pop ups - help

HijackThis log

Here is the current HijackThis log. I will leave the computer on until I hear from you, as you requested. Thanks again.
mmuzzy

Logfile of HijackThis v1.99.1
Scan saved at 10:33:26 AM, on 7/1/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCSETMGR.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\QUICKENW\QAGENT.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\LOGITECH\ITOUCH\ITOUCH.EXE
C:\MOUSE\SYSTEM\EM_EXEC.EXE
C:\WINDOWS\SYSTEM\LEXBCES.EXE
C:\PROGRAM FILES\HP\HP SOFTWARE UPDATE\HPWUSCHD.EXE
C:\PROGRAM FILES\HP\HPCORETECH\HPCMPMGR.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCPD-LC\SYMLCSVC.EXE
C:\WINDOWS\SYSTEM\MRTMNGR.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
C:\WINDOWS\SYSTEM\LVCOMS.EXE
C:\PROGRAM FILES\MSN APPS\UPDATER\01.03.0000.1005\EN-US\MSNAPPAU.EXE
C:\WINDOWS\SYSTEM\WINSTARTER.EXE
C:\PROGRAM FILES\VIEWPOINT\VIEWPOINT MANAGER\VIEWMGR.EXE
C:\PROGRAM FILES\MEDIA ACCESS\MEDIAACCK.EXE
C:\WINDOWS\SYSTEM\VIDCTRL\VIDCTRL.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\PROGRAM FILES\MEDIA ACCESS\MEDIAACCESS.EXE
C:\WINDOWS\SYSTEM\THESRV.EXE
C:\WINDOWS\SYSTEM\VFMLOQ.EXE
C:\WINDOWS\RHRAPK.EXE
C:\PROGRAM FILES\AUTOUPDATE\AUTOUPDATE.EXE
C:\WINDOWS\SYSTEM\T2EPI.EXE
C:\WINDOWS\SYSTEM\HPZCFG.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\PROGRAM FILES\HP DESKJET 610C SERIES\EREG\REMIND32.EXE
C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
C:\WINDOWS\SYSTEM\CFGWIZ32.EXE
C:\WINDOWS\SYSTEM\HPZCFG.EXE
C:\PROGRAM FILES\HP\HPCORETECH\COMP\HPTSKMGR.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\DESKTOP\HIJACKS THIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://searchmiracle.com/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.myexcel.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ironmountaindailynews.com/loclnews.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = res://C:\PROGRA~1\TOOLBAR\TOOLBAR.DLL/sa
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchmiracle.com/sp.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
F1 - win.ini: run=hpfsched
O2 - BHO: CControl Object - {3643ABC2-21BF-46B9-B230-F247DB0C6FD6} - C:\Program Files\E2G\IeBHOs.dll
O2 - BHO: &EliteBar - {28CAEFF3-0F18-4036-B504-51D73BD81ABC} - C:\WINDOWS\EliteToolBar\EliteToolBar version 60.dll (file missing)
O2 - BHO: CeresObj Class - {00000049-8F91-4D9C-9573-F016E7626484} - C:\WINDOWS\CERES.DLL
O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\SYSTB.DLL
O2 - BHO: CExtension Object - {0019C3E2-DD48-4A6D-ABCD-8D32436323D9} - C:\WINDOWS\CFGMGR52.DLL
O3 - Toolbar: &EliteBar - {825CF5BD-8862-4430-B771-0C15C5CA8DEF} - C:\WINDOWS\EliteToolBar\EliteToolBar version 60.dll (file missing)
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [LexStart] LexStart.EXE
O4 - HKLM\..\Run: [QAGENT] C:\QUICKENW\QAGENT.EXE
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [zBrowser Launcher] C:\PROGRA~1\LOGITECH\ITOUCH\iTouch.exe
O4 - HKLM\..\Run: [EM_EXEC] c:\MOUSE\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [HP Software Update] "c:\Program Files\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\PROGRAM FILES\HP\HPCORETECH\HPCMPMGR.EXE"
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [Symantec Core LC] C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe start
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [DXM6Patch_981116] C:\WINDOWS\p_981116.exe /Q:A
O4 - HKLM\..\Run: [LVComs] c:\windows\SYSTEM\LVComS.exe
O4 - HKLM\..\Run: [msnappau] "c:\program files\MSN Apps\Updater\01.03.0000.1005\en-us\msnappau.exe"
O4 - HKLM\..\Run: [WinTaskMan] C:\WINDOWS\SYSTEM\winstarter.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [Media Access] C:\PROGRAM FILES\MEDIA ACCESS\MediaAccK.exe
O4 - HKLM\..\Run: [vidctrl] C:\WINDOWS\SYSTEM\VIDCTRL\VIDCTRL.EXE
O4 - HKLM\..\Run: [cfgmgr52] RunDLL32.EXE C:\WINDOWS\CFGMGR52.DLL,DllRun
O4 - HKLM\..\Run: [AUNPS2] RUNDLL32 AUNPS2.DLL,_Run@16
O4 - HKLM\..\Run: [p4mX37V] THESRV.EXE
O4 - HKLM\..\Run: [vfmloq] c:\windows\system\vfmloq.exe
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\rhrapk.exe reg_run
O4 - HKLM\..\Run: [exp] C:\WINDOWS\SYSTEM\exp
O4 - HKLM\..\Run: [AutoUpdater] "c:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKLM\..\Run: [Win Server Updt] C:\WINDOWS\wupdt.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [ccEvtMgr] "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
O4 - HKLM\..\RunServices: [ccSetMgr] "C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe"
O4 - HKCU\..\Run: [Y357RXZ6R] T2EPI.EXE
O4 - HKCU\..\Run: [180ClientStubInstall] "C:\TEMP\STUBINSTALLER6480.EXE"
O4 - HKCU\..\Run: [HPZCFG] C:\WINDOWS\SYSTEM\HPZCFG.exe
O4 - HKCU\..\RunOnce: [HPZCFG] C:\WINDOWS\SYSTEM\HPZCFG.exe
O4 - Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: Reminder-hpc41003.lnk = C:\Program Files\HP DeskJet 610C Series\ereg\Remind32.exe
O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O4 - Startup: nrna.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM\AIM.EXE
O9 - Extra button: Dell Home - {770BAA40-0094-11D4-AB37-40C34FC1EA00} - http://business.dellnet.com/ (file missing) (HKCU)
O12 - Plugin for .aspx: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {9FC5238F-12C4-454F-B1B5-74599A21DE47} (Webshots Photo Uploader) - http://community.webshots.com/html/WSPhotoUploader.CAB
O16 - DPF: {11111111-1111-1111-1111-111111111123} - file://C:\Program Files\Windows Media Player\mp3codec543.exe
O16 - DPF: {05D96F71-87C6-11D3-9BE4-00902742D6E0} (QuickPlace Class) - http://qp.dasd.org/qp2.cab
O16 - DPF: {C606BA60-AB76-48B6-96A7-2C4D5C386F70} (PreQualifier Class) - http://www.verizon.net/checkmypc/includes/MotivePreQual.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
 
Hi mmuzzy.
The entries haven't changed; it's OK if you need to turn the machine off. You might want to print these instructions. Can you download these programs?
Killbox.
CCleaner.
Trojanhunter.
Then go to Add\Remove Programs and remove anything related to WinTools, Toolbar, Search Toolbar or 180search.
Boot into safe mode. Run the Killbox. Check "Replace on Reboot" and "Use Dummy". Copy and paste these one at a time into the "Full path of file to delete" box. After each one, press the red button with the white cross, then answer yes to replace on reboot and no to restart now.
C:\WINDOWS\SEEDCO~1.EXE
C:\WINDOWS\RHRAPK.EXE
C:\WINDOWS\BDBAMCM.EXE
C:\WINDOWS\Start Menu\Programs\StartUp\NRNA.EXE
Then run Trojanhunter.
Then CCleaner: under "Internet Explorer" uncheck "Cookies" (and under Firefox if you use it).
Then Hijackthis, hit "scan only" and check the following entries.

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://searchmiracle.com/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = res://C:\PROGRA~1\TOOLBAR\TOOLBAR.DLL/sa
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchmiracle.com/sp.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O2 - BHO: CControl Object - {3643ABC2-21BF-46B9-B230-F247DB0C6FD6} - C:\Program Files\E2G\IeBHOs.dll
O2 - BHO: &EliteBar - {28CAEFF3-0F18-4036-B504-51D73BD81ABC} - C:\WINDOWS\EliteToolBar\EliteToolBar version 60.dll (file missing)
O2 - BHO: CeresObj Class - {00000049-8F91-4D9C-9573-F016E7626484} - C:\WINDOWS\CERES.DLL
O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\SYSTB.DLL
O2 - BHO: CExtension Object - {0019C3E2-DD48-4A6D-ABCD-8D32436323D9} - C:\WINDOWS\CFGMGR52.DLL
O3 - Toolbar: &EliteBar - {825CF5BD-8862-4430-B771-0C15C5CA8DEF} - C:\WINDOWS\EliteToolBar\EliteToolBar version 60.dll (file missing)
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [Media Access] C:\PROGRAM FILES\MEDIA ACCESS\MediaAccK.exe
O4 - HKLM\..\Run: [p4mX37V] THESRV.EXE
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\rhrapk.exe reg_run
O4 - HKLM\..\Run: [exp] C:\WINDOWS\SYSTEM\exp
O4 - HKCU\..\Run: [Y357RXZ6R] T2EPI.EXE
O4 - HKCU\..\Run: [180ClientStubInstall] "C:\TEMP\STUBINSTALLER6480.EXE"
O4 - Startup: nrna.exe
Close all open windows, hit "Fix Checked".
Find and delete these folders\files (in bold) if still there.
C:\WINDOWS\SYSTEM\WINSTARTER.EXE
C:\PROGRAM FILES\MEDIA ACCESS\MEDIAACCK.EXE
C:\PROGRAM FILES\MEDIA ACCESS\MEDIAACCESS.EXE
C:\WINDOWS\SYSTEM\THESRV.EXE
C:\WINDOWS\SYSTEM\T2EPI.EXE
C:\WINDOWS\SYSTEM\exp
C:\WINDOWS\CERES.DLL
There's more than all these, but my eyes are hurting, we'll get what's left later.
Reboot to normal mode, and post a new Qoologic log and Hijackthis log.
 
Dear Buzz,
I followed your directions. Here is the Qoologic scan:
PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, There WILL be LEGIT FILES LISTED PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
»»»»»»»»»»»»»»»»»»»»»»»»» Files found in System »»»»»»»»»»»»»»»»»»»»»»»

* aspack C:\WINDOWS\EFAXVIEW.EXE
* aspack C:\WINDOWS\RHRAPK.EXE
* aspack C:\WINDOWS\BDBAMCM.EXE


»»»»»»»»»»»»»»»»»»»»»»»»» startup files »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
* exe C:\WINDOWS\startm~1\programs\startup\NRNA.EXE

»»»»»»»»»»»»»»»»»»»»»»»»» Checking Global Startup »»»»»»»»»»»»»»»»»»»»»


Global Startup:
problem locating dir

User Startup:
C:\WINDOWS\Start Menu\Programs\StartUp


Here is the HijackThis scan:
Logfile of HijackThis v1.99.1
Scan saved at 2:59:36 PM, on 7/1/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCSETMGR.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\QUICKENW\QAGENT.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\LOGITECH\ITOUCH\ITOUCH.EXE
C:\WINDOWS\SYSTEM\LEXBCES.EXE
C:\MOUSE\SYSTEM\EM_EXEC.EXE
C:\PROGRAM FILES\HP\HP SOFTWARE UPDATE\HPWUSCHD.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\PROGRAM FILES\HP\HPCORETECH\HPCMPMGR.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCPD-LC\SYMLCSVC.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
C:\WINDOWS\SYSTEM\LVCOMS.EXE
C:\PROGRAM FILES\MSN APPS\UPDATER\01.03.0000.1005\EN-US\MSNAPPAU.EXE
C:\PROGRAM FILES\VIEWPOINT\VIEWPOINT MANAGER\VIEWMGR.EXE
C:\WINDOWS\SYSTEM\MRTMNGR.EXE
C:\WINDOWS\SYSTEM\VIDCTRL\VIDCTRL.EXE
C:\PROGRAM FILES\TROJANHUNTER 4.2\THGUARD.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\PROGRAM FILES\HP DESKJET 610C SERIES\EREG\REMIND32.EXE
C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
C:\PROGRAM FILES\HP\HPCORETECH\COMP\HPTSKMGR.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\DESKTOP\HIJACKS THIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.myexcel.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ironmountaindailynews.com/loclnews.html
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
F1 - win.ini: run=hpfsched
O2 - BHO: SearchToolbarBHOObject - {12EE7A5E-0674-42f9-A76A-000000004D00} - C:\WINDOWS\SYSTEM\STLB2.DLL
O3 - Toolbar: (no name) - {825CF5BD-8862-4430-B771-0C15C5CA8DEF} - (no file)
O3 - Toolbar: Search - {12EE7A5E-0674-42f9-A76B-000000004D00} - C:\WINDOWS\SYSTEM\STLB2.DLL
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [LexStart] LexStart.EXE
O4 - HKLM\..\Run: [QAGENT] C:\QUICKENW\QAGENT.EXE
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [zBrowser Launcher] C:\PROGRA~1\LOGITECH\ITOUCH\iTouch.exe
O4 - HKLM\..\Run: [EM_EXEC] c:\MOUSE\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [HP Software Update] "c:\Program Files\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\PROGRAM FILES\HP\HPCORETECH\HPCMPMGR.EXE"
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [Symantec Core LC] C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe start
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [DXM6Patch_981116] C:\WINDOWS\p_981116.exe /Q:A
O4 - HKLM\..\Run: [LVComs] c:\windows\SYSTEM\LVComS.exe
O4 - HKLM\..\Run: [msnappau] "c:\program files\MSN Apps\Updater\01.03.0000.1005\en-us\msnappau.exe"
O4 - HKLM\..\Run: [WinTaskMan] C:\WINDOWS\SYSTEM\winstarter.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [vidctrl] C:\WINDOWS\SYSTEM\VIDCTRL\VIDCTRL.EXE
O4 - HKLM\..\Run: [cfgmgr52] RunDLL32.EXE C:\WINDOWS\CFGMGR52.DLL,DllRun
O4 - HKLM\..\Run: [AUNPS2] RUNDLL32 AUNPS2.DLL,_Run@16
O4 - HKLM\..\Run: [vfmloq] c:\windows\system\vfmloq.exe
O4 - HKLM\..\Run: [AutoUpdater] "c:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKLM\..\Run: [THGuard] "C:\PROGRAM FILES\TROJANHUNTER 4.2\THGUARD.EXE"
O4 - HKLM\..\Run: [autoupdate] rundll32 C:\WINDOWS\SYSTEM\SUPDATE.DLL,SHStart
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\vuvzpr.exe reg_run
O4 - HKLM\..\Run: [{12EE7A5E-0674-42f9-A76B-000000004D00}] rundll32.exe stlb2.dll,DllRunMain
O4 - HKLM\..\Run: [A70F6A1D-0195-42a2-934C-D8AC0F7C08EB] rundll32.exe E6F1873B.DLL,D9EBC318C
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [ccEvtMgr] "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
O4 - HKLM\..\RunServices: [ccSetMgr] "C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe"
O4 - HKCU\..\Run: [HPZCFG] C:\WINDOWS\SYSTEM\HPZCFG.exe
O4 - Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: Reminder-hpc41003.lnk = C:\Program Files\HP DeskJet 610C Series\ereg\Remind32.exe
O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O4 - Startup: nrna.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM\AIM.EXE
O9 - Extra button: Dell Home - {770BAA40-0094-11D4-AB37-40C34FC1EA00} - http://business.dellnet.com/ (file missing) (HKCU)
O12 - Plugin for .aspx: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {9FC5238F-12C4-454F-B1B5-74599A21DE47} (Webshots Photo Uploader) - http://community.webshots.com/html/WSPhotoUploader.CAB
O16 - DPF: {11111111-1111-1111-1111-111111111123} - file://C:\Program Files\Windows Media Player\mp3codec543.exe
O16 - DPF: {05D96F71-87C6-11D3-9BE4-00902742D6E0} (QuickPlace Class) - http://qp.dasd.org/qp2.cab
O16 - DPF: {C606BA60-AB76-48B6-96A7-2C4D5C386F70} (PreQualifier Class) - http://www.verizon.net/checkmypc/includes/MotivePreQual.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab

Thanks from the bottom of my heart.
mmuzzy
 
Hi mmuzzy.
We're making progress, are things any better? Could you re-do the Killbox steps again, but add this line?
C:\WINDOWS\vuvzpr.exe
Then post back the Qoologic log, and the line from Hijackthis that looks like this.
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\vuvzpr.exe reg_run
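The comparison Buzz is doing by eye in the two posts above (first "the entries haven't changed", then whether the KavSvc line now points at a different executable) can be automated. The following is an added example, not code from the thread and not part of HijackThis: a small Python parser for HijackThis v1.99-style logs that splits a scan into running processes and numbered entries, diffs two scans, reports autorun keys whose command changed between scans, and lists entries that still reference a file HijackThis could not find. The two sample logs are short, constructed excerpts of the 10:33 AM and 2:59 PM logs mmuzzy posted on 7/1/05; the function names are this example's own.

```python
"""Parse HijackThis v1.99-style logs and compare two scans.

Added example for this thread; not part of HijackThis and not code posted
by anyone in the thread. Sample logs are excerpts of the logs posted above.
"""
import re
from dataclasses import dataclass

# Numbered entry: "O4 - HKLM\..\Run: [name] command", "R1 - ...", "F1 - ...".
ENTRY_RE = re.compile(r"^(?P<section>[RFO]\d{1,2}) - (?P<body>.+)$")
# Body of an O4 registry autorun: "<hive>: [<run-key name>] <command>".
O4_RE = re.compile(r"^(?P<hive>.+?): \[(?P<name>[^\]]+)\] (?P<command>.+)$")


@dataclass(frozen=True)
class Entry:
    section: str  # R0, R1, F1, O2, O4, O16, ...
    body: str     # everything after "Oxx - "


def parse_log(text):
    """Split one log into (running processes, numbered entries)."""
    processes, entries = [], []
    in_processes = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            in_processes = False      # a blank line ends the process list
            continue
        if line == "Running processes:":
            in_processes = True
            continue
        if in_processes:
            processes.append(line)
            continue
        m = ENTRY_RE.match(line)   # header lines (Logfile, Scan saved) fall through
        if m:
            entries.append(Entry(m.group("section"), m.group("body")))
    return processes, entries


def diff_logs(old_text, new_text):
    """Return (entries new in the later scan, entries gone from it)."""
    old = set(parse_log(old_text)[1])
    new = set(parse_log(new_text)[1])
    key = lambda e: (e.section, e.body)
    return sorted(new - old, key=key), sorted(old - new, key=key)


def autoruns(entries):
    """Map (hive, run-key name) -> command for every O4 registry entry."""
    out = {}
    for e in entries:
        if e.section == "O4":
            m = O4_RE.match(e.body)   # "Startup: x.exe" lines have no [name]
            if m:
                out[(m.group("hive"), m.group("name"))] = m.group("command")
    return out


def changed_autoruns(old_text, new_text):
    """Run keys present in both scans whose command now points elsewhere
    (a kept name with a freshly named executable, as in the KavSvc line)."""
    old = autoruns(parse_log(old_text)[1])
    new = autoruns(parse_log(new_text)[1])
    return {k: (old[k], v) for k, v in new.items() if k in old and old[k] != v}


def orphaned_entries(entries):
    """Entries still referencing a file HijackThis reported as absent."""
    return [e for e in entries if "(file missing)" in e.body or "(no file)" in e.body]


OLD_LOG = r"""
Logfile of HijackThis v1.99.1
Scan saved at 10:33:26 AM, on 7/1/05

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\RHRAPK.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://searchmiracle.com/sp.php
O2 - BHO: CeresObj Class - {00000049-8F91-4D9C-9573-F016E7626484} - C:\WINDOWS\CERES.DLL
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\rhrapk.exe reg_run
O4 - Startup: nrna.exe
"""

NEW_LOG = r"""
Logfile of HijackThis v1.99.1
Scan saved at 2:59:36 PM, on 7/1/05

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\PROGRAM FILES\TROJANHUNTER 4.2\THGUARD.EXE

O2 - BHO: SearchToolbarBHOObject - {12EE7A5E-0674-42f9-A76A-000000004D00} - C:\WINDOWS\SYSTEM\STLB2.DLL
O3 - Toolbar: (no name) - {825CF5BD-8862-4430-B771-0C15C5CA8DEF} - (no file)
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\vuvzpr.exe reg_run
O4 - Startup: nrna.exe
"""

if __name__ == "__main__":
    added, removed = diff_logs(OLD_LOG, NEW_LOG)
    for tag, group in (("+", added), ("-", removed)):
        for e in group:
            print(tag, e.section, "-", e.body)
    for (hive, name), (before, after) in changed_autoruns(OLD_LOG, NEW_LOG).items():
        print(f"changed {hive} [{name}]: {before!r} -> {after!r}")
    for e in orphaned_entries(parse_log(NEW_LOG)[1]):
        print("orphan", e.section, "-", e.body)
```

Keying the autorun diff on the run-key name rather than on the whole line is the point: a plain line diff shows one KavSvc line removed and another added, while the keyed view shows that the same registry value was rewritten to launch a renamed file, which is why Buzz asks for that one line rather than a whole new log.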
 
new log

Hi Buzz,
I ran the Qoologic log and then rebooted into normal mode. The log was no longer on my clipboard, but I went into the Qoologic text and copied the file that was placed in there about 15 minutes ago, so I'm assuming this is the correct log. Here is the Qoologic log:

PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, There WILL be LEGIT FILES LISTED PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
»»»»»»»»»»»»»»»»»»»»»»»»» Files found in System »»»»»»»»»»»»»»»»»»»»»»»

* qoologic C:\WINDOWS\SEEDCO~1.EXE
* aspack C:\WINDOWS\EFAXVIEW.EXE
* aspack C:\WINDOWS\RHRAPK.EXE
* aspack C:\WINDOWS\BDBAMCM.EXE
* aspack C:\WINDOWS\SEEDCO~1.EXE


»»»»»»»»»»»»»»»»»»»»»»»»» startup files »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
* exe C:\WINDOWS\startm~1\programs\startup\NRNA.EXE

»»»»»»»»»»»»»»»»»»»»»»»»» Checking Global Startup »»»»»»»»»»»»»»»»»»»»»


Global Startup:
problem locating dir

User Startup:
C:\WINDOWS\Start Menu\Programs\StartUp

* KavSvc C:\WINDOWS\System\SUPDATE.DLL
* KavSvc C:\WINDOWS\SEEDCO~1.EXE
* KavSvc C:\WINDOWS\RNRKIEI.DLL
* KavSvc C:\WINDOWS\UIUKS.DLL
* aspack C:\WINDOWS\System\REDIT.CPL
* UPX! C:\WINDOWS\System\SKYTOWN.EXE
* UPX! C:\WINDOWS\System\VFMLOQ.EXE
* UPX! C:\WINDOWS\System\HPZCFG.EXE
* UPX! C:\WINDOWS\System\AUNPS2.DLL
* UPX! C:\WINDOWS\System\SUPDATE.DLL
* aspack C:\WINDOWS\EFAXVIEW.EXE
* aspack C:\WINDOWS\RHRAPK.EXE
* aspack C:\WINDOWS\BDBAMCM.EXE
* aspack C:\WINDOWS\SEEDCO~1.EXE
* aspack C:\WINDOWS\RNRKIEI.DLL
* aspack C:\WINDOWS\UIUKS.DLL
* aspack C:\WINDOWS\VSAPI32.DLL
* UPX! C:\WINDOWS\IUP1LD~5.EXE
* UPX! C:\WINDOWS\IUP1LD~6.EXE
* UPX! C:\WINDOWS\WUPDT.EXE
* UPX! C:\WINDOWS\IUP1LD~4.EXE
* UPX! C:\WINDOWS\IUP1LD~7.EXE
* UPX! C:\WINDOWS\POP2.EXE
* UPX! C:\WINDOWS\IUP1LD~8.EXE
* UPX! C:\WINDOWS\IUP1LD~9.EXE
* UPX! C:\WINDOWS\BUDDY.EXE
* UPX! C:\WINDOWS\TDTB.EXE
* UPX! C:\WINDOWS\TSC.EXE
* UPX! C:\WINDOWS\CERES.DLL
* UPX! C:\WINDOWS\VSAPI32.DLL
* KavSvc C:\WINDOWS\System\SUPDATE.DLL
* KavSvc C:\WINDOWS\ZOZXRPR.DLL
* KavSvc C:\WINDOWS\POPMU.DLL
* KavSvc C:\WINDOWS\RNRKIEI.DLL
* KavSvc C:\WINDOWS\UIUKS.DLL
* aspack C:\WINDOWS\System\REDIT.CPL
* UPX! C:\WINDOWS\System\SUPDATE.DLL
* aspack C:\WINDOWS\EFAXVIEW.EXE
* aspack C:\WINDOWS\RHRAPK.EXE
* aspack C:\WINDOWS\BDBAMCM.EXE
* aspack C:\WINDOWS\RNRKIEI.DLL
* aspack C:\WINDOWS\UIUKS.DLL
* aspack C:\WINDOWS\VSAPI32.DLL
* UPX! C:\WINDOWS\IUP1LD~5.EXE
* UPX! C:\WINDOWS\IUP1LD~6.EXE
* UPX! C:\WINDOWS\WUPDT.EXE
* UPX! C:\WINDOWS\IUP1LD~4.EXE
* UPX! C:\WINDOWS\IUP1LD~7.EXE
* UPX! C:\WINDOWS\POP2.EXE
* UPX! C:\WINDOWS\IUP1LD~8.EXE
* UPX! C:\WINDOWS\IUP1LD~9.EXE
* UPX! C:\WINDOWS\BUDDY.EXE
* UPX! C:\WINDOWS\TSC.EXE
* UPX! C:\WINDOWS\ZOZXRPR.DLL
* UPX! C:\WINDOWS\VSAPI32.DLL
* KavSvc C:\WINDOWS\System\SUPDATE.DLL
* KavSvc C:\WINDOWS\ZOZXRPR.DLL
* KavSvc C:\WINDOWS\POPMU.DLL
* KavSvc C:\WINDOWS\RNRKIEI.DLL
* KavSvc C:\WINDOWS\UIUKS.DLL
* aspack C:\WINDOWS\System\REDIT.CPL
* UPX! C:\WINDOWS\System\SUPDATE.DLL
* aspack C:\WINDOWS\EFAXVIEW.EXE
* aspack C:\WINDOWS\RHRAPK.EXE
* aspack C:\WINDOWS\BDBAMCM.EXE
* aspack C:\WINDOWS\RNRKIEI.DLL
* aspack C:\WINDOWS\UIUKS.DLL
* aspack C:\WINDOWS\VSAPI32.DLL
* UPX! C:\WINDOWS\IUP1LD~5.EXE
* UPX! C:\WINDOWS\IUP1LD~6.EXE
* UPX! C:\WINDOWS\WUPDT.EXE
* UPX! C:\WINDOWS\IUP1LD~4.EXE
* UPX! C:\WINDOWS\IUP1LD~7.EXE
* UPX! C:\WINDOWS\POP2.EXE
* UPX! C:\WINDOWS\IUP1LD~8.EXE
* UPX! C:\WINDOWS\IUP1LD~9.EXE
* UPX! C:\WINDOWS\BUDDY.EXE
* UPX! C:\WINDOWS\TSC.EXE
* UPX! C:\WINDOWS\ZOZXRPR.DLL
* UPX! C:\WINDOWS\VSAPI32.DLL

I think this is the line you were looking for from HijackThis:
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\vuvzpr.exe reg_run

The computer is running great. No popups. When I start up the computer, I am getting these two error messages:

Error loading AUNPS2.dll

System cannot find the file specified: C:\WINDOWS\CFGMcr52.dll

The trojanhunter is cleaning trojans from Qlogic when I start up the computer, as well.

You are a genius....can't thank you enough....
mmuzzy

Buzz1927 said:
Hi mmuzzy.
We're making progress, are things any better? Could you re-do the Killbox steps again, but add this line.
C:\WINDOWS\vuvzpr.exe
Then post back the Qoologic log, and the line from Hijackthis that looks like this.
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\vuvzpr.exe reg_run
This part - vuvzpr.exe reg_run - might have changed, that's what I'm looking for. No need to post the whole Hijackthis log yet.
 
Hi mmuzzy.
I don't think the problem is gone. It may be OK now, but give it a day or two. Please post back if this is the case.
 
Hi Buzz,
My son tells me that the computer is acting up again. The popups seem to have returned. The Trojanhunter is definitely cleaning the computer each time it opens, but I'm wondering if you could take a look at this log and let me know what you think. Thanks so much~
mmuzzy

Logfile of HijackThis v1.99.1
Scan saved at 2:12:41 PM, on 7/5/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCSETMGR.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\QUICKENW\QAGENT.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\LOGITECH\ITOUCH\ITOUCH.EXE
C:\MOUSE\SYSTEM\EM_EXEC.EXE
C:\WINDOWS\SYSTEM\LEXBCES.EXE
C:\PROGRAM FILES\HP\HP SOFTWARE UPDATE\HPWUSCHD.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\PROGRAM FILES\HP\HPCORETECH\HPCMPMGR.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCPD-LC\SYMLCSVC.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
C:\WINDOWS\SYSTEM\LVCOMS.EXE
C:\WINDOWS\SYSTEM\MRTMNGR.EXE
C:\PROGRAM FILES\MSN APPS\UPDATER\01.03.0000.1005\EN-US\MSNAPPAU.EXE
C:\PROGRAM FILES\VIEWPOINT\VIEWPOINT MANAGER\VIEWMGR.EXE
C:\WINDOWS\SYSTEM\VIDCTRL\VIDCTRL.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\SYSTEM\VFMLOQ.EXE
C:\PROGRAM FILES\TROJANHUNTER 4.2\THGUARD.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\PROGRAM FILES\HP DESKJET 610C SERIES\EREG\REMIND32.EXE
C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
C:\WINDOWS\SYSTEM\CFGWIZ32.EXE
C:\PROGRAM FILES\HP\HPCORETECH\COMP\HPTSKMGR.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\DESKTOP\HIJACKS THIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.myexcel.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ironmountaindailynews.com/loclnews.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
F1 - win.ini: run=hpfsched
O2 - BHO: SearchToolbarBHOObject - {12EE7A5E-0674-42f9-A76A-000000004D00} - C:\WINDOWS\SYSTEM\STLB2.DLL
O2 - BHO: CeresObj Class - {00000049-8F91-4D9C-9573-F016E7626484} - C:\WINDOWS\CERES.DLL
O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\SYSTB.DLL
O3 - Toolbar: (no name) - {825CF5BD-8862-4430-B771-0C15C5CA8DEF} - (no file)
O3 - Toolbar: Search - {12EE7A5E-0674-42f9-A76B-000000004D00} - C:\WINDOWS\SYSTEM\STLB2.DLL
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [LexStart] LexStart.EXE
O4 - HKLM\..\Run: [QAGENT] C:\QUICKENW\QAGENT.EXE
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [zBrowser Launcher] C:\PROGRA~1\LOGITECH\ITOUCH\iTouch.exe
O4 - HKLM\..\Run: [EM_EXEC] c:\MOUSE\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [HP Software Update] "c:\Program Files\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\PROGRAM FILES\HP\HPCORETECH\HPCMPMGR.EXE"
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [Symantec Core LC] C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe start
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [DXM6Patch_981116] C:\WINDOWS\p_981116.exe /Q:A
O4 - HKLM\..\Run: [LVComs] c:\windows\SYSTEM\LVComS.exe
O4 - HKLM\..\Run: [msnappau] "c:\program files\MSN Apps\Updater\01.03.0000.1005\en-us\msnappau.exe"
O4 - HKLM\..\Run: [WinTaskMan] C:\WINDOWS\SYSTEM\winstarter.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [vidctrl] C:\WINDOWS\SYSTEM\VIDCTRL\VIDCTRL.EXE
O4 - HKLM\..\Run: [cfgmgr52] RunDLL32.EXE C:\WINDOWS\CFGMGR52.DLL,DllRun
O4 - HKLM\..\Run: [AUNPS2] RUNDLL32 AUNPS2.DLL,_Run@16
O4 - HKLM\..\Run: [vfmloq] c:\windows\system\vfmloq.exe
O4 - HKLM\..\Run: [AutoUpdater] "c:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKLM\..\Run: [THGuard] "C:\PROGRAM FILES\TROJANHUNTER 4.2\THGUARD.EXE"
O4 - HKLM\..\Run: [autoupdate] rundll32 C:\WINDOWS\SYSTEM\SUPDATE.DLL,SHStart
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\vuvzpr.exe reg_run
O4 - HKLM\..\Run: [{12EE7A5E-0674-42f9-A76B-000000004D00}] rundll32.exe stlb2.dll,DllRunMain
O4 - HKLM\..\Run: [A70F6A1D-0195-42a2-934C-D8AC0F7C08EB] rundll32.exe E6F1873B.DLL,D9EBC318C
O4 - HKLM\..\Run: [Win Server Updt] C:\WINDOWS\wupdt.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [ccEvtMgr] "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
O4 - HKLM\..\RunServices: [ccSetMgr] "C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe"
O4 - HKCU\..\Run: [HPZCFG] C:\WINDOWS\SYSTEM\HPZCFG.exe
O4 - Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: Reminder-hpc41003.lnk = C:\Program Files\HP DeskJet 610C Series\ereg\Remind32.exe
O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O4 - Startup: NRNA.EXE.tcf
O4 - Startup: NRNA.EXE7027.tcf
O4 - Startup: NRNA.EXE5420.tcf
O4 - Startup: NRNA.EXE5536.tcf
O4 - Startup: NRNA.EXE824.tcf
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM\AIM.EXE
O9 - Extra button: Dell Home - {770BAA40-0094-11D4-AB37-40C34FC1EA00} - http://business.dellnet.com/ (file missing) (HKCU)
O12 - Plugin for .aspx: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {9FC5238F-12C4-454F-B1B5-74599A21DE47} (Webshots Photo Uploader) - http://community.webshots.com/html/WSPhotoUploader.CAB
O16 - DPF: {11111111-1111-1111-1111-111111111123} - file://C:\Program Files\Windows Media Player\mp3codec543.exe
O16 - DPF: {05D96F71-87C6-11D3-9BE4-00902742D6E0} (QuickPlace Class) - http://qp.dasd.org/qp2.cab
O16 - DPF: {C606BA60-AB76-48B6-96A7-2C4D5C386F70} (PreQualifier Class) - http://www.verizon.net/checkmypc/includes/MotivePreQual.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
 
Hi mmuzzy.
I was expecting you to come back, as you left before we finished fixing you up. Run the FindQoologic and post the log from it; it can take a few tries to get everything.
In the meantime, let's get things looking a bit better. Uninstall Trojanhunter; it might be stopping us from seeing everything. Then run Hijackthis. Put a check by these entries.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
O2 - BHO: SearchToolbarBHOObject - {12EE7A5E-0674-42f9-A76A-000000004D00} - C:\WINDOWS\SYSTEM\STLB2.DLL
O2 - BHO: CeresObj Class - {00000049-8F91-4D9C-9573-F016E7626484} - C:\WINDOWS\CERES.DLL
O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\SYSTB.DLL
O3 - Toolbar: (no name) - {825CF5BD-8862-4430-B771-0C15C5CA8DEF} - (no file)
O3 - Toolbar: Search - {12EE7A5E-0674-42f9-A76B-000000004D00} - C:\WINDOWS\SYSTEM\STLB2.DLL
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [cfgmgr52] RunDLL32.EXE C:\WINDOWS\CFGMGR52.DLL,DllRun
O4 - HKLM\..\Run: [AUNPS2] RUNDLL32 AUNPS2.DLL,_Run@16
O4 - HKLM\..\Run: [vfmloq] c:\windows\system\vfmloq.exe
O4 - HKLM\..\Run: [AutoUpdater] "c:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKLM\..\Run: [autoupdate] rundll32 C:\WINDOWS\SYSTEM\SUPDATE.DLL,SHStart
O4 - HKLM\..\Run: [{12EE7A5E-0674-42f9-A76B-000000004D00}] rundll32.exe stlb2.dll,DllRunMain
O4 - HKLM\..\Run: [A70F6A1D-0195-42a2-934C-D8AC0F7C08EB] rundll32.exe E6F1873B.DLL,D9EBC318C
O4 - HKLM\..\Run: [Win Server Updt] C:\WINDOWS\wupdt.exe
O4 - HKCU\..\Run: [HPZCFG] C:\WINDOWS\SYSTEM\HPZCFG.exe
O4 - Startup: NRNA.EXE.tcf
O4 - Startup: NRNA.EXE7027.tcf
O4 - Startup: NRNA.EXE5420.tcf
O4 - Startup: NRNA.EXE5536.tcf
O4 - Startup: NRNA.EXE824.tcf

Make sure you're offline, and all windows are closed apart from Hijackthis, and hit "Fix Checked".
Run Killbox, under "Files" hit "Delete all dummy files".
Make sure you can see hidden files and protected operating system files. Find and delete this folder.
c:\Program Files\AutoUpdate
and these files, if they still exist.
C:\WINDOWS\CERES.DLL
C:\WINDOWS\SYSTB.DLL
C:\WINDOWS\SYSTEM\STLB2.DLL
c:\windows\system\vfmloq.exe
C:\WINDOWS\SYSTEM\SUPDATE.DLL
C:\WINDOWS\wupdt.exe
C:\WINDOWS\SYSTEM\HPZCFG.exe
C:\WINDOWS\CFGMGR52.DLL
If any can't be deleted, try in safemode.
Search for and delete this file
AUNPS2.DLL

Reboot, and post a new Hijackthis log, as well as the Find Qoologic log.
 
Dear Buzz,
Here is the Qoologic log. I ran it first and will not uninstall Trojanhunter, and then take off the entries on Hijacks this. I'll post another log when I finish.
Thanks so much.

PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, There WILL be LEGIT FILES LISTED PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
»»»»»»»»»»»»»»»»»»»»»»»»» Files found in System »»»»»»»»»»»»»»»»»»»»»»»

* aspack C:\WINDOWS\EFAXVIEW.EXE
* aspack C:\WINDOWS\RHRAPK.EXE
* aspack C:\WINDOWS\BDBAMCM.EXE


»»»»»»»»»»»»»»»»»»»»»»»»» startup files »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
* exe C:\WINDOWS\startm~1\programs\startup\NRNA.EXE

»»»»»»»»»»»»»»»»»»»»»»»»» Checking Global Startup »»»»»»»»»»»»»»»»»»»»»


Global Startup:
problem locating dir

User Startup:
C:\WINDOWS\Start Menu\Programs\StartUp

mmuzzy
 
Dear Buzz,
I followed all of your directions. On startup of the computer, I get this error message:
Error loading Windows\system\supdate.dll

Here is the Qoologic log:

PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, There WILL be LEGIT FILES LISTED PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
»»»»»»»»»»»»»»»»»»»»»»»»» Files found in System »»»»»»»»»»»»»»»»»»»»»»»

* aspack C:\WINDOWS\EFAXVIEW.EXE
* aspack C:\WINDOWS\RHRAPK.EXE
* aspack C:\WINDOWS\BDBAMCM.EXE


»»»»»»»»»»»»»»»»»»»»»»»»» startup files »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
* exe C:\WINDOWS\startm~1\programs\startup\NRNA.EXE

»»»»»»»»»»»»»»»»»»»»»»»»» Checking Global Startup »»»»»»»»»»»»»»»»»»»»»


Global Startup:
problem locating dir

User Startup:
C:\WINDOWS\Start Menu\Programs\StartUp


Here is the Hijacks This log:
Logfile of HijackThis v1.99.1
Scan saved at 10:36:38 AM, on 7/7/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCSETMGR.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\QUICKENW\QAGENT.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\LOGITECH\ITOUCH\ITOUCH.EXE
C:\WINDOWS\SYSTEM\LEXBCES.EXE
C:\MOUSE\SYSTEM\EM_EXEC.EXE
C:\PROGRAM FILES\HP\HP SOFTWARE UPDATE\HPWUSCHD.EXE
C:\PROGRAM FILES\HP\HPCORETECH\HPCMPMGR.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\SYSTEM\MRTMNGR.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCPD-LC\SYMLCSVC.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
C:\WINDOWS\SYSTEM\LVCOMS.EXE
C:\PROGRAM FILES\MSN APPS\UPDATER\01.03.0000.1005\EN-US\MSNAPPAU.EXE
C:\PROGRAM FILES\VIEWPOINT\VIEWPOINT MANAGER\VIEWMGR.EXE
C:\WINDOWS\SYSTEM\VIDCTRL\VIDCTRL.EXE
C:\WINDOWS\VUVZPR.EXE
C:\WINDOWS\SYSTEM\VFMLOQ.EXE
C:\PROGRAM FILES\HP DESKJET 610C SERIES\EREG\REMIND32.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
C:\WINDOWS\SYSTEM\CFGWIZ32.EXE
C:\PROGRAM FILES\HP\HPCORETECH\COMP\HPTSKMGR.EXE
C:\WINDOWS\DESKTOP\HIJACKS THIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.myexcel.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ironmountaindailynews.com/loclnews.html
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
F1 - win.ini: run=hpfsched
O2 - BHO: CeresObj Class - {00000049-8F91-4D9C-9573-F016E7626484} - C:\WINDOWS\CERES.DLL (file missing)
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [LexStart] LexStart.EXE
O4 - HKLM\..\Run: [QAGENT] C:\QUICKENW\QAGENT.EXE
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [zBrowser Launcher] C:\PROGRA~1\LOGITECH\ITOUCH\iTouch.exe
O4 - HKLM\..\Run: [EM_EXEC] c:\MOUSE\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [HP Software Update] "c:\Program Files\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\PROGRAM FILES\HP\HPCORETECH\HPCMPMGR.EXE"
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [Symantec Core LC] C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe start
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [DXM6Patch_981116] C:\WINDOWS\p_981116.exe /Q:A
O4 - HKLM\..\Run: [LVComs] c:\windows\SYSTEM\LVComS.exe
O4 - HKLM\..\Run: [msnappau] "c:\program files\MSN Apps\Updater\01.03.0000.1005\en-us\msnappau.exe"
O4 - HKLM\..\Run: [WinTaskMan] C:\WINDOWS\SYSTEM\winstarter.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [vidctrl] C:\WINDOWS\SYSTEM\VIDCTRL\VIDCTRL.EXE
O4 - HKLM\..\Run: [autoupdate] rundll32 C:\WINDOWS\SYSTEM\SUPDATE.DLL,SHStart
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\vuvzpr.exe reg_run
O4 - HKLM\..\Run: [vfmloq] c:\windows\system\vfmloq.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [ccEvtMgr] "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
O4 - HKLM\..\RunServices: [ccSetMgr] "C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe"
O4 - Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: Reminder-hpc41003.lnk = C:\Program Files\HP DeskJet 610C Series\ereg\Remind32.exe
O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O4 - Startup: nrna.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM\AIM.EXE
O9 - Extra button: Dell Home - {770BAA40-0094-11D4-AB37-40C34FC1EA00} - http://business.dellnet.com/ (file missing) (HKCU)
O12 - Plugin for .aspx: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {9FC5238F-12C4-454F-B1B5-74599A21DE47} (Webshots Photo Uploader) - http://community.webshots.com/html/WSPhotoUploader.CAB
O16 - DPF: {11111111-1111-1111-1111-111111111123} - file://C:\Program Files\Windows Media Player\mp3codec543.exe
O16 - DPF: {05D96F71-87C6-11D3-9BE4-00902742D6E0} (QuickPlace Class) - http://qp.dasd.org/qp2.cab
O16 - DPF: {C606BA60-AB76-48B6-96A7-2C4D5C386F70} (PreQualifier Class) - http://www.verizon.net/checkmypc/includes/MotivePreQual.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab


Thanks again for helping us.
mmuzzy
 
Hi mmuzzy.
We're getting there. You'll get an error message on startup until we get everything. Important: does your son play Prince of Persia 2, and if so, have you got the disc? Run the Killbox. Select "Delete on Reboot". Highlight the lines below and press Ctrl + C. In Killbox, under "File" select "Paste from clipboard". Check that all the entries appear (if it doesn't work you'll need to do them one by one, saying "No" when asked to restart) and press the red button with the white cross. (They might not all exist.)
C:\WINDOWS\System\SUPDATE.DLL
C:\WINDOWS\SEEDCO~1.EXE
C:\WINDOWS\RNRKIEI.DLL
C:\WINDOWS\UIUKS.DLL
C:\WINDOWS\System\REDIT.CPL
C:\WINDOWS\System\SKYTOWN.EXE
C:\WINDOWS\System\VFMLOQ.EXE
C:\WINDOWS\System\HPZCFG.EXE
C:\WINDOWS\System\AUNPS2.DLL
C:\WINDOWS\RHRAPK.EXE
C:\WINDOWS\BDBAMCM.EXE
C:\WINDOWS\IUP1LD~5.EXE
C:\WINDOWS\IUP1LD~6.EXE
C:\WINDOWS\WUPDT.EXE
C:\WINDOWS\IUP1LD~4.EXE
C:\WINDOWS\IUP1LD~7.EXE
C:\WINDOWS\POP2.EXE
C:\WINDOWS\IUP1LD~8.EXE
C:\WINDOWS\IUP1LD~9.EXE
C:\WINDOWS\BUDDY.EXE
C:\WINDOWS\TDTB.EXE
C:\WINDOWS\CERES.DLL
C:\WINDOWS\ZOZXRPR.DLL
C:\WINDOWS\POPMU.DLL
C:\WINDOWS\startmenu\programs\startup\NRNA.EXE
C:\WINDOWS\vuvzpr.exe
C:\WINDOWS\SYSTEM\winstarter.exe

Run Hijackthis and check these entries.

O2 - BHO: CeresObj Class - {00000049-8F91-4D9C-9573-F016E7626484} - C:\WINDOWS\CERES.DLL (file missing)
O4 - HKLM\..\Run: [WinTaskMan] C:\WINDOWS\SYSTEM\winstarter.exe
O4 - HKLM\..\Run: [vidctrl] C:\WINDOWS\SYSTEM\VIDCTRL\VIDCTRL.EXE
O4 - HKLM\..\Run: [autoupdate] rundll32 C:\WINDOWS\SYSTEM\SUPDATE.DLL,SHStart
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\vuvzpr.exe reg_run
O4 - HKLM\..\Run: [vfmloq] c:\windows\system\vfmloq.exe
O4 - Startup: nrna.exe
Close all open windows and browsers, and hit "Fix Checked".
Find and delete this folder C:\WINDOWS\SYSTEM\VIDCTRL
Reboot and post the new logs.
 
Dear Buzz,
We cleaned up the files as you directed. Here are the logs. Thanks again.
mmuzzy

Qoologic Log:

PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, There WILL be LEGIT FILES LISTED PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
»»»»»»»»»»»»»»»»»»»»»»»»» Files found in System »»»»»»»»»»»»»»»»»»»»»»»

* aspack C:\WINDOWS\EFAXVIEW.EXE
* aspack C:\WINDOWS\RHRAPK.EXE
* aspack C:\WINDOWS\BDBAMCM.EXE


»»»»»»»»»»»»»»»»»»»»»»»»» startup files »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

»»»»»»»»»»»»»»»»»»»»»»»»» Checking Global Startup »»»»»»»»»»»»»»»»»»»»»


Global Startup:
problem locating dir

User Startup:
C:\WINDOWS\Start Menu\Programs\StartUp



HiJacksThis Log:


Logfile of HijackThis v1.99.1
Scan saved at 3:45:10 PM, on 7/7/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCSETMGR.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\QUICKENW\QAGENT.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\LOGITECH\ITOUCH\ITOUCH.EXE
C:\MOUSE\SYSTEM\EM_EXEC.EXE
C:\WINDOWS\SYSTEM\LEXBCES.EXE
C:\PROGRAM FILES\HP\HP SOFTWARE UPDATE\HPWUSCHD.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\PROGRAM FILES\HP\HPCORETECH\HPCMPMGR.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCPD-LC\SYMLCSVC.EXE
C:\WINDOWS\SYSTEM\MRTMNGR.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
C:\WINDOWS\SYSTEM\LVCOMS.EXE
C:\PROGRAM FILES\MSN APPS\UPDATER\01.03.0000.1005\EN-US\MSNAPPAU.EXE
C:\PROGRAM FILES\VIEWPOINT\VIEWPOINT MANAGER\VIEWMGR.EXE
C:\PROGRAM FILES\HP DESKJET 610C SERIES\EREG\REMIND32.EXE
C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
C:\PROGRAM FILES\HP\HPCORETECH\COMP\HPTSKMGR.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\SYSTEM\VFMLOQ.EXE
C:\WINDOWS\SYSTEM\CFGWIZ32.EXE
C:\WINDOWS\DESKTOP\HIJACKS THIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.myexcel.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ironmountaindailynews.com/loclnews.html
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
F1 - win.ini: run=hpfsched
O2 - BHO: CeresObj Class - {00000049-8F91-4D9C-9573-F016E7626484} - C:\WINDOWS\CERES.DLL
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [LexStart] LexStart.EXE
O4 - HKLM\..\Run: [QAGENT] C:\QUICKENW\QAGENT.EXE
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [zBrowser Launcher] C:\PROGRA~1\LOGITECH\ITOUCH\iTouch.exe
O4 - HKLM\..\Run: [EM_EXEC] c:\MOUSE\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [HP Software Update] "c:\Program Files\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\PROGRAM FILES\HP\HPCORETECH\HPCMPMGR.EXE"
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [Symantec Core LC] C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe start
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [DXM6Patch_981116] C:\WINDOWS\p_981116.exe /Q:A
O4 - HKLM\..\Run: [LVComs] c:\windows\SYSTEM\LVComS.exe
O4 - HKLM\..\Run: [msnappau] "c:\program files\MSN Apps\Updater\01.03.0000.1005\en-us\msnappau.exe"
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [vfmloq] c:\windows\system\vfmloq.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [ccEvtMgr] "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
O4 - HKLM\..\RunServices: [ccSetMgr] "C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe"
O4 - Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: Reminder-hpc41003.lnk = C:\Program Files\HP DeskJet 610C Series\ereg\Remind32.exe
O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM\AIM.EXE
O9 - Extra button: Dell Home - {770BAA40-0094-11D4-AB37-40C34FC1EA00} - http://business.dellnet.com/ (file missing) (HKCU)
O12 - Plugin for .aspx: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {9FC5238F-12C4-454F-B1B5-74599A21DE47} (Webshots Photo Uploader) - http://community.webshots.com/html/WSPhotoUploader.CAB
O16 - DPF: {11111111-1111-1111-1111-111111111123} - file://C:\Program Files\Windows Media Player\mp3codec543.exe
O16 - DPF: {05D96F71-87C6-11D3-9BE4-00902742D6E0} (QuickPlace Class) - http://qp.dasd.org/qp2.cab
O16 - DPF: {C606BA60-AB76-48B6-96A7-2C4D5C386F70} (PreQualifier Class) - http://www.verizon.net/checkmypc/includes/MotivePreQual.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
 
Hi mmuzzy.
In one Qoologic log you posted, there were a lot more entries than in all the others (where it says "User Startup"). I think it was on page 2 of this thread. Can you try and find the latest one like that? Apart from that, it's looking pretty good. Did you ask your son about Prince of Persia?
Run the Killbox again, this time in safemode, with the "Delete on Reboot" option checked. Copy and paste these.
C:\WINDOWS\CERES.DLL
C:\WINDOWS\BUDDY.EXE
C:\WINDOWS\RHRAPK.EXE
C:\WINDOWS\BDBAMCM.EXE
c:\windows\system\vfmloq.exe
Run Hijackthis and check these.
O2 - BHO: CeresObj Class - {00000049-8F91-4D9C-9573-F016E7626484} - C:\WINDOWS\CERES.DLL
O4 - HKLM\..\Run: [vfmloq] c:\windows\system\vfmloq.exe
Reboot and post the logs. We're not far away now. How are the popups?
And can you try to download the latest versions of Adaware and Spybot?
Buzz.
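A small triage script, added here as an illustration (it is not part of HijackThis, Killbox or Qoologic, and the sample lines are constructed from the kinds of entries seen in this thread): it does mechanically what is being done by hand across these posts, comparing the O4 autostart entries of successive logs against the ones that were checked for removal and cross-referencing each image with the files Qoologic flagged.

```python
"""Triage HijackThis O4 (autostart) entries across one cleanup round.

Added illustration for this thread; not part of HijackThis, Killbox or Qoologic.
Reports which "Fix Checked" entries came back after reboot, which entries are new,
and which autostart images Qoologic flagged (UPX!/aspack packed or tagged KavSvc).
"""
import ntpath
import re
from typing import Dict, List, Set

O4_RE = re.compile(r"^O4 - (?P<loc>[^:]+): (?:\[(?P<name>[^\]]*)\] )?(?P<cmd>.+)$")
QOOLOGIC_RE = re.compile(r"^\* (?P<tag>\S+) (?P<path>.+)$")

def parse_o4(log: str) -> Dict[str, str]:
    """Map each O4 line to its command, keyed by location and value name."""
    entries: Dict[str, str] = {}
    for line in log.splitlines():
        m = O4_RE.match(line.strip())
        if m:                                   # Startup: lines have no [name]
            entries[f"{m['loc']}|{m['name'] or m['cmd']}"] = m["cmd"]
    return entries

def image_of(cmd: str) -> str:
    """File an O4 command really runs: the DLL for rundll32, else the first token."""
    c = cmd.strip()
    if c.startswith('"'):                       # quoted path that may contain spaces
        end = c.find('"', 1)
        return c[1:end] if end > 0 else c[1:]
    parts = c.split(None, 1)                    # unquoted paths with spaces get cut here
    if parts[0].lower() in ("rundll32", "rundll32.exe") and len(parts) > 1:
        return parts[1].split(",", 1)[0].strip()  # rundll32 <dll>,<entrypoint>
    return parts[0]

def packed_basenames(qoologic_log: str) -> Dict[str, Set[str]]:
    """Collapse the (heavily repeated) Qoologic output into basename -> tags."""
    hits: Dict[str, Set[str]] = {}
    for line in qoologic_log.splitlines():
        m = QOOLOGIC_RE.match(line.strip())
        if m:
            hits.setdefault(ntpath.basename(m["path"]).upper(), set()).add(m["tag"])
    return hits

def triage(before: str, to_fix: str, after: str, qoologic: str) -> Dict[str, List[str]]:
    """Return {O4 key: findings} for entries in the after-log worth a second look."""
    before_keys = set(parse_o4(before))
    fix_keys = set(parse_o4(to_fix))
    packed = packed_basenames(qoologic)
    findings: Dict[str, List[str]] = {}
    for key, cmd in parse_o4(after).items():
        notes: List[str] = []
        if key in fix_keys:
            notes.append("checked for removal but present again after reboot")
        if key not in before_keys:
            notes.append("new since previous log")
        image = image_of(cmd)
        tags = packed.get(ntpath.basename(image).upper())
        if tags:
            notes.append("image flagged by Qoologic: " + ", ".join(sorted(tags)))
        if not ntpath.dirname(image) and image.lower().endswith(".dll"):
            # DLL found via the search path; legitimate for powrprof.dll, so a hint only
            notes.append("rundll32 loads DLL without a directory")
        if notes:
            findings[key] = notes
    return findings

# Constructed sample data (shapes taken from this thread's logs).
BEFORE = r"""
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [autoupdate] rundll32 C:\WINDOWS\SYSTEM\SUPDATE.DLL,SHStart
O4 - HKLM\..\Run: [vfmloq] c:\windows\system\vfmloq.exe
O4 - Startup: NRNA.EXE.tcf
"""
TO_FIX = r"""
O4 - HKLM\..\Run: [autoupdate] rundll32 C:\WINDOWS\SYSTEM\SUPDATE.DLL,SHStart
O4 - HKLM\..\Run: [vfmloq] c:\windows\system\vfmloq.exe
O4 - Startup: NRNA.EXE.tcf
"""
AFTER = r"""
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [autoupdate] rundll32 C:\WINDOWS\SYSTEM\SUPDATE.DLL,SHStart
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\vuvzpr.exe reg_run
O4 - HKLM\..\Run: [vfmloq] c:\windows\system\vfmloq.exe
O4 - Startup: nrna.exe
"""
QOOLOGIC = r"""
* exe C:\WINDOWS\startm~1\programs\startup\NRNA.EXE
* UPX! C:\WINDOWS\System\VFMLOQ.EXE
* UPX! C:\WINDOWS\System\SUPDATE.DLL
* KavSvc C:\WINDOWS\System\SUPDATE.DLL
* KavSvc C:\WINDOWS\VUVZPR.EXE
* UPX! C:\WINDOWS\VUVZPR.EXE
"""
```

Calling `triage(BEFORE, TO_FIX, AFTER, QOOLOGIC)` reports the entries that came back or are new and packed, while the clean ccApp entry is not listed; the bare-DLL hint on LoadPowerProfile shows why a single heuristic is not a verdict.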
 
Dear Buzz,
My son said he has not heard of the Prince of Persia game, and we have no software for it. I looked at the Qoologic log and this is what was saved in the file as of this afternoon.

PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, There WILL be LEGIT FILES LISTED PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
»»»»»»»»»»»»»»»»»»»»»»»»» Files found in System »»»»»»»»»»»»»»»»»»»»»»»

* qoologic C:\WINDOWS\SEEDCO~1.EXE
* aspack C:\WINDOWS\EFAXVIEW.EXE
* aspack C:\WINDOWS\RHRAPK.EXE
* aspack C:\WINDOWS\BDBAMCM.EXE
* aspack C:\WINDOWS\SEEDCO~1.EXE


»»»»»»»»»»»»»»»»»»»»»»»»» startup files »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
* exe C:\WINDOWS\startm~1\programs\startup\NRNA.EXE

»»»»»»»»»»»»»»»»»»»»»»»»» Checking Global Startup »»»»»»»»»»»»»»»»»»»»»


Global Startup:
problem locating dir

User Startup:
C:\WINDOWS\Start Menu\Programs\StartUp

* KavSvc C:\WINDOWS\System\SUPDATE.DLL
* KavSvc C:\WINDOWS\SEEDCO~1.EXE
* KavSvc C:\WINDOWS\RNRKIEI.DLL
* KavSvc C:\WINDOWS\UIUKS.DLL
* aspack C:\WINDOWS\System\REDIT.CPL
* UPX! C:\WINDOWS\System\SKYTOWN.EXE
* UPX! C:\WINDOWS\System\VFMLOQ.EXE
* UPX! C:\WINDOWS\System\HPZCFG.EXE
* UPX! C:\WINDOWS\System\AUNPS2.DLL
* UPX! C:\WINDOWS\System\SUPDATE.DLL
* aspack C:\WINDOWS\EFAXVIEW.EXE
* aspack C:\WINDOWS\RHRAPK.EXE
* aspack C:\WINDOWS\BDBAMCM.EXE
* aspack C:\WINDOWS\SEEDCO~1.EXE
* aspack C:\WINDOWS\RNRKIEI.DLL
* aspack C:\WINDOWS\UIUKS.DLL
* aspack C:\WINDOWS\VSAPI32.DLL
* UPX! C:\WINDOWS\IUP1LD~5.EXE
* UPX! C:\WINDOWS\IUP1LD~6.EXE
* UPX! C:\WINDOWS\WUPDT.EXE
* UPX! C:\WINDOWS\IUP1LD~4.EXE
* UPX! C:\WINDOWS\IUP1LD~7.EXE
* UPX! C:\WINDOWS\POP2.EXE
* UPX! C:\WINDOWS\IUP1LD~8.EXE
* UPX! C:\WINDOWS\IUP1LD~9.EXE
* UPX! C:\WINDOWS\BUDDY.EXE
* UPX! C:\WINDOWS\TDTB.EXE
* UPX! C:\WINDOWS\TSC.EXE
* UPX! C:\WINDOWS\CERES.DLL
* UPX! C:\WINDOWS\VSAPI32.DLL
* KavSvc C:\WINDOWS\System\SUPDATE.DLL
* KavSvc C:\WINDOWS\ZOZXRPR.DLL
* KavSvc C:\WINDOWS\POPMU.DLL
* KavSvc C:\WINDOWS\RNRKIEI.DLL
* KavSvc C:\WINDOWS\UIUKS.DLL
* aspack C:\WINDOWS\System\REDIT.CPL
* UPX! C:\WINDOWS\System\SUPDATE.DLL
* aspack C:\WINDOWS\EFAXVIEW.EXE
* aspack C:\WINDOWS\RHRAPK.EXE
* aspack C:\WINDOWS\BDBAMCM.EXE
* aspack C:\WINDOWS\RNRKIEI.DLL
* aspack C:\WINDOWS\UIUKS.DLL
* aspack C:\WINDOWS\VSAPI32.DLL
* UPX! C:\WINDOWS\IUP1LD~5.EXE
* UPX! C:\WINDOWS\IUP1LD~6.EXE
* UPX! C:\WINDOWS\WUPDT.EXE
* UPX! C:\WINDOWS\IUP1LD~4.EXE
* UPX! C:\WINDOWS\IUP1LD~7.EXE
* UPX! C:\WINDOWS\POP2.EXE
* UPX! C:\WINDOWS\IUP1LD~8.EXE
* UPX! C:\WINDOWS\IUP1LD~9.EXE
* UPX! C:\WINDOWS\BUDDY.EXE
* UPX! C:\WINDOWS\TSC.EXE
* UPX! C:\WINDOWS\ZOZXRPR.DLL
* UPX! C:\WINDOWS\VSAPI32.DLL
* KavSvc C:\WINDOWS\System\SUPDATE.DLL
* KavSvc C:\WINDOWS\ZOZXRPR.DLL
* KavSvc C:\WINDOWS\POPMU.DLL
* KavSvc C:\WINDOWS\RNRKIEI.DLL
* KavSvc C:\WINDOWS\UIUKS.DLL
* aspack C:\WINDOWS\System\REDIT.CPL
* UPX! C:\WINDOWS\System\SUPDATE.DLL
* aspack C:\WINDOWS\EFAXVIEW.EXE
* aspack C:\WINDOWS\RHRAPK.EXE
* aspack C:\WINDOWS\BDBAMCM.EXE
* aspack C:\WINDOWS\RNRKIEI.DLL
* aspack C:\WINDOWS\UIUKS.DLL
* aspack C:\WINDOWS\VSAPI32.DLL
* UPX! C:\WINDOWS\IUP1LD~5.EXE
* UPX! C:\WINDOWS\IUP1LD~6.EXE
* UPX! C:\WINDOWS\WUPDT.EXE
* UPX! C:\WINDOWS\IUP1LD~4.EXE
* UPX! C:\WINDOWS\IUP1LD~7.EXE
* UPX! C:\WINDOWS\POP2.EXE
* UPX! C:\WINDOWS\IUP1LD~8.EXE
* UPX! C:\WINDOWS\IUP1LD~9.EXE
* UPX! C:\WINDOWS\BUDDY.EXE
* UPX! C:\WINDOWS\TSC.EXE
* UPX! C:\WINDOWS\ZOZXRPR.DLL
* UPX! C:\WINDOWS\VSAPI32.DLL
* KavSvc C:\WINDOWS\System\SUPDATE.DLL
* KavSvc C:\WINDOWS\VUVZPR.EXE
* KavSvc C:\WINDOWS\POPMU.DLL
* KavSvc C:\WINDOWS\RNRKIEI.DLL
* KavSvc C:\WINDOWS\UIUKS.DLL
* KavSvc C:\WINDOWS\ZOZXRPR.DLL
* aspack C:\WINDOWS\System\REDIT.CPL
* UPX! C:\WINDOWS\System\VFMLOQ.EXE
* UPX! C:\WINDOWS\System\SUPDATE.DLL
* UPX! C:\WINDOWS\System\AUNPS2.DLL
* aspack C:\WINDOWS\EFAXVIEW.EXE
* aspack C:\WINDOWS\RHRAPK.EXE
* aspack C:\WINDOWS\BDBAMCM.EXE
* aspack C:\WINDOWS\RNRKIEI.DLL
* aspack C:\WINDOWS\UIUKS.DLL
* aspack C:\WINDOWS\VSAPI32.DLL
* UPX! C:\WINDOWS\TDTB.EXE
* UPX! C:\WINDOWS\IUP1LD~5.EXE
* UPX! C:\WINDOWS\IUP1LD~6.EXE
* UPX! C:\WINDOWS\VUVZPR.EXE
* UPX! C:\WINDOWS\INSTAL~1.EXE
* UPX! C:\WINDOWS\WUPDT.EXE
* UPX! C:\WINDOWS\IUP1LD~4.EXE
* UPX! C:\WINDOWS\IUP1LD~7.EXE
* UPX! C:\WINDOWS\POP2.EXE
* UPX! C:\WINDOWS\IUP1LD~8.EXE
* UPX! C:\WINDOWS\IUP1LD~9.EXE
* UPX! C:\WINDOWS\BUDDY.EXE
* UPX! C:\WINDOWS\TSC.EXE
* UPX! C:\WINDOWS\CERES.DLL
* UPX! C:\WINDOWS\VSAPI32.DLL
* UPX! C:\WINDOWS\ZOZXRPR.DLL
* KavSvc C:\WINDOWS\VUVZPR.EXE
* KavSvc C:\WINDOWS\POPMU.DLL
* KavSvc C:\WINDOWS\RNRKIEI.DLL
* KavSvc C:\WINDOWS\UIUKS.DLL
* KavSvc C:\WINDOWS\ZOZXRPR.DLL
* aspack C:\WINDOWS\System\REDIT.CPL
* UPX! C:\WINDOWS\System\VFMLOQ.EXE
* aspack C:\WINDOWS\EFAXVIEW.EXE
* aspack C:\WINDOWS\RHRAPK.EXE
* aspack C:\WINDOWS\BDBAMCM.EXE
* aspack C:\WINDOWS\RNRKIEI.DLL
* aspack C:\WINDOWS\UIUKS.DLL
* aspack C:\WINDOWS\VSAPI32.DLL
* UPX! C:\WINDOWS\TDTB.EXE
* UPX! C:\WINDOWS\IUP1LD~5.EXE
* UPX! C:\WINDOWS\IUP1LD~6.EXE
* UPX! C:\WINDOWS\VUVZPR.EXE
* UPX! C:\WINDOWS\INSTAL~1.EXE
* UPX! C:\WINDOWS\IUP1LD~4.EXE
* UPX! C:\WINDOWS\IUP1LD~7.EXE
* UPX! C:\WINDOWS\POP2.EXE
* UPX! C:\WINDOWS\IUP1LD~8.EXE
* UPX! C:\WINDOWS\IUP1LD~9.EXE
* UPX! C:\WINDOWS\BUDDY.EXE
* UPX! C:\WINDOWS\TSC.EXE
* UPX! C:\WINDOWS\VSAPI32.DLL
* UPX! C:\WINDOWS\ZOZXRPR.DLL
* KavSvc C:\WINDOWS\VUVZPR.EXE
* KavSvc C:\WINDOWS\POPMU.DLL
* KavSvc C:\WINDOWS\RNRKIEI.DLL
* KavSvc C:\WINDOWS\UIUKS.DLL
* KavSvc C:\WINDOWS\ZOZXRPR.DLL
* aspack C:\WINDOWS\System\REDIT.CPL
* UPX! C:\WINDOWS\System\VFMLOQ.EXE
* aspack C:\WINDOWS\EFAXVIEW.EXE
* aspack C:\WINDOWS\RHRAPK.EXE
* aspack C:\WINDOWS\BDBAMCM.EXE
* aspack C:\WINDOWS\RNRKIEI.DLL
* aspack C:\WINDOWS\UIUKS.DLL
* aspack C:\WINDOWS\VSAPI32.DLL
* UPX! C:\WINDOWS\TDTB.EXE
* UPX! C:\WINDOWS\IUP1LD~5.EXE
* UPX! C:\WINDOWS\IUP1LD~6.EXE
* UPX! C:\WINDOWS\VUVZPR.EXE
* UPX! C:\WINDOWS\INSTAL~1.EXE
* UPX! C:\WINDOWS\IUP1LD~4.EXE
* UPX! C:\WINDOWS\IUP1LD~7.EXE
* UPX! C:\WINDOWS\POP2.EXE
* UPX! C:\WINDOWS\IUP1LD~8.EXE
* UPX! C:\WINDOWS\IUP1LD~9.EXE
* UPX! C:\WINDOWS\BUDDY.EXE
* UPX! C:\WINDOWS\TSC.EXE
* UPX! C:\WINDOWS\VSAPI32.DLL
* UPX! C:\WINDOWS\ZOZXRPR.DLL


I will run the killbox again and then follow your directions and repost logs for you.
Thanks,
mmuzzy
 
Dear Buzz,
I downloaded the latest versions of Adaware and Spybot and ran them both after I had followed your directions with killbox and hijacks. I just ran the Qoologic and Hijacks logs again. Here is the first log. I'll post the hijacks log in another post.

Qoologic Log:

PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, There WILL be LEGIT FILES LISTED PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
»»»»»»»»»»»»»»»»»»»»»»»»» Files found in System »»»»»»»»»»»»»»»»»»»»»»»

* qoologic C:\WINDOWS\SEEDCO~1.EXE
* aspack C:\WINDOWS\EFAXVIEW.EXE
* aspack C:\WINDOWS\RHRAPK.EXE
* aspack C:\WINDOWS\BDBAMCM.EXE
* aspack C:\WINDOWS\SEEDCO~1.EXE


»»»»»»»»»»»»»»»»»»»»»»»»» startup files »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
* exe C:\WINDOWS\startm~1\programs\startup\NRNA.EXE

»»»»»»»»»»»»»»»»»»»»»»»»» Checking Global Startup »»»»»»»»»»»»»»»»»»»»»


Global Startup:
problem locating dir

User Startup:
C:\WINDOWS\Start Menu\Programs\StartUp

* KavSvc C:\WINDOWS\System\SUPDATE.DLL
* KavSvc C:\WINDOWS\SEEDCO~1.EXE
* KavSvc C:\WINDOWS\RNRKIEI.DLL
* KavSvc C:\WINDOWS\UIUKS.DLL
* aspack C:\WINDOWS\System\REDIT.CPL
* UPX! C:\WINDOWS\System\SKYTOWN.EXE
* UPX! C:\WINDOWS\System\VFMLOQ.EXE
* UPX! C:\WINDOWS\System\HPZCFG.EXE
* UPX! C:\WINDOWS\System\AUNPS2.DLL
* UPX! C:\WINDOWS\System\SUPDATE.DLL
* aspack C:\WINDOWS\EFAXVIEW.EXE
* aspack C:\WINDOWS\RHRAPK.EXE
* aspack C:\WINDOWS\BDBAMCM.EXE
* aspack C:\WINDOWS\SEEDCO~1.EXE
* aspack C:\WINDOWS\RNRKIEI.DLL
* aspack C:\WINDOWS\UIUKS.DLL
* aspack C:\WINDOWS\VSAPI32.DLL
* UPX! C:\WINDOWS\IUP1LD~5.EXE
* UPX! C:\WINDOWS\IUP1LD~6.EXE
* UPX! C:\WINDOWS\WUPDT.EXE
* UPX! C:\WINDOWS\IUP1LD~4.EXE
* UPX! C:\WINDOWS\IUP1LD~7.EXE
* UPX! C:\WINDOWS\POP2.EXE
* UPX! C:\WINDOWS\IUP1LD~8.EXE
* UPX! C:\WINDOWS\IUP1LD~9.EXE
* UPX! C:\WINDOWS\BUDDY.EXE
* UPX! C:\WINDOWS\TDTB.EXE
* UPX! C:\WINDOWS\TSC.EXE
* UPX! C:\WINDOWS\CERES.DLL
* UPX! C:\WINDOWS\VSAPI32.DLL
* KavSvc C:\WINDOWS\System\SUPDATE.DLL
* KavSvc C:\WINDOWS\ZOZXRPR.DLL
* KavSvc C:\WINDOWS\POPMU.DLL
* KavSvc C:\WINDOWS\RNRKIEI.DLL
* KavSvc C:\WINDOWS\UIUKS.DLL
* aspack C:\WINDOWS\System\REDIT.CPL
* UPX! C:\WINDOWS\System\SUPDATE.DLL
* aspack C:\WINDOWS\EFAXVIEW.EXE
* aspack C:\WINDOWS\RHRAPK.EXE
* aspack C:\WINDOWS\BDBAMCM.EXE
* aspack C:\WINDOWS\RNRKIEI.DLL
* aspack C:\WINDOWS\UIUKS.DLL
* aspack C:\WINDOWS\VSAPI32.DLL
* UPX! C:\WINDOWS\IUP1LD~5.EXE
* UPX! C:\WINDOWS\IUP1LD~6.EXE
* UPX! C:\WINDOWS\WUPDT.EXE
* UPX! C:\WINDOWS\IUP1LD~4.EXE
* UPX! C:\WINDOWS\IUP1LD~7.EXE
* UPX! C:\WINDOWS\POP2.EXE
* UPX! C:\WINDOWS\IUP1LD~8.EXE
* UPX! C:\WINDOWS\IUP1LD~9.EXE
* UPX! C:\WINDOWS\BUDDY.EXE
* UPX! C:\WINDOWS\TSC.EXE
* UPX! C:\WINDOWS\ZOZXRPR.DLL
* UPX! C:\WINDOWS\VSAPI32.DLL
* KavSvc C:\WINDOWS\System\SUPDATE.DLL
* KavSvc C:\WINDOWS\ZOZXRPR.DLL
* KavSvc C:\WINDOWS\POPMU.DLL
* KavSvc C:\WINDOWS\RNRKIEI.DLL
* KavSvc C:\WINDOWS\UIUKS.DLL
* aspack C:\WINDOWS\System\REDIT.CPL
* UPX! C:\WINDOWS\System\SUPDATE.DLL
* aspack C:\WINDOWS\EFAXVIEW.EXE
* aspack C:\WINDOWS\RHRAPK.EXE
* aspack C:\WINDOWS\BDBAMCM.EXE
* aspack C:\WINDOWS\RNRKIEI.DLL
* aspack C:\WINDOWS\UIUKS.DLL
* aspack C:\WINDOWS\VSAPI32.DLL
* UPX! C:\WINDOWS\IUP1LD~5.EXE
* UPX! C:\WINDOWS\IUP1LD~6.EXE
* UPX! C:\WINDOWS\WUPDT.EXE
* UPX! C:\WINDOWS\IUP1LD~4.EXE
* UPX! C:\WINDOWS\IUP1LD~7.EXE
* UPX! C:\WINDOWS\POP2.EXE
* UPX! C:\WINDOWS\IUP1LD~8.EXE
* UPX! C:\WINDOWS\IUP1LD~9.EXE
* UPX! C:\WINDOWS\BUDDY.EXE
* UPX! C:\WINDOWS\TSC.EXE
* UPX! C:\WINDOWS\ZOZXRPR.DLL
* UPX! C:\WINDOWS\VSAPI32.DLL
* KavSvc C:\WINDOWS\System\SUPDATE.DLL
* KavSvc C:\WINDOWS\VUVZPR.EXE
* KavSvc C:\WINDOWS\POPMU.DLL
* KavSvc C:\WINDOWS\RNRKIEI.DLL
* KavSvc C:\WINDOWS\UIUKS.DLL
* KavSvc C:\WINDOWS\ZOZXRPR.DLL
* aspack C:\WINDOWS\System\REDIT.CPL
* UPX! C:\WINDOWS\System\VFMLOQ.EXE
* UPX! C:\WINDOWS\System\SUPDATE.DLL
* UPX! C:\WINDOWS\System\AUNPS2.DLL
* aspack C:\WINDOWS\EFAXVIEW.EXE
* aspack C:\WINDOWS\RHRAPK.EXE
* aspack C:\WINDOWS\BDBAMCM.EXE
* aspack C:\WINDOWS\RNRKIEI.DLL
* aspack C:\WINDOWS\UIUKS.DLL
* aspack C:\WINDOWS\VSAPI32.DLL
* UPX! C:\WINDOWS\TDTB.EXE
* UPX! C:\WINDOWS\IUP1LD~5.EXE
* UPX! C:\WINDOWS\IUP1LD~6.EXE
* UPX! C:\WINDOWS\VUVZPR.EXE
* UPX! C:\WINDOWS\INSTAL~1.EXE
* UPX! C:\WINDOWS\WUPDT.EXE
* UPX! C:\WINDOWS\IUP1LD~4.EXE
* UPX! C:\WINDOWS\IUP1LD~7.EXE
* UPX! C:\WINDOWS\POP2.EXE
* UPX! C:\WINDOWS\IUP1LD~8.EXE
* UPX! C:\WINDOWS\IUP1LD~9.EXE
* UPX! C:\WINDOWS\BUDDY.EXE
* UPX! C:\WINDOWS\TSC.EXE
* UPX! C:\WINDOWS\CERES.DLL
* UPX! C:\WINDOWS\VSAPI32.DLL
* UPX! C:\WINDOWS\ZOZXRPR.DLL
* KavSvc C:\WINDOWS\VUVZPR.EXE
* KavSvc C:\WINDOWS\POPMU.DLL
* KavSvc C:\WINDOWS\RNRKIEI.DLL
* KavSvc C:\WINDOWS\UIUKS.DLL
* KavSvc C:\WINDOWS\ZOZXRPR.DLL
* aspack C:\WINDOWS\System\REDIT.CPL
* UPX! C:\WINDOWS\System\VFMLOQ.EXE
* aspack C:\WINDOWS\EFAXVIEW.EXE
* aspack C:\WINDOWS\RHRAPK.EXE
* aspack C:\WINDOWS\BDBAMCM.EXE
* aspack C:\WINDOWS\RNRKIEI.DLL
* aspack C:\WINDOWS\UIUKS.DLL
* aspack C:\WINDOWS\VSAPI32.DLL
* UPX! C:\WINDOWS\TDTB.EXE
* UPX! C:\WINDOWS\IUP1LD~5.EXE
* UPX! C:\WINDOWS\IUP1LD~6.EXE
* UPX! C:\WINDOWS\VUVZPR.EXE
* UPX! C:\WINDOWS\INSTAL~1.EXE
* UPX! C:\WINDOWS\IUP1LD~4.EXE
* UPX! C:\WINDOWS\IUP1LD~7.EXE
* UPX! C:\WINDOWS\POP2.EXE
* UPX! C:\WINDOWS\IUP1LD~8.EXE
* UPX! C:\WINDOWS\IUP1LD~9.EXE
* UPX! C:\WINDOWS\BUDDY.EXE
* UPX! C:\WINDOWS\TSC.EXE
* UPX! C:\WINDOWS\VSAPI32.DLL
* UPX! C:\WINDOWS\ZOZXRPR.DLL
* KavSvc C:\WINDOWS\VUVZPR.EXE
* KavSvc C:\WINDOWS\POPMU.DLL
* KavSvc C:\WINDOWS\RNRKIEI.DLL
* KavSvc C:\WINDOWS\UIUKS.DLL
* KavSvc C:\WINDOWS\ZOZXRPR.DLL
* aspack C:\WINDOWS\System\REDIT.CPL
* UPX! C:\WINDOWS\System\VFMLOQ.EXE
* aspack C:\WINDOWS\EFAXVIEW.EXE
* aspack C:\WINDOWS\RHRAPK.EXE
* aspack C:\WINDOWS\BDBAMCM.EXE
* aspack C:\WINDOWS\RNRKIEI.DLL
* aspack C:\WINDOWS\UIUKS.DLL
* aspack C:\WINDOWS\VSAPI32.DLL
* UPX! C:\WINDOWS\TDTB.EXE
* UPX! C:\WINDOWS\IUP1LD~5.EXE
* UPX! C:\WINDOWS\IUP1LD~6.EXE
* UPX! C:\WINDOWS\VUVZPR.EXE
* UPX! C:\WINDOWS\INSTAL~1.EXE
* UPX! C:\WINDOWS\IUP1LD~4.EXE
* UPX! C:\WINDOWS\IUP1LD~7.EXE
* UPX! C:\WINDOWS\POP2.EXE
* UPX! C:\WINDOWS\IUP1LD~8.EXE
* UPX! C:\WINDOWS\IUP1LD~9.EXE
* UPX! C:\WINDOWS\BUDDY.EXE
* UPX! C:\WINDOWS\TSC.EXE
* UPX! C:\WINDOWS\VSAPI32.DLL
* UPX! C:\WINDOWS\ZOZXRPR.DLL
* KavSvc C:\WINDOWS\System\SUPDATE.DLL
* KavSvc C:\WINDOWS\VUVZPR.EXE
* KavSvc C:\WINDOWS\POPMU.DLL
* KavSvc C:\WINDOWS\RNRKIEI.DLL
* KavSvc C:\WINDOWS\UIUKS.DLL
* KavSvc C:\WINDOWS\ZOZXRPR.DLL
* aspack C:\WINDOWS\System\REDIT.CPL
* UPX! C:\WINDOWS\System\VFMLOQ.EXE
* UPX! C:\WINDOWS\System\SUPDATE.DLL
* aspack C:\WINDOWS\EFAXVIEW.EXE
* aspack C:\WINDOWS\RHRAPK.EXE
* aspack C:\WINDOWS\BDBAMCM.EXE
* aspack C:\WINDOWS\RNRKIEI.DLL
* aspack C:\WINDOWS\UIUKS.DLL
* aspack C:\WINDOWS\VSAPI32.DLL
* UPX! C:\WINDOWS\VUVZPR.EXE
* UPX! C:\WINDOWS\IUP1LD~5.EXE
* UPX! C:\WINDOWS\IUP1LD~6.EXE
* UPX! C:\WINDOWS\INSTAL~1.EXE
* UPX! C:\WINDOWS\IUP1LD~4.EXE
* UPX! C:\WINDOWS\IUP1LD~7.EXE
* UPX! C:\WINDOWS\POP2.EXE
* UPX! C:\WINDOWS\IUP1LD~8.EXE
* UPX! C:\WINDOWS\IUP1LD~9.EXE
* UPX! C:\WINDOWS\BUDDY.EXE
* UPX! C:\WINDOWS\TSC.EXE
* UPX! C:\WINDOWS\VSAPI32.DLL
* UPX! C:\WINDOWS\ZOZXRPR.DLL
 
Here is the HijackThis log

Logfile of HijackThis v1.99.1
Scan saved at 9:54:44 PM, on 7/7/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCSETMGR.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\QUICKENW\QAGENT.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\LOGITECH\ITOUCH\ITOUCH.EXE
C:\WINDOWS\SYSTEM\LEXBCES.EXE
C:\MOUSE\SYSTEM\EM_EXEC.EXE
C:\PROGRAM FILES\HP\HP SOFTWARE UPDATE\HPWUSCHD.EXE
C:\PROGRAM FILES\HP\HPCORETECH\HPCMPMGR.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCPD-LC\SYMLCSVC.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
C:\WINDOWS\SYSTEM\LVCOMS.EXE
C:\PROGRAM FILES\MSN APPS\UPDATER\01.03.0000.1005\EN-US\MSNAPPAU.EXE
C:\WINDOWS\SYSTEM\MRTMNGR.EXE
C:\PROGRAM FILES\VIEWPOINT\VIEWPOINT MANAGER\VIEWMGR.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\PROGRAM FILES\HP DESKJET 610C SERIES\EREG\REMIND32.EXE
C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
C:\PROGRAM FILES\HP\HPCORETECH\COMP\HPTSKMGR.EXE
C:\WINDOWS\VUVZPR.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\DESKTOP\HIJACKS THIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.myexcel.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ironmountaindailynews.com/loclnews.html
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
F1 - win.ini: run=hpfsched
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [LexStart] LexStart.EXE
O4 - HKLM\..\Run: [QAGENT] C:\QUICKENW\QAGENT.EXE
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [zBrowser Launcher] C:\PROGRA~1\LOGITECH\ITOUCH\iTouch.exe
O4 - HKLM\..\Run: [EM_EXEC] c:\MOUSE\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [HP Software Update] "c:\Program Files\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\PROGRAM FILES\HP\HPCORETECH\HPCMPMGR.EXE"
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [Symantec Core LC] C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe start
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [DXM6Patch_981116] C:\WINDOWS\p_981116.exe /Q:A
O4 - HKLM\..\Run: [LVComs] c:\windows\SYSTEM\LVComS.exe
O4 - HKLM\..\Run: [msnappau] "c:\program files\MSN Apps\Updater\01.03.0000.1005\en-us\msnappau.exe"
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [autoupdate] rundll32 C:\WINDOWS\SYSTEM\SUPDATE.DLL,SHStart
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\vuvzpr.exe reg_run
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [ccEvtMgr] "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
O4 - HKLM\..\RunServices: [ccSetMgr] "C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe"
O4 - Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: Reminder-hpc41003.lnk = C:\Program Files\HP DeskJet 610C Series\ereg\Remind32.exe
O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O4 - Startup: nrna.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM\AIM.EXE
O9 - Extra button: Dell Home - {770BAA40-0094-11D4-AB37-40C34FC1EA00} - http://business.dellnet.com/ (file missing) (HKCU)
O12 - Plugin for .aspx: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {9FC5238F-12C4-454F-B1B5-74599A21DE47} (Webshots Photo Uploader) - http://community.webshots.com/html/WSPhotoUploader.CAB
O16 - DPF: {05D96F71-87C6-11D3-9BE4-00902742D6E0} (QuickPlace Class) - http://qp.dasd.org/qp2.cab
O16 - DPF: {C606BA60-AB76-48B6-96A7-2C4D5C386F70} (PreQualifier Class) - http://www.verizon.net/checkmypc/includes/MotivePreQual.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab

Hope things are getting better.
mmuzzy

Popups are not appearing... :)
 
Hi mmuzzy.
Can you try downloading Kaspersky again? Update it, then under "Settings" hit the riskware detection button and check the 2 boxes, then run it in Safe Mode. Post a HijackThis log afterwards. Also download Registrar Lite; we'll use it later. And in the Qoologic log, do you get any registry entries at the bottom? If so, can you post them (just those entries, not the whole log)?
 
Hi Buzz,
Still cannot download the Kaspersky software. Left it on for an hour and it said that the server had to be reset. I downloaded the Registrar Lite. I didn't post a log as I couldn't download the Kaspersky.
mmuzzy

Are you in the United Kingdom?
 
Hi mmuzzy.
Yes, I'm in the UK. Let's try this. Open CCleaner. Under "Options" check "Run CCleaner when computer starts", then under "Advanced", uncheck "Only delete files in temp folders older than 48 hours." Then do the Killbox steps in post #31. Then run HijackThis and fix these lines.
O4 - HKLM\..\Run: [autoupdate] rundll32 C:\WINDOWS\SYSTEM\SUPDATE.DLL,SHStart
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\vuvzpr.exe reg_run
O4 - Startup: nrna.exe
Then reboot.
Every time you reboot, run FindQoologic and check what's under "Files found in System" and "startup files". Keep doing it until the only file left is EFAXVIEW.EXE. If it's still not working after doing it 5 times, try it with "Replace on reboot" and "Use dummy". Let me know how it goes and post a new HijackThis log.

Edit: And things are looking much better, just this last problem to kill.
 
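The check the helper is asking for above (find which startup entries still launch one of the packed files that FindQoologic keeps reporting) can be done mechanically by cross-referencing the two logs. The script below is an added example for this thread, not part of HijackThis, FindQoologic or any tool the helper names; the sample lines are copied from the logs quoted earlier in this thread, and the parsing rules (how a `rundll32 <dll>,<entry>` command or a quoted path is reduced to the launched file) are my own assumptions about HijackThis's O4 line format.

```python
"""Cross-reference HijackThis O4 startup entries against FindQoologic
"Files found in System" hits. Added example, not a tool from the thread."""
import re
from collections import defaultdict

# Sample input taken from the HijackThis and FindQoologic logs quoted in this
# thread (the data is from the page; the parsing rules below are assumptions).
HIJACKTHIS_O4 = r"""
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Symantec Core LC] C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe start
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [autoupdate] rundll32 C:\WINDOWS\SYSTEM\SUPDATE.DLL,SHStart
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\vuvzpr.exe reg_run
O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O4 - Startup: nrna.exe
"""

QOOLOGIC_HITS = r"""
* aspack C:\WINDOWS\EFAXVIEW.EXE
* UPX! C:\WINDOWS\VUVZPR.EXE
* KavSvc C:\WINDOWS\VUVZPR.EXE
* KavSvc C:\WINDOWS\System\SUPDATE.DLL
* UPX! C:\WINDOWS\System\SUPDATE.DLL
"""

O4_RUN = re.compile(r"^O4 - (?P<hive>.+?): \[(?P<label>[^\]]*)\] (?P<cmd>.+)$")
O4_STARTUP = re.compile(r"^O4 - Startup: (?P<cmd>.+)$")
QOO_HIT = re.compile(r"^\* (?P<packer>\S+) (?P<path>.+)$")
# Shortest prefix that ends in an executable extension and is followed by a
# separator: copes with unquoted paths that contain spaces.
EXE_RE = re.compile(r"^(?P<path>.*?\.(?:exe|dll|com|scr|cpl|bat|pif))(?=[\s,]|$)",
                    re.IGNORECASE)


def basename(path):
    """Lower-cased file name so C:\WINDOWS\VUVZPR.EXE and c:\windows\vuvzpr.exe compare equal."""
    return re.split(r"[\\/]", path.strip())[-1].lower()


def launched_file(cmd):
    """Reduce an O4 command string to the file that actually gets loaded."""
    cmd = cmd.strip()
    if cmd.startswith('"'):                      # quoted path, arguments follow the quote
        end = cmd.find('"', 1)
        return basename(cmd[1:end] if end > 0 else cmd[1:])
    first, _, rest = cmd.partition(" ")
    if first.lower() in ("rundll32", "rundll32.exe"):
        cmd = rest.strip()                       # rundll32 <dll>,<entry>: the DLL is the payload
    m = EXE_RE.match(cmd)
    return basename(m.group("path") if m else cmd.split(" ", 1)[0])


def parse_o4(text):
    """Yield (label, launched file, original line) for every O4 entry."""
    entries = []
    for line in text.splitlines():
        m = O4_RUN.match(line) or O4_STARTUP.match(line)
        if not m:
            continue
        cmd = m.group("cmd")
        if m.re is O4_STARTUP:                   # "name.lnk = target" or a bare file name
            cmd = cmd.split(" = ", 1)[-1]
            label = "Startup folder"
        else:
            label = m.group("label")
        entries.append((label, launched_file(cmd), line))
    return entries


def parse_qoologic(text):
    """Map each reported file name to the set of packer/signature tags FindQoologic gave it."""
    hits = defaultdict(set)
    for line in text.splitlines():
        m = QOO_HIT.match(line)
        if m:
            hits[basename(m.group("path"))].add(m.group("packer"))
    return hits


def cross_reference(hjt_text, qoo_text):
    """Return [(label, file, [tags])] for O4 entries whose launched file FindQoologic flagged."""
    hits = parse_qoologic(qoo_text)
    return [(label, fname, sorted(hits[fname]))
            for label, fname, _ in parse_o4(hjt_text) if fname in hits]


if __name__ == "__main__":
    for label, fname, tags in cross_reference(HIJACKTHIS_O4, QOOLOGIC_HITS):
        print(f"{label:20s} launches {fname:14s} flagged as {', '.join(tags)}")
```

Run against the sample, it reports the `[autoupdate]` entry (which loads SUPDATE.DLL via rundll32) and the `[KavSvc]` entry (vuvzpr.exe); the Symantec and WinZip entries are not reported even though their paths contain spaces, because the match is on the launched file name, not on the first token of the command. A file that FindQoologic lists but no O4 line launches (EFAXVIEW.EXE here) is deliberately not reported: the question the helper is asking is which startup entries keep re-launching packed files, not which packed files exist.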
Hi Buzz,
I am almost there but am having trouble understanding one of your directions. I ran CCleaner following the steps in post #31 and then ran HijackThis and deleted the files you suggested. Then I rebooted and ran Qoologic. I found this:
PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, There WILL be LEGIT FILES LISTED PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
»»»»»»»»»»»»»»»»»»»»»»»»» Files found in System »»»»»»»»»»»»»»»»»»»»»»»

* aspack C:\WINDOWS\BDBAMCM.EXE
* aspack C:\WINDOWS\EFAXVIEW.EXE


»»»»»»»»»»»»»»»»»»»»»»»»» startup files »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

»»»»»»»»»»»»»»»»»»»»»»»»» Checking Global Startup »»»»»»»»»»»»»»»»»»»»»


Global Startup:
problem locating dir

User Startup:
C:\WINDOWS\Start Menu\Programs\StartUp

My question is, keep doing what 5 times until I only have EFAXVIEW.EXE left? How do I get rid of * aspack C:\WINDOWS\BDBAMCM.EXE? Another question: is the User Startup information correct?
mmuzzy
 