Problems with strange dll. hijack or BHO

  Zurdo 15:58 11 Apr 05
Locked

A couple of weeks ago when my daughter was online the connection dropped and I found the user name/password changed. I put it bck and all seemed OK but I have since found a couple of strange dlls which are sometimes causing trouble on IE, I run spybot which cannot delete or disable a BHO. I have found the files atmpvc.dll, miamore32.dll and another clbcatix.dll ( the last I think has been deleted when I system restored backwards.I cannot delete these files (access denied etc.) I run adaware and eztrust av which give an all clear. The comp runs XPSP1. I would really appreciate any help as there is very little on the web about these files. I'll post a hijackthis log file.

  octal 18:12 11 Apr 05

Can I make a suggestion? if you post all your hijack this log in the same thread it won't get scattered across the forum.

If you close the other two postings and post your log here it'll keep it all tidy, you'll probably have to put it in two or three posting to get around the 800 word limit. Some one will then be along who knows more than me, good luck.

  Zurdo 18:20 11 Apr 05

I realised this a bit late.........sorry.
Here goes for the log
Logfile of HijackThis v1.99.1
Scan saved at 15:44:43, on 11/04/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
C:\Program Files\CA\eTrust Antivirus\InoRT.exe
C:\Program Files\CA\eTrust Antivirus\InoTask.exe
C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\RunDll32.exe
C:\WINDOWS\Dit.exe
C:\WINDOWS\mHotkey.exe
C:\WINDOWS\CNYHKey.exe
C:\PROGRA~1\CA\ETRUST~1\realmon.exe
C:\Program Files\Medion Home Cinema XL II\PowerCinema\PCMService.exe
C:\WINDOWS\System32\PRISMSTA.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb06.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe
C:\WINDOWS\DitExp.exe
C:\WINDOWS\System32\wuauclt.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\Yahoo!\browser\ybrwicon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\unzipped\hijackthis\HijackThis.exe

  Dan the Doctus 18:20 11 Apr 05

Have you tried deleting the files in safe mode? Tap the F8 key before Windows loads and select from menu.

  Zurdo 18:20 11 Apr 05

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = click here*click here
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = click here*click here
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = click here
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = click here
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = click here*click here
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = click here*click here
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = click here*click here
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = click here*click here
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: C:\WINDOWS\system32\miamore32.dll - {1559C6FD-8BDE-476E-98C7-871E59193FCE} - C:\WINDOWS\system32\miamore32.dll (disabled by BHODemon)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: C:\WINDOWS\system32\atmpvc.dll - {7DBA5E61-9C51-4365-ACD2-DE684E133F8C} - C:\WINDOWS\system32\atmpvc.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Copernic Agent - {F2E259E8-0FC8-438C-A6E0-342DD80FA53E} - C:\Program Files\Copernic Agent\CopernicAgentExt.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [Dit] Dit.exe
O4 - HKLM\..\Run: [CHotkey] mHotkey.exe
O4 - HKLM\..\Run: [ledpointer] CNYHKey.exe
O4 - HKLM\..\Run: [Realtime Monitor] C:\PROGRA~1\CA\ETRUST~1\realmon.exe -s
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Medion Home Cinema XL II\PowerCinema\PCMService.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [PRISMSTA.EXE] PRISMSTA.EXE START
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\System32\PSDrvCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb06.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [Omnipage] C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [DrvMon.exe] C:\WINDOWS\System32\DrvMon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: Registration-InstantCopy.lnk = C:\Program Files\Pinnacle\Shared Files\InstantCDDVD\Pixie\RegTool.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = ?

  Zurdo 18:21 11 Apr 05

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Search Using Copernic Agent - C:\Program Files\Copernic Agent\Web\SearchExt.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\miamore32.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\miamore32.dll
O9 - Extra button: (no name) - {193B17B0-7C9F-4D5B-AEAB-8D3605EFC084} - C:\PROGRA~1\COPERN~1\COPERN~1.EXE
O9 - Extra 'Tools' menuitem: Launch Copernic Agent - {193B17B0-7C9F-4D5B-AEAB-8D3605EFC084} - C:\PROGRA~1\COPERN~1\COPERN~1.EXE
O9 - Extra button: BT Yahoo! Sidebar - {51085E3D-A958-42A2-A6BE-A6A9B0BAF276} - C:\WINDOWS\system32\miamore32.dll
O9 - Extra 'Tools' menuitem: BT &Yahoo! Sidebar - {51085E3D-A958-42A2-A6BE-A6A9B0BAF276} - C:\WINDOWS\system32\miamore32.dll
O9 - Extra button: Copernic Agent - {688DC797-DC11-46A7-9F1B-445F4F58CE6E} - C:\PROGRA~1\COPERN~1\COPERN~1.EXE
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\miamore32.dll
O14 - IERESET.INF: START_PAGE_URL=click here
O16 - DPF: ppctlcab - click here
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - click here
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - click here
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - click here
O16 - DPF: {1842B0EE-B597-11D4-8997-00104BD12D94} (iCC Class) - click here
O16 - DPF: {231B1C6E-F934-42A2-92B6-C2FEFEC24276} (yucsetreg Class) - C:\Program Files\Yahoo!\common\yucconfig.dll
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - click here
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {402EE96E-2CE8-482D-ADA5-CECEEA07E16D} (TurnTool Scene) - click here
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - click here
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - click here
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - click here
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - click here
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - click here
O16 - DPF: {EC5A4E7B-02EB-451D-B310-D5F2E0A4D8C3} (webhelper Class) - click here
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - click here
O17 - HKLM\System\CCS\Services\Tcpip\..\{3A95A6C1-7141-4F14-BD7D-5AA09B40BF6D}: NameServer = 194.72.9.38 194.74.65.68
O20 - Winlogon Notify: eventss - C:\WINDOWS\system32\atmpvc.dll
O20 - Winlogon Notify: lindow - C:\WINDOWS\system32\miamore32.dll
O23 - Service: CA License Client (CA_LIC_CLNT) - Computer Associates International Inc. - C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmt.exe
O23 - Service: CA License Server (CA_LIC_SRVR) - Computer Associates International Inc. - C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmtd.exe
O23 - Service: eTrust Antivirus RPC Server (InoRPC) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
O23 - Service: eTrust Antivirus Realtime Server (InoRT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRT.exe
O23 - Service: eTrust Antivirus Job Server (InoTask) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoTask.exe
O23 - Service: Event Log Watch (LogWatch) - Computer Associates - C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe
O23 - Service: X10 Device Network Service (x10nets) - X10 - C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE

  Zurdo 18:29 11 Apr 05

I haven't tried to delete anyhting in safe mode yet, Scannow says all ok. Looks like the miamore file may ne something to do wit the BTYahoo browser, I'm not sure. I'll wait gratefully for any replies. I've also ticked resolved on original thread. To recap my daughter had downloaded an mp3 track shortly before and was on MSN Messenger when the Broadband connection dropped. This is not a life-threatening problem but I do get a bit paranoid when things don't go right!! :-(

  Zurdo 17:28 12 Apr 05

I've found a couple of links to this problem, will wait to see the advice on here. At least I don't seem to be redirected to porn sites up to now.
click here
click here

  Curio 20:39 12 Apr 05

Would this be of any help? click here

  Zurdo 18:48 13 Apr 05

Following the advice on the second link above (bleeping computer.com) my comp is now as clean as a whistle..........hope it stays that way ;-)

  Zurdo 18:50 13 Apr 05

Sorry forgot to say thanks for the info Curio.I may well use this in the future.

This thread is now locked and can not be replied to.

How to get Windows 10 for free | How to install Windows 10: There is still a way to avoid paying…

1995-2015: How technology has changed the world in 20 years

Alex Chinneck’s giant ice cube Christmas tree at Kings Cross

Apple rumours & predictions 2017: The iPhone 8, new iPads, and everything else you should expect fr7…