Everytime I reboot, this bugger and its bunch of random alph-numeric garbage files keeps popping up. I try running Spybot, Ad-aware, McAfee to try and remove these files but it keeps coming back. I ran Hijack This and after removing a couple of offending files I've come up with this. Is there anything else I need to remove?
Logfile of HijackThis v1.97.3
Scan saved at 2:41:59 PM, on 03/04/2004
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\ATI2EVXX.EXE
C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\AVSYNMGR.EXE
C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\VSSTAT.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\VSHWIN32.EXE
C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\AVCONSOL.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\MCAFEE\MCAFEE SHARED COMPONENTS\GUARDIAN\CMGRDIAN.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\MCAFEE\MCAFEE SHARED COMPONENTS\INSTANT UPDATER\RULAUNCH.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\OUTLOOK EXPRESS\MSIMN.EXE
C:\CRUD\HIJACKTHIS.EXE
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://server224.smartbotpro.net/7search/?hkcu
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.ca/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://default-homepage-network.com/start.cgi?hklm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://server224.smartbotpro.net/7search/?hklm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.hispeed.rogers.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Rogers Hi-Speed Internet
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O2 - BHO: (no name) - {B549456D-F5D0-4641-BCED-8648A0C13D83} - C:\WINDOWS\BrowserHelper.dll
O3 - Toolbar: McAfee VirusScan - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\VSCSHELLEXTENSION.DLL
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [McAfee Guardian] "C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe" /SU
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [ATIPOLL] ati2evxx.exe
O4 - HKLM\..\RunServices: [ATISmart] C:\WINDOWS\SYSTEM\ati2s9ag.exe
O4 - HKLM\..\RunServices: [McAfeeVirusScanService] C:\Program Files\McAfee\McAfee VirusScan\AVSYNMGR.EXE
O4 - HKCU\..\Run: [RHSI SHS] "C:\Program Files\Rogers Hi-Speed Internet\RHSI SelfHealing\SHS.exe" /background
O4 - HKCU\..\Run: [McAfee.InstantUpdate.Monitor] "C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe" /STARTMONITOR
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: ICQ Pro (HKLM)
O9 - Extra 'Tools' menuitem: ICQ (HKLM)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.hispeed.rogers.com/
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shoc ... wflash.cab
O16 - DPF: {3734A957-FBD5-4F87-A404-4289C6F3DDFF} (DownloadScanEngine.ctlDSE296315) - http://downloads.rogershelp.com/updates.cab
I need help getting rid of the self replicating MORZE1.exe!
Moderator: Thanas
I need help getting rid of the self replicating MORZE1.exe!
ASVS('97)/SDN('03)
"Whilst human alchemists refer to the combustion triangle, some of their orcish counterparts see it as more of a hexagon: heat, fuel, air, laughter, screaming, fun." Dawn of the Dragons
ASSCRAVATS!
"Whilst human alchemists refer to the combustion triangle, some of their orcish counterparts see it as more of a hexagon: heat, fuel, air, laughter, screaming, fun." Dawn of the Dragons
ASSCRAVATS!
-
General Zod
- Never Shuts Up
- Posts: 29211
- Joined: 2003-11-18 03:08pm
- Location: The Clearance Rack
- Contact:
doing a quick search, it seems alot of people are having the same problem. +http://help.lockergnome.com/index.php?s ... ntry119920
this thread on another forum seems to show someone with the exact same problem, and gives tips for removing it. i've also seen some other various forums that recommend using cwshredder to get rid of it instead of spybot.
this thread on another forum seems to show someone with the exact same problem, and gives tips for removing it. i've also seen some other various forums that recommend using cwshredder to get rid of it instead of spybot.
"It's you Americans. There's something about nipples you hate. If this were Germany, we'd be romping around naked on the stage here."
-
Crayz9000
- Sith Apprentice
- Posts: 7329
- Joined: 2002-07-03 06:39pm
- Location: Improbably superpositioned
- Contact:
If you hack the Registry carefully enough you can safely remove it. It's just difficult.Tribun wrote:What does this damn thing exactly do?
I remember having something that I think sounded similar, that corrupted Windows, so it was executed every time I executed a .exe, .bat or .com file. Removing it broke the OS and I had to re-install all of it.
And by the way, Engima, you seem to have MyWebSearch installed (smartbotpro.net). That needs to be junked.
Oh, yes. Turn off System Restore (I see you're running WinME). Right now, I think it's cacheing the problem file, and Spybot can't delete it.
A Tribute to Stupidity: The Robert Scott Anderson Archive (currently offline)
John Hansen - Slightly Insane Bounty Hunter - ASVS Vets' Assoc. Class of 2000
HAB Cryptanalyst | WG - Intergalactic Alliance and Spoof Author | BotM | Cybertron | SCEF
John Hansen - Slightly Insane Bounty Hunter - ASVS Vets' Assoc. Class of 2000
HAB Cryptanalyst | WG - Intergalactic Alliance and Spoof Author | BotM | Cybertron | SCEF
System Restore has been disabled. But I think I've got the problem licked. I don't know which program fixed it but it's gone. I ran spybot, hijack this, killbox, avast, cwshredder and ad-aware to eliminate the problem.Crayz9000 wrote:If you hack the Registry carefully enough you can safely remove it. It's just difficult.Tribun wrote:What does this damn thing exactly do?
I remember having something that I think sounded similar, that corrupted Windows, so it was executed every time I executed a .exe, .bat or .com file. Removing it broke the OS and I had to re-install all of it.
And by the way, Engima, you seem to have MyWebSearch installed (smartbotpro.net). That needs to be junked.
Oh, yes. Turn off System Restore (I see you're running WinME). Right now, I think it's cacheing the problem file, and Spybot can't delete it.
ASVS('97)/SDN('03)
"Whilst human alchemists refer to the combustion triangle, some of their orcish counterparts see it as more of a hexagon: heat, fuel, air, laughter, screaming, fun." Dawn of the Dragons
ASSCRAVATS!
"Whilst human alchemists refer to the combustion triangle, some of their orcish counterparts see it as more of a hexagon: heat, fuel, air, laughter, screaming, fun." Dawn of the Dragons
ASSCRAVATS!