkey] THotkey.Exe
O4 - HKLM\..\RunServices: [Encompass_ENCMONTR] C:\Program Files\Encompass\ENCMONTR.EXE
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - HKCU\..\Run: [TAXPDF] C:\WINDOWS\SYSTEM\TAXPDF.EXE
O4 - HKCU\..\Run: [DX7VB] C:\WINDOWS\SYSTEM\DX7VB.EXE
O4 - HKCU\..\Run: [bEu8RWdmg] NSWAIG32.EXE
O4 - HKCU\..\Run: [MOMO] C:\PROGRAM FILES\COMMON FILES\MOMO\MOMOM.EXE
O4 - HKCU\..\Run: [196_150_NI] C:\WINDOWS\SYSTEM\196_150_NI.EXE
O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O4 - Startup: America Online Tray Icon.lnk = C:\America Online 4.0\aoltray.exe
O4 - Startup: SBC Self Support Tool.lnk = C:\Program Files\SBC Self Support Tool\bin\matcli.exe
O4 - Startup: nakt.exe
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES.DLL
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES.DLL
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\PROGRAM FILES\YAHOO!\COMMON\YLOGIN.DLL
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\PROGRAM FILES\YAHOO!\COMMON\YLOGIN.DLL
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O12 - Plugin for .swf: C:\Program Files\Netscape\Communicator\Program\PLUGINS\npswf32.dll
O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.24.141/code/PWActiveXImgCtl.CAB
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-0-3-0.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst0401.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/hpdj/en/check/qdiagh.cab?319
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {42F2C9BA-614F-47C0-B3E3-ECFD34EED658} (Installer Class) - ms-its:mhtml:file://c:\fsacskys.mht!http://filesharingaccess.com/script/ysb.chm::/ysb_regular.cab
O16 - DPF: {99410CDE-6F16-42ce-9D49-3807F78F0287} - http://www.180searchassistant.com/180saax.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab

 

[MicroBell]

Hi and Welcome to TSF

Before attacking an adware/spyware problem with hijackthis make sure you have already run the following tools. Download and update the databases on each program before running.

• Ad-Aware® SE Personal Edition
• Spybot Search & Destroy
• CWShredder

Also make sure you are using the the latest version (1.99.1) of HijackThis and it's installed in it's own folder on the root drive. (C:\HJT)

Open My Computer>>View>>FolderOptions>>View Tab>>Advance Advanced settings box, under the "Hidden files" folder, select Show all files>>Apply>>OK

Please go to at least two of these sites and run an online Virus Scan.
Be sure to have the AutoFix box(es) checked.

http://housecall.trendmicro.com/
http://www3.ca.com/virusinfo/virusscan.aspx
http://www.pandasoftware.com/activescan/com/activescan_principal.htm
http://www.bitdefender.com/scan/license.php
http://us.mcafee.com/root/mfs/default.asp
http://security.symantec.com/sscv6/default.asp?productid=symhome&langid=ie&venid=sym
http://www3.ca.com/virusinfo/virusscan.aspx

Download and install CleanUp! but do not run it yet.

*NOTE* Cleanup deletes EVERYTHING out of temp/temporary folders and does not make backups.

Please download miekiemoes' LQfix batch here:
http://www.downloads.subratam.org/LQfix.zip
Unzip it to the desktop but do NOT run it yet.

Please download and run the ISTsvc Removal Tool


Reboot into Safe Mode (hit F8 key until menu shows up). Make sure to close any open browsers.

Once in Safe Mode, please run LQfix.bat and allow it to finish.


Go into HijackThis->Config->Misc. Tools->Open process manager. Select the following and click Kill process for each one IF they are still listed (they shouldn't be but make sure)

C:\WINDOWS\SYSTEM\ELITEZKH32.EXE
C:\WINDOWS\SYSTEM\FCZBFJ.EXE
C:\WINDOWS\ETB\POKAPOKA63.EXE
C:\WINDOWS\JNROAN.EXE
C:\PROGRAM FILES\SURFACCURACY\SACC.EXE
C:\PROGRAM FILES\ISTSVC\ISTSVC.EXE

Check and fix the following in HijackThis if they still exist (make sure you do not miss an entry)

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://searchmiracle.com/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchmiracle.com/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchmiracle.com/sp.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/cus...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus.../search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/cus...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchmiracle.com/sp.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.exactsearch.net/sidesearch
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/cus...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\about.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [ntuagndnfyp] C:\WINDOWS\SYSTEM\bdabuz.exe
O4 - HKLM\..\Run: [PSof1] C:\WINDOWS\SYSTEM\PSof1.exe
O4 - HKLM\..\Run: [checkrun] C:\WINDOWS\SYSTEM\ELITEZKH32.EXE
O4 - HKLM\..\Run: [cfgmgr52] RunDLL32.EXE C:\WINDOWS\CFGMGR52.DLL,DllRun
O4 - HKLM\..\Run: [exp] C:\WINDOWS\SYSTEM\exp
O4 - HKLM\..\Run: [secure] C:\WINDOWS\SYSTEM\FCZBFJ.exe
O4 - HKLM\..\Run: [autoupdate] rundll32 C:\WINDOWS\SYSTEM\DATADX.DLL,SHStart
O4 - HKLM\..\Run: [qp5U36R] SPONONCE.EXE
O4 - HKLM\..\Run: [System service62] C:\WINDOWS\etb\pokapoka63.exe
O4 - HKLM\..\Run: [System service63] C:\WINDOWS\ETB\POKAPOKA63.EXE
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\jnroan.exe reg_run
O4 - HKLM\..\Run: [4DTm9eAE] C:\TQKCNVT.EXE
O4 - HKLM\..\Run: [SurfAccuracy] C:\Program Files\SurfAccuracy\SAcc.exe
O4 - HKLM\..\Run: [IST Service] \ISTsvc\istsvc.exe
O4 - HKCU\..\Run: [TAXPDF] C:\WINDOWS\SYSTEM\TAXPDF.EXE
O4 - HKCU\..\Run: [DX7VB] C:\WINDOWS\SYSTEM\DX7VB.EXE
O4 - HKCU\..\Run: [bEu8RWdmg] NSWAIG32.EXE
O4 - HKCU\..\Run: [MOMO] C:\PROGRAM FILES\COMMON FILES\MOMO\MOMOM.EXE
O4 - HKCU\..\Run: [196_150_NI] C:\WINDOWS\SYSTEM\196_150_NI.EXE
O4 - Startup: nakt.exe
O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.24.141/code/PWActiveXImgCtl.CAB
O16 - DPF: {42F2C9BA-614F-47C0-B3E3-ECFD34EED658} (Installer Class) - ms-its:mhtml:file://c:\fsacskys.mht!http://filesharingaccess.com/script...ysb_regular.cab
O16 - DPF: {99410CDE-6F16-42ce-9D49-3807F78F0287} - http://www.180searchassistant.com/180saax.cab


Delete the following Files/Folders in RED (delete folders if no filename is specified or if they are highlighted in RED) according to their directory (If you can't find them...do a search for them…make sure you have search hidden files, folders, sub directory’s ect enabled if it apply’s to your OS)

C:\WINDOWS\SYSTEM\ELITEZKH32.EXE
C:\WINDOWS\SYSTEM\FCZBFJ.EXE
C:\WINDOWS\ETB\POKAPOKA63.EXE
C:\WINDOWS\JNROAN.EXE
C:\PROGRAM FILES\SURFACCURACY\SACC.EXE
C:\PROGRAM FILES\ISTSVC\ISTSVC.EXE
C:\WINDOWS\SYSTEM\bdabuz.exe
C:\WINDOWS\SYSTEM\PSof1.exe
C:\WINDOWS\CFGMGR52.DLL
C:\WINDOWS\SYSTEM\exp.exe
C:\WINDOWS\SYSTEM\DATADX.DLL
C:\WINDOWS\jnroan.exe
C:\TQKCNVT.EXE
C:\WINDOWS\SYSTEM\TAXPDF.EXE
C:\WINDOWS\SYSTEM\DX7VB.EXE
c:\fsacskys.mht
C:\PROGRAM FILES\COMMON FILES\MOMO\MOMOM.EXE
nakt.exe
SPONONCE.EXE
NSWAIG32.EXE<--locate and delete these 3.

Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu). Set the program up as follows:
*Click "Options..."
*Move the arrow down to "Custom CleanUp!"
*Put a check next to the following:

• Empty Recycle Bins
• Delete Cookies
• Delete Prefetch files
  [X]Scan local drives for temporary files (Please uncheck this option)
• Cleanup! All Users

Click OK
Press the CleanUp! button to start the program. Reboot/logoff when prompted.

Once back to normal windows......

Please run an online scan at http://www.pandasoftware.com/activescan/com/activescan_principal.htm
Select the “Autofix/Clean” option IF it’s found and save the activescan log.

Download WinPFInd http://www.bleepingcomputer.com/files/oldtimer/WinPFind.zip and extract it to your C:\ folder. This will create a folder called WinPFind in the C:\ folder.

Download Track qoo http://www.geekstogo.com/downloads/Trackqoo.zip
Save it somewhere you will remember like the Desktop. Unzip the Track qoo.vbs inside to your desktop. DO NOT run it yet!

Reboot into Safe Mode
Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.!


Inside C:\WinPFind is a file called WinPFind.exe. Double-click on this file to launch the program. Once it is launched, click on the Start Scan button and wait for it to finish. This program will scan large amounts of files on your computer for known patterns so please be patient while it works as it can take a while, upwards to 30 minutes or more.! Once the Scan is Complete it will make a txt file (log) of what was found.

1. Go to the WinPFind folder
2. Locate WinPFind.txt
3. Please post those results in your next post!

REBOOT to normal mode.

Double Click on "Track qoo.vbs"

Note - If you Antivirus has Script Blocking, you will get a Pop Up Windows asking you what to do. Allow this Entire Script to Run, its harmless!

Wait a few seconds and a notepad page will pop up, Copy & Paste those results and place them in the next post along with the results of WinPFind! and the rest of the logs.

So I need the following tool logs..

WinPFind.txt log
Track qoo.vbs log
Panda Scan log
Hijackthis log