Note: The following is only a text archive! To view the actual forum discussion, please visit our website at http://www.tech-forums.net

RANDRECO.EXE keeps coming back!

Posted by: drmajcher

I've run Ad-Aware, AVG Anti-Virus and yet RANDRECO.EXE keeps coming back on my computer. Can someone look at this Hijack file and give advice on ridding my PC of Randreco.exe? THANKS SO MUCH!

Logfile of HijackThis v1.99.0
Scan saved at 9:26:15 PM, on 2/12/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\KHOOKER.EXE
C:\WINDOWS\ptsnoop.exe
C:\WINDOWS\TWAIN_32\PAPRPORT\3100BUSB\FLATBED.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
C:\PANICWARE\POP-UP STOPPER FREE EDITION\PSFREE.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\HIJACK\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 69:136.241.91:05
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {9C691A33-7DDA-4C2F-BE4C-C176083F35CF} - (no file)
O2 - BHO: BTGrabObj Class - {00000000-F09C-02B4-6EC2-AD0300000000} - C:\WINDOWS\BTGRAB.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [SiS KHooker] C:\WINDOWS\SYSTEM\khooker.exe
O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
O4 - HKLM\..\Run: [PTSNOOP] ptsnoop.exe
O4 - HKLM\..\Run: [SZMsgSvc.exe] C:\STOPzilla!\SZMsgSvc.exe
O4 - HKLM\..\Run: [PP3100B] C:\WINDOWS\twain_32\paprport\3100bUSB\flatbed.exe
O4 - HKLM\..\Run: [LexmarkPrinTray] PrinTray.exe
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [RealJukeboxSystray] "C:\REAL\REALJUKEBOX\tsystray.exe"
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [oqwaanoxz] C:\WINDOWS\SYSTEM\ylkjpvjf.exe
O4 - HKLM\..\Run: [satmat] C:\WINDOWS\SATMAT.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [offerp01.exe] "C:\WINDOWS\TEMP\offerp01.exe" 1107050582 1107282469
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PANICWARE\POP-UP STOPPER FREE EDITION\PSFREE.EXE"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\WINDOWS\SYSTEM\SHDOCVW.DLL
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\WINDOWS\SYSTEM\SHDOCVW.DLL
O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.24.141/code/PWActiveXImgCtl.CAB
O16 - DPF: Yahoo! Go Fish - http://download.games.yahoo.com/games/clients/y/zt3_x.cab
O16 - DPF: Java AS400 Display (ASD) - http://www.co.kent.de.us/w2hlegacy/java/wdasd.cab
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-0-3-0.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/20040427/qtinstall.info.apple.com/saba/us/win/QuickTimeInstaller.exe
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EPUWALControl_v1-0-3-18.cab
O16 - DPF: {99B6E512-3893-4155-9964-8EB8E06099CB} (WebSpyWareKiller Class) - http://download.zonelabs.com/bin/promotions/spywaredetector/WebSWK.cab

Posted by: rstones12

Hello drmajcher. Welcome to Tech-Forums. I have outlined some preliminary steps that we need to address. [b]You may want to print out these instructions for reference.[/b] This process will take a few steps, so please be patient and follow the provided directions.

[b]1.[/b] First download [URL=http://cwshredder.net/bin/CWShredder.exe][color=blue]CWShredder[/color][/URL] and save it to your desktop. Close all open browser windows and any other open windows. Install CWShredder, then:
Open CWS and click [b]Check for Updates[/b]
Then click [b]"FIX"[/b]

I suggest doing an online scan just as a secondary check.
[b]2.[/b] Please run this online scan and allow it to delete anything it finds. You may have to select auto-fix prior to scanning; it should be a selection on the screen.
[LIST][URL=http://www.pandasoftware.com/activescan/com/activescan_principal.htm][color=blue]Panda ActiveScan[/color][/URL][/LIST]
Please make a note of anything that wasn't or couldn't be fixed. Reboot your machine when finished.

[b]3.[/b] You may have run these programs already; make sure they are up to date and run per the provided instructions. Current versions are:
[b]Spybot S&D Ver: 1.3[/b] [URL=http://www.safer-networking.org/en/download/index.html][color=blue]Download Here[/color][/URL]
[b]Ad-Aware SE Build 1.05[/b] [URL=http://www.majorgeeks.com/download506.html][color=blue]Download Here[/color][/URL]

Download and install both Spybot S&D and Ad-Aware SE. Instructions:

[b]Spybot S&D:[/b]
Go to your Start Menu >> Programs >> Spybot S&D >> then choose Spybot S&D.
[b]*[/b] Close [b]ALL[/b] windows except Spybot S&D
[b]*[/b] Click the button to [b]"Search for Updates"[/b] and download and install the updates.
[b]*[/b] Close Spybot, then launch it again
[b]*[/b] Click the button [b]"Check for Problems"[/b]
[b]*[/b] When Spybot is done scanning, it will be showing "RED" (RED) entries, "BLACK" entries and "GREEN" (GREEN) entries in the window
[b]*[/b] Put a check mark beside the RED [color=red](RED) entries ONLY.[/color]
[b]*[/b] Choose "Fix Selected Problems" and allow Spybot to fix the RED [color=red](RED)[/color] entries.

[b]Ad-Aware SE FULL SCAN:[/b]
Go to your Start Menu >> Programs >> Lavasoft Ad-Aware SE >> then choose Ad-Aware SE Personal.
When the main window opens, look in the bottom right corner and click on [b]Check For Updates Now[/b], then click Connect and download the latest reference files.
From the main window:
[b]*[/b] Click Start, then under Select a scan Mode check [b]Perform Full System Scan.[/b]
[b]*[/b] Next, [color=red]deselect[/color] Search for negligible risk entries.
[b]*[/b] To scan, just click the [b]Next[/b] button. When the scan has finished, [b]mark everything for removal[/b] and get rid of it. [i](Right-click the window and choose [b]select all[/b] from the drop-down menu and click Next)[/i] The program will ask if you want to fix/delete selected items; choose yes/fix.

Empty your Recycle Bin.
Reboot your machine and post a new HJT log by clicking [b]"Post a Reply"[/b].

Thanks,
rstones12

Posted by: drmajcher

Thank you rstones12 for the welcome & the instructions! I followed all the instructions you provided me with, and below is the new Hijack log.

Logfile of HijackThis v1.99.0
Scan saved at 2:10:27 PM, on 2/13/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\KHOOKER.EXE
C:\WINDOWS\ptsnoop.exe
C:\WINDOWS\TWAIN_32\PAPRPORT\3100BUSB\FLATBED.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
C:\PANICWARE\POP-UP STOPPER FREE EDITION\PSFREE.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\HIJACK\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 69:136.241.91:05
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: BTGrabObj Class - {00000000-F09C-02B4-6EC2-AD0300000000} - C:\WINDOWS\BTGRAB.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [SiS KHooker] C:\WINDOWS\SYSTEM\khooker.exe
O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
O4 - HKLM\..\Run: [PTSNOOP] ptsnoop.exe
O4 - HKLM\..\Run: [SZMsgSvc.exe] C:\STOPzilla!\SZMsgSvc.exe
O4 - HKLM\..\Run: [PP3100B] C:\WINDOWS\twain_32\paprport\3100bUSB\flatbed.exe
O4 - HKLM\..\Run: [LexmarkPrinTray] PrinTray.exe
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [RealJukeboxSystray] "C:\REAL\REALJUKEBOX\tsystray.exe"
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [oqwaanoxz] C:\WINDOWS\SYSTEM\ylkjpvjf.exe
O4 - HKLM\..\Run: [satmat] C:\WINDOWS\SATMAT.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [offerp01.exe] "C:\WINDOWS\TEMP\offerp01.exe" 1107050582 1107282469
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PANICWARE\POP-UP STOPPER FREE EDITION\PSFREE.EXE"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\WINDOWS\SYSTEM\SHDOCVW.DLL
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\WINDOWS\SYSTEM\SHDOCVW.DLL
O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.24.141/code/PWActiveXImgCtl.CAB
O16 - DPF: Yahoo! Go Fish - http://download.games.yahoo.com/games/clients/y/zt3_x.cab
O16 - DPF: Java AS400 Display (ASD) - http://www.co.kent.de.us/w2hlegacy/java/wdasd.cab
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-0-3-0.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/20040427/qtinstall.info.apple.com/saba/us/win/QuickTimeInstaller.exe
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EPUWALControl_v1-0-3-18.cab
O16 - DPF: {99B6E512-3893-4155-9964-8EB8E06099CB} (WebSpyWareKiller Class) - http://download.zonelabs.com/bin/promotions/spywaredetector/WebSWK.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab

------------------------------

Also, Panda did find & fix the following:

Incident              Status        Location
Virus:Trj/Imiserv.D   Disinfected   C:\WINDOWS\systb.exe

And Spybot & Adware caught and got rid of more items. CWShredder came up clean.

I'm most appreciative of your help with this continuing annoying problem.

drmajcher

Posted by: rstones12

drmajcher,

I will be reviewing this log later this evening.
Thanks
rstones12

Posted by: rstones12

drmajcher,

Run HJT and place a checkmark next to the following items:
[b]
O2 - BHO: BTGrabObj Class - {00000000-F09C-02B4-6EC2-AD0300000000} - C:\WINDOWS\BTGRAB.DLL
O4 - HKLM\..\Run: [oqwaanoxz] C:\WINDOWS\SYSTEM\ylkjpvjf.exe
O4 - HKLM\..\Run: [satmat] C:\WINDOWS\SATMAT.exe
O4 - HKLM\..\Run: [offerp01.exe] "C:\WINDOWS\TEMP\offerp01.exe" 1107050582 1107282469
O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.24.141/code/PWActiveXImgCtl.CAB
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52...meInstaller.exe
[/b]
Close all browsers and open windows except HJT and click [b]"Fix Checked"[/b].

Enable show hidden files and folders:
* Click Start.
* Open My Computer.
* Select the Tools menu and click Folder Options.
* Select the View Tab.
* Under the Hidden files and folders heading select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Click Yes to confirm.
* Click OK.

Reboot into Safe Mode:
Search your system and remove the following files/folders if present.
C:\WINDOWS\SYSTEM\[b]ylkjpvjf.exe[/b]
C:\WINDOWS\[b]SATMAT.exe[/b]

Scan with Spybot S&D and Ad-Aware SE.
Scan your drive(s) with your updated AVG Virus Scan.
Empty your Recycle Bin.
Reboot your machine and post a new HJT log by clicking [b]"Post a Reply"[/b].

Thanks,
rstones12

Posted by: drmajcher

Thanks rstones12 for the follow-up instructions. I was able to follow them all except your instructions on Enable Hidden files & Folders. I run Windows 98 and couldn't find MY COMPUTER after clicking Start. I did go under Explore and click on Tools and made sure the settings there allowed hidden files to be viewed.

I did everything else you instructed me to, and after going into Safe Mode I did not find:
C:\WINDOWS\SYSTEM\ylkjpvjf.exe or C:\WINDOWS\SATMAT.exe

I ran Adware, Spybot & AVG, only finding one minor item under Spybot. Here's my new Hijack log. Once again, I'd like to thank you for all your valuable help.

drmajcher

Logfile of HijackThis v1.99.0
Scan saved at 12:20:08 PM, on 2/14/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\KHOOKER.EXE
C:\WINDOWS\ptsnoop.exe
C:\WINDOWS\TWAIN_32\PAPRPORT\3100BUSB\FLATBED.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
C:\PANICWARE\POP-UP STOPPER FREE EDITION\PSFREE.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\HIJACK\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 69:136.241.91:05
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: BTGrabObj Class - {00000000-F09C-02B4-6EC2-AD0300000000} - C:\WINDOWS\BTGRAB.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [SiS KHooker] C:\WINDOWS\SYSTEM\khooker.exe
O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
O4 - HKLM\..\Run: [PTSNOOP] ptsnoop.exe
O4 - HKLM\..\Run: [SZMsgSvc.exe] C:\STOPzilla!\SZMsgSvc.exe
O4 - HKLM\..\Run: [PP3100B] C:\WINDOWS\twain_32\paprport\3100bUSB\flatbed.exe
O4 - HKLM\..\Run: [LexmarkPrinTray] PrinTray.exe
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [RealJukeboxSystray] "C:\REAL\REALJUKEBOX\tsystray.exe"
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PANICWARE\POP-UP STOPPER FREE EDITION\PSFREE.EXE"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\WINDOWS\SYSTEM\SHDOCVW.DLL
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\WINDOWS\SYSTEM\SHDOCVW.DLL
O16 - DPF: Yahoo! Go Fish - http://download.games.yahoo.com/games/clients/y/zt3_x.cab
O16 - DPF: Java AS400 Display (ASD) - http://www.co.kent.de.us/w2hlegacy/java/wdasd.cab
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-0-3-0.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EPUWALControl_v1-0-3-18.cab
O16 - DPF: {99B6E512-3893-4155-9964-8EB8E06099CB} (WebSpyWareKiller Class) - http://download.zonelabs.com/bin/promotions/spywaredetector/WebSWK.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab

Posted by: drmajcher

No sooner do I get my last post done and check my email than another Trojan Horse pops up on my computer. NEWALL1T.exe is the name of this intruder. I'm headed over to Panda to do another virus check.

drmajcher

Posted by: drmajcher

I ran Panda and it found no viruses. I did a Windows Update on IE6 and it did find one security update, which I now have. I rebooted to have the security update in effect.

Posted by: drmajcher

RandReco.exe just popped up again! Darn.

drmajcher

Posted by: rstones12

drmajcher,

Are you using any proxy service that you know of? Did you enable email scanning with AVG 7? Let me know and I will give you some instructions.

Thanks
rstones12

Posted by: drmajcher

rstones12,

I'm not sure what you mean by proxy service. I have Comcast High Speed Internet Service. I only use Hotmail or Yahoo for my email accounts (and I always scan files first before opening them). I've never used Outlook Express because I heard it's so vulnerable to viruses. Randreco.exe came back several times as I was on the internet tonight. Thanks again for your help with this annoying problem.
drmajcher

Posted by: rstones12

drmajcher,

This one is really stubborn.

Download [url=http://www.lavasoftusa.com/software/plugins/vx2cleaner.shtml]VX2 Cleaner Lavasoft - Ad-Aware SE Plug-In[/url]
Install VX2 Cleaner. Don't run it just yet.

Scan with HJT and place a checkmark next to the following items.
[b]
O2 - BHO: BTGrabObj Class - {00000000-F09C-02B4-6EC2-AD0300000000} - C:\WINDOWS\BTGRAB.DLL
O4 - HKLM\..\Run: [SiS KHooker] C:\WINDOWS\SYSTEM\khooker.exe
O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
O4 - HKLM\..\Run: [PTSNOOP] ptsnoop.exe
All of the O16's; they will come back if needed.
[/b]
Close all browsers and windows except HJT and click [b]Fix Checked[/b].

Restart in Safe Mode, search for and remove the following files/folders if present.
C:\WINDOWS\[b]BTGRAB.DLL[/b]
C:\WINDOWS\SYSTEM\[b]khooker.exe[/b]
[b]pctptt.exe[/b]
[b]ptsnoop.exe[/b]

Run the VX2 cleaner in Safe Mode.

Navigate to the C:\Windows\Temp folder. Open the Temp folder and go to Edit > Select All then Edit > Delete to delete the entire contents of the Temp folder.
Navigate to the C:\Windows\Prefetch folder. Open the Prefetch folder and go to Edit > Select All then Edit > Delete to delete the entire contents of the Prefetch folder.
Go to Start > Run and type %temp% in the Run box. The Temp folder will open. Click Edit > Select All then Edit > Delete to delete the entire contents of the Temp folder.
Finally go to Control Panel > Internet Options. On the General tab under "Temporary Internet Files" click "Delete Files". Put a check by "Delete Offline Content" and click OK. Click on the Programs tab, then click the "Reset Web Settings" button. Click Apply then OK.

Empty the Recycle Bin.
Reboot normally and post a new HJT log by using [b]Post a Reply[/b].

Posted by: drmajcher

Hello rstones12,

I followed your latest instructions, and the one hitch I ran into when running HijackThis and having checked all the items you said to was the following message:

Could not delete O16 - DPF: Java AS400 Display (ASD) - http://www.co.kent.de.us/w2hlegacy/java/wdasd.cab because it does not exist anymore.

Also, I just wanted to note that when Randreco.exe does pop up, I get a message from my AVG Shield that it's present and I click delete file each time. I also have been deleting all the contents of the Windows/TEMP file on a regular basis. Again, I appreciate your help in ridding me of this annoyance.

drmajcher

Logfile of HijackThis v1.99.0
Scan saved at 12:27:58 PM, on 2/15/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\TWAIN_32\PAPRPORT\3100BUSB\FLATBED.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
C:\PANICWARE\POP-UP STOPPER FREE EDITION\PSFREE.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\HIJACK\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 69:136.241.91:05
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [SZMsgSvc.exe] C:\STOPzilla!\SZMsgSvc.exe
O4 - HKLM\..\Run: [PP3100B] C:\WINDOWS\twain_32\paprport\3100bUSB\flatbed.exe
O4 - HKLM\..\Run: [LexmarkPrinTray] PrinTray.exe
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [RealJukeboxSystray] "C:\REAL\REALJUKEBOX\tsystray.exe"
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [CriticalUpdate] C:\WINDOWS\SYSTEM\wucrtupd.exe -startup
O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
O4 - HKLM\..\Run: [PTSNOOP] ptsnoop.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PANICWARE\POP-UP STOPPER FREE EDITION\PSFREE.EXE"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\WINDOWS\SYSTEM\SHDOCVW.DLL
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\WINDOWS\SYSTEM\SHDOCVW.DLL
O16 - DPF: Java AS400 Display (ASD) - http://www.co.kent.de.us/w2hlegacy/java/wdasd.cab

Posted by: rstones12

That little nasty is hidden somewhere. Let's try another scanner, because there must be something that reloads it.
Download the trial version of TDS-3 anti-trojan from here:
[url]http://www.diamondcs.com.au/tds/downloads/tds3setup.exe[/url]
Install it, but do not launch it yet.

Update it: right-click the link below and select "Save as"
[url]http://www.diamondcs.com.au/tds/radius.td3[/url]
Save it to the directory where you installed TDS-3, overwriting the previous radius.td3.

Then launch TDS-3. In the top bar of the TDS window click System Testing > Full System Scan. Detections will appear in the lower pane of the TDS window. After the scan is finished ([b]this will take a while[/b]) right-click the list > select Save as txt. Save it and post the contents of the scandump.txt here.

After posting the scan log, go ahead and right-click the list again; this time select Delete! Delete everything labelled positive identification.

Posted by: Warez Monster

Delete the following keys:
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\adstartup
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\bokja
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\sqinstaller
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\stcloader

Posted by: drmajcher

Hello rstones12,

I didn't have to follow through with your last set of instructions, as I've been free of RANDRECO.exe since I followed your previous series of instructions. Somewhere in the instructions below was the answer:

Scan with HJT and place a checkmark next to the following items.
O2 - BHO: BTGrabObj Class - {00000000-F09C-02B4-6EC2-AD0300000000} - C:\WINDOWS\BTGRAB.DLL
O4 - HKLM\..\Run: [SiS KHooker] C:\WINDOWS\SYSTEM\khooker.exe
O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
O4 - HKLM\..\Run: [PTSNOOP] ptsnoop.exe
All of the O16's, they will come back if needed.
Close all browsers and windows except HJT and click Fix Checked
Restart in Safe Mode, search and remove the following files/folders if present.
C:\WINDOWS\BTGRAB.DLL
C:\WINDOWS\SYSTEM\khooker.exe
pctptt.exe
ptsnoop.exe
--------------------------

I remember in Safe Mode that I found and deleted 3 of the 4 above files and then ran VX2 Cleaner & it came up clean.

Once again, I can't thank you enough for all your help in solving this annoying and persistent problem. I hope I won't need to come back to this forum again, but to me it seems like just going on the internet has everyone at risk of getting infected with Trojan Horses and other various virus bugs. So, I'm glad I know where to come should I get infected again. Thanks a million -- this forum & people like yourself are invaluable to us regular computer users.

drmajcher

P.S. Thanks also to Warez Monster for your input.

Posted by: rstones12

drmajcher,

Glad to help. I have included some threads that are worthwhile reading; please take a look at them.
[url]http://www.tech-forums.net/showthread.php?s=&threadid=36259[/url]
[url]http://www.tech-forums.net/showthread.php?s=&threadid=35181[/url]

Thanks,
rstones12

Posted by: southernlady

Closing thread.
Liz
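Editor's added example (not part of the thread, and not HijackThis code): the helper in this thread triaged the logs by eye, picking out Run entries with random names or launching from TEMP, a BHO with no backing file, an ActiveX control pulled from a bare IP, and the odd ProxyServer value. The script below applies those same checks to a constructed excerpt modelled on the thread's logs. Every rule in it (the consonant-run test for random names, the all-zero CLSID block, the TEMP-path and bare-IP checks, the loopback test for the proxy) is an assumption made for this example rather than anything the thread or HijackThis defines, and its output is a list for a human to review, not a list of things to delete.

```python
"""Triage a HijackThis-style log for the entry types singled out in the thread.

Added example, not from the forum thread or from HijackThis itself. Every rule
below is a review heuristic chosen for this example; it yields findings to
look at, not a list of things to delete.
"""
import re
from urllib.parse import urlparse

# Constructed excerpt modelled on the thread's logs (assumption: not a verbatim log).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 69:136.241.91:05
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {9C691A33-7DDA-4C2F-BE4C-C176083F35CF} - (no file)
O2 - BHO: BTGrabObj Class - {00000000-F09C-02B4-6EC2-AD0300000000} - C:\WINDOWS\BTGRAB.DLL
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [oqwaanoxz] C:\WINDOWS\SYSTEM\ylkjpvjf.exe
O4 - HKLM\..\Run: [offerp01.exe] "C:\WINDOWS\TEMP\offerp01.exe" 1107050582 1107282469
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.24.141/code/PWActiveXImgCtl.CAB
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
"""

O4_RE = re.compile(r"^O4 - (?P<key>\S+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
R1_RE = re.compile(r"^R1 - .*ProxyServer = (?P<value>.*)$")
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[^}]*)\} - (?P<path>.*)$")
O16_RE = re.compile(r"^O16 - DPF: (?P<desc>.*?) - (?P<url>\S+)$")
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
VOWELS = set("aeiouy")


def looks_random(name: str) -> bool:
    """Heuristic (this example's assumption): a letters-only name of 7+ chars with
    five or more consecutive consonants, or no vowels at all, is treated as
    machine-generated. y counts as a vowel. Abbreviated vendor names can trip
    this, which is why findings are reviewed rather than acted on."""
    s = name.lower()
    if len(s) < 7 or not s.isalpha():
        return False
    run = longest = 0
    for ch in s:
        run = 0 if ch in VOWELS else run + 1
        longest = max(longest, run)
    return longest >= 5 or not (set(s) & VOWELS)


def exe_path(cmd: str) -> str:
    """Extract the program path from a Run value, honouring a quoted path."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]


def file_stem(path: str) -> str:
    return re.split(r"[\\/]", path)[-1].rsplit(".", 1)[0]


def check_run(name: str, cmd: str):
    path = exe_path(cmd)
    if "\\TEMP\\" in path.upper():
        return "autorun launches from a TEMP directory"
    if looks_random(name) or looks_random(file_stem(path)):
        return "random-looking autorun name or filename"
    return None


def check_proxy(value: str):
    """Flag any ProxyServer that is not loopback, and note when the value does
    not even parse as host:port. (Per-protocol values such as http=host:port
    are not handled here.)"""
    host, _, port = value.strip().rpartition(":")
    if host.lower() in ("127.0.0.1", "localhost"):
        return None
    reason = "proxy points at a non-local host"
    valid_host = IPV4_RE.match(host) or re.match(r"^[A-Za-z0-9.-]+$", host)
    if not valid_host or not port.isdigit():
        reason += " (malformed host:port)"
    return reason


def check_bho(name: str, clsid: str, path: str):
    if path.strip().lower() == "(no file)":
        return "BHO registered but its DLL is missing"
    if name.strip().lower() == "(no name)":
        return "BHO with no registered name"
    if clsid.split("-")[0] == "00000000":
        return "BHO CLSID with an all-zero first block (unlikely from a GUID generator)"
    return None


def check_dpf(url: str):
    host = urlparse(url).hostname or ""
    return "ActiveX control downloaded from a bare IP address" if IPV4_RE.match(host) else None


def triage(log_text: str) -> list:
    """Return one finding dict (kind, reason, line) per suspicious log line."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        kind = reason = None
        if m := O4_RE.match(line):
            kind, reason = "O4", check_run(m["name"], m["cmd"])
        elif m := R1_RE.match(line):
            kind, reason = "R1", check_proxy(m["value"])
        elif m := O2_RE.match(line):
            kind, reason = "O2", check_bho(m["name"], m["clsid"], m["path"])
        elif m := O16_RE.match(line):
            kind, reason = "O16", check_dpf(m["url"])
        if reason:
            findings.append({"kind": kind, "reason": reason, "line": line})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f['kind']}] {f['reason']}\n    {f['line']}")
```

Run it as-is to see the six lines it flags in the sample, or pass a saved HijackThis log's text to triage(). The order of checks in check_run matters: a TEMP path is reported before the name heuristic, so a TEMP entry with an ordinary name (like offerp01.exe) still surfaces, and legitimate entries with short or underscored names (AVG7_CC) are skipped by the length and letters-only guards rather than by an allowlist.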